@hsuite/smart-engines-sdk 3.7.0 → 3.11.0

package/dist/nestjs/index.js

@@ -1152,7 +1152,7 @@ var SdkHttpError = class extends Error {
 };
 function createHttpClient(config) {
   const timeout = config.timeout ?? 3e4;
-  function getHeaders(contentType) {
+  function getHeaders(contentType, opts) {
     const headers = {};
     if (contentType) {
       headers["Content-Type"] = contentType;
@@ -1163,6 +1163,12 @@ function createHttpClient(config) {
     if (config.apiKey) {
       headers["X-API-Key"] = config.apiKey;
     }
+    if (opts?.customerToken) {
+      headers["X-Customer-Session-Token"] = opts.customerToken;
+    }
+    if (opts?.headers) {
+      Object.assign(headers, opts.headers);
+    }
     return headers;
   }
   function setAuthToken(token) {
@@ -1171,14 +1177,14 @@ function createHttpClient(config) {
   function getAuthToken() {
     return config.authToken;
   }
-  async function request(method, path, body) {
+  async function request(method, path, body, opts) {
     const url = `${config.baseUrl}${path}`;
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), timeout);
     try {
       const init = {
         method,
-        headers: getHeaders("application/json"),
+        headers: getHeaders("application/json", opts),
         signal: controller.signal
       };
       if (body !== void 0) {
@@ -1207,14 +1213,14 @@ function createHttpClient(config) {
       throw new SdkHttpError(`Network error: ${err.message}`, 0, error);
     }
   }
-  async function getText(path) {
+  async function getText(path, opts) {
     const url = `${config.baseUrl}${path}`;
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), timeout);
     try {
       const response = await fetch(url, {
         method: "GET",
-        headers: getHeaders(),
+        headers: getHeaders(void 0, opts),
         signal: controller.signal
       });
       clearTimeout(timeoutId);
@@ -1237,7 +1243,37 @@ function createHttpClient(config) {
       throw new SdkHttpError(`Network error: ${err.message}`, 0, error);
     }
   }
-  async function upload(path, file, filename, metadata, fieldName = "file") {
+  async function getBinary(path, opts) {
+    const url = `${config.baseUrl}${path}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "GET",
+        headers: getHeaders(void 0, opts),
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const errBody = await response.json().catch(() => ({}));
+        throw new SdkHttpError(
+          errBody.message || `API error: ${response.status} ${response.statusText}`,
+          response.status,
+          errBody
+        );
+      }
+      return new Uint8Array(await response.arrayBuffer());
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof SdkHttpError) throw error;
+      const err = error;
+      if (err.name === "AbortError") {
+        throw new SdkHttpError("Request timeout", 408);
+      }
+      throw new SdkHttpError(`Network error: ${err.message}`, 0, error);
+    }
+  }
+  async function upload(path, file, filename, metadata, fieldName = "file", opts) {
     const url = `${config.baseUrl}${path}`;
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), timeout * 2);
@@ -1257,6 +1293,12 @@ function createHttpClient(config) {
       if (config.apiKey) {
         headers["X-API-Key"] = config.apiKey;
       }
+      if (opts?.customerToken) {
+        headers["X-Customer-Session-Token"] = opts.customerToken;
+      }
+      if (opts?.headers) {
+        Object.assign(headers, opts.headers);
+      }
       const response = await fetch(url, {
         method: "POST",
         headers,
@@ -1288,7 +1330,7 @@ function createHttpClient(config) {
     try {
       return await op();
     } catch (error) {
-      const refreshable = !!config.onUnauthorized && !path.startsWith("/api/auth/") && error instanceof SdkHttpError && error.statusCode === 401;
+      const refreshable = !!config.onUnauthorized && !path.startsWith("/api/v3/baas/auth/") && !path.startsWith("/api/v3/auth/") && error instanceof SdkHttpError && error.statusCode === 401;
       if (!refreshable) throw error;
       if (!reauthInFlight) {
         reauthInFlight = Promise.resolve(config.onUnauthorized()).finally(() => {
@@ -1304,13 +1346,14 @@ function createHttpClient(config) {
     }
   }
   const client = {
-    post: (path, body) => withAuthRetry(path, () => request("POST", path, body)),
-    get: (path) => withAuthRetry(path, () => request("GET", path)),
-    put: (path, body) => withAuthRetry(path, () => request("PUT", path, body)),
-    patch: (path, body) => withAuthRetry(path, () => request("PATCH", path, body)),
-    delete: (path) => withAuthRetry(path, () => request("DELETE", path)),
-    getText: (path) => withAuthRetry(path, () => getText(path)),
-    upload: ((path, file, filename, metadata, fieldName) => withAuthRetry(path, () => upload(path, file, filename, metadata, fieldName))),
+    post: (path, body, opts) => withAuthRetry(path, () => request("POST", path, body, opts)),
+    get: (path, opts) => withAuthRetry(path, () => request("GET", path, void 0, opts)),
+    put: (path, body, opts) => withAuthRetry(path, () => request("PUT", path, body, opts)),
+    patch: (path, body, opts) => withAuthRetry(path, () => request("PATCH", path, body, opts)),
+    delete: (path, opts) => withAuthRetry(path, () => request("DELETE", path, void 0, opts)),
+    getText: (path, opts) => withAuthRetry(path, () => getText(path, opts)),
+    getBinary: (path, opts) => withAuthRetry(path, () => getBinary(path, opts)),
+    upload: ((path, file, filename, metadata, fieldName, opts) => withAuthRetry(path, () => upload(path, file, filename, metadata, fieldName, opts))),
     setAuthToken,
     getAuthToken
   };
@@ -2228,7 +2271,7 @@ var HederaTransactionsClient = class {
    *   - `client.hedera.tss.createTopic(...)` makes the cluster sign+submit in one call.
    *
    * `tssHttp` is the validator's `/api/v3`-rooted HTTP client (different from
-   * the `/api/transactions` one this class uses for prepare paths). Both
+   * the `/api/v3/transactions` one this class uses for prepare paths). Both
    * clients are required — the previous single-arg fallback to `http` was
    * unreachable through `SmartEngineClient` (the only call site always
    * passes both).
@@ -2937,77 +2980,85 @@ var AgentsClient = class {
   }
   http;
   /** Register a new agent */
-  async register(request) {
-    return this.http.post("/api/agents/register", request);
+  async register(request, opts) {
+    return this.http.post("/api/v3/baas/agents/register", request, opts);
   }
   /** Get agent details */
-  async get(agentId) {
-    return this.http.get(`/api/agents/${encodePathParam(agentId)}`);
+  async get(agentId, opts) {
+    return this.http.get(`/api/v3/baas/agents/${encodePathParam(agentId)}`, opts);
   }
   /** List all agents */
-  async list() {
-    return this.http.get("/api/agents");
+  async list(opts) {
+    return this.http.get("/api/v3/baas/agents", opts);
   }
   /**
    * Fund agent treasury (owner-only). Returns a
    * `PreparedTransactionResponse` wrapped in a `success: true` envelope —
    * the caller is expected to sign and submit the prepared bytes.
    */
-  async fund(agentId, request) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/fund`, request);
+  async fund(agentId, request, opts) {
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/fund`, request, opts);
   }
   /**
    * Execute a trade (agent-wallet OR owner). Returns a
    * `PreparedTransactionResponse` wrapped in a `success: true` envelope.
    */
-  async trade(agentId, request) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/trade`, request);
+  async trade(agentId, request, opts) {
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/trade`, request, opts);
   }
   /**
    * Withdraw from agent treasury (owner-only). Returns a
    * `PreparedTransactionResponse` wrapped in a `success: true` envelope.
    */
-  async withdraw(agentId, request) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/withdraw`, request);
+  async withdraw(agentId, request, opts) {
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/withdraw`, request, opts);
+  }
+  /**
+   * Execute a generic, declared capability (agent-wallet OR owner). The
+   * chain-agnostic general form of an agent action: the capability may settle
+   * on-chain, act off-chain, or both. Returns the ordered step results.
+   */
+  async execute(agentId, request, opts) {
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/execute`, request, opts);
   }
   /** Pause an agent */
-  async pause(agentId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/pause`, {});
+  async pause(agentId, opts) {
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/pause`, {}, opts);
   }
   /** Resume a paused agent */
-  async resume(agentId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/resume`, {});
+  async resume(agentId, opts) {
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/resume`, {}, opts);
   }
   /** Revoke an agent (permanent) */
-  async revoke(agentId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/revoke`, {});
+  async revoke(agentId, opts) {
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/revoke`, {}, opts);
   }
   /**
    * Update agent rules.
    *
-   * Server route is PATCH `/api/agents/:agentId/rules`
+   * Server route is PATCH `/api/v3/baas/agents/:agentId/rules`
    * (`agents.controller.ts:375`). The previous PUT variant 404'd because
    * Nest matched the dynamic `:agentId` GET/POST handlers and rejected
    * the verb mismatch.
    */
-  async updateRules(agentId, rules) {
-    return this.http.patch(`/api/agents/${encodePathParam(agentId)}/rules`, rules);
+  async updateRules(agentId, rules, opts) {
+    return this.http.patch(`/api/v3/baas/agents/${encodePathParam(agentId)}/rules`, rules, opts);
   }
   /** Get agent events */
-  async getEvents(agentId) {
-    return this.http.get(`/api/agents/${encodePathParam(agentId)}/events`);
+  async getEvents(agentId, opts) {
+    return this.http.get(`/api/v3/baas/agents/${encodePathParam(agentId)}/events`, opts);
   }
   /** Get agent balances across chains */
-  async getBalances(agentId) {
-    return this.http.get(`/api/agents/${encodePathParam(agentId)}/balances`);
+  async getBalances(agentId, opts) {
+    return this.http.get(`/api/v3/baas/agents/${encodePathParam(agentId)}/balances`, opts);
   }
   /** Approve a pending agent operation */
-  async approve(agentId, operationId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/approve/${encodePathParam(operationId)}`, {});
+  async approve(agentId, operationId, opts) {
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/approve/${encodePathParam(operationId)}`, {}, opts);
   }
   /** Reject a pending agent operation */
-  async reject(agentId, operationId) {
-    return this.http.post(`/api/agents/${encodePathParam(agentId)}/reject/${encodePathParam(operationId)}`, {});
+  async reject(agentId, operationId, opts) {
+    return this.http.post(`/api/v3/baas/agents/${encodePathParam(agentId)}/reject/${encodePathParam(operationId)}`, {}, opts);
   }
 };
 
@@ -3035,7 +3086,56 @@ var DeploymentClient = class {
    * {@link deploy} with the pushed image tag.
    */
   async init(request) {
-    return this.http.post("/api/deployment/apps/init", request);
+    return this.http.post("/api/v3/baas/deployment/apps/init", request);
+  }
+  /**
+   * Issue ephemeral Harbor push credentials for a smart-app that ALREADY
+   * EXISTS — the MINT-FIRST / DEPLOY-LAST credentials-push call.
+   *
+   * Unlike {@link init} (which historically allocated a fresh entity), this
+   * takes the developer's pre-existing `appId` — the `SUBSCRIPTION_APP_ID`
+   * minted by `hsuite subscribe` (`appId == DKG entityId`) — and ONLY
+   * (re)provisions the per-app Harbor project + push robot. The server creates
+   * no DKG entity and no subscription; it asserts the caller owns the app and
+   * that its subscription is ACTIVE (402 otherwise) first.
+   *
+   * Returns the same `{ appId, registry }` shape as {@link init}. Single-use
+   * secret discipline applies to `registry.password` exactly as in `init`.
+   *
+   * This is the credentials path the mint-first `hsuite deploy` uses to obtain
+   * push creds for the developer's already-minted subscription app
+   * (`POST /apps/:appId/credentials/push`). The `hsuite redeploy` re-push path
+   * uses {@link reissuePushCredentials} instead, which targets a dedicated
+   * `credentials/reissue` route with stricter SUSPENDED-app + Harbor-failure
+   * handling.
+   */
+  async pushCredentials(appId) {
+    return this.http.post(
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/push`,
+      {}
+    );
+  }
+  /**
+   * Reissue ephemeral Harbor push credentials for an EXISTING app, WITHOUT
+   * allocating a new appId / entity. Unlike {@link init} — which historically
+   * forked a fresh smart-app entity (and a fresh paid subscription) on every
+   * call — this re-binds to an app the developer already owns: the `appId` is
+   * echoed back unchanged and only a new single-use `registry.password` push
+   * robot is minted. Same `{ appId, registry }` response shape as `init`.
+   *
+   * Owner-only + active-subscription gated server-side. This is the credential
+   * path `hsuite redeploy` uses so a re-push does not cost a new entity +
+   * subscription each run. Targets the dedicated
+   * `POST /apps/:appId/credentials/reissue` route (distinct from
+   * {@link pushCredentials}'s first-deploy `credentials/push`): the reissue
+   * route additionally refuses SUSPENDED apps and surfaces Harbor failures
+   * loudly rather than returning placeholder creds.
+   */
+  async reissuePushCredentials(appId) {
+    return this.http.post(
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/reissue`,
+      {}
+    );
   }
   /**
    * Step 3 (optional) — upload the SPA tarball.
@@ -3046,7 +3146,7 @@ var DeploymentClient = class {
    */
   async uploadFrontend(appId, bundle, filename = "bundle.tar.gz") {
     return this.http.upload(
-      `/api/deployment/apps/${encodePathParam(appId)}/frontend`,
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/frontend`,
       bundle,
       filename,
       void 0,
@@ -3060,32 +3160,32 @@ var DeploymentClient = class {
    * until `runtime.runtimeState === 'RUNNING'` for the URL to be live.
    */
   async deploy(appId, request) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/deploy`, request);
+    return this.http.post(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/deploy`, request);
   }
   /**
    * Roll back to a previously-deployed image tag (must exist in
    * `runtime.deploymentHistory[]`).
    */
   async rollback(appId, request) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/rollback`, request);
+    return this.http.post(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/rollback`, request);
   }
   /**
    * Live combined lifecycle + runtime status of an app.
    */
   async status(appId) {
-    return this.http.get(`/api/deployment/apps/${encodePathParam(appId)}/status`);
+    return this.http.get(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/status`);
   }
   /**
    * List all deployed apps for the authenticated developer.
    */
   async list() {
-    return this.http.get("/api/deployment/apps");
+    return this.http.get("/api/v3/smart-apps");
   }
   /**
    * Get app details.
    */
   async get(appId) {
-    return this.http.get(`/api/deployment/apps/${encodePathParam(appId)}`);
+    return this.http.get(`/api/v3/smart-apps/${encodePathParam(appId)}`);
   }
   /**
    * Update app configuration.
@@ -3095,31 +3195,31 @@ var DeploymentClient = class {
    * @returns The updated app info.
    */
   async update(appId, updates) {
-    return this.http.put(`/api/deployment/apps/${encodePathParam(appId)}`, updates);
+    return this.http.put(`/api/v3/smart-apps/${encodePathParam(appId)}`, updates);
   }
   /**
    * Delete an app (runtime effect: namespace teardown).
    */
   async delete(appId) {
-    return this.http.delete(`/api/deployment/apps/${encodePathParam(appId)}`);
+    return this.http.delete(`/api/v3/smart-apps/${encodePathParam(appId)}`);
   }
   /**
    * Suspend an app (runtime effect: scale to zero).
    */
   async suspend(appId) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/suspend`, {});
+    return this.http.post(`/api/v3/smart-apps/${encodePathParam(appId)}/suspend`, {});
   }
   /**
    * Resume a suspended app (runtime effect: scale back up).
    */
   async resume(appId) {
-    return this.http.post(`/api/deployment/apps/${encodePathParam(appId)}/resume`, {});
+    return this.http.post(`/api/v3/smart-apps/${encodePathParam(appId)}/resume`, {});
   }
   /**
    * Get deployment statistics.
    */
   async getStats() {
-    return this.http.get("/api/deployment/stats");
+    return this.http.get("/api/v3/smart-apps/stats");
   }
   /**
    * Register or update the developer-facing webhook URL for runtime
@@ -3140,7 +3240,7 @@ var DeploymentClient = class {
    * CGNAT / cloud metadata destinations (SSRF guard).
    */
   async setWebhook(appId, webhookUrl) {
-    return this.http.put(`/api/deployment/apps/${encodePathParam(appId)}/webhook`, {
+    return this.http.put(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/webhook`, {
       webhookUrl
     });
   }
@@ -3156,7 +3256,7 @@ var DeploymentClient = class {
    * exposition format.
    */
   async getMetrics(appId) {
-    return this.http.getText(`/api/deployment/apps/${encodePathParam(appId)}/metrics`);
+    return this.http.getText(`/api/v3/baas/deployment/apps/${encodePathParam(appId)}/metrics`);
   }
   /**
    * Rotate the smart-app's tenant-secret KEK.
@@ -3167,7 +3267,7 @@ var DeploymentClient = class {
    */
   async rotateKek(appId) {
     return this.http.post(
-      `/api/deployment/apps/${encodePathParam(appId)}/credentials/rotate-kek`,
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/rotate-kek`,
       {}
     );
   }
@@ -3181,7 +3281,7 @@ var DeploymentClient = class {
    */
   async revokeKek(appId, version) {
     return this.http.post(
-      `/api/deployment/apps/${encodePathParam(appId)}/credentials/revoke-kek`,
+      `/api/v3/baas/deployment/apps/${encodePathParam(appId)}/credentials/revoke-kek`,
       { version }
     );
   }
@@ -3388,7 +3488,7 @@ var SmartEngineClient = class _SmartEngineClient {
   baseUrl;
   allowInsecure;
   http;
-  /** Separate HTTP client for /api/transactions (non-v3 base path) */
+  /** Separate HTTP client for /api/v3/transactions */
   txHttp;
   /** Last HTTP error (for getHttpHealth) */
   lastHttpError;
@@ -3449,7 +3549,7 @@ var SmartEngineClient = class _SmartEngineClient {
       timeout: config.timeout
     });
     this.txHttp = createHttpClient({
-      baseUrl: `${this.baseUrl}/api/transactions`,
+      baseUrl: `${this.baseUrl}/api/v3/transactions`,
       apiKey: config.apiKey,
       authToken: config.authToken,
       timeout: config.timeout
@@ -3783,7 +3883,17 @@ var SmartEngineClient = class _SmartEngineClient {
     return this.http.get("/status");
   }
   // ========== Messaging Operations ==========
-  /** Submit a message to consensus */
+  /**
+   * Submit a message to consensus.
+   *
+   * @deprecated Operator-funded message submission is RETIRED on the validator
+   *   under transaction sovereignty — `POST /api/v3/messages/:chain/:topicId`
+   *   now returns `403 Forbidden` (the operator must never front the chain fee
+   *   for a customer-supplied message). Use the payer-funded prepare path
+   *   instead: prepare a topic-message transaction via
+   *   `POST /api/transactions/topic/message/prepare`, then have the payer sign
+   *   and submit the returned bytes.
+   */
   async submitMessage(chain, topicId, message) {
     if (message.length > 1024 * 1024) {
       throw new SmartEngineError("Message too large (max 1MB)", 400);
@@ -4160,7 +4270,7 @@ var DatabaseClient = class {
   async insert(collection, document) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}`,
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}`,
       document
     );
   }
@@ -4178,7 +4288,7 @@ var DatabaseClient = class {
     if (options?.sort) params.set("sort", options.sort);
     const qs = params.toString();
     return this.http.get(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}${qs ? `?${qs}` : ""}`
     );
   }
   /**
@@ -4187,7 +4297,7 @@ var DatabaseClient = class {
   async update(collection, documentId, updates) {
     const appId = this.getAppId();
     return this.http.put(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`,
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`,
       updates
     );
   }
@@ -4197,19 +4307,19 @@ var DatabaseClient = class {
   async delete(collection, documentId) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(collection)}/${encodePathParam(documentId)}`
     );
   }
   /**
    * List collections for the app.
    *
-   * Server route is `/api/db/:appId/collections`
+   * Server route is `/api/v3/baas/db/:appId/collections`
    * (`database.controller.ts:106`). The previous bare-`:appId` GET 404'd
    * — Nest reserves that pattern for the document-find router below.
    */
   async listCollections() {
     const appId = this.getAppId();
-    return this.http.get(`/api/db/${encodePathParam(appId)}/collections`);
+    return this.http.get(`/api/v3/baas/db/${encodePathParam(appId)}/collections`);
   }
   /**
    * Create a new collection in the database.
@@ -4219,7 +4329,7 @@ var DatabaseClient = class {
    */
   async createCollection(name) {
     const appId = this.getAppId();
-    return this.http.post(`/api/db/${encodePathParam(appId)}/collections`, { name });
+    return this.http.post(`/api/v3/baas/db/${encodePathParam(appId)}/collections`, { name });
   }
   /**
    * Drop a collection and all its documents.
@@ -4230,7 +4340,7 @@ var DatabaseClient = class {
   async dropCollection(name) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/db/${encodePathParam(appId)}/collections/${encodePathParam(name)}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/collections/${encodePathParam(name)}`
     );
   }
   // ========== State Proofs ==========
@@ -4239,7 +4349,7 @@ var DatabaseClient = class {
    */
   async getStateRoot() {
     const appId = this.getAppId();
-    return this.http.get(`/api/db/${encodePathParam(appId)}/state/root`);
+    return this.http.get(`/api/v3/baas/db/${encodePathParam(appId)}/state/root`);
   }
   /**
    * Get a Merkle proof for a specific document
@@ -4247,7 +4357,7 @@ var DatabaseClient = class {
   async getDocumentProof(documentId) {
     const appId = this.getAppId();
     return this.http.get(
-      `/api/db/${encodePathParam(appId)}/${encodePathParam(documentId)}/proof`
+      `/api/v3/baas/db/${encodePathParam(appId)}/${encodePathParam(documentId)}/proof`
     );
   }
   /**
@@ -4261,7 +4371,7 @@ var DatabaseClient = class {
     if (options?.limit !== void 0) params.set("limit", String(options.limit));
     const qs = params.toString();
     return this.http.get(
-      `/api/db/${encodePathParam(appId)}/state/transitions${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/db/${encodePathParam(appId)}/state/transitions${qs ? `?${qs}` : ""}`
     );
   }
   /**
@@ -4269,7 +4379,7 @@ var DatabaseClient = class {
    */
   async getDbStats() {
     const appId = this.getAppId();
-    return this.http.get(`/api/db/${encodePathParam(appId)}/stats`);
+    return this.http.get(`/api/v3/baas/db/${encodePathParam(appId)}/stats`);
   }
 };
 
@@ -4284,30 +4394,31 @@ var StorageClient = class {
   /**
    * Upload a file to storage
    */
-  async upload(file, filename, metadata) {
+  async upload(file, filename, metadata, opts) {
     const appId = this.getAppId();
-    return this.http.upload(`/api/storage/${encodePathParam(appId)}/upload`, file, filename, metadata);
+    return this.http.upload(`/api/v3/baas/storage/${encodePathParam(appId)}/upload`, file, filename, metadata, void 0, opts);
   }
   /**
-   * Download a file by CID
+   * Download a file by CID. Returns the raw file bytes as a `Uint8Array`
+   * (binary-safe — never JSON-parsed or text-decoded).
    */
-  async download(cid) {
+  async download(cid, opts) {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/download/${encodePathParam(cid)}`);
+    return this.http.getBinary(`/api/v3/baas/storage/${encodePathParam(appId)}/download/${encodePathParam(cid)}`, opts);
   }
   /**
    * Get file metadata
    */
-  async getMetadata(cid) {
+  async getMetadata(cid, opts) {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/metadata/${encodePathParam(cid)}`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/metadata/${encodePathParam(cid)}`, opts);
   }
   /**
    * Delete a file
    */
-  async delete(cid) {
+  async delete(cid, opts) {
     const appId = this.getAppId();
-    return this.http.delete(`/api/storage/${encodePathParam(appId)}/${encodePathParam(cid)}`);
+    return this.http.delete(`/api/v3/baas/storage/${encodePathParam(appId)}/${encodePathParam(cid)}`, opts);
   }
   /**
    * List all files for the app.
@@ -4316,27 +4427,27 @@ var StorageClient = class {
    *   `offset` for pagination).
    * @returns The file list and total count.
    */
-  async listFiles(pagination) {
+  async listFiles(pagination, opts) {
     const appId = this.getAppId();
     const params = new URLSearchParams();
     if (pagination?.limit !== void 0) params.set("limit", String(pagination.limit));
     if (pagination?.offset !== void 0) params.set("offset", String(pagination.offset));
     const qs = params.toString();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/files${qs ? `?${qs}` : ""}`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/files${qs ? `?${qs}` : ""}`, opts);
   }
   /**
    * Get storage usage for the current app
    */
-  async getUsage() {
+  async getUsage(opts) {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/usage`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/usage`, opts);
   }
   /**
    * Check if a file exists
    */
-  async exists(cid) {
+  async exists(cid, opts) {
     const appId = this.getAppId();
-    return this.http.get(`/api/storage/${encodePathParam(appId)}/exists/${encodePathParam(cid)}`);
+    return this.http.get(`/api/v3/baas/storage/${encodePathParam(appId)}/exists/${encodePathParam(cid)}`, opts);
   }
 };
 
@@ -4349,61 +4460,99 @@ var FunctionsClient = class {
   http;
   getAppId;
   /**
-   * Deploy a new function
-   */
-  async deploy(request) {
+   * Build the Ed25519 signed-code envelope the host mandates for every deploy
+   * and eval. A fresh ephemeral keypair is generated per call, so no long-lived
+   * signing key is held anywhere — each artifact carries its own signature.
+   *
+   * Scheme (must match the host verifier): `hash = sha256(code)` (hex),
+   * `message = "<hash>:<timestamp>"`, signed Ed25519; `publicKey` is SPKI-DER
+   * (base64). `crypto` is imported lazily so this never pulls Node built-ins
+   * into a browser bundle that doesn't sign code.
+   */
+  async signCode(code) {
+    const { generateKeyPairSync, createHash, sign } = await import('crypto');
+    const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+    const hash = createHash("sha256").update(code, "utf8").digest("hex");
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const signature = sign(null, Buffer.from(`${hash}:${timestamp}`, "utf8"), privateKey).toString("base64");
+    const publicKeyDer = publicKey.export({ format: "der", type: "spki" }).toString("base64");
+    return { code, hash, timestamp, signature, publicKey: publicKeyDer };
+  }
+  /**
+   * Deploy a new function. If `signedCode` is omitted it is auto-built from
+   * `request.code` via {@link signCode} — the host requires it, so the default
+   * is to sign rather than 400. Pass your own envelope to override.
+   */
+  async deploy(request, opts) {
     const appId = this.getAppId();
-    return this.http.post(`/api/functions/${encodePathParam(appId)}`, request);
+    const signedCode = request.signedCode ?? await this.signCode(request.code);
+    return this.http.post(`/api/v3/baas/functions/${encodePathParam(appId)}`, { ...request, signedCode }, opts);
   }
   /**
    * Invoke a function
    */
-  async invoke(functionId, payload) {
+  async invoke(functionId, payload, opts) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/invoke`,
-      payload ?? {}
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/invoke`,
+      payload ?? {},
+      opts
     );
   }
+  /**
+   * Evaluate signed code once (ephemeral) — no persistent deploy.
+   *
+   * For throwaway / AI-generated snippets. The host runs it in the same hardened
+   * isolate and discards it; metered + quota'd like a normal invocation. As with
+   * {@link deploy}, `signedCode` is auto-built from `request.code` when omitted.
+   */
+  async eval(request, opts) {
+    const appId = this.getAppId();
+    const signedCode = request.signedCode ?? await this.signCode(request.code);
+    return this.http.post(`/api/v3/baas/functions/${encodePathParam(appId)}/eval`, { ...request, signedCode }, opts);
+  }
   /**
    * List all functions for the current app
    */
-  async list() {
+  async list(opts) {
     const appId = this.getAppId();
-    return this.http.get(`/api/functions/${encodePathParam(appId)}`);
+    return this.http.get(`/api/v3/baas/functions/${encodePathParam(appId)}`, opts);
   }
   /**
    * Get function details
    */
-  async get(functionId) {
+  async get(functionId, opts) {
     const appId = this.getAppId();
     return this.http.get(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`,
+      opts
     );
   }
   /**
    * Update a function
    */
-  async update(functionId, updates) {
+  async update(functionId, updates, opts) {
     const appId = this.getAppId();
     return this.http.put(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`,
-      updates
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`,
+      updates,
+      opts
     );
   }
   /**
    * Delete a function
    */
-  async delete(functionId) {
+  async delete(functionId, opts) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}`,
+      opts
     );
   }
   /**
    * Get function execution logs
    */
-  async getLogs(functionId, options) {
+  async getLogs(functionId, options, opts) {
     const appId = this.getAppId();
     const params = new URLSearchParams();
     if (options?.limit !== void 0) params.set("limit", String(options.limit));
@@ -4411,15 +4560,16 @@ var FunctionsClient = class {
     if (options?.level) params.set("level", options.level);
     const qs = params.toString();
     return this.http.get(
-      `/api/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/logs${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/functions/${encodePathParam(appId)}/${encodePathParam(functionId)}/logs${qs ? `?${qs}` : ""}`,
+      opts
     );
   }
   /**
    * Get function statistics for an app
    */
-  async getStats() {
+  async getStats(opts) {
     const appId = this.getAppId();
-    return this.http.get(`/api/functions/${encodePathParam(appId)}/stats`);
+    return this.http.get(`/api/v3/baas/functions/${encodePathParam(appId)}/stats`, opts);
   }
 };
 
@@ -4434,45 +4584,46 @@ var MessagingClient = class {
   /**
    * Create a new channel
    */
-  async createChannel(config) {
+  async createChannel(config, opts) {
     const appId = this.getAppId();
-    return this.http.post(`/api/messaging/${encodePathParam(appId)}/channels`, config);
+    return this.http.post(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels`, config, opts);
   }
   /**
    * Delete a channel
    */
-  async deleteChannel(channelId) {
+  async deleteChannel(channelId, opts) {
     const appId = this.getAppId();
-    return this.http.delete(`/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`);
+    return this.http.delete(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`, opts);
   }
   /**
    * Get a channel by ID
    */
-  async getChannel(channelId) {
+  async getChannel(channelId, opts) {
     const appId = this.getAppId();
-    return this.http.get(`/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`);
+    return this.http.get(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channelId)}`, opts);
   }
   /**
    * List all channels for the app
    */
-  async listChannels() {
+  async listChannels(opts) {
     const appId = this.getAppId();
-    return this.http.get(`/api/messaging/${encodePathParam(appId)}/channels`);
+    return this.http.get(`/api/v3/baas/messaging/${encodePathParam(appId)}/channels`, opts);
   }
   /**
    * Publish a message to a channel
    */
-  async publish(channel, message, metadata) {
+  async publish(channel, message, metadata, opts) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/publish`,
-      { data: message, metadata }
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/publish`,
+      { data: message, metadata },
+      opts
     );
   }
   /**
    * Get message history for a channel
    */
-  async getHistory(channel, options) {
+  async getHistory(channel, options, opts) {
     const appId = this.getAppId();
     const params = new URLSearchParams();
     if (options?.limit !== void 0) params.set("limit", String(options.limit));
@@ -4480,7 +4631,8 @@ var MessagingClient = class {
     if (options?.after) params.set("after", options.after);
     const qs = params.toString();
     return this.http.get(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/history${qs ? `?${qs}` : ""}`
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/history${qs ? `?${qs}` : ""}`,
+      opts
     );
   }
   /**
@@ -4491,43 +4643,46 @@ var MessagingClient = class {
    * `setPresence(member)` hit a non-existent appId-scoped route and 404'd
    * in production. The channel is now the first argument.
    */
-  async setPresence(channel, member) {
+  async setPresence(channel, member, opts) {
     const appId = this.getAppId();
     return this.http.post(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`,
-      member
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`,
+      member,
+      opts
     );
   }
   /**
    * Remove a member's presence from a channel.
    *
    * BREAKING CHANGE (SDK 3.3.0): server route is
-   * `/api/messaging/:appId/channels/:channel/presence/:clientId`
+   * `/api/v3/baas/messaging/:appId/channels/:channel/presence/:clientId`
    * (`messaging.controller.ts:352`). `channel` is now the first arg and
    * `clientId` (not `memberId`) the second — they're the same identifier
    * but renamed to match the server param.
    */
-  async removePresence(channel, clientId) {
+  async removePresence(channel, clientId, opts) {
     const appId = this.getAppId();
     return this.http.delete(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence/${encodePathParam(clientId)}`
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence/${encodePathParam(clientId)}`,
+      opts
     );
   }
   /**
    * Get presence info for a channel
    */
-  async getPresence(channel) {
+  async getPresence(channel, opts) {
     const appId = this.getAppId();
     return this.http.get(
-      `/api/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`
+      `/api/v3/baas/messaging/${encodePathParam(appId)}/channels/${encodePathParam(channel)}/presence`,
+      opts
     );
   }
   /**
    * Get messaging statistics
    */
-  async getStats() {
+  async getStats(opts) {
     const appId = this.getAppId();
-    return this.http.get(`/api/messaging/${encodePathParam(appId)}/stats`);
+    return this.http.get(`/api/v3/baas/messaging/${encodePathParam(appId)}/stats`, opts);
   }
 };
 
@@ -4543,21 +4698,21 @@ var CustomerSessionClient = class {
    * Step 1: ask the host to issue a fresh challenge for the customer to sign.
    */
   async challenge(input) {
-    return this.fetch("POST", "/api/customer-session/challenge", input);
+    return this.fetch("POST", "/api/v3/baas/customer-session/challenge", input);
   }
   /**
    * Step 2: submit the customer's signed challenge. On success returns a
    * short-lived bearer JWT scoped to {appId, chain, address}.
    */
   async verify(req) {
-    return this.fetch("POST", "/api/customer-session/verify", req);
+    return this.fetch("POST", "/api/v3/baas/customer-session/verify", req);
   }
   /**
    * Validate a customer bearer + return the decoded session info. Used by
    * smart-app backends to authorise incoming customer requests.
    */
   async validate(bearer) {
-    return this.fetch("GET", "/api/customer-session/validate", void 0, bearer);
+    return this.fetch("GET", "/api/v3/baas/customer-session/validate", void 0, bearer);
   }
   /**
    * Revoke a customer session. Idempotent.
@@ -4565,7 +4720,7 @@ var CustomerSessionClient = class {
   async end(bearer) {
     return this.fetch(
       "POST",
-      "/api/customer-session/end",
+      "/api/v3/baas/customer-session/end",
       void 0,
       bearer
     );
@@ -4611,15 +4766,15 @@ var RulesClient = class {
   http;
   /** Publish a canonical ValidatorRules document to HCS. */
   async publish(rule) {
-    return this.http.post("/api/rules/publish", rule);
+    return this.http.post("/api/v3/baas/rules/publish", rule);
   }
   /** Fetch a published rule by its HCS consensus timestamp. */
   async get(consensusTimestamp) {
-    return this.http.get(`/api/rules/${encodePathParam(consensusTimestamp)}`);
+    return this.http.get(`/api/v3/baas/rules/${encodePathParam(consensusTimestamp)}`);
   }
   /** List rules owned by the authenticated entity, optionally filtered by type. */
   async listByOwner(filter) {
-    const path = filter?.type ? `/api/rules?type=${encodeURIComponent(filter.type)}` : "/api/rules";
+    const path = filter?.type ? `/api/v3/baas/rules?type=${encodeURIComponent(filter.type)}` : "/api/v3/baas/rules";
     return this.http.get(path);
   }
   /**
@@ -4627,44 +4782,332 @@ var RulesClient = class {
    * `ruleRef` (published) or `rule` (inline) must be supplied by the caller.
    */
   async simulate(params) {
-    return this.http.post("/api/rules/simulate", params);
+    return this.http.post("/api/v3/baas/rules/simulate", params);
   }
   /** Walk the version history of a published rule. */
   async getVersionHistory(consensusTimestamp) {
     return this.http.get(
-      `/api/rules/${encodePathParam(consensusTimestamp)}/versions`
+      `/api/v3/baas/rules/${encodePathParam(consensusTimestamp)}/versions`
     );
   }
   /** Deprecate a published rule (owner-only). */
   async deprecate(consensusTimestamp) {
     return this.http.post(
-      `/api/rules/${encodePathParam(consensusTimestamp)}/deprecate`,
+      `/api/v3/baas/rules/${encodePathParam(consensusTimestamp)}/deprecate`,
       {}
     );
   }
 };
 
 // src/baas/entities/client.ts
-var EntitiesClient = class {
+var EntitiesClient = class _EntitiesClient {
   constructor(http) {
     this.http = http;
   }
   http;
-  /** Create a canonical token entity bound to a published rule. */
+  /**
+   * Chains whose token-create routes through the payer-funded 3-step (prepare →
+   * fund → execute), mirroring `createAccount`. Hedera = real HTS TokenCreate
+   * (admin/supply = the per-entity DKG slot-pubkey KeyList; treasury = the
+   * entity's own account; `0.0.X` token id is network-assigned, resolved from the
+   * receipt via the threaded `createTxId`). Cardano/Solana/Polkadot = the
+   * AUTHORITY entity (the entity IS the policy/mint/Assets-admin multisig — same
+   * address as an account; the asset MINT itself is a later operate-tab payer
+   * call). XRPL/Stellar token = an ISSUER ACCOUNT (reuses the account preparer) +
+   * issuer flags set at finalize: XRPL relays the funding Payment then finalizes
+   * (issuer-flag AccountSets + SignerListSet + disable-master); Stellar relays the
+   * CreateAccount then finalizes (SetOptions install incl. issuer setFlags +
+   * master lock). Every OTHER chain (EVM) stays on the legacy synchronous path.
+   */
+  static PAYER_FUNDED_TOKEN_CHAINS = /* @__PURE__ */ new Set([
+    "hedera",
+    "cardano",
+    "solana",
+    "polkadot",
+    "xrpl",
+    "stellar"
+  ]);
+  /**
+   * PREPARE half of the payer-funded token-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/prepare-create` with `entityType: 'token'`. The cluster
+   * runs the per-entity DKG, builds the payer-funded create (Hedera: TokenCreate
+   * keyed by the slot-pubkey KeyList with the entity account as treasury;
+   * Cardano/Solana/Polkadot: funds/provisions the authority multisig), and returns
+   * the prepared blob. The prepared `transactionId` is the `createTxId` for
+   * execute (Hedera).
+   */
+  async prepareCreateToken(req) {
+    return this.http.post("/api/v3/baas/entities/prepare-create", {
+      entityType: "token",
+      ...req
+    });
+  }
+  /**
+   * EXECUTE half of the payer-funded token-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/execute-create` with `entityType: 'token'`. For Hedera,
+   * pass `createTxId` (the prepared create's `transactionId`) so the validator
+   * resolves the network-assigned `0.0.X` token id from the receipt and stamps
+   * `chainAccounts.hedera`. For the authority-entity chains (cardano/solana/
+   * polkadot) execute just verifies the binding and echoes the stamped authority
+   * address (no `createTxId` needed).
+   */
+  async executeCreateToken(req) {
+    const { createTxId, signedFundingBlob, ...rest } = req;
+    return this.http.post("/api/v3/baas/entities/execute-create", {
+      ...rest,
+      ...createTxId !== void 0 ? { createTxId } : {},
+      ...signedFundingBlob !== void 0 ? { signedFundingBlob } : {},
+      entityType: "token"
+    });
+  }
+  /**
+   * Create a canonical token entity bound to a published rule.
+   *
+   * Dispatches by `chain` (mirrors `createAccount`):
+   *  - **Hedera / Cardano / Solana / Polkadot** = payer-funded 3-step (prepare →
+   *    caller funds via `fundWith` → execute). Hedera resolves the network-assigned
+   *    `0.0.X` token id from the receipt (threads `createTxId`); the authority-
+   *    entity chains verify/echo the stamped authority address. `fundWith` is
+   *    REQUIRED; to drive the steps manually call `prepareCreateToken` /
+   *    `executeCreateToken` directly.
+   *  - **XRPL / Stellar** = payer-funded too (account-model issuer): `fundWith`
+   *    REQUIRED; the caller's signed funding blob is RELAYED to the validator,
+   *    which submits it then finalizes the issuer multisig (master-locked). NO
+   *    issuer flags are set at create — issuer auth flags / DefaultRipple / clawback
+   *    are an operate-tab, rules-validated concern.
+   *  - **EVM / other** = legacy synchronous `POST /api/v3/baas/entities/createToken`
+   *    (payer-funded-only fields ignored) until it migrates.
+   */
   async createToken(req) {
-    return this.http.post("/api/entities/createToken", req);
+    if (_EntitiesClient.PAYER_FUNDED_TOKEN_CHAINS.has(req.chain)) {
+      const { fundWith, ...prepReq } = req;
+      const prep = await this.prepareCreateToken(prepReq);
+      if (!fundWith) {
+        throw new Error(
+          `createToken(${req.chain}): pass fundWith (sign+submit the prepared create tx), or call prepareCreateToken/executeCreateToken directly`
+        );
+      }
+      const funded = await fundWith(prep.prepared, {
+        address: prep.address,
+        reserveRequirement: prep.reserveRequirement
+      });
+      return this.executeCreateToken({
+        entityId: prep.entityId,
+        chain: req.chain,
+        securityMode: req.securityMode,
+        signedFundingBlob: _EntitiesClient.FUNDING_BLOB_RELAY_CHAINS.has(req.chain) ? funded?.signedFundingBlob : void 0,
+        createTxId: req.chain === "hedera" ? prep.prepared?.[0]?.transactionId : void 0
+      });
+    }
+    const {
+      fundWith: _ignoredFundWith,
+      payerAccountId: _ignoredPayer,
+      securityMode: _ignoredSecurityMode,
+      ...legacyReq
+    } = req;
+    return this.http.post("/api/v3/baas/entities/createToken", legacyReq);
+  }
+  /**
+   * PREPARE half of the payer-funded account-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/prepare-create`. The cluster runs the per-entity DKG
+   * (persists the binding, submits nothing on-chain) and returns the unsigned
+   * payer-funding `Payment`(s) the caller signs + submits with their own wallet.
+   */
+  async prepareCreateAccount(req) {
+    return this.http.post("/api/v3/baas/entities/prepare-create", {
+      entityType: "account",
+      ...req
+    });
+  }
+  /**
+   * EXECUTE half of the payer-funded account-create flow.
+   *
+   * POSTs `/api/v3/baas/entities/execute-create`. The entity already exists (its DKG
+   * ran during prepare); pass `signedFundingBlob` for the validator to submit
+   * the payer's signed funding `Payment` (XRPL only), or omit it when the caller
+   * already submitted the funding tx themselves (then execute just finalizes /
+   * verifies).
+   *
+   * `createTxId` is the HEDERA thread: a Hedera AccountCreate gets its
+   * network-assigned `0.0.X` id only from the on-chain receipt after the payer
+   * submits. The caller threads the prepared create's `transactionId` (from
+   * `prepared[0].transactionId`) back here so the validator resolves the id from
+   * the receipt server-side. Ignored for non-Hedera chains.
+   */
+  async executeCreateAccount(req) {
+    const { createTxId, ...rest } = req;
+    return this.http.post("/api/v3/baas/entities/execute-create", {
+      ...rest,
+      ...createTxId !== void 0 ? { createTxId } : {}
+    });
   }
-  /** Create a canonical account entity bound to a published rule. */
+  /**
+   * Chains whose account-create routes through the payer-funded 3-step
+   * (prepare → fund → execute). All are ledgers where the validators never pay:
+   * XRPL funds a reserve; Bitcoin funds a P2WSH UTXO; Cardano funds a
+   * native-script enterprise address above min-UTXO; Polkadot funds a
+   * pallet_multisig SS58 above the existential deposit; Solana funds a Squads
+   * multisig PDA (deterministic from the createKey) via a payer-paid
+   * `multisigCreateV2` — the payer's submission IS the create (no separate
+   * finalizer). Hedera is create-WITH-KEY: the payer submits an AccountCreate
+   * whose controlling key is the per-entity DKG slot-pubkey KeyList, so the
+   * payer's submit IS the create; its `0.0.X` id is network-assigned (resolved
+   * from the receipt at execute-create via the threaded `createTxId`). Stellar is
+   * account-MODEL (like XRPL): the payer funds the entity's slot-0 `G...` master
+   * via a CreateAccount, the validator RELAYS the signed funding blob, then
+   * execute-create finalizes on-chain (threshold-signs a SetOptions installing
+   * the validator chain-key multisig + locking the master). EVM stays on the
+   * legacy synchronous create until it migrates.
+   */
+  static PAYER_FUNDED_CREATE_CHAINS = /* @__PURE__ */ new Set([
+    "xrpl",
+    "bitcoin",
+    "cardano",
+    "polkadot",
+    "solana",
+    "hedera",
+    "stellar"
+  ]);
+  /**
+   * Chains whose execute-create RELAYS the payer's signed funding blob for the
+   * validator to submit (then finalizes on-chain). Both are account-model ledgers
+   * with a validator-side finalize step: XRPL (SignerListSet + disable-master),
+   * Stellar (SetOptions install + master lock). Every OTHER payer-funded chain
+   * has the PAYER submit the funding tx directly with their own wallet — their
+   * execute-create REJECTS a non-undefined `signedFundingBlob` (400), so the blob
+   * is omitted for them.
+   */
+  static FUNDING_BLOB_RELAY_CHAINS = /* @__PURE__ */ new Set(["xrpl", "stellar"]);
+  /**
+   * Create a canonical account entity bound to a published rule.
+   *
+   * Dispatches by `chain`:
+   *  - **XRPL / Stellar / Bitcoin / Cardano / Polkadot / Solana / Hedera** =
+   *    payer-funded 3-step (prepare → fund → execute). The cluster runs the
+   *    per-entity DKG and returns the unsigned payer-funding tx(s); the
+   *    caller-supplied `fundWith` callback signs + submits (or just signs) the
+   *    funding tx with their OWN wallet — the SDK never holds the customer's chain
+   *    key nor opens a network connection — then `executeCreateAccount` finalizes
+   *    (XRPL + Stellar finalize on-chain after relaying the funding blob; the
+   *    deterministic ledgers + Solana verify/stamp the binding; Hedera resolves
+   *    the network-assigned id from the receipt). `fundWith` is REQUIRED on these
+   *    chains; to drive the steps manually call `prepareCreateAccount` /
+   *    `executeCreateAccount` directly.
+   *  - **other chains** (EVM) = legacy synchronous create — a single
+   *    `POST /api/v3/baas/entities/createAccount`, unchanged from pre-3.9.0. These chains
+   *    migrate to the payer-funded flow in a later phase; until then the
+   *    payer-funded-only fields (`fundWith` / `payerAccountId` / `securityMode`)
+   *    are ignored.
+   */
   async createAccount(req) {
-    return this.http.post("/api/entities/createAccount", req);
+    if (_EntitiesClient.PAYER_FUNDED_CREATE_CHAINS.has(req.chain)) {
+      const { fundWith, ...prepReq } = req;
+      const prep = await this.prepareCreateAccount(prepReq);
+      if (!fundWith) {
+        throw new Error(
+          `createAccount(${req.chain}): pass fundWith (sign+submit the prepared funding tx), or call prepareCreateAccount/executeCreateAccount directly`
+        );
+      }
+      const funded = await fundWith(prep.prepared, {
+        address: prep.address,
+        reserveRequirement: prep.reserveRequirement
+      });
+      return this.executeCreateAccount({
+        entityId: prep.entityId,
+        chain: req.chain,
+        securityMode: req.securityMode,
+        signedFundingBlob: _EntitiesClient.FUNDING_BLOB_RELAY_CHAINS.has(req.chain) ? funded?.signedFundingBlob : void 0,
+        createTxId: req.chain === "hedera" ? prep.prepared?.[0]?.transactionId : void 0
+      });
+    }
+    const {
+      fundWith: _ignoredFundWith,
+      payerAccountId: _ignoredPayer,
+      securityMode: _ignoredSecurityMode,
+      ...legacyReq
+    } = req;
+    return this.http.post("/api/v3/baas/entities/createAccount", legacyReq);
+  }
+  /**
+   * PREPARE half of the payer-funded topic-create flow (Hedera).
+   *
+   * POSTs `/api/v3/baas/entities/prepare-create` with `entityType: 'topic'`. The cluster
+   * runs the per-entity DKG (persists the binding), builds the payer-funded
+   * TopicCreate keyed by the slot-pubkey KeyList, attaches the validator admin
+   * threshold sig, and returns the prepared blob for the caller to add the fee
+   * sig + submit. The prepared `transactionId` is the `createTxId` for execute.
+   */
+  async prepareCreateTopic(req) {
+    return this.http.post("/api/v3/baas/entities/prepare-create", {
+      entityType: "topic",
+      ...req
+    });
+  }
+  /**
+   * EXECUTE half of the payer-funded topic-create flow (Hedera).
+   *
+   * POSTs `/api/v3/baas/entities/execute-create` with `entityType: 'topic'`. The topic
+   * already exists once the payer submitted the create tx; pass `createTxId` (the
+   * prepared create's `transactionId`) so the validator resolves the network-
+   * assigned `0.0.X` topic id from the receipt and stamps `chainAccounts.hedera`.
+   */
+  async executeCreateTopic(req) {
+    return this.http.post("/api/v3/baas/entities/execute-create", {
+      ...req,
+      entityType: "topic"
+    });
   }
-  /** Create a canonical topic entity bound to a published rule. */
+  /**
+   * Create a canonical topic entity bound to a published rule.
+   *
+   * Dispatches by `chain`:
+   *  - **Hedera** = payer-funded 3-step (prepare → caller submits the TopicCreate
+   *    via `fundWith` → execute resolves the `0.0.X` topic id from the receipt).
+   *    `fundWith` is REQUIRED; to drive the steps manually call
+   *    `prepareCreateTopic` / `executeCreateTopic` directly.
+   *  - **other chains** = legacy synchronous `POST /api/v3/baas/entities/createTopic`
+   *    (topics are a Hedera primitive; the legacy path is unchanged).
+   */
   async createTopic(req) {
-    return this.http.post("/api/entities/createTopic", req);
+    if (req.chain === "hedera") {
+      const { fundWith, ...prepReq } = req;
+      const prep = await this.prepareCreateTopic(prepReq);
+      if (!fundWith) {
+        throw new Error(
+          "createTopic(hedera): pass fundWith (sign+submit the prepared TopicCreate), or call prepareCreateTopic/executeCreateTopic directly"
+        );
+      }
+      await fundWith(prep.prepared, {
+        address: prep.address,
+        reserveRequirement: prep.reserveRequirement
+      });
+      const createTxId = prep.prepared?.[0]?.transactionId;
+      if (!createTxId) {
+        throw new Error(
+          "createTopic(hedera): prepared TopicCreate carries no transactionId \u2014 cannot resolve the topic id from the receipt"
+        );
+      }
+      return this.executeCreateTopic({
+        entityId: prep.entityId,
+        chain: req.chain,
+        createTxId,
+        securityMode: req.securityMode
+      });
+    }
+    const {
+      fundWith: _ignoredFundWith,
+      payerAccountId: _ignoredPayer,
+      securityMode: _ignoredSecurityMode,
+      ...legacyReq
+    } = req;
+    return this.http.post("/api/v3/baas/entities/createTopic", legacyReq);
   }
   /** Create a canonical agent entity bound to a published rule. */
   async createAgent(req) {
-    return this.http.post("/api/entities/createAgent", req);
+    return this.http.post("/api/v3/baas/entities/createAgent", req);
   }
   /**
    * Mega-helper: build a token rule with a launchpad ModuleEntry attached,
@@ -4672,15 +5115,15 @@ var EntitiesClient = class {
    * round-trip.
    */
   async launchpad(req) {
-    return this.http.post("/api/entities/launchpad", req);
+    return this.http.post("/api/v3/baas/entities/launchpad", req);
   }
   /** Fetch an entity by its canonical `entityId`. */
   async get(entityId) {
-    return this.http.get(`/api/entities/${encodePathParam(entityId)}`);
+    return this.http.get(`/api/v3/baas/entities/${encodePathParam(entityId)}`);
   }
   /** List entities owned by the authenticated wallet, optionally filtered by type. */
   async listByOwner(filter) {
-    const path = filter?.type ? `/api/entities?type=${encodeURIComponent(filter.type)}` : "/api/entities";
+    const path = filter?.type ? `/api/v3/baas/entities?type=${encodeURIComponent(filter.type)}` : "/api/v3/baas/entities";
     return this.http.get(path);
   }
 };
@@ -4693,6 +5136,13 @@ var BaasClient = class _BaasClient {
   timeout;
   allowInsecure;
   http;
+  /**
+   * Validator-routed HTTP client for the `/api/v3/transactions/*` prepare/execute
+   * surface — a SIBLING of `/host`, NOT under the `pathPrefix`. Rooted at the
+   * raw gateway/ingress origin (`hostUrl`) so transactions reach the validator
+   * even when BaaS traffic is gateway-routed at `/host/*`.
+   */
+  txHttp;
   /** Last HTTP error (for getHttpHealth) */
   lastHttpError;
   /**
@@ -4721,6 +5171,14 @@ var BaasClient = class _BaasClient {
   rules;
   /** Canonical entity authoring surface (token/account/topic/agent + launchpad). */
   entities;
+  /**
+   * Validator-routed transaction prepare/execute (sovereignty model). The
+   * prepare endpoints accept an explicit `payerAccountId` for the session-less
+   * payer path, OR carry the web3-auth session token for the JWT-wallet payer
+   * path (kept in sync with the main client's token — see {@link authenticate}).
+   * Targets `/api/v3/transactions/*`, a sibling of the `/host` BaaS surface.
+   */
+  transactions;
   constructor(config) {
     this.allowInsecure = config.allowInsecure ?? false;
     this.hostUrl = validateUrl2(config.hostUrl, this.allowInsecure);
@@ -4734,7 +5192,12 @@ var BaasClient = class _BaasClient {
       timeout: this.timeout,
       // Transparent session refresh: on a 401, re-run the challenge-response
       // with the retained signer and retry once. No-op until authenticate() has
-      // been called (authContext set). Excludes /api/auth/* (see http client).
+      // been called (authContext set). Excludes /api/v3/{,baas/}auth/* (see http client).
+      onUnauthorized: () => this.reauthenticate()
+    });
+    this.txHttp = createHttpClient({
+      baseUrl: `${this.hostUrl.replace(/\/$/, "")}/api/v3/transactions`,
+      timeout: this.timeout,
       onUnauthorized: () => this.reauthenticate()
     });
     const getAppId = () => this.requireAppId();
@@ -4747,6 +5210,7 @@ var BaasClient = class _BaasClient {
     this.customerSession = new CustomerSessionClient(baseUrlWithPrefix, this.timeout);
     this.rules = new RulesClient(this.http);
     this.entities = new EntitiesClient(this.http);
+    this.transactions = new TransactionsClient(this.txHttp);
   }
   /**
    * Connect to the Smart Engines BaaS via cluster auto-discovery.
@@ -4874,7 +5338,7 @@ var BaasClient = class _BaasClient {
     this.authContext = options;
     let challenge;
     try {
-      challenge = await this.http.post("/api/auth/challenge", {
+      challenge = await this.http.post("/api/v3/baas/auth/challenge", {
         chain,
         walletAddress,
         appId: this.appId
@@ -4885,7 +5349,7 @@ var BaasClient = class _BaasClient {
     const signature = await signFn(challenge.message);
     let result;
     try {
-      result = await this.http.post("/api/auth/verify", {
+      result = await this.http.post("/api/v3/baas/auth/verify", {
         challengeId: challenge.challengeId,
         signature,
         publicKey
@@ -4894,6 +5358,7 @@ var BaasClient = class _BaasClient {
       throw asBaasError(err);
     }
     this.http.setAuthToken(result.token);
+    this.txHttp.setAuthToken(result.token);
     return result;
   }
   /**
@@ -4901,30 +5366,31 @@ var BaasClient = class _BaasClient {
    * session token. Invoked by the http client's `onUnauthorized` hook when a
    * request 401s because the token expired — so long-lived clients keep working
    * without the caller re-implementing refresh. No-op if {@link authenticate}
-   * was never called. The `/api/auth/*` calls below are excluded from the http
+   * was never called. The `/api/v3/baas/auth/*` calls below are excluded from the http
    * client's 401-retry path, so this can never recurse.
    */
   async reauthenticate() {
     const ctx = this.authContext;
     if (!ctx) return;
-    const challenge = await this.http.post("/api/auth/challenge", {
+    const challenge = await this.http.post("/api/v3/baas/auth/challenge", {
       chain: ctx.chain,
       walletAddress: ctx.walletAddress,
       appId: this.appId
     });
     const signature = await ctx.signFn(challenge.message);
-    const result = await this.http.post("/api/auth/verify", {
+    const result = await this.http.post("/api/v3/baas/auth/verify", {
       challengeId: challenge.challengeId,
       signature,
       publicKey: ctx.publicKey
     });
     this.http.setAuthToken(result.token);
+    this.txHttp.setAuthToken(result.token);
   }
   /** Validate the current session */
   async validateSession() {
     this.requireAuth();
     try {
-      return await this.http.get("/api/auth/session");
+      return await this.http.get("/api/v3/baas/auth/session");
     } catch (err) {
       throw asBaasError(err);
     }
@@ -4933,11 +5399,12 @@ var BaasClient = class _BaasClient {
   async logout() {
     if (this.http.getAuthToken()) {
       try {
-        await this.http.post("/api/auth/logout", {});
+        await this.http.post("/api/v3/baas/auth/logout", {});
       } catch {
       }
     }
     this.http.setAuthToken(void 0);
+    this.txHttp.setAuthToken(void 0);
   }
   // ========== HTTP Helpers ==========
   requireAuth() {