@keetanetwork/keetanet-client 0.16.1 → 0.18.0

package/client/index-browser.js

@@ -101235,6 +101235,7 @@ __webpack_require__.d(client_helper_namespaceObject, {
   crypto: () => (client_helper_crypto),
   debugPrintableObject: () => (client_debugPrintableObject),
   env: () => (client_env),
+  getTypedObjectEntries: () => (client_getTypedObjectEntries),
   isBuffer: () => (client_isBuffer),
   isIntegerOrBigInt: () => (client_isIntegerOrBigInt),
   nonNullable: () => (client_nonNullable),
@@ -101332,6 +101333,16 @@ __webpack_require__.d(client_utils_asn1_namespaceObject, {
   isValidSequenceSchema: () => (client_isValidSequenceSchema)
 });
 
+// NAMESPACE OBJECT: ./src/lib/utils/domain-separation.ts
+var client_domain_separation_namespaceObject = {};
+__webpack_require__.r(client_domain_separation_namespaceObject);
+__webpack_require__.d(client_domain_separation_namespaceObject, {
+  KeetaNamespaceVersion: () => (client_KeetaNamespaceVersion),
+  MaxNamespaceLength: () => (client_MaxNamespaceLength),
+  applyNamespace: () => (client_applyNamespace),
+  namespacePrefixSchema: () => (client_namespacePrefixSchema)
+});
+
 // NAMESPACE OBJECT: ./src/lib/utils/conversion.ts
 var client_conversion_namespaceObject = {};
 __webpack_require__.r(client_conversion_namespaceObject);
@@ -105460,6 +105471,12 @@ function src_client_assertClassBrand(e, t, n) { if ("function" == typeof e ? e =
 
 
 
+
+// Helper to get properly typed entries from an object
+function client_getTypedObjectEntries(obj) {
+  // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+  return Object.entries(obj);
+}
 const client_helper_randomBytes = client_crypto_default().randomBytes.bind((client_crypto_default()));
 const client_helper_randomUUID = (client_crypto_default()).randomUUID ? client_crypto_default().randomUUID.bind((client_crypto_default())) : function () {
   return client_esm_browser_v4();
@@ -106337,6 +106354,58 @@ class src_client_BufferStorage {
 client_BufferStorage = src_client_BufferStorage;
 client_buffer_defineProperty(src_client_BufferStorage, "isInstance", client_checkableGenerator(client_BufferStorage));
 
+;// ./src/lib/error/base.ts
+var client_KeetaNetErrorBase;
+function client_base_defineProperty(e, r, t) { return (r = client_base_toPropertyKey(r)) in e ? Object.defineProperty(e, r, { value: t, enumerable: !0, configurable: !0, writable: !0 }) : e[r] = t, e; }
+function client_base_toPropertyKey(t) { var i = client_base_toPrimitive(t, "string"); return "symbol" == typeof i ? i : i + ""; }
+function client_base_toPrimitive(t, r) { if ("object" != typeof t || !t) return t; var e = t[Symbol.toPrimitive]; if (void 0 !== e) { var i = e.call(t, r || "default"); if ("object" != typeof i) return i; throw new TypeError("@@toPrimitive must return a primitive value."); } return ("string" === r ? String : Number)(t); }
+
+class src_client_KeetaNetErrorBase extends Error {
+  constructor(code, message, validation) {
+    super(message);
+    const type = (validation === null || validation === void 0 ? void 0 : validation.type) || 'GENERIC';
+    if (validation !== undefined) {
+      const prefix = `${validation.type}_`;
+      const validPrefix = code.startsWith(prefix);
+      const withoutPrefix = code.substring(prefix.length);
+      const validCode = validation.codes.includes(withoutPrefix);
+      if (!validPrefix || !validCode) {
+        throw new Error(`Invalid construction of KeetaNetError Type: ${validation.type} Code: ${code}, prefix ${prefix} valid ${validPrefix} valid code: ${validCode}`);
+      }
+    }
+    this.code = code;
+    this.type = type;
+  }
+  toJSON() {
+    return {
+      type: this.type,
+      code: this.code,
+      message: this.message
+    };
+  }
+}
+client_KeetaNetErrorBase = src_client_KeetaNetErrorBase;
+client_base_defineProperty(src_client_KeetaNetErrorBase, "isInstance", client_checkableGenerator(client_KeetaNetErrorBase, false));
+;// ./src/lib/error/account.ts
+var client_KeetaNetAccountError;
+function client_account_defineProperty(e, r, t) { return (r = client_account_toPropertyKey(r)) in e ? Object.defineProperty(e, r, { value: t, enumerable: !0, configurable: !0, writable: !0 }) : e[r] = t, e; }
+function client_account_toPropertyKey(t) { var i = client_account_toPrimitive(t, "string"); return "symbol" == typeof i ? i : i + ""; }
+function client_account_toPrimitive(t, r) { if ("object" != typeof t || !t) return t; var e = t[Symbol.toPrimitive]; if (void 0 !== e) { var i = e.call(t, r || "default"); if ("object" != typeof i) return i; throw new TypeError("@@toPrimitive must return a primitive value."); } return ("string" === r ? String : Number)(t); }
+
+
+const client_AccountErrorType = 'ACCOUNT';
+const client_AccountErrorCodes = ['INVALID_PREFIX', 'INVALID_KEYTYPE', 'INVALID_KEYTYPE_EXTERNAL', 'PASSPHRASE_WEAK', 'INVALID_CONSTRUCTION', 'NO_IDENTIFIER_SIGN', 'NO_IDENTIFIER_VERIFY', 'NOT_ACCOUNT', 'NOT_IDENTIFIER', 'INVALID_IDENTIFIER_CONSTRUCTION', 'SEED_INDEX_UNDEFINED', 'SEED_INDEX_NEGATIVE', 'SEED_INDEX_NOT_INT', 'SEED_INDEX_TOO_LARGE', 'ENCRYPTION_NOT_SUPPORTED', 'NAMESPACE_EMPTY', 'NAMESPACE_TOO_LONG'];
+const client_FullAccountErrorCodes = client_AccountErrorCodes.map(code => `${client_AccountErrorType}_${code}`);
+class src_client_KeetaNetAccountError extends src_client_KeetaNetErrorBase {
+  constructor(code, message) {
+    super(code, message, {
+      type: client_AccountErrorType,
+      codes: client_AccountErrorCodes
+    });
+  }
+}
+client_KeetaNetAccountError = src_client_KeetaNetAccountError;
+client_account_defineProperty(src_client_KeetaNetAccountError, "isInstance", client_checkableGenerator(client_KeetaNetAccountError));
 ;// ./node_modules/pvutils/build/utils.es.js
 /*!
  Copyright (c) Peculiar Ventures, LLC
@@ -115204,6 +115273,58 @@ const client_Testing = {
     ASN1IntegerToBigInt: client_jsIntegerToBigInt
   }
 };
+;// ./src/lib/utils/domain-separation.ts
+/* provided dependency */ var client_domain_separation_Buffer = __webpack_require__(8287)["Buffer"];
+
+
+
+/**
+ * Version for Keeta's domain separation namespace schema, encoded as the
+ * `INTEGER` field of `namespacePrefixSchema`.
+ */
+const client_KeetaNamespaceVersion = 0;
+
+/**
+ * Maximum domain separation namespace length in bytes (for strings,
+ * this is the UTF-8 byte length, not the character count).
+ */
+const client_MaxNamespaceLength = 255;
+
+/**
+ * Schema for the namespace prefix:
+ *
+ * ```asn1
+ * NamespacePrefix ::= SEQUENCE {
+ *     version   INTEGER,
+ *     namespace OCTET STRING,
+ *     data      OCTET STRING
+ * }
+ * ```
+ */
+const client_namespacePrefixSchema = [client_ValidateASN1.IsInteger, client_ValidateASN1.IsOctetString, client_ValidateASN1.IsOctetString];
+
+/**
+ * Apply the `NamespacePrefix` domain separator to `data`.
+ *
+ * String namespaces are UTF-8 encoded; ArrayBuffer namespaces are used
+ * verbatim. Namespace length MUST be 1-`MaxNamespaceLength` bytes after
+ * encoding.
+ */
+function client_applyNamespace(namespace, data) {
+  let namespaceBytes;
+  if (typeof namespace === 'string') {
+    namespaceBytes = new TextEncoder().encode(namespace);
+  } else {
+    namespaceBytes = new Uint8Array(namespace);
+  }
+  if (namespaceBytes.length === 0) {
+    throw new src_client_KeetaNetAccountError('ACCOUNT_NAMESPACE_EMPTY', 'Domain separation namespace must not be empty');
+  }
+  if (namespaceBytes.length > client_MaxNamespaceLength) {
+    throw new src_client_KeetaNetAccountError('ACCOUNT_NAMESPACE_TOO_LONG', `Domain separation namespace must be 1-${client_MaxNamespaceLength} bytes, got: ${namespaceBytes.length}`);
+  }
+  return client_JStoASN1([client_KeetaNamespaceVersion, client_domain_separation_Buffer.from(namespaceBytes), client_domain_separation_Buffer.from(data)]).toBER(false);
+}
 ;// ./src/lib/utils/conversion.ts
 /* provided dependency */ var client_conversion_Buffer = __webpack_require__(8287)["Buffer"];
 
@@ -115352,7 +115473,7 @@ const client_baseValidationConfig = {
   },
   blockOperations: {
     external: {
-      maxLength: 256,
+      maxLength: 1024,
       regex: /^[-_A-Za-z0-9+/= ]+$/,
       canBeEmpty: true
     },
@@ -115561,38 +115682,6 @@ function client_fromOffsetArray(setOffsets) {
   return val;
 }
 client_bitfield_defineProperty(src_client_BitField, "isInstance", client_checkableGenerator(client_BitField));
-;// ./src/lib/error/base.ts
-var client_KeetaNetErrorBase;
-function client_base_defineProperty(e, r, t) { return (r = client_base_toPropertyKey(r)) in e ? Object.defineProperty(e, r, { value: t, enumerable: !0, configurable: !0, writable: !0 }) : e[r] = t, e; }
-function client_base_toPropertyKey(t) { var i = client_base_toPrimitive(t, "string"); return "symbol" == typeof i ? i : i + ""; }
-function client_base_toPrimitive(t, r) { if ("object" != typeof t || !t) return t; var e = t[Symbol.toPrimitive]; if (void 0 !== e) { var i = e.call(t, r || "default"); if ("object" != typeof i) return i; throw new TypeError("@@toPrimitive must return a primitive value."); } return ("string" === r ? String : Number)(t); }
-
-class src_client_KeetaNetErrorBase extends Error {
-  constructor(code, message, validation) {
-    super(message);
-    const type = (validation === null || validation === void 0 ? void 0 : validation.type) || 'GENERIC';
-    if (validation !== undefined) {
-      const prefix = `${validation.type}_`;
-      const validPrefix = code.startsWith(prefix);
-      const withoutPrefix = code.substring(prefix.length);
-      const validCode = validation.codes.includes(withoutPrefix);
-      if (!validPrefix || !validCode) {
-        throw new Error(`Invalid construction of KeetaNetError Type: ${validation.type} Code: ${code}, prefix ${prefix} valid ${validPrefix} valid code: ${validCode}`);
-      }
-    }
-    this.code = code;
-    this.type = type;
-  }
-  toJSON() {
-    return {
-      type: this.type,
-      code: this.code,
-      message: this.message
-    };
-  }
-}
-client_KeetaNetErrorBase = src_client_KeetaNetErrorBase;
-client_base_defineProperty(src_client_KeetaNetErrorBase, "isInstance", client_checkableGenerator(client_KeetaNetErrorBase, false));
 ;// ./src/lib/error/permissions.ts
 var client_KeetaNetPermissionsError;
 function client_permissions_defineProperty(e, r, t) { return (r = client_permissions_toPropertyKey(r)) in e ? Object.defineProperty(e, r, { value: t, enumerable: !0, configurable: !0, writable: !0 }) : e[r] = t, e; }
@@ -116208,7 +116297,7 @@ function client_block_toPrimitive(t, r) { if ("object" != typeof t || !t) return
 
 
 const client_BlockErrorType = 'BLOCK';
-const client_BlockErrorCodes = ['AMOUNT_BELOW_ZERO', 'CANNOT_FORWARD_TO_SELF', 'CANNOT_SEND_NON_TOKEN', 'CERTIFICATE_SUBJECT_MISMATCH', 'EXACT_TRUE_WHEN_FORWARDING', 'EXTERNAL_INVALID', 'EXTERNAL_MISSING', 'EXTERNAL_TOO_LONG', 'GENERAL_FIELD_INVALID', 'IDENTIFIER_INVALID', 'IDENTIFIER_NEED_DEFAULT_PERMISSIONS', 'INTERMEDIATE_CERTIFICATES_ONLY_ADD', 'INVALID_ACCOUNT_TYPE', 'INVALID_CERTIFICATE_VALUE', 'INVALID_CREATE_IDENTIFIER_ARGS', 'INVALID_IDEMPOTENT_FORMAT', 'INVALID_IDEMPOTENT_LENGTH', 'INVALID_MULTISIG_QUORUM', 'INVALID_MULTISIG_SIGNER_COUNT', 'INVALID_MULTISIG_SIGNER_DEPTH', 'INVALID_MULTISIG_SIGNER_DUPLICATE', 'INVALID_PURPOSE_VALIDATION', 'INVALID_SIGNATURE', 'INVALID_SIGNER', 'INVALID_TYPE', 'INVALID_VERSION', 'NO_ADMIN_ON_TARGET', 'NO_DELEGATE_ADMIN', 'NO_DUPLICATE_CERTIFICATE_OPERATION', 'NO_IDENTIFIER_OP', 'NO_MODIFY_PERMISSION_DUPE', 'NO_MULTIPLE_SET_REP', 'NO_MULTISIG_OP', 'NO_TOKEN_OP', 'ONLY_IDENTIFIER_OP', 'ONLY_TOKEN_OP', 'PERMISSIONS_INVALID_DEFAULT', 'PERMISSIONS_INVALID_ENTITY', 'PERMISSIONS_INVALID_PRINCIPAL', 'PERMISSIONS_INVALID_TARGET', 'PREVIOUS_SELF', 'SUPPLY_INVALID', 'TOKEN_RECEIVE_DIFFERS', 'SIGNATURE_REQUIRED', 'SIGNATURE_PARAMETER_DIFFERS'];
+const client_BlockErrorCodes = ['AMOUNT_BELOW_ZERO', 'CANNOT_FORWARD_TO_SELF', 'CANNOT_SEND_NON_TOKEN', 'CERTIFICATE_SUBJECT_MISMATCH', 'EXACT_TRUE_WHEN_FORWARDING', 'EXTERNAL_INVALID', 'EXTERNAL_MISSING', 'EXTERNAL_TOO_LONG', 'GENERAL_FIELD_INVALID', 'IDENTIFIER_INVALID', 'IDENTIFIER_NEED_DEFAULT_PERMISSIONS', 'INTERMEDIATE_CERTIFICATES_ONLY_ADD', 'INVALID_ACCOUNT_TYPE', 'INVALID_CERTIFICATE_VALUE', 'INVALID_CREATE_IDENTIFIER_ARGS', 'INVALID_IDEMPOTENT_FORMAT', 'INVALID_IDEMPOTENT_LENGTH', 'INVALID_MULTISIG_QUORUM', 'INVALID_MULTISIG_SIGNER_COUNT', 'INVALID_MULTISIG_SIGNER_DEPTH', 'INVALID_MULTISIG_SIGNER_DUPLICATE', 'INVALID_PURPOSE_VALIDATION', 'INVALID_SIGNATURE', 'INVALID_SIGNER', 'INVALID_TYPE', 'INVALID_VERSION', 'INVALID_PRINCIPAL', 'NO_ADMIN_ON_TARGET', 'NO_DELEGATE_ADMIN', 'NO_DUPLICATE_CERTIFICATE_OPERATION', 'NO_IDENTIFIER_OP', 'NO_MODIFY_PERMISSION_DUPE', 'NO_MULTIPLE_SET_REP', 'NO_MULTISIG_OP', 'NO_TOKEN_OP', 'ONLY_IDENTIFIER_OP', 'ONLY_TOKEN_OP', 'PERMISSIONS_INVALID_DEFAULT', 'PERMISSIONS_INVALID_ENTITY', 'PERMISSIONS_INVALID_PRINCIPAL', 'PERMISSIONS_INVALID_TARGET', 'PREVIOUS_SELF', 'SUPPLY_INVALID', 'TOKEN_RECEIVE_DIFFERS', 'SIGNATURE_REQUIRED', 'SIGNATURE_PARAMETER_DIFFERS'];
 const client_FullBlockErrorCodes = client_BlockErrorCodes.map(code => `${client_BlockErrorType}_${code}`);
 class src_client_KeetaNetBlockError extends src_client_KeetaNetErrorBase {
   constructor(code, message) {
@@ -117826,7 +117915,7 @@ function client_ledger_toPrimitive(t, r) { if ("object" != typeof t || !t) retur
 
 
 const client_LedgerErrorType = 'LEDGER';
-const client_LedgerBaseErrorCodes = ['BLOCK_ALREADY_EXISTS', 'BLOCK_EXPIRED', 'TRANSACTION_ABORTED', 'INVALID_CHAIN', 'INVALID_NETWORK', 'INVALID_SUBNET', 'INVALID_PERMISSIONS', 'INVALID_OWNER_COUNT', 'INVALID_BALANCE', 'INVALID_SET_REP', 'OPERATION_NOT_SUPPORTED', 'NOT_EMPTY', 'PREVIOUS_ALREADY_USED', 'PREVIOUS_NOT_SEEN', 'SUCCESSOR_VOTE_EXISTS', 'INSUFFICIENT_VOTING_WEIGHT', 'INVALID_ACCOUNT_INFO_KEY', 'RECEIVE_NOT_MET', 'DUPLICATE_VOTE_FOUND', 'CANNOT_EXCHANGE_PERM_VOTE', 'TEMP_VOTE_INCLUDES_SELF', 'BLOCKS_DIFFER_FROM_VOTED_ON', 'NO_PERM_WITHOUT_SELF_TEMP', 'DUPLICATE_VOTE_ISSUER_FOUND', 'OTHER', 'MISSING_BLOCKS',
+const client_LedgerBaseErrorCodes = ['BLOCK_ALREADY_EXISTS', 'BLOCK_EXPIRED', 'TRANSACTION_ABORTED', 'INVALID_CHAIN', 'INVALID_NETWORK', 'INVALID_SUBNET', 'INVALID_PERMISSIONS', 'INVALID_OWNER_COUNT', 'INVALID_BALANCE', 'INVALID_SET_REP', 'INVALID_ACL_ROW_TYPE', 'OPERATION_NOT_SUPPORTED', 'NOT_EMPTY', 'PREVIOUS_ALREADY_USED', 'PREVIOUS_NOT_SEEN', 'SUCCESSOR_VOTE_EXISTS', 'INSUFFICIENT_VOTING_WEIGHT', 'INVALID_ACCOUNT_INFO_KEY', 'RECEIVE_NOT_MET', 'DUPLICATE_VOTE_FOUND', 'CANNOT_EXCHANGE_PERM_VOTE', 'TEMP_VOTE_INCLUDES_SELF', 'BLOCKS_DIFFER_FROM_VOTED_ON', 'NO_PERM_WITHOUT_SELF_TEMP', 'DUPLICATE_VOTE_ISSUER_FOUND', 'OTHER', 'MISSING_BLOCKS', 'CERTIFICATE_NOT_FOUND',
 // Fee Errors
 'FEE_AMOUNT_MISMATCH', 'FEE_TOKEN_MISMATCH', 'FEE_MISSING', 'MISSING_REQUIRED_FEE_BLOCK', 'MULTIPLE_FEE_BLOCK', 'VOTE_WITH_QUOTE', 'QUOTE_MISMATCH', 'REQUIRED_FEE_MISMATCH'];
 
@@ -117947,6 +118036,16 @@ function client_common_assertClassBrand(e, t, n) { if ("function" == typeof e ?
 
 
 
+function client_areACLPrincipalEqual(a, b) {
+  if (client_lib_account.isInstance(a) || client_lib_account.isInstance(b)) {
+    if (!client_lib_account.isInstance(a) || !client_lib_account.isInstance(b)) {
+      return false;
+    }
+    return a.comparePublicKey(b);
+  } else {
+    return a.certificate.compareHexString(b.certificate) && a.certificateAccount.comparePublicKey(b.certificateAccount);
+  }
+}
 function client_findPermissionMatch(lookingFor, entries) {
   const {
     principal,
@@ -117955,7 +118054,8 @@ function client_findPermissionMatch(lookingFor, entries) {
   } = lookingFor;
   let foundRow;
   for (const entry of entries) {
-    if (!principal.comparePublicKey(entry.principal)) {
+    // If principals do not match, we can skip
+    if (!client_areACLPrincipalEqual(principal, entry.principal)) {
       continue;
     }
 
@@ -118012,6 +118112,32 @@ function client_validateBlockSignerDepth(depth, network) {
   }
 }
 
+/**
+ * Determines if an account type can delegate voting weight via SET_REP.
+ *
+ * Regular accounts (ECDSA_SECP256K1, ED25519, ECDSA_SECP256R1) can always delegate.
+ * Among identifier accounts, only STORAGE accounts can delegate.
+ * TOKEN, NETWORK, and MULTISIG identifier accounts cannot delegate.
+ *
+ * @param keyType - The account key algorithm type to check
+ * @returns true if the account type can use SET_REP to delegate, false otherwise
+ *
+ */
+function client_canDelegate(keyType) {
+  // Regular accounts (non-identifiers) can always delegate
+  if (!client_lib_account.isIdentifierKeyType(keyType)) {
+    return true;
+  }
+
+  // Among identifiers, only STORAGE can delegate
+  if (keyType === client_AccountKeyAlgorithm.STORAGE) {
+    return true;
+  }
+
+  // Other identifier accounts cannot delegate
+  return false;
+}
+
 /**
  * Compute effects on the ledger from block effects
  */
@@ -118067,79 +118193,111 @@ async function client_computeLedgerEffect(options, effects, storageProvider, net
     const resolved = await getAccountInfoPromises[accountPubKey];
     return resolved;
   };
+  const getCertificatePromises = {};
+  const getCertificate = async (certificateHash, account) => {
+    const promiseKey = `${certificateHash.toString()}-${account.publicKeyString.get()}`;
+    if (getCertificatePromises[promiseKey] === undefined) {
+      getCertificatePromises[promiseKey] = storageProvider.getAccountCertificateByHash(transaction, account, certificateHash);
+    }
+    return await getCertificatePromises[promiseKey];
+  };
   const getPermissionPromises = {};
-  const getPermissions = async (account, entityList) => {
-    const accountPubKey = account.publicKeyString.get();
+  const getPermissions = async (principal, entityList) => {
+    let promiseKey;
+    if (client_lib_account.isInstance(principal)) {
+      promiseKey = `account-${principal.publicKeyString.get()}`;
+    } else {
+      promiseKey = `certificate-${principal.certificate.toString()}-${principal.certificateAccount.publicKeyString.get()}`;
+    }
     if (!entityList) {
-      return await getPermissionPromises[accountPubKey];
+      return await getPermissionPromises[promiseKey];
     }
-    if (getPermissionPromises[accountPubKey] !== undefined) {
+    if (getPermissionPromises[promiseKey] !== undefined) {
       throw new Error('getPermissions() can only be called once per account');
     }
-    getPermissionPromises[accountPubKey] = storageProvider.listACLsByPrincipal(transaction, account, entityList);
-    return await getPermissionPromises[accountPubKey];
+    getPermissionPromises[promiseKey] = storageProvider.listACLsByPrincipal(transaction, principal, entityList);
+    return await getPermissionPromises[promiseKey];
   };
   const prefetchPromises = [];
-  for (const {
-    account,
-    fields
-  } of Object.values(effects)) {
-    var _fields$supply, _effects$accountPubKe;
-    // Always fetch the supply from accountInfo if it's changing so we can validate the effect
-    if (((_fields$supply = fields.supply) !== null && _fields$supply !== void 0 ? _fields$supply : []).length > 0 && (checkRangeConstraints || getFinalNumericValues)) {
-      prefetchPromises.push(getAccountInfo(account));
-    }
-    const accountPubKey = account.publicKeyString.get();
-    if (computePermissions && fields.permissions) {
-      const toReadEntity = new client_lib_account.Set();
-      for (const permUpdate of (_fields$permissions = fields.permissions) !== null && _fields$permissions !== void 0 ? _fields$permissions : []) {
-        var _fields$permissions;
-        if (permUpdate.method === src_client_Block.AdjustMethod.SET || permUpdate.permissions === null) {
-          toReadEntity.delete(permUpdate.entity);
-          continue;
-        }
-        toReadEntity.add(permUpdate.entity);
+  for (const effect of Object.values(effects)) {
+    const fields = effect.fields;
+    const toReadEntity = new client_lib_account.Set();
+    for (const permUpdate of (_fields$permissions = fields.permissions) !== null && _fields$permissions !== void 0 ? _fields$permissions : []) {
+      var _fields$permissions;
+      if ((permUpdate.method === src_client_Block.AdjustMethod.ADD || permUpdate.method === src_client_Block.AdjustMethod.SET) && permUpdate.principalType === 'CERTIFICATE') {
+        prefetchPromises.push(getCertificate(permUpdate.principal.certificate, permUpdate.principal.certificateAccount));
+      }
+      if (permUpdate.method === src_client_Block.AdjustMethod.SET || permUpdate.permissions === null) {
+        toReadEntity.delete(permUpdate.entity);
+        continue;
       }
-      prefetchPromises.push(getPermissions(account, toReadEntity.toArray()));
+      toReadEntity.add(permUpdate.entity);
+    }
+    let principal;
+    if (effect.type === 'ACCOUNT') {
+      principal = effect.account;
+    } else {
+      principal = {
+        usingCertificate: true,
+        certificate: effect.certificateHash,
+        certificateAccount: effect.certificateAccount
+      };
     }
-    const delegationField = (_effects$accountPubKe = effects[accountPubKey]) === null || _effects$accountPubKe === void 0 ? void 0 : _effects$accountPubKe.fields.delegation;
-    const isDelegating = delegationField !== undefined;
-    let requestedRep = false;
-    if (isDelegating && computeWeights && getFinalNumericValues && account.isAccount()) {
-      requestedRep = true;
-      prefetchPromises.push(getRep(account, getFinalNumericValues));
-      prefetchPromises.push(getWeight(delegationField.delegateTo));
+
+    // Only prefetch the permissions if we are computing the permissions
+    if (computePermissions) {
+      prefetchPromises.push(getPermissions(principal, toReadEntity.toArray()));
     }
-    const rollingChanges = {};
-    for (const tokenPubKey in (_fields$balance = fields.balance) !== null && _fields$balance !== void 0 ? _fields$balance : {}) {
-      var _fields$balance;
-      for (const balanceUpdate of ((_fields$balance2 = fields.balance) !== null && _fields$balance2 !== void 0 ? _fields$balance2 : {})[tokenPubKey]) {
-        var _fields$balance2;
-        if (balanceUpdate.isReceive) {
-          continue;
-        }
-        const {
-          set,
-          value
-        } = balanceUpdate;
-        const token = client_lib_account.fromPublicKeyString(tokenPubKey).assertKeyType(client_AccountKeyAlgorithm.TOKEN);
-        if (rollingChanges[tokenPubKey] === undefined) {
-          rollingChanges[tokenPubKey] = 0n;
-        }
-        if (set) {
-          prefetchPromises.push(getPreviousBalance(token, token));
-          rollingChanges[tokenPubKey] = value;
-        } else {
-          rollingChanges[tokenPubKey] += value;
-        }
-        const isBaseToken = baseToken.comparePublicKey(tokenPubKey);
-        const possibleNegative = rollingChanges[tokenPubKey] < 0n && checkRangeConstraints;
-        if (possibleNegative && checkRangeConstraints || set || getFinalNumericValues || isDelegating && computeWeights) {
-          prefetchPromises.push(getPreviousBalance(account, token));
-        }
-        if (computeWeights && isBaseToken && account.isAccount() && !requestedRep) {
-          requestedRep = true;
-          prefetchPromises.push(getRep(account, getFinalNumericValues));
+    if (effect.type !== 'CERTIFICATE') {
+      var _fields$supply, _effects$accountPubKe;
+      const {
+        account
+      } = effect;
+
+      // Always fetch the supply from accountInfo if it's changing so we can validate the effect
+      if (((_fields$supply = fields.supply) !== null && _fields$supply !== void 0 ? _fields$supply : []).length > 0 && (checkRangeConstraints || getFinalNumericValues)) {
+        prefetchPromises.push(getAccountInfo(account));
+      }
+      const accountPubKey = account.publicKeyString.get();
+      const delegationField = (_effects$accountPubKe = effects[accountPubKey]) === null || _effects$accountPubKe === void 0 ? void 0 : _effects$accountPubKe.fields.delegation;
+      const isDelegating = delegationField !== undefined;
+      let requestedRep = false;
+      if (isDelegating && computeWeights && getFinalNumericValues && client_canDelegate(account.keyType)) {
+        requestedRep = true;
+        prefetchPromises.push(getRep(account, getFinalNumericValues));
+        prefetchPromises.push(getWeight(delegationField.delegateTo));
+      }
+      const rollingChanges = {};
+      for (const tokenPubKey in (_fields$balance = fields.balance) !== null && _fields$balance !== void 0 ? _fields$balance : {}) {
+        var _fields$balance;
+        for (const balanceUpdate of ((_fields$balance2 = fields.balance) !== null && _fields$balance2 !== void 0 ? _fields$balance2 : {})[tokenPubKey]) {
+          var _fields$balance2;
+          if (balanceUpdate.isReceive) {
+            continue;
+          }
+          const {
+            set,
+            value
+          } = balanceUpdate;
+          const token = client_lib_account.fromPublicKeyString(tokenPubKey).assertKeyType(client_AccountKeyAlgorithm.TOKEN);
+          if (rollingChanges[tokenPubKey] === undefined) {
+            rollingChanges[tokenPubKey] = 0n;
+          }
+          if (set) {
+            prefetchPromises.push(getPreviousBalance(token, token));
+            rollingChanges[tokenPubKey] = value;
+          } else {
+            rollingChanges[tokenPubKey] += value;
+          }
+          const isBaseToken = baseToken.comparePublicKey(tokenPubKey);
+          const possibleNegative = rollingChanges[tokenPubKey] < 0n && checkRangeConstraints;
+          if (possibleNegative && checkRangeConstraints || set || getFinalNumericValues || isDelegating && computeWeights) {
+            prefetchPromises.push(getPreviousBalance(account, token));
+          }
+          if (computeWeights && isBaseToken && client_canDelegate(account.keyType) && !requestedRep) {
+            requestedRep = true;
+            prefetchPromises.push(getRep(account, getFinalNumericValues));
+          }
         }
       }
     }
@@ -118242,34 +118400,56 @@ async function client_computeLedgerEffect(options, effects, storageProvider, net
     newEntry.change += change;
     supplies[tokenPubKey] = newEntry;
   };
-  for (const {
-    account,
-    fields
-  } of Object.values(effects)) {
-    var _effects$accountPubKe2;
-    const accountPubKey = account.publicKeyString.get();
+  for (const effect of Object.values(effects)) {
+    const fields = effect.fields;
     for (const supplyChange of (_fields$supply2 = fields.supply) !== null && _fields$supply2 !== void 0 ? _fields$supply2 : []) {
       var _fields$supply2;
-      if (!account.isToken()) {
+      if (effect.type !== 'ACCOUNT' || !effect.account.isToken()) {
         throw new Error('Cannot modify supply of non-token account');
       }
-      await modifySupply(account, supplyChange.value);
+      await modifySupply(effect.account, supplyChange.value);
     }
-    let permissionUpdates = [];
-    if (computePermissions && fields.permissions) {
-      permissionUpdates = fields.permissions;
-    }
-    for (const permUpdate of permissionUpdates) {
-      var _previousEntry$permis;
-      if (!permUpdate.principal.comparePublicKey(account)) {
-        throw new Error('permUpdate.principal should not differ current account');
+    for (const permUpdate of (_fields$permissions2 = fields.permissions) !== null && _fields$permissions2 !== void 0 ? _fields$permissions2 : []) {
+      var _fields$permissions2, _previousEntry$permis;
+      let principal;
+      if (effect.type === 'ACCOUNT') {
+        principal = effect.account;
+        if (!client_lib_account.isInstance(permUpdate.principal)) {
+          throw new Error('permUpdate.principal should be an account for ACCOUNT type effects');
+        }
+        if (!permUpdate.principal.comparePublicKey(effect.account)) {
+          throw new Error('permUpdate.principal should not differ current account');
+        }
+      } else {
+        if (client_lib_account.isInstance(permUpdate.principal)) {
+          throw new Error('permUpdate.principal should be a certificate for CERTIFICATE type effects');
+        }
+        if (!permUpdate.principal.certificate.compareHexString(effect.certificateHash)) {
+          throw new Error('permUpdate.principal should not differ current certificate');
+        }
+        principal = {
+          usingCertificate: true,
+          certificate: effect.certificateHash,
+          certificateAccount: effect.certificateAccount
+        };
+        if (permUpdate.method === src_client_Block.AdjustMethod.ADD || permUpdate.method === src_client_Block.AdjustMethod.SET) {
+          const certificate = await getCertificate(permUpdate.principal.certificate, permUpdate.principal.certificateAccount);
+          if (!certificate) {
+            throw new client_ledger_KeetaNetLedgerError('LEDGER_CERTIFICATE_NOT_FOUND', `Certificate with hash ${permUpdate.principal.certificate.toString()} for account ${permUpdate.principal.certificateAccount.publicKeyString.get()} not found`);
+          }
+        }
+      }
+
+      // If not computing permissions, we only need to validate certificate existence
+      if (!computePermissions) {
+        continue;
       }
       if (permUpdate.method === src_client_Block.AdjustMethod.SET || permUpdate.permissions === null) {
         permissions.push(permUpdate);
         continue;
       }
       let newPermissions;
-      const previousEntry = client_findPermissionMatch(permUpdate, await getPermissions(account));
+      const previousEntry = client_findPermissionMatch(permUpdate, await getPermissions(principal));
       const previousPermissions = (_previousEntry$permis = previousEntry === null || previousEntry === void 0 ? void 0 : previousEntry.permissions) !== null && _previousEntry$permis !== void 0 ? _previousEntry$permis : new client_permissions_Permissions();
       switch (permUpdate.method) {
         case src_client_Block.AdjustMethod.ADD:
@@ -118285,14 +118465,19 @@ async function client_computeLedgerEffect(options, effects, storageProvider, net
         permissions: newPermissions
       });
     }
-    const delegationField = (_effects$accountPubKe2 = effects[accountPubKey]) === null || _effects$accountPubKe2 === void 0 ? void 0 : _effects$accountPubKe2.fields.delegation;
-    const isDelegating = delegationField !== undefined;
-    if (isDelegating && account.isAccount() && computeWeights) {
-      const currentDelegation = await getRep(account, getFinalNumericValues);
-      const previousBalance = await getPreviousBalance(account, baseToken);
-      await modifyWeight(delegationField.delegateTo, previousBalance);
-      if (currentDelegation) {
-        await modifyWeight(currentDelegation, -1n * previousBalance);
+    let isDelegating;
+    let delegationField;
+    if (effect.type === 'ACCOUNT') {
+      var _effects$effect$accou;
+      delegationField = (_effects$effect$accou = effects[effect.account.publicKeyString.get()]) === null || _effects$effect$accou === void 0 ? void 0 : _effects$effect$accou.fields.delegation;
+      isDelegating = delegationField !== undefined;
+      if (isDelegating && delegationField && client_canDelegate(effect.account.keyType) && computeWeights) {
+        const currentDelegation = await getRep(effect.account, getFinalNumericValues);
+        const previousBalance = await getPreviousBalance(effect.account, baseToken);
+        await modifyWeight(delegationField.delegateTo, previousBalance);
+        if (currentDelegation) {
+          await modifyWeight(currentDelegation, -1n * previousBalance);
+        }
       }
     }
     const receivable = {};
@@ -118301,6 +118486,9 @@ async function client_computeLedgerEffect(options, effects, storageProvider, net
       const tokenAcct = client_lib_account.fromPublicKeyString(tokenPubKey).assertKeyType(client_AccountKeyAlgorithm.TOKEN);
       for (const balanceUpdate of ((_fields$balance4 = fields.balance) !== null && _fields$balance4 !== void 0 ? _fields$balance4 : {})[tokenPubKey]) {
         var _fields$balance4;
+        if (effect.type !== 'ACCOUNT') {
+          throw new Error('Only accounts can have balance changes');
+        }
         const {
           isReceive,
           value,
@@ -118308,7 +118496,7 @@ async function client_computeLedgerEffect(options, effects, storageProvider, net
         } = balanceUpdate;
         if (isReceive) {
           const receiveFromPubKey = otherAccount.publicKeyString.get();
-          const previousEntry = getBalanceEntry(account, tokenAcct);
+          const previousEntry = getBalanceEntry(effect.account, tokenAcct);
           if (previousEntry.receiveValidated === false) {
             continue;
           }
@@ -118325,15 +118513,15 @@ async function client_computeLedgerEffect(options, effects, storageProvider, net
           } else {
             receiveValid = value <= receivableAmount;
           }
-          balances[accountPubKey][tokenPubKey].receiveValidated = receiveValid;
+          balances[effect.account.publicKeyString.get()][tokenPubKey].receiveValidated = receiveValid;
           continue;
         }
         let balanceChange;
         if (balanceUpdate.set) {
-          balanceChange = await modifyBalance(account, tokenAcct, value, true);
+          balanceChange = await modifyBalance(effect.account, tokenAcct, value, true);
           await modifyBalance(tokenAcct, tokenAcct, -1n * balanceChange, false);
         } else {
-          balanceChange = await modifyBalance(account, tokenAcct, value, false);
+          balanceChange = await modifyBalance(effect.account, tokenAcct, value, false);
         }
         if (balanceUpdate.receivable) {
           const otherAccountPubKey = otherAccount.publicKeyString.get();
@@ -118348,11 +118536,14 @@ async function client_computeLedgerEffect(options, effects, storageProvider, net
           receivable[otherAccountPubKey][tokenPubKey] += balanceChange;
         }
         const isBaseToken = baseToken.comparePublicKey(tokenAcct);
-        if (isBaseToken && account.isAccount() && computeWeights) {
+        if (isBaseToken && client_canDelegate(effect.account.keyType) && computeWeights) {
           if (isDelegating) {
+            if (!delegationField) {
+              throw new Error('delegationField should be defined if isDelegating is true');
+            }
             await modifyWeight(delegationField.delegateTo, balanceChange);
           } else {
-            const currentRep = await getRep(account);
+            const currentRep = await getRep(effect.account);
             if (currentRep) {
               await modifyWeight(currentRep, balanceChange);
             }
@@ -118774,6 +118965,9 @@ function client_operationTypeToNumber(str) {
   }
   return type;
 }
+const client_ModifyPermissionsPrincipalContextSpecificTagValues = {
+  CERTIFICATE: 1
+};
 function client_makeEncodeDecodePermission(emptyValue) {
   return {
     encode: data => {
@@ -118869,7 +119063,52 @@ const client_BlockOperationASN1SchemaBase = {
   }],
   'MODIFY_PERMISSIONS': [{
     name: 'principal',
-    schema: client_ValidateASN1.IsOctetString
+    schema: {
+      choice: [client_ValidateASN1.IsOctetString, {
+        type: 'context',
+        kind: 'explicit',
+        value: client_ModifyPermissionsPrincipalContextSpecificTagValues.CERTIFICATE,
+        contains: [/* Certificate Hash */
+        client_ValidateASN1.IsOctetString, /* Certificate Issued To Account */
+        client_ValidateASN1.IsOctetString]
+      }]
+    },
+    encode(data) {
+      if (client_lib_account.isInstance(data)) {
+        return data.publicKeyAndType;
+      } else if (data.usingCertificate) {
+        return {
+          type: 'context',
+          kind: 'explicit',
+          value: client_ModifyPermissionsPrincipalContextSpecificTagValues.CERTIFICATE,
+          contains: [data.certificateHash.getBuffer(), data.certificateAccount.publicKeyAndType]
+        };
+      } else {
+        throw new Error('Invalid principal type for MODIFY_PERMISSIONS operation');
+      }
+    },
+    decode(data) {
+      if (client_isBuffer(data)) {
+        return client_lib_account.fromPublicKeyAndType(data);
+      } else if (client_ASN1CheckUtilities.isASN1ContextTag(data, 'explicit')) {
+        if (data.value === client_ModifyPermissionsPrincipalContextSpecificTagValues.CERTIFICATE) {
+          if (!Array.isArray(data.contains) || data.contains.length !== 2) {
+            throw new Error('Invalid principal data for MODIFY_PERMISSIONS operation');
+          }
+          const certificateHashData = data.contains[0];
+          const certificateAccountData = data.contains[1];
+          if (!client_isBuffer(certificateHashData) || !client_isBuffer(certificateAccountData)) {
+            throw new Error('Invalid certificate hash data for MODIFY_PERMISSIONS operation');
+          }
+          return {
+            usingCertificate: true,
+            certificateHash: new src_client_CertificateHash(client_bufferToArrayBuffer(certificateHashData)),
+            certificateAccount: client_lib_account.fromPublicKeyAndType(certificateAccountData)
+          };
+        }
+      }
+      throw new Error('Invalid principal data for MODIFY_PERMISSIONS operation');
+    }
   }, {
     name: 'method',
     schema: client_ValidateASN1.IsInteger
@@ -119370,8 +119609,8 @@ class src_client_BlockOperationSET_REP extends src_client_BlockOperation {
     const {
       block
     } = context;
-    if (block.account.isIdentifier()) {
-      throw new src_client_KeetaNetBlockError('BLOCK_NO_IDENTIFIER_OP', 'Identifier accounts cannot use SET_REP');
+    if (!client_canDelegate(block.account.keyType)) {
+      throw new src_client_KeetaNetBlockError('BLOCK_NO_IDENTIFIER_OP', `${client_AccountKeyAlgorithm[block.account.keyType]} accounts cannot use SET_REP`);
     }
     if (this.to.isIdentifier()) {
       throw new src_client_KeetaNetBlockError('BLOCK_NO_IDENTIFIER_OP', 'Cannot delegate to an identifier');
@@ -119609,10 +119848,6 @@ class src_client_BlockOperationSET_INFO extends src_client_BlockOperation {
     return client_toJSONSerializable(val);
   }
 }
-
-/**
- * Set Permissions Operation
- */
 client_BlockOperationSET_INFO = src_client_BlockOperationSET_INFO;
 function client_validateNameDesc(field, value, network) {
   const {
@@ -119631,6 +119866,9 @@ function client_validateNameDesc(field, value, network) {
   return;
 }
 client_operations_defineProperty(src_client_BlockOperationSET_INFO, "isInstance", client_checkableGenerator(client_BlockOperationSET_INFO));
+/**
+ * Set Permissions Operation
+ */
 var client_principal = /*#__PURE__*/new WeakMap();
 var client_target = /*#__PURE__*/new WeakMap();
 var client_method2 = /*#__PURE__*/new WeakMap();
@@ -119648,7 +119886,7 @@ class src_client_BlockOperationMODIFY_PERMISSIONS extends src_client_BlockOperat
     if (input.type !== client_OperationType.MODIFY_PERMISSIONS) {
       throw new src_client_KeetaNetBlockError('BLOCK_INVALID_TYPE', 'Invalid construction of BlockJSONOperationMODIFY_PERMISSIONS');
     }
-    client_operations_classPrivateFieldSet(client_principal, this, this.computeTo(input.principal));
+    client_operations_classPrivateFieldSet(client_principal, this, client_operations_assertClassBrand(client_BlockOperationMODIFY_PERMISSIONS_brand, this, client_computePrincipal).call(this, input.principal));
     client_operations_classPrivateFieldSet(client_target, this, client_lib_account.toAccount(input.target));
     client_operations_classPrivateFieldSet(client_method2, this, client_toAdjustMethod(input.method));
     client_operations_classPrivateFieldSet(client_permissions, this, client_operations_assertClassBrand(client_BlockOperationMODIFY_PERMISSIONS_brand, this, client_computePermissions).call(this, input.permissions));
@@ -119696,8 +119934,15 @@ class src_client_BlockOperationMODIFY_PERMISSIONS extends src_client_BlockOperat
         base
       } = this.permissions;
       const baseFlagsString = `[${base.flags.join(',')}]`;
-      if (!base.checkAccountMatchesGroup('principal', this.principal)) {
-        throw new src_client_KeetaNetBlockError('BLOCK_PERMISSIONS_INVALID_PRINCIPAL', `Incorrect principal for flags ${baseFlagsString}`);
+      if (client_lib_account.isInstance(this.principal)) {
+        if (!base.checkAccountMatchesGroup('principal', this.principal)) {
+          throw new src_client_KeetaNetBlockError('BLOCK_PERMISSIONS_INVALID_PRINCIPAL', `Incorrect principal for flags ${baseFlagsString}`);
+        }
+      } else {
+        // If the principal is not an account, we only allow default permissions to be issued by a certificate principal
+        if (!base.isValidForDefault) {
+          throw new src_client_KeetaNetBlockError('BLOCK_PERMISSIONS_INVALID_DEFAULT', 'Invalid permissions, cannot use certificate principal with non-default permissions');
+        }
       }
       if (this.target && !base.checkAccountMatchesGroup('target', this.target)) {
         throw new src_client_KeetaNetBlockError('BLOCK_PERMISSIONS_INVALID_TARGET', `Incorrect target for flags ${baseFlagsString}`);
@@ -119725,7 +119970,12 @@ class src_client_BlockOperationMODIFY_PERMISSIONS extends src_client_BlockOperat
         target,
         method
       } = operation;
-      const principalKey = principal.publicKeyString.get();
+      let principalKey;
+      if (client_lib_account.isInstance(principal)) {
+        principalKey = principal.publicKeyString.get();
+      } else {
+        principalKey = `cert:${principal.certificateHash.get()}:${principal.certificateAccount.publicKeyString.get()}`;
+      }
       const targetKey = (target !== null && target !== void 0 ? target : block.account).publicKeyString.get();
       if (!foundPrevious[principalKey]) {
         foundPrevious[principalKey] = {};
@@ -119755,6 +120005,26 @@ class src_client_BlockOperationMODIFY_PERMISSIONS extends src_client_BlockOperat
  * Token Supply operation
  */
 client_BlockOperationMODIFY_PERMISSIONS = src_client_BlockOperationMODIFY_PERMISSIONS;
+function client_computePrincipal(principal) {
+  if (typeof principal === 'string' || client_lib_account.isInstance(principal)) {
+    return this.computeTo(principal);
+  } else if (principal.usingCertificate) {
+    const certificateAccount = client_lib_account.toAccount(principal.certificateAccount);
+    let certificateHash;
+    if (src_client_CertificateHash.isInstance(principal.certificateHash)) {
+      certificateHash = principal.certificateHash;
+    } else {
+      certificateHash = new src_client_CertificateHash(principal.certificateHash);
+    }
+    return {
+      usingCertificate: true,
+      certificateHash,
+      certificateAccount
+    };
+  } else {
+    throw new src_client_KeetaNetBlockError('BLOCK_INVALID_PRINCIPAL', 'Invalid principal for MODIFY_PERMISSIONS');
+  }
+}
 function client_computePermissions(permissions) {
   if (!permissions) {
     return null;
@@ -121215,8 +121485,11 @@ class src_client_UnsignedBlock extends src_client_PossiblyUnsignedBlock {
   async seal() {
     const signers = src_client_UnsignedBlock.getSortedRequiredSigners(this.signer);
     const hash = this.hash;
+    const ancillaryData = this.toBytes(false);
     const signatures = await Promise.all(signers.map(async function (signer) {
-      const signature = await signer.sign(hash.getBuffer());
+      const signature = await signer.sign(hash.getBuffer(), {
+        ancillaryData
+      });
       return signature.getBuffer();
     }));
     const shared = {
@@ -121640,26 +121913,6 @@ client_lib_block_defineProperty(src_client_BlockBuilder, "Operation", src_client
 client_lib_block_defineProperty(src_client_BlockBuilder, "NO_PREVIOUS", src_client_Block.NO_PREVIOUS);
 src_client_Block.Builder = src_client_BlockBuilder;
 /* harmony default export */ const client_lib_block = (src_client_Block);
-;// ./src/lib/error/account.ts
-var client_KeetaNetAccountError;
-function client_account_defineProperty(e, r, t) { return (r = client_account_toPropertyKey(r)) in e ? Object.defineProperty(e, r, { value: t, enumerable: !0, configurable: !0, writable: !0 }) : e[r] = t, e; }
-function client_account_toPropertyKey(t) { var i = client_account_toPrimitive(t, "string"); return "symbol" == typeof i ? i : i + ""; }
-function client_account_toPrimitive(t, r) { if ("object" != typeof t || !t) return t; var e = t[Symbol.toPrimitive]; if (void 0 !== e) { var i = e.call(t, r || "default"); if ("object" != typeof i) return i; throw new TypeError("@@toPrimitive must return a primitive value."); } return ("string" === r ? String : Number)(t); }
-
-
-const client_AccountErrorType = 'ACCOUNT';
-const client_AccountErrorCodes = ['INVALID_PREFIX', 'INVALID_KEYTYPE', 'INVALID_KEYTYPE_EXTERNAL', 'PASSPHRASE_WEAK', 'INVALID_CONSTRUCTION', 'NO_IDENTIFIER_SIGN', 'NO_IDENTIFIER_VERIFY', 'INVALID_IDENTIFIER_CONSTRUCTION', 'SEED_INDEX_UNDEFINED', 'SEED_INDEX_NEGATIVE', 'SEED_INDEX_NOT_INT', 'SEED_INDEX_TOO_LARGE', 'ENCRYPTION_NOT_SUPPORTED'];
-const client_FullAccountErrorCodes = client_AccountErrorCodes.map(code => `${client_AccountErrorType}_${code}`);
-class src_client_KeetaNetAccountError extends src_client_KeetaNetErrorBase {
-  constructor(code, message) {
-    super(code, message, {
-      type: client_AccountErrorType,
-      codes: client_AccountErrorCodes
-    });
-  }
-}
-client_KeetaNetAccountError = src_client_KeetaNetAccountError;
-client_account_defineProperty(src_client_KeetaNetAccountError, "isInstance", client_checkableGenerator(client_KeetaNetAccountError));
 ;// ./src/lib/utils/ed2curve.ts
 // https://raw.githubusercontent.com/jjavery/ed25519-to-x25519/main/src/ed2curve.js
 
@@ -122430,7 +122683,7 @@ class src_client_ExternalKeyPair extends client_KeyInterface {
     return client_account_classPrivateFieldGet(client_functions, this).decrypt(...arguments);
   }
   get supportsEncryption() {
-    return true;
+    return client_account_classPrivateFieldGet(client_functions, this).supportsEncryption;
   }
   get keyType() {
     return client_account_classPrivateFieldGet(client_keyType, this);
@@ -123121,10 +123374,8 @@ function client_derivePublicKeyStringFromPublicKey(key, keyType) {
 }
 
 /**
- * Account class, which is used to represent a key pair or an identifier
- * account (which have no private key) such as tokens.
- *
- * @template T - The type of the key algorithm used for this account.
+ * Statically validate that the KeyPairClassesByAlgorithm type has
+ * every AccountKeyAlgorithm as a key
  */
 var client_privateKeyPair = /*#__PURE__*/new WeakMap();
 var client_publicKeyPair2 = /*#__PURE__*/new WeakMap();
@@ -123132,6 +123383,12 @@ var client_keyType4 = /*#__PURE__*/new WeakMap();
 var client_keyPairHandlesHashing = /*#__PURE__*/new WeakMap();
 var client_publicKeyString2 = /*#__PURE__*/new WeakMap();
 var client_publicKeyAndTypeString = /*#__PURE__*/new WeakMap();
+/**
+ * Account class, which is used to represent a key pair or an identifier
+ * account (which have no private key) such as tokens.
+ *
+ * @template T - The type of the key algorithm used for this account.
+ */
 class src_client_Account {
   /**
    * Construct an account from a public key string.  The public key
@@ -123501,6 +123758,9 @@ class src_client_Account {
     if (client_account_classPrivateFieldGet(client_privateKeyPair, this) === null) {
       throw new Error('May not sign unless a private key is available');
     }
+    if (options.namespace !== undefined) {
+      data = client_applyNamespace(options.namespace, data);
+    }
     if (!client_account_classPrivateFieldGet(client_keyPairHandlesHashing, this) && !options.raw) {
       data = client_hash_Hash(client_account_Buffer.from(data));
     }
@@ -123516,6 +123776,9 @@ class src_client_Account {
       forCert: false,
       ...options
     };
+    if (options.namespace !== undefined) {
+      data = client_applyNamespace(options.namespace, data);
+    }
     if (!client_account_classPrivateFieldGet(client_keyPairHandlesHashing, this) && !options.raw) {
       data = client_hash_Hash(client_account_Buffer.from(data));
     }
@@ -123658,10 +123921,12 @@ class src_client_Account {
    * Determine if an account is an identifier
    */
   isIdentifier() {
-    // We are checking here, so it is safe to assert the type
-    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
-    return client_identifierKeyTypes.includes(this.keyType);
+    return src_client_Account.isIdentifierKeyType(client_account_classPrivateFieldGet(client_keyType4, this));
   }
+
+  /**
+   * Determine if an account is a regular (non-identifier)
+   */
   isAccount() {
     return !this.isIdentifier();
   }
@@ -123695,7 +123960,7 @@ class src_client_Account {
   }
   assertAccount() {
     if (this.isIdentifier() !== false) {
-      throw new Error('Required Account but got Identifier');
+      throw new src_client_KeetaNetAccountError('ACCOUNT_NOT_ACCOUNT', 'Required Account but got Identifier');
     }
 
     // We need to assert this type because we are changing what the constructed type is
@@ -123704,7 +123969,7 @@ class src_client_Account {
   }
   assertIdentifier() {
     if (this.isIdentifier() !== true) {
-      throw new Error(`Required Identifier but got Account, ${this.keyType}`);
+      throw new src_client_KeetaNetAccountError('ACCOUNT_NOT_IDENTIFIER', `Required Identifier but got Account, ${this.keyType}`);
     }
 
     // We need to assert this type because we are changing what the constructed type is
@@ -123721,6 +123986,18 @@ client_Account = src_client_Account;
  */
 client_lib_account_defineProperty(src_client_Account, "AccountKeyAlgorithm", client_AccountKeyAlgorithm);
 client_lib_account_defineProperty(src_client_Account, "ExternalKeyPair", src_client_ExternalKeyPair);
+/**
+ * Access to the underlying Key Pair classes for advanced use cases.
+ */
+client_lib_account_defineProperty(src_client_Account, "KeyPairs", {
+  [client_AccountKeyAlgorithm.ECDSA_SECP256K1]: src_client_ECDSASECP256K1KeyPair,
+  [client_AccountKeyAlgorithm.ECDSA_SECP256R1]: src_client_ECDSASECP256R1KeyPair,
+  [client_AccountKeyAlgorithm.ED25519]: src_client_ED25519KeyPair,
+  [client_AccountKeyAlgorithm.NETWORK]: src_client_IdentifierKeyPair,
+  [client_AccountKeyAlgorithm.TOKEN]: src_client_IdentifierKeyPair,
+  [client_AccountKeyAlgorithm.STORAGE]: src_client_IdentifierKeyPair,
+  [client_AccountKeyAlgorithm.MULTISIG]: src_client_IdentifierKeyPair
+});
 client_lib_account_defineProperty(src_client_Account, "isInstance", client_checkableGenerator(client_Account));
 client_lib_account_defineProperty(src_client_Account, "Set", client_setGenerator(client_Account, function (account) {
   const retval = account.publicKeyAndTypeString;
@@ -123896,34 +124173,53 @@ function client_addOrCombineRequirements(existing, addition, alwaysCombine) {
   resp.push(addition);
   return resp;
 }
-function client_addPermission(state, addition) {
-  const principalPubKey = addition.principal.publicKeyString.get();
-  if (state.accounts[principalPubKey] === undefined) {
-    state.accounts[principalPubKey] = {
+function client_touchStateFields(state, toTouch) {
+  let entityKey;
+  let defaultValue;
+  if (client_lib_account.isInstance(toTouch)) {
+    entityKey = toTouch.publicKeyString.get();
+    defaultValue = {
+      type: 'ACCOUNT',
       fields: {},
-      account: client_lib_account.fromPublicKeyString(principalPubKey)
+      account: toTouch
     };
+  } else if (toTouch.usingCertificate) {
+    entityKey = `${toTouch.certificate.toString()}:${toTouch.certificateAccount.publicKeyString.get()}`;
+    defaultValue = {
+      type: 'CERTIFICATE',
+      fields: {},
+      certificateHash: toTouch.certificate,
+      certificateAccount: toTouch.certificateAccount
+    };
+  } else {
+    throw new Error('Invalid principal type in touchStateFields');
   }
-  if (state.accounts[principalPubKey].fields === undefined) {
-    state.accounts[principalPubKey].fields = {};
+  let value = state.accounts[entityKey];
+  if (value === undefined) {
+    state.accounts[entityKey] = defaultValue;
+    value = state.accounts[entityKey];
   }
-  if (state.accounts[principalPubKey].fields.permissions === undefined) {
-    state.accounts[principalPubKey].fields.permissions = [];
+  return {
+    value,
+    entityKey
+  };
+}
+function client_addPermission(state, addition) {
+  const {
+    value
+  } = client_touchStateFields(state, addition.principal);
+  if (value.fields.permissions === undefined) {
+    value.fields.permissions = [];
   }
-  const existing = state.accounts[principalPubKey].fields.permissions || [];
-  state.accounts[principalPubKey].fields.permissions = client_addOrCombineRequirements(existing, addition);
+  const existing = value.fields.permissions || [];
+  value.fields.permissions = client_addOrCombineRequirements(existing, addition);
 }
 function client_addPermissionRequirement(state, requirement) {
-  var _state$accounts$princ, _state$accounts$princ2;
-  const principalPubKey = requirement.principal.publicKeyString.get();
-  const entityPubKey = requirement.entity.publicKeyString.get();
-  if (state.accounts[principalPubKey] === undefined) {
-    state.accounts[principalPubKey] = {
-      account: requirement.principal,
-      fields: {}
-    };
-  }
-  const alreadyAdded = (_state$accounts$princ = state.accounts[principalPubKey].fields.permissions) !== null && _state$accounts$princ !== void 0 ? _state$accounts$princ : [];
+  var _principalFields$fiel, _principalFields$fiel2;
+  const {
+    value: principalFields
+  } = client_touchStateFields(state, requirement.principal);
+  const alreadyAdded = (_principalFields$fiel = principalFields.fields.permissions) !== null && _principalFields$fiel !== void 0 ? _principalFields$fiel : [];
   const foundAddedMatch = alreadyAdded.find(function (_ref) {
     let {
       permissions
@@ -123936,6 +124232,7 @@ function client_addPermissionRequirement(state, requirement) {
   if (foundAddedMatch !== undefined) {
     return;
   }
+  const entityPubKey = requirement.entity.publicKeyString.get();
   if (state.accounts[entityPubKey] !== undefined) {
     const entityInfo = state.accounts[entityPubKey].fields.info;
     if (entityInfo !== undefined && 'defaultPermission' in entityInfo) {
@@ -123947,13 +124244,14 @@ function client_addPermissionRequirement(state, requirement) {
       }
     }
   }
-  const existing = (_state$accounts$princ2 = state.accounts[principalPubKey].fields.permissionRequirements) !== null && _state$accounts$princ2 !== void 0 ? _state$accounts$princ2 : [];
-  state.accounts[principalPubKey].fields.permissionRequirements = client_addOrCombineRequirements(existing, requirement, true);
+  const existing = (_principalFields$fiel2 = principalFields.fields.permissionRequirements) !== null && _principalFields$fiel2 !== void 0 ? _principalFields$fiel2 : [];
+  principalFields.fields.permissionRequirements = client_addOrCombineRequirements(existing, requirement, true);
 }
 function client_updateMinSignerSetLength(state, multisigAccount, count) {
   const multisigPublicKey = multisigAccount.publicKeyString.get();
   if (state.accounts[multisigPublicKey] === undefined) {
     state.accounts[multisigPublicKey] = {
+      type: 'ACCOUNT',
       account: multisigAccount,
       fields: {}
     };
@@ -123977,6 +124275,7 @@ function client_modifyBalanceInState(balanceState) {
   const tokenPubKey = token.publicKeyString.get();
   if (state.accounts[accountPubKey] === undefined) {
     state.accounts[accountPubKey] = {
+      type: 'ACCOUNT',
       account: client_lib_account.fromPublicKeyString(accountPubKey),
       fields: {}
     };
@@ -124042,6 +124341,7 @@ function client_updateAccountInfoInState(state, account, info) {
   }
   if (!state.accounts[accountPubKey]) {
     state.accounts[accountPubKey] = {
+      type: 'ACCOUNT',
       account: account,
       fields: {}
     };
@@ -124199,6 +124499,7 @@ function client_computeEffectOfOperationCREATE_IDENTIFIER(state, block, operatio
     for (const multisigSigner of operation.createArguments.signers) {
       state.possibleNewAccounts.add(multisigSigner);
       client_addPermission(state, {
+        principalType: 'ACCOUNT',
         principal: multisigSigner,
         entity: operation.identifier,
         method: src_client_Block.AdjustMethod.SET,
@@ -124207,6 +124508,7 @@ function client_computeEffectOfOperationCREATE_IDENTIFIER(state, block, operatio
     }
   } else {
     client_addPermission(state, {
+      principalType: 'ACCOUNT',
       principal: block.account,
       entity: operation.identifier,
       method: src_client_Block.AdjustMethod.SET,
@@ -124223,17 +124525,41 @@ function client_computeEffectOfOperationSET_INFO(state, block, operation) {
   });
 }
 function client_computeEffectOfOperationMODIFY_PERMISSIONS(state, block, operation) {
-  state.possibleNewAccounts.add(operation.principal);
+  if (client_lib_account.isInstance(operation.principal)) {
+    state.possibleNewAccounts.add(operation.principal);
+  } else if (operation.principal.usingCertificate) {
+    state.possibleNewAccounts.add(operation.principal.certificateAccount);
+  } else {
+    throw new Error('Invalid principal in MODIFY_PERMISSIONS operation');
+  }
   if (operation.target) {
     state.possibleNewAccounts.add(operation.target);
   }
-  client_addPermission(state, {
-    principal: operation.principal,
+  const shared = {
     entity: block.account,
     permissions: operation.permissions,
     method: operation.method,
     target: operation.target
-  });
+  };
+  if (client_lib_account.isInstance(operation.principal)) {
+    client_addPermission(state, {
+      principalType: 'ACCOUNT',
+      principal: operation.principal,
+      ...shared
+    });
+  } else if (operation.principal.usingCertificate) {
+    client_addPermission(state, {
+      principalType: 'CERTIFICATE',
+      principal: {
+        usingCertificate: true,
+        certificate: operation.principal.certificateHash,
+        certificateAccount: operation.principal.certificateAccount
+      },
+      ...shared
+    });
+  } else {
+    throw new Error('Invalid principal in MODIFY_PERMISSIONS operation');
+  }
 }
 function client_computeEffectOfOperationTOKEN_ADMIN_SUPPLY(state, block, operation) {
   var _state$accounts$token;
@@ -124314,14 +124640,19 @@ function client_computeEffectOfOperationMANAGE_CERTIFICATE(state, block, operati
 const client_operationHandlers = {
   [src_client_Block.OperationType.SEND]: {
     effectGenerator: client_computeEffectOfOperationSEND,
-    accountPermissionACL: (block, operation, context) => {
-      const baseEffect = {
-        entity: operation.token || context.ledger.baseToken
-      };
+    accountPermissionACL: (block, operation) => {
+      // Require both the sender and the recipient to have ['ACCESS'] on the token
+      const baseEffect = [{
+        principal: block.account,
+        entity: operation.token
+      }, {
+        principal: operation.to,
+        entity: operation.token
+      }];
       if (operation.to.keyType !== client_AccountKeyAlgorithm.STORAGE) {
         return baseEffect;
       }
-      return [baseEffect,
+      return [...baseEffect,
       // Require that the token identifier was granted access by storage account for it to be able to hold
       {
         entity: operation.to,
@@ -124419,9 +124750,16 @@ const client_operationHandlers = {
           delegateMethodNeeded = 'PERMISSION_DELEGATE_ADD';
           break;
       }
+      let target;
+      if (client_lib_account.isInstance(operation.principal)) {
+        target = operation.principal;
+      } else {
+        // Currently, we do not have a way to specify a target for certificate principals, so we will not include a target in this case
+        target = undefined;
+      }
       necessary.push({
         permissions: new client_permissions_Permissions([delegateMethodNeeded]),
-        target: operation.principal
+        target: target
       });
       return necessary;
     }
@@ -124569,6 +124907,7 @@ function client_computeEffectOfBlocks(blocks, ledger) {
     }
     if (accumulatedEffects.accounts[blockAccountPubKey] === undefined) {
       accumulatedEffects.accounts[blockAccountPubKey] = {
+        type: 'ACCOUNT',
         account: block.account,
         fields: {}
       };
@@ -124625,6 +124964,9 @@ function client_computeEffectOfBlocks(blocks, ledger) {
     }
   }
   for (const effect of Object.values(accumulatedEffects.accounts)) {
+    if (effect.type !== 'ACCOUNT') {
+      continue;
+    }
     accumulatedEffects.touched.add(effect.account);
     if (effect.fields.balance) {
       let hasDebit = false;
@@ -126523,6 +126865,12 @@ class src_client_BaseVoteBuilder {
 }
 client_BaseVoteBuilder = src_client_BaseVoteBuilder;
 function client_formatSingleFeeEntry(feeInput) {
+  if (feeInput.amount === undefined) {
+    throw new src_client_KeetaNetVoteError('VOTE_BUILDER_INVALID_FEE', 'Fee amount is required');
+  }
+  if (BigInt(feeInput.amount) < 0n) {
+    throw new src_client_KeetaNetVoteError('VOTE_BUILDER_INVALID_FEE', 'Fee amount cannot be negative');
+  }
   const fee = {
     amount: BigInt(feeInput.amount)
   };
@@ -126611,6 +126959,8 @@ const src_client_Testing = {
   feeExtensionSchema: client_feeExtensionSchema
 };
 ;// ./src/lib/ledger/types.ts
+
+
 /**
  * Account info entry
  */
@@ -126641,19 +126991,33 @@ function client_isKeyPairAccountInfo(info) {
 function client_isAccountInfoOfType(info, type) {
   return info.account.isKeyType(type);
 }
+const client_aclPrincipalType = (/* unused pure expression or super */ null && (['ACCOUNT', 'CERTIFICATE']));
+function client_isACLPrincipalType(type) {
+  // eslint-disable-next-line @typescript-eslint/consistent-type-assertions
+  return client_aclPrincipalType.includes(type);
+}
+function client_assertACLPrincipalType(type) {
+  if (!client_isACLPrincipalType(type)) {
+    throw new KeetaNetLedgerError('LEDGER_INVALID_ACL_ROW_TYPE', `Invalid ACL Row Type: ${type}`);
+  }
+}
+function client_asACLPrincipalType(type) {
+  client_assertACLPrincipalType(type);
+  return type;
+}
 
 /**
  * Permissions types
  */
 
 /**
- * An entry for the ACL
- * @expandType ACLRow
+ * A permission requirement for ledger effects
+ * @expandType AccountACLRow
  */
 
 /**
  * Update an ACL for an account
- * @expandType ACLEntry
+ * @expandType ACLRow
  */
 
 /**
@@ -127974,6 +128338,7 @@ function client_lib_ledger_toPrimitive(t, r) { if ("object" != typeof t || !t) r
 
 
 
+
 /**
  * Kind of ledger
  */
@@ -128003,6 +128368,10 @@ let client_LedgerKind = /*#__PURE__*/function (LedgerKind) {
  * Options for "getVotesAfter"
  */
 
+/**
+ * Filters for listing ACLs by entity
+ */
+
 /**
  * Idempotent Key
  */
@@ -128174,6 +128543,14 @@ class client_LedgerAtomicInterface {
       if (!quote.issuer.comparePublicKey(ledgerPubKey)) {
         throw new client_ledger_KeetaNetLedgerError('LEDGER_QUOTE_MISMATCH', 'Provided quote does not match issuer public key');
       }
+      if (quote.blocks.length !== blocks.length) {
+        throw new client_ledger_KeetaNetLedgerError('LEDGER_QUOTE_MISMATCH', 'Provided quote does not match blocks length');
+      }
+      for (let blockIndex = 0; blockIndex < blocks.length; blockIndex++) {
+        if (!blocks[blockIndex].hash.compareHexString(quote.blocks[blockIndex])) {
+          throw new client_ledger_KeetaNetLedgerError('LEDGER_QUOTE_MISMATCH', 'Provided quote does not match blocks content');
+        }
+      }
     }
 
     /**
@@ -128201,6 +128578,7 @@ class client_LedgerAtomicInterface {
         }
       }
       const requiredFees = new Map();
+      const optionalFees = new Map();
       for (const checkVote of otherVotes) {
         if (checkVote.quote === true) {
           throw new client_ledger_KeetaNetLedgerError('LEDGER_VOTE_WITH_QUOTE', 'Cannot request votes with quote as supporting votes');
@@ -128214,7 +128592,18 @@ class client_LedgerAtomicInterface {
         seenVoteIssuers.add(checkVote.issuer);
         seenVoteUIDs.add(checkVote.$id);
         if (checkVote.fee !== undefined) {
-          requiredFees.set(checkVote.issuer, checkVote.fee);
+          const checkVoteFee = Array.isArray(checkVote.fee) ? checkVote.fee : [checkVote.fee];
+
+          // Check if user has the option to pay zero (any fee with amount === 0)
+          // If a zero-amount option exists, fee block is optional; otherwise required
+          const hasZeroFeeOption = checkVoteFee.some(fee => fee.amount === 0n);
+          if (hasZeroFeeOption) {
+            // At least one fee option is zero amount - fee block is optional, but if included should match one of the provided options
+            optionalFees.set(checkVote.issuer, checkVote.fee);
+          } else if (checkVoteFee.length > 0) {
+            // All fee options require payment (no zero option) - fee block MUST be present and operation should match at least one fee option
+            requiredFees.set(checkVote.issuer, checkVote.fee);
+          }
         }
 
         /*
@@ -128242,25 +128631,43 @@ class client_LedgerAtomicInterface {
           foundOurVote = true;
         }
       }
-
+      let finalRequiredFees = requiredFees;
       /*
        * We only care about fees if we are issuing a permanent vote,
        * if we are issuing a temporary vote the fees will be checked
        * when the permanent vote is requested
        */
       if (outcome === 'permanent') {
-        if (requiredFees.size > 0) {
-          if (!hasFeeBlock) {
-            throw new client_ledger_KeetaNetLedgerError('LEDGER_MISSING_REQUIRED_FEE_BLOCK', 'Missing fee block but votes require it');
+        if (requiredFees.size > 0 || optionalFees.size > 0) {
+          // If fees are required then a fee block should have been provided
+          if (requiredFees.size > 0) {
+            if (!hasFeeBlock) {
+              throw new client_ledger_KeetaNetLedgerError('LEDGER_MISSING_REQUIRED_FEE_BLOCK', 'Missing fee block but votes require it');
+            }
           }
-          // Each vote requires exactly one fee payment, regardless of array size
-          if (requiredFees.size !== (possibleFeeBlock === null || possibleFeeBlock === void 0 ? void 0 : possibleFeeBlock.operations.length)) {
-            throw new client_ledger_KeetaNetLedgerError('LEDGER_REQUIRED_FEE_MISMATCH', 'Fee Block Operations do not match required fees');
+
+          // We can only validate operations match if we have a fee block
+          if (hasFeeBlock) {
+            // Each vote requires exactly one fee payment, regardless of array size
+            // Optional fees may or may not be included in the operations but if they are they should match
+            if (optionalFees.size > 0) {
+              if ((possibleFeeBlock === null || possibleFeeBlock === void 0 ? void 0 : possibleFeeBlock.operations.length) !== requiredFees.size && (possibleFeeBlock === null || possibleFeeBlock === void 0 ? void 0 : possibleFeeBlock.operations.length) !== requiredFees.size + optionalFees.size) {
+                throw new client_ledger_KeetaNetLedgerError('LEDGER_REQUIRED_FEE_MISMATCH', 'Fee Block Operations do not match required fees or required and optional fees');
+              }
+              // If user provided optional fees then we should validate they match
+              if ((possibleFeeBlock === null || possibleFeeBlock === void 0 ? void 0 : possibleFeeBlock.operations.length) === requiredFees.size + optionalFees.size) {
+                finalRequiredFees = new Map([...requiredFees, ...optionalFees]);
+              }
+            } else {
+              if (requiredFees.size !== (possibleFeeBlock === null || possibleFeeBlock === void 0 ? void 0 : possibleFeeBlock.operations.length)) {
+                throw new client_ledger_KeetaNetLedgerError('LEDGER_REQUIRED_FEE_MISMATCH', 'Fee Block Operations do not match required fees');
+              }
+            }
           }
         }
 
         // Verify that at least one required fee option has been satisfied for each vote
-        for (const [issuer, feeOrFees] of requiredFees) {
+        for (const [issuer, feeOrFees] of finalRequiredFees) {
           // Handle both single fee and array of fees
           const fees = Array.isArray(feeOrFees) ? feeOrFees : [feeOrFees];
 
@@ -128550,9 +128957,9 @@ class client_LedgerAtomicInterface {
     const permissions = await client_ledger_classPrivateFieldGet(client_ledger_storage, this).listACLsByPrincipal(transaction, principal, entityList);
     return permissions;
   }
-  async listACLsByEntity(entity) {
+  async listACLsByEntity(entity, options) {
     const transaction = client_ledger_assertClassBrand(client_LedgerAtomicInterface_brand, this, client_assertTransaction).call(this);
-    const permissions = await client_ledger_classPrivateFieldGet(client_ledger_storage, this).listACLsByEntity(transaction, entity);
+    const permissions = await client_ledger_classPrivateFieldGet(client_ledger_storage, this).listACLsByEntity(transaction, entity, options);
     return permissions;
   }
   async votingPower(rep) {
@@ -128591,6 +128998,10 @@ class client_LedgerAtomicInterface {
     return retval;
   }
   async getAccountRep(account) {
+    const acct = client_lib_account.toAccount(account);
+    if (!client_canDelegate(acct.keyType)) {
+      return null;
+    }
     const transaction = client_ledger_assertClassBrand(client_LedgerAtomicInterface_brand, this, client_assertTransaction).call(this);
     const retval = await client_ledger_classPrivateFieldGet(client_ledger_storage, this).getAccountRep(transaction, account);
     return retval;
@@ -128895,6 +129306,71 @@ async function client_listAccountInfo(accounts) {
   await Promise.all(permissionPromises);
   return accountInfo;
 }
+async function client_fetchSatisfiedCertificateACLs(account, requirement) {
+  const entityCertificateACLs = await this.listACLsByEntity(requirement.entity, {
+    principalType: 'CERTIFICATE'
+  });
+  if (entityCertificateACLs.length === 0) {
+    return null;
+  }
+  const entityACLsWithValuesResponse = await Promise.all(entityCertificateACLs.map(async acl => {
+    if (acl.principalType !== 'CERTIFICATE') {
+      throw new Error('Expected certificate ACL row');
+    }
+    const certificate = await this.getAccountCertificateByHash(acl.principal.certificateAccount, acl.principal.certificate);
+    if (certificate === null) {
+      return null;
+    }
+    return {
+      acl,
+      certificate
+    };
+  }));
+
+  // XXX:TODO does this need to be paginated
+  const userCertificates = await this.getAccountCertificates(account);
+  const matchedCertificateACLs = [];
+  for (const aclWithCertificate of entityACLsWithValuesResponse) {
+    if (!aclWithCertificate) {
+      continue;
+    }
+    const {
+      certificate: aclCertificate,
+      acl
+    } = aclWithCertificate;
+    const issuerCertificate = new src_client_Certificate(aclCertificate.certificate, {
+      isTrustedRoot: true
+    });
+    if (!issuerCertificate.checkValid()) {
+      continue;
+    }
+    for (const userCertificate of userCertificates) {
+      var _aclCertificate$inter, _aclCertificate$inter2, _userCertificate$inte, _userCertificate$inte2;
+      if (!userCertificate.certificate.checkValid()) {
+        continue;
+      }
+      const foundChain = userCertificate.certificate.verifyChain({
+        root: new Set([issuerCertificate]),
+        intermediate: new Set([...((_aclCertificate$inter = (_aclCertificate$inter2 = aclCertificate.intermediates) === null || _aclCertificate$inter2 === void 0 ? void 0 : _aclCertificate$inter2.getCertificates()) !== null && _aclCertificate$inter !== void 0 ? _aclCertificate$inter : []), ...((_userCertificate$inte = (_userCertificate$inte2 = userCertificate.intermediates) === null || _userCertificate$inte2 === void 0 ? void 0 : _userCertificate$inte2.getCertificates()) !== null && _userCertificate$inte !== void 0 ? _userCertificate$inte : [])])
+      });
+      if (foundChain === null) {
+        continue;
+      }
+      let foundRootInChain = false;
+      for (const certInChain of foundChain) {
+        if (certInChain.hash().compareHexString(issuerCertificate.hash())) {
+          foundRootInChain = true;
+          break;
+        }
+      }
+      if (!foundRootInChain) {
+        throw new Error('Internal error: issuer certificate not found in verified chain');
+      }
+      matchedCertificateACLs.push(acl);
+    }
+  }
+  return matchedCertificateACLs;
+}
 async function client_checkSingleAccountPermissions(account, requirements, accountInfos) {
   client_ledger_assertClassBrand(client_LedgerAtomicInterface_brand, this, client_assertTransaction).call(this);
 
@@ -128903,6 +129379,9 @@ async function client_checkSingleAccountPermissions(account, requirements, accou
   const entityAccounts = new client_lib_account.Set(unfilteredEntity).toArray();
   const gotPermissions = await this.listACLsByPrincipal(account, entityAccounts);
   for (const requirement of requirements) {
+    if (!requirement.permissions) {
+      throw new Error('Unexpected null permissions in requirement');
+    }
     const reqEntityKey = requirement.entity.publicKeyString.get();
     const foundACLRow = client_findPermissionMatch(requirement, gotPermissions);
     const foundAccountInfo = accountInfos[reqEntityKey];
@@ -128914,10 +129393,19 @@ async function client_checkSingleAccountPermissions(account, requirements, accou
     } else {
       foundPermission = new client_permissions_Permissions();
     }
-    if (requirement.permissions === null) {
-      continue;
+    let hasPermissions = foundPermission.has(requirement.permissions);
+    if (!hasPermissions && account.isAccount()) {
+      const found = await client_ledger_assertClassBrand(client_LedgerAtomicInterface_brand, this, client_fetchSatisfiedCertificateACLs).call(this, account, requirement);
+      if (found) {
+        for (const row of found) {
+          const certificateRowHasPermissions = row.permissions.has(requirement.permissions);
+          if (certificateRowHasPermissions) {
+            hasPermissions = true;
+            break;
+          }
+        }
+      }
     }
-    const hasPermissions = foundPermission.has(requirement.permissions);
     if (!hasPermissions) {
       var _requirement$target;
       const accountPubKey = account.publicKeyString.get();
@@ -128935,19 +129423,22 @@ async function client_checkPermissionRequirements(effects) {
   const needToGetAccountInfoFor = new client_lib_account.Set();
   const allAccountsChanges = Object.values(effects);
   const foundMultisigSignerLengths = [];
-  for (const {
-    account,
-    fields
-  } of allAccountsChanges) {
-    if (account.isMultisig()) {
+  for (const accountChanges of allAccountsChanges) {
+    const {
+      fields
+    } = accountChanges;
+    if (accountChanges.type === 'ACCOUNT' && accountChanges.account.isMultisig()) {
       if (fields.minSignerSetLength !== undefined) {
-        needToGetAccountInfoFor.add(account);
-        foundMultisigSignerLengths.push([account, fields.minSignerSetLength]);
+        needToGetAccountInfoFor.add(accountChanges.account);
+        foundMultisigSignerLengths.push([accountChanges.account, fields.minSignerSetLength]);
       }
     }
     for (const singleRequirement of (_fields$permissionReq = fields.permissionRequirements) !== null && _fields$permissionReq !== void 0 ? _fields$permissionReq : []) {
       var _fields$permissionReq;
       const principal = singleRequirement.principal;
+      if (!client_lib_account.isInstance(principal)) {
+        throw new Error('Principal in permission requirement is not an account');
+      }
       const principalPubKey = principal.publicKeyString.get();
       if (!requirementsByPrincipal[principalPubKey]) {
         requirementsByPrincipal[principalPubKey] = [];
@@ -129091,6 +129582,9 @@ async function client_validateLedgerOutcome(blocks) {
   }
   for (const accountChanges of allAccountsChanges) {
     var _fields$createRequest, _fields$permissions;
+    if (accountChanges.type === 'CERTIFICATE') {
+      continue;
+    }
     const {
       account,
       fields = {}
@@ -129109,6 +129603,10 @@ async function client_validateLedgerOutcome(blocks) {
      */
     const addedPermissions = (_fields$permissions = fields.permissions) !== null && _fields$permissions !== void 0 ? _fields$permissions : [];
     for (const newPerm of addedPermissions) {
+      // We only care about permissions that include ownership, and non-accounts (ex: certificate principals) cannot be owners
+      if (newPerm.principalType === 'CERTIFICATE') {
+        continue;
+      }
       let method = 'ADD';
       if (newPerm.permissions === null || !newPerm.permissions.has(['OWNER'])) {
         method = 'REMOVE';
@@ -129301,7 +129799,13 @@ async function client_voteOrQuoteWithFees(blocks, type, quote, options) {
   if (requireBlockTimestampCheck) {
     var _quote$fee;
     const fee = (_quote$fee = quote === null || quote === void 0 ? void 0 : quote.fee) !== null && _quote$fee !== void 0 ? _quote$fee : await this.getFee(blocks, effects);
-    if (fee !== null) {
+    // We add an explicit fee of 0 if one is not provided.
+    // Since the quote identifier is in the fee data and needs to be parsed correctly.
+    if (fee === null || Array.isArray(fee) && fee.length === 0) {
+      builder.addFee({
+        amount: 0n
+      });
+    } else {
       builder.addFee(fee);
     }
   }
@@ -129728,7 +130232,7 @@ client_lib_ledger_defineProperty(src_client_Ledger, "isInstance", client_checkab
 // EXTERNAL MODULE: ws (ignored)
 var client_ws_ignored_ = __webpack_require__(4708);
 ;// ./src/version.ts
-const client_version = '0.16.1+g8d5abd1c27152ecca68f2594f9191c1c77a334a4';
+const client_version = '0.18.0+g5417d9af948be899fcebb75694edb492ff971891';
 /* harmony default export */ const client_src_version = ((/* unused pure expression or super */ null && (client_version)));
 ;// ./src/lib/p2p.ts
 /* provided dependency */ var client_p2p_Buffer = __webpack_require__(8287)["Buffer"];
@@ -132362,6 +132866,7 @@ async function client_generateInitialVoteStaple(options) {
 
 
 
+
 /* harmony default export */ const client_src_lib = ({
   /**
    * The `Account` module provides functionality for managing key pairs
@@ -132381,11 +132886,12 @@ async function client_generateInitialVoteStaple(options) {
     ASN1: client_utils_asn1_namespaceObject,
     Bloom: client_bloom_namespaceObject,
     Buffer: client_utils_buffer_namespaceObject,
+    Certificate: client_utils_certificate_namespaceObject,
+    Conversion: client_conversion_namespaceObject,
+    DomainSeparation: client_domain_separation_namespaceObject,
     Hash: client_hash_namespaceObject,
     Helper: client_helper_namespaceObject,
-    Initial: client_initial_namespaceObject,
-    Conversion: client_conversion_namespaceObject,
-    Certificate: client_utils_certificate_namespaceObject
+    Initial: client_initial_namespaceObject
   }
 });
 ;// ./src/client/builder.ts
@@ -132836,6 +133342,11 @@ class src_client_UserClientBuilder {
           continue;
         }
 
+        // If fee options contains an amount of 0, skip this vote
+        if (fees.some(fee => fee.amount === 0n)) {
+          continue;
+        }
+
         // Find fee with undefined token or matching baseToken
         let selectedFee = fees.find(fee => {
           if (fee.token === undefined || fee.token.comparePublicKey(baseToken)) {
@@ -133456,6 +133967,7 @@ function client_client_assertClassBrand(e, t, n) { if ("function" == typeof e ?
 
 
 
+
 
 
 /*
@@ -133711,6 +134223,15 @@ class src_client_Client {
     return await this.transmit(blocks.blocks, options);
   }
 
+  /**
+   * Check if the provided votes require a fee block.  This is true if any vote has only non zero-amount options available.
+   * If a vote has at least one zero-amount fee option, the user can satisfy the fee requirement without payment.
+   * This is used to determine if we need to generate a fee block before transmitting the blocks.
+   *
+   * @param tempVotes
+   * @returns boolean true if provided votes require a fee block
+   */
+
   /**
    * Transmit a set of blocks to the network.  This will request short
    * votes and permanent votes for the blocks and then publish them to
@@ -133723,13 +134244,7 @@ class src_client_Client {
    */
   async transmit(blocks, options) {
     const tempVotes = await client_client_assertClassBrand(client_Client_brand, this, client_requestVotes).call(this, blocks, undefined, undefined, options === null || options === void 0 ? void 0 : options.quotes);
-    let requiresFee = false;
-    for (const vote of tempVotes) {
-      if (vote.fee !== undefined) {
-        requiresFee = true;
-      }
-    }
-    if (requiresFee) {
+    if (client_client_assertClassBrand(client_Client_brand, this, client_votesRequireFees).call(this, tempVotes)) {
       if ((options === null || options === void 0 ? void 0 : options.generateFeeBlock) === undefined) {
         throw new Error('Votes require fees but generateFeeBlock was not defined');
       }
@@ -134758,16 +135273,9 @@ class src_client_Client {
         tempVotes = [...tempVotes, ...newTempVotes];
       }
       const missingPermReps = client_client_classPrivateFieldGet(client_reps, this).filter(rep => !permReps.includes(rep));
-      // If any of the temporary votes require a fee, we need to generate a fee block
-      let requiresFee = false;
-      for (const vote of tempVotes) {
-        if (vote.fee !== undefined) {
-          requiresFee = true;
-        }
-      }
 
       // If we need a fee block and don't have any permanent votes, we need to generate a fee block
-      if (requiresFee && permVotes.length === 0) {
+      if (client_client_assertClassBrand(client_Client_brand, this, client_votesRequireFees).call(this, tempVotes) && permVotes.length === 0) {
         if ((options === null || options === void 0 ? void 0 : options.generateFeeBlock) === undefined) {
           throw new Error('Votes require fees but generateFeeBlock was not defined');
         }
@@ -135288,6 +135796,25 @@ function client_getBuilderRenderOptions(network) {
     }
   };
 }
+function client_votesRequireFees(tempVotes) {
+  let requiresFees = false;
+  for (const vote of tempVotes) {
+    if (vote.fee !== undefined) {
+      const voteFee = Array.isArray(vote.fee) ? vote.fee : [vote.fee];
+
+      // Check if user has the option to pay zero (any fee with amount === 0)
+      // If a zero-amount option exists, fee block is optional for this vote
+      const hasZeroFeeOption = voteFee.some(fee => fee.amount === 0n);
+
+      // If no zero option exists (requires payment), fee block is required
+      if (!hasZeroFeeOption) {
+        requiresFees = true;
+        break;
+      }
+    }
+  }
+  return requiresFees;
+}
 function client_urlSeparatedAccounts(accounts) {
   const pubKeys = accounts.map(account => client_lib_account.toPublicKeyString(account));
   return pubKeys.join(',');
@@ -135360,12 +135887,31 @@ function client_parseAccountInfo(account, accountInfo) {
 }
 function client_parsePermissionEntries(entries) {
   return entries.map(entry => {
-    return {
-      principal: client_src_lib.Account.fromPublicKeyString(entry.principal),
+    const shared = {
       entity: client_src_lib.Account.fromPublicKeyString(entry.entity),
       permissions: client_client_assertClassBrand(client_Client_brand, this, client_parseResponsePermissions).call(this, entry.permissions),
       target: client_src_lib.Account.fromPublicKeyString(entry.target)
     };
+    if (entry.principalType === 'ACCOUNT') {
+      return {
+        principalType: 'ACCOUNT',
+        principal: client_src_lib.Account.fromPublicKeyString(entry.principal),
+        ...shared
+      };
+    } else if (entry.principalType === 'CERTIFICATE') {
+      return {
+        principalType: 'CERTIFICATE',
+        principal: {
+          usingCertificate: true,
+          certificate: new src_client_Certificate.Hash(entry.principal.certificate),
+          certificateAccount: client_src_lib.Account.fromPublicKeyString(entry.principal.certificateAccount)
+        },
+        ...shared
+      };
+    } else {
+      client_assertNever(entry);
+    }
+    throw new Error('Unknown ACL Entry Type');
   });
 }
 function client_mapCertificateWithBundleResult(input) {
@@ -135710,7 +136256,9 @@ class src_client_UserClient {
                 principals.push(operation.to);
                 break;
               case client_OperationType.MODIFY_PERMISSIONS:
-                principals.push(operation.principal);
+                if (client_lib_account.isInstance(operation.principal)) {
+                  principals.push(operation.principal);
+                }
                 break;
               case client_OperationType.CREATE_IDENTIFIER:
                 principals.push(operation.identifier);