@loyal-labs/private-transactions 0.2.8 → 0.2.9

package/dist/index.js

@@ -1,17 +1,14 @@
 // src/LoyalPrivateTransactionsClient.ts
 import {
-  Connection,
-  PublicKey as PublicKey4,
-  SystemProgram
+  Connection as Connection3,
+  PublicKey as PublicKey7,
+  SystemProgram as SystemProgram5,
+  Transaction as Transaction7
 } from "@solana/web3.js";
-import { AnchorProvider, BN, Program } from "@coral-xyz/anchor";
-import {
-  getAssociatedTokenAddressSync,
-  TOKEN_PROGRAM_ID,
-  ASSOCIATED_TOKEN_PROGRAM_ID
-} from "@solana/spl-token";
+import { AnchorProvider as AnchorProvider2, BN as BN2, Program as Program2 } from "@coral-xyz/anchor";
+import { TOKEN_PROGRAM_ID as TOKEN_PROGRAM_ID4 } from "@solana/spl-token";
 import {
-  verifyTeeRpcIntegrity,
+  verifyTeeIntegrity,
   getAuthToken
 } from "@magicblock-labs/ephemeral-rollups-sdk";
 // src/idl/telegram_private_transfer.json
@@ -105,6 +102,107 @@ var telegram_private_transfer_default = {
         }
       ]
     },
+    {
+      name: "close_deposit",
+      docs: [
+        "Closes an empty user deposit account and returns its rent to the deposit owner."
+      ],
+      discriminator: [
+        200,
+        19,
+        254,
+        192,
+        15,
+        110,
+        209,
+        179
+      ],
+      accounts: [
+        {
+          name: "user",
+          writable: true,
+          signer: true,
+          relations: [
+            "deposit"
+          ]
+        },
+        {
+          name: "deposit",
+          writable: true,
+          pda: {
+            seeds: [
+              {
+                kind: "const",
+                value: [
+                  100,
+                  101,
+                  112,
+                  111,
+                  115,
+                  105,
+                  116,
+                  95,
+                  118,
+                  50
+                ]
+              },
+              {
+                kind: "account",
+                path: "user"
+              },
+              {
+                kind: "account",
+                path: "token_mint"
+              }
+            ]
+          }
+        },
+        {
+          name: "token_mint",
+          relations: [
+            "deposit"
+          ]
+        }
+      ],
+      args: []
+    },
+    {
+      name: "close_username_deposit",
+      docs: [
+        "Closes an empty username deposit account after verified username ownership."
+      ],
+      discriminator: [
+        238,
+        181,
+        185,
+        209,
+        149,
+        161,
+        124,
+        79
+      ],
+      accounts: [
+        {
+          name: "authority",
+          writable: true,
+          signer: true
+        },
+        {
+          name: "deposit",
+          writable: true
+        },
+        {
+          name: "token_mint",
+          relations: [
+            "deposit"
+          ]
+        },
+        {
+          name: "session"
+        }
+      ],
+      args: []
+    },
     {
       name: "create_permission",
       docs: [
@@ -817,10 +915,20 @@ var telegram_private_transfer_default = {
     {
       name: "modify_balance",
       docs: [
-        "Modifies the balance of a user's deposit account by transferring tokens in or out.",
+        "Modifies a user's deposit balance and the backing vault position for the given mint.",
+        "",
+        "For non-USDC mints, this is a direct vault transfer: if `args.increase` is true, `args.amount`",
+        "is transferred from the user's token account to the vault token account and added to",
+        "`deposit.amount`. If false, `args.amount` is transferred from the vault token account back to",
+        "the user's token account and subtracted from `deposit.amount`.",
         "",
-        "If `args.increase` is true, tokens are transferred from the user's token account to the deposit account.",
-        "If false, tokens are transferred from the deposit account back to the user's token account."
+        "For USDC, liquidity is routed through Kamino Lending instead of being left idle in the vault.",
+        "If `args.increase` is true, `args.amount` USDC is transferred into the vault token account,",
+        "supplied to the configured Kamino reserve, and `deposit.amount` is increased by the Kamino",
+        "reserve collateral shares (kTokens) minted to the vault. If false, `args.amount` is",
+        "interpreted as the Kamino share amount to redeem; the reserve returns the corresponding USDC",
+        "at the current exchange rate, that USDC is transferred from the vault token account to the",
+        "user's token account, and `deposit.amount` is decreased by the burned share amount."
       ],
       discriminator: [
         148,
@@ -1657,6 +1765,11 @@ var telegram_private_transfer_default = {
       code: 6013,
       name: "InvalidAmount",
       msg: "Invalid amount"
+    },
+    {
+      code: 6014,
+      name: "NonZeroDeposit",
+      msg: "Deposit account must have zero amount before it can be closed"
     }
   ],
   types: [
@@ -1823,14 +1936,14 @@ import {
   LAMPORTS_PER_SOL,
   SYSVAR_INSTRUCTIONS_PUBKEY
 } from "@solana/web3.js";
-var ER_VALIDATOR_DEVNET = new PublicKey("FnE6VJT5QNZdedZPnCoLsARgBwoE6DeJNjBs2H1gySXA");
+var ER_VALIDATOR_DEVNET = new PublicKey("MTEWGuqxUpYZGFJQcp8tLN7x5v9BSeoFHYWQQ3n3xzo");
 var ER_VALIDATOR_MAINNET = new PublicKey("MTEWGuqxUpYZGFJQcp8tLN7x5v9BSeoFHYWQQ3n3xzo");
 var ER_VALIDATOR = ER_VALIDATOR_DEVNET;
 function getErValidatorForSolanaEnv(env) {
   return env === "mainnet" ? ER_VALIDATOR_MAINNET : ER_VALIDATOR_DEVNET;
 }
-function getErValidatorForRpcEndpoint(rpcEndpoint) {
-  return rpcEndpoint.includes("mainnet-tee") ? ER_VALIDATOR_MAINNET : ER_VALIDATOR_DEVNET;
+function getErValidatorForRpcEndpoint(perRpcEndpoint) {
+  return perRpcEndpoint.includes("mainnet-tee") ? ER_VALIDATOR_MAINNET : ER_VALIDATOR_DEVNET;
 }
 function getKaminoModifyBalanceAccountsForTokenMint(tokenMint) {
   if (tokenMint.equals(USDC_MINT_MAINNET)) {
@@ -1889,6 +2002,125 @@ function lamportsToSol(lamports) {
   return lamports / LAMPORTS_PER_SOL;
 }
 
+// src/enumerate-deposits.ts
+import { AnchorProvider, Program } from "@coral-xyz/anchor";
+import {
+  PublicKey as PublicKey2
+} from "@solana/web3.js";
+var DEPOSIT_ACCOUNT_SIZE = 80;
+var DEPOSIT_USER_OFFSET = 8;
+var DEPOSIT_MINT_OFFSET = 40;
+var DEPOSIT_AMOUNT_OFFSET = 72;
+
+class ReadOnlyWallet {
+  publicKey;
+  constructor(publicKey) {
+    this.publicKey = publicKey;
+  }
+  async signTransaction(_tx) {
+    throw new Error("ReadOnlyWallet cannot sign transactions; construct a real client for write paths.");
+  }
+  async signAllTransactions(_txs) {
+    throw new Error("ReadOnlyWallet cannot sign transactions; construct a real client for write paths.");
+  }
+}
+function createReadOnlyDepositProgram(connection) {
+  const wallet = new ReadOnlyWallet(PublicKey2.default);
+  const provider = new AnchorProvider(connection, wallet, {
+    commitment: connection.commitment ?? "confirmed"
+  });
+  return new Program(telegram_private_transfer_default, provider);
+}
+function readDepositAmount(data) {
+  let value = BigInt(0);
+  for (let i = 0;i < 8; i++) {
+    value += BigInt(data[DEPOSIT_AMOUNT_OFFSET + i] ?? 0) << BigInt(i * 8);
+  }
+  return value;
+}
+async function readDelegatedDepositsOnBase(baseConnection, user) {
+  const accounts = await baseConnection.getProgramAccounts(DELEGATION_PROGRAM_ID, {
+    filters: [
+      { dataSize: DEPOSIT_ACCOUNT_SIZE },
+      {
+        memcmp: {
+          offset: DEPOSIT_USER_OFFSET,
+          bytes: user.toBase58()
+        }
+      }
+    ]
+  });
+  const result = [];
+  for (const { pubkey, account } of accounts) {
+    const data = account.data;
+    if (data.length < DEPOSIT_ACCOUNT_SIZE)
+      continue;
+    const tokenMint = new PublicKey2(data.subarray(DEPOSIT_MINT_OFFSET, DEPOSIT_MINT_OFFSET + 32));
+    result.push({
+      user,
+      tokenMint,
+      amount: readDepositAmount(data),
+      address: pubkey
+    });
+  }
+  return result;
+}
+async function enumerateDepositsByUser(args) {
+  const userFilter = [
+    {
+      memcmp: {
+        offset: DEPOSIT_USER_OFFSET,
+        bytes: args.user.toBase58()
+      }
+    }
+  ];
+  const baseProgram = createReadOnlyDepositProgram(args.baseConnection);
+  const ephemeralProgram = args.ephemeralConnection ? createReadOnlyDepositProgram(args.ephemeralConnection) : null;
+  const [baseUndelegatedResult, baseDelegatedResult, ephemeralResult] = await Promise.allSettled([
+    baseProgram.account.deposit.all(userFilter),
+    readDelegatedDepositsOnBase(args.baseConnection, args.user),
+    ephemeralProgram ? ephemeralProgram.account.deposit.all(userFilter) : Promise.resolve([])
+  ]);
+  const byPda = new Map;
+  const ingestAnchor = (results, preferOverwrite) => {
+    for (const { publicKey, account } of results) {
+      const key = publicKey.toBase58();
+      if (!preferOverwrite && byPda.has(key))
+        continue;
+      byPda.set(key, {
+        user: account.user,
+        tokenMint: account.tokenMint,
+        amount: BigInt(account.amount.toString()),
+        address: publicKey
+      });
+    }
+  };
+  const ingestRaw = (results, preferOverwrite) => {
+    for (const data of results) {
+      const key = data.address.toBase58();
+      if (!preferOverwrite && byPda.has(key))
+        continue;
+      byPda.set(key, data);
+    }
+  };
+  if (baseUndelegatedResult.status === "fulfilled") {
+    ingestAnchor(baseUndelegatedResult.value, false);
+  } else {
+    console.warn("[enumerateDepositsByUser] base undelegated enumeration failed", baseUndelegatedResult.reason);
+  }
+  if (baseDelegatedResult.status === "fulfilled") {
+    ingestRaw(baseDelegatedResult.value, true);
+  } else {
+    console.warn("[enumerateDepositsByUser] base delegated enumeration failed", baseDelegatedResult.reason);
+  }
+  if (ephemeralResult.status === "fulfilled" && ephemeralProgram) {
+    ingestAnchor(ephemeralResult.value, true);
+  } else if (ephemeralProgram && ephemeralResult.status === "rejected") {
+    console.warn("[enumerateDepositsByUser] ephemeral enumeration failed", ephemeralResult.reason);
+  }
+  return Array.from(byPda.values());
+}
+
 // src/kamino.ts
 var KAMINO_RESERVE_DISCRIMINATOR = Buffer.from([
   43,
@@ -1902,14 +2134,24 @@ var KAMINO_RESERVE_DISCRIMINATOR = Buffer.from([
 ]);
 var KAMINO_FRACTION_BITS = 60n;
 var KAMINO_FRACTION_SCALE = 1n << KAMINO_FRACTION_BITS;
+function bytesEqual(a, b) {
+  if (a.length !== b.length)
+    return false;
+  for (let i = 0;i < a.length; i++) {
+    if (a[i] !== b[i])
+      return false;
+  }
+  return true;
+}
+var KAMINO_DISCRIMINATOR_OFFSET = 8;
 var KAMINO_RESERVE_LAYOUT_OFFSETS = {
-  liquidityAvailableAmount: 216,
-  liquidityBorrowedAmountSf: 224,
-  liquidityMintDecimals: 264,
-  liquidityAccumulatedProtocolFeesSf: 336,
-  liquidityAccumulatedReferrerFeesSf: 352,
-  liquidityPendingReferrerFeesSf: 368,
-  collateralMintTotalSupply: 2584
+  liquidityAvailableAmount: KAMINO_DISCRIMINATOR_OFFSET + 216,
+  liquidityBorrowedAmountSf: KAMINO_DISCRIMINATOR_OFFSET + 224,
+  liquidityMintDecimals: KAMINO_DISCRIMINATOR_OFFSET + 264,
+  liquidityAccumulatedProtocolFeesSf: KAMINO_DISCRIMINATOR_OFFSET + 336,
+  liquidityAccumulatedReferrerFeesSf: KAMINO_DISCRIMINATOR_OFFSET + 352,
+  liquidityPendingReferrerFeesSf: KAMINO_DISCRIMINATOR_OFFSET + 368,
+  collateralMintTotalSupply: KAMINO_DISCRIMINATOR_OFFSET + 2584
 };
 function readUint64LE(data, offset) {
   return data.readBigUInt64LE(offset);
@@ -1929,22 +2171,22 @@ function divCeil(numerator, denominator) {
   return (numerator + denominator - 1n) / denominator;
 }
 function parseKaminoReserveSnapshotFromAccountData(args) {
-  const { data, reserve, tokenMint } = args;
-  if (data.length < 8 || !data.subarray(0, 8).equals(KAMINO_RESERVE_DISCRIMINATOR)) {
+  const { reserve, tokenMint } = args;
+  const data = Buffer.isBuffer(args.data) ? args.data : Buffer.from(args.data);
+  if (data.length < 8 || !bytesEqual(data.subarray(0, 8), KAMINO_RESERVE_DISCRIMINATOR)) {
     throw new Error(`Kamino reserve ${reserve.toBase58()} has an invalid discriminator`);
   }
-  const accountData = data.subarray(8);
   const requiredLength = KAMINO_RESERVE_LAYOUT_OFFSETS.collateralMintTotalSupply + 8;
-  if (accountData.length < requiredLength) {
+  if (data.length < requiredLength) {
     throw new Error(`Kamino reserve ${reserve.toBase58()} is too small: expected at least ${requiredLength} bytes`);
   }
-  const liquidityAvailableAmount = readUint64LE(accountData, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityAvailableAmount);
-  const liquidityBorrowedAmountSf = readUint128LE(accountData, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityBorrowedAmountSf);
-  const liquidityAccumulatedProtocolFeesSf = readUint128LE(accountData, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityAccumulatedProtocolFeesSf);
-  const liquidityAccumulatedReferrerFeesSf = readUint128LE(accountData, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityAccumulatedReferrerFeesSf);
-  const liquidityPendingReferrerFeesSf = readUint128LE(accountData, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityPendingReferrerFeesSf);
-  const collateralSupplyRaw = readUint64LE(accountData, KAMINO_RESERVE_LAYOUT_OFFSETS.collateralMintTotalSupply);
-  const liquidityDecimals = Number(readUint64LE(accountData, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityMintDecimals));
+  const liquidityAvailableAmount = readUint64LE(data, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityAvailableAmount);
+  const liquidityBorrowedAmountSf = readUint128LE(data, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityBorrowedAmountSf);
+  const liquidityAccumulatedProtocolFeesSf = readUint128LE(data, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityAccumulatedProtocolFeesSf);
+  const liquidityAccumulatedReferrerFeesSf = readUint128LE(data, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityAccumulatedReferrerFeesSf);
+  const liquidityPendingReferrerFeesSf = readUint128LE(data, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityPendingReferrerFeesSf);
+  const collateralSupplyRaw = readUint64LE(data, KAMINO_RESERVE_LAYOUT_OFFSETS.collateralMintTotalSupply);
+  const liquidityDecimals = Number(readUint64LE(data, KAMINO_RESERVE_LAYOUT_OFFSETS.liquidityMintDecimals));
   const grossLiquiditySupplyScaled = (liquidityAvailableAmount << KAMINO_FRACTION_BITS) + liquidityBorrowedAmountSf;
   const totalFeeAmountScaled = liquidityAccumulatedProtocolFeesSf + liquidityAccumulatedReferrerFeesSf + liquidityPendingReferrerFeesSf;
   return {
@@ -2019,41 +2261,98 @@ async function fetchKaminoReserveSnapshot(args) {
 }
 
 // src/pda.ts
-import { PublicKey as PublicKey2 } from "@solana/web3.js";
+import { PublicKey as PublicKey4 } from "@solana/web3.js";
 
 // src/utils.ts
+import { PublicKey as PublicKey3 } from "@solana/web3.js";
+function prettyStringify(obj) {
+  const json = JSON.stringify(obj, (_key, value) => {
+    if (value instanceof PublicKey3)
+      return value.toBase58();
+    if (typeof value === "bigint")
+      return value.toString();
+    return value;
+  }, 2);
+  return json.replace(/\[\s+(\d[\d,\s]*\d)\s+\]/g, (_match, inner) => {
+    const items = inner.split(/,\s*/).map((s) => s.trim());
+    return `[${items.join(", ")}]`;
+  });
+}
+function waitForAccountOwnerChange(connection, account, expectedOwner, timeoutMs = 15000, intervalMs = 1000) {
+  let skipWait;
+  const subId = connection.onAccountChange(account, (accountInfo) => {
+    if (accountInfo.owner.equals(expectedOwner) && skipWait) {
+      console.log(`waitForAccountOwnerChange: ${account.toString()} - short-circuit polling wait`);
+      skipWait();
+    }
+  }, { commitment: "confirmed" });
+  const cleanup = async () => {
+    await connection.removeAccountChangeListener(subId);
+  };
+  const wait = async () => {
+    try {
+      const start = Date.now();
+      while (Date.now() - start < timeoutMs) {
+        const info = await connection.getAccountInfo(account, "confirmed");
+        if (info && info.owner.equals(expectedOwner)) {
+          console.log(`waitForAccountOwnerChange: ${account.toString()} appeared with owner ${expectedOwner.toString()} after ${Date.now() - start}ms`);
+          return;
+        }
+        if (info) {
+          console.log(`waitForAccountOwnerChange: ${account.toString()} exists but owner is ${info.owner.toString()}, expected ${expectedOwner.toString()}`);
+        }
+        await new Promise((r) => {
+          skipWait = r;
+          setTimeout(r, intervalMs);
+        });
+      }
+      throw new Error(`waitForAccountOwnerChange: ${account.toString()} did not appear with owner ${expectedOwner.toString()} after ${timeoutMs}ms`);
+    } finally {
+      await cleanup();
+    }
+  };
+  return { wait, cancel: cleanup };
+}
 async function sha256hash(data) {
   const encoded = Uint8Array.from(new TextEncoder().encode(data));
   const hash = await crypto.subtle.digest("SHA-256", encoded);
   return Array.from(new Uint8Array(hash));
 }
+function validateUsername(username) {
+  if (!username || username.length < 5 || username.length > 32) {
+    throw new Error("Username must be between 5 and 32 characters");
+  }
+  if (!/^[a-z0-9_]+$/.test(username)) {
+    throw new Error("Username can only contain lowercase alphanumeric characters and underscores");
+  }
+}
 
 // src/pda.ts
 function findDepositPda(user, tokenMint, programId = PROGRAM_ID) {
-  return PublicKey2.findProgramAddressSync([DEPOSIT_SEED_BYTES, user.toBuffer(), tokenMint.toBuffer()], programId);
+  return PublicKey4.findProgramAddressSync([DEPOSIT_SEED_BYTES, user.toBuffer(), tokenMint.toBuffer()], programId);
 }
 async function findUsernameDepositPda(username, tokenMint, programId = PROGRAM_ID) {
   const usernameHash = await sha256hash(username);
-  return PublicKey2.findProgramAddressSync([
+  return PublicKey4.findProgramAddressSync([
     USERNAME_DEPOSIT_SEED_BYTES,
     Buffer.from(usernameHash),
     tokenMint.toBuffer()
   ], programId);
 }
 function findVaultPda(tokenMint, programId = PROGRAM_ID) {
-  return PublicKey2.findProgramAddressSync([VAULT_SEED_BYTES, tokenMint.toBuffer()], programId);
+  return PublicKey4.findProgramAddressSync([VAULT_SEED_BYTES, tokenMint.toBuffer()], programId);
 }
 function findPermissionPda(account, permissionProgramId = PERMISSION_PROGRAM_ID) {
-  return PublicKey2.findProgramAddressSync([PERMISSION_SEED_BYTES, account.toBuffer()], permissionProgramId);
+  return PublicKey4.findProgramAddressSync([PERMISSION_SEED_BYTES, account.toBuffer()], permissionProgramId);
 }
 function findDelegationRecordPda(account, delegationProgramId = DELEGATION_PROGRAM_ID) {
-  return PublicKey2.findProgramAddressSync([Buffer.from("delegation"), account.toBuffer()], delegationProgramId);
+  return PublicKey4.findProgramAddressSync([Buffer.from("delegation"), account.toBuffer()], delegationProgramId);
 }
 function findDelegationMetadataPda(account, delegationProgramId = DELEGATION_PROGRAM_ID) {
-  return PublicKey2.findProgramAddressSync([Buffer.from("delegation-metadata"), account.toBuffer()], delegationProgramId);
+  return PublicKey4.findProgramAddressSync([Buffer.from("delegation-metadata"), account.toBuffer()], delegationProgramId);
 }
 function findBufferPda(account, ownerProgramId = PROGRAM_ID) {
-  return PublicKey2.findProgramAddressSync([Buffer.from("buffer"), account.toBuffer()], ownerProgramId);
+  return PublicKey4.findProgramAddressSync([Buffer.from("buffer"), account.toBuffer()], ownerProgramId);
 }
 
 // src/wallet-adapter.ts
@@ -2192,61 +2491,1621 @@ function createKeypairMessageSigner(keypair) {
   };
 }
 
-// src/LoyalPrivateTransactionsClient.ts
-var KAMINO_API_BASE_URL = "https://api.kamino.finance";
-var KAMINO_MAINNET_ENV = "mainnet-beta";
-var KAMINO_DEVNET_ENV = "devnet";
-function prettyStringify(obj) {
-  const json = JSON.stringify(obj, (_key, value) => {
-    if (value instanceof PublicKey4)
-      return value.toBase58();
-    if (typeof value === "bigint")
-      return value.toString();
-    return value;
-  }, 2);
-  return json.replace(/\[\s+(\d[\d,\s]*\d)\s+\]/g, (_match, inner) => {
-    const items = inner.split(/,\s*/).map((s) => s.trim());
-    return `[${items.join(", ")}]`;
+// src/actions/shieldTokens.ts
+import { NATIVE_MINT as NATIVE_MINT2 } from "@solana/spl-token";
+import {
+  Transaction as Transaction4
+} from "@solana/web3.js";
+
+// src/rent-estimate.ts
+import { ACCOUNT_SIZE, getAssociatedTokenAddressSync } from "@solana/spl-token";
+var DISCRIMINATOR_SIZE = 8;
+var PUBLIC_KEY_SIZE = 32;
+var U64_SIZE = 8;
+var U8_SIZE = 1;
+var BOOL_SIZE = 1;
+var VEC_PREFIX_SIZE = 4;
+var MAGICBLOCK_UNDELEGATE_SESSION_FEE_LAMPORTS = 300000;
+var DEPOSIT_ACCOUNT_SIZE2 = DISCRIMINATOR_SIZE + PUBLIC_KEY_SIZE + PUBLIC_KEY_SIZE + U64_SIZE;
+var VAULT_ACCOUNT_SIZE = DISCRIMINATOR_SIZE + U8_SIZE;
+var PERMISSION_ACCOUNT_SIZE = 567;
+var DELEGATION_RECORD_ACCOUNT_SIZE = DISCRIMINATOR_SIZE + PUBLIC_KEY_SIZE + PUBLIC_KEY_SIZE + U64_SIZE * 3;
+function getDelegationMetadataAccountSize(seeds) {
+  return DISCRIMINATOR_SIZE + U64_SIZE + BOOL_SIZE + PUBLIC_KEY_SIZE + VEC_PREFIX_SIZE + seeds.reduce((total, seed) => total + VEC_PREFIX_SIZE + seed.byteLength, 0);
+}
+async function estimateNewAccountRentLamports(params) {
+  if (params.accounts.length === 0) {
+    return 0;
+  }
+  const spaces = Array.from(new Set(params.accounts.map((account) => account.space)));
+  const [accountInfos, rentEntries] = await Promise.all([
+    params.connection.getMultipleAccountsInfo(params.accounts.map((account) => account.address)),
+    Promise.all(spaces.map(async (space) => [
+      space,
+      await params.connection.getMinimumBalanceForRentExemption(space)
+    ]))
+  ]);
+  const rentBySpace = new Map(rentEntries);
+  return params.accounts.reduce((total, account, index) => {
+    if (!account.forceCreate && accountInfos[index]) {
+      return total;
+    }
+    return total + (rentBySpace.get(account.space) ?? 0);
+  }, 0);
+}
+async function estimateExistingAccountLamports(params) {
+  if (params.accounts.length === 0) {
+    return 0;
+  }
+  const accountInfos = await params.connection.getMultipleAccountsInfo(params.accounts);
+  return accountInfos.reduce((total, accountInfo) => total + (accountInfo?.lamports ?? 0), 0);
+}
+async function estimateDepositRentLamports(params) {
+  return estimateNewAccountRentLamports({
+    connection: params.connection,
+    accounts: [
+      {
+        address: params.depositPda,
+        space: DEPOSIT_ACCOUNT_SIZE2,
+        forceCreate: params.forceCreate
+      }
+    ]
   });
 }
-function programFromRpc(signer, commitment, rpcEndpoint, wsEndpoint) {
-  const adapter = InternalWalletAdapter.from(signer);
-  const baseConnection = new Connection(rpcEndpoint, {
-    wsEndpoint,
-    commitment
+async function estimateModifyBalanceRentLamports(params) {
+  const [vaultPda] = findVaultPda(params.tokenMint);
+  const userTokenAccount = getAssociatedTokenAddressSync(params.tokenMint, params.user);
+  const vaultTokenAccount = getAssociatedTokenAddressSync(params.tokenMint, vaultPda, true);
+  const accounts = [
+    { address: vaultPda, space: VAULT_ACCOUNT_SIZE },
+    { address: vaultTokenAccount, space: ACCOUNT_SIZE }
+  ];
+  if (!params.isNativeSol) {
+    accounts.push({ address: userTokenAccount, space: ACCOUNT_SIZE });
+  }
+  return estimateNewAccountRentLamports({
+    connection: params.connection,
+    accounts
   });
-  const baseProvider = new AnchorProvider(baseConnection, adapter, {
-    commitment
+}
+async function estimatePermissionRentLamports(params) {
+  return estimateNewAccountRentLamports({
+    connection: params.connection,
+    accounts: [
+      {
+        address: params.permissionPda,
+        space: PERMISSION_ACCOUNT_SIZE,
+        forceCreate: params.forceCreate
+      }
+    ]
   });
-  return new Program(telegram_private_transfer_default, baseProvider);
 }
-function getKaminoApiEnv(accounts) {
-  return accounts && isKaminoMainnetModifyBalanceAccounts(accounts) ? KAMINO_MAINNET_ENV : KAMINO_DEVNET_ENV;
+async function estimateDepositDelegationRentLamports(params) {
+  const [delegationRecordPda] = findDelegationRecordPda(params.depositPda);
+  const [delegationMetadataPda] = findDelegationMetadataPda(params.depositPda);
+  const metadataSize = getDelegationMetadataAccountSize([
+    DEPOSIT_SEED_BYTES,
+    params.user.toBuffer(),
+    params.tokenMint.toBuffer()
+  ]);
+  return estimateNewAccountRentLamports({
+    connection: params.connection,
+    accounts: [
+      {
+        address: delegationRecordPda,
+        space: DELEGATION_RECORD_ACCOUNT_SIZE,
+        forceCreate: params.forceCreate
+      },
+      {
+        address: delegationMetadataPda,
+        space: metadataSize,
+        forceCreate: params.forceCreate
+      }
+    ]
+  });
 }
-function normalizeBigInt(value) {
-  if (typeof value === "bigint") {
-    return value;
+async function estimateDepositDelegationRentCreditLamports(params) {
+  const [delegationRecordPda] = findDelegationRecordPda(params.depositPda);
+  const [delegationMetadataPda] = findDelegationMetadataPda(params.depositPda);
+  const delegationAccountLamports = await estimateExistingAccountLamports({
+    connection: params.connection,
+    accounts: [delegationRecordPda, delegationMetadataPda]
+  });
+  const refundableLamports = Math.max(0, delegationAccountLamports - MAGICBLOCK_UNDELEGATE_SESSION_FEE_LAMPORTS);
+  return refundableLamports === 0 ? 0 : -refundableLamports;
+}
+
+// src/checks/enshureChecks.ts
+import { DELEGATION_PROGRAM_ID as DELEGATION_PROGRAM_ID2 } from "@magicblock-labs/ephemeral-rollups-sdk";
+var ENSURE_FETCH_MAX_ATTEMPTS = 3;
+var ENSURE_FETCH_INITIAL_DELAY_MS = 150;
+var ENSURE_FETCH_MAX_DELAY_MS = 1000;
+var ENSURE_FETCH_BACKOFF_MULTIPLIER = 2;
+var ENSURE_FETCH_JITTER_RATIO = 0.2;
+var MULTIPLE_ACCOUNTS_CHUNK_SIZE = 5;
+async function processEnsureChecks(baseConnection, perConnection, ensure) {
+  const mergedChecks = new Map;
+  for (const { address, delegated, passNotExist, label } of ensure) {
+    const addressKey = address.toBase58();
+    const existing = mergedChecks.get(addressKey);
+    if (!existing) {
+      mergedChecks.set(addressKey, {
+        address,
+        delegated,
+        passNotExist,
+        labels: [label]
+      });
+      continue;
+    }
+    existing.labels.push(label);
+    if (existing.delegated !== delegated) {
+      throw new Error(`Conflicting ensure delegation requirements: ${existing.labels.join(", ")} - ${addressKey}`);
+    }
+    existing.passNotExist = existing.passNotExist && passNotExist;
   }
-  if (!Number.isInteger(value) || value < 0) {
-    throw new Error(`Expected a non-negative integer amount, received ${value}`);
+  const cache = {
+    baseAccountInfos: new Map,
+    delegationStatuses: new Map,
+    ephemeralAccountInfos: new Map
+  };
+  const uniqueChecks = [...mergedChecks.values()];
+  await primeEnsureBatchCache(baseConnection, perConnection, uniqueChecks, cache);
+  for (const { address, delegated, passNotExist, labels } of uniqueChecks) {
+    const displayLabels = labels.join(", ");
+    if (delegated) {
+      await ensureDelegated(baseConnection, perConnection, address, displayLabels, undefined, cache);
+    } else {
+      await ensureNotDelegated(baseConnection, perConnection, address, displayLabels, passNotExist, cache);
+    }
   }
-  return BigInt(value);
 }
-async function fetchKaminoReserveMetrics(args) {
-  const url = new URL(`/kamino-market/${args.lendingMarket.toBase58()}/reserves/metrics`, KAMINO_API_BASE_URL);
-  url.searchParams.set("env", args.env);
-  const response = await fetch(url.toString(), {
-    method: "GET",
-    headers: {
-      accept: "application/json"
+async function primeEnsureBatchCache(baseConnection, perConnection, checks, cache) {
+  const addresses = checks.map((check) => check.address);
+  const [baseAccountInfos, ephemeralAccountInfos] = await Promise.all([
+    getMultipleAccountsInfoWithRetry(baseConnection, addresses, "base-getMultipleAccountsInfo"),
+    getMultipleAccountsInfoWithRetry(perConnection, addresses, "ephemeral-getMultipleAccountsInfo")
+  ]);
+  for (let index = 0;index < checks.length; index += 1) {
+    const addressKey = checks[index].address.toBase58();
+    cache.baseAccountInfos.set(addressKey, baseAccountInfos[index] ?? null);
+    cache.ephemeralAccountInfos.set(addressKey, ephemeralAccountInfos[index] ?? null);
+  }
+}
+async function getMultipleAccountsInfoWithRetry(connection, accounts, label) {
+  if (accounts.length === 0) {
+    return [];
+  }
+  const chunks = [];
+  for (let start = 0;start < accounts.length; start += MULTIPLE_ACCOUNTS_CHUNK_SIZE) {
+    chunks.push(accounts.slice(start, start + MULTIPLE_ACCOUNTS_CHUNK_SIZE));
+  }
+  const chunkResults = await Promise.all(chunks.map((chunk, index) => runEnsureFetchWithRetry(`${label}-chunk-${index + 1}`, () => connection.getMultipleAccountsInfo(chunk))));
+  return chunkResults.flat();
+}
+async function ensureNotDelegated(baseConnection, perConnection, account, name, passNotExist, cache) {
+  const baseAccountInfo = await getEnsureBaseAccountInfo(baseConnection, account, cache);
+  if (!baseAccountInfo) {
+    if (passNotExist) {
+      return;
     }
-  });
-  if (!response.ok) {
-    throw new Error(`Kamino reserve metrics request failed with status ${response.status}`);
+    const displayName2 = formatEnsureDisplayName(name);
+    throw new Error(`Account is not exists: ${displayName2}${account.toString()}`);
   }
-  const payload = await response.json();
-  if (!Array.isArray(payload)) {
-    throw new Error("Kamino reserve metrics response was not an array");
+  const isDelegated = baseAccountInfo.owner.equals(DELEGATION_PROGRAM_ID2);
+  const displayName = formatEnsureDisplayName(name);
+  if (isDelegated) {
+    const [ephemeralAccountInfo, delegationStatus] = await Promise.all([
+      getEnsureEphemeralAccountInfo(perConnection, account, cache),
+      getEnsureDelegationStatus(perConnection.rpcEndpoint, account, cache)
+    ]);
+    console.error(`Account is delegated to ER: ${displayName}${account.toString()}`);
+    console.error("/getDelegationStatus", JSON.stringify(delegationStatus, null, 2));
+    console.error("baseAccountInfo", prettyStringify(baseAccountInfo));
+    console.error("ephemeralAccountInfo", prettyStringify(ephemeralAccountInfo));
+    const expectedValidator = getErValidatorForRpcEndpoint(perConnection.rpcEndpoint);
+    const authority = delegationStatus.result?.delegationRecord?.authority;
+    if (authority && authority !== expectedValidator.toString()) {
+      console.error(`Account is delegated on wrong validator: ${displayName}${account.toString()} - validator: ${authority}`);
+    }
+    throw new Error(`Account is delegated to ER: ${displayName}${account.toString()}`);
+  }
+}
+async function ensureDelegated(baseConnection, perConnection, account, name, skipValidatorCheck, cache) {
+  const baseAccountInfo = await getEnsureBaseAccountInfo(baseConnection, account, cache);
+  if (!baseAccountInfo) {
+    const displayName2 = formatEnsureDisplayName(name);
+    throw new Error(`Account is not exists: ${displayName2}${account.toString()}`);
+  }
+  const isDelegated = baseAccountInfo.owner.equals(DELEGATION_PROGRAM_ID2);
+  const displayName = formatEnsureDisplayName(name);
+  if (!isDelegated) {
+    const [ephemeralAccountInfo, delegationStatus] = await Promise.all([
+      getEnsureEphemeralAccountInfo(perConnection, account, cache),
+      getEnsureDelegationStatus(perConnection.rpcEndpoint, account, cache)
+    ]);
+    console.error(`Account is not delegated to ER: ${displayName}${account.toString()}`);
+    console.error("/getDelegationStatus:", JSON.stringify(delegationStatus, null, 2));
+    console.error("baseAccountInfo", prettyStringify(baseAccountInfo));
+    console.error("ephemeralAccountInfo", prettyStringify(ephemeralAccountInfo));
+    throw new Error(`Account is not delegated to ER: ${displayName}${account.toString()}`);
+  }
+  if (!skipValidatorCheck) {
+    const [ephemeralAccountInfo, delegationStatus] = await Promise.all([
+      getEnsureEphemeralAccountInfo(perConnection, account, cache),
+      getEnsureDelegationStatus(perConnection.rpcEndpoint, account, cache)
+    ]);
+    if (delegationStatus.result.delegationRecord.authority !== getErValidatorForRpcEndpoint(perConnection.rpcEndpoint).toString()) {
+      console.error(`Account is delegated on wrong validator: ${displayName}${account.toString()} - validator: ${delegationStatus.result.delegationRecord.authority}`);
+      console.error("/getDelegationStatus:", JSON.stringify(delegationStatus, null, 2));
+      console.error("baseAccountInfo", prettyStringify(baseAccountInfo));
+      console.error("ephemeralAccountInfo", prettyStringify(ephemeralAccountInfo));
+      throw new Error(`Account is delegated on wrong validator: ${displayName}${account.toString()} - validator: ${delegationStatus.result.delegationRecord.authority}`);
+    }
+  }
+}
+async function getEnsureBaseAccountInfo(baseConnection, account, cache) {
+  const addressKey = account.toBase58();
+  if (cache?.baseAccountInfos.has(addressKey)) {
+    return cache.baseAccountInfos.get(addressKey) ?? null;
+  }
+  const baseAccountInfo = await baseConnection.getAccountInfo(account);
+  cache?.baseAccountInfos.set(addressKey, baseAccountInfo);
+  return baseAccountInfo;
+}
+async function getEnsureEphemeralAccountInfo(perConnection, account, cache) {
+  const addressKey = account.toBase58();
+  if (cache?.ephemeralAccountInfos.has(addressKey)) {
+    return cache.ephemeralAccountInfos.get(addressKey) ?? null;
+  }
+  const ephemeralAccountInfo = await perConnection.getAccountInfo(account);
+  cache?.ephemeralAccountInfos.set(addressKey, ephemeralAccountInfo);
+  return ephemeralAccountInfo;
+}
+async function getEnsureDelegationStatus(perRpcEndpoint, account, cache) {
+  const addressKey = account.toBase58();
+  const cachedPromise = cache?.delegationStatuses.get(addressKey);
+  if (cachedPromise) {
+    return cachedPromise;
+  }
+  const request = getDelegationStatus(perRpcEndpoint, account);
+  cache?.delegationStatuses.set(addressKey, request);
+  return request;
+}
+async function runEnsureFetchWithRetry(label, task) {
+  let nextDelayMs = ENSURE_FETCH_INITIAL_DELAY_MS;
+  let lastError;
+  for (let attempt = 1;attempt <= ENSURE_FETCH_MAX_ATTEMPTS; attempt += 1) {
+    try {
+      return await task();
+    } catch (error) {
+      lastError = error;
+      if (attempt === ENSURE_FETCH_MAX_ATTEMPTS) {
+        break;
+      }
+      console.warn(`[ensure] ${label} attempt ${attempt}/${ENSURE_FETCH_MAX_ATTEMPTS} failed: ${error?.message ?? String(error)}`);
+      const jitter = nextDelayMs * ENSURE_FETCH_JITTER_RATIO;
+      const jitteredDelay = Math.max(0, Math.round(nextDelayMs + (Math.random() * 2 - 1) * jitter));
+      await new Promise((resolve) => setTimeout(resolve, jitteredDelay));
+      nextDelayMs = Math.min(ENSURE_FETCH_MAX_DELAY_MS, Math.round(nextDelayMs * ENSURE_FETCH_BACKOFF_MULTIPLIER));
+    }
+  }
+  throw new Error(`[ensure] ${label} failed after ${ENSURE_FETCH_MAX_ATTEMPTS} attempts: ${lastError?.message ?? String(lastError)}`);
+}
+async function getDelegationStatus(perRpcEndpoint, account) {
+  const body = JSON.stringify({
+    jsonrpc: "2.0",
+    id: 1,
+    method: "getDelegationStatus",
+    params: [account.toString()]
+  });
+  const options = {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body
+  };
+  const expectedValidator = getErValidatorForRpcEndpoint(perRpcEndpoint);
+  const isMainnet = perRpcEndpoint.includes("mainnet-tee");
+  const teeBaseUrl = isMainnet ? "https://mainnet-tee.magicblock.app/" : "https://tee.magicblock.app/";
+  try {
+    const teeRes = await fetch(teeBaseUrl, options);
+    const teeData = await teeRes.json();
+    if (teeData.result?.isDelegated) {
+      return {
+        ...teeData,
+        result: {
+          ...teeData.result,
+          delegationRecord: {
+            authority: expectedValidator.toString()
+          }
+        }
+      };
+    }
+  } catch (e) {
+    console.error("[getDelegationStatus] TEE fetch failed, falling back to devnet-router: Options:", options, "Error:", e);
+  }
+  const routerBaseUrl = isMainnet ? "https://router.magicblock.app/" : "https://devnet-router.magicblock.app/";
+  const res = await fetch(routerBaseUrl, options);
+  const routerData = await res.json();
+  if (routerData.error?.message?.includes(expectedValidator.toString())) {
+    return {
+      ...routerData,
+      result: {
+        isDelegated: true,
+        delegationRecord: {
+          authority: expectedValidator.toString()
+        }
+      }
+    };
+  }
+  return routerData;
+}
+function formatEnsureDisplayName(name) {
+  return name ? `${name} - ` : "";
+}
+
+// src/wsol.ts
+import {
+  createAssociatedTokenAccountIdempotentInstruction,
+  createCloseAccountInstruction,
+  createSyncNativeInstruction,
+  getAssociatedTokenAddressSync as getAssociatedTokenAddressSync2,
+  NATIVE_MINT
+} from "@solana/spl-token";
+import {
+  SystemProgram
+} from "@solana/web3.js";
+function wrapSolToWsolIx({
+  user,
+  payer,
+  lamports
+}) {
+  const wsolAta = getAssociatedTokenAddressSync2(NATIVE_MINT, user);
+  return [
+    createAssociatedTokenAccountIdempotentInstruction(payer, wsolAta, user, NATIVE_MINT),
+    SystemProgram.transfer({
+      fromPubkey: user,
+      toPubkey: wsolAta,
+      lamports
+    }),
+    createSyncNativeInstruction(wsolAta)
+  ];
+}
+function createWsolAta({
+  user,
+  payer
+}) {
+  const wsolAta = getAssociatedTokenAddressSync2(NATIVE_MINT, user);
+  return createAssociatedTokenAccountIdempotentInstruction(payer, wsolAta, user, NATIVE_MINT);
+}
+function closeWsolAta({
+  user,
+  destination
+}) {
+  const wsolAta = getAssociatedTokenAddressSync2(NATIVE_MINT, user);
+  return createCloseAccountInstruction(wsolAta, destination, user);
+}
+
+// src/transaction-debug.ts
+import {
+  SendTransactionError
+} from "@solana/web3.js";
+var MULTIPLE_ACCOUNTS_CHUNK_SIZE2 = 10;
+function describeAccountInfo(accountInfo) {
+  if (!accountInfo) {
+    return {
+      exists: false,
+      owner: null,
+      executable: null,
+      lamports: null,
+      dataLength: null,
+      rentEpoch: null
+    };
+  }
+  return {
+    exists: true,
+    owner: accountInfo.owner.toBase58(),
+    executable: accountInfo.executable,
+    lamports: accountInfo.lamports,
+    dataLength: accountInfo.data?.length ?? null,
+    rentEpoch: accountInfo.rentEpoch ?? null
+  };
+}
+function extractInlineTransactionLogs(error) {
+  const logs = error?.logs ?? error?.transactionLogs;
+  return Array.isArray(logs) ? logs : undefined;
+}
+async function getTransactionErrorLogs(error, connection) {
+  const inlineLogs = extractInlineTransactionLogs(error);
+  if (inlineLogs) {
+    return inlineLogs;
+  }
+  if (error instanceof SendTransactionError) {
+    try {
+      const fetchedLogs = await error.getLogs(connection);
+      if (Array.isArray(fetchedLogs)) {
+        return fetchedLogs;
+      }
+    } catch (fetchError) {
+      console.error("[tx-debug] failed to fetch logs via SendTransactionError.getLogs()", {
+        errorName: fetchError?.name ?? "UnknownError",
+        errorMessage: fetchError?.message ?? String(fetchError)
+      });
+    }
+  }
+  return;
+}
+function collectTransactionAccounts(tx) {
+  const uniqueAccounts = new Map;
+  if (tx.feePayer) {
+    uniqueAccounts.set(tx.feePayer.toBase58(), tx.feePayer);
+  }
+  for (const instruction of tx.instructions) {
+    uniqueAccounts.set(instruction.programId.toBase58(), instruction.programId);
+    for (const key of instruction.keys) {
+      uniqueAccounts.set(key.pubkey.toBase58(), key.pubkey);
+    }
+  }
+  return [...uniqueAccounts.values()];
+}
+function describeTransaction(tx) {
+  const compiledMessage = tx.compileMessage();
+  const accountKeys = compiledMessage.accountKeys;
+  const signedWritableCount = compiledMessage.header.numRequiredSignatures - compiledMessage.header.numReadonlySignedAccounts;
+  const unsignedWritableEndExclusive = accountKeys.length - compiledMessage.header.numReadonlyUnsignedAccounts;
+  const isAccountWritable = (index) => {
+    if (index < compiledMessage.header.numRequiredSignatures) {
+      return index < signedWritableCount;
+    }
+    return index < unsignedWritableEndExclusive;
+  };
+  return {
+    feePayer: tx.feePayer?.toBase58() ?? null,
+    recentBlockhash: tx.recentBlockhash ?? null,
+    lastValidBlockHeight: tx.lastValidBlockHeight,
+    signatureBase64: tx.signature ? Buffer.from(tx.signature).toString("base64") : null,
+    instructionCount: tx.instructions.length,
+    accountKeys: accountKeys.map((account, index) => ({
+      index,
+      pubkey: account.toBase58(),
+      isSigner: index < compiledMessage.header.numRequiredSignatures,
+      isWritable: isAccountWritable(index)
+    })),
+    instructions: tx.instructions.map((instruction, index) => ({
+      index,
+      programId: instruction.programId.toBase58(),
+      programIdIndex: accountKeys.findIndex((account) => account.equals(instruction.programId)),
+      dataLength: instruction.data.length,
+      dataBase64: Buffer.from(instruction.data).toString("base64"),
+      keys: instruction.keys.map((key, keyIndex) => ({
+        index: keyIndex,
+        accountIndex: accountKeys.findIndex((account) => account.equals(key.pubkey)),
+        pubkey: key.pubkey.toBase58(),
+        isSigner: key.isSigner,
+        isWritable: key.isWritable
+      }))
+    }))
+  };
+}
+async function getMultipleAccountsInfoInChunks(connection, accounts) {
+  if (accounts.length === 0) {
+    return [];
+  }
+  const chunks = [];
+  for (let start = 0;start < accounts.length; start += MULTIPLE_ACCOUNTS_CHUNK_SIZE2) {
+    chunks.push(accounts.slice(start, start + MULTIPLE_ACCOUNTS_CHUNK_SIZE2));
+  }
+  const results = await Promise.all(chunks.map((chunk) => connection.getMultipleAccountsInfo(chunk)));
+  return results.flat();
+}
+async function logFailedTransactionDiagnostics(params) {
+  const { label, connection, tx, error, extraContext } = params;
+  const txAccounts = collectTransactionAccounts(tx);
+  const [errorLogs, accountInfos] = await Promise.all([
+    getTransactionErrorLogs(error, connection),
+    getMultipleAccountsInfoInChunks(connection, txAccounts)
+  ]);
+  console.error(`[${label}] sendAndConfirm failed`, prettyStringify({
+    errorName: error?.name ?? "UnknownError",
+    errorMessage: error?.message ?? String(error),
+    errorLogs,
+    extraContext,
+    transaction: describeTransaction(tx),
+    accountSnapshots: txAccounts.map((account, index) => ({
+      pubkey: account,
+      ...describeAccountInfo(accountInfos[index] ?? null)
+    }))
+  }));
+  try {
+    const simulation = await connection.simulateTransaction(tx);
+    console.error(`[${label}] simulateTransaction result`, prettyStringify({
+      contextSlot: simulation.context.slot,
+      err: simulation.value.err,
+      logs: simulation.value.logs,
+      unitsConsumed: simulation.value.unitsConsumed,
+      returnData: simulation.value.returnData
+    }));
+  } catch (simulationError) {
+    const simulationLogs = await getTransactionErrorLogs(simulationError, connection);
+    console.error(`[${label}] simulateTransaction failed`, prettyStringify({
+      errorName: simulationError?.name ?? "UnknownError",
+      errorMessage: simulationError?.message ?? String(simulationError),
+      logs: simulationLogs
+    }));
+  }
+}
+var COMMITMENT_ORDER = {
+  processed: 0,
+  confirmed: 1,
+  finalized: 2
+};
+function meetsCommitment(observed, required) {
+  if (!observed)
+    return false;
+  const o = COMMITMENT_ORDER[observed];
+  const r = COMMITMENT_ORDER[required];
+  return o !== undefined && r !== undefined && o >= r;
+}
+async function pollForLanding(connection, signature, lastValidBlockHeight, commitment) {
+  const pollIntervalMs = 1500;
+  const maxWallClockMs = 90000;
+  const start = Date.now();
+  while (Date.now() - start < maxWallClockMs) {
+    let status = null;
+    try {
+      const res = await connection.getSignatureStatuses([signature], {
+        searchTransactionHistory: true
+      });
+      status = res.value[0];
+    } catch {}
+    if (status?.err) {
+      throw new Error(`Transaction failed on-chain: ${JSON.stringify(status.err)}`);
+    }
+    if (meetsCommitment(status?.confirmationStatus, commitment)) {
+      return signature;
+    }
+    try {
+      const currentHeight = await connection.getBlockHeight(commitment);
+      if (currentHeight > lastValidBlockHeight && !status) {
+        throw new Error(`Transaction dropped: ${signature} (blockhash expired without landing)`);
+      }
+    } catch {}
+    await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
+  }
+  throw new Error(`Transaction confirmation timed out after 90s: ${signature}`);
+}
+async function sendAndConfirmWithDiagnostics(params) {
+  const { label, provider, tx, signers, rpcOptions, extraContext } = params;
+  const connection = provider.connection;
+  const wallet = provider.wallet;
+  if (!wallet) {
+    throw new Error(`[${label}] Provider has no wallet`);
+  }
+  const preflightCommitment = rpcOptions?.preflightCommitment ?? "confirmed";
+  const confirmCommitment = preflightCommitment;
+  const blockhashInfo = await connection.getLatestBlockhash(preflightCommitment);
+  if (!tx.feePayer)
+    tx.feePayer = wallet.publicKey;
+  tx.recentBlockhash = blockhashInfo.blockhash;
+  tx.lastValidBlockHeight = blockhashInfo.lastValidBlockHeight;
+  let signedTx;
+  try {
+    signedTx = await wallet.signTransaction(tx);
+  } catch (error) {
+    throw error;
+  }
+  for (const extraSigner of signers ?? []) {
+    signedTx.partialSign(extraSigner);
+  }
+  let signature;
+  try {
+    signature = await connection.sendRawTransaction(signedTx.serialize(), {
+      skipPreflight: rpcOptions?.skipPreflight ?? false,
+      preflightCommitment,
+      maxRetries: rpcOptions?.maxRetries ?? 3
+    });
+  } catch (error) {
+    await logFailedTransactionDiagnostics({
+      label,
+      connection,
+      tx: signedTx,
+      error,
+      extraContext
+    }).catch((debugError) => {
+      console.error(`[${label}] failed to log transaction diagnostics`, {
+        errorName: debugError?.name ?? "UnknownError",
+        errorMessage: debugError?.message ?? String(debugError)
+      });
+    });
+    throw error;
+  }
+  try {
+    return await pollForLanding(connection, signature, blockhashInfo.lastValidBlockHeight, confirmCommitment);
+  } catch (error) {
+    await logFailedTransactionDiagnostics({
+      label,
+      connection,
+      tx: signedTx,
+      error,
+      extraContext: { ...extraContext, signature }
+    }).catch((debugError) => {
+      console.error(`[${label}] failed to log transaction diagnostics`, {
+        errorName: debugError?.name ?? "UnknownError",
+        errorMessage: debugError?.message ?? String(debugError)
+      });
+    });
+    throw error;
+  }
+}
+
+// src/instructions/modifyBalance.ts
+import { BN } from "@coral-xyz/anchor";
+import {
+  ASSOCIATED_TOKEN_PROGRAM_ID,
+  getAssociatedTokenAddressSync as getAssociatedTokenAddressSync3,
+  TOKEN_PROGRAM_ID
+} from "@solana/spl-token";
+import { SystemProgram as SystemProgram2 } from "@solana/web3.js";
+async function modifyBalanceIx(program, params) {
+  const { user, tokenMint, amount, increase, payer, passNotExist } = params;
+  const [depositPda] = findDepositPda(user, tokenMint);
+  const [vaultPda] = findVaultPda(tokenMint);
+  const userTokenAccount = getAssociatedTokenAddressSync3(tokenMint, user);
+  const vaultTokenAccount = getAssociatedTokenAddressSync3(tokenMint, vaultPda, true);
+  const kaminoAccounts = getKaminoModifyBalanceAccountsForTokenMint(tokenMint);
+  const vaultCollateralTokenAccount = kaminoAccounts ? getAssociatedTokenAddressSync3(kaminoAccounts.reserveCollateralMint, vaultPda, true) : null;
+  const accounts = {
+    payer,
+    user,
+    vault: vaultPda,
+    deposit: depositPda,
+    userTokenAccount,
+    vaultTokenAccount,
+    tokenMint,
+    tokenProgram: TOKEN_PROGRAM_ID,
+    associatedTokenProgram: ASSOCIATED_TOKEN_PROGRAM_ID,
+    systemProgram: SystemProgram2.programId
+  };
+  const remainingAccounts = kaminoAccounts && vaultCollateralTokenAccount ? [
+    {
+      pubkey: kaminoAccounts.lendingMarket,
+      isSigner: false,
+      isWritable: false
+    },
+    {
+      pubkey: kaminoAccounts.lendingMarketAuthority,
+      isSigner: false,
+      isWritable: false
+    },
+    {
+      pubkey: kaminoAccounts.reserve,
+      isSigner: false,
+      isWritable: true
+    },
+    {
+      pubkey: kaminoAccounts.reserveLiquiditySupply,
+      isSigner: false,
+      isWritable: true
+    },
+    {
+      pubkey: kaminoAccounts.reserveCollateralMint,
+      isSigner: false,
+      isWritable: true
+    },
+    {
+      pubkey: vaultCollateralTokenAccount,
+      isSigner: false,
+      isWritable: true
+    },
+    {
+      pubkey: kaminoAccounts.instructionSysvarAccount,
+      isSigner: false,
+      isWritable: false
+    },
+    {
+      pubkey: kaminoAccounts.klendProgram,
+      isSigner: false,
+      isWritable: false
+    }
+  ] : [];
+  const ix = await program.methods.modifyBalance({ amount: new BN(amount.toString()), increase }).accountsPartial(accounts).remainingAccounts(remainingAccounts).instruction();
+  return {
+    ix,
+    ensure: [
+      {
+        address: depositPda,
+        delegated: false,
+        passNotExist: passNotExist === undefined ? false : passNotExist,
+        label: "modifyBalance-depositPda"
+      }
+    ]
+  };
+}
+
+// src/instructions/initializeDeposit.ts
+import { TOKEN_PROGRAM_ID as TOKEN_PROGRAM_ID2 } from "@solana/spl-token";
+import { SystemProgram as SystemProgram3 } from "@solana/web3.js";
+async function initializeDepositIx(program, params) {
+  const { user, tokenMint, payer } = params;
+  const [depositPda] = findDepositPda(user, tokenMint);
+  const ix = await program.methods.initializeDeposit().accountsPartial({
+    payer,
+    user,
+    tokenMint,
+    tokenProgram: TOKEN_PROGRAM_ID2,
+    systemProgram: SystemProgram3.programId
+  }).instruction();
+  return {
+    ix,
+    ensure: [
+      {
+        address: depositPda,
+        delegated: false,
+        passNotExist: true,
+        label: "initializeDeposit-depositPda"
+      }
+    ]
+  };
+}
+
+// src/instructions/createPermission.ts
+import { PERMISSION_PROGRAM_ID as PERMISSION_PROGRAM_ID2 } from "@magicblock-labs/ephemeral-rollups-sdk";
+async function createPermissionIx(program, params) {
+  const { user, tokenMint, payer, passNotExist } = params;
+  const [depositPda] = findDepositPda(user, tokenMint);
+  const [permissionPda] = findPermissionPda(depositPda);
+  const ix = await program.methods.createPermission().accountsPartial({
+    payer,
+    user,
+    deposit: depositPda,
+    permission: permissionPda,
+    permissionProgram: PERMISSION_PROGRAM_ID2
+  }).instruction();
+  return {
+    ix,
+    ensure: [
+      {
+        address: depositPda,
+        delegated: false,
+        passNotExist: passNotExist === undefined ? true : passNotExist,
+        label: "createPermission-depositPda"
+      },
+      {
+        address: permissionPda,
+        delegated: false,
+        passNotExist: true,
+        label: "createPermission-permissionPda"
+      }
+    ]
+  };
+}
+
+// src/instructions/delegateDeposit.ts
+async function delegateDepositIx(program, params) {
+  const { user, tokenMint, payer, validator, passNotExist } = params;
+  const [depositPda] = findDepositPda(user, tokenMint);
+  const [bufferPda] = findBufferPda(depositPda);
+  const [delegationRecordPda] = findDelegationRecordPda(depositPda);
+  const [delegationMetadataPda] = findDelegationMetadataPda(depositPda);
+  const ix = await program.methods.delegate(user, tokenMint).accountsPartial({
+    payer,
+    bufferDeposit: bufferPda,
+    delegationRecordDeposit: delegationRecordPda,
+    delegationMetadataDeposit: delegationMetadataPda,
+    deposit: depositPda,
+    validator,
+    ownerProgram: PROGRAM_ID,
+    delegationProgram: DELEGATION_PROGRAM_ID
+  }).instruction();
+  return {
+    ix,
+    ensure: [
+      {
+        address: depositPda,
+        delegated: false,
+        passNotExist: passNotExist === undefined ? false : passNotExist,
+        label: "delegateDeposit-depositPda"
+      }
+    ]
+  };
+}
+
+// src/instructions/undelegateDeposit.ts
+async function undelegateDepositIx(perProgram, params) {
+  const { user, tokenMint, payer, sessionToken, magicProgram, magicContext } = params;
+  const [depositPda] = findDepositPda(user, tokenMint);
+  const accounts = {
+    user,
+    payer,
+    deposit: depositPda,
+    magicProgram,
+    magicContext
+  };
+  accounts.sessionToken = sessionToken ?? null;
+  const ix = await perProgram.methods.undelegate().accountsPartial(accounts).instruction();
+  return {
+    ix,
+    ensure: [
+      {
+        address: depositPda,
+        delegated: true,
+        passNotExist: false,
+        label: "undelegateDeposit-depositPda"
+      }
+    ]
+  };
+}
+
+// src/actions/undelegateDeposit.ts
+import {
+  Transaction as Transaction3
+} from "@solana/web3.js";
+async function sendPlannedUndelegateDepositTransaction(params) {
+  const { baseProgram, perProgram, transaction, user, tokenMint, rpcOptions } = params;
+  await processEnsureChecks(baseProgram.provider.connection, perProgram.provider.connection, transaction.checks);
+  const [depositPda] = findDepositPda(user, tokenMint);
+  const delegationWatcher = waitForAccountOwnerChange(baseProgram.provider.connection, depositPda, PROGRAM_ID);
+  const tx = new Transaction3().add(...transaction.instructions.map(({ ix }) => ix));
+  let signature;
+  try {
+    signature = await sendAndConfirmWithDiagnostics({
+      label: transaction.label,
+      provider: perProgram.provider,
+      tx,
+      rpcOptions,
+      extraContext: {
+        user,
+        tokenMint,
+        depositPda
+      }
+    });
+  } catch (e) {
+    await delegationWatcher.cancel();
+    throw e;
+  }
+  try {
+    await delegationWatcher.wait();
+    await new Promise((resolve) => setTimeout(resolve, 3000));
+  } catch (err) {
+    console.warn(`[${transaction.label}] delegation watcher did not observe owner change (signature=${signature}); continuing`, err);
+  }
+  return signature;
+}
+async function undelegateDeposit(baseProgram, perProgram, params) {
+  const { user, tokenMint } = params;
+  const { ix, ensure } = await undelegateDepositIx(perProgram, params);
+  return sendPlannedUndelegateDepositTransaction({
+    baseProgram,
+    perProgram,
+    transaction: {
+      label: "undelegateDeposit",
+      instructions: [{ ix }],
+      checks: ensure
+    },
+    user,
+    tokenMint,
+    rpcOptions: params.rpcOptions
+  });
+}
+
+// src/actions/shieldTokens.ts
+function labelTransactionInstructions(prefix, instructions) {
+  const labels = [
+    `${prefix}:createAssociatedTokenAccount`,
+    `${prefix}:transfer`,
+    `${prefix}:syncNative`
+  ];
+  return instructions.map((ix, index) => ({
+    label: labels[index] ?? `${prefix}:${index}`,
+    ix
+  }));
+}
+async function buildShieldTokensInstructionPlan(params) {
+  const { user, payer, tokenMint, amount, baseProgram, perProgram } = params;
+  const baseConnection = baseProgram.provider.connection;
+  const perRpcEndpoint = perProgram.provider.connection.rpcEndpoint;
+  const isNativeSol = tokenMint.equals(NATIVE_MINT2);
+  const validator = params.validator ?? getErValidatorForRpcEndpoint(perRpcEndpoint);
+  const [depositPda] = findDepositPda(user, tokenMint);
+  const [permissionPda] = findPermissionPda(depositPda);
+  const accountInfos = await getMultipleAccountsInfoWithRetry(baseConnection, [depositPda, permissionPda], "base-getMultipleAccountsInfo");
+  const depositAccountInfo = accountInfos[0] ?? null;
+  const permissionAccountInfo = accountInfos[1] ?? null;
+  const needsUndelegate = depositAccountInfo?.owner.equals(DELEGATION_PROGRAM_ID) ?? false;
+  const [
+    depositRentLamports,
+    modifyBalanceRentLamports,
+    permissionRentLamports,
+    delegationRentLamports
+  ] = await Promise.all([
+    !depositAccountInfo ? estimateDepositRentLamports({ connection: baseConnection, depositPda }) : Promise.resolve(0),
+    estimateModifyBalanceRentLamports({
+      connection: baseConnection,
+      user,
+      tokenMint,
+      isNativeSol
+    }),
+    !permissionAccountInfo ? estimatePermissionRentLamports({
+      connection: baseConnection,
+      permissionPda
+    }) : Promise.resolve(0),
+    estimateDepositDelegationRentLamports({
+      connection: baseConnection,
+      user,
+      tokenMint,
+      depositPda,
+      forceCreate: needsUndelegate
+    })
+  ]);
+  const instructions = [];
+  const checks = [];
+  if (isNativeSol) {
+    const wrapSolInstructions = labelTransactionInstructions("wrapSol", wrapSolToWsolIx({
+      user,
+      payer,
+      lamports: amount
+    }));
+    const transferInstruction = wrapSolInstructions.find((instruction) => instruction.label === "wrapSol:transfer");
+    if (transferInstruction) {
+      transferInstruction.nativeLamports = Number(amount);
+    }
+    instructions.push(...wrapSolInstructions);
+  }
+  if (!depositAccountInfo) {
+    const initializeDepositIxs = await initializeDepositIx(baseProgram, {
+      tokenMint,
+      user,
+      payer
+    });
+    instructions.push({
+      label: "initializeDeposit",
+      ix: initializeDepositIxs.ix,
+      rentLamports: depositRentLamports
+    });
+    checks.push(...initializeDepositIxs.ensure);
+  }
+  const modifyBalanceIxs = await modifyBalanceIx(baseProgram, {
+    tokenMint,
+    user,
+    payer,
+    amount,
+    increase: true,
+    passNotExist: true
+  });
+  instructions.push({
+    label: "modifyBalanceIncrease",
+    ix: modifyBalanceIxs.ix,
+    rentLamports: modifyBalanceRentLamports
+  });
+  checks.push(...modifyBalanceIxs.ensure);
+  if (!permissionAccountInfo) {
+    const createPermissionIxs = await createPermissionIx(baseProgram, {
+      tokenMint,
+      user,
+      payer,
+      passNotExist: true
+    });
+    instructions.push({
+      label: "createPermission",
+      ix: createPermissionIxs.ix,
+      rentLamports: permissionRentLamports
+    });
+    checks.push(...createPermissionIxs.ensure);
+  }
+  const delegateDepositIxs = await delegateDepositIx(baseProgram, {
+    tokenMint,
+    user,
+    payer,
+    validator,
+    passNotExist: true
+  });
+  instructions.push({
+    label: "delegateDeposit",
+    ix: delegateDepositIxs.ix,
+    rentLamports: delegationRentLamports
+  });
+  checks.push(...delegateDepositIxs.ensure);
+  if (isNativeSol) {
+    instructions.push({
+      label: "closeWsolAta",
+      ix: closeWsolAta({
+        user,
+        destination: user
+      })
+    });
+  }
+  return {
+    instructions,
+    checks,
+    needsUndelegate,
+    context: {
+      isNativeSol,
+      validator,
+      depositPda,
+      permissionPda,
+      depositAccountInfo,
+      permissionAccountInfo
+    }
+  };
+}
+async function buildShieldTokensTransactionPlan(params) {
+  const instructionPlan = await buildShieldTokensInstructionPlan(params);
+  let preUndelegateTransaction = null;
+  if (instructionPlan.needsUndelegate) {
+    const undelegateRentLamports = await estimateDepositDelegationRentCreditLamports({
+      connection: params.baseProgram.provider.connection,
+      depositPda: instructionPlan.context.depositPda
+    });
+    const undelegateIxs = await undelegateDepositIx(params.perProgram, {
+      user: params.user,
+      payer: params.payer,
+      tokenMint: params.tokenMint,
+      sessionToken: params.sessionToken,
+      magicProgram: params.magicProgram ?? MAGIC_PROGRAM_ID,
+      magicContext: params.magicContext ?? MAGIC_CONTEXT_ID
+    });
+    preUndelegateTransaction = {
+      label: "shield:preUndelegate",
+      cluster: "ephemeral",
+      instructions: [
+        {
+          label: "undelegateDeposit",
+          ix: undelegateIxs.ix,
+          rentLamports: undelegateRentLamports
+        }
+      ],
+      checks: undelegateIxs.ensure
+    };
+  }
+  return {
+    preUndelegateTransaction,
+    baseTransaction: {
+      label: "shield",
+      cluster: "base",
+      instructions: instructionPlan.instructions,
+      checks: instructionPlan.checks
+    },
+    context: instructionPlan.context
+  };
+}
+async function shieldTokens(params) {
+  const {
+    user,
+    payer,
+    tokenMint,
+    amount,
+    baseProgram,
+    perProgram,
+    rpcOptions
+  } = params;
+  const baseConnection = baseProgram.provider.connection;
+  const perConnection = perProgram.provider.connection;
+  const plan = await buildShieldTokensTransactionPlan({
+    user,
+    payer,
+    tokenMint,
+    amount,
+    baseProgram,
+    perProgram,
+    validator: params.validator,
+    sessionToken: params.sessionToken,
+    magicProgram: params.magicProgram,
+    magicContext: params.magicContext
+  });
+  const {
+    context: {
+      validator,
+      depositPda,
+      permissionPda,
+      depositAccountInfo,
+      permissionAccountInfo,
+      isNativeSol
+    }
+  } = plan;
+  if (plan.preUndelegateTransaction) {
+    await sendPlannedUndelegateDepositTransaction({
+      baseProgram,
+      perProgram,
+      transaction: plan.preUndelegateTransaction,
+      user,
+      tokenMint,
+      rpcOptions
+    });
+  }
+  await processEnsureChecks(baseConnection, perConnection, plan.baseTransaction.checks);
+  const delegationWatcher = waitForAccountOwnerChange(baseConnection, depositPda, DELEGATION_PROGRAM_ID);
+  const tx = new Transaction4().add(...plan.baseTransaction.instructions.map(({ ix }) => ix));
+  let signature;
+  try {
+    signature = await sendAndConfirmWithDiagnostics({
+      label: "shieldTokens",
+      provider: baseProgram.provider,
+      tx,
+      rpcOptions,
+      extraContext: {
+        user,
+        payer,
+        tokenMint,
+        amount,
+        isNativeSol,
+        validator,
+        depositPda,
+        permissionPda,
+        depositAccountInfo,
+        permissionAccountInfo
+      }
+    });
+  } catch (e) {
+    await delegationWatcher.cancel();
+    throw e;
+  }
+  try {
+    await delegationWatcher.wait();
+    await new Promise((resolve) => setTimeout(resolve, 3000));
+  } catch (err) {
+    console.warn(`[shieldTokens] delegation watcher did not observe owner change (signature=${signature}); continuing`, err);
+  }
+  return signature;
+}
+
+// src/actions/unshieldTokens.ts
+import { NATIVE_MINT as NATIVE_MINT3 } from "@solana/spl-token";
+import { Transaction as Transaction5 } from "@solana/web3.js";
+
+// src/instructions/closeDeposit.ts
+async function closeDepositIx(program, params) {
+  const { user, tokenMint } = params;
+  const [depositPda] = findDepositPda(user, tokenMint);
+  const ix = await program.methods.closeDeposit().accountsPartial({
+    user,
+    deposit: depositPda,
+    tokenMint
+  }).instruction();
+  return {
+    ix,
+    ensure: [
+      {
+        address: depositPda,
+        delegated: false,
+        passNotExist: false,
+        label: "closeDeposit-depositPda"
+      }
+    ]
+  };
+}
+
+// src/instructions/closePermission.ts
+import {
+  createClosePermissionInstruction
+} from "@magicblock-labs/ephemeral-rollups-sdk";
+async function closePermissionIx(params) {
+  const { user, tokenMint } = params;
+  const [depositPda] = findDepositPda(user, tokenMint);
+  const [permissionPda] = findPermissionPda(depositPda);
+  const ix = createClosePermissionInstruction({
+    payer: user,
+    authority: [user, true],
+    permissionedAccount: [depositPda, false]
+  });
+  return {
+    ix,
+    ensure: [
+      {
+        address: permissionPda,
+        delegated: false,
+        passNotExist: false,
+        label: "closePermission-permissionPda"
+      }
+    ]
+  };
+}
+
+// src/actions/unshieldTokens.ts
+async function buildUnshieldTokensInstructionPlan(params) {
+  const { user, payer, tokenMint, amount, baseProgram, perProgram } = params;
+  const baseConnection = baseProgram.provider.connection;
+  const perRpcEndpoint = perProgram.provider.connection.rpcEndpoint;
+  const isNativeSol = tokenMint.equals(NATIVE_MINT3);
+  const validator = params.validator ?? getErValidatorForRpcEndpoint(perRpcEndpoint);
+  const [depositPda] = findDepositPda(user, tokenMint);
+  const [permissionPda] = findPermissionPda(depositPda);
+  const depositAccountInfoPromise = baseConnection.getAccountInfo(depositPda);
+  const permissionAccountInfoPromise = baseConnection.getAccountInfo(permissionPda);
+  const modifyBalanceRentLamportsPromise = estimateModifyBalanceRentLamports({
+    connection: baseConnection,
+    user,
+    tokenMint,
+    isNativeSol
+  });
+  const [depositAccountInfo, permissionAccountInfo] = await Promise.all([
+    depositAccountInfoPromise,
+    permissionAccountInfoPromise
+  ]);
+  const needsUndelegate = depositAccountInfo?.owner.equals(DELEGATION_PROGRAM_ID) ?? false;
+  const currentDepositAccount = needsUndelegate ? await perProgram.account.deposit.fetchNullable(depositPda) : depositAccountInfo?.owner.equals(PROGRAM_ID) ? await baseProgram.account.deposit.fetchNullable(depositPda) : null;
+  const currentDepositAmount = currentDepositAccount ? BigInt(currentDepositAccount.amount.toString()) : null;
+  const shouldRedelegate = currentDepositAmount !== null && currentDepositAmount - amount > 0n;
+  const closePermissionRentLamports = shouldRedelegate ? 0 : -(permissionAccountInfo?.lamports ?? 0);
+  const closeDepositRentLamports = shouldRedelegate ? 0 : -(depositAccountInfo?.lamports ?? 0);
+  const [modifyBalanceRentLamports, delegationRentLamports] = await Promise.all([
+    modifyBalanceRentLamportsPromise,
+    shouldRedelegate ? estimateDepositDelegationRentLamports({
+      connection: baseConnection,
+      user,
+      tokenMint,
+      depositPda,
+      forceCreate: needsUndelegate
+    }) : Promise.resolve(0)
+  ]);
+  const instructions = [];
+  const checks = [];
+  if (isNativeSol) {
+    instructions.push(...labelTransactionInstructions("ensureWsolAta", [
+      createWsolAta({ user, payer })
+    ]));
+  }
+  const modifyBalanceIxs = await modifyBalanceIx(baseProgram, {
+    tokenMint,
+    user,
+    payer,
+    amount,
+    increase: false
+  });
+  instructions.push({
+    label: "modifyBalanceDecrease",
+    ix: modifyBalanceIxs.ix,
+    rentLamports: modifyBalanceRentLamports,
+    nativeLamports: isNativeSol ? -Number(amount) : undefined
+  });
+  checks.push(...modifyBalanceIxs.ensure);
+  if (isNativeSol) {
+    instructions.push({
+      label: "closeWsolAta",
+      ix: closeWsolAta({
+        user,
+        destination: user
+      })
+    });
+  }
+  if (shouldRedelegate) {
+    const delegateDepositIxs = await delegateDepositIx(baseProgram, {
+      tokenMint,
+      user,
+      payer,
+      validator
+    });
+    instructions.push({
+      label: "redelegateDeposit",
+      ix: delegateDepositIxs.ix,
+      rentLamports: delegationRentLamports
+    });
+    checks.push(...delegateDepositIxs.ensure);
+  } else {
+    const closePermissionIxs = await closePermissionIx({ user, tokenMint });
+    instructions.push({
+      label: "closePermission",
+      ix: closePermissionIxs.ix,
+      rentLamports: closePermissionRentLamports
+    });
+    checks.push(...closePermissionIxs.ensure);
+    const closeDepositIxs = await closeDepositIx(baseProgram, {
+      user,
+      tokenMint
+    });
+    instructions.push({
+      label: "closeDeposit",
+      ix: closeDepositIxs.ix,
+      rentLamports: closeDepositRentLamports
+    });
+    checks.push(...closeDepositIxs.ensure);
+  }
+  return {
+    instructions,
+    checks,
+    needsUndelegate,
+    shouldRedelegate,
+    context: {
+      isNativeSol,
+      validator,
+      depositPda,
+      currentDepositAmount
+    }
+  };
+}
+async function buildUnshieldTokensTransactionPlan(params) {
+  const instructionPlan = await buildUnshieldTokensInstructionPlan(params);
+  let preUndelegateTransaction = null;
+  if (instructionPlan.needsUndelegate) {
+    preUndelegateTransaction = {
+      label: "unshield:undelegate",
+      cluster: "ephemeral",
+      instructions: [],
+      checks: []
+    };
+    const undelegateDepositIxs = await undelegateDepositIx(params.perProgram, {
+      user: params.user,
+      payer: params.payer,
+      tokenMint: params.tokenMint,
+      sessionToken: params.sessionToken,
+      magicProgram: params.magicProgram ?? MAGIC_PROGRAM_ID,
+      magicContext: params.magicContext ?? MAGIC_CONTEXT_ID
+    });
+    const undelegateRentLamports = await estimateDepositDelegationRentCreditLamports({
+      connection: params.baseProgram.provider.connection,
+      depositPda: instructionPlan.context.depositPda
+    });
+    preUndelegateTransaction.instructions.push({
+      label: "undelegateDeposit",
+      ix: undelegateDepositIxs.ix,
+      rentLamports: undelegateRentLamports
+    });
+    preUndelegateTransaction.checks.push(...undelegateDepositIxs.ensure);
+  }
+  return {
+    preUndelegateTransaction,
+    baseTransaction: {
+      label: "unshield",
+      cluster: "base",
+      instructions: instructionPlan.instructions,
+      checks: instructionPlan.checks
+    },
+    shouldRedelegate: instructionPlan.shouldRedelegate,
+    context: instructionPlan.context
+  };
+}
+async function unshieldTokens(params) {
+  const {
+    user,
+    payer,
+    tokenMint,
+    amount,
+    baseProgram,
+    perProgram,
+    rpcOptions
+  } = params;
+  const baseConnection = baseProgram.provider.connection;
+  const perConnection = perProgram.provider.connection;
+  const plan = await buildUnshieldTokensTransactionPlan({
+    user,
+    payer,
+    tokenMint,
+    amount,
+    baseProgram,
+    perProgram,
+    validator: params.validator,
+    sessionToken: params.sessionToken,
+    magicProgram: params.magicProgram,
+    magicContext: params.magicContext
+  });
+  const {
+    shouldRedelegate,
+    context: { validator, depositPda, isNativeSol, currentDepositAmount }
+  } = plan;
+  if (plan.preUndelegateTransaction) {
+    await sendPlannedUndelegateDepositTransaction({
+      baseProgram,
+      perProgram,
+      transaction: plan.preUndelegateTransaction,
+      user,
+      tokenMint,
+      rpcOptions
+    });
+  }
+  await processEnsureChecks(baseConnection, perConnection, plan.baseTransaction.checks);
+  const delegationWatcher = shouldRedelegate ? waitForAccountOwnerChange(baseConnection, depositPda, DELEGATION_PROGRAM_ID) : null;
+  const tx = new Transaction5().add(...plan.baseTransaction.instructions.map(({ ix }) => ix));
+  let signature;
+  try {
+    signature = await sendAndConfirmWithDiagnostics({
+      label: "unshieldTokens",
+      provider: baseProgram.provider,
+      tx,
+      rpcOptions,
+      extraContext: {
+        user,
+        payer,
+        tokenMint,
+        amount,
+        isNativeSol,
+        validator,
+        depositPda,
+        currentDepositAmount,
+        shouldRedelegate
+      }
+    });
+    if (delegationWatcher) {
+      await delegationWatcher.wait();
+      await new Promise((resolve) => setTimeout(resolve, 3000));
+    }
+  } catch (e) {
+    await delegationWatcher?.cancel();
+    throw e;
+  }
+  return signature;
+}
+
+// src/instructions/initializeUsernameDeposit.ts
+import { TOKEN_PROGRAM_ID as TOKEN_PROGRAM_ID3 } from "@solana/spl-token";
+import { SystemProgram as SystemProgram4 } from "@solana/web3.js";
+async function initializeUsernameDepositIx(program, params) {
+  const { username, tokenMint, payer } = params;
+  validateUsername(username);
+  const [usernameDepositPda] = await findUsernameDepositPda(username, tokenMint);
+  const usernameHash = await sha256hash(username);
+  const ix = await program.methods.initializeUsernameDeposit(usernameHash).accountsPartial({
+    payer,
+    tokenMint,
+    tokenProgram: TOKEN_PROGRAM_ID3,
+    systemProgram: SystemProgram4.programId
+  }).instruction();
+  return {
+    ix,
+    ensure: [
+      {
+        address: usernameDepositPda,
+        delegated: false,
+        passNotExist: true,
+        label: "initializeUsernameDeposit-usernameDepositPda"
+      }
+    ]
+  };
+}
+
+// src/fee-estimate.ts
+import {
+  Transaction as Transaction6
+} from "@solana/web3.js";
+function createUnsignedTransaction(params) {
+  return new Transaction6({
+    feePayer: params.feePayer,
+    recentBlockhash: params.blockhash
+  }).add(...params.instructions);
+}
+async function getMessageFeeLamports(params) {
+  const fee = await params.connection.getFeeForMessage(params.transaction.compileMessage(), params.commitment);
+  if (fee.value === null) {
+    throw new Error("RPC returned null fee for transaction message");
+  }
+  return fee.value;
+}
+async function estimatePlannedTransactionFees(params) {
+  const transactionEstimates = await Promise.all(params.transactions.map(async (transactionPlan, index) => {
+    if (transactionPlan.instructions.length === 0) {
+      throw new Error(`Cannot estimate empty transaction: ${transactionPlan.label}`);
+    }
+    const blockhash = await transactionPlan.connection.getLatestBlockhash(params.commitment);
+    const transaction = createUnsignedTransaction({
+      feePayer: transactionPlan.feePayer,
+      blockhash: blockhash.blockhash,
+      instructions: transactionPlan.instructions.map(({ ix }) => ix)
+    });
+    const feeLamports = await getMessageFeeLamports({
+      connection: transactionPlan.connection,
+      transaction,
+      commitment: params.commitment
+    });
+    const instructions = transactionPlan.instructions.map((instructionPlan, instructionIndex) => ({
+      transactionIndex: index,
+      instructionIndex,
+      label: instructionPlan.label,
+      programId: instructionPlan.ix.programId,
+      rentLamports: instructionPlan.rentLamports ?? 0,
+      nativeLamports: instructionPlan.nativeLamports ?? 0
+    }));
+    const rentLamports = instructions.reduce((total, instruction) => total + instruction.rentLamports, 0);
+    const nativeLamports = instructions.reduce((total, instruction) => total + instruction.nativeLamports, 0);
+    return {
+      index,
+      label: transactionPlan.label,
+      cluster: transactionPlan.cluster,
+      feePayer: transactionPlan.feePayer,
+      blockhash: blockhash.blockhash,
+      lastValidBlockHeight: blockhash.lastValidBlockHeight,
+      instructionCount: transactionPlan.instructions.length,
+      feeLamports,
+      rentLamports,
+      nativeLamports,
+      totalLamports: feeLamports + rentLamports + nativeLamports,
+      instructions
+    };
+  }));
+  const instructionEstimates = transactionEstimates.flatMap((transaction) => transaction.instructions);
+  return {
+    transactions: transactionEstimates,
+    instructions: instructionEstimates,
+    totalFeeLamports: transactionEstimates.reduce((total, transaction) => total + transaction.feeLamports, 0),
+    totalRentLamports: instructionEstimates.reduce((total, instruction) => total + instruction.rentLamports, 0),
+    totalNativeLamports: instructionEstimates.reduce((total, instruction) => total + instruction.nativeLamports, 0)
+  };
+}
+
+// src/instructions/closeUsernameDeposit.ts
+async function closeUsernameDepositIx(program, params) {
+  const { username, tokenMint, authority, session } = params;
+  validateUsername(username);
+  const [depositPda] = await findUsernameDepositPda(username, tokenMint);
+  const ix = await program.methods.closeUsernameDeposit().accountsPartial({
+    authority,
+    deposit: depositPda,
+    tokenMint,
+    session
+  }).instruction();
+  return {
+    ix,
+    ensure: [
+      {
+        address: depositPda,
+        delegated: false,
+        passNotExist: false,
+        label: "closeUsernameDeposit-depositPda"
+      }
+    ]
+  };
+}
+
+// src/LoyalPrivateTransactionsClient.ts
+var KAMINO_API_BASE_URL = "https://api.kamino.finance";
+var KAMINO_MAINNET_ENV = "mainnet-beta";
+var KAMINO_DEVNET_ENV = "devnet";
+function prettyStringify2(obj) {
+  const json = JSON.stringify(obj, (_key, value) => {
+    if (value instanceof PublicKey7)
+      return value.toBase58();
+    if (typeof value === "bigint")
+      return value.toString();
+    return value;
+  }, 2);
+  return json.replace(/\[\s+(\d[\d,\s]*\d)\s+\]/g, (_match, inner) => {
+    const items = inner.split(/,\s*/).map((s) => s.trim());
+    return `[${items.join(", ")}]`;
+  });
+}
+function programFromRpc(signer, commitment, rpcEndpoint, wsEndpoint) {
+  const adapter = InternalWalletAdapter.from(signer);
+  const baseConnection = new Connection3(rpcEndpoint, {
+    wsEndpoint,
+    commitment
+  });
+  const baseProvider = new AnchorProvider2(baseConnection, adapter, {
+    commitment
+  });
+  return new Program2(telegram_private_transfer_default, baseProvider);
+}
+function getKaminoApiEnv(accounts) {
+  return accounts && isKaminoMainnetModifyBalanceAccounts(accounts) ? KAMINO_MAINNET_ENV : KAMINO_DEVNET_ENV;
+}
+function normalizeBigInt(value) {
+  if (typeof value === "bigint") {
+    return value;
+  }
+  if (!Number.isInteger(value) || value < 0) {
+    throw new Error(`Expected a non-negative integer amount, received ${value}`);
+  }
+  return BigInt(value);
+}
+function toShieldFlowTransactionPlan(plan) {
+  return {
+    label: plan.label,
+    cluster: plan.cluster,
+    instructions: plan.instructions,
+    checks: plan.checks,
+    postSendOwnerChange: plan.postSendOwnerChange
+  };
+}
+async function fetchKaminoReserveMetrics(args) {
+  const url = new URL(`/kamino-market/${args.lendingMarket.toBase58()}/reserves/metrics`, KAMINO_API_BASE_URL);
+  url.searchParams.set("env", args.env);
+  const response = await fetch(url.toString(), {
+    method: "GET",
+    headers: {
+      accept: "application/json"
+    }
+  });
+  if (!response.ok) {
+    throw new Error(`Kamino reserve metrics request failed with status ${response.status}`);
+  }
+  const payload = await response.json();
+  if (!Array.isArray(payload)) {
+    throw new Error("Kamino reserve metrics response was not an array");
   }
   const reserveAddress = args.reserve.toBase58();
   const reserveMetrics = payload.find((item) => {
@@ -2286,7 +4145,7 @@ function deriveMessageSigner(signer) {
   }
   throw new Error("Wallet does not support signMessage, required for PER auth");
 }
-function waitForAccountOwnerChange(connection, account, expectedOwner, timeoutMs = 15000, intervalMs = 1000) {
+function waitForAccountOwnerChange2(connection, account, expectedOwner, timeoutMs = 15000, intervalMs = 1000) {
   let skipWait;
   const subId = connection.onAccountChange(account, (accountInfo) => {
     if (accountInfo.owner.equals(expectedOwner) && skipWait) {
@@ -2359,10 +4218,7 @@ class LoyalPrivateTransactionsClient {
       let expiresAt;
       if (!authToken) {
         try {
-          const isVerified = await verifyTeeRpcIntegrity(ephemeralRpcEndpoint);
-          if (!isVerified) {
-            console.error("[LoyalClient] TEE RPC integrity verification returned false");
-          }
+          await verifyTeeIntegrity(ephemeralRpcEndpoint);
         } catch (e) {
           console.error("[LoyalClient] TEE RPC integrity verification error:", e);
         }
@@ -2377,123 +4233,328 @@ class LoyalPrivateTransactionsClient {
     const ephemeralProgram = programFromRpc(signer, commitment, finalEphemeralRpcEndpoint, finalEphemeralWsEndpoint);
     return new LoyalPrivateTransactionsClient(baseProgram, ephemeralProgram, adapter);
   }
-  async initializeDeposit(params) {
-    const { user, tokenMint, payer, rpcOptions } = params;
-    const [depositPda] = findDepositPda(user, tokenMint);
-    await this.ensureNotDelegated(depositPda, "modifyBalance-depositPda", true);
-    const signature = await this.baseProgram.methods.initializeDeposit().accountsPartial({
+  async shieldTokens(params) {
+    const payer = params.payer ?? params.user;
+    return shieldTokens({
+      user: params.user,
       payer,
-      user,
-      tokenMint,
-      tokenProgram: TOKEN_PROGRAM_ID,
-      systemProgram: SystemProgram.programId
-    }).rpc(rpcOptions);
-    return signature;
+      tokenMint: params.tokenMint,
+      amount: normalizeBigInt(params.amount),
+      baseProgram: this.baseProgram,
+      perProgram: this.ephemeralProgram,
+      validator: params.validator,
+      sessionToken: params.sessionToken,
+      magicProgram: params.magicProgram,
+      magicContext: params.magicContext,
+      rpcOptions: params.rpcOptions
+    });
   }
-  async initializeUsernameDeposit(params) {
-    const { username, tokenMint, payer, rpcOptions } = params;
-    this.validateUsername(username);
-    const [usernameDepositPda] = await findUsernameDepositPda(username, tokenMint);
-    await this.ensureNotDelegated(usernameDepositPda, "modifyBalance-depositPda", true);
-    const usernameHash = await sha256hash(username);
-    const signature = await this.baseProgram.methods.initializeUsernameDeposit(usernameHash).accountsPartial({
+  async unshieldTokens(params) {
+    const payer = params.payer ?? params.user;
+    return unshieldTokens({
+      user: params.user,
       payer,
-      tokenMint,
-      tokenProgram: TOKEN_PROGRAM_ID,
-      systemProgram: SystemProgram.programId
-    }).rpc(rpcOptions);
-    return signature;
+      tokenMint: params.tokenMint,
+      amount: normalizeBigInt(params.amount),
+      baseProgram: this.baseProgram,
+      perProgram: this.ephemeralProgram,
+      validator: params.validator,
+      sessionToken: params.sessionToken,
+      magicProgram: params.magicProgram,
+      magicContext: params.magicContext,
+      rpcOptions: params.rpcOptions
+    });
   }
-  async modifyBalance(params) {
-    const {
-      user,
-      tokenMint,
-      amount,
-      increase,
+  async buildShieldFlowTransactionPlan(params) {
+    const amount = normalizeBigInt(params.amount);
+    const payer = params.payer ?? params.user;
+    const validator = params.validator ?? this.getExpectedErValidator();
+    const magicProgram = params.magicProgram ?? MAGIC_PROGRAM_ID;
+    const magicContext = params.magicContext ?? MAGIC_CONTEXT_ID;
+    const transactions = [];
+    if (params.kind === "shield") {
+      const shieldPlan = await buildShieldTokensTransactionPlan({
+        user: params.user,
+        payer,
+        tokenMint: params.tokenMint,
+        amount,
+        baseProgram: this.baseProgram,
+        perProgram: this.ephemeralProgram,
+        validator,
+        sessionToken: params.sessionToken,
+        magicProgram,
+        magicContext
+      });
+      if (shieldPlan.preUndelegateTransaction) {
+        transactions.push(toShieldFlowTransactionPlan({
+          ...shieldPlan.preUndelegateTransaction,
+          postSendOwnerChange: {
+            address: shieldPlan.context.depositPda,
+            owner: PROGRAM_ID,
+            bestEffort: true
+          }
+        }));
+      }
+      transactions.push(toShieldFlowTransactionPlan({
+        ...shieldPlan.baseTransaction,
+        postSendOwnerChange: {
+          address: shieldPlan.context.depositPda,
+          owner: DELEGATION_PROGRAM_ID,
+          bestEffort: true
+        }
+      }));
+    } else {
+      const unshieldPlan = await buildUnshieldTokensTransactionPlan({
+        user: params.user,
+        payer,
+        tokenMint: params.tokenMint,
+        amount,
+        baseProgram: this.baseProgram,
+        perProgram: this.ephemeralProgram,
+        validator,
+        sessionToken: params.sessionToken,
+        magicProgram,
+        magicContext
+      });
+      if (unshieldPlan.preUndelegateTransaction) {
+        transactions.push(toShieldFlowTransactionPlan({
+          ...unshieldPlan.preUndelegateTransaction,
+          postSendOwnerChange: {
+            address: unshieldPlan.context.depositPda,
+            owner: PROGRAM_ID,
+            bestEffort: true
+          }
+        }));
+      }
+      transactions.push(toShieldFlowTransactionPlan({
+        ...unshieldPlan.baseTransaction,
+        postSendOwnerChange: unshieldPlan.shouldRedelegate ? {
+          address: unshieldPlan.context.depositPda,
+          owner: DELEGATION_PROGRAM_ID,
+          bestEffort: true
+        } : undefined
+      }));
+    }
+    return {
+      kind: params.kind,
+      user: params.user,
       payer,
-      userTokenAccount,
-      rpcOptions
-    } = params;
-    const [depositPda] = findDepositPda(user, tokenMint);
-    await this.ensureNotDelegated(depositPda, "modifyBalance-depositPda");
-    const [vaultPda] = findVaultPda(tokenMint);
-    const vaultTokenAccount = getAssociatedTokenAddressSync(tokenMint, vaultPda, true, TOKEN_PROGRAM_ID, ASSOCIATED_TOKEN_PROGRAM_ID);
-    const kaminoAccounts = getKaminoModifyBalanceAccountsForTokenMint(tokenMint);
-    const vaultCollateralTokenAccount = kaminoAccounts ? getAssociatedTokenAddressSync(kaminoAccounts.reserveCollateralMint, vaultPda, true, TOKEN_PROGRAM_ID, ASSOCIATED_TOKEN_PROGRAM_ID) : null;
-    console.log("modifyBalance", {
-      payer: payer.toString(),
-      user: user.toString(),
-      vault: vaultPda.toString(),
-      deposit: depositPda.toString(),
-      userTokenAccount: userTokenAccount.toString(),
-      vaultTokenAccount: vaultTokenAccount.toString(),
-      tokenMint: tokenMint.toString(),
-      kaminoAccounts: kaminoAccounts ? {
-        lendingMarket: kaminoAccounts.lendingMarket.toString(),
-        lendingMarketAuthority: kaminoAccounts.lendingMarketAuthority.toString(),
-        reserve: kaminoAccounts.reserve.toString(),
-        reserveLiquiditySupply: kaminoAccounts.reserveLiquiditySupply.toString(),
-        reserveCollateralMint: kaminoAccounts.reserveCollateralMint.toString(),
-        vaultCollateralTokenAccount: vaultCollateralTokenAccount?.toString() ?? null
-      } : null
+      tokenMint: params.tokenMint,
+      amount,
+      transactions
+    };
+  }
+  async buildShieldTokensTransactionPlan(params) {
+    return this.buildShieldFlowTransactionPlan({
+      ...params,
+      kind: "shield"
     });
-    let methodBuilder = this.baseProgram.methods.modifyBalance({ amount: new BN(amount.toString()), increase }).accountsPartial({
-      payer,
-      user,
-      vault: vaultPda,
-      deposit: depositPda,
-      userTokenAccount,
-      vaultTokenAccount,
-      tokenMint,
-      tokenProgram: TOKEN_PROGRAM_ID,
-      associatedTokenProgram: ASSOCIATED_TOKEN_PROGRAM_ID,
-      systemProgram: SystemProgram.programId
+  }
+  async buildUnshieldTokensTransactionPlan(params) {
+    return this.buildShieldFlowTransactionPlan({
+      ...params,
+      kind: "unshield"
     });
-    if (kaminoAccounts && vaultCollateralTokenAccount) {
-      methodBuilder = methodBuilder.remainingAccounts([
-        {
-          pubkey: kaminoAccounts.lendingMarket,
-          isSigner: false,
-          isWritable: false
-        },
-        {
-          pubkey: kaminoAccounts.lendingMarketAuthority,
-          isSigner: false,
-          isWritable: false
-        },
-        {
-          pubkey: kaminoAccounts.reserve,
-          isSigner: false,
-          isWritable: true
-        },
-        {
-          pubkey: kaminoAccounts.reserveLiquiditySupply,
-          isSigner: false,
-          isWritable: true
-        },
-        {
-          pubkey: kaminoAccounts.reserveCollateralMint,
-          isSigner: false,
-          isWritable: true
-        },
-        {
-          pubkey: vaultCollateralTokenAccount,
-          isSigner: false,
-          isWritable: true
-        },
-        {
-          pubkey: kaminoAccounts.instructionSysvarAccount,
-          isSigner: false,
-          isWritable: false
-        },
-        {
-          pubkey: kaminoAccounts.klendProgram,
-          isSigner: false,
-          isWritable: false
+  }
+  async estimateShieldFlowFee(params) {
+    const transactions = params.plan.transactions.map((transaction) => ({
+      label: transaction.label,
+      cluster: transaction.cluster,
+      connection: transaction.cluster === "base" ? this.baseProgram.provider.connection : this.ephemeralProgram.provider.connection,
+      feePayer: params.plan.payer,
+      instructions: transaction.instructions
+    }));
+    if (transactions.length === 0) {
+      throw new Error("Cannot estimate an empty shield flow plan");
+    }
+    const estimate = await estimatePlannedTransactionFees({
+      transactions,
+      commitment: params.commitment
+    });
+    return {
+      kind: params.plan.kind,
+      user: params.plan.user,
+      payer: params.plan.payer,
+      tokenMint: params.plan.tokenMint,
+      amount: params.plan.amount,
+      totalFeeLamports: estimate.totalFeeLamports,
+      totalRentLamports: estimate.totalRentLamports,
+      totalNativeLamports: estimate.totalNativeLamports,
+      feeAndRentLamports: estimate.totalFeeLamports + estimate.totalRentLamports,
+      totalLamports: estimate.totalFeeLamports + estimate.totalRentLamports + estimate.totalNativeLamports,
+      transactions: estimate.transactions,
+      instructions: estimate.instructions,
+      note: "Solana charges protocol fees per transaction message. Instruction rows expose net rent changes (positive locks rent, negative reclaims rent) and nativeLamports for native-SOL token value movement. totalLamports is a cost-style net SOL impact for the common payer=user flow: positive values are debits/costs and negative values are credits/gains. feeAndRentLamports excludes native token principal. If payer differs from user, nativeLamports belongs to the token owner while fees/rent may belong to the payer."
+    };
+  }
+  async estimateShieldTokensFee(params) {
+    if (params.plan.kind !== "shield") {
+      throw new Error("estimateShieldTokensFee expected a shield plan");
+    }
+    return this.estimateShieldFlowFee(params);
+  }
+  async estimateUnshieldTokensFee(params) {
+    if (params.plan.kind !== "unshield") {
+      throw new Error("estimateUnshieldTokensFee expected an unshield plan");
+    }
+    return this.estimateShieldFlowFee(params);
+  }
+  async executeShieldFlowTransactionPlan(params) {
+    if (params.plan.transactions.length === 0) {
+      throw new Error("Cannot execute an empty shield flow plan");
+    }
+    const signatures = [];
+    for (let transactionIndex = 0;transactionIndex < params.plan.transactions.length; transactionIndex += 1) {
+      const transactionPlan = params.plan.transactions[transactionIndex];
+      if (transactionPlan.instructions.length === 0) {
+        throw new Error(`Cannot execute empty transaction plan: ${transactionPlan.label}`);
+      }
+      await processEnsureChecks(this.baseProgram.provider.connection, this.ephemeralProgram.provider.connection, transactionPlan.checks ?? []);
+      const ownerChangeWatcher = transactionPlan.postSendOwnerChange ? waitForAccountOwnerChange2(this.baseProgram.provider.connection, transactionPlan.postSendOwnerChange.address, transactionPlan.postSendOwnerChange.owner) : null;
+      const provider = transactionPlan.cluster === "base" ? this.baseProgram.provider : this.ephemeralProgram.provider;
+      const tx = new Transaction7().add(...transactionPlan.instructions.map(({ ix }) => ix));
+      let signature;
+      try {
+        signature = await sendAndConfirmWithDiagnostics({
+          label: transactionPlan.label,
+          provider,
+          tx,
+          rpcOptions: params.rpcOptions,
+          extraContext: {
+            kind: params.plan.kind,
+            user: params.plan.user,
+            payer: params.plan.payer,
+            tokenMint: params.plan.tokenMint,
+            amount: params.plan.amount,
+            transactionIndex,
+            cluster: transactionPlan.cluster,
+            postSendOwnerChange: transactionPlan.postSendOwnerChange
+          }
+        });
+      } catch (e) {
+        await ownerChangeWatcher?.cancel();
+        throw e;
+      }
+      if (ownerChangeWatcher) {
+        try {
+          await ownerChangeWatcher.wait();
+          await new Promise((resolve) => setTimeout(resolve, 3000));
+        } catch (err) {
+          if (!transactionPlan.postSendOwnerChange?.bestEffort) {
+            throw err;
+          }
+          console.warn(`[${transactionPlan.label}] owner-change watcher did not observe expected owner (signature=${signature}); continuing`, err);
         }
-      ]);
+      }
+      signatures.push({
+        index: transactionIndex,
+        label: transactionPlan.label,
+        cluster: transactionPlan.cluster,
+        signature
+      });
+    }
+    return {
+      kind: params.plan.kind,
+      user: params.plan.user,
+      payer: params.plan.payer,
+      tokenMint: params.plan.tokenMint,
+      amount: params.plan.amount,
+      signatures
+    };
+  }
+  async executeShieldTokensTransactionPlan(params) {
+    if (params.plan.kind !== "shield") {
+      throw new Error("executeShieldTokensTransactionPlan expected a shield plan");
     }
-    const signature = await methodBuilder.rpc(rpcOptions);
+    return this.executeShieldFlowTransactionPlan(params);
+  }
+  async executeUnshieldTokensTransactionPlan(params) {
+    if (params.plan.kind !== "unshield") {
+      throw new Error("executeUnshieldTokensTransactionPlan expected an unshield plan");
+    }
+    return this.executeShieldFlowTransactionPlan(params);
+  }
+  async initializeDeposit(params) {
+    const { ix, ensure } = await initializeDepositIx(this.baseProgram, params);
+    await processEnsureChecks(this.baseProgram.provider.connection, this.ephemeralProgram.provider.connection, ensure);
+    const tx = new Transaction7().add(ix);
+    return await sendAndConfirmWithDiagnostics({
+      label: "initializeDeposit",
+      provider: this.baseProgram.provider,
+      tx,
+      rpcOptions: params.rpcOptions,
+      extraContext: {
+        user: params.user,
+        tokenMint: params.tokenMint
+      }
+    });
+  }
+  async initializeUsernameDeposit(params) {
+    const { ix, ensure } = await initializeUsernameDepositIx(this.baseProgram, params);
+    await processEnsureChecks(this.baseProgram.provider.connection, this.ephemeralProgram.provider.connection, ensure);
+    const tx = new Transaction7().add(ix);
+    return await sendAndConfirmWithDiagnostics({
+      label: "initializeUsernameDeposit",
+      provider: this.baseProgram.provider,
+      tx,
+      rpcOptions: params.rpcOptions,
+      extraContext: {
+        username: params.username,
+        tokenMint: params.tokenMint
+      }
+    });
+  }
+  async closeDeposit(params) {
+    const { user, tokenMint } = params;
+    const { ix, ensure } = await closeDepositIx(this.baseProgram, params);
+    await processEnsureChecks(this.baseProgram.provider.connection, this.ephemeralProgram.provider.connection, ensure);
+    const tx = new Transaction7().add(ix);
+    return await sendAndConfirmWithDiagnostics({
+      label: "closeDeposit",
+      provider: this.baseProgram.provider,
+      tx,
+      rpcOptions: params.rpcOptions,
+      extraContext: {
+        user,
+        tokenMint
+      }
+    });
+  }
+  async closeUsernameDeposit(params) {
+    const { username, tokenMint, authority, session } = params;
+    const { ix, ensure } = await closeUsernameDepositIx(this.baseProgram, params);
+    await processEnsureChecks(this.baseProgram.provider.connection, this.ephemeralProgram.provider.connection, ensure);
+    const tx = new Transaction7().add(ix);
+    return await sendAndConfirmWithDiagnostics({
+      label: "closeUsernameDeposit",
+      provider: this.baseProgram.provider,
+      tx,
+      rpcOptions: params.rpcOptions,
+      extraContext: {
+        username,
+        tokenMint,
+        authority,
+        session
+      }
+    });
+  }
+  async modifyBalance(params) {
+    const { user, tokenMint } = params;
+    const { ix, ensure } = await modifyBalanceIx(this.baseProgram, params);
+    await processEnsureChecks(this.baseProgram.provider.connection, this.ephemeralProgram.provider.connection, ensure);
+    const tx = new Transaction7().add(ix);
+    const signature = await sendAndConfirmWithDiagnostics({
+      label: "modifyBalance",
+      provider: this.baseProgram.provider,
+      tx,
+      rpcOptions: params.rpcOptions,
+      extraContext: {
+        user,
+        tokenMint,
+        amount: params.amount,
+        increase: params.increase
+      }
+    });
     const deposit = await this.getBaseDeposit(user, tokenMint);
     if (!deposit) {
       throw new Error("Failed to fetch deposit after modification");
@@ -2502,7 +4563,7 @@ class LoyalPrivateTransactionsClient {
   }
   async claimUsernameDepositToDeposit(params) {
     const { username, tokenMint, amount, recipient, session, rpcOptions } = params;
-    this.validateUsername(username);
+    validateUsername(username);
     const [sourceUsernameDeposit] = await findUsernameDepositPda(username, tokenMint);
     const [destinationDeposit] = findDepositPda(recipient, tokenMint);
     await this.ensureDelegated(sourceUsernameDeposit, "claimUsernameDepositToDeposit-sourceUsernameDeposit");
@@ -2513,16 +4574,16 @@ class LoyalPrivateTransactionsClient {
       destinationDeposit,
       tokenMint,
       session,
-      tokenProgram: TOKEN_PROGRAM_ID
+      tokenProgram: TOKEN_PROGRAM_ID4
     };
-    console.log("claimUsernameDepositToDeposit accounts:", prettyStringify(accounts));
+    console.log("claimUsernameDepositToDeposit accounts:", prettyStringify2(accounts));
     const connection = this.baseProgram.provider.connection;
     const [srcInfo, dstInfo, sessionInfo] = await Promise.all([
       connection.getAccountInfo(sourceUsernameDeposit),
       connection.getAccountInfo(destinationDeposit),
       connection.getAccountInfo(session)
     ]);
-    console.log("claimUsernameDepositToDeposit sourceUsernameDeposit accountInfo:", prettyStringify({
+    console.log("claimUsernameDepositToDeposit sourceUsernameDeposit accountInfo:", prettyStringify2({
       address: sourceUsernameDeposit.toBase58(),
       exists: !!srcInfo,
       owner: srcInfo?.owner?.toBase58(),
@@ -2530,7 +4591,7 @@ class LoyalPrivateTransactionsClient {
       dataLen: srcInfo?.data?.length,
       executable: srcInfo?.executable
     }));
-    console.log("claimUsernameDepositToDeposit destinationDeposit accountInfo:", prettyStringify({
+    console.log("claimUsernameDepositToDeposit destinationDeposit accountInfo:", prettyStringify2({
       address: destinationDeposit.toBase58(),
       exists: !!dstInfo,
       owner: dstInfo?.owner?.toBase58(),
@@ -2538,7 +4599,7 @@ class LoyalPrivateTransactionsClient {
       dataLen: dstInfo?.data?.length,
       executable: dstInfo?.executable
     }));
-    console.log("claimUsernameDepositToDeposit session accountInfo:", prettyStringify({
+    console.log("claimUsernameDepositToDeposit session accountInfo:", prettyStringify2({
       address: session.toBase58(),
       exists: !!sessionInfo,
       owner: sessionInfo?.owner?.toBase58(),
@@ -2547,50 +4608,40 @@ class LoyalPrivateTransactionsClient {
       executable: sessionInfo?.executable
     }));
     try {
-      const sim = await this.ephemeralProgram.methods.claimUsernameDepositToDeposit(new BN(amount.toString())).accountsPartial(accounts).simulate();
+      const sim = await this.ephemeralProgram.methods.claimUsernameDepositToDeposit(new BN2(amount.toString())).accountsPartial(accounts).simulate();
       console.log("claimUsernameDepositToDeposit simulation logs:", sim.raw);
     } catch (simErr) {
       const simResponse = simErr.simulationResponse;
       console.error("claimUsernameDepositToDeposit simulate FAILED");
       console.error("  error message:", simErr instanceof Error ? simErr.message : String(simErr));
       if (simResponse) {
-        console.error("  simulation err:", prettyStringify(simResponse.err));
-        console.error("  simulation logs:", prettyStringify(simResponse.logs));
+        console.error("  simulation err:", prettyStringify2(simResponse.err));
+        console.error("  simulation logs:", prettyStringify2(simResponse.logs));
         console.error("  unitsConsumed:", simResponse.unitsConsumed);
       }
       throw simErr;
     }
-    const signature = await this.ephemeralProgram.methods.claimUsernameDepositToDeposit(new BN(amount.toString())).accountsPartial(accounts).rpc({ skipPreflight: true, commitment: "confirmed" });
+    const signature = await this.ephemeralProgram.methods.claimUsernameDepositToDeposit(new BN2(amount.toString())).accountsPartial(accounts).rpc({ skipPreflight: true, commitment: "confirmed" });
     return signature;
   }
   async createPermission(params) {
-    const { user, tokenMint, payer, rpcOptions } = params;
-    const [depositPda] = findDepositPda(user, tokenMint);
-    const [permissionPda] = findPermissionPda(depositPda);
-    await this.ensureNotDelegated(depositPda, "createPermission-depositPda");
-    if (await this.permissionAccountExists(permissionPda)) {
-      return null;
-    }
-    try {
-      const signature = await this.baseProgram.methods.createPermission().accountsPartial({
-        payer,
-        user,
-        deposit: depositPda,
-        permission: permissionPda,
-        permissionProgram: PERMISSION_PROGRAM_ID,
-        systemProgram: SystemProgram.programId
-      }).rpc(rpcOptions);
-      return signature;
-    } catch (err) {
-      if (this.isAccountAlreadyInUse(err)) {
-        return "permission-exists";
+    const { ix, ensure } = await createPermissionIx(this.baseProgram, params);
+    await processEnsureChecks(this.baseProgram.provider.connection, this.ephemeralProgram.provider.connection, ensure);
+    const tx = new Transaction7().add(ix);
+    return await sendAndConfirmWithDiagnostics({
+      label: "createPermission",
+      provider: this.baseProgram.provider,
+      tx,
+      rpcOptions: params.rpcOptions,
+      extraContext: {
+        user: params.user,
+        tokenMint: params.tokenMint
       }
-      throw err;
-    }
+    });
   }
   async createUsernamePermission(params) {
     const { username, tokenMint, session, authority, payer, rpcOptions } = params;
-    this.validateUsername(username);
+    validateUsername(username);
     const [depositPda] = await findUsernameDepositPda(username, tokenMint);
     const [permissionPda] = findPermissionPda(depositPda);
     await this.ensureNotDelegated(depositPda, "createUsernamePermission-depositPda");
@@ -2605,7 +4656,7 @@ class LoyalPrivateTransactionsClient {
         session,
         permission: permissionPda,
         permissionProgram: PERMISSION_PROGRAM_ID,
-        systemProgram: SystemProgram.programId
+        systemProgram: SystemProgram5.programId
       }).rpc(rpcOptions);
       return signature;
     } catch (err) {
@@ -2616,35 +4667,35 @@ class LoyalPrivateTransactionsClient {
     }
   }
   async delegateDeposit(params) {
-    const { user, tokenMint, payer, validator, rpcOptions } = params;
+    const { user, tokenMint } = params;
+    const { ix, ensure } = await delegateDepositIx(this.baseProgram, params);
+    await processEnsureChecks(this.baseProgram.provider.connection, this.ephemeralProgram.provider.connection, ensure);
     const [depositPda] = findDepositPda(user, tokenMint);
-    const [bufferPda] = findBufferPda(depositPda);
-    const [delegationRecordPda] = findDelegationRecordPda(depositPda);
-    const [delegationMetadataPda] = findDelegationMetadataPda(depositPda);
-    await this.ensureNotDelegated(depositPda, "delegateDeposit-depositPda");
-    const accounts = {
-      payer,
-      bufferDeposit: bufferPda,
-      delegationRecordDeposit: delegationRecordPda,
-      delegationMetadataDeposit: delegationMetadataPda,
-      deposit: depositPda,
-      validator,
-      ownerProgram: PROGRAM_ID,
-      delegationProgram: DELEGATION_PROGRAM_ID,
-      systemProgram: SystemProgram.programId
-    };
-    const delegationWatcher = waitForAccountOwnerChange(this.baseProgram.provider.connection, depositPda, DELEGATION_PROGRAM_ID);
+    const delegationWatcher = waitForAccountOwnerChange2(this.baseProgram.provider.connection, depositPda, DELEGATION_PROGRAM_ID);
     let signature;
     try {
-      console.log("delegateDeposit Accounts:", prettyStringify(accounts));
-      signature = await this.baseProgram.methods.delegate(user, tokenMint).accountsPartial(accounts).rpc(rpcOptions);
-      console.log("delegateDeposit: waiting for depositPda owner to be DELEGATION_PROGRAM_ID on base connection...");
-      await delegationWatcher.wait();
-      await new Promise((resolve) => setTimeout(resolve, 3000));
+      const tx = new Transaction7().add(ix);
+      signature = await sendAndConfirmWithDiagnostics({
+        label: "delegateDeposit",
+        provider: this.baseProgram.provider,
+        tx,
+        rpcOptions: params.rpcOptions,
+        extraContext: {
+          user,
+          tokenMint,
+          depositPda
+        }
+      });
     } catch (e) {
       await delegationWatcher.cancel();
       throw e;
     }
+    try {
+      await delegationWatcher.wait();
+      await new Promise((resolve) => setTimeout(resolve, 3000));
+    } catch (err) {
+      console.warn(`[delegateDeposit] delegation watcher did not observe owner change (signature=${signature}); continuing`, err);
+    }
     return signature;
   }
   async delegateUsernameDeposit(params) {
@@ -2655,7 +4706,7 @@ class LoyalPrivateTransactionsClient {
       validator,
       rpcOptions
     } = params;
-    this.validateUsername(username);
+    validateUsername(username);
     const [depositPda] = await findUsernameDepositPda(username, tokenMint);
     const [bufferPda] = findBufferPda(depositPda);
     const [delegationRecordPda] = findDelegationRecordPda(depositPda);
@@ -2670,56 +4721,30 @@ class LoyalPrivateTransactionsClient {
       deposit: depositPda,
       ownerProgram: PROGRAM_ID,
       delegationProgram: DELEGATION_PROGRAM_ID,
-      systemProgram: SystemProgram.programId
+      systemProgram: SystemProgram5.programId
     };
     accounts.validator = validator ?? null;
-    const delegationWatcher = waitForAccountOwnerChange(this.baseProgram.provider.connection, depositPda, DELEGATION_PROGRAM_ID);
+    const delegationWatcher = waitForAccountOwnerChange2(this.baseProgram.provider.connection, depositPda, DELEGATION_PROGRAM_ID);
     let signature;
     try {
-      console.log("delegateUsernameDeposit Accounts:", prettyStringify(accounts));
+      console.log("delegateUsernameDeposit Accounts:", prettyStringify2(accounts));
       signature = await this.baseProgram.methods.delegateUsernameDeposit(usernameHash, tokenMint).accountsPartial(accounts).rpc(rpcOptions);
-      console.log("delegateUsernameDeposit: waiting for depositPda owner to be DELEGATION_PROGRAM_ID on base connection...");
-      await delegationWatcher.wait();
-      await new Promise((resolve) => setTimeout(resolve, 3000));
     } catch (e) {
       await delegationWatcher.cancel();
       throw e;
     }
-    return signature;
-  }
-  async undelegateDeposit(params) {
-    const {
-      user,
-      tokenMint,
-      payer,
-      sessionToken,
-      magicProgram,
-      magicContext,
-      rpcOptions
-    } = params;
-    const [depositPda] = findDepositPda(user, tokenMint);
-    await this.ensureDelegated(depositPda, "undelegateDeposit-depositPda", true);
-    const accounts = {
-      user,
-      payer,
-      deposit: depositPda,
-      magicProgram,
-      magicContext
-    };
-    accounts.sessionToken = sessionToken ?? null;
-    const delegationWatcher = waitForAccountOwnerChange(this.baseProgram.provider.connection, depositPda, PROGRAM_ID);
-    let signature;
     try {
-      console.log("undelegateDeposit Accounts:", prettyStringify(accounts));
-      signature = await this.ephemeralProgram.methods.undelegate().accountsPartial(accounts).rpc(rpcOptions);
-      console.log("undelegateDeposit: waiting for depositPda owner to be PROGRAM_ID on base connection...");
+      console.log("delegateUsernameDeposit: waiting for depositPda owner to be DELEGATION_PROGRAM_ID on base connection...");
       await delegationWatcher.wait();
-    } catch (e) {
-      await delegationWatcher.cancel();
-      throw e;
+      await new Promise((resolve) => setTimeout(resolve, 3000));
+    } catch (err) {
+      console.warn(`[delegateUsernameDeposit] delegation watcher did not observe owner change (signature=${signature}); continuing`, err);
     }
     return signature;
   }
+  async undelegateDeposit(params) {
+    return await undelegateDeposit(this.baseProgram, this.ephemeralProgram, params);
+  }
   async undelegateUsernameDeposit(params) {
     const {
       username,
@@ -2730,7 +4755,7 @@ class LoyalPrivateTransactionsClient {
       magicContext,
       rpcOptions
     } = params;
-    this.validateUsername(username);
+    validateUsername(username);
     const [depositPda] = await findUsernameDepositPda(username, tokenMint);
     await this.ensureDelegated(depositPda, "undelegateUsernameDeposit-depositPda");
     const usernameHash = await sha256hash(username);
@@ -2763,7 +4788,7 @@ class LoyalPrivateTransactionsClient {
       sourceDeposit: sourceDepositPda,
       destinationDeposit: destinationDepositPda,
       tokenMint,
-      systemProgram: SystemProgram.programId
+      systemProgram: SystemProgram5.programId
     };
     accounts.sessionToken = sessionToken ?? null;
     console.log("transferDeposit Accounts:");
@@ -2771,7 +4796,7 @@ class LoyalPrivateTransactionsClient {
       console.log(key, value && value.toString());
     });
     console.log("-----");
-    const signature = await this.ephemeralProgram.methods.transferDeposit(new BN(amount.toString())).accountsPartial(accounts).rpc(rpcOptions);
+    const signature = await this.ephemeralProgram.methods.transferDeposit(new BN2(amount.toString())).accountsPartial(accounts).rpc(rpcOptions);
     return signature;
   }
   async transferToUsernameDeposit(params) {
@@ -2784,7 +4809,7 @@ class LoyalPrivateTransactionsClient {
       sessionToken,
       rpcOptions
     } = params;
-    this.validateUsername(username);
+    validateUsername(username);
     const [sourceDepositPda] = findDepositPda(user, tokenMint);
     const [destinationDepositPda] = await findUsernameDepositPda(username, tokenMint);
     await this.ensureDelegated(sourceDepositPda, "transferToUsernameDeposit-sourceDepositPda");
@@ -2795,10 +4820,10 @@ class LoyalPrivateTransactionsClient {
       sourceDeposit: sourceDepositPda,
       destinationDeposit: destinationDepositPda,
       tokenMint,
-      systemProgram: SystemProgram.programId
+      systemProgram: SystemProgram5.programId
     };
     accounts.sessionToken = sessionToken ?? null;
-    const signature = await this.ephemeralProgram.methods.transferToUsernameDeposit(new BN(amount.toString())).accountsPartial(accounts).rpc(rpcOptions);
+    const signature = await this.ephemeralProgram.methods.transferToUsernameDeposit(new BN2(amount.toString())).accountsPartial(accounts).rpc(rpcOptions);
     return signature;
   }
   async getBaseDeposit(user, tokenMint) {
@@ -2830,43 +4855,11 @@ class LoyalPrivateTransactionsClient {
     }
   }
   async getAllDepositsByUser(user) {
-    const userFilter = [
-      {
-        memcmp: {
-          offset: 8,
-          bytes: user.toBase58()
-        }
-      }
-    ];
-    const [baseResults, ephemeralResults] = await Promise.allSettled([
-      this.baseProgram.account.deposit.all(userFilter),
-      this.ephemeralProgram.account.deposit.all(userFilter)
-    ]);
-    const byPda = new Map;
-    const ingest = (results, preferOverwrite) => {
-      for (const { publicKey, account } of results) {
-        const key = publicKey.toBase58();
-        if (!preferOverwrite && byPda.has(key))
-          continue;
-        byPda.set(key, {
-          user: account.user,
-          tokenMint: account.tokenMint,
-          amount: BigInt(account.amount.toString()),
-          address: publicKey
-        });
-      }
-    };
-    if (baseResults.status === "fulfilled") {
-      ingest(baseResults.value, false);
-    } else {
-      console.warn("[getAllDepositsByUser] base program enumeration failed", baseResults.reason);
-    }
-    if (ephemeralResults.status === "fulfilled") {
-      ingest(ephemeralResults.value, true);
-    } else {
-      console.warn("[getAllDepositsByUser] ephemeral program enumeration failed", ephemeralResults.reason);
-    }
-    return Array.from(byPda.values());
+    return enumerateDepositsByUser({
+      user,
+      baseConnection: this.baseProgram.provider.connection,
+      ephemeralConnection: this.ephemeralProgram.provider.connection
+    });
   }
   async getBaseUsernameDeposit(username, tokenMint) {
     const [depositPda] = await findUsernameDepositPda(username, tokenMint);
@@ -2972,14 +4965,6 @@ class LoyalPrivateTransactionsClient {
   getProgramId() {
     return PROGRAM_ID;
   }
-  validateUsername(username) {
-    if (!username || username.length < 5 || username.length > 32) {
-      throw new Error("Username must be between 5 and 32 characters");
-    }
-    if (!/^[a-z0-9_]+$/.test(username)) {
-      throw new Error("Username can only contain lowercase alphanumeric characters and underscores");
-    }
-  }
   async permissionAccountExists(permission) {
     const info = await this.baseProgram.provider.connection.getAccountInfo(permission);
     return !!info && info.owner.equals(PERMISSION_PROGRAM_ID);
@@ -3011,8 +4996,8 @@ class LoyalPrivateTransactionsClient {
       console.error(`Account is delegated to ER: ${displayName}${account.toString()}`);
       const delegationStatus = await this.getDelegationStatus(account);
       console.error("/getDelegationStatus", JSON.stringify(delegationStatus, null, 2));
-      console.error("baseAccountInfo", prettyStringify(baseAccountInfo));
-      console.error("ephemeralAccountInfo", prettyStringify(ephemeralAccountInfo));
+      console.error("baseAccountInfo", prettyStringify2(baseAccountInfo));
+      console.error("ephemeralAccountInfo", prettyStringify2(ephemeralAccountInfo));
       const expectedValidator = this.getExpectedErValidator();
       const authority = delegationStatus.result?.delegationRecord?.authority;
       if (authority && authority !== expectedValidator.toString()) {
@@ -3034,14 +5019,14 @@ class LoyalPrivateTransactionsClient {
     if (!isDelegated) {
       console.error(`Account is not delegated to ER: ${displayName}${account.toString()}`);
       console.error("/getDelegationStatus:", JSON.stringify(delegationStatus, null, 2));
-      console.error("baseAccountInfo", prettyStringify(baseAccountInfo));
-      console.error("ephemeralAccountInfo", prettyStringify(ephemeralAccountInfo));
+      console.error("baseAccountInfo", prettyStringify2(baseAccountInfo));
+      console.error("ephemeralAccountInfo", prettyStringify2(ephemeralAccountInfo));
       throw new Error(`Account is not delegated to ER: ${displayName}${account.toString()}`);
     } else if (!skipValidatorCheck && delegationStatus.result.delegationRecord.authority !== this.getExpectedErValidator().toString()) {
       console.error(`Account is delegated on wrong validator: ${displayName}${account.toString()} - validator: ${delegationStatus.result.delegationRecord.authority}`);
       console.error("/getDelegationStatus:", JSON.stringify(delegationStatus, null, 2));
-      console.error("baseAccountInfo", prettyStringify(baseAccountInfo));
-      console.error("ephemeralAccountInfo", prettyStringify(ephemeralAccountInfo));
+      console.error("baseAccountInfo", prettyStringify2(baseAccountInfo));
+      console.error("ephemeralAccountInfo", prettyStringify2(ephemeralAccountInfo));
       throw new Error(`Account is delegated on wrong validator: ${displayName}${account.toString()} - validator: ${delegationStatus.result.delegationRecord.authority}`);
     }
   }
@@ -3097,12 +5082,17 @@ class LoyalPrivateTransactionsClient {
 // index.ts
 var IDL = telegram_private_transfer_default;
 export {
-  waitForAccountOwnerChange,
+  waitForAccountOwnerChange2 as waitForAccountOwnerChange,
+  unshieldTokens,
   solToLamports,
+  shieldTokens,
+  parseKaminoReserveSnapshotFromAccountData,
   lamportsToSol,
   isWalletLike,
   isKeypair,
+  isKaminoMainnetModifyBalanceAccounts,
   isAnchorProvider,
+  getKaminoModifyBalanceAccountsForTokenMint,
   getErValidatorForSolanaEnv,
   getErValidatorForRpcEndpoint,
   findVaultPda,
@@ -3112,10 +5102,18 @@ export {
   findDelegationRecordPda,
   findDelegationMetadataPda,
   findBufferPda,
+  fetchKaminoReserveSnapshot,
+  enumerateDepositsByUser,
+  calculateKaminoShareAmountForLiquidityAmountRaw,
+  calculateKaminoRedeemableLiquidityAmountRaw,
+  calculateKaminoCollateralValuation,
+  calculateKaminoCollateralExchangeRateSfFromAmounts,
   VAULT_SEED_BYTES,
   VAULT_SEED,
   USERNAME_DEPOSIT_SEED_BYTES,
   USERNAME_DEPOSIT_SEED,
+  USDC_MINT_MAINNET,
+  USDC_MINT_DEVNET,
   PROGRAM_ID,
   PERMISSION_SEED_BYTES,
   PERMISSION_SEED,
@@ -3124,6 +5122,7 @@ export {
   MAGIC_CONTEXT_ID,
   LoyalPrivateTransactionsClient,
   LAMPORTS_PER_SOL,
+  KLEND_PROGRAM_ID,
   IDL,
   ER_VALIDATOR_MAINNET,
   ER_VALIDATOR_DEVNET,