@nokinc-flur/sdk 0.1.6 → 1.0.0

package/dist/index.cjs

@@ -0,0 +1,2294 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ADDITIONAL_DATA_SUBFIELD: () => ADDITIONAL_DATA_SUBFIELD,
+  FIELD: () => FIELD,
+  FlurApiError: () => FlurApiError,
+  FlurCapExceededError: () => FlurCapExceededError,
+  FlurClient: () => FlurClient,
+  FlurError: () => FlurError,
+  FlurExpiredError: () => FlurExpiredError,
+  FlurReplayError: () => FlurReplayError,
+  NGN_CURRENCY_CODE: () => NGN_CURRENCY_CODE,
+  NG_COUNTRY_CODE: () => NG_COUNTRY_CODE,
+  NQRParseError: () => NQRParseError,
+  OACSchema: () => OACSchema,
+  OAC_DEFAULT_CUMULATIVE_KOBO: () => OAC_DEFAULT_CUMULATIVE_KOBO,
+  OAC_DEFAULT_PER_TX_KOBO: () => OAC_DEFAULT_PER_TX_KOBO,
+  OAC_DEFAULT_VALIDITY_MS: () => OAC_DEFAULT_VALIDITY_MS,
+  OfflinePaymentAuthorizationSchema: () => OfflinePaymentAuthorizationSchema,
+  OfflinePaymentRequestSchema: () => OfflinePaymentRequestSchema,
+  PASS_KINDS: () => PASS_KINDS,
+  PASS_STATES: () => PASS_STATES,
+  PAYLOAD_FORMAT_INDICATOR_VALUE: () => PAYLOAD_FORMAT_INDICATOR_VALUE,
+  POINT_OF_INITIATION: () => POINT_OF_INITIATION,
+  PassMetadataSchema: () => PassMetadataSchema,
+  PassSchema: () => PassSchema,
+  RECEIPT_CHANNELS: () => RECEIPT_CHANNELS,
+  RECEIPT_KINDS: () => RECEIPT_KINDS,
+  REPLAY_WINDOW_MS: () => REPLAY_WINDOW_MS,
+  ReceiptPayloadSchema: () => ReceiptPayloadSchema,
+  ReceiptSchema: () => ReceiptSchema,
+  RedemptionSchema: () => RedemptionSchema,
+  bodySha256Hex: () => bodySha256Hex,
+  buildAuthorization: () => buildAuthorization,
+  buildOAC: () => buildOAC,
+  buildPass: () => buildPass,
+  buildPaymentRequest: () => buildPaymentRequest,
+  buildReceipt: () => buildReceipt,
+  buildRedemption: () => buildRedemption,
+  canonicalJSONBytes: () => canonicalJSONBytes,
+  canonicalJSONStringify: () => canonicalJSONStringify,
+  canonicalRequestString: () => canonicalRequestString,
+  constantTimeEqual: () => constantTimeEqual,
+  crc16ccitt: () => crc16ccitt,
+  crc16ccittHex: () => crc16ccittHex,
+  createHmacFetch: () => createHmacFetch,
+  createPassesClient: () => createPassesClient,
+  createReceiptsClient: () => createReceiptsClient,
+  decodeAuthorizationQR: () => decodeAuthorizationQR,
+  decodeBase45: () => decodeBase45,
+  decodePaymentRequestQR: () => decodePaymentRequestQR,
+  encodeAuthorizationQR: () => encodeAuthorizationQR,
+  encodeBase45: () => encodeBase45,
+  encodeNQR: () => encodeNQR,
+  encodePaymentRequestQR: () => encodePaymentRequestQR,
+  formatAmount: () => formatAmount,
+  generateDynamicQR: () => generateDynamicQR,
+  generateKeyPair: () => generateKeyPair,
+  generateStaticQR: () => generateStaticQR,
+  init: () => init,
+  isPassWithinValidity: () => isPassWithinValidity,
+  moneyMinorToNumber: () => moneyMinorToNumber,
+  normalizeE164: () => normalizeE164,
+  parseAmountInput: () => parseAmountInput,
+  parseNQR: () => parseNQR,
+  parseQR: () => parseQR,
+  publicKeyFromPrivate: () => publicKeyFromPrivate,
+  readTLV: () => readTLV,
+  routingHint: () => routingHint,
+  sign: () => sign,
+  signAuthorization: () => signAuthorization,
+  signCanonical: () => signCanonical,
+  signOAC: () => signOAC,
+  signPass: () => signPass,
+  signPaymentRequest: () => signPaymentRequest,
+  signReceipt: () => signReceipt,
+  signRedemption: () => signRedemption,
+  signRequestHMAC: () => signRequestHMAC,
+  verify: () => verify,
+  verifyAuthorization: () => verifyAuthorization,
+  verifyCanonical: () => verifyCanonical,
+  verifyOAC: () => verifyOAC,
+  verifyPass: () => verifyPass,
+  verifyPaymentRequest: () => verifyPaymentRequest,
+  verifyReceipt: () => verifyReceipt,
+  verifyRedemption: () => verifyRedemption,
+  verifyRequestHMAC: () => verifyRequestHMAC,
+  writeTLV: () => writeTLV
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/client.ts
+var import_zod3 = require("zod");
+
+// src/contracts.ts
+var import_zod = require("zod");
+var E164Regex = /^\+[1-9]\d{7,14}$/;
+var UuidSchema = import_zod.z.string().uuid();
+var IsoDateSchema = import_zod.z.string().datetime({ offset: true });
+var CurrencySchema = import_zod.z.string().trim().length(3).transform((value) => value.toUpperCase());
+var HealthResponseSchema = import_zod.z.object({
+  ok: import_zod.z.boolean()
+});
+var WelcomeResponseSchema = import_zod.z.object({
+  message: import_zod.z.string()
+});
+var OnboardingStartRequestSchema = import_zod.z.object({
+  phoneE164: import_zod.z.string().regex(E164Regex),
+  appInstanceId: import_zod.z.string().min(3),
+  platform: import_zod.z.enum(["android", "ios", "web"]),
+  turnstileToken: import_zod.z.string().min(20).optional(),
+  appAttestation: import_zod.z.object({
+    provider: import_zod.z.enum(["android", "ios", "web"]),
+    token: import_zod.z.string().min(24)
+  }).optional(),
+  firstName: import_zod.z.string().trim().min(1).max(80).optional(),
+  lastName: import_zod.z.string().trim().min(1).max(80).optional()
+});
+var OnboardingStartResponseSchema = import_zod.z.object({
+  requestId: import_zod.z.string().min(1),
+  checkUrl: import_zod.z.string().url().optional(),
+  expiresInSec: import_zod.z.number().int().positive(),
+  fallback: import_zod.z.enum(["SILENT_AUTH", "OTP"])
+});
+var OnboardingCompleteRequestSchema = import_zod.z.object({
+  requestId: import_zod.z.string().min(1),
+  code: import_zod.z.string().min(1).max(32),
+  appInstanceId: import_zod.z.string().min(3),
+  fingerprintHash: import_zod.z.string().min(3).optional()
+});
+var OnboardingCompleteResponseSchema = import_zod.z.object({
+  sessionToken: import_zod.z.string().min(1),
+  userId: UuidSchema,
+  restricted: import_zod.z.boolean(),
+  risk_reasons: import_zod.z.array(import_zod.z.enum(["SIM_SWAP_RECENT", "ROAMING", "CARRIER_CHANGED"])),
+  stepUpRequired: import_zod.z.boolean().optional(),
+  riskStatus: import_zod.z.enum(["ok", "unavailable"]).optional()
+});
+var RegisterDeviceRequestSchema = import_zod.z.object({
+  userId: UuidSchema,
+  appInstanceId: import_zod.z.string().min(3),
+  platform: import_zod.z.string().min(2),
+  model: import_zod.z.string().optional(),
+  networkSignals: import_zod.z.object({
+    ip: import_zod.z.string().min(3),
+    asn: import_zod.z.number().int().optional(),
+    country: import_zod.z.string().min(2).optional(),
+    carrier: import_zod.z.string().optional()
+  })
+});
+var RegisterDeviceResponseSchema = import_zod.z.object({
+  deviceId: import_zod.z.string().min(1),
+  fingerprintHash: import_zod.z.string().min(1),
+  driftScore: import_zod.z.number(),
+  trustState: import_zod.z.enum(["TRUSTED_PRIMARY", "TRUSTED_SECONDARY", "UNVERIFIED"]),
+  stepUpRequired: import_zod.z.boolean()
+});
+var AuthRefreshRequestSchema = import_zod.z.object({
+  userId: UuidSchema,
+  refreshToken: import_zod.z.string().min(8),
+  appInstanceId: import_zod.z.string().min(3),
+  fingerprintHash: import_zod.z.string().min(3)
+});
+var AuthRefreshResponseSchema = import_zod.z.object({
+  refreshToken: import_zod.z.string().min(8),
+  stepUpRequired: import_zod.z.boolean()
+});
+var AuthLogoutRequestSchema = import_zod.z.object({
+  userId: UuidSchema,
+  refreshToken: import_zod.z.string().min(8)
+});
+var PinSetRequestSchema = import_zod.z.object({
+  userId: UuidSchema,
+  pin: import_zod.z.string().regex(/^\d{6}$/)
+});
+var PinVerifyRequestSchema = import_zod.z.object({
+  userId: UuidSchema,
+  pin: import_zod.z.string().regex(/^\d{6}$/)
+});
+var OkResponseSchema = import_zod.z.object({
+  ok: import_zod.z.boolean()
+});
+var RegisterSendDeviceKeyRequestSchema = import_zod.z.object({
+  userId: UuidSchema,
+  deviceId: import_zod.z.string().min(3),
+  publicKey: import_zod.z.string().min(32)
+});
+var SendChallengeRequestSchema = import_zod.z.object({
+  userId: UuidSchema,
+  deviceId: import_zod.z.string().min(3)
+});
+var SendChallengeResponseSchema = import_zod.z.object({
+  challengeId: UuidSchema,
+  nonce: import_zod.z.string().min(1),
+  expiresAt: IsoDateSchema
+});
+var SendVerifyRequestSchema = import_zod.z.object({
+  userId: UuidSchema,
+  deviceId: import_zod.z.string().min(3),
+  challengeId: UuidSchema,
+  signature: import_zod.z.string().min(16)
+});
+var SendVerifyResponseSchema = import_zod.z.object({
+  sendAuthToken: import_zod.z.string().min(16)
+});
+var ResolveRecipientRequestSchema = import_zod.z.object({
+  identifier: import_zod.z.string().min(3)
+});
+var ResolveRecipientResponseSchema = import_zod.z.object({
+  recipientUserId: UuidSchema,
+  displayName: import_zod.z.string().min(1),
+  normalizedIdentifier: import_zod.z.string().regex(E164Regex),
+  isActive: import_zod.z.boolean()
+});
+var CreateTransferRequestSchema = import_zod.z.object({
+  recipientIdentifier: import_zod.z.string().min(3),
+  amountMinor: import_zod.z.number().int().positive(),
+  currency: CurrencySchema,
+  sendAuthToken: import_zod.z.string().min(16)
+});
+var TransferStatusSchema = import_zod.z.enum(["SETTLED", "PENDING_REVIEW", "DECLINED"]);
+var TransferResponseSchema = import_zod.z.object({
+  transactionId: import_zod.z.string().min(1),
+  status: TransferStatusSchema,
+  userStatus: TransferStatusSchema,
+  recipientName: import_zod.z.string().min(1),
+  timestamp: IsoDateSchema
+});
+var DirectionSchema = import_zod.z.enum(["OUTGOING", "INCOMING"]);
+var AccountActivityItemSchema = import_zod.z.object({
+  id: import_zod.z.string().min(1),
+  type: import_zod.z.string().min(1),
+  direction: DirectionSchema,
+  name: import_zod.z.string().min(1),
+  identifier: import_zod.z.string().min(1),
+  amountMinor: import_zod.z.number().int(),
+  currency: CurrencySchema,
+  status: import_zod.z.string().min(1),
+  timestamp: IsoDateSchema
+});
+var AccountSummaryResponseSchema = import_zod.z.object({
+  balance: import_zod.z.number().int(),
+  currency: CurrencySchema,
+  dailySendLimit: import_zod.z.number().int().nonnegative(),
+  dailySendRemaining: import_zod.z.number().int().nonnegative(),
+  kycTier: import_zod.z.string().min(1),
+  kycStatus: import_zod.z.string().min(1),
+  recentActivity: import_zod.z.array(AccountActivityItemSchema)
+});
+var TransactionsListResponseSchema = import_zod.z.object({
+  items: import_zod.z.array(AccountActivityItemSchema),
+  nextCursor: import_zod.z.string().nullable()
+});
+var TransactionDetailResponseSchema = import_zod.z.object({
+  transactionId: import_zod.z.string().min(1),
+  type: import_zod.z.string().min(1),
+  direction: DirectionSchema,
+  counterpartyName: import_zod.z.string().min(1),
+  counterpartyIdentifier: import_zod.z.string().min(1),
+  amountMinor: import_zod.z.number().int(),
+  currency: CurrencySchema,
+  status: import_zod.z.string().min(1),
+  timestamp: IsoDateSchema
+});
+var PushRegisterRequestSchema = import_zod.z.object({
+  deviceId: import_zod.z.string().min(3),
+  platform: import_zod.z.enum(["ios", "android", "web"]),
+  token: import_zod.z.string().min(16)
+});
+var CreatePayLinkResponseSchema = import_zod.z.object({
+  token: import_zod.z.string().min(1)
+});
+var ResolvePayLinkResponseSchema = import_zod.z.object({
+  recipientUserId: UuidSchema,
+  displayName: import_zod.z.string().min(1),
+  normalizedIdentifier: import_zod.z.string().regex(E164Regex),
+  isActive: import_zod.z.boolean()
+});
+
+// src/errors.ts
+var backendErrorCodeSet = /* @__PURE__ */ new Set([
+  "UNAUTHORIZED",
+  "INVALID_REQUEST",
+  "RATE_LIMITED",
+  "NOT_FOUND",
+  "USER_NOT_FOUND",
+  "TOKEN_REPLAYED",
+  "SESSION_MISMATCH",
+  "PIN_INVALID",
+  "PIN_LOCKED",
+  "PIN_NOT_SET",
+  "STEP_UP_REQUIRED",
+  "DEVICE_KEY_NOT_REGISTERED",
+  "CHALLENGE_INVALID",
+  "CHALLENGE_EXPIRED",
+  "DEVICE_KEY_REVOKED",
+  "SIGNATURE_INVALID",
+  "INVALID_RECIPIENT",
+  "SEND_AUTH_INVALID",
+  "IDEMPOTENCY_KEY_CONFLICT",
+  "IDEMPOTENCY_IN_PROGRESS",
+  "CANNOT_SEND_TO_SELF",
+  "INSUFFICIENT_FUNDS"
+]);
+var FlurError = class extends Error {
+  code;
+  status;
+  details;
+  reqId;
+  constructor(message, code, opts) {
+    super(message);
+    this.name = "FlurError";
+    this.code = code;
+    this.status = opts?.status;
+    this.details = opts?.details;
+    this.reqId = opts?.reqId;
+  }
+};
+var FlurApiError = class extends Error {
+  constructor(status, code, message, raw) {
+    super(message);
+    this.status = status;
+    this.code = code;
+    this.raw = raw;
+    this.name = "FlurApiError";
+  }
+  status;
+  code;
+  raw;
+};
+var FlurExpiredError = class extends Error {
+  code = "PASS_EXPIRED";
+  constructor(message = "pass is expired") {
+    super(message);
+    this.name = "FlurExpiredError";
+  }
+};
+var FlurReplayError = class extends Error {
+  code = "PASS_REPLAY";
+  constructor(message = "redemption counter is not strictly increasing") {
+    super(message);
+    this.name = "FlurReplayError";
+  }
+};
+var FlurCapExceededError = class extends Error {
+  code = "PASS_CAP_EXCEEDED";
+  constructor(message = "redemption exceeds cumulative cap") {
+    super(message);
+    this.name = "FlurCapExceededError";
+  }
+};
+async function mapToFlurError(res) {
+  const reqId = res.headers.get("x-request-id");
+  let details = void 0;
+  let mappedCode = "HTTP_ERROR";
+  let mappedMessage = `HTTP ${res.status}`;
+  try {
+    const ct = res.headers.get("content-type") ?? "";
+    details = ct.includes("application/json") ? await res.json() : await res.text();
+    if (details && typeof details === "object") {
+      const candidateCode = details.code;
+      const candidateMessage = details.message;
+      const fallbackMessage = details.error;
+      if (typeof candidateCode === "string" && backendErrorCodeSet.has(candidateCode)) {
+        mappedCode = candidateCode;
+      }
+      if (typeof candidateMessage === "string" && candidateMessage.length > 0) {
+        mappedMessage = candidateMessage;
+      } else if (typeof fallbackMessage === "string" && fallbackMessage.length > 0) {
+        mappedMessage = fallbackMessage;
+      }
+    }
+  } catch {
+  }
+  return new FlurError(mappedMessage, mappedCode, {
+    status: res.status,
+    details,
+    reqId
+  });
+}
+
+// src/primitives.ts
+var import_zod2 = require("zod");
+var CurrencyCodeSchema = import_zod2.z.string().trim().length(3).transform((value) => value.toUpperCase());
+var currencyFractionDigits = {
+  NGN: 2,
+  USD: 2,
+  EUR: 2,
+  GBP: 2,
+  CAD: 2,
+  JPY: 0
+};
+function getFractionDigits(currency) {
+  return currencyFractionDigits[currency] ?? 2;
+}
+function parseAmountInput(value, currency) {
+  const normalizedCurrency = CurrencyCodeSchema.parse(currency);
+  const raw = value.trim();
+  if (!/^\d+(\.\d+)?$/.test(raw)) {
+    throw new FlurError("Invalid amount format", "INVALID_REQUEST");
+  }
+  const [whole, fraction = ""] = raw.split(".");
+  const fractionDigits = getFractionDigits(normalizedCurrency);
+  if (fraction.length > fractionDigits) {
+    throw new FlurError("Too many decimal places for currency", "INVALID_REQUEST");
+  }
+  const paddedFraction = fraction.padEnd(fractionDigits, "0");
+  const minorAsString = `${whole}${paddedFraction}`.replace(/^0+(\d)/, "$1") || "0";
+  const amountMinor = BigInt(minorAsString);
+  if (amountMinor < 0n) {
+    throw new FlurError("Amount cannot be negative", "INVALID_REQUEST");
+  }
+  return {
+    amountMinor,
+    currency: normalizedCurrency
+  };
+}
+function formatAmount(amountMinor, currency) {
+  const normalizedCurrency = CurrencyCodeSchema.parse(currency);
+  if (amountMinor < 0n) {
+    throw new FlurError("Amount cannot be negative", "INVALID_REQUEST");
+  }
+  const fractionDigits = getFractionDigits(normalizedCurrency);
+  if (fractionDigits === 0) {
+    return amountMinor.toString();
+  }
+  const divisor = 10n ** BigInt(fractionDigits);
+  const whole = amountMinor / divisor;
+  const fraction = (amountMinor % divisor).toString().padStart(fractionDigits, "0");
+  return `${whole.toString()}.${fraction}`;
+}
+var defaultCountryDialingCode = {
+  NG: "234",
+  US: "1",
+  CA: "1",
+  GB: "44"
+};
+function normalizeE164(input, defaultCountry) {
+  const trimmed = input.trim();
+  if (trimmed.startsWith("+")) {
+    if (!E164Regex.test(trimmed)) {
+      throw new FlurError("Invalid phone number", "INVALID_REQUEST");
+    }
+    return trimmed;
+  }
+  const digits = trimmed.replace(/\D/g, "");
+  if (digits.length === 0) {
+    throw new FlurError("Invalid phone number", "INVALID_REQUEST");
+  }
+  if (digits.startsWith("00")) {
+    const candidate2 = `+${digits.slice(2)}`;
+    if (!E164Regex.test(candidate2)) {
+      throw new FlurError("Invalid phone number", "INVALID_REQUEST");
+    }
+    return candidate2;
+  }
+  const normalizedCountry = defaultCountry?.trim().toUpperCase();
+  const countryCode = normalizedCountry ? defaultCountryDialingCode[normalizedCountry] : void 0;
+  if (!countryCode) {
+    throw new FlurError("Invalid phone number", "INVALID_REQUEST");
+  }
+  const localDigits = digits.startsWith("0") ? digits.slice(1) : digits;
+  const candidate = `+${countryCode}${localDigits}`;
+  if (!E164Regex.test(candidate)) {
+    throw new FlurError("Invalid phone number", "INVALID_REQUEST");
+  }
+  return candidate;
+}
+function moneyMinorToNumber(amountMinor) {
+  const asNumber = Number(amountMinor);
+  if (!Number.isSafeInteger(asNumber)) {
+    throw new FlurError("Amount exceeds safe integer range", "INVALID_REQUEST");
+  }
+  return asNumber;
+}
+
+// src/client.ts
+var FlurClient = class {
+  baseUrl;
+  fetchImpl;
+  timeoutMs;
+  getExtraHeaders;
+  constructor(opts) {
+    this.baseUrl = opts.baseUrl.replace(/\/$/, "");
+    this.fetchImpl = opts.fetchImpl ?? fetch;
+    this.timeoutMs = opts.timeoutMs ?? 1e4;
+    this.getExtraHeaders = opts.getExtraHeaders;
+  }
+  async health() {
+    return this.requestJson("/health", { method: "GET" }, void 0, HealthResponseSchema);
+  }
+  async welcome() {
+    return this.requestJson("/welcome", { method: "GET" }, void 0, WelcomeResponseSchema);
+  }
+  async onboardingStart(input) {
+    return this.requestJson(
+      "/v1/onboarding/start",
+      {
+        method: "POST",
+        headers: { "content-type": "application/json" }
+      },
+      OnboardingStartRequestSchema,
+      OnboardingStartResponseSchema,
+      input
+    );
+  }
+  async onboardingComplete(input) {
+    return this.requestJson(
+      "/v1/onboarding/complete",
+      {
+        method: "POST",
+        headers: { "content-type": "application/json" }
+      },
+      OnboardingCompleteRequestSchema,
+      OnboardingCompleteResponseSchema,
+      input
+    );
+  }
+  async registerDevice(input, options) {
+    return this.requestJson(
+      "/v1/devices/register",
+      {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      RegisterDeviceRequestSchema,
+      RegisterDeviceResponseSchema,
+      input
+    );
+  }
+  async authRefresh(input) {
+    return this.requestJson(
+      "/v1/auth/refresh",
+      {
+        method: "POST",
+        headers: { "content-type": "application/json" }
+      },
+      AuthRefreshRequestSchema,
+      AuthRefreshResponseSchema,
+      input
+    );
+  }
+  async authLogout(input, options) {
+    return this.requestJson(
+      "/v1/auth/logout",
+      {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      AuthLogoutRequestSchema,
+      OkResponseSchema,
+      input
+    );
+  }
+  async pinSet(input, options) {
+    return this.requestJson(
+      "/v1/auth/pin/set",
+      {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      PinSetRequestSchema,
+      OkResponseSchema,
+      input
+    );
+  }
+  async pinVerify(input, options) {
+    return this.requestJson(
+      "/v1/auth/pin/verify",
+      {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      PinVerifyRequestSchema,
+      OkResponseSchema,
+      input
+    );
+  }
+  async registerSendDeviceKey(input, options) {
+    return this.requestJson(
+      "/api/v1/auth/send/device-key",
+      {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      RegisterSendDeviceKeyRequestSchema,
+      OkResponseSchema,
+      input
+    );
+  }
+  async createSendChallenge(input, options) {
+    return this.requestJson(
+      "/api/v1/auth/send/challenge",
+      {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      SendChallengeRequestSchema,
+      SendChallengeResponseSchema,
+      input
+    );
+  }
+  async verifySendChallenge(input, options) {
+    return this.requestJson(
+      "/api/v1/auth/send/verify",
+      {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      SendVerifyRequestSchema,
+      SendVerifyResponseSchema,
+      input
+    );
+  }
+  async registerBiometricDeviceKey(input) {
+    const publicKey = await input.signer.getOrCreateKeyPair(input.deviceId);
+    return this.registerSendDeviceKey({
+      userId: input.userId,
+      deviceId: input.deviceId,
+      publicKey
+    }, { accessToken: input.accessToken });
+  }
+  async authorizeSendWithBiometric(input) {
+    const challenge = await this.createSendChallenge({
+      userId: input.userId,
+      deviceId: input.deviceId
+    }, { accessToken: input.accessToken });
+    const signature = await input.signer.sign(challenge.nonce);
+    return this.verifySendChallenge({
+      userId: input.userId,
+      deviceId: input.deviceId,
+      challengeId: challenge.challengeId,
+      signature
+    }, { accessToken: input.accessToken });
+  }
+  async resolveRecipient(input, options) {
+    return this.requestJson(
+      "/api/v1/recipients/resolve",
+      {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      ResolveRecipientRequestSchema,
+      ResolveRecipientResponseSchema,
+      input
+    );
+  }
+  async createTransfer(input, options) {
+    return this.requestJson(
+      "/api/v1/transfers",
+      {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${options.accessToken}`,
+          "x-device-id": options.deviceId,
+          "x-idempotency-key": options.idempotencyKey
+        }
+      },
+      CreateTransferRequestSchema,
+      TransferResponseSchema,
+      input
+    );
+  }
+  async sendMoney(input, options) {
+    const normalizedRecipient = E164Regex.test(input.recipientIdentifier) ? input.recipientIdentifier : normalizeE164(input.recipientIdentifier, input.defaultCountry);
+    const idempotencyKey = input.idempotencyKey ?? getSecureRandomUuid();
+    return this.createTransfer(
+      {
+        recipientIdentifier: normalizedRecipient,
+        amountMinor: moneyMinorToNumber(input.money.amountMinor),
+        currency: input.money.currency,
+        sendAuthToken: input.sendAuthToken
+      },
+      {
+        accessToken: options.accessToken,
+        deviceId: options.deviceId,
+        idempotencyKey
+      }
+    );
+  }
+  async accountSummary(options) {
+    return this.requestJson(
+      "/api/v1/account/summary",
+      {
+        method: "GET",
+        headers: {
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      void 0,
+      AccountSummaryResponseSchema
+    );
+  }
+  async listTransactions(options) {
+    const query = new URLSearchParams();
+    if (typeof options.cursor === "string" && options.cursor.trim().length > 0) {
+      query.set("cursor", options.cursor);
+    }
+    if (typeof options.limit === "number") {
+      query.set("limit", String(options.limit));
+    }
+    const path = query.size > 0 ? `/api/v1/transactions?${query.toString()}` : "/api/v1/transactions";
+    return this.requestJson(
+      path,
+      {
+        method: "GET",
+        headers: {
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      void 0,
+      TransactionsListResponseSchema
+    );
+  }
+  async transactionDetail(transactionId, options) {
+    const encodedId = encodeURIComponent(transactionId);
+    return this.requestJson(
+      `/api/v1/transactions/${encodedId}`,
+      {
+        method: "GET",
+        headers: {
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      void 0,
+      TransactionDetailResponseSchema
+    );
+  }
+  async registerPushToken(input, options) {
+    return this.requestJson(
+      "/api/v1/push/register",
+      {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      PushRegisterRequestSchema,
+      OkResponseSchema,
+      input
+    );
+  }
+  async createPayLink(options) {
+    return this.requestJson(
+      "/api/v1/pay-links",
+      {
+        method: "POST",
+        headers: {
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      void 0,
+      CreatePayLinkResponseSchema
+    );
+  }
+  async resolvePayLink(token, options) {
+    const encodedToken = encodeURIComponent(token);
+    return this.requestJson(
+      `/api/v1/pay-links/${encodedToken}`,
+      {
+        method: "GET",
+        headers: {
+          authorization: `Bearer ${options.accessToken}`
+        }
+      },
+      void 0,
+      ResolvePayLinkResponseSchema
+    );
+  }
+  async requestJson(path, init2, requestSchema, responseSchema, input) {
+    const url = `${this.baseUrl}${path}`;
+    const controller = new AbortController();
+    const t = setTimeout(() => controller.abort(), this.timeoutMs);
+    let body = init2.body;
+    try {
+      body = requestSchema ? JSON.stringify(requestSchema.parse(input)) : init2.body;
+    } catch (err) {
+      if (err instanceof import_zod3.z.ZodError) {
+        throw new FlurError("Invalid request payload", "INVALID_REQUEST", {
+          details: err.flatten()
+        });
+      }
+      throw err;
+    }
+    try {
+      let extraHeaders = {};
+      if (this.getExtraHeaders) {
+        extraHeaders = await this.getExtraHeaders();
+      }
+      const finalHeaders = {
+        ...init2.headers,
+        ...extraHeaders
+      };
+      const res = await this.fetchImpl(url, { ...init2, headers: finalHeaders, body, signal: controller.signal });
+      if (!res.ok) throw await mapToFlurError(res);
+      const payload = await res.json();
+      if (!responseSchema) return payload;
+      try {
+        return responseSchema.parse(payload);
+      } catch (err) {
+        if (err instanceof import_zod3.z.ZodError) {
+          throw new FlurError("SDK contract validation failed", "INVALID_REQUEST", {
+            details: err.flatten()
+          });
+        }
+        throw err;
+      }
+    } catch (err) {
+      if (err instanceof Error && err.name === "AbortError") {
+        throw new FlurError("Request timed out", "TIMEOUT");
+      }
+      if (err instanceof FlurError) throw err;
+      throw new FlurError("Network error", "NETWORK_ERROR", { details: String(err) });
+    } finally {
+      clearTimeout(t);
+    }
+  }
+};
+function getSecureRandomUuid() {
+  if (typeof globalThis.crypto?.randomUUID === "function") {
+    return globalThis.crypto.randomUUID();
+  }
+  throw new FlurError("Secure UUID generator unavailable; provide idempotencyKey", "INVALID_REQUEST");
+}
+
+// src/nqr/fields.ts
+var FIELD = {
+  PAYLOAD_FORMAT_INDICATOR: "00",
+  POINT_OF_INITIATION: "01",
+  // 02..51 — Merchant Account Information templates (issuer-specific)
+  MERCHANT_CATEGORY_CODE: "52",
+  TRANSACTION_CURRENCY: "53",
+  TRANSACTION_AMOUNT: "54",
+  TIP_OR_CONVENIENCE_INDICATOR: "55",
+  VALUE_CONVENIENCE_FEE_FIXED: "56",
+  VALUE_CONVENIENCE_FEE_PERCENT: "57",
+  COUNTRY_CODE: "58",
+  MERCHANT_NAME: "59",
+  MERCHANT_CITY: "60",
+  POSTAL_CODE: "61",
+  ADDITIONAL_DATA_FIELD: "62",
+  CRC: "63",
+  MERCHANT_INFO_LANGUAGE: "64"
+  // 80..99 — Unreserved Templates
+};
+var ADDITIONAL_DATA_SUBFIELD = {
+  BILL_NUMBER: "01",
+  MOBILE_NUMBER: "02",
+  STORE_LABEL: "03",
+  LOYALTY_NUMBER: "04",
+  REFERENCE_LABEL: "05",
+  CUSTOMER_LABEL: "06",
+  TERMINAL_LABEL: "07",
+  PURPOSE_OF_TRANSACTION: "08"
+};
+var POINT_OF_INITIATION = {
+  STATIC: "11",
+  DYNAMIC: "12"
+};
+var PAYLOAD_FORMAT_INDICATOR_VALUE = "01";
+var NGN_CURRENCY_CODE = "566";
+var NG_COUNTRY_CODE = "NG";
+var CRC_TAG_PREFIX = "6304";
+
+// src/nqr/crc16.ts
+function crc16ccitt(bytes) {
+  let crc = 65535;
+  for (let i = 0; i < bytes.length; i++) {
+    crc ^= bytes[i] << 8;
+    for (let j = 0; j < 8; j++) {
+      if (crc & 32768) {
+        crc = crc << 1 ^ 4129;
+      } else {
+        crc <<= 1;
+      }
+      crc &= 65535;
+    }
+  }
+  return crc;
+}
+function crc16ccittHex(bytes) {
+  return crc16ccitt(bytes).toString(16).toUpperCase().padStart(4, "0");
+}
+
+// src/nqr/tlv.ts
+function writeTLV(tag, value) {
+  if (!/^\d{2}$/.test(tag)) {
+    throw new Error(`TLV: tag must be 2 digits, got "${tag}"`);
+  }
+  if (value.length > 99) {
+    throw new Error(
+      `TLV: value for tag ${tag} exceeds 99 chars (${value.length})`
+    );
+  }
+  const len = value.length.toString().padStart(2, "0");
+  return `${tag}${len}${value}`;
+}
+function readTLV(buf) {
+  const out = [];
+  let i = 0;
+  while (i < buf.length) {
+    if (i + 4 > buf.length) {
+      throw new Error(`TLV: truncated header at offset ${i}`);
+    }
+    const tag = buf.slice(i, i + 2);
+    const lenStr = buf.slice(i + 2, i + 4);
+    if (!/^\d{2}$/.test(tag)) {
+      throw new Error(`TLV: bad tag "${tag}" at offset ${i}`);
+    }
+    if (!/^\d{2}$/.test(lenStr)) {
+      throw new Error(`TLV: bad length "${lenStr}" at offset ${i + 2}`);
+    }
+    const len = parseInt(lenStr, 10);
+    const valStart = i + 4;
+    const valEnd = valStart + len;
+    if (valEnd > buf.length) {
+      throw new Error(
+        `TLV: truncated value for tag ${tag} at offset ${valStart}`
+      );
+    }
+    out.push({ tag, value: buf.slice(valStart, valEnd) });
+    i = valEnd;
+  }
+  return out;
+}
+
+// src/nqr/encoder.ts
+var ASCII_PRINTABLE = /^[\x20-\x7E]*$/;
+function buildMAIValue(mai) {
+  if (!/^(0[2-9]|[1-4]\d|5[0-1])$/.test(mai.tag)) {
+    throw new Error(
+      `encodeNQR: merchantAccountInfo.tag must be in 02..51, got "${mai.tag}"`
+    );
+  }
+  let out = "";
+  for (const c of mai.children) {
+    out += writeTLV(c.tag, c.value);
+  }
+  return out;
+}
+function buildAdditionalDataValue(ad) {
+  let out = "";
+  const map = [
+    ["billNumber", ADDITIONAL_DATA_SUBFIELD.BILL_NUMBER],
+    ["mobileNumber", ADDITIONAL_DATA_SUBFIELD.MOBILE_NUMBER],
+    ["storeLabel", ADDITIONAL_DATA_SUBFIELD.STORE_LABEL],
+    ["loyaltyNumber", ADDITIONAL_DATA_SUBFIELD.LOYALTY_NUMBER],
+    ["referenceLabel", ADDITIONAL_DATA_SUBFIELD.REFERENCE_LABEL],
+    ["customerLabel", ADDITIONAL_DATA_SUBFIELD.CUSTOMER_LABEL],
+    ["terminalLabel", ADDITIONAL_DATA_SUBFIELD.TERMINAL_LABEL],
+    ["purposeOfTransaction", ADDITIONAL_DATA_SUBFIELD.PURPOSE_OF_TRANSACTION]
+  ];
+  for (const [k, t] of map) {
+    const v = ad[k];
+    if (v !== void 0) {
+      out += writeTLV(t, v);
+    }
+  }
+  return out;
+}
+function assertAscii(name, v) {
+  if (!ASCII_PRINTABLE.test(v)) {
+    throw new Error(
+      `encodeNQR: ${name} contains non-printable-ASCII characters`
+    );
+  }
+}
+function assertMaxLen(name, v, max) {
+  if (v.length > max) {
+    throw new Error(`encodeNQR: ${name} length ${v.length} exceeds max ${max}`);
+  }
+}
+function assertMCC(mcc) {
+  if (!/^\d{4}$/.test(mcc)) {
+    throw new Error(
+      `encodeNQR: merchantCategoryCode must be 4 digits, got "${mcc}"`
+    );
+  }
+}
+function assertAmount(amt) {
+  if (!/^\d{1,10}(\.\d{1,2})?$/.test(amt)) {
+    throw new Error(
+      `encodeNQR: transactionAmount must match /^\\d{1,10}(\\.\\d{1,2})?$/, got "${amt}"`
+    );
+  }
+  if (amt.length > 13) {
+    throw new Error(
+      `encodeNQR: transactionAmount length ${amt.length} exceeds 13`
+    );
+  }
+}
+function encodeNQR(input) {
+  assertMCC(input.merchantCategoryCode);
+  assertAscii("merchantName", input.merchantName);
+  assertMaxLen("merchantName", input.merchantName, 25);
+  assertAscii("merchantCity", input.merchantCity);
+  assertMaxLen("merchantCity", input.merchantCity, 15);
+  if (input.postalCode !== void 0) {
+    assertAscii("postalCode", input.postalCode);
+    assertMaxLen("postalCode", input.postalCode, 10);
+  }
+  if (input.transactionAmount !== void 0) {
+    assertAmount(input.transactionAmount);
+  }
+  if (input.pointOfInitiation === "dynamic" && input.transactionAmount === void 0) {
+  }
+  let out = "";
+  out += writeTLV(
+    FIELD.PAYLOAD_FORMAT_INDICATOR,
+    PAYLOAD_FORMAT_INDICATOR_VALUE
+  );
+  out += writeTLV(
+    FIELD.POINT_OF_INITIATION,
+    input.pointOfInitiation === "dynamic" ? POINT_OF_INITIATION.DYNAMIC : POINT_OF_INITIATION.STATIC
+  );
+  out += writeTLV(
+    input.merchantAccountInfo.tag,
+    buildMAIValue(input.merchantAccountInfo)
+  );
+  out += writeTLV(FIELD.MERCHANT_CATEGORY_CODE, input.merchantCategoryCode);
+  out += writeTLV(FIELD.TRANSACTION_CURRENCY, NGN_CURRENCY_CODE);
+  if (input.transactionAmount !== void 0) {
+    out += writeTLV(FIELD.TRANSACTION_AMOUNT, input.transactionAmount);
+  }
+  out += writeTLV(FIELD.COUNTRY_CODE, NG_COUNTRY_CODE);
+  out += writeTLV(FIELD.MERCHANT_NAME, input.merchantName);
+  out += writeTLV(FIELD.MERCHANT_CITY, input.merchantCity);
+  if (input.postalCode !== void 0) {
+    out += writeTLV(FIELD.POSTAL_CODE, input.postalCode);
+  }
+  if (input.additionalData) {
+    const adfValue = buildAdditionalDataValue(input.additionalData);
+    if (adfValue.length > 0) {
+      out += writeTLV(FIELD.ADDITIONAL_DATA_FIELD, adfValue);
+    }
+  }
+  out += CRC_TAG_PREFIX;
+  const crc = crc16ccittHex(new TextEncoder().encode(out));
+  out += crc;
+  return out;
+}
+
+// src/nqr/parser.ts
+var NQRParseError = class extends Error {
+  path;
+  constructor(message, path = "") {
+    super(message);
+    this.name = "NQRParseError";
+    this.path = path;
+  }
+};
+function parseNQR(payload) {
+  if (payload.length < 8) {
+    throw new NQRParseError(`payload too short (${payload.length} chars)`);
+  }
+  const crcTagAndLen = payload.slice(-8, -4);
+  const crcValue = payload.slice(-4);
+  if (crcTagAndLen !== CRC_TAG_PREFIX) {
+    throw new NQRParseError(
+      `CRC tag prefix not found (expected "6304" at end)`
+    );
+  }
+  const beforeCrc = payload.slice(0, -4);
+  const expectedCrc = crc16ccittHex(new TextEncoder().encode(beforeCrc));
+  if (expectedCrc !== crcValue.toUpperCase()) {
+    throw new NQRParseError(
+      `CRC mismatch: payload says ${crcValue}, computed ${expectedCrc}`,
+      "63"
+    );
+  }
+  const topBuf = payload.slice(0, -8);
+  const top = readTLV(topBuf);
+  const get = (tag) => top.find((f) => f.tag === tag)?.value;
+  const pfi = get(FIELD.PAYLOAD_FORMAT_INDICATOR);
+  if (pfi !== "01")
+    throw new NQRParseError(
+      `payloadFormatIndicator must be "01", got "${pfi}"`,
+      "00"
+    );
+  const poiRaw = get(FIELD.POINT_OF_INITIATION);
+  const pointOfInitiation = poiRaw === "11" ? "static" : poiRaw === "12" ? "dynamic" : "unknown";
+  const currency = get(FIELD.TRANSACTION_CURRENCY);
+  if (currency !== NGN_CURRENCY_CODE) {
+    throw new NQRParseError(
+      `unsupported currency "${currency}" (expected ${NGN_CURRENCY_CODE})`,
+      "53"
+    );
+  }
+  const country = get(FIELD.COUNTRY_CODE);
+  if (country !== NG_COUNTRY_CODE) {
+    throw new NQRParseError(
+      `unsupported country "${country}" (expected ${NG_COUNTRY_CODE})`,
+      "58"
+    );
+  }
+  const mcc = get(FIELD.MERCHANT_CATEGORY_CODE);
+  if (!mcc) throw new NQRParseError("merchantCategoryCode missing", "52");
+  const merchantName = get(FIELD.MERCHANT_NAME) ?? "";
+  const merchantCity = get(FIELD.MERCHANT_CITY) ?? "";
+  const transactionAmount = get(FIELD.TRANSACTION_AMOUNT);
+  const postalCode = get(FIELD.POSTAL_CODE);
+  const mais = [];
+  for (const f of top) {
+    const n = parseInt(f.tag, 10);
+    if (n >= 2 && n <= 51) {
+      const children = readTLV(f.value).map((c) => ({
+        tag: c.tag,
+        value: c.value
+      }));
+      mais.push({ tag: f.tag, children });
+    }
+  }
+  let additionalData;
+  const adfRaw = get(FIELD.ADDITIONAL_DATA_FIELD);
+  if (adfRaw !== void 0) {
+    additionalData = {};
+    for (const c of readTLV(adfRaw)) {
+      switch (c.tag) {
+        case "01":
+          additionalData.billNumber = c.value;
+          break;
+        case "02":
+          additionalData.mobileNumber = c.value;
+          break;
+        case "03":
+          additionalData.storeLabel = c.value;
+          break;
+        case "04":
+          additionalData.loyaltyNumber = c.value;
+          break;
+        case "05":
+          additionalData.referenceLabel = c.value;
+          break;
+        case "06":
+          additionalData.customerLabel = c.value;
+          break;
+        case "07":
+          additionalData.terminalLabel = c.value;
+          break;
+        case "08":
+          additionalData.purposeOfTransaction = c.value;
+          break;
+      }
+    }
+  }
+  return {
+    payloadFormatIndicator: pfi,
+    pointOfInitiation,
+    merchantAccountInfo: mais,
+    merchantCategoryCode: mcc,
+    transactionCurrency: currency,
+    transactionAmount,
+    countryCode: country,
+    merchantName,
+    merchantCity,
+    postalCode,
+    additionalData,
+    flurReference: additionalData?.referenceLabel?.startsWith("FL-") ? additionalData.referenceLabel : void 0,
+    raw: payload
+  };
+}
+
+// src/nqr/routing.ts
+function routingHint(parsed) {
+  if (parsed.flurReference && parsed.flurReference.startsWith("FL-")) {
+    return "flur-onus";
+  }
+  if (parsed.merchantAccountInfo.length > 0) return "nibss";
+  return "unknown";
+}
+
+// src/crypto/canonical.ts
+function canonicalJSONStringify(value) {
+  return stringify(value);
+}
+function canonicalJSONBytes(value) {
+  return new TextEncoder().encode(canonicalJSONStringify(value));
+}
+function stringify(v) {
+  if (v === null) return "null";
+  const t = typeof v;
+  if (t === "string") return JSON.stringify(v);
+  if (t === "boolean") return v ? "true" : "false";
+  if (t === "number") {
+    if (!Number.isFinite(v)) {
+      throw new Error("canonicalJSON: non-finite number not allowed");
+    }
+    return JSON.stringify(v);
+  }
+  if (t === "bigint" || t === "function" || t === "symbol" || t === "undefined") {
+    throw new Error(`canonicalJSON: unsupported value type ${t}`);
+  }
+  if (Array.isArray(v)) {
+    const parts = [];
+    for (const item of v) parts.push(stringify(item));
+    return "[" + parts.join(",") + "]";
+  }
+  if (t === "object") {
+    const obj = v;
+    const keys = Object.keys(obj).sort();
+    const parts = [];
+    for (const k of keys) {
+      const val = obj[k];
+      if (val === void 0) {
+        throw new Error(`canonicalJSON: undefined value at key "${k}"`);
+      }
+      parts.push(JSON.stringify(k) + ":" + stringify(val));
+    }
+    return "{" + parts.join(",") + "}";
+  }
+  throw new Error(`canonicalJSON: unsupported value type ${t}`);
+}
+
+// src/crypto/ct.ts
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+
+// src/crypto/ed25519.ts
+var import_ed25519 = require("@noble/curves/ed25519");
+function generateKeyPair() {
+  const privateKey = import_ed25519.ed25519.utils.randomPrivateKey();
+  const publicKey = import_ed25519.ed25519.getPublicKey(privateKey);
+  return { privateKey, publicKey };
+}
+function publicKeyFromPrivate(privateKey) {
+  return import_ed25519.ed25519.getPublicKey(privateKey);
+}
+function sign(message, privateKey) {
+  return import_ed25519.ed25519.sign(message, privateKey);
+}
+function verify(message, signature, publicKey) {
+  try {
+    return import_ed25519.ed25519.verify(signature, message, publicKey);
+  } catch {
+    return false;
+  }
+}
+function signCanonical(value, privateKey) {
+  return sign(canonicalJSONBytes(value), privateKey);
+}
+function verifyCanonical(value, signature, publicKey) {
+  return verify(canonicalJSONBytes(value), signature, publicKey);
+}
+
+// src/offline/oac.ts
+var import_zod4 = require("zod");
+var OAC_DEFAULT_PER_TX_KOBO = 5e5;
+var OAC_DEFAULT_CUMULATIVE_KOBO = 2e6;
+var OAC_DEFAULT_VALIDITY_MS = 24 * 60 * 60 * 1e3;
+var HexString = (length) => import_zod4.z.string().regex(
+  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
+  `expected ${length}-byte hex string`
+);
+var OACSchema = import_zod4.z.object({
+  userId: import_zod4.z.string().min(1),
+  deviceId: import_zod4.z.string().min(1),
+  devicePublicKey: HexString(32),
+  perTxCapKobo: import_zod4.z.number().int().nonnegative(),
+  cumulativeCapKobo: import_zod4.z.number().int().nonnegative(),
+  validFromMs: import_zod4.z.number().int().nonnegative(),
+  validUntilMs: import_zod4.z.number().int().positive(),
+  counterSeed: import_zod4.z.number().int().nonnegative(),
+  nonce: import_zod4.z.string().min(1),
+  issuerSig: HexString(64)
+}).refine((v) => v.validUntilMs > v.validFromMs, {
+  message: "validUntilMs must be greater than validFromMs"
+}).refine((v) => v.perTxCapKobo <= v.cumulativeCapKobo, {
+  message: "perTxCapKobo must not exceed cumulativeCapKobo"
+});
+function buildOAC(input) {
+  const devicePublicKey = typeof input.devicePublicKey === "string" ? input.devicePublicKey : bytesToHex(input.devicePublicKey);
+  return {
+    userId: input.userId,
+    deviceId: input.deviceId,
+    devicePublicKey,
+    perTxCapKobo: input.perTxCapKobo ?? OAC_DEFAULT_PER_TX_KOBO,
+    cumulativeCapKobo: input.cumulativeCapKobo ?? OAC_DEFAULT_CUMULATIVE_KOBO,
+    validFromMs: input.validFromMs,
+    validUntilMs: input.validUntilMs,
+    counterSeed: input.counterSeed ?? 0,
+    nonce: input.nonce
+  };
+}
+function signOAC(unsigned, issuerPrivateKey) {
+  const issuerSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  );
+  return { ...unsigned, issuerSig };
+}
+function verifyOAC(oac, issuerPublicKey) {
+  try {
+    const parsed = OACSchema.parse(oac);
+    const { issuerSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(issuerSig),
+      issuerPublicKey
+    );
+  } catch {
+    return false;
+  }
+}
+function bytesToHex(b) {
+  let s = "";
+  for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
+  return s;
+}
+function hexToBytes(s) {
+  if (s.length % 2 !== 0) throw new Error("hex: odd length");
+  const out = new Uint8Array(s.length / 2);
+  for (let i = 0; i < out.length; i++)
+    out[i] = parseInt(s.slice(i * 2, i * 2 + 2), 16);
+  return out;
+}
+
+// src/offline/codec.ts
+var ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:";
+var REVERSE = {};
+for (let i = 0; i < ALPHABET.length; i++) REVERSE[ALPHABET[i]] = i;
+function encodeBase45(bytes) {
+  let out = "";
+  let i = 0;
+  for (; i + 1 < bytes.length; i += 2) {
+    const x = bytes[i] << 8 | bytes[i + 1];
+    const e = Math.floor(x / (45 * 45));
+    const d = Math.floor(x % (45 * 45) / 45);
+    const c = x % 45;
+    out += ALPHABET[c] + ALPHABET[d] + ALPHABET[e];
+  }
+  if (i < bytes.length) {
+    const x = bytes[i];
+    const d = Math.floor(x / 45);
+    const c = x % 45;
+    out += ALPHABET[c] + ALPHABET[d];
+  }
+  return out;
+}
+function decodeBase45(s) {
+  if (s.length === 0) return new Uint8Array(0);
+  const fullChunks = Math.floor(s.length / 3);
+  const tail = s.length - fullChunks * 3;
+  if (tail === 1) throw new Error("base45: invalid length");
+  const out = new Uint8Array(fullChunks * 2 + (tail === 2 ? 1 : 0));
+  let oi = 0;
+  for (let i = 0; i < fullChunks; i++) {
+    const c = REVERSE[s[i * 3]];
+    const d = REVERSE[s[i * 3 + 1]];
+    const e = REVERSE[s[i * 3 + 2]];
+    if (c === void 0 || d === void 0 || e === void 0) {
+      throw new Error("base45: invalid character");
+    }
+    const x = c + 45 * d + 45 * 45 * e;
+    if (x > 65535) throw new Error("base45: chunk overflow");
+    out[oi++] = x >> 8 & 255;
+    out[oi++] = x & 255;
+  }
+  if (tail === 2) {
+    const c = REVERSE[s[fullChunks * 3]];
+    const d = REVERSE[s[fullChunks * 3 + 1]];
+    if (c === void 0 || d === void 0)
+      throw new Error("base45: invalid character");
+    const x = c + 45 * d;
+    if (x > 255) throw new Error("base45: tail overflow");
+    out[oi++] = x & 255;
+  }
+  return out;
+}
+
+// src/offline/messages.ts
+var import_zod5 = require("zod");
+var HexSig = import_zod5.z.string().regex(/^[0-9a-fA-F]{128}$/, "expected 64-byte hex signature");
+var OfflinePaymentRequestSchema = import_zod5.z.object({
+  reference: import_zod5.z.string().min(1),
+  amountKobo: import_zod5.z.number().int().positive(),
+  merchantOAC: OACSchema,
+  expiresAtMs: import_zod5.z.number().int().positive(),
+  merchantSig: HexSig
+});
+var OfflinePaymentAuthorizationSchema = import_zod5.z.object({
+  request: OfflinePaymentRequestSchema,
+  payerOAC: OACSchema,
+  payerCounter: import_zod5.z.number().int().positive(),
+  payerSig: HexSig
+});
+function buildPaymentRequest(input) {
+  if (!Number.isInteger(input.amountKobo) || input.amountKobo <= 0) {
+    throw new Error("amountKobo must be a positive integer");
+  }
+  if (input.amountKobo > input.merchantOAC.perTxCapKobo) {
+    throw new Error("amountKobo exceeds merchant OAC perTxCapKobo");
+  }
+  return {
+    reference: input.reference,
+    amountKobo: input.amountKobo,
+    merchantOAC: input.merchantOAC,
+    expiresAtMs: input.expiresAtMs
+  };
+}
+function signPaymentRequest(unsigned, merchantDevicePrivateKey) {
+  const merchantSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), merchantDevicePrivateKey)
+  );
+  return { ...unsigned, merchantSig };
+}
+function verifyPaymentRequest(req, issuerPublicKey) {
+  try {
+    const parsed = OfflinePaymentRequestSchema.parse(req);
+    const { issuerSig: merchantOacSig, ...merchantOacUnsigned } = parsed.merchantOAC;
+    if (!verify(
+      canonicalJSONBytes(merchantOacUnsigned),
+      hexToBytes(merchantOacSig),
+      issuerPublicKey
+    )) {
+      return false;
+    }
+    const { merchantSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(merchantSig),
+      hexToBytes(parsed.merchantOAC.devicePublicKey)
+    );
+  } catch {
+    return false;
+  }
+}
+function buildAuthorization(input) {
+  if (!Number.isInteger(input.payerCounter) || input.payerCounter <= 0) {
+    throw new Error("payerCounter must be a positive integer");
+  }
+  if (input.request.amountKobo > input.payerOAC.perTxCapKobo) {
+    throw new Error("amountKobo exceeds payer OAC perTxCapKobo");
+  }
+  return {
+    request: input.request,
+    payerOAC: input.payerOAC,
+    payerCounter: input.payerCounter
+  };
+}
+function signAuthorization(unsigned, payerDevicePrivateKey) {
+  const payerSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), payerDevicePrivateKey)
+  );
+  return { ...unsigned, payerSig };
+}
+function verifyAuthorization(auth, issuerPublicKey) {
+  try {
+    const parsed = OfflinePaymentAuthorizationSchema.parse(auth);
+    if (!verifyPaymentRequest(parsed.request, issuerPublicKey)) return false;
+    const { issuerSig: payerOacSig, ...payerOacUnsigned } = parsed.payerOAC;
+    if (!verify(
+      canonicalJSONBytes(payerOacUnsigned),
+      hexToBytes(payerOacSig),
+      issuerPublicKey
+    )) {
+      return false;
+    }
+    const { payerSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(payerSig),
+      hexToBytes(parsed.payerOAC.devicePublicKey)
+    );
+  } catch {
+    return false;
+  }
+}
+function encodePaymentRequestQR(req) {
+  const json = JSON.stringify(req);
+  return "FLUR1:" + encodeBase45(new TextEncoder().encode(json));
+}
+function decodePaymentRequestQR(s) {
+  if (!s.startsWith("FLUR1:"))
+    throw new Error("not a Flur offline payment request QR");
+  const bytes = decodeBase45(s.slice("FLUR1:".length));
+  const json = new TextDecoder().decode(bytes);
+  return OfflinePaymentRequestSchema.parse(JSON.parse(json));
+}
+function encodeAuthorizationQR(auth) {
+  const json = JSON.stringify(auth);
+  return "FLUR2:" + encodeBase45(new TextEncoder().encode(json));
+}
+function decodeAuthorizationQR(s) {
+  if (!s.startsWith("FLUR2:"))
+    throw new Error("not a Flur offline authorization QR");
+  const bytes = decodeBase45(s.slice("FLUR2:".length));
+  const json = new TextDecoder().decode(bytes);
+  return OfflinePaymentAuthorizationSchema.parse(JSON.parse(json));
+}
+
+// src/auth/hmac.ts
+var import_hmac = require("@noble/hashes/hmac");
+var import_sha256 = require("@noble/hashes/sha256");
+function bytesToHex2(b) {
+  let s = "";
+  for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
+  return s;
+}
+function constantTimeStringEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return diff === 0;
+}
+function bodySha256Hex(body) {
+  return bytesToHex2((0, import_sha256.sha256)(new TextEncoder().encode(body)));
+}
+function canonicalRequestString(input) {
+  return [
+    input.method.toUpperCase(),
+    input.path,
+    input.timestamp,
+    input.nonce,
+    bodySha256Hex(input.body)
+  ].join("\n");
+}
+function signRequestHMAC(input) {
+  return bytesToHex2(
+    (0, import_hmac.hmac)(import_sha256.sha256, input.apiSecret, canonicalRequestString(input))
+  );
+}
+function verifyRequestHMAC(input) {
+  const expected = signRequestHMAC(input);
+  return constantTimeStringEqual(expected, input.signature.toLowerCase());
+}
+
+// src/auth/middleware.ts
+var REPLAY_WINDOW_MS = 5 * 60 * 1e3;
+var SERVER_TIME_HEADER = "x-flur-server-time";
+function defaultNonce() {
+  const c = globalThis.crypto;
+  if (typeof c?.randomUUID === "function") return c.randomUUID();
+  if (typeof c?.getRandomValues !== "function") {
+    throw new Error(
+      "Flur SDK: no CSPRNG available (globalThis.crypto.getRandomValues missing). Refusing to fall back to Math.random for HMAC nonce generation."
+    );
+  }
+  const arr = new Uint8Array(16);
+  c.getRandomValues(arr);
+  let s = "";
+  for (let i = 0; i < arr.length; i++)
+    s += arr[i].toString(16).padStart(2, "0");
+  return s;
+}
+function assertCSPRNG() {
+  const c = globalThis.crypto;
+  if (typeof c?.getRandomValues !== "function" && typeof c?.randomUUID !== "function") {
+    throw new Error(
+      "Flur SDK: no CSPRNG available (globalThis.crypto missing). Initialize on a runtime that provides Web Crypto (Node 19+, modern browsers, RN 0.74+)."
+    );
+  }
+}
+function parseServerTimeMs(value) {
+  if (!value) return null;
+  const trimmed = value.trim();
+  if (/^\d+$/.test(trimmed)) {
+    const n = Number(trimmed);
+    return n < 1e12 ? n * 1e3 : n;
+  }
+  const t = Date.parse(trimmed);
+  return Number.isFinite(t) ? t : null;
+}
+function createHmacFetch(opts) {
+  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+  if (!fetchImpl)
+    throw new Error("createHmacFetch: no fetch implementation available");
+  if (!opts.nonceFn) assertCSPRNG();
+  const nowMs = opts.nowMs ?? (() => Date.now());
+  const nonceFn = opts.nonceFn ?? defaultNonce;
+  const scopeHeader = opts.scope && opts.scope.length > 0 ? opts.scope.join(",") : void 0;
+  async function signAndSend(req, skewOffsetMs) {
+    const cloned = req.clone();
+    const url = new URL(cloned.url);
+    const path = url.pathname + url.search;
+    const method = cloned.method.toUpperCase();
+    const bodyText = method === "GET" || method === "HEAD" ? "" : await cloned.clone().text();
+    const timestamp = Math.floor((nowMs() + skewOffsetMs) / 1e3).toString();
+    const nonce = nonceFn();
+    const signature = signRequestHMAC({
+      method,
+      path,
+      timestamp,
+      nonce,
+      body: bodyText,
+      apiSecret: opts.apiSecret
+    });
+    const headers = new Headers(cloned.headers);
+    headers.set("x-flur-key", opts.apiKey);
+    headers.set("x-flur-timestamp", timestamp);
+    headers.set("x-flur-nonce", nonce);
+    headers.set("x-flur-signature", signature);
+    if (scopeHeader) headers.set("x-flur-scope", scopeHeader);
+    const signed = new Request(cloned, { headers });
+    return fetchImpl(signed);
+  }
+  return (async (input, init2) => {
+    const req = input instanceof Request ? input : new Request(input, init2);
+    let resp = await signAndSend(req, 0);
+    if (resp.status === 401) {
+      const serverTimeMs = parseServerTimeMs(
+        resp.headers.get(SERVER_TIME_HEADER)
+      );
+      if (serverTimeMs !== null) {
+        const skew = serverTimeMs - nowMs();
+        if (Math.abs(skew) > 0) {
+          resp = await signAndSend(req, skew);
+        }
+      }
+    }
+    return resp;
+  });
+}
+
+// src/passes/pass.ts
+var import_zod6 = require("zod");
+var PASS_KINDS = [
+  "ride-ticket",
+  "transit-pass",
+  "event-ticket",
+  "voucher",
+  "loyalty",
+  "receipt-link"
+];
+var PASS_STATES = [
+  "issued",
+  "active",
+  "redeemed",
+  "expired",
+  "revoked"
+];
+var HexString2 = (length) => import_zod6.z.string().regex(
+  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
+  `expected ${length}-byte hex string`
+);
+var PassMetadataSchema = import_zod6.z.record(
+  import_zod6.z.union([import_zod6.z.string(), import_zod6.z.number(), import_zod6.z.boolean(), import_zod6.z.null()])
+);
+var PassSchema = import_zod6.z.object({
+  passId: import_zod6.z.string().min(1),
+  /** Optional client/template grouping id (server may omit). */
+  templateId: import_zod6.z.string().min(1).optional(),
+  /** Optional human-facing holder identity (server may omit). The cryptographic binding
+   *  is `holderDevicePubkey` below. */
+  holderUserId: import_zod6.z.string().min(1).optional(),
+  kind: import_zod6.z.enum(PASS_KINDS),
+  issuerId: import_zod6.z.string().min(1),
+  issuedAtMs: import_zod6.z.number().int().nonnegative(),
+  validFromMs: import_zod6.z.number().int().nonnegative(),
+  validUntilMs: import_zod6.z.number().int().positive(),
+  state: import_zod6.z.enum(PASS_STATES),
+  metadata: PassMetadataSchema,
+  nonce: import_zod6.z.string().min(1),
+  /** Device id this pass is bound to (FK to backend `device_keys`). */
+  holderDeviceId: import_zod6.z.string().min(1),
+  /** 32-byte hex Ed25519 public key of the bound device. The redemption signature
+   *  is verified against this key — it is the security-critical binding. */
+  holderDevicePubkey: HexString2(32),
+  /** Optional fixed amount for monetary passes (vouchers, gift cards) in kobo. */
+  amountKobo: import_zod6.z.number().int().nonnegative().optional(),
+  /** ISO-4217-ish currency code; required on the wire. SDK builders default to NGN. */
+  currency: import_zod6.z.string().min(3).max(8),
+  /** Monotonic redemption counter floor. Redemption.counter MUST be > counterSeed. */
+  counterSeed: import_zod6.z.number().int().nonnegative(),
+  /** Optional cumulative spend cap in kobo across all redemptions of this pass. */
+  cumulativeCapKobo: import_zod6.z.number().int().nonnegative().optional(),
+  issuerSig: HexString2(64)
+}).refine((v) => v.validUntilMs > v.validFromMs, {
+  message: "validUntilMs must be greater than validFromMs"
+});
+function buildPass(input) {
+  if (input.validUntilMs <= input.validFromMs) {
+    throw new Error("validUntilMs must be greater than validFromMs");
+  }
+  const out = {
+    passId: input.passId,
+    kind: input.kind,
+    issuerId: input.issuerId,
+    issuedAtMs: input.issuedAtMs,
+    validFromMs: input.validFromMs,
+    validUntilMs: input.validUntilMs,
+    state: input.state,
+    metadata: input.metadata,
+    nonce: input.nonce,
+    holderDeviceId: input.holderDeviceId,
+    holderDevicePubkey: input.holderDevicePubkey,
+    currency: input.currency ?? "NGN",
+    counterSeed: input.counterSeed
+  };
+  if (typeof input.templateId === "string") out.templateId = input.templateId;
+  if (typeof input.holderUserId === "string")
+    out.holderUserId = input.holderUserId;
+  if (typeof input.amountKobo === "number") out.amountKobo = input.amountKobo;
+  if (typeof input.cumulativeCapKobo === "number") {
+    out.cumulativeCapKobo = input.cumulativeCapKobo;
+  }
+  return out;
+}
+function signPass(unsigned, issuerPrivateKey) {
+  const issuerSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  );
+  return { ...unsigned, issuerSig };
+}
+function verifyPass(pass, issuerPublicKey) {
+  try {
+    const parsed = PassSchema.parse(pass);
+    const { issuerSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(issuerSig),
+      issuerPublicKey
+    );
+  } catch {
+    return false;
+  }
+}
+function isPassWithinValidity(pass, nowMs) {
+  return nowMs >= pass.validFromMs && nowMs < pass.validUntilMs;
+}
+
+// src/passes/redemption.ts
+var import_zod7 = require("zod");
+var HexSig2 = import_zod7.z.string().regex(/^[0-9a-fA-F]{128}$/, "expected 64-byte hex signature");
+var RedemptionSchema = import_zod7.z.object({
+  pass: PassSchema,
+  redeemerId: import_zod7.z.string().min(1),
+  redeemedAtMs: import_zod7.z.number().int().nonnegative(),
+  /** Strictly monotonic counter scoped to a single pass. Must be > pass.counterSeed
+   *  and > the redeemer's lastSeenCounter for this pass. */
+  counter: import_zod7.z.number().int().positive(),
+  /** Amount being redeemed in kobo (0 for non-monetary passes like ride tickets). */
+  amountKobo: import_zod7.z.number().int().nonnegative(),
+  nonce: import_zod7.z.string().min(1),
+  holderSig: HexSig2
+});
+var REDEEMABLE_STATES = /* @__PURE__ */ new Set(["issued", "active"]);
+function buildRedemption(input) {
+  if (!REDEEMABLE_STATES.has(input.pass.state)) {
+    throw new Error(`pass not in redeemable state: ${input.pass.state}`);
+  }
+  if (input.redeemedAtMs < input.pass.validFromMs) {
+    throw new Error("redeemedAtMs is before pass validFromMs");
+  }
+  if (input.redeemedAtMs >= input.pass.validUntilMs) {
+    throw new FlurExpiredError(
+      `pass ${input.pass.passId} expired at ${input.pass.validUntilMs}`
+    );
+  }
+  const now = typeof input.nowMs === "number" ? input.nowMs : input.redeemedAtMs;
+  if (now >= input.pass.validUntilMs) {
+    throw new FlurExpiredError(
+      `pass ${input.pass.passId} expired at ${input.pass.validUntilMs}`
+    );
+  }
+  if (!input.pass.holderDevicePubkey) {
+    throw new Error(
+      "pass.holderDevicePubkey is required to build a redemption"
+    );
+  }
+  const lastSeen = Math.max(
+    input.pass.counterSeed,
+    typeof input.lastSeenCounter === "number" ? input.lastSeenCounter : 0
+  );
+  if (input.counter <= lastSeen) {
+    throw new FlurReplayError(
+      `redemption counter ${input.counter} must be > lastSeenCounter ${lastSeen}`
+    );
+  }
+  const amount = input.amountKobo ?? 0;
+  if (typeof input.pass.cumulativeCapKobo === "number") {
+    const used = input.cumulativeUsedKobo ?? 0;
+    if (used + amount > input.pass.cumulativeCapKobo) {
+      throw new FlurCapExceededError(
+        `pass ${input.pass.passId} cap ${input.pass.cumulativeCapKobo} would be exceeded (used ${used} + ${amount})`
+      );
+    }
+  }
+  return {
+    pass: input.pass,
+    redeemerId: input.redeemerId,
+    redeemedAtMs: input.redeemedAtMs,
+    counter: input.counter,
+    amountKobo: amount,
+    nonce: input.nonce
+  };
+}
+function signRedemption(unsigned, holderDevicePrivateKey) {
+  const holderSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), holderDevicePrivateKey)
+  );
+  return { ...unsigned, holderSig };
+}
+function verifyRedemption(r, issuerPublicKey) {
+  try {
+    const parsed = RedemptionSchema.parse(r);
+    if (parsed.counter <= parsed.pass.counterSeed) return false;
+    const { issuerSig, ...passUnsigned } = parsed.pass;
+    if (!verify(
+      canonicalJSONBytes(passUnsigned),
+      hexToBytes(issuerSig),
+      issuerPublicKey
+    )) {
+      return false;
+    }
+    const holderHex = parsed.pass.holderDevicePubkey;
+    if (typeof holderHex !== "string") return false;
+    const { holderSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(holderSig),
+      hexToBytes(holderHex)
+    );
+  } catch {
+    return false;
+  }
+}
+
+// src/passes/client.ts
+function createPassesClient(opts) {
+  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+  if (!fetchImpl)
+    throw new Error("createPassesClient: no fetch implementation available");
+  const baseUrl = opts.baseUrl.replace(/\/$/, "");
+  async function call(method, path, body, parser) {
+    const init2 = {
+      method,
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      }
+    };
+    if (body !== void 0) init2.body = JSON.stringify(body);
+    const resp = await fetchImpl(`${baseUrl}${path}`, init2);
+    const text = await resp.text();
+    let raw = void 0;
+    if (text) {
+      try {
+        raw = JSON.parse(text);
+      } catch {
+      }
+    }
+    if (!resp.ok) {
+      const code = (raw && typeof raw === "object" && "code" in raw && typeof raw.code === "string" ? raw.code : void 0) ?? `http_${resp.status}`;
+      const message = (raw && typeof raw === "object" && "message" in raw && typeof raw.message === "string" ? raw.message : void 0) ?? `request failed with status ${resp.status}`;
+      throw new FlurApiError(resp.status, code, message, raw);
+    }
+    return parser(raw);
+  }
+  return {
+    issuePass: (input) => call("POST", "/v1/passes", input, (raw) => PassSchema.parse(raw)),
+    listPasses: (input) => {
+      const qs = new URLSearchParams();
+      if (input.holderDeviceId) qs.set("holderDeviceId", input.holderDeviceId);
+      if (input.holderUserId) qs.set("holderUserId", input.holderUserId);
+      if (input.state) qs.set("state", input.state);
+      if (input.kind) qs.set("kind", input.kind);
+      if (input.templateId) qs.set("templateId", input.templateId);
+      if (typeof input.limit === "number") qs.set("limit", String(input.limit));
+      if (input.cursor) qs.set("cursor", input.cursor);
+      const path = `/v1/passes${qs.size > 0 ? `?${qs.toString()}` : ""}`;
+      return call("GET", path, void 0, (raw) => {
+        const obj = raw;
+        const items = obj.items.map(
+          (it) => PassSchema.parse(it)
+        );
+        const nextCursor = typeof obj.nextCursor === "string" ? obj.nextCursor : null;
+        return { items, nextCursor };
+      });
+    },
+    getPass: (passId) => call(
+      "GET",
+      `/v1/passes/${encodeURIComponent(passId)}`,
+      void 0,
+      (raw) => PassSchema.parse(raw)
+    ),
+    redeemPass: (passId, redemption) => call(
+      "POST",
+      `/v1/passes/${encodeURIComponent(passId)}/redeem`,
+      RedemptionSchema.parse(redemption),
+      (raw) => PassSchema.parse(raw)
+    ),
+    revokePass: (passId, input) => call(
+      "POST",
+      `/v1/passes/${encodeURIComponent(passId)}/revoke`,
+      input,
+      (raw) => PassSchema.parse(raw)
+    ),
+    verifyPass: (pass, issuerPublicKey) => verifyPass(pass, issuerPublicKey)
+  };
+}
+
+// src/receipts/receipt.ts
+var import_zod8 = require("zod");
+var RECEIPT_CHANNELS = ["cash", "pass"];
+var RECEIPT_KINDS = RECEIPT_CHANNELS;
+var HexString3 = (length) => import_zod8.z.string().regex(
+  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
+  `expected ${length}-byte hex string`
+);
+var ReceiptPayloadSchema = import_zod8.z.record(
+  import_zod8.z.union([import_zod8.z.string(), import_zod8.z.number(), import_zod8.z.boolean(), import_zod8.z.null()])
+);
+var ReceiptSchema = import_zod8.z.object({
+  receiptId: import_zod8.z.string().min(1),
+  channel: import_zod8.z.enum(RECEIPT_CHANNELS),
+  /** Cash-channel: send_intents.id. Required when channel === 'cash'. */
+  intentId: import_zod8.z.string().min(1).optional(),
+  /** Pass-channel: pass_redemptions.id. Required when channel === 'pass'. */
+  passRedemptionId: import_zod8.z.string().min(1).optional(),
+  payerUserId: import_zod8.z.string().min(1),
+  payeeUserId: import_zod8.z.string().min(1),
+  amountKobo: import_zod8.z.number().int().nonnegative(),
+  currency: import_zod8.z.string().min(3).max(8),
+  issuedAtMs: import_zod8.z.number().int().nonnegative(),
+  issuerId: import_zod8.z.string().min(1),
+  payload: ReceiptPayloadSchema,
+  issuerSig: HexString3(64)
+}).superRefine((v, ctx) => {
+  if (v.channel === "cash") {
+    if (!v.intentId) {
+      ctx.addIssue({
+        code: import_zod8.z.ZodIssueCode.custom,
+        message: "cash receipts require intentId",
+        path: ["intentId"]
+      });
+    }
+    if (v.passRedemptionId) {
+      ctx.addIssue({
+        code: import_zod8.z.ZodIssueCode.custom,
+        message: "cash receipts must not carry passRedemptionId",
+        path: ["passRedemptionId"]
+      });
+    }
+  } else if (v.channel === "pass") {
+    if (!v.passRedemptionId) {
+      ctx.addIssue({
+        code: import_zod8.z.ZodIssueCode.custom,
+        message: "pass receipts require passRedemptionId",
+        path: ["passRedemptionId"]
+      });
+    }
+    if (v.intentId) {
+      ctx.addIssue({
+        code: import_zod8.z.ZodIssueCode.custom,
+        message: "pass receipts must not carry intentId",
+        path: ["intentId"]
+      });
+    }
+  }
+});
+function buildReceipt(input) {
+  if (input.channel === "cash") {
+    if (!input.intentId) {
+      throw new Error("cash receipts require intentId");
+    }
+    if (input.passRedemptionId) {
+      throw new Error("cash receipts must not carry passRedemptionId");
+    }
+  } else {
+    if (!input.passRedemptionId) {
+      throw new Error("pass receipts require passRedemptionId");
+    }
+    if (input.intentId) {
+      throw new Error("pass receipts must not carry intentId");
+    }
+  }
+  const out = {
+    receiptId: input.receiptId,
+    channel: input.channel,
+    payerUserId: input.payerUserId,
+    payeeUserId: input.payeeUserId,
+    amountKobo: input.amountKobo,
+    currency: input.currency,
+    issuedAtMs: input.issuedAtMs,
+    issuerId: input.issuerId,
+    payload: input.payload ?? {}
+  };
+  if (input.intentId) out.intentId = input.intentId;
+  if (input.passRedemptionId) out.passRedemptionId = input.passRedemptionId;
+  return out;
+}
+function signReceipt(unsigned, issuerPrivateKey) {
+  const issuerSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  );
+  return { ...unsigned, issuerSig };
+}
+function verifyReceipt(r, issuerPublicKey) {
+  try {
+    const parsed = ReceiptSchema.parse(r);
+    const { issuerSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(issuerSig),
+      issuerPublicKey
+    );
+  } catch {
+    return false;
+  }
+}
+
+// src/receipts/client.ts
+function createReceiptsClient(opts) {
+  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+  if (!fetchImpl)
+    throw new Error("createReceiptsClient: no fetch implementation available");
+  const baseUrl = opts.baseUrl.replace(/\/$/, "");
+  async function call(method, path, body, parser) {
+    const init2 = {
+      method,
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      }
+    };
+    if (body !== void 0) init2.body = JSON.stringify(body);
+    const resp = await fetchImpl(`${baseUrl}${path}`, init2);
+    const text = await resp.text();
+    let raw = void 0;
+    if (text) {
+      try {
+        raw = JSON.parse(text);
+      } catch {
+      }
+    }
+    if (!resp.ok) {
+      const code = raw && typeof raw === "object" && "code" in raw && typeof raw.code === "string" ? raw.code : `http_${resp.status}`;
+      const message = raw && typeof raw === "object" && "message" in raw && typeof raw.message === "string" ? raw.message : `request failed with status ${resp.status}`;
+      throw new FlurApiError(resp.status, code, message, raw);
+    }
+    return parser(raw);
+  }
+  const getById = (receiptId) => call(
+    "GET",
+    `/v1/receipts/${encodeURIComponent(receiptId)}`,
+    void 0,
+    (raw) => ReceiptSchema.parse(raw)
+  );
+  return {
+    issueReceipt: (input) => call("POST", "/v1/receipts", input, (raw) => ReceiptSchema.parse(raw)),
+    getReceipt: getById,
+    getById,
+    getByIntentId: (intentId) => call(
+      "GET",
+      `/v1/receipts/by-intent/${encodeURIComponent(intentId)}`,
+      void 0,
+      (raw) => ReceiptSchema.parse(raw)
+    ),
+    getByPassRedemptionId: (passRedemptionId) => call(
+      "GET",
+      `/v1/receipts/by-pass-redemption/${encodeURIComponent(passRedemptionId)}`,
+      void 0,
+      (raw) => ReceiptSchema.parse(raw)
+    ),
+    listForUser: (input) => {
+      const qs = new URLSearchParams();
+      if (input.payerUserId) qs.set("payerUserId", input.payerUserId);
+      if (input.payeeUserId) qs.set("payeeUserId", input.payeeUserId);
+      if (input.channel) qs.set("channel", input.channel);
+      if (typeof input.limit === "number") qs.set("limit", String(input.limit));
+      if (input.cursor) qs.set("cursor", input.cursor);
+      const path = `/v1/receipts${qs.size > 0 ? `?${qs.toString()}` : ""}`;
+      return call("GET", path, void 0, (raw) => {
+        const obj = raw;
+        const items = obj.items.map(
+          (it) => ReceiptSchema.parse(it)
+        );
+        const nextCursor = typeof obj.nextCursor === "string" ? obj.nextCursor : null;
+        return { items, nextCursor };
+      });
+    },
+    verifyReceipt: (receipt, issuerPublicKey) => verifyReceipt(receipt, issuerPublicKey)
+  };
+}
+
+// src/client/flur.ts
+function generateStaticQR(input) {
+  return encodeNQR({ ...input, pointOfInitiation: "static" });
+}
+function generateDynamicQR(input) {
+  return encodeNQR({ ...input, pointOfInitiation: "dynamic" });
+}
+function parseQR(payload) {
+  return parseNQR(payload);
+}
+function init(opts) {
+  const signedFetch = createHmacFetch({
+    apiKey: opts.apiKey,
+    apiSecret: opts.apiSecret,
+    fetchImpl: opts.fetchImpl,
+    scope: opts.scope
+  });
+  const baseUrl = opts.baseUrl.replace(/\/$/, "");
+  function subscribeToPayments(s) {
+    const controller = new AbortController();
+    let cancelled = false;
+    (async () => {
+      try {
+        const url = `${baseUrl}/v1/payments/subscribe?reference=${encodeURIComponent(s.reference)}`;
+        const resp = await signedFetch(url, {
+          method: "GET",
+          headers: { accept: "text/event-stream" },
+          signal: controller.signal
+        });
+        if (!resp.body) return;
+        const reader = resp.body.getReader();
+        const decoder = new TextDecoder();
+        let buffer = "";
+        while (!cancelled) {
+          const { value, done } = await reader.read();
+          if (done) return;
+          buffer += decoder.decode(value, { stream: true });
+          let idx;
+          while ((idx = buffer.indexOf("\n\n")) >= 0) {
+            const chunk = buffer.slice(0, idx);
+            buffer = buffer.slice(idx + 2);
+            for (const line of chunk.split("\n")) {
+              if (!line.startsWith("data:")) continue;
+              const json = line.slice(5).trim();
+              if (!json) continue;
+              try {
+                s.onEvent(JSON.parse(json));
+              } catch (err) {
+                s.onError?.(err);
+              }
+            }
+          }
+        }
+      } catch (err) {
+        if (!cancelled) s.onError?.(err);
+      }
+    })();
+    return () => {
+      cancelled = true;
+      controller.abort();
+    };
+  }
+  const cash = {
+    generateStaticQR,
+    generateDynamicQR,
+    parseQR,
+    subscribeToPayments
+  };
+  const passes = createPassesClient({ baseUrl, fetchImpl: signedFetch });
+  const receipts = createReceiptsClient({ baseUrl, fetchImpl: signedFetch });
+  return {
+    // top-level back-compat surface
+    generateStaticQR,
+    generateDynamicQR,
+    parseQR,
+    subscribeToPayments,
+    // namespaces
+    cash,
+    passes,
+    receipts
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ADDITIONAL_DATA_SUBFIELD,
+  FIELD,
+  FlurApiError,
+  FlurCapExceededError,
+  FlurClient,
+  FlurError,
+  FlurExpiredError,
+  FlurReplayError,
+  NGN_CURRENCY_CODE,
+  NG_COUNTRY_CODE,
+  NQRParseError,
+  OACSchema,
+  OAC_DEFAULT_CUMULATIVE_KOBO,
+  OAC_DEFAULT_PER_TX_KOBO,
+  OAC_DEFAULT_VALIDITY_MS,
+  OfflinePaymentAuthorizationSchema,
+  OfflinePaymentRequestSchema,
+  PASS_KINDS,
+  PASS_STATES,
+  PAYLOAD_FORMAT_INDICATOR_VALUE,
+  POINT_OF_INITIATION,
+  PassMetadataSchema,
+  PassSchema,
+  RECEIPT_CHANNELS,
+  RECEIPT_KINDS,
+  REPLAY_WINDOW_MS,
+  ReceiptPayloadSchema,
+  ReceiptSchema,
+  RedemptionSchema,
+  bodySha256Hex,
+  buildAuthorization,
+  buildOAC,
+  buildPass,
+  buildPaymentRequest,
+  buildReceipt,
+  buildRedemption,
+  canonicalJSONBytes,
+  canonicalJSONStringify,
+  canonicalRequestString,
+  constantTimeEqual,
+  crc16ccitt,
+  crc16ccittHex,
+  createHmacFetch,
+  createPassesClient,
+  createReceiptsClient,
+  decodeAuthorizationQR,
+  decodeBase45,
+  decodePaymentRequestQR,
+  encodeAuthorizationQR,
+  encodeBase45,
+  encodeNQR,
+  encodePaymentRequestQR,
+  formatAmount,
+  generateDynamicQR,
+  generateKeyPair,
+  generateStaticQR,
+  init,
+  isPassWithinValidity,
+  moneyMinorToNumber,
+  normalizeE164,
+  parseAmountInput,
+  parseNQR,
+  parseQR,
+  publicKeyFromPrivate,
+  readTLV,
+  routingHint,
+  sign,
+  signAuthorization,
+  signCanonical,
+  signOAC,
+  signPass,
+  signPaymentRequest,
+  signReceipt,
+  signRedemption,
+  signRequestHMAC,
+  verify,
+  verifyAuthorization,
+  verifyCanonical,
+  verifyOAC,
+  verifyPass,
+  verifyPaymentRequest,
+  verifyReceipt,
+  verifyRedemption,
+  verifyRequestHMAC,
+  writeTLV
+});
+//# sourceMappingURL=index.cjs.map