npm - @nokinc-flur/sdk - Versions diffs - 0.1.7 → 1.0.0 - Mend

@nokinc-flur/sdk 0.1.7 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.js CHANGED Viewed

@@ -225,6 +225,39 @@ var FlurError = class extends Error {
     this.reqId = opts?.reqId;
   }
 };
+var FlurApiError = class extends Error {
+  constructor(status, code, message, raw) {
+    super(message);
+    this.status = status;
+    this.code = code;
+    this.raw = raw;
+    this.name = "FlurApiError";
+  }
+  status;
+  code;
+  raw;
+};
+var FlurExpiredError = class extends Error {
+  code = "PASS_EXPIRED";
+  constructor(message = "pass is expired") {
+    super(message);
+    this.name = "FlurExpiredError";
+  }
+};
+var FlurReplayError = class extends Error {
+  code = "PASS_REPLAY";
+  constructor(message = "redemption counter is not strictly increasing") {
+    super(message);
+    this.name = "FlurReplayError";
+  }
+};
+var FlurCapExceededError = class extends Error {
+  code = "PASS_CAP_EXCEEDED";
+  constructor(message = "redemption exceeds cumulative cap") {
+    super(message);
+    this.name = "FlurCapExceededError";
+  }
+};
 async function mapToFlurError(res) {
   const reqId = res.headers.get("x-request-id");
   let details = void 0;
@@ -248,7 +281,11 @@ async function mapToFlurError(res) {
     }
   } catch {
   }
-  return new FlurError(mappedMessage, mappedCode, { status: res.status, details, reqId });
+  return new FlurError(mappedMessage, mappedCode, {
+    status: res.status,
+    details,
+    reqId
+  });
 }
 // src/primitives.ts
@@ -665,13 +702,13 @@ var FlurClient = class {
       ResolvePayLinkResponseSchema
     );
   }
-  async requestJson(path, init, requestSchema, responseSchema, input) {
+  async requestJson(path, init2, requestSchema, responseSchema, input) {
     const url = `${this.baseUrl}${path}`;
     const controller = new AbortController();
     const t = setTimeout(() => controller.abort(), this.timeoutMs);
-    let body = init.body;
+    let body = init2.body;
     try {
-      body = requestSchema ? JSON.stringify(requestSchema.parse(input)) : init.body;
+      body = requestSchema ? JSON.stringify(requestSchema.parse(input)) : init2.body;
     } catch (err) {
       if (err instanceof z3.ZodError) {
         throw new FlurError("Invalid request payload", "INVALID_REQUEST", {
@@ -686,10 +723,10 @@ var FlurClient = class {
         extraHeaders = await this.getExtraHeaders();
       }
       const finalHeaders = {
-        ...init.headers,
+        ...init2.headers,
         ...extraHeaders
       };
-      const res = await this.fetchImpl(url, { ...init, headers: finalHeaders, body, signal: controller.signal });
+      const res = await this.fetchImpl(url, { ...init2, headers: finalHeaders, body, signal: controller.signal });
       if (!res.ok) throw await mapToFlurError(res);
       const payload = await res.json();
       if (!responseSchema) return payload;
@@ -720,12 +757,1427 @@ function getSecureRandomUuid() {
   }
   throw new FlurError("Secure UUID generator unavailable; provide idempotencyKey", "INVALID_REQUEST");
 }
+// src/nqr/fields.ts
+var FIELD = {
+  PAYLOAD_FORMAT_INDICATOR: "00",
+  POINT_OF_INITIATION: "01",
+  // 02..51 — Merchant Account Information templates (issuer-specific)
+  MERCHANT_CATEGORY_CODE: "52",
+  TRANSACTION_CURRENCY: "53",
+  TRANSACTION_AMOUNT: "54",
+  TIP_OR_CONVENIENCE_INDICATOR: "55",
+  VALUE_CONVENIENCE_FEE_FIXED: "56",
+  VALUE_CONVENIENCE_FEE_PERCENT: "57",
+  COUNTRY_CODE: "58",
+  MERCHANT_NAME: "59",
+  MERCHANT_CITY: "60",
+  POSTAL_CODE: "61",
+  ADDITIONAL_DATA_FIELD: "62",
+  CRC: "63",
+  MERCHANT_INFO_LANGUAGE: "64"
+  // 80..99 — Unreserved Templates
+};
+var ADDITIONAL_DATA_SUBFIELD = {
+  BILL_NUMBER: "01",
+  MOBILE_NUMBER: "02",
+  STORE_LABEL: "03",
+  LOYALTY_NUMBER: "04",
+  REFERENCE_LABEL: "05",
+  CUSTOMER_LABEL: "06",
+  TERMINAL_LABEL: "07",
+  PURPOSE_OF_TRANSACTION: "08"
+};
+var POINT_OF_INITIATION = {
+  STATIC: "11",
+  DYNAMIC: "12"
+};
+var PAYLOAD_FORMAT_INDICATOR_VALUE = "01";
+var NGN_CURRENCY_CODE = "566";
+var NG_COUNTRY_CODE = "NG";
+var CRC_TAG_PREFIX = "6304";
+// src/nqr/crc16.ts
+function crc16ccitt(bytes) {
+  let crc = 65535;
+  for (let i = 0; i < bytes.length; i++) {
+    crc ^= bytes[i] << 8;
+    for (let j = 0; j < 8; j++) {
+      if (crc & 32768) {
+        crc = crc << 1 ^ 4129;
+      } else {
+        crc <<= 1;
+      }
+      crc &= 65535;
+    }
+  }
+  return crc;
+}
+function crc16ccittHex(bytes) {
+  return crc16ccitt(bytes).toString(16).toUpperCase().padStart(4, "0");
+}
+// src/nqr/tlv.ts
+function writeTLV(tag, value) {
+  if (!/^\d{2}$/.test(tag)) {
+    throw new Error(`TLV: tag must be 2 digits, got "${tag}"`);
+  }
+  if (value.length > 99) {
+    throw new Error(
+      `TLV: value for tag ${tag} exceeds 99 chars (${value.length})`
+    );
+  }
+  const len = value.length.toString().padStart(2, "0");
+  return `${tag}${len}${value}`;
+}
+function readTLV(buf) {
+  const out = [];
+  let i = 0;
+  while (i < buf.length) {
+    if (i + 4 > buf.length) {
+      throw new Error(`TLV: truncated header at offset ${i}`);
+    }
+    const tag = buf.slice(i, i + 2);
+    const lenStr = buf.slice(i + 2, i + 4);
+    if (!/^\d{2}$/.test(tag)) {
+      throw new Error(`TLV: bad tag "${tag}" at offset ${i}`);
+    }
+    if (!/^\d{2}$/.test(lenStr)) {
+      throw new Error(`TLV: bad length "${lenStr}" at offset ${i + 2}`);
+    }
+    const len = parseInt(lenStr, 10);
+    const valStart = i + 4;
+    const valEnd = valStart + len;
+    if (valEnd > buf.length) {
+      throw new Error(
+        `TLV: truncated value for tag ${tag} at offset ${valStart}`
+      );
+    }
+    out.push({ tag, value: buf.slice(valStart, valEnd) });
+    i = valEnd;
+  }
+  return out;
+}
+// src/nqr/encoder.ts
+var ASCII_PRINTABLE = /^[\x20-\x7E]*$/;
+function buildMAIValue(mai) {
+  if (!/^(0[2-9]|[1-4]\d|5[0-1])$/.test(mai.tag)) {
+    throw new Error(
+      `encodeNQR: merchantAccountInfo.tag must be in 02..51, got "${mai.tag}"`
+    );
+  }
+  let out = "";
+  for (const c of mai.children) {
+    out += writeTLV(c.tag, c.value);
+  }
+  return out;
+}
+function buildAdditionalDataValue(ad) {
+  let out = "";
+  const map = [
+    ["billNumber", ADDITIONAL_DATA_SUBFIELD.BILL_NUMBER],
+    ["mobileNumber", ADDITIONAL_DATA_SUBFIELD.MOBILE_NUMBER],
+    ["storeLabel", ADDITIONAL_DATA_SUBFIELD.STORE_LABEL],
+    ["loyaltyNumber", ADDITIONAL_DATA_SUBFIELD.LOYALTY_NUMBER],
+    ["referenceLabel", ADDITIONAL_DATA_SUBFIELD.REFERENCE_LABEL],
+    ["customerLabel", ADDITIONAL_DATA_SUBFIELD.CUSTOMER_LABEL],
+    ["terminalLabel", ADDITIONAL_DATA_SUBFIELD.TERMINAL_LABEL],
+    ["purposeOfTransaction", ADDITIONAL_DATA_SUBFIELD.PURPOSE_OF_TRANSACTION]
+  ];
+  for (const [k, t] of map) {
+    const v = ad[k];
+    if (v !== void 0) {
+      out += writeTLV(t, v);
+    }
+  }
+  return out;
+}
+function assertAscii(name, v) {
+  if (!ASCII_PRINTABLE.test(v)) {
+    throw new Error(
+      `encodeNQR: ${name} contains non-printable-ASCII characters`
+    );
+  }
+}
+function assertMaxLen(name, v, max) {
+  if (v.length > max) {
+    throw new Error(`encodeNQR: ${name} length ${v.length} exceeds max ${max}`);
+  }
+}
+function assertMCC(mcc) {
+  if (!/^\d{4}$/.test(mcc)) {
+    throw new Error(
+      `encodeNQR: merchantCategoryCode must be 4 digits, got "${mcc}"`
+    );
+  }
+}
+function assertAmount(amt) {
+  if (!/^\d{1,10}(\.\d{1,2})?$/.test(amt)) {
+    throw new Error(
+      `encodeNQR: transactionAmount must match /^\\d{1,10}(\\.\\d{1,2})?$/, got "${amt}"`
+    );
+  }
+  if (amt.length > 13) {
+    throw new Error(
+      `encodeNQR: transactionAmount length ${amt.length} exceeds 13`
+    );
+  }
+}
+function encodeNQR(input) {
+  assertMCC(input.merchantCategoryCode);
+  assertAscii("merchantName", input.merchantName);
+  assertMaxLen("merchantName", input.merchantName, 25);
+  assertAscii("merchantCity", input.merchantCity);
+  assertMaxLen("merchantCity", input.merchantCity, 15);
+  if (input.postalCode !== void 0) {
+    assertAscii("postalCode", input.postalCode);
+    assertMaxLen("postalCode", input.postalCode, 10);
+  }
+  if (input.transactionAmount !== void 0) {
+    assertAmount(input.transactionAmount);
+  }
+  if (input.pointOfInitiation === "dynamic" && input.transactionAmount === void 0) {
+  }
+  let out = "";
+  out += writeTLV(
+    FIELD.PAYLOAD_FORMAT_INDICATOR,
+    PAYLOAD_FORMAT_INDICATOR_VALUE
+  );
+  out += writeTLV(
+    FIELD.POINT_OF_INITIATION,
+    input.pointOfInitiation === "dynamic" ? POINT_OF_INITIATION.DYNAMIC : POINT_OF_INITIATION.STATIC
+  );
+  out += writeTLV(
+    input.merchantAccountInfo.tag,
+    buildMAIValue(input.merchantAccountInfo)
+  );
+  out += writeTLV(FIELD.MERCHANT_CATEGORY_CODE, input.merchantCategoryCode);
+  out += writeTLV(FIELD.TRANSACTION_CURRENCY, NGN_CURRENCY_CODE);
+  if (input.transactionAmount !== void 0) {
+    out += writeTLV(FIELD.TRANSACTION_AMOUNT, input.transactionAmount);
+  }
+  out += writeTLV(FIELD.COUNTRY_CODE, NG_COUNTRY_CODE);
+  out += writeTLV(FIELD.MERCHANT_NAME, input.merchantName);
+  out += writeTLV(FIELD.MERCHANT_CITY, input.merchantCity);
+  if (input.postalCode !== void 0) {
+    out += writeTLV(FIELD.POSTAL_CODE, input.postalCode);
+  }
+  if (input.additionalData) {
+    const adfValue = buildAdditionalDataValue(input.additionalData);
+    if (adfValue.length > 0) {
+      out += writeTLV(FIELD.ADDITIONAL_DATA_FIELD, adfValue);
+    }
+  }
+  out += CRC_TAG_PREFIX;
+  const crc = crc16ccittHex(new TextEncoder().encode(out));
+  out += crc;
+  return out;
+}
+// src/nqr/parser.ts
+var NQRParseError = class extends Error {
+  path;
+  constructor(message, path = "") {
+    super(message);
+    this.name = "NQRParseError";
+    this.path = path;
+  }
+};
+function parseNQR(payload) {
+  if (payload.length < 8) {
+    throw new NQRParseError(`payload too short (${payload.length} chars)`);
+  }
+  const crcTagAndLen = payload.slice(-8, -4);
+  const crcValue = payload.slice(-4);
+  if (crcTagAndLen !== CRC_TAG_PREFIX) {
+    throw new NQRParseError(
+      `CRC tag prefix not found (expected "6304" at end)`
+    );
+  }
+  const beforeCrc = payload.slice(0, -4);
+  const expectedCrc = crc16ccittHex(new TextEncoder().encode(beforeCrc));
+  if (expectedCrc !== crcValue.toUpperCase()) {
+    throw new NQRParseError(
+      `CRC mismatch: payload says ${crcValue}, computed ${expectedCrc}`,
+      "63"
+    );
+  }
+  const topBuf = payload.slice(0, -8);
+  const top = readTLV(topBuf);
+  const get = (tag) => top.find((f) => f.tag === tag)?.value;
+  const pfi = get(FIELD.PAYLOAD_FORMAT_INDICATOR);
+  if (pfi !== "01")
+    throw new NQRParseError(
+      `payloadFormatIndicator must be "01", got "${pfi}"`,
+      "00"
+    );
+  const poiRaw = get(FIELD.POINT_OF_INITIATION);
+  const pointOfInitiation = poiRaw === "11" ? "static" : poiRaw === "12" ? "dynamic" : "unknown";
+  const currency = get(FIELD.TRANSACTION_CURRENCY);
+  if (currency !== NGN_CURRENCY_CODE) {
+    throw new NQRParseError(
+      `unsupported currency "${currency}" (expected ${NGN_CURRENCY_CODE})`,
+      "53"
+    );
+  }
+  const country = get(FIELD.COUNTRY_CODE);
+  if (country !== NG_COUNTRY_CODE) {
+    throw new NQRParseError(
+      `unsupported country "${country}" (expected ${NG_COUNTRY_CODE})`,
+      "58"
+    );
+  }
+  const mcc = get(FIELD.MERCHANT_CATEGORY_CODE);
+  if (!mcc) throw new NQRParseError("merchantCategoryCode missing", "52");
+  const merchantName = get(FIELD.MERCHANT_NAME) ?? "";
+  const merchantCity = get(FIELD.MERCHANT_CITY) ?? "";
+  const transactionAmount = get(FIELD.TRANSACTION_AMOUNT);
+  const postalCode = get(FIELD.POSTAL_CODE);
+  const mais = [];
+  for (const f of top) {
+    const n = parseInt(f.tag, 10);
+    if (n >= 2 && n <= 51) {
+      const children = readTLV(f.value).map((c) => ({
+        tag: c.tag,
+        value: c.value
+      }));
+      mais.push({ tag: f.tag, children });
+    }
+  }
+  let additionalData;
+  const adfRaw = get(FIELD.ADDITIONAL_DATA_FIELD);
+  if (adfRaw !== void 0) {
+    additionalData = {};
+    for (const c of readTLV(adfRaw)) {
+      switch (c.tag) {
+        case "01":
+          additionalData.billNumber = c.value;
+          break;
+        case "02":
+          additionalData.mobileNumber = c.value;
+          break;
+        case "03":
+          additionalData.storeLabel = c.value;
+          break;
+        case "04":
+          additionalData.loyaltyNumber = c.value;
+          break;
+        case "05":
+          additionalData.referenceLabel = c.value;
+          break;
+        case "06":
+          additionalData.customerLabel = c.value;
+          break;
+        case "07":
+          additionalData.terminalLabel = c.value;
+          break;
+        case "08":
+          additionalData.purposeOfTransaction = c.value;
+          break;
+      }
+    }
+  }
+  return {
+    payloadFormatIndicator: pfi,
+    pointOfInitiation,
+    merchantAccountInfo: mais,
+    merchantCategoryCode: mcc,
+    transactionCurrency: currency,
+    transactionAmount,
+    countryCode: country,
+    merchantName,
+    merchantCity,
+    postalCode,
+    additionalData,
+    flurReference: additionalData?.referenceLabel?.startsWith("FL-") ? additionalData.referenceLabel : void 0,
+    raw: payload
+  };
+}
+// src/nqr/routing.ts
+function routingHint(parsed) {
+  if (parsed.flurReference && parsed.flurReference.startsWith("FL-")) {
+    return "flur-onus";
+  }
+  if (parsed.merchantAccountInfo.length > 0) return "nibss";
+  return "unknown";
+}
+// src/crypto/canonical.ts
+function canonicalJSONStringify(value) {
+  return stringify(value);
+}
+function canonicalJSONBytes(value) {
+  return new TextEncoder().encode(canonicalJSONStringify(value));
+}
+function stringify(v) {
+  if (v === null) return "null";
+  const t = typeof v;
+  if (t === "string") return JSON.stringify(v);
+  if (t === "boolean") return v ? "true" : "false";
+  if (t === "number") {
+    if (!Number.isFinite(v)) {
+      throw new Error("canonicalJSON: non-finite number not allowed");
+    }
+    return JSON.stringify(v);
+  }
+  if (t === "bigint" || t === "function" || t === "symbol" || t === "undefined") {
+    throw new Error(`canonicalJSON: unsupported value type ${t}`);
+  }
+  if (Array.isArray(v)) {
+    const parts = [];
+    for (const item of v) parts.push(stringify(item));
+    return "[" + parts.join(",") + "]";
+  }
+  if (t === "object") {
+    const obj = v;
+    const keys = Object.keys(obj).sort();
+    const parts = [];
+    for (const k of keys) {
+      const val = obj[k];
+      if (val === void 0) {
+        throw new Error(`canonicalJSON: undefined value at key "${k}"`);
+      }
+      parts.push(JSON.stringify(k) + ":" + stringify(val));
+    }
+    return "{" + parts.join(",") + "}";
+  }
+  throw new Error(`canonicalJSON: unsupported value type ${t}`);
+}
+// src/crypto/ct.ts
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+// src/crypto/ed25519.ts
+import { ed25519 } from "@noble/curves/ed25519";
+function generateKeyPair() {
+  const privateKey = ed25519.utils.randomPrivateKey();
+  const publicKey = ed25519.getPublicKey(privateKey);
+  return { privateKey, publicKey };
+}
+function publicKeyFromPrivate(privateKey) {
+  return ed25519.getPublicKey(privateKey);
+}
+function sign(message, privateKey) {
+  return ed25519.sign(message, privateKey);
+}
+function verify(message, signature, publicKey) {
+  try {
+    return ed25519.verify(signature, message, publicKey);
+  } catch {
+    return false;
+  }
+}
+function signCanonical(value, privateKey) {
+  return sign(canonicalJSONBytes(value), privateKey);
+}
+function verifyCanonical(value, signature, publicKey) {
+  return verify(canonicalJSONBytes(value), signature, publicKey);
+}
+// src/offline/oac.ts
+import { z as z4 } from "zod";
+var OAC_DEFAULT_PER_TX_KOBO = 5e5;
+var OAC_DEFAULT_CUMULATIVE_KOBO = 2e6;
+var OAC_DEFAULT_VALIDITY_MS = 24 * 60 * 60 * 1e3;
+var HexString = (length) => z4.string().regex(
+  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
+  `expected ${length}-byte hex string`
+);
+var OACSchema = z4.object({
+  userId: z4.string().min(1),
+  deviceId: z4.string().min(1),
+  devicePublicKey: HexString(32),
+  perTxCapKobo: z4.number().int().nonnegative(),
+  cumulativeCapKobo: z4.number().int().nonnegative(),
+  validFromMs: z4.number().int().nonnegative(),
+  validUntilMs: z4.number().int().positive(),
+  counterSeed: z4.number().int().nonnegative(),
+  nonce: z4.string().min(1),
+  issuerSig: HexString(64)
+}).refine((v) => v.validUntilMs > v.validFromMs, {
+  message: "validUntilMs must be greater than validFromMs"
+}).refine((v) => v.perTxCapKobo <= v.cumulativeCapKobo, {
+  message: "perTxCapKobo must not exceed cumulativeCapKobo"
+});
+function buildOAC(input) {
+  const devicePublicKey = typeof input.devicePublicKey === "string" ? input.devicePublicKey : bytesToHex(input.devicePublicKey);
+  return {
+    userId: input.userId,
+    deviceId: input.deviceId,
+    devicePublicKey,
+    perTxCapKobo: input.perTxCapKobo ?? OAC_DEFAULT_PER_TX_KOBO,
+    cumulativeCapKobo: input.cumulativeCapKobo ?? OAC_DEFAULT_CUMULATIVE_KOBO,
+    validFromMs: input.validFromMs,
+    validUntilMs: input.validUntilMs,
+    counterSeed: input.counterSeed ?? 0,
+    nonce: input.nonce
+  };
+}
+function signOAC(unsigned, issuerPrivateKey) {
+  const issuerSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  );
+  return { ...unsigned, issuerSig };
+}
+function verifyOAC(oac, issuerPublicKey) {
+  try {
+    const parsed = OACSchema.parse(oac);
+    const { issuerSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(issuerSig),
+      issuerPublicKey
+    );
+  } catch {
+    return false;
+  }
+}
+function bytesToHex(b) {
+  let s = "";
+  for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
+  return s;
+}
+function hexToBytes(s) {
+  if (s.length % 2 !== 0) throw new Error("hex: odd length");
+  const out = new Uint8Array(s.length / 2);
+  for (let i = 0; i < out.length; i++)
+    out[i] = parseInt(s.slice(i * 2, i * 2 + 2), 16);
+  return out;
+}
+// src/offline/codec.ts
+var ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:";
+var REVERSE = {};
+for (let i = 0; i < ALPHABET.length; i++) REVERSE[ALPHABET[i]] = i;
+function encodeBase45(bytes) {
+  let out = "";
+  let i = 0;
+  for (; i + 1 < bytes.length; i += 2) {
+    const x = bytes[i] << 8 | bytes[i + 1];
+    const e = Math.floor(x / (45 * 45));
+    const d = Math.floor(x % (45 * 45) / 45);
+    const c = x % 45;
+    out += ALPHABET[c] + ALPHABET[d] + ALPHABET[e];
+  }
+  if (i < bytes.length) {
+    const x = bytes[i];
+    const d = Math.floor(x / 45);
+    const c = x % 45;
+    out += ALPHABET[c] + ALPHABET[d];
+  }
+  return out;
+}
+function decodeBase45(s) {
+  if (s.length === 0) return new Uint8Array(0);
+  const fullChunks = Math.floor(s.length / 3);
+  const tail = s.length - fullChunks * 3;
+  if (tail === 1) throw new Error("base45: invalid length");
+  const out = new Uint8Array(fullChunks * 2 + (tail === 2 ? 1 : 0));
+  let oi = 0;
+  for (let i = 0; i < fullChunks; i++) {
+    const c = REVERSE[s[i * 3]];
+    const d = REVERSE[s[i * 3 + 1]];
+    const e = REVERSE[s[i * 3 + 2]];
+    if (c === void 0 || d === void 0 || e === void 0) {
+      throw new Error("base45: invalid character");
+    }
+    const x = c + 45 * d + 45 * 45 * e;
+    if (x > 65535) throw new Error("base45: chunk overflow");
+    out[oi++] = x >> 8 & 255;
+    out[oi++] = x & 255;
+  }
+  if (tail === 2) {
+    const c = REVERSE[s[fullChunks * 3]];
+    const d = REVERSE[s[fullChunks * 3 + 1]];
+    if (c === void 0 || d === void 0)
+      throw new Error("base45: invalid character");
+    const x = c + 45 * d;
+    if (x > 255) throw new Error("base45: tail overflow");
+    out[oi++] = x & 255;
+  }
+  return out;
+}
+// src/offline/messages.ts
+import { z as z5 } from "zod";
+var HexSig = z5.string().regex(/^[0-9a-fA-F]{128}$/, "expected 64-byte hex signature");
+var OfflinePaymentRequestSchema = z5.object({
+  reference: z5.string().min(1),
+  amountKobo: z5.number().int().positive(),
+  merchantOAC: OACSchema,
+  expiresAtMs: z5.number().int().positive(),
+  merchantSig: HexSig
+});
+var OfflinePaymentAuthorizationSchema = z5.object({
+  request: OfflinePaymentRequestSchema,
+  payerOAC: OACSchema,
+  payerCounter: z5.number().int().positive(),
+  payerSig: HexSig
+});
+function buildPaymentRequest(input) {
+  if (!Number.isInteger(input.amountKobo) || input.amountKobo <= 0) {
+    throw new Error("amountKobo must be a positive integer");
+  }
+  if (input.amountKobo > input.merchantOAC.perTxCapKobo) {
+    throw new Error("amountKobo exceeds merchant OAC perTxCapKobo");
+  }
+  return {
+    reference: input.reference,
+    amountKobo: input.amountKobo,
+    merchantOAC: input.merchantOAC,
+    expiresAtMs: input.expiresAtMs
+  };
+}
+function signPaymentRequest(unsigned, merchantDevicePrivateKey) {
+  const merchantSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), merchantDevicePrivateKey)
+  );
+  return { ...unsigned, merchantSig };
+}
+function verifyPaymentRequest(req, issuerPublicKey) {
+  try {
+    const parsed = OfflinePaymentRequestSchema.parse(req);
+    const { issuerSig: merchantOacSig, ...merchantOacUnsigned } = parsed.merchantOAC;
+    if (!verify(
+      canonicalJSONBytes(merchantOacUnsigned),
+      hexToBytes(merchantOacSig),
+      issuerPublicKey
+    )) {
+      return false;
+    }
+    const { merchantSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(merchantSig),
+      hexToBytes(parsed.merchantOAC.devicePublicKey)
+    );
+  } catch {
+    return false;
+  }
+}
+function buildAuthorization(input) {
+  if (!Number.isInteger(input.payerCounter) || input.payerCounter <= 0) {
+    throw new Error("payerCounter must be a positive integer");
+  }
+  if (input.request.amountKobo > input.payerOAC.perTxCapKobo) {
+    throw new Error("amountKobo exceeds payer OAC perTxCapKobo");
+  }
+  return {
+    request: input.request,
+    payerOAC: input.payerOAC,
+    payerCounter: input.payerCounter
+  };
+}
+function signAuthorization(unsigned, payerDevicePrivateKey) {
+  const payerSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), payerDevicePrivateKey)
+  );
+  return { ...unsigned, payerSig };
+}
+function verifyAuthorization(auth, issuerPublicKey) {
+  try {
+    const parsed = OfflinePaymentAuthorizationSchema.parse(auth);
+    if (!verifyPaymentRequest(parsed.request, issuerPublicKey)) return false;
+    const { issuerSig: payerOacSig, ...payerOacUnsigned } = parsed.payerOAC;
+    if (!verify(
+      canonicalJSONBytes(payerOacUnsigned),
+      hexToBytes(payerOacSig),
+      issuerPublicKey
+    )) {
+      return false;
+    }
+    const { payerSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(payerSig),
+      hexToBytes(parsed.payerOAC.devicePublicKey)
+    );
+  } catch {
+    return false;
+  }
+}
+function encodePaymentRequestQR(req) {
+  const json = JSON.stringify(req);
+  return "FLUR1:" + encodeBase45(new TextEncoder().encode(json));
+}
+function decodePaymentRequestQR(s) {
+  if (!s.startsWith("FLUR1:"))
+    throw new Error("not a Flur offline payment request QR");
+  const bytes = decodeBase45(s.slice("FLUR1:".length));
+  const json = new TextDecoder().decode(bytes);
+  return OfflinePaymentRequestSchema.parse(JSON.parse(json));
+}
+function encodeAuthorizationQR(auth) {
+  const json = JSON.stringify(auth);
+  return "FLUR2:" + encodeBase45(new TextEncoder().encode(json));
+}
+function decodeAuthorizationQR(s) {
+  if (!s.startsWith("FLUR2:"))
+    throw new Error("not a Flur offline authorization QR");
+  const bytes = decodeBase45(s.slice("FLUR2:".length));
+  const json = new TextDecoder().decode(bytes);
+  return OfflinePaymentAuthorizationSchema.parse(JSON.parse(json));
+}
+// src/auth/hmac.ts
+import { hmac } from "@noble/hashes/hmac";
+import { sha256 } from "@noble/hashes/sha256";
+function bytesToHex2(b) {
+  let s = "";
+  for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
+  return s;
+}
+function constantTimeStringEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return diff === 0;
+}
+function bodySha256Hex(body) {
+  return bytesToHex2(sha256(new TextEncoder().encode(body)));
+}
+function canonicalRequestString(input) {
+  return [
+    input.method.toUpperCase(),
+    input.path,
+    input.timestamp,
+    input.nonce,
+    bodySha256Hex(input.body)
+  ].join("\n");
+}
+function signRequestHMAC(input) {
+  return bytesToHex2(
+    hmac(sha256, input.apiSecret, canonicalRequestString(input))
+  );
+}
+function verifyRequestHMAC(input) {
+  const expected = signRequestHMAC(input);
+  return constantTimeStringEqual(expected, input.signature.toLowerCase());
+}
+// src/auth/middleware.ts
+var REPLAY_WINDOW_MS = 5 * 60 * 1e3;
+var SERVER_TIME_HEADER = "x-flur-server-time";
+function defaultNonce() {
+  const c = globalThis.crypto;
+  if (typeof c?.randomUUID === "function") return c.randomUUID();
+  if (typeof c?.getRandomValues !== "function") {
+    throw new Error(
+      "Flur SDK: no CSPRNG available (globalThis.crypto.getRandomValues missing). Refusing to fall back to Math.random for HMAC nonce generation."
+    );
+  }
+  const arr = new Uint8Array(16);
+  c.getRandomValues(arr);
+  let s = "";
+  for (let i = 0; i < arr.length; i++)
+    s += arr[i].toString(16).padStart(2, "0");
+  return s;
+}
+function assertCSPRNG() {
+  const c = globalThis.crypto;
+  if (typeof c?.getRandomValues !== "function" && typeof c?.randomUUID !== "function") {
+    throw new Error(
+      "Flur SDK: no CSPRNG available (globalThis.crypto missing). Initialize on a runtime that provides Web Crypto (Node 19+, modern browsers, RN 0.74+)."
+    );
+  }
+}
+function parseServerTimeMs(value) {
+  if (!value) return null;
+  const trimmed = value.trim();
+  if (/^\d+$/.test(trimmed)) {
+    const n = Number(trimmed);
+    return n < 1e12 ? n * 1e3 : n;
+  }
+  const t = Date.parse(trimmed);
+  return Number.isFinite(t) ? t : null;
+}
+function createHmacFetch(opts) {
+  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+  if (!fetchImpl)
+    throw new Error("createHmacFetch: no fetch implementation available");
+  if (!opts.nonceFn) assertCSPRNG();
+  const nowMs = opts.nowMs ?? (() => Date.now());
+  const nonceFn = opts.nonceFn ?? defaultNonce;
+  const scopeHeader = opts.scope && opts.scope.length > 0 ? opts.scope.join(",") : void 0;
+  async function signAndSend(req, skewOffsetMs) {
+    const cloned = req.clone();
+    const url = new URL(cloned.url);
+    const path = url.pathname + url.search;
+    const method = cloned.method.toUpperCase();
+    const bodyText = method === "GET" || method === "HEAD" ? "" : await cloned.clone().text();
+    const timestamp = Math.floor((nowMs() + skewOffsetMs) / 1e3).toString();
+    const nonce = nonceFn();
+    const signature = signRequestHMAC({
+      method,
+      path,
+      timestamp,
+      nonce,
+      body: bodyText,
+      apiSecret: opts.apiSecret
+    });
+    const headers = new Headers(cloned.headers);
+    headers.set("x-flur-key", opts.apiKey);
+    headers.set("x-flur-timestamp", timestamp);
+    headers.set("x-flur-nonce", nonce);
+    headers.set("x-flur-signature", signature);
+    if (scopeHeader) headers.set("x-flur-scope", scopeHeader);
+    const signed = new Request(cloned, { headers });
+    return fetchImpl(signed);
+  }
+  return (async (input, init2) => {
+    const req = input instanceof Request ? input : new Request(input, init2);
+    let resp = await signAndSend(req, 0);
+    if (resp.status === 401) {
+      const serverTimeMs = parseServerTimeMs(
+        resp.headers.get(SERVER_TIME_HEADER)
+      );
+      if (serverTimeMs !== null) {
+        const skew = serverTimeMs - nowMs();
+        if (Math.abs(skew) > 0) {
+          resp = await signAndSend(req, skew);
+        }
+      }
+    }
+    return resp;
+  });
+}
+// src/passes/pass.ts
+import { z as z6 } from "zod";
+var PASS_KINDS = [
+  "ride-ticket",
+  "transit-pass",
+  "event-ticket",
+  "voucher",
+  "loyalty",
+  "receipt-link"
+];
+var PASS_STATES = [
+  "issued",
+  "active",
+  "redeemed",
+  "expired",
+  "revoked"
+];
+var HexString2 = (length) => z6.string().regex(
+  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
+  `expected ${length}-byte hex string`
+);
+var PassMetadataSchema = z6.record(
+  z6.union([z6.string(), z6.number(), z6.boolean(), z6.null()])
+);
+var PassSchema = z6.object({
+  passId: z6.string().min(1),
+  /** Optional client/template grouping id (server may omit). */
+  templateId: z6.string().min(1).optional(),
+  /** Optional human-facing holder identity (server may omit). The cryptographic binding
+   *  is `holderDevicePubkey` below. */
+  holderUserId: z6.string().min(1).optional(),
+  kind: z6.enum(PASS_KINDS),
+  issuerId: z6.string().min(1),
+  issuedAtMs: z6.number().int().nonnegative(),
+  validFromMs: z6.number().int().nonnegative(),
+  validUntilMs: z6.number().int().positive(),
+  state: z6.enum(PASS_STATES),
+  metadata: PassMetadataSchema,
+  nonce: z6.string().min(1),
+  /** Device id this pass is bound to (FK to backend `device_keys`). */
+  holderDeviceId: z6.string().min(1),
+  /** 32-byte hex Ed25519 public key of the bound device. The redemption signature
+   *  is verified against this key — it is the security-critical binding. */
+  holderDevicePubkey: HexString2(32),
+  /** Optional fixed amount for monetary passes (vouchers, gift cards) in kobo. */
+  amountKobo: z6.number().int().nonnegative().optional(),
+  /** ISO-4217-ish currency code; required on the wire. SDK builders default to NGN. */
+  currency: z6.string().min(3).max(8),
+  /** Monotonic redemption counter floor. Redemption.counter MUST be > counterSeed. */
+  counterSeed: z6.number().int().nonnegative(),
+  /** Optional cumulative spend cap in kobo across all redemptions of this pass. */
+  cumulativeCapKobo: z6.number().int().nonnegative().optional(),
+  issuerSig: HexString2(64)
+}).refine((v) => v.validUntilMs > v.validFromMs, {
+  message: "validUntilMs must be greater than validFromMs"
+});
+function buildPass(input) {
+  if (input.validUntilMs <= input.validFromMs) {
+    throw new Error("validUntilMs must be greater than validFromMs");
+  }
+  const out = {
+    passId: input.passId,
+    kind: input.kind,
+    issuerId: input.issuerId,
+    issuedAtMs: input.issuedAtMs,
+    validFromMs: input.validFromMs,
+    validUntilMs: input.validUntilMs,
+    state: input.state,
+    metadata: input.metadata,
+    nonce: input.nonce,
+    holderDeviceId: input.holderDeviceId,
+    holderDevicePubkey: input.holderDevicePubkey,
+    currency: input.currency ?? "NGN",
+    counterSeed: input.counterSeed
+  };
+  if (typeof input.templateId === "string") out.templateId = input.templateId;
+  if (typeof input.holderUserId === "string")
+    out.holderUserId = input.holderUserId;
+  if (typeof input.amountKobo === "number") out.amountKobo = input.amountKobo;
+  if (typeof input.cumulativeCapKobo === "number") {
+    out.cumulativeCapKobo = input.cumulativeCapKobo;
+  }
+  return out;
+}
+function signPass(unsigned, issuerPrivateKey) {
+  const issuerSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  );
+  return { ...unsigned, issuerSig };
+}
+function verifyPass(pass, issuerPublicKey) {
+  try {
+    const parsed = PassSchema.parse(pass);
+    const { issuerSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(issuerSig),
+      issuerPublicKey
+    );
+  } catch {
+    return false;
+  }
+}
+function isPassWithinValidity(pass, nowMs) {
+  return nowMs >= pass.validFromMs && nowMs < pass.validUntilMs;
+}
+// src/passes/redemption.ts
+import { z as z7 } from "zod";
+var HexSig2 = z7.string().regex(/^[0-9a-fA-F]{128}$/, "expected 64-byte hex signature");
+var RedemptionSchema = z7.object({
+  pass: PassSchema,
+  redeemerId: z7.string().min(1),
+  redeemedAtMs: z7.number().int().nonnegative(),
+  /** Strictly monotonic counter scoped to a single pass. Must be > pass.counterSeed
+   *  and > the redeemer's lastSeenCounter for this pass. */
+  counter: z7.number().int().positive(),
+  /** Amount being redeemed in kobo (0 for non-monetary passes like ride tickets). */
+  amountKobo: z7.number().int().nonnegative(),
+  nonce: z7.string().min(1),
+  holderSig: HexSig2
+});
+var REDEEMABLE_STATES = /* @__PURE__ */ new Set(["issued", "active"]);
+function buildRedemption(input) {
+  if (!REDEEMABLE_STATES.has(input.pass.state)) {
+    throw new Error(`pass not in redeemable state: ${input.pass.state}`);
+  }
+  if (input.redeemedAtMs < input.pass.validFromMs) {
+    throw new Error("redeemedAtMs is before pass validFromMs");
+  }
+  if (input.redeemedAtMs >= input.pass.validUntilMs) {
+    throw new FlurExpiredError(
+      `pass ${input.pass.passId} expired at ${input.pass.validUntilMs}`
+    );
+  }
+  const now = typeof input.nowMs === "number" ? input.nowMs : input.redeemedAtMs;
+  if (now >= input.pass.validUntilMs) {
+    throw new FlurExpiredError(
+      `pass ${input.pass.passId} expired at ${input.pass.validUntilMs}`
+    );
+  }
+  if (!input.pass.holderDevicePubkey) {
+    throw new Error(
+      "pass.holderDevicePubkey is required to build a redemption"
+    );
+  }
+  const lastSeen = Math.max(
+    input.pass.counterSeed,
+    typeof input.lastSeenCounter === "number" ? input.lastSeenCounter : 0
+  );
+  if (input.counter <= lastSeen) {
+    throw new FlurReplayError(
+      `redemption counter ${input.counter} must be > lastSeenCounter ${lastSeen}`
+    );
+  }
+  const amount = input.amountKobo ?? 0;
+  if (typeof input.pass.cumulativeCapKobo === "number") {
+    const used = input.cumulativeUsedKobo ?? 0;
+    if (used + amount > input.pass.cumulativeCapKobo) {
+      throw new FlurCapExceededError(
+        `pass ${input.pass.passId} cap ${input.pass.cumulativeCapKobo} would be exceeded (used ${used} + ${amount})`
+      );
+    }
+  }
+  return {
+    pass: input.pass,
+    redeemerId: input.redeemerId,
+    redeemedAtMs: input.redeemedAtMs,
+    counter: input.counter,
+    amountKobo: amount,
+    nonce: input.nonce
+  };
+}
+function signRedemption(unsigned, holderDevicePrivateKey) {
+  const holderSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), holderDevicePrivateKey)
+  );
+  return { ...unsigned, holderSig };
+}
+function verifyRedemption(r, issuerPublicKey) {
+  try {
+    const parsed = RedemptionSchema.parse(r);
+    if (parsed.counter <= parsed.pass.counterSeed) return false;
+    const { issuerSig, ...passUnsigned } = parsed.pass;
+    if (!verify(
+      canonicalJSONBytes(passUnsigned),
+      hexToBytes(issuerSig),
+      issuerPublicKey
+    )) {
+      return false;
+    }
+    const holderHex = parsed.pass.holderDevicePubkey;
+    if (typeof holderHex !== "string") return false;
+    const { holderSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(holderSig),
+      hexToBytes(holderHex)
+    );
+  } catch {
+    return false;
+  }
+}
+// src/passes/client.ts
+function createPassesClient(opts) {
+  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+  if (!fetchImpl)
+    throw new Error("createPassesClient: no fetch implementation available");
+  const baseUrl = opts.baseUrl.replace(/\/$/, "");
+  async function call(method, path, body, parser) {
+    const init2 = {
+      method,
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      }
+    };
+    if (body !== void 0) init2.body = JSON.stringify(body);
+    const resp = await fetchImpl(`${baseUrl}${path}`, init2);
+    const text = await resp.text();
+    let raw = void 0;
+    if (text) {
+      try {
+        raw = JSON.parse(text);
+      } catch {
+      }
+    }
+    if (!resp.ok) {
+      const code = (raw && typeof raw === "object" && "code" in raw && typeof raw.code === "string" ? raw.code : void 0) ?? `http_${resp.status}`;
+      const message = (raw && typeof raw === "object" && "message" in raw && typeof raw.message === "string" ? raw.message : void 0) ?? `request failed with status ${resp.status}`;
+      throw new FlurApiError(resp.status, code, message, raw);
+    }
+    return parser(raw);
+  }
+  return {
+    issuePass: (input) => call("POST", "/v1/passes", input, (raw) => PassSchema.parse(raw)),
+    listPasses: (input) => {
+      const qs = new URLSearchParams();
+      if (input.holderDeviceId) qs.set("holderDeviceId", input.holderDeviceId);
+      if (input.holderUserId) qs.set("holderUserId", input.holderUserId);
+      if (input.state) qs.set("state", input.state);
+      if (input.kind) qs.set("kind", input.kind);
+      if (input.templateId) qs.set("templateId", input.templateId);
+      if (typeof input.limit === "number") qs.set("limit", String(input.limit));
+      if (input.cursor) qs.set("cursor", input.cursor);
+      const path = `/v1/passes${qs.size > 0 ? `?${qs.toString()}` : ""}`;
+      return call("GET", path, void 0, (raw) => {
+        const obj = raw;
+        const items = obj.items.map(
+          (it) => PassSchema.parse(it)
+        );
+        const nextCursor = typeof obj.nextCursor === "string" ? obj.nextCursor : null;
+        return { items, nextCursor };
+      });
+    },
+    getPass: (passId) => call(
+      "GET",
+      `/v1/passes/${encodeURIComponent(passId)}`,
+      void 0,
+      (raw) => PassSchema.parse(raw)
+    ),
+    redeemPass: (passId, redemption) => call(
+      "POST",
+      `/v1/passes/${encodeURIComponent(passId)}/redeem`,
+      RedemptionSchema.parse(redemption),
+      (raw) => PassSchema.parse(raw)
+    ),
+    revokePass: (passId, input) => call(
+      "POST",
+      `/v1/passes/${encodeURIComponent(passId)}/revoke`,
+      input,
+      (raw) => PassSchema.parse(raw)
+    ),
+    verifyPass: (pass, issuerPublicKey) => verifyPass(pass, issuerPublicKey)
+  };
+}
+// src/receipts/receipt.ts
+import { z as z8 } from "zod";
+var RECEIPT_CHANNELS = ["cash", "pass"];
+var RECEIPT_KINDS = RECEIPT_CHANNELS;
+var HexString3 = (length) => z8.string().regex(
+  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
+  `expected ${length}-byte hex string`
+);
+var ReceiptPayloadSchema = z8.record(
+  z8.union([z8.string(), z8.number(), z8.boolean(), z8.null()])
+);
+var ReceiptSchema = z8.object({
+  receiptId: z8.string().min(1),
+  channel: z8.enum(RECEIPT_CHANNELS),
+  /** Cash-channel: send_intents.id. Required when channel === 'cash'. */
+  intentId: z8.string().min(1).optional(),
+  /** Pass-channel: pass_redemptions.id. Required when channel === 'pass'. */
+  passRedemptionId: z8.string().min(1).optional(),
+  payerUserId: z8.string().min(1),
+  payeeUserId: z8.string().min(1),
+  amountKobo: z8.number().int().nonnegative(),
+  currency: z8.string().min(3).max(8),
+  issuedAtMs: z8.number().int().nonnegative(),
+  issuerId: z8.string().min(1),
+  payload: ReceiptPayloadSchema,
+  issuerSig: HexString3(64)
+}).superRefine((v, ctx) => {
+  if (v.channel === "cash") {
+    if (!v.intentId) {
+      ctx.addIssue({
+        code: z8.ZodIssueCode.custom,
+        message: "cash receipts require intentId",
+        path: ["intentId"]
+      });
+    }
+    if (v.passRedemptionId) {
+      ctx.addIssue({
+        code: z8.ZodIssueCode.custom,
+        message: "cash receipts must not carry passRedemptionId",
+        path: ["passRedemptionId"]
+      });
+    }
+  } else if (v.channel === "pass") {
+    if (!v.passRedemptionId) {
+      ctx.addIssue({
+        code: z8.ZodIssueCode.custom,
+        message: "pass receipts require passRedemptionId",
+        path: ["passRedemptionId"]
+      });
+    }
+    if (v.intentId) {
+      ctx.addIssue({
+        code: z8.ZodIssueCode.custom,
+        message: "pass receipts must not carry intentId",
+        path: ["intentId"]
+      });
+    }
+  }
+});
+function buildReceipt(input) {
+  if (input.channel === "cash") {
+    if (!input.intentId) {
+      throw new Error("cash receipts require intentId");
+    }
+    if (input.passRedemptionId) {
+      throw new Error("cash receipts must not carry passRedemptionId");
+    }
+  } else {
+    if (!input.passRedemptionId) {
+      throw new Error("pass receipts require passRedemptionId");
+    }
+    if (input.intentId) {
+      throw new Error("pass receipts must not carry intentId");
+    }
+  }
+  const out = {
+    receiptId: input.receiptId,
+    channel: input.channel,
+    payerUserId: input.payerUserId,
+    payeeUserId: input.payeeUserId,
+    amountKobo: input.amountKobo,
+    currency: input.currency,
+    issuedAtMs: input.issuedAtMs,
+    issuerId: input.issuerId,
+    payload: input.payload ?? {}
+  };
+  if (input.intentId) out.intentId = input.intentId;
+  if (input.passRedemptionId) out.passRedemptionId = input.passRedemptionId;
+  return out;
+}
+function signReceipt(unsigned, issuerPrivateKey) {
+  const issuerSig = bytesToHex(
+    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  );
+  return { ...unsigned, issuerSig };
+}
+function verifyReceipt(r, issuerPublicKey) {
+  try {
+    const parsed = ReceiptSchema.parse(r);
+    const { issuerSig, ...unsigned } = parsed;
+    return verify(
+      canonicalJSONBytes(unsigned),
+      hexToBytes(issuerSig),
+      issuerPublicKey
+    );
+  } catch {
+    return false;
+  }
+}
+// src/receipts/client.ts
+function createReceiptsClient(opts) {
+  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+  if (!fetchImpl)
+    throw new Error("createReceiptsClient: no fetch implementation available");
+  const baseUrl = opts.baseUrl.replace(/\/$/, "");
+  async function call(method, path, body, parser) {
+    const init2 = {
+      method,
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      }
+    };
+    if (body !== void 0) init2.body = JSON.stringify(body);
+    const resp = await fetchImpl(`${baseUrl}${path}`, init2);
+    const text = await resp.text();
+    let raw = void 0;
+    if (text) {
+      try {
+        raw = JSON.parse(text);
+      } catch {
+      }
+    }
+    if (!resp.ok) {
+      const code = raw && typeof raw === "object" && "code" in raw && typeof raw.code === "string" ? raw.code : `http_${resp.status}`;
+      const message = raw && typeof raw === "object" && "message" in raw && typeof raw.message === "string" ? raw.message : `request failed with status ${resp.status}`;
+      throw new FlurApiError(resp.status, code, message, raw);
+    }
+    return parser(raw);
+  }
+  const getById = (receiptId) => call(
+    "GET",
+    `/v1/receipts/${encodeURIComponent(receiptId)}`,
+    void 0,
+    (raw) => ReceiptSchema.parse(raw)
+  );
+  return {
+    issueReceipt: (input) => call("POST", "/v1/receipts", input, (raw) => ReceiptSchema.parse(raw)),
+    getReceipt: getById,
+    getById,
+    getByIntentId: (intentId) => call(
+      "GET",
+      `/v1/receipts/by-intent/${encodeURIComponent(intentId)}`,
+      void 0,
+      (raw) => ReceiptSchema.parse(raw)
+    ),
+    getByPassRedemptionId: (passRedemptionId) => call(
+      "GET",
+      `/v1/receipts/by-pass-redemption/${encodeURIComponent(passRedemptionId)}`,
+      void 0,
+      (raw) => ReceiptSchema.parse(raw)
+    ),
+    listForUser: (input) => {
+      const qs = new URLSearchParams();
+      if (input.payerUserId) qs.set("payerUserId", input.payerUserId);
+      if (input.payeeUserId) qs.set("payeeUserId", input.payeeUserId);
+      if (input.channel) qs.set("channel", input.channel);
+      if (typeof input.limit === "number") qs.set("limit", String(input.limit));
+      if (input.cursor) qs.set("cursor", input.cursor);
+      const path = `/v1/receipts${qs.size > 0 ? `?${qs.toString()}` : ""}`;
+      return call("GET", path, void 0, (raw) => {
+        const obj = raw;
+        const items = obj.items.map(
+          (it) => ReceiptSchema.parse(it)
+        );
+        const nextCursor = typeof obj.nextCursor === "string" ? obj.nextCursor : null;
+        return { items, nextCursor };
+      });
+    },
+    verifyReceipt: (receipt, issuerPublicKey) => verifyReceipt(receipt, issuerPublicKey)
+  };
+}
+// src/client/flur.ts
+function generateStaticQR(input) {
+  return encodeNQR({ ...input, pointOfInitiation: "static" });
+}
+function generateDynamicQR(input) {
+  return encodeNQR({ ...input, pointOfInitiation: "dynamic" });
+}
+function parseQR(payload) {
+  return parseNQR(payload);
+}
+function init(opts) {
+  const signedFetch = createHmacFetch({
+    apiKey: opts.apiKey,
+    apiSecret: opts.apiSecret,
+    fetchImpl: opts.fetchImpl,
+    scope: opts.scope
+  });
+  const baseUrl = opts.baseUrl.replace(/\/$/, "");
+  function subscribeToPayments(s) {
+    const controller = new AbortController();
+    let cancelled = false;
+    (async () => {
+      try {
+        const url = `${baseUrl}/v1/payments/subscribe?reference=${encodeURIComponent(s.reference)}`;
+        const resp = await signedFetch(url, {
+          method: "GET",
+          headers: { accept: "text/event-stream" },
+          signal: controller.signal
+        });
+        if (!resp.body) return;
+        const reader = resp.body.getReader();
+        const decoder = new TextDecoder();
+        let buffer = "";
+        while (!cancelled) {
+          const { value, done } = await reader.read();
+          if (done) return;
+          buffer += decoder.decode(value, { stream: true });
+          let idx;
+          while ((idx = buffer.indexOf("\n\n")) >= 0) {
+            const chunk = buffer.slice(0, idx);
+            buffer = buffer.slice(idx + 2);
+            for (const line of chunk.split("\n")) {
+              if (!line.startsWith("data:")) continue;
+              const json = line.slice(5).trim();
+              if (!json) continue;
+              try {
+                s.onEvent(JSON.parse(json));
+              } catch (err) {
+                s.onError?.(err);
+              }
+            }
+          }
+        }
+      } catch (err) {
+        if (!cancelled) s.onError?.(err);
+      }
+    })();
+    return () => {
+      cancelled = true;
+      controller.abort();
+    };
+  }
+  const cash = {
+    generateStaticQR,
+    generateDynamicQR,
+    parseQR,
+    subscribeToPayments
+  };
+  const passes = createPassesClient({ baseUrl, fetchImpl: signedFetch });
+  const receipts = createReceiptsClient({ baseUrl, fetchImpl: signedFetch });
+  return {
+    // top-level back-compat surface
+    generateStaticQR,
+    generateDynamicQR,
+    parseQR,
+    subscribeToPayments,
+    // namespaces
+    cash,
+    passes,
+    receipts
+  };
+}
 export {
+  ADDITIONAL_DATA_SUBFIELD,
+  FIELD,
+  FlurApiError,
+  FlurCapExceededError,
   FlurClient,
   FlurError,
+  FlurExpiredError,
+  FlurReplayError,
+  NGN_CURRENCY_CODE,
+  NG_COUNTRY_CODE,
+  NQRParseError,
+  OACSchema,
+  OAC_DEFAULT_CUMULATIVE_KOBO,
+  OAC_DEFAULT_PER_TX_KOBO,
+  OAC_DEFAULT_VALIDITY_MS,
+  OfflinePaymentAuthorizationSchema,
+  OfflinePaymentRequestSchema,
+  PASS_KINDS,
+  PASS_STATES,
+  PAYLOAD_FORMAT_INDICATOR_VALUE,
+  POINT_OF_INITIATION,
+  PassMetadataSchema,
+  PassSchema,
+  RECEIPT_CHANNELS,
+  RECEIPT_KINDS,
+  REPLAY_WINDOW_MS,
+  ReceiptPayloadSchema,
+  ReceiptSchema,
+  RedemptionSchema,
+  bodySha256Hex,
+  buildAuthorization,
+  buildOAC,
+  buildPass,
+  buildPaymentRequest,
+  buildReceipt,
+  buildRedemption,
+  canonicalJSONBytes,
+  canonicalJSONStringify,
+  canonicalRequestString,
+  constantTimeEqual,
+  crc16ccitt,
+  crc16ccittHex,
+  createHmacFetch,
+  createPassesClient,
+  createReceiptsClient,
+  decodeAuthorizationQR,
+  decodeBase45,
+  decodePaymentRequestQR,
+  encodeAuthorizationQR,
+  encodeBase45,
+  encodeNQR,
+  encodePaymentRequestQR,
   formatAmount,
+  generateDynamicQR,
+  generateKeyPair,
+  generateStaticQR,
+  init,
+  isPassWithinValidity,
   moneyMinorToNumber,
   normalizeE164,
-  parseAmountInput
+  parseAmountInput,
+  parseNQR,
+  parseQR,
+  publicKeyFromPrivate,
+  readTLV,
+  routingHint,
+  sign,
+  signAuthorization,
+  signCanonical,
+  signOAC,
+  signPass,
+  signPaymentRequest,
+  signReceipt,
+  signRedemption,
+  signRequestHMAC,
+  verify,
+  verifyAuthorization,
+  verifyCanonical,
+  verifyOAC,
+  verifyPass,
+  verifyPaymentRequest,
+  verifyReceipt,
+  verifyRedemption,
+  verifyRequestHMAC,
+  writeTLV
 };
 //# sourceMappingURL=index.js.map