@nokinc-flur/sdk 1.1.2 → 1.1.4

package/dist/index.cjs

@@ -29,6 +29,8 @@ __export(index_exports, {
   AccountSchema: () => AccountSchema,
   ApiCredentialPublicSchema: () => ApiCredentialPublicSchema,
   ArtifactHeaderSchema: () => ArtifactHeaderSchema,
+  AttestationSecurityLevelSchema: () => AttestationSecurityLevelSchema,
+  CLAIM_DOMAIN_V2: () => CLAIM_DOMAIN_V2,
   COLLECTION_INTENT_STATUSES: () => COLLECTION_INTENT_STATUSES,
   COLLECTION_PAYMENT_STATUSES: () => COLLECTION_PAYMENT_STATUSES,
   CUSTODIAL_MODES: () => CUSTODIAL_MODES,
@@ -47,6 +49,7 @@ __export(index_exports, {
   CreatePayoutInputSchema: () => CreatePayoutInputSchema,
   CreateWithdrawalInputSchema: () => CreateWithdrawalInputSchema,
   CreateWithdrawalResultSchema: () => CreateWithdrawalResultSchema,
+  DeviceKeyAlgSchema: () => DeviceKeyAlgSchema,
   DeviceKeyRecordSchema: () => DeviceKeyRecordSchema,
   DisableOfflineInputSchema: () => DisableOfflineInputSchema,
   DisableOfflineResultSchema: () => DisableOfflineResultSchema,
@@ -83,6 +86,7 @@ __export(index_exports, {
   OAC_DEFAULT_CUMULATIVE_KOBO: () => OAC_DEFAULT_CUMULATIVE_KOBO,
   OAC_DEFAULT_PER_TX_KOBO: () => OAC_DEFAULT_PER_TX_KOBO,
   OAC_DEFAULT_VALIDITY_MS: () => OAC_DEFAULT_VALIDITY_MS,
+  OFFLINE_CLAIM_SMS_PREFIX: () => OFFLINE_CLAIM_SMS_PREFIX,
   OfflineClaimArtifactSchema: () => OfflineClaimArtifactSchema,
   OfflineHoldRecordSchema: () => OfflineHoldRecordSchema,
   OfflinePaymentAuthorizationArtifactSchema: () => OfflinePaymentAuthorizationArtifactSchema,
@@ -91,6 +95,8 @@ __export(index_exports, {
   OfflineStateResultSchema: () => OfflineStateResultSchema,
   OfflineStatusResultSchema: () => OfflineStatusResultSchema,
   OfflineTokenSchema: () => OfflineTokenSchema,
+  P256EnrollmentChallengeInputSchema: () => P256EnrollmentChallengeInputSchema,
+  P256EnrollmentChallengeResultSchema: () => P256EnrollmentChallengeResultSchema,
   PARTNER_FUNDING_DIRECTIONS: () => PARTNER_FUNDING_DIRECTIONS,
   PARTNER_FUNDING_STATUSES: () => PARTNER_FUNDING_STATUSES,
   PARTNER_KINDS: () => PARTNER_KINDS,
@@ -114,6 +120,8 @@ __export(index_exports, {
   PayoutEventInputSchema: () => PayoutEventInputSchema,
   ProviderEventInputSchema: () => ProviderEventInputSchema,
   ProviderEventRecordSchema: () => ProviderEventRecordSchema,
+  ProvisionOfflineAllowanceInputSchema: () => ProvisionOfflineAllowanceInputSchema,
+  ProvisionOfflineAllowanceResultSchema: () => ProvisionOfflineAllowanceResultSchema,
   PublicCollectionIntentSchema: () => PublicCollectionIntentSchema,
   RECEIPT_CHANNELS: () => RECEIPT_CHANNELS,
   RECEIPT_KINDS: () => RECEIPT_KINDS,
@@ -125,6 +133,7 @@ __export(index_exports, {
   RecordPayoutEventResultSchema: () => RecordPayoutEventResultSchema,
   RedemptionSchema: () => RedemptionSchema,
   RegisterDeviceKeyInputSchema: () => RegisterDeviceKeyInputSchema,
+  RegisterDeviceKeyP256InputSchema: () => RegisterDeviceKeyP256InputSchema,
   ReversalRecordArtifactSchema: () => ReversalRecordArtifactSchema,
   RevokeDeviceKeyInputSchema: () => RevokeDeviceKeyInputSchema,
   SETTLEMENT_SCHEDULES: () => SETTLEMENT_SCHEDULES,
@@ -147,6 +156,8 @@ __export(index_exports, {
   buildPaymentRequest: () => buildPaymentRequest,
   buildReceipt: () => buildReceipt,
   buildRedemption: () => buildRedemption,
+  canonicalClaimSigningBytes: () => canonicalClaimSigningBytes,
+  canonicalClaimSigningPayload: () => canonicalClaimSigningPayload,
   canonicalJSONBytes: () => canonicalJSONBytes,
   canonicalJSONStringify: () => canonicalJSONStringify,
   canonicalRequestString: () => canonicalRequestString,
@@ -171,18 +182,21 @@ __export(index_exports, {
   createPassesClient: () => createPassesClient,
   createReceiptArtifactUri: () => createReceiptArtifactUri,
   createReceiptsClient: () => createReceiptsClient,
+  createSoftwareP256Signer: () => createSoftwareP256Signer,
   decodeArtifactUri: () => decodeArtifactUri,
   decodeAuthorizationQR: () => decodeAuthorizationQR,
   decodeBase45: () => decodeBase45,
+  decodeOfflineClaimSmsMessage: () => decodeOfflineClaimSmsMessage,
   decodePaymentRequestQR: () => decodePaymentRequestQR,
   encodeArtifactUri: () => encodeArtifactUri,
   encodeAuthorizationQR: () => encodeAuthorizationQR,
   encodeBase45: () => encodeBase45,
   encodeNQR: () => encodeNQR,
+  encodeOfflineClaimSmsMessage: () => encodeOfflineClaimSmsMessage,
   encodePaymentRequestQR: () => encodePaymentRequestQR,
+  extractOfflineClaimSmsToken: () => extractOfflineClaimSmsToken,
   formatAmount: () => formatAmount,
   generateDynamicQR: () => generateDynamicQR,
-  generateKeyPair: () => generateKeyPair,
   generateStaticQR: () => generateStaticQR,
   init: () => init,
   isHardenedArtifactType: () => isHardenedArtifactType,
@@ -193,13 +207,10 @@ __export(index_exports, {
   parseAmountInput: () => parseAmountInput,
   parseNQR: () => parseNQR,
   parseQR: () => parseQR,
-  publicKeyFromPrivate: () => publicKeyFromPrivate,
   readTLV: () => readTLV,
   routingHint: () => routingHint,
-  sign: () => sign,
   signArtifact: () => signArtifact,
   signAuthorization: () => signAuthorization,
-  signCanonical: () => signCanonical,
   signOAC: () => signOAC,
   signPartnerRequest: () => signPartnerRequest,
   signPass: () => signPass,
@@ -207,11 +218,10 @@ __export(index_exports, {
   signReceipt: () => signReceipt,
   signRedemption: () => signRedemption,
   signRequestHMAC: () => signRequestHMAC,
-  verify: () => verify,
   verifyArtifactSignature: () => verifyArtifactSignature,
   verifyArtifactUri: () => verifyArtifactUri,
   verifyAuthorization: () => verifyAuthorization,
-  verifyCanonical: () => verifyCanonical,
+  verifyClaimSignature: () => verifyClaimSignature,
   verifyOAC: () => verifyOAC,
   verifyPass: () => verifyPass,
   verifyPaymentRequest: () => verifyPaymentRequest,
@@ -1787,64 +1797,113 @@ function constantTimeEqual(a, b) {
   return diff === 0;
 }
 
-// src/crypto/ed25519.ts
-var import_ed25519 = require("@noble/curves/ed25519");
-function generateKeyPair() {
-  const privateKey = import_ed25519.ed25519.utils.randomPrivateKey();
-  const publicKey = import_ed25519.ed25519.getPublicKey(privateKey);
-  return { privateKey, publicKey };
+// src/offline/oac.ts
+var import_zod5 = require("zod");
+
+// src/crypto/p256-issuer.ts
+var import_nist = require("@noble/curves/nist");
+function bytesToBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  return btoa(bin);
 }
-function publicKeyFromPrivate(privateKey) {
-  return import_ed25519.ed25519.getPublicKey(privateKey);
+function base64ToBytes(b64) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(b64, "base64"));
+  }
+  const bin = atob(b64);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}
+var P256_SPKI_HEADER = new Uint8Array([
+  48,
+  89,
+  48,
+  19,
+  6,
+  7,
+  42,
+  134,
+  72,
+  206,
+  61,
+  2,
+  1,
+  6,
+  8,
+  42,
+  134,
+  72,
+  206,
+  61,
+  3,
+  1,
+  7,
+  3,
+  66,
+  0
+]);
+function p256SpkiB64ToRaw(spkiB64) {
+  const spki = base64ToBytes(spkiB64);
+  if (spki.length !== P256_SPKI_HEADER.length + 65) {
+    throw new Error("p256: invalid SPKI length");
+  }
+  for (let i = 0; i < P256_SPKI_HEADER.length; i++) {
+    if (spki[i] !== P256_SPKI_HEADER[i]) {
+      throw new Error("p256: invalid SPKI header");
+    }
+  }
+  return spki.slice(P256_SPKI_HEADER.length);
 }
-function sign(message, privateKey) {
-  return import_ed25519.ed25519.sign(message, privateKey);
+function signIssuerP256(bytes, issuerPrivateKey) {
+  const sig = import_nist.p256.sign(bytes, issuerPrivateKey, { prehash: true });
+  return bytesToBase64(sig.toBytes("der"));
 }
-function verify(message, signature, publicKey) {
+function verifyIssuerP256(bytes, signatureB64, issuerPublicKeySpkiB64) {
   try {
-    return import_ed25519.ed25519.verify(signature, message, publicKey);
+    const pubRaw = p256SpkiB64ToRaw(issuerPublicKeySpkiB64);
+    const sigBytes = base64ToBytes(signatureB64);
+    return import_nist.p256.verify(sigBytes, bytes, pubRaw, {
+      prehash: true,
+      format: "der"
+    });
   } catch {
     return false;
   }
 }
-function signCanonical(value, privateKey) {
-  return sign(canonicalJSONBytes(value), privateKey);
-}
-function verifyCanonical(value, signature, publicKey) {
-  return verify(canonicalJSONBytes(value), signature, publicKey);
-}
 
 // src/offline/oac.ts
-var import_zod5 = require("zod");
 var OAC_DEFAULT_PER_TX_KOBO = 5e5;
 var OAC_DEFAULT_CUMULATIVE_KOBO = 2e6;
 var OAC_DEFAULT_VALIDITY_MS = 24 * 60 * 60 * 1e3;
-var HexString = (length) => import_zod5.z.string().regex(
-  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
-  `expected ${length}-byte hex string`
-);
+var Base64Std = import_zod5.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/, "expected base64 (standard) string");
 var OACSchema = import_zod5.z.object({
   userId: import_zod5.z.string().min(1),
   deviceId: import_zod5.z.string().min(1),
-  devicePublicKey: HexString(32),
+  /** SubjectPublicKeyInfo DER, base64 (P-256). */
+  devicePublicKey: Base64Std,
   perTxCapKobo: import_zod5.z.number().int().nonnegative(),
   cumulativeCapKobo: import_zod5.z.number().int().nonnegative(),
   validFromMs: import_zod5.z.number().int().nonnegative(),
   validUntilMs: import_zod5.z.number().int().positive(),
   counterSeed: import_zod5.z.number().int().nonnegative(),
   nonce: import_zod5.z.string().min(1),
-  issuerSig: HexString(64)
+  /** ASN.1 DER ECDSA(SHA-256) signature, base64. */
+  issuerSig: Base64Std
 }).refine((v) => v.validUntilMs > v.validFromMs, {
   message: "validUntilMs must be greater than validFromMs"
 }).refine((v) => v.perTxCapKobo <= v.cumulativeCapKobo, {
   message: "perTxCapKobo must not exceed cumulativeCapKobo"
 });
 function buildOAC(input) {
-  const devicePublicKey = typeof input.devicePublicKey === "string" ? input.devicePublicKey : bytesToHex(input.devicePublicKey);
   return {
     userId: input.userId,
     deviceId: input.deviceId,
-    devicePublicKey,
+    devicePublicKey: input.devicePublicKey,
     perTxCapKobo: input.perTxCapKobo ?? OAC_DEFAULT_PER_TX_KOBO,
     cumulativeCapKobo: input.cumulativeCapKobo ?? OAC_DEFAULT_CUMULATIVE_KOBO,
     validFromMs: input.validFromMs,
@@ -1854,36 +1913,25 @@ function buildOAC(input) {
   };
 }
 function signOAC(unsigned, issuerPrivateKey) {
-  const issuerSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  const issuerSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    issuerPrivateKey
   );
   return { ...unsigned, issuerSig };
 }
-function verifyOAC(oac, issuerPublicKey) {
+function verifyOAC(oac, issuerPublicKeySpkiB64) {
   try {
     const parsed = OACSchema.parse(oac);
     const { issuerSig, ...unsigned } = parsed;
-    return verify(
+    return verifyIssuerP256(
       canonicalJSONBytes(unsigned),
-      hexToBytes(issuerSig),
-      issuerPublicKey
+      issuerSig,
+      issuerPublicKeySpkiB64
     );
   } catch {
     return false;
   }
 }
-function bytesToHex(b) {
-  let s = "";
-  for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
-  return s;
-}
-function hexToBytes(s) {
-  if (s.length % 2 !== 0) throw new Error("hex: odd length");
-  const out = new Uint8Array(s.length / 2);
-  for (let i = 0; i < out.length; i++)
-    out[i] = parseInt(s.slice(i * 2, i * 2 + 2), 16);
-  return out;
-}
 
 // src/offline/codec.ts
 var ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:";
@@ -1940,19 +1988,19 @@ function decodeBase45(s) {
 
 // src/offline/messages.ts
 var import_zod6 = require("zod");
-var HexSig = import_zod6.z.string().regex(/^[0-9a-fA-F]{128}$/, "expected 64-byte hex signature");
+var Base64Sig = import_zod6.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/, "expected base64 (standard) signature");
 var OfflinePaymentRequestSchema = import_zod6.z.object({
   reference: import_zod6.z.string().min(1),
   amountKobo: import_zod6.z.number().int().positive(),
   merchantOAC: OACSchema,
   expiresAtMs: import_zod6.z.number().int().positive(),
-  merchantSig: HexSig
+  merchantSig: Base64Sig
 });
 var OfflinePaymentAuthorizationSchema = import_zod6.z.object({
   request: OfflinePaymentRequestSchema,
   payerOAC: OACSchema,
   payerCounter: import_zod6.z.number().int().positive(),
-  payerSig: HexSig
+  payerSig: Base64Sig
 });
 function buildPaymentRequest(input) {
   if (!Number.isInteger(input.amountKobo) || input.amountKobo <= 0) {
@@ -1969,27 +2017,28 @@ function buildPaymentRequest(input) {
   };
 }
 function signPaymentRequest(unsigned, merchantDevicePrivateKey) {
-  const merchantSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), merchantDevicePrivateKey)
+  const merchantSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    merchantDevicePrivateKey
   );
   return { ...unsigned, merchantSig };
 }
-function verifyPaymentRequest(req, issuerPublicKey) {
+function verifyPaymentRequest(req, issuerPublicKeySpkiB64) {
   try {
     const parsed = OfflinePaymentRequestSchema.parse(req);
     const { issuerSig: merchantOacSig, ...merchantOacUnsigned } = parsed.merchantOAC;
-    if (!verify(
+    if (!verifyIssuerP256(
       canonicalJSONBytes(merchantOacUnsigned),
-      hexToBytes(merchantOacSig),
-      issuerPublicKey
+      merchantOacSig,
+      issuerPublicKeySpkiB64
     )) {
       return false;
     }
     const { merchantSig, ...unsigned } = parsed;
-    return verify(
+    return verifyIssuerP256(
       canonicalJSONBytes(unsigned),
-      hexToBytes(merchantSig),
-      hexToBytes(parsed.merchantOAC.devicePublicKey)
+      merchantSig,
+      parsed.merchantOAC.devicePublicKey
     );
   } catch {
     return false;
@@ -2009,28 +2058,30 @@ function buildAuthorization(input) {
   };
 }
 function signAuthorization(unsigned, payerDevicePrivateKey) {
-  const payerSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), payerDevicePrivateKey)
+  const payerSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    payerDevicePrivateKey
   );
   return { ...unsigned, payerSig };
 }
-function verifyAuthorization(auth, issuerPublicKey) {
+function verifyAuthorization(auth, issuerPublicKeySpkiB64) {
   try {
     const parsed = OfflinePaymentAuthorizationSchema.parse(auth);
-    if (!verifyPaymentRequest(parsed.request, issuerPublicKey)) return false;
+    if (!verifyPaymentRequest(parsed.request, issuerPublicKeySpkiB64))
+      return false;
     const { issuerSig: payerOacSig, ...payerOacUnsigned } = parsed.payerOAC;
-    if (!verify(
+    if (!verifyIssuerP256(
       canonicalJSONBytes(payerOacUnsigned),
-      hexToBytes(payerOacSig),
-      issuerPublicKey
+      payerOacSig,
+      issuerPublicKeySpkiB64
     )) {
       return false;
     }
     const { payerSig, ...unsigned } = parsed;
-    return verify(
+    return verifyIssuerP256(
       canonicalJSONBytes(unsigned),
-      hexToBytes(payerSig),
-      hexToBytes(parsed.payerOAC.devicePublicKey)
+      payerSig,
+      parsed.payerOAC.devicePublicKey
     );
   } catch {
     return false;
@@ -2086,10 +2137,14 @@ var PaymentClaimSchema = import_zod7.z.object({
   occurredAtMs: import_zod7.z.number().int().nonnegative(),
   completedAtMs: import_zod7.z.number().int().nonnegative().optional(),
   contextId: import_zod7.z.string().optional(),
-  payerPubkey: import_zod7.z.string().regex(/^[0-9a-f]{64}$/i),
-  payerSignature: import_zod7.z.string().regex(/^[0-9a-f]+$/i),
-  payeePubkey: import_zod7.z.string().regex(/^[0-9a-f]{64}$/i).optional(),
-  payeeSignature: import_zod7.z.string().regex(/^[0-9a-f]+$/i).optional()
+  // Stage 2c: P-256 device keys are now SubjectPublicKeyInfo DER, base64.
+  // Signatures are ASN.1 DER ECDSA(SHA-256), base64. Backwards-incompatible
+  // wire change; the backend has the matching widening in offline-settlements
+  // service + zod schema.
+  payerPubkey: import_zod7.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/),
+  payerSignature: import_zod7.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/),
+  payeePubkey: import_zod7.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/).optional(),
+  payeeSignature: import_zod7.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/).optional()
 });
 var SettlementSchema = import_zod7.z.object({
   settlementId: import_zod7.z.string().uuid(),
@@ -2517,10 +2572,6 @@ var PASS_STATES = [
   "expired",
   "revoked"
 ];
-var HexString2 = (length) => import_zod9.z.string().regex(
-  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
-  `expected ${length}-byte hex string`
-);
 var PassMetadataSchema = import_zod9.z.record(
   import_zod9.z.union([import_zod9.z.string(), import_zod9.z.number(), import_zod9.z.boolean(), import_zod9.z.null()])
 );
@@ -2541,9 +2592,9 @@ var PassSchema = import_zod9.z.object({
   nonce: import_zod9.z.string().min(1),
   /** Device id this pass is bound to (FK to backend `device_keys`). */
   holderDeviceId: import_zod9.z.string().min(1),
-  /** 32-byte hex Ed25519 public key of the bound device. The redemption signature
-   *  is verified against this key — it is the security-critical binding. */
-  holderDevicePubkey: HexString2(32),
+  /** SubjectPublicKeyInfo DER (P-256) of the bound device, base64. The redemption
+   *  signature is verified against this key — it is the security-critical binding. */
+  holderDevicePubkey: import_zod9.z.string().min(64).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/),
   /** Optional fixed amount for monetary passes (vouchers, gift cards) in kobo. */
   amountKobo: import_zod9.z.number().int().nonnegative().optional(),
   /** ISO-4217-ish currency code; required on the wire. SDK builders default to NGN. */
@@ -2552,7 +2603,8 @@ var PassSchema = import_zod9.z.object({
   counterSeed: import_zod9.z.number().int().nonnegative(),
   /** Optional cumulative spend cap in kobo across all redemptions of this pass. */
   cumulativeCapKobo: import_zod9.z.number().int().nonnegative().optional(),
-  issuerSig: HexString2(64)
+  /** ASN.1 DER ECDSA P-256 signature, base64. */
+  issuerSig: import_zod9.z.string().min(64).max(2048).regex(/^[A-Za-z0-9+/]+={0,2}$/)
 }).refine((v) => v.validUntilMs > v.validFromMs, {
   message: "validUntilMs must be greater than validFromMs"
 });
@@ -2585,19 +2637,20 @@ function buildPass(input) {
   return out;
 }
 function signPass(unsigned, issuerPrivateKey) {
-  const issuerSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  const issuerSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    issuerPrivateKey
   );
   return { ...unsigned, issuerSig };
 }
-function verifyPass(pass, issuerPublicKey) {
+function verifyPass(pass, issuerPublicKeySpkiB64) {
   try {
     const parsed = PassSchema.parse(pass);
     const { issuerSig, ...unsigned } = parsed;
-    return verify(
+    return verifyIssuerP256(
       canonicalJSONBytes(unsigned),
-      hexToBytes(issuerSig),
-      issuerPublicKey
+      issuerSig,
+      issuerPublicKeySpkiB64
     );
   } catch {
     return false;
@@ -2609,7 +2662,7 @@ function isPassWithinValidity(pass, nowMs) {
 
 // src/passes/redemption.ts
 var import_zod10 = require("zod");
-var HexSig2 = import_zod10.z.string().regex(/^[0-9a-fA-F]{128}$/, "expected 64-byte hex signature");
+var Base64Std2 = import_zod10.z.string().min(16).max(2048).regex(/^[A-Za-z0-9+/]+={0,2}$/, "expected base64 (std)");
 var RedemptionSchema = import_zod10.z.object({
   pass: PassSchema,
   redeemerId: import_zod10.z.string().min(1),
@@ -2620,7 +2673,8 @@ var RedemptionSchema = import_zod10.z.object({
   /** Amount being redeemed in kobo (0 for non-monetary passes like ride tickets). */
   amountKobo: import_zod10.z.number().int().nonnegative(),
   nonce: import_zod10.z.string().min(1),
-  holderSig: HexSig2
+  /** ASN.1 DER ECDSA P-256 signature over canonicalJSONBytes(unsigned), base64. */
+  holderSig: Base64Std2
 });
 var REDEEMABLE_STATES = /* @__PURE__ */ new Set(["issued", "active"]);
 function buildRedemption(input) {
@@ -2674,31 +2728,28 @@ function buildRedemption(input) {
   };
 }
 function signRedemption(unsigned, holderDevicePrivateKey) {
-  const holderSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), holderDevicePrivateKey)
+  const holderSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    holderDevicePrivateKey
   );
   return { ...unsigned, holderSig };
 }
-function verifyRedemption(r, issuerPublicKey) {
+function verifyRedemption(r, issuerPublicKeySpkiB64) {
   try {
     const parsed = RedemptionSchema.parse(r);
     if (parsed.counter <= parsed.pass.counterSeed) return false;
     const { issuerSig, ...passUnsigned } = parsed.pass;
-    if (!verify(
+    if (!verifyIssuerP256(
       canonicalJSONBytes(passUnsigned),
-      hexToBytes(issuerSig),
-      issuerPublicKey
+      issuerSig,
+      issuerPublicKeySpkiB64
     )) {
       return false;
     }
-    const holderHex = parsed.pass.holderDevicePubkey;
-    if (typeof holderHex !== "string") return false;
+    const holderPub = parsed.pass.holderDevicePubkey;
+    if (typeof holderPub !== "string") return false;
     const { holderSig, ...unsigned } = parsed;
-    return verify(
-      canonicalJSONBytes(unsigned),
-      hexToBytes(holderSig),
-      hexToBytes(holderHex)
-    );
+    return verifyIssuerP256(canonicalJSONBytes(unsigned), holderSig, holderPub);
   } catch {
     return false;
   }
@@ -2708,10 +2759,6 @@ function verifyRedemption(r, issuerPublicKey) {
 var import_zod11 = require("zod");
 var RECEIPT_CHANNELS = ["cash", "pass"];
 var RECEIPT_KINDS = RECEIPT_CHANNELS;
-var HexString3 = (length) => import_zod11.z.string().regex(
-  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
-  `expected ${length}-byte hex string`
-);
 var ReceiptPayloadSchema = import_zod11.z.record(
   import_zod11.z.union([import_zod11.z.string(), import_zod11.z.number(), import_zod11.z.boolean(), import_zod11.z.null()])
 );
@@ -2729,7 +2776,8 @@ var ReceiptSchema = import_zod11.z.object({
   issuedAtMs: import_zod11.z.number().int().nonnegative(),
   issuerId: import_zod11.z.string().min(1),
   payload: ReceiptPayloadSchema,
-  issuerSig: HexString3(64)
+  /** ASN.1 DER ECDSA P-256 signature, base64. */
+  issuerSig: import_zod11.z.string().min(64).max(2048).regex(/^[A-Za-z0-9+/]+={0,2}$/)
 }).superRefine((v, ctx) => {
   if (v.channel === "cash") {
     if (!v.intentId) {
@@ -2795,19 +2843,20 @@ function buildReceipt(input) {
   return out;
 }
 function signReceipt(unsigned, issuerPrivateKey) {
-  const issuerSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  const issuerSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    issuerPrivateKey
   );
   return { ...unsigned, issuerSig };
 }
-function verifyReceipt(r, issuerPublicKey) {
+function verifyReceipt(r, issuerPublicKeySpkiB64) {
   try {
     const parsed = ReceiptSchema.parse(r);
     const { issuerSig, ...unsigned } = parsed;
-    return verify(
+    return verifyIssuerP256(
       canonicalJSONBytes(unsigned),
-      hexToBytes(issuerSig),
-      issuerPublicKey
+      issuerSig,
+      issuerPublicKeySpkiB64
     );
   } catch {
     return false;
@@ -3142,17 +3191,49 @@ function createAccountsClient(opts) {
 // src/me-offline/client.ts
 var import_zod13 = require("zod");
 var Hex64 = import_zod13.z.string().regex(/^[0-9a-f]{64}$/i);
-var HexAny = import_zod13.z.string().regex(/^[0-9a-f]+$/i);
 var Sha256Hex = import_zod13.z.string().regex(/^[0-9a-f]{64}$/i);
+var Base64Std3 = import_zod13.z.string().regex(/^[A-Za-z0-9+/]+={0,2}$/);
 var RegisterDeviceKeyInputSchema = import_zod13.z.object({
   deviceId: import_zod13.z.string().min(1).max(128),
   publicKeyHex: Hex64
 });
+var AttestationSecurityLevelSchema = import_zod13.z.enum([
+  "STRONGBOX",
+  "TEE",
+  "SECURE_ENCLAVE",
+  "SOFTWARE"
+]);
+var DeviceKeyAlgSchema = import_zod13.z.literal("p256");
+var RegisterDeviceKeyP256InputSchema = import_zod13.z.object({
+  deviceId: import_zod13.z.string().min(1).max(128),
+  /** P-256 SubjectPublicKeyInfo DER, base64. */
+  publicKeySpkiB64: Base64Std3.min(64).max(4096),
+  /** Base64 of the server-issued enrollment challenge string. */
+  challengeB64: Base64Std3.min(8).max(1024),
+  /** iOS App Attest payload or Android X.509 Key Attestation chain. */
+  attestationChainB64: import_zod13.z.array(Base64Std3.min(16).max(16384)).min(1).max(16),
+  securityLevel: AttestationSecurityLevelSchema
+});
+var P256EnrollmentChallengeInputSchema = import_zod13.z.object({
+  deviceId: import_zod13.z.string().min(1).max(128)
+});
+var P256EnrollmentChallengeResultSchema = import_zod13.z.object({
+  challenge: import_zod13.z.string().min(16),
+  expiresAtMs: import_zod13.z.number().int().positive()
+});
 var DeviceKeyRecordSchema = import_zod13.z.object({
   id: import_zod13.z.string().uuid(),
   userId: import_zod13.z.string().uuid(),
   deviceId: import_zod13.z.string(),
-  publicKeyHex: Hex64,
+  /** Always 'p256' on the consumer offline rail. Field retained for forward-compat. */
+  alg: DeviceKeyAlgSchema.default("p256"),
+  /** Legacy ed25519 hex key. Always null on new records (kept for back-compat reads). */
+  publicKeyHex: Hex64.nullable().default(null),
+  /** P-256 SubjectPublicKeyInfo DER, base64. Required for new records. */
+  publicKeySpkiB64: Base64Std3.nullable().default(null),
+  securityLevel: AttestationSecurityLevelSchema.nullable().default(null),
+  hardwareBacked: import_zod13.z.boolean().default(false),
+  attestedAtMs: import_zod13.z.number().int().nonnegative().nullable().default(null),
   createdAtMs: import_zod13.z.number().int().nonnegative(),
   revokedAtMs: import_zod13.z.number().int().nonnegative().nullable()
 });
@@ -3161,7 +3242,10 @@ var ConsumerOACSchema = import_zod13.z.object({
   issuerId: import_zod13.z.string().min(1).max(64),
   userId: import_zod13.z.string().uuid(),
   deviceId: import_zod13.z.string().min(1).max(128),
-  devicePubkeyHex: Hex64,
+  /** Always 'p256'. Field retained for forward-compat. */
+  alg: import_zod13.z.literal("p256").default("p256"),
+  /** P-256 SubjectPublicKeyInfo DER, base64. */
+  devicePubkeySpkiB64: Base64Std3.min(64).max(4096),
   perTxCapKobo: import_zod13.z.number().int().positive(),
   cumulativeCapKobo: import_zod13.z.number().int().positive(),
   currency: import_zod13.z.string().length(3),
@@ -3172,8 +3256,10 @@ var ConsumerOACSchema = import_zod13.z.object({
 });
 var SignedConsumerOACSchema = import_zod13.z.object({
   oac: ConsumerOACSchema,
-  issuerSig: HexAny,
-  issuerPublicKeyHex: Hex64
+  /** ASN.1 DER ECDSA P-256 issuer signature, base64. */
+  issuerSig: Base64Std3.min(16).max(2048),
+  /** Issuer's P-256 public key as SubjectPublicKeyInfo DER, base64. */
+  issuerPublicKeySpkiB64: Base64Std3.min(64).max(4096)
 });
 var OACRecordSchema = SignedConsumerOACSchema.extend({
   currentOfflineSpentKobo: import_zod13.z.number().int().nonnegative(),
@@ -3205,6 +3291,7 @@ var EnableOfflineInputSchema = import_zod13.z.object({
   installId: import_zod13.z.string().min(1).max(128),
   partnerId: import_zod13.z.string().min(1).max(64).optional()
 });
+var ProvisionOfflineAllowanceInputSchema = EnableOfflineInputSchema;
 var DisableOfflineInputSchema = import_zod13.z.object({
   deviceId: import_zod13.z.string().min(1).max(128),
   installId: import_zod13.z.string().min(1).max(128).optional(),
@@ -3242,6 +3329,7 @@ var EnableOfflineResultSchema = import_zod13.z.object({
   hold: OfflineHoldRecordSchema,
   oac: OACRecordSchema
 });
+var ProvisionOfflineAllowanceResultSchema = EnableOfflineResultSchema;
 var DisableOfflineResultSchema = import_zod13.z.object({
   hold: OfflineHoldRecordSchema,
   trusted: import_zod13.z.boolean(),
@@ -3255,6 +3343,8 @@ var OfflineStateResultSchema = import_zod13.z.object({
   active: OACRecordSchema.nullable()
 });
 var ConsumerPaymentClaimSchema = import_zod13.z.object({
+  /** Always 'p256'. Retained for forward-compat and as an explicit domain marker. */
+  alg: import_zod13.z.literal("p256").default("p256"),
   oacId: import_zod13.z.string().uuid(),
   encounterId: Sha256Hex.optional(),
   payerUserId: import_zod13.z.string().uuid(),
@@ -3267,10 +3357,10 @@ var ConsumerPaymentClaimSchema = import_zod13.z.object({
   occurredAtMs: import_zod13.z.number().int().nonnegative(),
   completedAtMs: import_zod13.z.number().int().nonnegative().optional(),
   contextId: import_zod13.z.string().max(128).optional(),
-  payerPubkeyHex: Hex64,
-  payerSignature: HexAny,
-  payeePubkeyHex: Hex64.optional(),
-  payeeSignature: HexAny.optional()
+  payerPubkeySpkiB64: Base64Std3.min(64).max(4096),
+  payerSignatureDerB64: Base64Std3.min(16).max(2048),
+  payeePubkeySpkiB64: Base64Std3.min(64).max(4096).optional(),
+  payeeSignatureDerB64: Base64Std3.min(16).max(2048).optional()
 });
 var ConsumerSettlementSchema = import_zod13.z.object({
   settlementId: import_zod13.z.string().uuid(),
@@ -3284,7 +3374,8 @@ var ConsumerSettlementSchema = import_zod13.z.object({
   status: import_zod13.z.enum(["SETTLED", "REVIEW"]),
   reviewReason: import_zod13.z.string().nullable(),
   ledgerRef: import_zod13.z.string().nullable(),
-  issuerSig: HexAny,
+  /** ASN.1 DER ECDSA P-256 issuer signature, base64. */
+  issuerSig: Base64Std3.min(16).max(2048),
   createdAtMs: import_zod13.z.number().int().nonnegative()
 });
 var ConsumerSettleResultSchema = import_zod13.z.object({
@@ -3336,6 +3427,18 @@ function createMeOfflineClient(opts) {
       RegisterDeviceKeyInputSchema.parse(input),
       (raw) => DeviceKeyRecordSchema.parse(raw)
     ),
+    issueP256EnrollmentChallenge: (input) => call(
+      "POST",
+      "/v1/me/offline/keys/p256/challenge",
+      P256EnrollmentChallengeInputSchema.parse(input),
+      (raw) => P256EnrollmentChallengeResultSchema.parse(raw)
+    ),
+    registerDeviceKeyP256: (input) => call(
+      "POST",
+      "/v1/me/offline/keys/p256",
+      RegisterDeviceKeyP256InputSchema.parse(input),
+      (raw) => DeviceKeyRecordSchema.parse(raw)
+    ),
     listDeviceKeys: () => call(
       "GET",
       "/v1/me/offline/keys",
@@ -3348,6 +3451,12 @@ function createMeOfflineClient(opts) {
       RevokeDeviceKeyInputSchema.parse(input),
       () => void 0
     ),
+    provisionAllowance: (input) => call(
+      "POST",
+      "/v1/me/offline/allowance",
+      ProvisionOfflineAllowanceInputSchema.parse(input),
+      (raw) => ProvisionOfflineAllowanceResultSchema.parse(raw)
+    ),
     enable: (input) => call(
       "POST",
       "/v1/me/offline/enable",
@@ -3393,6 +3502,185 @@ function createMeOfflineClient(opts) {
   };
 }
 
+// src/me-offline/signer.ts
+var import_nist2 = require("@noble/curves/nist");
+var CLAIM_DOMAIN_V2 = "flur:consumer-offline:v2:claim";
+function canonicalClaimSigningPayload(claim) {
+  return {
+    domain: CLAIM_DOMAIN_V2,
+    alg: claim.alg,
+    oacId: claim.oacId,
+    payerUserId: claim.payerUserId,
+    payeeUserId: claim.payeeUserId,
+    payerDeviceId: claim.payerDeviceId,
+    payerNonce: claim.payerNonce,
+    payeeNonce: claim.payeeNonce,
+    amountKobo: claim.amountKobo,
+    currency: claim.currency,
+    occurredAtMs: claim.occurredAtMs,
+    completedAtMs: claim.completedAtMs ?? null,
+    contextId: claim.contextId ?? null
+  };
+}
+function canonicalClaimSigningBytes(claim) {
+  return canonicalJSONBytes(canonicalClaimSigningPayload(claim));
+}
+function bytesToBase642(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  return btoa(bin);
+}
+function base64ToBytes2(b64) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(b64, "base64"));
+  }
+  const bin = atob(b64);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}
+var P256_SPKI_HEADER2 = new Uint8Array([
+  48,
+  89,
+  48,
+  19,
+  6,
+  7,
+  42,
+  134,
+  72,
+  206,
+  61,
+  2,
+  1,
+  6,
+  8,
+  42,
+  134,
+  72,
+  206,
+  61,
+  3,
+  1,
+  7,
+  3,
+  66,
+  0
+]);
+function p256PublicKeyToSpkiB64(rawUncompressed) {
+  if (rawUncompressed.length !== 65 || rawUncompressed[0] !== 4) {
+    throw new Error("p256: expected 65-byte uncompressed point");
+  }
+  const out = new Uint8Array(P256_SPKI_HEADER2.length + rawUncompressed.length);
+  out.set(P256_SPKI_HEADER2, 0);
+  out.set(rawUncompressed, P256_SPKI_HEADER2.length);
+  return bytesToBase642(out);
+}
+function p256SpkiB64ToPublicKey(spkiB64) {
+  const spki = base64ToBytes2(spkiB64);
+  if (spki.length !== P256_SPKI_HEADER2.length + 65) {
+    throw new Error("p256: invalid SPKI length");
+  }
+  for (let i = 0; i < P256_SPKI_HEADER2.length; i++) {
+    if (spki[i] !== P256_SPKI_HEADER2[i]) {
+      throw new Error("p256: invalid SPKI header");
+    }
+  }
+  return spki.slice(P256_SPKI_HEADER2.length);
+}
+function createSoftwareP256Signer(privateKey) {
+  const raw = import_nist2.p256.getPublicKey(privateKey, false);
+  const spkiB64 = p256PublicKeyToSpkiB64(raw);
+  return {
+    alg: "p256",
+    async getPublicKey() {
+      return { alg: "p256", publicKey: spkiB64 };
+    },
+    async sign(bytes) {
+      const sig = import_nist2.p256.sign(bytes, privateKey, { prehash: true });
+      const der = sig.toBytes("der");
+      return { alg: "p256", signature: bytesToBase642(der) };
+    }
+  };
+}
+function verifyClaimSignature(input) {
+  try {
+    if (input.alg !== "p256") return false;
+    const sigDer = base64ToBytes2(input.signature);
+    const pub = p256SpkiB64ToPublicKey(input.publicKey);
+    return import_nist2.p256.verify(sigDer, input.bytes, pub, {
+      prehash: true,
+      format: "der"
+    });
+  } catch {
+    return false;
+  }
+}
+
+// src/me-offline/sms.ts
+var OFFLINE_CLAIM_SMS_PREFIX = "FLURC1.";
+var TOKEN_RE = /(?:^|\s)(FLURC1\.[A-Za-z0-9_-]+={0,2})(?:\s|$)/;
+function encodeOfflineClaimSmsMessage(claim) {
+  const parsed = ConsumerPaymentClaimSchema.parse(claim);
+  const json = JSON.stringify(parsed);
+  return `${OFFLINE_CLAIM_SMS_PREFIX}${base64UrlEncodeUtf8(json)}`;
+}
+function decodeOfflineClaimSmsMessage(message) {
+  const token = extractOfflineClaimSmsToken(message);
+  if (!token) {
+    throw new Error("offline claim SMS token not found");
+  }
+  const encoded = token.slice(OFFLINE_CLAIM_SMS_PREFIX.length);
+  let raw;
+  try {
+    raw = JSON.parse(base64UrlDecodeUtf8(encoded));
+  } catch {
+    throw new Error("offline claim SMS token is malformed");
+  }
+  const parsed = ConsumerPaymentClaimSchema.safeParse(raw);
+  if (!parsed.success) {
+    throw new Error("offline claim SMS token is invalid");
+  }
+  return parsed.data;
+}
+function extractOfflineClaimSmsToken(message) {
+  const trimmed = message.trim();
+  if (trimmed.startsWith(OFFLINE_CLAIM_SMS_PREFIX)) {
+    return trimmed.split(/\s+/, 1)[0] ?? null;
+  }
+  return TOKEN_RE.exec(message)?.[1] ?? null;
+}
+function base64UrlEncodeUtf8(input) {
+  const bytes = new TextEncoder().encode(input);
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  const base64 = typeof btoa === "function" ? btoa(binary) : typeof Buffer !== "undefined" ? Buffer.from(bytes).toString("base64") : void 0;
+  if (!base64) throw new Error("base64 encoder unavailable");
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function base64UrlDecodeUtf8(input) {
+  const base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = base64.padEnd(
+    base64.length + (4 - base64.length % 4) % 4,
+    "="
+  );
+  if (typeof atob === "function") {
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let index = 0; index < binary.length; index++) {
+      bytes[index] = binary.charCodeAt(index);
+    }
+    return new TextDecoder().decode(bytes);
+  }
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(padded, "base64").toString("utf8");
+  }
+  throw new Error("base64 decoder unavailable");
+}
+
 // src/partner-funding/client.ts
 var import_zod14 = require("zod");
 var MinorString = import_zod14.z.string().regex(/^-?\d+$/);
@@ -3768,14 +4056,15 @@ function buildArtifactBody(input) {
   return { ...header, data: input.data };
 }
 function signArtifact(body, privateKey) {
-  const sig = bytesToHex(sign(canonicalJSONBytes(body), privateKey));
+  const sig = signIssuerP256(canonicalJSONBytes(body), privateKey);
   return { body, sig };
 }
 function encodeArtifactUri(signed) {
   const bodyBytes = canonicalJSONBytes(signed.body);
   const bodyB64 = base64UrlEncode(bodyBytes);
-  const sigB64 = base64UrlEncode(hexToBytes(signed.sig));
-  return `${FLUR_ARTIFACT_URI_PREFIX}${signed.body.t}/${bodyB64}.${sigB64}`;
+  const sigBytes = base64UrlDecode(signed.sig);
+  const sigB64Url = base64UrlEncode(sigBytes);
+  return `${FLUR_ARTIFACT_URI_PREFIX}${signed.body.t}/${bodyB64}.${sigB64Url}`;
 }
 function decodeArtifactUri(uri) {
   if (!uri.startsWith(FLUR_ARTIFACT_URI_PREFIX)) {
@@ -3806,9 +4095,9 @@ function decodeArtifactUri(uri) {
   }
   const bodyBytes = base64UrlDecode(payload.slice(0, dot));
   const sigBytes = base64UrlDecode(payload.slice(dot + 1));
-  if (sigBytes.length !== 64) {
+  if (sigBytes.length < 64 || sigBytes.length > 80) {
     throw new FlurArtifactError(
-      `Signature must be 64 bytes, got ${sigBytes.length}`,
+      `Signature length out of range: ${sigBytes.length}`,
       "INVALID_SIGNATURE"
     );
   }
@@ -3835,17 +4124,26 @@ function decodeArtifactUri(uri) {
     type,
     bodyBytes,
     body: bodyJson,
-    sig: bytesToHex(sigBytes)
+    // Encode as standard base64 (not url-safe) for sig field consistency.
+    sig: encodeStdBase64(sigBytes)
   };
 }
-function verifyArtifactSignature(decoded, publicKey, options = {}) {
+function encodeStdBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  return typeof btoa === "function" ? btoa(bin) : "";
+}
+function verifyArtifactSignature(decoded, publicKeySpkiB64, options = {}) {
   if (options.enforceExpiry !== false && decoded.body.exp !== void 0) {
     const now = options.nowSeconds ?? Math.floor(Date.now() / 1e3);
     if (decoded.body.exp < now) {
       throw new FlurArtifactError("Artifact has expired", "EXPIRED");
     }
   }
-  return verify(decoded.bodyBytes, hexToBytes(decoded.sig), publicKey);
+  return verifyIssuerP256(decoded.bodyBytes, decoded.sig, publicKeySpkiB64);
 }
 
 // src/artifacts/types.ts
@@ -3864,7 +4162,7 @@ var ARTIFACT_TYPES = {
   PASS: "pass",
   IDENTITY: "identity"
 };
-var HexString4 = (length) => import_zod16.z.string().regex(
+var HexString = (length) => import_zod16.z.string().regex(
   new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
   `expected ${length}-byte hex string`
 );
@@ -3882,7 +4180,7 @@ var ReceiptArtifactSchema = import_zod16.z.object({
   settledAtMs: import_zod16.z.number().int().positive(),
   ledgerTxnId: import_zod16.z.string().min(1).max(64).optional(),
   memo: import_zod16.z.string().max(140).optional(),
-  hashChainPrev: HexString4(32).optional()
+  hashChainPrev: HexString(32).optional()
 });
 var ShortId = import_zod16.z.string().min(1).max(64);
 var PositiveInt = import_zod16.z.number().int().positive();
@@ -3964,7 +4262,7 @@ var StatementArtifactSchema = import_zod16.z.object({
   closingBalanceKobo: import_zod16.z.number().int(),
   transactionCount: NonNegativeInt,
   currency: Currency2,
-  hashChainPrev: HexString4(32).optional()
+  hashChainPrev: HexString(32).optional()
 }).refine((v) => v.periodEndMs > v.periodStartMs, {
   message: "periodEndMs must be greater than periodStartMs",
   path: ["periodEndMs"]
@@ -3997,7 +4295,7 @@ var IdentityArtifactSchema = import_zod16.z.object({
     "kyc_tier",
     "age_band"
   ]),
-  claimValueHash: HexString4(32),
+  claimValueHash: HexString(32),
   attestedAtMs: PositiveInt
 });
 var ARTIFACT_BODY_SCHEMAS = {
@@ -4061,7 +4359,7 @@ function createArtifactUri(input) {
   const signed = signArtifact(body, input.privateKey);
   return { uri: encodeArtifactUri(signed), signed };
 }
-function verifyArtifactUri(uri, publicKey, options = {}) {
+function verifyArtifactUri(uri, publicKeySpkiB64, options = {}) {
   const decoded = decodeArtifactUri(uri);
   if (!isKnownArtifactType(decoded.type)) {
     throw new FlurArtifactError(
@@ -4083,7 +4381,7 @@ function verifyArtifactUri(uri, publicKey, options = {}) {
       "INVALID_BODY"
     );
   }
-  const ok = verifyArtifactSignature(decoded, publicKey, options);
+  const ok = verifyArtifactSignature(decoded, publicKeySpkiB64, options);
   if (!ok) {
     throw new FlurArtifactError(
       "Artifact signature verification failed",
@@ -4120,6 +4418,8 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   AccountSchema,
   ApiCredentialPublicSchema,
   ArtifactHeaderSchema,
+  AttestationSecurityLevelSchema,
+  CLAIM_DOMAIN_V2,
   COLLECTION_INTENT_STATUSES,
   COLLECTION_PAYMENT_STATUSES,
   CUSTODIAL_MODES,
@@ -4138,6 +4438,7 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   CreatePayoutInputSchema,
   CreateWithdrawalInputSchema,
   CreateWithdrawalResultSchema,
+  DeviceKeyAlgSchema,
   DeviceKeyRecordSchema,
   DisableOfflineInputSchema,
   DisableOfflineResultSchema,
@@ -4174,6 +4475,7 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   OAC_DEFAULT_CUMULATIVE_KOBO,
   OAC_DEFAULT_PER_TX_KOBO,
   OAC_DEFAULT_VALIDITY_MS,
+  OFFLINE_CLAIM_SMS_PREFIX,
   OfflineClaimArtifactSchema,
   OfflineHoldRecordSchema,
   OfflinePaymentAuthorizationArtifactSchema,
@@ -4182,6 +4484,8 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   OfflineStateResultSchema,
   OfflineStatusResultSchema,
   OfflineTokenSchema,
+  P256EnrollmentChallengeInputSchema,
+  P256EnrollmentChallengeResultSchema,
   PARTNER_FUNDING_DIRECTIONS,
   PARTNER_FUNDING_STATUSES,
   PARTNER_KINDS,
@@ -4205,6 +4509,8 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   PayoutEventInputSchema,
   ProviderEventInputSchema,
   ProviderEventRecordSchema,
+  ProvisionOfflineAllowanceInputSchema,
+  ProvisionOfflineAllowanceResultSchema,
   PublicCollectionIntentSchema,
   RECEIPT_CHANNELS,
   RECEIPT_KINDS,
@@ -4216,6 +4522,7 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   RecordPayoutEventResultSchema,
   RedemptionSchema,
   RegisterDeviceKeyInputSchema,
+  RegisterDeviceKeyP256InputSchema,
   ReversalRecordArtifactSchema,
   RevokeDeviceKeyInputSchema,
   SETTLEMENT_SCHEDULES,
@@ -4238,6 +4545,8 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   buildPaymentRequest,
   buildReceipt,
   buildRedemption,
+  canonicalClaimSigningBytes,
+  canonicalClaimSigningPayload,
   canonicalJSONBytes,
   canonicalJSONStringify,
   canonicalRequestString,
@@ -4262,18 +4571,21 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   createPassesClient,
   createReceiptArtifactUri,
   createReceiptsClient,
+  createSoftwareP256Signer,
   decodeArtifactUri,
   decodeAuthorizationQR,
   decodeBase45,
+  decodeOfflineClaimSmsMessage,
   decodePaymentRequestQR,
   encodeArtifactUri,
   encodeAuthorizationQR,
   encodeBase45,
   encodeNQR,
+  encodeOfflineClaimSmsMessage,
   encodePaymentRequestQR,
+  extractOfflineClaimSmsToken,
   formatAmount,
   generateDynamicQR,
-  generateKeyPair,
   generateStaticQR,
   init,
   isHardenedArtifactType,
@@ -4284,13 +4596,10 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   parseAmountInput,
   parseNQR,
   parseQR,
-  publicKeyFromPrivate,
   readTLV,
   routingHint,
-  sign,
   signArtifact,
   signAuthorization,
-  signCanonical,
   signOAC,
   signPartnerRequest,
   signPass,
@@ -4298,11 +4607,10 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   signReceipt,
   signRedemption,
   signRequestHMAC,
-  verify,
   verifyArtifactSignature,
   verifyArtifactUri,
   verifyAuthorization,
-  verifyCanonical,
+  verifyClaimSignature,
   verifyOAC,
   verifyPass,
   verifyPaymentRequest,