@nokinc-flur/sdk 1.1.3 → 1.1.5

package/dist/index.cjs

@@ -69,6 +69,7 @@ __export(index_exports, {
   HARDENED_ARTIFACT_TYPES: () => HARDENED_ARTIFACT_TYPES,
   IdentityArtifactSchema: () => IdentityArtifactSchema,
   IngestFundingResultSchema: () => IngestFundingResultSchema,
+  IssueAccountOacInputSchema: () => IssueAccountOacInputSchema,
   IssueOACInputSchema: () => IssueOACInputSchema,
   LedgerJournalEntryArtifactSchema: () => LedgerJournalEntryArtifactSchema,
   ListPayoutDestinationsResultSchema: () => ListPayoutDestinationsResultSchema,
@@ -86,6 +87,7 @@ __export(index_exports, {
   OAC_DEFAULT_CUMULATIVE_KOBO: () => OAC_DEFAULT_CUMULATIVE_KOBO,
   OAC_DEFAULT_PER_TX_KOBO: () => OAC_DEFAULT_PER_TX_KOBO,
   OAC_DEFAULT_VALIDITY_MS: () => OAC_DEFAULT_VALIDITY_MS,
+  OFFLINE_CLAIM_SMS_PREFIX: () => OFFLINE_CLAIM_SMS_PREFIX,
   OfflineClaimArtifactSchema: () => OfflineClaimArtifactSchema,
   OfflineHoldRecordSchema: () => OfflineHoldRecordSchema,
   OfflinePaymentAuthorizationArtifactSchema: () => OfflinePaymentAuthorizationArtifactSchema,
@@ -181,20 +183,21 @@ __export(index_exports, {
   createPassesClient: () => createPassesClient,
   createReceiptArtifactUri: () => createReceiptArtifactUri,
   createReceiptsClient: () => createReceiptsClient,
-  createSoftwareEd25519Signer: () => createSoftwareEd25519Signer,
   createSoftwareP256Signer: () => createSoftwareP256Signer,
   decodeArtifactUri: () => decodeArtifactUri,
   decodeAuthorizationQR: () => decodeAuthorizationQR,
   decodeBase45: () => decodeBase45,
+  decodeOfflineClaimSmsMessage: () => decodeOfflineClaimSmsMessage,
   decodePaymentRequestQR: () => decodePaymentRequestQR,
   encodeArtifactUri: () => encodeArtifactUri,
   encodeAuthorizationQR: () => encodeAuthorizationQR,
   encodeBase45: () => encodeBase45,
   encodeNQR: () => encodeNQR,
+  encodeOfflineClaimSmsMessage: () => encodeOfflineClaimSmsMessage,
   encodePaymentRequestQR: () => encodePaymentRequestQR,
+  extractOfflineClaimSmsToken: () => extractOfflineClaimSmsToken,
   formatAmount: () => formatAmount,
   generateDynamicQR: () => generateDynamicQR,
-  generateKeyPair: () => generateKeyPair,
   generateStaticQR: () => generateStaticQR,
   init: () => init,
   isHardenedArtifactType: () => isHardenedArtifactType,
@@ -205,13 +208,10 @@ __export(index_exports, {
   parseAmountInput: () => parseAmountInput,
   parseNQR: () => parseNQR,
   parseQR: () => parseQR,
-  publicKeyFromPrivate: () => publicKeyFromPrivate,
   readTLV: () => readTLV,
   routingHint: () => routingHint,
-  sign: () => sign,
   signArtifact: () => signArtifact,
   signAuthorization: () => signAuthorization,
-  signCanonical: () => signCanonical,
   signOAC: () => signOAC,
   signPartnerRequest: () => signPartnerRequest,
   signPass: () => signPass,
@@ -219,11 +219,9 @@ __export(index_exports, {
   signReceipt: () => signReceipt,
   signRedemption: () => signRedemption,
   signRequestHMAC: () => signRequestHMAC,
-  verify: () => verify,
   verifyArtifactSignature: () => verifyArtifactSignature,
   verifyArtifactUri: () => verifyArtifactUri,
   verifyAuthorization: () => verifyAuthorization,
-  verifyCanonical: () => verifyCanonical,
   verifyClaimSignature: () => verifyClaimSignature,
   verifyOAC: () => verifyOAC,
   verifyPass: () => verifyPass,
@@ -236,203 +234,13 @@ __export(index_exports, {
 module.exports = __toCommonJS(index_exports);
 
 // src/client.ts
-var import_zod4 = require("zod");
+var import_zod5 = require("zod");
 
 // src/contracts.ts
+var import_zod2 = require("zod");
+
+// src/me-offline/client.ts
 var import_zod = require("zod");
-var E164Regex = /^\+[1-9]\d{7,14}$/;
-var UuidSchema = import_zod.z.string().uuid();
-var IsoDateSchema = import_zod.z.string().datetime({ offset: true });
-var CurrencySchema = import_zod.z.string().trim().length(3).transform((value) => value.toUpperCase());
-var HealthResponseSchema = import_zod.z.object({
-  ok: import_zod.z.boolean()
-});
-var WelcomeResponseSchema = import_zod.z.object({
-  message: import_zod.z.string()
-});
-var OnboardingStartRequestSchema = import_zod.z.object({
-  phoneE164: import_zod.z.string().regex(E164Regex),
-  appInstanceId: import_zod.z.string().min(3),
-  platform: import_zod.z.enum(["android", "ios", "web"]),
-  turnstileToken: import_zod.z.string().min(20).optional(),
-  appAttestation: import_zod.z.object({
-    provider: import_zod.z.enum(["android", "ios", "web"]),
-    token: import_zod.z.string().min(24)
-  }).optional(),
-  firstName: import_zod.z.string().trim().min(1).max(80).optional(),
-  lastName: import_zod.z.string().trim().min(1).max(80).optional()
-});
-var OnboardingStartResponseSchema = import_zod.z.object({
-  requestId: import_zod.z.string().min(1),
-  checkUrl: import_zod.z.string().url().optional(),
-  expiresInSec: import_zod.z.number().int().positive(),
-  fallback: import_zod.z.enum(["SILENT_AUTH", "OTP"])
-});
-var OnboardingCompleteRequestSchema = import_zod.z.object({
-  requestId: import_zod.z.string().min(1),
-  code: import_zod.z.string().min(1).max(32),
-  appInstanceId: import_zod.z.string().min(3),
-  fingerprintHash: import_zod.z.string().min(3).optional()
-});
-var OnboardingCompleteResponseSchema = import_zod.z.object({
-  sessionToken: import_zod.z.string().min(1),
-  userId: UuidSchema,
-  restricted: import_zod.z.boolean(),
-  risk_reasons: import_zod.z.array(
-    import_zod.z.enum(["SIM_SWAP_RECENT", "ROAMING", "CARRIER_CHANGED"])
-  ),
-  stepUpRequired: import_zod.z.boolean().optional(),
-  riskStatus: import_zod.z.enum(["ok", "unavailable"]).optional()
-});
-var RegisterDeviceRequestSchema = import_zod.z.object({
-  userId: UuidSchema,
-  appInstanceId: import_zod.z.string().min(3),
-  platform: import_zod.z.string().min(2),
-  model: import_zod.z.string().optional(),
-  networkSignals: import_zod.z.object({
-    ip: import_zod.z.string().min(3),
-    asn: import_zod.z.number().int().optional(),
-    country: import_zod.z.string().min(2).optional(),
-    carrier: import_zod.z.string().optional()
-  })
-});
-var RegisterDeviceResponseSchema = import_zod.z.object({
-  deviceId: import_zod.z.string().min(1),
-  fingerprintHash: import_zod.z.string().min(1),
-  driftScore: import_zod.z.number(),
-  trustState: import_zod.z.enum(["TRUSTED_PRIMARY", "TRUSTED_SECONDARY", "UNVERIFIED"]),
-  stepUpRequired: import_zod.z.boolean()
-});
-var AuthRefreshRequestSchema = import_zod.z.object({
-  userId: UuidSchema,
-  refreshToken: import_zod.z.string().min(8),
-  appInstanceId: import_zod.z.string().min(3),
-  fingerprintHash: import_zod.z.string().min(3)
-});
-var AuthRefreshResponseSchema = import_zod.z.object({
-  refreshToken: import_zod.z.string().min(8),
-  stepUpRequired: import_zod.z.boolean()
-});
-var AuthLogoutRequestSchema = import_zod.z.object({
-  userId: UuidSchema,
-  refreshToken: import_zod.z.string().min(8)
-});
-var PinSetRequestSchema = import_zod.z.object({
-  userId: UuidSchema,
-  pin: import_zod.z.string().regex(/^\d{6}$/)
-});
-var PinVerifyRequestSchema = import_zod.z.object({
-  userId: UuidSchema,
-  pin: import_zod.z.string().regex(/^\d{6}$/)
-});
-var OkResponseSchema = import_zod.z.object({
-  ok: import_zod.z.boolean()
-});
-var RegisterSendDeviceKeyRequestSchema = import_zod.z.object({
-  userId: UuidSchema,
-  deviceId: import_zod.z.string().min(3),
-  publicKey: import_zod.z.string().min(32)
-});
-var SEND_AUTH_PURPOSES = ["send_money", "offline_revoke"];
-var SendChallengeRequestSchema = import_zod.z.object({
-  userId: UuidSchema,
-  deviceId: import_zod.z.string().min(3),
-  purpose: import_zod.z.enum(SEND_AUTH_PURPOSES).optional()
-});
-var SendChallengeResponseSchema = import_zod.z.object({
-  challengeId: UuidSchema,
-  nonce: import_zod.z.string().min(1),
-  expiresAt: IsoDateSchema
-});
-var SendVerifyRequestSchema = import_zod.z.object({
-  userId: UuidSchema,
-  deviceId: import_zod.z.string().min(3),
-  challengeId: UuidSchema,
-  signature: import_zod.z.string().min(16)
-});
-var SendVerifyResponseSchema = import_zod.z.object({
-  sendAuthToken: import_zod.z.string().min(16)
-});
-var ResolveRecipientRequestSchema = import_zod.z.object({
-  identifier: import_zod.z.string().min(3)
-});
-var ResolveRecipientResponseSchema = import_zod.z.object({
-  recipientUserId: UuidSchema,
-  displayName: import_zod.z.string().min(1),
-  normalizedIdentifier: import_zod.z.string().regex(E164Regex),
-  isActive: import_zod.z.boolean()
-});
-var CreateTransferRequestSchema = import_zod.z.object({
-  recipientIdentifier: import_zod.z.string().min(3),
-  amountMinor: import_zod.z.number().int().positive(),
-  currency: CurrencySchema,
-  sendAuthToken: import_zod.z.string().min(16)
-});
-var TransferStatusSchema = import_zod.z.enum(["SETTLED", "PENDING_REVIEW", "DECLINED"]);
-var TransferResponseSchema = import_zod.z.object({
-  transactionId: import_zod.z.string().min(1),
-  status: TransferStatusSchema,
-  userStatus: TransferStatusSchema,
-  recipientName: import_zod.z.string().min(1),
-  timestamp: IsoDateSchema
-});
-var DirectionSchema = import_zod.z.enum(["OUTGOING", "INCOMING"]);
-var AccountActivityItemSchema = import_zod.z.object({
-  id: import_zod.z.string().min(1),
-  type: import_zod.z.string().min(1),
-  direction: DirectionSchema,
-  name: import_zod.z.string().min(1),
-  identifier: import_zod.z.string().min(1),
-  amountMinor: import_zod.z.number().int(),
-  currency: CurrencySchema,
-  status: import_zod.z.string().min(1),
-  timestamp: IsoDateSchema
-});
-var AccountSummaryResponseSchema = import_zod.z.object({
-  /** Authenticated user's stable internal id. */
-  userId: UuidSchema,
-  /**
-   * 10-digit Nigeria Uniform Bank Account Number (NUBAN) allocated by the
-   * bank partner. `null` when the user has no partner-allocated account yet.
-   */
-  nuban: import_zod.z.string().regex(/^[0-9]{10}$/).nullable(),
-  balance: import_zod.z.number().int(),
-  currency: CurrencySchema,
-  dailySendLimit: import_zod.z.number().int().nonnegative(),
-  dailySendRemaining: import_zod.z.number().int().nonnegative(),
-  kycTier: import_zod.z.string().min(1),
-  kycStatus: import_zod.z.string().min(1),
-  recentActivity: import_zod.z.array(AccountActivityItemSchema)
-});
-var TransactionsListResponseSchema = import_zod.z.object({
-  items: import_zod.z.array(AccountActivityItemSchema),
-  nextCursor: import_zod.z.string().nullable()
-});
-var TransactionDetailResponseSchema = import_zod.z.object({
-  transactionId: import_zod.z.string().min(1),
-  type: import_zod.z.string().min(1),
-  direction: DirectionSchema,
-  counterpartyName: import_zod.z.string().min(1),
-  counterpartyIdentifier: import_zod.z.string().min(1),
-  amountMinor: import_zod.z.number().int(),
-  currency: CurrencySchema,
-  status: import_zod.z.string().min(1),
-  timestamp: IsoDateSchema
-});
-var PushRegisterRequestSchema = import_zod.z.object({
-  deviceId: import_zod.z.string().min(3),
-  platform: import_zod.z.enum(["ios", "android", "web"]),
-  token: import_zod.z.string().min(16)
-});
-var CreatePayLinkResponseSchema = import_zod.z.object({
-  token: import_zod.z.string().min(1)
-});
-var ResolvePayLinkResponseSchema = import_zod.z.object({
-  recipientUserId: UuidSchema,
-  displayName: import_zod.z.string().min(1),
-  normalizedIdentifier: import_zod.z.string().regex(E164Regex),
-  isActive: import_zod.z.boolean()
-});
 
 // src/errors.ts
 var backendErrorCodeSet = /* @__PURE__ */ new Set([
@@ -536,9 +344,556 @@ async function mapToFlurError(res) {
   });
 }
 
+// src/me-offline/client.ts
+var Hex64 = import_zod.z.string().regex(/^[0-9a-f]{64}$/i);
+var Sha256Hex = import_zod.z.string().regex(/^[0-9a-f]{64}$/i);
+var Base64Std = import_zod.z.string().regex(/^[A-Za-z0-9+/]+={0,2}$/);
+var RegisterDeviceKeyInputSchema = import_zod.z.object({
+  deviceId: import_zod.z.string().min(1).max(128),
+  publicKeyHex: Hex64
+});
+var AttestationSecurityLevelSchema = import_zod.z.enum([
+  "STRONGBOX",
+  "TEE",
+  "SECURE_ENCLAVE",
+  "SOFTWARE"
+]);
+var DeviceKeyAlgSchema = import_zod.z.literal("p256");
+var RegisterDeviceKeyP256InputSchema = import_zod.z.object({
+  deviceId: import_zod.z.string().min(1).max(128),
+  /** P-256 SubjectPublicKeyInfo DER, base64. */
+  publicKeySpkiB64: Base64Std.min(64).max(4096),
+  /** Base64 of the server-issued enrollment challenge string. */
+  challengeB64: Base64Std.min(8).max(1024),
+  /** iOS App Attest payload or Android X.509 Key Attestation chain. */
+  attestationChainB64: import_zod.z.array(Base64Std.min(16).max(16384)).min(1).max(16),
+  securityLevel: AttestationSecurityLevelSchema
+});
+var P256EnrollmentChallengeInputSchema = import_zod.z.object({
+  deviceId: import_zod.z.string().min(1).max(128)
+});
+var P256EnrollmentChallengeResultSchema = import_zod.z.object({
+  challenge: import_zod.z.string().min(16),
+  expiresAtMs: import_zod.z.number().int().positive()
+});
+var DeviceKeyRecordSchema = import_zod.z.object({
+  id: import_zod.z.string().uuid(),
+  userId: import_zod.z.string().uuid(),
+  deviceId: import_zod.z.string(),
+  /** Always 'p256' on the consumer offline rail. Field retained for forward-compat. */
+  alg: DeviceKeyAlgSchema.default("p256"),
+  /** Legacy ed25519 hex key. Always null on new records (kept for back-compat reads). */
+  publicKeyHex: Hex64.nullable().default(null),
+  /** P-256 SubjectPublicKeyInfo DER, base64. Required for new records. */
+  publicKeySpkiB64: Base64Std.nullable().default(null),
+  securityLevel: AttestationSecurityLevelSchema.nullable().default(null),
+  hardwareBacked: import_zod.z.boolean().default(false),
+  attestedAtMs: import_zod.z.number().int().nonnegative().nullable().default(null),
+  createdAtMs: import_zod.z.number().int().nonnegative(),
+  revokedAtMs: import_zod.z.number().int().nonnegative().nullable()
+});
+var ConsumerOACSchema = import_zod.z.object({
+  oacId: import_zod.z.string().uuid(),
+  issuerId: import_zod.z.string().min(1).max(64),
+  userId: import_zod.z.string().uuid(),
+  deviceId: import_zod.z.string().min(1).max(128),
+  /**
+   * Always 'p256'. Required on the wire (backend always emits it).
+   * Kept as a literal so input/output infer identically and the schema
+   * can be nested inside other response shapes without Zod input/output
+   * divergence under tsup DTS bundling.
+   */
+  alg: import_zod.z.literal("p256"),
+  /** P-256 SubjectPublicKeyInfo DER, base64. */
+  devicePubkeySpkiB64: Base64Std.min(64).max(4096),
+  perTxCapKobo: import_zod.z.number().int().positive(),
+  cumulativeCapKobo: import_zod.z.number().int().positive(),
+  currency: import_zod.z.string().length(3),
+  validFromMs: import_zod.z.number().int().nonnegative(),
+  validUntilMs: import_zod.z.number().int().nonnegative(),
+  counterSeed: import_zod.z.number().int().nonnegative(),
+  issuedAtMs: import_zod.z.number().int().nonnegative()
+});
+var SignedConsumerOACSchema = import_zod.z.object({
+  oac: ConsumerOACSchema,
+  /** ASN.1 DER ECDSA P-256 issuer signature, base64. */
+  issuerSig: Base64Std.min(16).max(2048),
+  /** Issuer's P-256 public key as SubjectPublicKeyInfo DER, base64. */
+  issuerPublicKeySpkiB64: Base64Std.min(64).max(4096)
+});
+var OACRecordSchema = SignedConsumerOACSchema.extend({
+  currentOfflineSpentKobo: import_zod.z.number().int().nonnegative(),
+  status: import_zod.z.enum([
+    "active",
+    "superseded",
+    "expired",
+    "revoked",
+    "disabling",
+    "draining",
+    "closed"
+  ]),
+  supersededAtMs: import_zod.z.number().int().nonnegative().nullable(),
+  revokedAtMs: import_zod.z.number().int().nonnegative().nullable(),
+  holdId: import_zod.z.string().uuid().nullable().optional()
+});
+var IssueOACInputSchema = import_zod.z.object({
+  deviceId: import_zod.z.string().min(1).max(128),
+  perTxCapKobo: import_zod.z.number().int().positive().optional(),
+  cumulativeCapKobo: import_zod.z.number().int().positive().optional(),
+  ttlMs: import_zod.z.number().int().min(6e4).max(1e3 * 60 * 60 * 24 * 7).optional(),
+  spendableOnlineKobo: import_zod.z.number().int().nonnegative().optional()
+});
+var IssueAccountOacInputSchema = import_zod.z.object({
+  deviceId: import_zod.z.string().min(1).max(128),
+  perTxCapKobo: import_zod.z.number().int().positive().optional(),
+  cumulativeCapKobo: import_zod.z.number().int().positive().optional(),
+  ttlMs: import_zod.z.number().int().min(6e4).max(1e3 * 60 * 60 * 24 * 7).optional()
+});
+var EnableOfflineInputSchema = import_zod.z.object({
+  deviceId: import_zod.z.string().min(1).max(128),
+  amountKobo: import_zod.z.number().int().positive(),
+  perTxCapKobo: import_zod.z.number().int().positive().optional(),
+  ttlMs: import_zod.z.number().int().min(6e4).max(1e3 * 60 * 60 * 24 * 7).optional(),
+  installId: import_zod.z.string().min(1).max(128),
+  partnerId: import_zod.z.string().min(1).max(64).optional()
+});
+var ProvisionOfflineAllowanceInputSchema = EnableOfflineInputSchema;
+var DisableOfflineInputSchema = import_zod.z.object({
+  deviceId: import_zod.z.string().min(1).max(128),
+  installId: import_zod.z.string().min(1).max(128).optional(),
+  claims: import_zod.z.array(import_zod.z.unknown()).max(256).optional()
+});
+var OfflineHoldRecordSchema = import_zod.z.object({
+  holdId: import_zod.z.string().uuid(),
+  userId: import_zod.z.string().uuid(),
+  deviceId: import_zod.z.string(),
+  partnerId: import_zod.z.string(),
+  adapterKind: import_zod.z.string(),
+  externalHoldRef: import_zod.z.string().nullable(),
+  amountKobo: import_zod.z.number().int().nonnegative(),
+  capturedKobo: import_zod.z.number().int().nonnegative(),
+  releasedKobo: import_zod.z.number().int().nonnegative(),
+  remainingKobo: import_zod.z.number().int().nonnegative(),
+  currency: import_zod.z.string().length(3),
+  status: import_zod.z.enum([
+    "placing",
+    "active",
+    "disabling",
+    "draining",
+    "closed",
+    "revoked",
+    "failed"
+  ]),
+  installId: import_zod.z.string().nullable(),
+  drainDeadlineMs: import_zod.z.number().int().nonnegative(),
+  disableRequestedAtMs: import_zod.z.number().int().nonnegative().nullable(),
+  createdAtMs: import_zod.z.number().int().nonnegative(),
+  closedAtMs: import_zod.z.number().int().nonnegative().nullable(),
+  isTrusted: import_zod.z.boolean().optional()
+});
+var EnableOfflineResultSchema = import_zod.z.object({
+  hold: OfflineHoldRecordSchema,
+  oac: OACRecordSchema
+});
+var ProvisionOfflineAllowanceResultSchema = EnableOfflineResultSchema;
+var DisableOfflineResultSchema = import_zod.z.object({
+  hold: OfflineHoldRecordSchema,
+  trusted: import_zod.z.boolean(),
+  settledClaims: import_zod.z.number().int().nonnegative()
+});
+var OfflineStatusResultSchema = import_zod.z.object({
+  hold: OfflineHoldRecordSchema.nullable(),
+  active: OACRecordSchema.nullable()
+});
+var OfflineStateResultSchema = import_zod.z.object({
+  active: OACRecordSchema.nullable()
+});
+var ConsumerPaymentClaimSchema = import_zod.z.object({
+  /** Always 'p256'. Retained for forward-compat and as an explicit domain marker. */
+  alg: import_zod.z.literal("p256").default("p256"),
+  oacId: import_zod.z.string().uuid(),
+  encounterId: Sha256Hex.optional(),
+  payerUserId: import_zod.z.string().uuid(),
+  payeeUserId: import_zod.z.string().uuid(),
+  payerDeviceId: import_zod.z.string().min(1).max(128),
+  payerNonce: import_zod.z.string().min(8).max(128),
+  payeeNonce: import_zod.z.string().min(8).max(128),
+  amountKobo: import_zod.z.number().int().positive(),
+  currency: import_zod.z.string().length(3).default("NGN"),
+  occurredAtMs: import_zod.z.number().int().nonnegative(),
+  completedAtMs: import_zod.z.number().int().nonnegative().optional(),
+  contextId: import_zod.z.string().max(128).optional(),
+  payerPubkeySpkiB64: Base64Std.min(64).max(4096),
+  payerSignatureDerB64: Base64Std.min(16).max(2048),
+  payeePubkeySpkiB64: Base64Std.min(64).max(4096).optional(),
+  payeeSignatureDerB64: Base64Std.min(16).max(2048).optional()
+});
+var ConsumerSettlementSchema = import_zod.z.object({
+  settlementId: import_zod.z.string().uuid(),
+  settlementKey: Sha256Hex,
+  encounterId: Sha256Hex,
+  oacId: import_zod.z.string().uuid(),
+  payerUserId: import_zod.z.string().uuid(),
+  payeeUserId: import_zod.z.string().uuid(),
+  amountKobo: import_zod.z.number().int().positive(),
+  currency: import_zod.z.string().length(3),
+  status: import_zod.z.enum(["SETTLED", "REVIEW"]),
+  reviewReason: import_zod.z.string().nullable(),
+  ledgerRef: import_zod.z.string().nullable(),
+  /** ASN.1 DER ECDSA P-256 issuer signature, base64. */
+  issuerSig: Base64Std.min(16).max(2048),
+  createdAtMs: import_zod.z.number().int().nonnegative()
+});
+var ConsumerSettleResultSchema = import_zod.z.object({
+  settlement: ConsumerSettlementSchema,
+  encounterId: Sha256Hex,
+  replayed: import_zod.z.boolean()
+});
+var RevokeDeviceKeyInputSchema = import_zod.z.object({
+  deviceId: import_zod.z.string().min(1).max(128),
+  /** Step-up token from /api/v1/auth/send/verify with purpose='offline_revoke'. */
+  sendAuthToken: import_zod.z.string().min(16)
+});
+function createMeOfflineClient(opts) {
+  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+  if (!fetchImpl) {
+    throw new Error("createMeOfflineClient: no fetch implementation available");
+  }
+  const baseUrl = opts.baseUrl.replace(/\/$/, "");
+  async function call(method, path, body, parser) {
+    const init2 = {
+      method,
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      }
+    };
+    if (body !== void 0) init2.body = JSON.stringify(body);
+    const resp = await fetchImpl(`${baseUrl}${path}`, init2);
+    const text = await resp.text();
+    let raw = void 0;
+    if (text) {
+      try {
+        raw = JSON.parse(text);
+      } catch {
+      }
+    }
+    if (!resp.ok) {
+      const code = raw && typeof raw === "object" && "code" in raw && typeof raw.code === "string" ? raw.code : `http_${resp.status}`;
+      const message = raw && typeof raw === "object" && "message" in raw && typeof raw.message === "string" ? raw.message : `request failed with status ${resp.status}`;
+      throw new FlurApiError(resp.status, code, message, raw);
+    }
+    return parser(raw);
+  }
+  const deviceKeyItems = import_zod.z.object({ items: import_zod.z.array(DeviceKeyRecordSchema) });
+  return {
+    registerDeviceKey: (input) => call(
+      "POST",
+      "/v1/me/offline/keys",
+      RegisterDeviceKeyInputSchema.parse(input),
+      (raw) => DeviceKeyRecordSchema.parse(raw)
+    ),
+    issueP256EnrollmentChallenge: (input) => call(
+      "POST",
+      "/v1/me/offline/keys/p256/challenge",
+      P256EnrollmentChallengeInputSchema.parse(input),
+      (raw) => P256EnrollmentChallengeResultSchema.parse(raw)
+    ),
+    registerDeviceKeyP256: (input) => call(
+      "POST",
+      "/v1/me/offline/keys/p256",
+      RegisterDeviceKeyP256InputSchema.parse(input),
+      (raw) => DeviceKeyRecordSchema.parse(raw)
+    ),
+    listDeviceKeys: () => call(
+      "GET",
+      "/v1/me/offline/keys",
+      void 0,
+      (raw) => deviceKeyItems.parse(raw)
+    ),
+    revokeDeviceKey: (input) => call(
+      "POST",
+      "/v1/me/offline/keys/revoke",
+      RevokeDeviceKeyInputSchema.parse(input),
+      () => void 0
+    ),
+    issueAccountOac: (input) => call(
+      "POST",
+      "/v1/me/offline/oac",
+      IssueAccountOacInputSchema.parse(input),
+      (raw) => OACRecordSchema.parse(raw)
+    ),
+    provisionAllowance: (input) => call(
+      "POST",
+      "/v1/me/offline/allowance",
+      ProvisionOfflineAllowanceInputSchema.parse(input),
+      (raw) => ProvisionOfflineAllowanceResultSchema.parse(raw)
+    ),
+    enable: (input) => call(
+      "POST",
+      "/v1/me/offline/enable",
+      EnableOfflineInputSchema.parse(input),
+      (raw) => EnableOfflineResultSchema.parse(raw)
+    ),
+    refresh: (input) => call(
+      "POST",
+      "/v1/me/offline/refresh",
+      IssueOACInputSchema.parse(input),
+      (raw) => OACRecordSchema.parse(raw)
+    ),
+    disable: (input) => call(
+      "POST",
+      "/v1/me/offline/disable",
+      DisableOfflineInputSchema.parse(input),
+      (raw) => DisableOfflineResultSchema.parse(raw)
+    ),
+    getStatus: (deviceId) => {
+      const qs = deviceId ? `?deviceId=${encodeURIComponent(deviceId)}` : "";
+      return call(
+        "GET",
+        `/v1/me/offline/status${qs}`,
+        void 0,
+        (raw) => OfflineStatusResultSchema.parse(raw)
+      );
+    },
+    getState: (deviceId) => {
+      const qs = deviceId ? `?deviceId=${encodeURIComponent(deviceId)}` : "";
+      return call(
+        "GET",
+        `/v1/me/offline/state${qs}`,
+        void 0,
+        (raw) => OfflineStateResultSchema.parse(raw)
+      );
+    },
+    submitClaim: (claim) => call(
+      "POST",
+      "/v1/me/offline/claims",
+      ConsumerPaymentClaimSchema.parse(claim),
+      (raw) => ConsumerSettleResultSchema.parse(raw)
+    )
+  };
+}
+
+// src/contracts.ts
+var E164Regex = /^\+[1-9]\d{7,14}$/;
+var UuidSchema = import_zod2.z.string().uuid();
+var IsoDateSchema = import_zod2.z.string().datetime({ offset: true });
+var CurrencySchema = import_zod2.z.string().trim().length(3).transform((value) => value.toUpperCase());
+var HealthResponseSchema = import_zod2.z.object({
+  ok: import_zod2.z.boolean()
+});
+var WelcomeResponseSchema = import_zod2.z.object({
+  message: import_zod2.z.string()
+});
+var OnboardingStartRequestSchema = import_zod2.z.object({
+  phoneE164: import_zod2.z.string().regex(E164Regex),
+  appInstanceId: import_zod2.z.string().min(3),
+  platform: import_zod2.z.enum(["android", "ios", "web"]),
+  turnstileToken: import_zod2.z.string().min(20).optional(),
+  appAttestation: import_zod2.z.object({
+    provider: import_zod2.z.enum(["android", "ios", "web"]),
+    token: import_zod2.z.string().min(24)
+  }).optional(),
+  firstName: import_zod2.z.string().trim().min(1).max(80).optional(),
+  lastName: import_zod2.z.string().trim().min(1).max(80).optional()
+});
+var OnboardingStartResponseSchema = import_zod2.z.object({
+  requestId: import_zod2.z.string().min(1),
+  checkUrl: import_zod2.z.string().url().optional(),
+  expiresInSec: import_zod2.z.number().int().positive(),
+  fallback: import_zod2.z.enum(["SILENT_AUTH", "OTP"])
+});
+var OnboardingCompleteRequestSchema = import_zod2.z.object({
+  requestId: import_zod2.z.string().min(1),
+  code: import_zod2.z.string().min(1).max(32),
+  appInstanceId: import_zod2.z.string().min(3),
+  fingerprintHash: import_zod2.z.string().min(3).optional()
+});
+var OnboardingCompleteResponseSchema = import_zod2.z.object({
+  sessionToken: import_zod2.z.string().min(1),
+  userId: UuidSchema,
+  restricted: import_zod2.z.boolean(),
+  risk_reasons: import_zod2.z.array(
+    import_zod2.z.enum(["SIM_SWAP_RECENT", "ROAMING", "CARRIER_CHANGED"])
+  ),
+  stepUpRequired: import_zod2.z.boolean().optional(),
+  riskStatus: import_zod2.z.enum(["ok", "unavailable"]).optional()
+});
+var RegisterDeviceRequestSchema = import_zod2.z.object({
+  userId: UuidSchema,
+  appInstanceId: import_zod2.z.string().min(3),
+  platform: import_zod2.z.string().min(2),
+  model: import_zod2.z.string().optional(),
+  networkSignals: import_zod2.z.object({
+    ip: import_zod2.z.string().min(3),
+    asn: import_zod2.z.number().int().optional(),
+    country: import_zod2.z.string().min(2).optional(),
+    carrier: import_zod2.z.string().optional()
+  })
+});
+var RegisterDeviceResponseSchema = import_zod2.z.object({
+  deviceId: import_zod2.z.string().min(1),
+  fingerprintHash: import_zod2.z.string().min(1),
+  driftScore: import_zod2.z.number(),
+  trustState: import_zod2.z.enum(["TRUSTED_PRIMARY", "TRUSTED_SECONDARY", "UNVERIFIED"]),
+  stepUpRequired: import_zod2.z.boolean()
+});
+var AuthRefreshRequestSchema = import_zod2.z.object({
+  userId: UuidSchema,
+  refreshToken: import_zod2.z.string().min(8),
+  appInstanceId: import_zod2.z.string().min(3),
+  fingerprintHash: import_zod2.z.string().min(3)
+});
+var AuthRefreshResponseSchema = import_zod2.z.object({
+  refreshToken: import_zod2.z.string().min(8),
+  stepUpRequired: import_zod2.z.boolean()
+});
+var AuthLogoutRequestSchema = import_zod2.z.object({
+  userId: UuidSchema,
+  refreshToken: import_zod2.z.string().min(8)
+});
+var PinSetRequestSchema = import_zod2.z.object({
+  userId: UuidSchema,
+  pin: import_zod2.z.string().regex(/^\d{6}$/)
+});
+var PinVerifyRequestSchema = import_zod2.z.object({
+  userId: UuidSchema,
+  pin: import_zod2.z.string().regex(/^\d{6}$/)
+});
+var OkResponseSchema = import_zod2.z.object({
+  ok: import_zod2.z.boolean()
+});
+var RegisterSendDeviceKeyRequestSchema = import_zod2.z.object({
+  userId: UuidSchema,
+  deviceId: import_zod2.z.string().min(3),
+  publicKey: import_zod2.z.string().min(32)
+});
+var SEND_AUTH_PURPOSES = ["send_money", "offline_revoke"];
+var SendChallengeRequestSchema = import_zod2.z.object({
+  userId: UuidSchema,
+  deviceId: import_zod2.z.string().min(3),
+  purpose: import_zod2.z.enum(SEND_AUTH_PURPOSES).optional()
+});
+var SendChallengeResponseSchema = import_zod2.z.object({
+  challengeId: UuidSchema,
+  nonce: import_zod2.z.string().min(1),
+  expiresAt: IsoDateSchema
+});
+var SendVerifyRequestSchema = import_zod2.z.object({
+  userId: UuidSchema,
+  deviceId: import_zod2.z.string().min(3),
+  challengeId: UuidSchema,
+  signature: import_zod2.z.string().min(16)
+});
+var SendVerifyResponseSchema = import_zod2.z.object({
+  sendAuthToken: import_zod2.z.string().min(16)
+});
+var ResolveRecipientRequestSchema = import_zod2.z.object({
+  identifier: import_zod2.z.string().min(3)
+});
+var ResolveRecipientResponseSchema = import_zod2.z.object({
+  recipientUserId: UuidSchema,
+  displayName: import_zod2.z.string().min(1),
+  normalizedIdentifier: import_zod2.z.string().regex(E164Regex),
+  isActive: import_zod2.z.boolean()
+});
+var CreateTransferRequestSchema = import_zod2.z.object({
+  recipientIdentifier: import_zod2.z.string().min(3),
+  amountMinor: import_zod2.z.number().int().positive(),
+  currency: CurrencySchema,
+  sendAuthToken: import_zod2.z.string().min(16)
+});
+var TransferStatusSchema = import_zod2.z.enum(["SETTLED", "PENDING_REVIEW", "DECLINED"]);
+var TransferResponseSchema = import_zod2.z.object({
+  transactionId: import_zod2.z.string().min(1),
+  status: TransferStatusSchema,
+  userStatus: TransferStatusSchema,
+  recipientName: import_zod2.z.string().min(1),
+  timestamp: IsoDateSchema,
+  /**
+   * Fresh issuer-signed OACs returned by the backend's post-commit
+   * rotation hook on `SETTLED` transfers.
+   *
+   * In the current backend implementation this hook rotates LEGACY
+   * hold-backed OACs only. Account-funded (no-hold) OACs introduced by
+   * the unified-pay-rails refactor are NOT rotated here — their
+   * cumulative spend counter and main-balance check are enforced at
+   * claim submission time via `createTransfer` under the per-sender
+   * advisory lock, so a stale no-hold OAC cannot authorise overspending
+   * (it can only resolve to REVIEW on submission).
+   *
+   * Optional: omitted when the sender has no registered hold-backed
+   * devices, when the refresh failed (best-effort), or on retry replays
+   * that pre-date the refresh. When present, the entries supersede any
+   * locally cached OACs for the listed devices; when absent, clients
+   * should fall back to `/v1/me/offline/refresh`.
+   *
+   * Each entry is validated against the canonical `OACRecordSchema`,
+   * so consumers can trust the runtime shape matches the static type.
+   */
+  offlineOacs: OACRecordSchema.array().optional()
+});
+var DirectionSchema = import_zod2.z.enum(["OUTGOING", "INCOMING"]);
+var AccountActivityItemSchema = import_zod2.z.object({
+  id: import_zod2.z.string().min(1),
+  type: import_zod2.z.string().min(1),
+  direction: DirectionSchema,
+  name: import_zod2.z.string().min(1),
+  identifier: import_zod2.z.string().min(1),
+  amountMinor: import_zod2.z.number().int(),
+  currency: CurrencySchema,
+  status: import_zod2.z.string().min(1),
+  timestamp: IsoDateSchema
+});
+var AccountSummaryResponseSchema = import_zod2.z.object({
+  /** Authenticated user's stable internal id. */
+  userId: UuidSchema,
+  /**
+   * 10-digit Nigeria Uniform Bank Account Number (NUBAN) allocated by the
+   * bank partner. `null` when the user has no partner-allocated account yet.
+   */
+  nuban: import_zod2.z.string().regex(/^[0-9]{10}$/).nullable(),
+  balance: import_zod2.z.number().int(),
+  currency: CurrencySchema,
+  dailySendLimit: import_zod2.z.number().int().nonnegative(),
+  dailySendRemaining: import_zod2.z.number().int().nonnegative(),
+  kycTier: import_zod2.z.string().min(1),
+  kycStatus: import_zod2.z.string().min(1),
+  recentActivity: import_zod2.z.array(AccountActivityItemSchema)
+});
+var TransactionsListResponseSchema = import_zod2.z.object({
+  items: import_zod2.z.array(AccountActivityItemSchema),
+  nextCursor: import_zod2.z.string().nullable()
+});
+var TransactionDetailResponseSchema = import_zod2.z.object({
+  transactionId: import_zod2.z.string().min(1),
+  type: import_zod2.z.string().min(1),
+  direction: DirectionSchema,
+  counterpartyName: import_zod2.z.string().min(1),
+  counterpartyIdentifier: import_zod2.z.string().min(1),
+  amountMinor: import_zod2.z.number().int(),
+  currency: CurrencySchema,
+  status: import_zod2.z.string().min(1),
+  timestamp: IsoDateSchema
+});
+var PushRegisterRequestSchema = import_zod2.z.object({
+  deviceId: import_zod2.z.string().min(3),
+  platform: import_zod2.z.enum(["ios", "android", "web"]),
+  token: import_zod2.z.string().min(16)
+});
+var CreatePayLinkResponseSchema = import_zod2.z.object({
+  token: import_zod2.z.string().min(1)
+});
+var ResolvePayLinkResponseSchema = import_zod2.z.object({
+  recipientUserId: UuidSchema,
+  displayName: import_zod2.z.string().min(1),
+  normalizedIdentifier: import_zod2.z.string().regex(E164Regex),
+  isActive: import_zod2.z.boolean()
+});
+
 // src/primitives.ts
-var import_zod2 = require("zod");
-var CurrencyCodeSchema = import_zod2.z.string().trim().length(3).transform((value) => value.toUpperCase());
+var import_zod3 = require("zod");
+var CurrencyCodeSchema = import_zod3.z.string().trim().length(3).transform((value) => value.toUpperCase());
 var currencyFractionDigits = {
   NGN: 2,
   USD: 2,
@@ -632,7 +987,7 @@ function moneyMinorToNumber(amountMinor) {
 }
 
 // src/collections/client.ts
-var import_zod3 = require("zod");
+var import_zod4 = require("zod");
 var MERCHANT_PROFILE_STATUSES = [
   "pending",
   "active",
@@ -662,172 +1017,172 @@ var MERCHANT_PAYOUT_STATUSES = [
   "failed",
   "cancelled"
 ];
-var MoneyKoboSchema = import_zod3.z.number().int().positive().max(Number.MAX_SAFE_INTEGER);
-var MetadataSchema = import_zod3.z.record(
-  import_zod3.z.union([import_zod3.z.string(), import_zod3.z.number(), import_zod3.z.boolean(), import_zod3.z.null()])
+var MoneyKoboSchema = import_zod4.z.number().int().positive().max(Number.MAX_SAFE_INTEGER);
+var MetadataSchema = import_zod4.z.record(
+  import_zod4.z.union([import_zod4.z.string(), import_zod4.z.number(), import_zod4.z.boolean(), import_zod4.z.null()])
 );
-var CurrencySchema2 = import_zod3.z.string().trim().length(3).transform((value) => value.toUpperCase());
-var ReferenceSchema = import_zod3.z.string().trim().min(6).max(128).regex(/^[A-Za-z0-9._:-]+$/);
-var MerchantProfileSchema = import_zod3.z.object({
-  accountId: import_zod3.z.string().uuid(),
-  legalName: import_zod3.z.string(),
-  tradingName: import_zod3.z.string(),
-  merchantCategoryCode: import_zod3.z.string().regex(/^\d{4}$/),
-  nqrMerchantId: import_zod3.z.string(),
-  settlementBankCode: import_zod3.z.string(),
-  settlementAccountNumber: import_zod3.z.string(),
-  settlementAccountName: import_zod3.z.string(),
-  settlementSchedule: import_zod3.z.enum(SETTLEMENT_SCHEDULES),
-  status: import_zod3.z.enum(MERCHANT_PROFILE_STATUSES),
-  offlineEnabled: import_zod3.z.boolean(),
+var CurrencySchema2 = import_zod4.z.string().trim().length(3).transform((value) => value.toUpperCase());
+var ReferenceSchema = import_zod4.z.string().trim().min(6).max(128).regex(/^[A-Za-z0-9._:-]+$/);
+var MerchantProfileSchema = import_zod4.z.object({
+  accountId: import_zod4.z.string().uuid(),
+  legalName: import_zod4.z.string(),
+  tradingName: import_zod4.z.string(),
+  merchantCategoryCode: import_zod4.z.string().regex(/^\d{4}$/),
+  nqrMerchantId: import_zod4.z.string(),
+  settlementBankCode: import_zod4.z.string(),
+  settlementAccountNumber: import_zod4.z.string(),
+  settlementAccountName: import_zod4.z.string(),
+  settlementSchedule: import_zod4.z.enum(SETTLEMENT_SCHEDULES),
+  status: import_zod4.z.enum(MERCHANT_PROFILE_STATUSES),
+  offlineEnabled: import_zod4.z.boolean(),
   perTxLimitKobo: MoneyKoboSchema,
   dailyLimitKobo: MoneyKoboSchema,
   metadata: MetadataSchema,
-  createdAtMs: import_zod3.z.number().int().nonnegative(),
-  updatedAtMs: import_zod3.z.number().int().nonnegative()
+  createdAtMs: import_zod4.z.number().int().nonnegative(),
+  updatedAtMs: import_zod4.z.number().int().nonnegative()
 });
-var UpsertMerchantProfileInputSchema = import_zod3.z.object({
-  legalName: import_zod3.z.string().trim().min(1).max(200),
-  tradingName: import_zod3.z.string().trim().min(1).max(25),
-  merchantCategoryCode: import_zod3.z.string().trim().regex(/^\d{4}$/),
-  nqrMerchantId: import_zod3.z.string().trim().min(3).max(64),
-  settlementBankCode: import_zod3.z.string().trim().min(2).max(16),
-  settlementAccountNumber: import_zod3.z.string().trim().min(5).max(32),
-  settlementAccountName: import_zod3.z.string().trim().min(1).max(200),
-  settlementSchedule: import_zod3.z.enum(SETTLEMENT_SCHEDULES).optional(),
-  status: import_zod3.z.enum(MERCHANT_PROFILE_STATUSES).optional(),
-  offlineEnabled: import_zod3.z.boolean().optional(),
+var UpsertMerchantProfileInputSchema = import_zod4.z.object({
+  legalName: import_zod4.z.string().trim().min(1).max(200),
+  tradingName: import_zod4.z.string().trim().min(1).max(25),
+  merchantCategoryCode: import_zod4.z.string().trim().regex(/^\d{4}$/),
+  nqrMerchantId: import_zod4.z.string().trim().min(3).max(64),
+  settlementBankCode: import_zod4.z.string().trim().min(2).max(16),
+  settlementAccountNumber: import_zod4.z.string().trim().min(5).max(32),
+  settlementAccountName: import_zod4.z.string().trim().min(1).max(200),
+  settlementSchedule: import_zod4.z.enum(SETTLEMENT_SCHEDULES).optional(),
+  status: import_zod4.z.enum(MERCHANT_PROFILE_STATUSES).optional(),
+  offlineEnabled: import_zod4.z.boolean().optional(),
   perTxLimitKobo: MoneyKoboSchema.optional(),
   dailyLimitKobo: MoneyKoboSchema.optional(),
   metadata: MetadataSchema.optional()
 });
-var CollectionIntentSchema = import_zod3.z.object({
-  intentId: import_zod3.z.string().uuid(),
-  accountId: import_zod3.z.string().uuid(),
-  terminalId: import_zod3.z.string().uuid().nullable(),
-  reference: import_zod3.z.string(),
-  amountKobo: import_zod3.z.number().int().positive().nullable(),
-  currency: import_zod3.z.string().length(3),
-  status: import_zod3.z.enum(COLLECTION_INTENT_STATUSES),
-  description: import_zod3.z.string().nullable(),
-  nqrPayload: import_zod3.z.string(),
-  provider: import_zod3.z.string(),
-  providerReference: import_zod3.z.string().nullable(),
+var CollectionIntentSchema = import_zod4.z.object({
+  intentId: import_zod4.z.string().uuid(),
+  accountId: import_zod4.z.string().uuid(),
+  terminalId: import_zod4.z.string().uuid().nullable(),
+  reference: import_zod4.z.string(),
+  amountKobo: import_zod4.z.number().int().positive().nullable(),
+  currency: import_zod4.z.string().length(3),
+  status: import_zod4.z.enum(COLLECTION_INTENT_STATUSES),
+  description: import_zod4.z.string().nullable(),
+  nqrPayload: import_zod4.z.string(),
+  provider: import_zod4.z.string(),
+  providerReference: import_zod4.z.string().nullable(),
   metadata: MetadataSchema,
-  expiresAtMs: import_zod3.z.number().int().nonnegative().nullable(),
-  paidAtMs: import_zod3.z.number().int().nonnegative().nullable(),
-  createdAtMs: import_zod3.z.number().int().nonnegative(),
-  updatedAtMs: import_zod3.z.number().int().nonnegative()
+  expiresAtMs: import_zod4.z.number().int().nonnegative().nullable(),
+  paidAtMs: import_zod4.z.number().int().nonnegative().nullable(),
+  createdAtMs: import_zod4.z.number().int().nonnegative(),
+  updatedAtMs: import_zod4.z.number().int().nonnegative()
 });
-var CreateCollectionIntentInputSchema = import_zod3.z.object({
+var CreateCollectionIntentInputSchema = import_zod4.z.object({
   reference: ReferenceSchema.optional(),
   amountKobo: MoneyKoboSchema.optional(),
   currency: CurrencySchema2.optional(),
-  terminalId: import_zod3.z.string().uuid().optional(),
-  terminalLabel: import_zod3.z.string().trim().min(1).max(25).optional(),
-  merchantCity: import_zod3.z.string().trim().min(1).max(15).optional(),
-  description: import_zod3.z.string().trim().min(1).max(280).optional(),
-  expiresAtMs: import_zod3.z.number().int().positive().optional(),
-  provider: import_zod3.z.string().trim().min(1).max(40).optional(),
+  terminalId: import_zod4.z.string().uuid().optional(),
+  terminalLabel: import_zod4.z.string().trim().min(1).max(25).optional(),
+  merchantCity: import_zod4.z.string().trim().min(1).max(15).optional(),
+  description: import_zod4.z.string().trim().min(1).max(280).optional(),
+  expiresAtMs: import_zod4.z.number().int().positive().optional(),
+  provider: import_zod4.z.string().trim().min(1).max(40).optional(),
   metadata: MetadataSchema.optional()
 });
-var PublicCollectionIntentSchema = import_zod3.z.object({
-  intentId: import_zod3.z.string().uuid(),
-  reference: import_zod3.z.string(),
-  amountKobo: import_zod3.z.number().int().positive().nullable(),
-  currency: import_zod3.z.string().length(3),
-  status: import_zod3.z.enum(COLLECTION_INTENT_STATUSES),
-  merchantAccountId: import_zod3.z.string().uuid(),
-  merchantName: import_zod3.z.string(),
-  merchantCategoryCode: import_zod3.z.string(),
-  description: import_zod3.z.string().nullable(),
-  expiresAtMs: import_zod3.z.number().int().nonnegative().nullable()
+var PublicCollectionIntentSchema = import_zod4.z.object({
+  intentId: import_zod4.z.string().uuid(),
+  reference: import_zod4.z.string(),
+  amountKobo: import_zod4.z.number().int().positive().nullable(),
+  currency: import_zod4.z.string().length(3),
+  status: import_zod4.z.enum(COLLECTION_INTENT_STATUSES),
+  merchantAccountId: import_zod4.z.string().uuid(),
+  merchantName: import_zod4.z.string(),
+  merchantCategoryCode: import_zod4.z.string(),
+  description: import_zod4.z.string().nullable(),
+  expiresAtMs: import_zod4.z.number().int().nonnegative().nullable()
 });
-var PayCollectionInputSchema = import_zod3.z.object({
+var PayCollectionInputSchema = import_zod4.z.object({
   reference: ReferenceSchema,
   amountKobo: MoneyKoboSchema.optional(),
   currency: CurrencySchema2.optional(),
-  idempotencyKey: import_zod3.z.string().trim().min(8).max(160).optional()
+  idempotencyKey: import_zod4.z.string().trim().min(8).max(160).optional()
 });
-var CollectionPaymentSchema = import_zod3.z.object({
-  paymentId: import_zod3.z.string().uuid(),
-  intentId: import_zod3.z.string().uuid(),
-  accountId: import_zod3.z.string().uuid(),
-  payerUserId: import_zod3.z.string().uuid().nullable(),
-  merchantOwnerUserId: import_zod3.z.string().uuid(),
+var CollectionPaymentSchema = import_zod4.z.object({
+  paymentId: import_zod4.z.string().uuid(),
+  intentId: import_zod4.z.string().uuid(),
+  accountId: import_zod4.z.string().uuid(),
+  payerUserId: import_zod4.z.string().uuid().nullable(),
+  merchantOwnerUserId: import_zod4.z.string().uuid(),
   amountKobo: MoneyKoboSchema,
-  currency: import_zod3.z.string().length(3),
-  status: import_zod3.z.enum(COLLECTION_PAYMENT_STATUSES),
-  provider: import_zod3.z.string(),
-  providerReference: import_zod3.z.string().nullable(),
-  idempotencyKey: import_zod3.z.string().nullable(),
-  ledgerRef: import_zod3.z.string(),
-  failureCode: import_zod3.z.string().nullable(),
-  failureMessage: import_zod3.z.string().nullable(),
-  paidAtMs: import_zod3.z.number().int().nonnegative().nullable(),
-  createdAtMs: import_zod3.z.number().int().nonnegative(),
-  updatedAtMs: import_zod3.z.number().int().nonnegative()
+  currency: import_zod4.z.string().length(3),
+  status: import_zod4.z.enum(COLLECTION_PAYMENT_STATUSES),
+  provider: import_zod4.z.string(),
+  providerReference: import_zod4.z.string().nullable(),
+  idempotencyKey: import_zod4.z.string().nullable(),
+  ledgerRef: import_zod4.z.string(),
+  failureCode: import_zod4.z.string().nullable(),
+  failureMessage: import_zod4.z.string().nullable(),
+  paidAtMs: import_zod4.z.number().int().nonnegative().nullable(),
+  createdAtMs: import_zod4.z.number().int().nonnegative(),
+  updatedAtMs: import_zod4.z.number().int().nonnegative()
 });
-var CollectionPaymentResultSchema = import_zod3.z.object({
+var CollectionPaymentResultSchema = import_zod4.z.object({
   payment: CollectionPaymentSchema,
   intent: CollectionIntentSchema,
-  receipt: import_zod3.z.unknown().optional(),
-  replayed: import_zod3.z.boolean()
+  receipt: import_zod4.z.unknown().optional(),
+  replayed: import_zod4.z.boolean()
 });
-var CollectionReportSummarySchema = import_zod3.z.object({
-  accountId: import_zod3.z.string().uuid(),
-  fromMs: import_zod3.z.number().int().nonnegative(),
-  toMs: import_zod3.z.number().int().nonnegative(),
-  currency: import_zod3.z.string().length(3),
-  paidCount: import_zod3.z.number().int().nonnegative(),
-  paidAmountKobo: import_zod3.z.number().int().nonnegative(),
-  pendingCount: import_zod3.z.number().int().nonnegative(),
-  failedCount: import_zod3.z.number().int().nonnegative(),
-  reversedCount: import_zod3.z.number().int().nonnegative(),
-  availableBalanceKobo: import_zod3.z.number().int().nonnegative()
+var CollectionReportSummarySchema = import_zod4.z.object({
+  accountId: import_zod4.z.string().uuid(),
+  fromMs: import_zod4.z.number().int().nonnegative(),
+  toMs: import_zod4.z.number().int().nonnegative(),
+  currency: import_zod4.z.string().length(3),
+  paidCount: import_zod4.z.number().int().nonnegative(),
+  paidAmountKobo: import_zod4.z.number().int().nonnegative(),
+  pendingCount: import_zod4.z.number().int().nonnegative(),
+  failedCount: import_zod4.z.number().int().nonnegative(),
+  reversedCount: import_zod4.z.number().int().nonnegative(),
+  availableBalanceKobo: import_zod4.z.number().int().nonnegative()
 });
-var CollectionStatementSchema = import_zod3.z.object({
-  accountId: import_zod3.z.string().uuid(),
-  year: import_zod3.z.number().int(),
-  month: import_zod3.z.number().int().min(1).max(12),
-  currency: import_zod3.z.string().length(3),
-  totalPaidKobo: import_zod3.z.number().int().nonnegative(),
-  items: import_zod3.z.array(CollectionPaymentSchema)
+var CollectionStatementSchema = import_zod4.z.object({
+  accountId: import_zod4.z.string().uuid(),
+  year: import_zod4.z.number().int(),
+  month: import_zod4.z.number().int().min(1).max(12),
+  currency: import_zod4.z.string().length(3),
+  totalPaidKobo: import_zod4.z.number().int().nonnegative(),
+  items: import_zod4.z.array(CollectionPaymentSchema)
 });
-var CreatePayoutInputSchema = import_zod3.z.object({
+var CreatePayoutInputSchema = import_zod4.z.object({
   amountKobo: MoneyKoboSchema,
   currency: CurrencySchema2.optional(),
-  idempotencyKey: import_zod3.z.string().trim().min(8).max(160)
+  idempotencyKey: import_zod4.z.string().trim().min(8).max(160)
 });
-var MerchantPayoutSchema = import_zod3.z.object({
-  payoutId: import_zod3.z.string().uuid(),
-  accountId: import_zod3.z.string().uuid(),
+var MerchantPayoutSchema = import_zod4.z.object({
+  payoutId: import_zod4.z.string().uuid(),
+  accountId: import_zod4.z.string().uuid(),
   amountKobo: MoneyKoboSchema,
-  currency: import_zod3.z.string().length(3),
-  status: import_zod3.z.enum(MERCHANT_PAYOUT_STATUSES),
-  idempotencyKey: import_zod3.z.string().nullable(),
-  ledgerRef: import_zod3.z.string(),
-  providerReference: import_zod3.z.string().nullable(),
-  requestedByUserId: import_zod3.z.string().uuid().nullable(),
-  failureCode: import_zod3.z.string().nullable(),
-  failureMessage: import_zod3.z.string().nullable(),
-  createdAtMs: import_zod3.z.number().int().nonnegative(),
-  updatedAtMs: import_zod3.z.number().int().nonnegative()
+  currency: import_zod4.z.string().length(3),
+  status: import_zod4.z.enum(MERCHANT_PAYOUT_STATUSES),
+  idempotencyKey: import_zod4.z.string().nullable(),
+  ledgerRef: import_zod4.z.string(),
+  providerReference: import_zod4.z.string().nullable(),
+  requestedByUserId: import_zod4.z.string().uuid().nullable(),
+  failureCode: import_zod4.z.string().nullable(),
+  failureMessage: import_zod4.z.string().nullable(),
+  createdAtMs: import_zod4.z.number().int().nonnegative(),
+  updatedAtMs: import_zod4.z.number().int().nonnegative()
 });
-var ProviderEventInputSchema = import_zod3.z.object({
-  provider: import_zod3.z.string().trim().min(1).max(80),
-  eventId: import_zod3.z.string().trim().min(1).max(160),
-  eventType: import_zod3.z.string().trim().min(1).max(120),
-  payload: import_zod3.z.record(import_zod3.z.unknown()).optional()
+var ProviderEventInputSchema = import_zod4.z.object({
+  provider: import_zod4.z.string().trim().min(1).max(80),
+  eventId: import_zod4.z.string().trim().min(1).max(160),
+  eventType: import_zod4.z.string().trim().min(1).max(120),
+  payload: import_zod4.z.record(import_zod4.z.unknown()).optional()
 });
-var ProviderEventRecordSchema = import_zod3.z.object({
-  id: import_zod3.z.string().uuid(),
-  provider: import_zod3.z.string(),
-  eventId: import_zod3.z.string(),
-  eventType: import_zod3.z.string(),
-  signatureVerified: import_zod3.z.boolean(),
-  receivedAtMs: import_zod3.z.number().int().nonnegative(),
-  processedAtMs: import_zod3.z.number().int().nonnegative().nullable()
+var ProviderEventRecordSchema = import_zod4.z.object({
+  id: import_zod4.z.string().uuid(),
+  provider: import_zod4.z.string(),
+  eventId: import_zod4.z.string(),
+  eventType: import_zod4.z.string(),
+  signatureVerified: import_zod4.z.boolean(),
+  receivedAtMs: import_zod4.z.number().int().nonnegative(),
+  processedAtMs: import_zod4.z.number().int().nonnegative().nullable()
 });
 function createCollectionsClient(opts) {
   const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
@@ -1342,7 +1697,7 @@ var FlurClient = class {
     try {
       body = requestSchema ? JSON.stringify(requestSchema.parse(input)) : init2.body;
     } catch (err) {
-      if (err instanceof import_zod4.z.ZodError) {
+      if (err instanceof import_zod5.z.ZodError) {
         throw new FlurError("Invalid request payload", "INVALID_REQUEST", {
           details: err.flatten()
         });
@@ -1370,7 +1725,7 @@ var FlurClient = class {
       try {
         return responseSchema.parse(payload);
       } catch (err) {
-        if (err instanceof import_zod4.z.ZodError) {
+        if (err instanceof import_zod5.z.ZodError) {
           throw new FlurError(
             "SDK contract validation failed",
             "INVALID_REQUEST",
@@ -1800,64 +2155,113 @@ function constantTimeEqual(a, b) {
   return diff === 0;
 }
 
-// src/crypto/ed25519.ts
-var import_ed25519 = require("@noble/curves/ed25519");
-function generateKeyPair() {
-  const privateKey = import_ed25519.ed25519.utils.randomPrivateKey();
-  const publicKey = import_ed25519.ed25519.getPublicKey(privateKey);
-  return { privateKey, publicKey };
+// src/offline/oac.ts
+var import_zod6 = require("zod");
+
+// src/crypto/p256-issuer.ts
+var import_nist = require("@noble/curves/nist");
+function bytesToBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  return btoa(bin);
 }
-function publicKeyFromPrivate(privateKey) {
-  return import_ed25519.ed25519.getPublicKey(privateKey);
+function base64ToBytes(b64) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(b64, "base64"));
+  }
+  const bin = atob(b64);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
 }
-function sign(message, privateKey) {
-  return import_ed25519.ed25519.sign(message, privateKey);
+var P256_SPKI_HEADER = new Uint8Array([
+  48,
+  89,
+  48,
+  19,
+  6,
+  7,
+  42,
+  134,
+  72,
+  206,
+  61,
+  2,
+  1,
+  6,
+  8,
+  42,
+  134,
+  72,
+  206,
+  61,
+  3,
+  1,
+  7,
+  3,
+  66,
+  0
+]);
+function p256SpkiB64ToRaw(spkiB64) {
+  const spki = base64ToBytes(spkiB64);
+  if (spki.length !== P256_SPKI_HEADER.length + 65) {
+    throw new Error("p256: invalid SPKI length");
+  }
+  for (let i = 0; i < P256_SPKI_HEADER.length; i++) {
+    if (spki[i] !== P256_SPKI_HEADER[i]) {
+      throw new Error("p256: invalid SPKI header");
+    }
+  }
+  return spki.slice(P256_SPKI_HEADER.length);
+}
+function signIssuerP256(bytes, issuerPrivateKey) {
+  const sig = import_nist.p256.sign(bytes, issuerPrivateKey, { prehash: true });
+  return bytesToBase64(sig.toBytes("der"));
 }
-function verify(message, signature, publicKey) {
+function verifyIssuerP256(bytes, signatureB64, issuerPublicKeySpkiB64) {
   try {
-    return import_ed25519.ed25519.verify(signature, message, publicKey);
+    const pubRaw = p256SpkiB64ToRaw(issuerPublicKeySpkiB64);
+    const sigBytes = base64ToBytes(signatureB64);
+    return import_nist.p256.verify(sigBytes, bytes, pubRaw, {
+      prehash: true,
+      format: "der"
+    });
   } catch {
     return false;
   }
 }
-function signCanonical(value, privateKey) {
-  return sign(canonicalJSONBytes(value), privateKey);
-}
-function verifyCanonical(value, signature, publicKey) {
-  return verify(canonicalJSONBytes(value), signature, publicKey);
-}
 
 // src/offline/oac.ts
-var import_zod5 = require("zod");
 var OAC_DEFAULT_PER_TX_KOBO = 5e5;
 var OAC_DEFAULT_CUMULATIVE_KOBO = 2e6;
 var OAC_DEFAULT_VALIDITY_MS = 24 * 60 * 60 * 1e3;
-var HexString = (length) => import_zod5.z.string().regex(
-  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
-  `expected ${length}-byte hex string`
-);
-var OACSchema = import_zod5.z.object({
-  userId: import_zod5.z.string().min(1),
-  deviceId: import_zod5.z.string().min(1),
-  devicePublicKey: HexString(32),
-  perTxCapKobo: import_zod5.z.number().int().nonnegative(),
-  cumulativeCapKobo: import_zod5.z.number().int().nonnegative(),
-  validFromMs: import_zod5.z.number().int().nonnegative(),
-  validUntilMs: import_zod5.z.number().int().positive(),
-  counterSeed: import_zod5.z.number().int().nonnegative(),
-  nonce: import_zod5.z.string().min(1),
-  issuerSig: HexString(64)
+var Base64Std2 = import_zod6.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/, "expected base64 (standard) string");
+var OACSchema = import_zod6.z.object({
+  userId: import_zod6.z.string().min(1),
+  deviceId: import_zod6.z.string().min(1),
+  /** SubjectPublicKeyInfo DER, base64 (P-256). */
+  devicePublicKey: Base64Std2,
+  perTxCapKobo: import_zod6.z.number().int().nonnegative(),
+  cumulativeCapKobo: import_zod6.z.number().int().nonnegative(),
+  validFromMs: import_zod6.z.number().int().nonnegative(),
+  validUntilMs: import_zod6.z.number().int().positive(),
+  counterSeed: import_zod6.z.number().int().nonnegative(),
+  nonce: import_zod6.z.string().min(1),
+  /** ASN.1 DER ECDSA(SHA-256) signature, base64. */
+  issuerSig: Base64Std2
 }).refine((v) => v.validUntilMs > v.validFromMs, {
   message: "validUntilMs must be greater than validFromMs"
 }).refine((v) => v.perTxCapKobo <= v.cumulativeCapKobo, {
   message: "perTxCapKobo must not exceed cumulativeCapKobo"
 });
 function buildOAC(input) {
-  const devicePublicKey = typeof input.devicePublicKey === "string" ? input.devicePublicKey : bytesToHex(input.devicePublicKey);
   return {
     userId: input.userId,
     deviceId: input.deviceId,
-    devicePublicKey,
+    devicePublicKey: input.devicePublicKey,
     perTxCapKobo: input.perTxCapKobo ?? OAC_DEFAULT_PER_TX_KOBO,
     cumulativeCapKobo: input.cumulativeCapKobo ?? OAC_DEFAULT_CUMULATIVE_KOBO,
     validFromMs: input.validFromMs,
@@ -1867,36 +2271,25 @@ function buildOAC(input) {
   };
 }
 function signOAC(unsigned, issuerPrivateKey) {
-  const issuerSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  const issuerSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    issuerPrivateKey
   );
   return { ...unsigned, issuerSig };
 }
-function verifyOAC(oac, issuerPublicKey) {
+function verifyOAC(oac, issuerPublicKeySpkiB64) {
   try {
     const parsed = OACSchema.parse(oac);
     const { issuerSig, ...unsigned } = parsed;
-    return verify(
+    return verifyIssuerP256(
       canonicalJSONBytes(unsigned),
-      hexToBytes(issuerSig),
-      issuerPublicKey
+      issuerSig,
+      issuerPublicKeySpkiB64
     );
   } catch {
     return false;
   }
 }
-function bytesToHex(b) {
-  let s = "";
-  for (let i = 0; i < b.length; i++) s += b[i].toString(16).padStart(2, "0");
-  return s;
-}
-function hexToBytes(s) {
-  if (s.length % 2 !== 0) throw new Error("hex: odd length");
-  const out = new Uint8Array(s.length / 2);
-  for (let i = 0; i < out.length; i++)
-    out[i] = parseInt(s.slice(i * 2, i * 2 + 2), 16);
-  return out;
-}
 
 // src/offline/codec.ts
 var ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:";
@@ -1952,20 +2345,20 @@ function decodeBase45(s) {
 }
 
 // src/offline/messages.ts
-var import_zod6 = require("zod");
-var HexSig = import_zod6.z.string().regex(/^[0-9a-fA-F]{128}$/, "expected 64-byte hex signature");
-var OfflinePaymentRequestSchema = import_zod6.z.object({
-  reference: import_zod6.z.string().min(1),
-  amountKobo: import_zod6.z.number().int().positive(),
+var import_zod7 = require("zod");
+var Base64Sig = import_zod7.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/, "expected base64 (standard) signature");
+var OfflinePaymentRequestSchema = import_zod7.z.object({
+  reference: import_zod7.z.string().min(1),
+  amountKobo: import_zod7.z.number().int().positive(),
   merchantOAC: OACSchema,
-  expiresAtMs: import_zod6.z.number().int().positive(),
-  merchantSig: HexSig
+  expiresAtMs: import_zod7.z.number().int().positive(),
+  merchantSig: Base64Sig
 });
-var OfflinePaymentAuthorizationSchema = import_zod6.z.object({
+var OfflinePaymentAuthorizationSchema = import_zod7.z.object({
   request: OfflinePaymentRequestSchema,
   payerOAC: OACSchema,
-  payerCounter: import_zod6.z.number().int().positive(),
-  payerSig: HexSig
+  payerCounter: import_zod7.z.number().int().positive(),
+  payerSig: Base64Sig
 });
 function buildPaymentRequest(input) {
   if (!Number.isInteger(input.amountKobo) || input.amountKobo <= 0) {
@@ -1982,27 +2375,28 @@ function buildPaymentRequest(input) {
   };
 }
 function signPaymentRequest(unsigned, merchantDevicePrivateKey) {
-  const merchantSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), merchantDevicePrivateKey)
+  const merchantSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    merchantDevicePrivateKey
   );
   return { ...unsigned, merchantSig };
 }
-function verifyPaymentRequest(req, issuerPublicKey) {
+function verifyPaymentRequest(req, issuerPublicKeySpkiB64) {
   try {
     const parsed = OfflinePaymentRequestSchema.parse(req);
     const { issuerSig: merchantOacSig, ...merchantOacUnsigned } = parsed.merchantOAC;
-    if (!verify(
+    if (!verifyIssuerP256(
       canonicalJSONBytes(merchantOacUnsigned),
-      hexToBytes(merchantOacSig),
-      issuerPublicKey
+      merchantOacSig,
+      issuerPublicKeySpkiB64
     )) {
       return false;
     }
     const { merchantSig, ...unsigned } = parsed;
-    return verify(
+    return verifyIssuerP256(
       canonicalJSONBytes(unsigned),
-      hexToBytes(merchantSig),
-      hexToBytes(parsed.merchantOAC.devicePublicKey)
+      merchantSig,
+      parsed.merchantOAC.devicePublicKey
     );
   } catch {
     return false;
@@ -2022,28 +2416,30 @@ function buildAuthorization(input) {
   };
 }
 function signAuthorization(unsigned, payerDevicePrivateKey) {
-  const payerSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), payerDevicePrivateKey)
+  const payerSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    payerDevicePrivateKey
   );
   return { ...unsigned, payerSig };
 }
-function verifyAuthorization(auth, issuerPublicKey) {
+function verifyAuthorization(auth, issuerPublicKeySpkiB64) {
   try {
     const parsed = OfflinePaymentAuthorizationSchema.parse(auth);
-    if (!verifyPaymentRequest(parsed.request, issuerPublicKey)) return false;
+    if (!verifyPaymentRequest(parsed.request, issuerPublicKeySpkiB64))
+      return false;
     const { issuerSig: payerOacSig, ...payerOacUnsigned } = parsed.payerOAC;
-    if (!verify(
+    if (!verifyIssuerP256(
       canonicalJSONBytes(payerOacUnsigned),
-      hexToBytes(payerOacSig),
-      issuerPublicKey
+      payerOacSig,
+      issuerPublicKeySpkiB64
     )) {
       return false;
     }
     const { payerSig, ...unsigned } = parsed;
-    return verify(
+    return verifyIssuerP256(
       canonicalJSONBytes(unsigned),
-      hexToBytes(payerSig),
-      hexToBytes(parsed.payerOAC.devicePublicKey)
+      payerSig,
+      parsed.payerOAC.devicePublicKey
     );
   } catch {
     return false;
@@ -2073,56 +2469,60 @@ function decodeAuthorizationQR(s) {
 }
 
 // src/offline/settlements.ts
-var import_zod7 = require("zod");
+var import_zod8 = require("zod");
 var import_sha256 = require("@noble/hashes/sha256");
 var import_utils = require("@noble/hashes/utils");
-var OfflineTokenSchema = import_zod7.z.object({
-  tokenId: import_zod7.z.string().uuid(),
-  tokenSerial: import_zod7.z.string(),
-  issuerAccountId: import_zod7.z.string().uuid(),
-  payerUserId: import_zod7.z.string().uuid(),
-  maxAmountKobo: import_zod7.z.number().int().positive(),
-  currency: import_zod7.z.string().length(3),
-  issuedAtMs: import_zod7.z.number().int().nonnegative(),
-  expiresAtMs: import_zod7.z.number().int().nonnegative(),
-  issuerSig: import_zod7.z.string()
+var OfflineTokenSchema = import_zod8.z.object({
+  tokenId: import_zod8.z.string().uuid(),
+  tokenSerial: import_zod8.z.string(),
+  issuerAccountId: import_zod8.z.string().uuid(),
+  payerUserId: import_zod8.z.string().uuid(),
+  maxAmountKobo: import_zod8.z.number().int().positive(),
+  currency: import_zod8.z.string().length(3),
+  issuedAtMs: import_zod8.z.number().int().nonnegative(),
+  expiresAtMs: import_zod8.z.number().int().nonnegative(),
+  issuerSig: import_zod8.z.string()
 });
-var PaymentClaimSchema = import_zod7.z.object({
-  encounterId: import_zod7.z.string().regex(/^[0-9a-f]{64}$/i).optional(),
-  tokenSerial: import_zod7.z.string(),
-  payerUserId: import_zod7.z.string().uuid(),
-  payeeUserId: import_zod7.z.string().uuid(),
-  payerNonce: import_zod7.z.string(),
-  payeeNonce: import_zod7.z.string(),
-  amountKobo: import_zod7.z.number().int().positive(),
-  currency: import_zod7.z.string().length(3).default("NGN"),
-  occurredAtMs: import_zod7.z.number().int().nonnegative(),
-  completedAtMs: import_zod7.z.number().int().nonnegative().optional(),
-  contextId: import_zod7.z.string().optional(),
-  payerPubkey: import_zod7.z.string().regex(/^[0-9a-f]{64}$/i),
-  payerSignature: import_zod7.z.string().regex(/^[0-9a-f]+$/i),
-  payeePubkey: import_zod7.z.string().regex(/^[0-9a-f]{64}$/i).optional(),
-  payeeSignature: import_zod7.z.string().regex(/^[0-9a-f]+$/i).optional()
+var PaymentClaimSchema = import_zod8.z.object({
+  encounterId: import_zod8.z.string().regex(/^[0-9a-f]{64}$/i).optional(),
+  tokenSerial: import_zod8.z.string(),
+  payerUserId: import_zod8.z.string().uuid(),
+  payeeUserId: import_zod8.z.string().uuid(),
+  payerNonce: import_zod8.z.string(),
+  payeeNonce: import_zod8.z.string(),
+  amountKobo: import_zod8.z.number().int().positive(),
+  currency: import_zod8.z.string().length(3).default("NGN"),
+  occurredAtMs: import_zod8.z.number().int().nonnegative(),
+  completedAtMs: import_zod8.z.number().int().nonnegative().optional(),
+  contextId: import_zod8.z.string().optional(),
+  // Stage 2c: P-256 device keys are now SubjectPublicKeyInfo DER, base64.
+  // Signatures are ASN.1 DER ECDSA(SHA-256), base64. Backwards-incompatible
+  // wire change; the backend has the matching widening in offline-settlements
+  // service + zod schema.
+  payerPubkey: import_zod8.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/),
+  payerSignature: import_zod8.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/),
+  payeePubkey: import_zod8.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/).optional(),
+  payeeSignature: import_zod8.z.string().min(16).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/).optional()
 });
-var SettlementSchema = import_zod7.z.object({
-  settlementId: import_zod7.z.string().uuid(),
-  settlementKey: import_zod7.z.string().regex(/^[0-9a-f]{64}$/i),
-  encounterId: import_zod7.z.string().regex(/^[0-9a-f]{64}$/i),
-  issuerAccountId: import_zod7.z.string().uuid(),
-  tokenSerial: import_zod7.z.string(),
-  payerUserId: import_zod7.z.string().uuid(),
-  payeeUserId: import_zod7.z.string().uuid(),
-  amountKobo: import_zod7.z.number().int().nonnegative(),
-  currency: import_zod7.z.string().length(3),
-  receiptId: import_zod7.z.string().nullable(),
-  status: import_zod7.z.enum(["SETTLED", "REVIEW", "REJECTED"]),
-  issuerSig: import_zod7.z.string(),
-  createdAtMs: import_zod7.z.number().int().nonnegative()
+var SettlementSchema = import_zod8.z.object({
+  settlementId: import_zod8.z.string().uuid(),
+  settlementKey: import_zod8.z.string().regex(/^[0-9a-f]{64}$/i),
+  encounterId: import_zod8.z.string().regex(/^[0-9a-f]{64}$/i),
+  issuerAccountId: import_zod8.z.string().uuid(),
+  tokenSerial: import_zod8.z.string(),
+  payerUserId: import_zod8.z.string().uuid(),
+  payeeUserId: import_zod8.z.string().uuid(),
+  amountKobo: import_zod8.z.number().int().nonnegative(),
+  currency: import_zod8.z.string().length(3),
+  receiptId: import_zod8.z.string().nullable(),
+  status: import_zod8.z.enum(["SETTLED", "REVIEW", "REJECTED"]),
+  issuerSig: import_zod8.z.string(),
+  createdAtMs: import_zod8.z.number().int().nonnegative()
 });
-var SettleResponseSchema = import_zod7.z.object({
+var SettleResponseSchema = import_zod8.z.object({
   settlement: SettlementSchema,
-  encounterId: import_zod7.z.string().regex(/^[0-9a-f]{64}$/i),
-  replayed: import_zod7.z.boolean()
+  encounterId: import_zod8.z.string().regex(/^[0-9a-f]{64}$/i),
+  replayed: import_zod8.z.boolean()
 });
 var ENCOUNTER_DOMAIN = "offline:v1:encounter";
 async function sha256Hex(input) {
@@ -2296,7 +2696,7 @@ function createHmacFetch(opts) {
 }
 
 // src/partner/client.ts
-var import_zod8 = require("zod");
+var import_zod9 = require("zod");
 var import_sha2563 = require("@noble/hashes/sha256");
 var import_hmac4 = require("@noble/hashes/hmac");
 var import_utils2 = require("@noble/hashes/utils");
@@ -2320,18 +2720,18 @@ var PARTNER_SCOPES = [
   "partner:payout:write",
   "partner:reconciliation:read"
 ];
-var ApiCredentialPublicSchema = import_zod8.z.object({
-  id: import_zod8.z.string().uuid(),
-  accountId: import_zod8.z.string().uuid(),
-  keyId: import_zod8.z.string(),
-  scopes: import_zod8.z.array(import_zod8.z.enum(PARTNER_SCOPES)),
-  label: import_zod8.z.string().nullable(),
-  createdAtMs: import_zod8.z.number().int().nonnegative(),
-  lastUsedAtMs: import_zod8.z.number().int().nonnegative().nullable(),
-  revokedAtMs: import_zod8.z.number().int().nonnegative().nullable()
+var ApiCredentialPublicSchema = import_zod9.z.object({
+  id: import_zod9.z.string().uuid(),
+  accountId: import_zod9.z.string().uuid(),
+  keyId: import_zod9.z.string(),
+  scopes: import_zod9.z.array(import_zod9.z.enum(PARTNER_SCOPES)),
+  label: import_zod9.z.string().nullable(),
+  createdAtMs: import_zod9.z.number().int().nonnegative(),
+  lastUsedAtMs: import_zod9.z.number().int().nonnegative().nullable(),
+  revokedAtMs: import_zod9.z.number().int().nonnegative().nullable()
 });
 var MintedApiCredentialSchema = ApiCredentialPublicSchema.extend({
-  secret: import_zod8.z.string().min(1)
+  secret: import_zod9.z.string().min(1)
 });
 var enc = new TextEncoder();
 async function sha256Hex2(input) {
@@ -2488,8 +2888,8 @@ function createApiCredentialsAdminClient(opts) {
     }
     return parser(raw);
   }
-  const listSchema = import_zod8.z.object({
-    items: import_zod8.z.array(ApiCredentialPublicSchema)
+  const listSchema = import_zod9.z.object({
+    items: import_zod9.z.array(ApiCredentialPublicSchema)
   });
   return {
     list: (accountId) => call(
@@ -2514,7 +2914,7 @@ function createApiCredentialsAdminClient(opts) {
 }
 
 // src/passes/pass.ts
-var import_zod9 = require("zod");
+var import_zod10 = require("zod");
 var PASS_KINDS = [
   "ride-ticket",
   "transit-pass",
@@ -2530,42 +2930,39 @@ var PASS_STATES = [
   "expired",
   "revoked"
 ];
-var HexString2 = (length) => import_zod9.z.string().regex(
-  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
-  `expected ${length}-byte hex string`
-);
-var PassMetadataSchema = import_zod9.z.record(
-  import_zod9.z.union([import_zod9.z.string(), import_zod9.z.number(), import_zod9.z.boolean(), import_zod9.z.null()])
+var PassMetadataSchema = import_zod10.z.record(
+  import_zod10.z.union([import_zod10.z.string(), import_zod10.z.number(), import_zod10.z.boolean(), import_zod10.z.null()])
 );
-var PassSchema = import_zod9.z.object({
-  passId: import_zod9.z.string().min(1),
+var PassSchema = import_zod10.z.object({
+  passId: import_zod10.z.string().min(1),
   /** Optional client/template grouping id (server may omit). */
-  templateId: import_zod9.z.string().min(1).optional(),
+  templateId: import_zod10.z.string().min(1).optional(),
   /** Optional human-facing holder identity (server may omit). The cryptographic binding
    *  is `holderDevicePubkey` below. */
-  holderUserId: import_zod9.z.string().min(1).optional(),
-  kind: import_zod9.z.enum(PASS_KINDS),
-  issuerId: import_zod9.z.string().min(1),
-  issuedAtMs: import_zod9.z.number().int().nonnegative(),
-  validFromMs: import_zod9.z.number().int().nonnegative(),
-  validUntilMs: import_zod9.z.number().int().positive(),
-  state: import_zod9.z.enum(PASS_STATES),
+  holderUserId: import_zod10.z.string().min(1).optional(),
+  kind: import_zod10.z.enum(PASS_KINDS),
+  issuerId: import_zod10.z.string().min(1),
+  issuedAtMs: import_zod10.z.number().int().nonnegative(),
+  validFromMs: import_zod10.z.number().int().nonnegative(),
+  validUntilMs: import_zod10.z.number().int().positive(),
+  state: import_zod10.z.enum(PASS_STATES),
   metadata: PassMetadataSchema,
-  nonce: import_zod9.z.string().min(1),
+  nonce: import_zod10.z.string().min(1),
   /** Device id this pass is bound to (FK to backend `device_keys`). */
-  holderDeviceId: import_zod9.z.string().min(1),
-  /** 32-byte hex Ed25519 public key of the bound device. The redemption signature
-   *  is verified against this key — it is the security-critical binding. */
-  holderDevicePubkey: HexString2(32),
+  holderDeviceId: import_zod10.z.string().min(1),
+  /** SubjectPublicKeyInfo DER (P-256) of the bound device, base64. The redemption
+   *  signature is verified against this key — it is the security-critical binding. */
+  holderDevicePubkey: import_zod10.z.string().min(64).max(4096).regex(/^[A-Za-z0-9+/]+={0,2}$/),
   /** Optional fixed amount for monetary passes (vouchers, gift cards) in kobo. */
-  amountKobo: import_zod9.z.number().int().nonnegative().optional(),
+  amountKobo: import_zod10.z.number().int().nonnegative().optional(),
   /** ISO-4217-ish currency code; required on the wire. SDK builders default to NGN. */
-  currency: import_zod9.z.string().min(3).max(8),
+  currency: import_zod10.z.string().min(3).max(8),
   /** Monotonic redemption counter floor. Redemption.counter MUST be > counterSeed. */
-  counterSeed: import_zod9.z.number().int().nonnegative(),
+  counterSeed: import_zod10.z.number().int().nonnegative(),
   /** Optional cumulative spend cap in kobo across all redemptions of this pass. */
-  cumulativeCapKobo: import_zod9.z.number().int().nonnegative().optional(),
-  issuerSig: HexString2(64)
+  cumulativeCapKobo: import_zod10.z.number().int().nonnegative().optional(),
+  /** ASN.1 DER ECDSA P-256 signature, base64. */
+  issuerSig: import_zod10.z.string().min(64).max(2048).regex(/^[A-Za-z0-9+/]+={0,2}$/)
 }).refine((v) => v.validUntilMs > v.validFromMs, {
   message: "validUntilMs must be greater than validFromMs"
 });
@@ -2598,19 +2995,20 @@ function buildPass(input) {
   return out;
 }
 function signPass(unsigned, issuerPrivateKey) {
-  const issuerSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  const issuerSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    issuerPrivateKey
   );
   return { ...unsigned, issuerSig };
 }
-function verifyPass(pass, issuerPublicKey) {
+function verifyPass(pass, issuerPublicKeySpkiB64) {
   try {
     const parsed = PassSchema.parse(pass);
     const { issuerSig, ...unsigned } = parsed;
-    return verify(
+    return verifyIssuerP256(
       canonicalJSONBytes(unsigned),
-      hexToBytes(issuerSig),
-      issuerPublicKey
+      issuerSig,
+      issuerPublicKeySpkiB64
     );
   } catch {
     return false;
@@ -2621,19 +3019,20 @@ function isPassWithinValidity(pass, nowMs) {
 }
 
 // src/passes/redemption.ts
-var import_zod10 = require("zod");
-var HexSig2 = import_zod10.z.string().regex(/^[0-9a-fA-F]{128}$/, "expected 64-byte hex signature");
-var RedemptionSchema = import_zod10.z.object({
+var import_zod11 = require("zod");
+var Base64Std3 = import_zod11.z.string().min(16).max(2048).regex(/^[A-Za-z0-9+/]+={0,2}$/, "expected base64 (std)");
+var RedemptionSchema = import_zod11.z.object({
   pass: PassSchema,
-  redeemerId: import_zod10.z.string().min(1),
-  redeemedAtMs: import_zod10.z.number().int().nonnegative(),
+  redeemerId: import_zod11.z.string().min(1),
+  redeemedAtMs: import_zod11.z.number().int().nonnegative(),
   /** Strictly monotonic counter scoped to a single pass. Must be > pass.counterSeed
    *  and > the redeemer's lastSeenCounter for this pass. */
-  counter: import_zod10.z.number().int().positive(),
+  counter: import_zod11.z.number().int().positive(),
   /** Amount being redeemed in kobo (0 for non-monetary passes like ride tickets). */
-  amountKobo: import_zod10.z.number().int().nonnegative(),
-  nonce: import_zod10.z.string().min(1),
-  holderSig: HexSig2
+  amountKobo: import_zod11.z.number().int().nonnegative(),
+  nonce: import_zod11.z.string().min(1),
+  /** ASN.1 DER ECDSA P-256 signature over canonicalJSONBytes(unsigned), base64. */
+  holderSig: Base64Std3
 });
 var REDEEMABLE_STATES = /* @__PURE__ */ new Set(["issued", "active"]);
 function buildRedemption(input) {
@@ -2687,74 +3086,68 @@ function buildRedemption(input) {
   };
 }
 function signRedemption(unsigned, holderDevicePrivateKey) {
-  const holderSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), holderDevicePrivateKey)
+  const holderSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    holderDevicePrivateKey
   );
   return { ...unsigned, holderSig };
 }
-function verifyRedemption(r, issuerPublicKey) {
+function verifyRedemption(r, issuerPublicKeySpkiB64) {
   try {
     const parsed = RedemptionSchema.parse(r);
     if (parsed.counter <= parsed.pass.counterSeed) return false;
     const { issuerSig, ...passUnsigned } = parsed.pass;
-    if (!verify(
+    if (!verifyIssuerP256(
       canonicalJSONBytes(passUnsigned),
-      hexToBytes(issuerSig),
-      issuerPublicKey
+      issuerSig,
+      issuerPublicKeySpkiB64
     )) {
       return false;
     }
-    const holderHex = parsed.pass.holderDevicePubkey;
-    if (typeof holderHex !== "string") return false;
+    const holderPub = parsed.pass.holderDevicePubkey;
+    if (typeof holderPub !== "string") return false;
     const { holderSig, ...unsigned } = parsed;
-    return verify(
-      canonicalJSONBytes(unsigned),
-      hexToBytes(holderSig),
-      hexToBytes(holderHex)
-    );
+    return verifyIssuerP256(canonicalJSONBytes(unsigned), holderSig, holderPub);
   } catch {
     return false;
   }
 }
 
 // src/receipts/receipt.ts
-var import_zod11 = require("zod");
+var import_zod12 = require("zod");
 var RECEIPT_CHANNELS = ["cash", "pass"];
 var RECEIPT_KINDS = RECEIPT_CHANNELS;
-var HexString3 = (length) => import_zod11.z.string().regex(
-  new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
-  `expected ${length}-byte hex string`
-);
-var ReceiptPayloadSchema = import_zod11.z.record(
-  import_zod11.z.union([import_zod11.z.string(), import_zod11.z.number(), import_zod11.z.boolean(), import_zod11.z.null()])
+var ReceiptPayloadSchema = import_zod12.z.record(
+  import_zod12.z.union([import_zod12.z.string(), import_zod12.z.number(), import_zod12.z.boolean(), import_zod12.z.null()])
 );
-var ReceiptSchema = import_zod11.z.object({
-  receiptId: import_zod11.z.string().min(1),
-  channel: import_zod11.z.enum(RECEIPT_CHANNELS),
+var ReceiptSchema = import_zod12.z.object({
+  receiptId: import_zod12.z.string().min(1),
+  channel: import_zod12.z.enum(RECEIPT_CHANNELS),
   /** Cash-channel: send_intents.id. Required when channel === 'cash'. */
-  intentId: import_zod11.z.string().min(1).optional(),
+  intentId: import_zod12.z.string().min(1).optional(),
   /** Pass-channel: pass_redemptions.id. Required when channel === 'pass'. */
-  passRedemptionId: import_zod11.z.string().min(1).optional(),
-  payerUserId: import_zod11.z.string().min(1),
-  payeeUserId: import_zod11.z.string().min(1),
-  amountKobo: import_zod11.z.number().int().nonnegative(),
-  currency: import_zod11.z.string().min(3).max(8),
-  issuedAtMs: import_zod11.z.number().int().nonnegative(),
-  issuerId: import_zod11.z.string().min(1),
+  passRedemptionId: import_zod12.z.string().min(1).optional(),
+  payerUserId: import_zod12.z.string().min(1),
+  payeeUserId: import_zod12.z.string().min(1),
+  amountKobo: import_zod12.z.number().int().nonnegative(),
+  currency: import_zod12.z.string().min(3).max(8),
+  issuedAtMs: import_zod12.z.number().int().nonnegative(),
+  issuerId: import_zod12.z.string().min(1),
   payload: ReceiptPayloadSchema,
-  issuerSig: HexString3(64)
+  /** ASN.1 DER ECDSA P-256 signature, base64. */
+  issuerSig: import_zod12.z.string().min(64).max(2048).regex(/^[A-Za-z0-9+/]+={0,2}$/)
 }).superRefine((v, ctx) => {
   if (v.channel === "cash") {
     if (!v.intentId) {
       ctx.addIssue({
-        code: import_zod11.z.ZodIssueCode.custom,
+        code: import_zod12.z.ZodIssueCode.custom,
         message: "cash receipts require intentId",
         path: ["intentId"]
       });
     }
     if (v.passRedemptionId) {
       ctx.addIssue({
-        code: import_zod11.z.ZodIssueCode.custom,
+        code: import_zod12.z.ZodIssueCode.custom,
         message: "cash receipts must not carry passRedemptionId",
         path: ["passRedemptionId"]
       });
@@ -2762,14 +3155,14 @@ var ReceiptSchema = import_zod11.z.object({
   } else if (v.channel === "pass") {
     if (!v.passRedemptionId) {
       ctx.addIssue({
-        code: import_zod11.z.ZodIssueCode.custom,
+        code: import_zod12.z.ZodIssueCode.custom,
         message: "pass receipts require passRedemptionId",
         path: ["passRedemptionId"]
       });
     }
     if (v.intentId) {
       ctx.addIssue({
-        code: import_zod11.z.ZodIssueCode.custom,
+        code: import_zod12.z.ZodIssueCode.custom,
         message: "pass receipts must not carry intentId",
         path: ["intentId"]
       });
@@ -2808,19 +3201,20 @@ function buildReceipt(input) {
   return out;
 }
 function signReceipt(unsigned, issuerPrivateKey) {
-  const issuerSig = bytesToHex(
-    sign(canonicalJSONBytes(unsigned), issuerPrivateKey)
+  const issuerSig = signIssuerP256(
+    canonicalJSONBytes(unsigned),
+    issuerPrivateKey
   );
   return { ...unsigned, issuerSig };
 }
-function verifyReceipt(r, issuerPublicKey) {
+function verifyReceipt(r, issuerPublicKeySpkiB64) {
   try {
     const parsed = ReceiptSchema.parse(r);
     const { issuerSig, ...unsigned } = parsed;
-    return verify(
+    return verifyIssuerP256(
       canonicalJSONBytes(unsigned),
-      hexToBytes(issuerSig),
-      issuerPublicKey
+      issuerSig,
+      issuerPublicKeySpkiB64
     );
   } catch {
     return false;
@@ -3070,23 +3464,23 @@ function init(opts) {
 }
 
 // src/accounts/client.ts
-var import_zod12 = require("zod");
+var import_zod13 = require("zod");
 var ACCOUNT_TYPES = ["personal", "business", "partner"];
 var ACCOUNT_STATUSES = ["active", "suspended", "closed"];
 var MEMBERSHIP_ROLES = ["owner", "admin", "driver", "staff"];
-var AccountSchema = import_zod12.z.object({
-  accountId: import_zod12.z.string().uuid(),
-  type: import_zod12.z.enum(ACCOUNT_TYPES),
-  displayName: import_zod12.z.string().min(1),
-  status: import_zod12.z.enum(ACCOUNT_STATUSES),
-  ownerUserId: import_zod12.z.string().uuid().nullable(),
-  createdAtMs: import_zod12.z.number().int().nonnegative()
+var AccountSchema = import_zod13.z.object({
+  accountId: import_zod13.z.string().uuid(),
+  type: import_zod13.z.enum(ACCOUNT_TYPES),
+  displayName: import_zod13.z.string().min(1),
+  status: import_zod13.z.enum(ACCOUNT_STATUSES),
+  ownerUserId: import_zod13.z.string().uuid().nullable(),
+  createdAtMs: import_zod13.z.number().int().nonnegative()
 });
-var AccountMembershipSchema = import_zod12.z.object({
-  accountId: import_zod12.z.string().uuid(),
-  userId: import_zod12.z.string().uuid(),
-  role: import_zod12.z.enum(MEMBERSHIP_ROLES),
-  createdAtMs: import_zod12.z.number().int().nonnegative()
+var AccountMembershipSchema = import_zod13.z.object({
+  accountId: import_zod13.z.string().uuid(),
+  userId: import_zod13.z.string().uuid(),
+  role: import_zod13.z.enum(MEMBERSHIP_ROLES),
+  createdAtMs: import_zod13.z.number().int().nonnegative()
 });
 function createAccountsClient(opts) {
   const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
@@ -3119,9 +3513,9 @@ function createAccountsClient(opts) {
     }
     return parser(raw);
   }
-  const itemsSchema = import_zod12.z.object({ items: import_zod12.z.array(AccountSchema) });
-  const memberItemsSchema = import_zod12.z.object({
-    items: import_zod12.z.array(AccountMembershipSchema)
+  const itemsSchema = import_zod13.z.object({ items: import_zod13.z.array(AccountSchema) });
+  const memberItemsSchema = import_zod13.z.object({
+    items: import_zod13.z.array(AccountMembershipSchema)
   });
   return {
     listMyAccounts: () => call(
@@ -3152,345 +3546,8 @@ function createAccountsClient(opts) {
   };
 }
 
-// src/me-offline/client.ts
-var import_zod13 = require("zod");
-var Hex64 = import_zod13.z.string().regex(/^[0-9a-f]{64}$/i);
-var HexAny = import_zod13.z.string().regex(/^[0-9a-f]+$/i);
-var Sha256Hex = import_zod13.z.string().regex(/^[0-9a-f]{64}$/i);
-var Base64Std = import_zod13.z.string().regex(/^[A-Za-z0-9+/]+={0,2}$/);
-var RegisterDeviceKeyInputSchema = import_zod13.z.object({
-  deviceId: import_zod13.z.string().min(1).max(128),
-  publicKeyHex: Hex64
-});
-var AttestationSecurityLevelSchema = import_zod13.z.enum([
-  "STRONGBOX",
-  "TEE",
-  "SECURE_ENCLAVE",
-  "SOFTWARE"
-]);
-var DeviceKeyAlgSchema = import_zod13.z.enum(["ed25519", "p256"]);
-var RegisterDeviceKeyP256InputSchema = import_zod13.z.object({
-  deviceId: import_zod13.z.string().min(1).max(128),
-  /** P-256 SubjectPublicKeyInfo DER, base64. */
-  publicKeySpkiB64: Base64Std.min(64).max(4096),
-  /** Base64 of the server-issued enrollment challenge string. */
-  challengeB64: Base64Std.min(8).max(1024),
-  /** iOS App Attest payload or Android X.509 Key Attestation chain. */
-  attestationChainB64: import_zod13.z.array(Base64Std.min(16).max(16384)).min(1).max(16),
-  securityLevel: AttestationSecurityLevelSchema
-});
-var P256EnrollmentChallengeInputSchema = import_zod13.z.object({
-  deviceId: import_zod13.z.string().min(1).max(128)
-});
-var P256EnrollmentChallengeResultSchema = import_zod13.z.object({
-  challenge: import_zod13.z.string().min(16),
-  expiresAtMs: import_zod13.z.number().int().positive()
-});
-var DeviceKeyRecordSchema = import_zod13.z.object({
-  id: import_zod13.z.string().uuid(),
-  userId: import_zod13.z.string().uuid(),
-  deviceId: import_zod13.z.string(),
-  alg: DeviceKeyAlgSchema.default("ed25519"),
-  publicKeyHex: Hex64.nullable().default(null),
-  publicKeySpkiB64: Base64Std.nullable().default(null),
-  securityLevel: AttestationSecurityLevelSchema.nullable().default(null),
-  hardwareBacked: import_zod13.z.boolean().default(false),
-  attestedAtMs: import_zod13.z.number().int().nonnegative().nullable().default(null),
-  createdAtMs: import_zod13.z.number().int().nonnegative(),
-  revokedAtMs: import_zod13.z.number().int().nonnegative().nullable()
-});
-var ConsumerOACSchema = import_zod13.z.object({
-  oacId: import_zod13.z.string().uuid(),
-  issuerId: import_zod13.z.string().min(1).max(64),
-  userId: import_zod13.z.string().uuid(),
-  deviceId: import_zod13.z.string().min(1).max(128),
-  alg: import_zod13.z.enum(["ed25519", "p256"]).optional(),
-  devicePubkeyHex: Hex64.optional(),
-  devicePubkeySpkiB64: Base64Std.min(64).max(4096).optional(),
-  perTxCapKobo: import_zod13.z.number().int().positive(),
-  cumulativeCapKobo: import_zod13.z.number().int().positive(),
-  currency: import_zod13.z.string().length(3),
-  validFromMs: import_zod13.z.number().int().nonnegative(),
-  validUntilMs: import_zod13.z.number().int().nonnegative(),
-  counterSeed: import_zod13.z.number().int().nonnegative(),
-  issuedAtMs: import_zod13.z.number().int().nonnegative()
-}).refine(
-  (o) => {
-    const alg = o.alg ?? "ed25519";
-    if (alg === "ed25519") {
-      return Boolean(o.devicePubkeyHex) && !o.devicePubkeySpkiB64;
-    }
-    return Boolean(o.devicePubkeySpkiB64) && !o.devicePubkeyHex;
-  },
-  { message: "OAC device pubkey shape must match alg" }
-);
-var SignedConsumerOACSchema = import_zod13.z.object({
-  oac: ConsumerOACSchema,
-  issuerSig: HexAny,
-  issuerPublicKeyHex: Hex64
-});
-var OACRecordSchema = SignedConsumerOACSchema.extend({
-  currentOfflineSpentKobo: import_zod13.z.number().int().nonnegative(),
-  status: import_zod13.z.enum([
-    "active",
-    "superseded",
-    "expired",
-    "revoked",
-    "disabling",
-    "draining",
-    "closed"
-  ]),
-  supersededAtMs: import_zod13.z.number().int().nonnegative().nullable(),
-  revokedAtMs: import_zod13.z.number().int().nonnegative().nullable(),
-  holdId: import_zod13.z.string().uuid().nullable().optional()
-});
-var IssueOACInputSchema = import_zod13.z.object({
-  deviceId: import_zod13.z.string().min(1).max(128),
-  perTxCapKobo: import_zod13.z.number().int().positive().optional(),
-  cumulativeCapKobo: import_zod13.z.number().int().positive().optional(),
-  ttlMs: import_zod13.z.number().int().min(6e4).max(1e3 * 60 * 60 * 24 * 7).optional(),
-  spendableOnlineKobo: import_zod13.z.number().int().nonnegative().optional()
-});
-var EnableOfflineInputSchema = import_zod13.z.object({
-  deviceId: import_zod13.z.string().min(1).max(128),
-  amountKobo: import_zod13.z.number().int().positive(),
-  perTxCapKobo: import_zod13.z.number().int().positive().optional(),
-  ttlMs: import_zod13.z.number().int().min(6e4).max(1e3 * 60 * 60 * 24 * 7).optional(),
-  installId: import_zod13.z.string().min(1).max(128),
-  partnerId: import_zod13.z.string().min(1).max(64).optional()
-});
-var ProvisionOfflineAllowanceInputSchema = EnableOfflineInputSchema;
-var DisableOfflineInputSchema = import_zod13.z.object({
-  deviceId: import_zod13.z.string().min(1).max(128),
-  installId: import_zod13.z.string().min(1).max(128).optional(),
-  claims: import_zod13.z.array(import_zod13.z.unknown()).max(256).optional()
-});
-var OfflineHoldRecordSchema = import_zod13.z.object({
-  holdId: import_zod13.z.string().uuid(),
-  userId: import_zod13.z.string().uuid(),
-  deviceId: import_zod13.z.string(),
-  partnerId: import_zod13.z.string(),
-  adapterKind: import_zod13.z.string(),
-  externalHoldRef: import_zod13.z.string().nullable(),
-  amountKobo: import_zod13.z.number().int().nonnegative(),
-  capturedKobo: import_zod13.z.number().int().nonnegative(),
-  releasedKobo: import_zod13.z.number().int().nonnegative(),
-  remainingKobo: import_zod13.z.number().int().nonnegative(),
-  currency: import_zod13.z.string().length(3),
-  status: import_zod13.z.enum([
-    "placing",
-    "active",
-    "disabling",
-    "draining",
-    "closed",
-    "revoked",
-    "failed"
-  ]),
-  installId: import_zod13.z.string().nullable(),
-  drainDeadlineMs: import_zod13.z.number().int().nonnegative(),
-  disableRequestedAtMs: import_zod13.z.number().int().nonnegative().nullable(),
-  createdAtMs: import_zod13.z.number().int().nonnegative(),
-  closedAtMs: import_zod13.z.number().int().nonnegative().nullable(),
-  isTrusted: import_zod13.z.boolean().optional()
-});
-var EnableOfflineResultSchema = import_zod13.z.object({
-  hold: OfflineHoldRecordSchema,
-  oac: OACRecordSchema
-});
-var ProvisionOfflineAllowanceResultSchema = EnableOfflineResultSchema;
-var DisableOfflineResultSchema = import_zod13.z.object({
-  hold: OfflineHoldRecordSchema,
-  trusted: import_zod13.z.boolean(),
-  settledClaims: import_zod13.z.number().int().nonnegative()
-});
-var OfflineStatusResultSchema = import_zod13.z.object({
-  hold: OfflineHoldRecordSchema.nullable(),
-  active: OACRecordSchema.nullable()
-});
-var OfflineStateResultSchema = import_zod13.z.object({
-  active: OACRecordSchema.nullable()
-});
-var ClaimAlgSchema = import_zod13.z.enum(["ed25519", "p256"]);
-var ConsumerPaymentClaimSchema = import_zod13.z.object({
-  /** Algorithm discriminator. Omit / 'ed25519' for V1 clients. */
-  alg: ClaimAlgSchema.optional(),
-  oacId: import_zod13.z.string().uuid(),
-  encounterId: Sha256Hex.optional(),
-  payerUserId: import_zod13.z.string().uuid(),
-  payeeUserId: import_zod13.z.string().uuid(),
-  payerDeviceId: import_zod13.z.string().min(1).max(128),
-  payerNonce: import_zod13.z.string().min(8).max(128),
-  payeeNonce: import_zod13.z.string().min(8).max(128),
-  amountKobo: import_zod13.z.number().int().positive(),
-  currency: import_zod13.z.string().length(3).default("NGN"),
-  occurredAtMs: import_zod13.z.number().int().nonnegative(),
-  completedAtMs: import_zod13.z.number().int().nonnegative().optional(),
-  contextId: import_zod13.z.string().max(128).optional(),
-  // ed25519 path
-  payerPubkeyHex: Hex64.optional(),
-  payerSignature: HexAny.optional(),
-  payeePubkeyHex: Hex64.optional(),
-  payeeSignature: HexAny.optional(),
-  // p256 path
-  payerPubkeySpkiB64: import_zod13.z.string().min(64).max(4096).optional(),
-  payerSignatureDerB64: import_zod13.z.string().min(16).max(2048).optional(),
-  payeePubkeySpkiB64: import_zod13.z.string().min(64).max(4096).optional(),
-  payeeSignatureDerB64: import_zod13.z.string().min(16).max(2048).optional()
-}).refine(
-  (c) => {
-    const alg = c.alg ?? "ed25519";
-    if (alg === "ed25519") {
-      return Boolean(c.payerPubkeyHex) && Boolean(c.payerSignature);
-    }
-    return Boolean(c.payerPubkeySpkiB64) && Boolean(c.payerSignatureDerB64);
-  },
-  {
-    message: "payer key/signature fields must match alg (ed25519: hex; p256: SPKI+DER b64)"
-  }
-);
-var ConsumerSettlementSchema = import_zod13.z.object({
-  settlementId: import_zod13.z.string().uuid(),
-  settlementKey: Sha256Hex,
-  encounterId: Sha256Hex,
-  oacId: import_zod13.z.string().uuid(),
-  payerUserId: import_zod13.z.string().uuid(),
-  payeeUserId: import_zod13.z.string().uuid(),
-  amountKobo: import_zod13.z.number().int().positive(),
-  currency: import_zod13.z.string().length(3),
-  status: import_zod13.z.enum(["SETTLED", "REVIEW"]),
-  reviewReason: import_zod13.z.string().nullable(),
-  ledgerRef: import_zod13.z.string().nullable(),
-  issuerSig: HexAny,
-  createdAtMs: import_zod13.z.number().int().nonnegative()
-});
-var ConsumerSettleResultSchema = import_zod13.z.object({
-  settlement: ConsumerSettlementSchema,
-  encounterId: Sha256Hex,
-  replayed: import_zod13.z.boolean()
-});
-var RevokeDeviceKeyInputSchema = import_zod13.z.object({
-  deviceId: import_zod13.z.string().min(1).max(128),
-  /** Step-up token from /api/v1/auth/send/verify with purpose='offline_revoke'. */
-  sendAuthToken: import_zod13.z.string().min(16)
-});
-function createMeOfflineClient(opts) {
-  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
-  if (!fetchImpl) {
-    throw new Error("createMeOfflineClient: no fetch implementation available");
-  }
-  const baseUrl = opts.baseUrl.replace(/\/$/, "");
-  async function call(method, path, body, parser) {
-    const init2 = {
-      method,
-      headers: {
-        "content-type": "application/json",
-        accept: "application/json"
-      }
-    };
-    if (body !== void 0) init2.body = JSON.stringify(body);
-    const resp = await fetchImpl(`${baseUrl}${path}`, init2);
-    const text = await resp.text();
-    let raw = void 0;
-    if (text) {
-      try {
-        raw = JSON.parse(text);
-      } catch {
-      }
-    }
-    if (!resp.ok) {
-      const code = raw && typeof raw === "object" && "code" in raw && typeof raw.code === "string" ? raw.code : `http_${resp.status}`;
-      const message = raw && typeof raw === "object" && "message" in raw && typeof raw.message === "string" ? raw.message : `request failed with status ${resp.status}`;
-      throw new FlurApiError(resp.status, code, message, raw);
-    }
-    return parser(raw);
-  }
-  const deviceKeyItems = import_zod13.z.object({ items: import_zod13.z.array(DeviceKeyRecordSchema) });
-  return {
-    registerDeviceKey: (input) => call(
-      "POST",
-      "/v1/me/offline/keys",
-      RegisterDeviceKeyInputSchema.parse(input),
-      (raw) => DeviceKeyRecordSchema.parse(raw)
-    ),
-    issueP256EnrollmentChallenge: (input) => call(
-      "POST",
-      "/v1/me/offline/keys/p256/challenge",
-      P256EnrollmentChallengeInputSchema.parse(input),
-      (raw) => P256EnrollmentChallengeResultSchema.parse(raw)
-    ),
-    registerDeviceKeyP256: (input) => call(
-      "POST",
-      "/v1/me/offline/keys/p256",
-      RegisterDeviceKeyP256InputSchema.parse(input),
-      (raw) => DeviceKeyRecordSchema.parse(raw)
-    ),
-    listDeviceKeys: () => call(
-      "GET",
-      "/v1/me/offline/keys",
-      void 0,
-      (raw) => deviceKeyItems.parse(raw)
-    ),
-    revokeDeviceKey: (input) => call(
-      "POST",
-      "/v1/me/offline/keys/revoke",
-      RevokeDeviceKeyInputSchema.parse(input),
-      () => void 0
-    ),
-    provisionAllowance: (input) => call(
-      "POST",
-      "/v1/me/offline/allowance",
-      ProvisionOfflineAllowanceInputSchema.parse(input),
-      (raw) => ProvisionOfflineAllowanceResultSchema.parse(raw)
-    ),
-    enable: (input) => call(
-      "POST",
-      "/v1/me/offline/enable",
-      EnableOfflineInputSchema.parse(input),
-      (raw) => EnableOfflineResultSchema.parse(raw)
-    ),
-    refresh: (input) => call(
-      "POST",
-      "/v1/me/offline/refresh",
-      IssueOACInputSchema.parse(input),
-      (raw) => OACRecordSchema.parse(raw)
-    ),
-    disable: (input) => call(
-      "POST",
-      "/v1/me/offline/disable",
-      DisableOfflineInputSchema.parse(input),
-      (raw) => DisableOfflineResultSchema.parse(raw)
-    ),
-    getStatus: (deviceId) => {
-      const qs = deviceId ? `?deviceId=${encodeURIComponent(deviceId)}` : "";
-      return call(
-        "GET",
-        `/v1/me/offline/status${qs}`,
-        void 0,
-        (raw) => OfflineStatusResultSchema.parse(raw)
-      );
-    },
-    getState: (deviceId) => {
-      const qs = deviceId ? `?deviceId=${encodeURIComponent(deviceId)}` : "";
-      return call(
-        "GET",
-        `/v1/me/offline/state${qs}`,
-        void 0,
-        (raw) => OfflineStateResultSchema.parse(raw)
-      );
-    },
-    submitClaim: (claim) => call(
-      "POST",
-      "/v1/me/offline/claims",
-      ConsumerPaymentClaimSchema.parse(claim),
-      (raw) => ConsumerSettleResultSchema.parse(raw)
-    )
-  };
-}
-
 // src/me-offline/signer.ts
-var import_ed255198 = require("@noble/curves/ed25519");
-var import_nist = require("@noble/curves/nist");
-var import_utils3 = require("@noble/hashes/utils");
+var import_nist2 = require("@noble/curves/nist");
 var CLAIM_DOMAIN_V2 = "flur:consumer-offline:v2:claim";
 function canonicalClaimSigningPayload(claim) {
   return {
@@ -3512,7 +3569,7 @@ function canonicalClaimSigningPayload(claim) {
 function canonicalClaimSigningBytes(claim) {
   return canonicalJSONBytes(canonicalClaimSigningPayload(claim));
 }
-function bytesToBase64(bytes) {
+function bytesToBase642(bytes) {
   if (typeof Buffer !== "undefined") {
     return Buffer.from(bytes).toString("base64");
   }
@@ -3520,7 +3577,7 @@ function bytesToBase64(bytes) {
   for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
   return btoa(bin);
 }
-function base64ToBytes(b64) {
+function base64ToBytes2(b64) {
   if (typeof Buffer !== "undefined") {
     return new Uint8Array(Buffer.from(b64, "base64"));
   }
@@ -3529,7 +3586,7 @@ function base64ToBytes(b64) {
   for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
   return out;
 }
-var P256_SPKI_HEADER = new Uint8Array([
+var P256_SPKI_HEADER2 = new Uint8Array([
   48,
   89,
   48,
@@ -3561,38 +3618,25 @@ function p256PublicKeyToSpkiB64(rawUncompressed) {
   if (rawUncompressed.length !== 65 || rawUncompressed[0] !== 4) {
     throw new Error("p256: expected 65-byte uncompressed point");
   }
-  const out = new Uint8Array(P256_SPKI_HEADER.length + rawUncompressed.length);
-  out.set(P256_SPKI_HEADER, 0);
-  out.set(rawUncompressed, P256_SPKI_HEADER.length);
-  return bytesToBase64(out);
+  const out = new Uint8Array(P256_SPKI_HEADER2.length + rawUncompressed.length);
+  out.set(P256_SPKI_HEADER2, 0);
+  out.set(rawUncompressed, P256_SPKI_HEADER2.length);
+  return bytesToBase642(out);
 }
 function p256SpkiB64ToPublicKey(spkiB64) {
-  const spki = base64ToBytes(spkiB64);
-  if (spki.length !== P256_SPKI_HEADER.length + 65) {
+  const spki = base64ToBytes2(spkiB64);
+  if (spki.length !== P256_SPKI_HEADER2.length + 65) {
     throw new Error("p256: invalid SPKI length");
   }
-  for (let i = 0; i < P256_SPKI_HEADER.length; i++) {
-    if (spki[i] !== P256_SPKI_HEADER[i]) {
+  for (let i = 0; i < P256_SPKI_HEADER2.length; i++) {
+    if (spki[i] !== P256_SPKI_HEADER2[i]) {
       throw new Error("p256: invalid SPKI header");
     }
   }
-  return spki.slice(P256_SPKI_HEADER.length);
-}
-function createSoftwareEd25519Signer(privateKey) {
-  const pub = import_ed255198.ed25519.getPublicKey(privateKey);
-  return {
-    alg: "ed25519",
-    async getPublicKey() {
-      return { alg: "ed25519", publicKey: (0, import_utils3.bytesToHex)(pub) };
-    },
-    async sign(bytes) {
-      const sig = import_ed255198.ed25519.sign(bytes, privateKey);
-      return { alg: "ed25519", signature: (0, import_utils3.bytesToHex)(sig) };
-    }
-  };
+  return spki.slice(P256_SPKI_HEADER2.length);
 }
 function createSoftwareP256Signer(privateKey) {
-  const raw = import_nist.p256.getPublicKey(privateKey, false);
+  const raw = import_nist2.p256.getPublicKey(privateKey, false);
   const spkiB64 = p256PublicKeyToSpkiB64(raw);
   return {
     alg: "p256",
@@ -3600,35 +3644,87 @@ function createSoftwareP256Signer(privateKey) {
       return { alg: "p256", publicKey: spkiB64 };
     },
     async sign(bytes) {
-      const sig = import_nist.p256.sign(bytes, privateKey, { prehash: true });
+      const sig = import_nist2.p256.sign(bytes, privateKey, { prehash: true });
       const der = sig.toBytes("der");
-      return { alg: "p256", signature: bytesToBase64(der) };
+      return { alg: "p256", signature: bytesToBase642(der) };
     }
   };
 }
 function verifyClaimSignature(input) {
   try {
-    if (input.alg === "ed25519") {
-      return import_ed255198.ed25519.verify(
-        (0, import_utils3.hexToBytes)(input.signature),
-        input.bytes,
-        (0, import_utils3.hexToBytes)(input.publicKey)
-      );
-    }
-    if (input.alg === "p256") {
-      const sigDer = base64ToBytes(input.signature);
-      const pub = p256SpkiB64ToPublicKey(input.publicKey);
-      return import_nist.p256.verify(sigDer, input.bytes, pub, {
-        prehash: true,
-        format: "der"
-      });
-    }
-    return false;
+    if (input.alg !== "p256") return false;
+    const sigDer = base64ToBytes2(input.signature);
+    const pub = p256SpkiB64ToPublicKey(input.publicKey);
+    return import_nist2.p256.verify(sigDer, input.bytes, pub, {
+      prehash: true,
+      format: "der"
+    });
   } catch {
     return false;
   }
 }
 
+// src/me-offline/sms.ts
+var OFFLINE_CLAIM_SMS_PREFIX = "FLURC1.";
+var TOKEN_RE = /(?:^|\s)(FLURC1\.[A-Za-z0-9_-]+={0,2})(?:\s|$)/;
+function encodeOfflineClaimSmsMessage(claim) {
+  const parsed = ConsumerPaymentClaimSchema.parse(claim);
+  const json = JSON.stringify(parsed);
+  return `${OFFLINE_CLAIM_SMS_PREFIX}${base64UrlEncodeUtf8(json)}`;
+}
+function decodeOfflineClaimSmsMessage(message) {
+  const token = extractOfflineClaimSmsToken(message);
+  if (!token) {
+    throw new Error("offline claim SMS token not found");
+  }
+  const encoded = token.slice(OFFLINE_CLAIM_SMS_PREFIX.length);
+  let raw;
+  try {
+    raw = JSON.parse(base64UrlDecodeUtf8(encoded));
+  } catch {
+    throw new Error("offline claim SMS token is malformed");
+  }
+  const parsed = ConsumerPaymentClaimSchema.safeParse(raw);
+  if (!parsed.success) {
+    throw new Error("offline claim SMS token is invalid");
+  }
+  return parsed.data;
+}
+function extractOfflineClaimSmsToken(message) {
+  const trimmed = message.trim();
+  if (trimmed.startsWith(OFFLINE_CLAIM_SMS_PREFIX)) {
+    return trimmed.split(/\s+/, 1)[0] ?? null;
+  }
+  return TOKEN_RE.exec(message)?.[1] ?? null;
+}
+function base64UrlEncodeUtf8(input) {
+  const bytes = new TextEncoder().encode(input);
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  const base64 = typeof btoa === "function" ? btoa(binary) : typeof Buffer !== "undefined" ? Buffer.from(bytes).toString("base64") : void 0;
+  if (!base64) throw new Error("base64 encoder unavailable");
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function base64UrlDecodeUtf8(input) {
+  const base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = base64.padEnd(
+    base64.length + (4 - base64.length % 4) % 4,
+    "="
+  );
+  if (typeof atob === "function") {
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let index = 0; index < binary.length; index++) {
+      bytes[index] = binary.charCodeAt(index);
+    }
+    return new TextDecoder().decode(bytes);
+  }
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(padded, "base64").toString("utf8");
+  }
+  throw new Error("base64 decoder unavailable");
+}
+
 // src/partner-funding/client.ts
 var import_zod14 = require("zod");
 var MinorString = import_zod14.z.string().regex(/^-?\d+$/);
@@ -4004,14 +4100,15 @@ function buildArtifactBody(input) {
   return { ...header, data: input.data };
 }
 function signArtifact(body, privateKey) {
-  const sig = bytesToHex(sign(canonicalJSONBytes(body), privateKey));
+  const sig = signIssuerP256(canonicalJSONBytes(body), privateKey);
   return { body, sig };
 }
 function encodeArtifactUri(signed) {
   const bodyBytes = canonicalJSONBytes(signed.body);
   const bodyB64 = base64UrlEncode(bodyBytes);
-  const sigB64 = base64UrlEncode(hexToBytes(signed.sig));
-  return `${FLUR_ARTIFACT_URI_PREFIX}${signed.body.t}/${bodyB64}.${sigB64}`;
+  const sigBytes = base64UrlDecode(signed.sig);
+  const sigB64Url = base64UrlEncode(sigBytes);
+  return `${FLUR_ARTIFACT_URI_PREFIX}${signed.body.t}/${bodyB64}.${sigB64Url}`;
 }
 function decodeArtifactUri(uri) {
   if (!uri.startsWith(FLUR_ARTIFACT_URI_PREFIX)) {
@@ -4042,9 +4139,9 @@ function decodeArtifactUri(uri) {
   }
   const bodyBytes = base64UrlDecode(payload.slice(0, dot));
   const sigBytes = base64UrlDecode(payload.slice(dot + 1));
-  if (sigBytes.length !== 64) {
+  if (sigBytes.length < 64 || sigBytes.length > 80) {
     throw new FlurArtifactError(
-      `Signature must be 64 bytes, got ${sigBytes.length}`,
+      `Signature length out of range: ${sigBytes.length}`,
       "INVALID_SIGNATURE"
     );
   }
@@ -4071,17 +4168,26 @@ function decodeArtifactUri(uri) {
     type,
     bodyBytes,
     body: bodyJson,
-    sig: bytesToHex(sigBytes)
+    // Encode as standard base64 (not url-safe) for sig field consistency.
+    sig: encodeStdBase64(sigBytes)
   };
 }
-function verifyArtifactSignature(decoded, publicKey, options = {}) {
+function encodeStdBase64(bytes) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  return typeof btoa === "function" ? btoa(bin) : "";
+}
+function verifyArtifactSignature(decoded, publicKeySpkiB64, options = {}) {
   if (options.enforceExpiry !== false && decoded.body.exp !== void 0) {
     const now = options.nowSeconds ?? Math.floor(Date.now() / 1e3);
     if (decoded.body.exp < now) {
       throw new FlurArtifactError("Artifact has expired", "EXPIRED");
     }
   }
-  return verify(decoded.bodyBytes, hexToBytes(decoded.sig), publicKey);
+  return verifyIssuerP256(decoded.bodyBytes, decoded.sig, publicKeySpkiB64);
 }
 
 // src/artifacts/types.ts
@@ -4100,7 +4206,7 @@ var ARTIFACT_TYPES = {
   PASS: "pass",
   IDENTITY: "identity"
 };
-var HexString4 = (length) => import_zod16.z.string().regex(
+var HexString = (length) => import_zod16.z.string().regex(
   new RegExp(`^[0-9a-fA-F]{${length * 2}}$`),
   `expected ${length}-byte hex string`
 );
@@ -4118,7 +4224,7 @@ var ReceiptArtifactSchema = import_zod16.z.object({
   settledAtMs: import_zod16.z.number().int().positive(),
   ledgerTxnId: import_zod16.z.string().min(1).max(64).optional(),
   memo: import_zod16.z.string().max(140).optional(),
-  hashChainPrev: HexString4(32).optional()
+  hashChainPrev: HexString(32).optional()
 });
 var ShortId = import_zod16.z.string().min(1).max(64);
 var PositiveInt = import_zod16.z.number().int().positive();
@@ -4200,7 +4306,7 @@ var StatementArtifactSchema = import_zod16.z.object({
   closingBalanceKobo: import_zod16.z.number().int(),
   transactionCount: NonNegativeInt,
   currency: Currency2,
-  hashChainPrev: HexString4(32).optional()
+  hashChainPrev: HexString(32).optional()
 }).refine((v) => v.periodEndMs > v.periodStartMs, {
   message: "periodEndMs must be greater than periodStartMs",
   path: ["periodEndMs"]
@@ -4233,7 +4339,7 @@ var IdentityArtifactSchema = import_zod16.z.object({
     "kyc_tier",
     "age_band"
   ]),
-  claimValueHash: HexString4(32),
+  claimValueHash: HexString(32),
   attestedAtMs: PositiveInt
 });
 var ARTIFACT_BODY_SCHEMAS = {
@@ -4297,7 +4403,7 @@ function createArtifactUri(input) {
   const signed = signArtifact(body, input.privateKey);
   return { uri: encodeArtifactUri(signed), signed };
 }
-function verifyArtifactUri(uri, publicKey, options = {}) {
+function verifyArtifactUri(uri, publicKeySpkiB64, options = {}) {
   const decoded = decodeArtifactUri(uri);
   if (!isKnownArtifactType(decoded.type)) {
     throw new FlurArtifactError(
@@ -4319,7 +4425,7 @@ function verifyArtifactUri(uri, publicKey, options = {}) {
       "INVALID_BODY"
     );
   }
-  const ok = verifyArtifactSignature(decoded, publicKey, options);
+  const ok = verifyArtifactSignature(decoded, publicKeySpkiB64, options);
   if (!ok) {
     throw new FlurArtifactError(
       "Artifact signature verification failed",
@@ -4396,6 +4502,7 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   HARDENED_ARTIFACT_TYPES,
   IdentityArtifactSchema,
   IngestFundingResultSchema,
+  IssueAccountOacInputSchema,
   IssueOACInputSchema,
   LedgerJournalEntryArtifactSchema,
   ListPayoutDestinationsResultSchema,
@@ -4413,6 +4520,7 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   OAC_DEFAULT_CUMULATIVE_KOBO,
   OAC_DEFAULT_PER_TX_KOBO,
   OAC_DEFAULT_VALIDITY_MS,
+  OFFLINE_CLAIM_SMS_PREFIX,
   OfflineClaimArtifactSchema,
   OfflineHoldRecordSchema,
   OfflinePaymentAuthorizationArtifactSchema,
@@ -4508,20 +4616,21 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   createPassesClient,
   createReceiptArtifactUri,
   createReceiptsClient,
-  createSoftwareEd25519Signer,
   createSoftwareP256Signer,
   decodeArtifactUri,
   decodeAuthorizationQR,
   decodeBase45,
+  decodeOfflineClaimSmsMessage,
   decodePaymentRequestQR,
   encodeArtifactUri,
   encodeAuthorizationQR,
   encodeBase45,
   encodeNQR,
+  encodeOfflineClaimSmsMessage,
   encodePaymentRequestQR,
+  extractOfflineClaimSmsToken,
   formatAmount,
   generateDynamicQR,
-  generateKeyPair,
   generateStaticQR,
   init,
   isHardenedArtifactType,
@@ -4532,13 +4641,10 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   parseAmountInput,
   parseNQR,
   parseQR,
-  publicKeyFromPrivate,
   readTLV,
   routingHint,
-  sign,
   signArtifact,
   signAuthorization,
-  signCanonical,
   signOAC,
   signPartnerRequest,
   signPass,
@@ -4546,11 +4652,9 @@ function createOfflinePaymentAuthorizationArtifactUri(input) {
   signReceipt,
   signRedemption,
   signRequestHMAC,
-  verify,
   verifyArtifactSignature,
   verifyArtifactUri,
   verifyAuthorization,
-  verifyCanonical,
   verifyClaimSignature,
   verifyOAC,
   verifyPass,