npm - @nokinc-flur/sdk - Versions diffs - 2.4.0 → 2.5.0 - Mend

@nokinc-flur/sdk 2.4.0 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -2878,6 +2878,331 @@ type AccountsClient = {
 };
 declare function createAccountsClient(opts: AccountsClientOptions): AccountsClient;
+/**
+ * Offline verification of the unified Offline Authorization Certificate (OAC).
+ *
+ * The OAC is issuer-signed and folds identity (phoneE164, displayName, bound
+ * device key) into the same credential that carries offline spend authority.
+ * This lets two users who meet for the first time recognise and pay each
+ * other WITHOUT a network round-trip: the verifier checks the issuer
+ * signature against a *pinned* trusted issuer key (a Trust Bundle refreshed
+ * whenever the device is online), never the key embedded in the credential.
+ *
+ * Trust model:
+ *   - Provisional offline authorization, authoritative online settlement.
+ *     A successful offline verify proves the credential was issued by Flur
+ *     and is within its validity window; the backend still re-checks
+ *     revocation, balance, and caps at settlement. Short OAC TTL is the
+ *     revocation-propagation mechanism — a revoked user cannot refresh and
+ *     their OAC expires within the issuance TTL.
+ *
+ * Wire format mirrors `flur-backend/src/offline-consumer/service.ts`
+ * (`oacSigningPayload`): the issuer signs `canonicalJSONBytes({ domain, ...oac })`
+ * with its P-256 key. Adding fields to `ConsumerOAC` automatically includes
+ * them in the signed bytes, so identity is covered without a new domain.
+ */
+/**
+ * Domain tag bound into the OAC issuer signature. MUST match
+ * `OAC_DOMAIN` in `flur-backend/src/offline-consumer/service.ts`.
+ */
+declare const CONSUMER_OAC_DOMAIN: "flur:consumer-offline:v1:oac";
+/**
+ * A pinned issuer key the device trusts for offline OAC verification.
+ * Sourced from the backend Trust Bundle (`GET /v1/issuer/keys`) and cached
+ * on-device. `notBeforeMs` / `notAfterMs` bound the key's own validity so a
+ * rotated-out key cannot be used to verify a freshly minted credential.
+ */
+interface TrustedIssuerKey {
+    issuerId: string;
+    /** Issuer P-256 public key as SubjectPublicKeyInfo DER, base64. */
+    publicKeySpkiB64: string;
+    notBeforeMs?: number;
+    notAfterMs?: number;
+}
+/** Identity surfaced to the caller after a successful offline verify. */
+interface OacOfflineIdentity {
+    oacId: string;
+    issuerId: string;
+    userId: string;
+    phoneE164: string;
+    displayName: string;
+    /** Holder's bound device key; lets the caller verify receipts offline. */
+    devicePubkeySpkiB64: string;
+}
+type VerifyOacOfflineResult = {
+    ok: true;
+    oac: ConsumerOAC;
+    identity: OacOfflineIdentity;
+} | {
+    ok: false;
+    reason: 'malformed' | 'untrusted_issuer' | 'signature_invalid' | 'window_too_long' | 'not_yet_valid' | 'expired' | 'revoked';
+};
+interface VerifyOacOfflineOptions {
+    /** Override the wall clock; defaults to `Date.now()`. */
+    nowMs?: number;
+    /**
+     * Verified revoked-OAC id set from a pinned revocation status-list (see
+     * `verifyRevocationList`). When supplied, an otherwise-valid OAC whose
+     * `oacId` is present is rejected with reason `'revoked'`. Omitting this
+     * preserves the TTL-only revocation baseline.
+     */
+    revokedOacIds?: ReadonlySet<string>;
+}
+/** Canonical OAC payload (domain-bound) the backend issuer signs. */
+declare function consumerOacSigningPayload(oac: ConsumerOAC): {
+    phoneE164: string;
+    userId: string;
+    deviceId: string;
+    displayName: string;
+    currency: string;
+    perTxCapKobo: number;
+    cumulativeCapKobo: number;
+    validFromMs: number;
+    validUntilMs: number;
+    counterSeed: number;
+    issuedAtMs: number;
+    issuerId: string;
+    oacId: string;
+    alg: "p256";
+    devicePubkeySpkiB64: string;
+    domain: "flur:consumer-offline:v1:oac";
+};
+/**
+ * Verify a signed OAC offline against a pinned set of trusted issuer keys.
+ *
+ * Security invariants:
+ *   - The signature is checked against the PINNED key for `oac.issuerId`,
+ *     never the credential-embedded `issuerPublicKeySpkiB64`. An attacker who
+ *     forges an OAC with their own key (and a matching embedded key) fails
+ *     because their key is not pinned.
+ *   - The pinned key's own validity window is enforced.
+ *   - The OAC validity window is enforced (`validFromMs <= now < validUntilMs`).
+ */
+declare function verifyOacOffline(signed: SignedConsumerOAC, trustedKeys: readonly TrustedIssuerKey[], options?: VerifyOacOfflineOptions): VerifyOacOfflineResult;
+/**
+ * QR prefix for a presented unified OAC. A holder shows this QR to be paid
+ * and/or identified offline; the scanner decodes it and calls
+ * `verifyOacOffline` against its pinned trust bundle. Distinct from the
+ * settlement-receipt (`FLURSR1.`) and pay-card prefixes so the scanner can
+ * dispatch by prefix without ambiguity.
+ */
+declare const CONSUMER_OAC_QR_PREFIX: "FLUROAC1.";
+/** True iff `value` looks like a presented OAC QR payload. */
+declare function isConsumerOacQR(value: string): boolean;
+/**
+ * Advisory "pay me" request a holder may attach to a presented OAC pay code:
+ * an amount, a purpose/intent, and a free-text reference. This rides as an
+ * UNSIGNED suffix on the QR (see {@link encodeConsumerOacQR}) — it is never
+ * part of the issuer-signed credential and carries no authority. The payer's
+ * app treats it purely as a prefill hint and always confirms the amount,
+ * exactly as with a NIBSS dynamic QR.
+ */
+declare const OacPresentmentRequestSchema: z.ZodObject<{
+    /** Requested amount in minor units (kobo). */
+    amountMinor: z.ZodOptional<z.ZodNumber>;
+    /** Purpose/intent code (mirrors the NIBSS intent vocabulary). */
+    intent: z.ZodOptional<z.ZodString>;
+    /** Free-text reference / note. */
+    reference: z.ZodOptional<z.ZodString>;
+}, "strict", z.ZodTypeAny, {
+    amountMinor?: number | undefined;
+    reference?: string | undefined;
+    intent?: string | undefined;
+}, {
+    amountMinor?: number | undefined;
+    reference?: string | undefined;
+    intent?: string | undefined;
+}>;
+type OacPresentmentRequest = z.infer<typeof OacPresentmentRequestSchema>;
+/**
+ * Encode a signed OAC as a scannable QR payload. The envelope is validated
+ * before encoding so a malformed credential can never be presented.
+ *
+ * An optional advisory {@link OacPresentmentRequest} is appended as a
+ * dot-separated, base64url-encoded suffix:
+ *   `FLUROAC1.<base64url(signed)>.<base64url(request)>`
+ * The signed segment is byte-identical with or without the suffix, so the
+ * credential's verifiability is unaffected. An empty request adds no suffix.
+ */
+declare function encodeConsumerOacQR(signed: SignedConsumerOAC, request?: OacPresentmentRequest): string;
+/**
+ * Decode (WITHOUT verifying) a presented OAC QR back into a signed envelope.
+ * Any advisory request suffix is ignored here — use
+ * {@link decodeConsumerOacRequest} to read it. The caller MUST pass the result
+ * to `verifyOacOffline` against pinned keys before trusting any field —
+ * decoding proves nothing about authenticity.
+ */
+declare function decodeUnverifiedConsumerOacQR(value: string): SignedConsumerOAC;
+/**
+ * Read the advisory {@link OacPresentmentRequest} from a presented OAC QR, or
+ * `null` if absent/malformed. This is purely a prefill hint and is NEVER
+ * authoritative — a malformed suffix is treated as "no request" and never
+ * throws, so a bad suffix can never block a verifiable credential.
+ */
+declare function decodeConsumerOacRequest(value: string): OacPresentmentRequest | null;
+/**
+ * OAC revocation status-list — offline verification.
+ *
+ * Short OAC TTL (24h, rolling) is the BASELINE revocation-propagation
+ * mechanism: a revoked user cannot refresh, so their credential lapses within
+ * the issuance window. The revocation status-list shrinks that window from
+ * "up to 24h" to "time since the device last pinned a fresh list": the issuer
+ * publishes a signed list of OAC IDs that are revoked AND not yet expired, and
+ * the offline verifier rejects any scanned OAC whose id appears in it.
+ *
+ * The list is naturally bounded: an OAC that lapses on its own TTL drops off
+ * the list (expiry already covers it), so the published set only ever carries
+ * revocations from roughly the last 24h.
+ *
+ * Trust model mirrors the OAC itself: the list is issuer-signed and verified
+ * OFFLINE against the SAME pinned issuer trust bundle (`GET /v1/issuer/keys`),
+ * never the key embedded in the payload. A `sequence` makes the list
+ * monotonic so a device never accepts an older snapshot over a newer one.
+ */
+/**
+ * Domain tag bound into the revocation-list issuer signature. MUST match
+ * `REVOCATION_DOMAIN` in `flur-backend/src/offline-consumer/service.ts`.
+ */
+declare const CONSUMER_REVOCATION_DOMAIN: "flur:consumer-offline:v1:revocation";
+/**
+ * Hard cap on the number of revoked ids in a single list. Because the list
+ * only carries unexpired revocations (~24h window), this bounds the payload
+ * while comfortably exceeding any realistic revocation rate.
+ */
+declare const REVOCATION_LIST_MAX_ENTRIES = 100000;
+declare const RevocationListSchema: z.ZodObject<{
+    issuerId: z.ZodString;
+    /**
+     * Monotonic snapshot counter. A device MUST NOT replace a pinned list with
+     * one carrying a lower sequence — this defeats a downgrade/rollback attack
+     * that replays an older list to resurrect a revoked credential.
+     */
+    sequence: z.ZodNumber;
+    issuedAtMs: z.ZodNumber;
+    /**
+     * Freshness bound. After this instant the list is considered stale and the
+     * verifier treats it as untrustworthy (fail-closed), forcing a re-pin.
+     * Optional so the issuer may publish a list without a hard expiry.
+     */
+    notAfterMs: z.ZodOptional<z.ZodNumber>;
+    /** OAC ids that are revoked AND not yet past their own validity window. */
+    revokedOacIds: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+    issuedAtMs: number;
+    issuerId: string;
+    sequence: number;
+    revokedOacIds: string[];
+    notAfterMs?: number | undefined;
+}, {
+    issuedAtMs: number;
+    issuerId: string;
+    sequence: number;
+    revokedOacIds: string[];
+    notAfterMs?: number | undefined;
+}>;
+type RevocationList = z.infer<typeof RevocationListSchema>;
+declare const SignedRevocationListSchema: z.ZodObject<{
+    list: z.ZodObject<{
+        issuerId: z.ZodString;
+        /**
+         * Monotonic snapshot counter. A device MUST NOT replace a pinned list with
+         * one carrying a lower sequence — this defeats a downgrade/rollback attack
+         * that replays an older list to resurrect a revoked credential.
+         */
+        sequence: z.ZodNumber;
+        issuedAtMs: z.ZodNumber;
+        /**
+         * Freshness bound. After this instant the list is considered stale and the
+         * verifier treats it as untrustworthy (fail-closed), forcing a re-pin.
+         * Optional so the issuer may publish a list without a hard expiry.
+         */
+        notAfterMs: z.ZodOptional<z.ZodNumber>;
+        /** OAC ids that are revoked AND not yet past their own validity window. */
+        revokedOacIds: z.ZodArray<z.ZodString, "many">;
+    }, "strip", z.ZodTypeAny, {
+        issuedAtMs: number;
+        issuerId: string;
+        sequence: number;
+        revokedOacIds: string[];
+        notAfterMs?: number | undefined;
+    }, {
+        issuedAtMs: number;
+        issuerId: string;
+        sequence: number;
+        revokedOacIds: string[];
+        notAfterMs?: number | undefined;
+    }>;
+    /** ASN.1 DER ECDSA P-256 issuer signature over the signing payload, base64. */
+    issuerSig: z.ZodString;
+    /** Issuer's P-256 public key as SubjectPublicKeyInfo DER, base64. */
+    issuerPublicKeySpkiB64: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    issuerSig: string;
+    issuerPublicKeySpkiB64: string;
+    list: {
+        issuedAtMs: number;
+        issuerId: string;
+        sequence: number;
+        revokedOacIds: string[];
+        notAfterMs?: number | undefined;
+    };
+}, {
+    issuerSig: string;
+    issuerPublicKeySpkiB64: string;
+    list: {
+        issuedAtMs: number;
+        issuerId: string;
+        sequence: number;
+        revokedOacIds: string[];
+        notAfterMs?: number | undefined;
+    };
+}>;
+type SignedRevocationList = z.infer<typeof SignedRevocationListSchema>;
+type VerifyRevocationListResult = {
+    ok: true;
+    list: RevocationList;
+    revokedOacIds: ReadonlySet<string>;
+} | {
+    ok: false;
+    reason: 'malformed' | 'untrusted_issuer' | 'signature_invalid' | 'stale';
+};
+interface VerifyRevocationListOptions {
+    /** Override the wall clock; defaults to `Date.now()`. */
+    nowMs?: number;
+}
+/**
+ * Canonical revocation-list payload (domain-bound) the issuer signs.
+ *
+ * Cross-implementation contract (MUST match the backend signer byte-for-byte):
+ * optional fields with no value are OMITTED from the signed object, never
+ * emitted as `null` or `undefined`. `canonicalJSONBytes` rejects `undefined`
+ * object values outright, so building the payload explicitly (rather than
+ * spreading a `list` that may carry an explicit `notAfterMs: undefined`) keeps
+ * verification total — it can never throw on a well-typed list — and keeps the
+ * signed bytes identical whether `notAfterMs` was absent or explicitly unset.
+ */
+declare function revocationListSigningPayload(list: RevocationList): Record<string, unknown>;
+/**
+ * Verify a signed revocation list offline against pinned issuer keys.
+ *
+ * Security invariants (identical to `verifyOacOffline`):
+ *   - The signature is checked against the PINNED key for `list.issuerId`,
+ *     never the payload-embedded key.
+ *   - The pinned key's own validity window is enforced.
+ *   - A list past `notAfterMs` fails closed (`stale`) so a long-offline device
+ *     cannot keep trusting a frozen snapshot forever.
+ *
+ * Note: rollback protection via `sequence` is intentionally NOT enforced here
+ * (verification is stateless). The caller persisting the pinned list MUST
+ * reject any replacement whose `sequence` is lower than the pinned one.
+ */
+declare function verifyRevocationList(signed: SignedRevocationList, trustedKeys: readonly TrustedIssuerKey[], options?: VerifyRevocationListOptions): VerifyRevocationListResult;
+/** True iff `oacId` appears in a verified revocation set. */
+declare function isOacRevoked(oacId: string, revokedOacIds: ReadonlySet<string>): boolean;
 /**
  * Consumer-side Offline Collect SDK client.
  *
@@ -2915,14 +3240,14 @@ declare const IssuerTrustKeySchema: z.ZodObject<{
     issuerId: string;
     alg: "p256";
     publicKeySpkiB64: string;
-    notBeforeMs?: number | undefined;
     notAfterMs?: number | undefined;
+    notBeforeMs?: number | undefined;
 }, {
     issuerId: string;
     alg: "p256";
     publicKeySpkiB64: string;
-    notBeforeMs?: number | undefined;
     notAfterMs?: number | undefined;
+    notBeforeMs?: number | undefined;
 }>;
 type IssuerTrustKey = z.infer<typeof IssuerTrustKeySchema>;
 declare const IssuerTrustBundleSchema: z.ZodObject<{
@@ -2936,30 +3261,30 @@ declare const IssuerTrustBundleSchema: z.ZodObject<{
         issuerId: string;
         alg: "p256";
         publicKeySpkiB64: string;
-        notBeforeMs?: number | undefined;
         notAfterMs?: number | undefined;
+        notBeforeMs?: number | undefined;
     }, {
         issuerId: string;
         alg: "p256";
         publicKeySpkiB64: string;
-        notBeforeMs?: number | undefined;
         notAfterMs?: number | undefined;
+        notBeforeMs?: number | undefined;
     }>, "many">;
 }, "strip", z.ZodTypeAny, {
     keys: {
         issuerId: string;
         alg: "p256";
         publicKeySpkiB64: string;
-        notBeforeMs?: number | undefined;
         notAfterMs?: number | undefined;
+        notBeforeMs?: number | undefined;
     }[];
 }, {
     keys: {
         issuerId: string;
         alg: "p256";
         publicKeySpkiB64: string;
-        notBeforeMs?: number | undefined;
         notAfterMs?: number | undefined;
+        notBeforeMs?: number | undefined;
     }[];
 }>;
 type IssuerTrustBundle = z.infer<typeof IssuerTrustBundleSchema>;
@@ -3107,8 +3432,8 @@ declare const ConsumerOACSchema: z.ZodObject<{
     counterSeed: number;
     issuedAtMs: number;
     issuerId: string;
-    alg: "p256";
     oacId: string;
+    alg: "p256";
     devicePubkeySpkiB64: string;
 }, {
     phoneE164: string;
@@ -3123,8 +3448,8 @@ declare const ConsumerOACSchema: z.ZodObject<{
     counterSeed: number;
     issuedAtMs: number;
     issuerId: string;
-    alg: "p256";
     oacId: string;
+    alg: "p256";
     devicePubkeySpkiB64: string;
 }>;
 type ConsumerOAC = z.infer<typeof ConsumerOACSchema>;
@@ -3178,8 +3503,8 @@ declare const SignedConsumerOACSchema: z.ZodObject<{
         counterSeed: number;
         issuedAtMs: number;
         issuerId: string;
-        alg: "p256";
         oacId: string;
+        alg: "p256";
         devicePubkeySpkiB64: string;
     }, {
         phoneE164: string;
@@ -3194,8 +3519,8 @@ declare const SignedConsumerOACSchema: z.ZodObject<{
         counterSeed: number;
         issuedAtMs: number;
         issuerId: string;
-        alg: "p256";
         oacId: string;
+        alg: "p256";
         devicePubkeySpkiB64: string;
     }>;
     /** ASN.1 DER ECDSA P-256 issuer signature, base64. */
@@ -3217,8 +3542,8 @@ declare const SignedConsumerOACSchema: z.ZodObject<{
         counterSeed: number;
         issuedAtMs: number;
         issuerId: string;
-        alg: "p256";
         oacId: string;
+        alg: "p256";
         devicePubkeySpkiB64: string;
     };
     issuerPublicKeySpkiB64: string;
@@ -3237,8 +3562,8 @@ declare const SignedConsumerOACSchema: z.ZodObject<{
         counterSeed: number;
         issuedAtMs: number;
         issuerId: string;
-        alg: "p256";
         oacId: string;
+        alg: "p256";
         devicePubkeySpkiB64: string;
     };
     issuerPublicKeySpkiB64: string;
@@ -3294,8 +3619,8 @@ declare const OACRecordSchema: z.ZodObject<{
         counterSeed: number;
         issuedAtMs: number;
         issuerId: string;
-        alg: "p256";
         oacId: string;
+        alg: "p256";
         devicePubkeySpkiB64: string;
     }, {
         phoneE164: string;
@@ -3310,8 +3635,8 @@ declare const OACRecordSchema: z.ZodObject<{
         counterSeed: number;
         issuedAtMs: number;
         issuerId: string;
-        alg: "p256";
         oacId: string;
+        alg: "p256";
         devicePubkeySpkiB64: string;
     }>;
     /** ASN.1 DER ECDSA P-256 issuer signature, base64. */
@@ -3340,8 +3665,8 @@ declare const OACRecordSchema: z.ZodObject<{
         counterSeed: number;
         issuedAtMs: number;
         issuerId: string;
-        alg: "p256";
         oacId: string;
+        alg: "p256";
         devicePubkeySpkiB64: string;
     };
     issuerPublicKeySpkiB64: string;
@@ -3364,8 +3689,8 @@ declare const OACRecordSchema: z.ZodObject<{
         counterSeed: number;
         issuedAtMs: number;
         issuerId: string;
-        alg: "p256";
         oacId: string;
+        alg: "p256";
         devicePubkeySpkiB64: string;
     };
     issuerPublicKeySpkiB64: string;
@@ -3450,8 +3775,8 @@ declare const OfflineStatusResultSchema: z.ZodObject<{
             counterSeed: number;
             issuedAtMs: number;
             issuerId: string;
-            alg: "p256";
             oacId: string;
+            alg: "p256";
             devicePubkeySpkiB64: string;
         }, {
             phoneE164: string;
@@ -3466,8 +3791,8 @@ declare const OfflineStatusResultSchema: z.ZodObject<{
             counterSeed: number;
             issuedAtMs: number;
             issuerId: string;
-            alg: "p256";
             oacId: string;
+            alg: "p256";
             devicePubkeySpkiB64: string;
         }>;
         /** ASN.1 DER ECDSA P-256 issuer signature, base64. */
@@ -3496,8 +3821,8 @@ declare const OfflineStatusResultSchema: z.ZodObject<{
             counterSeed: number;
             issuedAtMs: number;
             issuerId: string;
-            alg: "p256";
             oacId: string;
+            alg: "p256";
             devicePubkeySpkiB64: string;
         };
         issuerPublicKeySpkiB64: string;
@@ -3520,8 +3845,8 @@ declare const OfflineStatusResultSchema: z.ZodObject<{
             counterSeed: number;
             issuedAtMs: number;
             issuerId: string;
-            alg: "p256";
             oacId: string;
+            alg: "p256";
             devicePubkeySpkiB64: string;
         };
         issuerPublicKeySpkiB64: string;
@@ -3546,8 +3871,8 @@ declare const OfflineStatusResultSchema: z.ZodObject<{
             counterSeed: number;
             issuedAtMs: number;
             issuerId: string;
-            alg: "p256";
             oacId: string;
+            alg: "p256";
             devicePubkeySpkiB64: string;
         };
         issuerPublicKeySpkiB64: string;
@@ -3572,8 +3897,8 @@ declare const OfflineStatusResultSchema: z.ZodObject<{
             counterSeed: number;
             issuedAtMs: number;
             issuerId: string;
-            alg: "p256";
             oacId: string;
+            alg: "p256";
             devicePubkeySpkiB64: string;
         };
         issuerPublicKeySpkiB64: string;
@@ -3621,8 +3946,8 @@ declare const ConsumerPaymentClaimSchema: z.ZodObject<{
     payerNonce: string;
     payeeNonce: string;
     occurredAtMs: number;
-    alg: "p256";
     oacId: string;
+    alg: "p256";
     payerDeviceId: string;
     payerPubkeySpkiB64: string;
     payerSignatureDerB64: string;
@@ -3848,6 +4173,12 @@ type MeOfflineClient = {
     getSettlement: (idOrKey: string) => Promise<ConsumerSettlement>;
     /** Fetch the public pinned issuer trust bundle (`GET /v1/issuer/keys`). */
     getIssuerKeys: () => Promise<IssuerTrustBundle>;
+    /**
+     * Fetch the issuer-signed OAC revocation status-list
+     * (`GET /v1/issuer/revocations`). Pinned and checked offline alongside the
+     * issuer trust bundle to bound the revocation window below the OAC TTL.
+     */
+    getRevocations: () => Promise<SignedRevocationList>;
 };
 declare function createMeOfflineClient(opts: MeOfflineClientOptions): MeOfflineClient;
@@ -4104,163 +4435,6 @@ declare function verifyConsumerSettlementReceiptQR(value: string, issuerPublicKe
 declare function decodeConsumerSettlementReceiptQR(value: string): ConsumerSettlement;
 declare function decodeConsumerSettlementReceiptQR(value: string, issuerPublicKeySpkiB64: string): ConsumerSettlement;
-/**
- * Offline verification of the unified Offline Authorization Certificate (OAC).
- *
- * The OAC is issuer-signed and folds identity (phoneE164, displayName, bound
- * device key) into the same credential that carries offline spend authority.
- * This lets two users who meet for the first time recognise and pay each
- * other WITHOUT a network round-trip: the verifier checks the issuer
- * signature against a *pinned* trusted issuer key (a Trust Bundle refreshed
- * whenever the device is online), never the key embedded in the credential.
- *
- * Trust model:
- *   - Provisional offline authorization, authoritative online settlement.
- *     A successful offline verify proves the credential was issued by Flur
- *     and is within its validity window; the backend still re-checks
- *     revocation, balance, and caps at settlement. Short OAC TTL is the
- *     revocation-propagation mechanism — a revoked user cannot refresh and
- *     their OAC expires within the issuance TTL.
- *
- * Wire format mirrors `flur-backend/src/offline-consumer/service.ts`
- * (`oacSigningPayload`): the issuer signs `canonicalJSONBytes({ domain, ...oac })`
- * with its P-256 key. Adding fields to `ConsumerOAC` automatically includes
- * them in the signed bytes, so identity is covered without a new domain.
- */
-/**
- * Domain tag bound into the OAC issuer signature. MUST match
- * `OAC_DOMAIN` in `flur-backend/src/offline-consumer/service.ts`.
- */
-declare const CONSUMER_OAC_DOMAIN: "flur:consumer-offline:v1:oac";
-/**
- * A pinned issuer key the device trusts for offline OAC verification.
- * Sourced from the backend Trust Bundle (`GET /v1/issuer/keys`) and cached
- * on-device. `notBeforeMs` / `notAfterMs` bound the key's own validity so a
- * rotated-out key cannot be used to verify a freshly minted credential.
- */
-interface TrustedIssuerKey {
-    issuerId: string;
-    /** Issuer P-256 public key as SubjectPublicKeyInfo DER, base64. */
-    publicKeySpkiB64: string;
-    notBeforeMs?: number;
-    notAfterMs?: number;
-}
-/** Identity surfaced to the caller after a successful offline verify. */
-interface OacOfflineIdentity {
-    oacId: string;
-    issuerId: string;
-    userId: string;
-    phoneE164: string;
-    displayName: string;
-    /** Holder's bound device key; lets the caller verify receipts offline. */
-    devicePubkeySpkiB64: string;
-}
-type VerifyOacOfflineResult = {
-    ok: true;
-    oac: ConsumerOAC;
-    identity: OacOfflineIdentity;
-} | {
-    ok: false;
-    reason: 'malformed' | 'untrusted_issuer' | 'signature_invalid' | 'window_too_long' | 'not_yet_valid' | 'expired';
-};
-interface VerifyOacOfflineOptions {
-    /** Override the wall clock; defaults to `Date.now()`. */
-    nowMs?: number;
-}
-/** Canonical OAC payload (domain-bound) the backend issuer signs. */
-declare function consumerOacSigningPayload(oac: ConsumerOAC): {
-    phoneE164: string;
-    userId: string;
-    deviceId: string;
-    displayName: string;
-    currency: string;
-    perTxCapKobo: number;
-    cumulativeCapKobo: number;
-    validFromMs: number;
-    validUntilMs: number;
-    counterSeed: number;
-    issuedAtMs: number;
-    issuerId: string;
-    alg: "p256";
-    oacId: string;
-    devicePubkeySpkiB64: string;
-    domain: "flur:consumer-offline:v1:oac";
-};
-/**
- * Verify a signed OAC offline against a pinned set of trusted issuer keys.
- *
- * Security invariants:
- *   - The signature is checked against the PINNED key for `oac.issuerId`,
- *     never the credential-embedded `issuerPublicKeySpkiB64`. An attacker who
- *     forges an OAC with their own key (and a matching embedded key) fails
- *     because their key is not pinned.
- *   - The pinned key's own validity window is enforced.
- *   - The OAC validity window is enforced (`validFromMs <= now < validUntilMs`).
- */
-declare function verifyOacOffline(signed: SignedConsumerOAC, trustedKeys: readonly TrustedIssuerKey[], options?: VerifyOacOfflineOptions): VerifyOacOfflineResult;
-/**
- * QR prefix for a presented unified OAC. A holder shows this QR to be paid
- * and/or identified offline; the scanner decodes it and calls
- * `verifyOacOffline` against its pinned trust bundle. Distinct from the
- * settlement-receipt (`FLURSR1.`) and pay-card prefixes so the scanner can
- * dispatch by prefix without ambiguity.
- */
-declare const CONSUMER_OAC_QR_PREFIX: "FLUROAC1.";
-/** True iff `value` looks like a presented OAC QR payload. */
-declare function isConsumerOacQR(value: string): boolean;
-/**
- * Advisory "pay me" request a holder may attach to a presented OAC pay code:
- * an amount, a purpose/intent, and a free-text reference. This rides as an
- * UNSIGNED suffix on the QR (see {@link encodeConsumerOacQR}) — it is never
- * part of the issuer-signed credential and carries no authority. The payer's
- * app treats it purely as a prefill hint and always confirms the amount,
- * exactly as with a NIBSS dynamic QR.
- */
-declare const OacPresentmentRequestSchema: z.ZodObject<{
-    /** Requested amount in minor units (kobo). */
-    amountMinor: z.ZodOptional<z.ZodNumber>;
-    /** Purpose/intent code (mirrors the NIBSS intent vocabulary). */
-    intent: z.ZodOptional<z.ZodString>;
-    /** Free-text reference / note. */
-    reference: z.ZodOptional<z.ZodString>;
-}, "strict", z.ZodTypeAny, {
-    amountMinor?: number | undefined;
-    reference?: string | undefined;
-    intent?: string | undefined;
-}, {
-    amountMinor?: number | undefined;
-    reference?: string | undefined;
-    intent?: string | undefined;
-}>;
-type OacPresentmentRequest = z.infer<typeof OacPresentmentRequestSchema>;
-/**
- * Encode a signed OAC as a scannable QR payload. The envelope is validated
- * before encoding so a malformed credential can never be presented.
- *
- * An optional advisory {@link OacPresentmentRequest} is appended as a
- * dot-separated, base64url-encoded suffix:
- *   `FLUROAC1.<base64url(signed)>.<base64url(request)>`
- * The signed segment is byte-identical with or without the suffix, so the
- * credential's verifiability is unaffected. An empty request adds no suffix.
- */
-declare function encodeConsumerOacQR(signed: SignedConsumerOAC, request?: OacPresentmentRequest): string;
-/**
- * Decode (WITHOUT verifying) a presented OAC QR back into a signed envelope.
- * Any advisory request suffix is ignored here — use
- * {@link decodeConsumerOacRequest} to read it. The caller MUST pass the result
- * to `verifyOacOffline` against pinned keys before trusting any field —
- * decoding proves nothing about authenticity.
- */
-declare function decodeUnverifiedConsumerOacQR(value: string): SignedConsumerOAC;
-/**
- * Read the advisory {@link OacPresentmentRequest} from a presented OAC QR, or
- * `null` if absent/malformed. This is purely a prefill hint and is NEVER
- * authoritative — a malformed suffix is treated as "no request" and never
- * throws, so a bad suffix can never block a verifiable credential.
- */
-declare function decodeConsumerOacRequest(value: string): OacPresentmentRequest | null;
 /**
  * FLURA1 — single-SMS consumer-offline settle token.
  *
@@ -6671,4 +6845,4 @@ declare function createOfflinePaymentAuthorizationArtifactUri(input: {
     }>;
 };
-export { ACCOUNT_FUNDED_OAC_MAX_TTL_MS, ACCOUNT_STATUSES, ACCOUNT_TYPES, ADDITIONAL_DATA_SUBFIELD, ARTIFACT_BODY_SCHEMAS, ARTIFACT_TYPES, type Account, type AccountActivityItem, type AccountMembership, AccountMembershipSchema, AccountSchema, type AccountStatus, type AccountSummaryResponse, type AccountType, type AccountsClient, type AccountsClientOptions, type AddMemberInput, type AdditionalData, type ApiCredentialPublic, ApiCredentialPublicSchema, type ApiCredentialsAdminClient, type ArtifactBody, type ArtifactHeader, ArtifactHeaderSchema, type ArtifactType, type AtomicRedeemReceiptInput, type AtomicRedeemResponse, type AttestationSecurityLevel, AttestationSecurityLevelSchema, type AuthLogoutInput, type AuthRefreshInput, type AuthRefreshResponse, type AuthorizeSendWithBiometricInput, type AuthorizedOptions, type BiometricSigner, type BuildPassInput, type BuildReceiptInput, type BuildRedemptionInput, CLAIM_DOMAIN_V2, COLLECTION_INTENT_STATUSES, COLLECTION_PAYMENT_STATUSES, CONSUMER_OAC_DOMAIN, CONSUMER_OAC_QR_PREFIX, CONSUMER_OFFLINE_CLAIM_SUBMIT_GRACE_MS, CONSUMER_PAYMENT_REQUEST_DOMAIN, CONSUMER_SETTLEMENT_DOMAIN, CONSUMER_SETTLEMENT_RECEIPT_QR_PREFIX, CUSTODIAL_MODES, type CanonicalClaimInput, type CashNamespace, type ClaimSignature, type CollectionIntent, CollectionIntentSchema, type CollectionPayment, type CollectionPaymentResult, CollectionPaymentResultSchema, CollectionPaymentSchema, type CollectionReportSummary, CollectionReportSummarySchema, type CollectionStatement, CollectionStatementSchema, type CollectionsClient, type CollectionsClientOptions, type ConsumerCollectionsClient, type ConsumerOAC, type OACRecord as ConsumerOACRecord, OACRecordSchema as ConsumerOACRecordSchema, ConsumerOACSchema, type ConsumerPaymentClaim, ConsumerPaymentClaimSchema, type ConsumerPaymentRequestEnvelope, ConsumerPaymentRequestEnvelopeSchema, type ConsumerSettleResult, ConsumerSettleResultSchema, type ConsumerSettlement, ConsumerSettlementSchema, type ConsumerWithdrawalsClient, type ConsumerWithdrawalsClientOptions, type CreateBusinessAccountInput, type CreateCollectionIntentInput, CreateCollectionIntentInputSchema, type CreatePayLinkResponse, type CreatePayoutDestinationInput, CreatePayoutDestinationInputSchema, type CreatePayoutInput, CreatePayoutInputSchema, type CreateTransferOptions, type CreateWithdrawalInput, CreateWithdrawalInputSchema, type CreateWithdrawalResult, CreateWithdrawalResultSchema, type CustodialMode, type DecodedArtifactUri, type DecodedOfflineSmsSettleToken, type DeviceKeyAlg, DeviceKeyAlgSchema, type DeviceKeyRecord, DeviceKeyRecordSchema, type DeviceTrustState, FIELD, FLUR_ARTIFACT_URI_PREFIX, FLUR_ARTIFACT_URI_SCHEME, FLUR_ARTIFACT_VERSION, FlurApiError, FlurArtifactError, FlurCapExceededError, FlurClient, type FlurClientOptions, FlurError, type FlurErrorCode, FlurExpiredError, type FlurHandle, type FlurInitOptions, type FlurOfflineSettlementsClient, type FlurPartnerClient, type FlurPaymentEvent, FlurReplayError, HARDENED_ARTIFACT_TYPES, type HmacFetchOptions, IdentityArtifactSchema, type IngestFundingResult, IngestFundingResultSchema, type IssueAccountOacInput, IssueAccountOacInputSchema, type IssueOfflineTokenInput, type IssuePassInput, type IssueReceiptInput, type IssuerTrustBundle, IssuerTrustBundleSchema, type IssuerTrustKey, IssuerTrustKeySchema, LedgerJournalEntryArtifactSchema, type ListPassesInput, type ListPassesResponse, type ListPayoutDestinationsResult, ListPayoutDestinationsResultSchema, type ListReceiptsInput, type ListReceiptsResponse, type ListTransactionsOptions, MEMBERSHIP_ROLES, MERCHANT_PAYOUT_STATUSES, MERCHANT_PROFILE_STATUSES, type MeOfflineClient, type MeOfflineClientOptions, type MembershipRole, type MerchantAccountInfo, type MerchantPayout, MerchantPayoutSchema, type MerchantProfile, MerchantProfileSchema, type MintedApiCredential, MintedApiCredentialSchema, type Money, NGN_CURRENCY_CODE, NG_COUNTRY_CODE, NQRParseError, type NQRPayloadInput, NqrPaymentRequestArtifactSchema, type OAC, OACSchema, OAC_DEFAULT_CUMULATIVE_KOBO, OAC_DEFAULT_PER_TX_KOBO, OAC_DEFAULT_VALIDITY_MS, OFFLINE_CLAIM_SMS_PREFIX, OFFLINE_SMS_SETTLE_DOMAIN, OFFLINE_SMS_SETTLE_HEADER_BYTES, OFFLINE_SMS_SETTLE_PREFIX, OFFLINE_SMS_SETTLE_SIGNATURE_BYTES, OFFLINE_SMS_SETTLE_TOKEN_BYTES, OFFLINE_SMS_SETTLE_VERSION, type OacOfflineIdentity, type OacPresentmentRequest, OacPresentmentRequestSchema, type OfflineClaimAlgorithm, OfflineClaimArtifactSchema, type OfflineClaimSigner, type OfflinePaymentAuthorization, type OfflinePaymentAuthorizationArtifact, OfflinePaymentAuthorizationArtifactSchema, OfflinePaymentAuthorizationSchema, type OfflinePaymentRequest, OfflinePaymentRequestSchema, type OfflineSmsSettleInput, type OfflineSmsSettleSigner, type OfflineStatusResult, OfflineStatusResultSchema, type OfflineToken, OfflineTokenSchema, type OnboardingCompleteInput, type OnboardingCompleteResponse, type OnboardingFallback, type OnboardingRiskReason, type OnboardingStartInput, type OnboardingStartResponse, type P256EnrollmentChallengeInput, P256EnrollmentChallengeInputSchema, type P256EnrollmentChallengeResult, P256EnrollmentChallengeResultSchema, PARTNER_FUNDING_DIRECTIONS, PARTNER_FUNDING_STATUSES, PARTNER_KINDS, PARTNER_PROFILE_STATUSES, PARTNER_SCOPES, PASS_KINDS, PASS_STATES, PAYLOAD_FORMAT_INDICATOR_VALUE, PAYOUT_DESTINATION_STATUSES, POINT_OF_INITIATION, type ParsedNQR, type PartnerClientOptions, type PartnerCollectionsClient, type PartnerFunding, type PartnerFundingClient, type PartnerFundingDirection, type PartnerFundingEventInput, PartnerFundingEventInputSchema, PartnerFundingSchema, type PartnerFundingStatus, type PartnerKind, type PartnerProfile, type PartnerProfileAdminClient, type PartnerProfileAdminClientOptions, PartnerProfileSchema, type PartnerProfileStatus, type PartnerScope, type PartnerSignResult, type Pass, PassArtifactSchema, type PassKind, type PassMetadata, PassMetadataSchema, PassSchema, type PassState, type PassesClient, type PassesClientOptions, type PayCollectionInput, PayCollectionInputSchema, type PayCollectionOptions, type PayCollectionResponse, type PaymentClaim, PaymentClaimSchema, PaymentIntentArtifactSchema, type PayoutDestination, PayoutDestinationSchema, type PayoutDestinationStatus, type PayoutEventInput, PayoutEventInputSchema, type PinSetInput, type PinVerifyInput, type ProviderEventInput, ProviderEventInputSchema, type ProviderEventRecord, ProviderEventRecordSchema, type PublicCollectionIntent, PublicCollectionIntentSchema, type PushPlatform, type PushRegisterInput, RECEIPT_CHANNELS, RECEIPT_KINDS, REPLAY_WINDOW_MS, type Receipt, type ReceiptArtifact, ReceiptArtifactSchema, type ReceiptChannel, type ReceiptKind, type ReceiptPayload, ReceiptPayloadSchema, ReceiptSchema, type ReceiptsClient, type ReceiptsClientOptions, type RecipientResolveInput, type RecipientResolveResponse, type ReconciliationReport, ReconciliationReportSchema, type RecordPayoutEventResult, RecordPayoutEventResultSchema, type RedeemPassResponse, type Redemption, RedemptionSchema, type RegisterDeviceInput, type RegisterDeviceKeyP256Input, RegisterDeviceKeyP256InputSchema, type RegisterDeviceResponse, type RegisterSendDeviceKeyInput, type ResolveCollectionOptions, type ResolveCollectionResponse, type ResolvePayLinkResponse, ReversalRecordArtifactSchema, RevokeDeviceKeyInputSchema, type RevokePassInput, type RoutingHint, SETTLEMENT_SCHEDULES, type SendChallengeInput, type SendChallengeResponse, type SendMoneyInput, type SendMoneyOptions, type SendVerifyInput, type SendVerifyResponse, type SettleResponse, SettleResponseSchema, type Settlement, SettlementRecordArtifactSchema, SettlementSchema, type SignedArtifact, type SignedConsumerOAC, SignedConsumerOACSchema, type SignerPublicKey, StatementArtifactSchema, type SubscribeOptions, type TLVField, type TransactionDetailResponse, type TransactionDirection, type TransactionsListResponse, type TransferInput, type TransferResponse, type TransferStatus, type TrustedIssuerKey, type UnsignedConsumerPaymentRequest, type UnsignedOAC, type UnsignedOfflinePaymentAuthorization, type UnsignedOfflinePaymentRequest, type UnsignedPass, type UnsignedReceipt, type UnsignedRedemption, type UpsertMerchantProfileInput, UpsertMerchantProfileInputSchema, type UpsertPartnerProfileInput, UpsertPartnerProfileInputSchema, type VerifiedArtifact, type VerifyArtifactOptions, type VerifyClaimSignatureInput, type VerifyOacOfflineOptions, type VerifyOacOfflineResult, WITHDRAWAL_STATES, type Withdrawal, WithdrawalSchema, type WithdrawalState, base64UrlDecode, base64UrlEncode, bodySha256Hex, buildArtifactBody, buildAuthorization, buildConsumerPaymentRequest, buildOAC, buildPass, buildPaymentRequest, buildReceipt, buildRedemption, buildSmsSettleHeader, domainTag as buildSmsSettleSignedBytes, canonicalClaimSigningBytes, canonicalClaimSigningPayload, canonicalJSONBytes, canonicalJSONStringify, canonicalRequestString, computeConsumerClaimEncounterId, computeEncounterId, constantTimeEqual, consumerOacSigningPayload, consumerPaymentRequestSigningBytes, consumerPaymentRequestSigningPayload, consumerSettlementSigningPayload, crc16ccitt, crc16ccittHex, createAccountsClient, createApiCredentialsAdminClient, createArtifactUri, createCollectionsClient, createConsumerCollectionsClient, createConsumerWithdrawalsClient, createFlurPartnerClient, createHmacFetch, createMeOfflineClient, createOfflinePaymentAuthorizationArtifactUri, createOfflineSettlementsClient, createPartnerCollectionsClient, createPartnerFundingClient, createPartnerProfileAdminClient, createPassesClient, createReceiptArtifactUri, createReceiptsClient, createSoftwareP256Signer, decodeArtifactUri, decodeAuthorizationQR, decodeBase45, decodeConsumerOacRequest, decodeConsumerSettlementReceiptQR, decodeOfflineClaimSmsMessage, decodeOfflineSmsSettleToken, decodePaymentRequestQR, decodeUnverifiedConsumerOacQR, decodeUnverifiedConsumerSettlementReceiptQR, derToRawP256Signature, encodeArtifactUri, encodeAuthorizationQR, encodeBase45, encodeConsumerOacQR, encodeConsumerSettlementReceiptQR, encodeNQR, encodeOfflineClaimSmsMessage, encodeOfflineSmsSettleToken, encodePaymentRequestQR, extractOfflineClaimSmsToken, extractOfflineSmsSettleToken, formatAmount, generateDynamicQR, generateStaticQR, init, isConsumerOacQR, isConsumerPaymentRequestExpired, isHardenedArtifactType, isKnownArtifactType, isPassWithinValidity, moneyMinorToNumber, normalizeE164, parseAmountInput, parseNQR, parseQR, readTLV, routingHint, signArtifact, signAuthorization, signConsumerPaymentRequest, signOAC, signPartnerRequest, signPass, signPaymentRequest, signReceipt, signRedemption, signRequestHMAC, verifyArtifactSignature, verifyArtifactUri, verifyAuthorization, verifyClaimSignature, verifyConsumerPaymentRequest, verifyConsumerSettlement, verifyConsumerSettlementReceiptQR, verifyOAC, verifyOacOffline, verifyOfflineSmsSettleToken, verifyPass, verifyPaymentRequest, verifyReceipt, verifyRedemption, verifyRequestHMAC, writeTLV };
+export { ACCOUNT_FUNDED_OAC_MAX_TTL_MS, ACCOUNT_STATUSES, ACCOUNT_TYPES, ADDITIONAL_DATA_SUBFIELD, ARTIFACT_BODY_SCHEMAS, ARTIFACT_TYPES, type Account, type AccountActivityItem, type AccountMembership, AccountMembershipSchema, AccountSchema, type AccountStatus, type AccountSummaryResponse, type AccountType, type AccountsClient, type AccountsClientOptions, type AddMemberInput, type AdditionalData, type ApiCredentialPublic, ApiCredentialPublicSchema, type ApiCredentialsAdminClient, type ArtifactBody, type ArtifactHeader, ArtifactHeaderSchema, type ArtifactType, type AtomicRedeemReceiptInput, type AtomicRedeemResponse, type AttestationSecurityLevel, AttestationSecurityLevelSchema, type AuthLogoutInput, type AuthRefreshInput, type AuthRefreshResponse, type AuthorizeSendWithBiometricInput, type AuthorizedOptions, type BiometricSigner, type BuildPassInput, type BuildReceiptInput, type BuildRedemptionInput, CLAIM_DOMAIN_V2, COLLECTION_INTENT_STATUSES, COLLECTION_PAYMENT_STATUSES, CONSUMER_OAC_DOMAIN, CONSUMER_OAC_QR_PREFIX, CONSUMER_OFFLINE_CLAIM_SUBMIT_GRACE_MS, CONSUMER_PAYMENT_REQUEST_DOMAIN, CONSUMER_REVOCATION_DOMAIN, CONSUMER_SETTLEMENT_DOMAIN, CONSUMER_SETTLEMENT_RECEIPT_QR_PREFIX, CUSTODIAL_MODES, type CanonicalClaimInput, type CashNamespace, type ClaimSignature, type CollectionIntent, CollectionIntentSchema, type CollectionPayment, type CollectionPaymentResult, CollectionPaymentResultSchema, CollectionPaymentSchema, type CollectionReportSummary, CollectionReportSummarySchema, type CollectionStatement, CollectionStatementSchema, type CollectionsClient, type CollectionsClientOptions, type ConsumerCollectionsClient, type ConsumerOAC, type OACRecord as ConsumerOACRecord, OACRecordSchema as ConsumerOACRecordSchema, ConsumerOACSchema, type ConsumerPaymentClaim, ConsumerPaymentClaimSchema, type ConsumerPaymentRequestEnvelope, ConsumerPaymentRequestEnvelopeSchema, type ConsumerSettleResult, ConsumerSettleResultSchema, type ConsumerSettlement, ConsumerSettlementSchema, type ConsumerWithdrawalsClient, type ConsumerWithdrawalsClientOptions, type CreateBusinessAccountInput, type CreateCollectionIntentInput, CreateCollectionIntentInputSchema, type CreatePayLinkResponse, type CreatePayoutDestinationInput, CreatePayoutDestinationInputSchema, type CreatePayoutInput, CreatePayoutInputSchema, type CreateTransferOptions, type CreateWithdrawalInput, CreateWithdrawalInputSchema, type CreateWithdrawalResult, CreateWithdrawalResultSchema, type CustodialMode, type DecodedArtifactUri, type DecodedOfflineSmsSettleToken, type DeviceKeyAlg, DeviceKeyAlgSchema, type DeviceKeyRecord, DeviceKeyRecordSchema, type DeviceTrustState, FIELD, FLUR_ARTIFACT_URI_PREFIX, FLUR_ARTIFACT_URI_SCHEME, FLUR_ARTIFACT_VERSION, FlurApiError, FlurArtifactError, FlurCapExceededError, FlurClient, type FlurClientOptions, FlurError, type FlurErrorCode, FlurExpiredError, type FlurHandle, type FlurInitOptions, type FlurOfflineSettlementsClient, type FlurPartnerClient, type FlurPaymentEvent, FlurReplayError, HARDENED_ARTIFACT_TYPES, type HmacFetchOptions, IdentityArtifactSchema, type IngestFundingResult, IngestFundingResultSchema, type IssueAccountOacInput, IssueAccountOacInputSchema, type IssueOfflineTokenInput, type IssuePassInput, type IssueReceiptInput, type IssuerTrustBundle, IssuerTrustBundleSchema, type IssuerTrustKey, IssuerTrustKeySchema, LedgerJournalEntryArtifactSchema, type ListPassesInput, type ListPassesResponse, type ListPayoutDestinationsResult, ListPayoutDestinationsResultSchema, type ListReceiptsInput, type ListReceiptsResponse, type ListTransactionsOptions, MEMBERSHIP_ROLES, MERCHANT_PAYOUT_STATUSES, MERCHANT_PROFILE_STATUSES, type MeOfflineClient, type MeOfflineClientOptions, type MembershipRole, type MerchantAccountInfo, type MerchantPayout, MerchantPayoutSchema, type MerchantProfile, MerchantProfileSchema, type MintedApiCredential, MintedApiCredentialSchema, type Money, NGN_CURRENCY_CODE, NG_COUNTRY_CODE, NQRParseError, type NQRPayloadInput, NqrPaymentRequestArtifactSchema, type OAC, OACSchema, OAC_DEFAULT_CUMULATIVE_KOBO, OAC_DEFAULT_PER_TX_KOBO, OAC_DEFAULT_VALIDITY_MS, OFFLINE_CLAIM_SMS_PREFIX, OFFLINE_SMS_SETTLE_DOMAIN, OFFLINE_SMS_SETTLE_HEADER_BYTES, OFFLINE_SMS_SETTLE_PREFIX, OFFLINE_SMS_SETTLE_SIGNATURE_BYTES, OFFLINE_SMS_SETTLE_TOKEN_BYTES, OFFLINE_SMS_SETTLE_VERSION, type OacOfflineIdentity, type OacPresentmentRequest, OacPresentmentRequestSchema, type OfflineClaimAlgorithm, OfflineClaimArtifactSchema, type OfflineClaimSigner, type OfflinePaymentAuthorization, type OfflinePaymentAuthorizationArtifact, OfflinePaymentAuthorizationArtifactSchema, OfflinePaymentAuthorizationSchema, type OfflinePaymentRequest, OfflinePaymentRequestSchema, type OfflineSmsSettleInput, type OfflineSmsSettleSigner, type OfflineStatusResult, OfflineStatusResultSchema, type OfflineToken, OfflineTokenSchema, type OnboardingCompleteInput, type OnboardingCompleteResponse, type OnboardingFallback, type OnboardingRiskReason, type OnboardingStartInput, type OnboardingStartResponse, type P256EnrollmentChallengeInput, P256EnrollmentChallengeInputSchema, type P256EnrollmentChallengeResult, P256EnrollmentChallengeResultSchema, PARTNER_FUNDING_DIRECTIONS, PARTNER_FUNDING_STATUSES, PARTNER_KINDS, PARTNER_PROFILE_STATUSES, PARTNER_SCOPES, PASS_KINDS, PASS_STATES, PAYLOAD_FORMAT_INDICATOR_VALUE, PAYOUT_DESTINATION_STATUSES, POINT_OF_INITIATION, type ParsedNQR, type PartnerClientOptions, type PartnerCollectionsClient, type PartnerFunding, type PartnerFundingClient, type PartnerFundingDirection, type PartnerFundingEventInput, PartnerFundingEventInputSchema, PartnerFundingSchema, type PartnerFundingStatus, type PartnerKind, type PartnerProfile, type PartnerProfileAdminClient, type PartnerProfileAdminClientOptions, PartnerProfileSchema, type PartnerProfileStatus, type PartnerScope, type PartnerSignResult, type Pass, PassArtifactSchema, type PassKind, type PassMetadata, PassMetadataSchema, PassSchema, type PassState, type PassesClient, type PassesClientOptions, type PayCollectionInput, PayCollectionInputSchema, type PayCollectionOptions, type PayCollectionResponse, type PaymentClaim, PaymentClaimSchema, PaymentIntentArtifactSchema, type PayoutDestination, PayoutDestinationSchema, type PayoutDestinationStatus, type PayoutEventInput, PayoutEventInputSchema, type PinSetInput, type PinVerifyInput, type ProviderEventInput, ProviderEventInputSchema, type ProviderEventRecord, ProviderEventRecordSchema, type PublicCollectionIntent, PublicCollectionIntentSchema, type PushPlatform, type PushRegisterInput, RECEIPT_CHANNELS, RECEIPT_KINDS, REPLAY_WINDOW_MS, REVOCATION_LIST_MAX_ENTRIES, type Receipt, type ReceiptArtifact, ReceiptArtifactSchema, type ReceiptChannel, type ReceiptKind, type ReceiptPayload, ReceiptPayloadSchema, ReceiptSchema, type ReceiptsClient, type ReceiptsClientOptions, type RecipientResolveInput, type RecipientResolveResponse, type ReconciliationReport, ReconciliationReportSchema, type RecordPayoutEventResult, RecordPayoutEventResultSchema, type RedeemPassResponse, type Redemption, RedemptionSchema, type RegisterDeviceInput, type RegisterDeviceKeyP256Input, RegisterDeviceKeyP256InputSchema, type RegisterDeviceResponse, type RegisterSendDeviceKeyInput, type ResolveCollectionOptions, type ResolveCollectionResponse, type ResolvePayLinkResponse, ReversalRecordArtifactSchema, type RevocationList, RevocationListSchema, RevokeDeviceKeyInputSchema, type RevokePassInput, type RoutingHint, SETTLEMENT_SCHEDULES, type SendChallengeInput, type SendChallengeResponse, type SendMoneyInput, type SendMoneyOptions, type SendVerifyInput, type SendVerifyResponse, type SettleResponse, SettleResponseSchema, type Settlement, SettlementRecordArtifactSchema, SettlementSchema, type SignedArtifact, type SignedConsumerOAC, SignedConsumerOACSchema, type SignedRevocationList, SignedRevocationListSchema, type SignerPublicKey, StatementArtifactSchema, type SubscribeOptions, type TLVField, type TransactionDetailResponse, type TransactionDirection, type TransactionsListResponse, type TransferInput, type TransferResponse, type TransferStatus, type TrustedIssuerKey, type UnsignedConsumerPaymentRequest, type UnsignedOAC, type UnsignedOfflinePaymentAuthorization, type UnsignedOfflinePaymentRequest, type UnsignedPass, type UnsignedReceipt, type UnsignedRedemption, type UpsertMerchantProfileInput, UpsertMerchantProfileInputSchema, type UpsertPartnerProfileInput, UpsertPartnerProfileInputSchema, type VerifiedArtifact, type VerifyArtifactOptions, type VerifyClaimSignatureInput, type VerifyOacOfflineOptions, type VerifyOacOfflineResult, type VerifyRevocationListOptions, type VerifyRevocationListResult, WITHDRAWAL_STATES, type Withdrawal, WithdrawalSchema, type WithdrawalState, base64UrlDecode, base64UrlEncode, bodySha256Hex, buildArtifactBody, buildAuthorization, buildConsumerPaymentRequest, buildOAC, buildPass, buildPaymentRequest, buildReceipt, buildRedemption, buildSmsSettleHeader, domainTag as buildSmsSettleSignedBytes, canonicalClaimSigningBytes, canonicalClaimSigningPayload, canonicalJSONBytes, canonicalJSONStringify, canonicalRequestString, computeConsumerClaimEncounterId, computeEncounterId, constantTimeEqual, consumerOacSigningPayload, consumerPaymentRequestSigningBytes, consumerPaymentRequestSigningPayload, consumerSettlementSigningPayload, crc16ccitt, crc16ccittHex, createAccountsClient, createApiCredentialsAdminClient, createArtifactUri, createCollectionsClient, createConsumerCollectionsClient, createConsumerWithdrawalsClient, createFlurPartnerClient, createHmacFetch, createMeOfflineClient, createOfflinePaymentAuthorizationArtifactUri, createOfflineSettlementsClient, createPartnerCollectionsClient, createPartnerFundingClient, createPartnerProfileAdminClient, createPassesClient, createReceiptArtifactUri, createReceiptsClient, createSoftwareP256Signer, decodeArtifactUri, decodeAuthorizationQR, decodeBase45, decodeConsumerOacRequest, decodeConsumerSettlementReceiptQR, decodeOfflineClaimSmsMessage, decodeOfflineSmsSettleToken, decodePaymentRequestQR, decodeUnverifiedConsumerOacQR, decodeUnverifiedConsumerSettlementReceiptQR, derToRawP256Signature, encodeArtifactUri, encodeAuthorizationQR, encodeBase45, encodeConsumerOacQR, encodeConsumerSettlementReceiptQR, encodeNQR, encodeOfflineClaimSmsMessage, encodeOfflineSmsSettleToken, encodePaymentRequestQR, extractOfflineClaimSmsToken, extractOfflineSmsSettleToken, formatAmount, generateDynamicQR, generateStaticQR, init, isConsumerOacQR, isConsumerPaymentRequestExpired, isHardenedArtifactType, isKnownArtifactType, isOacRevoked, isPassWithinValidity, moneyMinorToNumber, normalizeE164, parseAmountInput, parseNQR, parseQR, readTLV, revocationListSigningPayload, routingHint, signArtifact, signAuthorization, signConsumerPaymentRequest, signOAC, signPartnerRequest, signPass, signPaymentRequest, signReceipt, signRedemption, signRequestHMAC, verifyArtifactSignature, verifyArtifactUri, verifyAuthorization, verifyClaimSignature, verifyConsumerPaymentRequest, verifyConsumerSettlement, verifyConsumerSettlementReceiptQR, verifyOAC, verifyOacOffline, verifyOfflineSmsSettleToken, verifyPass, verifyPaymentRequest, verifyReceipt, verifyRedemption, verifyRequestHMAC, verifyRevocationList, writeTLV };