@obelyzk/sdk 1.0.0 → 1.0.1

package/dist/index.mjs

@@ -84,7 +84,7 @@ import {
   powMod,
   randomScalar,
   subMod
-} from "./chunk-O2PF7VJA.mjs";
+} from "./chunk-CGPFHXUF.mjs";
 
 // src/types.ts
 function getMinStake(tier) {

package/dist/obelysk/index.d.mts

@@ -924,7 +924,14 @@ declare class VM31VaultClient {
     private get contractAddress();
     private get relayerUrl();
     private get relayerApiKey();
+    /** Cached relayer X25519 public key (fetched on first encrypted submit) */
+    private _relayerPubkey;
     private relayerFetch;
+    /**
+     * Submit a payload to the relayer, encrypted with ECIES.
+     * Falls back to plaintext if `encrypt: false` is passed.
+     */
+    private relayerSubmit;
     /** Get the current Merkle root of the VM31 commitment tree */
     getMerkleRoot(): Promise<PackedDigest>;
     /** Get the number of leaves in the commitment tree */
@@ -969,12 +976,24 @@ declare class VM31VaultClient {
         version: number;
         algorithm: string;
     }>;
-    /** Submit a deposit transaction to the relayer */
-    submitDeposit(params: VaultDepositParams): Promise<VaultSubmitResult>;
-    /** Submit a withdrawal transaction to the relayer */
-    submitWithdraw(params: VaultWithdrawParams): Promise<VaultSubmitResult>;
-    /** Submit a private transfer transaction to the relayer */
-    submitTransfer(params: VaultTransferParams): Promise<VaultSubmitResult>;
+    /**
+     * Submit a deposit transaction to the relayer.
+     * Validates denomination (privacy gap #7) and encrypts with ECIES by default.
+     * @param encrypt - Set to false for legacy plaintext mode (default: true)
+     */
+    submitDeposit(params: VaultDepositParams, encrypt?: boolean): Promise<VaultSubmitResult>;
+    /**
+     * Submit a withdrawal transaction to the relayer.
+     * Withdrawals are not denomination-restricted.
+     * @param encrypt - Set to false for legacy plaintext mode (default: true)
+     */
+    submitWithdraw(params: VaultWithdrawParams, encrypt?: boolean): Promise<VaultSubmitResult>;
+    /**
+     * Submit a private transfer transaction to the relayer.
+     * Transfers are not denomination-restricted.
+     * @param encrypt - Set to false for legacy plaintext mode (default: true)
+     */
+    submitTransfer(params: VaultTransferParams, encrypt?: boolean): Promise<VaultSubmitResult>;
     /** Query batch info from the relayer */
     queryBatch(batchId: string): Promise<VaultBatchInfo>;
     /** Fetch Merkle path for a commitment from the relayer */
@@ -1342,4 +1361,74 @@ declare class ObelyskClient {
     requireAccount(): Account;
 }
 
-export { type AssetPair, type BatchStatus, type BridgeConfig, type ClaimFillParams, type ClaimParams, type CommitOrderParams, ConfidentialTransferClient, DARKPOOL_ASSET_IDS, DarkPoolClient, type DarkPoolDepositParams, type DarkPoolOrderData, type DepositParams, type DepositResult, ECPoint, type EpochInfo, type FundParams, type GpuTier, MAINNET_PRIVACY_POOLS, MAINNET_TOKENS, type OTCOrder, OTCOrderbookClient, type OTCTrade, ObelyskClient, type ObelyskConfig, type ObelyskNetwork, ObelyskPrivacy, OrderSide, OrderStatus, OrderType, type OrderbookConfig, type OrderbookDepth, type OrderbookDepthLevel, type PackedDigest, type PlaceLimitOrderParams, type PlaceMarketOrderParams, type PrivacyNote, PrivacyPoolClient, PrivacyRouterClient, type PrivateAccount, ProverStakingClient, type RelayerInfo, type RevealOrderParams, ShieldedSwapClient, type ShieldedSwapParams, type StakingConfig, type Stats24h, type StealthAnnouncement, StealthClient, type StealthMetaAddress, type StealthSendParams, type StealthSpendingProof, TOKEN_DECIMALS, type TradingPair, type TransferParams, type VM31AssetId, VM31BridgeClient, VM31VaultClient, VM31_ASSET_IDS, type VaultBatchInfo, type VaultDepositParams, type VaultMerklePath, type VaultNote, type VaultSubmitResult, type VaultTransferParams, type VaultWithdrawParams, type WithdrawCTParams, type WithdrawParams, type WithdrawResult, type WorkerStake, commitmentToHash, createAEHint, createEncryptionProof, deriveNullifier, ecAdd, ecMul, elgamalEncrypt, formatAmount, getContracts, getRpcUrl, mod, modInverse, parseAmount, pedersenCommit, randomScalar };
+/**
+ * ECIES Encryption for VM31 Relayer
+ *
+ * X25519 ECDH + HKDF-SHA256 + AES-256-GCM
+ * Compatible with the Obelysk VM31 relayer (Rust: x25519-dalek + aes-gcm + hkdf)
+ *
+ * Uses Web Crypto API (works in Node 20+ and all modern browsers).
+ */
+interface ECIESEnvelope {
+    ephemeral_pubkey: string;
+    ciphertext: string;
+    nonce: string;
+    version: number;
+}
+/**
+ * Encrypt a JSON payload for the VM31 relayer using ECIES.
+ *
+ * @param payload - The SubmitRequest object to encrypt
+ * @param relayerPubkeyHex - The relayer's X25519 public key (hex, 64 chars)
+ * @returns ECIES envelope ready to POST to /submit
+ */
+declare function eciesEncrypt(payload: unknown, relayerPubkeyHex: string): Promise<ECIESEnvelope>;
+
+/**
+ * VM31 Deposit Denomination Whitelists
+ *
+ * Privacy gap #7 mitigation: deposits must use standard denominations
+ * to prevent exact-amount correlation attacks.
+ *
+ * Only deposits are restricted — withdrawals and transfers are unrestricted.
+ */
+/** wBTC denominations (8 decimals) */
+declare const WBTC_DENOMINATIONS: readonly bigint[];
+/** SAGE denominations (18 decimals) */
+declare const SAGE_DENOMINATIONS: readonly bigint[];
+/** ETH denominations (18 decimals) */
+declare const ETH_DENOMINATIONS: readonly bigint[];
+/** STRK denominations (18 decimals) */
+declare const STRK_DENOMINATIONS: readonly bigint[];
+/** USDC denominations (6 decimals) */
+declare const USDC_DENOMINATIONS: readonly bigint[];
+/** All denomination lists by VM31 asset ID */
+declare const VM31_DENOMINATIONS: Record<number, readonly bigint[]>;
+/** Denomination lists by token symbol */
+declare const DENOMINATION_BY_SYMBOL: Record<string, readonly bigint[]>;
+/**
+ * Validate that a deposit amount is a standard denomination.
+ * Throws if the amount is not in the whitelist.
+ * Unknown assets pass through (forward-compatible).
+ *
+ * @param amount - Amount in base units (e.g., wei, satoshis)
+ * @param assetIdOrSymbol - VM31 asset ID (0-4) or token symbol
+ */
+declare function validateDenomination(amount: bigint, assetIdOrSymbol: number | string): void;
+/**
+ * Split an amount into the fewest standard denominations (greedy, largest first).
+ * Useful for automatically batching a deposit into multiple denomination-safe transactions.
+ *
+ * @returns denominations array and any remainder that can't be represented
+ */
+declare function splitIntoDenominations(amount: bigint, assetIdOrSymbol: number | string): {
+    denominations: bigint[];
+    remainder: bigint;
+};
+/**
+ * Get valid denominations for an asset.
+ * Returns undefined for unknown assets.
+ */
+declare function getDenominations(assetIdOrSymbol: number | string): readonly bigint[] | undefined;
+
+export { type AssetPair, type BatchStatus, type BridgeConfig, type ClaimFillParams, type ClaimParams, type CommitOrderParams, ConfidentialTransferClient, DARKPOOL_ASSET_IDS, DENOMINATION_BY_SYMBOL, DarkPoolClient, type DarkPoolDepositParams, type DarkPoolOrderData, type DepositParams, type DepositResult, type ECIESEnvelope, ECPoint, ETH_DENOMINATIONS, type EpochInfo, type FundParams, type GpuTier, MAINNET_PRIVACY_POOLS, MAINNET_TOKENS, type OTCOrder, OTCOrderbookClient, type OTCTrade, ObelyskClient, type ObelyskConfig, type ObelyskNetwork, ObelyskPrivacy, OrderSide, OrderStatus, OrderType, type OrderbookConfig, type OrderbookDepth, type OrderbookDepthLevel, type PackedDigest, type PlaceLimitOrderParams, type PlaceMarketOrderParams, type PrivacyNote, PrivacyPoolClient, PrivacyRouterClient, type PrivateAccount, ProverStakingClient, type RelayerInfo, type RevealOrderParams, SAGE_DENOMINATIONS, STRK_DENOMINATIONS, ShieldedSwapClient, type ShieldedSwapParams, type StakingConfig, type Stats24h, type StealthAnnouncement, StealthClient, type StealthMetaAddress, type StealthSendParams, type StealthSpendingProof, TOKEN_DECIMALS, type TradingPair, type TransferParams, USDC_DENOMINATIONS, type VM31AssetId, VM31BridgeClient, VM31VaultClient, VM31_ASSET_IDS, VM31_DENOMINATIONS, type VaultBatchInfo, type VaultDepositParams, type VaultMerklePath, type VaultNote, type VaultSubmitResult, type VaultTransferParams, type VaultWithdrawParams, WBTC_DENOMINATIONS, type WithdrawCTParams, type WithdrawParams, type WithdrawResult, type WorkerStake, commitmentToHash, createAEHint, createEncryptionProof, deriveNullifier, ecAdd, ecMul, eciesEncrypt, elgamalEncrypt, formatAmount, getContracts, getDenominations, getRpcUrl, mod, modInverse, parseAmount, pedersenCommit, randomScalar, splitIntoDenominations, validateDenomination };

package/dist/obelysk/index.d.ts

@@ -924,7 +924,14 @@ declare class VM31VaultClient {
     private get contractAddress();
     private get relayerUrl();
     private get relayerApiKey();
+    /** Cached relayer X25519 public key (fetched on first encrypted submit) */
+    private _relayerPubkey;
     private relayerFetch;
+    /**
+     * Submit a payload to the relayer, encrypted with ECIES.
+     * Falls back to plaintext if `encrypt: false` is passed.
+     */
+    private relayerSubmit;
     /** Get the current Merkle root of the VM31 commitment tree */
     getMerkleRoot(): Promise<PackedDigest>;
     /** Get the number of leaves in the commitment tree */
@@ -969,12 +976,24 @@ declare class VM31VaultClient {
         version: number;
         algorithm: string;
     }>;
-    /** Submit a deposit transaction to the relayer */
-    submitDeposit(params: VaultDepositParams): Promise<VaultSubmitResult>;
-    /** Submit a withdrawal transaction to the relayer */
-    submitWithdraw(params: VaultWithdrawParams): Promise<VaultSubmitResult>;
-    /** Submit a private transfer transaction to the relayer */
-    submitTransfer(params: VaultTransferParams): Promise<VaultSubmitResult>;
+    /**
+     * Submit a deposit transaction to the relayer.
+     * Validates denomination (privacy gap #7) and encrypts with ECIES by default.
+     * @param encrypt - Set to false for legacy plaintext mode (default: true)
+     */
+    submitDeposit(params: VaultDepositParams, encrypt?: boolean): Promise<VaultSubmitResult>;
+    /**
+     * Submit a withdrawal transaction to the relayer.
+     * Withdrawals are not denomination-restricted.
+     * @param encrypt - Set to false for legacy plaintext mode (default: true)
+     */
+    submitWithdraw(params: VaultWithdrawParams, encrypt?: boolean): Promise<VaultSubmitResult>;
+    /**
+     * Submit a private transfer transaction to the relayer.
+     * Transfers are not denomination-restricted.
+     * @param encrypt - Set to false for legacy plaintext mode (default: true)
+     */
+    submitTransfer(params: VaultTransferParams, encrypt?: boolean): Promise<VaultSubmitResult>;
     /** Query batch info from the relayer */
     queryBatch(batchId: string): Promise<VaultBatchInfo>;
     /** Fetch Merkle path for a commitment from the relayer */
@@ -1342,4 +1361,74 @@ declare class ObelyskClient {
     requireAccount(): Account;
 }
 
-export { type AssetPair, type BatchStatus, type BridgeConfig, type ClaimFillParams, type ClaimParams, type CommitOrderParams, ConfidentialTransferClient, DARKPOOL_ASSET_IDS, DarkPoolClient, type DarkPoolDepositParams, type DarkPoolOrderData, type DepositParams, type DepositResult, ECPoint, type EpochInfo, type FundParams, type GpuTier, MAINNET_PRIVACY_POOLS, MAINNET_TOKENS, type OTCOrder, OTCOrderbookClient, type OTCTrade, ObelyskClient, type ObelyskConfig, type ObelyskNetwork, ObelyskPrivacy, OrderSide, OrderStatus, OrderType, type OrderbookConfig, type OrderbookDepth, type OrderbookDepthLevel, type PackedDigest, type PlaceLimitOrderParams, type PlaceMarketOrderParams, type PrivacyNote, PrivacyPoolClient, PrivacyRouterClient, type PrivateAccount, ProverStakingClient, type RelayerInfo, type RevealOrderParams, ShieldedSwapClient, type ShieldedSwapParams, type StakingConfig, type Stats24h, type StealthAnnouncement, StealthClient, type StealthMetaAddress, type StealthSendParams, type StealthSpendingProof, TOKEN_DECIMALS, type TradingPair, type TransferParams, type VM31AssetId, VM31BridgeClient, VM31VaultClient, VM31_ASSET_IDS, type VaultBatchInfo, type VaultDepositParams, type VaultMerklePath, type VaultNote, type VaultSubmitResult, type VaultTransferParams, type VaultWithdrawParams, type WithdrawCTParams, type WithdrawParams, type WithdrawResult, type WorkerStake, commitmentToHash, createAEHint, createEncryptionProof, deriveNullifier, ecAdd, ecMul, elgamalEncrypt, formatAmount, getContracts, getRpcUrl, mod, modInverse, parseAmount, pedersenCommit, randomScalar };
+/**
+ * ECIES Encryption for VM31 Relayer
+ *
+ * X25519 ECDH + HKDF-SHA256 + AES-256-GCM
+ * Compatible with the Obelysk VM31 relayer (Rust: x25519-dalek + aes-gcm + hkdf)
+ *
+ * Uses Web Crypto API (works in Node 20+ and all modern browsers).
+ */
+interface ECIESEnvelope {
+    ephemeral_pubkey: string;
+    ciphertext: string;
+    nonce: string;
+    version: number;
+}
+/**
+ * Encrypt a JSON payload for the VM31 relayer using ECIES.
+ *
+ * @param payload - The SubmitRequest object to encrypt
+ * @param relayerPubkeyHex - The relayer's X25519 public key (hex, 64 chars)
+ * @returns ECIES envelope ready to POST to /submit
+ */
+declare function eciesEncrypt(payload: unknown, relayerPubkeyHex: string): Promise<ECIESEnvelope>;
+
+/**
+ * VM31 Deposit Denomination Whitelists
+ *
+ * Privacy gap #7 mitigation: deposits must use standard denominations
+ * to prevent exact-amount correlation attacks.
+ *
+ * Only deposits are restricted — withdrawals and transfers are unrestricted.
+ */
+/** wBTC denominations (8 decimals) */
+declare const WBTC_DENOMINATIONS: readonly bigint[];
+/** SAGE denominations (18 decimals) */
+declare const SAGE_DENOMINATIONS: readonly bigint[];
+/** ETH denominations (18 decimals) */
+declare const ETH_DENOMINATIONS: readonly bigint[];
+/** STRK denominations (18 decimals) */
+declare const STRK_DENOMINATIONS: readonly bigint[];
+/** USDC denominations (6 decimals) */
+declare const USDC_DENOMINATIONS: readonly bigint[];
+/** All denomination lists by VM31 asset ID */
+declare const VM31_DENOMINATIONS: Record<number, readonly bigint[]>;
+/** Denomination lists by token symbol */
+declare const DENOMINATION_BY_SYMBOL: Record<string, readonly bigint[]>;
+/**
+ * Validate that a deposit amount is a standard denomination.
+ * Throws if the amount is not in the whitelist.
+ * Unknown assets pass through (forward-compatible).
+ *
+ * @param amount - Amount in base units (e.g., wei, satoshis)
+ * @param assetIdOrSymbol - VM31 asset ID (0-4) or token symbol
+ */
+declare function validateDenomination(amount: bigint, assetIdOrSymbol: number | string): void;
+/**
+ * Split an amount into the fewest standard denominations (greedy, largest first).
+ * Useful for automatically batching a deposit into multiple denomination-safe transactions.
+ *
+ * @returns denominations array and any remainder that can't be represented
+ */
+declare function splitIntoDenominations(amount: bigint, assetIdOrSymbol: number | string): {
+    denominations: bigint[];
+    remainder: bigint;
+};
+/**
+ * Get valid denominations for an asset.
+ * Returns undefined for unknown assets.
+ */
+declare function getDenominations(assetIdOrSymbol: number | string): readonly bigint[] | undefined;
+
+export { type AssetPair, type BatchStatus, type BridgeConfig, type ClaimFillParams, type ClaimParams, type CommitOrderParams, ConfidentialTransferClient, DARKPOOL_ASSET_IDS, DENOMINATION_BY_SYMBOL, DarkPoolClient, type DarkPoolDepositParams, type DarkPoolOrderData, type DepositParams, type DepositResult, type ECIESEnvelope, ECPoint, ETH_DENOMINATIONS, type EpochInfo, type FundParams, type GpuTier, MAINNET_PRIVACY_POOLS, MAINNET_TOKENS, type OTCOrder, OTCOrderbookClient, type OTCTrade, ObelyskClient, type ObelyskConfig, type ObelyskNetwork, ObelyskPrivacy, OrderSide, OrderStatus, OrderType, type OrderbookConfig, type OrderbookDepth, type OrderbookDepthLevel, type PackedDigest, type PlaceLimitOrderParams, type PlaceMarketOrderParams, type PrivacyNote, PrivacyPoolClient, PrivacyRouterClient, type PrivateAccount, ProverStakingClient, type RelayerInfo, type RevealOrderParams, SAGE_DENOMINATIONS, STRK_DENOMINATIONS, ShieldedSwapClient, type ShieldedSwapParams, type StakingConfig, type Stats24h, type StealthAnnouncement, StealthClient, type StealthMetaAddress, type StealthSendParams, type StealthSpendingProof, TOKEN_DECIMALS, type TradingPair, type TransferParams, USDC_DENOMINATIONS, type VM31AssetId, VM31BridgeClient, VM31VaultClient, VM31_ASSET_IDS, VM31_DENOMINATIONS, type VaultBatchInfo, type VaultDepositParams, type VaultMerklePath, type VaultNote, type VaultSubmitResult, type VaultTransferParams, type VaultWithdrawParams, WBTC_DENOMINATIONS, type WithdrawCTParams, type WithdrawParams, type WithdrawResult, type WorkerStake, commitmentToHash, createAEHint, createEncryptionProof, deriveNullifier, ecAdd, ecMul, eciesEncrypt, elgamalEncrypt, formatAmount, getContracts, getDenominations, getRpcUrl, mod, modInverse, parseAmount, pedersenCommit, randomScalar, splitIntoDenominations, validateDenomination };

package/dist/obelysk/index.js

@@ -23,7 +23,9 @@ __export(obelysk_exports, {
   CURVE_ORDER: () => CURVE_ORDER,
   ConfidentialTransferClient: () => ConfidentialTransferClient,
   DARKPOOL_ASSET_IDS: () => DARKPOOL_ASSET_IDS,
+  DENOMINATION_BY_SYMBOL: () => DENOMINATION_BY_SYMBOL,
   DarkPoolClient: () => DarkPoolClient,
+  ETH_DENOMINATIONS: () => ETH_DENOMINATIONS,
   FIELD_PRIME: () => FIELD_PRIME,
   GENERATOR_G: () => GENERATOR_G,
   GENERATOR_H: () => GENERATOR_H,
@@ -38,27 +40,36 @@ __export(obelysk_exports, {
   PrivacyPoolClient: () => PrivacyPoolClient,
   PrivacyRouterClient: () => PrivacyRouterClient,
   ProverStakingClient: () => ProverStakingClient,
+  SAGE_DENOMINATIONS: () => SAGE_DENOMINATIONS,
+  STRK_DENOMINATIONS: () => STRK_DENOMINATIONS,
   ShieldedSwapClient: () => ShieldedSwapClient,
   StealthClient: () => StealthClient,
   TOKEN_DECIMALS: () => TOKEN_DECIMALS,
+  USDC_DENOMINATIONS: () => USDC_DENOMINATIONS,
   VM31BridgeClient: () => VM31BridgeClient,
   VM31VaultClient: () => VM31VaultClient,
   VM31_ASSET_IDS: () => VM31_ASSET_IDS,
+  VM31_DENOMINATIONS: () => VM31_DENOMINATIONS,
+  WBTC_DENOMINATIONS: () => WBTC_DENOMINATIONS,
   commitmentToHash: () => commitmentToHash,
   createAEHint: () => createAEHint,
   createEncryptionProof: () => createEncryptionProof,
   deriveNullifier: () => deriveNullifier,
   ecAdd: () => ecAdd2,
   ecMul: () => ecMul2,
+  eciesEncrypt: () => eciesEncrypt,
   elgamalEncrypt: () => elgamalEncrypt,
   formatAmount: () => formatAmount,
   getContracts: () => getContracts,
+  getDenominations: () => getDenominations,
   getRpcUrl: () => getRpcUrl,
   mod: () => mod,
   modInverse: () => modInverse,
   parseAmount: () => parseAmount,
   pedersenCommit: () => pedersenCommit,
-  randomScalar: () => randomScalar2
+  randomScalar: () => randomScalar2,
+  splitIntoDenominations: () => splitIntoDenominations,
+  validateDenomination: () => validateDenomination
 });
 module.exports = __toCommonJS(obelysk_exports);
 
@@ -2104,6 +2115,225 @@ var ShieldedSwapClient = class {
   }
 };
 
+// src/obelysk/ecies.ts
+var HKDF_INFO = "obelysk-ecies-v1";
+var ECIES_VERSION = 1;
+async function eciesEncrypt(payload, relayerPubkeyHex) {
+  const subtle = getCrypto();
+  const relayerPubkeyBytes = hexToBytes(relayerPubkeyHex);
+  if (relayerPubkeyBytes.length !== 32) {
+    throw new Error(`Invalid relayer public key length: ${relayerPubkeyBytes.length} (expected 32)`);
+  }
+  const relayerPubkey = await subtle.importKey(
+    "raw",
+    relayerPubkeyBytes.buffer,
+    { name: "X25519" },
+    false,
+    []
+  );
+  const ephemeralKeyPair = await subtle.generateKey(
+    { name: "X25519" },
+    true,
+    ["deriveBits"]
+  );
+  const sharedBits = await subtle.deriveBits(
+    { name: "X25519", public: relayerPubkey },
+    ephemeralKeyPair.privateKey,
+    256
+  );
+  const sharedKey = await subtle.importKey(
+    "raw",
+    sharedBits,
+    { name: "HKDF" },
+    false,
+    ["deriveKey"]
+  );
+  const aesKey = await subtle.deriveKey(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: new ArrayBuffer(0),
+      info: new TextEncoder().encode(HKDF_INFO)
+    },
+    sharedKey,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt"]
+  );
+  const nonce = getRandomBytes(12);
+  const plaintext = new TextEncoder().encode(JSON.stringify(payload));
+  const ciphertext = await subtle.encrypt(
+    { name: "AES-GCM", iv: nonce },
+    aesKey,
+    plaintext
+  );
+  const ephPubRaw = await subtle.exportKey("raw", ephemeralKeyPair.publicKey);
+  return {
+    ephemeral_pubkey: bytesToHex(new Uint8Array(ephPubRaw)),
+    ciphertext: bytesToBase64(new Uint8Array(ciphertext)),
+    nonce: bytesToHex(nonce),
+    version: ECIES_VERSION
+  };
+}
+function getCrypto() {
+  if (typeof globalThis.crypto?.subtle !== "undefined") {
+    return globalThis.crypto.subtle;
+  }
+  try {
+    const { webcrypto } = require("crypto");
+    return webcrypto.subtle;
+  } catch {
+    throw new Error("ECIES requires Web Crypto API (Node 20+ or a modern browser)");
+  }
+}
+function getRandomBytes(n) {
+  if (typeof globalThis.crypto?.getRandomValues !== "undefined") {
+    return globalThis.crypto.getRandomValues(new Uint8Array(n));
+  }
+  const { randomBytes: randomBytes2 } = require("crypto");
+  return new Uint8Array(randomBytes2(n));
+}
+function hexToBytes(hex) {
+  const clean = hex.startsWith("0x") ? hex.slice(2) : hex;
+  const bytes = new Uint8Array(clean.length / 2);
+  for (let i = 0; i < bytes.length; i++) {
+    bytes[i] = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes;
+}
+function bytesToHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function bytesToBase64(bytes) {
+  if (typeof btoa === "function") {
+    return btoa(String.fromCharCode(...bytes));
+  }
+  return Buffer.from(bytes).toString("base64");
+}
+
+// src/obelysk/denominations.ts
+var WBTC_DENOMINATIONS = [
+  50000n,
+  // 0.0005 BTC
+  100000n,
+  // 0.001 BTC
+  500000n,
+  // 0.005 BTC
+  1000000n,
+  // 0.01 BTC
+  5000000n,
+  // 0.05 BTC
+  10000000n
+  // 0.1 BTC
+];
+var SAGE_DENOMINATIONS = [
+  10000000000000000n,
+  // 0.01 SAGE
+  50000000000000000n,
+  // 0.05 SAGE
+  100000000000000000n,
+  // 0.1 SAGE
+  500000000000000000n,
+  // 0.5 SAGE
+  1000000000000000000n,
+  // 1 SAGE
+  5000000000000000000n
+  // 5 SAGE
+];
+var ETH_DENOMINATIONS = [
+  1000000000000000n,
+  // 0.001 ETH
+  5000000000000000n,
+  // 0.005 ETH
+  10000000000000000n,
+  // 0.01 ETH
+  50000000000000000n,
+  // 0.05 ETH
+  100000000000000000n,
+  // 0.1 ETH
+  500000000000000000n
+  // 0.5 ETH
+];
+var STRK_DENOMINATIONS = [
+  50000000000000000n,
+  // 0.05 STRK
+  100000000000000000n,
+  // 0.1 STRK
+  500000000000000000n,
+  // 0.5 STRK
+  1000000000000000000n,
+  // 1 STRK
+  5000000000000000000n
+  // 5 STRK
+];
+var USDC_DENOMINATIONS = [
+  1000000n,
+  // 1 USDC
+  5000000n,
+  // 5 USDC
+  10000000n,
+  // 10 USDC
+  50000000n,
+  // 50 USDC
+  100000000n,
+  // 100 USDC
+  500000000n
+  // 500 USDC
+];
+var VM31_DENOMINATIONS = {
+  0: WBTC_DENOMINATIONS,
+  1: SAGE_DENOMINATIONS,
+  2: ETH_DENOMINATIONS,
+  3: STRK_DENOMINATIONS,
+  4: USDC_DENOMINATIONS
+};
+var DENOMINATION_BY_SYMBOL = {
+  wbtc: WBTC_DENOMINATIONS,
+  sage: SAGE_DENOMINATIONS,
+  eth: ETH_DENOMINATIONS,
+  strk: STRK_DENOMINATIONS,
+  usdc: USDC_DENOMINATIONS
+};
+function validateDenomination(amount, assetIdOrSymbol) {
+  let denoms;
+  if (typeof assetIdOrSymbol === "number") {
+    denoms = VM31_DENOMINATIONS[assetIdOrSymbol];
+  } else {
+    denoms = DENOMINATION_BY_SYMBOL[assetIdOrSymbol.toLowerCase()];
+  }
+  if (!denoms) return;
+  if (!denoms.includes(amount)) {
+    throw new Error(
+      `Deposit must use a standard denomination for asset ${assetIdOrSymbol}. Got ${amount}. Valid: [${denoms.join(", ")}]`
+    );
+  }
+}
+function splitIntoDenominations(amount, assetIdOrSymbol) {
+  let denoms;
+  if (typeof assetIdOrSymbol === "number") {
+    denoms = VM31_DENOMINATIONS[assetIdOrSymbol];
+  } else {
+    denoms = DENOMINATION_BY_SYMBOL[assetIdOrSymbol.toLowerCase()];
+  }
+  if (!denoms) return { denominations: [amount], remainder: 0n };
+  const sorted = [...denoms].sort((a, b) => b > a ? 1 : b < a ? -1 : 0);
+  const result = [];
+  let remaining = amount;
+  for (const denom of sorted) {
+    while (remaining >= denom) {
+      result.push(denom);
+      remaining -= denom;
+    }
+  }
+  return { denominations: result, remainder: remaining };
+}
+function getDenominations(assetIdOrSymbol) {
+  if (typeof assetIdOrSymbol === "number") {
+    return VM31_DENOMINATIONS[assetIdOrSymbol];
+  }
+  return DENOMINATION_BY_SYMBOL[assetIdOrSymbol.toLowerCase()];
+}
+
 // src/obelysk/vm31Vault.ts
 var VM31VaultClient = class {
   constructor(obelysk) {
@@ -2118,6 +2348,8 @@ var VM31VaultClient = class {
   get relayerApiKey() {
     return this.obelysk.relayerApiKey;
   }
+  /** Cached relayer X25519 public key (fetched on first encrypted submit) */
+  _relayerPubkey = null;
   async relayerFetch(path, init) {
     const url = `${this.relayerUrl}${path}`;
     const headers = { "Content-Type": "application/json" };
@@ -2129,6 +2361,27 @@ var VM31VaultClient = class {
     }
     return res.json();
   }
+  /**
+   * Submit a payload to the relayer, encrypted with ECIES.
+   * Falls back to plaintext if `encrypt: false` is passed.
+   */
+  async relayerSubmit(payload, encrypt = true) {
+    if (!encrypt) {
+      return this.relayerFetch("/submit", {
+        method: "POST",
+        body: JSON.stringify(payload)
+      });
+    }
+    if (!this._relayerPubkey) {
+      const keyInfo = await this.getRelayerPublicKey();
+      this._relayerPubkey = keyInfo.publicKey;
+    }
+    const envelope = await eciesEncrypt(payload, this._relayerPubkey);
+    return this.relayerFetch("/submit", {
+      method: "POST",
+      body: JSON.stringify(envelope)
+    });
+  }
   // --------------------------------------------------------------------------
   // On-chain reads (callContract to vm31_pool)
   // --------------------------------------------------------------------------
@@ -2292,61 +2545,65 @@ var VM31VaultClient = class {
       algorithm: data.algorithm
     };
   }
-  /** Submit a deposit transaction to the relayer */
-  async submitDeposit(params) {
-    return this.relayerFetch("/submit", {
-      method: "POST",
-      body: JSON.stringify({
-        type: "deposit",
-        amount: Number(params.amount),
-        asset_id: params.assetId,
-        recipient_pubkey: params.recipientPubkey,
-        recipient_viewing_key: params.recipientViewingKey
-      })
-    });
-  }
-  /** Submit a withdrawal transaction to the relayer */
-  async submitWithdraw(params) {
-    return this.relayerFetch("/submit", {
-      method: "POST",
-      body: JSON.stringify({
-        type: "withdraw",
-        amount: Number(params.amount),
-        asset_id: params.assetId,
-        note: {
-          owner_pubkey: params.note.owner_pubkey,
-          asset_id: params.note.asset_id,
-          amount_lo: params.note.amount_lo,
-          amount_hi: params.note.amount_hi,
-          blinding: params.note.blinding
-        },
-        spending_key: params.spendingKey,
-        merkle_path: params.merklePath,
-        merkle_root: params.merkleRoot,
-        withdrawal_binding: params.withdrawalBinding,
-        binding_salt: params.bindingSalt
-      })
-    });
-  }
-  /** Submit a private transfer transaction to the relayer */
-  async submitTransfer(params) {
-    return this.relayerFetch("/submit", {
-      method: "POST",
-      body: JSON.stringify({
-        type: "transfer",
-        amount: Number(params.amount),
-        asset_id: params.assetId,
-        recipient_pubkey: params.recipientPubkey,
-        recipient_viewing_key: params.recipientViewingKey,
-        sender_viewing_key: params.senderViewingKey,
-        input_notes: params.inputNotes.map((n) => ({
-          note: n.note,
-          spending_key: n.spendingKey,
-          merkle_path: n.merklePath
-        })),
-        merkle_root: params.merkleRoot
-      })
-    });
+  /**
+   * Submit a deposit transaction to the relayer.
+   * Validates denomination (privacy gap #7) and encrypts with ECIES by default.
+   * @param encrypt - Set to false for legacy plaintext mode (default: true)
+   */
+  async submitDeposit(params, encrypt = true) {
+    validateDenomination(params.amount, params.assetId);
+    return this.relayerSubmit({
+      type: "deposit",
+      amount: Number(params.amount),
+      asset_id: params.assetId,
+      recipient_pubkey: params.recipientPubkey,
+      recipient_viewing_key: params.recipientViewingKey
+    }, encrypt);
+  }
+  /**
+   * Submit a withdrawal transaction to the relayer.
+   * Withdrawals are not denomination-restricted.
+   * @param encrypt - Set to false for legacy plaintext mode (default: true)
+   */
+  async submitWithdraw(params, encrypt = true) {
+    return this.relayerSubmit({
+      type: "withdraw",
+      amount: Number(params.amount),
+      asset_id: params.assetId,
+      note: {
+        owner_pubkey: params.note.owner_pubkey,
+        asset_id: params.note.asset_id,
+        amount_lo: params.note.amount_lo,
+        amount_hi: params.note.amount_hi,
+        blinding: params.note.blinding
+      },
+      spending_key: params.spendingKey,
+      merkle_path: params.merklePath,
+      merkle_root: params.merkleRoot,
+      withdrawal_binding: params.withdrawalBinding,
+      binding_salt: params.bindingSalt
+    }, encrypt);
+  }
+  /**
+   * Submit a private transfer transaction to the relayer.
+   * Transfers are not denomination-restricted.
+   * @param encrypt - Set to false for legacy plaintext mode (default: true)
+   */
+  async submitTransfer(params, encrypt = true) {
+    return this.relayerSubmit({
+      type: "transfer",
+      amount: Number(params.amount),
+      asset_id: params.assetId,
+      recipient_pubkey: params.recipientPubkey,
+      recipient_viewing_key: params.recipientViewingKey,
+      sender_viewing_key: params.senderViewingKey,
+      input_notes: params.inputNotes.map((n) => ({
+        note: n.note,
+        spending_key: n.spendingKey,
+        merkle_path: n.merklePath
+      })),
+      merkle_root: params.merkleRoot
+    }, encrypt);
   }
   /** Query batch info from the relayer */
   async queryBatch(batchId) {
@@ -3064,7 +3321,9 @@ var ObelyskClient = class {
   CURVE_ORDER,
   ConfidentialTransferClient,
   DARKPOOL_ASSET_IDS,
+  DENOMINATION_BY_SYMBOL,
   DarkPoolClient,
+  ETH_DENOMINATIONS,
   FIELD_PRIME,
   GENERATOR_G,
   GENERATOR_H,
@@ -3079,25 +3338,34 @@ var ObelyskClient = class {
   PrivacyPoolClient,
   PrivacyRouterClient,
   ProverStakingClient,
+  SAGE_DENOMINATIONS,
+  STRK_DENOMINATIONS,
   ShieldedSwapClient,
   StealthClient,
   TOKEN_DECIMALS,
+  USDC_DENOMINATIONS,
   VM31BridgeClient,
   VM31VaultClient,
   VM31_ASSET_IDS,
+  VM31_DENOMINATIONS,
+  WBTC_DENOMINATIONS,
   commitmentToHash,
   createAEHint,
   createEncryptionProof,
   deriveNullifier,
   ecAdd,
   ecMul,
+  eciesEncrypt,
   elgamalEncrypt,
   formatAmount,
   getContracts,
+  getDenominations,
   getRpcUrl,
   mod,
   modInverse,
   parseAmount,
   pedersenCommit,
-  randomScalar
+  randomScalar,
+  splitIntoDenominations,
+  validateDenomination
 });

package/dist/obelysk/index.mjs

@@ -4,11 +4,12 @@ import {
   GENERATOR_G,
   GENERATOR_H,
   ObelyskPrivacy,
+  __require,
   ecAdd,
   ecMul,
   invMod,
   randomScalar
-} from "../chunk-O2PF7VJA.mjs";
+} from "../chunk-CGPFHXUF.mjs";
 
 // src/obelysk/client.ts
 import { RpcProvider } from "starknet";
@@ -1788,6 +1789,225 @@ var ShieldedSwapClient = class {
   }
 };
 
+// src/obelysk/ecies.ts
+var HKDF_INFO = "obelysk-ecies-v1";
+var ECIES_VERSION = 1;
+async function eciesEncrypt(payload, relayerPubkeyHex) {
+  const subtle = getCrypto();
+  const relayerPubkeyBytes = hexToBytes(relayerPubkeyHex);
+  if (relayerPubkeyBytes.length !== 32) {
+    throw new Error(`Invalid relayer public key length: ${relayerPubkeyBytes.length} (expected 32)`);
+  }
+  const relayerPubkey = await subtle.importKey(
+    "raw",
+    relayerPubkeyBytes.buffer,
+    { name: "X25519" },
+    false,
+    []
+  );
+  const ephemeralKeyPair = await subtle.generateKey(
+    { name: "X25519" },
+    true,
+    ["deriveBits"]
+  );
+  const sharedBits = await subtle.deriveBits(
+    { name: "X25519", public: relayerPubkey },
+    ephemeralKeyPair.privateKey,
+    256
+  );
+  const sharedKey = await subtle.importKey(
+    "raw",
+    sharedBits,
+    { name: "HKDF" },
+    false,
+    ["deriveKey"]
+  );
+  const aesKey = await subtle.deriveKey(
+    {
+      name: "HKDF",
+      hash: "SHA-256",
+      salt: new ArrayBuffer(0),
+      info: new TextEncoder().encode(HKDF_INFO)
+    },
+    sharedKey,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt"]
+  );
+  const nonce = getRandomBytes(12);
+  const plaintext = new TextEncoder().encode(JSON.stringify(payload));
+  const ciphertext = await subtle.encrypt(
+    { name: "AES-GCM", iv: nonce },
+    aesKey,
+    plaintext
+  );
+  const ephPubRaw = await subtle.exportKey("raw", ephemeralKeyPair.publicKey);
+  return {
+    ephemeral_pubkey: bytesToHex(new Uint8Array(ephPubRaw)),
+    ciphertext: bytesToBase64(new Uint8Array(ciphertext)),
+    nonce: bytesToHex(nonce),
+    version: ECIES_VERSION
+  };
+}
+function getCrypto() {
+  if (typeof globalThis.crypto?.subtle !== "undefined") {
+    return globalThis.crypto.subtle;
+  }
+  try {
+    const { webcrypto } = __require("crypto");
+    return webcrypto.subtle;
+  } catch {
+    throw new Error("ECIES requires Web Crypto API (Node 20+ or a modern browser)");
+  }
+}
+function getRandomBytes(n) {
+  if (typeof globalThis.crypto?.getRandomValues !== "undefined") {
+    return globalThis.crypto.getRandomValues(new Uint8Array(n));
+  }
+  const { randomBytes } = __require("crypto");
+  return new Uint8Array(randomBytes(n));
+}
+function hexToBytes(hex) {
+  const clean = hex.startsWith("0x") ? hex.slice(2) : hex;
+  const bytes = new Uint8Array(clean.length / 2);
+  for (let i = 0; i < bytes.length; i++) {
+    bytes[i] = parseInt(clean.slice(i * 2, i * 2 + 2), 16);
+  }
+  return bytes;
+}
+function bytesToHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function bytesToBase64(bytes) {
+  if (typeof btoa === "function") {
+    return btoa(String.fromCharCode(...bytes));
+  }
+  return Buffer.from(bytes).toString("base64");
+}
+
+// src/obelysk/denominations.ts
+var WBTC_DENOMINATIONS = [
+  50000n,
+  // 0.0005 BTC
+  100000n,
+  // 0.001 BTC
+  500000n,
+  // 0.005 BTC
+  1000000n,
+  // 0.01 BTC
+  5000000n,
+  // 0.05 BTC
+  10000000n
+  // 0.1 BTC
+];
+var SAGE_DENOMINATIONS = [
+  10000000000000000n,
+  // 0.01 SAGE
+  50000000000000000n,
+  // 0.05 SAGE
+  100000000000000000n,
+  // 0.1 SAGE
+  500000000000000000n,
+  // 0.5 SAGE
+  1000000000000000000n,
+  // 1 SAGE
+  5000000000000000000n
+  // 5 SAGE
+];
+var ETH_DENOMINATIONS = [
+  1000000000000000n,
+  // 0.001 ETH
+  5000000000000000n,
+  // 0.005 ETH
+  10000000000000000n,
+  // 0.01 ETH
+  50000000000000000n,
+  // 0.05 ETH
+  100000000000000000n,
+  // 0.1 ETH
+  500000000000000000n
+  // 0.5 ETH
+];
+var STRK_DENOMINATIONS = [
+  50000000000000000n,
+  // 0.05 STRK
+  100000000000000000n,
+  // 0.1 STRK
+  500000000000000000n,
+  // 0.5 STRK
+  1000000000000000000n,
+  // 1 STRK
+  5000000000000000000n
+  // 5 STRK
+];
+var USDC_DENOMINATIONS = [
+  1000000n,
+  // 1 USDC
+  5000000n,
+  // 5 USDC
+  10000000n,
+  // 10 USDC
+  50000000n,
+  // 50 USDC
+  100000000n,
+  // 100 USDC
+  500000000n
+  // 500 USDC
+];
+var VM31_DENOMINATIONS = {
+  0: WBTC_DENOMINATIONS,
+  1: SAGE_DENOMINATIONS,
+  2: ETH_DENOMINATIONS,
+  3: STRK_DENOMINATIONS,
+  4: USDC_DENOMINATIONS
+};
+var DENOMINATION_BY_SYMBOL = {
+  wbtc: WBTC_DENOMINATIONS,
+  sage: SAGE_DENOMINATIONS,
+  eth: ETH_DENOMINATIONS,
+  strk: STRK_DENOMINATIONS,
+  usdc: USDC_DENOMINATIONS
+};
+function validateDenomination(amount, assetIdOrSymbol) {
+  let denoms;
+  if (typeof assetIdOrSymbol === "number") {
+    denoms = VM31_DENOMINATIONS[assetIdOrSymbol];
+  } else {
+    denoms = DENOMINATION_BY_SYMBOL[assetIdOrSymbol.toLowerCase()];
+  }
+  if (!denoms) return;
+  if (!denoms.includes(amount)) {
+    throw new Error(
+      `Deposit must use a standard denomination for asset ${assetIdOrSymbol}. Got ${amount}. Valid: [${denoms.join(", ")}]`
+    );
+  }
+}
+function splitIntoDenominations(amount, assetIdOrSymbol) {
+  let denoms;
+  if (typeof assetIdOrSymbol === "number") {
+    denoms = VM31_DENOMINATIONS[assetIdOrSymbol];
+  } else {
+    denoms = DENOMINATION_BY_SYMBOL[assetIdOrSymbol.toLowerCase()];
+  }
+  if (!denoms) return { denominations: [amount], remainder: 0n };
+  const sorted = [...denoms].sort((a, b) => b > a ? 1 : b < a ? -1 : 0);
+  const result = [];
+  let remaining = amount;
+  for (const denom of sorted) {
+    while (remaining >= denom) {
+      result.push(denom);
+      remaining -= denom;
+    }
+  }
+  return { denominations: result, remainder: remaining };
+}
+function getDenominations(assetIdOrSymbol) {
+  if (typeof assetIdOrSymbol === "number") {
+    return VM31_DENOMINATIONS[assetIdOrSymbol];
+  }
+  return DENOMINATION_BY_SYMBOL[assetIdOrSymbol.toLowerCase()];
+}
+
 // src/obelysk/vm31Vault.ts
 var VM31VaultClient = class {
   constructor(obelysk) {
@@ -1802,6 +2022,8 @@ var VM31VaultClient = class {
   get relayerApiKey() {
     return this.obelysk.relayerApiKey;
   }
+  /** Cached relayer X25519 public key (fetched on first encrypted submit) */
+  _relayerPubkey = null;
   async relayerFetch(path, init) {
     const url = `${this.relayerUrl}${path}`;
     const headers = { "Content-Type": "application/json" };
@@ -1813,6 +2035,27 @@ var VM31VaultClient = class {
     }
     return res.json();
   }
+  /**
+   * Submit a payload to the relayer, encrypted with ECIES.
+   * Falls back to plaintext if `encrypt: false` is passed.
+   */
+  async relayerSubmit(payload, encrypt = true) {
+    if (!encrypt) {
+      return this.relayerFetch("/submit", {
+        method: "POST",
+        body: JSON.stringify(payload)
+      });
+    }
+    if (!this._relayerPubkey) {
+      const keyInfo = await this.getRelayerPublicKey();
+      this._relayerPubkey = keyInfo.publicKey;
+    }
+    const envelope = await eciesEncrypt(payload, this._relayerPubkey);
+    return this.relayerFetch("/submit", {
+      method: "POST",
+      body: JSON.stringify(envelope)
+    });
+  }
   // --------------------------------------------------------------------------
   // On-chain reads (callContract to vm31_pool)
   // --------------------------------------------------------------------------
@@ -1976,61 +2219,65 @@ var VM31VaultClient = class {
       algorithm: data.algorithm
     };
   }
-  /** Submit a deposit transaction to the relayer */
-  async submitDeposit(params) {
-    return this.relayerFetch("/submit", {
-      method: "POST",
-      body: JSON.stringify({
-        type: "deposit",
-        amount: Number(params.amount),
-        asset_id: params.assetId,
-        recipient_pubkey: params.recipientPubkey,
-        recipient_viewing_key: params.recipientViewingKey
-      })
-    });
+  /**
+   * Submit a deposit transaction to the relayer.
+   * Validates denomination (privacy gap #7) and encrypts with ECIES by default.
+   * @param encrypt - Set to false for legacy plaintext mode (default: true)
+   */
+  async submitDeposit(params, encrypt = true) {
+    validateDenomination(params.amount, params.assetId);
+    return this.relayerSubmit({
+      type: "deposit",
+      amount: Number(params.amount),
+      asset_id: params.assetId,
+      recipient_pubkey: params.recipientPubkey,
+      recipient_viewing_key: params.recipientViewingKey
+    }, encrypt);
   }
-  /** Submit a withdrawal transaction to the relayer */
-  async submitWithdraw(params) {
-    return this.relayerFetch("/submit", {
-      method: "POST",
-      body: JSON.stringify({
-        type: "withdraw",
-        amount: Number(params.amount),
-        asset_id: params.assetId,
-        note: {
-          owner_pubkey: params.note.owner_pubkey,
-          asset_id: params.note.asset_id,
-          amount_lo: params.note.amount_lo,
-          amount_hi: params.note.amount_hi,
-          blinding: params.note.blinding
-        },
-        spending_key: params.spendingKey,
-        merkle_path: params.merklePath,
-        merkle_root: params.merkleRoot,
-        withdrawal_binding: params.withdrawalBinding,
-        binding_salt: params.bindingSalt
-      })
-    });
+  /**
+   * Submit a withdrawal transaction to the relayer.
+   * Withdrawals are not denomination-restricted.
+   * @param encrypt - Set to false for legacy plaintext mode (default: true)
+   */
+  async submitWithdraw(params, encrypt = true) {
+    return this.relayerSubmit({
+      type: "withdraw",
+      amount: Number(params.amount),
+      asset_id: params.assetId,
+      note: {
+        owner_pubkey: params.note.owner_pubkey,
+        asset_id: params.note.asset_id,
+        amount_lo: params.note.amount_lo,
+        amount_hi: params.note.amount_hi,
+        blinding: params.note.blinding
+      },
+      spending_key: params.spendingKey,
+      merkle_path: params.merklePath,
+      merkle_root: params.merkleRoot,
+      withdrawal_binding: params.withdrawalBinding,
+      binding_salt: params.bindingSalt
+    }, encrypt);
   }
-  /** Submit a private transfer transaction to the relayer */
-  async submitTransfer(params) {
-    return this.relayerFetch("/submit", {
-      method: "POST",
-      body: JSON.stringify({
-        type: "transfer",
-        amount: Number(params.amount),
-        asset_id: params.assetId,
-        recipient_pubkey: params.recipientPubkey,
-        recipient_viewing_key: params.recipientViewingKey,
-        sender_viewing_key: params.senderViewingKey,
-        input_notes: params.inputNotes.map((n) => ({
-          note: n.note,
-          spending_key: n.spendingKey,
-          merkle_path: n.merklePath
-        })),
-        merkle_root: params.merkleRoot
-      })
-    });
+  /**
+   * Submit a private transfer transaction to the relayer.
+   * Transfers are not denomination-restricted.
+   * @param encrypt - Set to false for legacy plaintext mode (default: true)
+   */
+  async submitTransfer(params, encrypt = true) {
+    return this.relayerSubmit({
+      type: "transfer",
+      amount: Number(params.amount),
+      asset_id: params.assetId,
+      recipient_pubkey: params.recipientPubkey,
+      recipient_viewing_key: params.recipientViewingKey,
+      sender_viewing_key: params.senderViewingKey,
+      input_notes: params.inputNotes.map((n) => ({
+        note: n.note,
+        spending_key: n.spendingKey,
+        merkle_path: n.merklePath
+      })),
+      merkle_root: params.merkleRoot
+    }, encrypt);
   }
   /** Query batch info from the relayer */
   async queryBatch(batchId) {
@@ -2747,7 +2994,9 @@ export {
   CURVE_ORDER,
   ConfidentialTransferClient,
   DARKPOOL_ASSET_IDS,
+  DENOMINATION_BY_SYMBOL,
   DarkPoolClient,
+  ETH_DENOMINATIONS,
   FIELD_PRIME,
   GENERATOR_G,
   GENERATOR_H,
@@ -2762,25 +3011,34 @@ export {
   PrivacyPoolClient,
   PrivacyRouterClient,
   ProverStakingClient,
+  SAGE_DENOMINATIONS,
+  STRK_DENOMINATIONS,
   ShieldedSwapClient,
   StealthClient,
   TOKEN_DECIMALS,
+  USDC_DENOMINATIONS,
   VM31BridgeClient,
   VM31VaultClient,
   VM31_ASSET_IDS,
+  VM31_DENOMINATIONS,
+  WBTC_DENOMINATIONS,
   commitmentToHash,
   createAEHint,
   createEncryptionProof,
   deriveNullifier,
   ecAdd2 as ecAdd,
   ecMul2 as ecMul,
+  eciesEncrypt,
   elgamalEncrypt,
   formatAmount,
   getContracts,
+  getDenominations,
   getRpcUrl,
   mod,
   modInverse,
   parseAmount,
   pedersenCommit,
-  randomScalar2 as randomScalar
+  randomScalar2 as randomScalar,
+  splitIntoDenominations,
+  validateDenomination
 };

package/dist/privacy/index.mjs

@@ -19,7 +19,7 @@ import {
   randomBytes,
   randomScalar,
   subMod
-} from "../chunk-O2PF7VJA.mjs";
+} from "../chunk-CGPFHXUF.mjs";
 export {
   AssetId,
   CURVE_ORDER,

package/dist/react/index.mjs

@@ -16,7 +16,7 @@ import {
   WorkersClient,
   getContractsForNetwork
 } from "../chunk-LXJT3QK6.mjs";
-import "../chunk-O2PF7VJA.mjs";
+import "../chunk-CGPFHXUF.mjs";
 
 // src/react/providers/BitSageProvider.tsx
 import {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@obelyzk/sdk",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "BitSage Network SDK - Client library for distributed compute, privacy swaps, and Obelysk encryption",
   "main": "dist/index.js",
   "module": "dist/index.mjs",