@opendatalabs/vana-sdk 3.0.1 → 3.2.0-canary.0911ffc

package/dist/index.node.js

@@ -29015,7 +29015,7 @@ async function buildWeb3SignedHeader(params) {
 }
 
 // src/storage/providers/vana-storage.ts
-var DEFAULT_ENDPOINT = "https://storage.vana.com";
+var DEFAULT_ENDPOINT = "https://storage.vana.org";
 var BLOB_PATH_PREFIX = "/v1/blobs";
 var DEFAULT_TOKEN_TTL_SECONDS = 300;
 var VanaStorage = class {
@@ -32284,9 +32284,232 @@ var InMemoryTokenStore = class {
   }
 };
 
+// src/auth/oauth-client.ts
+var VERIFIER_TTL_SECONDS = 600;
+var RESERVED_AUTHORIZE_PARAMS = /* @__PURE__ */ new Set([
+  "response_type",
+  "client_id",
+  "redirect_uri",
+  "scope",
+  "state",
+  "code_challenge",
+  "code_challenge_method"
+]);
+var OAuthClient = class {
+  #config;
+  constructor(config) {
+    const fetchImpl = config.fetchImpl ?? globalThis.fetch;
+    if (typeof fetchImpl !== "function") {
+      throw new TypeError(
+        "OAuthClient requires a global `fetch` or an explicit `fetchImpl`"
+      );
+    }
+    this.#config = {
+      authorizationEndpoint: config.authorizationEndpoint,
+      tokenEndpoint: config.tokenEndpoint,
+      clientId: config.clientId,
+      redirectUri: config.redirectUri,
+      scope: config.scope,
+      tokenStore: config.tokenStore ?? new InMemoryTokenStore(),
+      fetchImpl,
+      generateState: config.generateState ?? defaultGenerateState
+    };
+  }
+  /** Build the authorize URL and persist the PKCE verifier keyed by `state`. */
+  async buildAuthorizationUrl(opts = {}) {
+    const state = opts.state ?? this.#config.generateState();
+    const scope = opts.scope ?? this.#config.scope;
+    const verifier = generatePkceVerifier();
+    const challenge = await computePkceChallenge(verifier);
+    await this.#config.tokenStore.set(this.#verifierKey(state), {
+      token: verifier,
+      expiresAt: Math.floor(Date.now() / 1e3) + VERIFIER_TTL_SECONDS
+    });
+    const params = new URLSearchParams();
+    params.set("response_type", "code");
+    params.set("client_id", this.#config.clientId);
+    params.set("redirect_uri", this.#config.redirectUri);
+    if (scope !== void 0 && scope.length > 0) {
+      params.set("scope", scope);
+    }
+    params.set("state", state);
+    params.set("code_challenge", challenge);
+    params.set("code_challenge_method", "S256");
+    if (opts.extraParams !== void 0) {
+      for (const k of Object.keys(opts.extraParams)) {
+        if (RESERVED_AUTHORIZE_PARAMS.has(k)) {
+          throw new Error(
+            `extraParams may not override the reserved OAuth/PKCE parameter "${k}"`
+          );
+        }
+      }
+      for (const [k, v] of Object.entries(opts.extraParams)) {
+        params.set(k, v);
+      }
+    }
+    const sep = this.#config.authorizationEndpoint.includes("?") ? "&" : "?";
+    const url = `${this.#config.authorizationEndpoint}${sep}${params.toString()}`;
+    return { url, state };
+  }
+  /**
+   * Handle the redirect-callback URL. Validates `state`, retrieves the saved
+   * verifier, exchanges the authorization code + verifier for tokens, and
+   * persists them. Returns the access {@link TokenRecord}.
+   */
+  async handleCallback(callbackUrl) {
+    const parsed = new URL(callbackUrl);
+    const params = parsed.searchParams;
+    const errorCode = params.get("error");
+    if (errorCode !== null) {
+      throw new Error(
+        formatOAuthError({
+          error: errorCode,
+          error_description: params.get("error_description") ?? void 0
+        })
+      );
+    }
+    const code = params.get("code");
+    const state = params.get("state");
+    if (code === null || state === null) {
+      throw new Error("OAuth callback is missing `code` or `state`");
+    }
+    const verifierRecord = await this.#config.tokenStore.get(
+      this.#verifierKey(state)
+    );
+    if (verifierRecord === null) {
+      throw new Error(
+        "OAuth callback state does not match any in-flight verifier (possible CSRF or expired flow)"
+      );
+    }
+    const body = new URLSearchParams();
+    body.set("grant_type", "authorization_code");
+    body.set("code", code);
+    body.set("redirect_uri", this.#config.redirectUri);
+    body.set("client_id", this.#config.clientId);
+    body.set("code_verifier", verifierRecord.token);
+    let tokens;
+    try {
+      tokens = await this.#tokenRequest(body);
+    } finally {
+      await this.#config.tokenStore.delete(this.#verifierKey(state));
+    }
+    return this.#persistTokens(tokens);
+  }
+  /**
+   * Exchange a stored refresh token for a fresh access token. Throws if no
+   * refresh token is available.
+   */
+  async refresh() {
+    const refreshRecord = await this.#config.tokenStore.get(this.#refreshKey());
+    if (refreshRecord === null) {
+      throw new Error("OAuth refresh failed: no refresh token stored");
+    }
+    const body = new URLSearchParams();
+    body.set("grant_type", "refresh_token");
+    body.set("refresh_token", refreshRecord.token);
+    body.set("client_id", this.#config.clientId);
+    const tokens = await this.#tokenRequest(body);
+    return this.#persistTokens(tokens, refreshRecord.token);
+  }
+  /**
+   * Get the current access token if valid (refreshing first if expired and a
+   * refresh token is available). Returns `null` when no usable token exists.
+   */
+  async getAccessToken() {
+    const stored = await this.#config.tokenStore.get(this.#accessKey());
+    if (stored !== null) return stored.token;
+    const refresh = await this.#config.tokenStore.get(this.#refreshKey());
+    if (refresh === null) return null;
+    try {
+      const refreshed = await this.refresh();
+      return refreshed.token;
+    } catch {
+      return null;
+    }
+  }
+  /** Forget tokens (logout). Does NOT call any remote revocation endpoint. */
+  async signOut() {
+    await this.#config.tokenStore.delete(this.#accessKey());
+    await this.#config.tokenStore.delete(this.#refreshKey());
+  }
+  #accessKey() {
+    return `oauth:tokens:${this.#config.clientId}`;
+  }
+  #refreshKey() {
+    return `oauth:refresh:${this.#config.clientId}`;
+  }
+  #verifierKey(state) {
+    return `oauth:verifier:${state}`;
+  }
+  async #tokenRequest(body) {
+    const response = await this.#config.fetchImpl(this.#config.tokenEndpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      },
+      body: body.toString()
+    });
+    const text = await response.text();
+    const parsed = parseJsonBody(text);
+    if (!response.ok) {
+      throw new Error(formatOAuthError(parsed ?? {}, response.status));
+    }
+    if (parsed === null || typeof parsed !== "object" || typeof parsed.access_token !== "string") {
+      throw new Error(
+        "OAuth token endpoint returned a response without an `access_token` string"
+      );
+    }
+    return parsed;
+  }
+  async #persistTokens(tokens, previousRefreshToken) {
+    const record = { token: tokens.access_token };
+    if (typeof tokens.expires_in === "number" && tokens.expires_in > 0) {
+      record.expiresAt = Math.floor(Date.now() / 1e3) + tokens.expires_in;
+    }
+    await this.#config.tokenStore.set(this.#accessKey(), record);
+    const newRefresh = tokens.refresh_token ?? previousRefreshToken;
+    if (newRefresh !== void 0) {
+      await this.#config.tokenStore.set(this.#refreshKey(), {
+        token: newRefresh
+      });
+    }
+    return record;
+  }
+};
+function defaultGenerateState() {
+  const bytes = new Uint8Array(24);
+  crypto.getRandomValues(bytes);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function parseJsonBody(text) {
+  if (text.length === 0) return null;
+  try {
+    return JSON.parse(text);
+  } catch {
+    return null;
+  }
+}
+function formatOAuthError(body, status) {
+  const parts = ["OAuth token request failed"];
+  if (status !== void 0) parts.push(`(HTTP ${String(status)})`);
+  if (body.error !== void 0 && body.error.length > 0) {
+    parts.push(`: ${body.error}`);
+    if (body.error_description !== void 0 && body.error_description.length > 0) {
+      parts.push(`- ${body.error_description}`);
+    }
+  }
+  return parts.join(" ").replace(" : ", ": ").replace(" - ", " - ");
+}
+
 // src/protocol/eip712.ts
 var DOMAIN_NAME = "Vana Data Portability";
 var DOMAIN_VERSION = "1";
+var NATIVE_VANA_ASSET = "0x0000000000000000000000000000000000000000";
 function buildDomain(chainId, verifyingContract) {
   return {
     name: DOMAIN_NAME,
@@ -32301,6 +32524,12 @@ function fileRegistrationDomain(config) {
     config.contracts.dataRegistry
   );
 }
+function dataRegistryDomain(config) {
+  return buildDomain(
+    config.chainId,
+    config.contracts.dataRegistry
+  );
+}
 function grantRegistrationDomain(config) {
   return buildDomain(
     config.chainId,
@@ -32325,6 +32554,12 @@ function builderRegistrationDomain(config) {
     config.contracts.dataPortabilityGrantees
   );
 }
+function escrowPaymentDomain(config) {
+  return buildDomain(
+    config.chainId,
+    config.contracts.dataPortabilityEscrow
+  );
+}
 var FILE_REGISTRATION_TYPES = {
   FileRegistration: [
     { name: "ownerAddress", type: "address" },
@@ -32336,14 +32571,16 @@ var GRANT_REGISTRATION_TYPES = {
   GrantRegistration: [
     { name: "grantorAddress", type: "address" },
     { name: "granteeId", type: "bytes32" },
-    { name: "grant", type: "string" },
-    { name: "fileIds", type: "uint256[]" }
+    { name: "scopes", type: "string[]" },
+    { name: "grantVersion", type: "uint256" },
+    { name: "expiresAt", type: "uint256" }
   ]
 };
 var GRANT_REVOCATION_TYPES = {
   GrantRevocation: [
     { name: "grantorAddress", type: "address" },
-    { name: "grantId", type: "bytes32" }
+    { name: "grantId", type: "bytes32" },
+    { name: "grantVersion", type: "uint256" }
   ]
 };
 var SERVER_REGISTRATION_TYPES = {
@@ -32362,83 +32599,500 @@ var BUILDER_REGISTRATION_TYPES = {
     { name: "appUrl", type: "string" }
   ]
 };
+var GENERIC_PAYMENT_TYPES = {
+  GenericPayment: [
+    { name: "payerAddress", type: "address" },
+    { name: "opType", type: "string" },
+    { name: "opId", type: "bytes32" },
+    { name: "asset", type: "address" },
+    { name: "amount", type: "uint256" },
+    { name: "paymentNonce", type: "uint256" }
+  ]
+};
+var ADD_DATA_TYPES = {
+  AddData: [
+    { name: "ownerAddress", type: "address" },
+    { name: "scope", type: "string" },
+    { name: "dataHash", type: "bytes32" },
+    { name: "metadataHash", type: "bytes32" },
+    { name: "expectedVersion", type: "uint256" }
+  ]
+};
+var RECORD_DATA_ACCESS_TYPES = {
+  RecordDataAccess: [
+    { name: "ownerAddress", type: "address" },
+    { name: "scope", type: "string" },
+    { name: "version", type: "uint256" },
+    { name: "accessor", type: "address" },
+    { name: "recordId", type: "bytes32" }
+  ]
+};
 
-// src/protocol/grants.ts
-import { verifyTypedData } from "viem";
-function isHexString(value) {
-  return typeof value === "string" && value.startsWith("0x");
+// src/protocol/personal-server-registration.ts
+import {
+  isAddress
+} from "viem";
+var PERSONAL_SERVER_REGISTRATION_DEFAULT_CHAIN_ID = 1480;
+var PERSONAL_SERVER_REGISTRATION_DEFAULT_VERIFYING_CONTRACT = "0x1483B1F634DBA75AeaE60da7f01A679aabd5ee2c";
+function assertAddress(value, name) {
+  if (!isAddress(value)) {
+    throw new Error(`${name} must be a valid EVM address`);
+  }
 }
-function isDataPortabilityGatewayConfig(value) {
-  if (value === null || typeof value !== "object" || Array.isArray(value)) {
-    return false;
+function getAccountAddress(account) {
+  if (!account) {
+    return void 0;
   }
-  const config = value;
-  const contracts = config["contracts"];
-  if (typeof config["chainId"] !== "number" || !Number.isInteger(config["chainId"]) || config["chainId"] <= 0 || contracts === null || typeof contracts !== "object" || Array.isArray(contracts)) {
-    return false;
+  return typeof account === "string" ? account : account.address;
+}
+function isPersonalServerRegistrationSigner(source) {
+  return "address" in source && typeof source.signTypedData === "function";
+}
+function createViemPersonalServerRegistrationSigner(source, options = {}) {
+  if (isPersonalServerRegistrationSigner(source)) {
+    return source;
   }
-  const c = contracts;
-  return isHexString(c["dataRegistry"]) && isHexString(c["dataPortabilityPermissions"]) && isHexString(c["dataPortabilityServer"]) && isHexString(c["dataPortabilityGrantees"]);
+  const accountAddress = getAccountAddress(options.account) ?? getAccountAddress(source.account);
+  if (accountAddress) {
+    return {
+      address: accountAddress,
+      signTypedData: (typedData) => source.signTypedData({
+        ...typedData,
+        account: options.account ?? source.account ?? accountAddress
+      })
+    };
+  }
+  throw new Error(
+    "Viem wallet client requires an account option or account property"
+  );
 }
-function parseGrantRegistrationPayload(grant) {
-  let parsed;
-  try {
-    parsed = JSON.parse(grant);
-  } catch {
-    return null;
+function personalServerRegistrationDomain(input = {}) {
+  if (input.config) {
+    return serverRegistrationDomain(input.config);
   }
-  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
-    return null;
+  const verifyingContract = input.verifyingContract ?? PERSONAL_SERVER_REGISTRATION_DEFAULT_VERIFYING_CONTRACT;
+  assertAddress(verifyingContract, "verifyingContract");
+  return {
+    name: "Vana Data Portability",
+    version: "1",
+    chainId: input.chainId ?? PERSONAL_SERVER_REGISTRATION_DEFAULT_CHAIN_ID,
+    verifyingContract
+  };
+}
+function buildPersonalServerRegistrationTypedData(input) {
+  assertAddress(input.ownerAddress, "ownerAddress");
+  assertAddress(input.serverAddress, "serverAddress");
+  return {
+    domain: personalServerRegistrationDomain(input),
+    types: SERVER_REGISTRATION_TYPES,
+    primaryType: "ServerRegistration",
+    message: {
+      ownerAddress: input.ownerAddress,
+      serverAddress: input.serverAddress,
+      publicKey: input.serverPublicKey,
+      serverUrl: input.serverUrl
+    }
+  };
+}
+async function buildPersonalServerRegistrationSignature(input) {
+  const typedData = buildPersonalServerRegistrationTypedData({
+    ownerAddress: input.signer.address,
+    serverAddress: input.serverAddress,
+    serverPublicKey: input.serverPublicKey,
+    serverUrl: input.serverUrl,
+    config: input.config,
+    chainId: input.chainId,
+    verifyingContract: input.verifyingContract
+  });
+  const signature = await input.signer.signTypedData(typedData);
+  return {
+    signature,
+    signerAddress: input.signer.address,
+    typedData
+  };
+}
+var registerPersonalServerSignature = buildPersonalServerRegistrationSignature;
+
+// src/protocol/personal-server-lite-owner-binding.ts
+import {
+  isAddress as isAddress2
+} from "viem";
+var PERSONAL_SERVER_LITE_OWNER_BINDING_VERSION = "vana.account.v1";
+var PERSONAL_SERVER_LITE_OWNER_BINDING_PURPOSE = "ps-lite-owner";
+var PERSONAL_SERVER_LITE_OWNER_BINDING_PREFIX = `${PERSONAL_SERVER_LITE_OWNER_BINDING_VERSION}:${PERSONAL_SERVER_LITE_OWNER_BINDING_PURPOSE}:`;
+function assertAddress2(value, name) {
+  if (!isAddress2(value)) {
+    throw new Error(`${name} must be a valid EVM address`);
   }
-  const value = parsed;
-  if (!Array.isArray(value["scopes"]) || value["scopes"].length === 0) {
-    return null;
+}
+function getAccountAddress2(account) {
+  if (!account) {
+    return void 0;
   }
-  if (!value["scopes"].every((scope) => typeof scope === "string")) {
-    return null;
+  return typeof account === "string" ? account : account.address;
+}
+function isPersonalServerLiteOwnerBindingSigner(source) {
+  return "address" in source && typeof source.signMessage === "function";
+}
+function buildPersonalServerLiteOwnerBindingMessage(ownerAddress) {
+  assertAddress2(ownerAddress, "ownerAddress");
+  return `${PERSONAL_SERVER_LITE_OWNER_BINDING_PREFIX}${ownerAddress.toLowerCase()}`;
+}
+function createViemPersonalServerLiteOwnerBindingSigner(source, options = {}) {
+  if (isPersonalServerLiteOwnerBindingSigner(source)) {
+    return source;
   }
-  if (typeof value["expiresAt"] !== "number" || !Number.isFinite(value["expiresAt"])) {
-    return null;
+  const accountAddress = getAccountAddress2(options.account) ?? getAccountAddress2(source.account);
+  if (accountAddress) {
+    return {
+      address: accountAddress,
+      signMessage: ({ message }) => source.signMessage({
+        account: options.account ?? source.account ?? accountAddress,
+        message
+      })
+    };
   }
-  if (value["user"] !== void 0 && !isHexString(value["user"])) {
-    return null;
+  throw new Error(
+    "Viem wallet client requires an account option or account property"
+  );
+}
+async function buildPersonalServerLiteOwnerBindingSignature(input) {
+  const message = buildPersonalServerLiteOwnerBindingMessage(
+    input.signer.address
+  );
+  const signature = await input.signer.signMessage({ message });
+  return {
+    signature,
+    signerAddress: input.signer.address,
+    message,
+    purpose: PERSONAL_SERVER_LITE_OWNER_BINDING_PURPOSE
+  };
+}
+var signPersonalServerLiteOwnerBinding = buildPersonalServerLiteOwnerBindingSignature;
+
+// src/account/personal-server-registration.ts
+import { isAddress as isAddress3 } from "viem";
+var ACCOUNT_PERSONAL_SERVER_REGISTRATION_INTENT = "personal_server.server_registration.v1";
+var AccountPersonalServerRegistrationError = class extends Error {
+  status;
+  code;
+  details;
+  constructor(input) {
+    super(input.message);
+    this.name = "AccountPersonalServerRegistrationError";
+    this.status = input.status;
+    this.code = input.code;
+    this.details = input.details;
   }
-  if (value["builder"] !== void 0 && !isHexString(value["builder"])) {
-    return null;
+};
+var DEFAULT_ACCOUNT_PS_REGISTRATION_PATH = "/api/v1/intents/personal-server-registration/sign";
+function trimTrailingSlash(value) {
+  return value.replace(/\/+$/, "");
+}
+function assertAddress3(value, name) {
+  if (!isAddress3(value)) {
+    throw new Error(`${name} must be a valid EVM address`);
   }
-  if (value["nonce"] !== void 0 && (typeof value["nonce"] !== "number" || !Number.isFinite(value["nonce"]))) {
-    return null;
+}
+async function parseAccountResponse(response) {
+  const body = await response.json().catch(() => void 0);
+  if (!response.ok) {
+    throw new AccountPersonalServerRegistrationError({
+      status: response.status,
+      code: accountErrorCode(body),
+      message: accountErrorMessage(response.status, body),
+      details: body
+    });
+  }
+  return body;
+}
+function accountErrorMessage(status, body) {
+  const nestedMessage = nestedAccountErrorField(body, "message");
+  if (nestedMessage) {
+    return nestedMessage;
+  }
+  if (isRecord(body) && typeof body.message === "string") {
+    return body.message;
+  }
+  const code = accountErrorCode(body);
+  if (code) {
+    return `Account PS registration signing failed: ${code}`;
+  }
+  return `Account PS registration signing failed: ${status}`;
+}
+function accountErrorCode(body) {
+  const nestedCode = nestedAccountErrorField(body, "code");
+  if (nestedCode) {
+    return nestedCode;
+  }
+  if (isRecord(body)) {
+    if (typeof body.code === "string") {
+      return body.code;
+    }
+    if (typeof body.error === "string") {
+      return body.error;
+    }
   }
+  return void 0;
+}
+function nestedAccountErrorField(body, field) {
+  if (!isRecord(body) || !isRecord(body.error)) {
+    return void 0;
+  }
+  const value = body.error[field];
+  return typeof value === "string" ? value : void 0;
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function normalizeAccountResponse(response) {
   return {
-    user: value["user"],
-    builder: value["builder"],
-    scopes: value["scopes"],
-    expiresAt: value["expiresAt"],
-    nonce: value["nonce"]
+    ...response,
+    status: response.status === "fallback_required" ? "confirmation_required" : response.status,
+    signerAddress: response.signerAddress ?? response.signer?.address,
+    typedData: response.typedData ?? response.typed_data
   };
 }
-function parseFileIds(fileIds) {
-  try {
-    const values = (fileIds ?? []).map((fileId) => BigInt(fileId));
+function buildSignedResult(response, request) {
+  assertAddress3(response.signerAddress, "signerAddress");
+  if (response.typedData) {
+    assertTypedDataMatchesRequest(
+      response.typedData,
+      request,
+      response.signerAddress
+    );
+  }
+  return {
+    signature: response.signature,
+    signerAddress: response.signerAddress,
+    typedData: response.typedData ?? buildPersonalServerRegistrationTypedData({
+      ownerAddress: response.signerAddress,
+      ...request
+    }),
+    intent: ACCOUNT_PERSONAL_SERVER_REGISTRATION_INTENT
+  };
+}
+function assertTypedDataMatchesRequest(typedData, request, expectedSignerAddress) {
+  assertAddress3(
+    typedData.message.ownerAddress,
+    "typedData.message.ownerAddress"
+  );
+  assertAddress3(
+    typedData.message.serverAddress,
+    "typedData.message.serverAddress"
+  );
+  if (expectedSignerAddress && !sameAddress(typedData.message.ownerAddress, expectedSignerAddress)) {
+    throw new Error(
+      "Account typedData ownerAddress must match the expected signer address"
+    );
+  }
+  if (!sameAddress(typedData.message.serverAddress, request.serverAddress)) {
+    throw new Error(
+      "Account typedData serverAddress must match the requested serverAddress"
+    );
+  }
+  if (typedData.message.publicKey !== request.serverPublicKey) {
+    throw new Error(
+      "Account typedData publicKey must match the requested serverPublicKey"
+    );
+  }
+  if (typedData.message.serverUrl !== request.serverUrl) {
+    throw new Error(
+      "Account typedData serverUrl must match the requested serverUrl"
+    );
+  }
+  if (typedData.primaryType !== "ServerRegistration") {
+    throw new Error("Account typedData primaryType must be ServerRegistration");
+  }
+  if (JSON.stringify(typedData.types) !== JSON.stringify(SERVER_REGISTRATION_TYPES)) {
+    throw new Error("Account typedData types must be ServerRegistration types");
+  }
+  const expectedDomain = personalServerRegistrationDomain({
+    config: request.config,
+    chainId: request.chainId,
+    verifyingContract: request.verifyingContract
+  });
+  if (!domainsEqual(typedData.domain, expectedDomain)) {
+    throw new Error("Account typedData domain must match the requested domain");
+  }
+}
+function sameAddress(a, b) {
+  return a.toLowerCase() === b.toLowerCase();
+}
+function domainsEqual(a, b) {
+  if (!a || !b) {
+    return false;
+  }
+  return a.name === b.name && a.version === b.version && Number(a.chainId) === Number(b.chainId) && String(a.verifyingContract ?? "").toLowerCase() === String(b.verifyingContract ?? "").toLowerCase() && a.salt === b.salt;
+}
+async function signPersonalServerRegistrationWithAccount(config, request) {
+  assertAddress3(request.serverAddress, "serverAddress");
+  const fetchImpl = config.fetchImpl ?? globalThis.fetch.bind(globalThis);
+  const endpoint = new URL(
+    config.endpointPath ?? DEFAULT_ACCOUNT_PS_REGISTRATION_PATH,
+    `${trimTrailingSlash(config.accountOrigin)}/`
+  );
+  const response = await fetchImpl(endpoint, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    credentials: "include",
+    body: JSON.stringify({
+      intent: ACCOUNT_PERSONAL_SERVER_REGISTRATION_INTENT,
+      serverAddress: request.serverAddress,
+      serverPublicKey: request.serverPublicKey,
+      serverUrl: request.serverUrl,
+      config: request.config,
+      chainId: request.chainId,
+      verifyingContract: request.verifyingContract
+    })
+  });
+  const body = normalizeAccountResponse(await parseAccountResponse(response));
+  if (body.status === "signed") {
+    if (!body.signature || !body.signerAddress) {
+      throw new Error(
+        "Account signed response must include signature and signerAddress"
+      );
+    }
     return {
-      values,
-      display: values.map((fileId) => fileId.toString())
+      status: "signed",
+      result: buildSignedResult(
+        {
+          signature: body.signature,
+          signerAddress: body.signerAddress,
+          typedData: body.typedData
+        },
+        request
+      )
     };
+  }
+  if (body.status === "confirmation_required") {
+    if (!body.typedData) {
+      throw new Error(
+        "Account confirmation_required response must include typedData"
+      );
+    }
+    assertTypedDataMatchesRequest(body.typedData, request, body.signerAddress);
+    if (!config.fallbackSigner) {
+      return {
+        status: "confirmation_required",
+        typedData: body.typedData,
+        signerAddress: body.signerAddress
+      };
+    }
+    assertTypedDataMatchesRequest(
+      body.typedData,
+      request,
+      config.fallbackSigner.address
+    );
+    const signature = await config.fallbackSigner.signTypedData(body.typedData);
+    return {
+      status: "fallback_signed",
+      accountStatus: "confirmation_required",
+      result: {
+        signature,
+        signerAddress: config.fallbackSigner.address,
+        typedData: body.typedData,
+        intent: ACCOUNT_PERSONAL_SERVER_REGISTRATION_INTENT
+      }
+    };
+  }
+  throw new Error(
+    `Unsupported Account PS registration signing status: ${String(body.status)}`
+  );
+}
+
+// src/account/personal-server-lite-owner-binding.ts
+var AccountPersonalServerLiteOwnerBindingError = class extends Error {
+  code;
+  details;
+  constructor(input) {
+    super(input.message);
+    this.name = "AccountPersonalServerLiteOwnerBindingError";
+    this.code = input.code;
+    this.details = input.details;
+  }
+};
+async function signPersonalServerLiteOwnerBindingWithAccountClient(config) {
+  let address;
+  try {
+    address = await config.client.getAddress();
+  } catch (error) {
+    throw accountOwnerBindingError(error);
+  }
+  if (!address) {
+    throw new AccountPersonalServerLiteOwnerBindingError({
+      message: "Account did not return a wallet address",
+      code: "account_address_required"
+    });
+  }
+  const message = buildPersonalServerLiteOwnerBindingMessage(address);
+  let signature;
+  try {
+    signature = await config.client.signMessage({ message });
+  } catch (error) {
+    throw accountOwnerBindingError(error);
+  }
+  return {
+    signature,
+    signerAddress: address,
+    message,
+    purpose: PERSONAL_SERVER_LITE_OWNER_BINDING_PURPOSE
+  };
+}
+function accountOwnerBindingError(error) {
+  if (error instanceof AccountPersonalServerLiteOwnerBindingError) {
+    return error;
+  }
+  const rpcError = error;
+  const code = rpcError?.code;
+  const message = typeof rpcError?.message === "string" && rpcError.message.length > 0 ? rpcError.message : "Account PS Lite owner-binding signature failed";
+  return new AccountPersonalServerLiteOwnerBindingError({
+    message,
+    code,
+    details: error
+  });
+}
+
+// src/protocol/grants.ts
+import { verifyTypedData } from "viem";
+function isHexString(value) {
+  return typeof value === "string" && value.startsWith("0x");
+}
+function isDataPortabilityGatewayConfig(value) {
+  if (value === null || typeof value !== "object" || Array.isArray(value)) {
+    return false;
+  }
+  const config = value;
+  const contracts = config["contracts"];
+  if (typeof config["chainId"] !== "number" || !Number.isInteger(config["chainId"]) || config["chainId"] <= 0 || contracts === null || typeof contracts !== "object" || Array.isArray(contracts)) {
+    return false;
+  }
+  const c = contracts;
+  return isHexString(c["dataRegistry"]) && isHexString(c["dataPortabilityPermissions"]) && isHexString(c["dataPortabilityServer"]) && isHexString(c["dataPortabilityGrantees"]) && isHexString(c["dataPortabilityEscrow"]) && isHexString(c["feeRegistry"]);
+}
+function toUint256(value) {
+  try {
+    const big = typeof value === "bigint" ? value : BigInt(value);
+    if (big < 0n) return null;
+    return big;
   } catch {
     return null;
   }
 }
 async function verifyGrantRegistration(input) {
-  const payload = parseGrantRegistrationPayload(input.grant);
-  if (!payload) {
-    return {
-      valid: false,
-      error: "Grant must be JSON with scopes and expiresAt"
-    };
+  if (!Array.isArray(input.scopes) || input.scopes.length === 0) {
+    return { valid: false, error: "scopes must be a non-empty array" };
+  }
+  if (!input.scopes.every((scope) => typeof scope === "string")) {
+    return { valid: false, error: "scopes must contain only strings" };
+  }
+  const grantVersion = toUint256(input.grantVersion);
+  if (grantVersion === null || grantVersion < 1n) {
+    return { valid: false, error: "grantVersion must be a uint256 >= 1" };
   }
-  const fileIds = parseFileIds(input.fileIds);
-  if (!fileIds) {
-    return { valid: false, error: "fileIds must contain integer values" };
+  const expiresAt = toUint256(input.expiresAt);
+  if (expiresAt === null) {
+    return { valid: false, error: "expiresAt must be a non-negative uint256" };
   }
   let valid;
   try {
@@ -32450,8 +33104,9 @@ async function verifyGrantRegistration(input) {
       message: {
         grantorAddress: input.grantorAddress,
         granteeId: input.granteeId,
-        grant: input.grant,
-        fileIds: fileIds.values
+        scopes: input.scopes,
+        grantVersion,
+        expiresAt
       },
       signature: input.signature
     });
@@ -32462,19 +33117,128 @@ async function verifyGrantRegistration(input) {
     return { valid: false, error: "Grant signature does not match grantor" };
   }
   const nowSeconds = input.nowSeconds ?? Math.floor(Date.now() / 1e3);
-  if (payload.expiresAt > 0 && payload.expiresAt < nowSeconds) {
+  if (expiresAt > 0n && expiresAt < BigInt(nowSeconds)) {
     return { valid: false, error: "Grant has expired" };
   }
-  if (payload.user !== void 0 && payload.user.toLowerCase() !== input.grantorAddress.toLowerCase()) {
-    return { valid: false, error: "Grant user does not match grantorAddress" };
-  }
   return {
     valid: true,
     grantorAddress: input.grantorAddress,
     granteeId: input.granteeId,
-    grant: input.grant,
-    payload,
-    fileIds: fileIds.display
+    scopes: input.scopes,
+    grantVersion: grantVersion.toString(),
+    expiresAt: expiresAt.toString()
+  };
+}
+
+// src/protocol/escrow-deposit.ts
+import { encodeFunctionData } from "viem";
+var ESCROW_DEPOSIT_ABI = [
+  {
+    type: "function",
+    name: "depositNative",
+    stateMutability: "payable",
+    inputs: [{ name: "account", type: "address" }],
+    outputs: []
+  },
+  {
+    type: "function",
+    name: "depositToken",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "account", type: "address" },
+      { name: "token", type: "address" },
+      { name: "amount", type: "uint256" }
+    ],
+    outputs: []
+  }
+];
+function escrowContractAddress(config) {
+  return config.contracts.dataPortabilityEscrow;
+}
+function encodeDepositNativeData(input) {
+  return encodeFunctionData({
+    abi: ESCROW_DEPOSIT_ABI,
+    functionName: "depositNative",
+    args: [input.account]
+  });
+}
+function encodeDepositTokenData(input) {
+  return encodeFunctionData({
+    abi: ESCROW_DEPOSIT_ABI,
+    functionName: "depositToken",
+    args: [input.account, input.token, input.amount]
+  });
+}
+function buildDepositNativeRequest(config, input) {
+  return {
+    to: escrowContractAddress(config),
+    data: encodeDepositNativeData({ account: input.account }),
+    value: input.amount
+  };
+}
+function buildDepositTokenRequest(config, input) {
+  return {
+    to: escrowContractAddress(config),
+    data: encodeDepositTokenData(input)
+  };
+}
+
+// src/protocol/fee-registry.ts
+import { parseAbi } from "viem";
+var FEE_REGISTRY_ABI = parseAbi([
+  "struct Fee { uint256 amount; address asset; address payee; bool enabled; }",
+  "function fees(bytes32 operation) view returns (Fee)",
+  "function operationKey(string name) pure returns (bytes32)"
+]);
+function operationNameFor(kind, opts) {
+  if (kind === "registration") {
+    return opts?.registrationOpName ?? "registration";
+  }
+  return opts?.dataAccessOpName ?? "data_access";
+}
+async function getFee(client, config, kind, opts) {
+  const address = config.contracts.feeRegistry;
+  const opName = operationNameFor(kind, opts);
+  const opKey = await client.readContract({
+    address,
+    abi: FEE_REGISTRY_ABI,
+    functionName: "operationKey",
+    args: [opName]
+  });
+  const fee = await client.readContract({
+    address,
+    abi: FEE_REGISTRY_ABI,
+    functionName: "fees",
+    args: [opKey]
+  });
+  if (!fee.enabled) {
+    throw new Error(
+      `FeeRegistry: operation "${opName}" (kind=${kind}) is not enabled \u2014 operator must call setFeeByName before payments will validate`
+    );
+  }
+  if (fee.payee === "0x0000000000000000000000000000000000000000") {
+    throw new Error(
+      `FeeRegistry: operation "${opName}" has zero-address payee \u2014 contract pre-flight rejects payouts to 0x0`
+    );
+  }
+  return fee;
+}
+async function getOpFee(client, config, opts) {
+  const [registration, dataAccess] = await Promise.all([
+    getFee(client, config, "registration", opts),
+    getFee(client, config, "data_access", opts)
+  ]);
+  if (registration.asset.toLowerCase() !== dataAccess.asset.toLowerCase()) {
+    throw new Error(
+      `FeeRegistry asset mismatch: registration=${registration.asset} vs data_access=${dataAccess.asset}. The gateway requires both fees to settle in the same asset.`
+    );
+  }
+  return {
+    asset: registration.asset,
+    registrationFee: registration.amount,
+    dataAccessFee: dataAccess.amount,
+    registrationPayee: registration.payee,
+    dataAccessPayee: dataAccess.payee
   };
 }
 
@@ -32674,6 +33438,68 @@ function createGatewayClient(baseUrl) {
         alreadyRegistered: false
       };
     },
+    async registerBuilder(params) {
+      const res = await fetch(`${base}/v1/builders`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Web3Signed ${params.signature}`
+        },
+        body: JSON.stringify({
+          ownerAddress: params.ownerAddress,
+          granteeAddress: params.granteeAddress,
+          publicKey: params.publicKey,
+          appUrl: params.appUrl
+        })
+      });
+      if (res.status === 409) {
+        const body2 = await res.json().catch(() => ({}));
+        return {
+          builderId: getMutationId(
+            body2,
+            "builderId"
+          ),
+          alreadyRegistered: true
+        };
+      }
+      if (!res.ok) {
+        throw new Error(`Gateway error: ${res.status} ${res.statusText}`);
+      }
+      const body = await res.json().catch(() => ({}));
+      return {
+        builderId: getMutationId(body, "builderId"),
+        alreadyRegistered: false
+      };
+    },
+    async registerDataPoint(params) {
+      const res = await fetch(`${base}/v1/data`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Web3Signed ${params.signature}`
+        },
+        body: JSON.stringify({
+          ownerAddress: params.ownerAddress,
+          scope: params.scope,
+          dataHash: params.dataHash,
+          metadataHash: params.metadataHash,
+          expectedVersion: params.expectedVersion
+        })
+      });
+      if (!res.ok) {
+        const body2 = await res.json().catch(() => ({}));
+        const detail = body2.error ?? res.statusText;
+        throw new Error(`Gateway error: ${res.status} ${detail}`);
+      }
+      const body = await res.json().catch(() => ({}));
+      return {
+        dataPointId: getMutationId(
+          body,
+          "dataPointId"
+        ),
+        expectedVersion: body.expectedVersion
+      };
+    },
     async registerFile(params) {
       const res = await fetch(`${base}/v1/files`, {
         method: "POST",
@@ -32711,8 +33537,9 @@ function createGatewayClient(baseUrl) {
         body: JSON.stringify({
           grantorAddress: params.grantorAddress,
           granteeId: params.granteeId,
-          grant: params.grant,
-          fileIds: params.fileIds
+          scopes: params.scopes,
+          grantVersion: params.grantVersion,
+          expiresAt: params.expiresAt
         })
       });
       if (res.status === 409) {
@@ -32737,13 +33564,71 @@ function createGatewayClient(baseUrl) {
           Authorization: `Web3Signed ${params.signature}`
         },
         body: JSON.stringify({
-          grantorAddress: params.grantorAddress
+          grantorAddress: params.grantorAddress,
+          grantVersion: params.grantVersion
         })
       });
       if (res.status === 409) return;
       if (!res.ok) {
         throw new Error(`Gateway error: ${res.status} ${res.statusText}`);
       }
+    },
+    async getEscrowBalance(account) {
+      const res = await fetch(`${base}/v1/escrow/balance?account=${account}`);
+      if (!res.ok) {
+        throw new Error(`Gateway error: ${res.status} ${res.statusText}`);
+      }
+      return await res.json();
+    },
+    async submitEscrowDeposit(params) {
+      const res = await fetch(`${base}/v1/escrow/deposit`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ txHash: params.txHash })
+      });
+      if (res.status !== 200 && res.status !== 202) {
+        throw new Error(`Gateway error: ${res.status} ${res.statusText}`);
+      }
+      return await res.json();
+    },
+    async payForOperation(params) {
+      const body = {
+        payerAddress: params.payerAddress,
+        opType: params.opType,
+        opId: params.opId,
+        asset: params.asset,
+        amount: params.amount,
+        paymentNonce: params.paymentNonce
+      };
+      if (params.accessRecord) {
+        body["accessRecord"] = params.accessRecord;
+      }
+      const res = await fetch(`${base}/v1/escrow/pay`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Web3Signed ${params.signature}`
+        },
+        body: JSON.stringify(body)
+      });
+      if (!res.ok) {
+        throw new Error(`Gateway error: ${res.status} ${res.statusText}`);
+      }
+      return await res.json();
+    },
+    async settle(params) {
+      const res = await fetch(`${base}/v1/settle`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        // The gateway accepts an empty body; only `limit` is recognised.
+        // Always send a JSON body so the gateway's req.body shape parse
+        // doesn't have to deal with an undefined.
+        body: JSON.stringify(params ?? {})
+      });
+      if (!res.ok) {
+        throw new Error(`Gateway error: ${res.status} ${res.statusText}`);
+      }
+      return await res.json();
     }
   };
 }
@@ -32773,7 +33658,7 @@ var KNOWN_CODES = /* @__PURE__ */ new Set([
   "server_not_configured",
   "content_too_large"
 ]);
-function isRecord(value) {
+function isRecord2(value) {
   return value !== null && typeof value === "object" && !Array.isArray(value);
 }
 function normalizeCode(value) {
@@ -32784,10 +33669,10 @@ function normalizeCode(value) {
   return KNOWN_CODES.has(code) ? code : null;
 }
 function extractPSErrorBody(body) {
-  if (!isRecord(body)) {
+  if (!isRecord2(body)) {
     return null;
   }
-  const nested = isRecord(body.error) ? body.error : null;
+  const nested = isRecord2(body.error) ? body.error : null;
   const code = normalizeCode(
     nested?.errorCode ?? nested?.code ?? body.errorCode ?? body.code
   );
@@ -32811,6 +33696,10 @@ async function parsePSError(response) {
   return errorBody ? new PSError(errorBody.code, errorBody.message) : null;
 }
 export {
+  ACCOUNT_PERSONAL_SERVER_REGISTRATION_INTENT,
+  ADD_DATA_TYPES,
+  AccountPersonalServerLiteOwnerBindingError,
+  AccountPersonalServerRegistrationError,
   BUILDER_REGISTRATION_TYPES,
   BlockchainError,
   BrowserPlatformAdapter,
@@ -32821,8 +33710,11 @@ export {
   DataFileEnvelopeSchema,
   DropboxStorage,
   ECIESError,
+  ESCROW_DEPOSIT_ABI,
   ExpiredTokenError,
+  FEE_REGISTRY_ABI,
   FILE_REGISTRATION_TYPES,
+  GENERIC_PAYMENT_TYPES,
   GRANT_REGISTRATION_TYPES,
   GRANT_REVOCATION_TYPES,
   GoogleDriveStorage,
@@ -32833,10 +33725,17 @@ export {
   IpfsStorage,
   MASTER_KEY_MESSAGE,
   MissingAuthError,
+  NATIVE_VANA_ASSET,
   NetworkError,
   NodeECIESUint8Provider as NodeECIESProvider,
   NodePlatformAdapter,
   NonceError,
+  OAuthClient,
+  PERSONAL_SERVER_LITE_OWNER_BINDING_PREFIX,
+  PERSONAL_SERVER_LITE_OWNER_BINDING_PURPOSE,
+  PERSONAL_SERVER_LITE_OWNER_BINDING_VERSION,
+  PERSONAL_SERVER_REGISTRATION_DEFAULT_CHAIN_ID,
+  PERSONAL_SERVER_REGISTRATION_DEFAULT_VERIFYING_CONTRACT,
   PKCE_CHALLENGE_PATTERN,
   PKCE_VERIFIER_PATTERN,
   PSError,
@@ -32844,6 +33743,7 @@ export {
   PersonalServerError,
   PinataStorage,
   R2Storage,
+  RECORD_DATA_ACCESS_TYPES,
   ReadOnlyError,
   RelayerError,
   SERVER_REGISTRATION_TYPES,
@@ -32858,6 +33758,12 @@ export {
   VanaError,
   VanaStorage,
   assertValidPkceVerifier,
+  buildDepositNativeRequest,
+  buildDepositTokenRequest,
+  buildPersonalServerLiteOwnerBindingMessage,
+  buildPersonalServerLiteOwnerBindingSignature,
+  buildPersonalServerRegistrationSignature,
+  buildPersonalServerRegistrationTypedData,
   buildWeb3SignedHeader,
   builderRegistrationDomain,
   chains,
@@ -32873,12 +33779,19 @@ export {
   createPlatformAdapterFor,
   createPlatformAdapterSafe,
   createVanaStorageProvider,
+  createViemPersonalServerLiteOwnerBindingSigner,
+  createViemPersonalServerRegistrationSigner,
+  dataRegistryDomain,
   decryptWithPassword,
   deriveMasterKey,
   deriveScopeKey,
   deserializeECIES,
   detectPlatform,
+  encodeDepositNativeData,
+  encodeDepositTokenData,
   encryptWithPassword,
+  escrowContractAddress,
+  escrowPaymentDomain,
   fileRegistrationDomain,
   generatePkceVerifier,
   getAbi,
@@ -32887,6 +33800,8 @@ export {
   getContractAddress,
   getContractController,
   getContractInfo,
+  getFee,
+  getOpFee,
   getPlatformCapabilities,
   getServiceEndpoints,
   grantRegistrationDomain,
@@ -32898,16 +33813,20 @@ export {
   moksha,
   mokshaServices,
   mokshaTestnet2 as mokshaTestnet,
-  parseGrantRegistrationPayload,
   parsePSError,
   parseScope,
   parseWeb3SignedHeader,
+  personalServerRegistrationDomain,
   recoverServerOwner,
+  registerPersonalServerSignature,
   scopeCoveredByGrant,
   scopeMatchesPattern,
   scopeToPathSegments,
   serializeECIES,
   serverRegistrationDomain,
+  signPersonalServerLiteOwnerBinding,
+  signPersonalServerLiteOwnerBindingWithAccountClient,
+  signPersonalServerRegistrationWithAccount,
   vanaMainnet2 as vanaMainnet,
   verifyGrantRegistration,
   verifyPkceChallenge,