npm - @rialo/ts-cdk - Versions diffs - 0.2.0-alpha.0 → 0.2.0-alpha.1 - Mend

@rialo/ts-cdk 0.2.0-alpha.0 → 0.2.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,3 +1,5 @@
+export { field, fixedArray, option, vec } from '@dao-xyz/borsh';
 interface HttpTransportConfig {
     /** Request timeout in milliseconds */
     timeout?: number;
@@ -731,6 +733,341 @@ declare class RialoError extends Error {
     static serialization(message: string): RialoError;
 }
+/**
+ * Error codes for HPKE encryption operations.
+ */
+declare enum HpkeErrorCode {
+    /** Key length does not match expected size */
+    INVALID_KEY_LENGTH = "INVALID_KEY_LENGTH",
+    /** Ciphertext is shorter than minimum required length */
+    CIPHERTEXT_TOO_SHORT = "CIPHERTEXT_TOO_SHORT",
+    /** HPKE encryption operation failed */
+    ENCRYPTION_FAILED = "ENCRYPTION_FAILED",
+    /** Failed to deserialize Borsh data */
+    BORSH_DESERIALIZE_FAILED = "BORSH_DESERIALIZE_FAILED",
+    /** RexValue has invalid variant byte */
+    INVALID_ORACLE_VALUE = "INVALID_ORACLE_VALUE"
+}
+/**
+ * Error class for HPKE encryption operations.
+ *
+ * Provides detailed error information for encryption failures,
+ * including error codes and contextual details.
+ */
+declare class HpkeError extends Error {
+    readonly code: HpkeErrorCode;
+    readonly cause?: Error;
+    constructor(code: HpkeErrorCode, message: string, cause?: Error);
+    /**
+     * Create an error for invalid key length.
+     *
+     * @param expected - Expected key length in bytes
+     * @param actual - Actual key length in bytes
+     * @param keyType - Description of the key type (e.g., "REX public key")
+     */
+    static invalidKeyLength(expected: number, actual: number, keyType: string): HpkeError;
+    /**
+     * Create an error for ciphertext that is too short.
+     *
+     * @param minLength - Minimum required length
+     * @param actual - Actual length
+     */
+    static ciphertextTooShort(minLength: number, actual: number): HpkeError;
+    /**
+     * Create an error for encryption failure.
+     *
+     * @param cause - The underlying error
+     */
+    static encryptionFailed(cause: Error): HpkeError;
+    /**
+     * Create an error for Borsh deserialization failure.
+     *
+     * @param cause - The underlying error
+     */
+    static borshDeserializeFailed(cause: Error): HpkeError;
+    /**
+     * Create an error for invalid RexValue variant.
+     *
+     * @param variant - The invalid variant byte
+     */
+    static invalidRexValue(variant: number): HpkeError;
+}
+/**
+ * Constants for REX HPKE encryption.
+ *
+ * These constants MUST match the Rust implementation exactly:
+ * - `crates/tee/secret-sharing/src/constants.rs`
+ *
+ * @module
+ */
+/**
+ * Additional Authenticated Data (AAD) prefix for user secrets.
+ *
+ * This 13-byte string is prepended to the sender's public key to form
+ * the complete AAD for HPKE encryption. It provides domain separation
+ * to prevent cross-protocol attacks.
+ *
+ * Format: `USER_SECRET_AAD || senderPubkey` = 45 bytes total AAD
+ *
+ * @remarks
+ * Must match Rust: `pub const USER_SECRET_AAD: &[u8] = b"rex-secret-v1";`
+ */
+declare const USER_SECRET_AAD: Uint8Array<ArrayBuffer>;
+/**
+ * HPKE info string for secret sharing context.
+ *
+ * This 32-byte string is used as the `info` parameter in HPKE encryption,
+ * providing domain separation for secret sharing operations.
+ *
+ * @remarks
+ * Must match Rust: `pub const SECRET_SHARING_HPKE_INFO: &[u8; 32] = b"rialo/tee/secret-sharing-hpke/v1";`
+ */
+declare const SECRET_SHARING_HPKE_INFO: Uint8Array<ArrayBuffer>;
+/**
+ * Length of an X25519 public key in bytes.
+ *
+ * Used for the REX encryption public key (secret sharing key).
+ */
+declare const X25519_PUBLIC_KEY_LENGTH = 32;
+/**
+ * Length of an Ed25519 public key in bytes.
+ *
+ * Used for sender identity binding in AAD construction.
+ */
+declare const ED25519_PUBLIC_KEY_LENGTH = 32;
+/**
+ * Length of the HPKE encapsulated key (enc) in bytes.
+ *
+ * For X25519, this is always 32 bytes.
+ */
+declare const HPKE_ENC_LENGTH = 32;
+/**
+ * Length of the ChaCha20-Poly1305 authentication tag in bytes.
+ */
+declare const CHACHA20_POLY1305_TAG_LENGTH = 16;
+/**
+ * Total overhead added by HPKE encryption.
+ *
+ * This is the additional bytes beyond the plaintext:
+ * - enc (32 bytes): Encapsulated ephemeral public key
+ * - tag (16 bytes): ChaCha20-Poly1305 authentication tag
+ *
+ * Ciphertext length = plaintext length + 48 bytes
+ */
+declare const HPKE_OVERHEAD_LENGTH: number;
+/**
+ * Variant discriminator for RexValue Borsh serialization.
+ */
+declare enum RexValueVariant {
+    /** Plain (unencrypted) data variant */
+    Plain = 0,
+    /** Encrypted data variant */
+    Encrypted = 1
+}
+/**
+ * Represents an rex value that can be plain or encrypted.
+ *
+ * This class provides Borsh-compatible serialization that matches
+ * the Rust `RexValue` enum:
+ *
+ * ```rust
+ * pub enum RexValue {
+ *     Plain(Vec<u8>),
+ *     Encrypted(Vec<u8>),
+ * }
+ * ```
+ *
+ * ## Borsh Format
+ *
+ * - Plain: `[0x00] [length: u32 LE] [data bytes]`
+ * - Encrypted: `[0x01] [length: u32 LE] [ciphertext bytes]`
+ *
+ * @example
+ * ```typescript
+ * // Plain value (unencrypted)
+ * const plain = RexValue.plain(new TextEncoder().encode("hello"));
+ *
+ * // Encrypted value (via HPKE)
+ * const encrypted = RexValue.encrypted(ciphertextBytes);
+ *
+ * // Serialize to Borsh
+ * const borsh = plain.toBorsh();
+ *
+ * // Deserialize from Borsh
+ * const restored = RexValue.fromBorsh(borsh);
+ * ```
+ */
+declare class RexValue {
+    private readonly variant;
+    private readonly data;
+    private constructor();
+    /**
+     * Create a plain (unencrypted) RexValue from raw bytes.
+     *
+     * @param data - The raw byte data
+     * @returns A new RexValue with Plain variant
+     */
+    static plain(data: Uint8Array): RexValue;
+    /**
+     * Create a plain (unencrypted) RexValue from a UTF-8 string.
+     *
+     * @param s - The string to encode
+     * @returns A new RexValue with Plain variant
+     */
+    static plainString(s: string): RexValue;
+    /**
+     * Create an encrypted RexValue from HPKE ciphertext.
+     *
+     * @param ciphertext - The HPKE-encrypted ciphertext (enc || ct || tag)
+     * @returns A new RexValue with Encrypted variant
+     */
+    static encrypted(ciphertext: Uint8Array): RexValue;
+    /**
+     * Check if this is a plain (unencrypted) value.
+     */
+    isPlain(): boolean;
+    /**
+     * Check if this is an encrypted value.
+     */
+    isEncrypted(): boolean;
+    /**
+     * Get the variant type.
+     */
+    getVariant(): RexValueVariant;
+    /**
+     * Get the raw bytes (plaintext or ciphertext).
+     *
+     * For Plain values, returns the plaintext.
+     * For Encrypted values, returns the ciphertext.
+     */
+    asBytes(): Uint8Array;
+    /**
+     * Try to decode the plain value as a UTF-8 string.
+     *
+     * @returns The decoded string, or null if encrypted or not valid UTF-8
+     */
+    asString(): string | null;
+    /**
+     * Serialize to Borsh format.
+     *
+     * Format: `[variant: u8] [length: u32 LE] [data bytes]`
+     *
+     * @returns The Borsh-serialized bytes
+     */
+    toBorsh(): Uint8Array;
+    /**
+     * Deserialize from Borsh format.
+     *
+     * @param data - The Borsh-serialized bytes
+     * @returns A new RexValue
+     * @throws {HpkeError} If deserialization fails
+     */
+    static fromBorsh(data: Uint8Array): RexValue;
+}
+/**
+ * Encrypt data using HPKE for REX secret sharing.
+ *
+ * This function performs HPKE encryption using the Base mode with:
+ * - X25519 for key encapsulation
+ * - HKDF-SHA256 for key derivation
+ * - ChaCha20-Poly1305 for authenticated encryption
+ *
+ * The output format is: `enc (32 bytes) || ciphertext || tag (16 bytes)`
+ *
+ * @param rexPubkey - The REX X25519 public key (32 bytes)
+ * @param data - The plaintext data to encrypt
+ * @param senderPubkey - The sender's Ed25519 public key (32 bytes) for AAD construction
+ * @returns The encrypted ciphertext including enc and tag
+ * @throws {HpkeError} If key lengths are invalid or encryption fails
+ *
+ * @example
+ * ```typescript
+ * const rexPubkey = await client.getSecretSharingPubkey();
+ * const ciphertext = await hpkeEncrypt(
+ *   rexPubkey,
+ *   new TextEncoder().encode("secret data"),
+ *   keypair.publicKey.toBytes()
+ * );
+ * ```
+ */
+declare function hpkeEncrypt(rexPubkey: Uint8Array, data: Uint8Array, senderPubkey: Uint8Array): Promise<Uint8Array>;
+/**
+ * Encrypt data for REX and wrap it in an RexValue.
+ *
+ * This is a convenience function that combines:
+ * 1. HPKE encryption using `hpkeEncrypt`
+ * 2. Wrapping the ciphertext in an `RexValue.encrypted`
+ *
+ * The resulting RexValue can be serialized to Borsh and sent to the network.
+ *
+ * @param rexPubkey - The REX X25519 public key (32 bytes)
+ * @param data - The plaintext data to encrypt
+ * @param senderPubkey - The sender's Ed25519 public key (32 bytes)
+ * @returns An RexValue containing the encrypted ciphertext
+ * @throws {HpkeError} If key lengths are invalid or encryption fails
+ *
+ * @example
+ * ```typescript
+ * import { RpcClient, Keypair } from "@rialo/ts-cdk";
+ * import { encryptForRex, RexValue } from "@rialo/ts-cdk/rex";
+ *
+ * // Get REX public key from the network
+ * const client = new RpcClient("https://rpc.rialo.xyz");
+ * const rexPubkey = await client.getSecretSharingPubkey();
+ *
+ * // Create keypair for signing
+ * const keypair = Keypair.generate();
+ *
+ * // Encrypt secret data
+ * const oracleValue = await encryptForRex(
+ *   rexPubkey,
+ *   new TextEncoder().encode("my secret API key"),
+ *   keypair.publicKey.toBytes()
+ * );
+ *
+ * // The RexValue can now be serialized and used in transactions
+ * const borshBytes = oracleValue.toBorsh();
+ * ```
+ */
+declare function encryptForRex(rexPubkey: Uint8Array, data: Uint8Array, senderPubkey: Uint8Array): Promise<RexValue>;
+/**
+ * Calculate the expected ciphertext length for a given plaintext length.
+ *
+ * The ciphertext consists of:
+ * - enc (32 bytes): Encapsulated ephemeral public key
+ * - ciphertext (plaintext.length bytes): Encrypted data
+ * - tag (16 bytes): ChaCha20-Poly1305 authentication tag
+ *
+ * @param plaintextLength - Length of the plaintext in bytes
+ * @returns Expected ciphertext length
+ *
+ * @example
+ * ```typescript
+ * const ciphertextLen = getCiphertextLength(100);
+ * console.log(ciphertextLen); // 148 (32 + 100 + 16)
+ * ```
+ */
+declare function getCiphertextLength(plaintextLength: number): number;
+/**
+ * Validate that a ciphertext has a valid length.
+ *
+ * A valid HPKE ciphertext must be at least 48 bytes (32 enc + 16 tag).
+ *
+ * @param ciphertext - The ciphertext to validate
+ * @returns true if the ciphertext length is valid
+ *
+ * @example
+ * ```typescript
+ * if (!isValidCiphertextLength(ciphertext)) {
+ *   throw new Error("Ciphertext too short");
+ * }
+ * ```
+ */
+declare function isValidCiphertextLength(ciphertext: Uint8Array): boolean;
 /**
  * Base client with JSON-RPC protocol handling.
  *
@@ -973,15 +1310,6 @@ interface SignatureInfo {
  * Get health response.
  */
 type GetHealthResponse = "ok" | string;
-/**
- * Get transactions configuration.
- */
-interface GetTransactionsConfig {
-    /** Maximum number of transactions to return */
-    limit?: number;
-    /** Encoding format */
-    encoding?: "json" | "base58" | "base64";
-}
 /**
  * Get transactions response.
  */
@@ -1029,8 +1357,6 @@ interface ConfirmedTransaction {
  * Configuration for getAccountsByOwner.
  */
 interface GetAccountsByOwnerConfig {
-    /** Encoding format for account data */
-    encoding?: "base64" | "base58" | "json" | "jsonParsed";
     /** Maximum number of accounts to return */
     limit?: number;
     /** Cursor for pagination (base58 pubkey) */
@@ -1073,6 +1399,15 @@ interface GetAccountsByOwnerResponse {
     /** Pagination information */
     pagination?: PaginationInfo;
 }
+/**
+ * Get secret sharing public key response.
+ *
+ * Contains the TEE's X25519 public key for HPKE encryption.
+ */
+interface GetSecretSharingPubkeyResponse {
+    /** The TEE's X25519 public key as a hex-encoded string */
+    public_key: string;
+}
 /**
  * Main Rialo RPC client for blockchain interactions.
@@ -1554,6 +1889,50 @@ declare class QueryRpcClient extends BaseRpcClient {
      * ```
      */
     getTriggeredTransactions(subscriptionAccount: PublicKey, limit?: number): Promise<TriggeredTransaction[]>;
+    /**
+     * Retrieve the REX X25519 public key for secret sharing encryption.
+     *
+     * This key is used for HPKE encryption when sending encrypted data
+     * that should only be decryptable within the REX execution environment.
+     *
+     * @returns The REX X25519 public key as a 32-byte Uint8Array
+     *
+     * @example
+     * ```typescript
+     * import { encryptForRex } from "@rialo/ts-cdk";
+     *
+     * // Get the REX public key
+     * const rexPubkey = await client.getSecretSharingPubkey();
+     *
+     * // Use it for HPKE encryption
+     * const encrypted = await encryptForRex(
+     *   rexPubkey,
+     *   new TextEncoder().encode("secret data"),
+     *   keypair.publicKey.toBytes()
+     * );
+     * ```
+     */
+    getSecretSharingPubkey(): Promise<Uint8Array>;
+    /**
+     * Get the config hash prefix for replay protection.
+     *
+     * Returns the first 64 bits of the config hash, which is used
+     * for transaction replay protection across chains.
+     *
+     * @returns The config hash prefix as a bigint
+     *
+     * @example
+     * ```typescript
+     * const configHashPrefix = await client.getConfigHashPrefix();
+     * const tx = TransactionBuilder.create()
+     *   .setPayer(payer)
+     *   .setValidFrom(validFrom)
+     *   .setConfigHashPrefix(configHashPrefix)
+     *   .addInstruction(instruction)
+     *   .build();
+     * ```
+     */
+    getConfigHashPrefix(): Promise<bigint>;
 }
 /**
@@ -1805,6 +2184,387 @@ declare function createRialoClient(config: RialoClientConfig): RialoClient;
  */
 declare function getDefaultRialoClientConfig(network: RialoNetwork): RialoClientConfig;
+/**
+ * Bincode deserialization reader
+ *
+ * Matches Rust's bincode crate with default configuration:
+ * - Little-endian byte order
+ * - Fixed-size integer encoding (no varint)
+ * - u64 length prefixes for dynamic collections
+ * - u32 enum variant indices
+ */
+declare class BincodeReader {
+    private view;
+    private offset;
+    private bytes;
+    constructor(data: Uint8Array);
+    getOffset(): number;
+    remaining(): number;
+    isExhausted(): boolean;
+    skip(bytes: number): this;
+    /**
+     * Peek at bytes without advancing the offset
+     */
+    peek(length: number): Uint8Array;
+    /**
+     * Reset reader to beginning
+     */
+    reset(): this;
+    /**
+     * Seek to specific offset
+     */
+    seek(offset: number): this;
+    readU8(): number;
+    readU16(): number;
+    readU32(): number;
+    readU64(): bigint;
+    readU128(): bigint;
+    readI8(): number;
+    readI16(): number;
+    readI32(): number;
+    readI64(): bigint;
+    readI128(): bigint;
+    readF32(): number;
+    readF64(): number;
+    readBool(): boolean;
+    readBytes(length: number): Uint8Array;
+    readFixedArray(length: number): Uint8Array;
+    readVecBytes(): Uint8Array;
+    readString(): string;
+    readVariant(): number;
+    readOption<T>(readValue: () => T): T | null;
+    readVec<T>(readElement: () => T): T[];
+    /**
+     * Read a tuple of fixed size with heterogeneous types
+     */
+    readTuple<T extends unknown[]>(readers: {
+        [K in keyof T]: () => T[K];
+    }): T;
+    readMap<K, V>(readKey: () => K, readValue: () => V): Map<K, V>;
+    /**
+     * Read length as u64 but validate it's within safe integer range
+     */
+    private readLength;
+    private ensureAvailable;
+}
+/**
+ * Type definitions for bincode schemas
+ *
+ * IMPORTANT: For structs and enums, field/variant order MUST match Rust definition order.
+ * Use arrays of tuples instead of objects to guarantee order preservation.
+ */
+type BincodeSchema = {
+    type: "u8";
+} | {
+    type: "u16";
+} | {
+    type: "u32";
+} | {
+    type: "u64";
+} | {
+    type: "u128";
+} | {
+    type: "i8";
+} | {
+    type: "i16";
+} | {
+    type: "i32";
+} | {
+    type: "i64";
+} | {
+    type: "i128";
+} | {
+    type: "f32";
+} | {
+    type: "f64";
+} | {
+    type: "bool";
+} | {
+    type: "string";
+} | {
+    type: "bytes";
+} | {
+    type: "unit";
+} | {
+    type: "fixedArray";
+    length: number;
+} | {
+    type: "vec";
+    element: BincodeSchema;
+} | {
+    type: "option";
+    inner: BincodeSchema;
+} | {
+    type: "tuple";
+    elements: BincodeSchema[];
+} | {
+    type: "struct";
+    fields: StructField[];
+} | {
+    type: "enum";
+    variants: EnumVariant[];
+} | {
+    type: "map";
+    key: BincodeSchema;
+    value: BincodeSchema;
+} | {
+    type: "pubkey";
+};
+/**
+ * Struct field definition - order matters!
+ */
+interface StructField {
+    name: string;
+    schema: BincodeSchema;
+}
+/**
+ * Enum variant definition - order matters!
+ */
+interface EnumVariant {
+    name: string;
+    schema: BincodeSchema | null;
+}
+declare const Schema: {
+    readonly u8: () => BincodeSchema;
+    readonly u16: () => BincodeSchema;
+    readonly u32: () => BincodeSchema;
+    readonly u64: () => BincodeSchema;
+    readonly u128: () => BincodeSchema;
+    readonly i8: () => BincodeSchema;
+    readonly i16: () => BincodeSchema;
+    readonly i32: () => BincodeSchema;
+    readonly i64: () => BincodeSchema;
+    readonly i128: () => BincodeSchema;
+    readonly f32: () => BincodeSchema;
+    readonly f64: () => BincodeSchema;
+    readonly bool: () => BincodeSchema;
+    readonly string: () => BincodeSchema;
+    readonly bytes: () => BincodeSchema;
+    readonly unit: () => BincodeSchema;
+    readonly fixedArray: (length: number) => BincodeSchema;
+    readonly vec: (element: BincodeSchema) => BincodeSchema;
+    readonly option: (inner: BincodeSchema) => BincodeSchema;
+    readonly tuple: (...elements: BincodeSchema[]) => BincodeSchema;
+    /**
+     * Define a struct with ordered fields
+     * @example
+     * Schema.struct([
+     *   ["id", Schema.u64()],
+     *   ["name", Schema.string()],
+     *   ["active", Schema.bool()],
+     * ])
+     */
+    readonly struct: (fields: [string, BincodeSchema][]) => BincodeSchema;
+    /**
+     * Define an enum with ordered variants
+     * @example
+     * Schema.enum([
+     *   ["None", null],
+     *   ["Some", Schema.u64()],
+     *   ["Error", Schema.string()],
+     * ])
+     */
+    readonly enum: (variants: [string, BincodeSchema | null][]) => BincodeSchema;
+    readonly map: (key: BincodeSchema, value: BincodeSchema) => BincodeSchema;
+    readonly pubkey: () => BincodeSchema;
+};
+/**
+ * Serialize a value according to a schema
+ */
+declare function serialize(schema: BincodeSchema, value: unknown): Uint8Array;
+/**
+ * Deserialize bytes according to a schema
+ */
+declare function deserialize<T>(schema: BincodeSchema, data: Uint8Array): T;
+/**
+ * Deserialize bytes with strict validation
+ */
+declare function deserializeStrict<T>(schema: BincodeSchema, data: Uint8Array): T;
+/**
+ * Infer TypeScript type from schema (for documentation purposes)
+ *
+ * Usage:
+ * const mySchema = Schema.struct([...]);
+ * type MyType = InferSchema<typeof mySchema>;
+ */
+type InferSchema<S extends BincodeSchema> = S extends {
+    type: "u8";
+} ? number : S extends {
+    type: "u16";
+} ? number : S extends {
+    type: "u32";
+} ? number : S extends {
+    type: "u64";
+} ? bigint : S extends {
+    type: "u128";
+} ? bigint : S extends {
+    type: "i8";
+} ? number : S extends {
+    type: "i16";
+} ? number : S extends {
+    type: "i32";
+} ? number : S extends {
+    type: "i64";
+} ? bigint : S extends {
+    type: "i128";
+} ? bigint : S extends {
+    type: "f32";
+} ? number : S extends {
+    type: "f64";
+} ? number : S extends {
+    type: "bool";
+} ? boolean : S extends {
+    type: "string";
+} ? string : S extends {
+    type: "bytes";
+} ? Uint8Array : S extends {
+    type: "unit";
+} ? undefined : S extends {
+    type: "fixedArray";
+} ? Uint8Array : S extends {
+    type: "pubkey";
+} ? Uint8Array : S extends {
+    type: "vec";
+    element: infer E;
+} ? E extends BincodeSchema ? InferSchema<E>[] : never : S extends {
+    type: "option";
+    inner: infer I;
+} ? I extends BincodeSchema ? InferSchema<I> | null : never : unknown;
+/**
+ * Bincode serialization writer
+ *
+ * Matches Rust's bincode crate with default configuration:
+ * - Little-endian byte order
+ * - Fixed-size integer encoding (no varint)
+ * - u64 length prefixes for dynamic collections
+ * - u32 enum variant indices
+ */
+declare class BincodeWriter {
+    private buffer;
+    private offset;
+    private view;
+    constructor(initialCapacity?: number);
+    writeU8(value: number): this;
+    writeU16(value: number): this;
+    writeU32(value: number): this;
+    writeU64(value: bigint | number): this;
+    writeU128(value: bigint): this;
+    writeI8(value: number): this;
+    writeI16(value: number): this;
+    writeI32(value: number): this;
+    writeI64(value: bigint): this;
+    writeI128(value: bigint): this;
+    writeF32(value: number): this;
+    writeF64(value: number): this;
+    writeBool(value: boolean): this;
+    writeBytes(bytes: Uint8Array): this;
+    writeFixedArray(bytes: Uint8Array, expectedLength?: number): this;
+    writeVecBytes(bytes: Uint8Array): this;
+    writeString(str: string): this;
+    writeVariant(index: number): this;
+    writeOption<T>(value: T | null | undefined, writeValue: (writer: BincodeWriter, val: T) => void): this;
+    writeVec<T>(items: T[], writeItem: (writer: BincodeWriter, item: T) => void): this;
+    /**
+     * Write a tuple (fixed-size heterogeneous collection)
+     */
+    writeTuple<T extends unknown[]>(items: T, writers: {
+        [K in keyof T]: (writer: BincodeWriter, val: T[K]) => void;
+    }): this;
+    writeMap<K, V>(map: Map<K, V>, writeKey: (writer: BincodeWriter, key: K) => void, writeValue: (writer: BincodeWriter, value: V) => void): this;
+    toBytes(): Uint8Array;
+    /**
+     * Get a view of the written bytes WITHOUT copying.
+     *
+     * ⚠️ WARNING: This returns a view into the internal buffer.
+     * The view becomes INVALID if:
+     * - The writer continues writing (may trigger resize)
+     * - The writer is cleared via clear()
+     *
+     * Use toBytes() for a safe copy, or use this only for immediate
+     * read-only access when performance is critical.
+     */
+    toView(): Uint8Array;
+    length(): number;
+    clear(): this;
+    /**
+     * Reserve additional capacity
+     */
+    reserve(additionalBytes: number): this;
+    private ensureCapacity;
+}
+/**
+ * Serializes data using Borsh (Binary Object Representation Serializer for Hashing) encoding.
+ *
+ * Borsh is efficient for complex types like enums, Options, vectors, and nested structs.
+ * Use the exported decorators (@field, @option, @vec) to define your data structures.
+ *
+ * @param data - Data object to serialize
+ * @returns Serialized bytes
+ *
+ * @example
+ * ```typescript
+ * import { serializeBorsh, field, option } from '@rialo/ts-cdk';
+ *
+ * class SwapInstruction {
+ *   @field({ type: 'u8' })
+ *   instruction: number;
+ *
+ *   @field({ type: 'u64' })
+ *   amountIn: bigint;
+ *
+ *   @field({ type: option('u64') })
+ *   minAmountOut?: bigint;
+ * }
+ *
+ * const data = serializeBorsh(new SwapInstruction({
+ *   instruction: 1,
+ *   amountIn: 1000n,
+ *   minAmountOut: 900n,
+ * }));
+ * ```
+ */
+declare function serializeBorsh<T>(data: T): Uint8Array;
+/**
+ * Deserializes Borsh-encoded data into a typed object.
+ *
+ * @param data - Borsh-encoded bytes
+ * @param type - Class constructor for the target type
+ * @returns Deserialized object instance
+ */
+declare function deserializeBorsh<T>(data: Uint8Array, type: new () => T): T;
+/**
+ * Serializes a u16 value into compact encoding.
+ *
+ * @param buffer - Output buffer to append bytes to
+ * @param value - Value to encode (0-65535)
+ * @throws {TransactionError} If value is out of range
+ */
+declare function serializeCompactU16(buffer: number[], value: number): void;
+/**
+ * Deserializes a compact-u16 value from bytes.
+ *
+ * @param data - Input byte array
+ * @param currentCursor - Starting position in the array
+ * @returns Tuple of [decoded value, new cursor position]
+ * @throws {TransactionError} If data is insufficient or malformed
+ */
+declare function deserializeCompactU16(data: Uint8Array, currentCursor: number): [number, number];
+/**
+ * Writes a compact-u16 value directly to a buffer (zero-copy).
+ *
+ * Optimized version for in-place writing without intermediate allocations.
+ *
+ * @param buffer - Target buffer
+ * @param offset - Starting position to write at
+ * @param value - Value to encode (0-127 only, uses 1-2 bytes)
+ * @returns New offset after writing
+ */
+declare function writeCompactU16(buffer: Uint8Array, offset: number, value: number): number;
 /**
  * Interface for signing messages and transactions.
  *
@@ -2181,11 +2941,13 @@ declare class Message {
     readonly accountKeys: readonly PublicKey[];
     /** Transaction valid from (milliseconds since Unix epoch) */
     validFrom?: bigint;
+    /** Config hash prefix for replay protection across chains */
+    readonly configHashPrefix: bigint;
     /** Compiled instructions with account indices */
     readonly instructions: readonly CompiledInstruction[];
     /** Cached serialized bytes */
     private serializedCache?;
-    constructor(header: MessageHeader, accountKeys: readonly PublicKey[], validFrom: bigint, instructions: readonly CompiledInstruction[]);
+    constructor(header: MessageHeader, accountKeys: readonly PublicKey[], validFrom: bigint, configHashPrefix: bigint, instructions: readonly CompiledInstruction[]);
     /**
      * Serialize message to bytes for signing.
      * Result is cached for performance.
@@ -2415,6 +3177,7 @@ declare class Transaction {
 declare class TransactionBuilder {
     private payer?;
     private validFrom?;
+    private configHashPrefix?;
     private readonly instructions;
     private constructor();
     /**
@@ -2439,6 +3202,15 @@ declare class TransactionBuilder {
      * @param validFrom - Transaction valid from in milliseconds since Unix epoch
      */
     setValidFrom(validFrom: bigint): this;
+    /**
+     * Set the config hash prefix for replay protection.
+     *
+     * This is the first 64 bits of the config hash, used to ensure
+     * transactions cannot be replayed on different chains.
+     *
+     * @param configHashPrefix - config hash prefix as a u64
+     */
+    setConfigHashPrefix(configHashPrefix: bigint): this;
     /**
      * Add an instruction to the transaction.
      *
@@ -2512,4 +3284,4 @@ declare function getMainnetUrl(): string;
  */
 declare function getLocalnetUrl(): string;
-export { type AccountFilter, type AccountInfo, type AccountMeta, AccountMetaTable, BASE_DERIVATION_PATH, BaseRpcClient, type Bump, type ChainDefinition, type CompiledInstruction, type ConfirmTransactionOptions, type ConfirmedTransaction, CryptoError, CryptoErrorCode, DEFAULT_NUM_ACCOUNTS, type EpochInfoResponse, type EventData, type GetAccountsByOwnerConfig, type GetAccountsByOwnerResponse, type GetHealthResponse, type GetSignaturesForAddressConfig, type GetTransactionsConfig, type GetTransactionsResponse, type GetWorkflowLineageRequest, type GetWorkflowLineageResponse, HttpTransport, type HttpTransportConfig, type IdentifierString, type Instruction, KELVIN_PER_RLO, Keypair, KeypairSigner, Message, type MessageHeader, Mnemonic, type MnemonicStrength, type OwnerAccount, type PDA, PUBLIC_KEY_LENGTH, type PaginationInfo, PublicKey, QueryRpcClient, RIALO_DEVNET_CHAIN, RIALO_LOCALNET_CHAIN, RIALO_MAINNET_CHAIN, RIALO_SHITNET_CHAIN, RIALO_TESTNET_CHAIN, RialoClient, type RialoClientConfig, RialoError, RialoErrorType, type RialoNetwork, RpcError, RpcErrorCode, type RpcErrorDetails$1 as RpcErrorDetails, SECRET_KEY_LENGTH, SIGNATURE_LENGTH, SYSTEM_PROGRAM_ID, type Seed, type SendAndConfirmOptions, type SendTransactionOptions, Signature, type SignatureInfo, type SignatureStatus, type Signer, type Subscription, type SubscriptionKind, SystemInstruction, type TimestampRange, Transaction, TransactionBuilder, TransactionError, TransactionErrorCode, type TransactionNodeData, type TransactionResponse, TransactionRpcClient, type TriggerInfo, type TriggeredTransaction, type TruncationReason, URL_DEVNET, URL_LOCALNET, URL_MAINNET, URL_SHITNET, URL_TESTNET, type WorkflowLineage, type WorkflowNode, allocateInstruction, assignInstruction, calculateBackoff, concatBytes, createAccount, createBorshInstruction, createRialoClient, encodeBorshData, fromBase64, getDefaultRialoClientConfig, getDevnetUrl, getLocalnetUrl, getMainnetUrl, getTestnetUrl, isOnCurve, seedToBytes, sleep, toBase64, transferInstruction };
+export { type AccountFilter, type AccountInfo, type AccountMeta, AccountMetaTable, BASE_DERIVATION_PATH, BaseRpcClient, BincodeReader, type BincodeSchema, BincodeWriter, type Bump, CHACHA20_POLY1305_TAG_LENGTH, type ChainDefinition, type CompiledInstruction, type ConfirmTransactionOptions, type ConfirmedTransaction, CryptoError, CryptoErrorCode, DEFAULT_NUM_ACCOUNTS, ED25519_PUBLIC_KEY_LENGTH, type EnumVariant, type EpochInfoResponse, type EventData, type GetAccountsByOwnerConfig, type GetAccountsByOwnerResponse, type GetHealthResponse, type GetSecretSharingPubkeyResponse, type GetSignaturesForAddressConfig, type GetTransactionsResponse, type GetWorkflowLineageRequest, type GetWorkflowLineageResponse, HPKE_ENC_LENGTH, HPKE_OVERHEAD_LENGTH, HpkeError, HpkeErrorCode, HttpTransport, type HttpTransportConfig, type IdentifierString, type InferSchema, type Instruction, KELVIN_PER_RLO, Keypair, KeypairSigner, Message, type MessageHeader, Mnemonic, type MnemonicStrength, type OwnerAccount, type PDA, PUBLIC_KEY_LENGTH, type PaginationInfo, PublicKey, QueryRpcClient, RIALO_DEVNET_CHAIN, RIALO_LOCALNET_CHAIN, RIALO_MAINNET_CHAIN, RIALO_SHITNET_CHAIN, RIALO_TESTNET_CHAIN, RexValue, RexValueVariant, RialoClient, type RialoClientConfig, RialoError, RialoErrorType, type RialoNetwork, RpcError, RpcErrorCode, type RpcErrorDetails$1 as RpcErrorDetails, SECRET_KEY_LENGTH, SECRET_SHARING_HPKE_INFO, SIGNATURE_LENGTH, SYSTEM_PROGRAM_ID, Schema, type Seed, type SendAndConfirmOptions, type SendTransactionOptions, Signature, type SignatureInfo, type SignatureStatus, type Signer, type StructField, type Subscription, type SubscriptionKind, SystemInstruction, type TimestampRange, Transaction, TransactionBuilder, TransactionError, TransactionErrorCode, type TransactionNodeData, type TransactionResponse, TransactionRpcClient, type TriggerInfo, type TriggeredTransaction, type TruncationReason, URL_DEVNET, URL_LOCALNET, URL_MAINNET, URL_SHITNET, URL_TESTNET, USER_SECRET_AAD, type WorkflowLineage, type WorkflowNode, X25519_PUBLIC_KEY_LENGTH, allocateInstruction, assignInstruction, calculateBackoff, concatBytes, createAccount, createBorshInstruction, createRialoClient, deserialize, deserializeBorsh, deserializeCompactU16, deserializeStrict, encodeBorshData, encryptForRex, fromBase64, getCiphertextLength, getDefaultRialoClientConfig, getDevnetUrl, getLocalnetUrl, getMainnetUrl, getTestnetUrl, hpkeEncrypt, isOnCurve, isValidCiphertextLength, seedToBytes, serialize, serializeBorsh, serializeCompactU16, sleep, toBase64, transferInstruction, writeCompactU16 };