@rialo/ts-cdk 0.2.0 → 0.3.0-alpha.0

package/dist/index.d.ts

@@ -93,13 +93,10 @@ declare const URL_TESTNET: string;
 declare const URL_DEVNET: string;
 /** Rialo localnet RPC URL */
 declare const URL_LOCALNET: string;
-/** Rialo shitnet RPC URL */
-declare const URL_SHITNET: string;
 declare const RIALO_MAINNET_CHAIN: ChainDefinition;
 declare const RIALO_TESTNET_CHAIN: ChainDefinition;
 declare const RIALO_DEVNET_CHAIN: ChainDefinition;
 declare const RIALO_LOCALNET_CHAIN: ChainDefinition;
-declare const RIALO_SHITNET_CHAIN: ChainDefinition;
 /** System program ID */
 declare const SYSTEM_PROGRAM_ID: string;
 /** Base derivation path for Rialo wallets (BIP44 coin type 756) */
@@ -158,7 +155,7 @@ declare class CryptoError extends Error {
  * const base58 = sig.toString();
  * ```
  */
-declare class Signature {
+declare class Signature$1 {
     private readonly bytes;
     private constructor();
     /**
@@ -167,14 +164,14 @@ declare class Signature {
      * @param bytes - 64-byte Ed25519 signature
      * @throws {CryptoError} If bytes length is not 64
      */
-    static fromBytes(bytes: Uint8Array): Signature;
+    static fromBytes(bytes: Uint8Array): Signature$1;
     /**
      * Creates a Signature from a base58-encoded string.
      *
      * @param str - Base58-encoded signature
      * @throws {CryptoError} If string is invalid or decodes to wrong length
      */
-    static fromString(str: string): Signature;
+    static fromString(str: string): Signature$1;
     /**
      * Returns a copy of the raw bytes.
      */
@@ -335,7 +332,7 @@ declare class PublicKey {
      * const isValid = keypair.publicKey.verify(message, signature);
      * ```
      */
-    verify(message: Uint8Array, signature: Signature): boolean;
+    verify(message: Uint8Array, signature: Signature$1): boolean;
     /**
      * Checks if the public key is on the Ed25519 curve.
      *
@@ -403,7 +400,7 @@ declare class Keypair {
      * @returns Ed25519 signature
      * @throws {CryptoError} If keypair has been disposed
      */
-    sign(message: Uint8Array): Signature;
+    sign(message: Uint8Array): Signature$1;
     /**
      * Verifies a signature against a message using this keypair's public key.
      *
@@ -411,7 +408,7 @@ declare class Keypair {
      * @param signature - Signature to verify
      * @returns true if signature is valid
      */
-    verify(message: Uint8Array, signature: Signature): boolean;
+    verify(message: Uint8Array, signature: Signature$1): boolean;
     /**
      * Exports the secret key for storage.
      *
@@ -733,6 +730,341 @@ declare class RialoError extends Error {
     static serialization(message: string): RialoError;
 }
 
+/**
+ * Error codes for HPKE encryption operations.
+ */
+declare enum HpkeErrorCode {
+    /** Key length does not match expected size */
+    INVALID_KEY_LENGTH = "INVALID_KEY_LENGTH",
+    /** Ciphertext is shorter than minimum required length */
+    CIPHERTEXT_TOO_SHORT = "CIPHERTEXT_TOO_SHORT",
+    /** HPKE encryption operation failed */
+    ENCRYPTION_FAILED = "ENCRYPTION_FAILED",
+    /** Failed to deserialize Borsh data */
+    BORSH_DESERIALIZE_FAILED = "BORSH_DESERIALIZE_FAILED",
+    /** RexValue has invalid variant byte */
+    INVALID_REX_VALUE = "INVALID_REX_VALUE"
+}
+/**
+ * Error class for HPKE encryption operations.
+ *
+ * Provides detailed error information for encryption failures,
+ * including error codes and contextual details.
+ */
+declare class HpkeError extends Error {
+    readonly code: HpkeErrorCode;
+    readonly cause?: Error;
+    constructor(code: HpkeErrorCode, message: string, cause?: Error);
+    /**
+     * Create an error for invalid key length.
+     *
+     * @param expected - Expected key length in bytes
+     * @param actual - Actual key length in bytes
+     * @param keyType - Description of the key type (e.g., "REX public key")
+     */
+    static invalidKeyLength(expected: number, actual: number, keyType: string): HpkeError;
+    /**
+     * Create an error for ciphertext that is too short.
+     *
+     * @param minLength - Minimum required length
+     * @param actual - Actual length
+     */
+    static ciphertextTooShort(minLength: number, actual: number): HpkeError;
+    /**
+     * Create an error for encryption failure.
+     *
+     * @param cause - The underlying error
+     */
+    static encryptionFailed(cause: Error): HpkeError;
+    /**
+     * Create an error for Borsh deserialization failure.
+     *
+     * @param cause - The underlying error
+     */
+    static borshDeserializeFailed(cause: Error): HpkeError;
+    /**
+     * Create an error for invalid RexValue variant.
+     *
+     * @param variant - The invalid variant byte
+     */
+    static invalidRexValue(variant: number): HpkeError;
+}
+
+/**
+ * Constants for REX HPKE encryption.
+ *
+ * These constants MUST match the Rust implementation exactly:
+ * - `crates/tee/secret-sharing/src/constants.rs`
+ *
+ * @module
+ */
+/**
+ * Additional Authenticated Data (AAD) prefix for user secrets.
+ *
+ * This 13-byte string is prepended to the sender's public key to form
+ * the complete AAD for HPKE encryption. It provides domain separation
+ * to prevent cross-protocol attacks.
+ *
+ * Format: `USER_SECRET_AAD || senderPubkey` = 45 bytes total AAD
+ *
+ * @remarks
+ * Must match Rust: `pub const USER_SECRET_AAD: &[u8] = b"rex-secret-v1";`
+ */
+declare const USER_SECRET_AAD: Uint8Array<ArrayBuffer>;
+/**
+ * HPKE info string for secret sharing context.
+ *
+ * This 32-byte string is used as the `info` parameter in HPKE encryption,
+ * providing domain separation for secret sharing operations.
+ *
+ * @remarks
+ * Must match Rust: `pub const SECRET_SHARING_HPKE_INFO: &[u8; 32] = b"rialo/tee/secret-sharing-hpke/v1";`
+ */
+declare const SECRET_SHARING_HPKE_INFO: Uint8Array<ArrayBuffer>;
+/**
+ * Length of an X25519 public key in bytes.
+ *
+ * Used for the REX encryption public key (secret sharing key).
+ */
+declare const X25519_PUBLIC_KEY_LENGTH = 32;
+/**
+ * Length of an Ed25519 public key in bytes.
+ *
+ * Used for sender identity binding in AAD construction.
+ */
+declare const ED25519_PUBLIC_KEY_LENGTH = 32;
+/**
+ * Length of the HPKE encapsulated key (enc) in bytes.
+ *
+ * For X25519, this is always 32 bytes.
+ */
+declare const HPKE_ENC_LENGTH = 32;
+/**
+ * Length of the ChaCha20-Poly1305 authentication tag in bytes.
+ */
+declare const CHACHA20_POLY1305_TAG_LENGTH = 16;
+/**
+ * Total overhead added by HPKE encryption.
+ *
+ * This is the additional bytes beyond the plaintext:
+ * - enc (32 bytes): Encapsulated ephemeral public key
+ * - tag (16 bytes): ChaCha20-Poly1305 authentication tag
+ *
+ * Ciphertext length = plaintext length + 48 bytes
+ */
+declare const HPKE_OVERHEAD_LENGTH: number;
+
+/**
+ * Variant discriminator for RexValue Borsh serialization.
+ */
+declare enum RexValueVariant {
+    /** Plain (unencrypted) data variant */
+    Plain = 0,
+    /** Encrypted data variant */
+    Encrypted = 1
+}
+/**
+ * Represents an rex value that can be plain or encrypted.
+ *
+ * This class provides Borsh-compatible serialization that matches
+ * the Rust `RexValue` enum:
+ *
+ * ```rust
+ * pub enum RexValue {
+ *     Plain(Vec<u8>),
+ *     Encrypted(Vec<u8>),
+ * }
+ * ```
+ *
+ * ## Borsh Format
+ *
+ * - Plain: `[0x00] [length: u32 LE] [data bytes]`
+ * - Encrypted: `[0x01] [length: u32 LE] [ciphertext bytes]`
+ *
+ * @example
+ * ```typescript
+ * // Plain value (unencrypted)
+ * const plain = RexValue.plain(new TextEncoder().encode("hello"));
+ *
+ * // Encrypted value (via HPKE)
+ * const encrypted = RexValue.encrypted(ciphertextBytes);
+ *
+ * // Serialize to Borsh
+ * const borsh = plain.toBorsh();
+ *
+ * // Deserialize from Borsh
+ * const restored = RexValue.fromBorsh(borsh);
+ * ```
+ */
+declare class RexValue {
+    private readonly variant;
+    private readonly data;
+    private constructor();
+    /**
+     * Create a plain (unencrypted) RexValue from raw bytes.
+     *
+     * @param data - The raw byte data
+     * @returns A new RexValue with Plain variant
+     */
+    static plain(data: Uint8Array): RexValue;
+    /**
+     * Create a plain (unencrypted) RexValue from a UTF-8 string.
+     *
+     * @param s - The string to encode
+     * @returns A new RexValue with Plain variant
+     */
+    static plainString(s: string): RexValue;
+    /**
+     * Create an encrypted RexValue from HPKE ciphertext.
+     *
+     * @param ciphertext - The HPKE-encrypted ciphertext (enc || ct || tag)
+     * @returns A new RexValue with Encrypted variant
+     */
+    static encrypted(ciphertext: Uint8Array): RexValue;
+    /**
+     * Check if this is a plain (unencrypted) value.
+     */
+    isPlain(): boolean;
+    /**
+     * Check if this is an encrypted value.
+     */
+    isEncrypted(): boolean;
+    /**
+     * Get the variant type.
+     */
+    getVariant(): RexValueVariant;
+    /**
+     * Get the raw bytes (plaintext or ciphertext).
+     *
+     * For Plain values, returns the plaintext.
+     * For Encrypted values, returns the ciphertext.
+     */
+    asBytes(): Uint8Array;
+    /**
+     * Try to decode the plain value as a UTF-8 string.
+     *
+     * @returns The decoded string, or null if encrypted or not valid UTF-8
+     */
+    asString(): string | null;
+    /**
+     * Serialize to Borsh format.
+     *
+     * Format: `[variant: u8] [length: u32 LE] [data bytes]`
+     *
+     * @returns The Borsh-serialized bytes
+     */
+    toBorsh(): Uint8Array;
+    /**
+     * Deserialize from Borsh format.
+     *
+     * @param data - The Borsh-serialized bytes
+     * @returns A new RexValue
+     * @throws {HpkeError} If deserialization fails
+     */
+    static fromBorsh(data: Uint8Array): RexValue;
+}
+
+/**
+ * Encrypt data using HPKE for REX secret sharing.
+ *
+ * This function performs HPKE encryption using the Base mode with:
+ * - X25519 for key encapsulation
+ * - HKDF-SHA256 for key derivation
+ * - ChaCha20-Poly1305 for authenticated encryption
+ *
+ * The output format is: `enc (32 bytes) || ciphertext || tag (16 bytes)`
+ *
+ * @param rexPubkey - The REX X25519 public key (32 bytes)
+ * @param data - The plaintext data to encrypt
+ * @param senderPubkey - The sender's Ed25519 public key (32 bytes) for AAD construction
+ * @returns The encrypted ciphertext including enc and tag
+ * @throws {HpkeError} If key lengths are invalid or encryption fails
+ *
+ * @example
+ * ```typescript
+ * const rexPubkey = await client.getSecretSharingPubkey();
+ * const ciphertext = await hpkeEncrypt(
+ *   rexPubkey,
+ *   new TextEncoder().encode("secret data"),
+ *   keypair.publicKey.toBytes()
+ * );
+ * ```
+ */
+declare function hpkeEncrypt(rexPubkey: Uint8Array, data: Uint8Array, senderPubkey: Uint8Array): Promise<Uint8Array>;
+/**
+ * Encrypt data for REX and wrap it in an RexValue.
+ *
+ * This is a convenience function that combines:
+ * 1. HPKE encryption using `hpkeEncrypt`
+ * 2. Wrapping the ciphertext in an `RexValue.encrypted`
+ *
+ * The resulting RexValue can be serialized to Borsh and sent to the network.
+ *
+ * @param rexPubkey - The REX X25519 public key (32 bytes)
+ * @param data - The plaintext data to encrypt
+ * @param senderPubkey - The sender's Ed25519 public key (32 bytes)
+ * @returns An RexValue containing the encrypted ciphertext
+ * @throws {HpkeError} If key lengths are invalid or encryption fails
+ *
+ * @example
+ * ```typescript
+ * import { RpcClient, Keypair } from "@rialo/ts-cdk";
+ * import { encryptForRex, RexValue } from "@rialo/ts-cdk/rex";
+ *
+ * // Get REX public key from the network
+ * const client = new RpcClient("https://rpc.rialo.xyz");
+ * const rexPubkey = await client.getSecretSharingPubkey();
+ *
+ * // Create keypair for signing
+ * const keypair = Keypair.generate();
+ *
+ * // Encrypt secret data
+ * const rexValue = await encryptForRex(
+ *   rexPubkey,
+ *   new TextEncoder().encode("my secret API key"),
+ *   keypair.publicKey.toBytes()
+ * );
+ *
+ * // The RexValue can now be serialized and used in transactions
+ * const borshBytes = rexValue.toBorsh();
+ * ```
+ */
+declare function encryptForRex(rexPubkey: Uint8Array, data: Uint8Array, senderPubkey: Uint8Array): Promise<RexValue>;
+/**
+ * Calculate the expected ciphertext length for a given plaintext length.
+ *
+ * The ciphertext consists of:
+ * - enc (32 bytes): Encapsulated ephemeral public key
+ * - ciphertext (plaintext.length bytes): Encrypted data
+ * - tag (16 bytes): ChaCha20-Poly1305 authentication tag
+ *
+ * @param plaintextLength - Length of the plaintext in bytes
+ * @returns Expected ciphertext length
+ *
+ * @example
+ * ```typescript
+ * const ciphertextLen = getCiphertextLength(100);
+ * console.log(ciphertextLen); // 148 (32 + 100 + 16)
+ * ```
+ */
+declare function getCiphertextLength(plaintextLength: number): number;
+/**
+ * Validate that a ciphertext has a valid length.
+ *
+ * A valid HPKE ciphertext must be at least 48 bytes (32 enc + 16 tag).
+ *
+ * @param ciphertext - The ciphertext to validate
+ * @returns true if the ciphertext length is valid
+ *
+ * @example
+ * ```typescript
+ * if (!isValidCiphertextLength(ciphertext)) {
+ *   throw new Error("Ciphertext too short");
+ * }
+ * ```
+ */
+declare function isValidCiphertextLength(ciphertext: Uint8Array): boolean;
+
 /**
  * Base client with JSON-RPC protocol handling.
  *
@@ -747,7 +1079,7 @@ declare class BaseRpcClient {
      *
      * Handles request serialization, response validation, and error mapping.
      */
-    protected call<T>(method: string, params?: unknown[]): Promise<T>;
+    call<T>(method: string, params?: unknown[]): Promise<T>;
     /**
      * Validate JSON-RPC response structure
      */
@@ -763,306 +1095,1319 @@ declare class BaseRpcClient {
     getUrl(): string;
 }
 
-/**
- * RPC type definitions for the Rialo blockchain.
- */
+/** A 32-byte public key, base58-encoded on the wire. */
 
+/** A 64-byte Ed25519 signature, base58-encoded on the wire. */
+type Signature = Uint8Array;
+/** A 32-byte hash, base58-encoded on the wire. */
+type Hash = Uint8Array;
+/** Smallest unit of the native token. */
+type Kelvin = bigint;
+/** First 64 bits of the config hash, used for replay protection. */
+type ConfigHashPrefix = bigint;
 /**
- * Account information response.
+ * Information about an on-chain account.
  */
-interface AccountInfo {
-    /** Account balance in smallest denomination */
-    balance: bigint;
-    /** Owner program public key */
+interface AccountInfo$1 {
+    /** Account balance in kelvins. */
+    kelvin: Kelvin;
+    /** Owner program public key. */
     owner: PublicKey;
-    /** Account data */
-    data: Uint8Array;
-    /** Whether the account is executable */
+    /** Account data as encoded strings (typically [encoded_data, encoding_format]). */
+    data: string[];
+    /** Whether the account contains executable code. */
     executable: boolean;
-    /** Rent epoch */
+    /** Rent epoch. */
     rentEpoch: bigint;
+    /** Account data size in bytes. */
+    space: bigint;
 }
 /**
- * Transaction response.
+ * A compiled instruction within a transaction message.
  */
-interface TransactionResponse {
-    /** Transaction signature */
-    signature: string;
-    /** Block height */
-    blockHeight?: bigint;
-    /** Error message if transaction failed */
+interface CompiledInstruction$1 {
+    /** Index into the account keys array identifying the program. */
+    programIdIndex: number;
+    /** Indices into the account keys array for this instruction. */
+    accounts: Uint8Array;
+    /** Instruction data (base58-encoded on the wire). */
+    data: string;
+}
+/**
+ * Header of a transaction message.
+ */
+interface MessageHeader$1 {
+    /** Number of signatures required. */
+    numRequiredSignatures: number;
+    /** Number of read-only signed accounts. */
+    numReadonlySignedAccounts: number;
+    /** Number of read-only unsigned accounts. */
+    numReadonlyUnsignedAccounts: number;
+}
+/**
+ * The message portion of a transaction.
+ */
+interface TransactionMessage {
+    header: MessageHeader$1;
+    accountKeys: PublicKey[];
+    instructions: CompiledInstruction$1[];
+}
+/**
+ * A full transaction (signatures + message).
+ */
+interface TransactionData {
+    signatures: Signature[];
+    message: TransactionMessage;
+    /** Timestamp from which the transaction is valid. */
+    validFrom: bigint;
+}
+/**
+ * Metadata about transaction execution.
+ */
+interface TransactionStatusMetadata {
+    /** Fee paid for the transaction in kelvins. */
+    fee: bigint;
+    /** Error message if the transaction failed, absent if successful. */
     err?: string;
+    /** Log messages emitted during execution (if available). */
+    logMessages?: string[];
 }
 /**
- * Options for sending a transaction.
+ * Full response for a transaction query.
  */
-interface SendTransactionOptions {
-    /** Skip preflight transaction checks */
-    skipPreflight?: boolean;
-    /** Maximum number of times to retry */
-    maxRetries?: number;
+interface TransactionResponse$1 {
+    /** Block height where this transaction was processed. */
+    blockHeight: bigint;
+    /** Unix timestamp of the block (if available). */
+    blockTime?: bigint;
+    /** Execution metadata (fee, error). */
+    meta: TransactionStatusMetadata;
+    /** The full transaction content. */
+    transaction: TransactionData;
 }
 /**
- * Epoch information response.
+ * A transaction paired with its metadata (used in block responses).
  */
-interface EpochInfoResponse {
-    /** Current epoch */
+interface TransactionWithMeta {
+    /** The full transaction content. */
+    transaction: TransactionData;
+    /** Execution metadata (fee, error), absent if not available. */
+    meta?: TransactionStatusMetadata;
+}
+/**
+ * Status of a transaction signature.
+ */
+interface SignatureStatus$1 {
+    /** Slot in which the transaction was processed. */
+    slot: bigint;
+    /** Whether the transaction has been executed. */
+    executed: boolean;
+    /** Error message if the transaction failed. */
+    err?: string;
+}
+/**
+ * Information about the current epoch.
+ */
+interface EpochInfo {
+    /** Current epoch number. */
     epoch: bigint;
-    /** Current slot in the epoch */
+    /** Current slot within the epoch. */
     slotIndex: bigint;
-    /** Total slots in the epoch */
+    /** Total slots in the epoch. */
     slotsInEpoch: bigint;
-    /** Absolute slot number */
+    /** Absolute slot number. */
     absoluteSlot: bigint;
-    /** Block height */
+    /** Current block height. */
     blockHeight: bigint;
-    /** Transaction count */
+    /** Total transaction count (if available). */
     transactionCount?: bigint;
 }
 /**
- * Subscription kind.
+ * Options for submitting a transaction.
  */
-type SubscriptionKind = "Persistent" | "OneShot";
+interface SendTransactionOptions$1 {
+    /** Skip preflight simulation. */
+    skipPreflight: boolean;
+    /** Maximum retries by the RPC node. */
+    maxRetries: number;
+    /** Wait until the transaction has been executed before returning. */
+    waitForExecution: boolean;
+}
 /**
- * Subscription data.
+ * Options for confirming a transaction.
  */
-interface Subscription {
-    /** Type of subscription */
-    kind: SubscriptionKind;
-    /** Topic for the subscription */
-    topic: string;
-    /** Instructions to execute when triggered */
-    instructions: unknown[];
-    /** Subscriber public key (base58) */
-    subscriber: string;
-    /** Event account public key (base58) */
-    eventAccount?: string;
-    /** Timestamp range [start, end] */
-    timestampRange?: [bigint, bigint];
+interface ConfirmTransactionOptions$1 {
+    /** Maximum polling attempts (default: 30). */
+    maxRetries: number;
+    /** Delay between polls in milliseconds (default: 1000). */
+    retryDelayMs: number;
 }
 /**
- * Triggered transaction data.
+ * Combined options for send-and-confirm.
  */
-interface TriggeredTransaction {
-    /** Transaction signature (base58) */
-    signature: string;
-    /** Block number where the transaction was executed */
-    blockNumber: bigint;
+interface SendAndConfirmOptions$1 {
+    /** Send options. */
+    skipPreflight: boolean;
+    maxRetries: number;
+    /** Confirm options. */
+    confirmMaxRetries: number;
+    confirmRetryDelayMs: number;
 }
 /**
- * Get workflow lineage request.
+ * Result of a confirmed transaction.
  */
-interface GetWorkflowLineageRequest {
-    /** Root transaction signature (base58) */
+interface ConfirmedTransaction$1 {
+    /** Transaction signature (base58). */
     signature: string;
-    /** Maximum depth to traverse (1-100, default 3) */
-    maxDepth?: number;
-    /** Whether to include event details */
-    includeEvents?: boolean;
+    /** Whether the transaction was executed. */
+    executed: boolean;
+    /** Error message if failed. */
+    err?: string;
 }
 /**
- * Event data from a workflow trigger.
+ * Fee calculation response.
  */
-interface EventData {
-    /** Event topic */
-    topic: string;
-    /** Event attributes */
-    attributes: Record<string, unknown>;
+interface FeeResponse {
+    /** The fee in kelvins, absent if message is invalid. */
+    value?: bigint;
 }
 /**
- * Timestamp range.
+ * Response from blockhash validation.
  */
-interface TimestampRange {
-    /** Start timestamp (unix) */
-    from: bigint;
-    /** End timestamp (unix) */
-    to: bigint;
+interface IsBlockhashValidResponse {
+    /** Slot from the response context. */
+    slot: bigint;
+    /** Whether the blockhash is still valid. */
+    isValid: boolean;
 }
 /**
- * Information about what triggered a workflow transaction.
+ * Configuration for getSignaturesForAddress.
  */
-interface TriggerInfo {
-    /** Event that triggered the transaction */
-    event: EventData;
-    /** Subscription public key (base58) */
-    subscriptionPubkey: string;
-    /** Timestamp range for the trigger */
-    timestampRange?: TimestampRange;
-    /** Event account public key (base58) */
-    eventAccount?: string;
+interface GetSignaturesForAddressConfig$1 {
+    /** Maximum number of signatures to return. */
+    limit?: number;
+    /** Search backwards from this signature (base58). */
+    before?: string;
+    /** Search forwards from this signature (base58). */
+    until?: string;
 }
 /**
- * Transaction node data within a workflow.
+ * Information about a single signature.
  */
-interface TransactionNodeData {
-    /** Block height */
+interface SignatureInfo$1 {
+    /** Transaction signature (base58). */
+    signature: string;
+    /** Block height where the transaction was processed. */
+    blockHeight: bigint;
+    /** Unix timestamp of the block. */
+    blockTime: bigint;
+    /** Error message if the transaction failed. */
+    err?: string;
+}
+/**
+ * Kind of subscription.
+ */
+type SubscriptionKind$1 = "Persistent" | "OneShot";
+/**
+ * Metadata about an account used in a subscription instruction.
+ */
+interface SubscriptionAccountMeta {
+    /** The account's public key (base58). */
+    pubkey: string;
+    /** Whether the account must sign the transaction. */
+    isSigner: boolean;
+    /** Whether the account can be written to during execution. */
+    isWritable: boolean;
+}
+/**
+ * A single instruction within a subscription.
+ */
+interface SubscriptionInstruction {
+    /** The program ID invoked (base58). */
+    programId: string;
+    /** Metadata for the accounts involved in the instruction. */
+    accounts: SubscriptionAccountMeta[];
+    /** Opaque binary data passed to the program. */
+    data: Uint8Array;
+}
+/**
+ * A subscription record.
+ */
+interface Subscription$1 {
+    kind: SubscriptionKind$1;
+    topic: string;
+    /** Instructions to be executed when triggered. */
+    instructions: SubscriptionInstruction[];
+    subscriber: string;
+    /** The account pubkey (base58) that stores the event data. */
+    eventAccount?: string;
+    /** Timestamp range for triggering (start inclusive, end exclusive). */
+    timestampRange?: [bigint, bigint];
+}
+/**
+ * A transaction triggered by a subscription.
+ */
+interface TriggeredTransaction$1 {
+    /** Transaction signature (base58). */
+    signature: string;
+    /** Block number where executed. */
+    blockNumber: bigint;
+}
+/**
+ * Event data from a workflow trigger.
+ */
+interface EventData$1 {
+    topic: string;
+}
+/**
+ * Timestamp range.
+ */
+interface TimestampRange$1 {
+    start: bigint;
+    end: bigint;
+}
+/**
+ * Information about what triggered a workflow transaction.
+ */
+interface TriggerInfo$1 {
+    event: EventData$1;
+    subscriptionPubkey: string;
+    timestampRange?: TimestampRange$1;
+    eventAccount?: string;
+}
+/**
+ * Transaction data within a workflow node.
+ */
+interface TransactionNodeData$1 {
     blockHeight: bigint;
-    /** Timestamp (unix) */
     timestamp: bigint;
-    /** Whether the transaction succeeded */
     success: boolean;
-    /** Number of instructions */
     instructionCount: number;
-    /** Program IDs of instructions (base58) */
     instructionProgramIds: string[];
 }
 /**
  * A node in the workflow lineage tree.
  */
-interface WorkflowNode {
-    /** Transaction signature (base58) */
+interface WorkflowNode$1 {
+    /** Transaction signature (base58). */
     id: string;
-    /** Distance from root transaction */
+    /** Distance from the root transaction. */
     depth: number;
-    /** Transaction data */
-    data: TransactionNodeData;
-    /** Subscriptions on this transaction */
-    subscriptions: Subscription[];
-    /** What triggered this transaction */
-    triggeredBy?: TriggerInfo;
-    /** Child transaction signatures (base58) */
+    /** Transaction data. */
+    data: TransactionNodeData$1;
+    /** Subscriptions associated with this transaction. */
+    subscriptions: Subscription$1[];
+    /** Trigger information if this node was triggered by a subscription event. */
+    triggeredBy?: TriggerInfo$1;
+    /** Child transaction signatures. */
     workflowChildren: string[];
-    /** Whether there are more children not shown */
+    /** Whether more children exist beyond what is shown. */
     hasMoreChildren: boolean;
 }
 /**
- * Workflow lineage tree.
+ * Reason for truncating workflow traversal.
  */
-interface WorkflowLineage {
-    /** Nodes in the workflow tree */
-    workflowNodes: WorkflowNode[];
+type TruncationReason$1 = "maxDepth" | "maxNodes" | "none";
+/**
+ * Workflow lineage request parameters.
+ */
+interface GetWorkflowLineageRequest$1 {
+    /** Root transaction signature (base58). */
+    signature: string;
+    /** Maximum traversal depth (1-100, default 3). */
+    maxDepth?: number;
+    /** Whether to include event details. */
+    includeEvents?: boolean;
 }
 /**
- * Reason for truncating workflow lineage traversal.
+ * Workflow lineage response.
+ * The lineage tree structure.
  */
-type TruncationReason = "MaxDepth" | "MaxNodes" | "None";
+interface WorkflowLineage$1 {
+    /** All nodes (transactions) in the lineage tree. */
+    workflowNodes: WorkflowNode$1[];
+}
 /**
- * Get workflow lineage response.
+ * Workflow lineage response.
  */
-interface GetWorkflowLineageResponse {
-    /** Workflow lineage tree */
-    lineage: WorkflowLineage;
-    /** Leaf transaction signatures (base58) */
+interface GetWorkflowLineageResponse$1 {
+    /** The lineage graph data. */
+    lineage: WorkflowLineage$1;
+    /** Leaf transaction signatures (base58-encoded). */
     leaves: string[];
-    /** Whether traversal was truncated */
+    /** Whether the traversal was truncated due to max-depth. */
     truncated: boolean;
-    /** Reason for truncation */
-    truncationReason: TruncationReason;
-    /** Hints for continuing traversal (base58 signatures) */
+    /** The reason for truncation. */
+    truncationReason: TruncationReason$1;
+    /** Hints for continuation (base58-encoded). */
     continuationHints: string[];
 }
 /**
- * Get signatures for address configuration.
+ * Configuration for paginated transaction queries.
  */
-interface GetSignaturesForAddressConfig {
-    /** Maximum number of signatures to return */
+interface GetTransactionsConfig {
+    /** Maximum number of transactions to return. */
     limit?: number;
-    /** Start searching backwards from this signature */
+    /** Cursor for pagination. */
     before?: string;
-    /** Start searching forwards from this signature */
-    until?: string;
 }
 /**
- * Signature information.
+ * Brief info about a transaction in a paginated list.
  */
-interface SignatureInfo {
+interface TransactionInfo {
+    /** Transaction signature (base58). */
     signature: string;
-    blockHeight: bigint;
-    blockTime: bigint;
+    /** Slot where the transaction was processed. */
+    slot: bigint;
+    /** Block time (unix timestamp). */
+    blockTime?: bigint;
+    /** Error message if failed. */
     err?: string;
+    /** Transaction version. */
+    version?: string;
 }
 /**
- * Get health response.
+ * Filter for what kind of accounts to return.
  */
-type GetHealthResponse = "ok" | string;
+type AccountFilter$1 = "programAccounts" | "tokenAccounts";
 /**
- * Get transactions response.
+ * Configuration for getAccountsByOwner pagination.
  */
-interface GetTransactionsResponse {
-    /** Array of transaction data */
-    transactions: Array<Record<string, unknown>>;
+interface GetAccountsByOwnerConfig$1 {
+    /** Maximum number of accounts to return. */
+    limit?: number;
+    /** Cursor for pagination: accounts after this pubkey (base58). */
+    after?: string;
 }
 /**
- * Signature status from the RPC.
+ * An account returned by getAccountsByOwner.
  */
-interface SignatureStatus {
-    /** Slot in which the transaction was processed */
-    slot: bigint;
-    /** Whether the transaction has been executed */
-    executed: boolean;
-    /** Error message if transaction failed */
-    err?: string;
+interface OwnerAccount$1 {
+    /** Account public key. */
+    pubkey: PublicKey;
+    /** Account information. */
+    account: AccountInfo$1;
 }
 /**
- * Options for confirming a transaction.
+ * Pagination metadata.
  */
-interface ConfirmTransactionOptions {
-    /** Maximum number of retry attempts (default: 30) */
-    maxRetries?: number;
-    /** Delay between retries in milliseconds (default: 1000) */
-    retryDelay?: number;
+interface PaginationInfo$1 {
+    hasMore: boolean;
+    nextCursor?: string;
 }
+/** A single entry in a getMultipleAccounts response.
+Absent if the account does not exist. */
+type OptionalAccountInfo = AccountInfo$1 | undefined;
 /**
- * Options for sending and confirming a transaction.
+ * Validator health status.
  */
-interface SendAndConfirmOptions extends SendTransactionOptions, ConfirmTransactionOptions {
+interface ValidatorHealth {
+    status: string;
 }
 /**
- * Result of a confirmed transaction.
+ * Connected full node info.
  */
-interface ConfirmedTransaction {
-    /** Transaction signature */
-    signature: string;
-    /** Whether the transaction was executed */
-    executed: boolean;
-    /** Error message if transaction failed */
-    err?: string;
+interface ConnectedNode {
+    /** Network public key (hex or base58). */
+    publicKey: string;
+    /** Connection duration in milliseconds. */
+    connectedMs: bigint;
 }
 /**
- * Configuration for getAccountsByOwner.
+ * The TEE's X25519 public key for HPKE encryption.
  */
-interface GetAccountsByOwnerConfig {
-    /** Maximum number of accounts to return */
-    limit?: number;
-    /** Cursor for pagination (base58 pubkey) */
-    after?: string;
+interface SecretSharingPubkey {
+    /** Hex-encoded public key. */
+    publicKey: string;
 }
 /**
- * Filter for getAccountsByOwner.
- * Matches Rust serde serialization format.
+ * Request to submit an epoch change (admin-only).
+ * Validator information for epoch change requests.
  */
-type AccountFilter = {
-    type: "programAccounts";
-} | {
-    type: "tokenAccounts";
-    mint?: string;
-};
+interface ValidatorInfoRequest {
+    /** Validator stake amount. */
+    stake: bigint;
+    /** Consensus network address (Multiaddr string). */
+    consensusAddress: string;
+    /** State sync network address (Multiaddr string). */
+    stateSyncAddress: string;
+    /** Validator hostname. */
+    hostname: string;
+    /** Authority public key. */
+    authorityKey: string;
+    /** Protocol public key. */
+    protocolKey: string;
+    /** Network public key. */
+    networkKey: string;
+    /** Signing public key. */
+    signingKey: string;
+}
 /**
- * An account owned by a program or address.
+ * Consensus configuration parameters for an epoch change.
  */
-interface OwnerAccount {
-    /** Account public key */
-    pubkey: PublicKey;
-    /** Account information */
-    account: AccountInfo;
+interface EpochConsensusConfigRequest {
+    /** Number of leaders per round. */
+    numLeadersPerRound?: number;
+    /** Maximum transaction bytes per block. */
+    maxTransactionsInBlockBytes?: bigint;
+    /** Maximum number of transactions per block. */
+    maxNumTransactionsInBlock?: bigint;
+    /** Maximum size of a single transaction in bytes. */
+    maxTransactionSizeBytes?: bigint;
+    /** Garbage collection depth. */
+    gcDepth?: number;
+    /** Whether to enable zstd compression. */
+    zstdCompression?: boolean;
 }
 /**
- * Pagination information.
+ * Request to submit an epoch change (admin-only).
  */
-interface PaginationInfo {
-    /** Whether there are more results */
-    hasMore: boolean;
-    /** Cursor for next page (base58 pubkey) */
-    nextCursor?: string;
+interface SubmitEpochChangeRequest {
+    /** The new epoch number. */
+    newEpoch: bigint;
+    /** List of validators for the new epoch. */
+    validators: ValidatorInfoRequest[];
+    /** Optional consensus configuration overrides. */
+    consensusConfig?: EpochConsensusConfigRequest;
 }
 /**
- * Get accounts by owner response.
+ * Response from submitting an epoch change.
  */
-interface GetAccountsByOwnerResponse {
-    /** Array of owned accounts */
-    value: OwnerAccount[];
-    /** Pagination information */
-    pagination?: PaginationInfo;
+interface SubmitEpochChangeResponse {
+    /** Whether the submission was accepted. */
+    success: boolean;
+}
+/**
+ * Configuration for block queries.
+ */
+interface GetBlockConfig {
+    /** Transaction detail level: "full", "signatures", or "none".
+  Default: "full". */
+    transactionDetails?: string;
+}
+/**
+ * Information about a block.
+ */
+interface BlockInfo {
+    /** The blockhash (base58). */
+    blockhash: string;
+    /** Block height. */
+    blockHeight: bigint;
+    /** Unix timestamp of the block. */
+    blockTime: bigint;
+    /** Full transactions with metadata (present when transaction-details = "full"). */
+    transactions?: TransactionWithMeta[];
+    /** Transaction signatures only (present when transaction-details = "signatures"). */
+    signatures?: string[];
+}
+/**
+ * Configuration for getAllAccounts.
+ */
+interface GetAllAccountsConfig {
+    /** Encoding for account data (e.g. "base64"). */
+    encoding?: string;
+    /** Whether to include account data in the response. */
+    includeData?: boolean;
+}
+/**
+ * An entry in the getAllAccounts response.
+ */
+interface AllAccountsEntry {
+    /** Account public key (base58). */
+    pubkey: string;
+    /** Account information. */
+    account: AccountInfo$1;
+}
+/**
+ * State of a stake account.
+ */
+type StakeState = "inactive" | "activating" | "active" | "deactivating" | "unbonding";
+/**
+ * Information about a stake account.
+ */
+interface StakeAccountInfo {
+    /** Current state of the stake account. */
+    state: StakeState;
+    /** Total kelvins in the account. */
+    kelvins: bigint;
+    /** Amount delegated to validator (0 when inactive). */
+    delegatedBalance: bigint;
+    /** Undelegated amount. */
+    undelegatedBalance: bigint;
+    /** Unix timestamp (ms) when ActivateStake was called. */
+    activationRequested?: bigint;
+    /** Unix timestamp (ms) when DeactivateStake was called. */
+    deactivationRequested?: bigint;
+    /** Validator info account (base58), absent if not delegated. */
+    validator?: string;
+    /** Admin authority (hot wallet, base58). */
+    adminAuthority: string;
+    /** Withdraw authority (cold wallet, base58). */
+    withdrawAuthority: string;
+}
+/**
+ * Request parameters for getValidatorAccounts.
+ */
+interface GetValidatorAccountsRequest {
+    /** If true, return from last frozen epoch; if false, return from pending. */
+    useFrozen: boolean;
+}
+/**
+ * Information about a validator account.
+ */
+interface ValidatorAccountInfo {
+    /** Accumulated commission (kelvins) in the validator account. */
+    commission: bigint;
+    /** Public key of the validator info account (base58). */
+    pubkey: string;
+    /** Node's public key / initial authorized withdrawer (base58). */
+    nodeIdentity: string;
+    /** Authority who can withdraw rewards (base58). */
+    authorizedWithdrawer: string;
+    /** Amount of token staked for next epoch. */
+    stakeNext: bigint;
+    /** Amount of token staked for current epoch (from last frozen snapshot). */
+    stakeCurrent?: bigint;
+    /** Network address for communicating with the validator. */
+    address: string;
+}
+/**
+ * SPL Token account balance information.
+ */
+interface TokenBalance {
+    /** Raw token amount as string. */
+    amount: string;
+    /** Number of decimals for the token. */
+    decimals: number;
+    /** Human-readable amount string. */
+    uiAmountString: string;
+}
+/**
+ * Information about a node in the cluster.
+ */
+interface ClusterNodeInfo {
+    /** Stake amount in kelvins. */
+    stake: bigint;
+    /** Network address. */
+    address: string;
+    /** Hostname of the node. */
+    hostname: string;
+    /** Authority public key (base58). */
+    authorityPubkey: string;
+    /** Protocol public key (base58). */
+    protocolPubkey: string;
+    /** Network public key (base58). */
+    networkPubkey: string;
+    /** Last committed consensus round (if available). */
+    lastCommittedRound?: number;
+}
+/**
+ * A single REX duty assignment.
+ */
+interface RexDuty {
+    /** Target timestamp for the duty. */
+    targetTimestamp: string;
+    /** Validators assigned to this duty (base58 pubkeys). */
+    assignedValidators: string[];
+}
+/**
+ * Information about a REX request and its duties.
+ */
+interface RexInfoAndDuties {
+    /** Pubkey of account that created the REX (base58). */
+    creator: string;
+    /** Hex representation of the REX's nonce. */
+    nonce: string;
+    /** Whether the REX is currently active. */
+    isActive: boolean;
+    /** Description of the REX request. */
+    description: string;
+    /** Update frequency. */
+    updateFrequency: string;
+    /** Starting timestamp. */
+    startingTimestamp: string;
+    /** Creation timestamp. */
+    createdAt: string;
+    /** Number of validators per duty. */
+    validatorsPerDuty: number;
+    /** Delay in milliseconds for REX request processing. */
+    rexRequestDelayMs: bigint;
+    /** List of duties expecting updates or commitment. */
+    duties: RexDuty[];
+}
+
+/**
+ * RpcClient interface — generated from spec.wit.
+ *
+ * Every method corresponds to a function in the `rpc-client` interface.
+ */
+declare abstract class RpcClient {
+    /**
+     * Gets the balance of an account in kelvins.
+     *
+     * # Parameters
+     *
+     * * `pubkey` - The public key (address) of the account to query.
+     *
+     * # Returns
+     *
+     * The account balance in the smallest denomination of the native token (kelvins).
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails or the account does not exist.
+     */
+    abstract getBalance(pubkey: PublicKey): Promise<Kelvin>;
+    /**
+     * Gets detailed information about an on-chain account.
+     *
+     * # Parameters
+     *
+     * * `pubkey` - The public key (address) of the account to query.
+     *
+     * # Returns
+     *
+     * Detailed account information including balance, owner, data, and executable flag.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails or the account does not exist.
+     */
+    abstract getAccountInfo(pubkey: PublicKey): Promise<AccountInfo$1>;
+    /**
+     * Gets the current finalized block height from the blockchain.
+     *
+     * The block height represents the number of blocks produced since genesis.
+     * Always returns the finalized block height for consistency.
+     *
+     * # Returns
+     *
+     * The current finalized block height.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getBlockHeight(): Promise<bigint>;
+    /**
+     * Gets the current finalized block height with advanced configuration.
+     *
+     * Provides access to advanced parameters for block height retrieval,
+     * specifically minimum context slot requirements.
+     *
+     * # Parameters
+     *
+     * * `min-context-slot` - The minimum context slot that the server must have
+     * reached before responding. If absent, no minimum is required.
+     *
+     * # Returns
+     *
+     * The current finalized block height.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getBlockHeightWithConfig(minContextSlot: bigint | undefined): Promise<bigint>;
+    /**
+     * Gets detailed information about a transaction by its signature.
+     *
+     * # Parameters
+     *
+     * * `sig` - The transaction signature to look up.
+     *
+     * # Returns
+     *
+     * Full transaction details including block height, block hash, timestamp,
+     * execution metadata (fee, errors), and the transaction content.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails or the transaction is not found.
+     */
+    abstract getTransaction(sig: Signature): Promise<TransactionResponse$1>;
+    /**
+     * Gets the total number of transactions processed since genesis.
+     *
+     * # Returns
+     *
+     * The total transaction count.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getTransactionCount(): Promise<bigint>;
+    /**
+     * Calculates the minimum balance required for rent exemption.
+     *
+     * Accounts with at least this balance are exempt from paying rent.
+     *
+     * # Parameters
+     *
+     * * `data-size` - The size of the account data in bytes.
+     *
+     * # Returns
+     *
+     * The minimum balance (in kelvins) required for rent exemption.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getMinimumBalanceForRentExemption(dataSize: bigint): Promise<bigint>;
+    /**
+     * Gets the status of multiple transaction signatures.
+     *
+     * # Parameters
+     *
+     * * `signatures` - A list of transaction signatures to query.
+     *
+     * # Returns
+     *
+     * A list of signature statuses (slot, executed, error) corresponding
+     * to the input signatures.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getSignatureStatuses(signatures: Signature[]): Promise<(SignatureStatus$1 | undefined)[]>;
+    /**
+     * Gets signatures associated with an address, with optional pagination.
+     *
+     * # Parameters
+     *
+     * * `address` - The address to query signatures for.
+     * * `config` - Optional configuration for pagination (limit, before, until).
+     *
+     * # Returns
+     *
+     * A list of signature info records for the given address.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getSignaturesForAddress(address: PublicKey, config: GetSignaturesForAddressConfig$1 | undefined): Promise<SignatureInfo$1[]>;
+    /**
+     * Gets current epoch information.
+     *
+     * # Returns
+     *
+     * Epoch information including epoch number, slot indices, block height,
+     * and transaction count.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getEpochInfo(): Promise<EpochInfo>;
+    /**
+     * Gets the fee for a given serialized message.
+     *
+     * # Parameters
+     *
+     * * `message` - The base64-encoded serialized message to calculate fees for.
+     *
+     * # Returns
+     *
+     * A fee response containing the fee in kelvins, or absent if the message
+     * is invalid.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getFeeForMessage(message: string): Promise<FeeResponse>;
+    /**
+     * Gets information for multiple accounts in a single request.
+     *
+     * # Parameters
+     *
+     * * `pubkeys` - A list of public keys to query.
+     *
+     * # Returns
+     *
+     * A list of optional account info records. Each entry is absent if that
+     * account does not exist.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getMultipleAccounts(pubkeys: PublicKey[]): Promise<OptionalAccountInfo[]>;
+    /**
+     * Gets accounts owned by a given program or address.
+     *
+     * Returns all accounts whose owner matches the specified public key,
+     * along with optional pagination metadata.
+     *
+     * # Parameters
+     *
+     * * `owner` - The public key of the owner/program to query accounts for.
+     * * `filter` - Optional filter to specify account type (program accounts
+     * or token accounts). Defaults to program-accounts if absent.
+     * * `config` - Optional pagination configuration (limit, after cursor).
+     *
+     * # Returns
+     *
+     * A tuple of (accounts list, optional pagination info).
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getAccountsByOwner(owner: PublicKey, filter: AccountFilter$1 | undefined, config: GetAccountsByOwnerConfig$1 | undefined): Promise<[OwnerAccount$1[], PaginationInfo$1 | undefined]>;
+    /**
+     * Gets a subscription by subscriber public key and nonce.
+     *
+     * # Parameters
+     *
+     * * `subscriber` - The public key of the subscriber.
+     * * `nonce` - The nonce identifying the specific subscription.
+     *
+     * # Returns
+     *
+     * The subscription record (kind, topic, subscriber, event-account).
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails or the subscription is not found.
+     */
+    abstract getSubscription(subscriber: PublicKey, nonce: string): Promise<Subscription$1>;
+    /**
+     * Gets transactions triggered by a subscription.
+     *
+     * Returns transactions that were automatically triggered in response to
+     * subscription matches or other programmatic conditions.
+     *
+     * # Parameters
+     *
+     * * `subscription-account` - The public key of the subscription account.
+     * * `limit` - Optional maximum number of transactions to return.
+     *
+     * # Returns
+     *
+     * A list of triggered transaction records (signature, block number).
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getTriggeredTransactions(subscriptionAccount: PublicKey, limit: number | undefined): Promise<TriggeredTransaction$1[]>;
+    /**
+     * Gets the workflow lineage tree for a transaction.
+     *
+     * Traverses the chain of workflow-triggered transactions starting from
+     * a root transaction, building a tree of parent-child relationships.
+     *
+     * # Parameters
+     *
+     * * `request` - The lineage request including root signature, max depth,
+     * and whether to include event details.
+     *
+     * # Returns
+     *
+     * The workflow lineage response with nodes, leaves, and truncation info.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails or the root transaction is not found.
+     */
+    abstract getWorkflowLineage(request: GetWorkflowLineageRequest$1): Promise<GetWorkflowLineageResponse$1>;
+    /**
+     * Gets paginated transactions from the blockchain.
+     *
+     * Returns a list of transactions, optionally filtered and paginated.
+     * Useful for transaction monitoring, analytics, and debugging.
+     *
+     * # Parameters
+     *
+     * * `config` - Optional configuration for pagination (limit, before cursor).
+     * If absent, defaults apply (limit: 100).
+     *
+     * # Returns
+     *
+     * A list of transaction info records with signatures, slots, block times,
+     * and error status.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getTransactions(config: GetTransactionsConfig | undefined): Promise<TransactionInfo[]>;
+    /**
+     * Checks if a blockhash is still valid for transaction submission.
+     *
+     * # Parameters
+     *
+     * * `blockhash` - The blockhash to validate.
+     *
+     * # Returns
+     *
+     * `true` if the blockhash is still valid, `false` otherwise.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract isBlockhashValid(blockhash: Hash): Promise<IsBlockhashValidResponse>;
+    /**
+     * Gets the health status of the RPC node.
+     *
+     * # Returns
+     *
+     * A health status string, typically "ok" when the node is healthy.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails or the node is unhealthy.
+     */
+    abstract getHealth(): Promise<string>;
+    /**
+     * Gets the health status of the validator.
+     *
+     * # Returns
+     *
+     * The validator health status record.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getValidatorHealth(): Promise<ValidatorHealth>;
+    /**
+     * Gets the list of full nodes connected to the validator or full node.
+     *
+     * # Returns
+     *
+     * A list of connected nodes, each identified by a network public key
+     * and connection duration in milliseconds.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getConnectedFullNodes(): Promise<ConnectedNode[]>;
+    /**
+     * Gets the TEE's secret sharing public key for HPKE encryption.
+     *
+     * This public key is used to encrypt secrets that only the TEE cluster
+     * can decrypt.
+     *
+     * # Returns
+     *
+     * The X25519 public key (hex-encoded) used for HPKE encryption.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails, the TEE Registry state account
+     * doesn't exist, or the secret sharing public key has not been registered.
+     */
+    abstract getSecretSharingPubkey(): Promise<SecretSharingPubkey>;
+    /**
+     * Gets the config hash prefix for protecting against replay attacks.
+     *
+     * Retrieves the first 64 bits of the config hash, which is used for
+     * transaction replay protection across chains.
+     *
+     * # Returns
+     *
+     * The config hash prefix as a u64 value.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getConfigHashPrefix(): Promise<ConfigHashPrefix>;
+    /**
+     * Gets all accounts in the system.
+     *
+     * **Warning:** This can be very expensive on large networks. Intended
+     * primarily for testing and debugging on local/devnet.
+     *
+     * # Parameters
+     *
+     * * `config` - Optional configuration for encoding and data inclusion.
+     *
+     * # Returns
+     *
+     * A list of all account entries (pubkey + account info).
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getAllAccounts(config: GetAllAccountsConfig | undefined): Promise<AllAccountsEntry[]>;
+    /**
+     * Gets a block by its height.
+     *
+     * # Parameters
+     *
+     * * `block-height` - The block height to query.
+     * * `config` - Optional configuration for transaction detail level
+     * ("full", "signatures", or "none"). Defaults to "full".
+     *
+     * # Returns
+     *
+     * Block information including blockhash, timestamp, and transactions
+     * (detail level depends on config).
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails or the block is not found.
+     */
+    abstract getBlock(blockHeight: bigint, config: GetBlockConfig | undefined): Promise<BlockInfo>;
+    /**
+     * Gets a list of confirmed block heights in a range (inclusive).
+     *
+     * # Parameters
+     *
+     * * `start-height` - The start of the block height range.
+     * * `end-height` - The end of the range. If absent, returns up to the
+     * latest confirmed block.
+     *
+     * # Returns
+     *
+     * A list of confirmed block height numbers.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getBlocks(startHeight: bigint, endHeight: bigint | undefined): Promise<bigint[]>;
+    /**
+     * Gets detailed information about a stake account.
+     *
+     * # Parameters
+     *
+     * * `pubkey` - The public key of the stake account.
+     *
+     * # Returns
+     *
+     * The stake account info (state, balances, authorities), or absent if
+     * the account is not a valid stake account.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getStakeAccount(pubkey: PublicKey): Promise<StakeAccountInfo | undefined>;
+    /**
+     * Gets all registered validator accounts.
+     *
+     * # Parameters
+     *
+     * * `request` - Request parameters specifying whether to use the frozen
+     * (last epoch) or pending (current) snapshot.
+     *
+     * # Returns
+     *
+     * A list of validator account info records.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getValidatorAccounts(request: GetValidatorAccountsRequest): Promise<ValidatorAccountInfo[]>;
+    /**
+     * Gets the token balance of an SPL Token account.
+     *
+     * # Parameters
+     *
+     * * `pubkey` - The public key of the SPL Token account.
+     *
+     * # Returns
+     *
+     * Token balance information including raw amount, decimals, and
+     * human-readable amount string.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails or the account is not a valid
+     * token account.
+     */
+    abstract getTokenAccountBalance(pubkey: PublicKey): Promise<TokenBalance>;
+    /**
+     * Gets registered REX requests for a creator.
+     *
+     * # Parameters
+     *
+     * * `creator` - The public key of the REX creator.
+     * * `nonce` - Optional nonce to filter for a specific REX request.
+     * If absent, returns all requests by the creator.
+     *
+     * # Returns
+     *
+     * A list of REX request records with their associated duties.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getRexRequests(creator: PublicKey, nonce: string | undefined): Promise<RexInfoAndDuties[]>;
+    /**
+     * Gets missed REX duty proposal rounds for a specific REX request.
+     *
+     * # Parameters
+     *
+     * * `creator` - The public key of the REX creator.
+     * * `nonce` - The nonce identifying the specific REX request.
+     *
+     * # Returns
+     *
+     * A list of proposal round numbers where duties were missed.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getRexMissedDuties(creator: PublicKey, nonce: string): Promise<bigint[]>;
+    /**
+     * Gets information about all known cluster nodes.
+     *
+     * # Returns
+     *
+     * A list of cluster node info records including stake, addresses,
+     * and public keys.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getClusterNodes(): Promise<ClusterNodeInfo[]>;
+    /**
+     * Gets the list of validator indices this node is connected to.
+     *
+     * # Returns
+     *
+     * A list of validator indices (u32).
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails.
+     */
+    abstract getConnectedValidators(): Promise<number[]>;
+    /**
+     * Submits a signed transaction to the network.
+     *
+     * # Parameters
+     *
+     * * `transaction` - The serialized, signed transaction as a byte array.
+     * * `options` - Optional send options (skip preflight, max retries).
+     * If absent, default options are used.
+     *
+     * # Returns
+     *
+     * The transaction signature, which can be used to check its status.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails or the transaction is rejected.
+     */
+    abstract sendTransaction(transaction: Uint8Array, options: SendTransactionOptions$1 | undefined): Promise<Signature>;
+    /**
+     * Requests an airdrop of tokens to the specified account.
+     *
+     * This method is typically only available on test networks (localnet, devnet).
+     *
+     * # Parameters
+     *
+     * * `pubkey` - The public key of the recipient account.
+     * * `amount` - The amount of kelvins to airdrop.
+     *
+     * # Returns
+     *
+     * The transaction signature of the airdrop transaction.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails or airdrops are not supported.
+     */
+    abstract requestAirdrop(pubkey: PublicKey, amount: Kelvin): Promise<Signature>;
+    /**
+     * Polls until a transaction is confirmed or times out.
+     *
+     * This is a CDK compound method (not a single RPC call). It repeatedly
+     * calls getSignatureStatuses until the transaction is confirmed or the
+     * retry limit is reached.
+     *
+     * # Parameters
+     *
+     * * `sig` - The transaction signature (base58) to monitor.
+     * * `options` - Optional confirmation options (max retries, retry delay).
+     * Defaults: 30 retries, 1000ms delay.
+     *
+     * # Returns
+     *
+     * A confirmed transaction record with signature, executed status, and error.
+     *
+     * # Errors
+     *
+     * Returns an error if the transaction fails or confirmation times out.
+     */
+    abstract confirmTransaction(sig: string, options: ConfirmTransactionOptions$1 | undefined): Promise<ConfirmedTransaction$1>;
+    /**
+     * Sends a transaction and waits for confirmation.
+     *
+     * This is a CDK compound method that combines send-transaction and
+     * confirm-transaction into a single call.
+     *
+     * # Parameters
+     *
+     * * `transaction` - The serialized, signed transaction as a byte array.
+     * * `options` - Optional combined send-and-confirm options.
+     *
+     * # Returns
+     *
+     * A confirmed transaction record with signature, executed status, and error.
+     *
+     * # Errors
+     *
+     * Returns an error if sending fails, the transaction is rejected,
+     * or confirmation times out.
+     */
+    abstract sendAndConfirmTransaction(transaction: Uint8Array, options: SendAndConfirmOptions$1 | undefined): Promise<ConfirmedTransaction$1>;
+    /**
+     * Requests an airdrop and waits for confirmation.
+     *
+     * This is a CDK compound method that combines request-airdrop and
+     * confirm-transaction into a single call.
+     *
+     * # Parameters
+     *
+     * * `pubkey` - The public key of the recipient account.
+     * * `amount` - The amount of kelvins to airdrop.
+     *
+     * # Returns
+     *
+     * A confirmed transaction record for the airdrop.
+     *
+     * # Errors
+     *
+     * Returns an error if the airdrop fails or confirmation times out.
+     */
+    abstract requestAirdropAndConfirm(pubkey: PublicKey, amount: Kelvin): Promise<ConfirmedTransaction$1>;
+    /**
+     * Submits an epoch change transaction (admin-only).
+     *
+     * This is a restricted admin method used for epoch management.
+     * Only available to authorized admin accounts.
+     *
+     * # Parameters
+     *
+     * * `request` - The epoch change request containing serialized data.
+     *
+     * # Returns
+     *
+     * A response indicating whether the submission was accepted.
+     *
+     * # Errors
+     *
+     * Returns an error if the RPC call fails or the sender is not authorized.
+     */
+    abstract sendAdminTransaction(request: SubmitEpochChangeRequest): Promise<SubmitEpochChangeResponse>;
 }
 
 /**
@@ -1090,11 +2435,12 @@ interface GetAccountsByOwnerResponse {
  * const signature = await client.sendTransaction(signedTx);
  * ```
  */
-declare class RialoClient {
+declare class RialoClient extends RpcClient {
     private readonly queryClient;
     private readonly transactionClient;
     private readonly transport;
     private readonly chain;
+    private readonly rpcHelper;
     constructor(transport: HttpTransport, chain: ChainDefinition);
     /**
      * Returns the configured RPC endpoint URL.
@@ -1111,27 +2457,31 @@ declare class RialoClient {
     /**
      * Retrieves the balance of an account in kelvins (smallest unit).
      */
-    getBalance(pubkey: PublicKey): Promise<bigint>;
+    getBalance(pubkey: PublicKey): Promise<Kelvin>;
     /**
      * Retrieves detailed information about an account.
      *
      * @returns Account info or null if account doesn't exist
      */
-    getAccountInfo(pubkey: PublicKey): Promise<AccountInfo | null>;
+    getAccountInfo(pubkey: PublicKey): Promise<AccountInfo$1>;
     /**
      * Retrieves the current block height.
      */
     getBlockHeight(): Promise<bigint>;
+    /**
+     * Retrieves the current block height with advanced configuration.
+     */
+    getBlockHeightWithConfig(minContextSlot: bigint | undefined): Promise<bigint>;
     /**
      * Retrieves the signatures for an address.
      */
-    getSignaturesForAddress(address: PublicKey, config?: GetSignaturesForAddressConfig): Promise<SignatureInfo[]>;
+    getSignaturesForAddress(address: PublicKey, config: GetSignaturesForAddressConfig$1 | undefined): Promise<SignatureInfo$1[]>;
     /**
      * Retrieves detailed information about a transaction.
      *
-     * @returns Transaction info or null if transaction not found
+     * @returns Full transaction response
      */
-    getTransaction(signature: string): Promise<TransactionResponse | null>;
+    getTransaction(sig: Signature): Promise<TransactionResponse$1>;
     /**
      * Retrieves the total number of transactions processed since genesis.
      */
@@ -1139,17 +2489,17 @@ declare class RialoClient {
     /**
      * Retrieves the status of multiple transaction signatures.
      */
-    getSignatureStatuses(signatures: string[]): Promise<(SignatureStatus | null)[]>;
+    getSignatureStatuses(signatures: Signature[]): Promise<(SignatureStatus$1 | undefined)[]>;
     /**
      * Retrieves current epoch information.
      */
-    getEpochInfo(): Promise<EpochInfoResponse>;
+    getEpochInfo(): Promise<EpochInfo>;
     /**
      * Checks the health status of the RPC node.
      *
      * @returns "ok" if healthy, error message otherwise
      */
-    getHealth(): Promise<"ok" | string>;
+    getHealth(): Promise<string>;
     /**
      * Submits a signed transaction to the blockchain.
      *
@@ -1157,7 +2507,7 @@ declare class RialoClient {
      * @param options - Transaction submission options
      * @returns Transaction signature
      */
-    sendTransaction(transaction: Uint8Array, options?: SendTransactionOptions): Promise<string>;
+    sendTransaction(transaction: Uint8Array, options?: Partial<SendTransactionOptions$1>): Promise<Signature>;
     /**
      * Requests an airdrop of tokens to an account.
      *
@@ -1167,7 +2517,7 @@ declare class RialoClient {
      * @param amount - Amount in kelvins (smallest unit)
      * @returns Transaction signature
      */
-    requestAirdrop(pubkey: PublicKey, amount: bigint): Promise<string>;
+    requestAirdrop(pubkey: PublicKey, amount: Kelvin): Promise<Signature>;
     /**
      * Submits a signed transaction and waits for confirmation.
      *
@@ -1183,7 +2533,7 @@ declare class RialoClient {
      * console.log(`Confirmed in slot ${result.slot}`);
      * ```
      */
-    sendAndConfirmTransaction(transaction: Uint8Array, options?: SendAndConfirmOptions): Promise<ConfirmedTransaction>;
+    sendAndConfirmTransaction(transaction: Uint8Array, options?: Partial<SendAndConfirmOptions$1>): Promise<ConfirmedTransaction$1>;
     /**
      * Waits for a transaction to be confirmed.
      *
@@ -1191,50 +2541,50 @@ declare class RialoClient {
      * @param options - Confirmation options
      * @returns Confirmed transaction details
      */
-    confirmTransaction(signature: string, options?: ConfirmTransactionOptions): Promise<ConfirmedTransaction>;
+    confirmTransaction(sig: string, options?: Partial<ConfirmTransactionOptions$1>): Promise<ConfirmedTransaction$1>;
     /**
      * Requests an airdrop and waits for confirmation.
      *
      * **Note**: Only available on devnet and testnet.
      */
-    requestAirdropAndConfirm(pubkey: PublicKey, amount: bigint, options?: ConfirmTransactionOptions): Promise<ConfirmedTransaction>;
+    requestAirdropAndConfirm(pubkey: PublicKey, amount: Kelvin): Promise<ConfirmedTransaction$1>;
     /**
      * Calculate the minimum balance required for an account to be rent-exempt.
      *
      * @param accountDataSize - The size of the account data in bytes
      * @returns The minimum balance in kelvins required for rent exemption
      */
-    getMinimumBalanceForRentExemption(accountDataSize: number): Promise<bigint>;
+    getMinimumBalanceForRentExemption(dataSize: bigint): Promise<bigint>;
     /**
      * Get the fee required to process a specific message.
      *
      * @param message - Base64-encoded serialized versioned message
-     * @returns Fee in kelvins, or null if message is invalid
+     * @returns Fee response with value in kelvins
      */
-    getFeeForMessage(message: string): Promise<bigint | null>;
+    getFeeForMessage(message: string): Promise<FeeResponse>;
     /**
      * Get information for multiple accounts in a single request.
      *
      * @param pubkeys - Array of public keys to query (1-100)
      * @returns Account information for each address
      */
-    getMultipleAccounts(pubkeys: PublicKey[]): Promise<Array<AccountInfo | null>>;
+    getMultipleAccounts(pubkeys: PublicKey[]): Promise<OptionalAccountInfo[]>;
     /**
      * Get all accounts owned by a specific program or address.
      *
      * @param owner - Program ID or owner public key
-     * @param filter - Filter type (ProgramAccounts or TokenAccounts)
+     * @param filter - Filter type (programAccounts or tokenAccounts)
      * @param config - Optional configuration for pagination and encoding
-     * @returns Accounts owned by the specified owner
+     * @returns Tuple of accounts and optional pagination info
      */
-    getAccountsByOwner(owner: PublicKey, filter?: AccountFilter, config?: GetAccountsByOwnerConfig): Promise<GetAccountsByOwnerResponse>;
+    getAccountsByOwner(owner: PublicKey, filter: AccountFilter$1 | undefined, config: GetAccountsByOwnerConfig$1 | undefined): Promise<[OwnerAccount$1[], PaginationInfo$1 | undefined]>;
     /**
      * Get workflow lineage information for tracking execution history.
      *
      * @param request - Workflow lineage request with signature and options
      * @returns Workflow lineage tree with nodes and metadata
      */
-    getWorkflowLineage(request: GetWorkflowLineageRequest): Promise<GetWorkflowLineageResponse>;
+    getWorkflowLineage(request: GetWorkflowLineageRequest$1): Promise<GetWorkflowLineageResponse$1>;
     /**
      * Get subscription for a given subscriber address and nonce.
      *
@@ -1242,7 +2592,7 @@ declare class RialoClient {
      * @param nonce - The nonce identifying the subscription
      * @returns The subscription for the subscriber and nonce
      */
-    getSubscription(subscriber: PublicKey, nonce: string): Promise<Subscription>;
+    getSubscription(subscriber: PublicKey, nonce: string): Promise<Subscription$1>;
     /**
      * Get transactions triggered by a subscription account.
      *
@@ -1250,13 +2600,96 @@ declare class RialoClient {
      * @param limit - Optional limit on transactions returned
      * @returns Triggered transactions for the subscription
      */
-    getTriggeredTransactions(subscriptionAccount: PublicKey, limit?: number): Promise<TriggeredTransaction[]>;
+    getTriggeredTransactions(subscriptionAccount: PublicKey, limit: number | undefined): Promise<TriggeredTransaction$1[]>;
+    /**
+     * Gets paginated transactions from the blockchain.
+     */
+    getTransactions(config: GetTransactionsConfig | undefined): Promise<TransactionInfo[]>;
+    /**
+     * Checks if a blockhash is still valid for transaction submission.
+     */
+    isBlockhashValid(blockhash: Hash): Promise<IsBlockhashValidResponse>;
+    /**
+     * Gets the health status of the validator.
+     */
+    getValidatorHealth(): Promise<ValidatorHealth>;
+    /**
+     * Gets the list of full nodes connected to the validator or full node.
+     */
+    getConnectedFullNodes(): Promise<ConnectedNode[]>;
+    /**
+     * Gets the TEE's secret sharing public key for HPKE encryption.
+     */
+    getSecretSharingPubkey(): Promise<SecretSharingPubkey>;
+    /**
+     * Gets the config hash prefix for protecting against replay attacks.
+     */
+    getConfigHashPrefix(): Promise<ConfigHashPrefix>;
+    /**
+     * Submits an epoch change transaction (admin-only).
+     */
+    sendAdminTransaction(request: SubmitEpochChangeRequest): Promise<SubmitEpochChangeResponse>;
+    /**
+     * Gets all accounts in the system.
+     */
+    getAllAccounts(config: GetAllAccountsConfig | undefined): Promise<AllAccountsEntry[]>;
+    /**
+     * Gets a block by its height.
+     */
+    getBlock(blockHeight: bigint, config: GetBlockConfig | undefined): Promise<BlockInfo>;
+    /**
+     * Gets a list of confirmed block heights in a range.
+     */
+    getBlocks(startHeight: bigint, endHeight: bigint | undefined): Promise<bigint[]>;
+    /**
+     * Gets detailed information about a stake account.
+     */
+    getStakeAccount(pubkey: PublicKey): Promise<StakeAccountInfo | undefined>;
+    /**
+     * Gets all registered validator accounts.
+     */
+    getValidatorAccounts(request: GetValidatorAccountsRequest): Promise<ValidatorAccountInfo[]>;
+    /**
+     * Gets the token balance of an SPL Token account.
+     */
+    getTokenAccountBalance(pubkey: PublicKey): Promise<TokenBalance>;
+    /**
+     * Gets registered REX requests for a creator.
+     */
+    getRexRequests(creator: PublicKey, nonce: string | undefined): Promise<RexInfoAndDuties[]>;
+    /**
+     * Gets missed REX duty proposal rounds for a specific REX request.
+     */
+    getRexMissedDuties(creator: PublicKey, nonce: string): Promise<bigint[]>;
+    /**
+     * Gets information about all known cluster nodes.
+     */
+    getClusterNodes(): Promise<ClusterNodeInfo[]>;
+    /**
+     * Gets the list of validator indices this node is connected to.
+     */
+    getConnectedValidators(): Promise<number[]>;
+    /**
+     * Calls an arbitrary RPC method with a JSON string body.
+     * Utility method for methods not yet in the generated interface.
+     */
+    callWithJson(method: string, params: string): Promise<string>;
 }
 
 /**
  * Query client for read-only RPC operations.
  */
 
+/**
+ * Filter for what kind of accounts to return from getAccountsByOwner.
+ * Uses the serde-compatible discriminated union format expected by the RPC.
+ */
+type AccountFilterParam = {
+    type: "programAccounts";
+} | {
+    type: "tokenAccounts";
+    mint?: string;
+};
 /**
  * Client for querying blockchain state.
  *
@@ -1295,7 +2728,7 @@ declare class QueryRpcClient extends BaseRpcClient {
      * }
      * ```
      */
-    getAccountInfo(pubkey: PublicKey): Promise<AccountInfo | null>;
+    getAccountInfo(pubkey: PublicKey): Promise<AccountInfo$1 | null>;
     /**
      * Retrieve the current block height of the blockchain.
      *
@@ -1330,28 +2763,7 @@ declare class QueryRpcClient extends BaseRpcClient {
      * });
      * ```
      */
-    getSignaturesForAddress(address: PublicKey, config?: GetSignaturesForAddressConfig): Promise<SignatureInfo[]>;
-    /**
-     * Retrieve detailed information about a confirmed transaction.
-     *
-     * Returns transaction metadata including the block height it was
-     * confirmed in and any execution errors.
-     *
-     * @param signature - The transaction signature to query
-     * @returns Transaction information, or null if the transaction is not found
-     *
-     * @example
-     * ```typescript
-     * const tx = await client.getTransaction(signature);
-     * if (tx) {
-     *   console.log(`Confirmed in block: ${tx.blockHeight}`);
-     *   if (tx.err) {
-     *     console.log(`Transaction failed: ${tx.err}`);
-     *   }
-     * }
-     * ```
-     */
-    getTransaction(signature: string): Promise<TransactionResponse | null>;
+    getSignaturesForAddress(address: PublicKey, config?: GetSignaturesForAddressConfig$1): Promise<SignatureInfo$1[]>;
     /**
      * Retrieve the total number of transactions processed since genesis.
      *
@@ -1385,7 +2797,7 @@ declare class QueryRpcClient extends BaseRpcClient {
      * });
      * ```
      */
-    getSignatureStatuses(signatures: string[]): Promise<(SignatureStatus | null)[]>;
+    getSignatureStatuses(signatures: string[]): Promise<(SignatureStatus$1 | null)[]>;
     /**
      * Retrieve information about the current epoch.
      *
@@ -1402,7 +2814,7 @@ declare class QueryRpcClient extends BaseRpcClient {
      * console.log(`Block height: ${info.blockHeight}`);
      * ```
      */
-    getEpochInfo(): Promise<EpochInfoResponse>;
+    getEpochInfo(): Promise<EpochInfo>;
     /**
      * Check the health status of the RPC node.
      *
@@ -1470,7 +2882,7 @@ declare class QueryRpcClient extends BaseRpcClient {
      * });
      * ```
      */
-    getMultipleAccounts(pubkeys: PublicKey[]): Promise<Array<AccountInfo | null>>;
+    getMultipleAccounts(pubkeys: PublicKey[]): Promise<Array<AccountInfo$1 | null>>;
     /**
      * Get all accounts owned by a specific program or address.
      *
@@ -1490,7 +2902,7 @@ declare class QueryRpcClient extends BaseRpcClient {
      * });
      * ```
      */
-    getAccountsByOwner(owner: PublicKey, filter?: AccountFilter, config?: GetAccountsByOwnerConfig): Promise<GetAccountsByOwnerResponse>;
+    getAccountsByOwner(owner: PublicKey, filter?: AccountFilterParam, config?: GetAccountsByOwnerConfig$1): Promise<[OwnerAccount$1[], PaginationInfo$1 | undefined]>;
     /**
      * Get workflow lineage information for tracking execution history.
      *
@@ -1509,7 +2921,7 @@ declare class QueryRpcClient extends BaseRpcClient {
      * console.log(`Found ${lineage.lineage.workflowNodes.length} nodes`);
      * ```
      */
-    getWorkflowLineage(request: GetWorkflowLineageRequest): Promise<GetWorkflowLineageResponse>;
+    getWorkflowLineage(request: GetWorkflowLineageRequest$1): Promise<GetWorkflowLineageResponse$1>;
     /**
      * Get subscriptions for a given subscriber address.
      *
@@ -1525,7 +2937,7 @@ declare class QueryRpcClient extends BaseRpcClient {
      * console.log(`Topic: ${subscription.topic}, Kind: ${subscription.kind}`);
      * ```
      */
-    getSubscription(subscriber: PublicKey, nonce: string): Promise<Subscription>;
+    getSubscription(subscriber: PublicKey, nonce: string): Promise<Subscription$1>;
     /**
      * Get transactions triggered by a subscription account.
      *
@@ -1544,7 +2956,362 @@ declare class QueryRpcClient extends BaseRpcClient {
      * });
      * ```
      */
-    getTriggeredTransactions(subscriptionAccount: PublicKey, limit?: number): Promise<TriggeredTransaction[]>;
+    getTriggeredTransactions(subscriptionAccount: PublicKey, limit?: number): Promise<TriggeredTransaction$1[]>;
+    /**
+     * Retrieve the REX X25519 public key for secret sharing encryption.
+     *
+     * This key is used for HPKE encryption when sending encrypted data
+     * that should only be decryptable within the REX execution environment.
+     *
+     * @returns The REX X25519 public key as a 32-byte Uint8Array
+     *
+     * @example
+     * ```typescript
+     * import { encryptForREX } from "@rialo/ts-cdk";
+     *
+     * // Get the REX public key
+     * const rexPubkey = await client.getSecretSharingPubkey();
+     *
+     * // Use it for HPKE encryption
+     * const encrypted = await encryptForRex(
+     *   rexPubkey,
+     *   new TextEncoder().encode("secret data"),
+     *   keypair.publicKey.toBytes()
+     * );
+     * ```
+     */
+    getSecretSharingPubkey(): Promise<Uint8Array>;
+    /**
+     * Get the config hash prefix for replay protection.
+     *
+     * Returns the first 64 bits of the config hash, which is used
+     * for transaction replay protection across chains.
+     *
+     * @returns The config hash prefix as a bigint
+     *
+     * @example
+     * ```typescript
+     * const configHashPrefix = await client.getConfigHashPrefix();
+     * const tx = TransactionBuilder.create()
+     *   .setPayer(payer)
+     *   .setValidFrom(validFrom)
+     *   .setConfigHashPrefix(configHashPrefix)
+     *   .addInstruction(instruction)
+     *   .build();
+     * ```
+     */
+    getConfigHashPrefix(): Promise<bigint>;
+}
+
+/**
+ * RPC type definitions for the Rialo blockchain.
+ */
+
+/**
+ * Account information response.
+ */
+interface AccountInfo {
+    /** Account balance in smallest denomination */
+    balance: bigint;
+    /** Owner program public key */
+    owner: PublicKey;
+    /** Account data */
+    data: Uint8Array;
+    /** Whether the account is executable */
+    executable: boolean;
+    /** Rent epoch */
+    rentEpoch: bigint;
+}
+/**
+ * Transaction response.
+ */
+interface TransactionResponse {
+    /** Transaction signature */
+    signature: string;
+    /** Block height */
+    blockHeight?: bigint;
+    /** Error message if transaction failed */
+    err?: string;
+}
+/**
+ * Options for sending a transaction.
+ */
+interface SendTransactionOptions {
+    /** Skip preflight transaction checks */
+    skipPreflight?: boolean;
+    /** Maximum number of times to retry */
+    maxRetries?: number;
+}
+/**
+ * Epoch information response.
+ */
+interface EpochInfoResponse {
+    /** Current epoch */
+    epoch: bigint;
+    /** Current slot in the epoch */
+    slotIndex: bigint;
+    /** Total slots in the epoch */
+    slotsInEpoch: bigint;
+    /** Absolute slot number */
+    absoluteSlot: bigint;
+    /** Block height */
+    blockHeight: bigint;
+    /** Transaction count */
+    transactionCount?: bigint;
+}
+/**
+ * Subscription kind.
+ */
+type SubscriptionKind = "Persistent" | "OneShot";
+/**
+ * Subscription data.
+ */
+interface Subscription {
+    /** Type of subscription */
+    kind: SubscriptionKind;
+    /** Topic for the subscription */
+    topic: string;
+    /** Instructions to execute when triggered */
+    instructions: unknown[];
+    /** Subscriber public key (base58) */
+    subscriber: string;
+    /** Event account public key (base58) */
+    eventAccount?: string;
+    /** Timestamp range [start, end] */
+    timestampRange?: [bigint, bigint];
+}
+/**
+ * Triggered transaction data.
+ */
+interface TriggeredTransaction {
+    /** Transaction signature (base58) */
+    signature: string;
+    /** Block number where the transaction was executed */
+    blockNumber: bigint;
+}
+/**
+ * Get workflow lineage request.
+ */
+interface GetWorkflowLineageRequest {
+    /** Root transaction signature (base58) */
+    signature: string;
+    /** Maximum depth to traverse (1-100, default 3) */
+    maxDepth?: number;
+    /** Whether to include event details */
+    includeEvents?: boolean;
+}
+/**
+ * Event data from a workflow trigger.
+ */
+interface EventData {
+    /** Event topic */
+    topic: string;
+    /** Event attributes */
+    attributes: Record<string, unknown>;
+}
+/**
+ * Timestamp range.
+ */
+interface TimestampRange {
+    /** Start timestamp (unix) */
+    from: bigint;
+    /** End timestamp (unix) */
+    to: bigint;
+}
+/**
+ * Information about what triggered a workflow transaction.
+ */
+interface TriggerInfo {
+    /** Event that triggered the transaction */
+    event: EventData;
+    /** Subscription public key (base58) */
+    subscriptionPubkey: string;
+    /** Timestamp range for the trigger */
+    timestampRange?: TimestampRange;
+    /** Event account public key (base58) */
+    eventAccount?: string;
+}
+/**
+ * Transaction node data within a workflow.
+ */
+interface TransactionNodeData {
+    /** Block height */
+    blockHeight: bigint;
+    /** Timestamp (unix) */
+    timestamp: bigint;
+    /** Whether the transaction succeeded */
+    success: boolean;
+    /** Number of instructions */
+    instructionCount: number;
+    /** Program IDs of instructions (base58) */
+    instructionProgramIds: string[];
+}
+/**
+ * A node in the workflow lineage tree.
+ */
+interface WorkflowNode {
+    /** Transaction signature (base58) */
+    id: string;
+    /** Distance from root transaction */
+    depth: number;
+    /** Transaction data */
+    data: TransactionNodeData;
+    /** Subscriptions on this transaction */
+    subscriptions: Subscription[];
+    /** What triggered this transaction */
+    triggeredBy?: TriggerInfo;
+    /** Child transaction signatures (base58) */
+    workflowChildren: string[];
+    /** Whether there are more children not shown */
+    hasMoreChildren: boolean;
+}
+/**
+ * Workflow lineage tree.
+ */
+interface WorkflowLineage {
+    /** Nodes in the workflow tree */
+    workflowNodes: WorkflowNode[];
+}
+/**
+ * Reason for truncating workflow lineage traversal.
+ */
+type TruncationReason = "MaxDepth" | "MaxNodes" | "None";
+/**
+ * Get workflow lineage response.
+ */
+interface GetWorkflowLineageResponse {
+    /** Workflow lineage tree */
+    lineage: WorkflowLineage;
+    /** Leaf transaction signatures (base58) */
+    leaves: string[];
+    /** Whether traversal was truncated */
+    truncated: boolean;
+    /** Reason for truncation */
+    truncationReason: TruncationReason;
+    /** Hints for continuing traversal (base58 signatures) */
+    continuationHints: string[];
+}
+/**
+ * Get signatures for address configuration.
+ */
+interface GetSignaturesForAddressConfig {
+    /** Maximum number of signatures to return */
+    limit?: number;
+    /** Start searching backwards from this signature */
+    before?: string;
+    /** Start searching forwards from this signature */
+    until?: string;
+}
+/**
+ * Signature information.
+ */
+interface SignatureInfo {
+    signature: string;
+    blockHeight: bigint;
+    blockTime: bigint;
+    err?: string;
+}
+/**
+ * Get health response.
+ */
+type GetHealthResponse = "ok" | string;
+/**
+ * Get transactions response.
+ */
+interface GetTransactionsResponse {
+    /** Array of transaction data */
+    transactions: Array<Record<string, unknown>>;
+}
+/**
+ * Signature status from the RPC.
+ */
+interface SignatureStatus {
+    /** Slot in which the transaction was processed */
+    slot: bigint;
+    /** Whether the transaction has been executed */
+    executed: boolean;
+    /** Error message if transaction failed */
+    err?: string;
+}
+/**
+ * Options for confirming a transaction.
+ */
+interface ConfirmTransactionOptions {
+    /** Maximum number of retry attempts (default: 30) */
+    maxRetries?: number;
+    /** Delay between retries in milliseconds (default: 1000) */
+    retryDelay?: number;
+}
+/**
+ * Options for sending and confirming a transaction.
+ */
+interface SendAndConfirmOptions extends SendTransactionOptions, ConfirmTransactionOptions {
+}
+/**
+ * Result of a confirmed transaction.
+ */
+interface ConfirmedTransaction {
+    /** Transaction signature */
+    signature: string;
+    /** Whether the transaction was executed */
+    executed: boolean;
+    /** Error message if transaction failed */
+    err?: string;
+}
+/**
+ * Configuration for getAccountsByOwner.
+ */
+interface GetAccountsByOwnerConfig {
+    /** Maximum number of accounts to return */
+    limit?: number;
+    /** Cursor for pagination (base58 pubkey) */
+    after?: string;
+}
+/**
+ * Filter for getAccountsByOwner.
+ * Matches Rust serde serialization format.
+ */
+type AccountFilter = {
+    type: "programAccounts";
+} | {
+    type: "tokenAccounts";
+    mint?: string;
+};
+/**
+ * An account owned by a program or address.
+ */
+interface OwnerAccount {
+    /** Account public key */
+    pubkey: PublicKey;
+    /** Account information */
+    account: AccountInfo;
+}
+/**
+ * Pagination information.
+ */
+interface PaginationInfo {
+    /** Whether there are more results */
+    hasMore: boolean;
+    /** Cursor for next page (base58 pubkey) */
+    nextCursor?: string;
+}
+/**
+ * Get accounts by owner response.
+ */
+interface GetAccountsByOwnerResponse {
+    /** Array of owned accounts */
+    value: OwnerAccount[];
+    /** Pagination information */
+    pagination?: PaginationInfo;
+}
+/**
+ * Get secret sharing public key response.
+ *
+ * Contains the TEE's X25519 public key for HPKE encryption.
+ */
+interface GetSecretSharingPubkeyResponse {
+    /** The TEE's X25519 public key as a hex-encoded string */
+    public_key: string;
 }
 
 /**
@@ -2220,7 +3987,7 @@ interface Signer {
      * @param message - Message bytes to sign
      * @returns Ed25519 signature over the message
      */
-    signMessage(message: Uint8Array): Promise<Signature>;
+    signMessage(message: Uint8Array): Promise<Signature$1>;
 }
 
 /**
@@ -2257,7 +4024,7 @@ declare class KeypairSigner implements Signer {
     /**
      * Signs a message using the keypair's private key.
      */
-    signMessage(message: Uint8Array): Promise<Signature>;
+    signMessage(message: Uint8Array): Promise<Signature$1>;
 }
 
 /**
@@ -2561,11 +4328,15 @@ declare class Message {
     readonly accountKeys: readonly PublicKey[];
     /** Transaction valid from (milliseconds since Unix epoch) */
     validFrom?: bigint;
+    /** Config hash prefix for replay protection across chains */
+    readonly configHashPrefix: bigint;
+    /** Whether the transaction should use OCC (optimistic concurrency control) scheduling */
+    readonly occ: boolean;
     /** Compiled instructions with account indices */
     readonly instructions: readonly CompiledInstruction[];
     /** Cached serialized bytes */
     private serializedCache?;
-    constructor(header: MessageHeader, accountKeys: readonly PublicKey[], validFrom: bigint, instructions: readonly CompiledInstruction[]);
+    constructor(header: MessageHeader, accountKeys: readonly PublicKey[], validFrom: bigint, configHashPrefix: bigint, occ: boolean, instructions: readonly CompiledInstruction[]);
     /**
      * Serialize message to bytes for signing.
      * Result is cached for performance.
@@ -2703,14 +4474,14 @@ declare class Transaction {
      *
      * Most users should use sign() or signAll() instead.
      */
-    addSignature(index: number, signature: Signature | Uint8Array): Transaction;
+    addSignature(index: number, signature: Signature$1 | Uint8Array): Transaction;
     /**
      * Add a signature for a specific public key.
      * Returns a NEW Transaction instance.
      *
      * Most users should use sign() or signAll() instead.
      */
-    addSignatureForPubkey(pubkey: PublicKey, signature: Signature | Uint8Array): Transaction;
+    addSignatureForPubkey(pubkey: PublicKey, signature: Signature$1 | Uint8Array): Transaction;
     /**
      * Check if transaction is fully signed (all signatures present).
      */
@@ -2795,6 +4566,8 @@ declare class Transaction {
 declare class TransactionBuilder {
     private payer?;
     private validFrom?;
+    private configHashPrefix?;
+    private occ;
     private readonly instructions;
     private constructor();
     /**
@@ -2819,6 +4592,21 @@ declare class TransactionBuilder {
      * @param validFrom - Transaction valid from in milliseconds since Unix epoch
      */
     setValidFrom(validFrom: bigint): this;
+    /**
+     * Set the config hash prefix for replay protection.
+     *
+     * This is the first 64 bits of the config hash, used to ensure
+     * transactions cannot be replayed on different chains.
+     *
+     * @param configHashPrefix - config hash prefix as a u64
+     */
+    setConfigHashPrefix(configHashPrefix: bigint): this;
+    /**
+     * Enable OCC (optimistic concurrency control) scheduling for this transaction.
+     *
+     * @param occ - Whether to use OCC scheduling (default: false)
+     */
+    setOcc(occ: boolean): this;
     /**
      * Add an instruction to the transaction.
      *
@@ -2892,4 +4680,4 @@ declare function getMainnetUrl(): string;
  */
 declare function getLocalnetUrl(): string;
 
-export { type AccountFilter, type AccountInfo, type AccountMeta, AccountMetaTable, BASE_DERIVATION_PATH, BaseRpcClient, BincodeReader, type BincodeSchema, BincodeWriter, type Bump, type ChainDefinition, type CompiledInstruction, type ConfirmTransactionOptions, type ConfirmedTransaction, CryptoError, CryptoErrorCode, DEFAULT_NUM_ACCOUNTS, type EnumVariant, type EpochInfoResponse, type EventData, type GetAccountsByOwnerConfig, type GetAccountsByOwnerResponse, type GetHealthResponse, type GetSignaturesForAddressConfig, type GetTransactionsResponse, type GetWorkflowLineageRequest, type GetWorkflowLineageResponse, HttpTransport, type HttpTransportConfig, type IdentifierString, type InferSchema, type Instruction, KELVIN_PER_RLO, Keypair, KeypairSigner, Message, type MessageHeader, Mnemonic, type MnemonicStrength, type OwnerAccount, type PDA, PUBLIC_KEY_LENGTH, type PaginationInfo, PublicKey, QueryRpcClient, RIALO_DEVNET_CHAIN, RIALO_LOCALNET_CHAIN, RIALO_MAINNET_CHAIN, RIALO_SHITNET_CHAIN, RIALO_TESTNET_CHAIN, RialoClient, type RialoClientConfig, RialoError, RialoErrorType, type RialoNetwork, RpcError, RpcErrorCode, type RpcErrorDetails$1 as RpcErrorDetails, SECRET_KEY_LENGTH, SIGNATURE_LENGTH, SYSTEM_PROGRAM_ID, Schema, type Seed, type SendAndConfirmOptions, type SendTransactionOptions, Signature, type SignatureInfo, type SignatureStatus, type Signer, type StructField, type Subscription, type SubscriptionKind, SystemInstruction, type TimestampRange, Transaction, TransactionBuilder, TransactionError, TransactionErrorCode, type TransactionNodeData, type TransactionResponse, TransactionRpcClient, type TriggerInfo, type TriggeredTransaction, type TruncationReason, URL_DEVNET, URL_LOCALNET, URL_MAINNET, URL_SHITNET, URL_TESTNET, type WorkflowLineage, type WorkflowNode, allocateInstruction, assignInstruction, calculateBackoff, concatBytes, createAccount, createBorshInstruction, createRialoClient, deserialize, deserializeBorsh, deserializeCompactU16, deserializeStrict, encodeBorshData, fromBase64, getDefaultRialoClientConfig, getDevnetUrl, getLocalnetUrl, getMainnetUrl, getTestnetUrl, isOnCurve, seedToBytes, serialize, serializeBorsh, serializeCompactU16, sleep, toBase64, transferInstruction, writeCompactU16 };
+export { type AccountFilter, type AccountFilterParam, type AccountInfo, type AccountMeta, AccountMetaTable, BASE_DERIVATION_PATH, BaseRpcClient, BincodeReader, type BincodeSchema, BincodeWriter, type Bump, CHACHA20_POLY1305_TAG_LENGTH, type ChainDefinition, type CompiledInstruction, type ConfirmTransactionOptions, type ConfirmedTransaction, CryptoError, CryptoErrorCode, DEFAULT_NUM_ACCOUNTS, ED25519_PUBLIC_KEY_LENGTH, type EnumVariant, type EpochInfoResponse, type EventData, type GetAccountsByOwnerConfig, type GetAccountsByOwnerResponse, type GetHealthResponse, type GetSecretSharingPubkeyResponse, type GetSignaturesForAddressConfig, type GetTransactionsResponse, type GetWorkflowLineageRequest, type GetWorkflowLineageResponse, HPKE_ENC_LENGTH, HPKE_OVERHEAD_LENGTH, HpkeError, HpkeErrorCode, HttpTransport, type HttpTransportConfig, type IdentifierString, type InferSchema, type Instruction, KELVIN_PER_RLO, Keypair, KeypairSigner, Message, type MessageHeader, Mnemonic, type MnemonicStrength, type OwnerAccount, type PDA, PUBLIC_KEY_LENGTH, type PaginationInfo, PublicKey, QueryRpcClient, RIALO_DEVNET_CHAIN, RIALO_LOCALNET_CHAIN, RIALO_MAINNET_CHAIN, RIALO_TESTNET_CHAIN, RexValue, RexValueVariant, RialoClient, type RialoClientConfig, RialoError, RialoErrorType, type RialoNetwork, RpcError, RpcErrorCode, type RpcErrorDetails$1 as RpcErrorDetails, SECRET_KEY_LENGTH, SECRET_SHARING_HPKE_INFO, SIGNATURE_LENGTH, SYSTEM_PROGRAM_ID, Schema, type Seed, type SendAndConfirmOptions, type SendTransactionOptions, Signature$1 as Signature, type SignatureInfo, type SignatureStatus, type Signer, type StructField, type Subscription, type SubscriptionKind, SystemInstruction, type TimestampRange, Transaction, TransactionBuilder, TransactionError, TransactionErrorCode, type TransactionNodeData, type TransactionResponse, TransactionRpcClient, type TriggerInfo, type TriggeredTransaction, type TruncationReason, URL_DEVNET, URL_LOCALNET, URL_MAINNET, URL_TESTNET, USER_SECRET_AAD, type WorkflowLineage, type WorkflowNode, X25519_PUBLIC_KEY_LENGTH, allocateInstruction, assignInstruction, calculateBackoff, concatBytes, createAccount, createBorshInstruction, createRialoClient, deserialize, deserializeBorsh, deserializeCompactU16, deserializeStrict, encodeBorshData, encryptForRex, fromBase64, getCiphertextLength, getDefaultRialoClientConfig, getDevnetUrl, getLocalnetUrl, getMainnetUrl, getTestnetUrl, hpkeEncrypt, isOnCurve, isValidCiphertextLength, seedToBytes, serialize, serializeBorsh, serializeCompactU16, sleep, toBase64, transferInstruction, writeCompactU16 };