@veridex/sdk 1.0.0-beta.9 → 1.1.0

package/dist/index.d.mts

@@ -1,18 +1,27 @@
-import { c as WalletManagerConfig, P as PasskeyCredential, U as UnifiedIdentity, d as ChainAddress, B as BridgeParams, a as ChainConfig, e as VAA, f as VeridexPayload, g as PreparedTransfer, h as PreparedBridge, i as VeridexConfig, C as ChainClient, T as TransferParams, E as ExecuteParams, D as DispatchResult, j as BridgeResult, k as TransferResult, l as ReceiveAddress, m as VaultInfo, V as VaultCreationResult, I as IdentityState, A as AuthorizedKey, n as AddBackupKeyResult, o as RemoveKeyResult } from './types-ChIsqCiw.mjs';
-export { u as ActionPayload, r as BridgeAction, t as ConfigAction, p as ConfigParams, y as CrossChainFees, s as ExecuteAction, w as TestResult, x as TransactionHistoryEntry, q as TransferAction, v as VAASignature, W as WebAuthnSignature } from './types-ChIsqCiw.mjs';
-import { P as PasskeyManager } from './index-D0dLVjTA.mjs';
-export { E as EVMHubClientAdapter, H as HubClient, S as SessionManager } from './index-D0dLVjTA.mjs';
+import { b as WalletManagerConfig, P as PasskeyCredential, U as UnifiedIdentity, c as ChainAddress, B as BridgeParams, a as ChainConfig, d as VAA, e as VeridexPayload, f as PreparedTransfer, g as PreparedBridge, C as ChainClient, W as WebAuthnSignature, T as TransferParams, E as ExecuteParams, D as DispatchResult, h as VeridexConfig, i as BridgeResult, j as TransferResult, R as ReceiveAddress, k as VaultInfo, V as VaultCreationResult, I as IdentityState, A as AuthorizedKey, l as AddBackupKeyResult, m as RemoveKeyResult } from './types-DP2CQT8p.mjs';
+export { s as ActionPayload, p as BridgeAction, r as ConfigAction, n as ConfigParams, w as CrossChainFees, q as ExecuteAction, u as TestResult, v as TransactionHistoryEntry, o as TransferAction, t as VAASignature } from './types-DP2CQT8p.mjs';
+import { PasskeyManager, PasskeyCredential as PasskeyCredential$1, WebAuthnSignature as WebAuthnSignature$1 } from './passkey.mjs';
+export { PasskeyManagerConfig, VERIDEX_RP_ID, detectRpId, supportsRelatedOrigins } from './passkey.mjs';
 import { ethers } from 'ethers';
-import { BridgeParams as BridgeParams$1, ChainConfig as ChainConfig$1 } from './types.mjs';
-export { AddGuardianResult, ApproveRecoveryResult, CancelRecoveryResult, ExecuteRecoveryResult, ExecutionPath, GuardianConfig, InitiateRecoveryResult, QueryProof, QuerySubmissionResult, RecoveryStatus, RegisterSessionParams, RemoveGuardianResult, RevokeSessionParams, SessionKey, SessionValidationResult, SetupGuardiansResult } from './types.mjs';
-import { a as SessionStorage, S as SessionKey } from './types-FJL7j6gQ.mjs';
-export { A as ActionParams, b as SessionConfig, i as SessionError, h as SessionErrorCode, e as SessionEvent, f as SessionEventCallback, d as SessionManagerConfig, c as SessionSignature, g as SessionSignedAction } from './types-FJL7j6gQ.mjs';
+import { BridgeParams as BridgeParams$1, ChainConfig as ChainConfig$1, SessionKey } from './types.mjs';
+export { AddGuardianResult, ApproveRecoveryResult, CancelRecoveryResult, ExecuteRecoveryResult, ExecutionPath, GuardianConfig, InitiateRecoveryResult, QueryProof, QuerySubmissionResult, RecoveryStatus, RegisterSessionParams, RemoveGuardianResult, RevokeSessionParams, SessionValidationResult, SetupGuardiansResult } from './types.mjs';
+export { E as EVMHubClientAdapter, H as HubClient, S as SessionManager } from './index-DDalBhAm.mjs';
+export { E as EVMClient, a as EVMClientConfig } from './EVMClient-DtqvdfUP.mjs';
+export { SolanaClient, SolanaClientConfig } from './chains/solana/index.mjs';
+export { AptosClient, AptosClientConfig } from './chains/aptos/index.mjs';
+export { SuiClient, SuiClientConfig } from './chains/sui/index.mjs';
+export { StarknetClient, StarknetClientConfig } from './chains/starknet/index.mjs';
+export { FtPostCondition, NftPostCondition, PostConditionComparison, STACKS_ACTION_TYPES, StacksClient, StacksClientConfig, PostCondition as StacksPostCondition, StxPostCondition, buildSbtcWithdrawalPostConditions, buildExecutePostConditions as buildStacksExecutePostConditions, buildStxDepositPostConditions, buildStxWithdrawalPostConditions, getContractPrincipal as getStacksContractPrincipal, getStacksExplorerAddressUrl, getStacksExplorerTxUrl, getNetworkFromAddress as getStacksNetworkFromAddress, isContractPrincipal as isStacksContractPrincipal, isValidContractName as isValidStacksContractName, isValidStacksPrincipal, isValidStandardPrincipal as isValidStacksStandardPrincipal, parseContractPrincipal as parseStacksContractPrincipal, buildExecuteHash as stacksBuildExecuteHash, buildRegistrationHash as stacksBuildRegistrationHash, buildRevocationHash as stacksBuildRevocationHash, buildSessionRegistrationHash as stacksBuildSessionRegistrationHash, buildWithdrawalHash as stacksBuildWithdrawalHash, compressPublicKey as stacksCompressPublicKey, computeKeyHash as stacksComputeKeyHash, computeKeyHashFromCoords as stacksComputeKeyHashFromCoords, derToCompactSignature as stacksDerToCompactSignature, rsToCompactSignature as stacksRsToCompactSignature, validatePostConditions as validateStacksPostConditions } from './chains/stacks/index.mjs';
+import { S as SessionStorage, a as SessionKey$1 } from './types-B7V5VNbO.mjs';
+export { A as ActionParams, b as SessionConfig, i as SessionError, h as SessionErrorCode, e as SessionEvent, f as SessionEventCallback, d as SessionManagerConfig, c as SessionSignature, g as SessionSignedAction } from './types-B7V5VNbO.mjs';
+export { CONSISTENCY_LEVELS, FetchVAAOptions, GUARDIAN_CONFIG, WaitForSignaturesOptions, emitterToEvmAddress, encodeVAAForSolana, encodeVAAToBytes, evmAddressToBytes32, fetchVAA, fetchVAAByTxHash, fetchVAAByTxHashFallback, getSequenceFromTxReceipt, getWormholeCoreBridge, getWormholeRelayer, getWormholeTokenBridge, hasQuorum, normalizeEmitterAddress, parseVAA, parseVAABytes, parseVeridexPayload, supportsRelayer, validateEmitter, waitForGuardianSignatures } from './wormhole.mjs';
 export { ACTION_BRIDGE, ACTION_CONFIG, ACTION_EXECUTE, ACTION_TRANSFER, ACTION_TYPES, HUB_ABI, MAINNET_CHAINS, PROTOCOL_VERSION, TESTNET_CHAINS, VAULT_ABI, VAULT_FACTORY_ABI, WORMHOLE_API, WORMHOLE_CHAIN_IDS, WORMHOLE_CHAIN_IDS_FLAT } from './constants.mjs';
 export { base64URLDecode, base64URLEncode, computeKeyHash, encodeSignatureForSolidity, getAddressExplorerUrl, getChainByEvmId, getChainByWormholeId, getTxExplorerUrl, isEvmChain, isValidBytes32, isValidEvmAddress, isValidWormholeChainId, parseDERSignature, retryWithBackoff } from './utils.mjs';
 export { buildChallenge, buildGaslessChallenge, createGaslessMessageHash, createMessageHash, decodeActionPayload, decodeBridgeAction, decodeExecuteAction, decodeTransferAction, encodeAptosTransferAction, encodeBridgeAction, encodeConfigAction, encodeExecuteAction, encodeSolanaTransferAction, encodeSuiTransferAction, encodeTransferAction, encodeVeridexPayload, formatAmount, generateNonce, padTo32Bytes, parseAmount, solanaAddressToBytes32, trimTo20Bytes } from './payload.mjs';
-export { HubStateQuery, HubStateResult, PortfolioChainErrorCode, PortfolioChainResult, PortfolioQuery, PortfolioResult, QueryConfig, QueryHubStateError, QueryHubStateErrorCode, QueryHubStateNetwork, QueryHubStateOptions, QueryNetwork, QueryOperation, QueryOperationType, QueryPortfolioError, QueryPortfolioErrorCode, QueryPortfolioNetwork, QueryPortfolioOptions, QueryRequest, QueryResponse, WORMHOLE_QUERY_CHAIN_IDS, WORMHOLE_QUERY_PROXY_URLS, WORMHOLE_QUERY_RATE_LIMIT_PER_SECOND, queryHubState, queryPortfolio } from './queries/index.mjs';
-export { CONSISTENCY_LEVELS, FetchVAAOptions, GUARDIAN_CONFIG, WaitForSignaturesOptions, emitterToEvmAddress, encodeVAAForSolana, encodeVAAToBytes, evmAddressToBytes32, fetchVAA, fetchVAAByTxHash, fetchVAAByTxHashFallback, getSequenceFromTxReceipt, getWormholeCoreBridge, getWormholeRelayer, getWormholeTokenBridge, hasQuorum, normalizeEmitterAddress, parseVAA, parseVAABytes, parseVeridexPayload, supportsRelayer, validateEmitter, waitForGuardianSignatures } from './wormhole.mjs';
-import '@wormhole-foundation/wormhole-query-sdk';
+import '@solana/web3.js';
+import '@aptos-labs/ts-sdk';
+import '@mysten/sui/client';
+import 'starknet';
 
 /**
  * Veridex Protocol SDK - Wallet Manager
@@ -174,6 +183,8 @@ declare const EVM_ZERO_ADDRESS = "0x0000000000000000000000000000000000000000";
 declare const BASE_SEPOLIA_TOKENS: ChainTokenList;
 declare const OPTIMISM_SEPOLIA_TOKENS: ChainTokenList;
 declare const ARBITRUM_SEPOLIA_TOKENS: ChainTokenList;
+declare const ETHEREUM_SEPOLIA_TOKENS: ChainTokenList;
+declare const MONAD_TESTNET_TOKENS: ChainTokenList;
 /**
  * All token lists indexed by Wormhole chain ID
  */
@@ -1406,199 +1417,1401 @@ declare class SpendingLimitsManager {
 declare function createSpendingLimitsManager(config?: SpendingLimitsManagerConfig): SpendingLimitsManager;
 
 /**
- * Gas Sponsor Module
+ * Veridex Protocol SDK - Chain Presets
  *
- * Handles sponsored (gasless) vault creation for Veridex users.
- * Uses a Veridex-owned wallet to pay gas fees on behalf of users.
+ * Pre-configured chain settings for easy SDK initialization.
+ * Developers only need to specify chain name and network type.
  *
- * This is a temporary solution until the full relayer is built.
- * In the future, this will be handled by:
- * - ERC-4337 Account Abstraction with Paymasters
- * - Dedicated Relayer service
+ * @example
+ * ```typescript
+ * import { createSDK } from '@veridex/sdk';
+ *
+ * // Simple initialization - testnet by default
+ * const sdk = await createSDK('base');
+ *
+ * // Or specify mainnet
+ * const mainnetSdk = await createSDK('base', { network: 'mainnet' });
+ * ```
  */
-interface ChainDeploymentConfig {
-    name: string;
-    chainId: number;
-    wormholeChainId: number;
-    rpcUrl: string;
-    vaultFactory?: string;
-    hubAddress?: string;
-    isHub?: boolean;
-}
-interface SponsoredVaultResult {
-    success: boolean;
-    chain: string;
-    wormholeChainId: number;
-    vaultAddress?: string;
-    transactionHash?: string;
-    error?: string;
-    alreadyExists?: boolean;
-}
-interface MultiChainVaultResult {
-    keyHash: string;
-    results: SponsoredVaultResult[];
-    allSuccessful: boolean;
-    vaultAddresses: Record<number, string>;
-}
-interface GasSponsorConfig {
-    /**
-     * Private key for the sponsor wallet (from env or secure storage)
-     * This is the fallback when relayer is not available
-     */
-    sponsorPrivateKey?: string;
-    /**
-     * Integrator-provided sponsor key (for platforms using Veridex SDK)
-     * Takes priority over Veridex default sponsorship
-     */
-    integratorSponsorKey?: string;
-    /**
-     * Relayer API endpoint for remote sponsorship (primary method)
-     * When available, this takes priority over local wallet sponsorship
-     */
-    relayerUrl?: string;
-    /** API key for relayer service authentication */
-    relayerApiKey?: string;
-    /** @deprecated Use relayerUrl instead */
-    sponsorApiUrl?: string;
-    /** @deprecated Use relayerApiKey instead */
-    sponsorApiKey?: string;
-    /** Whether to use testnet configurations */
-    testnet?: boolean;
-    /** Custom RPC URLs by wormhole chain ID */
-    customRpcUrls?: Record<number, string>;
-}
-/** Sponsorship source type */
-type SponsorshipSource = 'relayer' | 'integrator' | 'veridex' | 'none';
+
 /**
- * Gas Sponsorship with layered fallback:
- * 1. Relayer (primary) - Remote relayer service handles gas
- * 2. Integrator wallet - Platform using SDK provides their own sponsor key
- * 3. Veridex wallet (fallback) - Veridex's default sponsor wallet
+ * All supported chain names for easy reference
  */
-declare class GasSponsor {
-    private config;
-    private sponsorWallet?;
-    private integratorWallet?;
-    private chains;
-    constructor(config?: GasSponsorConfig);
-    /**
-     * Determine which sponsorship source is available
-     * Priority: Relayer > Integrator > Veridex > None
-     */
-    getSponsorshipSource(): SponsorshipSource;
-    /**
-     * Get the active sponsor wallet (integrator takes priority)
-     */
-    private getActiveWallet;
-    /**
-     * Get supported chains for vault deployment
-     */
-    getSupportedChains(): ChainDeploymentConfig[];
-    /**
-     * Get the hub chain configuration
-     */
-    getHubChain(): ChainDeploymentConfig | undefined;
-    /**
-     * Check if sponsor is configured (has relayer, integrator key, or Veridex key)
-     */
-    isConfigured(): boolean;
-    /**
-     * Get sponsor wallet balance on a specific chain
-     */
-    getSponsorBalance(wormholeChainId: number): Promise<bigint>;
-    /**
-     * Check if a vault exists for a given key hash on a chain
-     */
-    checkVaultExists(keyHash: string, wormholeChainId: number): Promise<{
-        exists: boolean;
-        address: string;
-    }>;
-    /**
-     * Get predicted vault address for a key hash on a chain
-     */
-    computeVaultAddress(keyHash: string, wormholeChainId: number): Promise<string | null>;
-    /**
-     * Create a vault on a specific chain (sponsored)
-     *
-     * Sponsorship priority:
-     * 1. Relayer API (future - not yet implemented)
-     * 2. Integrator wallet (if provided)
-     * 3. Veridex sponsor wallet (fallback)
-     */
-    createVaultOnChain(keyHash: string, wormholeChainId: number): Promise<SponsoredVaultResult>;
-    /**
-     * Create vault via relayer service (future primary method)
-     *
-     * The relayer handles:
-     * - Gas payment on behalf of users
-     * - Transaction submission and monitoring
-     * - Rate limiting and abuse prevention
-     */
-    private createVaultViaRelayer;
-    /**
-     * Create vault with a specific wallet (internal helper)
-     */
-    private createVaultWithWallet;
-    /**
-     * Create vaults on all supported chains (sponsored)
-     */
-    createVaultsOnAllChains(keyHash: string): Promise<MultiChainVaultResult>;
-    /**
-     * Check vault status on all chains
-     */
-    checkVaultsOnAllChains(keyHash: string): Promise<Record<number, {
-        exists: boolean;
-        address: string;
-    }>>;
+declare const CHAIN_NAMES: {
+    readonly BASE: "base";
+    readonly OPTIMISM: "optimism";
+    readonly ARBITRUM: "arbitrum";
+    readonly SCROLL: "scroll";
+    readonly BLAST: "blast";
+    readonly MANTLE: "mantle";
+    readonly ETHEREUM: "ethereum";
+    readonly POLYGON: "polygon";
+    readonly BSC: "bsc";
+    readonly AVALANCHE: "avalanche";
+    readonly FANTOM: "fantom";
+    readonly CELO: "celo";
+    readonly MOONBEAM: "moonbeam";
+    readonly MONAD: "monad";
+    readonly SOLANA: "solana";
+    readonly APTOS: "aptos";
+    readonly SUI: "sui";
+    readonly STARKNET: "starknet";
+    readonly STACKS: "stacks";
+    readonly NEAR: "near";
+    readonly SEI: "sei";
+};
+type ChainName = typeof CHAIN_NAMES[keyof typeof CHAIN_NAMES];
+type NetworkType = 'mainnet' | 'testnet';
+interface ChainPreset {
+    /** Human-readable chain name */
+    displayName: string;
+    /** Chain type for client selection */
+    type: 'evm' | 'solana' | 'aptos' | 'sui' | 'starknet' | 'stacks' | 'near' | 'cosmos';
+    /** Whether this chain can be a hub */
+    canBeHub: boolean;
+    /** Testnet configuration */
+    testnet: ChainConfig$1;
+    /** Mainnet configuration */
+    mainnet: ChainConfig$1;
 }
+declare const CHAIN_PRESETS: Record<ChainName, ChainPreset>;
 /**
- * Create a GasSponsor instance
+ * Get chain configuration by name and network
+ */
+declare function getChainConfig(chain: ChainName, network?: NetworkType): ChainConfig$1;
+/**
+ * Get chain preset by name
+ */
+declare function getChainPreset(chain: ChainName): ChainPreset;
+/**
+ * Get all supported chain names
+ */
+declare function getSupportedChains(): ChainName[];
+/**
+ * Get hub-capable chains.
  *
- * @example
- * ```ts
- * // With environment variable
- * const sponsor = createGasSponsor({
- *   sponsorPrivateKey: process.env.VERIDEX_SPONSOR_KEY,
- *   testnet: true,
- * });
+ * When multi-hub feature flag is disabled, returns only the primary hub chain ('base').
+ * When enabled, returns all chains with canBeHub: true.
+ */
+declare function getHubChains(): ChainName[];
+/**
+ * Check if chain is supported
+ */
+declare function isChainSupported(chain: string): chain is ChainName;
+/**
+ * Check if a specific chain is currently acting as a hub.
  *
- * // Create vaults for a user
- * const result = await sponsor.createVaultsOnAllChains(userKeyHash);
- * ```
+ * When multi-hub is disabled, only the primary hub ('base') returns true.
+ * When enabled, any chain with canBeHub: true returns true.
  */
-declare function createGasSponsor(config?: GasSponsorConfig): GasSponsor;
+declare function isHubChain(chain: ChainName): boolean;
+/**
+ * Get default hub chain.
+ *
+ * Returns the effective primary hub's config. When multi-hub is disabled,
+ * this always returns Base. When enabled, it returns the configured primary hub.
+ */
+declare function getDefaultHub(network?: NetworkType): ChainConfig$1;
 
-declare class VeridexSDK {
-    readonly passkey: PasskeyManager;
-    readonly wallet: WalletManager;
-    readonly balance: BalanceManager;
-    readonly transactions: TransactionTracker;
-    readonly crossChain: CrossChainManager;
-    readonly sponsor: GasSponsor;
-    readonly transactionParser: TransactionParser;
-    readonly spendingLimits: SpendingLimitsManager;
-    private readonly chain;
-    private readonly relayer?;
-    private readonly queryApiKey?;
-    private readonly testnet;
-    private readonly sponsorPrivateKey?;
-    private readonly chainRpcUrls?;
-    private readonly chainDetector;
-    private unifiedIdentity;
-    constructor(config: VeridexConfig);
-    getChainConfig(): ChainConfig;
-    getChainClient(): ChainClient;
-    getNonce(): Promise<bigint>;
-    getMessageFee(): Promise<bigint>;
-    buildTransferPayload(params: TransferParams): Promise<string>;
-    buildExecutePayload(params: ExecuteParams): Promise<string>;
-    buildBridgePayload(params: BridgeParams): Promise<string>;
-    transfer(params: TransferParams, signer: any): Promise<DispatchResult>;
-    execute(params: ExecuteParams, signer: any): Promise<DispatchResult>;
-    bridge(params: BridgeParams, signer: any): Promise<DispatchResult>;
-    /**
-     * Prepare a bridge/cross-chain transfer with fee estimation
-     *
+/**
+ * Veridex Protocol SDK - Relayer Client
+ *
+ * Client for interacting with the Veridex relayer service.
+ * The relayer automatically submits VAAs to destination chains.
+ *
+ * Features:
+ * - Submit VAA for relay
+ * - Check relay status
+ * - Get supported routes
+ * - Fee estimation
+ */
+/**
+ * Relay request status
+ */
+type RelayStatus = 'pending' | 'processing' | 'submitted' | 'confirmed' | 'failed';
+/**
+ * Relay request result
+ */
+interface RelayRequest {
+    /** Unique relay request ID */
+    id: string;
+    /** VAA sequence number */
+    sequence: bigint;
+    /** Source chain Wormhole ID */
+    sourceChain: number;
+    /** Destination chain Wormhole ID */
+    destinationChain: number;
+    /** Relay status */
+    status: RelayStatus;
+    /** Source transaction hash */
+    sourceTxHash: string;
+    /** Destination transaction hash (when completed) */
+    destinationTxHash?: string;
+    /** Timestamp when request was created */
+    createdAt: number;
+    /** Timestamp when request was last updated */
+    updatedAt: number;
+    /** Error message if failed */
+    error?: string;
+    /** Gas used on destination chain */
+    gasUsed?: bigint;
+    /** Fee paid */
+    feePaid?: bigint;
+}
+/**
+ * Supported route information
+ */
+interface RelayRoute {
+    /** Source chain Wormhole ID */
+    sourceChain: number;
+    /** Destination chain Wormhole ID */
+    destinationChain: number;
+    /** Whether the route is active */
+    active: boolean;
+    /** Estimated relay time in seconds */
+    estimatedTimeSeconds: number;
+    /** Base fee in destination chain native token */
+    baseFee: bigint;
+    /** Fee per gas unit */
+    gasPrice: bigint;
+    /** Maximum gas limit */
+    maxGas: bigint;
+}
+/**
+ * Relayer service info
+ */
+interface RelayerInfo {
+    /** Relayer name/identifier */
+    name: string;
+    /** Relayer version */
+    version: string;
+    /** Supported chains */
+    supportedChains: number[];
+    /** Available routes */
+    routes: RelayRoute[];
+    /** Whether the relayer is online */
+    online: boolean;
+    /** Current queue depth */
+    queueDepth: number;
+}
+/**
+ * Request body for submitting a signed action to the relayer (gasless)
+ * Uses full WebAuthn data for authenticateAndDispatch
+ */
+interface SubmitSignedActionRequest {
+    /** WebAuthn authenticatorData (hex) */
+    authenticatorData: string;
+    /** WebAuthn clientDataJSON (raw string) */
+    clientDataJSON: string;
+    /** Index of "challenge":"..." in clientDataJSON */
+    challengeIndex: number;
+    /** Index of "type":"..." in clientDataJSON */
+    typeIndex: number;
+    /** P-256 signature r component (hex) */
+    r: string;
+    /** P-256 signature s component (hex) */
+    s: string;
+    /** P-256 public key X coordinate (hex) */
+    publicKeyX: string;
+    /** P-256 public key Y coordinate (hex) */
+    publicKeyY: string;
+    /** Target chain Wormhole ID */
+    targetChain: number;
+    /** Action payload (hex) */
+    actionPayload: string;
+    /** User nonce */
+    nonce: number;
+}
+/**
+ * Response from submitting a signed action
+ */
+interface SubmitActionResult {
+    /** Whether the submission was successful */
+    success: boolean;
+    /** Transaction hash on Hub chain */
+    txHash?: string;
+    /** Wormhole sequence number */
+    sequence?: string;
+    /** Error message if failed */
+    error?: string;
+    /** Human-readable message */
+    message?: string;
+}
+/**
+ * Query submission request (Issue #11/#12)
+ * For optimistic execution via Wormhole Query proofs (~5-7s vs ~120s)
+ */
+interface SubmitQueryRequest {
+    /** Target spoke chain Wormhole ID */
+    targetChain: number;
+    /** User's key hash */
+    userKeyHash: string;
+    /** Serialized transaction for spoke chain */
+    serializedTx: string;
+    /** Query proof with Guardian signatures */
+    queryProof: {
+        /** Raw query response bytes */
+        queryResponse: string;
+        /** Guardian signatures */
+        signatures: string;
+    };
+    /** Whether to fallback to VAA if Query fails */
+    fallbackToVaa?: boolean;
+    /** Optional metadata */
+    metadata?: {
+        /** User's preferred execution path */
+        preferredPath?: 'query' | 'vaa';
+        /** Transaction value in USD (for routing decisions) */
+        estimatedValueUSD?: number;
+    };
+}
+/**
+ * Query submission result (Issue #11/#12)
+ */
+interface SubmitQueryResult {
+    /** Whether submission succeeded */
+    success: boolean;
+    /** Transaction hash on spoke chain */
+    txHash?: string;
+    /** Execution path used */
+    path: 'query' | 'vaa';
+    /** Latency in milliseconds */
+    latencyMs?: number;
+    /** Error message if failed */
+    error?: string;
+    /** Whether fallback to VAA occurred */
+    fellBack?: boolean;
+}
+/**
+ * Fee quote for a relay
+ */
+interface RelayFeeQuote {
+    /** Source chain Wormhole ID */
+    sourceChain: number;
+    /** Destination chain Wormhole ID */
+    destinationChain: number;
+    /** Estimated fee in source chain native token */
+    feeInSourceToken: bigint;
+    /** Estimated fee in destination chain native token */
+    feeInDestinationToken: bigint;
+    /** Estimated gas on destination */
+    estimatedGas: bigint;
+    /** Quote expiration timestamp */
+    expiresAt: number;
+    /** Quote ID for submission */
+    quoteId: string;
+}
+/**
+ * Configuration for RelayerClient
+ */
+interface RelayerClientConfig {
+    /** Base URL of the relayer service */
+    baseUrl: string;
+    /** API key for authentication (optional) */
+    apiKey?: string;
+    /** Timeout for requests in ms */
+    timeoutMs?: number;
+    /** Max retries for failed requests */
+    maxRetries?: number;
+}
+type RegisteredAppStatus = 'active' | 'suspended' | 'revoked';
+type RegisteredAppTrustLevel = 'verified' | 'registered' | 'pending';
+interface RegisteredAppSummary {
+    id: string;
+    name: string;
+    origin: string;
+    trustLevel: RegisteredAppTrustLevel;
+    status: RegisteredAppStatus;
+    requestCount: number;
+    createdAt: number;
+    lastUsedAt?: number;
+}
+interface RegisteredAppDetail extends RegisteredAppSummary {
+    description?: string;
+    apiKey?: string;
+    activeSessionCount?: number;
+}
+interface RelayerAppSession {
+    id: string;
+    keyHash: string;
+    appOrigin: string;
+    sessionPublicKey: string;
+    permissions: string[];
+    expiresAt: number;
+    createdAt: number;
+    revoked: boolean;
+    active: boolean;
+}
+interface CredentialMetadataRecord {
+    credentialId: string;
+    keyHash: string;
+    displayName: string;
+    platformHint: string;
+    backupEligible: boolean | null;
+    backupState: boolean | null;
+    isRoot: boolean;
+    status: 'active' | 'revoked';
+    lastUsedAt: number | null;
+    useCount: number;
+    createdAt: number;
+    updatedAt: number;
+}
+/**
+ * Client for the Veridex relayer service
+ */
+declare class RelayerClient {
+    private baseUrl;
+    private config;
+    constructor(config: RelayerClientConfig);
+    /**
+     * Submit a VAA for relay to destination chain
+     */
+    submitRelay(vaaBase64: string, sourceChain: number, destinationChain: number, sourceTxHash: string, sequence: bigint, feeQuoteId?: string): Promise<RelayRequest>;
+    /**
+     * Submit a signed action to the relayer for gasless execution
+     *
+     * This allows users to execute transfers without paying gas themselves.
+     * The relayer will submit the transaction to the Hub chain and pay the gas.
+     * The relayer then automatically relays the VAA to the destination spoke chain.
+     *
+     * @param request - The signed action request with passkey signature
+     * @returns Result including Hub tx hash and Wormhole sequence
+     */
+    submitSignedAction(request: SubmitSignedActionRequest): Promise<SubmitActionResult>;
+    /**
+     * Submit a Query-based transaction for optimistic execution (Issue #11/#12)
+     *
+     * Uses Wormhole Cross-Chain Queries (CCQ) to achieve ~5-7 second latency
+     * vs ~120+ seconds for traditional VAA flow.
+     *
+     * Flow:
+     * 1. Client fetches Hub state via queryHubState() from SDK
+     * 2. Client constructs and signs transaction
+     * 3. Client submits Query proof + tx to this endpoint
+     * 4. Relayer validates format and submits to spoke chain
+     * 5. Spoke chain verifies Guardian signatures on-chain
+     *
+     * @param request - Query submission with Guardian-signed proof
+     * @returns Result including spoke tx hash and execution path
+     */
+    submitQuery(request: SubmitQueryRequest): Promise<SubmitQueryResult>;
+    /**
+     * Get relay request status
+     */
+    getRelayStatus(requestId: string): Promise<RelayRequest>;
+    /**
+     * Get relay status by source transaction hash
+     */
+    getRelayBySourceTx(sourceTxHash: string): Promise<RelayRequest | null>;
+    /**
+     * Get relay status by sequence number
+     */
+    getRelayBySequence(sourceChain: number, sequence: bigint): Promise<RelayRequest | null>;
+    /**
+     * Cancel a pending relay request
+     */
+    cancelRelay(requestId: string): Promise<boolean>;
+    /**
+     * Poll for relay completion
+     */
+    waitForRelay(requestId: string, timeoutMs?: number, pollingIntervalMs?: number, onProgress?: (status: RelayStatus) => void): Promise<RelayRequest>;
+    /**
+     * Get fee quote for a relay
+     */
+    getFeeQuote(sourceChain: number, destinationChain: number, estimatedGas?: bigint): Promise<RelayFeeQuote>;
+    /**
+     * Get relayer service info
+     */
+    getInfo(): Promise<RelayerInfo>;
+    /**
+     * Get supported routes
+     */
+    getRoutes(): Promise<RelayRoute[]>;
+    /**
+     * Check if a route is supported
+     */
+    isRouteSupported(sourceChain: number, destinationChain: number): Promise<boolean>;
+    /**
+     * Check relayer health
+     */
+    healthCheck(): Promise<boolean>;
+    listApps(): Promise<RegisteredAppSummary[]>;
+    getApp(appId: string): Promise<RegisteredAppDetail>;
+    updateAppStatus(appId: string, status: RegisteredAppStatus): Promise<void>;
+    updateAppTrustLevel(appId: string, trustLevel: RegisteredAppTrustLevel): Promise<void>;
+    listAppSessions(appId: string, options?: {
+        includeRevoked?: boolean;
+    }): Promise<RelayerAppSession[]>;
+    revokeAppSessions(appId: string, sessionId?: string): Promise<number>;
+    listCredentialMetadata(keyHash: string): Promise<CredentialMetadataRecord[]>;
+    /**
+     * Get all pending relay requests for a user
+     */
+    getPendingRelays(userKeyHash: string): Promise<RelayRequest[]>;
+    /**
+     * Get relay history for a user
+     */
+    getRelayHistory(userKeyHash: string, limit?: number, offset?: number): Promise<RelayRequest[]>;
+    /**
+     * SDK version for telemetry
+     */
+    private static readonly SDK_VERSION;
+    /**
+     * Make an HTTP request to the relayer
+     */
+    private fetch;
+    /**
+     * Sleep helper
+     */
+    private sleep;
+}
+/**
+ * Create a RelayerClient instance
+ */
+declare function createRelayerClient(config: RelayerClientConfig): RelayerClient;
+
+type RecoveryStatusResult$1 = {
+    isActive: boolean;
+    newOwnerKeyHash: string;
+    initiatedAt: bigint;
+    approvalCount: bigint;
+    threshold: bigint;
+    canExecuteAt: bigint;
+    expiresAt: bigint;
+};
+interface PortabilityOverview {
+    credential: PasskeyCredential$1;
+    unifiedIdentity: UnifiedIdentity;
+    supportedChainIdentity: UnifiedIdentity;
+    localCredentialCount: number;
+    remoteCredentials: CredentialMetadataRecord[];
+    syncedCredentialCount: number;
+    backupEligibleCount: number;
+    backupBackedCount: number;
+    rootCredentialCount: number;
+    supportedChainCount: number;
+    nonEvmAddressCount: number;
+}
+interface RecoveryOverview {
+    identityKeyHash: string;
+    guardians: string[];
+    threshold: bigint;
+    isConfigured: boolean;
+    recovery: RecoveryStatusResult$1;
+}
+interface AccountManagerConfig {
+    passkey: PasskeyManager;
+    wallet: WalletManager;
+    chain: ChainClient;
+    relayer?: RelayerClient;
+    testnet?: boolean;
+    getUnifiedIdentity: () => Promise<UnifiedIdentity>;
+}
+declare class AccountManager {
+    private readonly passkey;
+    private readonly wallet;
+    private readonly chain;
+    private readonly relayer?;
+    private readonly network;
+    private readonly getUnifiedIdentityImpl;
+    constructor(config: AccountManagerConfig);
+    private requireCredential;
+    private requireRelayer;
+    getPortabilityOverview(): Promise<PortabilityOverview>;
+    getSupportedChainIdentity(chainNames?: ChainName[]): Promise<UnifiedIdentity>;
+    getSupportedChainAddresses(chainNames?: ChainName[]): Promise<ChainAddress[]>;
+    listCredentialMetadata(keyHash?: string): Promise<CredentialMetadataRecord[]>;
+    getRecoveryOverview(identityKeyHash?: string): Promise<RecoveryOverview>;
+    getOnchainSessions(identityKeyHash?: string): Promise<SessionKey[]>;
+    listApps(): Promise<RegisteredAppSummary[]>;
+    getApp(appId: string): Promise<RegisteredAppDetail>;
+    updateAppStatus(appId: string, status: RegisteredAppStatus): Promise<void>;
+    updateAppTrustLevel(appId: string, trustLevel: RegisteredAppTrustLevel): Promise<void>;
+    listAppSessions(appId: string, options?: {
+        includeRevoked?: boolean;
+    }): Promise<RelayerAppSession[]>;
+    revokeAppSession(appId: string, sessionId: string): Promise<number>;
+    revokeAllAppSessions(appId: string): Promise<number>;
+    private buildChainAddressConfigMap;
+}
+
+/**
+ * Veridex Protocol SDK — Recovery Manager
+ *
+ * Orchestrates the full guardian-based social recovery lifecycle on top of the
+ * low-level EVMClient methods.  Provides a high-level, ergonomic API for:
+ *
+ *  1. Guardian configuration  (setup / add / remove)
+ *  2. Recovery initiation      (initiateRecovery — called from a guardian device)
+ *  3. Approval collection      (approveRecovery  — each guardian signs)
+ *  4. Execution                (executeRecovery  — permissionless after threshold + timelock)
+ *  5. Cancellation             (cancelRecovery   — by the current owner)
+ *  6. Status monitoring        (readiness, state, approvals)
+ *
+ * Design rationale
+ * ────────────────
+ * • All mutating operations require a WebAuthn signature and an on-chain signer
+ *   (ethers.Signer).  The SDK never holds private-key material — ADR-0040.
+ * • The manager delegates on-chain calls to the provided ChainClient, which must
+ *   implement {@link RecoveryCapableChainClient}.  At runtime this is checked via
+ *   duck-typing so non-EVM chains that lack recovery simply throw clearly.
+ * • Cross-chain propagation of recovery results (new-owner VAA) is out of scope
+ *   for this manager; it is handled by the relayer once the Hub emits the VAA.
+ *
+ * @module RecoveryManager
+ */
+
+/**
+ * Subset of ChainClient that supports the guardian / recovery contract surface.
+ * EVMClient satisfies this; non-EVM clients currently do not.
+ */
+interface RecoveryCapableChainClient extends ChainClient {
+    getGuardians(identityKeyHash: string): Promise<GuardiansResult>;
+    getRecoveryStatus(identityKeyHash: string): Promise<RecoveryStatusResult>;
+    hasGuardianApproved(identityKeyHash: string, guardianKeyHash: string): Promise<boolean>;
+    setupGuardians(signature: WebAuthnSignature, publicKeyX: bigint, publicKeyY: bigint, guardians: string[], threshold: bigint, signer: unknown): Promise<{
+        receipt: unknown;
+        sequence: bigint;
+    }>;
+    addGuardian(signature: WebAuthnSignature, publicKeyX: bigint, publicKeyY: bigint, guardianKeyHash: string, signer: unknown): Promise<{
+        receipt: unknown;
+        sequence: bigint;
+    }>;
+    removeGuardian(signature: WebAuthnSignature, publicKeyX: bigint, publicKeyY: bigint, guardianKeyHash: string, signer: unknown): Promise<{
+        receipt: unknown;
+        sequence: bigint;
+    }>;
+    initiateRecovery(signature: WebAuthnSignature, publicKeyX: bigint, publicKeyY: bigint, identityToRecover: string, newOwnerKeyHash: string, signer: unknown): Promise<{
+        receipt: unknown;
+        sequence: bigint;
+    }>;
+    approveRecovery(signature: WebAuthnSignature, publicKeyX: bigint, publicKeyY: bigint, identityToRecover: string, signer: unknown): Promise<{
+        receipt: unknown;
+        sequence: bigint;
+    }>;
+    executeRecovery(identityToRecover: string, newPublicKeyX: bigint, newPublicKeyY: bigint, signer: unknown): Promise<{
+        receipt: unknown;
+        sequence: bigint;
+    }>;
+    cancelRecovery(signature: WebAuthnSignature, publicKeyX: bigint, publicKeyY: bigint, signer: unknown): Promise<{
+        receipt: unknown;
+        sequence: bigint;
+    }>;
+}
+interface GuardiansResult {
+    guardians: string[];
+    threshold: bigint;
+    isConfigured: boolean;
+}
+interface RecoveryStatusResult {
+    isActive: boolean;
+    newOwnerKeyHash: string;
+    initiatedAt: bigint;
+    approvalCount: bigint;
+    threshold: bigint;
+    canExecuteAt: bigint;
+    expiresAt: bigint;
+}
+interface RecoveryReadiness {
+    /** Whether at least one guardian is configured */
+    guardiansConfigured: boolean;
+    /** Number of guardians */
+    guardianCount: number;
+    /** Required approval count */
+    threshold: bigint;
+    /** Whether a recovery is currently in progress */
+    recoveryInProgress: boolean;
+    /** If in progress, whether it can be executed now */
+    canExecuteNow: boolean;
+    /** If in progress, whether it has expired */
+    isExpired: boolean;
+    /** If in progress, how many more approvals are needed (0 when ready) */
+    approvalsRemaining: number;
+    /** Full recovery status if active */
+    recoveryStatus: RecoveryStatusResult | null;
+    /** List of guardian key hashes */
+    guardians: string[];
+}
+interface SetupGuardiansParams {
+    /** WebAuthn assertion for the operation */
+    signature: WebAuthnSignature;
+    /** Guardian key hashes to set */
+    guardians: string[];
+    /** Approval threshold (must be >= 1 and <= guardians.length) */
+    threshold: number;
+    /** Ethers signer to submit the transaction */
+    signer: unknown;
+}
+interface AddGuardianParams {
+    signature: WebAuthnSignature;
+    guardianKeyHash: string;
+    signer: unknown;
+}
+interface RemoveGuardianParams {
+    signature: WebAuthnSignature;
+    guardianKeyHash: string;
+    signer: unknown;
+}
+interface InitiateRecoveryParams {
+    signature: WebAuthnSignature;
+    /** Identity key hash to recover */
+    identityToRecover: string;
+    /** New owner key hash that will replace the old one */
+    newOwnerKeyHash: string;
+    signer: unknown;
+}
+interface ApproveRecoveryParams {
+    signature: WebAuthnSignature;
+    identityToRecover: string;
+    signer: unknown;
+}
+interface ExecuteRecoveryParams {
+    identityToRecover: string;
+    /** The new owner's P-256 public key X coordinate */
+    newPublicKeyX: bigint;
+    /** The new owner's P-256 public key Y coordinate */
+    newPublicKeyY: bigint;
+    signer: unknown;
+}
+interface CancelRecoveryParams {
+    signature: WebAuthnSignature;
+    signer: unknown;
+}
+interface RecoveryManagerConfig {
+    passkey: PasskeyManager;
+    chain: ChainClient;
+}
+declare class RecoveryManager {
+    private readonly passkey;
+    private readonly chain;
+    constructor(config: RecoveryManagerConfig);
+    /**
+     * Get full recovery readiness — combines guardian config and recovery state
+     * into a single, user-friendly view.
+     */
+    getReadiness(identityKeyHash?: string): Promise<RecoveryReadiness>;
+    /**
+     * Check whether a specific guardian has already approved the active recovery.
+     */
+    hasGuardianApproved(identityKeyHash: string, guardianKeyHash: string): Promise<boolean>;
+    /**
+     * Get the raw guardian configuration for a given identity.
+     */
+    getGuardians(identityKeyHash?: string): Promise<GuardiansResult>;
+    /**
+     * Get the raw recovery status for a given identity.
+     */
+    getRecoveryStatus(identityKeyHash?: string): Promise<RecoveryStatusResult>;
+    /**
+     * Configure the guardian set and approval threshold for the current identity.
+     *
+     * @throws If threshold < 1 or threshold > guardians.length
+     */
+    setupGuardians(params: SetupGuardiansParams): Promise<{
+        sequence: bigint;
+    }>;
+    /**
+     * Add a single guardian to the current identity's guardian set.
+     */
+    addGuardian(params: AddGuardianParams): Promise<{
+        sequence: bigint;
+    }>;
+    /**
+     * Remove a guardian from the current identity's guardian set.
+     */
+    removeGuardian(params: RemoveGuardianParams): Promise<{
+        sequence: bigint;
+    }>;
+    /**
+     * Initiate social recovery — typically called from a guardian's device.
+     *
+     * The caller must be a guardian of the identity being recovered.
+     */
+    initiateRecovery(params: InitiateRecoveryParams): Promise<{
+        sequence: bigint;
+    }>;
+    /**
+     * Approve an in-progress recovery — each guardian calls this once.
+     */
+    approveRecovery(params: ApproveRecoveryParams): Promise<{
+        sequence: bigint;
+    }>;
+    /**
+     * Execute a recovery after threshold + timelock are satisfied.
+     *
+     * This is permissionless — anyone may call it.  No WebAuthn signature required.
+     */
+    executeRecovery(params: ExecuteRecoveryParams): Promise<{
+        sequence: bigint;
+    }>;
+    /**
+     * Cancel an in-progress recovery — only the current owner can do this.
+     */
+    cancelRecovery(params: CancelRecoveryParams): Promise<{
+        sequence: bigint;
+    }>;
+    private requireCredential;
+}
+
+/**
+ * Veridex Protocol SDK — Multisig Manager (ADR-0037)
+ *
+ * Implements the SDK surface for **threshold multisig transaction authorization**.
+ *
+ * Architecture summary (from ADR-0037):
+ * ─────────────────────────────────────
+ *  • A per-identity **TransactionPolicy** on the Hub defines whether threshold
+ *    approval is required.  When `policy.enabled === true`, direct dispatch of
+ *    protected actions (transfer, execute, bridge, config) reverts on-chain.
+ *  • Instead, an authorized key **creates a proposal**.  Other authorized keys
+ *    **approve** it.  Once `approvalCount >= threshold`, anyone may **execute** it.
+ *  • Sessions are disabled for threshold-governed identities in Phase 1.
+ *  • Proposals expire after `proposalTtl`.
+ *  • Execution emits a Wormhole VAA wrapping the inner action
+ *    (ACTION_EXECUTE_MULTISIG = 14).
+ *
+ * This manager exposes:
+ *   1. Policy configuration & queries
+ *   2. Proposal lifecycle (create / approve / cancel / execute / query)
+ *   3. Convenience proposal creators for transfer, execute, bridge
+ *   4. Policy-aware guard for direct dispatch (`assertDirectDispatchAllowed`)
+ *
+ * @module MultisigManager
+ */
+
+/** Phase 1 action type bitmask values (ADR-0037 §2) */
+declare const PROTECTED_ACTION: {
+    readonly TRANSFER: number;
+    readonly EXECUTE: number;
+    readonly BRIDGE: number;
+    readonly CONFIG: number;
+};
+/** Default protected-action mask covering all sensitive operations */
+declare const DEFAULT_PROTECTED_ACTION_MASK: number;
+/** Default proposal TTL in seconds (24 hours) */
+declare const DEFAULT_PROPOSAL_TTL = 86400;
+type ProposalState = 'none' | 'pending' | 'approved' | 'executed' | 'cancelled' | 'expired';
+/**
+ * Per-identity transaction policy stored on-chain (Hub).
+ */
+interface MultisigPolicy {
+    enabled: boolean;
+    threshold: number;
+    protectedActionMask: number;
+    proposalTtl: number;
+    disableSessions: boolean;
+}
+/**
+ * On-chain transaction proposal.
+ */
+interface TransactionProposal {
+    proposalId: string;
+    identityKeyHash: string;
+    proposerKeyHash: string;
+    targetChain: number;
+    actionType: number;
+    actionHash: string;
+    actionPayload: string;
+    createdAt: bigint;
+    expiresAt: bigint;
+    approvalCount: number;
+    requiredThreshold: number;
+    state: ProposalState;
+}
+/**
+ * Human-readable summary of a proposal's action payload.
+ */
+interface ProposalActionSummary {
+    type: 'transfer' | 'execute' | 'bridge' | 'config' | 'unknown';
+    description: string;
+    targetChain: number;
+    /** Decoded parameters — shape depends on `type` */
+    params: TransferParams | ExecuteParams | BridgeParams | Record<string, unknown>;
+}
+interface CreateProposalResult {
+    proposalId: string;
+    sequence: bigint;
+    summary: ProposalActionSummary;
+}
+interface ApproveProposalResult {
+    proposalId: string;
+    approvalCount: number;
+    thresholdReached: boolean;
+}
+interface ExecuteProposalResult {
+    proposalId: string;
+    sequence: bigint;
+    dispatch: DispatchResult;
+}
+/**
+ * Chain client methods required for threshold multisig.
+ * In Phase 1 these exist only on EVMClient (Hub chain).
+ */
+interface MultisigCapableChainClient extends ChainClient {
+    configureTransactionPolicy(signature: WebAuthnSignature, publicKeyX: bigint, publicKeyY: bigint, threshold: number, protectedActionMask: number, proposalTtl: number, disableSessions: boolean, signer: unknown): Promise<{
+        receipt: unknown;
+    }>;
+    getTransactionPolicy(identityKeyHash: string): Promise<MultisigPolicy>;
+    createTransactionProposal(signature: WebAuthnSignature, publicKeyX: bigint, publicKeyY: bigint, targetChain: number, actionPayload: string, signer: unknown): Promise<{
+        proposalId: string;
+        receipt: unknown;
+        sequence: bigint;
+    }>;
+    approveTransactionProposal(signature: WebAuthnSignature, publicKeyX: bigint, publicKeyY: bigint, proposalId: string, signer: unknown): Promise<{
+        receipt: unknown;
+        approvalCount: number;
+        thresholdReached: boolean;
+    }>;
+    cancelTransactionProposal(signature: WebAuthnSignature, publicKeyX: bigint, publicKeyY: bigint, proposalId: string, signer: unknown): Promise<{
+        receipt: unknown;
+    }>;
+    executeTransactionProposal(proposalId: string, signer: unknown): Promise<{
+        receipt: unknown;
+        sequence: bigint;
+    }>;
+    getTransactionProposal(proposalId: string): Promise<TransactionProposal>;
+    hasApprovedTransactionProposal(proposalId: string, keyHash: string): Promise<boolean>;
+}
+interface MultisigManagerConfig {
+    passkey: PasskeyManager;
+    chain: ChainClient;
+}
+interface ConfigurePolicyParams {
+    signature: WebAuthnSignature;
+    threshold: number;
+    protectedActionMask?: number;
+    proposalTtl?: number;
+    disableSessions?: boolean;
+    signer: unknown;
+}
+interface CreateProposalParams {
+    signature: WebAuthnSignature;
+    targetChain: number;
+    actionPayload: string;
+    signer: unknown;
+}
+interface ApproveProposalParams {
+    signature: WebAuthnSignature;
+    proposalId: string;
+    signer: unknown;
+}
+interface CancelProposalParams {
+    signature: WebAuthnSignature;
+    proposalId: string;
+    signer: unknown;
+}
+interface ExecuteProposalParams {
+    proposalId: string;
+    signer: unknown;
+}
+declare class MultisigManager {
+    private readonly passkey;
+    private readonly chain;
+    constructor(config: MultisigManagerConfig);
+    /**
+     * Query the current transaction policy for the active identity.
+     */
+    getPolicy(identityKeyHash?: string): Promise<MultisigPolicy>;
+    /**
+     * Configure (or update) the transaction policy for the current identity.
+     *
+     * @throws If threshold < 2
+     */
+    configurePolicy(params: ConfigurePolicyParams): Promise<void>;
+    /**
+     * Check whether direct (single-signer) dispatch is allowed for the given
+     * action type under the current policy.  Throws a descriptive error when
+     * threshold approval is required instead.
+     *
+     * Call this before `sdk.transfer()` / `sdk.execute()` / `sdk.bridge()`
+     * to fail fast in the SDK rather than reverting on-chain.
+     */
+    assertDirectDispatchAllowed(actionType: 'transfer' | 'execute' | 'bridge' | 'config', identityKeyHash?: string): Promise<void>;
+    /**
+     * Create a new transaction proposal.
+     *
+     * The proposer's signature counts as the first approval automatically.
+     */
+    createProposal(params: CreateProposalParams): Promise<CreateProposalResult>;
+    /**
+     * Approve an existing proposal.  Each authorized key may approve once.
+     */
+    approveProposal(params: ApproveProposalParams): Promise<ApproveProposalResult>;
+    /**
+     * Cancel a proposal — only allowed by an authorized key of the identity.
+     */
+    cancelProposal(params: CancelProposalParams): Promise<void>;
+    /**
+     * Execute a proposal after threshold + timelock are satisfied.
+     * Permissionless — anyone may call.
+     */
+    executeProposal(params: ExecuteProposalParams): Promise<ExecuteProposalResult>;
+    /**
+     * Retrieve a proposal by ID.
+     */
+    getProposal(proposalId: string): Promise<TransactionProposal>;
+    /**
+     * Check whether a specific key has approved a given proposal.
+     */
+    hasApproved(proposalId: string, keyHash?: string): Promise<boolean>;
+    /**
+     * Convenience: check if a proposal is ready for execution.
+     */
+    isProposalExecutable(proposalId: string): Promise<boolean>;
+    private requireCredential;
+}
+
+/**
+ * Veridex Protocol SDK — Launch Gate & Policy Enforcement (ADR-0040)
+ *
+ * Runtime validation layer that enforces the product boundaries defined in
+ * ADR-0040 across the SDK surface.  Every SDK operation that touches
+ * credentials, sessions, or dispatch is funnelled through this module's
+ * `validate*` helpers to catch violations early with clear developer errors.
+ *
+ * Non-negotiables enforced here:
+ *
+ *   1. Passkeys are non-extractable.  No API may expose private-key material.
+ *   2. Self-custody is preserved.  The SDK never constructs or transmits
+ *      private keys.
+ *   3. Cross-site passkey reuse is scoped to the Veridex RP federation model.
+ *   4. Cross-ecosystem portability requires explicit credential registration.
+ *   5. MetaMask interop is limited to smart-account / injected-wallet flows.
+ *   6. Chain parity claims require real cryptographic verification.
+ *
+ * Additionally this module exposes a lightweight **CapabilityMatrix** that
+ * integrators can use to understand what is available on a given platform,
+ * browser, and chain combination — preventing false assumptions at the UI
+ * level.
+ *
+ * @module PolicyEnforcement
+ */
+/**
+ * Capability tiers per chain type — used to gate SDK features at runtime.
+ */
+type ChainCapabilityTier = 'full' | 'partial' | 'unsupported';
+interface ChainCapabilities {
+    /** WebAuthn P-256 verification on-chain */
+    passkeyVerification: ChainCapabilityTier;
+    /** On-chain session key registration and validation */
+    sessionKeys: ChainCapabilityTier;
+    /** Guardian recovery initiation, approval, execution */
+    recovery: ChainCapabilityTier;
+    /** Threshold multisig (ADR-0037) */
+    multisig: ChainCapabilityTier;
+    /** Cross-chain VAA reception (Wormhole spoke) */
+    crossChainReceive: ChainCapabilityTier;
+}
+/**
+ * Canonical capability definitions per chain type.
+ * These are validated before claiming "supported" status.
+ */
+declare const CHAIN_CAPABILITIES: Record<string, ChainCapabilities>;
+/**
+ * Prevent any code path that would attempt to export or derive private keys
+ * from passkey material (ADR-0040, Non-Negotiable #1).
+ */
+declare function validateNoKeyExtraction(operation: string): void;
+/**
+ * Validate that a chain has real (not placeholder) support for a capability
+ * before claiming it is available (ADR-0040, Non-Negotiable #6).
+ */
+declare function validateChainCapability(chainType: string, capability: keyof ChainCapabilities, operation: string): void;
+/**
+ * Validate that MetaMask interop claims are limited to the smart-account
+ * execution path (ADR-0040, Non-Negotiable #5).
+ */
+declare function validateMetaMaskInteropClaim(interopType: string): void;
+/**
+ * Validate that session creation is allowed for the given identity's
+ * multisig policy state (ADR-0037 §9).
+ */
+declare function validateSessionCreationPolicy(policyEnabled: boolean, sessionsDisabled: boolean): void;
+/**
+ * Validate that cross-site passkey reuse is within the Veridex federation
+ * model (ADR-0040, Non-Negotiable #3).
+ */
+declare function validateFederatedOrigin(rpId: string, allowedRpIds?: string[]): void;
+interface PlatformCapabilityMatrix {
+    /** Whether passkeys (WebAuthn) are supported on this platform */
+    webauthnSupported: boolean;
+    /** Whether conditional UI (autofill) is available */
+    conditionalUISupported: boolean;
+    /** Whether platform authenticators are available (Touch ID, Face ID, etc.) */
+    platformAuthenticatorAvailable: boolean;
+    /** Chain-specific capabilities */
+    chainCapabilities: ChainCapabilities;
+    /** Feature set available for the current configuration */
+    features: {
+        passkeyAuth: boolean;
+        sessionKeys: boolean;
+        socialRecovery: boolean;
+        thresholdMultisig: boolean;
+        crossChainBridge: boolean;
+        injectedWalletInterop: boolean;
+        gaslessTransactions: boolean;
+    };
+}
+/**
+ * Build a capability matrix for the current platform and chain configuration.
+ * Used by integrator UIs to show/hide features appropriately.
+ */
+declare function buildCapabilityMatrix(chainType: string, platformInfo: {
+    webauthnSupported: boolean;
+    conditionalUISupported: boolean;
+    platformAuthenticatorAvailable: boolean;
+}, hasRelayer: boolean): PlatformCapabilityMatrix;
+type PolicyViolationCode = 'NON_EXTRACTABLE_CREDENTIAL' | 'UNKNOWN_CHAIN_TYPE' | 'UNSUPPORTED_CAPABILITY' | 'UNSUPPORTED_METAMASK_INTEROP' | 'SESSIONS_DISABLED_BY_POLICY' | 'UNFEDERATED_ORIGIN';
+declare class PolicyViolationError extends Error {
+    readonly code: PolicyViolationCode;
+    constructor(message: string, code: PolicyViolationCode);
+}
+
+/**
+ * Veridex Protocol SDK — Balance Watcher
+ *
+ * Provides a polling-based subscription API for vault balance changes.
+ * Returns an unsubscribe function so integrators can react to incoming
+ * transfers, outgoing withdrawals, or spending limit resets without
+ * manually implementing polling.
+ *
+ * Where chains expose WebSocket endpoints in the future, this module
+ * can be extended to use push-based notifications without changing the
+ * public API surface.
+ */
+
+/** Event types emitted by the balance watcher */
+type BalanceEventType = 'balanceChange' | 'error';
+/** Callback signature for balance change events */
+type BalanceChangeCallback = (event: BalanceChangeEvent) => void;
+/** Callback signature for error events */
+type BalanceErrorCallback = (error: Error) => void;
+/** A balance change event delivered to subscribers */
+interface BalanceChangeEvent {
+    /** Wormhole chain ID */
+    wormholeChainId: number;
+    /** Vault address */
+    address: string;
+    /** Updated portfolio snapshot */
+    portfolio: PortfolioBalance;
+    /** Individual tokens whose balance changed since last poll */
+    changes: TokenBalanceChange[];
+    /** Timestamp of this poll */
+    timestamp: number;
+}
+/** Describes a single token balance that changed */
+interface TokenBalanceChange {
+    token: TokenBalance['token'];
+    previousBalance: bigint;
+    currentBalance: bigint;
+    /** Positive = received, negative = sent/withdrawn */
+    delta: bigint;
+}
+/** Options for the watcher */
+interface BalanceWatcherOptions {
+    /** Poll interval in milliseconds (default: 15_000 — 15 seconds) */
+    intervalMs?: number;
+    /** Minimum interval allowed (floor, to protect against aggressive polling) */
+    minIntervalMs?: number;
+    /** Whether to emit an initial event immediately with current balances */
+    emitInitial?: boolean;
+}
+/** Function to stop watching */
+type Unsubscribe = () => void;
+/**
+ * Watch vault balances for changes via periodic polling.
+ *
+ * @example
+ * ```typescript
+ * const watcher = new BalanceWatcher(fetchBalance);
+ *
+ * const unsub = watcher.watch(
+ *   10004, '0xVaultAddr',
+ *   (event) => {
+ *     for (const c of event.changes) {
+ *       console.log(`${c.token.symbol}: ${c.delta > 0n ? '+' : ''}${c.delta}`);
+ *     }
+ *   },
+ *   { intervalMs: 10_000 }
+ * );
+ *
+ * // Later:
+ * unsub();
+ * ```
+ */
+declare class BalanceWatcher {
+    private readonly fetchBalance;
+    private subscriptions;
+    /**
+     * @param fetchBalance - Function that fetches the current portfolio balance.
+     *   Typically bound to `BalanceManager.getPortfolioBalance` or the SDK's
+     *   `getVaultBalances()`.
+     */
+    constructor(fetchBalance: (wormholeChainId: number, address: string) => Promise<PortfolioBalance>);
+    /**
+     * Start watching a vault's balances.
+     *
+     * @returns An unsubscribe function that stops polling.
+     */
+    watch(wormholeChainId: number, address: string, onChange: BalanceChangeCallback, options?: BalanceWatcherOptions, onError?: BalanceErrorCallback): Unsubscribe;
+    /**
+     * Stop all watchers.
+     */
+    stopAll(): void;
+    /**
+     * Get the number of active subscriptions.
+     */
+    get activeCount(): number;
+    private removeCallback;
+    private diffBalances;
+}
+
+/**
+ * Gas Sponsor Module
+ *
+ * Handles sponsored (gasless) vault creation for Veridex users.
+ * Uses a Veridex-owned wallet to pay gas fees on behalf of users.
+ *
+ * This is a temporary solution until the full relayer is built.
+ * In the future, this will be handled by:
+ * - ERC-4337 Account Abstraction with Paymasters
+ * - Dedicated Relayer service
+ */
+interface ChainDeploymentConfig {
+    name: string;
+    chainId: number;
+    wormholeChainId: number;
+    rpcUrl: string;
+    vaultFactory?: string;
+    hubAddress?: string;
+    isHub?: boolean;
+}
+interface SponsoredVaultResult {
+    success: boolean;
+    chain: string;
+    wormholeChainId: number;
+    vaultAddress?: string;
+    transactionHash?: string;
+    error?: string;
+    alreadyExists?: boolean;
+}
+interface MultiChainVaultResult {
+    keyHash: string;
+    results: SponsoredVaultResult[];
+    allSuccessful: boolean;
+    vaultAddresses: Record<number, string>;
+}
+interface GasSponsorConfig {
+    /**
+     * Private key for the sponsor wallet (from env or secure storage)
+     * This is the fallback when relayer is not available
+     */
+    sponsorPrivateKey?: string;
+    /**
+     * Integrator-provided sponsor key (for platforms using Veridex SDK)
+     * Takes priority over Veridex default sponsorship
+     */
+    integratorSponsorKey?: string;
+    /**
+     * Relayer API endpoint for remote sponsorship (primary method)
+     * When available, this takes priority over local wallet sponsorship
+     */
+    relayerUrl?: string;
+    /** API key for relayer service authentication */
+    relayerApiKey?: string;
+    /** @deprecated Use relayerUrl instead */
+    sponsorApiUrl?: string;
+    /** @deprecated Use relayerApiKey instead */
+    sponsorApiKey?: string;
+    /** Whether to use testnet configurations */
+    testnet?: boolean;
+    /** Custom RPC URLs by wormhole chain ID */
+    customRpcUrls?: Record<number, string>;
+}
+/** Sponsorship source type */
+type SponsorshipSource = 'relayer' | 'integrator' | 'veridex' | 'none';
+/**
+ * Gas Sponsorship with layered fallback:
+ * 1. Relayer (primary) - Remote relayer service handles gas
+ * 2. Integrator wallet - Platform using SDK provides their own sponsor key
+ * 3. Veridex wallet (fallback) - Veridex's default sponsor wallet
+ */
+declare class GasSponsor {
+    private config;
+    private sponsorWallet?;
+    private integratorWallet?;
+    private chains;
+    constructor(config?: GasSponsorConfig);
+    /**
+     * Determine which sponsorship source is available
+     * Priority: Relayer > Integrator > Veridex > None
+     */
+    getSponsorshipSource(): SponsorshipSource;
+    /**
+     * Get the active sponsor wallet (integrator takes priority)
+     */
+    private getActiveWallet;
+    /**
+     * Get supported chains for vault deployment
+     */
+    getSupportedChains(): ChainDeploymentConfig[];
+    /**
+     * Get the hub chain configuration
+     */
+    getHubChain(): ChainDeploymentConfig | undefined;
+    /**
+     * Check if sponsor is configured (has relayer, integrator key, or Veridex key)
+     */
+    isConfigured(): boolean;
+    /**
+     * Get sponsor wallet balance on a specific chain
+     */
+    getSponsorBalance(wormholeChainId: number): Promise<bigint>;
+    /**
+     * Check if a vault exists for a given key hash on a chain
+     */
+    checkVaultExists(keyHash: string, wormholeChainId: number): Promise<{
+        exists: boolean;
+        address: string;
+    }>;
+    /**
+     * Get predicted vault address for a key hash on a chain
+     */
+    computeVaultAddress(keyHash: string, wormholeChainId: number): Promise<string | null>;
+    /**
+     * Create a vault on a specific chain (sponsored)
+     *
+     * Sponsorship priority:
+     * 1. Relayer API (future - not yet implemented)
+     * 2. Integrator wallet (if provided)
+     * 3. Veridex sponsor wallet (fallback)
+     */
+    createVaultOnChain(keyHash: string, wormholeChainId: number): Promise<SponsoredVaultResult>;
+    /**
+     * Create vault via relayer service (future primary method)
+     *
+     * The relayer handles:
+     * - Gas payment on behalf of users
+     * - Transaction submission and monitoring
+     * - Rate limiting and abuse prevention
+     */
+    private createVaultViaRelayer;
+    /**
+     * Create vault with a specific wallet (internal helper)
+     */
+    private createVaultWithWallet;
+    /**
+     * Create vaults on all supported chains (sponsored)
+     */
+    createVaultsOnAllChains(keyHash: string): Promise<MultiChainVaultResult>;
+    /**
+     * Check vault status on all chains
+     */
+    checkVaultsOnAllChains(keyHash: string): Promise<Record<number, {
+        exists: boolean;
+        address: string;
+    }>>;
+}
+/**
+ * Create a GasSponsor instance
+ *
+ * @example
+ * ```ts
+ * // With environment variable
+ * const sponsor = createGasSponsor({
+ *   sponsorPrivateKey: process.env.VERIDEX_SPONSOR_KEY,
+ *   testnet: true,
+ * });
+ *
+ * // Create vaults for a user
+ * const result = await sponsor.createVaultsOnAllChains(userKeyHash);
+ * ```
+ */
+declare function createGasSponsor(config?: GasSponsorConfig): GasSponsor;
+
+declare class VeridexSDK {
+    readonly passkey: PasskeyManager;
+    readonly wallet: WalletManager;
+    readonly account: AccountManager;
+    readonly balance: BalanceManager;
+    readonly transactions: TransactionTracker;
+    readonly crossChain: CrossChainManager;
+    readonly sponsor: GasSponsor;
+    readonly transactionParser: TransactionParser;
+    readonly spendingLimits: SpendingLimitsManager;
+    readonly recovery: RecoveryManager | null;
+    readonly multisig: MultisigManager | null;
+    readonly balanceWatcher: BalanceWatcher;
+    private readonly chain;
+    private readonly relayer?;
+    private readonly queryApiKey?;
+    private readonly testnet;
+    private readonly sponsorPrivateKey?;
+    private readonly chainRpcUrls?;
+    private readonly chainDetector;
+    private readonly preparedTransferTtl;
+    private unifiedIdentity;
+    constructor(config: VeridexConfig);
+    getChainConfig(): ChainConfig;
+    getChainClient(): ChainClient;
+    /**
+     * Returns a capability matrix for the current chain, useful for integrator
+     * UIs to understand what operations the platform supports.
+     */
+    getCapabilityMatrix(platformInfo?: {
+        webauthnSupported: boolean;
+        conditionalUISupported: boolean;
+        platformAuthenticatorAvailable: boolean;
+    }): PlatformCapabilityMatrix;
+    /**
+     * Check if a specific feature is supported on the current chain.
+     *
+     * Unlike `getCapabilityMatrix()` which returns the full matrix, this is a
+     * simple boolean check for the most common per-chain capability queries.
+     *
+     * @param feature - Feature name to check
+     * @returns `true` if fully or partially supported; `false` if unsupported
+     *
+     * @example
+     * ```typescript
+     * if (sdk.supportsFeature('recovery')) {
+     *   // Show recovery UI
+     * }
+     * ```
+     */
+    supportsFeature(feature: keyof ChainCapabilities): boolean;
+    /**
+     * Resolve a chain name to its CHAIN_CAPABILITIES key.
+     */
+    private resolveChainType;
+    /**
+     * Watch for balance changes on a vault.
+     *
+     * Uses polling under the hood; the returned function stops the watcher.
+     *
+     * @example
+     * ```typescript
+     * const unsub = sdk.watchBalance(
+     *   (event) => console.log('Balance changed:', event.changes),
+     *   { intervalMs: 10_000 },
+     * );
+     *
+     * // later
+     * unsub();
+     * ```
+     */
+    watchBalance(onChange: BalanceChangeCallback, options?: BalanceWatcherOptions, onError?: BalanceErrorCallback): Unsubscribe;
+    getNonce(): Promise<bigint>;
+    getMessageFee(): Promise<bigint>;
+    buildTransferPayload(params: TransferParams): Promise<string>;
+    buildExecutePayload(params: ExecuteParams): Promise<string>;
+    buildBridgePayload(params: BridgeParams): Promise<string>;
+    transfer(params: TransferParams, signer: any): Promise<DispatchResult>;
+    execute(params: ExecuteParams, signer: any): Promise<DispatchResult>;
+    bridge(params: BridgeParams, signer: any): Promise<DispatchResult>;
+    /**
+     * Prepare a bridge/cross-chain transfer with fee estimation
+     *
      * @param params - Bridge parameters
      * @returns PreparedBridge with fee estimates
      */
@@ -1842,6 +3055,38 @@ declare class VeridexSDK {
      * Get token by symbol
      */
     getTokenBySymbol(symbol: string, wormholeChainId?: number): TokenInfo$1 | null;
+    /**
+     * Get vault addresses across all supported chains at once.
+     *
+     * Unlike calling `getVaultAddressForChain()` in a loop, this returns a
+     * structured map that frontends can render directly.
+     *
+     * @example
+     * ```typescript
+     * const addresses = sdk.getMultiChainAddresses();
+     * for (const [chainId, addr] of Object.entries(addresses)) {
+     *   console.log(`Chain ${chainId}: ${addr}`);
+     * }
+     * ```
+     */
+    getMultiChainAddresses(): Record<number, string>;
+    /**
+     * Get a combined portfolio view across multiple chains.
+     *
+     * Returns vault address + balances per chain, suitable for a dashboard or
+     * portfolio summary screen.
+     *
+     * @example
+     * ```typescript
+     * const portfolio = await sdk.getMultiChainPortfolio();
+     * for (const entry of portfolio) {
+     *   console.log(`${entry.chainName}: ${entry.tokens.length} tokens`);
+     * }
+     * ```
+     *
+     * @param chainIds - Optional array of Wormhole chain IDs. Defaults to all sponsored chains.
+     */
+    getMultiChainPortfolio(chainIds?: number[]): Promise<PortfolioBalance[]>;
     /**
      * Get receive address information for sharing
      * Use this to generate QR codes or share your vault address
@@ -2072,86 +3317,108 @@ declare class VeridexSDK {
 }
 
 /**
- * Veridex Protocol SDK - Chain Presets
+ * Veridex Protocol SDK - Feature Flags
  *
- * Pre-configured chain settings for easy SDK initialization.
- * Developers only need to specify chain name and network type.
+ * Centralized feature flag management for toggling SDK capabilities.
+ * These flags allow operators to enable/disable features at runtime,
+ * which is critical for:
+ * - Hackathon demos (Avalanche Build Games: single hub for simplicity)
+ * - Enterprise deployments (controlled rollout of multi-hub)
+ * - Compliance (restrict routing to audited chains only)
+ *
+ * ## Multi-Hub Feature
+ *
+ * When `multiHub` is **disabled** (default):
+ * - Only the primary hub chain (Base) is used for identity and session management
+ * - `getHubChains()` returns only `['base']`
+ * - `getDefaultHub()` returns Base config
+ * - Avalanche operates as a spoke chain (payments only, identity on Base)
+ *
+ * When `multiHub` is **enabled**:
+ * - All chains marked `canBeHub: true` are available as hubs
+ * - `getHubChains()` returns all hub-capable chains
+ * - `getDefaultHub()` can be overridden to point at any hub chain
+ * - Avalanche can operate as a secondary hub with its own identity registry
+ *
+ * ## Enterprise Risk Alignment
+ *
+ * Feature flags enable the "Enterprise Trust Firewall" narrative:
+ * - Single hub = single source of truth = simpler audit trail
+ * - Multi-hub = horizontal scaling for enterprise multi-region deployments
+ * - Trace logging integration points are hub-aware
  *
  * @example
  * ```typescript
- * import { createSDK } from '@veridex/sdk';
+ * import { setFeatureFlags, getFeatureFlags } from '@veridex/sdk';
  *
- * // Simple initialization - testnet by default
- * const sdk = await createSDK('base');
+ * // Disable multi-hub (default for hackathon demos)
+ * setFeatureFlags({ multiHub: false });
  *
- * // Or specify mainnet
- * const mainnetSdk = await createSDK('base', { network: 'mainnet' });
+ * // Enable multi-hub for enterprise deployment
+ * setFeatureFlags({ multiHub: true });
+ *
+ * // Check current flags
+ * const flags = getFeatureFlags();
+ * console.log(flags.multiHub); // false
  * ```
  */
 
-/**
- * All supported chain names for easy reference
- */
-declare const CHAIN_NAMES: {
-    readonly BASE: "base";
-    readonly OPTIMISM: "optimism";
-    readonly ARBITRUM: "arbitrum";
-    readonly SCROLL: "scroll";
-    readonly BLAST: "blast";
-    readonly MANTLE: "mantle";
-    readonly ETHEREUM: "ethereum";
-    readonly POLYGON: "polygon";
-    readonly BSC: "bsc";
-    readonly AVALANCHE: "avalanche";
-    readonly FANTOM: "fantom";
-    readonly CELO: "celo";
-    readonly MOONBEAM: "moonbeam";
-    readonly SOLANA: "solana";
-    readonly APTOS: "aptos";
-    readonly SUI: "sui";
-    readonly STARKNET: "starknet";
-    readonly NEAR: "near";
-    readonly SEI: "sei";
-};
-type ChainName = typeof CHAIN_NAMES[keyof typeof CHAIN_NAMES];
-type NetworkType = 'mainnet' | 'testnet';
-interface ChainPreset {
-    /** Human-readable chain name */
-    displayName: string;
-    /** Chain type for client selection */
-    type: 'evm' | 'solana' | 'aptos' | 'sui' | 'starknet' | 'near' | 'cosmos';
-    /** Whether this chain can be a hub */
-    canBeHub: boolean;
-    /** Testnet configuration */
-    testnet: ChainConfig$1;
-    /** Mainnet configuration */
-    mainnet: ChainConfig$1;
+interface FeatureFlags {
+    /**
+     * Enable multi-hub architecture.
+     *
+     * When false (default), only 'base' is treated as a hub chain.
+     * When true, all chains with `canBeHub: true` in presets are available.
+     *
+     * @default false
+     */
+    multiHub: boolean;
+    /**
+     * Primary hub chain override.
+     *
+     * When multiHub is false, this is ignored (always 'base').
+     * When multiHub is true, this sets the preferred hub chain.
+     *
+     * @default 'base'
+     */
+    primaryHub: ChainName;
 }
-declare const CHAIN_PRESETS: Record<ChainName, ChainPreset>;
-/**
- * Get chain configuration by name and network
- */
-declare function getChainConfig(chain: ChainName, network?: NetworkType): ChainConfig$1;
 /**
- * Get chain preset by name
+ * Get current feature flags (immutable copy).
  */
-declare function getChainPreset(chain: ChainName): ChainPreset;
+declare function getFeatureFlags(): Readonly<FeatureFlags>;
 /**
- * Get all supported chain names
+ * Set feature flags. Merges with current flags.
+ *
+ * @param flags - Partial flags to merge
+ *
+ * @example
+ * ```typescript
+ * // Enable multi-hub
+ * setFeatureFlags({ multiHub: true });
+ *
+ * // Set Avalanche as primary hub
+ * setFeatureFlags({ multiHub: true, primaryHub: 'avalanche' });
+ * ```
  */
-declare function getSupportedChains(): ChainName[];
+declare function setFeatureFlags(flags: Partial<FeatureFlags>): void;
 /**
- * Get hub-capable chains
+ * Reset feature flags to defaults.
+ * Useful for testing and cleanup.
  */
-declare function getHubChains(): ChainName[];
+declare function resetFeatureFlags(): void;
 /**
- * Check if chain is supported
+ * Check if multi-hub is enabled.
+ * Convenience function used throughout the SDK.
  */
-declare function isChainSupported(chain: string): chain is ChainName;
+declare function isMultiHubEnabled(): boolean;
 /**
- * Get default hub chain
+ * Get the effective primary hub chain name.
+ *
+ * When multiHub is false, always returns 'base'.
+ * When multiHub is true, returns the configured primaryHub.
  */
-declare function getDefaultHub(network?: NetworkType): ChainConfig$1;
+declare function getEffectivePrimaryHub(): ChainName;
 
 /**
  * Veridex Protocol SDK - Simplified Initialization
@@ -2238,6 +3505,14 @@ interface SessionConfig {
      */
     requireUV?: boolean;
 }
+/**
+ * Create the appropriate chain client based on chain type.
+ *
+ * Exposed as a public API so integrators can instantiate chain clients
+ * independently of the full VeridexSDK constructor (e.g. for testing
+ * or for dynamic multi-chain client access).
+ */
+declare function createChainClient(chain: ChainName, network: NetworkType, customRpcUrl?: string): ChainClient;
 /**
  * Create a Veridex SDK instance with minimal configuration
  *
@@ -2260,17 +3535,20 @@ interface SessionConfig {
  *
  * // With relayer for gasless transactions
  * const gaslessSdk = await createSDK('base', {
- *   relayerUrl: 'https://relayer.veridex.io',
+ *   relayerUrl: 'https://relayer.veridex.network',
  *   relayerApiKey: 'your-api-key',
  * });
  * ```
  */
 declare function createSDK(chain: ChainName, config?: SimpleSDKConfig): VeridexSDK;
 /**
- * Create SDK for the default hub chain (Base)
+ * Create SDK for the default hub chain.
+ *
+ * When multi-hub is disabled, always creates SDK for Base.
+ * When enabled, uses the configured primary hub chain.
  *
  * @param config - Optional configuration
- * @returns SDK configured for Base hub chain
+ * @returns SDK configured for the primary hub chain
  *
  * @example
  * ```typescript
@@ -2320,356 +3598,632 @@ declare function createMainnetSDK(chain?: ChainName, config?: Omit<SimpleSDKConf
  * ```
  */
 declare function createSessionSDK(chain?: ChainName, config?: SimpleSDKConfig): VeridexSDK;
-
 /**
- * Veridex Protocol SDK - Chain Detector
- *
- * Phase 4: Multi-chain client support helper.
- *
- * Provides:
- * - Chain config lookup (testnet/mainnet)
- * - Auto-configuration for non-EVM ChainClient instances
+ * Enterprise SDK configuration — extends SimpleSDKConfig with required sponsor/relayer keys.
  */
-
-interface ChainDetectorConfig {
-    testnet?: boolean;
-    rpcUrls?: Record<number, string>;
-}
-interface NativeBalanceCapable {
-    getNativeBalance(address: string): Promise<bigint>;
-}
-declare class ChainDetector {
-    private readonly testnet;
-    private readonly rpcUrls;
-    private readonly walletManager;
-    constructor(config?: ChainDetectorConfig);
-    getChainConfig(wormholeChainId: number): ChainConfig | undefined;
+interface EnterpriseSDKConfig extends SimpleSDKConfig {
     /**
-     * Create a chain client for non-EVM chains using repo constants.
-     * For EVM, callers should instantiate EVMClient directly (Hub-driven).
+     * Sponsor private key for gasless vault creation (required for batch ops)
      */
-    createClient(wormholeChainId: number): ChainClient;
+    sponsorPrivateKey: string;
     /**
-     * Derive a best-effort vault address for a chain from the passkey credential.
-     *
-     * - EVM chains: requires vaultFactory/vaultImplementation in constants.
-     * - Non-EVM chains: uses WalletManager chain-specific derivation.
+     * Relayer URL (required for enterprise)
      */
-    deriveVaultAddress(credential: PasskeyCredential, wormholeChainId: number): ChainAddress | null;
-    getNonEvmNativeTokenMeta(wormholeChainId: number): {
-        symbol: string;
-        name: string;
-        decimals: number;
-    } | null;
-    private normalizeSuiAddress;
+    relayerUrl: string;
+    /**
+     * Relayer API key (required for enterprise)
+     */
+    relayerApiKey: string;
 }
-declare function createChainDetector(config?: ChainDetectorConfig): ChainDetector;
+/**
+ * Create an SDK pre-configured for enterprise / integrator back-end use.
+ *
+ * This factory requires `sponsorPrivateKey`, `relayerUrl`, and `relayerApiKey`
+ * — features that enterprise environments always need.
+ *
+ * @param chain - Chain name (e.g., 'base')
+ * @param config - Enterprise-specific configuration
+ * @returns VeridexSDK ready for enterprise operations
+ *
+ * @example
+ * ```typescript
+ * import { createEnterpriseSDK, EnterpriseManager } from '@veridex/sdk';
+ *
+ * const sdk = createEnterpriseSDK('base', {
+ *   sponsorPrivateKey: process.env.SPONSOR_KEY!,
+ *   relayerUrl: 'https://relayer.veridex.network',
+ *   relayerApiKey: process.env.RELAYER_KEY!,
+ * });
+ *
+ * const enterprise = new EnterpriseManager({ sdk });
+ * ```
+ */
+declare function createEnterpriseSDK(chain: ChainName, config: EnterpriseSDKConfig): VeridexSDK;
 
 /**
- * Veridex Protocol SDK - Relayer Client
+ * Veridex Protocol SDK - Browser Capabilities Detection
  *
- * Client for interacting with the Veridex relayer service.
- * The relayer automatically submits VAAs to destination chains.
+ * Detects WebAuthn and passkey capabilities of the current browser/platform.
+ * Used to drive UI branching (ROR vs Auth Portal fallback, conditional UI,
+ * PRF availability, backup-state awareness, hybrid transport support).
  *
- * Features:
- * - Submit VAA for relay
- * - Check relay status
- * - Get supported routes
- * - Fee estimation
+ * @example
+ * ```typescript
+ * import { detectCapabilities } from '@veridex/sdk';
+ *
+ * const caps = await detectCapabilities();
+ * if (caps.relatedOrigins) {
+ *   // Direct cross-domain passkey usage
+ * } else {
+ *   // Auth Portal popup/redirect fallback
+ * }
+ *
+ * if (caps.prf) {
+ *   // Can use PRF extension for recovery vault encryption
+ * }
+ * ```
  */
 /**
- * Relay request status
+ * Complete browser capability report for passkey-related features.
+ */
+interface BrowserCapabilities {
+    /** Basic WebAuthn support (navigator.credentials + PublicKeyCredential) */
+    webauthn: boolean;
+    /** Platform authenticator available (Touch ID, Face ID, Windows Hello) */
+    platformAuthenticator: boolean;
+    /** Related Origin Requests (WebAuthn L3) — cross-domain passkey use */
+    relatedOrigins: boolean;
+    /** Conditional UI / autofill-assisted passkey selection */
+    conditionalMediation: boolean;
+    /** Hybrid transport (phone as authenticator via QR/BLE) */
+    hybridTransport: boolean;
+    /** PRF extension (pseudo-random function for key wrapping) */
+    prf: boolean;
+    /** User-verifying platform authenticator (biometric bound) */
+    userVerification: boolean;
+    /** Whether passkeys on this device are backed up / synced to cloud */
+    backupEligible: boolean | null;
+    /** Detected platform / ecosystem */
+    platform: PlatformHint;
+    /** Raw getClientCapabilities result (if available) */
+    rawCapabilities: Record<string, boolean> | null;
+}
+/**
+ * Platform hint for ecosystem-specific guidance.
  */
-type RelayStatus = 'pending' | 'processing' | 'submitted' | 'confirmed' | 'failed';
+type PlatformHint = 'apple' | 'google' | 'windows' | 'android' | 'linux' | 'unknown';
 /**
- * Relay request result
+ * Recommendation for the best authentication strategy on this browser.
  */
-interface RelayRequest {
-    /** Unique relay request ID */
-    id: string;
-    /** VAA sequence number */
-    sequence: bigint;
-    /** Source chain Wormhole ID */
-    sourceChain: number;
-    /** Destination chain Wormhole ID */
-    destinationChain: number;
-    /** Relay status */
-    status: RelayStatus;
-    /** Source transaction hash */
-    sourceTxHash: string;
-    /** Destination transaction hash (when completed) */
-    destinationTxHash?: string;
-    /** Timestamp when request was created */
-    createdAt: number;
-    /** Timestamp when request was last updated */
-    updatedAt: number;
-    /** Error message if failed */
-    error?: string;
-    /** Gas used on destination chain */
-    gasUsed?: bigint;
-    /** Fee paid */
-    feePaid?: bigint;
+interface AuthStrategy {
+    /** Primary method to attempt */
+    primary: 'ror' | 'conditional' | 'portal-popup' | 'portal-redirect';
+    /** Fallback if primary fails */
+    fallback: 'portal-popup' | 'portal-redirect' | 'none';
+    /** Whether hybrid transport is available as an additional option */
+    hybridAvailable: boolean;
+    /** Human-readable explanation */
+    reason: string;
 }
 /**
- * Supported route information
+ * Detect the current platform/ecosystem from user agent and platform strings.
  */
-interface RelayRoute {
-    /** Source chain Wormhole ID */
-    sourceChain: number;
-    /** Destination chain Wormhole ID */
-    destinationChain: number;
-    /** Whether the route is active */
-    active: boolean;
-    /** Estimated relay time in seconds */
-    estimatedTimeSeconds: number;
-    /** Base fee in destination chain native token */
-    baseFee: bigint;
-    /** Fee per gas unit */
-    gasPrice: bigint;
-    /** Maximum gas limit */
-    maxGas: bigint;
-}
+declare function detectPlatform(): PlatformHint;
 /**
- * Relayer service info
+ * Detect all browser capabilities related to passkeys and WebAuthn.
+ *
+ * This performs multiple async checks in parallel for efficiency.
+ * Safe to call on any browser — returns sensible defaults for unsupported features.
  */
-interface RelayerInfo {
-    /** Relayer name/identifier */
-    name: string;
-    /** Relayer version */
-    version: string;
-    /** Supported chains */
-    supportedChains: number[];
-    /** Available routes */
-    routes: RelayRoute[];
-    /** Whether the relayer is online */
-    online: boolean;
-    /** Current queue depth */
-    queueDepth: number;
-}
+declare function detectCapabilities(): Promise<BrowserCapabilities>;
 /**
- * Request body for submitting a signed action to the relayer (gasless)
- * Uses full WebAuthn data for authenticateAndDispatch
+ * Get the recommended authentication strategy based on detected capabilities.
  */
-interface SubmitSignedActionRequest {
-    /** WebAuthn authenticatorData (hex) */
-    authenticatorData: string;
-    /** WebAuthn clientDataJSON (raw string) */
-    clientDataJSON: string;
-    /** Index of "challenge":"..." in clientDataJSON */
-    challengeIndex: number;
-    /** Index of "type":"..." in clientDataJSON */
-    typeIndex: number;
-    /** P-256 signature r component (hex) */
-    r: string;
-    /** P-256 signature s component (hex) */
-    s: string;
-    /** P-256 public key X coordinate (hex) */
-    publicKeyX: string;
-    /** P-256 public key Y coordinate (hex) */
-    publicKeyY: string;
-    /** Target chain Wormhole ID */
-    targetChain: number;
-    /** Action payload (hex) */
-    actionPayload: string;
-    /** User nonce */
-    nonce: number;
-}
+declare function getAuthStrategy(): Promise<AuthStrategy>;
+
 /**
- * Response from submitting a signed action
+ * Veridex Protocol SDK - Credential Manager
+ *
+ * First-class credential inventory management: list, rename, track usage,
+ * detect device/platform hints, revoke, and add-backup flows.
+ *
+ * This module sits on top of PasskeyManager and provides the account-management
+ * layer that PasskeyManager's low-level credential storage doesn't cover.
+ *
+ * @example
+ * ```typescript
+ * import { CredentialManager } from '@veridex/sdk';
+ *
+ * const manager = new CredentialManager({ relayerUrl: '...' });
+ *
+ * // List all credentials with metadata
+ * const credentials = manager.listCredentials();
+ *
+ * // Rename a credential
+ * manager.renameCredential(credentialId, 'MacBook Pro');
+ *
+ * // Check which credential was used most recently
+ * const recent = manager.getMostRecentCredential();
+ * ```
  */
-interface SubmitActionResult {
-    /** Whether the submission was successful */
-    success: boolean;
-    /** Transaction hash on Hub chain */
-    txHash?: string;
-    /** Wormhole sequence number */
-    sequence?: string;
-    /** Error message if failed */
-    error?: string;
-    /** Human-readable message */
-    message?: string;
-}
+
 /**
- * Query submission request (Issue #11/#12)
- * For optimistic execution via Wormhole Query proofs (~5-7s vs ~120s)
+ * Extended credential metadata stored alongside the base PasskeyCredential.
  */
-interface SubmitQueryRequest {
-    /** Target spoke chain Wormhole ID */
-    targetChain: number;
-    /** User's key hash */
-    userKeyHash: string;
-    /** Serialized transaction for spoke chain */
-    serializedTx: string;
-    /** Query proof with Guardian signatures */
-    queryProof: {
-        /** Raw query response bytes */
-        queryResponse: string;
-        /** Guardian signatures */
-        signatures: string;
-    };
-    /** Whether to fallback to VAA if Query fails */
-    fallbackToVaa?: boolean;
-    /** Optional metadata */
-    metadata?: {
-        /** User's preferred execution path */
-        preferredPath?: 'query' | 'vaa';
-        /** Transaction value in USD (for routing decisions) */
-        estimatedValueUSD?: number;
-    };
+interface CredentialMetadata {
+    /** User-assigned display name (e.g., "MacBook Pro", "iPhone 15") */
+    displayName: string;
+    /** When this credential was first registered (ISO 8601) */
+    createdAt: string;
+    /** When this credential was last used for authentication (ISO 8601) */
+    lastUsedAt: string | null;
+    /** Number of times this credential has been used */
+    useCount: number;
+    /** Platform/ecosystem hint from registration context */
+    platformHint: PlatformHint;
+    /** User agent string at registration time (for device identification) */
+    registrationUserAgent: string;
+    /** Whether the authenticator indicated backup eligibility */
+    backupEligible: boolean | null;
+    /** Whether the authenticator indicated the credential is currently backed up */
+    backupState: boolean | null;
+    /** Whether this is the root (first) credential for the identity */
+    isRoot: boolean;
+    /** Credential status */
+    status: 'active' | 'revoked';
 }
 /**
- * Query submission result (Issue #11/#12)
+ * A credential entry combining the base credential with metadata.
  */
-interface SubmitQueryResult {
-    /** Whether submission succeeded */
-    success: boolean;
-    /** Transaction hash on spoke chain */
-    txHash?: string;
-    /** Execution path used */
-    path: 'query' | 'vaa';
-    /** Latency in milliseconds */
-    latencyMs?: number;
-    /** Error message if failed */
-    error?: string;
-    /** Whether fallback to VAA occurred */
-    fellBack?: boolean;
+interface ManagedCredential {
+    /** Base passkey credential (credentialId, publicKey, keyHash) */
+    credential: PasskeyCredential$1;
+    /** Extended metadata */
+    metadata: CredentialMetadata;
 }
 /**
- * Fee quote for a relay
- */
-interface RelayFeeQuote {
-    /** Source chain Wormhole ID */
-    sourceChain: number;
-    /** Destination chain Wormhole ID */
-    destinationChain: number;
-    /** Estimated fee in source chain native token */
-    feeInSourceToken: bigint;
-    /** Estimated fee in destination chain native token */
-    feeInDestinationToken: bigint;
-    /** Estimated gas on destination */
-    estimatedGas: bigint;
-    /** Quote expiration timestamp */
-    expiresAt: number;
-    /** Quote ID for submission */
-    quoteId: string;
+ * Options for adding a credential to the inventory.
+ */
+interface AddCredentialOptions {
+    /** Display name for this credential */
+    displayName?: string;
+    /** Whether this is the root credential */
+    isRoot?: boolean;
+    /** Backup eligibility from authenticator response */
+    backupEligible?: boolean;
+    /** Backup state from authenticator response */
+    backupState?: boolean;
+}
+interface CredentialManagerConfig {
+    /** localStorage key for credential metadata */
+    storageKey?: string;
+    /** Relayer URL for remote credential metadata sync */
+    relayerUrl?: string;
+}
+declare class CredentialManager {
+    private config;
+    constructor(config?: CredentialManagerConfig);
+    /**
+     * List all credentials with their metadata.
+     * Merges base credentials (from PasskeyManager storage) with metadata.
+     */
+    listCredentials(): ManagedCredential[];
+    /**
+     * Get a single credential by ID with metadata.
+     */
+    getCredential(credentialId: string): ManagedCredential | null;
+    /**
+     * Get the most recently used credential.
+     */
+    getMostRecentCredential(): ManagedCredential | null;
+    /**
+     * Get the root (first) credential for the identity.
+     */
+    getRootCredential(): ManagedCredential | null;
+    /**
+     * Get count of active credentials.
+     */
+    getActiveCount(): number;
+    /**
+     * Add a newly registered credential to the inventory with metadata.
+     * Call this after PasskeyManager.register() to track the credential.
+     */
+    addCredential(credential: PasskeyCredential$1, options?: AddCredentialOptions): ManagedCredential;
+    /**
+     * Record that a credential was used for authentication.
+     */
+    recordUsage(credentialId: string): void;
+    /**
+     * Rename a credential's display name.
+     */
+    renameCredential(credentialId: string, displayName: string): boolean;
+    /**
+     * Mark a credential as revoked (local metadata only).
+     * Actual on-chain revocation happens through VeridexHub.removeKey().
+     */
+    markRevoked(credentialId: string): boolean;
+    /**
+     * Update backup state flags (call after authenticator response provides these).
+     */
+    updateBackupState(credentialId: string, backupEligible: boolean, backupState: boolean): void;
+    /**
+     * Remove a credential's metadata from local storage.
+     * Does NOT remove the base credential from PasskeyManager storage.
+     */
+    removeMetadata(credentialId: string): void;
+    /**
+     * Sync credential metadata to the relayer for cross-device availability.
+     * Only syncs public metadata (display name, platform, timestamps), never keys.
+     */
+    syncToRelayer(credentialId: string): Promise<boolean>;
+    /**
+     * Fetch credential metadata from the relayer (for cross-device restore).
+     */
+    fetchFromRelayer(keyHash: string): Promise<ManagedCredential[] | null>;
+    /**
+     * Get a summary suitable for migration/device-addition flows.
+     * Returns what the user should see when deciding to add another device.
+     */
+    getMigrationSummary(): {
+        totalCredentials: number;
+        activeCredentials: number;
+        platforms: PlatformHint[];
+        hasBackup: boolean;
+        rootDevice: string | null;
+    };
+    private loadMetadataMap;
+    private saveMetadataMap;
+    private saveMetadata;
+    private loadBaseCredentials;
+    private generateDisplayName;
+    private createDefaultMetadata;
 }
+
 /**
- * Configuration for RelayerClient
+ * Veridex Protocol SDK - Cross-Origin Authentication
+ *
+ * Enables passkey sharing across different domains using WebAuthn Related Origin Requests.
+ *
+ * There are two approaches for cross-domain passkey usage:
+ *
+ * 1. **Related Origin Requests (Recommended)** - W3C Standard
+ *    - Host a `.well-known/webauthn` file at veridex.network
+ *    - Third-party apps use rpId: 'veridex.network' directly
+ *    - Requires browser support for Related Origin Requests
+ *    - No popup needed, seamless UX
+ *
+ * 2. **Auth Portal Flow (Fallback)** - Popup/Redirect Pattern
+ *    - User is redirected to auth.veridex.network
+ *    - Signs with their passkey at veridex.network
+ *    - Returns a session token to the third-party app
+ *    - Works on all browsers, but requires popup/redirect
+ *
+ * @example Related Origins (Recommended)
+ * ```typescript
+ * import { createCrossOriginAuth } from '@veridex/sdk';
+ *
+ * const auth = createCrossOriginAuth();
+ *
+ * // Check if browser supports Related Origin Requests
+ * if (await auth.supportsRelatedOrigins()) {
+ *   // Direct passkey usage with veridex.network rpId
+ *   const credential = await auth.authenticate();
+ * } else {
+ *   // Fallback to Auth Portal
+ *   const session = await auth.authenticateViaPortal();
+ * }
+ * ```
+ *
+ * @example Auth Portal Flow
+ * ```typescript
+ * const auth = createCrossOriginAuth({
+ *   authPortalUrl: 'https://auth.veridex.network',
+ *   mode: 'popup', // or 'redirect'
+ * });
+ *
+ * const session = await auth.connectWithVeridex();
+ * // session contains: { address, sessionKey, expiresAt }
+ * ```
  */
-interface RelayerClientConfig {
-    /** Base URL of the relayer service */
-    baseUrl: string;
-    /** API key for authentication (optional) */
-    apiKey?: string;
-    /** Timeout for requests in ms */
-    timeoutMs?: number;
-    /** Max retries for failed requests */
-    maxRetries?: number;
+
+/** Default auth portal URL */
+declare const DEFAULT_AUTH_PORTAL_URL = "https://auth.veridex.network";
+/** Default relayer API URL for server-side session tokens */
+declare const DEFAULT_RELAYER_URL = "https://amused-kameko-veridex-demo-37453117.koyeb.app/api/v1";
+/** Message types for postMessage communication */
+declare const AUTH_MESSAGE_TYPES: {
+    readonly AUTH_REQUEST: "VERIDEX_AUTH_REQUEST";
+    readonly AUTH_RESPONSE: "VERIDEX_AUTH_RESPONSE";
+    readonly AUTH_ERROR: "VERIDEX_AUTH_ERROR";
+};
+interface CrossOriginAuthConfig {
+    /** The Veridex RP ID (defaults to veridex.network) */
+    rpId?: string;
+    /** Auth portal URL for popup/redirect flow */
+    authPortalUrl?: string;
+    /** Relayer API URL for server-side session tokens */
+    relayerUrl?: string;
+    /** Authentication mode: popup or redirect */
+    mode?: 'popup' | 'redirect';
+    /** Popup window features */
+    popupFeatures?: string;
+    /** Timeout for auth operations (ms) */
+    timeout?: number;
+    /** Callback URL for redirect mode */
+    redirectUri?: string;
+}
+interface CrossOriginSession {
+    /** User's vault address */
+    address: string;
+    /** Session key public key (for signing transactions) */
+    sessionPublicKey: string;
+    /** Session key (encrypted, stored on client) */
+    encryptedSessionKey?: string;
+    /** When the session expires */
+    expiresAt: number;
+    /** Proof of passkey ownership */
+    signature: WebAuthnSignature$1;
+    /** The credential used */
+    credential: PasskeyCredential$1;
+    /** Server-validated session token ID (from relayer) */
+    serverSessionId?: string;
+    /** Relayer-issued challenge binding for server session creation */
+    serverChallengeId?: string;
+}
+/** Server-side session token returned by the relayer */
+interface ServerSessionToken {
+    id: string;
+    keyHash: string;
+    appOrigin: string;
+    permissions: string[];
+    expiresAt: number;
+    createdAt: number;
+}
+interface AuthPortalMessage {
+    type: typeof AUTH_MESSAGE_TYPES[keyof typeof AUTH_MESSAGE_TYPES];
+    payload: CrossOriginSession | {
+        error: string;
+        code: string;
+    };
+    origin: string;
 }
 /**
- * Client for the Veridex relayer service
+ * Manages cross-origin passkey authentication for third-party apps.
+ *
+ * Third-party developers can use this to enable Veridex passkey authentication
+ * in their own applications without users having to create new passkeys.
  */
-declare class RelayerClient {
-    private baseUrl;
+declare class CrossOriginAuth {
     private config;
-    constructor(config: RelayerClientConfig);
+    constructor(config?: CrossOriginAuthConfig);
     /**
-     * Submit a VAA for relay to destination chain
+     * Check if the browser supports Related Origin Requests.
+     * This is a WebAuthn Level 3 feature that allows using passkeys across different domains.
      */
-    submitRelay(vaaBase64: string, sourceChain: number, destinationChain: number, sourceTxHash: string, sequence: bigint, feeQuoteId?: string): Promise<RelayRequest>;
+    supportsRelatedOrigins(): Promise<boolean>;
     /**
-     * Submit a signed action to the relayer for gasless execution
-     *
-     * This allows users to execute transfers without paying gas themselves.
-     * The relayer will submit the transaction to the Hub chain and pay the gas.
-     * The relayer then automatically relays the VAA to the destination spoke chain.
-     *
-     * @param request - The signed action request with passkey signature
-     * @returns Result including Hub tx hash and Wormhole sequence
+     * Check if WebAuthn is supported at all.
      */
-    submitSignedAction(request: SubmitSignedActionRequest): Promise<SubmitActionResult>;
+    isSupported(): boolean;
     /**
-     * Submit a Query-based transaction for optimistic execution (Issue #11/#12)
-     *
-     * Uses Wormhole Cross-Chain Queries (CCQ) to achieve ~5-7 second latency
-     * vs ~120+ seconds for traditional VAA flow.
-     *
-     * Flow:
-     * 1. Client fetches Hub state via queryHubState() from SDK
-     * 2. Client constructs and signs transaction
-     * 3. Client submits Query proof + tx to this endpoint
-     * 4. Relayer validates format and submits to spoke chain
-     * 5. Spoke chain verifies Guardian signatures on-chain
+     * Authenticate using Related Origin Requests.
+     * This allows using a passkey registered at veridex.network from any origin
+     * listed in the /.well-known/webauthn file.
      *
-     * @param request - Query submission with Guardian-signed proof
-     * @returns Result including spoke tx hash and execution path
-     */
-    submitQuery(request: SubmitQueryRequest): Promise<SubmitQueryResult>;
-    /**
-     * Get relay request status
+     * @throws If browser doesn't support Related Origin Requests
+     * @throws If the current origin isn't listed in veridex.network's well-known file
      */
-    getRelayStatus(requestId: string): Promise<RelayRequest>;
+    authenticate(challenge?: Uint8Array): Promise<{
+        credential: PasskeyCredential$1;
+        signature: WebAuthnSignature$1;
+    }>;
     /**
-     * Get relay status by source transaction hash
+     * Register a new passkey with veridex.network as the RP.
+     * This should only be called from veridex.network origins.
      */
-    getRelayBySourceTx(sourceTxHash: string): Promise<RelayRequest | null>;
+    register(username: string, displayName: string): Promise<PasskeyCredential$1>;
     /**
-     * Get relay status by sequence number
+     * Authenticate via the Veridex Auth Portal.
+     * Opens a popup or redirects to auth.veridex.network where the user
+     * signs with their passkey, then returns a session to the calling app.
      */
-    getRelayBySequence(sourceChain: number, sequence: bigint): Promise<RelayRequest | null>;
+    connectWithVeridex(options?: {
+        sessionChallengeId?: string;
+        sessionChallenge?: string;
+        register?: boolean;
+        username?: string;
+        displayName?: string;
+    }): Promise<CrossOriginSession>;
     /**
-     * Cancel a pending relay request
+     * Popup-based authentication flow.
      */
-    cancelRelay(requestId: string): Promise<boolean>;
+    private authenticateViaPopup;
     /**
-     * Poll for relay completion
+     * Redirect-based authentication flow.
+     * Stores state in sessionStorage and redirects to auth portal.
      */
-    waitForRelay(requestId: string, timeoutMs?: number, pollingIntervalMs?: number, onProgress?: (status: RelayStatus) => void): Promise<RelayRequest>;
+    private initiateRedirectAuth;
     /**
-     * Get fee quote for a relay
+     * Complete redirect-based authentication.
+     * Call this on your callback page to extract the session from URL params.
      */
-    getFeeQuote(sourceChain: number, destinationChain: number, estimatedGas?: bigint): Promise<RelayFeeQuote>;
+    completeRedirectAuth(): CrossOriginSession | null;
     /**
-     * Get relayer service info
+     * Generate a random state string for CSRF protection.
      */
-    getInfo(): Promise<RelayerInfo>;
+    private generateState;
+    private decodeBase64Url;
+    private requestServerSessionChallenge;
     /**
-     * Get supported routes
+     * Get the RP ID being used.
      */
-    getRoutes(): Promise<RelayRoute[]>;
+    getRpId(): string;
     /**
-     * Check if a route is supported
+     * Get the auth portal URL.
      */
-    isRouteSupported(sourceChain: number, destinationChain: number): Promise<boolean>;
+    getAuthPortalUrl(): string;
     /**
-     * Check relayer health
+     * Create a server-validated session token via the relayer.
+     * Call this after authenticating (via ROR or auth portal) to get a
+     * server-side session that the relayer can verify on subsequent requests.
      */
-    healthCheck(): Promise<boolean>;
+    createServerSession(session: CrossOriginSession): Promise<ServerSessionToken>;
     /**
-     * Get all pending relay requests for a user
+     * Validate an existing server session token.
+     * Returns the session details if valid, null if expired/revoked.
      */
-    getPendingRelays(userKeyHash: string): Promise<RelayRequest[]>;
+    validateServerSession(sessionId: string): Promise<ServerSessionToken | null>;
     /**
-     * Get relay history for a user
+     * Revoke a server session token.
      */
-    getRelayHistory(userKeyHash: string, limit?: number, offset?: number): Promise<RelayRequest[]>;
+    revokeServerSession(sessionId: string): Promise<boolean>;
     /**
-     * SDK version for telemetry
+     * Full authentication flow: authenticate + create server session.
+     * Automatically detects ROR support and falls back to auth portal.
      */
-    private static readonly SDK_VERSION;
+    authenticateAndCreateSession(options?: {
+        permissions?: string[];
+        expiresInMs?: number;
+    }): Promise<{
+        session: CrossOriginSession;
+        serverSession: ServerSessionToken;
+    }>;
+}
+/**
+ * Create a CrossOriginAuth instance for third-party app integration.
+ *
+ * @example
+ * ```typescript
+ * const auth = createCrossOriginAuth();
+ *
+ * // Check for Related Origin support
+ * if (await auth.supportsRelatedOrigins()) {
+ *   const { credential, signature } = await auth.authenticate();
+ * } else {
+ *   const session = await auth.connectWithVeridex();
+ * }
+ * ```
+ */
+declare function createCrossOriginAuth(config?: CrossOriginAuthConfig): CrossOriginAuth;
+/**
+ * Helper for the auth portal page to send results back to the calling app.
+ * Only used on auth.veridex.network, not in third-party apps.
+ */
+declare function sendAuthResponse(session: CrossOriginSession, targetOrigin: string): void;
+/**
+ * Helper for the auth portal to send an error back to the calling app.
+ */
+declare function sendAuthError(error: string, code: string, targetOrigin: string): void;
+
+/**
+ * Veridex Protocol SDK — Injected Wallet Adapter
+ *
+ * Provides a standardized adapter for browser-injected EIP-1193 wallets
+ * (MetaMask, Rabby, Coinbase Wallet, etc.).  Used as the on-chain signer
+ * for Veridex SDK operations that require a funded EOA for gas payment.
+ *
+ * Capabilities beyond basic connect:
+ *   - EIP-1193 event forwarding (accountsChanged, chainChanged, disconnect)
+ *   - Connection state tracking
+ *   - Clean disconnect with listener teardown
+ *   - Static availability detection
+ *
+ * ADR-0040 compliance: This adapter never touches passkey material.
+ * It only provides an ethers.Signer for on-chain transaction submission.
+ *
+ * @module InjectedWalletAdapter
+ */
+
+interface InjectedWalletConnection {
+    provider: ethers.BrowserProvider;
+    signer: ethers.JsonRpcSigner;
+    address: string;
+    chainId: number;
+}
+type WalletEvent = {
+    type: 'accountsChanged';
+    accounts: string[];
+} | {
+    type: 'chainChanged';
+    chainId: number;
+} | {
+    type: 'disconnect';
+    error?: unknown;
+};
+type WalletEventCallback = (event: WalletEvent) => void;
+interface InjectedWalletAdapterConfig {
+    expectedChainId?: number;
+    autoSwitchChain?: boolean;
+}
+declare class InjectedWalletAdapter {
+    private readonly config;
+    private eventCallbacks;
+    private ethereum;
+    private boundAccountsChanged;
+    private boundChainChanged;
+    private boundDisconnect;
+    private connection;
+    constructor(config?: InjectedWalletAdapterConfig);
+    private getEthereum;
+    isAvailable(): boolean;
+    /** Returns the current active connection, or null. */
+    getConnection(): InjectedWalletConnection | null;
+    connect(expectedChainId?: number | undefined): Promise<InjectedWalletConnection>;
+    /** Disconnect: clears local state and removes event listeners. */
+    disconnect(): void;
+    switchChain(chainId: number): Promise<void>;
+    getCurrentChainId(): Promise<number>;
+    /** Subscribe to wallet events (accountsChanged, chainChanged, disconnect). */
+    on(callback: WalletEventCallback): () => void;
+    private emit;
+    private attachEventListeners;
+    private detachEventListeners;
+}
+declare function createInjectedWalletAdapter(config?: InjectedWalletAdapterConfig): InjectedWalletAdapter;
+
+/**
+ * Veridex Protocol SDK - Chain Detector
+ *
+ * Phase 4: Multi-chain client support helper.
+ *
+ * Provides:
+ * - Chain config lookup (testnet/mainnet)
+ * - Auto-configuration for non-EVM ChainClient instances
+ */
+
+interface ChainDetectorConfig {
+    testnet?: boolean;
+    rpcUrls?: Record<number, string>;
+}
+interface NativeBalanceCapable {
+    getNativeBalance(address: string): Promise<bigint>;
+}
+declare class ChainDetector {
+    private readonly testnet;
+    private readonly rpcUrls;
+    private readonly walletManager;
+    constructor(config?: ChainDetectorConfig);
+    getChainConfig(wormholeChainId: number): ChainConfig | undefined;
     /**
-     * Make an HTTP request to the relayer
+     * Create a chain client for non-EVM chains using repo constants.
+     * For EVM, callers should instantiate EVMClient directly (Hub-driven).
      */
-    private fetch;
+    createClient(wormholeChainId: number): ChainClient;
     /**
-     * Sleep helper
+     * Derive a best-effort vault address for a chain from the passkey credential.
+     *
+     * - EVM chains: requires vaultFactory/vaultImplementation in constants.
+     * - Non-EVM chains: uses WalletManager chain-specific derivation.
      */
-    private sleep;
+    deriveVaultAddress(credential: PasskeyCredential, wormholeChainId: number): ChainAddress | null;
+    getNonEvmNativeTokenMeta(wormholeChainId: number): {
+        symbol: string;
+        name: string;
+        decimals: number;
+    } | null;
+    private normalizeSuiAddress;
 }
-/**
- * Create a RelayerClient instance
- */
-declare function createRelayerClient(config: RelayerClientConfig): RelayerClient;
+declare function createChainDetector(config?: ChainDetectorConfig): ChainDetector;
 
 /**
  * Veridex Protocol SDK - Session Cryptography Utilities
@@ -2846,11 +4400,11 @@ declare class IndexedDBSessionStorage implements SessionStorage {
     /**
      * Save a session (encrypts private key)
      */
-    save(session: SessionKey): Promise<void>;
+    save(session: SessionKey$1): Promise<void>;
     /**
      * Load the active session (decrypts private key)
      */
-    load(): Promise<SessionKey | null>;
+    load(): Promise<SessionKey$1 | null>;
     /**
      * Get all stored sessions (internal helper)
      */
@@ -2893,11 +4447,11 @@ declare class LocalStorageSessionStorage implements SessionStorage {
     /**
      * Save a session (encrypts private key)
      */
-    save(session: SessionKey): Promise<void>;
+    save(session: SessionKey$1): Promise<void>;
     /**
      * Load the active session (decrypts private key)
      */
-    load(): Promise<SessionKey | null>;
+    load(): Promise<SessionKey$1 | null>;
     /**
      * Clear all sessions
      */
@@ -3049,11 +4603,11 @@ declare const VERIDEX_ERRORS: {
     /** ABI decoding failed (parsing) */
     readonly QUERY_PARSE_ABI_FAILED: 6216;
 };
-type VeridexErrorCode = (typeof VERIDEX_ERRORS)[keyof typeof VERIDEX_ERRORS];
+type VeridexErrorCode$1 = (typeof VERIDEX_ERRORS)[keyof typeof VERIDEX_ERRORS];
 /**
  * Human-readable error messages for each error code.
  */
-declare const ERROR_MESSAGES: Record<VeridexErrorCode, string>;
+declare const ERROR_MESSAGES: Record<VeridexErrorCode$1, string>;
 /**
  * Check if an error code is in the core protocol range.
  */
@@ -3088,7 +4642,7 @@ declare function getErrorMessage(code: number): string;
  * @param error - The error object from a failed transaction
  * @returns The error code if found, undefined otherwise
  */
-declare function parseVeridexError(error: unknown): VeridexErrorCode | undefined;
+declare function parseVeridexError(error: unknown): VeridexErrorCode$1 | undefined;
 /**
  * Check if the error is a retryable error (e.g., expired query can be refreshed).
  */
@@ -3098,26 +4652,427 @@ declare function isRetryableError(code: number): boolean;
  */
 declare function getSuggestedAction(code: number): string;
 
-type AuthenticateAndPrepareParams = {
-    credential: PasskeyCredential;
-    action?: TransferParams | ExecuteParams | BridgeParams;
-    /** Pre-encoded Hub action payload (hex string). If provided, `action` is ignored. */
-    actionPayload?: string;
-    targetChain: number;
+/**
+ * Veridex Protocol SDK — Unified Error Normalization
+ *
+ * Wraps chain-specific errors (ethers, Anchor, Clarity, Starknet felt, etc.)
+ * into a single VeridexError class with a unified code, human-readable message,
+ * and chain identifier.  Integrators can catch `VeridexError` consistently
+ * regardless of which chain's SDK surfaced the underlying fault.
+ */
+/**
+ * Language-agnostic error codes that map consistently across all chains.
+ */
+declare enum VeridexErrorCode {
+    NO_CREDENTIAL = "NO_CREDENTIAL",
+    UNAUTHORIZED = "UNAUTHORIZED",
+    INVALID_SIGNATURE = "INVALID_SIGNATURE",
+    VAULT_NOT_FOUND = "VAULT_NOT_FOUND",
+    VAULT_PAUSED = "VAULT_PAUSED",
+    PROTOCOL_PAUSED = "PROTOCOL_PAUSED",
+    INSUFFICIENT_FUNDS = "INSUFFICIENT_FUNDS",
+    DAILY_LIMIT_EXCEEDED = "DAILY_LIMIT_EXCEEDED",
+    INVALID_PAYLOAD = "INVALID_PAYLOAD",
+    INVALID_ACTION = "INVALID_ACTION",
+    EXPIRED = "EXPIRED",
+    VAA_ALREADY_PROCESSED = "VAA_ALREADY_PROCESSED",
+    INVALID_VAA = "INVALID_VAA",
+    INVALID_EMITTER = "INVALID_EMITTER",
+    BRIDGE_ERROR = "BRIDGE_ERROR",
+    RPC_ERROR = "RPC_ERROR",
+    TIMEOUT = "TIMEOUT",
+    RELAYER_ERROR = "RELAYER_ERROR",
+    SESSION_EXPIRED = "SESSION_EXPIRED",
+    SESSION_INVALID = "SESSION_INVALID",
+    UNSUPPORTED_FEATURE = "UNSUPPORTED_FEATURE",
+    UNKNOWN = "UNKNOWN"
+}
+/**
+ * Unified error class for all Veridex SDK operations.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await sdk.executeTransfer(prepared, signer);
+ * } catch (err) {
+ *   if (err instanceof VeridexError) {
+ *     console.log(err.code);   // 'INSUFFICIENT_FUNDS'
+ *     console.log(err.chain);  // 'base'
+ *     console.log(err.cause);  // original ethers error
+ *   }
+ * }
+ * ```
+ */
+declare class VeridexError extends Error {
+    /** Unified error code */
+    readonly code: VeridexErrorCode;
+    /** Chain name where the error originated (e.g. 'base', 'solana') */
+    readonly chain: string | undefined;
+    /** Original chain-specific error */
+    readonly cause: unknown;
+    /** Whether the operation could succeed if retried */
+    readonly retryable: boolean;
+    constructor(code: VeridexErrorCode, message?: string, options?: {
+        chain?: string;
+        cause?: unknown;
+        retryable?: boolean;
+    });
+}
+/**
+ * Normalize any chain-specific error into a VeridexError.
+ *
+ * Call this at SDK boundaries (dispatch, balance fetch, vault creation) to
+ * give integrators a consistent error surface.
+ *
+ * @param error  - The original error from chain client / RPC / Anchor / etc.
+ * @param chain  - Chain identifier string (e.g. 'base', 'solana', 'starknet')
+ * @returns A VeridexError wrapping the original
+ */
+declare function normalizeError(error: unknown, chain?: string): VeridexError;
+
+/**
+ * Veridex Protocol SDK — Enterprise Manager
+ *
+ * Bundles the operations that enterprise / integrator back-ends need:
+ *   - Batch vault creation across chains
+ *   - Admin spending limit management for multiple vaults
+ *   - Server-side signing helpers (non-WebAuthn path)
+ *   - Pre-built webhook-style event subscription
+ *
+ * All features delegate to existing SDK primitives — this is an
+ * orchestration layer, not a divergent code path.
+ */
+
+interface EnterpriseManagerConfig {
+    /**
+     * The VeridexSDK instance (typically created via `createSDK` or
+     * `createEnterpriseSDK` with a sponsor key).
+     */
+    sdk: VeridexSDK;
+    /**
+     * Maximum concurrent operations for batch methods (default: 3).
+     */
+    maxConcurrency?: number;
+}
+interface BatchVaultRequest {
+    /** Key hashes to create vaults for */
+    keyHashes: string[];
+    /** Optional: specific chain IDs to create vaults on (defaults to all sponsored chains) */
+    chainIds?: number[];
+    /** Maximum concurrent vault creations (overrides config default) */
+    maxConcurrency?: number;
+}
+interface BatchVaultResult {
+    total: number;
+    succeeded: number;
+    failed: number;
+    results: Array<{
+        keyHash: string;
+        result: MultiChainVaultResult | null;
+        error?: string;
+    }>;
+}
+interface BatchTransferRequest {
+    /** Transfers to execute */
+    transfers: TransferParams[];
+    /** Signer to pay for gas */
+    signer: any;
+    /** Maximum concurrent transfers (overrides config default) */
+    maxConcurrency?: number;
+}
+interface BatchTransferResult {
+    total: number;
+    succeeded: number;
+    failed: number;
+    results: Array<{
+        params: TransferParams;
+        result: TransferResult | null;
+        error?: string;
+    }>;
+}
+interface BatchSpendingLimitRequest {
+    /** Vault addresses and their new daily limit */
+    updates: Array<{
+        /** New daily limit in wei/base units (0 = unlimited) */
+        newLimit: bigint;
+    }>;
+    /** Signer to pay for gas */
+    signer: any;
+}
+interface BatchSpendingLimitResult {
+    total: number;
+    succeeded: number;
+    failed: number;
+    results: Array<{
+        newLimit: bigint;
+        result: TransferResult | null;
+        error?: string;
+    }>;
+}
+/** Lifecycle event types for batch operations */
+type BatchLifecycleEvent = {
+    type: 'started';
+    total: number;
+} | {
+    type: 'item_started';
+    index: number;
+    total: number;
+} | {
+    type: 'item_completed';
+    index: number;
+    total: number;
+    success: boolean;
+    error?: string;
+} | {
+    type: 'completed';
+    succeeded: number;
+    failed: number;
+    total: number;
 };
-type AuthenticateAndPrepareResult = {
-    serializedTx: Uint8Array;
-    queryProof: Uint8Array<ArrayBufferLike>;
-    estimatedLatency: number;
-    fallbackAvailable: boolean;
+/** Callback for batch operation lifecycle events */
+type BatchLifecycleCallback = (event: BatchLifecycleEvent) => void;
+interface VaultOverview {
+    keyHash: string;
+    vaultAddress: string;
+    wormholeChainId: number;
+    exists: boolean;
+    balance?: PortfolioBalance;
+    limits?: SpendingLimits;
+}
+/**
+ * High-level orchestration for enterprise / integrator use cases.
+ *
+ * @example
+ * ```typescript
+ * import { createEnterpriseSDK, EnterpriseManager } from '@veridex/sdk';
+ *
+ * const sdk = createEnterpriseSDK({
+ *   sponsorPrivateKey: process.env.SPONSOR_KEY!,
+ *   relayerUrl: 'https://relayer.veridex.network',
+ *   relayerApiKey: 'key',
+ * });
+ *
+ * const enterprise = new EnterpriseManager({ sdk });
+ *
+ * // Batch create vaults for 50 users
+ * const result = await enterprise.batchCreateVaults({
+ *   keyHashes: userKeyHashes,
+ * });
+ *
+ * // Watch all vaults for balance changes
+ * const unsub = enterprise.watchVaultBalance(
+ *   10004, vaultAddress,
+ *   (event) => callWebhook(event),
+ * );
+ * ```
+ */
+declare class EnterpriseManager {
+    private readonly sdk;
+    private readonly balanceWatcher;
+    private readonly maxConcurrency;
+    constructor(config: EnterpriseManagerConfig);
+    /**
+     * Run tasks with bounded concurrency.
+     */
+    private runWithConcurrency;
+    /**
+     * Create sponsored vaults for multiple users with concurrency control.
+     *
+     * Uses the SDK's GasSponsor under the hood.  Errors for individual
+     * key hashes are captured, not thrown — the batch continues.
+     */
+    batchCreateVaults(request: BatchVaultRequest, onLifecycle?: BatchLifecycleCallback): Promise<BatchVaultResult>;
+    /**
+     * Check vault existence across all sponsored chains for a key hash.
+     */
+    checkVaults(keyHash: string): Promise<Record<number, {
+        exists: boolean;
+        address: string;
+    }>>;
+    /**
+     * List all chains where sponsorship is available.
+     */
+    getSponsoredChains(): ChainDeploymentConfig[];
+    /**
+     * Execute multiple transfers with concurrency control.
+     *
+     * Each transfer is prepared and executed independently. Errors are
+     * captured per-transfer so the batch continues on individual failures.
+     *
+     * @example
+     * ```typescript
+     * const result = await enterprise.batchTransfer({
+     *   transfers: [
+     *     { targetChain: 10004, token: '0x...', recipient: '0xAlice', amount: 1000000n },
+     *     { targetChain: 10004, token: '0x...', recipient: '0xBob',   amount: 2000000n },
+     *   ],
+     *   signer,
+     *   maxConcurrency: 2,
+     * }, (event) => console.log(event.type, event));
+     * ```
+     */
+    batchTransfer(request: BatchTransferRequest, onLifecycle?: BatchLifecycleCallback): Promise<BatchTransferResult>;
+    /**
+     * Update daily spending limits for the current vault in sequence.
+     *
+     * Each limit update requires a passkey signature, so these are executed
+     * one-at-a-time (signing cannot be parallelized).
+     *
+     * @example
+     * ```typescript
+     * const result = await enterprise.batchSetSpendingLimits({
+     *   updates: [
+     *     { newLimit: ethers.parseEther('5.0') },
+     *     { newLimit: ethers.parseEther('10.0') },
+     *   ],
+     *   signer,
+     * });
+     * ```
+     */
+    batchSetSpendingLimits(request: BatchSpendingLimitRequest, onLifecycle?: BatchLifecycleCallback): Promise<BatchSpendingLimitResult>;
+    /**
+     * Read spending limits for any vault address on the current chain.
+     * Useful for admin dashboards that need to inspect user vaults.
+     */
+    getSpendingLimitsForVault(vaultAddress: string, wormholeChainId?: number): Promise<SpendingLimits>;
+    /**
+     * Read spending limits for multiple vaults in parallel.
+     */
+    getSpendingLimitsForVaults(vaultAddresses: string[], wormholeChainId?: number): Promise<Map<string, SpendingLimits | Error>>;
+    /**
+     * Watch a vault's balance for changes.
+     *
+     * The callback fires whenever the polling interval detects a difference.
+     * Returns an unsubscribe function.
+     *
+     * @example
+     * ```typescript
+     * const unsub = enterprise.watchVaultBalance(
+     *   10004,
+     *   '0xVaultAddr',
+     *   (event) => {
+     *     // Push to webhook, update dashboard, etc.
+     *     fetch(webhookUrl, { method: 'POST', body: JSON.stringify(event) });
+     *   },
+     *   { intervalMs: 10_000 },
+     * );
+     * ```
+     */
+    watchVaultBalance(wormholeChainId: number, address: string, onChange: BalanceChangeCallback, options?: BalanceWatcherOptions, onError?: BalanceErrorCallback): Unsubscribe;
+    /**
+     * Stop all active balance watchers.
+     */
+    stopAllWatchers(): void;
+    /**
+     * Get number of active balance watchers.
+     */
+    get activeWatcherCount(): number;
+    /**
+     * Get a combined overview for a vault: existence, balances, limits.
+     *
+     * Useful for rendering an admin dashboard row.
+     */
+    getVaultOverview(keyHash: string, wormholeChainId?: number): Promise<VaultOverview>;
+}
+
+/**
+ * @packageDocumentation
+ * @module erc8004/contracts
+ * @description
+ * Low-level ERC-8004 contract utilities shared across SDK layers.
+ *
+ * Provides:
+ * - Contract instance creation for Identity, Reputation, and Validation registries
+ * - Address resolution by chain and network
+ * - ABI references
+ *
+ * This module lives in the core SDK (`@veridex/sdk`) so that both the agent-sdk
+ * and relayer can share the same contract interaction utilities.
+ *
+ * References:
+ * - ADR-0029 §SDK Module Structure
+ * - ERC8004_IMPLEMENTATION_PLAN.md Phase 1
+ */
+/** Identity Registry — same address on ALL EVM mainnets */
+declare const ERC8004_MAINNET_IDENTITY = "0x8004A169FB4a3325136EB29fA0ceB6D2e539a432";
+/** Reputation Registry — same address on ALL EVM mainnets */
+declare const ERC8004_MAINNET_REPUTATION = "0x8004BAa17C55a88189AE136b182e5fdA19dE9b63";
+/** Identity Registry — same address on ALL EVM testnets */
+declare const ERC8004_TESTNET_IDENTITY = "0x8004A818BFB912233c491871b3d84c89A494BD9e";
+/** Reputation Registry — same address on ALL EVM testnets */
+declare const ERC8004_TESTNET_REPUTATION = "0x8004B663056A597Dffe9eCcC1965A193B7388713";
+/**
+ * Resolve canonical ERC-8004 registry addresses for a given network.
+ */
+declare function getERC8004Addresses(testnet: boolean): {
+    identityRegistry: string;
+    reputationRegistry: string;
 };
 /**
- * Client-first authentication preparation:
- * - user signs locally (FaceID/TouchID)
- * - client queries Wormhole Query Proxy for Guardian-attested nonce/state
- * - client returns a ready-to-submit relayer payload (JSON bytes)
- * - falls back to RPC nonce if Queries fails
+ * Check if a chain has ERC-8004 singletons deployed.
  */
-declare function authenticateAndPrepare(userParams: AuthenticateAndPrepareParams, apiKey: string): Promise<AuthenticateAndPrepareResult>;
+declare function isERC8004Chain(chainName: string): boolean;
+/** Chains where ERC-8004 singletons are deployed */
+declare const ERC8004_CHAINS: {
+    readonly mainnet: readonly ["ethereum", "base", "polygon", "arbitrum", "optimism", "linea", "megaeth", "monad"];
+    readonly testnet: readonly ["ethereum-sepolia", "base-sepolia", "polygon-amoy", "arbitrum-sepolia", "optimism-sepolia", "monad-testnet"];
+};
+/** Minimal Identity Registry ABI for read operations */
+declare const IDENTITY_REGISTRY_READ_ABI: readonly ["function ownerOf(uint256 tokenId) view returns (address)", "function balanceOf(address owner) view returns (uint256)", "function totalSupply() view returns (uint256)", "function agentURI(uint256 agentId) view returns (string)", "function agentWallet(uint256 agentId) view returns (address)", "function getMetadata(uint256 agentId, string key) view returns (string)"];
+/** Minimal Reputation Registry ABI for read operations */
+declare const REPUTATION_REGISTRY_READ_ABI: readonly ["function getSummary(uint256 agentId, address[] clientAddresses, string tag1, string tag2) view returns (uint256 count, int128 summaryValue, uint8 summaryValueDecimals)", "function readFeedback(uint256 agentId, address clientAddress, uint256 feedbackIndex) view returns (int128 value, uint8 valueDecimals, string tag1, string tag2, bool isRevoked)", "function getClients(uint256 agentId) view returns (address[])", "function getLastIndex(uint256 agentId, address clientAddress) view returns (uint256)"];
+/** Full Identity Registry ABI (read + write) */
+declare const IDENTITY_REGISTRY_ABI: readonly ["function register(string agentURI) returns (uint256)", "function register(string agentURI, tuple(string key, string value)[] metadata) returns (uint256)", "function ownerOf(uint256 tokenId) view returns (address)", "function balanceOf(address owner) view returns (uint256)", "function totalSupply() view returns (uint256)", "function agentURI(uint256 agentId) view returns (string)", "function agentWallet(uint256 agentId) view returns (address)", "function getMetadata(uint256 agentId, string key) view returns (string)", "function setAgentURI(uint256 agentId, string newURI)", "function setAgentWallet(uint256 agentId, address wallet, uint256 deadline, bytes signature)", "function unsetAgentWallet(uint256 agentId)", "function setMetadata(uint256 agentId, string key, string value)", "event Transfer(address indexed from, address indexed to, uint256 indexed tokenId)", "event AgentURIUpdated(uint256 indexed agentId, string newURI)", "event AgentWalletSet(uint256 indexed agentId, address wallet)", "event AgentWalletUnset(uint256 indexed agentId)", "event MetadataUpdated(uint256 indexed agentId, string key, string value)"];
+/** Full Reputation Registry ABI (read + write) */
+declare const REPUTATION_REGISTRY_ABI: readonly ["function giveFeedback(uint256 agentId, int128 value, uint8 valueDecimals, string tag1, string tag2)", "function giveFeedback(uint256 agentId, int128 value, uint8 valueDecimals, string tag1, string tag2, string endpointURI, string feedbackURI, bytes32 feedbackHash)", "function revokeFeedback(uint256 agentId, uint256 feedbackIndex)", "function appendResponse(uint256 agentId, address clientAddress, uint256 feedbackIndex, string responseURI, bytes32 responseHash)", "function getSummary(uint256 agentId, address[] clientAddresses, string tag1, string tag2) view returns (uint256 count, int128 summaryValue, uint8 summaryValueDecimals)", "function readFeedback(uint256 agentId, address clientAddress, uint256 feedbackIndex) view returns (int128 value, uint8 valueDecimals, string tag1, string tag2, bool isRevoked)", "function getClients(uint256 agentId) view returns (address[])", "function getLastIndex(uint256 agentId, address clientAddress) view returns (uint256)", "event FeedbackGiven(uint256 indexed agentId, address indexed client, int128 value, uint8 valueDecimals)", "event FeedbackRevoked(uint256 indexed agentId, address indexed client, uint256 feedbackIndex)", "event ResponseAppended(uint256 indexed agentId, address indexed client, uint256 feedbackIndex)"];
+/** Validation Registry ABI (Phase 3 — spec still under active update) */
+declare const VALIDATION_REGISTRY_ABI: readonly ["function validationRequest(address validatorAddress, uint256 agentId, string requestURI, bytes32 requestHash) returns (bytes32)", "function getValidationStatus(bytes32 requestHash) view returns (address validatorAddress, uint256 agentId, uint8 response, bytes32 responseHash, string tag, uint256 lastUpdate)", "function getSummary(uint256 agentId, address[] validatorAddresses, string tag) view returns (uint256 count, uint256 averageResponse)", "function getAgentValidations(uint256 agentId) view returns (bytes32[])"];
+
+/**
+ * @packageDocumentation
+ * @module erc8004/types
+ * @description
+ * On-chain types for ERC-8004 registries.
+ * These are the low-level types that map directly to contract return values.
+ *
+ * Higher-level SDK config types live in `@veridex/agent-sdk/identity/types`.
+ */
+/** Agent registration as stored on-chain in the ERC-8004 Identity Registry */
+interface ERC8004AgentRegistration {
+    agentId: bigint;
+    owner: string;
+    agentURI: string;
+    agentWallet: string;
+}
+/** Key-value metadata entry */
+interface ERC8004MetadataEntry {
+    key: string;
+    value: string;
+}
+/** Individual feedback entry from the Reputation Registry */
+interface ERC8004FeedbackEntry {
+    value: bigint;
+    valueDecimals: number;
+    tag1: string;
+    tag2: string;
+    isRevoked: boolean;
+}
+/** Aggregated feedback summary from the Reputation Registry */
+interface ERC8004FeedbackSummary {
+    count: bigint;
+    summaryValue: bigint;
+    summaryValueDecimals: number;
+}
+/** Validation status from the Validation Registry */
+interface ERC8004ValidationStatus {
+    validatorAddress: string;
+    agentId: bigint;
+    response: number;
+    responseHash: string;
+    tag: string;
+    lastUpdate: bigint;
+}
+/** CAIP-2 universal agent identifier format */
+type UniversalAgentIdentifier = string;
 
-export { ARBITRUM_SEPOLIA_TOKENS, type ActionDetails, type ActionDisplayType, AddBackupKeyResult, type AuthenticateAndPrepareParams, type AuthenticateAndPrepareResult, AuthorizedKey, BASE_SEPOLIA_TOKENS, BalanceManager, type BalanceManagerConfig, type BridgeDetails, BridgeParams, BridgeResult, CHAIN_DISPLAY_INFO, CHAIN_NAMES, CHAIN_PRESETS, CONFIG_TYPE, ChainAddress, type ChainAddressConfig, ChainClient, ChainConfig, type ChainDeploymentConfig, ChainDetector, type ChainDetectorConfig, type ChainDisplay, type ChainName, type ChainTokenList, type ConfigDetails, type CrossChainConfig, CrossChainManager, type CrossChainProgress, type CrossChainProgressCallback, type CrossChainResult, type CrossChainStatus, DEFAULT_REFRESH_BUFFER, DEFAULT_SESSION_DURATION, type DailySpendingSummary, DispatchResult, type DurationDisplay, ERROR_MESSAGES, ERROR_RANGES, EVM_ZERO_ADDRESS, type ExecuteDetails, ExecuteParams, type FormattedSpendingLimits, GasSponsor, type GasSponsorConfig, IdentityState, IndexedDBSessionStorage, type KeyPair, LIMIT_PRESETS, type LimitCheckResult, type LimitPreset, type LimitViolationSuggestion, type LimitViolationType, LocalStorageSessionStorage, MAX_SESSION_DURATION, MIN_SESSION_DURATION, type MultiChainVaultResult, NATIVE_TOKEN_ADDRESS, type NativeBalanceCapable, type NetworkType, OPTIMISM_SEPOLIA_TOKENS, PasskeyCredential, PasskeyManager, type PortfolioBalance, PreparedBridge, PreparedTransfer, ReceiveAddress, type RecipientDisplay, type RelayFeeQuote, type RelayRequest, type RelayRoute, type RelayStatus, RelayerClient, type RelayerClientConfig, type RelayerInfo, RemoveKeyResult, type RiskLevel, type RiskWarning, type RiskWarningType, SessionStorage, type SetDailyLimitParams, type SetTransactionLimitParams, type SimpleSDKConfig, type SessionConfig as SimpleSessionConfig, type SpendingLimitChangedEvent, type SpendingLimitConfig, type SpendingLimitEventCallback, type SpendingLimits, SpendingLimitsManager, type SpendingLimitsManagerConfig, type SpendingTransaction, type SponsoredVaultResult, type SponsorshipSource, type SubmitActionResult, type SubmitQueryRequest, type SubmitQueryResult, type SubmitSignedActionRequest, TOKEN_REGISTRY, type TokenBalance, type TokenDisplay, type TokenInfo$1 as TokenInfo, type TrackerConfig, type TransactionAuditEntry, type TransactionCallback, TransactionParser, type TransactionParserConfig, type TransactionState, type TransactionStatus, type TransactionSummary, TransactionTracker, type TransferDetails, TransferParams, TransferResult, UnifiedIdentity, VAA, VERIDEX_ERRORS, VaultCreationResult, VaultInfo, VeridexConfig, type VeridexErrorCode, VeridexPayload, VeridexSDK, WalletManager, WalletManagerConfig, authenticateAndPrepare, calculatePercentage, computeSessionKeyHash, createAuditEntry, createChainDetector, createGasSponsor, createHubSDK, createMainnetSDK, createRelayerClient, createSDK, createSessionSDK, createSessionStorage, createSpendingLimitsManager, createTestnetSDK, createTransactionParser, crossChainManager, decrypt, VeridexSDK as default, deriveEncryptionKey, encrypt, formatDuration, formatLargeAmount, formatTransactionState, generateSecp256k1KeyPair, getAllTokens, getChainConfig, getChainDisplay, getChainName, getChainPreset, getConfigTypeName, getDefaultHub, getErrorCategory, getErrorMessage, getExplorerUrl, getHubChains, getSuggestedAction, getSupportedChainIds, getSupportedChains, getTokenByAddress, getTokenBySymbol, getTokenList, hashAction, isAbiError, isChainSupported, isCoreError, isNativeToken, isQueryError, isQueryExecutionError, isQueryParsingError, isRetryableError, logTransactionSummary, parseVeridexError, signWithSessionKey, validateSessionConfig, verifySessionSignature };
+export { ARBITRUM_SEPOLIA_TOKENS, AUTH_MESSAGE_TYPES, AccountManager, type AccountManagerConfig, type ActionDetails, type ActionDisplayType, AddBackupKeyResult, type AddCredentialOptions, type AddGuardianParams, type ApproveProposalParams, type ApproveProposalResult, type ApproveRecoveryParams, type AuthPortalMessage, type AuthStrategy, AuthorizedKey, BASE_SEPOLIA_TOKENS, type BalanceChangeCallback, type BalanceChangeEvent, type BalanceErrorCallback, type BalanceEventType, BalanceManager, type BalanceManagerConfig, BalanceWatcher, type BalanceWatcherOptions, type BatchLifecycleCallback, type BatchLifecycleEvent, type BatchSpendingLimitRequest, type BatchSpendingLimitResult, type BatchTransferRequest, type BatchTransferResult, type BatchVaultRequest, type BatchVaultResult, type BridgeDetails, BridgeParams, BridgeResult, type BrowserCapabilities, CHAIN_CAPABILITIES, CHAIN_DISPLAY_INFO, CHAIN_NAMES, CHAIN_PRESETS, CONFIG_TYPE, type CancelProposalParams, type CancelRecoveryParams, ChainAddress, type ChainAddressConfig, type ChainCapabilities, type ChainCapabilityTier, ChainClient, ChainConfig, type ChainDeploymentConfig, ChainDetector, type ChainDetectorConfig, type ChainDisplay, type ChainName, type ChainTokenList, type ConfigDetails, type ConfigurePolicyParams, type CreateProposalParams, type CreateProposalResult, CredentialManager, type CredentialMetadata, type CredentialMetadataRecord, type CrossChainConfig, CrossChainManager, type CrossChainProgress, type CrossChainProgressCallback, type CrossChainResult, type CrossChainStatus, CrossOriginAuth, type CrossOriginAuthConfig, type CrossOriginSession, DEFAULT_AUTH_PORTAL_URL, DEFAULT_PROPOSAL_TTL, DEFAULT_PROTECTED_ACTION_MASK, DEFAULT_REFRESH_BUFFER, DEFAULT_RELAYER_URL, DEFAULT_SESSION_DURATION, type DailySpendingSummary, DispatchResult, type DurationDisplay, type ERC8004AgentRegistration, type ERC8004FeedbackEntry, type ERC8004FeedbackSummary, type ERC8004MetadataEntry, type ERC8004ValidationStatus, ERC8004_CHAINS, ERC8004_MAINNET_IDENTITY, ERC8004_MAINNET_REPUTATION, ERC8004_TESTNET_IDENTITY, ERC8004_TESTNET_REPUTATION, ERROR_MESSAGES, ERROR_RANGES, ETHEREUM_SEPOLIA_TOKENS, EVM_ZERO_ADDRESS, EnterpriseManager, type EnterpriseManagerConfig, type EnterpriseSDKConfig, type ExecuteDetails, ExecuteParams, type ExecuteProposalParams, type ExecuteProposalResult, type ExecuteRecoveryParams, type FeatureFlags, type FormattedSpendingLimits, GasSponsor, type GasSponsorConfig, type GuardiansResult, IDENTITY_REGISTRY_ABI, IDENTITY_REGISTRY_READ_ABI, IdentityState, IndexedDBSessionStorage, type InitiateRecoveryParams, InjectedWalletAdapter, type InjectedWalletAdapterConfig, type InjectedWalletConnection, type KeyPair, LIMIT_PRESETS, type LimitCheckResult, type LimitPreset, type LimitViolationSuggestion, type LimitViolationType, LocalStorageSessionStorage, MAX_SESSION_DURATION, MIN_SESSION_DURATION, MONAD_TESTNET_TOKENS, type ManagedCredential, type MultiChainVaultResult, type MultisigCapableChainClient, MultisigManager, type MultisigManagerConfig, type MultisigPolicy, NATIVE_TOKEN_ADDRESS, type NativeBalanceCapable, type NetworkType, OPTIMISM_SEPOLIA_TOKENS, PROTECTED_ACTION, PasskeyCredential$1 as PasskeyCredential, PasskeyManager, type PlatformCapabilityMatrix, type PlatformHint, type PolicyViolationCode, PolicyViolationError, type PortabilityOverview, type PortfolioBalance, PreparedBridge, PreparedTransfer, type ProposalActionSummary, type ProposalState, REPUTATION_REGISTRY_ABI, REPUTATION_REGISTRY_READ_ABI, ReceiveAddress, type RecipientDisplay, type RecoveryCapableChainClient, RecoveryManager, type RecoveryManagerConfig, type RecoveryOverview, type RecoveryReadiness, type RecoveryStatusResult, type RegisteredAppDetail, type RegisteredAppStatus, type RegisteredAppSummary, type RegisteredAppTrustLevel, type RelayFeeQuote, type RelayRequest, type RelayRoute, type RelayStatus, type RelayerAppSession, RelayerClient, type RelayerClientConfig, type RelayerInfo, type RemoveGuardianParams, RemoveKeyResult, type RiskLevel, type RiskWarning, type RiskWarningType, type ServerSessionToken, SessionKey, SessionStorage, type SetDailyLimitParams, type SetTransactionLimitParams, type SetupGuardiansParams, type SimpleSDKConfig, type SessionConfig as SimpleSessionConfig, type SpendingLimitChangedEvent, type SpendingLimitConfig, type SpendingLimitEventCallback, type SpendingLimits, SpendingLimitsManager, type SpendingLimitsManagerConfig, type SpendingTransaction, type SponsoredVaultResult, type SponsorshipSource, type SubmitActionResult, type SubmitQueryRequest, type SubmitQueryResult, type SubmitSignedActionRequest, TOKEN_REGISTRY, type TokenBalance, type TokenBalanceChange, type TokenDisplay, type TokenInfo$1 as TokenInfo, type TrackerConfig, type TransactionAuditEntry, type TransactionCallback, TransactionParser, type TransactionParserConfig, type TransactionProposal, type TransactionState, type TransactionStatus, type TransactionSummary, TransactionTracker, type TransferDetails, TransferParams, TransferResult, VeridexErrorCode as UnifiedErrorCode, UnifiedIdentity, type UniversalAgentIdentifier, type Unsubscribe, VAA, VALIDATION_REGISTRY_ABI, VERIDEX_ERRORS, VaultCreationResult, VaultInfo, type VaultOverview, VeridexConfig, VeridexError, type VeridexErrorCode$1 as VeridexErrorCode, VeridexPayload, VeridexSDK, type WalletEvent, type WalletEventCallback, WalletManager, WalletManagerConfig, WebAuthnSignature$1 as WebAuthnSignature, buildCapabilityMatrix, calculatePercentage, computeSessionKeyHash, createAuditEntry, createChainClient, createChainDetector, createCrossOriginAuth, createEnterpriseSDK, createGasSponsor, createHubSDK, createInjectedWalletAdapter, createMainnetSDK, createRelayerClient, createSDK, createSessionSDK, createSessionStorage, createSpendingLimitsManager, createTestnetSDK, createTransactionParser, crossChainManager, decrypt, VeridexSDK as default, deriveEncryptionKey, detectCapabilities, detectPlatform, encrypt, formatDuration, formatLargeAmount, formatTransactionState, generateSecp256k1KeyPair, getAllTokens, getAuthStrategy, getChainConfig, getChainDisplay, getChainName, getChainPreset, getConfigTypeName, getDefaultHub, getERC8004Addresses, getEffectivePrimaryHub, getErrorCategory, getErrorMessage, getExplorerUrl, getFeatureFlags, getHubChains, getSuggestedAction, getSupportedChainIds, getSupportedChains, getTokenByAddress, getTokenBySymbol, getTokenList, hashAction, isAbiError, isChainSupported, isCoreError, isERC8004Chain, isHubChain, isMultiHubEnabled, isNativeToken, isQueryError, isQueryExecutionError, isQueryParsingError, isRetryableError, logTransactionSummary, normalizeError, parseVeridexError, resetFeatureFlags, sendAuthError, sendAuthResponse, setFeatureFlags, signWithSessionKey, validateChainCapability, validateFederatedOrigin, validateMetaMaskInteropClaim, validateNoKeyExtraction, validateSessionConfig, validateSessionCreationPolicy, verifySessionSignature };