diff --git a/Cargo.lock b/Cargo.lock index eb4ddbf5..fc383767 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2041,8 +2041,14 @@ version = "0.1.0" dependencies = [ "criterion", "key_protocol", +<<<<<<< HEAD "lee_core", "rand 0.8.6", +======= + "nssa_core", + "serde", + "serde_json", +>>>>>>> 8492f995 (ci fixes) ] [[package]] @@ -2203,7 +2209,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ccc2776f0c61eca1ca32528f85548abd1a4be8fb53d1b21c013e4f18da1e7090" dependencies = [ "data-encoding", - "syn 2.0.117", + "syn 1.0.109", ] [[package]] @@ -2387,7 +2393,7 @@ dependencies = [ "libc", "option-ext", "redox_users", - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] @@ -2707,7 +2713,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.61.2", + "windows-sys 0.52.0", ] [[package]] @@ -3714,8 +3720,12 @@ dependencies = [ "libc", "percent-encoding", "pin-project-lite", +<<<<<<< HEAD "socket2 0.6.4", "system-configuration 0.7.0", +======= + "socket2 0.5.10", +>>>>>>> 8492f995 (ci fixes) "tokio", "tower-service", "tracing", 
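Review bot: The first Cargo.lock hunk (`@@ -2041,8 +2041,14 @@`) adds unresolved merge-conflict markers as content (`<<<<<<< HEAD`, `=======`, `>>>>>>> 8492f995 (ci fixes)`), and the same markers recur in the hunks at -3714, -6706, -7738 and -7775. With them in place the lockfile is not valid TOML and holds two competing dependency sets (`lee_core` / `rand 0.8.6` / `socket2 0.6.4` against `nssa_core` / `socket2 0.5.10`), so it no longer pins a single reviewed dependency graph. The remaining hunks also move `syn 2.0.117` to `syn 1.0.109` and several `windows-sys 0.61.2` references to `0.59.0` or `0.52.0`, which looks like a side effect of the same unfinished merge rather than an intended downgrade. Resolve the conflict, regenerate the lockfile with cargo rather than by hand, and have CI build with `cargo build --locked` so a broken or drifting lockfile fails the pipeline.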
@@ -6706,12 +6716,60 @@ dependencies = [ ] [[package]] +<<<<<<< HEAD +======= +name = "nssa" +version = "0.1.0" +dependencies = [ + "anyhow", + "authenticated_transfer_core", + "borsh", + "clock_core", + "env_logger", + "faucet_core", + "hex", + "hex-literal 1.1.0", + "k256", + "log", + "nssa_core", + "rand 0.8.5", + "risc0-binfmt", + "risc0-build", + "risc0-zkvm", + "serde", + "serde_with", + "sha2", + "test-case", + "test_program_methods", + "thiserror 2.0.18", + "token_core", +] + +[[package]] +name = "nssa_core" +version = "0.1.0" +dependencies = [ + "base58", + "borsh", + "bytemuck", + "bytesize", + "chacha20", + "ml-kem", + "risc0-zkvm", + "serde", + "serde_json", + "serde_with", + "thiserror 2.0.18", +] + +[[package]] +>>>>>>> 8492f995 (ci fixes) name = "nu-ansi-term" version = "0.50.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5" dependencies = [ - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] @@ -7738,7 +7796,11 @@ dependencies = [ "quinn-udp", "rustc-hash", "rustls", +<<<<<<< HEAD "socket2 0.6.4", +======= + "socket2 0.5.10", +>>>>>>> 8492f995 (ci fixes) "thiserror 2.0.18", "tokio", "tracing", @@ -7775,7 +7837,11 @@ dependencies = [ "cfg_aliases", "libc", "once_cell", +<<<<<<< HEAD "socket2 0.6.4", +======= + "socket2 0.5.10", +>>>>>>> 8492f995 (ci fixes) "tracing", "windows-sys 0.60.2", ] @@ -8688,7 +8754,7 @@ dependencies = [ "errno", "libc", "linux-raw-sys", - "windows-sys 0.61.2", + "windows-sys 0.52.0", ] [[package]] @@ -9688,7 +9754,7 @@ dependencies = [ "getrandom 0.4.2", "once_cell", "rustix", - "windows-sys 0.61.2", + "windows-sys 0.52.0", ] [[package]] @@ -11110,7 +11176,7 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22" dependencies = [ - "windows-sys 0.61.2", + "windows-sys 0.52.0", ] [[package]] 
diff --git a/artifacts/program_methods/authenticated_transfer.bin b/artifacts/program_methods/authenticated_transfer.bin
index 20360688..29f68451 100644
Binary files a/artifacts/program_methods/authenticated_transfer.bin and b/artifacts/program_methods/authenticated_transfer.bin differ
diff --git a/artifacts/program_methods/faucet.bin b/artifacts/program_methods/faucet.bin
index 4ad52fb9..95c53175 100644
Binary files a/artifacts/program_methods/faucet.bin and b/artifacts/program_methods/faucet.bin differ
diff --git a/artifacts/program_methods/pinata.bin b/artifacts/program_methods/pinata.bin
index b15aa385..af6c9d67 100644
Binary files a/artifacts/program_methods/pinata.bin and b/artifacts/program_methods/pinata.bin differ
diff --git a/artifacts/program_methods/pinata_token.bin b/artifacts/program_methods/pinata_token.bin
index e28ff793..e7b27854 100644
Binary files a/artifacts/program_methods/pinata_token.bin and b/artifacts/program_methods/pinata_token.bin differ
diff --git a/artifacts/program_methods/privacy_preserving_circuit.bin b/artifacts/program_methods/privacy_preserving_circuit.bin
index f1317ebc..4e643391 100644
Binary files a/artifacts/program_methods/privacy_preserving_circuit.bin and b/artifacts/program_methods/privacy_preserving_circuit.bin differ
diff --git a/artifacts/program_methods/vault.bin b/artifacts/program_methods/vault.bin
index 5cfa89d4..c7fa230c 100644
Binary files a/artifacts/program_methods/vault.bin and b/artifacts/program_methods/vault.bin differ
diff --git a/artifacts/test_program_methods/auth_asserting_noop.bin b/artifacts/test_program_methods/auth_asserting_noop.bin
index 3ead7c7b..fdd38449 100644
Binary files a/artifacts/test_program_methods/auth_asserting_noop.bin and b/artifacts/test_program_methods/auth_asserting_noop.bin differ
diff --git a/artifacts/test_program_methods/auth_transfer_proxy.bin b/artifacts/test_program_methods/auth_transfer_proxy.bin
index 26f4df47..c21da0d8 100644
Binary files a/artifacts/test_program_methods/auth_transfer_proxy.bin and b/artifacts/test_program_methods/auth_transfer_proxy.bin differ
diff --git a/artifacts/test_program_methods/changer_claimer.bin b/artifacts/test_program_methods/changer_claimer.bin
index e2639c45..9f84db84 100644
Binary files a/artifacts/test_program_methods/changer_claimer.bin and b/artifacts/test_program_methods/changer_claimer.bin differ
diff --git a/artifacts/test_program_methods/clock_chain_caller.bin b/artifacts/test_program_methods/clock_chain_caller.bin
index fd0f52ef..cf9afefc 100644
Binary files a/artifacts/test_program_methods/clock_chain_caller.bin and b/artifacts/test_program_methods/clock_chain_caller.bin differ
diff --git a/artifacts/test_program_methods/data_changer.bin b/artifacts/test_program_methods/data_changer.bin
index 31689af4..086d01d6 100644
Binary files a/artifacts/test_program_methods/data_changer.bin and b/artifacts/test_program_methods/data_changer.bin differ
diff --git a/artifacts/test_program_methods/extra_output.bin b/artifacts/test_program_methods/extra_output.bin
index 121a7a29..16651f55 100644
Binary files a/artifacts/test_program_methods/extra_output.bin and b/artifacts/test_program_methods/extra_output.bin differ
diff --git a/artifacts/test_program_methods/faucet_chain_caller.bin b/artifacts/test_program_methods/faucet_chain_caller.bin
index faa150dd..82516111 100644
Binary files a/artifacts/test_program_methods/faucet_chain_caller.bin and b/artifacts/test_program_methods/faucet_chain_caller.bin differ
diff --git a/artifacts/test_program_methods/malicious_caller_program_id.bin b/artifacts/test_program_methods/malicious_caller_program_id.bin
index 2a1358a0..08bf3c36 100644
Binary files a/artifacts/test_program_methods/malicious_caller_program_id.bin and b/artifacts/test_program_methods/malicious_caller_program_id.bin differ
diff --git a/artifacts/test_program_methods/malicious_self_program_id.bin b/artifacts/test_program_methods/malicious_self_program_id.bin
index 91f88c58..5521c1d1 100644
Binary files a/artifacts/test_program_methods/malicious_self_program_id.bin and b/artifacts/test_program_methods/malicious_self_program_id.bin differ
diff --git a/artifacts/test_program_methods/noop.bin b/artifacts/test_program_methods/noop.bin
index 4b59b8b7..91cc98f6 100644
Binary files a/artifacts/test_program_methods/noop.bin and b/artifacts/test_program_methods/noop.bin differ
diff --git a/artifacts/test_program_methods/pda_claimer.bin b/artifacts/test_program_methods/pda_claimer.bin
index 6ac0067d..26e4ffd0 100644
Binary files a/artifacts/test_program_methods/pda_claimer.bin and b/artifacts/test_program_methods/pda_claimer.bin differ
diff --git a/artifacts/test_program_methods/pda_fund_spend_proxy.bin b/artifacts/test_program_methods/pda_fund_spend_proxy.bin
index 03e85c2e..43cf7c5b 100644
Binary files a/artifacts/test_program_methods/pda_fund_spend_proxy.bin and b/artifacts/test_program_methods/pda_fund_spend_proxy.bin differ
diff --git a/artifacts/test_program_methods/private_pda_delegator.bin b/artifacts/test_program_methods/private_pda_delegator.bin
index e3370b50..677ac659 100644
Binary files a/artifacts/test_program_methods/private_pda_delegator.bin and b/artifacts/test_program_methods/private_pda_delegator.bin differ
diff --git a/artifacts/test_program_methods/time_locked_transfer.bin b/artifacts/test_program_methods/time_locked_transfer.bin index 7606f56c..202e4271 100644 Binary files a/artifacts/test_program_methods/time_locked_transfer.bin and b/artifacts/test_program_methods/time_locked_transfer.bin differ diff --git a/artifacts/test_program_methods/two_pda_claimer.bin b/artifacts/test_program_methods/two_pda_claimer.bin index ebc6e2ae..ad02644d 100644 Binary files a/artifacts/test_program_methods/two_pda_claimer.bin and b/artifacts/test_program_methods/two_pda_claimer.bin differ diff --git a/artifacts/test_program_methods/validity_window.bin b/artifacts/test_program_methods/validity_window.bin index d2e203a5..fd810c11 100644 Binary files a/artifacts/test_program_methods/validity_window.bin and b/artifacts/test_program_methods/validity_window.bin differ diff --git a/artifacts/test_program_methods/validity_window_chain_caller.bin b/artifacts/test_program_methods/validity_window_chain_caller.bin index 1958ee4d..63bff3fe 100644 Binary files a/artifacts/test_program_methods/validity_window_chain_caller.bin and b/artifacts/test_program_methods/validity_window_chain_caller.bin differ diff --git a/integration_tests/tests/shared_accounts.rs b/integration_tests/tests/shared_accounts.rs index 6dd9f1fd..5db6e7a9 100644 --- a/integration_tests/tests/shared_accounts.rs +++ b/integration_tests/tests/shared_accounts.rs @@ -107,10 +107,9 @@ async fn group_invite_join_key_agreement() -> Result<()> { .key_chain() .sealing_secret_key() .context("Sealing key not found")?; - let sealing_pk = - key_protocol::key_management::group_key_holder::SealingPublicKey::from_bytes( - nssa_core::encryption::ViewingPublicKey::from_seed(&sealing_sk.d, &sealing_sk.r).0, - ); + let sealing_pk = key_protocol::key_management::group_key_holder::SealingPublicKey::from_bytes( + nssa_core::encryption::ViewingPublicKey::from_seed(&sealing_sk.d, &sealing_sk.r).0, + ); let holder = ctx .wallet() 
diff --git a/lee/state_machine/core/Cargo.toml b/lee/state_machine/core/Cargo.toml index c14d9117..04fd2dc9 100644 --- a/lee/state_machine/core/Cargo.toml +++ b/lee/state_machine/core/Cargo.toml @@ -16,7 +16,6 @@ thiserror.workspace = true bytemuck.workspace = true bytesize.workspace = true base58.workspace = true -k256 = { workspace = true, optional = true } ml-kem = { workspace = true, optional = true, features = ["getrandom"] } chacha20 = { version = "0.10" } @@ -25,4 +24,4 @@ serde_json.workspace = true [features] default = [] -host = ["dep:k256", "dep:ml-kem"] +host = ["dep:ml-kem"] diff --git a/lee/state_machine/core/src/encryption/mod.rs b/lee/state_machine/core/src/encryption/mod.rs index de5e8c1c..b0e8e88a 100644 --- a/lee/state_machine/core/src/encryption/mod.rs +++ b/lee/state_machine/core/src/encryption/mod.rs @@ -156,7 +156,7 @@ mod tests { } /// Verifies the full account-note pipeline: ML-KEM-768 encapsulation/decapsulation - /// feeds the correct shared secret into the SHA-256 KDF and ChaCha20 round-trip. + /// feeds the correct shared secret into the SHA-256 KDF and `ChaCha20` round-trip. #[cfg(feature = "host")] #[test] fn kem_to_chacha20_round_trip() { diff --git a/lee/state_machine/core/src/encryption/shared_key_derivation.rs b/lee/state_machine/core/src/encryption/shared_key_derivation.rs index 72b5d950..c75c7f6f 100644 --- a/lee/state_machine/core/src/encryption/shared_key_derivation.rs +++ b/lee/state_machine/core/src/encryption/shared_key_derivation.rs @@ -10,7 +10,18 @@ use crate::SharedSecretKey; pub struct EphemeralPublicKey(pub Vec); /// ML-KEM-768 encapsulation key bytes (1184 bytes, opaque to this crate). -#[derive(Serialize, Deserialize, Clone, Debug, PartialEq, Eq, PartialOrd, Ord, BorshSerialize, BorshDeserialize)] +#[derive( + Serialize, + Deserialize, + Clone, + Debug, + PartialEq, + Eq, + PartialOrd, + Ord, + BorshSerialize, + BorshDeserialize, +)] pub struct ViewingPublicKey(pub Vec); impl ViewingPublicKey { 
@@ -73,8 +84,8 @@ impl SharedSecretKey { input.extend_from_slice(message_hash); input.extend_from_slice(&output_index.to_le_bytes()); let hash = Impl::hash_bytes(&input); - let m: ml_kem::B32 = ml_kem::array::Array::try_from(hash.as_bytes()) - .expect("SHA-256 output is 32 bytes"); + let m: ml_kem::B32 = + ml_kem::array::Array::try_from(hash.as_bytes()).expect("SHA-256 output is 32 bytes"); let ek_bytes: ml_kem::kem::Key = vpk .0 diff --git a/lez/testnet_initial_state/src/lib.rs b/lez/testnet_initial_state/src/lib.rs index 89b59cf3..83af41b0 100644 --- a/lez/testnet_initial_state/src/lib.rs +++ b/lez/testnet_initial_state/src/lib.rs @@ -2,11 +2,10 @@ use common::PINATA_BASE58; use key_protocol::key_management::{ KeyChain, key_tree::chain_index::ChainIndex, - secret_holders::{PrivateKeyHolder, SecretSpendingKey}, + secret_holders::{PrivateKeyHolder, SecretSpendingKey, ViewingSecretKey}, }; use lee::{Account, AccountId, Data, PrivateKey, PublicKey, V03State}; use lee_core::{NullifierPublicKey, encryption::ViewingPublicKey}; -use key_protocol::key_management::secret_holders::ViewingSecretKey; use serde::{Deserialize, Serialize}; const PRIVATE_KEY_PUB_ACC_A: [u8; 32] = [ @@ -49,8 +48,6 @@ const VSK_PRIV_ACC_B: [u8; 32] = [ 154, 161, 34, 208, 74, 27, 1, 119, 13, 88, 128, ]; - - const NPK_PRIV_ACC_A: [u8; 32] = [ 167, 108, 50, 153, 74, 47, 151, 188, 140, 79, 195, 31, 181, 9, 40, 167, 201, 32, 175, 129, 45, 245, 223, 193, 210, 170, 247, 128, 167, 140, 155, 129, @@ -129,7 +126,10 @@ pub fn initial_priv_accounts_private_keys() -> Vec Vec