@0xio/sdk 2.2.0 → 2.4.0

package/CHANGELOG.md

@@ -2,6 +2,57 @@
 
 All notable changes to the 0xio Wallet SDK will be documented in this file.
 
+## [2.4.0] - 2026-03-24
+
+### Added
+- **Desktop/Mobile DApp Bridge**: SDK now supports running inside iframes (desktop browser) and WebViews (mobile browser). Requests are relayed to the parent frame automatically.
+- **Parent Frame Detection**: `postMessageToExtension()` now posts to both `window` (extension content script) and `window.parent` (iframe bridge) when running inside a frame.
+- **Frame-Aware Message Listener**: `setupMessageListener()` now accepts messages from `window.parent` in addition to same-window, enabling desktop/mobile wallet bridges to communicate with DApps.
+- **walletReady via postMessage**: `startExtensionDetection()` now detects `walletReady` events sent via `postMessage` from parent frames, in addition to DOM events and global signals.
+- **Auto Frame Detection**: When `window.parent !== window`, the SDK assumes a wallet bridge is available and marks the wallet as detected.
+
+### Security
+- Parent frame messages are only accepted from `window.parent`, not arbitrary origins
+- Extension content script messages continue to use strict origin validation
+
+### Compatibility
+- Fully backward compatible — extension-based DApps work unchanged
+- Desktop (0xio Desktop): DApps loaded in BrowserScreen iframe now auto-connect
+- Mobile (0xio App): DApps loaded in WebView browser now auto-connect via existing bridge
+- Mainnet Alpha: Extension v2.0.1+
+- Devnet: Extension v2.2.1+
+
+---
+
+## [2.3.0] - 2026-03-10
+
+### Added
+- **Smart Contract Interaction**: New `callContract()` method for state-changing contract calls. The extension builds, signs, and submits via `octra_submit` — works on both mainnet and devnet.
+- **Contract View Calls**: New `contractCallView()` method for read-only contract queries. No wallet unlock or approval popup required.
+- **Contract Storage**: New `getContractStorage()` method to read contract storage by key directly from the chain.
+- **New Types**: `ContractCallData`, `ContractViewCallData`, and `ContractParams` for type-safe contract interaction.
+- **Devnet Version Constant**: New `MIN_EXTENSION_VERSION_DEVNET` export (`'2.2.1'`) for programmatic devnet compatibility checks.
+
+### Improved
+- **Type Safety**: Replaced `any` with `ContractParams` (`ReadonlyArray<string | number | boolean>`) in `ContractCallData.params` and `ContractViewCallData.params`.
+- **Event Handler Typing**: Three internal event handlers (`handleAccountChanged`, `handleNetworkChanged`, `handleBalanceChanged`) now use properly typed parameters instead of `any`.
+- **Error Consistency**: `getNetworkConfig()` now throws `ZeroXIOWalletError` with `ErrorCode.NETWORK_ERROR` instead of a generic `Error`.
+- **UMD Global Name**: Fixed UMD build global from `OctraWalletSDK` to `ZeroXIOWalletSDK` to match SDK branding.
+
+### Security
+- **Fixed wildcard origin**: `simulateExtensionEvent` now uses `window.location.origin` instead of `'*'` wildcard, preventing cross-origin message injection.
+- **signMessage length limit**: Added 10,000 character max to prevent memory exhaustion from oversized signing requests.
+- **Narrowed dev detection**: Removed overly broad `hostname.includes('dev')` check that would enable debug mode on any domain containing "dev" (e.g., `developer.mozilla.org`). Dev mode now only activates on `localhost`, `127.0.0.1`, or when `NODE_ENV=development`.
+
+### Fixed
+- **Message validation**: Increased `isValidMessage()` limit from 280 to 100,000 characters. The 280-char limit was blocking contract call parameters which are serialized JSON and can be large.
+
+### Compatibility
+- **Mainnet Alpha**: Requires 0xio Wallet Extension v2.0.1 or higher
+- **Devnet**: Requires 0xio Wallet Extension v2.2.1 or higher (contract calls, privacy features)
+
+---
+
 ## [2.2.0] - 2026-03-08
 
 ### Added
@@ -18,7 +69,7 @@ All notable changes to the 0xio Wallet SDK will be documented in this file.
 
 | Network | RPC | Explorer | Privacy | Testnet |
 |---------|-----|----------|---------|---------|
-| Mainnet Alpha | `https://octra.network` | `https://octrascan.io` | No | No |
+| Mainnet | `http://46.101.86.250:8080` | `https://lite.octrascan.io` | Yes | No |
 | Devnet | `http://165.227.225.79:8080` | `https://devnet.octrascan.io` | Yes | Yes |
 | Custom | User-defined | User-defined | No | No |
 

package/README.md

@@ -1,15 +1,16 @@
 # 0xio Wallet SDK
 
-**Version:** 2.2.0
+**Version:** 2.4.0
 
 Official TypeScript SDK for integrating DApps with 0xio Wallet on Octra Network.
 
-## What's New in v2.2.0
+## What's New in v2.4.0
 
-- **Devnet Support**: Built-in Octra Devnet network configuration — DApps can now target devnet out of the box
-- **Expanded `NetworkInfo`**: New fields `explorerAddressUrl`, `indexerUrl`, and `supportsPrivacy` for richer network metadata
-- **Privacy Detection**: `supportsPrivacy` flag lets DApps check if a network supports FHE/encrypted balances
-- **Explorer URL Fix**: Mainnet explorer URLs now include trailing `/` for correct link generation
+- **Desktop/Mobile DApp Bridge**: SDK now supports running inside iframes (0xio Desktop) and WebViews (0xio App). Requests are relayed to the parent frame automatically.
+- **Auto Frame Detection**: When `window.parent !== window`, the SDK assumes a wallet bridge is available and marks the wallet as detected.
+- **Frame-Aware Messaging**: `postMessageToExtension()` posts to both `window` and `window.parent` when running inside a frame; `setupMessageListener()` accepts messages from `window.parent`.
+- **walletReady via postMessage**: Extension detection now recognizes `walletReady` events from parent frames.
+- **Fully backward compatible** — extension-based DApps work unchanged with no code changes needed.
 
 ## Installation
 
@@ -103,6 +104,42 @@ interface TransactionResult {
 }
 ```
 
+### Smart Contracts
+
+#### `wallet.callContract(data: ContractCallData): Promise<TransactionResult>`
+Execute a state-changing contract call. The extension signs and submits via `octra_submit`.
+
+```typescript
+const result = await wallet.callContract({
+  contract: 'oct26Lia...',  // Contract address
+  method: 'swap',           // AML method name
+  params: [100, true, 90],  // Method arguments (flat, not array-wrapped)
+  amount: '0',              // Native OCT to send (optional, default '0')
+  ou: '10000',              // Operational units (optional, default '10000')
+});
+console.log('TX Hash:', result.txHash);
+```
+
+#### `wallet.contractCallView(data: ContractViewCallData): Promise<any>`
+Read-only contract query. No signing, no approval popup, no wallet unlock required.
+
+```typescript
+const price = await wallet.contractCallView({
+  contract: 'oct26Lia...',
+  method: 'get_active_price',
+  params: [],
+});
+console.log('Price:', price);
+```
+
+#### `wallet.getContractStorage(contract: string, key: string): Promise<string | null>`
+Read contract storage by key.
+
+```typescript
+const value = await wallet.getContractStorage('oct26Lia...', 'total_supply');
+console.log('Total supply:', value);
+```
+
 ### Message Signing
 
 #### `wallet.signMessage(message: string): Promise<string>`
@@ -184,8 +221,8 @@ console.log(devnet.isTestnet);        // true
 
 // Get mainnet config
 const mainnet = getNetworkConfig('mainnet');
-console.log(mainnet.rpcUrl);          // https://octra.network
-console.log(mainnet.supportsPrivacy); // false
+console.log(mainnet.rpcUrl);          // http://46.101.86.250:8080
+console.log(mainnet.supportsPrivacy); // true
 ```
 
 | Network | Privacy (FHE) | Explorer |
@@ -209,9 +246,22 @@ interface NetworkInfo {
 }
 ```
 
+## Desktop & Mobile Support
+
+The SDK automatically detects when your DApp is running inside:
+
+- **0xio Desktop's built-in browser** — Your DApp is loaded in an iframe. The SDK detects `window.parent !== window` and relays all requests to the desktop wallet via the iframe bridge.
+- **0xio App's built-in browser** — Your DApp is loaded in a WebView. The SDK communicates with the mobile wallet via the existing WebView bridge.
+- **0xio Wallet Extension** — Standard browser extension communication (unchanged).
+
+No code changes are needed for DApp developers. Just use the SDK as normal and it will auto-detect the environment and choose the correct transport.
+
 ## Requirements
 
-- 0xio Wallet Extension v2.0.1 or higher
+- 0xio Wallet Extension v2.0.1 or higher (Mainnet Alpha)
+- 0xio Wallet Extension v2.2.1 or higher (Devnet — required for contract calls and privacy features)
+- 0xio Desktop v1.0+ (for iframe bridge support)
+- 0xio App v1.0+ (for WebView bridge support)
 - Modern browser (Chrome, Firefox, Edge, Brave)
 
 ## Documentation

package/dist/index.d.ts

@@ -30,6 +30,30 @@ interface TransactionData {
     readonly feeLevel?: 1 | 3;
     readonly isPrivate?: boolean;
 }
+/** Flat array of AML-compatible primitive values for contract method arguments. */
+type ContractParams = ReadonlyArray<string | number | boolean>;
+interface ContractCallData {
+    /** Contract address (oct-prefixed, 47 chars) */
+    readonly contract: string;
+    /** Contract method name (e.g. 'swap', 'approve') */
+    readonly method: string;
+    /** Method arguments — flat primitives, NOT array-wrapped: `[amount, flag]` not `[[amount, flag]]` */
+    readonly params: ContractParams;
+    /** Native OCT to send with call (human-readable for sendTransaction, micro-units for callContract) */
+    readonly amount?: string | number;
+    /** Operation units / gas limit (default: 10000) */
+    readonly ou?: string | number;
+}
+interface ContractViewCallData {
+    /** Contract address (oct-prefixed, 47 chars) */
+    readonly contract: string;
+    /** Contract method name (e.g. 'balance_of', 'get_active_bin') */
+    readonly method: string;
+    /** Method arguments — flat primitives, NOT array-wrapped */
+    readonly params: ContractParams;
+    /** Caller address for view context (defaults to connected wallet) */
+    readonly caller?: string;
+}
 interface SignedTransaction {
     readonly from: string;
     readonly to_: string;
@@ -292,6 +316,20 @@ declare class ZeroXIOWallet extends EventEmitter {
      * Send transaction
      */
     sendTransaction(txData: TransactionData): Promise<TransactionResult>;
+    /**
+     * Call a smart contract method (state-changing).
+     * The extension builds, signs, and submits the transaction via octra_submit.
+     */
+    callContract(callData: ContractCallData): Promise<TransactionResult>;
+    /**
+     * Read-only contract view call (no signing, no approval popup).
+     * Use this to query contract state without submitting a transaction.
+     */
+    contractCallView(viewData: ContractViewCallData): Promise<any>;
+    /**
+     * Read contract storage by key.
+     */
+    getContractStorage(contract: string, key: string): Promise<string | null>;
     /**
      * Get transaction history
      */
@@ -585,7 +623,7 @@ declare function createDefaultBalance(total?: number): Balance;
  * SDK Configuration constants
  */
 declare const SDK_CONFIG: {
-    readonly version: "2.2.0";
+    readonly version: "2.3.0";
     readonly defaultNetworkId: "mainnet";
     readonly communicationTimeout: 30000;
     readonly retryAttempts: 3;
@@ -712,8 +750,9 @@ declare function createLogger(prefix: string, debug: boolean): {
     groupEnd: () => void;
 };
 
-declare const SDK_VERSION = "2.2.0";
+declare const SDK_VERSION = "2.3.0";
 declare const MIN_EXTENSION_VERSION = "2.0.1";
+declare const MIN_EXTENSION_VERSION_DEVNET = "2.2.1";
 declare const SUPPORTED_EXTENSION_VERSIONS = "^2.0.1";
 declare function createZeroXIOWallet(config: {
     appName: string;
@@ -728,5 +767,5 @@ declare function checkSDKCompatibility(): {
     recommendations: string[];
 };
 
-export { DEFAULT_NETWORK_ID, ErrorCode, EventEmitter, ExtensionCommunicator, MIN_EXTENSION_VERSION, NETWORKS, SDK_CONFIG, SDK_VERSION, SUPPORTED_EXTENSION_VERSIONS, ZeroXIOWallet, ZeroXIOWalletError, checkBrowserSupport, checkSDKCompatibility, createDefaultBalance, createErrorMessage, createLogger, createOctraWallet, createZeroXIOWallet, delay, formatAddress, formatOCT, formatTimestamp, formatTxHash, formatOCT as formatZeroXIO, fromMicroOCT, fromMicroOCT as fromMicroZeroXIO, generateMockData, getAllNetworks, getDefaultNetwork, getNetworkConfig, isBrowser, isErrorType, isValidAddress, isValidAmount, isValidFeeLevel, isValidMessage, isValidNetworkId, retry, toMicroOCT, toMicroOCT as toMicroZeroXIO, withTimeout };
-export type { AccountChangedEvent, Balance, BalanceChangedEvent, ConnectEvent, ConnectOptions, ConnectionInfo, DisconnectEvent, ErrorEvent, ExtensionRequest, ExtensionResponse, NetworkChangedEvent, NetworkInfo, PendingPrivateTransfer, Permission, PrivateBalanceInfo, PrivateTransferData, SDKConfig, SignedTransaction, Transaction, TransactionConfirmedEvent, TransactionData, TransactionFinality, TransactionHistory, TransactionResult, WalletAddress, WalletEvent, WalletEventType };
+export { DEFAULT_NETWORK_ID, ErrorCode, EventEmitter, ExtensionCommunicator, MIN_EXTENSION_VERSION, MIN_EXTENSION_VERSION_DEVNET, NETWORKS, SDK_CONFIG, SDK_VERSION, SUPPORTED_EXTENSION_VERSIONS, ZeroXIOWallet, ZeroXIOWalletError, checkBrowserSupport, checkSDKCompatibility, createDefaultBalance, createErrorMessage, createLogger, createOctraWallet, createZeroXIOWallet, delay, formatAddress, formatOCT, formatTimestamp, formatTxHash, formatOCT as formatZeroXIO, fromMicroOCT, fromMicroOCT as fromMicroZeroXIO, generateMockData, getAllNetworks, getDefaultNetwork, getNetworkConfig, isBrowser, isErrorType, isValidAddress, isValidAmount, isValidFeeLevel, isValidMessage, isValidNetworkId, retry, toMicroOCT, toMicroOCT as toMicroZeroXIO, withTimeout };
+export type { AccountChangedEvent, Balance, BalanceChangedEvent, ConnectEvent, ConnectOptions, ConnectionInfo, ContractCallData, ContractParams, ContractViewCallData, DisconnectEvent, ErrorEvent, ExtensionRequest, ExtensionResponse, NetworkChangedEvent, NetworkInfo, PendingPrivateTransfer, Permission, PrivateBalanceInfo, PrivateTransferData, SDKConfig, SignedTransaction, Transaction, TransactionConfirmedEvent, TransactionData, TransactionFinality, TransactionHistory, TransactionResult, WalletAddress, WalletEvent, WalletEventType };

package/dist/index.esm.js

@@ -184,8 +184,8 @@ function isValidMessage(message) {
     if (typeof message !== 'string') {
         return false;
     }
-    // Check length (adjust based on network limits)
-    return message.length <= 280;
+    // 100KB limit — contract call params can be large (serialized JSON)
+    return message.length <= 100000;
 }
 /**
  * Validate fee level
@@ -394,12 +394,12 @@ function generateMockData() {
         },
         networkInfo: {
             id: 'mainnet',
-            name: 'Octra Mainnet Alpha',
-            rpcUrl: 'https://octra.network',
-            explorerUrl: 'https://octrascan.io/transactions/',
-            explorerAddressUrl: 'https://octrascan.io/addresses/',
-            indexerUrl: 'https://network.octrascan.com',
-            supportsPrivacy: false,
+            name: 'Octra Mainnet',
+            rpcUrl: 'http://46.101.86.250:8080',
+            explorerUrl: 'https://lite.octrascan.io/tx.html?hash=',
+            explorerAddressUrl: 'https://lite.octrascan.io/address.html?addr=',
+            indexerUrl: 'https://lite.octrascan.io',
+            supportsPrivacy: true,
             color: '#f59e0b',
             isTestnet: false
         }
@@ -411,41 +411,44 @@ function generateMockData() {
 function createLogger(prefix, debug) {
     const isDevelopment = typeof window !== 'undefined' && (window.location.hostname === 'localhost' ||
         window.location.hostname === '127.0.0.1' ||
-        window.location.hostname.includes('dev') ||
         window.__OCTRA_SDK_DEBUG__);
     // Only enable logging in development mode AND when debug is explicitly enabled
     const shouldLog = debug && isDevelopment;
+    const ts = () => {
+        const d = new Date();
+        return `${d.toTimeString().slice(0, 8)}.${String(d.getMilliseconds()).padStart(3, '0')}`;
+    };
     return {
         log: (...args) => {
             if (shouldLog) {
-                console.log(`[${prefix}]`, ...args);
+                console.log(`[${ts()}][${prefix}]`, ...args);
             }
         },
         warn: (...args) => {
             if (shouldLog) {
-                console.warn(`[${prefix}]`, ...args);
+                console.warn(`[${ts()}][${prefix}]`, ...args);
             }
         },
         error: (...args) => {
             // Always show errors in development, even without debug flag
             if (isDevelopment) {
-                console.error(`[${prefix}]`, ...args);
+                console.error(`[${ts()}][${prefix}]`, ...args);
             }
         },
         debug: (...args) => {
             if (shouldLog) {
-                console.debug(`[${prefix}]`, ...args);
+                console.debug(`[${ts()}][${prefix}]`, ...args);
             }
         },
         table: (data) => {
             if (shouldLog) {
-                console.log(`[${prefix}] Table data:`);
+                console.log(`[${ts()}][${prefix}] Table data:`);
                 console.table(data);
             }
         },
         group: (label) => {
             if (shouldLog) {
-                console.group(`[${prefix}] ${label}`);
+                console.group(`[${ts()}][${prefix}] ${label}`);
             }
         },
         groupEnd: () => {
@@ -647,13 +650,14 @@ class ExtensionCommunicator extends EventEmitter {
         }
         const allowedOrigin = window.location.origin;
         window.addEventListener('message', (event) => {
-            // ✅ SECURITY: Validate origin first - critical security check
-            if (event.origin !== allowedOrigin) {
-                this.logger.warn('Blocked message from untrusted origin:', event.origin);
+            // Accept messages from same origin OR from parent frame (desktop/mobile bridge)
+            const isFromSameOrigin = event.origin === allowedOrigin;
+            const isFromParent = event.source === window.parent && window.parent !== window;
+            if (!isFromSameOrigin && !isFromParent) {
                 return;
             }
-            // Only accept messages from same window
-            if (event.source !== window) {
+            // Accept from same window or parent frame
+            if (event.source !== window && event.source !== window.parent) {
                 return;
             }
             // Check if it's a 0xio SDK response
@@ -725,12 +729,13 @@ class ExtensionCommunicator extends EventEmitter {
      * Post message to extension via content script
      */
     postMessageToExtension(request) {
-        // ✅ SECURITY: Use specific origin instead of wildcard
-        const targetOrigin = window.location.origin;
-        window.postMessage({
-            source: '0xio-sdk-request',
-            request
-        }, targetOrigin);
+        const msg = { source: '0xio-sdk-request', request };
+        // Post to same window (extension content script picks it up)
+        window.postMessage(msg, window.location.origin);
+        // Also post to parent frame if in an iframe (desktop/mobile bridge picks it up)
+        if (window.parent !== window) {
+            window.parent.postMessage(msg, '*');
+        }
     }
     /**
      * Check if we're in a context that can communicate with extension
@@ -825,6 +830,18 @@ class ExtensionCommunicator extends EventEmitter {
             this.logger.log('Received octraWalletReady event');
             this.isExtensionAvailableState = true;
         });
+        // Listen for desktop/mobile bridge walletReady via postMessage
+        window.addEventListener('message', (event) => {
+            if (event.data?.source === '0xio-sdk-bridge' && event.data?.event?.type === 'walletReady') {
+                this.logger.log('Received walletReady via postMessage (desktop/mobile bridge)');
+                this.isExtensionAvailableState = true;
+            }
+        });
+        // Also detect if running inside a frame with a wallet bridge parent
+        if (window.parent !== window) {
+            this.logger.log('Running inside a frame — checking for parent wallet bridge');
+            this.isExtensionAvailableState = true;
+        }
         // Initial check (in case extension was already injected)
         this.checkExtensionAvailability();
         // Set up periodic checks as fallback
@@ -984,12 +1001,12 @@ class ExtensionCommunicator extends EventEmitter {
 const NETWORKS = {
     'mainnet': {
         id: 'mainnet',
-        name: 'Octra Mainnet Alpha',
-        rpcUrl: 'https://octra.network',
-        explorerUrl: 'https://octrascan.io/transactions/',
-        explorerAddressUrl: 'https://octrascan.io/addresses/',
-        indexerUrl: 'https://network.octrascan.com',
-        supportsPrivacy: false,
+        name: 'Octra Mainnet',
+        rpcUrl: 'http://46.101.86.250:8080',
+        explorerUrl: 'https://lite.octrascan.io/tx.html?hash=',
+        explorerAddressUrl: 'https://lite.octrascan.io/address.html?addr=',
+        indexerUrl: 'https://lite.octrascan.io',
+        supportsPrivacy: true,
         color: '#f59e0b',
         isTestnet: false
     },
@@ -1023,7 +1040,7 @@ const DEFAULT_NETWORK_ID = 'mainnet';
 function getNetworkConfig(networkId = DEFAULT_NETWORK_ID) {
     const network = NETWORKS[networkId];
     if (!network) {
-        throw new Error(`Unknown network ID: ${networkId}`);
+        throw new ZeroXIOWalletError(ErrorCode.NETWORK_ERROR, `Unknown network ID: ${networkId}`);
     }
     return network;
 }
@@ -1052,7 +1069,7 @@ function createDefaultBalance(total = 0) {
  * SDK Configuration constants
  */
 const SDK_CONFIG = {
-    version: '2.2.0',
+    version: '2.3.0',
     defaultNetworkId: DEFAULT_NETWORK_ID,
     communicationTimeout: 30000, // 30 seconds
     retryAttempts: 3,
@@ -1360,6 +1377,78 @@ class ZeroXIOWallet extends EventEmitter {
             throw new ZeroXIOWalletError(ErrorCode.TRANSACTION_FAILED, 'Failed to send transaction', error);
         }
     }
+    /**
+     * Call a smart contract method (state-changing).
+     * The extension builds, signs, and submits the transaction via octra_submit.
+     */
+    async callContract(callData) {
+        this.ensureConnected();
+        try {
+            this.logger.log('Calling contract:', callData);
+            const result = await this.communicator.sendRequest('call_contract', {
+                contract: callData.contract,
+                method: callData.method,
+                params: callData.params,
+                amount: callData.amount != null ? String(callData.amount) : '0',
+                ou: callData.ou != null ? String(callData.ou) : '10000',
+            });
+            this.logger.log('Contract call result:', result);
+            return result;
+        }
+        catch (error) {
+            this.logger.error('Contract call failed:', error);
+            if (error instanceof ZeroXIOWalletError) {
+                throw error;
+            }
+            throw new ZeroXIOWalletError(ErrorCode.TRANSACTION_FAILED, 'Failed to call contract', error);
+        }
+    }
+    /**
+     * Read-only contract view call (no signing, no approval popup).
+     * Use this to query contract state without submitting a transaction.
+     */
+    async contractCallView(viewData) {
+        this.ensureInitialized();
+        try {
+            this.logger.log('Contract view call:', viewData);
+            const result = await this.communicator.sendRequest('contract_call_view', {
+                contract: viewData.contract,
+                method: viewData.method,
+                params: viewData.params,
+                caller: viewData.caller || this.getAddress() || '',
+            });
+            this.logger.log('Contract view result:', result);
+            return result;
+        }
+        catch (error) {
+            this.logger.error('Contract view call failed:', error);
+            if (error instanceof ZeroXIOWalletError) {
+                throw error;
+            }
+            throw new ZeroXIOWalletError(ErrorCode.NETWORK_ERROR, 'Failed to call contract view', error);
+        }
+    }
+    /**
+     * Read contract storage by key.
+     */
+    async getContractStorage(contract, key) {
+        this.ensureInitialized();
+        try {
+            this.logger.log('Getting contract storage:', { contract, key });
+            const result = await this.communicator.sendRequest('get_contract_storage', {
+                contract,
+                key,
+            });
+            return result;
+        }
+        catch (error) {
+            this.logger.error('Get contract storage failed:', error);
+            if (error instanceof ZeroXIOWalletError) {
+                throw error;
+            }
+            throw new ZeroXIOWalletError(ErrorCode.NETWORK_ERROR, 'Failed to get contract storage', error);
+        }
+    }
     /**
      * Get transaction history
      */
@@ -1500,6 +1589,9 @@ class ZeroXIOWallet extends EventEmitter {
         if (!message || typeof message !== 'string') {
             throw new ZeroXIOWalletError(ErrorCode.SIGNATURE_FAILED, 'Message must be a non-empty string');
         }
+        if (message.length > 10000) {
+            throw new ZeroXIOWalletError(ErrorCode.SIGNATURE_FAILED, 'Message too long (max 10,000 characters)');
+        }
         try {
             this.logger.log('Requesting message signature for:', message.substring(0, 100) + (message.length > 100 ? '...' : ''));
             const result = await this.communicator.sendRequest('signMessage', { message });
@@ -1564,7 +1656,7 @@ class ZeroXIOWallet extends EventEmitter {
         const accountChangedEvent = {
             previousAddress,
             newAddress: data.address,
-            balance: data.balance
+            balance: data.balance ?? this.connectionInfo.balance
         };
         this.emit('accountChanged', accountChangedEvent);
         this.logger.log('Account changed:', accountChangedEvent);
@@ -1678,8 +1770,9 @@ var wallet = /*#__PURE__*/Object.freeze({
  */
 // Main exports
 // Version information
-const SDK_VERSION = '2.2.0';
-const MIN_EXTENSION_VERSION = '2.0.1';
+const SDK_VERSION = '2.3.0';
+const MIN_EXTENSION_VERSION = '2.0.1'; // Mainnet Alpha
+const MIN_EXTENSION_VERSION_DEVNET = '2.2.1'; // Devnet (contract calls, privacy)
 const SUPPORTED_EXTENSION_VERSIONS = '^2.0.1'; // Supports all versions >= 2.0.1
 // Quick setup function for simple use cases
 async function createZeroXIOWallet(config) {
@@ -1733,8 +1826,7 @@ if (typeof window !== 'undefined') {
     window.__ZEROXIO_SDK_VERSION__ = SDK_VERSION;
     // Development mode detection
     const isDevelopment = window.location.hostname === 'localhost' ||
-        window.location.hostname === '127.0.0.1' ||
-        window.location.hostname.includes('dev');
+        window.location.hostname === '127.0.0.1';
     if (isDevelopment) {
         // Set debug flag but don't automatically log
         window.__OCTRA_SDK_DEBUG__ = true;
@@ -1762,7 +1854,7 @@ if (typeof window !== 'undefined') {
                 window.postMessage({
                     source: '0xio-sdk-bridge',
                     event: { type: eventType, data }
-                }, '*');
+                }, window.location.origin);
                 console.log('[0xio SDK] Simulated extension event:', eventType, data);
             },
             showWelcome: () => {
@@ -1779,5 +1871,5 @@ if (typeof window !== 'undefined') {
     }
 }
 
-export { DEFAULT_NETWORK_ID, ErrorCode, EventEmitter, ExtensionCommunicator, MIN_EXTENSION_VERSION, NETWORKS, SDK_CONFIG, SDK_VERSION, SUPPORTED_EXTENSION_VERSIONS, ZeroXIOWallet, ZeroXIOWalletError, checkBrowserSupport, checkSDKCompatibility, createDefaultBalance, createErrorMessage, createLogger, createOctraWallet, createZeroXIOWallet, delay, formatAddress, formatOCT, formatTimestamp, formatTxHash, formatOCT as formatZeroXIO, fromMicroOCT, fromMicroOCT as fromMicroZeroXIO, generateMockData, getAllNetworks, getDefaultNetwork, getNetworkConfig, isBrowser, isErrorType, isValidAddress, isValidAmount, isValidFeeLevel, isValidMessage, isValidNetworkId, retry, toMicroOCT, toMicroOCT as toMicroZeroXIO, withTimeout };
+export { DEFAULT_NETWORK_ID, ErrorCode, EventEmitter, ExtensionCommunicator, MIN_EXTENSION_VERSION, MIN_EXTENSION_VERSION_DEVNET, NETWORKS, SDK_CONFIG, SDK_VERSION, SUPPORTED_EXTENSION_VERSIONS, ZeroXIOWallet, ZeroXIOWalletError, checkBrowserSupport, checkSDKCompatibility, createDefaultBalance, createErrorMessage, createLogger, createOctraWallet, createZeroXIOWallet, delay, formatAddress, formatOCT, formatTimestamp, formatTxHash, formatOCT as formatZeroXIO, fromMicroOCT, fromMicroOCT as fromMicroZeroXIO, generateMockData, getAllNetworks, getDefaultNetwork, getNetworkConfig, isBrowser, isErrorType, isValidAddress, isValidAmount, isValidFeeLevel, isValidMessage, isValidNetworkId, retry, toMicroOCT, toMicroOCT as toMicroZeroXIO, withTimeout };
 //# sourceMappingURL=index.esm.js.map