@bsv/wallet-toolbox 1.1.23 → 1.1.25

package/docs/wallet.md

@@ -13,57 +13,60 @@ Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](
 
 | | | |
 | --- | --- | --- |
-| [ArcConfig](#interface-arcconfig) | [PostBeefResultForTxidApi](#interface-postbeefresultfortxidapi) | [TableProvenTx](#interface-tableproventx) |
-| [ArcMinerGetTxData](#interface-arcminergettxdata) | [PostReqsToNetworkDetails](#interface-postreqstonetworkdetails) | [TableProvenTxReq](#interface-tableproventxreq) |
-| [AuthId](#interface-authid) | [PostReqsToNetworkResult](#interface-postreqstonetworkresult) | [TableProvenTxReqDynamics](#interface-tableproventxreqdynamics) |
-| [BaseBlockHeader](#interface-baseblockheader) | [PostTxResultForTxid](#interface-posttxresultfortxid) | [TableSettings](#interface-tablesettings) |
-| [BlockHeader](#interface-blockheader) | [PostTxResultForTxidError](#interface-posttxresultfortxiderror) | [TableSyncState](#interface-tablesyncstate) |
-| [BsvExchangeRate](#interface-bsvexchangerate) | [PostTxsResult](#interface-posttxsresult) | [TableTransaction](#interface-tabletransaction) |
-| [CertOpsWallet](#interface-certopswallet) | [ProcessSyncChunkResult](#interface-processsyncchunkresult) | [TableTxLabel](#interface-tabletxlabel) |
-| [CommitNewTxResults](#interface-commitnewtxresults) | [ProvenOrRawTx](#interface-provenorrawtx) | [TableTxLabelMap](#interface-tabletxlabelmap) |
-| [EntitySyncMap](#interface-entitysyncmap) | [ProvenTxFromTxidResult](#interface-proventxfromtxidresult) | [TableUser](#interface-tableuser) |
-| [EntityTimeStamp](#interface-entitytimestamp) | [ProvenTxReqHistory](#interface-proventxreqhistory) | [TaskPurgeParams](#interface-taskpurgeparams) |
-| [ExchangeRatesIoApi](#interface-exchangeratesioapi) | [ProvenTxReqHistorySummaryApi](#interface-proventxreqhistorysummaryapi) | [TrxToken](#interface-trxtoken) |
-| [FiatExchangeRates](#interface-fiatexchangerates) | [ProvenTxReqNotify](#interface-proventxreqnotify) | [TscMerkleProofApi](#interface-tscmerkleproofapi) |
-| [FindCertificateFieldsArgs](#interface-findcertificatefieldsargs) | [PurgeParams](#interface-purgeparams) | [TxScriptOffsets](#interface-txscriptoffsets) |
-| [FindCertificatesArgs](#interface-findcertificatesargs) | [PurgeResults](#interface-purgeresults) | [UpdateProvenTxReqWithNewProvenTxArgs](#interface-updateproventxreqwithnewproventxargs) |
-| [FindCommissionsArgs](#interface-findcommissionsargs) | [RequestSyncChunkArgs](#interface-requestsyncchunkargs) | [UpdateProvenTxReqWithNewProvenTxResult](#interface-updateproventxreqwithnewproventxresult) |
-| [FindForUserSincePagedArgs](#interface-findforusersincepagedargs) | [ScriptTemplateParamsBRC29](#interface-scripttemplateparamsbrc29) | [ValidAbortActionArgs](#interface-validabortactionargs) |
-| [FindMonitorEventsArgs](#interface-findmonitoreventsargs) | [ScriptTemplateUnlock](#interface-scripttemplateunlock) | [ValidAcquireCertificateArgs](#interface-validacquirecertificateargs) |
-| [FindOutputBasketsArgs](#interface-findoutputbasketsargs) | [SetupEnv](#interface-setupenv) | [ValidAcquireDirectCertificateArgs](#interface-validacquiredirectcertificateargs) |
-| [FindOutputTagMapsArgs](#interface-findoutputtagmapsargs) | [SetupWallet](#interface-setupwallet) | [ValidAcquireIssuanceCertificateArgs](#interface-validacquireissuancecertificateargs) |
-| [FindOutputTagsArgs](#interface-findoutputtagsargs) | [SetupWalletArgs](#interface-setupwalletargs) | [ValidBasketInsertion](#interface-validbasketinsertion) |
-| [FindOutputsArgs](#interface-findoutputsargs) | [SetupWalletClient](#interface-setupwalletclient) | [ValidCreateActionArgs](#interface-validcreateactionargs) |
-| [FindPartialSincePagedArgs](#interface-findpartialsincepagedargs) | [SetupWalletClientArgs](#interface-setupwalletclientargs) | [ValidCreateActionInput](#interface-validcreateactioninput) |
-| [FindProvenTxReqsArgs](#interface-findproventxreqsargs) | [StorageCreateActionResult](#interface-storagecreateactionresult) | [ValidCreateActionOptions](#interface-validcreateactionoptions) |
-| [FindProvenTxsArgs](#interface-findproventxsargs) | [StorageCreateTransactionSdkInput](#interface-storagecreatetransactionsdkinput) | [ValidCreateActionOutput](#interface-validcreateactionoutput) |
-| [FindSincePagedArgs](#interface-findsincepagedargs) | [StorageCreateTransactionSdkOutput](#interface-storagecreatetransactionsdkoutput) | [ValidDiscoverByAttributesArgs](#interface-validdiscoverbyattributesargs) |
-| [FindSyncStatesArgs](#interface-findsyncstatesargs) | [StorageFeeModel](#interface-storagefeemodel) | [ValidDiscoverByIdentityKeyArgs](#interface-validdiscoverbyidentitykeyargs) |
-| [FindTransactionsArgs](#interface-findtransactionsargs) | [StorageGetBeefOptions](#interface-storagegetbeefoptions) | [ValidInternalizeActionArgs](#interface-validinternalizeactionargs) |
-| [FindTxLabelMapsArgs](#interface-findtxlabelmapsargs) | [StorageIdentity](#interface-storageidentity) | [ValidInternalizeOutput](#interface-validinternalizeoutput) |
-| [FindTxLabelsArgs](#interface-findtxlabelsargs) | [StorageInternalizeActionResult](#interface-storageinternalizeactionresult) | [ValidListActionsArgs](#interface-validlistactionsargs) |
-| [FindUsersArgs](#interface-findusersargs) | [StorageProcessActionArgs](#interface-storageprocessactionargs) | [ValidListCertificatesArgs](#interface-validlistcertificatesargs) |
-| [GenerateChangeSdkChangeInput](#interface-generatechangesdkchangeinput) | [StorageProcessActionResults](#interface-storageprocessactionresults) | [ValidListOutputsArgs](#interface-validlistoutputsargs) |
-| [GenerateChangeSdkChangeOutput](#interface-generatechangesdkchangeoutput) | [StorageProvenOrReq](#interface-storageprovenorreq) | [ValidProcessActionArgs](#interface-validprocessactionargs) |
-| [GenerateChangeSdkInput](#interface-generatechangesdkinput) | [StorageProviderOptions](#interface-storageprovideroptions) | [ValidProcessActionOptions](#interface-validprocessactionoptions) |
-| [GenerateChangeSdkOutput](#interface-generatechangesdkoutput) | [StorageReaderOptions](#interface-storagereaderoptions) | [ValidProveCertificateArgs](#interface-validprovecertificateargs) |
-| [GenerateChangeSdkParams](#interface-generatechangesdkparams) | [StorageReaderWriterOptions](#interface-storagereaderwriteroptions) | [ValidRelinquishCertificateArgs](#interface-validrelinquishcertificateargs) |
-| [GenerateChangeSdkResult](#interface-generatechangesdkresult) | [StorageSyncReader](#interface-storagesyncreader) | [ValidRelinquishOutputArgs](#interface-validrelinquishoutputargs) |
-| [GenerateChangeSdkStorageChange](#interface-generatechangesdkstoragechange) | [StorageSyncReaderOptions](#interface-storagesyncreaderoptions) | [ValidSignActionArgs](#interface-validsignactionargs) |
-| [GetMerklePathResult](#interface-getmerklepathresult) | [StorageSyncReaderWriter](#interface-storagesyncreaderwriter) | [ValidSignActionOptions](#interface-validsignactionoptions) |
-| [GetRawTxResult](#interface-getrawtxresult) | [SyncChunk](#interface-syncchunk) | [ValidWalletPayment](#interface-validwalletpayment) |
-| [GetReqsAndBeefDetail](#interface-getreqsandbeefdetail) | [SyncError](#interface-syncerror) | [ValidWalletSignerArgs](#interface-validwalletsignerargs) |
-| [GetReqsAndBeefResult](#interface-getreqsandbeefresult) | [SyncMap](#interface-syncmap) | [ValidateGenerateChangeSdkParamsResult](#interface-validategeneratechangesdkparamsresult) |
-| [GetUtxoStatusDetails](#interface-getutxostatusdetails) | [TableCertificate](#interface-tablecertificate) | [WalletArgs](#interface-walletargs) |
-| [GetUtxoStatusResult](#interface-getutxostatusresult) | [TableCertificateField](#interface-tablecertificatefield) | [WalletServices](#interface-walletservices) |
-| [KeyPair](#interface-keypair) | [TableCertificateX](#interface-tablecertificatex) | [WalletServicesOptions](#interface-walletservicesoptions) |
-| [KeyPairAddress](#interface-keypairaddress) | [TableCommission](#interface-tablecommission) | [WalletSigner](#interface-walletsigner) |
-| [MonitorOptions](#interface-monitoroptions) | [TableMonitorEvent](#interface-tablemonitorevent) | [WalletStorage](#interface-walletstorage) |
-| [OutPoint](#interface-outpoint) | [TableOutput](#interface-tableoutput) | [WalletStorageProvider](#interface-walletstorageprovider) |
-| [Paged](#interface-paged) | [TableOutputBasket](#interface-tableoutputbasket) | [WalletStorageReader](#interface-walletstoragereader) |
-| [PendingSignAction](#interface-pendingsignaction) | [TableOutputTag](#interface-tableoutputtag) | [WalletStorageSync](#interface-walletstoragesync) |
-| [PendingStorageInput](#interface-pendingstorageinput) | [TableOutputTagMap](#interface-tableoutputtagmap) | [WalletStorageWriter](#interface-walletstoragewriter) |
-| [PostBeefResult](#interface-postbeefresult) | [TableOutputX](#interface-tableoutputx) | [XValidCreateActionOutput](#interface-xvalidcreateactionoutput) |
+| [ArcConfig](#interface-arcconfig) | [PermissionToken](#interface-permissiontoken) | [TableSyncState](#interface-tablesyncstate) |
+| [ArcMinerGetTxData](#interface-arcminergettxdata) | [PermissionsManagerConfig](#interface-permissionsmanagerconfig) | [TableTransaction](#interface-tabletransaction) |
+| [AuthId](#interface-authid) | [PostBeefResult](#interface-postbeefresult) | [TableTxLabel](#interface-tabletxlabel) |
+| [AuthPayload](#interface-authpayload) | [PostBeefResultForTxidApi](#interface-postbeefresultfortxidapi) | [TableTxLabelMap](#interface-tabletxlabelmap) |
+| [BaseBlockHeader](#interface-baseblockheader) | [PostReqsToNetworkDetails](#interface-postreqstonetworkdetails) | [TableUser](#interface-tableuser) |
+| [BlockHeader](#interface-blockheader) | [PostReqsToNetworkResult](#interface-postreqstonetworkresult) | [TaskPurgeParams](#interface-taskpurgeparams) |
+| [BsvExchangeRate](#interface-bsvexchangerate) | [PostTxResultForTxid](#interface-posttxresultfortxid) | [TrustSettings](#interface-trustsettings) |
+| [CertOpsWallet](#interface-certopswallet) | [PostTxResultForTxidError](#interface-posttxresultfortxiderror) | [TrxToken](#interface-trxtoken) |
+| [Certifier](#interface-certifier) | [PostTxsResult](#interface-posttxsresult) | [TscMerkleProofApi](#interface-tscmerkleproofapi) |
+| [CommitNewTxResults](#interface-commitnewtxresults) | [ProcessSyncChunkResult](#interface-processsyncchunkresult) | [TxScriptOffsets](#interface-txscriptoffsets) |
+| [CompleteAuthResponse](#interface-completeauthresponse) | [ProvenOrRawTx](#interface-provenorrawtx) | [UMPToken](#interface-umptoken) |
+| [EntitySyncMap](#interface-entitysyncmap) | [ProvenTxFromTxidResult](#interface-proventxfromtxidresult) | [UMPTokenInteractor](#interface-umptokeninteractor) |
+| [EntityTimeStamp](#interface-entitytimestamp) | [ProvenTxReqHistory](#interface-proventxreqhistory) | [UpdateProvenTxReqWithNewProvenTxArgs](#interface-updateproventxreqwithnewproventxargs) |
+| [ExchangeRatesIoApi](#interface-exchangeratesioapi) | [ProvenTxReqHistorySummaryApi](#interface-proventxreqhistorysummaryapi) | [UpdateProvenTxReqWithNewProvenTxResult](#interface-updateproventxreqwithnewproventxresult) |
+| [ExtendedVerifiableCertificate](#interface-extendedverifiablecertificate) | [ProvenTxReqNotify](#interface-proventxreqnotify) | [ValidAbortActionArgs](#interface-validabortactionargs) |
+| [FiatExchangeRates](#interface-fiatexchangerates) | [PurgeParams](#interface-purgeparams) | [ValidAcquireCertificateArgs](#interface-validacquirecertificateargs) |
+| [FindCertificateFieldsArgs](#interface-findcertificatefieldsargs) | [PurgeResults](#interface-purgeresults) | [ValidAcquireDirectCertificateArgs](#interface-validacquiredirectcertificateargs) |
+| [FindCertificatesArgs](#interface-findcertificatesargs) | [RequestSyncChunkArgs](#interface-requestsyncchunkargs) | [ValidAcquireIssuanceCertificateArgs](#interface-validacquireissuancecertificateargs) |
+| [FindCommissionsArgs](#interface-findcommissionsargs) | [ScriptTemplateParamsBRC29](#interface-scripttemplateparamsbrc29) | [ValidBasketInsertion](#interface-validbasketinsertion) |
+| [FindForUserSincePagedArgs](#interface-findforusersincepagedargs) | [ScriptTemplateUnlock](#interface-scripttemplateunlock) | [ValidCreateActionArgs](#interface-validcreateactionargs) |
+| [FindMonitorEventsArgs](#interface-findmonitoreventsargs) | [StartAuthResponse](#interface-startauthresponse) | [ValidCreateActionInput](#interface-validcreateactioninput) |
+| [FindOutputBasketsArgs](#interface-findoutputbasketsargs) | [StorageCreateActionResult](#interface-storagecreateactionresult) | [ValidCreateActionOptions](#interface-validcreateactionoptions) |
+| [FindOutputTagMapsArgs](#interface-findoutputtagmapsargs) | [StorageCreateTransactionSdkInput](#interface-storagecreatetransactionsdkinput) | [ValidCreateActionOutput](#interface-validcreateactionoutput) |
+| [FindOutputTagsArgs](#interface-findoutputtagsargs) | [StorageCreateTransactionSdkOutput](#interface-storagecreatetransactionsdkoutput) | [ValidDiscoverByAttributesArgs](#interface-validdiscoverbyattributesargs) |
+| [FindOutputsArgs](#interface-findoutputsargs) | [StorageFeeModel](#interface-storagefeemodel) | [ValidDiscoverByIdentityKeyArgs](#interface-validdiscoverbyidentitykeyargs) |
+| [FindPartialSincePagedArgs](#interface-findpartialsincepagedargs) | [StorageGetBeefOptions](#interface-storagegetbeefoptions) | [ValidInternalizeActionArgs](#interface-validinternalizeactionargs) |
+| [FindProvenTxReqsArgs](#interface-findproventxreqsargs) | [StorageIdentity](#interface-storageidentity) | [ValidInternalizeOutput](#interface-validinternalizeoutput) |
+| [FindProvenTxsArgs](#interface-findproventxsargs) | [StorageInternalizeActionResult](#interface-storageinternalizeactionresult) | [ValidListActionsArgs](#interface-validlistactionsargs) |
+| [FindSincePagedArgs](#interface-findsincepagedargs) | [StorageProcessActionArgs](#interface-storageprocessactionargs) | [ValidListCertificatesArgs](#interface-validlistcertificatesargs) |
+| [FindSyncStatesArgs](#interface-findsyncstatesargs) | [StorageProcessActionResults](#interface-storageprocessactionresults) | [ValidListOutputsArgs](#interface-validlistoutputsargs) |
+| [FindTransactionsArgs](#interface-findtransactionsargs) | [StorageProvenOrReq](#interface-storageprovenorreq) | [ValidProcessActionArgs](#interface-validprocessactionargs) |
+| [FindTxLabelMapsArgs](#interface-findtxlabelmapsargs) | [StorageProviderOptions](#interface-storageprovideroptions) | [ValidProcessActionOptions](#interface-validprocessactionoptions) |
+| [FindTxLabelsArgs](#interface-findtxlabelsargs) | [StorageReaderOptions](#interface-storagereaderoptions) | [ValidProveCertificateArgs](#interface-validprovecertificateargs) |
+| [FindUsersArgs](#interface-findusersargs) | [StorageReaderWriterOptions](#interface-storagereaderwriteroptions) | [ValidRelinquishCertificateArgs](#interface-validrelinquishcertificateargs) |
+| [GenerateChangeSdkChangeInput](#interface-generatechangesdkchangeinput) | [StorageSyncReader](#interface-storagesyncreader) | [ValidRelinquishOutputArgs](#interface-validrelinquishoutputargs) |
+| [GenerateChangeSdkChangeOutput](#interface-generatechangesdkchangeoutput) | [StorageSyncReaderOptions](#interface-storagesyncreaderoptions) | [ValidSignActionArgs](#interface-validsignactionargs) |
+| [GenerateChangeSdkInput](#interface-generatechangesdkinput) | [StorageSyncReaderWriter](#interface-storagesyncreaderwriter) | [ValidSignActionOptions](#interface-validsignactionoptions) |
+| [GenerateChangeSdkOutput](#interface-generatechangesdkoutput) | [SyncChunk](#interface-syncchunk) | [ValidWalletPayment](#interface-validwalletpayment) |
+| [GenerateChangeSdkParams](#interface-generatechangesdkparams) | [SyncError](#interface-syncerror) | [ValidWalletSignerArgs](#interface-validwalletsignerargs) |
+| [GenerateChangeSdkResult](#interface-generatechangesdkresult) | [SyncMap](#interface-syncmap) | [ValidateGenerateChangeSdkParamsResult](#interface-validategeneratechangesdkparamsresult) |
+| [GenerateChangeSdkStorageChange](#interface-generatechangesdkstoragechange) | [TableCertificate](#interface-tablecertificate) | [WalletArgs](#interface-walletargs) |
+| [GetMerklePathResult](#interface-getmerklepathresult) | [TableCertificateField](#interface-tablecertificatefield) | [WalletPermissionsManagerCallbacks](#interface-walletpermissionsmanagercallbacks) |
+| [GetRawTxResult](#interface-getrawtxresult) | [TableCertificateX](#interface-tablecertificatex) | [WalletServices](#interface-walletservices) |
+| [GetReqsAndBeefDetail](#interface-getreqsandbeefdetail) | [TableCommission](#interface-tablecommission) | [WalletServicesOptions](#interface-walletservicesoptions) |
+| [GetReqsAndBeefResult](#interface-getreqsandbeefresult) | [TableMonitorEvent](#interface-tablemonitorevent) | [WalletSettings](#interface-walletsettings) |
+| [GetUtxoStatusDetails](#interface-getutxostatusdetails) | [TableOutput](#interface-tableoutput) | [WalletSettingsManagerConfig](#interface-walletsettingsmanagerconfig) |
+| [GetUtxoStatusResult](#interface-getutxostatusresult) | [TableOutputBasket](#interface-tableoutputbasket) | [WalletSigner](#interface-walletsigner) |
+| [KeyPair](#interface-keypair) | [TableOutputTag](#interface-tableoutputtag) | [WalletStorage](#interface-walletstorage) |
+| [MonitorOptions](#interface-monitoroptions) | [TableOutputTagMap](#interface-tableoutputtagmap) | [WalletStorageProvider](#interface-walletstorageprovider) |
+| [OutPoint](#interface-outpoint) | [TableOutputX](#interface-tableoutputx) | [WalletStorageReader](#interface-walletstoragereader) |
+| [Paged](#interface-paged) | [TableProvenTx](#interface-tableproventx) | [WalletStorageSync](#interface-walletstoragesync) |
+| [PendingSignAction](#interface-pendingsignaction) | [TableProvenTxReq](#interface-tableproventxreq) | [WalletStorageWriter](#interface-walletstoragewriter) |
+| [PendingStorageInput](#interface-pendingstorageinput) | [TableProvenTxReqDynamics](#interface-tableproventxreqdynamics) | [WalletTheme](#interface-wallettheme) |
+| [PermissionRequest](#interface-permissionrequest) | [TableSettings](#interface-tablesettings) | [XValidCreateActionOutput](#interface-xvalidcreateactionoutput) |
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
@@ -167,6 +170,22 @@ export interface AuthId {
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Interface: AuthPayload
+
+AuthMethodInteractor
+
+A base interface/class for client-side logic to interact with a server
+for a specific Auth Method's flow (start, complete).
+
+```ts
+export interface AuthPayload {
+    [key: string]: any;
+}
+```
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Interface: BaseBlockHeader
 
@@ -294,6 +313,22 @@ export interface CertOpsWallet {
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Interface: Certifier
+
+```ts
+export interface Certifier {
+    name: string;
+    description: string;
+    identityKey: PubKeyHex;
+    trust: number;
+    iconUrl?: string;
+    baseURL?: string;
+}
+```
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Interface: CommitNewTxResults
 
@@ -308,6 +343,19 @@ See also: [EntityProvenTxReq](./storage.md#class-entityproventxreq)
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Interface: CompleteAuthResponse
+
+```ts
+export interface CompleteAuthResponse {
+    success: boolean;
+    message?: string;
+    presentationKey?: string;
+}
+```
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Interface: EntitySyncMap
 
@@ -378,6 +426,18 @@ export interface ExchangeRatesIoApi {
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Interface: ExtendedVerifiableCertificate
+
+```ts
+export interface ExtendedVerifiableCertificate extends IdentityCertificate {
+    certifierInfo: IdentityCertifier;
+    publiclyRevealedKeyring: Record<string, Base64String>;
+}
+```
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Interface: FiatExchangeRates
 
@@ -1046,21 +1106,6 @@ export interface KeyPair {
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
----
-##### Interface: KeyPairAddress
-
-A private key and associated public key and address.
-
-```ts
-export interface KeyPairAddress {
-    privateKey: PrivateKey;
-    publicKey: PublicKey;
-    address: string;
-}
-```
-
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
-
 ---
 ##### Interface: MonitorOptions
 
@@ -1167,767 +1212,876 @@ export interface PendingStorageInput {
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
 ---
-##### Interface: PostBeefResult
+##### Interface: PermissionRequest
+
+Describes a single requested permission that the user must either grant or deny.
+
+Four categories of permission are supported, each with a unique protocol:
+ 1) protocol - "DPACP" (Domain Protocol Access Control Protocol)
+ 2) basket   - "DBAP"  (Domain Basket Access Protocol)
+ 3) certificate - "DCAP" (Domain Certificate Access Protocol)
+ 4) spending - "DSAP"  (Domain Spending Authorization Protocol)
+
+This model underpins "requests" made to the user for permission, which the user can
+either grant or deny. The manager can then create on-chain tokens (PushDrop outputs)
+if permission is granted. Denying requests cause the underlying operation to throw,
+and no token is created. An "ephemeral" grant is also possible, denoting a one-time
+authorization without an associated persistent on-chain token.
 
 ```ts
-export interface PostBeefResult extends PostTxsResult {
+export interface PermissionRequest {
+    type: "protocol" | "basket" | "certificate" | "spending";
+    originator: string;
+    privileged?: boolean;
+    protocolID?: [
+        0 | 1 | 2,
+        string
+    ];
+    counterparty?: string;
+    basket?: string;
+    certificate?: {
+        verifier: string;
+        certType: string;
+        fields: string[];
+    };
+    spending?: {
+        satoshis: number;
+        lineItems?: Array<{
+            type: "input" | "output" | "fee";
+            description: string;
+            satoshis: number;
+        }>;
+    };
+    reason?: string;
+    renewal?: boolean;
+    previousToken?: PermissionToken;
 }
 ```
 
-See also: [PostTxsResult](./client.md#interface-posttxsresult)
+See also: [PermissionToken](./client.md#interface-permissiontoken)
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
 ---
-##### Interface: PostBeefResultForTxidApi
+##### Interface: PermissionToken
+
+Data structure representing an on-chain permission token.
+It is typically stored as a single unspent PushDrop output in a special "internal" admin basket belonging to
+the user, held in their underlying wallet.
+
+It can represent any of the four permission categories by having the relevant fields:
+ - DPACP: originator, privileged, protocol, securityLevel, counterparty
+ - DBAP:  originator, basketName
+ - DCAP:  originator, privileged, verifier, certType, certFields
+ - DSAP:  originator, authorizedAmount
 
 ```ts
-export interface PostBeefResultForTxidApi {
+export interface PermissionToken {
     txid: string;
-    status: "success" | "error";
-    alreadyKnown?: boolean;
-    blockHash?: string;
-    blockHeight?: number;
-    merklePath?: string;
+    outputIndex: number;
+    outputScript: string;
+    satoshis: number;
+    originator: string;
+    expiry: number;
+    privileged?: boolean;
+    protocol?: string;
+    securityLevel?: 0 | 1 | 2;
+    counterparty?: string;
+    basketName?: string;
+    certType?: string;
+    certFields?: string[];
+    verifier?: string;
+    authorizedAmount?: number;
 }
 ```
 
-###### Property alreadyKnown
-
-if true, the transaction was already known to this service. Usually treat as a success.
+###### Property authorizedAmount
 
-Potentially stop posting to additional transaction processors.
+For DSAP, the maximum authorized spending for the month.
 
 ```ts
-alreadyKnown?: boolean
+authorizedAmount?: number
 ```
 
-###### Property status
+###### Property basketName
 
-'success' - The transaction was accepted for processing
+The name of a basket, if this is a DBAP token.
 
 ```ts
-status: "success" | "error"
+basketName?: string
 ```
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+###### Property certFields
 
----
-##### Interface: PostReqsToNetworkDetails
+The certificate fields that this token covers, if DCAP token.
 
 ```ts
-export interface PostReqsToNetworkDetails {
-    txid: string;
-    req: EntityProvenTxReq;
-    status: PostReqsToNetworkDetailsStatus;
-    pbrft: sdk.PostTxResultForTxid;
-    data?: string;
-    error?: string;
-}
+certFields?: string[]
 ```
 
-See also: [EntityProvenTxReq](./storage.md#class-entityproventxreq), [PostReqsToNetworkDetailsStatus](./storage.md#type-postreqstonetworkdetailsstatus), [PostTxResultForTxid](./client.md#interface-posttxresultfortxid)
+###### Property certType
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
-
----
-##### Interface: PostReqsToNetworkResult
+The certificate type, if this is a DCAP token.
 
 ```ts
-export interface PostReqsToNetworkResult {
-    status: "success" | "error";
-    beef: Beef;
-    details: PostReqsToNetworkDetails[];
-    pbr?: sdk.PostBeefResult;
-    log: string;
-}
+certType?: string
 ```
 
-See also: [PostBeefResult](./client.md#interface-postbeefresult), [PostReqsToNetworkDetails](./storage.md#interface-postreqstonetworkdetails)
-
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+###### Property counterparty
 
----
-##### Interface: PostTxResultForTxid
+The counterparty, for DPACP.
 
 ```ts
-export interface PostTxResultForTxid {
-    txid: string;
-    status: "success" | "error";
-    alreadyKnown?: boolean;
-    doubleSpend?: boolean;
-    blockHash?: string;
-    blockHeight?: number;
-    merklePath?: MerklePath;
-    competingTxs?: string[];
-    data?: object | string | PostTxResultForTxidError;
-}
+counterparty?: string
 ```
 
-See also: [PostTxResultForTxidError](./client.md#interface-posttxresultfortxiderror)
+###### Property expiry
 
-###### Property alreadyKnown
+The expiration time for this token in UNIX epoch seconds. (0 or omitted for spending authorizations, which are indefinite)
 
-if true, the transaction was already known to this service. Usually treat as a success.
+```ts
+expiry: number
+```
 
-Potentially stop posting to additional transaction processors.
+###### Property originator
+
+The originator domain or FQDN that is allowed to use this permission.
 
 ```ts
-alreadyKnown?: boolean
+originator: string
 ```
 
-###### Property doubleSpend
+###### Property outputIndex
 
-service indicated this broadcast double spends at least one input
-`competingTxs` may be an array of txids that were first seen spends of at least one input.
+The output index within that transaction.
 
 ```ts
-doubleSpend?: boolean
+outputIndex: number
 ```
 
-###### Property status
+###### Property outputScript
 
-'success' - The transaction was accepted for processing
+The exact script hex for the locking script.
 
 ```ts
-status: "success" | "error"
+outputScript: string
 ```
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+###### Property privileged
 
----
-##### Interface: PostTxResultForTxidError
+Whether this token grants privileged usage (for protocol or certificate).
 
 ```ts
-export interface PostTxResultForTxidError {
-    status?: string;
-    detail?: string;
-    more?: object;
-}
+privileged?: boolean
 ```
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
-
----
-##### Interface: PostTxsResult
+###### Property protocol
 
-Properties on array items of result returned from `WalletServices` function `postBeef`.
+The protocol name, if this is a DPACP token.
 
 ```ts
-export interface PostTxsResult {
-    name: string;
-    status: "success" | "error";
-    error?: sdk.WalletError;
-    txidResults: PostTxResultForTxid[];
-    data?: object;
-}
+protocol?: string
 ```
 
-See also: [PostTxResultForTxid](./client.md#interface-posttxresultfortxid), [WalletError](./client.md#class-walleterror)
+###### Property satoshis
 
-###### Property data
+The amount of satoshis assigned to the permission output (often 1).
 
-Service response object. Use service name and status to infer type of object.
+```ts
+satoshis: number
+```
+
+###### Property securityLevel
+
+The security level (0,1,2) for DPACP.
 
 ```ts
-data?: object
+securityLevel?: 0 | 1 | 2
 ```
 
-###### Property name
+###### Property txid
 
-The name of the service to which the transaction was submitted for processing
+The transaction ID where this token resides.
 
 ```ts
-name: string
+txid: string
 ```
 
-###### Property status
+###### Property verifier
 
-'success' all txids returned status of 'success'
-'error' one or more txids returned status of 'error'. See txidResults for details.
+The "verifier" public key string, if DCAP.
 
 ```ts
-status: "success" | "error"
+verifier?: string
 ```
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
 ---
-##### Interface: ProcessSyncChunkResult
+##### Interface: PermissionsManagerConfig
+
+Configuration object for the WalletPermissionsManager. If a given option is `false`,
+the manager will skip or alter certain permission checks or behaviors.
+
+By default, all of these are `true` unless specified otherwise. This is the most secure configuration.
 
 ```ts
-export interface ProcessSyncChunkResult {
-    done: boolean;
-    maxUpdated_at: Date | undefined;
-    updates: number;
-    inserts: number;
-    error?: sdk.WalletError;
+export interface PermissionsManagerConfig {
+    seekProtocolPermissionsForSigning?: boolean;
+    seekProtocolPermissionsForEncrypting?: boolean;
+    seekProtocolPermissionsForHMAC?: boolean;
+    seekPermissionsForKeyLinkageRevelation?: boolean;
+    seekPermissionsForPublicKeyRevelation?: boolean;
+    seekPermissionsForIdentityKeyRevelation?: boolean;
+    seekPermissionsForIdentityResolution?: boolean;
+    seekBasketInsertionPermissions?: boolean;
+    seekBasketRemovalPermissions?: boolean;
+    seekBasketListingPermissions?: boolean;
+    seekPermissionWhenApplyingActionLabels?: boolean;
+    seekPermissionWhenListingActionsByLabel?: boolean;
+    seekCertificateDisclosurePermissions?: boolean;
+    seekCertificateAcquisitionPermissions?: boolean;
+    seekCertificateRelinquishmentPermissions?: boolean;
+    seekCertificateListingPermissions?: boolean;
+    encryptWalletMetadata?: boolean;
+    seekSpendingPermissions?: boolean;
+    differentiatePrivilegedOperations?: boolean;
 }
 ```
 
-See also: [WalletError](./client.md#class-walleterror)
+###### Property differentiatePrivilegedOperations
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+If false, permissions are checked without regard for whether we are in
+privileged mode. Privileged status is ignored with respect to whether
+permissions are granted. Internally, they are always sought and checked
+with privileged=false, regardless of the actual value.
 
----
-##### Interface: ProvenOrRawTx
+```ts
+differentiatePrivilegedOperations?: boolean
+```
+
+###### Property encryptWalletMetadata
+
+Should transaction descriptions, input descriptions, and output descriptions be encrypted
+when before they are passed to the underlying wallet, and transparently decrypted when retrieved?
 
 ```ts
-export interface ProvenOrRawTx {
-    proven?: TableProvenTx;
-    rawTx?: number[];
-    inputBEEF?: number[];
-}
+encryptWalletMetadata?: boolean
 ```
 
-See also: [TableProvenTx](./storage.md#interface-tableproventx)
+###### Property seekBasketInsertionPermissions
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+When we do internalizeAction with `basket insertion`, or include outputs in baskets
+with `createAction, do we ask for basket permission?
 
----
-##### Interface: ProvenTxFromTxidResult
+```ts
+seekBasketInsertionPermissions?: boolean
+```
+
+###### Property seekBasketListingPermissions
+
+When listOutputs is called, do we ask for basket permission?
 
 ```ts
-export interface ProvenTxFromTxidResult {
-    proven?: EntityProvenTx;
-    rawTx?: number[];
-}
+seekBasketListingPermissions?: boolean
 ```
 
-See also: [EntityProvenTx](./storage.md#class-entityproventx)
+###### Property seekBasketRemovalPermissions
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+When relinquishOutput is called, do we ask for basket permission?
 
----
-##### Interface: ProvenTxReqHistory
+```ts
+seekBasketRemovalPermissions?: boolean
+```
+
+###### Property seekCertificateAcquisitionPermissions
+
+If acquiring a certificate (acquireCertificate), do we require a permission check?
 
 ```ts
-export interface ProvenTxReqHistory {
-    notes?: Record<string, string>;
-}
+seekCertificateAcquisitionPermissions?: boolean
 ```
 
-###### Property notes
+###### Property seekCertificateDisclosurePermissions
 
-Keys are Date().toISOString()
-Values are a description of what happened.
+If proving a certificate (proveCertificate) or revealing certificate fields,
+do we require a "certificate access" permission?
 
 ```ts
-notes?: Record<string, string>
+seekCertificateDisclosurePermissions?: boolean
 ```
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+###### Property seekCertificateListingPermissions
 
----
-##### Interface: ProvenTxReqHistorySummaryApi
+If listing a user's certificates (listCertificates), do we require a permission check?
 
 ```ts
-export interface ProvenTxReqHistorySummaryApi {
-    setToCompleted: boolean;
-    setToCallback: boolean;
-    setToUnmined: boolean;
-    setToDoubleSpend: boolean;
-    setToSending: boolean;
-    setToUnconfirmed: boolean;
-}
+seekCertificateListingPermissions?: boolean
 ```
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+###### Property seekCertificateRelinquishmentPermissions
 
----
-##### Interface: ProvenTxReqNotify
+If relinquishing a certificate (relinquishCertificate), do we require a permission check?
 
 ```ts
-export interface ProvenTxReqNotify {
-    transactionIds?: number[];
-}
+seekCertificateRelinquishmentPermissions?: boolean
 ```
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+###### Property seekPermissionWhenApplyingActionLabels
 
----
-##### Interface: PurgeParams
+When createAction is called with labels, do we ask for "label usage" permission?
 
 ```ts
-export interface PurgeParams {
-    purgeCompleted: boolean;
-    purgeFailed: boolean;
-    purgeSpent: boolean;
-    purgeCompletedAge?: number;
-    purgeFailedAge?: number;
-    purgeSpentAge?: number;
-}
+seekPermissionWhenApplyingActionLabels?: boolean
 ```
 
-###### Property purgeCompletedAge
+###### Property seekPermissionWhenListingActionsByLabel
 
-Minimum age in msecs for transient completed transaction data purge.
-Default is 14 days.
+When listActions is called with labels, do we ask for "label usage" permission?
 
 ```ts
-purgeCompletedAge?: number
+seekPermissionWhenListingActionsByLabel?: boolean
 ```
 
-###### Property purgeFailedAge
+###### Property seekPermissionsForIdentityKeyRevelation
 
-Minimum age in msecs for failed transaction data purge.
-Default is 14 days.
+If getPublicKey is requested with `identityKey=true`, do we require permission?
 
 ```ts
-purgeFailedAge?: number
+seekPermissionsForIdentityKeyRevelation?: boolean
 ```
 
-###### Property purgeSpentAge
+###### Property seekPermissionsForIdentityResolution
 
-Minimum age in msecs for failed transaction data purge.
-Default is 14 days.
+If discoverByIdentityKey / discoverByAttributes are called, do we require permission
+for "identity resolution" usage?
 
 ```ts
-purgeSpentAge?: number
+seekPermissionsForIdentityResolution?: boolean
 ```
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+###### Property seekPermissionsForKeyLinkageRevelation
 
----
-##### Interface: PurgeResults
+For revealing counterparty-level or specific key linkage revelation information,
+should we require permission?
 
 ```ts
-export interface PurgeResults {
-    count: number;
-    log: string;
-}
+seekPermissionsForKeyLinkageRevelation?: boolean
 ```
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+###### Property seekPermissionsForPublicKeyRevelation
 
----
-##### Interface: RequestSyncChunkArgs
+For revealing any user public key (getPublicKey) **other** than the identity key,
+should we require permission?
 
 ```ts
-export interface RequestSyncChunkArgs {
-    fromStorageIdentityKey: string;
-    toStorageIdentityKey: string;
-    identityKey: string;
-    since?: Date;
-    maxRoughSize: number;
-    maxItems: number;
-    offsets: {
-        name: string;
-        offset: number;
-    }[];
-}
+seekPermissionsForPublicKeyRevelation?: boolean
 ```
 
-###### Property fromStorageIdentityKey
+###### Property seekProtocolPermissionsForEncrypting
 
-The storageIdentityKey of the storage supplying the update SyncChunk data.
+For methods that perform encryption (encrypt/decrypt), require
+a "protocol usage" permission check?
 
 ```ts
-fromStorageIdentityKey: string
+seekProtocolPermissionsForEncrypting?: boolean
 ```
 
-###### Property identityKey
+###### Property seekProtocolPermissionsForHMAC
 
-The identity of whose data is being requested
+For methods that perform HMAC creation or verification (createHmac, verifyHmac),
+require a "protocol usage" permission check?
 
 ```ts
-identityKey: string
+seekProtocolPermissionsForHMAC?: boolean
 ```
 
-###### Property maxItems
+###### Property seekProtocolPermissionsForSigning
 
-The maximum number of items (records) to be returned.
+For `createSignature` and `verifySignature`,
+require a "protocol usage" permission check?
 
 ```ts
-maxItems: number
+seekProtocolPermissionsForSigning?: boolean
 ```
 
-###### Property maxRoughSize
+###### Property seekSpendingPermissions
 
-A rough limit on how large the response should be.
-The item that exceeds the limit is included and ends adding more items.
+If the originator tries to spend wallet funds (netSpent > 0 in createAction),
+do we seek spending authorization?
 
 ```ts
-maxRoughSize: number
+seekSpendingPermissions?: boolean
 ```
 
-###### Property offsets
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
-For each entity in dependency order, the offset at which to start returning items
-from `since`.
+---
+##### Interface: PostBeefResult
 
-The entity order is:
-0 ProvenTxs
-1 ProvenTxReqs
-2 OutputBaskets
-3 TxLabels
-4 OutputTags
-5 Transactions
-6 TxLabelMaps
-7 Commissions
-8 Outputs
-9 OutputTagMaps
-10 Certificates
-11 CertificateFields
+```ts
+export interface PostBeefResult extends PostTxsResult {
+}
+```
+
+See also: [PostTxsResult](./client.md#interface-posttxsresult)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Interface: PostBeefResultForTxidApi
 
 ```ts
-offsets: {
-    name: string;
-    offset: number;
-}[]
+export interface PostBeefResultForTxidApi {
+    txid: string;
+    status: "success" | "error";
+    alreadyKnown?: boolean;
+    blockHash?: string;
+    blockHeight?: number;
+    merklePath?: string;
+}
 ```
 
-###### Property since
+###### Property alreadyKnown
 
-The max updated_at time received from the storage service receiving the request.
-Will be undefiend if this is the first request or if no data was previously sync'ed.
+if true, the transaction was already known to this service. Usually treat as a success.
 
-`since` must include items if 'updated_at' is greater or equal. Thus, when not undefined, a sync request should always return at least one item already seen.
+Potentially stop posting to additional transaction processors.
 
 ```ts
-since?: Date
+alreadyKnown?: boolean
 ```
 
-###### Property toStorageIdentityKey
+###### Property status
 
-The storageIdentityKey of the storage consuming the update SyncChunk data.
+'success' - The transaction was accepted for processing
 
 ```ts
-toStorageIdentityKey: string
+status: "success" | "error"
 ```
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
 ---
-##### Interface: ScriptTemplateParamsBRC29
+##### Interface: PostReqsToNetworkDetails
 
 ```ts
-export interface ScriptTemplateParamsBRC29 {
-    derivationPrefix?: string;
-    derivationSuffix?: string;
-    keyDeriver: KeyDeriverApi;
+export interface PostReqsToNetworkDetails {
+    txid: string;
+    req: EntityProvenTxReq;
+    status: PostReqsToNetworkDetailsStatus;
+    pbrft: sdk.PostTxResultForTxid;
+    data?: string;
+    error?: string;
 }
 ```
 
+See also: [EntityProvenTxReq](./storage.md#class-entityproventxreq), [PostReqsToNetworkDetailsStatus](./storage.md#type-postreqstonetworkdetailsstatus), [PostTxResultForTxid](./client.md#interface-posttxresultfortxid)
+
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
 ---
-##### Interface: ScriptTemplateUnlock
+##### Interface: PostReqsToNetworkResult
 
 ```ts
-export interface ScriptTemplateUnlock {
-    sign: (tx: Transaction, inputIndex: number) => Promise<UnlockingScript>;
-    estimateLength: (tx: Transaction, inputIndex: number) => Promise<number>;
+export interface PostReqsToNetworkResult {
+    status: "success" | "error";
+    beef: Beef;
+    details: PostReqsToNetworkDetails[];
+    pbr?: sdk.PostBeefResult;
+    log: string;
 }
 ```
 
+See also: [PostBeefResult](./client.md#interface-postbeefresult), [PostReqsToNetworkDetails](./storage.md#interface-postreqstonetworkdetails)
+
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
 ---
-##### Interface: SetupEnv
+##### Interface: PostTxResultForTxid
 
-`SetupEnv` provides a starting point for managing secrets that
-must not appear in source code.
+```ts
+export interface PostTxResultForTxid {
+    txid: string;
+    status: "success" | "error";
+    alreadyKnown?: boolean;
+    doubleSpend?: boolean;
+    blockHash?: string;
+    blockHeight?: number;
+    merklePath?: MerklePath;
+    competingTxs?: string[];
+    data?: object | string | PostTxResultForTxidError;
+}
+```
 
-The `makeEnv` and `getEnv` functions of the `Setup` and `SetupClient` classes
-provide an easy way to create and import these secrets and related properties.
+See also: [PostTxResultForTxidError](./client.md#interface-posttxresultfortxiderror)
+
+###### Property alreadyKnown
+
+if true, the transaction was already known to this service. Usually treat as a success.
+
+Potentially stop posting to additional transaction processors.
 
 ```ts
-export interface SetupEnv {
-    chain: sdk.Chain;
-    identityKey: string;
-    identityKey2: string;
-    filePath: string | undefined;
-    taalApiKey: string;
-    devKeys: Record<string, string>;
-    mySQLConnection: string;
-}
+alreadyKnown?: boolean
 ```
 
-See also: [Chain](./client.md#type-chain)
+###### Property doubleSpend
 
-###### Property chain
+service indicated this broadcast double spends at least one input
+`competingTxs` may be an array of txids that were first seen spends of at least one input.
+
+```ts
+doubleSpend?: boolean
+```
+
+###### Property status
 
-The chan being accessed: 'main' for mainnet, 'test' for 'testnet'.
+'success' - The transaction was accepted for processing
 
 ```ts
-chain: sdk.Chain
+status: "success" | "error"
 ```
-See also: [Chain](./client.md#type-chain)
 
-###### Property devKeys
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
-A map of public keys (identity keys, hex strings) to private keys (hex strings).
+---
+##### Interface: PostTxResultForTxidError
 
 ```ts
-devKeys: Record<string, string>
+export interface PostTxResultForTxidError {
+    status?: string;
+    detail?: string;
+    more?: object;
+}
 ```
 
-###### Property filePath
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Interface: PostTxsResult
 
-Filepath to sqlite file to be used for identityKey wallet.
+Properties on array items of result returned from `WalletServices` function `postBeef`.
 
 ```ts
-filePath: string | undefined
+export interface PostTxsResult {
+    name: string;
+    status: "success" | "error";
+    error?: sdk.WalletError;
+    txidResults: PostTxResultForTxid[];
+    data?: object;
+}
 ```
 
-###### Property identityKey
+See also: [PostTxResultForTxid](./client.md#interface-posttxresultfortxid), [WalletError](./client.md#class-walleterror)
+
+###### Property data
 
-The user's primary identity key (public key).
+Service response object. Use service name and status to infer type of object.
 
 ```ts
-identityKey: string
+data?: object
 ```
 
-###### Property identityKey2
+###### Property name
 
-A secondary identity key (public key), used to test exchanges with other users.
+The name of the service to which the transaction was submitted for processing
 
 ```ts
-identityKey2: string
+name: string
 ```
 
-###### Property mySQLConnection
+###### Property status
 
-A MySQL connection string including user and password properties.
-Must be valid to make use of MySQL `Setup` class support.
+'success' all txids returned status of 'success'
+'error' one or more txids returned status of 'error'. See txidResults for details.
 
 ```ts
-mySQLConnection: string
+status: "success" | "error"
 ```
 
-###### Property taalApiKey
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
-A vaild TAAL API key for use by `Services`
+---
+##### Interface: ProcessSyncChunkResult
 
 ```ts
-taalApiKey: string
+export interface ProcessSyncChunkResult {
+    done: boolean;
+    maxUpdated_at: Date | undefined;
+    updates: number;
+    inserts: number;
+    error?: sdk.WalletError;
+}
 ```
 
+See also: [WalletError](./client.md#class-walleterror)
+
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
 ---
-##### Interface: SetupWallet
+##### Interface: ProvenOrRawTx
+
+```ts
+export interface ProvenOrRawTx {
+    proven?: TableProvenTx;
+    rawTx?: number[];
+    inputBEEF?: number[];
+}
+```
 
-When creating a BRC-100 compatible `Wallet`, many components come into play.
+See also: [TableProvenTx](./storage.md#interface-tableproventx)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
-All of the `createWallet` functions in the `Setup` and `SetupClient` classes return
-an object with direct access to each component to facilitate experimentation, testing
-and customization.
+---
+##### Interface: ProvenTxFromTxidResult
 
 ```ts
-export interface SetupWallet {
-    rootKey: PrivateKey;
-    identityKey: string;
-    keyDeriver: KeyDeriver;
-    chain: sdk.Chain;
-    storage: WalletStorageManager;
-    services: Services;
-    monitor: Monitor;
-    wallet: Wallet;
+export interface ProvenTxFromTxidResult {
+    proven?: EntityProvenTx;
+    rawTx?: number[];
 }
 ```
 
-See also: [Chain](./client.md#type-chain), [Monitor](./monitor.md#class-monitor), [Services](./services.md#class-services), [Wallet](./client.md#class-wallet), [WalletStorageManager](./storage.md#class-walletstoragemanager)
+See also: [EntityProvenTx](./storage.md#class-entityproventx)
 
-###### Property chain
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
-The chain ('main' or 'test') which the wallet accesses.
+---
+##### Interface: ProvenTxReqHistory
 
 ```ts
-chain: sdk.Chain
+export interface ProvenTxReqHistory {
+    notes?: Record<string, string>;
+}
 ```
-See also: [Chain](./client.md#type-chain)
 
-###### Property identityKey
+###### Property notes
 
-The pubilc key associated with the `rootKey` which also serves as the wallet's identity.
+Keys are Date().toISOString()
+Values are a description of what happened.
 
 ```ts
-identityKey: string
+notes?: Record<string, string>
 ```
 
-###### Property keyDeriver
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
-The `KeyDeriver` component used by the wallet for key derivation and cryptographic functions.
+---
+##### Interface: ProvenTxReqHistorySummaryApi
 
 ```ts
-keyDeriver: KeyDeriver
+export interface ProvenTxReqHistorySummaryApi {
+    setToCompleted: boolean;
+    setToCallback: boolean;
+    setToUnmined: boolean;
+    setToDoubleSpend: boolean;
+    setToSending: boolean;
+    setToUnconfirmed: boolean;
+}
 ```
 
-###### Property monitor
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
-The background task `Monitor` component available to the wallet to offload tasks
-that speed up wallet operations and maintain data integrity.
+---
+##### Interface: ProvenTxReqNotify
 
 ```ts
-monitor: Monitor
+export interface ProvenTxReqNotify {
+    transactionIds?: number[];
+}
 ```
-See also: [Monitor](./monitor.md#class-monitor)
 
-###### Property rootKey
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
-The rootKey of the `KeyDeriver`. The private key from which other keys are derived.
+---
+##### Interface: PurgeParams
 
 ```ts
-rootKey: PrivateKey
+export interface PurgeParams {
+    purgeCompleted: boolean;
+    purgeFailed: boolean;
+    purgeSpent: boolean;
+    purgeCompletedAge?: number;
+    purgeFailedAge?: number;
+    purgeSpentAge?: number;
+}
 ```
 
-###### Property services
+###### Property purgeCompletedAge
 
-The network `Services` component which provides the wallet with access to external services hosted
-on the public network.
+Minimum age in msecs for transient completed transaction data purge.
+Default is 14 days.
 
 ```ts
-services: Services
+purgeCompletedAge?: number
 ```
-See also: [Services](./services.md#class-services)
 
-###### Property storage
+###### Property purgeFailedAge
 
-The `WalletStorageManager` that manages all the configured storage providers (active and backups)
-accessed by the wallet.
+Minimum age in msecs for failed transaction data purge.
+Default is 14 days.
 
 ```ts
-storage: WalletStorageManager
+purgeFailedAge?: number
 ```
-See also: [WalletStorageManager](./storage.md#class-walletstoragemanager)
-
-###### Property wallet
 
-The actual BRC-100 `Wallet` to which all the other properties and components contribute.
+###### Property purgeSpentAge
 
-Note that internally, the wallet is itself linked to all these properties and components.
-They are included in this interface to facilitate access after wallet construction for
-experimentation, testing and customization. Any changes made to the configuration of these
-components after construction may disrupt the normal operation of the wallet.
+Minimum age in msecs for failed transaction data purge.
+Default is 14 days.
 
 ```ts
-wallet: Wallet
+purgeSpentAge?: number
 ```
-See also: [Wallet](./client.md#class-wallet)
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
 ---
-##### Interface: SetupWalletArgs
-
-Arguments used by `createWallet` to construct a `SetupWallet`.
-
-Extension `SetupWalletClientArgs` used by `createWalletClient` to construct a `SetupWalletClient`.
+##### Interface: PurgeResults
 
-Extension `SetupWalletKnexArgs` used by `createWalletKnex` to construct a `SetupWalletKnex`.
+```ts
+export interface PurgeResults {
+    count: number;
+    log: string;
+}
+```
 
-Extension `SetupWalletMySQLArgs` used by `createWalletMySQL` to construct a `SetupWalletKnex`.
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
-Extension `SetupWalletSQLiteArgs` used by `createWalletSQLite` to construct a `SetupWalletKnex`.
+---
+##### Interface: RequestSyncChunkArgs
 
 ```ts
-export interface SetupWalletArgs {
-    env: SetupEnv;
-    rootKeyHex?: string;
-    privilegedKeyGetter?: () => Promise<PrivateKey>;
-    active?: sdk.WalletStorageProvider;
-    backups?: sdk.WalletStorageProvider[];
+export interface RequestSyncChunkArgs {
+    fromStorageIdentityKey: string;
+    toStorageIdentityKey: string;
+    identityKey: string;
+    since?: Date;
+    maxRoughSize: number;
+    maxItems: number;
+    offsets: {
+        name: string;
+        offset: number;
+    }[];
 }
 ```
 
-See also: [SetupEnv](./setup.md#interface-setupenv), [WalletStorageProvider](./client.md#interface-walletstorageprovider)
-
-###### Property active
+###### Property fromStorageIdentityKey
 
-Optional. Active wallet storage. Can be added later.
+The storageIdentityKey of the storage supplying the update SyncChunk data.
 
 ```ts
-active?: sdk.WalletStorageProvider
+fromStorageIdentityKey: string
 ```
-See also: [WalletStorageProvider](./client.md#interface-walletstorageprovider)
 
-###### Property backups
+###### Property identityKey
 
-Optional. One or more storage providers managed as backup destinations. Can be added later.
+The identity of whose data is being requested
 
 ```ts
-backups?: sdk.WalletStorageProvider[]
+identityKey: string
 ```
-See also: [WalletStorageProvider](./client.md#interface-walletstorageprovider)
 
-###### Property env
+###### Property maxItems
 
-Configuration "secrets" typically obtained by `Setup.makeEnv` and `Setup.getEnv` functions.
+The maximum number of items (records) to be returned.
 
 ```ts
-env: SetupEnv
+maxItems: number
 ```
-See also: [SetupEnv](./setup.md#interface-setupenv)
 
-###### Property privilegedKeyGetter
+###### Property maxRoughSize
 
-Optional. The privileged private key getter used to initialize the `PrivilegedKeyManager`.
-Defaults to undefined.
+A rough limit on how large the response should be.
+The item that exceeds the limit is included and ends adding more items.
 
 ```ts
-privilegedKeyGetter?: () => Promise<PrivateKey>
+maxRoughSize: number
 ```
 
-###### Property rootKeyHex
+###### Property offsets
+
+For each entity in dependency order, the offset at which to start returning items
+from `since`.
 
-Optional. The non-privileged private key used to initialize the `KeyDeriver` and determine the `identityKey`.
-Defaults to `env.devKeys[env.identityKey]
+The entity order is:
+0 ProvenTxs
+1 ProvenTxReqs
+2 OutputBaskets
+3 TxLabels
+4 OutputTags
+5 Transactions
+6 TxLabelMaps
+7 Commissions
+8 Outputs
+9 OutputTagMaps
+10 Certificates
+11 CertificateFields
 
 ```ts
-rootKeyHex?: string
+offsets: {
+    name: string;
+    offset: number;
+}[]
 ```
 
-Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+###### Property since
 
----
-##### Interface: SetupWalletClient
+The max updated_at time received from the storage service receiving the request.
+Will be undefiend if this is the first request or if no data was previously sync'ed.
 
-Extension `SetupWalletClient` of `SetupWallet` is returned by `createWalletClient`
+`since` must include items if 'updated_at' is greater or equal. Thus, when not undefined, a sync request should always return at least one item already seen.
 
 ```ts
-export interface SetupWalletClient extends SetupWallet {
-    endpointUrl: string;
-}
+since?: Date
 ```
 
-See also: [SetupWallet](./setup.md#interface-setupwallet)
-
-###### Property endpointUrl
+###### Property toStorageIdentityKey
 
-The endpoint URL of the service hosting the `StorageServer` JSON-RPC service to
-which a `StorageClient` instance is connected to function as
-the active storage provider of the wallet.
+The storageIdentityKey of the storage consuming the update SyncChunk data.
 
 ```ts
-endpointUrl: string
+toStorageIdentityKey: string
 ```
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
 ---
-##### Interface: SetupWalletClientArgs
-
-Extension `SetupWalletClientArgs` of `SetupWalletArgs` is used by `createWalletClient`
-to construct a `SetupWalletClient`.
+##### Interface: ScriptTemplateParamsBRC29
 
 ```ts
-export interface SetupWalletClientArgs extends SetupWalletArgs {
-    endpointUrl?: string;
+export interface ScriptTemplateParamsBRC29 {
+    derivationPrefix?: string;
+    derivationSuffix?: string;
+    keyDeriver: KeyDeriverApi;
 }
 ```
 
-See also: [SetupWalletArgs](./setup.md#interface-setupwalletargs)
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Interface: ScriptTemplateUnlock
+
+```ts
+export interface ScriptTemplateUnlock {
+    sign: (tx: Transaction, inputIndex: number) => Promise<UnlockingScript>;
+    estimateLength: (tx: Transaction, inputIndex: number) => Promise<number>;
+}
+```
 
-###### Property endpointUrl
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
-The endpoint URL of a service hosting the `StorageServer` JSON-RPC service to
-which a `StorageClient` instance should connect to function as
-the active storage provider of the newly created wallet.
+---
+##### Interface: StartAuthResponse
 
 ```ts
-endpointUrl?: string
+export interface StartAuthResponse {
+    success: boolean;
+    message?: string;
+    data?: any;
+}
 ```
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
@@ -3063,6 +3217,20 @@ See also: [PurgeParams](./client.md#interface-purgeparams)
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Interface: TrustSettings
+
+```ts
+export interface TrustSettings {
+    trustLevel: number;
+    trustedCertifiers: Certifier[];
+}
+```
+
+See also: [Certifier](./client.md#interface-certifier)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Interface: TrxToken
 
@@ -3108,6 +3276,172 @@ export interface TxScriptOffsets {
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Interface: UMPToken
+
+Describes the structure of a User Management Protocol (UMP) token.
+
+```ts
+export interface UMPToken {
+    passwordPresentationPrimary: number[];
+    passwordRecoveryPrimary: number[];
+    presentationRecoveryPrimary: number[];
+    passwordPrimaryPrivileged: number[];
+    presentationRecoveryPrivileged: number[];
+    presentationHash: number[];
+    passwordSalt: number[];
+    recoveryHash: number[];
+    presentationKeyEncrypted: number[];
+    recoveryKeyEncrypted: number[];
+    passwordKeyEncrypted: number[];
+    currentOutpoint?: OutpointString;
+}
+```
+
+###### Property currentOutpoint
+
+Describes the token's location on-chain, if it's already been published.
+
+```ts
+currentOutpoint?: OutpointString
+```
+
+###### Property passwordKeyEncrypted
+
+A copy of the password key encrypted with the privileged key.
+
+```ts
+passwordKeyEncrypted: number[]
+```
+
+###### Property passwordPresentationPrimary
+
+Primary key encrypted by the XOR of the password and presentation keys.
+
+```ts
+passwordPresentationPrimary: number[]
+```
+
+###### Property passwordPrimaryPrivileged
+
+Privileged key encrypted by the XOR of the password and primary keys.
+
+```ts
+passwordPrimaryPrivileged: number[]
+```
+
+###### Property passwordRecoveryPrimary
+
+Primary key encrypted by the XOR of the password and recovery keys.
+
+```ts
+passwordRecoveryPrimary: number[]
+```
+
+###### Property passwordSalt
+
+PBKDF2 salt used in conjunction with the password to derive the password key.
+
+```ts
+passwordSalt: number[]
+```
+
+###### Property presentationHash
+
+Hash of the presentation key.
+
+```ts
+presentationHash: number[]
+```
+
+###### Property presentationKeyEncrypted
+
+A copy of the presentation key encrypted with the privileged key.
+
+```ts
+presentationKeyEncrypted: number[]
+```
+
+###### Property presentationRecoveryPrimary
+
+Primary key encrypted by the XOR of the presentation and recovery keys.
+
+```ts
+presentationRecoveryPrimary: number[]
+```
+
+###### Property presentationRecoveryPrivileged
+
+Privileged key encrypted by the XOR of the presentation and recovery keys.
+
+```ts
+presentationRecoveryPrivileged: number[]
+```
+
+###### Property recoveryHash
+
+Hash of the recovery key.
+
+```ts
+recoveryHash: number[]
+```
+
+###### Property recoveryKeyEncrypted
+
+A copy of the recovery key encrypted with the privileged key.
+
+```ts
+recoveryKeyEncrypted: number[]
+```
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Interface: UMPTokenInteractor
+
+Describes a system capable of finding and updating UMP tokens on the blockchain.
+
+```ts
+export interface UMPTokenInteractor {
+    findByPresentationKeyHash: (hash: number[]) => Promise<UMPToken | undefined>;
+    findByRecoveryKeyHash: (hash: number[]) => Promise<UMPToken | undefined>;
+    buildAndSend: (wallet: WalletInterface, adminOriginator: OriginatorDomainNameStringUnder250Bytes, token: UMPToken, oldTokenToConsume?: UMPToken) => Promise<OutpointString>;
+}
+```
+
+See also: [UMPToken](./client.md#interface-umptoken)
+
+###### Property buildAndSend
+
+Creates (and optionally consumes the previous version of) a UMP token on-chain.
+
+```ts
+buildAndSend: (wallet: WalletInterface, adminOriginator: OriginatorDomainNameStringUnder250Bytes, token: UMPToken, oldTokenToConsume?: UMPToken) => Promise<OutpointString>
+```
+See also: [UMPToken](./client.md#interface-umptoken)
+
+###### Property findByPresentationKeyHash
+
+Locates the latest valid copy of a UMP token (including its outpoint)
+based on the presentation key hash.
+
+```ts
+findByPresentationKeyHash: (hash: number[]) => Promise<UMPToken | undefined>
+```
+See also: [UMPToken](./client.md#interface-umptoken)
+
+###### Property findByRecoveryKeyHash
+
+Locates the latest valid copy of a UMP token (including its outpoint)
+based on the recovery key hash.
+
+```ts
+findByRecoveryKeyHash: (hash: number[]) => Promise<UMPToken | undefined>
+```
+See also: [UMPToken](./client.md#interface-umptoken)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Interface: UpdateProvenTxReqWithNewProvenTxArgs
 
@@ -3624,10 +3958,31 @@ export interface WalletArgs {
     services?: sdk.WalletServices;
     monitor?: Monitor;
     privilegedKeyManager?: sdk.PrivilegedKeyManager;
+    settingsManager?: WalletSettingsManager;
+    lookupResolver?: LookupResolver;
+}
+```
+
+See also: [Chain](./client.md#type-chain), [Monitor](./monitor.md#class-monitor), [PrivilegedKeyManager](./client.md#class-privilegedkeymanager), [WalletServices](./client.md#interface-walletservices), [WalletSettingsManager](./client.md#class-walletsettingsmanager), [WalletStorageManager](./storage.md#class-walletstoragemanager)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Interface: WalletPermissionsManagerCallbacks
+
+The set of callbacks that external code can bind to, e.g. to display UI prompts or logs
+when a permission is requested.
+
+```ts
+export interface WalletPermissionsManagerCallbacks {
+    onProtocolPermissionRequested?: PermissionEventHandler[];
+    onBasketAccessRequested?: PermissionEventHandler[];
+    onCertificateAccessRequested?: PermissionEventHandler[];
+    onSpendingAuthorizationRequested?: PermissionEventHandler[];
 }
 ```
 
-See also: [Chain](./client.md#type-chain), [Monitor](./monitor.md#class-monitor), [PrivilegedKeyManager](./client.md#class-privilegedkeymanager), [WalletServices](./client.md#interface-walletservices), [WalletStorageManager](./storage.md#class-walletstoragemanager)
+See also: [PermissionEventHandler](./client.md#type-permissioneventhandler)
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
@@ -3851,7 +4206,34 @@ export interface WalletServicesOptions {
 }
 ```
 
-See also: [ArcConfig](./services.md#interface-arcconfig), [BsvExchangeRate](./client.md#interface-bsvexchangerate), [Chain](./client.md#type-chain), [FiatExchangeRates](./client.md#interface-fiatexchangerates)
+See also: [ArcConfig](./services.md#interface-arcconfig), [BsvExchangeRate](./client.md#interface-bsvexchangerate), [Chain](./client.md#type-chain), [FiatExchangeRates](./client.md#interface-fiatexchangerates)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Interface: WalletSettings
+
+```ts
+export interface WalletSettings {
+    trustSettings: TrustSettings;
+    theme?: WalletTheme;
+}
+```
+
+See also: [TrustSettings](./client.md#interface-trustsettings), [WalletTheme](./client.md#interface-wallettheme)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Interface: WalletSettingsManagerConfig
+
+```ts
+export interface WalletSettingsManagerConfig {
+    defaultSettings: WalletSettings;
+}
+```
+
+See also: [WalletSettings](./client.md#interface-walletsettings)
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
@@ -4019,6 +4401,17 @@ See also: [AuthId](./client.md#interface-authid), [StorageCreateActionResult](./
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Interface: WalletTheme
+
+```ts
+export interface WalletTheme {
+    mode: string;
+}
+```
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Interface: XValidCreateActionOutput
 
@@ -4041,25 +4434,28 @@ Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](
 
 | | | |
 | --- | --- | --- |
-| [ARC](#class-arc) | [PrivilegedKeyManager](#class-privilegedkeymanager) | [WERR_BAD_REQUEST](#class-werr_bad_request) |
-| [CertOps](#class-certops) | [ScriptTemplateBRC29](#class-scripttemplatebrc29) | [WERR_BROADCAST_UNAVAILABLE](#class-werr_broadcast_unavailable) |
-| [EntityBase](#class-entitybase) | [SdkWhatsOnChain](#class-sdkwhatsonchain) | [WERR_INSUFFICIENT_FUNDS](#class-werr_insufficient_funds) |
-| [EntityCertificate](#class-entitycertificate) | [ServiceCollection](#class-servicecollection) | [WERR_INTERNAL](#class-werr_internal) |
-| [EntityCertificateField](#class-entitycertificatefield) | [Services](#class-services) | [WERR_INVALID_OPERATION](#class-werr_invalid_operation) |
-| [EntityCommission](#class-entitycommission) | [SetupClient](#class-setupclient) | [WERR_INVALID_PARAMETER](#class-werr_invalid_parameter) |
-| [EntityOutput](#class-entityoutput) | [StorageClient](#class-storageclient) | [WERR_INVALID_PUBLIC_KEY](#class-werr_invalid_public_key) |
-| [EntityOutputBasket](#class-entityoutputbasket) | [StorageProvider](#class-storageprovider) | [WERR_MISSING_PARAMETER](#class-werr_missing_parameter) |
-| [EntityOutputTag](#class-entityoutputtag) | [StorageReader](#class-storagereader) | [WERR_NETWORK_CHAIN](#class-werr_network_chain) |
-| [EntityOutputTagMap](#class-entityoutputtagmap) | [StorageReaderWriter](#class-storagereaderwriter) | [WERR_NOT_ACTIVE](#class-werr_not_active) |
-| [EntityProvenTx](#class-entityproventx) | [StorageSyncReader](#class-storagesyncreader) | [WERR_NOT_IMPLEMENTED](#class-werr_not_implemented) |
-| [EntityProvenTxReq](#class-entityproventxreq) | [TaskCheckForProofs](#class-taskcheckforproofs) | [WERR_UNAUTHORIZED](#class-werr_unauthorized) |
-| [EntitySyncState](#class-entitysyncstate) | [TaskClock](#class-taskclock) | [Wallet](#class-wallet) |
-| [EntityTransaction](#class-entitytransaction) | [TaskFailAbandoned](#class-taskfailabandoned) | [WalletError](#class-walleterror) |
-| [EntityTxLabel](#class-entitytxlabel) | [TaskNewHeader](#class-tasknewheader) | [WalletMonitorTask](#class-walletmonitortask) |
-| [EntityTxLabelMap](#class-entitytxlabelmap) | [TaskPurge](#class-taskpurge) | [WalletSigner](#class-walletsigner) |
-| [EntityUser](#class-entityuser) | [TaskReviewStatus](#class-taskreviewstatus) | [WalletStorageManager](#class-walletstoragemanager) |
-| [MergeEntity](#class-mergeentity) | [TaskSendWaiting](#class-tasksendwaiting) | [WhatsOnChain](#class-whatsonchain) |
-| [Monitor](#class-monitor) | [TaskSyncWhenIdle](#class-tasksyncwhenidle) |  |
+| [ARC](#class-arc) | [PersonaIDInteractor](#class-personaidinteractor) | [WERR_BAD_REQUEST](#class-werr_bad_request) |
+| [AuthMethodInteractor](#class-authmethodinteractor) | [PrivilegedKeyManager](#class-privilegedkeymanager) | [WERR_BROADCAST_UNAVAILABLE](#class-werr_broadcast_unavailable) |
+| [CWIStyleWalletManager](#class-cwistylewalletmanager) | [ScriptTemplateBRC29](#class-scripttemplatebrc29) | [WERR_INSUFFICIENT_FUNDS](#class-werr_insufficient_funds) |
+| [CertOps](#class-certops) | [SdkWhatsOnChain](#class-sdkwhatsonchain) | [WERR_INTERNAL](#class-werr_internal) |
+| [EntityBase](#class-entitybase) | [ServiceCollection](#class-servicecollection) | [WERR_INVALID_OPERATION](#class-werr_invalid_operation) |
+| [EntityCertificate](#class-entitycertificate) | [Services](#class-services) | [WERR_INVALID_PARAMETER](#class-werr_invalid_parameter) |
+| [EntityCertificateField](#class-entitycertificatefield) | [SimpleWalletManager](#class-simplewalletmanager) | [WERR_INVALID_PUBLIC_KEY](#class-werr_invalid_public_key) |
+| [EntityCommission](#class-entitycommission) | [StorageClient](#class-storageclient) | [WERR_MISSING_PARAMETER](#class-werr_missing_parameter) |
+| [EntityOutput](#class-entityoutput) | [StorageProvider](#class-storageprovider) | [WERR_NETWORK_CHAIN](#class-werr_network_chain) |
+| [EntityOutputBasket](#class-entityoutputbasket) | [StorageReader](#class-storagereader) | [WERR_NOT_ACTIVE](#class-werr_not_active) |
+| [EntityOutputTag](#class-entityoutputtag) | [StorageReaderWriter](#class-storagereaderwriter) | [WERR_NOT_IMPLEMENTED](#class-werr_not_implemented) |
+| [EntityOutputTagMap](#class-entityoutputtagmap) | [StorageSyncReader](#class-storagesyncreader) | [WERR_UNAUTHORIZED](#class-werr_unauthorized) |
+| [EntityProvenTx](#class-entityproventx) | [TaskCheckForProofs](#class-taskcheckforproofs) | [Wallet](#class-wallet) |
+| [EntityProvenTxReq](#class-entityproventxreq) | [TaskClock](#class-taskclock) | [WalletAuthenticationManager](#class-walletauthenticationmanager) |
+| [EntitySyncState](#class-entitysyncstate) | [TaskFailAbandoned](#class-taskfailabandoned) | [WalletError](#class-walleterror) |
+| [EntityTransaction](#class-entitytransaction) | [TaskNewHeader](#class-tasknewheader) | [WalletMonitorTask](#class-walletmonitortask) |
+| [EntityTxLabel](#class-entitytxlabel) | [TaskPurge](#class-taskpurge) | [WalletPermissionsManager](#class-walletpermissionsmanager) |
+| [EntityTxLabelMap](#class-entitytxlabelmap) | [TaskReviewStatus](#class-taskreviewstatus) | [WalletSettingsManager](#class-walletsettingsmanager) |
+| [EntityUser](#class-entityuser) | [TaskSendWaiting](#class-tasksendwaiting) | [WalletSigner](#class-walletsigner) |
+| [MergeEntity](#class-mergeentity) | [TaskSyncWhenIdle](#class-tasksyncwhenidle) | [WalletStorageManager](#class-walletstoragemanager) |
+| [Monitor](#class-monitor) | [TwilioPhoneInteractor](#class-twiliophoneinteractor) | [WhatsOnChain](#class-whatsonchain) |
+| [OverlayUMPTokenInteractor](#class-overlayumptokeninteractor) | [WABClient](#class-wabclient) |  |
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
@@ -4157,6 +4553,304 @@ See also: [PostTxResultForTxid](./client.md#interface-posttxresultfortxid)
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Class: AuthMethodInteractor
+
+Abstract client-side interactor for an Auth Method
+
+```ts
+export abstract class AuthMethodInteractor {
+    public abstract methodType: string;
+    public abstract startAuth(serverUrl: string, presentationKey: string, payload: AuthPayload): Promise<StartAuthResponse>;
+    public abstract completeAuth(serverUrl: string, presentationKey: string, payload: AuthPayload): Promise<CompleteAuthResponse>;
+}
+```
+
+See also: [AuthPayload](./client.md#interface-authpayload), [CompleteAuthResponse](./client.md#interface-completeauthresponse), [StartAuthResponse](./client.md#interface-startauthresponse)
+
+###### Method completeAuth
+
+Complete the flow (e.g. confirm OTP).
+
+```ts
+public abstract completeAuth(serverUrl: string, presentationKey: string, payload: AuthPayload): Promise<CompleteAuthResponse>
+```
+See also: [AuthPayload](./client.md#interface-authpayload), [CompleteAuthResponse](./client.md#interface-completeauthresponse)
+
+###### Method startAuth
+
+Start the flow (e.g. request an OTP or create a session).
+
+```ts
+public abstract startAuth(serverUrl: string, presentationKey: string, payload: AuthPayload): Promise<StartAuthResponse>
+```
+See also: [AuthPayload](./client.md#interface-authpayload), [StartAuthResponse](./client.md#interface-startauthresponse)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Class: CWIStyleWalletManager
+
+Manages a "CWI-style" wallet that uses a UMP token and a
+multi-key authentication scheme (password, presentation key, and recovery key).
+
+```ts
+export class CWIStyleWalletManager implements WalletInterface {
+    authenticated: boolean;
+    authenticationMode: "presentation-key-and-password" | "presentation-key-and-recovery-key" | "recovery-key-and-password" = "presentation-key-and-password";
+    authenticationFlow: "new-user" | "existing-user" = "new-user";
+    constructor(adminOriginator: OriginatorDomainNameStringUnder250Bytes, walletBuilder: (primaryKey: number[], privilegedKeyManager: PrivilegedKeyManager) => Promise<WalletInterface>, interactor: UMPTokenInteractor = new OverlayUMPTokenInteractor(), recoveryKeySaver: (key: number[]) => Promise<true>, passwordRetriever: (reason: string, test: (passwordCandidate: string) => boolean) => Promise<string>, newWalletFunder?: (presentationKey: number[], wallet: WalletInterface, adminOriginator: OriginatorDomainNameStringUnder250Bytes) => Promise<void>, stateSnapshot?: number[]) 
+    async providePresentationKey(key: number[]): Promise<void> 
+    async providePassword(password: string): Promise<void> 
+    async provideRecoveryKey(recoveryKey: number[]): Promise<void> 
+    saveSnapshot(): number[] 
+    async loadSnapshot(snapshot: number[]): Promise<void> 
+    destroy(): void 
+    async changePassword(newPassword: string): Promise<void> 
+    async changeRecoveryKey(): Promise<void> 
+    async changePresentationKey(presentationKey: number[]): Promise<void> 
+    async getPublicKey(args: GetPublicKeyArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<GetPublicKeyResult> 
+    async revealCounterpartyKeyLinkage(args: RevealCounterpartyKeyLinkageArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<RevealCounterpartyKeyLinkageResult> 
+    async revealSpecificKeyLinkage(args: RevealSpecificKeyLinkageArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<RevealSpecificKeyLinkageResult> 
+    async encrypt(args: WalletEncryptArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<WalletEncryptResult> 
+    async decrypt(args: WalletDecryptArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<WalletDecryptResult> 
+    async createHmac(args: CreateHmacArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<CreateHmacResult> 
+    async verifyHmac(args: VerifyHmacArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<VerifyHmacResult> 
+    async createSignature(args: CreateSignatureArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<CreateSignatureResult> 
+    async verifySignature(args: VerifySignatureArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<VerifySignatureResult> 
+    async createAction(args: CreateActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<CreateActionResult> 
+    async signAction(args: SignActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<SignActionResult> 
+    async abortAction(args: AbortActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<AbortActionResult> 
+    async listActions(args: ListActionsArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<ListActionsResult> 
+    async internalizeAction(args: InternalizeActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<InternalizeActionResult> 
+    async listOutputs(args: ListOutputsArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<ListOutputsResult> 
+    async relinquishOutput(args: RelinquishOutputArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<RelinquishOutputResult> 
+    async acquireCertificate(args: AcquireCertificateArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<AcquireCertificateResult> 
+    async listCertificates(args: ListCertificatesArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<ListCertificatesResult> 
+    async proveCertificate(args: ProveCertificateArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<ProveCertificateResult> 
+    async relinquishCertificate(args: RelinquishCertificateArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<RelinquishCertificateResult> 
+    async discoverByIdentityKey(args: DiscoverByIdentityKeyArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<DiscoverCertificatesResult> 
+    async discoverByAttributes(args: DiscoverByAttributesArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<DiscoverCertificatesResult> 
+    async isAuthenticated(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<AuthenticatedResult> 
+    async waitForAuthentication(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<AuthenticatedResult> 
+    async getHeight(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<GetHeightResult> 
+    async getHeaderForHeight(args: GetHeaderArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<GetHeaderResult> 
+    async getNetwork(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<GetNetworkResult> 
+    async getVersion(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<GetVersionResult> 
+}
+```
+
+See also: [OverlayUMPTokenInteractor](./client.md#class-overlayumptokeninteractor), [PrivilegedKeyManager](./client.md#class-privilegedkeymanager), [UMPTokenInteractor](./client.md#interface-umptokeninteractor), [createAction](./storage.md#function-createaction), [internalizeAction](./storage.md#function-internalizeaction), [listActions](./storage.md#function-listactions), [listCertificates](./storage.md#function-listcertificates), [listOutputs](./storage.md#function-listoutputs), [proveCertificate](./client.md#function-provecertificate), [signAction](./client.md#function-signaction)
+
+###### Constructor
+
+Constructs a new CWIStyleWalletManager.
+
+```ts
+constructor(adminOriginator: OriginatorDomainNameStringUnder250Bytes, walletBuilder: (primaryKey: number[], privilegedKeyManager: PrivilegedKeyManager) => Promise<WalletInterface>, interactor: UMPTokenInteractor = new OverlayUMPTokenInteractor(), recoveryKeySaver: (key: number[]) => Promise<true>, passwordRetriever: (reason: string, test: (passwordCandidate: string) => boolean) => Promise<string>, newWalletFunder?: (presentationKey: number[], wallet: WalletInterface, adminOriginator: OriginatorDomainNameStringUnder250Bytes) => Promise<void>, stateSnapshot?: number[]) 
+```
+See also: [OverlayUMPTokenInteractor](./client.md#class-overlayumptokeninteractor), [PrivilegedKeyManager](./client.md#class-privilegedkeymanager), [UMPTokenInteractor](./client.md#interface-umptokeninteractor)
+
+Argument Details
+
++ **adminOriginator**
+  + The domain name of the administrative originator.
++ **walletBuilder**
+  + A function that can build an underlying wallet instance
+from a primary key and a privileged key manager
++ **interactor**
+  + An instance of UMPTokenInteractor capable of managing UMP tokens.
++ **recoveryKeySaver**
+  + A function that can persist or display a newly generated recovery key.
++ **passwordRetriever**
+  + A function to request the user's password, given a reason and a test function.
++ **newWalletFunder**
+  + An optional function called with the presentation key and a new Wallet post-construction to fund it before use.
++ **stateSnapshot**
+  + If provided, a previously saved snapshot of the wallet's state.
+
+###### Property authenticated
+
+Whether the user is currently authenticated.
+
+```ts
+authenticated: boolean
+```
+
+###### Property authenticationFlow
+
+Indicates whether this is a new user or an existing user flow:
+ - 'new-user'
+ - 'existing-user'
+
+```ts
+authenticationFlow: "new-user" | "existing-user" = "new-user"
+```
+
+###### Property authenticationMode
+
+The current mode of authentication:
+ - 'presentation-key-and-password'
+ - 'presentation-key-and-recovery-key'
+ - 'recovery-key-and-password'
+
+```ts
+authenticationMode: "presentation-key-and-password" | "presentation-key-and-recovery-key" | "recovery-key-and-password" = "presentation-key-and-password"
+```
+
+###### Method changePassword
+
+Changes the user's password, re-wrapping the primary and privileged keys with the new password factor.
+
+```ts
+async changePassword(newPassword: string): Promise<void> 
+```
+
+Argument Details
+
++ **newPassword**
+  + The user's new password as a string.
+
+Throws
+
+If the user is not authenticated, or if underlying token references are missing.
+
+###### Method changePresentationKey
+
+Changes the user's presentation key.
+
+```ts
+async changePresentationKey(presentationKey: number[]): Promise<void> 
+```
+
+Argument Details
+
++ **presentationKey**
+  + The new presentation key (32 bytes).
+
+Throws
+
+If the user is not authenticated, or if underlying token references are missing.
+
+###### Method changeRecoveryKey
+
+Changes the user's recovery key, prompting the user to save the new key.
+
+```ts
+async changeRecoveryKey(): Promise<void> 
+```
+
+Throws
+
+If the user is not authenticated, or if underlying token references are missing.
+
+###### Method destroy
+
+Destroys the underlying wallet, returning to a default state
+
+```ts
+destroy(): void 
+```
+
+###### Method loadSnapshot
+
+Loads a previously saved state snapshot (e.g. from `saveSnapshot`).
+Upon success, the wallet becomes authenticated without needing to re-enter keys.
+
+```ts
+async loadSnapshot(snapshot: number[]): Promise<void> 
+```
+
+Argument Details
+
++ **snapshot**
+  + An array of bytes that was previously produced by `saveSnapshot`.
+
+Throws
+
+If the snapshot format is invalid or decryption fails.
+
+###### Method providePassword
+
+Provides the password in an authentication mode that requires it.
+
+- **Existing user**:
+  Decrypts the primary key using the provided password (and either the presentation key or recovery key, depending on the mode).
+  Then builds the underlying wallet, marking the user as authenticated.
+
+- **New user**:
+  Generates a new UMP token with fresh keys (primary, privileged, recovery). Publishes it on-chain and builds the wallet.
+
+```ts
+async providePassword(password: string): Promise<void> 
+```
+
+Argument Details
+
++ **password**
+  + The user's password as a string.
+
+Throws
+
+If the user is already authenticated, if the mode does not use a password, or if required keys are missing.
+
+###### Method providePresentationKey
+
+Provides the presentation key in an authentication mode that requires it.
+If a UMP token is found based on the key's hash, this is an existing-user flow.
+Otherwise, it is treated as a new-user flow.
+
+```ts
+async providePresentationKey(key: number[]): Promise<void> 
+```
+
+Argument Details
+
++ **key**
+  + The user's presentation key (32 bytes).
+
+Throws
+
+if user is already authenticated, or if the current mode does not require a presentation key.
+
+###### Method provideRecoveryKey
+
+Provides the recovery key in an authentication flow that requires it.
+
+```ts
+async provideRecoveryKey(recoveryKey: number[]): Promise<void> 
+```
+
+Argument Details
+
++ **recoveryKey**
+  + The user's recovery key (32 bytes).
+
+Throws
+
+if user is already authenticated, if the mode does not use a recovery key,
+or if a required presentation key is missing in "presentation-key-and-recovery-key" mode.
+
+###### Method saveSnapshot
+
+Saves the current wallet state (including the current UMP token and primary key)
+into an encrypted snapshot. This snapshot can be stored locally and later passed
+to `loadSnapshot` to restore the wallet state without re-authenticating manually.
+
+```ts
+saveSnapshot(): number[] 
+```
+
+Returns
+
+An array of bytes representing the encrypted snapshot.
+
+Throws
+
+if no primary key or token is currently set.
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Class: CertOps
 
@@ -5285,48 +5979,159 @@ See also: [WalletMonitorTask](./monitor.md#class-walletmonitortask)
 
 ###### Method addDefaultTasks
 
-Default tasks with settings appropriate for a single user storage
-possibly with sync'ing enabled
+Default tasks with settings appropriate for a single user storage
+possibly with sync'ing enabled
+
+```ts
+addDefaultTasks(): void 
+```
+
+###### Method addMultiUserTasks
+
+Tasks appropriate for multi-user storage
+without sync'ing enabled.
+
+```ts
+addMultiUserTasks(): void 
+```
+
+###### Method processNewBlockHeader
+
+Process new chain header event received from Chaintracks
+
+Kicks processing 'unconfirmed' and 'unmined' request processing.
+
+```ts
+processNewBlockHeader(header: BlockHeader): void 
+```
+See also: [BlockHeader](./client.md#interface-blockheader)
+
+###### Method processReorg
+
+Process reorg event received from Chaintracks
+
+Reorgs can move recent transactions to new blocks at new index positions.
+Affected transaction proofs become invalid and must be updated.
+
+It is possible for a transaction to become invalid.
+
+Coinbase transactions always become invalid.
+
+```ts
+processReorg(depth: number, oldTip: BlockHeader, newTip: BlockHeader): void 
+```
+See also: [BlockHeader](./client.md#interface-blockheader)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Class: OverlayUMPTokenInteractor
+
+```ts
+export class OverlayUMPTokenInteractor implements UMPTokenInteractor {
+    constructor(resolver: LookupResolver = new LookupResolver(), broadcaster: SHIPBroadcaster = new SHIPBroadcaster(["tm_users"])) 
+    public async findByPresentationKeyHash(hash: number[]): Promise<UMPToken | undefined> 
+    public async findByRecoveryKeyHash(hash: number[]): Promise<UMPToken | undefined> 
+    public async buildAndSend(wallet: WalletInterface, adminOriginator: OriginatorDomainNameStringUnder250Bytes, token: UMPToken, oldTokenToConsume?: UMPToken): Promise<OutpointString> 
+}
+```
+
+See also: [UMPToken](./client.md#interface-umptoken), [UMPTokenInteractor](./client.md#interface-umptokeninteractor)
+
+###### Constructor
+
+Construct a new OverlayUMPTokenInteractor.
+
+```ts
+constructor(resolver: LookupResolver = new LookupResolver(), broadcaster: SHIPBroadcaster = new SHIPBroadcaster(["tm_users"])) 
+```
+
+Argument Details
+
++ **resolver**
+  + A LookupResolver instance for performing overlay queries (ls_users).
++ **broadcaster**
+  + A SHIPBroadcaster instance for sharing new or updated tokens across the `tm_users` overlay.
+
+###### Method buildAndSend
+
+Creates or updates (replaces) a UMP token on-chain. If `oldTokenToConsume` is provided,
+it is spent in the same transaction that creates the new token output. The new token is
+then broadcast and published under the `tm_users` topic using a SHIP broadcast, ensuring
+overlay participants see the updated token.
+
+```ts
+public async buildAndSend(wallet: WalletInterface, adminOriginator: OriginatorDomainNameStringUnder250Bytes, token: UMPToken, oldTokenToConsume?: UMPToken): Promise<OutpointString> 
+```
+See also: [UMPToken](./client.md#interface-umptoken)
+
+Returns
+
+The outpoint of the newly created UMP token (e.g. "abcd1234...ef.0").
+
+Argument Details
+
++ **wallet**
+  + The wallet used to build and sign the transaction.
++ **adminOriginator**
+  + The domain/FQDN of the administrative originator (wallet operator).
++ **token**
+  + The new UMPToken to create on-chain.
++ **oldTokenToConsume**
+  + Optionally, an existing token to consume/spend in the same transaction.
+
+###### Method findByPresentationKeyHash
+
+Finds a UMP token on-chain by the given presentation key hash, if it exists.
+Uses the ls_users overlay service to perform the lookup.
 
 ```ts
-addDefaultTasks(): void 
+public async findByPresentationKeyHash(hash: number[]): Promise<UMPToken | undefined> 
 ```
+See also: [UMPToken](./client.md#interface-umptoken)
 
-###### Method addMultiUserTasks
+Returns
 
-Tasks appropriate for multi-user storage
-without sync'ing enabled.
+A UMPToken object (including currentOutpoint) if found, otherwise undefined.
 
-```ts
-addMultiUserTasks(): void 
-```
+Argument Details
 
-###### Method processNewBlockHeader
++ **hash**
+  + The 32-byte SHA-256 hash of the presentation key.
 
-Process new chain header event received from Chaintracks
+###### Method findByRecoveryKeyHash
 
-Kicks processing 'unconfirmed' and 'unmined' request processing.
+Finds a UMP token on-chain by the given recovery key hash, if it exists.
+Uses the ls_users overlay service to perform the lookup.
 
 ```ts
-processNewBlockHeader(header: BlockHeader): void 
+public async findByRecoveryKeyHash(hash: number[]): Promise<UMPToken | undefined> 
 ```
-See also: [BlockHeader](./client.md#interface-blockheader)
+See also: [UMPToken](./client.md#interface-umptoken)
 
-###### Method processReorg
+Returns
 
-Process reorg event received from Chaintracks
+A UMPToken object (including currentOutpoint) if found, otherwise undefined.
 
-Reorgs can move recent transactions to new blocks at new index positions.
-Affected transaction proofs become invalid and must be updated.
+Argument Details
 
-It is possible for a transaction to become invalid.
++ **hash**
+  + The 32-byte SHA-256 hash of the recovery key.
 
-Coinbase transactions always become invalid.
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Class: PersonaIDInteractor
 
 ```ts
-processReorg(depth: number, oldTip: BlockHeader, newTip: BlockHeader): void 
+export class PersonaIDInteractor extends AuthMethodInteractor {
+    public methodType = "PersonaID";
+    public async startAuth(serverUrl: string, presentationKey: string, payload: AuthPayload): Promise<StartAuthResponse> 
+    public async completeAuth(serverUrl: string, presentationKey: string, payload: AuthPayload): Promise<CompleteAuthResponse> 
+}
 ```
-See also: [BlockHeader](./client.md#interface-blockheader)
+
+See also: [AuthMethodInteractor](./client.md#class-authmethodinteractor), [AuthPayload](./client.md#interface-authpayload), [CompleteAuthResponse](./client.md#interface-completeauthresponse), [StartAuthResponse](./client.md#interface-startauthresponse)
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
@@ -5526,377 +6331,224 @@ See also: [ARC](./services.md#class-arc), [BlockHeader](./client.md#interface-bl
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
 ---
-##### Class: SetupClient
-
-The `SetupClient` class provides static setup functions to construct BRC-100 compatible
-wallets in a variety of configurations.
-
-It serves as a starting point for experimentation and customization.
-
-`SetupClient` references only browser compatible code including storage via `StorageClient`.
-`Setup` extends `SetupClient` adding database storage via `Knex` and `StorageKnex`.
-
-```ts
-export abstract class SetupClient {
-    static noEnv(chain: sdk.Chain): boolean 
-    static makeEnv(): string {
-        const testPrivKey1 = PrivateKey.fromRandom();
-        const testIdentityKey1 = testPrivKey1.toPublicKey().toString();
-        const testPrivKey2 = PrivateKey.fromRandom();
-        const testIdentityKey2 = testPrivKey2.toPublicKey().toString();
-        const mainPrivKey1 = PrivateKey.fromRandom();
-        const mainIdentityKey1 = mainPrivKey1.toPublicKey().toString();
-        const mainPrivKey2 = PrivateKey.fromRandom();
-        const mainIdentityKey2 = mainPrivKey2.toPublicKey().toString();
-        const log = `
-# .env file template for working with wallet-toolbox Setup functions.
-MY_TEST_IDENTITY = '${testIdentityKey1}'
-MY_TEST_IDENTITY2 = '${testIdentityKey2}'
-MY_MAIN_IDENTITY = '${mainIdentityKey1}'
-MY_MAIN_IDENTITY2 = '${mainIdentityKey2}'
-MAIN_TAAL_API_KEY='mainnet_9596de07e92300c6287e4393594ae39c'
-TEST_TAAL_API_KEY='testnet_0e6cf72133b43ea2d7861da2a38684e3'
-MYSQL_CONNECTION='{"port":3306,"host":"127.0.0.1","user":"root","password":"your_password","database":"your_database", "timezone": "Z"}'
-DEV_KEYS = '{
-    "${testIdentityKey1}": "${testPrivKey1.toString()}",
-    "${testIdentityKey2}": "${testPrivKey2.toString()}",
-    "${mainIdentityKey1}": "${mainPrivKey1.toString()}",
-    "${mainIdentityKey2}": "${mainPrivKey2.toString()}"
-}'
-`;
-        console.log(log);
-        return log;
-    }
-    static getEnv(chain: sdk.Chain): SetupEnv {
-        const identityKey = chain === "main"
-            ? process.env.MY_MAIN_IDENTITY
-            : process.env.MY_TEST_IDENTITY;
-        const identityKey2 = chain === "main"
-            ? process.env.MY_MAIN_IDENTITY2
-            : process.env.MY_TEST_IDENTITY2;
-        const filePath = chain === "main"
-            ? process.env.MY_MAIN_FILEPATH
-            : process.env.MY_TEST_FILEPATH;
-        const DEV_KEYS = process.env.DEV_KEYS || "{}";
-        const mySQLConnection = process.env.MYSQL_CONNECTION || "{}";
-        const taalApiKey = verifyTruthy(chain === "main"
-            ? process.env.MAIN_TAAL_API_KEY
-            : process.env.TEST_TAAL_API_KEY, `.env value for '${chain.toUpperCase()}_TAAL_API_KEY' is required.`);
-        if (!identityKey || !identityKey2)
-            throw new sdk.WERR_INVALID_OPERATION(".env is not a valid SetupEnv configuration.");
-        return {
-            chain,
-            identityKey,
-            identityKey2,
-            filePath,
-            taalApiKey,
-            devKeys: JSON.parse(DEV_KEYS) as Record<string, string>,
-            mySQLConnection
-        };
-    }
-    static async createWallet(args: SetupWalletArgs): Promise<SetupWallet> {
-        const chain = args.env.chain;
-        args.rootKeyHex ||= args.env.devKeys[args.env.identityKey];
-        const rootKey = PrivateKey.fromHex(args.rootKeyHex);
-        const identityKey = rootKey.toPublicKey().toString();
-        const keyDeriver = new KeyDeriver(rootKey);
-        const storage = new WalletStorageManager(identityKey, args.active, args.backups);
-        if (storage.stores.length > 0)
-            await storage.makeAvailable();
-        const serviceOptions = Services.createDefaultOptions(chain);
-        serviceOptions.taalApiKey = args.env.taalApiKey;
-        const services = new Services(serviceOptions);
-        const monopts = Monitor.createDefaultWalletMonitorOptions(chain, storage, services);
-        const monitor = new Monitor(monopts);
-        monitor.addDefaultTasks();
-        const privilegedKeyManager = args.privilegedKeyGetter
-            ? new sdk.PrivilegedKeyManager(args.privilegedKeyGetter)
-            : undefined;
-        const wallet = new Wallet({
-            chain,
-            keyDeriver,
-            storage,
-            services,
-            monitor,
-            privilegedKeyManager
-        });
-        const r: SetupWallet = {
-            rootKey,
-            identityKey,
-            keyDeriver,
-            chain,
-            storage,
-            services,
-            monitor,
-            wallet
-        };
-        return r;
-    }
-    static async createWalletClientNoEnv(args: {
-        chain: sdk.Chain;
-        rootKeyHex: string;
-        storageUrl?: string;
-        privilegedKeyGetter?: () => Promise<PrivateKey>;
-    }): Promise<Wallet> 
-    static async createWalletClient(args: SetupWalletClientArgs): Promise<SetupWalletClient> {
-        const wo = await SetupClient.createWallet(args);
-        const endpointUrl = args.endpointUrl ||
-            `https://${args.env.chain !== "main" ? "staging-" : ""}storage.babbage.systems`;
-        const client = new StorageClient(wo.wallet, endpointUrl);
-        await wo.storage.addWalletStorageProvider(client);
-        await wo.storage.makeAvailable();
-        return {
-            ...wo,
-            endpointUrl
-        };
-    }
-    static getKeyPair(priv?: string | PrivateKey): KeyPairAddress {
-        if (priv === undefined)
-            priv = PrivateKey.fromRandom();
-        else if (typeof priv === "string")
-            priv = new PrivateKey(priv, "hex");
-        const pub = PublicKey.fromPrivateKey(priv);
-        const address = pub.toAddress();
-        return { privateKey: priv, publicKey: pub, address };
-    }
-    static getLockP2PKH(address: string): LockingScript {
-        const p2pkh = new P2PKH();
-        const lock = p2pkh.lock(address);
-        return lock;
-    }
-    static getUnlockP2PKH(priv: PrivateKey, satoshis: number): sdk.ScriptTemplateUnlock {
-        const p2pkh = new P2PKH();
-        const lock = SetupClient.getLockP2PKH(SetupClient.getKeyPair(priv).address);
-        const unlock = p2pkh.unlock(priv, "all", false, satoshis, lock);
-        return unlock;
-    }
-    static createP2PKHOutputs(outputs: {
-        address: string;
-        satoshis: number;
-        outputDescription?: string;
-        basket?: string;
-        tags?: string[];
-    }[]): CreateActionOutput[] {
-        const os: CreateActionOutput[] = [];
-        const count = outputs.length;
-        for (let i = 0; i < count; i++) {
-            const o = outputs[i];
-            os.push({
-                basket: o.basket,
-                tags: o.tags,
-                satoshis: o.satoshis,
-                lockingScript: SetupClient.getLockP2PKH(o.address).toHex(),
-                outputDescription: o.outputDescription || `p2pkh ${i}`
-            });
-        }
-        return os;
-    }
-    static async createP2PKHOutputsAction(wallet: WalletInterface, outputs: {
-        address: string;
-        satoshis: number;
-        outputDescription?: string;
-        basket?: string;
-        tags?: string[];
-    }[], options?: CreateActionOptions): Promise<{
-        cr: CreateActionResult;
-        outpoints: string[] | undefined;
-    }> {
-        const os = SetupClient.createP2PKHOutputs(outputs);
-        const createArgs: CreateActionArgs = {
-            description: `createP2PKHOutputs`,
-            outputs: os,
-            options: {
-                ...options,
-                randomizeOutputs: false
-            }
-        };
-        const cr = await wallet.createAction(createArgs);
-        let outpoints: string[] | undefined;
-        if (cr.txid) {
-            outpoints = os.map((o, i) => `${cr.txid}.${i}`);
-        }
-        return { cr, outpoints };
-    }
-    static async fundWalletFromP2PKHOutpoints(wallet: WalletInterface, outpoints: string[], p2pkhKey: KeyPairAddress, inputBEEF?: BEEF) {
-    }
-}
-```
+##### Class: SimpleWalletManager
 
-See also: [Chain](./client.md#type-chain), [KeyPairAddress](./setup.md#interface-keypairaddress), [Monitor](./monitor.md#class-monitor), [PrivilegedKeyManager](./client.md#class-privilegedkeymanager), [ScriptTemplateUnlock](./client.md#interface-scripttemplateunlock), [Services](./services.md#class-services), [Setup](./setup.md#class-setup), [SetupEnv](./setup.md#interface-setupenv), [SetupWallet](./setup.md#interface-setupwallet), [SetupWalletArgs](./setup.md#interface-setupwalletargs), [SetupWalletClient](./setup.md#interface-setupwalletclient), [SetupWalletClientArgs](./setup.md#interface-setupwalletclientargs), [StorageClient](./storage.md#class-storageclient), [WERR_INVALID_OPERATION](./client.md#class-werr_invalid_operation), [Wallet](./client.md#class-wallet), [WalletStorageManager](./storage.md#class-walletstoragemanager), [createAction](./storage.md#function-createaction), [verifyTruthy](./client.md#function-verifytruthy)
-
-###### Method createWallet
-
-Create a `Wallet`. Storage can optionally be provided or configured later.
-
-The following components are configured: KeyDeriver, WalletStorageManager, WalletService, WalletStorage.
-Optionally, PrivilegedKeyManager is also configured.
-
-```ts
-static async createWallet(args: SetupWalletArgs): Promise<SetupWallet> {
-    const chain = args.env.chain;
-    args.rootKeyHex ||= args.env.devKeys[args.env.identityKey];
-    const rootKey = PrivateKey.fromHex(args.rootKeyHex);
-    const identityKey = rootKey.toPublicKey().toString();
-    const keyDeriver = new KeyDeriver(rootKey);
-    const storage = new WalletStorageManager(identityKey, args.active, args.backups);
-    if (storage.stores.length > 0)
-        await storage.makeAvailable();
-    const serviceOptions = Services.createDefaultOptions(chain);
-    serviceOptions.taalApiKey = args.env.taalApiKey;
-    const services = new Services(serviceOptions);
-    const monopts = Monitor.createDefaultWalletMonitorOptions(chain, storage, services);
-    const monitor = new Monitor(monopts);
-    monitor.addDefaultTasks();
-    const privilegedKeyManager = args.privilegedKeyGetter
-        ? new sdk.PrivilegedKeyManager(args.privilegedKeyGetter)
-        : undefined;
-    const wallet = new Wallet({
-        chain,
-        keyDeriver,
-        storage,
-        services,
-        monitor,
-        privilegedKeyManager
-    });
-    const r: SetupWallet = {
-        rootKey,
-        identityKey,
-        keyDeriver,
-        chain,
-        storage,
-        services,
-        monitor,
-        wallet
-    };
-    return r;
+SimpleWalletManager is a slimmed-down wallet manager that only requires two things to authenticate:
+ 1. A primary key (32 bytes), which represents the core secret for the wallet.
+ 2. A privileged key manager (an instance of `PrivilegedKeyManager`), responsible for
+    more sensitive operations.
+
+Once both pieces are provided (or if a snapshot containing the primary key is loaded,
+and the privileged key manager is provided separately), the wallet becomes authenticated.
+
+After authentication, calls to the standard wallet methods (`createAction`, `signAction`, etc.)
+are proxied to an underlying `WalletInterface` instance returned by a user-supplied `walletBuilder`.
+
+**Important**: This manager does not handle user password flows, recovery, or on-chain
+token management. It is a straightforward wrapper that ensures the user has provided
+both their main secret (primary key) and a privileged key manager before allowing usage.
+
+It also prevents calls from the special "admin originator" from being used externally.
+(Any call that tries to use the admin originator as its originator, other than the manager itself,
+will result in an error, ensuring that only internal operations can use that originator.)
+
+The manager can also save and load snapshots of its state. In this simplified version,
+the snapshot only contains the primary key. If you load a snapshot, you still need to
+re-provide the privileged key manager to complete authentication.
+
+```ts
+export class SimpleWalletManager implements WalletInterface {
+    authenticated: boolean;
+    constructor(adminOriginator: OriginatorDomainNameStringUnder250Bytes, walletBuilder: (primaryKey: number[], privilegedKeyManager: PrivilegedKeyManager) => Promise<WalletInterface>, stateSnapshot?: number[]) 
+    async providePrimaryKey(key: number[]): Promise<void> 
+    async providePrivilegedKeyManager(manager: PrivilegedKeyManager): Promise<void> 
+    destroy(): void 
+    saveSnapshot(): number[] 
+    async loadSnapshot(snapshot: number[]): Promise<void> 
+    async isAuthenticated(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<AuthenticatedResult> 
+    async waitForAuthentication(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<AuthenticatedResult> 
+    async getPublicKey(args: GetPublicKeyArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<GetPublicKeyResult> 
+    async revealCounterpartyKeyLinkage(args: RevealCounterpartyKeyLinkageArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<RevealCounterpartyKeyLinkageResult> 
+    async revealSpecificKeyLinkage(args: RevealSpecificKeyLinkageArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<RevealSpecificKeyLinkageResult> 
+    async encrypt(args: WalletEncryptArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<WalletEncryptResult> 
+    async decrypt(args: WalletDecryptArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<WalletDecryptResult> 
+    async createHmac(args: CreateHmacArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<CreateHmacResult> 
+    async verifyHmac(args: VerifyHmacArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<VerifyHmacResult> 
+    async createSignature(args: CreateSignatureArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<CreateSignatureResult> 
+    async verifySignature(args: VerifySignatureArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<VerifySignatureResult> 
+    async createAction(args: CreateActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<CreateActionResult> 
+    async signAction(args: SignActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<SignActionResult> 
+    async abortAction(args: AbortActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<AbortActionResult> 
+    async listActions(args: ListActionsArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<ListActionsResult> 
+    async internalizeAction(args: InternalizeActionArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<InternalizeActionResult> 
+    async listOutputs(args: ListOutputsArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<ListOutputsResult> 
+    async relinquishOutput(args: RelinquishOutputArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<RelinquishOutputResult> 
+    async acquireCertificate(args: AcquireCertificateArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<AcquireCertificateResult> 
+    async listCertificates(args: ListCertificatesArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<ListCertificatesResult> 
+    async proveCertificate(args: ProveCertificateArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<ProveCertificateResult> 
+    async relinquishCertificate(args: RelinquishCertificateArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<RelinquishCertificateResult> 
+    async discoverByIdentityKey(args: DiscoverByIdentityKeyArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<DiscoverCertificatesResult> 
+    async discoverByAttributes(args: DiscoverByAttributesArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<DiscoverCertificatesResult> 
+    async getHeight(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<GetHeightResult> 
+    async getHeaderForHeight(args: GetHeaderArgs, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<GetHeaderResult> 
+    async getNetwork(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<GetNetworkResult> 
+    async getVersion(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<GetVersionResult> 
 }
 ```
-See also: [Monitor](./monitor.md#class-monitor), [PrivilegedKeyManager](./client.md#class-privilegedkeymanager), [Services](./services.md#class-services), [SetupWallet](./setup.md#interface-setupwallet), [SetupWalletArgs](./setup.md#interface-setupwalletargs), [Wallet](./client.md#class-wallet), [WalletStorageManager](./storage.md#class-walletstoragemanager)
 
-###### Method createWalletClientNoEnv
+See also: [PrivilegedKeyManager](./client.md#class-privilegedkeymanager), [createAction](./storage.md#function-createaction), [internalizeAction](./storage.md#function-internalizeaction), [listActions](./storage.md#function-listactions), [listCertificates](./storage.md#function-listcertificates), [listOutputs](./storage.md#function-listoutputs), [proveCertificate](./client.md#function-provecertificate), [signAction](./client.md#function-signaction)
+
+###### Constructor
 
-Setup a new `Wallet` without requiring a .env file.
+Constructs a new `SimpleWalletManager`.
 
 ```ts
-static async createWalletClientNoEnv(args: {
-    chain: sdk.Chain;
-    rootKeyHex: string;
-    storageUrl?: string;
-    privilegedKeyGetter?: () => Promise<PrivateKey>;
-}): Promise<Wallet> 
+constructor(adminOriginator: OriginatorDomainNameStringUnder250Bytes, walletBuilder: (primaryKey: number[], privilegedKeyManager: PrivilegedKeyManager) => Promise<WalletInterface>, stateSnapshot?: number[]) 
 ```
-See also: [Chain](./client.md#type-chain), [Wallet](./client.md#class-wallet)
+See also: [PrivilegedKeyManager](./client.md#class-privilegedkeymanager)
 
 Argument Details
 
-+ **args.chain**
-  + 'main' or 'test'
-+ **args.rootKeyHex**
-  + Root private key for wallet's key deriver.
-+ **args.storageUrl**
-  + Optional. `StorageClient` and `chain` compatible endpoint URL.
-+ **args.privilegedKeyGetter**
-  + Optional. Method that will return the privileged `PrivateKey`, on demand.
-
-###### Method getEnv
-
-Reads a .env file of the format created by `makeEnv`.
-
-Returns values for designated `chain`.
-
-Access private keys through the `devKeys` object: `devKeys[identityKey]`
-
-```ts
-static getEnv(chain: sdk.Chain): SetupEnv {
-    const identityKey = chain === "main"
-        ? process.env.MY_MAIN_IDENTITY
-        : process.env.MY_TEST_IDENTITY;
-    const identityKey2 = chain === "main"
-        ? process.env.MY_MAIN_IDENTITY2
-        : process.env.MY_TEST_IDENTITY2;
-    const filePath = chain === "main"
-        ? process.env.MY_MAIN_FILEPATH
-        : process.env.MY_TEST_FILEPATH;
-    const DEV_KEYS = process.env.DEV_KEYS || "{}";
-    const mySQLConnection = process.env.MYSQL_CONNECTION || "{}";
-    const taalApiKey = verifyTruthy(chain === "main"
-        ? process.env.MAIN_TAAL_API_KEY
-        : process.env.TEST_TAAL_API_KEY, `.env value for '${chain.toUpperCase()}_TAAL_API_KEY' is required.`);
-    if (!identityKey || !identityKey2)
-        throw new sdk.WERR_INVALID_OPERATION(".env is not a valid SetupEnv configuration.");
-    return {
-        chain,
-        identityKey,
-        identityKey2,
-        filePath,
-        taalApiKey,
-        devKeys: JSON.parse(DEV_KEYS) as Record<string, string>,
-        mySQLConnection
-    };
-}
++ **adminOriginator**
+  + The domain name of the administrative originator.
++ **walletBuilder**
+  + A function that, given a primary key and privileged key manager,
+returns a fully functional `WalletInterface`.
++ **stateSnapshot**
+  + If provided, a previously saved snapshot of the wallet's state.
+If the snapshot contains a primary key, it will be loaded immediately
+(though you will still need to provide a privileged key manager to authenticate).
+
+###### Property authenticated
+
+Whether the user is currently authenticated (meaning both the primary key
+and privileged key manager have been provided).
+
+```ts
+authenticated: boolean
 ```
-See also: [Chain](./client.md#type-chain), [SetupEnv](./setup.md#interface-setupenv), [WERR_INVALID_OPERATION](./client.md#class-werr_invalid_operation), [verifyTruthy](./client.md#function-verifytruthy)
 
-Returns
+###### Method destroy
+
+Destroys the underlying wallet, returning to a default (unauthenticated) state.
+
+This clears the primary key, the privileged key manager, and the `authenticated` flag.
+
+```ts
+destroy(): void 
+```
+
+###### Method isAuthenticated
 
-with configuration environment secrets used by `Setup` functions.
+Returns whether the user is currently authenticated (the wallet has a primary key
+and a privileged key manager). If not authenticated, an error is thrown.
+
+```ts
+async isAuthenticated(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<AuthenticatedResult> 
+```
 
 Argument Details
 
-+ **chain**
-  + Which chain to use: 'test' or 'main'
++ **_**
+  + Not used in this manager.
++ **originator**
+  + The originator domain, which must not be the admin originator.
 
-###### Method makeEnv
+Throws
 
-Creates content for .env file with some private keys, identity keys, sample API keys, and sample MySQL connection string.
+If not authenticated, or if the originator is the admin.
 
-Two new, random private keys are generated each time, with their associated public identity keys.
+###### Method loadSnapshot
 
-Loading secrets from a .env file is intended only for experimentation and getting started.
-Private keys should never be included directly in your source code.
+Loads a previously saved state snapshot (produced by `saveSnapshot`).
+This will restore the primary key but will **not** restore the privileged key manager
+(that must be provided separately to complete authentication).
 
 ```ts
-static makeEnv(): string {
-    const testPrivKey1 = PrivateKey.fromRandom();
-    const testIdentityKey1 = testPrivKey1.toPublicKey().toString();
-    const testPrivKey2 = PrivateKey.fromRandom();
-    const testIdentityKey2 = testPrivKey2.toPublicKey().toString();
-    const mainPrivKey1 = PrivateKey.fromRandom();
-    const mainIdentityKey1 = mainPrivKey1.toPublicKey().toString();
-    const mainPrivKey2 = PrivateKey.fromRandom();
-    const mainIdentityKey2 = mainPrivKey2.toPublicKey().toString();
-    const log = `
-# .env file template for working with wallet-toolbox Setup functions.
-MY_TEST_IDENTITY = '${testIdentityKey1}'
-MY_TEST_IDENTITY2 = '${testIdentityKey2}'
-MY_MAIN_IDENTITY = '${mainIdentityKey1}'
-MY_MAIN_IDENTITY2 = '${mainIdentityKey2}'
-MAIN_TAAL_API_KEY='mainnet_9596de07e92300c6287e4393594ae39c'
-TEST_TAAL_API_KEY='testnet_0e6cf72133b43ea2d7861da2a38684e3'
-MYSQL_CONNECTION='{"port":3306,"host":"127.0.0.1","user":"root","password":"your_password","database":"your_database", "timezone": "Z"}'
-DEV_KEYS = '{
-    "${testIdentityKey1}": "${testPrivKey1.toString()}",
-    "${testIdentityKey2}": "${testPrivKey2.toString()}",
-    "${mainIdentityKey1}": "${mainPrivKey1.toString()}",
-    "${mainIdentityKey2}": "${mainPrivKey2.toString()}"
-}'
-`;
-    console.log(log);
-    return log;
-}
+async loadSnapshot(snapshot: number[]): Promise<void> 
 ```
-See also: [Setup](./setup.md#class-setup)
 
-###### Method noEnv
+Argument Details
+
++ **snapshot**
+  + A byte array that was previously returned by `saveSnapshot`.
+
+Throws
+
+If the snapshot format is invalid or decryption fails.
+
+###### Method providePrimaryKey
+
+Provides the primary key (32 bytes) needed for authentication.
+If a privileged key manager has already been provided, we attempt to build
+the underlying wallet. Otherwise, we wait until the manager is also provided.
 
 ```ts
-static noEnv(chain: sdk.Chain): boolean 
+async providePrimaryKey(key: number[]): Promise<void> 
+```
+
+Argument Details
+
++ **key**
+  + A 32-byte primary key.
+
+###### Method providePrivilegedKeyManager
+
+Provides the privileged key manager needed for sensitive tasks.
+If a primary key has already been provided (or loaded from a snapshot),
+we attempt to build the underlying wallet. Otherwise, we wait until the key is provided.
+
+```ts
+async providePrivilegedKeyManager(manager: PrivilegedKeyManager): Promise<void> 
+```
+See also: [PrivilegedKeyManager](./client.md#class-privilegedkeymanager)
+
+Argument Details
+
++ **manager**
+  + An instance of `PrivilegedKeyManager`.
+
+###### Method saveSnapshot
+
+Saves the current wallet state (including just the primary key)
+into an encrypted snapshot. This snapshot can be stored and later
+passed to `loadSnapshot` to restore the primary key (and partially authenticate).
+
+**Note**: The snapshot does NOT include the privileged key manager.
+You must still provide that separately after loading the snapshot
+in order to complete authentication.
+
+```ts
+saveSnapshot(): number[] 
 ```
-See also: [Chain](./client.md#type-chain)
 
 Returns
 
-true if .env is not valid for chain
+A byte array representing the encrypted snapshot.
+
+Throws
+
+if no primary key is currently set.
+
+###### Method waitForAuthentication
+
+Blocks until the user is authenticated (by providing primaryKey and privileged manager).
+If not authenticated yet, it waits until that occurs.
+
+```ts
+async waitForAuthentication(_: {}, originator?: OriginatorDomainNameStringUnder250Bytes): Promise<AuthenticatedResult> 
+```
+
+Argument Details
+
++ **_**
+  + Not used in this manager.
++ **originator**
+  + The originator domain, which must not be the admin originator.
+
+Throws
+
+If the originator is the admin.
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
@@ -7120,6 +7772,158 @@ See also: [Monitor](./monitor.md#class-monitor), [WalletMonitorTask](./monitor.m
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Class: TwilioPhoneInteractor
+
+TwilioPhoneInteractor
+
+A client-side class that knows how to call the WAB server for Twilio-based phone verification.
+
+```ts
+export class TwilioPhoneInteractor extends AuthMethodInteractor {
+    public methodType = "TwilioPhone";
+    public async startAuth(serverUrl: string, presentationKey: string, payload: AuthPayload): Promise<StartAuthResponse> 
+    public async completeAuth(serverUrl: string, presentationKey: string, payload: AuthPayload): Promise<CompleteAuthResponse> 
+}
+```
+
+See also: [AuthMethodInteractor](./client.md#class-authmethodinteractor), [AuthPayload](./client.md#interface-authpayload), [CompleteAuthResponse](./client.md#interface-completeauthresponse), [StartAuthResponse](./client.md#interface-startauthresponse)
+
+###### Method completeAuth
+
+Complete the Twilio phone verification on the server.
+- The server will verify the code with Twilio Verify’s verificationChecks endpoint.
+
+```ts
+public async completeAuth(serverUrl: string, presentationKey: string, payload: AuthPayload): Promise<CompleteAuthResponse> 
+```
+See also: [AuthPayload](./client.md#interface-authpayload), [CompleteAuthResponse](./client.md#interface-completeauthresponse)
+
+Returns
+
+- { success, message, presentationKey }
+
+Argument Details
+
++ **serverUrl**
+  + The base URL of the WAB server
++ **presentationKey**
+  + The 256-bit key
++ **payload**
+  + { phoneNumber: string, otp: string } (the code that was received via SMS)
+
+###### Method startAuth
+
+Start the Twilio phone verification on the server.
+- The server will send an SMS code to the user’s phone, using Twilio Verify.
+
+```ts
+public async startAuth(serverUrl: string, presentationKey: string, payload: AuthPayload): Promise<StartAuthResponse> 
+```
+See also: [AuthPayload](./client.md#interface-authpayload), [StartAuthResponse](./client.md#interface-startauthresponse)
+
+Returns
+
+- { success, message, data }
+
+Argument Details
+
++ **serverUrl**
+  + The base URL of the WAB server (e.g. http://localhost:3000)
++ **presentationKey**
+  + The 256-bit key the client is attempting to authenticate with
++ **payload**
+  + { phoneNumber: string } (the phone number to verify)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Class: WABClient
+
+```ts
+export class WABClient {
+    constructor(private serverUrl: string) 
+    public async getInfo() 
+    public generateRandomPresentationKey(): string 
+    public async startAuthMethod(authMethod: AuthMethodInteractor, presentationKey: string, payload: any) 
+    public async completeAuthMethod(authMethod: AuthMethodInteractor, presentationKey: string, payload: any) 
+    public async listLinkedMethods(presentationKey: string) 
+    public async unlinkMethod(presentationKey: string, authMethodId: number) 
+    public async requestFaucet(presentationKey: string) 
+    public async deleteUser(presentationKey: string) 
+}
+```
+
+See also: [AuthMethodInteractor](./client.md#class-authmethodinteractor)
+
+###### Method completeAuthMethod
+
+Complete an Auth Method flow
+
+```ts
+public async completeAuthMethod(authMethod: AuthMethodInteractor, presentationKey: string, payload: any) 
+```
+See also: [AuthMethodInteractor](./client.md#class-authmethodinteractor)
+
+###### Method deleteUser
+
+Delete user
+
+```ts
+public async deleteUser(presentationKey: string) 
+```
+
+###### Method generateRandomPresentationKey
+
+Generate a random 256-bit presentation key as a hex string (client side).
+
+```ts
+public generateRandomPresentationKey(): string 
+```
+
+###### Method getInfo
+
+Return the WAB server info
+
+```ts
+public async getInfo() 
+```
+
+###### Method listLinkedMethods
+
+List user-linked methods
+
+```ts
+public async listLinkedMethods(presentationKey: string) 
+```
+
+###### Method requestFaucet
+
+Request faucet
+
+```ts
+public async requestFaucet(presentationKey: string) 
+```
+
+###### Method startAuthMethod
+
+Start an Auth Method flow
+
+```ts
+public async startAuthMethod(authMethod: AuthMethodInteractor, presentationKey: string, payload: any) 
+```
+See also: [AuthMethodInteractor](./client.md#class-authmethodinteractor)
+
+###### Method unlinkMethod
+
+Unlink a given Auth Method by ID
+
+```ts
+public async unlinkMethod(presentationKey: string, authMethodId: number) 
+```
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Class: WERR_BAD_REQUEST
 
@@ -7343,6 +8147,8 @@ export class Wallet implements WalletInterface, ProtoWallet {
     chain: sdk.Chain;
     keyDeriver: KeyDeriver;
     storage: WalletStorageManager;
+    settingsManager: WalletSettingsManager;
+    lookupResolver: LookupResolver;
     services?: sdk.WalletServices;
     monitor?: Monitor;
     identityKey: string;
@@ -7393,7 +8199,7 @@ export class Wallet implements WalletInterface, ProtoWallet {
 }
 ```
 
-See also: [Chain](./client.md#type-chain), [KeyPair](./client.md#interface-keypair), [Monitor](./monitor.md#class-monitor), [PendingSignAction](./client.md#interface-pendingsignaction), [PrivilegedKeyManager](./client.md#class-privilegedkeymanager), [StorageIdentity](./client.md#interface-storageidentity), [WalletArgs](./client.md#interface-walletargs), [WalletServices](./client.md#interface-walletservices), [WalletSigner](./client.md#class-walletsigner), [WalletStorageManager](./storage.md#class-walletstoragemanager), [createAction](./storage.md#function-createaction), [getIdentityKey](./client.md#function-getidentitykey), [internalizeAction](./storage.md#function-internalizeaction), [listActions](./storage.md#function-listactions), [listCertificates](./storage.md#function-listcertificates), [listOutputs](./storage.md#function-listoutputs), [proveCertificate](./client.md#function-provecertificate), [signAction](./client.md#function-signaction)
+See also: [Chain](./client.md#type-chain), [KeyPair](./client.md#interface-keypair), [Monitor](./monitor.md#class-monitor), [PendingSignAction](./client.md#interface-pendingsignaction), [PrivilegedKeyManager](./client.md#class-privilegedkeymanager), [StorageIdentity](./client.md#interface-storageidentity), [WalletArgs](./client.md#interface-walletargs), [WalletServices](./client.md#interface-walletservices), [WalletSettingsManager](./client.md#class-walletsettingsmanager), [WalletSigner](./client.md#class-walletsigner), [WalletStorageManager](./storage.md#class-walletstoragemanager), [createAction](./storage.md#function-createaction), [getIdentityKey](./client.md#function-getidentitykey), [internalizeAction](./storage.md#function-internalizeaction), [listActions](./storage.md#function-listactions), [listCertificates](./storage.md#function-listcertificates), [listOutputs](./storage.md#function-listoutputs), [proveCertificate](./client.md#function-provecertificate), [signAction](./client.md#function-signaction)
 
 ###### Property beef
 
@@ -7424,28 +8230,76 @@ randomVals?: number[] = undefined
 getKnownTxids(newKnownTxids?: string[]): string[] 
 ```
 
-Returns
+Returns
+
+the full list of txids whose validity this wallet claims to know.
+
+Argument Details
+
++ **newKnownTxids**
+  + Optional. Additional new txids known to be valid by the caller to be merged.
+
+###### Method sweepTo
+
+Transfer all possible satoshis held by this wallet to `toWallet`.
+
+```ts
+async sweepTo(toWallet: Wallet): Promise<void> 
+```
+See also: [Wallet](./client.md#class-wallet)
+
+Argument Details
+
++ **toWallet**
+  + wallet which will receive this wallet's satoshis.
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Class: WalletAuthenticationManager
+
+WalletAuthenticationManager
+
+A wallet manager that integrates
+with a WABClient for user authentication flows (e.g. Twilio phone).
+
+```ts
+export class WalletAuthenticationManager extends CWIStyleWalletManager {
+    constructor(adminOriginator: string, walletBuilder: (primaryKey: number[], privilegedKeyManager: PrivilegedKeyManager) => Promise<WalletInterface>, interactor: UMPTokenInteractor = new OverlayUMPTokenInteractor(), recoveryKeySaver: (key: number[]) => Promise<true>, passwordRetriever: (reason: string, test: (passwordCandidate: string) => boolean) => Promise<string>, wabClient: WABClient, authMethod?: AuthMethodInteractor, stateSnapshot?: number[]) 
+    public setAuthMethod(method: AuthMethodInteractor) 
+    public async startAuth(payload: any): Promise<void> 
+    public async completeAuth(payload: any): Promise<void> 
+}
+```
+
+See also: [AuthMethodInteractor](./client.md#class-authmethodinteractor), [CWIStyleWalletManager](./client.md#class-cwistylewalletmanager), [OverlayUMPTokenInteractor](./client.md#class-overlayumptokeninteractor), [PrivilegedKeyManager](./client.md#class-privilegedkeymanager), [UMPTokenInteractor](./client.md#interface-umptokeninteractor), [WABClient](./client.md#class-wabclient)
 
-the full list of txids whose validity this wallet claims to know.
+###### Method completeAuth
 
-Argument Details
+Completes the WAB-based flow, retrieving the final presentationKey from WAB if successful.
 
-+ **newKnownTxids**
-  + Optional. Additional new txids known to be valid by the caller to be merged.
+```ts
+public async completeAuth(payload: any): Promise<void> 
+```
 
-###### Method sweepTo
+###### Method setAuthMethod
 
-Transfer all possible satoshis held by this wallet to `toWallet`.
+Sets (or switches) the chosen AuthMethodInteractor at runtime,
+in case the user changes their mind or picks a new method in the UI.
 
 ```ts
-async sweepTo(toWallet: Wallet): Promise<void> 
+public setAuthMethod(method: AuthMethodInteractor) 
 ```
-See also: [Wallet](./client.md#class-wallet)
+See also: [AuthMethodInteractor](./client.md#class-authmethodinteractor)
 
-Argument Details
+###### Method startAuth
 
-+ **toWallet**
-  + wallet which will receive this wallet's satoshis.
+Initiate the WAB-based flow, e.g. sending an SMS code or starting an ID check,
+using the chosen AuthMethodInteractor.
+
+```ts
+public async startAuth(payload: any): Promise<void> 
+```
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
@@ -7569,6 +8423,497 @@ abstract trigger(nowMsecsSinceEpoch: number): {
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Class: WalletPermissionsManager
+
+```ts
+export class WalletPermissionsManager implements WalletInterface {
+    constructor(underlyingWallet: WalletInterface, adminOriginator: string, config: PermissionsManagerConfig = {}) 
+    public bindCallback(eventName: keyof WalletPermissionsManagerCallbacks, handler: PermissionEventHandler): number 
+    public unbindCallback(eventName: keyof WalletPermissionsManagerCallbacks, reference: number | Function): boolean 
+    public async grantPermission(params: {
+        requestID: string;
+        expiry?: number;
+        ephemeral?: boolean;
+        amount?: number;
+    }): Promise<void> 
+    public async denyPermission(requestID: string): Promise<void> 
+    public async ensureProtocolPermission({ originator, privileged, protocolID, counterparty, reason, seekPermission = true, usageType }: {
+        originator: string;
+        privileged: boolean;
+        protocolID: [
+            0 | 1 | 2,
+            string
+        ];
+        counterparty: string;
+        reason?: string;
+        seekPermission?: boolean;
+        usageType: "signing" | "encrypting" | "hmac" | "publicKey" | "identityKey" | "linkageRevelation" | "generic";
+    }): Promise<boolean> 
+    public async ensureBasketAccess({ originator, basket, reason, seekPermission = true, usageType }: {
+        originator: string;
+        basket: string;
+        reason?: string;
+        seekPermission?: boolean;
+        usageType: "insertion" | "removal" | "listing";
+    }): Promise<boolean> 
+    public async ensureCertificateAccess({ originator, privileged, verifier, certType, fields, reason, seekPermission = true, usageType }: {
+        originator: string;
+        privileged: boolean;
+        verifier: string;
+        certType: string;
+        fields: string[];
+        reason?: string;
+        seekPermission?: boolean;
+        usageType: "disclosure";
+    }): Promise<boolean> 
+    public async ensureSpendingAuthorization({ originator, satoshis, lineItems, reason, seekPermission = true }: {
+        originator: string;
+        satoshis: number;
+        lineItems?: Array<{
+            type: "input" | "output" | "fee";
+            description: string;
+            satoshis: number;
+        }>;
+        reason?: string;
+        seekPermission?: boolean;
+    }): Promise<boolean> 
+    public async ensureLabelAccess({ originator, label, reason, seekPermission = true, usageType }: {
+        originator: string;
+        label: string;
+        reason?: string;
+        seekPermission?: boolean;
+        usageType: "apply" | "list";
+    }): Promise<boolean> 
+    public async querySpentSince(token: PermissionToken): Promise<number> 
+    public async listProtocolPermissions({ originator }: {
+        originator?: string;
+    }): Promise<PermissionToken[]> 
+    public async hasProtocolPermission(params: {
+        originator: string;
+        privileged: boolean;
+        protocolID: [
+            0 | 1 | 2,
+            string
+        ];
+        counterparty: string;
+    }): Promise<boolean> 
+    public async listBasketAccess(params: {
+        originator?: string;
+    }): Promise<PermissionToken[]> 
+    public async hasBasketAccess(params: {
+        originator: string;
+        basket: string;
+    }): Promise<boolean> 
+    public async listSpendingAuthorizations(params: {
+        originator?: string;
+    }): Promise<PermissionToken[]> 
+    public async hasSpendingAuthorization(params: {
+        originator: string;
+        satoshis: number;
+    }): Promise<boolean> 
+    public async listCertificateAccess(params: {
+        originator?: string;
+    }): Promise<PermissionToken[]> 
+    public async hasCertificateAccess(params: {
+        originator: string;
+        privileged: boolean;
+        verifier: string;
+        certType: string;
+        fields: string[];
+    }): Promise<boolean> 
+    public async revokePermission(oldToken: PermissionToken): Promise<void> 
+    public async createAction(args: Parameters<WalletInterface["createAction"]>[0], originator?: string): ReturnType<WalletInterface["createAction"]> 
+    public async signAction(...args: Parameters<WalletInterface["signAction"]>): ReturnType<WalletInterface["signAction"]> 
+    public async abortAction(...args: Parameters<WalletInterface["abortAction"]>): ReturnType<WalletInterface["abortAction"]> 
+    public async listActions(...args: Parameters<WalletInterface["listActions"]>): ReturnType<WalletInterface["listActions"]> 
+    public async internalizeAction(...args: Parameters<WalletInterface["internalizeAction"]>): ReturnType<WalletInterface["internalizeAction"]> 
+    public async listOutputs(...args: Parameters<WalletInterface["listOutputs"]>): ReturnType<WalletInterface["listOutputs"]> 
+    public async relinquishOutput(...args: Parameters<WalletInterface["relinquishOutput"]>): ReturnType<WalletInterface["relinquishOutput"]> 
+    public async getPublicKey(...args: Parameters<WalletInterface["getPublicKey"]>): ReturnType<WalletInterface["getPublicKey"]> 
+    public async revealCounterpartyKeyLinkage(...args: Parameters<WalletInterface["revealCounterpartyKeyLinkage"]>): ReturnType<WalletInterface["revealCounterpartyKeyLinkage"]> 
+    public async revealSpecificKeyLinkage(...args: Parameters<WalletInterface["revealSpecificKeyLinkage"]>): ReturnType<WalletInterface["revealSpecificKeyLinkage"]> 
+    public async encrypt(...args: Parameters<WalletInterface["encrypt"]>): ReturnType<WalletInterface["encrypt"]> 
+    public async decrypt(...args: Parameters<WalletInterface["decrypt"]>): ReturnType<WalletInterface["decrypt"]> 
+    public async createHmac(...args: Parameters<WalletInterface["createHmac"]>): ReturnType<WalletInterface["createHmac"]> 
+    public async verifyHmac(...args: Parameters<WalletInterface["verifyHmac"]>): ReturnType<WalletInterface["verifyHmac"]> 
+    public async createSignature(...args: Parameters<WalletInterface["createSignature"]>): ReturnType<WalletInterface["createSignature"]> 
+    public async verifySignature(...args: Parameters<WalletInterface["verifySignature"]>): ReturnType<WalletInterface["verifySignature"]> 
+    public async acquireCertificate(...args: Parameters<WalletInterface["acquireCertificate"]>): ReturnType<WalletInterface["acquireCertificate"]> 
+    public async listCertificates(...args: Parameters<WalletInterface["listCertificates"]>): ReturnType<WalletInterface["listCertificates"]> 
+    public async proveCertificate(...args: Parameters<WalletInterface["proveCertificate"]>): ReturnType<WalletInterface["proveCertificate"]> 
+    public async relinquishCertificate(...args: Parameters<WalletInterface["relinquishCertificate"]>): ReturnType<WalletInterface["relinquishCertificate"]> 
+    public async discoverByIdentityKey(...args: Parameters<WalletInterface["discoverByIdentityKey"]>): ReturnType<WalletInterface["discoverByIdentityKey"]> 
+    public async discoverByAttributes(...args: Parameters<WalletInterface["discoverByAttributes"]>): ReturnType<WalletInterface["discoverByAttributes"]> 
+    public async isAuthenticated(...args: Parameters<WalletInterface["isAuthenticated"]>): ReturnType<WalletInterface["isAuthenticated"]> 
+    public async waitForAuthentication(...args: Parameters<WalletInterface["waitForAuthentication"]>): ReturnType<WalletInterface["waitForAuthentication"]> 
+    public async getHeight(...args: Parameters<WalletInterface["getHeight"]>): ReturnType<WalletInterface["getHeight"]> 
+    public async getHeaderForHeight(...args: Parameters<WalletInterface["getHeaderForHeight"]>): ReturnType<WalletInterface["getHeaderForHeight"]> 
+    public async getNetwork(...args: Parameters<WalletInterface["getNetwork"]>): ReturnType<WalletInterface["getNetwork"]> 
+    public async getVersion(...args: Parameters<WalletInterface["getVersion"]>): ReturnType<WalletInterface["getVersion"]> 
+}
+```
+
+See also: [PermissionEventHandler](./client.md#type-permissioneventhandler), [PermissionToken](./client.md#interface-permissiontoken), [PermissionsManagerConfig](./client.md#interface-permissionsmanagerconfig), [WalletPermissionsManagerCallbacks](./client.md#interface-walletpermissionsmanagercallbacks), [createAction](./storage.md#function-createaction), [internalizeAction](./storage.md#function-internalizeaction), [listActions](./storage.md#function-listactions), [listCertificates](./storage.md#function-listcertificates), [listOutputs](./storage.md#function-listoutputs), [proveCertificate](./client.md#function-provecertificate), [signAction](./client.md#function-signaction)
+
+###### Constructor
+
+Constructs a new Permissions Manager instance.
+
+```ts
+constructor(underlyingWallet: WalletInterface, adminOriginator: string, config: PermissionsManagerConfig = {}) 
+```
+See also: [PermissionsManagerConfig](./client.md#interface-permissionsmanagerconfig)
+
+Argument Details
+
++ **underlyingWallet**
+  + The underlying BRC-100 wallet, where requests are forwarded after permission is granted
++ **adminOriginator**
+  + The domain or FQDN that is automatically allowed everything
++ **config**
+  + A set of boolean flags controlling how strictly permissions are enforced
+
+###### Method bindCallback
+
+Binds a callback function to a named event, such as `onProtocolPermissionRequested`.
+
+```ts
+public bindCallback(eventName: keyof WalletPermissionsManagerCallbacks, handler: PermissionEventHandler): number 
+```
+See also: [PermissionEventHandler](./client.md#type-permissioneventhandler), [WalletPermissionsManagerCallbacks](./client.md#interface-walletpermissionsmanagercallbacks)
+
+Returns
+
+A numeric ID you can use to unbind later
+
+Argument Details
+
++ **eventName**
+  + The name of the event to listen to
++ **handler**
+  + A function that handles the event
+
+###### Method denyPermission
+
+Denies a previously requested permission.
+This method rejects all pending promise calls waiting on that request
+
+```ts
+public async denyPermission(requestID: string): Promise<void> 
+```
+
+Argument Details
+
++ **requestID**
+  + requestID identifying which request to deny
+
+###### Method ensureBasketAccess
+
+Ensures the originator has basket usage permission for the specified basket.
+If not, triggers a permission request flow.
+
+```ts
+public async ensureBasketAccess({ originator, basket, reason, seekPermission = true, usageType }: {
+    originator: string;
+    basket: string;
+    reason?: string;
+    seekPermission?: boolean;
+    usageType: "insertion" | "removal" | "listing";
+}): Promise<boolean> 
+```
+
+###### Method ensureCertificateAccess
+
+Ensures the originator has a valid certificate permission.
+This is relevant when revealing certificate fields in DCAP contexts.
+
+```ts
+public async ensureCertificateAccess({ originator, privileged, verifier, certType, fields, reason, seekPermission = true, usageType }: {
+    originator: string;
+    privileged: boolean;
+    verifier: string;
+    certType: string;
+    fields: string[];
+    reason?: string;
+    seekPermission?: boolean;
+    usageType: "disclosure";
+}): Promise<boolean> 
+```
+
+###### Method ensureLabelAccess
+
+Ensures the originator has label usage permission.
+If no valid (unexpired) permission token is found, triggers a permission request flow.
+
+```ts
+public async ensureLabelAccess({ originator, label, reason, seekPermission = true, usageType }: {
+    originator: string;
+    label: string;
+    reason?: string;
+    seekPermission?: boolean;
+    usageType: "apply" | "list";
+}): Promise<boolean> 
+```
+
+###### Method ensureProtocolPermission
+
+Ensures the originator has protocol usage permission.
+If no valid (unexpired) permission token is found, triggers a permission request flow.
+
+```ts
+public async ensureProtocolPermission({ originator, privileged, protocolID, counterparty, reason, seekPermission = true, usageType }: {
+    originator: string;
+    privileged: boolean;
+    protocolID: [
+        0 | 1 | 2,
+        string
+    ];
+    counterparty: string;
+    reason?: string;
+    seekPermission?: boolean;
+    usageType: "signing" | "encrypting" | "hmac" | "publicKey" | "identityKey" | "linkageRevelation" | "generic";
+}): Promise<boolean> 
+```
+
+###### Method ensureSpendingAuthorization
+
+Ensures the originator has spending authorization (DSAP) for a certain satoshi amount.
+If the existing token limit is insufficient, attempts to renew. If no token, attempts to create one.
+
+```ts
+public async ensureSpendingAuthorization({ originator, satoshis, lineItems, reason, seekPermission = true }: {
+    originator: string;
+    satoshis: number;
+    lineItems?: Array<{
+        type: "input" | "output" | "fee";
+        description: string;
+        satoshis: number;
+    }>;
+    reason?: string;
+    seekPermission?: boolean;
+}): Promise<boolean> 
+```
+
+###### Method grantPermission
+
+Grants a previously requested permission.
+This method:
+ 1) Resolves all pending promise calls waiting on this request
+ 2) Optionally creates or renews an on-chain PushDrop token (unless `ephemeral===true`)
+
+```ts
+public async grantPermission(params: {
+    requestID: string;
+    expiry?: number;
+    ephemeral?: boolean;
+    amount?: number;
+}): Promise<void> 
+```
+
+Argument Details
+
++ **params**
+  + requestID to identify which request is granted, plus optional expiry
+or `ephemeral` usage, etc.
+
+###### Method hasBasketAccess
+
+Returns `true` if the originator already holds a valid unexpired basket permission for `basket`.
+
+```ts
+public async hasBasketAccess(params: {
+    originator: string;
+    basket: string;
+}): Promise<boolean> 
+```
+
+###### Method hasCertificateAccess
+
+Returns `true` if the originator already holds a valid unexpired certificate access
+for the given certType/fields. Does not prompt the user.
+
+```ts
+public async hasCertificateAccess(params: {
+    originator: string;
+    privileged: boolean;
+    verifier: string;
+    certType: string;
+    fields: string[];
+}): Promise<boolean> 
+```
+
+###### Method hasProtocolPermission
+
+Returns true if the originator already holds a valid unexpired protocol permission.
+This calls `ensureProtocolPermission` with `seekPermission=false`, so it won't prompt.
+
+```ts
+public async hasProtocolPermission(params: {
+    originator: string;
+    privileged: boolean;
+    protocolID: [
+        0 | 1 | 2,
+        string
+    ];
+    counterparty: string;
+}): Promise<boolean> 
+```
+
+###### Method hasSpendingAuthorization
+
+Returns `true` if the originator already holds a valid spending authorization token
+with enough available monthly spend. We do not prompt (seekPermission=false).
+
+```ts
+public async hasSpendingAuthorization(params: {
+    originator: string;
+    satoshis: number;
+}): Promise<boolean> 
+```
+
+###### Method listBasketAccess
+
+Lists basket permission tokens (DBAP) for a given originator (or for all if not specified).
+
+```ts
+public async listBasketAccess(params: {
+    originator?: string;
+}): Promise<PermissionToken[]> 
+```
+See also: [PermissionToken](./client.md#interface-permissiontoken)
+
+###### Method listCertificateAccess
+
+Lists certificate permission tokens (DCAP) for a given originator (or all).
+
+```ts
+public async listCertificateAccess(params: {
+    originator?: string;
+}): Promise<PermissionToken[]> 
+```
+See also: [PermissionToken](./client.md#interface-permissiontoken)
+
+###### Method listProtocolPermissions
+
+Lists all protocol permission tokens (DPACP) for a given originator or for all if originator is undefined.
+This is a convenience method for UI or debug.
+
+```ts
+public async listProtocolPermissions({ originator }: {
+    originator?: string;
+}): Promise<PermissionToken[]> 
+```
+See also: [PermissionToken](./client.md#interface-permissiontoken)
+
+###### Method listSpendingAuthorizations
+
+Lists spending authorization tokens (DSAP) for a given originator (or all).
+
+```ts
+public async listSpendingAuthorizations(params: {
+    originator?: string;
+}): Promise<PermissionToken[]> 
+```
+See also: [PermissionToken](./client.md#interface-permissiontoken)
+
+###### Method querySpentSince
+
+Returns spending for an originator in the current calendar month.
+
+```ts
+public async querySpentSince(token: PermissionToken): Promise<number> 
+```
+See also: [PermissionToken](./client.md#interface-permissiontoken)
+
+###### Method revokePermission
+
+Revokes a permission token by spending it with no replacement output.
+The manager builds a BRC-100 transaction that consumes the token, effectively invalidating it.
+
+```ts
+public async revokePermission(oldToken: PermissionToken): Promise<void> 
+```
+See also: [PermissionToken](./client.md#interface-permissiontoken)
+
+###### Method unbindCallback
+
+Unbinds a previously registered callback by either its numeric ID (returned by `bindCallback`)
+or by exact function reference.
+
+```ts
+public unbindCallback(eventName: keyof WalletPermissionsManagerCallbacks, reference: number | Function): boolean 
+```
+See also: [WalletPermissionsManagerCallbacks](./client.md#interface-walletpermissionsmanagercallbacks)
+
+Returns
+
+True if successfully unbound, false otherwise
+
+Argument Details
+
++ **eventName**
+  + The event name, e.g. "onProtocolPermissionRequested"
++ **reference**
+  + Either the numeric ID or the function reference
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Class: WalletSettingsManager
+
+Manages wallet settings
+
+```ts
+export class WalletSettingsManager {
+    constructor(private wallet: WalletInterface, private config: WalletSettingsManagerConfig = {
+        defaultSettings: DEFAULT_SETTINGS
+    }) 
+    async get(): Promise<WalletSettings> 
+    async set(settings: WalletSettings): Promise<void> 
+    async delete(): Promise<void> 
+}
+```
+
+See also: [DEFAULT_SETTINGS](./client.md#variable-default_settings), [WalletSettings](./client.md#interface-walletsettings), [WalletSettingsManagerConfig](./client.md#interface-walletsettingsmanagerconfig)
+
+###### Method delete
+
+Deletes the user's settings token.
+
+```ts
+async delete(): Promise<void> 
+```
+
+###### Method get
+
+Returns a user's wallet settings
+
+```ts
+async get(): Promise<WalletSettings> 
+```
+See also: [WalletSettings](./client.md#interface-walletsettings)
+
+Returns
+
+- Wallet settings object
+
+###### Method set
+
+Creates (or updates) the user's settings token.
+
+```ts
+async set(settings: WalletSettings): Promise<void> 
+```
+See also: [WalletSettings](./client.md#interface-walletsettings)
+
+Argument Details
+
++ **settings**
+  + The wallet settings to be stored.
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Class: WalletSigner
 
@@ -9256,15 +10601,15 @@ Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](
 
 | | |
 | --- | --- |
-| [Chain](#type-chain) | [PostReqsToNetworkDetailsStatus](#type-postreqstonetworkdetailsstatus) |
-| [DBType](#type-dbtype) | [PostTxsService](#type-posttxsservice) |
-| [EntityStorage](#type-entitystorage) | [ProvenTxReqStatus](#type-proventxreqstatus) |
-| [GetMerklePathService](#type-getmerklepathservice) | [StorageProvidedBy](#type-storageprovidedby) |
-| [GetRawTxService](#type-getrawtxservice) | [SyncProtocolVersion](#type-syncprotocolversion) |
-| [GetUtxoStatusOutputFormat](#type-getutxostatusoutputformat) | [SyncStatus](#type-syncstatus) |
-| [GetUtxoStatusService](#type-getutxostatusservice) | [TransactionStatus](#type-transactionstatus) |
-| [MonitorStorage](#type-monitorstorage) | [UpdateFiatExchangeRateService](#type-updatefiatexchangerateservice) |
-| [PostBeefService](#type-postbeefservice) |  |
+| [Chain](#type-chain) | [PostBeefService](#type-postbeefservice) |
+| [DBType](#type-dbtype) | [PostReqsToNetworkDetailsStatus](#type-postreqstonetworkdetailsstatus) |
+| [EntityStorage](#type-entitystorage) | [PostTxsService](#type-posttxsservice) |
+| [GetMerklePathService](#type-getmerklepathservice) | [ProvenTxReqStatus](#type-proventxreqstatus) |
+| [GetRawTxService](#type-getrawtxservice) | [StorageProvidedBy](#type-storageprovidedby) |
+| [GetUtxoStatusOutputFormat](#type-getutxostatusoutputformat) | [SyncProtocolVersion](#type-syncprotocolversion) |
+| [GetUtxoStatusService](#type-getutxostatusservice) | [SyncStatus](#type-syncstatus) |
+| [MonitorStorage](#type-monitorstorage) | [TransactionStatus](#type-transactionstatus) |
+| [PermissionEventHandler](#type-permissioneventhandler) | [UpdateFiatExchangeRateService](#type-updatefiatexchangerateservice) |
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
@@ -9351,6 +10696,21 @@ See also: [WalletStorageManager](./storage.md#class-walletstoragemanager)
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Type: PermissionEventHandler
+
+Signature for functions that handle a permission request event, e.g. "Please ask the user to allow basket X".
+
+```ts
+export type PermissionEventHandler = (request: PermissionRequest & {
+    requestID: string;
+}) => void | Promise<void>
+```
+
+See also: [PermissionRequest](./client.md#interface-permissionrequest)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Type: PostBeefService
 
@@ -9483,17 +10843,71 @@ Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](
 
 | |
 | --- |
+| [DEFAULT_SETTINGS](#variable-default_settings) |
+| [PBKDF2_NUM_ROUNDS](#variable-pbkdf2_num_rounds) |
 | [ProvenTxReqNonTerminalStatus](#variable-proventxreqnonterminalstatus) |
 | [ProvenTxReqTerminalStatus](#variable-proventxreqterminalstatus) |
+| [TESTNET_DEFAULT_SETTINGS](#variable-testnet_default_settings) |
 | [brc29ProtocolID](#variable-brc29protocolid) |
 | [maxPossibleSatoshis](#variable-maxpossiblesatoshis) |
 | [outputColumnsWithoutLockingScript](#variable-outputcolumnswithoutlockingscript) |
+| [parseResults](#variable-parseresults) |
+| [queryOverlay](#variable-queryoverlay) |
 | [transactionColumnsWithoutRawTx](#variable-transactioncolumnswithoutrawtx) |
+| [transformVerifiableCertificatesWithTrust](#variable-transformverifiablecertificateswithtrust) |
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+
+##### Variable: DEFAULT_SETTINGS
+
+```ts
+DEFAULT_SETTINGS = {
+    trustSettings: {
+        trustLevel: 2,
+        trustedCertifiers: [
+            {
+                name: "Babbage Trust Services",
+                description: "Resolves identity information for Babbage-run APIs and Bitcoin infrastructure.",
+                iconUrl: "https://projectbabbage.com/favicon.ico",
+                identityKey: "028703956178067ea7ca405111f1ca698290a0112a3d7cf3d843e195bf58a7cfa6",
+                trust: 4
+            },
+            {
+                name: "IdentiCert",
+                description: "Certifies legal first and last name, and photos",
+                iconUrl: "https://identicert.me/favicon.ico",
+                trust: 5,
+                identityKey: "0295bf1c7842d14babf60daf2c733956c331f9dcb2c79e41f85fd1dda6a3fa4549"
+            },
+            {
+                name: "SocialCert",
+                description: "Certifies social media handles, phone numbers and emails",
+                iconUrl: "https://socialcert.net/favicon.ico",
+                trust: 3,
+                identityKey: "03285263f06139b66fb27f51cf8a92e9dd007c4c4b83876ad6c3e7028db450a4c2"
+            }
+        ]
+    },
+    theme: { mode: "dark" }
+} as WalletSettings
+```
+
+See also: [WalletSettings](./client.md#interface-walletsettings)
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
 ---
+##### Variable: PBKDF2_NUM_ROUNDS
 
+```ts
+PBKDF2_NUM_ROUNDS = 7777
+```
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
 ##### Variable: ProvenTxReqNonTerminalStatus
 
 ```ts
@@ -9529,6 +10943,26 @@ See also: [ProvenTxReqStatus](./client.md#type-proventxreqstatus)
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Variable: TESTNET_DEFAULT_SETTINGS
+
+```ts
+TESTNET_DEFAULT_SETTINGS: WalletSettings = {
+    ...DEFAULT_SETTINGS,
+    trustSettings: {
+        ...DEFAULT_SETTINGS.trustSettings,
+        trustedCertifiers: DEFAULT_SETTINGS.trustSettings.trustedCertifiers.map(certifier => ({
+            ...certifier,
+            identityKey: TESTNET_IDENTITY_KEYS[certifier.name] || certifier.identityKey
+        }))
+    }
+}
+```
+
+See also: [DEFAULT_SETTINGS](./client.md#variable-default_settings), [WalletSettings](./client.md#interface-walletsettings)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Variable: brc29ProtocolID
 
@@ -9581,6 +11015,52 @@ outputColumnsWithoutLockingScript = [
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Variable: parseResults
+
+```ts
+parseResults = async (lookupResult: LookupAnswer): Promise<VerifiableCertificate[]> => {
+    if (lookupResult.type === "output-list") {
+        const parsedResults: VerifiableCertificate[] = [];
+        for (const output of lookupResult.outputs) {
+            try {
+                const tx = Transaction.fromAtomicBEEF(output.beef);
+                const decodedOutput = PushDrop.decode(tx.outputs[OUTPUT_INDEX].lockingScript);
+                const certificate: VerifiableCertificate = JSON.parse(Utils.toUTF8(decodedOutput.fields[0]));
+                const verifiableCert = new VerifiableCertificate(certificate.type, certificate.serialNumber, certificate.subject, certificate.revocationOutpoint, certificate.certifier, certificate.fields, certificate.keyring, certificate.signature);
+                const decryptedFields = await verifiableCert.decryptFields(new ProtoWallet("anyone"));
+                verifiableCert.decryptedFields = decryptedFields;
+                parsedResults.push(verifiableCert);
+            }
+            catch (error) {
+                console.error(error);
+            }
+        }
+        return parsedResults;
+    }
+    return [];
+}
+```
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
+---
+##### Variable: queryOverlay
+
+```ts
+queryOverlay = async (query: unknown, resolver: LookupResolver): Promise<VerifiableCertificate[]> => {
+    const results = await resolver.query({
+        service: "ls_identity",
+        query
+    });
+    return await parseResults(results);
+}
+```
+
+See also: [parseResults](./client.md#variable-parseresults)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 ##### Variable: transactionColumnsWithoutRawTx
 
@@ -9604,6 +11084,60 @@ transactionColumnsWithoutRawTx = [
 
 Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
 
+---
+##### Variable: transformVerifiableCertificatesWithTrust
+
+```ts
+transformVerifiableCertificatesWithTrust = (trustSettings: TrustSettings, certificates: VerifiableCertificate[]): DiscoverCertificatesResult => {
+    const identityGroups: Record<string, IdentityGroup> = {};
+    const certifierCache: Record<string, Certifier> = {};
+    certificates.forEach(cert => {
+        const { subject, certifier } = cert;
+        if (!subject || !certifier)
+            return;
+        if (!certifierCache[certifier]) {
+            const found = trustSettings.trustedCertifiers.find(x => x.identityKey === certifier);
+            if (!found)
+                return;
+            certifierCache[certifier] = found;
+        }
+        const certifierInfo: IdentityCertifier = {
+            name: certifierCache[certifier].name,
+            iconUrl: certifierCache[certifier].iconUrl || "",
+            description: certifierCache[certifier].description,
+            trust: certifierCache[certifier].trust
+        };
+        const extendedCert: IdentityCertificate = {
+            ...cert,
+            signature: cert.signature!,
+            decryptedFields: cert.decryptedFields as Record<string, string>,
+            publiclyRevealedKeyring: cert.keyring,
+            certifierInfo
+        };
+        if (!identityGroups[subject]) {
+            identityGroups[subject] = { totalTrust: 0, members: [] };
+        }
+        identityGroups[subject].totalTrust += certifierInfo.trust;
+        identityGroups[subject].members.push(extendedCert);
+    });
+    const finalResults: ExtendedVerifiableCertificate[] = [];
+    Object.values(identityGroups).forEach(group => {
+        if (group.totalTrust >= trustSettings.trustLevel) {
+            finalResults.push(...group.members);
+        }
+    });
+    finalResults.sort((a, b) => b.certifierInfo.trust - a.certifierInfo.trust);
+    return {
+        totalCertificates: finalResults.length,
+        certificates: finalResults
+    };
+}
+```
+
+See also: [Certifier](./client.md#interface-certifier), [ExtendedVerifiableCertificate](./client.md#interface-extendedverifiablecertificate), [TrustSettings](./client.md#interface-trustsettings)
+
+Links: [API](#api), [Interfaces](#interfaces), [Classes](#classes), [Functions](#functions), [Types](#types), [Variables](#variables)
+
 ---
 
 <!--#endregion ts2md-api-merged-here-->