@clianta/sdk 1.4.0 → 1.5.1

package/dist/react.esm.js

@@ -1,10 +1,10 @@
 /*!
- * Clianta SDK v1.4.0
+ * Clianta SDK v1.5.1
  * (c) 2026 Clianta
  * Released under the MIT License.
  */
 import { jsx } from 'react/jsx-runtime';
-import { createContext, useRef, useEffect, useContext } from 'react';
+import { createContext, useState, useRef, useEffect, useContext } from 'react';
 
 /**
  * Clianta SDK - Configuration
@@ -12,15 +12,22 @@ import { createContext, useRef, useEffect, useContext } from 'react';
  */
 /** SDK Version */
 const SDK_VERSION = '1.4.0';
-/** Default API endpoint based on environment */
+/** Default API endpoint — reads from env or falls back to localhost */
 const getDefaultApiEndpoint = () => {
-    if (typeof window === 'undefined')
-        return 'https://api.clianta.online';
-    const hostname = window.location.hostname;
-    if (hostname.includes('localhost') || hostname.includes('127.0.0.1')) {
-        return 'http://localhost:5000';
+    // Build-time env var (works with Next.js, Vite, CRA, etc.)
+    if (typeof process !== 'undefined' && process.env?.NEXT_PUBLIC_CLIANTA_API_ENDPOINT) {
+        return process.env.NEXT_PUBLIC_CLIANTA_API_ENDPOINT;
+    }
+    if (typeof process !== 'undefined' && process.env?.VITE_CLIANTA_API_ENDPOINT) {
+        return process.env.VITE_CLIANTA_API_ENDPOINT;
+    }
+    if (typeof process !== 'undefined' && process.env?.REACT_APP_CLIANTA_API_ENDPOINT) {
+        return process.env.REACT_APP_CLIANTA_API_ENDPOINT;
     }
-    return 'https://api.clianta.online';
+    if (typeof process !== 'undefined' && process.env?.CLIANTA_API_ENDPOINT) {
+        return process.env.CLIANTA_API_ENDPOINT;
+    }
+    return 'http://localhost:5000';
 };
 /** Core plugins enabled by default */
 const DEFAULT_PLUGINS = [
@@ -53,6 +60,7 @@ const DEFAULT_CONFIG = {
     cookieDomain: '',
     useCookies: false,
     cookielessMode: false,
+    persistMode: 'session',
 };
 /** Storage keys */
 const STORAGE_KEYS = {
@@ -246,6 +254,39 @@ class Transport {
             return false;
         }
     }
+    /**
+     * Fetch data from the tracking API (GET request)
+     * Used for read-back APIs (visitor profile, activity, etc.)
+     */
+    async fetchData(path, params) {
+        const url = new URL(`${this.config.apiEndpoint}${path}`);
+        if (params) {
+            Object.entries(params).forEach(([key, value]) => {
+                if (value !== undefined && value !== null) {
+                    url.searchParams.set(key, value);
+                }
+            });
+        }
+        try {
+            const response = await this.fetchWithTimeout(url.toString(), {
+                method: 'GET',
+                headers: {
+                    'Accept': 'application/json',
+                },
+            });
+            if (response.ok) {
+                const body = await response.json();
+                logger.debug('Fetch successful:', path);
+                return { success: true, data: body.data ?? body, status: response.status };
+            }
+            logger.error(`Fetch failed with status ${response.status}`);
+            return { success: false, status: response.status };
+        }
+        catch (error) {
+            logger.error('Fetch request failed:', error);
+            return { success: false, error: error };
+        }
+    }
     /**
      * Internal send with retry logic
      */
@@ -410,7 +451,9 @@ function cookie(name, value, days) {
         date.setTime(date.getTime() + days * 24 * 60 * 60 * 1000);
         expires = '; expires=' + date.toUTCString();
     }
-    document.cookie = name + '=' + value + expires + '; path=/; SameSite=Lax';
+    // Add Secure flag on HTTPS to prevent cookie leakage over plaintext
+    const secure = typeof location !== 'undefined' && location.protocol === 'https:' ? '; Secure' : '';
+    document.cookie = name + '=' + value + expires + '; path=/; SameSite=Lax' + secure;
     return value;
 }
 // ============================================
@@ -574,6 +617,17 @@ function isMobile() {
     return /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent);
 }
 // ============================================
+// VALIDATION UTILITIES
+// ============================================
+/**
+ * Validate email format
+ */
+function isValidEmail(email) {
+    if (typeof email !== 'string' || !email)
+        return false;
+    return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
+}
+// ============================================
 // DEVICE INFO
 // ============================================
 /**
@@ -627,6 +681,7 @@ class EventQueue {
             maxQueueSize: config.maxQueueSize ?? MAX_QUEUE_SIZE,
             storageKey: config.storageKey ?? STORAGE_KEYS.EVENT_QUEUE,
         };
+        this.persistMode = config.persistMode || 'session';
         // Restore persisted queue
         this.restoreQueue();
         // Start auto-flush timer
@@ -732,6 +787,13 @@ class EventQueue {
     clear() {
         this.queue = [];
         this.persistQueue([]);
+        // Also clear localStorage if used
+        if (this.persistMode === 'local' && typeof localStorage !== 'undefined') {
+            try {
+                localStorage.removeItem(this.config.storageKey);
+            }
+            catch { /* ignore */ }
+        }
     }
     /**
      * Stop the flush timer and cleanup handlers
@@ -786,22 +848,44 @@ class EventQueue {
         window.addEventListener('pagehide', this.boundPageHide);
     }
     /**
-     * Persist queue to localStorage
+     * Persist queue to storage based on persistMode
      */
     persistQueue(events) {
+        if (this.persistMode === 'none')
+            return;
         try {
-            setLocalStorage(this.config.storageKey, JSON.stringify(events));
+            const serialized = JSON.stringify(events);
+            if (this.persistMode === 'local' && typeof localStorage !== 'undefined') {
+                try {
+                    localStorage.setItem(this.config.storageKey, serialized);
+                }
+                catch {
+                    // localStorage quota exceeded — fallback to sessionStorage
+                    setSessionStorage(this.config.storageKey, serialized);
+                }
+            }
+            else {
+                setSessionStorage(this.config.storageKey, serialized);
+            }
         }
         catch {
             // Ignore storage errors
         }
     }
     /**
-     * Restore queue from localStorage
+     * Restore queue from storage
      */
     restoreQueue() {
         try {
-            const stored = getLocalStorage(this.config.storageKey);
+            let stored = null;
+            // Check localStorage first (cross-session persistence)
+            if (this.persistMode === 'local' && typeof localStorage !== 'undefined') {
+                stored = localStorage.getItem(this.config.storageKey);
+            }
+            // Fall back to sessionStorage
+            if (!stored) {
+                stored = getSessionStorage(this.config.storageKey);
+            }
             if (stored) {
                 const events = JSON.parse(stored);
                 if (Array.isArray(events) && events.length > 0) {
@@ -869,10 +953,13 @@ class PageViewPlugin extends BasePlugin {
             history.pushState = function (...args) {
                 self.originalPushState.apply(history, args);
                 self.trackPageView();
+                // Notify other plugins (e.g. ScrollPlugin) about navigation
+                window.dispatchEvent(new Event('clianta:navigation'));
             };
             history.replaceState = function (...args) {
                 self.originalReplaceState.apply(history, args);
                 self.trackPageView();
+                window.dispatchEvent(new Event('clianta:navigation'));
             };
             // Handle back/forward navigation
             this.popstateHandler = () => this.trackPageView();
@@ -926,9 +1013,8 @@ class ScrollPlugin extends BasePlugin {
         this.pageLoadTime = 0;
         this.scrollTimeout = null;
         this.boundHandler = null;
-        /** SPA navigation support */
-        this.originalPushState = null;
-        this.originalReplaceState = null;
+        /** SPA navigation — listen for PageViewPlugin's custom event instead of patching history */
+        this.navigationHandler = null;
         this.popstateHandler = null;
     }
     init(tracker) {
@@ -937,8 +1023,13 @@ class ScrollPlugin extends BasePlugin {
         if (typeof window !== 'undefined') {
             this.boundHandler = this.handleScroll.bind(this);
             window.addEventListener('scroll', this.boundHandler, { passive: true });
-            // Setup SPA navigation reset
-            this.setupNavigationReset();
+            // Listen for navigation events dispatched by PageViewPlugin
+            // instead of independently monkey-patching history.pushState
+            this.navigationHandler = () => this.resetForNavigation();
+            window.addEventListener('clianta:navigation', this.navigationHandler);
+            // Handle back/forward navigation
+            this.popstateHandler = () => this.resetForNavigation();
+            window.addEventListener('popstate', this.popstateHandler);
         }
     }
     destroy() {
@@ -948,16 +1039,10 @@ class ScrollPlugin extends BasePlugin {
         if (this.scrollTimeout) {
             clearTimeout(this.scrollTimeout);
         }
-        // Restore original history methods
-        if (this.originalPushState) {
-            history.pushState = this.originalPushState;
-            this.originalPushState = null;
-        }
-        if (this.originalReplaceState) {
-            history.replaceState = this.originalReplaceState;
-            this.originalReplaceState = null;
+        if (this.navigationHandler && typeof window !== 'undefined') {
+            window.removeEventListener('clianta:navigation', this.navigationHandler);
+            this.navigationHandler = null;
         }
-        // Remove popstate listener
         if (this.popstateHandler && typeof window !== 'undefined') {
             window.removeEventListener('popstate', this.popstateHandler);
             this.popstateHandler = null;
@@ -972,29 +1057,6 @@ class ScrollPlugin extends BasePlugin {
         this.maxScrollDepth = 0;
         this.pageLoadTime = Date.now();
     }
-    /**
-     * Setup History API interception for SPA navigation
-     */
-    setupNavigationReset() {
-        if (typeof window === 'undefined')
-            return;
-        // Store originals for cleanup
-        this.originalPushState = history.pushState;
-        this.originalReplaceState = history.replaceState;
-        // Intercept pushState and replaceState
-        const self = this;
-        history.pushState = function (...args) {
-            self.originalPushState.apply(history, args);
-            self.resetForNavigation();
-        };
-        history.replaceState = function (...args) {
-            self.originalReplaceState.apply(history, args);
-            self.resetForNavigation();
-        };
-        // Handle back/forward navigation
-        this.popstateHandler = () => this.resetForNavigation();
-        window.addEventListener('popstate', this.popstateHandler);
-    }
     handleScroll() {
         // Debounce scroll tracking
         if (this.scrollTimeout) {
@@ -1194,6 +1256,10 @@ class ClicksPlugin extends BasePlugin {
             elementId: elementInfo.id,
             elementClass: elementInfo.className,
             href: target.href || undefined,
+            x: Math.round((e.clientX / window.innerWidth) * 100),
+            y: Math.round((e.clientY / window.innerHeight) * 100),
+            viewportWidth: window.innerWidth,
+            viewportHeight: window.innerHeight,
         });
     }
 }
@@ -1216,6 +1282,9 @@ class EngagementPlugin extends BasePlugin {
         this.boundMarkEngaged = null;
         this.boundTrackTimeOnPage = null;
         this.boundVisibilityHandler = null;
+        /** SPA navigation — listen for PageViewPlugin's custom event instead of patching history */
+        this.navigationHandler = null;
+        this.popstateHandler = null;
     }
     init(tracker) {
         super.init(tracker);
@@ -1241,6 +1310,13 @@ class EngagementPlugin extends BasePlugin {
         // Track time on page before unload
         window.addEventListener('beforeunload', this.boundTrackTimeOnPage);
         document.addEventListener('visibilitychange', this.boundVisibilityHandler);
+        // Listen for navigation events dispatched by PageViewPlugin
+        // instead of independently monkey-patching history.pushState
+        this.navigationHandler = () => this.resetForNavigation();
+        window.addEventListener('clianta:navigation', this.navigationHandler);
+        // Handle back/forward navigation
+        this.popstateHandler = () => this.resetForNavigation();
+        window.addEventListener('popstate', this.popstateHandler);
     }
     destroy() {
         if (this.boundMarkEngaged && typeof document !== 'undefined') {
@@ -1254,11 +1330,28 @@ class EngagementPlugin extends BasePlugin {
         if (this.boundVisibilityHandler && typeof document !== 'undefined') {
             document.removeEventListener('visibilitychange', this.boundVisibilityHandler);
         }
+        if (this.navigationHandler && typeof window !== 'undefined') {
+            window.removeEventListener('clianta:navigation', this.navigationHandler);
+            this.navigationHandler = null;
+        }
+        if (this.popstateHandler && typeof window !== 'undefined') {
+            window.removeEventListener('popstate', this.popstateHandler);
+            this.popstateHandler = null;
+        }
         if (this.engagementTimeout) {
             clearTimeout(this.engagementTimeout);
         }
         super.destroy();
     }
+    resetForNavigation() {
+        this.pageLoadTime = Date.now();
+        this.engagementStartTime = Date.now();
+        this.isEngaged = false;
+        if (this.engagementTimeout) {
+            clearTimeout(this.engagementTimeout);
+            this.engagementTimeout = null;
+        }
+    }
     markEngaged() {
         if (!this.isEngaged) {
             this.isEngaged = true;
@@ -1298,9 +1391,8 @@ class DownloadsPlugin extends BasePlugin {
         this.name = 'downloads';
         this.trackedDownloads = new Set();
         this.boundHandler = null;
-        /** SPA navigation support */
-        this.originalPushState = null;
-        this.originalReplaceState = null;
+        /** SPA navigation — listen for PageViewPlugin's custom event instead of patching history */
+        this.navigationHandler = null;
         this.popstateHandler = null;
     }
     init(tracker) {
@@ -1308,24 +1400,25 @@ class DownloadsPlugin extends BasePlugin {
         if (typeof document !== 'undefined') {
             this.boundHandler = this.handleClick.bind(this);
             document.addEventListener('click', this.boundHandler, true);
-            // Setup SPA navigation reset
-            this.setupNavigationReset();
+        }
+        if (typeof window !== 'undefined') {
+            // Listen for navigation events dispatched by PageViewPlugin
+            // instead of independently monkey-patching history.pushState
+            this.navigationHandler = () => this.resetForNavigation();
+            window.addEventListener('clianta:navigation', this.navigationHandler);
+            // Handle back/forward navigation
+            this.popstateHandler = () => this.resetForNavigation();
+            window.addEventListener('popstate', this.popstateHandler);
         }
     }
     destroy() {
         if (this.boundHandler && typeof document !== 'undefined') {
             document.removeEventListener('click', this.boundHandler, true);
         }
-        // Restore original history methods
-        if (this.originalPushState) {
-            history.pushState = this.originalPushState;
-            this.originalPushState = null;
+        if (this.navigationHandler && typeof window !== 'undefined') {
+            window.removeEventListener('clianta:navigation', this.navigationHandler);
+            this.navigationHandler = null;
         }
-        if (this.originalReplaceState) {
-            history.replaceState = this.originalReplaceState;
-            this.originalReplaceState = null;
-        }
-        // Remove popstate listener
         if (this.popstateHandler && typeof window !== 'undefined') {
             window.removeEventListener('popstate', this.popstateHandler);
             this.popstateHandler = null;
@@ -1338,29 +1431,6 @@ class DownloadsPlugin extends BasePlugin {
     resetForNavigation() {
         this.trackedDownloads.clear();
     }
-    /**
-     * Setup History API interception for SPA navigation
-     */
-    setupNavigationReset() {
-        if (typeof window === 'undefined')
-            return;
-        // Store originals for cleanup
-        this.originalPushState = history.pushState;
-        this.originalReplaceState = history.replaceState;
-        // Intercept pushState and replaceState
-        const self = this;
-        history.pushState = function (...args) {
-            self.originalPushState.apply(history, args);
-            self.resetForNavigation();
-        };
-        history.replaceState = function (...args) {
-            self.originalReplaceState.apply(history, args);
-            self.resetForNavigation();
-        };
-        // Handle back/forward navigation
-        this.popstateHandler = () => this.resetForNavigation();
-        window.addEventListener('popstate', this.popstateHandler);
-    }
     handleClick(e) {
         const link = e.target.closest('a');
         if (!link || !link.href)
@@ -1396,6 +1466,9 @@ class ExitIntentPlugin extends BasePlugin {
         this.exitIntentShown = false;
         this.pageLoadTime = 0;
         this.boundHandler = null;
+        /** SPA navigation — listen for PageViewPlugin's custom event instead of patching history */
+        this.navigationHandler = null;
+        this.popstateHandler = null;
     }
     init(tracker) {
         super.init(tracker);
@@ -1407,13 +1480,34 @@ class ExitIntentPlugin extends BasePlugin {
             this.boundHandler = this.handleMouseLeave.bind(this);
             document.addEventListener('mouseleave', this.boundHandler);
         }
+        if (typeof window !== 'undefined') {
+            // Listen for navigation events dispatched by PageViewPlugin
+            // instead of independently monkey-patching history.pushState
+            this.navigationHandler = () => this.resetForNavigation();
+            window.addEventListener('clianta:navigation', this.navigationHandler);
+            // Handle back/forward navigation
+            this.popstateHandler = () => this.resetForNavigation();
+            window.addEventListener('popstate', this.popstateHandler);
+        }
     }
     destroy() {
         if (this.boundHandler && typeof document !== 'undefined') {
             document.removeEventListener('mouseleave', this.boundHandler);
         }
+        if (this.navigationHandler && typeof window !== 'undefined') {
+            window.removeEventListener('clianta:navigation', this.navigationHandler);
+            this.navigationHandler = null;
+        }
+        if (this.popstateHandler && typeof window !== 'undefined') {
+            window.removeEventListener('popstate', this.popstateHandler);
+            this.popstateHandler = null;
+        }
         super.destroy();
     }
+    resetForNavigation() {
+        this.exitIntentShown = false;
+        this.pageLoadTime = Date.now();
+    }
     handleMouseLeave(e) {
         // Only trigger when mouse leaves from the top of the page
         if (e.clientY > 0 || this.exitIntentShown)
@@ -1641,6 +1735,8 @@ class PopupFormsPlugin extends BasePlugin {
         this.shownForms = new Set();
         this.scrollHandler = null;
         this.exitHandler = null;
+        this.delayTimers = [];
+        this.clickTriggerListeners = [];
     }
     async init(tracker) {
         super.init(tracker);
@@ -1655,6 +1751,14 @@ class PopupFormsPlugin extends BasePlugin {
     }
     destroy() {
         this.removeTriggers();
+        for (const timer of this.delayTimers) {
+            clearTimeout(timer);
+        }
+        this.delayTimers = [];
+        for (const { element, handler } of this.clickTriggerListeners) {
+            element.removeEventListener('click', handler);
+        }
+        this.clickTriggerListeners = [];
         super.destroy();
     }
     loadShownForms() {
@@ -1685,7 +1789,7 @@ class PopupFormsPlugin extends BasePlugin {
             return;
         const config = this.tracker.getConfig();
         const workspaceId = this.tracker.getWorkspaceId();
-        const apiEndpoint = config.apiEndpoint || 'https://api.clianta.online';
+        const apiEndpoint = config.apiEndpoint || 'http://localhost:5000';
         try {
             const url = encodeURIComponent(window.location.href);
             const response = await fetch(`${apiEndpoint}/api/public/lead-forms/${workspaceId}?url=${url}`);
@@ -1717,7 +1821,7 @@ class PopupFormsPlugin extends BasePlugin {
         this.forms.forEach(form => {
             switch (form.trigger.type) {
                 case 'delay':
-                    setTimeout(() => this.showForm(form), (form.trigger.value || 5) * 1000);
+                    this.delayTimers.push(setTimeout(() => this.showForm(form), (form.trigger.value || 5) * 1000));
                     break;
                 case 'scroll':
                     this.setupScrollTrigger(form);
@@ -1760,7 +1864,9 @@ class PopupFormsPlugin extends BasePlugin {
             return;
         const elements = document.querySelectorAll(form.trigger.selector);
         elements.forEach(el => {
-            el.addEventListener('click', () => this.showForm(form));
+            const handler = () => this.showForm(form);
+            el.addEventListener('click', handler);
+            this.clickTriggerListeners.push({ element: el, handler });
         });
     }
     removeTriggers() {
@@ -1788,7 +1894,7 @@ class PopupFormsPlugin extends BasePlugin {
         if (!this.tracker)
             return;
         const config = this.tracker.getConfig();
-        const apiEndpoint = config.apiEndpoint || 'https://api.clianta.online';
+        const apiEndpoint = config.apiEndpoint || 'http://localhost:5000';
         try {
             await fetch(`${apiEndpoint}/api/public/lead-forms/${formId}/view`, {
                 method: 'POST',
@@ -2035,7 +2141,7 @@ class PopupFormsPlugin extends BasePlugin {
         if (!this.tracker)
             return;
         const config = this.tracker.getConfig();
-        const apiEndpoint = config.apiEndpoint || 'https://api.clianta.online';
+        const apiEndpoint = config.apiEndpoint || 'http://localhost:5000';
         const visitorId = this.tracker.getVisitorId();
         // Collect form data
         const formData = new FormData(formElement);
@@ -2047,7 +2153,7 @@ class PopupFormsPlugin extends BasePlugin {
         const submitBtn = formElement.querySelector('button[type="submit"]');
         if (submitBtn) {
             submitBtn.disabled = true;
-            submitBtn.innerHTML = 'Submitting...';
+            submitBtn.textContent = 'Submitting...';
         }
         try {
             const response = await fetch(`${apiEndpoint}/api/public/lead-forms/${form._id}/submit`, {
@@ -2088,11 +2194,24 @@ class PopupFormsPlugin extends BasePlugin {
                 if (data.email) {
                     this.tracker?.identify(data.email, data);
                 }
-                // Redirect if configured
+                // Redirect if configured (validate URL to prevent open redirect)
                 if (form.redirectUrl) {
-                    setTimeout(() => {
-                        window.location.href = form.redirectUrl;
-                    }, 1500);
+                    try {
+                        const redirect = new URL(form.redirectUrl, window.location.origin);
+                        const isSameOrigin = redirect.origin === window.location.origin;
+                        const isSafeProtocol = redirect.protocol === 'https:' || redirect.protocol === 'http:';
+                        if (isSameOrigin || isSafeProtocol) {
+                            setTimeout(() => {
+                                window.location.href = redirect.href;
+                            }, 1500);
+                        }
+                        else {
+                            console.warn('[Clianta] Blocked unsafe redirect URL:', form.redirectUrl);
+                        }
+                    }
+                    catch {
+                        console.warn('[Clianta] Invalid redirect URL:', form.redirectUrl);
+                    }
                 }
                 // Close after delay
                 setTimeout(() => {
@@ -2107,7 +2226,7 @@ class PopupFormsPlugin extends BasePlugin {
             console.error('[Clianta] Form submit error:', error);
             if (submitBtn) {
                 submitBtn.disabled = false;
-                submitBtn.innerHTML = form.submitButtonText || 'Subscribe';
+                submitBtn.textContent = form.submitButtonText || 'Subscribe';
             }
         }
     }
@@ -2917,7 +3036,7 @@ class CRMClient {
      * The contact is upserted in the CRM and matching workflow automations fire automatically.
      *
      * @example
-     * const crm = new CRMClient('https://api.clianta.online', 'WORKSPACE_ID');
+     * const crm = new CRMClient('http://localhost:5000', 'WORKSPACE_ID');
      * crm.setApiKey('mm_live_...');
      *
      * await crm.sendEvent({
@@ -3438,6 +3557,114 @@ class CRMClient {
         });
     }
     // ============================================
+    // READ-BACK / DATA RETRIEVAL API
+    // ============================================
+    /**
+     * Get a contact by email address.
+     * Returns the first matching contact from a search query.
+     */
+    async getContactByEmail(email) {
+        this.validateRequired('email', email, 'getContactByEmail');
+        const queryParams = new URLSearchParams({ search: email, limit: '1' });
+        return this.request(`/api/workspaces/${this.workspaceId}/contacts?${queryParams.toString()}`);
+    }
+    /**
+     * Get activity timeline for a contact
+     */
+    async getContactActivity(contactId, params) {
+        this.validateRequired('contactId', contactId, 'getContactActivity');
+        const queryParams = new URLSearchParams();
+        if (params?.page)
+            queryParams.set('page', params.page.toString());
+        if (params?.limit)
+            queryParams.set('limit', params.limit.toString());
+        if (params?.type)
+            queryParams.set('type', params.type);
+        if (params?.startDate)
+            queryParams.set('startDate', params.startDate);
+        if (params?.endDate)
+            queryParams.set('endDate', params.endDate);
+        const query = queryParams.toString();
+        const endpoint = `/api/workspaces/${this.workspaceId}/contacts/${contactId}/activities${query ? `?${query}` : ''}`;
+        return this.request(endpoint);
+    }
+    /**
+     * Get engagement metrics for a contact (via their linked visitor data)
+     */
+    async getContactEngagement(contactId) {
+        this.validateRequired('contactId', contactId, 'getContactEngagement');
+        return this.request(`/api/workspaces/${this.workspaceId}/contacts/${contactId}/engagement`);
+    }
+    /**
+     * Get a full timeline for a contact including events, activities, and opportunities
+     */
+    async getContactTimeline(contactId, params) {
+        this.validateRequired('contactId', contactId, 'getContactTimeline');
+        const queryParams = new URLSearchParams();
+        if (params?.page)
+            queryParams.set('page', params.page.toString());
+        if (params?.limit)
+            queryParams.set('limit', params.limit.toString());
+        const query = queryParams.toString();
+        const endpoint = `/api/workspaces/${this.workspaceId}/contacts/${contactId}/timeline${query ? `?${query}` : ''}`;
+        return this.request(endpoint);
+    }
+    /**
+     * Search contacts with advanced filters
+     */
+    async searchContacts(query, filters) {
+        const queryParams = new URLSearchParams();
+        queryParams.set('search', query);
+        if (filters?.status)
+            queryParams.set('status', filters.status);
+        if (filters?.lifecycleStage)
+            queryParams.set('lifecycleStage', filters.lifecycleStage);
+        if (filters?.source)
+            queryParams.set('source', filters.source);
+        if (filters?.tags)
+            queryParams.set('tags', filters.tags.join(','));
+        if (filters?.page)
+            queryParams.set('page', filters.page.toString());
+        if (filters?.limit)
+            queryParams.set('limit', filters.limit.toString());
+        const qs = queryParams.toString();
+        const endpoint = `/api/workspaces/${this.workspaceId}/contacts${qs ? `?${qs}` : ''}`;
+        return this.request(endpoint);
+    }
+    // ============================================
+    // WEBHOOK MANAGEMENT API
+    // ============================================
+    /**
+     * List all webhook subscriptions
+     */
+    async listWebhooks(params) {
+        const queryParams = new URLSearchParams();
+        if (params?.page)
+            queryParams.set('page', params.page.toString());
+        if (params?.limit)
+            queryParams.set('limit', params.limit.toString());
+        const query = queryParams.toString();
+        return this.request(`/api/workspaces/${this.workspaceId}/webhooks${query ? `?${query}` : ''}`);
+    }
+    /**
+     * Create a new webhook subscription
+     */
+    async createWebhook(data) {
+        return this.request(`/api/workspaces/${this.workspaceId}/webhooks`, {
+            method: 'POST',
+            body: JSON.stringify(data),
+        });
+    }
+    /**
+     * Delete a webhook subscription
+     */
+    async deleteWebhook(webhookId) {
+        this.validateRequired('webhookId', webhookId, 'deleteWebhook');
+        return this.request(`/api/workspaces/${this.workspaceId}/webhooks/${webhookId}`, {
+            method: 'DELETE',
+        });
+    }
+    // ============================================
     // EVENT TRIGGERS API (delegated to triggers manager)
     // ============================================
     /**
@@ -3481,6 +3708,8 @@ class Tracker {
         this.contactId = null;
         /** Pending identify retry on next flush */
         this.pendingIdentify = null;
+        /** Registered event schemas for validation */
+        this.eventSchemas = new Map();
         if (!workspaceId) {
             throw new Error('[Clianta] Workspace ID is required');
         }
@@ -3506,6 +3735,16 @@ class Tracker {
         this.visitorId = this.createVisitorId();
         this.sessionId = this.createSessionId();
         logger.debug('IDs created', { visitorId: this.visitorId, sessionId: this.sessionId });
+        // Security warnings
+        if (this.config.apiEndpoint.startsWith('http://') &&
+            typeof window !== 'undefined' &&
+            !window.location.hostname.includes('localhost') &&
+            !window.location.hostname.includes('127.0.0.1')) {
+            logger.warn('apiEndpoint uses HTTP — events and visitor data will be sent unencrypted. Use HTTPS in production.');
+        }
+        if (this.config.apiKey && typeof window !== 'undefined') {
+            logger.warn('API key is exposed in client-side code. Use API keys only in server-side (Node.js) environments.');
+        }
         // Initialize plugins
         this.initPlugins();
         this.isInitialized = true;
@@ -3611,6 +3850,7 @@ class Tracker {
             properties: {
                 ...properties,
                 eventId: generateUUID(), // Unique ID for deduplication on retry
+                websiteDomain: typeof window !== 'undefined' ? window.location.hostname : undefined,
             },
             device: getDeviceInfo(),
             ...getUTMParams(),
@@ -3621,6 +3861,8 @@ class Tracker {
         if (this.contactId) {
             event.contactId = this.contactId;
         }
+        // Validate event against registered schema (debug mode only)
+        this.validateEventSchema(eventType, properties);
         // Check consent before tracking
         if (!this.consentManager.canTrack()) {
             // Buffer event for later if waitForConsent is enabled
@@ -3655,6 +3897,10 @@ class Tracker {
             logger.warn('Email is required for identification');
             return null;
         }
+        if (!isValidEmail(email)) {
+            logger.warn('Invalid email format, identification skipped:', email);
+            return null;
+        }
         logger.info('Identifying visitor:', email);
         const result = await this.transport.sendIdentify({
             workspaceId: this.workspaceId,
@@ -3689,6 +3935,83 @@ class Tracker {
         const client = new CRMClient(this.config.apiEndpoint, this.workspaceId, undefined, apiKey);
         return client.sendEvent(payload);
     }
+    /**
+     * Get the current visitor's profile from the CRM.
+     * Returns visitor data and linked contact info if identified.
+     * Only returns data for the current visitor (privacy-safe for frontend).
+     */
+    async getVisitorProfile() {
+        if (!this.isInitialized) {
+            logger.warn('SDK not initialized');
+            return null;
+        }
+        const result = await this.transport.fetchData(`/api/public/track/visitor/${this.workspaceId}/${this.visitorId}/profile`);
+        if (result.success && result.data) {
+            logger.debug('Visitor profile fetched:', result.data);
+            return result.data;
+        }
+        logger.warn('Failed to fetch visitor profile:', result.error);
+        return null;
+    }
+    /**
+     * Get the current visitor's recent activity/events.
+     * Returns paginated list of tracking events for this visitor.
+     */
+    async getVisitorActivity(options) {
+        if (!this.isInitialized) {
+            logger.warn('SDK not initialized');
+            return null;
+        }
+        const params = {};
+        if (options?.page)
+            params.page = options.page.toString();
+        if (options?.limit)
+            params.limit = options.limit.toString();
+        if (options?.eventType)
+            params.eventType = options.eventType;
+        if (options?.startDate)
+            params.startDate = options.startDate;
+        if (options?.endDate)
+            params.endDate = options.endDate;
+        const result = await this.transport.fetchData(`/api/public/track/visitor/${this.workspaceId}/${this.visitorId}/activity`, params);
+        if (result.success && result.data) {
+            return result.data;
+        }
+        logger.warn('Failed to fetch visitor activity:', result.error);
+        return null;
+    }
+    /**
+     * Get a summarized journey timeline for the current visitor.
+     * Includes top pages, sessions, time spent, and recent activities.
+     */
+    async getVisitorTimeline() {
+        if (!this.isInitialized) {
+            logger.warn('SDK not initialized');
+            return null;
+        }
+        const result = await this.transport.fetchData(`/api/public/track/visitor/${this.workspaceId}/${this.visitorId}/timeline`);
+        if (result.success && result.data) {
+            return result.data;
+        }
+        logger.warn('Failed to fetch visitor timeline:', result.error);
+        return null;
+    }
+    /**
+     * Get engagement metrics for the current visitor.
+     * Includes time on site, page views, bounce rate, and engagement score.
+     */
+    async getVisitorEngagement() {
+        if (!this.isInitialized) {
+            logger.warn('SDK not initialized');
+            return null;
+        }
+        const result = await this.transport.fetchData(`/api/public/track/visitor/${this.workspaceId}/${this.visitorId}/engagement`);
+        if (result.success && result.data) {
+            return result.data;
+        }
+        logger.warn('Failed to fetch visitor engagement:', result.error);
+        return null;
+    }
     /**
      * Retry pending identify call
      */
@@ -3718,6 +4041,59 @@ class Tracker {
         logger.enabled = enabled;
         logger.info(`Debug mode ${enabled ? 'enabled' : 'disabled'}`);
     }
+    /**
+     * Register a schema for event validation.
+     * When debug mode is enabled, events will be validated against registered schemas.
+     *
+     * @example
+     * tracker.registerEventSchema('purchase', {
+     *   productId: 'string',
+     *   price: 'number',
+     *   quantity: 'number',
+     * });
+     */
+    registerEventSchema(eventType, schema) {
+        this.eventSchemas.set(eventType, schema);
+        logger.debug('Event schema registered:', eventType);
+    }
+    /**
+     * Validate event properties against a registered schema (debug mode only)
+     */
+    validateEventSchema(eventType, properties) {
+        if (!this.config.debug)
+            return;
+        const schema = this.eventSchemas.get(eventType);
+        if (!schema)
+            return;
+        for (const [key, expectedType] of Object.entries(schema)) {
+            const value = properties[key];
+            if (value === undefined) {
+                logger.warn(`[Schema] Missing property "${key}" for event type "${eventType}"`);
+                continue;
+            }
+            let valid = false;
+            switch (expectedType) {
+                case 'string':
+                    valid = typeof value === 'string';
+                    break;
+                case 'number':
+                    valid = typeof value === 'number';
+                    break;
+                case 'boolean':
+                    valid = typeof value === 'boolean';
+                    break;
+                case 'object':
+                    valid = typeof value === 'object' && !Array.isArray(value);
+                    break;
+                case 'array':
+                    valid = Array.isArray(value);
+                    break;
+            }
+            if (!valid) {
+                logger.warn(`[Schema] Property "${key}" for event "${eventType}" expected ${expectedType}, got ${typeof value}`);
+            }
+        }
+    }
     /**
      * Get visitor ID
      */
@@ -3757,6 +4133,8 @@ class Tracker {
         resetIds(this.config.useCookies);
         this.visitorId = this.createVisitorId();
         this.sessionId = this.createSessionId();
+        this.contactId = null;
+        this.pendingIdentify = null;
         this.queue.clear();
     }
     /**
@@ -3798,6 +4176,86 @@ class Tracker {
         this.sessionId = this.createSessionId();
         logger.info('All user data deleted');
     }
+    // ============================================
+    // PUBLIC CRM METHODS (no API key required)
+    // ============================================
+    /**
+     * Create or update a contact by email (upsert).
+     * Secured by domain whitelist — no API key needed.
+     */
+    async createContact(data) {
+        return this.publicCrmRequest('/api/public/crm/contacts', 'POST', {
+            workspaceId: this.workspaceId,
+            ...data,
+        });
+    }
+    /**
+     * Update an existing contact by ID (limited fields only).
+     */
+    async updateContact(contactId, data) {
+        return this.publicCrmRequest(`/api/public/crm/contacts/${contactId}`, 'PUT', {
+            workspaceId: this.workspaceId,
+            ...data,
+        });
+    }
+    /**
+     * Submit a form — creates/updates contact from form data.
+     */
+    async submitForm(formId, data) {
+        const payload = {
+            ...data,
+            metadata: {
+                ...data.metadata,
+                visitorId: this.visitorId,
+                sessionId: this.sessionId,
+                pageUrl: typeof window !== 'undefined' ? window.location.href : undefined,
+                referrer: typeof document !== 'undefined' ? document.referrer || undefined : undefined,
+            },
+        };
+        return this.publicCrmRequest(`/api/public/crm/forms/${formId}/submit`, 'POST', payload);
+    }
+    /**
+     * Log an activity linked to a contact (append-only).
+     */
+    async logActivity(data) {
+        return this.publicCrmRequest('/api/public/crm/activities', 'POST', {
+            workspaceId: this.workspaceId,
+            ...data,
+        });
+    }
+    /**
+     * Create an opportunity (e.g., from "Request Demo" forms).
+     */
+    async createOpportunity(data) {
+        return this.publicCrmRequest('/api/public/crm/opportunities', 'POST', {
+            workspaceId: this.workspaceId,
+            ...data,
+        });
+    }
+    /**
+     * Internal helper for public CRM API calls.
+     */
+    async publicCrmRequest(path, method, body) {
+        const url = `${this.config.apiEndpoint}${path}`;
+        try {
+            const response = await fetch(url, {
+                method,
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(body),
+            });
+            const data = await response.json().catch(() => ({}));
+            if (response.ok) {
+                logger.debug(`Public CRM ${method} ${path} succeeded`);
+                return { success: true, data: data.data ?? data, status: response.status };
+            }
+            logger.error(`Public CRM ${method} ${path} failed (${response.status}):`, data.message);
+            return { success: false, error: data.message, status: response.status };
+        }
+        catch (error) {
+            logger.error(`Public CRM ${method} ${path} error:`, error);
+            return { success: false, error: error.message };
+        }
+    }
     /**
      * Destroy tracker and cleanup
      */
@@ -3891,7 +4349,7 @@ const CliantaContext = createContext(null);
  *
  * const config: CliantaConfig = {
  *   projectId: 'your-project-id',
- *   apiEndpoint: 'https://api.clianta.online',
+ *   apiEndpoint: process.env.NEXT_PUBLIC_CLIANTA_API_ENDPOINT || 'http://localhost:5000',
  *   debug: process.env.NODE_ENV === 'development',
  * };
  *
@@ -3906,7 +4364,9 @@ const CliantaContext = createContext(null);
  * </CliantaProvider>
  */
 function CliantaProvider({ config, children }) {
-    const trackerRef = useRef(null);
+    const [tracker, setTracker] = useState(null);
+    // Stable ref to projectId — the only value that truly identifies the tracker
+    const projectIdRef = useRef(config.projectId);
     useEffect(() => {
         // Initialize tracker with config
         const projectId = config.projectId;
@@ -3914,15 +4374,21 @@ function CliantaProvider({ config, children }) {
             console.error('[Clianta] Missing projectId in config. Please add projectId to your clianta.config.ts');
             return;
         }
+        // Only re-initialize if projectId actually changed
+        if (projectIdRef.current !== projectId) {
+            projectIdRef.current = projectId;
+        }
         // Extract projectId (handled separately) and pass rest as options
         const { projectId: _, ...options } = config;
-        trackerRef.current = clianta(projectId, options);
+        const instance = clianta(projectId, options);
+        setTracker(instance);
         // Cleanup: flush pending events on unmount
         return () => {
-            trackerRef.current?.flush();
+            instance?.flush();
         };
-    }, [config]);
-    return (jsx(CliantaContext.Provider, { value: trackerRef.current, children: children }));
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, [config.projectId]);
+    return (jsx(CliantaContext.Provider, { value: tracker, children: children }));
 }
 /**
  * useClianta - Hook to access tracker in any component