@dynamic-labs-sdk/client 0.25.0 → 0.25.1

package/dist/{getNetworkProviderFromNetworkId-5dK99mQR.esm.js → getNetworkProviderFromNetworkId-BRWuk0I8.native.esm.js}

@@ -1,9 +1,12 @@
-import { F as getDefaultClient, R as BaseError, c as CHAINS_INFO_MAP, k as assertDefined, u as __createApiClient_wrapped, w as instrumentFunction, z as getCore } from "./InvalidParamError-BiVmL7nM.esm.js";
-import { _ as __createRuntimeServiceAccessKey_wrapped, d as checkAndRaiseWalletAccountsChangedEvent, m as __getWalletProviderFromWalletAccount_wrapped, x as normalizeWalletNameWithChain } from "./getVerifiedCredentialForWalletAccount-ByUSFAHs.esm.js";
+import { F as getDefaultClient, M as CLIENT_SDK_NAME, O as isCookieEnabled, R as BaseError, c as CHAINS_INFO_MAP, k as assertDefined, u as __createApiClient_wrapped, w as instrumentFunction, z as getCore } from "./InvalidParamError-BDHw6nr1.native.esm.js";
+import { A as setCookie, _ as __createRuntimeServiceAccessKey_wrapped, d as checkAndRaiseWalletAccountsChangedEvent, k as emitEvent, m as __getWalletProviderFromWalletAccount_wrapped, p as DYNAMIC_AUTH_COOKIE_NAME, x as normalizeWalletNameWithChain, y as __getWalletAccounts_wrapped } from "./getVerifiedCredentialForWalletAccount-d_bHvLLE.native.esm.js";
 import { AuthModeEnum } from "@dynamic-labs/sdk-api-core";
 import * as z from "zod/mini";
+import AsyncStorage from "@react-native-async-storage/async-storage";
+import { getGenericPassword, resetGenericPassword, setGenericPassword } from "react-native-keychain";
 import { Buffer as Buffer$1 } from "buffer";
 import EventEmitter, { EventEmitter as EventEmitter$1 } from "eventemitter3";
+import { TurboModuleRegistry } from "react-native";
 
 //#region src/utils/isEqualShallow/isEqualShallow.ts
 /**
@@ -67,16 +70,84 @@ const __subscribeWithSelector_wrapped = instrumentFunction({
 });
 
 //#endregion
-//#region src/services/storage/createLocalStorageAdapter/createLocalStorageAdapter.ts
+//#region src/utils/retryOnFail/InvalidRetryOnFailCallError.ts
 /**
-* Creates a localStorage adapter
+* This error is thrown when the `retryOnFail` function is called with an invalid
+* number of retries (i.e. less than 0).
+*/
+var InvalidRetryOnFailCallError = class extends BaseError {
+	constructor(maxRetries) {
+		super({
+			cause: null,
+			code: "invalid_retry_on_fail_call_error",
+			docsUrl: null,
+			name: "InvalidRetryOnFailCallError",
+			shortMessage: `Invalid retries parameter for retryOnFail call: ${maxRetries}`
+		});
+	}
+};
+
+//#endregion
+//#region src/utils/retryOnFail/retryOnFail.ts
+/** @not-instrumented */
+const retryOnFail = async ({ delay = 0, fn, maxRetries }) => {
+	for (let retry = 0; retry <= maxRetries; retry++) try {
+		return await fn();
+	} catch (error) {
+		if (retry >= maxRetries) throw error;
+		if (delay > 0) await new Promise((resolve) => setTimeout(resolve, delay));
+	}
+	/**
+	* Reaching this point should never happen and this
+	* error is thrown to help us debug the issue.
+	*/
+	throw new InvalidRetryOnFailCallError(maxRetries);
+};
+
+//#endregion
+//#region src/modules/auth/isSignedIn/isSignedIn.ts
+/**
+* Checks if the user is currently signed in to the Dynamic client.
+*
+* The client is considered to be in a signed in state if a user has
+* authenticated or if the client has at least one wallet connected.
+*
+* @param [client] - The Dynamic client instance. Only required when using multiple Dynamic clients.
+* @returns True if the user is signed in, false otherwise.
+* @not-instrumented
+*/
+const isSignedIn = (client = getDefaultClient()) => Boolean(client.user || __getWalletAccounts_wrapped(client).length > 0);
+
+//#endregion
+//#region src/services/storage/createLocalStorageAdapter/createLocalStorageAdapter.native.ts
+const NAMESPACE = "dynamic";
+const namespaceKey = (key) => `${NAMESPACE}:${key}`;
+/**
+* Creates a localStorage adapter for React Native.
+* Routes operations based on the `storageTier` option:
+* - `'default'`: uses AsyncStorage
+* - `'secure'`: uses react-native-keychain
 * @instrumented
 */
-const createLocalStorageAdapter = () => ({
-	getItem: async (key) => localStorage.getItem(key),
-	removeItem: async (key) => localStorage.removeItem(key),
-	setItem: async (key, value) => localStorage.setItem(key, value)
-});
+const createLocalStorageAdapter = () => {
+	return {
+		getItem: async (key, options) => {
+			if (options.storageTier === "secure") {
+				const result = await getGenericPassword({ service: key });
+				if (!result) return null;
+				return result.password;
+			} else return AsyncStorage.getItem(namespaceKey(key));
+		},
+		removeItem: async (key, options) => {
+			if (options.storageTier === "secure") await resetGenericPassword({ service: key });
+			else await AsyncStorage.removeItem(namespaceKey(key));
+		},
+		setItem: async (key, value, options) => {
+			if (options.storageTier === "secure") await setGenericPassword(key, value, { service: key });
+			else await AsyncStorage.setItem(namespaceKey(key), value);
+		}
+	};
+};
 const __createLocalStorageAdapter_impl = createLocalStorageAdapter;
 const __createLocalStorageAdapter_wrapped = instrumentFunction({
 	fn: __createLocalStorageAdapter_impl,
@@ -144,14 +215,19 @@ const parseFromStorage = (value) => {
 //#endregion
 //#region src/services/storage/createStorage/createStorage.ts
 /**
-* Creates a Storage service to interact with storage adapter
+* Creates a Storage service to interact with storage adapter.
+* Reads the `storageTier` from each key's config and passes it
+* to the adapter on every operation, defaulting to `'default'`.
 * @instrumented
 */
 const createStorage = ({ prefix = "", storageAdapter }) => {
 	const getPrefixedKey = (key) => prefix ? `${prefix}_${key}` : key;
+	const getAdapterOptions = (storageTier) => ({ storageTier: storageTier ?? "default" });
 	return {
 		getItem: async (storageKeySchema) => {
-			const rawItem = await storageAdapter.getItem(getPrefixedKey(storageKeySchema.key));
+			const prefixedKey = getPrefixedKey(storageKeySchema.key);
+			const options = getAdapterOptions(storageKeySchema.config?.storageTier);
+			const rawItem = await storageAdapter.getItem(prefixedKey, options);
 			const parsedItem = rawItem ? parseFromStorage(rawItem) : null;
 			/**
 			* The item saved to localStorage may be malformed.
@@ -165,11 +241,11 @@ const createStorage = ({ prefix = "", storageAdapter }) => {
 			* The item saved to localStorage may be malformed.
 			* In this case, we remove it and return null.
 			*/
-			await storageAdapter.removeItem(getPrefixedKey(storageKeySchema.key));
+			await storageAdapter.removeItem(prefixedKey, options);
 			return null;
 		},
 		removeItem: async (storageKeySchema) => {
-			await storageAdapter.removeItem(getPrefixedKey(storageKeySchema.key));
+			await storageAdapter.removeItem(getPrefixedKey(storageKeySchema.key), getAdapterOptions(storageKeySchema.config?.storageTier));
 		},
 		setItem: async (storageKeySchema, value) => {
 			const parsed = storageKeySchema.schema.safeParse(value);
@@ -178,7 +254,7 @@ const createStorage = ({ prefix = "", storageAdapter }) => {
 				value: JSON.stringify(value)
 			});
 			const item = formatForStorage(parsed.data);
-			await storageAdapter.setItem(getPrefixedKey(storageKeySchema.key), item);
+			await storageAdapter.setItem(getPrefixedKey(storageKeySchema.key), item, getAdapterOptions(storageKeySchema.config?.storageTier));
 		}
 	};
 };
@@ -214,6 +290,64 @@ const __createStorageKeySchema_wrapped = instrumentFunction({
 	}
 });
 
+//#endregion
+//#region src/modules/projectSettings/fetchProjectSettings/projectSettingsExpirationScheme.ts
+/**
+* The schema to track the expiration time of the project settings.
+*/
+const projectSettingsExpirationStorageKeySchema = __createStorageKeySchema_wrapped({
+	key: "projectSettingsExpiration",
+	schema: z.number()
+});
+
+//#endregion
+//#region src/modules/projectSettings/fetchProjectSettings/fetchProjectSettings.ts
+/**
+* Expiration time of the project settings in milliseconds.
+*/
+const PROJECT_SETTINGS_EXPIRATION_TIME = 1e3 * 60 * 5;
+/**
+* Fetches and updates the project settings from the API.
+*
+* This function retrieves the latest project configuration settings
+* from Dynamic's servers, including authentication options, enabled chains,
+* and security configurations. The settings are cached for performance.
+*
+* @param [client] - The Dynamic client instance. Only required when using multiple Dynamic clients.
+* @returns A promise that resolves to the updated project settings.
+* @instrumented
+*/
+const fetchProjectSettings = async (client = getDefaultClient()) => {
+	const core = getCore(client);
+	const currentExpiration = await core.storage.getItem(projectSettingsExpirationStorageKeySchema);
+	if (Boolean(client.projectSettings) && !(currentExpiration && currentExpiration < Date.now()) && isSignedIn(client)) return client.projectSettings;
+	const apiClient = __createApiClient_wrapped({}, client);
+	core.logger.debug("[fetchProjectSettings] Fetching project settings...");
+	const doFetch = async () => apiClient.getEnvironmentSettings({
+		environmentId: core.environmentId,
+		sdkVersion: `${CLIENT_SDK_NAME}/${core.version}`
+	}, { credentials: "omit" });
+	const projectSettings = await retryOnFail({
+		fn: doFetch,
+		maxRetries: 2
+	});
+	core.state.set({ projectSettings: projectSettings ?? null });
+	await core.storage.setItem(projectSettingsExpirationStorageKeySchema, Date.now() + PROJECT_SETTINGS_EXPIRATION_TIME);
+	return projectSettings;
+};
+const __fetchProjectSettings_impl = fetchProjectSettings;
+const __fetchProjectSettings_wrapped = instrumentFunction({
+	fn: __fetchProjectSettings_impl,
+	functionName: "fetchProjectSettings",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
+
 //#endregion
 //#region src/modules/sessionKeys/generateSessionKeys/generateSessionKeys.ts
 /** @instrumented */
@@ -236,6 +370,115 @@ const __generateSessionKeys_wrapped = instrumentFunction({
 	}
 });
 
+//#endregion
+//#region src/modules/wallets/utils/getAvailableWalletProvidersFromWalletAccounts/getAvailableWalletProvidersFromWalletAccounts.ts
+/** @not-instrumented */
+const getAvailableWalletProvidersFromWalletAccounts = (client) => {
+	const core = getCore(client);
+	const walletProvidersMap = /* @__PURE__ */ new Map();
+	__getWalletAccounts_wrapped(client).forEach((walletAccount) => {
+		if (walletProvidersMap.has(walletAccount.walletProviderKey)) return;
+		try {
+			const walletProvider = __getWalletProviderFromWalletAccount_wrapped({ walletAccount }, client);
+			walletProvidersMap.set(walletAccount.walletProviderKey, walletProvider);
+		} catch (error) {
+			core.logger.debug("Wallet provider not found for wallet account", {
+				error,
+				walletAccount: walletAccount.address
+			});
+		}
+	});
+	return Array.from(walletProvidersMap.values());
+};
+
+//#endregion
+//#region src/modules/wallets/disconnectAndTerminateWalletProviders/disconnectAndTerminateWalletProviders.ts
+/**
+* Disconnect and terminate each wallet provider, if available.
+* @not-instrumented
+*/
+const disconnectAndTerminateWalletProviders = async ({ reason }, client) => {
+	const core = getCore(client);
+	const walletProviders = getAvailableWalletProvidersFromWalletAccounts(client);
+	await Promise.all(walletProviders.map(async (walletProvider) => {
+		if (walletProvider.terminate) await walletProvider.terminate({ reason });
+		if (walletProvider.disconnect) try {
+			await walletProvider.disconnect();
+		} catch (err) {
+			core.logger.error(`Error disconnecting from wallet ${walletProvider.key}`, err);
+		}
+	}));
+};
+
+//#endregion
+//#region src/modules/auth/logoutWithReason/logoutWithReason.ts
+/**
+* Logs the user out with an explicit reason.
+*
+* Revokes the session, clears auth state, terminates wallet providers, and
+* emits the `logout` client event with the given reason. The reason is also
+* captured as an argument on the function-instrumentation event, which is
+* how Datadog distinguishes between different logout causes.
+*
+* Use this instead of the public `logout` when triggering a logout from
+* internal or extension code — the caller owns the reason string, so the
+* telemetry correctly attributes *why* the logout happened.
+*
+* @param params - The logout params.
+* @param params.reason - Why the logout is being triggered. Extension authors
+*   needing a reason outside the SDK catalog can cast with `as LogoutReason`.
+* @param client - The Dynamic client instance.
+* @instrumented
+*/
+const logoutWithReason = async ({ reason }, client) => {
+	const core = getCore(client);
+	core.logger.debug("[logoutWithReason] Logging out...", { reason });
+	await disconnectAndTerminateWalletProviders({ reason }, client);
+	if (client.user !== null) {
+		const apiClient = __createApiClient_wrapped({}, client);
+		try {
+			await apiClient.revokeSession({ environmentId: core.environmentId });
+		} catch (error) {
+			core.logger.error("Failed to revoke session", error);
+		}
+		/**
+		* This deletes the auth cookie if it exists.
+		* If the cookie doesn't exist, this sets a new cookie that expires immediately.
+		*/
+		if (isCookieEnabled(client)) setCookie(`${DYNAMIC_AUTH_COOKIE_NAME}=; Max-Age=-99999999; path=/; SameSite=Lax`);
+	}
+	await core.keychain.removeKey("session");
+	core.state.set({
+		captchaToken: null,
+		elevatedAccessTokens: [],
+		legacyToken: null,
+		mfaToken: null,
+		sessionExpiresAt: null,
+		sessionKeys: null,
+		token: null,
+		unverifiedWalletAccounts: [],
+		user: null
+	});
+	emitEvent({
+		args: { reason },
+		event: "logout"
+	}, client);
+	__fetchProjectSettings_wrapped(client);
+	__generateSessionKeys_wrapped(client);
+};
+const __logoutWithReason_impl = logoutWithReason;
+const __logoutWithReason_wrapped = instrumentFunction({
+	fn: __logoutWithReason_impl,
+	functionName: "logoutWithReason",
+	getCore: () => {
+		try {
+			return getCore(getDefaultClient());
+		} catch {
+			return;
+		}
+	}
+});
+
 //#endregion
 //#region src/utils/getBuffer/getBuffer.ts
 /** @not-instrumented */
@@ -420,6 +663,49 @@ const __createLogger_wrapped = instrumentFunction({
 	}
 });
 
+//#endregion
+//#region src/errors/NativeModuleNotLinkedError.ts
+var NativeModuleNotLinkedError = class extends BaseError {
+	constructor({ moduleName }) {
+		super({
+			cause: null,
+			code: "native_module_not_linked_error",
+			details: [
+				`The "${moduleName}" TurboModule is not registered with React Native.`,
+				"This usually means the native module was not autolinked into the host app,",
+				"or the app binary was not rebuilt after installing the SDK.",
+				"",
+				"To resolve:",
+				"  1. Ensure \"@dynamic-labs-sdk/client\" is a direct dependency of the app",
+				"     and reinstall (e.g. `pnpm install`).",
+				"  2. Rebuild the native app:",
+				"       iOS:     `cd ios && pod install && cd .. && npx react-native run-ios`",
+				"       Android: `npx react-native run-android`",
+				"       Expo:    `npx expo prebuild --clean` then run the app.",
+				"  3. Confirm autolinking sees the package:",
+				"       `npx expo-modules-autolinking react-native-config --json`"
+			].join("\n"),
+			docsUrl: null,
+			name: "NativeModuleNotLinkedError",
+			shortMessage: `Native TurboModule "${moduleName}" is not linked.`
+		});
+	}
+};
+
+//#endregion
+//#region src/turboModules/NativeKeychain.ts
+var NativeKeychain_default = TurboModuleRegistry.getEnforcing("Keychain");
+
+//#endregion
+//#region src/utils/base64urlFromBytes/base64urlFromBytes.ts
+/**
+* Encodes a Uint8Array to a base64url string (RFC 4648 S5, no padding).
+* Used to encode binary data before sending to native modules over the bridge.
+*
+* @not-instrumented
+*/
+const base64urlFromBytes = (bytes) => btoa(String.fromCodePoint(...bytes)).replaceAll("+", "-").replaceAll("/", "_").replaceAll("=", "");
+
 //#endregion
 //#region src/utils/bufferToHex/bufferToHex.ts
 /**
@@ -428,6 +714,19 @@ const __createLogger_wrapped = instrumentFunction({
 */
 const bufferToHex = (buffer) => [...buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer)].map((x) => x.toString(16).padStart(2, "0")).join("");
 
+//#endregion
+//#region src/utils/bytesFromBase64url/bytesFromBase64url.ts
+/**
+* Decodes a base64url-encoded string (RFC 4648 S5, no padding) to a Uint8Array.
+* Used to decode binary data received from native modules over the bridge.
+*
+* @not-instrumented
+*/
+const bytesFromBase64url = (s) => {
+	const base64 = s.replaceAll("-", "+").replaceAll("_", "/");
+	return Uint8Array.from(atob(base64), (c) => c.codePointAt(0) ?? 0);
+};
+
 //#endregion
 //#region src/utils/compressRawPublicKey/compressRawPublicKey.ts
 /**
@@ -443,157 +742,125 @@ const compressRawPublicKey = (rawPublicKey) => {
 };
 
 //#endregion
-//#region src/services/keychain/createIndexedDBKeychainService/KeyNotFoundError.ts
-var KeyNotFoundError = class extends BaseError {
-	constructor(keyName) {
+//#region src/utils/derToP1363/InvalidDERSignatureError.ts
+var InvalidDERSignatureError = class extends BaseError {
+	constructor(message) {
 		super({
 			cause: null,
-			code: "key_not_found",
+			code: "invalid_der_signature_error",
 			docsUrl: null,
-			name: "KeyNotFoundError",
-			shortMessage: `Key "${keyName}" not found in keychain`
+			name: "InvalidDERSignatureError",
+			shortMessage: message
 		});
 	}
 };
 
 //#endregion
-//#region src/services/keychain/createIndexedDBKeychainService/utils/constants.ts
-const STORE_NAME = "keys";
-
-//#endregion
-//#region src/services/keychain/createIndexedDBKeychainService/utils/deleteIndexedDBItem.ts
-/** @not-instrumented */
-const deleteIndexedDBItem = (db, keyName) => new Promise((resolve, reject) => {
-	const request = db.transaction(STORE_NAME, "readwrite").objectStore(STORE_NAME).delete(keyName);
-	request.onsuccess = () => resolve();
-	request.onerror = () => reject(request.error);
-});
-
-//#endregion
-//#region src/services/keychain/createIndexedDBKeychainService/utils/getIndexedDBItem.ts
-/** @not-instrumented */
-const getIndexedDBItem = (db, keyName) => new Promise((resolve, reject) => {
-	const request = db.transaction(STORE_NAME, "readonly").objectStore(STORE_NAME).get(keyName);
-	request.onsuccess = () => resolve(request.result);
-	request.onerror = () => reject(request.error);
-});
-
-//#endregion
-//#region src/services/keychain/createIndexedDBKeychainService/utils/setIndexedDBItem.ts
-/** @not-instrumented */
-const setIndexedDBItem = (db, entry) => new Promise((resolve, reject) => {
-	const request = db.transaction(STORE_NAME, "readwrite").objectStore(STORE_NAME).put(entry);
-	request.onsuccess = () => resolve();
-	request.onerror = () => reject(request.error);
-});
+//#region src/utils/derToP1363/derToP1363.ts
+/**
+* Converts a DER/X9.62 encoded ECDSA signature to IEEE P1363 format (r || s).
+* Native secure enclaves produce DER-encoded signatures; the server expects P1363.
+*
+* @not-instrumented
+*/
+const derToP1363 = (der) => {
+	if (der.length < 8 || der[0] !== 48) throw new InvalidDERSignatureError("Invalid DER signature format");
+	let offset = 2;
+	if (offset >= der.length || der[offset] !== 2) throw new InvalidDERSignatureError("Invalid DER signature: missing r INTEGER tag");
+	offset += 1;
+	if (offset >= der.length) throw new InvalidDERSignatureError("Invalid DER signature: missing r length");
+	const rLen = der[offset];
+	offset += 1;
+	if (offset + rLen > der.length) throw new InvalidDERSignatureError("Invalid DER signature: r bytes out of bounds");
+	let rBytes = der.slice(offset, offset + rLen);
+	offset += rLen;
+	if (offset >= der.length || der[offset] !== 2) throw new InvalidDERSignatureError("Invalid DER signature: missing s INTEGER tag");
+	offset += 1;
+	if (offset >= der.length) throw new InvalidDERSignatureError("Invalid DER signature: missing s length");
+	const sLen = der[offset];
+	offset += 1;
+	if (offset + sLen > der.length) throw new InvalidDERSignatureError("Invalid DER signature: s bytes out of bounds");
+	let sBytes = der.slice(offset, offset + sLen);
+	if (rBytes.length === 33 && rBytes[0] === 0) rBytes = rBytes.slice(1);
+	if (sBytes.length === 33 && sBytes[0] === 0) sBytes = sBytes.slice(1);
+	const result = new Uint8Array(64);
+	result.set(rBytes, 32 - rBytes.length);
+	result.set(sBytes, 64 - sBytes.length);
+	return result;
+};
 
 //#endregion
-//#region src/services/keychain/createIndexedDBKeychainService/utils/openDatabase.ts
-/** @not-instrumented */
-const openDatabase = (dbName) => new Promise((resolve, reject) => {
-	const request = indexedDB.open(dbName, 1);
-	request.onupgradeneeded = () => {
-		const db = request.result;
-		if (!db.objectStoreNames.contains(STORE_NAME)) db.createObjectStore(STORE_NAME, { keyPath: "keyName" });
-	};
-	request.onsuccess = () => resolve(request.result);
-	request.onerror = () => reject(request.error);
-});
+//#region src/services/keychain/createKeychainService/ImportKeyNotSupportedError.ts
+var ImportKeyNotSupportedError = class extends BaseError {
+	constructor() {
+		super({
+			cause: null,
+			code: "import_key_not_supported_error",
+			details: "Hardware-backed keystores cannot import external private keys.",
+			docsUrl: null,
+			name: "ImportKeyNotSupportedError",
+			shortMessage: "importKey is not supported on React Native."
+		});
+	}
+};
 
 //#endregion
-//#region src/services/keychain/createIndexedDBKeychainService/utils/withDatabase/withDatabase.ts
-/**
-* Scopes a database connection to the lifetime of a callback.
-* Opens a connection, passes it to the operation, and guarantees
-* the connection is closed when the operation completes or throws.
-* @not-instrumented
-*/
-const withDatabase = async ({ dbName, operation }) => {
-	const db = await openDatabase(dbName);
-	try {
-		return await operation(db);
-	} finally {
-		db.close();
+//#region src/services/keychain/createKeychainService/KeyNotFoundError.ts
+var KeyNotFoundError = class extends BaseError {
+	constructor(keyName) {
+		super({
+			cause: null,
+			code: "key_not_found",
+			docsUrl: null,
+			name: "KeyNotFoundError",
+			shortMessage: `Key "${keyName}" not found in keychain`
+		});
 	}
 };
 
 //#endregion
-//#region src/services/keychain/createIndexedDBKeychainService/createIndexedDBKeychainService.ts
-const DEFAULT_DB_NAME = "dynamic_keychain";
-/** @instrumented */
-const createIndexedDBKeychainService = (params) => {
-	const dbName = params?.dbName ?? DEFAULT_DB_NAME;
+//#region src/services/keychain/createKeychainService/createKeychainService.native.ts
+/**
+* Creates a KeychainService backed by the platform's secure hardware
+* (iOS Secure Enclave / Android KeyStore with StrongBox or TEE).
+*
+* Keys are generated and stored inside the secure hardware and never
+* leave the device. The native module returns base64url-encoded data
+* which this wrapper converts to the hex format the SDK expects.
+*
+* @throws NativeModuleNotLinkedError if the native Keychain TurboModule is not available.
+*
+* @instrumented
+*/
+const createKeychainService = () => {
+	if (NativeKeychain_default == null) throw new NativeModuleNotLinkedError({ moduleName: "Keychain" });
+	const nativeModule = NativeKeychain_default;
 	const generateKey = async (keyName) => {
-		const keyPair = await crypto.subtle.generateKey({
-			name: "ECDSA",
-			namedCurve: "P-256"
-		}, false, ["sign"]);
-		const publicKeyHex = bufferToHex(compressRawPublicKey(await crypto.subtle.exportKey("raw", keyPair.publicKey)));
-		await withDatabase({
-			dbName,
-			operation: (db) => setIndexedDBItem(db, {
-				keyName,
-				privateKey: keyPair.privateKey,
-				publicKeyHex
-			})
-		});
-		return publicKeyHex;
+		return bufferToHex(compressRawPublicKey(bytesFromBase64url((await nativeModule.generateKeyPair(keyName)).publicKey).buffer));
 	};
-	const importKey = async (keyName, jwk) => {
-		const privateKey = await crypto.subtle.importKey("jwk", jwk, {
-			name: "ECDSA",
-			namedCurve: "P-256"
-		}, false, ["sign"]);
-		const publicJwk = {
-			crv: jwk.crv,
-			kty: jwk.kty,
-			x: jwk.x,
-			y: jwk.y
-		};
-		const publicCryptoKey = await crypto.subtle.importKey("jwk", publicJwk, {
-			name: "ECDSA",
-			namedCurve: "P-256"
-		}, true, ["verify"]);
-		const publicKeyHex = bufferToHex(compressRawPublicKey(await crypto.subtle.exportKey("raw", publicCryptoKey)));
-		await withDatabase({
-			dbName,
-			operation: (db) => setIndexedDBItem(db, {
-				keyName,
-				privateKey,
-				publicKeyHex
-			})
-		});
-		return publicKeyHex;
+	/**
+	* Importing external private keys is not supported on hardware-backed
+	* keystores (Secure Enclave / Android KeyStore). Keys must be generated
+	* on-device via generateKey().
+	*/
+	const importKey = () => {
+		throw new ImportKeyNotSupportedError();
 	};
 	const getPublicKey = async (keyName) => {
-		return (await withDatabase({
-			dbName,
-			operation: (db) => getIndexedDBItem(db, keyName)
-		}))?.publicKeyHex ?? null;
+		const result = await nativeModule.getPublicKey(keyName);
+		if (result == null) return null;
+		return bufferToHex(compressRawPublicKey(bytesFromBase64url(result.publicKey).buffer));
 	};
 	const sign = async (keyName, message) => {
-		const entry = await withDatabase({
-			dbName,
-			operation: (db) => getIndexedDBItem(db, keyName)
-		});
-		if (!entry) throw new KeyNotFoundError(keyName);
-		const data = new TextEncoder().encode(message);
-		return bufferToHex(await crypto.subtle.sign({
-			hash: { name: "SHA-256" },
-			name: "ECDSA"
-		}, entry.privateKey, data));
+		if (!await nativeModule.hasKey(keyName)) throw new KeyNotFoundError(keyName);
+		const base64urlPayload = base64urlFromBytes(new TextEncoder().encode(message));
+		return bufferToHex(derToP1363(bytesFromBase64url((await nativeModule.sign(keyName, base64urlPayload)).signature)));
 	};
 	const hasKey = async (keyName) => {
-		return await withDatabase({
-			dbName,
-			operation: (db) => getIndexedDBItem(db, keyName)
-		}) !== void 0;
+		return nativeModule.hasKey(keyName);
 	};
 	const removeKey = async (keyName) => {
-		await withDatabase({
-			dbName,
-			operation: (db) => deleteIndexedDBItem(db, keyName)
-		});
+		await nativeModule.deleteKey(keyName);
 	};
 	return {
 		generateKey,
@@ -604,18 +871,6 @@ const createIndexedDBKeychainService = (params) => {
 		sign
 	};
 };
-const __createIndexedDBKeychainService_impl = createIndexedDBKeychainService;
-const __createIndexedDBKeychainService_wrapped = instrumentFunction({
-	fn: __createIndexedDBKeychainService_impl,
-	functionName: "createIndexedDBKeychainService",
-	getCore: () => {
-		try {
-			return getCore(getDefaultClient());
-		} catch {
-			return;
-		}
-	}
-});
 
 //#endregion
 //#region src/errors/InvalidRealtimePublishError.ts
@@ -1298,5 +1553,5 @@ const __getNetworkProviderFromNetworkId_wrapped = instrumentFunction({
 });
 
 //#endregion
-export { REFRESH_USER_STATE_FROM_VALID_TOKEN_TRACKER_KEY as A, CrossTabBroadcastMessageSchema as C, GENERATE_SESSION_KEYS_TRACKER_KEY as D, FETCH_PROJECT_SETTINGS_TRACKER_KEY as E, __createStorage_wrapped as F, InvalidStorageSet as I, __createLocalStorageAdapter_wrapped as L, getBuffer as M, __generateSessionKeys_wrapped as N, INITIALIZE_STORAGE_SYNC_TRACKER_KEY as O, __createStorageKeySchema_wrapped as P, __subscribeWithSelector_wrapped as R, __createCrossTabBroadcast_wrapped as S, __createDeferredPromise_wrapped as T, WalletAlreadyLinkedToAnotherUserError as _, __updateWalletProviderKeysForVerifiedCredentials_wrapped as a, __createIndexedDBKeychainService_wrapped as b, __createSignInMessageStatement_wrapped as c, __createVisit_wrapped as d, hasExtension as f, isCaptchaRequired as g, __consumeCaptchaToken_wrapped as h, __getNetworksData_wrapped as i, isServerSideRendering as j, REFRESH_USER_STATE_FROM_COOKIE_TRACKER_KEY as k, formatSignInMessage as l, __setCaptchaToken_wrapped as m, __getNetworkProviders_wrapped as n, __verifyMessageSignatureOwnership_wrapped as o, __createRealtimeChannelSchema_wrapped as p, getNetworkProviderBuilderRegistry as r, __removeUnverifiedWalletAccount_wrapped as s, __getNetworkProviderFromNetworkId_wrapped as t, __setUnverifiedWalletAccounts_wrapped as u, NoNetworkProvidersError as v, CannotTrackError as w, __createLogger_wrapped as x, __createRealtimeService_wrapped as y, isEqualShallow as z };
-//# sourceMappingURL=getNetworkProviderFromNetworkId-5dK99mQR.esm.js.map
+export { REFRESH_USER_STATE_FROM_COOKIE_TRACKER_KEY as A, __createLocalStorageAdapter_wrapped as B, __createCrossTabBroadcast_wrapped as C, FETCH_PROJECT_SETTINGS_TRACKER_KEY as D, __createDeferredPromise_wrapped as E, __generateSessionKeys_wrapped as F, retryOnFail as H, __fetchProjectSettings_wrapped as I, __createStorageKeySchema_wrapped as L, isServerSideRendering as M, getBuffer as N, GENERATE_SESSION_KEYS_TRACKER_KEY as O, __logoutWithReason_wrapped as P, __createStorage_wrapped as R, __createLogger_wrapped as S, CannotTrackError as T, __subscribeWithSelector_wrapped as U, isSignedIn as V, isEqualShallow as W, WalletAlreadyLinkedToAnotherUserError as _, __updateWalletProviderKeysForVerifiedCredentials_wrapped as a, createKeychainService as b, __createSignInMessageStatement_wrapped as c, __createVisit_wrapped as d, hasExtension as f, isCaptchaRequired as g, __consumeCaptchaToken_wrapped as h, __getNetworksData_wrapped as i, REFRESH_USER_STATE_FROM_VALID_TOKEN_TRACKER_KEY as j, INITIALIZE_STORAGE_SYNC_TRACKER_KEY as k, formatSignInMessage as l, __setCaptchaToken_wrapped as m, __getNetworkProviders_wrapped as n, __verifyMessageSignatureOwnership_wrapped as o, __createRealtimeChannelSchema_wrapped as p, getNetworkProviderBuilderRegistry as r, __removeUnverifiedWalletAccount_wrapped as s, __getNetworkProviderFromNetworkId_wrapped as t, __setUnverifiedWalletAccounts_wrapped as u, NoNetworkProvidersError as v, CrossTabBroadcastMessageSchema as w, NativeModuleNotLinkedError as x, __createRealtimeService_wrapped as y, InvalidStorageSet as z };
+//# sourceMappingURL=getNetworkProviderFromNetworkId-BRWuk0I8.native.esm.js.map