@dynamic-labs/waas 4.88.6 → 4.90.0

package/CHANGELOG.md

@@ -1,4 +1,38 @@
 
+## [4.90.0](https://github.com/dynamic-labs/dynamic-auth/compare/v4.89.0...v4.90.0) (2026-06-19)
+
+
+### Features
+
+* add microsoft to social providers list ([#11631](https://github.com/dynamic-labs/dynamic-auth/issues/11631)) ([761b82d](https://github.com/dynamic-labs/dynamic-auth/commit/761b82dea2e2e86ec1c8b3fc8bab32ed72492132))
+* **sdk-react-core:** preconnect to waas iframe origin at auth-flow start ([#11549](https://github.com/dynamic-labs/dynamic-auth/issues/11549)) ([1bb810c](https://github.com/dynamic-labs/dynamic-auth/commit/1bb810c4eb3d592b43f62c1eaf5450a0e42981c9)), closes [dynamic-labs/dynamic-wallet-sdk#1314](https://github.com/dynamic-labs/dynamic-wallet-sdk/issues/1314)
+* **waas:** opt into SDK eager key-share recovery, drop host RECOVER loop (DYNT-1125) ([#11620](https://github.com/dynamic-labs/dynamic-auth/issues/11620)) ([4bef955](https://github.com/dynamic-labs/dynamic-auth/commit/4bef955b902a7e484ba8bd6323582843bb692a17))
+* **wallet-connector-core:** add isMidnightConnector util + Midnight interface hooks ([#11005](https://github.com/dynamic-labs/dynamic-auth/issues/11005)) ([55117a8](https://github.com/dynamic-labs/dynamic-auth/commit/55117a8cf59640d00b358f68be8df6b29231fab5))
+
+
+### Bug Fixes
+
+* **sdk-react-core:** gate smart-wallet init on user:basic scope ([#11624](https://github.com/dynamic-labs/dynamic-auth/issues/11624)) ([9f891a4](https://github.com/dynamic-labs/dynamic-auth/commit/9f891a46a191532acdd4a91b74c4586089ef0e1a)), closes [#11623](https://github.com/dynamic-labs/dynamic-auth/issues/11623) [#11623](https://github.com/dynamic-labs/dynamic-auth/issues/11623) [#11626](https://github.com/dynamic-labs/dynamic-auth/issues/11626)
+* **sdk-react-core:** search wallet list by metadata name in addition to connector name ([#11638](https://github.com/dynamic-labs/dynamic-auth/issues/11638)) ([a647614](https://github.com/dynamic-labs/dynamic-auth/commit/a647614bcba769e09ef59bf1ddb925ce9835842e))
+* **waas:** rebuild WaaS client on session change after step-up reauth ([#11581](https://github.com/dynamic-labs/dynamic-auth/issues/11581)) ([2b7093e](https://github.com/dynamic-labs/dynamic-auth/commit/2b7093e27f57f1dfcdd303361d436d9bf33e28a9))
+* **waas:** refuse to build WaaS client while auth scope is pending (createRooms 401 chokepoint) ([#11623](https://github.com/dynamic-labs/dynamic-auth/issues/11623)) ([08755f0](https://github.com/dynamic-labs/dynamic-auth/commit/08755f0bda2b74c7bcdff3d0ac9c228a5205ad6e)), closes [#11624](https://github.com/dynamic-labs/dynamic-auth/issues/11624)
+* **wallet-connect:** skip address comparison on reconnect when expectedAddress is empty ([#11639](https://github.com/dynamic-labs/dynamic-auth/issues/11639)) ([8d665cf](https://github.com/dynamic-labs/dynamic-auth/commit/8d665cf3bf1fb0e498d71f14cc8a53d91593c23d))
+
+## [4.89.0](https://github.com/dynamic-labs/dynamic-auth/compare/v4.88.6...v4.89.0) (2026-06-16)
+
+
+### Features
+
+* **moonpay:** add useMoonPayOnramp hook ([#11405](https://github.com/dynamic-labs/dynamic-auth/issues/11405)) ([48cb62f](https://github.com/dynamic-labs/dynamic-auth/commit/48cb62fefecb511fcba9359ee6f6096dfef0b125))
+
+
+### Bug Fixes
+
+* get wallet metadata from wallet-book when its present ([#11566](https://github.com/dynamic-labs/dynamic-auth/issues/11566)) ([a1a8ad5](https://github.com/dynamic-labs/dynamic-auth/commit/a1a8ad53c063157b189aea138fa338fcc67dc4dd))
+* **waas:** instant logout — clear key share host-side, background iframe cleanup ([#11583](https://github.com/dynamic-labs/dynamic-auth/issues/11583)) ([0ab3378](https://github.com/dynamic-labs/dynamic-auth/commit/0ab3378efdbbe233069b17fad62b0c126397bc3a))
+* **wagmi-connector:** await disconnect before connect to defuse SyncDynamicWagmi race DYNT-549 ([#11579](https://github.com/dynamic-labs/dynamic-auth/issues/11579)) ([6ac7c0e](https://github.com/dynamic-labs/dynamic-auth/commit/6ac7c0e02ed863342047bc5a1e60be3a66b8a425)), closes [#11131](https://github.com/dynamic-labs/dynamic-auth/issues/11131) [#11513](https://github.com/dynamic-labs/dynamic-auth/issues/11513) [#11516](https://github.com/dynamic-labs/dynamic-auth/issues/11516) [#11496](https://github.com/dynamic-labs/dynamic-auth/issues/11496) [#11513](https://github.com/dynamic-labs/dynamic-auth/issues/11513) [/github.com/dynamic-labs/dynamic-auth/blob/main/packages/wagmi-connector/src/lib/hooks/useConnectorId/useConnectorId.ts#L19-L26](https://github.com/dynamic-labs//github.com/dynamic-labs/dynamic-auth/blob/main/packages/wagmi-connector/src/lib/hooks/useConnectorId/useConnectorId.ts/issues/L19-L26) [#11131](https://github.com/dynamic-labs/dynamic-auth/issues/11131) [#11516](https://github.com/dynamic-labs/dynamic-auth/issues/11516) [#11513](https://github.com/dynamic-labs/dynamic-auth/issues/11513)
+* **react-native:** resolve intermittent "Wallet with id <uuid> not found" after login ([#11575](https://github.com/dynamic-labs/dynamic-auth/issues/11575)) ([9d7a246](https://github.com/dynamic-labs/dynamic-auth/commit/9d7a246167927b9339dc33c10977c6d12783ab88))
+
 ### [4.88.6](https://github.com/dynamic-labs/dynamic-auth/compare/v4.88.5...v4.88.6) (2026-06-13)
 
 

package/package.cjs

@@ -3,6 +3,6 @@
 
 Object.defineProperty(exports, '__esModule', { value: true });
 
-var version = "4.88.6";
+var version = "4.90.0";
 
 exports.version = version;

package/package.js

@@ -1,4 +1,4 @@
 'use client'
-var version = "4.88.6";
+var version = "4.90.0";
 
 export { version };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dynamic-labs/waas",
-  "version": "4.88.6",
+  "version": "4.90.0",
   "type": "module",
   "author": "Dynamic Labs, Inc.",
   "license": "MIT",
@@ -16,18 +16,18 @@
     "./package.json": "./package.json"
   },
   "dependencies": {
-    "@dynamic-labs-sdk/client": "1.8.2",
-    "@dynamic-labs/assert-package-version": "4.88.6",
-    "@dynamic-labs/sdk-api-core": "0.0.1015",
-    "@dynamic-labs-wallet/browser-wallet-client": "1.0.16",
-    "@dynamic-labs-wallet/forward-mpc-client": "0.10.1",
-    "@dynamic-labs/ethereum-core": "4.88.6",
-    "@dynamic-labs/logger": "4.88.6",
-    "@dynamic-labs/solana-core": "4.88.6",
-    "@dynamic-labs/sui-core": "4.88.6",
-    "@dynamic-labs/utils": "4.88.6",
-    "@dynamic-labs/wallet-book": "4.88.6",
-    "@dynamic-labs/wallet-connector-core": "4.88.6"
+    "@dynamic-labs-sdk/client": "1.12.1",
+    "@dynamic-labs/assert-package-version": "4.90.0",
+    "@dynamic-labs/sdk-api-core": "0.0.1046",
+    "@dynamic-labs-wallet/browser-wallet-client": "1.0.42",
+    "@dynamic-labs-wallet/forward-mpc-client": "0.12.0",
+    "@dynamic-labs/ethereum-core": "4.90.0",
+    "@dynamic-labs/logger": "4.90.0",
+    "@dynamic-labs/solana-core": "4.90.0",
+    "@dynamic-labs/sui-core": "4.90.0",
+    "@dynamic-labs/utils": "4.90.0",
+    "@dynamic-labs/wallet-book": "4.90.0",
+    "@dynamic-labs/wallet-connector-core": "4.90.0"
   },
   "peerDependencies": {}
 }

package/src/DynamicWaasMixin.cjs

@@ -11,7 +11,11 @@ var _package = require('../package.cjs');
 var constants = require('../utils/constants.cjs');
 var createWaasClientSecureStorage = require('../utils/createWaasClientSecureStorage.cjs');
 var instrumentation = require('../utils/instrumentation.cjs');
+var tokenHasPendingAuthScope = require('../utils/tokenHasPendingAuthScope.cjs');
 
+// Fallback error code used when a thrown value carries no code, or when
+// formatting the error itself fails.
+const UNKNOWN_ERROR_CODE = 'unknown';
 // This class is common across all waas connectors
 class WaasExportHandler {
     constructor() {
@@ -32,9 +36,6 @@ const withDynamicWaas = (BaseClass) => {
         setGetAuthTokenFunction(getAuthToken) {
             this.getAuthToken = getAuthToken;
         }
-        setOnUnauthorizedFunction(onUnauthorized) {
-            this.onUnauthorized = onUnauthorized;
-        }
         setWaasAuthMode(authMode) {
             this.authMode = authMode;
         }
@@ -191,14 +192,15 @@ const withDynamicWaas = (BaseClass) => {
                     baseClientKeysharesRelayApiUrl: this.baseClientKeysharesRelayApiUrl,
                     baseMPCRelayApiUrl: this.relayUrl || constants.DEFAULT_BASE_MPC_RELAY_API_URL,
                     chainName: this.chainName,
+                    // Opt into the SDK self-driving eager key-share recovery on auth-token
+                    // arrival, so the host no longer runs its own per-wallet RECOVER loop.
+                    eagerlyRecoverKeyShares: true,
                     environmentId: this.environmentId,
                     sdkVersion: _package.version,
-                }, Object.assign(Object.assign(Object.assign({}, (utils.PlatformService.isWaasSecureStorageSupported
+                }, Object.assign(Object.assign({}, (utils.PlatformService.isWaasSecureStorageSupported
                     ? { secureStorage: createWaasClientSecureStorage.createWaasClientSecureStorage() }
                     : {})), (this.getSignedSessionId
                     ? { getSignedSessionId: this.getSignedSessionId }
-                    : {})), (this.onUnauthorized
-                    ? { onUnauthorized: this.onUnauthorized }
                     : {})));
                 this.instrumentAsync({
                     context: traceContext,
@@ -209,9 +211,29 @@ const withDynamicWaas = (BaseClass) => {
                 return client;
             });
         }
-        getWaasWalletClient(traceContext) {
-            return _tslib.__awaiter(this, void 0, void 0, function* () {
+        getWaasWalletClient(traceContext_1) {
+            return _tslib.__awaiter(this, arguments, void 0, function* (traceContext, { forceRebuild = false } = {}) {
+                var _a;
+                // forceRebuild drops the cached client so the iframe re-auths with the
+                // fresh session (e.g. after a step-up reauth) instead of 401-ing on the
+                // stale cached token. Callers must only force a rebuild when a token is
+                // available (see getWaasWalletConnector's live-token guard); otherwise
+                // createDynamicWaasClient would throw "Auth token is required".
+                if (forceRebuild) {
+                    this.dynamicWaasClient = undefined;
+                }
                 if (!this.dynamicWaasClient) {
+                    // Chokepoint: never build + initialize the iframe client while the auth
+                    // token is still pending MFA/KYC/device registration. The iframe's
+                    // init-time room-cache pre-warm fires `createRooms` using the token
+                    // captured at construction — before any per-operation token resync
+                    // exists to correct it. Built during the pending window, that pre-warm
+                    // 401s and trips the iframe's unauthorized → forced-logout path. Every
+                    // WaaS caller funnels through here, so this single guard covers auto
+                    // wallet creation, ZeroDev smart-wallet init, getWallet, etc.
+                    if (tokenHasPendingAuthScope.tokenHasPendingAuthScope((_a = this.getAuthToken) === null || _a === void 0 ? void 0 : _a.call(this))) {
+                        throw new utils.WaasAuthScopePendingError();
+                    }
                     this.dynamicWaasClient = yield this.createDynamicWaasClient(traceContext);
                 }
                 return this.dynamicWaasClient;
@@ -609,9 +631,18 @@ const withDynamicWaas = (BaseClass) => {
         }
         endSession(reason) {
             return _tslib.__awaiter(this, void 0, void 0, function* () {
-                const waasClient = yield this.getWaasWalletClient();
-                if (!waasClient) {
-                    return;
+                // Building the wallet client requires an auth token (createDynamicWaasClient
+                // throws in header auth mode when none is present); the new scope guard in
+                // getWaasWalletClient also throws during pending-auth (MFA/KYC/device). On
+                // logout we must not let either throw abort logout — the security-critical
+                // key share removal below does not need the client. Only the iframe cleanup
+                // does, so we proceed without it if the client can't be obtained.
+                let waasClient;
+                try {
+                    waasClient = yield this.getWaasWalletClient();
+                }
+                catch (error) {
+                    this.instrument('[endSession] getWaasWalletClient failed; proceeding', Object.assign({ key: 'endSession-getClient-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
                 }
                 // When a session token expires, we preserve key shares in storage instead
                 // of clearing them. Customers with short-lived sessions (minutes) were
@@ -624,7 +655,32 @@ const withDynamicWaas = (BaseClass) => {
                 // in. On explicit user-initiated logout, shares are always cleared for
                 // security.
                 if (reason !== 'token-expired') {
-                    yield waasClient.cleanup();
+                    // Clear the MPC key share directly on the host's local secure storage.
+                    // This is fast and guaranteed, independent of the iframe round-trip
+                    // cleanup below — whose request-channel timeout (plus a recovery retry)
+                    // can block logout for ~10s on slow devices where secureStorage is slow
+                    // to ACK. Awaited because it is a local operation (milliseconds).
+                    const accountAddress = yield this.getActiveAccountAddress();
+                    if (accountAddress) {
+                        try {
+                            yield createWaasClientSecureStorage.createWaasClientSecureStorage().removeClientKeyShare(accountAddress);
+                        }
+                        catch (error) {
+                            this.instrument('[endSession] direct key share removal failed', Object.assign({ key: 'endSession-removeClientKeyShare-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
+                        }
+                    }
+                    // Tear down the iframe and run its best-effort storage cleanup in the
+                    // background so logout returns immediately instead of blocking on the
+                    // iframe cleanup's request-channel timeout. The iframe handler already
+                    // swallows its own errors, and the DOM teardown obsoletes anything it
+                    // misses. Promise.resolve guards against a non-promise return in tests.
+                    // Skipped when the client could not be built/obtained (no token, or
+                    // pending-auth scope guard) — there is no iframe to tear down then.
+                    if (waasClient) {
+                        void Promise.resolve(waasClient.cleanup()).catch((error) => {
+                            this.instrument('[endSession] background iframe cleanup failed', Object.assign({ key: 'endSession-cleanup-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
+                        });
+                    }
                 }
                 this.dynamicWaasClient = undefined;
             });
@@ -661,6 +717,33 @@ const withDynamicWaas = (BaseClass) => {
                 .map((byte) => byte.toString(16).padStart(2, '0'))
                 .join('');
         }
+        /**
+         * Normalizes an unknown thrown value into the error fields used across
+         * instrumentation so callers don't re-derive them at each catch site.
+         *
+         * Wrapped in try/catch: this is best-effort logging, and a value that
+         * resists formatting (e.g. an object whose toString throws) must never
+         * turn a log line into an exception that blocks the calling flow such as
+         * logout.
+         *
+         * `public` (not `private`) because the TS `private` keyword can't be used
+         * on this mixin's exported class expression (TS4094), and ECMAScript
+         * `#private` isn't supported by the package's Jest/Babel transform. It is
+         * internal-only despite the modifier — same constraint as `instrument`.
+         */
+        buildErrorInstrumentContext(error) {
+            var _a, _b;
+            try {
+                return {
+                    errorCode: (_a = error === null || error === void 0 ? void 0 : error.code) !== null && _a !== void 0 ? _a : UNKNOWN_ERROR_CODE,
+                    errorMessage: error instanceof Error ? error.message : String(error),
+                    errorType: (_b = error === null || error === void 0 ? void 0 : error.constructor) === null || _b === void 0 ? void 0 : _b.name,
+                };
+            }
+            catch (_c) {
+                return { errorCode: UNKNOWN_ERROR_CODE };
+            }
+        }
         /**
          * Helper method to instrument with automatic properties inclusion
          */
@@ -676,7 +759,6 @@ const withDynamicWaas = (BaseClass) => {
         }
         instrumentAsync(_a) {
             return _tslib.__awaiter(this, arguments, void 0, function* ({ operation, resource, fn, context, }) {
-                var _b, _c;
                 const timing = new instrumentation.InstrumentationTimer(context === null || context === void 0 ? void 0 : context.startTime);
                 if (context === null || context === void 0 ? void 0 : context.stepStartTime) {
                     timing.setStepStartTime(context.stepStartTime);
@@ -693,11 +775,7 @@ const withDynamicWaas = (BaseClass) => {
                 catch (error) {
                     const isUserRejection = error instanceof utils.UserRejectedRequestError ||
                         (error === null || error === void 0 ? void 0 : error.code) === 'user_rejected_request';
-                    const errorContext = {
-                        errorCode: (_b = error === null || error === void 0 ? void 0 : error.code) !== null && _b !== void 0 ? _b : 'unknown',
-                        errorMessage: error instanceof Error ? error.message : String(error),
-                        errorType: (_c = error === null || error === void 0 ? void 0 : error.constructor) === null || _c === void 0 ? void 0 : _c.name,
-                    };
+                    const errorContext = this.buildErrorInstrumentContext(error);
                     if (isUserRejection) {
                         // User-initiated cancellations are expected — debug only, no backend noise
                         this.logger.debug(`[${operation}] ${resource} - cancelled`, Object.assign(Object.assign({ key: `${resource}-cancelled`, operation, stepTime: timing.getStepElapsed(), time: timing.getElapsed() }, context), errorContext));

package/src/DynamicWaasMixin.d.ts

@@ -23,7 +23,6 @@ export declare const withDynamicWaas: <T extends abstract new (...args: any[]) =
     getElevatedAccessToken?: ((props: {
         scope: TokenScope;
     }) => Promise<string | undefined>) | undefined;
-    onUnauthorized?: (() => void | Promise<void>) | undefined;
     environmentId?: string | undefined;
     baseApiUrl?: string | undefined;
     relayUrl?: string | undefined;
@@ -35,7 +34,6 @@ export declare const withDynamicWaas: <T extends abstract new (...args: any[]) =
     __exportHandler: WaasExportHandler;
     validateActiveWallet(expectedAddress: string): Promise<void>;
     setGetAuthTokenFunction(getAuthToken: () => string): void;
-    setOnUnauthorizedFunction(onUnauthorized: () => void | Promise<void>): void;
     setWaasAuthMode(authMode: 'cookie' | 'header'): void;
     setGetMfaTokenFunction(getMfaToken: (props?: {
         mfaAction?: MFAAction;
@@ -76,7 +74,9 @@ export declare const withDynamicWaas: <T extends abstract new (...args: any[]) =
         password?: string;
     }): Promise<void>;
     createDynamicWaasClient(traceContext?: TraceContext): Promise<DynamicWalletClient>;
-    getWaasWalletClient(traceContext?: TraceContext): Promise<DynamicWalletClient>;
+    getWaasWalletClient(traceContext?: TraceContext, { forceRebuild }?: {
+        forceRebuild?: boolean;
+    }): Promise<DynamicWalletClient>;
     createWalletAccount({ thresholdSignatureScheme, password, bitcoinConfig, }?: {
         thresholdSignatureScheme?: string;
         password?: string;
@@ -166,6 +166,29 @@ export declare const withDynamicWaas: <T extends abstract new (...args: any[]) =
      */
     getConnectedAccounts(): Promise<string[]>;
     generateTraceId(): string;
+    /**
+     * Normalizes an unknown thrown value into the error fields used across
+     * instrumentation so callers don't re-derive them at each catch site.
+     *
+     * Wrapped in try/catch: this is best-effort logging, and a value that
+     * resists formatting (e.g. an object whose toString throws) must never
+     * turn a log line into an exception that blocks the calling flow such as
+     * logout.
+     *
+     * `public` (not `private`) because the TS `private` keyword can't be used
+     * on this mixin's exported class expression (TS4094), and ECMAScript
+     * `#private` isn't supported by the package's Jest/Babel transform. It is
+     * internal-only despite the modifier — same constraint as `instrument`.
+     */
+    buildErrorInstrumentContext(error: unknown): {
+        errorCode: string | import("@dynamic-labs/utils").ErrorCode;
+        errorMessage: string;
+        errorType: string | undefined;
+    } | {
+        errorCode: string;
+        errorMessage?: undefined;
+        errorType?: undefined;
+    };
     /**
      * Helper method to instrument with automatic properties inclusion
      */

package/src/DynamicWaasMixin.js

@@ -2,12 +2,16 @@
 import { __awaiter } from '../_virtual/_tslib.js';
 import { DynamicWalletClient } from '@dynamic-labs-wallet/browser-wallet-client';
 import { MFAAction, TokenScope } from '@dynamic-labs/sdk-api-core';
-import { DynamicError, UserRejectedRequestError, PlatformService } from '@dynamic-labs/utils';
+import { DynamicError, UserRejectedRequestError, PlatformService, WaasAuthScopePendingError } from '@dynamic-labs/utils';
 import { version } from '../package.js';
 import { DEFAULT_BASE_API_URL, DEFAULT_BASE_MPC_RELAY_API_URL } from '../utils/constants.js';
 import { createWaasClientSecureStorage } from '../utils/createWaasClientSecureStorage.js';
 import { InstrumentationTimer } from '../utils/instrumentation.js';
+import { tokenHasPendingAuthScope } from '../utils/tokenHasPendingAuthScope.js';
 
+// Fallback error code used when a thrown value carries no code, or when
+// formatting the error itself fails.
+const UNKNOWN_ERROR_CODE = 'unknown';
 // This class is common across all waas connectors
 class WaasExportHandler {
     constructor() {
@@ -28,9 +32,6 @@ const withDynamicWaas = (BaseClass) => {
         setGetAuthTokenFunction(getAuthToken) {
             this.getAuthToken = getAuthToken;
         }
-        setOnUnauthorizedFunction(onUnauthorized) {
-            this.onUnauthorized = onUnauthorized;
-        }
         setWaasAuthMode(authMode) {
             this.authMode = authMode;
         }
@@ -187,14 +188,15 @@ const withDynamicWaas = (BaseClass) => {
                     baseClientKeysharesRelayApiUrl: this.baseClientKeysharesRelayApiUrl,
                     baseMPCRelayApiUrl: this.relayUrl || DEFAULT_BASE_MPC_RELAY_API_URL,
                     chainName: this.chainName,
+                    // Opt into the SDK self-driving eager key-share recovery on auth-token
+                    // arrival, so the host no longer runs its own per-wallet RECOVER loop.
+                    eagerlyRecoverKeyShares: true,
                     environmentId: this.environmentId,
                     sdkVersion: version,
-                }, Object.assign(Object.assign(Object.assign({}, (PlatformService.isWaasSecureStorageSupported
+                }, Object.assign(Object.assign({}, (PlatformService.isWaasSecureStorageSupported
                     ? { secureStorage: createWaasClientSecureStorage() }
                     : {})), (this.getSignedSessionId
                     ? { getSignedSessionId: this.getSignedSessionId }
-                    : {})), (this.onUnauthorized
-                    ? { onUnauthorized: this.onUnauthorized }
                     : {})));
                 this.instrumentAsync({
                     context: traceContext,
@@ -205,9 +207,29 @@ const withDynamicWaas = (BaseClass) => {
                 return client;
             });
         }
-        getWaasWalletClient(traceContext) {
-            return __awaiter(this, void 0, void 0, function* () {
+        getWaasWalletClient(traceContext_1) {
+            return __awaiter(this, arguments, void 0, function* (traceContext, { forceRebuild = false } = {}) {
+                var _a;
+                // forceRebuild drops the cached client so the iframe re-auths with the
+                // fresh session (e.g. after a step-up reauth) instead of 401-ing on the
+                // stale cached token. Callers must only force a rebuild when a token is
+                // available (see getWaasWalletConnector's live-token guard); otherwise
+                // createDynamicWaasClient would throw "Auth token is required".
+                if (forceRebuild) {
+                    this.dynamicWaasClient = undefined;
+                }
                 if (!this.dynamicWaasClient) {
+                    // Chokepoint: never build + initialize the iframe client while the auth
+                    // token is still pending MFA/KYC/device registration. The iframe's
+                    // init-time room-cache pre-warm fires `createRooms` using the token
+                    // captured at construction — before any per-operation token resync
+                    // exists to correct it. Built during the pending window, that pre-warm
+                    // 401s and trips the iframe's unauthorized → forced-logout path. Every
+                    // WaaS caller funnels through here, so this single guard covers auto
+                    // wallet creation, ZeroDev smart-wallet init, getWallet, etc.
+                    if (tokenHasPendingAuthScope((_a = this.getAuthToken) === null || _a === void 0 ? void 0 : _a.call(this))) {
+                        throw new WaasAuthScopePendingError();
+                    }
                     this.dynamicWaasClient = yield this.createDynamicWaasClient(traceContext);
                 }
                 return this.dynamicWaasClient;
@@ -605,9 +627,18 @@ const withDynamicWaas = (BaseClass) => {
         }
         endSession(reason) {
             return __awaiter(this, void 0, void 0, function* () {
-                const waasClient = yield this.getWaasWalletClient();
-                if (!waasClient) {
-                    return;
+                // Building the wallet client requires an auth token (createDynamicWaasClient
+                // throws in header auth mode when none is present); the new scope guard in
+                // getWaasWalletClient also throws during pending-auth (MFA/KYC/device). On
+                // logout we must not let either throw abort logout — the security-critical
+                // key share removal below does not need the client. Only the iframe cleanup
+                // does, so we proceed without it if the client can't be obtained.
+                let waasClient;
+                try {
+                    waasClient = yield this.getWaasWalletClient();
+                }
+                catch (error) {
+                    this.instrument('[endSession] getWaasWalletClient failed; proceeding', Object.assign({ key: 'endSession-getClient-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
                 }
                 // When a session token expires, we preserve key shares in storage instead
                 // of clearing them. Customers with short-lived sessions (minutes) were
@@ -620,7 +651,32 @@ const withDynamicWaas = (BaseClass) => {
                 // in. On explicit user-initiated logout, shares are always cleared for
                 // security.
                 if (reason !== 'token-expired') {
-                    yield waasClient.cleanup();
+                    // Clear the MPC key share directly on the host's local secure storage.
+                    // This is fast and guaranteed, independent of the iframe round-trip
+                    // cleanup below — whose request-channel timeout (plus a recovery retry)
+                    // can block logout for ~10s on slow devices where secureStorage is slow
+                    // to ACK. Awaited because it is a local operation (milliseconds).
+                    const accountAddress = yield this.getActiveAccountAddress();
+                    if (accountAddress) {
+                        try {
+                            yield createWaasClientSecureStorage().removeClientKeyShare(accountAddress);
+                        }
+                        catch (error) {
+                            this.instrument('[endSession] direct key share removal failed', Object.assign({ key: 'endSession-removeClientKeyShare-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
+                        }
+                    }
+                    // Tear down the iframe and run its best-effort storage cleanup in the
+                    // background so logout returns immediately instead of blocking on the
+                    // iframe cleanup's request-channel timeout. The iframe handler already
+                    // swallows its own errors, and the DOM teardown obsoletes anything it
+                    // misses. Promise.resolve guards against a non-promise return in tests.
+                    // Skipped when the client could not be built/obtained (no token, or
+                    // pending-auth scope guard) — there is no iframe to tear down then.
+                    if (waasClient) {
+                        void Promise.resolve(waasClient.cleanup()).catch((error) => {
+                            this.instrument('[endSession] background iframe cleanup failed', Object.assign({ key: 'endSession-cleanup-failed', time: 0 }, this.buildErrorInstrumentContext(error)));
+                        });
+                    }
                 }
                 this.dynamicWaasClient = undefined;
             });
@@ -657,6 +713,33 @@ const withDynamicWaas = (BaseClass) => {
                 .map((byte) => byte.toString(16).padStart(2, '0'))
                 .join('');
         }
+        /**
+         * Normalizes an unknown thrown value into the error fields used across
+         * instrumentation so callers don't re-derive them at each catch site.
+         *
+         * Wrapped in try/catch: this is best-effort logging, and a value that
+         * resists formatting (e.g. an object whose toString throws) must never
+         * turn a log line into an exception that blocks the calling flow such as
+         * logout.
+         *
+         * `public` (not `private`) because the TS `private` keyword can't be used
+         * on this mixin's exported class expression (TS4094), and ECMAScript
+         * `#private` isn't supported by the package's Jest/Babel transform. It is
+         * internal-only despite the modifier — same constraint as `instrument`.
+         */
+        buildErrorInstrumentContext(error) {
+            var _a, _b;
+            try {
+                return {
+                    errorCode: (_a = error === null || error === void 0 ? void 0 : error.code) !== null && _a !== void 0 ? _a : UNKNOWN_ERROR_CODE,
+                    errorMessage: error instanceof Error ? error.message : String(error),
+                    errorType: (_b = error === null || error === void 0 ? void 0 : error.constructor) === null || _b === void 0 ? void 0 : _b.name,
+                };
+            }
+            catch (_c) {
+                return { errorCode: UNKNOWN_ERROR_CODE };
+            }
+        }
         /**
          * Helper method to instrument with automatic properties inclusion
          */
@@ -672,7 +755,6 @@ const withDynamicWaas = (BaseClass) => {
         }
         instrumentAsync(_a) {
             return __awaiter(this, arguments, void 0, function* ({ operation, resource, fn, context, }) {
-                var _b, _c;
                 const timing = new InstrumentationTimer(context === null || context === void 0 ? void 0 : context.startTime);
                 if (context === null || context === void 0 ? void 0 : context.stepStartTime) {
                     timing.setStepStartTime(context.stepStartTime);
@@ -689,11 +771,7 @@ const withDynamicWaas = (BaseClass) => {
                 catch (error) {
                     const isUserRejection = error instanceof UserRejectedRequestError ||
                         (error === null || error === void 0 ? void 0 : error.code) === 'user_rejected_request';
-                    const errorContext = {
-                        errorCode: (_b = error === null || error === void 0 ? void 0 : error.code) !== null && _b !== void 0 ? _b : 'unknown',
-                        errorMessage: error instanceof Error ? error.message : String(error),
-                        errorType: (_c = error === null || error === void 0 ? void 0 : error.constructor) === null || _c === void 0 ? void 0 : _c.name,
-                    };
+                    const errorContext = this.buildErrorInstrumentContext(error);
                     if (isUserRejection) {
                         // User-initiated cancellations are expected — debug only, no backend noise
                         this.logger.debug(`[${operation}] ${resource} - cancelled`, Object.assign(Object.assign({ key: `${resource}-cancelled`, operation, stepTime: timing.getStepElapsed(), time: timing.getElapsed() }, context), errorContext));

package/utils/tokenHasPendingAuthScope.cjs

@@ -0,0 +1,55 @@
+'use client'
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var sdkApiCore = require('@dynamic-labs/sdk-api-core');
+
+// Scopes that mean the user has not finished authenticating (MFA / KYC /
+// device registration still pending). A JWT carrying any of these has not
+// upgraded to `user:basic`, and the WaaS backend rejects calls made with it
+// (e.g. createRooms) with a 401.
+//
+// Note `user:basic` and `waasBackupToken` are intentionally NOT in this list:
+// backup / recovery flows legitimately run with a `waasBackupToken` scope, so
+// only the pending-auth scopes below should block WaaS client creation.
+const PENDING_AUTH_SCOPES = [
+    sdkApiCore.JwtScope.RequiresAdditionalAuth,
+    sdkApiCore.JwtScope.UserDataForm,
+    sdkApiCore.JwtScope.Deviceregister,
+];
+const decodeScope = (authToken) => {
+    const payload = authToken === null || authToken === void 0 ? void 0 : authToken.split('.')[1];
+    if (!payload) {
+        return undefined;
+    }
+    try {
+        return JSON.parse(atob(payload)).scope;
+    }
+    catch (_a) {
+        return undefined;
+    }
+};
+/**
+ * Returns true when the auth token still carries a pending-authentication
+ * scope (`requiresAdditionalAuth` / `userDataForm` / `device:register`).
+ *
+ * The WaaS iframe's API client is a shared, mutable axios instance. The token
+ * captured at client construction is what the init-time room-cache pre-warm
+ * `createRooms` uses — it runs before any per-operation token resync. So if the
+ * client is built during this pending window, that pre-warm fires with the
+ * stale pre-`user:basic` token and 401s; the iframe reports the 401 back to the
+ * host, which force-logs-out the user. Callers must therefore refuse to build
+ * the client until the token clears (the vulnerable window is construction +
+ * init, not the whole client lifetime).
+ *
+ * A token with no decodable scope is treated as not-pending (returns false):
+ * the backend remains the source of truth and will reject anything invalid.
+ */
+const tokenHasPendingAuthScope = (authToken) => {
+    var _a, _b;
+    const scopes = (_b = (_a = decodeScope(authToken)) === null || _a === void 0 ? void 0 : _a.split(' ')) !== null && _b !== void 0 ? _b : [];
+    return scopes.some((scope) => PENDING_AUTH_SCOPES.includes(scope));
+};
+
+exports.tokenHasPendingAuthScope = tokenHasPendingAuthScope;

package/utils/tokenHasPendingAuthScope.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Returns true when the auth token still carries a pending-authentication
+ * scope (`requiresAdditionalAuth` / `userDataForm` / `device:register`).
+ *
+ * The WaaS iframe's API client is a shared, mutable axios instance. The token
+ * captured at client construction is what the init-time room-cache pre-warm
+ * `createRooms` uses — it runs before any per-operation token resync. So if the
+ * client is built during this pending window, that pre-warm fires with the
+ * stale pre-`user:basic` token and 401s; the iframe reports the 401 back to the
+ * host, which force-logs-out the user. Callers must therefore refuse to build
+ * the client until the token clears (the vulnerable window is construction +
+ * init, not the whole client lifetime).
+ *
+ * A token with no decodable scope is treated as not-pending (returns false):
+ * the backend remains the source of truth and will reject anything invalid.
+ */
+export declare const tokenHasPendingAuthScope: (authToken?: string) => boolean;

package/utils/tokenHasPendingAuthScope.js

@@ -0,0 +1,51 @@
+'use client'
+import { JwtScope } from '@dynamic-labs/sdk-api-core';
+
+// Scopes that mean the user has not finished authenticating (MFA / KYC /
+// device registration still pending). A JWT carrying any of these has not
+// upgraded to `user:basic`, and the WaaS backend rejects calls made with it
+// (e.g. createRooms) with a 401.
+//
+// Note `user:basic` and `waasBackupToken` are intentionally NOT in this list:
+// backup / recovery flows legitimately run with a `waasBackupToken` scope, so
+// only the pending-auth scopes below should block WaaS client creation.
+const PENDING_AUTH_SCOPES = [
+    JwtScope.RequiresAdditionalAuth,
+    JwtScope.UserDataForm,
+    JwtScope.Deviceregister,
+];
+const decodeScope = (authToken) => {
+    const payload = authToken === null || authToken === void 0 ? void 0 : authToken.split('.')[1];
+    if (!payload) {
+        return undefined;
+    }
+    try {
+        return JSON.parse(atob(payload)).scope;
+    }
+    catch (_a) {
+        return undefined;
+    }
+};
+/**
+ * Returns true when the auth token still carries a pending-authentication
+ * scope (`requiresAdditionalAuth` / `userDataForm` / `device:register`).
+ *
+ * The WaaS iframe's API client is a shared, mutable axios instance. The token
+ * captured at client construction is what the init-time room-cache pre-warm
+ * `createRooms` uses — it runs before any per-operation token resync. So if the
+ * client is built during this pending window, that pre-warm fires with the
+ * stale pre-`user:basic` token and 401s; the iframe reports the 401 back to the
+ * host, which force-logs-out the user. Callers must therefore refuse to build
+ * the client until the token clears (the vulnerable window is construction +
+ * init, not the whole client lifetime).
+ *
+ * A token with no decodable scope is treated as not-pending (returns false):
+ * the backend remains the source of truth and will reject anything invalid.
+ */
+const tokenHasPendingAuthScope = (authToken) => {
+    var _a, _b;
+    const scopes = (_b = (_a = decodeScope(authToken)) === null || _a === void 0 ? void 0 : _a.split(' ')) !== null && _b !== void 0 ? _b : [];
+    return scopes.some((scope) => PENDING_AUTH_SCOPES.includes(scope));
+};
+
+export { tokenHasPendingAuthScope };