@getpara/core-sdk 3.0.0-alpha.1 → 3.0.0

package/dist/esm/ParaCore.js

@@ -8,7 +8,7 @@ import {
   __spreadProps,
   __spreadValues
 } from "./chunk-7B52C2XE.js";
-var _stateManager, _authService, _walletService, _externalWalletService, _pregenWalletService, _pollingService, _portalUrlService, _sessionManagementService, _debugLogsEnabled, _ParaCore_instances, assertPartner_fn, toAuthInfo_fn, _servicesInitialized, assertIsLinkingAccount_fn, assertIsLinkingAccountOrStart_fn, waitForLoginProcess_fn, logout_fn;
+var _stateManager, _authService, _walletService, _externalWalletService, _pregenWalletService, _pollingService, _portalUrlService, _sessionManagementService, _debugLogsEnabled, _configChangeListeners, _ParaCore_instances, notifyConfigChange_fn, _sdkConfigOverrides, _configMemo, warnPartnerConfigDrift_fn, configWithoutSdkOverrides_fn, assertPartner_fn, toAuthInfo_fn, _servicesInitialized, assertIsLinkingAccount_fn, assertIsLinkingAccountOrStart_fn, waitForLoginProcess_fn, waitForLoginProcessImpl_fn, logout_fn;
 import { Buffer as NodeBuffer } from "buffer";
 if (typeof global !== "undefined") {
   global.Buffer = global.Buffer || NodeBuffer;
@@ -29,7 +29,7 @@ import {
 import forge from "node-forge";
 const { pki, jsbn } = forge;
 import { decryptWithPrivateKey, getAsymmetricKeyPair } from "./cryptography/utils.js";
-import { initClient } from "./external/userManagementClient.js";
+import { getBaseUrl, initClient } from "./external/userManagementClient.js";
 import * as mpcComputationClient from "./external/mpcComputationClient.js";
 import {
   Environment,
@@ -44,12 +44,16 @@ import {
   getParaConnectBaseUrl,
   jsonParse,
   migrateWallet,
+  mergePartnerAppConfig,
+  partnerToAppConfigLayer,
+  DEFAULT_PARTNER_APP_CONFIG,
   setupListeners,
   WalletSchemeTypeMap,
   isPortal
 } from "./utils/index.js";
 import { waitForAuthStateChange } from "./utils/stateListener.js";
-import { warnPregenDeprecation } from "./utils/deprecation.js";
+import { warnOnce } from "./utils/deprecation.js";
+import { assertConfigAllowed } from "./utils/partnerConfigGating.js";
 import { TransactionReviewDenied, TransactionReviewTimeout } from "./errors.js";
 import * as constants from "./constants.js";
 import { EnclaveClient } from "./shares/enclave.js";
@@ -61,6 +65,10 @@ import { PregenWalletService } from "./services/PregenWalletService.js";
 import { PortalUrlService } from "./services/PortalUrlService.js";
 import { SessionManagementService } from "./services/SessionManagementService.js";
 import { ExternalWalletService } from "./services/ExternalWalletService.js";
+import { wrapWithSpan } from "./telemetry/tracer.js";
+import { setCurrentUserId } from "./telemetry/uxStateSpanProcessor.js";
+import { initTelemetry } from "./telemetry/init.js";
+import { recordActionOnSpan } from "./telemetry/uxAction.js";
 const _ParaCore = class _ParaCore {
   constructor(envOrApiKey, apiKeyOrOpts, opts) {
     __privateAdd(this, _ParaCore_instances);
@@ -77,6 +85,28 @@ const _ParaCore = class _ParaCore {
     this.isSwitchingWallets = false;
     this.isNativePasskey = false;
     this.isSetup = false;
+    // Notified whenever an input to `paraCore.config` changes — either the
+    // partner record (via `getPartner`) or the SDK override layer (via
+    // `setSdkConfigOverrides`). One signal covers both async-load and
+    // runtime-mutation cases, so consumers wire one subscription.
+    __privateAdd(this, _configChangeListeners, /* @__PURE__ */ new Set());
+    /**
+     * Phase 3 — SDK-side override layer applied on top of the partner layer.
+     *
+     *   merge chain: defaults ⊕ ecosystem (future) ⊕ partner ⊕ #sdkConfigOverrides
+     *
+     * Initialized from `ConstructorOpts.configOverrides`. Mutable post-construction
+     * via `setSdkConfigOverrides` so reactive callers (e.g. `ParaProviderMin`'s
+     * `configOverrides` prop) can update it without rebuilding the ParaCore
+     * instance.
+     *
+     * Typed `Partial<SdkOverridableAppConfig>` — security/posture fields
+     * (`supportedAuthMethods`, `authConfig.twoFactorAuthEnabled`, etc.) are
+     * excluded at compile time, so no caller path can override them.
+     */
+    __privateAdd(this, _sdkConfigOverrides);
+    /** Memoization for the `config` getter — invalidates on partner / overrides identity change. */
+    __privateAdd(this, _configMemo);
     this.accountLinkInProgress = void 0;
     this.isWorkerInitialized = false;
     this.onRampPopup = void 0;
@@ -161,17 +191,45 @@ const _ParaCore = class _ParaCore {
       }
       throw err;
     });
-    this.wrapMethodsWithErrorTracking = (methodNames) => {
-      for (const methodName of methodNames) {
+    // Each wrapped method becomes one named span. wrapWithSpan handles recordException +
+    // ERROR status; the legacy /errors/sdk POST stays in trackError as a fallback during
+    // the cutover window — PR D removes it once we verify span error coverage in prod.
+    // Until telemetry is initialized (cold-start window before partner-config arrives),
+    // wrapWithSpan delegates to a no-op tracer so spans are dropped without overhead.
+    // The original method MUST be invoked inside wrapWithSpan's callback so its async
+    // chain (Promises, setTimeout, fetch) is created under the active-span context.
+    // Calling original.apply BEFORE wrapWithSpan starts the work in the root Zone —
+    // child spans then root independently because Zone.js can't trace context through
+    // Promises that were already in flight when the active span was set. All currently
+    // wrapped methods are async, so always returning a Promise here is safe.
+    this.wrapMethodsWithTracing = (entries) => {
+      for (const entry of entries) {
+        const methodName = typeof entry === "string" ? entry : entry.method;
+        const uxTargetId = typeof entry === "string" ? void 0 : entry.uxTargetId;
         const original = this[methodName];
         if (typeof original === "function") {
           this[methodName] = (...args) => {
-            try {
-              const result = original.apply(this, args);
-              return result instanceof Promise ? result.catch((err) => this.trackError(methodName, err)) : result;
-            } catch (err) {
-              return this.trackError(methodName, err);
-            }
+            var _a;
+            const attrs = __spreadValues({
+              "para.platform": this.platformUtils.sdkType,
+              "para.sdk_version": _ParaCore.version
+            }, ((_a = this.partner) == null ? void 0 : _a.id) ? { "para.partner_id": this.partner.id } : {});
+            return wrapWithSpan(
+              methodName,
+              (span) => __async(this, null, function* () {
+                if (!uxTargetId) return original.apply(this, args);
+                let outcome = "success";
+                try {
+                  return yield original.apply(this, args);
+                } catch (err) {
+                  outcome = "error";
+                  throw err;
+                } finally {
+                  recordActionOnSpan(span, uxTargetId, outcome);
+                }
+              }),
+              attrs
+            ).catch((err) => this.trackError(methodName, err));
           };
         }
       }
@@ -347,6 +405,7 @@ const _ParaCore = class _ParaCore {
     }
     if (!opts) opts = {};
     __privateSet(this, _debugLogsEnabled, !!opts.enableDebugLogs);
+    __privateSet(this, _sdkConfigOverrides, opts.configOverrides);
     const isE2E = env === "E2E" || envOrApiKey === "E2E";
     if (isE2E && env !== Environment.SANDBOX) {
       env = Environment.SANDBOX;
@@ -439,19 +498,32 @@ const _ParaCore = class _ParaCore {
     this.initializeFromStorage();
     setupListeners.bind(this)();
     autoBind(this);
-    this.wrapMethodsWithErrorTracking([
+    this.wrapMethodsWithTracing([
       "signUpOrLogIn",
+      // Methods marked with uxTargetId double as user-perceived UX actions —
+      // the wrap stamps ui.target_id / ui.outcome and emits a
+      // ui.action.completed event so the action's existing span IS the
+      // user-perceived measurement. No separate orphan span needed.
+      { method: "authenticateWithEmailOrPhone", uxTargetId: "sign-in" },
+      "authenticateWithOAuth",
       "verifyNewAccount",
+      "resendVerificationCode",
       "waitForLogin",
       "waitForSignup",
       "waitForWalletCreation",
       "verifyOAuth",
       "verifyTelegram",
       "verifyFarcaster",
+      "connectExternalWallet",
+      "loginExternalWallet",
+      "verifyExternalWallet",
+      "createWallet",
+      "createWalletPerType",
       "createPregenWallet",
       "claimPregenWallets",
       "signMessage",
-      "signTransaction"
+      "signTransaction",
+      "logout"
     ]);
     __privateGet(this, _stateManager).start();
   }
@@ -579,6 +651,25 @@ const _ParaCore = class _ParaCore {
     });
     return () => unsubscribe();
   }
+  /**
+   * Subscribe to changes in any input to `paraCore.config`:
+   *   - partner record updates (lazy load after a failed eager fetch, etc.)
+   *   - SDK override layer replacement (`setSdkConfigOverrides`)
+   *
+   * The callback fires after the relevant state has settled; subscribers
+   * should re-read `paraCore.config` to get the new merged value. Returns
+   * an unsubscribe function.
+   *
+   * Used by the React layer to bump its reactive `paraConfigVersion`
+   * counter; non-React consumers (server SDK, telemetry, etc.) can wire
+   * the same signal to invalidate their caches.
+   */
+  onConfigChange(callback) {
+    __privateGet(this, _configChangeListeners).add(callback);
+    return () => {
+      __privateGet(this, _configChangeListeners).delete(callback);
+    };
+  }
   get authInfo() {
     var _a;
     return (_a = __privateGet(this, _authService)) == null ? void 0 : _a.authInfo;
@@ -605,6 +696,73 @@ const _ParaCore = class _ParaCore {
   get externalWalletConnectionType() {
     return __privateGet(this, _externalWalletService).externalWalletConnectionType;
   }
+  /**
+   * Resolved partner app config: partner ⊕ SDK overrides.
+   * Read-only view; safe to call before `getPartner` returns (yields `{}` via
+   * the merge of no layers).
+   *
+   * Memoized on `(this.partner, this.#sdkConfigOverrides)` identity. Multiple
+   * consumers read this (assertConfigAllowed at 9 sites, PortalUrlService,
+   * ExternalWalletWrapper); without memoization each access re-allocates a
+   * fresh merged object graph. Cache invalidates whenever `this.partner` is
+   * replaced (via getPartner) or `setSdkConfigOverrides` is called.
+   */
+  get config() {
+    if (__privateGet(this, _configMemo) && __privateGet(this, _configMemo).partner === this.partner && __privateGet(this, _configMemo).overrides === __privateGet(this, _sdkConfigOverrides)) {
+      return __privateGet(this, _configMemo).result;
+    }
+    const partnerLayer = this.partner ? partnerToAppConfigLayer(this.partner) : void 0;
+    const result = mergePartnerAppConfig(DEFAULT_PARTNER_APP_CONFIG, partnerLayer, __privateGet(this, _sdkConfigOverrides));
+    __privateSet(this, _configMemo, { partner: this.partner, overrides: __privateGet(this, _sdkConfigOverrides), result });
+    return result;
+  }
+  /**
+   * Read-only accessor for the raw partner record. Returns `undefined` until
+   * `getPartner` resolves (typically during `setup()`).
+   *
+   * The vast majority of partner-driven UX should consume `this.config`
+   * instead — that layer applies SDK overrides, exposes a stable shape, and
+   * is memoized. Use this getter only for fields that live on `PartnerEntity`
+   * but aren't promoted onto `PartnerAppConfig` (e.g. `logoUrl`, internal
+   * policy state). Whatever this returns is exactly what the public
+   * `getPartner(id)` API resolved on the last fetch — no additional
+   * processing.
+   */
+  get partnerRecord() {
+    return this.partner;
+  }
+  /**
+   * Replace the SDK-side override layer. Generic surface — any post-construction
+   * caller (React provider, server-sdk, custom integration) can update overrides
+   * without rebuilding the ParaCore instance.
+   *
+   * Replaces wholesale (last writer wins). Pass undefined to clear.
+   */
+  setSdkConfigOverrides(overrides) {
+    __privateSet(this, _sdkConfigOverrides, overrides);
+    __privateSet(this, _configMemo, void 0);
+    __privateMethod(this, _ParaCore_instances, notifyConfigChange_fn).call(this);
+  }
+  /**
+   * Read the raw SDK override layer (NOT the merged config). Used by analytics
+   * to distinguish "what the consumer passed" from "what the resolver
+   * produced." For the resolved view, use `paraCore.config`.
+   *
+   * @internal — analytics-only. App code should read `paraCore.config` instead;
+   *   this getter exposes pre-merge values that can change shape across
+   *   versions without notice.
+   *
+   * @remarks Redaction contract — any analytics consumer dispatching this
+   *   value to an external sink MUST sanitize first. Specifically `rpcUrl`
+   *   commonly embeds API keys (Alchemy `/v2/<key>`, Infura `/v3/<key>`).
+   *   Today the React modal owns redaction in
+   *   `react-sdk-lite/src/modal/ParaModal.tsx` (`sanitizeSdkConfigOverridesForAnalytics`).
+   *   When Phase 7's non-React analytics lands here, lift that helper next
+   *   to this getter so all consumers share one sanitizer.
+   */
+  get sdkConfigOverrides() {
+    return __privateGet(this, _sdkConfigOverrides);
+  }
   get userId() {
     var _a;
     return (_a = __privateGet(this, _authService)) == null ? void 0 : _a.userId;
@@ -694,6 +852,27 @@ const _ParaCore = class _ParaCore {
     var _a;
     return (_a = this.partner) == null ? void 0 : _a.cosmosPrefix;
   }
+  /**
+   * Auth methods the partner has enabled. Read off the raw partner record —
+   * partner-authoritative and excluded from `SdkOverridableAppConfig`, so it
+   * does NOT participate in the override merge chain.
+   *
+   * Named `supportedAuthMethodsList` (not `supportedAuthMethods`) to avoid
+   * colliding with the existing protected async `supportedAuthMethods(auth)`
+   * method that performs a backend lookup. Different concept, different shape.
+   */
+  get supportedAuthMethodsList() {
+    var _a, _b;
+    return (_b = (_a = this.partner) == null ? void 0 : _a.supportedAuthMethods) != null ? _b : [AuthMethod.BASIC_LOGIN];
+  }
+  /**
+   * Balance display config from the partner record. Partner-authoritative;
+   * excluded from `SdkOverridableAppConfig`.
+   */
+  get balancesConfig() {
+    var _a;
+    return (_a = this.partner) == null ? void 0 : _a.balancesConfig;
+  }
   get supportedAccountLinks() {
     var _a, _b;
     return (_b = (_a = this.partner) == null ? void 0 : _a.supportedAccountLinks) != null ? _b : [...LINKED_ACCOUNT_TYPES];
@@ -950,6 +1129,9 @@ const _ParaCore = class _ParaCore {
       },
       get accountLinkInProgress() {
         return self2.accountLinkInProgress;
+      },
+      get config() {
+        return self2.config;
       }
     };
   }
@@ -1325,6 +1507,29 @@ const _ParaCore = class _ParaCore {
       }
       const res = yield this.ctx.client.getPartner(partnerId);
       this.partner = res.data.partner;
+      __privateMethod(this, _ParaCore_instances, warnPartnerConfigDrift_fn).call(this);
+      __privateMethod(this, _ParaCore_instances, notifyConfigChange_fn).call(this);
+      const telemetry = res.data.partner.telemetry;
+      if ((telemetry == null ? void 0 : telemetry.enabled) && this.ctx.env) {
+        void initTelemetry({
+          tunnelUrl: `${getBaseUrl(this.ctx.env)}telemetry`,
+          sampleRate: telemetry.sample_rate,
+          sdkType: this.platformUtils.sdkType,
+          sdkVersion: _ParaCore.version,
+          partnerId: this.partner.id,
+          // Only true in DEV — adds localhost to the trace-propagation allow-list
+          // so FE → local user-management requests carry traceparent. Never set in
+          // sandbox/beta/prod, where localhost shouldn't appear in our request URLs.
+          isDev: this.ctx.env === Environment.DEV,
+          // Portal pages run the same ParaCore code path as the partner-app SDK, but
+          // they're a different process boundary (popup/iframe) and a different surface
+          // for ops to debug. Pass through the portal posture so initTelemetry can stamp
+          // the right `service.name` and split SDK-side vs portal-side spans in the
+          // backend. Uses the class-level isPortal() (same logic the rest of the SDK
+          // gates portal-only paths on).
+          isPortal: this.isPortal()
+        });
+      }
       return this.partner;
     });
   }
@@ -1350,15 +1555,30 @@ const _ParaCore = class _ParaCore {
       if (!wallet) {
         throw new Error("wallet not found");
       }
-      if (wallet.scheme !== "DKLS") {
-        throw new Error("invalid wallet scheme");
-      }
-      return yield this.platformUtils.getPrivateKey(
-        this.ctx,
-        this.userId,
-        wallet.id,
-        wallet.signer,
-        this.retrieveSessionCookie()
+      return wrapWithSpan(
+        "mpc.export",
+        () => __async(this, null, function* () {
+          if (wallet.scheme === "ED25519") {
+            return yield this.platformUtils.getED25519PrivateKey(
+              this.ctx,
+              this.userId,
+              wallet.id,
+              wallet.signer,
+              this.retrieveSessionCookie()
+            );
+          }
+          if (wallet.scheme !== "DKLS") {
+            throw new Error("invalid wallet scheme");
+          }
+          return yield this.platformUtils.getPrivateKey(
+            this.ctx,
+            this.userId,
+            wallet.id,
+            wallet.signer,
+            this.retrieveSessionCookie()
+          );
+        }),
+        { "wallet.scheme": wallet.scheme, "wallet.id": wallet.id, "wallet.type": wallet.type }
       );
     });
   }
@@ -1413,6 +1633,19 @@ const _ParaCore = class _ParaCore {
       return yield __privateGet(this, _authService).signExternalWalletVerification(params);
     });
   }
+  // Direct-to-wallet sign for an external-wallet user who's already authenticated.
+  // The signExternalWalletVerification() path above dispatches a state-machine event
+  // that's only handled from the `awaiting_wallet_signature` state — after login
+  // the machine has moved past that, so the event is silently dropped and the
+  // wallet never gets prompted. The re-auth flow (popup-driven SIWE for export-key
+  // / transaction-review) needs the signature regardless of machine state, so it
+  // routes here and reads the signature back synchronously.
+  signExternalWalletMessageForReauth(params) {
+    return __async(this, null, function* () {
+      const _a = yield __privateGet(this, _externalWalletService).signMessage(params), { signature } = _a, rest = __objRest(_a, ["signature"]);
+      return __spreadValues({ externalWallet: params.externalWallet, signedMessage: signature }, rest);
+    });
+  }
   verifyExternalWalletLink(opts) {
     return __async(this, null, function* () {
       const accountLinkInProgress = __privateMethod(this, _ParaCore_instances, assertIsLinkingAccount_fn).call(this, ["EXTERNAL_WALLET"]);
@@ -1489,6 +1722,8 @@ const _ParaCore = class _ParaCore {
    */
   verify2fa(_0) {
     return __async(this, arguments, function* ({ auth, verificationCode }) {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      assertConfigAllowed(this.config, { kind: "2fa" });
       const res = yield this.ctx.client.verify2FA(auth, verificationCode);
       return {
         initiatedAt: res.data.initiatedAt,
@@ -1504,6 +1739,8 @@ const _ParaCore = class _ParaCore {
    * */
   setup2fa() {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      assertConfigAllowed(this.config, { kind: "2fa" });
       const userId = this.assertUserId();
       const res = yield this.ctx.client.setup2FA(userId);
       return res;
@@ -1516,6 +1753,8 @@ const _ParaCore = class _ParaCore {
    */
   enable2fa(_0) {
     return __async(this, arguments, function* ({ verificationCode }) {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      assertConfigAllowed(this.config, { kind: "2fa" });
       const userId = this.assertUserId();
       yield this.ctx.client.enable2FA(userId, verificationCode);
     });
@@ -1524,8 +1763,8 @@ const _ParaCore = class _ParaCore {
    * Resend a verification email for the current user.
    */
   resendVerificationCode(_0) {
-    return __async(this, arguments, function* ({ type: reason = "SIGNUP" }) {
-      return yield __privateGet(this, _authService).resendVerificationCode({ type: reason });
+    return __async(this, arguments, function* ({ type: reason = "SIGNUP", deliveryChannel }) {
+      return yield __privateGet(this, _authService).resendVerificationCode({ type: reason, deliveryChannel });
     });
   }
   /**
@@ -1700,6 +1939,8 @@ const _ParaCore = class _ParaCore {
    */
   getOAuthUrl(params) {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      assertConfigAllowed(this.config, { kind: "oauth", method: params.method });
       return yield __privateGet(this, _portalUrlService).getOAuthUrl(params);
     });
   }
@@ -1773,6 +2014,8 @@ const _ParaCore = class _ParaCore {
   }
   verifyOAuth(params) {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      assertConfigAllowed(this.config, { kind: "oauth", method: params.method });
       return yield this.verifyOAuthProcess(__spreadProps(__spreadValues({}, params), { isLinkAccount: false }));
     });
   }
@@ -1944,8 +2187,6 @@ const _ParaCore = class _ParaCore {
     });
   }
   /**
-   * @deprecated Use the REST API (`POST /v1/wallets`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Creates a new pregenerated wallet.
    *
    * @param {Object} opts the options object.
@@ -1956,13 +2197,10 @@ const _ParaCore = class _ParaCore {
    **/
   createPregenWallet(params) {
     return __async(this, null, function* () {
-      warnPregenDeprecation("createPregenWallet");
       return yield __privateGet(this, _pregenWalletService).createPregenWallet(params);
     });
   }
   /**
-   * @deprecated Use the REST API (`POST /v1/wallets`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Creates new pregenerated wallets for each desired type.
    * If no types are provided, this method will create one for each of the non-optional types
    * specified in the instance's `supportedWalletTypes` array that are not already present.
@@ -1974,13 +2212,10 @@ const _ParaCore = class _ParaCore {
    **/
   createPregenWalletPerType(params) {
     return __async(this, null, function* () {
-      warnPregenDeprecation("createPregenWalletPerType");
       return yield __privateGet(this, _pregenWalletService).createPregenWalletPerType(params);
     });
   }
   /**
-   * @deprecated Use the REST API (`POST /v1/wallets`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Claims a pregenerated wallet.
    * @param {Object} opts the options object.
    * @param {string} opts.pregenIdentifier string the identifier of the user claiming the wallet
@@ -1989,13 +2224,10 @@ const _ParaCore = class _ParaCore {
    **/
   claimPregenWallets() {
     return __async(this, arguments, function* (params = {}) {
-      warnPregenDeprecation("claimPregenWallets");
       return yield __privateGet(this, _pregenWalletService).claimPregenWallets(params);
     });
   }
   /**
-   * @deprecated Use the REST API (`PATCH /v1/wallets/:id`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Updates the identifier for a pregen wallet.
    * @param {Object} opts the options object.
    * @param {string} opts.walletId the pregen wallet ID
@@ -2004,13 +2236,10 @@ const _ParaCore = class _ParaCore {
    **/
   updatePregenWalletIdentifier(params) {
     return __async(this, null, function* () {
-      warnPregenDeprecation("updatePregenWalletIdentifier");
       return yield __privateGet(this, _pregenWalletService).updatePregenWalletIdentifier(params);
     });
   }
   /**
-   * @deprecated Use the REST API (`GET /v1/wallets`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Checks if a pregen Wallet exists for the given identifier with the current partner.
    * @param {Object} opts the options object.
    * @param {string} opts.pregenIdentifier string the identifier of the user claiming the wallet
@@ -2019,13 +2248,10 @@ const _ParaCore = class _ParaCore {
    **/
   hasPregenWallet(params) {
     return __async(this, null, function* () {
-      warnPregenDeprecation("hasPregenWallet");
       return yield __privateGet(this, _pregenWalletService).hasPregenWallet(params);
     });
   }
   /**
-   * @deprecated Use the REST API (`GET /v1/wallets`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Get pregen wallets for the given identifier.
    * @param {Object} opts the options object.
    * @param {string} opts.pregenIdentifier - the identifier of the user claiming the wallet
@@ -2034,12 +2260,13 @@ const _ParaCore = class _ParaCore {
    **/
   getPregenWallets() {
     return __async(this, arguments, function* (params = {}) {
-      warnPregenDeprecation("getPregenWallets");
       return yield __privateGet(this, _pregenWalletService).getPregenWallets(params);
     });
   }
   createGuestWallets() {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      assertConfigAllowed(this.config, { kind: "guest" });
       return yield __privateGet(this, _pregenWalletService).createGuestWallets();
     });
   }
@@ -2079,6 +2306,9 @@ const _ParaCore = class _ParaCore {
   }
   getTransactionReviewUrl(transactionId, timeoutMs) {
     return __async(this, null, function* () {
+      if (this.isExternalWalletAuth) {
+        yield this.ctx.client.sessionAddPortalVerification();
+      }
       const authMethods = yield this.supportedUserAuthMethods();
       const result = yield this.constructPortalUrl("txReview", {
         pathId: transactionId,
@@ -2106,11 +2336,11 @@ const _ParaCore = class _ParaCore {
     });
   }
   /**
-   * Requests testnet funds from the faucet for the specified wallet.
+   * Submits a testnet faucet funding transaction for the specified wallet.
    * @param {RequestFaucetParams} params the options object.
    * @param {string} params.walletId the id of the wallet to fund.
    * @param {string} [params.chain] optional chain identifier to target a specific testnet.
-   * @returns the faucet transaction details, including the transaction hash and amount sent.
+   * @returns the submitted faucet transaction details. Wait for the returned transaction hash to confirm before spending.
    */
   requestFaucet(params) {
     return __async(this, null, function* () {
@@ -2139,14 +2369,17 @@ const _ParaCore = class _ParaCore {
       onPoll,
       onTransactionReviewUrl
     }) {
-      var _a;
       __privateGet(this, _walletService).assertIsValidWalletId(walletId);
       const wallet = this.wallets[walletId];
       let signerId = this.userId;
       if (wallet.partnerId && !wallet.userId) {
         signerId = wallet.partnerId;
       }
-      let signRes = yield this.signMessageInner({ wallet, signerId, messageBase64, cosmosSignDocBase64 });
+      let signRes = yield wrapWithSpan(
+        "mpc.sign",
+        () => this.signMessageInner({ wallet, signerId, messageBase64, cosmosSignDocBase64 }),
+        { "wallet.scheme": wallet.scheme, "wallet.id": walletId }
+      );
       let timeStart = Date.now();
       const effectiveTimeoutMs = Math.max(timeoutMs, constants.TRANSACTION_REVIEW_TIMEOUT_MS);
       if (signRes.pendingTransactionId) {
@@ -2173,7 +2406,16 @@ const _ParaCore = class _ParaCore {
         yield new Promise((resolve) => setTimeout(resolve, constants.POLLING_INTERVAL_MS));
         let pendingTransaction;
         try {
-          pendingTransaction = (_a = (yield this.ctx.client.getPendingTransaction(this.userId, signRes.pendingTransactionId)).data) == null ? void 0 : _a.pendingTransaction;
+          pendingTransaction = yield wrapWithSpan(
+            "tx.review.poll",
+            (span) => __async(this, null, function* () {
+              var _a;
+              const res = (_a = (yield this.ctx.client.getPendingTransaction(this.userId, signRes.pendingTransactionId)).data) == null ? void 0 : _a.pendingTransaction;
+              span.setAttribute("polling.status", (res == null ? void 0 : res.approvedAt) ? "approved" : "pending");
+              return res;
+            }),
+            { "pending_transaction.id": signRes.pendingTransactionId }
+          );
         } catch (e) {
           const error = new TransactionReviewDenied();
           dispatchEvent(ParaEvent.SIGN_MESSAGE_EVENT, signRes, error.message);
@@ -2183,7 +2425,11 @@ const _ParaCore = class _ParaCore {
           onPoll == null ? void 0 : onPoll();
           continue;
         } else {
-          signRes = yield this.signMessageInner({ wallet, signerId, messageBase64, cosmosSignDocBase64 });
+          signRes = yield wrapWithSpan(
+            "mpc.sign",
+            () => this.signMessageInner({ wallet, signerId, messageBase64, cosmosSignDocBase64 }),
+            { "wallet.scheme": wallet.scheme, "wallet.id": walletId, "mpc.attempt": "post-review" }
+          );
           break;
         }
       }
@@ -2253,22 +2499,25 @@ const _ParaCore = class _ParaCore {
       onPoll,
       onTransactionReviewUrl
     }) {
-      var _a;
       __privateGet(this, _walletService).assertIsValidWalletId(walletId);
       const wallet = this.wallets[walletId];
       let signerId = this.userId;
       if (wallet.partnerId && !wallet.userId) {
         signerId = wallet.partnerId;
       }
-      let signRes = yield this.platformUtils.signTransaction(
-        this.ctx,
-        signerId,
-        walletId,
-        this.wallets[walletId].signer,
-        rlpEncodedTxBase64,
-        chainId,
-        this.retrieveSessionCookie(),
-        wallet.scheme === "DKLS"
+      let signRes = yield wrapWithSpan(
+        "mpc.sign",
+        () => this.platformUtils.signTransaction(
+          this.ctx,
+          signerId,
+          walletId,
+          this.wallets[walletId].signer,
+          rlpEncodedTxBase64,
+          chainId,
+          this.retrieveSessionCookie(),
+          wallet.scheme === "DKLS"
+        ),
+        { "wallet.scheme": wallet.scheme, "wallet.id": walletId, "tx.kind": "transaction" }
       );
       let timeStart = Date.now();
       const effectiveTimeoutMs = Math.max(timeoutMs, constants.TRANSACTION_REVIEW_TIMEOUT_MS);
@@ -2292,9 +2541,19 @@ const _ParaCore = class _ParaCore {
           break;
         }
         yield new Promise((resolve) => setTimeout(resolve, constants.POLLING_INTERVAL_MS));
+        const pendingTxId = signRes.pendingTransactionId;
         let pendingTransaction;
         try {
-          pendingTransaction = (_a = (yield this.ctx.client.getPendingTransaction(this.userId, signRes.pendingTransactionId)).data) == null ? void 0 : _a.pendingTransaction;
+          pendingTransaction = yield wrapWithSpan(
+            "tx.review.poll",
+            (span) => __async(this, null, function* () {
+              var _a;
+              const res = (_a = (yield this.ctx.client.getPendingTransaction(this.userId, pendingTxId)).data) == null ? void 0 : _a.pendingTransaction;
+              span.setAttribute("polling.status", (res == null ? void 0 : res.approvedAt) ? "approved" : "pending");
+              return res;
+            }),
+            { "pending_transaction.id": pendingTxId }
+          );
         } catch (e) {
           const error = new TransactionReviewDenied();
           dispatchEvent(ParaEvent.SIGN_TRANSACTION_EVENT, signRes, error.message);
@@ -2304,15 +2563,19 @@ const _ParaCore = class _ParaCore {
           onPoll == null ? void 0 : onPoll();
           continue;
         } else {
-          signRes = yield this.platformUtils.signTransaction(
-            this.ctx,
-            signerId,
-            walletId,
-            this.wallets[walletId].signer,
-            rlpEncodedTxBase64,
-            chainId,
-            this.retrieveSessionCookie(),
-            wallet.scheme === "DKLS"
+          signRes = yield wrapWithSpan(
+            "mpc.sign",
+            () => this.platformUtils.signTransaction(
+              this.ctx,
+              signerId,
+              walletId,
+              this.wallets[walletId].signer,
+              rlpEncodedTxBase64,
+              chainId,
+              this.retrieveSessionCookie(),
+              wallet.scheme === "DKLS"
+            ),
+            { "wallet.scheme": wallet.scheme, "wallet.id": walletId, "tx.kind": "transaction", "mpc.attempt": "post-review" }
           );
           break;
         }
@@ -2584,7 +2847,8 @@ const _ParaCore = class _ParaCore {
         useLocalFiles: this.ctx.useLocalFiles,
         useDKLS: this.ctx.useDKLS,
         cosmosPrefix: this.ctx.cosmosPrefix
-      }
+      },
+      config: this.config
     });
     return `Para ${JSON.stringify(obj, null, 2)}`;
   }
@@ -2619,16 +2883,26 @@ const _ParaCore = class _ParaCore {
   }
   signUpOrLogIn(params) {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      assertConfigAllowed(this.config, {
+        kind: extractAuthInfo(params.auth, { isRequired: true }).authType
+      });
       return yield __privateGet(this, _authService).signUpOrLogIn(params);
     });
   }
   authenticateWithEmailOrPhone(params) {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      assertConfigAllowed(this.config, {
+        kind: extractAuthInfo(params.auth, { isRequired: true }).authType
+      });
       return yield __privateGet(this, _authService).authenticateWithEmailOrPhone(params);
     });
   }
   authenticateWithOAuth(params) {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      assertConfigAllowed(this.config, { kind: "oauth", method: params.method });
       return yield __privateGet(this, _authService).authenticateWithOAuth(params);
     });
   }
@@ -2764,16 +3038,17 @@ const _ParaCore = class _ParaCore {
   }
   sendLoginCode() {
     return __async(this, null, function* () {
-      const { userId } = yield this.ctx.client.sendLoginVerificationCode(this.authInfo);
+      const { userId, deliveryChannel, fallbackUsed, fallbackChannel, isSmsAllowed } = yield this.ctx.client.sendLoginVerificationCode(this.authInfo);
       yield this.setUserId(userId);
-      return { userId };
+      return { userId, deliveryChannel, fallbackUsed, fallbackChannel, isSmsAllowed };
     });
   }
   exportPrivateKey() {
     return __async(this, arguments, function* (args = {}) {
+      var _a;
       let walletId = args == null ? void 0 : args.walletId;
       if (!(args == null ? void 0 : args.walletId)) {
-        walletId = this.findWalletId(void 0, { forbidPregen: true, scheme: ["DKLS"] });
+        walletId = this.findWalletId(void 0, { forbidPregen: true, scheme: ["DKLS", "ED25519"] });
       }
       const wallet = this.wallets[walletId];
       if (this.externalWallets[walletId]) {
@@ -2782,28 +3057,38 @@ const _ParaCore = class _ParaCore {
       if (!wallet || !wallet.signer) {
         throw new Error("Wallet not found with id: " + walletId);
       }
-      if (wallet.scheme !== "DKLS") {
-        throw new Error("Cannot export private key for a Solana wallet");
-      }
       if (wallet.isPregen && !!wallet.pregenIdentifier && wallet.pregenIdentifierType !== "GUEST_ID") {
         throw new Error("Cannot export private key for a pregenerated wallet");
       }
       if (args.shouldOpenPopup) {
         this.popupWindow = yield this.platformUtils.openPopup("about:blank", { type: PopupType.EXPORT_PRIVATE_KEY });
       }
-      const authMethods = yield this.supportedUserAuthMethods();
-      const exportPrivateKeyResult = yield this.constructPortalUrl("exportPrivateKey", {
-        pathId: walletId,
-        useLegacyUrl: authMethods.has(AuthMethod.PASSKEY)
-      });
-      const exportPrivateKeyUrl = exportPrivateKeyResult.url;
-      if (args.shouldOpenPopup) {
-        this.popupWindow.location.href = exportPrivateKeyUrl;
+      try {
+        if (this.isExternalWalletAuth) {
+          yield this.ctx.client.sessionAddPortalVerification();
+        }
+        const authMethods = yield this.supportedUserAuthMethods();
+        const exportPrivateKeyResult = yield this.constructPortalUrl("exportPrivateKey", {
+          pathId: walletId,
+          useLegacyUrl: authMethods.has(AuthMethod.PASSKEY)
+        });
+        const exportPrivateKeyUrl = exportPrivateKeyResult.url;
+        if (args.shouldOpenPopup) {
+          this.popupWindow.location.href = exportPrivateKeyUrl;
+        }
+        return {
+          url: exportPrivateKeyUrl,
+          popupWindow: this.popupWindow
+        };
+      } catch (err) {
+        if (args.shouldOpenPopup) {
+          try {
+            (_a = this.popupWindow) == null ? void 0 : _a.close();
+          } catch (e) {
+          }
+        }
+        throw err;
       }
-      return {
-        url: exportPrivateKeyUrl,
-        popupWindow: this.popupWindow
-      };
     });
   }
 };
@@ -2816,7 +3101,54 @@ _pollingService = new WeakMap();
 _portalUrlService = new WeakMap();
 _sessionManagementService = new WeakMap();
 _debugLogsEnabled = new WeakMap();
+_configChangeListeners = new WeakMap();
 _ParaCore_instances = new WeakSet();
+notifyConfigChange_fn = function() {
+  __privateGet(this, _configChangeListeners).forEach((cb) => cb());
+};
+_sdkConfigOverrides = new WeakMap();
+_configMemo = new WeakMap();
+/**
+ * Drift telemetry. Currently fires only on `rpcUrl` (the only
+ * remaining override-able field that's typically authoritative server-side
+ * — `rpcUrl` SDK override is legitimate for local-dev, but if a consumer
+ * silently overrides it in prod we want operators to know).
+ *
+ * Fires once per `(scope, key)` per session.
+ *
+ * Comparison baseline is the merge chain WITHOUT the SDK overrides layer
+ * (i.e. the authoritative chain: `defaults ⊕ ecosystem ⊕ partner`). Today
+ * with no ecosystem layer this resolves to the partner record values, but
+ * computing it via the merge keeps the comparison correct when ecosystem
+ * ships and an org overrides `rpcUrl` for its child partners.
+ *
+ * `appName` and `partnerLinks.*` are no longer overridable — they're 1:1
+ * with the apikey/project and have no per-instance use case. Drift
+ * telemetry for those was removed when they were excluded from
+ * `SdkOverridableAppConfig`.
+ */
+warnPartnerConfigDrift_fn = function() {
+  var _a;
+  if (!this.partner || !__privateGet(this, _sdkConfigOverrides)) return;
+  const baseline = __privateMethod(this, _ParaCore_instances, configWithoutSdkOverrides_fn).call(this);
+  const sdkRpcUrl = __privateGet(this, _sdkConfigOverrides).rpcUrl;
+  if (sdkRpcUrl && sdkRpcUrl !== baseline.rpcUrl) {
+    warnOnce(
+      "partnerConfigDrift",
+      "rpcUrl",
+      `rpcUrl SDK override "${sdkRpcUrl}" disagrees with the partner record "${(_a = baseline.rpcUrl) != null ? _a : "(unset)"}". This is expected for local-dev; in production, configure rpcUrl via the developer portal.`
+    );
+  }
+};
+/**
+ * Resolved config WITHOUT the SDK override layer. Used by drift telemetry
+ * to compare overrides against the authoritative chain. Slot for the
+ * future ecosystem layer between `defaults` and `partner`.
+ */
+configWithoutSdkOverrides_fn = function() {
+  const partnerLayer = this.partner ? partnerToAppConfigLayer(this.partner) : void 0;
+  return mergePartnerAppConfig(DEFAULT_PARTNER_APP_CONFIG, partnerLayer);
+};
 assertPartner_fn = function() {
   return __async(this, null, function* () {
     var _a, _b;
@@ -2881,6 +3213,26 @@ assertIsLinkingAccountOrStart_fn = function(type) {
   });
 };
 waitForLoginProcess_fn = function() {
+  return __async(this, arguments, function* ({
+    isCanceled = () => false,
+    onCancel,
+    onPoll,
+    skipSessionRefresh = false,
+    isSwitchingWallets = false
+  } = {}) {
+    return wrapWithSpan("polling.waitForLoginProcess", (span) => __async(this, null, function* () {
+      span.setAttribute("polling.is_switching_wallets", isSwitchingWallets);
+      return __privateMethod(this, _ParaCore_instances, waitForLoginProcessImpl_fn).call(this, {
+        isCanceled,
+        onCancel,
+        onPoll,
+        skipSessionRefresh,
+        isSwitchingWallets
+      });
+    }));
+  });
+};
+waitForLoginProcessImpl_fn = function() {
   return __async(this, arguments, function* ({
     isCanceled = () => false,
     onCancel,
@@ -3014,7 +3366,7 @@ waitForLoginProcess_fn = function() {
               yield this.setupAfterLogin({ temporaryShares: tempSharesRes.data.temporaryShares, skipSessionRefresh });
               this.devLog("[waitForLoginProcess] Setup after login complete");
               this.devLog("[waitForLoginProcess] Claiming pregen wallets");
-              yield __privateGet(this, _pregenWalletService).claimPregenWallets();
+              yield this.claimPregenWallets();
               this.devLog("[waitForLoginProcess] Pregen wallets claimed");
               const resp = {
                 needsWallet: needsWallet || Object.values(this.wallets).length === 0,
@@ -3075,6 +3427,7 @@ logout_fn = function() {
     __privateGet(this, _authService).userId = void 0;
     __privateGet(this, _sessionManagementService).sessionCookie = void 0;
     this.isEnclaveUser = false;
+    setCurrentUserId(void 0);
     if (isSessionActive) {
       dispatchEvent(ParaEvent.LOGOUT_EVENT, null);
       if (!skipStateReset) {