@getpara/core-sdk 3.0.0-alpha.1 → 3.1.0

package/dist/cjs/ParaCore.js

@@ -97,6 +97,7 @@ var import_types = require("./types/index.js");
 var import_utils2 = require("./utils/index.js");
 var import_stateListener = require("./utils/stateListener.js");
 var import_deprecation = require("./utils/deprecation.js");
+var import_partnerConfigGating = require("./utils/partnerConfigGating.js");
 var import_errors = require("./errors.js");
 var constants = __toESM(require("./constants.js"));
 var import_enclave = require("./shares/enclave.js");
@@ -108,7 +109,11 @@ var import_PregenWalletService = require("./services/PregenWalletService.js");
 var import_PortalUrlService = require("./services/PortalUrlService.js");
 var import_SessionManagementService = require("./services/SessionManagementService.js");
 var import_ExternalWalletService = require("./services/ExternalWalletService.js");
-var _stateManager, _authService, _walletService, _externalWalletService, _pregenWalletService, _pollingService, _portalUrlService, _sessionManagementService, _debugLogsEnabled, _ParaCore_instances, assertPartner_fn, toAuthInfo_fn, _servicesInitialized, assertIsLinkingAccount_fn, assertIsLinkingAccountOrStart_fn, waitForLoginProcess_fn, logout_fn;
+var import_tracer = require("./telemetry/tracer.js");
+var import_uxStateSpanProcessor = require("./telemetry/uxStateSpanProcessor.js");
+var import_init = require("./telemetry/init.js");
+var import_uxAction = require("./telemetry/uxAction.js");
+var _stateManager, _authService, _walletService, _externalWalletService, _pregenWalletService, _pollingService, _portalUrlService, _sessionManagementService, _debugLogsEnabled, _configChangeListeners, _ParaCore_instances, notifyConfigChange_fn, _sdkConfigOverrides, _configMemo, warnPartnerConfigDrift_fn, configWithoutSdkOverrides_fn, assertPartner_fn, toAuthInfo_fn, _servicesInitialized, assertIsLinkingAccount_fn, assertIsLinkingAccountOrStart_fn, waitForLoginProcess_fn, waitForLoginProcessImpl_fn, logout_fn;
 if (typeof global !== "undefined") {
   global.Buffer = global.Buffer || import_buffer.Buffer;
 } else if (typeof window !== "undefined") {
@@ -135,6 +140,28 @@ const _ParaCore = class _ParaCore {
     this.isSwitchingWallets = false;
     this.isNativePasskey = false;
     this.isSetup = false;
+    // Notified whenever an input to `paraCore.config` changes — either the
+    // partner record (via `getPartner`) or the SDK override layer (via
+    // `setSdkConfigOverrides`). One signal covers both async-load and
+    // runtime-mutation cases, so consumers wire one subscription.
+    __privateAdd(this, _configChangeListeners, /* @__PURE__ */ new Set());
+    /**
+     * Phase 3 — SDK-side override layer applied on top of the partner layer.
+     *
+     *   merge chain: defaults ⊕ ecosystem (future) ⊕ partner ⊕ #sdkConfigOverrides
+     *
+     * Initialized from `ConstructorOpts.configOverrides`. Mutable post-construction
+     * via `setSdkConfigOverrides` so reactive callers (e.g. `ParaProviderMin`'s
+     * `configOverrides` prop) can update it without rebuilding the ParaCore
+     * instance.
+     *
+     * Typed `Partial<SdkOverridableAppConfig>` — security/posture fields
+     * (`supportedAuthMethods`, `authConfig.twoFactorAuthEnabled`, etc.) are
+     * excluded at compile time, so no caller path can override them.
+     */
+    __privateAdd(this, _sdkConfigOverrides);
+    /** Memoization for the `config` getter — invalidates on partner / overrides identity change. */
+    __privateAdd(this, _configMemo);
     this.accountLinkInProgress = void 0;
     this.isWorkerInitialized = false;
     this.onRampPopup = void 0;
@@ -219,17 +246,45 @@ const _ParaCore = class _ParaCore {
       }
       throw err;
     });
-    this.wrapMethodsWithErrorTracking = (methodNames) => {
-      for (const methodName of methodNames) {
+    // Each wrapped method becomes one named span. wrapWithSpan handles recordException +
+    // ERROR status; the legacy /errors/sdk POST stays in trackError as a fallback during
+    // the cutover window — PR D removes it once we verify span error coverage in prod.
+    // Until telemetry is initialized (cold-start window before partner-config arrives),
+    // wrapWithSpan delegates to a no-op tracer so spans are dropped without overhead.
+    // The original method MUST be invoked inside wrapWithSpan's callback so its async
+    // chain (Promises, setTimeout, fetch) is created under the active-span context.
+    // Calling original.apply BEFORE wrapWithSpan starts the work in the root Zone —
+    // child spans then root independently because Zone.js can't trace context through
+    // Promises that were already in flight when the active span was set. All currently
+    // wrapped methods are async, so always returning a Promise here is safe.
+    this.wrapMethodsWithTracing = (entries) => {
+      for (const entry of entries) {
+        const methodName = typeof entry === "string" ? entry : entry.method;
+        const uxTargetId = typeof entry === "string" ? void 0 : entry.uxTargetId;
         const original = this[methodName];
         if (typeof original === "function") {
           this[methodName] = (...args) => {
-            try {
-              const result = original.apply(this, args);
-              return result instanceof Promise ? result.catch((err) => this.trackError(methodName, err)) : result;
-            } catch (err) {
-              return this.trackError(methodName, err);
-            }
+            var _a;
+            const attrs = __spreadValues({
+              "para.platform": this.platformUtils.sdkType,
+              "para.sdk_version": _ParaCore.version
+            }, ((_a = this.partner) == null ? void 0 : _a.id) ? { "para.partner_id": this.partner.id } : {});
+            return (0, import_tracer.wrapWithSpan)(
+              methodName,
+              (span) => __async(this, null, function* () {
+                if (!uxTargetId) return original.apply(this, args);
+                let outcome = "success";
+                try {
+                  return yield original.apply(this, args);
+                } catch (err) {
+                  outcome = "error";
+                  throw err;
+                } finally {
+                  (0, import_uxAction.recordActionOnSpan)(span, uxTargetId, outcome);
+                }
+              }),
+              attrs
+            ).catch((err) => this.trackError(methodName, err));
           };
         }
       }
@@ -405,6 +460,7 @@ const _ParaCore = class _ParaCore {
     }
     if (!opts) opts = {};
     __privateSet(this, _debugLogsEnabled, !!opts.enableDebugLogs);
+    __privateSet(this, _sdkConfigOverrides, opts.configOverrides);
     const isE2E = env === "E2E" || envOrApiKey === "E2E";
     if (isE2E && env !== import_types.Environment.SANDBOX) {
       env = import_types.Environment.SANDBOX;
@@ -497,19 +553,32 @@ const _ParaCore = class _ParaCore {
     this.initializeFromStorage();
     import_utils2.setupListeners.bind(this)();
     (0, import_utils2.autoBind)(this);
-    this.wrapMethodsWithErrorTracking([
+    this.wrapMethodsWithTracing([
       "signUpOrLogIn",
+      // Methods marked with uxTargetId double as user-perceived UX actions —
+      // the wrap stamps ui.target_id / ui.outcome and emits a
+      // ui.action.completed event so the action's existing span IS the
+      // user-perceived measurement. No separate orphan span needed.
+      { method: "authenticateWithEmailOrPhone", uxTargetId: "sign-in" },
+      "authenticateWithOAuth",
       "verifyNewAccount",
+      "resendVerificationCode",
       "waitForLogin",
       "waitForSignup",
       "waitForWalletCreation",
       "verifyOAuth",
       "verifyTelegram",
       "verifyFarcaster",
+      "connectExternalWallet",
+      "loginExternalWallet",
+      "verifyExternalWallet",
+      "createWallet",
+      "createWalletPerType",
       "createPregenWallet",
       "claimPregenWallets",
       "signMessage",
-      "signTransaction"
+      "signTransaction",
+      "logout"
     ]);
     __privateGet(this, _stateManager).start();
   }
@@ -637,6 +706,25 @@ const _ParaCore = class _ParaCore {
     });
     return () => unsubscribe();
   }
+  /**
+   * Subscribe to changes in any input to `paraCore.config`:
+   *   - partner record updates (lazy load after a failed eager fetch, etc.)
+   *   - SDK override layer replacement (`setSdkConfigOverrides`)
+   *
+   * The callback fires after the relevant state has settled; subscribers
+   * should re-read `paraCore.config` to get the new merged value. Returns
+   * an unsubscribe function.
+   *
+   * Used by the React layer to bump its reactive `paraConfigVersion`
+   * counter; non-React consumers (server SDK, telemetry, etc.) can wire
+   * the same signal to invalidate their caches.
+   */
+  onConfigChange(callback) {
+    __privateGet(this, _configChangeListeners).add(callback);
+    return () => {
+      __privateGet(this, _configChangeListeners).delete(callback);
+    };
+  }
   get authInfo() {
     var _a;
     return (_a = __privateGet(this, _authService)) == null ? void 0 : _a.authInfo;
@@ -663,6 +751,73 @@ const _ParaCore = class _ParaCore {
   get externalWalletConnectionType() {
     return __privateGet(this, _externalWalletService).externalWalletConnectionType;
   }
+  /**
+   * Resolved partner app config: partner ⊕ SDK overrides.
+   * Read-only view; safe to call before `getPartner` returns (yields `{}` via
+   * the merge of no layers).
+   *
+   * Memoized on `(this.partner, this.#sdkConfigOverrides)` identity. Multiple
+   * consumers read this (assertConfigAllowed at 9 sites, PortalUrlService,
+   * ExternalWalletWrapper); without memoization each access re-allocates a
+   * fresh merged object graph. Cache invalidates whenever `this.partner` is
+   * replaced (via getPartner) or `setSdkConfigOverrides` is called.
+   */
+  get config() {
+    if (__privateGet(this, _configMemo) && __privateGet(this, _configMemo).partner === this.partner && __privateGet(this, _configMemo).overrides === __privateGet(this, _sdkConfigOverrides)) {
+      return __privateGet(this, _configMemo).result;
+    }
+    const partnerLayer = this.partner ? (0, import_utils2.partnerToAppConfigLayer)(this.partner) : void 0;
+    const result = (0, import_utils2.mergePartnerAppConfig)(import_utils2.DEFAULT_PARTNER_APP_CONFIG, partnerLayer, __privateGet(this, _sdkConfigOverrides));
+    __privateSet(this, _configMemo, { partner: this.partner, overrides: __privateGet(this, _sdkConfigOverrides), result });
+    return result;
+  }
+  /**
+   * Read-only accessor for the raw partner record. Returns `undefined` until
+   * `getPartner` resolves (typically during `setup()`).
+   *
+   * The vast majority of partner-driven UX should consume `this.config`
+   * instead — that layer applies SDK overrides, exposes a stable shape, and
+   * is memoized. Use this getter only for fields that live on `PartnerEntity`
+   * but aren't promoted onto `PartnerAppConfig` (e.g. `logoUrl`, internal
+   * policy state). Whatever this returns is exactly what the public
+   * `getPartner(id)` API resolved on the last fetch — no additional
+   * processing.
+   */
+  get partnerRecord() {
+    return this.partner;
+  }
+  /**
+   * Replace the SDK-side override layer. Generic surface — any post-construction
+   * caller (React provider, server-sdk, custom integration) can update overrides
+   * without rebuilding the ParaCore instance.
+   *
+   * Replaces wholesale (last writer wins). Pass undefined to clear.
+   */
+  setSdkConfigOverrides(overrides) {
+    __privateSet(this, _sdkConfigOverrides, overrides);
+    __privateSet(this, _configMemo, void 0);
+    __privateMethod(this, _ParaCore_instances, notifyConfigChange_fn).call(this);
+  }
+  /**
+   * Read the raw SDK override layer (NOT the merged config). Used by analytics
+   * to distinguish "what the consumer passed" from "what the resolver
+   * produced." For the resolved view, use `paraCore.config`.
+   *
+   * @internal — analytics-only. App code should read `paraCore.config` instead;
+   *   this getter exposes pre-merge values that can change shape across
+   *   versions without notice.
+   *
+   * @remarks Redaction contract — any analytics consumer dispatching this
+   *   value to an external sink MUST sanitize first. Specifically `rpcUrl`
+   *   commonly embeds API keys (Alchemy `/v2/<key>`, Infura `/v3/<key>`).
+   *   Today the React modal owns redaction in
+   *   `react-sdk-lite/src/modal/ParaModal.tsx` (`sanitizeSdkConfigOverridesForAnalytics`).
+   *   When Phase 7's non-React analytics lands here, lift that helper next
+   *   to this getter so all consumers share one sanitizer.
+   */
+  get sdkConfigOverrides() {
+    return __privateGet(this, _sdkConfigOverrides);
+  }
   get userId() {
     var _a;
     return (_a = __privateGet(this, _authService)) == null ? void 0 : _a.userId;
@@ -752,6 +907,27 @@ const _ParaCore = class _ParaCore {
     var _a;
     return (_a = this.partner) == null ? void 0 : _a.cosmosPrefix;
   }
+  /**
+   * Auth methods the partner has enabled. Read off the raw partner record —
+   * partner-authoritative and excluded from `SdkOverridableAppConfig`, so it
+   * does NOT participate in the override merge chain.
+   *
+   * Named `supportedAuthMethodsList` (not `supportedAuthMethods`) to avoid
+   * colliding with the existing protected async `supportedAuthMethods(auth)`
+   * method that performs a backend lookup. Different concept, different shape.
+   */
+  get supportedAuthMethodsList() {
+    var _a, _b;
+    return (_b = (_a = this.partner) == null ? void 0 : _a.supportedAuthMethods) != null ? _b : [import_user_management_client.AuthMethod.BASIC_LOGIN];
+  }
+  /**
+   * Balance display config from the partner record. Partner-authoritative;
+   * excluded from `SdkOverridableAppConfig`.
+   */
+  get balancesConfig() {
+    var _a;
+    return (_a = this.partner) == null ? void 0 : _a.balancesConfig;
+  }
   get supportedAccountLinks() {
     var _a, _b;
     return (_b = (_a = this.partner) == null ? void 0 : _a.supportedAccountLinks) != null ? _b : [...import_user_management_client.LINKED_ACCOUNT_TYPES];
@@ -1008,6 +1184,9 @@ const _ParaCore = class _ParaCore {
       },
       get accountLinkInProgress() {
         return self2.accountLinkInProgress;
+      },
+      get config() {
+        return self2.config;
       }
     };
   }
@@ -1383,6 +1562,29 @@ const _ParaCore = class _ParaCore {
       }
       const res = yield this.ctx.client.getPartner(partnerId);
       this.partner = res.data.partner;
+      __privateMethod(this, _ParaCore_instances, warnPartnerConfigDrift_fn).call(this);
+      __privateMethod(this, _ParaCore_instances, notifyConfigChange_fn).call(this);
+      const telemetry = res.data.partner.telemetry;
+      if ((telemetry == null ? void 0 : telemetry.enabled) && this.ctx.env) {
+        void (0, import_init.initTelemetry)({
+          tunnelUrl: `${(0, import_userManagementClient.getBaseUrl)(this.ctx.env)}telemetry`,
+          sampleRate: telemetry.sample_rate,
+          sdkType: this.platformUtils.sdkType,
+          sdkVersion: _ParaCore.version,
+          partnerId: this.partner.id,
+          // Only true in DEV — adds localhost to the trace-propagation allow-list
+          // so FE → local user-management requests carry traceparent. Never set in
+          // sandbox/beta/prod, where localhost shouldn't appear in our request URLs.
+          isDev: this.ctx.env === import_types.Environment.DEV,
+          // Portal pages run the same ParaCore code path as the partner-app SDK, but
+          // they're a different process boundary (popup/iframe) and a different surface
+          // for ops to debug. Pass through the portal posture so initTelemetry can stamp
+          // the right `service.name` and split SDK-side vs portal-side spans in the
+          // backend. Uses the class-level isPortal() (same logic the rest of the SDK
+          // gates portal-only paths on).
+          isPortal: this.isPortal()
+        });
+      }
       return this.partner;
     });
   }
@@ -1408,15 +1610,30 @@ const _ParaCore = class _ParaCore {
       if (!wallet) {
         throw new Error("wallet not found");
       }
-      if (wallet.scheme !== "DKLS") {
-        throw new Error("invalid wallet scheme");
-      }
-      return yield this.platformUtils.getPrivateKey(
-        this.ctx,
-        this.userId,
-        wallet.id,
-        wallet.signer,
-        this.retrieveSessionCookie()
+      return (0, import_tracer.wrapWithSpan)(
+        "mpc.export",
+        () => __async(this, null, function* () {
+          if (wallet.scheme === "ED25519") {
+            return yield this.platformUtils.getED25519PrivateKey(
+              this.ctx,
+              this.userId,
+              wallet.id,
+              wallet.signer,
+              this.retrieveSessionCookie()
+            );
+          }
+          if (wallet.scheme !== "DKLS") {
+            throw new Error("invalid wallet scheme");
+          }
+          return yield this.platformUtils.getPrivateKey(
+            this.ctx,
+            this.userId,
+            wallet.id,
+            wallet.signer,
+            this.retrieveSessionCookie()
+          );
+        }),
+        { "wallet.scheme": wallet.scheme, "wallet.id": wallet.id, "wallet.type": wallet.type }
       );
     });
   }
@@ -1471,6 +1688,19 @@ const _ParaCore = class _ParaCore {
       return yield __privateGet(this, _authService).signExternalWalletVerification(params);
     });
   }
+  // Direct-to-wallet sign for an external-wallet user who's already authenticated.
+  // The signExternalWalletVerification() path above dispatches a state-machine event
+  // that's only handled from the `awaiting_wallet_signature` state — after login
+  // the machine has moved past that, so the event is silently dropped and the
+  // wallet never gets prompted. The re-auth flow (popup-driven SIWE for export-key
+  // / transaction-review) needs the signature regardless of machine state, so it
+  // routes here and reads the signature back synchronously.
+  signExternalWalletMessageForReauth(params) {
+    return __async(this, null, function* () {
+      const _a = yield __privateGet(this, _externalWalletService).signMessage(params), { signature } = _a, rest = __objRest(_a, ["signature"]);
+      return __spreadValues({ externalWallet: params.externalWallet, signedMessage: signature }, rest);
+    });
+  }
   verifyExternalWalletLink(opts) {
     return __async(this, null, function* () {
       const accountLinkInProgress = __privateMethod(this, _ParaCore_instances, assertIsLinkingAccount_fn).call(this, ["EXTERNAL_WALLET"]);
@@ -1547,6 +1777,8 @@ const _ParaCore = class _ParaCore {
    */
   verify2fa(_0) {
     return __async(this, arguments, function* ({ auth, verificationCode }) {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      (0, import_partnerConfigGating.assertConfigAllowed)(this.config, { kind: "2fa" });
       const res = yield this.ctx.client.verify2FA(auth, verificationCode);
       return {
         initiatedAt: res.data.initiatedAt,
@@ -1562,6 +1794,8 @@ const _ParaCore = class _ParaCore {
    * */
   setup2fa() {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      (0, import_partnerConfigGating.assertConfigAllowed)(this.config, { kind: "2fa" });
       const userId = this.assertUserId();
       const res = yield this.ctx.client.setup2FA(userId);
       return res;
@@ -1574,6 +1808,8 @@ const _ParaCore = class _ParaCore {
    */
   enable2fa(_0) {
     return __async(this, arguments, function* ({ verificationCode }) {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      (0, import_partnerConfigGating.assertConfigAllowed)(this.config, { kind: "2fa" });
       const userId = this.assertUserId();
       yield this.ctx.client.enable2FA(userId, verificationCode);
     });
@@ -1582,8 +1818,8 @@ const _ParaCore = class _ParaCore {
    * Resend a verification email for the current user.
    */
   resendVerificationCode(_0) {
-    return __async(this, arguments, function* ({ type: reason = "SIGNUP" }) {
-      return yield __privateGet(this, _authService).resendVerificationCode({ type: reason });
+    return __async(this, arguments, function* ({ type: reason = "SIGNUP", deliveryChannel }) {
+      return yield __privateGet(this, _authService).resendVerificationCode({ type: reason, deliveryChannel });
     });
   }
   /**
@@ -1758,6 +1994,8 @@ const _ParaCore = class _ParaCore {
    */
   getOAuthUrl(params) {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      (0, import_partnerConfigGating.assertConfigAllowed)(this.config, { kind: "oauth", method: params.method });
       return yield __privateGet(this, _portalUrlService).getOAuthUrl(params);
     });
   }
@@ -1831,6 +2069,8 @@ const _ParaCore = class _ParaCore {
   }
   verifyOAuth(params) {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      (0, import_partnerConfigGating.assertConfigAllowed)(this.config, { kind: "oauth", method: params.method });
       return yield this.verifyOAuthProcess(__spreadProps(__spreadValues({}, params), { isLinkAccount: false }));
     });
   }
@@ -2002,8 +2242,6 @@ const _ParaCore = class _ParaCore {
     });
   }
   /**
-   * @deprecated Use the REST API (`POST /v1/wallets`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Creates a new pregenerated wallet.
    *
    * @param {Object} opts the options object.
@@ -2014,13 +2252,10 @@ const _ParaCore = class _ParaCore {
    **/
   createPregenWallet(params) {
     return __async(this, null, function* () {
-      (0, import_deprecation.warnPregenDeprecation)("createPregenWallet");
       return yield __privateGet(this, _pregenWalletService).createPregenWallet(params);
     });
   }
   /**
-   * @deprecated Use the REST API (`POST /v1/wallets`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Creates new pregenerated wallets for each desired type.
    * If no types are provided, this method will create one for each of the non-optional types
    * specified in the instance's `supportedWalletTypes` array that are not already present.
@@ -2032,13 +2267,10 @@ const _ParaCore = class _ParaCore {
    **/
   createPregenWalletPerType(params) {
     return __async(this, null, function* () {
-      (0, import_deprecation.warnPregenDeprecation)("createPregenWalletPerType");
       return yield __privateGet(this, _pregenWalletService).createPregenWalletPerType(params);
     });
   }
   /**
-   * @deprecated Use the REST API (`POST /v1/wallets`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Claims a pregenerated wallet.
    * @param {Object} opts the options object.
    * @param {string} opts.pregenIdentifier string the identifier of the user claiming the wallet
@@ -2047,13 +2279,10 @@ const _ParaCore = class _ParaCore {
    **/
   claimPregenWallets() {
     return __async(this, arguments, function* (params = {}) {
-      (0, import_deprecation.warnPregenDeprecation)("claimPregenWallets");
       return yield __privateGet(this, _pregenWalletService).claimPregenWallets(params);
     });
   }
   /**
-   * @deprecated Use the REST API (`PATCH /v1/wallets/:id`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Updates the identifier for a pregen wallet.
    * @param {Object} opts the options object.
    * @param {string} opts.walletId the pregen wallet ID
@@ -2062,13 +2291,10 @@ const _ParaCore = class _ParaCore {
    **/
   updatePregenWalletIdentifier(params) {
     return __async(this, null, function* () {
-      (0, import_deprecation.warnPregenDeprecation)("updatePregenWalletIdentifier");
       return yield __privateGet(this, _pregenWalletService).updatePregenWalletIdentifier(params);
     });
   }
   /**
-   * @deprecated Use the REST API (`GET /v1/wallets`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Checks if a pregen Wallet exists for the given identifier with the current partner.
    * @param {Object} opts the options object.
    * @param {string} opts.pregenIdentifier string the identifier of the user claiming the wallet
@@ -2077,13 +2303,10 @@ const _ParaCore = class _ParaCore {
    **/
   hasPregenWallet(params) {
     return __async(this, null, function* () {
-      (0, import_deprecation.warnPregenDeprecation)("hasPregenWallet");
       return yield __privateGet(this, _pregenWalletService).hasPregenWallet(params);
     });
   }
   /**
-   * @deprecated Use the REST API (`GET /v1/wallets`) instead. See {@link https://docs.getpara.com/v2/rest/migrate-from-sdk-pregen | migration guide}.
-   *
    * Get pregen wallets for the given identifier.
    * @param {Object} opts the options object.
    * @param {string} opts.pregenIdentifier - the identifier of the user claiming the wallet
@@ -2092,12 +2315,13 @@ const _ParaCore = class _ParaCore {
    **/
   getPregenWallets() {
     return __async(this, arguments, function* (params = {}) {
-      (0, import_deprecation.warnPregenDeprecation)("getPregenWallets");
       return yield __privateGet(this, _pregenWalletService).getPregenWallets(params);
     });
   }
   createGuestWallets() {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      (0, import_partnerConfigGating.assertConfigAllowed)(this.config, { kind: "guest" });
       return yield __privateGet(this, _pregenWalletService).createGuestWallets();
     });
   }
@@ -2137,6 +2361,9 @@ const _ParaCore = class _ParaCore {
   }
   getTransactionReviewUrl(transactionId, timeoutMs) {
     return __async(this, null, function* () {
+      if (this.isExternalWalletAuth) {
+        yield this.ctx.client.sessionAddPortalVerification();
+      }
       const authMethods = yield this.supportedUserAuthMethods();
       const result = yield this.constructPortalUrl("txReview", {
         pathId: transactionId,
@@ -2164,11 +2391,11 @@ const _ParaCore = class _ParaCore {
     });
   }
   /**
-   * Requests testnet funds from the faucet for the specified wallet.
+   * Submits a testnet faucet funding transaction for the specified wallet.
    * @param {RequestFaucetParams} params the options object.
    * @param {string} params.walletId the id of the wallet to fund.
    * @param {string} [params.chain] optional chain identifier to target a specific testnet.
-   * @returns the faucet transaction details, including the transaction hash and amount sent.
+   * @returns the submitted faucet transaction details. Wait for the returned transaction hash to confirm before spending.
    */
   requestFaucet(params) {
     return __async(this, null, function* () {
@@ -2197,14 +2424,17 @@ const _ParaCore = class _ParaCore {
       onPoll,
       onTransactionReviewUrl
     }) {
-      var _a;
       __privateGet(this, _walletService).assertIsValidWalletId(walletId);
       const wallet = this.wallets[walletId];
       let signerId = this.userId;
       if (wallet.partnerId && !wallet.userId) {
         signerId = wallet.partnerId;
       }
-      let signRes = yield this.signMessageInner({ wallet, signerId, messageBase64, cosmosSignDocBase64 });
+      let signRes = yield (0, import_tracer.wrapWithSpan)(
+        "mpc.sign",
+        () => this.signMessageInner({ wallet, signerId, messageBase64, cosmosSignDocBase64 }),
+        { "wallet.scheme": wallet.scheme, "wallet.id": walletId }
+      );
       let timeStart = Date.now();
       const effectiveTimeoutMs = Math.max(timeoutMs, constants.TRANSACTION_REVIEW_TIMEOUT_MS);
       if (signRes.pendingTransactionId) {
@@ -2231,7 +2461,16 @@ const _ParaCore = class _ParaCore {
         yield new Promise((resolve) => setTimeout(resolve, constants.POLLING_INTERVAL_MS));
         let pendingTransaction;
         try {
-          pendingTransaction = (_a = (yield this.ctx.client.getPendingTransaction(this.userId, signRes.pendingTransactionId)).data) == null ? void 0 : _a.pendingTransaction;
+          pendingTransaction = yield (0, import_tracer.wrapWithSpan)(
+            "tx.review.poll",
+            (span) => __async(this, null, function* () {
+              var _a;
+              const res = (_a = (yield this.ctx.client.getPendingTransaction(this.userId, signRes.pendingTransactionId)).data) == null ? void 0 : _a.pendingTransaction;
+              span.setAttribute("polling.status", (res == null ? void 0 : res.approvedAt) ? "approved" : "pending");
+              return res;
+            }),
+            { "pending_transaction.id": signRes.pendingTransactionId }
+          );
         } catch (e) {
           const error = new import_errors.TransactionReviewDenied();
           (0, import_utils2.dispatchEvent)(import_types.ParaEvent.SIGN_MESSAGE_EVENT, signRes, error.message);
@@ -2241,7 +2480,11 @@ const _ParaCore = class _ParaCore {
           onPoll == null ? void 0 : onPoll();
           continue;
         } else {
-          signRes = yield this.signMessageInner({ wallet, signerId, messageBase64, cosmosSignDocBase64 });
+          signRes = yield (0, import_tracer.wrapWithSpan)(
+            "mpc.sign",
+            () => this.signMessageInner({ wallet, signerId, messageBase64, cosmosSignDocBase64 }),
+            { "wallet.scheme": wallet.scheme, "wallet.id": walletId, "mpc.attempt": "post-review" }
+          );
           break;
         }
       }
@@ -2311,22 +2554,25 @@ const _ParaCore = class _ParaCore {
       onPoll,
       onTransactionReviewUrl
     }) {
-      var _a;
       __privateGet(this, _walletService).assertIsValidWalletId(walletId);
       const wallet = this.wallets[walletId];
       let signerId = this.userId;
       if (wallet.partnerId && !wallet.userId) {
         signerId = wallet.partnerId;
       }
-      let signRes = yield this.platformUtils.signTransaction(
-        this.ctx,
-        signerId,
-        walletId,
-        this.wallets[walletId].signer,
-        rlpEncodedTxBase64,
-        chainId,
-        this.retrieveSessionCookie(),
-        wallet.scheme === "DKLS"
+      let signRes = yield (0, import_tracer.wrapWithSpan)(
+        "mpc.sign",
+        () => this.platformUtils.signTransaction(
+          this.ctx,
+          signerId,
+          walletId,
+          this.wallets[walletId].signer,
+          rlpEncodedTxBase64,
+          chainId,
+          this.retrieveSessionCookie(),
+          wallet.scheme === "DKLS"
+        ),
+        { "wallet.scheme": wallet.scheme, "wallet.id": walletId, "tx.kind": "transaction" }
       );
       let timeStart = Date.now();
       const effectiveTimeoutMs = Math.max(timeoutMs, constants.TRANSACTION_REVIEW_TIMEOUT_MS);
@@ -2350,9 +2596,19 @@ const _ParaCore = class _ParaCore {
           break;
         }
         yield new Promise((resolve) => setTimeout(resolve, constants.POLLING_INTERVAL_MS));
+        const pendingTxId = signRes.pendingTransactionId;
         let pendingTransaction;
         try {
-          pendingTransaction = (_a = (yield this.ctx.client.getPendingTransaction(this.userId, signRes.pendingTransactionId)).data) == null ? void 0 : _a.pendingTransaction;
+          pendingTransaction = yield (0, import_tracer.wrapWithSpan)(
+            "tx.review.poll",
+            (span) => __async(this, null, function* () {
+              var _a;
+              const res = (_a = (yield this.ctx.client.getPendingTransaction(this.userId, pendingTxId)).data) == null ? void 0 : _a.pendingTransaction;
+              span.setAttribute("polling.status", (res == null ? void 0 : res.approvedAt) ? "approved" : "pending");
+              return res;
+            }),
+            { "pending_transaction.id": pendingTxId }
+          );
         } catch (e) {
           const error = new import_errors.TransactionReviewDenied();
           (0, import_utils2.dispatchEvent)(import_types.ParaEvent.SIGN_TRANSACTION_EVENT, signRes, error.message);
@@ -2362,15 +2618,19 @@ const _ParaCore = class _ParaCore {
           onPoll == null ? void 0 : onPoll();
           continue;
         } else {
-          signRes = yield this.platformUtils.signTransaction(
-            this.ctx,
-            signerId,
-            walletId,
-            this.wallets[walletId].signer,
-            rlpEncodedTxBase64,
-            chainId,
-            this.retrieveSessionCookie(),
-            wallet.scheme === "DKLS"
+          signRes = yield (0, import_tracer.wrapWithSpan)(
+            "mpc.sign",
+            () => this.platformUtils.signTransaction(
+              this.ctx,
+              signerId,
+              walletId,
+              this.wallets[walletId].signer,
+              rlpEncodedTxBase64,
+              chainId,
+              this.retrieveSessionCookie(),
+              wallet.scheme === "DKLS"
+            ),
+            { "wallet.scheme": wallet.scheme, "wallet.id": walletId, "tx.kind": "transaction", "mpc.attempt": "post-review" }
           );
           break;
         }
@@ -2642,7 +2902,8 @@ const _ParaCore = class _ParaCore {
         useLocalFiles: this.ctx.useLocalFiles,
         useDKLS: this.ctx.useDKLS,
         cosmosPrefix: this.ctx.cosmosPrefix
-      }
+      },
+      config: this.config
     });
     return `Para ${JSON.stringify(obj, null, 2)}`;
   }
@@ -2677,16 +2938,26 @@ const _ParaCore = class _ParaCore {
   }
   signUpOrLogIn(params) {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      (0, import_partnerConfigGating.assertConfigAllowed)(this.config, {
+        kind: (0, import_user_management_client.extractAuthInfo)(params.auth, { isRequired: true }).authType
+      });
       return yield __privateGet(this, _authService).signUpOrLogIn(params);
     });
   }
   authenticateWithEmailOrPhone(params) {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      (0, import_partnerConfigGating.assertConfigAllowed)(this.config, {
+        kind: (0, import_user_management_client.extractAuthInfo)(params.auth, { isRequired: true }).authType
+      });
       return yield __privateGet(this, _authService).authenticateWithEmailOrPhone(params);
     });
   }
   authenticateWithOAuth(params) {
     return __async(this, null, function* () {
+      yield __privateMethod(this, _ParaCore_instances, assertPartner_fn).call(this);
+      (0, import_partnerConfigGating.assertConfigAllowed)(this.config, { kind: "oauth", method: params.method });
       return yield __privateGet(this, _authService).authenticateWithOAuth(params);
     });
   }
@@ -2822,16 +3093,17 @@ const _ParaCore = class _ParaCore {
   }
   sendLoginCode() {
     return __async(this, null, function* () {
-      const { userId } = yield this.ctx.client.sendLoginVerificationCode(this.authInfo);
+      const { userId, deliveryChannel, fallbackUsed, fallbackChannel, isSmsAllowed } = yield this.ctx.client.sendLoginVerificationCode(this.authInfo);
       yield this.setUserId(userId);
-      return { userId };
+      return { userId, deliveryChannel, fallbackUsed, fallbackChannel, isSmsAllowed };
     });
   }
   exportPrivateKey() {
     return __async(this, arguments, function* (args = {}) {
+      var _a;
       let walletId = args == null ? void 0 : args.walletId;
       if (!(args == null ? void 0 : args.walletId)) {
-        walletId = this.findWalletId(void 0, { forbidPregen: true, scheme: ["DKLS"] });
+        walletId = this.findWalletId(void 0, { forbidPregen: true, scheme: ["DKLS", "ED25519"] });
       }
       const wallet = this.wallets[walletId];
       if (this.externalWallets[walletId]) {
@@ -2840,28 +3112,38 @@ const _ParaCore = class _ParaCore {
       if (!wallet || !wallet.signer) {
         throw new Error("Wallet not found with id: " + walletId);
       }
-      if (wallet.scheme !== "DKLS") {
-        throw new Error("Cannot export private key for a Solana wallet");
-      }
       if (wallet.isPregen && !!wallet.pregenIdentifier && wallet.pregenIdentifierType !== "GUEST_ID") {
         throw new Error("Cannot export private key for a pregenerated wallet");
       }
       if (args.shouldOpenPopup) {
         this.popupWindow = yield this.platformUtils.openPopup("about:blank", { type: import_types.PopupType.EXPORT_PRIVATE_KEY });
       }
-      const authMethods = yield this.supportedUserAuthMethods();
-      const exportPrivateKeyResult = yield this.constructPortalUrl("exportPrivateKey", {
-        pathId: walletId,
-        useLegacyUrl: authMethods.has(import_user_management_client.AuthMethod.PASSKEY)
-      });
-      const exportPrivateKeyUrl = exportPrivateKeyResult.url;
-      if (args.shouldOpenPopup) {
-        this.popupWindow.location.href = exportPrivateKeyUrl;
+      try {
+        if (this.isExternalWalletAuth) {
+          yield this.ctx.client.sessionAddPortalVerification();
+        }
+        const authMethods = yield this.supportedUserAuthMethods();
+        const exportPrivateKeyResult = yield this.constructPortalUrl("exportPrivateKey", {
+          pathId: walletId,
+          useLegacyUrl: authMethods.has(import_user_management_client.AuthMethod.PASSKEY)
+        });
+        const exportPrivateKeyUrl = exportPrivateKeyResult.url;
+        if (args.shouldOpenPopup) {
+          this.popupWindow.location.href = exportPrivateKeyUrl;
+        }
+        return {
+          url: exportPrivateKeyUrl,
+          popupWindow: this.popupWindow
+        };
+      } catch (err) {
+        if (args.shouldOpenPopup) {
+          try {
+            (_a = this.popupWindow) == null ? void 0 : _a.close();
+          } catch (e) {
+          }
+        }
+        throw err;
       }
-      return {
-        url: exportPrivateKeyUrl,
-        popupWindow: this.popupWindow
-      };
     });
   }
 };
@@ -2874,7 +3156,54 @@ _pollingService = new WeakMap();
 _portalUrlService = new WeakMap();
 _sessionManagementService = new WeakMap();
 _debugLogsEnabled = new WeakMap();
+_configChangeListeners = new WeakMap();
 _ParaCore_instances = new WeakSet();
+notifyConfigChange_fn = function() {
+  __privateGet(this, _configChangeListeners).forEach((cb) => cb());
+};
+_sdkConfigOverrides = new WeakMap();
+_configMemo = new WeakMap();
+/**
+ * Drift telemetry. Currently fires only on `rpcUrl` (the only
+ * remaining override-able field that's typically authoritative server-side
+ * — `rpcUrl` SDK override is legitimate for local-dev, but if a consumer
+ * silently overrides it in prod we want operators to know).
+ *
+ * Fires once per `(scope, key)` per session.
+ *
+ * Comparison baseline is the merge chain WITHOUT the SDK overrides layer
+ * (i.e. the authoritative chain: `defaults ⊕ ecosystem ⊕ partner`). Today
+ * with no ecosystem layer this resolves to the partner record values, but
+ * computing it via the merge keeps the comparison correct when ecosystem
+ * ships and an org overrides `rpcUrl` for its child partners.
+ *
+ * `appName` and `partnerLinks.*` are no longer overridable — they're 1:1
+ * with the apikey/project and have no per-instance use case. Drift
+ * telemetry for those was removed when they were excluded from
+ * `SdkOverridableAppConfig`.
+ */
+warnPartnerConfigDrift_fn = function() {
+  var _a;
+  if (!this.partner || !__privateGet(this, _sdkConfigOverrides)) return;
+  const baseline = __privateMethod(this, _ParaCore_instances, configWithoutSdkOverrides_fn).call(this);
+  const sdkRpcUrl = __privateGet(this, _sdkConfigOverrides).rpcUrl;
+  if (sdkRpcUrl && sdkRpcUrl !== baseline.rpcUrl) {
+    (0, import_deprecation.warnOnce)(
+      "partnerConfigDrift",
+      "rpcUrl",
+      `rpcUrl SDK override "${sdkRpcUrl}" disagrees with the partner record "${(_a = baseline.rpcUrl) != null ? _a : "(unset)"}". This is expected for local-dev; in production, configure rpcUrl via the developer portal.`
+    );
+  }
+};
+/**
+ * Resolved config WITHOUT the SDK override layer. Used by drift telemetry
+ * to compare overrides against the authoritative chain. Slot for the
+ * future ecosystem layer between `defaults` and `partner`.
+ */
+configWithoutSdkOverrides_fn = function() {
+  const partnerLayer = this.partner ? (0, import_utils2.partnerToAppConfigLayer)(this.partner) : void 0;
+  return (0, import_utils2.mergePartnerAppConfig)(import_utils2.DEFAULT_PARTNER_APP_CONFIG, partnerLayer);
+};
 assertPartner_fn = function() {
   return __async(this, null, function* () {
     var _a, _b;
@@ -2939,6 +3268,26 @@ assertIsLinkingAccountOrStart_fn = function(type) {
   });
 };
 waitForLoginProcess_fn = function() {
+  return __async(this, arguments, function* ({
+    isCanceled = () => false,
+    onCancel,
+    onPoll,
+    skipSessionRefresh = false,
+    isSwitchingWallets = false
+  } = {}) {
+    return (0, import_tracer.wrapWithSpan)("polling.waitForLoginProcess", (span) => __async(this, null, function* () {
+      span.setAttribute("polling.is_switching_wallets", isSwitchingWallets);
+      return __privateMethod(this, _ParaCore_instances, waitForLoginProcessImpl_fn).call(this, {
+        isCanceled,
+        onCancel,
+        onPoll,
+        skipSessionRefresh,
+        isSwitchingWallets
+      });
+    }));
+  });
+};
+waitForLoginProcessImpl_fn = function() {
   return __async(this, arguments, function* ({
     isCanceled = () => false,
     onCancel,
@@ -3072,7 +3421,7 @@ waitForLoginProcess_fn = function() {
               yield this.setupAfterLogin({ temporaryShares: tempSharesRes.data.temporaryShares, skipSessionRefresh });
               this.devLog("[waitForLoginProcess] Setup after login complete");
               this.devLog("[waitForLoginProcess] Claiming pregen wallets");
-              yield __privateGet(this, _pregenWalletService).claimPregenWallets();
+              yield this.claimPregenWallets();
               this.devLog("[waitForLoginProcess] Pregen wallets claimed");
               const resp = {
                 needsWallet: needsWallet || Object.values(this.wallets).length === 0,
@@ -3133,6 +3482,7 @@ logout_fn = function() {
     __privateGet(this, _authService).userId = void 0;
     __privateGet(this, _sessionManagementService).sessionCookie = void 0;
     this.isEnclaveUser = false;
+    (0, import_uxStateSpanProcessor.setCurrentUserId)(void 0);
     if (isSessionActive) {
       (0, import_utils2.dispatchEvent)(import_types.ParaEvent.LOGOUT_EVENT, null);
       if (!skipStateReset) {