@incodetech/core 0.0.0-dev-20260512-e44bacb → 0.0.0-dev-20260512-cffbe28

package/dist/{setup-h75-vL1d.esm.js → setup-DyspWyTY.esm.js}

@@ -1,11 +1,137 @@
-import { c as SemaphoreProvider, n as warmupWasm, o as wasmCallWrapper, s as loadWasmModule } from "./BaseWasmProvider-C2cw9STp.esm.js";
-import { t as WasmUtilProvider } from "./WasmUtilProvider-B8VtGgvF.esm.js";
+import { c as SemaphoreProvider, i as wasmCallWrapper, n as warmupWasm, s as loadWasmModule } from "./BaseWasmProvider-IiHnsP8E.esm.js";
+import { t as WasmUtilProvider } from "./WasmUtilProvider-BrEYcdhY.esm.js";
 import { t as BrowserTimerProvider } from "./BrowserTimerProvider-BZGH3sYJ.esm.js";
 import { a as resetApi, i as isApiConfigured, n as getApi, o as setClient, r as getToken, s as setToken, t as api } from "./api-eqRXuVG-.esm.js";
 import { _ as resetAnalyticsBatcher, g as getAnalyticsBatcher, m as createAnalyticsBatchingService, v as setAnalyticsBatcher } from "./events-Bt1azl2B.esm.js";
 import { t as endpoints } from "./endpoints-B3V1U9Dg.esm.js";
-import { i as resetSessionInit, r as initializeSession } from "./session-DWFMKdX6.esm.js";
+import { i as resetSessionInit, r as initializeSession } from "./session-DAspZUCj.esm.js";
 
+//#region ../infra/src/wasm/wasmDefaults.ts
+const WASM_CDN_BASE_URL = "https://cdn.incodesmile.com/ml-wasm-kit-release";
+/** The WASM version bundled and tested with this SDK release. */
+const DEFAULT_WASM_VERSION = "v2.13.14";
+const PATH_KEYS = [
+	"wasmPath",
+	"wasmSimdPath",
+	"glueCodePath",
+	"modelsBasePath"
+];
+function isBlank(value) {
+	return value.trim() === "";
+}
+function hasDisallowedControlChars(value) {
+	for (let i = 0; i < value.length; i += 1) {
+		const code = value.charCodeAt(i);
+		if (code < 32 || code === 127) return true;
+	}
+	return false;
+}
+function isMalformedPath(value) {
+	const trimmed = value.trim();
+	if (trimmed === "") return false;
+	if (hasDisallowedControlChars(trimmed)) return true;
+	if (/^https?:\/\//i.test(trimmed)) try {
+		new URL(trimmed);
+		return false;
+	} catch {
+		return true;
+	}
+	return false;
+}
+function warnInvalidWasmPath(field, reason) {
+	if (reason === "empty") {
+		console.warn(`[Incode SDK] wasm.${field} is empty. Falling back to CDN default.`);
+		return;
+	}
+	console.warn(`[Incode SDK] wasm.${field} appears malformed. Falling back to CDN default.`);
+}
+function warnMalformedWasmPath(field) {
+	console.warn(`[Incode SDK] wasm.${field} appears malformed. Check the URL or path.`);
+}
+/**
+* Validates merged WASM path strings. When overrides contained blank path
+* values, callers should have already fallen back to defaults before this runs.
+*/
+function validateWasmPaths(config) {
+	for (const key of PATH_KEYS) {
+		const value = config[key];
+		if (typeof value === "string" && isMalformedPath(value)) warnMalformedWasmPath(key);
+	}
+}
+function pickPath(key, overrides, defaultValue) {
+	if (!overrides || !(key in overrides)) return defaultValue;
+	const raw = overrides[key];
+	if (raw === void 0) return defaultValue;
+	if (typeof raw !== "string") return defaultValue;
+	if (isBlank(raw)) {
+		warnInvalidWasmPath(key, "empty");
+		return defaultValue;
+	}
+	if (isMalformedPath(raw)) {
+		warnInvalidWasmPath(key, "malformed");
+		return defaultValue;
+	}
+	return raw.trim();
+}
+/** Builds the standard WarmupConfig from the Incode CDN. */
+function buildDefaultWasmConfig() {
+	const base = `${WASM_CDN_BASE_URL}/${DEFAULT_WASM_VERSION}`;
+	return {
+		wasmPath: `${base}/webLib.wasm`,
+		wasmSimdPath: `${base}/webLibSimd.wasm`,
+		glueCodePath: `${base}/webLib.js`,
+		modelsBasePath: `${base}/models`
+	};
+}
+/**
+* Merges optional WASM path overrides with CDN defaults. Explicit non-blank
+* paths take precedence. Blank override strings log a warning and fall back to defaults.
+*/
+function resolveWasmConfig(overrides) {
+	const defaults = buildDefaultWasmConfig();
+	if (!overrides) return defaults;
+	const simdDefault = defaults.wasmSimdPath ?? defaults.wasmPath;
+	const modelsDefault = defaults.modelsBasePath ?? (() => {
+		const lastSlash = defaults.wasmPath.lastIndexOf("/");
+		return lastSlash === -1 ? "models" : `${defaults.wasmPath.substring(0, lastSlash)}/models`;
+	})();
+	const merged = {
+		wasmPath: pickPath("wasmPath", overrides, defaults.wasmPath),
+		wasmSimdPath: pickPath("wasmSimdPath", overrides, simdDefault),
+		glueCodePath: pickPath("glueCodePath", overrides, defaults.glueCodePath),
+		modelsBasePath: pickPath("modelsBasePath", overrides, modelsDefault),
+		useSimd: overrides.useSimd,
+		pipelines: overrides.pipelines,
+		pipelineModels: overrides.pipelineModels
+	};
+	validateWasmPaths(merged);
+	return merged;
+}
+
+//#endregion
+//#region ../infra/src/providers/browser/BrowserPageLifecycleProvider.ts
+var BrowserPageLifecycleProvider = class {
+	sendBeacon(url, body, contentType = "application/json") {
+		if (typeof navigator === "undefined" || typeof navigator.sendBeacon !== "function") return false;
+		const blob = new Blob([body], { type: contentType });
+		return navigator.sendBeacon(url, blob);
+	}
+	onPageHide(listener) {
+		const onVisibilityChange = () => {
+			if (document.visibilityState === "hidden") listener();
+		};
+		document.addEventListener("visibilitychange", onVisibilityChange);
+		window.addEventListener("pagehide", listener);
+		window.addEventListener("beforeunload", listener);
+		return () => {
+			document.removeEventListener("visibilitychange", onVisibilityChange);
+			window.removeEventListener("pagehide", listener);
+			window.removeEventListener("beforeunload", listener);
+		};
+	}
+};
+
+//#endregion
 //#region ../infra/src/http/createApi.ts
 var FetchHttpError = class extends Error {
 	constructor(status, statusText, url, method, headers, data) {
@@ -244,9 +370,12 @@ var createApi_default = createApi;
 *   busy-poll via {@link wasmCallWrapper}.
 * - Result extraction (`getRequestResult`) is per-thread.
 *
-* Encryption is wired through the `encryptionEnabled` flag but defaults to
-* `false`. End-to-end encryption (Phase 2) will re-call `setupConnection` with
-* a real token + `encryptionEnabled = true`; that helper is a follow-up.
+* Encryption support: `setupConnection` accepts an `encryptionEnabled` flag
+* that triggers the in-binary RSA/AES handshake (always using SHA-256 OAEP).
+* {@link enableWasmEncryption} is a stateless helper that re-runs the
+* handshake with the caller-supplied connection params. State lives in the
+* C++ binary and (for SDK config) in `@incodetech/core`'s `setup.ts` — this
+* module caches nothing.
 */
 const HTTP_CONCURRENCY = 4;
 var WasmWebClientError = class extends Error {
@@ -304,12 +433,30 @@ async function initializeWasmWebClient(wasmPath, wasmSimdPath, glueCodePath, use
 /**
 * Configures the C++ WebClient connection. Safe to call multiple times — each
 * call resets the underlying session and re-applies default headers.
+*
+* `defaultHeaders` are applied **before** `createApi`, so the in-binary RSA
+* handshake (`GET /e2ee/key/v2` + `POST /e2ee/key`) sees the same headers as
+* data requests. Without this ordering, environments that require auth/version
+* headers on the handshake (e.g. `x-api-key`, `api-version`) would 401/4xx
+* before any encrypted traffic ever flowed.
+*
+* OAEP padding is hardcoded to SHA-256 (we always pass `useSha256 = true` into
+* the C++ binary).
 */
-async function setupWasmConnection(apiURL, token, useSha256, encryptionEnabled, defaultHeaders) {
+async function setupWasmConnection(apiURL, token, encryptionEnabled, defaultHeaders) {
 	const api$1 = ensureReady();
 	api$1.resetSessionState?.();
-	api$1.createApi(apiURL, token, useSha256, encryptionEnabled);
 	api$1.setDefaultHeaders?.(defaultHeaders);
+	api$1.createApi(apiURL, token, true, encryptionEnabled);
+}
+/**
+* Re-runs the connection handshake with `encryptionEnabled = true`. Stateless:
+* callers (currently `@incodetech/core`'s `setup()`) own the connection params
+* and supply them on every call. Use this to upgrade an existing non-encrypted
+* WASM connection to encrypted at runtime.
+*/
+async function enableWasmEncryption(params) {
+	await setupWasmConnection(params.apiURL, params.token ?? "", true, params.defaultHeaders);
 }
 /**
 * Executes a single HTTP request through the WASM WebClient.
@@ -364,6 +511,22 @@ function ensureReady() {
 
 //#endregion
 //#region ../infra/src/http/createWasmApi.ts
+const RSA_OAEP_SHA256_SCHEME = "RSA/NONE/OAEPWITHSHA-256ANDMGF1PADDING";
+/**
+* Builds the base set of HTTP headers that the WASM WebClient sends on every
+* request (including the internal `/e2ee/key/v2` and `/e2ee/key` handshake
+* calls). Exported so callers that drive `setupWasmConnection` /
+* `enableWasmEncryption` directly (e.g. core's runtime encryption upgrade
+* path) can build the same headers without duplicating constants.
+*/
+function buildWasmDefaultHeaders(customHeaders) {
+	return {
+		"Content-Type": "application/json",
+		Accept: "application/json",
+		"api-version": "1.0",
+		...customHeaders ?? {}
+	};
+}
 var WasmHttpError = class extends Error {
 	constructor(status, statusText, url, method, headers, data) {
 		super(`HTTP ${status} ${statusText}`);
@@ -439,14 +602,10 @@ const withAbortSignal = async (promise, signal, error) => {
 	});
 };
 const createWasmApi = async (config) => {
-	const headers = {
-		"Content-Type": "application/json",
-		Accept: "application/json",
-		"api-version": "1.0",
-		...config.customHeaders ?? {}
-	};
+	const headers = buildWasmDefaultHeaders(config.customHeaders);
+	const isEncryptionEnabled = config.isEncryptionEnabled ?? (() => false);
 	await initializeWasmWebClient(config.wasm.wasmPath, config.wasm.wasmSimdPath ?? config.wasm.wasmPath, config.wasm.glueCodePath, config.wasm.useSimd ?? true);
-	await setupWasmConnection(config.apiURL, "", config.useSha256 ?? false, config.encryptionEnabled ?? false, headers);
+	await setupWasmConnection(config.apiURL, "", config.encryptionEnabled ?? false, headers);
 	const defaults = {
 		baseURL: config.apiURL,
 		headers
@@ -460,6 +619,7 @@ const createWasmApi = async (config) => {
 			const fullUrl = buildUrl(defaults.baseURL, url, requestParams);
 			const mergedHeaders = {
 				...defaults.headers,
+				...isEncryptionEnabled() ? { "X-RSA-Encryption-Scheme": RSA_OAEP_SHA256_SCHEME } : {},
 				...requestHeaders
 			};
 			const requestBody = prepareBody(body);
@@ -537,135 +697,153 @@ const createWasmApi = async (config) => {
 var createWasmApi_default = createWasmApi;
 
 //#endregion
-//#region ../infra/src/wasm/wasmDefaults.ts
-const WASM_CDN_BASE_URL = "https://cdn.incodesmile.com/ml-wasm-kit-release";
-/** The WASM version bundled and tested with this SDK release. */
-const DEFAULT_WASM_VERSION = "v2.13.14";
-const PATH_KEYS = [
-	"wasmPath",
-	"wasmSimdPath",
-	"glueCodePath",
-	"modelsBasePath"
-];
-function isBlank(value) {
-	return value.trim() === "";
-}
-function hasDisallowedControlChars(value) {
-	for (let i = 0; i < value.length; i += 1) {
-		const code = value.charCodeAt(i);
-		if (code < 32 || code === 127) return true;
-	}
-	return false;
+//#region src/internal/http/clientLifecycle.ts
+/**
+* HTTP client lifecycle for the SDK.
+*
+* Owns the active `StoredHttpConfig` and the procedures that mutate it:
+*
+* - {@link installFreshHttpClient} — first-time setup, or full reconfigure
+*   when a new `apiURL` is provided to `setup()`.
+* - {@link enableEncryptionOnExistingClient} — runtime upgrade from a plain
+*   or non-encrypted WASM client to an encrypted WASM client.
+* - {@link upgradeToWasmHttpClient} — lazy XHR→WASM swap used by
+*   `<incode-flow>` / `<incode-workflow>` when WASM finishes warming up.
+*
+* Everything that touches the encrypted-transport handshake is wrapped in
+* {@link withHandshakeFailureContext} so callers see a single descriptive
+* error instead of an opaque infra exception.
+*
+* Module-scoped state intentional: there is one HTTP client per SDK
+* instance.
+*/
+let storedHttpConfig;
+/** Reads the current HTTP-client config (or `undefined` if none installed). */
+function getStoredHttpConfig() {
+	return storedHttpConfig;
 }
-function isMalformedPath(value) {
-	const trimmed = value.trim();
-	if (trimmed === "") return false;
-	if (hasDisallowedControlChars(trimmed)) return true;
-	if (/^https?:\/\//i.test(trimmed)) try {
-		new URL(trimmed);
-		return false;
-	} catch {
-		return true;
-	}
-	return false;
+/** Whether encryption is currently active on the installed HTTP client. */
+function isHttpEncrypted() {
+	return storedHttpConfig?.encryption ?? false;
 }
-function warnInvalidWasmPath(field, reason) {
-	if (reason === "empty") {
-		console.warn(`[Incode SDK] wasm.${field} is empty. Falling back to CDN default.`);
-		return;
-	}
-	console.warn(`[Incode SDK] wasm.${field} appears malformed. Falling back to CDN default.`);
+/** Clears all HTTP-client state. Called by `reset()`. */
+function resetHttpClientState() {
+	storedHttpConfig = void 0;
 }
-function warnMalformedWasmPath(field) {
-	console.warn(`[Incode SDK] wasm.${field} appears malformed. Check the URL or path.`);
+/**
+* Builds (or replaces) the HTTP client when `setup()` receives an `apiURL`.
+* Picks `createWasmApi` when `effectiveWasm` is set, otherwise plain
+* `createApi`. Wraps the call in handshake-failure context when encryption
+* is requested.
+*/
+async function installFreshHttpClient(apiURL, options, effectiveWasm, wantsEncryption) {
+	setClient(effectiveWasm ? await withHandshakeFailureContext(wantsEncryption, () => createWasmApi_default({
+		apiURL,
+		customHeaders: options.customHeaders,
+		timeout: options.timeout,
+		wasm: effectiveWasm,
+		encryptionEnabled: wantsEncryption,
+		isEncryptionEnabled: isHttpEncrypted
+	})) : createApi_default({
+		apiURL,
+		customHeaders: options.customHeaders,
+		timeout: options.timeout
+	}));
+	storedHttpConfig = {
+		apiURL,
+		customHeaders: options.customHeaders,
+		timeout: options.timeout,
+		isWasm: Boolean(effectiveWasm),
+		encryption: wantsEncryption
+	};
 }
 /**
-* Validates merged WASM path strings. When overrides contained blank path
-* values, callers should have already fallen back to defaults before this runs.
+* Upgrades an existing non-encrypted connection to encrypted. Merges new
+* `customHeaders` / `timeout` over the stored ones (new values win). If the
+* existing client was plain fetch/XHR, swaps it for a WASM client; if it
+* was already a non-encrypted WASM client, flips encryption on in place.
+*
+* No-op if no HTTP client was previously installed.
 */
-function validateWasmPaths(config) {
-	for (const key of PATH_KEYS) {
-		const value = config[key];
-		if (typeof value === "string" && isMalformedPath(value)) warnMalformedWasmPath(key);
-	}
+async function enableEncryptionOnExistingClient(options, effectiveWasm) {
+	const stored = storedHttpConfig;
+	if (!stored) return;
+	const customHeaders = mergeHeaders(stored.customHeaders, options.customHeaders);
+	const timeout = options.timeout ?? stored.timeout;
+	if (!stored.isWasm) setClient(await withHandshakeFailureContext(true, () => createWasmApi_default({
+		apiURL: stored.apiURL,
+		customHeaders,
+		timeout,
+		wasm: effectiveWasm,
+		encryptionEnabled: true,
+		isEncryptionEnabled: isHttpEncrypted
+	})));
+	else if (!stored.encryption) await withHandshakeFailureContext(true, () => enableWasmEncryption({
+		apiURL: stored.apiURL,
+		defaultHeaders: buildWasmDefaultHeaders(customHeaders),
+		token: options.token
+	}));
+	storedHttpConfig = {
+		...stored,
+		customHeaders,
+		timeout,
+		isWasm: true,
+		encryption: true
+	};
 }
-function pickPath(key, overrides, defaultValue) {
-	if (!overrides || !(key in overrides)) return defaultValue;
-	const raw = overrides[key];
-	if (raw === void 0) return defaultValue;
-	if (typeof raw !== "string") return defaultValue;
-	if (isBlank(raw)) {
-		warnInvalidWasmPath(key, "empty");
-		return defaultValue;
-	}
-	if (isMalformedPath(raw)) {
-		warnInvalidWasmPath(key, "malformed");
-		return defaultValue;
-	}
-	return raw.trim();
+/**
+* Replaces the active HTTP client with the WASM-backed one. Used internally
+* by lazy-loading UI components (`<incode-flow>`, `<incode-workflow>`) when
+* WASM finishes warming up.
+*
+* No-op when no apiURL was previously configured, or when the active client
+* is already WASM-backed.
+*
+* @internal NOT a public API. Application code should use
+*   `setup({ wasm: {...} })` instead.
+*/
+async function upgradeToWasmHttpClient(resolved) {
+	const stored = storedHttpConfig;
+	if (!stored || stored.isWasm) return;
+	setClient(await createWasmApi_default({
+		apiURL: stored.apiURL,
+		customHeaders: stored.customHeaders,
+		timeout: stored.timeout,
+		wasm: resolved,
+		encryptionEnabled: stored.encryption,
+		isEncryptionEnabled: isHttpEncrypted
+	}));
+	storedHttpConfig = {
+		...stored,
+		isWasm: true
+	};
 }
-/** Builds the standard WarmupConfig from the Incode CDN. */
-function buildDefaultWasmConfig() {
-	const base = `${WASM_CDN_BASE_URL}/${DEFAULT_WASM_VERSION}`;
+function mergeHeaders(base, override) {
+	if (!base && !override) return void 0;
 	return {
-		wasmPath: `${base}/webLib.wasm`,
-		wasmSimdPath: `${base}/webLibSimd.wasm`,
-		glueCodePath: `${base}/webLib.js`,
-		modelsBasePath: `${base}/models`
+		...base ?? {},
+		...override ?? {}
 	};
 }
 /**
-* Merges optional WASM path overrides with CDN defaults. Explicit non-blank
-* paths take precedence. Blank override strings log a warning and fall back to defaults.
+* When `wantsEncryption` is true, wraps a call that triggers the in-binary
+* RSA/AES handshake so its rejection surfaces as a single, descriptive error
+* with the original error preserved as `cause`. Pass-through otherwise.
 */
-function resolveWasmConfig(overrides) {
-	const defaults = buildDefaultWasmConfig();
-	if (!overrides) return defaults;
-	const simdDefault = defaults.wasmSimdPath ?? defaults.wasmPath;
-	const modelsDefault = defaults.modelsBasePath ?? (() => {
-		const lastSlash = defaults.wasmPath.lastIndexOf("/");
-		return lastSlash === -1 ? "models" : `${defaults.wasmPath.substring(0, lastSlash)}/models`;
-	})();
-	const merged = {
-		wasmPath: pickPath("wasmPath", overrides, defaults.wasmPath),
-		wasmSimdPath: pickPath("wasmSimdPath", overrides, simdDefault),
-		glueCodePath: pickPath("glueCodePath", overrides, defaults.glueCodePath),
-		modelsBasePath: pickPath("modelsBasePath", overrides, modelsDefault),
-		useSimd: overrides.useSimd,
-		pipelines: overrides.pipelines,
-		pipelineModels: overrides.pipelineModels
-	};
-	validateWasmPaths(merged);
-	return merged;
-}
-
-//#endregion
-//#region ../infra/src/providers/browser/BrowserPageLifecycleProvider.ts
-var BrowserPageLifecycleProvider = class {
-	sendBeacon(url, body, contentType = "application/json") {
-		if (typeof navigator === "undefined" || typeof navigator.sendBeacon !== "function") return false;
-		const blob = new Blob([body], { type: contentType });
-		return navigator.sendBeacon(url, blob);
+async function withHandshakeFailureContext(wantsEncryption, fn) {
+	if (!wantsEncryption) return fn();
+	try {
+		return await fn();
+	} catch (cause) {
+		const error = /* @__PURE__ */ new Error("Failed to establish encrypted transport. The /e2ee/key handshake did not complete. Verify the apiURL is reachable and that the environment supports E2EE.");
+		error.cause = cause;
+		throw error;
 	}
-	onPageHide(listener) {
-		const onVisibilityChange = () => {
-			if (document.visibilityState === "hidden") listener();
-		};
-		document.addEventListener("visibilitychange", onVisibilityChange);
-		window.addEventListener("pagehide", listener);
-		window.addEventListener("beforeunload", listener);
-		return () => {
-			document.removeEventListener("visibilitychange", onVisibilityChange);
-			window.removeEventListener("pagehide", listener);
-			window.removeEventListener("beforeunload", listener);
-		};
-	}
-};
+}
 
 //#endregion
 //#region src/setup.ts
 let wasmConfig;
-let storedHttpConfig;
 let configured = false;
 /**
 * Initializes the SDK with the provided configuration.
@@ -717,7 +895,9 @@ let configured = false;
 *     pipelines: ['selfie'],
 *   },
 * });
-* ```
+*
+* // Enable end-to-end encryption at boot
+* await setup({ apiURL: 'https://api.incode.com', encryption: true });
 */
 async function setup(options) {
 	const batcher = getAnalyticsBatcher() ?? setAnalyticsBatcher(createAnalyticsBatchingService({
@@ -728,26 +908,12 @@ async function setup(options) {
 		pageLifecycle: new BrowserPageLifecycleProvider(),
 		timer: BrowserTimerProvider.getInstance()
 	}));
-	const effectiveWasm = options.wasm ? resolveWasmConfig(options.wasm) : void 0;
-	if (options.apiURL) {
-		const client = effectiveWasm ? await createWasmApi_default({
-			apiURL: options.apiURL,
-			customHeaders: options.customHeaders,
-			timeout: options.timeout,
-			wasm: effectiveWasm
-		}) : createApi_default({
-			apiURL: options.apiURL,
-			customHeaders: options.customHeaders,
-			timeout: options.timeout
-		});
-		storedHttpConfig = {
-			apiURL: options.apiURL,
-			customHeaders: options.customHeaders,
-			timeout: options.timeout,
-			isWasm: Boolean(effectiveWasm)
-		};
-		setClient(client);
-	}
+	const wantsEncryption = options.encryption === true;
+	if (wantsEncryption && options.wasm === false) throw new Error("Encryption is incompatible with `wasm: false`. Either remove `wasm: false` or omit `encryption`.");
+	if (options.encryption === false && getStoredHttpConfig()?.encryption === true) throw new Error("Encryption cannot be disabled once enabled. Call reset() to fully reinitialize the SDK if you need a non-encrypted client.");
+	const effectiveWasm = options.wasm || wantsEncryption ? resolveWasmConfig(options.wasm || {}) : void 0;
+	if (options.apiURL) await installFreshHttpClient(options.apiURL, options, effectiveWasm, wantsEncryption);
+	else if (wantsEncryption && getStoredHttpConfig() && effectiveWasm) await enableEncryptionOnExistingClient(options, effectiveWasm);
 	if (options.token && isApiConfigured()) {
 		setToken(options.token);
 		resetSessionInit();
@@ -793,32 +959,23 @@ async function initializeWasmUtil(config) {
 	});
 }
 /**
-* Replaces the active HTTP client with the WASM-backed one. Used when WASM is
-* loaded lazily (e.g. by the flow component) — `setup()` originally wired the
-* fetch/XHR client because no `wasm` was provided, and this swap upgrades to
-* `createWasmApi` once the WASM module is ready.
+* Replaces the active HTTP client with the WASM-backed one. Used internally
+* by lazy-loading UI components (`<incode-flow>`, `<incode-workflow>`) when
+* WASM finishes warming up.
 *
 * No-op when no apiURL was originally configured, or when the active client is
 * already the WASM one.
 *
+* @internal NOT a public API. Application code should use
+*   `setup({ wasm: {...} })` instead — that path is the supported way to opt
+*   into the WASM HTTP client.
+*
 * @param config - Optional WASM configuration. Defaults to the config stored via `setWasmConfig`.
 */
-async function upgradeToWasmHttpClient(config) {
-	if (!storedHttpConfig) return;
-	if (storedHttpConfig.isWasm) return;
-	const wasmConfigToUse = config ?? wasmConfig;
-	if (!wasmConfigToUse) return;
-	const resolved = resolveWasmConfig(wasmConfigToUse);
-	setClient(await createWasmApi_default({
-		apiURL: storedHttpConfig.apiURL,
-		customHeaders: storedHttpConfig.customHeaders,
-		timeout: storedHttpConfig.timeout,
-		wasm: resolved
-	}));
-	storedHttpConfig = {
-		...storedHttpConfig,
-		isWasm: true
-	};
+async function upgradeToWasmHttpClient$1(config) {
+	const configToUse = config ?? wasmConfig;
+	if (!configToUse) return;
+	await upgradeToWasmHttpClient(resolveWasmConfig(configToUse));
 }
 /**
 * Checks if the SDK has been configured.
@@ -835,11 +992,11 @@ function reset() {
 	resetApi();
 	resetSessionInit();
 	resetAnalyticsBatcher();
+	resetHttpClientState();
 	configured = false;
 	wasmConfig = void 0;
-	storedHttpConfig = void 0;
 	WasmUtilProvider.resetInstance();
 }
 
 //#endregion
-export { setup as a, buildDefaultWasmConfig as c, setWasmConfig as i, resolveWasmConfig as l, isConfigured as n, upgradeToWasmHttpClient as o, reset as r, DEFAULT_WASM_VERSION as s, initializeWasmUtil as t };
+export { setup as a, buildDefaultWasmConfig as c, setWasmConfig as i, resolveWasmConfig as l, isConfigured as n, upgradeToWasmHttpClient$1 as o, reset as r, DEFAULT_WASM_VERSION as s, initializeWasmUtil as t };

package/dist/wasm.d.ts

@@ -1,5 +1,5 @@
 import { n as WasmPipeline, r as warmupWasm, t as WarmupConfig } from "./warmup-DHGg8wQZ.js";
-import { c as upgradeToWasmHttpClient, n as WasmConfig, o as setWasmConfig, r as initializeWasmUtil } from "./setup-D3rE3N3K.js";
+import { c as upgradeToWasmHttpClient, n as WasmConfig, o as setWasmConfig, r as initializeWasmUtil } from "./setup-DM301Lyz.js";
 
 //#region ../infra/src/wasm/wasmDefaults.d.ts
 /** The WASM version bundled and tested with this SDK release. */

package/dist/wasm.esm.js

@@ -1,11 +1,11 @@
-import { c as buildDefaultWasmConfig, i as setWasmConfig, l as resolveWasmConfig, o as upgradeToWasmHttpClient, s as DEFAULT_WASM_VERSION, t as initializeWasmUtil } from "./setup-h75-vL1d.esm.js";
-import { n as warmupWasm } from "./BaseWasmProvider-C2cw9STp.esm.js";
-import "./WasmUtilProvider-B8VtGgvF.esm.js";
+import { c as buildDefaultWasmConfig, i as setWasmConfig, l as resolveWasmConfig, o as upgradeToWasmHttpClient, s as DEFAULT_WASM_VERSION, t as initializeWasmUtil } from "./setup-DyspWyTY.esm.js";
+import { n as warmupWasm } from "./BaseWasmProvider-IiHnsP8E.esm.js";
+import "./WasmUtilProvider-BrEYcdhY.esm.js";
 import "./BrowserTimerProvider-BZGH3sYJ.esm.js";
 import "./api-eqRXuVG-.esm.js";
 import "./events-Bt1azl2B.esm.js";
 import "./endpoints-B3V1U9Dg.esm.js";
-import "./session-DWFMKdX6.esm.js";
+import "./session-DAspZUCj.esm.js";
 import "./IpifyProvider-ByL6JYxg.esm.js";
 import "./browserSimulation-CAH-V_iE.esm.js";