npm - @pollar/core - Versions diffs - 0.6.0 → 0.7.1 - Mend

@pollar/core 0.6.0 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/README.md +276 -42
package/dist/adapters/expo-secure-store.d.mts +26 -0
package/dist/adapters/expo-secure-store.d.ts +26 -0
package/dist/adapters/expo-secure-store.js +53 -0
package/dist/adapters/expo-secure-store.js.map +1 -0
package/dist/adapters/expo-secure-store.mjs +50 -0
package/dist/adapters/expo-secure-store.mjs.map +1 -0
package/dist/adapters/react-native-keychain.d.mts +25 -0
package/dist/adapters/react-native-keychain.d.ts +25 -0
package/dist/adapters/react-native-keychain.js +60 -0
package/dist/adapters/react-native-keychain.js.map +1 -0
package/dist/adapters/react-native-keychain.mjs +57 -0
package/dist/adapters/react-native-keychain.mjs.map +1 -0
package/dist/index.d.mts +1101 -88
package/dist/index.d.ts +1101 -88
package/dist/index.js +871 -128
package/dist/index.js.map +1 -1
package/dist/index.mjs +861 -129
package/dist/index.mjs.map +1 -1
package/dist/index.rn.d.mts +30 -0
package/dist/index.rn.d.ts +30 -0
package/dist/index.rn.js +2675 -0
package/dist/index.rn.js.map +1 -0
package/dist/index.rn.mjs +2645 -0
package/dist/index.rn.mjs.map +1 -0
package/dist/types-DqgJIJBl.d.mts +19 -0
package/dist/types-DqgJIJBl.d.ts +19 -0
package/package.json +54 -2

package/dist/index.js CHANGED Viewed

@@ -171,6 +171,250 @@ var require_index_min = __commonJS({
   }
 });
+// src/keys/factory.ts
+var _factory = null;
+function _setDefaultKeyManagerFactory(factory) {
+  _factory = factory;
+}
+function defaultKeyManager(storage, apiKey) {
+  if (!_factory) {
+    throw new Error(
+      '[PollarClient] No default KeyManager factory registered. Did you import from "@pollar/core" via a non-standard path?'
+    );
+  }
+  return _factory(storage, apiKey);
+}
+// src/lib/sha256.ts
+async function sha256(data) {
+  const buf = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(buf);
+}
+// src/lib/api-key-hash.ts
+async function hashApiKey(apiKey) {
+  const digest = await sha256(new TextEncoder().encode(apiKey));
+  let hex = "";
+  for (let i = 0; i < 4; i++) hex += digest[i].toString(16).padStart(2, "0");
+  return hex;
+}
+// src/lib/base64url.ts
+var ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+(() => {
+  const m = /* @__PURE__ */ new Map();
+  for (let i = 0; i < ALPHABET.length; i++) m.set(ALPHABET[i], i);
+  return m;
+})();
+function base64urlEncode(bytes) {
+  let result = "";
+  let i = 0;
+  for (; i + 2 < bytes.length; i += 3) {
+    const b1 = bytes[i];
+    const b2 = bytes[i + 1];
+    const b3 = bytes[i + 2];
+    result += ALPHABET[b1 >> 2];
+    result += ALPHABET[(b1 & 3) << 4 | b2 >> 4];
+    result += ALPHABET[(b2 & 15) << 2 | b3 >> 6];
+    result += ALPHABET[b3 & 63];
+  }
+  if (i < bytes.length) {
+    const b1 = bytes[i];
+    if (i + 1 === bytes.length) {
+      result += ALPHABET[b1 >> 2];
+      result += ALPHABET[(b1 & 3) << 4];
+    } else {
+      const b2 = bytes[i + 1];
+      result += ALPHABET[b1 >> 2];
+      result += ALPHABET[(b1 & 3) << 4 | b2 >> 4];
+      result += ALPHABET[(b2 & 15) << 2];
+    }
+  }
+  return result;
+}
+function base64urlEncodeString(s) {
+  return base64urlEncode(new TextEncoder().encode(s));
+}
+// src/keys/thumbprint.ts
+async function computeJwkThumbprint(jwk) {
+  if (jwk.kty !== "EC" || jwk.crv !== "P-256" || !jwk.x || !jwk.y) {
+    throw new Error("[PollarClient:thumbprint] Expected EC P-256 JWK with x and y");
+  }
+  const canonical = `{"crv":"${jwk.crv}","kty":"${jwk.kty}","x":"${jwk.x}","y":"${jwk.y}"}`;
+  const digest = await sha256(new TextEncoder().encode(canonical));
+  return base64urlEncode(digest);
+}
+function canonicalEcJwk(jwk) {
+  if (jwk.kty !== "EC" || jwk.crv !== "P-256" || typeof jwk.x !== "string" || typeof jwk.y !== "string") {
+    throw new Error("[PollarClient:thumbprint] Source JWK is not an EC P-256 public key");
+  }
+  return { kty: "EC", crv: "P-256", x: jwk.x, y: jwk.y };
+}
+// src/keys/web-crypto.ts
+var DB_NAME = "pollar-keys";
+var DB_VERSION = 1;
+var STORE_NAME = "keys";
+function openDb() {
+  return new Promise((resolve, reject) => {
+    if (typeof indexedDB === "undefined") {
+      reject(new Error("[PollarClient:keys] IndexedDB not available"));
+      return;
+    }
+    const req = indexedDB.open(DB_NAME, DB_VERSION);
+    req.onerror = () => reject(req.error ?? new Error("IDB open failed"));
+    req.onsuccess = () => resolve(req.result);
+    req.onupgradeneeded = () => {
+      const db = req.result;
+      if (!db.objectStoreNames.contains(STORE_NAME)) {
+        db.createObjectStore(STORE_NAME);
+      }
+    };
+  });
+}
+function awaitTx(req) {
+  return new Promise((resolve, reject) => {
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error ?? new Error("IDB request failed"));
+  });
+}
+async function dbGet(key) {
+  const db = await openDb();
+  try {
+    const tx = db.transaction(STORE_NAME, "readonly");
+    const result = await awaitTx(tx.objectStore(STORE_NAME).get(key));
+    return result;
+  } finally {
+    db.close();
+  }
+}
+async function dbPut(key, value) {
+  const db = await openDb();
+  try {
+    const tx = db.transaction(STORE_NAME, "readwrite");
+    await awaitTx(tx.objectStore(STORE_NAME).put(value, key));
+  } finally {
+    db.close();
+  }
+}
+async function dbDelete(key) {
+  const db = await openDb();
+  try {
+    const tx = db.transaction(STORE_NAME, "readwrite");
+    await awaitTx(tx.objectStore(STORE_NAME).delete(key));
+  } finally {
+    db.close();
+  }
+}
+function isCryptoKeyPair(v) {
+  if (typeof v !== "object" || v === null) return false;
+  const obj = v;
+  return obj.privateKey !== void 0 && obj.publicKey !== void 0;
+}
+var WebCryptoKeyManager = class {
+  constructor(apiKey) {
+    this.apiKeyHash = null;
+    this.keyPair = null;
+    this.publicJwk = null;
+    this.thumbprint = null;
+    /**
+     * Cached in-flight init. Lets `init()` be called concurrently (or implicitly
+     * from `getPublicJwk` / `sign`) without doing the work twice. Cleared on
+     * failure so callers can retry, and cleared on `reset()`.
+     */
+    this._initPromise = null;
+    if (typeof globalThis.crypto === "undefined" || !globalThis.crypto.subtle) {
+      throw new Error(
+        "[PollarClient:keys] SubtleCrypto is unavailable. DPoP requires a secure context (HTTPS or localhost)."
+      );
+    }
+    this.apiKey = apiKey;
+  }
+  /**
+   * Idempotent and safe under concurrency. The first call kicks off the real
+   * init; subsequent (and concurrent) calls return the same in-flight promise.
+   * Other methods (`getPublicJwk`, `getThumbprint`, `sign`) auto-await this so
+   * the manager is self-healing if `init()` was never explicitly invoked.
+   */
+  async init() {
+    if (this.keyPair) return;
+    if (!this._initPromise) {
+      this._initPromise = this._doInit().catch((err) => {
+        console.error("[PollarClient:keys] WebCryptoKeyManager init failed", err);
+        this._initPromise = null;
+        throw err;
+      });
+    }
+    return this._initPromise;
+  }
+  async _doInit() {
+    if (!this.apiKeyHash) {
+      this.apiKeyHash = await hashApiKey(this.apiKey);
+    }
+    let pair;
+    try {
+      pair = await dbGet(this.apiKeyHash);
+      if (pair && !isCryptoKeyPair(pair)) pair = void 0;
+    } catch {
+      pair = void 0;
+    }
+    if (!pair) {
+      pair = await globalThis.crypto.subtle.generateKey(
+        { name: "ECDSA", namedCurve: "P-256" },
+        // false → private key non-extractable; per W3C ECDSA spec the public
+        // key is always extractable regardless of this flag.
+        false,
+        ["sign", "verify"]
+      );
+      try {
+        await dbPut(this.apiKeyHash, pair);
+      } catch {
+      }
+    }
+    this.keyPair = pair;
+    const exported = await globalThis.crypto.subtle.exportKey("jwk", pair.publicKey);
+    this.publicJwk = canonicalEcJwk(exported);
+    this.thumbprint = await computeJwkThumbprint(this.publicJwk);
+  }
+  async reset() {
+    try {
+      if (this.apiKeyHash) await dbDelete(this.apiKeyHash);
+    } catch {
+    }
+    this.keyPair = null;
+    this.publicJwk = null;
+    this.thumbprint = null;
+    this._initPromise = null;
+  }
+  async getPublicJwk() {
+    if (!this.publicJwk) await this.init();
+    if (!this.publicJwk) {
+      throw new Error("[PollarClient:keys] Keypair initialization failed; getPublicJwk unavailable");
+    }
+    return { kty: this.publicJwk.kty, crv: this.publicJwk.crv, x: this.publicJwk.x, y: this.publicJwk.y };
+  }
+  async getThumbprint() {
+    if (!this.thumbprint) await this.init();
+    if (!this.thumbprint) {
+      throw new Error("[PollarClient:keys] Keypair initialization failed; getThumbprint unavailable");
+    }
+    return this.thumbprint;
+  }
+  async sign(payload) {
+    if (!this.keyPair) await this.init();
+    if (!this.keyPair) {
+      throw new Error("[PollarClient:keys] Keypair initialization failed; sign unavailable");
+    }
+    const sig = await globalThis.crypto.subtle.sign(
+      { name: "ECDSA", hash: "SHA-256" },
+      this.keyPair.privateKey,
+      payload
+    );
+    return new Uint8Array(sig);
+  }
+};
 // ../../node_modules/openapi-fetch/dist/index.mjs
 var PATH_PARAM_RE = /\{[^{}]+\}/g;
 var supportsRequestInitExt = () => {
@@ -198,7 +442,7 @@ function createClient(clientOptions) {
     const {
       baseUrl: localBaseUrl,
       fetch: fetch2 = baseFetch,
-      Request = CustomRequest,
+      Request: Request2 = CustomRequest,
       headers,
       params = {},
       parseAs = "json",
@@ -250,7 +494,7 @@ function createClient(clientOptions) {
     };
     let id;
     let options;
-    let request = new Request(
+    let request = new Request2(
       createFinalURL(schemaPath, { baseUrl: finalBaseUrl, params, querySerializer, pathSerializer }),
       requestInit
     );
@@ -280,7 +524,7 @@ function createClient(clientOptions) {
             id
           });
           if (result) {
-            if (result instanceof Request) {
+            if (result instanceof Request2) {
               request = result;
             } else if (result instanceof Response) {
               response = result;
@@ -652,6 +896,22 @@ function createApiClient(baseUrl) {
   return createClient({ baseUrl });
 }
+// src/api/endpoints/distribution.ts
+async function listDistributionRules(api) {
+  const { data, error } = await api.GET("/distribution/rules");
+  if (!data?.content || error) {
+    throw new Error(error?.error ?? "Failed to list distribution rules");
+  }
+  return data.content.rules;
+}
+async function claimDistributionRule(api, body) {
+  const { data, error } = await api.POST("/distribution/claim", { body });
+  if (!data?.content || error) {
+    throw new Error(error?.error ?? "Failed to claim distribution rule");
+  }
+  return data.content;
+}
 // src/api/endpoints/kyc.ts
 async function getKycStatus(api, providerId) {
   const { data, error } = await api.GET("/kyc/status", {
@@ -719,6 +979,68 @@ async function pollRampTransaction(api, txId, { intervalMs = 5e3, timeoutMs = 6e
   throw new Error("Ramp transaction polling timed out");
 }
+// src/dpop.ts
+async function buildProof(args, keyManager) {
+  const jwk = await keyManager.getPublicJwk();
+  const header = {
+    typ: "dpop+jwt",
+    alg: "ES256",
+    jwk
+  };
+  const payload = {
+    jti: generateJti(),
+    htm: args.htm.toUpperCase(),
+    htu: normalizeHtu(args.htu),
+    iat: Math.floor(Date.now() / 1e3)
+  };
+  if (args.accessToken !== void 0 && args.accessToken !== "") {
+    payload.ath = base64urlEncode(await sha256(new TextEncoder().encode(args.accessToken)));
+  }
+  if (args.nonce !== void 0 && args.nonce !== "") {
+    payload.nonce = args.nonce;
+  }
+  const encodedHeader = base64urlEncodeString(JSON.stringify(header));
+  const encodedPayload = base64urlEncodeString(JSON.stringify(payload));
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  const signature = await keyManager.sign(new TextEncoder().encode(signingInput));
+  const encodedSignature = base64urlEncode(signature);
+  return `${signingInput}.${encodedSignature}`;
+}
+function normalizeHtu(rawUrl) {
+  let url;
+  try {
+    url = new URL(rawUrl);
+  } catch {
+    return rawUrl.split("#")[0].split("?")[0];
+  }
+  const scheme = url.protocol.toLowerCase();
+  const host = url.hostname.toLowerCase();
+  let port = url.port;
+  if (scheme === "https:" && port === "443" || scheme === "http:" && port === "80") {
+    port = "";
+  }
+  const portPart = port ? `:${port}` : "";
+  return `${scheme}//${host}${portPart}${url.pathname}`;
+}
+function generateJti() {
+  const c = globalThis.crypto;
+  if (c && typeof c.randomUUID === "function") {
+    return c.randomUUID();
+  }
+  if (c && typeof c.getRandomValues === "function") {
+    const bytes = new Uint8Array(16);
+    c.getRandomValues(bytes);
+    bytes[6] = bytes[6] & 15 | 64;
+    bytes[8] = bytes[8] & 63 | 128;
+    const hex = [];
+    for (let i = 0; i < 16; i++) hex.push(bytes[i].toString(16).padStart(2, "0"));
+    return `${hex.slice(0, 4).join("")}-${hex.slice(4, 6).join("")}-${hex.slice(6, 8).join("")}-${hex.slice(8, 10).join("")}-${hex.slice(10, 16).join("")}`;
+  }
+  throw new Error(
+    "[PollarClient:dpop] No secure random source available (crypto.randomUUID / crypto.getRandomValues). DPoP requires a secure context (HTTPS) or, in React Native, the `react-native-get-random-values` polyfill."
+  );
+}
 // src/stellar/StellarClient.ts
 var HORIZON_URLS = {
   mainnet: "https://horizon.stellar.org",
@@ -747,6 +1069,93 @@ var StellarClient = class {
   }
 };
+// src/storage/web.ts
+var LOG_PREFIX = "[PollarClient:storage]";
+function createMemoryAdapter() {
+  const store = /* @__PURE__ */ new Map();
+  return {
+    async get(key) {
+      const value = store.get(key);
+      return value === void 0 ? null : value;
+    },
+    async set(key, value) {
+      store.set(key, value);
+    },
+    async remove(key) {
+      store.delete(key);
+    }
+  };
+}
+function createLocalStorageAdapter(options = {}) {
+  const fallback = createMemoryAdapter();
+  let degraded = false;
+  function degrade(reason, error) {
+    if (degraded) return;
+    degraded = true;
+    console.warn(`${LOG_PREFIX} localStorage unavailable (${reason}); degrading to in-memory storage`);
+    options.onDegrade?.(reason, error);
+  }
+  return {
+    async get(key) {
+      if (degraded) return fallback.get(key);
+      try {
+        return globalThis.localStorage.getItem(key);
+      } catch (error) {
+        degrade("read-failed", error);
+        return fallback.get(key);
+      }
+    },
+    async set(key, value) {
+      if (degraded) return fallback.set(key, value);
+      try {
+        globalThis.localStorage.setItem(key, value);
+      } catch (error) {
+        const reason = isQuotaError(error) ? "quota-exceeded" : "write-failed";
+        degrade(reason, error);
+        await fallback.set(key, value);
+      }
+    },
+    async remove(key) {
+      if (degraded) return fallback.remove(key);
+      try {
+        globalThis.localStorage.removeItem(key);
+      } catch (error) {
+        degrade("remove-failed", error);
+        await fallback.remove(key);
+      }
+    }
+  };
+}
+function isQuotaError(error) {
+  if (typeof error !== "object" || error === null) return false;
+  const name = error.name;
+  const code = error.code;
+  return name === "QuotaExceededError" || name === "NS_ERROR_DOM_QUOTA_REACHED" || code === 22 || code === 1014;
+}
+// src/storage/autodetect.ts
+var PROBE_KEY = "__pollar_storage_probe__";
+function defaultStorage(options = {}) {
+  if (typeof globalThis === "undefined" || typeof globalThis.localStorage === "undefined") {
+    options.onDegrade?.("unavailable");
+    return createMemoryAdapter();
+  }
+  try {
+    const probeValue = String(Date.now());
+    globalThis.localStorage.setItem(PROBE_KEY, probeValue);
+    const read = globalThis.localStorage.getItem(PROBE_KEY);
+    globalThis.localStorage.removeItem(PROBE_KEY);
+    if (read !== probeValue) {
+      options.onDegrade?.("probe-failed");
+      return createMemoryAdapter();
+    }
+  } catch (error) {
+    options.onDegrade?.("probe-failed", error);
+    return createMemoryAdapter();
+  }
+  return createLocalStorageAdapter(options);
+}
 // src/types.ts
 var AUTH_ERROR_CODES = {
   SESSION_CREATE_FAILED: "SESSION_CREATE_FAILED",
@@ -935,24 +1344,42 @@ var AlbedoAdapter = class {
 };
 // src/client/session.ts
-var STORAGE_KEY = "pollar:session";
-var WALLET_TYPE_KEY = "pollar:walletType";
+var SESSION_SUFFIX = ":session";
+var WALLET_TYPE_SUFFIX = ":walletType";
+function sessionStorageKey(apiKeyHash) {
+  return `pollar:${apiKeyHash}${SESSION_SUFFIX}`;
+}
+function walletTypeStorageKey(apiKeyHash) {
+  return `pollar:${apiKeyHash}${WALLET_TYPE_SUFFIX}`;
+}
+var MAX_ACCESS_TOKEN = 4096;
+var MAX_REFRESH_TOKEN = 4096;
+var MAX_USER_ID = 64;
+var MAX_CLIENT_SESSION_ID = 64;
+var MAX_STATUS = 64;
+var MAX_WALLET_PUBLIC_KEY = 128;
+var MAX_WALLET_TYPE = 32;
+function isBoundedString(v, max, allowEmpty = false) {
+  if (typeof v !== "string") return false;
+  if (!allowEmpty && v.length === 0) return false;
+  return v.length <= max;
+}
 function isValidSession(value) {
   if (typeof value !== "object" || value === null) {
     console.warn("[PollarClient:session] Invalid session \u2014 value is not an object");
     return false;
   }
   const s = value;
-  if (typeof s["clientSessionId"] !== "string" || s["clientSessionId"] === "") {
-    console.warn("[PollarClient:session] Invalid session \u2014 clientSessionId missing or empty");
+  if (!isBoundedString(s["clientSessionId"], MAX_CLIENT_SESSION_ID)) {
+    console.warn("[PollarClient:session] Invalid session \u2014 clientSessionId missing/empty/too long");
     return false;
   }
-  if (s["userId"] !== null && typeof s["userId"] !== "string") {
-    console.warn("[PollarClient:session] Invalid session \u2014 userId must be string or null, got:", typeof s["userId"]);
+  if (s["userId"] !== null && !isBoundedString(s["userId"], MAX_USER_ID)) {
+    console.warn("[PollarClient:session] Invalid session \u2014 userId must be string|null");
     return false;
   }
-  if (typeof s["status"] !== "string") {
-    console.warn("[PollarClient:session] Invalid session \u2014 status must be string, got:", typeof s["status"]);
+  if (!isBoundedString(s["status"], MAX_STATUS)) {
+    console.warn("[PollarClient:session] Invalid session \u2014 status must be string");
     return false;
   }
   const token = s["token"];
@@ -961,12 +1388,12 @@ function isValidSession(value) {
     return false;
   }
   const t = token;
-  if (typeof t["accessToken"] !== "string" || t["accessToken"] === "") {
-    console.warn("[PollarClient:session] Invalid session \u2014 token.accessToken missing or empty");
+  if (!isBoundedString(t["accessToken"], MAX_ACCESS_TOKEN)) {
+    console.warn("[PollarClient:session] Invalid session \u2014 token.accessToken missing/empty/too long");
     return false;
   }
-  if (typeof t["refreshToken"] !== "string" || t["refreshToken"] === "") {
-    console.warn("[PollarClient:session] Invalid session \u2014 token.refreshToken missing or empty");
+  if (!isBoundedString(t["refreshToken"], MAX_REFRESH_TOKEN)) {
+    console.warn("[PollarClient:session] Invalid session \u2014 token.refreshToken missing/empty/too long");
     return false;
   }
   if (typeof t["expiresAt"] !== "number" || !Number.isFinite(t["expiresAt"])) {
@@ -979,12 +1406,12 @@ function isValidSession(value) {
     return false;
   }
   const u = user;
-  if (u["id"] !== void 0 && typeof u["id"] !== "string") {
-    console.warn("[PollarClient:session] Invalid session \u2014 user.id must be string if present, got:", typeof u["id"]);
+  if (u["id"] !== void 0 && !isBoundedString(u["id"], MAX_USER_ID)) {
+    console.warn("[PollarClient:session] Invalid session \u2014 user.id must be string if present");
     return false;
   }
   if (typeof u["ready"] !== "boolean") {
-    console.warn("[PollarClient:session] Invalid session \u2014 user.ready must be boolean, got:", typeof u["ready"]);
+    console.warn("[PollarClient:session] Invalid session \u2014 user.ready must be boolean");
     return false;
   }
   const wallet = s["wallet"];
@@ -993,11 +1420,8 @@ function isValidSession(value) {
     return false;
   }
   const w = wallet;
-  if (w["publicKey"] !== null && typeof w["publicKey"] !== "string") {
-    console.warn(
-      "[PollarClient:session] Invalid session \u2014 wallet.publicKey must be string or null, got:",
-      typeof w["publicKey"]
-    );
+  if (w["publicKey"] !== null && !isBoundedString(w["publicKey"], MAX_WALLET_PUBLIC_KEY)) {
+    console.warn("[PollarClient:session] Invalid session \u2014 wallet.publicKey must be string|null");
     return false;
   }
   if (w["existsOnStellar"] !== void 0 && typeof w["existsOnStellar"] !== "boolean") {
@@ -1008,78 +1432,43 @@ function isValidSession(value) {
     console.warn("[PollarClient:session] Invalid session \u2014 wallet.createdAt must be a finite number if present");
     return false;
   }
-  const data = s["data"];
-  if (typeof data !== "object" || data === null) {
-    console.warn("[PollarClient:session] Invalid session \u2014 data missing or not an object");
-    return false;
-  }
-  const d = data;
-  for (const field of ["mail", "first_name", "last_name", "avatar"]) {
-    if (typeof d[field] !== "string") {
-      console.warn(`[PollarClient:session] Invalid session \u2014 data.${field} must be string, got:`, typeof d[field]);
-      return false;
-    }
-  }
-  const providers = d["providers"];
-  if (typeof providers !== "object" || providers === null) {
-    console.warn("[PollarClient:session] Invalid session \u2014 data.providers missing or not an object");
-    return false;
-  }
-  const p = providers;
-  const providerInnerField = { email: "address", google: "id", github: "id", wallet: "address" };
-  for (const [field, innerField] of Object.entries(providerInnerField)) {
-    const v = p[field];
-    if (v === null) continue;
-    if (typeof v !== "object") {
-      console.warn(`[PollarClient:session] Invalid session \u2014 data.providers.${field} must be object or null, got:`, typeof v);
-      return false;
-    }
-    const vObj = v;
-    if (typeof vObj[innerField] !== "string" || vObj[innerField] === "") {
-      console.warn(`[PollarClient:session] Invalid session \u2014 data.providers.${field}.${innerField} must be a non-empty string`);
-      return false;
-    }
-  }
   return true;
 }
-function readStorage() {
-  const raw = localStorage.getItem(STORAGE_KEY);
-  if (!raw) {
-    return null;
-  }
+async function readStorage(storage, apiKeyHash) {
+  const raw = await storage.get(sessionStorageKey(apiKeyHash));
+  if (!raw) return null;
   try {
     const session = JSON.parse(raw);
     if (!isValidSession(session)) {
-      localStorage.removeItem(STORAGE_KEY);
+      await storage.remove(sessionStorageKey(apiKeyHash));
       console.warn("[PollarClient:session] Stored session is invalid \u2014 clearing storage");
       return null;
     }
     if (session.token.expiresAt * 1e3 < Date.now()) {
-      localStorage.removeItem(STORAGE_KEY);
-      console.warn("[PollarClient:session] Session token has expired \u2014 clearing storage");
-      return null;
+      return session;
     }
     return session;
   } catch (error) {
     console.error("[PollarClient:session] Failed to parse session from storage", error);
-    localStorage.removeItem(STORAGE_KEY);
+    await storage.remove(sessionStorageKey(apiKeyHash));
     return null;
   }
 }
-function writeStorage(session) {
-  localStorage.setItem(STORAGE_KEY, JSON.stringify(session));
-  console.info("[PollarClient:session] Session written to storage");
+async function writeStorage(storage, apiKeyHash, session) {
+  await storage.set(sessionStorageKey(apiKeyHash), JSON.stringify(session));
 }
-function removeStorage() {
-  localStorage.removeItem(STORAGE_KEY);
-  localStorage.removeItem(WALLET_TYPE_KEY);
-  console.info("[PollarClient:session] Session removed from storage");
+async function removeStorage(storage, apiKeyHash) {
+  await storage.remove(sessionStorageKey(apiKeyHash));
+  await storage.remove(walletTypeStorageKey(apiKeyHash));
 }
-function writeWalletType(type) {
-  localStorage.setItem(WALLET_TYPE_KEY, type);
+async function writeWalletType(storage, apiKeyHash, type) {
+  if (type.length > MAX_WALLET_TYPE) {
+    throw new Error(`[PollarClient:session] walletType too long: ${type.length} > ${MAX_WALLET_TYPE}`);
+  }
+  await storage.set(walletTypeStorageKey(apiKeyHash), type);
 }
-function readWalletType() {
-  return localStorage.getItem(WALLET_TYPE_KEY);
+async function readWalletType(storage, apiKeyHash) {
+  return storage.get(walletTypeStorageKey(apiKeyHash));
 }
 // src/client/stream.ts
@@ -1096,7 +1485,14 @@ function abortableDelay(ms, signal) {
     );
   });
 }
+var MAX_BACKOFF_MS = 5e3;
 async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200, signal) {
+  let backoff = retryDelayMs;
+  const sleep = async (ms) => {
+    if (ms <= 0) return;
+    if (signal) await abortableDelay(ms, signal);
+    else await new Promise((r) => setTimeout(r, ms));
+  };
   while (true) {
     signal?.throwIfAborted();
     let data, error;
@@ -1111,13 +1507,14 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
       console.warn(e);
     }
     if (error || !data) {
-      if (signal) await abortableDelay(retryDelayMs, signal);
-      else await new Promise((r) => setTimeout(r, retryDelayMs));
+      await sleep(backoff);
+      backoff = Math.min(backoff * 2, MAX_BACKOFF_MS);
       continue;
     }
     const reader = data.getReader();
     const decoder = new TextDecoder();
     let streamDone = false;
+    let sawAnyChunk = false;
     try {
       while (true) {
         signal?.throwIfAborted();
@@ -1126,6 +1523,7 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
           streamDone = true;
           break;
         }
+        sawAnyChunk = true;
         const chunk = decoder.decode(value);
         for (const message of chunk.split("\n\n").filter(Boolean)) {
           const dataLine = message.split("\n").find((l) => l.startsWith("data:"));
@@ -1145,11 +1543,10 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
     } finally {
       reader.releaseLock();
     }
-    const delay = streamDone ? retryDelayMs : 0;
-    if (delay) {
-      if (signal) await abortableDelay(delay, signal);
-      else await new Promise((r) => setTimeout(r, delay));
-    }
+    if (sawAnyChunk) backoff = retryDelayMs;
+    else backoff = Math.min(backoff * 2, MAX_BACKOFF_MS);
+    const delay = streamDone ? backoff : 0;
+    if (delay) await sleep(delay);
   }
 }
@@ -1158,8 +1555,13 @@ async function authenticate(clientSessionId, deps, expectedWallet) {
   const { api, signal, setAuthState, storeSession, clearSession } = deps;
   setAuthState({ step: "authenticating" });
   await streamUntilFound(api, clientSessionId, (data2) => data2?.status === "READY", 200, signal);
+  const dpopJwk = await deps.getPublicJwk();
   const { data, error } = await api.POST("/auth/login", {
-    body: { clientSessionId },
+    body: {
+      clientSessionId,
+      dpopJwk,
+      ...deps.deviceLabel ? { deviceLabel: deps.deviceLabel } : {}
+    },
     signal
   });
   if (data?.code === "SDK_LOGIN_SUCCESS" && isValidSession(data?.content)) {
@@ -1269,9 +1671,17 @@ async function verifyAndAuthenticate(code, clientSessionId, email, deps) {
 }
 // src/client/auth/oauthFlow.ts
+function severOpener(popup) {
+  if (!popup) return;
+  try {
+    popup.opener = null;
+  } catch {
+  }
+}
 async function loginOAuth(provider, deps) {
   const { setAuthState, basePath, apiKey } = deps;
   const popup = window.open("about:blank", "_blank");
+  severOpener(popup);
   const clientSessionId = await createAuthSession(deps);
   if (!clientSessionId) {
     popup?.close();
@@ -1284,8 +1694,9 @@ async function loginOAuth(provider, deps) {
   url.searchParams.set("redirect_uri", window.location.origin);
   if (popup) {
     popup.location.href = url.toString();
+    severOpener(popup);
   } else {
-    window.open(url.toString(), "_blank");
+    window.open(url.toString(), "_blank", "noopener,noreferrer");
   }
   await authenticate(clientSessionId, deps);
 }
@@ -1310,7 +1721,7 @@ async function loginWallet(type, deps) {
   let connectedWallet;
   try {
     setAuthState({ step: "connecting_wallet", walletType: type });
-    const adapter = type === "freighter" /* FREIGHTER */ ? new FreighterAdapter() : new AlbedoAdapter();
+    const adapter = await deps.resolveWalletAdapter(type);
     const available = await withSignal(adapter.isAvailable(), signal);
     if (!available) {
       setAuthState({ step: "wallet_not_installed", walletType: type });
@@ -1354,7 +1765,26 @@ function warnServerSide(method) {
 }
 var PollarClient = class {
   constructor(config) {
+    /**
+     * Per-API-key storage namespace. Computed asynchronously inside
+     * `_initialize()` because SHA-256 lives behind `crypto.subtle.digest`.
+     * Accessing `apiKeyHash` before `await client.ready()` throws.
+     */
+    this._apiKeyHash = null;
     this._session = null;
+    this._profile = null;
+    /** Last `DPoP-Nonce` we saw from a server response. Carried into the next proof. */
+    this._dpopNonce = null;
+    /**
+     * Snapshot of each in-flight request's body, taken in `onRequest` before
+     * `fetch()` consumes the stream. Needed because `Request.clone()` throws
+     * once the body is disturbed, so the auto-retry path (DPoP nonce challenge
+     * / 401 refresh) must rebuild the request from scratch instead of cloning.
+     */
+    this._requestBodyCache = /* @__PURE__ */ new WeakMap();
+    /** Singleton in-flight refresh — concurrent 401s coalesce into one /auth/refresh call. */
+    this._refreshPromise = null;
+    this._storageEventHandler = null;
     this._transactionState = null;
     this._transactionStateListeners = /* @__PURE__ */ new Set();
     this._txHistoryState = { step: "idle" };
@@ -1370,33 +1800,213 @@ var PollarClient = class {
     this.apiKey = config.apiKey;
     this.id = crypto.randomUUID();
     this.basePath = `${config.baseUrl || "https://sdk.api.pollar.xyz"}/v1`;
+    this._storage = config.storage ?? defaultStorage(config.onStorageDegrade ? { onDegrade: config.onStorageDegrade } : void 0);
+    this._keyManager = config.keyManager ?? defaultKeyManager(this._storage, config.apiKey);
+    this._walletAdapterResolver = config.walletAdapter ?? null;
+    this._deviceLabel = config.deviceLabel;
     this._api = createApiClient(this.basePath);
+    this._wireMiddlewares();
+    this._networkState = { step: "connected", network: config.stellarNetwork ?? "testnet" };
+    if (!isBrowser) {
+      warnServerSide("constructor");
+      this._initialized = Promise.resolve();
+      return;
+    }
+    console.info(`[PollarClient] Initialized \u2014 endpoint: ${this.basePath}, network: ${this._networkState.network}`);
+    this._initialized = this._initialize();
+  }
+  /**
+   * Short SHA-256-derived namespace for this client's persisted state.
+   * Available after `await client.ready()` (or any awaited method); throws
+   * if read before initialization completes.
+   */
+  get apiKeyHash() {
+    if (this._apiKeyHash === null) {
+      throw new Error("[PollarClient] apiKeyHash is not available until client.ready() resolves");
+    }
+    return this._apiKeyHash;
+  }
+  /** Awaitable handle for the initial keypair + session restore. */
+  ready() {
+    return this._initialized;
+  }
+  // ─── Lifecycle ────────────────────────────────────────────────────────────
+  async _initialize() {
+    this._apiKeyHash = await hashApiKey(this.apiKey);
+    if (typeof window !== "undefined") {
+      const sessionKey = sessionStorageKey(this._apiKeyHash);
+      const handler = (e) => {
+        if (e.key === sessionKey) {
+          this._restoreSession().catch((err) => console.error("[PollarClient] Cross-tab restore failed", err));
+        }
+      };
+      window.addEventListener("storage", handler);
+      this._storageEventHandler = handler;
+    }
+    try {
+      await this._keyManager.init();
+    } catch (err) {
+      console.warn("[PollarClient] KeyManager init failed; DPoP unavailable for this session", err);
+    }
+    await this._restoreSession();
+  }
+  /** Detach the cross-tab storage listener and abort any in-flight login. */
+  destroy() {
+    if (this._storageEventHandler && typeof window !== "undefined") {
+      window.removeEventListener("storage", this._storageEventHandler);
+      this._storageEventHandler = null;
+    }
+    this._loginController?.abort();
+    this._loginController = null;
+  }
+  // ─── Middlewares (DPoP + auto-refresh) ────────────────────────────────────
+  _wireMiddlewares() {
     const self = this;
     this._api.use({
-      onRequest({ request }) {
-        request.headers.set("x-pollar-api-key", config.apiKey);
+      onRequest: async ({ request }) => {
+        request.headers.set("x-pollar-api-key", self.apiKey);
+        await self._initialized;
+        if (request.body !== null) {
+          try {
+            self._requestBodyCache.set(request, await request.clone().arrayBuffer());
+          } catch (err) {
+            console.warn("[PollarClient] Could not snapshot request body for retry", err);
+          }
+        }
+        const isRefresh = request.url.includes("/auth/refresh");
+        if (!isRefresh && self._refreshPromise) await self._refreshPromise;
+        if (isRefresh) {
+          const refreshProof = await self._buildProofForRequest(request, void 0);
+          if (refreshProof) request.headers.set("DPoP", refreshProof);
+          return request;
+        }
         const accessToken = self._session?.token?.accessToken;
-        if (accessToken) {
+        if (!accessToken) return request;
+        const proof = await self._buildProofForRequest(request, accessToken);
+        if (proof) {
+          request.headers.set("Authorization", `DPoP ${accessToken}`);
+          request.headers.set("DPoP", proof);
+        } else {
           request.headers.set("Authorization", `Bearer ${accessToken}`);
         }
         return request;
+      },
+      onResponse: async ({ request, response }) => {
+        const newNonce = response.headers.get("DPoP-Nonce");
+        if (newNonce) self._dpopNonce = newNonce;
+        if (response.status !== 401) return response;
+        if (request.url.includes("/auth/refresh")) return response;
+        const wwwAuth = response.headers.get("WWW-Authenticate") ?? "";
+        const isNonceChallenge = wwwAuth.includes("use_dpop_nonce");
+        if (!isNonceChallenge) {
+          try {
+            await self.refresh();
+          } catch {
+            return response;
+          }
+        }
+        return self._retryRequest(request);
       }
     });
-    this._networkState = { step: "connected", network: config.stellarNetwork ?? "testnet" };
-    if (!isBrowser) {
-      warnServerSide("constructor");
-      this._session = null;
-      return;
+  }
+  async _buildProofForRequest(request, accessToken) {
+    try {
+      const htu = request.url.split("?")[0].split("#")[0];
+      return await buildProof(
+        {
+          htm: request.method,
+          htu,
+          ...accessToken ? { accessToken } : {},
+          ...this._dpopNonce !== null ? { nonce: this._dpopNonce } : {}
+        },
+        this._keyManager
+      );
+    } catch (err) {
+      console.warn("[PollarClient] DPoP proof build failed", err);
+      return null;
     }
-    console.info(`[PollarClient] Initialized \u2014 endpoint: ${this.basePath}, network: ${this._networkState.network}`);
-    this._restoreSession();
-    window.addEventListener("storage", (e) => {
-      if (e.key === STORAGE_KEY) {
-        const prev = this._session;
-        console.info(`[PollarClient] Storage event \u2014 session ${this._session ? "updated" : prev ? "cleared" : "unchanged"}`);
-        this._restoreSession();
+  }
+  async _retryRequest(originalRequest) {
+    const headers = new Headers(originalRequest.headers);
+    const accessToken = this._session?.token?.accessToken;
+    if (accessToken) {
+      const proof = await this._buildProofForRequest(originalRequest, accessToken);
+      if (proof) {
+        headers.set("Authorization", `DPoP ${accessToken}`);
+        headers.set("DPoP", proof);
+      } else {
+        headers.set("Authorization", `Bearer ${accessToken}`);
       }
+    }
+    const cachedBody = this._requestBodyCache.get(originalRequest);
+    const retried = new Request(originalRequest.url, {
+      method: originalRequest.method,
+      headers,
+      body: cachedBody ?? null,
+      credentials: originalRequest.credentials,
+      mode: originalRequest.mode,
+      redirect: originalRequest.redirect,
+      referrer: originalRequest.referrer,
+      integrity: originalRequest.integrity
+    });
+    return fetch(retried);
+  }
+  // ─── Refresh (race-safe singleton) ───────────────────────────────────────
+  /**
+   * Coalesce concurrent refresh attempts. The first caller does the work;
+   * everyone else awaits the same promise and sees the new tokens.
+   */
+  refresh() {
+    if (this._refreshPromise) return this._refreshPromise;
+    this._refreshPromise = this._doRefresh().finally(() => {
+      this._refreshPromise = null;
     });
+    return this._refreshPromise;
+  }
+  async _doRefresh() {
+    const refreshToken = this._session?.token?.refreshToken;
+    if (!refreshToken) {
+      console.warn("[PollarClient] Refresh skipped: no refresh token in session");
+      await this._clearSession();
+      throw new Error("No refresh token available");
+    }
+    let data;
+    let error;
+    try {
+      const response = await this._api.POST("/auth/refresh", { body: { refreshToken } });
+      data = response.data;
+      error = response.error;
+    } catch (err) {
+      console.error("[PollarClient] /auth/refresh request threw", err);
+      await this._clearSession();
+      throw err;
+    }
+    if (error || !data) {
+      console.warn("[PollarClient] /auth/refresh returned error", { error });
+      await this._clearSession();
+      throw new Error("Refresh failed");
+    }
+    const successData = data;
+    if (!successData.success || !successData.content?.token) {
+      console.warn("[PollarClient] /auth/refresh response malformed", successData);
+      await this._clearSession();
+      throw new Error("Refresh response malformed");
+    }
+    const newToken = successData.content.token;
+    if (typeof newToken.accessToken !== "string" || typeof newToken.refreshToken !== "string" || typeof newToken.expiresAt !== "number") {
+      console.warn("[PollarClient] /auth/refresh token shape invalid", newToken);
+      await this._clearSession();
+      throw new Error("Refresh response token shape invalid");
+    }
+    if (this._session) {
+      try {
+        this._session = { ...this._session, token: newToken };
+        await writeStorage(this._storage, this.apiKeyHash, this._session);
+        console.info("[PollarClient] Tokens refreshed");
+      } catch (err) {
+        console.error("[PollarClient] Failed to persist refreshed session", err);
+      }
+    }
   }
   // ─── Auth state ──────────────────────────────────────────────────────────────
   getAuthState() {
@@ -1407,6 +2017,10 @@ var PollarClient = class {
     cb(this._authState);
     return () => this._authStateListeners.delete(cb);
   }
+  /** PII (email, names, avatar, providers). Held in memory only — never persisted. */
+  getUserProfile() {
+    return this._profile;
+  }
   // ─── Login (unified entry point) ─────────────────────────────────────────
   login(options) {
     if (!isBrowser) {
@@ -1488,13 +2102,80 @@ var PollarClient = class {
     this._setAuthState({ step: "idle" });
   }
   // ─── Logout ───────────────────────────────────────────────────────────────
-  logout() {
+  /**
+   * Revoke the current session server-side, then clear local storage.
+   *
+   * Server revocation is best-effort: if the POST fails (offline, server
+   * down), local state is wiped regardless. The orphan refresh token then
+   * remains unused until its natural expiry. The in-flight access token
+   * stays valid until its own TTL elapses (≤10 min for DPoP-bound tokens).
+   *
+   * Pass `everywhere: true` to revoke every active session for this user
+   * across all devices.
+   */
+  async logout(options = {}) {
     if (!isBrowser) {
       warnServerSide("logout");
       return;
     }
-    console.info("[PollarClient] Logout requested");
-    this._clearSession();
+    console.info("[PollarClient] Logout requested", { everywhere: !!options.everywhere });
+    if (this._session?.token?.accessToken) {
+      try {
+        await this._api.POST("/auth/logout", {
+          body: options.everywhere ? { everywhere: true } : {}
+        });
+      } catch (err) {
+        console.warn("[PollarClient] Server logout failed (continuing with local clear)", err);
+      }
+    }
+    try {
+      await this._clearSession();
+    } catch (err) {
+      console.warn("[PollarClient] Local logout cleanup failed", err);
+    }
+  }
+  /** Convenience: revoke every active session for this user (all devices). */
+  logoutEverywhere() {
+    return this.logout({ everywhere: true });
+  }
+  /**
+   * List active sessions for the authenticated user. Returns one entry per
+   * refresh-token family with the metadata captured at issuance time. The
+   * `current` flag identifies which entry corresponds to this client.
+   */
+  async listSessions() {
+    if (!isBrowser) {
+      warnServerSide("listSessions");
+      return [];
+    }
+    if (!this._session?.token?.accessToken) {
+      throw new Error("[PollarClient] listSessions requires an authenticated session");
+    }
+    const { data, error } = await this._api.GET("/auth/sessions");
+    if (error || !data?.success) {
+      throw new Error("[PollarClient] Failed to list sessions");
+    }
+    return data.content.sessions;
+  }
+  /**
+   * Revoke a specific refresh-token family (a single device session). Use
+   * `listSessions` to enumerate the familyIds. Revoking the current session
+   * does NOT clear local state — call `logout()` for that case.
+   */
+  async revokeSession(familyId) {
+    if (!isBrowser) {
+      warnServerSide("revokeSession");
+      return;
+    }
+    if (!this._session?.token?.accessToken) {
+      throw new Error("[PollarClient] revokeSession requires an authenticated session");
+    }
+    const { error } = await this._api.DELETE("/auth/sessions/{familyId}", {
+      params: { path: { familyId } }
+    });
+    if (error) {
+      throw new Error("[PollarClient] Failed to revoke session");
+    }
   }
   // ─── Network ──────────────────────────────────────────────────────────────
   getNetwork() {
@@ -1593,7 +2274,8 @@ var PollarClient = class {
         const details = error?.details;
         this._setTransactionState({ step: "error", ...details && { details } });
       }
-    } catch {
+    } catch (err) {
+      console.error("[PollarClient] buildTx failed", err);
       this._setTransactionState({ step: "error" });
     }
   }
@@ -1603,10 +2285,9 @@ var PollarClient = class {
   async signAndSubmitTx(unsignedXdr) {
     const state = this._transactionState;
     const buildData = state?.step === "built" ? state.buildData : state?.step === "error" ? state.buildData : void 0;
-    const isBuiltFlow = !!buildData;
     const stateExtra = buildData ? { buildData } : { external: true };
     this._setTransactionState({ step: "signing", ...stateExtra });
-    const accountToSign = isBuiltFlow ? this._session?.wallet?.publicKey : this._session?.data?.providers?.wallet?.address ?? this._session?.wallet?.publicKey;
+    const accountToSign = this._session?.wallet?.publicKey;
     if (this._walletAdapter) {
       try {
         const signOpts = accountToSign ? { networkPassphrase: this._networkPassphrase(), accountToSign } : { networkPassphrase: this._networkPassphrase() };
@@ -1682,6 +2363,13 @@ var PollarClient = class {
   pollRampTransaction(txId, opts) {
     return pollRampTransaction(this._api, txId, opts);
   }
+  // ─── Distribution ─────────────────────────────────────────────────────────
+  listDistributionRules() {
+    return listDistributionRules(this._api);
+  }
+  claimDistributionRule(body) {
+    return claimDistributionRule(this._api, body);
+  }
   _setTxHistoryState(next) {
     this._txHistoryState = next;
     for (const cb of this._txHistoryStateListeners) cb(next);
@@ -1691,13 +2379,11 @@ var PollarClient = class {
     for (const cb of this._walletBalanceStateListeners) cb(next);
   }
   // ─── Private ──────────────────────────────────────────────────────────────
-  /** Creates a new AbortController, cancelling any existing flow first. */
   _newController() {
     this._loginController?.abort();
     this._loginController = new AbortController();
     return this._loginController;
   }
-  /** Builds the deps object passed to flow functions via bind pattern. */
   _flowDeps(signal) {
     return {
       api: this._api,
@@ -1705,12 +2391,31 @@ var PollarClient = class {
       setAuthState: this._setAuthState.bind(this),
       storeSession: this._storeSession.bind(this),
       clearSession: this._clearSession.bind(this),
-      storeWalletAdapter: (adapter, type) => {
+      getPublicJwk: () => this._keyManager.getPublicJwk(),
+      resolveWalletAdapter: (id) => this._resolveWalletAdapter(id),
+      storeWalletAdapter: async (adapter, id) => {
         this._walletAdapter = adapter;
-        writeWalletType(type);
-      }
+        await writeWalletType(this._storage, this.apiKeyHash, id);
+      },
+      ...this._deviceLabel ? { deviceLabel: this._deviceLabel } : {}
     };
   }
+  /**
+   * Resolves a wallet adapter for the requested id. Uses the consumer's
+   * injected `walletAdapter` resolver when present; otherwise falls back to
+   * the built-in `FreighterAdapter` / `AlbedoAdapter`. Throws if the id is
+   * unknown and no resolver is configured.
+   */
+  async _resolveWalletAdapter(id) {
+    if (this._walletAdapterResolver) {
+      return Promise.resolve(this._walletAdapterResolver(id));
+    }
+    if (id === "freighter" /* FREIGHTER */) return new FreighterAdapter();
+    if (id === "albedo" /* ALBEDO */) return new AlbedoAdapter();
+    throw new Error(
+      `[PollarClient] No wallet adapter configured for "${id}". Pass a walletAdapter resolver in PollarClientConfig.`
+    );
+  }
   _handleFlowError(error) {
     if (error instanceof Error && error.name === "AbortError") {
       console.info("[PollarClient] Login cancelled");
@@ -1725,34 +2430,58 @@ var PollarClient = class {
       errorCode: AUTH_ERROR_CODES.UNEXPECTED_ERROR
     });
   }
-  _restoreSession() {
-    this._session = readStorage();
+  async _restoreSession() {
+    this._session = await readStorage(this._storage, this.apiKeyHash);
     if (this._session) {
-      this._authState = { step: "authenticated", session: this._session };
-      if (this._session.data?.providers?.wallet?.address) {
-        const storedType = readWalletType();
-        if (storedType === "freighter" /* FREIGHTER */) {
-          this._walletAdapter = new FreighterAdapter();
-        } else if (storedType === "albedo" /* ALBEDO */) {
-          this._walletAdapter = new AlbedoAdapter();
+      const storedType = await readWalletType(this._storage, this.apiKeyHash);
+      if (storedType) {
+        try {
+          this._walletAdapter = await this._resolveWalletAdapter(storedType);
+        } catch (err) {
+          console.warn("[PollarClient] Could not restore wallet adapter for stored id", { id: storedType, err });
         }
       }
       console.info("[PollarClient] Session restored from storage");
+      this._setAuthState({ step: "authenticated", session: this._session });
     } else {
       console.info("[PollarClient] No session in storage");
     }
   }
-  _storeSession(session) {
-    console.info(`[PollarClient] Session stored \u2014 user: ${session.userId ?? "anonymous"}`);
-    this._session = session;
-    writeStorage(session);
-    this._setAuthState({ step: "authenticated", session });
+  async _storeSession(session) {
+    console.info("[PollarClient] Session stored");
+    const persisted = {
+      clientSessionId: session.clientSessionId,
+      userId: session.userId ?? null,
+      status: session.status,
+      token: session.token,
+      user: session.user,
+      wallet: session.wallet
+    };
+    this._session = persisted;
+    if (session.data) {
+      this._profile = {
+        mail: session.data.mail,
+        first_name: session.data.first_name,
+        last_name: session.data.last_name,
+        avatar: session.data.avatar,
+        providers: session.data.providers
+      };
+    }
+    await writeStorage(this._storage, this.apiKeyHash, persisted);
+    this._setAuthState({ step: "authenticated", session: persisted });
   }
-  _clearSession() {
+  async _clearSession() {
     console.info("[PollarClient] Session cleared");
     this._session = null;
+    this._profile = null;
     this._walletAdapter = null;
-    removeStorage();
+    this._dpopNonce = null;
+    try {
+      await this._keyManager.reset();
+    } catch (err) {
+      console.warn("[PollarClient] KeyManager reset failed during clearSession", err);
+    }
+    await removeStorage(this._storage, this.apiKeyHash);
     this._transactionState = null;
     this._setAuthState({ step: "idle" });
   }
@@ -1777,19 +2506,33 @@ var PollarClient = class {
   }
 };
+// src/index.ts
+_setDefaultKeyManagerFactory((_storage, apiKey) => new WebCryptoKeyManager(apiKey));
 exports.AUTH_ERROR_CODES = AUTH_ERROR_CODES;
 exports.AlbedoAdapter = AlbedoAdapter;
 exports.FreighterAdapter = FreighterAdapter;
 exports.PollarClient = PollarClient;
 exports.StellarClient = StellarClient;
 exports.WalletType = WalletType;
+exports.WebCryptoKeyManager = WebCryptoKeyManager;
+exports.buildProof = buildProof;
+exports.canonicalEcJwk = canonicalEcJwk;
+exports.claimDistributionRule = claimDistributionRule;
+exports.computeJwkThumbprint = computeJwkThumbprint;
+exports.createLocalStorageAdapter = createLocalStorageAdapter;
+exports.createMemoryAdapter = createMemoryAdapter;
 exports.createOffRamp = createOffRamp;
 exports.createOnRamp = createOnRamp;
+exports.defaultKeyManager = defaultKeyManager;
+exports.defaultStorage = defaultStorage;
 exports.getKycProviders = getKycProviders;
 exports.getKycStatus = getKycStatus;
 exports.getRampTransaction = getRampTransaction;
 exports.getRampsQuote = getRampsQuote;
 exports.isValidSession = isValidSession;
+exports.listDistributionRules = listDistributionRules;
+exports.normalizeHtu = normalizeHtu;
 exports.pollKycStatus = pollKycStatus;
 exports.pollRampTransaction = pollRampTransaction;
 exports.resolveKyc = resolveKyc;