@pollar/core 0.8.1 → 0.9.0-rc.0

package/dist/index.js

@@ -1,5 +1,7 @@
 'use strict';
 
+var sha2 = require('@noble/hashes/sha2');
+
 var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -185,20 +187,6 @@ function defaultKeyManager(storage, apiKey) {
   return _factory(storage, apiKey);
 }
 
-// src/lib/sha256.ts
-async function sha256(data) {
-  const buf = await crypto.subtle.digest("SHA-256", data);
-  return new Uint8Array(buf);
-}
-
-// src/lib/api-key-hash.ts
-async function hashApiKey(apiKey) {
-  const digest = await sha256(new TextEncoder().encode(apiKey));
-  let hex = "";
-  for (let i = 0; i < 4; i++) hex += digest[i].toString(16).padStart(2, "0");
-  return hex;
-}
-
 // src/lib/base64url.ts
 var ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
 (() => {
@@ -235,6 +223,17 @@ function base64urlEncode(bytes) {
 function base64urlEncodeString(s) {
   return base64urlEncode(new TextEncoder().encode(s));
 }
+async function sha256(data) {
+  return sha2.sha256(data);
+}
+
+// src/lib/api-key-hash.ts
+async function hashApiKey(apiKey) {
+  const digest = await sha256(new TextEncoder().encode(apiKey));
+  let hex = "";
+  for (let i = 0; i < 4; i++) hex += digest[i].toString(16).padStart(2, "0");
+  return hex;
+}
 
 // src/keys/thumbprint.ts
 async function computeJwkThumbprint(jwk) {
@@ -245,11 +244,14 @@ async function computeJwkThumbprint(jwk) {
   const digest = await sha256(new TextEncoder().encode(canonical));
   return base64urlEncode(digest);
 }
+function toBase64url(value) {
+  return value.replace(/\+/g, "-").replace(/\//g, "_").replace(/[^A-Za-z0-9_-]/g, "");
+}
 function canonicalEcJwk(jwk) {
   if (jwk.kty !== "EC" || jwk.crv !== "P-256" || typeof jwk.x !== "string" || typeof jwk.y !== "string") {
     throw new Error("[PollarClient:thumbprint] Source JWK is not an EC P-256 public key");
   }
-  return { kty: "EC", crv: "P-256", x: jwk.x, y: jwk.y };
+  return { kty: "EC", crv: "P-256", x: toBase64url(jwk.x), y: toBase64url(jwk.y) };
 }
 
 // src/keys/web-crypto.ts
@@ -263,7 +265,7 @@ function openDb() {
       return;
     }
     const req = indexedDB.open(DB_NAME, DB_VERSION);
-    req.onerror = () => reject(req.error ?? new Error("IDB open failed"));
+    req.onerror = () => reject(req.error ?? new Error("[PollarClient:keys] IDB open failed"));
     req.onsuccess = () => resolve(req.result);
     req.onupgradeneeded = () => {
       const db = req.result;
@@ -276,7 +278,7 @@ function openDb() {
 function awaitTx(req) {
   return new Promise((resolve, reject) => {
     req.onsuccess = () => resolve(req.result);
-    req.onerror = () => reject(req.error ?? new Error("IDB request failed"));
+    req.onerror = () => reject(req.error ?? new Error("[PollarClient:keys] IDB request failed"));
   });
 }
 async function dbGet(key) {
@@ -371,10 +373,39 @@ var WebCryptoKeyManager = class {
       }
     }
     this.keyPair = pair;
-    const exported = await globalThis.crypto.subtle.exportKey("jwk", pair.publicKey);
-    this.publicJwk = canonicalEcJwk(exported);
+    this.publicJwk = await this._exportPublicJwk(pair.publicKey);
     this.thumbprint = await computeJwkThumbprint(this.publicJwk);
   }
+  /**
+   * Derive the public JWK from a `CryptoKey`. Prefers the `'raw'` export (the
+   * 65-byte uncompressed point `0x04 || X(32) || Y(32)`) and base64url-encodes
+   * the coordinates ourselves — that sidesteps polyfills whose `exportKey('jwk')`
+   * emits non-base64url `x`/`y` (standard base64, `=` padding, or — as seen with
+   * `react-native-quick-crypto` — a stray `.`). Real browsers and most polyfills
+   * support `'raw'` for public EC keys.
+   *
+   * Falls back to the `'jwk'` export (normalized via `canonicalEcJwk`) if `'raw'`
+   * is unsupported or returns an unexpected shape, so this can't regress on a
+   * runtime that only implements the JWK path. Both routes yield identical
+   * coordinate bytes, so the `cnf.jkt` thumbprint is unchanged either way.
+   */
+  async _exportPublicJwk(publicKey) {
+    try {
+      const raw = new Uint8Array(await globalThis.crypto.subtle.exportKey("raw", publicKey));
+      if (raw.length !== 65 || raw[0] !== 4) {
+        throw new Error(`[PollarClient:keys] Unexpected raw EC point (len=${raw.length}, tag=${raw[0]})`);
+      }
+      return {
+        kty: "EC",
+        crv: "P-256",
+        x: base64urlEncode(raw.slice(1, 33)),
+        y: base64urlEncode(raw.slice(33, 65))
+      };
+    } catch {
+      const jwk = await globalThis.crypto.subtle.exportKey("jwk", publicKey);
+      return canonicalEcJwk(jwk);
+    }
+  }
   async reset() {
     try {
       if (this.apiKeyHash) await dbDelete(this.apiKeyHash);
@@ -1132,6 +1163,9 @@ function defaultStorage(options = {}) {
   return createLocalStorageAdapter(options);
 }
 
+// src/version.ts
+var POLLAR_CORE_VERSION = "0.9.0-rc.0" ;
+
 // src/visibility/noop.ts
 function createNoopVisibilityProvider() {
   return {
@@ -1196,6 +1230,7 @@ var AUTH_ERROR_CODES = {
   WALLET_CONNECT_FAILED: "WALLET_CONNECT_FAILED",
   WALLET_AUTH_FAILED: "WALLET_AUTH_FAILED",
   WALLET_RESOLVER_TIMEOUT: "WALLET_RESOLVER_TIMEOUT",
+  PASSKEY_FAILED: "PASSKEY_FAILED",
   UNEXPECTED_ERROR: "UNEXPECTED_ERROR"
 };
 var PollarFlowError = class extends Error {
@@ -1241,7 +1276,7 @@ var FreighterAdapter = class {
     if (!userInfo?.publicKey) {
       throw new Error("Failed to get user information from Freighter");
     }
-    return { address: userInfo.publicKey, publicKey: userInfo.publicKey };
+    return { address: userInfo.publicKey };
   }
   async disconnect() {
   }
@@ -1279,6 +1314,19 @@ var FreighterAdapter = class {
 };
 
 // src/wallets/AlbedoAdapter.ts
+var PUBLIC_PASSPHRASE = "Public Global Stellar Network ; September 2015";
+var TESTNET_PASSPHRASE = "Test SDF Network ; September 2015";
+function albedoNetwork(options, fallback) {
+  switch (options?.networkPassphrase) {
+    case PUBLIC_PASSPHRASE:
+      return "public";
+    case TESTNET_PASSPHRASE:
+      return "testnet";
+  }
+  if (options?.network === "public" || options?.network === "mainnet") return "public";
+  if (options?.network === "testnet") return "testnet";
+  return fallback;
+}
 function openAlbedoPopup(url) {
   const popup = window.open(url, "albedo", "width=420,height=720,resizable=yes,scrollbars=yes");
   if (!popup) {
@@ -1317,7 +1365,13 @@ function waitForAlbedoResult() {
   });
 }
 var AlbedoAdapter = class {
-  constructor() {
+  /**
+   * Network used for `connect` and `signAuthEntry` (which carry no per-call
+   * network) and as the fallback for `signTransaction`. Defaults to `'testnet'`
+   * to preserve the previous behavior when constructed with no argument.
+   */
+  constructor(network = "testnet") {
+    this.network = network;
     this.type = "albedo" /* ALBEDO */;
   }
   async isAvailable() {
@@ -1327,7 +1381,7 @@ var AlbedoAdapter = class {
     const url = new URL("https://albedo.link");
     url.searchParams.set("intent", "public-key");
     url.searchParams.set("app_name", "Pollar");
-    url.searchParams.set("network", "testnet");
+    url.searchParams.set("network", this.network);
     url.searchParams.set("callback", `${window.location.origin}/albedo-callback`);
     url.searchParams.set("origin", window.location.origin);
     openAlbedoPopup(url.toString());
@@ -1335,7 +1389,7 @@ var AlbedoAdapter = class {
     if (!result.pubkey) {
       throw new Error("Albedo connection rejected");
     }
-    return { address: result.pubkey, publicKey: result.pubkey };
+    return { address: result.pubkey };
   }
   async disconnect() {
   }
@@ -1345,12 +1399,12 @@ var AlbedoAdapter = class {
   async getNetwork() {
     throw new Error("Albedo does not expose network");
   }
-  async signTransaction(xdr, _options) {
+  async signTransaction(xdr, options) {
     const url = new URL("https://albedo.link");
     url.searchParams.set("intent", "tx");
     url.searchParams.set("xdr", xdr);
     url.searchParams.set("app_name", "Pollar");
-    url.searchParams.set("network", "testnet");
+    url.searchParams.set("network", albedoNetwork(options, this.network));
     url.searchParams.set("callback", window.location.href);
     url.searchParams.set("origin", window.location.origin);
     window.location.href = url.toString();
@@ -1363,7 +1417,7 @@ var AlbedoAdapter = class {
     url.searchParams.set("intent", "sign-auth-entry");
     url.searchParams.set("xdr", entryXdr);
     url.searchParams.set("app_name", "Pollar");
-    url.searchParams.set("network", "testnet");
+    url.searchParams.set("network", this.network);
     url.searchParams.set("callback", window.location.href);
     url.searchParams.set("origin", window.location.origin);
     window.location.href = url.toString();
@@ -1450,8 +1504,12 @@ function isValidSession(value) {
     return false;
   }
   const w = wallet;
-  if (w["publicKey"] !== null && !isBoundedString(w["publicKey"], MAX_WALLET_PUBLIC_KEY)) {
-    console.warn("[PollarClient:session] Invalid session \u2014 wallet.publicKey must be string|null");
+  if (w["type"] !== "custodial" && w["type"] !== "smart" && w["type"] !== "external") {
+    console.warn("[PollarClient:session] Invalid session \u2014 wallet.type must be custodial|smart|external");
+    return false;
+  }
+  if (w["address"] !== null && !isBoundedString(w["address"], MAX_WALLET_PUBLIC_KEY)) {
+    console.warn("[PollarClient:session] Invalid session \u2014 wallet.address must be string|null");
     return false;
   }
   if (w["existsOnStellar"] !== void 0 && typeof w["existsOnStellar"] !== "boolean") {
@@ -1462,6 +1520,10 @@ function isValidSession(value) {
     console.warn("[PollarClient:session] Invalid session \u2014 wallet.createdAt must be a finite number if present");
     return false;
   }
+  if (w["linkedAt"] !== void 0 && (typeof w["linkedAt"] !== "number" || !Number.isFinite(w["linkedAt"]))) {
+    console.warn("[PollarClient:session] Invalid session \u2014 wallet.linkedAt must be a finite number if present");
+    return false;
+  }
   return true;
 }
 async function readStorage(storage, apiKeyHash) {
@@ -1469,6 +1531,12 @@ async function readStorage(storage, apiKeyHash) {
   if (!raw) return null;
   try {
     const session = JSON.parse(raw);
+    if (typeof session === "object" && session !== null) {
+      const w = session.wallet;
+      if (w && w["address"] == null && typeof w["publicKey"] === "string") {
+        w["address"] = w["publicKey"];
+      }
+    }
     if (!isValidSession(session)) {
       await storage.remove(sessionStorageKey(apiKeyHash));
       console.warn("[PollarClient:session] Stored session is invalid \u2014 clearing storage");
@@ -1559,7 +1627,7 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
       }));
     } catch (e) {
       if (e instanceof Error && e.name === "AbortError") throw e;
-      console.warn(e);
+      console.warn("[PollarClient:stream] session-status request failed; will retry", e);
     }
     if (error || !data) {
       await sleep(backoff);
@@ -1599,7 +1667,7 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
     } catch (e) {
       if (e instanceof Error && e.name === "AbortError") throw e;
       if (e instanceof SessionStatusError) throw e;
-      console.warn(e);
+      console.warn("[PollarClient:stream] session-status stream read failed; will retry", e);
     } finally {
       reader.releaseLock();
     }
@@ -1627,7 +1695,7 @@ async function pollUntilFound(baseUrl, clientSessionId, check, intervalMs = 500,
       envelope = await response.json().catch(() => null);
     } catch (e) {
       if (e instanceof Error && e.name === "AbortError") throw e;
-      console.warn(e);
+      console.warn("[PollarClient:stream] session-status poll failed; will retry", e);
     }
     if (httpStatus === 404 || envelope?.code === "INVALID_CLIENT_SESSION_ID") {
       throw new SessionStatusError("INVALID_CLIENT_SESSION_ID");
@@ -1831,6 +1899,55 @@ async function loginOAuth(provider, deps) {
   await authenticate(clientSessionId, deps);
 }
 
+// src/client/auth/passkeyFlow.ts
+async function loginSmartWallet(deps) {
+  const { api, signal, setAuthState, passkey } = deps;
+  if (!passkey) {
+    setAuthState({
+      step: "error",
+      previousStep: "creating_session",
+      message: "Passkey support is not configured",
+      errorCode: AUTH_ERROR_CODES.PASSKEY_FAILED
+    });
+    return;
+  }
+  const clientSessionId = await createAuthSession(deps);
+  if (!clientSessionId) return;
+  try {
+    const { data: challengeData } = await api.POST("/auth/passkey/challenge", {
+      body: { clientSessionId },
+      signal
+    });
+    const challenge = challengeData?.content?.challenge;
+    if (!challengeData?.success || !challenge) {
+      return failPasskey(setAuthState, "Failed to start passkey");
+    }
+    setAuthState({ step: "creating_passkey" });
+    const ceremony = await passkey({ challenge });
+    const response = ceremony.response;
+    if (ceremony.kind === "register") {
+      setAuthState({ step: "deploying_smart_account" });
+      const { data } = await api.POST("/auth/passkey/register", {
+        body: { clientSessionId, response },
+        signal
+      });
+      if (!data?.success) return failPasskey(setAuthState, "Passkey registration failed");
+    } else {
+      const { data } = await api.POST("/auth/passkey/login", {
+        body: { clientSessionId, response },
+        signal
+      });
+      if (!data?.success) return failPasskey(setAuthState, "Passkey authentication failed");
+    }
+  } catch {
+    return failPasskey(setAuthState, "Passkey login failed");
+  }
+  await authenticate(clientSessionId, deps);
+}
+function failPasskey(setAuthState, message) {
+  setAuthState({ step: "error", previousStep: "creating_passkey", message, errorCode: AUTH_ERROR_CODES.PASSKEY_FAILED });
+}
+
 // src/client/auth/walletFlow.ts
 function withSignal(promise, signal) {
   return Promise.race([
@@ -1857,12 +1974,12 @@ async function loginWallet(type, deps) {
       setAuthState({ step: "wallet_not_installed", walletType: type });
       return;
     }
-    const { publicKey } = await withSignal(adapter.connect(), signal);
-    connectedWallet = publicKey;
+    const { address } = await withSignal(adapter.connect(), signal);
+    connectedWallet = address;
     deps.storeWalletAdapter(adapter, type);
     setAuthState({ step: "authenticating_wallet" });
     const { data: walletData, error: walletError } = await api.POST("/auth/wallet", {
-      body: { clientSessionId, walletAddress: publicKey },
+      body: { clientSessionId, walletAddress: address },
       signal
     });
     if (walletError || !walletData?.success) {
@@ -1927,8 +2044,12 @@ var PollarClient = class {
     this._transactionStateListeners = /* @__PURE__ */ new Set();
     this._txHistoryState = { step: "idle" };
     this._txHistoryStateListeners = /* @__PURE__ */ new Set();
+    this._sessionsState = { step: "idle" };
+    this._sessionsStateListeners = /* @__PURE__ */ new Set();
     this._walletBalanceState = { step: "idle" };
     this._walletBalanceStateListeners = /* @__PURE__ */ new Set();
+    this._enabledAssetsState = { step: "idle" };
+    this._enabledAssetsStateListeners = /* @__PURE__ */ new Set();
     this._authState = { step: "idle" };
     this._authStateListeners = /* @__PURE__ */ new Set();
     this._networkState = { step: "idle" };
@@ -1944,6 +2065,8 @@ var PollarClient = class {
     this._storageDegradeListeners = /* @__PURE__ */ new Set();
     this._walletAdapter = null;
     this._loginController = null;
+    /** Aborts an in-flight `/auth/session/resume` on destroy() or re-trigger. */
+    this._resumeController = null;
     this.apiKey = config.apiKey;
     this.id = randomUUID();
     this.basePath = `${config.baseUrl || "https://sdk.api.pollar.xyz"}/v1`;
@@ -1956,6 +2079,8 @@ var PollarClient = class {
     this._keyManager = config.keyManager ?? defaultKeyManager(this._storage, config.apiKey);
     this._walletAdapterResolver = config.walletAdapter ?? null;
     this._walletResolverTimeoutMs = config.walletResolverTimeoutMs ?? 5e3;
+    this._passkey = config.passkey ?? null;
+    this._passkeySign = config.passkeySign ?? null;
     this._deviceLabel = config.deviceLabel;
     this._visibilityProvider = config.visibilityProvider ?? defaultVisibilityProvider();
     this._maxIdleMs = config.maxIdleMs;
@@ -1969,7 +2094,9 @@ var PollarClient = class {
       this._initialized = Promise.resolve();
       return;
     }
-    console.info(`[PollarClient] Initialized \u2014 endpoint: ${this.basePath}, network: ${this._networkState.network}`);
+    console.info(
+      `[PollarClient] Initialized v${POLLAR_CORE_VERSION} \u2014 endpoint: ${this.basePath}, network: ${this._networkState.network}`
+    );
     this._initialized = this._initialize();
   }
   /**
@@ -2007,7 +2134,11 @@ var PollarClient = class {
     }
     await this._restoreSession();
     this._visibilityUnsubscribe = this._visibilityProvider.onChange((visible) => {
-      if (visible) void this._maybeProactiveRefresh();
+      if (!visible) return;
+      void this._maybeProactiveRefresh();
+      if (this._authState.step === "authenticated" && !this._authState.verified) {
+        void this._resume();
+      }
     });
   }
   /** Detach the cross-tab storage listener and abort any in-flight login. */
@@ -2018,6 +2149,8 @@ var PollarClient = class {
     }
     this._loginController?.abort();
     this._loginController = null;
+    this._resumeController?.abort();
+    this._resumeController = null;
     this._clearRefreshTimer();
     if (this._visibilityUnsubscribe) {
       this._visibilityUnsubscribe();
@@ -2032,7 +2165,9 @@ var PollarClient = class {
         request.headers.set("x-pollar-api-key", self.apiKey);
         self._lastRequestAt = Date.now();
         await self._initialized;
-        if (request.body !== null) {
+        const cacheMethod = request.method.toUpperCase();
+        const cacheBodyAllowed = cacheMethod !== "GET" && cacheMethod !== "HEAD";
+        if (cacheBodyAllowed && request.body != null) {
           try {
             self._requestBodyCache.set(request, await request.clone().arrayBuffer());
           } catch (err) {
@@ -2119,7 +2254,9 @@ var PollarClient = class {
         }
       }
     }
-    const cachedBody = this._requestBodyCache.get(originalRequest);
+    const retryMethod = originalRequest.method.toUpperCase();
+    const retryBodyAllowed = retryMethod !== "GET" && retryMethod !== "HEAD";
+    const cachedBody = retryBodyAllowed ? this._requestBodyCache.get(originalRequest) : void 0;
     const retried = new Request(originalRequest.url, {
       method: originalRequest.method,
       headers,
@@ -2163,19 +2300,26 @@ var PollarClient = class {
       throw err;
     }
     if (error || !data) {
-      console.warn("[PollarClient] /auth/refresh returned error", { error });
+      console.error("[PollarClient] /auth/refresh returned error", { error });
       await this._clearSession();
       throw new Error("Refresh failed");
     }
     const successData = data;
     if (!successData.success || !successData.content?.token) {
-      console.warn("[PollarClient] /auth/refresh response malformed", successData);
+      console.error("[PollarClient] /auth/refresh response malformed", {
+        success: successData.success,
+        hasToken: !!successData.content?.token
+      });
       await this._clearSession();
       throw new Error("Refresh response malformed");
     }
     const newToken = successData.content.token;
     if (typeof newToken.accessToken !== "string" || typeof newToken.refreshToken !== "string" || typeof newToken.expiresAt !== "number") {
-      console.warn("[PollarClient] /auth/refresh token shape invalid", newToken);
+      console.error("[PollarClient] /auth/refresh token shape invalid", {
+        accessToken: typeof newToken.accessToken,
+        refreshToken: typeof newToken.refreshToken,
+        expiresAt: typeof newToken.expiresAt
+      });
       await this._clearSession();
       throw new Error("Refresh response token shape invalid");
     }
@@ -2369,6 +2513,19 @@ var PollarClient = class {
     const controller = this._newController();
     loginWallet(type, this._flowDeps(controller.signal)).catch((err) => this._handleFlowError(err));
   }
+  /**
+   * "Smart Wallet" login: runs the passkey (WebAuthn) ceremony and, for a new
+   * user, creates a sponsored smart-account C-address. Requires the `passkey`
+   * ceremony to be configured (e.g. via `@pollar/react`).
+   */
+  loginSmartWallet() {
+    if (!isClientRuntime) {
+      warnServerSide("loginSmartWallet");
+      return;
+    }
+    const controller = this._newController();
+    loginSmartWallet(this._flowDeps(controller.signal)).catch((err) => this._handleFlowError(err));
+  }
   // ─── Cancel ───────────────────────────────────────────────────────────────
   cancelLogin() {
     this._loginController?.abort();
@@ -2431,6 +2588,29 @@ var PollarClient = class {
     }
     return data.content.sessions;
   }
+  getSessionsState() {
+    return this._sessionsState;
+  }
+  onSessionsStateChange(cb) {
+    this._sessionsStateListeners.add(cb);
+    cb(this._sessionsState);
+    return () => this._sessionsStateListeners.delete(cb);
+  }
+  /**
+   * Fire-and-forget variant of {@link listSessions} that drives the observable
+   * `SessionsState` store instead of returning the array. UI layers subscribe
+   * via `onSessionsStateChange` and stay pure readers — mirrors `fetchTxHistory`.
+   */
+  async fetchSessions() {
+    this._setSessionsState({ step: "loading" });
+    try {
+      const sessions = await this.listSessions();
+      this._setSessionsState({ step: "loaded", sessions });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to load sessions";
+      this._setSessionsState({ step: "error", message });
+    }
+  }
   /**
    * Revoke a specific refresh-token family (a single device session). Use
    * `listSessions` to enumerate the familyIds. Revoking the current session
@@ -2507,16 +2687,19 @@ var PollarClient = class {
     cb(this._walletBalanceState);
     return () => this._walletBalanceStateListeners.delete(cb);
   }
-  async refreshBalance(publicKey) {
-    const pk = publicKey ?? this._session?.wallet?.publicKey;
-    if (!pk) {
+  /**
+   * Refreshes the balances of the authenticated user's OWN wallet. The wallet
+   * and network are resolved server-side from the session — no arguments. Drives
+   * `walletBalanceState`. For an arbitrary wallet, use {@link getWalletBalance}.
+   */
+  async refreshBalance() {
+    if (!this._session?.wallet?.address) {
       this._setWalletBalanceState({ step: "error", message: "No wallet connected" });
       return;
     }
     this._setWalletBalanceState({ step: "loading" });
     try {
-      const network = this.getNetwork();
-      const { data, error } = await this._api.GET("/wallet/balance", { params: { query: { publicKey: pk, network } } });
+      const { data, error } = await this._api.GET("/wallet/balance");
       if (!error && data?.success && data.content) {
         this._setWalletBalanceState({ step: "loaded", data: data.content });
       } else {
@@ -2526,6 +2709,53 @@ var PollarClient = class {
       this._setWalletBalanceState({ step: "error", message: "Failed to load balance" });
     }
   }
+  /**
+   * General-purpose balance lookup for ANY wallet on ANY network — not scoped
+   * to this application. Enumerates the account's real on-chain holdings via
+   * Horizon (server-side) and returns the data directly (no reactive state).
+   * `network` defaults to the client's current network.
+   */
+  async getWalletBalance(publicKey, network) {
+    const { data, error } = await this._api.GET("/wallet/{publicKey}/balance", {
+      params: { path: { publicKey }, query: { network: network ?? this.getNetwork() } }
+    });
+    if (error || !data?.success || !data.content) {
+      throw new Error("[PollarClient] Failed to load wallet balance");
+    }
+    return data.content;
+  }
+  // ─── Enabled assets ───────────────────────────────────────────────────────
+  getEnabledAssetsState() {
+    return this._enabledAssetsState;
+  }
+  onEnabledAssetsStateChange(cb) {
+    this._enabledAssetsStateListeners.add(cb);
+    cb(this._enabledAssetsState);
+    return () => this._enabledAssetsStateListeners.delete(cb);
+  }
+  /**
+   * Loads the application's enabled assets paired with the authenticated
+   * wallet's on-chain trustline state — so the SDK knows which trustlines still
+   * need to be added. Wallet and network are resolved server-side from the
+   * session. Drives `enabledAssetsState`; mirrors {@link refreshBalance}.
+   */
+  async refreshAssets() {
+    if (!this._session?.wallet?.address) {
+      this._setEnabledAssetsState({ step: "error", message: "No wallet connected" });
+      return;
+    }
+    this._setEnabledAssetsState({ step: "loading" });
+    try {
+      const { data, error } = await this._api.GET("/wallet/assets");
+      if (!error && data?.success && data.content) {
+        this._setEnabledAssetsState({ step: "loaded", data: data.content });
+      } else {
+        this._setEnabledAssetsState({ step: "error", message: "Failed to load assets" });
+      }
+    } catch {
+      this._setEnabledAssetsState({ step: "error", message: "Failed to load assets" });
+    }
+  }
   // ─── Transactions ─────────────────────────────────────────────────────────
   /**
    * Builds an unsigned XDR. Drives `_setTransactionState` for modal-style UIs
@@ -2533,14 +2763,14 @@ var PollarClient = class {
    * inspect the result without subscribing to state changes.
    */
   async buildTx(operation, params, options) {
-    if (!this._session?.wallet?.publicKey) {
+    if (!this._session?.wallet?.address) {
       const details = "No wallet connected";
       this._setTransactionState({ step: "error", phase: "building", details });
       return { status: "error", details };
     }
     const body = {
       network: this.getNetwork(),
-      publicKey: this._session.wallet.publicKey,
+      address: this._session.wallet.address,
       operation,
       params,
       options: options ?? {}
@@ -2581,7 +2811,7 @@ var PollarClient = class {
     const buildData = this._currentBuildData();
     this._setTransactionState({ step: "signing", ...buildData && { buildData } });
     if (this._walletAdapter) {
-      const accountToSign = this._session?.wallet?.publicKey;
+      const accountToSign = this._session?.wallet?.address;
       const signOpts = accountToSign ? { networkPassphrase: this._networkPassphrase(), accountToSign } : { networkPassphrase: this._networkPassphrase() };
       try {
         const { signedTxXdr } = await this._walletAdapter.signTransaction(unsignedXdr, signOpts);
@@ -2602,10 +2832,10 @@ var PollarClient = class {
         return { status: "error", ...details && { details } };
       }
     }
-    const publicKey = this._session?.wallet?.publicKey ?? "";
+    const address = this._session?.wallet?.address ?? "";
     try {
       const { data, error } = await this._api.POST("/tx/sign", {
-        body: { network: this.getNetwork(), publicKey, unsignedXdr }
+        body: { network: this.getNetwork(), address, unsignedXdr }
       });
       if (!error && data?.success && data.content?.signedXdr) {
         const { signedXdr, idempotencyKey } = data.content;
@@ -2658,12 +2888,12 @@ var PollarClient = class {
     const buildData = this._currentBuildData();
     const outcomeExtra = buildData ? { buildData } : {};
     this._setTransactionState({ step: "submitting", signedXdr, ...buildData && { buildData } });
-    const publicKey = this._session?.wallet?.publicKey ?? "";
+    const address = this._session?.wallet?.address ?? "";
     try {
       const { data, error } = await this._api.POST("/tx/submit", {
         body: {
           network: this.getNetwork(),
-          publicKey,
+          address,
           signedXdr,
           ...opts?.submissionToken && { idempotencyKey: opts.submissionToken }
         }
@@ -2723,6 +2953,19 @@ var PollarClient = class {
    *   `success` (ledger-confirmed), or `error[phase: 'signing-submitting']`.
    */
   async signAndSubmitTx(unsignedXdr) {
+    if (this._session?.wallet?.type === "smart") {
+      const buildData2 = this._currentBuildData();
+      if (!buildData2?.smart) {
+        const details = "no prepared smart transaction; call buildTx first";
+        this._setTransactionState({ step: "error", phase: "signing", details });
+        return { status: "error", details };
+      }
+      return this._signSubmitSmart(buildData2);
+    }
+    if (!unsignedXdr) {
+      this._setTransactionState({ step: "error", phase: "signing", details: "missing unsigned transaction" });
+      return { status: "error", details: "missing unsigned transaction" };
+    }
     if (this._walletAdapter) {
       const signed = await this.signTx(unsignedXdr);
       if (signed.status === "error") {
@@ -2740,7 +2983,7 @@ var PollarClient = class {
     this._setTransactionState({ step: "signing-submitting", ...buildData && { buildData } });
     const body = {
       network: this.getNetwork(),
-      publicKey: this._session?.wallet?.publicKey ?? "",
+      address: this._session?.wallet?.address ?? "",
       unsignedXdr
     };
     try {
@@ -2809,14 +3052,20 @@ var PollarClient = class {
    * `signTx`, and `submitTx` separately instead.
    */
   async buildAndSignAndSubmitTx(operation, params, options) {
+    if (this._session?.wallet?.type === "smart") {
+      return this._runSmartTx(operation, params, options);
+    }
     if (this._walletAdapter) {
       const built = await this.buildTx(operation, params, options);
       if (built.status === "error") {
         return { status: "error", ...built.details && { details: built.details } };
       }
+      if (!built.buildData.unsignedXdr) {
+        return { status: "error", details: "build returned no unsigned transaction" };
+      }
       return this.signAndSubmitTx(built.buildData.unsignedXdr);
     }
-    if (!this._session?.wallet?.publicKey) {
+    if (!this._session?.wallet?.address) {
       this._setTransactionState({ step: "error", phase: "building-signing-submitting", details: "No wallet connected" });
       return { status: "error", details: "No wallet connected" };
     }
@@ -2825,7 +3074,7 @@ var PollarClient = class {
       const { data, error } = await this._api.POST("/tx/build-sign-submit", {
         body: {
           network: this.getNetwork(),
-          publicKey: this._session.wallet.publicKey,
+          address: this._session.wallet.address,
           operation,
           params,
           options: options ?? {}
@@ -2869,6 +3118,113 @@ var PollarClient = class {
   async runTx(operation, params, options) {
     return this.buildAndSignAndSubmitTx(operation, params, options);
   }
+  /**
+   * Smart-wallet (passkey / C-address) transaction: build (server prepares the
+   * SAC transfer + returns the auth digest) → sign the digest with the passkey
+   * → submit (server assembles the signed auth entry and broadcasts; the
+   * sponsor pays the fee). State machine: building → built → signing →
+   * submitting → success.
+   */
+  async _runSmartTx(operation, params, options) {
+    const address = this._session?.wallet?.address;
+    if (!address) {
+      this._setTransactionState({ step: "error", phase: "building", details: "No wallet connected" });
+      return { status: "error", details: "No wallet connected" };
+    }
+    if (!this._passkeySign) {
+      const details = "Passkey signer not configured";
+      this._setTransactionState({ step: "error", phase: "signing", details });
+      return { status: "error", details };
+    }
+    this._setTransactionState({ step: "building" });
+    let buildData;
+    try {
+      const body = {
+        network: this.getNetwork(),
+        address,
+        operation,
+        params,
+        options: options ?? {}
+      };
+      const { data, error } = await this._api.POST("/tx/build", { body });
+      if (error || !data?.success || !data.content?.smart) {
+        const details = error?.details ?? "Failed to build transaction";
+        this._setTransactionState({ step: "error", phase: "building", details });
+        return { status: "error", details };
+      }
+      buildData = data.content;
+    } catch (err) {
+      const details = err instanceof Error ? err.message : void 0;
+      this._setTransactionState({ step: "error", phase: "building", ...details && { details } });
+      return { status: "error", ...details && { details } };
+    }
+    this._setTransactionState({ step: "built", buildData });
+    return this._signSubmitSmart(buildData);
+  }
+  /**
+   * Steps 2–3 of the smart-wallet flow: sign the prepared auth digest with the
+   * passkey, then submit. Shared by `_runSmartTx` (atomic) and `signAndSubmitTx`
+   * (split flow, when a smart build is already on the state machine).
+   */
+  async _signSubmitSmart(buildData) {
+    const address = this._session?.wallet?.address;
+    const smart = buildData.smart;
+    if (!address || !smart) {
+      const details = "no prepared smart transaction";
+      this._setTransactionState({ step: "error", phase: "signing", buildData, details });
+      return { status: "error", buildData, details };
+    }
+    if (!this._passkeySign) {
+      const details = "Passkey signer not configured";
+      this._setTransactionState({ step: "error", phase: "signing", buildData, details });
+      return { status: "error", buildData, details };
+    }
+    this._setTransactionState({ step: "signing", buildData });
+    let assertion;
+    try {
+      assertion = await this._passkeySign({ credentialId: smart.credentialId, challenge: smart.digest });
+    } catch (err) {
+      const details = err instanceof Error ? err.message : void 0;
+      this._setTransactionState({ step: "error", phase: "signing", buildData, ...details && { details } });
+      return { status: "error", buildData, ...details && { details } };
+    }
+    this._setTransactionState({ step: "submitting", buildData });
+    const outcomeExtra = { buildData };
+    try {
+      const { data, error } = await this._api.POST("/tx/submit", {
+        body: {
+          network: this.getNetwork(),
+          address,
+          smart: { entryXdr: smart.entryXdr, funcXdr: smart.funcXdr, assertion }
+        }
+      });
+      if (!error && data?.success && data.content) {
+        const { hash, status: backendStatus, resultCode } = data.content;
+        if (backendStatus === "SUCCESS") {
+          this._setTransactionState({ step: "success", hash, buildData });
+          return { status: "success", hash, ...outcomeExtra };
+        }
+        if (backendStatus === "PENDING") {
+          this._setTransactionState({ step: "submitted", hash, buildData });
+          return { status: "pending", hash, ...outcomeExtra };
+        }
+        this._setTransactionState({
+          step: "error",
+          phase: "submitting",
+          buildData,
+          ...resultCode && { details: resultCode }
+        });
+        return { status: "error", hash, ...outcomeExtra, ...resultCode && { details: resultCode, resultCode } };
+      }
+      const details = error?.details;
+      this._setTransactionState({ step: "error", phase: "submitting", buildData, ...details && { details } });
+      return { status: "error", ...outcomeExtra, ...details && { details } };
+    } catch (err) {
+      const details = err instanceof Error ? err.message : void 0;
+      this._setTransactionState({ step: "error", phase: "submitting", buildData, ...details && { details } });
+      return { status: "error", ...outcomeExtra, ...details && { details } };
+    }
+  }
   // ─── App config ───────────────────────────────────────────────────────────
   async getAppConfig() {
     try {
@@ -2922,10 +3278,18 @@ var PollarClient = class {
     this._txHistoryState = next;
     for (const cb of this._txHistoryStateListeners) cb(next);
   }
+  _setSessionsState(next) {
+    this._sessionsState = next;
+    for (const cb of this._sessionsStateListeners) cb(next);
+  }
   _setWalletBalanceState(next) {
     this._walletBalanceState = next;
     for (const cb of this._walletBalanceStateListeners) cb(next);
   }
+  _setEnabledAssetsState(next) {
+    this._enabledAssetsState = next;
+    for (const cb of this._enabledAssetsStateListeners) cb(next);
+  }
   // ─── Private ──────────────────────────────────────────────────────────────
   _newController() {
     this._loginController?.abort();
@@ -2950,6 +3314,7 @@ var PollarClient = class {
         this._walletAdapter = adapter;
         await writeWalletType(this._storage, this.apiKeyHash, id);
       },
+      ...this._passkey ? { passkey: this._passkey } : {},
       ...this._deviceLabel ? { deviceLabel: this._deviceLabel } : {}
     };
   }
@@ -2979,7 +3344,7 @@ var PollarClient = class {
       }
     }
     if (id === "freighter" /* FREIGHTER */) return new FreighterAdapter();
-    if (id === "albedo" /* ALBEDO */) return new AlbedoAdapter();
+    if (id === "albedo" /* ALBEDO */) return new AlbedoAdapter(this.getNetwork() === "mainnet" ? "public" : "testnet");
     throw new Error(
       `[PollarClient] No wallet adapter configured for "${id}". Pass a walletAdapter resolver in PollarClientConfig.`
     );
@@ -3020,21 +3385,66 @@ var PollarClient = class {
         }
       }
       console.info("[PollarClient] Session restored from storage");
-      this._setAuthState({ step: "authenticated", session: this._session });
+      this._setAuthState({ step: "authenticated", session: this._session, verified: false });
       this._scheduleNextRefresh();
+      void this._resume();
     } else {
       console.info("[PollarClient] No session in storage");
     }
   }
+  /**
+   * Validate the restored session against the server and repopulate the
+   * in-memory profile (PII is never persisted, so it's null after a cold
+   * reload). Goes through the normal authed client, so it coalesces with any
+   * in-flight refresh (onRequest awaits `_refreshPromise`) and, being a GET,
+   * is auto-retried after a 401-triggered refresh.
+   *
+   * - 200          → store profile, mark the session `verified`.
+   * - 401          → the refresh-on-401 path already ran; if the family was
+   *                  revoked, refresh failed and `_clearSession()` took us to
+   *                  idle. Nothing to do here — don't double-handle.
+   * - network error → stay optimistic (do NOT log out); revalidated later on
+   *                  `visibilitychange` or first use.
+   */
+  async _resume() {
+    if (!this._session) return;
+    this._resumeController?.abort();
+    const controller = new AbortController();
+    this._resumeController = controller;
+    try {
+      const { data, error } = await this._api.GET("/auth/session/resume", { signal: controller.signal });
+      if (error || !data) return;
+      const content = data.content;
+      if (!content || !this._session) return;
+      this._profile = { ...content };
+      this._setAuthState({ step: "authenticated", session: this._session, verified: true });
+    } catch (err) {
+      if (err?.name === "AbortError") return;
+      console.warn("[PollarClient] resume failed (network); will retry", err);
+    } finally {
+      if (this._resumeController === controller) this._resumeController = null;
+    }
+  }
   async _storeSession(session) {
     console.info("[PollarClient] Session stored");
+    const w = session.wallet;
     const persisted = {
       clientSessionId: session.clientSessionId,
       userId: session.userId ?? null,
       status: session.status,
       token: session.token,
       user: session.user,
-      wallet: session.wallet
+      // The wire response still carries the legacy `publicKey` alias (kept for
+      // older SDKs); the persisted session standardizes on `address` only.
+      wallet: {
+        type: w.type,
+        address: w.address ?? w.publicKey ?? null,
+        ...w.existsOnStellar !== void 0 ? { existsOnStellar: w.existsOnStellar } : {},
+        ...w.createdAt !== void 0 ? { createdAt: w.createdAt } : {},
+        ...w.linkedAt !== void 0 ? { linkedAt: w.linkedAt } : {},
+        ...w.network !== void 0 ? { network: w.network } : {},
+        ...w.deployTxHash !== void 0 ? { deployTxHash: w.deployTxHash } : {}
+      }
     };
     this._session = persisted;
     if (session.data) {
@@ -3047,7 +3457,7 @@ var PollarClient = class {
       };
     }
     await writeStorage(this._storage, this.apiKeyHash, persisted);
-    this._setAuthState({ step: "authenticated", session: persisted });
+    this._setAuthState({ step: "authenticated", session: persisted, verified: true });
     this._scheduleNextRefresh();
   }
   async _clearSession() {
@@ -3133,6 +3543,7 @@ _setDefaultKeyManagerFactory((_storage, apiKey) => new WebCryptoKeyManager(apiKe
 exports.AUTH_ERROR_CODES = AUTH_ERROR_CODES;
 exports.AlbedoAdapter = AlbedoAdapter;
 exports.FreighterAdapter = FreighterAdapter;
+exports.POLLAR_CORE_VERSION = POLLAR_CORE_VERSION;
 exports.PollarClient = PollarClient;
 exports.StellarClient = StellarClient;
 exports.WalletType = WalletType;