@pollar/core 0.8.1 → 0.9.0-rc.0

package/dist/index.rn.js

@@ -1,6 +1,7 @@
 'use strict';
 
-var p256 = require('@noble/curves/p256');
+var nist = require('@noble/curves/nist');
+var sha2 = require('@noble/hashes/sha2');
 
 var __create = Object.create;
 var __defProp = Object.defineProperty;
@@ -186,11 +187,8 @@ function defaultKeyManager(storage, apiKey) {
   }
   return _factory(storage, apiKey);
 }
-
-// src/lib/sha256.ts
 async function sha256(data) {
-  const buf = await crypto.subtle.digest("SHA-256", data);
-  return new Uint8Array(buf);
+  return sha2.sha256(data);
 }
 
 // src/lib/api-key-hash.ts
@@ -269,11 +267,14 @@ async function computeJwkThumbprint(jwk) {
   const digest = await sha256(new TextEncoder().encode(canonical));
   return base64urlEncode(digest);
 }
+function toBase64url(value) {
+  return value.replace(/\+/g, "-").replace(/\//g, "_").replace(/[^A-Za-z0-9_-]/g, "");
+}
 function canonicalEcJwk(jwk) {
   if (jwk.kty !== "EC" || jwk.crv !== "P-256" || typeof jwk.x !== "string" || typeof jwk.y !== "string") {
     throw new Error("[PollarClient:thumbprint] Source JWK is not an EC P-256 public key");
   }
-  return { kty: "EC", crv: "P-256", x: jwk.x, y: jwk.y };
+  return { kty: "EC", crv: "P-256", x: toBase64url(jwk.x), y: toBase64url(jwk.y) };
 }
 
 // src/keys/noble.ts
@@ -325,14 +326,14 @@ var NobleKeyManager = class {
       priv = null;
     }
     if (!priv) {
-      priv = p256.p256.utils.randomPrivateKey();
+      priv = nist.p256.utils.randomPrivateKey();
       try {
         await this.storage.set(this.storageKey, base64urlEncode(priv));
       } catch {
       }
     }
     this.privateKey = priv;
-    const pub = p256.p256.getPublicKey(priv, false);
+    const pub = nist.p256.getPublicKey(priv, false);
     if (pub.length !== 65 || pub[0] !== 4) {
       throw new Error("[PollarClient:keys] Unexpected public key format from @noble/curves");
     }
@@ -374,172 +375,11 @@ var NobleKeyManager = class {
       throw new Error("[PollarClient:keys] Keypair initialization failed; sign unavailable");
     }
     const digest = await sha256(payload);
-    const signature = p256.p256.sign(digest, this.privateKey, { prehash: false });
+    const signature = nist.p256.sign(digest, this.privateKey, { prehash: false });
     return signature.toCompactRawBytes();
   }
 };
 
-// src/keys/web-crypto.ts
-var DB_NAME = "pollar-keys";
-var DB_VERSION = 1;
-var STORE_NAME = "keys";
-function openDb() {
-  return new Promise((resolve, reject) => {
-    if (typeof indexedDB === "undefined") {
-      reject(new Error("[PollarClient:keys] IndexedDB not available"));
-      return;
-    }
-    const req = indexedDB.open(DB_NAME, DB_VERSION);
-    req.onerror = () => reject(req.error ?? new Error("IDB open failed"));
-    req.onsuccess = () => resolve(req.result);
-    req.onupgradeneeded = () => {
-      const db = req.result;
-      if (!db.objectStoreNames.contains(STORE_NAME)) {
-        db.createObjectStore(STORE_NAME);
-      }
-    };
-  });
-}
-function awaitTx(req) {
-  return new Promise((resolve, reject) => {
-    req.onsuccess = () => resolve(req.result);
-    req.onerror = () => reject(req.error ?? new Error("IDB request failed"));
-  });
-}
-async function dbGet(key) {
-  const db = await openDb();
-  try {
-    const tx = db.transaction(STORE_NAME, "readonly");
-    const result = await awaitTx(tx.objectStore(STORE_NAME).get(key));
-    return result;
-  } finally {
-    db.close();
-  }
-}
-async function dbPut(key, value) {
-  const db = await openDb();
-  try {
-    const tx = db.transaction(STORE_NAME, "readwrite");
-    await awaitTx(tx.objectStore(STORE_NAME).put(value, key));
-  } finally {
-    db.close();
-  }
-}
-async function dbDelete(key) {
-  const db = await openDb();
-  try {
-    const tx = db.transaction(STORE_NAME, "readwrite");
-    await awaitTx(tx.objectStore(STORE_NAME).delete(key));
-  } finally {
-    db.close();
-  }
-}
-function isCryptoKeyPair(v) {
-  if (typeof v !== "object" || v === null) return false;
-  const obj = v;
-  return obj.privateKey !== void 0 && obj.publicKey !== void 0;
-}
-var WebCryptoKeyManager = class {
-  constructor(apiKey) {
-    this.apiKeyHash = null;
-    this.keyPair = null;
-    this.publicJwk = null;
-    this.thumbprint = null;
-    /**
-     * Cached in-flight init. Lets `init()` be called concurrently (or implicitly
-     * from `getPublicJwk` / `sign`) without doing the work twice. Cleared on
-     * failure so callers can retry, and cleared on `reset()`.
-     */
-    this._initPromise = null;
-    if (typeof globalThis.crypto === "undefined" || !globalThis.crypto.subtle) {
-      throw new Error("[PollarClient:keys] SubtleCrypto is unavailable. DPoP requires a secure context (HTTPS or localhost).");
-    }
-    this.apiKey = apiKey;
-  }
-  /**
-   * Idempotent and safe under concurrency. The first call kicks off the real
-   * init; subsequent (and concurrent) calls return the same in-flight promise.
-   * Other methods (`getPublicJwk`, `getThumbprint`, `sign`) auto-await this so
-   * the manager is self-healing if `init()` was never explicitly invoked.
-   */
-  async init() {
-    if (this.keyPair) return;
-    if (!this._initPromise) {
-      this._initPromise = this._doInit().catch((err) => {
-        console.error("[PollarClient:keys] WebCryptoKeyManager init failed", err);
-        this._initPromise = null;
-        throw err;
-      });
-    }
-    return this._initPromise;
-  }
-  async _doInit() {
-    if (!this.apiKeyHash) {
-      this.apiKeyHash = await hashApiKey(this.apiKey);
-    }
-    let pair;
-    try {
-      pair = await dbGet(this.apiKeyHash);
-      if (pair && !isCryptoKeyPair(pair)) pair = void 0;
-    } catch {
-      pair = void 0;
-    }
-    if (!pair) {
-      pair = await globalThis.crypto.subtle.generateKey(
-        { name: "ECDSA", namedCurve: "P-256" },
-        // false → private key non-extractable; per W3C ECDSA spec the public
-        // key is always extractable regardless of this flag.
-        false,
-        ["sign", "verify"]
-      );
-      try {
-        await dbPut(this.apiKeyHash, pair);
-      } catch {
-      }
-    }
-    this.keyPair = pair;
-    const exported = await globalThis.crypto.subtle.exportKey("jwk", pair.publicKey);
-    this.publicJwk = canonicalEcJwk(exported);
-    this.thumbprint = await computeJwkThumbprint(this.publicJwk);
-  }
-  async reset() {
-    try {
-      if (this.apiKeyHash) await dbDelete(this.apiKeyHash);
-    } catch {
-    }
-    this.keyPair = null;
-    this.publicJwk = null;
-    this.thumbprint = null;
-    this._initPromise = null;
-  }
-  async getPublicJwk() {
-    if (!this.publicJwk) await this.init();
-    if (!this.publicJwk) {
-      throw new Error("[PollarClient:keys] Keypair initialization failed; getPublicJwk unavailable");
-    }
-    return { kty: this.publicJwk.kty, crv: this.publicJwk.crv, x: this.publicJwk.x, y: this.publicJwk.y };
-  }
-  async getThumbprint() {
-    if (!this.thumbprint) await this.init();
-    if (!this.thumbprint) {
-      throw new Error("[PollarClient:keys] Keypair initialization failed; getThumbprint unavailable");
-    }
-    return this.thumbprint;
-  }
-  async sign(payload) {
-    if (!this.keyPair) await this.init();
-    if (!this.keyPair) {
-      throw new Error("[PollarClient:keys] Keypair initialization failed; sign unavailable");
-    }
-    const sig = await globalThis.crypto.subtle.sign(
-      { name: "ECDSA", hash: "SHA-256" },
-      this.keyPair.privateKey,
-      payload
-    );
-    return new Uint8Array(sig);
-  }
-};
-
 // ../../node_modules/openapi-fetch/dist/index.mjs
 var PATH_PARAM_RE = /\{[^{}]+\}/g;
 var supportsRequestInitExt = () => {
@@ -1259,6 +1099,9 @@ function defaultStorage(options = {}) {
   return createLocalStorageAdapter(options);
 }
 
+// src/version.ts
+var POLLAR_CORE_VERSION = "0.9.0-rc.0" ;
+
 // src/visibility/noop.ts
 function createNoopVisibilityProvider() {
   return {
@@ -1323,6 +1166,7 @@ var AUTH_ERROR_CODES = {
   WALLET_CONNECT_FAILED: "WALLET_CONNECT_FAILED",
   WALLET_AUTH_FAILED: "WALLET_AUTH_FAILED",
   WALLET_RESOLVER_TIMEOUT: "WALLET_RESOLVER_TIMEOUT",
+  PASSKEY_FAILED: "PASSKEY_FAILED",
   UNEXPECTED_ERROR: "UNEXPECTED_ERROR"
 };
 var PollarFlowError = class extends Error {
@@ -1368,7 +1212,7 @@ var FreighterAdapter = class {
     if (!userInfo?.publicKey) {
       throw new Error("Failed to get user information from Freighter");
     }
-    return { address: userInfo.publicKey, publicKey: userInfo.publicKey };
+    return { address: userInfo.publicKey };
   }
   async disconnect() {
   }
@@ -1406,6 +1250,19 @@ var FreighterAdapter = class {
 };
 
 // src/wallets/AlbedoAdapter.ts
+var PUBLIC_PASSPHRASE = "Public Global Stellar Network ; September 2015";
+var TESTNET_PASSPHRASE = "Test SDF Network ; September 2015";
+function albedoNetwork(options, fallback) {
+  switch (options?.networkPassphrase) {
+    case PUBLIC_PASSPHRASE:
+      return "public";
+    case TESTNET_PASSPHRASE:
+      return "testnet";
+  }
+  if (options?.network === "public" || options?.network === "mainnet") return "public";
+  if (options?.network === "testnet") return "testnet";
+  return fallback;
+}
 function openAlbedoPopup(url) {
   const popup = window.open(url, "albedo", "width=420,height=720,resizable=yes,scrollbars=yes");
   if (!popup) {
@@ -1444,7 +1301,13 @@ function waitForAlbedoResult() {
   });
 }
 var AlbedoAdapter = class {
-  constructor() {
+  /**
+   * Network used for `connect` and `signAuthEntry` (which carry no per-call
+   * network) and as the fallback for `signTransaction`. Defaults to `'testnet'`
+   * to preserve the previous behavior when constructed with no argument.
+   */
+  constructor(network = "testnet") {
+    this.network = network;
     this.type = "albedo" /* ALBEDO */;
   }
   async isAvailable() {
@@ -1454,7 +1317,7 @@ var AlbedoAdapter = class {
     const url = new URL("https://albedo.link");
     url.searchParams.set("intent", "public-key");
     url.searchParams.set("app_name", "Pollar");
-    url.searchParams.set("network", "testnet");
+    url.searchParams.set("network", this.network);
     url.searchParams.set("callback", `${window.location.origin}/albedo-callback`);
     url.searchParams.set("origin", window.location.origin);
     openAlbedoPopup(url.toString());
@@ -1462,7 +1325,7 @@ var AlbedoAdapter = class {
     if (!result.pubkey) {
       throw new Error("Albedo connection rejected");
     }
-    return { address: result.pubkey, publicKey: result.pubkey };
+    return { address: result.pubkey };
   }
   async disconnect() {
   }
@@ -1472,12 +1335,12 @@ var AlbedoAdapter = class {
   async getNetwork() {
     throw new Error("Albedo does not expose network");
   }
-  async signTransaction(xdr, _options) {
+  async signTransaction(xdr, options) {
     const url = new URL("https://albedo.link");
     url.searchParams.set("intent", "tx");
     url.searchParams.set("xdr", xdr);
     url.searchParams.set("app_name", "Pollar");
-    url.searchParams.set("network", "testnet");
+    url.searchParams.set("network", albedoNetwork(options, this.network));
     url.searchParams.set("callback", window.location.href);
     url.searchParams.set("origin", window.location.origin);
     window.location.href = url.toString();
@@ -1490,7 +1353,7 @@ var AlbedoAdapter = class {
     url.searchParams.set("intent", "sign-auth-entry");
     url.searchParams.set("xdr", entryXdr);
     url.searchParams.set("app_name", "Pollar");
-    url.searchParams.set("network", "testnet");
+    url.searchParams.set("network", this.network);
     url.searchParams.set("callback", window.location.href);
     url.searchParams.set("origin", window.location.origin);
     window.location.href = url.toString();
@@ -1577,8 +1440,12 @@ function isValidSession(value) {
     return false;
   }
   const w = wallet;
-  if (w["publicKey"] !== null && !isBoundedString(w["publicKey"], MAX_WALLET_PUBLIC_KEY)) {
-    console.warn("[PollarClient:session] Invalid session \u2014 wallet.publicKey must be string|null");
+  if (w["type"] !== "custodial" && w["type"] !== "smart" && w["type"] !== "external") {
+    console.warn("[PollarClient:session] Invalid session \u2014 wallet.type must be custodial|smart|external");
+    return false;
+  }
+  if (w["address"] !== null && !isBoundedString(w["address"], MAX_WALLET_PUBLIC_KEY)) {
+    console.warn("[PollarClient:session] Invalid session \u2014 wallet.address must be string|null");
     return false;
   }
   if (w["existsOnStellar"] !== void 0 && typeof w["existsOnStellar"] !== "boolean") {
@@ -1589,6 +1456,10 @@ function isValidSession(value) {
     console.warn("[PollarClient:session] Invalid session \u2014 wallet.createdAt must be a finite number if present");
     return false;
   }
+  if (w["linkedAt"] !== void 0 && (typeof w["linkedAt"] !== "number" || !Number.isFinite(w["linkedAt"]))) {
+    console.warn("[PollarClient:session] Invalid session \u2014 wallet.linkedAt must be a finite number if present");
+    return false;
+  }
   return true;
 }
 async function readStorage(storage, apiKeyHash) {
@@ -1596,6 +1467,12 @@ async function readStorage(storage, apiKeyHash) {
   if (!raw) return null;
   try {
     const session = JSON.parse(raw);
+    if (typeof session === "object" && session !== null) {
+      const w = session.wallet;
+      if (w && w["address"] == null && typeof w["publicKey"] === "string") {
+        w["address"] = w["publicKey"];
+      }
+    }
     if (!isValidSession(session)) {
       await storage.remove(sessionStorageKey(apiKeyHash));
       console.warn("[PollarClient:session] Stored session is invalid \u2014 clearing storage");
@@ -1686,7 +1563,7 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
       }));
     } catch (e) {
       if (e instanceof Error && e.name === "AbortError") throw e;
-      console.warn(e);
+      console.warn("[PollarClient:stream] session-status request failed; will retry", e);
     }
     if (error || !data) {
       await sleep(backoff);
@@ -1726,7 +1603,7 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
     } catch (e) {
       if (e instanceof Error && e.name === "AbortError") throw e;
       if (e instanceof SessionStatusError) throw e;
-      console.warn(e);
+      console.warn("[PollarClient:stream] session-status stream read failed; will retry", e);
     } finally {
       reader.releaseLock();
     }
@@ -1754,7 +1631,7 @@ async function pollUntilFound(baseUrl, clientSessionId, check, intervalMs = 500,
       envelope = await response.json().catch(() => null);
     } catch (e) {
       if (e instanceof Error && e.name === "AbortError") throw e;
-      console.warn(e);
+      console.warn("[PollarClient:stream] session-status poll failed; will retry", e);
     }
     if (httpStatus === 404 || envelope?.code === "INVALID_CLIENT_SESSION_ID") {
       throw new SessionStatusError("INVALID_CLIENT_SESSION_ID");
@@ -1958,6 +1835,55 @@ async function loginOAuth(provider, deps) {
   await authenticate(clientSessionId, deps);
 }
 
+// src/client/auth/passkeyFlow.ts
+async function loginSmartWallet(deps) {
+  const { api, signal, setAuthState, passkey } = deps;
+  if (!passkey) {
+    setAuthState({
+      step: "error",
+      previousStep: "creating_session",
+      message: "Passkey support is not configured",
+      errorCode: AUTH_ERROR_CODES.PASSKEY_FAILED
+    });
+    return;
+  }
+  const clientSessionId = await createAuthSession(deps);
+  if (!clientSessionId) return;
+  try {
+    const { data: challengeData } = await api.POST("/auth/passkey/challenge", {
+      body: { clientSessionId },
+      signal
+    });
+    const challenge = challengeData?.content?.challenge;
+    if (!challengeData?.success || !challenge) {
+      return failPasskey(setAuthState, "Failed to start passkey");
+    }
+    setAuthState({ step: "creating_passkey" });
+    const ceremony = await passkey({ challenge });
+    const response = ceremony.response;
+    if (ceremony.kind === "register") {
+      setAuthState({ step: "deploying_smart_account" });
+      const { data } = await api.POST("/auth/passkey/register", {
+        body: { clientSessionId, response },
+        signal
+      });
+      if (!data?.success) return failPasskey(setAuthState, "Passkey registration failed");
+    } else {
+      const { data } = await api.POST("/auth/passkey/login", {
+        body: { clientSessionId, response },
+        signal
+      });
+      if (!data?.success) return failPasskey(setAuthState, "Passkey authentication failed");
+    }
+  } catch {
+    return failPasskey(setAuthState, "Passkey login failed");
+  }
+  await authenticate(clientSessionId, deps);
+}
+function failPasskey(setAuthState, message) {
+  setAuthState({ step: "error", previousStep: "creating_passkey", message, errorCode: AUTH_ERROR_CODES.PASSKEY_FAILED });
+}
+
 // src/client/auth/walletFlow.ts
 function withSignal(promise, signal) {
   return Promise.race([
@@ -1984,12 +1910,12 @@ async function loginWallet(type, deps) {
       setAuthState({ step: "wallet_not_installed", walletType: type });
       return;
     }
-    const { publicKey } = await withSignal(adapter.connect(), signal);
-    connectedWallet = publicKey;
+    const { address } = await withSignal(adapter.connect(), signal);
+    connectedWallet = address;
     deps.storeWalletAdapter(adapter, type);
     setAuthState({ step: "authenticating_wallet" });
     const { data: walletData, error: walletError } = await api.POST("/auth/wallet", {
-      body: { clientSessionId, walletAddress: publicKey },
+      body: { clientSessionId, walletAddress: address },
       signal
     });
     if (walletError || !walletData?.success) {
@@ -2054,8 +1980,12 @@ var PollarClient = class {
     this._transactionStateListeners = /* @__PURE__ */ new Set();
     this._txHistoryState = { step: "idle" };
     this._txHistoryStateListeners = /* @__PURE__ */ new Set();
+    this._sessionsState = { step: "idle" };
+    this._sessionsStateListeners = /* @__PURE__ */ new Set();
     this._walletBalanceState = { step: "idle" };
     this._walletBalanceStateListeners = /* @__PURE__ */ new Set();
+    this._enabledAssetsState = { step: "idle" };
+    this._enabledAssetsStateListeners = /* @__PURE__ */ new Set();
     this._authState = { step: "idle" };
     this._authStateListeners = /* @__PURE__ */ new Set();
     this._networkState = { step: "idle" };
@@ -2071,6 +2001,8 @@ var PollarClient = class {
     this._storageDegradeListeners = /* @__PURE__ */ new Set();
     this._walletAdapter = null;
     this._loginController = null;
+    /** Aborts an in-flight `/auth/session/resume` on destroy() or re-trigger. */
+    this._resumeController = null;
     this.apiKey = config.apiKey;
     this.id = randomUUID();
     this.basePath = `${config.baseUrl || "https://sdk.api.pollar.xyz"}/v1`;
@@ -2083,6 +2015,8 @@ var PollarClient = class {
     this._keyManager = config.keyManager ?? defaultKeyManager(this._storage, config.apiKey);
     this._walletAdapterResolver = config.walletAdapter ?? null;
     this._walletResolverTimeoutMs = config.walletResolverTimeoutMs ?? 5e3;
+    this._passkey = config.passkey ?? null;
+    this._passkeySign = config.passkeySign ?? null;
     this._deviceLabel = config.deviceLabel;
     this._visibilityProvider = config.visibilityProvider ?? defaultVisibilityProvider();
     this._maxIdleMs = config.maxIdleMs;
@@ -2096,7 +2030,9 @@ var PollarClient = class {
       this._initialized = Promise.resolve();
       return;
     }
-    console.info(`[PollarClient] Initialized \u2014 endpoint: ${this.basePath}, network: ${this._networkState.network}`);
+    console.info(
+      `[PollarClient] Initialized v${POLLAR_CORE_VERSION} \u2014 endpoint: ${this.basePath}, network: ${this._networkState.network}`
+    );
     this._initialized = this._initialize();
   }
   /**
@@ -2134,7 +2070,11 @@ var PollarClient = class {
     }
     await this._restoreSession();
     this._visibilityUnsubscribe = this._visibilityProvider.onChange((visible) => {
-      if (visible) void this._maybeProactiveRefresh();
+      if (!visible) return;
+      void this._maybeProactiveRefresh();
+      if (this._authState.step === "authenticated" && !this._authState.verified) {
+        void this._resume();
+      }
     });
   }
   /** Detach the cross-tab storage listener and abort any in-flight login. */
@@ -2145,6 +2085,8 @@ var PollarClient = class {
     }
     this._loginController?.abort();
     this._loginController = null;
+    this._resumeController?.abort();
+    this._resumeController = null;
     this._clearRefreshTimer();
     if (this._visibilityUnsubscribe) {
       this._visibilityUnsubscribe();
@@ -2159,7 +2101,9 @@ var PollarClient = class {
         request.headers.set("x-pollar-api-key", self.apiKey);
         self._lastRequestAt = Date.now();
         await self._initialized;
-        if (request.body !== null) {
+        const cacheMethod = request.method.toUpperCase();
+        const cacheBodyAllowed = cacheMethod !== "GET" && cacheMethod !== "HEAD";
+        if (cacheBodyAllowed && request.body != null) {
           try {
             self._requestBodyCache.set(request, await request.clone().arrayBuffer());
           } catch (err) {
@@ -2246,7 +2190,9 @@ var PollarClient = class {
         }
       }
     }
-    const cachedBody = this._requestBodyCache.get(originalRequest);
+    const retryMethod = originalRequest.method.toUpperCase();
+    const retryBodyAllowed = retryMethod !== "GET" && retryMethod !== "HEAD";
+    const cachedBody = retryBodyAllowed ? this._requestBodyCache.get(originalRequest) : void 0;
     const retried = new Request(originalRequest.url, {
       method: originalRequest.method,
       headers,
@@ -2290,19 +2236,26 @@ var PollarClient = class {
       throw err;
     }
     if (error || !data) {
-      console.warn("[PollarClient] /auth/refresh returned error", { error });
+      console.error("[PollarClient] /auth/refresh returned error", { error });
       await this._clearSession();
       throw new Error("Refresh failed");
     }
     const successData = data;
     if (!successData.success || !successData.content?.token) {
-      console.warn("[PollarClient] /auth/refresh response malformed", successData);
+      console.error("[PollarClient] /auth/refresh response malformed", {
+        success: successData.success,
+        hasToken: !!successData.content?.token
+      });
       await this._clearSession();
       throw new Error("Refresh response malformed");
     }
     const newToken = successData.content.token;
     if (typeof newToken.accessToken !== "string" || typeof newToken.refreshToken !== "string" || typeof newToken.expiresAt !== "number") {
-      console.warn("[PollarClient] /auth/refresh token shape invalid", newToken);
+      console.error("[PollarClient] /auth/refresh token shape invalid", {
+        accessToken: typeof newToken.accessToken,
+        refreshToken: typeof newToken.refreshToken,
+        expiresAt: typeof newToken.expiresAt
+      });
       await this._clearSession();
       throw new Error("Refresh response token shape invalid");
     }
@@ -2496,6 +2449,19 @@ var PollarClient = class {
     const controller = this._newController();
     loginWallet(type, this._flowDeps(controller.signal)).catch((err) => this._handleFlowError(err));
   }
+  /**
+   * "Smart Wallet" login: runs the passkey (WebAuthn) ceremony and, for a new
+   * user, creates a sponsored smart-account C-address. Requires the `passkey`
+   * ceremony to be configured (e.g. via `@pollar/react`).
+   */
+  loginSmartWallet() {
+    if (!isClientRuntime) {
+      warnServerSide("loginSmartWallet");
+      return;
+    }
+    const controller = this._newController();
+    loginSmartWallet(this._flowDeps(controller.signal)).catch((err) => this._handleFlowError(err));
+  }
   // ─── Cancel ───────────────────────────────────────────────────────────────
   cancelLogin() {
     this._loginController?.abort();
@@ -2558,6 +2524,29 @@ var PollarClient = class {
     }
     return data.content.sessions;
   }
+  getSessionsState() {
+    return this._sessionsState;
+  }
+  onSessionsStateChange(cb) {
+    this._sessionsStateListeners.add(cb);
+    cb(this._sessionsState);
+    return () => this._sessionsStateListeners.delete(cb);
+  }
+  /**
+   * Fire-and-forget variant of {@link listSessions} that drives the observable
+   * `SessionsState` store instead of returning the array. UI layers subscribe
+   * via `onSessionsStateChange` and stay pure readers — mirrors `fetchTxHistory`.
+   */
+  async fetchSessions() {
+    this._setSessionsState({ step: "loading" });
+    try {
+      const sessions = await this.listSessions();
+      this._setSessionsState({ step: "loaded", sessions });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to load sessions";
+      this._setSessionsState({ step: "error", message });
+    }
+  }
   /**
    * Revoke a specific refresh-token family (a single device session). Use
    * `listSessions` to enumerate the familyIds. Revoking the current session
@@ -2634,16 +2623,19 @@ var PollarClient = class {
     cb(this._walletBalanceState);
     return () => this._walletBalanceStateListeners.delete(cb);
   }
-  async refreshBalance(publicKey) {
-    const pk = publicKey ?? this._session?.wallet?.publicKey;
-    if (!pk) {
+  /**
+   * Refreshes the balances of the authenticated user's OWN wallet. The wallet
+   * and network are resolved server-side from the session — no arguments. Drives
+   * `walletBalanceState`. For an arbitrary wallet, use {@link getWalletBalance}.
+   */
+  async refreshBalance() {
+    if (!this._session?.wallet?.address) {
       this._setWalletBalanceState({ step: "error", message: "No wallet connected" });
       return;
     }
     this._setWalletBalanceState({ step: "loading" });
     try {
-      const network = this.getNetwork();
-      const { data, error } = await this._api.GET("/wallet/balance", { params: { query: { publicKey: pk, network } } });
+      const { data, error } = await this._api.GET("/wallet/balance");
       if (!error && data?.success && data.content) {
         this._setWalletBalanceState({ step: "loaded", data: data.content });
       } else {
@@ -2653,6 +2645,53 @@ var PollarClient = class {
       this._setWalletBalanceState({ step: "error", message: "Failed to load balance" });
     }
   }
+  /**
+   * General-purpose balance lookup for ANY wallet on ANY network — not scoped
+   * to this application. Enumerates the account's real on-chain holdings via
+   * Horizon (server-side) and returns the data directly (no reactive state).
+   * `network` defaults to the client's current network.
+   */
+  async getWalletBalance(publicKey, network) {
+    const { data, error } = await this._api.GET("/wallet/{publicKey}/balance", {
+      params: { path: { publicKey }, query: { network: network ?? this.getNetwork() } }
+    });
+    if (error || !data?.success || !data.content) {
+      throw new Error("[PollarClient] Failed to load wallet balance");
+    }
+    return data.content;
+  }
+  // ─── Enabled assets ───────────────────────────────────────────────────────
+  getEnabledAssetsState() {
+    return this._enabledAssetsState;
+  }
+  onEnabledAssetsStateChange(cb) {
+    this._enabledAssetsStateListeners.add(cb);
+    cb(this._enabledAssetsState);
+    return () => this._enabledAssetsStateListeners.delete(cb);
+  }
+  /**
+   * Loads the application's enabled assets paired with the authenticated
+   * wallet's on-chain trustline state — so the SDK knows which trustlines still
+   * need to be added. Wallet and network are resolved server-side from the
+   * session. Drives `enabledAssetsState`; mirrors {@link refreshBalance}.
+   */
+  async refreshAssets() {
+    if (!this._session?.wallet?.address) {
+      this._setEnabledAssetsState({ step: "error", message: "No wallet connected" });
+      return;
+    }
+    this._setEnabledAssetsState({ step: "loading" });
+    try {
+      const { data, error } = await this._api.GET("/wallet/assets");
+      if (!error && data?.success && data.content) {
+        this._setEnabledAssetsState({ step: "loaded", data: data.content });
+      } else {
+        this._setEnabledAssetsState({ step: "error", message: "Failed to load assets" });
+      }
+    } catch {
+      this._setEnabledAssetsState({ step: "error", message: "Failed to load assets" });
+    }
+  }
   // ─── Transactions ─────────────────────────────────────────────────────────
   /**
    * Builds an unsigned XDR. Drives `_setTransactionState` for modal-style UIs
@@ -2660,14 +2699,14 @@ var PollarClient = class {
    * inspect the result without subscribing to state changes.
    */
   async buildTx(operation, params, options) {
-    if (!this._session?.wallet?.publicKey) {
+    if (!this._session?.wallet?.address) {
       const details = "No wallet connected";
       this._setTransactionState({ step: "error", phase: "building", details });
       return { status: "error", details };
     }
     const body = {
       network: this.getNetwork(),
-      publicKey: this._session.wallet.publicKey,
+      address: this._session.wallet.address,
       operation,
       params,
       options: options ?? {}
@@ -2708,7 +2747,7 @@ var PollarClient = class {
     const buildData = this._currentBuildData();
     this._setTransactionState({ step: "signing", ...buildData && { buildData } });
     if (this._walletAdapter) {
-      const accountToSign = this._session?.wallet?.publicKey;
+      const accountToSign = this._session?.wallet?.address;
       const signOpts = accountToSign ? { networkPassphrase: this._networkPassphrase(), accountToSign } : { networkPassphrase: this._networkPassphrase() };
       try {
         const { signedTxXdr } = await this._walletAdapter.signTransaction(unsignedXdr, signOpts);
@@ -2729,10 +2768,10 @@ var PollarClient = class {
         return { status: "error", ...details && { details } };
       }
     }
-    const publicKey = this._session?.wallet?.publicKey ?? "";
+    const address = this._session?.wallet?.address ?? "";
     try {
       const { data, error } = await this._api.POST("/tx/sign", {
-        body: { network: this.getNetwork(), publicKey, unsignedXdr }
+        body: { network: this.getNetwork(), address, unsignedXdr }
       });
       if (!error && data?.success && data.content?.signedXdr) {
         const { signedXdr, idempotencyKey } = data.content;
@@ -2785,12 +2824,12 @@ var PollarClient = class {
     const buildData = this._currentBuildData();
     const outcomeExtra = buildData ? { buildData } : {};
     this._setTransactionState({ step: "submitting", signedXdr, ...buildData && { buildData } });
-    const publicKey = this._session?.wallet?.publicKey ?? "";
+    const address = this._session?.wallet?.address ?? "";
     try {
       const { data, error } = await this._api.POST("/tx/submit", {
         body: {
           network: this.getNetwork(),
-          publicKey,
+          address,
           signedXdr,
           ...opts?.submissionToken && { idempotencyKey: opts.submissionToken }
         }
@@ -2850,6 +2889,19 @@ var PollarClient = class {
    *   `success` (ledger-confirmed), or `error[phase: 'signing-submitting']`.
    */
   async signAndSubmitTx(unsignedXdr) {
+    if (this._session?.wallet?.type === "smart") {
+      const buildData2 = this._currentBuildData();
+      if (!buildData2?.smart) {
+        const details = "no prepared smart transaction; call buildTx first";
+        this._setTransactionState({ step: "error", phase: "signing", details });
+        return { status: "error", details };
+      }
+      return this._signSubmitSmart(buildData2);
+    }
+    if (!unsignedXdr) {
+      this._setTransactionState({ step: "error", phase: "signing", details: "missing unsigned transaction" });
+      return { status: "error", details: "missing unsigned transaction" };
+    }
     if (this._walletAdapter) {
       const signed = await this.signTx(unsignedXdr);
       if (signed.status === "error") {
@@ -2867,7 +2919,7 @@ var PollarClient = class {
     this._setTransactionState({ step: "signing-submitting", ...buildData && { buildData } });
     const body = {
       network: this.getNetwork(),
-      publicKey: this._session?.wallet?.publicKey ?? "",
+      address: this._session?.wallet?.address ?? "",
       unsignedXdr
     };
     try {
@@ -2936,14 +2988,20 @@ var PollarClient = class {
    * `signTx`, and `submitTx` separately instead.
    */
   async buildAndSignAndSubmitTx(operation, params, options) {
+    if (this._session?.wallet?.type === "smart") {
+      return this._runSmartTx(operation, params, options);
+    }
     if (this._walletAdapter) {
       const built = await this.buildTx(operation, params, options);
       if (built.status === "error") {
         return { status: "error", ...built.details && { details: built.details } };
       }
+      if (!built.buildData.unsignedXdr) {
+        return { status: "error", details: "build returned no unsigned transaction" };
+      }
       return this.signAndSubmitTx(built.buildData.unsignedXdr);
     }
-    if (!this._session?.wallet?.publicKey) {
+    if (!this._session?.wallet?.address) {
       this._setTransactionState({ step: "error", phase: "building-signing-submitting", details: "No wallet connected" });
       return { status: "error", details: "No wallet connected" };
     }
@@ -2952,7 +3010,7 @@ var PollarClient = class {
       const { data, error } = await this._api.POST("/tx/build-sign-submit", {
         body: {
           network: this.getNetwork(),
-          publicKey: this._session.wallet.publicKey,
+          address: this._session.wallet.address,
           operation,
           params,
           options: options ?? {}
@@ -2996,6 +3054,113 @@ var PollarClient = class {
   async runTx(operation, params, options) {
     return this.buildAndSignAndSubmitTx(operation, params, options);
   }
+  /**
+   * Smart-wallet (passkey / C-address) transaction: build (server prepares the
+   * SAC transfer + returns the auth digest) → sign the digest with the passkey
+   * → submit (server assembles the signed auth entry and broadcasts; the
+   * sponsor pays the fee). State machine: building → built → signing →
+   * submitting → success.
+   */
+  async _runSmartTx(operation, params, options) {
+    const address = this._session?.wallet?.address;
+    if (!address) {
+      this._setTransactionState({ step: "error", phase: "building", details: "No wallet connected" });
+      return { status: "error", details: "No wallet connected" };
+    }
+    if (!this._passkeySign) {
+      const details = "Passkey signer not configured";
+      this._setTransactionState({ step: "error", phase: "signing", details });
+      return { status: "error", details };
+    }
+    this._setTransactionState({ step: "building" });
+    let buildData;
+    try {
+      const body = {
+        network: this.getNetwork(),
+        address,
+        operation,
+        params,
+        options: options ?? {}
+      };
+      const { data, error } = await this._api.POST("/tx/build", { body });
+      if (error || !data?.success || !data.content?.smart) {
+        const details = error?.details ?? "Failed to build transaction";
+        this._setTransactionState({ step: "error", phase: "building", details });
+        return { status: "error", details };
+      }
+      buildData = data.content;
+    } catch (err) {
+      const details = err instanceof Error ? err.message : void 0;
+      this._setTransactionState({ step: "error", phase: "building", ...details && { details } });
+      return { status: "error", ...details && { details } };
+    }
+    this._setTransactionState({ step: "built", buildData });
+    return this._signSubmitSmart(buildData);
+  }
+  /**
+   * Steps 2–3 of the smart-wallet flow: sign the prepared auth digest with the
+   * passkey, then submit. Shared by `_runSmartTx` (atomic) and `signAndSubmitTx`
+   * (split flow, when a smart build is already on the state machine).
+   */
+  async _signSubmitSmart(buildData) {
+    const address = this._session?.wallet?.address;
+    const smart = buildData.smart;
+    if (!address || !smart) {
+      const details = "no prepared smart transaction";
+      this._setTransactionState({ step: "error", phase: "signing", buildData, details });
+      return { status: "error", buildData, details };
+    }
+    if (!this._passkeySign) {
+      const details = "Passkey signer not configured";
+      this._setTransactionState({ step: "error", phase: "signing", buildData, details });
+      return { status: "error", buildData, details };
+    }
+    this._setTransactionState({ step: "signing", buildData });
+    let assertion;
+    try {
+      assertion = await this._passkeySign({ credentialId: smart.credentialId, challenge: smart.digest });
+    } catch (err) {
+      const details = err instanceof Error ? err.message : void 0;
+      this._setTransactionState({ step: "error", phase: "signing", buildData, ...details && { details } });
+      return { status: "error", buildData, ...details && { details } };
+    }
+    this._setTransactionState({ step: "submitting", buildData });
+    const outcomeExtra = { buildData };
+    try {
+      const { data, error } = await this._api.POST("/tx/submit", {
+        body: {
+          network: this.getNetwork(),
+          address,
+          smart: { entryXdr: smart.entryXdr, funcXdr: smart.funcXdr, assertion }
+        }
+      });
+      if (!error && data?.success && data.content) {
+        const { hash, status: backendStatus, resultCode } = data.content;
+        if (backendStatus === "SUCCESS") {
+          this._setTransactionState({ step: "success", hash, buildData });
+          return { status: "success", hash, ...outcomeExtra };
+        }
+        if (backendStatus === "PENDING") {
+          this._setTransactionState({ step: "submitted", hash, buildData });
+          return { status: "pending", hash, ...outcomeExtra };
+        }
+        this._setTransactionState({
+          step: "error",
+          phase: "submitting",
+          buildData,
+          ...resultCode && { details: resultCode }
+        });
+        return { status: "error", hash, ...outcomeExtra, ...resultCode && { details: resultCode, resultCode } };
+      }
+      const details = error?.details;
+      this._setTransactionState({ step: "error", phase: "submitting", buildData, ...details && { details } });
+      return { status: "error", ...outcomeExtra, ...details && { details } };
+    } catch (err) {
+      const details = err instanceof Error ? err.message : void 0;
+      this._setTransactionState({ step: "error", phase: "submitting", buildData, ...details && { details } });
+      return { status: "error", ...outcomeExtra, ...details && { details } };
+    }
+  }
   // ─── App config ───────────────────────────────────────────────────────────
   async getAppConfig() {
     try {
@@ -3049,10 +3214,18 @@ var PollarClient = class {
     this._txHistoryState = next;
     for (const cb of this._txHistoryStateListeners) cb(next);
   }
+  _setSessionsState(next) {
+    this._sessionsState = next;
+    for (const cb of this._sessionsStateListeners) cb(next);
+  }
   _setWalletBalanceState(next) {
     this._walletBalanceState = next;
     for (const cb of this._walletBalanceStateListeners) cb(next);
   }
+  _setEnabledAssetsState(next) {
+    this._enabledAssetsState = next;
+    for (const cb of this._enabledAssetsStateListeners) cb(next);
+  }
   // ─── Private ──────────────────────────────────────────────────────────────
   _newController() {
     this._loginController?.abort();
@@ -3077,6 +3250,7 @@ var PollarClient = class {
         this._walletAdapter = adapter;
         await writeWalletType(this._storage, this.apiKeyHash, id);
       },
+      ...this._passkey ? { passkey: this._passkey } : {},
       ...this._deviceLabel ? { deviceLabel: this._deviceLabel } : {}
     };
   }
@@ -3106,7 +3280,7 @@ var PollarClient = class {
       }
     }
     if (id === "freighter" /* FREIGHTER */) return new FreighterAdapter();
-    if (id === "albedo" /* ALBEDO */) return new AlbedoAdapter();
+    if (id === "albedo" /* ALBEDO */) return new AlbedoAdapter(this.getNetwork() === "mainnet" ? "public" : "testnet");
     throw new Error(
       `[PollarClient] No wallet adapter configured for "${id}". Pass a walletAdapter resolver in PollarClientConfig.`
     );
@@ -3147,21 +3321,66 @@ var PollarClient = class {
         }
       }
       console.info("[PollarClient] Session restored from storage");
-      this._setAuthState({ step: "authenticated", session: this._session });
+      this._setAuthState({ step: "authenticated", session: this._session, verified: false });
       this._scheduleNextRefresh();
+      void this._resume();
     } else {
       console.info("[PollarClient] No session in storage");
     }
   }
+  /**
+   * Validate the restored session against the server and repopulate the
+   * in-memory profile (PII is never persisted, so it's null after a cold
+   * reload). Goes through the normal authed client, so it coalesces with any
+   * in-flight refresh (onRequest awaits `_refreshPromise`) and, being a GET,
+   * is auto-retried after a 401-triggered refresh.
+   *
+   * - 200          → store profile, mark the session `verified`.
+   * - 401          → the refresh-on-401 path already ran; if the family was
+   *                  revoked, refresh failed and `_clearSession()` took us to
+   *                  idle. Nothing to do here — don't double-handle.
+   * - network error → stay optimistic (do NOT log out); revalidated later on
+   *                  `visibilitychange` or first use.
+   */
+  async _resume() {
+    if (!this._session) return;
+    this._resumeController?.abort();
+    const controller = new AbortController();
+    this._resumeController = controller;
+    try {
+      const { data, error } = await this._api.GET("/auth/session/resume", { signal: controller.signal });
+      if (error || !data) return;
+      const content = data.content;
+      if (!content || !this._session) return;
+      this._profile = { ...content };
+      this._setAuthState({ step: "authenticated", session: this._session, verified: true });
+    } catch (err) {
+      if (err?.name === "AbortError") return;
+      console.warn("[PollarClient] resume failed (network); will retry", err);
+    } finally {
+      if (this._resumeController === controller) this._resumeController = null;
+    }
+  }
   async _storeSession(session) {
     console.info("[PollarClient] Session stored");
+    const w = session.wallet;
     const persisted = {
       clientSessionId: session.clientSessionId,
       userId: session.userId ?? null,
       status: session.status,
       token: session.token,
       user: session.user,
-      wallet: session.wallet
+      // The wire response still carries the legacy `publicKey` alias (kept for
+      // older SDKs); the persisted session standardizes on `address` only.
+      wallet: {
+        type: w.type,
+        address: w.address ?? w.publicKey ?? null,
+        ...w.existsOnStellar !== void 0 ? { existsOnStellar: w.existsOnStellar } : {},
+        ...w.createdAt !== void 0 ? { createdAt: w.createdAt } : {},
+        ...w.linkedAt !== void 0 ? { linkedAt: w.linkedAt } : {},
+        ...w.network !== void 0 ? { network: w.network } : {},
+        ...w.deployTxHash !== void 0 ? { deployTxHash: w.deployTxHash } : {}
+      }
     };
     this._session = persisted;
     if (session.data) {
@@ -3174,7 +3393,7 @@ var PollarClient = class {
       };
     }
     await writeStorage(this._storage, this.apiKeyHash, persisted);
-    this._setAuthState({ step: "authenticated", session: persisted });
+    this._setAuthState({ step: "authenticated", session: persisted, verified: true });
     this._scheduleNextRefresh();
   }
   async _clearSession() {
@@ -3226,6 +3445,196 @@ var PollarClient = class {
   }
 };
 
+// src/keys/web-crypto.ts
+var DB_NAME = "pollar-keys";
+var DB_VERSION = 1;
+var STORE_NAME = "keys";
+function openDb() {
+  return new Promise((resolve, reject) => {
+    if (typeof indexedDB === "undefined") {
+      reject(new Error("[PollarClient:keys] IndexedDB not available"));
+      return;
+    }
+    const req = indexedDB.open(DB_NAME, DB_VERSION);
+    req.onerror = () => reject(req.error ?? new Error("[PollarClient:keys] IDB open failed"));
+    req.onsuccess = () => resolve(req.result);
+    req.onupgradeneeded = () => {
+      const db = req.result;
+      if (!db.objectStoreNames.contains(STORE_NAME)) {
+        db.createObjectStore(STORE_NAME);
+      }
+    };
+  });
+}
+function awaitTx(req) {
+  return new Promise((resolve, reject) => {
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error ?? new Error("[PollarClient:keys] IDB request failed"));
+  });
+}
+async function dbGet(key) {
+  const db = await openDb();
+  try {
+    const tx = db.transaction(STORE_NAME, "readonly");
+    const result = await awaitTx(tx.objectStore(STORE_NAME).get(key));
+    return result;
+  } finally {
+    db.close();
+  }
+}
+async function dbPut(key, value) {
+  const db = await openDb();
+  try {
+    const tx = db.transaction(STORE_NAME, "readwrite");
+    await awaitTx(tx.objectStore(STORE_NAME).put(value, key));
+  } finally {
+    db.close();
+  }
+}
+async function dbDelete(key) {
+  const db = await openDb();
+  try {
+    const tx = db.transaction(STORE_NAME, "readwrite");
+    await awaitTx(tx.objectStore(STORE_NAME).delete(key));
+  } finally {
+    db.close();
+  }
+}
+function isCryptoKeyPair(v) {
+  if (typeof v !== "object" || v === null) return false;
+  const obj = v;
+  return obj.privateKey !== void 0 && obj.publicKey !== void 0;
+}
+var WebCryptoKeyManager = class {
+  constructor(apiKey) {
+    this.apiKeyHash = null;
+    this.keyPair = null;
+    this.publicJwk = null;
+    this.thumbprint = null;
+    /**
+     * Cached in-flight init. Lets `init()` be called concurrently (or implicitly
+     * from `getPublicJwk` / `sign`) without doing the work twice. Cleared on
+     * failure so callers can retry, and cleared on `reset()`.
+     */
+    this._initPromise = null;
+    if (typeof globalThis.crypto === "undefined" || !globalThis.crypto.subtle) {
+      throw new Error("[PollarClient:keys] SubtleCrypto is unavailable. DPoP requires a secure context (HTTPS or localhost).");
+    }
+    this.apiKey = apiKey;
+  }
+  /**
+   * Idempotent and safe under concurrency. The first call kicks off the real
+   * init; subsequent (and concurrent) calls return the same in-flight promise.
+   * Other methods (`getPublicJwk`, `getThumbprint`, `sign`) auto-await this so
+   * the manager is self-healing if `init()` was never explicitly invoked.
+   */
+  async init() {
+    if (this.keyPair) return;
+    if (!this._initPromise) {
+      this._initPromise = this._doInit().catch((err) => {
+        console.error("[PollarClient:keys] WebCryptoKeyManager init failed", err);
+        this._initPromise = null;
+        throw err;
+      });
+    }
+    return this._initPromise;
+  }
+  async _doInit() {
+    if (!this.apiKeyHash) {
+      this.apiKeyHash = await hashApiKey(this.apiKey);
+    }
+    let pair;
+    try {
+      pair = await dbGet(this.apiKeyHash);
+      if (pair && !isCryptoKeyPair(pair)) pair = void 0;
+    } catch {
+      pair = void 0;
+    }
+    if (!pair) {
+      pair = await globalThis.crypto.subtle.generateKey(
+        { name: "ECDSA", namedCurve: "P-256" },
+        // false → private key non-extractable; per W3C ECDSA spec the public
+        // key is always extractable regardless of this flag.
+        false,
+        ["sign", "verify"]
+      );
+      try {
+        await dbPut(this.apiKeyHash, pair);
+      } catch {
+      }
+    }
+    this.keyPair = pair;
+    this.publicJwk = await this._exportPublicJwk(pair.publicKey);
+    this.thumbprint = await computeJwkThumbprint(this.publicJwk);
+  }
+  /**
+   * Derive the public JWK from a `CryptoKey`. Prefers the `'raw'` export (the
+   * 65-byte uncompressed point `0x04 || X(32) || Y(32)`) and base64url-encodes
+   * the coordinates ourselves — that sidesteps polyfills whose `exportKey('jwk')`
+   * emits non-base64url `x`/`y` (standard base64, `=` padding, or — as seen with
+   * `react-native-quick-crypto` — a stray `.`). Real browsers and most polyfills
+   * support `'raw'` for public EC keys.
+   *
+   * Falls back to the `'jwk'` export (normalized via `canonicalEcJwk`) if `'raw'`
+   * is unsupported or returns an unexpected shape, so this can't regress on a
+   * runtime that only implements the JWK path. Both routes yield identical
+   * coordinate bytes, so the `cnf.jkt` thumbprint is unchanged either way.
+   */
+  async _exportPublicJwk(publicKey) {
+    try {
+      const raw = new Uint8Array(await globalThis.crypto.subtle.exportKey("raw", publicKey));
+      if (raw.length !== 65 || raw[0] !== 4) {
+        throw new Error(`[PollarClient:keys] Unexpected raw EC point (len=${raw.length}, tag=${raw[0]})`);
+      }
+      return {
+        kty: "EC",
+        crv: "P-256",
+        x: base64urlEncode(raw.slice(1, 33)),
+        y: base64urlEncode(raw.slice(33, 65))
+      };
+    } catch {
+      const jwk = await globalThis.crypto.subtle.exportKey("jwk", publicKey);
+      return canonicalEcJwk(jwk);
+    }
+  }
+  async reset() {
+    try {
+      if (this.apiKeyHash) await dbDelete(this.apiKeyHash);
+    } catch {
+    }
+    this.keyPair = null;
+    this.publicJwk = null;
+    this.thumbprint = null;
+    this._initPromise = null;
+  }
+  async getPublicJwk() {
+    if (!this.publicJwk) await this.init();
+    if (!this.publicJwk) {
+      throw new Error("[PollarClient:keys] Keypair initialization failed; getPublicJwk unavailable");
+    }
+    return { kty: this.publicJwk.kty, crv: this.publicJwk.crv, x: this.publicJwk.x, y: this.publicJwk.y };
+  }
+  async getThumbprint() {
+    if (!this.thumbprint) await this.init();
+    if (!this.thumbprint) {
+      throw new Error("[PollarClient:keys] Keypair initialization failed; getThumbprint unavailable");
+    }
+    return this.thumbprint;
+  }
+  async sign(payload) {
+    if (!this.keyPair) await this.init();
+    if (!this.keyPair) {
+      throw new Error("[PollarClient:keys] Keypair initialization failed; sign unavailable");
+    }
+    const sig = await globalThis.crypto.subtle.sign(
+      { name: "ECDSA", hash: "SHA-256" },
+      this.keyPair.privateKey,
+      payload
+    );
+    return new Uint8Array(sig);
+  }
+};
+
 // src/stellar/StellarClient.ts
 var HORIZON_URLS = {
   mainnet: "https://horizon.stellar.org",
@@ -3256,10 +3665,6 @@ var StellarClient = class {
 
 // src/index.rn.ts
 _setDefaultKeyManagerFactory((storage, apiKey) => {
-  const subtle = globalThis.crypto?.subtle;
-  if (subtle && typeof subtle.generateKey === "function" && typeof subtle.sign === "function") {
-    return new WebCryptoKeyManager(apiKey);
-  }
   return new NobleKeyManager(storage, apiKey);
 });
 
@@ -3267,6 +3672,7 @@ exports.AUTH_ERROR_CODES = AUTH_ERROR_CODES;
 exports.AlbedoAdapter = AlbedoAdapter;
 exports.FreighterAdapter = FreighterAdapter;
 exports.NobleKeyManager = NobleKeyManager;
+exports.POLLAR_CORE_VERSION = POLLAR_CORE_VERSION;
 exports.PollarClient = PollarClient;
 exports.StellarClient = StellarClient;
 exports.WalletType = WalletType;