npm - @pollar/core - Versions diffs - 0.8.2 → 0.9.0-rc.1 - Mend

@pollar/core 0.8.2 → 0.9.0-rc.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/README.md +35 -0
package/dist/adapters/react-native-appstate.d.mts +1 -1
package/dist/adapters/react-native-appstate.d.ts +1 -1
package/dist/index.d.mts +996 -96
package/dist/index.d.ts +996 -96
package/dist/index.js +546 -112
package/dist/index.js.map +1 -1
package/dist/index.mjs +545 -113
package/dist/index.mjs.map +1 -1
package/dist/index.rn.d.mts +2 -2
package/dist/index.rn.d.ts +2 -2
package/dist/index.rn.js +691 -262
package/dist/index.rn.js.map +1 -1
package/dist/index.rn.mjs +690 -263
package/dist/index.rn.mjs.map +1 -1
package/dist/{types-84G_htcn.d.mts → types-Dyky8g0p.d.mts} +5 -12
package/dist/{types-84G_htcn.d.ts → types-Dyky8g0p.d.ts} +5 -12
package/package.json +1 -1

package/dist/index.rn.mjs CHANGED Viewed

@@ -265,11 +265,14 @@ async function computeJwkThumbprint(jwk) {
   const digest = await sha256(new TextEncoder().encode(canonical));
   return base64urlEncode(digest);
 }
+function toBase64url(value) {
+  return value.replace(/\+/g, "-").replace(/\//g, "_").replace(/[^A-Za-z0-9_-]/g, "");
+}
 function canonicalEcJwk(jwk) {
   if (jwk.kty !== "EC" || jwk.crv !== "P-256" || typeof jwk.x !== "string" || typeof jwk.y !== "string") {
     throw new Error("[PollarClient:thumbprint] Source JWK is not an EC P-256 public key");
   }
-  return { kty: "EC", crv: "P-256", x: jwk.x, y: jwk.y };
+  return { kty: "EC", crv: "P-256", x: toBase64url(jwk.x), y: toBase64url(jwk.y) };
 }
 // src/keys/noble.ts
@@ -299,7 +302,6 @@ var NobleKeyManager = class {
     if (this.privateKey) return;
     if (!this._initPromise) {
       this._initPromise = this._doInit().catch((err) => {
-        console.error("[PollarClient:keys] NobleKeyManager init failed", err);
         this._initPromise = null;
         throw err;
       });
@@ -375,167 +377,6 @@ var NobleKeyManager = class {
   }
 };
-// src/keys/web-crypto.ts
-var DB_NAME = "pollar-keys";
-var DB_VERSION = 1;
-var STORE_NAME = "keys";
-function openDb() {
-  return new Promise((resolve, reject) => {
-    if (typeof indexedDB === "undefined") {
-      reject(new Error("[PollarClient:keys] IndexedDB not available"));
-      return;
-    }
-    const req = indexedDB.open(DB_NAME, DB_VERSION);
-    req.onerror = () => reject(req.error ?? new Error("IDB open failed"));
-    req.onsuccess = () => resolve(req.result);
-    req.onupgradeneeded = () => {
-      const db = req.result;
-      if (!db.objectStoreNames.contains(STORE_NAME)) {
-        db.createObjectStore(STORE_NAME);
-      }
-    };
-  });
-}
-function awaitTx(req) {
-  return new Promise((resolve, reject) => {
-    req.onsuccess = () => resolve(req.result);
-    req.onerror = () => reject(req.error ?? new Error("IDB request failed"));
-  });
-}
-async function dbGet(key) {
-  const db = await openDb();
-  try {
-    const tx = db.transaction(STORE_NAME, "readonly");
-    const result = await awaitTx(tx.objectStore(STORE_NAME).get(key));
-    return result;
-  } finally {
-    db.close();
-  }
-}
-async function dbPut(key, value) {
-  const db = await openDb();
-  try {
-    const tx = db.transaction(STORE_NAME, "readwrite");
-    await awaitTx(tx.objectStore(STORE_NAME).put(value, key));
-  } finally {
-    db.close();
-  }
-}
-async function dbDelete(key) {
-  const db = await openDb();
-  try {
-    const tx = db.transaction(STORE_NAME, "readwrite");
-    await awaitTx(tx.objectStore(STORE_NAME).delete(key));
-  } finally {
-    db.close();
-  }
-}
-function isCryptoKeyPair(v) {
-  if (typeof v !== "object" || v === null) return false;
-  const obj = v;
-  return obj.privateKey !== void 0 && obj.publicKey !== void 0;
-}
-var WebCryptoKeyManager = class {
-  constructor(apiKey) {
-    this.apiKeyHash = null;
-    this.keyPair = null;
-    this.publicJwk = null;
-    this.thumbprint = null;
-    /**
-     * Cached in-flight init. Lets `init()` be called concurrently (or implicitly
-     * from `getPublicJwk` / `sign`) without doing the work twice. Cleared on
-     * failure so callers can retry, and cleared on `reset()`.
-     */
-    this._initPromise = null;
-    if (typeof globalThis.crypto === "undefined" || !globalThis.crypto.subtle) {
-      throw new Error("[PollarClient:keys] SubtleCrypto is unavailable. DPoP requires a secure context (HTTPS or localhost).");
-    }
-    this.apiKey = apiKey;
-  }
-  /**
-   * Idempotent and safe under concurrency. The first call kicks off the real
-   * init; subsequent (and concurrent) calls return the same in-flight promise.
-   * Other methods (`getPublicJwk`, `getThumbprint`, `sign`) auto-await this so
-   * the manager is self-healing if `init()` was never explicitly invoked.
-   */
-  async init() {
-    if (this.keyPair) return;
-    if (!this._initPromise) {
-      this._initPromise = this._doInit().catch((err) => {
-        console.error("[PollarClient:keys] WebCryptoKeyManager init failed", err);
-        this._initPromise = null;
-        throw err;
-      });
-    }
-    return this._initPromise;
-  }
-  async _doInit() {
-    if (!this.apiKeyHash) {
-      this.apiKeyHash = await hashApiKey(this.apiKey);
-    }
-    let pair;
-    try {
-      pair = await dbGet(this.apiKeyHash);
-      if (pair && !isCryptoKeyPair(pair)) pair = void 0;
-    } catch {
-      pair = void 0;
-    }
-    if (!pair) {
-      pair = await globalThis.crypto.subtle.generateKey(
-        { name: "ECDSA", namedCurve: "P-256" },
-        // false → private key non-extractable; per W3C ECDSA spec the public
-        // key is always extractable regardless of this flag.
-        false,
-        ["sign", "verify"]
-      );
-      try {
-        await dbPut(this.apiKeyHash, pair);
-      } catch {
-      }
-    }
-    this.keyPair = pair;
-    const exported = await globalThis.crypto.subtle.exportKey("jwk", pair.publicKey);
-    this.publicJwk = canonicalEcJwk(exported);
-    this.thumbprint = await computeJwkThumbprint(this.publicJwk);
-  }
-  async reset() {
-    try {
-      if (this.apiKeyHash) await dbDelete(this.apiKeyHash);
-    } catch {
-    }
-    this.keyPair = null;
-    this.publicJwk = null;
-    this.thumbprint = null;
-    this._initPromise = null;
-  }
-  async getPublicJwk() {
-    if (!this.publicJwk) await this.init();
-    if (!this.publicJwk) {
-      throw new Error("[PollarClient:keys] Keypair initialization failed; getPublicJwk unavailable");
-    }
-    return { kty: this.publicJwk.kty, crv: this.publicJwk.crv, x: this.publicJwk.x, y: this.publicJwk.y };
-  }
-  async getThumbprint() {
-    if (!this.thumbprint) await this.init();
-    if (!this.thumbprint) {
-      throw new Error("[PollarClient:keys] Keypair initialization failed; getThumbprint unavailable");
-    }
-    return this.thumbprint;
-  }
-  async sign(payload) {
-    if (!this.keyPair) await this.init();
-    if (!this.keyPair) {
-      throw new Error("[PollarClient:keys] Keypair initialization failed; sign unavailable");
-    }
-    const sig = await globalThis.crypto.subtle.sign(
-      { name: "ECDSA", hash: "SHA-256" },
-      this.keyPair.privateKey,
-      payload
-    );
-    return new Uint8Array(sig);
-  }
-};
 // ../../node_modules/openapi-fetch/dist/index.mjs
 var PATH_PARAM_RE = /\{[^{}]+\}/g;
 var supportsRequestInitExt = () => {
@@ -1168,6 +1009,16 @@ function normalizeHtu(rawUrl) {
   return `${scheme}//${host}${portPart}${url.pathname}`;
 }
+// src/lib/logger.ts
+var RANK = { silent: 0, error: 1, warn: 2, info: 3, debug: 4 };
+function createLogger(level = "info", sink = console) {
+  const threshold = RANK[level];
+  const gate = (lvl) => (...args) => {
+    if (threshold >= RANK[lvl]) sink[lvl](...args);
+  };
+  return { error: gate("error"), warn: gate("warn"), info: gate("info"), debug: gate("debug") };
+}
 // src/storage/web.ts
 var LOG_PREFIX = "[PollarClient:storage]";
 function createMemoryAdapter() {
@@ -1191,7 +1042,7 @@ function createLocalStorageAdapter(options = {}) {
   function degrade(reason, error) {
     if (degraded) return;
     degraded = true;
-    console.warn(`${LOG_PREFIX} localStorage unavailable (${reason}); degrading to in-memory storage`);
+    (options.logger ?? console).warn(`${LOG_PREFIX} localStorage unavailable (${reason}); degrading to in-memory storage`);
     options.onDegrade?.(reason, error);
   }
   return {
@@ -1255,6 +1106,9 @@ function defaultStorage(options = {}) {
   return createLocalStorageAdapter(options);
 }
+// src/version.ts
+var POLLAR_CORE_VERSION = "0.9.0-rc.1" ;
 // src/visibility/noop.ts
 function createNoopVisibilityProvider() {
   return {
@@ -1319,6 +1173,7 @@ var AUTH_ERROR_CODES = {
   WALLET_CONNECT_FAILED: "WALLET_CONNECT_FAILED",
   WALLET_AUTH_FAILED: "WALLET_AUTH_FAILED",
   WALLET_RESOLVER_TIMEOUT: "WALLET_RESOLVER_TIMEOUT",
+  PASSKEY_FAILED: "PASSKEY_FAILED",
   UNEXPECTED_ERROR: "UNEXPECTED_ERROR"
 };
 var PollarFlowError = class extends Error {
@@ -1364,7 +1219,7 @@ var FreighterAdapter = class {
     if (!userInfo?.publicKey) {
       throw new Error("Failed to get user information from Freighter");
     }
-    return { address: userInfo.publicKey, publicKey: userInfo.publicKey };
+    return { address: userInfo.publicKey };
   }
   async disconnect() {
   }
@@ -1402,6 +1257,19 @@ var FreighterAdapter = class {
 };
 // src/wallets/AlbedoAdapter.ts
+var PUBLIC_PASSPHRASE = "Public Global Stellar Network ; September 2015";
+var TESTNET_PASSPHRASE = "Test SDF Network ; September 2015";
+function albedoNetwork(options, fallback) {
+  switch (options?.networkPassphrase) {
+    case PUBLIC_PASSPHRASE:
+      return "public";
+    case TESTNET_PASSPHRASE:
+      return "testnet";
+  }
+  if (options?.network === "public" || options?.network === "mainnet") return "public";
+  if (options?.network === "testnet") return "testnet";
+  return fallback;
+}
 function openAlbedoPopup(url) {
   const popup = window.open(url, "albedo", "width=420,height=720,resizable=yes,scrollbars=yes");
   if (!popup) {
@@ -1440,7 +1308,13 @@ function waitForAlbedoResult() {
   });
 }
 var AlbedoAdapter = class {
-  constructor() {
+  /**
+   * Network used for `connect` and `signAuthEntry` (which carry no per-call
+   * network) and as the fallback for `signTransaction`. Defaults to `'testnet'`
+   * to preserve the previous behavior when constructed with no argument.
+   */
+  constructor(network = "testnet") {
+    this.network = network;
     this.type = "albedo" /* ALBEDO */;
   }
   async isAvailable() {
@@ -1450,7 +1324,7 @@ var AlbedoAdapter = class {
     const url = new URL("https://albedo.link");
     url.searchParams.set("intent", "public-key");
     url.searchParams.set("app_name", "Pollar");
-    url.searchParams.set("network", "testnet");
+    url.searchParams.set("network", this.network);
     url.searchParams.set("callback", `${window.location.origin}/albedo-callback`);
     url.searchParams.set("origin", window.location.origin);
     openAlbedoPopup(url.toString());
@@ -1458,7 +1332,7 @@ var AlbedoAdapter = class {
     if (!result.pubkey) {
       throw new Error("Albedo connection rejected");
     }
-    return { address: result.pubkey, publicKey: result.pubkey };
+    return { address: result.pubkey };
   }
   async disconnect() {
   }
@@ -1468,12 +1342,12 @@ var AlbedoAdapter = class {
   async getNetwork() {
     throw new Error("Albedo does not expose network");
   }
-  async signTransaction(xdr, _options) {
+  async signTransaction(xdr, options) {
     const url = new URL("https://albedo.link");
     url.searchParams.set("intent", "tx");
     url.searchParams.set("xdr", xdr);
     url.searchParams.set("app_name", "Pollar");
-    url.searchParams.set("network", "testnet");
+    url.searchParams.set("network", albedoNetwork(options, this.network));
     url.searchParams.set("callback", window.location.href);
     url.searchParams.set("origin", window.location.origin);
     window.location.href = url.toString();
@@ -1486,7 +1360,7 @@ var AlbedoAdapter = class {
     url.searchParams.set("intent", "sign-auth-entry");
     url.searchParams.set("xdr", entryXdr);
     url.searchParams.set("app_name", "Pollar");
-    url.searchParams.set("network", "testnet");
+    url.searchParams.set("network", this.network);
     url.searchParams.set("callback", window.location.href);
     url.searchParams.set("origin", window.location.origin);
     window.location.href = url.toString();
@@ -1517,84 +1391,98 @@ function isBoundedString(v, max, allowEmpty = false) {
   if (!allowEmpty && v.length === 0) return false;
   return v.length <= max;
 }
-function isValidSession(value) {
+function isValidSession(value, logger = console) {
   if (typeof value !== "object" || value === null) {
-    console.warn("[PollarClient:session] Invalid session \u2014 value is not an object");
+    logger.debug("[PollarClient:session] Invalid session \u2014 value is not an object");
     return false;
   }
   const s = value;
   if (!isBoundedString(s["clientSessionId"], MAX_CLIENT_SESSION_ID)) {
-    console.warn("[PollarClient:session] Invalid session \u2014 clientSessionId missing/empty/too long");
+    logger.debug("[PollarClient:session] Invalid session \u2014 clientSessionId missing/empty/too long");
     return false;
   }
   if (s["userId"] !== null && !isBoundedString(s["userId"], MAX_USER_ID)) {
-    console.warn("[PollarClient:session] Invalid session \u2014 userId must be string|null");
+    logger.debug("[PollarClient:session] Invalid session \u2014 userId must be string|null");
     return false;
   }
   if (!isBoundedString(s["status"], MAX_STATUS)) {
-    console.warn("[PollarClient:session] Invalid session \u2014 status must be string");
+    logger.debug("[PollarClient:session] Invalid session \u2014 status must be string");
     return false;
   }
   const token = s["token"];
   if (typeof token !== "object" || token === null) {
-    console.warn("[PollarClient:session] Invalid session \u2014 token missing or not an object");
+    logger.debug("[PollarClient:session] Invalid session \u2014 token missing or not an object");
     return false;
   }
   const t = token;
   if (!isBoundedString(t["accessToken"], MAX_ACCESS_TOKEN)) {
-    console.warn("[PollarClient:session] Invalid session \u2014 token.accessToken missing/empty/too long");
+    logger.debug("[PollarClient:session] Invalid session \u2014 token.accessToken missing/empty/too long");
     return false;
   }
   if (!isBoundedString(t["refreshToken"], MAX_REFRESH_TOKEN)) {
-    console.warn("[PollarClient:session] Invalid session \u2014 token.refreshToken missing/empty/too long");
+    logger.debug("[PollarClient:session] Invalid session \u2014 token.refreshToken missing/empty/too long");
     return false;
   }
   if (typeof t["expiresAt"] !== "number" || !Number.isFinite(t["expiresAt"])) {
-    console.warn("[PollarClient:session] Invalid session \u2014 token.expiresAt must be a finite number");
+    logger.debug("[PollarClient:session] Invalid session \u2014 token.expiresAt must be a finite number");
     return false;
   }
   const user = s["user"];
   if (typeof user !== "object" || user === null) {
-    console.warn("[PollarClient:session] Invalid session \u2014 user missing or not an object");
+    logger.debug("[PollarClient:session] Invalid session \u2014 user missing or not an object");
     return false;
   }
   const u = user;
   if (u["id"] !== void 0 && !isBoundedString(u["id"], MAX_USER_ID)) {
-    console.warn("[PollarClient:session] Invalid session \u2014 user.id must be string if present");
+    logger.debug("[PollarClient:session] Invalid session \u2014 user.id must be string if present");
     return false;
   }
   if (typeof u["ready"] !== "boolean") {
-    console.warn("[PollarClient:session] Invalid session \u2014 user.ready must be boolean");
+    logger.debug("[PollarClient:session] Invalid session \u2014 user.ready must be boolean");
     return false;
   }
   const wallet = s["wallet"];
   if (typeof wallet !== "object" || wallet === null) {
-    console.warn("[PollarClient:session] Invalid session \u2014 wallet missing or not an object");
+    logger.debug("[PollarClient:session] Invalid session \u2014 wallet missing or not an object");
     return false;
   }
   const w = wallet;
-  if (w["publicKey"] !== null && !isBoundedString(w["publicKey"], MAX_WALLET_PUBLIC_KEY)) {
-    console.warn("[PollarClient:session] Invalid session \u2014 wallet.publicKey must be string|null");
+  if (w["type"] !== "custodial" && w["type"] !== "smart" && w["type"] !== "external") {
+    logger.debug("[PollarClient:session] Invalid session \u2014 wallet.type must be custodial|smart|external");
+    return false;
+  }
+  if (w["address"] !== null && !isBoundedString(w["address"], MAX_WALLET_PUBLIC_KEY)) {
+    logger.debug("[PollarClient:session] Invalid session \u2014 wallet.address must be string|null");
     return false;
   }
   if (w["existsOnStellar"] !== void 0 && typeof w["existsOnStellar"] !== "boolean") {
-    console.warn("[PollarClient:session] Invalid session \u2014 wallet.existsOnStellar must be boolean if present");
+    logger.debug("[PollarClient:session] Invalid session \u2014 wallet.existsOnStellar must be boolean if present");
     return false;
   }
   if (w["createdAt"] !== void 0 && (typeof w["createdAt"] !== "number" || !Number.isFinite(w["createdAt"]))) {
-    console.warn("[PollarClient:session] Invalid session \u2014 wallet.createdAt must be a finite number if present");
+    logger.debug("[PollarClient:session] Invalid session \u2014 wallet.createdAt must be a finite number if present");
+    return false;
+  }
+  if (w["linkedAt"] !== void 0 && (typeof w["linkedAt"] !== "number" || !Number.isFinite(w["linkedAt"]))) {
+    logger.debug("[PollarClient:session] Invalid session \u2014 wallet.linkedAt must be a finite number if present");
     return false;
   }
   return true;
 }
-async function readStorage(storage, apiKeyHash) {
+async function readStorage(storage, apiKeyHash, logger = console) {
   const raw = await storage.get(sessionStorageKey(apiKeyHash));
   if (!raw) return null;
   try {
     const session = JSON.parse(raw);
-    if (!isValidSession(session)) {
+    if (typeof session === "object" && session !== null) {
+      const w = session.wallet;
+      if (w && w["address"] == null && typeof w["publicKey"] === "string") {
+        w["address"] = w["publicKey"];
+      }
+    }
+    if (!isValidSession(session, logger)) {
       await storage.remove(sessionStorageKey(apiKeyHash));
-      console.warn("[PollarClient:session] Stored session is invalid \u2014 clearing storage");
+      logger.warn("[PollarClient:session] Stored session is invalid \u2014 clearing storage");
       return null;
     }
     if (session.token.expiresAt * 1e3 < Date.now()) {
@@ -1602,7 +1490,7 @@ async function readStorage(storage, apiKeyHash) {
     }
     return session;
   } catch (error) {
-    console.error("[PollarClient:session] Failed to parse session from storage", error);
+    logger.error("[PollarClient:session] Failed to parse session from storage", error);
     await storage.remove(sessionStorageKey(apiKeyHash));
     return null;
   }
@@ -1664,7 +1552,7 @@ function abortableDelay(ms, signal) {
   });
 }
 var MAX_BACKOFF_MS = 5e3;
-async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200, signal) {
+async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200, signal, logger = console) {
   let backoff = retryDelayMs;
   const sleep = async (ms) => {
     if (ms <= 0) return;
@@ -1682,7 +1570,7 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
       }));
     } catch (e) {
       if (e instanceof Error && e.name === "AbortError") throw e;
-      console.warn(e);
+      logger.debug("[PollarClient:stream] session-status request failed; will retry", e);
     }
     if (error || !data) {
       await sleep(backoff);
@@ -1722,7 +1610,7 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
     } catch (e) {
       if (e instanceof Error && e.name === "AbortError") throw e;
       if (e instanceof SessionStatusError) throw e;
-      console.warn(e);
+      logger.debug("[PollarClient:stream] session-status stream read failed; will retry", e);
     } finally {
       reader.releaseLock();
     }
@@ -1732,7 +1620,7 @@ async function streamUntilFound(api, clientSessionId, check, retryDelayMs = 200,
     if (delay) await sleep(delay);
   }
 }
-async function pollUntilFound(baseUrl, clientSessionId, check, intervalMs = 500, signal) {
+async function pollUntilFound(baseUrl, clientSessionId, check, intervalMs = 500, signal, logger = console) {
   const url = `${baseUrl}/auth/session/status/${encodeURIComponent(clientSessionId)}/poll`;
   let backoff = intervalMs;
   const sleep = async (ms) => {
@@ -1750,7 +1638,7 @@ async function pollUntilFound(baseUrl, clientSessionId, check, intervalMs = 500,
       envelope = await response.json().catch(() => null);
     } catch (e) {
       if (e instanceof Error && e.name === "AbortError") throw e;
-      console.warn(e);
+      logger.debug("[PollarClient:stream] session-status poll failed; will retry", e);
     }
     if (httpStatus === 404 || envelope?.code === "INVALID_CLIENT_SESSION_ID") {
       throw new SessionStatusError("INVALID_CLIENT_SESSION_ID");
@@ -1767,13 +1655,13 @@ async function pollUntilFound(baseUrl, clientSessionId, check, intervalMs = 500,
   }
 }
 function waitForSessionReady(args) {
-  const { api, baseUrl, clientSessionId, check, useStreaming, retryDelayMs, signal } = args;
-  return useStreaming ? streamUntilFound(api, clientSessionId, check, retryDelayMs ?? 200, signal) : pollUntilFound(baseUrl, clientSessionId, check, retryDelayMs ?? 500, signal);
+  const { api, baseUrl, clientSessionId, check, useStreaming, retryDelayMs, signal, logger = console } = args;
+  return useStreaming ? streamUntilFound(api, clientSessionId, check, retryDelayMs ?? 200, signal, logger) : pollUntilFound(baseUrl, clientSessionId, check, retryDelayMs ?? 500, signal, logger);
 }
 // src/client/auth/authenticate.ts
 async function authenticate(clientSessionId, deps, expectedWallet) {
-  const { api, basePath, useStreaming, signal, setAuthState, storeSession, clearSession } = deps;
+  const { api, logger, basePath, useStreaming, signal, setAuthState, storeSession, clearSession } = deps;
   setAuthState({ step: "authenticating" });
   try {
     await waitForSessionReady({
@@ -1782,7 +1670,8 @@ async function authenticate(clientSessionId, deps, expectedWallet) {
       clientSessionId,
       check: (data2) => data2?.status === "READY",
       useStreaming,
-      signal
+      signal,
+      logger
     });
   } catch (err) {
     if (err instanceof SessionStatusError) {
@@ -1807,7 +1696,7 @@ async function authenticate(clientSessionId, deps, expectedWallet) {
     },
     signal
   });
-  if (data?.code === "SDK_LOGIN_SUCCESS" && isValidSession(data?.content)) {
+  if (data?.code === "SDK_LOGIN_SUCCESS" && isValidSession(data?.content, logger)) {
     if (expectedWallet && data.content.data.providers.wallet?.address !== expectedWallet) {
       setAuthState({
         step: "error",
@@ -1954,6 +1843,55 @@ async function loginOAuth(provider, deps) {
   await authenticate(clientSessionId, deps);
 }
+// src/client/auth/passkeyFlow.ts
+async function loginSmartWallet(deps) {
+  const { api, signal, setAuthState, passkey } = deps;
+  if (!passkey) {
+    setAuthState({
+      step: "error",
+      previousStep: "creating_session",
+      message: "Passkey support is not configured",
+      errorCode: AUTH_ERROR_CODES.PASSKEY_FAILED
+    });
+    return;
+  }
+  const clientSessionId = await createAuthSession(deps);
+  if (!clientSessionId) return;
+  try {
+    const { data: challengeData } = await api.POST("/auth/passkey/challenge", {
+      body: { clientSessionId },
+      signal
+    });
+    const challenge = challengeData?.content?.challenge;
+    if (!challengeData?.success || !challenge) {
+      return failPasskey(setAuthState, "Failed to start passkey");
+    }
+    setAuthState({ step: "creating_passkey" });
+    const ceremony = await passkey({ challenge });
+    const response = ceremony.response;
+    if (ceremony.kind === "register") {
+      setAuthState({ step: "deploying_smart_account" });
+      const { data } = await api.POST("/auth/passkey/register", {
+        body: { clientSessionId, response },
+        signal
+      });
+      if (!data?.success) return failPasskey(setAuthState, "Passkey registration failed");
+    } else {
+      const { data } = await api.POST("/auth/passkey/login", {
+        body: { clientSessionId, response },
+        signal
+      });
+      if (!data?.success) return failPasskey(setAuthState, "Passkey authentication failed");
+    }
+  } catch {
+    return failPasskey(setAuthState, "Passkey login failed");
+  }
+  await authenticate(clientSessionId, deps);
+}
+function failPasskey(setAuthState, message) {
+  setAuthState({ step: "error", previousStep: "creating_passkey", message, errorCode: AUTH_ERROR_CODES.PASSKEY_FAILED });
+}
 // src/client/auth/walletFlow.ts
 function withSignal(promise, signal) {
   return Promise.race([
@@ -1980,12 +1918,12 @@ async function loginWallet(type, deps) {
       setAuthState({ step: "wallet_not_installed", walletType: type });
       return;
     }
-    const { publicKey } = await withSignal(adapter.connect(), signal);
-    connectedWallet = publicKey;
+    const { address } = await withSignal(adapter.connect(), signal);
+    connectedWallet = address;
     deps.storeWalletAdapter(adapter, type);
     setAuthState({ step: "authenticating_wallet" });
     const { data: walletData, error: walletError } = await api.POST("/auth/wallet", {
-      body: { clientSessionId, walletAddress: publicKey },
+      body: { clientSessionId, walletAddress: address },
       signal
     });
     if (walletError || !walletData?.success) {
@@ -2050,8 +1988,12 @@ var PollarClient = class {
     this._transactionStateListeners = /* @__PURE__ */ new Set();
     this._txHistoryState = { step: "idle" };
     this._txHistoryStateListeners = /* @__PURE__ */ new Set();
+    this._sessionsState = { step: "idle" };
+    this._sessionsStateListeners = /* @__PURE__ */ new Set();
     this._walletBalanceState = { step: "idle" };
     this._walletBalanceStateListeners = /* @__PURE__ */ new Set();
+    this._enabledAssetsState = { step: "idle" };
+    this._enabledAssetsStateListeners = /* @__PURE__ */ new Set();
     this._authState = { step: "idle" };
     this._authStateListeners = /* @__PURE__ */ new Set();
     this._networkState = { step: "idle" };
@@ -2067,10 +2009,14 @@ var PollarClient = class {
     this._storageDegradeListeners = /* @__PURE__ */ new Set();
     this._walletAdapter = null;
     this._loginController = null;
+    /** Aborts an in-flight `/auth/session/resume` on destroy() or re-trigger. */
+    this._resumeController = null;
     this.apiKey = config.apiKey;
     this.id = randomUUID();
     this.basePath = `${config.baseUrl || "https://sdk.api.pollar.xyz"}/v1`;
+    this._log = createLogger(config.logLevel ?? "info", config.logger);
     this._storage = config.storage ?? defaultStorage({
+      logger: this._log,
       onDegrade: (reason, error) => {
         config.onStorageDegrade?.(reason, error);
         this._dispatchStorageDegrade(reason, error);
@@ -2079,6 +2025,8 @@ var PollarClient = class {
     this._keyManager = config.keyManager ?? defaultKeyManager(this._storage, config.apiKey);
     this._walletAdapterResolver = config.walletAdapter ?? null;
     this._walletResolverTimeoutMs = config.walletResolverTimeoutMs ?? 5e3;
+    this._passkey = config.passkey ?? null;
+    this._passkeySign = config.passkeySign ?? null;
     this._deviceLabel = config.deviceLabel;
     this._visibilityProvider = config.visibilityProvider ?? defaultVisibilityProvider();
     this._maxIdleMs = config.maxIdleMs;
@@ -2092,7 +2040,9 @@ var PollarClient = class {
       this._initialized = Promise.resolve();
       return;
     }
-    console.info(`[PollarClient] Initialized \u2014 endpoint: ${this.basePath}, network: ${this._networkState.network}`);
+    this._log.info(
+      `[PollarClient] Initialized v${POLLAR_CORE_VERSION} \u2014 endpoint: ${this.basePath}, network: ${this._networkState.network}`
+    );
     this._initialized = this._initialize();
   }
   /**
@@ -2117,7 +2067,7 @@ var PollarClient = class {
       const sessionKey = sessionStorageKey(this._apiKeyHash);
       const handler = (e) => {
         if (e.key === sessionKey) {
-          this._restoreSession().catch((err) => console.error("[PollarClient] Cross-tab restore failed", err));
+          this._restoreSession().catch((err) => this._log.error("[PollarClient] Cross-tab restore failed", err));
         }
       };
       window.addEventListener("storage", handler);
@@ -2126,11 +2076,15 @@ var PollarClient = class {
     try {
       await this._keyManager.init();
     } catch (err) {
-      console.warn("[PollarClient] KeyManager init failed; DPoP unavailable for this session", err);
+      this._log.warn("[PollarClient] KeyManager init failed; DPoP unavailable for this session", err);
     }
     await this._restoreSession();
     this._visibilityUnsubscribe = this._visibilityProvider.onChange((visible) => {
-      if (visible) void this._maybeProactiveRefresh();
+      if (!visible) return;
+      void this._maybeProactiveRefresh();
+      if (this._authState.step === "authenticated" && !this._authState.verified) {
+        void this._resume();
+      }
     });
   }
   /** Detach the cross-tab storage listener and abort any in-flight login. */
@@ -2141,6 +2095,8 @@ var PollarClient = class {
     }
     this._loginController?.abort();
     this._loginController = null;
+    this._resumeController?.abort();
+    this._resumeController = null;
     this._clearRefreshTimer();
     if (this._visibilityUnsubscribe) {
       this._visibilityUnsubscribe();
@@ -2155,11 +2111,13 @@ var PollarClient = class {
         request.headers.set("x-pollar-api-key", self.apiKey);
         self._lastRequestAt = Date.now();
         await self._initialized;
-        if (request.body !== null) {
+        const cacheMethod = request.method.toUpperCase();
+        const cacheBodyAllowed = cacheMethod !== "GET" && cacheMethod !== "HEAD";
+        if (cacheBodyAllowed && request.body != null) {
           try {
             self._requestBodyCache.set(request, await request.clone().arrayBuffer());
           } catch (err) {
-            console.warn("[PollarClient] Could not snapshot request body for retry", err);
+            this._log.warn("[PollarClient] Could not snapshot request body for retry", err);
           }
         }
         const isRefresh = request.url.includes("/auth/refresh");
@@ -2218,7 +2176,7 @@ var PollarClient = class {
         this._keyManager
       );
     } catch (err) {
-      console.warn("[PollarClient] DPoP proof build failed", err);
+      this._log.warn("[PollarClient] DPoP proof build failed", err);
       return null;
     }
   }
@@ -2242,7 +2200,9 @@ var PollarClient = class {
         }
       }
     }
-    const cachedBody = this._requestBodyCache.get(originalRequest);
+    const retryMethod = originalRequest.method.toUpperCase();
+    const retryBodyAllowed = retryMethod !== "GET" && retryMethod !== "HEAD";
+    const cachedBody = retryBodyAllowed ? this._requestBodyCache.get(originalRequest) : void 0;
     const retried = new Request(originalRequest.url, {
       method: originalRequest.method,
       headers,
@@ -2270,7 +2230,7 @@ var PollarClient = class {
   async _doRefresh() {
     const refreshToken = this._session?.token?.refreshToken;
     if (!refreshToken) {
-      console.warn("[PollarClient] Refresh skipped: no refresh token in session");
+      this._log.warn("[PollarClient] Refresh skipped: no refresh token in session");
       await this._clearSession();
       throw new Error("No refresh token available");
     }
@@ -2281,24 +2241,31 @@ var PollarClient = class {
       data = response.data;
       error = response.error;
     } catch (err) {
-      console.error("[PollarClient] /auth/refresh request threw", err);
+      this._log.error("[PollarClient] /auth/refresh request threw", err);
       await this._clearSession();
       throw err;
     }
     if (error || !data) {
-      console.warn("[PollarClient] /auth/refresh returned error", { error });
+      this._log.error("[PollarClient] /auth/refresh returned error", { error });
       await this._clearSession();
       throw new Error("Refresh failed");
     }
     const successData = data;
     if (!successData.success || !successData.content?.token) {
-      console.warn("[PollarClient] /auth/refresh response malformed", successData);
+      this._log.error("[PollarClient] /auth/refresh response malformed", {
+        success: successData.success,
+        hasToken: !!successData.content?.token
+      });
       await this._clearSession();
       throw new Error("Refresh response malformed");
     }
     const newToken = successData.content.token;
     if (typeof newToken.accessToken !== "string" || typeof newToken.refreshToken !== "string" || typeof newToken.expiresAt !== "number") {
-      console.warn("[PollarClient] /auth/refresh token shape invalid", newToken);
+      this._log.error("[PollarClient] /auth/refresh token shape invalid", {
+        accessToken: typeof newToken.accessToken,
+        refreshToken: typeof newToken.refreshToken,
+        expiresAt: typeof newToken.expiresAt
+      });
       await this._clearSession();
       throw new Error("Refresh response token shape invalid");
     }
@@ -2306,9 +2273,9 @@ var PollarClient = class {
       try {
         this._session = { ...this._session, token: newToken };
         await writeStorage(this._storage, this.apiKeyHash, this._session);
-        console.info("[PollarClient] Tokens refreshed");
+        this._log.info("[PollarClient] Tokens refreshed");
       } catch (err) {
-        console.error("[PollarClient] Failed to persist refreshed session", err);
+        this._log.error("[PollarClient] Failed to persist refreshed session", err);
       }
       this._scheduleNextRefresh();
     }
@@ -2362,7 +2329,7 @@ var PollarClient = class {
     try {
       await this.refresh();
     } catch (err) {
-      console.warn("[PollarClient] Proactive refresh failed; session cleared", err);
+      this._log.warn("[PollarClient] Proactive refresh failed; session cleared", err);
     }
   }
   _clearRefreshTimer() {
@@ -2408,7 +2375,7 @@ var PollarClient = class {
       try {
         cb(reason, error);
       } catch (err) {
-        console.error("[PollarClient] onStorageDegrade listener threw", err);
+        this._log.error("[PollarClient] onStorageDegrade listener threw", err);
       }
     }
   }
@@ -2492,6 +2459,19 @@ var PollarClient = class {
     const controller = this._newController();
     loginWallet(type, this._flowDeps(controller.signal)).catch((err) => this._handleFlowError(err));
   }
+  /**
+   * "Smart Wallet" login: runs the passkey (WebAuthn) ceremony and, for a new
+   * user, creates a sponsored smart-account C-address. Requires the `passkey`
+   * ceremony to be configured (e.g. via `@pollar/react`).
+   */
+  loginSmartWallet() {
+    if (!isClientRuntime) {
+      warnServerSide("loginSmartWallet");
+      return;
+    }
+    const controller = this._newController();
+    loginSmartWallet(this._flowDeps(controller.signal)).catch((err) => this._handleFlowError(err));
+  }
   // ─── Cancel ───────────────────────────────────────────────────────────────
   cancelLogin() {
     this._loginController?.abort();
@@ -2515,20 +2495,20 @@ var PollarClient = class {
       warnServerSide("logout");
       return;
     }
-    console.info("[PollarClient] Logout requested", { everywhere: !!options.everywhere });
+    this._log.info("[PollarClient] Logout requested", { everywhere: !!options.everywhere });
     if (this._session?.token?.accessToken) {
       try {
         await this._api.POST("/auth/logout", {
           body: options.everywhere ? { everywhere: true } : {}
         });
       } catch (err) {
-        console.warn("[PollarClient] Server logout failed (continuing with local clear)", err);
+        this._log.warn("[PollarClient] Server logout failed (continuing with local clear)", err);
       }
     }
     try {
       await this._clearSession();
     } catch (err) {
-      console.warn("[PollarClient] Local logout cleanup failed", err);
+      this._log.warn("[PollarClient] Local logout cleanup failed", err);
     }
   }
   /** Convenience: revoke every active session for this user (all devices). */
@@ -2554,6 +2534,29 @@ var PollarClient = class {
     }
     return data.content.sessions;
   }
+  getSessionsState() {
+    return this._sessionsState;
+  }
+  onSessionsStateChange(cb) {
+    this._sessionsStateListeners.add(cb);
+    cb(this._sessionsState);
+    return () => this._sessionsStateListeners.delete(cb);
+  }
+  /**
+   * Fire-and-forget variant of {@link listSessions} that drives the observable
+   * `SessionsState` store instead of returning the array. UI layers subscribe
+   * via `onSessionsStateChange` and stay pure readers — mirrors `fetchTxHistory`.
+   */
+  async fetchSessions() {
+    this._setSessionsState({ step: "loading" });
+    try {
+      const sessions = await this.listSessions();
+      this._setSessionsState({ step: "loaded", sessions });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to load sessions";
+      this._setSessionsState({ step: "error", message });
+    }
+  }
   /**
    * Revoke a specific refresh-token family (a single device session). Use
    * `listSessions` to enumerate the familyIds. Revoking the current session
@@ -2581,6 +2584,14 @@ var PollarClient = class {
   getNetworkState() {
     return this._networkState;
   }
+  /**
+   * The client's level-gated logger (built from `logLevel` / `logger`). Exposed
+   * so the runtime layer (`@pollar/react`) can route its own logs through the
+   * same level and sink instead of calling `console` directly.
+   */
+  getLogger() {
+    return this._log;
+  }
   setNetwork(network) {
     this._setNetworkState({ step: "connected", network });
   }
@@ -2630,16 +2641,19 @@ var PollarClient = class {
     cb(this._walletBalanceState);
     return () => this._walletBalanceStateListeners.delete(cb);
   }
-  async refreshBalance(publicKey) {
-    const pk = publicKey ?? this._session?.wallet?.publicKey;
-    if (!pk) {
+  /**
+   * Refreshes the balances of the authenticated user's OWN wallet. The wallet
+   * and network are resolved server-side from the session — no arguments. Drives
+   * `walletBalanceState`. For an arbitrary wallet, use {@link getWalletBalance}.
+   */
+  async refreshBalance() {
+    if (!this._session?.wallet?.address) {
       this._setWalletBalanceState({ step: "error", message: "No wallet connected" });
       return;
     }
     this._setWalletBalanceState({ step: "loading" });
     try {
-      const network = this.getNetwork();
-      const { data, error } = await this._api.GET("/wallet/balance", { params: { query: { publicKey: pk, network } } });
+      const { data, error } = await this._api.GET("/wallet/balance");
       if (!error && data?.success && data.content) {
         this._setWalletBalanceState({ step: "loaded", data: data.content });
       } else {
@@ -2649,6 +2663,53 @@ var PollarClient = class {
       this._setWalletBalanceState({ step: "error", message: "Failed to load balance" });
     }
   }
+  /**
+   * General-purpose balance lookup for ANY wallet on ANY network — not scoped
+   * to this application. Enumerates the account's real on-chain holdings via
+   * Horizon (server-side) and returns the data directly (no reactive state).
+   * `network` defaults to the client's current network.
+   */
+  async getWalletBalance(publicKey, network) {
+    const { data, error } = await this._api.GET("/wallet/{publicKey}/balance", {
+      params: { path: { publicKey }, query: { network: network ?? this.getNetwork() } }
+    });
+    if (error || !data?.success || !data.content) {
+      throw new Error("[PollarClient] Failed to load wallet balance");
+    }
+    return data.content;
+  }
+  // ─── Enabled assets ───────────────────────────────────────────────────────
+  getEnabledAssetsState() {
+    return this._enabledAssetsState;
+  }
+  onEnabledAssetsStateChange(cb) {
+    this._enabledAssetsStateListeners.add(cb);
+    cb(this._enabledAssetsState);
+    return () => this._enabledAssetsStateListeners.delete(cb);
+  }
+  /**
+   * Loads the application's enabled assets paired with the authenticated
+   * wallet's on-chain trustline state — so the SDK knows which trustlines still
+   * need to be added. Wallet and network are resolved server-side from the
+   * session. Drives `enabledAssetsState`; mirrors {@link refreshBalance}.
+   */
+  async refreshAssets() {
+    if (!this._session?.wallet?.address) {
+      this._setEnabledAssetsState({ step: "error", message: "No wallet connected" });
+      return;
+    }
+    this._setEnabledAssetsState({ step: "loading" });
+    try {
+      const { data, error } = await this._api.GET("/wallet/assets");
+      if (!error && data?.success && data.content) {
+        this._setEnabledAssetsState({ step: "loaded", data: data.content });
+      } else {
+        this._setEnabledAssetsState({ step: "error", message: "Failed to load assets" });
+      }
+    } catch {
+      this._setEnabledAssetsState({ step: "error", message: "Failed to load assets" });
+    }
+  }
   // ─── Transactions ─────────────────────────────────────────────────────────
   /**
    * Builds an unsigned XDR. Drives `_setTransactionState` for modal-style UIs
@@ -2656,14 +2717,14 @@ var PollarClient = class {
    * inspect the result without subscribing to state changes.
    */
   async buildTx(operation, params, options) {
-    if (!this._session?.wallet?.publicKey) {
+    if (!this._session?.wallet?.address) {
       const details = "No wallet connected";
       this._setTransactionState({ step: "error", phase: "building", details });
       return { status: "error", details };
     }
     const body = {
       network: this.getNetwork(),
-      publicKey: this._session.wallet.publicKey,
+      address: this._session.wallet.address,
       operation,
       params,
       options: options ?? {}
@@ -2679,7 +2740,7 @@ var PollarClient = class {
       this._setTransactionState({ step: "error", phase: "building", ...details && { details } });
       return { status: "error", ...details && { details } };
     } catch (err) {
-      console.error("[PollarClient] buildTx failed", err);
+      this._log.error("[PollarClient] buildTx failed", err);
       this._setTransactionState({ step: "error", phase: "building" });
       return { status: "error" };
     }
@@ -2704,7 +2765,7 @@ var PollarClient = class {
     const buildData = this._currentBuildData();
     this._setTransactionState({ step: "signing", ...buildData && { buildData } });
     if (this._walletAdapter) {
-      const accountToSign = this._session?.wallet?.publicKey;
+      const accountToSign = this._session?.wallet?.address;
       const signOpts = accountToSign ? { networkPassphrase: this._networkPassphrase(), accountToSign } : { networkPassphrase: this._networkPassphrase() };
       try {
         const { signedTxXdr } = await this._walletAdapter.signTransaction(unsignedXdr, signOpts);
@@ -2725,10 +2786,10 @@ var PollarClient = class {
         return { status: "error", ...details && { details } };
       }
     }
-    const publicKey = this._session?.wallet?.publicKey ?? "";
+    const address = this._session?.wallet?.address ?? "";
     try {
       const { data, error } = await this._api.POST("/tx/sign", {
-        body: { network: this.getNetwork(), publicKey, unsignedXdr }
+        body: { network: this.getNetwork(), address, unsignedXdr }
       });
       if (!error && data?.success && data.content?.signedXdr) {
         const { signedXdr, idempotencyKey } = data.content;
@@ -2781,12 +2842,12 @@ var PollarClient = class {
     const buildData = this._currentBuildData();
     const outcomeExtra = buildData ? { buildData } : {};
     this._setTransactionState({ step: "submitting", signedXdr, ...buildData && { buildData } });
-    const publicKey = this._session?.wallet?.publicKey ?? "";
+    const address = this._session?.wallet?.address ?? "";
     try {
       const { data, error } = await this._api.POST("/tx/submit", {
         body: {
           network: this.getNetwork(),
-          publicKey,
+          address,
           signedXdr,
           ...opts?.submissionToken && { idempotencyKey: opts.submissionToken }
         }
@@ -2846,6 +2907,19 @@ var PollarClient = class {
    *   `success` (ledger-confirmed), or `error[phase: 'signing-submitting']`.
    */
   async signAndSubmitTx(unsignedXdr) {
+    if (this._session?.wallet?.type === "smart") {
+      const buildData2 = this._currentBuildData();
+      if (!buildData2?.smart) {
+        const details = "no prepared smart transaction; call buildTx first";
+        this._setTransactionState({ step: "error", phase: "signing", details });
+        return { status: "error", details };
+      }
+      return this._signSubmitSmart(buildData2);
+    }
+    if (!unsignedXdr) {
+      this._setTransactionState({ step: "error", phase: "signing", details: "missing unsigned transaction" });
+      return { status: "error", details: "missing unsigned transaction" };
+    }
     if (this._walletAdapter) {
       const signed = await this.signTx(unsignedXdr);
       if (signed.status === "error") {
@@ -2863,7 +2937,7 @@ var PollarClient = class {
     this._setTransactionState({ step: "signing-submitting", ...buildData && { buildData } });
     const body = {
       network: this.getNetwork(),
-      publicKey: this._session?.wallet?.publicKey ?? "",
+      address: this._session?.wallet?.address ?? "",
       unsignedXdr
     };
     try {
@@ -2932,14 +3006,20 @@ var PollarClient = class {
    * `signTx`, and `submitTx` separately instead.
    */
   async buildAndSignAndSubmitTx(operation, params, options) {
+    if (this._session?.wallet?.type === "smart") {
+      return this._runSmartTx(operation, params, options);
+    }
     if (this._walletAdapter) {
       const built = await this.buildTx(operation, params, options);
       if (built.status === "error") {
         return { status: "error", ...built.details && { details: built.details } };
       }
+      if (!built.buildData.unsignedXdr) {
+        return { status: "error", details: "build returned no unsigned transaction" };
+      }
       return this.signAndSubmitTx(built.buildData.unsignedXdr);
     }
-    if (!this._session?.wallet?.publicKey) {
+    if (!this._session?.wallet?.address) {
       this._setTransactionState({ step: "error", phase: "building-signing-submitting", details: "No wallet connected" });
       return { status: "error", details: "No wallet connected" };
     }
@@ -2948,7 +3028,7 @@ var PollarClient = class {
       const { data, error } = await this._api.POST("/tx/build-sign-submit", {
         body: {
           network: this.getNetwork(),
-          publicKey: this._session.wallet.publicKey,
+          address: this._session.wallet.address,
           operation,
           params,
           options: options ?? {}
@@ -2992,6 +3072,113 @@ var PollarClient = class {
   async runTx(operation, params, options) {
     return this.buildAndSignAndSubmitTx(operation, params, options);
   }
+  /**
+   * Smart-wallet (passkey / C-address) transaction: build (server prepares the
+   * SAC transfer + returns the auth digest) → sign the digest with the passkey
+   * → submit (server assembles the signed auth entry and broadcasts; the
+   * sponsor pays the fee). State machine: building → built → signing →
+   * submitting → success.
+   */
+  async _runSmartTx(operation, params, options) {
+    const address = this._session?.wallet?.address;
+    if (!address) {
+      this._setTransactionState({ step: "error", phase: "building", details: "No wallet connected" });
+      return { status: "error", details: "No wallet connected" };
+    }
+    if (!this._passkeySign) {
+      const details = "Passkey signer not configured";
+      this._setTransactionState({ step: "error", phase: "signing", details });
+      return { status: "error", details };
+    }
+    this._setTransactionState({ step: "building" });
+    let buildData;
+    try {
+      const body = {
+        network: this.getNetwork(),
+        address,
+        operation,
+        params,
+        options: options ?? {}
+      };
+      const { data, error } = await this._api.POST("/tx/build", { body });
+      if (error || !data?.success || !data.content?.smart) {
+        const details = error?.details ?? "Failed to build transaction";
+        this._setTransactionState({ step: "error", phase: "building", details });
+        return { status: "error", details };
+      }
+      buildData = data.content;
+    } catch (err) {
+      const details = err instanceof Error ? err.message : void 0;
+      this._setTransactionState({ step: "error", phase: "building", ...details && { details } });
+      return { status: "error", ...details && { details } };
+    }
+    this._setTransactionState({ step: "built", buildData });
+    return this._signSubmitSmart(buildData);
+  }
+  /**
+   * Steps 2–3 of the smart-wallet flow: sign the prepared auth digest with the
+   * passkey, then submit. Shared by `_runSmartTx` (atomic) and `signAndSubmitTx`
+   * (split flow, when a smart build is already on the state machine).
+   */
+  async _signSubmitSmart(buildData) {
+    const address = this._session?.wallet?.address;
+    const smart = buildData.smart;
+    if (!address || !smart) {
+      const details = "no prepared smart transaction";
+      this._setTransactionState({ step: "error", phase: "signing", buildData, details });
+      return { status: "error", buildData, details };
+    }
+    if (!this._passkeySign) {
+      const details = "Passkey signer not configured";
+      this._setTransactionState({ step: "error", phase: "signing", buildData, details });
+      return { status: "error", buildData, details };
+    }
+    this._setTransactionState({ step: "signing", buildData });
+    let assertion;
+    try {
+      assertion = await this._passkeySign({ credentialId: smart.credentialId, challenge: smart.digest });
+    } catch (err) {
+      const details = err instanceof Error ? err.message : void 0;
+      this._setTransactionState({ step: "error", phase: "signing", buildData, ...details && { details } });
+      return { status: "error", buildData, ...details && { details } };
+    }
+    this._setTransactionState({ step: "submitting", buildData });
+    const outcomeExtra = { buildData };
+    try {
+      const { data, error } = await this._api.POST("/tx/submit", {
+        body: {
+          network: this.getNetwork(),
+          address,
+          smart: { entryXdr: smart.entryXdr, funcXdr: smart.funcXdr, assertion }
+        }
+      });
+      if (!error && data?.success && data.content) {
+        const { hash, status: backendStatus, resultCode } = data.content;
+        if (backendStatus === "SUCCESS") {
+          this._setTransactionState({ step: "success", hash, buildData });
+          return { status: "success", hash, ...outcomeExtra };
+        }
+        if (backendStatus === "PENDING") {
+          this._setTransactionState({ step: "submitted", hash, buildData });
+          return { status: "pending", hash, ...outcomeExtra };
+        }
+        this._setTransactionState({
+          step: "error",
+          phase: "submitting",
+          buildData,
+          ...resultCode && { details: resultCode }
+        });
+        return { status: "error", hash, ...outcomeExtra, ...resultCode && { details: resultCode, resultCode } };
+      }
+      const details = error?.details;
+      this._setTransactionState({ step: "error", phase: "submitting", buildData, ...details && { details } });
+      return { status: "error", ...outcomeExtra, ...details && { details } };
+    } catch (err) {
+      const details = err instanceof Error ? err.message : void 0;
+      this._setTransactionState({ step: "error", phase: "submitting", buildData, ...details && { details } });
+      return { status: "error", ...outcomeExtra, ...details && { details } };
+    }
+  }
   // ─── App config ───────────────────────────────────────────────────────────
   async getAppConfig() {
     try {
@@ -3045,10 +3232,18 @@ var PollarClient = class {
     this._txHistoryState = next;
     for (const cb of this._txHistoryStateListeners) cb(next);
   }
+  _setSessionsState(next) {
+    this._sessionsState = next;
+    for (const cb of this._sessionsStateListeners) cb(next);
+  }
   _setWalletBalanceState(next) {
     this._walletBalanceState = next;
     for (const cb of this._walletBalanceStateListeners) cb(next);
   }
+  _setEnabledAssetsState(next) {
+    this._enabledAssetsState = next;
+    for (const cb of this._enabledAssetsStateListeners) cb(next);
+  }
   // ─── Private ──────────────────────────────────────────────────────────────
   _newController() {
     this._loginController?.abort();
@@ -3058,6 +3253,7 @@ var PollarClient = class {
   _flowDeps(signal) {
     return {
       api: this._api,
+      logger: this._log,
       basePath: this.basePath,
       // SSE status streaming works on web; React Native's `fetch` has no
       // readable `response.body`, so those clients poll the non-streaming
@@ -3073,6 +3269,7 @@ var PollarClient = class {
         this._walletAdapter = adapter;
         await writeWalletType(this._storage, this.apiKeyHash, id);
       },
+      ...this._passkey ? { passkey: this._passkey } : {},
       ...this._deviceLabel ? { deviceLabel: this._deviceLabel } : {}
     };
   }
@@ -3102,19 +3299,19 @@ var PollarClient = class {
       }
     }
     if (id === "freighter" /* FREIGHTER */) return new FreighterAdapter();
-    if (id === "albedo" /* ALBEDO */) return new AlbedoAdapter();
+    if (id === "albedo" /* ALBEDO */) return new AlbedoAdapter(this.getNetwork() === "mainnet" ? "public" : "testnet");
     throw new Error(
       `[PollarClient] No wallet adapter configured for "${id}". Pass a walletAdapter resolver in PollarClientConfig.`
     );
   }
   _handleFlowError(error) {
     if (error instanceof Error && error.name === "AbortError") {
-      console.info("[PollarClient] Login cancelled");
+      this._log.debug("[PollarClient] Login cancelled");
       this._setAuthState({ step: "idle" });
       return;
     }
     if (error instanceof Error && error.code === AUTH_ERROR_CODES.WALLET_RESOLVER_TIMEOUT) {
-      console.error("[PollarClient]", error.message);
+      this._log.error("[PollarClient]", error.message);
       this._setAuthState({
         step: "error",
         previousStep: this._authState.step,
@@ -3123,7 +3320,7 @@ var PollarClient = class {
       });
       return;
     }
-    console.error("[PollarClient] Unexpected error in auth flow", error);
+    this._log.error("[PollarClient] Unexpected error in auth flow", error);
     this._setAuthState({
       step: "error",
       previousStep: this._authState.step,
@@ -3132,32 +3329,77 @@ var PollarClient = class {
     });
   }
   async _restoreSession() {
-    this._session = await readStorage(this._storage, this.apiKeyHash);
+    this._session = await readStorage(this._storage, this.apiKeyHash, this._log);
     if (this._session) {
       const storedType = await readWalletType(this._storage, this.apiKeyHash);
       if (storedType) {
         try {
           this._walletAdapter = await this._resolveWalletAdapter(storedType);
         } catch (err) {
-          console.warn("[PollarClient] Could not restore wallet adapter for stored id", { id: storedType, err });
+          this._log.warn("[PollarClient] Could not restore wallet adapter for stored id", { id: storedType, err });
         }
       }
-      console.info("[PollarClient] Session restored from storage");
-      this._setAuthState({ step: "authenticated", session: this._session });
+      this._log.info("[PollarClient] Session restored from storage");
+      this._setAuthState({ step: "authenticated", session: this._session, verified: false });
       this._scheduleNextRefresh();
+      void this._resume();
     } else {
-      console.info("[PollarClient] No session in storage");
+      this._log.info("[PollarClient] No session in storage");
+    }
+  }
+  /**
+   * Validate the restored session against the server and repopulate the
+   * in-memory profile (PII is never persisted, so it's null after a cold
+   * reload). Goes through the normal authed client, so it coalesces with any
+   * in-flight refresh (onRequest awaits `_refreshPromise`) and, being a GET,
+   * is auto-retried after a 401-triggered refresh.
+   *
+   * - 200          → store profile, mark the session `verified`.
+   * - 401          → the refresh-on-401 path already ran; if the family was
+   *                  revoked, refresh failed and `_clearSession()` took us to
+   *                  idle. Nothing to do here — don't double-handle.
+   * - network error → stay optimistic (do NOT log out); revalidated later on
+   *                  `visibilitychange` or first use.
+   */
+  async _resume() {
+    if (!this._session) return;
+    this._resumeController?.abort();
+    const controller = new AbortController();
+    this._resumeController = controller;
+    try {
+      const { data, error } = await this._api.GET("/auth/session/resume", { signal: controller.signal });
+      if (error || !data) return;
+      const content = data.content;
+      if (!content || !this._session) return;
+      this._profile = { ...content };
+      this._setAuthState({ step: "authenticated", session: this._session, verified: true });
+    } catch (err) {
+      if (err?.name === "AbortError") return;
+      this._log.warn("[PollarClient] resume failed (network); will retry", err);
+    } finally {
+      if (this._resumeController === controller) this._resumeController = null;
     }
   }
   async _storeSession(session) {
-    console.info("[PollarClient] Session stored");
+    this._log.info("[PollarClient] Session stored");
+    const w = session.wallet;
     const persisted = {
       clientSessionId: session.clientSessionId,
       userId: session.userId ?? null,
       status: session.status,
       token: session.token,
       user: session.user,
-      wallet: session.wallet
+      // The wire response still carries the legacy `publicKey` alias (kept for
+      // older SDKs); the persisted session standardizes on `address` only.
+      wallet: {
+        type: w.type,
+        address: w.address ?? w.publicKey ?? null,
+        ...w.existsOnStellar !== void 0 ? { existsOnStellar: w.existsOnStellar } : {},
+        ...w.createdAt !== void 0 ? { createdAt: w.createdAt } : {},
+        ...w.linkedAt !== void 0 ? { linkedAt: w.linkedAt } : {},
+        ...w.network !== void 0 ? { network: w.network } : {},
+        ...w.deployTxHash !== void 0 ? { deployTxHash: w.deployTxHash } : {}
+      }
     };
     this._session = persisted;
     if (session.data) {
@@ -3170,11 +3412,11 @@ var PollarClient = class {
       };
     }
     await writeStorage(this._storage, this.apiKeyHash, persisted);
-    this._setAuthState({ step: "authenticated", session: persisted });
+    this._setAuthState({ step: "authenticated", session: persisted, verified: true });
     this._scheduleNextRefresh();
   }
   async _clearSession() {
-    console.info("[PollarClient] Session cleared");
+    this._log.info("[PollarClient] Session cleared");
     this._clearRefreshTimer();
     this._session = null;
     this._profile = null;
@@ -3183,7 +3425,7 @@ var PollarClient = class {
     try {
       await this._keyManager.reset();
     } catch (err) {
-      console.warn("[PollarClient] KeyManager reset failed during clearSession", err);
+      this._log.warn("[PollarClient] KeyManager reset failed during clearSession", err);
     }
     await removeStorage(this._storage, this.apiKeyHash);
     this._transactionState = null;
@@ -3195,17 +3437,17 @@ var PollarClient = class {
   _setNetworkState(next) {
     this._networkState = next;
     const label = next.step === "connected" ? next.network : next.step;
-    console.info(`[PollarClient] network:${label}`);
+    this._log.debug(`[PollarClient] network:${label}`);
     for (const cb of this._networkStateListeners) cb(next);
   }
   _setAuthState(next) {
     this._authState = next;
-    console.info(`[PollarClient] auth:${next.step}`);
+    this._log.debug(`[PollarClient] auth:${next.step}`);
     for (const cb of this._authStateListeners) cb(next);
   }
   _setTransactionState(next) {
     this._transactionState = next;
-    console.info(`[PollarClient] transaction:${next.step}`);
+    this._log.debug(`[PollarClient] transaction:${next.step}`);
     for (const cb of this._transactionStateListeners) cb(next);
   }
   /**
@@ -3222,6 +3464,195 @@ var PollarClient = class {
   }
 };
+// src/keys/web-crypto.ts
+var DB_NAME = "pollar-keys";
+var DB_VERSION = 1;
+var STORE_NAME = "keys";
+function openDb() {
+  return new Promise((resolve, reject) => {
+    if (typeof indexedDB === "undefined") {
+      reject(new Error("[PollarClient:keys] IndexedDB not available"));
+      return;
+    }
+    const req = indexedDB.open(DB_NAME, DB_VERSION);
+    req.onerror = () => reject(req.error ?? new Error("[PollarClient:keys] IDB open failed"));
+    req.onsuccess = () => resolve(req.result);
+    req.onupgradeneeded = () => {
+      const db = req.result;
+      if (!db.objectStoreNames.contains(STORE_NAME)) {
+        db.createObjectStore(STORE_NAME);
+      }
+    };
+  });
+}
+function awaitTx(req) {
+  return new Promise((resolve, reject) => {
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error ?? new Error("[PollarClient:keys] IDB request failed"));
+  });
+}
+async function dbGet(key) {
+  const db = await openDb();
+  try {
+    const tx = db.transaction(STORE_NAME, "readonly");
+    const result = await awaitTx(tx.objectStore(STORE_NAME).get(key));
+    return result;
+  } finally {
+    db.close();
+  }
+}
+async function dbPut(key, value) {
+  const db = await openDb();
+  try {
+    const tx = db.transaction(STORE_NAME, "readwrite");
+    await awaitTx(tx.objectStore(STORE_NAME).put(value, key));
+  } finally {
+    db.close();
+  }
+}
+async function dbDelete(key) {
+  const db = await openDb();
+  try {
+    const tx = db.transaction(STORE_NAME, "readwrite");
+    await awaitTx(tx.objectStore(STORE_NAME).delete(key));
+  } finally {
+    db.close();
+  }
+}
+function isCryptoKeyPair(v) {
+  if (typeof v !== "object" || v === null) return false;
+  const obj = v;
+  return obj.privateKey !== void 0 && obj.publicKey !== void 0;
+}
+var WebCryptoKeyManager = class {
+  constructor(apiKey) {
+    this.apiKeyHash = null;
+    this.keyPair = null;
+    this.publicJwk = null;
+    this.thumbprint = null;
+    /**
+     * Cached in-flight init. Lets `init()` be called concurrently (or implicitly
+     * from `getPublicJwk` / `sign`) without doing the work twice. Cleared on
+     * failure so callers can retry, and cleared on `reset()`.
+     */
+    this._initPromise = null;
+    if (typeof globalThis.crypto === "undefined" || !globalThis.crypto.subtle) {
+      throw new Error("[PollarClient:keys] SubtleCrypto is unavailable. DPoP requires a secure context (HTTPS or localhost).");
+    }
+    this.apiKey = apiKey;
+  }
+  /**
+   * Idempotent and safe under concurrency. The first call kicks off the real
+   * init; subsequent (and concurrent) calls return the same in-flight promise.
+   * Other methods (`getPublicJwk`, `getThumbprint`, `sign`) auto-await this so
+   * the manager is self-healing if `init()` was never explicitly invoked.
+   */
+  async init() {
+    if (this.keyPair) return;
+    if (!this._initPromise) {
+      this._initPromise = this._doInit().catch((err) => {
+        this._initPromise = null;
+        throw err;
+      });
+    }
+    return this._initPromise;
+  }
+  async _doInit() {
+    if (!this.apiKeyHash) {
+      this.apiKeyHash = await hashApiKey(this.apiKey);
+    }
+    let pair;
+    try {
+      pair = await dbGet(this.apiKeyHash);
+      if (pair && !isCryptoKeyPair(pair)) pair = void 0;
+    } catch {
+      pair = void 0;
+    }
+    if (!pair) {
+      pair = await globalThis.crypto.subtle.generateKey(
+        { name: "ECDSA", namedCurve: "P-256" },
+        // false → private key non-extractable; per W3C ECDSA spec the public
+        // key is always extractable regardless of this flag.
+        false,
+        ["sign", "verify"]
+      );
+      try {
+        await dbPut(this.apiKeyHash, pair);
+      } catch {
+      }
+    }
+    this.keyPair = pair;
+    this.publicJwk = await this._exportPublicJwk(pair.publicKey);
+    this.thumbprint = await computeJwkThumbprint(this.publicJwk);
+  }
+  /**
+   * Derive the public JWK from a `CryptoKey`. Prefers the `'raw'` export (the
+   * 65-byte uncompressed point `0x04 || X(32) || Y(32)`) and base64url-encodes
+   * the coordinates ourselves — that sidesteps polyfills whose `exportKey('jwk')`
+   * emits non-base64url `x`/`y` (standard base64, `=` padding, or — as seen with
+   * `react-native-quick-crypto` — a stray `.`). Real browsers and most polyfills
+   * support `'raw'` for public EC keys.
+   *
+   * Falls back to the `'jwk'` export (normalized via `canonicalEcJwk`) if `'raw'`
+   * is unsupported or returns an unexpected shape, so this can't regress on a
+   * runtime that only implements the JWK path. Both routes yield identical
+   * coordinate bytes, so the `cnf.jkt` thumbprint is unchanged either way.
+   */
+  async _exportPublicJwk(publicKey) {
+    try {
+      const raw = new Uint8Array(await globalThis.crypto.subtle.exportKey("raw", publicKey));
+      if (raw.length !== 65 || raw[0] !== 4) {
+        throw new Error(`[PollarClient:keys] Unexpected raw EC point (len=${raw.length}, tag=${raw[0]})`);
+      }
+      return {
+        kty: "EC",
+        crv: "P-256",
+        x: base64urlEncode(raw.slice(1, 33)),
+        y: base64urlEncode(raw.slice(33, 65))
+      };
+    } catch {
+      const jwk = await globalThis.crypto.subtle.exportKey("jwk", publicKey);
+      return canonicalEcJwk(jwk);
+    }
+  }
+  async reset() {
+    try {
+      if (this.apiKeyHash) await dbDelete(this.apiKeyHash);
+    } catch {
+    }
+    this.keyPair = null;
+    this.publicJwk = null;
+    this.thumbprint = null;
+    this._initPromise = null;
+  }
+  async getPublicJwk() {
+    if (!this.publicJwk) await this.init();
+    if (!this.publicJwk) {
+      throw new Error("[PollarClient:keys] Keypair initialization failed; getPublicJwk unavailable");
+    }
+    return { kty: this.publicJwk.kty, crv: this.publicJwk.crv, x: this.publicJwk.x, y: this.publicJwk.y };
+  }
+  async getThumbprint() {
+    if (!this.thumbprint) await this.init();
+    if (!this.thumbprint) {
+      throw new Error("[PollarClient:keys] Keypair initialization failed; getThumbprint unavailable");
+    }
+    return this.thumbprint;
+  }
+  async sign(payload) {
+    if (!this.keyPair) await this.init();
+    if (!this.keyPair) {
+      throw new Error("[PollarClient:keys] Keypair initialization failed; sign unavailable");
+    }
+    const sig = await globalThis.crypto.subtle.sign(
+      { name: "ECDSA", hash: "SHA-256" },
+      this.keyPair.privateKey,
+      payload
+    );
+    return new Uint8Array(sig);
+  }
+};
 // src/stellar/StellarClient.ts
 var HORIZON_URLS = {
   mainnet: "https://horizon.stellar.org",
@@ -3252,13 +3683,9 @@ var StellarClient = class {
 // src/index.rn.ts
 _setDefaultKeyManagerFactory((storage, apiKey) => {
-  const subtle = globalThis.crypto?.subtle;
-  if (subtle && typeof subtle.generateKey === "function" && typeof subtle.sign === "function") {
-    return new WebCryptoKeyManager(apiKey);
-  }
   return new NobleKeyManager(storage, apiKey);
 });
-export { AUTH_ERROR_CODES, AlbedoAdapter, FreighterAdapter, NobleKeyManager, PollarClient, StellarClient, WalletType, WebCryptoKeyManager, buildProof, canonicalEcJwk, claimDistributionRule, computeJwkThumbprint, createLocalStorageAdapter, createMemoryAdapter, createOffRamp, createOnRamp, defaultKeyManager, defaultStorage, getKycProviders, getKycStatus, getRampTransaction, getRampsQuote, isValidSession, listDistributionRules, normalizeHtu, pollKycStatus, pollRampTransaction, resolveKyc, startKyc };
+export { AUTH_ERROR_CODES, AlbedoAdapter, FreighterAdapter, NobleKeyManager, POLLAR_CORE_VERSION, PollarClient, StellarClient, WalletType, WebCryptoKeyManager, buildProof, canonicalEcJwk, claimDistributionRule, computeJwkThumbprint, createLocalStorageAdapter, createLogger, createMemoryAdapter, createOffRamp, createOnRamp, defaultKeyManager, defaultStorage, getKycProviders, getKycStatus, getRampTransaction, getRampsQuote, isValidSession, listDistributionRules, normalizeHtu, pollKycStatus, pollRampTransaction, resolveKyc, startKyc };
 //# sourceMappingURL=index.rn.mjs.map
 //# sourceMappingURL=index.rn.mjs.map