@pooflabs/web 0.0.82 → 0.0.83-rc1

package/dist/{index-BicMkamC.js → index-CYhzBf0k.js}

@@ -22,21 +22,6 @@ function _interopNamespaceDefault(e) {
 	return Object.freeze(n);
 }
 
-function _mergeNamespaces(n, m) {
-	m.forEach(function (e) {
-		e && typeof e !== 'string' && !Array.isArray(e) && Object.keys(e).forEach(function (k) {
-			if (k !== 'default' && !(k in n)) {
-				var d = Object.getOwnPropertyDescriptor(e, k);
-				Object.defineProperty(n, k, d.get ? d : {
-					enumerable: true,
-					get: function () { return e[k]; }
-				});
-			}
-		});
-	});
-	return Object.freeze(n);
-}
-
 var anchor__namespace = /*#__PURE__*/_interopNamespaceDefault(anchor);
 var React__namespace = /*#__PURE__*/_interopNamespaceDefault(React$2);
 
@@ -6785,6 +6770,28 @@ class WebSessionManager {
     static async storeSession(address, accessToken, idToken, refreshToken) {
         if (typeof window === "undefined")
             return;
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave localStorage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[WebSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[WebSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[WebSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         localStorage.setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -9273,15 +9280,15 @@ function requireBuffer$1 () {
 
 var bufferExports$1 = requireBuffer$1();
 
-var safeBuffer$1 = {exports: {}};
+var safeBuffer = {exports: {}};
 
 /*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */
 
-var hasRequiredSafeBuffer$1;
+var hasRequiredSafeBuffer;
 
-function requireSafeBuffer$1 () {
-	if (hasRequiredSafeBuffer$1) return safeBuffer$1.exports;
-	hasRequiredSafeBuffer$1 = 1;
+function requireSafeBuffer () {
+	if (hasRequiredSafeBuffer) return safeBuffer.exports;
+	hasRequiredSafeBuffer = 1;
 	(function (module, exports$1) {
 		/* eslint-disable node/no-deprecated-api */
 		var buffer = requireBuffer$1();
@@ -9347,23 +9354,23 @@ function requireSafeBuffer$1 () {
 		  }
 		  return buffer.SlowBuffer(size)
 		}; 
-	} (safeBuffer$1, safeBuffer$1.exports));
-	return safeBuffer$1.exports;
+	} (safeBuffer, safeBuffer.exports));
+	return safeBuffer.exports;
 }
 
-var src$1;
-var hasRequiredSrc$1;
+var src;
+var hasRequiredSrc;
 
-function requireSrc$1 () {
-	if (hasRequiredSrc$1) return src$1;
-	hasRequiredSrc$1 = 1;
+function requireSrc () {
+	if (hasRequiredSrc) return src;
+	hasRequiredSrc = 1;
 	// base-x encoding / decoding
 	// Copyright (c) 2018 base-x contributors
 	// Copyright (c) 2014-2018 The Bitcoin Core developers (base58.cpp)
 	// Distributed under the MIT software license, see the accompanying
 	// file LICENSE or http://www.opensource.org/licenses/mit-license.php.
 	// @ts-ignore
-	var _Buffer = requireSafeBuffer$1().Buffer;
+	var _Buffer = requireSafeBuffer().Buffer;
 	function base (ALPHABET) {
 	  if (ALPHABET.length >= 255) { throw new TypeError('Alphabet too long') }
 	  var BASE_MAP = new Uint8Array(256);
@@ -9478,25 +9485,25 @@ function requireSrc$1 () {
 	    decode: decode
 	  }
 	}
-	src$1 = base;
-	return src$1;
+	src = base;
+	return src;
 }
 
-var bs58$1$1;
-var hasRequiredBs58$1;
+var bs58$1;
+var hasRequiredBs58;
 
-function requireBs58$1 () {
-	if (hasRequiredBs58$1) return bs58$1$1;
-	hasRequiredBs58$1 = 1;
-	var basex = requireSrc$1();
+function requireBs58 () {
+	if (hasRequiredBs58) return bs58$1;
+	hasRequiredBs58 = 1;
+	var basex = requireSrc();
 	var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
 
-	bs58$1$1 = basex(ALPHABET);
-	return bs58$1$1;
+	bs58$1 = basex(ALPHABET);
+	return bs58$1;
 }
 
-var bs58Exports$1 = requireBs58$1();
-var bs58$2 = /*@__PURE__*/getDefaultExportFromCjs(bs58Exports$1);
+var bs58Exports = requireBs58();
+var bs58 = /*@__PURE__*/getDefaultExportFromCjs(bs58Exports);
 
 // ─────────────────────────────────────────────────────────────
 // Local implementation of getSimulationComputeUnits
@@ -9575,12 +9582,6 @@ async function genSolanaMessage(address, nonce) {
 // Serialization Helpers
 // ─────────────────────────────────────────────────────────────
 function isHexString(value) {
-    // Only strings can be hex-encoded. Numbers, BNs, and other shapes coming back
-    // from the API for u64Val/i64Val should fall through to `new BN(value)` which
-    // accepts those shapes natively. Without this guard, calling .startsWith on a
-    // non-string blows up with TypeError.
-    if (typeof value !== "string")
-        return false;
     // Matches strings containing only 0-9, a-f, or A-F (optionally prefixed with 0x)
     let testValue = value;
     // Handle negative values
@@ -9676,11 +9677,8 @@ async function buildSetDocumentsTransaction(connection, idl, anchorProvider, pay
     }
     else if (idl.address === "poof4b5pk1L9tmThvBmaABjcyjfhFGbMbQP5BXk2QZp") {
         const program = new anchor.Program(idl, anchorProvider);
-        // Targets `set_documents_v2` (Vec<u8> ra_indices). The on-chain program
-        // also exposes the legacy `set_documents` (Vec<u64>) so SDKs already on npm
-        // continue to work — but new releases of this SDK speak v2 only.
         tx = await program.methods
-            .setDocumentsV2(args.app_id, prepareAnchorArgs(args.documents), args.delete_paths, args.txData, simulate)
+            .setDocuments(args.app_id, prepareAnchorArgs(args.documents), args.delete_paths, args.txData, simulate)
             .preInstructions(instructions)
             .accounts({
             payer: payerPublicKey
@@ -9758,7 +9756,7 @@ function loadKeypairFromEnv() {
     try {
         const secretKey = secret.trim().startsWith("[")
             ? Uint8Array.from(JSON.parse(secret))
-            : bs58$2.decode(secret.trim());
+            : bs58.decode(secret.trim());
         return web3_js.Keypair.fromSecretKey(secretKey);
     }
     catch (err) {
@@ -10035,17 +10033,11 @@ async function makeApiRequest(method, urlPath, data, _overrides) {
         if (_overrides === null || _overrides === void 0 ? void 0 : _overrides.headers) {
             Object.assign(headers, _overrides.headers);
         }
-        // Writes (PUT/POST/DELETE) can take significantly longer than reads —
-        // server-side they may trigger ad-hoc LUT creation (create + extend +
-        // wait-for-finalization, ~15-30s on mainnet). Use a larger default for
-        // non-GET so the SDK doesn't time out before client-api responds.
-        const isRead = method.toUpperCase() === "GET";
-        const defaultTimeout = isRead ? 30000 : 90000;
         const requestConfig = {
             method,
             url: `${config.apiUrl}${urlPath.startsWith("/") ? urlPath : `/${urlPath}`}`,
             headers,
-            timeout: (_a = _overrides === null || _overrides === void 0 ? void 0 : _overrides.timeout) !== null && _a !== void 0 ? _a : defaultTimeout,
+            timeout: (_a = _overrides === null || _overrides === void 0 ? void 0 : _overrides.timeout) !== null && _a !== void 0 ? _a : 30000,
         };
         if (method !== "GET" && method !== "get") {
             requestConfig.data = data ? JSON.stringify(data) : {};
@@ -10690,38 +10682,21 @@ async function setMany(many, options) {
             setDocumentData: tx.transactionArgs.setDocumentData,
             deletePaths: tx.transactionArgs.deletePaths,
             idl: tx.idl,
-            txData: (_b = (_a = tx.txData) === null || _a === void 0 ? void 0 : _a.map((txData) => ({
-                pluginFunctionKey: txData.pluginFunctionKey,
-                txData: bufferExports$1.Buffer.from(txData.txData),
-                // raIndices is Vec<u8> on-chain (serialized as Buffer/bytes). The server may send
-                // it as a Buffer, a number[], a Uint8Array, or — over JSON — as Node's serialized
-                // Buffer shape {type: "Buffer", data: number[]} (the default `JSON.stringify(buf)`
-                // output). Normalise all of those to Buffer here. Each value must fit in u8 (matches
-                // Solana's instruction-level account indexing); throw clearly if anything is out of range.
-                raIndices: (() => {
-                    const raw = txData.raIndices;
-                    if (raw == null)
-                        return bufferExports$1.Buffer.alloc(0);
-                    if (bufferExports$1.Buffer.isBuffer(raw))
-                        return raw;
-                    if (raw instanceof Uint8Array)
-                        return bufferExports$1.Buffer.from(raw);
-                    // Node's JSON-serialised Buffer: {type: "Buffer", data: number[]}
-                    const arrayLike = Array.isArray(raw)
-                        ? raw
-                        : (raw && typeof raw === 'object' && Array.isArray(raw.data))
-                            ? raw.data
-                            : (() => { throw new Error(`raIndices has unexpected shape: ${typeof raw}`); })();
-                    const bytes = arrayLike.map((raIndex) => {
-                        const n = isHexString(raIndex) ? parseInt(raIndex, 16) : Number(raIndex);
-                        if (!Number.isInteger(n) || n < 0 || n > 255) {
-                            throw new Error(`raIndex ${raIndex} is not a valid u8 (must be integer in 0..255)`);
+            txData: (_b = (_a = tx.txData) === null || _a === void 0 ? void 0 : _a.map((txData) => {
+                var _a;
+                return ({
+                    pluginFunctionKey: txData.pluginFunctionKey,
+                    txData: bufferExports$1.Buffer.from(txData.txData),
+                    raIndices: (_a = txData.raIndices) === null || _a === void 0 ? void 0 : _a.map((raIndex) => {
+                        if (isHexString(raIndex)) {
+                            return new BN(raIndex, "hex");
                         }
-                        return n;
-                    });
-                    return bufferExports$1.Buffer.from(bytes);
-                })(),
-            }))) !== null && _b !== void 0 ? _b : [],
+                        else {
+                            return new BN(raIndex);
+                        }
+                    }),
+                });
+            })) !== null && _b !== void 0 ? _b : [],
         };
         const config = await getConfig();
         const solTransaction = {
@@ -11703,6 +11678,28 @@ class ReactNativeSessionManager {
     /* STORE                                                              */
     /* ------------------------------------------------------------------ */
     static async storeSession(address, accessToken, idToken, refreshToken) {
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave storage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[ReactNativeSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[ReactNativeSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[ReactNativeSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         this.getStorage().setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -15701,7 +15698,7 @@ async function loadDependencies() {
         const [reactModule, reactDomModule, phantomModule] = await Promise.all([
             import('react'),
             import('react-dom/client'),
-            Promise.resolve().then(function () { return require('./index-Ci3m3diI.js'); })
+            Promise.resolve().then(function () { return require('./index-BAz5F9Qr.js'); })
         ]);
         // Extract default export from ESM module namespace
         // Dynamic import() returns { default: Module, ...exports }, not the module directly
@@ -15895,6 +15892,16 @@ class PhantomWalletProvider {
                     if (!(phantom === null || phantom === void 0 ? void 0 : phantom.isConnected) || (phantom === null || phantom === void 0 ? void 0 : phantom.isLoading) || that.loginInProgress || that.autoLoginInProgress || that.pendingLogin) {
                         return;
                     }
+                    // Don't clobber a session owned by MWA on Seeker. MWA marks the
+                    // auth method as soon as login starts (see solana-mobile-wallet-provider),
+                    // and clears it on logout, so this guard is correct in both
+                    // steady-state and post-logout cases.
+                    try {
+                        if (getPlatform().storage.getItem('tarobase_last_auth_method') === 'mobile-wallet-adapter') {
+                            return;
+                        }
+                    }
+                    catch (_b) { }
                     // Need solana to be available AND connected for signing
                     if (!solana || !solanaHook.isAvailable || !solana.connected) {
                         return;
@@ -15924,12 +15931,21 @@ class PhantomWalletProvider {
                         const signatureBytes = signResult.signature;
                         const signature = bufferExports.Buffer.from(signatureBytes).toString('base64');
                         const createSessionResult = await createSessionWithSignature(publicKey, messageText, signature);
+                        // Pre-write guard: MWA may have started a login while we were
+                        // in flight. If MWA owns the auth method now, abort before we
+                        // overwrite its session (or its in-flight session).
+                        try {
+                            if (getPlatform().storage.getItem('tarobase_last_auth_method') === 'mobile-wallet-adapter') {
+                                return;
+                            }
+                        }
+                        catch (_c) { }
                         await WebSessionManager.storeSession(publicKey, createSessionResult.accessToken, createSessionResult.idToken, createSessionResult.refreshToken);
                         // Mark auth method so clearIncompatibleSession() doesn't wipe this session
                         try {
                             getPlatform().storage.setItem('tarobase_last_auth_method', 'phantom');
                         }
-                        catch (_b) { }
+                        catch (_d) { }
                         setCurrentUser({ provider: that, address: publicKey });
                     }
                     catch (error) {
@@ -20119,235 +20135,137 @@ function createSolanaRpcSubscriptionsFromTransport(transport) {
   });
 }
 
-var safeBuffer = {exports: {}};
-
-/*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */
-
-var hasRequiredSafeBuffer;
-
-function requireSafeBuffer () {
-	if (hasRequiredSafeBuffer) return safeBuffer.exports;
-	hasRequiredSafeBuffer = 1;
-	(function (module, exports$1) {
-		/* eslint-disable node/no-deprecated-api */
-		var buffer = requireBuffer();
-		var Buffer = buffer.Buffer;
-
-		// alternative to using Object.keys for old browsers
-		function copyProps (src, dst) {
-		  for (var key in src) {
-		    dst[key] = src[key];
-		  }
-		}
-		if (Buffer.from && Buffer.alloc && Buffer.allocUnsafe && Buffer.allocUnsafeSlow) {
-		  module.exports = buffer;
-		} else {
-		  // Copy properties from require('buffer')
-		  copyProps(buffer, exports$1);
-		  exports$1.Buffer = SafeBuffer;
-		}
-
-		function SafeBuffer (arg, encodingOrOffset, length) {
-		  return Buffer(arg, encodingOrOffset, length)
-		}
-
-		SafeBuffer.prototype = Object.create(Buffer.prototype);
-
-		// Copy static methods from Buffer
-		copyProps(Buffer, SafeBuffer);
-
-		SafeBuffer.from = function (arg, encodingOrOffset, length) {
-		  if (typeof arg === 'number') {
-		    throw new TypeError('Argument must not be a number')
-		  }
-		  return Buffer(arg, encodingOrOffset, length)
-		};
-
-		SafeBuffer.alloc = function (size, fill, encoding) {
-		  if (typeof size !== 'number') {
-		    throw new TypeError('Argument must be a number')
-		  }
-		  var buf = Buffer(size);
-		  if (fill !== undefined) {
-		    if (typeof encoding === 'string') {
-		      buf.fill(fill, encoding);
-		    } else {
-		      buf.fill(fill);
-		    }
-		  } else {
-		    buf.fill(0);
-		  }
-		  return buf
-		};
-
-		SafeBuffer.allocUnsafe = function (size) {
-		  if (typeof size !== 'number') {
-		    throw new TypeError('Argument must be a number')
-		  }
-		  return Buffer(size)
-		};
-
-		SafeBuffer.allocUnsafeSlow = function (size) {
-		  if (typeof size !== 'number') {
-		    throw new TypeError('Argument must be a number')
-		  }
-		  return buffer.SlowBuffer(size)
-		}; 
-	} (safeBuffer, safeBuffer.exports));
-	return safeBuffer.exports;
-}
-
-var src;
-var hasRequiredSrc;
-
-function requireSrc () {
-	if (hasRequiredSrc) return src;
-	hasRequiredSrc = 1;
-	// base-x encoding / decoding
-	// Copyright (c) 2018 base-x contributors
-	// Copyright (c) 2014-2018 The Bitcoin Core developers (base58.cpp)
-	// Distributed under the MIT software license, see the accompanying
-	// file LICENSE or http://www.opensource.org/licenses/mit-license.php.
-	// @ts-ignore
-	var _Buffer = requireSafeBuffer().Buffer;
-	function base (ALPHABET) {
-	  if (ALPHABET.length >= 255) { throw new TypeError('Alphabet too long') }
-	  var BASE_MAP = new Uint8Array(256);
-	  for (var j = 0; j < BASE_MAP.length; j++) {
-	    BASE_MAP[j] = 255;
-	  }
-	  for (var i = 0; i < ALPHABET.length; i++) {
-	    var x = ALPHABET.charAt(i);
-	    var xc = x.charCodeAt(0);
-	    if (BASE_MAP[xc] !== 255) { throw new TypeError(x + ' is ambiguous') }
-	    BASE_MAP[xc] = i;
-	  }
-	  var BASE = ALPHABET.length;
-	  var LEADER = ALPHABET.charAt(0);
-	  var FACTOR = Math.log(BASE) / Math.log(256); // log(BASE) / log(256), rounded up
-	  var iFACTOR = Math.log(256) / Math.log(BASE); // log(256) / log(BASE), rounded up
-	  function encode (source) {
-	    if (Array.isArray(source) || source instanceof Uint8Array) { source = _Buffer.from(source); }
-	    if (!_Buffer.isBuffer(source)) { throw new TypeError('Expected Buffer') }
-	    if (source.length === 0) { return '' }
-	        // Skip & count leading zeroes.
-	    var zeroes = 0;
-	    var length = 0;
-	    var pbegin = 0;
-	    var pend = source.length;
-	    while (pbegin !== pend && source[pbegin] === 0) {
-	      pbegin++;
-	      zeroes++;
-	    }
-	        // Allocate enough space in big-endian base58 representation.
-	    var size = ((pend - pbegin) * iFACTOR + 1) >>> 0;
-	    var b58 = new Uint8Array(size);
-	        // Process the bytes.
-	    while (pbegin !== pend) {
-	      var carry = source[pbegin];
-	            // Apply "b58 = b58 * 256 + ch".
-	      var i = 0;
-	      for (var it1 = size - 1; (carry !== 0 || i < length) && (it1 !== -1); it1--, i++) {
-	        carry += (256 * b58[it1]) >>> 0;
-	        b58[it1] = (carry % BASE) >>> 0;
-	        carry = (carry / BASE) >>> 0;
-	      }
-	      if (carry !== 0) { throw new Error('Non-zero carry') }
-	      length = i;
-	      pbegin++;
-	    }
-	        // Skip leading zeroes in base58 result.
-	    var it2 = size - length;
-	    while (it2 !== size && b58[it2] === 0) {
-	      it2++;
-	    }
-	        // Translate the result into a string.
-	    var str = LEADER.repeat(zeroes);
-	    for (; it2 < size; ++it2) { str += ALPHABET.charAt(b58[it2]); }
-	    return str
-	  }
-	  function decodeUnsafe (source) {
-	    if (typeof source !== 'string') { throw new TypeError('Expected String') }
-	    if (source.length === 0) { return _Buffer.alloc(0) }
-	    var psz = 0;
-	        // Skip and count leading '1's.
-	    var zeroes = 0;
-	    var length = 0;
-	    while (source[psz] === LEADER) {
-	      zeroes++;
-	      psz++;
-	    }
-	        // Allocate enough space in big-endian base256 representation.
-	    var size = (((source.length - psz) * FACTOR) + 1) >>> 0; // log(58) / log(256), rounded up.
-	    var b256 = new Uint8Array(size);
-	        // Process the characters.
-	    while (psz < source.length) {
-	            // Find code of next character
-	      var charCode = source.charCodeAt(psz);
-	            // Base map can not be indexed using char code
-	      if (charCode > 255) { return }
-	            // Decode character
-	      var carry = BASE_MAP[charCode];
-	            // Invalid character
-	      if (carry === 255) { return }
-	      var i = 0;
-	      for (var it3 = size - 1; (carry !== 0 || i < length) && (it3 !== -1); it3--, i++) {
-	        carry += (BASE * b256[it3]) >>> 0;
-	        b256[it3] = (carry % 256) >>> 0;
-	        carry = (carry / 256) >>> 0;
-	      }
-	      if (carry !== 0) { throw new Error('Non-zero carry') }
-	      length = i;
-	      psz++;
-	    }
-	        // Skip leading zeroes in b256.
-	    var it4 = size - length;
-	    while (it4 !== size && b256[it4] === 0) {
-	      it4++;
-	    }
-	    var vch = _Buffer.allocUnsafe(zeroes + (size - it4));
-	    vch.fill(0x00, 0, zeroes);
-	    var j = zeroes;
-	    while (it4 !== size) {
-	      vch[j++] = b256[it4++];
-	    }
-	    return vch
-	  }
-	  function decode (string) {
-	    var buffer = decodeUnsafe(string);
-	    if (buffer) { return buffer }
-	    throw new Error('Non-base' + BASE + ' character')
-	  }
-	  return {
-	    encode: encode,
-	    decodeUnsafe: decodeUnsafe,
-	    decode: decode
-	  }
-	}
-	src = base;
-	return src;
-}
-
-var bs58$1;
-var hasRequiredBs58;
-
-function requireBs58 () {
-	if (hasRequiredBs58) return bs58$1;
-	hasRequiredBs58 = 1;
-	var basex = requireSrc();
-	var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
-
-	bs58$1 = basex(ALPHABET);
-	return bs58$1;
+// base-x encoding / decoding
+// Copyright (c) 2018 base-x contributors
+// Copyright (c) 2014-2018 The Bitcoin Core developers (base58.cpp)
+// Distributed under the MIT software license, see the accompanying
+// file LICENSE or http://www.opensource.org/licenses/mit-license.php.
+function base (ALPHABET) {
+  if (ALPHABET.length >= 255) { throw new TypeError('Alphabet too long') }
+  const BASE_MAP = new Uint8Array(256);
+  for (let j = 0; j < BASE_MAP.length; j++) {
+    BASE_MAP[j] = 255;
+  }
+  for (let i = 0; i < ALPHABET.length; i++) {
+    const x = ALPHABET.charAt(i);
+    const xc = x.charCodeAt(0);
+    if (BASE_MAP[xc] !== 255) { throw new TypeError(x + ' is ambiguous') }
+    BASE_MAP[xc] = i;
+  }
+  const BASE = ALPHABET.length;
+  const LEADER = ALPHABET.charAt(0);
+  const FACTOR = Math.log(BASE) / Math.log(256); // log(BASE) / log(256), rounded up
+  const iFACTOR = Math.log(256) / Math.log(BASE); // log(256) / log(BASE), rounded up
+  function encode (source) {
+    // eslint-disable-next-line no-empty
+    if (source instanceof Uint8Array) ; else if (ArrayBuffer.isView(source)) {
+      source = new Uint8Array(source.buffer, source.byteOffset, source.byteLength);
+    } else if (Array.isArray(source)) {
+      source = Uint8Array.from(source);
+    }
+    if (!(source instanceof Uint8Array)) { throw new TypeError('Expected Uint8Array') }
+    if (source.length === 0) { return '' }
+    // Skip & count leading zeroes.
+    let zeroes = 0;
+    let length = 0;
+    let pbegin = 0;
+    const pend = source.length;
+    while (pbegin !== pend && source[pbegin] === 0) {
+      pbegin++;
+      zeroes++;
+    }
+    // Allocate enough space in big-endian base58 representation.
+    const size = ((pend - pbegin) * iFACTOR + 1) >>> 0;
+    const b58 = new Uint8Array(size);
+    // Process the bytes.
+    while (pbegin !== pend) {
+      let carry = source[pbegin];
+      // Apply "b58 = b58 * 256 + ch".
+      let i = 0;
+      for (let it1 = size - 1; (carry !== 0 || i < length) && (it1 !== -1); it1--, i++) {
+        carry += (256 * b58[it1]) >>> 0;
+        b58[it1] = (carry % BASE) >>> 0;
+        carry = (carry / BASE) >>> 0;
+      }
+      if (carry !== 0) { throw new Error('Non-zero carry') }
+      length = i;
+      pbegin++;
+    }
+    // Skip leading zeroes in base58 result.
+    let it2 = size - length;
+    while (it2 !== size && b58[it2] === 0) {
+      it2++;
+    }
+    // Translate the result into a string.
+    let str = LEADER.repeat(zeroes);
+    for (; it2 < size; ++it2) { str += ALPHABET.charAt(b58[it2]); }
+    return str
+  }
+  function decodeUnsafe (source) {
+    if (typeof source !== 'string') { throw new TypeError('Expected String') }
+    if (source.length === 0) { return new Uint8Array() }
+    let psz = 0;
+    // Skip and count leading '1's.
+    let zeroes = 0;
+    let length = 0;
+    while (source[psz] === LEADER) {
+      zeroes++;
+      psz++;
+    }
+    // Allocate enough space in big-endian base256 representation.
+    const size = (((source.length - psz) * FACTOR) + 1) >>> 0; // log(58) / log(256), rounded up.
+    const b256 = new Uint8Array(size);
+    // Process the characters.
+    while (psz < source.length) {
+      // Find code of next character
+      const charCode = source.charCodeAt(psz);
+      // Base map can not be indexed using char code
+      if (charCode > 255) { return }
+      // Decode character
+      let carry = BASE_MAP[charCode];
+      // Invalid character
+      if (carry === 255) { return }
+      let i = 0;
+      for (let it3 = size - 1; (carry !== 0 || i < length) && (it3 !== -1); it3--, i++) {
+        carry += (BASE * b256[it3]) >>> 0;
+        b256[it3] = (carry % 256) >>> 0;
+        carry = (carry / 256) >>> 0;
+      }
+      if (carry !== 0) { throw new Error('Non-zero carry') }
+      length = i;
+      psz++;
+    }
+    // Skip leading zeroes in b256.
+    let it4 = size - length;
+    while (it4 !== size && b256[it4] === 0) {
+      it4++;
+    }
+    const vch = new Uint8Array(zeroes + (size - it4));
+    let j = zeroes;
+    while (it4 !== size) {
+      vch[j++] = b256[it4++];
+    }
+    return vch
+  }
+  function decode (string) {
+    const buffer = decodeUnsafe(string);
+    if (buffer) { return buffer }
+    throw new Error('Non-base' + BASE + ' character')
+  }
+  return {
+    encode,
+    decodeUnsafe,
+    decode
+  }
 }
 
-var bs58Exports = requireBs58();
-var bs58 = /*@__PURE__*/getDefaultExportFromCjs$1(bs58Exports);
+var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
+var base58 = base(ALPHABET);
 
-var index = /*#__PURE__*/_mergeNamespaces({
+var index = /*#__PURE__*/Object.freeze({
 	__proto__: null,
-	default: bs58
-}, [bs58Exports]);
+	default: base58
+});
 
 const SURFNET_RPC_URL$1 = "https://surfpool.fly.dev";
 let React;
@@ -21081,7 +20999,7 @@ class PrivyWalletProvider {
             // Handle case where signature might be bytes instead of string
             const rawSig = result.signature;
             if (rawSig instanceof Uint8Array || Array.isArray(rawSig)) {
-                signature = bs58.encode(rawSig instanceof Uint8Array ? rawSig : new Uint8Array(rawSig));
+                signature = base58.encode(rawSig instanceof Uint8Array ? rawSig : new Uint8Array(rawSig));
             }
             else {
                 signature = rawSig;
@@ -21261,7 +21179,7 @@ async function loadMwaProtocol() {
         return mwaProtocolLoadPromise;
     mwaProtocolLoadPromise = (async () => {
         try {
-            mwaProtocolModule = await Promise.resolve().then(function () { return require('./index.browser-Df7yN8D5.js'); });
+            mwaProtocolModule = await Promise.resolve().then(function () { return require('./index.browser-XpeHKCJM.js'); });
         }
         catch (e) {
             console.warn('[SolanaMobileWallet] @solana-mobile/mobile-wallet-adapter-protocol-web3js not installed. Install it to enable Seeker wallet support.');
@@ -21283,7 +21201,7 @@ async function registerMobileWalletAdapter(config) {
     if (typeof window === 'undefined')
         return;
     try {
-        const walletStandardMobile = await Promise.resolve().then(function () { return require('./index.browser-BkMiHSON.js'); });
+        const walletStandardMobile = await Promise.resolve().then(function () { return require('./index.browser-BgibQtKi.js'); });
         const registerMwa = walletStandardMobile.registerMwa || ((_a = walletStandardMobile.default) === null || _a === void 0 ? void 0 : _a.registerMwa);
         if (!registerMwa) {
             console.warn('[SolanaMobileWallet] registerMwa not found in @solana-mobile/wallet-standard-mobile');
@@ -21413,6 +21331,19 @@ class SolanaMobileWalletProvider {
     async login() {
         var _a, _b, _c, _d, _e;
         setAuthLoading(true);
+        // Mark the auth method early so a concurrent Phantom auto-create can see
+        // 'mobile-wallet-adapter' during our slow transact() / session-creation
+        // roundtrip and back off (see phantom-wallet-provider autoCreateSession).
+        // Capture the previous value so we can restore it if login fails.
+        let prevAuthMethod = null;
+        try {
+            prevAuthMethod = getPlatform().storage.getItem('tarobase_last_auth_method');
+        }
+        catch (_f) { }
+        try {
+            getPlatform().storage.setItem('tarobase_last_auth_method', 'mobile-wallet-adapter');
+        }
+        catch (_g) { }
         try {
             await loadMwaProtocol();
             const { transact } = mwaProtocolModule;
@@ -21478,12 +21409,22 @@ class SolanaMobileWalletProvider {
             try {
                 getPlatform().storage.setItem('tarobase_last_auth_method', 'mobile-wallet-adapter');
             }
-            catch (_f) { }
+            catch (_h) { }
             const user = { provider: this, address: result.base58Address };
             setCurrentUser(user);
             return user;
         }
         catch (error) {
+            // Restore the previous auth method since this login attempt failed.
+            try {
+                if (prevAuthMethod === null) {
+                    getPlatform().storage.removeItem('tarobase_last_auth_method');
+                }
+                else {
+                    getPlatform().storage.setItem('tarobase_last_auth_method', prevAuthMethod);
+                }
+            }
+            catch (_j) { }
             const isUserRejection = (error === null || error === void 0 ? void 0 : error.code) === 4001 ||
                 ((_a = error === null || error === void 0 ? void 0 : error.message) === null || _a === void 0 ? void 0 : _a.toLowerCase().includes('user rejected')) ||
                 ((_b = error === null || error === void 0 ? void 0 : error.message) === null || _b === void 0 ? void 0 : _b.toLowerCase().includes('user denied')) ||
@@ -21529,6 +21470,12 @@ class SolanaMobileWalletProvider {
         this.authorizedPublicKey = null;
         this.publicKeyObj = null;
         WebSessionManager.clearSession();
+        // Clear the auth-method marker so Phantom auto-create is unblocked
+        // for any subsequent fresh login on this device.
+        try {
+            getPlatform().storage.removeItem('tarobase_last_auth_method');
+        }
+        catch (_a) { }
         setCurrentUser(null);
     }
     async signMessage(message) {
@@ -22036,7 +21983,7 @@ class PrivyExpoProvider {
         const wallet = await this.getWalletOrThrow();
         const messageBytes = getPlatform().textEncode(message);
         const result = await wallet.signMessage(messageBytes);
-        return bs58.encode(result.signature);
+        return base58.encode(result.signature);
     }
     async signTransaction(transaction) {
         await this.ensureReady();
@@ -22203,11 +22150,11 @@ exports.ServerSessionManager = ServerSessionManager;
 exports.SolanaMobileWalletProvider = SolanaMobileWalletProvider;
 exports.WebSessionManager = WebSessionManager;
 exports.aggregate = aggregate;
+exports.base58 = base58;
 exports.bufferExports = bufferExports;
 exports.buildSetDocumentsTransaction = buildSetDocumentsTransaction;
 exports.clearCache = clearCache;
 exports.closeAllSubscriptions = closeAllSubscriptions;
-exports.commonjsRequire = commonjsRequire;
 exports.convertRemainingAccounts = convertRemainingAccounts;
 exports.count = count;
 exports.createSessionWithPrivy = createSessionWithPrivy;
@@ -22235,7 +22182,6 @@ exports.onAuthStateChanged = onAuthStateChanged;
 exports.reconnectWithNewAuth = reconnectWithNewAuth;
 exports.refreshSession = refreshSession;
 exports.registerMobileWalletAdapter = registerMobileWalletAdapter;
-exports.require$$0 = require$$0;
 exports.runExpression = runExpression;
 exports.runExpressionMany = runExpressionMany;
 exports.runQuery = runQuery;
@@ -22250,4 +22196,4 @@ exports.signSessionCreateMessage = signSessionCreateMessage;
 exports.signTransaction = signTransaction;
 exports.subscribe = subscribe;
 exports.useAuth = useAuth;
-//# sourceMappingURL=index-BicMkamC.js.map
+//# sourceMappingURL=index-CYhzBf0k.js.map