@volr/react 0.1.0

package/dist/index.js

@@ -0,0 +1,2559 @@
+import { createContext, useRef, useEffect, useMemo, useState, useCallback, useContext } from 'react';
+import { signSession, getAuthNonce, signAuthorization, createPasskeyProvider, createMpcProvider, ZERO_HASH, deriveWrapKey, createMasterKeyProvider, sealMasterSeed, uploadBlob, deriveEvmKey, selectSigner, VolrError } from '@volr/sdk-core';
+export { createMasterKeyProvider, createMpcProvider, createPasskeyProvider, deriveEvmKey, deriveWrapKey, sealMasterSeed, uploadBlob } from '@volr/sdk-core';
+import axios from 'axios';
+import { jsx } from 'react/jsx-runtime';
+import { encodeFunctionData, getAddress, createPublicClient, http } from 'viem';
+
+// src/react/Provider.tsx
+var VolrContext = createContext(null);
+var InternalAuthContext = createContext(null);
+function mapBackendError(error) {
+  return new VolrError(error.code, error.message);
+}
+function isErrorResponse(response) {
+  return !response.ok;
+}
+function unwrapResponse(response) {
+  if (isErrorResponse(response)) {
+    throw mapBackendError(response.error);
+  }
+  return response.data;
+}
+
+// src/utils/ssr.ts
+function isBrowser() {
+  return typeof window !== "undefined" && typeof document !== "undefined";
+}
+var safeStorage = {
+  getItem(key) {
+    if (!isBrowser()) {
+      return null;
+    }
+    try {
+      const value = localStorage.getItem(key);
+      if (!value || value === "undefined" || value === "null") {
+        return null;
+      }
+      return value;
+    } catch {
+      return null;
+    }
+  },
+  setItem(key, value) {
+    if (!isBrowser()) {
+      return;
+    }
+    try {
+      localStorage.setItem(key, value);
+    } catch {
+    }
+  },
+  removeItem(key) {
+    if (!isBrowser()) {
+      return;
+    }
+    try {
+      localStorage.removeItem(key);
+    } catch {
+    }
+  },
+  clear() {
+    if (!isBrowser()) {
+      return;
+    }
+    try {
+      localStorage.clear();
+    } catch {
+    }
+  }
+};
+
+// node_modules/@volr/shared/src/constants/storage.ts
+var STORAGE_KEYS = {
+  accessToken: "volr:accessToken",
+  user: "volr:user",
+  provider: "volr:provider",
+  credentialId: "volr:credentialId",
+  selectedProject: "volr:selectedProject",
+  lastEmail: "volr:lastEmail"
+};
+var STORAGE_CHANNELS = {
+  session: "volr:session"
+};
+
+// src/headless/client.ts
+var APIClient = class {
+  constructor(config) {
+    this.refreshPromise = null;
+    this.accessToken = null;
+    this.apiKey = null;
+    this.apiKey = config.apiKey || null;
+    this.accessToken = safeStorage.getItem(STORAGE_KEYS.accessToken);
+    this.api = axios.create({
+      baseURL: config.baseUrl.replace(/\/+$/, ""),
+      withCredentials: true,
+      headers: {
+        "Content-Type": "application/json"
+      },
+      transformRequest: [
+        (data) => {
+          if (data && typeof data === "object") {
+            return JSON.stringify(
+              data,
+              (_, value) => typeof value === "bigint" ? value.toString() : value
+            );
+          }
+          return data;
+        }
+      ]
+    });
+    this.api.interceptors.request.use((config2) => {
+      if (!config2.headers) {
+        config2.headers = {};
+      }
+      if (this.apiKey) {
+        config2.headers["X-API-Key"] = this.apiKey;
+      } else {
+        console.warn("[APIClient] X-API-Key not set. Some endpoints may fail.");
+      }
+      if (this.accessToken) {
+        config2.headers["Authorization"] = `Bearer ${this.accessToken}`;
+      }
+      return config2;
+    });
+    this.api.interceptors.response.use(
+      (response) => response,
+      async (error) => {
+        const originalRequest = error.config;
+        if (error.response?.status === 401 && !originalRequest._retry) {
+          originalRequest._retry = true;
+          try {
+            await this.refreshAccessToken();
+            if (this.accessToken) {
+              originalRequest.headers["Authorization"] = `Bearer ${this.accessToken}`;
+            }
+            return this.api(originalRequest);
+          } catch (refreshError) {
+            return Promise.reject(refreshError);
+          }
+        }
+        return Promise.reject(error);
+      }
+    );
+  }
+  /**
+   * Set API key
+   */
+  setApiKey(apiKey) {
+    this.apiKey = apiKey;
+  }
+  /**
+   * Get API key
+   */
+  getApiKey() {
+    return this.apiKey;
+  }
+  /**
+   * Set access token
+   */
+  setAccessToken(token) {
+    this.accessToken = token;
+    if (token) {
+      safeStorage.setItem(STORAGE_KEYS.accessToken, token);
+    } else {
+      safeStorage.removeItem(STORAGE_KEYS.accessToken);
+    }
+  }
+  /**
+   * Get access token
+   */
+  getAccessToken() {
+    return this.accessToken;
+  }
+  /**
+   * Refresh access token (single-flight)
+   */
+  async refreshAccessToken() {
+    if (this.refreshPromise) {
+      return this.refreshPromise;
+    }
+    this.refreshPromise = (async () => {
+      try {
+        const response = await this.api.post(
+          "/auth/refresh",
+          {}
+        );
+        const data = response.data;
+        if (isErrorResponse(data)) {
+          this.setAccessToken(null);
+          safeStorage.removeItem(STORAGE_KEYS.user);
+          throw new Error(data.error.message);
+        }
+        this.setAccessToken(data.data.accessToken);
+        if (data.data.user) {
+          safeStorage.setItem(STORAGE_KEYS.user, JSON.stringify(data.data.user));
+        }
+      } finally {
+        this.refreshPromise = null;
+      }
+    })();
+    return this.refreshPromise;
+  }
+  /**
+   * Make API request with automatic retry on 401
+   */
+  async request(endpoint, options = {}, idempotencyKey) {
+    const normalizedEndpoint = endpoint.startsWith("/") ? endpoint : `/${endpoint}`;
+    const config = {
+      method: options.method || "GET",
+      url: normalizedEndpoint
+    };
+    if (options.body) {
+      config.data = typeof options.body === "string" ? JSON.parse(options.body) : options.body;
+    }
+    if (idempotencyKey) {
+      config.headers = {
+        ...config.headers,
+        "Idempotency-Key": idempotencyKey
+      };
+    }
+    const response = await this.api.request(config);
+    return unwrapResponse(response.data);
+  }
+  /**
+   * POST request
+   */
+  async post(endpoint, body, idempotencyKey) {
+    const normalizedEndpoint = endpoint.startsWith("/") ? endpoint : `/${endpoint}`;
+    const config = {
+      method: "POST",
+      url: normalizedEndpoint,
+      data: body
+    };
+    if (idempotencyKey) {
+      config.headers = {
+        "Idempotency-Key": idempotencyKey
+      };
+    }
+    const response = await this.api.request(config);
+    return unwrapResponse(response.data);
+  }
+  /**
+   * POST request that returns raw binary (ArrayBuffer)
+   * - Uses axios instance with interceptors (auto 401 refresh)
+   * - Applies X-API-Key and Authorization automatically
+   */
+  async postBinary(endpoint, body) {
+    const normalizedEndpoint = endpoint.startsWith("/") ? endpoint : `/${endpoint}`;
+    if (!this.apiKey) {
+      throw new Error(
+        "API key not configured. Please ensure VolrProvider is initialized with projectApiKey in config."
+      );
+    }
+    const response = await this.api.request({
+      method: "POST",
+      url: normalizedEndpoint,
+      data: body,
+      responseType: "arraybuffer",
+      headers: {
+        "X-API-Key": this.apiKey,
+        // Explicitly set API key header
+        ...this.accessToken && { Authorization: `Bearer ${this.accessToken}` }
+      }
+    });
+    return response.data;
+  }
+  /**
+   * GET request
+   */
+  async get(endpoint) {
+    const normalizedEndpoint = endpoint.startsWith("/") ? endpoint : `/${endpoint}`;
+    const response = await this.api.get(normalizedEndpoint);
+    return unwrapResponse(response.data);
+  }
+};
+
+// src/headless/auth-sync.ts
+var SessionSync = class {
+  constructor() {
+    this.channel = null;
+    this.listeners = /* @__PURE__ */ new Set();
+    if (typeof window !== "undefined" && "BroadcastChannel" in window) {
+      this.channel = new BroadcastChannel(STORAGE_CHANNELS.session);
+      this.channel.onmessage = (e) => {
+        this.handleChannelMessage(e.data);
+      };
+    }
+    if (typeof window !== "undefined") {
+      window.addEventListener("storage", (e) => {
+        if (e.key === STORAGE_KEYS.accessToken || e.key === STORAGE_KEYS.user) {
+          this.notifyListeners({
+            type: "REFRESH",
+            payload: {
+              accessToken: safeStorage.getItem(STORAGE_KEYS.accessToken) || ""
+            }
+          });
+        }
+      });
+    }
+  }
+  /**
+   * Subscribe to session events
+   */
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => {
+      this.listeners.delete(listener);
+    };
+  }
+  /**
+   * Broadcast session event to other tabs
+   */
+  broadcast(event) {
+    if (this.channel) {
+      this.channel.postMessage(event);
+    }
+  }
+  /**
+   * Handle channel message
+   */
+  handleChannelMessage(event) {
+    this.notifyListeners(event);
+  }
+  /**
+   * Notify all listeners
+   */
+  notifyListeners(event) {
+    for (const listener of this.listeners) {
+      try {
+        listener(event);
+      } catch (error) {
+        console.error("SessionSync listener error:", error);
+      }
+    }
+  }
+  /**
+   * Cleanup
+   */
+  destroy() {
+    if (this.channel) {
+      this.channel.close();
+      this.channel = null;
+    }
+    this.listeners.clear();
+  }
+};
+
+// src/config/webauthn.ts
+var AUTHENTICATOR_SELECTION = {
+  authenticatorAttachment: "platform",
+  userVerification: "required",
+  residentKey: "required"
+};
+var CREDENTIAL_MEDIATION = "required";
+var USER_VERIFICATION = "required";
+var WEBAUTHN_TIMEOUT = 6e4;
+var PUBKEY_CRED_PARAMS = [
+  {
+    type: "public-key",
+    alg: -7
+    // ES256 (P-256)
+  }
+];
+var ATTESTATION = "direct";
+
+// src/adapters/passkey.ts
+function createPasskeyAdapter(options = {}) {
+  const rpId = options.rpId || (typeof window !== "undefined" ? window.location.hostname : "localhost");
+  return {
+    async getPublicKey() {
+      const credential = await navigator.credentials.get({
+        publicKey: {
+          challenge: new Uint8Array(32),
+          // Dummy challenge for getting public key
+          allowCredentials: [],
+          // Empty = any credential
+          userVerification: "required"
+        }
+      });
+      if (!credential || !("response" in credential)) {
+        throw new Error("Failed to get passkey credential");
+      }
+      throw new Error(
+        "getPublicKey not implemented - use credential creation response"
+      );
+    },
+    async signP256(msgHash32) {
+      if (msgHash32.length !== 32) {
+        throw new Error("Message hash must be 32 bytes");
+      }
+      const credential = await navigator.credentials.get({
+        publicKey: {
+          challenge: msgHash32,
+          allowCredentials: [],
+          // Empty = any credential
+          userVerification: "required"
+        }
+      });
+      if (!credential || !("response" in credential)) {
+        throw new Error("Failed to get passkey credential for signing");
+      }
+      const response = credential.response;
+      const signature = response.signature;
+      const derSignature = new Uint8Array(signature);
+      if (derSignature[0] !== 48) {
+        throw new Error("Invalid DER signature format");
+      }
+      let offset = 2;
+      if (derSignature[offset] !== 2) {
+        throw new Error("Invalid DER signature: expected r marker");
+      }
+      offset++;
+      const rLength = derSignature[offset++];
+      const rBytes = derSignature.slice(offset, offset + rLength);
+      offset += rLength;
+      if (derSignature[offset] !== 2) {
+        throw new Error("Invalid DER signature: expected s marker");
+      }
+      offset++;
+      const sLength = derSignature[offset++];
+      const sBytes = derSignature.slice(offset, offset + sLength);
+      const r = new Uint8Array(32);
+      const s = new Uint8Array(32);
+      if (rBytes.length > 32 || sBytes.length > 32) {
+        throw new Error("Signature r or s exceeds 32 bytes");
+      }
+      r.set(rBytes, 32 - rBytes.length);
+      s.set(sBytes, 32 - sBytes.length);
+      return { r, s };
+    },
+    async authenticate(prfInput) {
+      if (!prfInput.credentialId) {
+        throw new Error(
+          "[PasskeyAdapter] credentialId is required for authentication. This usually means the passkey was not properly registered or user data is incomplete. Please re-enroll your passkey."
+        );
+      }
+      const hexString = prfInput.credentialId.startsWith("0x") ? prfInput.credentialId.slice(2) : prfInput.credentialId;
+      if (!/^[0-9a-fA-F]+$/.test(hexString)) {
+        console.error(
+          "[PasskeyAdapter] Invalid credentialId format (not hex):",
+          prfInput.credentialId
+        );
+        throw new Error(
+          `[PasskeyAdapter] Invalid credentialId format. Expected hex string, got: ${prfInput.credentialId}`
+        );
+      }
+      const normalizedHex = hexString.length % 2 === 0 ? hexString : "0" + hexString;
+      const hexPairs = normalizedHex.match(/.{1,2}/g);
+      if (!hexPairs) {
+        throw new Error(
+          `[PasskeyAdapter] Failed to parse hex string: ${normalizedHex}`
+        );
+      }
+      const credIdBytes = new Uint8Array(
+        hexPairs.map((byte) => parseInt(byte, 16))
+      );
+      const reconvertedHex = Array.from(credIdBytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+      if (reconvertedHex.toLowerCase() !== normalizedHex.toLowerCase()) {
+        throw new Error(
+          `[PasskeyAdapter] credentialId conversion failed. Original: ${normalizedHex}, Reconverted: ${reconvertedHex}`
+        );
+      }
+      const allowCredentials = [
+        {
+          id: credIdBytes,
+          type: "public-key"
+        }
+      ];
+      let credential = null;
+      try {
+        credential = await navigator.credentials.get({
+          publicKey: {
+            challenge: crypto.getRandomValues(new Uint8Array(32)),
+            rpId,
+            allowCredentials,
+            userVerification: USER_VERIFICATION,
+            // Shared constant
+            extensions: {
+              prf: {
+                eval: {
+                  first: prfInput.salt.buffer
+                }
+              }
+            }
+          },
+          mediation: CREDENTIAL_MEDIATION
+          // Use shared constant
+        });
+      } catch (error) {
+        console.error("[PasskeyAdapter] WebAuthn get() failed:", error);
+        console.error("[PasskeyAdapter] Error name:", error?.name);
+        console.error("[PasskeyAdapter] Error message:", error?.message);
+        if (error?.name === "NotAllowedError") {
+          throw new Error(
+            "[PasskeyAdapter] User cancelled the passkey prompt or authentication was denied. Please try again and complete the authentication."
+          );
+        } else if (error?.name === "NotFoundError" || error?.name === "InvalidStateError") {
+          throw new Error(
+            "[PasskeyAdapter] No passkey found matching the provided credentialId. This may happen if the passkey was deleted or the credentialId is incorrect. Please re-enroll your passkey."
+          );
+        } else if (error?.name === "NotSupportedError") {
+          throw new Error(
+            "[PasskeyAdapter] WebAuthn PRF extension is not supported by this browser or device. Please use a browser that supports WebAuthn PRF extension (Chrome 108+, Edge 108+, Safari 16.4+)."
+          );
+        }
+        throw new Error(
+          `[PasskeyAdapter] WebAuthn authentication failed: ${error?.message || "Unknown error"}`
+        );
+      }
+      if (!credential || !credential.response) {
+        console.error(
+          "[PasskeyAdapter] credential is null or missing response"
+        );
+        throw new Error(
+          "[PasskeyAdapter] Failed to get passkey credential for PRF. The passkey prompt may have been cancelled or no matching credential was found."
+        );
+      }
+      const extensionResults = credential.getClientExtensionResults();
+      if (!extensionResults.prf || !extensionResults.prf.results || !extensionResults.prf.results.first) {
+        throw new Error(
+          "[PasskeyAdapter] PRF extension not supported or PRF output missing"
+        );
+      }
+      const prfOutputBuffer = extensionResults.prf.results.first;
+      const prfOutput = new Uint8Array(prfOutputBuffer);
+      const credentialIdBytes = new Uint8Array(credential.rawId);
+      const credentialIdBase64 = btoa(String.fromCharCode(...credentialIdBytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+      console.log("[PasskeyAdapter] WebAuthn prompt completed successfully");
+      return {
+        prfOutput,
+        credentialId: credentialIdBase64
+      };
+    }
+  };
+}
+
+// src/headless/passkey-restore.ts
+async function restorePasskey(params) {
+  const {
+    client,
+    userId,
+    blobUrl,
+    prfInput,
+    credentialId: providedCredentialId
+  } = params;
+  const credentialId = providedCredentialId || prfInput.credentialId || safeStorage.getItem(STORAGE_KEYS.credentialId);
+  if (!credentialId) {
+    throw new Error(
+      "Credential ID not found. Please provide credentialId in params, prfInput, or ensure it is stored in localStorage. If you recently enrolled a passkey, try refreshing the page or re-enrolling."
+    );
+  }
+  console.log("[restorePasskey] Using credentialId:", credentialId ? "present" : "MISSING");
+  console.log(
+    "[restorePasskey] credentialId source:",
+    providedCredentialId ? "params" : prfInput.credentialId ? "prfInput" : "localStorage"
+  );
+  console.log("[restorePasskey] prfInput:", prfInput);
+  console.log("[restorePasskey] Step 1: Ensuring access token is fresh...");
+  const currentToken = client.getAccessToken();
+  if (!currentToken) {
+    console.log("[restorePasskey] No access token found, calling /auth/refresh...");
+    try {
+      await client.post("/auth/refresh", {});
+      console.log("[restorePasskey] Access token refreshed successfully");
+    } catch (error) {
+      console.error("[restorePasskey] Failed to refresh access token:", error);
+      throw new Error("Failed to refresh access token. Please log in again.");
+    }
+  }
+  console.log("[restorePasskey] Step 2: Downloading blob via backend proxy for blobUrl:", blobUrl);
+  const apiKey = client.getApiKey();
+  if (!apiKey) {
+    console.error("[restorePasskey] API key not set in client. This is required for blob download.");
+    throw new Error(
+      "API key not configured. Please ensure VolrProvider is initialized with projectApiKey in config."
+    );
+  }
+  console.log("[restorePasskey] API key is set:", apiKey ? "present" : "MISSING");
+  const arrayBuffer = await client.postBinary("/blob/download", { key: blobUrl });
+  const blobBytes = new Uint8Array(arrayBuffer);
+  const nonceLength = 12;
+  const cipherLength = blobBytes.length - nonceLength;
+  if (cipherLength <= 0) {
+    throw new Error("Invalid blob format: blob too small");
+  }
+  const cipher = blobBytes.slice(0, cipherLength);
+  const nonce = blobBytes.slice(cipherLength);
+  const keyStorageType = "passkey";
+  const version = "v1";
+  const aadBytes = new TextEncoder().encode(
+    `volr/master-seed/v1|${userId}|${keyStorageType}|${version}`
+  );
+  const passkeyAdapter = createPasskeyAdapter({
+    rpId: typeof window !== "undefined" ? window.location.hostname : "localhost"});
+  const provider = createPasskeyProvider(passkeyAdapter, {
+    prfInput: {
+      ...prfInput,
+      credentialId
+      // Add credentialId to prfInput
+    },
+    encryptedBlob: {
+      cipher,
+      nonce
+    },
+    aad: aadBytes
+  });
+  console.log("[restorePasskey] Provider created with credentialId:", credentialId);
+  return {
+    provider
+  };
+}
+function serializeBigIntDeep(obj) {
+  if (obj === null || obj === void 0) {
+    return obj;
+  }
+  if (typeof obj === "bigint") {
+    return obj.toString();
+  }
+  if (Array.isArray(obj)) {
+    return obj.map(serializeBigIntDeep);
+  }
+  if (typeof obj === "object") {
+    const result = {};
+    for (const key in obj) {
+      if (Object.prototype.hasOwnProperty.call(obj, key)) {
+        result[key] = serializeBigIntDeep(obj[key]);
+      }
+    }
+    return result;
+  }
+  return obj;
+}
+function VolrProvider({ config, children }) {
+  const REQUIRE_USER_GESTURE_TO_RESTORE = true;
+  const providerCountRef = useRef(0);
+  useEffect(() => {
+    providerCountRef.current++;
+    if (providerCountRef.current > 1) {
+      console.warn(
+        "Multiple VolrProvider components detected. This may cause session synchronization issues."
+      );
+    }
+    return () => {
+      providerCountRef.current--;
+    };
+  }, []);
+  const client = useMemo(() => {
+    if (!config.projectApiKey) {
+      throw new Error(
+        "VolrProvider requires config.projectApiKey. Please set VITE_PROJECT_API_KEY environment variable or provide projectApiKey in config."
+      );
+    }
+    const baseUrl = config.__devApiBaseUrl || config.apiBaseUrl;
+    return new APIClient({
+      baseUrl,
+      apiKey: config.projectApiKey
+    });
+  }, [config.apiBaseUrl, config.projectApiKey]);
+  const [user, setUser] = useState(() => {
+    if (typeof window === "undefined") return null;
+    const userStr = safeStorage.getItem(STORAGE_KEYS.user);
+    if (!userStr || userStr === "undefined" || userStr === "null") {
+      return null;
+    }
+    try {
+      return JSON.parse(userStr);
+    } catch {
+      return null;
+    }
+  });
+  const [provider, setProviderState] = useState(
+    null
+  );
+  const [isLoading, setIsLoading] = useState(true);
+  const [error, setError] = useState(null);
+  const [chainId] = useState(config.defaultChainId);
+  const [accessToken, setAccessTokenState] = useState(() => {
+    return client.getAccessToken();
+  });
+  const syncRef = useRef(null);
+  useEffect(() => {
+    syncRef.current = new SessionSync();
+    const unsubscribe = syncRef.current.subscribe((event) => {
+      if (event.type === "LOGIN") {
+        client.setAccessToken(event.payload.accessToken);
+        setAccessTokenState(event.payload.accessToken);
+        setUser(event.payload.user);
+        safeStorage.setItem(
+          STORAGE_KEYS.user,
+          JSON.stringify(event.payload.user)
+        );
+        client.setApiKey(config.projectApiKey);
+      } else if (event.type === "LOGOUT") {
+        client.setAccessToken(null);
+        setAccessTokenState(null);
+        setUser(null);
+        setProviderState(null);
+        safeStorage.removeItem(STORAGE_KEYS.user);
+        safeStorage.removeItem(STORAGE_KEYS.provider);
+      } else if (event.type === "REFRESH") {
+        client.setAccessToken(event.payload.accessToken);
+        setAccessTokenState(event.payload.accessToken);
+      } else if (event.type === "PROVIDER_SET") {
+        setUser((prev) => ({
+          ...prev,
+          keyStorageType: event.payload.keyStorageType,
+          address: event.payload.address
+        }));
+        safeStorage.setItem(STORAGE_KEYS.provider, event.payload.keyStorageType);
+      }
+    });
+    return () => {
+      unsubscribe();
+      syncRef.current?.destroy();
+    };
+  }, [client, config.projectApiKey]);
+  const setProvider = useCallback(
+    async (newProvider) => {
+      try {
+        setError(null);
+        const keyStorageType = newProvider.keyStorageType;
+        setProviderState(newProvider);
+        try {
+          const refreshResponse = await client.post(
+            "/auth/refresh",
+            {}
+          );
+          if (refreshResponse.user) {
+            console.log(
+              "[Provider] setProvider: User data refreshed from backend:",
+              refreshResponse.user
+            );
+            setUser(refreshResponse.user);
+            safeStorage.setItem(
+              STORAGE_KEYS.user,
+              JSON.stringify(refreshResponse.user)
+            );
+          } else {
+            setUser((prev) => ({
+              ...prev,
+              keyStorageType
+            }));
+            safeStorage.setItem(
+              STORAGE_KEYS.user,
+              JSON.stringify({
+                ...user,
+                keyStorageType
+              })
+            );
+          }
+        } catch (error2) {
+          console.warn(
+            "[Provider] setProvider: Failed to refresh user data, using partial update:",
+            error2
+          );
+          setUser((prev) => ({
+            ...prev,
+            keyStorageType
+          }));
+          safeStorage.setItem(
+            STORAGE_KEYS.user,
+            JSON.stringify({
+              ...user,
+              keyStorageType
+            })
+          );
+        }
+        safeStorage.setItem(STORAGE_KEYS.provider, keyStorageType);
+        syncRef.current?.broadcast({
+          type: "PROVIDER_SET",
+          payload: {
+            keyStorageType
+          }
+        });
+      } catch (err) {
+        const error2 = err instanceof Error ? err : new Error("Failed to set provider");
+        setError(error2);
+        throw error2;
+      }
+    },
+    [client, user]
+  );
+  const hasRecoveredRef = useRef(false);
+  const restorationAttemptedRef = useRef(false);
+  useEffect(() => {
+    if (config.autoRecoverOnLogin !== false && !hasRecoveredRef.current) {
+      hasRecoveredRef.current = true;
+      const recover = async () => {
+        try {
+          setIsLoading(true);
+          const response = await client.post(
+            "/auth/refresh",
+            {}
+          );
+          console.log("[Provider] /auth/refresh response:", response);
+          const refreshedToken = client.getAccessToken();
+          if (refreshedToken) {
+            if (response.user) {
+              console.log(
+                "[Provider] Setting user from response:",
+                response.user
+              );
+              console.log("[Provider] User fields:", {
+                id: response.user.id,
+                email: response.user.email,
+                accountId: response.user.accountId,
+                evmAddress: response.user.evmAddress,
+                signerType: response.user.signerType,
+                keyStorageType: response.user.keyStorageType,
+                walletConnector: response.user.walletConnector,
+                blobUrl: response.user.blobUrl,
+                prfInput: response.user.prfInput,
+                credentialId: response.user.credentialId
+              });
+              setUser(response.user);
+              safeStorage.setItem(
+                STORAGE_KEYS.user,
+                JSON.stringify(response.user)
+              );
+              if (!REQUIRE_USER_GESTURE_TO_RESTORE) ; else {
+                if (response.user.keyStorageType === "passkey") {
+                  console.log(
+                    "[Provider] TTL=0 mode: Provider restoration deferred until transaction (requires user gesture)"
+                  );
+                  if (!response.user.blobUrl || !response.user.prfInput) {
+                    console.warn(
+                      "[Provider] Passkey user detected but missing blobUrl or prfInput. User needs to re-enroll passkey."
+                    );
+                  }
+                }
+              }
+            } else {
+              console.log(
+                "[Provider] No user in response, loading from storage"
+              );
+              const userStr = safeStorage.getItem(STORAGE_KEYS.user);
+              if (userStr) {
+                try {
+                  const storedUser = JSON.parse(userStr);
+                  console.log(
+                    "[Provider] Loaded user from storage:",
+                    storedUser
+                  );
+                  setUser(storedUser);
+                } catch {
+                  safeStorage.removeItem(STORAGE_KEYS.user);
+                }
+              }
+            }
+            setAccessTokenState(refreshedToken);
+          }
+        } catch {
+          client.setAccessToken(null);
+          setAccessTokenState(null);
+          setUser(null);
+          setProviderState(null);
+          safeStorage.removeItem(STORAGE_KEYS.user);
+          safeStorage.removeItem(STORAGE_KEYS.provider);
+        } finally {
+          setIsLoading(false);
+        }
+      };
+      recover();
+    } else {
+      setIsLoading(false);
+    }
+  }, [client, config.autoRecoverOnLogin]);
+  const precheck = useCallback(
+    async (input) => {
+      try {
+        setError(null);
+        if (!client.getAccessToken()) {
+          try {
+            await client.post("/auth/refresh", {});
+          } catch {
+          }
+        }
+        const response = await client.post(
+          "/wallet/precheck",
+          input
+        );
+        return response.quote;
+      } catch (err) {
+        const error2 = err instanceof Error ? err : new Error("Precheck failed");
+        const diag = err?.response?.data?.error?.developerDiagnostics;
+        if (diag) {
+          console.error("[volr][precheck] developerDiagnostics:", diag);
+        }
+        setError(error2);
+        throw error2;
+      }
+    },
+    [client]
+  );
+  const relay = useCallback(
+    async (input, opts) => {
+      try {
+        setError(null);
+        if (!client.getAccessToken()) {
+          try {
+            await client.post("/auth/refresh", {});
+          } catch {
+          }
+        }
+        const idempotencyKey = opts?.idempotencyKey ?? (typeof crypto !== "undefined" && crypto.randomUUID ? crypto.randomUUID() : `${Date.now()}-${Math.random()}`);
+        const serializedInput = serializeBigIntDeep(input);
+        const response = await client.post(
+          "/wallet/relay",
+          serializedInput,
+          idempotencyKey
+        );
+        return response;
+      } catch (err) {
+        const error2 = err instanceof Error ? err : new Error("Relay failed");
+        const diag = err?.response?.data?.error?.developerDiagnostics;
+        if (diag) {
+          console.error("[volr][relay] developerDiagnostics:", diag);
+        }
+        setError(error2);
+        throw error2;
+      }
+    },
+    [client]
+  );
+  const logout = useCallback(async () => {
+    try {
+      setError(null);
+      client.setAccessToken(null);
+      setUser(null);
+      setProviderState(null);
+      safeStorage.removeItem(STORAGE_KEYS.user);
+      safeStorage.removeItem(STORAGE_KEYS.accessToken);
+      safeStorage.removeItem(STORAGE_KEYS.provider);
+      syncRef.current?.broadcast({ type: "LOGOUT" });
+    } catch (err) {
+      const error2 = err instanceof Error ? err : new Error("Logout failed");
+      setError(error2);
+      throw error2;
+    }
+  }, [client]);
+  useEffect(() => {
+    if (!user) return;
+    if (typeof window === "undefined" || !window.ethereum) {
+      return;
+    }
+    const ethereum = window.ethereum;
+    const handleAccountsChanged = (accounts) => {
+      console.log("[Provider] accountsChanged event:", accounts);
+      if (accounts.length === 0) {
+        console.warn("[Provider] Wallet disconnected, logging out...");
+        setTimeout(() => logout(), 3e3);
+      } else if (user.evmAddress && accounts[0].toLowerCase() !== user.evmAddress.toLowerCase()) {
+        console.warn("[Provider] Account changed, logging out in 3 seconds...");
+        setTimeout(() => logout(), 3e3);
+      }
+    };
+    const handleChainChanged = (chainIdHex) => {
+      const newChainId = parseInt(chainIdHex, 16);
+      console.log("[Provider] chainChanged event:", newChainId);
+      setUser(
+        (prev) => prev ? { ...prev, lastWalletChainId: newChainId } : null
+      );
+      window.location.reload();
+    };
+    const handleDisconnect = () => {
+      console.log("[Provider] disconnect event");
+      setProviderState(null);
+      safeStorage.removeItem(STORAGE_KEYS.provider);
+    };
+    ethereum.on("accountsChanged", handleAccountsChanged);
+    ethereum.on("chainChanged", handleChainChanged);
+    ethereum.on("disconnect", handleDisconnect);
+    return () => {
+      ethereum.removeListener("accountsChanged", handleAccountsChanged);
+      ethereum.removeListener("chainChanged", handleChainChanged);
+      ethereum.removeListener("disconnect", handleDisconnect);
+    };
+  }, [user, logout, setUser]);
+  const publicValue = useMemo(
+    () => ({
+      config,
+      user,
+      provider,
+      setProvider,
+      setUser: (newUser) => {
+        setUser(newUser);
+        if (newUser) {
+          safeStorage.setItem(STORAGE_KEYS.user, JSON.stringify(newUser));
+        } else {
+          safeStorage.removeItem(STORAGE_KEYS.user);
+        }
+      },
+      chainId,
+      precheck,
+      relay,
+      logout,
+      isLoading,
+      error
+    }),
+    [
+      config,
+      user,
+      provider,
+      setProvider,
+      chainId,
+      precheck,
+      relay,
+      logout,
+      isLoading,
+      error
+    ]
+  );
+  const internalValue = useMemo(
+    () => ({
+      session: {
+        accessToken,
+        refreshToken: null
+        // Cookie-based, opaque
+      },
+      refreshAccessToken: async () => {
+        await client.post("/auth/refresh", {});
+        const token = client.getAccessToken();
+        setAccessTokenState(token);
+      },
+      setAccessToken: (token) => {
+        client.setAccessToken(token);
+        setAccessTokenState(token);
+      },
+      client
+      // Expose APIClient instance
+    }),
+    [client, accessToken]
+  );
+  return /* @__PURE__ */ jsx(VolrContext.Provider, { value: publicValue, children: /* @__PURE__ */ jsx(InternalAuthContext.Provider, { value: internalValue, children }) });
+}
+function useVolr() {
+  const context = useContext(VolrContext);
+  if (!context) {
+    throw new Error("useVolr must be used within VolrProvider");
+  }
+  return context;
+}
+
+// src/utils/validation.ts
+var DEFAULT_LIMITS = {
+  MAX_CALLS: 8,
+  MAX_GAS_LIMIT: 10000000n,
+  MAX_DATA_BYTES: 1e5
+};
+function validatePolicyId(policyId) {
+  if (!/^0x[a-fA-F0-9]{64}$/.test(policyId)) {
+    throw new Error("policyId must be 0x-prefixed 32-byte hex string");
+  }
+}
+function validateCallValue(value) {
+  if (value !== 0n) {
+    throw new Error("call.value must be 0 (policy does not allow ETH transfers)");
+  }
+}
+function validateCalls(calls, config = {}) {
+  const maxCalls = config.maxCalls ?? DEFAULT_LIMITS.MAX_CALLS;
+  const maxGasLimit = config.maxGasLimit ?? DEFAULT_LIMITS.MAX_GAS_LIMIT;
+  const maxDataBytes = config.maxDataBytes ?? DEFAULT_LIMITS.MAX_DATA_BYTES;
+  if (!calls || calls.length === 0) {
+    throw new Error("calls must not be empty");
+  }
+  if (calls.length > maxCalls) {
+    throw new Error(`calls.length (${calls.length}) exceeds maximum (${maxCalls})`);
+  }
+  for (const call of calls) {
+    validateCallValue(call.value);
+    if (call.gasLimit <= 0n) {
+      throw new Error("call.gasLimit must be > 0");
+    }
+    if (call.gasLimit > maxGasLimit) {
+      throw new Error(`call.gasLimit (${call.gasLimit}) exceeds maximum (${maxGasLimit})`);
+    }
+    const dataBytes = call.data.startsWith("0x") ? (call.data.length - 2) / 2 : call.data.length / 2;
+    if (dataBytes > maxDataBytes) {
+      throw new Error(`call.data length (${dataBytes} bytes) exceeds maximum (${maxDataBytes} bytes)`);
+    }
+    if (!call.target.startsWith("0x") || call.target.length !== 42) {
+      throw new Error("call.target must be valid Ethereum address");
+    }
+  }
+}
+function validatePrecheckInput(input, config = {}) {
+  validatePolicyId(input.auth.policyId);
+  validateCalls(input.calls, config);
+  const now = Math.floor(Date.now() / 1e3);
+  const skew = 60;
+  if (input.auth.expiresAt <= now + skew) {
+    throw new Error("auth.expiresAt must be > now + 60s");
+  }
+  if (input.auth.nonce < 0n) {
+    throw new Error("auth.nonce must be >= 0");
+  }
+}
+function validateRelayInput(input, config = {}) {
+  if (input.chainId === 0) {
+    throw new Error("chainId cannot be 0");
+  }
+  validatePrecheckInput(
+    {
+      auth: input.auth,
+      calls: input.calls
+    },
+    config
+  );
+  if (!input.authorizationList || input.authorizationList.length !== 1) {
+    throw new Error("authorizationList must have exactly 1 element");
+  }
+  input.authorizationList[0];
+  if (!input.sessionSig.startsWith("0x") || input.sessionSig.length !== 132) {
+    throw new Error("sessionSig must be 65-byte hex string (0x + 130 hex chars)");
+  }
+}
+
+// src/hooks/usePrecheck.ts
+function usePrecheck() {
+  const { precheck: precheckContext } = useVolr();
+  const [isLoading, setIsLoading] = useState(false);
+  const [error, setError] = useState(null);
+  const precheck = useCallback(
+    async (input) => {
+      try {
+        setIsLoading(true);
+        setError(null);
+        validatePrecheckInput(input);
+        return await precheckContext(input);
+      } catch (err) {
+        const error2 = err instanceof Error ? err : new Error("Precheck failed");
+        setError(error2);
+        throw error2;
+      } finally {
+        setIsLoading(false);
+      }
+    },
+    [precheckContext]
+  );
+  return {
+    precheck,
+    isLoading,
+    error
+  };
+}
+function useInternalAuth() {
+  const context = useContext(InternalAuthContext);
+  if (!context) {
+    throw new Error("useInternalAuth must be used within VolrProvider");
+  }
+  return context;
+}
+function useRelay() {
+  const { relay: relayContext } = useVolr();
+  const { client } = useInternalAuth();
+  const [isLoading, setIsLoading] = useState(false);
+  const [error, setError] = useState(null);
+  const relay = useCallback(
+    async (input, opts) => {
+      if (!opts?.signer) {
+        throw new Error("signer is required");
+      }
+      try {
+        setIsLoading(true);
+        setError(null);
+        if (input.chainId === 0) {
+          throw new Error("chainId cannot be 0");
+        }
+        const networkData = await client.get(
+          `/networks/${input.chainId}`
+        );
+        const invokerAddress = networkData.invokerAddress;
+        if (!invokerAddress) {
+          throw new Error(
+            `Invoker address not configured for chainId ${input.chainId}`
+          );
+        }
+        const { sessionSig } = await signSession({
+          signer: opts.signer,
+          from: input.from,
+          auth: input.auth,
+          calls: input.calls,
+          invokerAddress: input.from
+        });
+        if (!opts.rpcClient) {
+          throw new Error("rpcClient is required for relay");
+        }
+        const authNonce = await getAuthNonce(
+          opts.rpcClient,
+          input.from,
+          "sponsored"
+        );
+        const authorizationTuple = await signAuthorization({
+          signer: opts.signer,
+          chainId: input.chainId,
+          address: invokerAddress,
+          nonce: authNonce
+        });
+        if (authorizationTuple.address.toLowerCase() !== invokerAddress.toLowerCase()) {
+          throw new Error(
+            `Authorization tuple address mismatch: expected ${invokerAddress}, got ${authorizationTuple.address}`
+          );
+        }
+        const relayInput = {
+          ...input,
+          sessionSig,
+          authorizationList: [authorizationTuple]
+        };
+        validateRelayInput(relayInput);
+        return await relayContext(relayInput, {
+          idempotencyKey: opts.idempotencyKey
+        });
+      } catch (err) {
+        const error2 = err instanceof Error ? err : new Error("Relay failed");
+        setError(error2);
+        throw error2;
+      } finally {
+        setIsLoading(false);
+      }
+    },
+    [relayContext, client]
+  );
+  return {
+    relay,
+    isLoading,
+    error
+  };
+}
+
+// src/utils/normalize.ts
+function normalizeHex(value) {
+  const hex = value.startsWith("0x") ? value.slice(2) : value;
+  return `0x${hex.toLowerCase()}`;
+}
+function normalizeHexArray(values) {
+  return values.map(normalizeHex);
+}
+function buildCall(options) {
+  const data = encodeFunctionData({
+    abi: options.abi,
+    functionName: options.functionName,
+    args: options.args
+  });
+  if (options.estimateGas) ;
+  return {
+    target: options.target,
+    data,
+    value: options.value ?? BigInt(0),
+    gasLimit: options.gasLimit ?? BigInt(0)
+  };
+}
+function buildCalls(options) {
+  return options.map(buildCall);
+}
+
+// src/utils/rpc.ts
+function createExtendedRPCClient(publicClient) {
+  return {
+    call: async (args) => {
+      const result = await publicClient.call({
+        to: args.to,
+        data: args.data
+      });
+      return result?.data || "0x";
+    },
+    getTransactionCount: async (address, blockTag) => {
+      const count = await publicClient.getTransactionCount({
+        address,
+        blockTag: blockTag || "pending"
+      });
+      return BigInt(count);
+    }
+  };
+}
+
+// src/utils/network.ts
+var networkCache = /* @__PURE__ */ new Map();
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+function createGetRpcUrl(deps) {
+  const { client, rpcOverrides } = deps;
+  return async function getRpcUrl(chainId) {
+    const overrideUrl = rpcOverrides?.[chainId.toString()];
+    if (overrideUrl) {
+      return overrideUrl;
+    }
+    const cached = networkCache.get(chainId);
+    if (cached && cached.rpcUrl && Date.now() - cached.timestamp < CACHE_TTL_MS) {
+      return cached.rpcUrl;
+    }
+    const response = await client.get(`/networks/${chainId}?includeRpcUrl=true`);
+    if (!response.rpcUrl) {
+      throw new Error(
+        `RPC URL not available for chainId ${chainId}. Please provide it in config.rpcOverrides[${chainId}]`
+      );
+    }
+    networkCache.set(chainId, {
+      rpcUrl: response.rpcUrl,
+      name: response.name,
+      timestamp: Date.now()
+    });
+    return response.rpcUrl;
+  };
+}
+function createGetNetworkInfo(deps) {
+  const { client } = deps;
+  return async function getNetworkInfo(chainId, includeRpcUrl = false) {
+    const cached = networkCache.get(chainId);
+    if (cached && Date.now() - cached.timestamp < CACHE_TTL_MS) {
+      return {
+        name: cached.name || `Chain ${chainId}`,
+        rpcUrl: includeRpcUrl ? cached.rpcUrl : void 0
+      };
+    }
+    const response = await client.get(`/networks/${chainId}${includeRpcUrl ? "?includeRpcUrl=true" : ""}`);
+    networkCache.set(chainId, {
+      name: response.name,
+      rpcUrl: response.rpcUrl,
+      timestamp: Date.now()
+    });
+    return {
+      name: response.name,
+      rpcUrl: includeRpcUrl ? response.rpcUrl : void 0
+    };
+  };
+}
+function validatePolicyId2(policyId) {
+  if (!policyId) {
+    return;
+  }
+  if (!policyId.startsWith("0x")) {
+    throw new Error("policyId must start with 0x");
+  }
+  const hexPart = policyId.slice(2);
+  if (hexPart.length !== 64) {
+    throw new Error(`policyId must be 32 bytes (64 hex chars), got ${hexPart.length / 2} bytes`);
+  }
+  if (!/^[0-9a-f]+$/i.test(hexPart)) {
+    throw new Error("policyId must be valid hex string");
+  }
+  if (policyId.toLowerCase() === ZERO_HASH.toLowerCase()) {
+    throw new Error("Zero policyId is not allowed. Omit policyId to use project-specific policyId from backend.");
+  }
+}
+function validateCalls2(calls) {
+  if (calls.length === 0) {
+    throw new Error("calls array must not be empty");
+  }
+  if (calls.length > 8) {
+    throw new Error("calls array must not exceed 8 items");
+  }
+  for (const call of calls) {
+    if (call.value > 0n) {
+      console.warn("Call has non-zero value. Most policies forbid ETH transfers.");
+    }
+  }
+}
+function defaultGasLimit(data) {
+  const normalized = normalizeHex(data);
+  return normalized === "0x" || normalized === "0x0" ? 21000n : 100000n;
+}
+function normalizeCall(call) {
+  const normalizedTarget = getAddress(call.target);
+  const normalizedData = normalizeHex(call.data);
+  const value = call.value ?? 0n;
+  const gasLimit = call.gasLimit && call.gasLimit > 0n ? call.gasLimit : defaultGasLimit(normalizedData);
+  return {
+    target: normalizedTarget,
+    data: normalizedData,
+    value,
+    gasLimit
+  };
+}
+function normalizeCalls(calls) {
+  return calls.map(normalizeCall);
+}
+
+// src/wallet/preflight.ts
+function extractErrorMessage(err) {
+  if (err && typeof err === "object") {
+    const e = err;
+    const parts = [];
+    if (typeof e.shortMessage === "string") parts.push(e.shortMessage);
+    if (typeof e.message === "string") parts.push(e.message);
+    if (typeof e.cause?.message === "string") parts.push(e.cause.message);
+    if (typeof e.details === "string") parts.push(e.details);
+    const msg = parts.filter(Boolean).join(" | ");
+    if (msg) return msg;
+  }
+  try {
+    return String(err);
+  } catch {
+    return "Unknown error";
+  }
+}
+function isIgnorableFundingError(err, message) {
+  const m = message.toLowerCase();
+  const e = err;
+  const name = typeof e?.name === "string" ? e.name.toLowerCase() : "";
+  if (name === "insufficientfundserror" || name.includes("insufficientfunds")) {
+    return true;
+  }
+  if (typeof e?.code === "string") {
+    const code = e.code.toLowerCase();
+    if (code.includes("execution_reverted") || code.includes("call_exception")) {
+      return false;
+    }
+    if (code.includes("insufficient_funds")) {
+      return true;
+    }
+  }
+  const fundingPatterns = [
+    "insufficient funds for gas * price",
+    "insufficient funds for gas",
+    "for gas * price + value",
+    "not enough funds for l1 fee",
+    "insufficient funds for l1 fee",
+    "insufficient balance for gas",
+    "account balance too low"
+  ];
+  const hasFundingPattern = fundingPatterns.some((pattern) => m.includes(pattern));
+  const hasRevertIndicator = m.includes("revert") || m.includes("execution reverted") || m.includes("call exception") || m.includes("vm execution error");
+  return hasFundingPattern && !hasRevertIndicator;
+}
+async function preflightEstimate(publicClient, from, calls, opts) {
+  for (let i = 0; i < calls.length; i++) {
+    const c = calls[i];
+    try {
+      await publicClient.estimateGas({
+        account: from,
+        to: c.target,
+        data: c.data,
+        value: c.value ?? 0n
+      });
+    } catch (e) {
+      const message = extractErrorMessage(e);
+      const tolerateFunding = opts?.tolerateFundingErrors !== false;
+      const isFundingError = isIgnorableFundingError(e, message);
+      if (tolerateFunding && isFundingError) {
+        try {
+          await publicClient.call({
+            account: from,
+            to: c.target,
+            data: c.data,
+            value: c.value ?? 0n
+          });
+          console.log(
+            `[preflightEstimate] Ignoring funding error for call #${i} (target ${c.target}): ${message}`
+          );
+          continue;
+        } catch (callError) {
+          const callMessage = extractErrorMessage(callError);
+          console.error(
+            `[preflightEstimate] Static call after funding error also failed for call #${i} (target ${c.target}):`,
+            {
+              originalError: { message, errorName: e?.name, errorCode: e?.code },
+              callError: {
+                message: callMessage,
+                name: callError?.name,
+                code: callError?.code
+              }
+            }
+          );
+          throw new Error(
+            `Preflight failed (call #${i} target ${c.target}): ${callMessage}`
+          );
+        }
+      }
+      console.error(
+        `[preflightEstimate] Preflight failed for call #${i} (target ${c.target}):`,
+        {
+          message,
+          errorName: e?.name,
+          errorCode: e?.code,
+          isFundingError,
+          tolerateFunding
+        }
+      );
+      throw new Error(`Preflight failed (call #${i} target ${c.target}): ${message}`);
+    }
+  }
+}
+async function resolveSigner(input) {
+  const { explicitSigner, provider, chainId, client, user, setProvider } = input;
+  if (explicitSigner) {
+    return { signer: explicitSigner, activeProvider: null };
+  }
+  if (provider) {
+    await provider.ensureSession({ interactive: true, force: true });
+    const signerContext = {
+      provider,
+      chainId,
+      // Citrea testnet (5115) doesn't support P-256
+      p256Hint: false
+    };
+    const signer = await selectSigner(signerContext);
+    return { signer, activeProvider: provider };
+  }
+  if (user?.keyStorageType === "passkey" && user.blobUrl && user.prfInput && user.id) {
+    const { provider: restoredProvider } = await restorePasskey({
+      client,
+      userId: user.id,
+      blobUrl: user.blobUrl,
+      prfInput: user.prfInput,
+      credentialId: user.credentialId
+    });
+    await setProvider(restoredProvider);
+    await restoredProvider.ensureSession({ interactive: true, force: true });
+    const signerContext = {
+      provider: restoredProvider,
+      chainId,
+      p256Hint: false
+    };
+    const signer = await selectSigner(signerContext);
+    return { signer, activeProvider: restoredProvider };
+  }
+  throw new Error(
+    "No wallet provider configured. Please set up a Passkey provider to sign transactions. SIWE is authentication-only."
+  );
+}
+
+// src/utils/defaults.ts
+var DEFAULT_EXPIRES_IN_SEC = 900;
+var DEFAULT_MODE = "sponsored";
+function defaultIdempotencyKey() {
+  const c = globalThis.crypto;
+  return c?.randomUUID?.() ?? `${Date.now()}-${Math.random().toString(36).substring(2, 15)}`;
+}
+
+// src/wallet/auth.ts
+var GAS_CAP_BUFFER = 150000n;
+function computeTotalGasCap(calls) {
+  return calls.reduce((sum, c) => sum + (c.gasLimit ?? 0n), 0n) + GAS_CAP_BUFFER;
+}
+function buildTempAuth(input) {
+  const expiresAt = Math.floor(Date.now() / 1e3) + (input.expiresInSec ?? DEFAULT_EXPIRES_IN_SEC);
+  const totalGasCap = computeTotalGasCap(input.calls);
+  const sessionId = input.sessionId ?? 0n;
+  const policySnapshotHash = input.policySnapshotHash ?? ZERO_HASH;
+  const gasLimitMax = input.gasLimitMax ?? totalGasCap;
+  const maxFeePerGas = input.maxFeePerGas ?? 1000000000n;
+  const maxPriorityFeePerGas = input.maxPriorityFeePerGas ?? 1000000n;
+  return {
+    chainId: input.chainId,
+    sessionKey: input.from,
+    sessionId,
+    expiresAt,
+    policyId: normalizeHex(input.policyId),
+    nonce: 0n,
+    policySnapshotHash,
+    gasLimitMax,
+    maxFeePerGas,
+    maxPriorityFeePerGas,
+    totalGasCap
+  };
+}
+function finalizeAuthWithNonce(tempAuth, quote) {
+  let finalNonce;
+  if (quote?.currentOpNonce !== void 0 && quote.currentOpNonce !== null && quote.currentOpNonce !== "") {
+    const currentNonce = BigInt(quote.currentOpNonce);
+    finalNonce = currentNonce + 1n;
+  } else {
+    finalNonce = BigInt(Math.floor(Date.now() / 1e3));
+  }
+  const finalAuth = {
+    ...tempAuth,
+    nonce: finalNonce
+  };
+  if (quote?.policyId) {
+    finalAuth.policyId = normalizeHex(quote.policyId);
+  }
+  if (quote?.policySnapshotHash) {
+    finalAuth.policySnapshotHash = quote.policySnapshotHash;
+  }
+  return finalAuth;
+}
+
+// src/utils/tx-polling.ts
+async function pollTransactionStatus(txId, client, maxAttempts = 60, intervalMs = 5e3) {
+  for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    try {
+      const response = await client.get(`/wallet/transactions/${txId}`);
+      const { status, txHash } = response;
+      if (status === "CONFIRMED") {
+        console.log(`[pollTransactionStatus] Transaction ${txId} confirmed with txHash ${txHash}`);
+        return {
+          txId,
+          status: "CONFIRMED",
+          txHash
+        };
+      }
+      if (status === "FAILED") {
+        console.error(`[pollTransactionStatus] Transaction ${txId} failed`);
+        const diag = response.meta?.developerDiagnostics;
+        if (diag) {
+          console.error("[volr][relay] developerDiagnostics:", diag);
+        }
+        return {
+          txId,
+          status: "FAILED",
+          txHash
+        };
+      }
+      console.log(`[pollTransactionStatus] Transaction ${txId} is ${status}, attempt ${attempt + 1}/${maxAttempts}`);
+      await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    } catch (error) {
+      console.error(`[pollTransactionStatus] Error polling transaction ${txId}:`, error);
+      await new Promise((resolve) => setTimeout(resolve, intervalMs));
+    }
+  }
+  console.warn(`[pollTransactionStatus] Polling timeout for transaction ${txId}`);
+  return {
+    txId,
+    status: "PENDING"
+  };
+}
+
+// src/wallet/sender.ts
+async function sendCalls(args) {
+  const { chainId, from, calls, opts, deps } = args;
+  if (chainId === 0) {
+    throw new Error("chainId cannot be 0");
+  }
+  const effectivePolicyId = opts.policyId?.toLowerCase() === ZERO_HASH.toLowerCase() ? void 0 : opts.policyId;
+  validatePolicyId2(effectivePolicyId);
+  const normalizedFrom = from;
+  const normalizedCalls = normalizeCalls(calls);
+  validateCalls2(normalizedCalls);
+  let currentUser = deps.user;
+  if (deps.user?.keyStorageType === "passkey" && !deps.provider) {
+    try {
+      const refreshResponse = await deps.client.post("/auth/refresh", {});
+      if (refreshResponse.user) {
+        currentUser = refreshResponse.user;
+      }
+    } catch (error) {
+      console.warn("[sendCalls] Failed to refresh user data before transaction:", error);
+    }
+  }
+  if (opts.preflight !== false) {
+    const tolerateFundingErrors = (opts.mode ?? "sponsored") !== "self";
+    await preflightEstimate(deps.publicClient, normalizedFrom, normalizedCalls, { tolerateFundingErrors });
+  }
+  const { signer, activeProvider } = await resolveSigner({
+    explicitSigner: opts.signer,
+    provider: deps.provider,
+    chainId,
+    client: deps.client,
+    user: currentUser,
+    setProvider: deps.setProvider
+  });
+  let projectPolicyId;
+  if (!effectivePolicyId) {
+    const tempAuthForPrecheck = buildTempAuth({
+      chainId,
+      from: normalizedFrom,
+      policyId: ZERO_HASH,
+      calls: normalizedCalls,
+      expiresInSec: opts.expiresInSec ?? DEFAULT_EXPIRES_IN_SEC
+    });
+    let precheckQuote;
+    try {
+      precheckQuote = await deps.precheck({ auth: tempAuthForPrecheck, calls: normalizedCalls });
+    } catch (err) {
+      throw new Error(`Precheck failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const quotePolicyId = precheckQuote.policyId;
+    if (!quotePolicyId) {
+      throw new Error("Backend did not return policyId in precheck response");
+    }
+    projectPolicyId = quotePolicyId;
+  } else {
+    projectPolicyId = effectivePolicyId;
+  }
+  const tempAuth = buildTempAuth({
+    chainId,
+    from: normalizedFrom,
+    policyId: projectPolicyId,
+    calls: normalizedCalls,
+    expiresInSec: opts.expiresInSec ?? DEFAULT_EXPIRES_IN_SEC
+  });
+  let quote;
+  try {
+    quote = await deps.precheck({ auth: tempAuth, calls: normalizedCalls });
+  } catch (err) {
+    console.warn("[useVolrWallet] Precheck failed:", err);
+  }
+  const auth = finalizeAuthWithNonce(tempAuth, quote);
+  const idempotencyKey = opts.idempotencyKey ?? defaultIdempotencyKey();
+  try {
+    const result = await deps.relay(
+      { chainId, from: normalizedFrom, auth, calls: normalizedCalls },
+      { signer, rpcClient: deps.rpcClient, idempotencyKey }
+    );
+    if (result.status === "QUEUED" || result.status === "PENDING") {
+      console.log(`[useVolrWallet] Transaction ${result.txId} is ${result.status}, starting polling...`);
+      return await pollTransactionStatus(result.txId, deps.client);
+    }
+    return result;
+  } finally {
+    if (activeProvider && activeProvider.lock) {
+      try {
+        await activeProvider.lock();
+      } catch {
+      }
+    }
+  }
+}
+
+// src/hooks/useVolrWallet.ts
+function useVolrWallet() {
+  const { user, config, provider, setProvider } = useVolr();
+  const { precheck } = usePrecheck();
+  const { relay } = useRelay();
+  const { client } = useInternalAuth();
+  const getRpcUrl = useCallback(
+    createGetRpcUrl({ client, rpcOverrides: config.rpcOverrides }),
+    [client, config.rpcOverrides]
+  );
+  const evm = useCallback(
+    (chainId) => {
+      if (chainId === 0) {
+        throw new Error("chainId cannot be 0");
+      }
+      let publicClient = null;
+      let extendedRpcClient = null;
+      const ensureRpcClient = async () => {
+        if (!publicClient) {
+          const rpcUrl = await getRpcUrl(chainId);
+          publicClient = createPublicClient({
+            transport: http(rpcUrl)
+          });
+          extendedRpcClient = createExtendedRPCClient(publicClient);
+        }
+        return { publicClient, extendedRpcClient };
+      };
+      return {
+        readContract: async (args) => {
+          const { publicClient: client2 } = await ensureRpcClient();
+          return client2.readContract(args);
+        },
+        sendTransaction: async (tx, opts) => {
+          const { publicClient: publicClient2, extendedRpcClient: rpcClient } = await ensureRpcClient();
+          const from = opts.from ?? user?.evmAddress;
+          if (!from) {
+            throw new Error(
+              "from address is required. Provide it in opts.from or set user.evmAddress in VolrProvider. If you haven't set up a wallet provider yet, please complete the onboarding flow."
+            );
+          }
+          const call = {
+            target: getAddress(tx.to),
+            data: normalizeHex(tx.data),
+            value: tx.value ?? 0n,
+            gasLimit: tx.gasLimit ?? 0n
+          };
+          return await sendCalls({
+            chainId,
+            from: getAddress(from),
+            calls: [call],
+            opts,
+            deps: {
+              publicClient: publicClient2,
+              rpcClient,
+              precheck,
+              relay,
+              client,
+              user: user ?? null,
+              provider: provider ?? null,
+              setProvider
+            }
+          });
+        },
+        sendBatch: (async (calls, opts) => {
+          const { publicClient: publicClient2, extendedRpcClient: rpcClient } = await ensureRpcClient();
+          const from = opts.from ?? user?.evmAddress;
+          if (!from) {
+            throw new Error(
+              "from address is required. Provide it in opts.from or set user.evmAddress in VolrProvider. If you haven't set up a wallet provider yet, please complete the onboarding flow."
+            );
+          }
+          const isCallArray = (calls2) => {
+            return Array.isArray(calls2) && calls2.length > 0 && "data" in calls2[0] && !("abi" in calls2[0]);
+          };
+          const builtCalls = isCallArray(calls) ? calls : buildCalls(calls);
+          return await sendCalls({
+            chainId,
+            from: getAddress(from),
+            calls: builtCalls.map((c) => ({
+              target: getAddress(c.target),
+              data: normalizeHex(c.data),
+              value: c.value ?? 0n,
+              gasLimit: c.gasLimit ?? 0n
+            })),
+            opts,
+            deps: {
+              publicClient: publicClient2,
+              rpcClient,
+              precheck,
+              relay,
+              client,
+              user: user ?? null,
+              provider: provider ?? null,
+              setProvider
+            }
+          });
+        })
+      };
+    },
+    [user, config, provider, precheck, relay, getRpcUrl]
+  );
+  return { evm };
+}
+function createAxiosInstance(baseUrl, apiKey) {
+  const instance = axios.create({
+    baseURL: baseUrl.replace(/\/+$/, ""),
+    // Remove trailing slashes
+    withCredentials: true,
+    // Include cookies
+    headers: {
+      "Content-Type": "application/json"
+    }
+  });
+  instance.interceptors.request.use((config) => {
+    if (apiKey) {
+      config.headers["X-API-Key"] = apiKey;
+    }
+    return config;
+  });
+  instance.interceptors.response.use(
+    (response) => response,
+    (error) => {
+      if (error.response?.data) {
+        const errorData = error.response.data;
+        if (errorData.error?.message) {
+          error.message = errorData.error.message;
+        }
+      }
+      return Promise.reject(error);
+    }
+  );
+  return instance;
+}
+
+// src/hooks/useVolrLogin.ts
+function useVolrLogin() {
+  const { config, setUser } = useVolr();
+  const { refreshAccessToken, setAccessToken } = useInternalAuth();
+  const toVolrUser = useCallback((u) => {
+    return {
+      id: u.id,
+      email: u.email,
+      accountId: u.accountId ?? void 0,
+      evmAddress: u.evmAddress,
+      keyStorageType: u.keyStorageType ?? void 0,
+      signerType: u.signerType ?? void 0,
+      walletConnector: u.walletConnector ?? void 0,
+      lastWalletChainId: u.lastWalletChainId ?? void 0,
+      blobUrl: u.blobUrl ?? void 0,
+      prfInput: u.prfInput ?? void 0,
+      credentialId: u.credentialId ?? void 0
+    };
+  }, []);
+  const api = useMemo(
+    () => createAxiosInstance(config.apiBaseUrl, config.projectApiKey),
+    [config.apiBaseUrl, config.projectApiKey]
+  );
+  const requestEmailCode = useCallback(
+    async (email) => {
+      const normalizedEmail = email.trim().toLowerCase();
+      if (!normalizedEmail || !normalizedEmail.includes("@")) {
+        throw new Error("Invalid email address");
+      }
+      const response = await api.post("/auth/email/send", {
+        email: normalizedEmail
+      });
+      if (!response.data?.ok) {
+        throw new Error(
+          response.data?.error?.message || "Failed to send verification code"
+        );
+      }
+      safeStorage.setItem(STORAGE_KEYS.lastEmail, normalizedEmail);
+    },
+    [api]
+  );
+  const verifyEmailCode = useCallback(
+    async (email, code) => {
+      const normalizedEmail = email.trim().toLowerCase();
+      if (!normalizedEmail || !normalizedEmail.includes("@")) {
+        throw new Error("Invalid email address");
+      }
+      const normalizedCode = code.trim();
+      if (!/^\d{6}$/.test(normalizedCode)) {
+        throw new Error("Invalid code format");
+      }
+      const response = await api.post("/auth/email/verify", {
+        email: normalizedEmail,
+        code: normalizedCode
+      });
+      if (!response.data?.ok) {
+        throw new Error(
+          response.data?.error?.message || "Invalid verification code"
+        );
+      }
+      const verifyData = response.data;
+      const userFromServer = verifyData?.data?.user;
+      const isNewUser = !!verifyData?.data?.isNewUser;
+      const accessToken = verifyData?.data?.accessToken || "";
+      if (!accessToken) {
+        throw new Error(
+          "Access token is required but was not provided by the server"
+        );
+      }
+      setAccessToken(accessToken);
+      await refreshAccessToken();
+      if (userFromServer) {
+        setUser(toVolrUser(userFromServer));
+      } else {
+        setUser({ id: "", email: normalizedEmail });
+      }
+      return {
+        userId: userFromServer?.id || "",
+        isNewUser,
+        keyStorageType: userFromServer?.keyStorageType ?? null,
+        signerType: userFromServer?.signerType ?? null,
+        accessToken
+      };
+    },
+    [api, refreshAccessToken, setAccessToken, setUser, toVolrUser]
+  );
+  const handleSocialLogin = useCallback(
+    async (provider) => {
+      if (typeof window !== "undefined") {
+        const baseUrl = config.apiBaseUrl.replace(/\/+$/, "");
+        window.location.href = `${baseUrl}/auth/${provider}`;
+      }
+    },
+    [config.apiBaseUrl]
+  );
+  const requestSiweNonce = useCallback(async () => {
+    const response = await api.get("/auth/siwe/nonce");
+    if (!response.data?.ok) {
+      throw new Error(
+        response.data?.error?.message || "Failed to generate nonce"
+      );
+    }
+    return response.data.data.nonce;
+  }, [api]);
+  const verifySiweSignature = useCallback(
+    async (message, signature, options) => {
+      try {
+        const response = await api.post("/auth/siwe/verify", {
+          message,
+          signature,
+          walletConnector: options?.walletConnector,
+          chainId: options?.chainId
+        });
+        if (!response.data?.ok) {
+          console.error(
+            "[verifySiweSignature] Backend returned error:",
+            response.data
+          );
+          throw new Error(
+            response.data?.error?.message || "Invalid SIWE signature"
+          );
+        }
+        const verifyData = response.data;
+        const userFromServer = verifyData?.data?.user;
+        const isNewUser = !!verifyData?.data?.isNewUser;
+        const accessToken = verifyData?.data?.accessToken || "";
+        if (!accessToken) {
+          throw new Error(
+            "Access token is required but was not provided by the server"
+          );
+        }
+        setAccessToken(accessToken);
+        await refreshAccessToken();
+        if (userFromServer) {
+          setUser(toVolrUser(userFromServer));
+        }
+        return {
+          userId: userFromServer?.id || "",
+          isNewUser,
+          keyStorageType: userFromServer?.keyStorageType ?? null,
+          signerType: userFromServer?.signerType ?? null,
+          accessToken
+        };
+      } catch (error) {
+        console.error("[verifySiweSignature] Error details:", {
+          message: error.message,
+          response: error.response?.data,
+          status: error.response?.status
+        });
+        throw error;
+      }
+    },
+    [api, refreshAccessToken, setAccessToken, setUser, toVolrUser]
+  );
+  const handlePasskeyComplete = useCallback(async () => {
+  }, []);
+  return {
+    requestEmailCode,
+    verifyEmailCode,
+    handleSocialLogin,
+    requestSiweNonce,
+    verifySiweSignature,
+    handlePasskeyComplete
+  };
+}
+async function jsonRpc(rpcUrl, method, params) {
+  const payload = {
+    jsonrpc: "2.0",
+    id: Date.now(),
+    method,
+    params
+  };
+  const res = await fetch(rpcUrl, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(payload)
+  });
+  if (!res.ok) {
+    throw new Error(`RPC ${method} failed: ${res.status} ${res.statusText}`);
+  }
+  const body = await res.json();
+  if (body.error) {
+    throw new Error(body.error.message || "RPC error");
+  }
+  return body.result;
+}
+function hexToBigInt(hex) {
+  if (!hex) return 0n;
+  return BigInt(hex);
+}
+function pad32(address) {
+  return `0x${address.toLowerCase().replace(/^0x/, "").padStart(64, "0")}`;
+}
+function balanceOfCalldata(address) {
+  const selector = "0x70a08231";
+  return `${selector}${pad32(address).slice(2)}`;
+}
+function useDepositListener(input) {
+  const { config } = useVolr();
+  const { client } = useInternalAuth();
+  const [status, setStatus] = useState({ state: "idle" });
+  const intervalRef = useRef(null);
+  const rpcUrlRef = useRef(null);
+  const getRpcUrl = useCallback(
+    createGetRpcUrl({ client, rpcOverrides: config.rpcOverrides }),
+    [client, config.rpcOverrides]
+  );
+  useEffect(() => {
+    let cancelled = false;
+    const fetchBalance = async () => {
+      try {
+        if (!rpcUrlRef.current) {
+          throw new Error("RPC URL not initialized");
+        }
+        const rpcUrl = rpcUrlRef.current;
+        if (input.asset.kind === "native") {
+          const result = await jsonRpc(rpcUrl, "eth_getBalance", [
+            input.address,
+            "latest"
+          ]);
+          return hexToBigInt(result);
+        } else {
+          const data = balanceOfCalldata(input.address);
+          const result = await jsonRpc(rpcUrl, "eth_call", [
+            { to: input.asset.token.address, data },
+            "latest"
+          ]);
+          return hexToBigInt(result);
+        }
+      } catch (err) {
+        throw new Error(
+          err?.message || "Failed to fetch balance from RPC endpoint"
+        );
+      }
+    };
+    const start = async () => {
+      try {
+        if (!rpcUrlRef.current) {
+          rpcUrlRef.current = await getRpcUrl(input.chainId);
+          console.log("[DepositListener] RPC URL:", rpcUrlRef.current);
+        }
+        const initial = await fetchBalance();
+        console.log("[DepositListener] Initial balance:", initial.toString());
+        if (cancelled) return;
+        setStatus({ state: "listening", balance: initial });
+      } catch (e) {
+        console.error("[DepositListener] Error:", e);
+        if (cancelled) return;
+        setStatus({ state: "error", message: e.message || String(e) });
+        return;
+      }
+      const intervalMs = input.pollIntervalMs ?? config.deposit?.pollIntervalMs ?? 6e3;
+      console.log("[DepositListener] Polling interval:", intervalMs, "ms");
+      intervalRef.current = window.setInterval(async () => {
+        try {
+          const current = await fetchBalance();
+          console.log("[DepositListener] Current balance:", current.toString());
+          if (cancelled) return;
+          setStatus((prev) => {
+            if (prev.state === "listening") {
+              if (current > prev.balance) {
+                console.log("[DepositListener] \u2705 DEPOSIT DETECTED! Previous:", prev.balance.toString(), "New:", current.toString());
+                return {
+                  state: "detected",
+                  previousBalance: prev.balance,
+                  newBalance: current,
+                  delta: current - prev.balance
+                };
+              }
+              if (current !== prev.balance) {
+                console.log("[DepositListener] \u26A0\uFE0F Balance changed (decreased or other). Previous:", prev.balance.toString(), "New:", current.toString());
+                return {
+                  state: "detected",
+                  previousBalance: prev.balance,
+                  newBalance: current,
+                  delta: current - prev.balance
+                };
+              }
+              return prev;
+            }
+            if (prev.state === "detected") {
+              console.log("[DepositListener] Resuming listening from new balance:", current.toString());
+              return { state: "listening", balance: current };
+            }
+            return prev;
+          });
+        } catch (err) {
+          console.error("[DepositListener] Polling error:", err);
+          if (cancelled) return;
+          setStatus({ state: "error", message: err.message || String(err) });
+        }
+      }, intervalMs);
+    };
+    start();
+    return () => {
+      cancelled = true;
+      rpcUrlRef.current = null;
+      if (intervalRef.current !== null) {
+        clearInterval(intervalRef.current);
+      }
+    };
+  }, [getRpcUrl, input.chainId, input.address, JSON.stringify(input.asset)]);
+  return status;
+}
+async function enrollPasskey(params) {
+  const {
+    client,
+    baseUrl,
+    apiKey,
+    userId,
+    userEmail,
+    projectId,
+    rpId = typeof window !== "undefined" ? window.location.hostname : "localhost",
+    rpName = "Volr"
+  } = params;
+  if (!userId) {
+    throw new Error("userId is required");
+  }
+  if (!userEmail) {
+    throw new Error("userEmail is required");
+  }
+  if (!projectId) {
+    throw new Error("projectId is required");
+  }
+  if (!baseUrl) {
+    throw new Error("baseUrl is required");
+  }
+  if (!apiKey) {
+    throw new Error("apiKey is required");
+  }
+  if (!navigator.credentials || !navigator.credentials.create) {
+    throw new Error("WebAuthn API is not supported");
+  }
+  const challenge = new Uint8Array(32);
+  crypto.getRandomValues(challenge);
+  const userHandle = new TextEncoder().encode(userId);
+  const tempCredentialId = "temp-" + Date.now();
+  const origin = typeof window !== "undefined" ? window.location.origin : "https://localhost";
+  const tempPrfInput = {
+    origin,
+    projectId,
+    credentialId: tempCredentialId
+  };
+  const prfSalt = deriveWrapKey(tempPrfInput);
+  const publicKeyCredentialCreationOptions = {
+    challenge,
+    rp: {
+      name: rpName,
+      id: rpId
+    },
+    user: {
+      id: userHandle,
+      name: userEmail,
+      displayName: userEmail
+    },
+    pubKeyCredParams: PUBKEY_CRED_PARAMS,
+    authenticatorSelection: AUTHENTICATOR_SELECTION,
+    timeout: WEBAUTHN_TIMEOUT,
+    attestation: ATTESTATION,
+    extensions: {
+      prf: {
+        eval: {
+          first: prfSalt.buffer
+        }
+      }
+    }
+  };
+  const credential = await navigator.credentials.create({
+    publicKey: publicKeyCredentialCreationOptions
+  });
+  if (!credential || !("response" in credential)) {
+    throw new Error("Failed to create passkey credential");
+  }
+  const credentialId = Array.from(new Uint8Array(credential.rawId)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  const extensionResults = credential.getClientExtensionResults();
+  if (!extensionResults.prf || !extensionResults.prf.results || !extensionResults.prf.results.first) {
+    throw new Error("PRF extension not supported or PRF output missing. Please use a browser that supports WebAuthn PRF extension.");
+  }
+  const prfOutputBuffer = extensionResults.prf.results.first;
+  const prfOutput = new Uint8Array(prfOutputBuffer);
+  const prfInput = {
+    origin,
+    projectId,
+    credentialId
+  };
+  const wrapKey = prfOutput;
+  const masterKeyProvider = createMasterKeyProvider();
+  const masterSeedHandle = await masterKeyProvider.generate();
+  try {
+    const keyStorageType = "passkey";
+    const version = "v1";
+    const aadBytes = new TextEncoder().encode(
+      `volr/master-seed/v1|${userId}|${keyStorageType}|${version}`
+    );
+    const encryptedBlob = await sealMasterSeed(
+      masterSeedHandle.bytes,
+      wrapKey,
+      aadBytes
+    );
+    const blob = new Blob(
+      [
+        encryptedBlob.cipher,
+        encryptedBlob.nonce
+      ],
+      {
+        type: "application/octet-stream"
+      }
+    );
+    const accessToken = client.getAccessToken();
+    if (!accessToken) {
+      throw new Error("Access token is required for blob upload");
+    }
+    const { key: blobUrl } = await uploadBlob({
+      baseUrl,
+      apiKey,
+      accessToken,
+      blob
+      // Don't pass axiosInstance - let uploadBlob create its own
+    });
+    if (!blobUrl) {
+      throw new Error("Failed to upload blob: missing key");
+    }
+    const keypair = deriveEvmKey({ masterSeed: masterSeedHandle.bytes });
+    const address = keypair.address;
+    const registerResponse = await client.post("/wallet/provider/register", {
+      keyStorageType: "passkey",
+      credentialId,
+      blobUrl,
+      prfInput: {
+        origin,
+        projectId,
+        credentialId
+      },
+      address
+    });
+    return {
+      credentialId,
+      blobUrl,
+      prfInput,
+      address,
+      encryptedBlob: {
+        cipher: encryptedBlob.cipher,
+        nonce: encryptedBlob.nonce
+      },
+      aad: aadBytes,
+      user: registerResponse.user
+    };
+  } finally {
+    masterSeedHandle.destroy();
+  }
+}
+function usePasskeyEnrollment() {
+  const { config, setProvider, setUser, user } = useVolr();
+  const { client } = useInternalAuth();
+  const [step, setStep] = useState("idle");
+  const [isEnrolling, setIsEnrolling] = useState(false);
+  const [error, setError] = useState(null);
+  const isEnrollingRef = useRef(false);
+  const enroll = useCallback(async () => {
+    if (isEnrollingRef.current || isEnrolling) return;
+    isEnrollingRef.current = true;
+    setIsEnrolling(true);
+    setError(null);
+    setStep("creating");
+    try {
+      if (!user?.id) {
+        throw new Error("User ID is required for passkey enrollment");
+      }
+      if (!user?.email) {
+        throw new Error("User email is required for passkey enrollment");
+      }
+      const accessToken = client.getAccessToken();
+      if (!accessToken) {
+        throw new Error("Access token is required for passkey enrollment. Please login first.");
+      }
+      const projectId = user.id;
+      setStep("encrypting");
+      const result = await enrollPasskey({
+        client,
+        baseUrl: config.apiBaseUrl,
+        apiKey: config.projectApiKey,
+        userId: user.id,
+        userEmail: user.email,
+        projectId
+      });
+      setStep("registering");
+      if (typeof window !== "undefined") {
+        safeStorage.setItem(STORAGE_KEYS.credentialId, result.credentialId);
+      }
+      const passkeyAdapter = createPasskeyAdapter({
+        rpId: typeof window !== "undefined" ? window.location.hostname : "localhost",
+        rpName: "Volr"
+      });
+      const provider = createPasskeyProvider(passkeyAdapter, {
+        prfInput: result.prfInput,
+        encryptedBlob: result.encryptedBlob,
+        aad: result.aad
+      });
+      if (result.user) {
+        setUser(result.user);
+      } else {
+        const nextUser = {
+          ...user,
+          id: user.id,
+          email: user.email,
+          keyStorageType: "passkey",
+          evmAddress: result.address,
+          blobUrl: result.blobUrl,
+          prfInput: result.prfInput,
+          credentialId: result.credentialId
+        };
+        setUser(nextUser);
+      }
+      await setProvider(provider);
+      setStep("idle");
+    } catch (err) {
+      const error2 = err instanceof Error ? err : new Error("Failed to enroll passkey");
+      setError(error2);
+      setStep("idle");
+      throw error2;
+    } finally {
+      setIsEnrolling(false);
+      isEnrollingRef.current = false;
+    }
+  }, [
+    client,
+    config.apiBaseUrl,
+    config.projectApiKey,
+    user,
+    setProvider,
+    setUser,
+    isEnrolling
+  ]);
+  return {
+    enroll,
+    step,
+    isEnrolling,
+    error
+  };
+}
+
+// src/headless/mpc-transport.ts
+function createBackendMpcTransport(params) {
+  const { client } = params;
+  let currentSessionToken;
+  let cachedAddress;
+  return {
+    async ensureSession() {
+      if (currentSessionToken) {
+        return;
+      }
+      const response = await client.post(
+        "/wallet/mpc/connect",
+        {}
+      );
+      currentSessionToken = response.sessionToken;
+    },
+    async getAddress() {
+      if (cachedAddress) {
+        return cachedAddress;
+      }
+      await this.ensureSession();
+      const response = await client.get(
+        "/wallet/mpc/address"
+      );
+      cachedAddress = response.address;
+      return cachedAddress;
+    },
+    async signMessage(hash32) {
+      await this.ensureSession();
+      const hashHex = Array.from(hash32).map((b) => b.toString(16).padStart(2, "0")).join("");
+      const response = await client.post("/wallet/mpc/sign", {
+        hash: hashHex
+      });
+      const rHex = response.r.startsWith("0x") ? response.r.slice(2) : response.r;
+      const sHex = response.s.startsWith("0x") ? response.s.slice(2) : response.s;
+      const r = new Uint8Array(32);
+      const s = new Uint8Array(32);
+      for (let i = 0; i < 32; i++) {
+        r[i] = parseInt(rHex.slice(i * 2, i * 2 + 2), 16);
+        s[i] = parseInt(sHex.slice(i * 2, i * 2 + 2), 16);
+      }
+      return {
+        r,
+        s,
+        yParity: response.yParity
+      };
+    },
+    async signTypedData(input) {
+      await this.ensureSession();
+      const response = await client.post(
+        "/wallet/mpc/sign-typed",
+        {
+          domain: input.domain,
+          types: input.types,
+          message: input.message
+        }
+      );
+      return response.signature;
+    },
+    async getPublicKey() {
+      await this.ensureSession();
+      const response = await client.get(
+        "/wallet/mpc/public-key"
+      );
+      const pubKeyHex = response.publicKey.startsWith("0x") ? response.publicKey.slice(2) : response.publicKey;
+      const pubKey = new Uint8Array(65);
+      for (let i = 0; i < 65; i++) {
+        pubKey[i] = parseInt(pubKeyHex.slice(i * 2, i * 2 + 2), 16);
+      }
+      return pubKey;
+    }
+  };
+}
+
+// src/headless/wallet-provider.ts
+async function registerWalletProvider(params) {
+  const { client, keyStorageType, address, credentialId, blobUrl, prfInput } = params;
+  if (!keyStorageType) {
+    throw new Error("keyStorageType is required");
+  }
+  if (!address) {
+    throw new Error("address is required");
+  }
+  if (keyStorageType === "passkey") {
+    if (!credentialId) {
+      throw new Error("credentialId is required for passkey");
+    }
+    if (!blobUrl) {
+      throw new Error("blobUrl is required for passkey");
+    }
+    if (!prfInput) {
+      throw new Error("prfInput is required for passkey");
+    }
+  }
+  await client.post("/wallet/provider/register", {
+    keyStorageType,
+    address,
+    ...keyStorageType === "passkey" && {
+      credentialId,
+      blobUrl,
+      prfInput
+    }
+  });
+}
+function useMpcConnection() {
+  const { setProvider } = useVolr();
+  const { client } = useInternalAuth();
+  const [step, setStep] = useState("idle");
+  const [isConnecting, setIsConnecting] = useState(false);
+  const [error, setError] = useState(null);
+  const connect = useCallback(async () => {
+    if (isConnecting) return;
+    setIsConnecting(true);
+    setError(null);
+    setStep("connecting");
+    try {
+      const transport = createBackendMpcTransport({ client });
+      await transport.ensureSession();
+      const address = await transport.getAddress();
+      setStep("registering");
+      await registerWalletProvider({
+        client,
+        keyStorageType: "mpc",
+        address
+      });
+      const provider = createMpcProvider(transport);
+      await setProvider(provider);
+      setStep("idle");
+    } catch (err) {
+      const error2 = err instanceof Error ? err : new Error("Failed to connect to MPC provider");
+      setError(error2);
+      setStep("idle");
+      throw error2;
+    } finally {
+      setIsConnecting(false);
+    }
+  }, [client, setProvider, isConnecting]);
+  return {
+    connect,
+    step,
+    isConnecting,
+    error
+  };
+}
+
+// src/headless/blobs.ts
+async function uploadBlobViaPresign(params) {
+  const { baseUrl, apiKey, blob, contentType = "application/octet-stream" } = params;
+  const api = createAxiosInstance(baseUrl, apiKey);
+  const presignResponse = await api.post("/blob/presign", {
+    op: "put",
+    contentType
+  });
+  const presignData = presignResponse.data?.data || presignResponse.data;
+  const uploadUrl = presignData.url;
+  const s3Key = presignData.s3Key;
+  const putRes = await fetch(uploadUrl, {
+    method: "PUT",
+    body: blob,
+    headers: {
+      "Content-Type": contentType,
+      "x-amz-server-side-encryption": "AES256"
+    },
+    mode: "cors"
+  });
+  if (!putRes.ok) {
+    const text = await putRes.text().catch(() => "");
+    throw new Error(`Failed to upload to S3 (${putRes.status}): ${text || putRes.statusText}`);
+  }
+  return { s3Key };
+}
+
+export { DEFAULT_EXPIRES_IN_SEC, DEFAULT_MODE, VolrProvider, buildCall, buildCalls, createGetNetworkInfo, createPasskeyAdapter, defaultIdempotencyKey, normalizeHex, normalizeHexArray, uploadBlobViaPresign, useDepositListener, useInternalAuth, useMpcConnection, usePasskeyEnrollment, usePrecheck, useRelay, useVolr, useVolrLogin, useVolrWallet };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map