@zendfi/sdk 0.3.1 → 0.5.0

package/dist/index.js

@@ -30,14 +30,49 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
-  AuthenticationError: () => AuthenticationError,
+  AgentAPI: () => AgentAPI,
+  ApiError: () => ApiError,
+  AuthenticationError: () => AuthenticationError2,
+  AutonomyAPI: () => AutonomyAPI,
   ConfigLoader: () => ConfigLoader,
-  NetworkError: () => NetworkError,
-  RateLimitError: () => RateLimitError,
-  ValidationError: () => ValidationError,
+  DeviceBoundSessionKey: () => DeviceBoundSessionKey,
+  DeviceFingerprintGenerator: () => DeviceFingerprintGenerator,
+  ERROR_CODES: () => ERROR_CODES,
+  InterceptorManager: () => InterceptorManager,
+  LitCryptoSigner: () => LitCryptoSigner,
+  NetworkError: () => NetworkError2,
+  PaymentError: () => PaymentError,
+  PaymentIntentsAPI: () => PaymentIntentsAPI,
+  PricingAPI: () => PricingAPI,
+  RateLimitError: () => RateLimitError2,
+  RateLimiter: () => RateLimiter,
+  RecoveryQRGenerator: () => RecoveryQRGenerator,
+  SPENDING_LIMIT_ACTION_CID: () => SPENDING_LIMIT_ACTION_CID,
+  SessionKeyCrypto: () => SessionKeyCrypto,
+  SmartPaymentsAPI: () => SmartPaymentsAPI,
+  ValidationError: () => ValidationError2,
+  WebhookError: () => WebhookError,
   ZendFiClient: () => ZendFiClient,
-  ZendFiError: () => ZendFiError,
+  ZendFiError: () => ZendFiError2,
+  ZendFiSessionKeyManager: () => ZendFiSessionKeyManager,
+  asAgentKeyId: () => asAgentKeyId,
+  asEscrowId: () => asEscrowId,
+  asInstallmentPlanId: () => asInstallmentPlanId,
+  asIntentId: () => asIntentId,
+  asInvoiceId: () => asInvoiceId,
+  asMerchantId: () => asMerchantId,
+  asPaymentId: () => asPaymentId,
+  asPaymentLinkCode: () => asPaymentLinkCode,
+  asSessionId: () => asSessionId,
+  asSubscriptionId: () => asSubscriptionId,
+  createZendFiError: () => createZendFiError,
+  decodeSignatureFromLit: () => decodeSignatureFromLit,
+  encodeTransactionForLit: () => encodeTransactionForLit,
+  generateIdempotencyKey: () => generateIdempotencyKey,
+  isZendFiError: () => isZendFiError,
   processWebhook: () => processWebhook,
+  requiresLitSigning: () => requiresLitSigning,
+  sleep: () => sleep,
   verifyExpressWebhook: () => verifyExpressWebhook,
   verifyNextWebhook: () => verifyNextWebhook,
   verifyWebhookSignature: () => verifyWebhookSignature,
@@ -50,39 +85,16 @@ var import_cross_fetch = __toESM(require("cross-fetch"));
 var import_crypto = require("crypto");
 
 // src/types.ts
-var ZendFiError = class extends Error {
-  constructor(message, statusCode, code, details) {
-    super(message);
-    this.statusCode = statusCode;
-    this.code = code;
-    this.details = details;
-    this.name = "ZendFiError";
-  }
-};
-var AuthenticationError = class extends ZendFiError {
-  constructor(message = "Authentication failed") {
-    super(message, 401, "AUTHENTICATION_ERROR");
-    this.name = "AuthenticationError";
-  }
-};
-var ValidationError = class extends ZendFiError {
-  constructor(message, details) {
-    super(message, 400, "VALIDATION_ERROR", details);
-    this.name = "ValidationError";
-  }
-};
-var NetworkError = class extends ZendFiError {
-  constructor(message) {
-    super(message, 0, "NETWORK_ERROR");
-    this.name = "NetworkError";
-  }
-};
-var RateLimitError = class extends ZendFiError {
-  constructor(message = "Rate limit exceeded") {
-    super(message, 429, "RATE_LIMIT_ERROR");
-    this.name = "RateLimitError";
-  }
-};
+var asPaymentId = (id) => id;
+var asSessionId = (id) => id;
+var asAgentKeyId = (id) => id;
+var asMerchantId = (id) => id;
+var asInvoiceId = (id) => id;
+var asSubscriptionId = (id) => id;
+var asEscrowId = (id) => id;
+var asInstallmentPlanId = (id) => id;
+var asPaymentLinkCode = (id) => id;
+var asIntentId = (id) => id;
 
 // src/utils.ts
 var ConfigLoader = class {
@@ -101,7 +113,8 @@ var ConfigLoader = class {
       mode,
       timeout: options?.timeout ?? 3e4,
       retries: options?.retries ?? 3,
-      idempotencyEnabled: options?.idempotencyEnabled ?? true
+      idempotencyEnabled: options?.idempotencyEnabled ?? true,
+      debug: options?.debug ?? false
     };
   }
   /**
@@ -213,28 +226,6 @@ var ConfigLoader = class {
     }
   }
 };
-function parseError(response, body) {
-  const statusCode = response.status;
-  const errorMessage = body?.error || body?.message || response.statusText || "Unknown error";
-  const errorCode = body?.code;
-  const details = body?.details;
-  switch (statusCode) {
-    case 401:
-    case 403:
-      return new AuthenticationError(errorMessage);
-    case 400:
-      return new ValidationError(errorMessage, details);
-    case 429:
-      return new RateLimitError(errorMessage);
-    case 500:
-    case 502:
-    case 503:
-    case 504:
-      return new NetworkError(errorMessage);
-    default:
-      return new ZendFiError(errorMessage, statusCode, errorCode, details);
-  }
-}
 function generateIdempotencyKey() {
   const timestamp = Date.now();
   const random = Math.random().toString(36).substring(2, 15);
@@ -243,268 +234,1510 @@ function generateIdempotencyKey() {
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
-
-// src/client.ts
-var ZendFiClient = class {
-  config;
-  constructor(options) {
-    this.config = ConfigLoader.load(options);
-    ConfigLoader.validateApiKey(this.config.apiKey);
-    if (this.config.environment === "development") {
-      console.log(
-        `\u2713 ZendFi SDK initialized in ${this.config.mode} mode (${this.config.mode === "test" ? "devnet" : "mainnet"})`
-      );
-    }
+var RateLimiter = class {
+  requests = [];
+  maxRequests;
+  windowMs;
+  constructor(options = {}) {
+    this.maxRequests = options.maxRequests ?? 100;
+    this.windowMs = options.windowMs ?? 6e4;
   }
   /**
-   * Create a new payment
+   * Check if a request can be made without exceeding rate limit
    */
-  async createPayment(request) {
-    return this.request("POST", "/api/v1/payments", {
-      ...request,
-      currency: request.currency || "USD",
-      token: request.token || "USDC"
-    });
+  canMakeRequest() {
+    this.pruneOldRequests();
+    return this.requests.length < this.maxRequests;
   }
   /**
-   * Get payment by ID
+   * Record a request timestamp
    */
-  async getPayment(paymentId) {
-    return this.request("GET", `/api/v1/payments/${paymentId}`);
+  recordRequest() {
+    this.requests.push(Date.now());
   }
   /**
-   * List all payments with pagination
+   * Get remaining requests in current window
    */
-  async listPayments(request) {
-    const params = new URLSearchParams();
-    if (request?.page) params.append("page", request.page.toString());
-    if (request?.limit) params.append("limit", request.limit.toString());
-    if (request?.status) params.append("status", request.status);
-    if (request?.from_date) params.append("from_date", request.from_date);
-    if (request?.to_date) params.append("to_date", request.to_date);
-    const query = params.toString() ? `?${params.toString()}` : "";
-    return this.request("GET", `/api/v1/payments${query}`);
+  getRemainingRequests() {
+    this.pruneOldRequests();
+    return Math.max(0, this.maxRequests - this.requests.length);
   }
   /**
-   * Create a subscription plan
+   * Get time in ms until the rate limit window resets
    */
-  async createSubscriptionPlan(request) {
-    return this.request("POST", "/api/v1/subscriptions/plans", {
-      ...request,
-      currency: request.currency || "USD",
-      interval_count: request.interval_count || 1,
-      trial_days: request.trial_days || 0
-    });
+  getTimeUntilReset() {
+    if (this.requests.length === 0) return 0;
+    const oldestRequest = Math.min(...this.requests);
+    const resetTime = oldestRequest + this.windowMs;
+    return Math.max(0, resetTime - Date.now());
   }
   /**
-   * Get subscription plan by ID
+   * Get current rate limit status
    */
-  async getSubscriptionPlan(planId) {
-    return this.request("GET", `/api/v1/subscriptions/plans/${planId}`);
+  getStatus() {
+    this.pruneOldRequests();
+    return {
+      remaining: this.getRemainingRequests(),
+      limit: this.maxRequests,
+      resetInMs: this.getTimeUntilReset(),
+      isLimited: !this.canMakeRequest()
+    };
   }
   /**
-   * Create a subscription
+   * Reset the rate limiter (useful for testing)
    */
-  async createSubscription(request) {
-    return this.request("POST", "/api/v1/subscriptions", request);
+  reset() {
+    this.requests = [];
   }
-  /**
-   * Get subscription by ID
-   */
-  async getSubscription(subscriptionId) {
-    return this.request("GET", `/api/v1/subscriptions/${subscriptionId}`);
+  pruneOldRequests() {
+    const cutoff = Date.now() - this.windowMs;
+    this.requests = this.requests.filter((t) => t > cutoff);
   }
-  /**
-   * Cancel a subscription
-   */
-  async cancelSubscription(subscriptionId) {
-    return this.request(
-      "POST",
-      `/api/v1/subscriptions/${subscriptionId}/cancel`
-    );
+};
+
+// src/errors.ts
+var ZendFiError2 = class _ZendFiError extends Error {
+  code;
+  type;
+  suggestion;
+  docs_url;
+  statusCode;
+  response;
+  constructor(data) {
+    super(data.message);
+    this.name = "ZendFiError";
+    this.code = data.code;
+    this.type = data.type;
+    this.suggestion = data.suggestion;
+    this.statusCode = data.statusCode;
+    this.response = data.response;
+    this.docs_url = `https://docs.zendfi.com/errors/${data.code}`;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, _ZendFiError);
+    }
   }
   /**
-   * Create a payment link (shareable checkout URL)
+   * Format error for display
    */
-  async createPaymentLink(request) {
-    const response = await this.request("POST", "/api/v1/payment-links", {
-      ...request,
-      currency: request.currency || "USD",
-      token: request.token || "USDC"
-    });
-    return {
-      ...response,
-      url: response.hosted_page_url
-    };
+  toString() {
+    let message = `[${this.code}] ${this.message}`;
+    if (this.suggestion) {
+      message += `
+\u{1F4A1} Suggestion: ${this.suggestion}`;
+    }
+    message += `
+\u{1F4DA} Docs: ${this.docs_url}`;
+    return message;
   }
   /**
-   * Get payment link by link code
+   * Convert error to JSON
    */
-  async getPaymentLink(linkCode) {
-    const response = await this.request("GET", `/api/v1/payment-links/${linkCode}`);
+  toJSON() {
     return {
-      ...response,
-      url: response.hosted_page_url
+      name: this.name,
+      code: this.code,
+      type: this.type,
+      message: this.message,
+      suggestion: this.suggestion,
+      docs_url: this.docs_url,
+      statusCode: this.statusCode
     };
   }
-  /**
-   * List all payment links for the authenticated merchant
-   */
-  async listPaymentLinks() {
-    const response = await this.request("GET", "/api/v1/payment-links");
-    return response.map((link) => ({
-      ...link,
-      url: link.hosted_page_url
-    }));
+};
+var AuthenticationError2 = class extends ZendFiError2 {
+  constructor(message, code = "authentication_failed", suggestion) {
+    super({
+      code,
+      message,
+      type: "authentication_error",
+      suggestion: suggestion || "Check your API key in the dashboard at https://app.zendfi.com/settings/api-keys",
+      statusCode: 401
+    });
+    this.name = "AuthenticationError";
   }
-  /**
-   * Create an installment plan
-   * Split a purchase into multiple scheduled payments
-   */
-  async createInstallmentPlan(request) {
-    const response = await this.request(
-      "POST",
-      "/api/v1/installment-plans",
-      request
-    );
-    return {
-      id: response.plan_id,
-      plan_id: response.plan_id,
-      status: response.status
-    };
+};
+var PaymentError = class extends ZendFiError2 {
+  constructor(message, code = "payment_failed", suggestion) {
+    super({
+      code,
+      message,
+      type: "payment_error",
+      suggestion,
+      statusCode: 400
+    });
+    this.name = "PaymentError";
   }
-  /**
-   * Get installment plan by ID
-   */
-  async getInstallmentPlan(planId) {
-    return this.request("GET", `/api/v1/installment-plans/${planId}`);
+};
+var ValidationError2 = class extends ZendFiError2 {
+  constructor(message, code = "validation_failed", suggestion) {
+    super({
+      code,
+      message,
+      type: "validation_error",
+      suggestion,
+      statusCode: 400
+    });
+    this.name = "ValidationError";
   }
-  /**
-   * List all installment plans for merchant
-   */
-  async listInstallmentPlans(params) {
-    const query = new URLSearchParams();
-    if (params?.limit) query.append("limit", params.limit.toString());
-    if (params?.offset) query.append("offset", params.offset.toString());
-    const queryString = query.toString() ? `?${query.toString()}` : "";
-    return this.request("GET", `/api/v1/installment-plans${queryString}`);
+};
+var NetworkError2 = class extends ZendFiError2 {
+  constructor(message, code = "network_error", suggestion) {
+    super({
+      code,
+      message,
+      type: "network_error",
+      suggestion: suggestion || "Check your internet connection and try again",
+      statusCode: 0
+    });
+    this.name = "NetworkError";
   }
-  /**
-   * List installment plans for a specific customer
-   */
-  async listCustomerInstallmentPlans(customerWallet) {
-    return this.request(
-      "GET",
-      `/api/v1/customers/${customerWallet}/installment-plans`
-    );
+};
+var RateLimitError2 = class extends ZendFiError2 {
+  constructor(message, retryAfter) {
+    super({
+      code: "rate_limit_exceeded",
+      message,
+      type: "rate_limit_error",
+      suggestion: retryAfter ? `Wait ${retryAfter} seconds before retrying` : "You are making too many requests. Please slow down.",
+      statusCode: 429
+    });
+    this.name = "RateLimitError";
   }
-  /**
-   * Cancel an installment plan
-   */
-  async cancelInstallmentPlan(planId) {
-    return this.request(
-      "POST",
-      `/api/v1/installment-plans/${planId}/cancel`
-    );
+};
+var ApiError = class extends ZendFiError2 {
+  constructor(message, code, statusCode, response) {
+    super({
+      code,
+      message,
+      type: "api_error",
+      statusCode,
+      response
+    });
+    this.name = "ApiError";
   }
-  /**
-   * Create an escrow transaction
-   * Hold funds until conditions are met
-   */
-  async createEscrow(request) {
-    return this.request("POST", "/api/v1/escrows", {
-      ...request,
-      currency: request.currency || "USD",
-      token: request.token || "USDC"
+};
+var WebhookError = class extends ZendFiError2 {
+  constructor(message, code = "webhook_verification_failed", suggestion) {
+    super({
+      code,
+      message,
+      type: "webhook_error",
+      suggestion: suggestion || "Check your webhook secret matches the one in your dashboard",
+      statusCode: 400
     });
+    this.name = "WebhookError";
   }
-  /**
-   * Get escrow by ID
-   */
-  async getEscrow(escrowId) {
-    return this.request("GET", `/api/v1/escrows/${escrowId}`);
+};
+function createZendFiError(statusCode, responseBody, message) {
+  const errorMessage = message || responseBody?.error?.message || responseBody?.message || "An error occurred";
+  const errorCode = responseBody?.error?.code || responseBody?.code || "unknown_error";
+  if (statusCode === 401) {
+    return new AuthenticationError2(
+      errorMessage,
+      errorCode,
+      "Verify your API key is correct and not expired"
+    );
   }
-  /**
-   * List all escrows for merchant
-   */
-  async listEscrows(params) {
-    const query = new URLSearchParams();
-    if (params?.limit) query.append("limit", params.limit.toString());
-    if (params?.offset) query.append("offset", params.offset.toString());
-    const queryString = query.toString() ? `?${query.toString()}` : "";
-    return this.request("GET", `/api/v1/escrows${queryString}`);
+  if (statusCode === 429) {
+    const retryAfter = responseBody?.retry_after;
+    return new RateLimitError2(errorMessage, retryAfter);
   }
-  /**
-   * Approve escrow release to seller
-   */
-  async approveEscrow(escrowId, request) {
-    return this.request(
-      "POST",
-      `/api/v1/escrows/${escrowId}/approve`,
-      request
+  if (statusCode === 400 || statusCode === 422) {
+    return new ValidationError2(errorMessage, errorCode);
+  }
+  if (statusCode === 402) {
+    return new PaymentError(errorMessage, errorCode);
+  }
+  if (statusCode === 0 || statusCode >= 500) {
+    return new NetworkError2(
+      errorMessage,
+      errorCode,
+      statusCode >= 500 ? "The ZendFi API is experiencing issues. Please try again later." : void 0
     );
   }
+  return new ApiError(errorMessage, errorCode, statusCode, responseBody);
+}
+var ERROR_CODES = {
+  // Authentication
+  INVALID_API_KEY: "invalid_api_key",
+  API_KEY_EXPIRED: "api_key_expired",
+  API_KEY_REVOKED: "api_key_revoked",
+  // Payment
+  INSUFFICIENT_BALANCE: "insufficient_balance",
+  PAYMENT_DECLINED: "payment_declined",
+  PAYMENT_EXPIRED: "payment_expired",
+  INVALID_AMOUNT: "invalid_amount",
+  INVALID_CURRENCY: "invalid_currency",
+  // Validation
+  MISSING_REQUIRED_FIELD: "missing_required_field",
+  INVALID_PARAMETER: "invalid_parameter",
+  // Network
+  NETWORK_ERROR: "network_error",
+  TIMEOUT: "timeout",
+  // Rate limiting
+  RATE_LIMIT_EXCEEDED: "rate_limit_exceeded",
+  // Webhook
+  WEBHOOK_SIGNATURE_INVALID: "webhook_signature_invalid",
+  WEBHOOK_TIMESTAMP_TOO_OLD: "webhook_timestamp_too_old"
+};
+function isZendFiError(error) {
+  return error instanceof ZendFiError2;
+}
+
+// src/interceptors.ts
+var InterceptorManager = class {
+  handlers = [];
   /**
-   * Refund escrow to buyer
+   * Add an interceptor
    */
-  async refundEscrow(escrowId, request) {
-    return this.request("POST", `/api/v1/escrows/${escrowId}/refund`, request);
+  use(handler) {
+    this.handlers.push(handler);
+    return this.handlers.length - 1;
   }
   /**
-   * Raise a dispute for an escrow
+   * Remove an interceptor
    */
-  async disputeEscrow(escrowId, request) {
-    return this.request("POST", `/api/v1/escrows/${escrowId}/dispute`, request);
+  eject(id) {
+    if (this.handlers[id]) {
+      this.handlers[id] = null;
+    }
   }
   /**
-   * Create an invoice
+   * Execute all interceptors in sequence
    */
-  async createInvoice(request) {
-    return this.request("POST", "/api/v1/invoices", {
-      ...request,
-      token: request.token || "USDC"
-    });
+  async execute(initialValue) {
+    let result = initialValue;
+    for (const handler of this.handlers) {
+      if (handler !== null) {
+        result = await handler(result);
+      }
+    }
+    return result;
   }
   /**
-   * Get invoice by ID
+   * Check if any interceptors are registered
    */
-  async getInvoice(invoiceId) {
-    return this.request("GET", `/api/v1/invoices/${invoiceId}`);
+  has() {
+    return this.handlers.some((h) => h !== null);
   }
   /**
-   * List all invoices for merchant
+   * Clear all interceptors
    */
-  async listInvoices() {
-    return this.request("GET", "/api/v1/invoices");
+  clear() {
+    this.handlers = [];
   }
-  /**
-   * Send invoice to customer via email
-   */
-  async sendInvoice(invoiceId) {
-    return this.request("POST", `/api/v1/invoices/${invoiceId}/send`);
+};
+function createInterceptors() {
+  return {
+    request: new InterceptorManager(),
+    response: new InterceptorManager(),
+    error: new InterceptorManager()
+  };
+}
+
+// src/api/agent.ts
+function normalizeArrayResponse(response, key) {
+  if (Array.isArray(response)) {
+    return response;
   }
+  return response[key] || [];
+}
+var AgentAPI = class {
+  constructor(request) {
+    this.request = request;
+  }
+  // ============================================
+  // Agent API Keys
+  // ============================================
   /**
-   * Verify webhook signature using HMAC-SHA256
+   * Create a new agent API key with scoped permissions
    * 
-   * @param request - Webhook verification request containing payload, signature, and secret
-   * @returns true if signature is valid, false otherwise
+   * Agent keys (prefixed with `zai_`) have limited permissions compared to
+   * merchant keys. This enables safe delegation to AI agents.
+   * 
+   * @param request - Agent key configuration
+   * @returns The created agent key (full_key only returned on creation!)
    * 
    * @example
    * ```typescript
-   * const isValid = zendfi.verifyWebhook({
-   *   payload: req.body,
-   *   signature: req.headers['x-zendfi-signature'],
-   *   secret: process.env.ZENDFI_WEBHOOK_SECRET
+   * const agentKey = await zendfi.agent.createKey({
+   *   name: 'Shopping Assistant',
+   *   agent_id: 'shopping-assistant-v1',
+   *   scopes: ['create_payments'],
+   *   rate_limit_per_hour: 500,
    * });
    * 
-   * if (!isValid) {
-   *   return res.status(401).json({ error: 'Invalid signature' });
-   * }
+   * // IMPORTANT: Save the full_key now - it won't be shown again!
+   * console.log(agentKey.full_key); // => "zai_test_abc123..."
    * ```
    */
-  verifyWebhook(request) {
-    try {
-      if (!request.payload || !request.signature || !request.secret) {
+  async createKey(request) {
+    return this.request("POST", "/api/v1/agent-keys", {
+      name: request.name,
+      agent_id: request.agent_id,
+      agent_name: request.agent_name,
+      scopes: request.scopes || ["create_payments"],
+      rate_limit_per_hour: request.rate_limit_per_hour || 1e3,
+      metadata: request.metadata
+    });
+  }
+  /**
+   * List all agent API keys for the merchant
+   * 
+   * @returns Array of agent API keys (without full_key for security)
+   * 
+   * @example
+   * ```typescript
+   * const keys = await zendfi.agent.listKeys();
+   * keys.forEach(key => {
+   *   console.log(`${key.name}: ${key.key_prefix}*** (${key.scopes.join(', ')})`);
+   * });
+   * ```
+   */
+  async listKeys() {
+    const response = await this.request(
+      "GET",
+      "/api/v1/agent-keys"
+    );
+    return normalizeArrayResponse(response, "keys");
+  }
+  /**
+   * Revoke an agent API key
+   * 
+   * Once revoked, the key cannot be used for any API calls.
+   * This action is irreversible.
+   * 
+   * @param keyId - UUID of the agent key to revoke
+   * 
+   * @example
+   * ```typescript
+   * await zendfi.agent.revokeKey('ak_123...');
+   * console.log('Agent key revoked');
+   * ```
+   */
+  async revokeKey(keyId) {
+    await this.request("POST", `/api/v1/agent-keys/${keyId}/revoke`);
+  }
+  // ============================================
+  // Agent Sessions
+  // ============================================
+  /**
+   * Create an agent session with spending limits
+   * 
+   * Sessions provide time-bounded authorization for agents to make payments
+   * on behalf of users, with configurable spending limits.
+   * 
+   * @param request - Session configuration
+   * @returns The created session with token
+   * 
+   * @example
+   * ```typescript
+   * const session = await zendfi.agent.createSession({
+   *   agent_id: 'shopping-assistant-v1',
+   *   agent_name: 'Shopping Assistant',
+   *   user_wallet: 'Hx7B...abc',
+   *   limits: {
+   *     max_per_transaction: 100,
+   *     max_per_day: 500,
+   *     require_approval_above: 50,
+   *   },
+   *   duration_hours: 24,
+   * });
+   * 
+   * // Use session_token for subsequent API calls
+   * console.log(session.session_token); // => "zai_session_..."
+   * ```
+   */
+  async createSession(request) {
+    return this.request("POST", "/api/v1/ai/sessions", {
+      agent_id: request.agent_id,
+      agent_name: request.agent_name,
+      user_wallet: request.user_wallet,
+      limits: request.limits || {
+        max_per_transaction: 1e3,
+        max_per_day: 5e3,
+        max_per_week: 2e4,
+        max_per_month: 5e4,
+        require_approval_above: 500
+      },
+      allowed_merchants: request.allowed_merchants,
+      duration_hours: request.duration_hours || 24,
+      mint_pkp: request.mint_pkp,
+      metadata: request.metadata
+    });
+  }
+  /**
+   * List all agent sessions
+   * 
+   * @returns Array of agent sessions (both active and expired)
+   * 
+   * @example
+   * ```typescript
+   * const sessions = await zendfi.agent.listSessions();
+   * const activeSessions = sessions.filter(s => s.is_active);
+   * console.log(`${activeSessions.length} active sessions`);
+   * ```
+   */
+  async listSessions() {
+    const response = await this.request(
+      "GET",
+      "/api/v1/ai/sessions"
+    );
+    return normalizeArrayResponse(response, "sessions");
+  }
+  /**
+   * Get a specific agent session by ID
+   * 
+   * @param sessionId - UUID of the session
+   * @returns The session details with remaining limits
+   * 
+   * @example
+   * ```typescript
+   * const session = await zendfi.agent.getSession('sess_123...');
+   * console.log(`Remaining today: $${session.remaining_today}`);
+   * console.log(`Expires: ${session.expires_at}`);
+   * ```
+   */
+  async getSession(sessionId) {
+    return this.request("GET", `/api/v1/ai/sessions/${sessionId}`);
+  }
+  /**
+   * Revoke an agent session
+   * 
+   * Immediately invalidates the session, preventing any further payments.
+   * This action is irreversible.
+   * 
+   * @param sessionId - UUID of the session to revoke
+   * 
+   * @example
+   * ```typescript
+   * await zendfi.agent.revokeSession('sess_123...');
+   * console.log('Session revoked - agent can no longer make payments');
+   * ```
+   */
+  async revokeSession(sessionId) {
+    await this.request("POST", `/api/v1/ai/sessions/${sessionId}/revoke`);
+  }
+  // ============================================
+  // Agent Analytics
+  // ============================================
+  /**
+   * Get analytics for all agent activity
+   * 
+   * @returns Comprehensive analytics including payments, success rate, and PPP savings
+   * 
+   * @example
+   * ```typescript
+   * const analytics = await zendfi.agent.getAnalytics();
+   * console.log(`Total volume: $${analytics.total_volume_usd}`);
+   * console.log(`Success rate: ${(analytics.success_rate * 100).toFixed(1)}%`);
+   * console.log(`PPP savings: $${analytics.ppp_savings_usd}`);
+   * ```
+   */
+  async getAnalytics() {
+    return this.request("GET", "/api/v1/analytics/agents");
+  }
+};
+
+// src/api/intents.ts
+var PaymentIntentsAPI = class {
+  constructor(request) {
+    this.request = request;
+  }
+  /**
+   * Create a payment intent
+   * 
+   * This is step 1 of the two-phase payment flow. The intent reserves
+   * the payment amount and provides a client_secret for confirmation.
+   * 
+   * @param request - Payment intent configuration
+   * @returns The created payment intent with client_secret
+   * 
+   * @example
+   * ```typescript
+   * const intent = await zendfi.intents.create({
+   *   amount: 49.99,
+   *   description: 'Pro Plan - Monthly',
+   *   capture_method: 'automatic', // or 'manual' for auth-only
+   *   expires_in_seconds: 3600, // 1 hour
+   * });
+   * 
+   * // Store intent.id and pass intent.client_secret to frontend
+   * console.log(`Intent created: ${intent.id}`);
+   * console.log(`Status: ${intent.status}`); // "requires_payment"
+   * ```
+   */
+  async create(request) {
+    return this.request("POST", "/api/v1/payment-intents", {
+      amount: request.amount,
+      currency: request.currency || "USD",
+      description: request.description,
+      capture_method: request.capture_method || "automatic",
+      agent_id: request.agent_id,
+      agent_name: request.agent_name,
+      metadata: request.metadata,
+      expires_in_seconds: request.expires_in_seconds || 86400
+      // 24h default
+    });
+  }
+  /**
+   * Get a payment intent by ID
+   * 
+   * @param intentId - UUID of the payment intent
+   * @returns The payment intent details
+   * 
+   * @example
+   * ```typescript
+   * const intent = await zendfi.intents.get('pi_123...');
+   * console.log(`Status: ${intent.status}`);
+   * if (intent.payment_id) {
+   *   console.log(`Payment: ${intent.payment_id}`);
+   * }
+   * ```
+   */
+  async get(intentId) {
+    return this.request("GET", `/api/v1/payment-intents/${intentId}`);
+  }
+  /**
+   * List payment intents
+   * 
+   * @param options - Filter and pagination options
+   * @returns Array of payment intents
+   * 
+   * @example
+   * ```typescript
+   * // Get recent pending intents
+   * const intents = await zendfi.intents.list({
+   *   status: 'requires_payment',
+   *   limit: 20,
+   * });
+   * ```
+   */
+  async list(options) {
+    const params = new URLSearchParams();
+    if (options?.status) params.append("status", options.status);
+    if (options?.limit) params.append("limit", options.limit.toString());
+    if (options?.offset) params.append("offset", options.offset.toString());
+    const query = params.toString() ? `?${params.toString()}` : "";
+    const response = await this.request(
+      "GET",
+      `/api/v1/payment-intents${query}`
+    );
+    return Array.isArray(response) ? response : response.intents;
+  }
+  /**
+   * Confirm a payment intent
+   * 
+   * This is step 2 of the two-phase payment flow. Confirmation triggers
+   * the actual payment using the customer's wallet.
+   * 
+   * @param intentId - UUID of the payment intent
+   * @param request - Confirmation details including customer wallet
+   * @returns The confirmed payment intent with payment_id
+   * 
+   * @example
+   * ```typescript
+   * const confirmed = await zendfi.intents.confirm('pi_123...', {
+   *   client_secret: 'pi_secret_abc...',
+   *   customer_wallet: 'Hx7B...abc',
+   *   auto_gasless: true,
+   * });
+   * 
+   * if (confirmed.status === 'succeeded') {
+   *   console.log(`Payment complete: ${confirmed.payment_id}`);
+   * }
+   * ```
+   */
+  async confirm(intentId, request) {
+    return this.request("POST", `/api/v1/payment-intents/${intentId}/confirm`, {
+      client_secret: request.client_secret,
+      customer_wallet: request.customer_wallet,
+      payment_type: request.payment_type,
+      auto_gasless: request.auto_gasless,
+      metadata: request.metadata
+    });
+  }
+  /**
+   * Cancel a payment intent
+   * 
+   * Canceling releases any hold on the payment amount. Cannot cancel
+   * intents that are already processing or succeeded.
+   * 
+   * @param intentId - UUID of the payment intent
+   * @returns The canceled payment intent
+   * 
+   * @example
+   * ```typescript
+   * const canceled = await zendfi.intents.cancel('pi_123...');
+   * console.log(`Status: ${canceled.status}`); // "canceled"
+   * ```
+   */
+  async cancel(intentId) {
+    return this.request("POST", `/api/v1/payment-intents/${intentId}/cancel`);
+  }
+  /**
+   * Get events for a payment intent
+   * 
+   * Events track the full lifecycle of the intent, including creation,
+   * confirmation attempts, and status changes.
+   * 
+   * @param intentId - UUID of the payment intent
+   * @returns Array of events in chronological order
+   * 
+   * @example
+   * ```typescript
+   * const events = await zendfi.intents.getEvents('pi_123...');
+   * events.forEach(event => {
+   *   console.log(`${event.created_at}: ${event.event_type}`);
+   * });
+   * ```
+   */
+  async getEvents(intentId) {
+    const response = await this.request(
+      "GET",
+      `/api/v1/payment-intents/${intentId}/events`
+    );
+    return Array.isArray(response) ? response : response.events;
+  }
+};
+
+// src/api/pricing.ts
+var PricingAPI = class {
+  constructor(request) {
+    this.request = request;
+  }
+  /**
+   * Get PPP factor for a specific country
+   * 
+   * Returns the purchasing power parity adjustment factor for the given
+   * country code. Use this to calculate localized pricing.
+   * 
+   * @param countryCode - ISO 3166-1 alpha-2 country code (e.g., "BR", "IN", "NG")
+   * @returns PPP factor and suggested adjustment
+   * 
+   * @example
+   * ```typescript
+   * const factor = await zendfi.pricing.getPPPFactor('BR');
+   * // {
+   * //   country_code: 'BR',
+   * //   country_name: 'Brazil',
+   * //   ppp_factor: 0.35,
+   * //   currency_code: 'BRL',
+   * //   adjustment_percentage: 35.0
+   * // }
+   * 
+   * // Calculate localized price
+   * const usdPrice = 100;
+   * const localPrice = usdPrice * (1 - factor.adjustment_percentage / 100);
+   * console.log(`$${localPrice} for Brazilian customers`);
+   * ```
+   */
+  async getPPPFactor(countryCode) {
+    return this.request("POST", "/api/v1/ai/pricing/ppp-factor", {
+      country_code: countryCode.toUpperCase()
+    });
+  }
+  /**
+   * List all available PPP factors
+   * 
+   * Returns PPP factors for all supported countries. Useful for building
+   * pricing tables or pre-computing regional prices.
+   * 
+   * @returns Array of PPP factors for all supported countries
+   * 
+   * @example
+   * ```typescript
+   * const factors = await zendfi.pricing.listFactors();
+   * 
+   * // Create pricing tiers
+   * const tiers = factors.map(f => ({
+   *   country: f.country_name,
+   *   price: (100 * f.ppp_factor).toFixed(2),
+   * }));
+   * 
+   * console.table(tiers);
+   * ```
+   */
+  async listFactors() {
+    const response = await this.request(
+      "GET",
+      "/api/v1/ai/pricing/ppp-factors"
+    );
+    return Array.isArray(response) ? response : response.factors;
+  }
+  /**
+   * Get AI-powered pricing suggestion
+   * 
+   * Returns an intelligent pricing recommendation based on the user's
+   * location, wallet history, and your pricing configuration.
+   * 
+   * @param request - Pricing suggestion request with user context
+   * @returns AI-generated pricing suggestion with reasoning
+   * 
+   * @example
+   * ```typescript
+   * const suggestion = await zendfi.pricing.getSuggestion({
+   *   agent_id: 'shopping-assistant',
+   *   base_price: 99.99,
+   *   user_profile: {
+   *     location_country: 'BR',
+   *     context: 'first-time',
+   *   },
+   *   ppp_config: {
+   *     enabled: true,
+   *     max_discount_percent: 50,
+   *     floor_price: 29.99,
+   *   },
+   * });
+   * 
+   * console.log(`Suggested: $${suggestion.suggested_amount}`);
+   * console.log(`Reason: ${suggestion.reasoning}`);
+   * // => "Price adjusted for Brazilian purchasing power (35% PPP discount) 
+   * //     plus 10% first-time customer discount"
+   * ```
+   */
+  async getSuggestion(request) {
+    return this.request("POST", "/api/v1/ai/pricing/suggest", {
+      agent_id: request.agent_id,
+      product_id: request.product_id,
+      base_price: request.base_price,
+      currency: request.currency || "USD",
+      user_profile: request.user_profile,
+      ppp_config: request.ppp_config
+    });
+  }
+  /**
+   * Calculate localized price for a given base price and country
+   * 
+   * Convenience method that combines getPPPFactor with price calculation.
+   * 
+   * @param basePrice - Original price in USD
+   * @param countryCode - ISO 3166-1 alpha-2 country code
+   * @returns Object with original and adjusted prices
+   * 
+   * @example
+   * ```typescript
+   * const result = await zendfi.pricing.calculateLocalPrice(100, 'IN');
+   * console.log(`Original: $${result.original}`);
+   * console.log(`Local: $${result.adjusted}`);
+   * console.log(`Savings: $${result.savings} (${result.discount_percentage}%)`);
+   * ```
+   */
+  async calculateLocalPrice(basePrice, countryCode) {
+    const factor = await this.getPPPFactor(countryCode);
+    const adjusted = Number((basePrice * factor.ppp_factor).toFixed(2));
+    const savings = Number((basePrice - adjusted).toFixed(2));
+    return {
+      original: basePrice,
+      adjusted,
+      savings,
+      discount_percentage: factor.adjustment_percentage,
+      country: factor.country_name,
+      ppp_factor: factor.ppp_factor
+    };
+  }
+};
+
+// src/api/autonomy.ts
+var AutonomyAPI = class {
+  constructor(request) {
+    this.request = request;
+  }
+  /**
+   * Enable autonomous signing for a session key
+   * 
+   * This grants an AI agent the ability to sign transactions on behalf of
+   * the user, up to the specified spending limit and duration.
+   * 
+   * **Prerequisites:**
+   * 1. Create a device-bound session key first
+   * 2. Generate a delegation signature (see `createDelegationMessage`)
+   * 3. Optionally encrypt keypair with Lit Protocol for true autonomy
+   * 
+   * @param sessionKeyId - UUID of the session key
+   * @param request - Autonomy configuration including delegation signature
+   * @returns The created autonomous delegate
+   * 
+   * @example
+   * ```typescript
+   * // The user must sign this exact message format
+   * const message = zendfi.autonomy.createDelegationMessage(
+   *   sessionKeyId, 100, '2024-12-10T00:00:00Z'
+   * );
+   * 
+   * // Have user sign with their session key
+   * const signature = await signWithSessionKey(message, pin);
+   * 
+   * // Enable autonomous mode
+   * const delegate = await zendfi.autonomy.enable(sessionKeyId, {
+   *   max_amount_usd: 100,
+   *   duration_hours: 24,
+   *   delegation_signature: signature,
+   * });
+   * 
+   * console.log(`Delegate ID: ${delegate.delegate_id}`);
+   * console.log(`Expires: ${delegate.expires_at}`);
+   * ```
+   */
+  async enable(sessionKeyId, request) {
+    return this.request(
+      "POST",
+      `/api/v1/ai/session-keys/${sessionKeyId}/enable-autonomy`,
+      {
+        max_amount_usd: request.max_amount_usd,
+        duration_hours: request.duration_hours,
+        delegation_signature: request.delegation_signature,
+        expires_at: request.expires_at,
+        lit_encrypted_keypair: request.lit_encrypted_keypair,
+        lit_data_hash: request.lit_data_hash,
+        metadata: request.metadata
+      }
+    );
+  }
+  /**
+   * Revoke autonomous mode for a session key
+   * 
+   * Immediately invalidates the autonomous delegate, preventing any further
+   * automatic payments. The session key itself remains valid for manual use.
+   * 
+   * @param sessionKeyId - UUID of the session key
+   * @param reason - Optional reason for revocation (logged for audit)
+   * 
+   * @example
+   * ```typescript
+   * await zendfi.autonomy.revoke('sk_123...', 'User requested revocation');
+   * console.log('Autonomous mode disabled');
+   * ```
+   */
+  async revoke(sessionKeyId, reason) {
+    const request = { reason };
+    await this.request(
+      "POST",
+      `/api/v1/ai/session-keys/${sessionKeyId}/revoke-autonomy`,
+      request
+    );
+  }
+  /**
+   * Get autonomy status for a session key
+   * 
+   * Returns whether autonomous mode is enabled and details about the
+   * active delegate including remaining spending allowance.
+   * 
+   * @param sessionKeyId - UUID of the session key
+   * @returns Autonomy status with delegate details
+   * 
+   * @example
+   * ```typescript
+   * const status = await zendfi.autonomy.getStatus('sk_123...');
+   * 
+   * if (status.autonomous_mode_enabled && status.delegate) {
+   *   console.log(`Remaining: $${status.delegate.remaining_usd}`);
+   *   console.log(`Expires: ${status.delegate.expires_at}`);
+   * } else {
+   *   console.log('Autonomous mode not enabled');
+   * }
+   * ```
+   */
+  async getStatus(sessionKeyId) {
+    return this.request(
+      "GET",
+      `/api/v1/ai/session-keys/${sessionKeyId}/autonomy-status`
+    );
+  }
+  /**
+   * Create the delegation message that needs to be signed
+   * 
+   * This generates the exact message format required for the delegation
+   * signature. The user must sign this message with their session key.
+   * 
+   * **Message format:**
+   * ```
+   * I authorize autonomous delegate for session {id} to spend up to ${amount} until {expiry}
+   * ```
+   * 
+   * @param sessionKeyId - UUID of the session key
+   * @param maxAmountUsd - Maximum spending amount in USD
+   * @param expiresAt - ISO 8601 expiration timestamp
+   * @returns The message to be signed
+   * 
+   * @example
+   * ```typescript
+   * const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
+   * const message = zendfi.autonomy.createDelegationMessage(
+   *   'sk_123...',
+   *   100,
+   *   expiresAt
+   * );
+   * // => "I authorize autonomous delegate for session sk_123... to spend up to $100 until 2024-12-06T..."
+   * 
+   * // Sign with nacl.sign.detached() or similar
+   * const signature = signMessage(message, keypair);
+   * ```
+   */
+  createDelegationMessage(sessionKeyId, maxAmountUsd, expiresAt) {
+    return `I authorize autonomous delegate for session ${sessionKeyId} to spend up to $${maxAmountUsd} until ${expiresAt}`;
+  }
+  /**
+   * Validate delegation signature parameters
+   * 
+   * Helper method to check if autonomy parameters are valid before
+   * making the API call.
+   * 
+   * @param request - The enable autonomy request to validate
+   * @throws Error if validation fails
+   * 
+   * @example
+   * ```typescript
+   * try {
+   *   zendfi.autonomy.validateRequest(request);
+   *   const delegate = await zendfi.autonomy.enable(sessionKeyId, request);
+   * } catch (error) {
+   *   console.error('Invalid request:', error.message);
+   * }
+   * ```
+   */
+  validateRequest(request) {
+    if (request.max_amount_usd <= 0) {
+      throw new Error("max_amount_usd must be positive");
+    }
+    if (request.duration_hours < 1 || request.duration_hours > 168) {
+      throw new Error("duration_hours must be between 1 and 168 (7 days)");
+    }
+    if (!request.delegation_signature || request.delegation_signature.length === 0) {
+      throw new Error("delegation_signature is required");
+    }
+    const base64Regex = /^[A-Za-z0-9+/]+=*$/;
+    if (!base64Regex.test(request.delegation_signature)) {
+      throw new Error("delegation_signature must be base64 encoded");
+    }
+  }
+};
+
+// src/api/smart-payments.ts
+var SmartPaymentsAPI = class {
+  constructor(request) {
+    this.request = request;
+  }
+  /**
+   * Execute an AI-powered smart payment
+   * 
+   * Smart payments analyze the context and automatically apply optimizations:
+   * - **PPP Pricing**: Auto-adjusts based on customer location
+   * - **Gasless**: Detects when user needs gas subsidization
+   * - **Instant Settlement**: Optional immediate merchant payout
+   * - **Escrow**: Optional fund holding for service delivery
+   * 
+   * @param request - Smart payment request configuration
+   * @returns Payment result with status and receipt
+   * 
+   * @example
+   * ```typescript
+   * // Basic smart payment
+   * const result = await zendfi.payments.smart({
+   *   agent_id: 'my-agent',
+   *   user_wallet: 'Hx7B...abc',
+   *   amount_usd: 99.99,
+   *   description: 'Annual Pro Plan',
+   * });
+   * 
+   * // With all options
+   * const result = await zendfi.payments.smart({
+   *   agent_id: 'my-agent',
+   *   session_token: 'zai_session_...', // For limit enforcement
+   *   user_wallet: 'Hx7B...abc',
+   *   amount_usd: 99.99,
+   *   token: 'USDC',
+   *   auto_detect_gasless: true,
+   *   instant_settlement: true,
+   *   enable_escrow: false,
+   *   description: 'Annual Pro Plan',
+   *   product_details: {
+   *     name: 'Pro Plan',
+   *     sku: 'PRO-ANNUAL',
+   *   },
+   *   metadata: {
+   *     user_id: 'usr_123',
+   *   },
+   * });
+   * 
+   * if (result.requires_signature) {
+   *   // Device-bound flow: need user to sign
+   *   console.log('Please sign:', result.unsigned_transaction);
+   *   console.log('Submit to:', result.submit_url);
+   * } else {
+   *   // Auto-signed (custodial or autonomous delegate)
+   *   console.log('Payment complete:', result.transaction_signature);
+   * }
+   * ```
+   */
+  async execute(request) {
+    return this.request("POST", "/api/v1/ai/smart-payment", {
+      session_token: request.session_token,
+      agent_id: request.agent_id,
+      user_wallet: request.user_wallet,
+      amount_usd: request.amount_usd,
+      merchant_id: request.merchant_id,
+      token: request.token || "USDC",
+      auto_detect_gasless: request.auto_detect_gasless,
+      instant_settlement: request.instant_settlement,
+      enable_escrow: request.enable_escrow,
+      description: request.description,
+      product_details: request.product_details,
+      metadata: request.metadata
+    });
+  }
+  /**
+   * Submit a signed transaction from device-bound flow
+   * 
+   * When a smart payment returns `requires_signature: true`, the client
+   * must sign the transaction and submit it here.
+   * 
+   * @param paymentId - UUID of the payment
+   * @param signedTransaction - Base64 encoded signed transaction
+   * @returns Updated payment response
+   * 
+   * @example
+   * ```typescript
+   * // After user signs the transaction
+   * const result = await zendfi.payments.submitSigned(
+   *   payment.payment_id,
+   *   signedTransaction
+   * );
+   * 
+   * console.log(`Confirmed in ${result.confirmed_in_ms}ms`);
+   * ```
+   */
+  async submitSigned(paymentId, signedTransaction) {
+    return this.request(
+      "POST",
+      `/api/v1/ai/payments/${paymentId}/submit-signed`,
+      {
+        signed_transaction: signedTransaction
+      }
+    );
+  }
+};
+
+// src/client.ts
+var ZendFiClient = class {
+  config;
+  interceptors;
+  // ============================================
+  // Agentic Intent Protocol APIs
+  // ============================================
+  /**
+   * Agent API - Manage agent API keys and sessions
+   * 
+   * @example
+   * ```typescript
+   * // Create an agent API key
+   * const agentKey = await zendfi.agent.createKey({
+   *   name: 'Shopping Assistant',
+   *   agent_id: 'shopping-assistant-v1',
+   *   scopes: ['create_payments'],
+   * });
+   * 
+   * // Create an agent session
+   * const session = await zendfi.agent.createSession({
+   *   agent_id: 'shopping-assistant-v1',
+   *   user_wallet: 'Hx7B...abc',
+   *   limits: { max_per_day: 500 },
+   * });
+   * ```
+   */
+  agent;
+  /**
+   * Payment Intents API - Two-phase payment flow
+   * 
+   * @example
+   * ```typescript
+   * // Create intent
+   * const intent = await zendfi.intents.create({ amount: 99.99 });
+   * 
+   * // Confirm when ready
+   * await zendfi.intents.confirm(intent.id, {
+   *   client_secret: intent.client_secret,
+   *   customer_wallet: 'Hx7B...abc',
+   * });
+   * ```
+   */
+  intents;
+  /**
+   * Pricing API - PPP and AI-powered pricing
+   * 
+   * @example
+   * ```typescript
+   * // Get PPP factor for Brazil
+   * const factor = await zendfi.pricing.getPPPFactor('BR');
+   * const localPrice = 100 * factor.ppp_factor; // $35 for Brazil
+   * 
+   * // Get AI pricing suggestion
+   * const suggestion = await zendfi.pricing.getSuggestion({
+   *   agent_id: 'my-agent',
+   *   base_price: 100,
+   *   user_profile: { location_country: 'BR' },
+   * });
+   * ```
+   */
+  pricing;
+  /**
+   * Autonomy API - Enable autonomous agent signing
+   * 
+   * @example
+   * ```typescript
+   * // Enable autonomous mode for a session key
+   * const delegate = await zendfi.autonomy.enable(sessionKeyId, {
+   *   max_amount_usd: 100,
+   *   duration_hours: 24,
+   *   delegation_signature: signature,
+   * });
+   * 
+   * // Check status
+   * const status = await zendfi.autonomy.getStatus(sessionKeyId);
+   * ```
+   */
+  autonomy;
+  /**
+   * Smart Payments API - AI-powered payment routing
+   * 
+   * Create intelligent payments that automatically:
+   * - Apply PPP discounts based on user location
+   * - Use agent sessions when available
+   * - Route to optimal payment paths
+   * 
+   * @example
+   * ```typescript
+   * const payment = await zendfi.smart.create({
+   *   amount_usd: 99.99,
+   *   wallet_address: 'Hx7B...abc',
+   *   merchant_id: 'merch_123',
+   *   country_code: 'BR', // Apply PPP
+   *   enable_ppp: true,
+   * });
+   * 
+   * console.log(`Original: $${payment.original_amount_usd}`);
+   * console.log(`Final: $${payment.final_amount_usd}`);
+   * // Original: $99.99
+   * // Final: $64.99 (35% PPP discount applied)
+   * ```
+   */
+  smart;
+  constructor(options) {
+    this.config = ConfigLoader.load(options);
+    ConfigLoader.validateApiKey(this.config.apiKey);
+    this.interceptors = createInterceptors();
+    const boundRequest = this.request.bind(this);
+    this.agent = new AgentAPI(boundRequest);
+    this.intents = new PaymentIntentsAPI(boundRequest);
+    this.pricing = new PricingAPI(boundRequest);
+    this.autonomy = new AutonomyAPI(boundRequest);
+    this.smart = new SmartPaymentsAPI(boundRequest);
+    if (this.config.environment === "development" || this.config.debug) {
+      console.log(
+        `\u2713 ZendFi SDK initialized in ${this.config.mode} mode (${this.config.mode === "test" ? "devnet" : "mainnet"})`
+      );
+      if (this.config.debug) {
+        console.log("[ZendFi] Debug mode enabled");
+      }
+    }
+  }
+  /**
+   * Create a new payment
+   */
+  async createPayment(request) {
+    return this.request("POST", "/api/v1/payments", {
+      ...request,
+      currency: request.currency || "USD",
+      token: request.token || "USDC"
+    });
+  }
+  /**
+   * Get payment by ID
+   */
+  async getPayment(paymentId) {
+    return this.request("GET", `/api/v1/payments/${paymentId}`);
+  }
+  /**
+   * List all payments with pagination
+   */
+  async listPayments(request) {
+    const params = new URLSearchParams();
+    if (request?.page) params.append("page", request.page.toString());
+    if (request?.limit) params.append("limit", request.limit.toString());
+    if (request?.status) params.append("status", request.status);
+    if (request?.from_date) params.append("from_date", request.from_date);
+    if (request?.to_date) params.append("to_date", request.to_date);
+    const query = params.toString() ? `?${params.toString()}` : "";
+    return this.request("GET", `/api/v1/payments${query}`);
+  }
+  /**
+   * Create a subscription plan
+   */
+  async createSubscriptionPlan(request) {
+    return this.request("POST", "/api/v1/subscriptions/plans", {
+      ...request,
+      currency: request.currency || "USD",
+      interval_count: request.interval_count || 1,
+      trial_days: request.trial_days || 0
+    });
+  }
+  /**
+   * Get subscription plan by ID
+   */
+  async getSubscriptionPlan(planId) {
+    return this.request("GET", `/api/v1/subscriptions/plans/${planId}`);
+  }
+  /**
+   * Create a subscription
+   */
+  async createSubscription(request) {
+    return this.request("POST", "/api/v1/subscriptions", request);
+  }
+  /**
+   * Get subscription by ID
+   */
+  async getSubscription(subscriptionId) {
+    return this.request("GET", `/api/v1/subscriptions/${subscriptionId}`);
+  }
+  /**
+   * Cancel a subscription
+   */
+  async cancelSubscription(subscriptionId) {
+    return this.request(
+      "POST",
+      `/api/v1/subscriptions/${subscriptionId}/cancel`
+    );
+  }
+  /**
+   * Create a payment link (shareable checkout URL)
+   */
+  async createPaymentLink(request) {
+    const response = await this.request("POST", "/api/v1/payment-links", {
+      ...request,
+      currency: request.currency || "USD",
+      token: request.token || "USDC"
+    });
+    return {
+      ...response,
+      url: response.hosted_page_url
+    };
+  }
+  /**
+   * Get payment link by link code
+   */
+  async getPaymentLink(linkCode) {
+    const response = await this.request("GET", `/api/v1/payment-links/${linkCode}`);
+    return {
+      ...response,
+      url: response.hosted_page_url
+    };
+  }
+  /**
+   * List all payment links for the authenticated merchant
+   */
+  async listPaymentLinks() {
+    const response = await this.request("GET", "/api/v1/payment-links");
+    return response.map((link) => ({
+      ...link,
+      url: link.hosted_page_url
+    }));
+  }
+  /**
+   * Create an installment plan
+   * Split a purchase into multiple scheduled payments
+   */
+  async createInstallmentPlan(request) {
+    const response = await this.request(
+      "POST",
+      "/api/v1/installment-plans",
+      request
+    );
+    return {
+      id: response.plan_id,
+      plan_id: response.plan_id,
+      status: response.status
+    };
+  }
+  /**
+   * Get installment plan by ID
+   */
+  async getInstallmentPlan(planId) {
+    return this.request("GET", `/api/v1/installment-plans/${planId}`);
+  }
+  /**
+   * List all installment plans for merchant
+   */
+  async listInstallmentPlans(params) {
+    const query = new URLSearchParams();
+    if (params?.limit) query.append("limit", params.limit.toString());
+    if (params?.offset) query.append("offset", params.offset.toString());
+    const queryString = query.toString() ? `?${query.toString()}` : "";
+    return this.request("GET", `/api/v1/installment-plans${queryString}`);
+  }
+  /**
+   * List installment plans for a specific customer
+   */
+  async listCustomerInstallmentPlans(customerWallet) {
+    return this.request(
+      "GET",
+      `/api/v1/customers/${customerWallet}/installment-plans`
+    );
+  }
+  /**
+   * Cancel an installment plan
+   */
+  async cancelInstallmentPlan(planId) {
+    return this.request(
+      "POST",
+      `/api/v1/installment-plans/${planId}/cancel`
+    );
+  }
+  /**
+   * Create an escrow transaction
+   * Hold funds until conditions are met
+   */
+  async createEscrow(request) {
+    return this.request("POST", "/api/v1/escrows", {
+      ...request,
+      currency: request.currency || "USD",
+      token: request.token || "USDC"
+    });
+  }
+  /**
+   * Get escrow by ID
+   */
+  async getEscrow(escrowId) {
+    return this.request("GET", `/api/v1/escrows/${escrowId}`);
+  }
+  /**
+   * List all escrows for merchant
+   */
+  async listEscrows(params) {
+    const query = new URLSearchParams();
+    if (params?.limit) query.append("limit", params.limit.toString());
+    if (params?.offset) query.append("offset", params.offset.toString());
+    const queryString = query.toString() ? `?${query.toString()}` : "";
+    return this.request("GET", `/api/v1/escrows${queryString}`);
+  }
+  /**
+   * Approve escrow release to seller
+   */
+  async approveEscrow(escrowId, request) {
+    return this.request(
+      "POST",
+      `/api/v1/escrows/${escrowId}/approve`,
+      request
+    );
+  }
+  /**
+   * Refund escrow to buyer
+   */
+  async refundEscrow(escrowId, request) {
+    return this.request("POST", `/api/v1/escrows/${escrowId}/refund`, request);
+  }
+  /**
+   * Raise a dispute for an escrow
+   */
+  async disputeEscrow(escrowId, request) {
+    return this.request("POST", `/api/v1/escrows/${escrowId}/dispute`, request);
+  }
+  /**
+   * Create an invoice
+   */
+  async createInvoice(request) {
+    return this.request("POST", "/api/v1/invoices", {
+      ...request,
+      token: request.token || "USDC"
+    });
+  }
+  /**
+   * Get invoice by ID
+   */
+  async getInvoice(invoiceId) {
+    return this.request("GET", `/api/v1/invoices/${invoiceId}`);
+  }
+  /**
+   * List all invoices for merchant
+   */
+  async listInvoices() {
+    return this.request("GET", "/api/v1/invoices");
+  }
+  /**
+   * Send invoice to customer via email
+   */
+  async sendInvoice(invoiceId) {
+    return this.request("POST", `/api/v1/invoices/${invoiceId}/send`);
+  }
+  // ============================================
+  // Agentic Intent Protocol - Smart Payments
+  // ============================================
+  /**
+   * Execute an AI-powered smart payment
+   * 
+   * Smart payments combine multiple features:
+   * - Automatic PPP pricing adjustments
+   * - Gasless transaction detection
+   * - Instant settlement options
+   * - Escrow integration
+   * - Receipt generation
+   * 
+   * @param request - Smart payment configuration
+   * @returns Payment result with status and receipt
+   * 
+   * @example
+   * ```typescript
+   * const result = await zendfi.smartPayment({
+   *   agent_id: 'shopping-assistant',
+   *   user_wallet: 'Hx7B...abc',
+   *   amount_usd: 50,
+   *   auto_detect_gasless: true,
+   *   description: 'Premium subscription',
+   * });
+   * 
+   * if (result.requires_signature) {
+   *   // Device-bound flow: user needs to sign
+   *   console.log('Sign and submit:', result.submit_url);
+   * } else {
+   *   // Auto-signed
+   *   console.log('Payment complete:', result.transaction_signature);
+   * }
+   * ```
+   */
+  async smartPayment(request) {
+    return this.smart.execute(request);
+  }
+  /**
+   * Submit a signed transaction for device-bound smart payment
+   * 
+   * @param paymentId - UUID of the payment
+   * @param signedTransaction - Base64 encoded signed transaction
+   * @returns Updated payment response
+   */
+  async submitSignedPayment(paymentId, signedTransaction) {
+    return this.smart.submitSigned(paymentId, signedTransaction);
+  }
+  /**
+   * Verify webhook signature using HMAC-SHA256
+   * 
+   * @param request - Webhook verification request containing payload, signature, and secret
+   * @returns true if signature is valid, false otherwise
+   * 
+   * @example
+   * ```typescript
+   * const isValid = zendfi.verifyWebhook({
+   *   payload: req.body,
+   *   signature: req.headers['x-zendfi-signature'],
+   *   secret: process.env.ZENDFI_WEBHOOK_SECRET
+   * });
+   * 
+   * if (!isValid) {
+   *   return res.status(401).json({ error: 'Invalid signature' });
+   * }
+   * ```
+   */
+  verifyWebhook(request) {
+    try {
+      if (!request.payload || !request.signature || !request.secret) {
         return false;
       }
       let payloadString;
@@ -516,194 +1749,1173 @@ var ZendFiClient = class {
         } catch (e) {
           return false;
         }
-      } else if (typeof request.payload === "object") {
-        parsedPayload = request.payload;
+      } else if (typeof request.payload === "object") {
+        parsedPayload = request.payload;
+        try {
+          payloadString = JSON.stringify(request.payload);
+        } catch (e) {
+          return false;
+        }
+      } else {
+        return false;
+      }
+      if (!parsedPayload || !parsedPayload.event || !parsedPayload.merchant_id || !parsedPayload.timestamp) {
+        return false;
+      }
+      const computedSignature = this.computeHmacSignature(payloadString, request.secret);
+      return this.timingSafeEqual(request.signature, computedSignature);
+    } catch (err) {
+      const error = err;
+      if (this.config.environment === "development") {
+        console.error("Webhook verification error:", error?.message || String(error));
+      }
+      return false;
+    }
+  }
+  /**
+   * Compute HMAC-SHA256 signature
+   * Works in both Node.js and browser environments
+   */
+  computeHmacSignature(payload, secret) {
+    if (typeof process !== "undefined" && process.versions?.node) {
+      return (0, import_crypto.createHmac)("sha256", secret).update(payload, "utf8").digest("hex");
+    }
+    throw new Error(
+      "Webhook verification in browser is not supported. Use this method in your backend/server environment."
+    );
+  }
+  /**
+   * Timing-safe string comparison to prevent timing attacks
+   */
+  timingSafeEqual(a, b) {
+    if (a.length !== b.length) {
+      return false;
+    }
+    if (typeof process !== "undefined" && process.versions?.node) {
+      try {
+        const bufferA = Buffer.from(a, "utf8");
+        const bufferB = Buffer.from(b, "utf8");
+        return (0, import_crypto.timingSafeEqual)(bufferA, bufferB);
+      } catch {
+      }
+    }
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+      result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return result === 0;
+  }
+  /**
+   * Make an HTTP request with retry logic, interceptors, and debug logging
+   */
+  async request(method, endpoint, data, options = {}) {
+    const attempt = options.attempt || 1;
+    const idempotencyKey = options.idempotencyKey || (this.config.idempotencyEnabled && method !== "GET" ? generateIdempotencyKey() : void 0);
+    const startTime = Date.now();
+    try {
+      const url = `${this.config.baseURL}${endpoint}`;
+      const headers = {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.config.apiKey}`
+      };
+      if (idempotencyKey) {
+        headers["Idempotency-Key"] = idempotencyKey;
+      }
+      let requestConfig = {
+        method,
+        url,
+        headers,
+        body: data
+      };
+      if (this.interceptors.request.has()) {
+        requestConfig = await this.interceptors.request.execute(requestConfig);
+      }
+      if (this.config.debug) {
+        console.log(`[ZendFi] ${method} ${endpoint}`);
+        if (data) {
+          console.log("[ZendFi] Request:", JSON.stringify(data, null, 2));
+        }
+      }
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), this.config.timeout);
+      const response = await (0, import_cross_fetch.default)(requestConfig.url, {
+        method: requestConfig.method,
+        headers: requestConfig.headers,
+        body: requestConfig.body ? JSON.stringify(requestConfig.body) : void 0,
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      let body;
+      try {
+        body = await response.json();
+      } catch {
+        body = null;
+      }
+      const duration = Date.now() - startTime;
+      if (!response.ok) {
+        const error = createZendFiError(response.status, body);
+        if (this.config.debug) {
+          console.error(`[ZendFi] \u274C ${response.status} ${response.statusText} (${duration}ms)`);
+          console.error(`[ZendFi] Error:`, error.toString());
+        }
+        if (response.status >= 500 && attempt < this.config.retries) {
+          const delay = Math.pow(2, attempt) * 1e3;
+          if (this.config.debug) {
+            console.log(`[ZendFi] Retrying in ${delay}ms... (attempt ${attempt + 1}/${this.config.retries})`);
+          }
+          await sleep(delay);
+          return this.request(method, endpoint, data, {
+            idempotencyKey,
+            attempt: attempt + 1
+          });
+        }
+        if (this.interceptors.error.has()) {
+          const interceptedError = await this.interceptors.error.execute(error);
+          throw interceptedError;
+        }
+        throw error;
+      }
+      if (this.config.debug) {
+        console.log(`[ZendFi] \u2713 ${response.status} ${response.statusText} (${duration}ms)`);
+        if (body) {
+          console.log("[ZendFi] Response:", JSON.stringify(body, null, 2));
+        }
+      }
+      const headersObj = {};
+      response.headers.forEach((value, key) => {
+        headersObj[key] = value;
+      });
+      let responseData = {
+        status: response.status,
+        statusText: response.statusText,
+        headers: headersObj,
+        data: body,
+        config: requestConfig
+      };
+      if (this.interceptors.response.has()) {
+        responseData = await this.interceptors.response.execute(responseData);
+      }
+      return responseData.data;
+    } catch (error) {
+      if (error.name === "AbortError") {
+        const timeoutError = createZendFiError(0, {}, `Request timeout after ${this.config.timeout}ms`);
+        if (this.config.debug) {
+          console.error(`[ZendFi] \u274C Timeout (${this.config.timeout}ms)`);
+        }
+        throw timeoutError;
+      }
+      if (attempt < this.config.retries && (error.message?.includes("fetch") || error.message?.includes("network"))) {
+        const delay = Math.pow(2, attempt) * 1e3;
+        if (this.config.debug) {
+          console.log(`[ZendFi] Network error, retrying in ${delay}ms... (attempt ${attempt + 1}/${this.config.retries})`);
+        }
+        await sleep(delay);
+        return this.request(method, endpoint, data, {
+          idempotencyKey,
+          attempt: attempt + 1
+        });
+      }
+      if (isZendFiError(error)) {
+        throw error;
+      }
+      const wrappedError = createZendFiError(0, {}, error.message || "An unknown error occurred");
+      if (this.config.debug) {
+        console.error(`[ZendFi] \u274C Unexpected error:`, error);
+      }
+      throw wrappedError;
+    }
+  }
+};
+var zendfi = (() => {
+  try {
+    return new ZendFiClient();
+  } catch (error) {
+    if (process.env.NODE_ENV === "test" || !process.env.ZENDFI_API_KEY) {
+      return new Proxy({}, {
+        get() {
+          throw new Error(
+            'ZendFi singleton not initialized. Set ZENDFI_API_KEY environment variable or create a custom instance: new ZendFiClient({ apiKey: "..." })'
+          );
+        }
+      });
+    }
+    throw error;
+  }
+})();
+
+// src/webhooks.ts
+async function verifyNextWebhook(request, secret) {
+  try {
+    const payload = await request.text();
+    const signature = request.headers.get("x-zendfi-signature");
+    if (!signature) {
+      return null;
+    }
+    const webhookSecret = secret || process.env.ZENDFI_WEBHOOK_SECRET;
+    if (!webhookSecret) {
+      throw new Error("ZENDFI_WEBHOOK_SECRET not configured");
+    }
+    const isValid = zendfi.verifyWebhook({
+      payload,
+      signature,
+      secret: webhookSecret
+    });
+    if (!isValid) {
+      return null;
+    }
+    return JSON.parse(payload);
+  } catch {
+    return null;
+  }
+}
+async function verifyExpressWebhook(request, secret) {
+  try {
+    const payload = request.rawBody || JSON.stringify(request.body);
+    const signature = request.headers["x-zendfi-signature"];
+    if (!signature) {
+      return null;
+    }
+    const webhookSecret = secret || process.env.ZENDFI_WEBHOOK_SECRET;
+    if (!webhookSecret) {
+      throw new Error("ZENDFI_WEBHOOK_SECRET not configured");
+    }
+    const isValid = zendfi.verifyWebhook({
+      payload,
+      signature,
+      secret: webhookSecret
+    });
+    if (!isValid) {
+      return null;
+    }
+    return JSON.parse(payload);
+  } catch {
+    return null;
+  }
+}
+function verifyWebhookSignature(payload, signature, secret) {
+  return zendfi.verifyWebhook({
+    payload,
+    signature,
+    secret
+  });
+}
+
+// src/device-bound-crypto.ts
+var import_web3 = require("@solana/web3.js");
+var crypto = __toESM(require("crypto"));
+var DeviceFingerprintGenerator = class {
+  /**
+   * Generate a unique device fingerprint
+   * Combines multiple browser attributes for uniqueness
+   */
+  static async generate() {
+    const components = {};
+    try {
+      components.canvas = await this.getCanvasFingerprint();
+      components.webgl = await this.getWebGLFingerprint();
+      components.audio = await this.getAudioFingerprint();
+      components.screen = `${screen.width}x${screen.height}x${screen.colorDepth}`;
+      components.timezone = Intl.DateTimeFormat().resolvedOptions().timeZone;
+      components.languages = navigator.languages?.join(",") || navigator.language;
+      components.platform = navigator.platform;
+      components.hardwareConcurrency = navigator.hardwareConcurrency?.toString() || "unknown";
+      const combined = Object.entries(components).sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `${key}:${value}`).join("|");
+      const fingerprint = await this.sha256(combined);
+      return {
+        fingerprint,
+        generatedAt: Date.now(),
+        components
+      };
+    } catch (error) {
+      console.warn("Device fingerprinting failed, using fallback", error);
+      return this.generateFallbackFingerprint();
+    }
+  }
+  /**
+   * Graceful fallback fingerprint generation
+   * Works in headless browsers, SSR, and restricted environments
+   */
+  static async generateFallbackFingerprint() {
+    const components = {};
+    try {
+      if (typeof navigator !== "undefined") {
+        components.platform = navigator.platform || "unknown";
+        components.languages = navigator.languages?.join(",") || navigator.language || "unknown";
+        components.hardwareConcurrency = navigator.hardwareConcurrency?.toString() || "unknown";
+      }
+      if (typeof screen !== "undefined") {
+        components.screen = `${screen.width || 0}x${screen.height || 0}x${screen.colorDepth || 0}`;
+      }
+      if (typeof Intl !== "undefined") {
         try {
-          payloadString = JSON.stringify(request.payload);
-        } catch (e) {
-          return false;
+          components.timezone = Intl.DateTimeFormat().resolvedOptions().timeZone;
+        } catch {
+          components.timezone = "unknown";
         }
-      } else {
-        return false;
       }
-      if (!parsedPayload || !parsedPayload.event || !parsedPayload.merchant_id || !parsedPayload.timestamp) {
-        return false;
+    } catch {
+      components.platform = "fallback";
+    }
+    let randomEntropy = "";
+    try {
+      if (typeof window !== "undefined" && window.crypto?.getRandomValues) {
+        const arr = new Uint8Array(16);
+        window.crypto.getRandomValues(arr);
+        randomEntropy = Array.from(arr).map((b) => b.toString(16).padStart(2, "0")).join("");
+      } else if (typeof crypto !== "undefined" && crypto.randomBytes) {
+        randomEntropy = crypto.randomBytes(16).toString("hex");
       }
-      const computedSignature = this.computeHmacSignature(payloadString, request.secret);
-      return this.timingSafeEqual(request.signature, computedSignature);
-    } catch (err) {
-      const error = err;
-      if (this.config.environment === "development") {
-        console.error("Webhook verification error:", error?.message || String(error));
+    } catch {
+      randomEntropy = Date.now().toString(36) + Math.random().toString(36);
+    }
+    const combined = Object.entries(components).sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `${key}:${value}`).join("|") + "|entropy:" + randomEntropy;
+    const fingerprint = await this.sha256(combined);
+    return {
+      fingerprint,
+      generatedAt: Date.now(),
+      components
+    };
+  }
+  static async getCanvasFingerprint() {
+    const canvas = document.createElement("canvas");
+    const ctx = canvas.getContext("2d");
+    if (!ctx) return "no-canvas";
+    canvas.width = 200;
+    canvas.height = 50;
+    ctx.textBaseline = "top";
+    ctx.font = '14px "Arial"';
+    ctx.fillStyle = "#f60";
+    ctx.fillRect(0, 0, 100, 50);
+    ctx.fillStyle = "#069";
+    ctx.fillText("ZendFi \u{1F510}", 2, 2);
+    ctx.fillStyle = "rgba(102, 204, 0, 0.7)";
+    ctx.fillText("Device-Bound", 4, 17);
+    return canvas.toDataURL();
+  }
+  static async getWebGLFingerprint() {
+    const canvas = document.createElement("canvas");
+    const gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
+    if (!gl) return "no-webgl";
+    const debugInfo = gl.getExtension("WEBGL_debug_renderer_info");
+    if (!debugInfo) return "no-debug-info";
+    const vendor = gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL);
+    const renderer = gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL);
+    return `${vendor}|${renderer}`;
+  }
+  static async getAudioFingerprint() {
+    try {
+      const AudioContext = window.AudioContext || window.webkitAudioContext;
+      if (!AudioContext) return "no-audio";
+      const context = new AudioContext();
+      const oscillator = context.createOscillator();
+      const analyser = context.createAnalyser();
+      const gainNode = context.createGain();
+      const scriptProcessor = context.createScriptProcessor(4096, 1, 1);
+      gainNode.gain.value = 0;
+      oscillator.connect(analyser);
+      analyser.connect(scriptProcessor);
+      scriptProcessor.connect(gainNode);
+      gainNode.connect(context.destination);
+      oscillator.start(0);
+      return new Promise((resolve) => {
+        scriptProcessor.onaudioprocess = (event) => {
+          const output = event.inputBuffer.getChannelData(0);
+          const hash = Array.from(output.slice(0, 30)).reduce((acc, val) => acc + Math.abs(val), 0);
+          oscillator.stop();
+          scriptProcessor.disconnect();
+          context.close();
+          resolve(hash.toString());
+        };
+      });
+    } catch (error) {
+      return "audio-error";
+    }
+  }
+  static async sha256(data) {
+    if (typeof window !== "undefined" && window.crypto && window.crypto.subtle) {
+      const encoder = new TextEncoder();
+      const dataBuffer = encoder.encode(data);
+      const hashBuffer = await window.crypto.subtle.digest("SHA-256", dataBuffer);
+      const hashArray = Array.from(new Uint8Array(hashBuffer));
+      return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+    } else {
+      return crypto.createHash("sha256").update(data).digest("hex");
+    }
+  }
+};
+var SessionKeyCrypto = class {
+  /**
+   * Encrypt a Solana keypair with PIN + device fingerprint
+   * Uses Argon2id for key derivation and AES-256-GCM for encryption
+   */
+  static async encrypt(keypair, pin, deviceFingerprint) {
+    if (!/^\d{6}$/.test(pin)) {
+      throw new Error("PIN must be exactly 6 numeric digits");
+    }
+    const encryptionKey = await this.deriveKey(pin, deviceFingerprint);
+    const nonce = this.generateNonce();
+    const secretKey = keypair.secretKey;
+    const encryptedData = await this.aesEncrypt(secretKey, encryptionKey, nonce);
+    return {
+      encryptedData: Buffer.from(encryptedData).toString("base64"),
+      nonce: Buffer.from(nonce).toString("base64"),
+      publicKey: keypair.publicKey.toBase58(),
+      deviceFingerprint,
+      version: "argon2id-aes256gcm-v1"
+    };
+  }
+  /**
+   * Decrypt an encrypted session key with PIN + device fingerprint
+   */
+  static async decrypt(encrypted, pin, deviceFingerprint) {
+    if (!/^\d{6}$/.test(pin)) {
+      throw new Error("PIN must be exactly 6 numeric digits");
+    }
+    if (encrypted.deviceFingerprint !== deviceFingerprint) {
+      throw new Error("Device fingerprint mismatch - wrong device or security threat");
+    }
+    const encryptionKey = await this.deriveKey(pin, deviceFingerprint);
+    const encryptedData = Buffer.from(encrypted.encryptedData, "base64");
+    const nonce = Buffer.from(encrypted.nonce, "base64");
+    try {
+      const secretKey = await this.aesDecrypt(encryptedData, encryptionKey, nonce);
+      return import_web3.Keypair.fromSecretKey(secretKey);
+    } catch (error) {
+      throw new Error("Decryption failed - wrong PIN or corrupted data");
+    }
+  }
+  /**
+   * Derive encryption key from PIN + device fingerprint using Argon2id
+   * 
+   * Argon2id parameters (OWASP recommended):
+   * - Memory: 64MB (65536 KB)
+   * - Iterations: 3
+   * - Parallelism: 4
+   * - Salt: device fingerprint
+   */
+  static async deriveKey(pin, deviceFingerprint) {
+    if (typeof window !== "undefined" && window.crypto && window.crypto.subtle) {
+      const encoder = new TextEncoder();
+      const keyMaterial = await window.crypto.subtle.importKey(
+        "raw",
+        encoder.encode(pin),
+        { name: "PBKDF2" },
+        false,
+        ["deriveBits"]
+      );
+      const derivedBits = await window.crypto.subtle.deriveBits(
+        {
+          name: "PBKDF2",
+          salt: encoder.encode(deviceFingerprint),
+          iterations: 1e5,
+          // High iteration count for security
+          hash: "SHA-256"
+        },
+        keyMaterial,
+        256
+        // 256 bits = 32 bytes for AES-256
+      );
+      return new Uint8Array(derivedBits);
+    } else {
+      const salt = crypto.createHash("sha256").update(deviceFingerprint).digest();
+      return crypto.pbkdf2Sync(pin, salt, 1e5, 32, "sha256");
+    }
+  }
+  /**
+   * Generate random nonce for AES-GCM (12 bytes)
+   */
+  static generateNonce() {
+    if (typeof window !== "undefined" && window.crypto) {
+      return window.crypto.getRandomValues(new Uint8Array(12));
+    } else {
+      return crypto.randomBytes(12);
+    }
+  }
+  /**
+   * Encrypt with AES-256-GCM
+   */
+  static async aesEncrypt(plaintext, key, nonce) {
+    if (typeof window !== "undefined" && window.crypto && window.crypto.subtle) {
+      const keyBuffer = key.buffer.slice(key.byteOffset, key.byteOffset + key.byteLength);
+      const nonceBuffer = nonce.buffer.slice(nonce.byteOffset, nonce.byteOffset + nonce.byteLength);
+      const plaintextBuffer = plaintext.buffer.slice(plaintext.byteOffset, plaintext.byteOffset + plaintext.byteLength);
+      const cryptoKey = await window.crypto.subtle.importKey(
+        "raw",
+        keyBuffer,
+        { name: "AES-GCM" },
+        false,
+        ["encrypt"]
+      );
+      const encrypted = await window.crypto.subtle.encrypt(
+        {
+          name: "AES-GCM",
+          iv: nonceBuffer
+        },
+        cryptoKey,
+        plaintextBuffer
+      );
+      return new Uint8Array(encrypted);
+    } else {
+      const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
+      const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+      const authTag = cipher.getAuthTag();
+      return new Uint8Array(Buffer.concat([encrypted, authTag]));
+    }
+  }
+  /**
+   * Decrypt with AES-256-GCM
+   */
+  static async aesDecrypt(ciphertext, key, nonce) {
+    if (typeof window !== "undefined" && window.crypto && window.crypto.subtle) {
+      const keyBuffer = key.buffer.slice(key.byteOffset, key.byteOffset + key.byteLength);
+      const nonceBuffer = nonce.buffer.slice(nonce.byteOffset, nonce.byteOffset + nonce.byteLength);
+      const ciphertextBuffer = ciphertext.buffer.slice(ciphertext.byteOffset, ciphertext.byteOffset + ciphertext.byteLength);
+      const cryptoKey = await window.crypto.subtle.importKey(
+        "raw",
+        keyBuffer,
+        { name: "AES-GCM" },
+        false,
+        ["decrypt"]
+      );
+      const decrypted = await window.crypto.subtle.decrypt(
+        {
+          name: "AES-GCM",
+          iv: nonceBuffer
+        },
+        cryptoKey,
+        ciphertextBuffer
+      );
+      return new Uint8Array(decrypted);
+    } else {
+      const authTag = ciphertext.slice(-16);
+      const encrypted = ciphertext.slice(0, -16);
+      const decipher = crypto.createDecipheriv("aes-256-gcm", key, nonce);
+      decipher.setAuthTag(authTag);
+      const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+      return new Uint8Array(decrypted);
+    }
+  }
+};
+var RecoveryQRGenerator = class {
+  /**
+   * Generate recovery QR data
+   * This allows users to recover their session key on a new device
+   */
+  static generate(encrypted) {
+    return {
+      encryptedSessionKey: encrypted.encryptedData,
+      nonce: encrypted.nonce,
+      publicKey: encrypted.publicKey,
+      version: "v1",
+      createdAt: Date.now()
+    };
+  }
+  /**
+   * Encode recovery QR as JSON string
+   */
+  static encode(recoveryQR) {
+    return JSON.stringify(recoveryQR);
+  }
+  /**
+   * Decode recovery QR from JSON string
+   */
+  static decode(qrData) {
+    try {
+      const parsed = JSON.parse(qrData);
+      if (!parsed.encryptedSessionKey || !parsed.nonce || !parsed.publicKey) {
+        throw new Error("Invalid recovery QR data");
+      }
+      return parsed;
+    } catch (error) {
+      throw new Error("Failed to decode recovery QR");
+    }
+  }
+  /**
+   * Re-encrypt session key for new device
+   */
+  static async reEncryptForNewDevice(recoveryQR, oldPin, oldDeviceFingerprint, newPin, newDeviceFingerprint) {
+    const oldEncrypted = {
+      encryptedData: recoveryQR.encryptedSessionKey,
+      nonce: recoveryQR.nonce,
+      publicKey: recoveryQR.publicKey,
+      deviceFingerprint: oldDeviceFingerprint,
+      version: "argon2id-aes256gcm-v1"
+    };
+    const keypair = await SessionKeyCrypto.decrypt(oldEncrypted, oldPin, oldDeviceFingerprint);
+    return await SessionKeyCrypto.encrypt(keypair, newPin, newDeviceFingerprint);
+  }
+};
+var DeviceBoundSessionKey = class _DeviceBoundSessionKey {
+  encrypted = null;
+  deviceFingerprint = null;
+  sessionKeyId = null;
+  recoveryQR = null;
+  // Auto-signing cache: decrypted keypair stored in memory
+  // Enables instant signing without re-entering PIN for subsequent payments
+  cachedKeypair = null;
+  cacheExpiry = null;
+  // Timestamp when cache expires
+  DEFAULT_CACHE_TTL_MS = 30 * 60 * 1e3;
+  // 30 minutes
+  /**
+   * Create a new device-bound session key
+   */
+  static async create(options) {
+    const deviceFingerprint = await DeviceFingerprintGenerator.generate();
+    const keypair = import_web3.Keypair.generate();
+    const encrypted = await SessionKeyCrypto.encrypt(
+      keypair,
+      options.pin,
+      deviceFingerprint.fingerprint
+    );
+    const instance = new _DeviceBoundSessionKey();
+    instance.encrypted = encrypted;
+    instance.deviceFingerprint = deviceFingerprint;
+    if (options.generateRecoveryQR) {
+      instance.recoveryQR = RecoveryQRGenerator.generate(encrypted);
+    }
+    return instance;
+  }
+  /**
+   * Get encrypted data for backend storage
+   */
+  getEncryptedData() {
+    if (!this.encrypted) {
+      throw new Error("Session key not created yet");
+    }
+    return this.encrypted;
+  }
+  /**
+   * Get device fingerprint
+   */
+  getDeviceFingerprint() {
+    if (!this.deviceFingerprint) {
+      throw new Error("Device fingerprint not generated yet");
+    }
+    return this.deviceFingerprint.fingerprint;
+  }
+  /**
+   * Get public key
+   */
+  getPublicKey() {
+    if (!this.encrypted) {
+      throw new Error("Session key not created yet");
+    }
+    return this.encrypted.publicKey;
+  }
+  /**
+   * Get recovery QR data (if generated)
+   */
+  getRecoveryQR() {
+    return this.recoveryQR;
+  }
+  /**
+   * Decrypt and sign a transaction
+   * 
+   * @param transaction - The transaction to sign
+   * @param pin - User's PIN (required only if keypair not cached)
+   * @param cacheKeypair - Whether to cache the decrypted keypair for future use (default: true)
+   * @param cacheTTL - Cache time-to-live in milliseconds (default: 30 minutes)
+   * 
+   * @example
+   * ```typescript
+   * // First payment: requires PIN, caches keypair
+   * await sessionKey.signTransaction(tx1, '123456', true);
+   * 
+   * // Subsequent payments: uses cached keypair, no PIN needed!
+   * await sessionKey.signTransaction(tx2, '', false); // PIN ignored if cached
+   * 
+   * // Clear cache when done
+   * sessionKey.clearCache();
+   * ```
+   */
+  async signTransaction(transaction, pin = "", cacheKeypair = true, cacheTTL) {
+    if (!this.encrypted || !this.deviceFingerprint) {
+      throw new Error("Session key not initialized");
+    }
+    let keypair;
+    if (this.isCached()) {
+      keypair = this.cachedKeypair;
+      if (typeof console !== "undefined") {
+        console.log("\u{1F680} Using cached keypair - instant signing (no PIN required)");
+      }
+    } else {
+      if (!pin) {
+        throw new Error("PIN required: no cached keypair available");
       }
+      keypair = await SessionKeyCrypto.decrypt(
+        this.encrypted,
+        pin,
+        this.deviceFingerprint.fingerprint
+      );
+      if (cacheKeypair) {
+        const ttl = cacheTTL || this.DEFAULT_CACHE_TTL_MS;
+        this.cacheKeypair(keypair, ttl);
+        if (typeof console !== "undefined") {
+          console.log(`\u2705 Keypair decrypted and cached for ${ttl / 1e3 / 60} minutes`);
+        }
+      }
+    }
+    transaction.sign(keypair);
+    return transaction;
+  }
+  /**
+   * Check if keypair is cached and valid
+   */
+  isCached() {
+    if (!this.cachedKeypair || !this.cacheExpiry) {
+      return false;
+    }
+    const now = Date.now();
+    if (now > this.cacheExpiry) {
+      this.clearCache();
       return false;
     }
+    return true;
+  }
+  /**
+   * Manually cache a keypair
+   * Called internally after PIN decryption
+   */
+  cacheKeypair(keypair, ttl) {
+    this.cachedKeypair = keypair;
+    this.cacheExpiry = Date.now() + ttl;
+  }
+  /**
+   * Clear cached keypair
+   * Should be called when user logs out or session ends
+   * 
+   * @example
+   * ```typescript
+   * // Clear cache on logout
+   * sessionKey.clearCache();
+   * 
+   * // Or clear automatically on tab close
+   * window.addEventListener('beforeunload', () => {
+   *   sessionKey.clearCache();
+   * });
+   * ```
+   */
+  clearCache() {
+    this.cachedKeypair = null;
+    this.cacheExpiry = null;
+    if (typeof console !== "undefined") {
+      console.log("\u{1F9F9} Keypair cache cleared");
+    }
+  }
+  /**
+   * Decrypt and cache keypair without signing a transaction
+   * Useful for pre-warming the cache before user makes payments
+   * 
+   * @example
+   * ```typescript
+   * // After session key creation, decrypt and cache
+   * await sessionKey.unlockWithPin('123456');
+   * 
+   * // Now all subsequent payments are instant (no PIN)
+   * await sessionKey.signTransaction(tx1, '', false); // Instant!
+   * await sessionKey.signTransaction(tx2, '', false); // Instant!
+   * ```
+   */
+  async unlockWithPin(pin, cacheTTL) {
+    if (!this.encrypted || !this.deviceFingerprint) {
+      throw new Error("Session key not initialized");
+    }
+    const keypair = await SessionKeyCrypto.decrypt(
+      this.encrypted,
+      pin,
+      this.deviceFingerprint.fingerprint
+    );
+    const ttl = cacheTTL || this.DEFAULT_CACHE_TTL_MS;
+    this.cacheKeypair(keypair, ttl);
+    if (typeof console !== "undefined") {
+      console.log(`\u{1F513} Session key unlocked and cached for ${ttl / 1e3 / 60} minutes`);
+    }
+  }
+  /**
+   * Get time remaining until cache expires (in milliseconds)
+   * Returns 0 if not cached
+   */
+  getCacheTimeRemaining() {
+    if (!this.isCached() || !this.cacheExpiry) {
+      return 0;
+    }
+    const remaining = this.cacheExpiry - Date.now();
+    return Math.max(0, remaining);
+  }
+  /**
+   * Extend cache expiry time
+   * Useful to keep session active during user activity
+   * 
+   * @example
+   * ```typescript
+   * // Extend cache by 15 minutes on each payment
+   * await sessionKey.signTransaction(tx, '');
+   * sessionKey.extendCache(15 * 60 * 1000);
+   * ```
+   */
+  extendCache(additionalTTL) {
+    if (!this.isCached()) {
+      throw new Error("Cannot extend cache: no cached keypair");
+    }
+    this.cacheExpiry += additionalTTL;
+    if (typeof console !== "undefined") {
+      const remainingMinutes = this.getCacheTimeRemaining() / 1e3 / 60;
+      console.log(`\u23F0 Cache extended - ${remainingMinutes.toFixed(1)} minutes remaining`);
+    }
+  }
+  /**
+   * Set session key ID after backend creation
+   */
+  setSessionKeyId(id) {
+    this.sessionKeyId = id;
+  }
+  /**
+   * Get session key ID
+   */
+  getSessionKeyId() {
+    if (!this.sessionKeyId) {
+      throw new Error("Session key not registered with backend");
+    }
+    return this.sessionKeyId;
+  }
+};
+
+// src/device-bound-session-keys.ts
+var import_web32 = require("@solana/web3.js");
+var ZendFiSessionKeyManager = class {
+  baseURL;
+  apiKey;
+  sessionKey = null;
+  sessionKeyId = null;
+  constructor(apiKey, baseURL = "https://api.zendfi.com") {
+    this.apiKey = apiKey;
+    this.baseURL = baseURL;
   }
   /**
-   * Compute HMAC-SHA256 signature
-   * Works in both Node.js and browser environments
+   * Create a new device-bound session key
+   * 
+   * @example
+   * ```typescript
+   * const manager = new ZendFiSessionKeyManager('your-api-key');
+   * 
+   * const sessionKey = await manager.createSessionKey({
+   *   userWallet: '7xKNH....',
+   *   limitUSDC: 100,
+   *   durationDays: 7,
+   *   pin: '123456',
+   *   generateRecoveryQR: true,
+   * });
+   * 
+   * console.log('Session key created:', sessionKey.sessionKeyId);
+   * console.log('Recovery QR:', sessionKey.recoveryQR);
+   * ```
    */
-  computeHmacSignature(payload, secret) {
-    if (typeof process !== "undefined" && process.versions?.node) {
-      return (0, import_crypto.createHmac)("sha256", secret).update(payload, "utf8").digest("hex");
+  async createSessionKey(options) {
+    const sessionKey = await DeviceBoundSessionKey.create({
+      pin: options.pin,
+      limitUSDC: options.limitUSDC,
+      durationDays: options.durationDays,
+      userWallet: options.userWallet,
+      generateRecoveryQR: options.generateRecoveryQR
+    });
+    const encrypted = sessionKey.getEncryptedData();
+    let recoveryQR;
+    if (options.generateRecoveryQR) {
+      const qr = RecoveryQRGenerator.generate(encrypted);
+      recoveryQR = RecoveryQRGenerator.encode(qr);
     }
-    throw new Error(
-      "Webhook verification in browser is not supported. Use this method in your backend/server environment."
+    const request = {
+      userWallet: options.userWallet,
+      limitUsdc: options.limitUSDC,
+      durationDays: options.durationDays,
+      encryptedSessionKey: encrypted.encryptedData,
+      nonce: encrypted.nonce,
+      sessionPublicKey: encrypted.publicKey,
+      deviceFingerprint: sessionKey.getDeviceFingerprint(),
+      recoveryQrData: recoveryQR
+    };
+    const response = await this.request(
+      "POST",
+      "/api/v1/ai/session-keys/device-bound/create",
+      request
     );
+    this.sessionKey = sessionKey;
+    this.sessionKeyId = response.sessionKeyId;
+    sessionKey.setSessionKeyId(response.sessionKeyId);
+    return {
+      sessionKeyId: response.sessionKeyId,
+      sessionWallet: response.sessionWallet,
+      expiresAt: response.expiresAt,
+      recoveryQR,
+      limitUsdc: response.limitUsdc
+    };
   }
   /**
-   * Timing-safe string comparison to prevent timing attacks
+   * Load an existing session key from backend
+   * Requires PIN to decrypt
    */
-  timingSafeEqual(a, b) {
-    if (a.length !== b.length) {
-      return false;
-    }
-    if (typeof process !== "undefined" && process.versions?.node) {
-      try {
-        const bufferA = Buffer.from(a, "utf8");
-        const bufferB = Buffer.from(b, "utf8");
-        return (0, import_crypto.timingSafeEqual)(bufferA, bufferB);
-      } catch {
+  async loadSessionKey(sessionKeyId, pin) {
+    const deviceInfo = await DeviceFingerprintGenerator.generate();
+    const response = await this.request(
+      "POST",
+      "/api/v1/ai/session-keys/device-bound/get-encrypted",
+      {
+        sessionKeyId,
+        deviceFingerprint: deviceInfo.fingerprint
       }
+    );
+    if (!response.deviceFingerprintValid) {
+      throw new Error(
+        "Device fingerprint mismatch - this session key was created on a different device. Use recovery QR to migrate."
+      );
     }
-    let result = 0;
-    for (let i = 0; i < a.length; i++) {
-      result |= a.charCodeAt(i) ^ b.charCodeAt(i);
-    }
-    return result === 0;
+    const encrypted = {
+      encryptedData: response.encryptedSessionKey,
+      nonce: response.nonce,
+      publicKey: "",
+      // Will be populated after decryption
+      deviceFingerprint: deviceInfo.fingerprint,
+      version: "argon2id-aes256gcm-v1"
+    };
+    const keypair = await SessionKeyCrypto.decrypt(encrypted, pin, deviceInfo.fingerprint);
+    encrypted.publicKey = keypair.publicKey.toBase58();
+    this.sessionKey = new DeviceBoundSessionKey();
+    this.sessionKey.encrypted = encrypted;
+    this.sessionKey.deviceFingerprint = deviceInfo;
+    this.sessionKey.setSessionKeyId(sessionKeyId);
+    this.sessionKeyId = sessionKeyId;
   }
   /**
-   * Make an HTTP request with retry logic
+   * Make a payment using the session key
+   * 
+   * First payment: Requires PIN to decrypt session key
+   * Subsequent payments: Uses cached keypair (no PIN needed!) ✨
+   * 
+   * @example
+   * ```typescript
+   * // First payment: requires PIN
+   * const result1 = await manager.makePayment({
+   *   amount: 5.0,
+   *   recipient: '7xKNH....',
+   *   pin: '123456',
+   *   description: 'Coffee purchase',
+   * });
+   * 
+   * // Second payment: NO PIN NEEDED! Instant signing!
+   * const result2 = await manager.makePayment({
+   *   amount: 3.0,
+   *   recipient: '7xKNH....',
+   *   description: 'Donut purchase',
+   * }); // <- No PIN! Uses cached keypair
+   * 
+   * console.log('Payment signature:', result2.signature);
+   * 
+   * // Disable auto-signing for single payment
+   * const result3 = await manager.makePayment({
+   *   amount: 100.0,
+   *   recipient: '7xKNH....',
+   *   pin: '123456',
+   *   enableAutoSign: false, // Will require PIN every time
+   * });
+   * ```
    */
-  async request(method, endpoint, data, options = {}) {
-    const attempt = options.attempt || 1;
-    const idempotencyKey = options.idempotencyKey || (this.config.idempotencyEnabled && method !== "GET" ? generateIdempotencyKey() : void 0);
-    try {
-      const url = `${this.config.baseURL}${endpoint}`;
-      const headers = {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${this.config.apiKey}`
+  async makePayment(options) {
+    if (!this.sessionKey || !this.sessionKeyId) {
+      throw new Error("No session key loaded. Call createSessionKey() or loadSessionKey() first.");
+    }
+    const enableAutoSign = options.enableAutoSign !== false;
+    const needsPin = !this.sessionKey.isCached();
+    if (needsPin && !options.pin) {
+      throw new Error(
+        "PIN required: no cached keypair available. Please provide PIN or call unlockSessionKey() first."
+      );
+    }
+    const paymentResponse = await this.request("POST", "/api/v1/ai/smart-payment", {
+      amount_usd: options.amount,
+      user_wallet: options.recipient,
+      token: options.token || "USDC",
+      description: options.description
+    }, {
+      "X-Session-Key-ID": this.sessionKeyId
+    });
+    if (!paymentResponse.requires_signature && paymentResponse.status === "confirmed") {
+      return {
+        paymentId: paymentResponse.paymentId,
+        signature: "",
+        // Backend signed
+        status: paymentResponse.status
       };
-      if (idempotencyKey) {
-        headers["Idempotency-Key"] = idempotencyKey;
-      }
-      const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), this.config.timeout);
-      const response = await (0, import_cross_fetch.default)(url, {
-        method,
-        headers,
-        body: data ? JSON.stringify(data) : void 0,
-        signal: controller.signal
-      });
-      clearTimeout(timeoutId);
-      let body;
-      try {
-        body = await response.json();
-      } catch {
-        body = null;
-      }
-      if (!response.ok) {
-        const error = parseError(response, body);
-        if (response.status >= 500 && attempt < this.config.retries) {
-          const delay = Math.pow(2, attempt) * 1e3;
-          await sleep(delay);
-          return this.request(method, endpoint, data, {
-            idempotencyKey,
-            attempt: attempt + 1
-          });
-        }
-        throw error;
-      }
-      return body;
-    } catch (error) {
-      if (error.name === "AbortError") {
-        throw new Error(`Request timeout after ${this.config.timeout}ms`);
-      }
-      if (attempt < this.config.retries && error.message?.includes("fetch")) {
-        const delay = Math.pow(2, attempt) * 1e3;
-        await sleep(delay);
-        return this.request(method, endpoint, data, {
-          idempotencyKey,
-          attempt: attempt + 1
-        });
-      }
-      throw error;
     }
-  }
-};
-var zendfi = (() => {
-  try {
-    return new ZendFiClient();
-  } catch (error) {
-    if (process.env.NODE_ENV === "test" || !process.env.ZENDFI_API_KEY) {
-      return new Proxy({}, {
-        get() {
-          throw new Error(
-            'ZendFi singleton not initialized. Set ZENDFI_API_KEY environment variable or create a custom instance: new ZendFiClient({ apiKey: "..." })'
-          );
-        }
-      });
+    if (!paymentResponse.unsigned_transaction) {
+      throw new Error("Backend did not return unsigned transaction");
     }
-    throw error;
+    const transactionBuffer = Buffer.from(paymentResponse.unsigned_transaction, "base64");
+    const transaction = import_web32.Transaction.from(transactionBuffer);
+    const signedTransaction = await this.sessionKey.signTransaction(
+      transaction,
+      options.pin || "",
+      // PIN only needed if not cached
+      enableAutoSign
+      // Cache for future payments
+    );
+    const submitResponse = await this.request("POST", `/api/v1/ai/payments/${paymentResponse.paymentId}/submit-signed`, {
+      signed_transaction: signedTransaction.serialize().toString("base64")
+    });
+    return {
+      paymentId: paymentResponse.paymentId,
+      signature: submitResponse.signature,
+      status: submitResponse.status
+    };
   }
-})();
-
-// src/webhooks.ts
-async function verifyNextWebhook(request, secret) {
-  try {
-    const payload = await request.text();
-    const signature = request.headers.get("x-zendfi-signature");
-    if (!signature) {
-      return null;
-    }
-    const webhookSecret = secret || process.env.ZENDFI_WEBHOOK_SECRET;
-    if (!webhookSecret) {
-      throw new Error("ZENDFI_WEBHOOK_SECRET not configured");
+  /**
+   * Recover session key on new device
+   * Requires recovery QR and PIN from original device
+   * 
+   * @example
+   * ```typescript
+   * const recovered = await manager.recoverSessionKey({
+   *   sessionKeyId: 'uuid...',
+   *   recoveryQR: '{"encryptedSessionKey":"..."}',
+   *   oldPin: '123456',
+   *   newPin: '654321',
+   * });
+   * ```
+   */
+  async recoverSessionKey(options) {
+    const recoveryData = RecoveryQRGenerator.decode(options.recoveryQR);
+    const oldDeviceFingerprint = "recovery-mode";
+    const newDeviceInfo = await DeviceFingerprintGenerator.generate();
+    const newEncrypted = await RecoveryQRGenerator.reEncryptForNewDevice(
+      recoveryData,
+      options.oldPin,
+      oldDeviceFingerprint,
+      options.newPin,
+      newDeviceInfo.fingerprint
+    );
+    await this.request("POST", `/api/v1/ai/session-keys/device-bound/${options.sessionKeyId}/recover`, {
+      recoveryQrData: options.recoveryQR,
+      newDeviceFingerprint: newDeviceInfo.fingerprint,
+      newEncryptedSessionKey: newEncrypted.encryptedData,
+      newNonce: newEncrypted.nonce
+    });
+    await this.loadSessionKey(options.sessionKeyId, options.newPin);
+  }
+  /**
+   * Revoke session key
+   */
+  async revokeSessionKey(sessionKeyId) {
+    const keyId = sessionKeyId || this.sessionKeyId;
+    if (!keyId) {
+      throw new Error("No session key ID provided");
     }
-    const isValid = zendfi.verifyWebhook({
-      payload,
-      signature,
-      secret: webhookSecret
+    await this.request("POST", "/api/v1/ai/session-keys/revoke", {
+      session_key_id: keyId
     });
-    if (!isValid) {
-      return null;
+    if (keyId === this.sessionKeyId) {
+      this.sessionKey = null;
+      this.sessionKeyId = null;
     }
-    return JSON.parse(payload);
-  } catch {
-    return null;
   }
-}
-async function verifyExpressWebhook(request, secret) {
-  try {
-    const payload = request.rawBody || JSON.stringify(request.body);
-    const signature = request.headers["x-zendfi-signature"];
-    if (!signature) {
-      return null;
+  /**
+   * Unlock session key with PIN and cache for auto-signing
+   * Call this after creating/loading session key to enable instant payments
+   * 
+   * @example
+   * ```typescript
+   * // Create session key
+   * await manager.createSessionKey({...});
+   * 
+   * // Unlock with PIN (one-time)
+   * await manager.unlockSessionKey('123456');
+   * 
+   * // Now all payments are instant (no PIN!)
+   * await manager.makePayment({amount: 5, ...}); // Instant!
+   * await manager.makePayment({amount: 3, ...}); // Instant!
+   * ```
+   */
+  async unlockSessionKey(pin, cacheTTL) {
+    if (!this.sessionKey) {
+      throw new Error("No session key loaded");
     }
-    const webhookSecret = secret || process.env.ZENDFI_WEBHOOK_SECRET;
-    if (!webhookSecret) {
-      throw new Error("ZENDFI_WEBHOOK_SECRET not configured");
+    await this.sessionKey.unlockWithPin(pin, cacheTTL);
+  }
+  /**
+   * Clear cached keypair
+   * Should be called on logout or when session ends
+   * 
+   * @example
+   * ```typescript
+   * // Clear on logout
+   * manager.clearCache();
+   * 
+   * // Or auto-clear on tab close
+   * window.addEventListener('beforeunload', () => {
+   *   manager.clearCache();
+   * });
+   * ```
+   */
+  clearCache() {
+    if (this.sessionKey) {
+      this.sessionKey.clearCache();
     }
-    const isValid = zendfi.verifyWebhook({
-      payload,
-      signature,
-      secret: webhookSecret
+  }
+  /**
+   * Check if keypair is cached (auto-signing enabled)
+   */
+  isCached() {
+    return this.sessionKey?.isCached() || false;
+  }
+  /**
+   * Get time remaining until cache expires (in milliseconds)
+   */
+  getCacheTimeRemaining() {
+    return this.sessionKey?.getCacheTimeRemaining() || 0;
+  }
+  /**
+   * Extend cache expiry time
+   * Useful to keep session active during user activity
+   */
+  extendCache(additionalTTL) {
+    if (!this.sessionKey) {
+      throw new Error("No session key loaded");
+    }
+    this.sessionKey.extendCache(additionalTTL);
+  }
+  /**
+   * Get session key status
+   */
+  async getStatus(sessionKeyId) {
+    const keyId = sessionKeyId || this.sessionKeyId;
+    if (!keyId) {
+      throw new Error("No session key ID provided");
+    }
+    return await this.request("POST", "/api/v1/ai/session-keys/status", {
+      session_key_id: keyId
     });
-    if (!isValid) {
-      return null;
+  }
+  // ============================================
+  // Private HTTP Helper
+  // ============================================
+  async request(method, path, body, additionalHeaders) {
+    const url = `${this.baseURL}${path}`;
+    const headers = {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${this.apiKey}`,
+      ...additionalHeaders
+    };
+    const response = await fetch(url, {
+      method,
+      headers,
+      body: body ? JSON.stringify(body) : void 0
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({ error: "Unknown error" }));
+      throw new Error(`API Error: ${error.error || response.statusText}`);
     }
-    return JSON.parse(payload);
-  } catch {
-    return null;
+    return await response.json();
   }
-}
-function verifyWebhookSignature(payload, signature, secret) {
-  return zendfi.verifyWebhook({
-    payload,
-    signature,
-    secret
-  });
-}
+};
 
 // src/webhook-handler.ts
 var import_crypto2 = require("crypto");
@@ -845,16 +3057,197 @@ async function processWebhook(a, b, c) {
     };
   }
 }
+
+// src/lit-crypto-signer.ts
+var SPENDING_LIMIT_ACTION_CID = "QmXXunoMeNhXhnr4onzBuvnMzDqH8rf1qdM94RKXayypX3";
+var LitCryptoSigner = class {
+  config;
+  litNodeClient = null;
+  connected = false;
+  constructor(config = {}) {
+    this.config = {
+      network: config.network || "datil-dev",
+      apiEndpoint: config.apiEndpoint || "https://api.zendfi.tech",
+      apiKey: config.apiKey || "",
+      debug: config.debug || false
+    };
+  }
+  async connect() {
+    if (this.connected && this.litNodeClient) {
+      return;
+    }
+    this.log("Connecting to Lit Protocol network:", this.config.network);
+    const { LitNodeClient } = await import("@lit-protocol/lit-node-client");
+    this.litNodeClient = new LitNodeClient({
+      litNetwork: this.config.network,
+      debug: this.config.debug
+    });
+    await this.litNodeClient.connect();
+    this.connected = true;
+    this.log("Connected to Lit Protocol");
+  }
+  async disconnect() {
+    if (this.litNodeClient) {
+      await this.litNodeClient.disconnect();
+      this.litNodeClient = null;
+      this.connected = false;
+    }
+  }
+  async signPayment(params) {
+    if (!this.connected || !this.litNodeClient) {
+      throw new Error("Not connected to Lit Protocol. Call connect() first.");
+    }
+    this.log("Signing payment with Lit Protocol");
+    this.log("  Session:", params.sessionId);
+    this.log("  Amount: $" + params.amountUsd);
+    try {
+      let sessionSigs = params.sessionSigs;
+      if (!sessionSigs) {
+        sessionSigs = await this.getSessionSigs(params.pkpPublicKey);
+      }
+      const result = await this.litNodeClient.executeJs({
+        ipfsId: SPENDING_LIMIT_ACTION_CID,
+        sessionSigs,
+        jsParams: {
+          sessionId: params.sessionId,
+          requestedAmountUsd: params.amountUsd,
+          merchantId: params.merchantId,
+          transactionToSign: params.transactionToSign,
+          apiEndpoint: this.config.apiEndpoint,
+          apiKey: this.config.apiKey,
+          pkpPublicKey: params.pkpPublicKey
+        }
+      });
+      this.log("Lit Action result:", result);
+      const response = JSON.parse(result.response);
+      return {
+        success: response.success,
+        signature: response.signature,
+        publicKey: response.publicKey,
+        recid: response.recid,
+        sessionId: response.session_id,
+        amountUsd: response.amount_usd,
+        remainingBudget: response.remaining_budget,
+        cryptoEnforced: response.crypto_enforced ?? true,
+        error: response.error,
+        code: response.code,
+        currentSpent: response.current_spent,
+        limit: response.limit,
+        remaining: response.remaining
+      };
+    } catch (error) {
+      this.log("Lit signing error:", error);
+      return {
+        success: false,
+        cryptoEnforced: true,
+        error: error instanceof Error ? error.message : "Unknown error",
+        code: "LIT_ERROR"
+      };
+    }
+  }
+  async getSessionSigs(pkpPublicKey) {
+    this.log("Generating Lit session signatures");
+    if (typeof window !== "undefined" && window.ethereum) {
+      const { ethers } = await import("ethers");
+      const provider = new ethers.BrowserProvider(window.ethereum);
+      const signer = await provider.getSigner();
+      const { LitAbility, LitPKPResource } = await import("@lit-protocol/auth-helpers");
+      const sessionSigs = await this.litNodeClient.getSessionSigs({
+        pkpPublicKey,
+        chain: "ethereum",
+        expiration: new Date(Date.now() + 1e3 * 60 * 10).toISOString(),
+        resourceAbilityRequests: [
+          {
+            resource: new LitPKPResource("*"),
+            ability: LitAbility.PKPSigning
+          }
+        ],
+        authNeededCallback: async (params) => {
+          const message = params.message;
+          const signature = await signer.signMessage(message);
+          return {
+            sig: signature,
+            derivedVia: "web3.eth.personal.sign",
+            signedMessage: message,
+            address: await signer.getAddress()
+          };
+        }
+      });
+      return sessionSigs;
+    }
+    throw new Error(
+      "No wallet available. In browser, ensure MetaMask or similar is connected. In Node.js, pass pre-generated sessionSigs to signPayment()."
+    );
+  }
+  log(...args) {
+    if (this.config.debug) {
+      console.log("[LitCryptoSigner]", ...args);
+    }
+  }
+};
+function requiresLitSigning(session) {
+  return session.crypto_enforced === true || session.mint_pkp === true;
+}
+function encodeTransactionForLit(transaction) {
+  const bytes = transaction instanceof Uint8Array ? transaction : new Uint8Array(transaction);
+  return btoa(String.fromCharCode(...bytes));
+}
+function decodeSignatureFromLit(result) {
+  if (!result.success || !result.signature) {
+    return null;
+  }
+  const hex = result.signature.startsWith("0x") ? result.signature.slice(2) : result.signature;
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substr(i, 2), 16);
+  }
+  return bytes;
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  AgentAPI,
+  ApiError,
   AuthenticationError,
+  AutonomyAPI,
   ConfigLoader,
+  DeviceBoundSessionKey,
+  DeviceFingerprintGenerator,
+  ERROR_CODES,
+  InterceptorManager,
+  LitCryptoSigner,
   NetworkError,
+  PaymentError,
+  PaymentIntentsAPI,
+  PricingAPI,
   RateLimitError,
+  RateLimiter,
+  RecoveryQRGenerator,
+  SPENDING_LIMIT_ACTION_CID,
+  SessionKeyCrypto,
+  SmartPaymentsAPI,
   ValidationError,
+  WebhookError,
   ZendFiClient,
   ZendFiError,
+  ZendFiSessionKeyManager,
+  asAgentKeyId,
+  asEscrowId,
+  asInstallmentPlanId,
+  asIntentId,
+  asInvoiceId,
+  asMerchantId,
+  asPaymentId,
+  asPaymentLinkCode,
+  asSessionId,
+  asSubscriptionId,
+  createZendFiError,
+  decodeSignatureFromLit,
+  encodeTransactionForLit,
+  generateIdempotencyKey,
+  isZendFiError,
   processWebhook,
+  requiresLitSigning,
+  sleep,
   verifyExpressWebhook,
   verifyNextWebhook,
   verifyWebhookSignature,