docs(sdk): sync auth-client@2.18.0

src/pages/sdk/auth-client/README.mdx

@@ -23,6 +23,7 @@ export const metadata = {
 - [OcSessionState](interfaces/OcSessionState.mdx)
 - [OcSignInButtonProps](interfaces/OcSignInButtonProps.mdx)
 - [OcSignInProps](interfaces/OcSignInProps.mdx)
+- [OcTabSession](interfaces/OcTabSession.mdx)
 - [RedirectToSudoArgs](interfaces/RedirectToSudoArgs.mdx)
 - [UseOcAddressSuggestionOptions](interfaces/UseOcAddressSuggestionOptions.mdx)
 - [UseOcAddressSuggestionReturn](interfaces/UseOcAddressSuggestionReturn.mdx)
@@ -49,23 +50,32 @@ export const metadata = {
 - [DEFAULT\_CONFIG](variables/DEFAULT_CONFIG.mdx)
 - [DISPLAY\_IDENTITY\_KINDS](variables/DISPLAY_IDENTITY_KINDS.mdx)
 - [OcAddressInput](variables/OcAddressInput.mdx)
+- [TAB\_ADOPT\_HASH](variables/TAB_ADOPT_HASH.mdx)
+- [TAB\_SESSION\_HEADER](variables/TAB_SESSION_HEADER.mdx)
+- [TAB\_SESSION\_STORAGE\_KEY](variables/TAB_SESSION_STORAGE_KEY.mdx)
 
 ## Functions
 
 - [buildAddAccountUrl](functions/buildAddAccountUrl.mdx)
 - [buildSignInUrl](functions/buildSignInUrl.mdx)
+- [clearTabSession](functions/clearTabSession.mdx)
+- [consumeTabAdoptMarker](functions/consumeTabAdoptMarker.mdx)
 - [fetchOcLinkedIdentities](functions/fetchOcLinkedIdentities.mdx)
 - [handleSudoRequired](functions/handleSudoRequired.mdx)
+- [installTabFetchInterceptor](functions/installTabFetchInterceptor.mdx)
 - [OcAccountChip](functions/OcAccountChip.mdx)
 - [OcAccountPill](functions/OcAccountPill.mdx)
 - [OcLinkedIdentities](functions/OcLinkedIdentities.mdx)
 - [OcSessionProvider](functions/OcSessionProvider.mdx)
 - [OcSignIn](functions/OcSignIn.mdx)
 - [OcSignInButton](functions/OcSignInButton.mdx)
+- [readTabSession](functions/readTabSession.mdx)
 - [redirectToSudo](functions/redirectToSudo.mdx)
+- [tabSessionHeader](functions/tabSessionHeader.mdx)
 - [useOcAddressSuggestion](functions/useOcAddressSuggestion.mdx)
 - [useOcSession](functions/useOcSession.mdx)
 - [useOptionalOcSession](functions/useOptionalOcSession.mdx)
 - [useStepUpAuth](functions/useStepUpAuth.mdx)
 - [useWebAuthnList](functions/useWebAuthnList.mdx)
 - [useWebAuthnRegister](functions/useWebAuthnRegister.mdx)
+- [writeTabSession](functions/writeTabSession.mdx)

src/pages/sdk/auth-client/functions/OcSessionProvider.mdx

@@ -15,7 +15,7 @@ export const metadata = {
 function OcSessionProvider(__namedParameters: OcSessionProviderProps): ReactElement;
 ```
 
-Defined in: [provider.tsx:180](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/provider.tsx#L180)
+Defined in: [provider.tsx:190](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/provider.tsx#L190)
 
 Top-level provider that exposes the cross-subdomain oc_session to every
 component below it. Mount once, near the root of your tree.

src/pages/sdk/auth-client/functions/OcSignIn.mdx

@@ -15,7 +15,7 @@ export const metadata = {
 function OcSignIn(__namedParameters: OcSignInProps): ReactElement;
 ```
 
-Defined in: [signin.tsx:163](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L163)
+Defined in: [signin.tsx:191](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/signin.tsx#L191)
 
 ## Parameters
 

src/pages/sdk/auth-client/functions/buildAddAccountUrl.mdx

@@ -15,7 +15,7 @@ export const metadata = {
 function buildAddAccountUrl(cfg: Required<OcAuthConfig>, returnTo?: string): string;
 ```
 
-Defined in: [types.ts:246](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L246)
+Defined in: [types.ts:255](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L255)
 
 Multi-account · build the URL for the "add another account" entry
 point. Same as [buildSignInUrl](buildSignInUrl.mdx) but appends `?add=1` so the

src/pages/sdk/auth-client/functions/buildSignInUrl.mdx

@@ -15,7 +15,7 @@ export const metadata = {
 function buildSignInUrl(cfg: Required<OcAuthConfig>, returnTo?: string): string;
 ```
 
-Defined in: [types.ts:231](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L231)
+Defined in: [types.ts:240](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L240)
 
 ## Parameters
 

src/pages/sdk/auth-client/functions/clearTabSession.mdx

@@ -0,0 +1,22 @@
+export const metadata = {
+    title: "Function: clearTabSession()",
+    description: "Auto-generated API reference for Function: clearTabSession(). Source: TypeScript types in oc-packages.",
+};
+
+[**@orangecheck/auth-client**](../README.mdx)
+
+***
+
+[@orangecheck/auth-client](../README.mdx) / clearTabSession
+
+# Function: clearTabSession()
+
+```ts
+function clearTabSession(): void;
+```
+
+Defined in: [tab-session.ts:64](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/tab-session.ts#L64)
+
+## Returns
+
+`void`

src/pages/sdk/auth-client/functions/consumeTabAdoptMarker.mdx

@@ -0,0 +1,26 @@
+export const metadata = {
+    title: "Function: consumeTabAdoptMarker()",
+    description: "Auto-generated API reference for Function: consumeTabAdoptMarker(). Source: TypeScript types in oc-packages.",
+};
+
+[**@orangecheck/auth-client**](../README.mdx)
+
+***
+
+[@orangecheck/auth-client](../README.mdx) / consumeTabAdoptMarker
+
+# Function: consumeTabAdoptMarker()
+
+```ts
+function consumeTabAdoptMarker(): boolean;
+```
+
+Defined in: [tab-session.ts:148](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/tab-session.ts#L148)
+
+If the URL carries the [TAB\_ADOPT\_HASH](../variables/TAB_ADOPT_HASH.mdx) marker, clear the pin
+(so the tab adopts the cookie account) and strip the marker from the
+address bar. Returns `true` when adoption happened.
+
+## Returns
+
+`boolean`

src/pages/sdk/auth-client/functions/installTabFetchInterceptor.mdx

@@ -0,0 +1,41 @@
+export const metadata = {
+    title: "Function: installTabFetchInterceptor()",
+    description: "Auto-generated API reference for Function: installTabFetchInterceptor(). Source: TypeScript types in oc-packages.",
+};
+
+[**@orangecheck/auth-client**](../README.mdx)
+
+***
+
+[@orangecheck/auth-client](../README.mdx) / installTabFetchInterceptor
+
+# Function: installTabFetchInterceptor()
+
+```ts
+function installTabFetchInterceptor(authOrigin: string): () => void;
+```
+
+Defined in: [tab-session.ts:108](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/tab-session.ts#L108)
+
+Install a scoped `window.fetch` wrapper that attaches the tab pin to
+every same-site request, so app-level data fetches (vault shares, me
+wallet, fleet projects, …) execute as the account this tab displays —
+without touching any call site. Returns an uninstaller.
+
+Conservative by design:
+  - no pin → pass-through (zero behavior change)
+  - only same-origin + auth-host URLs (see isPinnableUrl)
+  - never overrides an existing `Authorization` or `x-oc-tab-session`
+    header (programmatic Bearer / integrator-token paths keep their
+    own credential semantics)
+  - any internal error → original fetch, untouched
+
+## Parameters
+
+| Parameter | Type |
+| ------ | ------ |
+| `authOrigin` | `string` |
+
+## Returns
+
+() => `void`

src/pages/sdk/auth-client/functions/readTabSession.mdx

@@ -0,0 +1,22 @@
+export const metadata = {
+    title: "Function: readTabSession()",
+    description: "Auto-generated API reference for Function: readTabSession(). Source: TypeScript types in oc-packages.",
+};
+
+[**@orangecheck/auth-client**](../README.mdx)
+
+***
+
+[@orangecheck/auth-client](../README.mdx) / readTabSession
+
+# Function: readTabSession()
+
+```ts
+function readTabSession(): OcTabSession | null;
+```
+
+Defined in: [tab-session.ts:40](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/tab-session.ts#L40)
+
+## Returns
+
+[`OcTabSession`](../interfaces/OcTabSession.mdx) \| `null`

src/pages/sdk/auth-client/functions/tabSessionHeader.mdx

@@ -0,0 +1,24 @@
+export const metadata = {
+    title: "Function: tabSessionHeader()",
+    description: "Auto-generated API reference for Function: tabSessionHeader(). Source: TypeScript types in oc-packages.",
+};
+
+[**@orangecheck/auth-client**](../README.mdx)
+
+***
+
+[@orangecheck/auth-client](../README.mdx) / tabSessionHeader
+
+# Function: tabSessionHeader()
+
+```ts
+function tabSessionHeader(): Record<string, string>;
+```
+
+Defined in: [tab-session.ts:74](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/tab-session.ts#L74)
+
+`{ 'x-oc-tab-session': <jwt> }` when this tab is pinned, else `{}`.
+
+## Returns
+
+`Record`\&lt;`string`, `string`\>

src/pages/sdk/auth-client/functions/useOcSession.mdx

@@ -15,7 +15,7 @@ export const metadata = {
 function useOcSession(): OcSessionState;
 ```
 
-Defined in: [provider.tsx:388](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/provider.tsx#L388)
+Defined in: [provider.tsx:529](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/provider.tsx#L529)
 
 Access the current cross-subdomain oc_session. Must be called inside
 an `<OcSessionProvider>`.

src/pages/sdk/auth-client/functions/useOptionalOcSession.mdx

@@ -15,7 +15,7 @@ export const metadata = {
 function useOptionalOcSession(): OcSessionState | null;
 ```
 
-Defined in: [provider.tsx:403](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/provider.tsx#L403)
+Defined in: [provider.tsx:544](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/provider.tsx#L544)
 
 Non-throwing variant — returns `null` if called outside a provider.
 Useful for libraries that want to read the session *if it exists* but

src/pages/sdk/auth-client/functions/writeTabSession.mdx

@@ -0,0 +1,28 @@
+export const metadata = {
+    title: "Function: writeTabSession()",
+    description: "Auto-generated API reference for Function: writeTabSession(). Source: TypeScript types in oc-packages.",
+};
+
+[**@orangecheck/auth-client**](../README.mdx)
+
+***
+
+[@orangecheck/auth-client](../README.mdx) / writeTabSession
+
+# Function: writeTabSession()
+
+```ts
+function writeTabSession(session: OcTabSession): void;
+```
+
+Defined in: [tab-session.ts:55](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/tab-session.ts#L55)
+
+## Parameters
+
+| Parameter | Type |
+| ------ | ------ |
+| `session` | [`OcTabSession`](../interfaces/OcTabSession.mdx) |
+
+## Returns
+
+`void`

src/pages/sdk/auth-client/interfaces/OcAuthConfig.mdx

@@ -11,13 +11,13 @@ export const metadata = {
 
 # Interface: OcAuthConfig
 
-Defined in: [types.ts:186](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L186)
+Defined in: [types.ts:195](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L195)
 
 ## Properties
 
 | Property | Type | Description | Defined in |
 | ------ | ------ | ------ | ------ |
-| <a id="property-authorigin"></a> `authOrigin?` | `string` | Origin of the auth host — the subdomain that runs the sign-in UI, issues session cookies, and exposes `/api/auth/me` + `/api/auth/logout`. Defaults to `https://ochk.io`. Override in preview/dev. | [types.ts:193](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L193) |
-| <a id="property-logoutpath"></a> `logoutPath?` | `string` | Path on the auth host to hit to clear the session cookie. Defaults to `/api/auth/logout`. Called with `credentials: 'include'` so the `.ochk.io` cookie is sent along. | [types.ts:217](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L217) |
-| <a id="property-mepath"></a> `mePath?` | `string` | Local path (same origin as the current app) that exposes the crypto-verified session. If your app ships one at `/api/auth/me`, leave as default. Returns 200 `{ account }` or 401. | [types.ts:211](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L211) |
-| &lt;a id="property-signinpath">&lt;/a> `signInPath?` | `string` | Path on the auth host that accepts `?return_to=<url>` and drives the sign-in flow. The page offers two paths in-place: - email + OTP (default — federation-custodied wallet provisioned for the user; identity is `did:email:<sha256(email)>`) - BIP-322 wallet sign (paste address → in-page wallet sign; identity is the Bitcoin address itself) Defaults to `/signin`. | [types.ts:205](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L205) |
+| &lt;a id="property-authorigin">&lt;/a> `authOrigin?` | `string` | Origin of the auth host — the subdomain that runs the sign-in UI, issues session cookies, and exposes `/api/auth/me` + `/api/auth/logout`. Defaults to `https://ochk.io`. Override in preview/dev. | [types.ts:202](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L202) |
+| &lt;a id="property-logoutpath">&lt;/a> `logoutPath?` | `string` | Path on the auth host to hit to clear the session cookie. Defaults to `/api/auth/logout`. Called with `credentials: 'include'` so the `.ochk.io` cookie is sent along. | [types.ts:226](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L226) |
+| &lt;a id="property-mepath">&lt;/a> `mePath?` | `string` | Local path (same origin as the current app) that exposes the crypto-verified session. If your app ships one at `/api/auth/me`, leave as default. Returns 200 `{ account }` or 401. | [types.ts:220](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L220) |
+| &lt;a id="property-signinpath">&lt;/a> `signInPath?` | `string` | Path on the auth host that accepts `?return_to=<url>` and drives the sign-in flow. The page offers two paths in-place: - email + OTP (default — federation-custodied wallet provisioned for the user; identity is `did:email:<sha256(email)>`) - BIP-322 wallet sign (paste address → in-page wallet sign; identity is the Bitcoin address itself) Defaults to `/signin`. | [types.ts:214](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L214) |

src/pages/sdk/auth-client/interfaces/OcSessionState.mdx

@@ -18,12 +18,13 @@ Defined in: [types.ts:137](https://github.com/orangecheck/oc-packages/blob/main/
 | Property | Type | Description | Defined in |
 | ------ | ------ | ------ | ------ |
 | <a id="property-account"></a> `account` | [`OcAccount`](OcAccount.mdx) \| `null` | - | [types.ts:139](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L139) |
-| <a id="property-addaccounturl"></a> `addAccountUrl` | (`returnTo?`: `string`) => `string` | Multi-account · open the sign-in flow in "add" mode — the new account joins the current browser's roster instead of replacing it. Returns the URL to navigate to (so callers can mount it in a popup or hard-navigate as they prefer); pass `returnTo` to route back to a specific page after the add completes. | [types.ts:172](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L172) |
-| <a id="property-error"></a> `error` | `Error` \| `null` | `null` while loading; an `Error` instance when `status === 'error'`. | [types.ts:148](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L148) |
-| <a id="property-refresh"></a> `refresh` | () => `Promise`\<`void`\> | Re-fetch the session. Useful after sign-in/sign-out happens elsewhere. | [types.ts:150](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L150) |
+| <a id="property-addaccounturl"></a> `addAccountUrl` | (`returnTo?`: `string`) => `string` | Multi-account · open the sign-in flow in "add" mode — the new account joins the current browser's roster instead of replacing it. Returns the URL to navigate to (so callers can mount it in a popup or hard-navigate as they prefer); pass `returnTo` to route back to a specific page after the add completes. | [types.ts:181](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L181) |
+| <a id="property-error"></a> `error` | `Error` \| `null` | `null` while loading; an `Error` instance when `status === 'error'`. | [types.ts:157](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L157) |
+| <a id="property-refresh"></a> `refresh` | () => `Promise`\<`void`\> | Re-fetch the session. Useful after sign-in/sign-out happens elsewhere. | [types.ts:159](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L159) |
 | <a id="property-roster"></a> `roster` | [`OcAccountSummary`](OcAccountSummary.mdx)[] | Multi-account · other accounts the user has signed into in this browser. `[]` for single-account sessions and for tokens minted before multi-account shipped. The active account (`account` above) is NOT included — these are the *switch targets*. | [types.ts:146](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L146) |
-| <a id="property-setdisplayidentity"></a> `setDisplayIdentity` | (`kind`: `"email"` \| `"btc"` \| `"did"` \| `"nostr"`) => `Promise`\<`void`\> | Promote a linked identity to be the account-badge label across every `.ochk.io` site. PATCHes the auth host, which re-mints the session cookie with the new `display_identity` claim, then `refresh()`es this session. Rejects if the chosen kind is not a verified identity on the account (`btc` / `email` / `nostr` must actually be linked; `did` is always valid). | [types.ts:181](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L181) |
-| <a id="property-signinurl"></a> `signInUrl` | `string` | URL to navigate to for sign-in on the auth host. | [types.ts:183](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L183) |
-| <a id="property-signout"></a> `signOut` | (`opts?`: \{ `scope?`: [`OcSignOutScope`](../type-aliases/OcSignOutScope.mdx); \}) => `Promise`\<`void`\> | Trigger a sign-out. By default signs out of EVERY account in the roster (back-compat); pass `{ scope: 'current' }` to sign out of just the active account and stay logged into the next peer. | [types.ts:156](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L156) |
+| <a id="property-setdisplayidentity"></a> `setDisplayIdentity` | (`kind`: `"email"` \| `"btc"` \| `"did"` \| `"nostr"`) => `Promise`\<`void`\> | Promote a linked identity to be the account-badge label across every `.ochk.io` site. PATCHes the auth host, which re-mints the session cookie with the new `display_identity` claim, then `refresh()`es this session. Rejects if the chosen kind is not a verified identity on the account (`btc` / `email` / `nostr` must actually be linked; `did` is always valid). | [types.ts:190](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L190) |
+| <a id="property-signinurl"></a> `signInUrl` | `string` | URL to navigate to for sign-in on the auth host. | [types.ts:192](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L192) |
+| <a id="property-signout"></a> `signOut` | (`opts?`: \{ `scope?`: [`OcSignOutScope`](../type-aliases/OcSignOutScope.mdx); \}) => `Promise`\<`void`\> | Trigger a sign-out. By default signs out of EVERY account in the roster (back-compat); pass `{ scope: 'current' }` to sign out of just the active account and stay logged into the next peer. | [types.ts:165](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L165) |
 | <a id="property-status"></a> `status` | [`OcSessionStatus`](../type-aliases/OcSessionStatus.mdx) | - | [types.ts:138](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L138) |
-| <a id="property-switchaccount"></a> `switchAccount` | (`didOc`: `string`) => `Promise`\<`void`\> | Multi-account · flip the active session to a different account in the roster. Resolves once the new cookie has been set and the session has been re-fetched. Throws if the target `did_oc` isn't in the current roster (the user must add it via addAccount first) or if the auth host is unreachable. | [types.ts:164](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L164) |
+| <a id="property-switchaccount"></a> `switchAccount` | (`didOc`: `string`) => `Promise`\<`void`\> | Multi-account · flip the active session to a different account in the roster. Resolves once the new cookie has been set and the session has been re-fetched. Throws if the target `did_oc` isn't in the current roster (the user must add it via addAccount first) or if the auth host is unreachable. | [types.ts:173](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L173) |
+| <a id="property-tabpinned"></a> `tabPinned` | `boolean` | Per-tab pinning · `true` when this tab holds its own session token (sessionStorage) and operates as `account` independently of the shared `.ochk.io` cookie — i.e. switching accounts in another tab will NOT change this tab's identity. `false` on hosts that predate `/api/auth/tab`, in privacy modes without sessionStorage, and while anonymous. | [types.ts:155](https://github.com/orangecheck/oc-packages/blob/main/auth-client/src/types.ts#L155) |