@ab-org/sdk-core 0.1.0 → 0.1.2-beta.0

package/dist/chunk-5HURLKIK.js

@@ -0,0 +1,1005 @@
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), member.set(obj, value), value);
+var __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "access private method"), method);
+
+// src/providers/social/cubistRuntime.ts
+var DEFAULT_EXPIRATION_BUFFER_SECS = 30;
+var DEFAULT_RETRY_ATTEMPTS = 3;
+var DEV_STACK_NAME = "Dev-CubeSignerStack";
+var EVM_KEY_TYPE = "SecpEthAddr";
+var EMPTY_ORG_EVENTS_TOPIC_ARN = "";
+var CUBESIGNER_TOKEN_PREFIX = "3d6fd7397:";
+var envs = {
+  prod: {
+    SignerApiRoot: "https://prod.signer.cubist.dev",
+    OrgEventsTopicArn: EMPTY_ORG_EVENTS_TOPIC_ARN
+  },
+  gamma: {
+    SignerApiRoot: "https://gamma.signer.cubist.dev",
+    OrgEventsTopicArn: EMPTY_ORG_EVENTS_TOPIC_ARN
+  },
+  beta: {
+    SignerApiRoot: "https://beta.signer.cubist.dev",
+    OrgEventsTopicArn: EMPTY_ORG_EVENTS_TOPIC_ARN
+  }
+};
+function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function normalizeBaseUrl(baseUrl) {
+  return baseUrl.replace(/\/+$/, "");
+}
+function base64Decode(value) {
+  if (typeof globalThis.atob === "function") {
+    return globalThis.atob(value);
+  }
+  const maybeBuffer = globalThis.Buffer;
+  if (maybeBuffer) {
+    return maybeBuffer.from(value, "base64").toString("utf8");
+  }
+  throw new Error("No base64 decoder available in this runtime");
+}
+function base64UrlEncode(bytes) {
+  let encoded;
+  if (typeof globalThis.btoa === "function") {
+    let binary = "";
+    for (const byte of bytes) {
+      binary += String.fromCharCode(byte);
+    }
+    encoded = globalThis.btoa(binary);
+  } else {
+    const maybeBuffer = globalThis.Buffer;
+    if (!maybeBuffer) {
+      throw new Error("No base64 encoder available in this runtime");
+    }
+    encoded = maybeBuffer.from(bytes).toString("base64");
+  }
+  return encoded.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function isAcceptedResponse(value) {
+  return typeof value === "object" && value !== null && "accepted" in value;
+}
+function isManyMfaReceipts(value) {
+  if (!value || typeof value !== "object") return false;
+  return "orgId" in value && "receipts" in value;
+}
+function getMfaHeaders(mfaReceipt) {
+  if (!mfaReceipt) return void 0;
+  const normalized = isManyMfaReceipts(mfaReceipt) ? mfaReceipt : {
+    orgId: mfaReceipt.mfaOrgId,
+    receipts: [
+      {
+        id: mfaReceipt.mfaId,
+        confirmation: mfaReceipt.mfaConf
+      }
+    ]
+  };
+  if (normalized.receipts.length === 0) return void 0;
+  const payload = new TextEncoder().encode(JSON.stringify(normalized.receipts));
+  return {
+    "x-cubist-mfa-org-id": normalized.orgId,
+    "x-cubist-mfa-receipts": base64UrlEncode(payload)
+  };
+}
+function isStale(session) {
+  return session.session_info.auth_token_exp < Date.now() / 1e3 + DEFAULT_EXPIRATION_BUFFER_SECS;
+}
+function parseSessionLike(session) {
+  if (typeof session !== "string") {
+    return session;
+  }
+  const trimmed = session.trim();
+  if (trimmed.startsWith("{")) {
+    return JSON.parse(trimmed);
+  }
+  return JSON.parse(base64Decode(trimmed));
+}
+function getSessionMetadata(session) {
+  return {
+    env: session.env,
+    org_id: session.org_id,
+    role_id: session.role_id,
+    purpose: session.purpose,
+    session_exp: session.session_exp,
+    session_id: session.session_info.session_id,
+    epoch: session.session_info.epoch
+  };
+}
+function getPrimarySessionEnv(session) {
+  return session.env[DEV_STACK_NAME] ?? Object.values(session.env)[0];
+}
+function readSessionInfoRefreshToken(session) {
+  const token = session.session_info.refresh_token;
+  return typeof token === "string" && token.trim() ? token.trim() : void 0;
+}
+function decodeSerializedRefreshToken(session) {
+  const serialized = session.refresh_token?.trim();
+  if (!serialized) {
+    return void 0;
+  }
+  if (!serialized.startsWith(CUBESIGNER_TOKEN_PREFIX)) {
+    return serialized;
+  }
+  const parts = serialized.slice(CUBESIGNER_TOKEN_PREFIX.length).split(".");
+  if (parts.length !== 3 || parts.some((part) => part.length === 0)) {
+    throw new Error("CubeSigner refresh token has an unexpected format");
+  }
+  const [encodedSessionId, encodedAuthData, rawRefreshToken] = parts;
+  const sessionId = base64Decode(encodedSessionId);
+  if (sessionId !== session.session_info.session_id) {
+    throw new Error("CubeSigner refresh token does not match the active session");
+  }
+  let authData;
+  try {
+    authData = JSON.parse(base64Decode(encodedAuthData));
+  } catch {
+    throw new Error("CubeSigner refresh token auth payload is invalid");
+  }
+  if (authData.epoch_num !== session.session_info.epoch || authData.epoch_token !== session.session_info.epoch_token) {
+    throw new Error("CubeSigner refresh token is out of sync with the active session");
+  }
+  return rawRefreshToken;
+}
+function resolveRefreshOtherToken(session) {
+  const nestedToken = readSessionInfoRefreshToken(session);
+  if (nestedToken) {
+    return nestedToken;
+  }
+  const fallbackToken = decodeSerializedRefreshToken(session);
+  if (fallbackToken) {
+    return fallbackToken;
+  }
+  throw new Error("CubeSigner session is missing refresh token data");
+}
+function assertSessionManager(session) {
+  if (!session || typeof session !== "object" || typeof session.metadata !== "function" || typeof session.token !== "function") {
+    throw new Error("Invalid CubeSigner session input");
+  }
+}
+var NetworkError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "NetworkError";
+  }
+};
+var HttpError = class extends Error {
+  constructor(status, message, body) {
+    super(message);
+    this.name = "HttpError";
+    this.status = status;
+    this.body = body;
+  }
+};
+async function requestJson(baseUrl, pathname, init) {
+  let lastError = null;
+  for (let attempt = 0; attempt < DEFAULT_RETRY_ATTEMPTS; attempt += 1) {
+    const response = await fetch(`${normalizeBaseUrl(baseUrl)}${pathname}`, init);
+    if (response.status >= 500 && response.status < 600 && attempt < DEFAULT_RETRY_ATTEMPTS - 1) {
+      await delay(200 * (attempt + 1));
+      continue;
+    }
+    if (!response.ok) {
+      const detail = await response.text().catch(() => "");
+      lastError = new HttpError(
+        response.status,
+        `${init.method ?? "GET"} ${pathname} failed (${response.status}): ${detail || response.statusText}`,
+        detail || void 0
+      );
+      break;
+    }
+    if (response.status === 204) {
+      return void 0;
+    }
+    const rawText = await response.text();
+    if (!rawText) {
+      return void 0;
+    }
+    return JSON.parse(rawText);
+  }
+  if (!lastError) throw new NetworkError(`${init.method ?? "GET"} ${pathname} failed`);
+  throw lastError;
+}
+var _data, _refreshing;
+var MemorySessionManager = class {
+  constructor(data) {
+    __privateAdd(this, _data);
+    __privateAdd(this, _refreshing);
+    __privateSet(this, _data, data);
+  }
+  async retrieve() {
+    return __privateGet(this, _data);
+  }
+  async store(data) {
+    __privateSet(this, _data, data);
+  }
+  async metadata() {
+    return getSessionMetadata(__privateGet(this, _data));
+  }
+  async token() {
+    if (!isStale(__privateGet(this, _data))) {
+      return __privateGet(this, _data).token;
+    }
+    __privateGet(this, _refreshing) ?? __privateSet(this, _refreshing, refreshSession(__privateGet(this, _data)).then(async (refreshed2) => {
+      await this.store(refreshed2);
+      return refreshed2;
+    }).catch((error) => {
+      if (error instanceof Error && /\(401\)|\(403\)/.test(error.message) && typeof this.onInvalidToken === "function") {
+        this.onInvalidToken();
+      }
+      throw error;
+    }).finally(() => {
+      __privateSet(this, _refreshing, void 0);
+    }));
+    const refreshed = await __privateGet(this, _refreshing);
+    return refreshed.token;
+  }
+};
+_data = new WeakMap();
+_refreshing = new WeakMap();
+async function refreshSession(session1) {
+  const secretB64Token = btoa(JSON.stringify(session1)).replace(/\s/g, "");
+  const session = JSON.parse(atob(secretB64Token));
+  const env = getPrimarySessionEnv(session);
+  const payload = {
+    epoch_num: session.session_info.epoch,
+    epoch_token: session.session_info.epoch_token,
+    other_token: resolveRefreshOtherToken(session)
+  };
+  const refreshed = await requestJson(env.SignerApiRoot, `/v1/org/${encodeURIComponent(session.org_id)}/token/refresh`, {
+    method: "PATCH",
+    headers: {
+      Authorization: session.token,
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify(payload)
+  });
+  return {
+    ...session,
+    ...refreshed,
+    org_id: session.org_id
+  };
+}
+var _sessionManager, _sessionMeta, _targetOrgId, _CubistApiClient_instances, request_fn;
+var _CubistApiClient = class _CubistApiClient {
+  constructor(sessionManager, sessionMeta, targetOrgId) {
+    __privateAdd(this, _CubistApiClient_instances);
+    __privateAdd(this, _sessionManager);
+    __privateAdd(this, _sessionMeta);
+    __privateAdd(this, _targetOrgId);
+    __privateSet(this, _sessionManager, sessionManager);
+    __privateSet(this, _sessionMeta, sessionMeta);
+    __privateSet(this, _targetOrgId, targetOrgId ?? sessionMeta.org_id);
+  }
+  get env() {
+    return __privateGet(this, _sessionMeta).env[DEV_STACK_NAME] ?? Object.values(__privateGet(this, _sessionMeta).env)[0];
+  }
+  get orgId() {
+    return __privateGet(this, _targetOrgId);
+  }
+  get sessionMeta() {
+    return __privateGet(this, _sessionMeta);
+  }
+  withOrg(orgId) {
+    return new _CubistApiClient(__privateGet(this, _sessionManager), __privateGet(this, _sessionMeta), orgId);
+  }
+  async sessionKeysList() {
+    const data = await __privateMethod(this, _CubistApiClient_instances, request_fn).call(this, "/v0/org/{org_id}/token/keys", {
+      method: "GET"
+    });
+    return data.keys;
+  }
+  async keyGetByMaterialId(keyType, materialId) {
+    return __privateMethod(this, _CubistApiClient_instances, request_fn).call(this, `/v0/org/{org_id}/keys/${encodeURIComponent(keyType)}/${encodeURIComponent(materialId)}`, {
+      method: "GET"
+    });
+  }
+  async sessionRevoke(sessionId) {
+    await __privateMethod(this, _CubistApiClient_instances, request_fn).call(this, `/v0/org/{org_id}/session/${encodeURIComponent(sessionId ?? "self")}`, {
+      method: "DELETE"
+    });
+  }
+  async mfaGet(mfaId) {
+    return __privateMethod(this, _CubistApiClient_instances, request_fn).call(this, `/v0/org/{org_id}/mfa/${encodeURIComponent(mfaId)}`, {
+      method: "GET"
+    });
+  }
+  async mfaVoteCs(mfaId, mfaVote) {
+    return __privateMethod(this, _CubistApiClient_instances, request_fn).call(this, `/v0/org/{org_id}/mfa/${encodeURIComponent(mfaId)}?mfa_vote=${encodeURIComponent(mfaVote)}`, {
+      method: "PATCH"
+    });
+  }
+  async signEvm(key, req, mfaReceipt) {
+    const pubkey = typeof key === "string" ? key : key.materialId;
+    const requestFn = async (headers) => __privateMethod(this, _CubistApiClient_instances, request_fn).call(this, `/v1/org/{org_id}/eth1/sign/${encodeURIComponent(pubkey)}`, {
+      method: "POST",
+      body: req,
+      headers
+    });
+    return CubeSignerResponse.create(this.env, requestFn, mfaReceipt);
+  }
+  async signEip191(key, req, mfaReceipt) {
+    const pubkey = typeof key === "string" ? key : key.materialId;
+    const requestFn = async (headers) => __privateMethod(this, _CubistApiClient_instances, request_fn).call(this, `/v0/org/{org_id}/evm/eip191/sign/${encodeURIComponent(pubkey)}`, {
+      method: "POST",
+      body: req,
+      headers
+    });
+    return CubeSignerResponse.create(this.env, requestFn, mfaReceipt);
+  }
+  async signEip712(key, req, mfaReceipt) {
+    const pubkey = typeof key === "string" ? key : key.materialId;
+    const requestFn = async (headers) => __privateMethod(this, _CubistApiClient_instances, request_fn).call(this, `/v0/org/{org_id}/evm/eip712/sign/${encodeURIComponent(pubkey)}`, {
+      method: "POST",
+      body: req,
+      headers
+    });
+    return CubeSignerResponse.create(this.env, requestFn, mfaReceipt);
+  }
+};
+_sessionManager = new WeakMap();
+_sessionMeta = new WeakMap();
+_targetOrgId = new WeakMap();
+_CubistApiClient_instances = new WeakSet();
+request_fn = async function(pathTemplate, options) {
+  let token;
+  try {
+    token = await __privateGet(this, _sessionManager).token();
+  } catch (error) {
+    if (error instanceof Error && /\(401\)|\(403\)/.test(error.message) && typeof __privateGet(this, _sessionManager).onInvalidToken === "function") {
+      __privateGet(this, _sessionManager).onInvalidToken();
+    }
+    throw error;
+  }
+  const headers = new Headers(options.headers);
+  headers.set("Authorization", token);
+  if (options.body !== void 0) {
+    headers.set("Content-Type", "application/json");
+  }
+  try {
+    return await requestJson(
+      this.env.SignerApiRoot,
+      pathTemplate.replace("{org_id}", encodeURIComponent(__privateGet(this, _targetOrgId))),
+      {
+        method: options.method,
+        headers,
+        body: options.body === void 0 ? void 0 : JSON.stringify(options.body)
+      }
+    );
+  } catch (error) {
+    if (error instanceof Error && /\(401\)|\(403\)/.test(error.message) && typeof __privateGet(this, _sessionManager).onInvalidToken === "function") {
+      __privateGet(this, _sessionManager).onInvalidToken();
+    }
+    throw error;
+  }
+};
+var CubistApiClient = _CubistApiClient;
+var _apiClient;
+var Key = class {
+  constructor(client, data) {
+    __privateAdd(this, _apiClient);
+    __privateSet(this, _apiClient, client instanceof CubeSignerClient ? client.apiClient : client);
+    this.id = data.key_id;
+    this.materialId = data.material_id;
+    this.publicKey = data.public_key;
+    this.cached = data;
+  }
+  async signEvm(req, mfaReceipt) {
+    return __privateGet(this, _apiClient).signEvm(this, req, mfaReceipt);
+  }
+  async signEip191(req, mfaReceipt) {
+    return __privateGet(this, _apiClient).signEip191(this, req, mfaReceipt);
+  }
+  async signEip712(req, mfaReceipt) {
+    return __privateGet(this, _apiClient).signEip712(this, req, mfaReceipt);
+  }
+};
+_apiClient = new WeakMap();
+var _apiClient2, _id, _data2;
+var _MfaRequest = class _MfaRequest {
+  constructor(apiClient, data) {
+    __privateAdd(this, _apiClient2);
+    __privateAdd(this, _id);
+    __privateAdd(this, _data2);
+    __privateSet(this, _apiClient2, apiClient);
+    if (typeof data === "string") {
+      __privateSet(this, _id, data);
+      return;
+    }
+    __privateSet(this, _id, data.id);
+    __privateSet(this, _data2, data);
+  }
+  get id() {
+    return __privateGet(this, _id);
+  }
+  async fetch() {
+    __privateSet(this, _data2, await __privateGet(this, _apiClient2).mfaGet(__privateGet(this, _id)));
+    return __privateGet(this, _data2);
+  }
+  async receipt() {
+    const data = __privateGet(this, _data2) ?? await this.fetch();
+    const confirmation = data.receipt?.confirmation;
+    if (!confirmation) return void 0;
+    return {
+      mfaId: __privateGet(this, _id),
+      mfaOrgId: __privateGet(this, _apiClient2).orgId,
+      mfaConf: confirmation
+    };
+  }
+  async approve() {
+    const data = await __privateGet(this, _apiClient2).mfaVoteCs(__privateGet(this, _id), "approve");
+    return new _MfaRequest(__privateGet(this, _apiClient2), data);
+  }
+};
+_apiClient2 = new WeakMap();
+_id = new WeakMap();
+_data2 = new WeakMap();
+var MfaRequest = _MfaRequest;
+var _apiClient3;
+var OrgClient = class {
+  constructor(apiClient) {
+    __privateAdd(this, _apiClient3);
+    __privateSet(this, _apiClient3, apiClient);
+  }
+  get id() {
+    return __privateGet(this, _apiClient3).orgId;
+  }
+  getMfaRequest(mfaId) {
+    return new MfaRequest(__privateGet(this, _apiClient3), mfaId);
+  }
+};
+_apiClient3 = new WeakMap();
+var _env, _requestFn, _resp, _mfaRequired;
+var _CubeSignerResponse = class _CubeSignerResponse {
+  constructor(env, requestFn, resp) {
+    __privateAdd(this, _env);
+    __privateAdd(this, _requestFn);
+    __privateAdd(this, _resp);
+    __privateAdd(this, _mfaRequired);
+    __privateSet(this, _env, env);
+    __privateSet(this, _requestFn, requestFn);
+    __privateSet(this, _resp, resp);
+    __privateSet(this, _mfaRequired, isAcceptedResponse(resp) ? resp.accepted?.MfaRequired : void 0);
+  }
+  static async create(env, requestFn, mfaReceipt) {
+    const seed = await requestFn(getMfaHeaders(mfaReceipt));
+    return new _CubeSignerResponse(env, requestFn, seed);
+  }
+  mfaId() {
+    return __privateGet(this, _mfaRequired)?.id ?? __privateGet(this, _mfaRequired)?.ids?.[0];
+  }
+  mfaIds() {
+    if (!__privateGet(this, _mfaRequired)) return [];
+    if (__privateGet(this, _mfaRequired).ids?.length) return __privateGet(this, _mfaRequired).ids;
+    return __privateGet(this, _mfaRequired).id ? [__privateGet(this, _mfaRequired).id] : [];
+  }
+  requiresMfa() {
+    return __privateGet(this, _mfaRequired) !== void 0;
+  }
+  async mfaClient() {
+    const session = __privateGet(this, _mfaRequired)?.session;
+    if (!session) return void 0;
+    return CubeSignerClient.create({
+      env: {
+        [DEV_STACK_NAME]: __privateGet(this, _env)
+      },
+      org_id: __privateGet(this, _mfaRequired)?.org_id ?? "",
+      token: session.token,
+      refresh_token: session.refresh_token,
+      session_exp: session.expiration,
+      session_info: session.session_info
+    });
+  }
+  data() {
+    if (this.requiresMfa()) {
+      throw new Error("Cannot call `data()` while MFA is required");
+    }
+    return __privateGet(this, _resp);
+  }
+  async approve(client) {
+    const mfaId = this.mfaId();
+    if (!mfaId || !__privateGet(this, _mfaRequired)) return this;
+    const approval = await client.apiClient.mfaVoteCs(mfaId, "approve");
+    const confirmation = approval.receipt?.confirmation;
+    if (!confirmation) return this;
+    return this.execWithMfaApproval({
+      mfaId,
+      mfaOrgId: __privateGet(this, _mfaRequired).org_id,
+      mfaConf: confirmation
+    });
+  }
+  async execWithMfaApproval(mfaReceipt) {
+    return new _CubeSignerResponse(
+      __privateGet(this, _env),
+      __privateGet(this, _requestFn),
+      await __privateGet(this, _requestFn).call(this, getMfaHeaders(mfaReceipt))
+    );
+  }
+};
+_env = new WeakMap();
+_requestFn = new WeakMap();
+_resp = new WeakMap();
+_mfaRequired = new WeakMap();
+var CubeSignerResponse = _CubeSignerResponse;
+var _apiClient4;
+var _CubeSignerClient = class _CubeSignerClient {
+  constructor(apiClient) {
+    __privateAdd(this, _apiClient4);
+    __privateSet(this, _apiClient4, apiClient);
+  }
+  get apiClient() {
+    return __privateGet(this, _apiClient4);
+  }
+  get env() {
+    return __privateGet(this, _apiClient4).env;
+  }
+  get orgId() {
+    return __privateGet(this, _apiClient4).orgId;
+  }
+  static async create(session, targetOrgId) {
+    const created = typeof session === "string" || isSessionData(session) ? new MemorySessionManager(parseSessionLike(session)) : session;
+    if (typeof session === "object" && session !== null && session.onInvalidToken && created instanceof MemorySessionManager) {
+      created.onInvalidToken = session.onInvalidToken;
+    }
+    assertSessionManager(created);
+    const metadata = await created.metadata();
+    return new _CubeSignerClient(new CubistApiClient(created, metadata, targetOrgId));
+  }
+  static async createOidcSession(env, orgId, token, scopes, lifetimes, mfaReceipt, purpose) {
+    const requestFn = async (headers) => {
+      const response = await requestJson(
+        env.SignerApiRoot,
+        `/v0/org/${encodeURIComponent(orgId)}/oidc`,
+        {
+          method: "POST",
+          headers: {
+            Authorization: token,
+            "Content-Type": "application/json",
+            ...headers ?? {}
+          },
+          body: JSON.stringify({
+            scopes,
+            purpose,
+            tokens: lifetimes ? {
+              auth_lifetime: lifetimes.auth,
+              refresh_lifetime: lifetimes.refresh,
+              session_lifetime: lifetimes.session,
+              grace_lifetime: lifetimes.grace
+            } : void 0
+          })
+        }
+      );
+      if (isAcceptedResponse(response)) {
+        return response;
+      }
+      return {
+        env: {
+          [DEV_STACK_NAME]: env
+        },
+        org_id: orgId,
+        token: response.token,
+        refresh_token: response.refresh_token,
+        session_exp: response.expiration,
+        purpose: "sign in via oidc",
+        session_info: response.session_info
+      };
+    };
+    return CubeSignerResponse.create(env, requestFn, mfaReceipt);
+  }
+  static async proveOidcIdentity(env, orgId, token) {
+    return requestJson(
+      env.SignerApiRoot,
+      `/v0/org/${encodeURIComponent(orgId)}/identity/prove/oidc`,
+      {
+        method: "POST",
+        headers: {
+          Authorization: token
+        }
+      }
+    );
+  }
+  org() {
+    return new OrgClient(__privateGet(this, _apiClient4));
+  }
+  getOrg(orgId) {
+    return new OrgClient(__privateGet(this, _apiClient4).withOrg(orgId));
+  }
+  async sessionKeys() {
+    const keys = await __privateGet(this, _apiClient4).sessionKeysList();
+    return keys.map((keyInfo) => new Key(this, keyInfo));
+  }
+  async getKeyByMaterialId(keyType, materialId) {
+    const keyInfo = await __privateGet(this, _apiClient4).keyGetByMaterialId(keyType, materialId);
+    return new Key(this, keyInfo);
+  }
+  async revokeSession() {
+    await __privateGet(this, _apiClient4).sessionRevoke();
+  }
+};
+_apiClient4 = new WeakMap();
+var CubeSignerClient = _CubeSignerClient;
+function isSessionData(value) {
+  return typeof value === "object" && value !== null && "token" in value && "refresh_token" in value;
+}
+var _address, _key, _client, _options;
+var EvmSigner = class {
+  constructor(address, client, options) {
+    __privateAdd(this, _address);
+    __privateAdd(this, _key);
+    __privateAdd(this, _client);
+    __privateAdd(this, _options);
+    if (typeof address === "string") {
+      __privateSet(this, _address, address);
+    } else {
+      __privateSet(this, _address, address.materialId);
+      __privateSet(this, _key, address);
+    }
+    __privateSet(this, _client, client);
+    __privateSet(this, _options, {
+      onMfaPoll: options?.onMfaPoll,
+      mfaPollIntervalMs: options?.mfaPollIntervalMs ?? 1e3
+    });
+  }
+  async signTransaction(req) {
+    const res = await this.signEvm(req);
+    return (await this.handleMfa(res)).rlp_signed_tx;
+  }
+  async signEvm(req) {
+    const key = await this.key();
+    return key.signEvm(req);
+  }
+  async signEip712(req) {
+    const key = await this.key();
+    return (await this.handleMfa(await key.signEip712(req))).signature;
+  }
+  async signEip191(req) {
+    const key = await this.key();
+    return (await this.handleMfa(await key.signEip191(req))).signature;
+  }
+  async key() {
+    if (!__privateGet(this, _key)) {
+      __privateSet(this, _key, await __privateGet(this, _client).getKeyByMaterialId(EVM_KEY_TYPE, __privateGet(this, _address).toLowerCase()));
+    }
+    return __privateGet(this, _key);
+  }
+  async handleMfa(res) {
+    let pending = res;
+    let mfaId = pending.mfaId();
+    while (mfaId) {
+      await delay(__privateGet(this, _options).mfaPollIntervalMs ?? 1e3);
+      const mfaInfo = await __privateGet(this, _client).org().getMfaRequest(mfaId).fetch();
+      __privateGet(this, _options).onMfaPoll?.(mfaInfo);
+      const confirmation = mfaInfo.receipt?.confirmation;
+      if (confirmation) {
+        pending = await pending.execWithMfaApproval({
+          mfaId,
+          mfaOrgId: __privateGet(this, _client).orgId,
+          mfaConf: confirmation
+        });
+      }
+      mfaId = pending.mfaId();
+    }
+    return pending.data();
+  }
+};
+_address = new WeakMap();
+_key = new WeakMap();
+_client = new WeakMap();
+_options = new WeakMap();
+
+// src/providers/social/cubeSignerAuth.ts
+function resolveEnv(env) {
+  return typeof env === "string" ? envs[env] : env;
+}
+var CubeSignerAuth = class {
+  constructor(config) {
+    this._client = null;
+    this._sessionData = null;
+    this.env = resolveEnv(config.env);
+    this.orgId = config.orgId;
+    this.scopes = config.scopes ?? ["sign:*", "manage:*"];
+    this.defaultSessionPolicy = config.defaultSessionPolicy;
+    this.oidcLoginHooks = config.oidcLoginHooks;
+  }
+  /** Currently authenticated client (null if not logged in). */
+  get client() {
+    return this._client;
+  }
+  get currentSession() {
+    if (!this._client || !this._sessionData) return null;
+    return {
+      client: this._client,
+      sessionData: this._sessionData
+    };
+  }
+  /* ── Google ───────────────────────────────── */
+  /**
+   * Login with a Google ID token (JWT).
+   * The token is used directly as the OIDC credential.
+   */
+  async loginWithGoogle(idToken) {
+    return this.loginWithOidcToken(idToken);
+  }
+  /**
+   * Login with a generic OIDC ID token.
+   * Useful when the caller already finished the upstream provider flow.
+   */
+  async loginWithOidcToken(idToken) {
+    return this.authenticateWithOidcToken(idToken);
+  }
+  /* ── Twitter / X ──────────────────────────── */
+  /**
+   * Login with a Twitter OAuth 2.0 authorization code.
+   *
+   * 1. Exchange the code for an OIDC `id_token` via CubeSigner's
+   *    `/v0/org/{org_id}/oauth2/twitter` endpoint.
+   * 2. Create a CubeSigner session with that token.
+   */
+  async loginWithTwitter(params) {
+    const idToken = await this.exchangeTwitterCode(params);
+    return this.loginWithOidcToken(idToken);
+  }
+  /* ── Sign-out ─────────────────────────────── */
+  async signOut() {
+    if (this._client) {
+      try {
+        await this._client.revokeSession();
+      } catch {
+      }
+      this._client = null;
+      this._sessionData = null;
+    }
+  }
+  /* ── Session restore ────────────────────── */
+  /**
+   * Restore a CubeSigner session from previously persisted SessionData.
+   * Useful for reconnecting after page reload without re-authentication.
+   */
+  async restoreSession(sessionData) {
+    if (this._client) {
+      await this.signOut();
+    }
+    const client = await CubeSignerClient.create(sessionData);
+    this._client = client;
+    this._sessionData = sessionData;
+    return { client, sessionData };
+  }
+  /* ── Private ──────────────────────────────── */
+  async authenticateWithOidcToken(oidcToken) {
+    if (this._client) {
+      await this.signOut();
+    }
+    const hooks = this.oidcLoginHooks;
+    if (hooks) {
+      const proof = await CubeSignerClient.proveOidcIdentity(
+        this.env,
+        this.orgId,
+        oidcToken
+      );
+      if (!proof.user_info?.initialized) {
+        await hooks.registerUser(oidcToken);
+      }
+    }
+    return this.createOidcSession(oidcToken);
+  }
+  /**
+   * Exchange a Twitter authorization code for an OIDC id_token
+   * via CubeSigner's dedicated endpoint.
+   *
+   * `POST {SignerApiRoot}/v0/org/{org_id}/oauth2/twitter`
+   */
+  async exchangeTwitterCode(params) {
+    const url = `${this.env.SignerApiRoot}/v0/org/${this.orgId}/oauth2/twitter`;
+    const res = await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        code: params.code,
+        code_verifier: params.codeVerifier,
+        redirect_uri: params.redirectUri
+      })
+    });
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      throw new Error(
+        `Twitter code exchange failed (${res.status}): ${text}`
+      );
+    }
+    const data = await res.json();
+    if (!data.id_token) {
+      throw new Error("CubeSigner twitter exchange did not return id_token");
+    }
+    return data.id_token;
+  }
+  /**
+   * Create a CubeSigner OIDC session from a generic OIDC id_token.
+   */
+  async createOidcSession(oidcToken) {
+    const resp = await CubeSignerClient.createOidcSession(
+      this.env,
+      this.orgId,
+      oidcToken,
+      this.scopes
+    );
+    const sessionData = resp.data();
+    const client = await CubeSignerClient.create(sessionData);
+    this._client = client;
+    this._sessionData = sessionData;
+    return { client, sessionData };
+  }
+};
+
+// src/providers/social/cubistEvmWalletProvider.ts
+var evmChainIdMap = {
+  ETH: 1,
+  BSC: 56,
+  ETH_TENDERLY: 3030,
+  BSC_TENDERLY: 3131
+};
+var isRecord = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
+var toBigIntQuantity = (value) => {
+  if (typeof value === "bigint") return value;
+  if (typeof value === "number") {
+    if (!Number.isInteger(value) || value < 0) {
+      throw new Error(`Invalid EVM quantity number: ${value}`);
+    }
+    return BigInt(value);
+  }
+  const trimmed = value.trim();
+  if (!trimmed) {
+    throw new Error("EVM quantity cannot be empty");
+  }
+  if (/^0x[0-9a-fA-F]+$/.test(trimmed) || /^\d+$/.test(trimmed)) {
+    return BigInt(trimmed);
+  }
+  throw new Error(`Invalid EVM quantity string: ${value}`);
+};
+var toHexQuantity = (value) => {
+  if (value === void 0) return void 0;
+  return `0x${toBigIntQuantity(value).toString(16)}`;
+};
+var normalizeAccessList = (accessList) => {
+  if (!accessList) return void 0;
+  return accessList.map((item) => ({
+    address: item.address,
+    storageKeys: item.storageKeys
+  }));
+};
+var textEncoder = new TextEncoder();
+var resolveTransactionType = (transaction) => {
+  if (transaction.type !== void 0) {
+    const normalized = toHexQuantity(transaction.type);
+    if (normalized === "0x0" || normalized === "0x1" || normalized === "0x2") {
+      return normalized;
+    }
+    throw new Error(`Unsupported EVM transaction type for Cubist: ${normalized}`);
+  }
+  if (transaction.maxFeePerGas !== void 0 || transaction.maxPriorityFeePerGas !== void 0) {
+    return "0x2";
+  }
+  if (transaction.accessList?.length) {
+    return "0x1";
+  }
+  return "0x0";
+};
+var toCubistSignRequest = (address, chain, transaction) => {
+  const resolvedChainId = (transaction.chainId !== void 0 ? Number(toBigIntQuantity(transaction.chainId)) : void 0) ?? evmChainIdMap[chain];
+  if (!resolvedChainId) {
+    throw new Error("Cubist signing requires an EVM chainId");
+  }
+  const type = resolveTransactionType(transaction);
+  const commonFields = {
+    from: transaction.from ?? address,
+    to: transaction.to,
+    data: transaction.data,
+    gas: toHexQuantity(transaction.gas),
+    nonce: toHexQuantity(transaction.nonce),
+    value: toHexQuantity(transaction.value)
+  };
+  const accessList = normalizeAccessList(transaction.accessList);
+  const tx = type === "0x2" ? {
+    ...commonFields,
+    type,
+    ...accessList ? { accessList } : {},
+    maxFeePerGas: toHexQuantity(transaction.maxFeePerGas),
+    maxPriorityFeePerGas: toHexQuantity(transaction.maxPriorityFeePerGas)
+  } : type === "0x1" ? {
+    ...commonFields,
+    type,
+    ...accessList ? { accessList } : {},
+    gasPrice: toHexQuantity(transaction.gasPrice)
+  } : {
+    ...commonFields,
+    type,
+    gasPrice: toHexQuantity(transaction.gasPrice)
+  };
+  return {
+    chain_id: resolvedChainId,
+    tx
+  };
+};
+var getTransactionParam = (params) => {
+  const candidate = params?.[0];
+  if (!isRecord(candidate)) {
+    throw new Error("eth_signTransaction requires a transaction object");
+  }
+  return candidate;
+};
+var toHexBytes = (value) => {
+  if (/^0x[0-9a-fA-F]*$/.test(value)) return value;
+  return `0x${Array.from(textEncoder.encode(value)).map((byte) => byte.toString(16).padStart(2, "0")).join("")}`;
+};
+var getMessageParam = (address, params) => {
+  const [first, second] = params ?? [];
+  if (typeof second === "string" && second.toLowerCase() === address.toLowerCase()) {
+    return String(first ?? "");
+  }
+  if (typeof first === "string" && first.toLowerCase() === address.toLowerCase()) {
+    return String(second ?? "");
+  }
+  return String(first ?? "");
+};
+var getTypedDataParam = (address, params) => {
+  const [first, second] = params ?? [];
+  if (typeof first === "string" && first.toLowerCase() === address.toLowerCase()) {
+    return typeof second === "string" ? JSON.parse(second) : second ?? {};
+  }
+  return typeof second === "string" ? JSON.parse(second) : second ?? first ?? {};
+};
+var createCubistEvmWalletProvider = ({
+  session,
+  address,
+  chain
+}) => {
+  const signer = new EvmSigner(address, session.client);
+  return {
+    async request(payload) {
+      switch (payload.method) {
+        case "eth_accounts":
+        case "eth_requestAccounts":
+          return [address];
+        case "eth_chainId": {
+          const chainId = evmChainIdMap[chain];
+          if (!chainId) {
+            throw new Error(`CubistProvider: chain ${chain} does not expose an EVM chainId`);
+          }
+          return `0x${chainId.toString(16)}`;
+        }
+        case "eth_signTransaction": {
+          const transaction = getTransactionParam(payload.params);
+          const signRequest = toCubistSignRequest(address, chain, transaction);
+          return await signer.signTransaction(signRequest);
+        }
+        case "personal_sign": {
+          const message = getMessageParam(address, payload.params);
+          return await signer.signEip191({
+            data: toHexBytes(message)
+          });
+        }
+        case "eth_signTypedData_v4": {
+          const typedData = getTypedDataParam(address, payload.params);
+          const domain = typedData.domain;
+          const chainId = domain?.chainId !== void 0 ? Number(toBigIntQuantity(domain.chainId)) : evmChainIdMap[chain];
+          if (!chainId) {
+            throw new Error("CubistProvider: typed data signing requires an EVM chainId");
+          }
+          return await signer.signEip712({
+            chain_id: chainId,
+            typed_data: typedData
+          });
+        }
+        default:
+          throw new Error(`CubistProvider: unsupported RPC method "${payload.method}"`);
+      }
+    },
+    async disconnect() {
+      await session.client.revokeSession();
+    }
+  };
+};
+
+export { CubeSignerAuth, createCubistEvmWalletProvider };