@aztec/wallet-sdk 4.0.0-devnet.2-patch.4 → 4.0.0-devnet.3-patch.1

package/dest/crypto.js

@@ -392,3 +392,91 @@ const FINGERPRINT_DATA = new TextEncoder().encode('aztec-wallet-verification-ver
     }
     return emojis.join('');
 }
+// ─── Passphrase-based encryption (PBKDF2 + AES-256-GCM) ───────────────────
+/** Default PBKDF2 iteration count. High to compensate for short PINs (~1-2s on modern hardware). */ const DEFAULT_PBKDF2_ITERATIONS = 2_000_000;
+const PBKDF2_SALT_BYTES = 16;
+const PBKDF2_IV_BYTES = 12;
+/**
+ * Derives an AES-256-GCM key from a passphrase using PBKDF2-SHA256.
+ *
+ * @param passphrase - The user-provided passphrase or PIN
+ * @param salt - Random salt bytes
+ * @param iterations - PBKDF2 iteration count (default: 2,000,000)
+ * @returns An AES-256-GCM CryptoKey
+ */ export async function deriveKeyFromPassphrase(passphrase, salt, iterations = DEFAULT_PBKDF2_ITERATIONS) {
+    const keyMaterial = await crypto.subtle.importKey('raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, [
+        'deriveKey'
+    ]);
+    return crypto.subtle.deriveKey({
+        name: 'PBKDF2',
+        salt: salt,
+        iterations,
+        hash: 'SHA-256'
+    }, keyMaterial, {
+        name: 'AES-GCM',
+        length: 256
+    }, false, [
+        'encrypt',
+        'decrypt'
+    ]);
+}
+/**
+ * Encrypts arbitrary bytes with a passphrase using PBKDF2 + AES-256-GCM.
+ *
+ * Output layout: `[salt (16)] [iv (12)] [ciphertext (...)]`
+ *
+ * @param plaintext - Data to encrypt
+ * @param passphrase - User passphrase or PIN
+ * @param iterations - PBKDF2 iteration count (default: 2,000,000)
+ * @returns A Uint8Array containing salt + iv + ciphertext
+ */ export async function encryptWithPassphrase(plaintext, passphrase, iterations = DEFAULT_PBKDF2_ITERATIONS) {
+    const salt = crypto.getRandomValues(new Uint8Array(PBKDF2_SALT_BYTES));
+    const iv = crypto.getRandomValues(new Uint8Array(PBKDF2_IV_BYTES));
+    const key = await deriveKeyFromPassphrase(passphrase, salt, iterations);
+    const ciphertext = new Uint8Array(await crypto.subtle.encrypt({
+        name: 'AES-GCM',
+        iv
+    }, key, plaintext));
+    const result = new Uint8Array(PBKDF2_SALT_BYTES + PBKDF2_IV_BYTES + ciphertext.length);
+    result.set(salt, 0);
+    result.set(iv, PBKDF2_SALT_BYTES);
+    result.set(ciphertext, PBKDF2_SALT_BYTES + PBKDF2_IV_BYTES);
+    return result;
+}
+/**
+ * Decrypts data produced by {@link encryptWithPassphrase}.
+ *
+ * @param data - The encrypted blob (salt + iv + ciphertext)
+ * @param passphrase - The passphrase used during encryption
+ * @param iterations - PBKDF2 iteration count (must match encryption)
+ * @returns The decrypted plaintext bytes
+ * @throws On wrong passphrase (AES-GCM auth tag mismatch)
+ */ export async function decryptWithPassphrase(data, passphrase, iterations = DEFAULT_PBKDF2_ITERATIONS) {
+    const salt = data.slice(0, PBKDF2_SALT_BYTES);
+    const iv = data.slice(PBKDF2_SALT_BYTES, PBKDF2_SALT_BYTES + PBKDF2_IV_BYTES);
+    const ciphertext = data.slice(PBKDF2_SALT_BYTES + PBKDF2_IV_BYTES);
+    const key = await deriveKeyFromPassphrase(passphrase, salt, iterations);
+    return new Uint8Array(await crypto.subtle.decrypt({
+        name: 'AES-GCM',
+        iv
+    }, key, ciphertext));
+}
+/**
+ * Converts a Uint8Array to a base64 string.
+ */ export function uint8ToBase64(bytes) {
+    let binary = '';
+    for (const b of bytes){
+        binary += String.fromCharCode(b);
+    }
+    return btoa(binary);
+}
+/**
+ * Converts a base64 string to a Uint8Array.
+ */ export function base64ToUint8(b64) {
+    const binary = atob(b64);
+    const bytes = new Uint8Array(binary.length);
+    for(let i = 0; i < binary.length; i++){
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}

package/dest/extension/provider/extension_wallet.d.ts

@@ -1,9 +1,6 @@
 import type { ChainInfo } from '@aztec/aztec.js/account';
 import { type Wallet } from '@aztec/aztec.js/wallet';
-/**
- * Callback type for wallet disconnect events.
- */
-export type DisconnectCallback = () => void;
+import { type DisconnectCallback } from '../../types.js';
 /**
  * A wallet implementation that communicates with browser extension wallets
  * using an encrypted MessageChannel.
@@ -129,4 +126,4 @@ export declare class ExtensionWallet {
      */
     disconnect(): Promise<void>;
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXh0ZW5zaW9uX3dhbGxldC5kLnRzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2V4dGVuc2lvbi9wcm92aWRlci9leHRlbnNpb25fd2FsbGV0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxFQUFFLFNBQVMsRUFBRSxNQUFNLHlCQUF5QixDQUFDO0FBQ3pELE9BQU8sRUFBRSxLQUFLLE1BQU0sRUFBZ0IsTUFBTSx3QkFBd0IsQ0FBQztBQW9CbkU7O0dBRUc7QUFDSCxNQUFNLE1BQU0sa0JBQWtCLEdBQUcsTUFBTSxJQUFJLENBQUM7QUFFNUM7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztHQThCRztBQUNILHFCQUFhLGVBQWU7SUFleEIsT0FBTyxDQUFDLFNBQVM7SUFDakIsT0FBTyxDQUFDLEtBQUs7SUFDYixPQUFPLENBQUMsV0FBVztJQUNuQixPQUFPLENBQUMsSUFBSTtJQUNaLE9BQU8sQ0FBQyxTQUFTO0lBbEJuQixzRUFBc0U7SUFDdEUsT0FBTyxDQUFDLFFBQVEsQ0FBb0Q7SUFDcEUsT0FBTyxDQUFDLFlBQVksQ0FBUztJQUM3QixPQUFPLENBQUMsbUJBQW1CLENBQTRCO0lBRXZEOzs7Ozs7O09BT0c7SUFDSCxPQUFPLGVBTUg7SUFFSjs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztPQXlCRztJQUNILE1BQU0sQ0FBQyxNQUFNLENBQ1gsV0FBVyxFQUFFLE1BQU0sRUFDbkIsSUFBSSxFQUFFLFdBQVcsRUFDakIsU0FBUyxFQUFFLFNBQVMsRUFDcEIsU0FBUyxFQUFFLFNBQVMsRUFDcEIsS0FBSyxFQUFFLE1BQU0sR0FDWixlQUFlLENBa0NqQjtJQUVELFFBQVEsSUFBSSxNQUFNLENBSWpCO1lBVWEsdUJBQXVCO1lBOEN2QixXQUFXO0lBMEJ6Qjs7OztPQUlHO0lBQ0gsT0FBTyxDQUFDLGdCQUFnQjtJQTBCeEI7Ozs7Ozs7Ozs7Ozs7OztPQWVHO0lBQ0gsWUFBWSxDQUFDLFFBQVEsRUFBRSxrQkFBa0IsR0FBRyxNQUFNLElBQUksQ0FRckQ7SUFFRDs7OztPQUlHO0lBQ0gsY0FBYyxJQUFJLE9BQU8sQ0FFeEI7SUFFRDs7Ozs7Ozs7Ozs7OztPQWFHO0lBRUcsVUFBVSxJQUFJLE9BQU8sQ0FBQyxJQUFJLENBQUMsQ0FhaEM7Q0FDRiJ9
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXh0ZW5zaW9uX3dhbGxldC5kLnRzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2V4dGVuc2lvbi9wcm92aWRlci9leHRlbnNpb25fd2FsbGV0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxFQUFFLFNBQVMsRUFBRSxNQUFNLHlCQUF5QixDQUFDO0FBQ3pELE9BQU8sRUFBRSxLQUFLLE1BQU0sRUFBZ0IsTUFBTSx3QkFBd0IsQ0FBQztBQU9uRSxPQUFPLEVBQUUsS0FBSyxrQkFBa0IsRUFBOEQsTUFBTSxnQkFBZ0IsQ0FBQztBQWFySDs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0dBOEJHO0FBQ0gscUJBQWEsZUFBZTtJQWV4QixPQUFPLENBQUMsU0FBUztJQUNqQixPQUFPLENBQUMsS0FBSztJQUNiLE9BQU8sQ0FBQyxXQUFXO0lBQ25CLE9BQU8sQ0FBQyxJQUFJO0lBQ1osT0FBTyxDQUFDLFNBQVM7SUFsQm5CLHNFQUFzRTtJQUN0RSxPQUFPLENBQUMsUUFBUSxDQUFvRDtJQUNwRSxPQUFPLENBQUMsWUFBWSxDQUFTO0lBQzdCLE9BQU8sQ0FBQyxtQkFBbUIsQ0FBNEI7SUFFdkQ7Ozs7Ozs7T0FPRztJQUNILE9BQU8sZUFNSDtJQUVKOzs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O09BeUJHO0lBQ0gsTUFBTSxDQUFDLE1BQU0sQ0FDWCxXQUFXLEVBQUUsTUFBTSxFQUNuQixJQUFJLEVBQUUsV0FBVyxFQUNqQixTQUFTLEVBQUUsU0FBUyxFQUNwQixTQUFTLEVBQUUsU0FBUyxFQUNwQixLQUFLLEVBQUUsTUFBTSxHQUNaLGVBQWUsQ0FrQ2pCO0lBRUQsUUFBUSxJQUFJLE1BQU0sQ0FJakI7WUFVYSx1QkFBdUI7WUE4Q3ZCLFdBQVc7SUEwQnpCOzs7O09BSUc7SUFDSCxPQUFPLENBQUMsZ0JBQWdCO0lBMEJ4Qjs7Ozs7Ozs7Ozs7Ozs7O09BZUc7SUFDSCxZQUFZLENBQUMsUUFBUSxFQUFFLGtCQUFrQixHQUFHLE1BQU0sSUFBSSxDQVFyRDtJQUVEOzs7O09BSUc7SUFDSCxjQUFjLElBQUksT0FBTyxDQUV4QjtJQUVEOzs7Ozs7Ozs7Ozs7O09BYUc7SUFFRyxVQUFVLElBQUksT0FBTyxDQUFDLElBQUksQ0FBQyxDQWFoQztDQUNGIn0=

package/dest/extension/provider/extension_wallet.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"extension_wallet.d.ts","sourceRoot":"","sources":["../../../src/extension/provider/extension_wallet.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,KAAK,MAAM,EAAgB,MAAM,wBAAwB,CAAC;AAoBnE;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC;AAE5C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,qBAAa,eAAe;IAexB,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,SAAS;IAlBnB,sEAAsE;IACtE,OAAO,CAAC,QAAQ,CAAoD;IACpE,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,mBAAmB,CAA4B;IAEvD;;;;;;;OAOG;IACH,OAAO,eAMH;IAEJ;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACH,MAAM,CAAC,MAAM,CACX,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,WAAW,EACjB,SAAS,EAAE,SAAS,EACpB,SAAS,EAAE,SAAS,EACpB,KAAK,EAAE,MAAM,GACZ,eAAe,CAkCjB;IAED,QAAQ,IAAI,MAAM,CAIjB;YAUa,uBAAuB;YA8CvB,WAAW;IA0BzB;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IA0BxB;;;;;;;;;;;;;;;OAeG;IACH,YAAY,CAAC,QAAQ,EAAE,kBAAkB,GAAG,MAAM,IAAI,CAQrD;IAED;;;;OAIG;IACH,cAAc,IAAI,OAAO,CAExB;IAED;;;;;;;;;;;;;OAaG;IAEG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAahC;CACF"}
+{"version":3,"file":"extension_wallet.d.ts","sourceRoot":"","sources":["../../../src/extension/provider/extension_wallet.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,KAAK,MAAM,EAAgB,MAAM,wBAAwB,CAAC;AAOnE,OAAO,EAAE,KAAK,kBAAkB,EAA8D,MAAM,gBAAgB,CAAC;AAarH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,qBAAa,eAAe;IAexB,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,SAAS;IAlBnB,sEAAsE;IACtE,OAAO,CAAC,QAAQ,CAAoD;IACpE,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,mBAAmB,CAA4B;IAEvD;;;;;;;OAOG;IACH,OAAO,eAMH;IAEJ;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACH,MAAM,CAAC,MAAM,CACX,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,WAAW,EACjB,SAAS,EAAE,SAAS,EACpB,SAAS,EAAE,SAAS,EACpB,KAAK,EAAE,MAAM,GACZ,eAAe,CAkCjB;IAED,QAAQ,IAAI,MAAM,CAIjB;YAUa,uBAAuB;YA8CvB,WAAW;IA0BzB;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IA0BxB;;;;;;;;;;;;;;;OAeG;IACH,YAAY,CAAC,QAAQ,EAAE,kBAAkB,GAAG,MAAM,IAAI,CAQrD;IAED;;;;OAIG;IACH,cAAc,IAAI,OAAO,CAExB;IAED;;;;;;;;;;;;;OAaG;IAEG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAahC;CACF"}

package/dest/extension/provider/index.d.ts

@@ -1,3 +1,3 @@
-export { ExtensionWallet, type DisconnectCallback } from './extension_wallet.js';
+export { ExtensionWallet } from './extension_wallet.js';
 export { ExtensionProvider, type DiscoveredWallet, type ConnectedWallet, type DiscoveryOptions, } from './extension_provider.js';
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9leHRlbnNpb24vcHJvdmlkZXIvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLGVBQWUsRUFBRSxLQUFLLGtCQUFrQixFQUFFLE1BQU0sdUJBQXVCLENBQUM7QUFDakYsT0FBTyxFQUNMLGlCQUFpQixFQUNqQixLQUFLLGdCQUFnQixFQUNyQixLQUFLLGVBQWUsRUFDcEIsS0FBSyxnQkFBZ0IsR0FDdEIsTUFBTSx5QkFBeUIsQ0FBQyJ9
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9leHRlbnNpb24vcHJvdmlkZXIvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLGVBQWUsRUFBRSxNQUFNLHVCQUF1QixDQUFDO0FBQ3hELE9BQU8sRUFDTCxpQkFBaUIsRUFDakIsS0FBSyxnQkFBZ0IsRUFDckIsS0FBSyxlQUFlLEVBQ3BCLEtBQUssZ0JBQWdCLEdBQ3RCLE1BQU0seUJBQXlCLENBQUMifQ==

package/dest/extension/provider/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/extension/provider/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,KAAK,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AACjF,OAAO,EACL,iBAAiB,EACjB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/extension/provider/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,iBAAiB,EACjB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,yBAAyB,CAAC"}

package/dest/iframe/handlers/iframe_connection_handler.d.ts

@@ -0,0 +1,118 @@
+/**
+ * IframeConnectionHandler — wallet-side of the cross-origin iframe protocol.
+ *
+ * This mirrors {@link BackgroundConnectionHandler} from `@aztec/wallet-sdk/extension/handlers`
+ * but uses `window.postMessage` instead of browser.runtime messaging.
+ *
+ * Message flow (wallet receives):
+ *   parent → DISCOVERY            → show approval UI → send DISCOVERY_RESPONSE
+ *   parent → KEY_EXCHANGE_REQUEST → ECDH             → send KEY_EXCHANGE_RESPONSE
+ *   parent → SECURE_MESSAGE       → decrypt → Wallet → encrypt → SECURE_RESPONSE
+ *   parent → DISCONNECT           → terminate session
+ *
+ * The wallet announces itself by posting WALLET_READY as soon as the handler starts,
+ * so the dApp knows it can send a discovery request.
+ */
+import type { ChainInfo } from '@aztec/aztec.js/account';
+import type { Wallet } from '@aztec/aztec.js/wallet';
+/**
+ * A pending discovery request from a dApp (before user approval).
+ */
+export interface PendingSession {
+    /** Unique request identifier */
+    requestId: string;
+    /** Application identifier */
+    appId: string;
+    /** Origin URL of the requesting page */
+    origin: string;
+    /** Approval status */
+    status: 'pending' | 'approved';
+}
+/**
+ * An active session (after key exchange).
+ */
+export interface ActiveSession {
+    /** Session identifier (same as the discovery requestId) */
+    sessionId: string;
+    /** AES-256-GCM shared key for this session */
+    sharedKey: CryptoKey;
+    /** Verification hash for emoji display */
+    verificationHash: string;
+    /** Origin URL of the connected dApp */
+    origin: string;
+    /** Application identifier */
+    appId: string;
+}
+/**
+ * Configuration for the iframe connection handler.
+ */
+export interface IframeConnectionConfig {
+    /** Unique wallet identifier */
+    walletId: string;
+    /** Display name for the wallet */
+    walletName: string;
+    /** Wallet version string */
+    walletVersion: string;
+    /** Optional wallet icon URL */
+    walletIcon?: string;
+    /** Origins allowed to connect. If empty or undefined, all origins are allowed (dev mode). */
+    allowedOrigins?: string[];
+}
+/**
+ * Event callbacks for the iframe connection handler.
+ */
+export interface IframeConnectionCallbacks {
+    /** Called when a new discovery request arrives — wallet can show approval UI */
+    onPendingDiscovery?: (session: PendingSession) => void;
+    /** Called when a session is established (key exchange complete) */
+    onSessionEstablished?: (session: ActiveSession) => void;
+    /** Called when a session is terminated */
+    onSessionTerminated?: (sessionId: string) => void;
+    /** Called when a key exchange completes — show verificationHash as emojis to the user */
+    onVerificationHash?: (verificationHash: string) => void;
+    /**
+     * Resolves the Wallet instance to use for a given dApp and chain.
+     * Called when an encrypted message arrives and needs to be dispatched.
+     */
+    getWallet: (appId: string, chainInfo: ChainInfo) => Promise<Wallet>;
+}
+/**
+ * Handles the wallet side of the cross-origin iframe protocol.
+ *
+ * Manages the full lifecycle: discovery, ECDH key exchange, encrypted message
+ * dispatch to a {@link Wallet} instance, and session termination.
+ *
+ * @example
+ * ```typescript
+ * const handler = new IframeConnectionHandler(
+ *   { walletId: 'my-wallet', walletName: 'My Wallet', walletVersion: '1.0.0' },
+ *   {
+ *     onPendingDiscovery: (session) => showApprovalUI(session),
+ *     getWallet: (appId, chainInfo) => createWalletForApp(appId, chainInfo),
+ *   },
+ * );
+ * handler.start();
+ * ```
+ */
+export declare class IframeConnectionHandler {
+    private config;
+    private callbacks;
+    private pendingSessions;
+    private activeSessions;
+    private log;
+    constructor(config: IframeConnectionConfig, callbacks: IframeConnectionCallbacks);
+    start(): void;
+    stop(): void;
+    approveDiscovery(requestId: string): void;
+    rejectDiscovery(requestId: string): void;
+    terminateSession(sessionId: string): void;
+    getPendingSessions(): PendingSession[];
+    private handleMessage;
+    private handleMessageAsync;
+    private handleDiscoveryRequest;
+    private handleKeyExchangeRequest;
+    private handleSecureMessage;
+    private postToParent;
+    private postToOrigin;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaWZyYW1lX2Nvbm5lY3Rpb25faGFuZGxlci5kLnRzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2lmcmFtZS9oYW5kbGVycy9pZnJhbWVfY29ubmVjdGlvbl9oYW5kbGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOzs7Ozs7Ozs7Ozs7OztHQWNHO0FBQ0gsT0FBTyxLQUFLLEVBQUUsU0FBUyxFQUFFLE1BQU0seUJBQXlCLENBQUM7QUFFekQsT0FBTyxLQUFLLEVBQUUsTUFBTSxFQUFFLE1BQU0sd0JBQXdCLENBQUM7QUFnQnJEOztHQUVHO0FBQ0gsTUFBTSxXQUFXLGNBQWM7SUFDN0IsZ0NBQWdDO0lBQ2hDLFNBQVMsRUFBRSxNQUFNLENBQUM7SUFDbEIsNkJBQTZCO0lBQzdCLEtBQUssRUFBRSxNQUFNLENBQUM7SUFDZCx3Q0FBd0M7SUFDeEMsTUFBTSxFQUFFLE1BQU0sQ0FBQztJQUNmLHNCQUFzQjtJQUN0QixNQUFNLEVBQUUsU0FBUyxHQUFHLFVBQVUsQ0FBQztDQUNoQztBQUVEOztHQUVHO0FBQ0gsTUFBTSxXQUFXLGFBQWE7SUFDNUIsMkRBQTJEO0lBQzNELFNBQVMsRUFBRSxNQUFNLENBQUM7SUFDbEIsOENBQThDO0lBQzlDLFNBQVMsRUFBRSxTQUFTLENBQUM7SUFDckIsMENBQTBDO0lBQzFDLGdCQUFnQixFQUFFLE1BQU0sQ0FBQztJQUN6Qix1Q0FBdUM7SUFDdkMsTUFBTSxFQUFFLE1BQU0sQ0FBQztJQUNmLDZCQUE2QjtJQUM3QixLQUFLLEVBQUUsTUFBTSxDQUFDO0NBQ2Y7QUFFRDs7R0FFRztBQUNILE1BQU0sV0FBVyxzQkFBc0I7SUFDckMsK0JBQStCO0lBQy9CLFFBQVEsRUFBRSxNQUFNLENBQUM7SUFDakIsa0NBQWtDO0lBQ2xDLFVBQVUsRUFBRSxNQUFNLENBQUM7SUFDbkIsNEJBQTRCO0lBQzVCLGFBQWEsRUFBRSxNQUFNLENBQUM7SUFDdEIsK0JBQStCO0lBQy9CLFVBQVUsQ0FBQyxFQUFFLE1BQU0sQ0FBQztJQUNwQiw2RkFBNkY7SUFDN0YsY0FBYyxDQUFDLEVBQUUsTUFBTSxFQUFFLENBQUM7Q0FDM0I7QUFFRDs7R0FFRztBQUNILE1BQU0sV0FBVyx5QkFBeUI7SUFDeEMsa0ZBQWdGO0lBQ2hGLGtCQUFrQixDQUFDLEVBQUUsQ0FBQyxPQUFPLEVBQUUsY0FBYyxLQUFLLElBQUksQ0FBQztJQUN2RCxtRUFBbUU7SUFDbkUsb0JBQW9CLENBQUMsRUFBRSxDQUFDLE9BQU8sRUFBRSxhQUFhLEtBQUssSUFBSSxDQUFDO0lBQ3hELDBDQUEwQztJQUMxQyxtQkFBbUIsQ0FBQyxFQUFFLENBQUMsU0FBUyxFQUFFLE1BQU0sS0FBSyxJQUFJLENBQUM7SUFDbEQsMkZBQXlGO0lBQ3pGLGtCQUFrQixDQUFDLEVBQUUsQ0FBQyxnQkFBZ0IsRUFBRSxNQUFNLEtBQUssSUFBSSxDQUFDO0lBQ3hEOzs7T0FHRztJQUNILFNBQVMsRUFBRSxDQUFDLEtBQUssRUFBRSxNQUFNLEVBQUUsU0FBUyxFQUFFLFNBQVMsS0FBSyxPQUFPLENBQUMsTUFBTSxDQUFDLENBQUM7Q0FDckU7QUFFRDs7Ozs7Ozs7Ozs7Ozs7Ozs7R0FpQkc7QUFDSCxxQkFBYSx1QkFBdUI7SUFNaEMsT0FBTyxDQUFDLE1BQU07SUFDZCxPQUFPLENBQUMsU0FBUztJQU5uQixPQUFPLENBQUMsZUFBZSxDQUFxQztJQUM1RCxPQUFPLENBQUMsY0FBYyxDQUFvQztJQUMxRCxPQUFPLENBQUMsR0FBRyxDQUF5QztJQUVwRCxZQUNVLE1BQU0sRUFBRSxzQkFBc0IsRUFDOUIsU0FBUyxFQUFFLHlCQUF5QixFQUMxQztJQUVKLEtBQUssSUFBSSxJQUFJLENBSVo7SUFFRCxJQUFJLElBQUksSUFBSSxDQUVYO0lBRUQsZ0JBQWdCLENBQUMsU0FBUyxFQUFFLE1BQU0sR0FBRyxJQUFJLENBa0J4QztJQUVELGVBQWUsQ0FBQyxTQUFTLEVBQUUsTUFBTSxHQUFHLElBQUksQ0FFdkM7SUFFRCxnQkFBZ0IsQ0FBQyxTQUFTLEVBQUUsTUFBTSxHQUFHLElBQUksQ0FVeEM7SUFFRCxrQkFBa0IsSUFBSSxjQUFjLEVBQUUsQ0FFckM7SUFFRCxPQUFPLENBQUMsYUFBYSxDQUVuQjtZQUVZLGtCQUFrQjtJQTRCaEMsT0FBTyxDQUFDLHNCQUFzQjtZQVNoQix3QkFBd0I7WUE2Q3hCLG1CQUFtQjtJQXNEakMsT0FBTyxDQUFDLFlBQVk7SUFNcEIsT0FBTyxDQUFDLFlBQVk7Q0FLckIifQ==

package/dest/iframe/handlers/iframe_connection_handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"iframe_connection_handler.d.ts","sourceRoot":"","sources":["../../../src/iframe/handlers/iframe_connection_handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAEzD,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAgBrD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,gCAAgC;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,6BAA6B;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,wCAAwC;IACxC,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB;IACtB,MAAM,EAAE,SAAS,GAAG,UAAU,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;IAClB,8CAA8C;IAC9C,SAAS,EAAE,SAAS,CAAC;IACrB,0CAA0C;IAC1C,gBAAgB,EAAE,MAAM,CAAC;IACzB,uCAAuC;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,+BAA+B;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,kCAAkC;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,4BAA4B;IAC5B,aAAa,EAAE,MAAM,CAAC;IACtB,+BAA+B;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6FAA6F;IAC7F,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,kFAAgF;IAChF,kBAAkB,CAAC,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,IAAI,CAAC;IACvD,mEAAmE;IACnE,oBAAoB,CAAC,EAAE,CAAC,OAAO,EAAE,aAAa,KAAK,IAAI,CAAC;IACxD,0CAA0C;IAC1C,mBAAmB,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,IAAI,CAAC;IAClD,2FAAyF;IACzF,kBAAkB,CAAC,EAAE,CAAC,gBAAgB,EAAE,MAAM,KAAK,IAAI,CAAC;IACxD;;;OAGG;IACH,SAAS,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;CACrE;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,uBAAuB;IAMhC,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,SAAS;IANnB,OAAO,CAAC,eAAe,CAAqC;IAC5D,OAAO,CAAC,cAAc,CAAoC;IAC1D,OAAO,CAAC,GAAG,CAAyC;IAEpD,YACU,MAAM,EAAE,sBAAsB,EAC9B,SAAS,EAAE,yBAAyB,EAC1C;IAEJ,KAAK,IAAI,IAAI,CAIZ;IAED,IAAI,IAAI,IAAI,CAEX;IAED,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAkBxC;IAED,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAEvC;IAED,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAUxC;IAED,kBAAkB,IAAI,cAAc,EAAE,CAErC;IAED,OAAO,CAAC,aAAa,CAEnB;YAEY,kBAAkB;IA4BhC,OAAO,CAAC,sBAAsB;YAShB,wBAAwB;YA6CxB,mBAAmB;IAsDjC,OAAO,CAAC,YAAY;IAMpB,OAAO,CAAC,YAAY;CAKrB"}

package/dest/iframe/handlers/iframe_connection_handler.js

@@ -0,0 +1,228 @@
+/**
+ * IframeConnectionHandler — wallet-side of the cross-origin iframe protocol.
+ *
+ * This mirrors {@link BackgroundConnectionHandler} from `@aztec/wallet-sdk/extension/handlers`
+ * but uses `window.postMessage` instead of browser.runtime messaging.
+ *
+ * Message flow (wallet receives):
+ *   parent → DISCOVERY            → show approval UI → send DISCOVERY_RESPONSE
+ *   parent → KEY_EXCHANGE_REQUEST → ECDH             → send KEY_EXCHANGE_RESPONSE
+ *   parent → SECURE_MESSAGE       → decrypt → Wallet → encrypt → SECURE_RESPONSE
+ *   parent → DISCONNECT           → terminate session
+ *
+ * The wallet announces itself by posting WALLET_READY as soon as the handler starts,
+ * so the dApp knows it can send a discovery request.
+ */ import { createLogger } from '@aztec/aztec.js/log';
+import { WalletSchema } from '@aztec/aztec.js/wallet';
+import { jsonStringify } from '@aztec/foundation/json-rpc';
+import { parseWithOptionals, schemaHasMethod } from '@aztec/foundation/schemas';
+import { decrypt, deriveSessionKeys, encrypt, exportPublicKey, generateKeyPair, importPublicKey } from '../../crypto.js';
+import { WalletMessageType } from '../../types.js';
+/**
+ * Handles the wallet side of the cross-origin iframe protocol.
+ *
+ * Manages the full lifecycle: discovery, ECDH key exchange, encrypted message
+ * dispatch to a {@link Wallet} instance, and session termination.
+ *
+ * @example
+ * ```typescript
+ * const handler = new IframeConnectionHandler(
+ *   { walletId: 'my-wallet', walletName: 'My Wallet', walletVersion: '1.0.0' },
+ *   {
+ *     onPendingDiscovery: (session) => showApprovalUI(session),
+ *     getWallet: (appId, chainInfo) => createWalletForApp(appId, chainInfo),
+ *   },
+ * );
+ * handler.start();
+ * ```
+ */ export class IframeConnectionHandler {
+    config;
+    callbacks;
+    pendingSessions;
+    activeSessions;
+    log;
+    constructor(config, callbacks){
+        this.config = config;
+        this.callbacks = callbacks;
+        this.pendingSessions = new Map();
+        this.activeSessions = new Map();
+        this.log = createLogger('wallet:iframe-handler');
+        this.handleMessage = (event)=>{
+            void this.handleMessageAsync(event);
+        };
+    }
+    start() {
+        window.addEventListener('message', this.handleMessage);
+        this.postToParent({
+            type: WalletMessageType.WALLET_READY
+        });
+        this.log.info('IframeConnectionHandler started, posted WALLET_READY');
+    }
+    stop() {
+        window.removeEventListener('message', this.handleMessage);
+    }
+    approveDiscovery(requestId) {
+        const pending = this.pendingSessions.get(requestId);
+        if (!pending || pending.status !== 'pending') {
+            return;
+        }
+        pending.status = 'approved';
+        this.postToOrigin(pending.origin, {
+            type: WalletMessageType.DISCOVERY_RESPONSE,
+            requestId,
+            walletInfo: {
+                id: this.config.walletId,
+                name: this.config.walletName,
+                version: this.config.walletVersion,
+                icon: this.config.walletIcon
+            }
+        });
+        this.log.info(`Discovery approved for requestId=${requestId}`);
+    }
+    rejectDiscovery(requestId) {
+        this.pendingSessions.delete(requestId);
+    }
+    terminateSession(sessionId) {
+        const session = this.activeSessions.get(sessionId);
+        if (session) {
+            this.postToOrigin(session.origin, {
+                type: WalletMessageType.SESSION_DISCONNECTED,
+                sessionId
+            });
+            this.activeSessions.delete(sessionId);
+            this.callbacks.onSessionTerminated?.(sessionId);
+        }
+    }
+    getPendingSessions() {
+        return Array.from(this.pendingSessions.values()).filter((s)=>s.status === 'pending');
+    }
+    handleMessage;
+    async handleMessageAsync(event) {
+        if (this.config.allowedOrigins && this.config.allowedOrigins.length > 0) {
+            if (!this.config.allowedOrigins.includes(event.origin)) {
+                return;
+            }
+        }
+        const msg = event.data;
+        if (!msg || typeof msg !== 'object' || !msg.type) {
+            return;
+        }
+        switch(msg.type){
+            case WalletMessageType.DISCOVERY:
+                this.handleDiscoveryRequest(msg, event.origin);
+                break;
+            case WalletMessageType.KEY_EXCHANGE_REQUEST:
+                await this.handleKeyExchangeRequest(msg, event.origin);
+                break;
+            case WalletMessageType.SECURE_MESSAGE:
+                await this.handleSecureMessage(msg);
+                break;
+            case WalletMessageType.DISCONNECT:
+                this.terminateSession(msg.sessionId);
+                break;
+        }
+    }
+    handleDiscoveryRequest(msg, origin) {
+        // eslint-disable-next-line jsdoc/require-jsdoc
+        const { requestId, appId } = msg;
+        const pending = {
+            requestId,
+            appId,
+            origin,
+            status: 'pending'
+        };
+        this.pendingSessions.set(requestId, pending);
+        this.log.info(`Discovery request from appId=${appId} origin=${origin}`);
+        this.callbacks.onPendingDiscovery?.(pending);
+    }
+    async handleKeyExchangeRequest(msg, origin) {
+        const { requestId, publicKey: appPublicKeyRaw } = msg;
+        const pending = this.pendingSessions.get(requestId);
+        if (!pending || pending.status !== 'approved') {
+            this.log.warn(`Key exchange for unknown/unapproved requestId=${requestId}`);
+            return;
+        }
+        try {
+            const keyPair = await generateKeyPair();
+            const walletPublicKey = await exportPublicKey(keyPair.publicKey);
+            const appPublicKey = await importPublicKey(appPublicKeyRaw);
+            const sessionKeys = await deriveSessionKeys(keyPair, appPublicKey, false);
+            const session = {
+                sessionId: requestId,
+                sharedKey: sessionKeys.encryptionKey,
+                verificationHash: sessionKeys.verificationHash,
+                origin: pending.origin,
+                appId: pending.appId
+            };
+            this.activeSessions.set(requestId, session);
+            this.pendingSessions.delete(requestId);
+            this.postToOrigin(origin, {
+                type: WalletMessageType.KEY_EXCHANGE_RESPONSE,
+                requestId,
+                publicKey: walletPublicKey,
+                verificationHash: sessionKeys.verificationHash
+            });
+            this.callbacks.onVerificationHash?.(sessionKeys.verificationHash);
+            this.callbacks.onSessionEstablished?.(session);
+            this.log.info(`Key exchange complete, sessionId=${requestId}`);
+        } catch (err) {
+            this.log.error(`Key exchange failed: ${err}`);
+        }
+    }
+    async handleSecureMessage(msg) {
+        // eslint-disable-next-line jsdoc/require-jsdoc
+        const { sessionId, encrypted } = msg;
+        const session = this.activeSessions.get(sessionId);
+        if (!session) {
+            return;
+        }
+        let walletMessage;
+        try {
+            walletMessage = await decrypt(session.sharedKey, encrypted);
+        } catch  {
+            this.log.warn(`Decryption failed for sessionId=${sessionId}`);
+            return;
+        }
+        const { messageId, type, args, chainInfo, appId } = walletMessage;
+        let result;
+        let error;
+        try {
+            const wallet = await this.callbacks.getWallet(appId, chainInfo);
+            if (!schemaHasMethod(WalletSchema, type)) {
+                throw new Error(`Unknown wallet method: ${type}`);
+            }
+            // Zod's AnyZodTuple rejects optional tuple items typed as `T | undefined`
+            const sanitizedArgs = await parseWithOptionals(args, WalletSchema[type].parameters());
+            result = await wallet[type](...sanitizedArgs);
+        } catch (err) {
+            error = err instanceof Error ? err.message : String(err);
+            this.log.error(`Error handling ${type}: ${error}`);
+        }
+        const response = {
+            messageId,
+            walletId: this.config.walletId,
+            result,
+            error
+        };
+        try {
+            const encryptedResponse = await encrypt(session.sharedKey, jsonStringify(response));
+            this.postToOrigin(session.origin, {
+                type: WalletMessageType.SECURE_RESPONSE,
+                sessionId,
+                encrypted: encryptedResponse
+            });
+        } catch (err) {
+            this.log.error(`Encryption of response failed: ${err}`);
+        }
+    }
+    postToParent(msg) {
+        if (window.parent !== window) {
+            window.parent.postMessage(msg, '*');
+        }
+    }
+    postToOrigin(origin, msg) {
+        if (window.parent !== window) {
+            window.parent.postMessage(msg, origin);
+        }
+    }
+}

package/dest/iframe/handlers/index.d.ts

@@ -0,0 +1,2 @@
+export { IframeConnectionHandler, type IframeConnectionConfig, type IframeConnectionCallbacks, type PendingSession, type ActiveSession, } from './iframe_connection_handler.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9pZnJhbWUvaGFuZGxlcnMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUNMLHVCQUF1QixFQUN2QixLQUFLLHNCQUFzQixFQUMzQixLQUFLLHlCQUF5QixFQUM5QixLQUFLLGNBQWMsRUFDbkIsS0FBSyxhQUFhLEdBQ25CLE1BQU0sZ0NBQWdDLENBQUMifQ==

package/dest/iframe/handlers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/iframe/handlers/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,uBAAuB,EACvB,KAAK,sBAAsB,EAC3B,KAAK,yBAAyB,EAC9B,KAAK,cAAc,EACnB,KAAK,aAAa,GACnB,MAAM,gCAAgC,CAAC"}

package/dest/iframe/handlers/index.js

@@ -0,0 +1 @@
+export { IframeConnectionHandler } from './iframe_connection_handler.js';

package/dest/iframe/provider/iframe_discovery.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Web wallet discovery — creates {@link IframeWalletProvider} instances from a list of URLs.
+ *
+ * For each configured URL we probe the wallet by loading a tiny invisible iframe,
+ * waiting for WALLET_READY, then sending a DISCOVERY request. On a successful
+ * DISCOVERY_RESPONSE we emit an IframeWalletProvider to the caller.
+ *
+ * This is intentionally lightweight (no key exchange yet) — key exchange happens
+ * later when the user selects the wallet and calls `provider.establishSecureChannel()`.
+ */
+import type { ChainInfo } from '@aztec/aztec.js/account';
+import type { DiscoverySession } from '../../manager/types.js';
+/**
+ * Probes a list of web wallet URLs and returns a {@link DiscoverySession} compatible
+ * with WalletManager's `getAvailableWallets()` interface.
+ *
+ * Discovered {@link IframeWalletProvider} instances are yielded asynchronously as each
+ * wallet responds to the probe.
+ *
+ * @param walletUrls - URLs of web wallets to probe
+ * @param chainInfo - Network information to pass during discovery
+ * @returns A cancellable discovery session
+ */
+export declare function discoverWebWallets(walletUrls: string[], chainInfo: ChainInfo): DiscoverySession;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaWZyYW1lX2Rpc2NvdmVyeS5kLnRzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2lmcmFtZS9wcm92aWRlci9pZnJhbWVfZGlzY292ZXJ5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOzs7Ozs7Ozs7R0FTRztBQUNILE9BQU8sS0FBSyxFQUFFLFNBQVMsRUFBRSxNQUFNLHlCQUF5QixDQUFDO0FBR3pELE9BQU8sS0FBSyxFQUFFLGdCQUFnQixFQUFrQixNQUFNLHdCQUF3QixDQUFDO0FBTS9FOzs7Ozs7Ozs7O0dBVUc7QUFDSCx3QkFBZ0Isa0JBQWtCLENBQUMsVUFBVSxFQUFFLE1BQU0sRUFBRSxFQUFFLFNBQVMsRUFBRSxTQUFTLEdBQUcsZ0JBQWdCLENBdUYvRiJ9

package/dest/iframe/provider/iframe_discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"iframe_discovery.d.ts","sourceRoot":"","sources":["../../../src/iframe/provider/iframe_discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAGzD,OAAO,KAAK,EAAE,gBAAgB,EAAkB,MAAM,wBAAwB,CAAC;AAM/E;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,SAAS,GAAG,gBAAgB,CAuF/F"}