@bsv/wallet-toolbox-client 2.1.24 → 2.1.25

package/out/src/CWIStyleWalletManager.js

@@ -43,8 +43,8 @@ function stripVerifiedPushDropSignature(fields, lockingPublicKey) {
         let writeOffset = 0;
         for (let i = 0; i < protocolFieldCount; i++) {
             const field = fields[i];
-            for (let j = 0; j < field.length; j++) {
-                dataToVerify[writeOffset++] = field[j];
+            for (const byte of field) {
+                dataToVerify[writeOffset++] = byte;
             }
         }
         const signature = sdk_1.Signature.fromDER(trailingField);
@@ -71,10 +71,10 @@ async function pbkdf2NativeOrWasm(passwordBytes, salt, iterations, keyLen, hash
     var _a;
     // ----- fast-path: WebCrypto (both browser & recent Node expose globalThis.crypto.subtle)
     const subtle = (_a = globalThis === null || globalThis === void 0 ? void 0 : globalThis.crypto) === null || _a === void 0 ? void 0 : _a.subtle;
-    if (subtle) {
+    if (subtle != null) {
         try {
             const baseKey = await subtle.importKey('raw', new Uint8Array(passwordBytes), { name: 'PBKDF2' }, 
-            /*extractable*/ false, ['deriveBits']);
+            /* extractable */ false, ['deriveBits']);
             const bits = await subtle.deriveBits({
                 name: 'PBKDF2',
                 salt: new Uint8Array(salt),
@@ -83,9 +83,10 @@ async function pbkdf2NativeOrWasm(passwordBytes, salt, iterations, keyLen, hash
             }, baseKey, keyLen * 8);
             return Array.from(new Uint8Array(bits));
         }
-        catch (err) {
-            //console.warn('[pbkdf2] WebCrypto path failed → falling back to JS implementation', err)
-            /* fall through */
+        catch (webCryptoErr) {
+            // WebCrypto is unavailable or refused the algorithm (e.g. non-secure context, old
+            // Safari).  Fall through to the pure-JS hash-wasm implementation below.
+            console.debug('[pbkdf2] WebCrypto path failed, falling back to JS implementation', webCryptoErr);
         }
     }
     const hashFunction = hash === 'sha256' ? (0, hash_wasm_1.createSHA256)() : (0, hash_wasm_1.createSHA512)();
@@ -113,8 +114,8 @@ async function derivePasswordKey(token, passwordBytes, overrideKdf) {
     var _a, _b, _c, _d, _e;
     const kdf = overrideKdf || token.passwordKdf;
     // Legacy token or explicit PBKDF2 request
-    if (!kdf || kdf.algorithm === 'pbkdf2-sha512') {
-        return pbkdf2NativeOrWasm(passwordBytes, token.passwordSalt, (_a = kdf === null || kdf === void 0 ? void 0 : kdf.iterations) !== null && _a !== void 0 ? _a : exports.PBKDF2_NUM_ROUNDS, 32, 'sha512');
+    if ((kdf == null) || kdf.algorithm === 'pbkdf2-sha512') {
+        return await pbkdf2NativeOrWasm(passwordBytes, token.passwordSalt, (_a = kdf === null || kdf === void 0 ? void 0 : kdf.iterations) !== null && _a !== void 0 ? _a : exports.PBKDF2_NUM_ROUNDS, 32, 'sha512');
     }
     // Argon2id path (UMP v3)
     if (kdf.algorithm === 'argon2id') {
@@ -207,7 +208,32 @@ class OverlayUMPTokenInteractor {
      */
     async buildAndSend(wallet, // This wallet MUST be the one built for the default profile
     adminOriginator, token, oldTokenToConsume) {
-        // 1) Construct the data fields for the new UMP token.
+        // 1) Construct the data fields and PushDrop locking script for the new UMP token.
+        const fields = this.buildUMPTokenFields(token);
+        const script = await new sdk_1.PushDrop(wallet, adminOriginator).lock(fields, [2, 'admin user management token'], '1', 'self', 
+        /* forSelf= */ true, 
+        /* includeSignature= */ true);
+        const tokenOutput = [{ lockingScript: script.toHex(), satoshis: 1, outputDescription: 'New UMP token output' }];
+        // 2) Resolve the old-token input (if provided) and create the action.
+        const { resolvedOldToken, inputToken } = await this.resolveOldTokenInput(oldTokenToConsume);
+        const inputs = (resolvedOldToken === null || resolvedOldToken === void 0 ? void 0 : resolvedOldToken.currentOutpoint)
+            ? [{ outpoint: resolvedOldToken.currentOutpoint, unlockingScriptLength: 73, inputDescription: 'Consume old UMP token' }]
+            : [];
+        const createResult = await this.createUMPAction(wallet, adminOriginator, inputs, tokenOutput, inputToken, resolvedOldToken);
+        // 3) If the wallet fully processed it (no signable tx), broadcast and return.
+        if (!createResult.signableTransaction) {
+            return await this.broadcastFinishedUMPAction(createResult);
+        }
+        // 4) Sign and broadcast: with old token input or without.
+        const reference = createResult.signableTransaction.reference;
+        const partialTx = sdk_1.Transaction.fromBEEF(createResult.signableTransaction.tx);
+        if (resolvedOldToken === null || resolvedOldToken === void 0 ? void 0 : resolvedOldToken.currentOutpoint) {
+            return await this.signAndBroadcastWithOldToken(wallet, adminOriginator, reference, partialTx);
+        }
+        return await this.signAndBroadcastNewToken(wallet, adminOriginator, reference);
+    }
+    /** Assembles the ordered number[][] fields array from a UMPToken. */
+    buildUMPTokenFields(token) {
         const fields = [];
         fields[0] = token.passwordSalt;
         fields[1] = token.passwordPresentationPrimary;
@@ -220,148 +246,90 @@ class OverlayUMPTokenInteractor {
         fields[8] = token.presentationKeyEncrypted;
         fields[9] = token.passwordKeyEncrypted;
         fields[10] = token.recoveryKeyEncrypted;
-        // Optional field for encrypted profiles
-        if (token.profilesEncrypted) {
+        if (token.profilesEncrypted != null)
             fields[11] = token.profilesEncrypted;
-        }
-        // V3 fields: umpVersion, kdfAlgorithm, kdfParams
-        if (token.umpVersion === 3 && token.passwordKdf) {
-            const versionFieldIndex = token.profilesEncrypted ? 12 : 11;
-            fields[versionFieldIndex] = [token.umpVersion]; // Single byte
-            fields[versionFieldIndex + 1] = sdk_1.Utils.toArray(token.passwordKdf.algorithm, 'utf8');
-            // Construct kdfParams JSON
-            const kdfParams = {
-                iterations: token.passwordKdf.iterations
-            };
-            if (token.passwordKdf.memoryKiB !== undefined) {
+        if (token.umpVersion === 3 && token.passwordKdf != null) {
+            const vi = (token.profilesEncrypted == null) ? 11 : 12;
+            fields[vi] = [token.umpVersion];
+            fields[vi + 1] = sdk_1.Utils.toArray(token.passwordKdf.algorithm, 'utf8');
+            const kdfParams = { iterations: token.passwordKdf.iterations };
+            if (token.passwordKdf.memoryKiB !== undefined)
                 kdfParams.memoryKiB = token.passwordKdf.memoryKiB;
-            }
-            if (token.passwordKdf.parallelism !== undefined) {
+            if (token.passwordKdf.parallelism !== undefined)
                 kdfParams.parallelism = token.passwordKdf.parallelism;
-            }
-            if (token.passwordKdf.hashLength !== undefined) {
+            if (token.passwordKdf.hashLength !== undefined)
                 kdfParams.hashLength = token.passwordKdf.hashLength;
-            }
-            fields[versionFieldIndex + 2] = sdk_1.Utils.toArray(JSON.stringify(kdfParams), 'utf8');
-        }
-        // 2) Create a PushDrop script referencing these fields, locked with the admin key.
-        // The signature will be added as trailing metadata by PushDrop (not part of protocol fields).
-        const script = await new sdk_1.PushDrop(wallet, adminOriginator).lock(fields, [2, 'admin user management token'], // protocolID
-        '1', // keyID
-        'self', // counterparty
-        /*forSelf=*/ true, 
-        /*includeSignature=*/ true);
-        // 3) Prepare the createAction call. If oldTokenToConsume is provided, gather the outpoint.
-        const inputs = [];
-        let inputToken;
-        if (oldTokenToConsume === null || oldTokenToConsume === void 0 ? void 0 : oldTokenToConsume.currentOutpoint) {
-            inputToken = await this.findByOutpoint(oldTokenToConsume.currentOutpoint);
-            // If there is no token on the overlay, we can't consume it. Just start over with a new token.
-            if (!inputToken) {
-                oldTokenToConsume = undefined;
-                // Otherwise, add the input
-            }
-            else {
-                inputs.push({
-                    outpoint: oldTokenToConsume.currentOutpoint,
-                    unlockingScriptLength: 73, // typical signature length
-                    inputDescription: 'Consume old UMP token'
-                });
-            }
+            fields[vi + 2] = sdk_1.Utils.toArray(JSON.stringify(kdfParams), 'utf8');
         }
-        const outputs = [
-            {
-                lockingScript: script.toHex(),
-                satoshis: 1,
-                outputDescription: 'New UMP token output'
-            }
-        ];
-        // 4) Build the partial transaction via createAction.
-        let createResult;
+        return fields;
+    }
+    /** Looks up the old token on the overlay; returns undefined resolved token if not found. */
+    async resolveOldTokenInput(oldTokenToConsume) {
+        if (!(oldTokenToConsume === null || oldTokenToConsume === void 0 ? void 0 : oldTokenToConsume.currentOutpoint))
+            return { resolvedOldToken: undefined, inputToken: undefined };
+        const inputToken = await this.findByOutpoint(oldTokenToConsume.currentOutpoint);
+        if (inputToken == null)
+            return { resolvedOldToken: undefined, inputToken: undefined };
+        return { resolvedOldToken: oldTokenToConsume, inputToken };
+    }
+    /** Creates the UMP action; falls back to a bare recovery action on failure. */
+    async createUMPAction(wallet, adminOriginator, inputs, outputs, inputToken, resolvedOldToken) {
         try {
-            createResult = await wallet.createAction({
-                description: oldTokenToConsume ? 'Renew UMP token (consume old, create new)' : 'Create new UMP token',
+            return await wallet.createAction({
+                description: (resolvedOldToken == null) ? 'Create new UMP token' : 'Renew UMP token (consume old, create new)',
                 inputs,
                 outputs,
                 inputBEEF: inputToken === null || inputToken === void 0 ? void 0 : inputToken.beef,
-                options: {
-                    randomizeOutputs: false,
-                    acceptDelayedBroadcast: false
-                }
+                options: { randomizeOutputs: false, acceptDelayedBroadcast: false }
             }, adminOriginator);
         }
         catch (e) {
             console.error('Error with UMP token update. Attempting a last-ditch effort to get a new one', e);
-            createResult = await wallet.createAction({
+            return await wallet.createAction({
                 description: 'Recover UMP token',
                 outputs,
-                options: {
-                    randomizeOutputs: false,
-                    acceptDelayedBroadcast: false
-                }
-            }, adminOriginator);
-        }
-        // If the transaction is fully processed by the wallet
-        if (!createResult.signableTransaction) {
-            const finalTxid = createResult.txid || (createResult.tx ? sdk_1.Transaction.fromAtomicBEEF(createResult.tx).id('hex') : undefined);
-            if (!finalTxid) {
-                throw new Error('No signableTransaction and no final TX found.');
-            }
-            // Now broadcast to `tm_users` using SHIP
-            const broadcastTx = sdk_1.Transaction.fromAtomicBEEF(createResult.tx);
-            const result = await this.broadcaster.broadcast(broadcastTx);
-            console.log('BROADCAST RESULT', result);
-            return `${finalTxid}.0`;
-        }
-        // 5) If oldTokenToConsume is present, we must sign the input referencing it.
-        //    (If there's no old token, there's nothing to sign for the input.)
-        let finalTxid = '';
-        const reference = createResult.signableTransaction.reference;
-        const partialTx = sdk_1.Transaction.fromBEEF(createResult.signableTransaction.tx);
-        if (oldTokenToConsume === null || oldTokenToConsume === void 0 ? void 0 : oldTokenToConsume.currentOutpoint) {
-            // Unlock the old token with a matching PushDrop unlocker
-            const unlocker = new sdk_1.PushDrop(wallet, adminOriginator).unlock([2, 'admin user management token'], '1', 'self');
-            const unlockingScript = await unlocker.sign(partialTx, 0);
-            // Provide it to the wallet
-            const signResult = await wallet.signAction({
-                reference,
-                spends: {
-                    0: {
-                        unlockingScript: unlockingScript.toHex()
-                    }
-                }
+                options: { randomizeOutputs: false, acceptDelayedBroadcast: false }
             }, adminOriginator);
-            finalTxid = signResult.txid || (signResult.tx ? sdk_1.Transaction.fromAtomicBEEF(signResult.tx).id('hex') : '');
-            if (!finalTxid) {
-                throw new Error('Could not finalize transaction for renewed UMP token.');
-            }
-            // 6) Broadcast to `tm_users`
-            const finalAtomicTx = signResult.tx;
-            if (!finalAtomicTx) {
-                throw new Error('Final transaction data missing after signing renewed UMP token.');
-            }
-            const broadcastTx = sdk_1.Transaction.fromAtomicBEEF(finalAtomicTx);
-            const result = await this.broadcaster.broadcast(broadcastTx);
-            console.log('BROADCAST RESULT', result);
-            return `${finalTxid}.0`;
-        }
-        else {
-            // Fallback for creating a new token (no input spending)
-            const signResult = await wallet.signAction({ reference, spends: {} }, adminOriginator);
-            finalTxid = signResult.txid || (signResult.tx ? sdk_1.Transaction.fromAtomicBEEF(signResult.tx).id('hex') : '');
-            if (!finalTxid) {
-                throw new Error('Failed to finalize new UMP token transaction.');
-            }
-            const finalAtomicTx = signResult.tx;
-            if (!finalAtomicTx) {
-                throw new Error('Final transaction data missing after signing new UMP token.');
-            }
-            const broadcastTx = sdk_1.Transaction.fromAtomicBEEF(finalAtomicTx);
-            const result = await this.broadcaster.broadcast(broadcastTx);
-            console.log('BROADCAST RESULT', result);
-            return `${finalTxid}.0`;
         }
     }
+    /** Handles a fully-finalized (no signable tx) createAction result — broadcasts and returns outpoint. */
+    async broadcastFinishedUMPAction(createResult) {
+        const finalTxid = createResult.txid || (createResult.tx != null ? sdk_1.Transaction.fromAtomicBEEF(createResult.tx).id('hex') : undefined);
+        if (!finalTxid)
+            throw new Error('No signableTransaction and no final TX found.');
+        if (createResult.tx == null)
+            throw new Error('No final TX data to broadcast.');
+        const broadcastTx = sdk_1.Transaction.fromAtomicBEEF(createResult.tx);
+        const result = await this.broadcaster.broadcast(broadcastTx);
+        console.log('BROADCAST RESULT', result);
+        return `${finalTxid}.0`;
+    }
+    /** Signs the old-token input and broadcasts — used during UMP token renewal. */
+    async signAndBroadcastWithOldToken(wallet, adminOriginator, reference, partialTx) {
+        const unlocker = new sdk_1.PushDrop(wallet, adminOriginator).unlock([2, 'admin user management token'], '1', 'self');
+        const unlockingScript = await unlocker.sign(partialTx, 0);
+        const signResult = await wallet.signAction({ reference, spends: { 0: { unlockingScript: unlockingScript.toHex() } } }, adminOriginator);
+        const finalTxid = signResult.txid || ((signResult.tx == null) ? '' : sdk_1.Transaction.fromAtomicBEEF(signResult.tx).id('hex'));
+        if (!finalTxid)
+            throw new Error('Could not finalize transaction for renewed UMP token.');
+        if (signResult.tx == null)
+            throw new Error('Final transaction data missing after signing renewed UMP token.');
+        const result = await this.broadcaster.broadcast(sdk_1.Transaction.fromAtomicBEEF(signResult.tx));
+        console.log('BROADCAST RESULT', result);
+        return `${finalTxid}.0`;
+    }
+    /** Signs without input spending and broadcasts — used when creating a brand-new UMP token. */
+    async signAndBroadcastNewToken(wallet, adminOriginator, reference) {
+        const signResult = await wallet.signAction({ reference, spends: {} }, adminOriginator);
+        const finalTxid = signResult.txid || ((signResult.tx == null) ? '' : sdk_1.Transaction.fromAtomicBEEF(signResult.tx).id('hex'));
+        if (!finalTxid)
+            throw new Error('Failed to finalize new UMP token transaction.');
+        if (signResult.tx == null)
+            throw new Error('Final transaction data missing after signing new UMP token.');
+        const result = await this.broadcaster.broadcast(sdk_1.Transaction.fromAtomicBEEF(signResult.tx));
+        console.log('BROADCAST RESULT', result);
+        return `${finalTxid}.0`;
+    }
     /**
      * Attempts to parse a LookupAnswer from the UMP lookup service. If successful,
      * extracts the token fields from the resulting transaction and constructs
@@ -390,13 +358,19 @@ class OverlayUMPTokenInteractor {
             }
             // Parse protocol fields, excluding the trailing PushDrop signature only when
             // it is cryptographically valid for the preceding field payload.
-            let protocolFields = stripVerifiedPushDropSignature(decoded.fields, decoded.lockingPublicKey);
+            const protocolFields = stripVerifiedPushDropSignature(decoded.fields, decoded.lockingPublicKey);
             // Detect v3 token metadata in either layout:
             // - with profilesEncrypted present: [0..10]=core, [11]=profiles, [12]=version, [13]=algorithm, [14]=params
             // - without profilesEncrypted:      [0..10]=core, [11]=version, [12]=algorithm, [13]=params
             const hasV3MetadataWithProfiles = protocolFields.length >= 15 && ((_b = protocolFields[12]) === null || _b === void 0 ? void 0 : _b.length) === 1 && protocolFields[12][0] === 3;
             const hasV3MetadataWithoutProfiles = protocolFields.length >= 14 && ((_c = protocolFields[11]) === null || _c === void 0 ? void 0 : _c.length) === 1 && protocolFields[11][0] === 3;
-            const kdfVersionFieldIndex = hasV3MetadataWithProfiles ? 12 : hasV3MetadataWithoutProfiles ? 11 : -1;
+            let kdfVersionFieldIndex;
+            if (hasV3MetadataWithProfiles)
+                kdfVersionFieldIndex = 12;
+            else if (hasV3MetadataWithoutProfiles)
+                kdfVersionFieldIndex = 11;
+            else
+                kdfVersionFieldIndex = -1;
             // Build the UMP token from these fields, preserving outpoint
             const t = {
                 // Core fields (unchanged for all versions)
@@ -464,7 +438,7 @@ class OverlayUMPTokenInteractor {
         if (results.type !== 'output-list') {
             return undefined;
         }
-        if (!results.outputs || !results.outputs.length) {
+        if (!results.outputs || (results.outputs.length === 0)) {
             return undefined;
         }
         return results.outputs[0];
@@ -477,6 +451,18 @@ exports.OverlayUMPTokenInteractor = OverlayUMPTokenInteractor;
  * supporting multiple user profiles under a single account.
  */
 class CWIStyleWalletManager {
+    /**
+     * Resolves once the optional snapshot (if provided to the constructor) has been
+     * fully loaded and the wallet is ready to accept calls.
+     * When no snapshot is provided this resolves immediately.
+     * Await `ready` before calling wallet methods after constructing with a snapshot.
+     */
+    get ready() {
+        if (this._readyInit === undefined) {
+            this._readyInit = this._init();
+        }
+        return this._readyInit;
+    }
     /**
      * Constructs a new CWIStyleWalletManager.
      *
@@ -522,14 +508,14 @@ class CWIStyleWalletManager {
             parallelism: (_d = kdfConfig === null || kdfConfig === void 0 ? void 0 : kdfConfig.parallelism) !== null && _d !== void 0 ? _d : exports.ARGON2ID_DEFAULT_PARALLELISM,
             hashLength: (_e = kdfConfig === null || kdfConfig === void 0 ? void 0 : kdfConfig.hashLength) !== null && _e !== void 0 ? _e : exports.ARGON2ID_DEFAULT_HASH_LENGTH
         };
-        // If a saved snapshot is provided, attempt to load it.
-        // Note: loadSnapshot now returns a promise. We don't await it here,
-        // as the constructor must be synchronous. The caller should check
-        // `this.authenticated` after construction if a snapshot was provided.
-        if (stateSnapshot) {
-            this.loadSnapshot(stateSnapshot).catch(err => {
+        // Store snapshot for lazy init; callers await ready before calling wallet methods.
+        this._initSnapshot = stateSnapshot;
+    }
+    async _init() {
+        if (this._initSnapshot !== undefined) {
+            await this.loadSnapshot(this._initSnapshot).catch((err) => {
                 console.error('Failed to load snapshot during construction:', err);
-                // Clear potentially partially loaded state
+                // Clear potentially partially loaded state. destroy() is synchronous.
                 this.destroy();
             });
         }
@@ -547,7 +533,7 @@ class CWIStyleWalletManager {
         }
         const hash = sdk_1.Hash.sha256(key);
         const token = await this.UMPTokenInteractor.findByPresentationKeyHash(hash);
-        if (!token) {
+        if (token == null) {
             // No token found -> New user
             this.authenticationFlow = 'new-user';
             this.presentationKey = key;
@@ -563,119 +549,98 @@ class CWIStyleWalletManager {
      * Provides the password.
      */
     async providePassword(password) {
-        if (this.authenticated) {
+        if (this.authenticated)
             throw new Error('User is already authenticated');
-        }
         if (this.authenticationMode === 'presentation-key-and-recovery-key') {
             throw new Error('Password is not needed in this mode');
         }
         if (this.authenticationFlow === 'existing-user') {
-            // Existing user flow
-            if (!this.currentUMPToken) {
-                throw new Error('Provide presentation or recovery key first.');
-            }
-            // Use token-driven KDF (legacy PBKDF2 or v3 Argon2id)
-            const derivedPasswordKey = await derivePasswordKey(this.currentUMPToken, sdk_1.Utils.toArray(password, 'utf8'));
-            let rootPrimaryKey;
-            let rootPrivilegedKey; // Only needed for recovery mode
-            if (this.authenticationMode === 'presentation-key-and-password') {
-                if (!this.presentationKey)
-                    throw new Error('No presentation key found!');
-                const xorKey = this.XOR(this.presentationKey, derivedPasswordKey);
-                rootPrimaryKey = new sdk_1.SymmetricKey(xorKey).decrypt(this.currentUMPToken.passwordPresentationPrimary);
-            }
-            else {
-                // 'recovery-key-and-password'
-                if (!this.recoveryKey)
-                    throw new Error('No recovery key found!');
-                const primaryDecryptionKey = this.XOR(this.recoveryKey, derivedPasswordKey);
-                rootPrimaryKey = new sdk_1.SymmetricKey(primaryDecryptionKey).decrypt(this.currentUMPToken.passwordRecoveryPrimary);
-                const privilegedDecryptionKey = this.XOR(rootPrimaryKey, derivedPasswordKey);
-                rootPrivilegedKey = new sdk_1.SymmetricKey(privilegedDecryptionKey).decrypt(this.currentUMPToken.passwordPrimaryPrivileged);
-            }
-            // Build root infrastructure, load profiles, and switch to default profile initially
-            await this.setupRootInfrastructure(rootPrimaryKey, rootPrivilegedKey);
-            await this.switchProfile(this.activeProfileId);
+            await this.handleExistingUserPassword(password);
         }
         else {
-            // New user flow (only 'presentation-key-and-password')
-            if (this.authenticationMode !== 'presentation-key-and-password') {
-                throw new Error('New-user flow requires presentation key and password mode.');
-            }
-            if (!this.presentationKey) {
-                throw new Error('No presentation key provided for new-user flow.');
-            }
-            // Generate new keys/salt
-            const recoveryKey = (0, sdk_1.Random)(32);
-            await this.recoveryKeySaver(recoveryKey);
-            const passwordSalt = (0, sdk_1.Random)(32);
-            // Build temporary token with KDF config for password derivation
-            const tempTokenForKdf = {
-                passwordSalt,
-                passwordKdf: this.kdfConfig
-            };
-            const passwordKey = await derivePasswordKey(tempTokenForKdf, sdk_1.Utils.toArray(password, 'utf8'));
-            const rootPrimaryKey = (0, sdk_1.Random)(32);
-            const rootPrivilegedKey = (0, sdk_1.Random)(32);
-            // Build XOR keys
-            const presentationPassword = new sdk_1.SymmetricKey(this.XOR(this.presentationKey, passwordKey));
-            const presentationRecovery = new sdk_1.SymmetricKey(this.XOR(this.presentationKey, recoveryKey));
-            const recoveryPassword = new sdk_1.SymmetricKey(this.XOR(recoveryKey, passwordKey));
-            const primaryPassword = new sdk_1.SymmetricKey(this.XOR(rootPrimaryKey, passwordKey));
-            // Temp manager for encryption
-            const tempPrivilegedKeyManager = new PrivilegedKeyManager_1.PrivilegedKeyManager(async () => new sdk_1.PrivateKey(rootPrivilegedKey));
-            // Build new UMP token (v3 with KDF metadata, no profiles initially)
-            const newToken = {
-                passwordSalt,
-                passwordPresentationPrimary: presentationPassword.encrypt(rootPrimaryKey),
-                passwordRecoveryPrimary: recoveryPassword.encrypt(rootPrimaryKey),
-                presentationRecoveryPrimary: presentationRecovery.encrypt(rootPrimaryKey),
-                passwordPrimaryPrivileged: primaryPassword.encrypt(rootPrivilegedKey),
-                presentationRecoveryPrivileged: presentationRecovery.encrypt(rootPrivilegedKey),
-                presentationHash: sdk_1.Hash.sha256(this.presentationKey),
-                recoveryHash: sdk_1.Hash.sha256(recoveryKey),
-                presentationKeyEncrypted: (await tempPrivilegedKeyManager.encrypt({
-                    plaintext: this.presentationKey,
-                    protocolID: [2, 'admin key wrapping'],
-                    keyID: '1'
-                })).ciphertext,
-                passwordKeyEncrypted: (await tempPrivilegedKeyManager.encrypt({
-                    plaintext: passwordKey,
-                    protocolID: [2, 'admin key wrapping'],
-                    keyID: '1'
-                })).ciphertext,
-                recoveryKeyEncrypted: (await tempPrivilegedKeyManager.encrypt({
-                    plaintext: recoveryKey,
-                    protocolID: [2, 'admin key wrapping'],
-                    keyID: '1'
-                })).ciphertext,
-                profilesEncrypted: undefined, // No profiles yet
-                umpVersion: 3, // UMP protocol version 3
-                passwordKdf: this.kdfConfig // KDF metadata for v3
-            };
-            this.currentUMPToken = newToken;
-            // Setup root infrastructure and switch to default profile
-            await this.setupRootInfrastructure(rootPrimaryKey);
-            await this.switchProfile(exports.DEFAULT_PROFILE_ID);
-            // Fund the *default* wallet if funder provided
-            if (this.newWalletFunder && this.underlying) {
-                try {
-                    await this.newWalletFunder(this.presentationKey, this.underlying, this.adminOriginator);
-                }
-                catch (e) {
-                    console.error('Error funding new wallet:', e);
-                    const message = e instanceof Error ? e.message : String(e);
-                    throw new Error(`Failed to fund new wallet before publishing UMP token: ${message}`);
-                }
+            await this.handleNewUserPassword(password);
+        }
+    }
+    /** Handles the password step for an existing user — derives keys, sets up infrastructure. */
+    async handleExistingUserPassword(password) {
+        if (this.currentUMPToken == null)
+            throw new Error('Provide presentation or recovery key first.');
+        const derivedPasswordKey = await derivePasswordKey(this.currentUMPToken, sdk_1.Utils.toArray(password, 'utf8'));
+        let rootPrimaryKey;
+        let rootPrivilegedKey;
+        if (this.authenticationMode === 'presentation-key-and-password') {
+            if (this.presentationKey == null)
+                throw new Error('No presentation key found!');
+            rootPrimaryKey = new sdk_1.SymmetricKey(this.XOR(this.presentationKey, derivedPasswordKey))
+                .decrypt(this.currentUMPToken.passwordPresentationPrimary);
+        }
+        else {
+            // 'recovery-key-and-password'
+            if (this.recoveryKey == null)
+                throw new Error('No recovery key found!');
+            const primaryDecryptionKey = this.XOR(this.recoveryKey, derivedPasswordKey);
+            rootPrimaryKey = new sdk_1.SymmetricKey(primaryDecryptionKey).decrypt(this.currentUMPToken.passwordRecoveryPrimary);
+            rootPrivilegedKey = new sdk_1.SymmetricKey(this.XOR(rootPrimaryKey, derivedPasswordKey))
+                .decrypt(this.currentUMPToken.passwordPrimaryPrivileged);
+        }
+        await this.setupRootInfrastructure(rootPrimaryKey, rootPrivilegedKey);
+        await this.switchProfile(this.activeProfileId);
+    }
+    /** Handles the password step for a new user — generates keys, builds UMP token, publishes on-chain. */
+    async handleNewUserPassword(password) {
+        if (this.authenticationMode !== 'presentation-key-and-password') {
+            throw new Error('New-user flow requires presentation key and password mode.');
+        }
+        if (this.presentationKey == null)
+            throw new Error('No presentation key provided for new-user flow.');
+        // Generate new keys/salt
+        const recoveryKey = (0, sdk_1.Random)(32);
+        await this.recoveryKeySaver(recoveryKey);
+        const passwordSalt = (0, sdk_1.Random)(32);
+        const passwordKey = await derivePasswordKey({ passwordSalt, passwordKdf: this.kdfConfig }, sdk_1.Utils.toArray(password, 'utf8'));
+        const rootPrimaryKey = (0, sdk_1.Random)(32);
+        const rootPrivilegedKey = (0, sdk_1.Random)(32);
+        // Build XOR-combined symmetric keys
+        const presentationPassword = new sdk_1.SymmetricKey(this.XOR(this.presentationKey, passwordKey));
+        const presentationRecovery = new sdk_1.SymmetricKey(this.XOR(this.presentationKey, recoveryKey));
+        const recoveryPassword = new sdk_1.SymmetricKey(this.XOR(recoveryKey, passwordKey));
+        const primaryPassword = new sdk_1.SymmetricKey(this.XOR(rootPrimaryKey, passwordKey));
+        const tempPrivilegedKeyManager = new PrivilegedKeyManager_1.PrivilegedKeyManager(async () => new sdk_1.PrivateKey(rootPrivilegedKey));
+        const wrapKey = async (plaintext) => (await tempPrivilegedKeyManager.encrypt({ plaintext, protocolID: [2, 'admin key wrapping'], keyID: '1' })).ciphertext;
+        // Build new UMP token (v3 with KDF metadata, no profiles initially)
+        const newToken = {
+            passwordSalt,
+            passwordPresentationPrimary: presentationPassword.encrypt(rootPrimaryKey),
+            passwordRecoveryPrimary: recoveryPassword.encrypt(rootPrimaryKey),
+            presentationRecoveryPrimary: presentationRecovery.encrypt(rootPrimaryKey),
+            passwordPrimaryPrivileged: primaryPassword.encrypt(rootPrivilegedKey),
+            presentationRecoveryPrivileged: presentationRecovery.encrypt(rootPrivilegedKey),
+            presentationHash: sdk_1.Hash.sha256(this.presentationKey),
+            recoveryHash: sdk_1.Hash.sha256(recoveryKey),
+            presentationKeyEncrypted: await wrapKey(this.presentationKey),
+            passwordKeyEncrypted: await wrapKey(passwordKey),
+            recoveryKeyEncrypted: await wrapKey(recoveryKey),
+            profilesEncrypted: undefined,
+            umpVersion: 3,
+            passwordKdf: this.kdfConfig
+        };
+        this.currentUMPToken = newToken;
+        await this.setupRootInfrastructure(rootPrimaryKey);
+        await this.switchProfile(exports.DEFAULT_PROFILE_ID);
+        // Fund the *default* wallet if funder provided
+        if ((this.newWalletFunder != null) && (this.underlying != null)) {
+            try {
+                await this.newWalletFunder(this.presentationKey, this.underlying, this.adminOriginator);
             }
-            // Publish the new UMP token *after* potentially funding
-            // We need the default profile wallet to sign the UMP creation TX
-            if (!this.underlying) {
-                throw new Error('Default profile wallet not built before attempting to publish UMP token.');
+            catch (e) {
+                console.error('Error funding new wallet:', e);
+                const message = e instanceof Error ? e.message : String(e);
+                throw new Error(`Failed to fund new wallet before publishing UMP token: ${message}`);
             }
-            this.currentUMPToken.currentOutpoint = await this.UMPTokenInteractor.buildAndSend(this.underlying, // Use the default profile wallet
-            this.adminOriginator, newToken);
         }
+        if (this.underlying == null)
+            throw new Error('Default profile wallet not built before attempting to publish UMP token.');
+        this.currentUMPToken.currentOutpoint = await this.UMPTokenInteractor.buildAndSend(this.underlying, this.adminOriginator, newToken);
     }
     /**
      * Provides the recovery key.
@@ -694,7 +659,7 @@ class CWIStyleWalletManager {
             // Wait for password
             const hash = sdk_1.Hash.sha256(recoveryKey);
             const token = await this.UMPTokenInteractor.findByRecoveryKeyHash(hash);
-            if (!token)
+            if (token == null)
                 throw new Error('No user found with this recovery key');
             this.authenticationFlow = 'existing-user';
             this.recoveryKey = recoveryKey;
@@ -702,9 +667,9 @@ class CWIStyleWalletManager {
         }
         else {
             // 'presentation-key-and-recovery-key'
-            if (!this.presentationKey)
+            if (this.presentationKey == null)
                 throw new Error('Provide the presentation key first');
-            if (!this.currentUMPToken)
+            if (this.currentUMPToken == null)
                 throw new Error('Current UMP token not found');
             const xorKey = this.XOR(this.presentationKey, recoveryKey);
             const rootPrimaryKey = new sdk_1.SymmetricKey(xorKey).decrypt(this.currentUMPToken.presentationRecoveryPrimary);
@@ -723,7 +688,7 @@ class CWIStyleWalletManager {
      * @returns Encrypted snapshot bytes.
      */
     saveSnapshot() {
-        if (!this.rootPrimaryKey || !this.currentUMPToken) {
+        if ((this.rootPrimaryKey == null) || (this.currentUMPToken == null)) {
             throw new Error('No root primary key or current UMP token set');
         }
         const snapshotKey = (0, sdk_1.Random)(32);
@@ -795,18 +760,18 @@ class CWIStyleWalletManager {
         }
     }
     async syncUMPToken() {
-        if (!this.authenticated || !this.currentUMPToken || !this.rootPrimaryKey) {
+        if (!this.authenticated || (this.currentUMPToken == null) || (this.rootPrimaryKey == null)) {
             throw new Error('Wallet not authenticated or missing UMP token.');
         }
         const currentToken = this.currentUMPToken;
         let refreshed;
-        if (currentToken.presentationHash && currentToken.presentationHash.length) {
+        if (currentToken.presentationHash && (currentToken.presentationHash.length > 0)) {
             refreshed = await this.UMPTokenInteractor.findByPresentationKeyHash(currentToken.presentationHash);
         }
-        if (!refreshed && currentToken.recoveryHash && currentToken.recoveryHash.length) {
+        if ((refreshed == null) && currentToken.recoveryHash && (currentToken.recoveryHash.length > 0)) {
             refreshed = await this.UMPTokenInteractor.findByRecoveryKeyHash(currentToken.recoveryHash);
         }
-        if (!refreshed) {
+        if (refreshed == null) {
             return false;
         }
         if (refreshed.currentOutpoint &&
@@ -873,7 +838,7 @@ class CWIStyleWalletManager {
      * @returns The ID of the newly created profile.
      */
     async addProfile(name) {
-        if (!this.authenticated || !this.rootPrimaryKey || !this.currentUMPToken || !this.rootPrivilegedKeyManager) {
+        if (!this.authenticated || (this.rootPrimaryKey == null) || (this.currentUMPToken == null) || (this.rootPrivilegedKeyManager == null)) {
             throw new Error('Wallet not fully initialized or authenticated.');
         }
         // Ensure name is unique (including 'default')
@@ -904,7 +869,7 @@ class CWIStyleWalletManager {
      * @param profileId The 16-byte ID of the profile to delete.
      */
     async deleteProfile(profileId) {
-        if (!this.authenticated || !this.rootPrimaryKey || !this.currentUMPToken || !this.rootPrivilegedKeyManager) {
+        if (!this.authenticated || (this.rootPrimaryKey == null) || (this.currentUMPToken == null) || (this.rootPrivilegedKeyManager == null)) {
             throw new Error('Wallet not fully initialized or authenticated.');
         }
         if (profileId.every(x => x === 0)) {
@@ -931,7 +896,7 @@ class CWIStyleWalletManager {
      * @param profileId The 16-byte ID of the profile to switch to (use DEFAULT_PROFILE_ID for default).
      */
     async switchProfile(profileId) {
-        if (!this.authenticated || !this.rootPrimaryKey || !this.rootPrivilegedKeyManager) {
+        if (!this.authenticated || (this.rootPrimaryKey == null) || (this.rootPrivilegedKeyManager == null)) {
             throw new Error('Cannot switch profile: Wallet not authenticated or root keys missing.');
         }
         let profilePrimaryKey;
@@ -945,7 +910,7 @@ class CWIStyleWalletManager {
         else {
             // Switching to a non-default profile
             const profile = this.profiles.find(p => p.id.every((x, i) => x === profileId[i]));
-            if (!profile) {
+            if (profile == null) {
                 throw new Error('Profile not found.');
             }
             profilePrimaryKey = this.XOR(this.rootPrimaryKey, profile.primaryPad);
@@ -959,9 +924,9 @@ class CWIStyleWalletManager {
             const rootPrivileged = await this.rootPrivilegedKeyManager.getPrivilegedKey(reason);
             const rootPrivilegedBytes = rootPrivileged.toArray();
             // Apply the profile's pad if applicable
-            const profilePrivilegedBytes = profilePrivilegedPad
-                ? this.XOR(rootPrivilegedBytes, profilePrivilegedPad)
-                : rootPrivilegedBytes;
+            const profilePrivilegedBytes = (profilePrivilegedPad == null)
+                ? rootPrivilegedBytes
+                : this.XOR(rootPrivilegedBytes, profilePrivilegedPad);
             return new sdk_1.PrivateKey(profilePrivilegedBytes);
         });
         // Build the underlying wallet for the specific profile
@@ -975,7 +940,7 @@ class CWIStyleWalletManager {
      */
     async changePassword(newPassword) {
         var _a;
-        if (!this.authenticated || !this.currentUMPToken || !this.rootPrimaryKey || !this.rootPrivilegedKeyManager) {
+        if (!this.authenticated || (this.currentUMPToken == null) || (this.rootPrimaryKey == null) || (this.rootPrivilegedKeyManager == null)) {
             throw new Error('Not authenticated or missing required data.');
         }
         const passwordSalt = (0, sdk_1.Random)(32);
@@ -998,16 +963,16 @@ class CWIStyleWalletManager {
      * Retrieves the current recovery key. Requires privileged access.
      */
     async getRecoveryKey() {
-        if (!this.authenticated || !this.currentUMPToken || !this.rootPrivilegedKeyManager) {
+        if (!this.authenticated || (this.currentUMPToken == null) || (this.rootPrivilegedKeyManager == null)) {
             throw new Error('Not authenticated or missing required data.');
         }
-        return this.getFactor('recoveryKey');
+        return await this.getFactor('recoveryKey');
     }
     /**
      * Changes the user's recovery key. Prompts user to save the new key.
      */
     async changeRecoveryKey() {
-        if (!this.authenticated || !this.currentUMPToken || !this.rootPrimaryKey || !this.rootPrivilegedKeyManager) {
+        if (!this.authenticated || (this.currentUMPToken == null) || (this.rootPrimaryKey == null) || (this.rootPrivilegedKeyManager == null)) {
             throw new Error('Not authenticated or missing required data.');
         }
         // Decrypt existing factors needed
@@ -1025,7 +990,7 @@ class CWIStyleWalletManager {
      * Changes the user's presentation key.
      */
     async changePresentationKey(newPresentationKey) {
-        if (!this.authenticated || !this.currentUMPToken || !this.rootPrimaryKey || !this.rootPrivilegedKeyManager) {
+        if (!this.authenticated || (this.currentUMPToken == null) || (this.rootPrimaryKey == null) || (this.rootPrivilegedKeyManager == null)) {
             throw new Error('Not authenticated or missing required data.');
         }
         if (newPresentationKey.length !== 32) {
@@ -1039,7 +1004,7 @@ class CWIStyleWalletManager {
         recoveryKey, this.rootPrimaryKey, rootPrivilegedKey, this.profiles // Preserve profiles
         );
         // Update the temporarily stored key if it was set
-        if (this.presentationKey) {
+        if (this.presentationKey != null) {
             this.presentationKey = newPresentationKey;
         }
     }
@@ -1066,7 +1031,7 @@ class CWIStyleWalletManager {
      * @returns The decrypted key bytes.
      */
     async getFactor(factorName) {
-        if (!this.authenticated || !this.currentUMPToken || !this.rootPrivilegedKeyManager) {
+        if (!this.authenticated || (this.currentUMPToken == null) || (this.rootPrivilegedKeyManager == null)) {
             throw new Error(`Cannot get factor "${factorName}": Wallet not ready.`);
         }
         const protocolID = [2, 'admin key wrapping']; // Protocol used for encrypting factors
@@ -1114,7 +1079,7 @@ class CWIStyleWalletManager {
     async updateAuthFactors(passwordSalt, passwordKey, presentationKey, recoveryKey, rootPrimaryKey, rootPrivilegedKey, // Explicitly pass the root key bytes
     profiles // Pass current/new profiles list
     ) {
-        if (!this.authenticated || !this.rootPrimaryKey || !this.currentUMPToken) {
+        if (!this.authenticated || (this.rootPrimaryKey == null) || (this.currentUMPToken == null)) {
             throw new Error('Wallet is not properly authenticated or missing data for update.');
         }
         // Ensure we have the OLD token to consume
@@ -1131,7 +1096,7 @@ class CWIStyleWalletManager {
         const tempRootPrivilegedKeyManager = new PrivilegedKeyManager_1.PrivilegedKeyManager(async () => new sdk_1.PrivateKey(rootPrivilegedKey));
         // Encrypt profiles if provided
         let profilesEncrypted;
-        if (profiles && profiles.length > 0) {
+        if ((profiles != null) && profiles.length > 0) {
             const profilesJson = JSON.stringify(profiles);
             const profilesBytes = sdk_1.Utils.toArray(profilesJson, 'utf8');
             profilesEncrypted = new sdk_1.SymmetricKey(rootPrimaryKey).encrypt(profilesBytes);
@@ -1166,12 +1131,12 @@ class CWIStyleWalletManager {
                 keyID: '1'
             })).ciphertext,
             profilesEncrypted, // Add encrypted profiles
-            ...(kdfMetadata
-                ? {
+            ...(kdfMetadata == null
+                ? {}
+                : {
                     umpVersion: 3,
                     passwordKdf: kdfMetadata
-                }
-                : {})
+                })
             // currentOutpoint will be set after publishing
         };
         // We need the wallet built for the DEFAULT profile to publish the UMP token.
@@ -1183,7 +1148,7 @@ class CWIStyleWalletManager {
             await this.switchProfile(exports.DEFAULT_PROFILE_ID); // This rebuilds this.underlying
             walletToUse = this.underlying;
         }
-        if (!walletToUse) {
+        if (walletToUse == null) {
             throw new Error('Default profile wallet could not be activated for UMP token update.');
         }
         // Publish the new token on-chain, consuming the old one
@@ -1230,7 +1195,7 @@ class CWIStyleWalletManager {
         writeArray(token.passwordKeyEncrypted); // 9
         writeArray(token.recoveryKeyEncrypted); // 10
         // Write optional profiles field
-        if (token.profilesEncrypted && token.profilesEncrypted.length > 0) {
+        if ((token.profilesEncrypted != null) && token.profilesEncrypted.length > 0) {
             writer.writeUInt8(1); // Flag indicating profiles present
             writeArray(token.profilesEncrypted);
         }
@@ -1360,18 +1325,18 @@ class CWIStyleWalletManager {
      * @param ephemeralRootPrivilegedKey Optional root privileged key (e.g., during recovery flows).
      */
     async setupRootInfrastructure(rootPrimaryKey, ephemeralRootPrivilegedKey) {
-        if (!this.currentUMPToken) {
+        if (this.currentUMPToken == null) {
             throw new Error('A UMP token must exist before setting up root infrastructure!');
         }
         this.rootPrimaryKey = rootPrimaryKey;
         // Store ephemeral key if provided, for one-time use by the manager
-        let oneTimePrivilegedKey = ephemeralRootPrivilegedKey
-            ? new sdk_1.PrivateKey(ephemeralRootPrivilegedKey)
-            : undefined;
+        let oneTimePrivilegedKey = (ephemeralRootPrivilegedKey == null)
+            ? undefined
+            : new sdk_1.PrivateKey(ephemeralRootPrivilegedKey);
         // Create the ROOT PrivilegedKeyManager
         this.rootPrivilegedKeyManager = new PrivilegedKeyManager_1.PrivilegedKeyManager(async (reason) => {
             // 1. Use one-time key if available (for recovery)
-            if (oneTimePrivilegedKey) {
+            if (oneTimePrivilegedKey != null) {
                 const tempKey = oneTimePrivilegedKey;
                 oneTimePrivilegedKey = undefined; // Consume it
                 return tempKey;
@@ -1384,7 +1349,10 @@ class CWIStyleWalletManager {
                     const decryptedPrivileged = new sdk_1.SymmetricKey(privilegedDecryptor).decrypt(this.currentUMPToken.passwordPrimaryPrivileged);
                     return !!decryptedPrivileged; // Test passes if decryption works
                 }
-                catch (e) {
+                catch (_intentionallyIgnored) {
+                    // Decryption failure means the password candidate is wrong — this is the
+                    // expected rejection path for an incorrect password.  Returning false causes
+                    // the password-retriever loop to prompt the user again rather than crashing.
                     return false;
                 }
             });
@@ -1396,7 +1364,7 @@ class CWIStyleWalletManager {
         });
         // Decrypt and load profiles if present in the token
         this.profiles = []; // Clear existing profiles before loading
-        if (this.currentUMPToken.profilesEncrypted && this.currentUMPToken.profilesEncrypted.length > 0) {
+        if ((this.currentUMPToken.profilesEncrypted != null) && this.currentUMPToken.profilesEncrypted.length > 0) {
             try {
                 const decryptedProfileBytes = new sdk_1.SymmetricKey(rootPrimaryKey).decrypt(this.currentUMPToken.profilesEncrypted);
                 const profilesJson = sdk_1.Utils.toUTF8(decryptedProfileBytes);
@@ -1424,7 +1392,7 @@ class CWIStyleWalletManager {
         if (!this.authenticated) {
             throw new Error('User is not authenticated.');
         }
-        if (!this.underlying) {
+        if (this.underlying == null) {
             // This might happen if authentication succeeded but profile switching failed
             throw new Error('Underlying wallet for the active profile is not initialized.');
         }
@@ -1435,91 +1403,91 @@ class CWIStyleWalletManager {
     // Example proxy method (repeat pattern for all others)
     async getPublicKey(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.getPublicKey(args, originator);
+        return await this.underlying.getPublicKey(args, originator);
     }
     async revealCounterpartyKeyLinkage(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.revealCounterpartyKeyLinkage(args, originator);
+        return await this.underlying.revealCounterpartyKeyLinkage(args, originator);
     }
     async revealSpecificKeyLinkage(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.revealSpecificKeyLinkage(args, originator);
+        return await this.underlying.revealSpecificKeyLinkage(args, originator);
     }
     async encrypt(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.encrypt(args, originator);
+        return await this.underlying.encrypt(args, originator);
     }
     async decrypt(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.decrypt(args, originator);
+        return await this.underlying.decrypt(args, originator);
     }
     async createHmac(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.createHmac(args, originator);
+        return await this.underlying.createHmac(args, originator);
     }
     async verifyHmac(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.verifyHmac(args, originator);
+        return await this.underlying.verifyHmac(args, originator);
     }
     async createSignature(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.createSignature(args, originator);
+        return await this.underlying.createSignature(args, originator);
     }
     async verifySignature(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.verifySignature(args, originator);
+        return await this.underlying.verifySignature(args, originator);
     }
     async createAction(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.createAction(args, originator);
+        return await this.underlying.createAction(args, originator);
     }
     async signAction(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.signAction(args, originator);
+        return await this.underlying.signAction(args, originator);
     }
     async abortAction(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.abortAction(args, originator);
+        return await this.underlying.abortAction(args, originator);
     }
     async listActions(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.listActions(args, originator);
+        return await this.underlying.listActions(args, originator);
     }
     async internalizeAction(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.internalizeAction(args, originator);
+        return await this.underlying.internalizeAction(args, originator);
     }
     async listOutputs(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.listOutputs(args, originator);
+        return await this.underlying.listOutputs(args, originator);
     }
     async relinquishOutput(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.relinquishOutput(args, originator);
+        return await this.underlying.relinquishOutput(args, originator);
     }
     async acquireCertificate(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.acquireCertificate(args, originator);
+        return await this.underlying.acquireCertificate(args, originator);
     }
     async listCertificates(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.listCertificates(args, originator);
+        return await this.underlying.listCertificates(args, originator);
     }
     async proveCertificate(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.proveCertificate(args, originator);
+        return await this.underlying.proveCertificate(args, originator);
     }
     async relinquishCertificate(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.relinquishCertificate(args, originator);
+        return await this.underlying.relinquishCertificate(args, originator);
     }
     async discoverByIdentityKey(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.discoverByIdentityKey(args, originator);
+        return await this.underlying.discoverByIdentityKey(args, originator);
     }
     async discoverByAttributes(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.discoverByAttributes(args, originator);
+        return await this.underlying.discoverByAttributes(args, originator);
     }
     async isAuthenticated(_, originator) {
         if (!this.authenticated) {
@@ -1534,26 +1502,26 @@ class CWIStyleWalletManager {
         if (originator === this.adminOriginator) {
             throw new Error('External applications are not allowed to use the admin originator.');
         }
-        while (!this.authenticated || !this.underlying) {
+        while (!this.authenticated || (this.underlying == null)) {
             await new Promise(resolve => setTimeout(resolve, 100));
         }
         return await this.underlying.waitForAuthentication({}, originator);
     }
     async getHeight(_, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.getHeight({}, originator);
+        return await this.underlying.getHeight({}, originator);
     }
     async getHeaderForHeight(args, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.getHeaderForHeight(args, originator);
+        return await this.underlying.getHeaderForHeight(args, originator);
     }
     async getNetwork(_, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.getNetwork({}, originator);
+        return await this.underlying.getNetwork({}, originator);
     }
     async getVersion(_, originator) {
         this.checkAuthAndUnderlying(originator);
-        return this.underlying.getVersion({}, originator);
+        return await this.underlying.getVersion({}, originator);
     }
 }
 exports.CWIStyleWalletManager = CWIStyleWalletManager;