@cartridge/controller 0.13.9 → 0.13.10

package/dist/types.d.ts

@@ -91,6 +91,7 @@ export interface Keychain {
     deploy(): Promise<DeployReply | ConnectError>;
     execute(calls: Call | Call[], abis?: Abi[], transactionsDetail?: InvocationsDetails, sync?: boolean, feeSource?: any, error?: ControllerError): Promise<ExecuteReply | ConnectError>;
     signMessage(typedData: TypedData, account: string, async?: boolean): Promise<Signature | ConnectError>;
+    updateSession(policies?: SessionPolicies, preset?: string): Promise<ConnectReply | ConnectError>;
     openSettings(): Promise<void | ConnectError>;
     session(): Promise<KeychainSession>;
     sessions(): Promise<{
@@ -161,6 +162,8 @@ export type KeychainOptions = IFrameOptions & {
     tokens?: Tokens;
     /** When true, defer iframe mounting until connect() is called. Reduces initial load and resource fetching. */
     lazyload?: boolean;
+    /** When true, force WebAuthn operations to run in a popup window instead of the iframe. Useful for development and testing. */
+    webauthnPopup?: boolean;
 };
 export type ProfileContextTypeVariant = "inventory" | "trophies" | "achievements" | "quests" | "leaderboard" | "activity";
 export type Token = "eth" | "strk" | "lords" | "usdc" | "usdt";
@@ -187,6 +190,13 @@ export interface ConnectOptions {
     /** Required when signer is "password" */
     password?: string;
 }
+/** Options for updating session policies at runtime */
+export type UpdateSessionOptions = {
+    /** Session policies to set */
+    policies?: SessionPolicies;
+    /** Preset name to resolve policies from */
+    preset?: string;
+};
 export type HeadlessConnectOptions = Required<Pick<ConnectOptions, "username" | "signer">> & Pick<ConnectOptions, "password">;
 export type HeadlessConnectReply = {
     code: ResponseCodes.SUCCESS;

package/dist/utils.d.ts

@@ -23,5 +23,4 @@ export declare function toWasmPolicies(policies: ParsedSessionPolicies): Policy[
 export declare function toArray<T>(val: T | T[]): T[];
 export declare function humanizeString(str: string): string;
 export declare function parseChainId(url: URL): ChainId;
-export declare function isMobile(): boolean;
 export declare function sanitizeImageSrc(src: string): string;

package/dist/wallets/ethereum-base.d.ts

@@ -6,12 +6,16 @@ export declare abstract class EthereumWalletBase implements WalletAdapter {
     abstract readonly displayName: string;
     platform: ExternalPlatform | undefined;
     protected account: string | undefined;
-    protected store: import('mipd').Store;
     protected provider: EIP6963ProviderDetail | undefined;
     protected connectedAccounts: string[];
     constructor();
     private getProvider;
     private getEthereumProvider;
+    /**
+     * Fallback provider detection when EIP-6963 announcement is missed.
+     * Subclasses can override to provide wallet-specific fallback logic.
+     */
+    protected getFallbackProvider(): any;
     private initializeIfAvailable;
     private initialized;
     private initializeProvider;

package/dist/wallets/metamask/index.d.ts

@@ -4,4 +4,5 @@ export declare class MetaMaskWallet extends EthereumWalletBase {
     readonly type: ExternalWalletType;
     readonly rdns = "io.metamask";
     readonly displayName = "MetaMask";
+    protected getFallbackProvider(): any;
 }

package/dist/wallets/phantom-evm/index.d.ts

@@ -4,4 +4,5 @@ export declare class PhantomEVMWallet extends EthereumWalletBase {
     readonly type: ExternalWalletType;
     readonly rdns = "app.phantom";
     readonly displayName = "Phantom";
+    protected getFallbackProvider(): any;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cartridge/controller",
-  "version": "0.13.9",
+  "version": "0.13.10",
   "description": "Cartridge Controller",
   "repository": {
     "type": "git",
@@ -26,14 +26,13 @@
     }
   },
   "dependencies": {
-    "@cartridge/controller-wasm": "0.9.4",
+    "@cartridge/controller-wasm": "0.9.6",
     "@cartridge/penpal": "^6.2.4",
     "micro-sol-signer": "^0.5.0",
     "bs58": "^6.0.0",
     "ethers": "^6.13.5",
     "@starknet-io/get-starknet-wallet-standard": "5.0.0-beta.0",
     "@starknet-io/types-js": "0.9.1",
-    "@telegram-apps/sdk": "^2.4.0",
     "@turnkey/sdk-browser": "^4.0.0",
     "cbor-x": "^1.5.0",
     "starknet": "^8.5.2",
@@ -56,7 +55,7 @@
     "vite-plugin-node-polyfills": "^0.23.0",
     "vite-plugin-top-level-await": "^1.4.4",
     "vite-plugin-wasm": "^3.4.1",
-    "@cartridge/tsconfig": "0.13.9"
+    "@cartridge/tsconfig": "0.13.10"
   },
   "scripts": {
     "build:deps": "pnpm build:browser && pnpm build:node",

package/src/__tests__/disconnect.test.ts

@@ -98,6 +98,24 @@ describe("ControllerProvider.disconnect", () => {
     expect(keychainDisconnect).toHaveBeenCalledTimes(1);
   });
 
+  test("closes iframe to reset keychain state for subsequent connect", async () => {
+    const controller = new ControllerProvider({});
+    const keychainDisconnect = jest.fn().mockResolvedValue(undefined);
+    (controller as any).keychain = {
+      disconnect: keychainDisconnect,
+    };
+
+    const mockClose = jest.fn();
+    (controller as any).iframes = {
+      keychain: { close: mockClose },
+    };
+
+    await controller.disconnect();
+
+    expect(keychainDisconnect).toHaveBeenCalledTimes(1);
+    expect(mockClose).toHaveBeenCalledTimes(1);
+  });
+
   test("does not throw when localStorage is unavailable", async () => {
     delete (global as any).localStorage;
     const controller = new ControllerProvider({});

package/src/controller.ts

@@ -31,6 +31,7 @@ import {
   OpenOptions,
   HeadlessUsernameLookupResult,
   StarterpackOptions,
+  UpdateSessionOptions,
 } from "./types";
 import { validateRedirectUrl } from "./url-validator";
 import { parseChainId } from "./utils";
@@ -308,8 +309,9 @@ export default class ControllerProvider extends BaseProvider {
         return this.account;
       }
 
-      // Only open modal if NOT headless
-      this.iframes.keychain.open();
+      if (!headless) {
+        this.iframes.keychain.open();
+      }
 
       // Use connect() parameter if provided, otherwise fall back to constructor options
       const effectiveOptions = Array.isArray(options)
@@ -352,7 +354,6 @@ export default class ControllerProvider extends BaseProvider {
       }
       console.log(e);
     } finally {
-      // Only close modal if it was opened (not headless)
       if (!headless) {
         this.iframes.keychain.close();
       }
@@ -412,7 +413,8 @@ export default class ControllerProvider extends BaseProvider {
       return;
     }
 
-    return this.keychain.disconnect();
+    await this.keychain.disconnect();
+    return this.close();
   }
 
   async openProfile(tab: ProfileContextTypeVariant = "inventory") {
@@ -508,6 +510,47 @@ export default class ControllerProvider extends BaseProvider {
     this.iframes.keychain.close();
   }
 
+  async updateSession(options: UpdateSessionOptions = {}) {
+    if (!options.policies && !options.preset) {
+      throw new Error("Either `policies` or `preset` must be provided");
+    }
+
+    if (!this.iframes) {
+      return;
+    }
+
+    // Ensure iframe is created if using lazy loading
+    if (!this.iframes.keychain) {
+      this.iframes.keychain = this.createKeychainIframe();
+    }
+
+    await this.waitForKeychain();
+
+    if (!this.keychain || !this.iframes.keychain) {
+      console.error(new NotReadyToConnect().message);
+      return;
+    }
+
+    this.iframes.keychain.open();
+
+    try {
+      const response = await this.keychain.updateSession(
+        options.policies,
+        options.preset,
+      );
+
+      if (response.code !== ResponseCodes.SUCCESS) {
+        throw new Error((response as ConnectError).message);
+      }
+
+      return response as ConnectReply;
+    } catch (e) {
+      console.error(e);
+    } finally {
+      this.iframes.keychain.close();
+    }
+  }
+
   revoke(origin: string, _policy: Policy[]) {
     if (!this.keychain) {
       console.error(new NotReadyToConnect().message);

package/src/iframe/keychain.ts

@@ -40,6 +40,7 @@ export class KeychainIFrame extends IFrame<Keychain> {
     encryptedBlob,
     propagateSessionErrors,
     errorDisplayMode,
+    webauthnPopup,
     ...iframeOptions
   }: KeychainIframeOptions) {
     let onStarterpackPlayHandler: (() => Promise<void>) | undefined;
@@ -101,6 +102,10 @@ export class KeychainIFrame extends IFrame<Keychain> {
       _url.searchParams.set("should_override_preset_policies", "true");
     }
 
+    if (webauthnPopup) {
+      _url.searchParams.set("webauthn_popup", "true");
+    }
+
     // Policy precedence logic:
     // 1. If shouldOverridePresetPolicies is true and policies are provided, use policies
     // 2. Otherwise, if preset is defined, ignore provided policies

package/src/types.ts

@@ -157,6 +157,10 @@ export interface Keychain {
     account: string,
     async?: boolean,
   ): Promise<Signature | ConnectError>;
+  updateSession(
+    policies?: SessionPolicies,
+    preset?: string,
+  ): Promise<ConnectReply | ConnectError>;
   openSettings(): Promise<void | ConnectError>;
   session(): Promise<KeychainSession>;
   sessions(): Promise<{
@@ -255,6 +259,8 @@ export type KeychainOptions = IFrameOptions & {
   tokens?: Tokens;
   /** When true, defer iframe mounting until connect() is called. Reduces initial load and resource fetching. */
   lazyload?: boolean;
+  /** When true, force WebAuthn operations to run in a popup window instead of the iframe. Useful for development and testing. */
+  webauthnPopup?: boolean;
 };
 
 export type ProfileContextTypeVariant =
@@ -295,6 +301,14 @@ export interface ConnectOptions {
   password?: string;
 }
 
+/** Options for updating session policies at runtime */
+export type UpdateSessionOptions = {
+  /** Session policies to set */
+  policies?: SessionPolicies;
+  /** Preset name to resolve policies from */
+  preset?: string;
+};
+
 export type HeadlessConnectOptions = Required<
   Pick<ConnectOptions, "username" | "signer">
 > &

package/src/utils.ts

@@ -256,14 +256,6 @@ export function parseChainId(url: URL): ChainId {
   throw new Error(`Chain ${url.toString()} not supported`);
 }
 
-export function isMobile() {
-  return (
-    window.matchMedia("(max-width: 768px)").matches ||
-    "ontouchstart" in window ||
-    navigator.maxTouchPoints > 0
-  );
-}
-
 // Sanitize image src to prevent XSS
 export function sanitizeImageSrc(src: string): string {
   // Allow only http/https URLs (absolute)

package/src/wallets/ethereum-base.ts

@@ -1,6 +1,5 @@
 import { getAddress } from "ethers/address";
-import { createStore, EIP6963ProviderDetail } from "mipd";
-import { isMobile } from "../utils";
+import { createStore, EIP6963ProviderDetail, Store } from "mipd";
 import { chainIdToPlatform } from "./platform";
 import {
   ExternalPlatform,
@@ -10,6 +9,17 @@ import {
   WalletAdapter,
 } from "./types";
 
+// Shared store across all EthereumWalletBase instances so late EIP-6963
+// announcements are captured once and visible to every wallet adapter.
+let sharedStore: Store | undefined;
+
+function getSharedStore(): Store {
+  if (!sharedStore) {
+    sharedStore = createStore();
+  }
+  return sharedStore;
+}
+
 export abstract class EthereumWalletBase implements WalletAdapter {
   abstract readonly type: ExternalWalletType;
   abstract readonly rdns: string;
@@ -17,7 +27,6 @@ export abstract class EthereumWalletBase implements WalletAdapter {
 
   platform: ExternalPlatform | undefined;
   protected account: string | undefined = undefined;
-  protected store = createStore();
   protected provider: EIP6963ProviderDetail | undefined;
   protected connectedAccounts: string[] = [];
 
@@ -26,10 +35,10 @@ export abstract class EthereumWalletBase implements WalletAdapter {
   }
 
   private getProvider(): EIP6963ProviderDetail | undefined {
-    if (!this.provider) {
-      this.provider = this.store
-        .getProviders()
-        .find((provider) => provider.info.rdns === this.rdns);
+    // Use shared store's findProvider which reflects late announcements
+    const found = getSharedStore().findProvider({ rdns: this.rdns as any });
+    if (found) {
+      this.provider = found;
     }
     return this.provider;
   }
@@ -40,15 +49,14 @@ export abstract class EthereumWalletBase implements WalletAdapter {
       return provider.provider;
     }
 
-    // Fallback for MetaMask when not announced via EIP-6963
-    if (
-      this.rdns === "io.metamask" &&
-      typeof window !== "undefined" &&
-      (window as any).ethereum?.isMetaMask
-    ) {
-      return (window as any).ethereum;
-    }
+    return this.getFallbackProvider();
+  }
 
+  /**
+   * Fallback provider detection when EIP-6963 announcement is missed.
+   * Subclasses can override to provide wallet-specific fallback logic.
+   */
+  protected getFallbackProvider(): any {
     return null;
   }
 
@@ -101,29 +109,20 @@ export abstract class EthereumWalletBase implements WalletAdapter {
   }
 
   isAvailable(): boolean {
-    if (isMobile()) {
-      return false;
-    }
-
     // Check dynamically each time, as the provider might be announced after instantiation
     const provider = this.getProvider();
 
-    // Also check for MetaMask via window.ethereum as a fallback for MetaMask specifically
-    if (
-      !provider &&
-      this.rdns === "io.metamask" &&
-      typeof window !== "undefined"
-    ) {
-      // MetaMask might be available via window.ethereum even if not announced via EIP-6963 yet
-      return !!(window as any).ethereum?.isMetaMask;
-    }
-
     // Initialize if we just found the provider
     if (provider && !this.initialized) {
       this.initializeIfAvailable();
     }
 
-    return typeof window !== "undefined" && !!provider;
+    if (provider) {
+      return true;
+    }
+
+    // Fall back to wallet-specific detection when EIP-6963 announcement is missed
+    return typeof window !== "undefined" && !!this.getFallbackProvider();
   }
 
   getInfo(): ExternalWallet {
@@ -158,18 +157,7 @@ export abstract class EthereumWalletBase implements WalletAdapter {
         throw new Error(`${this.displayName} is not available`);
       }
 
-      let ethereum: any;
-      const provider = this.getProvider();
-
-      if (provider) {
-        ethereum = provider.provider;
-      } else if (
-        this.rdns === "io.metamask" &&
-        (window as any).ethereum?.isMetaMask
-      ) {
-        // Fallback for MetaMask when not announced via EIP-6963
-        ethereum = (window as any).ethereum;
-      }
+      const ethereum = this.getEthereumProvider();
 
       if (!ethereum) {
         throw new Error(`${this.displayName} provider not found`);
@@ -183,15 +171,14 @@ export abstract class EthereumWalletBase implements WalletAdapter {
         this.account = getAddress(accounts[0]);
         this.connectedAccounts = accounts.map(getAddress);
 
-        // If we used the fallback, store the ethereum provider for future use
-        if (!provider && this.rdns === "io.metamask") {
-          // Create a mock EIP6963ProviderDetail for consistency
+        // If we used a fallback provider, store it for future use
+        if (!this.getProvider()) {
           this.provider = {
             info: {
-              uuid: "metamask-fallback",
-              name: "MetaMask",
+              uuid: `${this.rdns}-fallback`,
+              name: this.displayName,
               icon: "data:image/svg+xml;base64,",
-              rdns: "io.metamask",
+              rdns: this.rdns,
             },
             provider: ethereum,
           } as EIP6963ProviderDetail;

package/src/wallets/metamask/index.ts

@@ -5,4 +5,10 @@ export class MetaMaskWallet extends EthereumWalletBase {
   readonly type: ExternalWalletType = "metamask";
   readonly rdns = "io.metamask";
   readonly displayName = "MetaMask";
+
+  protected getFallbackProvider(): any {
+    return (window as any).ethereum?.isMetaMask
+      ? (window as any).ethereum
+      : null;
+  }
 }

package/src/wallets/phantom-evm/index.ts

@@ -5,4 +5,8 @@ export class PhantomEVMWallet extends EthereumWalletBase {
   readonly type: ExternalWalletType = "phantom-evm";
   readonly rdns = "app.phantom";
   readonly displayName = "Phantom";
+
+  protected getFallbackProvider(): any {
+    return (window as any).phantom?.ethereum ?? null;
+  }
 }