@getpara/core-sdk 2.0.0-dev.3 → 2.0.0-dev.6

package/dist/esm/constants.js

@@ -1,6 +1,7 @@
 import "./chunk-7B52C2XE.js";
-const PARA_CORE_VERSION = "2.0.0-dev.0";
+const PARA_CORE_VERSION = "2.0.0-alpha.50";
 const PREFIX = "@CAPSULE/";
+const PARA_PREFIX = "@PARA/";
 const LOCAL_STORAGE_AUTH_INFO = `${PREFIX}authInfo`;
 const LOCAL_STORAGE_EMAIL = `${PREFIX}e-mail`;
 const LOCAL_STORAGE_PHONE = `${PREFIX}phone`;
@@ -14,6 +15,8 @@ const LOCAL_STORAGE_WALLETS = `${PREFIX}wallets`;
 const LOCAL_STORAGE_EXTERNAL_WALLETS = `${PREFIX}externalWallets`;
 const LOCAL_STORAGE_CURRENT_WALLET_IDS = `${PREFIX}currentWalletIds`;
 const LOCAL_STORAGE_SESSION_COOKIE = `${PREFIX}sessionCookie`;
+const LOCAL_STORAGE_ENCLAVE_JWT = `${PREFIX}enclaveJwt`;
+const LOCAL_STORAGE_ENCLAVE_REFRESH_JWT = `${PREFIX}enclaveRefreshJwt`;
 const SESSION_STORAGE_LOGIN_ENCRYPTION_KEY_PAIR = `${PREFIX}loginEncryptionKeyPair`;
 const POLLING_INTERVAL_MS = 2e3;
 const SHORT_POLLING_INTERVAL_MS = 1e3;
@@ -28,6 +31,8 @@ export {
   LOCAL_STORAGE_CURRENT_WALLET_IDS,
   LOCAL_STORAGE_ED25519_WALLETS,
   LOCAL_STORAGE_EMAIL,
+  LOCAL_STORAGE_ENCLAVE_JWT,
+  LOCAL_STORAGE_ENCLAVE_REFRESH_JWT,
   LOCAL_STORAGE_EXTERNAL_WALLETS,
   LOCAL_STORAGE_EXTERNAL_WALLET_USER_ID,
   LOCAL_STORAGE_FARCASTER_USERNAME,
@@ -37,6 +42,7 @@ export {
   LOCAL_STORAGE_USER_ID,
   LOCAL_STORAGE_WALLETS,
   PARA_CORE_VERSION,
+  PARA_PREFIX,
   POLLING_INTERVAL_MS,
   POLLING_TIMEOUT_MS,
   PREFIX,

package/dist/esm/index.js

@@ -33,7 +33,7 @@ export * from "./types/coreApi.js";
 export * from "./types/events.js";
 export * from "./types/config.js";
 import { getPortalDomain, entityToWallet, constructUrl, shortenUrl } from "./utils/index.js";
-import { PREFIX } from "./constants.js";
+import { PREFIX, PARA_PREFIX } from "./constants.js";
 import { distributeNewShare } from "./shares/shareDistribution.js";
 import { KeyContainer } from "./shares/KeyContainer.js";
 import { getBaseUrl, initClient } from "./external/userManagementClient.js";
@@ -85,6 +85,7 @@ export {
   OnRampProvider,
   OnRampPurchaseStatus,
   OnRampPurchaseType,
+  PARA_PREFIX as PARA_STORAGE_PREFIX,
   PREGEN_IDENTIFIER_TYPES,
   PopupType,
   PregenIdentifierType,

package/dist/esm/shares/enclave.js

@@ -0,0 +1,216 @@
+import {
+  __async
+} from "../chunk-7B52C2XE.js";
+class EnclaveClient {
+  constructor({
+    userManagementClient,
+    retrieveJwt,
+    persistJwt,
+    retrieveRefreshJwt,
+    persistRefreshJwt
+  }) {
+    this.enclavePublicKey = null;
+    this.frontendKeyPair = null;
+    this.userManagementClient = userManagementClient;
+    this.retrieveJwt = retrieveJwt;
+    this.persistJwt = persistJwt;
+    this.retrieveRefreshJwt = retrieveRefreshJwt;
+    this.persistRefreshJwt = persistRefreshJwt;
+  }
+  refreshJwt() {
+    return __async(this, null, function* () {
+      const encryptedPayload = yield this.encryptForEnclave(JSON.stringify({ refreshJwt: this.retrieveRefreshJwt() }));
+      const response = yield this.userManagementClient.refreshEnclaveJwt(JSON.stringify(encryptedPayload));
+      const decryptedResponse = yield this.decryptForFrontend(JSON.parse(response.payload));
+      this.persistJwt(decryptedResponse.jwt);
+      this.persistRefreshJwt(decryptedResponse.refreshJwt);
+    });
+  }
+  withJwtRefreshRetry(fn) {
+    return __async(this, null, function* () {
+      try {
+        return yield fn();
+      } catch (error) {
+        yield this.refreshJwt();
+        return yield fn();
+      }
+    });
+  }
+  /**
+   * Generate a P-256 keypair for the frontend to receive encrypted responses
+   */
+  generateFrontendKeyPair() {
+    return __async(this, null, function* () {
+      if (this.frontendKeyPair) {
+        return this.frontendKeyPair;
+      }
+      this.frontendKeyPair = yield crypto.subtle.generateKey({ name: "ECDH", namedCurve: "P-256" }, true, ["deriveBits"]);
+      return this.frontendKeyPair;
+    });
+  }
+  /**
+   * Get the enclave's public key from the user-management service
+   */
+  getEnclavePublicKey() {
+    return __async(this, null, function* () {
+      if (this.enclavePublicKey) {
+        return this.enclavePublicKey;
+      }
+      const response = yield this.userManagementClient.getEnclavePublicKey();
+      this.enclavePublicKey = response.publicKey;
+      return this.enclavePublicKey;
+    });
+  }
+  /**
+   * Import a PEM-formatted public key for use with Web Crypto API
+   */
+  importPublicKeyFromPEM(pemString) {
+    return __async(this, null, function* () {
+      const pemContents = pemString.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "").replace(/\s/g, "");
+      const keyData = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+      return yield crypto.subtle.importKey("spki", keyData, { name: "ECDH", namedCurve: "P-256" }, false, []);
+    });
+  }
+  /**
+   * Export a public key to PEM format
+   */
+  exportPublicKeyToPEM(publicKey) {
+    return __async(this, null, function* () {
+      const exported = yield crypto.subtle.exportKey("spki", publicKey);
+      const exportedAsBase64 = btoa(String.fromCharCode(...new Uint8Array(exported)));
+      return `-----BEGIN PUBLIC KEY-----
+${exportedAsBase64}
+-----END PUBLIC KEY-----`;
+    });
+  }
+  /**
+   * Encrypt data using P-256 ECIES for the enclave
+   */
+  encryptForEnclave(plaintext) {
+    return __async(this, null, function* () {
+      const enclavePublicKeyPEM = yield this.getEnclavePublicKey();
+      const enclavePublicKey = yield this.importPublicKeyFromPEM(enclavePublicKeyPEM);
+      const ephemeralKeyPair = yield crypto.subtle.generateKey({ name: "ECDH", namedCurve: "P-256" }, true, ["deriveBits"]);
+      const sharedSecretBits = yield crypto.subtle.deriveBits(
+        { name: "ECDH", public: enclavePublicKey },
+        ephemeralKeyPair.privateKey,
+        256
+        // 32 bytes = 256 bits
+      );
+      const encryptionKeyBuffer = yield crypto.subtle.digest("SHA-256", sharedSecretBits);
+      const encryptionKey = yield crypto.subtle.importKey("raw", encryptionKeyBuffer, { name: "AES-GCM" }, false, ["encrypt"]);
+      const iv = crypto.getRandomValues(new Uint8Array(12));
+      const encrypted = yield crypto.subtle.encrypt(
+        { name: "AES-GCM", iv },
+        encryptionKey,
+        new TextEncoder().encode(plaintext)
+      );
+      const encryptedArray = new Uint8Array(encrypted);
+      const combined = new Uint8Array(iv.length + encryptedArray.length);
+      combined.set(iv);
+      combined.set(encryptedArray, iv.length);
+      const ephemeralPublicKeyBuffer = yield crypto.subtle.exportKey("spki", ephemeralKeyPair.publicKey);
+      return {
+        encryptedData: btoa(String.fromCharCode(...combined)),
+        keyId: "",
+        // Will be set by the enclave
+        algorithm: "ECIES-P256-AES256-SHA256",
+        ephemeral: btoa(String.fromCharCode(...new Uint8Array(ephemeralPublicKeyBuffer)))
+      };
+    });
+  }
+  /**
+   * Decrypt response encrypted for the frontend
+   */
+  decryptForFrontend(encryptedPayload) {
+    return __async(this, null, function* () {
+      if (!this.frontendKeyPair) {
+        throw new Error("Frontend keypair not available");
+      }
+      const encryptedData = Uint8Array.from(atob(encryptedPayload.encryptedData), (c) => c.charCodeAt(0));
+      const ephemeralPublicKeyData = Uint8Array.from(atob(encryptedPayload.ephemeral), (c) => c.charCodeAt(0));
+      const ephemeralPublicKey = yield crypto.subtle.importKey(
+        "spki",
+        ephemeralPublicKeyData,
+        { name: "ECDH", namedCurve: "P-256" },
+        false,
+        []
+      );
+      const sharedSecretBits = yield crypto.subtle.deriveBits(
+        { name: "ECDH", public: ephemeralPublicKey },
+        this.frontendKeyPair.privateKey,
+        256
+      );
+      const encryptionKeyBuffer = yield crypto.subtle.digest("SHA-256", sharedSecretBits);
+      const encryptionKey = yield crypto.subtle.importKey("raw", encryptionKeyBuffer, { name: "AES-GCM" }, false, ["decrypt"]);
+      const iv = encryptedData.slice(0, 12);
+      const ciphertext = encryptedData.slice(12);
+      const decrypted = yield crypto.subtle.decrypt({ name: "AES-GCM", iv }, encryptionKey, ciphertext);
+      console.log("decryptForFrontend decrypted", decrypted);
+      return JSON.parse(new TextDecoder().decode(decrypted));
+    });
+  }
+  /**
+   * Persist key shares to the enclave
+   * @param shares Array of share data to persist
+   */
+  persistShares(shares) {
+    return __async(this, null, function* () {
+      console.log("persistShares about to call encryptForEnclave");
+      console.log("shares", shares);
+      const payload = {
+        shares,
+        jwt: this.retrieveJwt()
+      };
+      const encryptedPayload = yield this.encryptForEnclave(JSON.stringify(payload));
+      const encryptedPayloadStr = JSON.stringify(encryptedPayload);
+      return yield this.userManagementClient.persistEnclaveShares(encryptedPayloadStr);
+    });
+  }
+  /**
+   * Retrieve key shares from the enclave
+   * @param query Query parameters for finding shares (single query or array of queries)
+   */
+  retrieveShares(query) {
+    return __async(this, null, function* () {
+      console.log("retrieveShares about to call generateFrontendKeyPair");
+      console.log("query", query);
+      const frontendKeyPair = yield this.generateFrontendKeyPair();
+      const responsePublicKeyPEM = yield this.exportPublicKeyToPEM(frontendKeyPair.publicKey);
+      const fullQuery = query.map((q) => ({
+        userId: q.userId
+      }));
+      const payload = {
+        query: fullQuery,
+        responsePublicKey: responsePublicKeyPEM,
+        jwt: this.retrieveJwt()
+      };
+      const encryptedPayload = yield this.encryptForEnclave(JSON.stringify(payload));
+      const encryptedPayloadStr = JSON.stringify(encryptedPayload);
+      const response = yield this.userManagementClient.retrieveEnclaveShares(encryptedPayloadStr);
+      console.log("retrieveShares response", response);
+      const encryptedResponse = JSON.parse(response.payload);
+      console.log("retrieveShares encryptedResponse", encryptedResponse);
+      const decryptedData = yield this.decryptForFrontend(encryptedResponse);
+      console.log("retrieveShares decryptedData", decryptedData);
+      return decryptedData;
+    });
+  }
+  retrieveSharesWithRetry(query) {
+    return __async(this, null, function* () {
+      return yield this.withJwtRefreshRetry(() => __async(this, null, function* () {
+        return this.retrieveShares(query);
+      }));
+    });
+  }
+  persistSharesWithRetry(shares) {
+    return __async(this, null, function* () {
+      return yield this.withJwtRefreshRetry(() => __async(this, null, function* () {
+        return this.persistShares(shares);
+      }));
+    });
+  }
+}
+export {
+  EnclaveClient
+};

package/dist/esm/shares/shareDistribution.js

@@ -13,8 +13,23 @@ function distributeNewShare(_0) {
     ignoreRedistributingBackupEncryptedShare = false,
     emailProps = {},
     partnerId,
-    protocolId
+    protocolId,
+    isEnclaveUser,
+    walletScheme
   }) {
+    if (isEnclaveUser) {
+      yield ctx.enclaveClient.persistSharesWithRetry([
+        {
+          userId,
+          walletId,
+          walletScheme,
+          signer: userShare,
+          partnerId,
+          protocolId
+        }
+      ]);
+      return "";
+    }
     const publicKeysRes = yield ctx.client.getSessionPublicKeys(userId);
     const biometricEncryptedShares = publicKeysRes.data.keys.map((key) => {
       if (!key.publicKey) {

package/dist/esm/types/coreApi.js

@@ -58,7 +58,9 @@ const PARA_INTERNAL_METHODS = [
   "verifyFarcasterLink",
   "verifyTelegramLink",
   "verifyExternalWalletLink",
-  "accountLinkInProgress"
+  "accountLinkInProgress",
+  "prepareLogin",
+  "sendLoginCode"
 ];
 export {
   PARA_CORE_METHODS,

package/dist/types/ParaCore.d.ts

@@ -1,9 +1,10 @@
-import { AuthMethod, AuthExtras, CurrentWalletIds, EmailTheme, TWalletType, PregenIds, BiometricLocationHint, Auth, SupportedWalletTypes, AuthIdentifier, AuthType, ExternalWalletInfo, PrimaryAuthInfo, SessionInfo, PrimaryAuth, PrimaryAuthType, AccountMetadata, LinkedAccounts, VerifyLinkParams, VerifyExternalWalletParams, SupportedAccountLinks } from '@getpara/user-management-client';
+import { AuthMethod, AuthExtras, CurrentWalletIds, EmailTheme, PartnerEntity, TWalletType, PregenIds, BiometricLocationHint, Auth, SupportedWalletTypes, AuthIdentifier, AuthType, ExternalWalletInfo, PrimaryAuthInfo, SessionInfo, PrimaryAuth, PrimaryAuthType, AccountMetadata, LinkedAccounts, VerifyLinkParams, VerifyExternalWalletParams, SupportedAccountLinks, OnRampPurchase } from '@getpara/user-management-client';
 import type { pki as pkiType } from 'node-forge';
 import { Ctx, Environment, Theme, WalletFilters, Wallet, PortalUrlOptions, ConstructorOpts, CoreAuthInfo, PortalUrlType, CoreMethodParams, CoreMethodResponse, NewCredentialUrlParams, LoginUrlParams, CoreInterface, ExternalWalletConnectionType, AccountLinkInProgress, InternalMethodParams, InternalMethodResponse } from './types/index.js';
 import { PlatformUtils } from './PlatformUtils.js';
 export declare abstract class ParaCore implements CoreInterface {
     #private;
+    popupWindow: Window | null;
     static version?: string;
     ctx: Ctx;
     protected isNativePasskey: boolean;
@@ -16,13 +17,18 @@ export declare abstract class ParaCore implements CoreInterface {
     get telegramUserId(): AuthIdentifier<'telegram'> | undefined;
     get externalWalletWithParaAuth(): Wallet | undefined;
     get externalWalletConnectionType(): ExternalWalletConnectionType;
+    protected partner?: PartnerEntity;
     userId?: string;
     accountLinkInProgress: AccountLinkInProgress | undefined;
     private sessionCookie?;
+    isEnclaveUser: boolean;
+    private enclaveJwt?;
+    private enclaveRefreshJwt?;
     private isAwaitingAccountCreation;
     private isAwaitingLogin;
     private isAwaitingFarcaster;
     private isAwaitingOAuth;
+    private isWorkerInitialized;
     get isEmail(): boolean;
     get isPhone(): boolean;
     get isFarcaster(): boolean;
@@ -30,6 +36,8 @@ export declare abstract class ParaCore implements CoreInterface {
     get isExternalWalletAuth(): boolean;
     get isExternalWalletWithVerification(): boolean;
     get partnerId(): string | undefined;
+    protected get partnerName(): string | undefined;
+    protected get partnerLogo(): string | undefined;
     /**
      * The IDs of the currently active wallets, for each supported wallet type. Any signer integrations will default to the first viable wallet ID in this dictionary.
      */
@@ -129,7 +137,11 @@ export declare abstract class ParaCore implements CoreInterface {
     get cosmosPrefix(): string | undefined;
     get supportedAccountLinks(): SupportedAccountLinks;
     get isWalletTypeEnabled(): Partial<Record<TWalletType, boolean>>;
-    private platformUtils;
+    protected onRampPopup: {
+        window: Window;
+        onRampPurchase: OnRampPurchase;
+    } | undefined;
+    protected platformUtils: PlatformUtils;
     private localStorageGetItem;
     private localStorageSetItem;
     private localStorageRemoveItem;
@@ -138,6 +150,10 @@ export declare abstract class ParaCore implements CoreInterface {
     private sessionStorageRemoveItem;
     retrieveSessionCookie: () => string | undefined;
     persistSessionCookie: (cookie: string) => void;
+    retrieveEnclaveJwt: () => string;
+    persistEnclaveJwt: (jwt: string) => void;
+    retrieveEnclaveRefreshJwt: () => string;
+    persistEnclaveRefreshJwt: (jwt: string) => void;
     /**
      * Remove all local storage and prefixed session storage.
      * @param {'local' | 'session' | 'secure' | 'all'} type - Type of storage to clear. Defaults to 'all'.
@@ -145,7 +161,7 @@ export declare abstract class ParaCore implements CoreInterface {
     clearStorage: (type?: CoreMethodParams<"clearStorage">) => CoreMethodResponse<"clearStorage">;
     private convertBigInt;
     private convertEncryptionKeyPair;
-    private isPortal;
+    protected isPortal(envOverride?: Environment): boolean;
     private isParaConnect;
     private requireApiKey;
     private isWalletSupported;
@@ -179,24 +195,28 @@ export declare abstract class ParaCore implements CoreInterface {
     protected abstract getPlatformUtils(): PlatformUtils;
     abstract isPasskeySupported(): Promise<boolean>;
     protected constructPortalUrl(type: PortalUrlType, opts?: PortalUrlOptions): Promise<string>;
+    static resolveEnvironment(env: Environment | undefined, apiKey: string | undefined): Environment;
     /**
      * Constructs a new `ParaCore` instance.
-     * @param env - `Environment` to use.
+     * @param env - `Environment` to use. Optional if the apiKey contains an environment prefix (e.g., "prod_your_api_key"). Updated API keys can be found at https://developer.getpara.com.
      * @param apiKey - API key to use.
      * @param opts - Additional constructor options; see `ConstructorOpts`.
      * @returns - A new ParaCore instance.
      */
-    constructor(env: Environment, apiKey: string, opts?: ConstructorOpts);
+    constructor(env: Environment | undefined, apiKey: string, opts?: ConstructorOpts);
+    constructor(apiKey: string, opts?: ConstructorOpts);
     private trackError;
     private wrapMethodsWithErrorTracking;
     private initializeFromStorage;
     private updateAuthInfoFromStorage;
+    private updateEnclaveJwtFromStorage;
     private updateUserIdFromStorage;
     private updateWalletsFromStorage;
     private updateWalletIdsFromStorage;
     private updateSessionCookieFromStorage;
     private updateLoginEncryptionKeyPairFromStorage;
     private updateExternalWalletsFromStorage;
+    protected initializeWorker: () => Promise<void>;
     touchSession(regenerate?: boolean): Promise<SessionInfo>;
     private getVerificationEmailProps;
     private getBackupKitEmailProps;
@@ -206,12 +226,19 @@ export declare abstract class ParaCore implements CoreInterface {
      * Init only needs to be called for storage that is async.
      */
     init(): Promise<void>;
-    protected abstract ready(): Promise<void>;
+    /**
+     * Call this method to perform initial setup for the `ParaCore` instance.
+     *
+     * This method will be called automatically if you use the React `ParaProvider` or when you call any methods that request an updated session.
+     */
+    abstract ready(): Promise<void>;
     protected setAuth(auth: PrimaryAuth, { extras, userId }?: {
         extras?: AuthExtras;
         userId?: string;
     }): Promise<typeof this.authInfo>;
-    protected assertUserId(): string;
+    protected assertUserId({ allowGuestMode }?: {
+        allowGuestMode?: boolean;
+    }): string;
     protected assertIsAuthSet(allowed?: AuthType[]): PrimaryAuthInfo;
     /**
      * Sets the email associated with the `ParaCore` instance.
@@ -240,6 +267,7 @@ export declare abstract class ParaCore implements CoreInterface {
      * @param externalType - Type of external wallet to set.
      */
     setExternalWallet(externalWallet: ExternalWalletInfo[] | ExternalWalletInfo): Promise<void>;
+    protected addExternalWallets(externalWallets: ExternalWalletInfo[]): Promise<void>;
     /**
      * Sets the user id associated with the `ParaCore` instance.
      * @param userId - User id to set.
@@ -394,6 +422,9 @@ export declare abstract class ParaCore implements CoreInterface {
      **/
     isFullyLoggedIn(): CoreMethodResponse<'isFullyLoggedIn'>;
     get isGuestMode(): boolean;
+    /**
+     * Get the auth methods available to an existing user
+     */
     protected supportedAuthMethods(auth: Auth<PrimaryAuthType | 'userId'>): Promise<Set<AuthMethod>>;
     /**
      * Get hints associated with the users stored biometrics.
@@ -668,7 +699,7 @@ export declare abstract class ParaCore implements CoreInterface {
         url?: string;
     }>;
     /**
-     * Returns a Para Portal URL for logging in with a WebAuth passkey or a password.
+     * Returns a Para Portal URL for logging in with a WebAuth passkey, password, PIN or OTP.
      * @param {Object} opts the options object
      * @param {String} opts.auth - the user auth to sign up or log in with, in the form ` { email: string } | { phone: `+${number}` } `
      * @param {boolean} opts.useShortUrls - whether to shorten the generated portal URLs
@@ -676,6 +707,7 @@ export declare abstract class ParaCore implements CoreInterface {
      * @returns {SignUpOrLogInResponse} an object in the form of either: `{ stage: 'verify' }` or `{ stage: 'login'; passkeyUrl?: string; passwordUrl?: string; biometricHints?: BiometricLocationHint[] }`
      */
     protected getLoginUrl({ authMethod, shorten, portalTheme, sessionId, }: LoginUrlParams): Promise<string>;
+    protected prepareLogin(): InternalMethodResponse<'prepareLogin'>;
     signUpOrLogIn({ auth, ...urlOptions }: CoreMethodParams<'signUpOrLogIn'>): CoreMethodResponse<'signUpOrLogIn'>;
     verifyNewAccount({ verificationCode, ...urlOptions }: CoreMethodParams<'verifyNewAccount'>): CoreMethodResponse<'verifyNewAccount'>;
     getLinkedAccounts({ withMetadata, }?: CoreMethodParams<'getLinkedAccounts'>): CoreMethodResponse<'getLinkedAccounts'>;
@@ -685,4 +717,5 @@ export declare abstract class ParaCore implements CoreInterface {
         accountLinkInProgress?: AccountLinkInProgress;
     } & Partial<Pick<VerifyLinkParams, 'verificationCode' | 'telegramAuthResponse'> & VerifyExternalWalletParams>): Promise<LinkedAccounts>;
     protected verifyEmailOrPhoneLink({ verificationCode, }: InternalMethodParams<'verifyEmailOrPhoneLink'>): InternalMethodResponse<'verifyEmailOrPhoneLink'>;
+    protected sendLoginCode(): Promise<void>;
 }

package/dist/types/PlatformUtils.d.ts

@@ -42,5 +42,6 @@ export interface PlatformUtils {
     disableProviderModal?: boolean;
     openPopup(popupUrl: string, opts?: {
         type: PopupType;
-    }): Window;
+    }): Promise<Window>;
+    initializeWorker(ctx: Ctx): Promise<void>;
 }

package/dist/types/constants.d.ts

@@ -1,5 +1,6 @@
 export declare const PARA_CORE_VERSION: string;
 export declare const PREFIX = "@CAPSULE/";
+export declare const PARA_PREFIX = "@PARA/";
 export declare const LOCAL_STORAGE_AUTH_INFO = "@CAPSULE/authInfo";
 export declare const LOCAL_STORAGE_EMAIL = "@CAPSULE/e-mail";
 export declare const LOCAL_STORAGE_PHONE = "@CAPSULE/phone";
@@ -13,6 +14,8 @@ export declare const LOCAL_STORAGE_WALLETS = "@CAPSULE/wallets";
 export declare const LOCAL_STORAGE_EXTERNAL_WALLETS = "@CAPSULE/externalWallets";
 export declare const LOCAL_STORAGE_CURRENT_WALLET_IDS = "@CAPSULE/currentWalletIds";
 export declare const LOCAL_STORAGE_SESSION_COOKIE = "@CAPSULE/sessionCookie";
+export declare const LOCAL_STORAGE_ENCLAVE_JWT = "@CAPSULE/enclaveJwt";
+export declare const LOCAL_STORAGE_ENCLAVE_REFRESH_JWT = "@CAPSULE/enclaveRefreshJwt";
 export declare const SESSION_STORAGE_LOGIN_ENCRYPTION_KEY_PAIR = "@CAPSULE/loginEncryptionKeyPair";
 export declare const POLLING_INTERVAL_MS = 2000;
 export declare const SHORT_POLLING_INTERVAL_MS = 1000;

package/dist/types/index.d.ts

@@ -5,7 +5,7 @@ export * from './types/coreApi.js';
 export * from './types/events.js';
 export * from './types/config.js';
 export { getPortalDomain, entityToWallet, constructUrl, shortenUrl } from './utils/index.js';
-export { PREFIX as STORAGE_PREFIX } from './constants.js';
+export { PREFIX as STORAGE_PREFIX, PARA_PREFIX as PARA_STORAGE_PREFIX } from './constants.js';
 export { distributeNewShare } from './shares/shareDistribution.js';
 export { KeyContainer } from './shares/KeyContainer.js';
 export type { PlatformUtils } from './PlatformUtils.js';
@@ -22,5 +22,6 @@ export { isWalletSupported } from './utils/wallet.js';
 export { getNetworkPrefix, getOnRampAssets, getOnRampNetworks, toAssetInfoArray } from './utils/onRamps.js';
 export { getPortalBaseURL } from './utils/url.js';
 export { retrieve as transmissionUtilsRetrieve } from './transmission/transmissionUtils.js';
+export type { ShareData } from './shares/enclave.js';
 export declare const paraVersion: string;
 export default ParaCore;

package/dist/types/shares/enclave.d.ts

@@ -0,0 +1,80 @@
+import UserManagementClient from '@getpara/user-management-client';
+export interface ShareData {
+    userId: string;
+    walletId: string;
+    walletScheme: string;
+    partnerId?: string;
+    protocolId?: string;
+    signer: string;
+    createdAt?: string;
+    updatedAt?: string;
+}
+export interface ShareQuery {
+    userId: string;
+    walletId?: string;
+    partnerId?: string;
+}
+export interface EncryptedPayload {
+    encryptedData: string;
+    keyId: string;
+    algorithm: string;
+    ephemeral: string;
+}
+/**
+ * Enclave client for secure key share operations
+ * Handles encryption/decryption and communication with the enclave service
+ */
+export declare class EnclaveClient {
+    private userManagementClient;
+    private enclavePublicKey;
+    private frontendKeyPair;
+    private retrieveJwt;
+    private persistJwt;
+    private retrieveRefreshJwt;
+    private persistRefreshJwt;
+    constructor({ userManagementClient, retrieveJwt, persistJwt, retrieveRefreshJwt, persistRefreshJwt, }: {
+        userManagementClient: UserManagementClient;
+        retrieveJwt: () => string;
+        persistJwt: (jwt: string) => void;
+        retrieveRefreshJwt: () => string;
+        persistRefreshJwt: (refreshJwt: string) => void;
+    });
+    private refreshJwt;
+    private withJwtRefreshRetry;
+    /**
+     * Generate a P-256 keypair for the frontend to receive encrypted responses
+     */
+    private generateFrontendKeyPair;
+    /**
+     * Get the enclave's public key from the user-management service
+     */
+    private getEnclavePublicKey;
+    /**
+     * Import a PEM-formatted public key for use with Web Crypto API
+     */
+    private importPublicKeyFromPEM;
+    /**
+     * Export a public key to PEM format
+     */
+    private exportPublicKeyToPEM;
+    /**
+     * Encrypt data using P-256 ECIES for the enclave
+     */
+    private encryptForEnclave;
+    /**
+     * Decrypt response encrypted for the frontend
+     */
+    private decryptForFrontend;
+    /**
+     * Persist key shares to the enclave
+     * @param shares Array of share data to persist
+     */
+    private persistShares;
+    /**
+     * Retrieve key shares from the enclave
+     * @param query Query parameters for finding shares (single query or array of queries)
+     */
+    private retrieveShares;
+    retrieveSharesWithRetry(query: ShareQuery[]): Promise<ShareData[]>;
+    persistSharesWithRetry(shares: ShareData[]): Promise<any>;
+}

package/dist/types/shares/shareDistribution.d.ts

@@ -1,6 +1,6 @@
-import { BackupKitEmailProps } from '@getpara/user-management-client';
+import { BackupKitEmailProps, TWalletScheme } from '@getpara/user-management-client';
 import { Ctx } from '../types/index.js';
-export declare function distributeNewShare({ ctx, userId, walletId, userShare, ignoreRedistributingBackupEncryptedShare, emailProps, partnerId, protocolId, }: {
+export declare function distributeNewShare({ ctx, userId, walletId, userShare, ignoreRedistributingBackupEncryptedShare, emailProps, partnerId, protocolId, isEnclaveUser, walletScheme, }: {
     ctx: Ctx;
     userId: string;
     walletId: string;
@@ -9,4 +9,6 @@ export declare function distributeNewShare({ ctx, userId, walletId, userShare, i
     emailProps?: BackupKitEmailProps;
     partnerId?: string;
     protocolId?: string;
+    isEnclaveUser: boolean;
+    walletScheme: TWalletScheme;
 }): Promise<string>;

package/dist/types/types/config.d.ts

@@ -1,6 +1,7 @@
 import { AxiosInstance } from 'axios';
 import Client, { EmailTheme, Network, OnRampAsset, OnRampProvider, PregenAuth, TWalletScheme, TWalletType } from '@getpara/user-management-client';
 import { Theme } from './theme.js';
+import { EnclaveClient } from '../shares/enclave.js';
 export declare enum Environment {
     DEV = "DEV",
     SANDBOX = "SANDBOX",
@@ -13,6 +14,7 @@ export interface Ctx {
     env: Environment;
     apiKey: string;
     client: Client;
+    enclaveClient?: EnclaveClient;
     disableWorkers?: boolean;
     offloadMPCComputationURL?: string;
     mpcComputationClient?: AxiosInstance;

package/dist/types/types/coreApi.d.ts

@@ -4,7 +4,7 @@ import { ParaCore } from '../ParaCore.js';
 import { FullSignatureRes, Wallet } from './wallet.js';
 import { AccountLinkInProgress } from './auth.js';
 export declare const PARA_CORE_METHODS: readonly ["getAuthInfo", "signUpOrLogIn", "verifyNewAccount", "waitForLogin", "waitForSignup", "waitForWalletCreation", "getOAuthUrl", "verifyOAuth", "getFarcasterConnectUri", "verifyFarcaster", "verifyTelegram", "resendVerificationCode", "loginExternalWallet", "verifyExternalWallet", "setup2fa", "enable2fa", "verify2fa", "logout", "clearStorage", "isSessionActive", "isFullyLoggedIn", "refreshSession", "keepSessionAlive", "exportSession", "importSession", "getVerificationToken", "getWallets", "getWalletsByType", "fetchWallets", "createWallet", "createWalletPerType", "getPregenWallets", "hasPregenWallet", "updatePregenWalletIdentifier", "createPregenWallet", "createPregenWalletPerType", "claimPregenWallets", "createGuestWallets", "distributeNewWalletShare", "getUserShare", "setUserShare", "refreshShare", "signMessage", "signTransaction", "initiateOnRampTransaction", "getWalletBalance", "issueJwt", "getLinkedAccounts", "accountLinkInProgress"];
-export declare const PARA_INTERNAL_METHODS: readonly ["linkAccount", "unlinkAccount", "verifyEmailOrPhoneLink", "verifyOAuthLink", "verifyFarcasterLink", "verifyTelegramLink", "verifyExternalWalletLink", "accountLinkInProgress"];
+export declare const PARA_INTERNAL_METHODS: readonly ["linkAccount", "unlinkAccount", "verifyEmailOrPhoneLink", "verifyOAuthLink", "verifyFarcasterLink", "verifyTelegramLink", "verifyExternalWalletLink", "accountLinkInProgress", "prepareLogin", "sendLoginCode"];
 export type CoreMethodName = (typeof PARA_CORE_METHODS)[number];
 export type CoreMethodParams<method extends CoreMethodName & keyof CoreMethods> = CoreMethods[method] extends {
     params: infer P;
@@ -118,6 +118,7 @@ export type CoreMethods = Record<CoreMethodName, {
     getOAuthUrl: {
         params: OAuthUrlParams & {
             sessionLookupId?: string;
+            encryptionKey?: string;
         };
         response: string;
     };
@@ -148,11 +149,11 @@ export type CoreMethods = Record<CoreMethodName, {
     };
     verifyExternalWallet: {
         params: AuthStateBaseParams & VerifyExternalWalletParams;
-        response: AuthStateSignup;
+        response: AuthStateSignup | AuthStateLogin;
     };
     resendVerificationCode: {
         params: {
-            type?: 'SIGNUP' | 'LINK_ACCOUNT';
+            type?: 'SIGNUP' | 'LINK_ACCOUNT' | 'LOGIN';
         } | undefined;
         response: void;
     };
@@ -522,6 +523,14 @@ export type InternalMethods = {
         params: Omit<VerifyExternalWalletParams, 'externalWallet'>;
         response: LinkedAccounts;
     };
+    prepareLogin: {
+        params: void;
+        response: string;
+    };
+    sendLoginCode: {
+        params: void;
+        response: void;
+    };
 };
 export type CoreInterface = {
     [key in keyof CoreMethods]: Partial<CoreMethod<key>>;