npm - @kasflow/passkey-wallet - Versions diffs - 0.1.0 - Mend

@kasflow/passkey-wallet 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,1798 @@
+// src/constants.ts
+var WEBAUTHN_RP_NAME = "KasFlow";
+var WEBAUTHN_RP_ID = typeof window !== "undefined" ? window.location.hostname : "localhost";
+var WEBAUTHN_TIMEOUT_MS = 6e4;
+var WEBAUTHN_PUB_KEY_CRED_PARAMS = [
+  { alg: -7, type: "public-key" },
+  // ES256 (recommended)
+  { alg: -257, type: "public-key" }
+  // RS256 (fallback)
+];
+var WEBAUTHN_USER_VERIFICATION = "required";
+var WEBAUTHN_AUTHENTICATOR_ATTACHMENT = "platform";
+var IDB_DATABASE_NAME = "kasflow-wallet";
+var IDB_STORE_NAME = "keystore";
+var STORAGE_KEY_CREDENTIAL_ID = "credential-id";
+var STORAGE_KEY_METADATA = "wallet-metadata";
+var NETWORK_ID = {
+  MAINNET: "mainnet",
+  TESTNET_10: "testnet-10",
+  TESTNET_11: "testnet-11"
+};
+var DEFAULT_NETWORK = NETWORK_ID.TESTNET_10;
+var RPC_TIMEOUT_MS = 3e4;
+var DEFAULT_PRIORITY_FEE_SOMPI = 100000n;
+var SOMPI_PER_KAS = 100000000n;
+var MIN_FEE_SOMPI = 1000n;
+var ERROR_MESSAGES = {
+  WALLET_NOT_FOUND: "No wallet found. Please create a wallet first.",
+  WALLET_ALREADY_EXISTS: "A wallet already exists. Delete it before creating a new one.",
+  PASSKEY_REGISTRATION_FAILED: "Failed to register passkey. Please try again.",
+  PASSKEY_AUTHENTICATION_FAILED: "Failed to authenticate with passkey. Please try again.",
+  INVALID_ADDRESS: "Invalid Kaspa address format.",
+  INSUFFICIENT_BALANCE: "Insufficient balance for this transaction.",
+  WEBAUTHN_NOT_SUPPORTED: "WebAuthn is not supported in this browser.",
+  USER_CANCELLED: "Operation was cancelled by the user.",
+  WASM_NOT_INITIALIZED: "Kaspa WASM module not initialized. Call initKaspa() first.",
+  RPC_NOT_CONNECTED: "Not connected to Kaspa network. Call connect() first.",
+  RPC_CONNECTION_FAILED: "Failed to connect to Kaspa network.",
+  TRANSACTION_FAILED: "Transaction failed to submit.",
+  INVALID_AMOUNT: "Invalid transaction amount."
+};
+// src/crypto.ts
+var generateRandomBytes = (length) => {
+  return crypto.getRandomValues(new Uint8Array(length));
+};
+var uint8ArrayToBase64 = (bytes) => {
+  const binary = String.fromCharCode(...bytes);
+  return btoa(binary);
+};
+var base64ToUint8Array = (base64) => {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+};
+var base64urlToUint8Array = (base64url) => {
+  let base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4 !== 0) {
+    base64 += "=";
+  }
+  return base64ToUint8Array(base64);
+};
+var uint8ArrayToHex = (bytes) => {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+};
+var hexToUint8Array = (hex) => {
+  const matches = hex.match(/.{1,2}/g);
+  if (!matches) {
+    throw new Error("Invalid hex string");
+  }
+  return new Uint8Array(matches.map((byte) => parseInt(byte, 16)));
+};
+// src/deterministic-keys.ts
+import { sha256 } from "@noble/hashes/sha256";
+import { bytesToHex } from "@noble/hashes/utils";
+// src/logger.ts
+var DEBUG_ENABLED = typeof process !== "undefined" ? process.env.NODE_ENV === "development" : true;
+var Logger = class {
+  module;
+  constructor(module) {
+    this.module = module;
+  }
+  formatMessage(level, ...args) {
+    return [`[${this.module}] ${level}:`, ...args];
+  }
+  /**
+   * Log info message
+   */
+  info(...args) {
+    console.log(...this.formatMessage("INFO", ...args));
+  }
+  /**
+   * Log warning message
+   */
+  warn(...args) {
+    console.warn(...this.formatMessage("WARN", ...args));
+  }
+  /**
+   * Log error message
+   */
+  error(...args) {
+    console.error(...this.formatMessage("ERROR", ...args));
+  }
+  /**
+   * Log debug message (only in development)
+   */
+  debug(...args) {
+    if (DEBUG_ENABLED) {
+      console.log(...this.formatMessage("DEBUG", ...args));
+    }
+  }
+};
+function createLogger(module) {
+  return new Logger(module);
+}
+// src/deterministic-keys.ts
+var logger = createLogger("DeterministicKeys");
+function deriveKaspaKeysFromPasskey(passkeyPublicKey) {
+  logger.info("[DeterministicKeys] Deriving Kaspa keys from passkey public key");
+  if (passkeyPublicKey.length !== 65) {
+    throw new Error(`Invalid passkey public key length: ${passkeyPublicKey.length} (expected 65)`);
+  }
+  if (passkeyPublicKey[0] !== 4) {
+    throw new Error(`Invalid passkey public key prefix: 0x${passkeyPublicKey[0].toString(16)} (expected 0x04)`);
+  }
+  const seed = sha256(passkeyPublicKey);
+  logger.info("[DeterministicKeys] Seed derived:", {
+    seedLength: seed.length,
+    seedHex: bytesToHex(seed).substring(0, 16) + "..."
+    // Log first 8 bytes only
+  });
+  const privateKeyHex = bytesToHex(seed);
+  logger.info("[DeterministicKeys] Kaspa private key derived successfully");
+  return {
+    privateKeyHex,
+    seed
+  };
+}
+function verifyDeterminism(passkeyPublicKey, expectedPrivateKeyHex) {
+  try {
+    const { privateKeyHex } = deriveKaspaKeysFromPasskey(passkeyPublicKey);
+    return privateKeyHex === expectedPrivateKeyHex;
+  } catch {
+    return false;
+  }
+}
+// src/kaspa.ts
+import {
+  PrivateKey,
+  PublicKey,
+  Address,
+  NetworkType,
+  signTransaction as wasmSignTransaction,
+  signMessage as wasmSignMessage,
+  kaspaToSompi as wasmKaspaToSompi,
+  sompiToKaspaString as wasmSompiToKaspaString,
+  sompiToKaspaStringWithSuffix as wasmSompiToKaspaStringWithSuffix,
+  createAddress
+} from "@onekeyfe/kaspa-wasm";
+import { KaspaAddress, KaspaPrefix } from "@kluster/kaspa-address";
+// src/wasm-init.ts
+import init, { initConsolePanicHook } from "@onekeyfe/kaspa-wasm";
+var wasmInitialized = false;
+var initPromise = null;
+async function ensureWasmInitialized() {
+  if (wasmInitialized) {
+    return;
+  }
+  if (initPromise) {
+    return initPromise;
+  }
+  initPromise = (async () => {
+    try {
+      if (typeof WebAssembly === "undefined") {
+        throw new Error(
+          "WebAssembly is not supported in this browser. Please use a modern browser (Chrome 57+, Firefox 52+, Safari 11+, Edge 16+)"
+        );
+      }
+      console.log("[WASM] Initializing Kaspa WASM module...");
+      await init();
+      if (process.env.NODE_ENV !== "production") {
+        try {
+          initConsolePanicHook();
+          console.log("[WASM] Console panic hook enabled for better error messages");
+        } catch (error) {
+          console.warn("[WASM] Failed to initialize console panic hook:", error);
+        }
+      }
+      wasmInitialized = true;
+      console.log("[WASM] Kaspa WASM module initialized successfully");
+    } catch (error) {
+      initPromise = null;
+      wasmInitialized = false;
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      console.error("[WASM] Initialization failed:", errorMessage);
+      throw new Error(`WASM initialization failed: ${errorMessage}`);
+    }
+  })();
+  return initPromise;
+}
+// src/kaspa.ts
+var getNetworkType = (network) => {
+  switch (network) {
+    case NETWORK_ID.MAINNET:
+      return "mainnet";
+    case NETWORK_ID.TESTNET_10:
+      return "testnet-10";
+    case NETWORK_ID.TESTNET_11:
+      return "testnet-11";
+    default:
+      return "testnet-11";
+  }
+};
+var getNetworkIdString = (network) => getNetworkType(network);
+var generatePrivateKey = () => {
+  const randomBytes = generateRandomBytes(32);
+  return uint8ArrayToHex(randomBytes);
+};
+var createPrivateKey = async (privateKeyHex) => {
+  await ensureWasmInitialized();
+  return new PrivateKey(privateKeyHex);
+};
+var getPublicKeyHex = async (privateKeyHex) => {
+  await ensureWasmInitialized();
+  const privateKey = new PrivateKey(privateKeyHex);
+  return privateKey.toPublicKey().toString();
+};
+var getAddressFromPrivateKey = async (privateKeyHex, network) => {
+  await ensureWasmInitialized();
+  const privateKey = new PrivateKey(privateKeyHex);
+  const networkType = getNetworkType(network);
+  return privateKey.toAddress(networkType).toString();
+};
+var isValidPrivateKey = async (privateKeyHex) => {
+  await ensureWasmInitialized();
+  try {
+    new PrivateKey(privateKeyHex);
+    return true;
+  } catch {
+    return false;
+  }
+};
+var publicKeyToAddress = async (publicKeyHex, network) => {
+  await ensureWasmInitialized();
+  const networkType = getNetworkType(network);
+  const address = createAddress(publicKeyHex, networkType);
+  return address.toString();
+};
+var isValidAddress = (address) => {
+  try {
+    KaspaAddress.fromString(address);
+    return true;
+  } catch {
+    return false;
+  }
+};
+var parseAddress = (address) => {
+  const parsed = KaspaAddress.fromString(address);
+  return {
+    prefix: parsed.prefix,
+    version: parsed.version,
+    payload: parsed.payload
+  };
+};
+var getNetworkFromAddress = (address) => {
+  const parsed = KaspaAddress.fromString(address);
+  switch (parsed.prefix) {
+    case KaspaPrefix.MAINNET:
+      return NETWORK_ID.MAINNET;
+    case KaspaPrefix.TESTNET:
+      return NETWORK_ID.TESTNET_11;
+    default:
+      return NETWORK_ID.TESTNET_11;
+  }
+};
+var signMessageWithKey = async (message, privateKeyHex) => {
+  await ensureWasmInitialized();
+  const privateKey = new PrivateKey(privateKeyHex);
+  return wasmSignMessage({
+    message,
+    privateKey
+  });
+};
+var signTransaction = async (transaction, privateKeys, verifySig = true) => {
+  await ensureWasmInitialized();
+  const keys = privateKeys.map((k) => typeof k === "string" ? new PrivateKey(k) : k);
+  return wasmSignTransaction(transaction, keys, verifySig);
+};
+var kasStringToSompi = (kasString) => {
+  const result = wasmKaspaToSompi(kasString);
+  if (result === void 0) {
+    throw new Error(ERROR_MESSAGES.INVALID_AMOUNT);
+  }
+  return result;
+};
+var sompiToKasString = (sompi) => {
+  return wasmSompiToKaspaString(sompi);
+};
+var sompiToKasStringWithSuffix = (sompi, network) => {
+  return wasmSompiToKaspaStringWithSuffix(sompi, getNetworkType(network));
+};
+var sompiToKas = (sompi) => {
+  return Number(sompi) / Number(SOMPI_PER_KAS);
+};
+var kasToSompi = (kas) => {
+  return BigInt(Math.floor(kas * Number(SOMPI_PER_KAS)));
+};
+var formatKas = (sompi, decimals = 8) => {
+  const kas = sompiToKas(sompi);
+  return kas.toFixed(decimals).replace(/\.?0+$/, "");
+};
+var parseKas = kasStringToSompi;
+var computeTransactionHash = (tx) => {
+  const txId = tx.id;
+  if (!txId || typeof txId !== "string") {
+    throw new Error("Invalid transaction: missing transaction ID");
+  }
+  const hashBytes = hexToUint8Array(txId);
+  if (hashBytes.length !== 32) {
+    throw new Error(`Invalid transaction hash length: expected 32 bytes, got ${hashBytes.length}`);
+  }
+  return hashBytes;
+};
+// src/webauthn.ts
+import {
+  startRegistration,
+  startAuthentication,
+  browserSupportsWebAuthn
+} from "@simplewebauthn/browser";
+// src/cose-parser.ts
+import { decode } from "cbor-x";
+var logger2 = createLogger("COSEParser");
+function extractPublicKeyFromAttestation(attestationObjectBase64) {
+  logger2.info("[COSEParser] Extracting public key from attestation object");
+  try {
+    const attestationBuffer = base64urlToUint8Array(attestationObjectBase64);
+    logger2.info("[COSEParser] Attestation buffer length:", attestationBuffer.length);
+    const attestation = decode(attestationBuffer);
+    logger2.info("[COSEParser] Attestation decoded:", {
+      fmt: attestation.fmt,
+      authDataLength: attestation.authData?.length
+    });
+    if (!attestation.authData) {
+      throw new Error("Attestation object missing authData");
+    }
+    const publicKey = parseAuthenticatorData(attestation.authData);
+    logger2.info("[COSEParser] Public key extracted:", {
+      length: publicKey.length,
+      prefix: publicKey[0]
+    });
+    return publicKey;
+  } catch (error) {
+    logger2.error("[COSEParser] Failed to extract public key:", error);
+    if (error instanceof Error) {
+      throw new Error(`Failed to extract public key: ${error.message}`);
+    }
+    throw new Error("Failed to extract public key from attestation object");
+  }
+}
+function parseAuthenticatorData(authData) {
+  logger2.info("[COSEParser] Parsing authenticator data:", {
+    length: authData.length
+  });
+  if (authData.length < 37) {
+    throw new Error(`Authenticator data too short: ${authData.length} bytes`);
+  }
+  const flags = authData[32];
+  const attestedCredentialDataIncluded = (flags & 64) !== 0;
+  logger2.info("[COSEParser] Flags:", {
+    raw: flags.toString(2).padStart(8, "0"),
+    attestedCredentialData: attestedCredentialDataIncluded
+  });
+  if (!attestedCredentialDataIncluded) {
+    throw new Error("Attested credential data not included in authenticator data");
+  }
+  let offset = 37;
+  let publicKeyOffset = 0;
+  let credIdLength = 0;
+  if (authData.length >= 55) {
+    offset = 53;
+    const view = new DataView(authData.buffer, authData.byteOffset + offset, 2);
+    credIdLength = view.getUint16(0, false);
+    logger2.info("[COSEParser] Attempting parse WITH AAGUID - Credential ID length:", credIdLength);
+    if (credIdLength > 0 && credIdLength <= 1024) {
+      publicKeyOffset = 55 + credIdLength;
+      if (authData.length > publicKeyOffset) {
+        logger2.info("[COSEParser] Successfully parsed with AAGUID");
+      } else {
+        logger2.info("[COSEParser] AAGUID parse failed, trying without AAGUID");
+        offset = 37;
+      }
+    } else {
+      logger2.info("[COSEParser] Unreasonable cred ID length with AAGUID, trying without");
+      offset = 37;
+    }
+  }
+  if (offset === 37) {
+    if (authData.length < 39) {
+      throw new Error("Authenticator data too short for credential ID length");
+    }
+    const view = new DataView(authData.buffer, authData.byteOffset + offset, 2);
+    credIdLength = view.getUint16(0, false);
+    logger2.info("[COSEParser] Attempting parse WITHOUT AAGUID - Credential ID length:", credIdLength);
+    if (credIdLength > 1024) {
+      throw new Error(`Credential ID length too large: ${credIdLength} bytes`);
+    }
+    publicKeyOffset = 39 + credIdLength;
+  }
+  logger2.info("[COSEParser] Offset calculation:", {
+    authDataLength: authData.length,
+    credIdLength,
+    publicKeyOffset,
+    remainingBytes: authData.length - publicKeyOffset
+  });
+  if (authData.length <= publicKeyOffset) {
+    throw new Error(
+      `Authenticator data missing COSE public key (authData length: ${authData.length}, expected offset: ${publicKeyOffset})`
+    );
+  }
+  const coseKey = authData.slice(publicKeyOffset);
+  logger2.info("[COSEParser] COSE key length:", coseKey.length);
+  return parseCOSEPublicKey(coseKey);
+}
+function parseCOSEPublicKey(coseKey) {
+  logger2.info("[COSEParser] Parsing COSE public key");
+  try {
+    const key = decode(coseKey);
+    logger2.info("[COSEParser] COSE key decoded:", {
+      kty: key[1],
+      alg: key[3],
+      crv: key[-1],
+      hasX: !!key[-2],
+      hasY: !!key[-3]
+    });
+    const x = key[-2];
+    const y = key[-3];
+    if (!x || !y) {
+      throw new Error("COSE key missing x or y coordinate");
+    }
+    if (x.length !== 32 || y.length !== 32) {
+      throw new Error(`Invalid coordinate length: x=${x.length}, y=${y.length}`);
+    }
+    const publicKey = new Uint8Array(65);
+    publicKey[0] = 4;
+    publicKey.set(x, 1);
+    publicKey.set(y, 33);
+    logger2.info("[COSEParser] Public key constructed successfully");
+    return publicKey;
+  } catch (error) {
+    logger2.error("[COSEParser] Failed to parse COSE key:", error);
+    if (error instanceof Error) {
+      throw new Error(`Failed to parse COSE public key: ${error.message}`);
+    }
+    throw new Error("Failed to parse COSE public key");
+  }
+}
+// src/webauthn.ts
+var logger3 = createLogger("WebAuthn");
+var isWebAuthnSupported = () => {
+  return browserSupportsWebAuthn();
+};
+var registerPasskey = async (walletName) => {
+  logger3.info("[WebAuthn] registerPasskey() called with name:", walletName);
+  if (!isWebAuthnSupported()) {
+    logger3.error("[WebAuthn] WebAuthn not supported");
+    return {
+      success: false,
+      error: ERROR_MESSAGES.WEBAUTHN_NOT_SUPPORTED
+    };
+  }
+  try {
+    logger3.info("[WebAuthn] Generating challenge...");
+    const challenge = generateRandomBytes(32);
+    const challengeBase64 = uint8ArrayToBase64(challenge);
+    const userId = generateRandomBytes(32);
+    const userIdBase64 = uint8ArrayToBase64(userId);
+    const registrationOptions = {
+      challenge: challengeBase64,
+      rp: {
+        name: WEBAUTHN_RP_NAME,
+        id: WEBAUTHN_RP_ID
+      },
+      user: {
+        id: userIdBase64,
+        name: walletName,
+        displayName: walletName
+      },
+      pubKeyCredParams: WEBAUTHN_PUB_KEY_CRED_PARAMS,
+      timeout: WEBAUTHN_TIMEOUT_MS,
+      authenticatorSelection: {
+        authenticatorAttachment: WEBAUTHN_AUTHENTICATOR_ATTACHMENT,
+        userVerification: WEBAUTHN_USER_VERIFICATION,
+        residentKey: "required",
+        requireResidentKey: true
+      },
+      attestation: "none"
+    };
+    logger3.info("[WebAuthn] Registration options:", {
+      rpName: registrationOptions.rp.name,
+      rpId: registrationOptions.rp.id,
+      userName: registrationOptions.user.name,
+      timeout: registrationOptions.timeout
+    });
+    logger3.info("[WebAuthn] Starting WebAuthn registration ceremony...");
+    const credential = await startRegistration({ optionsJSON: registrationOptions });
+    logger3.info("[WebAuthn] Registration ceremony completed, credential received:", {
+      id: credential.id,
+      type: credential.type,
+      hasPublicKey: !!credential.response.publicKey,
+      hasAttestationObject: !!credential.response.attestationObject,
+      rawId: credential.rawId
+    });
+    const publicKeyBytes = credential.response.publicKey ? credential.response.publicKey : "";
+    logger3.info("[WebAuthn] Extracting passkey public key from attestation object...");
+    let passkeyPublicKey;
+    try {
+      passkeyPublicKey = extractPublicKeyFromAttestation(credential.response.attestationObject);
+      logger3.info("[WebAuthn] Passkey public key extracted successfully:", {
+        length: passkeyPublicKey.length,
+        prefix: passkeyPublicKey[0]
+        // Should be 0x04 for uncompressed
+      });
+    } catch (error) {
+      logger3.error("[WebAuthn] Failed to extract passkey public key:", error);
+    }
+    const storedCredential = {
+      id: credential.id,
+      rawId: base64urlToUint8Array(credential.rawId),
+      publicKey: publicKeyBytes,
+      counter: 0,
+      transports: credential.response.transports
+    };
+    logger3.info("[WebAuthn] Passkey registered successfully");
+    return {
+      success: true,
+      credential: storedCredential,
+      userId,
+      // Included for WebAuthn spec compliance (not used for key derivation)
+      passkeyPublicKey
+      // Used for deterministic key derivation
+    };
+  } catch (error) {
+    logger3.error("[WebAuthn] Registration failed with error:", error);
+    if (error instanceof Error && error.name === "NotAllowedError") {
+      logger3.warn("[WebAuthn] User cancelled the registration");
+      return {
+        success: false,
+        error: ERROR_MESSAGES.USER_CANCELLED
+      };
+    }
+    if (error instanceof Error) {
+      logger3.error("[WebAuthn] Error details:", {
+        name: error.name,
+        message: error.message,
+        stack: error.stack
+      });
+    }
+    return {
+      success: false,
+      error: ERROR_MESSAGES.PASSKEY_REGISTRATION_FAILED
+    };
+  }
+};
+var authenticateWithPasskey = async (credentialId) => {
+  logger3.info("[WebAuthn] authenticateWithPasskey() called with credentialId:", credentialId);
+  if (!isWebAuthnSupported()) {
+    logger3.error("[WebAuthn] WebAuthn not supported");
+    return {
+      success: false,
+      error: ERROR_MESSAGES.WEBAUTHN_NOT_SUPPORTED
+    };
+  }
+  try {
+    logger3.info("[WebAuthn] Generating challenge for authentication...");
+    const challenge = generateRandomBytes(32);
+    const challengeBase64 = uint8ArrayToBase64(challenge);
+    const allowCredentials = credentialId ? [
+      {
+        id: credentialId,
+        type: "public-key"
+      }
+    ] : void 0;
+    const authenticationOptions = {
+      challenge: challengeBase64,
+      rpId: WEBAUTHN_RP_ID,
+      timeout: WEBAUTHN_TIMEOUT_MS,
+      userVerification: WEBAUTHN_USER_VERIFICATION,
+      allowCredentials
+    };
+    logger3.info("[WebAuthn] Authentication options:", {
+      rpId: authenticationOptions.rpId,
+      timeout: authenticationOptions.timeout,
+      hasAllowedCredentials: !!allowCredentials
+    });
+    logger3.info("[WebAuthn] Starting WebAuthn authentication ceremony...");
+    const assertion = await startAuthentication({ optionsJSON: authenticationOptions });
+    logger3.info("[WebAuthn] Authentication ceremony completed, assertion received");
+    const authenticatorData = base64urlToUint8Array(assertion.response.authenticatorData);
+    const clientDataJSON = base64urlToUint8Array(assertion.response.clientDataJSON);
+    const signature = base64urlToUint8Array(assertion.response.signature);
+    logger3.info("[WebAuthn] Authentication successful");
+    return {
+      success: true,
+      authenticatorData,
+      clientDataJSON,
+      signature
+    };
+  } catch (error) {
+    logger3.error("[WebAuthn] Authentication failed with error:", error);
+    if (error instanceof Error && error.name === "NotAllowedError") {
+      logger3.warn("[WebAuthn] User cancelled the authentication");
+      return {
+        success: false,
+        error: ERROR_MESSAGES.USER_CANCELLED
+      };
+    }
+    if (error instanceof Error) {
+      logger3.error("[WebAuthn] Error details:", {
+        name: error.name,
+        message: error.message,
+        stack: error.stack
+      });
+    }
+    return {
+      success: false,
+      error: ERROR_MESSAGES.PASSKEY_AUTHENTICATION_FAILED
+    };
+  }
+};
+var authenticateWithChallenge = async (credentialId, challenge) => {
+  logger3.info("[WebAuthn] authenticateWithChallenge() called");
+  logger3.info("[WebAuthn] Challenge length:", challenge.length, "bytes");
+  if (!isWebAuthnSupported()) {
+    logger3.error("[WebAuthn] WebAuthn not supported");
+    return {
+      success: false,
+      error: ERROR_MESSAGES.WEBAUTHN_NOT_SUPPORTED
+    };
+  }
+  if (!credentialId) {
+    logger3.error("[WebAuthn] No credential ID provided");
+    return {
+      success: false,
+      error: "Credential ID is required for authentication"
+    };
+  }
+  try {
+    const challengeBase64 = uint8ArrayToBase64(challenge);
+    const authenticationOptions = {
+      challenge: challengeBase64,
+      rpId: WEBAUTHN_RP_ID,
+      timeout: WEBAUTHN_TIMEOUT_MS,
+      userVerification: WEBAUTHN_USER_VERIFICATION,
+      allowCredentials: [
+        {
+          id: credentialId,
+          type: "public-key"
+        }
+      ]
+    };
+    logger3.info("[WebAuthn] Authentication options with custom challenge:", {
+      rpId: authenticationOptions.rpId,
+      timeout: authenticationOptions.timeout,
+      challengePreview: challengeBase64.substring(0, 16) + "..."
+    });
+    logger3.info("[WebAuthn] Starting WebAuthn authentication ceremony with custom challenge...");
+    const assertion = await startAuthentication({ optionsJSON: authenticationOptions });
+    logger3.info("[WebAuthn] Authentication ceremony completed, assertion received");
+    const authenticatorData = base64urlToUint8Array(assertion.response.authenticatorData);
+    const clientDataJSON = base64urlToUint8Array(assertion.response.clientDataJSON);
+    const signature = base64urlToUint8Array(assertion.response.signature);
+    logger3.info("[WebAuthn] Authentication with custom challenge successful");
+    return {
+      success: true,
+      authenticatorData,
+      clientDataJSON,
+      signature
+    };
+  } catch (error) {
+    logger3.error("[WebAuthn] Authentication with custom challenge failed:", error);
+    if (error instanceof Error && error.name === "NotAllowedError") {
+      logger3.warn("[WebAuthn] User cancelled the authentication");
+      return {
+        success: false,
+        error: ERROR_MESSAGES.USER_CANCELLED
+      };
+    }
+    if (error instanceof Error) {
+      logger3.error("[WebAuthn] Error details:", {
+        name: error.name,
+        message: error.message,
+        stack: error.stack
+      });
+    }
+    return {
+      success: false,
+      error: ERROR_MESSAGES.PASSKEY_AUTHENTICATION_FAILED
+    };
+  }
+};
+// src/keystore.ts
+import { get, set, del, createStore } from "idb-keyval";
+var customStore = null;
+var getStore = () => {
+  if (!customStore) {
+    customStore = createStore(IDB_DATABASE_NAME, IDB_STORE_NAME);
+  }
+  return customStore;
+};
+var hasStoredWallet = async () => {
+  try {
+    const metadata = await get(STORAGE_KEY_METADATA, getStore());
+    return metadata !== void 0;
+  } catch {
+    return false;
+  }
+};
+var storeWalletMetadata = async (metadata) => {
+  await set(STORAGE_KEY_METADATA, metadata, getStore());
+};
+var getWalletMetadata = async () => {
+  try {
+    const data = await get(STORAGE_KEY_METADATA, getStore());
+    return data ?? null;
+  } catch {
+    return null;
+  }
+};
+var deleteWalletMetadata = async () => {
+  await del(STORAGE_KEY_METADATA, getStore());
+};
+var storeCredentialId = async (credentialId) => {
+  await set(STORAGE_KEY_CREDENTIAL_ID, credentialId, getStore());
+};
+var getCredentialId = async () => {
+  try {
+    const id = await get(STORAGE_KEY_CREDENTIAL_ID, getStore());
+    return id ?? null;
+  } catch {
+    return null;
+  }
+};
+var deleteCredentialId = async () => {
+  await del(STORAGE_KEY_CREDENTIAL_ID, getStore());
+};
+var clearAllData = async () => {
+  await Promise.all([
+    deleteWalletMetadata(),
+    deleteCredentialId()
+  ]);
+};
+// src/rpc.ts
+import {
+  RpcClient,
+  Resolver
+} from "@onekeyfe/kaspa-wasm";
+var KaspaRpc = class {
+  rpc = null;
+  network = null;
+  eventHandlers = {};
+  /**
+   * Check if connected to the network
+   */
+  get isConnected() {
+    return this.rpc !== null;
+  }
+  /**
+   * Get the current network
+   */
+  get currentNetwork() {
+    return this.network;
+  }
+  /**
+   * Get the underlying RpcClient instance
+   * Only use for advanced operations
+   */
+  get client() {
+    return this.rpc;
+  }
+  /**
+   * Set event handlers for connection events
+   */
+  setEventHandlers(handlers) {
+    this.eventHandlers = { ...this.eventHandlers, ...handlers };
+  }
+  /**
+   * Connect to the Kaspa network
+   *
+   * @param options - Connection options
+   * @throws Error if connection fails
+   */
+  async connect(options) {
+    await ensureWasmInitialized();
+    const { network, url, timeout = RPC_TIMEOUT_MS } = options;
+    const networkType = getNetworkType(network);
+    if (this.rpc) {
+      await this.disconnect();
+    }
+    try {
+      if (url) {
+        this.rpc = new RpcClient({
+          url,
+          networkId: networkType
+        });
+      } else {
+        this.rpc = new RpcClient({
+          resolver: new Resolver(),
+          networkId: networkType
+        });
+      }
+      this.rpc.addEventListener("connect", (event) => {
+        this.eventHandlers.onConnect?.(event?.url || "unknown");
+      });
+      this.rpc.addEventListener("disconnect", () => {
+        this.eventHandlers.onDisconnect?.();
+      });
+      await Promise.race([
+        this.rpc.connect(),
+        new Promise(
+          (_, reject) => setTimeout(() => reject(new Error("Connection timeout")), timeout)
+        )
+      ]);
+      this.network = network;
+    } catch (error) {
+      this.rpc = null;
+      this.network = null;
+      const message = error instanceof Error ? error.message : String(error);
+      this.eventHandlers.onError?.(message);
+      throw new Error(`${ERROR_MESSAGES.RPC_CONNECTION_FAILED}: ${message}`);
+    }
+  }
+  /**
+   * Disconnect from the network
+   */
+  async disconnect() {
+    if (this.rpc) {
+      try {
+        await this.rpc.disconnect();
+      } catch {
+      }
+      this.rpc = null;
+      this.network = null;
+    }
+  }
+  /**
+   * Ensure RPC is connected, throw if not
+   */
+  ensureConnected() {
+    if (!this.rpc) {
+      throw new Error(ERROR_MESSAGES.RPC_NOT_CONNECTED);
+    }
+    return this.rpc;
+  }
+  /**
+   * Get balance for an address
+   *
+   * @param address - Kaspa address
+   * @returns Balance info with available, pending, and total amounts
+   */
+  async getBalance(address) {
+    const rpc = this.ensureConnected();
+    const response = await rpc.getBalanceByAddress({ address });
+    const available = response.balance;
+    return {
+      available,
+      pending: 0n,
+      total: available
+    };
+  }
+  /**
+   * Get UTXOs for an address
+   *
+   * @param address - Kaspa address
+   * @returns Array of UTXO entries
+   */
+  async getUtxos(address) {
+    const rpc = this.ensureConnected();
+    const response = await rpc.getUtxosByAddresses({ addresses: [address] });
+    return response.entries;
+  }
+  /**
+   * Get UTXOs for multiple addresses
+   *
+   * @param addresses - Array of Kaspa addresses
+   * @returns Array of UTXO entries
+   */
+  async getUtxosForAddresses(addresses) {
+    const rpc = this.ensureConnected();
+    const response = await rpc.getUtxosByAddresses({ addresses });
+    return response.entries;
+  }
+  /**
+   * Submit a signed transaction to the network
+   *
+   * @param transaction - Signed transaction object
+   * @param allowOrphan - Allow orphan transactions (default: false)
+   * @returns Transaction ID
+   */
+  async submitTransaction(transaction, allowOrphan = false) {
+    const rpc = this.ensureConnected();
+    const response = await rpc.submitTransaction({
+      transaction,
+      allowOrphan
+    });
+    return response.transactionId;
+  }
+  /**
+   * Get the current block count
+   */
+  async getBlockCount() {
+    const rpc = this.ensureConnected();
+    const response = await rpc.getBlockCount();
+    return response.blockCount;
+  }
+  /**
+   * Get network info (DAG info)
+   */
+  async getNetworkInfo() {
+    const rpc = this.ensureConnected();
+    const response = await rpc.getBlockDagInfo();
+    return {
+      network: response.network,
+      blockCount: response.blockCount,
+      headerCount: response.headerCount,
+      tipHashes: response.tipHashes,
+      difficulty: response.difficulty,
+      pastMedianTime: response.pastMedianTime,
+      virtualParentHashes: response.virtualParentHashes,
+      pruningPointHash: response.pruningPointHash,
+      virtualDaaScore: response.virtualDaaScore,
+      sink: response.sink
+    };
+  }
+  /**
+   * Get the current server info
+   */
+  async getServerInfo() {
+    const rpc = this.ensureConnected();
+    const response = await rpc.getServerInfo();
+    return {
+      serverVersion: response.serverVersion,
+      rpcApiVersion: response.rpcApiVersion,
+      isSynced: response.isSynced,
+      hasUtxoIndex: response.hasUtxoIndex
+    };
+  }
+};
+var defaultRpcInstance = null;
+var getDefaultRpc = () => {
+  if (!defaultRpcInstance) {
+    defaultRpcInstance = new KaspaRpc();
+  }
+  return defaultRpcInstance;
+};
+var resetDefaultRpc = async () => {
+  if (defaultRpcInstance) {
+    await defaultRpcInstance.disconnect();
+    defaultRpcInstance = null;
+  }
+};
+// src/transaction.ts
+import {
+  createTransactions,
+  estimateTransactions,
+  Generator
+} from "@onekeyfe/kaspa-wasm";
+import { PendingTransaction as PendingTransaction2, Generator as Generator2 } from "@onekeyfe/kaspa-wasm";
+var buildTransactions = async (utxos, outputs, changeAddress, priorityFee = DEFAULT_PRIORITY_FEE_SOMPI, network) => {
+  await ensureWasmInitialized();
+  const settings = {
+    outputs,
+    changeAddress,
+    priorityFee,
+    entries: utxos,
+    networkId: getNetworkType(network)
+  };
+  const result = await createTransactions(settings);
+  return {
+    transactions: result.transactions,
+    summary: {
+      transactionCount: result.summary.transactions,
+      fees: result.summary.fees,
+      utxoCount: result.summary.utxos,
+      finalAmount: result.summary.finalAmount
+    }
+  };
+};
+var estimateFee = async (utxos, outputs, changeAddress, priorityFee = DEFAULT_PRIORITY_FEE_SOMPI, network) => {
+  await ensureWasmInitialized();
+  const settings = {
+    outputs,
+    changeAddress,
+    priorityFee,
+    entries: utxos,
+    networkId: getNetworkType(network)
+  };
+  const summary = await estimateTransactions(settings);
+  return {
+    transactionCount: summary.transactions,
+    fees: summary.fees,
+    utxoCount: summary.utxos,
+    finalAmount: summary.finalAmount ?? 0n
+  };
+};
+var signTransactions = async (transactions, privateKeyHex) => {
+  await ensureWasmInitialized();
+  const privateKey = await createPrivateKey(privateKeyHex);
+  for (const tx of transactions) {
+    tx.sign([privateKey]);
+  }
+  return transactions;
+};
+var submitTransactions = async (transactions, rpc) => {
+  if (!rpc.client) {
+    throw new Error(ERROR_MESSAGES.RPC_NOT_CONNECTED);
+  }
+  const transactionIds = [];
+  for (const tx of transactions) {
+    const txId = await tx.submit(rpc.client);
+    transactionIds.push(txId);
+  }
+  return transactionIds;
+};
+var sendTransaction = async (options, utxos, changeAddress, privateKeyHex, rpc, network) => {
+  await ensureWasmInitialized();
+  const { to, amount, priorityFee = DEFAULT_PRIORITY_FEE_SOMPI } = options;
+  if (!rpc.isConnected) {
+    throw new Error(ERROR_MESSAGES.RPC_NOT_CONNECTED);
+  }
+  const outputs = [{ address: to, amount }];
+  const { transactions, summary } = await buildTransactions(
+    utxos,
+    outputs,
+    changeAddress,
+    priorityFee,
+    network
+  );
+  if (transactions.length === 0) {
+    throw new Error(ERROR_MESSAGES.TRANSACTION_FAILED);
+  }
+  const signedTransactions = await signTransactions(transactions, privateKeyHex);
+  const transactionIds = await submitTransactions(signedTransactions, rpc);
+  return {
+    transactionId: transactionIds[0],
+    amount,
+    fee: summary.fees
+  };
+};
+var createGenerator = async (settings) => {
+  await ensureWasmInitialized();
+  return new Generator(settings);
+};
+// src/wallet.ts
+var logger4 = createLogger("PasskeyWallet");
+var PasskeyWallet = class _PasskeyWallet {
+  privateKeyHex;
+  publicKeyHex;
+  address;
+  network;
+  eventHandlers = /* @__PURE__ */ new Set();
+  rpc;
+  credentialId = null;
+  passkeyPublicKey = null;
+  constructor(privateKeyHex, publicKeyHex, address, network, credentialId, passkeyPublicKey) {
+    this.privateKeyHex = privateKeyHex;
+    this.publicKeyHex = publicKeyHex;
+    this.address = address;
+    this.network = network;
+    this.credentialId = credentialId ?? null;
+    this.passkeyPublicKey = passkeyPublicKey ?? null;
+    this.rpc = new KaspaRpc();
+    this.rpc.setEventHandlers({
+      onConnect: (url) => {
+        logger4.info(`Connected to Kaspa network: ${url}`);
+      },
+      onDisconnect: () => {
+        logger4.info("Disconnected from Kaspa network");
+      },
+      onError: (error) => {
+        logger4.error("RPC error:", error);
+      }
+    });
+  }
+  // ===========================================================================
+  // Static Factory Methods
+  // ===========================================================================
+  /**
+   * Check if WebAuthn/passkeys are supported in the current browser
+   */
+  static isSupported() {
+    return isWebAuthnSupported();
+  }
+  /**
+   * Check if a wallet already exists in storage
+   */
+  static async exists() {
+    return hasStoredWallet();
+  }
+  /**
+   * Create a new passkey-protected wallet
+   *
+   * @param options - Configuration options
+   * @returns Result containing the wallet instance or error
+   */
+  static async create(options = {}) {
+    logger4.info("create() called with options:", options);
+    const { name = "KasFlow Wallet", network = DEFAULT_NETWORK } = options;
+    logger4.debug("Checking if wallet already exists...");
+    if (await hasStoredWallet()) {
+      logger4.warn("Wallet already exists in storage");
+      return {
+        success: false,
+        error: ERROR_MESSAGES.WALLET_ALREADY_EXISTS
+      };
+    }
+    logger4.debug("Checking WebAuthn support...");
+    if (!isWebAuthnSupported()) {
+      logger4.error("WebAuthn not supported");
+      return {
+        success: false,
+        error: ERROR_MESSAGES.WEBAUTHN_NOT_SUPPORTED
+      };
+    }
+    logger4.debug("WebAuthn is supported");
+    logger4.info("Starting passkey registration...");
+    const registration = await registerPasskey(name);
+    logger4.debug("Registration result:", {
+      success: registration.success,
+      hasCredential: !!registration.credential,
+      hasPasskeyPublicKey: !!registration.passkeyPublicKey,
+      error: registration.error
+    });
+    if (!registration.success || !registration.credential || !registration.passkeyPublicKey) {
+      logger4.error("Passkey registration failed:", registration.error);
+      return {
+        success: false,
+        error: registration.error ?? ERROR_MESSAGES.PASSKEY_REGISTRATION_FAILED
+      };
+    }
+    logger4.info("Deriving Kaspa keys from passkey public key...");
+    const { privateKeyHex } = deriveKaspaKeysFromPasskey(registration.passkeyPublicKey);
+    logger4.debug("Getting public key...");
+    const publicKeyHex = await getPublicKeyHex(privateKeyHex);
+    logger4.info("Generating addresses for all networks...");
+    const addresses = {
+      [NETWORK_ID.MAINNET]: await getAddressFromPrivateKey(privateKeyHex, NETWORK_ID.MAINNET),
+      [NETWORK_ID.TESTNET_10]: await getAddressFromPrivateKey(privateKeyHex, NETWORK_ID.TESTNET_10),
+      [NETWORK_ID.TESTNET_11]: await getAddressFromPrivateKey(privateKeyHex, NETWORK_ID.TESTNET_11)
+    };
+    const address = addresses[network];
+    logger4.info("Wallet created for all networks:", {
+      primaryNetwork: network,
+      mainnetAddress: addresses[NETWORK_ID.MAINNET],
+      testnet10Address: addresses[NETWORK_ID.TESTNET_10],
+      testnet11Address: addresses[NETWORK_ID.TESTNET_11],
+      publicKeyPrefix: publicKeyHex.substring(0, 10) + "..."
+    });
+    const passkeyPublicKeyBase64 = uint8ArrayToBase64(registration.passkeyPublicKey);
+    logger4.debug("Storing wallet metadata...");
+    await storeWalletMetadata({
+      passkeyPublicKey: passkeyPublicKeyBase64,
+      addresses,
+      primaryNetwork: network,
+      createdAt: Date.now(),
+      // Backward compatibility fields
+      address,
+      network
+    });
+    await storeCredentialId(registration.credential.id);
+    logger4.debug("Wallet metadata stored successfully");
+    logger4.debug("Creating wallet instance...");
+    const wallet = new _PasskeyWallet(
+      privateKeyHex,
+      publicKeyHex,
+      address,
+      network,
+      registration.credential.id,
+      registration.passkeyPublicKey
+    );
+    wallet.emit({ type: "connected", address });
+    logger4.info("Wallet created successfully!");
+    return {
+      success: true,
+      data: wallet
+    };
+  }
+  /**
+   * Unlock an existing wallet using passkey authentication
+   *
+   * @param options - Configuration options
+   * @returns Result containing the wallet instance or error
+   */
+  static async unlock(options = {}) {
+    logger4.info("unlock() called with options:", options);
+    logger4.debug("Checking if wallet exists in storage...");
+    if (!await hasStoredWallet()) {
+      logger4.error("No wallet found in storage");
+      return {
+        success: false,
+        error: ERROR_MESSAGES.WALLET_NOT_FOUND
+      };
+    }
+    logger4.debug("Wallet exists in storage");
+    logger4.debug("Getting stored credential ID and wallet metadata...");
+    const credentialId = await getCredentialId();
+    const metadata = await getWalletMetadata();
+    logger4.debug("Stored credential ID:", credentialId);
+    logger4.debug("Wallet metadata:", metadata ? "found" : "not found");
+    if (!metadata || !metadata.passkeyPublicKey) {
+      logger4.error("No passkey public key found in metadata");
+      return {
+        success: false,
+        error: ERROR_MESSAGES.WALLET_NOT_FOUND
+      };
+    }
+    logger4.info("Authenticating with passkey...");
+    const auth = await authenticateWithPasskey(credentialId ?? void 0);
+    logger4.debug("Authentication result:", {
+      success: auth.success,
+      error: auth.error
+    });
+    if (!auth.success) {
+      logger4.error("Passkey authentication failed:", auth.error);
+      return {
+        success: false,
+        error: auth.error ?? ERROR_MESSAGES.PASSKEY_AUTHENTICATION_FAILED
+      };
+    }
+    logger4.info("Deriving keys from passkey public key...");
+    const passkeyPublicKey = base64ToUint8Array(metadata.passkeyPublicKey);
+    const { privateKeyHex } = deriveKaspaKeysFromPasskey(passkeyPublicKey);
+    const publicKeyHex = await getPublicKeyHex(privateKeyHex);
+    let currentMetadata = metadata;
+    if (!metadata.addresses && metadata.address && metadata.network) {
+      logger4.info("Migrating wallet to multi-network format...");
+      const addresses = {
+        [NETWORK_ID.MAINNET]: await getAddressFromPrivateKey(privateKeyHex, NETWORK_ID.MAINNET),
+        [NETWORK_ID.TESTNET_10]: await getAddressFromPrivateKey(privateKeyHex, NETWORK_ID.TESTNET_10),
+        [NETWORK_ID.TESTNET_11]: await getAddressFromPrivateKey(privateKeyHex, NETWORK_ID.TESTNET_11)
+      };
+      if (addresses[metadata.network] !== metadata.address) {
+        logger4.error("Migration validation failed", {
+          expectedAddress: metadata.address,
+          derivedAddress: addresses[metadata.network],
+          network: metadata.network
+        });
+        return {
+          success: false,
+          error: "Failed to migrate wallet to multi-network format"
+        };
+      }
+      currentMetadata = {
+        passkeyPublicKey: metadata.passkeyPublicKey,
+        addresses,
+        primaryNetwork: metadata.network,
+        createdAt: metadata.createdAt,
+        // Keep old fields for rollback safety
+        address: metadata.address,
+        network: metadata.network
+      };
+      await storeWalletMetadata(currentMetadata);
+      logger4.info("Migration complete - wallet now supports all networks");
+    }
+    const network = options.network ?? currentMetadata.primaryNetwork ?? currentMetadata.network ?? NETWORK_ID.TESTNET_10;
+    const address = await getAddressFromPrivateKey(privateKeyHex, network);
+    const expectedAddress = currentMetadata.addresses ? currentMetadata.addresses[network] : currentMetadata.address;
+    if (address !== expectedAddress) {
+      logger4.error("Derived address mismatch for network", {
+        network,
+        expected: expectedAddress,
+        derived: address
+      });
+      return {
+        success: false,
+        error: "Failed to derive correct wallet address for network"
+      };
+    }
+    logger4.debug("Keys derived successfully, address verified for network:", network);
+    const wallet = new _PasskeyWallet(
+      privateKeyHex,
+      publicKeyHex,
+      address,
+      network,
+      credentialId ?? void 0,
+      passkeyPublicKey
+    );
+    wallet.emit({ type: "connected", address });
+    logger4.info("Wallet unlocked successfully!");
+    return {
+      success: true,
+      data: wallet
+    };
+  }
+  /**
+   * Delete the wallet from storage
+   * This is irreversible - make sure user has backed up their keys!
+   */
+  static async delete() {
+    await clearAllData();
+    return { success: true };
+  }
+  // ===========================================================================
+  // Instance Methods - Basic Info
+  // ===========================================================================
+  /**
+   * Get the wallet's Kaspa address
+   */
+  getAddress() {
+    return this.address;
+  }
+  /**
+   * Get the wallet's public key as hex string
+   */
+  getPublicKey() {
+    return this.publicKeyHex;
+  }
+  /**
+   * Get the current network
+   */
+  getNetwork() {
+    return this.network;
+  }
+  /**
+   * Sign a message with the wallet's private key
+   * Uses Kaspa's message signing scheme
+   *
+   * @param message - Message to sign
+   * @returns Signature as hex string
+   */
+  async signMessage(message) {
+    return await signMessageWithKey(message, this.privateKeyHex);
+  }
+  /**
+   * Get the private key hex (for advanced usage like transaction signing)
+   * WARNING: Handle with care - this is sensitive data
+   */
+  getPrivateKeyHex() {
+    return this.privateKeyHex;
+  }
+  // ===========================================================================
+  // Network Connection
+  // ===========================================================================
+  /**
+   * Check if connected to the network
+   */
+  get isConnected() {
+    return this.rpc.isConnected;
+  }
+  /**
+   * Get the underlying RPC client for advanced usage
+   */
+  getRpcClient() {
+    return this.rpc;
+  }
+  /**
+   * Connect to the Kaspa network
+   *
+   * @param options - Optional connection options (defaults to current network with public resolver)
+   */
+  async connect(options) {
+    await this.rpc.connect({
+      network: options?.network ?? this.network,
+      url: options?.url,
+      timeout: options?.timeout
+    });
+  }
+  /**
+   * Disconnect from the Kaspa network
+   */
+  async disconnectNetwork() {
+    await this.rpc.disconnect();
+  }
+  /**
+   * Switch to a different network without re-authentication
+   * Uses pre-computed addresses from wallet creation
+   *
+   * @param network - Target network to switch to
+   * @returns Result with success status
+   */
+  async switchNetwork(network) {
+    logger4.info("switchNetwork() called:", { from: this.network, to: network });
+    if (network === this.network) {
+      logger4.info("Already on target network");
+      return { success: true };
+    }
+    const metadata = await getWalletMetadata();
+    if (!metadata || !metadata.addresses || !metadata.addresses[network]) {
+      logger4.error("Address for target network not found in metadata");
+      return {
+        success: false,
+        error: `Address for network ${network} not found. Wallet may need to be recreated.`
+      };
+    }
+    const newAddress = await getAddressFromPrivateKey(this.privateKeyHex, network);
+    if (newAddress !== metadata.addresses[network]) {
+      logger4.error("Derived address does not match stored address for network", {
+        network,
+        stored: metadata.addresses[network],
+        derived: newAddress
+      });
+      return {
+        success: false,
+        error: "Failed to validate address for network switch"
+      };
+    }
+    if (this.isConnected) {
+      logger4.debug("Disconnecting from current network...");
+      await this.disconnectNetwork();
+    }
+    this.network = network;
+    this.address = newAddress;
+    logger4.info("Network switched successfully:", { network, address: newAddress });
+    this.emit({ type: "connected", address: newAddress });
+    return { success: true };
+  }
+  // ===========================================================================
+  // Balance & UTXOs
+  // ===========================================================================
+  /**
+   * Get the wallet's balance
+   *
+   * @returns Balance info with available, pending, and total amounts
+   * @throws Error if not connected to network
+   */
+  async getBalance() {
+    if (!this.rpc.isConnected) {
+      throw new Error(ERROR_MESSAGES.RPC_NOT_CONNECTED);
+    }
+    const balance = await this.rpc.getBalance(this.address);
+    this.emit({ type: "balance_updated", balance });
+    return balance;
+  }
+  // ===========================================================================
+  // Transactions
+  // ===========================================================================
+  /**
+   * Send KAS to an address
+   *
+   * @param options - Send options (to, amount, priorityFee)
+   * @returns Send result with transaction ID and details
+   * @throws Error if not connected or insufficient balance
+   *
+   * @example
+   * ```typescript
+   * const result = await wallet.send({
+   *   to: 'kaspatest:qz...',
+   *   amount: 100000000n, // 1 KAS
+   * });
+   * console.log('Transaction ID:', result.transactionId);
+   * ```
+   */
+  async send(options) {
+    if (!this.rpc.isConnected) {
+      throw new Error(ERROR_MESSAGES.RPC_NOT_CONNECTED);
+    }
+    const utxos = await this.rpc.getUtxos(this.address);
+    const totalAvailable = utxos.reduce((sum, utxo) => sum + utxo.amount, 0n);
+    if (totalAvailable < options.amount) {
+      throw new Error(ERROR_MESSAGES.INSUFFICIENT_BALANCE);
+    }
+    const result = await sendTransaction(
+      options,
+      utxos,
+      this.address,
+      // Use same address for change
+      this.privateKeyHex,
+      this.rpc,
+      this.network
+    );
+    this.emit({ type: "transaction_sent", txId: result.transactionId });
+    return result;
+  }
+  /**
+   * Send transaction with per-transaction passkey authentication
+   *
+   * **RECOMMENDED:** Use this method instead of `send()` for better security.
+   *
+   * This method prompts for passkey authentication for EACH transaction, using the
+   * transaction hash as the WebAuthn challenge. This provides cryptographic proof
+   * that the user approved THIS specific transaction.
+   *
+   * Benefits over `send()`:
+   * - Per-transaction authentication (user approves each transaction)
+   * - Transaction hash cryptographically bound to WebAuthn signature
+   * - Keys derived only when needed, not stored in memory
+   * - Matches standard wallet UX (MetaMask, hardware wallets)
+   *
+   * @param options - Send options (to, amount, priorityFee)
+   * @returns Transaction result with ID and fees
+   * @throws Error if authentication fails, insufficient balance, or network error
+   *
+   * @example
+   * ```typescript
+   * const result = await wallet.sendWithAuth({
+   *   to: 'kaspatest:qz...',
+   *   amount: 100000000n, // 1 KAS
+   * });
+   * console.log('Transaction ID:', result.transactionId);
+   * ```
+   */
+  async sendWithAuth(options) {
+    if (!this.rpc.isConnected) {
+      throw new Error(ERROR_MESSAGES.RPC_NOT_CONNECTED);
+    }
+    if (!this.credentialId) {
+      throw new Error("Credential ID not available. Cannot authenticate transaction.");
+    }
+    if (!this.passkeyPublicKey) {
+      throw new Error("Passkey public key not available. Cannot derive signing key.");
+    }
+    logger4.info("[PasskeyWallet] sendWithAuth() - Starting per-transaction auth flow");
+    const utxos = await this.rpc.getUtxos(this.address);
+    const totalAvailable = utxos.reduce((sum, utxo) => sum + utxo.amount, 0n);
+    if (totalAvailable < options.amount) {
+      throw new Error(ERROR_MESSAGES.INSUFFICIENT_BALANCE);
+    }
+    const outputs = [
+      {
+        address: options.to,
+        amount: options.amount
+      }
+    ];
+    const buildResult = await buildTransactions(
+      utxos,
+      outputs,
+      this.address,
+      options.priorityFee,
+      this.network
+    );
+    const { transactions, summary } = buildResult;
+    logger4.info("[PasskeyWallet] Built unsigned transactions:", {
+      count: transactions.length,
+      totalFee: summary.fees.toString()
+    });
+    const signedTransactions = [];
+    for (let i = 0; i < transactions.length; i++) {
+      const tx = transactions[i];
+      logger4.info(`[PasskeyWallet] Processing transaction ${i + 1}/${transactions.length}`);
+      const txHash = computeTransactionHash(tx);
+      logger4.info("[PasskeyWallet] Transaction hash computed:", {
+        length: txHash.length,
+        previewHex: Array.from(txHash.slice(0, 8)).map((b) => b.toString(16).padStart(2, "0")).join("")
+      });
+      logger4.info(
+        "[PasskeyWallet] Requesting passkey authentication for this transaction..."
+      );
+      const authResult = await authenticateWithChallenge(this.credentialId, txHash);
+      if (!authResult.success) {
+        throw new Error(
+          authResult.error ?? "Passkey authentication failed for transaction"
+        );
+      }
+      logger4.info("[PasskeyWallet] User authenticated - passkey signature received");
+      const verified = this.verifyAuthenticationForTransaction(authResult, txHash);
+      if (!verified) {
+        throw new Error(
+          "Authentication signature does not match transaction. Possible security issue."
+        );
+      }
+      logger4.info("[PasskeyWallet] \u2713 WebAuthn signature verified for this transaction");
+      const { privateKeyHex } = deriveKaspaKeysFromPasskey(this.passkeyPublicKey);
+      logger4.info("[PasskeyWallet] Derived secp256k1 signing key for this transaction");
+      await signTransactions([tx], privateKeyHex);
+      logger4.info("[PasskeyWallet] Transaction signed successfully");
+      signedTransactions.push(tx);
+    }
+    logger4.info("[PasskeyWallet] All transactions signed successfully");
+    const transactionIds = await submitTransactions(signedTransactions, this.rpc);
+    logger4.info("[PasskeyWallet] Transactions submitted:", transactionIds);
+    this.emit({
+      type: "transaction_sent",
+      txId: transactionIds[0]
+    });
+    return {
+      transactionId: transactionIds[0],
+      amount: options.amount,
+      fee: summary.fees
+    };
+  }
+  /**
+   * Estimate the fee for a transaction
+   *
+   * @param options - Send options (to, amount, priorityFee)
+   * @returns Transaction estimate with fees and UTXO count
+   * @throws Error if not connected
+   */
+  async estimateFee(options) {
+    if (!this.rpc.isConnected) {
+      throw new Error(ERROR_MESSAGES.RPC_NOT_CONNECTED);
+    }
+    const utxos = await this.rpc.getUtxos(this.address);
+    return estimateFee(
+      utxos,
+      [{ address: options.to, amount: options.amount }],
+      this.address,
+      options.priorityFee,
+      this.network
+    );
+  }
+  // ===========================================================================
+  // Event Handling
+  // ===========================================================================
+  /**
+   * Subscribe to wallet events
+   *
+   * @param handler - Event handler function
+   * @returns Unsubscribe function
+   */
+  on(handler) {
+    this.eventHandlers.add(handler);
+    return () => this.eventHandlers.delete(handler);
+  }
+  /**
+   * Emit an event to all subscribers
+   */
+  emit(event) {
+    this.eventHandlers.forEach((handler) => {
+      try {
+        handler(event);
+      } catch (error) {
+        logger4.error("Event handler error:", error);
+      }
+    });
+  }
+  // ===========================================================================
+  // Per-Transaction Authentication Helpers
+  // ===========================================================================
+  /**
+   * Verify that WebAuthn authentication result is for specific transaction
+   *
+   * This method ensures the WebAuthn signature was created for THIS specific
+   * transaction by verifying that the challenge in clientDataJSON matches the
+   * transaction hash.
+   *
+   * This prevents replay attacks where an attacker could try to reuse a signature
+   * from a different transaction.
+   *
+   * @param authResult - Authentication result from passkey
+   * @param txHash - Transaction hash that should be in the challenge
+   * @returns true if verified, false otherwise
+   */
+  verifyAuthenticationForTransaction(authResult, txHash) {
+    try {
+      const clientDataText = new TextDecoder().decode(authResult.clientDataJSON);
+      const clientData = JSON.parse(clientDataText);
+      logger4.debug("[PasskeyWallet] Verifying clientDataJSON:", {
+        type: clientData.type,
+        origin: clientData.origin,
+        challengePreview: clientData.challenge?.substring(0, 16)
+      });
+      const challengeBase64url = clientData.challenge;
+      if (!challengeBase64url) {
+        logger4.error("[PasskeyWallet] No challenge found in clientDataJSON");
+        return false;
+      }
+      const challengeBytes = base64urlToUint8Array(challengeBase64url);
+      if (challengeBytes.length !== txHash.length) {
+        logger4.error("[PasskeyWallet] Challenge length mismatch:", {
+          expected: txHash.length,
+          actual: challengeBytes.length
+        });
+        return false;
+      }
+      for (let i = 0; i < txHash.length; i++) {
+        if (challengeBytes[i] !== txHash[i]) {
+          logger4.error("[PasskeyWallet] Challenge byte mismatch at index:", i);
+          return false;
+        }
+      }
+      logger4.info("[PasskeyWallet] \u2713 WebAuthn challenge verified = transaction hash");
+      if (clientData.type !== "webauthn.get") {
+        logger4.error("[PasskeyWallet] Invalid clientData type:", clientData.type);
+        return false;
+      }
+      return true;
+    } catch (error) {
+      logger4.error("[PasskeyWallet] Failed to verify authentication:", error);
+      return false;
+    }
+  }
+  /**
+   * Disconnect the wallet (clears in-memory keys and network connection)
+   */
+  async disconnect() {
+    await this.rpc.disconnect();
+    this.privateKeyHex = "";
+    this.emit({ type: "disconnected" });
+    this.eventHandlers.clear();
+  }
+};
+// src/wasm.ts
+import {
+  PrivateKey as PrivateKey2,
+  PublicKey as PublicKey2,
+  Address as Address2,
+  NetworkType as NetworkType2,
+  NetworkId,
+  RpcClient as RpcClient2,
+  Resolver as Resolver2,
+  UtxoProcessor,
+  UtxoContext,
+  Generator as Generator3,
+  PendingTransaction as PendingTransaction3,
+  Transaction,
+  UtxoEntryReference as UtxoEntryReference3,
+  kaspaToSompi,
+  sompiToKaspaString,
+  sompiToKaspaStringWithSuffix,
+  signMessage,
+  verifyMessage,
+  signTransaction as signTransaction2,
+  createAddress as createAddress2,
+  payToAddressScript,
+  addressFromScriptPublicKey,
+  initConsolePanicHook as initConsolePanicHook2,
+  initBrowserPanicHook
+} from "@onekeyfe/kaspa-wasm";
+var initDebugMode = async () => {
+  const { initConsolePanicHook: initConsolePanicHook3 } = await import("@onekeyfe/kaspa-wasm");
+  initConsolePanicHook3();
+};
+export {
+  Address,
+  DEFAULT_NETWORK,
+  DEFAULT_PRIORITY_FEE_SOMPI,
+  ERROR_MESSAGES,
+  Generator3 as Generator,
+  KaspaRpc,
+  MIN_FEE_SOMPI,
+  NETWORK_ID,
+  NetworkType,
+  PasskeyWallet,
+  PendingTransaction3 as PendingTransaction,
+  PrivateKey,
+  PublicKey,
+  Resolver2 as Resolver,
+  RpcClient2 as RpcClient,
+  SOMPI_PER_KAS,
+  Transaction,
+  UtxoContext,
+  UtxoEntryReference3 as UtxoEntryReference,
+  UtxoProcessor,
+  authenticateWithChallenge,
+  buildTransactions,
+  computeTransactionHash,
+  createGenerator,
+  createLogger,
+  createPrivateKey,
+  deriveKaspaKeysFromPasskey,
+  estimateFee,
+  extractPublicKeyFromAttestation,
+  formatKas,
+  generatePrivateKey,
+  getAddressFromPrivateKey,
+  getDefaultRpc,
+  getNetworkFromAddress,
+  getNetworkIdString,
+  getNetworkType,
+  getPublicKeyHex,
+  hexToUint8Array,
+  initDebugMode,
+  isValidAddress,
+  isValidPrivateKey,
+  isWebAuthnSupported,
+  kasStringToSompi,
+  kasToSompi,
+  parseAddress,
+  parseKas,
+  publicKeyToAddress,
+  resetDefaultRpc,
+  sendTransaction,
+  signMessageWithKey,
+  signTransaction,
+  signTransactions,
+  sompiToKas,
+  sompiToKasString,
+  sompiToKasStringWithSuffix,
+  submitTransactions,
+  uint8ArrayToHex,
+  verifyDeterminism
+};