@le-space/p2pass 0.1.0

package/dist/identity/identity-service.js

@@ -0,0 +1,524 @@
+/**
+ * Identity service — orchestrates WebAuthn passkey auth with auto mode detection.
+ * Combines hardware signer and worker Ed25519 flows.
+ *
+ * Credential data is stored in an OrbitDB registry DB when available.
+ * Falls back to in-memory storage until setRegistry() is called.
+ */
+
+import {
+  WebAuthnHardwareSignerService,
+  loadWebAuthnCredentialSafe,
+  getStoredWebAuthnHardwareSignerInfo,
+  extractPrfSeedFromCredential,
+  initEd25519KeystoreWithPrfSeed,
+  generateWorkerEd25519DID,
+  loadWorkerEd25519Archive,
+  encryptArchive,
+  decryptArchive,
+} from '@le-space/orbitdb-identity-provider-webauthn-did/standalone';
+
+import {
+  storeKeypairEntry,
+  getKeypairEntry,
+  storeArchiveEntry,
+  getArchiveEntry,
+  listKeypairs,
+} from '../registry/device-registry.js';
+
+import {
+  computeDeterministicPrfSalt,
+  deriveIPNSKeyPair,
+  recoverPrfSeed,
+} from '../recovery/ipns-key.js';
+
+import { resolveSigningPreference } from './signing-preference.js';
+
+const ARCHIVE_CACHE_KEY = 'p2p_passkeys_worker_archive';
+
+/**
+ * Best-effort: this origin likely already has passkey / identity material (no WebAuthn prompt).
+ * Uses the same signals as restore paths — false negatives are OK (same handlers still apply).
+ *
+ * @returns {boolean}
+ */
+export function hasLocalPasskeyHint() {
+  if (typeof globalThis.localStorage === 'undefined') return false;
+  try {
+    const hw = getStoredWebAuthnHardwareSignerInfo();
+    if (hw?.did) return true;
+  } catch {
+    /* ignore */
+  }
+  try {
+    if (loadWebAuthnCredentialSafe()) return true;
+  } catch {
+    /* ignore */
+  }
+  try {
+    const raw = localStorage.getItem(ARCHIVE_CACHE_KEY);
+    if (!raw) return false;
+    const parsed = JSON.parse(raw);
+    if (parsed && (parsed.did || parsed.ciphertext)) return true;
+  } catch {
+    /* ignore */
+  }
+  return false;
+}
+
+export class IdentityService {
+  #mode = null;
+  #did = null;
+  #algorithm = null;
+  #signer = null;
+  #hardwareService = null;
+  #archive = null;
+  #registryDb = null;
+
+  // Hold credentials in memory until registry DB is available
+  #pendingCredentials = null;
+  #prfSeed = null;
+  #ipnsKeyPair = null;
+
+  constructor() {
+    this.#hardwareService = new WebAuthnHardwareSignerService();
+  }
+
+  /**
+   * Bind an OrbitDB registry database for credential storage.
+   * If pending credentials exist from a prior initialize() call, flushes them.
+   *
+   * @param {Object} db - OrbitDB KeyValue database (from openDeviceRegistry)
+   */
+  async setRegistry(db) {
+    this.#registryDb = db;
+    console.log('[identity] Registry DB bound');
+
+    // Flush pending credentials to registry
+    if (this.#pendingCredentials) {
+      const { publicKeyHex, did, ciphertext, iv } = this.#pendingCredentials;
+      await storeKeypairEntry(db, did, publicKeyHex);
+      await storeArchiveEntry(db, did, ciphertext, iv);
+      console.log('[identity] Flushed pending credentials to registry DB');
+      this.#pendingCredentials = null;
+    }
+  }
+
+  /**
+   * Get the bound registry DB (or null).
+   * @returns {Object|null}
+   */
+  getRegistry() {
+    return this.#registryDb;
+  }
+
+  /**
+   * Initialize identity — auto-detect hardware vs worker mode.
+   * If existing credentials found, restores them (may prompt biometric for worker PRF).
+   * If no credentials, creates new passkey.
+   *
+   * @param {'platform'|'cross-platform'} [authenticatorType]
+   * @param {{ preferWorkerMode?: boolean, signingPreference?: import('./signing-preference.js').SigningPreference }} [options]
+   * @returns {Promise<{ mode: string, did: string, algorithm: string }>}
+   */
+  async initialize(authenticatorType, options = {}) {
+    const { preferWorkerMode = false, signingPreference = null } = options;
+    const pref = resolveSigningPreference({ preferWorkerMode, signingPreference });
+    const preferWorker = pref === 'worker';
+    const forceP256Hardware = pref === 'hardware-p256';
+
+    console.log(
+      '[identity] Initializing...',
+      preferWorker ? '(worker)' : `(hardware, forceP256=${forceP256Hardware})`
+    );
+
+    // Try hardware mode first (unless worker mode is selected)
+    if (!preferWorker) {
+      try {
+        const signer = await this.#hardwareService.initialize({
+          authenticatorType,
+          forceP256: forceP256Hardware,
+        });
+
+        if (signer) {
+          this.#mode = 'hardware';
+          this.#did = this.#hardwareService.getDID();
+          this.#algorithm = this.#hardwareService.getAlgorithm() || 'Ed25519';
+          this.#signer = signer;
+          console.log(`[identity] Hardware mode (${this.#algorithm}), DID: ${this.#did}`);
+          return this.getSigningMode();
+        }
+      } catch (err) {
+        console.warn('[identity] Hardware mode failed, trying worker...', err.message);
+      }
+    }
+
+    // Worker mode — try to restore existing identity
+    const restored = await this.#tryRestoreWorkerIdentity();
+    if (restored) {
+      console.log(`[identity] Restored worker identity, DID: ${this.#did}`);
+      return this.getSigningMode();
+    }
+
+    // No existing identity — create new worker identity
+    await this.#createWorkerIdentity(authenticatorType);
+    console.log(`[identity] Created new worker identity, DID: ${this.#did}`);
+    return this.getSigningMode();
+  }
+
+  /**
+   * Force create a new identity (discards existing).
+   * @param {'platform'|'cross-platform'} [authenticatorType]
+   * @param {{ preferWorkerMode?: boolean, signingPreference?: import('./signing-preference.js').SigningPreference }} [options]
+   * @returns {Promise<{ mode: string, did: string, algorithm: string }>}
+   */
+  async createNewIdentity(authenticatorType, options = {}) {
+    this.#hardwareService.clear();
+    this.#mode = null;
+    this.#did = null;
+    this.#signer = null;
+    this.#archive = null;
+    this.#pendingCredentials = null;
+
+    return this.initialize(authenticatorType, options);
+  }
+
+  /**
+   * Recovery entry point — uses discoverable credentials to derive IPNS key.
+   * Does NOT restore the DID — caller must resolve manifest and restore registry first.
+   * @returns {Promise<{ prfSeed: Uint8Array, ipnsKeyPair: Object, rawCredentialId: Uint8Array }>}
+   */
+  async initializeFromRecovery() {
+    console.log('[identity] Starting recovery via discoverable credential...');
+    const { prfSeed, rawCredentialId, credential } = await recoverPrfSeed();
+
+    this.#prfSeed = prfSeed;
+    this.#ipnsKeyPair = await deriveIPNSKeyPair(prfSeed);
+
+    console.log('[identity] Recovery: IPNS keypair derived');
+    return { prfSeed, ipnsKeyPair: this.#ipnsKeyPair, rawCredentialId };
+  }
+
+  /**
+   * Restore DID from an encrypted archive entry (from registry DB after recovery).
+   * Uses the PRF seed stored during initializeFromRecovery().
+   * @param {Object} archiveEntry - { ciphertext: string (hex), iv: string (hex) }
+   * @param {string} did - The owner DID from the manifest
+   * @returns {Promise<void>}
+   */
+  async restoreFromManifest(archiveEntry, did) {
+    if (!this.#prfSeed) {
+      throw new Error('No PRF seed available. Call initializeFromRecovery() first.');
+    }
+
+    console.log('[identity] Restoring DID from manifest + registry archive...');
+
+    // Init worker keystore with PRF
+    await initEd25519KeystoreWithPrfSeed(this.#prfSeed);
+
+    // Decrypt archive
+    const ciphertext = hexToBytes(archiveEntry.ciphertext);
+    const iv = hexToBytes(archiveEntry.iv);
+    const archive = await decryptArchive(ciphertext, iv);
+
+    // Load archive into worker
+    await loadWorkerEd25519Archive(archive);
+
+    this.#mode = 'worker';
+    this.#did = did;
+    this.#algorithm = 'Ed25519';
+    this.#archive = archive;
+
+    console.log(`[identity] DID restored from manifest: ${did}`);
+  }
+
+  /**
+   * Get current signing mode info.
+   * @returns {{ mode: string|null, did: string|null, algorithm: string|null, secure: boolean }}
+   */
+  getSigningMode() {
+    return {
+      mode: this.#mode,
+      did: this.#did,
+      algorithm: this.#algorithm,
+      secure: this.#mode === 'hardware',
+    };
+  }
+
+  /**
+   * Get a UCAN-compatible principal/signer.
+   * For hardware mode: returns varsig signer via toUcantoSigner()
+   * For worker mode: returns Ed25519 principal from archive
+   *
+   * @returns {Promise<any>} UCAN signer
+   */
+  async getPrincipal() {
+    if (this.#mode === 'hardware' && this.#signer) {
+      return this.#signer.toUcantoSigner();
+    }
+
+    if (this.#mode === 'worker' && this.#archive) {
+      const { from } = await import('@ucanto/principal/ed25519');
+      return from(this.#archive);
+    }
+
+    throw new Error('No identity initialized. Call initialize() first.');
+  }
+
+  /**
+   * @returns {boolean}
+   */
+  isInitialized() {
+    return this.#mode !== null && this.#did !== null;
+  }
+
+  /**
+   * Get the derived IPNS keypair (available after initialize or recovery).
+   * @returns {{ privateKey: Object, publicKey: Object }|null}
+   */
+  getIPNSKeyPair() {
+    return this.#ipnsKeyPair;
+  }
+
+  /**
+   * Get the stored PRF seed (available after initialize or recovery).
+   * @returns {Uint8Array|null}
+   */
+  getPrfSeed() {
+    return this.#prfSeed;
+  }
+
+  /**
+   * Get the encrypted archive data (ciphertext + iv as hex strings) for the current identity.
+   * Used by manifest publishing to upload the archive to IPFS for auth-free recovery.
+   *
+   * @returns {Promise<{ ciphertext: string, iv: string }|null>}
+   */
+  async getEncryptedArchiveData() {
+    if (!this.#did) return null;
+
+    // From pending credentials (not yet flushed to registry)
+    if (this.#pendingCredentials) {
+      return { ciphertext: this.#pendingCredentials.ciphertext, iv: this.#pendingCredentials.iv };
+    }
+
+    // From registry DB
+    if (this.#registryDb) {
+      const entry = await getArchiveEntry(this.#registryDb, this.#did);
+      if (entry) return { ciphertext: entry.ciphertext, iv: entry.iv };
+    }
+
+    // From localStorage cache
+    const cached = this.#loadCachedArchive();
+    if (cached && cached.did === this.#did) {
+      return { ciphertext: cached.ciphertext, iv: cached.iv };
+    }
+
+    return null;
+  }
+
+  /**
+   * Try to restore a worker identity.
+   * Checks registry DB first, falls back to in-memory pending credentials.
+   * Requires WebAuthn re-auth to get PRF seed for archive decryption.
+   */
+  async #tryRestoreWorkerIdentity() {
+    try {
+      // Try registry DB first
+      if (this.#registryDb) {
+        const keypairs = await listKeypairs(this.#registryDb);
+        if (keypairs.length > 0) {
+          const keypair = keypairs[0]; // use first keypair
+          const archiveEntry = await getArchiveEntry(this.#registryDb, keypair.did);
+
+          if (archiveEntry) {
+            return await this.#restoreFromEncryptedArchive(keypair, archiveEntry);
+          }
+        }
+      }
+
+      // Fallback: try localStorage cache (bootstrap before registry is available)
+      const cached = this.#loadCachedArchive();
+      if (cached) {
+        const credential = loadWebAuthnCredentialSafe();
+        if (credential) {
+          console.log('[identity] Found cached archive, attempting restore via biometric...');
+          return await this.#restoreFromEncryptedArchive(
+            { did: cached.did, publicKey: cached.publicKeyHex },
+            { ciphertext: cached.ciphertext, iv: cached.iv }
+          );
+        }
+      }
+
+      return false;
+    } catch (err) {
+      console.warn('[identity] Failed to restore worker identity:', err.message);
+      return false;
+    }
+  }
+
+  /**
+   * Restore worker identity from encrypted archive data.
+   * @param {Object} keypair - { did, publicKey }
+   * @param {Object} archiveEntry - { ciphertext, iv }
+   * @returns {Promise<boolean>}
+   */
+  async #restoreFromEncryptedArchive(keypair, archiveEntry) {
+    // Need PRF seed to decrypt — requires WebAuthn re-auth
+    const credential = loadWebAuthnCredentialSafe();
+    if (!credential) {
+      console.warn('[identity] Stored keypair but no WebAuthn credential for PRF');
+      return false;
+    }
+
+    console.log('[identity] Restoring worker identity (biometric required)...');
+    const { seed: prfSeed } = await extractPrfSeedFromCredential(credential);
+
+    // Store PRF seed and derive IPNS keypair
+    this.#prfSeed = prfSeed;
+    try {
+      this.#ipnsKeyPair = await deriveIPNSKeyPair(prfSeed);
+      console.log('[identity] IPNS keypair derived (restore)');
+    } catch (err) {
+      console.warn('[identity] Failed to derive IPNS keypair:', err.message);
+    }
+
+    // Init worker keystore with PRF
+    await initEd25519KeystoreWithPrfSeed(prfSeed);
+
+    // Decrypt archive
+    const ciphertext = hexToBytes(archiveEntry.ciphertext);
+    const iv = hexToBytes(archiveEntry.iv);
+    const archive = await decryptArchive(ciphertext, iv);
+
+    // Load archive into worker
+    await loadWorkerEd25519Archive(archive);
+
+    this.#mode = 'worker';
+    this.#did = keypair.did;
+    this.#algorithm = 'Ed25519';
+    this.#archive = archive;
+
+    return true;
+  }
+
+  #loadCachedArchive() {
+    try {
+      const raw = localStorage.getItem(ARCHIVE_CACHE_KEY);
+      if (!raw) return null;
+      return JSON.parse(raw);
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Create a new worker-mode Ed25519 identity.
+   */
+  async #createWorkerIdentity(authenticatorType) {
+    // Create WebAuthn credential with PRF
+    const credential = await this.#createWebAuthnCredential(authenticatorType);
+
+    // Extract PRF seed
+    const { seed: prfSeed } = await extractPrfSeedFromCredential(credential);
+
+    // Store PRF seed and derive IPNS keypair
+    this.#prfSeed = prfSeed;
+    try {
+      this.#ipnsKeyPair = await deriveIPNSKeyPair(prfSeed);
+      console.log('[identity] IPNS keypair derived');
+    } catch (err) {
+      console.warn('[identity] Failed to derive IPNS keypair:', err.message);
+    }
+
+    // Init worker with PRF seed
+    await initEd25519KeystoreWithPrfSeed(prfSeed);
+
+    // Generate Ed25519 DID in worker
+    const { publicKey, did, archive } = await generateWorkerEd25519DID();
+
+    // Encrypt archive for storage
+    const { ciphertext, iv } = await encryptArchive(archive);
+
+    const publicKeyHex = bytesToHex(publicKey);
+    const ciphertextHex = bytesToHex(ciphertext);
+    const ivHex = bytesToHex(iv);
+
+    // Store in registry DB if available, otherwise hold in memory
+    if (this.#registryDb) {
+      await storeKeypairEntry(this.#registryDb, did, publicKeyHex);
+      await storeArchiveEntry(this.#registryDb, did, ciphertextHex, ivHex);
+      console.log('[identity] Credentials stored in registry DB');
+    } else {
+      this.#pendingCredentials = {
+        publicKeyHex,
+        did,
+        ciphertext: ciphertextHex,
+        iv: ivHex,
+      };
+      console.log('[identity] Credentials held in memory (registry not yet bound)');
+    }
+
+    this.#mode = 'worker';
+    this.#did = did;
+    this.#algorithm = 'Ed25519';
+    this.#archive = archive;
+  }
+
+  /**
+   * Create a WebAuthn credential with PRF extension.
+   */
+  async #createWebAuthnCredential(authenticatorType) {
+    const challenge = crypto.getRandomValues(new Uint8Array(32));
+    const prfSalt = await computeDeterministicPrfSalt();
+
+    const createOptions = {
+      publicKey: {
+        rp: {
+          name: 'P2P Passkeys',
+          id: globalThis.location?.hostname || 'localhost',
+        },
+        user: {
+          id: crypto.getRandomValues(new Uint8Array(16)),
+          name: 'p2p-user',
+          displayName: 'P2P User',
+        },
+        challenge,
+        pubKeyCredParams: [
+          { type: 'public-key', alg: -7 }, // ES256 (P-256)
+          { type: 'public-key', alg: -257 }, // RS256
+        ],
+        authenticatorSelection: {
+          authenticatorAttachment: authenticatorType || 'platform',
+          residentKey: 'required',
+          userVerification: 'preferred',
+        },
+        extensions: {
+          prf: { eval: { first: prfSalt } },
+        },
+      },
+    };
+
+    const credential = await navigator.credentials.create(createOptions);
+
+    // Attach metadata for storage
+    credential.prfInput = prfSalt;
+    credential.rawCredentialId = new Uint8Array(credential.rawId);
+
+    return credential;
+  }
+}
+
+function bytesToHex(bytes) {
+  return Array.from(bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes))
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('');
+}
+
+function hexToBytes(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substr(i, 2), 16);
+  }
+  return bytes;
+}

package/dist/identity/mode-detector.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Detect the best available signing mode.
+ * Priority: hardware Ed25519 > hardware P-256 > stored worker keypair > null (needs setup)
+ *
+ * @param {{ authenticatorType?: 'platform'|'cross-platform', forceWorker?: boolean, registryDb?: Object }} options
+ * @returns {Promise<{ mode: 'hardware'|'worker'|null, signer?: any, did?: string, algorithm?: string }>}
+ */
+export function detectSigningMode(options?: {
+    authenticatorType?: "platform" | "cross-platform";
+    forceWorker?: boolean;
+    registryDb?: Object;
+}): Promise<{
+    mode: "hardware" | "worker" | null;
+    signer?: any;
+    did?: string;
+    algorithm?: string;
+}>;
+/**
+ * Get stored signing mode info without requiring biometric auth.
+ * Checks registry DB first if provided, then falls back to hardware signer storage.
+ *
+ * @param {Object} [registryDb] - OrbitDB registry database
+ * @returns {Promise<{ mode: 'hardware'|'worker'|null, did?: string, algorithm?: string }>}
+ */
+export function getStoredSigningMode(registryDb?: Object): Promise<{
+    mode: "hardware" | "worker" | null;
+    did?: string;
+    algorithm?: string;
+}>;

package/dist/identity/mode-detector.js

@@ -0,0 +1,124 @@
+/**
+ * Signing mode detection — auto-detects hardware vs worker WebAuthn mode.
+ * Ported from ucan-upload-wall's ucan-delegation.ts mode detection logic.
+ */
+
+import {
+  WebAuthnHardwareSignerService,
+  checkEd25519Support,
+  getStoredWebAuthnHardwareSignerInfo,
+} from '@le-space/orbitdb-identity-provider-webauthn-did/standalone';
+
+import { listKeypairs } from '../registry/device-registry.js';
+
+/**
+ * Detect the best available signing mode.
+ * Priority: hardware Ed25519 > hardware P-256 > stored worker keypair > null (needs setup)
+ *
+ * @param {{ authenticatorType?: 'platform'|'cross-platform', forceWorker?: boolean, registryDb?: Object }} options
+ * @returns {Promise<{ mode: 'hardware'|'worker'|null, signer?: any, did?: string, algorithm?: string }>}
+ */
+export async function detectSigningMode(options = {}) {
+  const { forceWorker = false, registryDb } = options;
+
+  // Check for stored mode first (fast path, no biometric)
+  const stored = await getStoredSigningMode(registryDb);
+  if (stored.mode) {
+    console.log(`Stored signing mode found: ${stored.mode} (${stored.algorithm})`);
+    return stored;
+  }
+
+  // Try hardware mode unless forced to worker
+  if (!forceWorker) {
+    try {
+      const hardwareResult = await tryHardwareMode(options);
+      if (hardwareResult) {
+        console.log(`Hardware mode initialized: ${hardwareResult.algorithm}`);
+        return hardwareResult;
+      }
+    } catch (err) {
+      console.warn('Hardware mode detection failed:', err.message);
+    }
+  }
+
+  // No stored mode and hardware failed — needs setup
+  return { mode: null };
+}
+
+/**
+ * Get stored signing mode info without requiring biometric auth.
+ * Checks registry DB first if provided, then falls back to hardware signer storage.
+ *
+ * @param {Object} [registryDb] - OrbitDB registry database
+ * @returns {Promise<{ mode: 'hardware'|'worker'|null, did?: string, algorithm?: string }>}
+ */
+export async function getStoredSigningMode(registryDb) {
+  // Check hardware signer storage
+  try {
+    const hardwareInfo = getStoredWebAuthnHardwareSignerInfo();
+    if (hardwareInfo && hardwareInfo.did) {
+      return {
+        mode: 'hardware',
+        did: hardwareInfo.did,
+        algorithm: hardwareInfo.algorithm || 'Ed25519',
+      };
+    }
+  } catch {
+    // No stored hardware signer
+  }
+
+  // Check registry DB for worker keypairs
+  if (registryDb) {
+    try {
+      const keypairs = await listKeypairs(registryDb);
+      if (keypairs.length > 0 && keypairs[0].did) {
+        return {
+          mode: 'worker',
+          did: keypairs[0].did,
+          algorithm: 'Ed25519',
+        };
+      }
+    } catch {
+      // Registry read failed
+    }
+  }
+
+  return { mode: null };
+}
+
+/**
+ * Try to initialize hardware signing mode.
+ * @returns {Promise<{ mode: 'hardware', signer: any, did: string, algorithm: string }|null>}
+ */
+async function tryHardwareMode(options = {}) {
+  const { authenticatorType } = options;
+
+  // Check browser support
+  const ed25519Supported = await checkEd25519Support();
+  console.log(`Ed25519 hardware support: ${ed25519Supported}`);
+
+  const service = new WebAuthnHardwareSignerService();
+
+  try {
+    const signer = await service.initialize({
+      authenticatorType,
+      preferEd25519: true,
+    });
+
+    if (signer) {
+      const did = service.getDID();
+      const algorithm = service.getAlgorithm() || 'Ed25519';
+
+      return {
+        mode: 'hardware',
+        signer,
+        did,
+        algorithm,
+      };
+    }
+  } catch (err) {
+    console.warn('Hardware signer initialization failed:', err.message);
+  }
+
+  return null;
+}

package/dist/identity/signing-preference.d.ts

@@ -0,0 +1,30 @@
+/**
+ * @param {unknown} v
+ * @returns {v is SigningPreference}
+ */
+export function isSigningPreference(v: unknown): v is SigningPreference;
+/**
+ * @returns {SigningPreference|null}
+ */
+export function readSigningPreferenceFromStorage(): SigningPreference | null;
+/**
+ * @param {SigningPreference} pref
+ */
+export function writeSigningPreferenceToStorage(pref: SigningPreference): void;
+/**
+ * @param {{ signingPreference?: SigningPreference | null, preferWorkerMode?: boolean }} opts
+ * @returns {SigningPreference}
+ */
+export function resolveSigningPreference(opts: {
+    signingPreference?: SigningPreference | null;
+    preferWorkerMode?: boolean;
+}): SigningPreference;
+/**
+ * User-selectable signing strategy for OrbitDB WebAuthn DID (hardware Ed25519 / hardware P-256 / worker Ed25519).
+ * Maps to {@link IdentityService} `initialize` options and WebAuthn `forceP256` in the upstream provider.
+ */
+export const SIGNING_PREFERENCE_STORAGE_KEY: "p2p_passkeys_signing_preference";
+/** @typedef {'hardware-ed25519' | 'hardware-p256' | 'worker'} SigningPreference */
+/** @type {SigningPreference[]} */
+export const SIGNING_PREFERENCE_LIST: SigningPreference[];
+export type SigningPreference = "hardware-ed25519" | "hardware-p256" | "worker";