@metamask-previews/passkey-controller 0.0.0-preview-4c0846313

package/dist/ceremony-manager.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"ceremony-manager.cjs","sourceRoot":"","sources":["../src/ceremony-manager.ts"],"names":[],"mappings":";;;;;;;;;AAKA,qEAAqE;AACxD,QAAA,mBAAmB,GAAG,KAAM,CAAC;AAE1C;;;GAGG;AACU,QAAA,qBAAqB,GAAG,KAAM,CAAC;AAE5C;;;;GAIG;AACU,QAAA,mBAAmB,GAAG,2BAAmB,GAAG,6BAAqB,CAAC;AAE/E;;;GAGG;AACU,QAAA,iCAAiC,GAAG,EAAE,CAAC;AAIpD;;;GAGG;AACH,MAAa,eAAe;IAA5B;;QACW,2CAAmB,IAAI,GAAG,EAAuC,EAAC;QAElE,6CAAqB,IAAI,GAAG,EAGlC,EAAC;IAkIN,CAAC;IAjFC;;;;;OAKG;IACH,wBAAwB,CACtB,SAAiB,EACjB,QAAqC;QAErC,uBAAA,IAAI,iEAAc,MAAlB,IAAI,EAAe,cAAc,CAAC,CAAC;QACnC,uBAAA,IAAI,oEAAiB,MAArB,IAAI,EAAkB,cAAc,CAAC,CAAC;QACtC,uBAAA,IAAI,wCAAiB,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;IAED;;;;;OAKG;IACH,0BAA0B,CACxB,SAAiB,EACjB,QAAuC;QAEvC,uBAAA,IAAI,iEAAc,MAAlB,IAAI,EAAe,gBAAgB,CAAC,CAAC;QACrC,uBAAA,IAAI,oEAAiB,MAArB,IAAI,EAAkB,gBAAgB,CAAC,CAAC;QACxC,uBAAA,IAAI,0CAAmB,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IAED;;;;;OAKG;IACH,uBAAuB,CACrB,SAAiB;QAEjB,uBAAA,IAAI,iEAAc,MAAlB,IAAI,EAAe,cAAc,CAAC,CAAC;QACnC,OAAO,uBAAA,IAAI,wCAAiB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9C,CAAC;IAED;;;;;OAKG;IACH,yBAAyB,CACvB,SAAiB;QAEjB,uBAAA,IAAI,iEAAc,MAAlB,IAAI,EAAe,gBAAgB,CAAC,CAAC;QACrC,OAAO,uBAAA,IAAI,0CAAmB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAChD,CAAC;IAED;;;;;OAKG;IACH,0BAA0B,CAAC,SAAiB;QAC1C,OAAO,uBAAA,IAAI,wCAAiB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IAED;;;;;OAKG;IACH,4BAA4B,CAAC,SAAiB;QAC5C,OAAO,uBAAA,IAAI,0CAAmB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACnD,CAAC;IAED,sEAAsE;IACtE,KAAK;QACH,uBAAA,IAAI,wCAAiB,CAAC,KAAK,EAAE,CAAC;QAC9B,uBAAA,IAAI,0CAAmB,CAAC,KAAK,EAAE,CAAC;IAClC,CAAC;CACF;AAxID,0CAwIC;6MAzHG,YAA0B;IAE1B,OAAO,YAAY,KAAK,cAAc;QACpC,CAAC,CAAC,uBAAA,IAAI,wCAAiB;QACvB,CAAC,CAAC,uBAAA,IAAI,0CAAmB,CAAC;AAC9B,CAAC,yEAEa,YAA0B;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,GAAG,GAAG,uBAAA,IAAI,2DAAQ,MAAZ,IAAI,EAAS,YAAY,CAAC,CAAC;IACvC,KAAK,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,GAAG,EAAE,CAAC;QAClC,IAAI,GAAG,GAAG,QAAQ,CAAC,SAAS,GAAG,2BAAmB,EAAE,CAAC;YACnD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;AACH,CAAC,+EAOgB,YAA0B;IACzC,MAAM,GAAG,GAAG,uBAAA,IAAI,2DAAQ,MAAZ,IAAI,EAAS,YAAY,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC,IAAI,IAAI,yCAAiC,EAAE,CAAC;QACrD,IAAI,SAA6B,CAAC;QAClC,IAAI,UAAU,GAAG,QAAQ,CAAC;QAC1B,KAAK,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,GAAG,EAAE,CAAC;YACrC,IAAI,QAAQ,CAAC,SAAS,GAAG,UAAU,EAAE,CAAC;gBACpC,UAAU,GAAG,QAAQ,CAAC,SAAS,CAAC;gBAChC,SAAS,GAAG,MAAM,CAAC;YACrB,CAAC;QACH,CAAC;QACD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,MAAM;QACR,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACxB,CAAC;AACH,CAAC","sourcesContent":["import type {\n  PasskeyAuthenticationCeremony,\n  PasskeyRegistrationCeremony,\n} from './types';\n\n/** WebAuthn `timeout` for credential creation and assertion (ms). */\nexport const WEBAUTHN_TIMEOUT_MS = 60_000;\n\n/**\n * Extra allowance beyond {@link WEBAUTHN_TIMEOUT_MS} before in-memory\n * ceremony state is discarded (covers slow UX and clock skew).\n */\nexport const CEREMONY_TTL_SLACK_MS = 15_000;\n\n/**\n * Maximum age for in-flight registration or authentication ceremony state\n * (between options and verified response). This bounds the lifetime of a\n * single WebAuthn ceremony only; it is not a user login session timeout.\n */\nexport const CEREMONY_MAX_AGE_MS = WEBAUTHN_TIMEOUT_MS + CEREMONY_TTL_SLACK_MS;\n\n/**\n * Upper bound on concurrent in-memory ceremonies per flow type (registration\n * vs authentication), for abuse / leak protection.\n */\nexport const MAX_CONCURRENT_PASSKEY_CEREMONIES = 16;\n\ntype CeremonyFlow = 'registration' | 'authentication';\n\n/**\n * In-memory store for in-flight WebAuthn ceremonies (registration vs authentication),\n * keyed by base64url challenge. Enforces TTL and a per-flow size cap; not user session state.\n */\nexport class CeremonyManager {\n  readonly #registrationMap = new Map<string, PasskeyRegistrationCeremony>();\n\n  readonly #authenticationMap = new Map<\n    string,\n    PasskeyAuthenticationCeremony\n  >();\n\n  /**\n   * Challenge-keyed map for prune/capacity helpers.\n   *\n   * @param ceremonyType - Which in-flight ceremony map to use.\n   * @returns The registration or authentication ceremony map for the given flow.\n   */\n  #getMap(\n    ceremonyType: CeremonyFlow,\n  ): Map<string, PasskeyRegistrationCeremony | PasskeyAuthenticationCeremony> {\n    return ceremonyType === 'registration'\n      ? this.#registrationMap\n      : this.#authenticationMap;\n  }\n\n  #pruneExpired(ceremonyType: CeremonyFlow): void {\n    const now = Date.now();\n    const map = this.#getMap(ceremonyType);\n    for (const [key, ceremony] of map) {\n      if (now - ceremony.createdAt > CEREMONY_MAX_AGE_MS) {\n        map.delete(key);\n      }\n    }\n  }\n\n  /**\n   * Removes the oldest entry (by `createdAt`) until size is below the cap.\n   *\n   * @param ceremonyType - Which in-flight ceremony map to evict from.\n   */\n  #enforceCapacity(ceremonyType: CeremonyFlow): void {\n    const map = this.#getMap(ceremonyType);\n    while (map.size >= MAX_CONCURRENT_PASSKEY_CEREMONIES) {\n      let oldestKey: string | undefined;\n      let oldestTime = Infinity;\n      for (const [mapKey, ceremony] of map) {\n        if (ceremony.createdAt < oldestTime) {\n          oldestTime = ceremony.createdAt;\n          oldestKey = mapKey;\n        }\n      }\n      if (oldestKey === undefined) {\n        break;\n      }\n      map.delete(oldestKey);\n    }\n  }\n\n  /**\n   * Records registration ceremony state after pruning expired rows and evicting oldest if at cap.\n   *\n   * @param challenge - Same base64url challenge as in the creation options `challenge` field.\n   * @param ceremony - Payload to retrieve when the registration response returns.\n   */\n  saveRegistrationCeremony(\n    challenge: string,\n    ceremony: PasskeyRegistrationCeremony,\n  ): void {\n    this.#pruneExpired('registration');\n    this.#enforceCapacity('registration');\n    this.#registrationMap.set(challenge, ceremony);\n  }\n\n  /**\n   * Records authentication ceremony state after pruning expired rows and evicting oldest if at cap.\n   *\n   * @param challenge - Same base64url challenge as in the request options `challenge` field.\n   * @param ceremony - Payload to retrieve when the assertion response returns.\n   */\n  saveAuthenticationCeremony(\n    challenge: string,\n    ceremony: PasskeyAuthenticationCeremony,\n  ): void {\n    this.#pruneExpired('authentication');\n    this.#enforceCapacity('authentication');\n    this.#authenticationMap.set(challenge, ceremony);\n  }\n\n  /**\n   * Returns registration ceremony for a challenge, pruning expired entries on this map first.\n   *\n   * @param challenge - Base64url challenge from decoded `clientDataJSON` (matches stored key).\n   * @returns Stored ceremony, or `undefined` if none or expired.\n   */\n  getRegistrationCeremony(\n    challenge: string,\n  ): PasskeyRegistrationCeremony | undefined {\n    this.#pruneExpired('registration');\n    return this.#registrationMap.get(challenge);\n  }\n\n  /**\n   * Returns authentication ceremony for a challenge, pruning expired entries on this map first.\n   *\n   * @param challenge - Base64url challenge from decoded `clientDataJSON` (matches stored key).\n   * @returns Stored ceremony, or `undefined` if none or expired.\n   */\n  getAuthenticationCeremony(\n    challenge: string,\n  ): PasskeyAuthenticationCeremony | undefined {\n    this.#pruneExpired('authentication');\n    return this.#authenticationMap.get(challenge);\n  }\n\n  /**\n   * Removes a registration ceremony by challenge.\n   *\n   * @param challenge - Map key for the ceremony to remove.\n   * @returns Whether an entry was deleted.\n   */\n  deleteRegistrationCeremony(challenge: string): boolean {\n    return this.#registrationMap.delete(challenge);\n  }\n\n  /**\n   * Removes an authentication ceremony by challenge.\n   *\n   * @param challenge - Map key for the ceremony to remove.\n   * @returns Whether an entry was deleted.\n   */\n  deleteAuthenticationCeremony(challenge: string): boolean {\n    return this.#authenticationMap.delete(challenge);\n  }\n\n  /** Drops all in-flight registration and authentication ceremonies. */\n  clear(): void {\n    this.#registrationMap.clear();\n    this.#authenticationMap.clear();\n  }\n}\n"]}

package/dist/ceremony-manager.d.cts

@@ -0,0 +1,71 @@
+import type { PasskeyAuthenticationCeremony, PasskeyRegistrationCeremony } from "./types.cjs";
+/** WebAuthn `timeout` for credential creation and assertion (ms). */
+export declare const WEBAUTHN_TIMEOUT_MS = 60000;
+/**
+ * Extra allowance beyond {@link WEBAUTHN_TIMEOUT_MS} before in-memory
+ * ceremony state is discarded (covers slow UX and clock skew).
+ */
+export declare const CEREMONY_TTL_SLACK_MS = 15000;
+/**
+ * Maximum age for in-flight registration or authentication ceremony state
+ * (between options and verified response). This bounds the lifetime of a
+ * single WebAuthn ceremony only; it is not a user login session timeout.
+ */
+export declare const CEREMONY_MAX_AGE_MS: number;
+/**
+ * Upper bound on concurrent in-memory ceremonies per flow type (registration
+ * vs authentication), for abuse / leak protection.
+ */
+export declare const MAX_CONCURRENT_PASSKEY_CEREMONIES = 16;
+/**
+ * In-memory store for in-flight WebAuthn ceremonies (registration vs authentication),
+ * keyed by base64url challenge. Enforces TTL and a per-flow size cap; not user session state.
+ */
+export declare class CeremonyManager {
+    #private;
+    /**
+     * Records registration ceremony state after pruning expired rows and evicting oldest if at cap.
+     *
+     * @param challenge - Same base64url challenge as in the creation options `challenge` field.
+     * @param ceremony - Payload to retrieve when the registration response returns.
+     */
+    saveRegistrationCeremony(challenge: string, ceremony: PasskeyRegistrationCeremony): void;
+    /**
+     * Records authentication ceremony state after pruning expired rows and evicting oldest if at cap.
+     *
+     * @param challenge - Same base64url challenge as in the request options `challenge` field.
+     * @param ceremony - Payload to retrieve when the assertion response returns.
+     */
+    saveAuthenticationCeremony(challenge: string, ceremony: PasskeyAuthenticationCeremony): void;
+    /**
+     * Returns registration ceremony for a challenge, pruning expired entries on this map first.
+     *
+     * @param challenge - Base64url challenge from decoded `clientDataJSON` (matches stored key).
+     * @returns Stored ceremony, or `undefined` if none or expired.
+     */
+    getRegistrationCeremony(challenge: string): PasskeyRegistrationCeremony | undefined;
+    /**
+     * Returns authentication ceremony for a challenge, pruning expired entries on this map first.
+     *
+     * @param challenge - Base64url challenge from decoded `clientDataJSON` (matches stored key).
+     * @returns Stored ceremony, or `undefined` if none or expired.
+     */
+    getAuthenticationCeremony(challenge: string): PasskeyAuthenticationCeremony | undefined;
+    /**
+     * Removes a registration ceremony by challenge.
+     *
+     * @param challenge - Map key for the ceremony to remove.
+     * @returns Whether an entry was deleted.
+     */
+    deleteRegistrationCeremony(challenge: string): boolean;
+    /**
+     * Removes an authentication ceremony by challenge.
+     *
+     * @param challenge - Map key for the ceremony to remove.
+     * @returns Whether an entry was deleted.
+     */
+    deleteAuthenticationCeremony(challenge: string): boolean;
+    /** Drops all in-flight registration and authentication ceremonies. */
+    clear(): void;
+}
+//# sourceMappingURL=ceremony-manager.d.cts.map

package/dist/ceremony-manager.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ceremony-manager.d.cts","sourceRoot":"","sources":["../src/ceremony-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,6BAA6B,EAC7B,2BAA2B,EAC5B,oBAAgB;AAEjB,qEAAqE;AACrE,eAAO,MAAM,mBAAmB,QAAS,CAAC;AAE1C;;;GAGG;AACH,eAAO,MAAM,qBAAqB,QAAS,CAAC;AAE5C;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAA8C,CAAC;AAE/E;;;GAGG;AACH,eAAO,MAAM,iCAAiC,KAAK,CAAC;AAIpD;;;GAGG;AACH,qBAAa,eAAe;;IAuD1B;;;;;OAKG;IACH,wBAAwB,CACtB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,2BAA2B,GACpC,IAAI;IAMP;;;;;OAKG;IACH,0BAA0B,CACxB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,6BAA6B,GACtC,IAAI;IAMP;;;;;OAKG;IACH,uBAAuB,CACrB,SAAS,EAAE,MAAM,GAChB,2BAA2B,GAAG,SAAS;IAK1C;;;;;OAKG;IACH,yBAAyB,CACvB,SAAS,EAAE,MAAM,GAChB,6BAA6B,GAAG,SAAS;IAK5C;;;;;OAKG;IACH,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAItD;;;;;OAKG;IACH,4BAA4B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAIxD,sEAAsE;IACtE,KAAK,IAAI,IAAI;CAId"}

package/dist/ceremony-manager.d.mts

@@ -0,0 +1,71 @@
+import type { PasskeyAuthenticationCeremony, PasskeyRegistrationCeremony } from "./types.mjs";
+/** WebAuthn `timeout` for credential creation and assertion (ms). */
+export declare const WEBAUTHN_TIMEOUT_MS = 60000;
+/**
+ * Extra allowance beyond {@link WEBAUTHN_TIMEOUT_MS} before in-memory
+ * ceremony state is discarded (covers slow UX and clock skew).
+ */
+export declare const CEREMONY_TTL_SLACK_MS = 15000;
+/**
+ * Maximum age for in-flight registration or authentication ceremony state
+ * (between options and verified response). This bounds the lifetime of a
+ * single WebAuthn ceremony only; it is not a user login session timeout.
+ */
+export declare const CEREMONY_MAX_AGE_MS: number;
+/**
+ * Upper bound on concurrent in-memory ceremonies per flow type (registration
+ * vs authentication), for abuse / leak protection.
+ */
+export declare const MAX_CONCURRENT_PASSKEY_CEREMONIES = 16;
+/**
+ * In-memory store for in-flight WebAuthn ceremonies (registration vs authentication),
+ * keyed by base64url challenge. Enforces TTL and a per-flow size cap; not user session state.
+ */
+export declare class CeremonyManager {
+    #private;
+    /**
+     * Records registration ceremony state after pruning expired rows and evicting oldest if at cap.
+     *
+     * @param challenge - Same base64url challenge as in the creation options `challenge` field.
+     * @param ceremony - Payload to retrieve when the registration response returns.
+     */
+    saveRegistrationCeremony(challenge: string, ceremony: PasskeyRegistrationCeremony): void;
+    /**
+     * Records authentication ceremony state after pruning expired rows and evicting oldest if at cap.
+     *
+     * @param challenge - Same base64url challenge as in the request options `challenge` field.
+     * @param ceremony - Payload to retrieve when the assertion response returns.
+     */
+    saveAuthenticationCeremony(challenge: string, ceremony: PasskeyAuthenticationCeremony): void;
+    /**
+     * Returns registration ceremony for a challenge, pruning expired entries on this map first.
+     *
+     * @param challenge - Base64url challenge from decoded `clientDataJSON` (matches stored key).
+     * @returns Stored ceremony, or `undefined` if none or expired.
+     */
+    getRegistrationCeremony(challenge: string): PasskeyRegistrationCeremony | undefined;
+    /**
+     * Returns authentication ceremony for a challenge, pruning expired entries on this map first.
+     *
+     * @param challenge - Base64url challenge from decoded `clientDataJSON` (matches stored key).
+     * @returns Stored ceremony, or `undefined` if none or expired.
+     */
+    getAuthenticationCeremony(challenge: string): PasskeyAuthenticationCeremony | undefined;
+    /**
+     * Removes a registration ceremony by challenge.
+     *
+     * @param challenge - Map key for the ceremony to remove.
+     * @returns Whether an entry was deleted.
+     */
+    deleteRegistrationCeremony(challenge: string): boolean;
+    /**
+     * Removes an authentication ceremony by challenge.
+     *
+     * @param challenge - Map key for the ceremony to remove.
+     * @returns Whether an entry was deleted.
+     */
+    deleteAuthenticationCeremony(challenge: string): boolean;
+    /** Drops all in-flight registration and authentication ceremonies. */
+    clear(): void;
+}
+//# sourceMappingURL=ceremony-manager.d.mts.map

package/dist/ceremony-manager.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ceremony-manager.d.mts","sourceRoot":"","sources":["../src/ceremony-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,6BAA6B,EAC7B,2BAA2B,EAC5B,oBAAgB;AAEjB,qEAAqE;AACrE,eAAO,MAAM,mBAAmB,QAAS,CAAC;AAE1C;;;GAGG;AACH,eAAO,MAAM,qBAAqB,QAAS,CAAC;AAE5C;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,QAA8C,CAAC;AAE/E;;;GAGG;AACH,eAAO,MAAM,iCAAiC,KAAK,CAAC;AAIpD;;;GAGG;AACH,qBAAa,eAAe;;IAuD1B;;;;;OAKG;IACH,wBAAwB,CACtB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,2BAA2B,GACpC,IAAI;IAMP;;;;;OAKG;IACH,0BAA0B,CACxB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,6BAA6B,GACtC,IAAI;IAMP;;;;;OAKG;IACH,uBAAuB,CACrB,SAAS,EAAE,MAAM,GAChB,2BAA2B,GAAG,SAAS;IAK1C;;;;;OAKG;IACH,yBAAyB,CACvB,SAAS,EAAE,MAAM,GAChB,6BAA6B,GAAG,SAAS;IAK5C;;;;;OAKG;IACH,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAItD;;;;;OAKG;IACH,4BAA4B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAIxD,sEAAsE;IACtE,KAAK,IAAI,IAAI;CAId"}

package/dist/ceremony-manager.mjs

@@ -0,0 +1,130 @@
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _CeremonyManager_instances, _CeremonyManager_registrationMap, _CeremonyManager_authenticationMap, _CeremonyManager_getMap, _CeremonyManager_pruneExpired, _CeremonyManager_enforceCapacity;
+/** WebAuthn `timeout` for credential creation and assertion (ms). */
+export const WEBAUTHN_TIMEOUT_MS = 60000;
+/**
+ * Extra allowance beyond {@link WEBAUTHN_TIMEOUT_MS} before in-memory
+ * ceremony state is discarded (covers slow UX and clock skew).
+ */
+export const CEREMONY_TTL_SLACK_MS = 15000;
+/**
+ * Maximum age for in-flight registration or authentication ceremony state
+ * (between options and verified response). This bounds the lifetime of a
+ * single WebAuthn ceremony only; it is not a user login session timeout.
+ */
+export const CEREMONY_MAX_AGE_MS = WEBAUTHN_TIMEOUT_MS + CEREMONY_TTL_SLACK_MS;
+/**
+ * Upper bound on concurrent in-memory ceremonies per flow type (registration
+ * vs authentication), for abuse / leak protection.
+ */
+export const MAX_CONCURRENT_PASSKEY_CEREMONIES = 16;
+/**
+ * In-memory store for in-flight WebAuthn ceremonies (registration vs authentication),
+ * keyed by base64url challenge. Enforces TTL and a per-flow size cap; not user session state.
+ */
+export class CeremonyManager {
+    constructor() {
+        _CeremonyManager_instances.add(this);
+        _CeremonyManager_registrationMap.set(this, new Map());
+        _CeremonyManager_authenticationMap.set(this, new Map());
+    }
+    /**
+     * Records registration ceremony state after pruning expired rows and evicting oldest if at cap.
+     *
+     * @param challenge - Same base64url challenge as in the creation options `challenge` field.
+     * @param ceremony - Payload to retrieve when the registration response returns.
+     */
+    saveRegistrationCeremony(challenge, ceremony) {
+        __classPrivateFieldGet(this, _CeremonyManager_instances, "m", _CeremonyManager_pruneExpired).call(this, 'registration');
+        __classPrivateFieldGet(this, _CeremonyManager_instances, "m", _CeremonyManager_enforceCapacity).call(this, 'registration');
+        __classPrivateFieldGet(this, _CeremonyManager_registrationMap, "f").set(challenge, ceremony);
+    }
+    /**
+     * Records authentication ceremony state after pruning expired rows and evicting oldest if at cap.
+     *
+     * @param challenge - Same base64url challenge as in the request options `challenge` field.
+     * @param ceremony - Payload to retrieve when the assertion response returns.
+     */
+    saveAuthenticationCeremony(challenge, ceremony) {
+        __classPrivateFieldGet(this, _CeremonyManager_instances, "m", _CeremonyManager_pruneExpired).call(this, 'authentication');
+        __classPrivateFieldGet(this, _CeremonyManager_instances, "m", _CeremonyManager_enforceCapacity).call(this, 'authentication');
+        __classPrivateFieldGet(this, _CeremonyManager_authenticationMap, "f").set(challenge, ceremony);
+    }
+    /**
+     * Returns registration ceremony for a challenge, pruning expired entries on this map first.
+     *
+     * @param challenge - Base64url challenge from decoded `clientDataJSON` (matches stored key).
+     * @returns Stored ceremony, or `undefined` if none or expired.
+     */
+    getRegistrationCeremony(challenge) {
+        __classPrivateFieldGet(this, _CeremonyManager_instances, "m", _CeremonyManager_pruneExpired).call(this, 'registration');
+        return __classPrivateFieldGet(this, _CeremonyManager_registrationMap, "f").get(challenge);
+    }
+    /**
+     * Returns authentication ceremony for a challenge, pruning expired entries on this map first.
+     *
+     * @param challenge - Base64url challenge from decoded `clientDataJSON` (matches stored key).
+     * @returns Stored ceremony, or `undefined` if none or expired.
+     */
+    getAuthenticationCeremony(challenge) {
+        __classPrivateFieldGet(this, _CeremonyManager_instances, "m", _CeremonyManager_pruneExpired).call(this, 'authentication');
+        return __classPrivateFieldGet(this, _CeremonyManager_authenticationMap, "f").get(challenge);
+    }
+    /**
+     * Removes a registration ceremony by challenge.
+     *
+     * @param challenge - Map key for the ceremony to remove.
+     * @returns Whether an entry was deleted.
+     */
+    deleteRegistrationCeremony(challenge) {
+        return __classPrivateFieldGet(this, _CeremonyManager_registrationMap, "f").delete(challenge);
+    }
+    /**
+     * Removes an authentication ceremony by challenge.
+     *
+     * @param challenge - Map key for the ceremony to remove.
+     * @returns Whether an entry was deleted.
+     */
+    deleteAuthenticationCeremony(challenge) {
+        return __classPrivateFieldGet(this, _CeremonyManager_authenticationMap, "f").delete(challenge);
+    }
+    /** Drops all in-flight registration and authentication ceremonies. */
+    clear() {
+        __classPrivateFieldGet(this, _CeremonyManager_registrationMap, "f").clear();
+        __classPrivateFieldGet(this, _CeremonyManager_authenticationMap, "f").clear();
+    }
+}
+_CeremonyManager_registrationMap = new WeakMap(), _CeremonyManager_authenticationMap = new WeakMap(), _CeremonyManager_instances = new WeakSet(), _CeremonyManager_getMap = function _CeremonyManager_getMap(ceremonyType) {
+    return ceremonyType === 'registration'
+        ? __classPrivateFieldGet(this, _CeremonyManager_registrationMap, "f")
+        : __classPrivateFieldGet(this, _CeremonyManager_authenticationMap, "f");
+}, _CeremonyManager_pruneExpired = function _CeremonyManager_pruneExpired(ceremonyType) {
+    const now = Date.now();
+    const map = __classPrivateFieldGet(this, _CeremonyManager_instances, "m", _CeremonyManager_getMap).call(this, ceremonyType);
+    for (const [key, ceremony] of map) {
+        if (now - ceremony.createdAt > CEREMONY_MAX_AGE_MS) {
+            map.delete(key);
+        }
+    }
+}, _CeremonyManager_enforceCapacity = function _CeremonyManager_enforceCapacity(ceremonyType) {
+    const map = __classPrivateFieldGet(this, _CeremonyManager_instances, "m", _CeremonyManager_getMap).call(this, ceremonyType);
+    while (map.size >= MAX_CONCURRENT_PASSKEY_CEREMONIES) {
+        let oldestKey;
+        let oldestTime = Infinity;
+        for (const [mapKey, ceremony] of map) {
+            if (ceremony.createdAt < oldestTime) {
+                oldestTime = ceremony.createdAt;
+                oldestKey = mapKey;
+            }
+        }
+        if (oldestKey === undefined) {
+            break;
+        }
+        map.delete(oldestKey);
+    }
+};
+//# sourceMappingURL=ceremony-manager.mjs.map

package/dist/ceremony-manager.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"ceremony-manager.mjs","sourceRoot":"","sources":["../src/ceremony-manager.ts"],"names":[],"mappings":";;;;;;AAKA,qEAAqE;AACrE,MAAM,CAAC,MAAM,mBAAmB,GAAG,KAAM,CAAC;AAE1C;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,KAAM,CAAC;AAE5C;;;;GAIG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,mBAAmB,GAAG,qBAAqB,CAAC;AAE/E;;;GAGG;AACH,MAAM,CAAC,MAAM,iCAAiC,GAAG,EAAE,CAAC;AAIpD;;;GAGG;AACH,MAAM,OAAO,eAAe;IAA5B;;QACW,2CAAmB,IAAI,GAAG,EAAuC,EAAC;QAElE,6CAAqB,IAAI,GAAG,EAGlC,EAAC;IAkIN,CAAC;IAjFC;;;;;OAKG;IACH,wBAAwB,CACtB,SAAiB,EACjB,QAAqC;QAErC,uBAAA,IAAI,iEAAc,MAAlB,IAAI,EAAe,cAAc,CAAC,CAAC;QACnC,uBAAA,IAAI,oEAAiB,MAArB,IAAI,EAAkB,cAAc,CAAC,CAAC;QACtC,uBAAA,IAAI,wCAAiB,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;IAED;;;;;OAKG;IACH,0BAA0B,CACxB,SAAiB,EACjB,QAAuC;QAEvC,uBAAA,IAAI,iEAAc,MAAlB,IAAI,EAAe,gBAAgB,CAAC,CAAC;QACrC,uBAAA,IAAI,oEAAiB,MAArB,IAAI,EAAkB,gBAAgB,CAAC,CAAC;QACxC,uBAAA,IAAI,0CAAmB,CAAC,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IAED;;;;;OAKG;IACH,uBAAuB,CACrB,SAAiB;QAEjB,uBAAA,IAAI,iEAAc,MAAlB,IAAI,EAAe,cAAc,CAAC,CAAC;QACnC,OAAO,uBAAA,IAAI,wCAAiB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9C,CAAC;IAED;;;;;OAKG;IACH,yBAAyB,CACvB,SAAiB;QAEjB,uBAAA,IAAI,iEAAc,MAAlB,IAAI,EAAe,gBAAgB,CAAC,CAAC;QACrC,OAAO,uBAAA,IAAI,0CAAmB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAChD,CAAC;IAED;;;;;OAKG;IACH,0BAA0B,CAAC,SAAiB;QAC1C,OAAO,uBAAA,IAAI,wCAAiB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IAED;;;;;OAKG;IACH,4BAA4B,CAAC,SAAiB;QAC5C,OAAO,uBAAA,IAAI,0CAAmB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACnD,CAAC;IAED,sEAAsE;IACtE,KAAK;QACH,uBAAA,IAAI,wCAAiB,CAAC,KAAK,EAAE,CAAC;QAC9B,uBAAA,IAAI,0CAAmB,CAAC,KAAK,EAAE,CAAC;IAClC,CAAC;CACF;6MAzHG,YAA0B;IAE1B,OAAO,YAAY,KAAK,cAAc;QACpC,CAAC,CAAC,uBAAA,IAAI,wCAAiB;QACvB,CAAC,CAAC,uBAAA,IAAI,0CAAmB,CAAC;AAC9B,CAAC,yEAEa,YAA0B;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,GAAG,GAAG,uBAAA,IAAI,2DAAQ,MAAZ,IAAI,EAAS,YAAY,CAAC,CAAC;IACvC,KAAK,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,GAAG,EAAE,CAAC;QAClC,IAAI,GAAG,GAAG,QAAQ,CAAC,SAAS,GAAG,mBAAmB,EAAE,CAAC;YACnD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;AACH,CAAC,+EAOgB,YAA0B;IACzC,MAAM,GAAG,GAAG,uBAAA,IAAI,2DAAQ,MAAZ,IAAI,EAAS,YAAY,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC,IAAI,IAAI,iCAAiC,EAAE,CAAC;QACrD,IAAI,SAA6B,CAAC;QAClC,IAAI,UAAU,GAAG,QAAQ,CAAC;QAC1B,KAAK,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,GAAG,EAAE,CAAC;YACrC,IAAI,QAAQ,CAAC,SAAS,GAAG,UAAU,EAAE,CAAC;gBACpC,UAAU,GAAG,QAAQ,CAAC,SAAS,CAAC;gBAChC,SAAS,GAAG,MAAM,CAAC;YACrB,CAAC;QACH,CAAC;QACD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,MAAM;QACR,CAAC;QACD,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACxB,CAAC;AACH,CAAC","sourcesContent":["import type {\n  PasskeyAuthenticationCeremony,\n  PasskeyRegistrationCeremony,\n} from './types';\n\n/** WebAuthn `timeout` for credential creation and assertion (ms). */\nexport const WEBAUTHN_TIMEOUT_MS = 60_000;\n\n/**\n * Extra allowance beyond {@link WEBAUTHN_TIMEOUT_MS} before in-memory\n * ceremony state is discarded (covers slow UX and clock skew).\n */\nexport const CEREMONY_TTL_SLACK_MS = 15_000;\n\n/**\n * Maximum age for in-flight registration or authentication ceremony state\n * (between options and verified response). This bounds the lifetime of a\n * single WebAuthn ceremony only; it is not a user login session timeout.\n */\nexport const CEREMONY_MAX_AGE_MS = WEBAUTHN_TIMEOUT_MS + CEREMONY_TTL_SLACK_MS;\n\n/**\n * Upper bound on concurrent in-memory ceremonies per flow type (registration\n * vs authentication), for abuse / leak protection.\n */\nexport const MAX_CONCURRENT_PASSKEY_CEREMONIES = 16;\n\ntype CeremonyFlow = 'registration' | 'authentication';\n\n/**\n * In-memory store for in-flight WebAuthn ceremonies (registration vs authentication),\n * keyed by base64url challenge. Enforces TTL and a per-flow size cap; not user session state.\n */\nexport class CeremonyManager {\n  readonly #registrationMap = new Map<string, PasskeyRegistrationCeremony>();\n\n  readonly #authenticationMap = new Map<\n    string,\n    PasskeyAuthenticationCeremony\n  >();\n\n  /**\n   * Challenge-keyed map for prune/capacity helpers.\n   *\n   * @param ceremonyType - Which in-flight ceremony map to use.\n   * @returns The registration or authentication ceremony map for the given flow.\n   */\n  #getMap(\n    ceremonyType: CeremonyFlow,\n  ): Map<string, PasskeyRegistrationCeremony | PasskeyAuthenticationCeremony> {\n    return ceremonyType === 'registration'\n      ? this.#registrationMap\n      : this.#authenticationMap;\n  }\n\n  #pruneExpired(ceremonyType: CeremonyFlow): void {\n    const now = Date.now();\n    const map = this.#getMap(ceremonyType);\n    for (const [key, ceremony] of map) {\n      if (now - ceremony.createdAt > CEREMONY_MAX_AGE_MS) {\n        map.delete(key);\n      }\n    }\n  }\n\n  /**\n   * Removes the oldest entry (by `createdAt`) until size is below the cap.\n   *\n   * @param ceremonyType - Which in-flight ceremony map to evict from.\n   */\n  #enforceCapacity(ceremonyType: CeremonyFlow): void {\n    const map = this.#getMap(ceremonyType);\n    while (map.size >= MAX_CONCURRENT_PASSKEY_CEREMONIES) {\n      let oldestKey: string | undefined;\n      let oldestTime = Infinity;\n      for (const [mapKey, ceremony] of map) {\n        if (ceremony.createdAt < oldestTime) {\n          oldestTime = ceremony.createdAt;\n          oldestKey = mapKey;\n        }\n      }\n      if (oldestKey === undefined) {\n        break;\n      }\n      map.delete(oldestKey);\n    }\n  }\n\n  /**\n   * Records registration ceremony state after pruning expired rows and evicting oldest if at cap.\n   *\n   * @param challenge - Same base64url challenge as in the creation options `challenge` field.\n   * @param ceremony - Payload to retrieve when the registration response returns.\n   */\n  saveRegistrationCeremony(\n    challenge: string,\n    ceremony: PasskeyRegistrationCeremony,\n  ): void {\n    this.#pruneExpired('registration');\n    this.#enforceCapacity('registration');\n    this.#registrationMap.set(challenge, ceremony);\n  }\n\n  /**\n   * Records authentication ceremony state after pruning expired rows and evicting oldest if at cap.\n   *\n   * @param challenge - Same base64url challenge as in the request options `challenge` field.\n   * @param ceremony - Payload to retrieve when the assertion response returns.\n   */\n  saveAuthenticationCeremony(\n    challenge: string,\n    ceremony: PasskeyAuthenticationCeremony,\n  ): void {\n    this.#pruneExpired('authentication');\n    this.#enforceCapacity('authentication');\n    this.#authenticationMap.set(challenge, ceremony);\n  }\n\n  /**\n   * Returns registration ceremony for a challenge, pruning expired entries on this map first.\n   *\n   * @param challenge - Base64url challenge from decoded `clientDataJSON` (matches stored key).\n   * @returns Stored ceremony, or `undefined` if none or expired.\n   */\n  getRegistrationCeremony(\n    challenge: string,\n  ): PasskeyRegistrationCeremony | undefined {\n    this.#pruneExpired('registration');\n    return this.#registrationMap.get(challenge);\n  }\n\n  /**\n   * Returns authentication ceremony for a challenge, pruning expired entries on this map first.\n   *\n   * @param challenge - Base64url challenge from decoded `clientDataJSON` (matches stored key).\n   * @returns Stored ceremony, or `undefined` if none or expired.\n   */\n  getAuthenticationCeremony(\n    challenge: string,\n  ): PasskeyAuthenticationCeremony | undefined {\n    this.#pruneExpired('authentication');\n    return this.#authenticationMap.get(challenge);\n  }\n\n  /**\n   * Removes a registration ceremony by challenge.\n   *\n   * @param challenge - Map key for the ceremony to remove.\n   * @returns Whether an entry was deleted.\n   */\n  deleteRegistrationCeremony(challenge: string): boolean {\n    return this.#registrationMap.delete(challenge);\n  }\n\n  /**\n   * Removes an authentication ceremony by challenge.\n   *\n   * @param challenge - Map key for the ceremony to remove.\n   * @returns Whether an entry was deleted.\n   */\n  deleteAuthenticationCeremony(challenge: string): boolean {\n    return this.#authenticationMap.delete(challenge);\n  }\n\n  /** Drops all in-flight registration and authentication ceremonies. */\n  clear(): void {\n    this.#registrationMap.clear();\n    this.#authenticationMap.clear();\n  }\n}\n"]}

package/dist/constants.cjs

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PasskeyControllerErrorMessage = exports.PasskeyControllerErrorCode = exports.controllerName = void 0;
+exports.controllerName = 'PasskeyController';
+/**
+ * Stable programmatic codes for {@link PasskeyControllerError}.
+ * Use these instead of matching `message` strings.
+ */
+exports.PasskeyControllerErrorCode = {
+    NotEnrolled: 'not_enrolled',
+    NoRegistrationCeremony: 'no_registration_ceremony',
+    RegistrationVerificationFailed: 'registration_verification_failed',
+    NoAuthenticationCeremony: 'no_authentication_ceremony',
+    AuthenticationVerificationFailed: 'authentication_verification_failed',
+    MissingKeyMaterial: 'missing_key_material',
+    VaultKeyDecryptionFailed: 'vault_key_decryption_failed',
+    VaultKeyMismatch: 'vault_key_mismatch',
+};
+/**
+ * Human-readable messages for {@link PasskeyControllerError}.
+ */
+var PasskeyControllerErrorMessage;
+(function (PasskeyControllerErrorMessage) {
+    PasskeyControllerErrorMessage["NotEnrolled"] = "PasskeyController - Passkey is not enrolled";
+    PasskeyControllerErrorMessage["NoRegistrationCeremony"] = "PasskeyController - No active passkey registration ceremony";
+    PasskeyControllerErrorMessage["RegistrationVerificationFailed"] = "PasskeyController - Passkey registration verification failed";
+    PasskeyControllerErrorMessage["NoAuthenticationCeremony"] = "PasskeyController - No active passkey authentication ceremony";
+    PasskeyControllerErrorMessage["AuthenticationVerificationFailed"] = "PasskeyController - Passkey authentication verification failed";
+    PasskeyControllerErrorMessage["MissingKeyMaterial"] = "PasskeyController - Passkey assertion missing required key material";
+    PasskeyControllerErrorMessage["VaultKeyDecryptionFailed"] = "PasskeyController - Passkey vault key decryption failed";
+    PasskeyControllerErrorMessage["VaultKeyMismatch"] = "PasskeyController - Passkey authentication does not match the current vault key";
+})(PasskeyControllerErrorMessage || (exports.PasskeyControllerErrorMessage = PasskeyControllerErrorMessage = {}));
+//# sourceMappingURL=constants.cjs.map

package/dist/constants.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.cjs","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":";;;AAAa,QAAA,cAAc,GAAG,mBAAmB,CAAC;AAElD;;;GAGG;AACU,QAAA,0BAA0B,GAAG;IACxC,WAAW,EAAE,cAAc;IAC3B,sBAAsB,EAAE,0BAA0B;IAClD,8BAA8B,EAAE,kCAAkC;IAClE,wBAAwB,EAAE,4BAA4B;IACtD,gCAAgC,EAAE,oCAAoC;IACtE,kBAAkB,EAAE,sBAAsB;IAC1C,wBAAwB,EAAE,6BAA6B;IACvD,gBAAgB,EAAE,oBAAoB;CAC9B,CAAC;AAKX;;GAEG;AACH,IAAY,6BASX;AATD,WAAY,6BAA6B;IACvC,4FAA2D,CAAA;IAC3D,uHAAsF,CAAA;IACtF,gIAA+F,CAAA;IAC/F,2HAA0F,CAAA;IAC1F,oIAAmG,CAAA;IACnG,2HAA0F,CAAA;IAC1F,qHAAoF,CAAA;IACpF,qIAAoG,CAAA;AACtG,CAAC,EATW,6BAA6B,6CAA7B,6BAA6B,QASxC","sourcesContent":["export const controllerName = 'PasskeyController';\n\n/**\n * Stable programmatic codes for {@link PasskeyControllerError}.\n * Use these instead of matching `message` strings.\n */\nexport const PasskeyControllerErrorCode = {\n  NotEnrolled: 'not_enrolled',\n  NoRegistrationCeremony: 'no_registration_ceremony',\n  RegistrationVerificationFailed: 'registration_verification_failed',\n  NoAuthenticationCeremony: 'no_authentication_ceremony',\n  AuthenticationVerificationFailed: 'authentication_verification_failed',\n  MissingKeyMaterial: 'missing_key_material',\n  VaultKeyDecryptionFailed: 'vault_key_decryption_failed',\n  VaultKeyMismatch: 'vault_key_mismatch',\n} as const;\n\nexport type PasskeyControllerErrorCode =\n  (typeof PasskeyControllerErrorCode)[keyof typeof PasskeyControllerErrorCode];\n\n/**\n * Human-readable messages for {@link PasskeyControllerError}.\n */\nexport enum PasskeyControllerErrorMessage {\n  NotEnrolled = `${controllerName} - Passkey is not enrolled`,\n  NoRegistrationCeremony = `${controllerName} - No active passkey registration ceremony`,\n  RegistrationVerificationFailed = `${controllerName} - Passkey registration verification failed`,\n  NoAuthenticationCeremony = `${controllerName} - No active passkey authentication ceremony`,\n  AuthenticationVerificationFailed = `${controllerName} - Passkey authentication verification failed`,\n  MissingKeyMaterial = `${controllerName} - Passkey assertion missing required key material`,\n  VaultKeyDecryptionFailed = `${controllerName} - Passkey vault key decryption failed`,\n  VaultKeyMismatch = `${controllerName} - Passkey authentication does not match the current vault key`,\n}\n"]}

package/dist/constants.d.cts

@@ -0,0 +1,30 @@
+export declare const controllerName = "PasskeyController";
+/**
+ * Stable programmatic codes for {@link PasskeyControllerError}.
+ * Use these instead of matching `message` strings.
+ */
+export declare const PasskeyControllerErrorCode: {
+    readonly NotEnrolled: "not_enrolled";
+    readonly NoRegistrationCeremony: "no_registration_ceremony";
+    readonly RegistrationVerificationFailed: "registration_verification_failed";
+    readonly NoAuthenticationCeremony: "no_authentication_ceremony";
+    readonly AuthenticationVerificationFailed: "authentication_verification_failed";
+    readonly MissingKeyMaterial: "missing_key_material";
+    readonly VaultKeyDecryptionFailed: "vault_key_decryption_failed";
+    readonly VaultKeyMismatch: "vault_key_mismatch";
+};
+export type PasskeyControllerErrorCode = (typeof PasskeyControllerErrorCode)[keyof typeof PasskeyControllerErrorCode];
+/**
+ * Human-readable messages for {@link PasskeyControllerError}.
+ */
+export declare enum PasskeyControllerErrorMessage {
+    NotEnrolled = "PasskeyController - Passkey is not enrolled",
+    NoRegistrationCeremony = "PasskeyController - No active passkey registration ceremony",
+    RegistrationVerificationFailed = "PasskeyController - Passkey registration verification failed",
+    NoAuthenticationCeremony = "PasskeyController - No active passkey authentication ceremony",
+    AuthenticationVerificationFailed = "PasskeyController - Passkey authentication verification failed",
+    MissingKeyMaterial = "PasskeyController - Passkey assertion missing required key material",
+    VaultKeyDecryptionFailed = "PasskeyController - Passkey vault key decryption failed",
+    VaultKeyMismatch = "PasskeyController - Passkey authentication does not match the current vault key"
+}
+//# sourceMappingURL=constants.d.cts.map

package/dist/constants.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.cts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,cAAc,sBAAsB,CAAC;AAElD;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;CAS7B,CAAC;AAEX,MAAM,MAAM,0BAA0B,GACpC,CAAC,OAAO,0BAA0B,CAAC,CAAC,MAAM,OAAO,0BAA0B,CAAC,CAAC;AAE/E;;GAEG;AACH,oBAAY,6BAA6B;IACvC,WAAW,gDAAgD;IAC3D,sBAAsB,gEAAgE;IACtF,8BAA8B,iEAAiE;IAC/F,wBAAwB,kEAAkE;IAC1F,gCAAgC,mEAAmE;IACnG,kBAAkB,wEAAwE;IAC1F,wBAAwB,4DAA4D;IACpF,gBAAgB,oFAAoF;CACrG"}

package/dist/constants.d.mts

@@ -0,0 +1,30 @@
+export declare const controllerName = "PasskeyController";
+/**
+ * Stable programmatic codes for {@link PasskeyControllerError}.
+ * Use these instead of matching `message` strings.
+ */
+export declare const PasskeyControllerErrorCode: {
+    readonly NotEnrolled: "not_enrolled";
+    readonly NoRegistrationCeremony: "no_registration_ceremony";
+    readonly RegistrationVerificationFailed: "registration_verification_failed";
+    readonly NoAuthenticationCeremony: "no_authentication_ceremony";
+    readonly AuthenticationVerificationFailed: "authentication_verification_failed";
+    readonly MissingKeyMaterial: "missing_key_material";
+    readonly VaultKeyDecryptionFailed: "vault_key_decryption_failed";
+    readonly VaultKeyMismatch: "vault_key_mismatch";
+};
+export type PasskeyControllerErrorCode = (typeof PasskeyControllerErrorCode)[keyof typeof PasskeyControllerErrorCode];
+/**
+ * Human-readable messages for {@link PasskeyControllerError}.
+ */
+export declare enum PasskeyControllerErrorMessage {
+    NotEnrolled = "PasskeyController - Passkey is not enrolled",
+    NoRegistrationCeremony = "PasskeyController - No active passkey registration ceremony",
+    RegistrationVerificationFailed = "PasskeyController - Passkey registration verification failed",
+    NoAuthenticationCeremony = "PasskeyController - No active passkey authentication ceremony",
+    AuthenticationVerificationFailed = "PasskeyController - Passkey authentication verification failed",
+    MissingKeyMaterial = "PasskeyController - Passkey assertion missing required key material",
+    VaultKeyDecryptionFailed = "PasskeyController - Passkey vault key decryption failed",
+    VaultKeyMismatch = "PasskeyController - Passkey authentication does not match the current vault key"
+}
+//# sourceMappingURL=constants.d.mts.map

package/dist/constants.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.mts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,cAAc,sBAAsB,CAAC;AAElD;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;CAS7B,CAAC;AAEX,MAAM,MAAM,0BAA0B,GACpC,CAAC,OAAO,0BAA0B,CAAC,CAAC,MAAM,OAAO,0BAA0B,CAAC,CAAC;AAE/E;;GAEG;AACH,oBAAY,6BAA6B;IACvC,WAAW,gDAAgD;IAC3D,sBAAsB,gEAAgE;IACtF,8BAA8B,iEAAiE;IAC/F,wBAAwB,kEAAkE;IAC1F,gCAAgC,mEAAmE;IACnG,kBAAkB,wEAAwE;IAC1F,wBAAwB,4DAA4D;IACpF,gBAAgB,oFAAoF;CACrG"}

package/dist/constants.mjs

@@ -0,0 +1,30 @@
+export const controllerName = 'PasskeyController';
+/**
+ * Stable programmatic codes for {@link PasskeyControllerError}.
+ * Use these instead of matching `message` strings.
+ */
+export const PasskeyControllerErrorCode = {
+    NotEnrolled: 'not_enrolled',
+    NoRegistrationCeremony: 'no_registration_ceremony',
+    RegistrationVerificationFailed: 'registration_verification_failed',
+    NoAuthenticationCeremony: 'no_authentication_ceremony',
+    AuthenticationVerificationFailed: 'authentication_verification_failed',
+    MissingKeyMaterial: 'missing_key_material',
+    VaultKeyDecryptionFailed: 'vault_key_decryption_failed',
+    VaultKeyMismatch: 'vault_key_mismatch',
+};
+/**
+ * Human-readable messages for {@link PasskeyControllerError}.
+ */
+export var PasskeyControllerErrorMessage;
+(function (PasskeyControllerErrorMessage) {
+    PasskeyControllerErrorMessage["NotEnrolled"] = "PasskeyController - Passkey is not enrolled";
+    PasskeyControllerErrorMessage["NoRegistrationCeremony"] = "PasskeyController - No active passkey registration ceremony";
+    PasskeyControllerErrorMessage["RegistrationVerificationFailed"] = "PasskeyController - Passkey registration verification failed";
+    PasskeyControllerErrorMessage["NoAuthenticationCeremony"] = "PasskeyController - No active passkey authentication ceremony";
+    PasskeyControllerErrorMessage["AuthenticationVerificationFailed"] = "PasskeyController - Passkey authentication verification failed";
+    PasskeyControllerErrorMessage["MissingKeyMaterial"] = "PasskeyController - Passkey assertion missing required key material";
+    PasskeyControllerErrorMessage["VaultKeyDecryptionFailed"] = "PasskeyController - Passkey vault key decryption failed";
+    PasskeyControllerErrorMessage["VaultKeyMismatch"] = "PasskeyController - Passkey authentication does not match the current vault key";
+})(PasskeyControllerErrorMessage || (PasskeyControllerErrorMessage = {}));
+//# sourceMappingURL=constants.mjs.map

package/dist/constants.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.mjs","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,cAAc,GAAG,mBAAmB,CAAC;AAElD;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,WAAW,EAAE,cAAc;IAC3B,sBAAsB,EAAE,0BAA0B;IAClD,8BAA8B,EAAE,kCAAkC;IAClE,wBAAwB,EAAE,4BAA4B;IACtD,gCAAgC,EAAE,oCAAoC;IACtE,kBAAkB,EAAE,sBAAsB;IAC1C,wBAAwB,EAAE,6BAA6B;IACvD,gBAAgB,EAAE,oBAAoB;CAC9B,CAAC;AAKX;;GAEG;AACH,MAAM,CAAN,IAAY,6BASX;AATD,WAAY,6BAA6B;IACvC,4FAA2D,CAAA;IAC3D,uHAAsF,CAAA;IACtF,gIAA+F,CAAA;IAC/F,2HAA0F,CAAA;IAC1F,oIAAmG,CAAA;IACnG,2HAA0F,CAAA;IAC1F,qHAAoF,CAAA;IACpF,qIAAoG,CAAA;AACtG,CAAC,EATW,6BAA6B,KAA7B,6BAA6B,QASxC","sourcesContent":["export const controllerName = 'PasskeyController';\n\n/**\n * Stable programmatic codes for {@link PasskeyControllerError}.\n * Use these instead of matching `message` strings.\n */\nexport const PasskeyControllerErrorCode = {\n  NotEnrolled: 'not_enrolled',\n  NoRegistrationCeremony: 'no_registration_ceremony',\n  RegistrationVerificationFailed: 'registration_verification_failed',\n  NoAuthenticationCeremony: 'no_authentication_ceremony',\n  AuthenticationVerificationFailed: 'authentication_verification_failed',\n  MissingKeyMaterial: 'missing_key_material',\n  VaultKeyDecryptionFailed: 'vault_key_decryption_failed',\n  VaultKeyMismatch: 'vault_key_mismatch',\n} as const;\n\nexport type PasskeyControllerErrorCode =\n  (typeof PasskeyControllerErrorCode)[keyof typeof PasskeyControllerErrorCode];\n\n/**\n * Human-readable messages for {@link PasskeyControllerError}.\n */\nexport enum PasskeyControllerErrorMessage {\n  NotEnrolled = `${controllerName} - Passkey is not enrolled`,\n  NoRegistrationCeremony = `${controllerName} - No active passkey registration ceremony`,\n  RegistrationVerificationFailed = `${controllerName} - Passkey registration verification failed`,\n  NoAuthenticationCeremony = `${controllerName} - No active passkey authentication ceremony`,\n  AuthenticationVerificationFailed = `${controllerName} - Passkey authentication verification failed`,\n  MissingKeyMaterial = `${controllerName} - Passkey assertion missing required key material`,\n  VaultKeyDecryptionFailed = `${controllerName} - Passkey vault key decryption failed`,\n  VaultKeyMismatch = `${controllerName} - Passkey authentication does not match the current vault key`,\n}\n"]}

package/dist/errors.cjs

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PasskeyControllerError = void 0;
+/**
+ * Error class for PasskeyController-related errors.
+ */
+class PasskeyControllerError extends Error {
+    /**
+     * @param message - The error message.
+     * @param options - Error options or an `Error` instance used as `cause` (Keyring-style overload).
+     */
+    constructor(message, options) {
+        super(message);
+        this.name = 'PasskeyControllerError';
+        const cause = options instanceof Error ? options : options?.cause;
+        const code = options instanceof Error ? undefined : options?.code;
+        const context = options instanceof Error ? undefined : options?.context;
+        if (cause) {
+            this.cause = cause;
+        }
+        if (code) {
+            this.code = code;
+        }
+        if (context) {
+            this.context = context;
+        }
+        Object.setPrototypeOf(this, PasskeyControllerError.prototype);
+    }
+    toJSON() {
+        return {
+            name: this.name,
+            message: this.message,
+            code: this.code,
+            context: this.context,
+            stack: this.stack,
+            cause: this.cause
+                ? {
+                    name: this.cause.name,
+                    message: this.cause.message,
+                    stack: this.cause.stack,
+                }
+                : undefined,
+        };
+    }
+    toString() {
+        let result = `${this.name}: ${this.message}`;
+        if (this.code) {
+            result += ` [${this.code}]`;
+        }
+        if (this.cause) {
+            result += `\n  Caused by: ${this.cause}`;
+        }
+        return result;
+    }
+}
+exports.PasskeyControllerError = PasskeyControllerError;
+//# sourceMappingURL=errors.cjs.map

package/dist/errors.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.cjs","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":";;;AAoBA;;GAEG;AACH,MAAa,sBAAuB,SAAQ,KAAK;IAO/C;;;OAGG;IACH,YACE,OAAe,EACf,OAA+C;QAE/C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;QAErC,MAAM,KAAK,GAAG,OAAO,YAAY,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,EAAE,KAAK,CAAC;QAClE,MAAM,IAAI,GAAG,OAAO,YAAY,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,EAAE,IAAI,CAAC;QAClE,MAAM,OAAO,GAAG,OAAO,YAAY,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC;QAExE,IAAI,KAAK,EAAE,CAAC;YACV,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACrB,CAAC;QACD,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACnB,CAAC;QACD,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACzB,CAAC;QAED,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,sBAAsB,CAAC,SAAS,CAAC,CAAC;IAChE,CAAC;IAED,MAAM;QACJ,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACf,CAAC,CAAC;oBACE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI;oBACrB,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;oBAC3B,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK;iBACxB;gBACH,CAAC,CAAC,SAAS;SACd,CAAC;IACJ,CAAC;IAEQ,QAAQ;QACf,IAAI,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;QAC7C,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,IAAI,CAAC,IAAI,GAAG,CAAC;QAC9B,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,kBAAkB,IAAI,CAAC,KAAK,EAAE,CAAC;QAC3C,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AA9DD,wDA8DC","sourcesContent":["import type { PasskeyControllerErrorCode as PasskeyControllerErrorCodeType } from './constants';\n\n/**\n * Options for creating a {@link PasskeyControllerError}.\n */\nexport type PasskeyControllerErrorOptions = {\n  /**\n   * The underlying error that caused this error (for error chaining).\n   */\n  cause?: Error;\n  /**\n   * Stable code for programmatic handling (see {@link PasskeyControllerErrorCode}).\n   */\n  code?: PasskeyControllerErrorCodeType;\n  /**\n   * Additional context for debugging or reporting.\n   */\n  context?: Record<string, unknown>;\n};\n\n/**\n * Error class for PasskeyController-related errors.\n */\nexport class PasskeyControllerError extends Error {\n  code?: PasskeyControllerErrorCodeType;\n\n  context?: Record<string, unknown>;\n\n  cause?: Error;\n\n  /**\n   * @param message - The error message.\n   * @param options - Error options or an `Error` instance used as `cause` (Keyring-style overload).\n   */\n  constructor(\n    message: string,\n    options?: PasskeyControllerErrorOptions | Error,\n  ) {\n    super(message);\n    this.name = 'PasskeyControllerError';\n\n    const cause = options instanceof Error ? options : options?.cause;\n    const code = options instanceof Error ? undefined : options?.code;\n    const context = options instanceof Error ? undefined : options?.context;\n\n    if (cause) {\n      this.cause = cause;\n    }\n    if (code) {\n      this.code = code;\n    }\n    if (context) {\n      this.context = context;\n    }\n\n    Object.setPrototypeOf(this, PasskeyControllerError.prototype);\n  }\n\n  toJSON(): Record<string, unknown> {\n    return {\n      name: this.name,\n      message: this.message,\n      code: this.code,\n      context: this.context,\n      stack: this.stack,\n      cause: this.cause\n        ? {\n            name: this.cause.name,\n            message: this.cause.message,\n            stack: this.cause.stack,\n          }\n        : undefined,\n    };\n  }\n\n  override toString(): string {\n    let result = `${this.name}: ${this.message}`;\n    if (this.code) {\n      result += ` [${this.code}]`;\n    }\n    if (this.cause) {\n      result += `\\n  Caused by: ${this.cause}`;\n    }\n    return result;\n  }\n}\n"]}

package/dist/errors.d.cts

@@ -0,0 +1,34 @@
+import type { PasskeyControllerErrorCode as PasskeyControllerErrorCodeType } from "./constants.cjs";
+/**
+ * Options for creating a {@link PasskeyControllerError}.
+ */
+export type PasskeyControllerErrorOptions = {
+    /**
+     * The underlying error that caused this error (for error chaining).
+     */
+    cause?: Error;
+    /**
+     * Stable code for programmatic handling (see {@link PasskeyControllerErrorCode}).
+     */
+    code?: PasskeyControllerErrorCodeType;
+    /**
+     * Additional context for debugging or reporting.
+     */
+    context?: Record<string, unknown>;
+};
+/**
+ * Error class for PasskeyController-related errors.
+ */
+export declare class PasskeyControllerError extends Error {
+    code?: PasskeyControllerErrorCodeType;
+    context?: Record<string, unknown>;
+    cause?: Error;
+    /**
+     * @param message - The error message.
+     * @param options - Error options or an `Error` instance used as `cause` (Keyring-style overload).
+     */
+    constructor(message: string, options?: PasskeyControllerErrorOptions | Error);
+    toJSON(): Record<string, unknown>;
+    toString(): string;
+}
+//# sourceMappingURL=errors.d.cts.map

package/dist/errors.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.cts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,0BAA0B,IAAI,8BAA8B,EAAE,wBAAoB;AAEhG;;GAEG;AACH,MAAM,MAAM,6BAA6B,GAAG;IAC1C;;OAEG;IACH,KAAK,CAAC,EAAE,KAAK,CAAC;IACd;;OAEG;IACH,IAAI,CAAC,EAAE,8BAA8B,CAAC;IACtC;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC,CAAC;AAEF;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,KAAK;IAC/C,IAAI,CAAC,EAAE,8BAA8B,CAAC;IAEtC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAElC,KAAK,CAAC,EAAE,KAAK,CAAC;IAEd;;;OAGG;gBAED,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,6BAA6B,GAAG,KAAK;IAsBjD,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAiBxB,QAAQ,IAAI,MAAM;CAU5B"}

package/dist/errors.d.mts

@@ -0,0 +1,34 @@
+import type { PasskeyControllerErrorCode as PasskeyControllerErrorCodeType } from "./constants.mjs";
+/**
+ * Options for creating a {@link PasskeyControllerError}.
+ */
+export type PasskeyControllerErrorOptions = {
+    /**
+     * The underlying error that caused this error (for error chaining).
+     */
+    cause?: Error;
+    /**
+     * Stable code for programmatic handling (see {@link PasskeyControllerErrorCode}).
+     */
+    code?: PasskeyControllerErrorCodeType;
+    /**
+     * Additional context for debugging or reporting.
+     */
+    context?: Record<string, unknown>;
+};
+/**
+ * Error class for PasskeyController-related errors.
+ */
+export declare class PasskeyControllerError extends Error {
+    code?: PasskeyControllerErrorCodeType;
+    context?: Record<string, unknown>;
+    cause?: Error;
+    /**
+     * @param message - The error message.
+     * @param options - Error options or an `Error` instance used as `cause` (Keyring-style overload).
+     */
+    constructor(message: string, options?: PasskeyControllerErrorOptions | Error);
+    toJSON(): Record<string, unknown>;
+    toString(): string;
+}
+//# sourceMappingURL=errors.d.mts.map

package/dist/errors.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.mts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,0BAA0B,IAAI,8BAA8B,EAAE,wBAAoB;AAEhG;;GAEG;AACH,MAAM,MAAM,6BAA6B,GAAG;IAC1C;;OAEG;IACH,KAAK,CAAC,EAAE,KAAK,CAAC;IACd;;OAEG;IACH,IAAI,CAAC,EAAE,8BAA8B,CAAC;IACtC;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC,CAAC;AAEF;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,KAAK;IAC/C,IAAI,CAAC,EAAE,8BAA8B,CAAC;IAEtC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAElC,KAAK,CAAC,EAAE,KAAK,CAAC;IAEd;;;OAGG;gBAED,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,6BAA6B,GAAG,KAAK;IAsBjD,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAiBxB,QAAQ,IAAI,MAAM;CAU5B"}