@moon-x/core 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (40) hide show
  1. package/README.md +2 -2
  2. package/dist/{chunk-CDT4MC7S.mjs → chunk-6LTEG7VN.mjs} +0 -39
  3. package/dist/{chunk-SOKLPX7V.mjs → chunk-VVL65GIB.mjs} +10 -0
  4. package/dist/index.d.mts +2 -2
  5. package/dist/index.d.ts +2 -2
  6. package/dist/index.js +10 -0
  7. package/dist/index.mjs +1 -1
  8. package/dist/interfaces-cdKh3sLA.d.mts +192 -0
  9. package/dist/interfaces-pNTEOKaK.d.ts +192 -0
  10. package/dist/lib/index.d.mts +1 -1
  11. package/dist/lib/index.d.ts +1 -1
  12. package/dist/lib/index.js +2 -47
  13. package/dist/lib/index.mjs +3 -15
  14. package/dist/passkey-cache-WnDFQ-v4.d.mts +26 -0
  15. package/dist/passkey-cache-WnDFQ-v4.d.ts +26 -0
  16. package/dist/{post-message-C_99BCBh.d.mts → post-message-CmgAfkOS.d.mts} +2 -0
  17. package/dist/{post-message-C_99BCBh.d.ts → post-message-CmgAfkOS.d.ts} +2 -0
  18. package/dist/react/index.d.mts +1 -0
  19. package/dist/react/index.d.ts +1 -0
  20. package/dist/react/index.js +2 -1
  21. package/dist/react/index.mjs +3 -2
  22. package/dist/sdk/index.d.mts +52 -21
  23. package/dist/sdk/index.d.ts +52 -21
  24. package/dist/sdk/index.js +252 -102
  25. package/dist/sdk/index.mjs +241 -80
  26. package/dist/types/index.d.mts +19 -12
  27. package/dist/types/index.d.ts +19 -12
  28. package/dist/utils/index.d.mts +1 -1
  29. package/dist/utils/index.d.ts +1 -1
  30. package/dist/utils/index.js +10 -0
  31. package/dist/utils/index.mjs +1 -1
  32. package/dist/web/index.d.mts +2 -2
  33. package/dist/web/index.d.ts +2 -2
  34. package/dist/web/index.js +50 -114
  35. package/dist/web/index.mjs +51 -58
  36. package/package.json +6 -2
  37. package/dist/interfaces-9k0eKCc4.d.ts +0 -120
  38. package/dist/interfaces-fNhwnCeY.d.mts +0 -120
  39. package/dist/passkey-cache-B9PT3AWX.d.mts +0 -47
  40. package/dist/passkey-cache-B9PT3AWX.d.ts +0 -47
@@ -205,6 +205,23 @@ interface IdentityTokenClaims extends BaseTokenClaims {
205
205
  picture?: string;
206
206
  [key: string]: unknown;
207
207
  }
208
+ /**
209
+ * Presence-token claims. Minted after a verified passkey assertion
210
+ * (the parent-side "step-up" ceremony). Customer backends verify these
211
+ * via the app's JWKS to gate high-risk routes without holding their
212
+ * own session/step-up model. Short-lived (5min by default, server-side
213
+ * configurable).
214
+ *
215
+ * `tt: "presence"` is the type discriminator — the verify primitive
216
+ * rejects anything else, so a long-lived access token cannot be
217
+ * substituted for a presence proof.
218
+ */
219
+ interface PresenceTokenClaims extends BaseTokenClaims {
220
+ /** Token type discriminator. Always "presence" for this shape. */
221
+ tt: "presence";
222
+ /** Base64url credential id of the WebAuthn credential that asserted. */
223
+ cid: string;
224
+ }
208
225
  /** Result of `@moon-x/node-sdk`'s `client.auth.verifySession(...)`. */
209
226
  interface VerifiedSession {
210
227
  access: AccessTokenClaims;
@@ -263,7 +280,6 @@ type Sign7702AuthorizationResponse = Sign7702AuthorizationResult | Sign7702Autho
263
280
  interface EthereumSignMessageParams {
264
281
  message: string;
265
282
  wallet: PublicWallet;
266
- requireFreshAssertion?: boolean;
267
283
  options?: {
268
284
  uiOptions?: {
269
285
  title?: string;
@@ -281,7 +297,6 @@ interface EthereumSignMessageResult {
281
297
  interface EthereumSignTransactionParams {
282
298
  transaction: string;
283
299
  wallet: PublicWallet;
284
- requireFreshAssertion?: boolean;
285
300
  options?: {
286
301
  preflightCommitment?: "finalized" | "confirmed" | "processed";
287
302
  minContextSlot?: number;
@@ -307,7 +322,6 @@ interface EthereumSignTypedDataParams {
307
322
  primaryType: SignTypedDataParams["primaryType"];
308
323
  message: SignTypedDataParams["message"];
309
324
  wallet: PublicWallet;
310
- requireFreshAssertion?: boolean;
311
325
  options?: {
312
326
  uiOptions?: any;
313
327
  };
@@ -318,7 +332,6 @@ interface EthereumSignTypedDataResult {
318
332
  interface EthereumSignHashParams {
319
333
  hash: `0x${string}` | string;
320
334
  wallet: PublicWallet;
321
- requireFreshAssertion?: boolean;
322
335
  options?: {
323
336
  uiOptions?: any;
324
337
  };
@@ -332,7 +345,6 @@ interface EthereumSign7702AuthorizationParams {
332
345
  nonce?: number;
333
346
  executor?: "self" | `0x${string}`;
334
347
  wallet: PublicWallet;
335
- requireFreshAssertion?: boolean;
336
348
  options?: {
337
349
  uiOptions?: any;
338
350
  };
@@ -361,7 +373,6 @@ interface EthereumSendTransactionParams {
361
373
  };
362
374
  wallet: PublicWallet;
363
375
  rpcUrl: string;
364
- requireFreshAssertion?: boolean;
365
376
  options?: {
366
377
  commitment?: TransactionCommitment;
367
378
  skipPreflight?: boolean;
@@ -505,7 +516,6 @@ interface UseFundWalletInterface {
505
516
  interface SolanaSignMessageParams {
506
517
  message: string;
507
518
  wallet: PublicWallet;
508
- requireFreshAssertion?: boolean;
509
519
  options?: {
510
520
  uiOptions?: {
511
521
  title?: string;
@@ -524,7 +534,6 @@ interface SolanaSignMessageResult {
524
534
  interface SolanaSignTransactionParams {
525
535
  transaction: string;
526
536
  wallet: PublicWallet;
527
- requireFreshAssertion?: boolean;
528
537
  options?: {
529
538
  preflightCommitment?: "finalized" | "confirmed" | "processed";
530
539
  minContextSlot?: number;
@@ -547,7 +556,6 @@ interface SolanaSendTransactionParams {
547
556
  transaction: string;
548
557
  wallet: PublicWallet;
549
558
  rpcUrl: string;
550
- requireFreshAssertion?: boolean;
551
559
  options?: {
552
560
  commitment?: TransactionCommitment;
553
561
  skipPreflight?: boolean;
@@ -728,7 +736,6 @@ interface PasskeyEnrollConfig {
728
736
  }
729
737
  interface EmailOtpConfig {
730
738
  skipVerifiedSuccess?: boolean;
731
- expiresIn?: number;
732
739
  verifiedDisplayTime?: number;
733
740
  verifyEmailTitle?: string;
734
741
  verifyEmailResendTitle?: string;
@@ -897,7 +904,6 @@ interface AuthProviderConfig {
897
904
  interface SendEmailOtpRequest {
898
905
  publishableKey: string;
899
906
  email: string;
900
- expiresIn?: number;
901
907
  }
902
908
  interface VerifyEmailOtpRequest {
903
909
  publishableKey: string;
@@ -906,6 +912,7 @@ interface VerifyEmailOtpRequest {
906
912
  }
907
913
  interface SendEmailOtpResponse {
908
914
  ok: boolean;
915
+ expires_at: number;
909
916
  }
910
917
  interface VerifyEmailOtpUser {
911
918
  id: string;
@@ -1187,4 +1194,4 @@ interface WalletVerifyRequest {
1187
1194
  sessionExpiresIn: number;
1188
1195
  }
1189
1196
 
1190
- export { type AccessTokenClaims, type AppConfigRequest, type AppConfigResponse, type AttachOAuthTokenRequest, type AttachOAuthTokenResponse, type AuthAppearance, type AuthFlow, type AuthFlowComponent, type AuthLoginMethod, type AuthProviderConfig, type BaseGetBalanceParams, type BaseGetBalanceResult, type BaseGetTokenAccountsParams, type BaseSendTransactionParams, type BaseSendTransactionResult, type BaseSignMessageParams, type BaseSignMessageResult, type BaseSignTransactionParams, type BaseSignTransactionResult, type BaseTokenClaims, type BaseUIOptions, type BaseWalletHooks, Chain, ChainLikeWithId, type ContractUIOptions, type CreateWalletResponse, type DefaultFundingMethod, type DeleteSessionRequest, type DeleteSessionResponse, type DetachOAuthTokenRequest, type DeviceFingerprint, type DisplayMode, type EmailOtpConfig, type EmailOtpFlowState, type EthereumFundingConfig, type EthereumGetBalanceParams, type EthereumGetBalanceResult, type EthereumGetTokenAccountsByOwnerParams, type EthereumGetTokenAccountsByOwnerResult, type EthereumSendTransactionParams, type EthereumSendTransactionRequest, type EthereumSendTransactionResult, type EthereumSign7702AuthorizationParams, type EthereumSign7702AuthorizationResult, type EthereumSignHashParams, type EthereumSignHashResult, type EthereumSignMessageParams, type EthereumSignMessageResult, type EthereumSignTransactionParams, type EthereumSignTransactionResult, type EthereumSignTypedDataParams, type EthereumSignTypedDataResult, type EthereumSwitchChainParams, type ExportKeyConfig, type Factor, type FlexibleTheme, type FundWalletConfig, type FundingEvents, type FundingMethod, type FundingUIConfig, type GetCurrentSessionRequest, type GetCurrentSessionResponse, type Hex, type IdentityTokenClaims, type IdpProvider, type IsAuthenticatedRequest, type IsAuthenticatedResponse, type LoginTokenBundle, type LogoutRequest, type LogoutResponse, type MessageTypeProperty, type MessageTypes, type MoonKeyThemeConfig, type MoonPaySignRequest, type MoonPaySignResponse, type MpcKeyShares, Network, type OAuthRequest, type OAuthResponse, type OnrampFundingSettings, type PasskeyEnrollConfig, type PasskeySettings, type PreferredCardProvider, type PrefillConfig, type PublicEthereumWallet, type PublicSessionData, type PublicWallet, type RefreshSessionRequest, type RefreshSessionResponse, type RetrieveWalletKeyRequest, type RetrieveWalletKeyResponse, type SdkSettings, type SendEmailOtpRequest, type SendEmailOtpResponse, type SendTransactionConfig, type SendTransactionRequest, type SessionData, type SharesDeviceRequest, type SharesDeviceResponse, type Sign7702AuthorizationError, type Sign7702AuthorizationParams, type Sign7702AuthorizationResponse, type Sign7702AuthorizationResult, type SignMessageConfig, type SignTransactionConfig, type SignTypedDataError, type SignTypedDataParams, type SignTypedDataResponse, type SignTypedDataResult, type SmsSettings, type SolanaChain, type SolanaFundingConfig, type SolanaGetBalanceParams, type SolanaGetBalanceResult, type SolanaGetTokenAccountsByOwnerParams, type SolanaGetTokenAccountsByOwnerResult, type SolanaSendTransactionParams, type SolanaSendTransactionResult, type SolanaSignMessageParams, type SolanaSignMessageResult, type SolanaSignTransactionParams, type SolanaSignTransactionResult, type TransactionCommitment, type TransactionEncoding, type TransactionUIOptions, type TypedMessage, type UseFundWalletInterface, type UsersMePublicResponse, type UsersMeRequest, type UsersMeResponse, type VerifiedSession, type VerifyEmailOtpRequest, type VerifyEmailOtpResponse, type VerifyEmailOtpUser, type VerifyOAuthTokenRequest, type VerifyOAuthTokenResponse, type VerifySiweWalletRegistrationRequest, WALLET_ERROR_CODES, type Wallet, type WalletChain, type WalletChainType, type WalletConnectConfig, WalletCreationError, type WalletError, type WalletErrorCode, type WalletKeyRequest, type WalletListEntry, type WalletRegistrationNonceRequest, type WalletRegistrationNonceResponse, type WalletType, type WalletVerifyRequest };
1197
+ export { type AccessTokenClaims, type AppConfigRequest, type AppConfigResponse, type AttachOAuthTokenRequest, type AttachOAuthTokenResponse, type AuthAppearance, type AuthFlow, type AuthFlowComponent, type AuthLoginMethod, type AuthProviderConfig, type BaseGetBalanceParams, type BaseGetBalanceResult, type BaseGetTokenAccountsParams, type BaseSendTransactionParams, type BaseSendTransactionResult, type BaseSignMessageParams, type BaseSignMessageResult, type BaseSignTransactionParams, type BaseSignTransactionResult, type BaseTokenClaims, type BaseUIOptions, type BaseWalletHooks, Chain, ChainLikeWithId, type ContractUIOptions, type CreateWalletResponse, type DefaultFundingMethod, type DeleteSessionRequest, type DeleteSessionResponse, type DetachOAuthTokenRequest, type DeviceFingerprint, type DisplayMode, type EmailOtpConfig, type EmailOtpFlowState, type EthereumFundingConfig, type EthereumGetBalanceParams, type EthereumGetBalanceResult, type EthereumGetTokenAccountsByOwnerParams, type EthereumGetTokenAccountsByOwnerResult, type EthereumSendTransactionParams, type EthereumSendTransactionRequest, type EthereumSendTransactionResult, type EthereumSign7702AuthorizationParams, type EthereumSign7702AuthorizationResult, type EthereumSignHashParams, type EthereumSignHashResult, type EthereumSignMessageParams, type EthereumSignMessageResult, type EthereumSignTransactionParams, type EthereumSignTransactionResult, type EthereumSignTypedDataParams, type EthereumSignTypedDataResult, type EthereumSwitchChainParams, type ExportKeyConfig, type Factor, type FlexibleTheme, type FundWalletConfig, type FundingEvents, type FundingMethod, type FundingUIConfig, type GetCurrentSessionRequest, type GetCurrentSessionResponse, type Hex, type IdentityTokenClaims, type IdpProvider, type IsAuthenticatedRequest, type IsAuthenticatedResponse, type LoginTokenBundle, type LogoutRequest, type LogoutResponse, type MessageTypeProperty, type MessageTypes, type MoonKeyThemeConfig, type MoonPaySignRequest, type MoonPaySignResponse, type MpcKeyShares, Network, type OAuthRequest, type OAuthResponse, type OnrampFundingSettings, type PasskeyEnrollConfig, type PasskeySettings, type PreferredCardProvider, type PrefillConfig, type PresenceTokenClaims, type PublicEthereumWallet, type PublicSessionData, type PublicWallet, type RefreshSessionRequest, type RefreshSessionResponse, type RetrieveWalletKeyRequest, type RetrieveWalletKeyResponse, type SdkSettings, type SendEmailOtpRequest, type SendEmailOtpResponse, type SendTransactionConfig, type SendTransactionRequest, type SessionData, type SharesDeviceRequest, type SharesDeviceResponse, type Sign7702AuthorizationError, type Sign7702AuthorizationParams, type Sign7702AuthorizationResponse, type Sign7702AuthorizationResult, type SignMessageConfig, type SignTransactionConfig, type SignTypedDataError, type SignTypedDataParams, type SignTypedDataResponse, type SignTypedDataResult, type SmsSettings, type SolanaChain, type SolanaFundingConfig, type SolanaGetBalanceParams, type SolanaGetBalanceResult, type SolanaGetTokenAccountsByOwnerParams, type SolanaGetTokenAccountsByOwnerResult, type SolanaSendTransactionParams, type SolanaSendTransactionResult, type SolanaSignMessageParams, type SolanaSignMessageResult, type SolanaSignTransactionParams, type SolanaSignTransactionResult, type TransactionCommitment, type TransactionEncoding, type TransactionUIOptions, type TypedMessage, type UseFundWalletInterface, type UsersMePublicResponse, type UsersMeRequest, type UsersMeResponse, type VerifiedSession, type VerifyEmailOtpRequest, type VerifyEmailOtpResponse, type VerifyEmailOtpUser, type VerifyOAuthTokenRequest, type VerifyOAuthTokenResponse, type VerifySiweWalletRegistrationRequest, WALLET_ERROR_CODES, type Wallet, type WalletChain, type WalletChainType, type WalletConnectConfig, WalletCreationError, type WalletError, type WalletErrorCode, type WalletKeyRequest, type WalletListEntry, type WalletRegistrationNonceRequest, type WalletRegistrationNonceResponse, type WalletType, type WalletVerifyRequest };
@@ -205,6 +205,23 @@ interface IdentityTokenClaims extends BaseTokenClaims {
205
205
  picture?: string;
206
206
  [key: string]: unknown;
207
207
  }
208
+ /**
209
+ * Presence-token claims. Minted after a verified passkey assertion
210
+ * (the parent-side "step-up" ceremony). Customer backends verify these
211
+ * via the app's JWKS to gate high-risk routes without holding their
212
+ * own session/step-up model. Short-lived (5min by default, server-side
213
+ * configurable).
214
+ *
215
+ * `tt: "presence"` is the type discriminator — the verify primitive
216
+ * rejects anything else, so a long-lived access token cannot be
217
+ * substituted for a presence proof.
218
+ */
219
+ interface PresenceTokenClaims extends BaseTokenClaims {
220
+ /** Token type discriminator. Always "presence" for this shape. */
221
+ tt: "presence";
222
+ /** Base64url credential id of the WebAuthn credential that asserted. */
223
+ cid: string;
224
+ }
208
225
  /** Result of `@moon-x/node-sdk`'s `client.auth.verifySession(...)`. */
209
226
  interface VerifiedSession {
210
227
  access: AccessTokenClaims;
@@ -263,7 +280,6 @@ type Sign7702AuthorizationResponse = Sign7702AuthorizationResult | Sign7702Autho
263
280
  interface EthereumSignMessageParams {
264
281
  message: string;
265
282
  wallet: PublicWallet;
266
- requireFreshAssertion?: boolean;
267
283
  options?: {
268
284
  uiOptions?: {
269
285
  title?: string;
@@ -281,7 +297,6 @@ interface EthereumSignMessageResult {
281
297
  interface EthereumSignTransactionParams {
282
298
  transaction: string;
283
299
  wallet: PublicWallet;
284
- requireFreshAssertion?: boolean;
285
300
  options?: {
286
301
  preflightCommitment?: "finalized" | "confirmed" | "processed";
287
302
  minContextSlot?: number;
@@ -307,7 +322,6 @@ interface EthereumSignTypedDataParams {
307
322
  primaryType: SignTypedDataParams["primaryType"];
308
323
  message: SignTypedDataParams["message"];
309
324
  wallet: PublicWallet;
310
- requireFreshAssertion?: boolean;
311
325
  options?: {
312
326
  uiOptions?: any;
313
327
  };
@@ -318,7 +332,6 @@ interface EthereumSignTypedDataResult {
318
332
  interface EthereumSignHashParams {
319
333
  hash: `0x${string}` | string;
320
334
  wallet: PublicWallet;
321
- requireFreshAssertion?: boolean;
322
335
  options?: {
323
336
  uiOptions?: any;
324
337
  };
@@ -332,7 +345,6 @@ interface EthereumSign7702AuthorizationParams {
332
345
  nonce?: number;
333
346
  executor?: "self" | `0x${string}`;
334
347
  wallet: PublicWallet;
335
- requireFreshAssertion?: boolean;
336
348
  options?: {
337
349
  uiOptions?: any;
338
350
  };
@@ -361,7 +373,6 @@ interface EthereumSendTransactionParams {
361
373
  };
362
374
  wallet: PublicWallet;
363
375
  rpcUrl: string;
364
- requireFreshAssertion?: boolean;
365
376
  options?: {
366
377
  commitment?: TransactionCommitment;
367
378
  skipPreflight?: boolean;
@@ -505,7 +516,6 @@ interface UseFundWalletInterface {
505
516
  interface SolanaSignMessageParams {
506
517
  message: string;
507
518
  wallet: PublicWallet;
508
- requireFreshAssertion?: boolean;
509
519
  options?: {
510
520
  uiOptions?: {
511
521
  title?: string;
@@ -524,7 +534,6 @@ interface SolanaSignMessageResult {
524
534
  interface SolanaSignTransactionParams {
525
535
  transaction: string;
526
536
  wallet: PublicWallet;
527
- requireFreshAssertion?: boolean;
528
537
  options?: {
529
538
  preflightCommitment?: "finalized" | "confirmed" | "processed";
530
539
  minContextSlot?: number;
@@ -547,7 +556,6 @@ interface SolanaSendTransactionParams {
547
556
  transaction: string;
548
557
  wallet: PublicWallet;
549
558
  rpcUrl: string;
550
- requireFreshAssertion?: boolean;
551
559
  options?: {
552
560
  commitment?: TransactionCommitment;
553
561
  skipPreflight?: boolean;
@@ -728,7 +736,6 @@ interface PasskeyEnrollConfig {
728
736
  }
729
737
  interface EmailOtpConfig {
730
738
  skipVerifiedSuccess?: boolean;
731
- expiresIn?: number;
732
739
  verifiedDisplayTime?: number;
733
740
  verifyEmailTitle?: string;
734
741
  verifyEmailResendTitle?: string;
@@ -897,7 +904,6 @@ interface AuthProviderConfig {
897
904
  interface SendEmailOtpRequest {
898
905
  publishableKey: string;
899
906
  email: string;
900
- expiresIn?: number;
901
907
  }
902
908
  interface VerifyEmailOtpRequest {
903
909
  publishableKey: string;
@@ -906,6 +912,7 @@ interface VerifyEmailOtpRequest {
906
912
  }
907
913
  interface SendEmailOtpResponse {
908
914
  ok: boolean;
915
+ expires_at: number;
909
916
  }
910
917
  interface VerifyEmailOtpUser {
911
918
  id: string;
@@ -1187,4 +1194,4 @@ interface WalletVerifyRequest {
1187
1194
  sessionExpiresIn: number;
1188
1195
  }
1189
1196
 
1190
- export { type AccessTokenClaims, type AppConfigRequest, type AppConfigResponse, type AttachOAuthTokenRequest, type AttachOAuthTokenResponse, type AuthAppearance, type AuthFlow, type AuthFlowComponent, type AuthLoginMethod, type AuthProviderConfig, type BaseGetBalanceParams, type BaseGetBalanceResult, type BaseGetTokenAccountsParams, type BaseSendTransactionParams, type BaseSendTransactionResult, type BaseSignMessageParams, type BaseSignMessageResult, type BaseSignTransactionParams, type BaseSignTransactionResult, type BaseTokenClaims, type BaseUIOptions, type BaseWalletHooks, Chain, ChainLikeWithId, type ContractUIOptions, type CreateWalletResponse, type DefaultFundingMethod, type DeleteSessionRequest, type DeleteSessionResponse, type DetachOAuthTokenRequest, type DeviceFingerprint, type DisplayMode, type EmailOtpConfig, type EmailOtpFlowState, type EthereumFundingConfig, type EthereumGetBalanceParams, type EthereumGetBalanceResult, type EthereumGetTokenAccountsByOwnerParams, type EthereumGetTokenAccountsByOwnerResult, type EthereumSendTransactionParams, type EthereumSendTransactionRequest, type EthereumSendTransactionResult, type EthereumSign7702AuthorizationParams, type EthereumSign7702AuthorizationResult, type EthereumSignHashParams, type EthereumSignHashResult, type EthereumSignMessageParams, type EthereumSignMessageResult, type EthereumSignTransactionParams, type EthereumSignTransactionResult, type EthereumSignTypedDataParams, type EthereumSignTypedDataResult, type EthereumSwitchChainParams, type ExportKeyConfig, type Factor, type FlexibleTheme, type FundWalletConfig, type FundingEvents, type FundingMethod, type FundingUIConfig, type GetCurrentSessionRequest, type GetCurrentSessionResponse, type Hex, type IdentityTokenClaims, type IdpProvider, type IsAuthenticatedRequest, type IsAuthenticatedResponse, type LoginTokenBundle, type LogoutRequest, type LogoutResponse, type MessageTypeProperty, type MessageTypes, type MoonKeyThemeConfig, type MoonPaySignRequest, type MoonPaySignResponse, type MpcKeyShares, Network, type OAuthRequest, type OAuthResponse, type OnrampFundingSettings, type PasskeyEnrollConfig, type PasskeySettings, type PreferredCardProvider, type PrefillConfig, type PublicEthereumWallet, type PublicSessionData, type PublicWallet, type RefreshSessionRequest, type RefreshSessionResponse, type RetrieveWalletKeyRequest, type RetrieveWalletKeyResponse, type SdkSettings, type SendEmailOtpRequest, type SendEmailOtpResponse, type SendTransactionConfig, type SendTransactionRequest, type SessionData, type SharesDeviceRequest, type SharesDeviceResponse, type Sign7702AuthorizationError, type Sign7702AuthorizationParams, type Sign7702AuthorizationResponse, type Sign7702AuthorizationResult, type SignMessageConfig, type SignTransactionConfig, type SignTypedDataError, type SignTypedDataParams, type SignTypedDataResponse, type SignTypedDataResult, type SmsSettings, type SolanaChain, type SolanaFundingConfig, type SolanaGetBalanceParams, type SolanaGetBalanceResult, type SolanaGetTokenAccountsByOwnerParams, type SolanaGetTokenAccountsByOwnerResult, type SolanaSendTransactionParams, type SolanaSendTransactionResult, type SolanaSignMessageParams, type SolanaSignMessageResult, type SolanaSignTransactionParams, type SolanaSignTransactionResult, type TransactionCommitment, type TransactionEncoding, type TransactionUIOptions, type TypedMessage, type UseFundWalletInterface, type UsersMePublicResponse, type UsersMeRequest, type UsersMeResponse, type VerifiedSession, type VerifyEmailOtpRequest, type VerifyEmailOtpResponse, type VerifyEmailOtpUser, type VerifyOAuthTokenRequest, type VerifyOAuthTokenResponse, type VerifySiweWalletRegistrationRequest, WALLET_ERROR_CODES, type Wallet, type WalletChain, type WalletChainType, type WalletConnectConfig, WalletCreationError, type WalletError, type WalletErrorCode, type WalletKeyRequest, type WalletListEntry, type WalletRegistrationNonceRequest, type WalletRegistrationNonceResponse, type WalletType, type WalletVerifyRequest };
1197
+ export { type AccessTokenClaims, type AppConfigRequest, type AppConfigResponse, type AttachOAuthTokenRequest, type AttachOAuthTokenResponse, type AuthAppearance, type AuthFlow, type AuthFlowComponent, type AuthLoginMethod, type AuthProviderConfig, type BaseGetBalanceParams, type BaseGetBalanceResult, type BaseGetTokenAccountsParams, type BaseSendTransactionParams, type BaseSendTransactionResult, type BaseSignMessageParams, type BaseSignMessageResult, type BaseSignTransactionParams, type BaseSignTransactionResult, type BaseTokenClaims, type BaseUIOptions, type BaseWalletHooks, Chain, ChainLikeWithId, type ContractUIOptions, type CreateWalletResponse, type DefaultFundingMethod, type DeleteSessionRequest, type DeleteSessionResponse, type DetachOAuthTokenRequest, type DeviceFingerprint, type DisplayMode, type EmailOtpConfig, type EmailOtpFlowState, type EthereumFundingConfig, type EthereumGetBalanceParams, type EthereumGetBalanceResult, type EthereumGetTokenAccountsByOwnerParams, type EthereumGetTokenAccountsByOwnerResult, type EthereumSendTransactionParams, type EthereumSendTransactionRequest, type EthereumSendTransactionResult, type EthereumSign7702AuthorizationParams, type EthereumSign7702AuthorizationResult, type EthereumSignHashParams, type EthereumSignHashResult, type EthereumSignMessageParams, type EthereumSignMessageResult, type EthereumSignTransactionParams, type EthereumSignTransactionResult, type EthereumSignTypedDataParams, type EthereumSignTypedDataResult, type EthereumSwitchChainParams, type ExportKeyConfig, type Factor, type FlexibleTheme, type FundWalletConfig, type FundingEvents, type FundingMethod, type FundingUIConfig, type GetCurrentSessionRequest, type GetCurrentSessionResponse, type Hex, type IdentityTokenClaims, type IdpProvider, type IsAuthenticatedRequest, type IsAuthenticatedResponse, type LoginTokenBundle, type LogoutRequest, type LogoutResponse, type MessageTypeProperty, type MessageTypes, type MoonKeyThemeConfig, type MoonPaySignRequest, type MoonPaySignResponse, type MpcKeyShares, Network, type OAuthRequest, type OAuthResponse, type OnrampFundingSettings, type PasskeyEnrollConfig, type PasskeySettings, type PreferredCardProvider, type PrefillConfig, type PresenceTokenClaims, type PublicEthereumWallet, type PublicSessionData, type PublicWallet, type RefreshSessionRequest, type RefreshSessionResponse, type RetrieveWalletKeyRequest, type RetrieveWalletKeyResponse, type SdkSettings, type SendEmailOtpRequest, type SendEmailOtpResponse, type SendTransactionConfig, type SendTransactionRequest, type SessionData, type SharesDeviceRequest, type SharesDeviceResponse, type Sign7702AuthorizationError, type Sign7702AuthorizationParams, type Sign7702AuthorizationResponse, type Sign7702AuthorizationResult, type SignMessageConfig, type SignTransactionConfig, type SignTypedDataError, type SignTypedDataParams, type SignTypedDataResponse, type SignTypedDataResult, type SmsSettings, type SolanaChain, type SolanaFundingConfig, type SolanaGetBalanceParams, type SolanaGetBalanceResult, type SolanaGetTokenAccountsByOwnerParams, type SolanaGetTokenAccountsByOwnerResult, type SolanaSendTransactionParams, type SolanaSendTransactionResult, type SolanaSignMessageParams, type SolanaSignMessageResult, type SolanaSignTransactionParams, type SolanaSignTransactionResult, type TransactionCommitment, type TransactionEncoding, type TransactionUIOptions, type TypedMessage, type UseFundWalletInterface, type UsersMePublicResponse, type UsersMeRequest, type UsersMeResponse, type VerifiedSession, type VerifyEmailOtpRequest, type VerifyEmailOtpResponse, type VerifyEmailOtpUser, type VerifyOAuthTokenRequest, type VerifyOAuthTokenResponse, type VerifySiweWalletRegistrationRequest, WALLET_ERROR_CODES, type Wallet, type WalletChain, type WalletChainType, type WalletConnectConfig, WalletCreationError, type WalletError, type WalletErrorCode, type WalletKeyRequest, type WalletListEntry, type WalletRegistrationNonceRequest, type WalletRegistrationNonceResponse, type WalletType, type WalletVerifyRequest };
@@ -1,4 +1,4 @@
1
- export { F as FORWARDED_ERROR_FIELDS, P as PostMessageClient, a as PostMessageMethod, b as PostMessageServer, c as PostMessageType } from '../post-message-C_99BCBh.mjs';
1
+ export { F as FORWARDED_ERROR_FIELDS, P as PostMessageClient, a as PostMessageMethod, b as PostMessageServer, c as PostMessageType } from '../post-message-CmgAfkOS.mjs';
2
2
 
3
3
  /**
4
4
  * Get the appropriate MoonKey API URL based on environment configuration
@@ -1,4 +1,4 @@
1
- export { F as FORWARDED_ERROR_FIELDS, P as PostMessageClient, a as PostMessageMethod, b as PostMessageServer, c as PostMessageType } from '../post-message-C_99BCBh.js';
1
+ export { F as FORWARDED_ERROR_FIELDS, P as PostMessageClient, a as PostMessageMethod, b as PostMessageServer, c as PostMessageType } from '../post-message-CmgAfkOS.js';
2
2
 
3
3
  /**
4
4
  * Get the appropriate MoonKey API URL based on environment configuration
@@ -156,6 +156,16 @@ var PostMessageMethod = {
156
156
  // begin/verify HTTP calls (where the session JWT lives).
157
157
  PASSKEY_REGISTER_BEGIN: "PASSKEY_REGISTER_BEGIN",
158
158
  PASSKEY_REGISTER_VERIFY: "PASSKEY_REGISTER_VERIFY",
159
+ // Passkey-asserted step-up ("presence token"). Same split as register:
160
+ // parent owns the WebAuthn API call; iframe owns the begin/verify
161
+ // HTTP halves (where the session JWT lives). Mints a short-lived
162
+ // (`tt:"presence"`) JWT app backends can verify over JWKS.
163
+ // CRITICAL: parent MUST strip response.userHandle from the assertion
164
+ // before posting PASSKEY_PRESENCE_VERIFY. The userHandle carries DEK
165
+ // material in MoonX's overloaded model and has no business reaching
166
+ // the server. The server also defensively never reads it.
167
+ PASSKEY_PRESENCE_BEGIN: "PASSKEY_PRESENCE_BEGIN",
168
+ PASSKEY_PRESENCE_VERIFY: "PASSKEY_PRESENCE_VERIFY",
159
169
  GET_PASSKEY_STATUS: "GET_PASSKEY_STATUS",
160
170
  // Parent-side passkey assertion plumbing. Parent calls GET_DEK_INFO
161
171
  // to learn which credential IDs to put in allowCredentials and to
@@ -9,7 +9,7 @@ import {
9
9
  PostMessageMethod,
10
10
  PostMessageServer,
11
11
  PostMessageType
12
- } from "../chunk-SOKLPX7V.mjs";
12
+ } from "../chunk-VVL65GIB.mjs";
13
13
  import {
14
14
  getMoonKeyApiUrl
15
15
  } from "../chunk-GQKIA37O.mjs";
@@ -1,5 +1,5 @@
1
- import { P as PostMessageClient } from '../post-message-C_99BCBh.mjs';
2
- import { T as Transport, P as PasskeyAssertor, K as KvStorage } from '../interfaces-fNhwnCeY.mjs';
1
+ import { P as PostMessageClient } from '../post-message-CmgAfkOS.mjs';
2
+ import { T as Transport, P as PasskeyAssertor, K as KvStorage } from '../interfaces-cdKh3sLA.mjs';
3
3
 
4
4
  declare const getCachedPostMessageClient: (contentWindow: Window) => PostMessageClient;
5
5
  /**
@@ -1,5 +1,5 @@
1
- import { P as PostMessageClient } from '../post-message-C_99BCBh.js';
2
- import { T as Transport, P as PasskeyAssertor, K as KvStorage } from '../interfaces-9k0eKCc4.js';
1
+ import { P as PostMessageClient } from '../post-message-CmgAfkOS.js';
2
+ import { T as Transport, P as PasskeyAssertor, K as KvStorage } from '../interfaces-pNTEOKaK.js';
3
3
 
4
4
  declare const getCachedPostMessageClient: (contentWindow: Window) => PostMessageClient;
5
5
  /**
package/dist/web/index.js CHANGED
@@ -1,9 +1,7 @@
1
1
  "use strict";
2
- var __create = Object.create;
3
2
  var __defProp = Object.defineProperty;
4
3
  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
5
4
  var __getOwnPropNames = Object.getOwnPropertyNames;
6
- var __getProtoOf = Object.getPrototypeOf;
7
5
  var __hasOwnProp = Object.prototype.hasOwnProperty;
8
6
  var __export = (target, all) => {
9
7
  for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
17
15
  }
18
16
  return to;
19
17
  };
20
- var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
21
- // If the importer is in node compatibility mode or this is not an ESM
22
- // file that has been converted to a CommonJS file using a Babel-
23
- // compatible transform (i.e. "__esModule" has not been set), then set
24
- // "default" to the CommonJS "module.exports" for node compatibility.
25
- isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
26
- mod
27
- ));
28
18
  var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
29
19
 
30
20
  // src/web/index.ts
@@ -310,126 +300,72 @@ var createIframeTransport = ({
310
300
  isReady
311
301
  });
312
302
 
313
- // src/lib/auth/authentication-state.ts
314
- var AuthenticationState = class {
315
- constructor() {
316
- this.email = null;
317
- }
318
- setEmail(email) {
319
- this.email = email;
320
- }
321
- getEmail() {
322
- return this.email;
323
- }
324
- clearEmail() {
325
- this.email = null;
326
- }
327
- clear() {
328
- this.clearEmail();
329
- }
330
- };
331
- var authState = new AuthenticationState();
332
-
333
- // src/lib/passkey/passkey-codec.ts
334
- var fromB64url = (b64url) => {
335
- const base64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
336
- const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
337
- const binary = atob(padded);
338
- const bytes = new Uint8Array(binary.length);
339
- for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
340
- return bytes;
341
- };
342
- var toB64url = (bytes) => {
343
- let str = "";
344
- for (let i = 0; i < bytes.length; i++) str += String.fromCharCode(bytes[i]);
345
- return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
346
- };
347
-
348
- // src/lib/ethereum/chains.ts
349
- var import_viem = require("viem");
350
-
351
- // src/lib/ethereum/siwe.ts
352
- var import_siwe = require("siwe");
353
- var import_viem2 = require("viem");
354
-
355
- // src/lib/ethereum/tx-prep.ts
356
- var import_viem3 = require("viem");
357
-
358
- // src/lib/solana/siws.ts
359
- var nacl = __toESM(require("tweetnacl"));
360
-
361
- // src/lib/solana/transaction-log-parser.ts
362
- var import_web3 = require("@solana/web3.js");
363
- var import_bn = __toESM(require("bn.js"));
364
-
365
303
  // src/web/webauthn-passkey.ts
304
+ var import_browser = require("@simplewebauthn/browser");
366
305
  var createWebAuthnPasskey = () => ({
367
306
  assert: async ({ rpId, challenge }) => {
368
- const challengeBytes = fromB64url(challenge);
369
- const credential = await navigator.credentials.get({
370
- publicKey: {
371
- challenge: challengeBytes,
307
+ const result = await (0, import_browser.startAuthentication)({
308
+ optionsJSON: {
309
+ challenge,
372
310
  rpId,
373
311
  userVerification: "preferred",
374
- // Empty allowCredentials → discoverable login → userHandle is
375
- // REQUIRED on the response. See `parent-passkey-assert.ts`
376
- // for the full rationale.
377
312
  allowCredentials: []
378
313
  }
379
314
  });
380
- if (!credential) throw new Error("passkey_assertion_cancelled");
381
- const assertion = credential.response;
382
- if (!assertion.userHandle) {
315
+ if (!result.response.userHandle) {
383
316
  throw new Error("user_handle_missing");
384
317
  }
385
318
  return {
386
- rawIdB64url: toB64url(new Uint8Array(credential.rawId)),
387
- userHandleB64url: toB64url(new Uint8Array(assertion.userHandle))
319
+ rawIdB64url: result.rawId,
320
+ userHandleB64url: result.response.userHandle
388
321
  };
389
322
  },
390
- create: async ({
391
- rpId,
392
- rpName,
393
- userId,
394
- userName,
395
- userDisplayName,
396
- challenge,
397
- excludeCredentials
398
- }) => {
399
- const challengeBytes = fromB64url(challenge);
400
- const credential = await navigator.credentials.create({
401
- publicKey: {
402
- rp: { id: rpId, name: rpName },
403
- user: {
404
- id: userId,
405
- name: userName,
406
- displayName: userDisplayName
407
- },
408
- challenge: challengeBytes,
409
- pubKeyCredParams: [
410
- { type: "public-key", alg: -7 },
411
- // ES256
412
- { type: "public-key", alg: -257 }
413
- // RS256
414
- ],
415
- authenticatorSelection: {
416
- residentKey: "required",
417
- userVerification: "preferred"
418
- },
419
- excludeCredentials: (excludeCredentials ?? []).map((id) => ({
420
- id: fromB64url(id),
421
- type: "public-key"
422
- }))
323
+ assertForServer: async ({ optionsJSON }) => {
324
+ const result = await (0, import_browser.startAuthentication)({
325
+ optionsJSON
326
+ });
327
+ const sanitized = {
328
+ id: result.id,
329
+ rawId: result.rawId,
330
+ type: result.type,
331
+ response: {
332
+ clientDataJSON: result.response.clientDataJSON,
333
+ authenticatorData: result.response.authenticatorData,
334
+ signature: result.response.signature,
335
+ userHandle: void 0
336
+ },
337
+ clientExtensionResults: result.clientExtensionResults,
338
+ authenticatorAttachment: result.authenticatorAttachment
339
+ };
340
+ return sanitized;
341
+ },
342
+ assertForInternalPresence: async ({ optionsJSON }) => {
343
+ const result = await (0, import_browser.startAuthentication)({
344
+ optionsJSON: {
345
+ ...optionsJSON,
346
+ allowCredentials: []
423
347
  }
424
348
  });
425
- if (!credential) throw new Error("passkey_registration_cancelled");
426
- const attestation = credential.response;
349
+ if (!result.response.userHandle) {
350
+ throw new Error("user_handle_missing");
351
+ }
352
+ const sanitized = {
353
+ id: result.id,
354
+ rawId: result.rawId,
355
+ type: result.type,
356
+ response: {
357
+ clientDataJSON: result.response.clientDataJSON,
358
+ authenticatorData: result.response.authenticatorData,
359
+ signature: result.response.signature,
360
+ userHandle: void 0
361
+ },
362
+ clientExtensionResults: result.clientExtensionResults,
363
+ authenticatorAttachment: result.authenticatorAttachment
364
+ };
427
365
  return {
428
- rawIdB64url: toB64url(new Uint8Array(credential.rawId)),
429
- clientDataJSONB64url: toB64url(new Uint8Array(attestation.clientDataJSON)),
430
- attestationObjectB64url: toB64url(
431
- new Uint8Array(attestation.attestationObject)
432
- )
366
+ response: sanitized,
367
+ userHandleB64url: result.response.userHandle,
368
+ credentialIdB64url: result.rawId
433
369
  };
434
370
  }
435
371
  });
@@ -5,12 +5,7 @@ import {
5
5
  import {
6
6
  PostMessageClient,
7
7
  PostMessageServer
8
- } from "../chunk-SOKLPX7V.mjs";
9
- import {
10
- fromB64url,
11
- toB64url
12
- } from "../chunk-CDT4MC7S.mjs";
13
- import "../chunk-GQKIA37O.mjs";
8
+ } from "../chunk-VVL65GIB.mjs";
14
9
 
15
10
  // src/web/iframe-transport.ts
16
11
  var clientCache = /* @__PURE__ */ new WeakMap();
@@ -49,73 +44,71 @@ var createIframeTransport = ({
49
44
  });
50
45
 
51
46
  // src/web/webauthn-passkey.ts
47
+ import { startAuthentication } from "@simplewebauthn/browser";
52
48
  var createWebAuthnPasskey = () => ({
53
49
  assert: async ({ rpId, challenge }) => {
54
- const challengeBytes = fromB64url(challenge);
55
- const credential = await navigator.credentials.get({
56
- publicKey: {
57
- challenge: challengeBytes,
50
+ const result = await startAuthentication({
51
+ optionsJSON: {
52
+ challenge,
58
53
  rpId,
59
54
  userVerification: "preferred",
60
- // Empty allowCredentials → discoverable login → userHandle is
61
- // REQUIRED on the response. See `parent-passkey-assert.ts`
62
- // for the full rationale.
63
55
  allowCredentials: []
64
56
  }
65
57
  });
66
- if (!credential) throw new Error("passkey_assertion_cancelled");
67
- const assertion = credential.response;
68
- if (!assertion.userHandle) {
58
+ if (!result.response.userHandle) {
69
59
  throw new Error("user_handle_missing");
70
60
  }
71
61
  return {
72
- rawIdB64url: toB64url(new Uint8Array(credential.rawId)),
73
- userHandleB64url: toB64url(new Uint8Array(assertion.userHandle))
62
+ rawIdB64url: result.rawId,
63
+ userHandleB64url: result.response.userHandle
64
+ };
65
+ },
66
+ assertForServer: async ({ optionsJSON }) => {
67
+ const result = await startAuthentication({
68
+ optionsJSON
69
+ });
70
+ const sanitized = {
71
+ id: result.id,
72
+ rawId: result.rawId,
73
+ type: result.type,
74
+ response: {
75
+ clientDataJSON: result.response.clientDataJSON,
76
+ authenticatorData: result.response.authenticatorData,
77
+ signature: result.response.signature,
78
+ userHandle: void 0
79
+ },
80
+ clientExtensionResults: result.clientExtensionResults,
81
+ authenticatorAttachment: result.authenticatorAttachment
74
82
  };
83
+ return sanitized;
75
84
  },
76
- create: async ({
77
- rpId,
78
- rpName,
79
- userId,
80
- userName,
81
- userDisplayName,
82
- challenge,
83
- excludeCredentials
84
- }) => {
85
- const challengeBytes = fromB64url(challenge);
86
- const credential = await navigator.credentials.create({
87
- publicKey: {
88
- rp: { id: rpId, name: rpName },
89
- user: {
90
- id: userId,
91
- name: userName,
92
- displayName: userDisplayName
93
- },
94
- challenge: challengeBytes,
95
- pubKeyCredParams: [
96
- { type: "public-key", alg: -7 },
97
- // ES256
98
- { type: "public-key", alg: -257 }
99
- // RS256
100
- ],
101
- authenticatorSelection: {
102
- residentKey: "required",
103
- userVerification: "preferred"
104
- },
105
- excludeCredentials: (excludeCredentials ?? []).map((id) => ({
106
- id: fromB64url(id),
107
- type: "public-key"
108
- }))
85
+ assertForInternalPresence: async ({ optionsJSON }) => {
86
+ const result = await startAuthentication({
87
+ optionsJSON: {
88
+ ...optionsJSON,
89
+ allowCredentials: []
109
90
  }
110
91
  });
111
- if (!credential) throw new Error("passkey_registration_cancelled");
112
- const attestation = credential.response;
92
+ if (!result.response.userHandle) {
93
+ throw new Error("user_handle_missing");
94
+ }
95
+ const sanitized = {
96
+ id: result.id,
97
+ rawId: result.rawId,
98
+ type: result.type,
99
+ response: {
100
+ clientDataJSON: result.response.clientDataJSON,
101
+ authenticatorData: result.response.authenticatorData,
102
+ signature: result.response.signature,
103
+ userHandle: void 0
104
+ },
105
+ clientExtensionResults: result.clientExtensionResults,
106
+ authenticatorAttachment: result.authenticatorAttachment
107
+ };
113
108
  return {
114
- rawIdB64url: toB64url(new Uint8Array(credential.rawId)),
115
- clientDataJSONB64url: toB64url(new Uint8Array(attestation.clientDataJSON)),
116
- attestationObjectB64url: toB64url(
117
- new Uint8Array(attestation.attestationObject)
118
- )
109
+ response: sanitized,
110
+ userHandleB64url: result.response.userHandle,
111
+ credentialIdB64url: result.rawId
119
112
  };
120
113
  }
121
114
  });