@moon-x/core 0.3.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/README.md +1 -1
  2. package/dist/{chunk-CDT4MC7S.mjs → chunk-I56GRKAG.mjs} +19 -39
  3. package/dist/{chunk-VVL65GIB.mjs → chunk-JU5MWLXH.mjs} +14 -0
  4. package/dist/index.d.mts +2 -3
  5. package/dist/index.d.ts +2 -3
  6. package/dist/index.js +14 -0
  7. package/dist/index.mjs +1 -1
  8. package/dist/{interfaces-Bm7fGOAI.d.ts → interfaces-1vfik3Ef.d.ts} +24 -1
  9. package/dist/{interfaces-CYtJHALV.d.mts → interfaces-BdIeMGGD.d.mts} +24 -1
  10. package/dist/lib/index.d.mts +33 -3
  11. package/dist/lib/index.d.ts +33 -3
  12. package/dist/lib/index.js +23 -47
  13. package/dist/lib/index.mjs +7 -15
  14. package/dist/passkey-cache-WnDFQ-v4.d.mts +26 -0
  15. package/dist/passkey-cache-WnDFQ-v4.d.ts +26 -0
  16. package/dist/{post-message-CmgAfkOS.d.mts → post-message-Z6cLf0mS.d.mts} +3 -0
  17. package/dist/{post-message-CmgAfkOS.d.ts → post-message-Z6cLf0mS.d.ts} +3 -0
  18. package/dist/react/ethereum.d.mts +0 -1
  19. package/dist/react/ethereum.d.ts +0 -1
  20. package/dist/react/index.d.mts +41 -3
  21. package/dist/react/index.d.ts +41 -3
  22. package/dist/react/index.js +138 -12
  23. package/dist/react/index.mjs +137 -12
  24. package/dist/react/solana.d.mts +0 -1
  25. package/dist/react/solana.d.ts +0 -1
  26. package/dist/sdk/index.d.mts +87 -16
  27. package/dist/sdk/index.d.ts +87 -16
  28. package/dist/sdk/index.js +456 -102
  29. package/dist/sdk/index.mjs +440 -80
  30. package/dist/types/index.d.mts +135 -12
  31. package/dist/types/index.d.ts +135 -12
  32. package/dist/utils/index.d.mts +1 -1
  33. package/dist/utils/index.d.ts +1 -1
  34. package/dist/utils/index.js +14 -0
  35. package/dist/utils/index.mjs +1 -1
  36. package/dist/web/index.d.mts +2 -2
  37. package/dist/web/index.d.ts +2 -2
  38. package/dist/web/index.js +29 -0
  39. package/dist/web/index.mjs +30 -1
  40. package/package.json +3 -1
  41. package/dist/chain-C9dvKXUY.d.mts +0 -48
  42. package/dist/chain-C9dvKXUY.d.ts +0 -48
  43. package/dist/passkey-cache-B9PT3AWX.d.mts +0 -47
  44. package/dist/passkey-cache-B9PT3AWX.d.ts +0 -47
package/README.md CHANGED
@@ -18,7 +18,7 @@ This package owns everything that's identical between web and mobile:
18
18
  - **Headless SDK factories** (`@moon-x/core/sdk`) — platform-agnostic implementations of `signMessage`, `signTransaction`, `sendTransaction`, etc. that take a `Transport` + `PasskeyAssertor` + `KvStorage` via DI. Web and RN both wire their platform impls into these factories.
19
19
  - **Web platform impls** (`@moon-x/core/web`) — `createIframeTransport`, `createWebAuthnPasskey`, `createLocalStorageKv`. React-native has its own equivalents inside `@moon-x/react-native-sdk/platform/*`.
20
20
  - **Shared React hooks** (`@moon-x/core/react`) — hooks that run identically on web + RN (`useUser`, `useWallets`, `useLogout`, `useLoginWithEmail`, `usePasskeyStatus`, `useAddPasskey`, `useRemovePasskey`, `useCreateWallet`, `useImportKey`, plus per-chain hooks under `@moon-x/core/react/ethereum` and `@moon-x/core/react/solana`). The platform SDKs re-export these directly so consumers never import from core.
21
- - **Pure utilities** (`@moon-x/core/lib`) — EVM chain/gas helpers (`getEvmGasPrice`, `estimateEvmGas`, `getEvmNonce`, `chains`), `prepareEvmSignTransaction` / `prepareEvmSendTransaction` (chain + RPC + nonce/gas/fee auto-fill), SIWE/SIWS message builders, passkey codec + cache (safe-by-default TTL=0; integrator opts in via `setAssertCacheTtlMs`) + AAGUID registry, Solana transaction log parser, etc.
21
+ - **Pure utilities** (`@moon-x/core/lib`) — EVM chain/gas helpers (`getEvmGasPrice`, `estimateEvmGas`, `getEvmNonce`, `chains`), `prepareEvmSignTransaction` / `prepareEvmSendTransaction` (chain + RPC + nonce/gas/fee auto-fill), SIWE/SIWS message builders, passkey codec + `generatePasskeyUserId`, AAGUID registry, Solana transaction log parser, etc. (The parent-side passkey-assertion cache was removed in Phase 4 of the presence-token gating work every sensitive op now mints scope-bound single-use tokens via `getInternalPresenceTokens`.)
22
22
 
23
23
  ## Subpath exports
24
24
 
@@ -100,39 +100,6 @@ var toB64url = (bytes) => {
100
100
  };
101
101
 
102
102
  // src/lib/passkey/passkey-cache.ts
103
- var cacheTtlMs = 0;
104
- var cache = null;
105
- var setAssertCacheTtlMs = (ms) => {
106
- cacheTtlMs = Math.max(0, Math.floor(ms));
107
- if (cacheTtlMs === 0) {
108
- cache = null;
109
- }
110
- };
111
- var getAssertCacheTtlMs = () => cacheTtlMs;
112
- var clearParentAssertCache = () => {
113
- cache = null;
114
- };
115
- var readParentAssertCache = () => {
116
- if (cacheTtlMs <= 0) return null;
117
- if (!cache) return null;
118
- if (Date.now() - cache.ts >= cacheTtlMs) return null;
119
- return {
120
- userHandleB64url: cache.userHandleB64url,
121
- credentialIdB64url: cache.credentialIdB64url
122
- };
123
- };
124
- var writeParentAssertCache = (entry) => {
125
- if (cacheTtlMs <= 0) return;
126
- cache = { ...entry, ts: Date.now() };
127
- };
128
- var withClearOnFailure = async (fn) => {
129
- try {
130
- return await fn();
131
- } catch (error) {
132
- clearParentAssertCache();
133
- throw error;
134
- }
135
- };
136
103
  var generatePasskeyUserId = () => {
137
104
  const bytes = crypto.getRandomValues(new Uint8Array(32));
138
105
  return { userIdB64url: toB64url(bytes), userIdBytes: bytes };
@@ -1458,6 +1425,23 @@ var broadcastSolanaSigned = async (rpcUrl, signedBase58) => {
1458
1425
  return result.result;
1459
1426
  };
1460
1427
 
1428
+ // src/lib/wallet-algorithm.ts
1429
+ function canonicalAlgorithmFor(chain) {
1430
+ switch (chain) {
1431
+ case "ethereum":
1432
+ return "ecdsa";
1433
+ case "solana":
1434
+ return "exportable-ed25519";
1435
+ default:
1436
+ throw new Error(`No canonical algorithm for chain: ${chain}`);
1437
+ }
1438
+ }
1439
+ function parseDerivationPath(path) {
1440
+ if (!path || path === "m") return new Uint32Array([]);
1441
+ const rest = path.startsWith("m/") ? path.slice(2) : path;
1442
+ return new Uint32Array(rest.split("/").map((s) => Number(s)));
1443
+ }
1444
+
1461
1445
  // src/lib/wire-codec.ts
1462
1446
  var arrayLikeToBytes = (value) => {
1463
1447
  if (value instanceof Uint8Array) return value;
@@ -1492,12 +1476,6 @@ export {
1492
1476
  verifyIdToken,
1493
1477
  fromB64url,
1494
1478
  toB64url,
1495
- setAssertCacheTtlMs,
1496
- getAssertCacheTtlMs,
1497
- clearParentAssertCache,
1498
- readParentAssertCache,
1499
- writeParentAssertCache,
1500
- withClearOnFailure,
1501
1479
  generatePasskeyUserId,
1502
1480
  formatPasskeyLabel,
1503
1481
  resolvePasskeyMetadata,
@@ -1527,6 +1505,8 @@ export {
1527
1505
  serializeEthereumTransaction,
1528
1506
  broadcastEthereumRaw,
1529
1507
  broadcastSolanaSigned,
1508
+ canonicalAlgorithmFor,
1509
+ parseDerivationPath,
1530
1510
  arrayLikeToBytes,
1531
1511
  bs58ToBytes
1532
1512
  };
@@ -51,6 +51,20 @@ var PostMessageMethod = {
51
51
  // dispatcher boring.
52
52
  SIGN_HASH: "SIGN_HASH",
53
53
  SIGN_7702_AUTHORIZATION: "SIGN_7702_AUTHORIZATION",
54
+ // Provision a SES (Secure Ephemeral Signer) over one or more of the
55
+ // user's MPC wallets. Iframe verifies the Nitro attestation, decrypts
56
+ // the selected keyshares, HPKE-seals them to the verified enclave
57
+ // pubkey, and returns a freshly-generated Ed25519 signer keypair.
58
+ // MoonX never persists the private key — the parent must hand it to
59
+ // the user immediately.
60
+ PROVISION_EPHEMERAL_SIGNER: "PROVISION_EPHEMERAL_SIGNER",
61
+ // List the user's active provisioned ephemeral signers from the
62
+ // wallets backend. Read-only; doesn't touch SES or the enclave.
63
+ LIST_EPHEMERAL_SIGNERS: "LIST_EPHEMERAL_SIGNERS",
64
+ // Soft-revoke a previously-provisioned ephemeral signer. The wallets
65
+ // backend updates revoked_at locally and forwards the revoke to SES
66
+ // so the enclave drops the policy.
67
+ REVOKE_EPHEMERAL_SIGNER: "REVOKE_EPHEMERAL_SIGNER",
54
68
  VERIFY_EMAIL_OTP: "VERIFY_EMAIL_OTP",
55
69
  VERIFY_OAUTH: "VERIFY_OAUTH",
56
70
  START_OAUTH: "START_OAUTH",
package/dist/index.d.mts CHANGED
@@ -1,4 +1,3 @@
1
- export { AccessTokenClaims, AppConfigRequest, AppConfigResponse, AttachOAuthTokenRequest, AttachOAuthTokenResponse, AuthAppearance, AuthFlow, AuthFlowComponent, AuthLoginMethod, AuthProviderConfig, BaseGetBalanceParams, BaseGetBalanceResult, BaseGetTokenAccountsParams, BaseSendTransactionParams, BaseSendTransactionResult, BaseSignMessageParams, BaseSignMessageResult, BaseSignTransactionParams, BaseSignTransactionResult, BaseTokenClaims, BaseUIOptions, BaseWalletHooks, ContractUIOptions, CreateWalletResponse, DefaultFundingMethod, DeleteSessionRequest, DeleteSessionResponse, DetachOAuthTokenRequest, DeviceFingerprint, DisplayMode, EmailOtpConfig, EmailOtpFlowState, EthereumFundingConfig, EthereumGetBalanceParams, EthereumGetBalanceResult, EthereumGetTokenAccountsByOwnerParams, EthereumGetTokenAccountsByOwnerResult, EthereumSendTransactionParams, EthereumSendTransactionRequest, EthereumSendTransactionResult, EthereumSign7702AuthorizationParams, EthereumSign7702AuthorizationResult, EthereumSignHashParams, EthereumSignHashResult, EthereumSignMessageParams, EthereumSignMessageResult, EthereumSignTransactionParams, EthereumSignTransactionResult, EthereumSignTypedDataParams, EthereumSignTypedDataResult, EthereumSwitchChainParams, ExportKeyConfig, Factor, FlexibleTheme, FundWalletConfig, FundingEvents, FundingMethod, FundingUIConfig, GetCurrentSessionRequest, GetCurrentSessionResponse, Hex, IdentityTokenClaims, IdpProvider, IsAuthenticatedRequest, IsAuthenticatedResponse, LoginTokenBundle, LogoutRequest, LogoutResponse, MessageTypeProperty, MessageTypes, MoonKeyThemeConfig, MoonPaySignRequest, MoonPaySignResponse, MpcKeyShares, Network, OAuthRequest, OAuthResponse, OnrampFundingSettings, PasskeyEnrollConfig, PasskeySettings, PreferredCardProvider, PrefillConfig, PresenceTokenClaims, PublicEthereumWallet, PublicSessionData, PublicWallet, RefreshSessionRequest, RefreshSessionResponse, RetrieveWalletKeyRequest, RetrieveWalletKeyResponse, SdkSettings, SendEmailOtpRequest, SendEmailOtpResponse, SendTransactionConfig, SendTransactionRequest, SessionData, SharesDeviceRequest, SharesDeviceResponse, Sign7702AuthorizationError, Sign7702AuthorizationParams, Sign7702AuthorizationResponse, Sign7702AuthorizationResult, SignMessageConfig, SignTransactionConfig, SignTypedDataError, SignTypedDataParams, SignTypedDataResponse, SignTypedDataResult, SmsSettings, SolanaChain, SolanaFundingConfig, SolanaGetBalanceParams, SolanaGetBalanceResult, SolanaGetTokenAccountsByOwnerParams, SolanaGetTokenAccountsByOwnerResult, SolanaSendTransactionParams, SolanaSendTransactionResult, SolanaSignMessageParams, SolanaSignMessageResult, SolanaSignTransactionParams, SolanaSignTransactionResult, TransactionCommitment, TransactionEncoding, TransactionUIOptions, TypedMessage, UseFundWalletInterface, UsersMePublicResponse, UsersMeRequest, UsersMeResponse, VerifiedSession, VerifyEmailOtpRequest, VerifyEmailOtpResponse, VerifyEmailOtpUser, VerifyOAuthTokenRequest, VerifyOAuthTokenResponse, VerifySiweWalletRegistrationRequest, WALLET_ERROR_CODES, Wallet, WalletChain, WalletChainType, WalletConnectConfig, WalletCreationError, WalletError, WalletErrorCode, WalletKeyRequest, WalletListEntry, WalletRegistrationNonceRequest, WalletRegistrationNonceResponse, WalletType, WalletVerifyRequest } from './types/index.mjs';
1
+ export { AccessTokenClaims, AppConfigRequest, AppConfigResponse, AttachOAuthTokenRequest, AttachOAuthTokenResponse, AuthAppearance, AuthFlow, AuthFlowComponent, AuthLoginMethod, AuthProviderConfig, BaseGetBalanceParams, BaseGetBalanceResult, BaseGetTokenAccountsParams, BaseSendTransactionParams, BaseSendTransactionResult, BaseSignMessageParams, BaseSignMessageResult, BaseSignTransactionParams, BaseSignTransactionResult, BaseTokenClaims, BaseUIOptions, BaseWalletHooks, BlockExplorer, Chain, ChainLikeWithId, ContractUIOptions, CreateWalletResponse, DefaultFundingMethod, DeleteSessionRequest, DeleteSessionResponse, DetachOAuthTokenRequest, DeviceFingerprint, DisplayMode, EmailOtpConfig, EmailOtpFlowState, EphemeralSigner, EphemeralSignerChain, EphemeralSignerScheme, EphemeralSignerWallet, EthereumChainConfig, EthereumFundingConfig, EthereumGetBalanceParams, EthereumGetBalanceResult, EthereumGetTokenAccountsByOwnerParams, EthereumGetTokenAccountsByOwnerResult, EthereumSendTransactionParams, EthereumSendTransactionRequest, EthereumSendTransactionResult, EthereumSign7702AuthorizationParams, EthereumSign7702AuthorizationResult, EthereumSignHashParams, EthereumSignHashResult, EthereumSignMessageParams, EthereumSignMessageResult, EthereumSignTransactionParams, EthereumSignTransactionResult, EthereumSignTypedDataParams, EthereumSignTypedDataResult, EthereumSwitchChainParams, ExportKeyConfig, Factor, FlexibleTheme, FundWalletConfig, FundingEvents, FundingMethod, FundingUIConfig, GetCurrentSessionRequest, GetCurrentSessionResponse, Hex, IdentityTokenClaims, IdpProvider, IsAuthenticatedRequest, IsAuthenticatedResponse, ListEphemeralSignersResult, LoginTokenBundle, LogoutRequest, LogoutResponse, MessageTypeProperty, MessageTypes, MoonKeyThemeConfig, MoonPaySignRequest, MoonPaySignResponse, MpcKeyShares, NativeCurrency, Network, OAuthRequest, OAuthResponse, OnrampFundingSettings, PasskeyEnrollConfig, PasskeySettings, PreferredCardProvider, PrefillConfig, PresenceTokenClaims, ProvisionEphemeralSignerParams, ProvisionEphemeralSignerResult, PublicEthereumWallet, PublicSessionData, PublicWallet, RefreshSessionRequest, RefreshSessionResponse, RetrieveWalletKeyRequest, RetrieveWalletKeyResponse, RevokeEphemeralSignerParams, RpcConfig, RpcUrls, SdkSettings, SendEmailOtpRequest, SendEmailOtpResponse, SendTransactionConfig, SendTransactionRequest, SessionData, SharesDeviceRequest, SharesDeviceResponse, Sign7702AuthorizationError, Sign7702AuthorizationParams, Sign7702AuthorizationResponse, Sign7702AuthorizationResult, SignMessageConfig, SignTransactionConfig, SignTypedDataError, SignTypedDataParams, SignTypedDataResponse, SignTypedDataResult, SmsSettings, SolanaChain, SolanaFundingConfig, SolanaGetBalanceParams, SolanaGetBalanceResult, SolanaGetTokenAccountsByOwnerParams, SolanaGetTokenAccountsByOwnerResult, SolanaSendTransactionParams, SolanaSendTransactionResult, SolanaSignMessageParams, SolanaSignMessageResult, SolanaSignTransactionParams, SolanaSignTransactionResult, TransactionCommitment, TransactionEncoding, TransactionUIOptions, TypedMessage, UseFundWalletInterface, UsersMePublicResponse, UsersMeRequest, UsersMeResponse, VerifiedSession, VerifyEmailOtpRequest, VerifyEmailOtpResponse, VerifyEmailOtpUser, VerifyOAuthTokenRequest, VerifyOAuthTokenResponse, VerifySiweWalletRegistrationRequest, WALLET_ERROR_CODES, Wallet, WalletChain, WalletChainType, WalletConnectConfig, WalletCreationError, WalletError, WalletErrorCode, WalletKeyRequest, WalletListEntry, WalletRegistrationNonceRequest, WalletRegistrationNonceResponse, WalletType, WalletVerifyRequest } from './types/index.mjs';
2
2
  export { getIframeOrigin, getIframeUrl, getMoonKeyApiUrl } from './utils/index.mjs';
3
- export { F as FORWARDED_ERROR_FIELDS, P as PostMessageClient, a as PostMessageMethod, b as PostMessageServer, c as PostMessageType } from './post-message-CmgAfkOS.mjs';
4
- export { B as BlockExplorer, C as Chain, a as ChainLikeWithId, E as EthereumChainConfig, N as NativeCurrency, R as RpcConfig, b as RpcUrls } from './chain-C9dvKXUY.mjs';
3
+ export { F as FORWARDED_ERROR_FIELDS, P as PostMessageClient, a as PostMessageMethod, b as PostMessageServer, c as PostMessageType } from './post-message-Z6cLf0mS.mjs';
package/dist/index.d.ts CHANGED
@@ -1,4 +1,3 @@
1
- export { AccessTokenClaims, AppConfigRequest, AppConfigResponse, AttachOAuthTokenRequest, AttachOAuthTokenResponse, AuthAppearance, AuthFlow, AuthFlowComponent, AuthLoginMethod, AuthProviderConfig, BaseGetBalanceParams, BaseGetBalanceResult, BaseGetTokenAccountsParams, BaseSendTransactionParams, BaseSendTransactionResult, BaseSignMessageParams, BaseSignMessageResult, BaseSignTransactionParams, BaseSignTransactionResult, BaseTokenClaims, BaseUIOptions, BaseWalletHooks, ContractUIOptions, CreateWalletResponse, DefaultFundingMethod, DeleteSessionRequest, DeleteSessionResponse, DetachOAuthTokenRequest, DeviceFingerprint, DisplayMode, EmailOtpConfig, EmailOtpFlowState, EthereumFundingConfig, EthereumGetBalanceParams, EthereumGetBalanceResult, EthereumGetTokenAccountsByOwnerParams, EthereumGetTokenAccountsByOwnerResult, EthereumSendTransactionParams, EthereumSendTransactionRequest, EthereumSendTransactionResult, EthereumSign7702AuthorizationParams, EthereumSign7702AuthorizationResult, EthereumSignHashParams, EthereumSignHashResult, EthereumSignMessageParams, EthereumSignMessageResult, EthereumSignTransactionParams, EthereumSignTransactionResult, EthereumSignTypedDataParams, EthereumSignTypedDataResult, EthereumSwitchChainParams, ExportKeyConfig, Factor, FlexibleTheme, FundWalletConfig, FundingEvents, FundingMethod, FundingUIConfig, GetCurrentSessionRequest, GetCurrentSessionResponse, Hex, IdentityTokenClaims, IdpProvider, IsAuthenticatedRequest, IsAuthenticatedResponse, LoginTokenBundle, LogoutRequest, LogoutResponse, MessageTypeProperty, MessageTypes, MoonKeyThemeConfig, MoonPaySignRequest, MoonPaySignResponse, MpcKeyShares, Network, OAuthRequest, OAuthResponse, OnrampFundingSettings, PasskeyEnrollConfig, PasskeySettings, PreferredCardProvider, PrefillConfig, PresenceTokenClaims, PublicEthereumWallet, PublicSessionData, PublicWallet, RefreshSessionRequest, RefreshSessionResponse, RetrieveWalletKeyRequest, RetrieveWalletKeyResponse, SdkSettings, SendEmailOtpRequest, SendEmailOtpResponse, SendTransactionConfig, SendTransactionRequest, SessionData, SharesDeviceRequest, SharesDeviceResponse, Sign7702AuthorizationError, Sign7702AuthorizationParams, Sign7702AuthorizationResponse, Sign7702AuthorizationResult, SignMessageConfig, SignTransactionConfig, SignTypedDataError, SignTypedDataParams, SignTypedDataResponse, SignTypedDataResult, SmsSettings, SolanaChain, SolanaFundingConfig, SolanaGetBalanceParams, SolanaGetBalanceResult, SolanaGetTokenAccountsByOwnerParams, SolanaGetTokenAccountsByOwnerResult, SolanaSendTransactionParams, SolanaSendTransactionResult, SolanaSignMessageParams, SolanaSignMessageResult, SolanaSignTransactionParams, SolanaSignTransactionResult, TransactionCommitment, TransactionEncoding, TransactionUIOptions, TypedMessage, UseFundWalletInterface, UsersMePublicResponse, UsersMeRequest, UsersMeResponse, VerifiedSession, VerifyEmailOtpRequest, VerifyEmailOtpResponse, VerifyEmailOtpUser, VerifyOAuthTokenRequest, VerifyOAuthTokenResponse, VerifySiweWalletRegistrationRequest, WALLET_ERROR_CODES, Wallet, WalletChain, WalletChainType, WalletConnectConfig, WalletCreationError, WalletError, WalletErrorCode, WalletKeyRequest, WalletListEntry, WalletRegistrationNonceRequest, WalletRegistrationNonceResponse, WalletType, WalletVerifyRequest } from './types/index.js';
1
+ export { AccessTokenClaims, AppConfigRequest, AppConfigResponse, AttachOAuthTokenRequest, AttachOAuthTokenResponse, AuthAppearance, AuthFlow, AuthFlowComponent, AuthLoginMethod, AuthProviderConfig, BaseGetBalanceParams, BaseGetBalanceResult, BaseGetTokenAccountsParams, BaseSendTransactionParams, BaseSendTransactionResult, BaseSignMessageParams, BaseSignMessageResult, BaseSignTransactionParams, BaseSignTransactionResult, BaseTokenClaims, BaseUIOptions, BaseWalletHooks, BlockExplorer, Chain, ChainLikeWithId, ContractUIOptions, CreateWalletResponse, DefaultFundingMethod, DeleteSessionRequest, DeleteSessionResponse, DetachOAuthTokenRequest, DeviceFingerprint, DisplayMode, EmailOtpConfig, EmailOtpFlowState, EphemeralSigner, EphemeralSignerChain, EphemeralSignerScheme, EphemeralSignerWallet, EthereumChainConfig, EthereumFundingConfig, EthereumGetBalanceParams, EthereumGetBalanceResult, EthereumGetTokenAccountsByOwnerParams, EthereumGetTokenAccountsByOwnerResult, EthereumSendTransactionParams, EthereumSendTransactionRequest, EthereumSendTransactionResult, EthereumSign7702AuthorizationParams, EthereumSign7702AuthorizationResult, EthereumSignHashParams, EthereumSignHashResult, EthereumSignMessageParams, EthereumSignMessageResult, EthereumSignTransactionParams, EthereumSignTransactionResult, EthereumSignTypedDataParams, EthereumSignTypedDataResult, EthereumSwitchChainParams, ExportKeyConfig, Factor, FlexibleTheme, FundWalletConfig, FundingEvents, FundingMethod, FundingUIConfig, GetCurrentSessionRequest, GetCurrentSessionResponse, Hex, IdentityTokenClaims, IdpProvider, IsAuthenticatedRequest, IsAuthenticatedResponse, ListEphemeralSignersResult, LoginTokenBundle, LogoutRequest, LogoutResponse, MessageTypeProperty, MessageTypes, MoonKeyThemeConfig, MoonPaySignRequest, MoonPaySignResponse, MpcKeyShares, NativeCurrency, Network, OAuthRequest, OAuthResponse, OnrampFundingSettings, PasskeyEnrollConfig, PasskeySettings, PreferredCardProvider, PrefillConfig, PresenceTokenClaims, ProvisionEphemeralSignerParams, ProvisionEphemeralSignerResult, PublicEthereumWallet, PublicSessionData, PublicWallet, RefreshSessionRequest, RefreshSessionResponse, RetrieveWalletKeyRequest, RetrieveWalletKeyResponse, RevokeEphemeralSignerParams, RpcConfig, RpcUrls, SdkSettings, SendEmailOtpRequest, SendEmailOtpResponse, SendTransactionConfig, SendTransactionRequest, SessionData, SharesDeviceRequest, SharesDeviceResponse, Sign7702AuthorizationError, Sign7702AuthorizationParams, Sign7702AuthorizationResponse, Sign7702AuthorizationResult, SignMessageConfig, SignTransactionConfig, SignTypedDataError, SignTypedDataParams, SignTypedDataResponse, SignTypedDataResult, SmsSettings, SolanaChain, SolanaFundingConfig, SolanaGetBalanceParams, SolanaGetBalanceResult, SolanaGetTokenAccountsByOwnerParams, SolanaGetTokenAccountsByOwnerResult, SolanaSendTransactionParams, SolanaSendTransactionResult, SolanaSignMessageParams, SolanaSignMessageResult, SolanaSignTransactionParams, SolanaSignTransactionResult, TransactionCommitment, TransactionEncoding, TransactionUIOptions, TypedMessage, UseFundWalletInterface, UsersMePublicResponse, UsersMeRequest, UsersMeResponse, VerifiedSession, VerifyEmailOtpRequest, VerifyEmailOtpResponse, VerifyEmailOtpUser, VerifyOAuthTokenRequest, VerifyOAuthTokenResponse, VerifySiweWalletRegistrationRequest, WALLET_ERROR_CODES, Wallet, WalletChain, WalletChainType, WalletConnectConfig, WalletCreationError, WalletError, WalletErrorCode, WalletKeyRequest, WalletListEntry, WalletRegistrationNonceRequest, WalletRegistrationNonceResponse, WalletType, WalletVerifyRequest } from './types/index.js';
2
2
  export { getIframeOrigin, getIframeUrl, getMoonKeyApiUrl } from './utils/index.js';
3
- export { F as FORWARDED_ERROR_FIELDS, P as PostMessageClient, a as PostMessageMethod, b as PostMessageServer, c as PostMessageType } from './post-message-CmgAfkOS.js';
4
- export { B as BlockExplorer, C as Chain, a as ChainLikeWithId, E as EthereumChainConfig, N as NativeCurrency, R as RpcConfig, b as RpcUrls } from './chain-C9dvKXUY.js';
3
+ export { F as FORWARDED_ERROR_FIELDS, P as PostMessageClient, a as PostMessageMethod, b as PostMessageServer, c as PostMessageType } from './post-message-Z6cLf0mS.js';
package/dist/index.js CHANGED
@@ -177,6 +177,20 @@ var PostMessageMethod = {
177
177
  // dispatcher boring.
178
178
  SIGN_HASH: "SIGN_HASH",
179
179
  SIGN_7702_AUTHORIZATION: "SIGN_7702_AUTHORIZATION",
180
+ // Provision a SES (Secure Ephemeral Signer) over one or more of the
181
+ // user's MPC wallets. Iframe verifies the Nitro attestation, decrypts
182
+ // the selected keyshares, HPKE-seals them to the verified enclave
183
+ // pubkey, and returns a freshly-generated Ed25519 signer keypair.
184
+ // MoonX never persists the private key — the parent must hand it to
185
+ // the user immediately.
186
+ PROVISION_EPHEMERAL_SIGNER: "PROVISION_EPHEMERAL_SIGNER",
187
+ // List the user's active provisioned ephemeral signers from the
188
+ // wallets backend. Read-only; doesn't touch SES or the enclave.
189
+ LIST_EPHEMERAL_SIGNERS: "LIST_EPHEMERAL_SIGNERS",
190
+ // Soft-revoke a previously-provisioned ephemeral signer. The wallets
191
+ // backend updates revoked_at locally and forwards the revoke to SES
192
+ // so the enclave drops the policy.
193
+ REVOKE_EPHEMERAL_SIGNER: "REVOKE_EPHEMERAL_SIGNER",
180
194
  VERIFY_EMAIL_OTP: "VERIFY_EMAIL_OTP",
181
195
  VERIFY_OAUTH: "VERIFY_OAUTH",
182
196
  START_OAUTH: "START_OAUTH",
package/dist/index.mjs CHANGED
@@ -14,7 +14,7 @@ import {
14
14
  PostMessageMethod,
15
15
  PostMessageServer,
16
16
  PostMessageType
17
- } from "./chunk-VVL65GIB.mjs";
17
+ } from "./chunk-JU5MWLXH.mjs";
18
18
  import {
19
19
  getMoonKeyApiUrl
20
20
  } from "./chunk-GQKIA37O.mjs";
@@ -1,4 +1,4 @@
1
- import { c as PostMessageType, a as PostMessageMethod } from './post-message-CmgAfkOS.js';
1
+ import { c as PostMessageType, a as PostMessageMethod } from './post-message-Z6cLf0mS.js';
2
2
 
3
3
  /**
4
4
  * Transport — the bidirectional postMessage channel between the parent
@@ -87,6 +87,29 @@ interface PasskeyAssertor {
87
87
  assertForServer(opts: {
88
88
  optionsJSON: WebAuthnRequestOptions;
89
89
  }): Promise<WebAuthnAssertionResponse>;
90
+ /**
91
+ * Internal-use variant of assertForServer. Runs the same WebAuthn
92
+ * ceremony and returns the same sanitized assertion (userHandle
93
+ * stripped on the platform boundary), but ALSO surfaces the
94
+ * captured userHandle + credential id separately for the SDK
95
+ * orchestrator's downstream postMessage payload — the iframe needs
96
+ * the userHandle bytes to do AES-GCM unwrap of the DEK after the
97
+ * presence ceremony mints the scoped tokens.
98
+ *
99
+ * DEK hygiene boundary: the sanitized `response` field still has
100
+ * `response.userHandle === undefined`. The separate
101
+ * `userHandleB64url` field stays inside the orchestrator and is
102
+ * postMessaged to the iframe — never sent over the network to the
103
+ * presence-verify server call. The strip is enforced by the impl;
104
+ * the separate surfacing is opt-in via this method.
105
+ */
106
+ assertForInternalPresence(opts: {
107
+ optionsJSON: WebAuthnRequestOptions;
108
+ }): Promise<{
109
+ response: WebAuthnAssertionResponse;
110
+ userHandleB64url: string;
111
+ credentialIdB64url: string;
112
+ }>;
90
113
  }
91
114
  /**
92
115
  * Subset of `PublicKeyCredentialRequestOptionsJSON` we forward to the
@@ -1,4 +1,4 @@
1
- import { c as PostMessageType, a as PostMessageMethod } from './post-message-CmgAfkOS.mjs';
1
+ import { c as PostMessageType, a as PostMessageMethod } from './post-message-Z6cLf0mS.mjs';
2
2
 
3
3
  /**
4
4
  * Transport — the bidirectional postMessage channel between the parent
@@ -87,6 +87,29 @@ interface PasskeyAssertor {
87
87
  assertForServer(opts: {
88
88
  optionsJSON: WebAuthnRequestOptions;
89
89
  }): Promise<WebAuthnAssertionResponse>;
90
+ /**
91
+ * Internal-use variant of assertForServer. Runs the same WebAuthn
92
+ * ceremony and returns the same sanitized assertion (userHandle
93
+ * stripped on the platform boundary), but ALSO surfaces the
94
+ * captured userHandle + credential id separately for the SDK
95
+ * orchestrator's downstream postMessage payload — the iframe needs
96
+ * the userHandle bytes to do AES-GCM unwrap of the DEK after the
97
+ * presence ceremony mints the scoped tokens.
98
+ *
99
+ * DEK hygiene boundary: the sanitized `response` field still has
100
+ * `response.userHandle === undefined`. The separate
101
+ * `userHandleB64url` field stays inside the orchestrator and is
102
+ * postMessaged to the iframe — never sent over the network to the
103
+ * presence-verify server call. The strip is enforced by the impl;
104
+ * the separate surfacing is opt-in via this method.
105
+ */
106
+ assertForInternalPresence(opts: {
107
+ optionsJSON: WebAuthnRequestOptions;
108
+ }): Promise<{
109
+ response: WebAuthnAssertionResponse;
110
+ userHandleB64url: string;
111
+ credentialIdB64url: string;
112
+ }>;
90
113
  }
91
114
  /**
92
115
  * Subset of `PublicKeyCredentialRequestOptionsJSON` we forward to the
@@ -1,6 +1,6 @@
1
- export { C as CachedAssertion, c as clearParentAssertCache, g as generatePasskeyUserId, a as getAssertCacheTtlMs, r as readParentAssertCache, s as setAssertCacheTtlMs, w as withClearOnFailure, b as writeParentAssertCache } from '../passkey-cache-B9PT3AWX.mjs';
1
+ export { C as CachedAssertion, g as generatePasskeyUserId } from '../passkey-cache-WnDFQ-v4.mjs';
2
2
  export { a as PasskeyFormFactor, P as PasskeyMetadata, b as PasskeyMetadataInput, f as formatPasskeyLabel, r as resolvePasskeyMetadata } from '../passkey-metadata-QqFF2SWQ.mjs';
3
- import { C as Chain } from '../chain-C9dvKXUY.mjs';
3
+ import { Chain, WalletChain } from '../types/index.mjs';
4
4
  import { SiweMessage } from 'siwe';
5
5
  import { Connection, PublicKey } from '@solana/web3.js';
6
6
 
@@ -389,6 +389,36 @@ declare const serializeEthereumTransaction: (transaction: any) => Promise<string
389
389
  declare const broadcastEthereumRaw: (rpcUrl: string, signedSerialized: string) => Promise<string>;
390
390
  declare const broadcastSolanaSigned: (rpcUrl: string, signedBase58: string) => Promise<string>;
391
391
 
392
+ /**
393
+ * Canonical algorithm name written to `app_user_wallet_keyshares.algorithm`.
394
+ *
395
+ * Matches Sodot's Vertex API path segment exactly:
396
+ *
397
+ * ethereum → "ecdsa"
398
+ * solana → "exportable-ed25519"
399
+ *
400
+ * `Algorithm.name.toLowerCase()` from the Sodot SDK would give
401
+ * `"exportableed25519"` (no hyphen) for Solana, which doesn't match
402
+ * anything else in the stack and causes sign dispatch to fall through
403
+ * to the default error branch. Use this helper instead.
404
+ */
405
+ declare function canonicalAlgorithmFor(chain: WalletChain): string;
406
+ /**
407
+ * Parse the canonical SES wire form of a derivation path into the
408
+ * integer array the Sodot MPC client expects.
409
+ *
410
+ * "m" → [] (root — imports + all
411
+ * exportable-ed25519 wallets)
412
+ * "m/44/60/0/0/0" → [44, 60, 0, 0, 0]
413
+ * "" → [] (legacy fallback; same as "m")
414
+ *
415
+ * Stays byte-for-byte identical to the Go-side `ParseDerivationPath`
416
+ * in `apps/wallets/internal/service/wallet.go` — both halves of the
417
+ * MPC ceremony have to agree on the path or Sodot returns "End-to-end
418
+ * decryption failed" with no further hint as to which input mismatched.
419
+ */
420
+ declare function parseDerivationPath(path: string): Uint32Array;
421
+
392
422
  /**
393
423
  * Convert any wire representation of a byte array back into Uint8Array.
394
424
  * Pass-through for actual `Uint8Array` and regular `number[]`. Used
@@ -407,4 +437,4 @@ declare const arrayLikeToBytes: (value: unknown) => Uint8Array;
407
437
  */
408
438
  declare const bs58ToBytes: (value: unknown) => Promise<Uint8Array>;
409
439
 
410
- export { type BuildUrlConfig, DEFAULT_AUTH_URL, EthereumSiweMessage, type EthereumSiweMessageProps, type EvmTransactionInput, type EvmTxPrepWallet, type ManualSiweMessageProps, SiwsMessage, SolanaTransactionParser, type VerifyIdTokenResponse, arrayLikeToBytes, authState, broadcastEthereumRaw, broadcastSolanaSigned, bs58ToBytes, buildUrl, createManualSiweMessage, estimateEvmGas, estimateEvmGasReserve, fromB64url, getChainById, getDefaultChain, getEvmGasPrice, getEvmMaxPriorityFeePerGas, getEvmNonce, getInstructionsForHTML, getRpcUrl, getSOLTransfersFromInstructions, getTransferInfoFromInstructions, isChainSupported, prepareEvmSendTransaction, prepareEvmSignTransaction, resolveEvmChain, sanitizeUserData, serializeEthereumTransaction, setChainRpcUrl, toB64url, validateChainConfig, verifyIdToken };
440
+ export { type BuildUrlConfig, DEFAULT_AUTH_URL, EthereumSiweMessage, type EthereumSiweMessageProps, type EvmTransactionInput, type EvmTxPrepWallet, type ManualSiweMessageProps, SiwsMessage, SolanaTransactionParser, type VerifyIdTokenResponse, arrayLikeToBytes, authState, broadcastEthereumRaw, broadcastSolanaSigned, bs58ToBytes, buildUrl, canonicalAlgorithmFor, createManualSiweMessage, estimateEvmGas, estimateEvmGasReserve, fromB64url, getChainById, getDefaultChain, getEvmGasPrice, getEvmMaxPriorityFeePerGas, getEvmNonce, getInstructionsForHTML, getRpcUrl, getSOLTransfersFromInstructions, getTransferInfoFromInstructions, isChainSupported, parseDerivationPath, prepareEvmSendTransaction, prepareEvmSignTransaction, resolveEvmChain, sanitizeUserData, serializeEthereumTransaction, setChainRpcUrl, toB64url, validateChainConfig, verifyIdToken };
@@ -1,6 +1,6 @@
1
- export { C as CachedAssertion, c as clearParentAssertCache, g as generatePasskeyUserId, a as getAssertCacheTtlMs, r as readParentAssertCache, s as setAssertCacheTtlMs, w as withClearOnFailure, b as writeParentAssertCache } from '../passkey-cache-B9PT3AWX.js';
1
+ export { C as CachedAssertion, g as generatePasskeyUserId } from '../passkey-cache-WnDFQ-v4.js';
2
2
  export { a as PasskeyFormFactor, P as PasskeyMetadata, b as PasskeyMetadataInput, f as formatPasskeyLabel, r as resolvePasskeyMetadata } from '../passkey-metadata-QqFF2SWQ.js';
3
- import { C as Chain } from '../chain-C9dvKXUY.js';
3
+ import { Chain, WalletChain } from '../types/index.js';
4
4
  import { SiweMessage } from 'siwe';
5
5
  import { Connection, PublicKey } from '@solana/web3.js';
6
6
 
@@ -389,6 +389,36 @@ declare const serializeEthereumTransaction: (transaction: any) => Promise<string
389
389
  declare const broadcastEthereumRaw: (rpcUrl: string, signedSerialized: string) => Promise<string>;
390
390
  declare const broadcastSolanaSigned: (rpcUrl: string, signedBase58: string) => Promise<string>;
391
391
 
392
+ /**
393
+ * Canonical algorithm name written to `app_user_wallet_keyshares.algorithm`.
394
+ *
395
+ * Matches Sodot's Vertex API path segment exactly:
396
+ *
397
+ * ethereum → "ecdsa"
398
+ * solana → "exportable-ed25519"
399
+ *
400
+ * `Algorithm.name.toLowerCase()` from the Sodot SDK would give
401
+ * `"exportableed25519"` (no hyphen) for Solana, which doesn't match
402
+ * anything else in the stack and causes sign dispatch to fall through
403
+ * to the default error branch. Use this helper instead.
404
+ */
405
+ declare function canonicalAlgorithmFor(chain: WalletChain): string;
406
+ /**
407
+ * Parse the canonical SES wire form of a derivation path into the
408
+ * integer array the Sodot MPC client expects.
409
+ *
410
+ * "m" → [] (root — imports + all
411
+ * exportable-ed25519 wallets)
412
+ * "m/44/60/0/0/0" → [44, 60, 0, 0, 0]
413
+ * "" → [] (legacy fallback; same as "m")
414
+ *
415
+ * Stays byte-for-byte identical to the Go-side `ParseDerivationPath`
416
+ * in `apps/wallets/internal/service/wallet.go` — both halves of the
417
+ * MPC ceremony have to agree on the path or Sodot returns "End-to-end
418
+ * decryption failed" with no further hint as to which input mismatched.
419
+ */
420
+ declare function parseDerivationPath(path: string): Uint32Array;
421
+
392
422
  /**
393
423
  * Convert any wire representation of a byte array back into Uint8Array.
394
424
  * Pass-through for actual `Uint8Array` and regular `number[]`. Used
@@ -407,4 +437,4 @@ declare const arrayLikeToBytes: (value: unknown) => Uint8Array;
407
437
  */
408
438
  declare const bs58ToBytes: (value: unknown) => Promise<Uint8Array>;
409
439
 
410
- export { type BuildUrlConfig, DEFAULT_AUTH_URL, EthereumSiweMessage, type EthereumSiweMessageProps, type EvmTransactionInput, type EvmTxPrepWallet, type ManualSiweMessageProps, SiwsMessage, SolanaTransactionParser, type VerifyIdTokenResponse, arrayLikeToBytes, authState, broadcastEthereumRaw, broadcastSolanaSigned, bs58ToBytes, buildUrl, createManualSiweMessage, estimateEvmGas, estimateEvmGasReserve, fromB64url, getChainById, getDefaultChain, getEvmGasPrice, getEvmMaxPriorityFeePerGas, getEvmNonce, getInstructionsForHTML, getRpcUrl, getSOLTransfersFromInstructions, getTransferInfoFromInstructions, isChainSupported, prepareEvmSendTransaction, prepareEvmSignTransaction, resolveEvmChain, sanitizeUserData, serializeEthereumTransaction, setChainRpcUrl, toB64url, validateChainConfig, verifyIdToken };
440
+ export { type BuildUrlConfig, DEFAULT_AUTH_URL, EthereumSiweMessage, type EthereumSiweMessageProps, type EvmTransactionInput, type EvmTxPrepWallet, type ManualSiweMessageProps, SiwsMessage, SolanaTransactionParser, type VerifyIdTokenResponse, arrayLikeToBytes, authState, broadcastEthereumRaw, broadcastSolanaSigned, bs58ToBytes, buildUrl, canonicalAlgorithmFor, createManualSiweMessage, estimateEvmGas, estimateEvmGasReserve, fromB64url, getChainById, getDefaultChain, getEvmGasPrice, getEvmMaxPriorityFeePerGas, getEvmNonce, getInstructionsForHTML, getRpcUrl, getSOLTransfersFromInstructions, getTransferInfoFromInstructions, isChainSupported, parseDerivationPath, prepareEvmSendTransaction, prepareEvmSignTransaction, resolveEvmChain, sanitizeUserData, serializeEthereumTransaction, setChainRpcUrl, toB64url, validateChainConfig, verifyIdToken };
package/dist/lib/index.js CHANGED
@@ -40,14 +40,13 @@ __export(lib_exports, {
40
40
  broadcastSolanaSigned: () => broadcastSolanaSigned,
41
41
  bs58ToBytes: () => bs58ToBytes,
42
42
  buildUrl: () => buildUrl,
43
- clearParentAssertCache: () => clearParentAssertCache,
43
+ canonicalAlgorithmFor: () => canonicalAlgorithmFor,
44
44
  createManualSiweMessage: () => createManualSiweMessage,
45
45
  estimateEvmGas: () => estimateEvmGas,
46
46
  estimateEvmGasReserve: () => estimateEvmGasReserve,
47
47
  formatPasskeyLabel: () => formatPasskeyLabel,
48
48
  fromB64url: () => fromB64url,
49
49
  generatePasskeyUserId: () => generatePasskeyUserId,
50
- getAssertCacheTtlMs: () => getAssertCacheTtlMs,
51
50
  getChainById: () => getChainById,
52
51
  getDefaultChain: () => getDefaultChain,
53
52
  getEvmGasPrice: () => getEvmGasPrice,
@@ -58,20 +57,17 @@ __export(lib_exports, {
58
57
  getSOLTransfersFromInstructions: () => getSOLTransfersFromInstructions,
59
58
  getTransferInfoFromInstructions: () => getTransferInfoFromInstructions,
60
59
  isChainSupported: () => isChainSupported,
60
+ parseDerivationPath: () => parseDerivationPath,
61
61
  prepareEvmSendTransaction: () => prepareEvmSendTransaction,
62
62
  prepareEvmSignTransaction: () => prepareEvmSignTransaction,
63
- readParentAssertCache: () => readParentAssertCache,
64
63
  resolveEvmChain: () => resolveEvmChain,
65
64
  resolvePasskeyMetadata: () => resolvePasskeyMetadata,
66
65
  sanitizeUserData: () => sanitizeUserData,
67
66
  serializeEthereumTransaction: () => serializeEthereumTransaction,
68
- setAssertCacheTtlMs: () => setAssertCacheTtlMs,
69
67
  setChainRpcUrl: () => setChainRpcUrl,
70
68
  toB64url: () => toB64url,
71
69
  validateChainConfig: () => validateChainConfig,
72
- verifyIdToken: () => verifyIdToken,
73
- withClearOnFailure: () => withClearOnFailure,
74
- writeParentAssertCache: () => writeParentAssertCache
70
+ verifyIdToken: () => verifyIdToken
75
71
  });
76
72
  module.exports = __toCommonJS(lib_exports);
77
73
 
@@ -190,39 +186,6 @@ var toB64url = (bytes) => {
190
186
  };
191
187
 
192
188
  // src/lib/passkey/passkey-cache.ts
193
- var cacheTtlMs = 0;
194
- var cache = null;
195
- var setAssertCacheTtlMs = (ms) => {
196
- cacheTtlMs = Math.max(0, Math.floor(ms));
197
- if (cacheTtlMs === 0) {
198
- cache = null;
199
- }
200
- };
201
- var getAssertCacheTtlMs = () => cacheTtlMs;
202
- var clearParentAssertCache = () => {
203
- cache = null;
204
- };
205
- var readParentAssertCache = () => {
206
- if (cacheTtlMs <= 0) return null;
207
- if (!cache) return null;
208
- if (Date.now() - cache.ts >= cacheTtlMs) return null;
209
- return {
210
- userHandleB64url: cache.userHandleB64url,
211
- credentialIdB64url: cache.credentialIdB64url
212
- };
213
- };
214
- var writeParentAssertCache = (entry) => {
215
- if (cacheTtlMs <= 0) return;
216
- cache = { ...entry, ts: Date.now() };
217
- };
218
- var withClearOnFailure = async (fn) => {
219
- try {
220
- return await fn();
221
- } catch (error) {
222
- clearParentAssertCache();
223
- throw error;
224
- }
225
- };
226
189
  var generatePasskeyUserId = () => {
227
190
  const bytes = crypto.getRandomValues(new Uint8Array(32));
228
191
  return { userIdB64url: toB64url(bytes), userIdBytes: bytes };
@@ -1548,6 +1511,23 @@ var broadcastSolanaSigned = async (rpcUrl, signedBase58) => {
1548
1511
  return result.result;
1549
1512
  };
1550
1513
 
1514
+ // src/lib/wallet-algorithm.ts
1515
+ function canonicalAlgorithmFor(chain) {
1516
+ switch (chain) {
1517
+ case "ethereum":
1518
+ return "ecdsa";
1519
+ case "solana":
1520
+ return "exportable-ed25519";
1521
+ default:
1522
+ throw new Error(`No canonical algorithm for chain: ${chain}`);
1523
+ }
1524
+ }
1525
+ function parseDerivationPath(path) {
1526
+ if (!path || path === "m") return new Uint32Array([]);
1527
+ const rest = path.startsWith("m/") ? path.slice(2) : path;
1528
+ return new Uint32Array(rest.split("/").map((s) => Number(s)));
1529
+ }
1530
+
1551
1531
  // src/lib/wire-codec.ts
1552
1532
  var arrayLikeToBytes = (value) => {
1553
1533
  if (value instanceof Uint8Array) return value;
@@ -1587,14 +1567,13 @@ var bs58ToBytes = async (value) => {
1587
1567
  broadcastSolanaSigned,
1588
1568
  bs58ToBytes,
1589
1569
  buildUrl,
1590
- clearParentAssertCache,
1570
+ canonicalAlgorithmFor,
1591
1571
  createManualSiweMessage,
1592
1572
  estimateEvmGas,
1593
1573
  estimateEvmGasReserve,
1594
1574
  formatPasskeyLabel,
1595
1575
  fromB64url,
1596
1576
  generatePasskeyUserId,
1597
- getAssertCacheTtlMs,
1598
1577
  getChainById,
1599
1578
  getDefaultChain,
1600
1579
  getEvmGasPrice,
@@ -1605,18 +1584,15 @@ var bs58ToBytes = async (value) => {
1605
1584
  getSOLTransfersFromInstructions,
1606
1585
  getTransferInfoFromInstructions,
1607
1586
  isChainSupported,
1587
+ parseDerivationPath,
1608
1588
  prepareEvmSendTransaction,
1609
1589
  prepareEvmSignTransaction,
1610
- readParentAssertCache,
1611
1590
  resolveEvmChain,
1612
1591
  resolvePasskeyMetadata,
1613
1592
  sanitizeUserData,
1614
1593
  serializeEthereumTransaction,
1615
- setAssertCacheTtlMs,
1616
1594
  setChainRpcUrl,
1617
1595
  toB64url,
1618
1596
  validateChainConfig,
1619
- verifyIdToken,
1620
- withClearOnFailure,
1621
- writeParentAssertCache
1597
+ verifyIdToken
1622
1598
  });
@@ -9,14 +9,13 @@ import {
9
9
  broadcastSolanaSigned,
10
10
  bs58ToBytes,
11
11
  buildUrl,
12
- clearParentAssertCache,
12
+ canonicalAlgorithmFor,
13
13
  createManualSiweMessage,
14
14
  estimateEvmGas,
15
15
  estimateEvmGasReserve,
16
16
  formatPasskeyLabel,
17
17
  fromB64url,
18
18
  generatePasskeyUserId,
19
- getAssertCacheTtlMs,
20
19
  getChainById,
21
20
  getDefaultChain,
22
21
  getEvmGasPrice,
@@ -27,21 +26,18 @@ import {
27
26
  getSOLTransfersFromInstructions,
28
27
  getTransferInfoFromInstructions,
29
28
  isChainSupported,
29
+ parseDerivationPath,
30
30
  prepareEvmSendTransaction,
31
31
  prepareEvmSignTransaction,
32
- readParentAssertCache,
33
32
  resolveEvmChain,
34
33
  resolvePasskeyMetadata,
35
34
  sanitizeUserData,
36
35
  serializeEthereumTransaction,
37
- setAssertCacheTtlMs,
38
36
  setChainRpcUrl,
39
37
  toB64url,
40
38
  validateChainConfig,
41
- verifyIdToken,
42
- withClearOnFailure,
43
- writeParentAssertCache
44
- } from "../chunk-CDT4MC7S.mjs";
39
+ verifyIdToken
40
+ } from "../chunk-I56GRKAG.mjs";
45
41
  import "../chunk-GQKIA37O.mjs";
46
42
  export {
47
43
  DEFAULT_AUTH_URL,
@@ -54,14 +50,13 @@ export {
54
50
  broadcastSolanaSigned,
55
51
  bs58ToBytes,
56
52
  buildUrl,
57
- clearParentAssertCache,
53
+ canonicalAlgorithmFor,
58
54
  createManualSiweMessage,
59
55
  estimateEvmGas,
60
56
  estimateEvmGasReserve,
61
57
  formatPasskeyLabel,
62
58
  fromB64url,
63
59
  generatePasskeyUserId,
64
- getAssertCacheTtlMs,
65
60
  getChainById,
66
61
  getDefaultChain,
67
62
  getEvmGasPrice,
@@ -72,18 +67,15 @@ export {
72
67
  getSOLTransfersFromInstructions,
73
68
  getTransferInfoFromInstructions,
74
69
  isChainSupported,
70
+ parseDerivationPath,
75
71
  prepareEvmSendTransaction,
76
72
  prepareEvmSignTransaction,
77
- readParentAssertCache,
78
73
  resolveEvmChain,
79
74
  resolvePasskeyMetadata,
80
75
  sanitizeUserData,
81
76
  serializeEthereumTransaction,
82
- setAssertCacheTtlMs,
83
77
  setChainRpcUrl,
84
78
  toB64url,
85
79
  validateChainConfig,
86
- verifyIdToken,
87
- withClearOnFailure,
88
- writeParentAssertCache
80
+ verifyIdToken
89
81
  };
@@ -0,0 +1,26 @@
1
+ interface CachedAssertion {
2
+ userHandleB64url: string;
3
+ credentialIdB64url: string;
4
+ }
5
+ /**
6
+ * Generate fresh user.id bytes for a new WebAuthn credential. The
7
+ * caller overrides `options.user.id` with these bytes before
8
+ * navigator.credentials.create so the authenticator persists them as
9
+ * the credential's user.id; on every subsequent assertion they come
10
+ * back as response.userHandle and serve as the AES-GCM key for that
11
+ * credential's DEK wrap.
12
+ *
13
+ * Returns the bytes both as base64url (what the WebAuthn options
14
+ * accept and what we ship over postMessage) and as raw bytes (for
15
+ * any caller that prefers direct binary).
16
+ *
17
+ * Requires a working `crypto.getRandomValues`. On RN this is provided
18
+ * by the `react-native-get-random-values` polyfill that the SDK's
19
+ * docs ask consumers to import at app entry.
20
+ */
21
+ declare const generatePasskeyUserId: () => {
22
+ userIdB64url: string;
23
+ userIdBytes: Uint8Array;
24
+ };
25
+
26
+ export { type CachedAssertion as C, generatePasskeyUserId as g };
@@ -0,0 +1,26 @@
1
+ interface CachedAssertion {
2
+ userHandleB64url: string;
3
+ credentialIdB64url: string;
4
+ }
5
+ /**
6
+ * Generate fresh user.id bytes for a new WebAuthn credential. The
7
+ * caller overrides `options.user.id` with these bytes before
8
+ * navigator.credentials.create so the authenticator persists them as
9
+ * the credential's user.id; on every subsequent assertion they come
10
+ * back as response.userHandle and serve as the AES-GCM key for that
11
+ * credential's DEK wrap.
12
+ *
13
+ * Returns the bytes both as base64url (what the WebAuthn options
14
+ * accept and what we ship over postMessage) and as raw bytes (for
15
+ * any caller that prefers direct binary).
16
+ *
17
+ * Requires a working `crypto.getRandomValues`. On RN this is provided
18
+ * by the `react-native-get-random-values` polyfill that the SDK's
19
+ * docs ask consumers to import at app entry.
20
+ */
21
+ declare const generatePasskeyUserId: () => {
22
+ userIdB64url: string;
23
+ userIdBytes: Uint8Array;
24
+ };
25
+
26
+ export { type CachedAssertion as C, generatePasskeyUserId as g };
@@ -31,6 +31,9 @@ declare const PostMessageMethod: {
31
31
  readonly SIGN_TYPED_DATA: "SIGN_TYPED_DATA";
32
32
  readonly SIGN_HASH: "SIGN_HASH";
33
33
  readonly SIGN_7702_AUTHORIZATION: "SIGN_7702_AUTHORIZATION";
34
+ readonly PROVISION_EPHEMERAL_SIGNER: "PROVISION_EPHEMERAL_SIGNER";
35
+ readonly LIST_EPHEMERAL_SIGNERS: "LIST_EPHEMERAL_SIGNERS";
36
+ readonly REVOKE_EPHEMERAL_SIGNER: "REVOKE_EPHEMERAL_SIGNER";
34
37
  readonly VERIFY_EMAIL_OTP: "VERIFY_EMAIL_OTP";
35
38
  readonly VERIFY_OAUTH: "VERIFY_OAUTH";
36
39
  readonly START_OAUTH: "START_OAUTH";