@pooflabs/web 0.0.61 → 0.0.63

package/dist/auth/providers/transaction-utils.d.ts

@@ -0,0 +1,10 @@
+import { Connection } from '@solana/web3.js';
+/**
+ * Extracts a human-readable error message from Solana transaction logs.
+ */
+export declare function extractTransactionError(err: any, logMessages?: string[] | null): string;
+/**
+ * Polls getSignatureStatuses until the transaction is confirmed, then checks for errors.
+ * Throws if the transaction failed on-chain. Returns parsed transaction info on success.
+ */
+export declare function confirmAndCheckTransaction(connection: Connection, signature: string): Promise<any>;

package/dist/{index-BcHdE9FZ.esm.js → index-AjAeq_x4.esm.js}

@@ -6536,10 +6536,14 @@ class WebSessionManager {
                     const newObj = JSON.parse(newSession);
                     return { address: newObj.address, session: newObj };
                 }
+                // Refresh failed — clear stale session to prevent retry loops
+                this.clearSession();
                 return null;
             }
         }
         catch (err) {
+            // Token decode or refresh failed — clear stale session to prevent retry loops
+            this.clearSession();
             return null;
         }
         return { address: sessionObj.address, session: sessionObj };
@@ -9463,15 +9467,30 @@ class ServerSessionManager {
     constructor() {
         /* Private cache (lives for the life of the process) */
         this.session = null;
+        /* Coalesce concurrent getSession() calls into a single in-flight request */
+        this.pendingSession = null;
     }
     /* ---------------------------------------------- *
      * GET (lazy-fetch)
      * ---------------------------------------------- */
     async getSession() {
-        if (this.session === null) {
-            this.session = await createSession();
-        }
-        return this.session;
+        if (this.session !== null) {
+            return this.session;
+        }
+        // If a session creation is already in-flight, reuse that promise
+        // instead of firing a second concurrent request.
+        if (this.pendingSession !== null) {
+            return this.pendingSession;
+        }
+        this.pendingSession = createSession()
+            .then((session) => {
+            this.session = session;
+            return session;
+        })
+            .finally(() => {
+            this.pendingSession = null;
+        });
+        return this.pendingSession;
     }
     /* ---------------------------------------------- *
      * STORE  (overwrites the cached value)
@@ -9484,6 +9503,7 @@ class ServerSessionManager {
      * ---------------------------------------------- */
     clearSession() {
         this.session = null;
+        this.pendingSession = null;
     }
     /* ---------------------------------------------- *
      * QUICK helpers
@@ -9786,6 +9806,150 @@ function hashForKey$1(value) {
     }
     return h.toString(36);
 }
+/**
+ * Validates that a field name is a safe identifier (alphanumeric, underscores, dots for nested paths).
+ * Prevents prompt injection via crafted field names.
+ */
+function validateFieldName(field) {
+    if (!/^[a-zA-Z0-9_.]+$/.test(field)) {
+        throw new Error(`Invalid field name "${field}". Field names must only contain letters, numbers, underscores, and dots.`);
+    }
+}
+/**
+ * Parses a raw aggregation result (e.g. [{ count: 42 }] or [{ _id: null, total: 100 }])
+ * into a single numeric value.
+ */
+function parseAggregateValue(result) {
+    if (typeof result === 'number')
+        return result;
+    if (Array.isArray(result)) {
+        if (result.length === 0)
+            return 0;
+        // Multiple elements — not a collapsed aggregate result
+        if (result.length > 1) {
+            throw new Error(`Unexpected aggregate result: got array with ${result.length} elements. The AI may have returned full documents instead of an aggregation.`);
+        }
+        const first = result[0];
+        if (typeof first === 'number')
+            return first;
+        if (first && typeof first === 'object') {
+            // $count stage returns { count: N }
+            if (typeof first.count === 'number')
+                return first.count;
+            // $group stage returns { _id: null, result: N } — expect _id + one numeric field
+            const numericEntries = Object.entries(first).filter(([key, val]) => key !== '_id' && typeof val === 'number');
+            if (numericEntries.length === 1)
+                return numericEntries[0][1];
+        }
+        // Avoid leaking document contents into error messages
+        const shape = first && typeof first === 'object' ? `{${Object.keys(first).join(', ')}}` : String(first);
+        throw new Error(`Unexpected aggregate result shape: ${shape}. Expected {count: N} or {_id: null, <field>: N}.`);
+    }
+    if (result && typeof result === 'object' && typeof result.count === 'number') {
+        return result.count;
+    }
+    throw new Error(`Unexpected aggregate result type: ${typeof result}. Expected a number, array, or object with a count field.`);
+}
+/**
+ * Count items in a collection path. Returns a numeric result.
+ *
+ * This uses the AI query engine with a count-specific prompt prefix,
+ * so TaroBase will generate a $count aggregation pipeline and return
+ * just the count rather than full documents.
+ *
+ * IMPORTANT: This only works for collections where the read policy is "true".
+ * If the read policy requires per-document checks, the server will return
+ * an error because aggregate counts cannot be performed without pulling all
+ * documents for access control evaluation.
+ *
+ * @param path - Collection path (e.g., "posts", "users/abc/comments")
+ * @param opts - Optional filter prompt and overrides
+ * @returns AggregateResult with the count value
+ */
+async function count(path, opts = {}) {
+    const prefix = 'Return ONLY the total count of matching documents. Use the $count stage to produce a field named "count". Do NOT return the documents themselves.';
+    const fullPrompt = opts.prompt
+        ? `${prefix} Filter: ${opts.prompt}`
+        : prefix;
+    const result = await get$2(path, { prompt: fullPrompt, bypassCache: true, _overrides: opts._overrides });
+    return { value: parseAggregateValue(result) };
+}
+/**
+ * Run an aggregate operation on a collection path. Returns a numeric result.
+ *
+ * Supported operations:
+ * - count: Total number of documents
+ * - uniqueCount: Number of distinct values for a field
+ * - sum: Sum of a numeric field
+ * - avg: Average of a numeric field
+ * - min: Minimum value of a numeric field
+ * - max: Maximum value of a numeric field
+ *
+ * IMPORTANT: This only works for collections where the read policy is "true".
+ * If the read policy requires per-document checks, the server will return
+ * an error because aggregate operations cannot be performed without pulling
+ * all documents for access control evaluation.
+ *
+ * @param path - Collection path (e.g., "posts", "users/abc/comments")
+ * @param operation - The aggregate operation to perform
+ * @param opts - Options including optional filter prompt and field name
+ * @returns AggregateResult with the computed numeric value
+ */
+async function aggregate(path, operation, opts = {}) {
+    let prefix;
+    switch (operation) {
+        case 'count':
+            prefix = 'Return ONLY the total count of matching documents. Use the $count stage to produce a field named "count". Do NOT return the documents themselves.';
+            break;
+        case 'uniqueCount':
+            if (!opts.field)
+                throw new Error('aggregate "uniqueCount" requires a field option');
+            validateFieldName(opts.field);
+            prefix = `Return ONLY the count of unique/distinct values of the "${opts.field}" field. Use $group with _id set to "$${opts.field}" then $count to produce a field named "count". Do NOT return the documents themselves.`;
+            break;
+        case 'sum':
+            if (!opts.field)
+                throw new Error('aggregate "sum" requires a field option');
+            validateFieldName(opts.field);
+            prefix = `Return ONLY the sum of the "${opts.field}" field across all matching documents. Use $group with _id: null and result: { $sum: "$${opts.field}" }. Do NOT return the documents themselves.`;
+            break;
+        case 'avg':
+            if (!opts.field)
+                throw new Error('aggregate "avg" requires a field option');
+            validateFieldName(opts.field);
+            prefix = `Return ONLY the average of the "${opts.field}" field across all matching documents. Use $group with _id: null and result: { $avg: "$${opts.field}" }. Do NOT return the documents themselves.`;
+            break;
+        case 'min':
+            if (!opts.field)
+                throw new Error('aggregate "min" requires a field option');
+            validateFieldName(opts.field);
+            prefix = `Return ONLY the minimum value of the "${opts.field}" field across all matching documents. Use $group with _id: null and result: { $min: "$${opts.field}" }. Do NOT return the documents themselves.`;
+            break;
+        case 'max':
+            if (!opts.field)
+                throw new Error('aggregate "max" requires a field option');
+            validateFieldName(opts.field);
+            prefix = `Return ONLY the maximum value of the "${opts.field}" field across all matching documents. Use $group with _id: null and result: { $max: "$${opts.field}" }. Do NOT return the documents themselves.`;
+            break;
+        default:
+            throw new Error(`Unsupported aggregate operation: ${operation}`);
+    }
+    const fullPrompt = opts.prompt
+        ? `${prefix} Filter: ${opts.prompt}`
+        : prefix;
+    const result = await get$2(path, { prompt: fullPrompt, bypassCache: true, _overrides: opts._overrides });
+    // For uniqueCount, the AI may return $group results without the final $count
+    // stage, producing [{_id: "val1"}, {_id: "val2"}, ...]. Verify elements look
+    // like $group output (only _id key) before using array length as the count.
+    if (operation === 'uniqueCount' && Array.isArray(result) && result.length > 1) {
+        const looksLikeGroupOutput = result.every((el) => el && typeof el === 'object' && Object.keys(el).length === 1 && '_id' in el);
+        if (looksLikeGroupOutput) {
+            return { value: result.length };
+        }
+        throw new Error(`Unexpected uniqueCount result: got ${result.length} elements that don't match $group output shape.`);
+    }
+    return { value: parseAggregateValue(result) };
+}
 async function get$2(path, opts = {}) {
     try {
         let normalizedPath = path.startsWith("/") ? path.slice(1) : path;
@@ -10252,7 +10416,7 @@ const BASE_MIN_RECONNECT_DELAY_MS = 1000;
 const MIN_RECONNECT_DELAY_JITTER_MS = 1000;
 const MAX_RECONNECT_DELAY_MS = 300000;
 const RECONNECT_DELAY_GROW_FACTOR = 1.8;
-const MIN_BROWSER_RECONNECT_INTERVAL_MS = 30000;
+const MIN_BROWSER_RECONNECT_INTERVAL_MS = 5000;
 const WS_CONFIG = {
     // Keep retrying indefinitely so long outages recover without page refresh.
     maxRetries: Infinity,
@@ -10417,6 +10581,8 @@ async function getOrCreateConnection(appId, isServer) {
         isConnected: false,
         appId,
         tokenRefreshTimer: null,
+        lastMessageAt: Date.now(),
+        keepaliveTimer: null,
     };
     connections.set(appId, connection);
     // URL provider for reconnection with fresh tokens
@@ -10453,6 +10619,7 @@ async function getOrCreateConnection(appId, isServer) {
     ws.addEventListener('open', () => {
         connection.isConnecting = false;
         connection.isConnected = true;
+        connection.lastMessageAt = Date.now();
         // Schedule token refresh before expiry
         (async () => {
             const token = await getIdToken$1(isServer);
@@ -10460,11 +10627,28 @@ async function getOrCreateConnection(appId, isServer) {
         })();
         // Re-subscribe to all existing subscriptions after reconnect
         for (const sub of connection.subscriptions.values()) {
+            sub.lastData = undefined;
             sendSubscribe(connection, sub);
         }
+        // Start keepalive detection — if no messages for 90s, force reconnect
+        if (connection.keepaliveTimer) {
+            clearInterval(connection.keepaliveTimer);
+        }
+        connection.keepaliveTimer = setInterval(() => {
+            var _a;
+            if (Date.now() - connection.lastMessageAt > 90000) {
+                console.warn('[WS v2] No messages received for 90s, forcing reconnect');
+                if (connection.keepaliveTimer) {
+                    clearInterval(connection.keepaliveTimer);
+                    connection.keepaliveTimer = null;
+                }
+                (_a = connection.ws) === null || _a === void 0 ? void 0 : _a.reconnect();
+            }
+        }, 30000);
     });
     // Handle incoming messages
     ws.addEventListener('message', (event) => {
+        connection.lastMessageAt = Date.now();
         try {
             const message = JSON.parse(event.data);
             handleServerMessage(connection, message);
@@ -10476,20 +10660,22 @@ async function getOrCreateConnection(appId, isServer) {
     // Handle errors
     ws.addEventListener('error', (event) => {
         console.error('[WS v2] WebSocket error:', event);
-        // Reject all pending subscriptions
-        for (const [id, pending] of connection.pendingSubscriptions) {
+        for (const [, pending] of connection.pendingSubscriptions) {
             pending.reject(new Error('WebSocket error'));
-            connection.pendingSubscriptions.delete(id);
         }
+        connection.pendingSubscriptions.clear();
     });
     // Handle close
     ws.addEventListener('close', () => {
         connection.isConnected = false;
-        // Clear token refresh timer
         if (connection.tokenRefreshTimer) {
             clearTimeout(connection.tokenRefreshTimer);
             connection.tokenRefreshTimer = null;
         }
+        if (connection.keepaliveTimer) {
+            clearInterval(connection.keepaliveTimer);
+            connection.keepaliveTimer = null;
+        }
     });
     return connection;
 }
@@ -10689,9 +10875,7 @@ async function subscribeV2(path, subscriptionOptions) {
             await subscriptionPromise;
         }
         catch (error) {
-            // Remove subscription on error
-            connection.subscriptions.delete(subscriptionId);
-            throw error;
+            console.warn('[WS v2] Subscription confirmation failed, keeping for reconnect recovery:', error);
         }
     }
     // Return unsubscribe function
@@ -10807,8 +10991,6 @@ async function reconnectWithNewAuthV2() {
         if (!connection.ws) {
             continue;
         }
-        // Reject any pending subscriptions - they'll need to be retried after reconnect
-        // This prevents hanging promises during auth transitions
         for (const [, pending] of connection.pendingSubscriptions) {
             pending.reject(new Error('Connection reconnecting due to auth change'));
         }
@@ -13271,6 +13453,54 @@ function requireBuffer () {
 
 var bufferExports = requireBuffer();
 
+/**
+ * Extracts a human-readable error message from Solana transaction logs.
+ */
+function extractTransactionError(err, logMessages) {
+    if (logMessages) {
+        return JSON.stringify(logMessages);
+    }
+    if (err) {
+        try {
+            return JSON.stringify(err);
+        }
+        catch (_a) {
+            return String(err);
+        }
+    }
+    return 'Unknown transaction error';
+}
+/**
+ * Polls getSignatureStatuses until the transaction is confirmed, then checks for errors.
+ * Throws if the transaction failed on-chain. Returns parsed transaction info on success.
+ */
+async function confirmAndCheckTransaction(connection, signature) {
+    var _a;
+    const maxAttempts = 15;
+    for (let i = 0; i < maxAttempts; i++) {
+        const { value } = await connection.getSignatureStatuses([signature]);
+        const status = value[0];
+        if (status) {
+            if (status.err) {
+                const txInfo = await connection.getParsedTransaction(signature, {
+                    maxSupportedTransactionVersion: 0,
+                    commitment: 'confirmed'
+                });
+                const errorMessage = extractTransactionError(status.err, (_a = txInfo === null || txInfo === void 0 ? void 0 : txInfo.meta) === null || _a === void 0 ? void 0 : _a.logMessages);
+                throw new Error(`Transaction failed: ${errorMessage}`);
+            }
+            if (status.confirmationStatus === 'confirmed' || status.confirmationStatus === 'finalized') {
+                return await connection.getParsedTransaction(signature, {
+                    maxSupportedTransactionVersion: 0,
+                    commitment: 'confirmed'
+                });
+            }
+        }
+        await new Promise(resolve => setTimeout(resolve, 1000));
+    }
+    throw new Error('Transaction confirmation timeout');
+}
+
 const VALID_PROVIDERS = ['injected', 'google', 'apple', 'deeplink', 'phantom'];
 // Dynamically import React and Phantom SDK - only when needed
 let React$1;
@@ -13292,7 +13522,7 @@ async function loadDependencies() {
         const [reactModule, reactDomModule, phantomModule] = await Promise.all([
             import('react'),
             import('react-dom/client'),
-            import('./index-Dphggtap.esm.js')
+            import('./index-Dcrdb8rn.esm.js')
         ]);
         // Extract default export from ESM module namespace
         // Dynamic import() returns { default: Module, ...exports }, not the module directly
@@ -14127,10 +14357,7 @@ class PhantomWalletProvider {
                 };
             }
             const signature = await this.signAndSendViaPhantom(tx);
-            const txInfo = await connection.getParsedTransaction(signature, {
-                maxSupportedTransactionVersion: 0,
-                commitment: 'confirmed'
-            });
+            const txInfo = await confirmAndCheckTransaction(connection, signature);
             return {
                 transactionSignature: signature,
                 blockNumber: (txInfo === null || txInfo === void 0 ? void 0 : txInfo.slot) || 0,
@@ -14316,7 +14543,9 @@ class PhantomWalletProvider {
                 const { signature } = await this.submitSignedTransactionWithBlockhash(signedTx, connection, blockhash, lastValidBlockHeight);
                 return signature;
             }
-            return await this.signAndSendViaPhantom(transaction);
+            const signature = await this.signAndSendViaPhantom(transaction);
+            await confirmAndCheckTransaction(connection, signature);
+            return signature;
         }
         catch (error) {
             // Check if this is a connection error - if so, log out
@@ -32982,7 +33211,7 @@ class PrivyWalletProvider {
         await this.privyMethods.logout();
     }
     async runTransaction(_evmTransactionData, solTransactionData, options) {
-        var _a;
+        var _a, _b;
         await this.ensureReady({ waitForWallets: true });
         let session = await WebSessionManager.getSession();
         let sessionAddress = session === null || session === void 0 ? void 0 : session.address;
@@ -33064,12 +33293,12 @@ class PrivyWalletProvider {
                 };
             }
             // Sign and submit using shared helper
-            const txSignature = await this.signAndSubmitInternal(tx, privyWallet, rpcUrl);
+            const { signature, txInfo } = await this.signAndSubmitInternal(tx, privyWallet, rpcUrl, connection);
             return {
-                transactionSignature: txSignature,
-                blockNumber: 0,
-                gasUsed: "0",
-                data: ""
+                transactionSignature: signature,
+                blockNumber: (txInfo === null || txInfo === void 0 ? void 0 : txInfo.slot) || 0,
+                gasUsed: ((_b = txInfo === null || txInfo === void 0 ? void 0 : txInfo.meta) === null || _b === void 0 ? void 0 : _b.fee.toString()) || '0',
+                data: txInfo === null || txInfo === void 0 ? void 0 : txInfo.meta,
             };
         }
         catch (err) {
@@ -33215,7 +33444,8 @@ class PrivyWalletProvider {
             // and cannot be modified after creation
         }
         // Use shared sign and submit logic
-        return this.signAndSubmitInternal(transaction, privyWallet, rpcUrl);
+        const { signature } = await this.signAndSubmitInternal(transaction, privyWallet, rpcUrl, connection);
+        return signature;
     }
     // ============ Private Helpers ============
     getRpcUrl(network) {
@@ -33299,15 +33529,14 @@ class PrivyWalletProvider {
      * For Surfnet: sign with signTransactionRaw, then sendRawTransaction
      * For non-Surfnet: use Privy's signAndSendTransaction (combined operation)
      */
-    async signAndSubmitInternal(transaction, privyWallet, rpcUrl) {
+    async signAndSubmitInternal(transaction, privyWallet, rpcUrl, connection) {
         var _a;
         const isSurfnet = rpcUrl === SURFNET_RPC_URL$1;
+        let signature;
         if (isSurfnet) {
             // For Surfnet: sign with signTransactionRaw, then sendRawTransaction
             const signedTx = await this.signTransactionRaw(transaction, privyWallet);
-            const connection = new Connection(rpcUrl, 'confirmed');
-            const signature = await connection.sendRawTransaction(signedTx);
-            return signature;
+            signature = await connection.sendRawTransaction(signedTx);
         }
         else {
             // For non-Surfnet: use Privy's combined signAndSendTransaction
@@ -33327,13 +33556,16 @@ class PrivyWalletProvider {
                 chain: this.chainId
             }));
             // Handle case where signature might be bytes instead of string
-            let signature = result.signature;
-            if (signature instanceof Uint8Array || Array.isArray(signature)) {
-                // Convert bytes to base58
-                signature = bs58.encode(signature instanceof Uint8Array ? signature : new Uint8Array(signature));
+            const rawSig = result.signature;
+            if (rawSig instanceof Uint8Array || Array.isArray(rawSig)) {
+                signature = bs58.encode(rawSig instanceof Uint8Array ? rawSig : new Uint8Array(rawSig));
+            }
+            else {
+                signature = rawSig;
             }
-            return signature;
         }
+        const txInfo = await confirmAndCheckTransaction(connection, signature);
+        return { signature, txInfo };
     }
     async signMessage(message) {
         var _a, _b;
@@ -34593,5 +34825,5 @@ async function getIdToken() {
     return getIdToken$1(false);
 }
 
-export { PrivyWalletProvider as A, buildSetDocumentsTransaction as B, clearCache as C, DEFAULT_TEST_ADDRESS as D, closeAllSubscriptions as E, convertRemainingAccounts as F, createSessionWithPrivy as G, createSessionWithSignature as H, genAuthNonce as I, genSolanaMessage as J, getCachedData as K, reconnectWithNewAuth as L, MockAuthProvider as M, refreshSession as N, OffchainAuthProvider as O, PhantomWalletProvider as P, signSessionCreateMessage as Q, ServerSessionManager as S, WebSessionManager as W, getCurrentUser as a, bufferExports as b, onAuthLoadingChanged as c, getAuthLoading as d, logout as e, getConfig as f, getDefaultExportFromCjs$1 as g, getAuthProvider as h, init as i, get$2 as j, setMany as k, login as l, setFile as m, getFiles as n, onAuthStateChanged as o, runQueryMany as p, runExpression as q, runQuery as r, set$1 as s, runExpressionMany as t, signMessage as u, signTransaction as v, signAndSubmitTransaction as w, subscribe as x, useAuth as y, getIdToken as z };
-//# sourceMappingURL=index-BcHdE9FZ.esm.js.map
+export { useAuth as A, getIdToken as B, PrivyWalletProvider as C, DEFAULT_TEST_ADDRESS as D, buildSetDocumentsTransaction as E, clearCache as F, closeAllSubscriptions as G, convertRemainingAccounts as H, createSessionWithPrivy as I, createSessionWithSignature as J, genAuthNonce as K, genSolanaMessage as L, MockAuthProvider as M, getCachedData as N, OffchainAuthProvider as O, PhantomWalletProvider as P, reconnectWithNewAuth as Q, refreshSession as R, ServerSessionManager as S, signSessionCreateMessage as T, WebSessionManager as W, getCurrentUser as a, bufferExports as b, onAuthLoadingChanged as c, getAuthLoading as d, logout as e, getConfig as f, getDefaultExportFromCjs$1 as g, getAuthProvider as h, init as i, get$2 as j, setMany as k, login as l, setFile as m, getFiles as n, onAuthStateChanged as o, runQueryMany as p, runExpression as q, runQuery as r, set$1 as s, runExpressionMany as t, signMessage as u, signTransaction as v, signAndSubmitTransaction as w, count as x, aggregate as y, subscribe as z };
+//# sourceMappingURL=index-AjAeq_x4.esm.js.map