@pooflabs/web 0.0.62 → 0.0.64

package/dist/auth/providers/privy-wallet-provider.d.ts

@@ -70,5 +70,11 @@ export declare class PrivyWalletProvider implements AuthProvider {
     signMessage(message: string): Promise<string>;
     restoreSession(): Promise<User | null>;
     private createSession;
+    /**
+     * Waits for a wallet matching the session address to appear in the wallets array.
+     * This handles the timing gap where Privy's embedded wallet (created for email login users)
+     * may not yet be in the useWallets() array when signTransaction is called immediately after login.
+     */
+    private waitForMatchingWallet;
     private ensureReady;
 }

package/dist/{index-BCpgjKea.js → index-9kQbe-Gv.js}

@@ -6541,10 +6541,14 @@ class WebSessionManager {
                     const newObj = JSON.parse(newSession);
                     return { address: newObj.address, session: newObj };
                 }
+                // Refresh failed — clear stale session to prevent retry loops
+                this.clearSession();
                 return null;
             }
         }
         catch (err) {
+            // Token decode or refresh failed — clear stale session to prevent retry loops
+            this.clearSession();
             return null;
         }
         return { address: sessionObj.address, session: sessionObj };
@@ -9468,15 +9472,30 @@ class ServerSessionManager {
     constructor() {
         /* Private cache (lives for the life of the process) */
         this.session = null;
+        /* Coalesce concurrent getSession() calls into a single in-flight request */
+        this.pendingSession = null;
     }
     /* ---------------------------------------------- *
      * GET (lazy-fetch)
      * ---------------------------------------------- */
     async getSession() {
-        if (this.session === null) {
-            this.session = await createSession();
-        }
-        return this.session;
+        if (this.session !== null) {
+            return this.session;
+        }
+        // If a session creation is already in-flight, reuse that promise
+        // instead of firing a second concurrent request.
+        if (this.pendingSession !== null) {
+            return this.pendingSession;
+        }
+        this.pendingSession = createSession()
+            .then((session) => {
+            this.session = session;
+            return session;
+        })
+            .finally(() => {
+            this.pendingSession = null;
+        });
+        return this.pendingSession;
     }
     /* ---------------------------------------------- *
      * STORE  (overwrites the cached value)
@@ -9489,6 +9508,7 @@ class ServerSessionManager {
      * ---------------------------------------------- */
     clearSession() {
         this.session = null;
+        this.pendingSession = null;
     }
     /* ---------------------------------------------- *
      * QUICK helpers
@@ -9791,6 +9811,150 @@ function hashForKey$1(value) {
     }
     return h.toString(36);
 }
+/**
+ * Validates that a field name is a safe identifier (alphanumeric, underscores, dots for nested paths).
+ * Prevents prompt injection via crafted field names.
+ */
+function validateFieldName(field) {
+    if (!/^[a-zA-Z0-9_.]+$/.test(field)) {
+        throw new Error(`Invalid field name "${field}". Field names must only contain letters, numbers, underscores, and dots.`);
+    }
+}
+/**
+ * Parses a raw aggregation result (e.g. [{ count: 42 }] or [{ _id: null, total: 100 }])
+ * into a single numeric value.
+ */
+function parseAggregateValue(result) {
+    if (typeof result === 'number')
+        return result;
+    if (Array.isArray(result)) {
+        if (result.length === 0)
+            return 0;
+        // Multiple elements — not a collapsed aggregate result
+        if (result.length > 1) {
+            throw new Error(`Unexpected aggregate result: got array with ${result.length} elements. The AI may have returned full documents instead of an aggregation.`);
+        }
+        const first = result[0];
+        if (typeof first === 'number')
+            return first;
+        if (first && typeof first === 'object') {
+            // $count stage returns { count: N }
+            if (typeof first.count === 'number')
+                return first.count;
+            // $group stage returns { _id: null, result: N } — expect _id + one numeric field
+            const numericEntries = Object.entries(first).filter(([key, val]) => key !== '_id' && typeof val === 'number');
+            if (numericEntries.length === 1)
+                return numericEntries[0][1];
+        }
+        // Avoid leaking document contents into error messages
+        const shape = first && typeof first === 'object' ? `{${Object.keys(first).join(', ')}}` : String(first);
+        throw new Error(`Unexpected aggregate result shape: ${shape}. Expected {count: N} or {_id: null, <field>: N}.`);
+    }
+    if (result && typeof result === 'object' && typeof result.count === 'number') {
+        return result.count;
+    }
+    throw new Error(`Unexpected aggregate result type: ${typeof result}. Expected a number, array, or object with a count field.`);
+}
+/**
+ * Count items in a collection path. Returns a numeric result.
+ *
+ * This uses the AI query engine with a count-specific prompt prefix,
+ * so TaroBase will generate a $count aggregation pipeline and return
+ * just the count rather than full documents.
+ *
+ * IMPORTANT: This only works for collections where the read policy is "true".
+ * If the read policy requires per-document checks, the server will return
+ * an error because aggregate counts cannot be performed without pulling all
+ * documents for access control evaluation.
+ *
+ * @param path - Collection path (e.g., "posts", "users/abc/comments")
+ * @param opts - Optional filter prompt and overrides
+ * @returns AggregateResult with the count value
+ */
+async function count(path, opts = {}) {
+    const prefix = 'Return ONLY the total count of matching documents. Use the $count stage to produce a field named "count". Do NOT return the documents themselves.';
+    const fullPrompt = opts.prompt
+        ? `${prefix} Filter: ${opts.prompt}`
+        : prefix;
+    const result = await get$2(path, { prompt: fullPrompt, bypassCache: true, _overrides: opts._overrides });
+    return { value: parseAggregateValue(result) };
+}
+/**
+ * Run an aggregate operation on a collection path. Returns a numeric result.
+ *
+ * Supported operations:
+ * - count: Total number of documents
+ * - uniqueCount: Number of distinct values for a field
+ * - sum: Sum of a numeric field
+ * - avg: Average of a numeric field
+ * - min: Minimum value of a numeric field
+ * - max: Maximum value of a numeric field
+ *
+ * IMPORTANT: This only works for collections where the read policy is "true".
+ * If the read policy requires per-document checks, the server will return
+ * an error because aggregate operations cannot be performed without pulling
+ * all documents for access control evaluation.
+ *
+ * @param path - Collection path (e.g., "posts", "users/abc/comments")
+ * @param operation - The aggregate operation to perform
+ * @param opts - Options including optional filter prompt and field name
+ * @returns AggregateResult with the computed numeric value
+ */
+async function aggregate(path, operation, opts = {}) {
+    let prefix;
+    switch (operation) {
+        case 'count':
+            prefix = 'Return ONLY the total count of matching documents. Use the $count stage to produce a field named "count". Do NOT return the documents themselves.';
+            break;
+        case 'uniqueCount':
+            if (!opts.field)
+                throw new Error('aggregate "uniqueCount" requires a field option');
+            validateFieldName(opts.field);
+            prefix = `Return ONLY the count of unique/distinct values of the "${opts.field}" field. Use $group with _id set to "$${opts.field}" then $count to produce a field named "count". Do NOT return the documents themselves.`;
+            break;
+        case 'sum':
+            if (!opts.field)
+                throw new Error('aggregate "sum" requires a field option');
+            validateFieldName(opts.field);
+            prefix = `Return ONLY the sum of the "${opts.field}" field across all matching documents. Use $group with _id: null and result: { $sum: "$${opts.field}" }. Do NOT return the documents themselves.`;
+            break;
+        case 'avg':
+            if (!opts.field)
+                throw new Error('aggregate "avg" requires a field option');
+            validateFieldName(opts.field);
+            prefix = `Return ONLY the average of the "${opts.field}" field across all matching documents. Use $group with _id: null and result: { $avg: "$${opts.field}" }. Do NOT return the documents themselves.`;
+            break;
+        case 'min':
+            if (!opts.field)
+                throw new Error('aggregate "min" requires a field option');
+            validateFieldName(opts.field);
+            prefix = `Return ONLY the minimum value of the "${opts.field}" field across all matching documents. Use $group with _id: null and result: { $min: "$${opts.field}" }. Do NOT return the documents themselves.`;
+            break;
+        case 'max':
+            if (!opts.field)
+                throw new Error('aggregate "max" requires a field option');
+            validateFieldName(opts.field);
+            prefix = `Return ONLY the maximum value of the "${opts.field}" field across all matching documents. Use $group with _id: null and result: { $max: "$${opts.field}" }. Do NOT return the documents themselves.`;
+            break;
+        default:
+            throw new Error(`Unsupported aggregate operation: ${operation}`);
+    }
+    const fullPrompt = opts.prompt
+        ? `${prefix} Filter: ${opts.prompt}`
+        : prefix;
+    const result = await get$2(path, { prompt: fullPrompt, bypassCache: true, _overrides: opts._overrides });
+    // For uniqueCount, the AI may return $group results without the final $count
+    // stage, producing [{_id: "val1"}, {_id: "val2"}, ...]. Verify elements look
+    // like $group output (only _id key) before using array length as the count.
+    if (operation === 'uniqueCount' && Array.isArray(result) && result.length > 1) {
+        const looksLikeGroupOutput = result.every((el) => el && typeof el === 'object' && Object.keys(el).length === 1 && '_id' in el);
+        if (looksLikeGroupOutput) {
+            return { value: result.length };
+        }
+        throw new Error(`Unexpected uniqueCount result: got ${result.length} elements that don't match $group output shape.`);
+    }
+    return { value: parseAggregateValue(result) };
+}
 async function get$2(path, opts = {}) {
     try {
         let normalizedPath = path.startsWith("/") ? path.slice(1) : path;
@@ -10257,7 +10421,7 @@ const BASE_MIN_RECONNECT_DELAY_MS = 1000;
 const MIN_RECONNECT_DELAY_JITTER_MS = 1000;
 const MAX_RECONNECT_DELAY_MS = 300000;
 const RECONNECT_DELAY_GROW_FACTOR = 1.8;
-const MIN_BROWSER_RECONNECT_INTERVAL_MS = 30000;
+const MIN_BROWSER_RECONNECT_INTERVAL_MS = 5000;
 const WS_CONFIG = {
     // Keep retrying indefinitely so long outages recover without page refresh.
     maxRetries: Infinity,
@@ -10422,6 +10586,8 @@ async function getOrCreateConnection(appId, isServer) {
         isConnected: false,
         appId,
         tokenRefreshTimer: null,
+        lastMessageAt: Date.now(),
+        keepaliveTimer: null,
     };
     connections.set(appId, connection);
     // URL provider for reconnection with fresh tokens
@@ -10458,6 +10624,7 @@ async function getOrCreateConnection(appId, isServer) {
     ws.addEventListener('open', () => {
         connection.isConnecting = false;
         connection.isConnected = true;
+        connection.lastMessageAt = Date.now();
         // Schedule token refresh before expiry
         (async () => {
             const token = await getIdToken$1(isServer);
@@ -10465,11 +10632,28 @@ async function getOrCreateConnection(appId, isServer) {
         })();
         // Re-subscribe to all existing subscriptions after reconnect
         for (const sub of connection.subscriptions.values()) {
+            sub.lastData = undefined;
             sendSubscribe(connection, sub);
         }
+        // Start keepalive detection — if no messages for 90s, force reconnect
+        if (connection.keepaliveTimer) {
+            clearInterval(connection.keepaliveTimer);
+        }
+        connection.keepaliveTimer = setInterval(() => {
+            var _a;
+            if (Date.now() - connection.lastMessageAt > 90000) {
+                console.warn('[WS v2] No messages received for 90s, forcing reconnect');
+                if (connection.keepaliveTimer) {
+                    clearInterval(connection.keepaliveTimer);
+                    connection.keepaliveTimer = null;
+                }
+                (_a = connection.ws) === null || _a === void 0 ? void 0 : _a.reconnect();
+            }
+        }, 30000);
     });
     // Handle incoming messages
     ws.addEventListener('message', (event) => {
+        connection.lastMessageAt = Date.now();
         try {
             const message = JSON.parse(event.data);
             handleServerMessage(connection, message);
@@ -10481,20 +10665,22 @@ async function getOrCreateConnection(appId, isServer) {
     // Handle errors
     ws.addEventListener('error', (event) => {
         console.error('[WS v2] WebSocket error:', event);
-        // Reject all pending subscriptions
-        for (const [id, pending] of connection.pendingSubscriptions) {
+        for (const [, pending] of connection.pendingSubscriptions) {
             pending.reject(new Error('WebSocket error'));
-            connection.pendingSubscriptions.delete(id);
         }
+        connection.pendingSubscriptions.clear();
     });
     // Handle close
     ws.addEventListener('close', () => {
         connection.isConnected = false;
-        // Clear token refresh timer
         if (connection.tokenRefreshTimer) {
             clearTimeout(connection.tokenRefreshTimer);
             connection.tokenRefreshTimer = null;
         }
+        if (connection.keepaliveTimer) {
+            clearInterval(connection.keepaliveTimer);
+            connection.keepaliveTimer = null;
+        }
     });
     return connection;
 }
@@ -10694,9 +10880,7 @@ async function subscribeV2(path, subscriptionOptions) {
             await subscriptionPromise;
         }
         catch (error) {
-            // Remove subscription on error
-            connection.subscriptions.delete(subscriptionId);
-            throw error;
+            console.warn('[WS v2] Subscription confirmation failed, keeping for reconnect recovery:', error);
         }
     }
     // Return unsubscribe function
@@ -10812,8 +10996,6 @@ async function reconnectWithNewAuthV2() {
         if (!connection.ws) {
             continue;
         }
-        // Reject any pending subscriptions - they'll need to be retried after reconnect
-        // This prevents hanging promises during auth transitions
         for (const [, pending] of connection.pendingSubscriptions) {
             pending.reject(new Error('Connection reconnecting due to auth change'));
         }
@@ -13345,7 +13527,7 @@ async function loadDependencies() {
         const [reactModule, reactDomModule, phantomModule] = await Promise.all([
             import('react'),
             import('react-dom/client'),
-            Promise.resolve().then(function () { return require('./index-C2cjjAWD.js'); })
+            Promise.resolve().then(function () { return require('./index-BmJDdk1y.js'); })
         ]);
         // Extract default export from ESM module namespace
         // Dynamic import() returns { default: Module, ...exports }, not the module directly
@@ -33327,13 +33509,21 @@ class PrivyWalletProvider {
         await this.privyMethods.logout();
     }
     async runTransaction(_evmTransactionData, solTransactionData, options) {
-        var _a, _b;
+        var _a, _b, _c;
         await this.ensureReady({ waitForWallets: true });
         let session = await WebSessionManager.getSession();
         let sessionAddress = session === null || session === void 0 ? void 0 : session.address;
         let privyWallets = (_a = this.privyMethods) === null || _a === void 0 ? void 0 : _a.wallets;
         let privyWallet = privyWallets === null || privyWallets === void 0 ? void 0 : privyWallets.find((wallet) => wallet.address === sessionAddress);
+        // If wallet not found yet, it may be an embedded wallet (email login) that hasn't
+        // appeared in the wallets array due to React state timing. Wait for it before
+        // falling back to connectWallet() which shows an unwanted wallet selection modal.
         if (!privyWallets || privyWallets.length === 0 || !privyWallet) {
+            if (((_b = this.privyMethods) === null || _b === void 0 ? void 0 : _b.authenticated) && sessionAddress) {
+                privyWallet = await this.waitForMatchingWallet(sessionAddress);
+            }
+        }
+        if (!privyWallet) {
             // If there's already a pending transaction, throw an error to prevent overlapping calls
             if (this.pendingTransaction) {
                 throw new Error("Oops... something went wrong. Please try again.");
@@ -33413,7 +33603,7 @@ class PrivyWalletProvider {
             return {
                 transactionSignature: signature,
                 blockNumber: (txInfo === null || txInfo === void 0 ? void 0 : txInfo.slot) || 0,
-                gasUsed: ((_b = txInfo === null || txInfo === void 0 ? void 0 : txInfo.meta) === null || _b === void 0 ? void 0 : _b.fee.toString()) || '0',
+                gasUsed: ((_c = txInfo === null || txInfo === void 0 ? void 0 : txInfo.meta) === null || _c === void 0 ? void 0 : _c.fee.toString()) || '0',
                 data: txInfo === null || txInfo === void 0 ? void 0 : txInfo.meta,
             };
         }
@@ -33433,7 +33623,7 @@ class PrivyWalletProvider {
      * @returns The signed transaction
      */
     async signTransaction(transaction) {
-        var _a;
+        var _a, _b;
         await this.ensureReady({ waitForWallets: true });
         let privyWallets = (_a = this.privyMethods) === null || _a === void 0 ? void 0 : _a.wallets;
         let session = await WebSessionManager.getSession();
@@ -33443,8 +33633,16 @@ class PrivyWalletProvider {
         if (this.pendingSignTransaction) {
             throw new Error("Oops... something went wrong. Please try again.");
         }
-        // If wallet not connected, trigger connection and queue the signing
+        // If wallet not found yet, it may be an embedded wallet (email login) that hasn't
+        // appeared in the wallets array due to React state timing. Wait for it before
+        // falling back to connectWallet() which shows an unwanted wallet selection modal.
         if (!privyWallets || privyWallets.length === 0 || !privyWallet) {
+            if (((_b = this.privyMethods) === null || _b === void 0 ? void 0 : _b.authenticated) && sessionAddress) {
+                privyWallet = await this.waitForMatchingWallet(sessionAddress);
+            }
+        }
+        // If still no wallet after waiting, trigger connection and queue the signing
+        if (!privyWallet) {
             return new Promise((resolve, reject) => {
                 this.pendingSignTransaction = {
                     resolve,
@@ -33507,7 +33705,7 @@ class PrivyWalletProvider {
      * @returns The transaction signature
      */
     async signAndSubmitTransaction(transaction, feePayer) {
-        var _a;
+        var _a, _b;
         await this.ensureReady({ waitForWallets: true });
         let privyWallets = (_a = this.privyMethods) === null || _a === void 0 ? void 0 : _a.wallets;
         let session = await WebSessionManager.getSession();
@@ -33517,8 +33715,16 @@ class PrivyWalletProvider {
         if (this.pendingSignAndSubmitTransaction) {
             throw new Error("Oops... something went wrong. Please try again.");
         }
-        // If wallet not connected, trigger connection and queue the signing
+        // If wallet not found yet, it may be an embedded wallet (email login) that hasn't
+        // appeared in the wallets array due to React state timing. Wait for it before
+        // falling back to connectWallet() which shows an unwanted wallet selection modal.
         if (!privyWallets || privyWallets.length === 0 || !privyWallet) {
+            if (((_b = this.privyMethods) === null || _b === void 0 ? void 0 : _b.authenticated) && sessionAddress) {
+                privyWallet = await this.waitForMatchingWallet(sessionAddress);
+            }
+        }
+        // If still no wallet after waiting, trigger connection and queue the signing
+        if (!privyWallet) {
             return new Promise((resolve, reject) => {
                 this.pendingSignAndSubmitTransaction = {
                     resolve,
@@ -33684,7 +33890,7 @@ class PrivyWalletProvider {
         return { signature, txInfo };
     }
     async signMessage(message) {
-        var _a, _b;
+        var _a, _b, _c;
         await this.ensureReady({ waitForWallets: true });
         const session = await WebSessionManager.getSession();
         let sessionAddress = session === null || session === void 0 ? void 0 : session.address;
@@ -33692,23 +33898,47 @@ class PrivyWalletProvider {
         if (this.pendingSignMessage) {
             throw new Error("Oops... something went wrong. Please try again.");
         }
-        // If no wallets connected, trigger wallet connection and queue the signing
+        // If no wallets connected yet, it may be an embedded wallet (email login) that hasn't
+        // appeared in the wallets array due to React state timing. Wait for it before
+        // falling back to connectWallet() which shows an unwanted wallet selection modal.
         if (!((_a = this.privyMethods) === null || _a === void 0 ? void 0 : _a.wallets) || this.privyMethods.wallets.length === 0) {
-            return new Promise((resolve, reject) => {
-                this.pendingSignMessage = {
-                    resolve,
-                    reject,
-                    message
-                };
-                this.privyMethods.connectWallet();
-                // Set a timeout to reject the promise if connection takes too long
-                setTimeout(() => {
-                    if (this.pendingSignMessage) {
-                        this.pendingSignMessage.reject(new Error("Wallet connection timed out"));
-                        this.pendingSignMessage = null;
-                    }
-                }, 30000); // 30 seconds timeout
-            });
+            if (((_b = this.privyMethods) === null || _b === void 0 ? void 0 : _b.authenticated) && sessionAddress) {
+                const matchedWallet = await this.waitForMatchingWallet(sessionAddress);
+                if (!matchedWallet) {
+                    return new Promise((resolve, reject) => {
+                        this.pendingSignMessage = {
+                            resolve,
+                            reject,
+                            message
+                        };
+                        this.privyMethods.connectWallet();
+                        // Set a timeout to reject the promise if connection takes too long
+                        setTimeout(() => {
+                            if (this.pendingSignMessage) {
+                                this.pendingSignMessage.reject(new Error("Wallet connection timed out"));
+                                this.pendingSignMessage = null;
+                            }
+                        }, 30000); // 30 seconds timeout
+                    });
+                }
+            }
+            else {
+                return new Promise((resolve, reject) => {
+                    this.pendingSignMessage = {
+                        resolve,
+                        reject,
+                        message
+                    };
+                    this.privyMethods.connectWallet();
+                    // Set a timeout to reject the promise if connection takes too long
+                    setTimeout(() => {
+                        if (this.pendingSignMessage) {
+                            this.pendingSignMessage.reject(new Error("Wallet connection timed out"));
+                            this.pendingSignMessage = null;
+                        }
+                    }, 30000); // 30 seconds timeout
+                });
+            }
         }
         let privyWallet = this.privyMethods.wallets.find((wallet) => wallet.address === sessionAddress);
         if (!privyWallet) {
@@ -33726,7 +33956,7 @@ class PrivyWalletProvider {
         // Use the Privy signMessage hook for Solana wallets
         // The message needs to be passed as a Uint8Array
         const messageBytes = new TextEncoder().encode(message);
-        const result = await ((_b = this.privyMethods) === null || _b === void 0 ? void 0 : _b.signMessage({
+        const result = await ((_c = this.privyMethods) === null || _c === void 0 ? void 0 : _c.signMessage({
             message: messageBytes,
             wallet: privyWallet,
         }));
@@ -33751,6 +33981,25 @@ class PrivyWalletProvider {
         const createSessionResult = await createSessionWithPrivy(accessToken, address, idToken);
         await WebSessionManager.storeSession(address, createSessionResult.accessToken, createSessionResult.idToken, createSessionResult.refreshToken);
     }
+    /**
+     * Waits for a wallet matching the session address to appear in the wallets array.
+     * This handles the timing gap where Privy's embedded wallet (created for email login users)
+     * may not yet be in the useWallets() array when signTransaction is called immediately after login.
+     */
+    async waitForMatchingWallet(sessionAddress, timeoutMs = 10000) {
+        var _a;
+        const startTime = Date.now();
+        while (Date.now() - startTime < timeoutMs) {
+            const wallets = (_a = this.privyMethods) === null || _a === void 0 ? void 0 : _a.wallets;
+            if (wallets && wallets.length > 0) {
+                const wallet = wallets.find((w) => w.address === sessionAddress);
+                if (wallet)
+                    return wallet;
+            }
+            await new Promise(resolve => setTimeout(resolve, 200));
+        }
+        return null;
+    }
     async ensureReady({ waitForWallets = false, timeoutMs = 15000 } = {}) {
         const isReady = () => {
             var _a, _b;
@@ -34949,12 +35198,14 @@ exports.PhantomWalletProvider = PhantomWalletProvider;
 exports.PrivyWalletProvider = PrivyWalletProvider;
 exports.ServerSessionManager = ServerSessionManager;
 exports.WebSessionManager = WebSessionManager;
+exports.aggregate = aggregate;
 exports.bs58 = bs58;
 exports.bufferExports = bufferExports;
 exports.buildSetDocumentsTransaction = buildSetDocumentsTransaction;
 exports.clearCache = clearCache;
 exports.closeAllSubscriptions = closeAllSubscriptions;
 exports.convertRemainingAccounts = convertRemainingAccounts;
+exports.count = count;
 exports.createSessionWithPrivy = createSessionWithPrivy;
 exports.createSessionWithSignature = createSessionWithSignature;
 exports.genAuthNonce = genAuthNonce;
@@ -34987,4 +35238,4 @@ exports.signSessionCreateMessage = signSessionCreateMessage;
 exports.signTransaction = signTransaction;
 exports.subscribe = subscribe;
 exports.useAuth = useAuth;
-//# sourceMappingURL=index-BCpgjKea.js.map
+//# sourceMappingURL=index-9kQbe-Gv.js.map