@pooflabs/web 0.0.81 → 0.0.83-rc1

package/dist/{index.native-CyA-RdvW.js → index.native-lubRe8nA.js}

@@ -22,21 +22,6 @@ function _interopNamespaceDefault(e) {
 	return Object.freeze(n);
 }
 
-function _mergeNamespaces(n, m) {
-	m.forEach(function (e) {
-		e && typeof e !== 'string' && !Array.isArray(e) && Object.keys(e).forEach(function (k) {
-			if (k !== 'default' && !(k in n)) {
-				var d = Object.getOwnPropertyDescriptor(e, k);
-				Object.defineProperty(n, k, d.get ? d : {
-					enumerable: true,
-					get: function () { return e[k]; }
-				});
-			}
-		});
-	});
-	return Object.freeze(n);
-}
-
 var anchor__namespace = /*#__PURE__*/_interopNamespaceDefault(anchor);
 var React__namespace = /*#__PURE__*/_interopNamespaceDefault(React);
 
@@ -6785,6 +6770,28 @@ class WebSessionManager {
     static async storeSession(address, accessToken, idToken, refreshToken) {
         if (typeof window === "undefined")
             return;
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave localStorage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[WebSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[WebSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[WebSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         localStorage.setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -9483,11 +9490,11 @@ function requireSrc () {
 }
 
 var bs58$1;
-var hasRequiredBs58$1;
+var hasRequiredBs58;
 
-function requireBs58$1 () {
-	if (hasRequiredBs58$1) return bs58$1;
-	hasRequiredBs58$1 = 1;
+function requireBs58 () {
+	if (hasRequiredBs58) return bs58$1;
+	hasRequiredBs58 = 1;
 	var basex = requireSrc();
 	var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
 
@@ -9495,8 +9502,8 @@ function requireBs58$1 () {
 	return bs58$1;
 }
 
-var bs58Exports$1 = requireBs58$1();
-var bs58$2 = /*@__PURE__*/getDefaultExportFromCjs(bs58Exports$1);
+var bs58Exports = requireBs58();
+var bs58 = /*@__PURE__*/getDefaultExportFromCjs(bs58Exports);
 
 // ─────────────────────────────────────────────────────────────
 // Local implementation of getSimulationComputeUnits
@@ -9749,7 +9756,7 @@ function loadKeypairFromEnv() {
     try {
         const secretKey = secret.trim().startsWith("[")
             ? Uint8Array.from(JSON.parse(secret))
-            : bs58$2.decode(secret.trim());
+            : bs58.decode(secret.trim());
         return web3_js.Keypair.fromSecretKey(secretKey);
     }
     catch (err) {
@@ -11671,6 +11678,28 @@ class ReactNativeSessionManager {
     /* STORE                                                              */
     /* ------------------------------------------------------------------ */
     static async storeSession(address, accessToken, idToken, refreshToken) {
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave storage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[ReactNativeSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[ReactNativeSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[ReactNativeSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         this.getStorage().setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -12825,15 +12854,15 @@ function clearIncompatibleSession() {
 // Lazy loaders for web-only providers.
 // Using dynamic import() ensures Metro (RN) never resolves these modules.
 async function loadPrivyWalletProvider() {
-    const mod = await Promise.resolve().then(function () { return require('./privy-wallet-provider-BMg_S_d0.js'); });
+    const mod = await Promise.resolve().then(function () { return require('./privy-wallet-provider-CeH9zTfE.js'); });
     return mod.PrivyWalletProvider;
 }
 async function loadPhantomWalletProvider() {
-    const mod = await Promise.resolve().then(function () { return require('./phantom-wallet-provider-DWCaMkyz.js'); });
+    const mod = await Promise.resolve().then(function () { return require('./phantom-wallet-provider-CfJti5dZ.js'); });
     return { PhantomWalletProvider: mod.PhantomWalletProvider };
 }
 async function loadSolanaMobileWalletProvider() {
-    const mod = await Promise.resolve().then(function () { return require('./solana-mobile-wallet-provider-t22Ie8lY.js'); });
+    const mod = await Promise.resolve().then(function () { return require('./solana-mobile-wallet-provider-4PG6JNmJ.js'); });
     return mod.SolanaMobileWalletProvider;
 }
 async function hotSwapToPrivyProvider(config) {
@@ -13251,161 +13280,137 @@ async function confirmAndCheckTransaction(connection, signature) {
     throw new Error('Transaction confirmation timeout');
 }
 
-var cjs = {};
-
-var hasRequiredCjs;
-
-function requireCjs () {
-	if (hasRequiredCjs) return cjs;
-	hasRequiredCjs = 1;
-	// base-x encoding / decoding
-	// Copyright (c) 2018 base-x contributors
-	// Copyright (c) 2014-2018 The Bitcoin Core developers (base58.cpp)
-	// Distributed under the MIT software license, see the accompanying
-	// file LICENSE or http://www.opensource.org/licenses/mit-license.php.
-	Object.defineProperty(cjs, '__esModule', { value: true });
-	function base (ALPHABET) {
-	  if (ALPHABET.length >= 255) { throw new TypeError('Alphabet too long') }
-	  const BASE_MAP = new Uint8Array(256);
-	  for (let j = 0; j < BASE_MAP.length; j++) {
-	    BASE_MAP[j] = 255;
-	  }
-	  for (let i = 0; i < ALPHABET.length; i++) {
-	    const x = ALPHABET.charAt(i);
-	    const xc = x.charCodeAt(0);
-	    if (BASE_MAP[xc] !== 255) { throw new TypeError(x + ' is ambiguous') }
-	    BASE_MAP[xc] = i;
-	  }
-	  const BASE = ALPHABET.length;
-	  const LEADER = ALPHABET.charAt(0);
-	  const FACTOR = Math.log(BASE) / Math.log(256); // log(BASE) / log(256), rounded up
-	  const iFACTOR = Math.log(256) / Math.log(BASE); // log(256) / log(BASE), rounded up
-	  function encode (source) {
-	    // eslint-disable-next-line no-empty
-	    if (source instanceof Uint8Array) ; else if (ArrayBuffer.isView(source)) {
-	      source = new Uint8Array(source.buffer, source.byteOffset, source.byteLength);
-	    } else if (Array.isArray(source)) {
-	      source = Uint8Array.from(source);
-	    }
-	    if (!(source instanceof Uint8Array)) { throw new TypeError('Expected Uint8Array') }
-	    if (source.length === 0) { return '' }
-	    // Skip & count leading zeroes.
-	    let zeroes = 0;
-	    let length = 0;
-	    let pbegin = 0;
-	    const pend = source.length;
-	    while (pbegin !== pend && source[pbegin] === 0) {
-	      pbegin++;
-	      zeroes++;
-	    }
-	    // Allocate enough space in big-endian base58 representation.
-	    const size = ((pend - pbegin) * iFACTOR + 1) >>> 0;
-	    const b58 = new Uint8Array(size);
-	    // Process the bytes.
-	    while (pbegin !== pend) {
-	      let carry = source[pbegin];
-	      // Apply "b58 = b58 * 256 + ch".
-	      let i = 0;
-	      for (let it1 = size - 1; (carry !== 0 || i < length) && (it1 !== -1); it1--, i++) {
-	        carry += (256 * b58[it1]) >>> 0;
-	        b58[it1] = (carry % BASE) >>> 0;
-	        carry = (carry / BASE) >>> 0;
-	      }
-	      if (carry !== 0) { throw new Error('Non-zero carry') }
-	      length = i;
-	      pbegin++;
-	    }
-	    // Skip leading zeroes in base58 result.
-	    let it2 = size - length;
-	    while (it2 !== size && b58[it2] === 0) {
-	      it2++;
-	    }
-	    // Translate the result into a string.
-	    let str = LEADER.repeat(zeroes);
-	    for (; it2 < size; ++it2) { str += ALPHABET.charAt(b58[it2]); }
-	    return str
-	  }
-	  function decodeUnsafe (source) {
-	    if (typeof source !== 'string') { throw new TypeError('Expected String') }
-	    if (source.length === 0) { return new Uint8Array() }
-	    let psz = 0;
-	    // Skip and count leading '1's.
-	    let zeroes = 0;
-	    let length = 0;
-	    while (source[psz] === LEADER) {
-	      zeroes++;
-	      psz++;
-	    }
-	    // Allocate enough space in big-endian base256 representation.
-	    const size = (((source.length - psz) * FACTOR) + 1) >>> 0; // log(58) / log(256), rounded up.
-	    const b256 = new Uint8Array(size);
-	    // Process the characters.
-	    while (psz < source.length) {
-	      // Find code of next character
-	      const charCode = source.charCodeAt(psz);
-	      // Base map can not be indexed using char code
-	      if (charCode > 255) { return }
-	      // Decode character
-	      let carry = BASE_MAP[charCode];
-	      // Invalid character
-	      if (carry === 255) { return }
-	      let i = 0;
-	      for (let it3 = size - 1; (carry !== 0 || i < length) && (it3 !== -1); it3--, i++) {
-	        carry += (BASE * b256[it3]) >>> 0;
-	        b256[it3] = (carry % 256) >>> 0;
-	        carry = (carry / 256) >>> 0;
-	      }
-	      if (carry !== 0) { throw new Error('Non-zero carry') }
-	      length = i;
-	      psz++;
-	    }
-	    // Skip leading zeroes in b256.
-	    let it4 = size - length;
-	    while (it4 !== size && b256[it4] === 0) {
-	      it4++;
-	    }
-	    const vch = new Uint8Array(zeroes + (size - it4));
-	    let j = zeroes;
-	    while (it4 !== size) {
-	      vch[j++] = b256[it4++];
-	    }
-	    return vch
-	  }
-	  function decode (string) {
-	    const buffer = decodeUnsafe(string);
-	    if (buffer) { return buffer }
-	    throw new Error('Non-base' + BASE + ' character')
-	  }
-	  return {
-	    encode,
-	    decodeUnsafe,
-	    decode
-	  }
-	}
-	cjs.default = base;
-	return cjs;
-}
-
-var bs58;
-var hasRequiredBs58;
-
-function requireBs58 () {
-	if (hasRequiredBs58) return bs58;
-	hasRequiredBs58 = 1;
-	var basex = requireCjs();
-	var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
-
-	bs58 = basex(ALPHABET);
-	return bs58;
-}
-
-var bs58Exports = requireBs58();
-var base58 = /*@__PURE__*/getDefaultExportFromCjs$1(bs58Exports);
-
-var index = /*#__PURE__*/_mergeNamespaces({
+// base-x encoding / decoding
+// Copyright (c) 2018 base-x contributors
+// Copyright (c) 2014-2018 The Bitcoin Core developers (base58.cpp)
+// Distributed under the MIT software license, see the accompanying
+// file LICENSE or http://www.opensource.org/licenses/mit-license.php.
+function base (ALPHABET) {
+  if (ALPHABET.length >= 255) { throw new TypeError('Alphabet too long') }
+  const BASE_MAP = new Uint8Array(256);
+  for (let j = 0; j < BASE_MAP.length; j++) {
+    BASE_MAP[j] = 255;
+  }
+  for (let i = 0; i < ALPHABET.length; i++) {
+    const x = ALPHABET.charAt(i);
+    const xc = x.charCodeAt(0);
+    if (BASE_MAP[xc] !== 255) { throw new TypeError(x + ' is ambiguous') }
+    BASE_MAP[xc] = i;
+  }
+  const BASE = ALPHABET.length;
+  const LEADER = ALPHABET.charAt(0);
+  const FACTOR = Math.log(BASE) / Math.log(256); // log(BASE) / log(256), rounded up
+  const iFACTOR = Math.log(256) / Math.log(BASE); // log(256) / log(BASE), rounded up
+  function encode (source) {
+    // eslint-disable-next-line no-empty
+    if (source instanceof Uint8Array) ; else if (ArrayBuffer.isView(source)) {
+      source = new Uint8Array(source.buffer, source.byteOffset, source.byteLength);
+    } else if (Array.isArray(source)) {
+      source = Uint8Array.from(source);
+    }
+    if (!(source instanceof Uint8Array)) { throw new TypeError('Expected Uint8Array') }
+    if (source.length === 0) { return '' }
+    // Skip & count leading zeroes.
+    let zeroes = 0;
+    let length = 0;
+    let pbegin = 0;
+    const pend = source.length;
+    while (pbegin !== pend && source[pbegin] === 0) {
+      pbegin++;
+      zeroes++;
+    }
+    // Allocate enough space in big-endian base58 representation.
+    const size = ((pend - pbegin) * iFACTOR + 1) >>> 0;
+    const b58 = new Uint8Array(size);
+    // Process the bytes.
+    while (pbegin !== pend) {
+      let carry = source[pbegin];
+      // Apply "b58 = b58 * 256 + ch".
+      let i = 0;
+      for (let it1 = size - 1; (carry !== 0 || i < length) && (it1 !== -1); it1--, i++) {
+        carry += (256 * b58[it1]) >>> 0;
+        b58[it1] = (carry % BASE) >>> 0;
+        carry = (carry / BASE) >>> 0;
+      }
+      if (carry !== 0) { throw new Error('Non-zero carry') }
+      length = i;
+      pbegin++;
+    }
+    // Skip leading zeroes in base58 result.
+    let it2 = size - length;
+    while (it2 !== size && b58[it2] === 0) {
+      it2++;
+    }
+    // Translate the result into a string.
+    let str = LEADER.repeat(zeroes);
+    for (; it2 < size; ++it2) { str += ALPHABET.charAt(b58[it2]); }
+    return str
+  }
+  function decodeUnsafe (source) {
+    if (typeof source !== 'string') { throw new TypeError('Expected String') }
+    if (source.length === 0) { return new Uint8Array() }
+    let psz = 0;
+    // Skip and count leading '1's.
+    let zeroes = 0;
+    let length = 0;
+    while (source[psz] === LEADER) {
+      zeroes++;
+      psz++;
+    }
+    // Allocate enough space in big-endian base256 representation.
+    const size = (((source.length - psz) * FACTOR) + 1) >>> 0; // log(58) / log(256), rounded up.
+    const b256 = new Uint8Array(size);
+    // Process the characters.
+    while (psz < source.length) {
+      // Find code of next character
+      const charCode = source.charCodeAt(psz);
+      // Base map can not be indexed using char code
+      if (charCode > 255) { return }
+      // Decode character
+      let carry = BASE_MAP[charCode];
+      // Invalid character
+      if (carry === 255) { return }
+      let i = 0;
+      for (let it3 = size - 1; (carry !== 0 || i < length) && (it3 !== -1); it3--, i++) {
+        carry += (BASE * b256[it3]) >>> 0;
+        b256[it3] = (carry % 256) >>> 0;
+        carry = (carry / 256) >>> 0;
+      }
+      if (carry !== 0) { throw new Error('Non-zero carry') }
+      length = i;
+      psz++;
+    }
+    // Skip leading zeroes in b256.
+    let it4 = size - length;
+    while (it4 !== size && b256[it4] === 0) {
+      it4++;
+    }
+    const vch = new Uint8Array(zeroes + (size - it4));
+    let j = zeroes;
+    while (it4 !== size) {
+      vch[j++] = b256[it4++];
+    }
+    return vch
+  }
+  function decode (string) {
+    const buffer = decodeUnsafe(string);
+    if (buffer) { return buffer }
+    throw new Error('Non-base' + BASE + ' character')
+  }
+  return {
+    encode,
+    decodeUnsafe,
+    decode
+  }
+}
+
+var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
+var base58 = base(ALPHABET);
+
+var index = /*#__PURE__*/Object.freeze({
 	__proto__: null,
 	default: base58
-}, [bs58Exports]);
+});
 
 /**
  * Privy Expo Auth Provider — React Native implementation of AuthProvider.
@@ -13762,7 +13767,6 @@ exports.base58 = base58;
 exports.buildSetDocumentsTransaction = buildSetDocumentsTransaction;
 exports.clearCache = clearCache;
 exports.closeAllSubscriptions = closeAllSubscriptions;
-exports.commonjsRequire = commonjsRequire;
 exports.confirmAndCheckTransaction = confirmAndCheckTransaction;
 exports.convertRemainingAccounts = convertRemainingAccounts;
 exports.count = count;
@@ -13792,7 +13796,6 @@ exports.onAuthLoadingChanged = onAuthLoadingChanged;
 exports.onAuthStateChanged = onAuthStateChanged;
 exports.reconnectWithNewAuth = reconnectWithNewAuth;
 exports.refreshSession = refreshSession;
-exports.require$$0 = require$$0;
 exports.runExpression = runExpression;
 exports.runExpressionMany = runExpressionMany;
 exports.runQuery = runQuery;
@@ -13809,4 +13812,4 @@ exports.signSessionCreateMessage = signSessionCreateMessage;
 exports.signTransaction = signTransaction;
 exports.subscribe = subscribe;
 exports.useAuth = useAuth;
-//# sourceMappingURL=index.native-CyA-RdvW.js.map
+//# sourceMappingURL=index.native-lubRe8nA.js.map