@pooflabs/web 0.0.81 → 0.0.83-rc1

package/dist/{index-B2WGCssJ.js → index-CYhzBf0k.js}

@@ -22,21 +22,6 @@ function _interopNamespaceDefault(e) {
 	return Object.freeze(n);
 }
 
-function _mergeNamespaces(n, m) {
-	m.forEach(function (e) {
-		e && typeof e !== 'string' && !Array.isArray(e) && Object.keys(e).forEach(function (k) {
-			if (k !== 'default' && !(k in n)) {
-				var d = Object.getOwnPropertyDescriptor(e, k);
-				Object.defineProperty(n, k, d.get ? d : {
-					enumerable: true,
-					get: function () { return e[k]; }
-				});
-			}
-		});
-	});
-	return Object.freeze(n);
-}
-
 var anchor__namespace = /*#__PURE__*/_interopNamespaceDefault(anchor);
 var React__namespace = /*#__PURE__*/_interopNamespaceDefault(React$2);
 
@@ -6785,6 +6770,28 @@ class WebSessionManager {
     static async storeSession(address, accessToken, idToken, refreshToken) {
         if (typeof window === "undefined")
             return;
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave localStorage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[WebSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[WebSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[WebSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         localStorage.setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -9483,11 +9490,11 @@ function requireSrc () {
 }
 
 var bs58$1;
-var hasRequiredBs58$1;
+var hasRequiredBs58;
 
-function requireBs58$1 () {
-	if (hasRequiredBs58$1) return bs58$1;
-	hasRequiredBs58$1 = 1;
+function requireBs58 () {
+	if (hasRequiredBs58) return bs58$1;
+	hasRequiredBs58 = 1;
 	var basex = requireSrc();
 	var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
 
@@ -9495,8 +9502,8 @@ function requireBs58$1 () {
 	return bs58$1;
 }
 
-var bs58Exports$1 = requireBs58$1();
-var bs58$2 = /*@__PURE__*/getDefaultExportFromCjs(bs58Exports$1);
+var bs58Exports = requireBs58();
+var bs58 = /*@__PURE__*/getDefaultExportFromCjs(bs58Exports);
 
 // ─────────────────────────────────────────────────────────────
 // Local implementation of getSimulationComputeUnits
@@ -9749,7 +9756,7 @@ function loadKeypairFromEnv() {
     try {
         const secretKey = secret.trim().startsWith("[")
             ? Uint8Array.from(JSON.parse(secret))
-            : bs58$2.decode(secret.trim());
+            : bs58.decode(secret.trim());
         return web3_js.Keypair.fromSecretKey(secretKey);
     }
     catch (err) {
@@ -11671,6 +11678,28 @@ class ReactNativeSessionManager {
     /* STORE                                                              */
     /* ------------------------------------------------------------------ */
     static async storeSession(address, accessToken, idToken, refreshToken) {
+        // JWT-wallet binding: refuse to store a session whose idToken is bound
+        // to a different wallet than `address`. Prevents races that would otherwise
+        // leave storage with mismatched address/token state.
+        try {
+            const payloadB64 = idToken.split(".")[1];
+            if (payloadB64) {
+                const payload = JSON.parse(this.decodeBase64Url(payloadB64));
+                const tokenWallet = payload["custom:walletAddress"];
+                if (tokenWallet && tokenWallet !== address) {
+                    throw new Error(`[ReactNativeSessionManager] Refusing to store session: address (${address}) does not match idToken custom:walletAddress (${tokenWallet})`);
+                }
+                if (!tokenWallet) {
+                    console.warn("[ReactNativeSessionManager] storeSession: idToken has no custom:walletAddress claim — writing without validation");
+                }
+            }
+        }
+        catch (err) {
+            if (typeof (err === null || err === void 0 ? void 0 : err.message) === "string" && err.message.includes("Refusing to store session")) {
+                throw err;
+            }
+            console.warn("[ReactNativeSessionManager] storeSession: failed to decode idToken for validation:", err);
+        }
         const config = await getConfig();
         const currentAppId = config.appId;
         this.getStorage().setItem(this.TAROBASE_SESSION_STORAGE_KEY, JSON.stringify({
@@ -15669,7 +15698,7 @@ async function loadDependencies() {
         const [reactModule, reactDomModule, phantomModule] = await Promise.all([
             import('react'),
             import('react-dom/client'),
-            Promise.resolve().then(function () { return require('./index-DXPkkq81.js'); })
+            Promise.resolve().then(function () { return require('./index-BAz5F9Qr.js'); })
         ]);
         // Extract default export from ESM module namespace
         // Dynamic import() returns { default: Module, ...exports }, not the module directly
@@ -15863,6 +15892,16 @@ class PhantomWalletProvider {
                     if (!(phantom === null || phantom === void 0 ? void 0 : phantom.isConnected) || (phantom === null || phantom === void 0 ? void 0 : phantom.isLoading) || that.loginInProgress || that.autoLoginInProgress || that.pendingLogin) {
                         return;
                     }
+                    // Don't clobber a session owned by MWA on Seeker. MWA marks the
+                    // auth method as soon as login starts (see solana-mobile-wallet-provider),
+                    // and clears it on logout, so this guard is correct in both
+                    // steady-state and post-logout cases.
+                    try {
+                        if (getPlatform().storage.getItem('tarobase_last_auth_method') === 'mobile-wallet-adapter') {
+                            return;
+                        }
+                    }
+                    catch (_b) { }
                     // Need solana to be available AND connected for signing
                     if (!solana || !solanaHook.isAvailable || !solana.connected) {
                         return;
@@ -15892,12 +15931,21 @@ class PhantomWalletProvider {
                         const signatureBytes = signResult.signature;
                         const signature = bufferExports.Buffer.from(signatureBytes).toString('base64');
                         const createSessionResult = await createSessionWithSignature(publicKey, messageText, signature);
+                        // Pre-write guard: MWA may have started a login while we were
+                        // in flight. If MWA owns the auth method now, abort before we
+                        // overwrite its session (or its in-flight session).
+                        try {
+                            if (getPlatform().storage.getItem('tarobase_last_auth_method') === 'mobile-wallet-adapter') {
+                                return;
+                            }
+                        }
+                        catch (_c) { }
                         await WebSessionManager.storeSession(publicKey, createSessionResult.accessToken, createSessionResult.idToken, createSessionResult.refreshToken);
                         // Mark auth method so clearIncompatibleSession() doesn't wipe this session
                         try {
                             getPlatform().storage.setItem('tarobase_last_auth_method', 'phantom');
                         }
-                        catch (_b) { }
+                        catch (_d) { }
                         setCurrentUser({ provider: that, address: publicKey });
                     }
                     catch (error) {
@@ -20087,161 +20135,137 @@ function createSolanaRpcSubscriptionsFromTransport(transport) {
   });
 }
 
-var cjs = {};
-
-var hasRequiredCjs;
-
-function requireCjs () {
-	if (hasRequiredCjs) return cjs;
-	hasRequiredCjs = 1;
-	// base-x encoding / decoding
-	// Copyright (c) 2018 base-x contributors
-	// Copyright (c) 2014-2018 The Bitcoin Core developers (base58.cpp)
-	// Distributed under the MIT software license, see the accompanying
-	// file LICENSE or http://www.opensource.org/licenses/mit-license.php.
-	Object.defineProperty(cjs, '__esModule', { value: true });
-	function base (ALPHABET) {
-	  if (ALPHABET.length >= 255) { throw new TypeError('Alphabet too long') }
-	  const BASE_MAP = new Uint8Array(256);
-	  for (let j = 0; j < BASE_MAP.length; j++) {
-	    BASE_MAP[j] = 255;
-	  }
-	  for (let i = 0; i < ALPHABET.length; i++) {
-	    const x = ALPHABET.charAt(i);
-	    const xc = x.charCodeAt(0);
-	    if (BASE_MAP[xc] !== 255) { throw new TypeError(x + ' is ambiguous') }
-	    BASE_MAP[xc] = i;
-	  }
-	  const BASE = ALPHABET.length;
-	  const LEADER = ALPHABET.charAt(0);
-	  const FACTOR = Math.log(BASE) / Math.log(256); // log(BASE) / log(256), rounded up
-	  const iFACTOR = Math.log(256) / Math.log(BASE); // log(256) / log(BASE), rounded up
-	  function encode (source) {
-	    // eslint-disable-next-line no-empty
-	    if (source instanceof Uint8Array) ; else if (ArrayBuffer.isView(source)) {
-	      source = new Uint8Array(source.buffer, source.byteOffset, source.byteLength);
-	    } else if (Array.isArray(source)) {
-	      source = Uint8Array.from(source);
-	    }
-	    if (!(source instanceof Uint8Array)) { throw new TypeError('Expected Uint8Array') }
-	    if (source.length === 0) { return '' }
-	    // Skip & count leading zeroes.
-	    let zeroes = 0;
-	    let length = 0;
-	    let pbegin = 0;
-	    const pend = source.length;
-	    while (pbegin !== pend && source[pbegin] === 0) {
-	      pbegin++;
-	      zeroes++;
-	    }
-	    // Allocate enough space in big-endian base58 representation.
-	    const size = ((pend - pbegin) * iFACTOR + 1) >>> 0;
-	    const b58 = new Uint8Array(size);
-	    // Process the bytes.
-	    while (pbegin !== pend) {
-	      let carry = source[pbegin];
-	      // Apply "b58 = b58 * 256 + ch".
-	      let i = 0;
-	      for (let it1 = size - 1; (carry !== 0 || i < length) && (it1 !== -1); it1--, i++) {
-	        carry += (256 * b58[it1]) >>> 0;
-	        b58[it1] = (carry % BASE) >>> 0;
-	        carry = (carry / BASE) >>> 0;
-	      }
-	      if (carry !== 0) { throw new Error('Non-zero carry') }
-	      length = i;
-	      pbegin++;
-	    }
-	    // Skip leading zeroes in base58 result.
-	    let it2 = size - length;
-	    while (it2 !== size && b58[it2] === 0) {
-	      it2++;
-	    }
-	    // Translate the result into a string.
-	    let str = LEADER.repeat(zeroes);
-	    for (; it2 < size; ++it2) { str += ALPHABET.charAt(b58[it2]); }
-	    return str
-	  }
-	  function decodeUnsafe (source) {
-	    if (typeof source !== 'string') { throw new TypeError('Expected String') }
-	    if (source.length === 0) { return new Uint8Array() }
-	    let psz = 0;
-	    // Skip and count leading '1's.
-	    let zeroes = 0;
-	    let length = 0;
-	    while (source[psz] === LEADER) {
-	      zeroes++;
-	      psz++;
-	    }
-	    // Allocate enough space in big-endian base256 representation.
-	    const size = (((source.length - psz) * FACTOR) + 1) >>> 0; // log(58) / log(256), rounded up.
-	    const b256 = new Uint8Array(size);
-	    // Process the characters.
-	    while (psz < source.length) {
-	      // Find code of next character
-	      const charCode = source.charCodeAt(psz);
-	      // Base map can not be indexed using char code
-	      if (charCode > 255) { return }
-	      // Decode character
-	      let carry = BASE_MAP[charCode];
-	      // Invalid character
-	      if (carry === 255) { return }
-	      let i = 0;
-	      for (let it3 = size - 1; (carry !== 0 || i < length) && (it3 !== -1); it3--, i++) {
-	        carry += (BASE * b256[it3]) >>> 0;
-	        b256[it3] = (carry % 256) >>> 0;
-	        carry = (carry / 256) >>> 0;
-	      }
-	      if (carry !== 0) { throw new Error('Non-zero carry') }
-	      length = i;
-	      psz++;
-	    }
-	    // Skip leading zeroes in b256.
-	    let it4 = size - length;
-	    while (it4 !== size && b256[it4] === 0) {
-	      it4++;
-	    }
-	    const vch = new Uint8Array(zeroes + (size - it4));
-	    let j = zeroes;
-	    while (it4 !== size) {
-	      vch[j++] = b256[it4++];
-	    }
-	    return vch
-	  }
-	  function decode (string) {
-	    const buffer = decodeUnsafe(string);
-	    if (buffer) { return buffer }
-	    throw new Error('Non-base' + BASE + ' character')
-	  }
-	  return {
-	    encode,
-	    decodeUnsafe,
-	    decode
-	  }
-	}
-	cjs.default = base;
-	return cjs;
-}
-
-var bs58;
-var hasRequiredBs58;
-
-function requireBs58 () {
-	if (hasRequiredBs58) return bs58;
-	hasRequiredBs58 = 1;
-	var basex = requireCjs();
-	var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
-
-	bs58 = basex(ALPHABET);
-	return bs58;
+// base-x encoding / decoding
+// Copyright (c) 2018 base-x contributors
+// Copyright (c) 2014-2018 The Bitcoin Core developers (base58.cpp)
+// Distributed under the MIT software license, see the accompanying
+// file LICENSE or http://www.opensource.org/licenses/mit-license.php.
+function base (ALPHABET) {
+  if (ALPHABET.length >= 255) { throw new TypeError('Alphabet too long') }
+  const BASE_MAP = new Uint8Array(256);
+  for (let j = 0; j < BASE_MAP.length; j++) {
+    BASE_MAP[j] = 255;
+  }
+  for (let i = 0; i < ALPHABET.length; i++) {
+    const x = ALPHABET.charAt(i);
+    const xc = x.charCodeAt(0);
+    if (BASE_MAP[xc] !== 255) { throw new TypeError(x + ' is ambiguous') }
+    BASE_MAP[xc] = i;
+  }
+  const BASE = ALPHABET.length;
+  const LEADER = ALPHABET.charAt(0);
+  const FACTOR = Math.log(BASE) / Math.log(256); // log(BASE) / log(256), rounded up
+  const iFACTOR = Math.log(256) / Math.log(BASE); // log(256) / log(BASE), rounded up
+  function encode (source) {
+    // eslint-disable-next-line no-empty
+    if (source instanceof Uint8Array) ; else if (ArrayBuffer.isView(source)) {
+      source = new Uint8Array(source.buffer, source.byteOffset, source.byteLength);
+    } else if (Array.isArray(source)) {
+      source = Uint8Array.from(source);
+    }
+    if (!(source instanceof Uint8Array)) { throw new TypeError('Expected Uint8Array') }
+    if (source.length === 0) { return '' }
+    // Skip & count leading zeroes.
+    let zeroes = 0;
+    let length = 0;
+    let pbegin = 0;
+    const pend = source.length;
+    while (pbegin !== pend && source[pbegin] === 0) {
+      pbegin++;
+      zeroes++;
+    }
+    // Allocate enough space in big-endian base58 representation.
+    const size = ((pend - pbegin) * iFACTOR + 1) >>> 0;
+    const b58 = new Uint8Array(size);
+    // Process the bytes.
+    while (pbegin !== pend) {
+      let carry = source[pbegin];
+      // Apply "b58 = b58 * 256 + ch".
+      let i = 0;
+      for (let it1 = size - 1; (carry !== 0 || i < length) && (it1 !== -1); it1--, i++) {
+        carry += (256 * b58[it1]) >>> 0;
+        b58[it1] = (carry % BASE) >>> 0;
+        carry = (carry / BASE) >>> 0;
+      }
+      if (carry !== 0) { throw new Error('Non-zero carry') }
+      length = i;
+      pbegin++;
+    }
+    // Skip leading zeroes in base58 result.
+    let it2 = size - length;
+    while (it2 !== size && b58[it2] === 0) {
+      it2++;
+    }
+    // Translate the result into a string.
+    let str = LEADER.repeat(zeroes);
+    for (; it2 < size; ++it2) { str += ALPHABET.charAt(b58[it2]); }
+    return str
+  }
+  function decodeUnsafe (source) {
+    if (typeof source !== 'string') { throw new TypeError('Expected String') }
+    if (source.length === 0) { return new Uint8Array() }
+    let psz = 0;
+    // Skip and count leading '1's.
+    let zeroes = 0;
+    let length = 0;
+    while (source[psz] === LEADER) {
+      zeroes++;
+      psz++;
+    }
+    // Allocate enough space in big-endian base256 representation.
+    const size = (((source.length - psz) * FACTOR) + 1) >>> 0; // log(58) / log(256), rounded up.
+    const b256 = new Uint8Array(size);
+    // Process the characters.
+    while (psz < source.length) {
+      // Find code of next character
+      const charCode = source.charCodeAt(psz);
+      // Base map can not be indexed using char code
+      if (charCode > 255) { return }
+      // Decode character
+      let carry = BASE_MAP[charCode];
+      // Invalid character
+      if (carry === 255) { return }
+      let i = 0;
+      for (let it3 = size - 1; (carry !== 0 || i < length) && (it3 !== -1); it3--, i++) {
+        carry += (BASE * b256[it3]) >>> 0;
+        b256[it3] = (carry % 256) >>> 0;
+        carry = (carry / 256) >>> 0;
+      }
+      if (carry !== 0) { throw new Error('Non-zero carry') }
+      length = i;
+      psz++;
+    }
+    // Skip leading zeroes in b256.
+    let it4 = size - length;
+    while (it4 !== size && b256[it4] === 0) {
+      it4++;
+    }
+    const vch = new Uint8Array(zeroes + (size - it4));
+    let j = zeroes;
+    while (it4 !== size) {
+      vch[j++] = b256[it4++];
+    }
+    return vch
+  }
+  function decode (string) {
+    const buffer = decodeUnsafe(string);
+    if (buffer) { return buffer }
+    throw new Error('Non-base' + BASE + ' character')
+  }
+  return {
+    encode,
+    decodeUnsafe,
+    decode
+  }
 }
 
-var bs58Exports = requireBs58();
-var base58 = /*@__PURE__*/getDefaultExportFromCjs$1(bs58Exports);
+var ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
+var base58 = base(ALPHABET);
 
-var index = /*#__PURE__*/_mergeNamespaces({
+var index = /*#__PURE__*/Object.freeze({
 	__proto__: null,
 	default: base58
-}, [bs58Exports]);
+});
 
 const SURFNET_RPC_URL$1 = "https://surfpool.fly.dev";
 let React;
@@ -21155,7 +21179,7 @@ async function loadMwaProtocol() {
         return mwaProtocolLoadPromise;
     mwaProtocolLoadPromise = (async () => {
         try {
-            mwaProtocolModule = await Promise.resolve().then(function () { return require('./index.browser-d0PlOXpF.js'); });
+            mwaProtocolModule = await Promise.resolve().then(function () { return require('./index.browser-XpeHKCJM.js'); });
         }
         catch (e) {
             console.warn('[SolanaMobileWallet] @solana-mobile/mobile-wallet-adapter-protocol-web3js not installed. Install it to enable Seeker wallet support.');
@@ -21177,7 +21201,7 @@ async function registerMobileWalletAdapter(config) {
     if (typeof window === 'undefined')
         return;
     try {
-        const walletStandardMobile = await Promise.resolve().then(function () { return require('./index.browser-CT6PUv9G.js'); });
+        const walletStandardMobile = await Promise.resolve().then(function () { return require('./index.browser-BgibQtKi.js'); });
         const registerMwa = walletStandardMobile.registerMwa || ((_a = walletStandardMobile.default) === null || _a === void 0 ? void 0 : _a.registerMwa);
         if (!registerMwa) {
             console.warn('[SolanaMobileWallet] registerMwa not found in @solana-mobile/wallet-standard-mobile');
@@ -21307,6 +21331,19 @@ class SolanaMobileWalletProvider {
     async login() {
         var _a, _b, _c, _d, _e;
         setAuthLoading(true);
+        // Mark the auth method early so a concurrent Phantom auto-create can see
+        // 'mobile-wallet-adapter' during our slow transact() / session-creation
+        // roundtrip and back off (see phantom-wallet-provider autoCreateSession).
+        // Capture the previous value so we can restore it if login fails.
+        let prevAuthMethod = null;
+        try {
+            prevAuthMethod = getPlatform().storage.getItem('tarobase_last_auth_method');
+        }
+        catch (_f) { }
+        try {
+            getPlatform().storage.setItem('tarobase_last_auth_method', 'mobile-wallet-adapter');
+        }
+        catch (_g) { }
         try {
             await loadMwaProtocol();
             const { transact } = mwaProtocolModule;
@@ -21372,12 +21409,22 @@ class SolanaMobileWalletProvider {
             try {
                 getPlatform().storage.setItem('tarobase_last_auth_method', 'mobile-wallet-adapter');
             }
-            catch (_f) { }
+            catch (_h) { }
             const user = { provider: this, address: result.base58Address };
             setCurrentUser(user);
             return user;
         }
         catch (error) {
+            // Restore the previous auth method since this login attempt failed.
+            try {
+                if (prevAuthMethod === null) {
+                    getPlatform().storage.removeItem('tarobase_last_auth_method');
+                }
+                else {
+                    getPlatform().storage.setItem('tarobase_last_auth_method', prevAuthMethod);
+                }
+            }
+            catch (_j) { }
             const isUserRejection = (error === null || error === void 0 ? void 0 : error.code) === 4001 ||
                 ((_a = error === null || error === void 0 ? void 0 : error.message) === null || _a === void 0 ? void 0 : _a.toLowerCase().includes('user rejected')) ||
                 ((_b = error === null || error === void 0 ? void 0 : error.message) === null || _b === void 0 ? void 0 : _b.toLowerCase().includes('user denied')) ||
@@ -21423,6 +21470,12 @@ class SolanaMobileWalletProvider {
         this.authorizedPublicKey = null;
         this.publicKeyObj = null;
         WebSessionManager.clearSession();
+        // Clear the auth-method marker so Phantom auto-create is unblocked
+        // for any subsequent fresh login on this device.
+        try {
+            getPlatform().storage.removeItem('tarobase_last_auth_method');
+        }
+        catch (_a) { }
         setCurrentUser(null);
     }
     async signMessage(message) {
@@ -22102,7 +22155,6 @@ exports.bufferExports = bufferExports;
 exports.buildSetDocumentsTransaction = buildSetDocumentsTransaction;
 exports.clearCache = clearCache;
 exports.closeAllSubscriptions = closeAllSubscriptions;
-exports.commonjsRequire = commonjsRequire;
 exports.convertRemainingAccounts = convertRemainingAccounts;
 exports.count = count;
 exports.createSessionWithPrivy = createSessionWithPrivy;
@@ -22130,7 +22182,6 @@ exports.onAuthStateChanged = onAuthStateChanged;
 exports.reconnectWithNewAuth = reconnectWithNewAuth;
 exports.refreshSession = refreshSession;
 exports.registerMobileWalletAdapter = registerMobileWalletAdapter;
-exports.require$$0 = require$$0;
 exports.runExpression = runExpression;
 exports.runExpressionMany = runExpressionMany;
 exports.runQuery = runQuery;
@@ -22145,4 +22196,4 @@ exports.signSessionCreateMessage = signSessionCreateMessage;
 exports.signTransaction = signTransaction;
 exports.subscribe = subscribe;
 exports.useAuth = useAuth;
-//# sourceMappingURL=index-B2WGCssJ.js.map
+//# sourceMappingURL=index-CYhzBf0k.js.map