@reclaimprotocol/js-sdk 5.4.2-dev.0 → 5.6.0-dev.0

package/dist/index.js

@@ -84,20 +84,10 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@reclaimprotocol/js-sdk",
-      version: "5.4.2-dev.0",
+      version: "5.6.0-dev.0",
       description: "Designed to request proofs from the Reclaim protocol and manage the flow of claims and witness interactions.",
       main: "dist/index.js",
       types: "dist/index.d.ts",
-      exports: {
-        ".": {
-          types: "./dist/index.d.ts",
-          default: "./dist/index.js"
-        },
-        "./internal": {
-          types: "./dist/internal.d.ts",
-          default: "./dist/internal.js"
-        }
-      },
       keywords: [
         "reclaim",
         "protocol",
@@ -118,8 +108,7 @@ var require_package = __commonJS({
       ],
       tsup: {
         entry: [
-          "src/index.ts",
-          "src/internal.ts"
+          "src/index.ts"
         ],
         splitting: false,
         sourcemap: true,
@@ -203,40 +192,8 @@ var require_package = __commonJS({
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
-  ApplicationError: () => ApplicationError,
-  AttestorTeeVerificationError: () => AttestorTeeVerificationError,
-  BackendServerError: () => BackendServerError,
-  CallbackUrlRequiredError: () => CallbackUrlRequiredError,
-  ErrorDuringVerificationError: () => ErrorDuringVerificationError,
-  GetAppCallbackUrlError: () => GetAppCallbackUrlError,
-  GetStatusUrlError: () => GetStatusUrlError,
-  HASH_MATCH_MULTIPLE_DEFAULT: () => HASH_MATCH_MULTIPLE_DEFAULT,
-  HASH_REQUIRED_DEFAULT: () => HASH_REQUIRED_DEFAULT,
-  InavlidParametersError: () => InavlidParametersError,
-  InitError: () => InitError,
-  InitSessionError: () => InitSessionError,
-  InvalidParamError: () => InvalidParamError,
-  InvalidRequestSpecError: () => InvalidRequestSpecError,
-  InvalidSignatureError: () => InvalidSignatureError,
-  NoProviderParamsError: () => NoProviderParamsError,
-  ProofNotValidatedError: () => ProofNotValidatedError,
-  ProofNotVerifiedError: () => ProofNotVerifiedError,
-  ProofSubmissionFailedError: () => ProofSubmissionFailedError,
-  ProviderConfigFetchError: () => ProviderConfigFetchError,
-  ProviderFailedError: () => ProviderFailedError,
-  ProviderNotFoundError: () => ProviderNotFoundError,
   ReclaimProofRequest: () => ReclaimProofRequest,
-  SessionNotStartedError: () => SessionNotStartedError,
-  SetContextError: () => SetContextError,
-  SetParamsError: () => SetParamsError,
-  SetSignatureError: () => SetSignatureError,
-  SignatureGeneratingError: () => SignatureGeneratingError,
-  SignatureNotFoundError: () => SignatureNotFoundError,
-  StatusUrlError: () => StatusUrlError,
   TeeVerificationError: () => TeeVerificationError,
-  TimeoutError: () => TimeoutError,
-  UnknownProofsNotValidatedError: () => UnknownProofsNotValidatedError,
-  UpdateSessionError: () => UpdateSessionError,
   assertValidProofsByHash: () => assertValidProofsByHash,
   assertValidateProof: () => assertValidateProof,
   assertVerifiedProof: () => assertVerifiedProof,
@@ -251,7 +208,6 @@ __export(index_exports, {
   generateSpecsFromRequestSpecTemplate: () => generateSpecsFromRequestSpecTemplate,
   getAttestors: () => getAttestors,
   getDeviceType: () => getDeviceType,
-  getHashFromProof: () => getHashFromProof,
   getHttpProviderClaimParamsFromProof: () => getHttpProviderClaimParamsFromProof,
   getIdentifierFromClaimInfo: () => getIdentifierFromClaimInfo,
   getMobileDeviceType: () => getMobileDeviceType,
@@ -1548,9 +1504,6 @@ function generateAttestationNonce(appSecret, applicationId, sessionId, timestamp
   return import_ethers4.ethers.keccak256(import_ethers4.ethers.toUtf8Bytes(noncePayload)).replace(/^0x/i, "");
 }
 
-// src/utils/proofValidationUtils.ts
-var import_assert = __toESM(require("assert"));
-
 // src/utils/providerUtils.ts
 var logger7 = logger_default.logger;
 function fetchProviderHashRequirementsBy(providerId, exactProviderVersionString, allowedTags, proofs) {
@@ -1672,20 +1625,7 @@ function hashRequestSpec(request) {
 var logger8 = logger_default.logger;
 var HASH_REQUIRED_DEFAULT = true;
 var HASH_MATCH_MULTIPLE_DEFAULT = true;
-function getHashFromProof(proof, piiConfig) {
-  if ((piiConfig == null ? void 0 : piiConfig.hasNoPii) === true) {
-    const contextObject = JSON.parse(proof.claimData.context);
-    (0, import_assert.default)(contextObject, "Context must be present in proof's claimData");
-    const providerHash = contextObject.providerHash;
-    (0, import_assert.default)(providerHash, "Provider hash must be present in proof's claimData.context");
-    return [providerHash];
-  }
-  const claimParams = getHttpProviderClaimParamsFromProof(proof);
-  const computedHashesOfProof = hashProofClaimParams(claimParams);
-  const proofHashes = Array.isArray(computedHashesOfProof) ? computedHashesOfProof.map((h) => h.toLowerCase().trim()) : [computedHashesOfProof.toLowerCase().trim()];
-  return proofHashes;
-}
-function assertValidProofsByHash(proofs, config, piiConfig) {
+function assertValidProofsByHash(proofs, config) {
   var _a, _b;
   if (!config.hashes) {
     throw new ProofNotValidatedError("No proof hash was provided for validation");
@@ -1693,7 +1633,9 @@ function assertValidProofsByHash(proofs, config, piiConfig) {
   const unvalidatedProofHashByIndex = /* @__PURE__ */ new Map();
   for (let i = 0; i < proofs.length; i++) {
     const proof = proofs[i];
-    const proofHashes = getHashFromProof(proof, piiConfig);
+    const claimParams = getHttpProviderClaimParamsFromProof(proof);
+    const computedHashesOfProof = hashProofClaimParams(claimParams);
+    const proofHashes = Array.isArray(computedHashesOfProof) ? computedHashesOfProof.map((h) => h.toLowerCase().trim()) : [computedHashesOfProof.toLowerCase().trim()];
     unvalidatedProofHashByIndex.set(i, proofHashes);
   }
   for (const hashRequirement of config.hashes) {
@@ -1701,9 +1643,7 @@ function assertValidProofsByHash(proofs, config, piiConfig) {
     const expectedHashes = Array.isArray(hashRequirement.value) ? hashRequirement.value.map((h) => h.toLowerCase().trim()) : [hashRequirement.value.toLowerCase().trim()];
     const isRequired = (_a = hashRequirement.required) != null ? _a : HASH_REQUIRED_DEFAULT;
     const canMatchMultiple = (_b = hashRequirement.multiple) != null ? _b : HASH_MATCH_MULTIPLE_DEFAULT;
-    for (let i = 0; i < proofs.length; i++) {
-      if (!unvalidatedProofHashByIndex.has(i)) continue;
-      const proofHashes = unvalidatedProofHashByIndex.get(i);
+    for (const [i, proofHashes] of unvalidatedProofHashByIndex.entries()) {
       const intersection = expectedHashes.filter((eh) => proofHashes.includes(eh));
       if (intersection.length > 0) {
         unvalidatedProofHashByIndex.delete(i);
@@ -1744,7 +1684,7 @@ function getHttpProviderClaimParamsFromProof(proof) {
   }
   throw new ProofNotValidatedError("Proof has no HTTP provider params to hash");
 }
-function assertValidateProof(proofs, config, piiConfig) {
+function assertValidateProof(proofs, config) {
   return __async(this, null, function* () {
     if ("dangerouslyDisableContentValidation" in config && config.dangerouslyDisableContentValidation) {
       logger8.warn("Validation skipped because it was disabled during proof verification");
@@ -1765,14 +1705,14 @@ function assertValidateProof(proofs, config, piiConfig) {
         let lastError = null;
         for (const hashRequirement of hashRequirementsFromProvider) {
           try {
-            return yield assertValidateProof(proofs, hashRequirement, piiConfig);
+            return yield assertValidateProof(proofs, hashRequirement);
           } catch (e) {
             lastError = e;
           }
         }
         throw new ProofNotValidatedError("Could not validate proof", lastError);
       } else {
-        return assertValidateProof(proofs, hashRequirementsFromProvider[0], piiConfig);
+        return assertValidateProof(proofs, hashRequirementsFromProvider[0]);
       }
     }
     const effectiveHashRequirement = ("hashes" in config && Array.isArray(config == null ? void 0 : config.hashes) ? config.hashes : []).map((it) => {
@@ -1784,13 +1724,9 @@ function assertValidateProof(proofs, config, piiConfig) {
         return it;
       }
     });
-    return assertValidProofsByHash(
-      proofs,
-      {
-        hashes: effectiveHashRequirement
-      },
-      piiConfig
-    );
+    return assertValidProofsByHash(proofs, {
+      hashes: effectiveHashRequirement
+    });
   });
 }
 
@@ -1804,7 +1740,7 @@ var SUPPORTED_PROOF_VERSIONS = ["v2", "v3"];
 var TOKEN_CLOCK_SKEW_S = 60;
 var NONCE_TIMESTAMP_MAX_SKEW_MS = 10 * 60 * 1e3;
 var BROWSER_ENVIRONMENT_ERROR = "TEE attestation verification is only supported in non-browser environments. Run verifyTeeAttestation on your server or API route.";
-function assert2(condition, message) {
+function assert(condition, message) {
   if (!condition) {
     throw new Error(message);
   }
@@ -1854,7 +1790,7 @@ function decodeUtf8(bytes) {
 }
 function decodeJwt(token) {
   const parts = token.split(".");
-  assert2(parts.length === 3, "attestation token is not a JWT");
+  assert(parts.length === 3, "attestation token is not a JWT");
   return {
     header: JSON.parse(decodeUtf8(decodeBase64Url(parts[0]))),
     payload: JSON.parse(decodeUtf8(decodeBase64Url(parts[1]))),
@@ -1864,7 +1800,7 @@ function decodeJwt(token) {
 }
 function getFetch() {
   const fetchFn = globalThis.fetch;
-  assert2(fetchFn, "fetch is not available in this environment");
+  assert(fetchFn, "fetch is not available in this environment");
   return fetchFn.bind(globalThis);
 }
 function getSubtleCrypto() {
@@ -1900,19 +1836,19 @@ var cachedJwksAt = 0;
 function verifyJwtSignature(token, issuer) {
   return __async(this, null, function* () {
     const { header, payload, signingInput, signature } = decodeJwt(token);
-    assert2(header.alg === "RS256", `unexpected attestation signing algorithm: ${header.alg}`);
-    assert2(typeof header.kid === "string" && header.kid.length > 0, "attestation token kid is missing");
+    assert(header.alg === "RS256", `unexpected attestation signing algorithm: ${header.alg}`);
+    assert(typeof header.kid === "string" && header.kid.length > 0, "attestation token kid is missing");
     const isCacheFresh = cachedJwksKeys && Date.now() - cachedJwksAt < JWKS_CACHE_TTL_MS;
     if (!isCacheFresh) {
       const oidc = yield fetchJson(`${issuer}/.well-known/openid-configuration`);
-      assert2(typeof (oidc == null ? void 0 : oidc.jwks_uri) === "string" && oidc.jwks_uri.length > 0, "issuer JWKS URI is missing");
+      assert(typeof (oidc == null ? void 0 : oidc.jwks_uri) === "string" && oidc.jwks_uri.length > 0, "issuer JWKS URI is missing");
       cachedJwksUri = oidc.jwks_uri;
       const jwks = yield fetchJson(cachedJwksUri);
       cachedJwksKeys = (jwks == null ? void 0 : jwks.keys) || [];
       cachedJwksAt = Date.now();
     }
     const jwk = cachedJwksKeys.find((key) => key.kid === header.kid);
-    assert2(jwk, `no JWKS key found for kid ${header.kid}`);
+    assert(jwk, `no JWKS key found for kid ${header.kid}`);
     const cryptoKey = yield getSubtleCrypto().importKey(
       "jwk",
       jwk,
@@ -1926,7 +1862,7 @@ function verifyJwtSignature(token, issuer) {
       signature,
       new TextEncoder().encode(signingInput)
     );
-    assert2(isValid, "JWT signature verification failed");
+    assert(isValid, "JWT signature verification failed");
     return payload;
   });
 }
@@ -1947,16 +1883,16 @@ function parseProofContext(proof) {
   }
   const ctx = parsedContext;
   const expectedNonce = ctx.attestationNonce;
-  assert2(typeof expectedNonce === "string" && expectedNonce.length > 0, "Proof context is missing attestationNonce");
+  assert(typeof expectedNonce === "string" && expectedNonce.length > 0, "Proof context is missing attestationNonce");
   const nonceDataObj = ctx.attestationNonceData;
-  assert2(isNonceContextData(nonceDataObj), "Proof context is missing or has invalid attestationNonceData (requires applicationId, sessionId, timestamp)");
+  assert(isNonceContextData(nonceDataObj), "Proof context is missing or has invalid attestationNonceData (requires applicationId, sessionId, timestamp)");
   return { parsedContext: ctx, nonceDataObj, expectedNonce };
 }
 function verifyApplicationAndSessionBinding(proof, parsedContext, nonceDataObj, expectedApplicationId) {
   var _a;
   const { applicationId, sessionId, timestamp } = nonceDataObj;
   if (expectedApplicationId) {
-    assert2(
+    assert(
       applicationId.toLowerCase() === expectedApplicationId.toLowerCase(),
       `Application ID Mismatch! Expected ${expectedApplicationId}, but proof context contains ${applicationId}`
     );
@@ -1991,11 +1927,11 @@ function verifyApplicationAndSessionBinding(proof, parsedContext, nonceDataObj,
 function verifyNonceMaterial(expectedNonce, nonceDataObj, expectedAppSecret) {
   const cleanExpectedNonce = normalizeHex(expectedNonce);
   const { applicationId, sessionId, timestamp } = nonceDataObj;
-  assert2(cleanExpectedNonce.length > 0, "Proof context attestationNonce is empty");
-  assert2(isHex(cleanExpectedNonce), "Proof context attestationNonce is not valid hex");
+  assert(cleanExpectedNonce.length > 0, "Proof context attestationNonce is empty");
+  assert(isHex(cleanExpectedNonce), "Proof context attestationNonce is not valid hex");
   if (expectedAppSecret) {
     const recomputedNonce = generateAttestationNonce(expectedAppSecret, applicationId, sessionId, timestamp);
-    assert2(
+    assert(
       recomputedNonce === cleanExpectedNonce,
       "Attestation nonce verification failed: app secret, application ID, session ID, or timestamp do not match"
     );
@@ -2008,7 +1944,7 @@ function verifyNonceMaterial(expectedNonce, nonceDataObj, expectedAppSecret) {
       nonceMsg,
       expectedNonce.startsWith("0x") ? expectedNonce : `0x${expectedNonce}`
     );
-    assert2(
+    assert(
       recoveredAddress.toLowerCase() === applicationId.toLowerCase(),
       `Nonce signature verification failed: recovered ${recoveredAddress}, expected ${applicationId}`
     );
@@ -2030,12 +1966,12 @@ function assertTokenFresh(claims) {
 }
 function assertAudienceClaim(aud) {
   if (typeof aud === "string") {
-    assert2(aud.length > 0, "attestation token audience is empty");
+    assert(aud.length > 0, "attestation token audience is empty");
     return;
   }
   if (Array.isArray(aud)) {
-    assert2(aud.length > 0, "attestation token audience is empty");
-    assert2(aud.every((entry) => typeof entry === "string" && entry.length > 0), "attestation token audience contains invalid entries");
+    assert(aud.length > 0, "attestation token audience is empty");
+    assert(aud.every((entry) => typeof entry === "string" && entry.length > 0), "attestation token audience contains invalid entries");
     return;
   }
   throw new Error("attestation token audience is missing");
@@ -2050,22 +1986,22 @@ function assertProofShape(teeAttestation) {
     throw new Error(`${teeAttestation.error.code}: ${teeAttestation.error.message}`);
   }
   const proofVersion = getProofVersion(teeAttestation);
-  assert2(typeof proofVersion === "string" && SUPPORTED_PROOF_VERSIONS.includes(proofVersion), `unexpected proof version: ${proofVersion}`);
-  assert2(teeAttestation.tee_provider === EXPECTED_TEE_PROVIDER, `unexpected tee provider: ${teeAttestation.tee_provider}`);
-  assert2(teeAttestation.tee_technology === EXPECTED_TEE_TECHNOLOGY, `unexpected tee technology: ${teeAttestation.tee_technology}`);
-  assert2(typeof teeAttestation.nonce === "string" && teeAttestation.nonce.length > 0, "tee attestation nonce missing");
-  assert2(typeof teeAttestation.timestamp === "string" && teeAttestation.timestamp.length > 0, "tee attestation timestamp missing");
-  assert2(!Number.isNaN(Date.parse(teeAttestation.timestamp)), "tee attestation timestamp is invalid");
-  assert2(typeof ((_a = teeAttestation.workload) == null ? void 0 : _a.image_digest) === "string" && teeAttestation.workload.image_digest.length > 0, "workload image digest missing");
-  assert2(typeof ((_b = teeAttestation.verifier) == null ? void 0 : _b.image_digest) === "string" && teeAttestation.verifier.image_digest.length > 0, "verifier image digest missing");
-  assert2(typeof ((_c = teeAttestation.attestation) == null ? void 0 : _c.token) === "string" && teeAttestation.attestation.token.length > 0, "attestation token missing");
+  assert(typeof proofVersion === "string" && SUPPORTED_PROOF_VERSIONS.includes(proofVersion), `unexpected proof version: ${proofVersion}`);
+  assert(teeAttestation.tee_provider === EXPECTED_TEE_PROVIDER, `unexpected tee provider: ${teeAttestation.tee_provider}`);
+  assert(teeAttestation.tee_technology === EXPECTED_TEE_TECHNOLOGY, `unexpected tee technology: ${teeAttestation.tee_technology}`);
+  assert(typeof teeAttestation.nonce === "string" && teeAttestation.nonce.length > 0, "tee attestation nonce missing");
+  assert(typeof teeAttestation.timestamp === "string" && teeAttestation.timestamp.length > 0, "tee attestation timestamp missing");
+  assert(!Number.isNaN(Date.parse(teeAttestation.timestamp)), "tee attestation timestamp is invalid");
+  assert(typeof ((_a = teeAttestation.workload) == null ? void 0 : _a.image_digest) === "string" && teeAttestation.workload.image_digest.length > 0, "workload image digest missing");
+  assert(typeof ((_b = teeAttestation.verifier) == null ? void 0 : _b.image_digest) === "string" && teeAttestation.verifier.image_digest.length > 0, "verifier image digest missing");
+  assert(typeof ((_c = teeAttestation.attestation) == null ? void 0 : _c.token) === "string" && teeAttestation.attestation.token.length > 0, "attestation token missing");
 }
 function computeDigestBinding(teeAttestation) {
   return __async(this, null, function* () {
     const proofVersion = getProofVersion(teeAttestation);
     if (proofVersion === "v3") {
-      assert2(typeof teeAttestation.workload.container_name === "string" && teeAttestation.workload.container_name.length > 0, "workload container name missing");
-      assert2(typeof teeAttestation.verifier.container_name === "string" && teeAttestation.verifier.container_name.length > 0, "verifier container name missing");
+      assert(typeof teeAttestation.workload.container_name === "string" && teeAttestation.workload.container_name.length > 0, "workload container name missing");
+      assert(typeof teeAttestation.verifier.container_name === "string" && teeAttestation.verifier.container_name.length > 0, "verifier container name missing");
       return sha256Hex([
         "v3",
         `workload.container_name=${teeAttestation.workload.container_name}`,
@@ -2084,15 +2020,15 @@ function verifyGcpClaims(teeAttestation, expectedNonce) {
   return __async(this, null, function* () {
     var _a;
     const claims = yield verifyJwtSignature(teeAttestation.attestation.token, GCP_CONFIDENTIAL_SPACE_ISSUER);
-    assert2(claims.iss === GCP_CONFIDENTIAL_SPACE_ISSUER, `unexpected issuer: ${claims.iss}`);
+    assert(claims.iss === GCP_CONFIDENTIAL_SPACE_ISSUER, `unexpected issuer: ${claims.iss}`);
     assertAudienceClaim(claims.aud);
-    assert2(Array.isArray(claims.eat_nonce), "eat_nonce claim missing");
+    assert(Array.isArray(claims.eat_nonce), "eat_nonce claim missing");
     const digestBinding = yield computeDigestBinding(teeAttestation);
-    assert2(claims.eat_nonce.includes(expectedNonce), "request nonce is not present in attestation token");
-    assert2(claims.eat_nonce.includes(digestBinding), "digest-binding nonce is not present in attestation token");
-    assert2(claims.hwmodel === EXPECTED_HW_MODEL, `unexpected hwmodel: ${claims.hwmodel}`);
-    assert2(claims.secboot === true, "secure boot claim is not true");
-    assert2((_a = claims.submods) == null ? void 0 : _a.gce, "gce submod claim missing");
+    assert(claims.eat_nonce.includes(expectedNonce), "request nonce is not present in attestation token");
+    assert(claims.eat_nonce.includes(digestBinding), "digest-binding nonce is not present in attestation token");
+    assert(claims.hwmodel === EXPECTED_HW_MODEL, `unexpected hwmodel: ${claims.hwmodel}`);
+    assert(claims.secboot === true, "secure boot claim is not true");
+    assert((_a = claims.submods) == null ? void 0 : _a.gce, "gce submod claim missing");
     assertTokenFresh(claims);
   });
 }
@@ -2114,9 +2050,9 @@ function verifyTeeAttestation(proof, appSecret) {
       verifyNonceMaterial(expectedNonce, nonceDataObj, appSecret);
       const cleanExpectedNonce = normalizeHex(expectedNonce);
       const cleanTeeNonce = normalizeHex(teeAttestation.nonce);
-      assert2(cleanTeeNonce.length > 0, "TEE attestation nonce is empty");
-      assert2(isHex(cleanTeeNonce), "TEE attestation nonce is not valid hex");
-      assert2(cleanTeeNonce === cleanExpectedNonce, `Nonce Mismatch! Expected ${cleanExpectedNonce}, got ${cleanTeeNonce}`);
+      assert(cleanTeeNonce.length > 0, "TEE attestation nonce is empty");
+      assert(isHex(cleanTeeNonce), "TEE attestation nonce is not valid hex");
+      assert(cleanTeeNonce === cleanExpectedNonce, `Nonce Mismatch! Expected ${cleanExpectedNonce}, got ${cleanTeeNonce}`);
       yield verifyGcpClaims(teeAttestation, cleanExpectedNonce);
       return { isVerified: true };
     } catch (error) {
@@ -2382,14 +2318,11 @@ function verifyProof(proofOrProofs, config) {
       if (!config) {
         throw new ProofNotValidatedError("Verification configuration is required for `verifyProof(proof, config)`");
       }
-      if (config.hasNoPii !== true) {
-        console.info({ pii: config.hasNoPii });
-        const attestors = yield getAttestors();
-        for (const proof of proofs) {
-          yield assertVerifiedProof(proof, attestors);
-        }
+      const attestors = yield getAttestors();
+      for (const proof of proofs) {
+        yield assertVerifiedProof(proof, attestors);
       }
-      yield assertValidateProof(proofs, config, { hasNoPii: config.hasNoPii });
+      yield assertValidateProof(proofs, config);
       let isTeeAttestationVerified;
       let isAttestorTeeAttestationVerified;
       if (config.teeAttestation && "dangerouslyDisableContentValidation" in config && config.dangerouslyDisableContentValidation) {
@@ -3309,8 +3242,8 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
     template = replaceAll(template, ")", "%29");
     return template;
   }
-  buildSharePageUrl(template) {
-    return `${this.appSharePageUrl}/?template=${template}`;
+  buildSharePageUrl(template, url) {
+    return `${url != null ? url : this.appSharePageUrl}/?template=${template}`;
   }
   openPortalTab(templateData, preOpenedTab) {
     return __async(this, null, function* () {
@@ -3378,6 +3311,49 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
     }
     this.clearInterval();
   }
+  /**
+   * Cancels an in-progress verification session.
+   *
+   * Use this when the user abandons the flow (e.g. navigates back) before a
+   * proof is produced. It tears down all local session machinery — the status
+   * polling interval, the 10-minute interval-ending timeout, and any portal UI
+   * (modal / tab / embedded iframe) — and marks the session CANCELLED on the
+   * backend.
+   *
+   * Marking the session CANCELLED is what prevents a stale, abandoned session
+   * from later being reported as a failure: the portal's inactivity monitor
+   * treats a cancelled session as a clean terminal state and will not emit a
+   * connection-failure error to the cancel/error callback. Because that callback
+   * URL is typically shared across sessions, suppressing it here stops an
+   * abandoned session from contaminating the next one.
+   *
+   * `onSuccess` / `onError` are intentionally NOT invoked — cancellation is a
+   * deliberate, silent teardown, not a verification outcome. Safe to call more
+   * than once; a no-op when no session is active.
+   *
+   * @example
+   * ```typescript
+   * // e.g. in a React effect cleanup when the user navigates away
+   * await proofRequest.cancelSession();
+   * ```
+   */
+  cancelSession() {
+    return __async(this, null, function* () {
+      if (!this.sessionId) {
+        return;
+      }
+      const sessionId = this.sessionId;
+      logger11.info(`Cancelling session: ${sessionId}`);
+      this.closeModal();
+      this.closePortalTab();
+      this.closeEmbeddedFlow();
+      try {
+        yield updateSession(sessionId, "SESSION_CANCELLED" /* SESSION_CANCELLED */);
+      } catch (error) {
+        logger11.info(`cancelSession: backend update failed for ${sessionId}: ${error}`);
+      }
+    });
+  }
   /**
    * Exports the Reclaim proof verification request as a JSON string
    *
@@ -3573,11 +3549,11 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
           }
         } else if (deviceType === "mobile" /* MOBILE */) {
           if (mode === "app") {
-            if (((_d = this.options) == null ? void 0 : _d.useAppClip) && getMobileDeviceType() === "ios" /* IOS */) {
-              logger11.info("Redirecting to iOS app clip");
-              this.redirectToAppClip();
+            if ((((_d = this.options) == null ? void 0 : _d.useAppClip) || options.canUseDeferredDeepLinksFlow) && getMobileDeviceType() === "ios" /* IOS */) {
+              logger11.info("Redirecting for iOS");
+              yield this.redirectToiOSApp(options);
             } else {
-              logger11.info("Redirecting to share page");
+              logger11.info("Redirecting for android");
               yield this.redirectToInstantApp(options);
             }
           } else {
@@ -3676,7 +3652,7 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
         const template = this.encodeTemplateData(this.templateData);
         let instantAppUrl = this.buildSharePageUrl(template);
         logger11.info("Redirecting to Android instant app: " + instantAppUrl);
-        const isDeferredDeeplinksFlowEnabled = (_a = options.canUseDeferredDeepLinksFlow) != null ? _a : false;
+        const isDeferredDeeplinksFlowEnabled = (_a = options.canUseDeferredDeepLinksFlow) != null ? _a : true;
         if (isDeferredDeeplinksFlowEnabled) {
           instantAppUrl = instantAppUrl.replace("/verifier", "/link");
           const deepLink = `intent://details?id=org.reclaimprotocol.app&url=${encodeURIComponent(
@@ -3745,6 +3721,69 @@ var ReclaimProofRequest = class _ReclaimProofRequest {
       throw error;
     }
   }
+  redirectToiOSApp(options) {
+    return __async(this, null, function* () {
+      var _a;
+      try {
+        logger11.info("Preparing to launch for iOS app: ", options);
+        const isDeferredDeeplinksFlowEnabled = (_a = options.canUseDeferredDeepLinksFlow) != null ? _a : false;
+        if (!isDeferredDeeplinksFlowEnabled) {
+          return this.redirectToAppClip();
+        }
+        const template = this.encodeTemplateData(this.templateData);
+        const defaultiOSDeepLinkUrlBase = "reclaimverifier://org.reclaimprotocol.app";
+        const deepLink = this.buildSharePageUrl(
+          template,
+          options.iosDeepLinkBaseUrl || defaultiOSDeepLinkUrlBase
+        );
+        const iosAppInstallUrl = options.iosAppDownloadUrl || "itms-apps://apps.apple.com/in/app/reclaim-verifier/id6503247508";
+        logger11.info("Redirecting to iOS app: " + deepLink, "or store: ", iosAppInstallUrl);
+        try {
+          window.navigator.clipboard.writeText(deepLink).catch(() => {
+            console.error("We can't access the clipboard. Please copy this link and open Reclaim Verifier app.");
+          });
+          let appInstalled = false;
+          let timeoutId;
+          const iframe = document.createElement("iframe");
+          iframe.style.display = "none";
+          iframe.style.width = "1px";
+          iframe.style.height = "1px";
+          document.body.appendChild(iframe);
+          const cleanup = () => {
+            if (iframe.parentNode) {
+              document.body.removeChild(iframe);
+            }
+            if (timeoutId) {
+              clearTimeout(timeoutId);
+            }
+          };
+          const onVisibilityChange = () => {
+            if (document.hidden) {
+              logger11.info("App maybe installed, document hidden");
+              appInstalled = true;
+              cleanup();
+              window.location.href = deepLink;
+            }
+          };
+          document.addEventListener("visibilitychange", onVisibilityChange, { once: true });
+          iframe.src = deepLink;
+          timeoutId = setTimeout(() => {
+            document.removeEventListener("visibilitychange", onVisibilityChange);
+            cleanup();
+            if (!appInstalled) {
+              window.location.href = iosAppInstallUrl;
+            }
+          }, 1500);
+        } catch (e) {
+          console.error("something went wrong during launch, opening store", e);
+          window.location.href = iosAppInstallUrl;
+        }
+      } catch (error) {
+        logger11.info("Error redirecting to instant app:", error);
+        throw error;
+      }
+    });
+  }
   /**
    * Returns the provider id and exact version of the provider that was used in the verification session of this request. 
    * 
@@ -3966,40 +4005,8 @@ function generateInitSignature(appSecret, providerId, timestamp) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  ApplicationError,
-  AttestorTeeVerificationError,
-  BackendServerError,
-  CallbackUrlRequiredError,
-  ErrorDuringVerificationError,
-  GetAppCallbackUrlError,
-  GetStatusUrlError,
-  HASH_MATCH_MULTIPLE_DEFAULT,
-  HASH_REQUIRED_DEFAULT,
-  InavlidParametersError,
-  InitError,
-  InitSessionError,
-  InvalidParamError,
-  InvalidRequestSpecError,
-  InvalidSignatureError,
-  NoProviderParamsError,
-  ProofNotValidatedError,
-  ProofNotVerifiedError,
-  ProofSubmissionFailedError,
-  ProviderConfigFetchError,
-  ProviderFailedError,
-  ProviderNotFoundError,
   ReclaimProofRequest,
-  SessionNotStartedError,
-  SetContextError,
-  SetParamsError,
-  SetSignatureError,
-  SignatureGeneratingError,
-  SignatureNotFoundError,
-  StatusUrlError,
   TeeVerificationError,
-  TimeoutError,
-  UnknownProofsNotValidatedError,
-  UpdateSessionError,
   assertValidProofsByHash,
   assertValidateProof,
   assertVerifiedProof,
@@ -4014,7 +4021,6 @@ function generateInitSignature(appSecret, providerId, timestamp) {
   generateSpecsFromRequestSpecTemplate,
   getAttestors,
   getDeviceType,
-  getHashFromProof,
   getHttpProviderClaimParamsFromProof,
   getIdentifierFromClaimInfo,
   getMobileDeviceType,