@tatchi-xyz/sdk 0.16.0 → 0.18.0

package/dist/cjs/core/WebAuthnManager/touchIdPrompt.js

@@ -4,9 +4,9 @@ const require_encoders = require('../../utils/encoders.js');
 const require_vrf_worker = require('../types/vrf-worker.js');
 const require_credentialsHelpers = require('./credentialsHelpers.js');
 const require_safari_fallbacks = require('./WebAuthnFallbacks/safari-fallbacks.js');
+const require_index = require('./WebAuthnFallbacks/index.js');
 
 //#region src/core/WebAuthnManager/touchIdPrompt.ts
-require_encoders.init_encoders();
 function isRegistrableSuffix(host, cand) {
 	if (!host || !cand) return false;
 	if (host === cand) return true;
@@ -25,184 +25,6 @@ function authenticatorsToAllowCredentials(authenticators) {
 		transports: auth.transports
 	}));
 }
-/**
-* TouchIdPrompt prompts for touchID,
-* creates credentials,
-* manages WebAuthn touchID prompts,
-* and generates credentials, and PRF Outputs
-*/
-var TouchIdPrompt = class TouchIdPrompt {
-	rpIdOverride;
-	safariGetWebauthnRegistrationFallback;
-	abortController;
-	removePageAbortHandlers;
-	removeExternalAbortListener;
-	constructor(rpIdOverride, safariGetWebauthnRegistrationFallback = false) {
-		this.rpIdOverride = rpIdOverride;
-		this.safariGetWebauthnRegistrationFallback = safariGetWebauthnRegistrationFallback === true;
-	}
-	getRpId() {
-		try {
-			return resolveRpId(this.rpIdOverride, window?.location?.hostname);
-		} catch {
-			return this.rpIdOverride || "";
-		}
-	}
-	static _inIframe() {
-		try {
-			return window.self !== window.top;
-		} catch {
-			return true;
-		}
-	}
-	/**
-	* Get authentication credentials
-	* @param nearAccountId - NEAR account ID to authenticate
-	* @param challenge - VRF challenge bytes
-	* @param allowCredentials - Array of allowed credentials for authentication
-	* @returns WebAuthn credential with only the first PRF output
-	*/
-	async getAuthenticationCredentialsSerialized({ nearAccountId, challenge, allowCredentials }) {
-		const credentialMaybe = await this.getAuthenticationCredentialsInternal({
-			nearAccountId,
-			challenge,
-			allowCredentials
-		});
-		if (isSerializedAuthenticationCredential(credentialMaybe)) return credentialMaybe;
-		return require_credentialsHelpers.serializeAuthenticationCredentialWithPRF({
-			credential: credentialMaybe,
-			firstPrfOutput: true,
-			secondPrfOutput: false
-		});
-	}
-	/**
-	*  Same as getAuthenticationCredentialsSerialized but returns both PRF outputs
-	*  (PRF.first + PRF.second).
-	* @param nearAccountId - NEAR account ID to authenticate
-	* @param challenge - VRF challenge bytes
-	* @param allowCredentials - Array of allowed credentials for authentication
-	* @returns
-	*/
-	async getAuthenticationCredentialsSerializedDualPrf({ nearAccountId, challenge, allowCredentials }) {
-		const credentialMaybe = await this.getAuthenticationCredentialsInternal({
-			nearAccountId,
-			challenge,
-			allowCredentials
-		});
-		if (isSerializedAuthenticationCredential(credentialMaybe)) return credentialMaybe;
-		return require_credentialsHelpers.serializeAuthenticationCredentialWithPRF({
-			credential: credentialMaybe,
-			firstPrfOutput: true,
-			secondPrfOutput: true
-		});
-	}
-	/**
-	* Internal method for generating WebAuthn registration credentials with PRF output
-	* @param nearAccountId - NEAR account ID for PRF salts and keypair derivation (always base account)
-	* @param challenge - Random challenge bytes for the registration ceremony
-	* @param deviceNumber - Device number for device-specific user ID.
-	* @returns Credential with PRF output
-	*/
-	async generateRegistrationCredentialsInternal({ nearAccountId, challenge, deviceNumber }) {
-		this.abortController = new AbortController();
-		this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);
-		const rpId = this.getRpId();
-		const publicKey = {
-			challenge: require_vrf_worker.outputAs32Bytes(challenge),
-			rp: {
-				name: "WebAuthn VRF Passkey",
-				id: rpId
-			},
-			user: {
-				id: new TextEncoder().encode(generateDeviceSpecificUserId(nearAccountId, deviceNumber)),
-				name: generateDeviceSpecificUserId(nearAccountId, deviceNumber),
-				displayName: generateUserFriendlyDisplayName(nearAccountId, deviceNumber)
-			},
-			pubKeyCredParams: [{
-				alg: -7,
-				type: "public-key"
-			}, {
-				alg: -257,
-				type: "public-key"
-			}],
-			authenticatorSelection: {
-				residentKey: "required",
-				userVerification: "preferred"
-			},
-			timeout: 6e4,
-			attestation: "none",
-			extensions: { prf: { eval: {
-				first: require_credentialsHelpers.generateChaCha20Salt(nearAccountId),
-				second: require_credentialsHelpers.generateEd25519Salt(nearAccountId)
-			} } }
-		};
-		try {
-			const result = await require_safari_fallbacks.executeWebAuthnWithParentFallbacksSafari("create", publicKey, {
-				rpId,
-				inIframe: TouchIdPrompt._inIframe(),
-				timeoutMs: publicKey.timeout,
-				abortSignal: this.abortController.signal
-			});
-			return result;
-		} finally {
-			this.removePageAbortHandlers?.();
-			this.removePageAbortHandlers = void 0;
-			this.removeExternalAbortListener?.();
-			this.removeExternalAbortListener = void 0;
-			this.abortController = void 0;
-		}
-	}
-	/**
-	* Internal method for getting WebAuthn authentication credentials with PRF output
-	* @param nearAccountId - NEAR account ID to authenticate
-	* @param challenge - VRF challenge bytes to use for WebAuthn authentication
-	* @param authenticators - List of stored authenticator data for the user
-	* @returns WebAuthn credential with PRF output (HKDF derivation done in WASM worker)
-	* ```ts
-	* const credential = await touchIdPrompt.getCredentials({
-	*   nearAccountId,
-	*   challenge,
-	*   authenticators,
-	* });
-	* ```
-	*/
-	async getAuthenticationCredentialsInternal({ nearAccountId, challenge, allowCredentials }) {
-		this.abortController = new AbortController();
-		this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);
-		const rpId = this.getRpId();
-		const publicKey = {
-			challenge: require_vrf_worker.outputAs32Bytes(challenge),
-			rpId,
-			allowCredentials: allowCredentials.map((credential) => ({
-				id: require_base64.base64UrlDecode(credential.id),
-				type: "public-key",
-				transports: credential.transports
-			})),
-			userVerification: "preferred",
-			timeout: 6e4,
-			extensions: { prf: { eval: {
-				first: require_credentialsHelpers.generateChaCha20Salt(nearAccountId),
-				second: require_credentialsHelpers.generateEd25519Salt(nearAccountId)
-			} } }
-		};
-		try {
-			const result = await require_safari_fallbacks.executeWebAuthnWithParentFallbacksSafari("get", publicKey, {
-				rpId,
-				inIframe: TouchIdPrompt._inIframe(),
-				timeoutMs: publicKey.timeout,
-				permitGetBridgeOnAncestorError: this.safariGetWebauthnRegistrationFallback,
-				abortSignal: this.abortController.signal
-			});
-			return result;
-		} finally {
-			this.removePageAbortHandlers?.();
-			this.removePageAbortHandlers = void 0;
-			this.removeExternalAbortListener?.();
-			this.removeExternalAbortListener = void 0;
-			this.abortController = void 0;
-		}
-	}
-};
 function isSerializedAuthenticationCredential(x) {
 	if (!x || typeof x !== "object") return false;
 	const obj = x;
@@ -240,30 +62,210 @@ function generateUserFriendlyDisplayName(nearAccountId, deviceNumber) {
 	if (deviceNumber === void 0 || deviceNumber === 1) return baseUsername;
 	return `${baseUsername} (device ${deviceNumber})`;
 }
-(function(_TouchIdPrompt) {
-	function attachPageAbortHandlers(controller) {
-		const onVisibility = () => {
-			if (document.hidden) controller.abort();
-		};
-		const onPageHide = () => {
-			controller.abort();
-		};
-		const onBeforeUnload = () => {
-			controller.abort();
-		};
-		document.addEventListener("visibilitychange", onVisibility, { passive: true });
-		window.addEventListener("pagehide", onPageHide, { passive: true });
-		window.addEventListener("beforeunload", onBeforeUnload, { passive: true });
-		return () => {
-			document.removeEventListener("visibilitychange", onVisibility);
-			window.removeEventListener("pagehide", onPageHide);
-			window.removeEventListener("beforeunload", onBeforeUnload);
-		};
-	}
-	_TouchIdPrompt.attachPageAbortHandlers = attachPageAbortHandlers;
-})(TouchIdPrompt || (TouchIdPrompt = {}));
+var TouchIdPrompt;
+var init_touchIdPrompt = require_rolldown_runtime.__esm({ "src/core/WebAuthnManager/touchIdPrompt.ts": (() => {
+	require_encoders.init_encoders();
+	require_vrf_worker.init_vrf_worker();
+	require_credentialsHelpers.init_credentialsHelpers();
+	require_index.init_WebAuthnFallbacks();
+	TouchIdPrompt = class TouchIdPrompt {
+		rpIdOverride;
+		safariGetWebauthnRegistrationFallback;
+		abortController;
+		removePageAbortHandlers;
+		removeExternalAbortListener;
+		constructor(rpIdOverride, safariGetWebauthnRegistrationFallback = false) {
+			this.rpIdOverride = rpIdOverride;
+			this.safariGetWebauthnRegistrationFallback = safariGetWebauthnRegistrationFallback === true;
+		}
+		getRpId() {
+			try {
+				return resolveRpId(this.rpIdOverride, window?.location?.hostname);
+			} catch {
+				return this.rpIdOverride || "";
+			}
+		}
+		static _inIframe() {
+			try {
+				return window.self !== window.top;
+			} catch {
+				return true;
+			}
+		}
+		/**
+		* Get authentication credentials
+		* @param nearAccountId - NEAR account ID to authenticate
+		* @param challenge - VRF challenge bytes
+		* @param allowCredentials - Array of allowed credentials for authentication
+		* @returns WebAuthn credential with only the first PRF output
+		*/
+		async getAuthenticationCredentialsSerialized({ nearAccountId, challenge, allowCredentials }) {
+			const credentialMaybe = await this.getAuthenticationCredentialsInternal({
+				nearAccountId,
+				challenge,
+				allowCredentials
+			});
+			if (isSerializedAuthenticationCredential(credentialMaybe)) return credentialMaybe;
+			return require_credentialsHelpers.serializeAuthenticationCredentialWithPRF({
+				credential: credentialMaybe,
+				firstPrfOutput: true,
+				secondPrfOutput: false
+			});
+		}
+		/**
+		*  Same as getAuthenticationCredentialsSerialized but returns both PRF outputs
+		*  (PRF.first + PRF.second).
+		* @param nearAccountId - NEAR account ID to authenticate
+		* @param challenge - VRF challenge bytes
+		* @param allowCredentials - Array of allowed credentials for authentication
+		* @returns
+		*/
+		async getAuthenticationCredentialsSerializedDualPrf({ nearAccountId, challenge, allowCredentials }) {
+			const credentialMaybe = await this.getAuthenticationCredentialsInternal({
+				nearAccountId,
+				challenge,
+				allowCredentials
+			});
+			if (isSerializedAuthenticationCredential(credentialMaybe)) return credentialMaybe;
+			return require_credentialsHelpers.serializeAuthenticationCredentialWithPRF({
+				credential: credentialMaybe,
+				firstPrfOutput: true,
+				secondPrfOutput: true
+			});
+		}
+		/**
+		* Internal method for generating WebAuthn registration credentials with PRF output
+		* @param nearAccountId - NEAR account ID for PRF salts and keypair derivation (always base account)
+		* @param challenge - Random challenge bytes for the registration ceremony
+		* @param deviceNumber - Device number for device-specific user ID.
+		* @returns Credential with PRF output
+		*/
+		async generateRegistrationCredentialsInternal({ nearAccountId, challenge, deviceNumber }) {
+			this.abortController = new AbortController();
+			this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);
+			const rpId = this.getRpId();
+			const publicKey = {
+				challenge: require_vrf_worker.outputAs32Bytes(challenge),
+				rp: {
+					name: "WebAuthn VRF Passkey",
+					id: rpId
+				},
+				user: {
+					id: new TextEncoder().encode(generateDeviceSpecificUserId(nearAccountId, deviceNumber)),
+					name: generateDeviceSpecificUserId(nearAccountId, deviceNumber),
+					displayName: generateUserFriendlyDisplayName(nearAccountId, deviceNumber)
+				},
+				pubKeyCredParams: [{
+					alg: -7,
+					type: "public-key"
+				}, {
+					alg: -257,
+					type: "public-key"
+				}],
+				authenticatorSelection: {
+					residentKey: "required",
+					userVerification: "preferred"
+				},
+				timeout: 6e4,
+				attestation: "none",
+				extensions: { prf: { eval: {
+					first: require_credentialsHelpers.generateChaCha20Salt(nearAccountId),
+					second: require_credentialsHelpers.generateEd25519Salt(nearAccountId)
+				} } }
+			};
+			try {
+				const result = await require_safari_fallbacks.executeWebAuthnWithParentFallbacksSafari("create", publicKey, {
+					rpId,
+					inIframe: TouchIdPrompt._inIframe(),
+					timeoutMs: publicKey.timeout,
+					abortSignal: this.abortController.signal
+				});
+				return result;
+			} finally {
+				this.removePageAbortHandlers?.();
+				this.removePageAbortHandlers = void 0;
+				this.removeExternalAbortListener?.();
+				this.removeExternalAbortListener = void 0;
+				this.abortController = void 0;
+			}
+		}
+		/**
+		* Internal method for getting WebAuthn authentication credentials with PRF output
+		* @param nearAccountId - NEAR account ID to authenticate
+		* @param challenge - VRF challenge bytes to use for WebAuthn authentication
+		* @param authenticators - List of stored authenticator data for the user
+		* @returns WebAuthn credential with PRF output (HKDF derivation done in WASM worker)
+		* ```ts
+		* const credential = await touchIdPrompt.getCredentials({
+		*   nearAccountId,
+		*   challenge,
+		*   authenticators,
+		* });
+		* ```
+		*/
+		async getAuthenticationCredentialsInternal({ nearAccountId, challenge, allowCredentials }) {
+			this.abortController = new AbortController();
+			this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);
+			const rpId = this.getRpId();
+			const publicKey = {
+				challenge: require_vrf_worker.outputAs32Bytes(challenge),
+				rpId,
+				allowCredentials: allowCredentials.map((credential) => ({
+					id: require_base64.base64UrlDecode(credential.id),
+					type: "public-key",
+					transports: credential.transports
+				})),
+				userVerification: "preferred",
+				timeout: 6e4,
+				extensions: { prf: { eval: {
+					first: require_credentialsHelpers.generateChaCha20Salt(nearAccountId),
+					second: require_credentialsHelpers.generateEd25519Salt(nearAccountId)
+				} } }
+			};
+			try {
+				const result = await require_safari_fallbacks.executeWebAuthnWithParentFallbacksSafari("get", publicKey, {
+					rpId,
+					inIframe: TouchIdPrompt._inIframe(),
+					timeoutMs: publicKey.timeout,
+					permitGetBridgeOnAncestorError: this.safariGetWebauthnRegistrationFallback,
+					abortSignal: this.abortController.signal
+				});
+				return result;
+			} finally {
+				this.removePageAbortHandlers?.();
+				this.removePageAbortHandlers = void 0;
+				this.removeExternalAbortListener?.();
+				this.removeExternalAbortListener = void 0;
+				this.abortController = void 0;
+			}
+		}
+	};
+	(function(_TouchIdPrompt) {
+		function attachPageAbortHandlers(controller) {
+			const onVisibility = () => {
+				if (document.hidden) controller.abort();
+			};
+			const onPageHide = () => {
+				controller.abort();
+			};
+			const onBeforeUnload = () => {
+				controller.abort();
+			};
+			document.addEventListener("visibilitychange", onVisibility, { passive: true });
+			window.addEventListener("pagehide", onPageHide, { passive: true });
+			window.addEventListener("beforeunload", onBeforeUnload, { passive: true });
+			return () => {
+				document.removeEventListener("visibilitychange", onVisibility);
+				window.removeEventListener("pagehide", onPageHide);
+				window.removeEventListener("beforeunload", onBeforeUnload);
+			};
+		}
+		_TouchIdPrompt.attachPageAbortHandlers = attachPageAbortHandlers;
+	})(TouchIdPrompt || (TouchIdPrompt = {}));
+}) });
 
 //#endregion
+init_touchIdPrompt();
 Object.defineProperty(exports, 'TouchIdPrompt', {
   enumerable: true,
   get: function () {
@@ -271,4 +273,10 @@ Object.defineProperty(exports, 'TouchIdPrompt', {
   }
 });
 exports.authenticatorsToAllowCredentials = authenticatorsToAllowCredentials;
+Object.defineProperty(exports, 'init_touchIdPrompt', {
+  enumerable: true,
+  get: function () {
+    return init_touchIdPrompt;
+  }
+});
 //# sourceMappingURL=touchIdPrompt.js.map

package/dist/cjs/core/WebAuthnManager/touchIdPrompt.js.map

@@ -1 +1 @@
-{"version":3,"file":"touchIdPrompt.js","names":["serializeAuthenticationCredentialWithPRF","publicKey: PublicKeyCredentialCreationOptions","outputAs32Bytes","generateChaCha20Salt","generateEd25519Salt","executeWebAuthnWithParentFallbacksSafari","publicKey: PublicKeyCredentialRequestOptions","base64UrlDecode"],"sources":["../../../../src/core/WebAuthnManager/touchIdPrompt.ts"],"sourcesContent":["import { ClientAuthenticatorData } from '../IndexedDBManager';\nimport { base64UrlDecode } from '../../utils/encoders';\nimport { outputAs32Bytes, VRFChallenge } from '../types/vrf-worker';\nimport { serializeAuthenticationCredentialWithPRF, generateChaCha20Salt, generateEd25519Salt } from './credentialsHelpers';\nimport type {\n  WebAuthnAuthenticationCredential,\n  WebAuthnRegistrationCredential\n} from '../types/webauthn';\nimport { executeWebAuthnWithParentFallbacksSafari } from './WebAuthnFallbacks';\n// Local rpId policy helpers (moved back from WebAuthnFallbacks)\nfunction isRegistrableSuffix(host: string, cand: string): boolean {\n  if (!host || !cand) return false;\n  if (host === cand) return true;\n  return host.endsWith('.' + cand);\n}\n\nfunction resolveRpId(override: string | undefined, host: string | undefined): string {\n  const h = (host || '').toLowerCase();\n  const ov = (override || '').toLowerCase();\n  if (ov && h && isRegistrableSuffix(h, ov)) return ov;\n  return h || ov || '';\n}\n\nexport interface RegisterCredentialsArgs {\n  nearAccountId: string,    // NEAR account ID for PRF salts and keypair derivation (always base account)\n  challenge: VRFChallenge,\n  deviceNumber?: number, // Optional device number for device-specific user ID (0, 1, 2, etc.)\n}\n\nexport interface AuthenticateCredentialsArgs {\n  nearAccountId: string,\n  challenge: VRFChallenge,\n  allowCredentials: AllowCredential[],\n}\n\nexport interface AllowCredential {\n  id: string,\n  type: string,\n  transports: AuthenticatorTransport[]\n}\n\nexport function authenticatorsToAllowCredentials(\n  authenticators: ClientAuthenticatorData[]\n): AllowCredential[] {\n  return authenticators.map(auth => ({\n    id: auth.credentialId,\n    type: 'public-key',\n    transports: auth.transports as AuthenticatorTransport[]\n  }));\n}\n\n/**\n * TouchIdPrompt prompts for touchID,\n * creates credentials,\n * manages WebAuthn touchID prompts,\n * and generates credentials, and PRF Outputs\n */\nexport class TouchIdPrompt {\n  private rpIdOverride?: string;\n  private safariGetWebauthnRegistrationFallback: boolean;\n  // create() only: internal abort controller + cleanup hooks\n  private abortController?: AbortController;\n  private removePageAbortHandlers?: () => void;\n  private removeExternalAbortListener?: () => void;\n\n  constructor(rpIdOverride?: string, safariGetWebauthnRegistrationFallback = false) {\n    this.rpIdOverride = rpIdOverride;\n    this.safariGetWebauthnRegistrationFallback = safariGetWebauthnRegistrationFallback === true;\n  }\n\n  getRpId(): string {\n    try {\n      return resolveRpId(this.rpIdOverride, window?.location?.hostname);\n    } catch {\n      return this.rpIdOverride || '';\n    }\n  }\n\n  // Utility helpers for cross‑origin fallback\n  private static _inIframe(): boolean {\n    try { return window.self !== window.top; } catch { return true; }\n  }\n\n  /**\n   * Get authentication credentials\n   * @param nearAccountId - NEAR account ID to authenticate\n   * @param challenge - VRF challenge bytes\n   * @param allowCredentials - Array of allowed credentials for authentication\n   * @returns WebAuthn credential with only the first PRF output\n   */\n  async getAuthenticationCredentialsSerialized({\n    nearAccountId,\n    challenge,\n    allowCredentials,\n  }: {\n    nearAccountId: string\n    challenge: VRFChallenge\n    allowCredentials: AllowCredential[]\n  }): Promise<WebAuthnAuthenticationCredential> {\n    const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n      nearAccountId,\n      challenge,\n      allowCredentials,\n    })) as unknown;\n    // Support parent-bridge fallback returning an already-serialized credential\n    if (isSerializedAuthenticationCredential(credentialMaybe)) {\n      return credentialMaybe;\n    }\n    return serializeAuthenticationCredentialWithPRF({\n      credential: credentialMaybe as PublicKeyCredential,\n      firstPrfOutput: true,\n      secondPrfOutput: false,\n    })\n  }\n\n  /**\n   *  Same as getAuthenticationCredentialsSerialized but returns both PRF outputs\n   *  (PRF.first + PRF.second).\n   * @param nearAccountId - NEAR account ID to authenticate\n   * @param challenge - VRF challenge bytes\n   * @param allowCredentials - Array of allowed credentials for authentication\n   * @returns\n   */\n  async getAuthenticationCredentialsSerializedDualPrf({\n    nearAccountId,\n    challenge,\n    allowCredentials,\n  }: {\n    nearAccountId: string,\n    challenge: VRFChallenge,\n    allowCredentials: AllowCredential[],\n  }): Promise<WebAuthnAuthenticationCredential> {\n    const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n      nearAccountId,\n      challenge,\n      allowCredentials,\n    })) as unknown;\n    // Support parent-bridge fallback returning an already-serialized credential\n    if (isSerializedAuthenticationCredential(credentialMaybe)) {\n      return credentialMaybe;\n    }\n    return serializeAuthenticationCredentialWithPRF({\n      credential: credentialMaybe as PublicKeyCredential,\n      firstPrfOutput: true,\n      secondPrfOutput: true,\n    });\n  }\n\n  /**\n   * Internal method for generating WebAuthn registration credentials with PRF output\n   * @param nearAccountId - NEAR account ID for PRF salts and keypair derivation (always base account)\n   * @param challenge - Random challenge bytes for the registration ceremony\n   * @param deviceNumber - Device number for device-specific user ID.\n   * @returns Credential with PRF output\n   */\n  async generateRegistrationCredentialsInternal({\n    nearAccountId,\n    challenge,\n    deviceNumber,\n  }: RegisterCredentialsArgs): Promise<PublicKeyCredential> {\n    // New controller per create() call\n    this.abortController = new AbortController();\n    this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n    // Single source of truth for rpId: use getRpId().\n    const rpId = this.getRpId();\n    const publicKey: PublicKeyCredentialCreationOptions = {\n      challenge: outputAs32Bytes(challenge) as BufferSource,\n      rp: {\n        name: 'WebAuthn VRF Passkey',\n        id: rpId\n      },\n      user: {\n        id: new TextEncoder().encode(generateDeviceSpecificUserId(nearAccountId, deviceNumber)),\n        name: generateDeviceSpecificUserId(nearAccountId, deviceNumber),\n        displayName: generateUserFriendlyDisplayName(nearAccountId, deviceNumber)\n      },\n      pubKeyCredParams: [\n        { alg: -7, type: 'public-key' },\n        { alg: -257, type: 'public-key' }\n      ],\n      authenticatorSelection: {\n        residentKey: 'required',\n        userVerification: 'preferred'\n      },\n      timeout: 60000,\n      attestation: 'none',\n      extensions: {\n        prf: {\n          eval: {\n            // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n            first: generateChaCha20Salt(nearAccountId) as BufferSource,  // ChaCha20Poly1305 encryption keys\n            second: generateEd25519Salt(nearAccountId) as BufferSource   // Ed25519 signing keys\n          }\n        }\n      },\n    };\n    try {\n      const result = await executeWebAuthnWithParentFallbacksSafari('create', publicKey, {\n        rpId,\n        inIframe: TouchIdPrompt._inIframe(),\n        timeoutMs: publicKey.timeout as number | undefined,\n        // Pass AbortSignal through when supported; Safari bridge path may ignore it.\n        abortSignal: this.abortController.signal,\n      });\n      return result as PublicKeyCredential;\n    } finally {\n      this.removePageAbortHandlers?.();\n      this.removePageAbortHandlers = undefined;\n      this.removeExternalAbortListener?.();\n      this.removeExternalAbortListener = undefined;\n      this.abortController = undefined;\n    }\n  }\n\n  /**\n   * Internal method for getting WebAuthn authentication credentials with PRF output\n   * @param nearAccountId - NEAR account ID to authenticate\n   * @param challenge - VRF challenge bytes to use for WebAuthn authentication\n   * @param authenticators - List of stored authenticator data for the user\n   * @returns WebAuthn credential with PRF output (HKDF derivation done in WASM worker)\n   * ```ts\n   * const credential = await touchIdPrompt.getCredentials({\n   *   nearAccountId,\n   *   challenge,\n   *   authenticators,\n   * });\n   * ```\n   */\n  async getAuthenticationCredentialsInternal({\n    nearAccountId,\n    challenge,\n    allowCredentials,\n  }: AuthenticateCredentialsArgs): Promise<PublicKeyCredential> {\n    // New controller per get() call\n    this.abortController = new AbortController();\n    this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n    // Single source of truth for rpId: use getRpId().\n    const rpId = this.getRpId();\n    const publicKey: PublicKeyCredentialRequestOptions = {\n      challenge: outputAs32Bytes(challenge) as BufferSource,\n      rpId,\n      allowCredentials: allowCredentials.map((credential) => ({\n        id: base64UrlDecode(credential.id) as BufferSource,\n        type: 'public-key' as PublicKeyCredentialType,\n        transports: credential.transports,\n      })),\n      userVerification: 'preferred' as UserVerificationRequirement,\n      timeout: 60000,\n      extensions: {\n        prf: {\n          eval: {\n            // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n            first: generateChaCha20Salt(nearAccountId) as BufferSource,  // ChaCha20Poly1305 encryption keys\n            second: generateEd25519Salt(nearAccountId) as BufferSource   // Ed25519 signing keys\n          }\n        }\n      }\n    };\n    try {\n      const result = await executeWebAuthnWithParentFallbacksSafari('get', publicKey, {\n        rpId,\n        inIframe: TouchIdPrompt._inIframe(),\n        timeoutMs: publicKey.timeout as number | undefined,\n        permitGetBridgeOnAncestorError: this.safariGetWebauthnRegistrationFallback,\n        abortSignal: this.abortController.signal,\n      });\n      return result as PublicKeyCredential;\n    } finally {\n      this.removePageAbortHandlers?.();\n      this.removePageAbortHandlers = undefined;\n      this.removeExternalAbortListener?.();\n      this.removeExternalAbortListener = undefined;\n      this.abortController = undefined;\n    }\n  }\n}\n\n// Type guard for already-serialized authentication credential\nfunction isSerializedAuthenticationCredential(x: unknown): x is WebAuthnAuthenticationCredential {\n  if (!x || typeof x !== 'object') return false;\n  const obj = x as { response?: unknown };\n  const resp = obj.response as { authenticatorData?: unknown } | undefined;\n  return typeof resp?.authenticatorData === 'string';\n}\n\n/**\n * Generate device-specific user ID to prevent Chrome sync conflicts\n * Creates technical identifiers with full account context\n *\n * @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns Technical identifier:\n *   - Device 1: \"serp120.web3-authn.testnet\"\n *   - Device 2: \"serp120.web3-authn.testnet (2)\"\n *   - Device 3: \"serp120.web3-authn.testnet (3)\"\n */\nexport function generateDeviceSpecificUserId(nearAccountId: string, deviceNumber?: number): string {\n  // If no device number provided or device number is 1, this is the first device\n  if (deviceNumber === undefined || deviceNumber === 1) {\n    return nearAccountId;\n  }\n  // For additional devices, add device number in parentheses\n  return `${nearAccountId} (${deviceNumber})`;\n}\n\n/**\n * Generate user-friendly display name for passkey manager UI\n * Creates clean, intuitive names that users will see\n *\n * @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns User-friendly display name:\n *   - Device 1: \"serp120\"\n *   - Device 2: \"serp120 (device 2)\"\n *   - Device 3: \"serp120 (device 3)\"\n */\nfunction generateUserFriendlyDisplayName(nearAccountId: string, deviceNumber?: number): string {\n  // Extract the base username (everything before the first dot)\n  const baseUsername = nearAccountId.split('.')[0];\n  // If no device number provided or device number is 1, this is the first device\n  if (deviceNumber === undefined || deviceNumber === 1) {\n    return baseUsername;\n  }\n  // For additional devices, add device number with friendly label\n  return `${baseUsername} (device ${deviceNumber})`;\n}\n\n// Abort native WebAuthn when page is being hidden or unloaded\n// Centralized here to keep WebAuthn lifecycle concerns alongside native calls.\nexport namespace TouchIdPrompt {\n  export function attachPageAbortHandlers(controller: AbortController): () => void {\n    const onVisibility = () => { if (document.hidden) controller.abort(); };\n    const onPageHide = () => { controller.abort(); };\n    const onBeforeUnload = () => { controller.abort(); };\n    document.addEventListener('visibilitychange', onVisibility, { passive: true });\n    window.addEventListener('pagehide', onPageHide, { passive: true });\n    window.addEventListener('beforeunload', onBeforeUnload, { passive: true });\n    return () => {\n      document.removeEventListener('visibilitychange', onVisibility);\n      window.removeEventListener('pagehide', onPageHide);\n      window.removeEventListener('beforeunload', onBeforeUnload);\n    };\n  }\n}\n"],"mappings":";;;;;;;;;AAUA,SAAS,oBAAoB,MAAc,MAAuB;AAChE,KAAI,CAAC,QAAQ,CAAC,KAAM,QAAO;AAC3B,KAAI,SAAS,KAAM,QAAO;AAC1B,QAAO,KAAK,SAAS,MAAM;;AAG7B,SAAS,YAAY,UAA8B,MAAkC;CACnF,MAAM,KAAK,QAAQ,IAAI;CACvB,MAAM,MAAM,YAAY,IAAI;AAC5B,KAAI,MAAM,KAAK,oBAAoB,GAAG,IAAK,QAAO;AAClD,QAAO,KAAK,MAAM;;AAqBpB,SAAgB,iCACd,gBACmB;AACnB,QAAO,eAAe,KAAI,UAAS;EACjC,IAAI,KAAK;EACT,MAAM;EACN,YAAY,KAAK;;;;;;;;;AAUrB,IAAa,gBAAb,MAAa,cAAc;CACzB,AAAQ;CACR,AAAQ;CAER,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YAAY,cAAuB,wCAAwC,OAAO;AAChF,OAAK,eAAe;AACpB,OAAK,wCAAwC,0CAA0C;;CAGzF,UAAkB;AAChB,MAAI;AACF,UAAO,YAAY,KAAK,cAAc,QAAQ,UAAU;UAClD;AACN,UAAO,KAAK,gBAAgB;;;CAKhC,OAAe,YAAqB;AAClC,MAAI;AAAE,UAAO,OAAO,SAAS,OAAO;UAAa;AAAE,UAAO;;;;;;;;;;CAU5D,MAAM,uCAAuC,EAC3C,eACA,WACA,oBAK4C;EAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;GACvE;GACA;GACA;;AAGF,MAAI,qCAAqC,iBACvC,QAAO;AAET,SAAOA,oEAAyC;GAC9C,YAAY;GACZ,gBAAgB;GAChB,iBAAiB;;;;;;;;;;;CAYrB,MAAM,8CAA8C,EAClD,eACA,WACA,oBAK4C;EAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;GACvE;GACA;GACA;;AAGF,MAAI,qCAAqC,iBACvC,QAAO;AAET,SAAOA,oEAAyC;GAC9C,YAAY;GACZ,gBAAgB;GAChB,iBAAiB;;;;;;;;;;CAWrB,MAAM,wCAAwC,EAC5C,eACA,WACA,gBACwD;AAExD,OAAK,kBAAkB,IAAI;AAC3B,OAAK,0BAA0B,cAAc,wBAAwB,KAAK;EAE1E,MAAM,OAAO,KAAK;EAClB,MAAMC,YAAgD;GACpD,WAAWC,mCAAgB;GAC3B,IAAI;IACF,MAAM;IACN,IAAI;;GAEN,MAAM;IACJ,IAAI,IAAI,cAAc,OAAO,6BAA6B,eAAe;IACzE,MAAM,6BAA6B,eAAe;IAClD,aAAa,gCAAgC,eAAe;;GAE9D,kBAAkB,CAChB;IAAE,KAAK;IAAI,MAAM;MACjB;IAAE,KAAK;IAAM,MAAM;;GAErB,wBAAwB;IACtB,aAAa;IACb,kBAAkB;;GAEpB,SAAS;GACT,aAAa;GACb,YAAY,EACV,KAAK,EACH,MAAM;IAEJ,OAAOC,gDAAqB;IAC5B,QAAQC,+CAAoB;;;AAKpC,MAAI;GACF,MAAM,SAAS,MAAMC,kEAAyC,UAAU,WAAW;IACjF;IACA,UAAU,cAAc;IACxB,WAAW,UAAU;IAErB,aAAa,KAAK,gBAAgB;;AAEpC,UAAO;YACC;AACR,QAAK;AACL,QAAK,0BAA0B;AAC/B,QAAK;AACL,QAAK,8BAA8B;AACnC,QAAK,kBAAkB;;;;;;;;;;;;;;;;;CAkB3B,MAAM,qCAAqC,EACzC,eACA,WACA,oBAC4D;AAE5D,OAAK,kBAAkB,IAAI;AAC3B,OAAK,0BAA0B,cAAc,wBAAwB,KAAK;EAE1E,MAAM,OAAO,KAAK;EAClB,MAAMC,YAA+C;GACnD,WAAWJ,mCAAgB;GAC3B;GACA,kBAAkB,iBAAiB,KAAK,gBAAgB;IACtD,IAAIK,+BAAgB,WAAW;IAC/B,MAAM;IACN,YAAY,WAAW;;GAEzB,kBAAkB;GAClB,SAAS;GACT,YAAY,EACV,KAAK,EACH,MAAM;IAEJ,OAAOJ,gDAAqB;IAC5B,QAAQC,+CAAoB;;;AAKpC,MAAI;GACF,MAAM,SAAS,MAAMC,kEAAyC,OAAO,WAAW;IAC9E;IACA,UAAU,cAAc;IACxB,WAAW,UAAU;IACrB,gCAAgC,KAAK;IACrC,aAAa,KAAK,gBAAgB;;AAEpC,UAAO;YACC;AACR,QAAK;AACL,QAAK,0BAA0B;AAC/B,QAAK;AACL,QAAK,8BAA8B;AACnC,QAAK,kBAAkB;;;;AAM7B,SAAS,qCAAqC,GAAmD;AAC/F,KAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;CACxC,MAAM,MAAM;CACZ,MAAM,OAAO,IAAI;AACjB,QAAO,OAAO,MAAM,sBAAsB;;;;;;;;;;;;;AAc5C,SAAgB,6BAA6B,eAAuB,cAA+B;AAEjG,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,cAAc,IAAI,aAAa;;;;;;;;;;;;;AAc3C,SAAS,gCAAgC,eAAuB,cAA+B;CAE7F,MAAM,eAAe,cAAc,MAAM,KAAK;AAE9C,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,aAAa,WAAW,aAAa;;;CAMxC,SAAS,wBAAwB,YAAyC;EAC/E,MAAM,qBAAqB;AAAE,OAAI,SAAS,OAAQ,YAAW;;EAC7D,MAAM,mBAAmB;AAAE,cAAW;;EACtC,MAAM,uBAAuB;AAAE,cAAW;;AAC1C,WAAS,iBAAiB,oBAAoB,cAAc,EAAE,SAAS;AACvE,SAAO,iBAAiB,YAAY,YAAY,EAAE,SAAS;AAC3D,SAAO,iBAAiB,gBAAgB,gBAAgB,EAAE,SAAS;AACnE,eAAa;AACX,YAAS,oBAAoB,oBAAoB;AACjD,UAAO,oBAAoB,YAAY;AACvC,UAAO,oBAAoB,gBAAgB"}
+{"version":3,"file":"touchIdPrompt.js","names":["serializeAuthenticationCredentialWithPRF","publicKey: PublicKeyCredentialCreationOptions","outputAs32Bytes","generateChaCha20Salt","generateEd25519Salt","executeWebAuthnWithParentFallbacksSafari","publicKey: PublicKeyCredentialRequestOptions","base64UrlDecode"],"sources":["../../../../src/core/WebAuthnManager/touchIdPrompt.ts"],"sourcesContent":["import { ClientAuthenticatorData } from '../IndexedDBManager';\nimport { base64UrlDecode } from '../../utils/encoders';\nimport { outputAs32Bytes, VRFChallenge } from '../types/vrf-worker';\nimport { serializeAuthenticationCredentialWithPRF, generateChaCha20Salt, generateEd25519Salt } from './credentialsHelpers';\nimport type {\n  WebAuthnAuthenticationCredential,\n  WebAuthnRegistrationCredential\n} from '../types/webauthn';\nimport { executeWebAuthnWithParentFallbacksSafari } from './WebAuthnFallbacks';\n// Local rpId policy helpers (moved back from WebAuthnFallbacks)\nfunction isRegistrableSuffix(host: string, cand: string): boolean {\n  if (!host || !cand) return false;\n  if (host === cand) return true;\n  return host.endsWith('.' + cand);\n}\n\nfunction resolveRpId(override: string | undefined, host: string | undefined): string {\n  const h = (host || '').toLowerCase();\n  const ov = (override || '').toLowerCase();\n  if (ov && h && isRegistrableSuffix(h, ov)) return ov;\n  return h || ov || '';\n}\n\nexport interface RegisterCredentialsArgs {\n  nearAccountId: string,    // NEAR account ID for PRF salts and keypair derivation (always base account)\n  challenge: VRFChallenge,\n  deviceNumber?: number, // Optional device number for device-specific user ID (0, 1, 2, etc.)\n}\n\nexport interface AuthenticateCredentialsArgs {\n  nearAccountId: string,\n  challenge: VRFChallenge,\n  allowCredentials: AllowCredential[],\n}\n\nexport interface AllowCredential {\n  id: string,\n  type: string,\n  transports: AuthenticatorTransport[]\n}\n\nexport function authenticatorsToAllowCredentials(\n  authenticators: ClientAuthenticatorData[]\n): AllowCredential[] {\n  return authenticators.map(auth => ({\n    id: auth.credentialId,\n    type: 'public-key',\n    transports: auth.transports as AuthenticatorTransport[]\n  }));\n}\n\n/**\n * TouchIdPrompt prompts for touchID,\n * creates credentials,\n * manages WebAuthn touchID prompts,\n * and generates credentials, and PRF Outputs\n */\nexport class TouchIdPrompt {\n  private rpIdOverride?: string;\n  private safariGetWebauthnRegistrationFallback: boolean;\n  // create() only: internal abort controller + cleanup hooks\n  private abortController?: AbortController;\n  private removePageAbortHandlers?: () => void;\n  private removeExternalAbortListener?: () => void;\n\n  constructor(rpIdOverride?: string, safariGetWebauthnRegistrationFallback = false) {\n    this.rpIdOverride = rpIdOverride;\n    this.safariGetWebauthnRegistrationFallback = safariGetWebauthnRegistrationFallback === true;\n  }\n\n  getRpId(): string {\n    try {\n      return resolveRpId(this.rpIdOverride, window?.location?.hostname);\n    } catch {\n      return this.rpIdOverride || '';\n    }\n  }\n\n  // Utility helpers for cross‑origin fallback\n  private static _inIframe(): boolean {\n    try { return window.self !== window.top; } catch { return true; }\n  }\n\n  /**\n   * Get authentication credentials\n   * @param nearAccountId - NEAR account ID to authenticate\n   * @param challenge - VRF challenge bytes\n   * @param allowCredentials - Array of allowed credentials for authentication\n   * @returns WebAuthn credential with only the first PRF output\n   */\n  async getAuthenticationCredentialsSerialized({\n    nearAccountId,\n    challenge,\n    allowCredentials,\n  }: {\n    nearAccountId: string\n    challenge: VRFChallenge\n    allowCredentials: AllowCredential[]\n  }): Promise<WebAuthnAuthenticationCredential> {\n    const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n      nearAccountId,\n      challenge,\n      allowCredentials,\n    })) as unknown;\n    // Support parent-bridge fallback returning an already-serialized credential\n    if (isSerializedAuthenticationCredential(credentialMaybe)) {\n      return credentialMaybe;\n    }\n    return serializeAuthenticationCredentialWithPRF({\n      credential: credentialMaybe as PublicKeyCredential,\n      firstPrfOutput: true,\n      secondPrfOutput: false,\n    })\n  }\n\n  /**\n   *  Same as getAuthenticationCredentialsSerialized but returns both PRF outputs\n   *  (PRF.first + PRF.second).\n   * @param nearAccountId - NEAR account ID to authenticate\n   * @param challenge - VRF challenge bytes\n   * @param allowCredentials - Array of allowed credentials for authentication\n   * @returns\n   */\n  async getAuthenticationCredentialsSerializedDualPrf({\n    nearAccountId,\n    challenge,\n    allowCredentials,\n  }: {\n    nearAccountId: string,\n    challenge: VRFChallenge,\n    allowCredentials: AllowCredential[],\n  }): Promise<WebAuthnAuthenticationCredential> {\n    const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n      nearAccountId,\n      challenge,\n      allowCredentials,\n    })) as unknown;\n    // Support parent-bridge fallback returning an already-serialized credential\n    if (isSerializedAuthenticationCredential(credentialMaybe)) {\n      return credentialMaybe;\n    }\n    return serializeAuthenticationCredentialWithPRF({\n      credential: credentialMaybe as PublicKeyCredential,\n      firstPrfOutput: true,\n      secondPrfOutput: true,\n    });\n  }\n\n  /**\n   * Internal method for generating WebAuthn registration credentials with PRF output\n   * @param nearAccountId - NEAR account ID for PRF salts and keypair derivation (always base account)\n   * @param challenge - Random challenge bytes for the registration ceremony\n   * @param deviceNumber - Device number for device-specific user ID.\n   * @returns Credential with PRF output\n   */\n  async generateRegistrationCredentialsInternal({\n    nearAccountId,\n    challenge,\n    deviceNumber,\n  }: RegisterCredentialsArgs): Promise<PublicKeyCredential> {\n    // New controller per create() call\n    this.abortController = new AbortController();\n    this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n    // Single source of truth for rpId: use getRpId().\n    const rpId = this.getRpId();\n    const publicKey: PublicKeyCredentialCreationOptions = {\n      challenge: outputAs32Bytes(challenge) as BufferSource,\n      rp: {\n        name: 'WebAuthn VRF Passkey',\n        id: rpId\n      },\n      user: {\n        id: new TextEncoder().encode(generateDeviceSpecificUserId(nearAccountId, deviceNumber)),\n        name: generateDeviceSpecificUserId(nearAccountId, deviceNumber),\n        displayName: generateUserFriendlyDisplayName(nearAccountId, deviceNumber)\n      },\n      pubKeyCredParams: [\n        { alg: -7, type: 'public-key' },\n        { alg: -257, type: 'public-key' }\n      ],\n      authenticatorSelection: {\n        residentKey: 'required',\n        userVerification: 'preferred'\n      },\n      timeout: 60000,\n      attestation: 'none',\n      extensions: {\n        prf: {\n          eval: {\n            // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n            first: generateChaCha20Salt(nearAccountId) as BufferSource,  // ChaCha20Poly1305 encryption keys\n            second: generateEd25519Salt(nearAccountId) as BufferSource   // Ed25519 signing keys\n          }\n        }\n      },\n    };\n    try {\n      const result = await executeWebAuthnWithParentFallbacksSafari('create', publicKey, {\n        rpId,\n        inIframe: TouchIdPrompt._inIframe(),\n        timeoutMs: publicKey.timeout as number | undefined,\n        // Pass AbortSignal through when supported; Safari bridge path may ignore it.\n        abortSignal: this.abortController.signal,\n      });\n      return result as PublicKeyCredential;\n    } finally {\n      this.removePageAbortHandlers?.();\n      this.removePageAbortHandlers = undefined;\n      this.removeExternalAbortListener?.();\n      this.removeExternalAbortListener = undefined;\n      this.abortController = undefined;\n    }\n  }\n\n  /**\n   * Internal method for getting WebAuthn authentication credentials with PRF output\n   * @param nearAccountId - NEAR account ID to authenticate\n   * @param challenge - VRF challenge bytes to use for WebAuthn authentication\n   * @param authenticators - List of stored authenticator data for the user\n   * @returns WebAuthn credential with PRF output (HKDF derivation done in WASM worker)\n   * ```ts\n   * const credential = await touchIdPrompt.getCredentials({\n   *   nearAccountId,\n   *   challenge,\n   *   authenticators,\n   * });\n   * ```\n   */\n  async getAuthenticationCredentialsInternal({\n    nearAccountId,\n    challenge,\n    allowCredentials,\n  }: AuthenticateCredentialsArgs): Promise<PublicKeyCredential> {\n    // New controller per get() call\n    this.abortController = new AbortController();\n    this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n    // Single source of truth for rpId: use getRpId().\n    const rpId = this.getRpId();\n    const publicKey: PublicKeyCredentialRequestOptions = {\n      challenge: outputAs32Bytes(challenge) as BufferSource,\n      rpId,\n      allowCredentials: allowCredentials.map((credential) => ({\n        id: base64UrlDecode(credential.id) as BufferSource,\n        type: 'public-key' as PublicKeyCredentialType,\n        transports: credential.transports,\n      })),\n      userVerification: 'preferred' as UserVerificationRequirement,\n      timeout: 60000,\n      extensions: {\n        prf: {\n          eval: {\n            // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n            first: generateChaCha20Salt(nearAccountId) as BufferSource,  // ChaCha20Poly1305 encryption keys\n            second: generateEd25519Salt(nearAccountId) as BufferSource   // Ed25519 signing keys\n          }\n        }\n      }\n    };\n    try {\n      const result = await executeWebAuthnWithParentFallbacksSafari('get', publicKey, {\n        rpId,\n        inIframe: TouchIdPrompt._inIframe(),\n        timeoutMs: publicKey.timeout as number | undefined,\n        permitGetBridgeOnAncestorError: this.safariGetWebauthnRegistrationFallback,\n        abortSignal: this.abortController.signal,\n      });\n      return result as PublicKeyCredential;\n    } finally {\n      this.removePageAbortHandlers?.();\n      this.removePageAbortHandlers = undefined;\n      this.removeExternalAbortListener?.();\n      this.removeExternalAbortListener = undefined;\n      this.abortController = undefined;\n    }\n  }\n}\n\n// Type guard for already-serialized authentication credential\nfunction isSerializedAuthenticationCredential(x: unknown): x is WebAuthnAuthenticationCredential {\n  if (!x || typeof x !== 'object') return false;\n  const obj = x as { response?: unknown };\n  const resp = obj.response as { authenticatorData?: unknown } | undefined;\n  return typeof resp?.authenticatorData === 'string';\n}\n\n/**\n * Generate device-specific user ID to prevent Chrome sync conflicts\n * Creates technical identifiers with full account context\n *\n * @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns Technical identifier:\n *   - Device 1: \"serp120.web3-authn.testnet\"\n *   - Device 2: \"serp120.web3-authn.testnet (2)\"\n *   - Device 3: \"serp120.web3-authn.testnet (3)\"\n */\nexport function generateDeviceSpecificUserId(nearAccountId: string, deviceNumber?: number): string {\n  // If no device number provided or device number is 1, this is the first device\n  if (deviceNumber === undefined || deviceNumber === 1) {\n    return nearAccountId;\n  }\n  // For additional devices, add device number in parentheses\n  return `${nearAccountId} (${deviceNumber})`;\n}\n\n/**\n * Generate user-friendly display name for passkey manager UI\n * Creates clean, intuitive names that users will see\n *\n * @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns User-friendly display name:\n *   - Device 1: \"serp120\"\n *   - Device 2: \"serp120 (device 2)\"\n *   - Device 3: \"serp120 (device 3)\"\n */\nfunction generateUserFriendlyDisplayName(nearAccountId: string, deviceNumber?: number): string {\n  // Extract the base username (everything before the first dot)\n  const baseUsername = nearAccountId.split('.')[0];\n  // If no device number provided or device number is 1, this is the first device\n  if (deviceNumber === undefined || deviceNumber === 1) {\n    return baseUsername;\n  }\n  // For additional devices, add device number with friendly label\n  return `${baseUsername} (device ${deviceNumber})`;\n}\n\n// Abort native WebAuthn when page is being hidden or unloaded\n// Centralized here to keep WebAuthn lifecycle concerns alongside native calls.\nexport namespace TouchIdPrompt {\n  export function attachPageAbortHandlers(controller: AbortController): () => void {\n    const onVisibility = () => { if (document.hidden) controller.abort(); };\n    const onPageHide = () => { controller.abort(); };\n    const onBeforeUnload = () => { controller.abort(); };\n    document.addEventListener('visibilitychange', onVisibility, { passive: true });\n    window.addEventListener('pagehide', onPageHide, { passive: true });\n    window.addEventListener('beforeunload', onBeforeUnload, { passive: true });\n    return () => {\n      document.removeEventListener('visibilitychange', onVisibility);\n      window.removeEventListener('pagehide', onPageHide);\n      window.removeEventListener('beforeunload', onBeforeUnload);\n    };\n  }\n}\n"],"mappings":";;;;;;;;;AAUA,SAAS,oBAAoB,MAAc,MAAuB;AAChE,KAAI,CAAC,QAAQ,CAAC,KAAM,QAAO;AAC3B,KAAI,SAAS,KAAM,QAAO;AAC1B,QAAO,KAAK,SAAS,MAAM;;AAG7B,SAAS,YAAY,UAA8B,MAAkC;CACnF,MAAM,KAAK,QAAQ,IAAI;CACvB,MAAM,MAAM,YAAY,IAAI;AAC5B,KAAI,MAAM,KAAK,oBAAoB,GAAG,IAAK,QAAO;AAClD,QAAO,KAAK,MAAM;;AAqBpB,SAAgB,iCACd,gBACmB;AACnB,QAAO,eAAe,KAAI,UAAS;EACjC,IAAI,KAAK;EACT,MAAM;EACN,YAAY,KAAK;;;AAuOrB,SAAS,qCAAqC,GAAmD;AAC/F,KAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;CACxC,MAAM,MAAM;CACZ,MAAM,OAAO,IAAI;AACjB,QAAO,OAAO,MAAM,sBAAsB;;;;;;;;;;;;;AAc5C,SAAgB,6BAA6B,eAAuB,cAA+B;AAEjG,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,cAAc,IAAI,aAAa;;;;;;;;;;;;;AAc3C,SAAS,gCAAgC,eAAuB,cAA+B;CAE7F,MAAM,eAAe,cAAc,MAAM,KAAK;AAE9C,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,aAAa,WAAW,aAAa;;;;;;;;CA3QpC,gBAAb,MAAa,cAAc;EACzB,AAAQ;EACR,AAAQ;EAER,AAAQ;EACR,AAAQ;EACR,AAAQ;EAER,YAAY,cAAuB,wCAAwC,OAAO;AAChF,QAAK,eAAe;AACpB,QAAK,wCAAwC,0CAA0C;;EAGzF,UAAkB;AAChB,OAAI;AACF,WAAO,YAAY,KAAK,cAAc,QAAQ,UAAU;WAClD;AACN,WAAO,KAAK,gBAAgB;;;EAKhC,OAAe,YAAqB;AAClC,OAAI;AAAE,WAAO,OAAO,SAAS,OAAO;WAAa;AAAE,WAAO;;;;;;;;;;EAU5D,MAAM,uCAAuC,EAC3C,eACA,WACA,oBAK4C;GAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;IACvE;IACA;IACA;;AAGF,OAAI,qCAAqC,iBACvC,QAAO;AAET,UAAOA,oEAAyC;IAC9C,YAAY;IACZ,gBAAgB;IAChB,iBAAiB;;;;;;;;;;;EAYrB,MAAM,8CAA8C,EAClD,eACA,WACA,oBAK4C;GAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;IACvE;IACA;IACA;;AAGF,OAAI,qCAAqC,iBACvC,QAAO;AAET,UAAOA,oEAAyC;IAC9C,YAAY;IACZ,gBAAgB;IAChB,iBAAiB;;;;;;;;;;EAWrB,MAAM,wCAAwC,EAC5C,eACA,WACA,gBACwD;AAExD,QAAK,kBAAkB,IAAI;AAC3B,QAAK,0BAA0B,cAAc,wBAAwB,KAAK;GAE1E,MAAM,OAAO,KAAK;GAClB,MAAMC,YAAgD;IACpD,WAAWC,mCAAgB;IAC3B,IAAI;KACF,MAAM;KACN,IAAI;;IAEN,MAAM;KACJ,IAAI,IAAI,cAAc,OAAO,6BAA6B,eAAe;KACzE,MAAM,6BAA6B,eAAe;KAClD,aAAa,gCAAgC,eAAe;;IAE9D,kBAAkB,CAChB;KAAE,KAAK;KAAI,MAAM;OACjB;KAAE,KAAK;KAAM,MAAM;;IAErB,wBAAwB;KACtB,aAAa;KACb,kBAAkB;;IAEpB,SAAS;IACT,aAAa;IACb,YAAY,EACV,KAAK,EACH,MAAM;KAEJ,OAAOC,gDAAqB;KAC5B,QAAQC,+CAAoB;;;AAKpC,OAAI;IACF,MAAM,SAAS,MAAMC,kEAAyC,UAAU,WAAW;KACjF;KACA,UAAU,cAAc;KACxB,WAAW,UAAU;KAErB,aAAa,KAAK,gBAAgB;;AAEpC,WAAO;aACC;AACR,SAAK;AACL,SAAK,0BAA0B;AAC/B,SAAK;AACL,SAAK,8BAA8B;AACnC,SAAK,kBAAkB;;;;;;;;;;;;;;;;;EAkB3B,MAAM,qCAAqC,EACzC,eACA,WACA,oBAC4D;AAE5D,QAAK,kBAAkB,IAAI;AAC3B,QAAK,0BAA0B,cAAc,wBAAwB,KAAK;GAE1E,MAAM,OAAO,KAAK;GAClB,MAAMC,YAA+C;IACnD,WAAWJ,mCAAgB;IAC3B;IACA,kBAAkB,iBAAiB,KAAK,gBAAgB;KACtD,IAAIK,+BAAgB,WAAW;KAC/B,MAAM;KACN,YAAY,WAAW;;IAEzB,kBAAkB;IAClB,SAAS;IACT,YAAY,EACV,KAAK,EACH,MAAM;KAEJ,OAAOJ,gDAAqB;KAC5B,QAAQC,+CAAoB;;;AAKpC,OAAI;IACF,MAAM,SAAS,MAAMC,kEAAyC,OAAO,WAAW;KAC9E;KACA,UAAU,cAAc;KACxB,WAAW,UAAU;KACrB,gCAAgC,KAAK;KACrC,aAAa,KAAK,gBAAgB;;AAEpC,WAAO;aACC;AACR,SAAK;AACL,SAAK,0BAA0B;AAC/B,SAAK;AACL,SAAK,8BAA8B;AACnC,SAAK,kBAAkB;;;;AAyDtB;EACE,SAAS,wBAAwB,YAAyC;GAC/E,MAAM,qBAAqB;AAAE,QAAI,SAAS,OAAQ,YAAW;;GAC7D,MAAM,mBAAmB;AAAE,eAAW;;GACtC,MAAM,uBAAuB;AAAE,eAAW;;AAC1C,YAAS,iBAAiB,oBAAoB,cAAc,EAAE,SAAS;AACvE,UAAO,iBAAiB,YAAY,YAAY,EAAE,SAAS;AAC3D,UAAO,iBAAiB,gBAAgB,gBAAgB,EAAE,SAAS;AACnE,gBAAa;AACX,aAAS,oBAAoB,oBAAoB;AACjD,WAAO,oBAAoB,YAAY;AACvC,WAAO,oBAAoB,gBAAgB"}

package/dist/cjs/core/WebAuthnManager/userHandle.js

@@ -1,9 +1,10 @@
 const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
 const require_validation = require('../../utils/validation.js');
 const require_base64 = require('../../utils/base64.js');
-require('../../utils/index.js');
+const require_index = require('../../utils/index.js');
 
 //#region src/core/WebAuthnManager/userHandle.ts
+require_index.init_utils();
 require_validation.init_validation();
 /**
 * Parse a WebAuthn userHandle into a NEAR account ID.

package/dist/cjs/core/WebAuthnManager/userHandle.js.map

@@ -1 +1 @@
-{"version":3,"file":"userHandle.js","names":["bytes: Uint8Array | null","base64UrlDecode","validateNearAccountId"],"sources":["../../../../src/core/WebAuthnManager/userHandle.ts"],"sourcesContent":["import { base64UrlDecode } from '../../utils';\nimport { validateNearAccountId } from '../../utils/validation';\n\n/**\n * Parse a WebAuthn userHandle into a NEAR account ID.\n * Accepts either a base64url string (serialized) or an ArrayBuffer-like value.\n * Strips optional device suffixes like \" (2)\" appended during registration.\n * Returns a validated account ID string or null if invalid/unavailable.\n */\nexport function parseAccountIdFromUserHandle(userHandle: unknown): string | null {\n  try {\n    let bytes: Uint8Array | null = null;\n    if (typeof userHandle === 'string' && userHandle.length > 0) {\n      try { bytes = base64UrlDecode(userHandle); } catch { bytes = null; }\n    } else if (userHandle && typeof (userHandle as any).byteLength === 'number') {\n      try { bytes = new Uint8Array(userHandle as ArrayBuffer); } catch { bytes = null; }\n    }\n    if (!bytes || bytes.byteLength === 0) return null;\n\n    const decoded = new TextDecoder().decode(bytes);\n    const base = decoded.replace(/ \\(\\d+\\)$/g, '');\n    return validateNearAccountId(base).valid ? base : null;\n  } catch {\n    return null;\n  }\n}\n\n"],"mappings":";;;;;;;;;;;;;AASA,SAAgB,6BAA6B,YAAoC;AAC/E,KAAI;EACF,IAAIA,QAA2B;AAC/B,MAAI,OAAO,eAAe,YAAY,WAAW,SAAS,EACxD,KAAI;AAAE,WAAQC,+BAAgB;UAAqB;AAAE,WAAQ;;WACpD,cAAc,OAAQ,WAAmB,eAAe,SACjE,KAAI;AAAE,WAAQ,IAAI,WAAW;UAAoC;AAAE,WAAQ;;AAE7E,MAAI,CAAC,SAAS,MAAM,eAAe,EAAG,QAAO;EAE7C,MAAM,UAAU,IAAI,cAAc,OAAO;EACzC,MAAM,OAAO,QAAQ,QAAQ,cAAc;AAC3C,SAAOC,yCAAsB,MAAM,QAAQ,OAAO;SAC5C;AACN,SAAO"}
+{"version":3,"file":"userHandle.js","names":["bytes: Uint8Array | null","base64UrlDecode","validateNearAccountId"],"sources":["../../../../src/core/WebAuthnManager/userHandle.ts"],"sourcesContent":["import { base64UrlDecode } from '../../utils';\nimport { validateNearAccountId } from '../../utils/validation';\n\n/**\n * Parse a WebAuthn userHandle into a NEAR account ID.\n * Accepts either a base64url string (serialized) or an ArrayBuffer-like value.\n * Strips optional device suffixes like \" (2)\" appended during registration.\n * Returns a validated account ID string or null if invalid/unavailable.\n */\nexport function parseAccountIdFromUserHandle(userHandle: unknown): string | null {\n  try {\n    let bytes: Uint8Array | null = null;\n    if (typeof userHandle === 'string' && userHandle.length > 0) {\n      try { bytes = base64UrlDecode(userHandle); } catch { bytes = null; }\n    } else if (userHandle && typeof (userHandle as any).byteLength === 'number') {\n      try { bytes = new Uint8Array(userHandle as ArrayBuffer); } catch { bytes = null; }\n    }\n    if (!bytes || bytes.byteLength === 0) return null;\n\n    const decoded = new TextDecoder().decode(bytes);\n    const base = decoded.replace(/ \\(\\d+\\)$/g, '');\n    return validateNearAccountId(base).valid ? base : null;\n  } catch {\n    return null;\n  }\n}\n\n"],"mappings":";;;;;;;;;;;;;;AASA,SAAgB,6BAA6B,YAAoC;AAC/E,KAAI;EACF,IAAIA,QAA2B;AAC/B,MAAI,OAAO,eAAe,YAAY,WAAW,SAAS,EACxD,KAAI;AAAE,WAAQC,+BAAgB;UAAqB;AAAE,WAAQ;;WACpD,cAAc,OAAQ,WAAmB,eAAe,SACjE,KAAI;AAAE,WAAQ,IAAI,WAAW;UAAoC;AAAE,WAAQ;;AAE7E,MAAI,CAAC,SAAS,MAAM,eAAe,EAAG,QAAO;EAE7C,MAAM,UAAU,IAAI,cAAc,OAAO;EACzC,MAAM,OAAO,QAAQ,QAAQ,cAAc;AAC3C,SAAOC,yCAAsB,MAAM,QAAQ,OAAO;SAC5C;AACN,SAAO"}

package/dist/cjs/core/defaultConfigs.js

@@ -54,7 +54,7 @@ function buildConfigsFromEnv(overrides = {}) {
 var PASSKEY_MANAGER_DEFAULT_CONFIGS, DEFAULT_EMAIL_RECOVERY_CONTRACTS;
 var init_defaultConfigs = require_rolldown_runtime.__esm({ "src/core/defaultConfigs.ts": (() => {
 	PASSKEY_MANAGER_DEFAULT_CONFIGS = {
-		nearRpcUrl: "https://test.rpc.fastnear.com",
+		nearRpcUrl: "https://test.rpc.fastnear.com, https://rpc.testnet.near.org",
 		nearNetwork: "testnet",
 		contractId: "w3a-v1.testnet",
 		nearExplorerUrl: "https://testnet.nearblocks.io",

package/dist/cjs/core/defaultConfigs.js.map

@@ -1 +1 @@
-{"version":3,"file":"defaultConfigs.js","names":["merged: TatchiConfigs","PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs","DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts"],"sources":["../../../src/core/defaultConfigs.ts"],"sourcesContent":["import type { EmailRecoveryContracts, TatchiConfigs, TatchiConfigsInput } from './types/tatchi';\n\n// Default SDK configs suitable for local dev.\n// Cross-origin wallet isolation is recommended; set iframeWallet in your app config when you have a dedicated origin.\n// Consumers can shallow-merge overrides by field.\n\nexport const PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs = {\n  // You can provide a single URL or a comma-separated list for failover.\n  // First URL is treated as primary, subsequent URLs are fallbacks.\n  // nearRpcUrl: 'https://rpc.testnet.near.org',\n  nearRpcUrl: 'https://test.rpc.fastnear.com',\n  nearNetwork: 'testnet',\n  contractId: 'w3a-v1.testnet',\n  nearExplorerUrl: 'https://testnet.nearblocks.io',\n  // Warm signing session defaults used by login/unlock flows.\n  // Enforcement (TTL/uses) is owned by the VRF worker; signer workers remain one-shot.\n  signingSessionDefaults: {\n    ttlMs: 0, // 0 minutes\n    remainingUses: 0, // default to requiring a touchID prompt for each transaction\n  },\n  relayer: {\n    // accountId: 'w3a-v1.testnet',\n    // No default relayer URL. Force apps to configure via env/overrides.\n    // Using an empty string triggers early validation errors in code paths that require it.\n    url: '',\n    delegateActionRoute: '/signed-delegate',\n    emailRecovery: {\n      // Require at least 0.01 NEAR available to start email recovery.\n      minBalanceYocto: '10000000000000000000000', // 0.01 NEAR\n      // Poll every 4 seconds for verification status / access key.\n      pollingIntervalMs: 4000,\n      // Stop polling after 30 minutes.\n      maxPollingDurationMs: 30 * 60 * 1000,\n      // Expire pending recovery records after 30 minutes.\n      pendingTtlMs: 30 * 60 * 1000,\n      // Default recovery mailbox for examples / docs.\n      mailtoAddress: 'recover@web3authn.org',\n      // EmailDKIMVerifier contract that stores verification results.\n      dkimVerifierAccountId: 'email-dkim-verifier-v1.testnet',\n      // View method used to fetch VerificationResult by request_id.\n      verificationViewMethod: 'get_verification_result',\n    },\n  },\n  vrfWorkerConfigs: {\n    shamir3pass: {\n      // default Shamir's P in vrf-wasm-worker, needs to match relay server's Shamir P\n      p: '3N5w46AIGjGT2v5Vua_TMD5Ywfa9U2F7-WzW8SNDsIM',\n      // No default relay server URL to avoid accidental localhost usage in non-dev envs\n      // Defaults to relayer.url when undefined\n      relayServerUrl: '',\n      applyServerLockRoute: '/vrf/apply-server-lock',\n      removeServerLockRoute: '/vrf/remove-server-lock',\n    }\n  },\n  emailRecoveryContracts: {\n    emailRecovererGlobalContract: 'w3a-email-recoverer-v1.testnet',\n    zkEmailVerifierContract: 'zk-email-verifier-v1.testnet',\n    emailDkimVerifierContract: 'email-dkim-verifier-v1.testnet',\n  },\n  // Configure iframeWallet in application code to point at your dedicated wallet origin when available.\n  iframeWallet: {\n    walletOrigin: 'https://wallet.example.localhost',\n    walletServicePath: '/wallet-service',\n    sdkBasePath: '/sdk',\n    rpIdOverride: 'example.localhost',\n  }\n};\n\nexport const DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts = {\n  emailRecovererGlobalContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n  zkEmailVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.zkEmailVerifierContract,\n  emailDkimVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n};\n\n// Merge defaults with overrides\nexport function buildConfigsFromEnv(overrides: TatchiConfigsInput = {}): TatchiConfigs {\n\n  const defaults = PASSKEY_MANAGER_DEFAULT_CONFIGS;\n  const relayerUrl = overrides.relayer?.url ?? defaults.relayer?.url ?? '';\n  // Prefer explicit override for relayer URL; fall back to default preset.\n  // Used below to default VRF relayServerUrl when it is undefined.\n  const relayServerUrlDefault = relayerUrl;\n\n  const merged: TatchiConfigs = {\n    nearRpcUrl: overrides.nearRpcUrl ?? defaults.nearRpcUrl,\n    nearNetwork: overrides.nearNetwork ?? defaults.nearNetwork,\n    contractId: overrides.contractId ?? defaults.contractId,\n    nearExplorerUrl: overrides.nearExplorerUrl ?? defaults.nearExplorerUrl,\n    walletTheme: overrides.walletTheme ?? defaults.walletTheme,\n    signingSessionDefaults: {\n      ttlMs: overrides.signingSessionDefaults?.ttlMs\n        ?? defaults.signingSessionDefaults?.ttlMs,\n      remainingUses: overrides.signingSessionDefaults?.remainingUses\n        ?? defaults.signingSessionDefaults?.remainingUses,\n    },\n    relayer: {\n      url: relayerUrl,\n      delegateActionRoute: overrides.relayer?.delegateActionRoute\n        ?? defaults.relayer?.delegateActionRoute,\n      emailRecovery: {\n        minBalanceYocto: overrides.relayer?.emailRecovery?.minBalanceYocto\n          ?? defaults.relayer?.emailRecovery?.minBalanceYocto,\n        pollingIntervalMs: overrides.relayer?.emailRecovery?.pollingIntervalMs\n          ?? defaults.relayer?.emailRecovery?.pollingIntervalMs,\n        maxPollingDurationMs: overrides.relayer?.emailRecovery?.maxPollingDurationMs\n          ?? defaults.relayer?.emailRecovery?.maxPollingDurationMs,\n        pendingTtlMs: overrides.relayer?.emailRecovery?.pendingTtlMs\n          ?? defaults.relayer?.emailRecovery?.pendingTtlMs,\n        mailtoAddress: overrides.relayer?.emailRecovery?.mailtoAddress\n          ?? defaults.relayer?.emailRecovery?.mailtoAddress,\n        dkimVerifierAccountId: overrides.relayer?.emailRecovery?.dkimVerifierAccountId\n          ?? defaults.relayer?.emailRecovery?.dkimVerifierAccountId,\n        verificationViewMethod: overrides.relayer?.emailRecovery?.verificationViewMethod\n          ?? defaults.relayer?.emailRecovery?.verificationViewMethod,\n      },\n    },\n    authenticatorOptions: overrides.authenticatorOptions ?? defaults.authenticatorOptions,\n    vrfWorkerConfigs: {\n      shamir3pass: {\n        p: overrides.vrfWorkerConfigs?.shamir3pass?.p\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.p,\n        relayServerUrl: overrides.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n          ?? relayServerUrlDefault,\n        applyServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute,\n        removeServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute,\n      },\n    },\n    emailRecoveryContracts: {\n      emailRecovererGlobalContract: overrides.emailRecoveryContracts?.emailRecovererGlobalContract\n        ?? defaults.emailRecoveryContracts?.emailRecovererGlobalContract,\n      zkEmailVerifierContract: overrides.emailRecoveryContracts?.zkEmailVerifierContract\n        ?? defaults.emailRecoveryContracts?.zkEmailVerifierContract,\n      emailDkimVerifierContract: overrides.emailRecoveryContracts?.emailDkimVerifierContract\n        ?? defaults.emailRecoveryContracts?.emailDkimVerifierContract,\n    },\n    iframeWallet: {\n      walletOrigin: overrides.iframeWallet?.walletOrigin\n        ?? defaults.iframeWallet?.walletOrigin,\n      walletServicePath: overrides.iframeWallet?.walletServicePath\n        ?? defaults.iframeWallet?.walletServicePath\n        ?? '/wallet-service',\n      sdkBasePath: overrides.iframeWallet?.sdkBasePath\n        ?? defaults.iframeWallet?.sdkBasePath\n        ?? '/sdk',\n      rpIdOverride: overrides.iframeWallet?.rpIdOverride\n        ?? defaults.iframeWallet?.rpIdOverride,\n    }\n  };\n  if (!merged.contractId) {\n    throw new Error('[configPresets] Missing required config: contractId');\n  }\n  if (!merged.relayer.url) {\n    throw new Error('[configPresets] Missing required config: relayer.url');\n  }\n  return merged;\n}\n"],"mappings":";;;AA2EA,SAAgB,oBAAoB,YAAgC,IAAmB;CAErF,MAAM,WAAW;CACjB,MAAM,aAAa,UAAU,SAAS,OAAO,SAAS,SAAS,OAAO;CAGtE,MAAM,wBAAwB;CAE9B,MAAMA,SAAwB;EAC5B,YAAY,UAAU,cAAc,SAAS;EAC7C,aAAa,UAAU,eAAe,SAAS;EAC/C,YAAY,UAAU,cAAc,SAAS;EAC7C,iBAAiB,UAAU,mBAAmB,SAAS;EACvD,aAAa,UAAU,eAAe,SAAS;EAC/C,wBAAwB;GACtB,OAAO,UAAU,wBAAwB,SACpC,SAAS,wBAAwB;GACtC,eAAe,UAAU,wBAAwB,iBAC5C,SAAS,wBAAwB;;EAExC,SAAS;GACP,KAAK;GACL,qBAAqB,UAAU,SAAS,uBACnC,SAAS,SAAS;GACvB,eAAe;IACb,iBAAiB,UAAU,SAAS,eAAe,mBAC9C,SAAS,SAAS,eAAe;IACtC,mBAAmB,UAAU,SAAS,eAAe,qBAChD,SAAS,SAAS,eAAe;IACtC,sBAAsB,UAAU,SAAS,eAAe,wBACnD,SAAS,SAAS,eAAe;IACtC,cAAc,UAAU,SAAS,eAAe,gBAC3C,SAAS,SAAS,eAAe;IACtC,eAAe,UAAU,SAAS,eAAe,iBAC5C,SAAS,SAAS,eAAe;IACtC,uBAAuB,UAAU,SAAS,eAAe,yBACpD,SAAS,SAAS,eAAe;IACtC,wBAAwB,UAAU,SAAS,eAAe,0BACrD,SAAS,SAAS,eAAe;;;EAG1C,sBAAsB,UAAU,wBAAwB,SAAS;EACjE,kBAAkB,EAChB,aAAa;GACX,GAAG,UAAU,kBAAkB,aAAa,KACvC,SAAS,kBAAkB,aAAa;GAC7C,gBAAgB,UAAU,kBAAkB,aAAa,kBACpD,SAAS,kBAAkB,aAAa,kBACxC;GACL,sBAAsB,UAAU,kBAAkB,aAAa,wBAC1D,SAAS,kBAAkB,aAAa;GAC7C,uBAAuB,UAAU,kBAAkB,aAAa,yBAC3D,SAAS,kBAAkB,aAAa;;EAGjD,wBAAwB;GACtB,8BAA8B,UAAU,wBAAwB,gCAC3D,SAAS,wBAAwB;GACtC,yBAAyB,UAAU,wBAAwB,2BACtD,SAAS,wBAAwB;GACtC,2BAA2B,UAAU,wBAAwB,6BACxD,SAAS,wBAAwB;;EAExC,cAAc;GACZ,cAAc,UAAU,cAAc,gBACjC,SAAS,cAAc;GAC5B,mBAAmB,UAAU,cAAc,qBACtC,SAAS,cAAc,qBACvB;GACL,aAAa,UAAU,cAAc,eAChC,SAAS,cAAc,eACvB;GACL,cAAc,UAAU,cAAc,gBACjC,SAAS,cAAc;;;AAGhC,KAAI,CAAC,OAAO,WACV,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,OAAO,QAAQ,IAClB,OAAM,IAAI,MAAM;AAElB,QAAO;;;;CAvJIC,kCAAiD;EAI5D,YAAY;EACZ,aAAa;EACb,YAAY;EACZ,iBAAiB;EAGjB,wBAAwB;GACtB,OAAO;GACP,eAAe;;EAEjB,SAAS;GAIP,KAAK;GACL,qBAAqB;GACrB,eAAe;IAEb,iBAAiB;IAEjB,mBAAmB;IAEnB,sBAAsB,OAAU;IAEhC,cAAc,OAAU;IAExB,eAAe;IAEf,uBAAuB;IAEvB,wBAAwB;;;EAG5B,kBAAkB,EAChB,aAAa;GAEX,GAAG;GAGH,gBAAgB;GAChB,sBAAsB;GACtB,uBAAuB;;EAG3B,wBAAwB;GACtB,8BAA8B;GAC9B,yBAAyB;GACzB,2BAA2B;;EAG7B,cAAc;GACZ,cAAc;GACd,mBAAmB;GACnB,aAAa;GACb,cAAc;;;CAILC,mCAA2D;EACtE,8BAA8B,gCAAgC,uBAAuB;EACrF,yBAAyB,gCAAgC,uBAAuB;EAChF,2BAA2B,gCAAgC,uBAAuB"}
+{"version":3,"file":"defaultConfigs.js","names":["merged: TatchiConfigs","PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs","DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts"],"sources":["../../../src/core/defaultConfigs.ts"],"sourcesContent":["import type { EmailRecoveryContracts, TatchiConfigs, TatchiConfigsInput } from './types/tatchi';\n\n// Default SDK configs suitable for local dev.\n// Cross-origin wallet isolation is recommended; set iframeWallet in your app config when you have a dedicated origin.\n// Consumers can shallow-merge overrides by field.\n\nexport const PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs = {\n  // You can provide a single URL or a comma-separated list for failover.\n  // First URL is treated as primary, subsequent URLs are fallbacks.\n  nearRpcUrl: 'https://test.rpc.fastnear.com, https://rpc.testnet.near.org',\n  nearNetwork: 'testnet',\n  contractId: 'w3a-v1.testnet',\n  nearExplorerUrl: 'https://testnet.nearblocks.io',\n  // Warm signing session defaults used by login/unlock flows.\n  // Enforcement (TTL/uses) is owned by the VRF worker; signer workers remain one-shot.\n  signingSessionDefaults: {\n    ttlMs: 0, // 0 minutes\n    remainingUses: 0, // default to requiring a touchID prompt for each transaction\n  },\n  relayer: {\n    // accountId: 'w3a-v1.testnet',\n    // No default relayer URL. Force apps to configure via env/overrides.\n    // Using an empty string triggers early validation errors in code paths that require it.\n    url: '',\n    delegateActionRoute: '/signed-delegate',\n    emailRecovery: {\n      // Require at least 0.01 NEAR available to start email recovery.\n      minBalanceYocto: '10000000000000000000000', // 0.01 NEAR\n      // Poll every 4 seconds for verification status / access key.\n      pollingIntervalMs: 4000,\n      // Stop polling after 30 minutes.\n      maxPollingDurationMs: 30 * 60 * 1000,\n      // Expire pending recovery records after 30 minutes.\n      pendingTtlMs: 30 * 60 * 1000,\n      // Default recovery mailbox for examples / docs.\n      mailtoAddress: 'recover@web3authn.org',\n      // EmailDKIMVerifier contract that stores verification results.\n      dkimVerifierAccountId: 'email-dkim-verifier-v1.testnet',\n      // View method used to fetch VerificationResult by request_id.\n      verificationViewMethod: 'get_verification_result',\n    },\n  },\n  vrfWorkerConfigs: {\n    shamir3pass: {\n      // default Shamir's P in vrf-wasm-worker, needs to match relay server's Shamir P\n      p: '3N5w46AIGjGT2v5Vua_TMD5Ywfa9U2F7-WzW8SNDsIM',\n      // No default relay server URL to avoid accidental localhost usage in non-dev envs\n      // Defaults to relayer.url when undefined\n      relayServerUrl: '',\n      applyServerLockRoute: '/vrf/apply-server-lock',\n      removeServerLockRoute: '/vrf/remove-server-lock',\n    }\n  },\n  emailRecoveryContracts: {\n    emailRecovererGlobalContract: 'w3a-email-recoverer-v1.testnet',\n    zkEmailVerifierContract: 'zk-email-verifier-v1.testnet',\n    emailDkimVerifierContract: 'email-dkim-verifier-v1.testnet',\n  },\n  // Configure iframeWallet in application code to point at your dedicated wallet origin when available.\n  iframeWallet: {\n    walletOrigin: 'https://wallet.example.localhost',\n    walletServicePath: '/wallet-service',\n    sdkBasePath: '/sdk',\n    rpIdOverride: 'example.localhost',\n  }\n};\n\nexport const DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts = {\n  emailRecovererGlobalContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n  zkEmailVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.zkEmailVerifierContract,\n  emailDkimVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n};\n\n// Merge defaults with overrides\nexport function buildConfigsFromEnv(overrides: TatchiConfigsInput = {}): TatchiConfigs {\n\n  const defaults = PASSKEY_MANAGER_DEFAULT_CONFIGS;\n  const relayerUrl = overrides.relayer?.url ?? defaults.relayer?.url ?? '';\n  // Prefer explicit override for relayer URL; fall back to default preset.\n  // Used below to default VRF relayServerUrl when it is undefined.\n  const relayServerUrlDefault = relayerUrl;\n\n  const merged: TatchiConfigs = {\n    nearRpcUrl: overrides.nearRpcUrl ?? defaults.nearRpcUrl,\n    nearNetwork: overrides.nearNetwork ?? defaults.nearNetwork,\n    contractId: overrides.contractId ?? defaults.contractId,\n    nearExplorerUrl: overrides.nearExplorerUrl ?? defaults.nearExplorerUrl,\n    walletTheme: overrides.walletTheme ?? defaults.walletTheme,\n    signingSessionDefaults: {\n      ttlMs: overrides.signingSessionDefaults?.ttlMs\n        ?? defaults.signingSessionDefaults?.ttlMs,\n      remainingUses: overrides.signingSessionDefaults?.remainingUses\n        ?? defaults.signingSessionDefaults?.remainingUses,\n    },\n    relayer: {\n      url: relayerUrl,\n      delegateActionRoute: overrides.relayer?.delegateActionRoute\n        ?? defaults.relayer?.delegateActionRoute,\n      emailRecovery: {\n        minBalanceYocto: overrides.relayer?.emailRecovery?.minBalanceYocto\n          ?? defaults.relayer?.emailRecovery?.minBalanceYocto,\n        pollingIntervalMs: overrides.relayer?.emailRecovery?.pollingIntervalMs\n          ?? defaults.relayer?.emailRecovery?.pollingIntervalMs,\n        maxPollingDurationMs: overrides.relayer?.emailRecovery?.maxPollingDurationMs\n          ?? defaults.relayer?.emailRecovery?.maxPollingDurationMs,\n        pendingTtlMs: overrides.relayer?.emailRecovery?.pendingTtlMs\n          ?? defaults.relayer?.emailRecovery?.pendingTtlMs,\n        mailtoAddress: overrides.relayer?.emailRecovery?.mailtoAddress\n          ?? defaults.relayer?.emailRecovery?.mailtoAddress,\n        dkimVerifierAccountId: overrides.relayer?.emailRecovery?.dkimVerifierAccountId\n          ?? defaults.relayer?.emailRecovery?.dkimVerifierAccountId,\n        verificationViewMethod: overrides.relayer?.emailRecovery?.verificationViewMethod\n          ?? defaults.relayer?.emailRecovery?.verificationViewMethod,\n      },\n    },\n    authenticatorOptions: overrides.authenticatorOptions ?? defaults.authenticatorOptions,\n    vrfWorkerConfigs: {\n      shamir3pass: {\n        p: overrides.vrfWorkerConfigs?.shamir3pass?.p\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.p,\n        relayServerUrl: overrides.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n          ?? relayServerUrlDefault,\n        applyServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute,\n        removeServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute,\n      },\n    },\n    emailRecoveryContracts: {\n      emailRecovererGlobalContract: overrides.emailRecoveryContracts?.emailRecovererGlobalContract\n        ?? defaults.emailRecoveryContracts?.emailRecovererGlobalContract,\n      zkEmailVerifierContract: overrides.emailRecoveryContracts?.zkEmailVerifierContract\n        ?? defaults.emailRecoveryContracts?.zkEmailVerifierContract,\n      emailDkimVerifierContract: overrides.emailRecoveryContracts?.emailDkimVerifierContract\n        ?? defaults.emailRecoveryContracts?.emailDkimVerifierContract,\n    },\n    iframeWallet: {\n      walletOrigin: overrides.iframeWallet?.walletOrigin\n        ?? defaults.iframeWallet?.walletOrigin,\n      walletServicePath: overrides.iframeWallet?.walletServicePath\n        ?? defaults.iframeWallet?.walletServicePath\n        ?? '/wallet-service',\n      sdkBasePath: overrides.iframeWallet?.sdkBasePath\n        ?? defaults.iframeWallet?.sdkBasePath\n        ?? '/sdk',\n      rpIdOverride: overrides.iframeWallet?.rpIdOverride\n        ?? defaults.iframeWallet?.rpIdOverride,\n    }\n  };\n  if (!merged.contractId) {\n    throw new Error('[configPresets] Missing required config: contractId');\n  }\n  if (!merged.relayer.url) {\n    throw new Error('[configPresets] Missing required config: relayer.url');\n  }\n  return merged;\n}\n"],"mappings":";;;AA0EA,SAAgB,oBAAoB,YAAgC,IAAmB;CAErF,MAAM,WAAW;CACjB,MAAM,aAAa,UAAU,SAAS,OAAO,SAAS,SAAS,OAAO;CAGtE,MAAM,wBAAwB;CAE9B,MAAMA,SAAwB;EAC5B,YAAY,UAAU,cAAc,SAAS;EAC7C,aAAa,UAAU,eAAe,SAAS;EAC/C,YAAY,UAAU,cAAc,SAAS;EAC7C,iBAAiB,UAAU,mBAAmB,SAAS;EACvD,aAAa,UAAU,eAAe,SAAS;EAC/C,wBAAwB;GACtB,OAAO,UAAU,wBAAwB,SACpC,SAAS,wBAAwB;GACtC,eAAe,UAAU,wBAAwB,iBAC5C,SAAS,wBAAwB;;EAExC,SAAS;GACP,KAAK;GACL,qBAAqB,UAAU,SAAS,uBACnC,SAAS,SAAS;GACvB,eAAe;IACb,iBAAiB,UAAU,SAAS,eAAe,mBAC9C,SAAS,SAAS,eAAe;IACtC,mBAAmB,UAAU,SAAS,eAAe,qBAChD,SAAS,SAAS,eAAe;IACtC,sBAAsB,UAAU,SAAS,eAAe,wBACnD,SAAS,SAAS,eAAe;IACtC,cAAc,UAAU,SAAS,eAAe,gBAC3C,SAAS,SAAS,eAAe;IACtC,eAAe,UAAU,SAAS,eAAe,iBAC5C,SAAS,SAAS,eAAe;IACtC,uBAAuB,UAAU,SAAS,eAAe,yBACpD,SAAS,SAAS,eAAe;IACtC,wBAAwB,UAAU,SAAS,eAAe,0BACrD,SAAS,SAAS,eAAe;;;EAG1C,sBAAsB,UAAU,wBAAwB,SAAS;EACjE,kBAAkB,EAChB,aAAa;GACX,GAAG,UAAU,kBAAkB,aAAa,KACvC,SAAS,kBAAkB,aAAa;GAC7C,gBAAgB,UAAU,kBAAkB,aAAa,kBACpD,SAAS,kBAAkB,aAAa,kBACxC;GACL,sBAAsB,UAAU,kBAAkB,aAAa,wBAC1D,SAAS,kBAAkB,aAAa;GAC7C,uBAAuB,UAAU,kBAAkB,aAAa,yBAC3D,SAAS,kBAAkB,aAAa;;EAGjD,wBAAwB;GACtB,8BAA8B,UAAU,wBAAwB,gCAC3D,SAAS,wBAAwB;GACtC,yBAAyB,UAAU,wBAAwB,2BACtD,SAAS,wBAAwB;GACtC,2BAA2B,UAAU,wBAAwB,6BACxD,SAAS,wBAAwB;;EAExC,cAAc;GACZ,cAAc,UAAU,cAAc,gBACjC,SAAS,cAAc;GAC5B,mBAAmB,UAAU,cAAc,qBACtC,SAAS,cAAc,qBACvB;GACL,aAAa,UAAU,cAAc,eAChC,SAAS,cAAc,eACvB;GACL,cAAc,UAAU,cAAc,gBACjC,SAAS,cAAc;;;AAGhC,KAAI,CAAC,OAAO,WACV,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,OAAO,QAAQ,IAClB,OAAM,IAAI,MAAM;AAElB,QAAO;;;;CAtJIC,kCAAiD;EAG5D,YAAY;EACZ,aAAa;EACb,YAAY;EACZ,iBAAiB;EAGjB,wBAAwB;GACtB,OAAO;GACP,eAAe;;EAEjB,SAAS;GAIP,KAAK;GACL,qBAAqB;GACrB,eAAe;IAEb,iBAAiB;IAEjB,mBAAmB;IAEnB,sBAAsB,OAAU;IAEhC,cAAc,OAAU;IAExB,eAAe;IAEf,uBAAuB;IAEvB,wBAAwB;;;EAG5B,kBAAkB,EAChB,aAAa;GAEX,GAAG;GAGH,gBAAgB;GAChB,sBAAsB;GACtB,uBAAuB;;EAG3B,wBAAwB;GACtB,8BAA8B;GAC9B,yBAAyB;GACzB,2BAA2B;;EAG7B,cAAc;GACZ,cAAc;GACd,mBAAmB;GACnB,aAAa;GACb,cAAc;;;CAILC,mCAA2D;EACtE,8BAA8B,gCAAgC,uBAAuB;EACrF,yBAAyB,gCAAgC,uBAAuB;EAChF,2BAA2B,gCAAgC,uBAAuB"}

package/dist/cjs/core/rpcCalls.js

@@ -8,6 +8,13 @@ const require_actions = require('./types/actions.js');
 const require_rpc = require('./types/rpc.js');
 
 //#region src/core/rpcCalls.ts
+async function getEmailRecoveryVerificationResult(nearClient, dkimVerifierAccountId, verificationViewMethod, requestId) {
+	return await nearClient.view({
+		account: dkimVerifierAccountId,
+		method: verificationViewMethod,
+		args: { request_id: requestId }
+	});
+}
 /**
 * Query the contract to get the account linked to a device public key
 * Used in device linking flow to check if a device key has been added
@@ -395,6 +402,7 @@ exports.checkCanRegisterUserContractCall = checkCanRegisterUserContractCall;
 exports.executeDeviceLinkingContractCalls = executeDeviceLinkingContractCalls;
 exports.getCredentialIdsContractCall = getCredentialIdsContractCall;
 exports.getDeviceLinkingAccountContractCall = getDeviceLinkingAccountContractCall;
+exports.getEmailRecoveryVerificationResult = getEmailRecoveryVerificationResult;
 exports.getRecoveryEmailHashesContractCall = getRecoveryEmailHashesContractCall;
 Object.defineProperty(exports, 'init_rpcCalls', {
   enumerable: true,