@tatchi-xyz/sdk 0.16.0 → 0.18.0

package/dist/esm/sdk/getDeviceNumber-CkWRT17I.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"getDeviceNumber-CkWRT17I.js","names":["PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs","DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts","merged: TatchiConfigs"],"sources":["../../../src/core/defaultConfigs.ts","../../../src/core/WebAuthnManager/SignerWorkerManager/getDeviceNumber.ts"],"sourcesContent":["import type { EmailRecoveryContracts, TatchiConfigs, TatchiConfigsInput } from './types/tatchi';\n\n// Default SDK configs suitable for local dev.\n// Cross-origin wallet isolation is recommended; set iframeWallet in your app config when you have a dedicated origin.\n// Consumers can shallow-merge overrides by field.\n\nexport const PASSKEY_MANAGER_DEFAULT_CONFIGS: TatchiConfigs = {\n  // You can provide a single URL or a comma-separated list for failover.\n  // First URL is treated as primary, subsequent URLs are fallbacks.\n  // nearRpcUrl: 'https://rpc.testnet.near.org',\n  nearRpcUrl: 'https://test.rpc.fastnear.com',\n  nearNetwork: 'testnet',\n  contractId: 'w3a-v1.testnet',\n  nearExplorerUrl: 'https://testnet.nearblocks.io',\n  // Warm signing session defaults used by login/unlock flows.\n  // Enforcement (TTL/uses) is owned by the VRF worker; signer workers remain one-shot.\n  signingSessionDefaults: {\n    ttlMs: 0, // 0 minutes\n    remainingUses: 0, // default to requiring a touchID prompt for each transaction\n  },\n  relayer: {\n    // accountId: 'w3a-v1.testnet',\n    // No default relayer URL. Force apps to configure via env/overrides.\n    // Using an empty string triggers early validation errors in code paths that require it.\n    url: '',\n    delegateActionRoute: '/signed-delegate',\n    emailRecovery: {\n      // Require at least 0.01 NEAR available to start email recovery.\n      minBalanceYocto: '10000000000000000000000', // 0.01 NEAR\n      // Poll every 4 seconds for verification status / access key.\n      pollingIntervalMs: 4000,\n      // Stop polling after 30 minutes.\n      maxPollingDurationMs: 30 * 60 * 1000,\n      // Expire pending recovery records after 30 minutes.\n      pendingTtlMs: 30 * 60 * 1000,\n      // Default recovery mailbox for examples / docs.\n      mailtoAddress: 'recover@web3authn.org',\n      // EmailDKIMVerifier contract that stores verification results.\n      dkimVerifierAccountId: 'email-dkim-verifier-v1.testnet',\n      // View method used to fetch VerificationResult by request_id.\n      verificationViewMethod: 'get_verification_result',\n    },\n  },\n  vrfWorkerConfigs: {\n    shamir3pass: {\n      // default Shamir's P in vrf-wasm-worker, needs to match relay server's Shamir P\n      p: '3N5w46AIGjGT2v5Vua_TMD5Ywfa9U2F7-WzW8SNDsIM',\n      // No default relay server URL to avoid accidental localhost usage in non-dev envs\n      // Defaults to relayer.url when undefined\n      relayServerUrl: '',\n      applyServerLockRoute: '/vrf/apply-server-lock',\n      removeServerLockRoute: '/vrf/remove-server-lock',\n    }\n  },\n  emailRecoveryContracts: {\n    emailRecovererGlobalContract: 'w3a-email-recoverer-v1.testnet',\n    zkEmailVerifierContract: 'zk-email-verifier-v1.testnet',\n    emailDkimVerifierContract: 'email-dkim-verifier-v1.testnet',\n  },\n  // Configure iframeWallet in application code to point at your dedicated wallet origin when available.\n  iframeWallet: {\n    walletOrigin: 'https://wallet.example.localhost',\n    walletServicePath: '/wallet-service',\n    sdkBasePath: '/sdk',\n    rpIdOverride: 'example.localhost',\n  }\n};\n\nexport const DEFAULT_EMAIL_RECOVERY_CONTRACTS: EmailRecoveryContracts = {\n  emailRecovererGlobalContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n  zkEmailVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.zkEmailVerifierContract,\n  emailDkimVerifierContract: PASSKEY_MANAGER_DEFAULT_CONFIGS.emailRecoveryContracts.emailDkimVerifierContract,\n};\n\n// Merge defaults with overrides\nexport function buildConfigsFromEnv(overrides: TatchiConfigsInput = {}): TatchiConfigs {\n\n  const defaults = PASSKEY_MANAGER_DEFAULT_CONFIGS;\n  const relayerUrl = overrides.relayer?.url ?? defaults.relayer?.url ?? '';\n  // Prefer explicit override for relayer URL; fall back to default preset.\n  // Used below to default VRF relayServerUrl when it is undefined.\n  const relayServerUrlDefault = relayerUrl;\n\n  const merged: TatchiConfigs = {\n    nearRpcUrl: overrides.nearRpcUrl ?? defaults.nearRpcUrl,\n    nearNetwork: overrides.nearNetwork ?? defaults.nearNetwork,\n    contractId: overrides.contractId ?? defaults.contractId,\n    nearExplorerUrl: overrides.nearExplorerUrl ?? defaults.nearExplorerUrl,\n    walletTheme: overrides.walletTheme ?? defaults.walletTheme,\n    signingSessionDefaults: {\n      ttlMs: overrides.signingSessionDefaults?.ttlMs\n        ?? defaults.signingSessionDefaults?.ttlMs,\n      remainingUses: overrides.signingSessionDefaults?.remainingUses\n        ?? defaults.signingSessionDefaults?.remainingUses,\n    },\n    relayer: {\n      url: relayerUrl,\n      delegateActionRoute: overrides.relayer?.delegateActionRoute\n        ?? defaults.relayer?.delegateActionRoute,\n      emailRecovery: {\n        minBalanceYocto: overrides.relayer?.emailRecovery?.minBalanceYocto\n          ?? defaults.relayer?.emailRecovery?.minBalanceYocto,\n        pollingIntervalMs: overrides.relayer?.emailRecovery?.pollingIntervalMs\n          ?? defaults.relayer?.emailRecovery?.pollingIntervalMs,\n        maxPollingDurationMs: overrides.relayer?.emailRecovery?.maxPollingDurationMs\n          ?? defaults.relayer?.emailRecovery?.maxPollingDurationMs,\n        pendingTtlMs: overrides.relayer?.emailRecovery?.pendingTtlMs\n          ?? defaults.relayer?.emailRecovery?.pendingTtlMs,\n        mailtoAddress: overrides.relayer?.emailRecovery?.mailtoAddress\n          ?? defaults.relayer?.emailRecovery?.mailtoAddress,\n        dkimVerifierAccountId: overrides.relayer?.emailRecovery?.dkimVerifierAccountId\n          ?? defaults.relayer?.emailRecovery?.dkimVerifierAccountId,\n        verificationViewMethod: overrides.relayer?.emailRecovery?.verificationViewMethod\n          ?? defaults.relayer?.emailRecovery?.verificationViewMethod,\n      },\n    },\n    authenticatorOptions: overrides.authenticatorOptions ?? defaults.authenticatorOptions,\n    vrfWorkerConfigs: {\n      shamir3pass: {\n        p: overrides.vrfWorkerConfigs?.shamir3pass?.p\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.p,\n        relayServerUrl: overrides.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.relayServerUrl\n          ?? relayServerUrlDefault,\n        applyServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute,\n        removeServerLockRoute: overrides.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute\n          ?? defaults.vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute,\n      },\n    },\n    emailRecoveryContracts: {\n      emailRecovererGlobalContract: overrides.emailRecoveryContracts?.emailRecovererGlobalContract\n        ?? defaults.emailRecoveryContracts?.emailRecovererGlobalContract,\n      zkEmailVerifierContract: overrides.emailRecoveryContracts?.zkEmailVerifierContract\n        ?? defaults.emailRecoveryContracts?.zkEmailVerifierContract,\n      emailDkimVerifierContract: overrides.emailRecoveryContracts?.emailDkimVerifierContract\n        ?? defaults.emailRecoveryContracts?.emailDkimVerifierContract,\n    },\n    iframeWallet: {\n      walletOrigin: overrides.iframeWallet?.walletOrigin\n        ?? defaults.iframeWallet?.walletOrigin,\n      walletServicePath: overrides.iframeWallet?.walletServicePath\n        ?? defaults.iframeWallet?.walletServicePath\n        ?? '/wallet-service',\n      sdkBasePath: overrides.iframeWallet?.sdkBasePath\n        ?? defaults.iframeWallet?.sdkBasePath\n        ?? '/sdk',\n      rpIdOverride: overrides.iframeWallet?.rpIdOverride\n        ?? defaults.iframeWallet?.rpIdOverride,\n    }\n  };\n  if (!merged.contractId) {\n    throw new Error('[configPresets] Missing required config: contractId');\n  }\n  if (!merged.relayer.url) {\n    throw new Error('[configPresets] Missing required config: relayer.url');\n  }\n  return merged;\n}\n","import type { PasskeyClientDBManager } from '@/core/IndexedDBManager';\nimport { toAccountId, type AccountId } from '../../types/accountIds';\n\nexport function parseDeviceNumber(\n  value: unknown,\n  options: { min?: number } = {}\n): number | null {\n  const deviceNumber = Number(value);\n  const min = options.min ?? 1;\n  if (!Number.isSafeInteger(deviceNumber) || deviceNumber < min) {\n    return null;\n  }\n  return deviceNumber;\n}\n\n/**\n * Return the deviceNumber for the last logged-in user for the given account.\n * This uses the app-state \"last user\" pointer only; if it does not match the\n * requested account, an error is thrown instead of silently falling back.\n */\nexport async function getLastLoggedInDeviceNumber(\n  nearAccountId: AccountId | string,\n  clientDB: PasskeyClientDBManager\n): Promise<number> {\n  const accountId = toAccountId(nearAccountId);\n  const last = await clientDB.getLastUser();\n  if (last && last.nearAccountId === accountId) {\n    const deviceNumber = parseDeviceNumber((last as any).deviceNumber, { min: 1 });\n    if (deviceNumber !== null) {\n      return deviceNumber;\n    }\n  }\n  throw new Error(`No last user session for account ${accountId}`);\n}\n"],"mappings":";;;AAMA,MAAaA,kCAAiD;CAI5D,YAAY;CACZ,aAAa;CACb,YAAY;CACZ,iBAAiB;CAGjB,wBAAwB;EACtB,OAAO;EACP,eAAe;;CAEjB,SAAS;EAIP,KAAK;EACL,qBAAqB;EACrB,eAAe;GAEb,iBAAiB;GAEjB,mBAAmB;GAEnB,sBAAsB,OAAU;GAEhC,cAAc,OAAU;GAExB,eAAe;GAEf,uBAAuB;GAEvB,wBAAwB;;;CAG5B,kBAAkB,EAChB,aAAa;EAEX,GAAG;EAGH,gBAAgB;EAChB,sBAAsB;EACtB,uBAAuB;;CAG3B,wBAAwB;EACtB,8BAA8B;EAC9B,yBAAyB;EACzB,2BAA2B;;CAG7B,cAAc;EACZ,cAAc;EACd,mBAAmB;EACnB,aAAa;EACb,cAAc;;;AAIlB,MAAaC,mCAA2D;CACtE,8BAA8B,gCAAgC,uBAAuB;CACrF,yBAAyB,gCAAgC,uBAAuB;CAChF,2BAA2B,gCAAgC,uBAAuB;;AAIpF,SAAgB,oBAAoB,YAAgC,IAAmB;CAErF,MAAM,WAAW;CACjB,MAAM,aAAa,UAAU,SAAS,OAAO,SAAS,SAAS,OAAO;CAGtE,MAAM,wBAAwB;CAE9B,MAAMC,SAAwB;EAC5B,YAAY,UAAU,cAAc,SAAS;EAC7C,aAAa,UAAU,eAAe,SAAS;EAC/C,YAAY,UAAU,cAAc,SAAS;EAC7C,iBAAiB,UAAU,mBAAmB,SAAS;EACvD,aAAa,UAAU,eAAe,SAAS;EAC/C,wBAAwB;GACtB,OAAO,UAAU,wBAAwB,SACpC,SAAS,wBAAwB;GACtC,eAAe,UAAU,wBAAwB,iBAC5C,SAAS,wBAAwB;;EAExC,SAAS;GACP,KAAK;GACL,qBAAqB,UAAU,SAAS,uBACnC,SAAS,SAAS;GACvB,eAAe;IACb,iBAAiB,UAAU,SAAS,eAAe,mBAC9C,SAAS,SAAS,eAAe;IACtC,mBAAmB,UAAU,SAAS,eAAe,qBAChD,SAAS,SAAS,eAAe;IACtC,sBAAsB,UAAU,SAAS,eAAe,wBACnD,SAAS,SAAS,eAAe;IACtC,cAAc,UAAU,SAAS,eAAe,gBAC3C,SAAS,SAAS,eAAe;IACtC,eAAe,UAAU,SAAS,eAAe,iBAC5C,SAAS,SAAS,eAAe;IACtC,uBAAuB,UAAU,SAAS,eAAe,yBACpD,SAAS,SAAS,eAAe;IACtC,wBAAwB,UAAU,SAAS,eAAe,0BACrD,SAAS,SAAS,eAAe;;;EAG1C,sBAAsB,UAAU,wBAAwB,SAAS;EACjE,kBAAkB,EAChB,aAAa;GACX,GAAG,UAAU,kBAAkB,aAAa,KACvC,SAAS,kBAAkB,aAAa;GAC7C,gBAAgB,UAAU,kBAAkB,aAAa,kBACpD,SAAS,kBAAkB,aAAa,kBACxC;GACL,sBAAsB,UAAU,kBAAkB,aAAa,wBAC1D,SAAS,kBAAkB,aAAa;GAC7C,uBAAuB,UAAU,kBAAkB,aAAa,yBAC3D,SAAS,kBAAkB,aAAa;;EAGjD,wBAAwB;GACtB,8BAA8B,UAAU,wBAAwB,gCAC3D,SAAS,wBAAwB;GACtC,yBAAyB,UAAU,wBAAwB,2BACtD,SAAS,wBAAwB;GACtC,2BAA2B,UAAU,wBAAwB,6BACxD,SAAS,wBAAwB;;EAExC,cAAc;GACZ,cAAc,UAAU,cAAc,gBACjC,SAAS,cAAc;GAC5B,mBAAmB,UAAU,cAAc,qBACtC,SAAS,cAAc,qBACvB;GACL,aAAa,UAAU,cAAc,eAChC,SAAS,cAAc,eACvB;GACL,cAAc,UAAU,cAAc,gBACjC,SAAS,cAAc;;;AAGhC,KAAI,CAAC,OAAO,WACV,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,OAAO,QAAQ,IAClB,OAAM,IAAI,MAAM;AAElB,QAAO;;;;;AC1JT,SAAgB,kBACd,OACA,UAA4B,IACb;CACf,MAAM,eAAe,OAAO;CAC5B,MAAM,MAAM,QAAQ,OAAO;AAC3B,KAAI,CAAC,OAAO,cAAc,iBAAiB,eAAe,IACxD,QAAO;AAET,QAAO;;;;;;;AAQT,eAAsB,4BACpB,eACA,UACiB;CACjB,MAAM,YAAY,YAAY;CAC9B,MAAM,OAAO,MAAM,SAAS;AAC5B,KAAI,QAAQ,KAAK,kBAAkB,WAAW;EAC5C,MAAM,eAAe,kBAAmB,KAAa,cAAc,EAAE,KAAK;AAC1E,MAAI,iBAAiB,KACnB,QAAO;;AAGX,OAAM,IAAI,MAAM,oCAAoC"}

package/dist/esm/sdk/transactions-jH38BZ-Q.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"transactions-jH38BZ-Q.js","names":["uiVrfChallenge: VRFChallenge | undefined","uiVrfChallengeForUi: Partial<VRFChallenge> | undefined","err: unknown","contractId: string | undefined","nearRpcUrl: string | undefined"],"sources":["../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.ts"],"sourcesContent":["import type { VrfWorkerManagerContext } from '../../';\nimport type { ConfirmationConfig } from '../../../../types/signer-worker';\nimport {\n  SecureConfirmationType,\n  TransactionSummary,\n  SigningSecureConfirmRequest,\n  SigningAuthMode,\n} from '../types';\nimport { VRFChallenge, TransactionContext } from '../../../../types';\nimport {\n  getNearAccountId,\n  getIntentDigest,\n  getTxCount,\n  isUserCancelledSecureConfirm,\n  ERROR_MESSAGES,\n  getSignTransactionPayload,\n} from './index';\nimport { toAccountId } from '../../../../types/accountIds';\nimport { getLastLoggedInDeviceNumber } from '../../../SignerWorkerManager/getDeviceNumber';\nimport { toError } from '../../../../../utils/errors';\nimport { PASSKEY_MANAGER_DEFAULT_CONFIGS } from '../../../../defaultConfigs';\nimport { createConfirmSession } from '../adapters/session';\nimport { createConfirmTxFlowAdapters } from '../adapters/createAdapters';\n\nfunction getSigningAuthMode(request: SigningSecureConfirmRequest): SigningAuthMode {\n  if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {\n    return getSignTransactionPayload(request).signingAuthMode ?? 'webauthn';\n  }\n  if (request.type === SecureConfirmationType.SIGN_NEP413_MESSAGE) {\n    const p = request.payload as any;\n    return (p?.signingAuthMode as SigningAuthMode | undefined) ?? 'webauthn';\n  }\n  return 'webauthn';\n}\n\nexport async function handleTransactionSigningFlow(\n  ctx: VrfWorkerManagerContext,\n  request: SigningSecureConfirmRequest,\n  worker: Worker,\n  opts: { confirmationConfig: ConfirmationConfig; transactionSummary: TransactionSummary },\n): Promise<void> {\n  const { confirmationConfig, transactionSummary } = opts;\n  const adapters = createConfirmTxFlowAdapters(ctx);\n  const session = createConfirmSession({\n    adapters,\n    worker,\n    request,\n    confirmationConfig,\n    transactionSummary,\n  });\n  const nearAccountId = getNearAccountId(request);\n  const signingAuthMode = getSigningAuthMode(request);\n  const usesNeeded = getTxCount(request);\n\n  // 1) NEAR context + nonce reservation\n  const nearRpc = await adapters.near.fetchNearContext({ nearAccountId, txCount: usesNeeded, reserveNonces: true });\n  if (nearRpc.error && !nearRpc.transactionContext) {\n    // eslint-disable-next-line no-console\n    console.error('[SigningFlow] fetchNearContext failed', { error: nearRpc.error, details: nearRpc.details });\n    return session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: false,\n      error: `${ERROR_MESSAGES.nearRpcFailed}: ${nearRpc.details}`,\n    });\n  }\n  session.setReservedNonces(nearRpc.reservedNonces);\n  let transactionContext = nearRpc.transactionContext as TransactionContext;\n\n  // 2) Security context shown in the confirmer (rpId + block height).\n  // For warmSession signing we still want to show this context even though\n  // we won't collect a WebAuthn credential.\n  const rpId = adapters.vrf.getRpId();\n  let uiVrfChallenge: VRFChallenge | undefined;\n  let uiVrfChallengeForUi: Partial<VRFChallenge> | undefined = rpId\n    ? {\n        userId: nearAccountId,\n        rpId,\n        blockHeight: transactionContext.txBlockHeight,\n        blockHash: transactionContext.txBlockHash,\n      }\n    : undefined;\n\n  // Initial VRF challenge (only needed for WebAuthn credential collection)\n  if (signingAuthMode === 'webauthn') {\n    uiVrfChallenge = await adapters.vrf.generateVrfChallengeForSession(\n      {\n        userId: nearAccountId,\n        rpId,\n        blockHeight: transactionContext.txBlockHeight,\n        blockHash: transactionContext.txBlockHash,\n      },\n      request.requestId,\n    );\n    uiVrfChallengeForUi = uiVrfChallenge;\n  }\n\n  // 3) UI confirm\n  const { confirmed, error: uiError } = await session.promptUser({ vrfChallenge: uiVrfChallengeForUi });\n  if (!confirmed) {\n    return session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: false,\n      error: uiError,\n    });\n  }\n\n  // 4) Warm session: dispense WrapKeySeed and skip WebAuthn\n  if (signingAuthMode === 'warmSession') {\n    try {\n      await adapters.vrf.dispenseSessionKey({ sessionId: request.requestId, uses: usesNeeded });\n    } catch (err: unknown) {\n      const msg = String((toError(err))?.message || err || '');\n      return session.confirmAndCloseModal({\n        requestId: request.requestId,\n        intentDigest: getIntentDigest(request),\n        confirmed: false,\n        error: msg || 'Failed to dispense warm session key',\n      });\n    }\n\n    session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: true,\n      transactionContext,\n    });\n    return;\n  }\n\n  // 5) JIT refresh VRF + ctx (best-effort)\n  try {\n    const refreshed = await adapters.vrf.maybeRefreshVrfChallenge(request, nearAccountId);\n    uiVrfChallenge = refreshed.vrfChallenge;\n    transactionContext = refreshed.transactionContext;\n    session.updateUI({ vrfChallenge: uiVrfChallenge });\n  } catch (e) {\n    console.debug('[SigningFlow] VRF JIT refresh skipped', e);\n  }\n\n  // 6) Collect authentication credential\n  try {\n    if (!uiVrfChallenge) {\n      throw new Error('Missing vrfChallenge for WebAuthn signing flow');\n    }\n    const serializedCredential = await adapters.webauthn.collectAuthenticationCredentialWithPRF({\n      nearAccountId,\n      vrfChallenge: uiVrfChallenge,\n      onBeforePrompt: ({ authenticatorsForPrompt, vrfChallenge }) => {\n        console.debug('[SigningFlow] Authenticators for transaction signing', {\n          nearAccountId,\n          authenticatorCount: authenticatorsForPrompt.length,\n          authenticators: authenticatorsForPrompt.map(a => ({\n            deviceNumber: a.deviceNumber,\n            vrfPublicKey: a.vrfPublicKey,\n            credentialId: a.credentialId,\n          })),\n          vrfChallengePublicKey: vrfChallenge.vrfPublicKey,\n        });\n      },\n    });\n\n    // 5c) Derive WrapKeySeed inside the VRF worker and deliver it to the signer worker via\n    // the reserved WrapKeySeed MessagePort. Main thread only sees wrapKeySalt metadata.\n    try {\n      // Ensure VRF session is active and bound to the same account we are signing for.\n      const vrfStatus = await adapters.vrf.checkVrfStatus();\n      if (!vrfStatus.active) {\n        throw new Error('VRF keypair not active in memory. VRF session may have expired or was not properly initialized. Please refresh and try again.');\n      }\n      if (!vrfStatus.nearAccountId || String(vrfStatus.nearAccountId) !== String(toAccountId(nearAccountId))) {\n        throw new Error('VRF session is active but bound to a different account than the one being signed. Please log in again on this device.');\n      }\n\n      const deviceNumber = await getLastLoggedInDeviceNumber(toAccountId(nearAccountId), ctx.indexedDB.clientDB);\n      const encryptedKeyData = await ctx.indexedDB.nearKeysDB.getEncryptedKey(nearAccountId, deviceNumber);\n      // For v2+ vaults, wrapKeySalt is the canonical salt.\n      const wrapKeySalt = encryptedKeyData?.wrapKeySalt || '';\n      if (!wrapKeySalt) {\n        throw new Error('Missing wrapKeySalt in vault; re-register to upgrade vault format.');\n      }\n\n      // Extract contract verification context when available.\n      // - SIGN_TRANSACTION: use per-request rpcCall (already normalized by caller).\n      // - SIGN_NEP413_MESSAGE: allow per-request override; fall back to PASSKEY_MANAGER_DEFAULT_CONFIGS.\n      let contractId: string | undefined;\n      let nearRpcUrl: string | undefined;\n      if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {\n        const payload = getSignTransactionPayload(request);\n        contractId = payload?.rpcCall?.contractId;\n        nearRpcUrl = payload?.rpcCall?.nearRpcUrl;\n      } else if (request.type === SecureConfirmationType.SIGN_NEP413_MESSAGE) {\n        const payload = request.payload as any;\n        contractId = payload?.contractId\n          || PASSKEY_MANAGER_DEFAULT_CONFIGS.contractId;\n        nearRpcUrl = payload?.nearRpcUrl\n          || PASSKEY_MANAGER_DEFAULT_CONFIGS.nearRpcUrl;\n      }\n\n      await adapters.vrf.mintSessionKeysAndSendToSigner({\n        sessionId: request.requestId,\n        wrapKeySalt,\n        contractId,\n        nearRpcUrl,\n        credential: serializedCredential,\n      });\n\n    } catch (err) {\n      console.error('[SigningFlow] WrapKeySeed derivation failed:', err);\n      throw err; // Don't silently ignore - propagate the error\n    }\n\n    // 6) Respond; keep nonces reserved for worker to use\n    session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: true,\n      credential: serializedCredential,\n      // prfOutput intentionally omitted to keep signer PRF-free\n      // WrapKeySeed travels only over the dedicated VRF→Signer MessagePort; do not echo in the main-thread envelope\n      vrfChallenge: uiVrfChallenge,\n      transactionContext,\n    });\n  } catch (err: unknown) {\n    // Treat TouchID/FaceID cancellation and related errors as a negative decision\n    const cancelled = isUserCancelledSecureConfirm(err);\n    // For missing PRF outputs, surface the error to caller (defensive path tests expect a throw)\n    const msg = String((toError(err))?.message || err || '');\n    if (/Missing PRF result/i.test(msg) || /Missing PRF results/i.test(msg)) {\n      // Ensure UI is closed and nonces released, then rethrow\n      return session.cleanupAndRethrow(err);\n    }\n    if (cancelled) {\n      window.parent?.postMessage({ type: 'WALLET_UI_CLOSED' }, '*');\n    }\n    const isWrongPasskeyError = /multiple passkeys \\(devicenumbers\\) for account/i.test(msg);\n    return session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: false,\n      error: cancelled\n        ? ERROR_MESSAGES.cancelled\n        : (isWrongPasskeyError ? msg : ERROR_MESSAGES.collectCredentialsFailed),\n    });\n  }\n}\n"],"mappings":";;;;;;;;;AAwBA,SAAS,mBAAmB,SAAuD;AACjF,KAAI,QAAQ,SAAS,uBAAuB,iBAC1C,QAAO,0BAA0B,SAAS,mBAAmB;AAE/D,KAAI,QAAQ,SAAS,uBAAuB,qBAAqB;EAC/D,MAAM,IAAI,QAAQ;AAClB,SAAQ,GAAG,mBAAmD;;AAEhE,QAAO;;AAGT,eAAsB,6BACpB,KACA,SACA,QACA,MACe;CACf,MAAM,EAAE,oBAAoB,uBAAuB;CACnD,MAAM,WAAW,4BAA4B;CAC7C,MAAM,UAAU,qBAAqB;EACnC;EACA;EACA;EACA;EACA;;CAEF,MAAM,gBAAgB,iBAAiB;CACvC,MAAM,kBAAkB,mBAAmB;CAC3C,MAAM,aAAa,WAAW;CAG9B,MAAM,UAAU,MAAM,SAAS,KAAK,iBAAiB;EAAE;EAAe,SAAS;EAAY,eAAe;;AAC1G,KAAI,QAAQ,SAAS,CAAC,QAAQ,oBAAoB;AAEhD,UAAQ,MAAM,yCAAyC;GAAE,OAAO,QAAQ;GAAO,SAAS,QAAQ;;AAChG,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,GAAG,eAAe,cAAc,IAAI,QAAQ;;;AAGvD,SAAQ,kBAAkB,QAAQ;CAClC,IAAI,qBAAqB,QAAQ;CAKjC,MAAM,OAAO,SAAS,IAAI;CAC1B,IAAIA;CACJ,IAAIC,sBAAyD,OACzD;EACE,QAAQ;EACR;EACA,aAAa,mBAAmB;EAChC,WAAW,mBAAmB;KAEhC;AAGJ,KAAI,oBAAoB,YAAY;AAClC,mBAAiB,MAAM,SAAS,IAAI,+BAClC;GACE,QAAQ;GACR;GACA,aAAa,mBAAmB;GAChC,WAAW,mBAAmB;KAEhC,QAAQ;AAEV,wBAAsB;;CAIxB,MAAM,EAAE,WAAW,OAAO,YAAY,MAAM,QAAQ,WAAW,EAAE,cAAc;AAC/E,KAAI,CAAC,UACH,QAAO,QAAQ,qBAAqB;EAClC,WAAW,QAAQ;EACnB,cAAc,gBAAgB;EAC9B,WAAW;EACX,OAAO;;AAKX,KAAI,oBAAoB,eAAe;AACrC,MAAI;AACF,SAAM,SAAS,IAAI,mBAAmB;IAAE,WAAW,QAAQ;IAAW,MAAM;;WACrEC,KAAc;GACrB,MAAM,MAAM,OAAQ,QAAQ,MAAO,WAAW,OAAO;AACrD,UAAO,QAAQ,qBAAqB;IAClC,WAAW,QAAQ;IACnB,cAAc,gBAAgB;IAC9B,WAAW;IACX,OAAO,OAAO;;;AAIlB,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX;;AAEF;;AAIF,KAAI;EACF,MAAM,YAAY,MAAM,SAAS,IAAI,yBAAyB,SAAS;AACvE,mBAAiB,UAAU;AAC3B,uBAAqB,UAAU;AAC/B,UAAQ,SAAS,EAAE,cAAc;UAC1B,GAAG;AACV,UAAQ,MAAM,yCAAyC;;AAIzD,KAAI;AACF,MAAI,CAAC,eACH,OAAM,IAAI,MAAM;EAElB,MAAM,uBAAuB,MAAM,SAAS,SAAS,uCAAuC;GAC1F;GACA,cAAc;GACd,iBAAiB,EAAE,yBAAyB,mBAAmB;AAC7D,YAAQ,MAAM,wDAAwD;KACpE;KACA,oBAAoB,wBAAwB;KAC5C,gBAAgB,wBAAwB,KAAI,OAAM;MAChD,cAAc,EAAE;MAChB,cAAc,EAAE;MAChB,cAAc,EAAE;;KAElB,uBAAuB,aAAa;;;;AAO1C,MAAI;GAEF,MAAM,YAAY,MAAM,SAAS,IAAI;AACrC,OAAI,CAAC,UAAU,OACb,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,UAAU,iBAAiB,OAAO,UAAU,mBAAmB,OAAO,YAAY,gBACrF,OAAM,IAAI,MAAM;GAGlB,MAAM,eAAe,MAAM,4BAA4B,YAAY,gBAAgB,IAAI,UAAU;GACjG,MAAM,mBAAmB,MAAM,IAAI,UAAU,WAAW,gBAAgB,eAAe;GAEvF,MAAM,cAAc,kBAAkB,eAAe;AACrD,OAAI,CAAC,YACH,OAAM,IAAI,MAAM;GAMlB,IAAIC;GACJ,IAAIC;AACJ,OAAI,QAAQ,SAAS,uBAAuB,kBAAkB;IAC5D,MAAM,UAAU,0BAA0B;AAC1C,iBAAa,SAAS,SAAS;AAC/B,iBAAa,SAAS,SAAS;cACtB,QAAQ,SAAS,uBAAuB,qBAAqB;IACtE,MAAM,UAAU,QAAQ;AACxB,iBAAa,SAAS,cACjB,gCAAgC;AACrC,iBAAa,SAAS,cACjB,gCAAgC;;AAGvC,SAAM,SAAS,IAAI,+BAA+B;IAChD,WAAW,QAAQ;IACnB;IACA;IACA;IACA,YAAY;;WAGP,KAAK;AACZ,WAAQ,MAAM,gDAAgD;AAC9D,SAAM;;AAIR,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,YAAY;GAGZ,cAAc;GACd;;UAEKF,KAAc;EAErB,MAAM,YAAY,6BAA6B;EAE/C,MAAM,MAAM,OAAQ,QAAQ,MAAO,WAAW,OAAO;AACrD,MAAI,sBAAsB,KAAK,QAAQ,uBAAuB,KAAK,KAEjE,QAAO,QAAQ,kBAAkB;AAEnC,MAAI,UACF,QAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;EAE3D,MAAM,sBAAsB,mDAAmD,KAAK;AACpF,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,YACH,eAAe,YACd,sBAAsB,MAAM,eAAe"}