@tatchi-xyz/sdk 0.19.0 → 0.21.0

package/dist/esm/sdk/{router-DuGYOd3G.js → router-BWtacLJg.js}

@@ -1397,7 +1397,7 @@ var WalletIframeRouter = class {
 			type: "PM_START_EMAIL_RECOVERY",
 			payload: {
 				accountId: payload.accountId,
-				recoveryEmail: payload.recoveryEmail,
+				...payload.recoveryEmail ? { recoveryEmail: payload.recoveryEmail } : {},
 				options: safeOptions && Object.keys(safeOptions).length > 0 ? safeOptions : void 0
 			},
 			options: { onProgress: this.wrapOnEvent(payload.onEvent, isEmailRecoverySSEEvent) }

package/dist/esm/sdk/{rpcCalls-BQrJMTdg.js → rpcCalls-CYGJSCgm.js}

@@ -3,8 +3,8 @@ import "./base64-DBPGuXh4.js";
 import "./actions-O1FD5Bq8.js";
 import "./errors-D9ar28Dr.js";
 import "./sdkSentEvents-_jrJLIhw.js";
-import "./defaultConfigs-DpslkAQd.js";
-import { buildSetRecoveryEmailsActions, checkCanRegisterUserContractCall, executeDeviceLinkingContractCalls, getAuthenticatorsByUser, getCredentialIdsContractCall, getDeviceLinkingAccountContractCall, getEmailRecoveryVerificationResult, getRecoveryEmailHashesContractCall, init_rpcCalls, syncAuthenticatorsContractCall, verifyAuthenticationResponse } from "./rpcCalls-YVeUVMk2.js";
+import "./defaultConfigs-CfQDV-ya.js";
+import { buildSetRecoveryEmailsActions, checkCanRegisterUserContractCall, executeDeviceLinkingContractCalls, getAuthenticatorsByUser, getCredentialIdsContractCall, getDeviceLinkingAccountContractCall, getEmailRecoveryAttempt, getRecoveryEmailHashesContractCall, init_rpcCalls, syncAuthenticatorsContractCall, verifyAuthenticationResponse } from "./rpcCalls-DZZSa-sk.js";
 
 init_rpcCalls();
-export { getEmailRecoveryVerificationResult, syncAuthenticatorsContractCall };
+export { syncAuthenticatorsContractCall };

package/dist/esm/sdk/{rpcCalls-YVeUVMk2.js → rpcCalls-DZZSa-sk.js}

@@ -3,15 +3,29 @@ import { base64UrlDecode, base64UrlEncode } from "./base64-DBPGuXh4.js";
 import { ActionType, init_actions } from "./actions-O1FD5Bq8.js";
 import { errorMessage, init_encoders, init_errors } from "./errors-D9ar28Dr.js";
 import { ActionPhase, DEFAULT_WAIT_STATUS, DeviceLinkingPhase, DeviceLinkingStatus, init_rpc, init_sdkSentEvents } from "./sdkSentEvents-_jrJLIhw.js";
-import { DEFAULT_EMAIL_RECOVERY_CONTRACTS, init_defaultConfigs } from "./defaultConfigs-DpslkAQd.js";
+import { DEFAULT_EMAIL_RECOVERY_CONTRACTS, init_defaultConfigs } from "./defaultConfigs-CfQDV-ya.js";
 
 //#region src/core/rpcCalls.ts
-async function getEmailRecoveryVerificationResult(nearClient, dkimVerifierAccountId, verificationViewMethod, requestId) {
-	return await nearClient.view({
-		account: dkimVerifierAccountId,
-		method: verificationViewMethod,
+async function getEmailRecoveryAttempt(nearClient, accountId, requestId) {
+	const raw = await nearClient.view({
+		account: accountId,
+		method: "get_recovery_attempt",
 		args: { request_id: requestId }
 	});
+	if (!raw) return null;
+	const statusRaw = raw.status;
+	const status = (() => {
+		if (typeof statusRaw === "string") return statusRaw.trim();
+		if (statusRaw && typeof statusRaw === "object") {
+			const keys = Object.keys(statusRaw);
+			if (keys.length === 1) return String(keys[0] || "").trim();
+		}
+		return "";
+	})();
+	return {
+		...raw,
+		status
+	};
 }
 /**
 * Query the contract to get the account linked to a device public key
@@ -223,14 +237,26 @@ async function syncAuthenticatorsContractCall(nearClient, contractId, accountId)
 		return [];
 	}
 }
+async function hasDeployedContractCode(nearClient, accountId) {
+	try {
+		const account = await nearClient.viewAccount(accountId);
+		const codeHash = account?.code_hash;
+		const globalContractHash = account?.global_contract_hash;
+		const globalContractAccountId = account?.global_contract_account_id;
+		const hasLocalCode = typeof codeHash === "string" && codeHash !== EMPTY_NEAR_CODE_HASH;
+		const hasGlobalCode = typeof globalContractHash === "string" && globalContractHash.trim().length > 0 || typeof globalContractAccountId === "string" && globalContractAccountId.trim().length > 0;
+		return hasLocalCode || hasGlobalCode;
+	} catch {
+		return false;
+	}
+}
 /**
 * Fetch on-chain recovery email hashes from the per-account contract.
 * Returns [] when no contract is deployed or on failure.
 */
 async function getRecoveryEmailHashesContractCall(nearClient, accountId) {
 	try {
-		const code = await nearClient.viewCode(accountId);
-		const hasContract = !!code && code.byteLength > 0;
+		const hasContract = await hasDeployedContractCode(nearClient, accountId);
 		if (!hasContract) return [];
 		const hashes = await nearClient.view({
 			account: accountId,
@@ -239,7 +265,6 @@ async function getRecoveryEmailHashesContractCall(nearClient, accountId) {
 		});
 		return Array.isArray(hashes) ? hashes : [];
 	} catch (error) {
-		console.error("[rpcCalls] Failed to fetch recovery email hashes", error);
 		return [];
 	}
 }
@@ -248,27 +273,24 @@ async function getRecoveryEmailHashesContractCall(nearClient, accountId) {
 * If the per-account contract is missing, deploy/attach the global recoverer via `init_email_recovery`.
 */
 async function buildSetRecoveryEmailsActions(nearClient, accountId, recoveryEmailHashes, contracts = DEFAULT_EMAIL_RECOVERY_CONTRACTS) {
-	let hasContract = false;
-	try {
-		const code = await nearClient.viewCode(accountId);
-		hasContract = !!code && code.byteLength > 0;
-	} catch {
-		hasContract = false;
-	}
+	const hasContract = await hasDeployedContractCode(nearClient, accountId);
 	const { emailRecovererGlobalContract, zkEmailVerifierContract, emailDkimVerifierContract } = contracts;
-	return hasContract ? [{
-		type: ActionType.UseGlobalContract,
-		accountId: emailRecovererGlobalContract
-	}, {
-		type: ActionType.FunctionCall,
-		methodName: "set_recovery_emails",
-		args: { recovery_emails: recoveryEmailHashes },
-		gas: "80000000000000",
-		deposit: "0"
-	}] : [{
+	let shouldInit = !hasContract;
+	if (!shouldInit) try {
+		await nearClient.view({
+			account: accountId,
+			method: "get_recovery_emails",
+			args: {}
+		});
+	} catch (err) {
+		const msg = errorMessage(err);
+		if (/Cannot deserialize the contract state/i.test(msg) || /CodeDoesNotExist/i.test(msg) || /MethodNotFound/i.test(msg)) shouldInit = true;
+	}
+	const base = [{
 		type: ActionType.UseGlobalContract,
 		accountId: emailRecovererGlobalContract
-	}, {
+	}];
+	return shouldInit ? [...base, {
 		type: ActionType.FunctionCall,
 		methodName: "init_email_recovery",
 		args: {
@@ -279,6 +301,12 @@ async function buildSetRecoveryEmailsActions(nearClient, accountId, recoveryEmai
 		},
 		gas: "80000000000000",
 		deposit: "0"
+	}] : [...base, {
+		type: ActionType.FunctionCall,
+		methodName: "set_recovery_emails",
+		args: { recovery_emails: recoveryEmailHashes },
+		gas: "80000000000000",
+		deposit: "0"
 	}];
 }
 /**
@@ -384,6 +412,7 @@ async function verifyAuthenticationResponse(relayServerUrl, routePath, sessionKi
 		};
 	}
 }
+var EMPTY_NEAR_CODE_HASH;
 var init_rpcCalls = __esm({ "src/core/rpcCalls.ts": (() => {
 	init_sdkSentEvents();
 	init_actions();
@@ -391,7 +420,8 @@ var init_rpcCalls = __esm({ "src/core/rpcCalls.ts": (() => {
 	init_encoders();
 	init_errors();
 	init_defaultConfigs();
+	EMPTY_NEAR_CODE_HASH = "11111111111111111111111111111111";
 }) });
 
 //#endregion
-export { buildSetRecoveryEmailsActions, checkCanRegisterUserContractCall, executeDeviceLinkingContractCalls, getAuthenticatorsByUser, getCredentialIdsContractCall, getDeviceLinkingAccountContractCall, getEmailRecoveryVerificationResult, getRecoveryEmailHashesContractCall, init_rpcCalls, syncAuthenticatorsContractCall, verifyAuthenticationResponse };
+export { buildSetRecoveryEmailsActions, checkCanRegisterUserContractCall, executeDeviceLinkingContractCalls, getAuthenticatorsByUser, getCredentialIdsContractCall, getDeviceLinkingAccountContractCall, getEmailRecoveryAttempt, getRecoveryEmailHashesContractCall, init_rpcCalls, syncAuthenticatorsContractCall, verifyAuthenticationResponse };

package/dist/esm/sdk/{transactions-bqaAwL4k.js → transactions-Cn9xTWlK.js}

@@ -1,6 +1,6 @@
 import { ERROR_MESSAGES, SecureConfirmationType, getIntentDigest, getNearAccountId, getSignTransactionPayload, getTxCount, isUserCancelledSecureConfirm, toAccountId, toError } from "./requestHelpers-aUKhXiEl.js";
 import "./validation-DhPPUba7.js";
-import { PASSKEY_MANAGER_DEFAULT_CONFIGS, getLastLoggedInDeviceNumber } from "./getDeviceNumber-fXizNGQl.js";
+import { PASSKEY_MANAGER_DEFAULT_CONFIGS, getLastLoggedInDeviceNumber } from "./getDeviceNumber-BpernPnM.js";
 import { createConfirmSession, createConfirmTxFlowAdapters } from "./createAdapters-Yga6W0en.js";
 import "./css-loader-BrMMlG4X.js";
 import "./lit-events-BKobq01K.js";
@@ -163,4 +163,4 @@ async function handleTransactionSigningFlow(ctx, request, worker, opts) {
 
 //#endregion
 export { handleTransactionSigningFlow };
-//# sourceMappingURL=transactions-bqaAwL4k.js.map
+//# sourceMappingURL=transactions-Cn9xTWlK.js.map

package/dist/esm/sdk/{transactions-bqaAwL4k.js.map → transactions-Cn9xTWlK.js.map}

@@ -1 +1 @@
-{"version":3,"file":"transactions-bqaAwL4k.js","names":["uiVrfChallenge: VRFChallenge | undefined","uiVrfChallengeForUi: Partial<VRFChallenge> | undefined","err: unknown","contractId: string | undefined","nearRpcUrl: string | undefined"],"sources":["../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.ts"],"sourcesContent":["import type { VrfWorkerManagerContext } from '../../';\nimport type { ConfirmationConfig } from '../../../../types/signer-worker';\nimport {\n  SecureConfirmationType,\n  TransactionSummary,\n  SigningSecureConfirmRequest,\n  SigningAuthMode,\n} from '../types';\nimport { VRFChallenge, TransactionContext } from '../../../../types';\nimport {\n  getNearAccountId,\n  getIntentDigest,\n  getTxCount,\n  isUserCancelledSecureConfirm,\n  ERROR_MESSAGES,\n  getSignTransactionPayload,\n} from './index';\nimport { toAccountId } from '../../../../types/accountIds';\nimport { getLastLoggedInDeviceNumber } from '../../../SignerWorkerManager/getDeviceNumber';\nimport { toError } from '../../../../../utils/errors';\nimport { PASSKEY_MANAGER_DEFAULT_CONFIGS } from '../../../../defaultConfigs';\nimport { createConfirmSession } from '../adapters/session';\nimport { createConfirmTxFlowAdapters } from '../adapters/createAdapters';\n\nfunction getSigningAuthMode(request: SigningSecureConfirmRequest): SigningAuthMode {\n  if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {\n    return getSignTransactionPayload(request).signingAuthMode ?? 'webauthn';\n  }\n  if (request.type === SecureConfirmationType.SIGN_NEP413_MESSAGE) {\n    const p = request.payload as any;\n    return (p?.signingAuthMode as SigningAuthMode | undefined) ?? 'webauthn';\n  }\n  return 'webauthn';\n}\n\nexport async function handleTransactionSigningFlow(\n  ctx: VrfWorkerManagerContext,\n  request: SigningSecureConfirmRequest,\n  worker: Worker,\n  opts: { confirmationConfig: ConfirmationConfig; transactionSummary: TransactionSummary },\n): Promise<void> {\n  const { confirmationConfig, transactionSummary } = opts;\n  const adapters = createConfirmTxFlowAdapters(ctx);\n  const session = createConfirmSession({\n    adapters,\n    worker,\n    request,\n    confirmationConfig,\n    transactionSummary,\n  });\n  const nearAccountId = getNearAccountId(request);\n  const signingAuthMode = getSigningAuthMode(request);\n  const usesNeeded = getTxCount(request);\n\n  // 1) NEAR context + nonce reservation\n  const nearRpc = await adapters.near.fetchNearContext({ nearAccountId, txCount: usesNeeded, reserveNonces: true });\n  if (nearRpc.error && !nearRpc.transactionContext) {\n    // eslint-disable-next-line no-console\n    console.error('[SigningFlow] fetchNearContext failed', { error: nearRpc.error, details: nearRpc.details });\n    return session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: false,\n      error: `${ERROR_MESSAGES.nearRpcFailed}: ${nearRpc.details}`,\n    });\n  }\n  session.setReservedNonces(nearRpc.reservedNonces);\n  let transactionContext = nearRpc.transactionContext as TransactionContext;\n\n  // 2) Security context shown in the confirmer (rpId + block height).\n  // For warmSession signing we still want to show this context even though\n  // we won't collect a WebAuthn credential.\n  const rpId = adapters.vrf.getRpId();\n  let uiVrfChallenge: VRFChallenge | undefined;\n  let uiVrfChallengeForUi: Partial<VRFChallenge> | undefined = rpId\n    ? {\n        userId: nearAccountId,\n        rpId,\n        blockHeight: transactionContext.txBlockHeight,\n        blockHash: transactionContext.txBlockHash,\n      }\n    : undefined;\n\n  // Initial VRF challenge (only needed for WebAuthn credential collection)\n  if (signingAuthMode === 'webauthn') {\n    uiVrfChallenge = await adapters.vrf.generateVrfChallengeForSession(\n      {\n        userId: nearAccountId,\n        rpId,\n        blockHeight: transactionContext.txBlockHeight,\n        blockHash: transactionContext.txBlockHash,\n      },\n      request.requestId,\n    );\n    uiVrfChallengeForUi = uiVrfChallenge;\n  }\n\n  // 3) UI confirm\n  const { confirmed, error: uiError } = await session.promptUser({ vrfChallenge: uiVrfChallengeForUi });\n  if (!confirmed) {\n    return session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: false,\n      error: uiError,\n    });\n  }\n\n  // 4) Warm session: dispense WrapKeySeed and skip WebAuthn\n  if (signingAuthMode === 'warmSession') {\n    try {\n      await adapters.vrf.dispenseSessionKey({ sessionId: request.requestId, uses: usesNeeded });\n    } catch (err: unknown) {\n      const msg = String((toError(err))?.message || err || '');\n      return session.confirmAndCloseModal({\n        requestId: request.requestId,\n        intentDigest: getIntentDigest(request),\n        confirmed: false,\n        error: msg || 'Failed to dispense warm session key',\n      });\n    }\n\n    session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: true,\n      transactionContext,\n    });\n    return;\n  }\n\n  // 5) JIT refresh VRF + ctx (best-effort)\n  try {\n    const refreshed = await adapters.vrf.maybeRefreshVrfChallenge(request, nearAccountId);\n    uiVrfChallenge = refreshed.vrfChallenge;\n    transactionContext = refreshed.transactionContext;\n    session.updateUI({ vrfChallenge: uiVrfChallenge });\n  } catch (e) {\n    console.debug('[SigningFlow] VRF JIT refresh skipped', e);\n  }\n\n  // 6) Collect authentication credential\n  try {\n    if (!uiVrfChallenge) {\n      throw new Error('Missing vrfChallenge for WebAuthn signing flow');\n    }\n    const serializedCredential = await adapters.webauthn.collectAuthenticationCredentialWithPRF({\n      nearAccountId,\n      vrfChallenge: uiVrfChallenge,\n    });\n\n    // 5c) Derive WrapKeySeed inside the VRF worker and deliver it to the signer worker via\n    // the reserved WrapKeySeed MessagePort. Main thread only sees wrapKeySalt metadata.\n    let contractId: string | undefined;\n    let nearRpcUrl: string | undefined;\n    try {\n      // Ensure VRF session is active and bound to the same account we are signing for.\n      const vrfStatus = await adapters.vrf.checkVrfStatus();\n      if (!vrfStatus.active) {\n        throw new Error('VRF keypair not active in memory. VRF session may have expired or was not properly initialized. Please refresh and try again.');\n      }\n      if (!vrfStatus.nearAccountId || String(vrfStatus.nearAccountId) !== String(toAccountId(nearAccountId))) {\n        throw new Error('VRF session is active but bound to a different account than the one being signed. Please log in again on this device.');\n      }\n\n      const deviceNumber = await getLastLoggedInDeviceNumber(toAccountId(nearAccountId), ctx.indexedDB.clientDB);\n      const encryptedKeyData = await ctx.indexedDB.nearKeysDB.getEncryptedKey(nearAccountId, deviceNumber);\n      // For v2+ vaults, wrapKeySalt is the canonical salt.\n      const wrapKeySalt = encryptedKeyData?.wrapKeySalt || '';\n      if (!wrapKeySalt) {\n        throw new Error('Missing wrapKeySalt in vault; re-register to upgrade vault format.');\n      }\n\n      // Extract contract verification context when available.\n      // - SIGN_TRANSACTION: use per-request rpcCall (already normalized by caller).\n      // - SIGN_NEP413_MESSAGE: allow per-request override; fall back to PASSKEY_MANAGER_DEFAULT_CONFIGS.\n      if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {\n        const payload = getSignTransactionPayload(request);\n        contractId = payload?.rpcCall?.contractId;\n        nearRpcUrl = payload?.rpcCall?.nearRpcUrl;\n      } else if (request.type === SecureConfirmationType.SIGN_NEP413_MESSAGE) {\n        const payload = request.payload as any;\n        contractId = payload?.contractId\n          || PASSKEY_MANAGER_DEFAULT_CONFIGS.contractId;\n        nearRpcUrl = payload?.nearRpcUrl\n          || PASSKEY_MANAGER_DEFAULT_CONFIGS.nearRpcUrl;\n      }\n\n      await adapters.vrf.mintSessionKeysAndSendToSigner({\n        sessionId: request.requestId,\n        wrapKeySalt,\n        contractId,\n        nearRpcUrl,\n        credential: serializedCredential,\n      });\n\t    } catch (err) {\n\t      console.error('[SigningFlow] WrapKeySeed derivation failed:', err);\n\t      throw err; // Don't silently ignore - propagate the error\n\t    }\n\n    // 6) Respond; keep nonces reserved for worker to use\n    session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: true,\n      credential: serializedCredential,\n      // prfOutput intentionally omitted to keep signer PRF-free\n      // WrapKeySeed travels only over the dedicated VRF→Signer MessagePort; do not echo in the main-thread envelope\n      vrfChallenge: uiVrfChallenge,\n      transactionContext,\n    });\n  } catch (err: unknown) {\n    // Treat TouchID/FaceID cancellation and related errors as a negative decision\n    const cancelled = isUserCancelledSecureConfirm(err);\n    // For missing PRF outputs, surface the error to caller (defensive path tests expect a throw)\n    const msg = String((toError(err))?.message || err || '');\n    if (/Missing PRF result/i.test(msg) || /Missing PRF results/i.test(msg)) {\n      // Ensure UI is closed and nonces released, then rethrow\n      return session.cleanupAndRethrow(err);\n    }\n    if (cancelled) {\n      window.parent?.postMessage({ type: 'WALLET_UI_CLOSED' }, '*');\n    }\n    const isWrongPasskeyError = /multiple passkeys \\(devicenumbers\\) for account/i.test(msg);\n    return session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: false,\n      error: cancelled\n        ? ERROR_MESSAGES.cancelled\n        : (isWrongPasskeyError ? msg : ERROR_MESSAGES.collectCredentialsFailed),\n    });\n  }\n}\n"],"mappings":";;;;;;;;;AAwBA,SAAS,mBAAmB,SAAuD;AACjF,KAAI,QAAQ,SAAS,uBAAuB,iBAC1C,QAAO,0BAA0B,SAAS,mBAAmB;AAE/D,KAAI,QAAQ,SAAS,uBAAuB,qBAAqB;EAC/D,MAAM,IAAI,QAAQ;AAClB,SAAQ,GAAG,mBAAmD;;AAEhE,QAAO;;AAGT,eAAsB,6BACpB,KACA,SACA,QACA,MACe;CACf,MAAM,EAAE,oBAAoB,uBAAuB;CACnD,MAAM,WAAW,4BAA4B;CAC7C,MAAM,UAAU,qBAAqB;EACnC;EACA;EACA;EACA;EACA;;CAEF,MAAM,gBAAgB,iBAAiB;CACvC,MAAM,kBAAkB,mBAAmB;CAC3C,MAAM,aAAa,WAAW;CAG9B,MAAM,UAAU,MAAM,SAAS,KAAK,iBAAiB;EAAE;EAAe,SAAS;EAAY,eAAe;;AAC1G,KAAI,QAAQ,SAAS,CAAC,QAAQ,oBAAoB;AAEhD,UAAQ,MAAM,yCAAyC;GAAE,OAAO,QAAQ;GAAO,SAAS,QAAQ;;AAChG,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,GAAG,eAAe,cAAc,IAAI,QAAQ;;;AAGvD,SAAQ,kBAAkB,QAAQ;CAClC,IAAI,qBAAqB,QAAQ;CAKjC,MAAM,OAAO,SAAS,IAAI;CAC1B,IAAIA;CACJ,IAAIC,sBAAyD,OACzD;EACE,QAAQ;EACR;EACA,aAAa,mBAAmB;EAChC,WAAW,mBAAmB;KAEhC;AAGJ,KAAI,oBAAoB,YAAY;AAClC,mBAAiB,MAAM,SAAS,IAAI,+BAClC;GACE,QAAQ;GACR;GACA,aAAa,mBAAmB;GAChC,WAAW,mBAAmB;KAEhC,QAAQ;AAEV,wBAAsB;;CAIxB,MAAM,EAAE,WAAW,OAAO,YAAY,MAAM,QAAQ,WAAW,EAAE,cAAc;AAC/E,KAAI,CAAC,UACH,QAAO,QAAQ,qBAAqB;EAClC,WAAW,QAAQ;EACnB,cAAc,gBAAgB;EAC9B,WAAW;EACX,OAAO;;AAKX,KAAI,oBAAoB,eAAe;AACrC,MAAI;AACF,SAAM,SAAS,IAAI,mBAAmB;IAAE,WAAW,QAAQ;IAAW,MAAM;;WACrEC,KAAc;GACrB,MAAM,MAAM,OAAQ,QAAQ,MAAO,WAAW,OAAO;AACrD,UAAO,QAAQ,qBAAqB;IAClC,WAAW,QAAQ;IACnB,cAAc,gBAAgB;IAC9B,WAAW;IACX,OAAO,OAAO;;;AAIlB,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX;;AAEF;;AAIF,KAAI;EACF,MAAM,YAAY,MAAM,SAAS,IAAI,yBAAyB,SAAS;AACvE,mBAAiB,UAAU;AAC3B,uBAAqB,UAAU;AAC/B,UAAQ,SAAS,EAAE,cAAc;UAC1B,GAAG;AACV,UAAQ,MAAM,yCAAyC;;AAIzD,KAAI;AACF,MAAI,CAAC,eACH,OAAM,IAAI,MAAM;EAElB,MAAM,uBAAuB,MAAM,SAAS,SAAS,uCAAuC;GAC1F;GACA,cAAc;;EAKhB,IAAIC;EACJ,IAAIC;AACJ,MAAI;GAEF,MAAM,YAAY,MAAM,SAAS,IAAI;AACrC,OAAI,CAAC,UAAU,OACb,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,UAAU,iBAAiB,OAAO,UAAU,mBAAmB,OAAO,YAAY,gBACrF,OAAM,IAAI,MAAM;GAGlB,MAAM,eAAe,MAAM,4BAA4B,YAAY,gBAAgB,IAAI,UAAU;GACjG,MAAM,mBAAmB,MAAM,IAAI,UAAU,WAAW,gBAAgB,eAAe;GAEvF,MAAM,cAAc,kBAAkB,eAAe;AACrD,OAAI,CAAC,YACH,OAAM,IAAI,MAAM;AAMlB,OAAI,QAAQ,SAAS,uBAAuB,kBAAkB;IAC5D,MAAM,UAAU,0BAA0B;AAC1C,iBAAa,SAAS,SAAS;AAC/B,iBAAa,SAAS,SAAS;cACtB,QAAQ,SAAS,uBAAuB,qBAAqB;IACtE,MAAM,UAAU,QAAQ;AACxB,iBAAa,SAAS,cACjB,gCAAgC;AACrC,iBAAa,SAAS,cACjB,gCAAgC;;AAGvC,SAAM,SAAS,IAAI,+BAA+B;IAChD,WAAW,QAAQ;IACnB;IACA;IACA;IACA,YAAY;;WAEN,KAAK;AACZ,WAAQ,MAAM,gDAAgD;AAC9D,SAAM;;AAIT,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,YAAY;GAGZ,cAAc;GACd;;UAEKF,KAAc;EAErB,MAAM,YAAY,6BAA6B;EAE/C,MAAM,MAAM,OAAQ,QAAQ,MAAO,WAAW,OAAO;AACrD,MAAI,sBAAsB,KAAK,QAAQ,uBAAuB,KAAK,KAEjE,QAAO,QAAQ,kBAAkB;AAEnC,MAAI,UACF,QAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;EAE3D,MAAM,sBAAsB,mDAAmD,KAAK;AACpF,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,YACH,eAAe,YACd,sBAAsB,MAAM,eAAe"}
+{"version":3,"file":"transactions-Cn9xTWlK.js","names":["uiVrfChallenge: VRFChallenge | undefined","uiVrfChallengeForUi: Partial<VRFChallenge> | undefined","err: unknown","contractId: string | undefined","nearRpcUrl: string | undefined"],"sources":["../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/transactions.ts"],"sourcesContent":["import type { VrfWorkerManagerContext } from '../../';\nimport type { ConfirmationConfig } from '../../../../types/signer-worker';\nimport {\n  SecureConfirmationType,\n  TransactionSummary,\n  SigningSecureConfirmRequest,\n  SigningAuthMode,\n} from '../types';\nimport { VRFChallenge, TransactionContext } from '../../../../types';\nimport {\n  getNearAccountId,\n  getIntentDigest,\n  getTxCount,\n  isUserCancelledSecureConfirm,\n  ERROR_MESSAGES,\n  getSignTransactionPayload,\n} from './index';\nimport { toAccountId } from '../../../../types/accountIds';\nimport { getLastLoggedInDeviceNumber } from '../../../SignerWorkerManager/getDeviceNumber';\nimport { toError } from '../../../../../utils/errors';\nimport { PASSKEY_MANAGER_DEFAULT_CONFIGS } from '../../../../defaultConfigs';\nimport { createConfirmSession } from '../adapters/session';\nimport { createConfirmTxFlowAdapters } from '../adapters/createAdapters';\n\nfunction getSigningAuthMode(request: SigningSecureConfirmRequest): SigningAuthMode {\n  if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {\n    return getSignTransactionPayload(request).signingAuthMode ?? 'webauthn';\n  }\n  if (request.type === SecureConfirmationType.SIGN_NEP413_MESSAGE) {\n    const p = request.payload as any;\n    return (p?.signingAuthMode as SigningAuthMode | undefined) ?? 'webauthn';\n  }\n  return 'webauthn';\n}\n\nexport async function handleTransactionSigningFlow(\n  ctx: VrfWorkerManagerContext,\n  request: SigningSecureConfirmRequest,\n  worker: Worker,\n  opts: { confirmationConfig: ConfirmationConfig; transactionSummary: TransactionSummary },\n): Promise<void> {\n  const { confirmationConfig, transactionSummary } = opts;\n  const adapters = createConfirmTxFlowAdapters(ctx);\n  const session = createConfirmSession({\n    adapters,\n    worker,\n    request,\n    confirmationConfig,\n    transactionSummary,\n  });\n  const nearAccountId = getNearAccountId(request);\n  const signingAuthMode = getSigningAuthMode(request);\n  const usesNeeded = getTxCount(request);\n\n  // 1) NEAR context + nonce reservation\n  const nearRpc = await adapters.near.fetchNearContext({ nearAccountId, txCount: usesNeeded, reserveNonces: true });\n  if (nearRpc.error && !nearRpc.transactionContext) {\n    // eslint-disable-next-line no-console\n    console.error('[SigningFlow] fetchNearContext failed', { error: nearRpc.error, details: nearRpc.details });\n    return session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: false,\n      error: `${ERROR_MESSAGES.nearRpcFailed}: ${nearRpc.details}`,\n    });\n  }\n  session.setReservedNonces(nearRpc.reservedNonces);\n  let transactionContext = nearRpc.transactionContext as TransactionContext;\n\n  // 2) Security context shown in the confirmer (rpId + block height).\n  // For warmSession signing we still want to show this context even though\n  // we won't collect a WebAuthn credential.\n  const rpId = adapters.vrf.getRpId();\n  let uiVrfChallenge: VRFChallenge | undefined;\n  let uiVrfChallengeForUi: Partial<VRFChallenge> | undefined = rpId\n    ? {\n        userId: nearAccountId,\n        rpId,\n        blockHeight: transactionContext.txBlockHeight,\n        blockHash: transactionContext.txBlockHash,\n      }\n    : undefined;\n\n  // Initial VRF challenge (only needed for WebAuthn credential collection)\n  if (signingAuthMode === 'webauthn') {\n    uiVrfChallenge = await adapters.vrf.generateVrfChallengeForSession(\n      {\n        userId: nearAccountId,\n        rpId,\n        blockHeight: transactionContext.txBlockHeight,\n        blockHash: transactionContext.txBlockHash,\n      },\n      request.requestId,\n    );\n    uiVrfChallengeForUi = uiVrfChallenge;\n  }\n\n  // 3) UI confirm\n  const { confirmed, error: uiError } = await session.promptUser({ vrfChallenge: uiVrfChallengeForUi });\n  if (!confirmed) {\n    return session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: false,\n      error: uiError,\n    });\n  }\n\n  // 4) Warm session: dispense WrapKeySeed and skip WebAuthn\n  if (signingAuthMode === 'warmSession') {\n    try {\n      await adapters.vrf.dispenseSessionKey({ sessionId: request.requestId, uses: usesNeeded });\n    } catch (err: unknown) {\n      const msg = String((toError(err))?.message || err || '');\n      return session.confirmAndCloseModal({\n        requestId: request.requestId,\n        intentDigest: getIntentDigest(request),\n        confirmed: false,\n        error: msg || 'Failed to dispense warm session key',\n      });\n    }\n\n    session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: true,\n      transactionContext,\n    });\n    return;\n  }\n\n  // 5) JIT refresh VRF + ctx (best-effort)\n  try {\n    const refreshed = await adapters.vrf.maybeRefreshVrfChallenge(request, nearAccountId);\n    uiVrfChallenge = refreshed.vrfChallenge;\n    transactionContext = refreshed.transactionContext;\n    session.updateUI({ vrfChallenge: uiVrfChallenge });\n  } catch (e) {\n    console.debug('[SigningFlow] VRF JIT refresh skipped', e);\n  }\n\n  // 6) Collect authentication credential\n  try {\n    if (!uiVrfChallenge) {\n      throw new Error('Missing vrfChallenge for WebAuthn signing flow');\n    }\n    const serializedCredential = await adapters.webauthn.collectAuthenticationCredentialWithPRF({\n      nearAccountId,\n      vrfChallenge: uiVrfChallenge,\n    });\n\n    // 5c) Derive WrapKeySeed inside the VRF worker and deliver it to the signer worker via\n    // the reserved WrapKeySeed MessagePort. Main thread only sees wrapKeySalt metadata.\n    let contractId: string | undefined;\n    let nearRpcUrl: string | undefined;\n    try {\n      // Ensure VRF session is active and bound to the same account we are signing for.\n      const vrfStatus = await adapters.vrf.checkVrfStatus();\n      if (!vrfStatus.active) {\n        throw new Error('VRF keypair not active in memory. VRF session may have expired or was not properly initialized. Please refresh and try again.');\n      }\n      if (!vrfStatus.nearAccountId || String(vrfStatus.nearAccountId) !== String(toAccountId(nearAccountId))) {\n        throw new Error('VRF session is active but bound to a different account than the one being signed. Please log in again on this device.');\n      }\n\n      const deviceNumber = await getLastLoggedInDeviceNumber(toAccountId(nearAccountId), ctx.indexedDB.clientDB);\n      const encryptedKeyData = await ctx.indexedDB.nearKeysDB.getEncryptedKey(nearAccountId, deviceNumber);\n      // For v2+ vaults, wrapKeySalt is the canonical salt.\n      const wrapKeySalt = encryptedKeyData?.wrapKeySalt || '';\n      if (!wrapKeySalt) {\n        throw new Error('Missing wrapKeySalt in vault; re-register to upgrade vault format.');\n      }\n\n      // Extract contract verification context when available.\n      // - SIGN_TRANSACTION: use per-request rpcCall (already normalized by caller).\n      // - SIGN_NEP413_MESSAGE: allow per-request override; fall back to PASSKEY_MANAGER_DEFAULT_CONFIGS.\n      if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {\n        const payload = getSignTransactionPayload(request);\n        contractId = payload?.rpcCall?.contractId;\n        nearRpcUrl = payload?.rpcCall?.nearRpcUrl;\n      } else if (request.type === SecureConfirmationType.SIGN_NEP413_MESSAGE) {\n        const payload = request.payload as any;\n        contractId = payload?.contractId\n          || PASSKEY_MANAGER_DEFAULT_CONFIGS.contractId;\n        nearRpcUrl = payload?.nearRpcUrl\n          || PASSKEY_MANAGER_DEFAULT_CONFIGS.nearRpcUrl;\n      }\n\n      await adapters.vrf.mintSessionKeysAndSendToSigner({\n        sessionId: request.requestId,\n        wrapKeySalt,\n        contractId,\n        nearRpcUrl,\n        credential: serializedCredential,\n      });\n\t    } catch (err) {\n\t      console.error('[SigningFlow] WrapKeySeed derivation failed:', err);\n\t      throw err; // Don't silently ignore - propagate the error\n\t    }\n\n    // 6) Respond; keep nonces reserved for worker to use\n    session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: true,\n      credential: serializedCredential,\n      // prfOutput intentionally omitted to keep signer PRF-free\n      // WrapKeySeed travels only over the dedicated VRF→Signer MessagePort; do not echo in the main-thread envelope\n      vrfChallenge: uiVrfChallenge,\n      transactionContext,\n    });\n  } catch (err: unknown) {\n    // Treat TouchID/FaceID cancellation and related errors as a negative decision\n    const cancelled = isUserCancelledSecureConfirm(err);\n    // For missing PRF outputs, surface the error to caller (defensive path tests expect a throw)\n    const msg = String((toError(err))?.message || err || '');\n    if (/Missing PRF result/i.test(msg) || /Missing PRF results/i.test(msg)) {\n      // Ensure UI is closed and nonces released, then rethrow\n      return session.cleanupAndRethrow(err);\n    }\n    if (cancelled) {\n      window.parent?.postMessage({ type: 'WALLET_UI_CLOSED' }, '*');\n    }\n    const isWrongPasskeyError = /multiple passkeys \\(devicenumbers\\) for account/i.test(msg);\n    return session.confirmAndCloseModal({\n      requestId: request.requestId,\n      intentDigest: getIntentDigest(request),\n      confirmed: false,\n      error: cancelled\n        ? ERROR_MESSAGES.cancelled\n        : (isWrongPasskeyError ? msg : ERROR_MESSAGES.collectCredentialsFailed),\n    });\n  }\n}\n"],"mappings":";;;;;;;;;AAwBA,SAAS,mBAAmB,SAAuD;AACjF,KAAI,QAAQ,SAAS,uBAAuB,iBAC1C,QAAO,0BAA0B,SAAS,mBAAmB;AAE/D,KAAI,QAAQ,SAAS,uBAAuB,qBAAqB;EAC/D,MAAM,IAAI,QAAQ;AAClB,SAAQ,GAAG,mBAAmD;;AAEhE,QAAO;;AAGT,eAAsB,6BACpB,KACA,SACA,QACA,MACe;CACf,MAAM,EAAE,oBAAoB,uBAAuB;CACnD,MAAM,WAAW,4BAA4B;CAC7C,MAAM,UAAU,qBAAqB;EACnC;EACA;EACA;EACA;EACA;;CAEF,MAAM,gBAAgB,iBAAiB;CACvC,MAAM,kBAAkB,mBAAmB;CAC3C,MAAM,aAAa,WAAW;CAG9B,MAAM,UAAU,MAAM,SAAS,KAAK,iBAAiB;EAAE;EAAe,SAAS;EAAY,eAAe;;AAC1G,KAAI,QAAQ,SAAS,CAAC,QAAQ,oBAAoB;AAEhD,UAAQ,MAAM,yCAAyC;GAAE,OAAO,QAAQ;GAAO,SAAS,QAAQ;;AAChG,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,GAAG,eAAe,cAAc,IAAI,QAAQ;;;AAGvD,SAAQ,kBAAkB,QAAQ;CAClC,IAAI,qBAAqB,QAAQ;CAKjC,MAAM,OAAO,SAAS,IAAI;CAC1B,IAAIA;CACJ,IAAIC,sBAAyD,OACzD;EACE,QAAQ;EACR;EACA,aAAa,mBAAmB;EAChC,WAAW,mBAAmB;KAEhC;AAGJ,KAAI,oBAAoB,YAAY;AAClC,mBAAiB,MAAM,SAAS,IAAI,+BAClC;GACE,QAAQ;GACR;GACA,aAAa,mBAAmB;GAChC,WAAW,mBAAmB;KAEhC,QAAQ;AAEV,wBAAsB;;CAIxB,MAAM,EAAE,WAAW,OAAO,YAAY,MAAM,QAAQ,WAAW,EAAE,cAAc;AAC/E,KAAI,CAAC,UACH,QAAO,QAAQ,qBAAqB;EAClC,WAAW,QAAQ;EACnB,cAAc,gBAAgB;EAC9B,WAAW;EACX,OAAO;;AAKX,KAAI,oBAAoB,eAAe;AACrC,MAAI;AACF,SAAM,SAAS,IAAI,mBAAmB;IAAE,WAAW,QAAQ;IAAW,MAAM;;WACrEC,KAAc;GACrB,MAAM,MAAM,OAAQ,QAAQ,MAAO,WAAW,OAAO;AACrD,UAAO,QAAQ,qBAAqB;IAClC,WAAW,QAAQ;IACnB,cAAc,gBAAgB;IAC9B,WAAW;IACX,OAAO,OAAO;;;AAIlB,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX;;AAEF;;AAIF,KAAI;EACF,MAAM,YAAY,MAAM,SAAS,IAAI,yBAAyB,SAAS;AACvE,mBAAiB,UAAU;AAC3B,uBAAqB,UAAU;AAC/B,UAAQ,SAAS,EAAE,cAAc;UAC1B,GAAG;AACV,UAAQ,MAAM,yCAAyC;;AAIzD,KAAI;AACF,MAAI,CAAC,eACH,OAAM,IAAI,MAAM;EAElB,MAAM,uBAAuB,MAAM,SAAS,SAAS,uCAAuC;GAC1F;GACA,cAAc;;EAKhB,IAAIC;EACJ,IAAIC;AACJ,MAAI;GAEF,MAAM,YAAY,MAAM,SAAS,IAAI;AACrC,OAAI,CAAC,UAAU,OACb,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,UAAU,iBAAiB,OAAO,UAAU,mBAAmB,OAAO,YAAY,gBACrF,OAAM,IAAI,MAAM;GAGlB,MAAM,eAAe,MAAM,4BAA4B,YAAY,gBAAgB,IAAI,UAAU;GACjG,MAAM,mBAAmB,MAAM,IAAI,UAAU,WAAW,gBAAgB,eAAe;GAEvF,MAAM,cAAc,kBAAkB,eAAe;AACrD,OAAI,CAAC,YACH,OAAM,IAAI,MAAM;AAMlB,OAAI,QAAQ,SAAS,uBAAuB,kBAAkB;IAC5D,MAAM,UAAU,0BAA0B;AAC1C,iBAAa,SAAS,SAAS;AAC/B,iBAAa,SAAS,SAAS;cACtB,QAAQ,SAAS,uBAAuB,qBAAqB;IACtE,MAAM,UAAU,QAAQ;AACxB,iBAAa,SAAS,cACjB,gCAAgC;AACrC,iBAAa,SAAS,cACjB,gCAAgC;;AAGvC,SAAM,SAAS,IAAI,+BAA+B;IAChD,WAAW,QAAQ;IACnB;IACA;IACA;IACA,YAAY;;WAEN,KAAK;AACZ,WAAQ,MAAM,gDAAgD;AAC9D,SAAM;;AAIT,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,YAAY;GAGZ,cAAc;GACd;;UAEKF,KAAc;EAErB,MAAM,YAAY,6BAA6B;EAE/C,MAAM,MAAM,OAAQ,QAAQ,MAAO,WAAW,OAAO;AACrD,MAAI,sBAAsB,KAAK,QAAQ,uBAAuB,KAAK,KAEjE,QAAO,QAAQ,kBAAkB;AAEnC,MAAI,UACF,QAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;EAE3D,MAAM,sBAAsB,mDAAmD,KAAK;AACpF,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,YACH,eAAe,YACd,sBAAsB,MAAM,eAAe"}

package/dist/esm/sdk/{transactions-BalIhtJ9.js → transactions-DfdwDQCn.js}

@@ -11,7 +11,7 @@ import "./tx-confirmer-wrapper-lHNgz9i4.js";
 import { init_errors, toError } from "./errors-D9ar28Dr.js";
 import "./WebAuthnFallbacks-Bl4BTsNt.js";
 import { ERROR_MESSAGES, SecureConfirmationType, getIntentDigest, getNearAccountId, getSignTransactionPayload, getTxCount, init_accountIds, isUserCancelledSecureConfirm, toAccountId } from "./requestHelpers-Dh1hEYL9.js";
-import { PASSKEY_MANAGER_DEFAULT_CONFIGS, init_defaultConfigs } from "./defaultConfigs-DpslkAQd.js";
+import { PASSKEY_MANAGER_DEFAULT_CONFIGS, init_defaultConfigs } from "./defaultConfigs-CfQDV-ya.js";
 import { getLastLoggedInDeviceNumber, init_getDeviceNumber } from "./getDeviceNumber-zsOHT_Um.js";
 import { createConfirmSession, createConfirmTxFlowAdapters } from "./createAdapters-DIRR8_Z9.js";