npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/cjs/server/core/ThresholdService/signingHandlers.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"signingHandlers.js","names":["toOptionalTrimmedString","base64UrlDecode","e: unknown","normalizeCosignerIds","normalizeThresholdEd25519ParticipantIds","ed25519","base64UrlEncode","signThresholdEd25519CosignerGrantV1","verifyThresholdEd25519CosignerGrantV1","logExtra: Record<string, unknown> | undefined","signerSetRes","ensureRelayerKeyIsActiveAccessKey","deriveRelayerCosignerSharesFromRelayerSigningShare","lastErr: { code: string; message: string } | null","commitmentsById: ThresholdEd25519CommitmentsById","cosignerRelayerUrlsById: Record<string, string>","cosignerCoordinatorGrantsById: Record<string, string>","lagrangeCoefficientAtZeroForCosigner","multiplyEd25519ScalarB64uByScalarBytesLE32","sharesByCosignerId: Record<string, string>","lastPeerErr: { code: string; message: string } | null","cosignerShare: string | null","addEd25519ScalarsB64u","json: any"],"sources":["../../../../../src/server/core/ThresholdService/signingHandlers.ts"],"sourcesContent":["import type { AccessKeyList } from '../../../core/NearClient';\nimport { base64UrlDecode, base64UrlEncode } from '../../../utils/encoders';\nimport { toOptionalTrimmedString } from '../../../utils/validation';\nimport type { NormalizedLogger } from '../logger';\nimport type {\n ThresholdEd25519CosignFinalizeRequest,\n ThresholdEd25519CosignFinalizeResponse,\n ThresholdEd25519CosignInitRequest,\n ThresholdEd25519CosignInitResponse,\n ThresholdEd25519SignFinalizeRequest,\n ThresholdEd25519SignFinalizeResponse,\n ThresholdEd25519SignInitRequest,\n ThresholdEd25519SignInitResponse,\n} from '../types';\nimport {\n threshold_ed25519_round1_commit,\n threshold_ed25519_round2_sign,\n threshold_ed25519_round2_sign_cosigner,\n} from '../../../wasm_signer_worker/pkg/wasm_signer_worker.js';\nimport { ed25519 } from '@noble/curves/ed25519.js';\nimport { ensureRelayerKeyIsActiveAccessKey } from './validation';\nimport type {\n ThresholdEd25519Commitments,\n ThresholdEd25519CommitmentsById,\n ThresholdEd25519MpcSessionRecord,\n ThresholdEd25519SessionStore,\n} from './stores/SessionStore';\nimport {\n normalizeThresholdEd25519ParticipantIds,\n} from '../../../threshold/participants';\nimport type { ThresholdNodeRole, ThresholdRelayerCosignerPeer } from './config';\nimport type {\n ParsedThresholdEd25519MpcSession,\n ThresholdEd25519CosignerGrantV1,\n} from './coordinatorGrant';\nimport {\n signThresholdEd25519CosignerGrantV1,\n verifyThresholdEd25519CosignerGrantV1,\n} from './coordinatorGrant';\nimport {\n addEd25519ScalarsB64u,\n deriveRelayerCosignerSharesFromRelayerSigningShare,\n lagrangeCoefficientAtZeroForCosigner,\n multiplyEd25519ScalarB64uByScalarBytesLE32,\n normalizeCosignerIds,\n} from './cosigners';\n\ntype ParseOk<T> = { ok: true; value: T };\ntype ParseErr = { ok: false; code: string; message: string };\ntype ParseResult<T> = ParseOk<T> | ParseErr;\n\ntype PeerSignInitOk = {\n ok: true;\n signingSessionId: string;\n relayerCommitments: ThresholdEd25519Commitments;\n relayerVerifyingShareB64u: string;\n};\ntype PeerSignInitResult = PeerSignInitOk | ParseErr;\n\ntype PeerSignFinalizeOk = { ok: true; relayerSignatureShareB64u: string };\ntype PeerSignFinalizeResult = PeerSignFinalizeOk | ParseErr;\n\nfunction parseCommitments(input: unknown, label: string): ParseResult<ThresholdEd25519Commitments> {\n if (!input || typeof input !== 'object' || Array.isArray(input)) {\n return { ok: false, code: 'invalid_body', message: `${label}{hiding,binding} are required` };\n }\n const rec = input as Record<string, unknown>;\n const hiding = toOptionalTrimmedString(rec.hiding);\n const binding = toOptionalTrimmedString(rec.binding);\n if (!hiding || !binding) {\n return { ok: false, code: 'invalid_body', message: `${label}{hiding,binding} are required` };\n }\n return { ok: true, value: { hiding, binding } };\n}\n\nfunction parseThresholdEd25519SignInitRequest(request: ThresholdEd25519SignInitRequest): ParseResult<{\n mpcSessionId: string;\n relayerKeyId: string;\n nearAccountId: string;\n signingDigestB64u: string;\n clientCommitments: ThresholdEd25519Commitments;\n}> {\n const mpcSessionId = toOptionalTrimmedString(request.mpcSessionId);\n if (!mpcSessionId) return { ok: false, code: 'invalid_body', message: 'mpcSessionId is required' };\n\n const relayerKeyId = toOptionalTrimmedString(request.relayerKeyId);\n if (!relayerKeyId) return { ok: false, code: 'invalid_body', message: 'relayerKeyId is required' };\n\n const nearAccountId = toOptionalTrimmedString(request.nearAccountId);\n if (!nearAccountId) return { ok: false, code: 'invalid_body', message: 'nearAccountId is required' };\n\n const signingDigestB64u = toOptionalTrimmedString(request.signingDigestB64u);\n if (!signingDigestB64u) return { ok: false, code: 'invalid_body', message: 'signingDigestB64u is required' };\n\n const commitments = parseCommitments((request as unknown as { clientCommitments?: unknown }).clientCommitments, 'clientCommitments');\n if (!commitments.ok) return commitments;\n\n return {\n ok: true,\n value: {\n mpcSessionId,\n relayerKeyId,\n nearAccountId,\n signingDigestB64u,\n clientCommitments: commitments.value,\n },\n };\n}\n\nfunction parseThresholdEd25519FinalizeRequest(request: {\n signingSessionId: unknown;\n clientSignatureShareB64u: unknown;\n}): ParseResult<{\n signingSessionId: string;\n clientSignatureShareB64u: string;\n}> {\n const signingSessionId = toOptionalTrimmedString(request.signingSessionId);\n if (!signingSessionId) return { ok: false, code: 'invalid_body', message: 'signingSessionId is required' };\n const clientSignatureShareB64u = toOptionalTrimmedString(request.clientSignatureShareB64u);\n if (!clientSignatureShareB64u) {\n return { ok: false, code: 'invalid_body', message: 'clientSignatureShareB64u is required' };\n }\n return { ok: true, value: { signingSessionId, clientSignatureShareB64u } };\n}\n\nfunction parseThresholdEd25519CosignInitRequest(request: ThresholdEd25519CosignInitRequest): ParseResult<{\n signingSessionId: string;\n cosignerShareB64u: string;\n clientCommitments: ThresholdEd25519Commitments;\n}> {\n const signingSessionId = toOptionalTrimmedString(request.signingSessionId);\n if (!signingSessionId) return { ok: false, code: 'invalid_body', message: 'signingSessionId is required' };\n\n const cosignerShareB64u = toOptionalTrimmedString(request.cosignerShareB64u);\n if (!cosignerShareB64u) return { ok: false, code: 'invalid_body', message: 'cosignerShareB64u is required' };\n try {\n const decoded = base64UrlDecode(cosignerShareB64u);\n if (decoded.length !== 32) {\n return { ok: false, code: 'invalid_body', message: `cosignerShareB64u must be 32 bytes, got ${decoded.length}` };\n }\n } catch (e: unknown) {\n return { ok: false, code: 'invalid_body', message: `Invalid cosignerShareB64u: ${String(e || 'decode failed')}` };\n }\n\n const commitments = parseCommitments((request as unknown as { clientCommitments?: unknown }).clientCommitments, 'clientCommitments');\n if (!commitments.ok) return commitments;\n\n return { ok: true, value: { signingSessionId, cosignerShareB64u, clientCommitments: commitments.value } };\n}\n\nfunction parseThresholdEd25519CosignFinalizeRequest(request: ThresholdEd25519CosignFinalizeRequest): ParseResult<{\n signingSessionId: string;\n cosignerIds: number[];\n groupPublicKey: string;\n relayerCommitments: ThresholdEd25519Commitments;\n}> {\n const signingSessionId = toOptionalTrimmedString(request.signingSessionId);\n if (!signingSessionId) return { ok: false, code: 'invalid_body', message: 'signingSessionId is required' };\n\n const groupPublicKey = toOptionalTrimmedString(request.groupPublicKey);\n if (!groupPublicKey) return { ok: false, code: 'invalid_body', message: 'groupPublicKey is required' };\n\n const cosignerIds = normalizeCosignerIds((request as unknown as { cosignerIds?: unknown }).cosignerIds);\n if (!cosignerIds) return { ok: false, code: 'invalid_body', message: 'cosignerIds must be a non-empty list of u16 ids' };\n\n const relayerCommitments = parseCommitments((request as unknown as { relayerCommitments?: unknown }).relayerCommitments, 'relayerCommitments');\n if (!relayerCommitments.ok) return relayerCommitments;\n\n return { ok: true, value: { signingSessionId, cosignerIds, groupPublicKey, relayerCommitments: relayerCommitments.value } };\n}\n\nfunction requireParticipantIdsIncludeSignerSet(raw: unknown, signerSet2p: number[], label: string): ParseResult<number[]> {\n const expected = normalizeThresholdEd25519ParticipantIds(signerSet2p) || [...signerSet2p];\n const participantIds = normalizeThresholdEd25519ParticipantIds(raw) || [...expected];\n\n for (const id of expected) {\n if (!participantIds.includes(id)) {\n return {\n ok: false,\n code: 'unauthorized',\n message: `${label} does not include the server signer set (expected participantIds to include [${expected.join(',')}])`,\n };\n }\n }\n\n return { ok: true, value: participantIds };\n}\n\ntype ResolveRelayerKeyMaterialFn = (input: {\n relayerKeyId: string;\n nearAccountId: string;\n rpId: string;\n clientVerifyingShareB64u: string;\n}) => Promise<\n | { ok: true; publicKey: string; relayerSigningShareB64u: string; relayerVerifyingShareB64u: string }\n | { ok: false; code: string; message: string }\n>;\n\ntype ThresholdEd25519Round1CommitWasmOutput = {\n relayerNoncesB64u: string;\n relayerCommitments: ThresholdEd25519Commitments;\n};\n\nfunction expectThresholdEd25519Round1CommitWasmOutput(out: unknown): ThresholdEd25519Round1CommitWasmOutput {\n const parsed = out as ThresholdEd25519Round1CommitWasmOutput;\n if (!parsed?.relayerNoncesB64u || !parsed?.relayerCommitments?.hiding || !parsed?.relayerCommitments?.binding) {\n throw new Error('threshold-ed25519 /sign/init: invalid relayer commitments');\n }\n return parsed;\n}\n\ntype ThresholdEd25519Round2SignWasmOutput = {\n relayerSignatureShareB64u: string;\n};\n\nfunction expectThresholdEd25519Round2SignWasmOutput(out: unknown): ThresholdEd25519Round2SignWasmOutput {\n const parsed = out as ThresholdEd25519Round2SignWasmOutput;\n if (!parsed?.relayerSignatureShareB64u) {\n throw new Error('threshold-ed25519 /sign/finalize: missing relayerSignatureShareB64u');\n }\n return parsed;\n}\n\nfunction sumEd25519PointsB64u(pointsB64u: string[], label: string): string {\n if (!pointsB64u.length) throw new Error(`${label}: empty point list`);\n let acc = ed25519.Point.ZERO;\n for (const p of pointsB64u) {\n const raw = toOptionalTrimmedString(p);\n if (!raw) throw new Error(`${label}: missing point`);\n const bytes = base64UrlDecode(raw);\n if (bytes.length !== 32) throw new Error(`${label}: expected 32-byte point, got ${bytes.length}`);\n const pt = ed25519.Point.fromBytes(bytes);\n acc = acc.add(pt);\n }\n return base64UrlEncode(acc.toBytes());\n}\n\nfunction combineCommitmentsByAddition(commitments: ThresholdEd25519Commitments[], label: string): ThresholdEd25519Commitments {\n if (!commitments.length) throw new Error(`${label}: empty commitments`);\n const hiding = sumEd25519PointsB64u(commitments.map((c) => c.hiding), `${label}.hiding`);\n const binding = sumEd25519PointsB64u(commitments.map((c) => c.binding), `${label}.binding`);\n return { hiding, binding };\n}\n\nexport class ThresholdEd25519SigningHandlers {\n private readonly logger: NormalizedLogger;\n private readonly nodeRole: ThresholdNodeRole;\n private readonly relayerCosigners: ThresholdRelayerCosignerPeer[];\n private readonly relayerCosignerThreshold: number | null;\n private readonly relayerCosignerId: number | null;\n private readonly coordinatorSharedSecretBytes: Uint8Array | null;\n private coordinatorHmacKeyPromise: Promise<CryptoKey> | null = null;\n private readonly clientParticipantId: number;\n private readonly relayerParticipantId: number;\n private readonly participantIds2p: number[];\n private readonly sessionStore: ThresholdEd25519SessionStore;\n private readonly ensureReady: () => Promise<void>;\n private readonly ensureSignerWasm: () => Promise<void>;\n private readonly viewAccessKeyList: (accountId: string) => Promise<AccessKeyList>;\n private readonly resolveRelayerKeyMaterial: ResolveRelayerKeyMaterialFn;\n\n constructor(input: {\n logger: NormalizedLogger;\n nodeRole: ThresholdNodeRole;\n relayerCosigners: ThresholdRelayerCosignerPeer[];\n relayerCosignerThreshold: number | null;\n relayerCosignerId: number | null;\n coordinatorSharedSecretBytes: Uint8Array | null;\n clientParticipantId: number;\n relayerParticipantId: number;\n participantIds2p: number[];\n sessionStore: ThresholdEd25519SessionStore;\n ensureReady: () => Promise<void>;\n ensureSignerWasm: () => Promise<void>;\n viewAccessKeyList: (accountId: string) => Promise<AccessKeyList>;\n resolveRelayerKeyMaterial: ResolveRelayerKeyMaterialFn;\n }) {\n this.logger = input.logger;\n this.nodeRole = input.nodeRole;\n this.relayerCosigners = input.relayerCosigners;\n this.relayerCosignerThreshold = input.relayerCosignerThreshold;\n this.relayerCosignerId = input.relayerCosignerId;\n this.coordinatorSharedSecretBytes = input.coordinatorSharedSecretBytes;\n this.clientParticipantId = input.clientParticipantId;\n this.relayerParticipantId = input.relayerParticipantId;\n this.participantIds2p = input.participantIds2p;\n this.sessionStore = input.sessionStore;\n this.ensureReady = input.ensureReady;\n this.ensureSignerWasm = input.ensureSignerWasm;\n this.viewAccessKeyList = input.viewAccessKeyList;\n this.resolveRelayerKeyMaterial = input.resolveRelayerKeyMaterial;\n }\n\n private logResult(route: string, startedAtMs: number, result: { ok: boolean; code?: string; message?: string }, extra?: Record<string, unknown>): void {\n const elapsedMs = Math.max(0, Date.now() - startedAtMs);\n const msg = typeof result.message === 'string' ? result.message : undefined;\n const message = msg && msg.length > 300 ? `${msg.slice(0, 297)}...` : msg;\n const payload = {\n route,\n ok: result.ok,\n ...(result.code ? { code: result.code } : {}),\n ...(!result.ok && message ? { message } : {}),\n elapsedMs,\n ...(extra || {}),\n };\n if (result.ok) {\n this.logger.info('[threshold-ed25519] response', payload);\n return;\n }\n if (result.code === 'internal') {\n this.logger.error('[threshold-ed25519] response', payload);\n return;\n }\n this.logger.warn('[threshold-ed25519] response', payload);\n }\n\n private createThresholdEd25519SigningSessionId(): string {\n const id = typeof globalThis.crypto?.randomUUID === 'function'\n ? globalThis.crypto.randomUUID()\n : `${Date.now()}-${Math.random().toString(16).slice(2)}`;\n return `sign-${id}`;\n }\n\n private async signCosignerGrant(payload: ThresholdEd25519CosignerGrantV1): Promise<string | null> {\n const out = await signThresholdEd25519CosignerGrantV1({\n secretBytes: this.coordinatorSharedSecretBytes,\n keyPromise: this.coordinatorHmacKeyPromise,\n payload,\n });\n this.coordinatorHmacKeyPromise = out.keyPromise;\n return out.token;\n }\n\n private async verifyCosignerGrant(token: unknown): Promise<\n | { ok: true; grant: ThresholdEd25519CosignerGrantV1; mpcSession: ParsedThresholdEd25519MpcSession }\n | { ok: false; code: string; message: string }\n > {\n const verified = await verifyThresholdEd25519CosignerGrantV1({\n secretBytes: this.coordinatorSharedSecretBytes,\n keyPromise: this.coordinatorHmacKeyPromise,\n token,\n });\n this.coordinatorHmacKeyPromise = verified.keyPromise;\n if (!verified.ok) return verified;\n return { ok: true, grant: verified.grant, mpcSession: verified.mpcSession };\n }\n\n async thresholdEd25519SignInit(request: ThresholdEd25519SignInitRequest): Promise<ThresholdEd25519SignInitResponse> {\n const route = '/threshold-ed25519/sign/init';\n const startedAtMs = Date.now();\n let logExtra: Record<string, unknown> | undefined;\n\n const result = await (async (): Promise<ThresholdEd25519SignInitResponse> => {\n if (this.nodeRole !== 'coordinator') {\n return {\n ok: false,\n code: 'not_found',\n message: 'threshold-ed25519 signing endpoints are not enabled on this server (set THRESHOLD_NODE_ROLE=coordinator)',\n };\n }\n\n await this.ensureReady();\n const parsedRequest = parseThresholdEd25519SignInitRequest(request);\n if (!parsedRequest.ok) return parsedRequest;\n const { mpcSessionId, relayerKeyId, nearAccountId, signingDigestB64u, clientCommitments } = parsedRequest.value;\n\n this.logger.info('[threshold-ed25519] request', {\n route,\n mpcSessionId,\n relayerKeyId,\n nearAccountId,\n signingDigestB64u_len: signingDigestB64u.length,\n });\n\n const sess = await this.sessionStore.takeMpcSession(mpcSessionId);\n if (!sess) {\n return { ok: false, code: 'unauthorized', message: 'mpcSessionId expired or invalid' };\n }\n if (Date.now() > sess.expiresAtMs) {\n return { ok: false, code: 'unauthorized', message: 'mpcSessionId expired' };\n }\n\n const groupParticipantIds =\n normalizeThresholdEd25519ParticipantIds(sess.participantIds) || [...this.participantIds2p];\n\n if (relayerKeyId !== sess.relayerKeyId) {\n return { ok: false, code: 'unauthorized', message: 'relayerKeyId does not match mpcSessionId scope' };\n }\n\n if (nearAccountId !== sess.userId) {\n return { ok: false, code: 'unauthorized', message: 'nearAccountId does not match mpcSessionId scope' };\n }\n\n if (signingDigestB64u !== sess.signingDigestB64u) {\n return { ok: false, code: 'unauthorized', message: 'signingDigestB64u does not match mpcSessionId scope' };\n }\n\n const hasRelayerCosignerConfig = this.relayerCosigners.length > 0 || this.relayerCosignerThreshold !== null;\n if (hasRelayerCosignerConfig) {\n logExtra = { mode: 'cosigner' };\n if (!this.relayerCosigners.length) {\n return { ok: false, code: 'missing_config', message: 'THRESHOLD_ED25519_RELAYER_COSIGNERS is required for relayer cosigning mode' };\n }\n const t = this.relayerCosignerThreshold;\n if (!t) {\n return { ok: false, code: 'missing_config', message: 'THRESHOLD_ED25519_RELAYER_COSIGNER_T is required for relayer cosigning mode' };\n }\n\n const signerSetRes = requireParticipantIdsIncludeSignerSet(groupParticipantIds, this.participantIds2p, 'mpcSessionId');\n if (!signerSetRes.ok) return signerSetRes;\n\n const cosignerIdsAll =\n normalizeCosignerIds(Array.from(new Set(this.relayerCosigners.map((p) => p.cosignerId)))) || [];\n logExtra = { ...logExtra, cosignerIdsAll, t };\n if (cosignerIdsAll.length === 0) {\n return { ok: false, code: 'missing_config', message: 'THRESHOLD_ED25519_RELAYER_COSIGNERS must include at least one cosignerId' };\n }\n if (t > cosignerIdsAll.length) {\n return {\n ok: false,\n code: 'missing_config',\n message: `THRESHOLD_ED25519_RELAYER_COSIGNER_T must be <= number of cosigners (got t=${t}, n=${cosignerIdsAll.length})`,\n };\n }\n\n const key = await this.resolveRelayerKeyMaterial({\n relayerKeyId: sess.relayerKeyId,\n nearAccountId: sess.userId,\n rpId: sess.rpId,\n clientVerifyingShareB64u: sess.clientVerifyingShareB64u,\n });\n if (!key.ok) {\n return { ok: false, code: key.code, message: key.message };\n }\n\n const scope = await ensureRelayerKeyIsActiveAccessKey({\n nearAccountId: sess.userId,\n relayerPublicKey: key.publicKey,\n viewAccessKeyList: this.viewAccessKeyList,\n });\n if (!scope.ok) {\n return { ok: false, code: scope.code, message: scope.message };\n }\n\n const shares = deriveRelayerCosignerSharesFromRelayerSigningShare({\n relayerSigningShareB64u: key.relayerSigningShareB64u,\n cosignerIds: cosignerIdsAll,\n cosignerThreshold: t,\n });\n if (!shares.ok) {\n return { ok: false, code: shares.code, message: shares.message };\n }\n\n const now = Math.floor(Date.now() / 1000);\n const exp = now + 60;\n const signingSessionId = this.createThresholdEd25519SigningSessionId();\n const ttlMs = 60_000;\n const expiresAtMs = Date.now() + ttlMs;\n this.logger.info('[threshold-ed25519] cosign/init fanout', { route, signingSessionId, cosignerIdsAll, t });\n\n const initResults = await Promise.all(cosignerIdsAll.map(async (cosignerId) => {\n const cosignerShareB64u = shares.sharesByCosignerId[String(cosignerId)];\n if (!cosignerShareB64u) {\n return { ok: false as const, cosignerId, code: 'internal', message: 'missing derived cosigner share' };\n }\n\n const grant = await this.signCosignerGrant({\n v: 1,\n typ: 'threshold_ed25519_cosigner_grant_v1',\n iat: now,\n exp,\n mpcSessionId,\n cosignerId,\n mpcSession: sess,\n });\n if (!grant) {\n return { ok: false as const, cosignerId, code: 'missing_config', message: 'THRESHOLD_COORDINATOR_SHARED_SECRET_B64U is required for relayer cosigning' };\n }\n\n const candidates = this.relayerCosigners.filter((p) => p.cosignerId === cosignerId);\n if (!candidates.length) {\n return { ok: false as const, cosignerId, code: 'missing_config', message: `Missing relayer cosigner peer for cosignerId=${cosignerId}` };\n }\n\n let lastErr: { code: string; message: string } | null = null;\n for (const peer of candidates) {\n const initUrl = `${peer.relayerUrl}/threshold-ed25519/internal/cosign/init`;\n const peerInit = await this.postJsonWithTimeout(initUrl, {\n coordinatorGrant: grant,\n signingSessionId,\n cosignerShareB64u,\n clientCommitments,\n }, 10_000);\n if (!peerInit.ok) {\n lastErr = peerInit;\n continue;\n }\n\n const initJson = peerInit.json as ThresholdEd25519CosignInitResponse;\n if (!initJson?.ok) {\n lastErr = { code: initJson?.code || 'internal', message: initJson?.message || 'cosign/init failed' };\n continue;\n }\n const commitments = initJson.relayerCommitments;\n if (!commitments?.hiding || !commitments?.binding) {\n lastErr = { code: 'internal', message: 'cosign/init produced incomplete commitments' };\n continue;\n }\n return {\n ok: true as const,\n cosignerId,\n cosignerGrant: grant,\n relayerUrl: peer.relayerUrl,\n relayerCommitments: commitments,\n };\n }\n\n if (lastErr) {\n this.logger.warn('[threshold-ed25519] cosign/init failed', {\n route,\n signingSessionId,\n cosignerId,\n candidateRelayerUrls: candidates.map((p) => p.relayerUrl),\n code: lastErr.code,\n message: lastErr.message,\n });\n }\n return { ok: false as const, cosignerId, code: lastErr?.code || 'unavailable', message: lastErr?.message || 'No cosigner available for cosign/init' };\n }));\n\n const okInits = initResults.filter((r): r is {\n ok: true;\n cosignerId: number;\n cosignerGrant: string;\n relayerUrl: string;\n relayerCommitments: ThresholdEd25519Commitments;\n } => r.ok);\n\n if (okInits.length < t) {\n const errors = initResults.filter((r) => !r.ok);\n const lastErr = errors.length ? errors[errors.length - 1] : null;\n logExtra = { ...logExtra, signingSessionId, okCosigners: okInits.length };\n return {\n ok: false,\n code: lastErr?.code || 'unavailable',\n message: `Need at least ${t} relayer cosigners; got ${okInits.length}`,\n };\n }\n\n okInits.sort((a, b) => a.cosignerId - b.cosignerId);\n const selected = okInits.slice(0, t);\n const selectedCosignerIds = selected.map((r) => r.cosignerId);\n\n const relayerCommitments = combineCommitmentsByAddition(\n selected.map((r) => r.relayerCommitments),\n 'cosignerCommitments',\n );\n\n const commitmentsById: ThresholdEd25519CommitmentsById = {\n [String(this.clientParticipantId)]: clientCommitments,\n [String(this.relayerParticipantId)]: relayerCommitments,\n };\n const relayerVerifyingSharesById = {\n [String(this.relayerParticipantId)]: key.relayerVerifyingShareB64u,\n };\n const cosignerRelayerUrlsById: Record<string, string> = {};\n const cosignerCoordinatorGrantsById: Record<string, string> = {};\n for (const r of selected) {\n cosignerRelayerUrlsById[String(r.cosignerId)] = r.relayerUrl;\n cosignerCoordinatorGrantsById[String(r.cosignerId)] = r.cosignerGrant;\n }\n\n await this.sessionStore.putCoordinatorSigningSession(signingSessionId, {\n mode: 'cosigner',\n expiresAtMs,\n mpcSessionId,\n relayerKeyId: sess.relayerKeyId,\n signingDigestB64u: sess.signingDigestB64u,\n userId: sess.userId,\n rpId: sess.rpId,\n clientVerifyingShareB64u: sess.clientVerifyingShareB64u,\n commitmentsById,\n participantIds: [...this.participantIds2p],\n groupPublicKey: key.publicKey,\n cosignerIds: selectedCosignerIds,\n cosignerRelayerUrlsById,\n cosignerCoordinatorGrantsById,\n relayerVerifyingSharesById,\n }, ttlMs);\n\n logExtra = { ...logExtra, signingSessionId, selectedCosignerIds };\n return {\n ok: true,\n signingSessionId,\n commitmentsById,\n relayerVerifyingSharesById,\n participantIds: [...this.participantIds2p],\n };\n }\n\n logExtra = { mode: 'local' };\n const signerSetRes = requireParticipantIdsIncludeSignerSet(groupParticipantIds, this.participantIds2p, 'mpcSessionId');\n if (!signerSetRes.ok) return signerSetRes;\n const out = await this.peerSignInitFromMpcSessionRecord({ mpcSessionId, mpcSession: sess, clientCommitments });\n if (!out.ok) return out;\n\n logExtra = { ...logExtra, signingSessionId: out.signingSessionId };\n return {\n ok: true,\n signingSessionId: out.signingSessionId,\n commitmentsById: {\n [String(this.clientParticipantId)]: clientCommitments,\n [String(this.relayerParticipantId)]: out.relayerCommitments,\n },\n relayerVerifyingSharesById: {\n [String(this.relayerParticipantId)]: out.relayerVerifyingShareB64u,\n },\n participantIds: [...this.participantIds2p],\n };\n })().catch((e: unknown) => {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Internal error');\n return { ok: false, code: 'internal', message: msg };\n });\n\n this.logResult(route, startedAtMs, result, logExtra);\n return result;\n }\n\n async thresholdEd25519CosignInit(request: ThresholdEd25519CosignInitRequest): Promise<ThresholdEd25519CosignInitResponse> {\n const route = '/threshold-ed25519/internal/cosign/init';\n const startedAtMs = Date.now();\n const cosignerId = this.relayerCosignerId;\n const logExtra = cosignerId ? { cosignerId } : undefined;\n\n const result = await (async (): Promise<ThresholdEd25519CosignInitResponse> => {\n if (!cosignerId || (this.nodeRole !== 'cosigner' && this.nodeRole !== 'coordinator')) {\n return { ok: false, code: 'not_found', message: 'threshold-ed25519 cosigner endpoints are not enabled on this server (set THRESHOLD_NODE_ROLE=cosigner)' };\n }\n\n await this.ensureReady();\n const parsedRequest = parseThresholdEd25519CosignInitRequest(request);\n if (!parsedRequest.ok) return parsedRequest;\n const { signingSessionId, cosignerShareB64u, clientCommitments } = parsedRequest.value;\n\n this.logger.info('[threshold-ed25519] request', {\n route,\n signingSessionId,\n cosignerId,\n cosignerShareB64u_len: cosignerShareB64u.length,\n });\n\n const verified = await this.verifyCosignerGrant(request.coordinatorGrant);\n if (!verified.ok) {\n return { ok: false, code: verified.code, message: verified.message };\n }\n const { grant, mpcSession } = verified;\n\n if (grant.cosignerId !== cosignerId) {\n return { ok: false, code: 'unauthorized', message: 'coordinatorGrant does not match this cosigner id' };\n }\n\n const participantIdsRes = requireParticipantIdsIncludeSignerSet(mpcSession.participantIds, this.participantIds2p, 'coordinatorGrant');\n if (!participantIdsRes.ok) return participantIdsRes;\n\n await this.ensureSignerWasm();\n const commit = expectThresholdEd25519Round1CommitWasmOutput(\n threshold_ed25519_round1_commit(cosignerShareB64u),\n );\n\n const ttlMs = 60_000;\n const expiresAtMs = Date.now() + ttlMs;\n const commitmentsById: ThresholdEd25519CommitmentsById = {\n [String(this.clientParticipantId)]: clientCommitments,\n };\n\n await this.sessionStore.putSigningSession(signingSessionId, {\n expiresAtMs,\n mpcSessionId: grant.mpcSessionId,\n relayerKeyId: mpcSession.relayerKeyId,\n signingDigestB64u: mpcSession.signingDigestB64u,\n userId: mpcSession.userId,\n rpId: mpcSession.rpId,\n clientVerifyingShareB64u: mpcSession.clientVerifyingShareB64u,\n commitmentsById,\n relayerSigningShareB64u: cosignerShareB64u,\n relayerNoncesB64u: commit.relayerNoncesB64u,\n participantIds: [...this.participantIds2p],\n }, ttlMs);\n\n return { ok: true, relayerCommitments: commit.relayerCommitments };\n })().catch((e: unknown) => {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Internal error');\n return { ok: false, code: 'internal', message: msg };\n });\n\n this.logResult(route, startedAtMs, result, logExtra);\n return result;\n }\n\n async thresholdEd25519CosignFinalize(request: ThresholdEd25519CosignFinalizeRequest): Promise<ThresholdEd25519CosignFinalizeResponse> {\n const route = '/threshold-ed25519/internal/cosign/finalize';\n const startedAtMs = Date.now();\n const cosignerId = this.relayerCosignerId;\n const logExtra = cosignerId ? { cosignerId } : undefined;\n\n const result = await (async (): Promise<ThresholdEd25519CosignFinalizeResponse> => {\n if (!cosignerId || (this.nodeRole !== 'cosigner' && this.nodeRole !== 'coordinator')) {\n return { ok: false, code: 'not_found', message: 'threshold-ed25519 cosigner endpoints are not enabled on this server (set THRESHOLD_NODE_ROLE=cosigner)' };\n }\n\n await this.ensureReady();\n const parsedRequest = parseThresholdEd25519CosignFinalizeRequest(request);\n if (!parsedRequest.ok) return parsedRequest;\n const { signingSessionId, cosignerIds, groupPublicKey, relayerCommitments } = parsedRequest.value;\n\n this.logger.info('[threshold-ed25519] request', {\n route,\n signingSessionId,\n cosignerId,\n cosignerIds,\n });\n\n const verified = await this.verifyCosignerGrant(request.coordinatorGrant);\n if (!verified.ok) {\n return { ok: false, code: verified.code, message: verified.message };\n }\n const { grant, mpcSession } = verified;\n\n if (grant.cosignerId !== cosignerId) {\n return { ok: false, code: 'unauthorized', message: 'coordinatorGrant does not match this cosigner id' };\n }\n\n if (!cosignerIds.includes(cosignerId)) {\n return { ok: false, code: 'unauthorized', message: 'cosignerIds must include this cosigner id' };\n }\n\n const sess = await this.sessionStore.takeSigningSession(signingSessionId);\n if (!sess) {\n return { ok: false, code: 'unauthorized', message: 'signingSessionId expired or invalid' };\n }\n if (Date.now() > sess.expiresAtMs) {\n return { ok: false, code: 'unauthorized', message: 'signingSessionId expired' };\n }\n\n const restoreOnMismatch = async (): Promise<void> => {\n const ttlMs = Math.max(0, sess.expiresAtMs - Date.now());\n if (!ttlMs) return;\n await this.sessionStore.putSigningSession(signingSessionId, sess, ttlMs);\n };\n\n if (sess.mpcSessionId !== grant.mpcSessionId) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n if (sess.relayerKeyId !== mpcSession.relayerKeyId) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n if (sess.signingDigestB64u !== mpcSession.signingDigestB64u) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n if (sess.userId !== mpcSession.userId) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n if (sess.rpId !== mpcSession.rpId) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n if (sess.clientVerifyingShareB64u !== mpcSession.clientVerifyingShareB64u) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n\n const storedShareB64u = toOptionalTrimmedString(sess.relayerSigningShareB64u);\n if (!storedShareB64u) {\n return { ok: false, code: 'internal', message: 'cosigner signing session missing share material' };\n }\n\n const lambdaRes = lagrangeCoefficientAtZeroForCosigner({ cosignerId, cosignerIds });\n if (!lambdaRes.ok) {\n return { ok: false, code: lambdaRes.code, message: lambdaRes.message };\n }\n\n const effShare = multiplyEd25519ScalarB64uByScalarBytesLE32({\n scalarB64u: storedShareB64u,\n factorBytesLE32: lambdaRes.lambda,\n });\n if (!effShare.ok) {\n return { ok: false, code: effShare.code, message: effShare.message };\n }\n\n await this.ensureSignerWasm();\n const clientCommitments = sess.commitmentsById?.[String(this.clientParticipantId)];\n if (!clientCommitments) {\n return { ok: false, code: 'internal', message: 'signingSessionId missing client commitments' };\n }\n const out = expectThresholdEd25519Round2SignWasmOutput(threshold_ed25519_round2_sign_cosigner({\n clientParticipantId: this.clientParticipantId,\n relayerParticipantId: this.relayerParticipantId,\n relayerSigningShareB64u: effShare.scalarB64u,\n relayerNoncesB64u: sess.relayerNoncesB64u,\n groupPublicKey,\n signingDigestB64u: sess.signingDigestB64u,\n clientCommitments,\n relayerCommitments,\n }));\n\n return { ok: true, relayerSignatureShareB64u: out.relayerSignatureShareB64u };\n })().catch((e: unknown) => {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Internal error');\n return { ok: false, code: 'internal', message: msg };\n });\n\n this.logResult(route, startedAtMs, result, logExtra);\n return result;\n }\n\n private async peerSignInitFromMpcSessionRecord(input: {\n mpcSessionId: string;\n mpcSession: ThresholdEd25519MpcSessionRecord;\n clientCommitments: ThresholdEd25519Commitments;\n }): Promise<PeerSignInitResult> {\n const mpcSessionId = input.mpcSessionId;\n const sess = input.mpcSession;\n if (Date.now() > sess.expiresAtMs) {\n return { ok: false, code: 'unauthorized', message: 'mpcSessionId expired' };\n }\n\n const participantIdsRes = requireParticipantIdsIncludeSignerSet(sess.participantIds, this.participantIds2p, 'mpcSessionId');\n if (!participantIdsRes.ok) return participantIdsRes;\n const participantIds = participantIdsRes.value;\n const signingDigestB64u = sess.signingDigestB64u;\n\n const key = await this.resolveRelayerKeyMaterial({\n relayerKeyId: sess.relayerKeyId,\n nearAccountId: sess.userId,\n rpId: sess.rpId,\n clientVerifyingShareB64u: sess.clientVerifyingShareB64u,\n });\n if (!key.ok) {\n return { ok: false, code: key.code, message: key.message };\n }\n\n const scope = await ensureRelayerKeyIsActiveAccessKey({\n nearAccountId: sess.userId,\n relayerPublicKey: key.publicKey,\n viewAccessKeyList: this.viewAccessKeyList,\n });\n if (!scope.ok) {\n return { ok: false, code: scope.code, message: scope.message };\n }\n\n await this.ensureSignerWasm();\n const commit = expectThresholdEd25519Round1CommitWasmOutput(\n threshold_ed25519_round1_commit(key.relayerSigningShareB64u),\n );\n\n const signingSessionId = this.createThresholdEd25519SigningSessionId();\n const ttlMs = 60_000;\n const expiresAtMs = Date.now() + ttlMs;\n const commitmentsById: ThresholdEd25519CommitmentsById = {\n [String(this.clientParticipantId)]: input.clientCommitments,\n [String(this.relayerParticipantId)]: commit.relayerCommitments,\n };\n await this.sessionStore.putSigningSession(signingSessionId, {\n expiresAtMs,\n mpcSessionId,\n relayerKeyId: sess.relayerKeyId,\n signingDigestB64u,\n userId: sess.userId,\n rpId: sess.rpId,\n clientVerifyingShareB64u: sess.clientVerifyingShareB64u,\n commitmentsById,\n relayerNoncesB64u: commit.relayerNoncesB64u,\n participantIds,\n }, ttlMs);\n\n return {\n ok: true,\n signingSessionId,\n relayerCommitments: commit.relayerCommitments,\n relayerVerifyingShareB64u: key.relayerVerifyingShareB64u,\n };\n }\n\n private async peerSignFinalizeFromSigningSessionId(input: {\n signingSessionId: string;\n clientSignatureShareB64u: string;\n expectedMpcSessionId?: string;\n expectedRelayerKeyId?: string;\n expectedSigningDigestB64u?: string;\n expectedUserId?: string;\n expectedRpId?: string;\n expectedClientVerifyingShareB64u?: string;\n }): Promise<PeerSignFinalizeResult> {\n const signingSessionId = input.signingSessionId;\n const clientSignatureShareB64u = input.clientSignatureShareB64u;\n\n const sess = await this.sessionStore.takeSigningSession(signingSessionId);\n if (!sess) {\n return { ok: false, code: 'unauthorized', message: 'signingSessionId expired or invalid' };\n }\n if (Date.now() > sess.expiresAtMs) {\n return { ok: false, code: 'unauthorized', message: 'signingSessionId expired' };\n }\n\n const restoreOnMismatch = async (): Promise<void> => {\n const ttlMs = Math.max(0, sess.expiresAtMs - Date.now());\n if (!ttlMs) return;\n await this.sessionStore.putSigningSession(signingSessionId, sess, ttlMs);\n };\n\n if (input.expectedMpcSessionId && sess.mpcSessionId !== input.expectedMpcSessionId) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n if (input.expectedRelayerKeyId && sess.relayerKeyId !== input.expectedRelayerKeyId) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n if (input.expectedSigningDigestB64u && sess.signingDigestB64u !== input.expectedSigningDigestB64u) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n if (input.expectedUserId && sess.userId !== input.expectedUserId) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n if (input.expectedRpId && sess.rpId !== input.expectedRpId) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n if (input.expectedClientVerifyingShareB64u && sess.clientVerifyingShareB64u !== input.expectedClientVerifyingShareB64u) {\n await restoreOnMismatch();\n return { ok: false, code: 'unauthorized', message: 'signingSessionId does not match coordinatorGrant scope' };\n }\n\n const participantIdsRes = requireParticipantIdsIncludeSignerSet(sess.participantIds, this.participantIds2p, 'signingSessionId');\n if (!participantIdsRes.ok) return participantIdsRes;\n\n const key = await this.resolveRelayerKeyMaterial({\n relayerKeyId: sess.relayerKeyId,\n nearAccountId: sess.userId,\n rpId: sess.rpId,\n clientVerifyingShareB64u: sess.clientVerifyingShareB64u,\n });\n if (!key.ok) {\n return { ok: false, code: key.code, message: key.message };\n }\n\n await this.ensureSignerWasm();\n const clientCommitments = sess.commitmentsById?.[String(this.clientParticipantId)];\n const relayerCommitments = sess.commitmentsById?.[String(this.relayerParticipantId)];\n if (!clientCommitments || !relayerCommitments) {\n return { ok: false, code: 'internal', message: 'signingSessionId missing commitment transcript' };\n }\n const out = expectThresholdEd25519Round2SignWasmOutput(threshold_ed25519_round2_sign({\n clientParticipantId: this.clientParticipantId,\n relayerParticipantId: this.relayerParticipantId,\n relayerSigningShareB64u: key.relayerSigningShareB64u,\n relayerNoncesB64u: sess.relayerNoncesB64u,\n groupPublicKey: key.publicKey,\n signingDigestB64u: sess.signingDigestB64u,\n clientCommitments,\n relayerCommitments,\n }));\n\n return { ok: true, relayerSignatureShareB64u: out.relayerSignatureShareB64u };\n }\n\n async thresholdEd25519SignFinalize(request: ThresholdEd25519SignFinalizeRequest): Promise<ThresholdEd25519SignFinalizeResponse> {\n const route = '/threshold-ed25519/sign/finalize';\n const startedAtMs = Date.now();\n let logExtra: Record<string, unknown> | undefined;\n\n const result = await (async (): Promise<ThresholdEd25519SignFinalizeResponse> => {\n if (this.nodeRole !== 'coordinator') {\n return {\n ok: false,\n code: 'not_found',\n message: 'threshold-ed25519 signing endpoints are not enabled on this server (set THRESHOLD_NODE_ROLE=coordinator)',\n };\n }\n\n await this.ensureReady();\n const parsedRequest = parseThresholdEd25519FinalizeRequest(request);\n if (!parsedRequest.ok) return parsedRequest;\n const { signingSessionId, clientSignatureShareB64u } = parsedRequest.value;\n\n this.logger.info('[threshold-ed25519] request', {\n route,\n signingSessionId,\n clientSignatureShareB64u_len: clientSignatureShareB64u.length,\n });\n\n const coord = await this.sessionStore.takeCoordinatorSigningSession(signingSessionId);\n if (!coord) {\n logExtra = { mode: 'local', signingSessionId };\n const out = await this.peerSignFinalizeFromSigningSessionId({ signingSessionId, clientSignatureShareB64u });\n if (!out.ok) return out;\n return {\n ok: true,\n relayerSignatureSharesById: {\n [String(this.relayerParticipantId)]: out.relayerSignatureShareB64u,\n },\n };\n }\n\n if (Date.now() > coord.expiresAtMs) {\n logExtra = { mode: coord.mode, signingSessionId };\n return { ok: false, code: 'unauthorized', message: 'signingSessionId expired' };\n }\n\n if (coord.mode === 'cosigner') {\n const cosignerIds = normalizeCosignerIds(coord.cosignerIds);\n logExtra = { mode: 'cosigner', signingSessionId, cosignerIds };\n if (!cosignerIds || cosignerIds.length === 0) {\n return { ok: false, code: 'internal', message: 'coordinator signing session missing cosignerIds' };\n }\n\n const relayerCommitments = coord.commitmentsById?.[String(this.relayerParticipantId)];\n if (!relayerCommitments?.hiding || !relayerCommitments?.binding) {\n return { ok: false, code: 'internal', message: 'coordinator signing session missing relayer commitments' };\n }\n\n this.logger.info('[threshold-ed25519] cosign/finalize fanout', { route, signingSessionId, cosignerIds });\n\n const sharesByCosignerId: Record<string, string> = {};\n let lastPeerErr: { code: string; message: string } | null = null;\n\n for (const cosignerId of cosignerIds) {\n const cosignerRelayerUrl = coord.cosignerRelayerUrlsById?.[String(cosignerId)];\n const cosignerGrant = coord.cosignerCoordinatorGrantsById?.[String(cosignerId)];\n if (!cosignerRelayerUrl || !cosignerGrant) {\n return { ok: false, code: 'internal', message: 'coordinator signing session missing cosigner mapping' };\n }\n\n const candidates = [\n cosignerRelayerUrl,\n ...this.relayerCosigners.filter((p) => p.cosignerId === cosignerId).map((p) => p.relayerUrl),\n ].filter((url, idx, arr) => arr.indexOf(url) === idx);\n\n let cosignerShare: string | null = null;\n for (const relayerUrl of candidates) {\n const finalizeUrl = `${relayerUrl}/threshold-ed25519/internal/cosign/finalize`;\n const peerFinalize = await this.postJsonWithTimeout(finalizeUrl, {\n coordinatorGrant: cosignerGrant,\n signingSessionId,\n cosignerIds,\n groupPublicKey: coord.groupPublicKey,\n relayerCommitments,\n }, 10_000);\n if (!peerFinalize.ok) {\n lastPeerErr = peerFinalize;\n continue;\n }\n\n const finalizeJson = peerFinalize.json as ThresholdEd25519CosignFinalizeResponse;\n if (!finalizeJson?.ok) {\n lastPeerErr = { code: finalizeJson?.code || 'internal', message: finalizeJson?.message || 'cosign/finalize failed' };\n continue;\n }\n const share = toOptionalTrimmedString(finalizeJson.relayerSignatureShareB64u);\n if (!share) {\n lastPeerErr = { code: 'internal', message: 'cosign/finalize produced empty signature share' };\n continue;\n }\n cosignerShare = share;\n break;\n }\n if (!cosignerShare) {\n if (lastPeerErr) {\n this.logger.warn('[threshold-ed25519] cosign/finalize failed', {\n route,\n signingSessionId,\n cosignerId,\n candidateRelayerUrls: candidates,\n code: lastPeerErr.code,\n message: lastPeerErr.message,\n });\n }\n logExtra = { ...logExtra, failedCosignerId: cosignerId };\n return {\n ok: false,\n code: lastPeerErr?.code || 'unavailable',\n message: lastPeerErr?.message || `No cosigner available for cosign/finalize (cosignerId=${cosignerId})`,\n };\n }\n\n sharesByCosignerId[String(cosignerId)] = cosignerShare;\n }\n\n const summed = addEd25519ScalarsB64u({ scalarsB64u: Object.values(sharesByCosignerId) });\n if (!summed.ok) {\n return { ok: false, code: summed.code, message: summed.message };\n }\n\n return {\n ok: true,\n relayerSignatureSharesById: {\n [String(this.relayerParticipantId)]: summed.scalarB64u,\n },\n };\n }\n\n logExtra = { mode: (coord as unknown as { mode?: unknown }).mode, signingSessionId };\n return { ok: false, code: 'internal', message: 'coordinator signing session has invalid mode' };\n })().catch((e: unknown) => {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Internal error');\n return { ok: false, code: 'internal', message: msg };\n });\n\n this.logResult(route, startedAtMs, result, logExtra);\n return result;\n }\n\n private async postJsonWithTimeout(\n url: string,\n body: unknown,\n timeoutMs: number,\n ): Promise<\n | { ok: true; status: number; json: any }\n | { ok: false; code: string; message: string }\n > {\n const controller = typeof AbortController !== 'undefined' ? new AbortController() : undefined;\n const id = controller ? setTimeout(() => controller.abort(), Math.max(0, Number(timeoutMs) || 0)) : undefined;\n try {\n const res = await fetch(url, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(body ?? {}),\n signal: controller?.signal,\n } as RequestInit);\n const text = await res.text();\n let json: any = {};\n try {\n json = text ? JSON.parse(text) : {};\n } catch {\n json = {};\n }\n return { ok: true, status: res.status, json };\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Network error');\n return { ok: false, code: 'internal', message: msg };\n } finally {\n if (id !== undefined) clearTimeout(id);\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;AA8DA,SAAS,iBAAiB,OAAgB,OAAyD;AACjG,KAAI,CAAC,SAAS,OAAO,UAAU,YAAY,MAAM,QAAQ,OACvD,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS,GAAG,MAAM;;CAE9D,MAAM,MAAM;CACZ,MAAM,SAASA,2CAAwB,IAAI;CAC3C,MAAM,UAAUA,2CAAwB,IAAI;AAC5C,KAAI,CAAC,UAAU,CAAC,QACd,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS,GAAG,MAAM;;AAE9D,QAAO;EAAE,IAAI;EAAM,OAAO;GAAE;GAAQ;;;;AAGtC,SAAS,qCAAqC,SAM3C;CACD,MAAM,eAAeA,2CAAwB,QAAQ;AACrD,KAAI,CAAC,aAAc,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAEtE,MAAM,eAAeA,2CAAwB,QAAQ;AACrD,KAAI,CAAC,aAAc,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAEtE,MAAM,gBAAgBA,2CAAwB,QAAQ;AACtD,KAAI,CAAC,cAAe,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAEvE,MAAM,oBAAoBA,2CAAwB,QAAQ;AAC1D,KAAI,CAAC,kBAAmB,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAE3E,MAAM,cAAc,iBAAkB,QAAuD,mBAAmB;AAChH,KAAI,CAAC,YAAY,GAAI,QAAO;AAE5B,QAAO;EACL,IAAI;EACJ,OAAO;GACL;GACA;GACA;GACA;GACA,mBAAmB,YAAY;;;;AAKrC,SAAS,qCAAqC,SAM3C;CACD,MAAM,mBAAmBA,2CAAwB,QAAQ;AACzD,KAAI,CAAC,iBAAkB,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAC1E,MAAM,2BAA2BA,2CAAwB,QAAQ;AACjE,KAAI,CAAC,yBACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AAErD,QAAO;EAAE,IAAI;EAAM,OAAO;GAAE;GAAkB;;;;AAGhD,SAAS,uCAAuC,SAI7C;CACD,MAAM,mBAAmBA,2CAAwB,QAAQ;AACzD,KAAI,CAAC,iBAAkB,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAE1E,MAAM,oBAAoBA,2CAAwB,QAAQ;AAC1D,KAAI,CAAC,kBAAmB,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AAC3E,KAAI;EACF,MAAM,UAAUC,+BAAgB;AAChC,MAAI,QAAQ,WAAW,GACrB,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS,2CAA2C,QAAQ;;UAEjGC,GAAY;AACnB,SAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS,8BAA8B,OAAO,KAAK;;;CAG/F,MAAM,cAAc,iBAAkB,QAAuD,mBAAmB;AAChH,KAAI,CAAC,YAAY,GAAI,QAAO;AAE5B,QAAO;EAAE,IAAI;EAAM,OAAO;GAAE;GAAkB;GAAmB,mBAAmB,YAAY;;;;AAGlG,SAAS,2CAA2C,SAKjD;CACD,MAAM,mBAAmBF,2CAAwB,QAAQ;AACzD,KAAI,CAAC,iBAAkB,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAE1E,MAAM,iBAAiBA,2CAAwB,QAAQ;AACvD,KAAI,CAAC,eAAgB,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAExE,MAAM,cAAcG,uCAAsB,QAAiD;AAC3F,KAAI,CAAC,YAAa,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAErE,MAAM,qBAAqB,iBAAkB,QAAwD,oBAAoB;AACzH,KAAI,CAAC,mBAAmB,GAAI,QAAO;AAEnC,QAAO;EAAE,IAAI;EAAM,OAAO;GAAE;GAAkB;GAAa;GAAgB,oBAAoB,mBAAmB;;;;AAGpH,SAAS,sCAAsC,KAAc,aAAuB,OAAsC;CACxH,MAAM,WAAWC,6DAAwC,gBAAgB,CAAC,GAAG;CAC7E,MAAM,iBAAiBA,6DAAwC,QAAQ,CAAC,GAAG;AAE3E,MAAK,MAAM,MAAM,SACf,KAAI,CAAC,eAAe,SAAS,IAC3B,QAAO;EACL,IAAI;EACJ,MAAM;EACN,SAAS,GAAG,MAAM,+EAA+E,SAAS,KAAK,KAAK;;AAK1H,QAAO;EAAE,IAAI;EAAM,OAAO;;;AAkB5B,SAAS,6CAA6C,KAAsD;CAC1G,MAAM,SAAS;AACf,KAAI,CAAC,QAAQ,qBAAqB,CAAC,QAAQ,oBAAoB,UAAU,CAAC,QAAQ,oBAAoB,QACpG,OAAM,IAAI,MAAM;AAElB,QAAO;;AAOT,SAAS,2CAA2C,KAAoD;CACtG,MAAM,SAAS;AACf,KAAI,CAAC,QAAQ,0BACX,OAAM,IAAI,MAAM;AAElB,QAAO;;AAGT,SAAS,qBAAqB,YAAsB,OAAuB;AACzE,KAAI,CAAC,WAAW,OAAQ,OAAM,IAAI,MAAM,GAAG,MAAM;CACjD,IAAI,MAAMC,wBAAQ,MAAM;AACxB,MAAK,MAAM,KAAK,YAAY;EAC1B,MAAM,MAAML,2CAAwB;AACpC,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM,GAAG,MAAM;EACnC,MAAM,QAAQC,+BAAgB;AAC9B,MAAI,MAAM,WAAW,GAAI,OAAM,IAAI,MAAM,GAAG,MAAM,gCAAgC,MAAM;EACxF,MAAM,KAAKI,wBAAQ,MAAM,UAAU;AACnC,QAAM,IAAI,IAAI;;AAEhB,QAAOC,+BAAgB,IAAI;;AAG7B,SAAS,6BAA6B,aAA4C,OAA4C;AAC5H,KAAI,CAAC,YAAY,OAAQ,OAAM,IAAI,MAAM,GAAG,MAAM;CAClD,MAAM,SAAS,qBAAqB,YAAY,KAAK,MAAM,EAAE,SAAS,GAAG,MAAM;CAC/E,MAAM,UAAU,qBAAqB,YAAY,KAAK,MAAM,EAAE,UAAU,GAAG,MAAM;AACjF,QAAO;EAAE;EAAQ;;;AAGnB,IAAa,kCAAb,MAA6C;CAC3C,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAQ,4BAAuD;CAC/D,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CAEjB,YAAY,OAeT;AACD,OAAK,SAAS,MAAM;AACpB,OAAK,WAAW,MAAM;AACtB,OAAK,mBAAmB,MAAM;AAC9B,OAAK,2BAA2B,MAAM;AACtC,OAAK,oBAAoB,MAAM;AAC/B,OAAK,+BAA+B,MAAM;AAC1C,OAAK,sBAAsB,MAAM;AACjC,OAAK,uBAAuB,MAAM;AAClC,OAAK,mBAAmB,MAAM;AAC9B,OAAK,eAAe,MAAM;AAC1B,OAAK,cAAc,MAAM;AACzB,OAAK,mBAAmB,MAAM;AAC9B,OAAK,oBAAoB,MAAM;AAC/B,OAAK,4BAA4B,MAAM;;CAGzC,AAAQ,UAAU,OAAe,aAAqB,QAA0D,OAAuC;EACrJ,MAAM,YAAY,KAAK,IAAI,GAAG,KAAK,QAAQ;EAC3C,MAAM,MAAM,OAAO,OAAO,YAAY,WAAW,OAAO,UAAU;EAClE,MAAM,UAAU,OAAO,IAAI,SAAS,MAAM,GAAG,IAAI,MAAM,GAAG,KAAK,OAAO;EACtE,MAAM,UAAU;GACd;GACA,IAAI,OAAO;GACX,GAAI,OAAO,OAAO,EAAE,MAAM,OAAO,SAAS;GAC1C,GAAI,CAAC,OAAO,MAAM,UAAU,EAAE,YAAY;GAC1C;GACA,GAAI,SAAS;;AAEf,MAAI,OAAO,IAAI;AACb,QAAK,OAAO,KAAK,gCAAgC;AACjD;;AAEF,MAAI,OAAO,SAAS,YAAY;AAC9B,QAAK,OAAO,MAAM,gCAAgC;AAClD;;AAEF,OAAK,OAAO,KAAK,gCAAgC;;CAGnD,AAAQ,yCAAiD;EACvD,MAAM,KAAK,OAAO,WAAW,QAAQ,eAAe,aAChD,WAAW,OAAO,eAClB,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;AACtD,SAAO,QAAQ;;CAGjB,MAAc,kBAAkB,SAAkE;EAChG,MAAM,MAAM,MAAMC,6DAAoC;GACpD,aAAa,KAAK;GAClB,YAAY,KAAK;GACjB;;AAEF,OAAK,4BAA4B,IAAI;AACrC,SAAO,IAAI;;CAGb,MAAc,oBAAoB,OAGhC;EACA,MAAM,WAAW,MAAMC,+DAAsC;GAC3D,aAAa,KAAK;GAClB,YAAY,KAAK;GACjB;;AAEF,OAAK,4BAA4B,SAAS;AAC1C,MAAI,CAAC,SAAS,GAAI,QAAO;AACzB,SAAO;GAAE,IAAI;GAAM,OAAO,SAAS;GAAO,YAAY,SAAS;;;CAGjE,MAAM,yBAAyB,SAAqF;EAClH,MAAM,QAAQ;EACd,MAAM,cAAc,KAAK;EACzB,IAAIC;EAEJ,MAAM,SAAS,OAAO,YAAuD;AAC3E,OAAI,KAAK,aAAa,cACpB,QAAO;IACL,IAAI;IACJ,MAAM;IACN,SAAS;;AAIb,SAAM,KAAK;GACX,MAAM,gBAAgB,qCAAqC;AAC3D,OAAI,CAAC,cAAc,GAAI,QAAO;GAC9B,MAAM,EAAE,cAAc,cAAc,eAAe,mBAAmB,sBAAsB,cAAc;AAE1G,QAAK,OAAO,KAAK,+BAA+B;IAC9C;IACA;IACA;IACA;IACA,uBAAuB,kBAAkB;;GAG3C,MAAM,OAAO,MAAM,KAAK,aAAa,eAAe;AACpD,OAAI,CAAC,KACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;AAErD,OAAI,KAAK,QAAQ,KAAK,YACpB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAGrD,MAAM,sBACJL,6DAAwC,KAAK,mBAAmB,CAAC,GAAG,KAAK;AAE3E,OAAI,iBAAiB,KAAK,aACxB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;AAGrD,OAAI,kBAAkB,KAAK,OACzB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;AAGrD,OAAI,sBAAsB,KAAK,kBAC7B,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAGrD,MAAM,2BAA2B,KAAK,iBAAiB,SAAS,KAAK,KAAK,6BAA6B;AACvG,OAAI,0BAA0B;AAC5B,eAAW,EAAE,MAAM;AACnB,QAAI,CAAC,KAAK,iBAAiB,OACzB,QAAO;KAAE,IAAI;KAAO,MAAM;KAAkB,SAAS;;IAEvD,MAAM,IAAI,KAAK;AACf,QAAI,CAAC,EACH,QAAO;KAAE,IAAI;KAAO,MAAM;KAAkB,SAAS;;IAGvD,MAAMM,iBAAe,sCAAsC,qBAAqB,KAAK,kBAAkB;AACvG,QAAI,CAACA,eAAa,GAAI,QAAOA;IAE7B,MAAM,iBACJP,uCAAqB,MAAM,KAAK,IAAI,IAAI,KAAK,iBAAiB,KAAK,MAAM,EAAE,kBAAkB;AAC/F,eAAW;KAAE,GAAG;KAAU;KAAgB;;AAC1C,QAAI,eAAe,WAAW,EAC5B,QAAO;KAAE,IAAI;KAAO,MAAM;KAAkB,SAAS;;AAEvD,QAAI,IAAI,eAAe,OACrB,QAAO;KACL,IAAI;KACJ,MAAM;KACN,SAAS,8EAA8E,EAAE,MAAM,eAAe,OAAO;;IAIzH,MAAM,MAAM,MAAM,KAAK,0BAA0B;KAC/C,cAAc,KAAK;KACnB,eAAe,KAAK;KACpB,MAAM,KAAK;KACX,0BAA0B,KAAK;;AAEjC,QAAI,CAAC,IAAI,GACP,QAAO;KAAE,IAAI;KAAO,MAAM,IAAI;KAAM,SAAS,IAAI;;IAGnD,MAAM,QAAQ,MAAMQ,uDAAkC;KACpD,eAAe,KAAK;KACpB,kBAAkB,IAAI;KACtB,mBAAmB,KAAK;;AAE1B,QAAI,CAAC,MAAM,GACT,QAAO;KAAE,IAAI;KAAO,MAAM,MAAM;KAAM,SAAS,MAAM;;IAGvD,MAAM,SAASC,qEAAmD;KAChE,yBAAyB,IAAI;KAC7B,aAAa;KACb,mBAAmB;;AAErB,QAAI,CAAC,OAAO,GACV,QAAO;KAAE,IAAI;KAAO,MAAM,OAAO;KAAM,SAAS,OAAO;;IAGzD,MAAM,MAAM,KAAK,MAAM,KAAK,QAAQ;IACpC,MAAM,MAAM,MAAM;IAClB,MAAM,mBAAmB,KAAK;IAC9B,MAAM,QAAQ;IACd,MAAM,cAAc,KAAK,QAAQ;AACjC,SAAK,OAAO,KAAK,0CAA0C;KAAE;KAAO;KAAkB;KAAgB;;IAEtG,MAAM,cAAc,MAAM,QAAQ,IAAI,eAAe,IAAI,OAAO,eAAe;KAC7E,MAAM,oBAAoB,OAAO,mBAAmB,OAAO;AAC3D,SAAI,CAAC,kBACH,QAAO;MAAE,IAAI;MAAgB;MAAY,MAAM;MAAY,SAAS;;KAGtE,MAAM,QAAQ,MAAM,KAAK,kBAAkB;MACzC,GAAG;MACH,KAAK;MACL,KAAK;MACL;MACA;MACA;MACA,YAAY;;AAEd,SAAI,CAAC,MACH,QAAO;MAAE,IAAI;MAAgB;MAAY,MAAM;MAAkB,SAAS;;KAG5E,MAAM,aAAa,KAAK,iBAAiB,QAAQ,MAAM,EAAE,eAAe;AACxE,SAAI,CAAC,WAAW,OACd,QAAO;MAAE,IAAI;MAAgB;MAAY,MAAM;MAAkB,SAAS,gDAAgD;;KAG5H,IAAIC,UAAoD;AACxD,UAAK,MAAM,QAAQ,YAAY;MAC7B,MAAM,UAAU,GAAG,KAAK,WAAW;MACnC,MAAM,WAAW,MAAM,KAAK,oBAAoB,SAAS;OACvD,kBAAkB;OAClB;OACA;OACA;SACC;AACH,UAAI,CAAC,SAAS,IAAI;AAChB,iBAAU;AACV;;MAGF,MAAM,WAAW,SAAS;AAC1B,UAAI,CAAC,UAAU,IAAI;AACjB,iBAAU;QAAE,MAAM,UAAU,QAAQ;QAAY,SAAS,UAAU,WAAW;;AAC9E;;MAEF,MAAM,cAAc,SAAS;AAC7B,UAAI,CAAC,aAAa,UAAU,CAAC,aAAa,SAAS;AACjD,iBAAU;QAAE,MAAM;QAAY,SAAS;;AACvC;;AAEF,aAAO;OACL,IAAI;OACJ;OACA,eAAe;OACf,YAAY,KAAK;OACjB,oBAAoB;;;AAIxB,SAAI,QACF,MAAK,OAAO,KAAK,0CAA0C;MACzD;MACA;MACA;MACA,sBAAsB,WAAW,KAAK,MAAM,EAAE;MAC9C,MAAM,QAAQ;MACd,SAAS,QAAQ;;AAGrB,YAAO;MAAE,IAAI;MAAgB;MAAY,MAAM,SAAS,QAAQ;MAAe,SAAS,SAAS,WAAW;;;IAG9G,MAAM,UAAU,YAAY,QAAQ,MAM/B,EAAE;AAEP,QAAI,QAAQ,SAAS,GAAG;KACtB,MAAM,SAAS,YAAY,QAAQ,MAAM,CAAC,EAAE;KAC5C,MAAM,UAAU,OAAO,SAAS,OAAO,OAAO,SAAS,KAAK;AAC5D,gBAAW;MAAE,GAAG;MAAU;MAAkB,aAAa,QAAQ;;AACjE,YAAO;MACL,IAAI;MACJ,MAAM,SAAS,QAAQ;MACvB,SAAS,iBAAiB,EAAE,0BAA0B,QAAQ;;;AAIlE,YAAQ,MAAM,GAAG,MAAM,EAAE,aAAa,EAAE;IACxC,MAAM,WAAW,QAAQ,MAAM,GAAG;IAClC,MAAM,sBAAsB,SAAS,KAAK,MAAM,EAAE;IAElD,MAAM,qBAAqB,6BACzB,SAAS,KAAK,MAAM,EAAE,qBACtB;IAGF,MAAMC,kBAAmD;MACtD,OAAO,KAAK,uBAAuB;MACnC,OAAO,KAAK,wBAAwB;;IAEvC,MAAM,6BAA6B,GAChC,OAAO,KAAK,wBAAwB,IAAI;IAE3C,MAAMC,0BAAkD;IACxD,MAAMC,gCAAwD;AAC9D,SAAK,MAAM,KAAK,UAAU;AACxB,6BAAwB,OAAO,EAAE,eAAe,EAAE;AAClD,mCAA8B,OAAO,EAAE,eAAe,EAAE;;AAG1D,UAAM,KAAK,aAAa,6BAA6B,kBAAkB;KACrE,MAAM;KACN;KACA;KACA,cAAc,KAAK;KACnB,mBAAmB,KAAK;KACxB,QAAQ,KAAK;KACb,MAAM,KAAK;KACX,0BAA0B,KAAK;KAC/B;KACA,gBAAgB,CAAC,GAAG,KAAK;KACzB,gBAAgB,IAAI;KACpB,aAAa;KACb;KACA;KACA;OACC;AAEH,eAAW;KAAE,GAAG;KAAU;KAAkB;;AAC5C,WAAO;KACL,IAAI;KACJ;KACA;KACA;KACA,gBAAgB,CAAC,GAAG,KAAK;;;AAI7B,cAAW,EAAE,MAAM;GACnB,MAAM,eAAe,sCAAsC,qBAAqB,KAAK,kBAAkB;AACvG,OAAI,CAAC,aAAa,GAAI,QAAO;GAC7B,MAAM,MAAM,MAAM,KAAK,iCAAiC;IAAE;IAAc,YAAY;IAAM;;AAC1F,OAAI,CAAC,IAAI,GAAI,QAAO;AAEpB,cAAW;IAAE,GAAG;IAAU,kBAAkB,IAAI;;AAChD,UAAO;IACL,IAAI;IACJ,kBAAkB,IAAI;IACtB,iBAAiB;MACd,OAAO,KAAK,uBAAuB;MACnC,OAAO,KAAK,wBAAwB,IAAI;;IAE3C,4BAA4B,GACzB,OAAO,KAAK,wBAAwB,IAAI;IAE3C,gBAAgB,CAAC,GAAG,KAAK;;OAExB,OAAO,MAAe;GACzB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;;AAGjD,OAAK,UAAU,OAAO,aAAa,QAAQ;AAC3C,SAAO;;CAGT,MAAM,2BAA2B,SAAyF;EACxH,MAAM,QAAQ;EACd,MAAM,cAAc,KAAK;EACzB,MAAM,aAAa,KAAK;EACxB,MAAM,WAAW,aAAa,EAAE,eAAe;EAE/C,MAAM,SAAS,OAAO,YAAyD;AAC7E,OAAI,CAAC,cAAe,KAAK,aAAa,cAAc,KAAK,aAAa,cACpE,QAAO;IAAE,IAAI;IAAO,MAAM;IAAa,SAAS;;AAGlD,SAAM,KAAK;GACX,MAAM,gBAAgB,uCAAuC;AAC7D,OAAI,CAAC,cAAc,GAAI,QAAO;GAC9B,MAAM,EAAE,kBAAkB,mBAAmB,sBAAsB,cAAc;AAEjF,QAAK,OAAO,KAAK,+BAA+B;IAC9C;IACA;IACA;IACA,uBAAuB,kBAAkB;;GAG3C,MAAM,WAAW,MAAM,KAAK,oBAAoB,QAAQ;AACxD,OAAI,CAAC,SAAS,GACZ,QAAO;IAAE,IAAI;IAAO,MAAM,SAAS;IAAM,SAAS,SAAS;;GAE7D,MAAM,EAAE,OAAO,eAAe;AAE9B,OAAI,MAAM,eAAe,WACvB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAGrD,MAAM,oBAAoB,sCAAsC,WAAW,gBAAgB,KAAK,kBAAkB;AAClH,OAAI,CAAC,kBAAkB,GAAI,QAAO;AAElC,SAAM,KAAK;GACX,MAAM,SAAS,mIACmB;GAGlC,MAAM,QAAQ;GACd,MAAM,cAAc,KAAK,QAAQ;GACjC,MAAMF,kBAAmD,GACtD,OAAO,KAAK,uBAAuB;AAGtC,SAAM,KAAK,aAAa,kBAAkB,kBAAkB;IAC1D;IACA,cAAc,MAAM;IACpB,cAAc,WAAW;IACzB,mBAAmB,WAAW;IAC9B,QAAQ,WAAW;IACnB,MAAM,WAAW;IACjB,0BAA0B,WAAW;IACrC;IACA,yBAAyB;IACzB,mBAAmB,OAAO;IAC1B,gBAAgB,CAAC,GAAG,KAAK;MACxB;AAEH,UAAO;IAAE,IAAI;IAAM,oBAAoB,OAAO;;OAC3C,OAAO,MAAe;GACzB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;;AAGjD,OAAK,UAAU,OAAO,aAAa,QAAQ;AAC3C,SAAO;;CAGT,MAAM,+BAA+B,SAAiG;EACpI,MAAM,QAAQ;EACd,MAAM,cAAc,KAAK;EACzB,MAAM,aAAa,KAAK;EACxB,MAAM,WAAW,aAAa,EAAE,eAAe;EAE/C,MAAM,SAAS,OAAO,YAA6D;AACjF,OAAI,CAAC,cAAe,KAAK,aAAa,cAAc,KAAK,aAAa,cACpE,QAAO;IAAE,IAAI;IAAO,MAAM;IAAa,SAAS;;AAGlD,SAAM,KAAK;GACX,MAAM,gBAAgB,2CAA2C;AACjE,OAAI,CAAC,cAAc,GAAI,QAAO;GAC9B,MAAM,EAAE,kBAAkB,aAAa,gBAAgB,uBAAuB,cAAc;AAE5F,QAAK,OAAO,KAAK,+BAA+B;IAC9C;IACA;IACA;IACA;;GAGF,MAAM,WAAW,MAAM,KAAK,oBAAoB,QAAQ;AACxD,OAAI,CAAC,SAAS,GACZ,QAAO;IAAE,IAAI;IAAO,MAAM,SAAS;IAAM,SAAS,SAAS;;GAE7D,MAAM,EAAE,OAAO,eAAe;AAE9B,OAAI,MAAM,eAAe,WACvB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;AAGrD,OAAI,CAAC,YAAY,SAAS,YACxB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAGrD,MAAM,OAAO,MAAM,KAAK,aAAa,mBAAmB;AACxD,OAAI,CAAC,KACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;AAErD,OAAI,KAAK,QAAQ,KAAK,YACpB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAGrD,MAAM,oBAAoB,YAA2B;IACnD,MAAM,QAAQ,KAAK,IAAI,GAAG,KAAK,cAAc,KAAK;AAClD,QAAI,CAAC,MAAO;AACZ,UAAM,KAAK,aAAa,kBAAkB,kBAAkB,MAAM;;AAGpE,OAAI,KAAK,iBAAiB,MAAM,cAAc;AAC5C,UAAM;AACN,WAAO;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;;AAErD,OAAI,KAAK,iBAAiB,WAAW,cAAc;AACjD,UAAM;AACN,WAAO;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;;AAErD,OAAI,KAAK,sBAAsB,WAAW,mBAAmB;AAC3D,UAAM;AACN,WAAO;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;;AAErD,OAAI,KAAK,WAAW,WAAW,QAAQ;AACrC,UAAM;AACN,WAAO;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;;AAErD,OAAI,KAAK,SAAS,WAAW,MAAM;AACjC,UAAM;AACN,WAAO;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;;AAErD,OAAI,KAAK,6BAA6B,WAAW,0BAA0B;AACzE,UAAM;AACN,WAAO;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;;GAGrD,MAAM,kBAAkBd,2CAAwB,KAAK;AACrD,OAAI,CAAC,gBACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;GAGjD,MAAM,YAAYiB,uDAAqC;IAAE;IAAY;;AACrE,OAAI,CAAC,UAAU,GACb,QAAO;IAAE,IAAI;IAAO,MAAM,UAAU;IAAM,SAAS,UAAU;;GAG/D,MAAM,WAAWC,6DAA2C;IAC1D,YAAY;IACZ,iBAAiB,UAAU;;AAE7B,OAAI,CAAC,SAAS,GACZ,QAAO;IAAE,IAAI;IAAO,MAAM,SAAS;IAAM,SAAS,SAAS;;AAG7D,SAAM,KAAK;GACX,MAAM,oBAAoB,KAAK,kBAAkB,OAAO,KAAK;AAC7D,OAAI,CAAC,kBACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;GAEjD,MAAM,MAAM,wIAAkF;IAC5F,qBAAqB,KAAK;IAC1B,sBAAsB,KAAK;IAC3B,yBAAyB,SAAS;IAClC,mBAAmB,KAAK;IACxB;IACA,mBAAmB,KAAK;IACxB;IACA;;AAGF,UAAO;IAAE,IAAI;IAAM,2BAA2B,IAAI;;OAC/C,OAAO,MAAe;GACzB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;;AAGjD,OAAK,UAAU,OAAO,aAAa,QAAQ;AAC3C,SAAO;;CAGT,MAAc,iCAAiC,OAIf;EAC9B,MAAM,eAAe,MAAM;EAC3B,MAAM,OAAO,MAAM;AACnB,MAAI,KAAK,QAAQ,KAAK,YACpB,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;EAGrD,MAAM,oBAAoB,sCAAsC,KAAK,gBAAgB,KAAK,kBAAkB;AAC5G,MAAI,CAAC,kBAAkB,GAAI,QAAO;EAClC,MAAM,iBAAiB,kBAAkB;EACzC,MAAM,oBAAoB,KAAK;EAE/B,MAAM,MAAM,MAAM,KAAK,0BAA0B;GAC/C,cAAc,KAAK;GACnB,eAAe,KAAK;GACpB,MAAM,KAAK;GACX,0BAA0B,KAAK;;AAEjC,MAAI,CAAC,IAAI,GACP,QAAO;GAAE,IAAI;GAAO,MAAM,IAAI;GAAM,SAAS,IAAI;;EAGnD,MAAM,QAAQ,MAAMP,uDAAkC;GACpD,eAAe,KAAK;GACpB,kBAAkB,IAAI;GACtB,mBAAmB,KAAK;;AAE1B,MAAI,CAAC,MAAM,GACT,QAAO;GAAE,IAAI;GAAO,MAAM,MAAM;GAAM,SAAS,MAAM;;AAGvD,QAAM,KAAK;EACX,MAAM,SAAS,mIACmB,IAAI;EAGtC,MAAM,mBAAmB,KAAK;EAC9B,MAAM,QAAQ;EACd,MAAM,cAAc,KAAK,QAAQ;EACjC,MAAMG,kBAAmD;IACtD,OAAO,KAAK,uBAAuB,MAAM;IACzC,OAAO,KAAK,wBAAwB,OAAO;;AAE9C,QAAM,KAAK,aAAa,kBAAkB,kBAAkB;GAC1D;GACA;GACA,cAAc,KAAK;GACnB;GACA,QAAQ,KAAK;GACb,MAAM,KAAK;GACX,0BAA0B,KAAK;GAC/B;GACA,mBAAmB,OAAO;GAC1B;KACC;AAEH,SAAO;GACL,IAAI;GACJ;GACA,oBAAoB,OAAO;GAC3B,2BAA2B,IAAI;;;CAInC,MAAc,qCAAqC,OASf;EAClC,MAAM,mBAAmB,MAAM;AACE,QAAM;EAEvC,MAAM,OAAO,MAAM,KAAK,aAAa,mBAAmB;AACxD,MAAI,CAAC,KACH,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;AAErD,MAAI,KAAK,QAAQ,KAAK,YACpB,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;EAGrD,MAAM,oBAAoB,YAA2B;GACnD,MAAM,QAAQ,KAAK,IAAI,GAAG,KAAK,cAAc,KAAK;AAClD,OAAI,CAAC,MAAO;AACZ,SAAM,KAAK,aAAa,kBAAkB,kBAAkB,MAAM;;AAGpE,MAAI,MAAM,wBAAwB,KAAK,iBAAiB,MAAM,sBAAsB;AAClF,SAAM;AACN,UAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;;AAErD,MAAI,MAAM,wBAAwB,KAAK,iBAAiB,MAAM,sBAAsB;AAClF,SAAM;AACN,UAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;;AAErD,MAAI,MAAM,6BAA6B,KAAK,sBAAsB,MAAM,2BAA2B;AACjG,SAAM;AACN,UAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;;AAErD,MAAI,MAAM,kBAAkB,KAAK,WAAW,MAAM,gBAAgB;AAChE,SAAM;AACN,UAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;;AAErD,MAAI,MAAM,gBAAgB,KAAK,SAAS,MAAM,cAAc;AAC1D,SAAM;AACN,UAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;;AAErD,MAAI,MAAM,oCAAoC,KAAK,6BAA6B,MAAM,kCAAkC;AACtH,SAAM;AACN,UAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;;EAGrD,MAAM,oBAAoB,sCAAsC,KAAK,gBAAgB,KAAK,kBAAkB;AAC5G,MAAI,CAAC,kBAAkB,GAAI,QAAO;EAElC,MAAM,MAAM,MAAM,KAAK,0BAA0B;GAC/C,cAAc,KAAK;GACnB,eAAe,KAAK;GACpB,MAAM,KAAK;GACX,0BAA0B,KAAK;;AAEjC,MAAI,CAAC,IAAI,GACP,QAAO;GAAE,IAAI;GAAO,MAAM,IAAI;GAAM,SAAS,IAAI;;AAGnD,QAAM,KAAK;EACX,MAAM,oBAAoB,KAAK,kBAAkB,OAAO,KAAK;EAC7D,MAAM,qBAAqB,KAAK,kBAAkB,OAAO,KAAK;AAC9D,MAAI,CAAC,qBAAqB,CAAC,mBACzB,QAAO;GAAE,IAAI;GAAO,MAAM;GAAY,SAAS;;EAEjD,MAAM,MAAM,+HAAyE;GACnF,qBAAqB,KAAK;GAC1B,sBAAsB,KAAK;GAC3B,yBAAyB,IAAI;GAC7B,mBAAmB,KAAK;GACxB,gBAAgB,IAAI;GACpB,mBAAmB,KAAK;GACxB;GACA;;AAGF,SAAO;GAAE,IAAI;GAAM,2BAA2B,IAAI;;;CAGpD,MAAM,6BAA6B,SAA6F;EAC9H,MAAM,QAAQ;EACd,MAAM,cAAc,KAAK;EACzB,IAAIL;EAEJ,MAAM,SAAS,OAAO,YAA2D;AAC/E,OAAI,KAAK,aAAa,cACpB,QAAO;IACL,IAAI;IACJ,MAAM;IACN,SAAS;;AAIb,SAAM,KAAK;GACX,MAAM,gBAAgB,qCAAqC;AAC3D,OAAI,CAAC,cAAc,GAAI,QAAO;GAC9B,MAAM,EAAE,kBAAkB,6BAA6B,cAAc;AAErE,QAAK,OAAO,KAAK,+BAA+B;IAC9C;IACA;IACA,8BAA8B,yBAAyB;;GAGzD,MAAM,QAAQ,MAAM,KAAK,aAAa,8BAA8B;AACpE,OAAI,CAAC,OAAO;AACV,eAAW;KAAE,MAAM;KAAS;;IAC5B,MAAM,MAAM,MAAM,KAAK,qCAAqC;KAAE;KAAkB;;AAChF,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,WAAO;KACL,IAAI;KACJ,4BAA4B,GACzB,OAAO,KAAK,wBAAwB,IAAI;;;AAK/C,OAAI,KAAK,QAAQ,MAAM,aAAa;AAClC,eAAW;KAAE,MAAM,MAAM;KAAM;;AAC/B,WAAO;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;;AAGrD,OAAI,MAAM,SAAS,YAAY;IAC7B,MAAM,cAAcN,uCAAqB,MAAM;AAC/C,eAAW;KAAE,MAAM;KAAY;KAAkB;;AACjD,QAAI,CAAC,eAAe,YAAY,WAAW,EACzC,QAAO;KAAE,IAAI;KAAO,MAAM;KAAY,SAAS;;IAGjD,MAAM,qBAAqB,MAAM,kBAAkB,OAAO,KAAK;AAC/D,QAAI,CAAC,oBAAoB,UAAU,CAAC,oBAAoB,QACtD,QAAO;KAAE,IAAI;KAAO,MAAM;KAAY,SAAS;;AAGjD,SAAK,OAAO,KAAK,8CAA8C;KAAE;KAAO;KAAkB;;IAE1F,MAAMgB,qBAA6C;IACnD,IAAIC,cAAwD;AAE5D,SAAK,MAAM,cAAc,aAAa;KACpC,MAAM,qBAAqB,MAAM,0BAA0B,OAAO;KAClE,MAAM,gBAAgB,MAAM,gCAAgC,OAAO;AACnE,SAAI,CAAC,sBAAsB,CAAC,cAC1B,QAAO;MAAE,IAAI;MAAO,MAAM;MAAY,SAAS;;KAGjD,MAAM,aAAa,CACjB,oBACA,GAAG,KAAK,iBAAiB,QAAQ,MAAM,EAAE,eAAe,YAAY,KAAK,MAAM,EAAE,aACjF,QAAQ,KAAK,KAAK,QAAQ,IAAI,QAAQ,SAAS;KAEjD,IAAIC,gBAA+B;AACnC,UAAK,MAAM,cAAc,YAAY;MACnC,MAAM,cAAc,GAAG,WAAW;MAClC,MAAM,eAAe,MAAM,KAAK,oBAAoB,aAAa;OAC/D,kBAAkB;OAClB;OACA;OACA,gBAAgB,MAAM;OACtB;SACC;AACH,UAAI,CAAC,aAAa,IAAI;AACpB,qBAAc;AACd;;MAGF,MAAM,eAAe,aAAa;AAClC,UAAI,CAAC,cAAc,IAAI;AACrB,qBAAc;QAAE,MAAM,cAAc,QAAQ;QAAY,SAAS,cAAc,WAAW;;AAC1F;;MAEF,MAAM,QAAQrB,2CAAwB,aAAa;AACnD,UAAI,CAAC,OAAO;AACV,qBAAc;QAAE,MAAM;QAAY,SAAS;;AAC3C;;AAEF,sBAAgB;AAChB;;AAEF,SAAI,CAAC,eAAe;AAClB,UAAI,YACF,MAAK,OAAO,KAAK,8CAA8C;OAC7D;OACA;OACA;OACA,sBAAsB;OACtB,MAAM,YAAY;OAClB,SAAS,YAAY;;AAGzB,iBAAW;OAAE,GAAG;OAAU,kBAAkB;;AAC5C,aAAO;OACL,IAAI;OACJ,MAAM,aAAa,QAAQ;OAC3B,SAAS,aAAa,WAAW,yDAAyD,WAAW;;;AAIzG,wBAAmB,OAAO,eAAe;;IAG3C,MAAM,SAASsB,wCAAsB,EAAE,aAAa,OAAO,OAAO;AAClE,QAAI,CAAC,OAAO,GACV,QAAO;KAAE,IAAI;KAAO,MAAM,OAAO;KAAM,SAAS,OAAO;;AAGzD,WAAO;KACL,IAAI;KACJ,4BAA4B,GACzB,OAAO,KAAK,wBAAwB,OAAO;;;AAKlD,cAAW;IAAE,MAAO,MAAwC;IAAM;;AAClE,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;OAC5C,OAAO,MAAe;GACzB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;;AAGjD,OAAK,UAAU,OAAO,aAAa,QAAQ;AAC3C,SAAO;;CAGT,MAAc,oBACZ,KACA,MACA,WAIA;EACA,MAAM,aAAa,OAAO,oBAAoB,cAAc,IAAI,oBAAoB;EACpF,MAAM,KAAK,aAAa,iBAAiB,WAAW,SAAS,KAAK,IAAI,GAAG,OAAO,cAAc,MAAM;AACpG,MAAI;GACF,MAAM,MAAM,MAAM,MAAM,KAAK;IAC3B,QAAQ;IACR,SAAS,EAAE,gBAAgB;IAC3B,MAAM,KAAK,UAAU,QAAQ;IAC7B,QAAQ,YAAY;;GAEtB,MAAM,OAAO,MAAM,IAAI;GACvB,IAAIC,OAAY;AAChB,OAAI;AACF,WAAO,OAAO,KAAK,MAAM,QAAQ;WAC3B;AACN,WAAO;;AAET,UAAO;IAAE,IAAI;IAAM,QAAQ,IAAI;IAAQ;;WAChCrB,GAAY;GACnB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;YACvC;AACR,OAAI,OAAO,OAAW,cAAa"}

package/dist/cjs/server/core/ThresholdService/stores/AuthSessionStore.js ADDED Viewed

@@ -0,0 +1,258 @@
+const require_validation = require('../../../sdk/src/utils/validation.js');
+const require_validation$1 = require('../validation.js');
+const require_kv = require('../kv.js');
+//#region src/server/core/ThresholdService/stores/AuthSessionStore.ts
+var InMemoryThresholdEd25519AuthSessionStore = class {
+	keyPrefix;
+	map = /* @__PURE__ */ new Map();
+	constructor(input) {
+		this.keyPrefix = require_validation$1.toThresholdEd25519AuthPrefix(input.keyPrefix);
+	}
+	key(id) {
+		return `${this.keyPrefix}${id}`;
+	}
+	async putSession(id, record, opts) {
+		const key = this.key(id);
+		const ttlMs = Math.max(0, Number(opts.ttlMs) || 0);
+		const expiresAtMs = Date.now() + ttlMs;
+		this.map.set(key, {
+			record,
+			remainingUses: Math.max(0, Number(opts.remainingUses) || 0),
+			expiresAtMs
+		});
+	}
+	async getSession(id) {
+		const key = this.key(id);
+		const entry = this.map.get(key);
+		if (!entry) return null;
+		if (Date.now() > entry.expiresAtMs) {
+			this.map.delete(key);
+			return null;
+		}
+		return entry.record;
+	}
+	async consumeUse(id) {
+		const key = this.key(id);
+		const entry = this.map.get(key);
+		if (!entry) return {
+			ok: false,
+			code: "unauthorized",
+			message: "threshold session expired or invalid"
+		};
+		if (Date.now() > entry.expiresAtMs) {
+			this.map.delete(key);
+			return {
+				ok: false,
+				code: "unauthorized",
+				message: "threshold session expired"
+			};
+		}
+		if (entry.remainingUses <= 0) return {
+			ok: false,
+			code: "unauthorized",
+			message: "threshold session exhausted"
+		};
+		entry.remainingUses -= 1;
+		return {
+			ok: true,
+			record: entry.record,
+			remainingUses: entry.remainingUses
+		};
+	}
+};
+var UpstashRedisRestThresholdEd25519AuthSessionStore = class {
+	client;
+	keyPrefix;
+	constructor(input) {
+		const url = require_validation.toOptionalTrimmedString(input.url);
+		const token = require_validation.toOptionalTrimmedString(input.token);
+		if (!url) throw new Error("Upstash auth session store missing url");
+		if (!token) throw new Error("Upstash auth session store missing token");
+		this.client = new require_kv.UpstashRedisRestClient({
+			url,
+			token
+		});
+		this.keyPrefix = require_validation$1.toThresholdEd25519AuthPrefix(input.keyPrefix);
+	}
+	metaKey(id) {
+		return `${this.keyPrefix}${id}`;
+	}
+	usesKey(id) {
+		return `${this.keyPrefix}${id}:uses`;
+	}
+	async putSession(id, record, opts) {
+		const ttlMs = Math.max(0, Number(opts.ttlMs) || 0);
+		await this.client.setJson(this.metaKey(id), record, ttlMs);
+		await this.client.setRaw(this.usesKey(id), String(Math.max(0, Number(opts.remainingUses) || 0)), ttlMs);
+	}
+	async getSession(id) {
+		const raw = await this.client.getJson(this.metaKey(id));
+		return require_validation$1.parseThresholdEd25519AuthSessionRecord(raw);
+	}
+	async consumeUse(id) {
+		try {
+			const remainingUses = await this.client.incrby(this.usesKey(id), -1);
+			if (remainingUses < 0) return {
+				ok: false,
+				code: "unauthorized",
+				message: "threshold session exhausted"
+			};
+			const record = await this.getSession(id);
+			if (!record) return {
+				ok: false,
+				code: "unauthorized",
+				message: "threshold session expired or invalid"
+			};
+			if (Date.now() > record.expiresAtMs) return {
+				ok: false,
+				code: "unauthorized",
+				message: "threshold session expired"
+			};
+			return {
+				ok: true,
+				record,
+				remainingUses
+			};
+		} catch (e) {
+			const msg = String(e && typeof e === "object" && "message" in e ? e.message : e || "Failed to consume threshold session");
+			return {
+				ok: false,
+				code: "internal",
+				message: msg
+			};
+		}
+	}
+};
+var RedisTcpThresholdEd25519AuthSessionStore = class {
+	client;
+	keyPrefix;
+	constructor(input) {
+		const url = require_validation.toOptionalTrimmedString(input.redisUrl);
+		if (!url) throw new Error("redis-tcp auth session store missing redisUrl");
+		this.client = new require_kv.RedisTcpClient(url);
+		this.keyPrefix = require_validation$1.toThresholdEd25519AuthPrefix(input.keyPrefix);
+	}
+	metaKey(id) {
+		return `${this.keyPrefix}${id}`;
+	}
+	usesKey(id) {
+		return `${this.keyPrefix}${id}:uses`;
+	}
+	async putSession(id, record, opts) {
+		const ttlMs = Math.max(0, Number(opts.ttlMs) || 0);
+		await require_kv.redisSetJson(this.client, this.metaKey(id), record, ttlMs);
+		const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1e3));
+		const uses = String(Math.max(0, Number(opts.remainingUses) || 0));
+		const resp = await this.client.send([
+			"SET",
+			this.usesKey(id),
+			uses,
+			"EX",
+			String(ttlSeconds)
+		]);
+		if (resp.type === "error") throw new Error(`Redis SET error: ${resp.value}`);
+	}
+	async getSession(id) {
+		const raw = await require_kv.redisGetJson(this.client, this.metaKey(id));
+		return require_validation$1.parseThresholdEd25519AuthSessionRecord(raw);
+	}
+	async consumeUse(id) {
+		try {
+			const resp = await this.client.send([
+				"INCRBY",
+				this.usesKey(id),
+				"-1"
+			]);
+			if (resp.type === "error") return {
+				ok: false,
+				code: "internal",
+				message: `Redis INCRBY error: ${resp.value}`
+			};
+			const remainingUses = resp.type === "integer" ? resp.value : Number(resp.value ?? 0);
+			if (!Number.isFinite(remainingUses)) return {
+				ok: false,
+				code: "internal",
+				message: "Redis INCRBY returned non-integer value"
+			};
+			if (remainingUses < 0) return {
+				ok: false,
+				code: "unauthorized",
+				message: "threshold session exhausted"
+			};
+			const record = await this.getSession(id);
+			if (!record) return {
+				ok: false,
+				code: "unauthorized",
+				message: "threshold session expired or invalid"
+			};
+			if (Date.now() > record.expiresAtMs) return {
+				ok: false,
+				code: "unauthorized",
+				message: "threshold session expired"
+			};
+			return {
+				ok: true,
+				record,
+				remainingUses
+			};
+		} catch (e) {
+			const msg = String(e && typeof e === "object" && "message" in e ? e.message : e || "Failed to consume threshold session");
+			return {
+				ok: false,
+				code: "internal",
+				message: msg
+			};
+		}
+	}
+};
+function createThresholdEd25519AuthSessionStore(input) {
+	const config = require_validation$1.isObject(input.config) ? input.config : {};
+	const envPrefix = require_validation.toOptionalTrimmedString(config.THRESHOLD_ED25519_AUTH_PREFIX);
+	const kind = require_validation.toOptionalTrimmedString(config.kind);
+	if (kind === "in-memory") return new InMemoryThresholdEd25519AuthSessionStore({ keyPrefix: envPrefix || void 0 });
+	if (kind === "upstash-redis-rest") return new UpstashRedisRestThresholdEd25519AuthSessionStore({
+		url: require_validation.toOptionalTrimmedString(config.url) || require_validation.toOptionalTrimmedString(config.UPSTASH_REDIS_REST_URL),
+		token: require_validation.toOptionalTrimmedString(config.token) || require_validation.toOptionalTrimmedString(config.UPSTASH_REDIS_REST_TOKEN),
+		keyPrefix: require_validation.toOptionalTrimmedString(config.keyPrefix) || envPrefix
+	});
+	if (kind === "redis-tcp") {
+		if (!input.isNode) {
+			input.logger.warn("[threshold-ed25519] redis-tcp auth session store is not supported in this runtime; falling back to in-memory");
+			return new InMemoryThresholdEd25519AuthSessionStore({ keyPrefix: envPrefix || void 0 });
+		}
+		return new RedisTcpThresholdEd25519AuthSessionStore({
+			redisUrl: require_validation.toOptionalTrimmedString(config.redisUrl) || require_validation.toOptionalTrimmedString(config.REDIS_URL),
+			keyPrefix: require_validation.toOptionalTrimmedString(config.keyPrefix) || envPrefix
+		});
+	}
+	const upstashUrl = require_validation.toOptionalTrimmedString(config.UPSTASH_REDIS_REST_URL);
+	const upstashToken = require_validation.toOptionalTrimmedString(config.UPSTASH_REDIS_REST_TOKEN);
+	if (upstashUrl || upstashToken) {
+		if (!upstashUrl || !upstashToken) throw new Error("Upstash auth session store enabled but UPSTASH_REDIS_REST_URL / UPSTASH_REDIS_REST_TOKEN are not both set");
+		input.logger.info("[threshold-ed25519] Using Upstash REST store for threshold auth sessions");
+		return new UpstashRedisRestThresholdEd25519AuthSessionStore({
+			url: upstashUrl,
+			token: upstashToken,
+			keyPrefix: envPrefix || void 0
+		});
+	}
+	const redisUrl = require_validation.toOptionalTrimmedString(config.REDIS_URL);
+	if (redisUrl) {
+		if (!input.isNode) {
+			input.logger.warn("[threshold-ed25519] REDIS_URL is set but TCP Redis is not supported in this runtime; falling back to in-memory");
+			return new InMemoryThresholdEd25519AuthSessionStore({ keyPrefix: envPrefix || void 0 });
+		}
+		input.logger.info("[threshold-ed25519] Using redis-tcp store for threshold auth sessions");
+		return new RedisTcpThresholdEd25519AuthSessionStore({
+			redisUrl,
+			keyPrefix: envPrefix || void 0
+		});
+	}
+	input.logger.info("[threshold-ed25519] Using in-memory auth session store for threshold sessions (non-persistent)");
+	return new InMemoryThresholdEd25519AuthSessionStore({ keyPrefix: envPrefix || void 0 });
+}
+//#endregion
+exports.createThresholdEd25519AuthSessionStore = createThresholdEd25519AuthSessionStore;
+//# sourceMappingURL=AuthSessionStore.js.map

package/dist/cjs/server/core/ThresholdService/stores/AuthSessionStore.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"AuthSessionStore.js","names":["toThresholdEd25519AuthPrefix","toOptionalTrimmedString","UpstashRedisRestClient","parseThresholdEd25519AuthSessionRecord","e: unknown","RedisTcpClient","redisSetJson","redisGetJson","isObject"],"sources":["../../../../../../src/server/core/ThresholdService/stores/AuthSessionStore.ts"],"sourcesContent":["import type { NormalizedLogger } from '../../logger';\nimport type { ThresholdEd25519KeyStoreConfigInput } from '../../types';\nimport { RedisTcpClient, UpstashRedisRestClient, redisGetJson, redisSetJson } from '../kv';\nimport { toOptionalTrimmedString } from '../../../../utils/validation';\nimport {\n isObject,\n toThresholdEd25519AuthPrefix,\n parseThresholdEd25519AuthSessionRecord,\n} from '../validation';\n\nexport type ThresholdEd25519AuthSessionRecord = {\n expiresAtMs: number;\n relayerKeyId: string;\n userId: string;\n rpId: string;\n participantIds: number[];\n};\n\nexport type ThresholdEd25519AuthConsumeResult =\n | { ok: true; record: ThresholdEd25519AuthSessionRecord; remainingUses: number }\n | { ok: false; code: string; message: string };\n\nexport interface ThresholdEd25519AuthSessionStore {\n putSession(\n id: string,\n record: ThresholdEd25519AuthSessionRecord,\n opts: { ttlMs: number; remainingUses: number },\n ): Promise<void>;\n getSession(id: string): Promise<ThresholdEd25519AuthSessionRecord | null>;\n consumeUse(id: string): Promise<ThresholdEd25519AuthConsumeResult>;\n}\n\nclass InMemoryThresholdEd25519AuthSessionStore implements ThresholdEd25519AuthSessionStore {\n private readonly keyPrefix: string;\n private readonly map = new Map<string, { record: ThresholdEd25519AuthSessionRecord; remainingUses: number; expiresAtMs: number }>();\n\n constructor(input: { keyPrefix?: string }) {\n this.keyPrefix = toThresholdEd25519AuthPrefix(input.keyPrefix);\n }\n\n private key(id: string): string {\n return `${this.keyPrefix}${id}`;\n }\n\n async putSession(\n id: string,\n record: ThresholdEd25519AuthSessionRecord,\n opts: { ttlMs: number; remainingUses: number },\n ): Promise<void> {\n const key = this.key(id);\n const ttlMs = Math.max(0, Number(opts.ttlMs) || 0);\n const expiresAtMs = Date.now() + ttlMs;\n this.map.set(key, { record, remainingUses: Math.max(0, Number(opts.remainingUses) || 0), expiresAtMs });\n }\n\n async getSession(id: string): Promise<ThresholdEd25519AuthSessionRecord | null> {\n const key = this.key(id);\n const entry = this.map.get(key);\n if (!entry) return null;\n if (Date.now() > entry.expiresAtMs) {\n this.map.delete(key);\n return null;\n }\n return entry.record;\n }\n\n async consumeUse(id: string): Promise<ThresholdEd25519AuthConsumeResult> {\n const key = this.key(id);\n const entry = this.map.get(key);\n if (!entry) return { ok: false, code: 'unauthorized', message: 'threshold session expired or invalid' };\n if (Date.now() > entry.expiresAtMs) {\n this.map.delete(key);\n return { ok: false, code: 'unauthorized', message: 'threshold session expired' };\n }\n if (entry.remainingUses <= 0) {\n return { ok: false, code: 'unauthorized', message: 'threshold session exhausted' };\n }\n entry.remainingUses -= 1;\n return { ok: true, record: entry.record, remainingUses: entry.remainingUses };\n }\n}\n\nclass UpstashRedisRestThresholdEd25519AuthSessionStore implements ThresholdEd25519AuthSessionStore {\n private readonly client: UpstashRedisRestClient;\n private readonly keyPrefix: string;\n\n constructor(input: { url: string; token: string; keyPrefix?: string }) {\n const url = toOptionalTrimmedString(input.url);\n const token = toOptionalTrimmedString(input.token);\n if (!url) throw new Error('Upstash auth session store missing url');\n if (!token) throw new Error('Upstash auth session store missing token');\n this.client = new UpstashRedisRestClient({ url, token });\n this.keyPrefix = toThresholdEd25519AuthPrefix(input.keyPrefix);\n }\n\n private metaKey(id: string): string {\n return `${this.keyPrefix}${id}`;\n }\n\n private usesKey(id: string): string {\n return `${this.keyPrefix}${id}:uses`;\n }\n\n async putSession(\n id: string,\n record: ThresholdEd25519AuthSessionRecord,\n opts: { ttlMs: number; remainingUses: number },\n ): Promise<void> {\n const ttlMs = Math.max(0, Number(opts.ttlMs) || 0);\n await this.client.setJson(this.metaKey(id), record, ttlMs);\n await this.client.setRaw(this.usesKey(id), String(Math.max(0, Number(opts.remainingUses) || 0)), ttlMs);\n }\n\n async getSession(id: string): Promise<ThresholdEd25519AuthSessionRecord | null> {\n const raw = await this.client.getJson(this.metaKey(id));\n return parseThresholdEd25519AuthSessionRecord(raw);\n }\n\n async consumeUse(id: string): Promise<ThresholdEd25519AuthConsumeResult> {\n try {\n const remainingUses = await this.client.incrby(this.usesKey(id), -1);\n if (remainingUses < 0) {\n return { ok: false, code: 'unauthorized', message: 'threshold session exhausted' };\n }\n const record = await this.getSession(id);\n if (!record) {\n return { ok: false, code: 'unauthorized', message: 'threshold session expired or invalid' };\n }\n if (Date.now() > record.expiresAtMs) {\n return { ok: false, code: 'unauthorized', message: 'threshold session expired' };\n }\n return { ok: true, record, remainingUses };\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Failed to consume threshold session');\n return { ok: false, code: 'internal', message: msg };\n }\n }\n}\n\nclass RedisTcpThresholdEd25519AuthSessionStore implements ThresholdEd25519AuthSessionStore {\n private readonly client: RedisTcpClient;\n private readonly keyPrefix: string;\n\n constructor(input: { redisUrl: string; keyPrefix?: string }) {\n const url = toOptionalTrimmedString(input.redisUrl);\n if (!url) throw new Error('redis-tcp auth session store missing redisUrl');\n this.client = new RedisTcpClient(url);\n this.keyPrefix = toThresholdEd25519AuthPrefix(input.keyPrefix);\n }\n\n private metaKey(id: string): string {\n return `${this.keyPrefix}${id}`;\n }\n\n private usesKey(id: string): string {\n return `${this.keyPrefix}${id}:uses`;\n }\n\n async putSession(\n id: string,\n record: ThresholdEd25519AuthSessionRecord,\n opts: { ttlMs: number; remainingUses: number },\n ): Promise<void> {\n const ttlMs = Math.max(0, Number(opts.ttlMs) || 0);\n await redisSetJson(this.client, this.metaKey(id), record, ttlMs);\n const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));\n const uses = String(Math.max(0, Number(opts.remainingUses) || 0));\n const resp = await this.client.send(['SET', this.usesKey(id), uses, 'EX', String(ttlSeconds)]);\n if (resp.type === 'error') throw new Error(`Redis SET error: ${resp.value}`);\n }\n\n async getSession(id: string): Promise<ThresholdEd25519AuthSessionRecord | null> {\n const raw = await redisGetJson(this.client, this.metaKey(id));\n return parseThresholdEd25519AuthSessionRecord(raw);\n }\n\n async consumeUse(id: string): Promise<ThresholdEd25519AuthConsumeResult> {\n try {\n const resp = await this.client.send(['INCRBY', this.usesKey(id), '-1']);\n if (resp.type === 'error') return { ok: false, code: 'internal', message: `Redis INCRBY error: ${resp.value}` };\n const remainingUses = resp.type === 'integer' ? resp.value : Number(resp.value ?? 0);\n if (!Number.isFinite(remainingUses)) {\n return { ok: false, code: 'internal', message: 'Redis INCRBY returned non-integer value' };\n }\n if (remainingUses < 0) {\n return { ok: false, code: 'unauthorized', message: 'threshold session exhausted' };\n }\n const record = await this.getSession(id);\n if (!record) {\n return { ok: false, code: 'unauthorized', message: 'threshold session expired or invalid' };\n }\n if (Date.now() > record.expiresAtMs) {\n return { ok: false, code: 'unauthorized', message: 'threshold session expired' };\n }\n return { ok: true, record, remainingUses };\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Failed to consume threshold session');\n return { ok: false, code: 'internal', message: msg };\n }\n }\n}\n\nexport function createThresholdEd25519AuthSessionStore(input: {\n config?: ThresholdEd25519KeyStoreConfigInput | null;\n logger: NormalizedLogger;\n isNode: boolean;\n}): ThresholdEd25519AuthSessionStore {\n const config = (isObject(input.config) ? input.config : {}) as Record<string, unknown>;\n const envPrefix = toOptionalTrimmedString(config.THRESHOLD_ED25519_AUTH_PREFIX);\n\n const kind = toOptionalTrimmedString(config.kind);\n if (kind === 'in-memory') return new InMemoryThresholdEd25519AuthSessionStore({ keyPrefix: envPrefix || undefined });\n if (kind === 'upstash-redis-rest') {\n return new UpstashRedisRestThresholdEd25519AuthSessionStore({\n url: toOptionalTrimmedString(config.url) || toOptionalTrimmedString(config.UPSTASH_REDIS_REST_URL),\n token: toOptionalTrimmedString(config.token) || toOptionalTrimmedString(config.UPSTASH_REDIS_REST_TOKEN),\n keyPrefix: toOptionalTrimmedString(config.keyPrefix) || envPrefix,\n });\n }\n if (kind === 'redis-tcp') {\n if (!input.isNode) {\n input.logger.warn('[threshold-ed25519] redis-tcp auth session store is not supported in this runtime; falling back to in-memory');\n return new InMemoryThresholdEd25519AuthSessionStore({ keyPrefix: envPrefix || undefined });\n }\n return new RedisTcpThresholdEd25519AuthSessionStore({\n redisUrl: toOptionalTrimmedString(config.redisUrl) || toOptionalTrimmedString(config.REDIS_URL),\n keyPrefix: toOptionalTrimmedString(config.keyPrefix) || envPrefix,\n });\n }\n\n const upstashUrl = toOptionalTrimmedString(config.UPSTASH_REDIS_REST_URL);\n const upstashToken = toOptionalTrimmedString(config.UPSTASH_REDIS_REST_TOKEN);\n if (upstashUrl || upstashToken) {\n if (!upstashUrl || !upstashToken) {\n throw new Error('Upstash auth session store enabled but UPSTASH_REDIS_REST_URL / UPSTASH_REDIS_REST_TOKEN are not both set');\n }\n input.logger.info('[threshold-ed25519] Using Upstash REST store for threshold auth sessions');\n return new UpstashRedisRestThresholdEd25519AuthSessionStore({ url: upstashUrl, token: upstashToken, keyPrefix: envPrefix || undefined });\n }\n\n const redisUrl = toOptionalTrimmedString(config.REDIS_URL);\n if (redisUrl) {\n if (!input.isNode) {\n input.logger.warn('[threshold-ed25519] REDIS_URL is set but TCP Redis is not supported in this runtime; falling back to in-memory');\n return new InMemoryThresholdEd25519AuthSessionStore({ keyPrefix: envPrefix || undefined });\n }\n input.logger.info('[threshold-ed25519] Using redis-tcp store for threshold auth sessions');\n return new RedisTcpThresholdEd25519AuthSessionStore({ redisUrl, keyPrefix: envPrefix || undefined });\n }\n\n input.logger.info('[threshold-ed25519] Using in-memory auth session store for threshold sessions (non-persistent)');\n return new InMemoryThresholdEd25519AuthSessionStore({ keyPrefix: envPrefix || undefined });\n}\n"],"mappings":";;;;;AAgCA,IAAM,2CAAN,MAA2F;CACzF,AAAiB;CACjB,AAAiB,sBAAM,IAAI;CAE3B,YAAY,OAA+B;AACzC,OAAK,YAAYA,kDAA6B,MAAM;;CAGtD,AAAQ,IAAI,IAAoB;AAC9B,SAAO,GAAG,KAAK,YAAY;;CAG7B,MAAM,WACJ,IACA,QACA,MACe;EACf,MAAM,MAAM,KAAK,IAAI;EACrB,MAAM,QAAQ,KAAK,IAAI,GAAG,OAAO,KAAK,UAAU;EAChD,MAAM,cAAc,KAAK,QAAQ;AACjC,OAAK,IAAI,IAAI,KAAK;GAAE;GAAQ,eAAe,KAAK,IAAI,GAAG,OAAO,KAAK,kBAAkB;GAAI;;;CAG3F,MAAM,WAAW,IAA+D;EAC9E,MAAM,MAAM,KAAK,IAAI;EACrB,MAAM,QAAQ,KAAK,IAAI,IAAI;AAC3B,MAAI,CAAC,MAAO,QAAO;AACnB,MAAI,KAAK,QAAQ,MAAM,aAAa;AAClC,QAAK,IAAI,OAAO;AAChB,UAAO;;AAET,SAAO,MAAM;;CAGf,MAAM,WAAW,IAAwD;EACvE,MAAM,MAAM,KAAK,IAAI;EACrB,MAAM,QAAQ,KAAK,IAAI,IAAI;AAC3B,MAAI,CAAC,MAAO,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;AAC/D,MAAI,KAAK,QAAQ,MAAM,aAAa;AAClC,QAAK,IAAI,OAAO;AAChB,UAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;;AAErD,MAAI,MAAM,iBAAiB,EACzB,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;AAErD,QAAM,iBAAiB;AACvB,SAAO;GAAE,IAAI;GAAM,QAAQ,MAAM;GAAQ,eAAe,MAAM;;;;AAIlE,IAAM,mDAAN,MAAmG;CACjG,AAAiB;CACjB,AAAiB;CAEjB,YAAY,OAA2D;EACrE,MAAM,MAAMC,2CAAwB,MAAM;EAC1C,MAAM,QAAQA,2CAAwB,MAAM;AAC5C,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM;AAC1B,MAAI,CAAC,MAAO,OAAM,IAAI,MAAM;AAC5B,OAAK,SAAS,IAAIC,kCAAuB;GAAE;GAAK;;AAChD,OAAK,YAAYF,kDAA6B,MAAM;;CAGtD,AAAQ,QAAQ,IAAoB;AAClC,SAAO,GAAG,KAAK,YAAY;;CAG7B,AAAQ,QAAQ,IAAoB;AAClC,SAAO,GAAG,KAAK,YAAY,GAAG;;CAGhC,MAAM,WACJ,IACA,QACA,MACe;EACf,MAAM,QAAQ,KAAK,IAAI,GAAG,OAAO,KAAK,UAAU;AAChD,QAAM,KAAK,OAAO,QAAQ,KAAK,QAAQ,KAAK,QAAQ;AACpD,QAAM,KAAK,OAAO,OAAO,KAAK,QAAQ,KAAK,OAAO,KAAK,IAAI,GAAG,OAAO,KAAK,kBAAkB,KAAK;;CAGnG,MAAM,WAAW,IAA+D;EAC9E,MAAM,MAAM,MAAM,KAAK,OAAO,QAAQ,KAAK,QAAQ;AACnD,SAAOG,4DAAuC;;CAGhD,MAAM,WAAW,IAAwD;AACvE,MAAI;GACF,MAAM,gBAAgB,MAAM,KAAK,OAAO,OAAO,KAAK,QAAQ,KAAK;AACjE,OAAI,gBAAgB,EAClB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAErD,MAAM,SAAS,MAAM,KAAK,WAAW;AACrC,OAAI,CAAC,OACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;AAErD,OAAI,KAAK,QAAQ,OAAO,YACtB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;AAErD,UAAO;IAAE,IAAI;IAAM;IAAQ;;WACpBC,GAAY;GACnB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;;;;AAKrD,IAAM,2CAAN,MAA2F;CACzF,AAAiB;CACjB,AAAiB;CAEjB,YAAY,OAAiD;EAC3D,MAAM,MAAMH,2CAAwB,MAAM;AAC1C,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM;AAC1B,OAAK,SAAS,IAAII,0BAAe;AACjC,OAAK,YAAYL,kDAA6B,MAAM;;CAGtD,AAAQ,QAAQ,IAAoB;AAClC,SAAO,GAAG,KAAK,YAAY;;CAG7B,AAAQ,QAAQ,IAAoB;AAClC,SAAO,GAAG,KAAK,YAAY,GAAG;;CAGhC,MAAM,WACJ,IACA,QACA,MACe;EACf,MAAM,QAAQ,KAAK,IAAI,GAAG,OAAO,KAAK,UAAU;AAChD,QAAMM,wBAAa,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ;EAC1D,MAAM,aAAa,KAAK,IAAI,GAAG,KAAK,KAAK,QAAQ;EACjD,MAAM,OAAO,OAAO,KAAK,IAAI,GAAG,OAAO,KAAK,kBAAkB;EAC9D,MAAM,OAAO,MAAM,KAAK,OAAO,KAAK;GAAC;GAAO,KAAK,QAAQ;GAAK;GAAM;GAAM,OAAO;;AACjF,MAAI,KAAK,SAAS,QAAS,OAAM,IAAI,MAAM,oBAAoB,KAAK;;CAGtE,MAAM,WAAW,IAA+D;EAC9E,MAAM,MAAM,MAAMC,wBAAa,KAAK,QAAQ,KAAK,QAAQ;AACzD,SAAOJ,4DAAuC;;CAGhD,MAAM,WAAW,IAAwD;AACvE,MAAI;GACF,MAAM,OAAO,MAAM,KAAK,OAAO,KAAK;IAAC;IAAU,KAAK,QAAQ;IAAK;;AACjE,OAAI,KAAK,SAAS,QAAS,QAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS,uBAAuB,KAAK;;GACtG,MAAM,gBAAgB,KAAK,SAAS,YAAY,KAAK,QAAQ,OAAO,KAAK,SAAS;AAClF,OAAI,CAAC,OAAO,SAAS,eACnB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;AAEjD,OAAI,gBAAgB,EAClB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAErD,MAAM,SAAS,MAAM,KAAK,WAAW;AACrC,OAAI,CAAC,OACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;AAErD,OAAI,KAAK,QAAQ,OAAO,YACtB,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;AAErD,UAAO;IAAE,IAAI;IAAM;IAAQ;;WACpBC,GAAY;GACnB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;;;;AAKrD,SAAgB,uCAAuC,OAIlB;CACnC,MAAM,SAAUI,8BAAS,MAAM,UAAU,MAAM,SAAS;CACxD,MAAM,YAAYP,2CAAwB,OAAO;CAEjD,MAAM,OAAOA,2CAAwB,OAAO;AAC5C,KAAI,SAAS,YAAa,QAAO,IAAI,yCAAyC,EAAE,WAAW,aAAa;AACxG,KAAI,SAAS,qBACX,QAAO,IAAI,iDAAiD;EAC1D,KAAKA,2CAAwB,OAAO,QAAQA,2CAAwB,OAAO;EAC3E,OAAOA,2CAAwB,OAAO,UAAUA,2CAAwB,OAAO;EAC/E,WAAWA,2CAAwB,OAAO,cAAc;;AAG5D,KAAI,SAAS,aAAa;AACxB,MAAI,CAAC,MAAM,QAAQ;AACjB,SAAM,OAAO,KAAK;AAClB,UAAO,IAAI,yCAAyC,EAAE,WAAW,aAAa;;AAEhF,SAAO,IAAI,yCAAyC;GAClD,UAAUA,2CAAwB,OAAO,aAAaA,2CAAwB,OAAO;GACrF,WAAWA,2CAAwB,OAAO,cAAc;;;CAI5D,MAAM,aAAaA,2CAAwB,OAAO;CAClD,MAAM,eAAeA,2CAAwB,OAAO;AACpD,KAAI,cAAc,cAAc;AAC9B,MAAI,CAAC,cAAc,CAAC,aAClB,OAAM,IAAI,MAAM;AAElB,QAAM,OAAO,KAAK;AAClB,SAAO,IAAI,iDAAiD;GAAE,KAAK;GAAY,OAAO;GAAc,WAAW,aAAa;;;CAG9H,MAAM,WAAWA,2CAAwB,OAAO;AAChD,KAAI,UAAU;AACZ,MAAI,CAAC,MAAM,QAAQ;AACjB,SAAM,OAAO,KAAK;AAClB,UAAO,IAAI,yCAAyC,EAAE,WAAW,aAAa;;AAEhF,QAAM,OAAO,KAAK;AAClB,SAAO,IAAI,yCAAyC;GAAE;GAAU,WAAW,aAAa;;;AAG1F,OAAM,OAAO,KAAK;AAClB,QAAO,IAAI,yCAAyC,EAAE,WAAW,aAAa"}

package/dist/cjs/server/core/ThresholdService/stores/KeyStore.js ADDED Viewed

@@ -0,0 +1,136 @@
+const require_validation = require('../../../sdk/src/utils/validation.js');
+const require_validation$1 = require('../validation.js');
+const require_kv = require('../kv.js');
+//#region src/server/core/ThresholdService/stores/KeyStore.ts
+var InMemoryThresholdEd25519KeyStore = class {
+	map = /* @__PURE__ */ new Map();
+	async get(relayerKeyId) {
+		const id = relayerKeyId;
+		if (!id) return null;
+		return this.map.get(id) || null;
+	}
+	async put(relayerKeyId, record) {
+		const id = relayerKeyId;
+		if (!id) throw new Error("Missing relayerKeyId");
+		this.map.set(id, record);
+	}
+	async del(relayerKeyId) {
+		const id = relayerKeyId;
+		if (!id) return;
+		this.map.delete(id);
+	}
+};
+var UpstashRedisRestThresholdEd25519KeyStore = class {
+	client;
+	keyPrefix;
+	constructor(input) {
+		const url = require_validation.toOptionalTrimmedString(input.url);
+		const token = require_validation.toOptionalTrimmedString(input.token);
+		if (!url) throw new Error("Upstash key store missing url");
+		if (!token) throw new Error("Upstash key store missing token");
+		this.client = new require_kv.UpstashRedisRestClient({
+			url,
+			token
+		});
+		this.keyPrefix = require_validation$1.toThresholdEd25519KeyPrefix(input.keyPrefix);
+	}
+	key(relayerKeyId) {
+		return `${this.keyPrefix}${relayerKeyId}`;
+	}
+	async get(relayerKeyId) {
+		const id = relayerKeyId;
+		if (!id) return null;
+		const raw = await this.client.getJson(this.key(id));
+		return require_validation$1.parseThresholdEd25519KeyRecord(raw);
+	}
+	async put(relayerKeyId, record) {
+		const id = relayerKeyId;
+		if (!id) throw new Error("Missing relayerKeyId");
+		await this.client.setJson(this.key(id), record);
+	}
+	async del(relayerKeyId) {
+		const id = relayerKeyId;
+		if (!id) return;
+		await this.client.del(this.key(id));
+	}
+};
+var RedisTcpThresholdEd25519KeyStore = class {
+	keyPrefix;
+	client;
+	constructor(input) {
+		const url = require_validation.toOptionalTrimmedString(input.redisUrl);
+		if (!url) throw new Error("redis-tcp key store missing redisUrl");
+		this.client = new require_kv.RedisTcpClient(url);
+		this.keyPrefix = require_validation$1.toThresholdEd25519KeyPrefix(input.keyPrefix);
+	}
+	key(relayerKeyId) {
+		return `${this.keyPrefix}${relayerKeyId}`;
+	}
+	async get(relayerKeyId) {
+		const id = relayerKeyId;
+		if (!id) return null;
+		const raw = await require_kv.redisGetJson(this.client, this.key(id));
+		return require_validation$1.parseThresholdEd25519KeyRecord(raw);
+	}
+	async put(relayerKeyId, record) {
+		const id = relayerKeyId;
+		if (!id) throw new Error("Missing relayerKeyId");
+		await require_kv.redisSetJson(this.client, this.key(id), record);
+	}
+	async del(relayerKeyId) {
+		const id = relayerKeyId;
+		if (!id) return;
+		await require_kv.redisDel(this.client, this.key(id));
+	}
+};
+function createThresholdEd25519KeyStore(input) {
+	const config = require_validation$1.isObject(input.config) ? input.config : {};
+	const envPrefix = require_validation.toOptionalTrimmedString(config.THRESHOLD_ED25519_KEYSTORE_PREFIX);
+	const kind = require_validation.toOptionalTrimmedString(config.kind);
+	if (kind === "in-memory") return new InMemoryThresholdEd25519KeyStore();
+	if (kind === "upstash-redis-rest") return new UpstashRedisRestThresholdEd25519KeyStore({
+		url: require_validation.toOptionalTrimmedString(config.url) || require_validation.toOptionalTrimmedString(config.UPSTASH_REDIS_REST_URL),
+		token: require_validation.toOptionalTrimmedString(config.token) || require_validation.toOptionalTrimmedString(config.UPSTASH_REDIS_REST_TOKEN),
+		keyPrefix: require_validation.toOptionalTrimmedString(config.keyPrefix) || envPrefix
+	});
+	if (kind === "redis-tcp") {
+		if (!input.isNode) {
+			input.logger.warn("[threshold-ed25519] redis-tcp key store is not supported in this runtime; falling back to in-memory");
+			return new InMemoryThresholdEd25519KeyStore();
+		}
+		return new RedisTcpThresholdEd25519KeyStore({
+			redisUrl: require_validation.toOptionalTrimmedString(config.redisUrl) || require_validation.toOptionalTrimmedString(config.REDIS_URL),
+			keyPrefix: require_validation.toOptionalTrimmedString(config.keyPrefix) || envPrefix
+		});
+	}
+	const upstashUrl = require_validation.toOptionalTrimmedString(config.UPSTASH_REDIS_REST_URL);
+	const upstashToken = require_validation.toOptionalTrimmedString(config.UPSTASH_REDIS_REST_TOKEN);
+	if (upstashUrl || upstashToken) {
+		if (!upstashUrl || !upstashToken) throw new Error("Upstash key store enabled but UPSTASH_REDIS_REST_URL / UPSTASH_REDIS_REST_TOKEN are not both set");
+		input.logger.info("[threshold-ed25519] Using Upstash REST key store for relayer signing share persistence");
+		return new UpstashRedisRestThresholdEd25519KeyStore({
+			url: upstashUrl,
+			token: upstashToken,
+			keyPrefix: envPrefix || void 0
+		});
+	}
+	const redisUrl = require_validation.toOptionalTrimmedString(config.REDIS_URL);
+	if (redisUrl) {
+		if (!input.isNode) {
+			input.logger.warn("[threshold-ed25519] REDIS_URL is set but TCP Redis is not supported in this runtime; falling back to in-memory");
+			return new InMemoryThresholdEd25519KeyStore();
+		}
+		input.logger.info("[threshold-ed25519] Using redis-tcp key store for relayer signing share persistence");
+		return new RedisTcpThresholdEd25519KeyStore({
+			redisUrl,
+			keyPrefix: envPrefix || void 0
+		});
+	}
+	input.logger.info("[threshold-ed25519] Using in-memory key store for relayer signing share (non-persistent)");
+	return new InMemoryThresholdEd25519KeyStore();
+}
+//#endregion
+exports.createThresholdEd25519KeyStore = createThresholdEd25519KeyStore;
+//# sourceMappingURL=KeyStore.js.map

package/dist/cjs/server/core/ThresholdService/stores/KeyStore.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"KeyStore.js","names":["toOptionalTrimmedString","UpstashRedisRestClient","toThresholdEd25519KeyPrefix","parseThresholdEd25519KeyRecord","RedisTcpClient","redisGetJson","redisSetJson","redisDel","isObject"],"sources":["../../../../../../src/server/core/ThresholdService/stores/KeyStore.ts"],"sourcesContent":["import type { NormalizedLogger } from '../../logger';\nimport type { ThresholdEd25519KeyStoreConfigInput } from '../../types';\nimport {\n RedisTcpClient,\n UpstashRedisRestClient,\n redisDel,\n redisGetJson,\n redisSetJson,\n} from '../kv';\nimport { toOptionalTrimmedString } from '../../../../utils/validation';\nimport {\n isObject,\n toThresholdEd25519KeyPrefix,\n parseThresholdEd25519KeyRecord,\n} from '../validation';\n\nexport type ThresholdEd25519KeyRecord = {\n publicKey: string;\n relayerSigningShareB64u: string;\n relayerVerifyingShareB64u: string;\n};\n\nexport interface ThresholdEd25519KeyStore {\n get(relayerKeyId: string): Promise<ThresholdEd25519KeyRecord | null>;\n put(relayerKeyId: string, record: ThresholdEd25519KeyRecord): Promise<void>;\n del(relayerKeyId: string): Promise<void>;\n}\n\nclass InMemoryThresholdEd25519KeyStore implements ThresholdEd25519KeyStore {\n private readonly map = new Map<string, ThresholdEd25519KeyRecord>();\n\n async get(relayerKeyId: string): Promise<ThresholdEd25519KeyRecord | null> {\n const id = relayerKeyId;\n if (!id) return null;\n return this.map.get(id) || null;\n }\n\n async put(relayerKeyId: string, record: ThresholdEd25519KeyRecord): Promise<void> {\n const id = relayerKeyId;\n if (!id) throw new Error('Missing relayerKeyId');\n this.map.set(id, record);\n }\n\n async del(relayerKeyId: string): Promise<void> {\n const id = relayerKeyId;\n if (!id) return;\n this.map.delete(id);\n }\n}\n\nclass UpstashRedisRestThresholdEd25519KeyStore implements ThresholdEd25519KeyStore {\n private readonly client: UpstashRedisRestClient;\n private readonly keyPrefix: string;\n\n constructor(input: { url: string; token: string; keyPrefix?: string }) {\n const url = toOptionalTrimmedString(input.url);\n const token = toOptionalTrimmedString(input.token);\n if (!url) throw new Error('Upstash key store missing url');\n if (!token) throw new Error('Upstash key store missing token');\n this.client = new UpstashRedisRestClient({ url, token });\n this.keyPrefix = toThresholdEd25519KeyPrefix(input.keyPrefix);\n }\n\n private key(relayerKeyId: string): string {\n return `${this.keyPrefix}${relayerKeyId}`;\n }\n\n async get(relayerKeyId: string): Promise<ThresholdEd25519KeyRecord | null> {\n const id = relayerKeyId;\n if (!id) return null;\n const raw = await this.client.getJson(this.key(id));\n return parseThresholdEd25519KeyRecord(raw);\n }\n\n async put(relayerKeyId: string, record: ThresholdEd25519KeyRecord): Promise<void> {\n const id = relayerKeyId;\n if (!id) throw new Error('Missing relayerKeyId');\n await this.client.setJson(this.key(id), record);\n }\n\n async del(relayerKeyId: string): Promise<void> {\n const id = relayerKeyId;\n if (!id) return;\n await this.client.del(this.key(id));\n }\n}\n\nclass RedisTcpThresholdEd25519KeyStore implements ThresholdEd25519KeyStore {\n private readonly keyPrefix: string;\n private readonly client: RedisTcpClient;\n\n constructor(input: { redisUrl: string; keyPrefix?: string }) {\n const url = toOptionalTrimmedString(input.redisUrl);\n if (!url) throw new Error('redis-tcp key store missing redisUrl');\n this.client = new RedisTcpClient(url);\n this.keyPrefix = toThresholdEd25519KeyPrefix(input.keyPrefix);\n }\n\n private key(relayerKeyId: string): string {\n return `${this.keyPrefix}${relayerKeyId}`;\n }\n\n async get(relayerKeyId: string): Promise<ThresholdEd25519KeyRecord | null> {\n const id = relayerKeyId;\n if (!id) return null;\n const raw = await redisGetJson(this.client, this.key(id));\n return parseThresholdEd25519KeyRecord(raw);\n }\n\n async put(relayerKeyId: string, record: ThresholdEd25519KeyRecord): Promise<void> {\n const id = relayerKeyId;\n if (!id) throw new Error('Missing relayerKeyId');\n await redisSetJson(this.client, this.key(id), record);\n }\n\n async del(relayerKeyId: string): Promise<void> {\n const id = relayerKeyId;\n if (!id) return;\n await redisDel(this.client, this.key(id));\n }\n}\n\nexport function createThresholdEd25519KeyStore(input: {\n config?: ThresholdEd25519KeyStoreConfigInput | null;\n logger: NormalizedLogger;\n isNode: boolean;\n}): ThresholdEd25519KeyStore {\n const config = (isObject(input.config) ? input.config : {}) as Record<string, unknown>;\n const envPrefix = toOptionalTrimmedString(config.THRESHOLD_ED25519_KEYSTORE_PREFIX);\n\n // Explicit config object\n const kind = toOptionalTrimmedString(config.kind);\n if (kind === 'in-memory') return new InMemoryThresholdEd25519KeyStore();\n if (kind === 'upstash-redis-rest') {\n return new UpstashRedisRestThresholdEd25519KeyStore({\n url: toOptionalTrimmedString(config.url) || toOptionalTrimmedString(config.UPSTASH_REDIS_REST_URL),\n token: toOptionalTrimmedString(config.token) || toOptionalTrimmedString(config.UPSTASH_REDIS_REST_TOKEN),\n keyPrefix: toOptionalTrimmedString(config.keyPrefix) || envPrefix,\n });\n }\n if (kind === 'redis-tcp') {\n if (!input.isNode) {\n input.logger.warn('[threshold-ed25519] redis-tcp key store is not supported in this runtime; falling back to in-memory');\n return new InMemoryThresholdEd25519KeyStore();\n }\n return new RedisTcpThresholdEd25519KeyStore({\n redisUrl: toOptionalTrimmedString(config.redisUrl) || toOptionalTrimmedString(config.REDIS_URL),\n keyPrefix: toOptionalTrimmedString(config.keyPrefix) || envPrefix,\n });\n }\n\n // Env-shaped config\n const upstashUrl = toOptionalTrimmedString(config.UPSTASH_REDIS_REST_URL);\n const upstashToken = toOptionalTrimmedString(config.UPSTASH_REDIS_REST_TOKEN);\n if (upstashUrl || upstashToken) {\n if (!upstashUrl || !upstashToken) {\n throw new Error('Upstash key store enabled but UPSTASH_REDIS_REST_URL / UPSTASH_REDIS_REST_TOKEN are not both set');\n }\n input.logger.info('[threshold-ed25519] Using Upstash REST key store for relayer signing share persistence');\n return new UpstashRedisRestThresholdEd25519KeyStore({ url: upstashUrl, token: upstashToken, keyPrefix: envPrefix || undefined });\n }\n\n const redisUrl = toOptionalTrimmedString(config.REDIS_URL);\n if (redisUrl) {\n if (!input.isNode) {\n input.logger.warn('[threshold-ed25519] REDIS_URL is set but TCP Redis is not supported in this runtime; falling back to in-memory');\n return new InMemoryThresholdEd25519KeyStore();\n }\n input.logger.info('[threshold-ed25519] Using redis-tcp key store for relayer signing share persistence');\n return new RedisTcpThresholdEd25519KeyStore({ redisUrl, keyPrefix: envPrefix || undefined });\n }\n\n input.logger.info('[threshold-ed25519] Using in-memory key store for relayer signing share (non-persistent)');\n return new InMemoryThresholdEd25519KeyStore();\n}\n"],"mappings":";;;;;AA4BA,IAAM,mCAAN,MAA2E;CACzE,AAAiB,sBAAM,IAAI;CAE3B,MAAM,IAAI,cAAiE;EACzE,MAAM,KAAK;AACX,MAAI,CAAC,GAAI,QAAO;AAChB,SAAO,KAAK,IAAI,IAAI,OAAO;;CAG7B,MAAM,IAAI,cAAsB,QAAkD;EAChF,MAAM,KAAK;AACX,MAAI,CAAC,GAAI,OAAM,IAAI,MAAM;AACzB,OAAK,IAAI,IAAI,IAAI;;CAGnB,MAAM,IAAI,cAAqC;EAC7C,MAAM,KAAK;AACX,MAAI,CAAC,GAAI;AACT,OAAK,IAAI,OAAO;;;AAIpB,IAAM,2CAAN,MAAmF;CACjF,AAAiB;CACjB,AAAiB;CAEjB,YAAY,OAA2D;EACrE,MAAM,MAAMA,2CAAwB,MAAM;EAC1C,MAAM,QAAQA,2CAAwB,MAAM;AAC5C,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM;AAC1B,MAAI,CAAC,MAAO,OAAM,IAAI,MAAM;AAC5B,OAAK,SAAS,IAAIC,kCAAuB;GAAE;GAAK;;AAChD,OAAK,YAAYC,iDAA4B,MAAM;;CAGrD,AAAQ,IAAI,cAA8B;AACxC,SAAO,GAAG,KAAK,YAAY;;CAG7B,MAAM,IAAI,cAAiE;EACzE,MAAM,KAAK;AACX,MAAI,CAAC,GAAI,QAAO;EAChB,MAAM,MAAM,MAAM,KAAK,OAAO,QAAQ,KAAK,IAAI;AAC/C,SAAOC,oDAA+B;;CAGxC,MAAM,IAAI,cAAsB,QAAkD;EAChF,MAAM,KAAK;AACX,MAAI,CAAC,GAAI,OAAM,IAAI,MAAM;AACzB,QAAM,KAAK,OAAO,QAAQ,KAAK,IAAI,KAAK;;CAG1C,MAAM,IAAI,cAAqC;EAC7C,MAAM,KAAK;AACX,MAAI,CAAC,GAAI;AACT,QAAM,KAAK,OAAO,IAAI,KAAK,IAAI;;;AAInC,IAAM,mCAAN,MAA2E;CACzE,AAAiB;CACjB,AAAiB;CAEjB,YAAY,OAAiD;EAC3D,MAAM,MAAMH,2CAAwB,MAAM;AAC1C,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM;AAC1B,OAAK,SAAS,IAAII,0BAAe;AACjC,OAAK,YAAYF,iDAA4B,MAAM;;CAGrD,AAAQ,IAAI,cAA8B;AACxC,SAAO,GAAG,KAAK,YAAY;;CAG7B,MAAM,IAAI,cAAiE;EACzE,MAAM,KAAK;AACX,MAAI,CAAC,GAAI,QAAO;EAChB,MAAM,MAAM,MAAMG,wBAAa,KAAK,QAAQ,KAAK,IAAI;AACrD,SAAOF,oDAA+B;;CAGxC,MAAM,IAAI,cAAsB,QAAkD;EAChF,MAAM,KAAK;AACX,MAAI,CAAC,GAAI,OAAM,IAAI,MAAM;AACzB,QAAMG,wBAAa,KAAK,QAAQ,KAAK,IAAI,KAAK;;CAGhD,MAAM,IAAI,cAAqC;EAC7C,MAAM,KAAK;AACX,MAAI,CAAC,GAAI;AACT,QAAMC,oBAAS,KAAK,QAAQ,KAAK,IAAI;;;AAIzC,SAAgB,+BAA+B,OAIlB;CAC3B,MAAM,SAAUC,8BAAS,MAAM,UAAU,MAAM,SAAS;CACxD,MAAM,YAAYR,2CAAwB,OAAO;CAGjD,MAAM,OAAOA,2CAAwB,OAAO;AAC5C,KAAI,SAAS,YAAa,QAAO,IAAI;AACrC,KAAI,SAAS,qBACX,QAAO,IAAI,yCAAyC;EAClD,KAAKA,2CAAwB,OAAO,QAAQA,2CAAwB,OAAO;EAC3E,OAAOA,2CAAwB,OAAO,UAAUA,2CAAwB,OAAO;EAC/E,WAAWA,2CAAwB,OAAO,cAAc;;AAG5D,KAAI,SAAS,aAAa;AACxB,MAAI,CAAC,MAAM,QAAQ;AACjB,SAAM,OAAO,KAAK;AAClB,UAAO,IAAI;;AAEb,SAAO,IAAI,iCAAiC;GAC1C,UAAUA,2CAAwB,OAAO,aAAaA,2CAAwB,OAAO;GACrF,WAAWA,2CAAwB,OAAO,cAAc;;;CAK5D,MAAM,aAAaA,2CAAwB,OAAO;CAClD,MAAM,eAAeA,2CAAwB,OAAO;AACpD,KAAI,cAAc,cAAc;AAC9B,MAAI,CAAC,cAAc,CAAC,aAClB,OAAM,IAAI,MAAM;AAElB,QAAM,OAAO,KAAK;AAClB,SAAO,IAAI,yCAAyC;GAAE,KAAK;GAAY,OAAO;GAAc,WAAW,aAAa;;;CAGtH,MAAM,WAAWA,2CAAwB,OAAO;AAChD,KAAI,UAAU;AACZ,MAAI,CAAC,MAAM,QAAQ;AACjB,SAAM,OAAO,KAAK;AAClB,UAAO,IAAI;;AAEb,QAAM,OAAO,KAAK;AAClB,SAAO,IAAI,iCAAiC;GAAE;GAAU,WAAW,aAAa;;;AAGlF,OAAM,OAAO,KAAK;AAClB,QAAO,IAAI"}