@tatchi-xyz/sdk 0.20.0 → 0.31.0

package/dist/cjs/server/router/cloudflare.js

@@ -1,136 +1,21 @@
 
-//#region src/core/WalletIframe/validation.ts
-function isString(x) {
-	return typeof x === "string";
-}
-
-//#endregion
-//#region src/server/core/shamirHandlers.ts
-async function handleApplyServerLock(service, request) {
-	try {
-		const kek_c_b64u = request.body?.kek_c_b64u;
-		if (!isString(kek_c_b64u) || !kek_c_b64u) return {
-			status: 400,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ error: "kek_c_b64u required and must be a non-empty string" })
-		};
-		const out = await service.applyServerLock(kek_c_b64u);
-		const keyId = service.getCurrentShamirKeyId();
-		return {
-			status: 200,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				...out,
-				keyId
-			})
-		};
-	} catch (e) {
-		return {
-			status: 500,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				error: "internal",
-				details: e?.message
-			})
-		};
-	}
-}
-async function handleRemoveServerLock(service, request) {
-	try {
-		const body = request.body;
-		if (!body) return {
-			status: 400,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ error: "Missing body" })
-		};
-		const { kek_cs_b64u, keyId } = body;
-		if (!isString(kek_cs_b64u) || !kek_cs_b64u) return {
-			status: 400,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ error: "kek_cs_b64u required and must be a non-empty string" })
-		};
-		if (!isString(keyId) || !keyId) return {
-			status: 400,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ error: "keyId required and must be a non-empty string" })
-		};
-		const providedKeyId = String(keyId);
-		const currentKeyId = service.getCurrentShamirKeyId();
-		let out;
-		if (currentKeyId && providedKeyId === currentKeyId) out = await service.removeServerLock(kek_cs_b64u);
-		else if (service.hasGraceKey(providedKeyId)) out = await service.removeGraceServerLockWithKey(providedKeyId, { kek_cs_b64u });
-		else return {
-			status: 400,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ error: "unknown keyId" })
-		};
-		return {
-			status: 200,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify(out)
-		};
-	} catch (e) {
-		return {
-			status: 500,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				error: "internal",
-				details: e?.message
-			})
-		};
-	}
+//#region src/utils/validation.ts
+/** Strict string coercion: returns the value only when it's already a string. */
+function toOptionalString(value) {
+	return typeof value === "string" ? value : "";
 }
-async function handleGetShamirKeyInfo(service) {
-	try {
-		await service.ensureReady();
-		const currentKeyId = service.getCurrentShamirKeyId();
-		const graceKeyIds = service.getGraceKeyIds();
-		return {
-			status: 200,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				currentKeyId,
-				p_b64u: service.getShamirConfig()?.shamir_p_b64u ?? null,
-				graceKeyIds
-			})
-		};
-	} catch (e) {
-		return {
-			status: 500,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				error: "internal",
-				details: e?.message
-			})
-		};
-	}
+/** Ensure a non-empty string starts with `/` (path normalization). */
+function ensureLeadingSlash(value) {
+	const trimmed = String(value ?? "").trim();
+	if (!trimmed) return "";
+	return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
 }
-
-//#endregion
-//#region src/server/core/SessionService.ts
-function parseCsvList(input) {
-	const out = /* @__PURE__ */ new Set();
-	for (const raw of String(input || "").split(",")) {
-		const s = raw.trim();
-		if (!s) continue;
-		try {
-			const u = new URL(s);
-			const host = u.hostname.toLowerCase();
-			const port = u.port ? `:${u.port}` : "";
-			const proto = u.protocol === "http:" || u.protocol === "https:" ? u.protocol : "https:";
-			out.add(`${proto}//${host}${port}`);
-		} catch {
-			const stripped = s.replace(/\/$/, "");
-			if (stripped) out.add(stripped);
-		}
-	}
-	return Array.from(out);
+/** Collapse a string into a single line by normalizing whitespace. */
+function toSingleLine(value) {
+	return String(value ?? "").replace(/[\r\n]+/g, " ").replace(/\s+/g, " ").trim();
 }
-function buildCorsOrigins(...inputs) {
-	const merged = /* @__PURE__ */ new Set();
-	for (const input of inputs) for (const origin of parseCsvList(input)) merged.add(origin);
-	const list = Array.from(merged);
-	return list.length > 0 ? list : "*";
+function isString(x) {
+	return typeof x === "string";
 }
 
 //#endregion
@@ -283,52 +168,15 @@ function normalizeLogger(logger) {
 		error: safe(error)
 	};
 }
+const coerceLogger = normalizeLogger;
 
 //#endregion
 //#region src/server/router/logger.ts
-const normalizeRouterLogger = normalizeLogger;
+const coerceRouterLogger = coerceLogger;
 
 //#endregion
-//#region src/server/router/cloudflare-adaptor.ts
-function normalizePath(path) {
-	const trimmed = String(path || "").trim();
-	if (!trimmed) return "";
-	return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
-}
-function json(body, init, extraHeaders) {
-	const headers = new Headers({ "Content-Type": "application/json; charset=utf-8" });
-	const initHeaders = init?.headers;
-	if (initHeaders) try {
-		new Headers(initHeaders).forEach((v, k) => headers.set(k, v));
-	} catch {}
-	if (extraHeaders) for (const [k, v] of Object.entries(extraHeaders)) headers.set(k, v);
-	const { headers: _omit,...rest } = init || {};
-	return new Response(JSON.stringify(body), {
-		status: 200,
-		...rest,
-		headers
-	});
-}
-function withCors(headers, opts, request) {
-	if (!opts?.corsOrigins) return;
-	let allowedOrigin;
-	const normalized = buildCorsOrigins(...opts.corsOrigins || []);
-	if (normalized === "*") {
-		allowedOrigin = "*";
-		headers.set("Access-Control-Allow-Origin", "*");
-	} else if (Array.isArray(normalized)) {
-		const origin = request?.headers.get("Origin") || "";
-		if (origin && normalized.includes(origin)) {
-			allowedOrigin = origin;
-			headers.set("Access-Control-Allow-Origin", origin);
-			headers.append("Vary", "Origin");
-		}
-	}
-	headers.set("Access-Control-Allow-Methods", "GET,POST,OPTIONS");
-	headers.set("Access-Control-Allow-Headers", "Content-Type,Authorization");
-	if (allowedOrigin && allowedOrigin !== "*") headers.set("Access-Control-Allow-Credentials", "true");
-}
-function normalizeEmailAddress(input) {
+//#region src/server/router/cloudflare/email.ts
+function toEmailAddress(input) {
 	const trimmed = String(input || "").trim();
 	const angleStart = trimmed.indexOf("<");
 	const angleEnd = trimmed.indexOf(">");
@@ -374,14 +222,14 @@ async function buildForwardableEmailPayloadFromCloudflareMessage(message) {
 	};
 }
 function createCloudflareEmailHandler(service, opts = {}) {
-	const logger = normalizeRouterLogger(opts.logger);
-	const expectedRecipient = normalizeEmailAddress(opts.expectedRecipient || "");
+	const logger = coerceRouterLogger(opts.logger);
+	const expectedRecipient = toEmailAddress(opts.expectedRecipient || "");
 	const allowUnexpectedRecipient = opts.allowUnexpectedRecipient !== false;
 	const verbose = Boolean(opts.verbose);
 	return async (message) => {
 		try {
 			const payload = await buildForwardableEmailPayloadFromCloudflareMessage(message);
-			const to = normalizeEmailAddress(payload.to);
+			const to = toEmailAddress(payload.to);
 			if (expectedRecipient) {
 				if (to !== expectedRecipient) {
 					logger.warn("[email] unexpected recipient", {
@@ -410,7 +258,7 @@ function createCloudflareEmailHandler(service, opts = {}) {
 			}
 			if (!service.emailRecovery) {
 				logger.warn("[email] rejecting: EmailRecoveryService not configured");
-				message.setReject("Recovery relayer rejected email: email recovery service unavailable");
+				message.setReject("Email recovery relayer rejected email: email recovery service unavailable");
 				return;
 			}
 			const result = await service.emailRecovery.requestEmailRecovery({
@@ -421,9 +269,11 @@ function createCloudflareEmailHandler(service, opts = {}) {
 			if (!result?.success) {
 				logger.warn("[email] recovery failed", {
 					accountId: parsed.accountId,
-					error: result?.error || "unknown"
+					error: result?.error || "unknown",
+					message: result?.message
 				});
-				message.setReject(`Email recovery relayer rejected email: ${result?.error || "recovery failed"}`);
+				const reason = toSingleLine(result?.message || result?.error || "recovery failed");
+				message.setReject(`Email recovery relayer rejected email: ${reason}`);
 				return;
 			}
 			logger.info("[email] recovery submitted", { accountId: parsed.accountId });
@@ -433,523 +283,1111 @@ function createCloudflareEmailHandler(service, opts = {}) {
 		}
 	};
 }
-function createCloudflareRouter(service, opts = {}) {
-	const notFound = () => new Response("Not Found", { status: 404 });
-	const mePath = opts.sessionRoutes?.auth || "/session/auth";
-	const logoutPath = opts.sessionRoutes?.logout || "/session/logout";
-	const logger = normalizeRouterLogger(opts.logger);
-	const signedDelegatePath = (() => {
-		if (!opts.signedDelegate) return "";
-		const raw = String(opts.signedDelegate.route || "").trim();
-		if (!raw) throw new Error("RelayRouterOptions.signedDelegate.route is required");
-		return normalizePath(raw);
-	})();
-	const signedDelegatePolicy = opts.signedDelegate?.policy;
-	return async function handler(request, env, ctx) {
-		const url = new URL(request.url);
-		const { pathname } = url;
-		const method = request.method.toUpperCase();
-		if (method === "OPTIONS") {
-			const res = new Response(null, { status: 204 });
-			withCors(res.headers, opts, request);
-			return res;
-		}
-		const toResponse = (out) => {
-			const res = new Response(out.body, {
-				status: out.status,
-				headers: out.headers
-			});
-			withCors(res.headers, opts, request);
-			return res;
-		};
-		const isObject = (v) => typeof v === "object" && v !== null;
+
+//#endregion
+//#region src/server/router/cloudflare/cron.ts
+function createCloudflareCron(service, opts = {}) {
+	const logger = coerceRouterLogger(opts.logger);
+	const enabled = Boolean(opts.enabled);
+	const doRotate = Boolean(opts.rotate);
+	if (!enabled) return async () => {};
+	return async (_event) => {
 		try {
-			if (method === "GET" && (pathname === "/.well-known/webauthn" || pathname === "/.well-known/webauthn/")) {
-				const contractId = (env?.ROR_CONTRACT_ID || env?.WEBAUTHN_CONTRACT_ID || "").toString().trim() || void 0;
-				const methodName = (env?.ROR_METHOD || "").toString().trim() || void 0;
-				const origins = await service.getRorOrigins({
-					contractId,
-					method: methodName
-				});
-				const res = json({ origins }, {
-					status: 200,
-					headers: { "Cache-Control": "max-age=60, stale-while-revalidate=600" }
-				});
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === "/create_account_and_register_user") {
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				if (!isObject(body)) {
-					const res$1 = json({
-						code: "invalid_body",
-						message: "JSON body required"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const new_account_id = typeof body.new_account_id === "string" ? body.new_account_id : "";
-				const new_public_key = typeof body.new_public_key === "string" ? body.new_public_key : "";
-				const vrf_data = isObject(body.vrf_data) ? body.vrf_data : null;
-				const webauthn_registration = isObject(body.webauthn_registration) ? body.webauthn_registration : null;
-				const deterministic_vrf_public_key = body.deterministic_vrf_public_key;
-				const authenticator_options = isObject(body.authenticator_options) ? body.authenticator_options : void 0;
-				if (!new_account_id) {
-					const res$1 = json({
-						code: "invalid_body",
-						message: "Missing or invalid new_account_id"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				if (!new_public_key) {
-					const res$1 = json({
-						code: "invalid_body",
-						message: "Missing or invalid new_public_key"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				if (!vrf_data) {
-					const res$1 = json({
-						code: "invalid_body",
-						message: "Missing or invalid vrf_data"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				if (!webauthn_registration) {
-					const res$1 = json({
-						code: "invalid_body",
-						message: "Missing or invalid webauthn_registration"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const input = {
-					new_account_id,
-					new_public_key,
-					vrf_data,
-					webauthn_registration,
-					deterministic_vrf_public_key,
-					authenticator_options
-				};
-				const result = await service.createAccountAndRegisterUser(input);
-				const res = json(result, { status: result.success ? 200 : 400 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (signedDelegatePath && pathname === signedDelegatePath) {
-				if (method === "OPTIONS") {
-					const res$1 = new Response(null, { status: 204 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				if (method !== "POST") return notFound();
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				const valid = isObject(body) && typeof body.hash === "string" && Boolean(body.hash) && Boolean(body.signedDelegate);
-				if (!valid) {
-					const res$1 = json({
-						ok: false,
-						code: "invalid_body",
-						message: "Expected { hash, signedDelegate }"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const result = await service.executeSignedDelegate({
-					hash: String(body.hash),
-					signedDelegate: body.signedDelegate,
-					policy: signedDelegatePolicy
-				});
-				if (!result || !result.ok) {
-					const res$1 = json({
-						ok: false,
-						code: result?.code || "delegate_execution_failed",
-						message: result?.error || "Failed to execute delegate action"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const res = json({
-					ok: true,
-					relayerTxHash: result.transactionHash || null,
-					status: "submitted",
-					outcome: result.outcome ?? null
-				}, { status: 200 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === "/vrf/apply-server-lock") {
-				const shamir = service.shamirService;
-				if (!shamir || !await shamir.ensureReady()) {
-					const res = json({
-						code: "shamir_disabled",
-						message: "Shamir 3-pass is not configured on this server"
-					}, { status: 503 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				const valid = isObject(body) && typeof body.kek_c_b64u === "string" && body.kek_c_b64u.length > 0;
-				if (!valid) {
-					const res = json({
-						code: "invalid_body",
-						message: "kek_c_b64u is required"
-					}, { status: 400 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				const out = await handleApplyServerLock(shamir, { body: { kek_c_b64u: String(body.kek_c_b64u) } });
-				return toResponse(out);
-			}
-			if (method === "POST" && pathname === "/verify-authentication-response") {
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				const valid = isObject(body) && isObject(body.vrf_data) && isObject(body.webauthn_authentication);
-				if (!valid) {
-					const res = json({
-						code: "invalid_body",
-						message: "vrf_data and webauthn_authentication are required"
-					}, { status: 400 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				try {
-					const sessionKind = (body?.sessionKind || body?.session_kind) === "cookie" ? "cookie" : "jwt";
-					const result = await service.verifyAuthenticationResponse(body);
-					const status = result.success ? 200 : 400;
-					if (status !== 200) {
-						const res$1 = json({
-							code: "not_verified",
-							message: result.message || "Authentication verification failed"
-						}, { status });
-						withCors(res$1.headers, opts, request);
-						return res$1;
-					}
-					const res = json(result, { status: 200 });
-					const session = opts.session;
-					if (session && result.verified) try {
-						const userId = String(body.vrf_data?.user_id || "");
-						const token = await session.signJwt(userId, {
-							rpId: body.vrf_data?.rp_id,
-							blockHeight: body.vrf_data?.block_height
-						});
-						logger.info(`[relay] creating ${sessionKind === "cookie" ? "HttpOnly session" : "JWT"} for`, userId);
-						if (sessionKind === "cookie") res.headers.set("Set-Cookie", session.buildSetCookie(token));
-						else {
-							const payload = await res.clone().json();
-							return new Response(JSON.stringify({
-								...payload,
-								jwt: token
-							}), {
-								status: 200,
-								headers: res.headers
-							});
-						}
-					} catch {}
-					withCors(res.headers, opts, request);
-					return res;
-				} catch (e) {
-					const res = json({
-						code: "internal",
-						message: e?.message || "Internal error"
-					}, { status: 500 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-			}
-			if (method === "GET" && pathname === mePath) try {
-				const headersObj = {};
-				request.headers.forEach((v, k) => {
-					headersObj[k] = v;
-				});
-				const session = opts.session;
-				if (!session) {
-					const res$1 = json({
-						authenticated: false,
-						code: "sessions_disabled",
-						message: "Sessions are not configured"
-					}, { status: 501 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const parsed = await session.parse(headersObj);
-				const res = json(parsed.ok ? {
-					authenticated: true,
-					claims: parsed.claims
-				} : { authenticated: false }, { status: parsed.ok ? 200 : 401 });
-				withCors(res.headers, opts, request);
-				return res;
-			} catch (e) {
-				const res = json({
-					authenticated: false,
-					code: "internal",
-					message: e?.message || "Internal error"
-				}, { status: 500 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === logoutPath) {
-				const res = json({ success: true }, { status: 200 });
-				const session = opts.session;
-				if (session) res.headers.set("Set-Cookie", session.buildClearCookie());
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === "/session/refresh") {
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				const sessionKind = (body?.sessionKind || body?.session_kind) === "cookie" ? "cookie" : "jwt";
-				const session = opts.session;
-				if (!session) {
-					const res$1 = json({
-						code: "sessions_disabled",
-						message: "Sessions are not configured"
-					}, { status: 501 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const out = await session.refresh(Object.fromEntries(request.headers.entries()));
-				if (!out.ok || !out.jwt) {
-					const res$1 = json({
-						code: out.code || "not_eligible",
-						message: out.message || "Refresh not eligible"
-					}, { status: out.code === "unauthorized" ? 401 : 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const res = json(sessionKind === "cookie" ? { ok: true } : {
-					ok: true,
-					jwt: out.jwt
-				}, { status: 200 });
-				if (sessionKind === "cookie" && out.jwt) try {
-					res.headers.set("Set-Cookie", session.buildSetCookie(out.jwt));
-				} catch {}
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === "/recover-email") {
-				const prefer = String(request.headers.get("prefer") || "").toLowerCase();
-				const respondAsync = prefer.includes("respond-async") || String(url.searchParams.get("async") || "").trim() === "1" || String(url.searchParams.get("respond_async") || "").trim() === "1";
-				let rawBody;
-				try {
-					rawBody = await request.json();
-				} catch {
-					rawBody = null;
-				}
-				const parsed = parseRecoverEmailRequest(rawBody, { headers: request.headers });
-				if (!parsed.ok) {
-					const res$1 = json({
-						code: parsed.code,
-						message: parsed.message
-					}, { status: parsed.status });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const { accountId, emailBlob, explicitMode } = parsed;
-				if (!service.emailRecovery) {
-					const res$1 = json({
-						code: "email_recovery_unavailable",
-						message: "EmailRecoveryService is not configured on this server"
-					}, { status: 503 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				if (respondAsync && ctx && typeof ctx.waitUntil === "function") {
-					ctx.waitUntil(service.emailRecovery.requestEmailRecovery({
-						accountId,
-						emailBlob,
-						explicitMode
-					}).then((result$1) => {
-						logger.info("[recover-email] async complete", {
-							success: result$1?.success === true,
-							accountId,
-							error: result$1?.success ? void 0 : result$1?.error
-						});
-					}).catch((err) => {
-						logger.error("[recover-email] async error", {
-							accountId,
-							error: err?.message || String(err)
-						});
-					}));
-					const res$1 = json({
-						success: true,
-						queued: true,
-						accountId
-					}, { status: 202 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const result = await service.emailRecovery.requestEmailRecovery({
-					accountId,
-					emailBlob,
-					explicitMode
-				});
-				const res = json(result, { status: result.success ? 202 : 400 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === "/vrf/remove-server-lock") {
-				const shamir = service.shamirService;
-				if (!shamir || !await shamir.ensureReady()) {
-					const res = json({
-						code: "shamir_disabled",
-						message: "Shamir 3-pass is not configured on this server"
-					}, { status: 503 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				const valid = isObject(body) && typeof body.kek_cs_b64u === "string" && body.kek_cs_b64u.length > 0 && typeof body.keyId === "string" && String(body.keyId).length > 0;
-				if (!valid) {
-					const res = json({
-						code: "invalid_body",
-						message: "kek_cs_b64u and keyId are required"
-					}, { status: 400 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				const out = await handleRemoveServerLock(shamir, { body: {
-					kek_cs_b64u: String(body.kek_cs_b64u),
-					keyId: String(body.keyId)
-				} });
-				return toResponse(out);
-			}
-			if (method === "GET" && pathname === "/shamir/key-info") {
-				const shamir = service.shamirService;
-				if (!shamir || !await shamir.ensureReady()) {
-					const res = json({
-						code: "shamir_disabled",
-						message: "Shamir 3-pass is not configured on this server"
-					}, { status: 503 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				const out = await handleGetShamirKeyInfo(shamir);
-				return toResponse(out);
-			}
-			if (opts.healthz && method === "GET" && pathname === "/healthz") {
-				const allowed = buildCorsOrigins(...opts.corsOrigins || []);
-				const corsAllowed = allowed === "*" ? "*" : allowed;
-				const shamir = service.shamirService;
-				const shamirConfigured = Boolean(shamir && shamir.hasShamir());
-				let currentKeyId = null;
-				if (shamirConfigured && shamir) try {
-					const { currentKeyId: id } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body);
-					currentKeyId = id || null;
-				} catch {}
-				const proverBaseUrl = service.emailRecovery?.getZkEmailProverBaseUrl?.() ?? null;
-				const zkEmailConfigured = Boolean(proverBaseUrl);
-				const res = json({
-					ok: true,
-					currentKeyId,
-					shamir: {
-						configured: shamirConfigured,
-						currentKeyId
-					},
-					zkEmail: {
-						configured: zkEmailConfigured,
-						proverBaseUrl
-					},
-					cors: { allowedOrigins: corsAllowed }
-				}, { status: 200 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (opts.readyz && method === "GET" && pathname === "/readyz") {
-				const allowed = buildCorsOrigins(...opts.corsOrigins || []);
-				const corsAllowed = allowed === "*" ? "*" : allowed;
+			if (doRotate) {
 				const shamir = service.shamirService;
-				const shamirConfigured = Boolean(shamir && shamir.hasShamir());
-				let shamirReady = null;
-				let shamirCurrentKeyId = null;
-				let shamirError;
-				if (shamirConfigured && shamir) try {
-					await shamir.ensureReady();
-					shamirReady = true;
-					const { currentKeyId } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body);
-					shamirCurrentKeyId = currentKeyId || null;
-				} catch (e) {
-					shamirReady = false;
-					shamirError = e?.message || String(e);
+				if (!shamir) logger.warn("[cloudflare-cron] Shamir not configured; skipping rotation");
+				else {
+					const rotation = await shamir.rotateShamirServerKeypair();
+					logger.info("[cloudflare-cron] rotated key", rotation.newKeyId, "graceIds:", rotation.graceKeyIds);
 				}
-				const zk = service.emailRecovery ? await service.emailRecovery.checkZkEmailProverHealth() : {
-					configured: false,
-					baseUrl: null,
-					healthy: null
-				};
-				const ok = (shamirConfigured ? shamirReady === true : true) && (zk.configured ? zk.healthy === true : true);
-				const res = json({
-					ok,
-					shamir: {
-						configured: shamirConfigured,
-						ready: shamirConfigured ? shamirReady : null,
-						currentKeyId: shamirCurrentKeyId,
-						error: shamirError
-					},
-					zkEmail: zk,
-					cors: { allowedOrigins: corsAllowed }
-				}, { status: ok ? 200 : 503 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			return notFound();
+			} else logger.info("[cloudflare-cron] enabled but rotate=false (no action)");
 		} catch (e) {
-			const res = json({
-				code: "internal",
-				message: e instanceof Error ? e.message : String(e)
-			}, { status: 500 });
-			withCors(res.headers, opts, request);
-			return res;
+			logger.error("[cloudflare-cron] failed", e instanceof Error ? e.message : String(e));
 		}
 	};
 }
-function createCloudflareCron(service, opts = {}) {
-	const logger = normalizeRouterLogger(opts.logger);
-	const enabled = Boolean(opts.enabled);
-	const doRotate = Boolean(opts.rotate);
-	if (!enabled) return async () => {};
-	return async (_event) => {
+
+//#endregion
+//#region src/server/core/SessionService.ts
+function parseCsvList(input) {
+	const out = /* @__PURE__ */ new Set();
+	for (const raw of String(input || "").split(",")) {
+		const s = raw.trim();
+		if (!s) continue;
 		try {
-			if (doRotate) {
-				const shamir = service.shamirService;
-				if (!shamir) logger.warn("[cloudflare-cron] Shamir not configured; skipping rotation");
-				else {
-					const rotation = await shamir.rotateShamirServerKeypair();
-					logger.info("[cloudflare-cron] rotated key", rotation.newKeyId, "graceIds:", rotation.graceKeyIds);
+			const u = new URL(s);
+			const host = u.hostname.toLowerCase();
+			const port = u.port ? `:${u.port}` : "";
+			const proto = u.protocol === "http:" || u.protocol === "https:" ? u.protocol : "https:";
+			out.add(`${proto}//${host}${port}`);
+		} catch {
+			const stripped = s.replace(/\/$/, "");
+			if (stripped) out.add(stripped);
+		}
+	}
+	return Array.from(out);
+}
+function buildCorsOrigins(...inputs) {
+	const merged = /* @__PURE__ */ new Set();
+	for (const input of inputs) for (const origin of parseCsvList(input)) merged.add(origin);
+	const list = Array.from(merged);
+	return list.length > 0 ? list : "*";
+}
+
+//#endregion
+//#region src/server/router/cloudflare/http.ts
+function json(body, init, extraHeaders) {
+	const headers = new Headers({ "Content-Type": "application/json; charset=utf-8" });
+	const initHeaders = init?.headers;
+	if (initHeaders) try {
+		new Headers(initHeaders).forEach((v, k) => headers.set(k, v));
+	} catch {}
+	if (extraHeaders) for (const [k, v] of Object.entries(extraHeaders)) headers.set(k, v);
+	const { headers: _omit,...rest } = init || {};
+	return new Response(JSON.stringify(body), {
+		status: 200,
+		...rest,
+		headers
+	});
+}
+function withCors(headers, opts, request) {
+	if (!opts?.corsOrigins) return;
+	let allowedOrigin;
+	const normalized = buildCorsOrigins(...opts.corsOrigins || []);
+	if (normalized === "*") {
+		allowedOrigin = "*";
+		headers.set("Access-Control-Allow-Origin", "*");
+	} else if (Array.isArray(normalized)) {
+		const origin = request?.headers.get("Origin") || "";
+		if (origin && normalized.includes(origin)) {
+			allowedOrigin = origin;
+			headers.set("Access-Control-Allow-Origin", origin);
+			headers.append("Vary", "Origin");
+		}
+	}
+	headers.set("Access-Control-Allow-Methods", "GET,POST,OPTIONS");
+	headers.set("Access-Control-Allow-Headers", "Content-Type,Authorization");
+	if (allowedOrigin && allowedOrigin !== "*") headers.set("Access-Control-Allow-Credentials", "true");
+}
+function toResponse(out) {
+	return new Response(out.body, {
+		status: out.status,
+		headers: out.headers
+	});
+}
+function isObject(v) {
+	return typeof v === "object" && v !== null;
+}
+async function readJson(request) {
+	try {
+		return await request.json();
+	} catch {
+		return null;
+	}
+}
+function headersToRecord(headers) {
+	const out = {};
+	headers.forEach((v, k) => {
+		out[k] = v;
+	});
+	return out;
+}
+
+//#endregion
+//#region src/server/router/cloudflare/routes/createAccountAndRegisterUser.ts
+async function handleCreateAccountAndRegisterUser(ctx) {
+	if (ctx.method !== "POST" || ctx.pathname !== "/create_account_and_register_user") return null;
+	const body = await readJson(ctx.request);
+	if (!isObject(body)) return json({
+		code: "invalid_body",
+		message: "JSON body required"
+	}, { status: 400 });
+	const new_account_id = typeof body.new_account_id === "string" ? body.new_account_id : "";
+	const new_public_key = typeof body.new_public_key === "string" ? body.new_public_key : "";
+	const threshold_ed25519 = isObject(body.threshold_ed25519) ? body.threshold_ed25519 : void 0;
+	const vrf_data = isObject(body.vrf_data) ? body.vrf_data : null;
+	const webauthn_registration = isObject(body.webauthn_registration) ? body.webauthn_registration : null;
+	const deterministic_vrf_public_key = body.deterministic_vrf_public_key;
+	const authenticator_options = isObject(body.authenticator_options) ? body.authenticator_options : void 0;
+	if (!new_account_id) return json({
+		code: "invalid_body",
+		message: "Missing or invalid new_account_id"
+	}, { status: 400 });
+	if (!new_public_key) return json({
+		code: "invalid_body",
+		message: "Missing or invalid new_public_key"
+	}, { status: 400 });
+	if (!vrf_data) return json({
+		code: "invalid_body",
+		message: "Missing or invalid vrf_data"
+	}, { status: 400 });
+	if (!webauthn_registration) return json({
+		code: "invalid_body",
+		message: "Missing or invalid webauthn_registration"
+	}, { status: 400 });
+	const threshold = ctx.opts.threshold;
+	const thresholdClientVerifyingShareB64u = isObject(threshold_ed25519) && typeof threshold_ed25519.client_verifying_share_b64u === "string" ? String(threshold_ed25519.client_verifying_share_b64u || "").trim() : "";
+	let thresholdKeygen = null;
+	let thresholdWarning = null;
+	if (thresholdClientVerifyingShareB64u) if (!threshold) thresholdWarning = "threshold signing is not configured on this server";
+	else {
+		const rpId = typeof vrf_data.rp_id === "string" ? String(vrf_data.rp_id || "") : typeof vrf_data.rpId === "string" ? String(vrf_data.rpId || "") : "";
+		if (!rpId.trim()) thresholdWarning = "missing vrf_data.rp_id";
+		else {
+			const out = await threshold.keygenFromClientVerifyingShareForRegistration({
+				nearAccountId: new_account_id,
+				rpId,
+				clientVerifyingShareB64u: thresholdClientVerifyingShareB64u
+			});
+			if (!out.ok) thresholdWarning = out.message || "threshold-ed25519 registration keygen failed";
+			else thresholdKeygen = out;
+		}
+	}
+	const input = {
+		new_account_id,
+		new_public_key,
+		vrf_data,
+		webauthn_registration,
+		deterministic_vrf_public_key,
+		authenticator_options
+	};
+	const result = await ctx.service.createAccountAndRegisterUser(input);
+	let response = result;
+	if (result.success && threshold && thresholdKeygen) try {
+		await threshold.putRelayerKeyMaterial({
+			relayerKeyId: thresholdKeygen.relayerKeyId,
+			publicKey: thresholdKeygen.publicKey,
+			relayerSigningShareB64u: thresholdKeygen.relayerSigningShareB64u,
+			relayerVerifyingShareB64u: thresholdKeygen.relayerVerifyingShareB64u
+		});
+		response = {
+			...response,
+			thresholdEd25519: {
+				relayerKeyId: thresholdKeygen.relayerKeyId,
+				publicKey: thresholdKeygen.publicKey,
+				relayerVerifyingShareB64u: thresholdKeygen.relayerVerifyingShareB64u,
+				clientParticipantId: thresholdKeygen.clientParticipantId,
+				relayerParticipantId: thresholdKeygen.relayerParticipantId,
+				participantIds: thresholdKeygen.participantIds
+			}
+		};
+	} catch (e) {
+		thresholdWarning = thresholdWarning || (e && typeof e === "object" && "message" in e ? String(e.message || "threshold signing persistence failed") : String(e || "threshold signing persistence failed"));
+	}
+	if (result.success && thresholdWarning) response = {
+		...response,
+		message: `${response.message || "Account created and registered successfully"} (threshold enrollment skipped: ${thresholdWarning})`
+	};
+	return json(response, { status: response.success ? 200 : 400 });
+}
+
+//#endregion
+//#region src/server/core/shamirHandlers.ts
+async function handleApplyServerLock(service, request) {
+	try {
+		const kek_c_b64u = request.body?.kek_c_b64u;
+		if (!isString(kek_c_b64u) || !kek_c_b64u) return {
+			status: 400,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ error: "kek_c_b64u required and must be a non-empty string" })
+		};
+		const out = await service.applyServerLock(kek_c_b64u);
+		const keyId = service.getCurrentShamirKeyId();
+		return {
+			status: 200,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				...out,
+				keyId
+			})
+		};
+	} catch (e) {
+		return {
+			status: 500,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				error: "internal",
+				details: e?.message
+			})
+		};
+	}
+}
+async function handleRemoveServerLock(service, request) {
+	try {
+		const body = request.body;
+		if (!body) return {
+			status: 400,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ error: "Missing body" })
+		};
+		const { kek_cs_b64u, keyId } = body;
+		if (!isString(kek_cs_b64u) || !kek_cs_b64u) return {
+			status: 400,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ error: "kek_cs_b64u required and must be a non-empty string" })
+		};
+		if (!isString(keyId) || !keyId) return {
+			status: 400,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ error: "keyId required and must be a non-empty string" })
+		};
+		const providedKeyId = String(keyId);
+		const currentKeyId = service.getCurrentShamirKeyId();
+		let out;
+		if (currentKeyId && providedKeyId === currentKeyId) out = await service.removeServerLock(kek_cs_b64u);
+		else if (service.hasGraceKey(providedKeyId)) out = await service.removeGraceServerLockWithKey(providedKeyId, { kek_cs_b64u });
+		else return {
+			status: 400,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ error: "unknown keyId" })
+		};
+		return {
+			status: 200,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify(out)
+		};
+	} catch (e) {
+		return {
+			status: 500,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				error: "internal",
+				details: e?.message
+			})
+		};
+	}
+}
+async function handleGetShamirKeyInfo(service) {
+	try {
+		await service.ensureReady();
+		const currentKeyId = service.getCurrentShamirKeyId();
+		const graceKeyIds = service.getGraceKeyIds();
+		return {
+			status: 200,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				currentKeyId,
+				p_b64u: service.getShamirConfig()?.shamir_p_b64u ?? null,
+				graceKeyIds
+			})
+		};
+	} catch (e) {
+		return {
+			status: 500,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				error: "internal",
+				details: e?.message
+			})
+		};
+	}
+}
+
+//#endregion
+//#region src/server/router/cloudflare/routes/health.ts
+async function handleHealth(ctx) {
+	if (!ctx.opts.healthz || ctx.method !== "GET" || ctx.pathname !== "/healthz") return null;
+	const allowed = buildCorsOrigins(...ctx.opts.corsOrigins || []);
+	const corsAllowed = allowed === "*" ? "*" : allowed;
+	const shamir = ctx.service.shamirService;
+	const shamirConfigured = Boolean(shamir && shamir.hasShamir());
+	const thresholdConfigured = Boolean(ctx.opts.threshold);
+	let currentKeyId = null;
+	if (shamirConfigured && shamir) try {
+		const { currentKeyId: id } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body);
+		currentKeyId = id || null;
+	} catch {}
+	const proverBaseUrl = ctx.service.emailRecovery?.getZkEmailProverBaseUrl?.() ?? null;
+	const zkEmailConfigured = Boolean(proverBaseUrl);
+	return json({
+		ok: true,
+		currentKeyId,
+		shamir: {
+			configured: shamirConfigured,
+			currentKeyId
+		},
+		zkEmail: {
+			configured: zkEmailConfigured,
+			proverBaseUrl
+		},
+		thresholdEd25519: { configured: thresholdConfigured },
+		cors: { allowedOrigins: corsAllowed }
+	}, { status: 200 });
+}
+async function handleReady(ctx) {
+	if (!ctx.opts.readyz || ctx.method !== "GET" || ctx.pathname !== "/readyz") return null;
+	const allowed = buildCorsOrigins(...ctx.opts.corsOrigins || []);
+	const corsAllowed = allowed === "*" ? "*" : allowed;
+	const shamir = ctx.service.shamirService;
+	const shamirConfigured = Boolean(shamir && shamir.hasShamir());
+	const thresholdConfigured = Boolean(ctx.opts.threshold);
+	let shamirReady = null;
+	let shamirCurrentKeyId = null;
+	let shamirError;
+	if (shamirConfigured && shamir) try {
+		await shamir.ensureReady();
+		shamirReady = true;
+		const { currentKeyId } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body);
+		shamirCurrentKeyId = currentKeyId || null;
+	} catch (e) {
+		shamirReady = false;
+		shamirError = e?.message || String(e);
+	}
+	const zk = ctx.service.emailRecovery ? await ctx.service.emailRecovery.checkZkEmailProverHealth() : {
+		configured: false,
+		baseUrl: null,
+		healthy: null
+	};
+	const ok = (shamirConfigured ? shamirReady === true : true) && (zk.configured ? zk.healthy === true : true);
+	return json({
+		ok,
+		shamir: {
+			configured: shamirConfigured,
+			ready: shamirConfigured ? shamirReady : null,
+			currentKeyId: shamirCurrentKeyId,
+			error: shamirError
+		},
+		thresholdEd25519: { configured: thresholdConfigured },
+		zkEmail: zk,
+		cors: { allowedOrigins: corsAllowed }
+	}, { status: ok ? 200 : 503 });
+}
+
+//#endregion
+//#region src/server/router/cloudflare/routes/recoverEmail.ts
+async function handleRecoverEmail(ctx) {
+	if (ctx.method !== "POST" || ctx.pathname !== "/recover-email") return null;
+	const prefer = String(ctx.request.headers.get("prefer") || "").toLowerCase();
+	const respondAsync = prefer.includes("respond-async") || String(ctx.url.searchParams.get("async") || "").trim() === "1" || String(ctx.url.searchParams.get("respond_async") || "").trim() === "1";
+	const rawBody = await readJson(ctx.request);
+	const parsed = parseRecoverEmailRequest(rawBody, { headers: ctx.request.headers });
+	if (!parsed.ok) return json({
+		code: parsed.code,
+		message: parsed.message
+	}, { status: parsed.status });
+	const { accountId, emailBlob, explicitMode } = parsed;
+	if (!ctx.service.emailRecovery) return json({
+		code: "email_recovery_unavailable",
+		message: "EmailRecoveryService is not configured on this server"
+	}, { status: 503 });
+	if (respondAsync && ctx.cfCtx && typeof ctx.cfCtx.waitUntil === "function") {
+		ctx.cfCtx.waitUntil(ctx.service.emailRecovery.requestEmailRecovery({
+			accountId,
+			emailBlob,
+			explicitMode
+		}).then((result$1) => {
+			ctx.logger.info("[recover-email] async complete", {
+				success: result$1?.success === true,
+				accountId,
+				error: result$1?.success ? void 0 : result$1?.error
+			});
+		}).catch((err) => {
+			ctx.logger.error("[recover-email] async error", {
+				accountId,
+				error: err?.message || String(err)
+			});
+		}));
+		return json({
+			success: true,
+			queued: true,
+			accountId
+		}, { status: 202 });
+	}
+	const result = await ctx.service.emailRecovery.requestEmailRecovery({
+		accountId,
+		emailBlob,
+		explicitMode
+	});
+	return json(result, { status: result.success ? 202 : 400 });
+}
+
+//#endregion
+//#region src/server/router/relay.ts
+function parseSessionKind(body) {
+	const v = body && typeof body === "object" && !Array.isArray(body) ? body : {};
+	const raw = v.sessionKind ?? v.session_kind;
+	return raw === "cookie" ? "cookie" : "jwt";
+}
+
+//#endregion
+//#region src/server/router/cloudflare/routes/sessions.ts
+async function handleSessionAuth(ctx) {
+	if (ctx.method !== "GET" || ctx.pathname !== ctx.mePath) return null;
+	try {
+		const session = ctx.opts.session;
+		if (!session) return json({
+			authenticated: false,
+			code: "sessions_disabled",
+			message: "Sessions are not configured"
+		}, { status: 501 });
+		const parsed = await session.parse(headersToRecord(ctx.request.headers));
+		return json(parsed.ok ? {
+			authenticated: true,
+			claims: parsed.claims
+		} : { authenticated: false }, { status: parsed.ok ? 200 : 401 });
+	} catch (e) {
+		return json({
+			authenticated: false,
+			code: "internal",
+			message: e?.message || "Internal error"
+		}, { status: 500 });
+	}
+}
+async function handleSessionLogout(ctx) {
+	if (ctx.method !== "POST" || ctx.pathname !== ctx.logoutPath) return null;
+	const res = json({ success: true }, { status: 200 });
+	const session = ctx.opts.session;
+	if (session) res.headers.set("Set-Cookie", session.buildClearCookie());
+	return res;
+}
+async function handleSessionRefresh(ctx) {
+	if (ctx.method !== "POST" || ctx.pathname !== "/session/refresh") return null;
+	const body = await readJson(ctx.request);
+	const sessionKind = parseSessionKind(body);
+	const session = ctx.opts.session;
+	if (!session) return json({
+		code: "sessions_disabled",
+		message: "Sessions are not configured"
+	}, { status: 501 });
+	const out = await session.refresh(Object.fromEntries(ctx.request.headers.entries()));
+	if (!out.ok || !out.jwt) return json({
+		code: out.code || "not_eligible",
+		message: out.message || "Refresh not eligible"
+	}, { status: out.code === "unauthorized" ? 401 : 400 });
+	const res = json(sessionKind === "cookie" ? { ok: true } : {
+		ok: true,
+		jwt: out.jwt
+	}, { status: 200 });
+	if (sessionKind === "cookie" && out.jwt) try {
+		res.headers.set("Set-Cookie", session.buildSetCookie(out.jwt));
+	} catch {}
+	return res;
+}
+
+//#endregion
+//#region src/server/router/cloudflare/routes/shamir.ts
+async function handleShamir(ctx) {
+	if (ctx.method === "POST" && ctx.pathname === "/vrf/apply-server-lock") {
+		const shamir = ctx.service.shamirService;
+		if (!shamir || !await shamir.ensureReady()) return json({
+			code: "shamir_disabled",
+			message: "Shamir 3-pass is not configured on this server"
+		}, { status: 503 });
+		const body = await readJson(ctx.request);
+		const valid = isObject(body) && typeof body.kek_c_b64u === "string" && body.kek_c_b64u.length > 0;
+		if (!valid) return json({
+			code: "invalid_body",
+			message: "kek_c_b64u is required"
+		}, { status: 400 });
+		const out = await handleApplyServerLock(shamir, { body: { kek_c_b64u: String(body.kek_c_b64u) } });
+		return toResponse(out);
+	}
+	if (ctx.method === "POST" && ctx.pathname === "/vrf/remove-server-lock") {
+		const shamir = ctx.service.shamirService;
+		if (!shamir || !await shamir.ensureReady()) return json({
+			code: "shamir_disabled",
+			message: "Shamir 3-pass is not configured on this server"
+		}, { status: 503 });
+		const body = await readJson(ctx.request);
+		const valid = isObject(body) && typeof body.kek_cs_b64u === "string" && body.kek_cs_b64u.length > 0 && typeof body.keyId === "string" && String(body.keyId).length > 0;
+		if (!valid) return json({
+			code: "invalid_body",
+			message: "kek_cs_b64u and keyId are required"
+		}, { status: 400 });
+		const out = await handleRemoveServerLock(shamir, { body: {
+			kek_cs_b64u: String(body.kek_cs_b64u),
+			keyId: String(body.keyId)
+		} });
+		return toResponse(out);
+	}
+	if (ctx.method === "GET" && ctx.pathname === "/shamir/key-info") {
+		const shamir = ctx.service.shamirService;
+		if (!shamir || !await shamir.ensureReady()) return json({
+			code: "shamir_disabled",
+			message: "Shamir 3-pass is not configured on this server"
+		}, { status: 503 });
+		const out = await handleGetShamirKeyInfo(shamir);
+		return toResponse(out);
+	}
+	return null;
+}
+
+//#endregion
+//#region src/server/router/cloudflare/routes/signedDelegate.ts
+async function handleSignedDelegate(ctx) {
+	if (!ctx.signedDelegatePath || ctx.pathname !== ctx.signedDelegatePath) return null;
+	if (ctx.method !== "POST") return null;
+	const body = await readJson(ctx.request);
+	const valid = isObject(body) && typeof body.hash === "string" && Boolean(body.hash) && Boolean(body.signedDelegate);
+	if (!valid) return json({
+		ok: false,
+		code: "invalid_body",
+		message: "Expected { hash, signedDelegate }"
+	}, { status: 400 });
+	const result = await ctx.service.executeSignedDelegate({
+		hash: String(body.hash),
+		signedDelegate: body.signedDelegate,
+		policy: ctx.signedDelegatePolicy
+	});
+	if (!result || !result.ok) return json({
+		ok: false,
+		code: result?.code || "delegate_execution_failed",
+		message: result?.error || "Failed to execute delegate action"
+	}, { status: 400 });
+	return json({
+		ok: true,
+		relayerTxHash: result.transactionHash || null,
+		status: "submitted",
+		outcome: result.outcome ?? null
+	}, { status: 200 });
+}
+
+//#endregion
+//#region src/server/threshold/statusCodes.ts
+function thresholdEd25519StatusCode(result) {
+	if (result.ok) return 200;
+	switch (result.code) {
+		case "not_found": return 404;
+		case "not_implemented": return 501;
+		case "threshold_disabled": return 503;
+		case "internal": return 500;
+		case "unauthorized": return 401;
+		default: return 400;
+	}
+}
+
+//#endregion
+//#region src/server/core/ThresholdService/validation.ts
+function isObject$1(v) {
+	return !!v && typeof v === "object" && !Array.isArray(v);
+}
+function parseThresholdEd25519SessionClaims(raw) {
+	if (!isObject$1(raw)) return null;
+	const kind = toOptionalString(raw.kind);
+	if (kind !== "threshold_ed25519_session_v1") return null;
+	const sub = toOptionalString(raw.sub);
+	const sessionId = toOptionalString(raw.sessionId);
+	const relayerKeyId = toOptionalString(raw.relayerKeyId);
+	const rpId = toOptionalString(raw.rpId);
+	if (!sub || !sessionId || !relayerKeyId || !rpId) return null;
+	return {
+		sub,
+		kind,
+		sessionId,
+		relayerKeyId,
+		rpId
+	};
+}
+
+//#endregion
+//#region src/server/router/commonRouterUtils.ts
+function isPlainObject(input) {
+	return !!input && typeof input === "object" && !Array.isArray(input);
+}
+function summarizeVrfData(input) {
+	if (!isPlainObject(input)) return void 0;
+	const user_id = typeof input.user_id === "string" ? input.user_id : void 0;
+	const rp_id = typeof input.rp_id === "string" ? input.rp_id : void 0;
+	const block_height = typeof input.block_height === "number" ? input.block_height : void 0;
+	const has_intent_digest_32 = Array.isArray(input.intent_digest_32) ? true : void 0;
+	const intent_digest_32_len = Array.isArray(input.intent_digest_32) ? input.intent_digest_32.length : void 0;
+	const has_session_policy_digest_32 = Array.isArray(input.session_policy_digest_32) ? true : void 0;
+	const session_policy_digest_32_len = Array.isArray(input.session_policy_digest_32) ? input.session_policy_digest_32.length : void 0;
+	return {
+		...user_id ? { user_id } : {},
+		...rp_id ? { rp_id } : {},
+		...block_height != null ? { block_height } : {},
+		...has_intent_digest_32 != null ? { has_intent_digest_32 } : {},
+		...intent_digest_32_len != null ? { intent_digest_32_len } : {},
+		...has_session_policy_digest_32 != null ? { has_session_policy_digest_32 } : {},
+		...session_policy_digest_32_len != null ? { session_policy_digest_32_len } : {}
+	};
+}
+function looksLikeWebauthnAuthorizeBody(input) {
+	if (!isPlainObject(input)) return false;
+	return isPlainObject(input.vrf_data) && isPlainObject(input.webauthn_authentication);
+}
+async function validateThresholdEd25519AuthorizeInputs(input) {
+	if (looksLikeWebauthnAuthorizeBody(input.body)) return {
+		ok: true,
+		mode: "webauthn",
+		request: input.body
+	};
+	const session = input.session;
+	if (!session) return {
+		ok: false,
+		code: "sessions_disabled",
+		message: "Sessions are not configured on this server"
+	};
+	const parsed = await session.parse(input.headers);
+	if (!parsed.ok) return {
+		ok: false,
+		code: "unauthorized",
+		message: "Missing or invalid threshold session token"
+	};
+	const claims = parseThresholdEd25519SessionClaims(parsed.claims);
+	if (!claims) return {
+		ok: false,
+		code: "unauthorized",
+		message: "Invalid threshold session token claims"
+	};
+	const requestBody = isPlainObject(input.body) ? input.body : {};
+	return {
+		ok: true,
+		mode: "session",
+		sessionId: claims.sessionId,
+		userId: claims.sub,
+		request: requestBody
+	};
+}
+
+//#endregion
+//#region src/server/router/cloudflare/routes/thresholdEd25519.ts
+async function handleThresholdEd25519(ctx) {
+	if (ctx.method === "GET" && ctx.pathname === "/threshold-ed25519/healthz") {
+		const threshold$1 = ctx.opts.threshold;
+		if (!threshold$1) return json({
+			ok: false,
+			configured: false,
+			code: "threshold_disabled",
+			message: "Threshold signing is not configured on this server"
+		}, { status: 503 });
+		return json({
+			ok: true,
+			configured: true
+		}, { status: 200 });
+	}
+	if (ctx.method !== "POST") return null;
+	const pathname = ctx.pathname;
+	if (pathname !== "/threshold-ed25519/keygen" && pathname !== "/threshold-ed25519/session" && pathname !== "/threshold-ed25519/authorize" && pathname !== "/threshold-ed25519/sign/init" && pathname !== "/threshold-ed25519/sign/finalize" && pathname !== "/threshold-ed25519/internal/cosign/init" && pathname !== "/threshold-ed25519/internal/cosign/finalize") return null;
+	const body = await readJson(ctx.request);
+	const threshold = ctx.opts.threshold;
+	switch (pathname) {
+		case "/threshold-ed25519/keygen": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				nearAccountId: typeof b.nearAccountId === "string" ? b.nearAccountId : void 0,
+				clientVerifyingShareB64u_len: typeof b.clientVerifyingShareB64u === "string" ? b.clientVerifyingShareB64u.length : void 0,
+				registrationTxHash: "registrationTxHash" in b && typeof b.registrationTxHash === "string" ? b.registrationTxHash : void 0,
+				vrf_data: summarizeVrfData(b.vrf_data)
+			});
+			const result = await threshold.thresholdEd25519Keygen(b);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status: thresholdEd25519StatusCode(result),
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			return json(result, { status: thresholdEd25519StatusCode(result) });
+		}
+		case "/threshold-ed25519/session": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			const session = ctx.opts.session;
+			if (!session) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					sessions: false
+				});
+				return json({
+					ok: false,
+					code: "sessions_disabled",
+					message: "Sessions are not configured on this server"
+				}, { status: 501 });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				relayerKeyId: typeof b.relayerKeyId === "string" ? b.relayerKeyId : void 0,
+				clientVerifyingShareB64u_len: typeof b.clientVerifyingShareB64u === "string" ? b.clientVerifyingShareB64u.length : void 0,
+				sessionPolicy: b.sessionPolicy ? { version: b.sessionPolicy.version } : void 0,
+				vrf_data: summarizeVrfData(b.vrf_data)
+			});
+			const result = await threshold.thresholdEd25519Session(b);
+			const status = thresholdEd25519StatusCode(result);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status,
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			if (!result.ok) return json(result, { status });
+			const sessionId = String(result.sessionId || "").trim();
+			const userId = b.vrf_data.user_id;
+			const rpId = b.vrf_data.rp_id;
+			const relayerKeyId = b.relayerKeyId;
+			const token = await session.signJwt(userId, {
+				kind: "threshold_ed25519_session_v1",
+				sessionId,
+				relayerKeyId,
+				rpId
+			});
+			const sessionKind = parseSessionKind(b);
+			const res = json(sessionKind === "cookie" ? {
+				...result,
+				jwt: void 0
+			} : {
+				...result,
+				jwt: token
+			}, { status: 200 });
+			if (sessionKind === "cookie") res.headers.set("Set-Cookie", session.buildSetCookie(token));
+			return res;
+		}
+		case "/threshold-ed25519/authorize": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				relayerKeyId: typeof b.relayerKeyId === "string" ? b.relayerKeyId : void 0,
+				clientVerifyingShareB64u_len: typeof b.clientVerifyingShareB64u === "string" ? b.clientVerifyingShareB64u.length : void 0,
+				purpose: typeof b.purpose === "string" ? b.purpose : void 0,
+				signing_digest_32_len: Array.isArray(b.signing_digest_32) ? b.signing_digest_32.length : void 0,
+				vrf_data: summarizeVrfData(b.vrf_data)
+			});
+			const respond = (result$1) => {
+				ctx.logger.info("[threshold-ed25519] response", {
+					route: pathname,
+					status: thresholdEd25519StatusCode(result$1),
+					ok: result$1.ok,
+					...result$1.code ? { code: result$1.code } : {}
+				});
+				return json(result$1, { status: thresholdEd25519StatusCode(result$1) });
+			};
+			const validated = await validateThresholdEd25519AuthorizeInputs({
+				body,
+				headers: Object.fromEntries(ctx.request.headers.entries()),
+				session: ctx.opts.session
+			});
+			if (!validated.ok) return respond(validated);
+			const result = validated.mode === "webauthn" ? await threshold.authorizeThresholdEd25519(validated.request) : await threshold.authorizeThresholdEd25519WithSession({
+				sessionId: validated.sessionId,
+				userId: validated.userId,
+				request: validated.request
+			});
+			return respond(result);
+		}
+		case "/threshold-ed25519/sign/init": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				mpcSessionId: typeof b.mpcSessionId === "string" ? b.mpcSessionId : void 0,
+				relayerKeyId: typeof b.relayerKeyId === "string" ? b.relayerKeyId : void 0,
+				nearAccountId: typeof b.nearAccountId === "string" ? b.nearAccountId : void 0,
+				signingDigestB64u_len: typeof b.signingDigestB64u === "string" ? b.signingDigestB64u.length : void 0
+			});
+			const result = await threshold.thresholdEd25519SignInit(b);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status: thresholdEd25519StatusCode(result),
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			return json(result, { status: thresholdEd25519StatusCode(result) });
+		}
+		case "/threshold-ed25519/sign/finalize": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				signingSessionId: typeof b.signingSessionId === "string" ? b.signingSessionId : void 0,
+				clientSignatureShareB64u_len: typeof b.clientSignatureShareB64u === "string" ? b.clientSignatureShareB64u.length : void 0
+			});
+			const result = await threshold.thresholdEd25519SignFinalize(b);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status: thresholdEd25519StatusCode(result),
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			return json(result, { status: thresholdEd25519StatusCode(result) });
+		}
+		case "/threshold-ed25519/internal/cosign/init": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			if (!threshold.thresholdEd25519CosignInit) {
+				const result$1 = {
+					ok: false,
+					code: "not_found",
+					message: "threshold-ed25519 cosigner endpoints are not enabled on this server"
+				};
+				return json(result$1, { status: thresholdEd25519StatusCode(result$1) });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				coordinatorGrant_len: typeof b.coordinatorGrant === "string" ? b.coordinatorGrant.length : void 0,
+				signingSessionId: typeof b.signingSessionId === "string" ? b.signingSessionId : void 0,
+				cosignerShareB64u_len: typeof b.cosignerShareB64u === "string" ? b.cosignerShareB64u.length : void 0
+			});
+			const result = await threshold.thresholdEd25519CosignInit(b);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status: thresholdEd25519StatusCode(result),
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			return json(result, { status: thresholdEd25519StatusCode(result) });
+		}
+		case "/threshold-ed25519/internal/cosign/finalize": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			if (!threshold.thresholdEd25519CosignFinalize) {
+				const result$1 = {
+					ok: false,
+					code: "not_found",
+					message: "threshold-ed25519 cosigner endpoints are not enabled on this server"
+				};
+				return json(result$1, { status: thresholdEd25519StatusCode(result$1) });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				coordinatorGrant_len: typeof b.coordinatorGrant === "string" ? b.coordinatorGrant.length : void 0,
+				signingSessionId: typeof b.signingSessionId === "string" ? b.signingSessionId : void 0,
+				cosignerIds_len: Array.isArray(b.cosignerIds) ? b.cosignerIds.length : void 0
+			});
+			const result = await threshold.thresholdEd25519CosignFinalize(b);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status: thresholdEd25519StatusCode(result),
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			return json(result, { status: thresholdEd25519StatusCode(result) });
+		}
+		default: return null;
+	}
+}
+
+//#endregion
+//#region src/server/router/cloudflare/routes/verifyAuthenticationResponse.ts
+async function handleVerifyAuthenticationResponse(ctx) {
+	if (ctx.method !== "POST" || ctx.pathname !== "/verify-authentication-response") return null;
+	const body = await readJson(ctx.request);
+	const valid = isObject(body) && isObject(body.vrf_data) && isObject(body.webauthn_authentication);
+	if (!valid) return json({
+		code: "invalid_body",
+		message: "vrf_data and webauthn_authentication are required"
+	}, { status: 400 });
+	try {
+		const sessionKind = parseSessionKind(body);
+		const req = body;
+		const result = await ctx.service.verifyAuthenticationResponse(req);
+		const status = result.success ? 200 : 400;
+		if (status !== 200) return json({
+			code: "not_verified",
+			message: result.message || "Authentication verification failed"
+		}, { status });
+		const res = json(result, { status: 200 });
+		const session = ctx.opts.session;
+		if (session && result.verified) try {
+			const userId = String(req.vrf_data?.user_id || "");
+			const token = await session.signJwt(userId, {
+				rpId: req.vrf_data?.rp_id,
+				blockHeight: req.vrf_data?.block_height
+			});
+			ctx.logger.info(`[relay] creating ${sessionKind === "cookie" ? "HttpOnly session" : "JWT"} for`, userId);
+			if (sessionKind === "cookie") res.headers.set("Set-Cookie", session.buildSetCookie(token));
+			else {
+				const payload = await res.clone().json();
+				return new Response(JSON.stringify({
+					...payload,
+					jwt: token
+				}), {
+					status: 200,
+					headers: res.headers
+				});
+			}
+		} catch {}
+		return res;
+	} catch (e) {
+		return json({
+			code: "internal",
+			message: e?.message || "Internal error"
+		}, { status: 500 });
+	}
+}
+
+//#endregion
+//#region src/server/router/cloudflare/routes/wellKnown.ts
+async function handleWellKnown(ctx) {
+	if (ctx.method !== "GET") return null;
+	if (ctx.pathname !== "/.well-known/webauthn" && ctx.pathname !== "/.well-known/webauthn/") return null;
+	const contractId = (ctx.env?.ROR_CONTRACT_ID || ctx.env?.WEBAUTHN_CONTRACT_ID || "").toString().trim() || void 0;
+	const methodName = (ctx.env?.ROR_METHOD || "").toString().trim() || void 0;
+	const origins = await ctx.service.getRorOrigins({
+		contractId,
+		method: methodName
+	});
+	return json({ origins }, {
+		status: 200,
+		headers: { "Cache-Control": "max-age=60, stale-while-revalidate=600" }
+	});
+}
+
+//#endregion
+//#region src/server/router/routerOptions.ts
+function resolveThresholdOption(service, opts) {
+	return opts.threshold !== void 0 ? opts.threshold : service.getThresholdSigningService();
+}
+
+//#endregion
+//#region src/server/router/cloudflare/createCloudflareRouter.ts
+function createCloudflareRouter(service, opts = {}) {
+	const notFound = () => new Response("Not Found", { status: 404 });
+	const threshold = resolveThresholdOption(service, opts);
+	const effectiveOpts = {
+		...opts,
+		threshold
+	};
+	const mePath = effectiveOpts.sessionRoutes?.auth || "/session/auth";
+	const logoutPath = effectiveOpts.sessionRoutes?.logout || "/session/logout";
+	const logger = coerceRouterLogger(effectiveOpts.logger);
+	let signedDelegatePath = "";
+	if (effectiveOpts.signedDelegate) signedDelegatePath = ensureLeadingSlash(effectiveOpts.signedDelegate.route) || "/signed-delegate";
+	const signedDelegatePolicy = effectiveOpts.signedDelegate?.policy;
+	const handlers = [
+		handleWellKnown,
+		handleCreateAccountAndRegisterUser,
+		handleSignedDelegate,
+		handleShamir,
+		handleVerifyAuthenticationResponse,
+		handleThresholdEd25519,
+		handleSessionAuth,
+		handleSessionLogout,
+		handleSessionRefresh,
+		handleRecoverEmail,
+		handleHealth,
+		handleReady
+	];
+	return async function handler(request, env, cfCtx) {
+		const url = new URL(request.url);
+		const { pathname } = url;
+		const method = request.method.toUpperCase();
+		if (method === "OPTIONS") {
+			const res = new Response(null, { status: 204 });
+			withCors(res.headers, effectiveOpts, request);
+			return res;
+		}
+		const baseCtx = {
+			env,
+			cfCtx,
+			service,
+			opts: effectiveOpts,
+			logger,
+			mePath,
+			logoutPath,
+			signedDelegatePath,
+			signedDelegatePolicy
+		};
+		const ctx = {
+			...baseCtx,
+			request,
+			url,
+			pathname,
+			method
+		};
+		try {
+			for (const fn of handlers) {
+				const res = await fn(ctx);
+				if (res) {
+					withCors(res.headers, effectiveOpts, request);
+					return res;
 				}
-			} else logger.info("[cloudflare-cron] enabled but rotate=false (no action)");
+			}
+			return notFound();
 		} catch (e) {
-			logger.error("[cloudflare-cron] failed", e instanceof Error ? e.message : String(e));
+			const res = json({
+				code: "internal",
+				message: e instanceof Error ? e.message : String(e)
+			}, { status: 500 });
+			withCors(res.headers, effectiveOpts, request);
+			return res;
 		}
 	};
 }