npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/cjs/core/TatchiPasskey/registration.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"registration.js","names":["RegistrationPhase","RegistrationStatus","confirmationConfig: Partial<ConfirmationConfig>","createAccountAndRegisterWithRelayServer","error: any","getUserFriendlyErrorMessage","validateNearAccountId","rollbackError: any"],"sources":["../../../../src/core/TatchiPasskey/registration.ts"],"sourcesContent":["import type { NearClient, SignedTransaction } from '../NearClient';\nimport { validateNearAccountId } from '../../utils/validation';\nimport type {\n RegistrationHooksOptions,\n RegistrationSSEEvent,\n} from '../types/sdkSentEvents';\nimport type { RegistrationResult, TatchiConfigs } from '../types/tatchi';\nimport type { AuthenticatorOptions } from '../types/authenticatorOptions';\nimport { RegistrationPhase, RegistrationStatus } from '../types/sdkSentEvents';\nimport {\n createAccountAndRegisterWithRelayServer\n} from './faucets/createAccountRelayServer';\nimport { PasskeyManagerContext } from './index';\nimport { WebAuthnManager } from '../WebAuthnManager';\nimport { VRFChallenge } from '../types/vrf-worker';\nimport type { ConfirmationConfig } from '../types/signer-worker';\nimport type { WebAuthnRegistrationCredential } from '../types/webauthn';\nimport type { AccountId } from '../types/accountIds';\nimport { getUserFriendlyErrorMessage } from '../../utils/errors';\nimport { authenticatorsToAllowCredentials } from '../WebAuthnManager/touchIdPrompt';\n// Registration forces a visible, clickable confirmation for cross‑origin safety\n\n/*\n Core registration function that handles passkey registration\n \n VRF Registration Flow (Single VRF Keypair):\n * 1. Generate VRF keypair (ed25519) using crypto.randomUUID() + persist in worker memory\n * 2. Generate VRF proof + output using the VRF keypair\n * - VRF input with domain separator + NEAR block height + hash\n * 3. Use VRF output as WebAuthn challenge in registration ceremony\n * 4. Derive AES key from WebAuthn PRF output and encrypt the SAME VRF keypair\n * 5. Store encrypted VRF keypair in IndexedDB\n * 6. Call contract verify_registration_response with VRF proof + WebAuthn registration payload\n * 7. Contract verifies VRF proof and WebAuthn registration (challenges match!)\n * 8. Contract stores VRF pubkey + authenticator credentials on-chain for\n * future stateless authentication\n /\nexport async function registerPasskeyInternal(\n context: PasskeyManagerContext,\n nearAccountId: AccountId,\n options: RegistrationHooksOptions,\n authenticatorOptions: AuthenticatorOptions,\n confirmationConfigOverride?: Partial<ConfirmationConfig>\n): Promise<RegistrationResult> {\n\n const { onEvent, onError, afterCall } = options;\n const { webAuthnManager, configs } = context;\n\n // Track registration progress for rollback\n const registrationState = {\n accountCreated: false,\n contractRegistered: false,\n databaseStored: false,\n contractTransactionId: null as string \| null,\n };\n\n console.log('⚡ Registration: Passkey registration with VRF WebAuthn');\n onEvent?.({\n step: 1,\n phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,\n status: RegistrationStatus.PROGRESS,\n message: `Starting registration for ${nearAccountId}`\n } as RegistrationSSEEvent);\n\n try {\n\n await validateRegistrationInputs(context, nearAccountId, onEvent, onError);\n\n onEvent?.({\n step: 1,\n phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,\n status: RegistrationStatus.PROGRESS,\n message: 'Account available - generating VRF credentials...'\n });\n\n const confirmationConfig: Partial<ConfirmationConfig> = {\n uiMode: 'modal',\n behavior: 'requireClick', // cross‑origin safari requirement: must requireClick\n theme: (context.configs?.walletTheme === 'light') ? 'light' : 'dark',\n ...(confirmationConfigOverride ?? options?.confirmationConfig ?? {}),\n };\n\n const registrationSession = await context.webAuthnManager.requestRegistrationCredentialConfirmation({\n nearAccountId: String(nearAccountId),\n deviceNumber: 1,\n confirmerText: options?.confirmerText,\n confirmationConfigOverride: confirmationConfig,\n });\n\n const credential = registrationSession.credential;\n const vrfChallenge = registrationSession.vrfChallenge;\n\n onEvent?.({\n step: 1,\n phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,\n status: RegistrationStatus.SUCCESS,\n message: 'WebAuthn ceremony successful'\n });\n\n // Start the contract pre-check, run it in parallel to key derivation (await later)\n const canRegisterUserPromise = webAuthnManager.checkCanRegisterUser({\n contractId: context.configs.contractId,\n credential,\n vrfChallenge,\n onEvent: (progress) => {\n console.debug(`Registration progress: ${progress.step} - ${progress.message}`);\n onEvent?.({\n step: 3,\n phase: RegistrationPhase.STEP_3_CONTRACT_PRE_CHECK,\n status: RegistrationStatus.PROGRESS,\n message: `Pre-check: ${progress.message}`\n });\n },\n });\n\n // 1) Ensure VRF keypair is derived and loaded in-memory\n // before deriving WrapKeySeed for NEAR key encryption\n const deterministicVrfKeyResult = await webAuthnManager.deriveVrfKeypair({\n credential,\n nearAccountId,\n saveInMemory: true,\n });\n if (!deterministicVrfKeyResult.success \|\| !deterministicVrfKeyResult.vrfPublicKey) {\n throw new Error('Failed to derive deterministic VRF keypair from PRF');\n }\n\n // 2) Derive NEAR key after VRF keypair exists\n const nearKeyResult = await webAuthnManager.deriveNearKeypairAndEncryptFromSerialized({\n credential,\n nearAccountId,\n options: { deviceNumber: 1 },\n });\n if (!nearKeyResult.success \|\| !nearKeyResult.publicKey) {\n const reason = nearKeyResult?.error \|\| 'Failed to generate NEAR keypair with PRF';\n throw new Error(reason);\n }\n\n // 3) Await contract registration check (main blocker)\n const canRegisterUserResult = await canRegisterUserPromise;\n if (!canRegisterUserResult.verified) {\n console.error(canRegisterUserResult);\n const errorMessage = canRegisterUserResult.error \|\| 'User verification failed - account may already exist or contract is unreachable';\n throw new Error(`Web3Authn contract registration check failed: ${errorMessage}`);\n }\n\n // Step 4-5: Create account and register with contract using the relay (atomic)\n onEvent?.({\n step: 2,\n phase: RegistrationPhase.STEP_2_KEY_GENERATION,\n status: RegistrationStatus.SUCCESS,\n message: 'Wallet keys derived successfully from TouchId',\n verified: true,\n nearAccountId: nearAccountId,\n nearPublicKey: nearKeyResult.publicKey,\n vrfPublicKey: vrfChallenge.vrfPublicKey,\n });\n\n let accountAndRegistrationResult;\n accountAndRegistrationResult = await createAccountAndRegisterWithRelayServer(\n context,\n nearAccountId,\n nearKeyResult.publicKey,\n credential,\n vrfChallenge,\n deterministicVrfKeyResult.vrfPublicKey,\n authenticatorOptions,\n onEvent,\n );\n\n if (!accountAndRegistrationResult.success) {\n throw new Error(accountAndRegistrationResult.error \|\| 'Account creation and registration failed');\n }\n\n // Update registration state based on results\n registrationState.accountCreated = true;\n registrationState.contractRegistered = true;\n registrationState.contractTransactionId = accountAndRegistrationResult.transactionId \|\| null;\n\n // Step 6: Post-commit verification: ensure on-chain access key matches expected public key\n onEvent?.({\n step: 6,\n phase: RegistrationPhase.STEP_6_ACCOUNT_VERIFICATION,\n status: RegistrationStatus.PROGRESS,\n message: 'Verifying on-chain access key matches expected public key...'\n });\n\n const accessKeyVerified = await verifyAccountAccessKeyMatches(\n context.nearClient,\n nearAccountId,\n nearKeyResult.publicKey\n );\n\n if (!accessKeyVerified) {\n throw new Error('On-chain access key mismatch or not found after registration');\n }\n\n onEvent?.({\n step: 6,\n phase: RegistrationPhase.STEP_6_ACCOUNT_VERIFICATION,\n status: RegistrationStatus.SUCCESS,\n message: 'Access key verified on-chain'\n });\n\n // Step 7: Store user data with VRF credentials atomically\n onEvent?.({\n step: 7,\n phase: RegistrationPhase.STEP_7_DATABASE_STORAGE,\n status: RegistrationStatus.PROGRESS,\n message: 'Storing VRF registration data'\n });\n\n await webAuthnManager.atomicStoreRegistrationData({\n nearAccountId,\n credential,\n publicKey: nearKeyResult.publicKey,\n encryptedVrfKeypair: deterministicVrfKeyResult.encryptedVrfKeypair,\n vrfPublicKey: deterministicVrfKeyResult.vrfPublicKey,\n serverEncryptedVrfKeypair: deterministicVrfKeyResult.serverEncryptedVrfKeypair,\n });\n\n // Mark database as stored for rollback tracking\n registrationState.databaseStored = true;\n\n onEvent?.({\n step: 7,\n phase: RegistrationPhase.STEP_7_DATABASE_STORAGE,\n status: RegistrationStatus.SUCCESS,\n message: 'VRF registration data stored successfully'\n });\n\n // Initialize NonceManager with newly stored user before fetching block/nonce\n try {\n context.webAuthnManager.getNonceManager().initializeUser(nearAccountId, nearKeyResult.publicKey);\n await context.webAuthnManager.getNonceManager().prefetchBlockheight(context.nearClient);\n } catch {}\n\n // Step 7: Ensure VRF session is active for auto-login\n // If VRF keypair is already in-memory (saved earlier), skip an extra Touch ID prompt.\n let vrfStatus = await webAuthnManager.checkVrfStatus().catch(() => ({ active: false }));\n if (!vrfStatus?.active) {\n // Obtain an authentication credential for VRF unlock (separate from registration credential)\n // IMPORTANT: Immediately after account creation, the new access key may not be queryable yet on some RPC nodes.\n // We only need fresh block info for the VRF challenge here, so fetch the block directly to avoid AK lookup failures.\n const blockInfo = await context.nearClient.viewBlock({ finality: 'final' });\n const txBlockHash = blockInfo?.header?.hash;\n const txBlockHeight = String(blockInfo.header?.height ?? '');\n const vrfChallenge2 = await webAuthnManager.generateVrfChallengeOnce({\n userId: nearAccountId,\n rpId: webAuthnManager.getRpId(),\n blockHash: txBlockHash,\n blockHeight: txBlockHeight,\n });\n const authenticators = await webAuthnManager.getAuthenticatorsByUser(nearAccountId);\n const authCredential = await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge: vrfChallenge2,\n credentialIds: authenticators.map((a) => a.credentialId),\n });\n const unlockResult = await webAuthnManager.unlockVRFKeypair({\n nearAccountId: nearAccountId,\n encryptedVrfKeypair: deterministicVrfKeyResult.encryptedVrfKeypair,\n credential: authCredential,\n }).catch((unlockError: any) => {\n return { success: false, error: unlockError.message };\n });\n\n if (!unlockResult.success) {\n console.warn('VRF keypair unlock failed:', unlockResult.error);\n throw new Error(unlockResult.error);\n }\n } else {\n console.debug('Registration: VRF session already active; skipping extra Touch ID unlock');\n }\n\n // Initialize current user only after a successful unlock\n try {\n await webAuthnManager.initializeCurrentUser(nearAccountId, context.nearClient);\n } catch (initErr) {\n console.warn('Failed to initialize current user after registration:', initErr);\n }\n\n onEvent?.({\n step: 8,\n phase: RegistrationPhase.STEP_8_REGISTRATION_COMPLETE,\n status: RegistrationStatus.SUCCESS,\n message: 'Registration completed!'\n });\n\n const successResult = {\n success: true,\n nearAccountId: nearAccountId,\n clientNearPublicKey: nearKeyResult.publicKey,\n transactionId: registrationState.contractTransactionId,\n vrfRegistration: {\n success: true,\n vrfPublicKey: vrfChallenge.vrfPublicKey,\n encryptedVrfKeypair: deterministicVrfKeyResult.encryptedVrfKeypair,\n contractVerified: accountAndRegistrationResult.success,\n }\n };\n\n afterCall?.(true, successResult);\n return successResult;\n\n } catch (error: any) {\n console.error('Registration failed:', error.message, error.stack);\n\n // Perform rollback based on registration state\n await performRegistrationRollback(\n registrationState,\n nearAccountId,\n webAuthnManager,\n configs.nearRpcUrl,\n onEvent\n );\n\n // Use centralized error handling\n const errorMessage = getUserFriendlyErrorMessage(error, 'registration', nearAccountId);\n\n const errorObject = new Error(errorMessage);\n onError?.(errorObject);\n\n onEvent?.({\n step: 0,\n phase: RegistrationPhase.REGISTRATION_ERROR,\n status: RegistrationStatus.ERROR,\n message: errorMessage,\n error: errorMessage\n } as RegistrationSSEEvent);\n\n const result = { success: false, error: errorMessage };\n afterCall?.(false);\n return result;\n }\n}\n\n// Backward-compatible wrapper without explicit confirmationConfig override\nexport async function registerPasskey(\n context: PasskeyManagerContext,\n nearAccountId: AccountId,\n options: RegistrationHooksOptions,\n authenticatorOptions: AuthenticatorOptions\n): Promise<RegistrationResult> {\n return registerPasskeyInternal(context, nearAccountId, options, authenticatorOptions, undefined);\n}\n\n//////////////////////////////////////\n// HELPER FUNCTIONS\n//////////////////////////////////////\n\n/\n Generate a VRF keypair + challenge in VRF wasm worker for WebAuthn registration ceremony bootstrapping\n \n ARCHITECTURE: This function solves the chicken-and-egg problem with a single VRF keypair:\n * 1. Generate VRF keypair + challenge (no PRF needed)\n * 2. Persist VRF keypair in worker memory (NOT encrypted yet)\n * 3. Use VRF challenge for WebAuthn ceremony → get PRF output\n * 4. Encrypt the SAME VRF keypair (still in memory) with PRF\n \n @param webAuthnManager - WebAuthn manager instance\n * @param nearAccountId - NEAR account ID for VRF input\n * @param blockHeight - Current NEAR block height for freshness\n * @param blockHashBytes - Current NEAR block hash bytes for entropy\n * @returns VRF challenge data (VRF keypair persisted in worker memory)\n /\nexport async function generateBootstrapVrfChallenge(\n context: PasskeyManagerContext,\n nearAccountId: AccountId,\n): Promise<VRFChallenge> {\n\n const { webAuthnManager, nearClient } = context;\n\n const blockInfo = await nearClient.viewBlock({ finality: 'final' });\n\n // Generate VRF keypair and persist in worker memory\n const vrfResult = await webAuthnManager.generateVrfKeypairBootstrap({\n vrfInputData: {\n userId: nearAccountId,\n // Keep VRF rpId consistent with WebAuthn rpId selection logic.\n rpId: webAuthnManager.getRpId(),\n blockHeight: String(blockInfo.header.height),\n blockHash: blockInfo.header.hash,\n },\n saveInMemory: true,\n // VRF keypair persists in worker memory until PRF encryption\n });\n\n if (!vrfResult.vrfChallenge) {\n throw new Error('Registration VRF keypair generation failed');\n }\n return vrfResult.vrfChallenge;\n}\n\n/\n Validates registration inputs and throws errors if invalid\n * @param nearAccountId - NEAR account ID to validate\n * @param onEvent - Optional callback for registration progress events\n * @param onError - Optional callback for error handling\n /\nconst validateRegistrationInputs = async (\n context: {\n configs: TatchiConfigs,\n webAuthnManager: WebAuthnManager,\n nearClient: NearClient,\n },\n nearAccountId: AccountId,\n onEvent?: (event: RegistrationSSEEvent) => void,\n onError?: (error: Error) => void,\n) => {\n\n onEvent?.({\n step: 1,\n phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,\n status: RegistrationStatus.PROGRESS,\n message: 'Validating registration inputs...'\n } as RegistrationSSEEvent);\n\n // Validation\n if (!nearAccountId) {\n const error = new Error('NEAR account ID is required for registration.');\n onError?.(error);\n throw error;\n }\n // Validate the account ID format\n const validation = validateNearAccountId(nearAccountId);\n if (!validation.valid) {\n const error = new Error(`Invalid NEAR account ID: ${validation.error}`);\n onError?.(error);\n throw error;\n }\n if (!window.isSecureContext) {\n const error = new Error('Passkey operations require a secure context (HTTPS or localhost).');\n onError?.(error);\n throw error;\n }\n\n // on-chain account existence check is performed later via signer worker (checkCanRegisterUser),\n onEvent?.({\n step: 1,\n phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,\n status: RegistrationStatus.PROGRESS,\n message: `Account format validated, preparing confirmation`\n } as RegistrationSSEEvent);\n return;\n}\n\n/\n Rollback registration data in case of errors\n /\nasync function performRegistrationRollback(\n registrationState: {\n accountCreated: boolean;\n contractRegistered: boolean;\n databaseStored: boolean;\n contractTransactionId: string \| null;\n },\n nearAccountId: AccountId,\n webAuthnManager: WebAuthnManager,\n rpcNodeUrl: string,\n onEvent?: (event: RegistrationSSEEvent) => void\n): Promise<void> {\n console.debug('Starting registration rollback...', registrationState);\n\n // Rollback in reverse order\n try {\n // 1. Always clear any in-memory VRF session established during bootstrap\n await webAuthnManager.clearVrfSession();\n\n // 2. Rollback database storage\n if (registrationState.databaseStored) {\n console.debug('Rolling back database storage...');\n onEvent?.({\n step: 0,\n phase: RegistrationPhase.REGISTRATION_ERROR,\n status: RegistrationStatus.ERROR,\n message: 'Rolling back database storage...',\n error: 'Registration failed - rolling back database storage'\n } as RegistrationSSEEvent);\n\n await webAuthnManager.rollbackUserRegistration(nearAccountId);\n console.debug('Database rollback completed');\n }\n\n // 3. Contract rollback on the Web3Authn contract\n // NOT NEEDED - account creation and contract registration are atomic in the relay server flow\n if (registrationState.contractRegistered) {\n console.debug('Contract registration cannot be rolled back (immutable blockchain state)');\n onEvent?.({\n step: 0,\n phase: RegistrationPhase.REGISTRATION_ERROR,\n status: RegistrationStatus.ERROR,\n message: `Contract registration (tx: ${registrationState.contractTransactionId}) cannot be rolled back`,\n error: 'Registration failed - contract state is immutable'\n } as RegistrationSSEEvent);\n }\n console.debug('Registration rollback completed');\n\n } catch (rollbackError: any) {\n console.error('Rollback failed:', rollbackError);\n onEvent?.({\n step: 0,\n phase: RegistrationPhase.REGISTRATION_ERROR,\n status: RegistrationStatus.ERROR,\n message: `Rollback failed: ${rollbackError.message}`,\n error: 'Both registration and rollback failed'\n } as RegistrationSSEEvent);\n }\n}\n\n/\n Poll the NEAR RPC to verify the newly created account exposes the expected public key\n * Retries a few times to tolerate RPC indexing delays after transaction finalization.\n */\nasync function verifyAccountAccessKeyMatches(\n nearClient: NearClient,\n nearAccountId: string,\n expectedPublicKey: string,\n opts?: { attempts?: number; delayMs?: number }\n): Promise<boolean> {\n const attempts = Math.max(1, Math.floor(opts?.attempts ?? 5));\n const delayMs = Math.max(50, Math.floor(opts?.delayMs ?? 750));\n\n for (let i = 0; i < attempts; i++) {\n try {\n const { fullAccessKeys, functionCallAccessKeys } = await nearClient.getAccessKeys({ account: nearAccountId });\n const keys = [...fullAccessKeys, ...functionCallAccessKeys];\n const found = keys.some(k => String((k as any)?.public_key \|\| '') === expectedPublicKey);\n if (found) return true;\n } catch (e) {\n // Tolerate transient view errors during propagation; retry\n }\n await new Promise(res => setTimeout(res, delayMs));\n }\n return false;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAqCA,eAAsB,wBACpB,SACA,eACA,SACA,sBACA,4BAC6B;CAE7B,MAAM,EAAE,SAAS,SAAS,cAAc;CACxC,MAAM,EAAE,iBAAiB,YAAY;CAGrC,MAAM,oBAAoB;EACxB,gBAAgB;EAChB,oBAAoB;EACpB,gBAAgB;EAChB,uBAAuB;;AAGzB,SAAQ,IAAI;AACZ,WAAU;EACR,MAAM;EACN,OAAOA,wCAAkB;EACzB,QAAQC,yCAAmB;EAC3B,SAAS,6BAA6B;;AAGxC,KAAI;AAEF,QAAM,2BAA2B,SAAS,eAAe,SAAS;AAElE,YAAU;GACR,MAAM;GACN,OAAOD,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;EAGX,MAAMC,qBAAkD;GACtD,QAAQ;GACR,UAAU;GACV,OAAQ,QAAQ,SAAS,gBAAgB,UAAW,UAAU;GAC9D,GAAI,8BAA8B,SAAS,sBAAsB;;EAGnE,MAAM,sBAAsB,MAAM,QAAQ,gBAAgB,0CAA0C;GAClG,eAAe,OAAO;GACtB,cAAc;GACd,eAAe,SAAS;GACxB,4BAA4B;;EAG9B,MAAM,aAAa,oBAAoB;EACvC,MAAM,eAAe,oBAAoB;AAEzC,YAAU;GACR,MAAM;GACN,OAAOF,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;EAIX,MAAM,yBAAyB,gBAAgB,qBAAqB;GAClE,YAAY,QAAQ,QAAQ;GAC5B;GACA;GACA,UAAU,aAAa;AACrB,YAAQ,MAAM,0BAA0B,SAAS,KAAK,KAAK,SAAS;AACpE,cAAU;KACR,MAAM;KACN,OAAOD,wCAAkB;KACzB,QAAQC,yCAAmB;KAC3B,SAAS,cAAc,SAAS;;;;EAOtC,MAAM,4BAA4B,MAAM,gBAAgB,iBAAiB;GACvE;GACA;GACA,cAAc;;AAEhB,MAAI,CAAC,0BAA0B,WAAW,CAAC,0BAA0B,aACnE,OAAM,IAAI,MAAM;EAIlB,MAAM,gBAAgB,MAAM,gBAAgB,0CAA0C;GACpF;GACA;GACA,SAAS,EAAE,cAAc;;AAE3B,MAAI,CAAC,cAAc,WAAW,CAAC,cAAc,WAAW;GACtD,MAAM,SAAS,eAAe,SAAS;AACvC,SAAM,IAAI,MAAM;;EAIlB,MAAM,wBAAwB,MAAM;AACpC,MAAI,CAAC,sBAAsB,UAAU;AACnC,WAAQ,MAAM;GACd,MAAM,eAAe,sBAAsB,SAAS;AACpD,SAAM,IAAI,MAAM,iDAAiD;;AAInE,YAAU;GACR,MAAM;GACN,OAAOD,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;GACT,UAAU;GACK;GACf,eAAe,cAAc;GAC7B,cAAc,aAAa;;EAG7B,IAAI;AACJ,iCAA+B,MAAME,yEACnC,SACA,eACA,cAAc,WACd,YACA,cACA,0BAA0B,cAC1B,sBACA;AAGF,MAAI,CAAC,6BAA6B,QAChC,OAAM,IAAI,MAAM,6BAA6B,SAAS;AAIxD,oBAAkB,iBAAiB;AACnC,oBAAkB,qBAAqB;AACvC,oBAAkB,wBAAwB,6BAA6B,iBAAiB;AAGxF,YAAU;GACR,MAAM;GACN,OAAOH,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;EAGX,MAAM,oBAAoB,MAAM,8BAC9B,QAAQ,YACR,eACA,cAAc;AAGhB,MAAI,CAAC,kBACH,OAAM,IAAI,MAAM;AAGlB,YAAU;GACR,MAAM;GACN,OAAOD,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;AAIX,YAAU;GACR,MAAM;GACN,OAAOD,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;AAGX,QAAM,gBAAgB,4BAA4B;GAChD;GACA;GACA,WAAW,cAAc;GACzB,qBAAqB,0BAA0B;GAC/C,cAAc,0BAA0B;GACxC,2BAA2B,0BAA0B;;AAIvD,oBAAkB,iBAAiB;AAEnC,YAAU;GACR,MAAM;GACN,OAAOD,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;AAIX,MAAI;AACF,WAAQ,gBAAgB,kBAAkB,eAAe,eAAe,cAAc;AACtF,SAAM,QAAQ,gBAAgB,kBAAkB,oBAAoB,QAAQ;UACtE;EAIR,IAAI,YAAY,MAAM,gBAAgB,iBAAiB,aAAa,EAAE,QAAQ;AAC9E,MAAI,CAAC,WAAW,QAAQ;GAItB,MAAM,YAAY,MAAM,QAAQ,WAAW,UAAU,EAAE,UAAU;GACjE,MAAM,cAAc,WAAW,QAAQ;GACvC,MAAM,gBAAgB,OAAO,UAAU,QAAQ,UAAU;GACzD,MAAM,gBAAgB,MAAM,gBAAgB,yBAAyB;IACnE,QAAQ;IACR,MAAM,gBAAgB;IACtB,WAAW;IACX,aAAa;;GAEf,MAAM,iBAAiB,MAAM,gBAAgB,wBAAwB;GACrE,MAAM,iBAAiB,MAAM,gBAAgB,8CAA8C;IACzF;IACA,WAAW;IACX,eAAe,eAAe,KAAK,MAAM,EAAE;;GAE7C,MAAM,eAAe,MAAM,gBAAgB,iBAAiB;IAC3C;IACf,qBAAqB,0BAA0B;IAC/C,YAAY;MACX,OAAO,gBAAqB;AAC7B,WAAO;KAAE,SAAS;KAAO,OAAO,YAAY;;;AAG9C,OAAI,CAAC,aAAa,SAAS;AACzB,YAAQ,KAAK,8BAA8B,aAAa;AACxD,UAAM,IAAI,MAAM,aAAa;;QAG/B,SAAQ,MAAM;AAIhB,MAAI;AACF,SAAM,gBAAgB,sBAAsB,eAAe,QAAQ;WAC5D,SAAS;AAChB,WAAQ,KAAK,yDAAyD;;AAGxE,YAAU;GACR,MAAM;GACN,OAAOD,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;EAGX,MAAM,gBAAgB;GACpB,SAAS;GACM;GACf,qBAAqB,cAAc;GACnC,eAAe,kBAAkB;GACjC,iBAAiB;IACf,SAAS;IACT,cAAc,aAAa;IAC3B,qBAAqB,0BAA0B;IAC/C,kBAAkB,6BAA6B;;;AAInD,cAAY,MAAM;AAClB,SAAO;UAEAG,OAAY;AACnB,UAAQ,MAAM,wBAAwB,MAAM,SAAS,MAAM;AAG3D,QAAM,4BACJ,mBACA,eACA,iBACA,QAAQ,YACR;EAIF,MAAM,eAAeC,2CAA4B,OAAO,gBAAgB;EAExE,MAAM,cAAc,IAAI,MAAM;AAC9B,YAAU;AAEV,YAAU;GACR,MAAM;GACN,OAAOL,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;GACT,OAAO;;EAGT,MAAM,SAAS;GAAE,SAAS;GAAO,OAAO;;AACxC,cAAY;AACZ,SAAO;;;AAKX,eAAsB,gBACpB,SACA,eACA,SACA,sBAC6B;AAC7B,QAAO,wBAAwB,SAAS,eAAe,SAAS,sBAAsB;;;;;;;;AAwDxF,MAAM,6BAA6B,OACjC,SAKA,eACA,SACA,YACG;AAEH,WAAU;EACR,MAAM;EACN,OAAOD,wCAAkB;EACzB,QAAQC,yCAAmB;EAC3B,SAAS;;AAIX,KAAI,CAAC,eAAe;EAClB,MAAM,wBAAQ,IAAI,MAAM;AACxB,YAAU;AACV,QAAM;;CAGR,MAAM,aAAaK,yCAAsB;AACzC,KAAI,CAAC,WAAW,OAAO;EACrB,MAAM,wBAAQ,IAAI,MAAM,4BAA4B,WAAW;AAC/D,YAAU;AACV,QAAM;;AAER,KAAI,CAAC,OAAO,iBAAiB;EAC3B,MAAM,wBAAQ,IAAI,MAAM;AACxB,YAAU;AACV,QAAM;;AAIR,WAAU;EACR,MAAM;EACN,OAAON,wCAAkB;EACzB,QAAQC,yCAAmB;EAC3B,SAAS;;;;;;AAQb,eAAe,4BACb,mBAMA,eACA,iBACA,YACA,SACe;AACf,SAAQ,MAAM,qCAAqC;AAGnD,KAAI;AAEF,QAAM,gBAAgB;AAGtB,MAAI,kBAAkB,gBAAgB;AACpC,WAAQ,MAAM;AACd,aAAU;IACR,MAAM;IACN,OAAOD,wCAAkB;IACzB,QAAQC,yCAAmB;IAC3B,SAAS;IACT,OAAO;;AAGT,SAAM,gBAAgB,yBAAyB;AAC/C,WAAQ,MAAM;;AAKhB,MAAI,kBAAkB,oBAAoB;AACxC,WAAQ,MAAM;AACd,aAAU;IACR,MAAM;IACN,OAAOD,wCAAkB;IACzB,QAAQC,yCAAmB;IAC3B,SAAS,8BAA8B,kBAAkB,sBAAsB;IAC/E,OAAO;;;AAGX,UAAQ,MAAM;UAEPM,eAAoB;AAC3B,UAAQ,MAAM,oBAAoB;AAClC,YAAU;GACR,MAAM;GACN,OAAOP,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS,oBAAoB,cAAc;GAC3C,OAAO;;;;;;;;AASb,eAAe,8BACb,YACA,eACA,mBACA,MACkB;CAClB,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,YAAY;CAC1D,MAAM,UAAU,KAAK,IAAI,IAAI,KAAK,MAAM,MAAM,WAAW;AAEzD,MAAK,IAAI,IAAI,GAAG,IAAI,UAAU,KAAK;AACjC,MAAI;GACF,MAAM,EAAE,gBAAgB,2BAA2B,MAAM,WAAW,cAAc,EAAE,SAAS;GAC7F,MAAM,OAAO,CAAC,GAAG,gBAAgB,GAAG;GACpC,MAAM,QAAQ,KAAK,MAAK,MAAK,OAAQ,GAAW,cAAc,QAAQ;AACtE,OAAI,MAAO,QAAO;WACX,GAAG;AAGZ,QAAM,IAAI,SAAQ,QAAO,WAAW,KAAK;;AAE3C,QAAO"}
1	+ {"version":3,"file":"registration.js","names":["RegistrationPhase","RegistrationStatus","confirmationConfig: Partial<ConfirmationConfig>","mergeSignerMode","thresholdClientVerifyingShareB64u: string \| null","createAccountAndRegisterWithRelayServer","expectedAccessKeys: string[]","error: unknown","getUserFriendlyErrorMessage","validateNearAccountId","rollbackError: unknown","DEFAULT_WAIT_STATUS","IndexedDBManager","buildThresholdEd25519Participants2pV1","ensureEd25519Prefix"],"sources":["../../../../src/core/TatchiPasskey/registration.ts"],"sourcesContent":["import type { NearClient } from '../NearClient';\nimport { ensureEd25519Prefix, validateNearAccountId } from '../../utils/validation';\nimport type {\n RegistrationHooksOptions,\n RegistrationSSEEvent,\n} from '../types/sdkSentEvents';\nimport type { RegistrationResult, TatchiConfigs } from '../types/tatchi';\nimport type { AuthenticatorOptions } from '../types/authenticatorOptions';\nimport { RegistrationPhase, RegistrationStatus } from '../types/sdkSentEvents';\nimport {\n createAccountAndRegisterWithRelayServer\n} from './faucets/createAccountRelayServer';\nimport { PasskeyManagerContext } from './index';\nimport { WebAuthnManager } from '../WebAuthnManager';\nimport { IndexedDBManager } from '../IndexedDBManager';\nimport { VRFChallenge } from '../types/vrf-worker';\nimport { type ConfirmationConfig, type SignerMode, mergeSignerMode } from '../types/signer-worker';\nimport type { WebAuthnRegistrationCredential } from '../types/webauthn';\nimport type { AccountId } from '../types/accountIds';\nimport { getUserFriendlyErrorMessage } from '../../utils/errors';\nimport { authenticatorsToAllowCredentials } from '../WebAuthnManager/touchIdPrompt';\nimport { DEFAULT_WAIT_STATUS } from '../types/rpc';\nimport { buildThresholdEd25519Participants2pV1 } from '../../threshold/participants';\n// Registration forces a visible, clickable confirmation for cross‑origin safety\n\n/*\n Core registration function that handles passkey registration\n \n VRF Registration Flow (Single VRF Keypair):\n * 1. Generate VRF keypair (ed25519) using crypto.randomUUID() + persist in worker memory\n * 2. Generate VRF proof + output using the VRF keypair\n * - VRF input with domain separator + NEAR block height + hash\n * 3. Use VRF output as WebAuthn challenge in registration ceremony\n * 4. Derive AES key from WebAuthn PRF output and encrypt the SAME VRF keypair\n * 5. Store encrypted VRF keypair in IndexedDB\n * 6. Call contract verify_registration_response with VRF proof + WebAuthn registration payload\n * 7. Contract verifies VRF proof and WebAuthn registration (challenges match!)\n * 8. Contract stores VRF pubkey + authenticator credentials on-chain for\n * future stateless authentication\n /\nexport async function registerPasskeyInternal(\n context: PasskeyManagerContext,\n nearAccountId: AccountId,\n options: RegistrationHooksOptions,\n authenticatorOptions: AuthenticatorOptions,\n confirmationConfigOverride?: Partial<ConfirmationConfig>\n): Promise<RegistrationResult> {\n\n const { onEvent, onError, afterCall } = options;\n const { webAuthnManager, configs } = context;\n\n // Track registration progress for rollback\n const registrationState = {\n accountCreated: false,\n contractRegistered: false,\n databaseStored: false,\n contractTransactionId: null as string \| null,\n };\n\n console.log('⚡ Registration: Passkey registration with VRF WebAuthn');\n onEvent?.({\n step: 1,\n phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,\n status: RegistrationStatus.PROGRESS,\n message: `Starting registration for ${nearAccountId}`\n } as RegistrationSSEEvent);\n\n try {\n\n await validateRegistrationInputs(context, nearAccountId, onEvent, onError);\n\n onEvent?.({\n step: 1,\n phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,\n status: RegistrationStatus.PROGRESS,\n message: 'Account available, generating credentials...'\n });\n\n const confirmationConfig: Partial<ConfirmationConfig> = {\n uiMode: 'modal',\n behavior: 'requireClick', // cross‑origin safari requirement: must requireClick\n theme: (context.configs?.walletTheme === 'light') ? 'light' : 'dark',\n ...(confirmationConfigOverride ?? options?.confirmationConfig ?? {}),\n };\n\n const registrationSession = await context.webAuthnManager.requestRegistrationCredentialConfirmation({\n nearAccountId: String(nearAccountId),\n deviceNumber: 1,\n confirmerText: options?.confirmerText,\n confirmationConfigOverride: confirmationConfig,\n });\n\n const credential = registrationSession.credential;\n const vrfChallenge = registrationSession.vrfChallenge;\n\n onEvent?.({\n step: 1,\n phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,\n status: RegistrationStatus.SUCCESS,\n message: 'WebAuthn ceremony successful'\n });\n\n // Start the contract pre-check, run it in parallel to key derivation (await later)\n const canRegisterUserPromise = webAuthnManager.checkCanRegisterUser({\n contractId: context.configs.contractId,\n credential,\n vrfChallenge,\n onEvent: (progress) => {\n console.debug(`Registration progress: ${progress.step} - ${progress.message}`);\n onEvent?.({\n step: 3,\n phase: RegistrationPhase.STEP_3_CONTRACT_PRE_CHECK,\n status: RegistrationStatus.PROGRESS,\n message: `${progress.message}`\n });\n },\n });\n\n // 1) Ensure VRF keypair is derived and loaded in-memory\n // before deriving WrapKeySeed for NEAR key encryption\n const deterministicVrfKeyResult = await webAuthnManager.deriveVrfKeypair({\n credential,\n nearAccountId,\n saveInMemory: true,\n });\n if (!deterministicVrfKeyResult.success \|\| !deterministicVrfKeyResult.vrfPublicKey) {\n throw new Error('Failed to derive deterministic VRF keypair from PRF');\n }\n\n const baseSignerMode = webAuthnManager.getUserPreferences().getSignerMode();\n const requestedSignerMode = mergeSignerMode(baseSignerMode, options?.signerMode);\n const requestedSignerModeStr = requestedSignerMode.mode;\n\n // 2) Derive/enroll the local NEAR key after VRF keypair exists.\n const nearKeyResult = await webAuthnManager.deriveNearKeypairAndEncryptFromSerialized({\n credential,\n nearAccountId,\n options: { deviceNumber: 1 },\n });\n if (!nearKeyResult.success \|\| !nearKeyResult.publicKey) {\n const reason = nearKeyResult?.error \|\| 'Failed to generate NEAR keypair with PRF';\n throw new Error(reason);\n }\n const nearPublicKey = nearKeyResult.publicKey;\n const wrapKeySalt = String(nearKeyResult.wrapKeySalt \|\| '').trim();\n if (!wrapKeySalt) {\n throw new Error('Missing wrapKeySalt after local key derivation');\n }\n\n // Optional: threshold-signer enrollment during registration.\n // Derive client verifying share (public) and let the relay compute threshold group public key\n // and include it in the on-chain AddKey set during create_account_and_register_user.\n let thresholdClientVerifyingShareB64u: string \| null = null;\n if (requestedSignerModeStr === 'threshold-signer') {\n const derived = await webAuthnManager.deriveThresholdEd25519ClientVerifyingShareFromCredential({\n credential,\n nearAccountId,\n wrapKeySalt,\n });\n if (!derived.success \|\| !derived.clientVerifyingShareB64u) {\n throw new Error(derived.error \|\| 'Failed to derive threshold client verifying share');\n }\n thresholdClientVerifyingShareB64u = derived.clientVerifyingShareB64u;\n }\n\n // 3) Await contract registration check (main blocker)\n const canRegisterUserResult = await canRegisterUserPromise;\n if (!canRegisterUserResult.verified) {\n console.error(canRegisterUserResult);\n const errorMessage = canRegisterUserResult.error \|\| 'User verification failed - account may already exist or contract is unreachable';\n throw new Error(`Web3Authn contract registration check failed: ${errorMessage}`);\n }\n\n // Step 4-5: Create account and register with contract using the relay (atomic)\n onEvent?.({\n step: 2,\n phase: RegistrationPhase.STEP_2_KEY_GENERATION,\n status: RegistrationStatus.SUCCESS,\n message: 'Wallet derived successfully from Passkey',\n verified: true,\n nearAccountId: nearAccountId,\n nearPublicKey: nearPublicKey,\n vrfPublicKey: vrfChallenge.vrfPublicKey,\n });\n\n let accountAndRegistrationResult;\n accountAndRegistrationResult = await createAccountAndRegisterWithRelayServer(\n context,\n nearAccountId,\n nearPublicKey,\n credential,\n vrfChallenge,\n deterministicVrfKeyResult.vrfPublicKey,\n authenticatorOptions,\n onEvent,\n {\n thresholdEd25519: thresholdClientVerifyingShareB64u\n ? { clientVerifyingShareB64u: thresholdClientVerifyingShareB64u }\n : undefined,\n },\n );\n\n if (!accountAndRegistrationResult.success) {\n throw new Error(accountAndRegistrationResult.error \|\| 'Account creation and registration failed');\n }\n\n // Update registration state based on results\n registrationState.accountCreated = true;\n registrationState.contractRegistered = true;\n registrationState.contractTransactionId = accountAndRegistrationResult.transactionId \|\| null;\n\n // Step 6: Post-commit verification: ensure on-chain access key matches expected public key\n onEvent?.({\n step: 6,\n phase: RegistrationPhase.STEP_6_ACCOUNT_VERIFICATION,\n status: RegistrationStatus.PROGRESS,\n message: 'Verifying on-chain access key matches expected public key...'\n });\n\n const expectedAccessKeys: string[] = [nearPublicKey];\n const thresholdPublicKey = String(accountAndRegistrationResult?.thresholdEd25519?.publicKey \|\| '').trim();\n const relayerKeyId = String(accountAndRegistrationResult?.thresholdEd25519?.relayerKeyId \|\| '').trim();\n\n const accessKeyVerified = await verifyAccountAccessKeysPresent(\n context.nearClient,\n nearAccountId,\n expectedAccessKeys,\n );\n\n if (!accessKeyVerified) {\n throw new Error('On-chain access key mismatch or not found after registration');\n }\n\n onEvent?.({\n step: 6,\n phase: RegistrationPhase.STEP_6_ACCOUNT_VERIFICATION,\n status: RegistrationStatus.SUCCESS,\n message: 'Access key verified on-chain'\n });\n\n await activateThresholdEnrollmentPostRegistration({\n requestedSignerMode: requestedSignerModeStr,\n nearAccountId,\n nearPublicKey,\n thresholdPublicKey,\n relayerKeyId,\n clientParticipantId: accountAndRegistrationResult?.thresholdEd25519?.clientParticipantId,\n relayerParticipantId: accountAndRegistrationResult?.thresholdEd25519?.relayerParticipantId,\n thresholdClientVerifyingShareB64u,\n relayerVerifyingShareB64u: String(\n accountAndRegistrationResult?.thresholdEd25519?.relayerVerifyingShareB64u \|\| '',\n ).trim(),\n credential,\n wrapKeySalt,\n webAuthnManager: context.webAuthnManager,\n nearClient: context.nearClient,\n onEvent,\n });\n\n // Step 7: Store user data with VRF credentials atomically\n onEvent?.({\n step: 7,\n phase: RegistrationPhase.STEP_7_DATABASE_STORAGE,\n status: RegistrationStatus.PROGRESS,\n message: 'Storing passkey wallet metadata...'\n });\n\n await webAuthnManager.atomicStoreRegistrationData({\n nearAccountId,\n credential,\n publicKey: nearPublicKey,\n encryptedVrfKeypair: deterministicVrfKeyResult.encryptedVrfKeypair,\n vrfPublicKey: deterministicVrfKeyResult.vrfPublicKey,\n serverEncryptedVrfKeypair: deterministicVrfKeyResult.serverEncryptedVrfKeypair,\n });\n\n // Mark database as stored for rollback tracking\n registrationState.databaseStored = true;\n\n onEvent?.({\n step: 7,\n phase: RegistrationPhase.STEP_7_DATABASE_STORAGE,\n status: RegistrationStatus.SUCCESS,\n message: 'Registration metadata stored successfully'\n });\n\n // Initialize NonceManager with newly stored user before fetching block/nonce\n try {\n context.webAuthnManager.getNonceManager().initializeUser(nearAccountId, nearPublicKey);\n await context.webAuthnManager.getNonceManager().prefetchBlockheight(context.nearClient);\n } catch {}\n\n // Step 7: Ensure VRF session is active for auto-login\n // If VRF keypair is already in-memory (saved earlier), skip an extra Touch ID prompt.\n let vrfStatus = await webAuthnManager.checkVrfStatus().catch(() => ({ active: false }));\n if (!vrfStatus?.active) {\n // Obtain an authentication credential for VRF unlock (separate from registration credential)\n // IMPORTANT: Immediately after account creation, the new access key may not be queryable yet on some RPC nodes.\n // We only need fresh block info for the VRF challenge here, so fetch the block directly to avoid AK lookup failures.\n const blockInfo = await context.nearClient.viewBlock({ finality: 'final' });\n const txBlockHash = blockInfo?.header?.hash;\n const txBlockHeight = String(blockInfo.header?.height ?? '');\n const vrfChallenge2 = await webAuthnManager.generateVrfChallengeOnce({\n userId: nearAccountId,\n rpId: webAuthnManager.getRpId(),\n blockHash: txBlockHash,\n blockHeight: txBlockHeight,\n });\n const authenticators = await webAuthnManager.getAuthenticatorsByUser(nearAccountId);\n const authCredential = await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge: vrfChallenge2,\n credentialIds: authenticators.map((a) => a.credentialId),\n });\n const unlockResult = await webAuthnManager.unlockVRFKeypair({\n nearAccountId: nearAccountId,\n encryptedVrfKeypair: deterministicVrfKeyResult.encryptedVrfKeypair,\n credential: authCredential,\n }).catch((unlockError: unknown) => {\n const message = (unlockError && typeof unlockError === 'object' && 'message' in unlockError)\n ? String((unlockError as { message?: unknown }).message \|\| '')\n : String(unlockError \|\| '');\n return { success: false, error: message };\n });\n\n if (!unlockResult.success) {\n console.warn('VRF keypair unlock failed:', unlockResult.error);\n throw new Error(unlockResult.error);\n }\n } else {\n console.debug('Registration: VRF session already active; skipping extra Touch ID unlock');\n }\n\n // Initialize current user only after a successful unlock\n try {\n await webAuthnManager.initializeCurrentUser(nearAccountId, context.nearClient);\n } catch (initErr) {\n console.warn('Failed to initialize current user after registration:', initErr);\n }\n\n onEvent?.({\n step: 8,\n phase: RegistrationPhase.STEP_8_REGISTRATION_COMPLETE,\n status: RegistrationStatus.SUCCESS,\n message: 'Registration completed!'\n });\n\n const successResult = {\n success: true,\n nearAccountId: nearAccountId,\n clientNearPublicKey: nearPublicKey,\n transactionId: registrationState.contractTransactionId,\n vrfRegistration: {\n success: true,\n vrfPublicKey: vrfChallenge.vrfPublicKey,\n encryptedVrfKeypair: deterministicVrfKeyResult.encryptedVrfKeypair,\n contractVerified: accountAndRegistrationResult.success,\n }\n };\n\n afterCall?.(true, successResult);\n return successResult;\n\n } catch (error: unknown) {\n const message = (error && typeof error === 'object' && 'message' in error)\n ? String((error as { message?: unknown }).message \|\| '')\n : String(error \|\| '');\n const stack = (error && typeof error === 'object' && 'stack' in error)\n ? String((error as { stack?: unknown }).stack \|\| '')\n : '';\n console.error('Registration failed:', message, stack);\n\n // Perform rollback based on registration state\n await performRegistrationRollback(\n registrationState,\n nearAccountId,\n webAuthnManager,\n onEvent\n );\n\n // Use centralized error handling\n const errorMessage = getUserFriendlyErrorMessage(error, 'registration', nearAccountId);\n\n const errorObject = new Error(errorMessage);\n onError?.(errorObject);\n\n onEvent?.({\n step: 0,\n phase: RegistrationPhase.REGISTRATION_ERROR,\n status: RegistrationStatus.ERROR,\n message: errorMessage,\n error: errorMessage\n } as RegistrationSSEEvent);\n\n const result = { success: false, error: errorMessage };\n afterCall?.(false);\n return result;\n }\n}\n\n// Backward-compatible wrapper without explicit confirmationConfig override\nexport async function registerPasskey(\n context: PasskeyManagerContext,\n nearAccountId: AccountId,\n options: RegistrationHooksOptions,\n authenticatorOptions: AuthenticatorOptions\n): Promise<RegistrationResult> {\n return registerPasskeyInternal(context, nearAccountId, options, authenticatorOptions, undefined);\n}\n\n//////////////////////////////////////\n// HELPER FUNCTIONS\n//////////////////////////////////////\n\n/\n Generate a VRF keypair + challenge in VRF wasm worker for WebAuthn registration ceremony bootstrapping\n \n ARCHITECTURE: This function solves the chicken-and-egg problem with a single VRF keypair:\n * 1. Generate VRF keypair + challenge (no PRF needed)\n * 2. Persist VRF keypair in worker memory (NOT encrypted yet)\n * 3. Use VRF challenge for WebAuthn ceremony → get PRF output\n * 4. Encrypt the SAME VRF keypair (still in memory) with PRF\n \n @param webAuthnManager - WebAuthn manager instance\n * @param nearAccountId - NEAR account ID for VRF input\n * @param blockHeight - Current NEAR block height for freshness\n * @param blockHashBytes - Current NEAR block hash bytes for entropy\n * @returns VRF challenge data (VRF keypair persisted in worker memory)\n /\nexport async function generateBootstrapVrfChallenge(\n context: PasskeyManagerContext,\n nearAccountId: AccountId,\n): Promise<VRFChallenge> {\n\n const { webAuthnManager, nearClient } = context;\n\n const blockInfo = await nearClient.viewBlock({ finality: 'final' });\n\n // Generate VRF keypair and persist in worker memory\n const vrfResult = await webAuthnManager.generateVrfKeypairBootstrap({\n vrfInputData: {\n userId: nearAccountId,\n // Keep VRF rpId consistent with WebAuthn rpId selection logic.\n rpId: webAuthnManager.getRpId(),\n blockHeight: String(blockInfo.header.height),\n blockHash: blockInfo.header.hash,\n },\n saveInMemory: true,\n // VRF keypair persists in worker memory until PRF encryption\n });\n\n if (!vrfResult.vrfChallenge) {\n throw new Error('Registration VRF keypair generation failed');\n }\n return vrfResult.vrfChallenge;\n}\n\n/\n Validates registration inputs and throws errors if invalid\n * @param nearAccountId - NEAR account ID to validate\n * @param onEvent - Optional callback for registration progress events\n * @param onError - Optional callback for error handling\n /\nconst validateRegistrationInputs = async (\n context: {\n configs: TatchiConfigs,\n webAuthnManager: WebAuthnManager,\n nearClient: NearClient,\n },\n nearAccountId: AccountId,\n onEvent?: (event: RegistrationSSEEvent) => void,\n onError?: (error: Error) => void,\n) => {\n\n onEvent?.({\n step: 1,\n phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,\n status: RegistrationStatus.PROGRESS,\n message: 'Validating registration inputs...'\n } as RegistrationSSEEvent);\n\n // Validation\n if (!nearAccountId) {\n const error = new Error('NEAR account ID is required for registration.');\n onError?.(error);\n throw error;\n }\n // Validate the account ID format\n const validation = validateNearAccountId(nearAccountId);\n if (!validation.valid) {\n const error = new Error(`Invalid NEAR account ID: ${validation.error}`);\n onError?.(error);\n throw error;\n }\n if (!window.isSecureContext) {\n const error = new Error('Passkey operations require a secure context (HTTPS or localhost).');\n onError?.(error);\n throw error;\n }\n\n // on-chain account existence check is performed later via signer worker (checkCanRegisterUser),\n onEvent?.({\n step: 1,\n phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,\n status: RegistrationStatus.PROGRESS,\n message: `Account format validated, preparing confirmation`\n } as RegistrationSSEEvent);\n return;\n}\n\n/\n Rollback registration data in case of errors\n */\nasync function performRegistrationRollback(\n registrationState: {\n accountCreated: boolean;\n contractRegistered: boolean;\n databaseStored: boolean;\n contractTransactionId: string \| null;\n },\n nearAccountId: AccountId,\n webAuthnManager: WebAuthnManager,\n onEvent?: (event: RegistrationSSEEvent) => void\n): Promise<void> {\n console.debug('Starting registration rollback...', registrationState);\n\n // Rollback in reverse order\n try {\n // 1. Always clear any in-memory VRF session established during bootstrap\n await webAuthnManager.clearVrfSession();\n\n // 2. Rollback database storage\n if (registrationState.databaseStored) {\n console.debug('Rolling back database storage...');\n onEvent?.({\n step: 0,\n phase: RegistrationPhase.REGISTRATION_ERROR,\n status: RegistrationStatus.ERROR,\n message: 'Rolling back database storage...',\n error: 'Registration failed - rolling back database storage'\n } as RegistrationSSEEvent);\n\n await webAuthnManager.rollbackUserRegistration(nearAccountId);\n console.debug('Database rollback completed');\n }\n\n // 3. Contract rollback on the Web3Authn contract\n // NOT NEEDED - account creation and contract registration are atomic in the relay server flow\n if (registrationState.contractRegistered) {\n console.debug('Contract registration cannot be rolled back (immutable blockchain state)');\n onEvent?.({\n step: 0,\n phase: RegistrationPhase.REGISTRATION_ERROR,\n status: RegistrationStatus.ERROR,\n message: `Contract registration (tx: ${registrationState.contractTransactionId}) cannot be rolled back`,\n error: 'Registration failed - contract state is immutable'\n } as RegistrationSSEEvent);\n }\n console.debug('Registration rollback completed');\n\n } catch (rollbackError: unknown) {\n console.error('Rollback failed:', rollbackError);\n onEvent?.({\n step: 0,\n phase: RegistrationPhase.REGISTRATION_ERROR,\n status: RegistrationStatus.ERROR,\n message: `Rollback failed: ${\n (rollbackError && typeof rollbackError === 'object' && 'message' in rollbackError)\n ? String((rollbackError as { message?: unknown }).message \|\| '')\n : String(rollbackError \|\| '')\n }`,\n error: 'Both registration and rollback failed'\n } as RegistrationSSEEvent);\n }\n}\n\nasync function activateThresholdEnrollmentPostRegistration(opts: {\n requestedSignerMode: SignerMode['mode'];\n nearAccountId: AccountId;\n nearPublicKey: string;\n thresholdPublicKey: string;\n relayerKeyId: string;\n clientParticipantId?: number;\n relayerParticipantId?: number;\n thresholdClientVerifyingShareB64u: string \| null;\n relayerVerifyingShareB64u: string;\n credential: WebAuthnRegistrationCredential;\n wrapKeySalt: string;\n webAuthnManager: WebAuthnManager;\n nearClient: NearClient;\n onEvent?: (event: RegistrationSSEEvent) => void;\n}): Promise<void> {\n // Optional: activate threshold enrollment post-registration by having the client\n // submit AddKey(thresholdPublicKey) signed with the local key.\n if (opts.requestedSignerMode !== 'threshold-signer') return;\n\n const thresholdPublicKey = String(opts.thresholdPublicKey \|\| '').trim();\n const relayerKeyId = String(opts.relayerKeyId \|\| '').trim();\n const clientVerifyingShareB64u = String(opts.thresholdClientVerifyingShareB64u \|\| '').trim();\n const relayerVerifyingShareB64u = String(opts.relayerVerifyingShareB64u \|\| '').trim();\n\n if (!thresholdPublicKey \|\| !relayerKeyId \|\| !clientVerifyingShareB64u \|\| !relayerVerifyingShareB64u) {\n console.warn('[Registration] threshold-signer requested but threshold enrollment details are missing; continuing with local-signer only');\n return;\n }\n\n try {\n opts.onEvent?.({\n step: 6,\n phase: RegistrationPhase.STEP_6_ACCOUNT_VERIFICATION,\n status: RegistrationStatus.PROGRESS,\n message: 'Activating threshold access key onchain...'\n });\n\n // Prepare a single AddKey transaction signed with the local key (no extra TouchID prompt).\n try {\n opts.webAuthnManager.getNonceManager().initializeUser(opts.nearAccountId, opts.nearPublicKey);\n } catch {}\n const txContext = await opts.webAuthnManager.getNonceManager().getNonceBlockHashAndHeight(\n opts.nearClient,\n { force: true },\n );\n\n const signed = await opts.webAuthnManager.signAddKeyThresholdPublicKeyNoPrompt({\n nearAccountId: opts.nearAccountId,\n credential: opts.credential,\n wrapKeySalt: opts.wrapKeySalt,\n transactionContext: txContext,\n thresholdPublicKey,\n relayerVerifyingShareB64u,\n clientParticipantId: opts.clientParticipantId,\n relayerParticipantId: opts.relayerParticipantId,\n });\n\n const signedTx = signed?.signedTransaction;\n if (!signedTx) throw new Error('Failed to sign AddKey(thresholdPublicKey) transaction');\n\n await opts.nearClient.sendTransaction(signedTx, DEFAULT_WAIT_STATUS.thresholdAddKey);\n\n const thresholdKeyVerified = await verifyAccountAccessKeysPresent(\n opts.nearClient,\n opts.nearAccountId,\n [opts.nearPublicKey, thresholdPublicKey],\n );\n if (!thresholdKeyVerified) {\n throw new Error('Threshold access key not found on-chain after AddKey');\n }\n\n await IndexedDBManager.nearKeysDB.storeKeyMaterial({\n kind: 'threshold_ed25519_2p_v1',\n nearAccountId: opts.nearAccountId,\n deviceNumber: 1,\n publicKey: thresholdPublicKey,\n wrapKeySalt: opts.wrapKeySalt,\n relayerKeyId,\n clientShareDerivation: 'prf_first_v1',\n participants: buildThresholdEd25519Participants2pV1({\n clientParticipantId: opts.clientParticipantId,\n relayerParticipantId: opts.relayerParticipantId,\n relayerKeyId,\n relayerUrl: opts.webAuthnManager.tatchiPasskeyConfigs?.relayer?.url,\n clientVerifyingShareB64u,\n relayerVerifyingShareB64u,\n clientShareDerivation: 'prf_first_v1',\n }),\n timestamp: Date.now(),\n });\n\n opts.onEvent?.({\n step: 6,\n phase: RegistrationPhase.STEP_6_ACCOUNT_VERIFICATION,\n status: RegistrationStatus.SUCCESS,\n message: 'Threshold access key activated on-chain'\n });\n } catch (e) {\n console.warn('[Registration] threshold enrollment activation failed; continuing with local-signer only:', e);\n }\n}\n\nasync function verifyAccountAccessKeysPresent(\n nearClient: NearClient,\n nearAccountId: string,\n expectedPublicKeys: string[],\n opts?: { attempts?: number; delayMs?: number },\n): Promise<boolean> {\n const unique = Array.from(\n new Set(expectedPublicKeys.map((k) => ensureEd25519Prefix(k)).filter(Boolean)),\n );\n if (!unique.length) return false;\n\n const attempts = Math.max(1, Math.floor(opts?.attempts ?? 6));\n const delayMs = Math.max(50, Math.floor(opts?.delayMs ?? 750));\n\n for (let i = 0; i < attempts; i++) {\n try {\n const { fullAccessKeys, functionCallAccessKeys } = await nearClient.getAccessKeys({ account: nearAccountId });\n const keys = [...fullAccessKeys, ...functionCallAccessKeys].map((k) => ensureEd25519Prefix(k.public_key));\n const allPresent = unique.every((expected) => keys.includes(expected));\n if (allPresent) return true;\n } catch {\n // tolerate transient view errors during propagation; retry\n }\n await new Promise((res) => setTimeout(res, delayMs));\n }\n return false;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAwCA,eAAsB,wBACpB,SACA,eACA,SACA,sBACA,4BAC6B;CAE7B,MAAM,EAAE,SAAS,SAAS,cAAc;CACxC,MAAM,EAAE,iBAAiB,YAAY;CAGrC,MAAM,oBAAoB;EACxB,gBAAgB;EAChB,oBAAoB;EACpB,gBAAgB;EAChB,uBAAuB;;AAGzB,SAAQ,IAAI;AACZ,WAAU;EACR,MAAM;EACN,OAAOA,wCAAkB;EACzB,QAAQC,yCAAmB;EAC3B,SAAS,6BAA6B;;AAGxC,KAAI;AAEF,QAAM,2BAA2B,SAAS,eAAe,SAAS;AAElE,YAAU;GACR,MAAM;GACN,OAAOD,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;EAGX,MAAMC,qBAAkD;GACtD,QAAQ;GACR,UAAU;GACV,OAAQ,QAAQ,SAAS,gBAAgB,UAAW,UAAU;GAC9D,GAAI,8BAA8B,SAAS,sBAAsB;;EAGnE,MAAM,sBAAsB,MAAM,QAAQ,gBAAgB,0CAA0C;GAClG,eAAe,OAAO;GACtB,cAAc;GACd,eAAe,SAAS;GACxB,4BAA4B;;EAG9B,MAAM,aAAa,oBAAoB;EACvC,MAAM,eAAe,oBAAoB;AAEzC,YAAU;GACR,MAAM;GACN,OAAOF,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;EAIX,MAAM,yBAAyB,gBAAgB,qBAAqB;GAClE,YAAY,QAAQ,QAAQ;GAC5B;GACA;GACA,UAAU,aAAa;AACrB,YAAQ,MAAM,0BAA0B,SAAS,KAAK,KAAK,SAAS;AACpE,cAAU;KACR,MAAM;KACN,OAAOD,wCAAkB;KACzB,QAAQC,yCAAmB;KAC3B,SAAS,GAAG,SAAS;;;;EAO3B,MAAM,4BAA4B,MAAM,gBAAgB,iBAAiB;GACvE;GACA;GACA,cAAc;;AAEhB,MAAI,CAAC,0BAA0B,WAAW,CAAC,0BAA0B,aACnE,OAAM,IAAI,MAAM;EAGlB,MAAM,iBAAiB,gBAAgB,qBAAqB;EAC5D,MAAM,sBAAsBE,sCAAgB,gBAAgB,SAAS;EACrE,MAAM,yBAAyB,oBAAoB;EAGnD,MAAM,gBAAgB,MAAM,gBAAgB,0CAA0C;GACpF;GACA;GACA,SAAS,EAAE,cAAc;;AAE3B,MAAI,CAAC,cAAc,WAAW,CAAC,cAAc,WAAW;GACtD,MAAM,SAAS,eAAe,SAAS;AACvC,SAAM,IAAI,MAAM;;EAElB,MAAM,gBAAgB,cAAc;EACpC,MAAM,cAAc,OAAO,cAAc,eAAe,IAAI;AAC5D,MAAI,CAAC,YACH,OAAM,IAAI,MAAM;EAMlB,IAAIC,oCAAmD;AACvD,MAAI,2BAA2B,oBAAoB;GACjD,MAAM,UAAU,MAAM,gBAAgB,yDAAyD;IAC7F;IACA;IACA;;AAEF,OAAI,CAAC,QAAQ,WAAW,CAAC,QAAQ,yBAC/B,OAAM,IAAI,MAAM,QAAQ,SAAS;AAEnC,uCAAoC,QAAQ;;EAI9C,MAAM,wBAAwB,MAAM;AACpC,MAAI,CAAC,sBAAsB,UAAU;AACnC,WAAQ,MAAM;GACd,MAAM,eAAe,sBAAsB,SAAS;AACpD,SAAM,IAAI,MAAM,iDAAiD;;AAInE,YAAU;GACR,MAAM;GACN,OAAOJ,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;GACT,UAAU;GACK;GACA;GACf,cAAc,aAAa;;EAG7B,IAAI;AACJ,iCAA+B,MAAMI,yEACnC,SACA,eACA,eACA,YACA,cACA,0BAA0B,cAC1B,sBACA,SACA,EACE,kBAAkB,oCACd,EAAE,0BAA0B,sCAC5B;AAIR,MAAI,CAAC,6BAA6B,QAChC,OAAM,IAAI,MAAM,6BAA6B,SAAS;AAIxD,oBAAkB,iBAAiB;AACnC,oBAAkB,qBAAqB;AACvC,oBAAkB,wBAAwB,6BAA6B,iBAAiB;AAGxF,YAAU;GACR,MAAM;GACN,OAAOL,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;EAGX,MAAMK,qBAA+B,CAAC;EACtC,MAAM,qBAAqB,OAAO,8BAA8B,kBAAkB,aAAa,IAAI;EACnG,MAAM,eAAe,OAAO,8BAA8B,kBAAkB,gBAAgB,IAAI;EAEhG,MAAM,oBAAoB,MAAM,+BAC9B,QAAQ,YACR,eACA;AAGF,MAAI,CAAC,kBACH,OAAM,IAAI,MAAM;AAGlB,YAAU;GACR,MAAM;GACN,OAAON,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;AAGX,QAAM,4CAA4C;GAChD,qBAAqB;GACrB;GACA;GACA;GACA;GACA,qBAAqB,8BAA8B,kBAAkB;GACrE,sBAAsB,8BAA8B,kBAAkB;GACtE;GACA,2BAA2B,OACzB,8BAA8B,kBAAkB,6BAA6B,IAC7E;GACF;GACA;GACA,iBAAiB,QAAQ;GACzB,YAAY,QAAQ;GACpB;;AAIF,YAAU;GACR,MAAM;GACN,OAAOD,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;AAGX,QAAM,gBAAgB,4BAA4B;GAChD;GACA;GACA,WAAW;GACX,qBAAqB,0BAA0B;GAC/C,cAAc,0BAA0B;GACxC,2BAA2B,0BAA0B;;AAIvD,oBAAkB,iBAAiB;AAEnC,YAAU;GACR,MAAM;GACN,OAAOD,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;AAIX,MAAI;AACF,WAAQ,gBAAgB,kBAAkB,eAAe,eAAe;AACxE,SAAM,QAAQ,gBAAgB,kBAAkB,oBAAoB,QAAQ;UACtE;EAIR,IAAI,YAAY,MAAM,gBAAgB,iBAAiB,aAAa,EAAE,QAAQ;AAC9E,MAAI,CAAC,WAAW,QAAQ;GAItB,MAAM,YAAY,MAAM,QAAQ,WAAW,UAAU,EAAE,UAAU;GACjE,MAAM,cAAc,WAAW,QAAQ;GACvC,MAAM,gBAAgB,OAAO,UAAU,QAAQ,UAAU;GACzD,MAAM,gBAAgB,MAAM,gBAAgB,yBAAyB;IACnE,QAAQ;IACR,MAAM,gBAAgB;IACtB,WAAW;IACX,aAAa;;GAEf,MAAM,iBAAiB,MAAM,gBAAgB,wBAAwB;GACrE,MAAM,iBAAiB,MAAM,gBAAgB,8CAA8C;IACzF;IACA,WAAW;IACX,eAAe,eAAe,KAAK,MAAM,EAAE;;GAE7C,MAAM,eAAe,MAAM,gBAAgB,iBAAiB;IAC3C;IACf,qBAAqB,0BAA0B;IAC/C,YAAY;MACX,OAAO,gBAAyB;IACjC,MAAM,UAAW,eAAe,OAAO,gBAAgB,YAAY,aAAa,cAC5E,OAAQ,YAAsC,WAAW,MACzD,OAAO,eAAe;AAC1B,WAAO;KAAE,SAAS;KAAO,OAAO;;;AAGlC,OAAI,CAAC,aAAa,SAAS;AACzB,YAAQ,KAAK,8BAA8B,aAAa;AACxD,UAAM,IAAI,MAAM,aAAa;;QAG/B,SAAQ,MAAM;AAIhB,MAAI;AACF,SAAM,gBAAgB,sBAAsB,eAAe,QAAQ;WAC5D,SAAS;AAChB,WAAQ,KAAK,yDAAyD;;AAGxE,YAAU;GACR,MAAM;GACN,OAAOD,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;EAGX,MAAM,gBAAgB;GACpB,SAAS;GACM;GACf,qBAAqB;GACrB,eAAe,kBAAkB;GACjC,iBAAiB;IACf,SAAS;IACT,cAAc,aAAa;IAC3B,qBAAqB,0BAA0B;IAC/C,kBAAkB,6BAA6B;;;AAInD,cAAY,MAAM;AAClB,SAAO;UAEAM,OAAgB;EACvB,MAAM,UAAW,SAAS,OAAO,UAAU,YAAY,aAAa,QAChE,OAAQ,MAAgC,WAAW,MACnD,OAAO,SAAS;EACpB,MAAM,QAAS,SAAS,OAAO,UAAU,YAAY,WAAW,QAC5D,OAAQ,MAA8B,SAAS,MAC/C;AACJ,UAAQ,MAAM,wBAAwB,SAAS;AAG/C,QAAM,4BACJ,mBACA,eACA,iBACA;EAIF,MAAM,eAAeC,2CAA4B,OAAO,gBAAgB;EAExE,MAAM,cAAc,IAAI,MAAM;AAC9B,YAAU;AAEV,YAAU;GACR,MAAM;GACN,OAAOR,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;GACT,OAAO;;EAGT,MAAM,SAAS;GAAE,SAAS;GAAO,OAAO;;AACxC,cAAY;AACZ,SAAO;;;AAKX,eAAsB,gBACpB,SACA,eACA,SACA,sBAC6B;AAC7B,QAAO,wBAAwB,SAAS,eAAe,SAAS,sBAAsB;;;;;;;;AAwDxF,MAAM,6BAA6B,OACjC,SAKA,eACA,SACA,YACG;AAEH,WAAU;EACR,MAAM;EACN,OAAOD,wCAAkB;EACzB,QAAQC,yCAAmB;EAC3B,SAAS;;AAIX,KAAI,CAAC,eAAe;EAClB,MAAM,wBAAQ,IAAI,MAAM;AACxB,YAAU;AACV,QAAM;;CAGR,MAAM,aAAaQ,yCAAsB;AACzC,KAAI,CAAC,WAAW,OAAO;EACrB,MAAM,wBAAQ,IAAI,MAAM,4BAA4B,WAAW;AAC/D,YAAU;AACV,QAAM;;AAER,KAAI,CAAC,OAAO,iBAAiB;EAC3B,MAAM,wBAAQ,IAAI,MAAM;AACxB,YAAU;AACV,QAAM;;AAIR,WAAU;EACR,MAAM;EACN,OAAOT,wCAAkB;EACzB,QAAQC,yCAAmB;EAC3B,SAAS;;;;;;AAQb,eAAe,4BACb,mBAMA,eACA,iBACA,SACe;AACf,SAAQ,MAAM,qCAAqC;AAGnD,KAAI;AAEF,QAAM,gBAAgB;AAGtB,MAAI,kBAAkB,gBAAgB;AACpC,WAAQ,MAAM;AACd,aAAU;IACR,MAAM;IACN,OAAOD,wCAAkB;IACzB,QAAQC,yCAAmB;IAC3B,SAAS;IACT,OAAO;;AAGT,SAAM,gBAAgB,yBAAyB;AAC/C,WAAQ,MAAM;;AAKhB,MAAI,kBAAkB,oBAAoB;AACxC,WAAQ,MAAM;AACd,aAAU;IACR,MAAM;IACN,OAAOD,wCAAkB;IACzB,QAAQC,yCAAmB;IAC3B,SAAS,8BAA8B,kBAAkB,sBAAsB;IAC/E,OAAO;;;AAGX,UAAQ,MAAM;UAEPS,eAAwB;AAC/B,UAAQ,MAAM,oBAAoB;AAClC,YAAU;GACR,MAAM;GACN,OAAOV,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS,oBACN,iBAAiB,OAAO,kBAAkB,YAAY,aAAa,gBAChE,OAAQ,cAAwC,WAAW,MAC3D,OAAO,iBAAiB;GAE9B,OAAO;;;;AAKb,eAAe,4CAA4C,MAezC;AAGhB,KAAI,KAAK,wBAAwB,mBAAoB;CAErD,MAAM,qBAAqB,OAAO,KAAK,sBAAsB,IAAI;CACjE,MAAM,eAAe,OAAO,KAAK,gBAAgB,IAAI;CACrD,MAAM,2BAA2B,OAAO,KAAK,qCAAqC,IAAI;CACtF,MAAM,4BAA4B,OAAO,KAAK,6BAA6B,IAAI;AAE/E,KAAI,CAAC,sBAAsB,CAAC,gBAAgB,CAAC,4BAA4B,CAAC,2BAA2B;AACnG,UAAQ,KAAK;AACb;;AAGF,KAAI;AACF,OAAK,UAAU;GACb,MAAM;GACN,OAAOD,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;AAIX,MAAI;AACF,QAAK,gBAAgB,kBAAkB,eAAe,KAAK,eAAe,KAAK;UACzE;EACR,MAAM,YAAY,MAAM,KAAK,gBAAgB,kBAAkB,2BAC7D,KAAK,YACL,EAAE,OAAO;EAGX,MAAM,SAAS,MAAM,KAAK,gBAAgB,qCAAqC;GAC7E,eAAe,KAAK;GACpB,YAAY,KAAK;GACjB,aAAa,KAAK;GAClB,oBAAoB;GACpB;GACA;GACA,qBAAqB,KAAK;GAC1B,sBAAsB,KAAK;;EAG7B,MAAM,WAAW,QAAQ;AACzB,MAAI,CAAC,SAAU,OAAM,IAAI,MAAM;AAE/B,QAAM,KAAK,WAAW,gBAAgB,UAAUU,gCAAoB;EAEpE,MAAM,uBAAuB,MAAM,+BACjC,KAAK,YACL,KAAK,eACL,CAAC,KAAK,eAAe;AAEvB,MAAI,CAAC,qBACH,OAAM,IAAI,MAAM;AAGlB,QAAMC,+BAAiB,WAAW,iBAAiB;GACjD,MAAM;GACN,eAAe,KAAK;GACpB,cAAc;GACd,WAAW;GACX,aAAa,KAAK;GAClB;GACA,uBAAuB;GACvB,cAAcC,2DAAsC;IAClD,qBAAqB,KAAK;IAC1B,sBAAsB,KAAK;IAC3B;IACA,YAAY,KAAK,gBAAgB,sBAAsB,SAAS;IAChE;IACA;IACA,uBAAuB;;GAEzB,WAAW,KAAK;;AAGlB,OAAK,UAAU;GACb,MAAM;GACN,OAAOb,wCAAkB;GACzB,QAAQC,yCAAmB;GAC3B,SAAS;;UAEJ,GAAG;AACV,UAAQ,KAAK,6FAA6F;;;AAI9G,eAAe,+BACb,YACA,eACA,oBACA,MACkB;CAClB,MAAM,SAAS,MAAM,KACnB,IAAI,IAAI,mBAAmB,KAAK,MAAMa,uCAAoB,IAAI,OAAO;AAEvE,KAAI,CAAC,OAAO,OAAQ,QAAO;CAE3B,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,YAAY;CAC1D,MAAM,UAAU,KAAK,IAAI,IAAI,KAAK,MAAM,MAAM,WAAW;AAEzD,MAAK,IAAI,IAAI,GAAG,IAAI,UAAU,KAAK;AACjC,MAAI;GACF,MAAM,EAAE,gBAAgB,2BAA2B,MAAM,WAAW,cAAc,EAAE,SAAS;GAC7F,MAAM,OAAO,CAAC,GAAG,gBAAgB,GAAG,wBAAwB,KAAK,MAAMA,uCAAoB,EAAE;GAC7F,MAAM,aAAa,OAAO,OAAO,aAAa,KAAK,SAAS;AAC5D,OAAI,WAAY,QAAO;UACjB;AAGR,QAAM,IAAI,SAAS,QAAQ,WAAW,KAAK;;AAE7C,QAAO"}

package/dist/cjs/core/TatchiPasskey/relay.js CHANGED Viewed

@@ -1,8 +1,6 @@
-const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
 const require_sdkSentEvents = require('../types/sdkSentEvents.js');
 //#region src/core/TatchiPasskey/relay.ts
-require_sdkSentEvents.init_sdkSentEvents();
 const toNumberArray = (value) => Array.isArray(value) ? value : Array.from(value);
 const normalizeSignedDelegateForRelay = (signedDelegate) => {
 	const delegateAction = signedDelegate.delegateAction;

package/dist/cjs/core/TatchiPasskey/relay.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"relay.js","names":["normalizedPayload: RelayDelegateRequest","ActionPhase","ActionStatus","res: Response","err: unknown","response: DelegateRelayResult","response","json: any"],"sources":["../../../../src/core/TatchiPasskey/relay.ts"],"sourcesContent":["import { ActionPhase, ActionStatus, type ActionSSEEvent, type DelegateRelayHooksOptions } from '../types/sdkSentEvents';\nimport type { DelegateRelayResult } from '../types/tatchi';\nimport type { SignedDelegate } from '../types/delegate';\nimport type { WasmSignedDelegate } from '../types/signer-worker';\n\nexport interface RelayDelegateRequest {\n hash: string;\n signedDelegate: SignedDelegate \| WasmSignedDelegate;\n}\n\nconst toNumberArray = (value: number[] \| Uint8Array): number[] =>\n Array.isArray(value) ? value : Array.from(value);\n\nconst normalizeSignedDelegateForRelay = (\n signedDelegate: SignedDelegate \| WasmSignedDelegate\n): SignedDelegate => {\n const delegateAction = signedDelegate.delegateAction as SignedDelegate['delegateAction'] & {\n publicKey: { keyType: number; keyData: number[] \| Uint8Array };\n };\n const signature = signedDelegate.signature as SignedDelegate['signature'] & {\n keyType: number;\n signatureData: number[] \| Uint8Array;\n };\n\n return {\n delegateAction: {\n ...delegateAction,\n publicKey: {\n ...delegateAction.publicKey,\n keyData: toNumberArray(delegateAction.publicKey.keyData),\n },\n },\n signature: {\n ...signature,\n signatureData: toNumberArray(signature.signatureData),\n },\n };\n};\n\nexport async function sendDelegateActionViaRelayer(args: {\n url: string;\n payload: RelayDelegateRequest;\n signal?: AbortSignal;\n options?: DelegateRelayHooksOptions;\n}): Promise<DelegateRelayResult> {\n\n const { url, payload, signal, options } = args;\n const normalizedPayload: RelayDelegateRequest = {\n ...payload,\n signedDelegate: normalizeSignedDelegateForRelay(payload.signedDelegate),\n };\n\n const emit = (event: ActionSSEEvent) => options?.onEvent?.(event);\n const emitError = (message: string) => {\n emit({\n step: 0,\n phase: ActionPhase.ACTION_ERROR,\n status: ActionStatus.ERROR,\n message,\n error: message,\n });\n };\n\n emit({\n step: 7,\n phase: ActionPhase.STEP_7_BROADCASTING,\n status: ActionStatus.PROGRESS,\n message: 'Submitting delegate to relayer...',\n });\n\n let res: Response;\n try {\n res = await fetch(url, {\n method: 'POST',\n headers: { 'content-type': 'application/json' },\n body: JSON.stringify(normalizedPayload),\n signal,\n });\n } catch (err: unknown) {\n const error = err instanceof Error ? err : new Error(String(err));\n options?.onError?.(error);\n emitError(error.message);\n await options?.afterCall?.(false);\n throw error;\n }\n\n if (!res.ok) {\n const response: DelegateRelayResult = {\n ok: false,\n error: `Relayer HTTP ${res.status}`,\n };\n options?.onError?.(new Error(response.error));\n emitError(response.error!);\n await options?.afterCall?.(false);\n return response;\n }\n\n let json: any;\n try {\n json = await res.json();\n } catch (err: unknown) {\n const response: DelegateRelayResult = {\n ok: false,\n error: 'Relayer returned non-JSON response',\n };\n const error = err instanceof Error ? err : new Error(String(err));\n options?.onError?.(error);\n emitError(response.error!);\n await options?.afterCall?.(false);\n return response;\n }\n\n const response: DelegateRelayResult = {\n ok: Boolean(json?.ok ?? true),\n relayerTxHash: json?.relayerTxHash ?? json?.transactionId ?? json?.txHash,\n status: json?.status,\n outcome: json?.outcome,\n error: json?.error,\n };\n\n const success = response.ok !== false;\n if (success) {\n emit({\n step: 8,\n phase: ActionPhase.STEP_8_ACTION_COMPLETE,\n status: ActionStatus.SUCCESS,\n message: 'Delegate relayed successfully',\n });\n await options?.afterCall?.(true, response);\n } else {\n const message = response.error \|\| 'Relayer execution failed';\n options?.onError?.(new Error(message));\n emitError(message);\n await options?.afterCall?.(false);\n }\n\n return response;\n}\n"],"mappings":"~~;;;;;~~AAUA,MAAM,iBAAiB,UACrB,MAAM,QAAQ,SAAS,QAAQ,MAAM,KAAK;AAE5C,MAAM,mCACJ,mBACmB;CACnB,MAAM,iBAAiB,eAAe;CAGtC,MAAM,YAAY,eAAe;AAKjC,QAAO;EACL,gBAAgB;GACd,GAAG;GACH,WAAW;IACT,GAAG,eAAe;IAClB,SAAS,cAAc,eAAe,UAAU;;;EAGpD,WAAW;GACT,GAAG;GACH,eAAe,cAAc,UAAU;;;;AAK7C,eAAsB,6BAA6B,MAKlB;CAE/B,MAAM,EAAE,KAAK,SAAS,QAAQ,YAAY;CAC1C,MAAMA,oBAA0C;EAC9C,GAAG;EACH,gBAAgB,gCAAgC,QAAQ;;CAG1D,MAAM,QAAQ,UAA0B,SAAS,UAAU;CAC3D,MAAM,aAAa,YAAoB;AACrC,OAAK;GACH,MAAM;GACN,OAAOC,kCAAY;GACnB,QAAQC,mCAAa;GACrB;GACA,OAAO;;;AAIX,MAAK;EACH,MAAM;EACN,OAAOD,kCAAY;EACnB,QAAQC,mCAAa;EACrB,SAAS;;CAGX,IAAIC;AACJ,KAAI;AACF,QAAM,MAAM,MAAM,KAAK;GACrB,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;GACrB;;UAEKC,KAAc;EACrB,MAAM,QAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO;AAC5D,WAAS,UAAU;AACnB,YAAU,MAAM;AAChB,QAAM,SAAS,YAAY;AAC3B,QAAM;;AAGR,KAAI,CAAC,IAAI,IAAI;EACX,MAAMC,aAAgC;GACpC,IAAI;GACJ,OAAO,gBAAgB,IAAI;;AAE7B,WAAS,UAAU,IAAI,MAAMC,WAAS;AACtC,YAAUA,WAAS;AACnB,QAAM,SAAS,YAAY;AAC3B,SAAOA;;CAGT,IAAIC;AACJ,KAAI;AACF,SAAO,MAAM,IAAI;UACVH,KAAc;EACrB,MAAMC,aAAgC;GACpC,IAAI;GACJ,OAAO;;EAET,MAAM,QAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO;AAC5D,WAAS,UAAU;AACnB,YAAUC,WAAS;AACnB,QAAM,SAAS,YAAY;AAC3B,SAAOA;;CAGT,MAAMD,WAAgC;EACpC,IAAI,QAAQ,MAAM,MAAM;EACxB,eAAe,MAAM,iBAAiB,MAAM,iBAAiB,MAAM;EACnE,QAAQ,MAAM;EACd,SAAS,MAAM;EACf,OAAO,MAAM;;CAGf,MAAM,UAAU,SAAS,OAAO;AAChC,KAAI,SAAS;AACX,OAAK;GACH,MAAM;GACN,OAAOJ,kCAAY;GACnB,QAAQC,mCAAa;GACrB,SAAS;;AAEX,QAAM,SAAS,YAAY,MAAM;QAC5B;EACL,MAAM,UAAU,SAAS,SAAS;AAClC,WAAS,UAAU,IAAI,MAAM;AAC7B,YAAU;AACV,QAAM,SAAS,YAAY;;AAG7B,QAAO"}
1	+ {"version":3,"file":"relay.js","names":["normalizedPayload: RelayDelegateRequest","ActionPhase","ActionStatus","res: Response","err: unknown","response: DelegateRelayResult","response","json: any"],"sources":["../../../../src/core/TatchiPasskey/relay.ts"],"sourcesContent":["import { ActionPhase, ActionStatus, type ActionSSEEvent, type DelegateRelayHooksOptions } from '../types/sdkSentEvents';\nimport type { DelegateRelayResult } from '../types/tatchi';\nimport type { SignedDelegate } from '../types/delegate';\nimport type { WasmSignedDelegate } from '../types/signer-worker';\n\nexport interface RelayDelegateRequest {\n hash: string;\n signedDelegate: SignedDelegate \| WasmSignedDelegate;\n}\n\nconst toNumberArray = (value: number[] \| Uint8Array): number[] =>\n Array.isArray(value) ? value : Array.from(value);\n\nconst normalizeSignedDelegateForRelay = (\n signedDelegate: SignedDelegate \| WasmSignedDelegate\n): SignedDelegate => {\n const delegateAction = signedDelegate.delegateAction as SignedDelegate['delegateAction'] & {\n publicKey: { keyType: number; keyData: number[] \| Uint8Array };\n };\n const signature = signedDelegate.signature as SignedDelegate['signature'] & {\n keyType: number;\n signatureData: number[] \| Uint8Array;\n };\n\n return {\n delegateAction: {\n ...delegateAction,\n publicKey: {\n ...delegateAction.publicKey,\n keyData: toNumberArray(delegateAction.publicKey.keyData),\n },\n },\n signature: {\n ...signature,\n signatureData: toNumberArray(signature.signatureData),\n },\n };\n};\n\nexport async function sendDelegateActionViaRelayer(args: {\n url: string;\n payload: RelayDelegateRequest;\n signal?: AbortSignal;\n options?: DelegateRelayHooksOptions;\n}): Promise<DelegateRelayResult> {\n\n const { url, payload, signal, options } = args;\n const normalizedPayload: RelayDelegateRequest = {\n ...payload,\n signedDelegate: normalizeSignedDelegateForRelay(payload.signedDelegate),\n };\n\n const emit = (event: ActionSSEEvent) => options?.onEvent?.(event);\n const emitError = (message: string) => {\n emit({\n step: 0,\n phase: ActionPhase.ACTION_ERROR,\n status: ActionStatus.ERROR,\n message,\n error: message,\n });\n };\n\n emit({\n step: 7,\n phase: ActionPhase.STEP_7_BROADCASTING,\n status: ActionStatus.PROGRESS,\n message: 'Submitting delegate to relayer...',\n });\n\n let res: Response;\n try {\n res = await fetch(url, {\n method: 'POST',\n headers: { 'content-type': 'application/json' },\n body: JSON.stringify(normalizedPayload),\n signal,\n });\n } catch (err: unknown) {\n const error = err instanceof Error ? err : new Error(String(err));\n options?.onError?.(error);\n emitError(error.message);\n await options?.afterCall?.(false);\n throw error;\n }\n\n if (!res.ok) {\n const response: DelegateRelayResult = {\n ok: false,\n error: `Relayer HTTP ${res.status}`,\n };\n options?.onError?.(new Error(response.error));\n emitError(response.error!);\n await options?.afterCall?.(false);\n return response;\n }\n\n let json: any;\n try {\n json = await res.json();\n } catch (err: unknown) {\n const response: DelegateRelayResult = {\n ok: false,\n error: 'Relayer returned non-JSON response',\n };\n const error = err instanceof Error ? err : new Error(String(err));\n options?.onError?.(error);\n emitError(response.error!);\n await options?.afterCall?.(false);\n return response;\n }\n\n const response: DelegateRelayResult = {\n ok: Boolean(json?.ok ?? true),\n relayerTxHash: json?.relayerTxHash ?? json?.transactionId ?? json?.txHash,\n status: json?.status,\n outcome: json?.outcome,\n error: json?.error,\n };\n\n const success = response.ok !== false;\n if (success) {\n emit({\n step: 8,\n phase: ActionPhase.STEP_8_ACTION_COMPLETE,\n status: ActionStatus.SUCCESS,\n message: 'Delegate relayed successfully',\n });\n await options?.afterCall?.(true, response);\n } else {\n const message = response.error \|\| 'Relayer execution failed';\n options?.onError?.(new Error(message));\n emitError(message);\n await options?.afterCall?.(false);\n }\n\n return response;\n}\n"],"mappings":";;;AAUA,MAAM,iBAAiB,UACrB,MAAM,QAAQ,SAAS,QAAQ,MAAM,KAAK;AAE5C,MAAM,mCACJ,mBACmB;CACnB,MAAM,iBAAiB,eAAe;CAGtC,MAAM,YAAY,eAAe;AAKjC,QAAO;EACL,gBAAgB;GACd,GAAG;GACH,WAAW;IACT,GAAG,eAAe;IAClB,SAAS,cAAc,eAAe,UAAU;;;EAGpD,WAAW;GACT,GAAG;GACH,eAAe,cAAc,UAAU;;;;AAK7C,eAAsB,6BAA6B,MAKlB;CAE/B,MAAM,EAAE,KAAK,SAAS,QAAQ,YAAY;CAC1C,MAAMA,oBAA0C;EAC9C,GAAG;EACH,gBAAgB,gCAAgC,QAAQ;;CAG1D,MAAM,QAAQ,UAA0B,SAAS,UAAU;CAC3D,MAAM,aAAa,YAAoB;AACrC,OAAK;GACH,MAAM;GACN,OAAOC,kCAAY;GACnB,QAAQC,mCAAa;GACrB;GACA,OAAO;;;AAIX,MAAK;EACH,MAAM;EACN,OAAOD,kCAAY;EACnB,QAAQC,mCAAa;EACrB,SAAS;;CAGX,IAAIC;AACJ,KAAI;AACF,QAAM,MAAM,MAAM,KAAK;GACrB,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;GACrB;;UAEKC,KAAc;EACrB,MAAM,QAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO;AAC5D,WAAS,UAAU;AACnB,YAAU,MAAM;AAChB,QAAM,SAAS,YAAY;AAC3B,QAAM;;AAGR,KAAI,CAAC,IAAI,IAAI;EACX,MAAMC,aAAgC;GACpC,IAAI;GACJ,OAAO,gBAAgB,IAAI;;AAE7B,WAAS,UAAU,IAAI,MAAMC,WAAS;AACtC,YAAUA,WAAS;AACnB,QAAM,SAAS,YAAY;AAC3B,SAAOA;;CAGT,IAAIC;AACJ,KAAI;AACF,SAAO,MAAM,IAAI;UACVH,KAAc;EACrB,MAAMC,aAAgC;GACpC,IAAI;GACJ,OAAO;;EAET,MAAM,QAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO;AAC5D,WAAS,UAAU;AACnB,YAAUC,WAAS;AACnB,QAAM,SAAS,YAAY;AAC3B,SAAOA;;CAGT,MAAMD,WAAgC;EACpC,IAAI,QAAQ,MAAM,MAAM;EACxB,eAAe,MAAM,iBAAiB,MAAM,iBAAiB,MAAM;EACnE,QAAQ,MAAM;EACd,SAAS,MAAM;EACf,OAAO,MAAM;;CAGf,MAAM,UAAU,SAAS,OAAO;AAChC,KAAI,SAAS;AACX,OAAK;GACH,MAAM;GACN,OAAOJ,kCAAY;GACnB,QAAQC,mCAAa;GACrB,SAAS;;AAEX,QAAM,SAAS,YAAY,MAAM;QAC5B;EACL,MAAM,UAAU,SAAS,SAAS;AAClC,WAAS,UAAU,IAAI,MAAM;AAC7B,YAAU;AACV,QAAM,SAAS,YAAY;;AAG7B,QAAO"}

package/dist/cjs/core/TatchiPasskey/scanDevice.js CHANGED Viewed

@@ -1,16 +1,11 @@
-const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
 const require_validation = require('../../utils/validation.js');
 const require_config = require('../../config.js');
 const require_sdkSentEvents = require('../types/sdkSentEvents.js');
 const require_rpcCalls = require('../rpcCalls.js');
-const require_login = require('./login.js');
 const require_linkDevice = require('../types/linkDevice.js');
+const require_login = require('./login.js');
 //#region src/core/TatchiPasskey/scanDevice.ts
-require_validation.init_validation();
-require_login.init_login();
-require_sdkSentEvents.init_sdkSentEvents();
-require_rpcCalls.init_rpcCalls();
 /**
 * Device1 (original device): Link device using pre-scanned QR data
 */
@@ -28,8 +23,8 @@ async function linkDeviceWithScannedQRData(context, qrData, options) {
 		if (!device1LoginState.isLoggedIn || !device1LoginState.nearAccountId) throw new Error("Device1 must be logged in to authorize device linking");
 		const device1AccountId = device1LoginState.nearAccountId;
 		const fundingAmount = options.fundingAmount;
-		const device2PublicKey = qrData.device2PublicKey;
-		if (!device2PublicKey.startsWith("ed25519:")) throw new Error("Invalid device public key format");
+		const device2PublicKey = require_validation.ensureEd25519Prefix(qrData.device2PublicKey);
+		if (!device2PublicKey || !/^ed25519:/i.test(device2PublicKey)) throw new Error("Invalid device public key format");
 		onEvent?.({
 			step: 3,
 			phase: require_sdkSentEvents.DeviceLinkingPhase.STEP_3_AUTHORIZATION,
@@ -70,7 +65,7 @@ async function linkDeviceWithScannedQRData(context, qrData, options) {
 		});
 		const result = {
 			success: true,
-			device2PublicKey: qrData.device2PublicKey,
+			device2PublicKey,
 			transactionId: addKeyTxResult?.transaction?.hash || storeDeviceLinkingTxResult?.transaction?.hash || "unknown",
 			fundingAmount,
 			linkedToAccount: device1AccountId,

package/dist/cjs/core/TatchiPasskey/scanDevice.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"scanDevice.js","names":["DeviceLinkingPhase","DeviceLinkingStatus","getLoginSession","vrfInputData: VRFInputData","executeDeviceLinkingContractCalls","error: any","DeviceLinkingError","DeviceLinkingErrorCode","DEVICE_LINKING_CONFIG"],"sources":["../../../../src/core/TatchiPasskey/scanDevice.ts"],"sourcesContent":["import type { PasskeyManagerContext } from './index';\nimport { validateNearAccountId } from '../../utils/validation';\nimport { getLoginSession } from './login';\nimport type { VRFInputData } from '../types/vrf-worker';\nimport type {\n DeviceLinkingQRData,\n LinkDeviceResult,\n ScanAndLinkDeviceOptionsDevice1,\n} from '../types/linkDevice';\nimport { DeviceLinkingPhase, DeviceLinkingStatus } from '../types/sdkSentEvents';\nimport { DeviceLinkingError, DeviceLinkingErrorCode } from '../types/linkDevice';\nimport { DEVICE_LINKING_CONFIG } from '../../config.js';\nimport { executeDeviceLinkingContractCalls } from '../rpcCalls';\n\n/*\n Device1 (original device): Link device using pre-scanned QR data\n */\nexport async function linkDeviceWithScannedQRData(\n context: PasskeyManagerContext,\n qrData: DeviceLinkingQRData,\n options: ScanAndLinkDeviceOptionsDevice1\n): Promise<LinkDeviceResult> {\n const { onEvent, onError } = options \|\| {};\n\n try {\n onEvent?.({\n step: 2,\n phase: DeviceLinkingPhase.STEP_2_SCANNING,\n status: DeviceLinkingStatus.PROGRESS,\n message: 'Validating QR data...'\n });\n\n // Validate QR data\n validateDeviceLinkingQRData(qrData);\n\n // 3. Get Device1's current account (the account that will receive the new key)\n const { login: device1LoginState } = await getLoginSession(context);\n\n if (!device1LoginState.isLoggedIn \|\| !device1LoginState.nearAccountId) {\n throw new Error('Device1 must be logged in to authorize device linking');\n }\n\n const device1AccountId = device1LoginState.nearAccountId;\n\n // 4. Execute batched transaction: AddKey + Contract notification\n const fundingAmount = options.fundingAmount;\n\n // Parse the device public key for AddKey action\n const device2PublicKey = qrData.device2PublicKey;\n if (!device2PublicKey.~~startsWith~~(~~'ed25519:'~~)) {\n throw new Error('Invalid device public key format');\n }\n\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.PROGRESS,\n message: `Performing TouchID authentication for device linking...`\n });\n\n const userData = await context.webAuthnManager.getLastUser();\n const nearPublicKeyStr = userData?.clientNearPublicKey;\n if (!nearPublicKeyStr) {\n throw new Error('Client NEAR public key not found in user data');\n }\n // Generate VRF challenge once for both transactions\n const {\n accessKeyInfo,\n nextNonce,\n txBlockHeight,\n txBlockHash\n } = await context.webAuthnManager.getNonceManager().getNonceBlockHashAndHeight(context.nearClient);\n const nextNextNonce = (BigInt(nextNonce) + BigInt(1)).toString();\n const nextNextNextNonce = (BigInt(nextNonce) + BigInt(2)).toString();\n\n const vrfInputData: VRFInputData = {\n userId: device1AccountId,\n rpId: context.webAuthnManager.getRpId(),\n blockHeight: txBlockHeight,\n blockHash: txBlockHash,\n };\n\n const vrfChallenge = await context.webAuthnManager.generateVrfChallengeOnce(vrfInputData);\n\n onEvent?.({\n step: 6,\n phase: DeviceLinkingPhase.STEP_6_REGISTRATION,\n status: DeviceLinkingStatus.PROGRESS,\n message: 'TouchID successful! Signing AddKey transaction...'\n });\n\n // Execute device linking transactions using the centralized RPC function\n const {\n addKeyTxResult,\n storeDeviceLinkingTxResult,\n signedDeleteKeyTransaction\n } = await executeDeviceLinkingContractCalls({\n context,\n device1AccountId,\n device2PublicKey,\n nextNonce,\n nextNextNonce,\n nextNextNextNonce,\n txBlockHash,\n vrfChallenge,\n onEvent,\n confirmationConfigOverride: options?.confirmationConfig,\n confirmerText: options?.confirmerText,\n });\n\n const result = {\n success: true,\n device2PublicKey~~: qrData.device2PublicKey~~,\n transactionId: addKeyTxResult?.transaction?.hash\n \|\| storeDeviceLinkingTxResult?.transaction?.hash\n \|\| 'unknown',\n fundingAmount,\n linkedToAccount: device1AccountId, // Include which account the key was added to\n signedDeleteKeyTransaction\n };\n\n onEvent?.({\n step: 6,\n phase: DeviceLinkingPhase.STEP_6_REGISTRATION,\n status: DeviceLinkingStatus.SUCCESS,\n message: `Device2's key added to ${device1AccountId} successfully!`\n });\n\n return result;\n\n } catch (error: any) {\n console.error('LinkDeviceFlow: linkDeviceWithQRData caught error:', error);\n\n const errorMessage = `Failed to scan and link device: ${error.message}`;\n onError?.(new Error(errorMessage));\n\n throw new DeviceLinkingError(\n errorMessage,\n DeviceLinkingErrorCode.AUTHORIZATION_TIMEOUT,\n 'authorization'\n );\n }\n}\n\nexport function validateDeviceLinkingQRData(qrData: DeviceLinkingQRData): void {\n if (!qrData.device2PublicKey) {\n throw new DeviceLinkingError(\n 'Missing device public key',\n DeviceLinkingErrorCode.INVALID_QR_DATA,\n 'authorization'\n );\n }\n\n if (!qrData.timestamp) {\n throw new DeviceLinkingError(\n 'Missing timestamp',\n DeviceLinkingErrorCode.INVALID_QR_DATA,\n 'authorization'\n );\n }\n\n // Check timestamp is not too old (max 15 minutes)\n const maxAge = DEVICE_LINKING_CONFIG.TIMEOUTS.QR_CODE_MAX_AGE_MS;\n if (Date.now() - qrData.timestamp > maxAge) {\n throw new DeviceLinkingError(\n 'QR code expired',\n DeviceLinkingErrorCode.SESSION_EXPIRED,\n 'authorization'\n );\n }\n\n // Account ID is optional - Device2 discovers it from contract logs\n if (qrData.accountId) {\n validateNearAccountId(qrData.accountId);\n }\n}\n"],"mappings":"~~;;;;;;;;;;;;;;;;AAiBA~~,eAAsB,4BACpB,SACA,QACA,SAC2B;CAC3B,MAAM,EAAE,SAAS,YAAY,WAAW;AAExC,KAAI;AACF,YAAU;GACR,MAAM;GACN,OAAOA,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;AAIX,8BAA4B;EAG5B,MAAM,EAAE,OAAO,sBAAsB,MAAMC,8BAAgB;AAE3D,MAAI,CAAC,kBAAkB,cAAc,CAAC,kBAAkB,cACtD,OAAM,IAAI,MAAM;EAGlB,MAAM,mBAAmB,kBAAkB;EAG3C,MAAM,gBAAgB,QAAQ;EAG9B,MAAM,~~mBAAmB~~,OAAO;~~AAChC~~,MAAI,CAAC,~~iBAAiB~~,~~WAAW~~,~~YAC/B~~,OAAM,IAAI,MAAM;AAGlB,YAAU;GACR,MAAM;GACN,~~OAAOF~~,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;EAGX,MAAM,WAAW,MAAM,QAAQ,gBAAgB;EAC/C,MAAM,mBAAmB,UAAU;AACnC,MAAI,CAAC,iBACH,OAAM,IAAI,MAAM;EAGlB,MAAM,EACJ,eACA,WACA,eACA,gBACE,MAAM,QAAQ,gBAAgB,kBAAkB,2BAA2B,QAAQ;EACvF,MAAM,iBAAiB,OAAO,aAAa,OAAO,IAAI;EACtD,MAAM,qBAAqB,OAAO,aAAa,OAAO,IAAI;EAE1D,~~MAAME~~,eAA6B;GACjC,QAAQ;GACR,MAAM,QAAQ,gBAAgB;GAC9B,aAAa;GACb,WAAW;;EAGb,MAAM,eAAe,MAAM,QAAQ,gBAAgB,yBAAyB;AAE5E,YAAU;GACR,MAAM;GACN,~~OAAOH~~,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;EAIX,MAAM,EACJ,gBACA,4BACA,+BACE,~~MAAMG~~,mDAAkC;GAC1C;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA,4BAA4B,SAAS;GACrC,eAAe,SAAS;;EAG1B,MAAM,SAAS;GACb,SAAS;GACT~~,kBAAkB,OAAO~~;~~GACzB~~,eAAe,gBAAgB,aAAa,QACvC,4BAA4B,aAAa,QACzC;GACL;GACA,iBAAiB;GACjB;;AAGF,YAAU;GACR,MAAM;GACN,~~OAAOJ~~,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS,0BAA0B,iBAAiB;;AAGtD,SAAO;~~UAEAI~~,OAAY;AACnB,UAAQ,MAAM,sDAAsD;EAEpE,MAAM,eAAe,mCAAmC,MAAM;AAC9D,YAAU,IAAI,MAAM;AAEpB,QAAM,IAAIC,sCACR,cACAC,0CAAuB,uBACvB;;;AAKN,SAAgB,4BAA4B,QAAmC;AAC7E,KAAI,CAAC,OAAO,iBACV,OAAM,IAAID,sCACR,6BACAC,0CAAuB,iBACvB;AAIJ,KAAI,CAAC,OAAO,UACV,OAAM,IAAID,sCACR,qBACAC,0CAAuB,iBACvB;CAKJ,MAAM,SAASC,qCAAsB,SAAS;AAC9C,KAAI,KAAK,QAAQ,OAAO,YAAY,OAClC,OAAM,IAAIF,sCACR,mBACAC,0CAAuB,iBACvB;AAKJ,KAAI,OAAO,UACT,0CAAsB,OAAO"}
1	+ {"version":3,"file":"scanDevice.js","names":["DeviceLinkingPhase","DeviceLinkingStatus","getLoginSession","ensureEd25519Prefix","vrfInputData: VRFInputData","executeDeviceLinkingContractCalls","error: any","DeviceLinkingError","DeviceLinkingErrorCode","DEVICE_LINKING_CONFIG"],"sources":["../../../../src/core/TatchiPasskey/scanDevice.ts"],"sourcesContent":["import type { PasskeyManagerContext } from './index';\nimport { validateNearAccountId } from '../../utils/validation';\nimport { getLoginSession } from './login';\nimport type { VRFInputData } from '../types/vrf-worker';\nimport type {\n DeviceLinkingQRData,\n LinkDeviceResult,\n ScanAndLinkDeviceOptionsDevice1,\n} from '../types/linkDevice';\nimport { DeviceLinkingPhase, DeviceLinkingStatus } from '../types/sdkSentEvents';\nimport { DeviceLinkingError, DeviceLinkingErrorCode } from '../types/linkDevice';\nimport { DEVICE_LINKING_CONFIG } from '../../config.js';\nimport { executeDeviceLinkingContractCalls } from '../rpcCalls';\nimport { ensureEd25519Prefix } from '../nearCrypto';\n\n/*\n Device1 (original device): Link device using pre-scanned QR data\n */\nexport async function linkDeviceWithScannedQRData(\n context: PasskeyManagerContext,\n qrData: DeviceLinkingQRData,\n options: ScanAndLinkDeviceOptionsDevice1\n): Promise<LinkDeviceResult> {\n const { onEvent, onError } = options \|\| {};\n\n try {\n onEvent?.({\n step: 2,\n phase: DeviceLinkingPhase.STEP_2_SCANNING,\n status: DeviceLinkingStatus.PROGRESS,\n message: 'Validating QR data...'\n });\n\n // Validate QR data\n validateDeviceLinkingQRData(qrData);\n\n // 3. Get Device1's current account (the account that will receive the new key)\n const { login: device1LoginState } = await getLoginSession(context);\n\n if (!device1LoginState.isLoggedIn \|\| !device1LoginState.nearAccountId) {\n throw new Error('Device1 must be logged in to authorize device linking');\n }\n\n const device1AccountId = device1LoginState.nearAccountId;\n\n // 4. Execute batched transaction: AddKey + Contract notification\n const fundingAmount = options.fundingAmount;\n\n // Parse the device public key for AddKey action\n const device2PublicKey = ensureEd25519Prefix(qrData.device2PublicKey);\n if (!device2PublicKey \|\| !/^ed25519:/i.test(device2PublicKey)) {\n throw new Error('Invalid device public key format');\n }\n\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.PROGRESS,\n message: `Performing TouchID authentication for device linking...`\n });\n\n const userData = await context.webAuthnManager.getLastUser();\n const nearPublicKeyStr = userData?.clientNearPublicKey;\n if (!nearPublicKeyStr) {\n throw new Error('Client NEAR public key not found in user data');\n }\n // Generate VRF challenge once for both transactions\n const {\n accessKeyInfo,\n nextNonce,\n txBlockHeight,\n txBlockHash\n } = await context.webAuthnManager.getNonceManager().getNonceBlockHashAndHeight(context.nearClient);\n const nextNextNonce = (BigInt(nextNonce) + BigInt(1)).toString();\n const nextNextNextNonce = (BigInt(nextNonce) + BigInt(2)).toString();\n\n const vrfInputData: VRFInputData = {\n userId: device1AccountId,\n rpId: context.webAuthnManager.getRpId(),\n blockHeight: txBlockHeight,\n blockHash: txBlockHash,\n };\n\n const vrfChallenge = await context.webAuthnManager.generateVrfChallengeOnce(vrfInputData);\n\n onEvent?.({\n step: 6,\n phase: DeviceLinkingPhase.STEP_6_REGISTRATION,\n status: DeviceLinkingStatus.PROGRESS,\n message: 'TouchID successful! Signing AddKey transaction...'\n });\n\n // Execute device linking transactions using the centralized RPC function\n const {\n addKeyTxResult,\n storeDeviceLinkingTxResult,\n signedDeleteKeyTransaction\n } = await executeDeviceLinkingContractCalls({\n context,\n device1AccountId,\n device2PublicKey,\n nextNonce,\n nextNextNonce,\n nextNextNextNonce,\n txBlockHash,\n vrfChallenge,\n onEvent,\n confirmationConfigOverride: options?.confirmationConfig,\n confirmerText: options?.confirmerText,\n });\n\n const result = {\n success: true,\n device2PublicKey,\n transactionId: addKeyTxResult?.transaction?.hash\n \|\| storeDeviceLinkingTxResult?.transaction?.hash\n \|\| 'unknown',\n fundingAmount,\n linkedToAccount: device1AccountId, // Include which account the key was added to\n signedDeleteKeyTransaction\n };\n\n onEvent?.({\n step: 6,\n phase: DeviceLinkingPhase.STEP_6_REGISTRATION,\n status: DeviceLinkingStatus.SUCCESS,\n message: `Device2's key added to ${device1AccountId} successfully!`\n });\n\n return result;\n\n } catch (error: any) {\n console.error('LinkDeviceFlow: linkDeviceWithQRData caught error:', error);\n\n const errorMessage = `Failed to scan and link device: ${error.message}`;\n onError?.(new Error(errorMessage));\n\n throw new DeviceLinkingError(\n errorMessage,\n DeviceLinkingErrorCode.AUTHORIZATION_TIMEOUT,\n 'authorization'\n );\n }\n}\n\nexport function validateDeviceLinkingQRData(qrData: DeviceLinkingQRData): void {\n if (!qrData.device2PublicKey) {\n throw new DeviceLinkingError(\n 'Missing device public key',\n DeviceLinkingErrorCode.INVALID_QR_DATA,\n 'authorization'\n );\n }\n\n if (!qrData.timestamp) {\n throw new DeviceLinkingError(\n 'Missing timestamp',\n DeviceLinkingErrorCode.INVALID_QR_DATA,\n 'authorization'\n );\n }\n\n // Check timestamp is not too old (max 15 minutes)\n const maxAge = DEVICE_LINKING_CONFIG.TIMEOUTS.QR_CODE_MAX_AGE_MS;\n if (Date.now() - qrData.timestamp > maxAge) {\n throw new DeviceLinkingError(\n 'QR code expired',\n DeviceLinkingErrorCode.SESSION_EXPIRED,\n 'authorization'\n );\n }\n\n // Account ID is optional - Device2 discovers it from contract logs\n if (qrData.accountId) {\n validateNearAccountId(qrData.accountId);\n }\n}\n"],"mappings":";;;;;;;;;;;AAkBA,eAAsB,4BACpB,SACA,QACA,SAC2B;CAC3B,MAAM,EAAE,SAAS,YAAY,WAAW;AAExC,KAAI;AACF,YAAU;GACR,MAAM;GACN,OAAOA,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;AAIX,8BAA4B;EAG5B,MAAM,EAAE,OAAO,sBAAsB,MAAMC,8BAAgB;AAE3D,MAAI,CAAC,kBAAkB,cAAc,CAAC,kBAAkB,cACtD,OAAM,IAAI,MAAM;EAGlB,MAAM,mBAAmB,kBAAkB;EAG3C,MAAM,gBAAgB,QAAQ;EAG9B,MAAM,mBAAmBC,uCAAoB,OAAO;AACpD,MAAI,CAAC,oBAAoB,CAAC,aAAa,KAAK,kBAC1C,OAAM,IAAI,MAAM;AAGlB,YAAU;GACR,MAAM;GACN,OAAOH,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;EAGX,MAAM,WAAW,MAAM,QAAQ,gBAAgB;EAC/C,MAAM,mBAAmB,UAAU;AACnC,MAAI,CAAC,iBACH,OAAM,IAAI,MAAM;EAGlB,MAAM,EACJ,eACA,WACA,eACA,gBACE,MAAM,QAAQ,gBAAgB,kBAAkB,2BAA2B,QAAQ;EACvF,MAAM,iBAAiB,OAAO,aAAa,OAAO,IAAI;EACtD,MAAM,qBAAqB,OAAO,aAAa,OAAO,IAAI;EAE1D,MAAMG,eAA6B;GACjC,QAAQ;GACR,MAAM,QAAQ,gBAAgB;GAC9B,aAAa;GACb,WAAW;;EAGb,MAAM,eAAe,MAAM,QAAQ,gBAAgB,yBAAyB;AAE5E,YAAU;GACR,MAAM;GACN,OAAOJ,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;EAIX,MAAM,EACJ,gBACA,4BACA,+BACE,MAAMI,mDAAkC;GAC1C;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA,4BAA4B,SAAS;GACrC,eAAe,SAAS;;EAG1B,MAAM,SAAS;GACb,SAAS;GACT;GACA,eAAe,gBAAgB,aAAa,QACvC,4BAA4B,aAAa,QACzC;GACL;GACA,iBAAiB;GACjB;;AAGF,YAAU;GACR,MAAM;GACN,OAAOL,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS,0BAA0B,iBAAiB;;AAGtD,SAAO;UAEAK,OAAY;AACnB,UAAQ,MAAM,sDAAsD;EAEpE,MAAM,eAAe,mCAAmC,MAAM;AAC9D,YAAU,IAAI,MAAM;AAEpB,QAAM,IAAIC,sCACR,cACAC,0CAAuB,uBACvB;;;AAKN,SAAgB,4BAA4B,QAAmC;AAC7E,KAAI,CAAC,OAAO,iBACV,OAAM,IAAID,sCACR,6BACAC,0CAAuB,iBACvB;AAIJ,KAAI,CAAC,OAAO,UACV,OAAM,IAAID,sCACR,qBACAC,0CAAuB,iBACvB;CAKJ,MAAM,SAASC,qCAAsB,SAAS;AAC9C,KAAI,KAAK,QAAQ,OAAO,YAAY,OAClC,OAAM,IAAIF,sCACR,mBACAC,0CAAuB,iBACvB;AAKJ,KAAI,OAAO,UACT,0CAAsB,OAAO"}

package/dist/cjs/core/TatchiPasskey/signNEP413.js CHANGED Viewed

@@ -1,8 +1,8 @@
-const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
+const require_signer_worker = require('../types/signer-worker.js');
+const require_base64 = require('../../utils/base64.js');
 const require_sdkSentEvents = require('../types/sdkSentEvents.js');
 //#region src/core/TatchiPasskey/signNEP413.ts
-require_sdkSentEvents.init_sdkSentEvents();
 /**
 * Sign a NEP-413 message using the user's passkey-derived private key
 *
@@ -24,7 +24,9 @@ async function signNEP413Message(args) {
 	const { context, nearAccountId, params, options } = args;
 	const confirmerText = options?.confirmerText;
 	const confirmationConfigOverride = options?.confirmationConfig;
-	const { nearClient, webAuthnManager } = context;
+	const { webAuthnManager } = context;
+	const baseSignerMode = webAuthnManager.getUserPreferences().getSignerMode();
+	const signerMode = require_signer_worker.mergeSignerMode(baseSignerMode, options.signerMode);
 	try {
 		options?.onEvent?.({
 			step: 1,
@@ -35,7 +37,10 @@ async function signNEP413Message(args) {
 		const [vrfStatus, userData] = await Promise.all([webAuthnManager.checkVrfStatus(), webAuthnManager.getLastUser()]);
 		if (!vrfStatus.active) throw new Error("User not authenticated. Please login first.");
 		if (!userData || !userData.clientNearPublicKey) throw new Error(`User data not found for ${nearAccountId}`);
-		const { nextNonce, txBlockHash, txBlockHeight } = await context.webAuthnManager.getNonceManager().getNonceBlockHashAndHeight(nearClient);
+		const nonceBytes = new Uint8Array(32);
+		if (typeof crypto === "undefined" || typeof crypto.getRandomValues !== "function") throw new Error("Secure random not available to generate NEP-413 nonce");
+		crypto.getRandomValues(nonceBytes);
+		const nonce = require_base64.base64Encode(nonceBytes);
 		options?.onEvent?.({
 			step: 5,
 			phase: require_sdkSentEvents.ActionPhase.STEP_5_TRANSACTION_SIGNING_PROGRESS,
@@ -45,9 +50,10 @@ async function signNEP413Message(args) {
 		const result = await context.webAuthnManager.signNEP413Message({
 			message: params.message,
 			recipient: params.recipient,
-			nonce: nextNonce,
+			nonce,
 			state: params.state || null,
 			accountId: nearAccountId,
+			signerMode,
 			title: confirmerText?.title,
 			body: confirmerText?.body,
 			confirmationConfigOverride
@@ -64,6 +70,7 @@ async function signNEP413Message(args) {
 				accountId: result.accountId,
 				publicKey: result.publicKey,
 				signature: result.signature,
+				nonce,
 				state: result.state
 			};
 		} else throw new Error(`NEP-413 signing failed: ${result.error || "Unknown error"}`);

package/dist/cjs/core/TatchiPasskey/signNEP413.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"signNEP413.js","names":["ActionPhase","ActionStatus"],"sources":["../../../../src/core/TatchiPasskey/signNEP413.ts"],"sourcesContent":["import type { PasskeyManagerContext } from './index';\nimport type { SignNEP413HooksOptions } from '../types/sdkSentEvents';\nimport { ActionPhase, ActionStatus } from '../types/sdkSentEvents';\nimport type { AccountId } from '../types/accountIds';\n\n/*\n NEP-413 message signing parameters\n /\nexport interface SignNEP413MessageParams {\n /* The message to sign /\n message: string;\n /* The recipient identifier /\n recipient: string;\n /* Optional state parameter /\n state?: string;\n}\n\n/\n NEP-413 message signing result\n /\nexport interface SignNEP413MessageResult {\n /* Success status /\n success: boolean;\n /* NEAR account ID that signed the message /\n accountId?: string;\n /* Base58-encoded public key /\n publicKey?: string;\n /* Base64-encoded signature /\n signature?: string;\n /* Optional state parameter /\n state?: string;\n /* Error message if signing failed /\n error?: string;\n}\n\n/\n Sign a NEP-413 message using the user's passkey-derived private key\n \n This function implements the NEP-413 standard for off-chain message signing:\n * - Creates a payload with message, recipient, nonce, and state\n * - Serializes using Borsh\n * - Adds NEP-413 prefix (2^31 + 413)\n * - Hashes with SHA-256\n * - Signs with Ed25519\n * - Returns base64-encoded signature\n \n @param context - TatchiPasskey context\n * @param nearAccountId - NEAR account ID to sign with\n * @param params - NEP-413 signing parameters\n * @param options - Action options for event handling\n * @returns Promise resolving to signing result\n */\nexport async function signNEP413Message(args: {\n context: PasskeyManagerContext,\n nearAccountId: AccountId,\n params: SignNEP413MessageParams,\n options?: SignNEP413HooksOptions\n}): Promise<SignNEP413MessageResult> {\n\n const { context, nearAccountId, params, options } = args;\n const confirmerText = options?.confirmerText;\n const confirmationConfigOverride = options?.confirmationConfig;\n const { ~~nearClient,~~ webAuthnManager } = context;\n\n try {\n // Emit preparation event\n options?.onEvent?.({\n step: 1,\n phase: ActionPhase.STEP_1_PREPARATION,\n status: ActionStatus.PROGRESS,\n message: 'Preparing NEP-413 message signing'\n });\n\n // Get user data and VRF status for NEP-413 signing\n const [vrfStatus, userData] = await Promise.all([\n webAuthnManager.checkVrfStatus(),\n webAuthnManager.getLastUser(),\n ]);\n // Check VRF status to ensure user is authenticated\n if (!vrfStatus.active) {\n throw new Error('User not authenticated. Please login first.');\n }\n if (!userData \|\| !userData.clientNearPublicKey) {\n throw new Error(`User data not found for ${nearAccountId}`);\n }\n\n // Generate a ~~nonce~~ + ~~block~~ ~~context for~~ NEP-413 ~~signing\~~n const {\n ~~nextNonce,\~~n ~~txBlockHash,\n txBlockHeight~~\n } = ~~await context.webAuthnManager.getNonceManager~~()~~.getNonceBlockHashAndHeight(nearClient)~~;\n\n // Emit signing progress event\n options?.onEvent?.({\n step: 5,\n phase: ActionPhase.STEP_5_TRANSACTION_SIGNING_PROGRESS,\n status: ActionStatus.PROGRESS,\n message: 'Signing NEP-413 message'\n });\n\n // Send to WebAuthnManager for signing.\n // Note: NEP-413 now uses VRF-driven confirmTxFlow inside WebAuthnManager/SignerWorkerManager;\n // this call will trigger its own confirmation + WebAuthn authentication as needed.\n const result = await context.webAuthnManager.signNEP413Message({\n message: params.message,\n recipient: params.recipient,\n nonce~~: nextNonce~~,\n state: params.state \|\| null,\n accountId: nearAccountId,\n title: confirmerText?.title,\n body: confirmerText?.body,\n confirmationConfigOverride,\n });\n\n if (result.success) {\n // Emit completion event\n options?.onEvent?.({\n step: 8,\n phase: ActionPhase.STEP_8_ACTION_COMPLETE,\n status: ActionStatus.SUCCESS,\n message: 'NEP-413 message signed successfully'\n });\n\n return {\n success: true,\n accountId: result.accountId,\n publicKey: result.publicKey,\n signature: result.signature,\n state: result.state\n };\n } else {\n throw new Error(`NEP-413 signing failed: ${result.error \|\| 'Unknown error'}`);\n }\n\n } catch (error) {\n const errorMessage = error instanceof Error ? error.message : 'Unknown error';\n\n // Emit error event\n options?.onEvent?.({\n step: 0,\n phase: 'action-error' as any,\n status: 'error' as any,\n message: `NEP-413 signing failed: ${errorMessage}`,\n error: errorMessage\n });\n\n options?.onError?.(error instanceof Error ? error : new Error(errorMessage));\n\n return {\n success: false,\n error: errorMessage\n };\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;~~AAoDA~~,eAAsB,kBAAkB,MAKH;CAEnC,MAAM,EAAE,SAAS,eAAe,QAAQ,YAAY;CACpD,MAAM,gBAAgB,SAAS;CAC/B,MAAM,6BAA6B,SAAS;CAC5C,MAAM,EAAE,~~YAAY,~~oBAAoB;~~AAExC~~,KAAI;AAEF,WAAS,UAAU;GACjB,MAAM;GACN,~~OAAOA~~,kCAAY;GACnB,QAAQC,mCAAa;GACrB,SAAS;;EAIX,MAAM,CAAC,WAAW,YAAY,MAAM,QAAQ,IAAI,CAC9C,gBAAgB,kBAChB,gBAAgB;AAGlB,MAAI,CAAC,UAAU,OACb,OAAM,IAAI,MAAM;AAElB,MAAI,CAAC,YAAY,CAAC,SAAS,oBACzB,OAAM,IAAI,MAAM,2BAA2B;EAI7C,MAAM,~~EACJ~~,~~WACA~~,~~aACA~~,~~kBACE~~,MAAM,~~QAAQ~~,gBAAgB,~~kBAAkB~~,~~2BAA2B~~;~~AAG/E~~,WAAS,UAAU;GACjB,MAAM;GACN,~~OAAOD~~,kCAAY;GACnB,QAAQC,mCAAa;GACrB,SAAS;;EAMX,MAAM,SAAS,MAAM,QAAQ,gBAAgB,kBAAkB;GAC7D,SAAS,OAAO;GAChB,WAAW,OAAO;GAClB~~,OAAO~~;~~GACP~~,OAAO,OAAO,SAAS;GACvB,WAAW;GACX,OAAO,eAAe;GACtB,MAAM,eAAe;GACrB;;AAGF,MAAI,OAAO,SAAS;AAElB,YAAS,UAAU;IACjB,MAAM;IACN,OAAOD,kCAAY;IACnB,QAAQC,mCAAa;IACrB,SAAS;;AAGX,UAAO;IACL,SAAS;IACT,WAAW,OAAO;IAClB,WAAW,OAAO;IAClB,WAAW,OAAO;IAClB,OAAO,OAAO;;QAGhB,OAAM,IAAI,MAAM,2BAA2B,OAAO,SAAS;UAGtD,OAAO;EACd,MAAM,eAAe,iBAAiB,QAAQ,MAAM,UAAU;AAG9D,WAAS,UAAU;GACjB,MAAM;GACN,OAAO;GACP,QAAQ;GACR,SAAS,2BAA2B;GACpC,OAAO;;AAGT,WAAS,UAAU,iBAAiB,QAAQ,QAAQ,IAAI,MAAM;AAE9D,SAAO;GACL,SAAS;GACT,OAAO"}
1	+ {"version":3,"file":"signNEP413.js","names":["mergeSignerMode","ActionPhase","ActionStatus","base64Encode"],"sources":["../../../../src/core/TatchiPasskey/signNEP413.ts"],"sourcesContent":["import type { PasskeyManagerContext } from './index';\nimport type { SignNEP413HooksOptions } from '../types/sdkSentEvents';\nimport { ActionPhase, ActionStatus } from '../types/sdkSentEvents';\nimport type { AccountId } from '../types/accountIds';\nimport { mergeSignerMode } from '../types/signer-worker';\nimport { base64Encode } from '../../utils/encoders';\n\n/*\n NEP-413 message signing parameters\n /\nexport interface SignNEP413MessageParams {\n /* The message to sign /\n message: string;\n /* The recipient identifier /\n recipient: string;\n /* Optional state parameter /\n state?: string;\n}\n\n/\n NEP-413 message signing result\n /\nexport interface SignNEP413MessageResult {\n /* Success status /\n success: boolean;\n /* NEAR account ID that signed the message /\n accountId?: string;\n /* Base58-encoded public key /\n publicKey?: string;\n /* Base64-encoded signature /\n signature?: string;\n /* Base64-encoded 32-byte nonce used for signing /\n nonce?: string;\n /* Optional state parameter /\n state?: string;\n /* Error message if signing failed /\n error?: string;\n}\n\n/\n Sign a NEP-413 message using the user's passkey-derived private key\n \n This function implements the NEP-413 standard for off-chain message signing:\n * - Creates a payload with message, recipient, nonce, and state\n * - Serializes using Borsh\n * - Adds NEP-413 prefix (2^31 + 413)\n * - Hashes with SHA-256\n * - Signs with Ed25519\n * - Returns base64-encoded signature\n \n @param context - TatchiPasskey context\n * @param nearAccountId - NEAR account ID to sign with\n * @param params - NEP-413 signing parameters\n * @param options - Action options for event handling\n * @returns Promise resolving to signing result\n */\nexport async function signNEP413Message(args: {\n context: PasskeyManagerContext,\n nearAccountId: AccountId,\n params: SignNEP413MessageParams,\n options: SignNEP413HooksOptions\n}): Promise<SignNEP413MessageResult> {\n\n const { context, nearAccountId, params, options } = args;\n const confirmerText = options?.confirmerText;\n const confirmationConfigOverride = options?.confirmationConfig;\n const { webAuthnManager } = context;\n const baseSignerMode = webAuthnManager.getUserPreferences().getSignerMode();\n const signerMode = mergeSignerMode(baseSignerMode, options.signerMode);\n\n try {\n // Emit preparation event\n options?.onEvent?.({\n step: 1,\n phase: ActionPhase.STEP_1_PREPARATION,\n status: ActionStatus.PROGRESS,\n message: 'Preparing NEP-413 message signing'\n });\n\n // Get user data and VRF status for NEP-413 signing\n const [vrfStatus, userData] = await Promise.all([\n webAuthnManager.checkVrfStatus(),\n webAuthnManager.getLastUser(),\n ]);\n // Check VRF status to ensure user is authenticated\n if (!vrfStatus.active) {\n throw new Error('User not authenticated. Please login first.');\n }\n if (!userData \|\| !userData.clientNearPublicKey) {\n throw new Error(`User data not found for ${nearAccountId}`);\n }\n\n // Generate a random 32-byte nonce (NEP-413 expects base64-encoded nonce bytes).\n const nonceBytes = new Uint8Array(32);\n if (typeof crypto === 'undefined' \|\| typeof crypto.getRandomValues !== 'function') {\n throw new Error('Secure random not available to generate NEP-413 nonce');\n }\n crypto.getRandomValues(nonceBytes);\n const nonce = base64Encode(nonceBytes);\n\n // Emit signing progress event\n options?.onEvent?.({\n step: 5,\n phase: ActionPhase.STEP_5_TRANSACTION_SIGNING_PROGRESS,\n status: ActionStatus.PROGRESS,\n message: 'Signing NEP-413 message'\n });\n\n // Send to WebAuthnManager for signing.\n // Note: NEP-413 now uses VRF-driven confirmTxFlow inside WebAuthnManager/SignerWorkerManager;\n // this call will trigger its own confirmation + WebAuthn authentication as needed.\n const result = await context.webAuthnManager.signNEP413Message({\n message: params.message,\n recipient: params.recipient,\n nonce,\n state: params.state \|\| null,\n accountId: nearAccountId,\n signerMode,\n title: confirmerText?.title,\n body: confirmerText?.body,\n confirmationConfigOverride,\n });\n\n if (result.success) {\n // Emit completion event\n options?.onEvent?.({\n step: 8,\n phase: ActionPhase.STEP_8_ACTION_COMPLETE,\n status: ActionStatus.SUCCESS,\n message: 'NEP-413 message signed successfully'\n });\n\n return {\n success: true,\n accountId: result.accountId,\n publicKey: result.publicKey,\n signature: result.signature,\n nonce,\n state: result.state\n };\n } else {\n throw new Error(`NEP-413 signing failed: ${result.error \|\| 'Unknown error'}`);\n }\n\n } catch (error) {\n const errorMessage = error instanceof Error ? error.message : 'Unknown error';\n\n // Emit error event\n options?.onEvent?.({\n step: 0,\n phase: 'action-error' as any,\n status: 'error' as any,\n message: `NEP-413 signing failed: ${errorMessage}`,\n error: errorMessage\n });\n\n options?.onError?.(error instanceof Error ? error : new Error(errorMessage));\n\n return {\n success: false,\n error: errorMessage\n };\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAwDA,eAAsB,kBAAkB,MAKH;CAEnC,MAAM,EAAE,SAAS,eAAe,QAAQ,YAAY;CACpD,MAAM,gBAAgB,SAAS;CAC/B,MAAM,6BAA6B,SAAS;CAC5C,MAAM,EAAE,oBAAoB;CAC5B,MAAM,iBAAiB,gBAAgB,qBAAqB;CAC5D,MAAM,aAAaA,sCAAgB,gBAAgB,QAAQ;AAE3D,KAAI;AAEF,WAAS,UAAU;GACjB,MAAM;GACN,OAAOC,kCAAY;GACnB,QAAQC,mCAAa;GACrB,SAAS;;EAIX,MAAM,CAAC,WAAW,YAAY,MAAM,QAAQ,IAAI,CAC9C,gBAAgB,kBAChB,gBAAgB;AAGlB,MAAI,CAAC,UAAU,OACb,OAAM,IAAI,MAAM;AAElB,MAAI,CAAC,YAAY,CAAC,SAAS,oBACzB,OAAM,IAAI,MAAM,2BAA2B;EAI7C,MAAM,aAAa,IAAI,WAAW;AAClC,MAAI,OAAO,WAAW,eAAe,OAAO,OAAO,oBAAoB,WACrE,OAAM,IAAI,MAAM;AAElB,SAAO,gBAAgB;EACvB,MAAM,QAAQC,4BAAa;AAG3B,WAAS,UAAU;GACjB,MAAM;GACN,OAAOF,kCAAY;GACnB,QAAQC,mCAAa;GACrB,SAAS;;EAMX,MAAM,SAAS,MAAM,QAAQ,gBAAgB,kBAAkB;GAC7D,SAAS,OAAO;GAChB,WAAW,OAAO;GAClB;GACA,OAAO,OAAO,SAAS;GACvB,WAAW;GACX;GACA,OAAO,eAAe;GACtB,MAAM,eAAe;GACrB;;AAGF,MAAI,OAAO,SAAS;AAElB,YAAS,UAAU;IACjB,MAAM;IACN,OAAOD,kCAAY;IACnB,QAAQC,mCAAa;IACrB,SAAS;;AAGX,UAAO;IACL,SAAS;IACT,WAAW,OAAO;IAClB,WAAW,OAAO;IAClB,WAAW,OAAO;IAClB;IACA,OAAO,OAAO;;QAGhB,OAAM,IAAI,MAAM,2BAA2B,OAAO,SAAS;UAGtD,OAAO;EACd,MAAM,eAAe,iBAAiB,QAAQ,MAAM,UAAU;AAG9D,WAAS,UAAU;GACjB,MAAM;GACN,OAAO;GACP,QAAQ;GACR,SAAS,2BAA2B;GACpC,OAAO;;AAGT,WAAS,UAAU,iBAAiB,QAAQ,QAAQ,IAAI,MAAM;AAE9D,SAAO;GACL,SAAS;GACT,OAAO"}