npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/esm/react/src/core/WebAuthnManager/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","names":["UserPreferencesInstance","NonceManagerInstance","collectAuthenticationCredentialForVrfChallengeImpl","error: any","result: {\n success: boolean;\n vrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n vrfChallenge: VRFChallenge | null;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair | null;\n }","deviceNumber: number","deviceNumberToUse: number | null","credentialId: string","attestationB64u: string","transports: string[]","normalizedRpcCall: RpcCallPayload","error: unknown","keyMaterial: ThresholdEd25519_2p_V1Material"],"sources":["../../../../../../src/core/WebAuthnManager/index.ts"],"sourcesContent":["import {\n IndexedDBManager,\n type ClientUserData,\n type ClientAuthenticatorData,\n type UnifiedIndexedDBManager,\n} from '../IndexedDBManager';\nimport { StoreUserDataInput } from '../IndexedDBManager/passkeyClientDB';\nimport type { ThresholdEd25519_2p_V1Material } from '../IndexedDBManager/passkeyNearKeysDB';\nimport { buildThresholdEd25519Participants2pV1 } from '../../threshold/participants';\nimport { type NearClient, SignedTransaction } from '../NearClient';\nimport { SignerWorkerManager } from './SignerWorkerManager';\nimport { VrfWorkerManager } from './VrfWorkerManager';\nimport { AllowCredential, TouchIdPrompt } from './touchIdPrompt';\nimport { toAccountId } from '../types/accountIds';\nimport { UserPreferencesManager } from './userPreferences';\nimport UserPreferencesInstance from './userPreferences';\nimport { NonceManager } from '../nonceManager';\nimport NonceManagerInstance from '../nonceManager';\nimport {\n EncryptedVRFKeypair,\n ServerEncryptedVrfKeypair,\n VRFInputData,\n VRFChallenge\n} from '../types/vrf-worker';\nimport { ActionType, type ActionArgsWasm, type TransactionInputWasm } from '../types/actions';\nimport type { RegistrationEventStep3, RegistrationHooksOptions, RegistrationSSEEvent, onProgressEvents } from '../types/sdkSentEvents';\nimport type { SignTransactionResult, TatchiConfigs } from '../types/tatchi';\nimport type { AccountId } from '../types/accountIds';\nimport type { AuthenticatorOptions } from '../types/authenticatorOptions';\nimport type { DelegateActionInput } from '../types/delegate';\nimport {\n INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT,\n isSignAddKeyThresholdPublicKeyNoPromptSuccess,\n type ConfirmationConfig,\n type RpcCallPayload,\n type SignerMode,\n type ThresholdBehavior,\n type WasmSignedDelegate,\n} from '../types/signer-worker';\nimport { WebAuthnRegistrationCredential, WebAuthnAuthenticationCredential } from '../types';\nimport { RegistrationCredentialConfirmationPayload } from './SignerWorkerManager/handlers/validation';\nimport { resolveWorkerBaseOrigin, onEmbeddedBaseChange } from '../sdkPaths';\nimport { DEFAULT_WAIT_STATUS, type TransactionContext } from '../types/rpc';\nimport { getLastLoggedInDeviceNumber } from './SignerWorkerManager/getDeviceNumber';\nimport { __isWalletIframeHostMode } from '../WalletIframe/host-mode';\nimport { hasAccessKey } from '../rpcCalls';\nimport { ensureEd25519Prefix } from '../../utils/validation';\nimport { enrollThresholdEd25519KeyHandler } from './threshold/enrollThresholdEd25519Key';\nimport { rotateThresholdEd25519KeyPostRegistrationHandler } from './threshold/rotateThresholdEd25519KeyPostRegistration';\nimport { collectAuthenticationCredentialForVrfChallenge as collectAuthenticationCredentialForVrfChallengeImpl } from './collectAuthenticationCredentialForVrfChallenge';\n\ntype SigningSessionOptions = {\n /** PRF-bearing credential; VRF worker extracts PRF outputs internally */\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n /**\n * Optional wrapKeySalt for WrapKeySeed delivery.\n * When provided, VRF worker will reuse this salt instead of generating a new one.\n */\n wrapKeySalt?: string;\n};\n\n/**\n * WebAuthnManager - Main orchestrator for WebAuthn operations\n *\n * Architecture:\n * - index.ts (this file): Main class orchestrating everything\n * - signerWorkerManager: NEAR transaction signing, and VRF Web3Authn verification RPC calls\n * - vrfWorkerManager: VRF keypair generation, challenge generation\n * - touchIdPrompt: TouchID prompt for biometric authentication\n */\nexport class WebAuthnManager {\n private readonly vrfWorkerManager: VrfWorkerManager;\n private readonly signerWorkerManager: SignerWorkerManager;\n private readonly touchIdPrompt: TouchIdPrompt;\n private readonly userPreferencesManager: UserPreferencesManager;\n private readonly nearClient: NearClient;\n private readonly nonceManager: NonceManager;\n private workerBaseOrigin: string = '';\n // VRF-owned signing session id per account (warm session reuse).\n private activeSigningSessionIds: Map<string, string> = new Map();\n\n readonly tatchiPasskeyConfigs: TatchiConfigs;\n\n constructor(tatchiPasskeyConfigs: TatchiConfigs, nearClient: NearClient) {\n this.tatchiPasskeyConfigs = tatchiPasskeyConfigs;\n this.nearClient = nearClient;\n // Respect rpIdOverride. Safari get() bridge fallback is always enabled.\n this.touchIdPrompt = new TouchIdPrompt(\n tatchiPasskeyConfigs.iframeWallet?.rpIdOverride,\n true,\n );\n this.userPreferencesManager = UserPreferencesInstance;\n // Apply integrator-provided default UI theme (in-memory only; user preferences may override later).\n this.userPreferencesManager.configureWalletTheme?.(tatchiPasskeyConfigs.walletTheme);\n // Apply integrator-provided default signer mode (in-memory only; user preferences may override later).\n this.userPreferencesManager.configureDefaultSignerMode?.(tatchiPasskeyConfigs.signerMode);\n this.nonceManager = NonceManagerInstance;\n const { vrfWorkerConfigs } = tatchiPasskeyConfigs;\n // Group VRF worker configuration and pass context\n this.vrfWorkerManager = new VrfWorkerManager(\n {\n shamirPB64u: vrfWorkerConfigs?.shamir3pass?.p,\n relayServerUrl: vrfWorkerConfigs?.shamir3pass?.relayServerUrl,\n applyServerLockRoute: vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute,\n removeServerLockRoute: vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute,\n },\n {\n touchIdPrompt: this.touchIdPrompt,\n nearClient: this.nearClient,\n indexedDB: IndexedDBManager,\n userPreferencesManager: this.userPreferencesManager,\n nonceManager: this.nonceManager,\n rpIdOverride: this.touchIdPrompt.getRpId(),\n nearExplorerUrl: tatchiPasskeyConfigs.nearExplorerUrl,\n }\n );\n this.signerWorkerManager = new SignerWorkerManager(\n this.vrfWorkerManager,\n nearClient,\n this.userPreferencesManager,\n this.nonceManager,\n this.tatchiPasskeyConfigs.relayer.url,\n tatchiPasskeyConfigs.iframeWallet?.rpIdOverride,\n true,\n tatchiPasskeyConfigs.nearExplorerUrl,\n );\n // VRF worker initializes on-demand with proper error propagation\n\n // Compute initial worker base origin once\n this.workerBaseOrigin = resolveWorkerBaseOrigin() || (typeof window !== 'undefined' ? window.location.origin : '');\n this.signerWorkerManager.setWorkerBaseOrigin(this.workerBaseOrigin);\n this.vrfWorkerManager.setWorkerBaseOrigin?.(this.workerBaseOrigin as any);\n\n // Keep base origin updated if the wallet sets a new embedded base\n if (typeof window !== 'undefined') {\n onEmbeddedBaseChange((url) => {\n const origin = new URL(url, window.location.origin).origin;\n if (origin && origin !== this.workerBaseOrigin) {\n this.workerBaseOrigin = origin;\n this.signerWorkerManager.setWorkerBaseOrigin(origin);\n this.vrfWorkerManager.setWorkerBaseOrigin?.(origin as any);\n }\n });\n }\n\n // Best-effort: load persisted preferences unless we are in app-origin iframe mode,\n // where the wallet origin owns persistence and the app should avoid IndexedDB.\n const shouldAvoidAppOriginIndexedDB =\n !!tatchiPasskeyConfigs.iframeWallet?.walletOrigin && !__isWalletIframeHostMode();\n if (!shouldAvoidAppOriginIndexedDB) {\n void this.userPreferencesManager.initFromIndexedDB().catch(() => undefined);\n }\n }\n\n /**\n * Public pre-warm hook to initialize signer workers ahead of time.\n * Safe to call multiple times; errors are non-fatal.\n */\n prewarmSignerWorkers(): void {\n if (typeof window === 'undefined' || typeof (window as any).Worker === 'undefined') return;\n // Avoid noisy SecurityError in cross‑origin dev: only prewarm when same‑origin\n if (this.workerBaseOrigin && this.workerBaseOrigin !== window.location.origin) return;\n this.signerWorkerManager.preWarmWorkerPool().catch(() => { });\n }\n\n /**\n * Warm critical resources to reduce first-action latency.\n * - Initialize current user (sets up NonceManager and local state)\n * - Prefetch latest block context (and nonce if missing)\n * - Pre-open IndexedDB and warm encrypted key for the active account (best-effort)\n * - Pre-warm signer workers in the background\n */\n async warmCriticalResources(nearAccountId?: string): Promise<void> {\n // Initialize current user first (best-effort)\n if (nearAccountId) {\n await this.initializeCurrentUser(toAccountId(nearAccountId), this.nearClient).catch(() => null);\n }\n // Prefetch latest block/nonce context (best-effort)\n await this.nonceManager.prefetchBlockheight(this.nearClient).catch(() => null);\n // Best-effort: open IndexedDB and warm key data for the account\n if (nearAccountId) {\n await IndexedDBManager.getUserWithKeys(toAccountId(nearAccountId)).catch(() => null);\n }\n // Warm signer workers in background\n this.prewarmSignerWorkers();\n }\n\n /**\n * Resolve the effective rpId used for WebAuthn operations.\n * Delegates to TouchIdPrompt to centralize rpId selection logic.\n */\n getRpId(): string {\n return this.touchIdPrompt.getRpId();\n }\n\n /** Getter for NonceManager instance */\n getNonceManager(): NonceManager {\n return this.nonceManager;\n }\n\n /**\n * WebAuthnManager-level orchestrator for VRF-owned signing sessions.\n * Creates sessionId, wires MessagePort between VRF and signer workers, and ensures cleanup.\n *\n * Overload 1: plain signing session (no WrapKeySeed derivation).\n * Overload 2: signing session with WrapKeySeed derivation, when `SigningSessionOptions`\n * (PRF.first_auth) are provided. wrapKeySalt is generated inside the VRF worker\n * when a new vault entry is being created.\n */\n private generateSessionId(prefix: string): string {\n return (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function')\n ? crypto.randomUUID()\n : `${prefix}-${Date.now()}-${Math.random().toString(16).slice(2)}`;\n }\n\n private toNonNegativeInt(value: unknown): number | undefined {\n if (typeof value !== 'number' || !Number.isFinite(value) || value < 0) return undefined;\n return Math.floor(value);\n }\n\n private resolveSigningSessionPolicy(args: {\n ttlMs?: number;\n remainingUses?: number;\n }): {\n ttlMs: number;\n remainingUses: number;\n } {\n const ttlMs = this.toNonNegativeInt(args.ttlMs)\n ?? this.tatchiPasskeyConfigs.signingSessionDefaults.ttlMs;\n const remainingUses = this.toNonNegativeInt(args.remainingUses)\n ?? this.tatchiPasskeyConfigs.signingSessionDefaults.remainingUses;\n return { ttlMs, remainingUses };\n }\n\n private getOrCreateActiveSigningSessionId(nearAccountId: AccountId): string {\n const key = String(toAccountId(nearAccountId));\n const existing = this.activeSigningSessionIds.get(key);\n if (existing) return existing;\n const sessionId = this.generateSessionId('signing-session');\n this.activeSigningSessionIds.set(key, sessionId);\n return sessionId;\n }\n\n private async withSigningSession<T>(args: {\n sessionId?: string;\n prefix?: string;\n options?: SigningSessionOptions;\n handler: (sessionId: string) => Promise<T>;\n }): Promise<T> {\n if (typeof args.handler !== 'function') {\n throw new Error('withSigningSession requires a handler function');\n }\n const sessionId = args.sessionId || (args.prefix ? this.generateSessionId(args.prefix) : '');\n if (!sessionId) {\n throw new Error('withSigningSession requires a sessionId or prefix');\n }\n return await this.withSigningSessionInternal({ sessionId, options: args.options, handler: args.handler });\n }\n\n private async withSigningSessionInternal<T>(args: {\n sessionId: string;\n options?: SigningSessionOptions;\n handler: (sessionId: string) => Promise<T>;\n }): Promise<T> {\n const signerPort = await this.vrfWorkerManager.createSigningSessionChannel(args.sessionId);\n await this.signerWorkerManager.reserveSignerWorkerSession(args.sessionId, { signerPort });\n try {\n // If PRF is provided, derive WrapKeySeed in VRF worker and deliver it\n // (along with PRF.second if credential is provided) to the signer worker\n // via the reserved MessagePort before invoking the handler.\n if (args.options) {\n await this.vrfWorkerManager.mintSessionKeysAndSendToSigner({\n sessionId: args.sessionId,\n wrapKeySalt: args.options.wrapKeySalt,\n credential: args.options.credential,\n });\n }\n return await args.handler(args.sessionId);\n } finally {\n this.signerWorkerManager.releaseSigningSession(args.sessionId);\n }\n }\n\n /**\n * VRF-driven registration confirmation helper.\n * Runs confirmTxFlow and returns registration artifacts.\n *\n * SecureConfirm wrapper for link-device / registration: prompts user in-iframe to create a\n * new passkey (device N), returning artifacts for subsequent derivation.\n */\n async requestRegistrationCredentialConfirmation(params: {\n nearAccountId: string;\n deviceNumber: number;\n confirmerText?: { title?: string; body?: string };\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n }): Promise<RegistrationCredentialConfirmationPayload> {\n return this.vrfWorkerManager.requestRegistrationCredentialConfirmation({\n nearAccountId: params.nearAccountId,\n deviceNumber: params.deviceNumber,\n confirmerText: params.confirmerText,\n confirmationConfigOverride: params.confirmationConfigOverride,\n contractId: this.tatchiPasskeyConfigs.contractId,\n nearRpcUrl: this.tatchiPasskeyConfigs.nearRpcUrl,\n });\n }\n\n /**\n * Helper for export/decrypt flows:\n * - Read vault wrapKeySalt\n * - Ask VRF worker to run LocalOnly(DECRYPT_PRIVATE_KEY_WITH_PRF) + derive WrapKeySeed\n * - WrapKeySeed travels only over the VRF→Signer MessagePort\n */\n private async confirmDecryptAndDeriveWrapKeySeed(args: {\n nearAccountId: AccountId;\n sessionId: string;\n }): Promise<void> {\n const nearAccountId = toAccountId(args.nearAccountId);\n // Resolve deviceNumber consistently with signer paths so both VRF and signer\n // operate on the same vault entry. Prefer the last logged-in device for this\n // account; if unavailable, fall back to the most recently updated user row.\n const [last, latest] = await Promise.all([\n IndexedDBManager.clientDB.getLastUser().catch(() => null),\n IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId).catch(() => null)\n ]);\n\n const deviceNumber =\n (last && last.nearAccountId === nearAccountId && typeof last.deviceNumber === 'number')\n ? last.deviceNumber\n : (latest && typeof latest.deviceNumber === 'number')\n ? latest.deviceNumber\n : null;\n\n if (deviceNumber === null) {\n throw new Error(`No deviceNumber found for account ${nearAccountId} (decrypt session)`);\n }\n\n // Load VRF material for this device so the VRF worker can unlock the correct\n // VRF keypair in a fresh/offline worker instance.\n const userForDevice = await IndexedDBManager.clientDB.getUserByDevice(nearAccountId, deviceNumber).catch(() => null);\n const encryptedVrfKeypair = userForDevice?.encryptedVrfKeypair;\n\n // Gather encrypted key + wrapKeySalt and public key from IndexedDB for this device\n const keyMaterial = await IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, deviceNumber);\n if (!keyMaterial) {\n console.error('WebAuthnManager: No encrypted key found for decrypt session', {\n nearAccountId: String(nearAccountId),\n deviceNumber,\n });\n throw new Error(`No key material found for account: ${nearAccountId}`);\n }\n const wrapKeySalt = keyMaterial.wrapKeySalt;\n if (!wrapKeySalt) {\n console.error('WebAuthnManager: Missing wrapKeySalt in vault for decrypt session', {\n nearAccountId: String(nearAccountId),\n deviceNumber,\n });\n throw new Error('Missing wrapKeySalt in vault; re-register to upgrade vault format.');\n }\n\n try {\n await this.vrfWorkerManager.prepareDecryptSession({\n sessionId: args.sessionId,\n nearAccountId,\n wrapKeySalt,\n encryptedVrfKeypair,\n });\n } catch (error) {\n console.error('WebAuthnManager: VRF decrypt session failed', {\n nearAccountId: String(nearAccountId),\n sessionId: args.sessionId,\n error,\n });\n throw error;\n }\n }\n\n getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge,\n allowCredentials\n }: {\n nearAccountId: AccountId;\n challenge: VRFChallenge;\n allowCredentials: AllowCredential[];\n }): Promise<WebAuthnAuthenticationCredential> {\n return this.touchIdPrompt.getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge,\n allowCredentials\n });\n }\n\n async collectAuthenticationCredentialForVrfChallenge(args: {\n nearAccountId: AccountId | string;\n vrfChallenge: VRFChallenge;\n onBeforePrompt?: (info: {\n authenticators: ClientAuthenticatorData[];\n authenticatorsForPrompt: ClientAuthenticatorData[];\n vrfChallenge: VRFChallenge;\n }) => void;\n /**\n * When true, include PRF.second in the serialized credential.\n * Use only for explicit recovery/export flows (higher-friction paths).\n */\n includeSecondPrfOutput?: boolean;\n }): Promise<WebAuthnAuthenticationCredential> {\n return collectAuthenticationCredentialForVrfChallengeImpl({\n indexedDB: IndexedDBManager,\n touchIdPrompt: this.touchIdPrompt,\n nearAccountId: args.nearAccountId,\n vrfChallenge: args.vrfChallenge,\n includeSecondPrfOutput: args.includeSecondPrfOutput,\n onBeforePrompt: args.onBeforePrompt,\n });\n }\n\n ///////////////////////////////////////\n // VRF MANAGER FUNCTIONS\n ///////////////////////////////////////\n\n /**\n * Generate a VRF challenge bound to a specific signing/confirm session.\n * The challenge will be cached in the VRF worker under this sessionId so\n * later contract verification (MINT_SESSION_KEYS_AND_SEND_TO_SIGNER) can look it up.\n */\n async generateVrfChallengeForSession(\n sessionId: string,\n vrfInputData: VRFInputData,\n ): Promise<VRFChallenge> {\n return this.vrfWorkerManager.generateVrfChallengeForSession(vrfInputData, sessionId);\n }\n\n /**\n * Generate a one-off VRF challenge without caching it in the VRF worker.\n * Use this for flows that don't perform contract verification or derive\n * wrap keys via MINT_SESSION_KEYS_AND_SEND_TO_SIGNER.\n */\n async generateVrfChallengeOnce(vrfInputData: VRFInputData): Promise<VRFChallenge> {\n return this.vrfWorkerManager.generateVrfChallengeOnce(vrfInputData);\n }\n\n /**\n * Generate VRF keypair for bootstrapping - stores in memory unencrypted temporarily\n * This is used during registration to generate a VRF keypair that will be used for\n * WebAuthn ceremony and later encrypted with the real PRF output\n *\n * @param saveInMemory - Whether to persist the generated VRF keypair in WASM worker memory\n * @param vrfInputParams - Optional parameters to generate VRF challenge/proof in same call\n * @returns VRF public key and optionally VRF challenge data\n */\n async generateVrfKeypairBootstrap(args: {\n saveInMemory: boolean;\n vrfInputData: VRFInputData;\n sessionId?: string;\n }): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge;\n }> {\n return this.vrfWorkerManager.generateVrfKeypairBootstrap({\n vrfInputData: args.vrfInputData,\n saveInMemory: args.saveInMemory,\n sessionId: args.sessionId,\n });\n }\n\n /**\n * Derive NEAR keypair directly from a serialized WebAuthn registration credential\n */\n async deriveNearKeypairAndEncryptFromSerialized({\n credential,\n nearAccountId,\n options,\n }: {\n credential: WebAuthnRegistrationCredential;\n nearAccountId: string;\n options?: {\n authenticatorOptions?: AuthenticatorOptions;\n deviceNumber?: number;\n };\n }): Promise<{\n success: boolean;\n nearAccountId: string;\n publicKey: string;\n chacha20NonceB64u?: string;\n wrapKeySalt?: string;\n error?: string;\n }> {\n return this.withSigningSession({\n prefix: 'reg',\n options: { credential },\n handler: (sessionId) =>\n this.signerWorkerManager.deriveNearKeypairAndEncryptFromSerialized({\n credential,\n nearAccountId: toAccountId(nearAccountId),\n options,\n sessionId,\n }),\n });\n }\n\n /**\n * **Sign Device2 registration transaction with already-stored key (no prompt)**\n *\n * Used by linkDevice flow after key swap to sign the registration transaction\n * without prompting the user again. Reuses the credential collected earlier.\n *\n * Flow:\n * 1. Extract PRF.first from the provided credential\n * 2. Create new MessagePort session for WrapKeySeed delivery\n * 3. VRF worker re-derives WrapKeySeed and sends to signer (with PRF.second)\n * 4. Signer worker retrieves encrypted key from IndexedDB\n * 5. Signer worker decrypts key and signs registration transaction\n *\n * @param nearAccountId - NEAR account ID for Device2\n * @param credential - WebAuthn registration credential from earlier prompt\n * @param vrfChallenge - VRF challenge from earlier prompt\n * @param deviceNumber - Device number for Device2\n * @returns Signed registration transaction ready for submission\n */\n async signDevice2RegistrationWithStoredKey(args: {\n nearAccountId: AccountId;\n credential: WebAuthnRegistrationCredential;\n vrfChallenge: VRFChallenge;\n deviceNumber: number;\n deterministicVrfPublicKey: string;\n }): Promise<{\n success: boolean;\n publicKey?: string;\n signedTransaction?: any;\n error?: string;\n }> {\n const { nearAccountId, credential, vrfChallenge, deviceNumber, deterministicVrfPublicKey } = args;\n const contractId = this.tatchiPasskeyConfigs.contractId;\n\n try {\n // Generate new session ID for this signing operation\n const sessionId = `device2-sign-${Date.now()}-${Math.random().toString(36).slice(2, 11)}`;\n\n // Retrieve encrypted key data and wrapKeySalt from IndexedDB\n const keyMaterial = await IndexedDBManager.nearKeysDB.getLocalKeyMaterial(\n nearAccountId,\n deviceNumber\n );\n if (!keyMaterial) {\n throw new Error(`No key material found for account ${nearAccountId} device ${deviceNumber}`);\n }\n\n const wrapKeySalt = keyMaterial.wrapKeySalt;\n if (!wrapKeySalt) {\n throw new Error(`Missing wrapKeySalt for account ${nearAccountId} device ${deviceNumber}`);\n }\n\n // === STEP 1: Create MessagePort session for WrapKeySeed delivery ===\n const signerPort = await this.vrfWorkerManager.createSigningSessionChannel(sessionId);\n await this.signerWorkerManager.reserveSignerWorkerSession(sessionId, { signerPort });\n\n // === STEP 2: VRF worker re-derives WrapKeySeed and sends to signer ===\n // This extracts PRF.second from the credential and delivers both WrapKeySeed + PRF.second\n // to the signer worker via MessagePort\n await this.vrfWorkerManager.mintSessionKeysAndSendToSigner({\n sessionId,\n wrapKeySalt,\n credential, // VRF will extract PRF.second from this\n });\n\n // === STEP 4: Get transaction context for registration ===\n const transactionContext = await this.nonceManager.getNonceBlockHashAndHeight(this.nearClient);\n\n // === STEP 5: Determine deterministic VRF public key ===\n // Try: provided parameter → authenticator table → fallback to ephemeral VRF from challenge\n let vrfPublicKey = deterministicVrfPublicKey;\n // Fallback to ephemeral VRF public key from challenge if still not found\n const finalVrfPublicKey = vrfPublicKey || vrfChallenge.vrfPublicKey;\n\n // === STEP 6: Signer worker signs registration transaction ===\n // WrapKeySeed and PRF.second are already in signer worker via MessagePort\n const signerResult = await this.signerWorkerManager.registerDevice2WithDerivedKey({\n sessionId,\n nearAccountId,\n credential,\n vrfChallenge,\n transactionContext,\n contractId,\n wrapKeySalt,\n deviceNumber,\n deterministicVrfPublicKey: finalVrfPublicKey,\n });\n\n return {\n success: true,\n publicKey: signerResult.publicKey,\n signedTransaction: signerResult.signedTransaction,\n };\n\n } catch (error: any) {\n console.error('[WebAuthnManager] Failed to sign Device2 registration with stored key:', error);\n return {\n success: false,\n error: error.message || String(error),\n };\n }\n }\n\n /**\n * Derive deterministic VRF keypair from PRF output for recovery\n * Optionally generates VRF challenge if input parameters are provided\n * This enables deterministic VRF key derivation from WebAuthn credentials\n *\n * @param credential - WebAuthn credential containing PRF outputs\n * @param nearAccountId - NEAR account ID for key derivation salt\n * @param vrfInputParams - Optional VRF inputs, if provided will generate a challenge\n * @param saveInMemory - Whether to save the derived VRF keypair in worker memory for immediate use\n * @returns Deterministic VRF public key, optional VRF challenge, and encrypted VRF keypair for storage\n */\n async deriveVrfKeypair({\n credential,\n nearAccountId,\n vrfInputData,\n saveInMemory = true,\n }: {\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n nearAccountId: AccountId;\n vrfInputData?: VRFInputData; // optional, for challenge generation\n saveInMemory?: boolean; // optional, whether to save in worker memory\n }): Promise<{\n success: boolean;\n vrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n vrfChallenge: VRFChallenge | null;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair | null;\n }> {\n try {\n const vrfResult = await this.vrfWorkerManager.deriveVrfKeypairFromPrf({\n credential,\n nearAccountId,\n vrfInputData,\n saveInMemory,\n });\n\n const result: {\n success: boolean;\n vrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n vrfChallenge: VRFChallenge | null;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair | null;\n } = {\n success: true,\n vrfPublicKey: vrfResult.vrfPublicKey,\n encryptedVrfKeypair: vrfResult.encryptedVrfKeypair,\n vrfChallenge: vrfResult.vrfChallenge,\n serverEncryptedVrfKeypair: vrfResult.serverEncryptedVrfKeypair,\n };\n\n return result;\n\n } catch (error: any) {\n console.error('WebAuthnManager: VRF keypair derivation error:', error);\n throw new Error(`VRF keypair derivation failed ${error.message}`);\n }\n }\n\n /**\n * Unlock VRF keypair in memory using PRF output\n * This is called during login to decrypt and load the VRF keypair in-memory\n */\n async unlockVRFKeypair({\n nearAccountId,\n encryptedVrfKeypair,\n credential,\n }: {\n nearAccountId: AccountId;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n credential: WebAuthnAuthenticationCredential | WebAuthnRegistrationCredential;\n }): Promise<{ success: boolean; error?: string }> {\n try {\n const unlockResult = await this.vrfWorkerManager.unlockVrfKeypair({\n credential,\n nearAccountId,\n encryptedVrfKeypair,\n });\n\n if (!unlockResult.success) {\n console.error('WebAuthnManager: VRF keypair unlock failed');\n return { success: false, error: 'VRF keypair unlock failed' };\n }\n\n // Warm up signer workers after a successful unlock to minimize first-use latency\n this.signerWorkerManager.preWarmWorkerPool().catch(() => { });\n\n return { success: true };\n\n } catch (error: any) {\n console.error('WebAuthnManager: VRF keypair unlock failed:', error.message);\n return { success: false, error: error.message };\n }\n }\n\n /**\n * Perform Shamir 3-pass commutative decryption within WASM worker\n * This securely decrypts a server-encrypted KEK (key encryption key)\n * which the wasm worker uses to unlock a key to decrypt the VRF keypair and loads it into memory\n * The server never knows the real value of the KEK, nor the VRF keypair\n */\n async shamir3PassDecryptVrfKeypair({\n nearAccountId,\n kek_s_b64u,\n ciphertextVrfB64u,\n serverKeyId,\n }: {\n nearAccountId: AccountId;\n kek_s_b64u: string;\n ciphertextVrfB64u: string;\n serverKeyId: string;\n }): Promise<{ success: boolean; error?: string }> {\n const result = await this.vrfWorkerManager.shamir3PassDecryptVrfKeypair({\n nearAccountId,\n kek_s_b64u,\n ciphertextVrfB64u,\n serverKeyId,\n });\n\n return {\n success: result.success,\n error: result.error\n };\n }\n\n /**\n * Shamir 3-pass: encrypt the unlocked VRF keypair under the server key\n * Returns a fresh blob to store in IndexedDB for future auto-login.\n */\n async shamir3PassEncryptCurrentVrfKeypair(): Promise<ServerEncryptedVrfKeypair> {\n const res = await this.vrfWorkerManager.shamir3PassEncryptCurrentVrfKeypair();\n return {\n ciphertextVrfB64u: res.ciphertextVrfB64u,\n kek_s_b64u: res.kek_s_b64u,\n serverKeyId: res.serverKeyId,\n };\n }\n\n /**\n * Persist refreshed server-encrypted VRF keypair in IndexedDB.\n */\n async updateServerEncryptedVrfKeypair(\n nearAccountId: AccountId,\n serverEncrypted: ServerEncryptedVrfKeypair\n ): Promise<void> {\n await IndexedDBManager.clientDB.updateUser(nearAccountId, {\n serverEncryptedVrfKeypair: {\n ciphertextVrfB64u: serverEncrypted.ciphertextVrfB64u,\n kek_s_b64u: serverEncrypted.kek_s_b64u,\n serverKeyId: serverEncrypted.serverKeyId,\n updatedAt: Date.now(),\n }\n });\n }\n\n async clearVrfSession(): Promise<void> {\n // In cross-origin dev, skip local worker init; wallet iframe handles PM_LOGOUT\n if (typeof window !== 'undefined' && this.workerBaseOrigin !== window.location.origin) {\n return;\n }\n return await this.vrfWorkerManager.clearVrfSession();\n }\n\n /**\n * Check VRF worker status\n */\n async checkVrfStatus(): Promise<{\n active: boolean;\n nearAccountId: AccountId | null;\n sessionDuration?: number\n }> {\n return this.vrfWorkerManager.checkVrfStatus();\n }\n\n /**\n * Mint/refresh a VRF-owned warm signing session using an already-collected WebAuthn credential.\n *\n * This is used to avoid a second TouchID prompt during login flows when we already\n * performed an authentication ceremony (e.g., to unlock the VRF keypair).\n *\n * Notes:\n * - This method does not initiate a WebAuthn prompt.\n * - Contract verification is optional and only performed when `contractId` + `nearRpcUrl` are provided.\n */\n\t async mintSigningSessionFromCredential(args: {\n\t nearAccountId: AccountId;\n\t credential: WebAuthnAuthenticationCredential;\n\t remainingUses?: number;\n\t ttlMs?: number;\n\t contractId?: string;\n\t nearRpcUrl?: string;\n\t }): Promise<{\n\t sessionId: string;\n\t status: 'active' | 'exhausted' | 'expired' | 'not_found';\n\t remainingUses?: number;\n\t expiresAtMs?: number;\n\t createdAtMs?: number;\n\t }> {\n\t const nearAccountId = toAccountId(args.nearAccountId);\n\t const sessionId = this.getOrCreateActiveSigningSessionId(nearAccountId);\n\n\t // Ensure VRF keypair is active and bound to the same account.\n\t const vrfStatus = await this.vrfWorkerManager.checkVrfStatus();\n\t if (!vrfStatus.active) {\n\t throw new Error('VRF keypair not active in memory. Please log in again.');\n\t }\n\t if (!vrfStatus.nearAccountId || String(vrfStatus.nearAccountId) !== String(nearAccountId)) {\n\t throw new Error('VRF keypair active but bound to a different account. Please log in again.');\n\t }\n\n\t const credentialRawId = String(args.credential?.rawId || '').trim();\n\t const authenticators = await this.getAuthenticatorsByUser(nearAccountId).catch(() => []);\n\n\t // Fetch wrapKeySalt from vault so the derived WrapKeySeed can decrypt the stored NEAR keys.\n\t let deviceNumber: number;\n\t try {\n\t deviceNumber = await getLastLoggedInDeviceNumber(nearAccountId, IndexedDBManager.clientDB);\n\t } catch (err) {\n\t // Fallback: if lastUser was not set (e.g., cross-origin flows), infer the deviceNumber\n\t // from the credential rawId so we can still mint a session for the selected passkey.\n\t if (credentialRawId) {\n\t const matched = authenticators.find((a) => a.credentialId === credentialRawId);\n\t const inferred =\n\t matched && typeof matched.deviceNumber === 'number' && Number.isFinite(matched.deviceNumber)\n\t ? matched.deviceNumber\n\t : null;\n\t if (inferred !== null) {\n\t deviceNumber = inferred;\n\t // Best-effort: align lastUser to the passkey that was actually used.\n\t await this.setLastUser(nearAccountId, inferred).catch(() => undefined);\n\t } else {\n\t throw err;\n\t }\n\t } else {\n\t throw err;\n\t }\n\t }\n\n\t // If multiple passkeys exist, ensure the credential used for session minting matches\n\t // the currently selected/last-user device. This avoids deriving a WrapKeySeed that\n\t // cannot decrypt the expected vault entry.\n\t if (credentialRawId && authenticators.length > 1) {\n\t const { wrongPasskeyError } = await IndexedDBManager.clientDB.ensureCurrentPasskey(\n\t nearAccountId,\n\t authenticators,\n\t credentialRawId,\n\t );\n\t if (wrongPasskeyError) {\n\t throw new Error(wrongPasskeyError);\n\t }\n\t }\n\n\t const keyMaterial = await IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, deviceNumber);\n\t if (!keyMaterial) {\n\t throw new Error(`No key material found for account ${nearAccountId} device ${deviceNumber}`);\n\t }\n\t const wrapKeySalt = keyMaterial.wrapKeySalt;\n if (!wrapKeySalt) {\n throw new Error('Missing wrapKeySalt in vault; re-register to upgrade vault format.');\n }\n\n // Extract PRF.first_auth from the already-collected credential.\n const { ttlMs, remainingUses } = this.resolveSigningSessionPolicy(args);\n\n await this.vrfWorkerManager.mintSessionKeysAndSendToSigner({\n sessionId,\n wrapKeySalt,\n contractId: args.contractId,\n nearRpcUrl: args.nearRpcUrl,\n ttlMs,\n remainingUses,\n credential: args.credential,\n });\n\n return await this.vrfWorkerManager.checkSessionStatus({ sessionId });\n }\n\n /**\n * Introspect the VRF-owned signing session for UI (no prompt, metadata only).\n * Session usage (`remainingUses`) is decremented on `DISPENSE_SESSION_KEY` calls.\n */\n async getWarmSigningSessionStatus(nearAccountId: AccountId): Promise<{\n sessionId: string;\n status: 'active' | 'exhausted' | 'expired' | 'not_found';\n remainingUses?: number;\n expiresAtMs?: number;\n createdAtMs?: number;\n }> {\n const sessionId = this.getOrCreateActiveSigningSessionId(nearAccountId);\n return await this.vrfWorkerManager.checkSessionStatus({ sessionId });\n }\n\n /**\n * Fetch Shamir server key info to support proactive refresh.\n */\n async getShamirKeyInfo(): Promise<{\n currentKeyId: string | null;\n p_b64u: string | null;\n graceKeyIds?: string[]\n } | null> {\n try {\n const relayUrl = this.tatchiPasskeyConfigs?.vrfWorkerConfigs?.shamir3pass?.relayServerUrl;\n if (!relayUrl) return null;\n const res = await fetch(`${relayUrl}/shamir/key-info`, { method: 'GET' });\n if (!res.ok) return null;\n const data = await res.json();\n return {\n currentKeyId: data?.currentKeyId ?? null,\n p_b64u: data?.p_b64u ?? null,\n graceKeyIds: Array.isArray(data?.graceKeyIds) ? data.graceKeyIds : undefined,\n };\n } catch {\n return null;\n }\n }\n\n /**\n * If server key changed and VRF is unlocked in memory, re-encrypt under the new server key.\n * Returns true if refreshed, false otherwise.\n */\n async maybeProactiveShamirRefresh(nearAccountId: AccountId): Promise<boolean> {\n try {\n const relayUrl = this.tatchiPasskeyConfigs?.vrfWorkerConfigs?.shamir3pass?.relayServerUrl;\n if (!relayUrl) return false;\n const userData = await this.getLastUser();\n const stored = userData?.serverEncryptedVrfKeypair;\n if (!stored || !stored.kek_s_b64u || !stored.ciphertextVrfB64u || !stored.serverKeyId) return false;\n\n const keyInfo = await this.getShamirKeyInfo();\n const currentKeyId = keyInfo?.currentKeyId;\n if (!currentKeyId || currentKeyId === stored.serverKeyId) return false;\n\n const status = await this.checkVrfStatus();\n const active = status.active && status.nearAccountId === nearAccountId;\n if (!active) return false;\n\n const refreshed = await this.shamir3PassEncryptCurrentVrfKeypair();\n await this.updateServerEncryptedVrfKeypair(nearAccountId, refreshed);\n return true;\n } catch {\n return false;\n }\n }\n\n ///////////////////////////////////////\n // INDEXEDDB OPERATIONS\n ///////////////////////////////////////\n\n async storeUserData(userData: StoreUserDataInput): Promise<void> {\n await IndexedDBManager.clientDB.storeWebAuthnUserData({\n ...userData,\n deviceNumber: userData.deviceNumber ?? 1,\n version: userData.version || 2,\n });\n }\n\n async getAllUsers(): Promise<ClientUserData[]> {\n return await IndexedDBManager.clientDB.getAllUsers();\n }\n\n async getUserByDevice(nearAccountId: AccountId, deviceNumber: number): Promise<ClientUserData | null> {\n return await IndexedDBManager.clientDB.getUserByDevice(nearAccountId, deviceNumber);\n }\n\n async getLastUser(): Promise<ClientUserData | null> {\n return await IndexedDBManager.clientDB.getLastUser();\n }\n\n async getAuthenticatorsByUser(nearAccountId: AccountId): Promise<ClientAuthenticatorData[]> {\n return await IndexedDBManager.clientDB.getAuthenticatorsByUser(nearAccountId);\n }\n\n async updateLastLogin(nearAccountId: AccountId): Promise<void> {\n return await IndexedDBManager.clientDB.updateLastLogin(nearAccountId);\n }\n\n /**\n * Set the last logged-in user\n * @param nearAccountId - The account ID of the user\n * @param deviceNumber - The device number (defaults to 1)\n */\n async setLastUser(nearAccountId: AccountId, deviceNumber: number = 1): Promise<void> {\n return await IndexedDBManager.clientDB.setLastUser(nearAccountId, deviceNumber);\n }\n\n\n /**\n * Initialize current user authentication state\n * This should be called after VRF keypair is successfully unlocked in memory\n * to ensure the user is properly logged in and can perform transactions\n *\n * @param nearAccountId - The NEAR account ID to initialize\n * @param nearClient - The NEAR client for nonce prefetching\n */\n async initializeCurrentUser(\n nearAccountId: AccountId,\n nearClient?: NearClient,\n ): Promise<void> {\n const accountId = toAccountId(nearAccountId);\n\n // Set as last user for future sessions, preserving the current deviceNumber\n // when it is already known for this account.\n let deviceNumberToUse: number | null = null;\n const lastUser = await IndexedDBManager.clientDB.getLastUser().catch(() => null);\n if (\n lastUser &&\n toAccountId(lastUser.nearAccountId) === accountId &&\n Number.isFinite(lastUser.deviceNumber)\n ) {\n deviceNumberToUse = lastUser.deviceNumber;\n }\n\n if (deviceNumberToUse === null) {\n const userForAccount = await IndexedDBManager.clientDB\n .getUserByDevice(accountId, 1)\n .catch(() => null);\n if (userForAccount && Number.isFinite(userForAccount.deviceNumber)) {\n deviceNumberToUse = userForAccount.deviceNumber;\n }\n }\n\n if (deviceNumberToUse === null) {\n deviceNumberToUse = 1;\n }\n\n await this.setLastUser(accountId, deviceNumberToUse);\n\n // Set as current user for immediate use\n this.userPreferencesManager.setCurrentUser(accountId);\n // Ensure confirmation preferences are loaded before callers read them (best-effort)\n await this.userPreferencesManager.reloadUserSettings().catch(() => undefined);\n\n // Initialize NonceManager with the selected user's public key (best-effort)\n const userData = await IndexedDBManager.clientDB\n .getUserByDevice(accountId, deviceNumberToUse)\n .catch(() => null);\n if (userData && userData.clientNearPublicKey) {\n this.nonceManager.initializeUser(accountId, userData.clientNearPublicKey);\n }\n\n // Prefetch block height for better UX (non-fatal if it fails and nearClient is provided)\n if (nearClient) {\n await this.nonceManager\n .prefetchBlockheight(nearClient)\n .catch((prefetchErr) => console.debug('Nonce prefetch after authentication state initialization failed (non-fatal):', prefetchErr));\n }\n }\n\n async registerUser(storeUserData: StoreUserDataInput): Promise<ClientUserData> {\n return await IndexedDBManager.clientDB.registerUser(storeUserData);\n }\n\n async storeAuthenticator(authenticatorData: {\n credentialId: string;\n credentialPublicKey: Uint8Array;\n transports?: string[];\n name?: string;\n nearAccountId: AccountId;\n registered: string;\n syncedAt: string;\n vrfPublicKey: string;\n deviceNumber?: number;\n }): Promise<void> {\n const deviceNumber = Number(authenticatorData.deviceNumber);\n const normalizedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : 1;\n const authData = {\n ...authenticatorData,\n nearAccountId: toAccountId(authenticatorData.nearAccountId),\n deviceNumber: normalizedDeviceNumber, // Default to device 1 (1-indexed)\n };\n return await IndexedDBManager.clientDB.storeAuthenticator(authData);\n }\n\n extractUsername(nearAccountId: AccountId): string {\n return IndexedDBManager.clientDB.extractUsername(nearAccountId);\n }\n\n async atomicOperation<T>(callback: (db: any) => Promise<T>): Promise<T> {\n return await IndexedDBManager.clientDB.atomicOperation(callback);\n }\n\n async rollbackUserRegistration(nearAccountId: AccountId): Promise<void> {\n return await IndexedDBManager.clientDB.rollbackUserRegistration(nearAccountId);\n }\n\n async hasPasskeyCredential(nearAccountId: AccountId): Promise<boolean> {\n return await IndexedDBManager.clientDB.hasPasskeyCredential(nearAccountId);\n }\n\n /**\n * Atomically store all registration data (user, authenticator, VRF credentials)\n */\n async atomicStoreRegistrationData({\n nearAccountId,\n credential,\n publicKey,\n encryptedVrfKeypair,\n vrfPublicKey,\n serverEncryptedVrfKeypair,\n }: {\n nearAccountId: AccountId;\n credential: WebAuthnRegistrationCredential;\n publicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n vrfPublicKey: string;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair | null;\n }): Promise<void> {\n await this.atomicOperation(async (db) => {\n // Store credential for authentication\n const credentialId: string = credential.rawId;\n const attestationB64u: string = credential.response.attestationObject;\n const transports: string[] = credential.response?.transports;\n\n await this.storeAuthenticator({\n nearAccountId: nearAccountId,\n credentialId: credentialId,\n credentialPublicKey: await this.extractCosePublicKey(attestationB64u),\n transports,\n name: `VRF Passkey for ${this.extractUsername(nearAccountId)}`,\n registered: new Date().toISOString(),\n syncedAt: new Date().toISOString(),\n vrfPublicKey: vrfPublicKey,\n });\n\n // Store WebAuthn user data with encrypted VRF credentials\n await this.storeUserData({\n nearAccountId,\n deviceNumber: 1,\n clientNearPublicKey: publicKey,\n lastUpdated: Date.now(),\n passkeyCredential: {\n id: credential.id,\n rawId: credentialId\n },\n encryptedVrfKeypair: {\n encryptedVrfDataB64u: encryptedVrfKeypair.encryptedVrfDataB64u,\n chacha20NonceB64u: encryptedVrfKeypair.chacha20NonceB64u,\n },\n version: 2,\n serverEncryptedVrfKeypair: serverEncryptedVrfKeypair ? {\n ciphertextVrfB64u: serverEncryptedVrfKeypair?.ciphertextVrfB64u,\n kek_s_b64u: serverEncryptedVrfKeypair?.kek_s_b64u,\n serverKeyId: serverEncryptedVrfKeypair?.serverKeyId,\n updatedAt: Date.now(),\n } : undefined,\n });\n\n return true;\n });\n }\n\n ///////////////////////////////////////\n // SIGNER WASM WORKER OPERATIONS\n ///////////////////////////////////////\n\n /**\n * Transaction signing with contract verification and progress updates.\n * Demonstrates the \"streaming\" worker pattern similar to SSE.\n *\n * Requires a successful TouchID/biometric prompt before transaction signing in wasm worker\n * Automatically verifies the authentication with the web3authn contract.\n *\n * @param transactions - Transaction payload containing:\n * - receiverId: NEAR account ID receiving the transaction\n * - actions: Array of NEAR actions to execute\n * @param rpcCall: RpcCallPayload containing:\n * - contractId: Web3Authn contract ID for verification\n * - nearRpcUrl: NEAR RPC endpoint URL\n * - nearAccountId: NEAR account ID performing the transaction\n * @param confirmationConfigOverride: Optional confirmation configuration override\n * @param onEvent: Optional callback for progress updates during signing\n * @param onEvent - Optional callback for progress updates during signing\n */\n async signTransactionsWithActions({\n transactions,\n rpcCall,\n signerMode,\n confirmationConfigOverride,\n title,\n body,\n onEvent,\n }: {\n transactions: TransactionInputWasm[],\n rpcCall: RpcCallPayload,\n signerMode: SignerMode;\n // Accept partial override; merging happens in handlers layer\n confirmationConfigOverride?: Partial<ConfirmationConfig>,\n title?: string;\n body?: string;\n onEvent?: (update: onProgressEvents) => void,\n }): Promise<SignTransactionResult[]> {\n return this.withSigningSession({\n sessionId: this.getOrCreateActiveSigningSessionId(toAccountId(rpcCall.nearAccountId)),\n handler: (sessionId) =>\n this.signerWorkerManager.signTransactionsWithActions({\n transactions,\n rpcCall,\n signerMode,\n confirmationConfigOverride,\n title,\n body,\n onEvent,\n sessionId,\n }),\n });\n }\n\n /**\n * Sign AddKey(thresholdPublicKey) for `receiverId === nearAccountId` without running confirmTxFlow.\n *\n * This is a narrowly-scoped, internal-only helper for post-registration activation flows where\n * the caller already has a PRF-bearing credential in memory (e.g., immediately after registration)\n * and wants to avoid an extra TouchID/WebAuthn prompt.\n */\n async signAddKeyThresholdPublicKeyNoPrompt(args: {\n nearAccountId: AccountId | string;\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n wrapKeySalt: string;\n transactionContext: TransactionContext;\n thresholdPublicKey: string;\n relayerVerifyingShareB64u: string;\n clientParticipantId?: number;\n relayerParticipantId?: number;\n deviceNumber?: number;\n onEvent?: (update: onProgressEvents) => void;\n }): Promise<SignTransactionResult> {\n const nearAccountId = toAccountId(args.nearAccountId);\n const wrapKeySalt = args.wrapKeySalt;\n if (!wrapKeySalt) throw new Error('Missing wrapKeySalt for AddKey(thresholdPublicKey) signing');\n if (!args.credential) throw new Error('Missing credential for AddKey(thresholdPublicKey) signing');\n if (!args.transactionContext) throw new Error('Missing transactionContext for no-prompt signing');\n const thresholdPublicKey = ensureEd25519Prefix(args.thresholdPublicKey);\n if (!thresholdPublicKey) throw new Error('Missing thresholdPublicKey for AddKey(thresholdPublicKey) signing');\n const relayerVerifyingShareB64u = args.relayerVerifyingShareB64u;\n if (!relayerVerifyingShareB64u) throw new Error('Missing relayerVerifyingShareB64u for AddKey(thresholdPublicKey) signing');\n\n const deviceNumber = Number(args.deviceNumber);\n const resolvedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1\n ? deviceNumber\n : await getLastLoggedInDeviceNumber(nearAccountId, IndexedDBManager.clientDB).catch(() => 1);\n\n const localKeyMaterial = await IndexedDBManager.nearKeysDB.getLocalKeyMaterial(\n nearAccountId,\n resolvedDeviceNumber,\n );\n if (!localKeyMaterial) {\n throw new Error(`No local key material found for account ${nearAccountId} device ${resolvedDeviceNumber}`);\n }\n\n if (localKeyMaterial.wrapKeySalt !== wrapKeySalt) {\n throw new Error('wrapKeySalt mismatch for AddKey(thresholdPublicKey) signing');\n }\n\n return await this.withSigningSession({\n prefix: 'no-prompt-add-threshold-key',\n options: { credential: args.credential, wrapKeySalt },\n handler: async (sessionId) => {\n const response = await this.signerWorkerManager.getContext().sendMessage({\n sessionId,\n message: {\n type: INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT,\n payload: {\n createdAt: Date.now(),\n decryption: {\n encryptedPrivateKeyData: localKeyMaterial.encryptedSk,\n encryptedPrivateKeyChacha20NonceB64u: localKeyMaterial.chacha20NonceB64u,\n },\n transactionContext: args.transactionContext,\n nearAccountId,\n thresholdPublicKey,\n relayerVerifyingShareB64u,\n clientParticipantId: typeof args.clientParticipantId === 'number' ? args.clientParticipantId : undefined,\n relayerParticipantId: typeof args.relayerParticipantId === 'number' ? args.relayerParticipantId : undefined,\n },\n },\n onEvent: args.onEvent,\n });\n\n if (!isSignAddKeyThresholdPublicKeyNoPromptSuccess(response)) {\n throw new Error('AddKey(thresholdPublicKey) signing failed');\n }\n if (!response.payload.success) {\n throw new Error(response.payload.error || 'AddKey(thresholdPublicKey) signing failed');\n }\n\n const signedTransactions = response.payload.signedTransactions || [];\n if (signedTransactions.length !== 1) {\n throw new Error(`Expected 1 signed transaction but received ${signedTransactions.length}`);\n }\n\n const signedTx = signedTransactions[0];\n if (!signedTx || !(signedTx as any).transaction || !(signedTx as any).signature) {\n throw new Error('Incomplete signed transaction data received for AddKey(thresholdPublicKey)');\n }\n return {\n signedTransaction: new SignedTransaction({\n transaction: (signedTx as any).transaction,\n signature: (signedTx as any).signature,\n borsh_bytes: Array.from((signedTx as any).borshBytes || []),\n }),\n nearAccountId: String(nearAccountId),\n logs: response.payload.logs || [],\n };\n },\n });\n }\n\n async signDelegateAction({\n delegate,\n rpcCall,\n signerMode,\n confirmationConfigOverride,\n title,\n body,\n onEvent,\n }: {\n delegate: DelegateActionInput;\n rpcCall: RpcCallPayload;\n signerMode: SignerMode;\n // Accept partial override; merging happens in handlers layer\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n title?: string;\n body?: string;\n onEvent?: (update: onProgressEvents) => void;\n }): Promise<{\n signedDelegate: WasmSignedDelegate;\n hash: string;\n nearAccountId: AccountId;\n logs?: string[];\n }> {\n const nearAccountId = toAccountId(rpcCall.nearAccountId || delegate.senderId);\n const normalizedRpcCall: RpcCallPayload = {\n contractId: rpcCall.contractId || this.tatchiPasskeyConfigs.contractId,\n nearRpcUrl: rpcCall.nearRpcUrl || this.tatchiPasskeyConfigs.nearRpcUrl,\n nearAccountId,\n };\n\n try {\n const activeSessionId = this.getOrCreateActiveSigningSessionId(nearAccountId);\n return await this.withSigningSession({\n sessionId: activeSessionId,\n handler: (sessionId) => {\n console.debug('[WebAuthnManager][delegate] session created', { sessionId });\n return this.signerWorkerManager.signDelegateAction({\n delegate,\n rpcCall: normalizedRpcCall,\n signerMode,\n confirmationConfigOverride,\n title,\n body,\n onEvent,\n sessionId,\n });\n }\n });\n } catch (err) {\n // eslint-disable-next-line no-console\n console.error('[WebAuthnManager][delegate] failed', err);\n throw err;\n }\n }\n\n async signNEP413Message(payload: {\n message: string;\n recipient: string;\n nonce: string;\n state: string | null;\n accountId: AccountId;\n signerMode: SignerMode;\n title?: string;\n body?: string;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n }): Promise<{\n success: boolean;\n accountId: string;\n publicKey: string;\n signature: string;\n state?: string;\n error?: string;\n }> {\n try {\n const activeSessionId = this.getOrCreateActiveSigningSessionId(payload.accountId);\n const contractId = this.tatchiPasskeyConfigs.contractId;\n const nearRpcUrl = (this.tatchiPasskeyConfigs.nearRpcUrl.split(',')[0] || this.tatchiPasskeyConfigs.nearRpcUrl);\n const result = await this.withSigningSession({\n sessionId: activeSessionId,\n handler: (sessionId) =>\n this.signerWorkerManager.signNep413Message({ ...payload, sessionId, contractId, nearRpcUrl }),\n });\n if (result.success) {\n return result;\n } else {\n throw new Error(`NEP-413 signing failed: ${result.error || 'Unknown error'}`);\n }\n } catch (error: any) {\n console.error('WebAuthnManager: NEP-413 signing error:', error);\n return {\n success: false,\n accountId: '',\n publicKey: '',\n signature: '',\n error: error.message || 'Unknown error'\n };\n }\n }\n\n // === COSE OPERATIONS ===\n\n /**\n * Extract COSE public key from WebAuthn attestation object using WASM worker\n */\n async extractCosePublicKey(attestationObjectBase64url: string): Promise<Uint8Array> {\n return await this.signerWorkerManager.extractCosePublicKey(attestationObjectBase64url);\n }\n\n ///////////////////////////////////////\n // PRIVATE KEY EXPORT (Drawer/Modal in sandboxed iframe)\n ///////////////////////////////////////\n\n /** Worker-driven export: two-phase V2 (collect PRF → decrypt → show UI) */\n async exportNearKeypairWithUIWorkerDriven(\n nearAccountId: AccountId,\n options?: { variant?: 'drawer' | 'modal', theme?: 'dark' | 'light' }\n ): Promise<void> {\n await this.withSigningSession({\n prefix: 'export-session', handler: async (sessionId) => {\n // Phase 1: collect PRF via LocalOnly(DECRYPT_PRIVATE_KEY_WITH_PRF) inside VRF worker\n // and derive WrapKeySeed with the vault-provided wrapKeySalt.\n await this.confirmDecryptAndDeriveWrapKeySeed({ nearAccountId, sessionId });\n\n // Phase 2 + 3: decrypt inside signer worker using the reserved session,\n // then show the export viewer UI.\n return this.signerWorkerManager.exportNearKeypairUi({\n nearAccountId,\n variant: options?.variant,\n theme: options?.theme,\n sessionId,\n });\n }\n });\n }\n\n async exportNearKeypairWithUI(\n nearAccountId: AccountId,\n options?: {\n variant?: 'drawer' | 'modal';\n theme?: 'dark' | 'light'\n }\n ): Promise<{ accountId: string; publicKey: string; privateKey: string }> {\n // Route to worker-driven two-phase flow. UI is shown inside the wallet host; no secrets are returned.\n await this.exportNearKeypairWithUIWorkerDriven(nearAccountId, options);\n // Surface the freshest device key for this account to the caller.\n // Prefer last user when it matches the account, else pick the most recently\n // updated user record for this account.\n let userData = await this.getLastUser();\n if (!userData || userData.nearAccountId !== nearAccountId) {\n userData = await IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId);\n }\n return {\n accountId: String(nearAccountId),\n publicKey: userData?.clientNearPublicKey ?? '',\n privateKey: '',\n };\n }\n\n ///////////////////////////////////////\n // REGISTRATION\n ///////////////////////////////////////\n\n async checkCanRegisterUser({\n contractId,\n credential,\n vrfChallenge,\n authenticatorOptions,\n onEvent,\n }: {\n contractId: string,\n credential: WebAuthnRegistrationCredential,\n vrfChallenge: VRFChallenge,\n authenticatorOptions?: AuthenticatorOptions;\n onEvent?: (update: RegistrationEventStep3) => void\n }): Promise<{\n success: boolean;\n verified?: boolean;\n registrationInfo?: any;\n logs?: string[];\n signedTransactionBorsh?: number[];\n error?: string;\n }> {\n return await this.signerWorkerManager.checkCanRegisterUser({\n contractId,\n credential,\n vrfChallenge,\n authenticatorOptions,\n onEvent,\n nearRpcUrl: this.tatchiPasskeyConfigs.nearRpcUrl,\n });\n }\n\n ///////////////////////////////////////\n // ACCOUNT RECOVERY\n ///////////////////////////////////////\n\n /**\n * Recover keypair from authentication credential for account recovery\n * Uses dual PRF outputs to re-derive the same NEAR keypair and re-encrypt it\n * @param challenge - Random challenge for WebAuthn authentication ceremony\n * @param authenticationCredential - The authentication credential with dual PRF outputs\n * @param accountIdHint - Optional account ID hint for recovery\n * @returns Public key and encrypted private key for secure storage\n */\n async recoverKeypairFromPasskey(\n authenticationCredential: WebAuthnAuthenticationCredential,\n accountIdHint?: string,\n ): Promise<{\n publicKey: string;\n encryptedPrivateKey: string;\n /**\n * Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key.\n */\n chacha20NonceB64u: string;\n accountIdHint?: string;\n wrapKeySalt: string;\n stored?: boolean;\n }> {\n try {\n // Verify we have an authentication credential (not registration)\n if (!authenticationCredential) {\n throw new Error(\n 'Authentication credential required for account recovery. ' +\n 'Use an existing credential with dual PRF outputs to re-derive the same NEAR keypair.'\n );\n }\n\n // Verify dual PRF outputs are available\n const prfResults = authenticationCredential.clientExtensionResults?.prf?.results;\n if (!prfResults?.first || !prfResults?.second) {\n throw new Error('Dual PRF outputs required for account recovery - both AES and Ed25519 PRF outputs must be available');\n }\n\n // Extract PRF.first for WrapKeySeed derivation\n // Orchestrate a VRF-owned signing session with WrapKeySeed derivation, then ask\n // the signer to recover and re-encrypt the NEAR keypair.\n const result = await this.withSigningSession({\n prefix: 'recover',\n options: { credential: authenticationCredential },\n handler: (sessionId) =>\n this.signerWorkerManager.recoverKeypairFromPasskey({\n credential: authenticationCredential,\n accountIdHint,\n sessionId,\n }),\n });\n return result;\n\n } catch (error: any) {\n console.error('WebAuthnManager: Deterministic keypair derivation error:', error);\n throw new Error(`Deterministic keypair derivation failed: ${error.message}`);\n }\n }\n\n async getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge,\n credentialIds,\n }: {\n nearAccountId: AccountId;\n challenge: VRFChallenge,\n credentialIds: string[];\n }): Promise<WebAuthnAuthenticationCredential> {\n // Same as getAuthenticationCredentialsSerialized but returns both PRF outputs (PRF.first + PRF.second).\n return this.touchIdPrompt.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge,\n allowCredentials: credentialIds.map(id => ({\n id: id,\n type: 'public-key',\n transports: ['internal', 'hybrid', 'usb', 'ble'] as AuthenticatorTransport[]\n })),\n });\n }\n\n /**\n * Sign transaction with raw private key\n * for key replacement in device linking\n * No TouchID/PRF required - uses provided private key directly\n */\n async signTransactionWithKeyPair({\n nearPrivateKey,\n signerAccountId,\n receiverId,\n nonce,\n blockHash,\n actions\n }: {\n nearPrivateKey: string;\n signerAccountId: string;\n receiverId: string;\n nonce: string;\n blockHash: string;\n actions: ActionArgsWasm[];\n }): Promise<{\n signedTransaction: SignedTransaction;\n logs?: string[];\n }> {\n return await this.signerWorkerManager.signTransactionWithKeyPair({\n nearPrivateKey,\n signerAccountId,\n receiverId,\n nonce,\n blockHash,\n actions\n });\n }\n\n // ==============================\n // Threshold Signing\n // ==============================\n\n /**\n * Derive the deterministic threshold client verifying share (2-of-2 ed25519) from WrapKeySeed.\n * This is safe to call during registration because it only requires the PRF-bearing credential\n * (no on-chain verification needed) and returns public material only.\n */\n async deriveThresholdEd25519ClientVerifyingShareFromCredential(args: {\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n nearAccountId: AccountId | string;\n wrapKeySalt?: string;\n }): Promise<{\n success: boolean;\n nearAccountId: string;\n clientVerifyingShareB64u: string;\n wrapKeySalt: string;\n error?: string;\n }> {\n const nearAccountId = toAccountId(args.nearAccountId);\n try {\n return await this.withSigningSession({\n prefix: 'threshold-client-share',\n options: { credential: args.credential, wrapKeySalt: args.wrapKeySalt },\n handler: (sessionId) =>\n this.signerWorkerManager.deriveThresholdEd25519ClientVerifyingShare({\n sessionId,\n nearAccountId,\n }),\n });\n } catch (error: unknown) {\n const message = String((error as { message?: unknown })?.message ?? error);\n return {\n success: false,\n nearAccountId,\n clientVerifyingShareB64u: '',\n wrapKeySalt: '',\n error: message,\n };\n }\n }\n\n /**\n * Threshold key enrollment (post-registration):\n * prompts for a dual-PRF WebAuthn authentication to obtain PRF.first/second,\n * then runs the `/threshold-ed25519/keygen` enrollment flow.\n *\n * This is intended to be called only after the passkey is registered on-chain.\n */\n async enrollThresholdEd25519KeyPostRegistration(args: {\n nearAccountId: AccountId | string;\n deviceNumber?: number;\n }): Promise<{\n success: boolean;\n publicKey: string;\n relayerKeyId: string;\n wrapKeySalt: string;\n error?: string;\n }> {\n const nearAccountId = toAccountId(args.nearAccountId);\n\n try {\n const rpId = this.touchIdPrompt.getRpId();\n if (!rpId) throw new Error('Missing rpId for WebAuthn VRF challenge');\n\n // Generate a fresh VRF challenge for a dual-PRF authentication prompt (PRF.first + PRF.second).\n const block = await this.nearClient.viewBlock({ finality: 'final' } as any);\n const blockHeight = String((block as any)?.header?.height ?? '');\n const blockHash = String((block as any)?.header?.hash ?? '');\n if (!blockHeight || !blockHash) throw new Error('Failed to fetch NEAR block context for VRF challenge');\n\n const vrfChallenge = await this.vrfWorkerManager.generateVrfChallengeOnce({\n userId: nearAccountId,\n rpId,\n blockHeight,\n blockHash,\n });\n\n const authenticators = await this.getAuthenticatorsByUser(nearAccountId);\n if (!authenticators.length) {\n throw new Error(`No passkey authenticators found for account ${nearAccountId}`);\n }\n\n const authCredential = await this.collectAuthenticationCredentialForVrfChallenge({\n nearAccountId,\n vrfChallenge,\n includeSecondPrfOutput: true,\n });\n\n return await this.enrollThresholdEd25519Key({\n credential: authCredential,\n nearAccountId,\n deviceNumber: args.deviceNumber,\n });\n } catch (error: unknown) {\n const message = String((error as { message?: unknown })?.message ?? error);\n return { success: false, publicKey: '', relayerKeyId: '', wrapKeySalt: '', error: message };\n }\n }\n\n /**\n * Threshold key rotation (post-registration):\n * - keygen (new relayerKeyId + publicKey)\n * - AddKey(new threshold publicKey)\n * - DeleteKey(old threshold publicKey)\n *\n * Uses the local signer key for AddKey/DeleteKey, and requires the account to already\n * have a stored `threshold_ed25519_2p_v1` key material entry for the target device.\n */\n async rotateThresholdEd25519KeyPostRegistration(args: {\n nearAccountId: AccountId | string;\n deviceNumber?: number;\n }): Promise<{\n success: boolean;\n oldPublicKey: string;\n oldRelayerKeyId: string;\n publicKey: string;\n relayerKeyId: string;\n wrapKeySalt: string;\n deleteOldKeyAttempted: boolean;\n deleteOldKeySuccess: boolean;\n warning?: string;\n error?: string;\n }> {\n const nearAccountId = toAccountId(args.nearAccountId);\n\n let oldPublicKey = '';\n let oldRelayerKeyId = '';\n\n try {\n const deviceNumber = Number(args.deviceNumber);\n const resolvedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1\n ? deviceNumber\n : await getLastLoggedInDeviceNumber(nearAccountId, IndexedDBManager.clientDB).catch(() => 1);\n\n const existing = await IndexedDBManager.nearKeysDB.getThresholdKeyMaterial(nearAccountId, resolvedDeviceNumber);\n if (!existing) {\n throw new Error(\n `No threshold key material found for account ${nearAccountId} device ${resolvedDeviceNumber}. Call enrollThresholdEd25519Key() first.`,\n );\n }\n oldPublicKey = existing.publicKey;\n oldRelayerKeyId = existing.relayerKeyId;\n\n const enrollment = await this.enrollThresholdEd25519KeyPostRegistration({\n nearAccountId,\n deviceNumber: resolvedDeviceNumber,\n });\n if (!enrollment.success) {\n throw new Error(enrollment.error || 'Threshold keygen/enrollment failed');\n }\n\n return await rotateThresholdEd25519KeyPostRegistrationHandler(\n {\n nearClient: this.nearClient,\n contractId: this.tatchiPasskeyConfigs.contractId,\n nearRpcUrl: this.tatchiPasskeyConfigs.nearRpcUrl,\n signTransactionsWithActions: (params) => this.signTransactionsWithActions(params),\n },\n {\n nearAccountId,\n deviceNumber: resolvedDeviceNumber,\n oldPublicKey,\n oldRelayerKeyId,\n newPublicKey: enrollment.publicKey,\n newRelayerKeyId: enrollment.relayerKeyId,\n wrapKeySalt: enrollment.wrapKeySalt,\n },\n );\n } catch (error: unknown) {\n const message = String((error as { message?: unknown })?.message ?? error);\n return {\n success: false,\n oldPublicKey,\n oldRelayerKeyId,\n publicKey: '',\n relayerKeyId: '',\n wrapKeySalt: '',\n deleteOldKeyAttempted: false,\n deleteOldKeySuccess: false,\n error: message,\n };\n }\n }\n\n /**\n * Threshold key enrollment (2-of-2): deterministically derive the client verifying share\n * from WrapKeySeed and register the corresponding relayer share via `/threshold-ed25519/keygen`.\n *\n * Stores a v3 vault entry of kind `threshold_ed25519_2p_v1` (breaking; no migration).\n */\n async enrollThresholdEd25519Key(args: {\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n nearAccountId: AccountId | string;\n deviceNumber?: number;\n }): Promise<{\n success: boolean;\n publicKey: string;\n relayerKeyId: string;\n wrapKeySalt: string;\n error?: string;\n }> {\n const nearAccountId = toAccountId(args.nearAccountId);\n const relayerUrl = this.tatchiPasskeyConfigs.relayer.url;\n\n try {\n if (!relayerUrl) throw new Error('Missing relayer url (configs.relayer.url)');\n if (!args.credential) throw new Error('Missing credential');\n\n const deviceNumber = Number(args.deviceNumber);\n const resolvedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1\n ? deviceNumber\n : await getLastLoggedInDeviceNumber(nearAccountId, IndexedDBManager.clientDB).catch(() => 1);\n\n const keygen = await this.withSigningSession({\n prefix: 'threshold-keygen',\n options: { credential: args.credential },\n handler: (sessionId) =>\n enrollThresholdEd25519KeyHandler(\n {\n nearClient: this.nearClient,\n vrfWorkerManager: this.vrfWorkerManager,\n signerWorkerManager: this.signerWorkerManager,\n touchIdPrompt: this.touchIdPrompt,\n relayerUrl,\n },\n { sessionId, nearAccountId },\n ),\n });\n\n if (!keygen.success) {\n throw new Error(keygen.error || 'Threshold keygen failed');\n }\n\n const publicKey = keygen.publicKey;\n const clientVerifyingShareB64u = keygen.clientVerifyingShareB64u;\n const relayerKeyId = keygen.relayerKeyId;\n const relayerVerifyingShareB64u = keygen.relayerVerifyingShareB64u;\n if (!clientVerifyingShareB64u) throw new Error('Threshold keygen returned empty clientVerifyingShareB64u');\n\n // Activate threshold enrollment on-chain by submitting AddKey(publicKey) signed with the local key.\n const localKeyMaterial = await IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, resolvedDeviceNumber);\n if (!localKeyMaterial) {\n throw new Error(`No local key material found for account ${nearAccountId} device ${resolvedDeviceNumber}`);\n }\n\n // If the key is already present, skip AddKey and just persist local threshold metadata.\n const alreadyActive = await hasAccessKey(this.nearClient, nearAccountId, publicKey, { attempts: 1, delayMs: 0 });\n if (!alreadyActive) {\n this.nonceManager.initializeUser(nearAccountId, localKeyMaterial.publicKey);\n const txContext = await this.nonceManager.getNonceBlockHashAndHeight(this.nearClient, { force: true });\n\n const signed = await this.signAddKeyThresholdPublicKeyNoPrompt({\n nearAccountId,\n credential: args.credential,\n wrapKeySalt: localKeyMaterial.wrapKeySalt,\n transactionContext: txContext,\n thresholdPublicKey: publicKey,\n relayerVerifyingShareB64u,\n clientParticipantId: keygen.clientParticipantId,\n relayerParticipantId: keygen.relayerParticipantId,\n deviceNumber: resolvedDeviceNumber,\n });\n\n const signedTx = signed?.signedTransaction;\n if (!signedTx) throw new Error('Failed to sign AddKey(thresholdPublicKey) transaction');\n\n await this.nearClient.sendTransaction(signedTx, DEFAULT_WAIT_STATUS.thresholdAddKey);\n\n const activated = await hasAccessKey(this.nearClient, nearAccountId, publicKey);\n if (!activated) throw new Error('Threshold access key not found on-chain after AddKey');\n }\n\n const keyMaterial: ThresholdEd25519_2p_V1Material = {\n kind: 'threshold_ed25519_2p_v1',\n nearAccountId,\n deviceNumber: resolvedDeviceNumber,\n publicKey,\n wrapKeySalt: keygen.wrapKeySalt,\n relayerKeyId,\n clientShareDerivation: 'prf_first_v1',\n participants: buildThresholdEd25519Participants2pV1({\n clientParticipantId: keygen.clientParticipantId,\n relayerParticipantId: keygen.relayerParticipantId,\n relayerKeyId,\n relayerUrl,\n clientVerifyingShareB64u,\n relayerVerifyingShareB64u,\n clientShareDerivation: 'prf_first_v1',\n }),\n timestamp: Date.now(),\n };\n await IndexedDBManager.nearKeysDB.storeKeyMaterial(keyMaterial);\n\n return {\n success: true,\n publicKey,\n relayerKeyId,\n wrapKeySalt: keygen.wrapKeySalt,\n };\n } catch (error: unknown) {\n const message = String((error as { message?: unknown })?.message ?? error);\n return { success: false, publicKey: '', relayerKeyId: '', wrapKeySalt: '', error: message };\n }\n }\n\n // ==============================\n // USER SETTINGS\n // ==============================\n\n /** * Get user preferences manager */\n getUserPreferences(): UserPreferencesManager {\n return this.userPreferencesManager;\n }\n\n /** * Clean up resources */\n destroy(): void {\n if (this.userPreferencesManager) {\n this.userPreferencesManager.destroy();\n }\n if (this.nonceManager) {\n this.nonceManager.clear();\n }\n this.activeSigningSessionIds.clear();\n }\n\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsEA,IAAa,kBAAb,MAA6B;CAC3B,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAQ,mBAA2B;CAEnC,AAAQ,0CAA+C,IAAI;CAE3D,AAAS;CAET,YAAY,sBAAqC,YAAwB;AACvE,OAAK,uBAAuB;AAC5B,OAAK,aAAa;AAElB,OAAK,gBAAgB,IAAI,cACvB,qBAAqB,cAAc,cACnC;AAEF,OAAK,yBAAyBA;AAE9B,OAAK,uBAAuB,uBAAuB,qBAAqB;AAExE,OAAK,uBAAuB,6BAA6B,qBAAqB;AAC9E,OAAK,eAAeC;EACpB,MAAM,EAAE,qBAAqB;AAE7B,OAAK,mBAAmB,IAAI,iBAC1B;GACE,aAAa,kBAAkB,aAAa;GAC5C,gBAAgB,kBAAkB,aAAa;GAC/C,sBAAsB,kBAAkB,aAAa;GACrD,uBAAuB,kBAAkB,aAAa;KAExD;GACE,eAAe,KAAK;GACpB,YAAY,KAAK;GACjB,WAAW;GACX,wBAAwB,KAAK;GAC7B,cAAc,KAAK;GACnB,cAAc,KAAK,cAAc;GACjC,iBAAiB,qBAAqB;;AAG1C,OAAK,sBAAsB,IAAI,oBAC7B,KAAK,kBACL,YACA,KAAK,wBACL,KAAK,cACL,KAAK,qBAAqB,QAAQ,KAClC,qBAAqB,cAAc,cACnC,MACA,qBAAqB;AAKvB,OAAK,mBAAmB,8BAA8B,OAAO,WAAW,cAAc,OAAO,SAAS,SAAS;AAC/G,OAAK,oBAAoB,oBAAoB,KAAK;AAClD,OAAK,iBAAiB,sBAAsB,KAAK;AAGjD,MAAI,OAAO,WAAW,YACpB,uBAAsB,QAAQ;GAC5B,MAAM,SAAS,IAAI,IAAI,KAAK,OAAO,SAAS,QAAQ;AACpD,OAAI,UAAU,WAAW,KAAK,kBAAkB;AAC9C,SAAK,mBAAmB;AACxB,SAAK,oBAAoB,oBAAoB;AAC7C,SAAK,iBAAiB,sBAAsB;;;EAOlD,MAAM,gCACJ,CAAC,CAAC,qBAAqB,cAAc,gBAAgB,CAAC;AACxD,MAAI,CAAC,8BACH,CAAK,KAAK,uBAAuB,oBAAoB,YAAY;;;;;;CAQrE,uBAA6B;AAC3B,MAAI,OAAO,WAAW,eAAe,OAAQ,OAAe,WAAW,YAAa;AAEpF,MAAI,KAAK,oBAAoB,KAAK,qBAAqB,OAAO,SAAS,OAAQ;AAC/E,OAAK,oBAAoB,oBAAoB,YAAY;;;;;;;;;CAU3D,MAAM,sBAAsB,eAAuC;AAEjE,MAAI,cACF,OAAM,KAAK,sBAAsB,YAAY,gBAAgB,KAAK,YAAY,YAAY;AAG5F,QAAM,KAAK,aAAa,oBAAoB,KAAK,YAAY,YAAY;AAEzE,MAAI,cACF,OAAM,iBAAiB,gBAAgB,YAAY,gBAAgB,YAAY;AAGjF,OAAK;;;;;;CAOP,UAAkB;AAChB,SAAO,KAAK,cAAc;;;CAI5B,kBAAgC;AAC9B,SAAO,KAAK;;;;;;;;;;;CAYd,AAAQ,kBAAkB,QAAwB;AAChD,SAAQ,OAAO,WAAW,eAAe,OAAO,OAAO,eAAe,aAClE,OAAO,eACP,GAAG,OAAO,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;;CAGlE,AAAQ,iBAAiB,OAAoC;AAC3D,MAAI,OAAO,UAAU,YAAY,CAAC,OAAO,SAAS,UAAU,QAAQ,EAAG,QAAO;AAC9E,SAAO,KAAK,MAAM;;CAGpB,AAAQ,4BAA4B,MAMlC;EACA,MAAM,QAAQ,KAAK,iBAAiB,KAAK,UACpC,KAAK,qBAAqB,uBAAuB;EACtD,MAAM,gBAAgB,KAAK,iBAAiB,KAAK,kBAC5C,KAAK,qBAAqB,uBAAuB;AACtD,SAAO;GAAE;GAAO;;;CAGlB,AAAQ,kCAAkC,eAAkC;EAC1E,MAAM,MAAM,OAAO,YAAY;EAC/B,MAAM,WAAW,KAAK,wBAAwB,IAAI;AAClD,MAAI,SAAU,QAAO;EACrB,MAAM,YAAY,KAAK,kBAAkB;AACzC,OAAK,wBAAwB,IAAI,KAAK;AACtC,SAAO;;CAGT,MAAc,mBAAsB,MAKrB;AACb,MAAI,OAAO,KAAK,YAAY,WAC1B,OAAM,IAAI,MAAM;EAElB,MAAM,YAAY,KAAK,cAAc,KAAK,SAAS,KAAK,kBAAkB,KAAK,UAAU;AACzF,MAAI,CAAC,UACH,OAAM,IAAI,MAAM;AAElB,SAAO,MAAM,KAAK,2BAA2B;GAAE;GAAW,SAAS,KAAK;GAAS,SAAS,KAAK;;;CAGjG,MAAc,2BAA8B,MAI7B;EACb,MAAM,aAAa,MAAM,KAAK,iBAAiB,4BAA4B,KAAK;AAChF,QAAM,KAAK,oBAAoB,2BAA2B,KAAK,WAAW,EAAE;AAC5E,MAAI;AAIF,OAAI,KAAK,QACP,OAAM,KAAK,iBAAiB,+BAA+B;IACzD,WAAW,KAAK;IAChB,aAAa,KAAK,QAAQ;IAC1B,YAAY,KAAK,QAAQ;;AAG7B,UAAO,MAAM,KAAK,QAAQ,KAAK;YACvB;AACR,QAAK,oBAAoB,sBAAsB,KAAK;;;;;;;;;;CAWxD,MAAM,0CAA0C,QAKO;AACrD,SAAO,KAAK,iBAAiB,0CAA0C;GACrE,eAAe,OAAO;GACtB,cAAc,OAAO;GACrB,eAAe,OAAO;GACtB,4BAA4B,OAAO;GACnC,YAAY,KAAK,qBAAqB;GACtC,YAAY,KAAK,qBAAqB;;;;;;;;;CAU1C,MAAc,mCAAmC,MAG/B;EAChB,MAAM,gBAAgB,YAAY,KAAK;EAIvC,MAAM,CAAC,MAAM,UAAU,MAAM,QAAQ,IAAI,CACvC,iBAAiB,SAAS,cAAc,YAAY,OACpD,iBAAiB,SAAS,qBAAqB,eAAe,YAAY;EAG5E,MAAM,eACH,QAAQ,KAAK,kBAAkB,iBAAiB,OAAO,KAAK,iBAAiB,WAC1E,KAAK,eACJ,UAAU,OAAO,OAAO,iBAAiB,WACxC,OAAO,eACP;AAER,MAAI,iBAAiB,KACnB,OAAM,IAAI,MAAM,qCAAqC,cAAc;EAKrE,MAAM,gBAAgB,MAAM,iBAAiB,SAAS,gBAAgB,eAAe,cAAc,YAAY;EAC/G,MAAM,sBAAsB,eAAe;EAG3C,MAAM,cAAc,MAAM,iBAAiB,WAAW,oBAAoB,eAAe;AACzF,MAAI,CAAC,aAAa;AAChB,WAAQ,MAAM,+DAA+D;IAC3E,eAAe,OAAO;IACtB;;AAEF,SAAM,IAAI,MAAM,sCAAsC;;EAExD,MAAM,cAAc,YAAY;AAChC,MAAI,CAAC,aAAa;AAChB,WAAQ,MAAM,qEAAqE;IACjF,eAAe,OAAO;IACtB;;AAEF,SAAM,IAAI,MAAM;;AAGlB,MAAI;AACF,SAAM,KAAK,iBAAiB,sBAAsB;IAChD,WAAW,KAAK;IAChB;IACA;IACA;;WAEK,OAAO;AACd,WAAQ,MAAM,+CAA+C;IAC3D,eAAe,OAAO;IACtB,WAAW,KAAK;IAChB;;AAEF,SAAM;;;CAIV,uCAAuC,EACrC,eACA,WACA,oBAK4C;AAC5C,SAAO,KAAK,cAAc,uCAAuC;GAC/D;GACA;GACA;;;CAIJ,MAAM,+CAA+C,MAaP;AAC5C,SAAOC,+CAAmD;GACxD,WAAW;GACX,eAAe,KAAK;GACpB,eAAe,KAAK;GACpB,cAAc,KAAK;GACnB,wBAAwB,KAAK;GAC7B,gBAAgB,KAAK;;;;;;;;CAazB,MAAM,+BACJ,WACA,cACuB;AACvB,SAAO,KAAK,iBAAiB,+BAA+B,cAAc;;;;;;;CAQ5E,MAAM,yBAAyB,cAAmD;AAChF,SAAO,KAAK,iBAAiB,yBAAyB;;;;;;;;;;;CAYxD,MAAM,4BAA4B,MAO/B;AACD,SAAO,KAAK,iBAAiB,4BAA4B;GACvD,cAAc,KAAK;GACnB,cAAc,KAAK;GACnB,WAAW,KAAK;;;;;;CAOpB,MAAM,0CAA0C,EAC9C,YACA,eACA,WAeC;AACD,SAAO,KAAK,mBAAmB;GAC7B,QAAQ;GACR,SAAS,EAAE;GACX,UAAU,cACR,KAAK,oBAAoB,0CAA0C;IACjE;IACA,eAAe,YAAY;IAC3B;IACA;;;;;;;;;;;;;;;;;;;;;;;CAwBR,MAAM,qCAAqC,MAWxC;EACD,MAAM,EAAE,eAAe,YAAY,cAAc,cAAc,8BAA8B;EAC7F,MAAM,aAAa,KAAK,qBAAqB;AAE7C,MAAI;GAEF,MAAM,YAAY,gBAAgB,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM,GAAG;GAGpF,MAAM,cAAc,MAAM,iBAAiB,WAAW,oBACpD,eACA;AAEF,OAAI,CAAC,YACH,OAAM,IAAI,MAAM,qCAAqC,cAAc,UAAU;GAG/E,MAAM,cAAc,YAAY;AAChC,OAAI,CAAC,YACH,OAAM,IAAI,MAAM,mCAAmC,cAAc,UAAU;GAI7E,MAAM,aAAa,MAAM,KAAK,iBAAiB,4BAA4B;AAC3E,SAAM,KAAK,oBAAoB,2BAA2B,WAAW,EAAE;AAKvE,SAAM,KAAK,iBAAiB,+BAA+B;IACzD;IACA;IACA;;GAIF,MAAM,qBAAqB,MAAM,KAAK,aAAa,2BAA2B,KAAK;GAInF,IAAI,eAAe;GAEnB,MAAM,oBAAoB,gBAAgB,aAAa;GAIvD,MAAM,eAAe,MAAM,KAAK,oBAAoB,8BAA8B;IAChF;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA,2BAA2B;;AAG7B,UAAO;IACL,SAAS;IACT,WAAW,aAAa;IACxB,mBAAmB,aAAa;;WAG3BC,OAAY;AACnB,WAAQ,MAAM,0EAA0E;AACxF,UAAO;IACL,SAAS;IACT,OAAO,MAAM,WAAW,OAAO;;;;;;;;;;;;;;;CAgBrC,MAAM,iBAAiB,EACrB,YACA,eACA,cACA,eAAe,QAYd;AACD,MAAI;GACF,MAAM,YAAY,MAAM,KAAK,iBAAiB,wBAAwB;IACpE;IACA;IACA;IACA;;GAGF,MAAMC,SAMF;IACF,SAAS;IACT,cAAc,UAAU;IACxB,qBAAqB,UAAU;IAC/B,cAAc,UAAU;IACxB,2BAA2B,UAAU;;AAGvC,UAAO;WAEAD,OAAY;AACnB,WAAQ,MAAM,kDAAkD;AAChE,SAAM,IAAI,MAAM,iCAAiC,MAAM;;;;;;;CAQ3D,MAAM,iBAAiB,EACrB,eACA,qBACA,cAKgD;AAChD,MAAI;GACF,MAAM,eAAe,MAAM,KAAK,iBAAiB,iBAAiB;IAChE;IACA;IACA;;AAGF,OAAI,CAAC,aAAa,SAAS;AACzB,YAAQ,MAAM;AACd,WAAO;KAAE,SAAS;KAAO,OAAO;;;AAIlC,QAAK,oBAAoB,oBAAoB,YAAY;AAEzD,UAAO,EAAE,SAAS;WAEXA,OAAY;AACnB,WAAQ,MAAM,+CAA+C,MAAM;AACnE,UAAO;IAAE,SAAS;IAAO,OAAO,MAAM;;;;;;;;;;CAU1C,MAAM,6BAA6B,EACjC,eACA,YACA,mBACA,eAMgD;EAChD,MAAM,SAAS,MAAM,KAAK,iBAAiB,6BAA6B;GACtE;GACA;GACA;GACA;;AAGF,SAAO;GACL,SAAS,OAAO;GAChB,OAAO,OAAO;;;;;;;CAQlB,MAAM,sCAA0E;EAC9E,MAAM,MAAM,MAAM,KAAK,iBAAiB;AACxC,SAAO;GACL,mBAAmB,IAAI;GACvB,YAAY,IAAI;GAChB,aAAa,IAAI;;;;;;CAOrB,MAAM,gCACJ,eACA,iBACe;AACf,QAAM,iBAAiB,SAAS,WAAW,eAAe,EACxD,2BAA2B;GACzB,mBAAmB,gBAAgB;GACnC,YAAY,gBAAgB;GAC5B,aAAa,gBAAgB;GAC7B,WAAW,KAAK;;;CAKtB,MAAM,kBAAiC;AAErC,MAAI,OAAO,WAAW,eAAe,KAAK,qBAAqB,OAAO,SAAS,OAC7E;AAEF,SAAO,MAAM,KAAK,iBAAiB;;;;;CAMrC,MAAM,iBAIH;AACD,SAAO,KAAK,iBAAiB;;;;;;;;;;;;CAa9B,MAAM,iCAAiC,MAapC;EACD,MAAM,gBAAgB,YAAY,KAAK;EACvC,MAAM,YAAY,KAAK,kCAAkC;EAGzD,MAAM,YAAY,MAAM,KAAK,iBAAiB;AAC9C,MAAI,CAAC,UAAU,OACb,OAAM,IAAI,MAAM;AAElB,MAAI,CAAC,UAAU,iBAAiB,OAAO,UAAU,mBAAmB,OAAO,eACzE,OAAM,IAAI,MAAM;EAGlB,MAAM,kBAAkB,OAAO,KAAK,YAAY,SAAS,IAAI;EAC7D,MAAM,iBAAiB,MAAM,KAAK,wBAAwB,eAAe,YAAY;EAGrF,IAAIE;AACJ,MAAI;AACF,kBAAe,MAAM,4BAA4B,eAAe,iBAAiB;WAC1E,KAAK;AAGZ,OAAI,iBAAiB;IACnB,MAAM,UAAU,eAAe,MAAM,MAAM,EAAE,iBAAiB;IAC9D,MAAM,WACJ,WAAW,OAAO,QAAQ,iBAAiB,YAAY,OAAO,SAAS,QAAQ,gBAC3E,QAAQ,eACR;AACN,QAAI,aAAa,MAAM;AACrB,oBAAe;AAEf,WAAM,KAAK,YAAY,eAAe,UAAU,YAAY;UAE5D,OAAM;SAGR,OAAM;;AAOV,MAAI,mBAAmB,eAAe,SAAS,GAAG;GAChD,MAAM,EAAE,sBAAsB,MAAM,iBAAiB,SAAS,qBAC5D,eACA,gBACA;AAEF,OAAI,kBACF,OAAM,IAAI,MAAM;;EAIpB,MAAM,cAAc,MAAM,iBAAiB,WAAW,oBAAoB,eAAe;AACzF,MAAI,CAAC,YACH,OAAM,IAAI,MAAM,qCAAqC,cAAc,UAAU;EAE/E,MAAM,cAAc,YAAY;AACjC,MAAI,CAAC,YACH,OAAM,IAAI,MAAM;EAIlB,MAAM,EAAE,OAAO,kBAAkB,KAAK,4BAA4B;AAElE,QAAM,KAAK,iBAAiB,+BAA+B;GACzD;GACA;GACA,YAAY,KAAK;GACjB,YAAY,KAAK;GACjB;GACA;GACA,YAAY,KAAK;;AAGnB,SAAO,MAAM,KAAK,iBAAiB,mBAAmB,EAAE;;;;;;CAO1D,MAAM,4BAA4B,eAM/B;EACD,MAAM,YAAY,KAAK,kCAAkC;AACzD,SAAO,MAAM,KAAK,iBAAiB,mBAAmB,EAAE;;;;;CAM1D,MAAM,mBAII;AACR,MAAI;GACF,MAAM,WAAW,KAAK,sBAAsB,kBAAkB,aAAa;AAC3E,OAAI,CAAC,SAAU,QAAO;GACtB,MAAM,MAAM,MAAM,MAAM,GAAG,SAAS,mBAAmB,EAAE,QAAQ;AACjE,OAAI,CAAC,IAAI,GAAI,QAAO;GACpB,MAAM,OAAO,MAAM,IAAI;AACvB,UAAO;IACL,cAAc,MAAM,gBAAgB;IACpC,QAAQ,MAAM,UAAU;IACxB,aAAa,MAAM,QAAQ,MAAM,eAAe,KAAK,cAAc;;UAE/D;AACN,UAAO;;;;;;;CAQX,MAAM,4BAA4B,eAA4C;AAC5E,MAAI;GACF,MAAM,WAAW,KAAK,sBAAsB,kBAAkB,aAAa;AAC3E,OAAI,CAAC,SAAU,QAAO;GACtB,MAAM,WAAW,MAAM,KAAK;GAC5B,MAAM,SAAS,UAAU;AACzB,OAAI,CAAC,UAAU,CAAC,OAAO,cAAc,CAAC,OAAO,qBAAqB,CAAC,OAAO,YAAa,QAAO;GAE9F,MAAM,UAAU,MAAM,KAAK;GAC3B,MAAM,eAAe,SAAS;AAC9B,OAAI,CAAC,gBAAgB,iBAAiB,OAAO,YAAa,QAAO;GAEjE,MAAM,SAAS,MAAM,KAAK;GAC1B,MAAM,SAAS,OAAO,UAAU,OAAO,kBAAkB;AACzD,OAAI,CAAC,OAAQ,QAAO;GAEpB,MAAM,YAAY,MAAM,KAAK;AAC7B,SAAM,KAAK,gCAAgC,eAAe;AAC1D,UAAO;UACD;AACN,UAAO;;;CAQX,MAAM,cAAc,UAA6C;AAC/D,QAAM,iBAAiB,SAAS,sBAAsB;GACpD,GAAG;GACH,cAAc,SAAS,gBAAgB;GACvC,SAAS,SAAS,WAAW;;;CAIjC,MAAM,cAAyC;AAC7C,SAAO,MAAM,iBAAiB,SAAS;;CAGzC,MAAM,gBAAgB,eAA0B,cAAsD;AACpG,SAAO,MAAM,iBAAiB,SAAS,gBAAgB,eAAe;;CAGxE,MAAM,cAA8C;AAClD,SAAO,MAAM,iBAAiB,SAAS;;CAGzC,MAAM,wBAAwB,eAA8D;AAC1F,SAAO,MAAM,iBAAiB,SAAS,wBAAwB;;CAGjE,MAAM,gBAAgB,eAAyC;AAC7D,SAAO,MAAM,iBAAiB,SAAS,gBAAgB;;;;;;;CAQzD,MAAM,YAAY,eAA0B,eAAuB,GAAkB;AACnF,SAAO,MAAM,iBAAiB,SAAS,YAAY,eAAe;;;;;;;;;;CAYpE,MAAM,sBACJ,eACA,YACe;EACf,MAAM,YAAY,YAAY;EAI9B,IAAIC,oBAAmC;EACvC,MAAM,WAAW,MAAM,iBAAiB,SAAS,cAAc,YAAY;AAC3E,MACE,YACA,YAAY,SAAS,mBAAmB,aACxC,OAAO,SAAS,SAAS,cAEzB,qBAAoB,SAAS;AAG/B,MAAI,sBAAsB,MAAM;GAC9B,MAAM,iBAAiB,MAAM,iBAAiB,SAC3C,gBAAgB,WAAW,GAC3B,YAAY;AACf,OAAI,kBAAkB,OAAO,SAAS,eAAe,cACnD,qBAAoB,eAAe;;AAIvC,MAAI,sBAAsB,KACxB,qBAAoB;AAGtB,QAAM,KAAK,YAAY,WAAW;AAGlC,OAAK,uBAAuB,eAAe;AAE3C,QAAM,KAAK,uBAAuB,qBAAqB,YAAY;EAGnE,MAAM,WAAW,MAAM,iBAAiB,SACrC,gBAAgB,WAAW,mBAC3B,YAAY;AACf,MAAI,YAAY,SAAS,oBACvB,MAAK,aAAa,eAAe,WAAW,SAAS;AAIvD,MAAI,WACF,OAAM,KAAK,aACR,oBAAoB,YACpB,OAAO,gBAAgB,QAAQ,MAAM,gFAAgF;;CAI5H,MAAM,aAAa,eAA4D;AAC7E,SAAO,MAAM,iBAAiB,SAAS,aAAa;;CAGtD,MAAM,mBAAmB,mBAUP;EAChB,MAAM,eAAe,OAAO,kBAAkB;EAC9C,MAAM,yBAAyB,OAAO,cAAc,iBAAiB,gBAAgB,IAAI,eAAe;EACxG,MAAM,WAAW;GACf,GAAG;GACH,eAAe,YAAY,kBAAkB;GAC7C,cAAc;;AAEhB,SAAO,MAAM,iBAAiB,SAAS,mBAAmB;;CAG5D,gBAAgB,eAAkC;AAChD,SAAO,iBAAiB,SAAS,gBAAgB;;CAGnD,MAAM,gBAAmB,UAA+C;AACtE,SAAO,MAAM,iBAAiB,SAAS,gBAAgB;;CAGzD,MAAM,yBAAyB,eAAyC;AACtE,SAAO,MAAM,iBAAiB,SAAS,yBAAyB;;CAGlE,MAAM,qBAAqB,eAA4C;AACrE,SAAO,MAAM,iBAAiB,SAAS,qBAAqB;;;;;CAM9D,MAAM,4BAA4B,EAChC,eACA,YACA,WACA,qBACA,cACA,6BAQgB;AAChB,QAAM,KAAK,gBAAgB,OAAO,OAAO;GAEvC,MAAMC,eAAuB,WAAW;GACxC,MAAMC,kBAA0B,WAAW,SAAS;GACpD,MAAMC,aAAuB,WAAW,UAAU;AAElD,SAAM,KAAK,mBAAmB;IACb;IACD;IACd,qBAAqB,MAAM,KAAK,qBAAqB;IACrD;IACA,MAAM,mBAAmB,KAAK,gBAAgB;IAC9C,6BAAY,IAAI,QAAO;IACvB,2BAAU,IAAI,QAAO;IACP;;AAIhB,SAAM,KAAK,cAAc;IACvB;IACA,cAAc;IACd,qBAAqB;IACrB,aAAa,KAAK;IAClB,mBAAmB;KACjB,IAAI,WAAW;KACf,OAAO;;IAET,qBAAqB;KACnB,sBAAsB,oBAAoB;KAC1C,mBAAmB,oBAAoB;;IAEzC,SAAS;IACT,2BAA2B,4BAA4B;KACrD,mBAAmB,2BAA2B;KAC9C,YAAY,2BAA2B;KACvC,aAAa,2BAA2B;KACxC,WAAW,KAAK;QACd;;AAGN,UAAO;;;;;;;;;;;;;;;;;;;;;CA0BX,MAAM,4BAA4B,EAChC,cACA,SACA,YACA,4BACA,OACA,MACA,WAUmC;AACnC,SAAO,KAAK,mBAAmB;GAC7B,WAAW,KAAK,kCAAkC,YAAY,QAAQ;GACtE,UAAU,cACR,KAAK,oBAAoB,4BAA4B;IACnD;IACA;IACA;IACA;IACA;IACA;IACA;IACA;;;;;;;;;;;CAYR,MAAM,qCAAqC,MAWR;EACjC,MAAM,gBAAgB,YAAY,KAAK;EACvC,MAAM,cAAc,KAAK;AACzB,MAAI,CAAC,YAAa,OAAM,IAAI,MAAM;AAClC,MAAI,CAAC,KAAK,WAAY,OAAM,IAAI,MAAM;AACtC,MAAI,CAAC,KAAK,mBAAoB,OAAM,IAAI,MAAM;EAC9C,MAAM,qBAAqB,oBAAoB,KAAK;AACpD,MAAI,CAAC,mBAAoB,OAAM,IAAI,MAAM;EACzC,MAAM,4BAA4B,KAAK;AACvC,MAAI,CAAC,0BAA2B,OAAM,IAAI,MAAM;EAEhD,MAAM,eAAe,OAAO,KAAK;EACjC,MAAM,uBAAuB,OAAO,cAAc,iBAAiB,gBAAgB,IAC/E,eACA,MAAM,4BAA4B,eAAe,iBAAiB,UAAU,YAAY;EAE5F,MAAM,mBAAmB,MAAM,iBAAiB,WAAW,oBACzD,eACA;AAEF,MAAI,CAAC,iBACH,OAAM,IAAI,MAAM,2CAA2C,cAAc,UAAU;AAGrF,MAAI,iBAAiB,gBAAgB,YACnC,OAAM,IAAI,MAAM;AAGlB,SAAO,MAAM,KAAK,mBAAmB;GACnC,QAAQ;GACR,SAAS;IAAE,YAAY,KAAK;IAAY;;GACxC,SAAS,OAAO,cAAc;IAC5B,MAAM,WAAW,MAAM,KAAK,oBAAoB,aAAa,YAAY;KACvE;KACA,SAAS;MACP,MAAM;MACN,SAAS;OACP,WAAW,KAAK;OAChB,YAAY;QACV,yBAAyB,iBAAiB;QAC1C,sCAAsC,iBAAiB;;OAEzD,oBAAoB,KAAK;OACzB;OACA;OACA;OACA,qBAAqB,OAAO,KAAK,wBAAwB,WAAW,KAAK,sBAAsB;OAC/F,sBAAsB,OAAO,KAAK,yBAAyB,WAAW,KAAK,uBAAuB;;;KAGtG,SAAS,KAAK;;AAGhB,QAAI,CAAC,8CAA8C,UACjD,OAAM,IAAI,MAAM;AAElB,QAAI,CAAC,SAAS,QAAQ,QACpB,OAAM,IAAI,MAAM,SAAS,QAAQ,SAAS;IAG5C,MAAM,qBAAqB,SAAS,QAAQ,sBAAsB;AAClE,QAAI,mBAAmB,WAAW,EAChC,OAAM,IAAI,MAAM,8CAA8C,mBAAmB;IAGnF,MAAM,WAAW,mBAAmB;AACpC,QAAI,CAAC,YAAY,CAAE,SAAiB,eAAe,CAAE,SAAiB,UACpE,OAAM,IAAI,MAAM;AAElB,WAAO;KACL,mBAAmB,IAAI,kBAAkB;MACvC,aAAc,SAAiB;MAC/B,WAAY,SAAiB;MAC7B,aAAa,MAAM,KAAM,SAAiB,cAAc;;KAE1D,eAAe,OAAO;KACtB,MAAM,SAAS,QAAQ,QAAQ;;;;;CAMvC,MAAM,mBAAmB,EACvB,UACA,SACA,YACA,4BACA,OACA,MACA,WAeC;EACD,MAAM,gBAAgB,YAAY,QAAQ,iBAAiB,SAAS;EACpE,MAAMC,oBAAoC;GACxC,YAAY,QAAQ,cAAc,KAAK,qBAAqB;GAC5D,YAAY,QAAQ,cAAc,KAAK,qBAAqB;GAC5D;;AAGF,MAAI;GACF,MAAM,kBAAkB,KAAK,kCAAkC;AAC/D,UAAO,MAAM,KAAK,mBAAmB;IACnC,WAAW;IACX,UAAU,cAAc;AACtB,aAAQ,MAAM,+CAA+C,EAAE;AAC/D,YAAO,KAAK,oBAAoB,mBAAmB;MACjD;MACA,SAAS;MACT;MACA;MACA;MACA;MACA;MACA;;;;WAIC,KAAK;AAEZ,WAAQ,MAAM,sCAAsC;AACpD,SAAM;;;CAIV,MAAM,kBAAkB,SAiBrB;AACD,MAAI;GACF,MAAM,kBAAkB,KAAK,kCAAkC,QAAQ;GACvE,MAAM,aAAa,KAAK,qBAAqB;GAC7C,MAAM,aAAc,KAAK,qBAAqB,WAAW,MAAM,KAAK,MAAM,KAAK,qBAAqB;GACpG,MAAM,SAAS,MAAM,KAAK,mBAAmB;IAC3C,WAAW;IACX,UAAU,cACR,KAAK,oBAAoB,kBAAkB;KAAE,GAAG;KAAS;KAAW;KAAY;;;AAEpF,OAAI,OAAO,QACT,QAAO;OAEP,OAAM,IAAI,MAAM,2BAA2B,OAAO,SAAS;WAEtDP,OAAY;AACnB,WAAQ,MAAM,2CAA2C;AACzD,UAAO;IACL,SAAS;IACT,WAAW;IACX,WAAW;IACX,WAAW;IACX,OAAO,MAAM,WAAW;;;;;;;CAU9B,MAAM,qBAAqB,4BAAyD;AAClF,SAAO,MAAM,KAAK,oBAAoB,qBAAqB;;;CAQ7D,MAAM,oCACJ,eACA,SACe;AACf,QAAM,KAAK,mBAAmB;GAC5B,QAAQ;GAAkB,SAAS,OAAO,cAAc;AAGtD,UAAM,KAAK,mCAAmC;KAAE;KAAe;;AAI/D,WAAO,KAAK,oBAAoB,oBAAoB;KAClD;KACA,SAAS,SAAS;KAClB,OAAO,SAAS;KAChB;;;;;CAMR,MAAM,wBACJ,eACA,SAIuE;AAEvE,QAAM,KAAK,oCAAoC,eAAe;EAI9D,IAAI,WAAW,MAAM,KAAK;AAC1B,MAAI,CAAC,YAAY,SAAS,kBAAkB,cAC1C,YAAW,MAAM,iBAAiB,SAAS,qBAAqB;AAElE,SAAO;GACL,WAAW,OAAO;GAClB,WAAW,UAAU,uBAAuB;GAC5C,YAAY;;;CAQhB,MAAM,qBAAqB,EACzB,YACA,YACA,cACA,sBACA,WAcC;AACD,SAAO,MAAM,KAAK,oBAAoB,qBAAqB;GACzD;GACA;GACA;GACA;GACA;GACA,YAAY,KAAK,qBAAqB;;;;;;;;;;;CAgB1C,MAAM,0BACJ,0BACA,eAWC;AACD,MAAI;AAEF,OAAI,CAAC,yBACH,OAAM,IAAI,MACR;GAMJ,MAAM,aAAa,yBAAyB,wBAAwB,KAAK;AACzE,OAAI,CAAC,YAAY,SAAS,CAAC,YAAY,OACrC,OAAM,IAAI,MAAM;GAMlB,MAAM,SAAS,MAAM,KAAK,mBAAmB;IAC3C,QAAQ;IACR,SAAS,EAAE,YAAY;IACvB,UAAU,cACR,KAAK,oBAAoB,0BAA0B;KACjD,YAAY;KACZ;KACA;;;AAGN,UAAO;WAEAA,OAAY;AACnB,WAAQ,MAAM,4DAA4D;AAC1E,SAAM,IAAI,MAAM,4CAA4C,MAAM;;;CAItE,MAAM,8CAA8C,EAClD,eACA,WACA,iBAK4C;AAE5C,SAAO,KAAK,cAAc,8CAA8C;GACtE;GACA;GACA,kBAAkB,cAAc,KAAI,QAAO;IACrC;IACJ,MAAM;IACN,YAAY;KAAC;KAAY;KAAU;KAAO;;;;;;;;;;CAUhD,MAAM,2BAA2B,EAC/B,gBACA,iBACA,YACA,OACA,WACA,WAWC;AACD,SAAO,MAAM,KAAK,oBAAoB,2BAA2B;GAC/D;GACA;GACA;GACA;GACA;GACA;;;;;;;;CAaJ,MAAM,yDAAyD,MAU5D;EACD,MAAM,gBAAgB,YAAY,KAAK;AACvC,MAAI;AACF,UAAO,MAAM,KAAK,mBAAmB;IACnC,QAAQ;IACR,SAAS;KAAE,YAAY,KAAK;KAAY,aAAa,KAAK;;IAC1D,UAAU,cACR,KAAK,oBAAoB,2CAA2C;KAClE;KACA;;;WAGCQ,OAAgB;GACvB,MAAM,UAAU,OAAQ,OAAiC,WAAW;AACpE,UAAO;IACL,SAAS;IACT;IACA,0BAA0B;IAC1B,aAAa;IACb,OAAO;;;;;;;;;;;CAYb,MAAM,0CAA0C,MAS7C;EACD,MAAM,gBAAgB,YAAY,KAAK;AAEvC,MAAI;GACF,MAAM,OAAO,KAAK,cAAc;AAChC,OAAI,CAAC,KAAM,OAAM,IAAI,MAAM;GAG3B,MAAM,QAAQ,MAAM,KAAK,WAAW,UAAU,EAAE,UAAU;GAC1D,MAAM,cAAc,OAAQ,OAAe,QAAQ,UAAU;GAC7D,MAAM,YAAY,OAAQ,OAAe,QAAQ,QAAQ;AACzD,OAAI,CAAC,eAAe,CAAC,UAAW,OAAM,IAAI,MAAM;GAEhD,MAAM,eAAe,MAAM,KAAK,iBAAiB,yBAAyB;IACxE,QAAQ;IACR;IACA;IACA;;GAGF,MAAM,iBAAiB,MAAM,KAAK,wBAAwB;AAC1D,OAAI,CAAC,eAAe,OAClB,OAAM,IAAI,MAAM,+CAA+C;GAGjE,MAAM,iBAAiB,MAAM,KAAK,+CAA+C;IAC/E;IACA;IACA,wBAAwB;;AAG1B,UAAO,MAAM,KAAK,0BAA0B;IAC1C,YAAY;IACZ;IACA,cAAc,KAAK;;WAEdA,OAAgB;GACvB,MAAM,UAAU,OAAQ,OAAiC,WAAW;AACpE,UAAO;IAAE,SAAS;IAAO,WAAW;IAAI,cAAc;IAAI,aAAa;IAAI,OAAO;;;;;;;;;;;;;CAatF,MAAM,0CAA0C,MAc7C;EACD,MAAM,gBAAgB,YAAY,KAAK;EAEvC,IAAI,eAAe;EACnB,IAAI,kBAAkB;AAEtB,MAAI;GACF,MAAM,eAAe,OAAO,KAAK;GACjC,MAAM,uBAAuB,OAAO,cAAc,iBAAiB,gBAAgB,IAC/E,eACA,MAAM,4BAA4B,eAAe,iBAAiB,UAAU,YAAY;GAE5F,MAAM,WAAW,MAAM,iBAAiB,WAAW,wBAAwB,eAAe;AAC1F,OAAI,CAAC,SACH,OAAM,IAAI,MACR,+CAA+C,cAAc,UAAU,qBAAqB;AAGhG,kBAAe,SAAS;AACxB,qBAAkB,SAAS;GAE3B,MAAM,aAAa,MAAM,KAAK,0CAA0C;IACtE;IACA,cAAc;;AAEhB,OAAI,CAAC,WAAW,QACd,OAAM,IAAI,MAAM,WAAW,SAAS;AAGtC,UAAO,MAAM,iDACX;IACE,YAAY,KAAK;IACjB,YAAY,KAAK,qBAAqB;IACtC,YAAY,KAAK,qBAAqB;IACtC,8BAA8B,WAAW,KAAK,4BAA4B;MAE5E;IACE;IACA,cAAc;IACd;IACA;IACA,cAAc,WAAW;IACzB,iBAAiB,WAAW;IAC5B,aAAa,WAAW;;WAGrBA,OAAgB;GACvB,MAAM,UAAU,OAAQ,OAAiC,WAAW;AACpE,UAAO;IACL,SAAS;IACT;IACA;IACA,WAAW;IACX,cAAc;IACd,aAAa;IACb,uBAAuB;IACvB,qBAAqB;IACrB,OAAO;;;;;;;;;;CAWb,MAAM,0BAA0B,MAU7B;EACD,MAAM,gBAAgB,YAAY,KAAK;EACvC,MAAM,aAAa,KAAK,qBAAqB,QAAQ;AAErD,MAAI;AACF,OAAI,CAAC,WAAY,OAAM,IAAI,MAAM;AACjC,OAAI,CAAC,KAAK,WAAY,OAAM,IAAI,MAAM;GAEtC,MAAM,eAAe,OAAO,KAAK;GACjC,MAAM,uBAAuB,OAAO,cAAc,iBAAiB,gBAAgB,IAC/E,eACA,MAAM,4BAA4B,eAAe,iBAAiB,UAAU,YAAY;GAE5F,MAAM,SAAS,MAAM,KAAK,mBAAmB;IAC3C,QAAQ;IACR,SAAS,EAAE,YAAY,KAAK;IAC5B,UAAU,cACR,iCACE;KACE,YAAY,KAAK;KACjB,kBAAkB,KAAK;KACvB,qBAAqB,KAAK;KAC1B,eAAe,KAAK;KACpB;OAEF;KAAE;KAAW;;;AAInB,OAAI,CAAC,OAAO,QACV,OAAM,IAAI,MAAM,OAAO,SAAS;GAGlC,MAAM,YAAY,OAAO;GACzB,MAAM,2BAA2B,OAAO;GACxC,MAAM,eAAe,OAAO;GAC5B,MAAM,4BAA4B,OAAO;AACzC,OAAI,CAAC,yBAA0B,OAAM,IAAI,MAAM;GAG/C,MAAM,mBAAmB,MAAM,iBAAiB,WAAW,oBAAoB,eAAe;AAC9F,OAAI,CAAC,iBACH,OAAM,IAAI,MAAM,2CAA2C,cAAc,UAAU;GAIrF,MAAM,gBAAgB,MAAM,aAAa,KAAK,YAAY,eAAe,WAAW;IAAE,UAAU;IAAG,SAAS;;AAC5G,OAAI,CAAC,eAAe;AAClB,SAAK,aAAa,eAAe,eAAe,iBAAiB;IACjE,MAAM,YAAY,MAAM,KAAK,aAAa,2BAA2B,KAAK,YAAY,EAAE,OAAO;IAE/F,MAAM,SAAS,MAAM,KAAK,qCAAqC;KAC7D;KACA,YAAY,KAAK;KACjB,aAAa,iBAAiB;KAC9B,oBAAoB;KACpB,oBAAoB;KACpB;KACA,qBAAqB,OAAO;KAC5B,sBAAsB,OAAO;KAC7B,cAAc;;IAGhB,MAAM,WAAW,QAAQ;AACzB,QAAI,CAAC,SAAU,OAAM,IAAI,MAAM;AAE/B,UAAM,KAAK,WAAW,gBAAgB,UAAU,oBAAoB;IAEpE,MAAM,YAAY,MAAM,aAAa,KAAK,YAAY,eAAe;AACrE,QAAI,CAAC,UAAW,OAAM,IAAI,MAAM;;GAGlC,MAAMC,cAA8C;IAClD,MAAM;IACN;IACA,cAAc;IACd;IACA,aAAa,OAAO;IACpB;IACA,uBAAuB;IACvB,cAAc,sCAAsC;KAClD,qBAAqB,OAAO;KAC5B,sBAAsB,OAAO;KAC7B;KACA;KACA;KACA;KACA,uBAAuB;;IAEzB,WAAW,KAAK;;AAElB,SAAM,iBAAiB,WAAW,iBAAiB;AAEnD,UAAO;IACL,SAAS;IACT;IACA;IACA,aAAa,OAAO;;WAEfD,OAAgB;GACvB,MAAM,UAAU,OAAQ,OAAiC,WAAW;AACpE,UAAO;IAAE,SAAS;IAAO,WAAW;IAAI,cAAc;IAAI,aAAa;IAAI,OAAO;;;;;CAStF,qBAA6C;AAC3C,SAAO,KAAK;;;CAId,UAAgB;AACd,MAAI,KAAK,uBACP,MAAK,uBAAuB;AAE9B,MAAI,KAAK,aACP,MAAK,aAAa;AAEpB,OAAK,wBAAwB"}

package/dist/esm/react/src/core/WebAuthnManager/threshold/enrollThresholdEd25519Key.js ADDED Viewed

@@ -0,0 +1,92 @@
+import { ensureEd25519Prefix } from "../../../utils/validation.js";
+import { toAccountId } from "../../types/accountIds.js";
+import { IndexedDBManager } from "../../IndexedDBManager/index.js";
+import { thresholdEd25519Keygen } from "../../rpcCalls.js";
+import { computeThresholdEd25519KeygenIntentDigest } from "../../digests/intentDigest.js";
+import { collectAuthenticationCredentialForVrfChallenge } from "../collectAuthenticationCredentialForVrfChallenge.js";
+//#region src/core/WebAuthnManager/threshold/enrollThresholdEd25519Key.ts
+/**
+* Threshold keygen helper (2-of-2):
+* - derive deterministic client verifying share from WrapKeySeed (via signer worker session)
+* - run `/threshold-ed25519/keygen` to fetch relayer share + group public key
+*/
+async function enrollThresholdEd25519KeyHandler(ctx, args) {
+	const nearAccountId = toAccountId(args.nearAccountId);
+	const sessionId = String(args.sessionId || "").trim();
+	const relayerUrl = String(ctx.relayerUrl || "").trim();
+	try {
+		if (!sessionId) throw new Error("Missing sessionId");
+		if (!relayerUrl) throw new Error("Missing relayer url (configs.relayer.url)");
+		const derived = await ctx.signerWorkerManager.deriveThresholdEd25519ClientVerifyingShare({
+			sessionId,
+			nearAccountId
+		});
+		if (!derived.success) throw new Error(derived.error || "Failed to derive threshold client verifying share");
+		const rpId = ctx.touchIdPrompt.getRpId();
+		if (!rpId) throw new Error("Missing rpId for WebAuthn VRF challenge");
+		const keygenIntentDigestB64u = await computeThresholdEd25519KeygenIntentDigest({
+			nearAccountId,
+			rpId,
+			clientVerifyingShareB64u: derived.clientVerifyingShareB64u
+		});
+		const block = await ctx.nearClient.viewBlock({ finality: "final" });
+		const blockHeight = String(block?.header?.height ?? "");
+		const blockHash = String(block?.header?.hash ?? "");
+		if (!blockHeight || !blockHash) throw new Error("Failed to fetch NEAR block context for keygen VRF challenge");
+		const vrfChallenge = await ctx.vrfWorkerManager.generateVrfChallengeOnce({
+			userId: nearAccountId,
+			rpId,
+			blockHeight,
+			blockHash,
+			intentDigest: keygenIntentDigestB64u
+		});
+		const webauthnAuthentication = await collectAuthenticationCredentialForVrfChallenge({
+			indexedDB: IndexedDBManager,
+			touchIdPrompt: ctx.touchIdPrompt,
+			nearAccountId,
+			vrfChallenge
+		});
+		const keygen = await thresholdEd25519Keygen(relayerUrl, vrfChallenge, webauthnAuthentication, {
+			clientVerifyingShareB64u: derived.clientVerifyingShareB64u,
+			nearAccountId
+		});
+		if (!keygen.ok) throw new Error(keygen.error || keygen.message || keygen.code || "Threshold keygen failed");
+		const publicKeyRaw = keygen.publicKey;
+		const relayerKeyId = keygen.relayerKeyId;
+		const relayerVerifyingShareB64u = keygen.relayerVerifyingShareB64u;
+		if (!publicKeyRaw) throw new Error("Threshold keygen returned empty publicKey");
+		if (!relayerKeyId) throw new Error("Threshold keygen returned empty relayerKeyId");
+		if (!relayerVerifyingShareB64u) throw new Error("Threshold keygen returned empty relayerVerifyingShareB64u");
+		const publicKey = ensureEd25519Prefix(publicKeyRaw);
+		if (!publicKey) throw new Error("Threshold keygen returned empty publicKey");
+		const clientParticipantId = typeof keygen.clientParticipantId === "number" ? keygen.clientParticipantId : void 0;
+		const relayerParticipantId = typeof keygen.relayerParticipantId === "number" ? keygen.relayerParticipantId : void 0;
+		return {
+			success: true,
+			publicKey,
+			clientParticipantId,
+			relayerParticipantId,
+			participantIds: Array.isArray(keygen.participantIds) ? keygen.participantIds : void 0,
+			clientVerifyingShareB64u: derived.clientVerifyingShareB64u,
+			relayerKeyId,
+			relayerVerifyingShareB64u,
+			wrapKeySalt: derived.wrapKeySalt
+		};
+	} catch (error) {
+		const message = String(error?.message ?? error);
+		return {
+			success: false,
+			publicKey: "",
+			clientVerifyingShareB64u: "",
+			relayerKeyId: "",
+			relayerVerifyingShareB64u: "",
+			wrapKeySalt: "",
+			error: message
+		};
+	}
+}
+//#endregion
+export { enrollThresholdEd25519KeyHandler };
+//# sourceMappingURL=enrollThresholdEd25519Key.js.map

package/dist/esm/react/src/core/WebAuthnManager/threshold/enrollThresholdEd25519Key.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"enrollThresholdEd25519Key.js","names":["error: unknown"],"sources":["../../../../../../../src/core/WebAuthnManager/threshold/enrollThresholdEd25519Key.ts"],"sourcesContent":["import type { NearClient } from '../../NearClient';\nimport { IndexedDBManager } from '../../IndexedDBManager';\nimport { toAccountId, type AccountId } from '../../types/accountIds';\nimport type { VRFChallenge, VRFInputData } from '../../types/vrf-worker';\nimport { thresholdEd25519Keygen } from '../../rpcCalls';\nimport { computeThresholdEd25519KeygenIntentDigest } from '../../digests/intentDigest';\nimport { ensureEd25519Prefix } from '../../../utils/validation';\nimport type { TouchIdPrompt } from '../touchIdPrompt';\nimport { collectAuthenticationCredentialForVrfChallenge } from '../collectAuthenticationCredentialForVrfChallenge';\n\ntype DeriveThresholdClientShareResult = {\n success: boolean;\n clientVerifyingShareB64u: string;\n wrapKeySalt: string;\n error?: string;\n};\n\nexport type EnrollThresholdEd25519KeyHandlerContext = {\n nearClient: NearClient;\n vrfWorkerManager: {\n generateVrfChallengeOnce: (inputData: VRFInputData) => Promise<VRFChallenge>;\n };\n signerWorkerManager: {\n deriveThresholdEd25519ClientVerifyingShare: (args: {\n sessionId: string;\n nearAccountId: AccountId;\n }) => Promise<DeriveThresholdClientShareResult>;\n };\n touchIdPrompt: Pick<\n TouchIdPrompt,\n 'getRpId' | 'getAuthenticationCredentialsSerialized' | 'getAuthenticationCredentialsSerializedDualPrf'\n >;\n relayerUrl: string;\n};\n\n/**\n * Threshold keygen helper (2-of-2):\n * - derive deterministic client verifying share from WrapKeySeed (via signer worker session)\n * - run `/threshold-ed25519/keygen` to fetch relayer share + group public key\n */\nexport async function enrollThresholdEd25519KeyHandler(\n ctx: EnrollThresholdEd25519KeyHandlerContext,\n args: {\n sessionId: string;\n nearAccountId: AccountId | string;\n }\n): Promise<{\n success: boolean;\n publicKey: string;\n clientParticipantId?: number;\n relayerParticipantId?: number;\n participantIds?: number[];\n clientVerifyingShareB64u: string;\n relayerKeyId: string;\n relayerVerifyingShareB64u: string;\n wrapKeySalt: string;\n error?: string;\n}> {\n const nearAccountId = toAccountId(args.nearAccountId);\n const sessionId = String(args.sessionId || '').trim();\n const relayerUrl = String(ctx.relayerUrl || '').trim();\n\n try {\n if (!sessionId) throw new Error('Missing sessionId');\n if (!relayerUrl) throw new Error('Missing relayer url (configs.relayer.url)');\n\n const derived = await ctx.signerWorkerManager.deriveThresholdEd25519ClientVerifyingShare({\n sessionId,\n nearAccountId,\n });\n if (!derived.success) {\n throw new Error(derived.error || 'Failed to derive threshold client verifying share');\n }\n\n const rpId = ctx.touchIdPrompt.getRpId();\n if (!rpId) throw new Error('Missing rpId for WebAuthn VRF challenge');\n\n // Keygen intent digest must bind the client verifying share; compute it before generating the VRF challenge.\n const keygenIntentDigestB64u = await computeThresholdEd25519KeygenIntentDigest({\n nearAccountId,\n rpId,\n clientVerifyingShareB64u: derived.clientVerifyingShareB64u,\n });\n\n // Fetch a fresh block height/hash for VRF freshness validation.\n const block = await ctx.nearClient.viewBlock({ finality: 'final' } as any);\n const blockHeight = String((block as any)?.header?.height ?? '');\n const blockHash = String((block as any)?.header?.hash ?? '');\n if (!blockHeight || !blockHash) throw new Error('Failed to fetch NEAR block context for keygen VRF challenge');\n\n const vrfChallenge = await ctx.vrfWorkerManager.generateVrfChallengeOnce({\n userId: nearAccountId,\n rpId,\n blockHeight,\n blockHash,\n intentDigest: keygenIntentDigestB64u,\n });\n\n // Collect a WebAuthn authentication credential with the VRF output as challenge.\n const webauthnAuthentication = await collectAuthenticationCredentialForVrfChallenge({\n indexedDB: IndexedDBManager,\n touchIdPrompt: ctx.touchIdPrompt,\n nearAccountId,\n vrfChallenge,\n });\n\n const keygen = await thresholdEd25519Keygen(relayerUrl, vrfChallenge, webauthnAuthentication, {\n clientVerifyingShareB64u: derived.clientVerifyingShareB64u,\n nearAccountId,\n });\n if (!keygen.ok) {\n throw new Error(keygen.error || keygen.message || keygen.code || 'Threshold keygen failed');\n }\n\n const publicKeyRaw = keygen.publicKey;\n const relayerKeyId = keygen.relayerKeyId;\n const relayerVerifyingShareB64u = keygen.relayerVerifyingShareB64u;\n if (!publicKeyRaw) throw new Error('Threshold keygen returned empty publicKey');\n if (!relayerKeyId) throw new Error('Threshold keygen returned empty relayerKeyId');\n if (!relayerVerifyingShareB64u) throw new Error('Threshold keygen returned empty relayerVerifyingShareB64u');\n\n const publicKey = ensureEd25519Prefix(publicKeyRaw);\n if (!publicKey) throw new Error('Threshold keygen returned empty publicKey');\n\n const clientParticipantId = typeof keygen.clientParticipantId === 'number' ? keygen.clientParticipantId : undefined;\n const relayerParticipantId = typeof keygen.relayerParticipantId === 'number' ? keygen.relayerParticipantId : undefined;\n\n return {\n success: true,\n publicKey,\n clientParticipantId,\n relayerParticipantId,\n participantIds: Array.isArray(keygen.participantIds) ? keygen.participantIds : undefined,\n clientVerifyingShareB64u: derived.clientVerifyingShareB64u,\n relayerKeyId,\n relayerVerifyingShareB64u,\n wrapKeySalt: derived.wrapKeySalt,\n };\n } catch (error: unknown) {\n const message = String((error as { message?: unknown })?.message ?? error);\n return { success: false, publicKey: '', clientVerifyingShareB64u: '', relayerKeyId: '', relayerVerifyingShareB64u: '', wrapKeySalt: '', error: message };\n }\n}\n"],"mappings":";;;;;;;;;;;;;AAwCA,eAAsB,iCACpB,KACA,MAeC;CACD,MAAM,gBAAgB,YAAY,KAAK;CACvC,MAAM,YAAY,OAAO,KAAK,aAAa,IAAI;CAC/C,MAAM,aAAa,OAAO,IAAI,cAAc,IAAI;AAEhD,KAAI;AACF,MAAI,CAAC,UAAW,OAAM,IAAI,MAAM;AAChC,MAAI,CAAC,WAAY,OAAM,IAAI,MAAM;EAEjC,MAAM,UAAU,MAAM,IAAI,oBAAoB,2CAA2C;GACvF;GACA;;AAEF,MAAI,CAAC,QAAQ,QACX,OAAM,IAAI,MAAM,QAAQ,SAAS;EAGnC,MAAM,OAAO,IAAI,cAAc;AAC/B,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM;EAG3B,MAAM,yBAAyB,MAAM,0CAA0C;GAC7E;GACA;GACA,0BAA0B,QAAQ;;EAIpC,MAAM,QAAQ,MAAM,IAAI,WAAW,UAAU,EAAE,UAAU;EACzD,MAAM,cAAc,OAAQ,OAAe,QAAQ,UAAU;EAC7D,MAAM,YAAY,OAAQ,OAAe,QAAQ,QAAQ;AACzD,MAAI,CAAC,eAAe,CAAC,UAAW,OAAM,IAAI,MAAM;EAEhD,MAAM,eAAe,MAAM,IAAI,iBAAiB,yBAAyB;GACvE,QAAQ;GACR;GACA;GACA;GACA,cAAc;;EAIhB,MAAM,yBAAyB,MAAM,+CAA+C;GAClF,WAAW;GACX,eAAe,IAAI;GACnB;GACA;;EAGF,MAAM,SAAS,MAAM,uBAAuB,YAAY,cAAc,wBAAwB;GAC5F,0BAA0B,QAAQ;GAClC;;AAEF,MAAI,CAAC,OAAO,GACV,OAAM,IAAI,MAAM,OAAO,SAAS,OAAO,WAAW,OAAO,QAAQ;EAGnE,MAAM,eAAe,OAAO;EAC5B,MAAM,eAAe,OAAO;EAC5B,MAAM,4BAA4B,OAAO;AACzC,MAAI,CAAC,aAAc,OAAM,IAAI,MAAM;AACnC,MAAI,CAAC,aAAc,OAAM,IAAI,MAAM;AACnC,MAAI,CAAC,0BAA2B,OAAM,IAAI,MAAM;EAEhD,MAAM,YAAY,oBAAoB;AACtC,MAAI,CAAC,UAAW,OAAM,IAAI,MAAM;EAEhC,MAAM,sBAAsB,OAAO,OAAO,wBAAwB,WAAW,OAAO,sBAAsB;EAC1G,MAAM,uBAAuB,OAAO,OAAO,yBAAyB,WAAW,OAAO,uBAAuB;AAE7G,SAAO;GACL,SAAS;GACT;GACA;GACA;GACA,gBAAgB,MAAM,QAAQ,OAAO,kBAAkB,OAAO,iBAAiB;GAC/E,0BAA0B,QAAQ;GAClC;GACA;GACA,aAAa,QAAQ;;UAEhBA,OAAgB;EACvB,MAAM,UAAU,OAAQ,OAAiC,WAAW;AACpE,SAAO;GAAE,SAAS;GAAO,WAAW;GAAI,0BAA0B;GAAI,cAAc;GAAI,2BAA2B;GAAI,aAAa;GAAI,OAAO"}

package/dist/esm/react/src/core/WebAuthnManager/threshold/rotateThresholdEd25519KeyPostRegistration.js ADDED Viewed

@@ -0,0 +1,144 @@
+import { ensureEd25519Prefix } from "../../../utils/validation.js";
+import { toAccountId } from "../../types/accountIds.js";
+import { IndexedDBManager } from "../../IndexedDBManager/index.js";
+import { DEFAULT_WAIT_STATUS } from "../../types/rpc.js";
+import { ActionType } from "../../types/actions.js";
+import { hasAccessKey, waitForAccessKeyAbsent } from "../../rpcCalls.js";
+//#region src/core/WebAuthnManager/threshold/rotateThresholdEd25519KeyPostRegistration.ts
+/**
+* Threshold key rotation (post-registration):
+* - keygen (new relayerKeyId + publicKey)
+* - AddKey(new threshold publicKey)
+* - DeleteKey(old threshold publicKey)
+*
+* Uses the local signer key for AddKey/DeleteKey, and requires the account to already
+* have a stored `threshold_ed25519_2p_v1` key material entry for the target device.
+*/
+async function rotateThresholdEd25519KeyPostRegistrationHandler(ctx, args) {
+	const nearAccountId = toAccountId(args.nearAccountId);
+	const oldPublicKey = String(args.oldPublicKey || "");
+	const oldRelayerKeyId = String(args.oldRelayerKeyId || "");
+	const newPublicKey = String(args.newPublicKey || "");
+	const newRelayerKeyId = String(args.newRelayerKeyId || "");
+	const wrapKeySalt = String(args.wrapKeySalt || "");
+	const base = {
+		oldPublicKey,
+		oldRelayerKeyId,
+		publicKey: newPublicKey,
+		relayerKeyId: newRelayerKeyId,
+		wrapKeySalt
+	};
+	const ok = (params) => {
+		const { warning,...rest } = params;
+		return {
+			success: true,
+			...base,
+			...rest,
+			...warning ? { warning } : {}
+		};
+	};
+	try {
+		const deviceNumber = Number(args.deviceNumber);
+		const resolvedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : NaN;
+		if (!Number.isSafeInteger(resolvedDeviceNumber) || resolvedDeviceNumber < 1) throw new Error("Invalid deviceNumber");
+		const oldNormalized = ensureEd25519Prefix(oldPublicKey);
+		const newNormalized = ensureEd25519Prefix(newPublicKey);
+		if (!oldNormalized) return ok({
+			deleteOldKeyAttempted: false,
+			deleteOldKeySuccess: false,
+			warning: "Rotation completed but old threshold key material had an invalid publicKey; skipped DeleteKey."
+		});
+		if (oldNormalized === newNormalized) return ok({
+			deleteOldKeyAttempted: false,
+			deleteOldKeySuccess: true,
+			warning: "Rotation returned the same threshold public key; skipped DeleteKey(old)."
+		});
+		const localKeyMaterial = await IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, resolvedDeviceNumber);
+		if (!localKeyMaterial) return ok({
+			deleteOldKeyAttempted: false,
+			deleteOldKeySuccess: false,
+			warning: `Rotation completed but could not load local key material for DeleteKey(old) (account ${nearAccountId} device ${resolvedDeviceNumber}).`
+		});
+		const localPk = ensureEd25519Prefix(localKeyMaterial.publicKey);
+		if (localPk && localPk === oldNormalized) return ok({
+			deleteOldKeyAttempted: false,
+			deleteOldKeySuccess: false,
+			warning: "Refusing to DeleteKey(old) because it matches the local signer public key."
+		});
+		const oldOnChain = await hasAccessKey(ctx.nearClient, nearAccountId, oldPublicKey, {
+			attempts: 1,
+			delayMs: 0
+		});
+		if (!oldOnChain) return ok({
+			deleteOldKeyAttempted: false,
+			deleteOldKeySuccess: true
+		});
+		const deleteKeyAction = {
+			action_type: ActionType.DeleteKey,
+			public_key: oldNormalized
+		};
+		const txInputs = [{
+			receiverId: nearAccountId,
+			actions: [deleteKeyAction]
+		}];
+		let deleteOldKeyAttempted = false;
+		try {
+			const rpcCall = {
+				contractId: ctx.contractId,
+				nearRpcUrl: ctx.nearRpcUrl,
+				nearAccountId
+			};
+			const signed = await ctx.signTransactionsWithActions({
+				transactions: txInputs,
+				rpcCall,
+				signerMode: { mode: "local-signer" },
+				confirmationConfigOverride: {
+					uiMode: "skip",
+					behavior: "autoProceed",
+					autoProceedDelay: 0
+				},
+				title: "Rotate threshold key",
+				body: "Confirm deletion of the old threshold access key."
+			});
+			const signedTx = signed?.[0]?.signedTransaction;
+			if (!signedTx) throw new Error("Failed to sign DeleteKey(oldThresholdPublicKey) transaction");
+			deleteOldKeyAttempted = true;
+			await ctx.nearClient.sendTransaction(signedTx, DEFAULT_WAIT_STATUS.linkDeviceDeleteKey);
+			const deleted = await waitForAccessKeyAbsent(ctx.nearClient, nearAccountId, oldPublicKey);
+			if (!deleted) return ok({
+				deleteOldKeyAttempted,
+				deleteOldKeySuccess: false,
+				warning: "DeleteKey(old) submitted but old access key is still present on-chain."
+			});
+			return ok({
+				deleteOldKeyAttempted,
+				deleteOldKeySuccess: true
+			});
+		} catch (error) {
+			const message = String(error?.message ?? error);
+			return ok({
+				deleteOldKeyAttempted,
+				deleteOldKeySuccess: false,
+				warning: `Rotation completed but failed to DeleteKey(old): ${message}`
+			});
+		}
+	} catch (error) {
+		const message = String(error?.message ?? error);
+		return {
+			success: false,
+			oldPublicKey,
+			oldRelayerKeyId,
+			publicKey: "",
+			relayerKeyId: "",
+			wrapKeySalt: "",
+			deleteOldKeyAttempted: false,
+			deleteOldKeySuccess: false,
+			error: message
+		};
+	}
+}
+//#endregion
+export { rotateThresholdEd25519KeyPostRegistrationHandler };
+//# sourceMappingURL=rotateThresholdEd25519KeyPostRegistration.js.map

package/dist/esm/react/src/core/WebAuthnManager/threshold/rotateThresholdEd25519KeyPostRegistration.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rotateThresholdEd25519KeyPostRegistration.js","names":["deleteKeyAction: ActionArgsWasm","txInputs: TransactionInputWasm[]","rpcCall: RpcCallPayload","error: unknown"],"sources":["../../../../../../../src/core/WebAuthnManager/threshold/rotateThresholdEd25519KeyPostRegistration.ts"],"sourcesContent":["import type { NearClient } from '../../NearClient';\nimport { IndexedDBManager } from '../../IndexedDBManager';\nimport { hasAccessKey, waitForAccessKeyAbsent } from '../../rpcCalls';\nimport { ensureEd25519Prefix } from '../../../utils/validation';\nimport { ActionType, type ActionArgsWasm, type TransactionInputWasm } from '../../types/actions';\nimport { toAccountId, type AccountId } from '../../types/accountIds';\nimport { DEFAULT_WAIT_STATUS } from '../../types/rpc';\nimport type {\n ConfirmationConfig,\n RpcCallPayload,\n SignerMode,\n} from '../../types/signer-worker';\nimport type { SignTransactionResult } from '../../types/tatchi';\n\nexport type RotateThresholdEd25519KeyPostRegistrationHandlerContext = {\n nearClient: NearClient;\n contractId: string;\n nearRpcUrl: string;\n signTransactionsWithActions: (args: {\n transactions: TransactionInputWasm[];\n rpcCall: RpcCallPayload;\n signerMode: SignerMode;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n title?: string;\n body?: string;\n }) => Promise<SignTransactionResult[]>;\n};\n\n/**\n * Threshold key rotation (post-registration):\n * - keygen (new relayerKeyId + publicKey)\n * - AddKey(new threshold publicKey)\n * - DeleteKey(old threshold publicKey)\n *\n * Uses the local signer key for AddKey/DeleteKey, and requires the account to already\n * have a stored `threshold_ed25519_2p_v1` key material entry for the target device.\n */\nexport async function rotateThresholdEd25519KeyPostRegistrationHandler(\n ctx: RotateThresholdEd25519KeyPostRegistrationHandlerContext,\n args: {\n nearAccountId: AccountId | string;\n deviceNumber: number;\n oldPublicKey: string;\n oldRelayerKeyId: string;\n newPublicKey: string;\n newRelayerKeyId: string;\n wrapKeySalt: string;\n }\n): Promise<{\n success: boolean;\n oldPublicKey: string;\n oldRelayerKeyId: string;\n publicKey: string;\n relayerKeyId: string;\n wrapKeySalt: string;\n deleteOldKeyAttempted: boolean;\n deleteOldKeySuccess: boolean;\n warning?: string;\n error?: string;\n}> {\n const nearAccountId = toAccountId(args.nearAccountId);\n\n const oldPublicKey = String(args.oldPublicKey || '');\n const oldRelayerKeyId = String(args.oldRelayerKeyId || '');\n const newPublicKey = String(args.newPublicKey || '');\n const newRelayerKeyId = String(args.newRelayerKeyId || '');\n const wrapKeySalt = String(args.wrapKeySalt || '');\n\n const base = {\n oldPublicKey,\n oldRelayerKeyId,\n publicKey: newPublicKey,\n relayerKeyId: newRelayerKeyId,\n wrapKeySalt,\n };\n\n const ok = (params: { deleteOldKeyAttempted: boolean; deleteOldKeySuccess: boolean; warning?: string }) => {\n const { warning, ...rest } = params;\n return {\n success: true,\n ...base,\n ...rest,\n ...(warning ? { warning } : {}),\n };\n };\n\n try {\n const deviceNumber = Number(args.deviceNumber);\n const resolvedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : NaN;\n if (!Number.isSafeInteger(resolvedDeviceNumber) || resolvedDeviceNumber < 1) {\n throw new Error('Invalid deviceNumber');\n }\n\n const oldNormalized = ensureEd25519Prefix(oldPublicKey);\n const newNormalized = ensureEd25519Prefix(newPublicKey);\n\n if (!oldNormalized) {\n return ok({\n deleteOldKeyAttempted: false,\n deleteOldKeySuccess: false,\n warning: 'Rotation completed but old threshold key material had an invalid publicKey; skipped DeleteKey.',\n });\n }\n\n if (oldNormalized === newNormalized) {\n return ok({\n deleteOldKeyAttempted: false,\n deleteOldKeySuccess: true,\n warning: 'Rotation returned the same threshold public key; skipped DeleteKey(old).',\n });\n }\n\n const localKeyMaterial = await IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, resolvedDeviceNumber);\n if (!localKeyMaterial) {\n return ok({\n deleteOldKeyAttempted: false,\n deleteOldKeySuccess: false,\n warning: `Rotation completed but could not load local key material for DeleteKey(old) (account ${nearAccountId} device ${resolvedDeviceNumber}).`,\n });\n }\n\n const localPk = ensureEd25519Prefix(localKeyMaterial.publicKey);\n if (localPk && localPk === oldNormalized) {\n return ok({\n deleteOldKeyAttempted: false,\n deleteOldKeySuccess: false,\n warning: 'Refusing to DeleteKey(old) because it matches the local signer public key.',\n });\n }\n\n const oldOnChain = await hasAccessKey(ctx.nearClient, nearAccountId, oldPublicKey, { attempts: 1, delayMs: 0 });\n if (!oldOnChain) {\n return ok({ deleteOldKeyAttempted: false, deleteOldKeySuccess: true });\n }\n\n const deleteKeyAction: ActionArgsWasm = {\n action_type: ActionType.DeleteKey,\n public_key: oldNormalized,\n };\n\n const txInputs: TransactionInputWasm[] = [\n {\n receiverId: nearAccountId,\n actions: [deleteKeyAction],\n },\n ];\n\n let deleteOldKeyAttempted = false;\n try {\n const rpcCall: RpcCallPayload = {\n contractId: ctx.contractId,\n nearRpcUrl: ctx.nearRpcUrl,\n nearAccountId,\n };\n\n const signed = await ctx.signTransactionsWithActions({\n transactions: txInputs,\n rpcCall,\n signerMode: { mode: 'local-signer' },\n confirmationConfigOverride: {\n uiMode: 'skip',\n behavior: 'autoProceed',\n autoProceedDelay: 0,\n },\n title: 'Rotate threshold key',\n body: 'Confirm deletion of the old threshold access key.',\n });\n\n const signedTx = signed?.[0]?.signedTransaction;\n if (!signedTx) throw new Error('Failed to sign DeleteKey(oldThresholdPublicKey) transaction');\n deleteOldKeyAttempted = true;\n\n await ctx.nearClient.sendTransaction(signedTx, DEFAULT_WAIT_STATUS.linkDeviceDeleteKey);\n\n const deleted = await waitForAccessKeyAbsent(ctx.nearClient, nearAccountId, oldPublicKey);\n if (!deleted) {\n return ok({\n deleteOldKeyAttempted,\n deleteOldKeySuccess: false,\n warning: 'DeleteKey(old) submitted but old access key is still present on-chain.',\n });\n }\n\n return ok({ deleteOldKeyAttempted, deleteOldKeySuccess: true });\n } catch (error: unknown) {\n const message = String((error as { message?: unknown })?.message ?? error);\n return ok({\n deleteOldKeyAttempted,\n deleteOldKeySuccess: false,\n warning: `Rotation completed but failed to DeleteKey(old): ${message}`,\n });\n }\n } catch (error: unknown) {\n const message = String((error as { message?: unknown })?.message ?? error);\n return {\n success: false,\n oldPublicKey,\n oldRelayerKeyId,\n publicKey: '',\n relayerKeyId: '',\n wrapKeySalt: '',\n deleteOldKeyAttempted: false,\n deleteOldKeySuccess: false,\n error: message,\n };\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAqCA,eAAsB,iDACpB,KACA,MAoBC;CACD,MAAM,gBAAgB,YAAY,KAAK;CAEvC,MAAM,eAAe,OAAO,KAAK,gBAAgB;CACjD,MAAM,kBAAkB,OAAO,KAAK,mBAAmB;CACvD,MAAM,eAAe,OAAO,KAAK,gBAAgB;CACjD,MAAM,kBAAkB,OAAO,KAAK,mBAAmB;CACvD,MAAM,cAAc,OAAO,KAAK,eAAe;CAE/C,MAAM,OAAO;EACX;EACA;EACA,WAAW;EACX,cAAc;EACd;;CAGF,MAAM,MAAM,WAA+F;EACzG,MAAM,EAAE,QAAS,GAAG,SAAS;AAC7B,SAAO;GACL,SAAS;GACT,GAAG;GACH,GAAG;GACH,GAAI,UAAU,EAAE,YAAY;;;AAIhC,KAAI;EACF,MAAM,eAAe,OAAO,KAAK;EACjC,MAAM,uBAAuB,OAAO,cAAc,iBAAiB,gBAAgB,IAAI,eAAe;AACtG,MAAI,CAAC,OAAO,cAAc,yBAAyB,uBAAuB,EACxE,OAAM,IAAI,MAAM;EAGlB,MAAM,gBAAgB,oBAAoB;EAC1C,MAAM,gBAAgB,oBAAoB;AAE1C,MAAI,CAAC,cACH,QAAO,GAAG;GACR,uBAAuB;GACvB,qBAAqB;GACrB,SAAS;;AAIb,MAAI,kBAAkB,cACpB,QAAO,GAAG;GACR,uBAAuB;GACvB,qBAAqB;GACrB,SAAS;;EAIb,MAAM,mBAAmB,MAAM,iBAAiB,WAAW,oBAAoB,eAAe;AAC9F,MAAI,CAAC,iBACH,QAAO,GAAG;GACR,uBAAuB;GACvB,qBAAqB;GACrB,SAAS,wFAAwF,cAAc,UAAU,qBAAqB;;EAIlJ,MAAM,UAAU,oBAAoB,iBAAiB;AACrD,MAAI,WAAW,YAAY,cACzB,QAAO,GAAG;GACR,uBAAuB;GACvB,qBAAqB;GACrB,SAAS;;EAIb,MAAM,aAAa,MAAM,aAAa,IAAI,YAAY,eAAe,cAAc;GAAE,UAAU;GAAG,SAAS;;AAC3G,MAAI,CAAC,WACH,QAAO,GAAG;GAAE,uBAAuB;GAAO,qBAAqB;;EAGjE,MAAMA,kBAAkC;GACtC,aAAa,WAAW;GACxB,YAAY;;EAGd,MAAMC,WAAmC,CACvC;GACE,YAAY;GACZ,SAAS,CAAC;;EAId,IAAI,wBAAwB;AAC5B,MAAI;GACF,MAAMC,UAA0B;IAC9B,YAAY,IAAI;IAChB,YAAY,IAAI;IAChB;;GAGF,MAAM,SAAS,MAAM,IAAI,4BAA4B;IACnD,cAAc;IACd;IACA,YAAY,EAAE,MAAM;IACpB,4BAA4B;KAC1B,QAAQ;KACR,UAAU;KACV,kBAAkB;;IAEpB,OAAO;IACP,MAAM;;GAGR,MAAM,WAAW,SAAS,IAAI;AAC9B,OAAI,CAAC,SAAU,OAAM,IAAI,MAAM;AAC/B,2BAAwB;AAExB,SAAM,IAAI,WAAW,gBAAgB,UAAU,oBAAoB;GAEnE,MAAM,UAAU,MAAM,uBAAuB,IAAI,YAAY,eAAe;AAC5E,OAAI,CAAC,QACH,QAAO,GAAG;IACR;IACA,qBAAqB;IACrB,SAAS;;AAIb,UAAO,GAAG;IAAE;IAAuB,qBAAqB;;WACjDC,OAAgB;GACvB,MAAM,UAAU,OAAQ,OAAiC,WAAW;AACpE,UAAO,GAAG;IACR;IACA,qBAAqB;IACrB,SAAS,oDAAoD;;;UAG1DA,OAAgB;EACvB,MAAM,UAAU,OAAQ,OAAiC,WAAW;AACpE,SAAO;GACL,SAAS;GACT;GACA;GACA,WAAW;GACX,cAAc;GACd,aAAa;GACb,uBAAuB;GACvB,qBAAqB;GACrB,OAAO"}