npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/esm/server/core/ThresholdService/ThresholdSigningService.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ThresholdSigningService.js","names":["rpId: string | null","e: unknown","outcome: FinalExecutionOutcome","nearAccountId","rpId","keygen","publicKey","keyMaterial","relayerKeyId"],"sources":["../../../../../src/server/core/ThresholdService/ThresholdSigningService.ts"],"sourcesContent":["import type { NormalizedLogger } from '../logger';\nimport { base64Decode, base64UrlEncode } from '../../../utils/encoders';\nimport { toOptionalTrimmedString } from '../../../utils/validation';\nimport type { AccessKeyList } from '../../../core/NearClient';\nimport type { FinalExecutionOutcome } from '@near-js/types';\nimport type { ThresholdEd25519KeyStore } from './stores/KeyStore';\nimport type {\n ThresholdEd25519SessionStore,\n} from './stores/SessionStore';\nimport type {\n ThresholdEd25519AuthSessionStore,\n ThresholdEd25519AuthSessionRecord,\n} from './stores/AuthSessionStore';\nimport type { ThresholdEd25519KeygenStrategy } from './keygenStrategy';\nimport { ThresholdEd25519KeygenStrategyV1 } from './keygenStrategy';\nimport type {\n VerifyAuthenticationRequest,\n VerifyAuthenticationResponse,\n ThresholdEd25519AuthorizeRequest,\n ThresholdEd25519AuthorizeResponse,\n ThresholdEd25519SessionRequest,\n ThresholdEd25519SessionResponse,\n ThresholdEd25519AuthorizeWithSessionRequest,\n ThresholdEd25519KeygenRequest,\n ThresholdEd25519KeygenResponse,\n ThresholdEd25519CosignInitRequest,\n ThresholdEd25519CosignInitResponse,\n ThresholdEd25519CosignFinalizeRequest,\n ThresholdEd25519CosignFinalizeResponse,\n ThresholdEd25519SignInitRequest,\n ThresholdEd25519SignInitResponse,\n ThresholdEd25519SignFinalizeRequest,\n ThresholdEd25519SignFinalizeResponse,\n ThresholdEd25519KeyStoreConfigInput,\n} from '../types';\nimport {\n threshold_ed25519_compute_delegate_signing_digest,\n threshold_ed25519_compute_near_tx_signing_digests,\n threshold_ed25519_compute_nep413_signing_digest,\n} from '../../../wasm_signer_worker/pkg/wasm_signer_worker.js';\nimport {\n bytesEqual32,\n ensureRelayerKeyIsActiveAccessKey,\n extractAuthorizeSigningPublicKey,\n isObject,\n normalizeByteArray32,\n verifyThresholdEd25519AuthorizeSigningPayloadSigningDigestOnly,\n verifyThresholdEd25519AuthorizeSigningPayload,\n} from './validation';\nimport { alphabetizeStringify, sha256BytesUtf8 } from '../../../utils/digests';\nimport {\n normalizeThresholdEd25519ParticipantIds,\n normalizeThresholdEd25519ParticipantId,\n} from '../../../threshold/participants';\nimport type { ThresholdEd25519ShareMode } from './config';\nimport {\n coerceThresholdEd25519ShareMode,\n coerceThresholdNodeRole,\n parseThresholdCoordinatorSharedSecretBytes,\n parseThresholdEd25519ParticipantIds2p,\n parseThresholdRelayerCosignerThreshold,\n parseThresholdRelayerCosigners,\n validateThresholdEd25519MasterSecretB64u,\n} from './config';\nimport { ThresholdEd25519SigningHandlers } from './signingHandlers';\nimport { resolveThresholdEd25519RelayerKeyMaterial, shouldUseDerivedRelayerShares } from './relayerKeyMaterial';\n\ntype ParseOk<T> = { ok: true; value: T };\ntype ParseErr = { ok: false; code: string; message: string };\ntype ParseResult<T> = ParseOk<T> | ParseErr;\n\ntype ParsedThresholdEd25519KeygenRequest =\n | {\n kind: 'registration_tx';\n nearAccountId: string;\n clientVerifyingShareB64u: string;\n registrationTxHash: string;\n }\n | {\n kind: 'webauthn';\n nearAccountId: string;\n clientVerifyingShareB64u: string;\n rpId: string;\n intentDigest32: Uint8Array;\n };\n\nfunction parseThresholdEd25519KeygenRequest(request: ThresholdEd25519KeygenRequest): ParseResult<ParsedThresholdEd25519KeygenRequest> {\n const rec = (request || {}) as unknown as Record<string, unknown>;\n const nearAccountId = toOptionalTrimmedString(rec.nearAccountId);\n if (!nearAccountId) {\n return { ok: false, code: 'invalid_body', message: 'nearAccountId is required' };\n }\n const clientVerifyingShareB64u = toOptionalTrimmedString(rec.clientVerifyingShareB64u);\n if (!clientVerifyingShareB64u) {\n return { ok: false, code: 'invalid_body', message: 'clientVerifyingShareB64u is required' };\n }\n\n if (Object.prototype.hasOwnProperty.call(rec, 'registrationTxHash')) {\n const registrationTxHash = toOptionalTrimmedString(rec.registrationTxHash);\n if (!registrationTxHash) {\n return { ok: false, code: 'invalid_body', message: 'registrationTxHash is required' };\n }\n return { ok: true, value: { kind: 'registration_tx', nearAccountId, clientVerifyingShareB64u, registrationTxHash } };\n }\n\n const vrfData = (rec as { vrf_data?: any }).vrf_data;\n const vrfUserId = toOptionalTrimmedString(vrfData?.user_id);\n if (!vrfUserId) {\n return { ok: false, code: 'invalid_body', message: 'vrf_data.user_id is required' };\n }\n if (vrfUserId !== nearAccountId) {\n return { ok: false, code: 'unauthorized', message: 'nearAccountId must match vrf_data.user_id' };\n }\n\n const rpId = toOptionalTrimmedString(vrfData?.rp_id);\n if (!rpId) {\n return { ok: false, code: 'invalid_body', message: 'vrf_data.rp_id is required' };\n }\n\n const intentDigest32 = normalizeByteArray32(vrfData?.intent_digest_32);\n if (!intentDigest32) {\n return {\n ok: false,\n code: 'invalid_body',\n message: 'vrf_data.intent_digest_32 (32 bytes) is required for threshold keygen',\n };\n }\n\n return { ok: true, value: { kind: 'webauthn', nearAccountId, clientVerifyingShareB64u, rpId, intentDigest32 } };\n}\n\nfunction parseThresholdEd25519AuthorizeRequest(request: ThresholdEd25519AuthorizeRequest): ParseResult<{\n relayerKeyId: string;\n clientVerifyingShareB64u: string;\n purpose: string;\n userId: string;\n rpId: string;\n intentDigest32: Uint8Array;\n signingDigest32: Uint8Array;\n signingPayload: unknown;\n}> {\n const rec = (request || {}) as unknown as Record<string, unknown>;\n const relayerKeyId = toOptionalTrimmedString(rec.relayerKeyId);\n if (!relayerKeyId) return { ok: false, code: 'invalid_body', message: 'relayerKeyId is required' };\n\n const purpose = toOptionalTrimmedString(rec.purpose);\n if (!purpose) return { ok: false, code: 'invalid_body', message: 'purpose is required' };\n\n const vrfData = (rec as { vrf_data?: any }).vrf_data;\n const userId = toOptionalTrimmedString(vrfData?.user_id);\n if (!userId) return { ok: false, code: 'invalid_body', message: 'vrf_data.user_id is required' };\n const rpId = toOptionalTrimmedString(vrfData?.rp_id);\n if (!rpId) return { ok: false, code: 'invalid_body', message: 'vrf_data.rp_id is required' };\n\n const clientVerifyingShareB64u = toOptionalTrimmedString(rec.clientVerifyingShareB64u);\n if (!clientVerifyingShareB64u) {\n return { ok: false, code: 'invalid_body', message: 'clientVerifyingShareB64u is required' };\n }\n\n const intentDigest32 = normalizeByteArray32(vrfData?.intent_digest_32);\n if (!intentDigest32) {\n return {\n ok: false,\n code: 'invalid_body',\n message: 'vrf_data.intent_digest_32 (32 bytes) is required for threshold authorization',\n };\n }\n\n const signingDigest32 = normalizeByteArray32(rec.signing_digest_32);\n if (!signingDigest32) {\n return {\n ok: false,\n code: 'invalid_body',\n message: 'signing_digest_32 (32 bytes) is required for threshold authorization',\n };\n }\n\n return {\n ok: true,\n value: {\n relayerKeyId,\n clientVerifyingShareB64u,\n purpose,\n userId,\n rpId,\n intentDigest32,\n signingDigest32,\n signingPayload: rec.signingPayload,\n },\n };\n}\n\nfunction parseThresholdEd25519AuthorizeWithSessionRequest(request: ThresholdEd25519AuthorizeWithSessionRequest): ParseResult<{\n relayerKeyId: string;\n clientVerifyingShareB64u: string;\n purpose: string;\n signingDigest32: Uint8Array;\n signingPayload: unknown;\n}> {\n const rec = (request || {}) as unknown as Record<string, unknown>;\n const relayerKeyId = toOptionalTrimmedString(rec.relayerKeyId);\n if (!relayerKeyId) return { ok: false, code: 'invalid_body', message: 'relayerKeyId is required' };\n const clientVerifyingShareB64u = toOptionalTrimmedString(rec.clientVerifyingShareB64u);\n if (!clientVerifyingShareB64u) {\n return { ok: false, code: 'invalid_body', message: 'clientVerifyingShareB64u is required' };\n }\n const purpose = toOptionalTrimmedString(rec.purpose);\n if (!purpose) return { ok: false, code: 'invalid_body', message: 'purpose is required' };\n const signingDigest32 = normalizeByteArray32(rec.signing_digest_32);\n if (!signingDigest32) {\n return { ok: false, code: 'invalid_body', message: 'signing_digest_32 (32 bytes) is required for threshold authorization' };\n }\n return { ok: true, value: { relayerKeyId, clientVerifyingShareB64u, purpose, signingDigest32, signingPayload: rec.signingPayload } };\n}\n\nfunction parseThresholdEd25519SessionRequest(\n request: ThresholdEd25519SessionRequest,\n participantIds2p: number[],\n): ParseResult<{\n relayerKeyId: string;\n clientVerifyingShareB64u: string;\n nearAccountId: string;\n rpId: string;\n sessionId: string;\n ttlMsRaw: number;\n remainingUsesRaw: number;\n policyParticipantIds: number[] | null;\n sessionPolicyDigest32: Uint8Array;\n}> {\n const rec = (request || {}) as unknown as Record<string, unknown>;\n const relayerKeyId = toOptionalTrimmedString(rec.relayerKeyId);\n if (!relayerKeyId) {\n return { ok: false, code: 'invalid_body', message: 'relayerKeyId is required' };\n }\n const clientVerifyingShareB64u = toOptionalTrimmedString(rec.clientVerifyingShareB64u);\n if (!clientVerifyingShareB64u) {\n return { ok: false, code: 'invalid_body', message: 'clientVerifyingShareB64u is required' };\n }\n\n const policyRaw = (rec as { sessionPolicy?: unknown }).sessionPolicy;\n if (!isObject(policyRaw)) {\n return { ok: false, code: 'invalid_body', message: 'sessionPolicy (object) is required' };\n }\n const version = toOptionalTrimmedString((policyRaw as Record<string, unknown>).version);\n if (version !== 'threshold_session_v1') {\n return { ok: false, code: 'invalid_body', message: 'sessionPolicy.version must be threshold_session_v1' };\n }\n const nearAccountId = toOptionalTrimmedString((policyRaw as Record<string, unknown>).nearAccountId);\n const rpId = toOptionalTrimmedString((policyRaw as Record<string, unknown>).rpId);\n const sessionId = toOptionalTrimmedString((policyRaw as Record<string, unknown>).sessionId);\n const policyRelayerKeyId = toOptionalTrimmedString((policyRaw as Record<string, unknown>).relayerKeyId);\n const ttlMsRaw = Number((policyRaw as Record<string, unknown>).ttlMs);\n const remainingUsesRaw = Number((policyRaw as Record<string, unknown>).remainingUses);\n if (!nearAccountId || !rpId || !sessionId || !policyRelayerKeyId) {\n return { ok: false, code: 'invalid_body', message: 'sessionPolicy{nearAccountId,rpId,relayerKeyId,sessionId} are required' };\n }\n if (policyRelayerKeyId !== relayerKeyId) {\n return { ok: false, code: 'invalid_body', message: 'sessionPolicy.relayerKeyId must match relayerKeyId' };\n }\n\n const policyHasParticipantIds = Object.prototype.hasOwnProperty.call(policyRaw, 'participantIds');\n const policyParticipantIds = normalizeThresholdEd25519ParticipantIds((policyRaw as Record<string, unknown>).participantIds);\n if (policyHasParticipantIds && !policyParticipantIds) {\n return { ok: false, code: 'invalid_body', message: 'sessionPolicy.participantIds must be a non-empty array of positive integers' };\n }\n if (policyParticipantIds) {\n if (policyParticipantIds.length < 2) {\n return { ok: false, code: 'invalid_body', message: 'sessionPolicy.participantIds must contain at least 2 participant ids' };\n }\n for (const id of participantIds2p) {\n if (!policyParticipantIds.includes(id)) {\n return { ok: false, code: 'unauthorized', message: `sessionPolicy.participantIds must include server signer set (expected to include participantIds=[${participantIds2p.join(',')}])` };\n }\n }\n }\n\n if (!Number.isFinite(ttlMsRaw) || ttlMsRaw <= 0) {\n return { ok: false, code: 'invalid_body', message: 'sessionPolicy.ttlMs must be a positive number' };\n }\n if (!Number.isFinite(remainingUsesRaw) || remainingUsesRaw <= 0) {\n return { ok: false, code: 'invalid_body', message: 'sessionPolicy.remainingUses must be a positive number' };\n }\n\n const vrfData = (rec as { vrf_data?: any }).vrf_data;\n const userId = toOptionalTrimmedString(vrfData?.user_id);\n if (!userId) return { ok: false, code: 'invalid_body', message: 'vrf_data.user_id is required' };\n if (userId !== nearAccountId) {\n return { ok: false, code: 'unauthorized', message: 'sessionPolicy.nearAccountId must match vrf_data.user_id' };\n }\n const vrfRpId = toOptionalTrimmedString(vrfData?.rp_id);\n if (!vrfRpId) return { ok: false, code: 'invalid_body', message: 'vrf_data.rp_id is required' };\n if (vrfRpId !== rpId) {\n return { ok: false, code: 'unauthorized', message: 'sessionPolicy.rpId must match vrf_data.rp_id' };\n }\n\n const sessionPolicyDigest32 = normalizeByteArray32(vrfData?.session_policy_digest_32);\n if (!sessionPolicyDigest32) {\n return { ok: false, code: 'invalid_body', message: 'vrf_data.session_policy_digest_32 (32 bytes) is required for threshold sessions' };\n }\n\n return {\n ok: true,\n value: {\n relayerKeyId,\n clientVerifyingShareB64u,\n nearAccountId,\n rpId,\n sessionId,\n ttlMsRaw,\n remainingUsesRaw,\n policyParticipantIds: policyParticipantIds || null,\n sessionPolicyDigest32,\n },\n };\n}\n\nexport class ThresholdSigningService {\n private readonly logger: NormalizedLogger;\n private readonly keyStore: ThresholdEd25519KeyStore;\n private readonly sessionStore: ThresholdEd25519SessionStore;\n private readonly authSessionStore: ThresholdEd25519AuthSessionStore;\n private readonly clientParticipantId: number;\n private readonly relayerParticipantId: number;\n private readonly participantIds2p: number[];\n private readonly shareMode: ThresholdEd25519ShareMode;\n private readonly relayerMasterSecretB64u: string | null;\n private readonly useDerivedRelayerShares: boolean;\n private readonly keygenStrategy: ThresholdEd25519KeygenStrategy;\n private readonly signingHandlers: ThresholdEd25519SigningHandlers;\n private readonly ensureReady: () => Promise<void>;\n private readonly ensureSignerWasm: () => Promise<void>;\n private readonly verifyAuthenticationResponse: (\n request: VerifyAuthenticationRequest\n ) => Promise<VerifyAuthenticationResponse>;\n private readonly viewAccessKeyList: (accountId: string) => Promise<AccessKeyList>;\n private readonly txStatus: (txHash: string, senderAccountId: string) => Promise<FinalExecutionOutcome>;\n private readonly webAuthnContractId: string;\n\n constructor(input: {\n logger: NormalizedLogger;\n keyStore: ThresholdEd25519KeyStore;\n sessionStore: ThresholdEd25519SessionStore;\n authSessionStore: ThresholdEd25519AuthSessionStore;\n config?: ThresholdEd25519KeyStoreConfigInput | null;\n ensureReady: () => Promise<void>;\n ensureSignerWasm: () => Promise<void>;\n verifyAuthenticationResponse: (request: VerifyAuthenticationRequest) => Promise<VerifyAuthenticationResponse>;\n viewAccessKeyList: (accountId: string) => Promise<AccessKeyList>;\n txStatus: (txHash: string, senderAccountId: string) => Promise<FinalExecutionOutcome>;\n webAuthnContractId: string;\n }) {\n this.logger = input.logger;\n this.keyStore = input.keyStore;\n this.sessionStore = input.sessionStore;\n this.authSessionStore = input.authSessionStore;\n const cfg = (isObject(input.config) ? input.config : {}) as Record<string, unknown>;\n\n const nodeRole = coerceThresholdNodeRole(cfg.THRESHOLD_NODE_ROLE);\n const coordinatorSharedSecretBytes =\n parseThresholdCoordinatorSharedSecretBytes(cfg.THRESHOLD_COORDINATOR_SHARED_SECRET_B64U);\n const relayerCosigners = parseThresholdRelayerCosigners(cfg.THRESHOLD_ED25519_RELAYER_COSIGNERS) || [];\n const relayerCosignerThreshold = parseThresholdRelayerCosignerThreshold(cfg.THRESHOLD_ED25519_RELAYER_COSIGNER_T);\n const relayerCosignerIdRaw = cfg.THRESHOLD_ED25519_RELAYER_COSIGNER_ID;\n const relayerCosignerId =\n relayerCosignerIdRaw === undefined ? null : normalizeThresholdEd25519ParticipantId(relayerCosignerIdRaw);\n if (nodeRole === 'cosigner' && !relayerCosignerId) {\n throw new Error('THRESHOLD_ED25519_RELAYER_COSIGNER_ID is required when THRESHOLD_NODE_ROLE=cosigner');\n }\n\n const ids = parseThresholdEd25519ParticipantIds2p({\n THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID: cfg.THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID,\n THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID: cfg.THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID,\n });\n this.clientParticipantId = ids.clientParticipantId;\n this.relayerParticipantId = ids.relayerParticipantId;\n this.participantIds2p = ids.participantIds2p;\n\n this.shareMode = coerceThresholdEd25519ShareMode(cfg.THRESHOLD_ED25519_SHARE_MODE);\n this.relayerMasterSecretB64u = validateThresholdEd25519MasterSecretB64u(cfg.THRESHOLD_ED25519_MASTER_SECRET_B64U);\n if (this.shareMode === 'derived' && !this.relayerMasterSecretB64u) {\n throw new Error('threshold-ed25519 derived share mode requires THRESHOLD_ED25519_MASTER_SECRET_B64U');\n }\n this.useDerivedRelayerShares = shouldUseDerivedRelayerShares({\n shareMode: this.shareMode,\n relayerMasterSecretB64u: this.relayerMasterSecretB64u,\n });\n this.ensureReady = input.ensureReady;\n this.ensureSignerWasm = input.ensureSignerWasm;\n this.verifyAuthenticationResponse = input.verifyAuthenticationResponse;\n this.viewAccessKeyList = input.viewAccessKeyList;\n this.txStatus = input.txStatus;\n this.webAuthnContractId = input.webAuthnContractId;\n this.keygenStrategy = new ThresholdEd25519KeygenStrategyV1({\n useDerivedShares: this.useDerivedRelayerShares,\n relayerMasterSecretB64u: this.relayerMasterSecretB64u,\n clientParticipantId: this.clientParticipantId,\n relayerParticipantId: this.relayerParticipantId,\n ensureSignerWasm: this.ensureSignerWasm,\n });\n this.signingHandlers = new ThresholdEd25519SigningHandlers({\n logger: this.logger,\n nodeRole,\n relayerCosigners,\n relayerCosignerThreshold,\n relayerCosignerId,\n coordinatorSharedSecretBytes,\n clientParticipantId: this.clientParticipantId,\n relayerParticipantId: this.relayerParticipantId,\n participantIds2p: this.participantIds2p,\n sessionStore: this.sessionStore,\n ensureReady: this.ensureReady,\n ensureSignerWasm: this.ensureSignerWasm,\n viewAccessKeyList: this.viewAccessKeyList,\n resolveRelayerKeyMaterial: (args) => this.resolveRelayerKeyMaterial(args),\n });\n }\n\n\t private async resolveRelayerKeyMaterial(input: {\n\t relayerKeyId: string;\n\t nearAccountId: string;\n\t rpId: string;\n\t clientVerifyingShareB64u: string;\n }): Promise<\n\t | { ok: true; publicKey: string; relayerSigningShareB64u: string; relayerVerifyingShareB64u: string }\n\t | { ok: false; code: string; message: string }\n\t > {\n\t return await resolveThresholdEd25519RelayerKeyMaterial({\n\t ...input,\n\t shareMode: this.shareMode,\n\t relayerMasterSecretB64u: this.relayerMasterSecretB64u,\n\t keyStore: this.keyStore,\n\t keygenStrategy: this.keygenStrategy,\n\t });\n\t }\n\n private clampSessionPolicy(input: { ttlMs: number; remainingUses: number }): { ttlMs: number; remainingUses: number } {\n const ttlMs = Math.max(0, Math.floor(Number(input.ttlMs) || 0));\n const remainingUses = Math.max(0, Math.floor(Number(input.remainingUses) || 0));\n // Hard caps (server-side). Session policy digest must be computed against these final values.\n const MAX_TTL_MS = 10 * 60_000;\n const MAX_USES = 20;\n return {\n ttlMs: Math.min(ttlMs, MAX_TTL_MS),\n remainingUses: Math.min(remainingUses, MAX_USES),\n };\n }\n\n private async computeSessionPolicyDigest32(policy: unknown): Promise<Uint8Array> {\n const json = alphabetizeStringify(policy);\n return await sha256BytesUtf8(json);\n }\n\n private async putAuthSessionRecord(input: {\n sessionId: string;\n record: ThresholdEd25519AuthSessionRecord;\n ttlMs: number;\n remainingUses: number;\n }): Promise<void> {\n await this.authSessionStore.putSession(input.sessionId, input.record, {\n ttlMs: input.ttlMs,\n remainingUses: input.remainingUses,\n });\n }\n\n private createThresholdEd25519MpcSessionId(): string {\n const id = typeof globalThis.crypto?.randomUUID === 'function'\n ? globalThis.crypto.randomUUID()\n : `${Date.now()}-${Math.random().toString(16).slice(2)}`;\n return `mpc-${id}`;\n }\n\n private createThresholdEd25519SigningSessionId(): string {\n const id = typeof globalThis.crypto?.randomUUID === 'function'\n ? globalThis.crypto.randomUUID()\n : `${Date.now()}-${Math.random().toString(16).slice(2)}`;\n return `sign-${id}`;\n }\n\n private getTxSuccessValueBase64(outcome: FinalExecutionOutcome): string | null {\n const status = (outcome as unknown as { status?: unknown })?.status;\n if (!status || typeof status !== 'object') return null;\n if (!('SuccessValue' in status)) return null;\n const value = (status as { SuccessValue?: unknown }).SuccessValue;\n return typeof value === 'string' && value.length > 0 ? value : null;\n }\n\n private parseTxSuccessValueJson(outcome: FinalExecutionOutcome): unknown {\n const successValueB64 = this.getTxSuccessValueBase64(outcome);\n if (!successValueB64) return null;\n const bytes = base64Decode(successValueB64);\n const text = new TextDecoder().decode(bytes);\n if (!text.trim()) return null;\n return JSON.parse(text) as unknown;\n }\n\n private validateLinkDeviceRegistrationTx(\n outcome: FinalExecutionOutcome,\n expectedNearAccountId: string,\n ): { ok: true; rpId?: string } | { ok: false; code: string; message: string } {\n const txUnknown = (outcome as unknown as { transaction?: unknown })?.transaction;\n if (!txUnknown || typeof txUnknown !== 'object') {\n return { ok: false, code: 'unauthorized', message: 'Registration transaction missing transaction metadata' };\n }\n let rpId: string | null = null;\n const tx = txUnknown as Record<string, unknown>;\n const signerId = toOptionalTrimmedString(tx.signer_id ?? tx.signerId);\n if (signerId && signerId !== expectedNearAccountId) {\n return { ok: false, code: 'unauthorized', message: 'Registration transaction signer_id mismatch' };\n }\n const receiverId = toOptionalTrimmedString(tx.receiver_id ?? tx.receiverId);\n if (receiverId && receiverId !== this.webAuthnContractId) {\n return { ok: false, code: 'unauthorized', message: 'Registration transaction receiver_id mismatch' };\n }\n\n const actions = Array.isArray(tx.actions) ? (tx.actions as unknown[]) : [];\n const fnCalls = actions\n .map((action) => (action && typeof action === 'object')\n ? ((action as Record<string, unknown>).FunctionCall ?? (action as Record<string, unknown>).function_call ?? null)\n : null)\n .filter((v): v is Record<string, unknown> => Boolean(v && typeof v === 'object'));\n\n const linkDeviceCall = fnCalls.find((fc) => toOptionalTrimmedString(fc.method_name ?? fc.methodName) === 'link_device_register_user');\n if (!linkDeviceCall) {\n return { ok: false, code: 'unauthorized', message: 'Registration transaction is not link_device_register_user' };\n }\n\n const argsB64 = toOptionalTrimmedString(linkDeviceCall.args);\n if (argsB64) {\n try {\n const argsText = new TextDecoder().decode(base64Decode(argsB64));\n const parsedArgs = JSON.parse(argsText) as unknown;\n if (parsedArgs && typeof parsedArgs === 'object') {\n const vrf = (parsedArgs as { vrf_data?: unknown }).vrf_data;\n if (vrf && typeof vrf === 'object') {\n const userId = toOptionalTrimmedString((vrf as { user_id?: unknown; userId?: unknown }).user_id ?? (vrf as { userId?: unknown }).userId);\n if (userId && userId !== expectedNearAccountId) {\n return { ok: false, code: 'unauthorized', message: 'Registration transaction vrf_data.user_id mismatch' };\n }\n rpId = toOptionalTrimmedString((vrf as { rp_id?: unknown; rpId?: unknown }).rp_id ?? (vrf as { rpId?: unknown }).rpId) || rpId;\n }\n }\n } catch {\n // tolerate arg decode/parse errors; we still validate via SuccessValue below.\n }\n }\n\n const successJson = this.parseTxSuccessValueJson(outcome);\n if (!successJson || typeof successJson !== 'object') {\n return { ok: false, code: 'unauthorized', message: 'Registration transaction missing JSON SuccessValue' };\n }\n const verified = (successJson as { verified?: unknown }).verified;\n if (verified !== true) {\n return { ok: false, code: 'not_verified', message: 'Registration transaction did not verify on-chain' };\n }\n\n return { ok: true, ...(rpId ? { rpId } : {}) };\n }\n\n /**\n * Registration helper (no WebAuthn verification):\n * compute a threshold group key from the client's verifying share and return the relayer share\n * material. Callers should persist the relayer share only after the on-chain AddKey is confirmed.\n */\n async keygenFromClientVerifyingShareForRegistration(input: {\n nearAccountId: string;\n rpId: string;\n clientVerifyingShareB64u: string;\n }): Promise<\n | {\n ok: true;\n clientParticipantId: number;\n relayerParticipantId: number;\n participantIds: number[];\n relayerKeyId: string;\n publicKey: string;\n relayerSigningShareB64u: string;\n relayerVerifyingShareB64u: string;\n }\n | { ok: false; code: string; message: string }\n > {\n try {\n await this.ensureReady();\n const nearAccountId = toOptionalTrimmedString(input.nearAccountId);\n if (!nearAccountId) {\n return { ok: false, code: 'invalid_body', message: 'nearAccountId is required' };\n }\n const rpId = toOptionalTrimmedString(input.rpId);\n if (!rpId) {\n return { ok: false, code: 'invalid_body', message: 'rpId is required' };\n }\n const clientVerifyingShareB64u = toOptionalTrimmedString(input.clientVerifyingShareB64u);\n if (!clientVerifyingShareB64u) {\n return { ok: false, code: 'invalid_body', message: 'clientVerifyingShareB64u is required' };\n }\n\n const keygen = await this.keygenStrategy.keygenFromClientVerifyingShare({\n nearAccountId,\n rpId,\n clientVerifyingShareB64u,\n });\n if (!keygen.ok) return keygen;\n const { keyMaterial } = keygen;\n\n return {\n ok: true,\n clientParticipantId: this.clientParticipantId,\n relayerParticipantId: this.relayerParticipantId,\n participantIds: [...this.participantIds2p],\n relayerKeyId: keyMaterial.relayerKeyId,\n publicKey: keyMaterial.publicKey,\n relayerSigningShareB64u: keyMaterial.relayerSigningShareB64u,\n relayerVerifyingShareB64u: keyMaterial.relayerVerifyingShareB64u,\n };\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Internal error');\n return { ok: false, code: 'internal', message: msg };\n }\n }\n\n async putRelayerKeyMaterial(input: {\n relayerKeyId: string;\n publicKey: string;\n relayerSigningShareB64u: string;\n relayerVerifyingShareB64u: string;\n }): Promise<void> {\n if (this.useDerivedRelayerShares) {\n // Stateless relayer mode: avoid persisting long-lived relayer signing shares.\n return;\n }\n const relayerKeyId = toOptionalTrimmedString(input.relayerKeyId);\n if (!relayerKeyId) throw new Error('Missing relayerKeyId');\n await this.keyStore.put(relayerKeyId, {\n publicKey: toOptionalTrimmedString(input.publicKey),\n relayerSigningShareB64u: toOptionalTrimmedString(input.relayerSigningShareB64u),\n relayerVerifyingShareB64u: toOptionalTrimmedString(input.relayerVerifyingShareB64u),\n });\n }\n\n async thresholdEd25519Keygen(request: ThresholdEd25519KeygenRequest): Promise<ThresholdEd25519KeygenResponse> {\n try {\n const parsedRequest = parseThresholdEd25519KeygenRequest(request);\n if (!parsedRequest.ok) return parsedRequest;\n\n await this.ensureReady();\n\n if (parsedRequest.value.kind === 'registration_tx') {\n const { nearAccountId, clientVerifyingShareB64u, registrationTxHash } = parsedRequest.value;\n\n let outcome: FinalExecutionOutcome;\n try {\n outcome = await this.txStatus(registrationTxHash, nearAccountId);\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || '');\n return { ok: false, code: 'invalid_body', message: `Failed to fetch registration transaction: ${msg || 'tx_status failed'}` };\n }\n\n const validTx = this.validateLinkDeviceRegistrationTx(outcome, nearAccountId);\n if (!validTx.ok) return validTx;\n\n if (this.useDerivedRelayerShares) {\n const rpId = toOptionalTrimmedString(validTx.rpId);\n if (!rpId) {\n return { ok: false, code: 'invalid_body', message: 'registrationTxHash keygen requires vrf_data.rp_id in link_device_register_user args' };\n }\n }\n const keygen = await this.keygenStrategy.keygenFromClientVerifyingShare({\n nearAccountId,\n rpId: toOptionalTrimmedString(validTx.rpId),\n clientVerifyingShareB64u,\n });\n if (!keygen.ok) return keygen;\n const { keyMaterial } = keygen;\n const publicKey = keyMaterial.publicKey;\n const relayerKeyId = keyMaterial.relayerKeyId;\n\n if (!this.useDerivedRelayerShares) {\n await this.keyStore.put(relayerKeyId, {\n publicKey,\n relayerSigningShareB64u: keyMaterial.relayerSigningShareB64u,\n relayerVerifyingShareB64u: keyMaterial.relayerVerifyingShareB64u,\n });\n }\n\n return {\n ok: true,\n clientParticipantId: this.clientParticipantId,\n relayerParticipantId: this.relayerParticipantId,\n participantIds: [...this.participantIds2p],\n relayerKeyId,\n publicKey,\n relayerVerifyingShareB64u: keyMaterial.relayerVerifyingShareB64u,\n };\n }\n const { nearAccountId, clientVerifyingShareB64u, rpId, intentDigest32 } = parsedRequest.value;\n const vrfData = (request as unknown as { vrf_data?: unknown }).vrf_data;\n const webauthnAuthentication = (request as unknown as { webauthn_authentication?: unknown }).webauthn_authentication;\n\n const expectedIntentJson = alphabetizeStringify({\n kind: 'threshold_ed25519_keygen',\n nearAccountId,\n rpId,\n clientVerifyingShareB64u,\n });\n const expectedIntentDigest32 = await sha256BytesUtf8(expectedIntentJson);\n if (!bytesEqual32(expectedIntentDigest32, intentDigest32)) {\n return {\n ok: false,\n code: 'intent_digest_mismatch',\n message: 'vrf_data.intent_digest_32 does not match expected keygen binding',\n };\n }\n\n const verification = await this.verifyAuthenticationResponse({\n vrf_data: vrfData as any,\n webauthn_authentication: webauthnAuthentication as any,\n });\n\n if (!verification.success || !verification.verified) {\n return {\n ok: false,\n code: verification.code || 'not_verified',\n message: verification.message || 'Authentication verification failed',\n };\n }\n\n const keygen = await this.keygenStrategy.keygenFromClientVerifyingShare({\n nearAccountId,\n rpId,\n clientVerifyingShareB64u,\n });\n if (!keygen.ok) return keygen;\n const { keyMaterial } = keygen;\n const publicKey = keyMaterial.publicKey;\n const relayerKeyId = keyMaterial.relayerKeyId;\n\n if (!this.useDerivedRelayerShares) {\n await this.keyStore.put(relayerKeyId, {\n publicKey,\n relayerSigningShareB64u: keyMaterial.relayerSigningShareB64u,\n relayerVerifyingShareB64u: keyMaterial.relayerVerifyingShareB64u,\n });\n }\n\n return {\n ok: true,\n clientParticipantId: this.clientParticipantId,\n relayerParticipantId: this.relayerParticipantId,\n participantIds: [...this.participantIds2p],\n relayerKeyId,\n publicKey,\n relayerVerifyingShareB64u: keyMaterial.relayerVerifyingShareB64u,\n };\n } catch (e: unknown) {\n this.logger?.error?.('thresholdEd25519Keygen failed:', e);\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Internal error');\n return { ok: false, code: 'internal', message: msg };\n }\n }\n\n async authorizeThresholdEd25519(request: ThresholdEd25519AuthorizeRequest): Promise<ThresholdEd25519AuthorizeResponse> {\n try {\n const parsedRequest = parseThresholdEd25519AuthorizeRequest(request);\n if (!parsedRequest.ok) return parsedRequest;\n const {\n relayerKeyId,\n clientVerifyingShareB64u,\n purpose,\n userId,\n rpId,\n intentDigest32,\n signingDigest32,\n signingPayload,\n } = parsedRequest.value;\n\n await this.ensureReady();\n\n const relayerKey = await this.resolveRelayerKeyMaterial({\n relayerKeyId,\n nearAccountId: userId,\n rpId,\n clientVerifyingShareB64u,\n });\n if (!relayerKey.ok) {\n return { ok: false, code: relayerKey.code, message: relayerKey.message };\n }\n const verifyPayload = await verifyThresholdEd25519AuthorizeSigningPayload({\n purpose,\n signingPayload,\n signingDigest32,\n intentDigest32,\n userId,\n ensureSignerWasm: this.ensureSignerWasm,\n computeNearTxSigningDigests: threshold_ed25519_compute_near_tx_signing_digests,\n computeDelegateSigningDigest: threshold_ed25519_compute_delegate_signing_digest,\n computeNep413SigningDigest: threshold_ed25519_compute_nep413_signing_digest,\n });\n if (!verifyPayload.ok) {\n return { ok: false, code: verifyPayload.code, message: verifyPayload.message };\n }\n\n const verification = await this.verifyAuthenticationResponse({\n vrf_data: request.vrf_data,\n webauthn_authentication: request.webauthn_authentication,\n });\n\n if (!verification.success || !verification.verified) {\n return {\n ok: false,\n code: verification.code || 'not_verified',\n message: verification.message || 'Authentication verification failed',\n };\n }\n\n // Tighten scope: ensure the relayerKeyId public key is actually an access key on nearAccountId.\n const expectedSigningPublicKey = extractAuthorizeSigningPublicKey(purpose, signingPayload);\n const scope = await ensureRelayerKeyIsActiveAccessKey({\n nearAccountId: userId,\n relayerPublicKey: relayerKey.publicKey,\n ...(expectedSigningPublicKey ? { expectedSigningPublicKey } : {}),\n viewAccessKeyList: this.viewAccessKeyList,\n });\n if (!scope.ok) {\n return { ok: false, code: scope.code, message: scope.message };\n }\n\n const ttlMs = 60_000;\n const expiresAtMs = Date.now() + ttlMs; // short-lived single-use authorization\n const mpcSessionId = this.createThresholdEd25519MpcSessionId();\n await this.sessionStore.putMpcSession(mpcSessionId, {\n expiresAtMs,\n relayerKeyId,\n purpose,\n intentDigestB64u: base64UrlEncode(intentDigest32),\n signingDigestB64u: base64UrlEncode(signingDigest32),\n userId,\n rpId,\n clientVerifyingShareB64u,\n participantIds: [...this.participantIds2p],\n }, ttlMs);\n\n return {\n ok: true,\n mpcSessionId,\n expiresAt: new Date(expiresAtMs).toISOString(),\n };\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Internal error');\n return { ok: false, code: 'internal', message: msg };\n }\n }\n\n async thresholdEd25519Session(request: ThresholdEd25519SessionRequest): Promise<ThresholdEd25519SessionResponse> {\n try {\n const parsedRequest = parseThresholdEd25519SessionRequest(request, this.participantIds2p);\n if (!parsedRequest.ok) return parsedRequest;\n const {\n relayerKeyId,\n clientVerifyingShareB64u,\n nearAccountId,\n rpId,\n sessionId,\n ttlMsRaw,\n remainingUsesRaw,\n policyParticipantIds,\n sessionPolicyDigest32,\n } = parsedRequest.value;\n\n await this.ensureReady();\n\n const relayerKey = await this.resolveRelayerKeyMaterial({\n relayerKeyId,\n nearAccountId,\n rpId,\n clientVerifyingShareB64u,\n });\n if (!relayerKey.ok) {\n return { ok: false, code: relayerKey.code, message: relayerKey.message };\n }\n\n const { ttlMs, remainingUses } = this.clampSessionPolicy({ ttlMs: ttlMsRaw, remainingUses: remainingUsesRaw });\n const participantIds = policyParticipantIds || [...this.participantIds2p];\n const normalizedPolicy = {\n version: 'threshold_session_v1',\n nearAccountId,\n rpId,\n relayerKeyId,\n sessionId,\n ...(policyParticipantIds ? { participantIds: policyParticipantIds } : {}),\n ttlMs,\n remainingUses,\n };\n const expectedPolicyDigest32 = await this.computeSessionPolicyDigest32(normalizedPolicy);\n if (!bytesEqual32(expectedPolicyDigest32, sessionPolicyDigest32)) {\n return { ok: false, code: 'session_policy_digest_mismatch', message: 'sessionPolicy does not match vrf_data.session_policy_digest_32' };\n }\n\n const existingSession = await this.authSessionStore.getSession(sessionId);\n if (existingSession) {\n if (existingSession.userId !== nearAccountId) {\n return { ok: false, code: 'unauthorized', message: 'threshold sessionId already exists for a different user' };\n }\n if (existingSession.relayerKeyId !== relayerKeyId) {\n return { ok: false, code: 'unauthorized', message: 'threshold sessionId already exists for a different relayerKeyId' };\n }\n if (existingSession.rpId !== rpId) {\n return { ok: false, code: 'unauthorized', message: 'threshold sessionId already exists for a different rpId' };\n }\n const sameParticipantIds = existingSession.participantIds.length === participantIds.length\n && existingSession.participantIds.every((id, i) => id === participantIds[i]);\n if (!sameParticipantIds) {\n return { ok: false, code: 'unauthorized', message: 'threshold sessionId already exists for a different participant set' };\n }\n }\n\n const verification = await this.verifyAuthenticationResponse({\n vrf_data: request.vrf_data,\n webauthn_authentication: request.webauthn_authentication,\n });\n\n if (!verification.success || !verification.verified) {\n return {\n ok: false,\n code: verification.code || 'not_verified',\n message: verification.message || 'Authentication verification failed',\n };\n }\n\n // Tighten scope: ensure the relayerKeyId public key is actually an access key on nearAccountId.\n const scope = await ensureRelayerKeyIsActiveAccessKey({\n nearAccountId,\n relayerPublicKey: relayerKey.publicKey,\n viewAccessKeyList: this.viewAccessKeyList,\n });\n if (!scope.ok) {\n return { ok: false, code: scope.code, message: scope.message };\n }\n\n // Replay protection / idempotency: avoid resetting remainingUses/expiry if the session already exists.\n // A replayed WebAuthn assertion may re-issue a token, but should not extend the server-side session budget.\n if (existingSession) {\n return {\n ok: true,\n sessionId,\n expiresAt: new Date(existingSession.expiresAtMs).toISOString(),\n };\n }\n\n const expiresAtMs = Date.now() + ttlMs;\n await this.putAuthSessionRecord({\n sessionId,\n record: {\n expiresAtMs,\n relayerKeyId,\n userId: nearAccountId,\n rpId,\n participantIds,\n },\n ttlMs,\n remainingUses,\n });\n\n return {\n ok: true,\n sessionId,\n expiresAt: new Date(expiresAtMs).toISOString(),\n remainingUses,\n };\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Internal error');\n return { ok: false, code: 'internal', message: msg };\n }\n }\n\n async authorizeThresholdEd25519WithSession(input: {\n sessionId: string;\n userId: string;\n request: ThresholdEd25519AuthorizeWithSessionRequest;\n }): Promise<ThresholdEd25519AuthorizeResponse> {\n try {\n const sessionId = toOptionalTrimmedString(input.sessionId);\n if (!sessionId) return { ok: false, code: 'unauthorized', message: 'Missing threshold sessionId' };\n const userId = toOptionalTrimmedString(input.userId);\n if (!userId) return { ok: false, code: 'unauthorized', message: 'Missing threshold userId' };\n\n const parsedRequest = parseThresholdEd25519AuthorizeWithSessionRequest(input.request);\n if (!parsedRequest.ok) return parsedRequest;\n const { relayerKeyId, clientVerifyingShareB64u, purpose, signingDigest32, signingPayload } = parsedRequest.value;\n\n await this.ensureReady();\n\n const consumed = await this.authSessionStore.consumeUse(sessionId);\n if (!consumed.ok) {\n return { ok: false, code: consumed.code, message: consumed.message };\n }\n const sessionRecord = consumed.record;\n if (sessionRecord.userId !== userId) {\n return { ok: false, code: 'unauthorized', message: 'threshold session token does not match session record user' };\n }\n const sessionParticipantIds = normalizeThresholdEd25519ParticipantIds(sessionRecord.participantIds);\n if (!sessionParticipantIds || sessionParticipantIds.length < 2) {\n return { ok: false, code: 'unauthorized', message: 'threshold session token is missing a valid participantIds set' };\n }\n for (const id of this.participantIds2p) {\n if (!sessionParticipantIds.includes(id)) {\n return { ok: false, code: 'unauthorized', message: `threshold session token does not include server signer set (expected to include participantIds=[${this.participantIds2p.join(',')}])` };\n }\n }\n\n if (relayerKeyId !== sessionRecord.relayerKeyId) {\n return { ok: false, code: 'unauthorized', message: 'relayerKeyId does not match threshold session scope' };\n }\n\n const relayerKey = await this.resolveRelayerKeyMaterial({\n relayerKeyId,\n nearAccountId: sessionRecord.userId,\n rpId: sessionRecord.rpId,\n clientVerifyingShareB64u,\n });\n if (!relayerKey.ok) {\n return { ok: false, code: relayerKey.code, message: relayerKey.message };\n }\n\n const verifyPayload = await verifyThresholdEd25519AuthorizeSigningPayloadSigningDigestOnly({\n purpose,\n signingPayload,\n signingDigest32,\n userId: sessionRecord.userId,\n ensureSignerWasm: this.ensureSignerWasm,\n computeNearTxSigningDigests: threshold_ed25519_compute_near_tx_signing_digests,\n computeDelegateSigningDigest: threshold_ed25519_compute_delegate_signing_digest,\n computeNep413SigningDigest: threshold_ed25519_compute_nep413_signing_digest,\n });\n if (!verifyPayload.ok) {\n return { ok: false, code: verifyPayload.code, message: verifyPayload.message };\n }\n\n const expectedSigningPublicKey = extractAuthorizeSigningPublicKey(purpose, signingPayload);\n const scope = await ensureRelayerKeyIsActiveAccessKey({\n nearAccountId: sessionRecord.userId,\n relayerPublicKey: relayerKey.publicKey,\n ...(expectedSigningPublicKey ? { expectedSigningPublicKey } : {}),\n viewAccessKeyList: this.viewAccessKeyList,\n });\n if (!scope.ok) {\n return { ok: false, code: scope.code, message: scope.message };\n }\n\n const ttlMs = 60_000;\n const expiresAtMs = Date.now() + ttlMs;\n const mpcSessionId = this.createThresholdEd25519MpcSessionId();\n await this.sessionStore.putMpcSession(mpcSessionId, {\n expiresAtMs,\n relayerKeyId,\n purpose,\n intentDigestB64u: base64UrlEncode(verifyPayload.intentDigest32),\n signingDigestB64u: base64UrlEncode(signingDigest32),\n userId: sessionRecord.userId,\n rpId: sessionRecord.rpId,\n clientVerifyingShareB64u,\n participantIds: [...sessionRecord.participantIds],\n }, ttlMs);\n\n return {\n ok: true,\n mpcSessionId,\n expiresAt: new Date(expiresAtMs).toISOString(),\n };\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Internal error');\n return { ok: false, code: 'internal', message: msg };\n }\n }\n\n async thresholdEd25519SignInit(request: ThresholdEd25519SignInitRequest): Promise<ThresholdEd25519SignInitResponse> {\n return await this.signingHandlers.thresholdEd25519SignInit(request);\n }\n\n async thresholdEd25519CosignInit(request: ThresholdEd25519CosignInitRequest): Promise<ThresholdEd25519CosignInitResponse> {\n return await this.signingHandlers.thresholdEd25519CosignInit(request);\n }\n\n async thresholdEd25519CosignFinalize(request: ThresholdEd25519CosignFinalizeRequest): Promise<ThresholdEd25519CosignFinalizeResponse> {\n return await this.signingHandlers.thresholdEd25519CosignFinalize(request);\n }\n\n async thresholdEd25519SignFinalize(request: ThresholdEd25519SignFinalizeRequest): Promise<ThresholdEd25519SignFinalizeResponse> {\n return await this.signingHandlers.thresholdEd25519SignFinalize(request);\n }\n}\n"],"mappings":";;;;;;;;;;;;AAsFA,SAAS,mCAAmC,SAA0F;CACpI,MAAM,MAAO,WAAW;CACxB,MAAM,gBAAgB,wBAAwB,IAAI;AAClD,KAAI,CAAC,cACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAErD,MAAM,2BAA2B,wBAAwB,IAAI;AAC7D,KAAI,CAAC,yBACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AAGrD,KAAI,OAAO,UAAU,eAAe,KAAK,KAAK,uBAAuB;EACnE,MAAM,qBAAqB,wBAAwB,IAAI;AACvD,MAAI,CAAC,mBACH,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;AAErD,SAAO;GAAE,IAAI;GAAM,OAAO;IAAE,MAAM;IAAmB;IAAe;IAA0B;;;;CAGhG,MAAM,UAAW,IAA2B;CAC5C,MAAM,YAAY,wBAAwB,SAAS;AACnD,KAAI,CAAC,UACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AAErD,KAAI,cAAc,cAChB,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,OAAO,wBAAwB,SAAS;AAC9C,KAAI,CAAC,KACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,iBAAiB,qBAAqB,SAAS;AACrD,KAAI,CAAC,eACH,QAAO;EACL,IAAI;EACJ,MAAM;EACN,SAAS;;AAIb,QAAO;EAAE,IAAI;EAAM,OAAO;GAAE,MAAM;GAAY;GAAe;GAA0B;GAAM;;;;AAG/F,SAAS,sCAAsC,SAS5C;CACD,MAAM,MAAO,WAAW;CACxB,MAAM,eAAe,wBAAwB,IAAI;AACjD,KAAI,CAAC,aAAc,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAEtE,MAAM,UAAU,wBAAwB,IAAI;AAC5C,KAAI,CAAC,QAAS,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAEjE,MAAM,UAAW,IAA2B;CAC5C,MAAM,SAAS,wBAAwB,SAAS;AAChD,KAAI,CAAC,OAAQ,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAChE,MAAM,OAAO,wBAAwB,SAAS;AAC9C,KAAI,CAAC,KAAM,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAE9D,MAAM,2BAA2B,wBAAwB,IAAI;AAC7D,KAAI,CAAC,yBACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,iBAAiB,qBAAqB,SAAS;AACrD,KAAI,CAAC,eACH,QAAO;EACL,IAAI;EACJ,MAAM;EACN,SAAS;;CAIb,MAAM,kBAAkB,qBAAqB,IAAI;AACjD,KAAI,CAAC,gBACH,QAAO;EACL,IAAI;EACJ,MAAM;EACN,SAAS;;AAIb,QAAO;EACL,IAAI;EACJ,OAAO;GACL;GACA;GACA;GACA;GACA;GACA;GACA;GACA,gBAAgB,IAAI;;;;AAK1B,SAAS,iDAAiD,SAMvD;CACD,MAAM,MAAO,WAAW;CACxB,MAAM,eAAe,wBAAwB,IAAI;AACjD,KAAI,CAAC,aAAc,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CACtE,MAAM,2BAA2B,wBAAwB,IAAI;AAC7D,KAAI,CAAC,yBACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAErD,MAAM,UAAU,wBAAwB,IAAI;AAC5C,KAAI,CAAC,QAAS,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CACjE,MAAM,kBAAkB,qBAAqB,IAAI;AACjD,KAAI,CAAC,gBACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AAErD,QAAO;EAAE,IAAI;EAAM,OAAO;GAAE;GAAc;GAA0B;GAAS;GAAiB,gBAAgB,IAAI;;;;AAGpH,SAAS,oCACP,SACA,kBAWC;CACD,MAAM,MAAO,WAAW;CACxB,MAAM,eAAe,wBAAwB,IAAI;AACjD,KAAI,CAAC,aACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAErD,MAAM,2BAA2B,wBAAwB,IAAI;AAC7D,KAAI,CAAC,yBACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,YAAa,IAAoC;AACvD,KAAI,CAAC,SAAS,WACZ,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAErD,MAAM,UAAU,wBAAyB,UAAsC;AAC/E,KAAI,YAAY,uBACd,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAErD,MAAM,gBAAgB,wBAAyB,UAAsC;CACrF,MAAM,OAAO,wBAAyB,UAAsC;CAC5E,MAAM,YAAY,wBAAyB,UAAsC;CACjF,MAAM,qBAAqB,wBAAyB,UAAsC;CAC1F,MAAM,WAAW,OAAQ,UAAsC;CAC/D,MAAM,mBAAmB,OAAQ,UAAsC;AACvE,KAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,aAAa,CAAC,mBAC5C,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AAErD,KAAI,uBAAuB,aACzB,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,0BAA0B,OAAO,UAAU,eAAe,KAAK,WAAW;CAChF,MAAM,uBAAuB,wCAAyC,UAAsC;AAC5G,KAAI,2BAA2B,CAAC,qBAC9B,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AAErD,KAAI,sBAAsB;AACxB,MAAI,qBAAqB,SAAS,EAChC,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;AAErD,OAAK,MAAM,MAAM,iBACf,KAAI,CAAC,qBAAqB,SAAS,IACjC,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS,oGAAoG,iBAAiB,KAAK,KAAK;;;AAKxL,KAAI,CAAC,OAAO,SAAS,aAAa,YAAY,EAC5C,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AAErD,KAAI,CAAC,OAAO,SAAS,qBAAqB,oBAAoB,EAC5D,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,UAAW,IAA2B;CAC5C,MAAM,SAAS,wBAAwB,SAAS;AAChD,KAAI,CAAC,OAAQ,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AAChE,KAAI,WAAW,cACb,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAErD,MAAM,UAAU,wBAAwB,SAAS;AACjD,KAAI,CAAC,QAAS,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AACjE,KAAI,YAAY,KACd,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,wBAAwB,qBAAqB,SAAS;AAC5D,KAAI,CAAC,sBACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AAGrD,QAAO;EACL,IAAI;EACJ,OAAO;GACL;GACA;GACA;GACA;GACA;GACA;GACA;GACA,sBAAsB,wBAAwB;GAC9C;;;;AAKN,IAAa,0BAAb,MAAqC;CACnC,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CAGjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CAEjB,YAAY,OAYT;AACD,OAAK,SAAS,MAAM;AACpB,OAAK,WAAW,MAAM;AACtB,OAAK,eAAe,MAAM;AAC1B,OAAK,mBAAmB,MAAM;EAC9B,MAAM,MAAO,SAAS,MAAM,UAAU,MAAM,SAAS;EAErD,MAAM,WAAW,wBAAwB,IAAI;EAC7C,MAAM,+BACJ,2CAA2C,IAAI;EACjD,MAAM,mBAAmB,+BAA+B,IAAI,wCAAwC;EACpG,MAAM,2BAA2B,uCAAuC,IAAI;EAC5E,MAAM,uBAAuB,IAAI;EACjC,MAAM,oBACJ,yBAAyB,SAAY,OAAO,uCAAuC;AACrF,MAAI,aAAa,cAAc,CAAC,kBAC9B,OAAM,IAAI,MAAM;EAGlB,MAAM,MAAM,sCAAsC;GAChD,yCAAyC,IAAI;GAC7C,0CAA0C,IAAI;;AAEhD,OAAK,sBAAsB,IAAI;AAC/B,OAAK,uBAAuB,IAAI;AAChC,OAAK,mBAAmB,IAAI;AAE5B,OAAK,YAAY,gCAAgC,IAAI;AACrD,OAAK,0BAA0B,yCAAyC,IAAI;AAC5E,MAAI,KAAK,cAAc,aAAa,CAAC,KAAK,wBACxC,OAAM,IAAI,MAAM;AAElB,OAAK,0BAA0B,8BAA8B;GAC3D,WAAW,KAAK;GAChB,yBAAyB,KAAK;;AAEhC,OAAK,cAAc,MAAM;AACzB,OAAK,mBAAmB,MAAM;AAC9B,OAAK,+BAA+B,MAAM;AAC1C,OAAK,oBAAoB,MAAM;AAC/B,OAAK,WAAW,MAAM;AACtB,OAAK,qBAAqB,MAAM;AAChC,OAAK,iBAAiB,IAAI,iCAAiC;GACzD,kBAAkB,KAAK;GACvB,yBAAyB,KAAK;GAC9B,qBAAqB,KAAK;GAC1B,sBAAsB,KAAK;GAC3B,kBAAkB,KAAK;;AAEzB,OAAK,kBAAkB,IAAI,gCAAgC;GACzD,QAAQ,KAAK;GACb;GACA;GACA;GACA;GACA;GACA,qBAAqB,KAAK;GAC1B,sBAAsB,KAAK;GAC3B,kBAAkB,KAAK;GACvB,cAAc,KAAK;GACnB,aAAa,KAAK;GAClB,kBAAkB,KAAK;GACvB,mBAAmB,KAAK;GACxB,4BAA4B,SAAS,KAAK,0BAA0B;;;CAIvE,MAAc,0BAA0B,OAQtC;AACA,SAAO,MAAM,0CAA0C;GACrD,GAAG;GACH,WAAW,KAAK;GAChB,yBAAyB,KAAK;GAC9B,UAAU,KAAK;GACf,gBAAgB,KAAK;;;CAI1B,AAAQ,mBAAmB,OAA2F;EACpH,MAAM,QAAQ,KAAK,IAAI,GAAG,KAAK,MAAM,OAAO,MAAM,UAAU;EAC5D,MAAM,gBAAgB,KAAK,IAAI,GAAG,KAAK,MAAM,OAAO,MAAM,kBAAkB;EAE5E,MAAM,aAAa,KAAK;EACxB,MAAM,WAAW;AACjB,SAAO;GACL,OAAO,KAAK,IAAI,OAAO;GACvB,eAAe,KAAK,IAAI,eAAe;;;CAI3C,MAAc,6BAA6B,QAAsC;EAC/E,MAAM,OAAO,qBAAqB;AAClC,SAAO,MAAM,gBAAgB;;CAG/B,MAAc,qBAAqB,OAKjB;AAChB,QAAM,KAAK,iBAAiB,WAAW,MAAM,WAAW,MAAM,QAAQ;GACpE,OAAO,MAAM;GACb,eAAe,MAAM;;;CAIzB,AAAQ,qCAA6C;EACnD,MAAM,KAAK,OAAO,WAAW,QAAQ,eAAe,aAChD,WAAW,OAAO,eAClB,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;AACtD,SAAO,OAAO;;CAGhB,AAAQ,yCAAiD;EACvD,MAAM,KAAK,OAAO,WAAW,QAAQ,eAAe,aAChD,WAAW,OAAO,eAClB,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;AACtD,SAAO,QAAQ;;CAGjB,AAAQ,wBAAwB,SAA+C;EAC7E,MAAM,SAAU,SAA6C;AAC7D,MAAI,CAAC,UAAU,OAAO,WAAW,SAAU,QAAO;AAClD,MAAI,EAAE,kBAAkB,QAAS,QAAO;EACxC,MAAM,QAAS,OAAsC;AACrD,SAAO,OAAO,UAAU,YAAY,MAAM,SAAS,IAAI,QAAQ;;CAGjE,AAAQ,wBAAwB,SAAyC;EACvE,MAAM,kBAAkB,KAAK,wBAAwB;AACrD,MAAI,CAAC,gBAAiB,QAAO;EAC7B,MAAM,QAAQ,aAAa;EAC3B,MAAM,OAAO,IAAI,cAAc,OAAO;AACtC,MAAI,CAAC,KAAK,OAAQ,QAAO;AACzB,SAAO,KAAK,MAAM;;CAGpB,AAAQ,iCACN,SACA,uBAC4E;EAC5E,MAAM,YAAa,SAAkD;AACrE,MAAI,CAAC,aAAa,OAAO,cAAc,SACrC,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;EAErD,IAAIA,OAAsB;EAC1B,MAAM,KAAK;EACX,MAAM,WAAW,wBAAwB,GAAG,aAAa,GAAG;AAC5D,MAAI,YAAY,aAAa,sBAC3B,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;EAErD,MAAM,aAAa,wBAAwB,GAAG,eAAe,GAAG;AAChE,MAAI,cAAc,eAAe,KAAK,mBACpC,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;EAGrD,MAAM,UAAU,MAAM,QAAQ,GAAG,WAAY,GAAG,UAAwB;EACxE,MAAM,UAAU,QACb,KAAK,WAAY,UAAU,OAAO,WAAW,WACxC,OAAmC,gBAAiB,OAAmC,iBAAiB,OAC1G,MACH,QAAQ,MAAoC,QAAQ,KAAK,OAAO,MAAM;EAEzE,MAAM,iBAAiB,QAAQ,MAAM,OAAO,wBAAwB,GAAG,eAAe,GAAG,gBAAgB;AACzG,MAAI,CAAC,eACH,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;EAGrD,MAAM,UAAU,wBAAwB,eAAe;AACvD,MAAI,QACF,KAAI;GACF,MAAM,WAAW,IAAI,cAAc,OAAO,aAAa;GACvD,MAAM,aAAa,KAAK,MAAM;AAC9B,OAAI,cAAc,OAAO,eAAe,UAAU;IAChD,MAAM,MAAO,WAAsC;AACnD,QAAI,OAAO,OAAO,QAAQ,UAAU;KAClC,MAAM,SAAS,wBAAyB,IAAgD,WAAY,IAA6B;AACjI,SAAI,UAAU,WAAW,sBACvB,QAAO;MAAE,IAAI;MAAO,MAAM;MAAgB,SAAS;;AAErD,YAAO,wBAAyB,IAA4C,SAAU,IAA2B,SAAS;;;UAGxH;EAKV,MAAM,cAAc,KAAK,wBAAwB;AACjD,MAAI,CAAC,eAAe,OAAO,gBAAgB,SACzC,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;EAErD,MAAM,WAAY,YAAuC;AACzD,MAAI,aAAa,KACf,QAAO;GAAE,IAAI;GAAO,MAAM;GAAgB,SAAS;;AAGrD,SAAO;GAAE,IAAI;GAAM,GAAI,OAAO,EAAE,SAAS;;;;;;;;CAQ3C,MAAM,8CAA8C,OAgBlD;AACA,MAAI;AACF,SAAM,KAAK;GACX,MAAM,gBAAgB,wBAAwB,MAAM;AACpD,OAAI,CAAC,cACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAErD,MAAM,OAAO,wBAAwB,MAAM;AAC3C,OAAI,CAAC,KACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAErD,MAAM,2BAA2B,wBAAwB,MAAM;AAC/D,OAAI,CAAC,yBACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAGrD,MAAM,SAAS,MAAM,KAAK,eAAe,+BAA+B;IACtE;IACA;IACA;;AAEF,OAAI,CAAC,OAAO,GAAI,QAAO;GACvB,MAAM,EAAE,gBAAgB;AAExB,UAAO;IACL,IAAI;IACJ,qBAAqB,KAAK;IAC1B,sBAAsB,KAAK;IAC3B,gBAAgB,CAAC,GAAG,KAAK;IACzB,cAAc,YAAY;IAC1B,WAAW,YAAY;IACvB,yBAAyB,YAAY;IACrC,2BAA2B,YAAY;;WAElCC,GAAY;GACnB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;;;CAInD,MAAM,sBAAsB,OAKV;AAChB,MAAI,KAAK,wBAEP;EAEF,MAAM,eAAe,wBAAwB,MAAM;AACnD,MAAI,CAAC,aAAc,OAAM,IAAI,MAAM;AACnC,QAAM,KAAK,SAAS,IAAI,cAAc;GACpC,WAAW,wBAAwB,MAAM;GACzC,yBAAyB,wBAAwB,MAAM;GACvD,2BAA2B,wBAAwB,MAAM;;;CAI7D,MAAM,uBAAuB,SAAiF;AAC5G,MAAI;GACF,MAAM,gBAAgB,mCAAmC;AACzD,OAAI,CAAC,cAAc,GAAI,QAAO;AAE9B,SAAM,KAAK;AAEX,OAAI,cAAc,MAAM,SAAS,mBAAmB;IAClD,MAAM,EAAE,gCAAe,sDAA0B,uBAAuB,cAAc;IAEtF,IAAIC;AACJ,QAAI;AACF,eAAU,MAAM,KAAK,SAAS,oBAAoBC;aAC3CF,GAAY;KACnB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,YAAO;MAAE,IAAI;MAAO,MAAM;MAAgB,SAAS,6CAA6C,OAAO;;;IAGzG,MAAM,UAAU,KAAK,iCAAiC,SAASE;AAC/D,QAAI,CAAC,QAAQ,GAAI,QAAO;AAExB,QAAI,KAAK,yBAAyB;KAChC,MAAMC,SAAO,wBAAwB,QAAQ;AAC7C,SAAI,CAACA,OACH,QAAO;MAAE,IAAI;MAAO,MAAM;MAAgB,SAAS;;;IAGvD,MAAMC,WAAS,MAAM,KAAK,eAAe,+BAA+B;KACtE;KACA,MAAM,wBAAwB,QAAQ;KACtC;;AAEF,QAAI,CAACA,SAAO,GAAI,QAAOA;IACvB,MAAM,EAAE,+BAAgBA;IACxB,MAAMC,cAAYC,cAAY;IAC9B,MAAMC,iBAAeD,cAAY;AAEjC,QAAI,CAAC,KAAK,wBACR,OAAM,KAAK,SAAS,IAAIC,gBAAc;KACpC;KACA,yBAAyBD,cAAY;KACrC,2BAA2BA,cAAY;;AAI3C,WAAO;KACL,IAAI;KACJ,qBAAqB,KAAK;KAC1B,sBAAsB,KAAK;KAC3B,gBAAgB,CAAC,GAAG,KAAK;KACzB;KACA;KACA,2BAA2BA,cAAY;;;GAG3C,MAAM,EAAE,eAAe,0BAA0B,MAAM,mBAAmB,cAAc;GACxF,MAAM,UAAW,QAA8C;GAC/D,MAAM,yBAA0B,QAA6D;GAE7F,MAAM,qBAAqB,qBAAqB;IAC9C,MAAM;IACN;IACA;IACA;;GAEF,MAAM,yBAAyB,MAAM,gBAAgB;AACrD,OAAI,CAAC,aAAa,wBAAwB,gBACxC,QAAO;IACL,IAAI;IACJ,MAAM;IACN,SAAS;;GAIb,MAAM,eAAe,MAAM,KAAK,6BAA6B;IAC3D,UAAU;IACV,yBAAyB;;AAG3B,OAAI,CAAC,aAAa,WAAW,CAAC,aAAa,SACzC,QAAO;IACL,IAAI;IACJ,MAAM,aAAa,QAAQ;IAC3B,SAAS,aAAa,WAAW;;GAIrC,MAAM,SAAS,MAAM,KAAK,eAAe,+BAA+B;IACtE;IACA;IACA;;AAEF,OAAI,CAAC,OAAO,GAAI,QAAO;GACvB,MAAM,EAAE,gBAAgB;GACxB,MAAM,YAAY,YAAY;GAC9B,MAAM,eAAe,YAAY;AAEjC,OAAI,CAAC,KAAK,wBACR,OAAM,KAAK,SAAS,IAAI,cAAc;IACpC;IACA,yBAAyB,YAAY;IACrC,2BAA2B,YAAY;;AAI3C,UAAO;IACL,IAAI;IACJ,qBAAqB,KAAK;IAC1B,sBAAsB,KAAK;IAC3B,gBAAgB,CAAC,GAAG,KAAK;IACzB;IACA;IACA,2BAA2B,YAAY;;WAElCN,GAAY;AACnB,QAAK,QAAQ,QAAQ,kCAAkC;GACvD,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;;;CAInD,MAAM,0BAA0B,SAAuF;AACrH,MAAI;GACF,MAAM,gBAAgB,sCAAsC;AAC5D,OAAI,CAAC,cAAc,GAAI,QAAO;GAC9B,MAAM,EACJ,cACA,0BACA,SACA,QACA,MACA,gBACA,iBACA,mBACE,cAAc;AAElB,SAAM,KAAK;GAEX,MAAM,aAAa,MAAM,KAAK,0BAA0B;IACtD;IACA,eAAe;IACf;IACA;;AAEF,OAAI,CAAC,WAAW,GACd,QAAO;IAAE,IAAI;IAAO,MAAM,WAAW;IAAM,SAAS,WAAW;;GAEjE,MAAM,gBAAgB,MAAM,8CAA8C;IACxE;IACA;IACA;IACA;IACA;IACA,kBAAkB,KAAK;IACvB,6BAA6B;IAC7B,8BAA8B;IAC9B,4BAA4B;;AAE9B,OAAI,CAAC,cAAc,GACjB,QAAO;IAAE,IAAI;IAAO,MAAM,cAAc;IAAM,SAAS,cAAc;;GAGvE,MAAM,eAAe,MAAM,KAAK,6BAA6B;IAC3D,UAAU,QAAQ;IAClB,yBAAyB,QAAQ;;AAGnC,OAAI,CAAC,aAAa,WAAW,CAAC,aAAa,SACzC,QAAO;IACL,IAAI;IACJ,MAAM,aAAa,QAAQ;IAC3B,SAAS,aAAa,WAAW;;GAKrC,MAAM,2BAA2B,iCAAiC,SAAS;GAC3E,MAAM,QAAQ,MAAM,kCAAkC;IACpD,eAAe;IACf,kBAAkB,WAAW;IAC7B,GAAI,2BAA2B,EAAE,6BAA6B;IAC9D,mBAAmB,KAAK;;AAE1B,OAAI,CAAC,MAAM,GACT,QAAO;IAAE,IAAI;IAAO,MAAM,MAAM;IAAM,SAAS,MAAM;;GAGvD,MAAM,QAAQ;GACd,MAAM,cAAc,KAAK,QAAQ;GACjC,MAAM,eAAe,KAAK;AAC1B,SAAM,KAAK,aAAa,cAAc,cAAc;IAClD;IACA;IACA;IACA,kBAAkB,gBAAgB;IAClC,mBAAmB,gBAAgB;IACnC;IACA;IACA;IACA,gBAAgB,CAAC,GAAG,KAAK;MACxB;AAEH,UAAO;IACL,IAAI;IACJ;IACA,WAAW,IAAI,KAAK,aAAa;;WAE5BA,GAAY;GACnB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;;;CAInD,MAAM,wBAAwB,SAAmF;AAC/G,MAAI;GACF,MAAM,gBAAgB,oCAAoC,SAAS,KAAK;AACxE,OAAI,CAAC,cAAc,GAAI,QAAO;GAC9B,MAAM,EACJ,cACA,0BACA,eACA,MACA,WACA,UACA,kBACA,sBACA,0BACE,cAAc;AAElB,SAAM,KAAK;GAEX,MAAM,aAAa,MAAM,KAAK,0BAA0B;IACtD;IACA;IACA;IACA;;AAEF,OAAI,CAAC,WAAW,GACd,QAAO;IAAE,IAAI;IAAO,MAAM,WAAW;IAAM,SAAS,WAAW;;GAGjE,MAAM,EAAE,OAAO,kBAAkB,KAAK,mBAAmB;IAAE,OAAO;IAAU,eAAe;;GAC3F,MAAM,iBAAiB,wBAAwB,CAAC,GAAG,KAAK;GACxD,MAAM,mBAAmB;IACvB,SAAS;IACT;IACA;IACA;IACA;IACA,GAAI,uBAAuB,EAAE,gBAAgB,yBAAyB;IACtE;IACA;;GAEF,MAAM,yBAAyB,MAAM,KAAK,6BAA6B;AACvE,OAAI,CAAC,aAAa,wBAAwB,uBACxC,QAAO;IAAE,IAAI;IAAO,MAAM;IAAkC,SAAS;;GAGvE,MAAM,kBAAkB,MAAM,KAAK,iBAAiB,WAAW;AAC/D,OAAI,iBAAiB;AACnB,QAAI,gBAAgB,WAAW,cAC7B,QAAO;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;AAErD,QAAI,gBAAgB,iBAAiB,aACnC,QAAO;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;AAErD,QAAI,gBAAgB,SAAS,KAC3B,QAAO;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;IAErD,MAAM,qBAAqB,gBAAgB,eAAe,WAAW,eAAe,UAC/E,gBAAgB,eAAe,OAAO,IAAI,MAAM,OAAO,eAAe;AAC3E,QAAI,CAAC,mBACH,QAAO;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;;GAIvD,MAAM,eAAe,MAAM,KAAK,6BAA6B;IAC3D,UAAU,QAAQ;IAClB,yBAAyB,QAAQ;;AAGnC,OAAI,CAAC,aAAa,WAAW,CAAC,aAAa,SACzC,QAAO;IACL,IAAI;IACJ,MAAM,aAAa,QAAQ;IAC3B,SAAS,aAAa,WAAW;;GAKrC,MAAM,QAAQ,MAAM,kCAAkC;IACpD;IACA,kBAAkB,WAAW;IAC7B,mBAAmB,KAAK;;AAE1B,OAAI,CAAC,MAAM,GACT,QAAO;IAAE,IAAI;IAAO,MAAM,MAAM;IAAM,SAAS,MAAM;;AAKvD,OAAI,gBACF,QAAO;IACL,IAAI;IACJ;IACA,WAAW,IAAI,KAAK,gBAAgB,aAAa;;GAIrD,MAAM,cAAc,KAAK,QAAQ;AACjC,SAAM,KAAK,qBAAqB;IAC9B;IACA,QAAQ;KACN;KACA;KACA,QAAQ;KACR;KACA;;IAEF;IACA;;AAGF,UAAO;IACL,IAAI;IACJ;IACA,WAAW,IAAI,KAAK,aAAa;IACjC;;WAEKA,GAAY;GACnB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;;;CAInD,MAAM,qCAAqC,OAII;AAC7C,MAAI;GACF,MAAM,YAAY,wBAAwB,MAAM;AAChD,OAAI,CAAC,UAAW,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GACnE,MAAM,SAAS,wBAAwB,MAAM;AAC7C,OAAI,CAAC,OAAQ,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAEhE,MAAM,gBAAgB,iDAAiD,MAAM;AAC7E,OAAI,CAAC,cAAc,GAAI,QAAO;GAC9B,MAAM,EAAE,cAAc,0BAA0B,SAAS,iBAAiB,mBAAmB,cAAc;AAE3G,SAAM,KAAK;GAEX,MAAM,WAAW,MAAM,KAAK,iBAAiB,WAAW;AACxD,OAAI,CAAC,SAAS,GACZ,QAAO;IAAE,IAAI;IAAO,MAAM,SAAS;IAAM,SAAS,SAAS;;GAE7D,MAAM,gBAAgB,SAAS;AAC/B,OAAI,cAAc,WAAW,OAC3B,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAErD,MAAM,wBAAwB,wCAAwC,cAAc;AACpF,OAAI,CAAC,yBAAyB,sBAAsB,SAAS,EAC3D,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;AAErD,QAAK,MAAM,MAAM,KAAK,iBACpB,KAAI,CAAC,sBAAsB,SAAS,IAClC,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS,mGAAmG,KAAK,iBAAiB,KAAK,KAAK;;AAI1L,OAAI,iBAAiB,cAAc,aACjC,QAAO;IAAE,IAAI;IAAO,MAAM;IAAgB,SAAS;;GAGrD,MAAM,aAAa,MAAM,KAAK,0BAA0B;IACtD;IACA,eAAe,cAAc;IAC7B,MAAM,cAAc;IACpB;;AAEF,OAAI,CAAC,WAAW,GACd,QAAO;IAAE,IAAI;IAAO,MAAM,WAAW;IAAM,SAAS,WAAW;;GAGjE,MAAM,gBAAgB,MAAM,+DAA+D;IACzF;IACA;IACA;IACA,QAAQ,cAAc;IACtB,kBAAkB,KAAK;IACvB,6BAA6B;IAC7B,8BAA8B;IAC9B,4BAA4B;;AAE9B,OAAI,CAAC,cAAc,GACjB,QAAO;IAAE,IAAI;IAAO,MAAM,cAAc;IAAM,SAAS,cAAc;;GAGvE,MAAM,2BAA2B,iCAAiC,SAAS;GAC3E,MAAM,QAAQ,MAAM,kCAAkC;IACpD,eAAe,cAAc;IAC7B,kBAAkB,WAAW;IAC7B,GAAI,2BAA2B,EAAE,6BAA6B;IAC9D,mBAAmB,KAAK;;AAE1B,OAAI,CAAC,MAAM,GACT,QAAO;IAAE,IAAI;IAAO,MAAM,MAAM;IAAM,SAAS,MAAM;;GAGvD,MAAM,QAAQ;GACd,MAAM,cAAc,KAAK,QAAQ;GACjC,MAAM,eAAe,KAAK;AAC1B,SAAM,KAAK,aAAa,cAAc,cAAc;IAClD;IACA;IACA;IACA,kBAAkB,gBAAgB,cAAc;IAChD,mBAAmB,gBAAgB;IACnC,QAAQ,cAAc;IACtB,MAAM,cAAc;IACpB;IACA,gBAAgB,CAAC,GAAG,cAAc;MACjC;AAEH,UAAO;IACL,IAAI;IACJ;IACA,WAAW,IAAI,KAAK,aAAa;;WAE5BA,GAAY;GACnB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,UAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;;;CAInD,MAAM,yBAAyB,SAAqF;AAClH,SAAO,MAAM,KAAK,gBAAgB,yBAAyB;;CAG7D,MAAM,2BAA2B,SAAyF;AACxH,SAAO,MAAM,KAAK,gBAAgB,2BAA2B;;CAG/D,MAAM,+BAA+B,SAAiG;AACpI,SAAO,MAAM,KAAK,gBAAgB,+BAA+B;;CAGnE,MAAM,6BAA6B,SAA6F;AAC9H,SAAO,MAAM,KAAK,gBAAgB,6BAA6B"}

package/dist/esm/server/core/ThresholdService/config.js ADDED Viewed

@@ -0,0 +1,96 @@
+import { toOptionalTrimmedString } from "../../sdk/src/utils/validation.js";
+import { base64UrlDecode } from "../../sdk/src/utils/base64.js";
+import { THRESHOLD_ED25519_2P_PARTICIPANT_IDS, THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID, THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID } from "../../sdk/src/core/defaultConfigs.js";
+import { normalizeThresholdEd25519ParticipantId, normalizeThresholdEd25519ParticipantIds } from "../../sdk/src/threshold/participants.js";
+//#region src/server/core/ThresholdService/config.ts
+function coerceThresholdEd25519ShareMode(input) {
+	const mode = toOptionalTrimmedString(input);
+	if (mode === "derive") return "derived";
+	if (mode === "kv" || mode === "derived" || mode === "auto") return mode;
+	return "auto";
+}
+function coerceThresholdNodeRole(input) {
+	const role = toOptionalTrimmedString(input);
+	if (role === "cosigner") return "cosigner";
+	if (role === "coordinator") return "coordinator";
+	return "coordinator";
+}
+function parseThresholdRelayerCosigners(input) {
+	const asJson = (raw$1) => {
+		try {
+			return JSON.parse(raw$1);
+		} catch {
+			return null;
+		}
+	};
+	const raw = typeof input === "string" ? asJson(input) : input;
+	if (!Array.isArray(raw) || raw.length === 0) return null;
+	const out = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const item of raw) {
+		if (!item || typeof item !== "object" || Array.isArray(item)) return null;
+		const rec = item;
+		const cosignerId = normalizeThresholdEd25519ParticipantId(rec.cosignerId);
+		const relayerUrl = toOptionalTrimmedString(rec.relayerUrl)?.replace(/\/+$/, "");
+		if (!cosignerId || !relayerUrl) return null;
+		const key = `${cosignerId}:${relayerUrl}`;
+		if (seen.has(key)) continue;
+		seen.add(key);
+		out.push({
+			cosignerId,
+			relayerUrl
+		});
+	}
+	out.sort((a, b) => a.cosignerId - b.cosignerId || a.relayerUrl.localeCompare(b.relayerUrl));
+	return out.length ? out : null;
+}
+function parseThresholdRelayerCosignerThreshold(input) {
+	const raw = toOptionalTrimmedString(input);
+	if (!raw) return null;
+	const n = Number(raw);
+	if (!Number.isFinite(n)) return null;
+	const t = Math.floor(n);
+	if (t < 1) return null;
+	return t;
+}
+function parseThresholdCoordinatorSharedSecretBytes(input) {
+	const coordinatorSharedSecretB64u = toOptionalTrimmedString(input);
+	if (!coordinatorSharedSecretB64u) return null;
+	let decoded;
+	try {
+		decoded = base64UrlDecode(coordinatorSharedSecretB64u);
+	} catch {
+		throw new Error("THRESHOLD_COORDINATOR_SHARED_SECRET_B64U must be valid base64url");
+	}
+	if (decoded.length !== 32) throw new Error(`THRESHOLD_COORDINATOR_SHARED_SECRET_B64U must decode to 32 bytes, got ${decoded.length}`);
+	return decoded;
+}
+function validateThresholdEd25519MasterSecretB64u(input) {
+	const masterSecretB64u = toOptionalTrimmedString(input);
+	if (!masterSecretB64u) return null;
+	const decoded = base64UrlDecode(masterSecretB64u);
+	if (decoded.length !== 32) throw new Error(`THRESHOLD_ED25519_MASTER_SECRET_B64U must decode to 32 bytes, got ${decoded.length}`);
+	return masterSecretB64u;
+}
+function parseThresholdEd25519ParticipantIds2p(input) {
+	const clientIdRaw = input.THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID;
+	const relayerIdRaw = input.THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID;
+	const clientId = clientIdRaw === void 0 ? null : normalizeThresholdEd25519ParticipantId(clientIdRaw);
+	if (clientIdRaw !== void 0 && !clientId) throw new Error("THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID must be an integer in [1,65535]");
+	const relayerId = relayerIdRaw === void 0 ? null : normalizeThresholdEd25519ParticipantId(relayerIdRaw);
+	if (relayerIdRaw !== void 0 && !relayerId) throw new Error("THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID must be an integer in [1,65535]");
+	const clientParticipantId = clientId ?? THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID;
+	const relayerParticipantId = relayerId ?? THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID;
+	if (clientParticipantId === relayerParticipantId) throw new Error("THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID must differ from THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID");
+	const participantIds2p = normalizeThresholdEd25519ParticipantIds([clientParticipantId, relayerParticipantId]) || [...THRESHOLD_ED25519_2P_PARTICIPANT_IDS];
+	return {
+		clientParticipantId,
+		relayerParticipantId,
+		participantIds2p
+	};
+}
+//#endregion
+export { coerceThresholdEd25519ShareMode, coerceThresholdNodeRole, parseThresholdCoordinatorSharedSecretBytes, parseThresholdEd25519ParticipantIds2p, parseThresholdRelayerCosignerThreshold, parseThresholdRelayerCosigners, validateThresholdEd25519MasterSecretB64u };
+//# sourceMappingURL=config.js.map

package/dist/esm/server/core/ThresholdService/config.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.js","names":["raw","out: ThresholdRelayerCosignerPeer[]","decoded: Uint8Array"],"sources":["../../../../../src/server/core/ThresholdService/config.ts"],"sourcesContent":["import { base64UrlDecode } from '../../../utils/encoders';\nimport { toOptionalTrimmedString } from '../../../utils/validation';\nimport {\n THRESHOLD_ED25519_2P_PARTICIPANT_IDS,\n THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID,\n THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID,\n normalizeThresholdEd25519ParticipantId,\n normalizeThresholdEd25519ParticipantIds,\n} from '../../../threshold/participants';\n\nexport type ThresholdEd25519ShareMode = 'auto' | 'kv' | 'derived';\n\nexport function coerceThresholdEd25519ShareMode(input: unknown): ThresholdEd25519ShareMode {\n const mode = toOptionalTrimmedString(input);\n // Accept a small alias set for env var ergonomics.\n if (mode === 'derive') return 'derived';\n if (mode === 'kv' || mode === 'derived' || mode === 'auto') return mode;\n return 'auto';\n}\n\nexport type ThresholdNodeRole = 'cosigner' | 'coordinator';\n\nexport function coerceThresholdNodeRole(input: unknown): ThresholdNodeRole {\n const role = toOptionalTrimmedString(input);\n if (role === 'cosigner') return 'cosigner';\n if (role === 'coordinator') return 'coordinator';\n return 'coordinator';\n}\n\nexport type ThresholdRelayerCosignerPeer = {\n cosignerId: number;\n relayerUrl: string;\n};\n\nexport function parseThresholdRelayerCosigners(input: unknown): ThresholdRelayerCosignerPeer[] | null {\n const asJson = (raw: string): unknown => {\n try {\n return JSON.parse(raw);\n } catch {\n return null;\n }\n };\n\n const raw = typeof input === 'string' ? asJson(input) : input;\n if (!Array.isArray(raw) || raw.length === 0) return null;\n\n const out: ThresholdRelayerCosignerPeer[] = [];\n const seen = new Set<string>();\n for (const item of raw) {\n if (!item || typeof item !== 'object' || Array.isArray(item)) return null;\n const rec = item as Record<string, unknown>;\n const cosignerId = normalizeThresholdEd25519ParticipantId(rec.cosignerId);\n const relayerUrl = toOptionalTrimmedString(rec.relayerUrl)?.replace(/\\/+$/, '');\n if (!cosignerId || !relayerUrl) return null;\n const key = `${cosignerId}:${relayerUrl}`;\n if (seen.has(key)) continue;\n seen.add(key);\n out.push({ cosignerId, relayerUrl });\n }\n\n out.sort((a, b) => (a.cosignerId - b.cosignerId) || a.relayerUrl.localeCompare(b.relayerUrl));\n return out.length ? out : null;\n}\n\nexport function parseThresholdRelayerCosignerThreshold(input: unknown): number | null {\n const raw = toOptionalTrimmedString(input);\n if (!raw) return null;\n const n = Number(raw);\n if (!Number.isFinite(n)) return null;\n const t = Math.floor(n);\n if (t < 1) return null;\n return t;\n}\n\nexport function parseThresholdCoordinatorSharedSecretBytes(input: unknown): Uint8Array | null {\n const coordinatorSharedSecretB64u = toOptionalTrimmedString(input);\n if (!coordinatorSharedSecretB64u) return null;\n\n let decoded: Uint8Array;\n try {\n decoded = base64UrlDecode(coordinatorSharedSecretB64u);\n } catch {\n throw new Error('THRESHOLD_COORDINATOR_SHARED_SECRET_B64U must be valid base64url');\n }\n if (decoded.length !== 32) {\n throw new Error(`THRESHOLD_COORDINATOR_SHARED_SECRET_B64U must decode to 32 bytes, got ${decoded.length}`);\n }\n return decoded;\n}\n\nexport function validateThresholdEd25519MasterSecretB64u(input: unknown): string | null {\n const masterSecretB64u = toOptionalTrimmedString(input);\n if (!masterSecretB64u) return null;\n const decoded = base64UrlDecode(masterSecretB64u);\n if (decoded.length !== 32) {\n throw new Error(`THRESHOLD_ED25519_MASTER_SECRET_B64U must decode to 32 bytes, got ${decoded.length}`);\n }\n return masterSecretB64u;\n}\n\nexport function parseThresholdEd25519ParticipantIds2p(input: {\n THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID?: unknown;\n THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID?: unknown;\n}): { clientParticipantId: number; relayerParticipantId: number; participantIds2p: number[] } {\n const clientIdRaw = input.THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID;\n const relayerIdRaw = input.THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID;\n const clientId = clientIdRaw === undefined ? null : normalizeThresholdEd25519ParticipantId(clientIdRaw);\n if (clientIdRaw !== undefined && !clientId) {\n throw new Error('THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID must be an integer in [1,65535]');\n }\n const relayerId = relayerIdRaw === undefined ? null : normalizeThresholdEd25519ParticipantId(relayerIdRaw);\n if (relayerIdRaw !== undefined && !relayerId) {\n throw new Error('THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID must be an integer in [1,65535]');\n }\n\n const clientParticipantId = clientId ?? THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID;\n const relayerParticipantId = relayerId ?? THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID;\n if (clientParticipantId === relayerParticipantId) {\n throw new Error('THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID must differ from THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID');\n }\n\n const participantIds2p =\n normalizeThresholdEd25519ParticipantIds([clientParticipantId, relayerParticipantId])\n || [...THRESHOLD_ED25519_2P_PARTICIPANT_IDS];\n\n return { clientParticipantId, relayerParticipantId, participantIds2p };\n}\n"],"mappings":";;;;;;AAYA,SAAgB,gCAAgC,OAA2C;CACzF,MAAM,OAAO,wBAAwB;AAErC,KAAI,SAAS,SAAU,QAAO;AAC9B,KAAI,SAAS,QAAQ,SAAS,aAAa,SAAS,OAAQ,QAAO;AACnE,QAAO;;AAKT,SAAgB,wBAAwB,OAAmC;CACzE,MAAM,OAAO,wBAAwB;AACrC,KAAI,SAAS,WAAY,QAAO;AAChC,KAAI,SAAS,cAAe,QAAO;AACnC,QAAO;;AAQT,SAAgB,+BAA+B,OAAuD;CACpG,MAAM,UAAU,UAAyB;AACvC,MAAI;AACF,UAAO,KAAK,MAAMA;UACZ;AACN,UAAO;;;CAIX,MAAM,MAAM,OAAO,UAAU,WAAW,OAAO,SAAS;AACxD,KAAI,CAAC,MAAM,QAAQ,QAAQ,IAAI,WAAW,EAAG,QAAO;CAEpD,MAAMC,MAAsC;CAC5C,MAAM,uBAAO,IAAI;AACjB,MAAK,MAAM,QAAQ,KAAK;AACtB,MAAI,CAAC,QAAQ,OAAO,SAAS,YAAY,MAAM,QAAQ,MAAO,QAAO;EACrE,MAAM,MAAM;EACZ,MAAM,aAAa,uCAAuC,IAAI;EAC9D,MAAM,aAAa,wBAAwB,IAAI,aAAa,QAAQ,QAAQ;AAC5E,MAAI,CAAC,cAAc,CAAC,WAAY,QAAO;EACvC,MAAM,MAAM,GAAG,WAAW,GAAG;AAC7B,MAAI,KAAK,IAAI,KAAM;AACnB,OAAK,IAAI;AACT,MAAI,KAAK;GAAE;GAAY;;;AAGzB,KAAI,MAAM,GAAG,MAAO,EAAE,aAAa,EAAE,cAAe,EAAE,WAAW,cAAc,EAAE;AACjF,QAAO,IAAI,SAAS,MAAM;;AAG5B,SAAgB,uCAAuC,OAA+B;CACpF,MAAM,MAAM,wBAAwB;AACpC,KAAI,CAAC,IAAK,QAAO;CACjB,MAAM,IAAI,OAAO;AACjB,KAAI,CAAC,OAAO,SAAS,GAAI,QAAO;CAChC,MAAM,IAAI,KAAK,MAAM;AACrB,KAAI,IAAI,EAAG,QAAO;AAClB,QAAO;;AAGT,SAAgB,2CAA2C,OAAmC;CAC5F,MAAM,8BAA8B,wBAAwB;AAC5D,KAAI,CAAC,4BAA6B,QAAO;CAEzC,IAAIC;AACJ,KAAI;AACF,YAAU,gBAAgB;SACpB;AACN,QAAM,IAAI,MAAM;;AAElB,KAAI,QAAQ,WAAW,GACrB,OAAM,IAAI,MAAM,yEAAyE,QAAQ;AAEnG,QAAO;;AAGT,SAAgB,yCAAyC,OAA+B;CACtF,MAAM,mBAAmB,wBAAwB;AACjD,KAAI,CAAC,iBAAkB,QAAO;CAC9B,MAAM,UAAU,gBAAgB;AAChC,KAAI,QAAQ,WAAW,GACrB,OAAM,IAAI,MAAM,qEAAqE,QAAQ;AAE/F,QAAO;;AAGT,SAAgB,sCAAsC,OAGwC;CAC5F,MAAM,cAAc,MAAM;CAC1B,MAAM,eAAe,MAAM;CAC3B,MAAM,WAAW,gBAAgB,SAAY,OAAO,uCAAuC;AAC3F,KAAI,gBAAgB,UAAa,CAAC,SAChC,OAAM,IAAI,MAAM;CAElB,MAAM,YAAY,iBAAiB,SAAY,OAAO,uCAAuC;AAC7F,KAAI,iBAAiB,UAAa,CAAC,UACjC,OAAM,IAAI,MAAM;CAGlB,MAAM,sBAAsB,YAAY;CACxC,MAAM,uBAAuB,aAAa;AAC1C,KAAI,wBAAwB,qBAC1B,OAAM,IAAI,MAAM;CAGlB,MAAM,mBACJ,wCAAwC,CAAC,qBAAqB,0BAC3D,CAAC,GAAG;AAET,QAAO;EAAE;EAAqB;EAAsB"}

package/dist/esm/server/core/ThresholdService/coordinatorGrant.js ADDED Viewed

@@ -0,0 +1,200 @@
+import { toOptionalTrimmedString } from "../../sdk/src/utils/validation.js";
+import { base64UrlDecode, base64UrlEncode } from "../../sdk/src/utils/base64.js";
+import { normalizeThresholdEd25519ParticipantId } from "../../sdk/src/threshold/participants.js";
+import { bytesEqual32, isObject, parseThresholdEd25519MpcSessionRecord } from "./validation.js";
+//#region src/server/core/ThresholdService/coordinatorGrant.ts
+function toArrayBufferCopy(bytes) {
+	const ab = new ArrayBuffer(bytes.byteLength);
+	new Uint8Array(ab).set(bytes);
+	return ab;
+}
+async function signHmacJsonToken(input) {
+	const { key, keyPromise } = await ensureCoordinatorHmacKey({
+		secretBytes: input.secretBytes,
+		keyPromise: input.keyPromise
+	});
+	if (!key) return {
+		token: null,
+		keyPromise
+	};
+	const payloadBytes = new TextEncoder().encode(JSON.stringify(input.payload));
+	const sig = new Uint8Array(await crypto.subtle.sign("HMAC", key, toArrayBufferCopy(payloadBytes)));
+	return {
+		token: `${base64UrlEncode(payloadBytes)}.${base64UrlEncode(sig)}`,
+		keyPromise
+	};
+}
+async function ensureCoordinatorHmacKey(input) {
+	if (!input.secretBytes) return {
+		key: null,
+		keyPromise: input.keyPromise
+	};
+	const keyPromise = input.keyPromise ?? crypto.subtle.importKey("raw", toArrayBufferCopy(input.secretBytes), {
+		name: "HMAC",
+		hash: "SHA-256"
+	}, false, ["sign"]);
+	return {
+		key: await keyPromise,
+		keyPromise
+	};
+}
+async function signThresholdEd25519CosignerGrantV1(input) {
+	return await signHmacJsonToken(input);
+}
+async function verifyHmacJsonToken(input) {
+	const { key, keyPromise } = await ensureCoordinatorHmacKey({
+		secretBytes: input.secretBytes,
+		keyPromise: input.keyPromise
+	});
+	if (!key) return {
+		ok: false,
+		keyPromise,
+		code: "not_found",
+		message: input.missingSecretMessage
+	};
+	const raw = toOptionalTrimmedString(input.token);
+	if (!raw) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "Missing coordinatorGrant"
+	};
+	const parts = raw.split(".");
+	if (parts.length !== 2) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "Invalid coordinatorGrant format"
+	};
+	let payloadBytes;
+	let sigBytes;
+	try {
+		payloadBytes = base64UrlDecode(parts[0]);
+		sigBytes = base64UrlDecode(parts[1]);
+	} catch {
+		return {
+			ok: false,
+			keyPromise,
+			code: "unauthorized",
+			message: "Invalid coordinatorGrant encoding"
+		};
+	}
+	if (sigBytes.length !== 32) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "Invalid coordinatorGrant signature length"
+	};
+	const expected = new Uint8Array(await crypto.subtle.sign("HMAC", key, toArrayBufferCopy(payloadBytes)));
+	if (!bytesEqual32(expected, sigBytes)) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "Invalid coordinatorGrant signature"
+	};
+	let parsed;
+	try {
+		parsed = JSON.parse(new TextDecoder().decode(payloadBytes));
+	} catch {
+		return {
+			ok: false,
+			keyPromise,
+			code: "unauthorized",
+			message: "Invalid coordinatorGrant JSON"
+		};
+	}
+	if (!isObject(parsed)) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "Invalid coordinatorGrant payload"
+	};
+	const g = parsed;
+	if (g.typ !== input.expectedTyp || g.v !== 1) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "Invalid coordinatorGrant type"
+	};
+	const iat = Number(g.iat);
+	const exp = Number(g.exp);
+	if (!Number.isFinite(iat) || !Number.isFinite(exp) || exp <= 0 || exp < iat) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "Invalid coordinatorGrant timestamps"
+	};
+	const now = Math.floor(Date.now() / 1e3);
+	if (now >= exp) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "coordinatorGrant expired"
+	};
+	const mpcSessionId = toOptionalTrimmedString(g.mpcSessionId);
+	if (!mpcSessionId) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "Invalid coordinatorGrant mpcSessionId"
+	};
+	const mpcSession = parseThresholdEd25519MpcSessionRecord(g.mpcSession);
+	if (!mpcSession) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "Invalid coordinatorGrant mpcSession payload"
+	};
+	if (Date.now() > mpcSession.expiresAtMs) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "coordinatorGrant mpcSession expired"
+	};
+	return {
+		ok: true,
+		keyPromise,
+		payload: g,
+		iat,
+		exp,
+		mpcSessionId,
+		mpcSession
+	};
+}
+async function verifyThresholdEd25519CosignerGrantV1(input) {
+	const verified = await verifyHmacJsonToken({
+		secretBytes: input.secretBytes,
+		keyPromise: input.keyPromise,
+		token: input.token,
+		missingSecretMessage: "threshold-ed25519 cosigner grants are not enabled on this server",
+		expectedTyp: "threshold_ed25519_cosigner_grant_v1"
+	});
+	if (!verified.ok) return verified;
+	const { payload: g, iat, exp, mpcSessionId, mpcSession, keyPromise } = verified;
+	const cosignerId = normalizeThresholdEd25519ParticipantId(g.cosignerId);
+	if (!cosignerId) return {
+		ok: false,
+		keyPromise,
+		code: "unauthorized",
+		message: "Invalid coordinatorGrant cosignerId"
+	};
+	return {
+		ok: true,
+		keyPromise,
+		grant: {
+			v: 1,
+			typ: "threshold_ed25519_cosigner_grant_v1",
+			iat,
+			exp,
+			mpcSessionId,
+			cosignerId,
+			mpcSession: g.mpcSession
+		},
+		mpcSession
+	};
+}
+//#endregion
+export { signThresholdEd25519CosignerGrantV1, verifyThresholdEd25519CosignerGrantV1 };
+//# sourceMappingURL=coordinatorGrant.js.map

package/dist/esm/server/core/ThresholdService/coordinatorGrant.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"coordinatorGrant.js","names":["payloadBytes: Uint8Array","sigBytes: Uint8Array","parsed: unknown"],"sources":["../../../../../src/server/core/ThresholdService/coordinatorGrant.ts"],"sourcesContent":["import { base64UrlDecode, base64UrlEncode } from '../../../utils/encoders';\nimport { toOptionalTrimmedString } from '../../../utils/validation';\nimport { bytesEqual32, isObject, parseThresholdEd25519MpcSessionRecord } from './validation';\nimport { normalizeThresholdEd25519ParticipantId } from '../../../threshold/participants';\n\nexport type ThresholdEd25519CosignerGrantV1 = {\n v: 1;\n typ: 'threshold_ed25519_cosigner_grant_v1';\n iat: number;\n exp: number;\n mpcSessionId: string;\n cosignerId: number;\n mpcSession: unknown;\n};\n\nexport type ParsedThresholdEd25519MpcSession = NonNullable<ReturnType<typeof parseThresholdEd25519MpcSessionRecord>>;\n\nfunction toArrayBufferCopy(bytes: Uint8Array): ArrayBuffer {\n const ab = new ArrayBuffer(bytes.byteLength);\n new Uint8Array(ab).set(bytes);\n return ab;\n}\n\nasync function signHmacJsonToken(input: {\n secretBytes: Uint8Array | null;\n keyPromise: Promise<CryptoKey> | null;\n payload: unknown;\n}): Promise<{ token: string | null; keyPromise: Promise<CryptoKey> | null }> {\n const { key, keyPromise } = await ensureCoordinatorHmacKey({ secretBytes: input.secretBytes, keyPromise: input.keyPromise });\n if (!key) return { token: null, keyPromise };\n const payloadBytes = new TextEncoder().encode(JSON.stringify(input.payload));\n const sig = new Uint8Array(await crypto.subtle.sign('HMAC', key, toArrayBufferCopy(payloadBytes)));\n return { token: `${base64UrlEncode(payloadBytes)}.${base64UrlEncode(sig)}`, keyPromise };\n}\n\nasync function ensureCoordinatorHmacKey(input: {\n secretBytes: Uint8Array | null;\n keyPromise: Promise<CryptoKey> | null;\n}): Promise<{ key: CryptoKey | null; keyPromise: Promise<CryptoKey> | null }> {\n if (!input.secretBytes) return { key: null, keyPromise: input.keyPromise };\n const keyPromise = input.keyPromise ?? crypto.subtle.importKey(\n 'raw',\n toArrayBufferCopy(input.secretBytes),\n { name: 'HMAC', hash: 'SHA-256' },\n false,\n ['sign'],\n );\n return { key: await keyPromise, keyPromise };\n}\n\nexport async function signThresholdEd25519CosignerGrantV1(input: {\n secretBytes: Uint8Array | null;\n keyPromise: Promise<CryptoKey> | null;\n payload: ThresholdEd25519CosignerGrantV1;\n}): Promise<{ token: string | null; keyPromise: Promise<CryptoKey> | null }> {\n return await signHmacJsonToken(input);\n}\n\nasync function verifyHmacJsonToken(input: {\n secretBytes: Uint8Array | null;\n keyPromise: Promise<CryptoKey> | null;\n token: unknown;\n missingSecretMessage: string;\n expectedTyp: string;\n}): Promise<\n | {\n ok: true;\n keyPromise: Promise<CryptoKey> | null;\n payload: Record<string, unknown>;\n iat: number;\n exp: number;\n mpcSessionId: string;\n mpcSession: ParsedThresholdEd25519MpcSession;\n }\n | {\n ok: false;\n keyPromise: Promise<CryptoKey> | null;\n code: string;\n message: string;\n }\n> {\n const { key, keyPromise } = await ensureCoordinatorHmacKey({ secretBytes: input.secretBytes, keyPromise: input.keyPromise });\n if (!key) {\n return { ok: false, keyPromise, code: 'not_found', message: input.missingSecretMessage };\n }\n\n const raw = toOptionalTrimmedString(input.token);\n if (!raw) return { ok: false, keyPromise, code: 'unauthorized', message: 'Missing coordinatorGrant' };\n const parts = raw.split('.');\n if (parts.length !== 2) {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'Invalid coordinatorGrant format' };\n }\n\n let payloadBytes: Uint8Array;\n let sigBytes: Uint8Array;\n try {\n payloadBytes = base64UrlDecode(parts[0]);\n sigBytes = base64UrlDecode(parts[1]);\n } catch {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'Invalid coordinatorGrant encoding' };\n }\n if (sigBytes.length !== 32) {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'Invalid coordinatorGrant signature length' };\n }\n\n const expected = new Uint8Array(await crypto.subtle.sign('HMAC', key, toArrayBufferCopy(payloadBytes)));\n if (!bytesEqual32(expected, sigBytes)) {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'Invalid coordinatorGrant signature' };\n }\n\n let parsed: unknown;\n try {\n parsed = JSON.parse(new TextDecoder().decode(payloadBytes)) as unknown;\n } catch {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'Invalid coordinatorGrant JSON' };\n }\n if (!isObject(parsed)) {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'Invalid coordinatorGrant payload' };\n }\n\n const g = parsed as Record<string, unknown>;\n if (g.typ !== input.expectedTyp || g.v !== 1) {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'Invalid coordinatorGrant type' };\n }\n const iat = Number(g.iat);\n const exp = Number(g.exp);\n if (!Number.isFinite(iat) || !Number.isFinite(exp) || exp <= 0 || exp < iat) {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'Invalid coordinatorGrant timestamps' };\n }\n const now = Math.floor(Date.now() / 1000);\n if (now >= exp) {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'coordinatorGrant expired' };\n }\n\n const mpcSessionId = toOptionalTrimmedString(g.mpcSessionId);\n if (!mpcSessionId) {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'Invalid coordinatorGrant mpcSessionId' };\n }\n\n const mpcSession = parseThresholdEd25519MpcSessionRecord(g.mpcSession);\n if (!mpcSession) {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'Invalid coordinatorGrant mpcSession payload' };\n }\n if (Date.now() > mpcSession.expiresAtMs) {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'coordinatorGrant mpcSession expired' };\n }\n\n return { ok: true, keyPromise, payload: g, iat, exp, mpcSessionId, mpcSession };\n}\n\nexport async function verifyThresholdEd25519CosignerGrantV1(input: {\n secretBytes: Uint8Array | null;\n keyPromise: Promise<CryptoKey> | null;\n token: unknown;\n}): Promise<\n { ok: true; keyPromise: Promise<CryptoKey> | null; grant: ThresholdEd25519CosignerGrantV1; mpcSession: ParsedThresholdEd25519MpcSession }\n | { ok: false; keyPromise: Promise<CryptoKey> | null; code: string; message: string }\n> {\n const verified = await verifyHmacJsonToken({\n secretBytes: input.secretBytes,\n keyPromise: input.keyPromise,\n token: input.token,\n missingSecretMessage: 'threshold-ed25519 cosigner grants are not enabled on this server',\n expectedTyp: 'threshold_ed25519_cosigner_grant_v1',\n });\n if (!verified.ok) return verified;\n const { payload: g, iat, exp, mpcSessionId, mpcSession, keyPromise } = verified;\n\n const cosignerId = normalizeThresholdEd25519ParticipantId(g.cosignerId);\n if (!cosignerId) {\n return { ok: false, keyPromise, code: 'unauthorized', message: 'Invalid coordinatorGrant cosignerId' };\n }\n\n return {\n ok: true,\n keyPromise,\n grant: {\n v: 1,\n typ: 'threshold_ed25519_cosigner_grant_v1',\n iat,\n exp,\n mpcSessionId,\n cosignerId,\n mpcSession: g.mpcSession,\n },\n mpcSession,\n };\n}\n"],"mappings":";;;;;;AAiBA,SAAS,kBAAkB,OAAgC;CACzD,MAAM,KAAK,IAAI,YAAY,MAAM;AACjC,KAAI,WAAW,IAAI,IAAI;AACvB,QAAO;;AAGT,eAAe,kBAAkB,OAI4C;CAC3E,MAAM,EAAE,KAAK,eAAe,MAAM,yBAAyB;EAAE,aAAa,MAAM;EAAa,YAAY,MAAM;;AAC/G,KAAI,CAAC,IAAK,QAAO;EAAE,OAAO;EAAM;;CAChC,MAAM,eAAe,IAAI,cAAc,OAAO,KAAK,UAAU,MAAM;CACnE,MAAM,MAAM,IAAI,WAAW,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,kBAAkB;AACnF,QAAO;EAAE,OAAO,GAAG,gBAAgB,cAAc,GAAG,gBAAgB;EAAQ;;;AAG9E,eAAe,yBAAyB,OAGsC;AAC5E,KAAI,CAAC,MAAM,YAAa,QAAO;EAAE,KAAK;EAAM,YAAY,MAAM;;CAC9D,MAAM,aAAa,MAAM,cAAc,OAAO,OAAO,UACnD,OACA,kBAAkB,MAAM,cACxB;EAAE,MAAM;EAAQ,MAAM;IACtB,OACA,CAAC;AAEH,QAAO;EAAE,KAAK,MAAM;EAAY;;;AAGlC,eAAsB,oCAAoC,OAImB;AAC3E,QAAO,MAAM,kBAAkB;;AAGjC,eAAe,oBAAoB,OAsBjC;CACA,MAAM,EAAE,KAAK,eAAe,MAAM,yBAAyB;EAAE,aAAa,MAAM;EAAa,YAAY,MAAM;;AAC/G,KAAI,CAAC,IACH,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAa,SAAS,MAAM;;CAGpE,MAAM,MAAM,wBAAwB,MAAM;AAC1C,KAAI,CAAC,IAAK,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;CACzE,MAAM,QAAQ,IAAI,MAAM;AACxB,KAAI,MAAM,WAAW,EACnB,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;CAGjE,IAAIA;CACJ,IAAIC;AACJ,KAAI;AACF,iBAAe,gBAAgB,MAAM;AACrC,aAAW,gBAAgB,MAAM;SAC3B;AACN,SAAO;GAAE,IAAI;GAAO;GAAY,MAAM;GAAgB,SAAS;;;AAEjE,KAAI,SAAS,WAAW,GACtB,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;CAGjE,MAAM,WAAW,IAAI,WAAW,MAAM,OAAO,OAAO,KAAK,QAAQ,KAAK,kBAAkB;AACxF,KAAI,CAAC,aAAa,UAAU,UAC1B,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;CAGjE,IAAIC;AACJ,KAAI;AACF,WAAS,KAAK,MAAM,IAAI,cAAc,OAAO;SACvC;AACN,SAAO;GAAE,IAAI;GAAO;GAAY,MAAM;GAAgB,SAAS;;;AAEjE,KAAI,CAAC,SAAS,QACZ,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;CAGjE,MAAM,IAAI;AACV,KAAI,EAAE,QAAQ,MAAM,eAAe,EAAE,MAAM,EACzC,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;CAEjE,MAAM,MAAM,OAAO,EAAE;CACrB,MAAM,MAAM,OAAO,EAAE;AACrB,KAAI,CAAC,OAAO,SAAS,QAAQ,CAAC,OAAO,SAAS,QAAQ,OAAO,KAAK,MAAM,IACtE,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;CAEjE,MAAM,MAAM,KAAK,MAAM,KAAK,QAAQ;AACpC,KAAI,OAAO,IACT,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;CAGjE,MAAM,eAAe,wBAAwB,EAAE;AAC/C,KAAI,CAAC,aACH,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;CAGjE,MAAM,aAAa,sCAAsC,EAAE;AAC3D,KAAI,CAAC,WACH,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;AAEjE,KAAI,KAAK,QAAQ,WAAW,YAC1B,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;AAGjE,QAAO;EAAE,IAAI;EAAM;EAAY,SAAS;EAAG;EAAK;EAAK;EAAc;;;AAGrE,eAAsB,sCAAsC,OAO1D;CACA,MAAM,WAAW,MAAM,oBAAoB;EACzC,aAAa,MAAM;EACnB,YAAY,MAAM;EAClB,OAAO,MAAM;EACb,sBAAsB;EACtB,aAAa;;AAEf,KAAI,CAAC,SAAS,GAAI,QAAO;CACzB,MAAM,EAAE,SAAS,GAAG,KAAK,KAAK,cAAc,YAAY,eAAe;CAEvE,MAAM,aAAa,uCAAuC,EAAE;AAC5D,KAAI,CAAC,WACH,QAAO;EAAE,IAAI;EAAO;EAAY,MAAM;EAAgB,SAAS;;AAGjE,QAAO;EACL,IAAI;EACJ;EACA,OAAO;GACL,GAAG;GACH,KAAK;GACL;GACA;GACA;GACA;GACA,YAAY,EAAE;;EAEhB"}