npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/esm/server/core/config.js CHANGED Viewed

@@ -1,3 +1,5 @@
+import { toOptionalTrimmedString, toTrimmedString } from "../sdk/src/utils/validation.js";
 //#region src/server/core/config.ts
 const AUTH_SERVICE_CONFIG_DEFAULTS = {
 	nearRpcUrlTestnet: "https://test.rpc.fastnear.com",
@@ -11,19 +13,16 @@ function defaultNearRpcUrl(networkId) {
 	if (net === "mainnet") return AUTH_SERVICE_CONFIG_DEFAULTS.nearRpcUrlMainnet;
 	return AUTH_SERVICE_CONFIG_DEFAULTS.nearRpcUrlTestnet;
 }
-function normalizeOptionalString(v) {
-	return typeof v === "string" ? v.trim() : "";
-}
 function normalizeZkEmailProverConfig(input) {
 	if (!input) return void 0;
 	if (typeof input.baseUrl === "string") {
-		const baseUrl$1 = normalizeOptionalString(input.baseUrl);
+		const baseUrl$1 = toOptionalTrimmedString(input.baseUrl);
 		if (!baseUrl$1) return void 0;
 		return input;
 	}
 	const envInput = input;
-	const baseUrl = normalizeOptionalString(envInput.ZK_EMAIL_PROVER_BASE_URL);
-	const timeoutMsRaw = normalizeOptionalString(envInput.ZK_EMAIL_PROVER_TIMEOUT_MS);
+	const baseUrl = toOptionalTrimmedString(envInput.ZK_EMAIL_PROVER_BASE_URL);
+	const timeoutMsRaw = toOptionalTrimmedString(envInput.ZK_EMAIL_PROVER_TIMEOUT_MS);
 	const anyProvided = Boolean(baseUrl || timeoutMsRaw);
 	if (!anyProvided) return void 0;
 	if (!baseUrl) throw new Error("zkEmailProver enabled but ZK_EMAIL_PROVER_BASE_URL is not set");
@@ -38,15 +37,15 @@ function normalizeShamirConfig(input) {
 	if (!input) return void 0;
 	if (typeof input.shamir_p_b64u === "string") {
 		const c = input;
-		const anyProvided$1 = Boolean(normalizeOptionalString(c.shamir_p_b64u) || normalizeOptionalString(c.shamir_e_s_b64u) || normalizeOptionalString(c.shamir_d_s_b64u));
+		const anyProvided$1 = Boolean(toOptionalTrimmedString(c.shamir_p_b64u) || toOptionalTrimmedString(c.shamir_e_s_b64u) || toOptionalTrimmedString(c.shamir_d_s_b64u));
 		if (!anyProvided$1) return void 0;
 		return c;
 	}
 	const envInput = input;
-	const p = normalizeOptionalString(envInput.SHAMIR_P_B64U);
-	const e = normalizeOptionalString(envInput.SHAMIR_E_S_B64U);
-	const d = normalizeOptionalString(envInput.SHAMIR_D_S_B64U);
-	const graceFileEnv = normalizeOptionalString(envInput.SHAMIR_GRACE_KEYS_FILE);
+	const p = toOptionalTrimmedString(envInput.SHAMIR_P_B64U);
+	const e = toOptionalTrimmedString(envInput.SHAMIR_E_S_B64U);
+	const d = toOptionalTrimmedString(envInput.SHAMIR_D_S_B64U);
+	const graceFileEnv = toOptionalTrimmedString(envInput.SHAMIR_GRACE_KEYS_FILE);
 	const anyProvided = Boolean(p || e || d || graceFileEnv);
 	if (!anyProvided) return void 0;
 	if (!p || !e || !d) throw new Error("Shamir enabled but SHAMIR_P_B64U / SHAMIR_E_S_B64U / SHAMIR_D_S_B64U are not all set");
@@ -60,18 +59,27 @@ function normalizeShamirConfig(input) {
 		moduleOrPath: envInput.moduleOrPath
 	};
 }
+function normalizeThresholdEd25519KeyStoreConfig(input) {
+	if (!input) return void 0;
+	if (typeof input !== "object" || Array.isArray(input)) return void 0;
+	const c = input;
+	const anyProvided = Boolean(toOptionalTrimmedString(c.THRESHOLD_ED25519_SHARE_MODE) || toOptionalTrimmedString(c.THRESHOLD_ED25519_MASTER_SECRET_B64U) || toOptionalTrimmedString(c.THRESHOLD_NODE_ROLE) || toOptionalTrimmedString(c.THRESHOLD_COORDINATOR_SHARED_SECRET_B64U) || toOptionalTrimmedString(c.THRESHOLD_ED25519_RELAYER_COSIGNERS) || toOptionalTrimmedString(c.THRESHOLD_ED25519_RELAYER_COSIGNER_ID) || toOptionalTrimmedString(c.THRESHOLD_ED25519_RELAYER_COSIGNER_T) || toOptionalTrimmedString(c.THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID) || toOptionalTrimmedString(c.THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID) || toOptionalTrimmedString(c.THRESHOLD_ED25519_AUTH_PREFIX) || toOptionalTrimmedString(c.THRESHOLD_ED25519_SESSION_PREFIX) || toOptionalTrimmedString(c.THRESHOLD_ED25519_KEYSTORE_PREFIX) || toOptionalTrimmedString(c.kind) || toOptionalTrimmedString(c.url) || toOptionalTrimmedString(c.token) || toOptionalTrimmedString(c.redisUrl) || toOptionalTrimmedString(c.UPSTASH_REDIS_REST_URL) || toOptionalTrimmedString(c.UPSTASH_REDIS_REST_TOKEN) || toOptionalTrimmedString(c.REDIS_URL));
+	if (!anyProvided) return void 0;
+	return input;
+}
 function createAuthServiceConfig(input) {
-	const networkId = String(input.networkId || "").trim() || AUTH_SERVICE_CONFIG_DEFAULTS.networkId;
+	const networkId = toTrimmedString(input.networkId) || AUTH_SERVICE_CONFIG_DEFAULTS.networkId;
 	const config = {
-		relayerAccountId: input.relayerAccountId,
-		relayerPrivateKey: input.relayerPrivateKey,
-		webAuthnContractId: input.webAuthnContractId,
-		nearRpcUrl: String(input.nearRpcUrl || "").trim() || defaultNearRpcUrl(networkId),
+		relayerAccountId: toTrimmedString(input.relayerAccountId),
+		relayerPrivateKey: toTrimmedString(input.relayerPrivateKey),
+		webAuthnContractId: toTrimmedString(input.webAuthnContractId),
+		nearRpcUrl: toTrimmedString(input.nearRpcUrl) || defaultNearRpcUrl(networkId),
 		networkId,
-		accountInitialBalance: String(input.accountInitialBalance || "").trim() || AUTH_SERVICE_CONFIG_DEFAULTS.accountInitialBalance,
-		createAccountAndRegisterGas: String(input.createAccountAndRegisterGas || "").trim() || AUTH_SERVICE_CONFIG_DEFAULTS.createAccountAndRegisterGas,
+		accountInitialBalance: toTrimmedString(input.accountInitialBalance) || AUTH_SERVICE_CONFIG_DEFAULTS.accountInitialBalance,
+		createAccountAndRegisterGas: toTrimmedString(input.createAccountAndRegisterGas) || AUTH_SERVICE_CONFIG_DEFAULTS.createAccountAndRegisterGas,
 		shamir: normalizeShamirConfig(input.shamir),
 		signerWasm: input.signerWasm,
+		thresholdEd25519KeyStore: normalizeThresholdEd25519KeyStoreConfig(input.thresholdEd25519KeyStore),
 		logger: input.logger,
 		zkEmailProver: normalizeZkEmailProverConfig(input.zkEmailProver)
 	};

package/dist/esm/server/core/config.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config.js","names":["baseUrl","anyProvided","config: AuthServiceConfig"],"sources":["../../../../src/server/core/config.ts"],"sourcesContent":["import type {\n AuthServiceConfig,\n AuthServiceConfigInput,\n ShamirConfig,\n ShamirConfigEnvInput,\n ZkEmailProverConfigEnvInput,\n} from './types';\n\nexport const AUTH_SERVICE_CONFIG_DEFAULTS = {\n // Prefer FastNEAR for testnet by default (more reliable in practice).\n // If you set `networkId: 'mainnet'` and omit `nearRpcUrl`, the default switches to NEAR mainnet RPC.\n nearRpcUrlTestnet: 'https://test.rpc.fastnear.com',\n nearRpcUrlMainnet: 'https://rpc.mainnet.near.org',\n networkId: 'testnet',\n // 0.03 NEAR (typical for examples; adjust based on your app/storage needs).\n accountInitialBalance: '30000000000000000000000',\n // 85 TGas (tested)\n createAccountAndRegisterGas: '85000000000000',\n} as const;\n\nfunction defaultNearRpcUrl(networkId: string): string {\n const net = String(networkId \|\| '').trim().toLowerCase();\n if (net === 'mainnet') return AUTH_SERVICE_CONFIG_DEFAULTS.nearRpcUrlMainnet;\n return AUTH_SERVICE_CONFIG_DEFAULTS.nearRpcUrlTestnet;\n}\n\nfunction normalizeOptionalString(v: unknown): string {\n return typeof v === 'string' ? v.trim() : '';\n}\n\nfunction normalizeZkEmailProverConfig(\n input: AuthServiceConfigInput['zkEmailProver'],\n): AuthServiceConfig['zkEmailProver'] \| undefined {\n if (!input) return undefined;\n\n // Full options object\n if (typeof (input as any).baseUrl === 'string') {\n const baseUrl = normalizeOptionalString((input as any).baseUrl);\n if (!baseUrl) return undefined;\n return input as AuthServiceConfig['zkEmailProver'];\n }\n\n // Env-shaped input\n const envInput = input as ZkEmailProverConfigEnvInput;\n const baseUrl = normalizeOptionalString(envInput.ZK_EMAIL_PROVER_BASE_URL);\n const timeoutMsRaw = normalizeOptionalString(envInput.ZK_EMAIL_PROVER_TIMEOUT_MS);\n\n const anyProvided = Boolean(baseUrl \|\| timeoutMsRaw);\n if (!anyProvided) return undefined;\n if (!baseUrl) {\n throw new Error('zkEmailProver enabled but ZK_EMAIL_PROVER_BASE_URL is not set');\n }\n\n const timeoutMs = timeoutMsRaw ? Number(timeoutMsRaw) : undefined;\n if (timeoutMsRaw && (!Number.isFinite(timeoutMs) \|\| timeoutMs! <= 0)) {\n throw new Error('ZK_EMAIL_PROVER_TIMEOUT_MS must be a positive integer (ms)');\n }\n\n return {\n baseUrl,\n timeoutMs,\n };\n}\n\nfunction normalizeShamirConfig(input: AuthServiceConfigInput['shamir']): AuthServiceConfig['shamir'] \| undefined {\n if (!input) return undefined;\n\n // Already normalized config shape\n if (typeof (input as any).shamir_p_b64u === 'string') {\n const c = input as ShamirConfig;\n // Treat all-empty as disabled for safety\n const anyProvided = Boolean(\n normalizeOptionalString(c.shamir_p_b64u) \|\|\n normalizeOptionalString(c.shamir_e_s_b64u) \|\|\n normalizeOptionalString(c.shamir_d_s_b64u),\n );\n if (!anyProvided) return undefined;\n return c;\n }\n\n // Env-shaped input\n const envInput = input as ShamirConfigEnvInput;\n const p = normalizeOptionalString(envInput.SHAMIR_P_B64U);\n const e = normalizeOptionalString(envInput.SHAMIR_E_S_B64U);\n const d = normalizeOptionalString(envInput.SHAMIR_D_S_B64U);\n const graceFileEnv = normalizeOptionalString(envInput.SHAMIR_GRACE_KEYS_FILE);\n\n const anyProvided = Boolean(p \|\| e \|\| d \|\| graceFileEnv);\n if (!anyProvided) return undefined;\n\n if (!p \|\| !e \|\| !d) {\n throw new Error('Shamir enabled but SHAMIR_P_B64U / SHAMIR_E_S_B64U / SHAMIR_D_S_B64U are not all set');\n }\n\n const graceShamirKeysFile =\n // Preserve explicit empty-string overrides (workers use this to disable FS).\n envInput.graceShamirKeysFile !== undefined\n ? envInput.graceShamirKeysFile\n : (graceFileEnv \|\| undefined);\n\n return {\n shamir_p_b64u: p,\n shamir_e_s_b64u: e,\n shamir_d_s_b64u: d,\n graceShamirKeys: envInput.graceShamirKeys,\n graceShamirKeysFile,\n moduleOrPath: envInput.moduleOrPath,\n };\n}\n\nexport function createAuthServiceConfig(input: AuthServiceConfigInput): AuthServiceConfig {\n const networkId = String(input.networkId \|\| '').trim() \|\| AUTH_SERVICE_CONFIG_DEFAULTS.networkId;\n const config: AuthServiceConfig = {\n relayerAccountId: input.relayerAccountId,\n relayerPrivateKey: input.relayerPrivateKey,\n webAuthnContractId: input.webAuthnContractId,\n nearRpcUrl: String(input.nearRpcUrl \|\| '').trim() \|\| defaultNearRpcUrl(networkId),\n networkId: networkId,\n accountInitialBalance: String(input.accountInitialBalance \|\| '').trim()\n \|\| AUTH_SERVICE_CONFIG_DEFAULTS.accountInitialBalance,\n createAccountAndRegisterGas: String(input.createAccountAndRegisterGas \|\| '').trim()\n \|\| AUTH_SERVICE_CONFIG_DEFAULTS.createAccountAndRegisterGas,\n shamir: normalizeShamirConfig(input.shamir),\n signerWasm: input.signerWasm,\n logger: input.logger,\n zkEmailProver: normalizeZkEmailProverConfig(input.zkEmailProver),\n };\n\n validateConfigs(config);\n return config;\n}\n\nexport function validateConfigs(config: AuthServiceConfig): void {\n\n const requiredTop = ['relayerAccountId','relayerPrivateKey','webAuthnContractId'] as const;\n for (const key of requiredTop) {\n if (!(config as any)[key]) throw new Error(`Missing required config variable: ${key}`);\n }\n\n // Shamir configuration is optional. If provided, validate required fields.\n const shamir = config.shamir;\n if (shamir) {\n if (!shamir.shamir_p_b64u) throw new Error('Missing required config variable: shamir.shamir_p_b64u');\n if (!shamir.shamir_e_s_b64u) throw new Error('Missing required config variable: shamir.shamir_e_s_b64u');\n if (!shamir.shamir_d_s_b64u) throw new Error('Missing required config variable: shamir.shamir_d_s_b64u');\n }\n\n // Validate private key format\n if (!config.relayerPrivateKey?.startsWith('ed25519:')) {\n throw new Error('Relayer private key must be in format \"ed25519:base58privatekey\"');\n }\n}\n\nexport function parseBool(v: unknown): boolean {\n const s = String(v ?? '').trim().toLowerCase();\n return s === '1' \|\| s === 'true' \|\| s === 'yes' \|\| s === 'on';\n}\n\nexport function requireEnvVar<T extends object, K extends keyof T & string>(env: T, name: K): string {\n const raw = (env as any)?.[name] as unknown;\n if (typeof raw !== 'string') throw new Error(`Missing required env var: ${name}`);\n const v = raw.trim();\n if (!v) throw new Error(`Missing required env var: ${name}`);\n return v;\n}\n"],"mappings":";AAQA,MAAa,+BAA+B;CAG1C,mBAAmB;CACnB,mBAAmB;CACnB,WAAW;CAEX,uBAAuB;CAEvB,6BAA6B;;AAG/B,SAAS,kBAAkB,WAA2B;CACpD,MAAM,MAAM,OAAO,aAAa,IAAI,OAAO;AAC3C,KAAI,QAAQ,UAAW,QAAO,6BAA6B;AAC3D,QAAO,6BAA6B;;AAGtC,SAAS,wBAAwB,GAAoB;AACnD,QAAO,OAAO,MAAM,WAAW,EAAE,SAAS;;AAG5C,SAAS,6BACP,OACgD;AAChD,KAAI,CAAC,MAAO,QAAO;AAGnB,KAAI,OAAQ,MAAc,YAAY,UAAU;EAC9C,MAAMA,YAAU,wBAAyB,MAAc;AACvD,MAAI,CAACA,UAAS,QAAO;AACrB,SAAO;;CAIT,MAAM,WAAW;CACjB,MAAM,UAAU,wBAAwB,SAAS;CACjD,MAAM,eAAe,wBAAwB,SAAS;CAEtD,MAAM,cAAc,QAAQ,WAAW;AACvC,KAAI,CAAC,YAAa,QAAO;AACzB,KAAI,CAAC,QACH,OAAM,IAAI,MAAM;CAGlB,MAAM,YAAY,eAAe,OAAO,gBAAgB;AACxD,KAAI,iBAAiB,CAAC,OAAO,SAAS,cAAc,aAAc,GAChE,OAAM,IAAI,MAAM;AAGlB,QAAO;EACL;EACA;;;AAIJ,SAAS,sBAAsB,OAAkF;AAC/G,KAAI,CAAC,MAAO,QAAO;AAGnB,KAAI,OAAQ,MAAc,kBAAkB,UAAU;EACpD,MAAM,IAAI;EAEV,MAAMC,gBAAc,QAClB,wBAAwB,EAAE,kBAC1B,wBAAwB,EAAE,oBAC1B,wBAAwB,EAAE;AAE5B,MAAI,CAACA,cAAa,QAAO;AACzB,SAAO;;CAIT,MAAM,WAAW;CACjB,MAAM,IAAI,wBAAwB,SAAS;CAC3C,MAAM,IAAI,wBAAwB,SAAS;CAC3C,MAAM,IAAI,wBAAwB,SAAS;CAC3C,MAAM,eAAe,wBAAwB,SAAS;CAEtD,MAAM,cAAc,QAAQ,KAAK,KAAK,KAAK;AAC3C,KAAI,CAAC,YAAa,QAAO;AAEzB,KAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EACf,OAAM,IAAI,MAAM;CAGlB,MAAM,sBAEJ,SAAS,wBAAwB,SAC7B,SAAS,sBACR,gBAAgB;AAEvB,QAAO;EACL,eAAe;EACf,iBAAiB;EACjB,iBAAiB;EACjB,iBAAiB,SAAS;EAC1B;EACA,cAAc,SAAS;;;AAI3B,SAAgB,wBAAwB,OAAkD;CACxF,MAAM,YAAY,OAAO,MAAM,aAAa,IAAI,UAAU,6BAA6B;CACvF,MAAMC,SAA4B;EAChC,kBAAkB,MAAM;EACxB,mBAAmB,MAAM;EACzB,oBAAoB,MAAM;EAC1B,YAAY,OAAO,MAAM,cAAc,IAAI,UAAU,kBAAkB;EAC5D;EACX,uBAAuB,OAAO,MAAM,yBAAyB,IAAI,UAC5D,6BAA6B;EAClC,6BAA6B,OAAO,MAAM,+BAA+B,IAAI,UACxE,6BAA6B;EAClC,QAAQ,sBAAsB,MAAM;EACpC,YAAY,MAAM;EAClB,QAAQ,MAAM;EACd,eAAe,6BAA6B,MAAM;;AAGpD,iBAAgB;AAChB,QAAO;;AAGT,SAAgB,gBAAgB,QAAiC;CAE/D,MAAM,cAAc;EAAC;EAAmB;EAAoB;;AAC5D,MAAK,MAAM,OAAO,YAChB,KAAI,CAAE,OAAe,KAAM,OAAM,IAAI,MAAM,qCAAqC;CAIlF,MAAM,SAAS,OAAO;AACtB,KAAI,QAAQ;AACV,MAAI,CAAC,OAAO,cAAe,OAAM,IAAI,MAAM;AAC3C,MAAI,CAAC,OAAO,gBAAiB,OAAM,IAAI,MAAM;AAC7C,MAAI,CAAC,OAAO,gBAAiB,OAAM,IAAI,MAAM;;AAI/C,KAAI,CAAC,OAAO,mBAAmB,WAAW,YACxC,OAAM,IAAI,MAAM;;AAIpB,SAAgB,UAAU,GAAqB;CAC7C,MAAM,IAAI,OAAO,KAAK,IAAI,OAAO;AACjC,QAAO,MAAM,OAAO,MAAM,UAAU,MAAM,SAAS,MAAM;;AAG3D,SAAgB,cAA4D,KAAQ,MAAiB;CACnG,MAAM,MAAO,MAAc;AAC3B,KAAI,OAAO,QAAQ,SAAU,OAAM,IAAI,MAAM,6BAA6B;CAC1E,MAAM,IAAI,IAAI;AACd,KAAI,CAAC,EAAG,OAAM,IAAI,MAAM,6BAA6B;AACrD,QAAO"}
1	+ {"version":3,"file":"config.js","names":["baseUrl","anyProvided","config: AuthServiceConfig"],"sources":["../../../../src/server/core/config.ts"],"sourcesContent":["import type {\n AuthServiceConfig,\n AuthServiceConfigInput,\n ShamirConfig,\n ShamirConfigEnvInput,\n ZkEmailProverConfigEnvInput,\n} from './types';\nimport { toOptionalTrimmedString, toTrimmedString } from '../../utils/validation';\n\nexport const AUTH_SERVICE_CONFIG_DEFAULTS = {\n // Prefer FastNEAR for testnet by default (more reliable in practice).\n // If you set `networkId: 'mainnet'` and omit `nearRpcUrl`, the default switches to NEAR mainnet RPC.\n nearRpcUrlTestnet: 'https://test.rpc.fastnear.com',\n nearRpcUrlMainnet: 'https://rpc.mainnet.near.org',\n networkId: 'testnet',\n // 0.03 NEAR (typical for examples; adjust based on your app/storage needs).\n accountInitialBalance: '30000000000000000000000',\n // 85 TGas (tested)\n createAccountAndRegisterGas: '85000000000000',\n} as const;\n\nfunction defaultNearRpcUrl(networkId: string): string {\n const net = String(networkId \|\| '').trim().toLowerCase();\n if (net === 'mainnet') return AUTH_SERVICE_CONFIG_DEFAULTS.nearRpcUrlMainnet;\n return AUTH_SERVICE_CONFIG_DEFAULTS.nearRpcUrlTestnet;\n}\n\nfunction normalizeZkEmailProverConfig(\n input: AuthServiceConfigInput['zkEmailProver'],\n): AuthServiceConfig['zkEmailProver'] \| undefined {\n if (!input) return undefined;\n\n // Full options object\n if (typeof (input as any).baseUrl === 'string') {\n const baseUrl = toOptionalTrimmedString((input as any).baseUrl);\n if (!baseUrl) return undefined;\n return input as AuthServiceConfig['zkEmailProver'];\n }\n\n // Env-shaped input\n const envInput = input as ZkEmailProverConfigEnvInput;\n const baseUrl = toOptionalTrimmedString(envInput.ZK_EMAIL_PROVER_BASE_URL);\n const timeoutMsRaw = toOptionalTrimmedString(envInput.ZK_EMAIL_PROVER_TIMEOUT_MS);\n\n const anyProvided = Boolean(baseUrl \|\| timeoutMsRaw);\n if (!anyProvided) return undefined;\n if (!baseUrl) {\n throw new Error('zkEmailProver enabled but ZK_EMAIL_PROVER_BASE_URL is not set');\n }\n\n const timeoutMs = timeoutMsRaw ? Number(timeoutMsRaw) : undefined;\n if (timeoutMsRaw && (!Number.isFinite(timeoutMs) \|\| timeoutMs! <= 0)) {\n throw new Error('ZK_EMAIL_PROVER_TIMEOUT_MS must be a positive integer (ms)');\n }\n\n return {\n baseUrl,\n timeoutMs,\n };\n}\n\nfunction normalizeShamirConfig(input: AuthServiceConfigInput['shamir']): AuthServiceConfig['shamir'] \| undefined {\n if (!input) return undefined;\n\n // Already normalized config shape\n if (typeof (input as any).shamir_p_b64u === 'string') {\n const c = input as ShamirConfig;\n // Treat all-empty as disabled for safety\n const anyProvided = Boolean(\n toOptionalTrimmedString(c.shamir_p_b64u) \|\|\n toOptionalTrimmedString(c.shamir_e_s_b64u) \|\|\n toOptionalTrimmedString(c.shamir_d_s_b64u),\n );\n if (!anyProvided) return undefined;\n return c;\n }\n\n // Env-shaped input\n const envInput = input as ShamirConfigEnvInput;\n const p = toOptionalTrimmedString(envInput.SHAMIR_P_B64U);\n const e = toOptionalTrimmedString(envInput.SHAMIR_E_S_B64U);\n const d = toOptionalTrimmedString(envInput.SHAMIR_D_S_B64U);\n const graceFileEnv = toOptionalTrimmedString(envInput.SHAMIR_GRACE_KEYS_FILE);\n\n const anyProvided = Boolean(p \|\| e \|\| d \|\| graceFileEnv);\n if (!anyProvided) return undefined;\n\n if (!p \|\| !e \|\| !d) {\n throw new Error('Shamir enabled but SHAMIR_P_B64U / SHAMIR_E_S_B64U / SHAMIR_D_S_B64U are not all set');\n }\n\n const graceShamirKeysFile =\n // Preserve explicit empty-string overrides (workers use this to disable FS).\n envInput.graceShamirKeysFile !== undefined\n ? envInput.graceShamirKeysFile\n : (graceFileEnv \|\| undefined);\n\n return {\n shamir_p_b64u: p,\n shamir_e_s_b64u: e,\n shamir_d_s_b64u: d,\n graceShamirKeys: envInput.graceShamirKeys,\n graceShamirKeysFile,\n moduleOrPath: envInput.moduleOrPath,\n };\n}\n\nfunction normalizeThresholdEd25519KeyStoreConfig(\n input: AuthServiceConfigInput['thresholdEd25519KeyStore'],\n): AuthServiceConfig['thresholdEd25519KeyStore'] \| undefined {\n if (!input) return undefined;\n if (typeof input !== 'object' \|\| Array.isArray(input)) return undefined;\n\n const c = input as Record<string, unknown>;\n const anyProvided = Boolean(\n // Minimal (env-shaped)\n toOptionalTrimmedString(c.THRESHOLD_ED25519_SHARE_MODE)\n \|\| toOptionalTrimmedString(c.THRESHOLD_ED25519_MASTER_SECRET_B64U)\n \|\| toOptionalTrimmedString(c.THRESHOLD_NODE_ROLE)\n \|\| toOptionalTrimmedString(c.THRESHOLD_COORDINATOR_SHARED_SECRET_B64U)\n \|\| toOptionalTrimmedString(c.THRESHOLD_ED25519_RELAYER_COSIGNERS)\n \|\| toOptionalTrimmedString(c.THRESHOLD_ED25519_RELAYER_COSIGNER_ID)\n \|\| toOptionalTrimmedString(c.THRESHOLD_ED25519_RELAYER_COSIGNER_T)\n \|\| toOptionalTrimmedString(c.THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID)\n \|\| toOptionalTrimmedString(c.THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID)\n \|\| toOptionalTrimmedString(c.THRESHOLD_ED25519_AUTH_PREFIX)\n \|\| toOptionalTrimmedString(c.THRESHOLD_ED25519_SESSION_PREFIX)\n \|\| toOptionalTrimmedString(c.THRESHOLD_ED25519_KEYSTORE_PREFIX)\n // Explicit store config (kind-shaped)\n \|\| toOptionalTrimmedString(c.kind)\n \|\| toOptionalTrimmedString(c.url)\n \|\| toOptionalTrimmedString(c.token)\n \|\| toOptionalTrimmedString(c.redisUrl)\n // Env-shaped store toggles\n \|\| toOptionalTrimmedString(c.UPSTASH_REDIS_REST_URL)\n \|\| toOptionalTrimmedString(c.UPSTASH_REDIS_REST_TOKEN)\n \|\| toOptionalTrimmedString(c.REDIS_URL),\n );\n if (!anyProvided) return undefined;\n return input;\n}\n\nexport function createAuthServiceConfig(input: AuthServiceConfigInput): AuthServiceConfig {\n const networkId = toTrimmedString(input.networkId) \|\| AUTH_SERVICE_CONFIG_DEFAULTS.networkId;\n const config: AuthServiceConfig = {\n relayerAccountId: toTrimmedString(input.relayerAccountId),\n relayerPrivateKey: toTrimmedString(input.relayerPrivateKey),\n webAuthnContractId: toTrimmedString(input.webAuthnContractId),\n nearRpcUrl: toTrimmedString(input.nearRpcUrl) \|\| defaultNearRpcUrl(networkId),\n networkId: networkId,\n accountInitialBalance: toTrimmedString(input.accountInitialBalance)\n \|\| AUTH_SERVICE_CONFIG_DEFAULTS.accountInitialBalance,\n createAccountAndRegisterGas: toTrimmedString(input.createAccountAndRegisterGas)\n \|\| AUTH_SERVICE_CONFIG_DEFAULTS.createAccountAndRegisterGas,\n shamir: normalizeShamirConfig(input.shamir),\n signerWasm: input.signerWasm,\n thresholdEd25519KeyStore: normalizeThresholdEd25519KeyStoreConfig(input.thresholdEd25519KeyStore),\n logger: input.logger,\n zkEmailProver: normalizeZkEmailProverConfig(input.zkEmailProver),\n };\n\n validateConfigs(config);\n return config;\n}\n\nexport function validateConfigs(config: AuthServiceConfig): void {\n\n const requiredTop = ['relayerAccountId','relayerPrivateKey','webAuthnContractId'] as const;\n for (const key of requiredTop) {\n if (!(config as any)[key]) throw new Error(`Missing required config variable: ${key}`);\n }\n\n // Shamir configuration is optional. If provided, validate required fields.\n const shamir = config.shamir;\n if (shamir) {\n if (!shamir.shamir_p_b64u) throw new Error('Missing required config variable: shamir.shamir_p_b64u');\n if (!shamir.shamir_e_s_b64u) throw new Error('Missing required config variable: shamir.shamir_e_s_b64u');\n if (!shamir.shamir_d_s_b64u) throw new Error('Missing required config variable: shamir.shamir_d_s_b64u');\n }\n\n // Validate private key format\n if (!config.relayerPrivateKey?.startsWith('ed25519:')) {\n throw new Error('Relayer private key must be in format \"ed25519:base58privatekey\"');\n }\n}\n\nexport function parseBool(v: unknown): boolean {\n const s = String(v ?? '').trim().toLowerCase();\n return s === '1' \|\| s === 'true' \|\| s === 'yes' \|\| s === 'on';\n}\n\nexport function requireEnvVar<T extends object, K extends keyof T & string>(env: T, name: K): string {\n const raw = (env as any)?.[name] as unknown;\n if (typeof raw !== 'string') throw new Error(`Missing required env var: ${name}`);\n const v = raw.trim();\n if (!v) throw new Error(`Missing required env var: ${name}`);\n return v;\n}\n"],"mappings":";;;AASA,MAAa,+BAA+B;CAG1C,mBAAmB;CACnB,mBAAmB;CACnB,WAAW;CAEX,uBAAuB;CAEvB,6BAA6B;;AAG/B,SAAS,kBAAkB,WAA2B;CACpD,MAAM,MAAM,OAAO,aAAa,IAAI,OAAO;AAC3C,KAAI,QAAQ,UAAW,QAAO,6BAA6B;AAC3D,QAAO,6BAA6B;;AAGtC,SAAS,6BACP,OACgD;AAChD,KAAI,CAAC,MAAO,QAAO;AAGnB,KAAI,OAAQ,MAAc,YAAY,UAAU;EAC9C,MAAMA,YAAU,wBAAyB,MAAc;AACvD,MAAI,CAACA,UAAS,QAAO;AACrB,SAAO;;CAIT,MAAM,WAAW;CACjB,MAAM,UAAU,wBAAwB,SAAS;CACjD,MAAM,eAAe,wBAAwB,SAAS;CAEtD,MAAM,cAAc,QAAQ,WAAW;AACvC,KAAI,CAAC,YAAa,QAAO;AACzB,KAAI,CAAC,QACH,OAAM,IAAI,MAAM;CAGlB,MAAM,YAAY,eAAe,OAAO,gBAAgB;AACxD,KAAI,iBAAiB,CAAC,OAAO,SAAS,cAAc,aAAc,GAChE,OAAM,IAAI,MAAM;AAGlB,QAAO;EACL;EACA;;;AAIJ,SAAS,sBAAsB,OAAkF;AAC/G,KAAI,CAAC,MAAO,QAAO;AAGnB,KAAI,OAAQ,MAAc,kBAAkB,UAAU;EACpD,MAAM,IAAI;EAEV,MAAMC,gBAAc,QAClB,wBAAwB,EAAE,kBAC1B,wBAAwB,EAAE,oBAC1B,wBAAwB,EAAE;AAE5B,MAAI,CAACA,cAAa,QAAO;AACzB,SAAO;;CAIT,MAAM,WAAW;CACjB,MAAM,IAAI,wBAAwB,SAAS;CAC3C,MAAM,IAAI,wBAAwB,SAAS;CAC3C,MAAM,IAAI,wBAAwB,SAAS;CAC3C,MAAM,eAAe,wBAAwB,SAAS;CAEtD,MAAM,cAAc,QAAQ,KAAK,KAAK,KAAK;AAC3C,KAAI,CAAC,YAAa,QAAO;AAEzB,KAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EACf,OAAM,IAAI,MAAM;CAGlB,MAAM,sBAEJ,SAAS,wBAAwB,SAC7B,SAAS,sBACR,gBAAgB;AAEvB,QAAO;EACL,eAAe;EACf,iBAAiB;EACjB,iBAAiB;EACjB,iBAAiB,SAAS;EAC1B;EACA,cAAc,SAAS;;;AAI3B,SAAS,wCACP,OAC2D;AAC3D,KAAI,CAAC,MAAO,QAAO;AACnB,KAAI,OAAO,UAAU,YAAY,MAAM,QAAQ,OAAQ,QAAO;CAE9D,MAAM,IAAI;CACV,MAAM,cAAc,QAElB,wBAAwB,EAAE,iCACvB,wBAAwB,EAAE,yCAC1B,wBAAwB,EAAE,wBAC1B,wBAAwB,EAAE,6CAC1B,wBAAwB,EAAE,wCAC1B,wBAAwB,EAAE,0CAC1B,wBAAwB,EAAE,yCAC1B,wBAAwB,EAAE,4CAC1B,wBAAwB,EAAE,6CAC1B,wBAAwB,EAAE,kCAC1B,wBAAwB,EAAE,qCAC1B,wBAAwB,EAAE,sCAE1B,wBAAwB,EAAE,SAC1B,wBAAwB,EAAE,QAC1B,wBAAwB,EAAE,UAC1B,wBAAwB,EAAE,aAE1B,wBAAwB,EAAE,2BAC1B,wBAAwB,EAAE,6BAC1B,wBAAwB,EAAE;AAE/B,KAAI,CAAC,YAAa,QAAO;AACzB,QAAO;;AAGT,SAAgB,wBAAwB,OAAkD;CACxF,MAAM,YAAY,gBAAgB,MAAM,cAAc,6BAA6B;CACnF,MAAMC,SAA4B;EAChC,kBAAkB,gBAAgB,MAAM;EACxC,mBAAmB,gBAAgB,MAAM;EACzC,oBAAoB,gBAAgB,MAAM;EAC1C,YAAY,gBAAgB,MAAM,eAAe,kBAAkB;EACxD;EACX,uBAAuB,gBAAgB,MAAM,0BACxC,6BAA6B;EAClC,6BAA6B,gBAAgB,MAAM,gCAC9C,6BAA6B;EAClC,QAAQ,sBAAsB,MAAM;EACpC,YAAY,MAAM;EAClB,0BAA0B,wCAAwC,MAAM;EACxE,QAAQ,MAAM;EACd,eAAe,6BAA6B,MAAM;;AAGpD,iBAAgB;AAChB,QAAO;;AAGT,SAAgB,gBAAgB,QAAiC;CAE/D,MAAM,cAAc;EAAC;EAAmB;EAAoB;;AAC5D,MAAK,MAAM,OAAO,YAChB,KAAI,CAAE,OAAe,KAAM,OAAM,IAAI,MAAM,qCAAqC;CAIlF,MAAM,SAAS,OAAO;AACtB,KAAI,QAAQ;AACV,MAAI,CAAC,OAAO,cAAe,OAAM,IAAI,MAAM;AAC3C,MAAI,CAAC,OAAO,gBAAiB,OAAM,IAAI,MAAM;AAC7C,MAAI,CAAC,OAAO,gBAAiB,OAAM,IAAI,MAAM;;AAI/C,KAAI,CAAC,OAAO,mBAAmB,WAAW,YACxC,OAAM,IAAI,MAAM;;AAIpB,SAAgB,UAAU,GAAqB;CAC7C,MAAM,IAAI,OAAO,KAAK,IAAI,OAAO;AACjC,QAAO,MAAM,OAAO,MAAM,UAAU,MAAM,SAAS,MAAM;;AAG3D,SAAgB,cAA4D,KAAQ,MAAiB;CACnG,MAAM,MAAO,MAAc;AAC3B,KAAI,OAAO,QAAQ,SAAU,OAAM,IAAI,MAAM,6BAA6B;CAC1E,MAAM,IAAI,IAAI;AACd,KAAI,CAAC,EAAG,OAAM,IAAI,MAAM,6BAA6B;AACrD,QAAO"}

package/dist/esm/server/core/errors.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { isObject, isString } from "../sdk/src/core/WalletIframe/validation.js";
+import { isObject, isString } from "../sdk/src/utils/validation.js";
 //#region src/server/core/errors.ts
 /**
@@ -38,6 +38,8 @@ function parseContractExecutionError(result, accountId) {
 						const balanceInfo = actionKind.LackBalanceForState;
 						return `Insufficient balance for account state: ${balanceInfo.account_id ?? accountId}`;
 					}
+					const executionError = actionKind?.FunctionCallError?.ExecutionError;
+					if (typeof executionError === "string" && executionError.includes("missing field `source`")) return "Contract input JSON is missing required field `source` (Outlayer `request_execution` expects `source`, not legacy `code_source`).";
 					return `Account creation failed: ${JSON.stringify(actionKind)}`;
 				}
 				return `Contract execution failed: ${JSON.stringify(failure)}`;

package/dist/esm/server/core/errors.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"errors.js","names":["failure: NearExecutionFailure","parseError: any"],"sources":["../../../../src/server/core/errors.ts"],"sourcesContent":["import type { FinalExecutionOutcome } from '@near-js/types';\nimport type { NearExecutionFailure, NearReceiptOutcomeWithId } from './types';\nimport { isObject, isString } from '~~../../core~~/~~WalletIframe/~~validation';\n\n/*\n Parse a NEAR FinalExecutionOutcome and surface a human-readable error\n * string when common contract/account failures are detected.\n \n This helper is intentionally conservative: it never throws, and returns\n * null when it cannot confidently extract a useful message.\n */\nexport function parseContractExecutionError(\n result: FinalExecutionOutcome,\n accountId: string,\n): string \| null {\n try {\n // Check main transaction status\n if (result.status && isObject(result.status) && 'Failure' in result.status) {\n console.log(`Transaction failed:`, (result.status as any).Failure);\n return `Transaction failed: ${JSON.stringify((result.status as any).Failure)}`;\n }\n\n // Check receipts for failures\n const receipts = (result.receipts_outcome \|\| []) as NearReceiptOutcomeWithId[];\n for (const receipt of receipts) {\n const status = receipt.outcome?.status;\n\n if ((status as any)?.Failure) {\n const failure: NearExecutionFailure = (status as any).Failure;\n console.log(`Receipt failure detected:`, failure);\n\n if (failure.ActionError?.kind) {\n const actionKind = failure.ActionError.kind;\n\n if ((actionKind as any).AccountAlreadyExists) {\n const info = (actionKind as any).AccountAlreadyExists;\n return `Account ${info.accountId ?? info.account_id ?? accountId} already exists on NEAR network`;\n }\n\n if ((actionKind as any).AccountDoesNotExist) {\n const info = (actionKind as any).AccountDoesNotExist;\n return `Referenced account ${info.account_id ?? accountId} does not exist`;\n }\n\n if ((actionKind as any).InsufficientStake) {\n const stakeInfo = (actionKind as any).InsufficientStake;\n return `Insufficient stake for account creation: ${stakeInfo.account_id ?? accountId}`;\n }\n\n if ((actionKind as any).LackBalanceForState) {\n const balanceInfo = (actionKind as any).LackBalanceForState;\n return `Insufficient balance for account state: ${balanceInfo.account_id ?? accountId}`;\n }\n\n return `Account creation failed: ${JSON.stringify(actionKind)}`;\n }\n\n return `Contract execution failed: ${JSON.stringify(failure)}`;\n }\n\n // Check logs for error keywords\n const logs = receipt.outcome?.logs \|\| [];\n for (const log of logs) {\n if (isString(log)) {\n if (log.includes('AccountAlreadyExists') \|\| log.includes('account already exists')) {\n return `Account ${accountId} already exists`;\n }\n if (log.includes('AccountDoesNotExist')) {\n return `Referenced account does not exist`;\n }\n if (log.includes('Cannot deserialize the contract state')) {\n return `Contract state deserialization failed. This may be due to a contract upgrade. Please try again or contact support.`;\n }\n if (log.includes('GuestPanic')) {\n return `Contract execution panic: ${log}`;\n }\n }\n }\n }\n\n return null;\n } catch (parseError: any) {\n console.warn(`Error parsing contract execution results:`, parseError);\n return null;\n }\n}\n"],"mappings":";;;;;;;;;;AAWA,SAAgB,4BACd,QACA,WACe;AACf,KAAI;AAEF,MAAI,OAAO,UAAU,SAAS,OAAO,WAAW,aAAa,OAAO,QAAQ;AAC1E,WAAQ,IAAI,uBAAwB,OAAO,OAAe;AAC1D,UAAO,uBAAuB,KAAK,UAAW,OAAO,OAAe;;EAItE,MAAM,WAAY,OAAO,oBAAoB;AAC7C,OAAK,MAAM,WAAW,UAAU;GAC9B,MAAM,SAAS,QAAQ,SAAS;AAEhC,OAAK,QAAgB,SAAS;IAC5B,MAAMA,UAAiC,OAAe;AACtD,YAAQ,IAAI,6BAA6B;AAEzC,QAAI,QAAQ,aAAa,MAAM;KAC7B,MAAM,aAAa,QAAQ,YAAY;AAEvC,SAAK,WAAmB,sBAAsB;MAC5C,MAAM,OAAQ,WAAmB;AACjC,aAAO,WAAW,KAAK,aAAa,KAAK,cAAc,UAAU;;AAGnE,SAAK,WAAmB,qBAAqB;MAC3C,MAAM,OAAQ,WAAmB;AACjC,aAAO,sBAAsB,KAAK,cAAc,UAAU;;AAG5D,SAAK,WAAmB,mBAAmB;MACzC,MAAM,YAAa,WAAmB;AACtC,aAAO,4CAA4C,UAAU,cAAc;;AAG7E,SAAK,WAAmB,qBAAqB;MAC3C,MAAM,cAAe,WAAmB;AACxC,aAAO,2CAA2C,YAAY,cAAc;;~~AAG9E~~,YAAO,4BAA4B,KAAK,UAAU;;AAGpD,WAAO,8BAA8B,KAAK,UAAU;;GAItD,MAAM,OAAO,QAAQ,SAAS,QAAQ;AACtC,QAAK,MAAM,OAAO,KAChB,KAAI,SAAS,MAAM;AACjB,QAAI,IAAI,SAAS,2BAA2B,IAAI,SAAS,0BACvD,QAAO,WAAW,UAAU;AAE9B,QAAI,IAAI,SAAS,uBACf,QAAO;AAET,QAAI,IAAI,SAAS,yCACf,QAAO;AAET,QAAI,IAAI,SAAS,cACf,QAAO,6BAA6B;;;AAM5C,SAAO;UACAC,YAAiB;AACxB,UAAQ,KAAK,6CAA6C;AAC1D,SAAO"}
1	+ {"version":3,"file":"errors.js","names":["failure: NearExecutionFailure","parseError: any"],"sources":["../../../../src/server/core/errors.ts"],"sourcesContent":["import type { FinalExecutionOutcome } from '@near-js/types';\nimport type { NearExecutionFailure, NearReceiptOutcomeWithId } from './types';\nimport { isObject, isString } from '@/utils/validation';\n\n/*\n Parse a NEAR FinalExecutionOutcome and surface a human-readable error\n * string when common contract/account failures are detected.\n \n This helper is intentionally conservative: it never throws, and returns\n * null when it cannot confidently extract a useful message.\n */\nexport function parseContractExecutionError(\n result: FinalExecutionOutcome,\n accountId: string,\n): string \| null {\n try {\n // Check main transaction status\n if (result.status && isObject(result.status) && 'Failure' in result.status) {\n console.log(`Transaction failed:`, (result.status as any).Failure);\n return `Transaction failed: ${JSON.stringify((result.status as any).Failure)}`;\n }\n\n // Check receipts for failures\n const receipts = (result.receipts_outcome \|\| []) as NearReceiptOutcomeWithId[];\n for (const receipt of receipts) {\n const status = receipt.outcome?.status;\n\n if ((status as any)?.Failure) {\n const failure: NearExecutionFailure = (status as any).Failure;\n console.log(`Receipt failure detected:`, failure);\n\n if (failure.ActionError?.kind) {\n const actionKind = failure.ActionError.kind;\n\n if ((actionKind as any).AccountAlreadyExists) {\n const info = (actionKind as any).AccountAlreadyExists;\n return `Account ${info.accountId ?? info.account_id ?? accountId} already exists on NEAR network`;\n }\n\n if ((actionKind as any).AccountDoesNotExist) {\n const info = (actionKind as any).AccountDoesNotExist;\n return `Referenced account ${info.account_id ?? accountId} does not exist`;\n }\n\n if ((actionKind as any).InsufficientStake) {\n const stakeInfo = (actionKind as any).InsufficientStake;\n return `Insufficient stake for account creation: ${stakeInfo.account_id ?? accountId}`;\n }\n\n if ((actionKind as any).LackBalanceForState) {\n const balanceInfo = (actionKind as any).LackBalanceForState;\n return `Insufficient balance for account state: ${balanceInfo.account_id ?? accountId}`;\n }\n\n // Common integration issue: Outlayer changed `request_execution` arg name from `code_source` → `source`.\n const executionError = (actionKind as any)?.FunctionCallError?.ExecutionError;\n if (typeof executionError === 'string' && executionError.includes('missing field `source`')) {\n return 'Contract input JSON is missing required field `source` (Outlayer `request_execution` expects `source`, not legacy `code_source`).';\n }\n\n return `Account creation failed: ${JSON.stringify(actionKind)}`;\n }\n\n return `Contract execution failed: ${JSON.stringify(failure)}`;\n }\n\n // Check logs for error keywords\n const logs = receipt.outcome?.logs \|\| [];\n for (const log of logs) {\n if (isString(log)) {\n if (log.includes('AccountAlreadyExists') \|\| log.includes('account already exists')) {\n return `Account ${accountId} already exists`;\n }\n if (log.includes('AccountDoesNotExist')) {\n return `Referenced account does not exist`;\n }\n if (log.includes('Cannot deserialize the contract state')) {\n return `Contract state deserialization failed. This may be due to a contract upgrade. Please try again or contact support.`;\n }\n if (log.includes('GuestPanic')) {\n return `Contract execution panic: ${log}`;\n }\n }\n }\n }\n\n return null;\n } catch (parseError: any) {\n console.warn(`Error parsing contract execution results:`, parseError);\n return null;\n }\n}\n"],"mappings":";;;;;;;;;;AAWA,SAAgB,4BACd,QACA,WACe;AACf,KAAI;AAEF,MAAI,OAAO,UAAU,SAAS,OAAO,WAAW,aAAa,OAAO,QAAQ;AAC1E,WAAQ,IAAI,uBAAwB,OAAO,OAAe;AAC1D,UAAO,uBAAuB,KAAK,UAAW,OAAO,OAAe;;EAItE,MAAM,WAAY,OAAO,oBAAoB;AAC7C,OAAK,MAAM,WAAW,UAAU;GAC9B,MAAM,SAAS,QAAQ,SAAS;AAEhC,OAAK,QAAgB,SAAS;IAC5B,MAAMA,UAAiC,OAAe;AACtD,YAAQ,IAAI,6BAA6B;AAEzC,QAAI,QAAQ,aAAa,MAAM;KAC7B,MAAM,aAAa,QAAQ,YAAY;AAEvC,SAAK,WAAmB,sBAAsB;MAC5C,MAAM,OAAQ,WAAmB;AACjC,aAAO,WAAW,KAAK,aAAa,KAAK,cAAc,UAAU;;AAGnE,SAAK,WAAmB,qBAAqB;MAC3C,MAAM,OAAQ,WAAmB;AACjC,aAAO,sBAAsB,KAAK,cAAc,UAAU;;AAG5D,SAAK,WAAmB,mBAAmB;MACzC,MAAM,YAAa,WAAmB;AACtC,aAAO,4CAA4C,UAAU,cAAc;;AAG7E,SAAK,WAAmB,qBAAqB;MAC3C,MAAM,cAAe,WAAmB;AACxC,aAAO,2CAA2C,YAAY,cAAc;;KAI9E,MAAM,iBAAkB,YAAoB,mBAAmB;AAC/D,SAAI,OAAO,mBAAmB,YAAY,eAAe,SAAS,0BAChE,QAAO;AAGT,YAAO,4BAA4B,KAAK,UAAU;;AAGpD,WAAO,8BAA8B,KAAK,UAAU;;GAItD,MAAM,OAAO,QAAQ,SAAS,QAAQ;AACtC,QAAK,MAAM,OAAO,KAChB,KAAI,SAAS,MAAM;AACjB,QAAI,IAAI,SAAS,2BAA2B,IAAI,SAAS,0BACvD,QAAO,WAAW,UAAU;AAE9B,QAAI,IAAI,SAAS,uBACf,QAAO;AAET,QAAI,IAAI,SAAS,yCACf,QAAO;AAET,QAAI,IAAI,SAAS,cACf,QAAO,6BAA6B;;;AAM5C,SAAO;UACAC,YAAiB;AACxB,UAAQ,KAAK,6CAA6C;AAC1D,SAAO"}

package/dist/esm/server/core/logger.js CHANGED Viewed

@@ -32,7 +32,8 @@ function normalizeLogger(logger) {
 		error: safe(error)
 	};
 }
+const coerceLogger = normalizeLogger;
 //#endregion
-export { normalizeLogger };
+export { coerceLogger };
 //# sourceMappingURL=logger.js.map

package/dist/esm/server/core/logger.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"logger.js","names":["base: Logger"],"sources":["../../../../src/server/core/logger.ts"],"sourcesContent":["export type Logger = {\n debug?: (...args: unknown[]) => void;\n info?: (...args: unknown[]) => void;\n warn?: (...args: unknown[]) => void;\n error?: (...args: unknown[]) => void;\n log?: (...args: unknown[]) => void;\n};\n\nexport type NormalizedLogger = {\n debug: (...args: unknown[]) => void;\n info: (...args: unknown[]) => void;\n warn: (...args: unknown[]) => void;\n error: (...args: unknown[]) => void;\n};\n\nfunction safe(fn?: (...args: unknown[]) => void): (...args: unknown[]) => void {\n if (!fn) return () => {};\n return (...args: unknown[]) => {\n try {\n fn(...args);\n } catch {\n // Never allow logging to break request handling.\n }\n };\n}\n\n/*\n Library code should never call `console.` directly; the host decides where logs go.\n - Default: no logs\n * - To enable: pass `logger: console` (or a structured logger) to the host config.\n */\nexport function normalizeLogger(logger?: Logger \| null): NormalizedLogger {\n if (!logger) {\n return { debug: () => {}, info: () => {}, warn: () => {}, error: () => {} };\n }\n\n const base: Logger = logger;\n const log = typeof base.log === 'function' ? base.log.bind(base) : undefined;\n\n const debug = (typeof base.debug === 'function' ? base.debug.bind(base) : log);\n const info = (typeof base.info === 'function' ? base.info.bind(base) : log);\n const warn = (typeof base.warn === 'function' ? base.warn.bind(base) : log);\n const error = (typeof base.error === 'function' ? base.error.bind(base) : log);\n\n return {\n debug: safe(debug),\n info: safe(info),\n warn: safe(warn),\n error: safe(error),\n };\n}\n\n"],"mappings":";AAeA,SAAS,KAAK,IAAiE;AAC7E,KAAI,CAAC,GAAI,cAAa;AACtB,SAAQ,GAAG,SAAoB;AAC7B,MAAI;AACF,MAAG,GAAG;UACA;;;;;;;;AAWZ,SAAgB,gBAAgB,QAA0C;AACxE,KAAI,CAAC,OACH,QAAO;EAAE,aAAa;EAAI,YAAY;EAAI,YAAY;EAAI,aAAa;;CAGzE,MAAMA,OAAe;CACrB,MAAM,MAAM,OAAO,KAAK,QAAQ,aAAa,KAAK,IAAI,KAAK,QAAQ;CAEnE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;CAC1E,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;AAE1E,QAAO;EACL,OAAO,KAAK;EACZ,MAAM,KAAK;EACX,MAAM,KAAK;EACX,OAAO,KAAK"}
1	+ {"version":3,"file":"logger.js","names":["base: Logger"],"sources":["../../../../src/server/core/logger.ts"],"sourcesContent":["export type Logger = {\n debug?: (...args: unknown[]) => void;\n info?: (...args: unknown[]) => void;\n warn?: (...args: unknown[]) => void;\n error?: (...args: unknown[]) => void;\n log?: (...args: unknown[]) => void;\n};\n\nexport type NormalizedLogger = {\n debug: (...args: unknown[]) => void;\n info: (...args: unknown[]) => void;\n warn: (...args: unknown[]) => void;\n error: (...args: unknown[]) => void;\n};\n\nfunction safe(fn?: (...args: unknown[]) => void): (...args: unknown[]) => void {\n if (!fn) return () => {};\n return (...args: unknown[]) => {\n try {\n fn(...args);\n } catch {\n // Never allow logging to break request handling.\n }\n };\n}\n\n/*\n Library code should never call `console.` directly; the host decides where logs go.\n - Default: no logs\n * - To enable: pass `logger: console` (or a structured logger) to the host config.\n */\nexport function normalizeLogger(logger?: Logger \| null): NormalizedLogger {\n if (!logger) {\n return { debug: () => {}, info: () => {}, warn: () => {}, error: () => {} };\n }\n\n const base: Logger = logger;\n const log = typeof base.log === 'function' ? base.log.bind(base) : undefined;\n\n const debug = (typeof base.debug === 'function' ? base.debug.bind(base) : log);\n const info = (typeof base.info === 'function' ? base.info.bind(base) : log);\n const warn = (typeof base.warn === 'function' ? base.warn.bind(base) : log);\n const error = (typeof base.error === 'function' ? base.error.bind(base) : log);\n\n return {\n debug: safe(debug),\n info: safe(info),\n warn: safe(warn),\n error: safe(error),\n };\n}\n\nexport const coerceLogger = normalizeLogger;\n"],"mappings":";AAeA,SAAS,KAAK,IAAiE;AAC7E,KAAI,CAAC,GAAI,cAAa;AACtB,SAAQ,GAAG,SAAoB;AAC7B,MAAI;AACF,MAAG,GAAG;UACA;;;;;;;;AAWZ,SAAgB,gBAAgB,QAA0C;AACxE,KAAI,CAAC,OACH,QAAO;EAAE,aAAa;EAAI,YAAY;EAAI,YAAY;EAAI,aAAa;;CAGzE,MAAMA,OAAe;CACrB,MAAM,MAAM,OAAO,KAAK,QAAQ,aAAa,KAAK,IAAI,KAAK,QAAQ;CAEnE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;CAC1E,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;AAE1E,QAAO;EACL,OAAO,KAAK;EACZ,MAAM,KAAK;EACX,MAAM,KAAK;EACX,OAAO,KAAK;;;AAIhB,MAAa,eAAe"}

package/dist/esm/server/core/nearKeys.js ADDED Viewed

@@ -0,0 +1,13 @@
+import { stripEd25519Prefix, toPublicKeyString } from "../sdk/src/core/nearCrypto.js";
+import bs58 from "bs58";
+//#region src/server/core/nearKeys.ts
+function toPublicKeyStringFromSecretKey(secretKey) {
+	const bytes = bs58.decode(stripEd25519Prefix(secretKey));
+	if (bytes.length !== 64) throw new Error(`Invalid NEAR secret key length: ${bytes.length}`);
+	return toPublicKeyString(bytes.subarray(32, 64));
+}
+//#endregion
+export { toPublicKeyStringFromSecretKey };
+//# sourceMappingURL=nearKeys.js.map

package/dist/esm/server/core/nearKeys.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"nearKeys.js","names":[],"sources":["../../../../src/server/core/nearKeys.ts"],"sourcesContent":["import bs58 from 'bs58';\n\nimport { stripEd25519Prefix, toPublicKeyString } from '../../core/nearCrypto';\n\nexport function toPublicKeyStringFromSecretKey(secretKey: string): string {\n const bytes = bs58.decode(stripEd25519Prefix(secretKey));\n if (bytes.length !== 64) {\n throw new Error(`Invalid NEAR secret key length: ${bytes.length}`);\n }\n return toPublicKeyString(bytes.subarray(32, 64));\n}\n"],"mappings":";;;;AAIA,SAAgB,+BAA+B,WAA2B;CACxE,MAAM,QAAQ,KAAK,OAAO,mBAAmB;AAC7C,KAAI,MAAM,WAAW,GACnB,OAAM,IAAI,MAAM,mCAAmC,MAAM;AAE3D,QAAO,kBAAkB,MAAM,SAAS,IAAI"}

package/dist/esm/server/core/shamirHandlers.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { isString } from "../sdk/src/core/WalletIframe/validation.js";
+import { isString } from "../sdk/src/utils/validation.js";
 //#region src/server/core/shamirHandlers.ts
 async function handleApplyServerLock(service, request) {

package/dist/esm/server/core/shamirHandlers.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"shamirHandlers.js","names":["out: ShamirApplyServerLockResponse","e: any","out: ShamirRemoveServerLockResponse"],"sources":["../../../../src/server/core/shamirHandlers.ts"],"sourcesContent":["import type {\n ShamirApplyServerLockRequest,\n ShamirApplyServerLockResponse,\n ShamirRemoveServerLockRequest,\n ShamirRemoveServerLockResponse,\n} from './types';\nimport type { ShamirService } from './ShamirService';\nimport { isString } from '~~../../core~~/~~WalletIframe/~~validation';\n\nexport async function handleApplyServerLock(\n service: ShamirService,\n request: { body?: { kek_c_b64u?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const kek_c_b64u = request.body?.kek_c_b64u;\n if (!isString(kek_c_b64u) \|\| !kek_c_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_c_b64u required and must be a non-empty string' }),\n };\n }\n\n const out: ShamirApplyServerLockResponse = await service.applyServerLock(kek_c_b64u);\n const keyId = service.getCurrentShamirKeyId();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ ...out, keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveServerLock(\n service: ShamirService,\n request: { body?: { kek_cs_b64u?: string; keyId?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const body = request.body;\n if (!body) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'Missing body' }),\n };\n }\n const { kek_cs_b64u, keyId } = body;\n if (!isString(kek_cs_b64u) \|\| !kek_cs_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_cs_b64u required and must be a non-empty string' }),\n };\n }\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const providedKeyId = String(keyId);\n const currentKeyId = service.getCurrentShamirKeyId();\n let out: ShamirRemoveServerLockResponse;\n\n if (currentKeyId && providedKeyId === currentKeyId) {\n out = await service.removeServerLock(kek_cs_b64u);\n } else if (service.hasGraceKey(providedKeyId)) {\n out = await service.removeGraceServerLockWithKey(providedKeyId, { kek_cs_b64u } as ShamirRemoveServerLockRequest);\n } else {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'unknown keyId' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(out),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleGetShamirKeyInfo(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureReady();\n const currentKeyId = service.getCurrentShamirKeyId();\n const graceKeyIds = service.getGraceKeyIds();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n currentKeyId,\n p_b64u: service.getShamirConfig()?.shamir_p_b64u ?? null,\n graceKeyIds,\n }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleListGraceKeys(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureGraceKeysLoaded();\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ graceKeyIds: service.getGraceKeyIds() }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleAddGraceKey(\n service: ShamirService,\n request: { e_s_b64u?: string; d_s_b64u?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const { e_s_b64u, d_s_b64u } = request \|\| ({} as any);\n if (!isString(e_s_b64u) \|\| !e_s_b64u \|\| !isString(d_s_b64u) \|\| !d_s_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'e_s_b64u and d_s_b64u required' }),\n };\n }\n\n await service.ensureGraceKeysLoaded();\n const added = await service.addGraceKeyInternal({ e_s_b64u, d_s_b64u }, { persist: true, skipIfExists: true });\n if (!added) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'failed to add grace key' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ keyId: added.keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveGraceKey(\n service: ShamirService,\n request: { keyId?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const keyId = request?.keyId;\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const removed = await service.removeGraceKeyInternal(keyId, { persist: true });\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ removed }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n"],"mappings":";;;AASA,eAAsB,sBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,aAAa,QAAQ,MAAM;AACjC,MAAI,CAAC,SAAS,eAAe,CAAC,WAC5B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAMA,MAAqC,MAAM,QAAQ,gBAAgB;EACzE,MAAM,QAAQ,QAAQ;AAEtB,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,GAAG;IAAK;;;UAE1BC,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,KACH,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAGlC,MAAM,EAAE,aAAa,UAAU;AAC/B,MAAI,CAAC,SAAS,gBAAgB,CAAC,YAC7B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAGlC,MAAI,CAAC,SAAS,UAAU,CAAC,MACvB,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAM,gBAAgB,OAAO;EAC7B,MAAM,eAAe,QAAQ;EAC7B,IAAIC;AAEJ,MAAI,gBAAgB,kBAAkB,aACpC,OAAM,MAAM,QAAQ,iBAAiB;WAC5B,QAAQ,YAAY,eAC7B,OAAM,MAAM,QAAQ,6BAA6B,eAAe,EAAE;MAElE,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAIlC,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;;UAEhBD,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SAC4E;AAC5E,KAAI;AACF,QAAM,QAAQ;EACd,MAAM,eAAe,QAAQ;EAC7B,MAAM,cAAc,QAAQ;AAE5B,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IACnB;IACA,QAAQ,QAAQ,mBAAmB,iBAAiB;IACpD;;;UAGGA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,oBACpB,SAC4E;AAC5E,KAAI;AACF,QAAM,QAAQ;AACd,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,aAAa,QAAQ;;UAEvCA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,kBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,EAAE,UAAU,aAAa,WAAY;AAC3C,MAAI,CAAC,SAAS,aAAa,CAAC,YAAY,CAAC,SAAS,aAAa,CAAC,SAC9D,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAIlC,QAAM,QAAQ;EACd,MAAM,QAAQ,MAAM,QAAQ,oBAAoB;GAAE;GAAU;KAAY;GAAE,SAAS;GAAM,cAAc;;AACvG,MAAI,CAAC,MACH,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAIlC,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO,MAAM;;UAE/BA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,qBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,QAAQ,SAAS;AACvB,MAAI,CAAC,SAAS,UAAU,CAAC,MACvB,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAM,UAAU,MAAM,QAAQ,uBAAuB,OAAO,EAAE,SAAS;AACvE,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE;;UAElBA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG"}
1	+ {"version":3,"file":"shamirHandlers.js","names":["out: ShamirApplyServerLockResponse","e: any","out: ShamirRemoveServerLockResponse"],"sources":["../../../../src/server/core/shamirHandlers.ts"],"sourcesContent":["import type {\n ShamirApplyServerLockRequest,\n ShamirApplyServerLockResponse,\n ShamirRemoveServerLockRequest,\n ShamirRemoveServerLockResponse,\n} from './types';\nimport type { ShamirService } from './ShamirService';\nimport { isString } from '@/utils/validation';\n\nexport async function handleApplyServerLock(\n service: ShamirService,\n request: { body?: { kek_c_b64u?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const kek_c_b64u = request.body?.kek_c_b64u;\n if (!isString(kek_c_b64u) \|\| !kek_c_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_c_b64u required and must be a non-empty string' }),\n };\n }\n\n const out: ShamirApplyServerLockResponse = await service.applyServerLock(kek_c_b64u);\n const keyId = service.getCurrentShamirKeyId();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ ...out, keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveServerLock(\n service: ShamirService,\n request: { body?: { kek_cs_b64u?: string; keyId?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const body = request.body;\n if (!body) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'Missing body' }),\n };\n }\n const { kek_cs_b64u, keyId } = body;\n if (!isString(kek_cs_b64u) \|\| !kek_cs_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_cs_b64u required and must be a non-empty string' }),\n };\n }\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const providedKeyId = String(keyId);\n const currentKeyId = service.getCurrentShamirKeyId();\n let out: ShamirRemoveServerLockResponse;\n\n if (currentKeyId && providedKeyId === currentKeyId) {\n out = await service.removeServerLock(kek_cs_b64u);\n } else if (service.hasGraceKey(providedKeyId)) {\n out = await service.removeGraceServerLockWithKey(providedKeyId, { kek_cs_b64u } as ShamirRemoveServerLockRequest);\n } else {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'unknown keyId' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(out),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleGetShamirKeyInfo(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureReady();\n const currentKeyId = service.getCurrentShamirKeyId();\n const graceKeyIds = service.getGraceKeyIds();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n currentKeyId,\n p_b64u: service.getShamirConfig()?.shamir_p_b64u ?? null,\n graceKeyIds,\n }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleListGraceKeys(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureGraceKeysLoaded();\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ graceKeyIds: service.getGraceKeyIds() }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleAddGraceKey(\n service: ShamirService,\n request: { e_s_b64u?: string; d_s_b64u?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const { e_s_b64u, d_s_b64u } = request \|\| ({} as any);\n if (!isString(e_s_b64u) \|\| !e_s_b64u \|\| !isString(d_s_b64u) \|\| !d_s_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'e_s_b64u and d_s_b64u required' }),\n };\n }\n\n await service.ensureGraceKeysLoaded();\n const added = await service.addGraceKeyInternal({ e_s_b64u, d_s_b64u }, { persist: true, skipIfExists: true });\n if (!added) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'failed to add grace key' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ keyId: added.keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveGraceKey(\n service: ShamirService,\n request: { keyId?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const keyId = request?.keyId;\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const removed = await service.removeGraceKeyInternal(keyId, { persist: true });\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ removed }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n"],"mappings":";;;AASA,eAAsB,sBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,aAAa,QAAQ,MAAM;AACjC,MAAI,CAAC,SAAS,eAAe,CAAC,WAC5B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAMA,MAAqC,MAAM,QAAQ,gBAAgB;EACzE,MAAM,QAAQ,QAAQ;AAEtB,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,GAAG;IAAK;;;UAE1BC,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,KACH,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAGlC,MAAM,EAAE,aAAa,UAAU;AAC/B,MAAI,CAAC,SAAS,gBAAgB,CAAC,YAC7B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAGlC,MAAI,CAAC,SAAS,UAAU,CAAC,MACvB,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAM,gBAAgB,OAAO;EAC7B,MAAM,eAAe,QAAQ;EAC7B,IAAIC;AAEJ,MAAI,gBAAgB,kBAAkB,aACpC,OAAM,MAAM,QAAQ,iBAAiB;WAC5B,QAAQ,YAAY,eAC7B,OAAM,MAAM,QAAQ,6BAA6B,eAAe,EAAE;MAElE,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAIlC,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;;UAEhBD,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SAC4E;AAC5E,KAAI;AACF,QAAM,QAAQ;EACd,MAAM,eAAe,QAAQ;EAC7B,MAAM,cAAc,QAAQ;AAE5B,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IACnB;IACA,QAAQ,QAAQ,mBAAmB,iBAAiB;IACpD;;;UAGGA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,oBACpB,SAC4E;AAC5E,KAAI;AACF,QAAM,QAAQ;AACd,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,aAAa,QAAQ;;UAEvCA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,kBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,EAAE,UAAU,aAAa,WAAY;AAC3C,MAAI,CAAC,SAAS,aAAa,CAAC,YAAY,CAAC,SAAS,aAAa,CAAC,SAC9D,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAIlC,QAAM,QAAQ;EACd,MAAM,QAAQ,MAAM,QAAQ,oBAAoB;GAAE;GAAU;KAAY;GAAE,SAAS;GAAM,cAAc;;AACvG,MAAI,CAAC,MACH,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAIlC,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO,MAAM;;UAE/BA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,qBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,QAAQ,SAAS;AACvB,MAAI,CAAC,SAAS,UAAU,CAAC,MACvB,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAM,UAAU,MAAM,QAAQ,uBAAuB,OAAO,EAAE,SAAS;AACvE,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE;;UAElBA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG"}

package/dist/esm/server/core/shamirWorker.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { base64UrlDecode, base64UrlEncode } from "../sdk/src/utils/base64.js";
 import { createWasmLoader, isNodeEnvironment } from "./wasm-loader.js";
 import initWasm, { SHAMIR_P_B64U, configure_shamir_p, get_shamir_p_b64u, handle_message } from "../../wasm_vrf_worker/pkg/wasm_vrf_worker.js";
@@ -5,6 +6,8 @@ import initWasm, { SHAMIR_P_B64U, configure_shamir_p, get_shamir_p_b64u, handle_
 let wasmInitialized = false;
 let wasmModuleOverride = null;
 let wasmInitPromise = null;
+const SHAMIR_REJECTION_SAMPLING_MAX_ATTEMPTS = 10;
+const SHAMIR_RANDOM_BYTES_OVERHEAD = 64;
 function setShamirWasmModuleOverride(supplier) {
 	wasmModuleOverride = supplier;
 	wasmInitialized = false;
@@ -34,6 +37,68 @@ const vrfWasmLoader = createWasmLoader(initWasm, {
 	baseUrl: import.meta.url,
 	fallbackUrls: getVrfWasmUrls()
 });
+function bigintFromBytesBE(bytes) {
+	let out = 0n;
+	for (const b of bytes) out = out << 8n | BigInt(b);
+	return out;
+}
+function bigintToBytesBE(x) {
+	if (x < 0n) throw new Error("bigintToBytesBE: negative input");
+	if (x === 0n) return new Uint8Array([]);
+	const bytes = [];
+	let v = x;
+	while (v > 0n) {
+		bytes.push(Number(v & 255n));
+		v >>= 8n;
+	}
+	bytes.reverse();
+	return new Uint8Array(bytes);
+}
+function bitLengthBigint(x) {
+	if (x <= 0n) return 0;
+	return x.toString(2).length;
+}
+function gcdBigint(a, b) {
+	let x = a < 0n ? -a : a;
+	let y = b < 0n ? -b : b;
+	while (y !== 0n) {
+		const t = x % y;
+		x = y;
+		y = t;
+	}
+	return x;
+}
+function modInvBigint(a, m) {
+	let t = 0n;
+	let newT = 1n;
+	let r = m;
+	let newR = a % m;
+	while (newR !== 0n) {
+		const q = r / newR;
+		[t, newT] = [newT, t - q * newT];
+		[r, newR] = [newR, r - q * newR];
+	}
+	if (r !== 1n) return null;
+	const inv = t % m;
+	return inv >= 0n ? inv : inv + m;
+}
+async function getSecureRandomBytes(byteLength) {
+	const out = new Uint8Array(byteLength);
+	const cryptoObj = globalThis.crypto;
+	if (cryptoObj && typeof cryptoObj.getRandomValues === "function") {
+		cryptoObj.getRandomValues(out);
+		return out;
+	}
+	if (isNodeEnvironment()) {
+		const nodeCrypto = await import("node:crypto");
+		if (typeof nodeCrypto.randomFillSync === "function") {
+			nodeCrypto.randomFillSync(out);
+			return out;
+		}
+		if (typeof nodeCrypto.randomBytes === "function") return new Uint8Array(nodeCrypto.randomBytes(byteLength));
+	}
+	throw new Error("Secure random generator unavailable");
+}
 /**
 * Ensure Shamir WASM module is initialized
 *
@@ -86,6 +151,35 @@ var Shamir3PassUtils = class {
 		return { p_b64u: this.p_b64u };
 	}
 	async generateServerKeypair() {
+		if (!this.p_b64u) await this.initialize();
+		else try {
+			await ensureWasmInitialized();
+			await configure_shamir_p(this.p_b64u);
+		} catch {}
+		const pBytes = base64UrlDecode(this.p_b64u);
+		const p = bigintFromBytesBE(pBytes);
+		if (p <= 3n) throw new Error("Invalid Shamir prime p");
+		const pMinus1 = p - 1n;
+		const maxK = p - 2n;
+		const pBits = bitLengthBigint(p);
+		const minK = pBits >= 1024 ? 1n << 64n : 1n << 32n;
+		const range = maxK - minK;
+		if (range <= 0n) throw new Error("Shamir prime too small for key generation");
+		const bytesNeeded = Math.ceil(bitLengthBigint(range) / 8) + SHAMIR_RANDOM_BYTES_OVERHEAD;
+		for (let attempt = 0; attempt < SHAMIR_REJECTION_SAMPLING_MAX_ATTEMPTS; attempt += 1) {
+			const buf = await getSecureRandomBytes(bytesNeeded);
+			const candidate = bigintFromBytesBE(buf) % range;
+			const e = minK + candidate;
+			if (gcdBigint(e, pMinus1) !== 1n) continue;
+			const d = modInvBigint(e, pMinus1);
+			if (!d) continue;
+			const e_s_b64u = base64UrlEncode(bigintToBytesBE(e));
+			const d_s_b64u = base64UrlEncode(bigintToBytesBE(d));
+			return {
+				e_s_b64u,
+				d_s_b64u
+			};
+		}
 		await ensureWasmInitialized();
 		const msg = {
 			type: "SHAMIR3PASS_GENERATE_SERVER_KEYPAIR",

package/dist/esm/server/core/shamirWorker.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"shamirWorker.js","names":["wasmModuleOverride: ShamirWasmModuleSupplier \| null","wasmInitPromise: Promise<void> \| null","msg: VRFWorkerMessage<Shamir3PassGenerateServerKeypairRequest>","wasmHandleMessage","msg: VRFWorkerMessage<ShamirApplyServerLockRequest>","msg: VRFWorkerMessage<ShamirRemoveServerLockRequest>"],"sources":["../../../../src/server/core/shamirWorker.ts"],"sourcesContent":["// Server-side and Worker-compatible Shamir 3-pass exponent helpers.\n// Implements modular exponentiation over a shared safe prime p.\n// Avoids Node-only imports at module scope so this file can be bundled for\n// Cloudflare Workers without requiring Node built-ins.\n// @ts-ignore - WASM imports\nimport initWasm, {\n handle_message as wasmHandleMessage,\n configure_shamir_p,\n get_shamir_p_b64u,\n SHAMIR_P_B64U,\n type InitInput,\n} from '../../wasm_vrf_worker/pkg/wasm_vrf_worker.js';\nimport {\n VRFWorkerMessage,\n WasmVrfWorkerRequestType,\n ShamirApplyServerLockRequest,\n ShamirApplyServerLockResponse,\n ShamirRemoveServerLockRequest,\n ShamirRemoveServerLockResponse,\n Shamir3PassGenerateServerKeypairRequest,\n type ShamirWasmModuleSupplier,\n} from './types.js';\nimport { createWasmLoader, isNodeEnvironment } from './wasm-loader.js';\n\nexport { SHAMIR_P_B64U, get_shamir_p_b64u };\n\nlet wasmInitialized = false;\nlet wasmModuleOverride: ShamirWasmModuleSupplier \| null = null;\nlet wasmInitPromise: Promise<void> \| null = null;\n\nexport function setShamirWasmModuleOverride(\n supplier: ShamirWasmModuleSupplier \| null\n): void {\n wasmModuleOverride = supplier;\n wasmInitialized = false;\n wasmInitPromise = null;\n}\n\nfunction simpleHash32(str: string): string {\n let h = 0x811c9dc5; // FNV-1a\n for (let i = 0; i < str.length; i++) {\n h ^= str.charCodeAt(i);\n h = Math.imul(h, 0x01000193);\n }\n // Return hex string\n return ('00000000' + (h >>> 0).toString(16)).slice(-8);\n}\n\nconst VRF_WASM_MAIN_PATH = '../../wasm_vrf_worker/pkg/wasm_vrf_worker_bg.wasm';\nconst VRF_WASM_FALLBACK_PATH = '../../../workers/wasm_vrf_worker_bg.wasm';\n\nfunction getVrfWasmUrls(): URL[] {\n // Only construct filesystem/URL fallbacks in Node.js.\n // Cloudflare Workers cannot safely use import.meta.url as a base URL.\n if (!isNodeEnvironment()) {\n return [];\n }\n\n try {\n return [\n new URL(VRF_WASM_MAIN_PATH, import.meta.url),\n new URL(VRF_WASM_FALLBACK_PATH, import.meta.url),\n ];\n } catch (err) {\n console.warn(\n '[ShamirWasmInit] Failed to construct VRF WASM URLs from import.meta.url:',\n (err as Error)?.message \|\| err\n );\n return [];\n }\n}\n\nconst vrfWasmLoader = createWasmLoader(initWasm, {\n logPrefix: 'ShamirWasmInit',\n baseUrl: import.meta.url,\n fallbackUrls: getVrfWasmUrls(),\n});\n\n/*\n Ensure Shamir WASM module is initialized\n \n Priority order:\n * 1. Explicit override (required for Cloudflare Workers)\n * 2. Node.js filesystem (development)\n * 3. URL-based loading (browsers, Node.js)\n */\nasync function ensureWasmInitialized(): Promise<void> {\n if (wasmInitialized) {\n return;\n }\n\n if (wasmInitPromise) {\n await wasmInitPromise;\n return;\n }\n\n wasmInitPromise = (async () => {\n await vrfWasmLoader.load(wasmModuleOverride ?? undefined);\n wasmInitialized = true;\n })();\n\n try {\n await wasmInitPromise;\n } finally {\n wasmInitPromise = null;\n }\n}\n\nexport class Shamir3PassUtils {\n private p_b64u: string;\n private e_s_b64u: string;\n private d_s_b64u: string;\n\n constructor(opts: {\n p_b64u?: string;\n e_s_b64u?: string;\n d_s_b64u?: string;\n }) {\n this.p_b64u = opts.p_b64u ?? '';\n this.e_s_b64u = opts.e_s_b64u ?? '';\n this.d_s_b64u = opts.d_s_b64u ?? '';\n }\n\n getCurrentKeyId(): string \| null {\n if (!this.e_s_b64u) return null;\n // Derive a stable identifier without Node crypto; use a simple hash\n try { return simpleHash32(this.e_s_b64u); } catch { return null; }\n }\n\n async initialize(): Promise<{ p_b64u: string }> {\n await ensureWasmInitialized();\n if (!this.p_b64u) {\n console.warn('No p_b64u provided, using default');\n let default_p_b64u = await getShamirPB64uFromWasm();\n this.p_b64u = default_p_b64u;\n }\n await configure_shamir_p(this.p_b64u);\n return {\n p_b64u: this.p_b64u\n };\n }\n\n async generateServerKeypair(): Promise<{ e_s_b64u: string; d_s_b64u: string }> {\n await ensureWasmInitialized();\n const msg: VRFWorkerMessage<Shamir3PassGenerateServerKeypairRequest> = {\n type: 'SHAMIR3PASS_GENERATE_SERVER_KEYPAIR',\n id: `srv_${Date.now()}`,\n payload: {},\n };\n const res = await wasmHandleMessage(msg);\n if (!res?.success) throw new Error(res?.error \|\| 'generateServerKeypair failed');\n return {\n e_s_b64u: res.data.e_s_b64u,\n d_s_b64u: res.data.d_s_b64u\n };\n }\n\n async applyServerLock(req: ShamirApplyServerLockRequest): Promise<ShamirApplyServerLockResponse> {\n await ensureWasmInitialized();\n if (!this.e_s_b64u) {\n throw new Error('Server exponent e_s_b64u not configured');\n }\n const msg: VRFWorkerMessage<ShamirApplyServerLockRequest> = {\n type: 'SHAMIR3PASS_APPLY_SERVER_LOCK_KEK',\n id: `srv_${Date.now()}`,\n payload: {\n e_s_b64u: this.e_s_b64u,\n kek_c_b64u: req.kek_c_b64u\n },\n };\n const res = await wasmHandleMessage(msg);\n if (!res?.success) {\n throw new Error(res?.error \|\| 'applyServerLock failed');\n }\n return {\n kek_cs_b64u: res.data.kek_cs_b64u,\n keyId: res.data.keyId,\n };\n }\n\n async removeServerLock(req: ShamirRemoveServerLockRequest): Promise<ShamirRemoveServerLockResponse> {\n await ensureWasmInitialized();\n if (!this.d_s_b64u) {\n throw new Error('Server exponent d_s_b64u not configured');\n }\n const msg: VRFWorkerMessage<ShamirRemoveServerLockRequest> = {\n type: 'SHAMIR3PASS_REMOVE_SERVER_LOCK_KEK',\n id: `srv_${Date.now()}`,\n payload: {\n d_s_b64u: this.d_s_b64u,\n kek_cs_b64u: req.kek_cs_b64u\n },\n };\n const res = await wasmHandleMessage(msg);\n if (!res?.success) {\n throw new Error(res?.error \|\| 'removeServerLock failed');\n }\n return {\n kek_c_b64u: res.data.kek_c_b64u,\n };\n }\n}\n\n// Public helper to read the compiled Shamir prime p from the WASM module\nexport async function getShamirPB64uFromWasm(): Promise<string> {\n await ensureWasmInitialized();\n return get_shamir_p_b64u();\n}\n"],"mappings":";;;;AA0BA,IAAI,kBAAkB;AACtB,IAAIA,qBAAsD;AAC1D,IAAIC,kBAAwC;AAE5C,SAAgB,4BACd,UACM;AACN,sBAAqB;AACrB,mBAAkB;AAClB,mBAAkB;;AAGpB,SAAS,aAAa,KAAqB;CACzC,IAAI,IAAI;AACR,MAAK,IAAI,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,OAAK,IAAI,WAAW;AACpB,MAAI,KAAK,KAAK,GAAG;;AAGnB,SAAQ,cAAc,MAAM,GAAG,SAAS,KAAK,MAAM;;AAGrD,MAAM,qBAAqB;AAC3B,MAAM,yBAAyB;AAE/B,SAAS,iBAAwB;AAG/B,KAAI,CAAC,oBACH,QAAO;AAGT,KAAI;AACF,SAAO,CACL,IAAI,IAAI,oBAAoB,OAAO,KAAK,MACxC,IAAI,IAAI,wBAAwB,OAAO,KAAK;UAEvC,KAAK;AACZ,UAAQ,KACN,4EACC,KAAe,WAAW;AAE7B,SAAO;;;AAIX,MAAM,gBAAgB,iBAAiB,UAAU;CAC/C,WAAW;CACX,SAAS,OAAO,KAAK;CACrB,cAAc;;;;;;;;;;AAWhB,eAAe,wBAAuC;AACpD,KAAI,gBACF;AAGF,KAAI,iBAAiB;AACnB,QAAM;AACN;;AAGF,oBAAmB,YAAY;AAC7B,QAAM,cAAc,KAAK,sBAAsB;AAC/C,oBAAkB;;AAGpB,KAAI;AACF,QAAM;WACE;AACR,oBAAkB;;;AAItB,IAAa,mBAAb,MAA8B;CAC5B,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YAAY,MAIT;AACD,OAAK,SAAS,KAAK,UAAU;AAC7B,OAAK,WAAW,KAAK,YAAY;AACjC,OAAK,WAAW,KAAK,YAAY;;CAGnC,kBAAiC;AAC/B,MAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,MAAI;AAAE,UAAO,aAAa,KAAK;UAAmB;AAAE,UAAO;;;CAG7D,MAAM,aAA0C;AAC9C,QAAM;AACN,MAAI,CAAC,KAAK,QAAQ;AAChB,WAAQ,KAAK;GACb,IAAI,iBAAiB,MAAM;AAC3B,QAAK,SAAS;;AAEhB,QAAM,mBAAmB,KAAK;AAC9B,SAAO,EACL,QAAQ,KAAK;;CAIjB,MAAM,wBAAyE;AAC7E,QAAM;EACN,MAAMC,MAAiE;GACrE,MAAM;GACN,IAAI,OAAO,KAAK;GAChB,SAAS;;EAEX,MAAM,MAAM,MAAMC,eAAkB;AACpC,MAAI,CAAC,KAAK,QAAS,OAAM,IAAI,MAAM,KAAK,SAAS;AACjD,SAAO;GACL,UAAU,IAAI,KAAK;GACnB,UAAU,IAAI,KAAK;;;CAIvB,MAAM,gBAAgB,KAA2E;AAC/F,QAAM;AACN,MAAI,CAAC,KAAK,SACR,OAAM,IAAI,MAAM;EAElB,MAAMC,MAAsD;GAC1D,MAAM;GACN,IAAI,OAAO,KAAK;GAChB,SAAS;IACP,UAAU,KAAK;IACf,YAAY,IAAI;;;EAGpB,MAAM,MAAM,MAAMD,eAAkB;AACpC,MAAI,CAAC,KAAK,QACR,OAAM,IAAI,MAAM,KAAK,SAAS;AAEhC,SAAO;GACL,aAAa,IAAI,KAAK;GACtB,OAAO,IAAI,KAAK;;;CAIpB,MAAM,iBAAiB,KAA6E;AAClG,QAAM;AACN,MAAI,CAAC,KAAK,SACR,OAAM,IAAI,MAAM;EAElB,MAAME,MAAuD;GAC3D,MAAM;GACN,IAAI,OAAO,KAAK;GAChB,SAAS;IACP,UAAU,KAAK;IACf,aAAa,IAAI;;;EAGrB,MAAM,MAAM,MAAMF,eAAkB;AACpC,MAAI,CAAC,KAAK,QACR,OAAM,IAAI,MAAM,KAAK,SAAS;AAEhC,SAAO,EACL,YAAY,IAAI,KAAK;;;AAM3B,eAAsB,yBAA0C;AAC9D,OAAM;AACN,QAAO"}
1	+ {"version":3,"file":"shamirWorker.js","names":["wasmModuleOverride: ShamirWasmModuleSupplier \| null","wasmInitPromise: Promise<void> \| null","bytes: number[]","cryptoObj: any","nodeCrypto: any","msg: VRFWorkerMessage<Shamir3PassGenerateServerKeypairRequest>","wasmHandleMessage","msg: VRFWorkerMessage<ShamirApplyServerLockRequest>","msg: VRFWorkerMessage<ShamirRemoveServerLockRequest>"],"sources":["../../../../src/server/core/shamirWorker.ts"],"sourcesContent":["// Server-side and Worker-compatible Shamir 3-pass exponent helpers.\n// Implements modular exponentiation over a shared safe prime p.\n// Avoids Node-only imports at module scope so this file can be bundled for\n// Cloudflare Workers without requiring Node built-ins.\n// @ts-ignore - WASM imports\nimport initWasm, {\n handle_message as wasmHandleMessage,\n configure_shamir_p,\n get_shamir_p_b64u,\n SHAMIR_P_B64U,\n type InitInput,\n} from '../../wasm_vrf_worker/pkg/wasm_vrf_worker.js';\nimport {\n VRFWorkerMessage,\n WasmVrfWorkerRequestType,\n ShamirApplyServerLockRequest,\n ShamirApplyServerLockResponse,\n ShamirRemoveServerLockRequest,\n ShamirRemoveServerLockResponse,\n Shamir3PassGenerateServerKeypairRequest,\n type ShamirWasmModuleSupplier,\n} from './types.js';\nimport { createWasmLoader, isNodeEnvironment } from './wasm-loader.js';\nimport { base64UrlDecode, base64UrlEncode } from '../../utils/encoders';\n\nexport { SHAMIR_P_B64U, get_shamir_p_b64u };\n\nlet wasmInitialized = false;\nlet wasmModuleOverride: ShamirWasmModuleSupplier \| null = null;\nlet wasmInitPromise: Promise<void> \| null = null;\n\nconst SHAMIR_REJECTION_SAMPLING_MAX_ATTEMPTS = 10;\nconst SHAMIR_RANDOM_BYTES_OVERHEAD = 64;\n\nexport function setShamirWasmModuleOverride(\n supplier: ShamirWasmModuleSupplier \| null\n): void {\n wasmModuleOverride = supplier;\n wasmInitialized = false;\n wasmInitPromise = null;\n}\n\nfunction simpleHash32(str: string): string {\n let h = 0x811c9dc5; // FNV-1a\n for (let i = 0; i < str.length; i++) {\n h ^= str.charCodeAt(i);\n h = Math.imul(h, 0x01000193);\n }\n // Return hex string\n return ('00000000' + (h >>> 0).toString(16)).slice(-8);\n}\n\nconst VRF_WASM_MAIN_PATH = '../../wasm_vrf_worker/pkg/wasm_vrf_worker_bg.wasm';\nconst VRF_WASM_FALLBACK_PATH = '../../../workers/wasm_vrf_worker_bg.wasm';\n\nfunction getVrfWasmUrls(): URL[] {\n // Only construct filesystem/URL fallbacks in Node.js.\n // Cloudflare Workers cannot safely use import.meta.url as a base URL.\n if (!isNodeEnvironment()) {\n return [];\n }\n\n try {\n return [\n new URL(VRF_WASM_MAIN_PATH, import.meta.url),\n new URL(VRF_WASM_FALLBACK_PATH, import.meta.url),\n ];\n } catch (err) {\n console.warn(\n '[ShamirWasmInit] Failed to construct VRF WASM URLs from import.meta.url:',\n (err as Error)?.message \|\| err\n );\n return [];\n }\n}\n\nconst vrfWasmLoader = createWasmLoader(initWasm, {\n logPrefix: 'ShamirWasmInit',\n baseUrl: import.meta.url,\n fallbackUrls: getVrfWasmUrls(),\n});\n\nfunction bigintFromBytesBE(bytes: Uint8Array): bigint {\n let out = 0n;\n for (const b of bytes) {\n out = (out << 8n) \| BigInt(b);\n }\n return out;\n}\n\nfunction bigintToBytesBE(x: bigint): Uint8Array {\n if (x < 0n) {\n throw new Error('bigintToBytesBE: negative input');\n }\n if (x === 0n) {\n // Match Rust BigUint::to_bytes_be() which returns an empty vec for zero.\n return new Uint8Array([]);\n }\n const bytes: number[] = [];\n let v = x;\n while (v > 0n) {\n bytes.push(Number(v & 0xffn));\n v >>= 8n;\n }\n bytes.reverse();\n return new Uint8Array(bytes);\n}\n\nfunction bitLengthBigint(x: bigint): number {\n if (x <= 0n) return 0;\n return x.toString(2).length;\n}\n\nfunction gcdBigint(a: bigint, b: bigint): bigint {\n let x = a < 0n ? -a : a;\n let y = b < 0n ? -b : b;\n while (y !== 0n) {\n const t = x % y;\n x = y;\n y = t;\n }\n return x;\n}\n\nfunction modInvBigint(a: bigint, m: bigint): bigint \| null {\n // Extended Euclidean algorithm for modular inverse.\n let t = 0n;\n let newT = 1n;\n let r = m;\n let newR = a % m;\n\n while (newR !== 0n) {\n const q = r / newR;\n [t, newT] = [newT, t - q * newT];\n [r, newR] = [newR, r - q * newR];\n }\n\n if (r !== 1n) return null;\n const inv = t % m;\n return inv >= 0n ? inv : inv + m;\n}\n\nasync function getSecureRandomBytes(byteLength: number): Promise<Uint8Array> {\n const out = new Uint8Array(byteLength);\n const cryptoObj: any = (globalThis as any).crypto;\n if (cryptoObj && typeof cryptoObj.getRandomValues === 'function') {\n cryptoObj.getRandomValues(out);\n return out;\n }\n\n if (isNodeEnvironment()) {\n const nodeCrypto: any = await import('node:crypto');\n if (typeof nodeCrypto.randomFillSync === 'function') {\n nodeCrypto.randomFillSync(out);\n return out;\n }\n if (typeof nodeCrypto.randomBytes === 'function') {\n return new Uint8Array(nodeCrypto.randomBytes(byteLength));\n }\n }\n\n throw new Error('Secure random generator unavailable');\n}\n\n/*\n Ensure Shamir WASM module is initialized\n \n Priority order:\n * 1. Explicit override (required for Cloudflare Workers)\n * 2. Node.js filesystem (development)\n * 3. URL-based loading (browsers, Node.js)\n */\nasync function ensureWasmInitialized(): Promise<void> {\n if (wasmInitialized) {\n return;\n }\n\n if (wasmInitPromise) {\n await wasmInitPromise;\n return;\n }\n\n wasmInitPromise = (async () => {\n await vrfWasmLoader.load(wasmModuleOverride ?? undefined);\n wasmInitialized = true;\n })();\n\n try {\n await wasmInitPromise;\n } finally {\n wasmInitPromise = null;\n }\n}\n\nexport class Shamir3PassUtils {\n private p_b64u: string;\n private e_s_b64u: string;\n private d_s_b64u: string;\n\n constructor(opts: {\n p_b64u?: string;\n e_s_b64u?: string;\n d_s_b64u?: string;\n }) {\n this.p_b64u = opts.p_b64u ?? '';\n this.e_s_b64u = opts.e_s_b64u ?? '';\n this.d_s_b64u = opts.d_s_b64u ?? '';\n }\n\n getCurrentKeyId(): string \| null {\n if (!this.e_s_b64u) return null;\n // Derive a stable identifier without Node crypto; use a simple hash\n try { return simpleHash32(this.e_s_b64u); } catch { return null; }\n }\n\n async initialize(): Promise<{ p_b64u: string }> {\n await ensureWasmInitialized();\n if (!this.p_b64u) {\n console.warn('No p_b64u provided, using default');\n let default_p_b64u = await getShamirPB64uFromWasm();\n this.p_b64u = default_p_b64u;\n }\n await configure_shamir_p(this.p_b64u);\n return {\n p_b64u: this.p_b64u\n };\n }\n\n async generateServerKeypair(): Promise<{ e_s_b64u: string; d_s_b64u: string }> {\n // Make sure we have a configured prime `p` (initialize() is cheap + idempotent).\n if (!this.p_b64u) {\n await this.initialize();\n } else {\n // Best-effort: keep WASM configured for subsequent lock/unlock calls.\n try {\n await ensureWasmInitialized();\n await configure_shamir_p(this.p_b64u);\n } catch {\n // Ignore: keygen is pure JS below; WASM load issues are surfaced when needed.\n }\n }\n\n // Pure JS keygen to avoid WASM `getrandom` issues in Node ESM and other runtimes.\n const pBytes = base64UrlDecode(this.p_b64u);\n const p = bigintFromBytesBE(pBytes);\n if (p <= 3n) {\n throw new Error('Invalid Shamir prime p');\n }\n const pMinus1 = p - 1n;\n const maxK = p - 2n;\n const pBits = bitLengthBigint(p);\n const minK = pBits >= 1024 ? (1n << 64n) : (1n << 32n);\n const range = maxK - minK;\n if (range <= 0n) {\n throw new Error('Shamir prime too small for key generation');\n }\n\n const bytesNeeded = Math.ceil(bitLengthBigint(range) / 8) + SHAMIR_RANDOM_BYTES_OVERHEAD;\n\n for (let attempt = 0; attempt < SHAMIR_REJECTION_SAMPLING_MAX_ATTEMPTS; attempt += 1) {\n const buf = await getSecureRandomBytes(bytesNeeded);\n const candidate = bigintFromBytesBE(buf) % range;\n const e = minK + candidate;\n if (gcdBigint(e, pMinus1) !== 1n) continue;\n const d = modInvBigint(e, pMinus1);\n if (!d) continue;\n\n const e_s_b64u = base64UrlEncode(bigintToBytesBE(e));\n const d_s_b64u = base64UrlEncode(bigintToBytesBE(d));\n return { e_s_b64u, d_s_b64u };\n }\n\n // Fallback: attempt WASM-based generation if JS failed (e.g. no crypto available).\n await ensureWasmInitialized();\n const msg: VRFWorkerMessage<Shamir3PassGenerateServerKeypairRequest> = {\n type: 'SHAMIR3PASS_GENERATE_SERVER_KEYPAIR',\n id: `srv_${Date.now()}`,\n payload: {},\n };\n const res = await wasmHandleMessage(msg);\n if (!res?.success) throw new Error(res?.error \|\| 'generateServerKeypair failed');\n return { e_s_b64u: res.data.e_s_b64u, d_s_b64u: res.data.d_s_b64u };\n }\n\n async applyServerLock(req: ShamirApplyServerLockRequest): Promise<ShamirApplyServerLockResponse> {\n await ensureWasmInitialized();\n if (!this.e_s_b64u) {\n throw new Error('Server exponent e_s_b64u not configured');\n }\n const msg: VRFWorkerMessage<ShamirApplyServerLockRequest> = {\n type: 'SHAMIR3PASS_APPLY_SERVER_LOCK_KEK',\n id: `srv_${Date.now()}`,\n payload: {\n e_s_b64u: this.e_s_b64u,\n kek_c_b64u: req.kek_c_b64u\n },\n };\n const res = await wasmHandleMessage(msg);\n if (!res?.success) {\n throw new Error(res?.error \|\| 'applyServerLock failed');\n }\n return {\n kek_cs_b64u: res.data.kek_cs_b64u,\n keyId: res.data.keyId,\n };\n }\n\n async removeServerLock(req: ShamirRemoveServerLockRequest): Promise<ShamirRemoveServerLockResponse> {\n await ensureWasmInitialized();\n if (!this.d_s_b64u) {\n throw new Error('Server exponent d_s_b64u not configured');\n }\n const msg: VRFWorkerMessage<ShamirRemoveServerLockRequest> = {\n type: 'SHAMIR3PASS_REMOVE_SERVER_LOCK_KEK',\n id: `srv_${Date.now()}`,\n payload: {\n d_s_b64u: this.d_s_b64u,\n kek_cs_b64u: req.kek_cs_b64u\n },\n };\n const res = await wasmHandleMessage(msg);\n if (!res?.success) {\n throw new Error(res?.error \|\| 'removeServerLock failed');\n }\n return {\n kek_c_b64u: res.data.kek_c_b64u,\n };\n }\n}\n\n// Public helper to read the compiled Shamir prime p from the WASM module\nexport async function getShamirPB64uFromWasm(): Promise<string> {\n await ensureWasmInitialized();\n return get_shamir_p_b64u();\n}\n"],"mappings":";;;;;AA2BA,IAAI,kBAAkB;AACtB,IAAIA,qBAAsD;AAC1D,IAAIC,kBAAwC;AAE5C,MAAM,yCAAyC;AAC/C,MAAM,+BAA+B;AAErC,SAAgB,4BACd,UACM;AACN,sBAAqB;AACrB,mBAAkB;AAClB,mBAAkB;;AAGpB,SAAS,aAAa,KAAqB;CACzC,IAAI,IAAI;AACR,MAAK,IAAI,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK;AACnC,OAAK,IAAI,WAAW;AACpB,MAAI,KAAK,KAAK,GAAG;;AAGnB,SAAQ,cAAc,MAAM,GAAG,SAAS,KAAK,MAAM;;AAGrD,MAAM,qBAAqB;AAC3B,MAAM,yBAAyB;AAE/B,SAAS,iBAAwB;AAG/B,KAAI,CAAC,oBACH,QAAO;AAGT,KAAI;AACF,SAAO,CACL,IAAI,IAAI,oBAAoB,OAAO,KAAK,MACxC,IAAI,IAAI,wBAAwB,OAAO,KAAK;UAEvC,KAAK;AACZ,UAAQ,KACN,4EACC,KAAe,WAAW;AAE7B,SAAO;;;AAIX,MAAM,gBAAgB,iBAAiB,UAAU;CAC/C,WAAW;CACX,SAAS,OAAO,KAAK;CACrB,cAAc;;AAGhB,SAAS,kBAAkB,OAA2B;CACpD,IAAI,MAAM;AACV,MAAK,MAAM,KAAK,MACd,OAAO,OAAO,KAAM,OAAO;AAE7B,QAAO;;AAGT,SAAS,gBAAgB,GAAuB;AAC9C,KAAI,IAAI,GACN,OAAM,IAAI,MAAM;AAElB,KAAI,MAAM,GAER,QAAO,IAAI,WAAW;CAExB,MAAMC,QAAkB;CACxB,IAAI,IAAI;AACR,QAAO,IAAI,IAAI;AACb,QAAM,KAAK,OAAO,IAAI;AACtB,QAAM;;AAER,OAAM;AACN,QAAO,IAAI,WAAW;;AAGxB,SAAS,gBAAgB,GAAmB;AAC1C,KAAI,KAAK,GAAI,QAAO;AACpB,QAAO,EAAE,SAAS,GAAG;;AAGvB,SAAS,UAAU,GAAW,GAAmB;CAC/C,IAAI,IAAI,IAAI,KAAK,CAAC,IAAI;CACtB,IAAI,IAAI,IAAI,KAAK,CAAC,IAAI;AACtB,QAAO,MAAM,IAAI;EACf,MAAM,IAAI,IAAI;AACd,MAAI;AACJ,MAAI;;AAEN,QAAO;;AAGT,SAAS,aAAa,GAAW,GAA0B;CAEzD,IAAI,IAAI;CACR,IAAI,OAAO;CACX,IAAI,IAAI;CACR,IAAI,OAAO,IAAI;AAEf,QAAO,SAAS,IAAI;EAClB,MAAM,IAAI,IAAI;AACd,GAAC,GAAG,QAAQ,CAAC,MAAM,IAAI,IAAI;AAC3B,GAAC,GAAG,QAAQ,CAAC,MAAM,IAAI,IAAI;;AAG7B,KAAI,MAAM,GAAI,QAAO;CACrB,MAAM,MAAM,IAAI;AAChB,QAAO,OAAO,KAAK,MAAM,MAAM;;AAGjC,eAAe,qBAAqB,YAAyC;CAC3E,MAAM,MAAM,IAAI,WAAW;CAC3B,MAAMC,YAAkB,WAAmB;AAC3C,KAAI,aAAa,OAAO,UAAU,oBAAoB,YAAY;AAChE,YAAU,gBAAgB;AAC1B,SAAO;;AAGT,KAAI,qBAAqB;EACvB,MAAMC,aAAkB,MAAM,OAAO;AACrC,MAAI,OAAO,WAAW,mBAAmB,YAAY;AACnD,cAAW,eAAe;AAC1B,UAAO;;AAET,MAAI,OAAO,WAAW,gBAAgB,WACpC,QAAO,IAAI,WAAW,WAAW,YAAY;;AAIjD,OAAM,IAAI,MAAM;;;;;;;;;;AAWlB,eAAe,wBAAuC;AACpD,KAAI,gBACF;AAGF,KAAI,iBAAiB;AACnB,QAAM;AACN;;AAGF,oBAAmB,YAAY;AAC7B,QAAM,cAAc,KAAK,sBAAsB;AAC/C,oBAAkB;;AAGpB,KAAI;AACF,QAAM;WACE;AACR,oBAAkB;;;AAItB,IAAa,mBAAb,MAA8B;CAC5B,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YAAY,MAIT;AACD,OAAK,SAAS,KAAK,UAAU;AAC7B,OAAK,WAAW,KAAK,YAAY;AACjC,OAAK,WAAW,KAAK,YAAY;;CAGnC,kBAAiC;AAC/B,MAAI,CAAC,KAAK,SAAU,QAAO;AAE3B,MAAI;AAAE,UAAO,aAAa,KAAK;UAAmB;AAAE,UAAO;;;CAG7D,MAAM,aAA0C;AAC9C,QAAM;AACN,MAAI,CAAC,KAAK,QAAQ;AAChB,WAAQ,KAAK;GACb,IAAI,iBAAiB,MAAM;AAC3B,QAAK,SAAS;;AAEhB,QAAM,mBAAmB,KAAK;AAC9B,SAAO,EACL,QAAQ,KAAK;;CAIjB,MAAM,wBAAyE;AAE7E,MAAI,CAAC,KAAK,OACR,OAAM,KAAK;MAGX,KAAI;AACF,SAAM;AACN,SAAM,mBAAmB,KAAK;UACxB;EAMV,MAAM,SAAS,gBAAgB,KAAK;EACpC,MAAM,IAAI,kBAAkB;AAC5B,MAAI,KAAK,GACP,OAAM,IAAI,MAAM;EAElB,MAAM,UAAU,IAAI;EACpB,MAAM,OAAO,IAAI;EACjB,MAAM,QAAQ,gBAAgB;EAC9B,MAAM,OAAO,SAAS,OAAQ,MAAM,MAAQ,MAAM;EAClD,MAAM,QAAQ,OAAO;AACrB,MAAI,SAAS,GACX,OAAM,IAAI,MAAM;EAGlB,MAAM,cAAc,KAAK,KAAK,gBAAgB,SAAS,KAAK;AAE5D,OAAK,IAAI,UAAU,GAAG,UAAU,wCAAwC,WAAW,GAAG;GACpF,MAAM,MAAM,MAAM,qBAAqB;GACvC,MAAM,YAAY,kBAAkB,OAAO;GAC3C,MAAM,IAAI,OAAO;AACjB,OAAI,UAAU,GAAG,aAAa,GAAI;GAClC,MAAM,IAAI,aAAa,GAAG;AAC1B,OAAI,CAAC,EAAG;GAER,MAAM,WAAW,gBAAgB,gBAAgB;GACjD,MAAM,WAAW,gBAAgB,gBAAgB;AACjD,UAAO;IAAE;IAAU;;;AAIrB,QAAM;EACN,MAAMC,MAAiE;GACrE,MAAM;GACN,IAAI,OAAO,KAAK;GAChB,SAAS;;EAEX,MAAM,MAAM,MAAMC,eAAkB;AACpC,MAAI,CAAC,KAAK,QAAS,OAAM,IAAI,MAAM,KAAK,SAAS;AACjD,SAAO;GAAE,UAAU,IAAI,KAAK;GAAU,UAAU,IAAI,KAAK;;;CAG3D,MAAM,gBAAgB,KAA2E;AAC/F,QAAM;AACN,MAAI,CAAC,KAAK,SACR,OAAM,IAAI,MAAM;EAElB,MAAMC,MAAsD;GAC1D,MAAM;GACN,IAAI,OAAO,KAAK;GAChB,SAAS;IACP,UAAU,KAAK;IACf,YAAY,IAAI;;;EAGpB,MAAM,MAAM,MAAMD,eAAkB;AACpC,MAAI,CAAC,KAAK,QACR,OAAM,IAAI,MAAM,KAAK,SAAS;AAEhC,SAAO;GACL,aAAa,IAAI,KAAK;GACtB,OAAO,IAAI,KAAK;;;CAIpB,MAAM,iBAAiB,KAA6E;AAClG,QAAM;AACN,MAAI,CAAC,KAAK,SACR,OAAM,IAAI,MAAM;EAElB,MAAME,MAAuD;GAC3D,MAAM;GACN,IAAI,OAAO,KAAK;GAChB,SAAS;IACP,UAAU,KAAK;IACf,aAAa,IAAI;;;EAGrB,MAAM,MAAM,MAAMF,eAAkB;AACpC,MAAI,CAAC,KAAK,QACR,OAAM,IAAI,MAAM,KAAK,SAAS;AAEhC,SAAO,EACL,YAAY,IAAI,KAAK;;;AAM3B,eAAsB,yBAA0C;AAC9D,OAAM;AACN,QAAO"}

package/dist/esm/server/core/utils.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { isString } from "../sdk/src/core/WalletIframe/validation.js";
+import { isString } from "../sdk/src/utils/validation.js";
 //#region src/server/core/utils.ts
 function formatGasToTGas(gasString) {

package/dist/esm/server/core/utils.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"utils.js","names":[],"sources":["../../../../src/server/core/utils.ts"],"sourcesContent":["import { isString } from '~~../../core~~/~~WalletIframe/~~validation';\n\n// Format NEAR gas (string) to TGas for display in logs.\nexport function formatGasToTGas(gasString: string): string {\n const gasAmount = BigInt(gasString);\n const tGas = Number(gasAmount) / 1e12;\n return `${tGas.toFixed(0)} TGas`;\n}\n\n// Convert yoctoNEAR to NEAR for display in logs.\nexport function formatYoctoToNear(yoctoAmount: string \| bigint): string {\n const amount = isString(yoctoAmount) ? BigInt(yoctoAmount) : yoctoAmount;\n const nearAmount = Number(amount) / 1e24;\n return nearAmount.toFixed(3);\n}\n"],"mappings":";;;AAGA,SAAgB,gBAAgB,WAA2B;CACzD,MAAM,YAAY,OAAO;CACzB,MAAM,OAAO,OAAO,aAAa;AACjC,QAAO,GAAG,KAAK,QAAQ,GAAG;;AAI5B,SAAgB,kBAAkB,aAAsC;CACtE,MAAM,SAAS,SAAS,eAAe,OAAO,eAAe;CAC7D,MAAM,aAAa,OAAO,UAAU;AACpC,QAAO,WAAW,QAAQ"}
1	+ {"version":3,"file":"utils.js","names":[],"sources":["../../../../src/server/core/utils.ts"],"sourcesContent":["import { isString } from '@/utils/validation';\n\n// Format NEAR gas (string) to TGas for display in logs.\nexport function formatGasToTGas(gasString: string): string {\n const gasAmount = BigInt(gasString);\n const tGas = Number(gasAmount) / 1e12;\n return `${tGas.toFixed(0)} TGas`;\n}\n\n// Convert yoctoNEAR to NEAR for display in logs.\nexport function formatYoctoToNear(yoctoAmount: string \| bigint): string {\n const amount = isString(yoctoAmount) ? BigInt(yoctoAmount) : yoctoAmount;\n const nearAmount = Number(amount) / 1e24;\n return nearAmount.toFixed(3);\n}\n"],"mappings":";;;AAGA,SAAgB,gBAAgB,WAA2B;CACzD,MAAM,YAAY,OAAO;CACzB,MAAM,OAAO,OAAO,aAAa;AACjC,QAAO,GAAG,KAAK,QAAQ,GAAG;;AAI5B,SAAgB,kBAAkB,aAAsC;CACtE,MAAM,SAAS,SAAS,eAAe,OAAO,eAAe;CAC7D,MAAM,aAAa,OAAO,UAAU;AACpC,QAAO,WAAW,QAAQ"}

package/dist/esm/server/delegateAction/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":["rawDelegate: any","parsedActions: any[]","actions: ActionArgsWasm[]","error: any"],"sources":["../../../../src/server/delegateAction/index.ts"],"sourcesContent":["import type { FinalExecutionOutcome } from '@near-js/types';\nimport type { NearClient, SignedTransaction } from '../../core/NearClient';\nimport { ActionType, type ActionArgsWasm, validateActionArgsWasm } from '../../core/types/actions';\nimport type { SignedDelegate as CoreSignedDelegate } from '../../core/types/delegate';\nimport { isObject } from '../../core/WalletIframe/validation';\n\nexport interface DelegateActionPolicy {\n /** Optional allowlist of receiver account IDs. If empty/omitted, any receiver is allowed. /\n allowedReceivers?: string[];\n /* Optional allowlist of function call method names. Empty = any method. /\n allowedMethods?: string[];\n /\n Optional maximum total attached deposit (yoctoNEAR) across all actions.\n * Represented as decimal string to avoid BigInt JSON issues.\n /\n maxTotalDepositYocto?: string;\n /\n Optional custom predicate for additional checks.\n * Return false or throw to reject.\n /\n allow?: (input: {\n hash: string;\n delegate: CoreSignedDelegate['delegateAction'];\n signedDelegate: CoreSignedDelegate;\n }) => boolean \| Promise<boolean>;\n}\n\nexport interface ExecuteSignedDelegateRequest {\n hash: string;\n signedDelegate: CoreSignedDelegate;\n /\n Optional policy configuration. If omitted, only basic hash/signature/expiry checks\n * should be enforced by the caller.\n /\n policy?: DelegateActionPolicy;\n}\n\nexport interface ExecuteSignedDelegateResult {\n ok: boolean;\n transactionHash?: string;\n outcome?: FinalExecutionOutcome;\n error?: string;\n code?: string;\n}\n\n/\n Normalize hash input (hex string with or without `0x` prefix) to a 32-byte Uint8Array.\n /\nexport function normalizeHashToBytes(hash: string): Uint8Array {\n const trimmed = (hash \|\| '').trim().toLowerCase();\n const hex = trimmed.startsWith('0x') ? trimmed.slice(2) : trimmed;\n if (!hex \|\| hex.length !== 64 \|\| !/^[0-9a-f]+$/i.test(hex)) {\n throw new Error('invalid_hash_format');\n }\n const bytes = new Uint8Array(32);\n for (let i = 0; i < 32; i++) {\n const byte = hex.slice(i 2, i * 2 + 2);\n bytes[i] = parseInt(byte, 16);\n }\n return bytes;\n}\n\n/*\n Validate delegate nonce and expiry against current chain height.\n * The actual SignedDelegate hashing and signature verification is done in the signer worker;\n * this helper only enforces basic replay/expiry constraints expected of a relayer.\n /\nexport async function validateDelegateExpiryAndNonce(params: {\n nearClient: NearClient;\n signedDelegate: CoreSignedDelegate;\n}): Promise<void> {\n const { nearClient, signedDelegate } = params;\n const delegate = signedDelegate?.delegateAction;\n if (!delegate) {\n throw new Error('invalid_delegate');\n }\n\n // Enforce max_block_height against current chain height\n const maxBlockHeight = BigInt(delegate.maxBlockHeight as any);\n // Allow maxBlockHeight <= 0 as \"no expiry\" for convenience/demo flows.\n // Relayers that require strict expiry should enforce a policy on top.\n if (maxBlockHeight <= 0n) {\n return;\n }\n\n const block = await nearClient.viewBlock({ finality: 'final' });\n const currentHeight = BigInt((block as any)?.header?.height ?? 0);\n if (currentHeight <= 0n) {\n throw new Error('invalid_block_height');\n }\n\n if (currentHeight > maxBlockHeight) {\n throw new Error('delegate_expired');\n }\n\n // NOTE: Nonce / replay protection is left to the integrator for now.\n // Implementations are expected to maintain per-publicKey/receiver nonce state\n // (e.g. in a database or KV store) and reject duplicates or out-of-order nonces.\n}\n\n/\n Enforce a simple policy over the delegate action:\n * - Receiver allowlist\n * - FunctionCall method allowlist\n * - Total attached deposit limit\n /\nexport async function enforceDelegatePolicy(input: {\n hash: string;\n signedDelegate: CoreSignedDelegate;\n policy?: DelegateActionPolicy;\n}): Promise<void> {\n const { hash, signedDelegate, policy } = input;\n if (!policy) return;\n\n const delegate = signedDelegate?.delegateAction;\n if (!delegate) {\n throw new Error('invalid_delegate');\n }\n\n const receiverId = String(delegate.receiverId \|\| '');\n\n if (policy.allowedReceivers && policy.allowedReceivers.length > 0) {\n if (!policy.allowedReceivers.includes(receiverId)) {\n throw Object.assign(new Error('receiver_not_allowed'), { code: 'receiver_not_allowed' });\n }\n }\n\n // Compute total deposit and check method allowlist\n let totalDeposit = 0n;\n const actions = delegate.actions \|\| [];\n for (const action of actions as any[]) {\n if (!isObject(action) \|\| !('type' in action)) continue;\n const kind = (action as any).type;\n\n if (kind === ActionType.FunctionCall) {\n const methodName = String((action as any).methodName \|\| '');\n if (policy.allowedMethods && policy.allowedMethods.length > 0) {\n if (!policy.allowedMethods.includes(methodName)) {\n throw Object.assign(new Error('method_not_allowed'), { code: 'method_not_allowed' });\n }\n }\n const deposit = BigInt(String((action as any).deposit \|\| '0'));\n totalDeposit += deposit;\n } else if (kind === ActionType.Transfer) {\n const amount = BigInt(String((action as any).amount \|\| '0'));\n totalDeposit += amount;\n }\n }\n\n if (policy.maxTotalDepositYocto) {\n const limit = BigInt(policy.maxTotalDepositYocto);\n if (totalDeposit > limit) {\n throw Object.assign(new Error('deposit_exceeds_limit'), {\n code: 'deposit_exceeds_limit',\n });\n }\n }\n\n if (policy.allow) {\n const ok = await policy.allow({ hash, delegate, signedDelegate });\n if (!ok) {\n throw Object.assign(new Error('delegate_rejected'), { code: 'delegate_rejected' });\n }\n }\n}\n\n/\n Build a relayer transaction that wraps the SignedDelegate in a NEP-461\n * SignedDelegate action. The relayer account is the signer and receiver.\n \n This helper only builds and sends the outer transaction; it assumes that:\n * - hash/signature/expiry checks have already been performed, and\n * - nonce/replay protection is implemented by the caller if needed.\n /\nexport async function executeSignedDelegateWithRelayer(params: {\n nearClient: NearClient;\n relayerAccountId: string;\n relayerPublicKey: string;\n relayerPrivateKey: string;\n hash: string;\n signedDelegate: CoreSignedDelegate;\n signWithPrivateKey: (input: {\n nearPrivateKey: string;\n signerAccountId: string;\n receiverId: string;\n nonce: string;\n blockHash: string;\n actions: ActionArgsWasm[];\n }) => Promise<SignedTransaction>;\n}): Promise<ExecuteSignedDelegateResult> {\n const {\n nearClient,\n relayerAccountId,\n relayerPublicKey,\n relayerPrivateKey,\n hash,\n signedDelegate,\n signWithPrivateKey,\n } = params;\n\n try {\n // Basic expiry check (max_block_height) before submitting\n await validateDelegateExpiryAndNonce({ nearClient, signedDelegate });\n\n // Normalize delegateAction shape for the signer worker.\n // Browser SDK currently returns a WasmSignedDelegate where\n // delegateAction.actionsJson is a JSON string of Vec<Action>.\n // The signer expects DelegateAction { actions: Vec<Action> }.\n const rawDelegate: any = signedDelegate?.delegateAction;\n if (!rawDelegate) {\n throw new Error('invalid_delegate_action');\n }\n\n let delegateForWorker = rawDelegate;\n if (rawDelegate && !('actions' in rawDelegate) && 'actionsJson' in rawDelegate) {\n let parsedActions: any[] = [];\n try {\n parsedActions = rawDelegate.actionsJson\n ? JSON.parse(String(rawDelegate.actionsJson))\n : [];\n } catch (err) {\n const error = new Error('delegate_actions_parse_failed');\n (error as any).cause = err;\n throw error;\n }\n\n delegateForWorker = {\n // senderId = user (the account whose access key authorizes the action)\n senderId: rawDelegate.senderId,\n // receiverId = target contract/account (the intended recipient of the inner actions)\n receiverId: rawDelegate.receiverId,\n actions: parsedActions,\n nonce: rawDelegate.nonce,\n maxBlockHeight: rawDelegate.maxBlockHeight,\n publicKey: rawDelegate.publicKey,\n };\n }\n\n // Build SignedDelegate action payload for the signer worker.\n const actions: ActionArgsWasm[] = [\n {\n action_type: ActionType.SignedDelegate,\n // Pass through the fully-typed delegate payload; the signer WASM maps this\n // into the on-chain SignedDelegateAction inside Action::Delegate.\n delegate_action: delegateForWorker,\n signature: signedDelegate.signature,\n },\n ];\n\n actions.forEach(validateActionArgsWasm);\n\n // Fetch nonce + block hash for the relayer* account.\n // This section builds the outer transaction that the relayer signs and\n // submits to NEAR. The nonce here is the relayer access key nonce and is\n // completely separate from the delegate_action.nonce inside SignedDelegate.\n const block = await nearClient.viewBlock({ finality: 'final' });\n const blockHash = String((block as any)?.header?.hash \|\| '');\n if (!blockHash) {\n throw new Error('missing_block_hash');\n }\n\n // Use viewAccessKey to derive next nonce for relayer\n let nonce = 0n;\n try {\n const ak = await nearClient.viewAccessKey(relayerAccountId, relayerPublicKey);\n nonce = BigInt(ak?.nonce ?? 0);\n } catch {\n nonce = 0n;\n }\n const nextNonce = (nonce + 1n).toString();\n\n // The outer transaction must target the delegate sender account so that\n // on-chain DelegateAction processing sees `sender_id` == tx.receiver.\n // The relayer still pays for gas (as the transaction signer), but the\n // receiver is the wallet user's account that owns the access key used\n // to validate delegate_action.nonce and delegate_action.public_key.\n const delegateSenderId = String(\n delegateForWorker?.senderId \|\|\n signedDelegate?.delegateAction?.senderId \|\| ''\n ).trim();\n\n if (!delegateSenderId) {\n throw new Error('missing_delegate_sender_id');\n }\n\n const signedTx = await signWithPrivateKey({\n nearPrivateKey: relayerPrivateKey,\n signerAccountId: relayerAccountId,\n receiverId: delegateSenderId,\n nonce: nextNonce,\n blockHash,\n actions,\n });\n\n const outcome = await nearClient.sendTransaction(signedTx);\n\n const txHash = outcome?.transaction?.hash \|\| null;\n\n return {\n ok: true,\n transactionHash: txHash \|\| undefined,\n outcome,\n };\n } catch (error: any) {\n const code = error?.code \|\| 'delegate_execution_failed';\n const message = error?.message \|\| String(error);\n return {\n ok: false,\n error: message,\n code,\n };\n }\n}\n"],"mappings":";;;;;;;;AAmEA,eAAsB,+BAA+B,QAGnC;CAChB,MAAM,EAAE,YAAY,mBAAmB;CACvC,MAAM,WAAW,gBAAgB;AACjC,KAAI,CAAC,SACH,OAAM,IAAI,MAAM;CAIlB,MAAM,iBAAiB,OAAO,SAAS;AAGvC,KAAI,kBAAkB,GACpB;CAGF,MAAM,QAAQ,MAAM,WAAW,UAAU,EAAE,UAAU;CACrD,MAAM,gBAAgB,OAAQ,OAAe,QAAQ,UAAU;AAC/D,KAAI,iBAAiB,GACnB,OAAM,IAAI,MAAM;AAGlB,KAAI,gBAAgB,eAClB,OAAM,IAAI,MAAM;;;;;;;;;;AAkFpB,eAAsB,iCAAiC,QAed;CACvC,MAAM,EACJ,YACA,kBACA,kBACA,mBACA,MACA,gBACA,uBACE;AAEJ,KAAI;AAEF,QAAM,+BAA+B;GAAE;GAAY;;EAMnD,MAAMA,cAAmB,gBAAgB;AACzC,MAAI,CAAC,YACH,OAAM,IAAI,MAAM;EAGlB,IAAI,oBAAoB;AACxB,MAAI,eAAe,EAAE,aAAa,gBAAgB,iBAAiB,aAAa;GAC9E,IAAIC,gBAAuB;AAC3B,OAAI;AACF,oBAAgB,YAAY,cACxB,KAAK,MAAM,OAAO,YAAY,gBAC9B;YACG,KAAK;IACZ,MAAM,wBAAQ,IAAI,MAAM;AACxB,IAAC,MAAc,QAAQ;AACvB,UAAM;;AAGR,uBAAoB;IAElB,UAAU,YAAY;IAEtB,YAAY,YAAY;IACxB,SAAS;IACT,OAAO,YAAY;IACnB,gBAAgB,YAAY;IAC5B,WAAW,YAAY;;;EAK3B,MAAMC,UAA4B,CAChC;GACE,aAAa,WAAW;GAGxB,iBAAiB;GACjB,WAAW,eAAe;;AAI9B,UAAQ,QAAQ;EAMhB,MAAM,QAAQ,MAAM,WAAW,UAAU,EAAE,UAAU;EACrD,MAAM,YAAY,OAAQ,OAAe,QAAQ,QAAQ;AACzD,MAAI,CAAC,UACH,OAAM,IAAI,MAAM;EAIlB,IAAI,QAAQ;AACZ,MAAI;GACF,MAAM,KAAK,MAAM,WAAW,cAAc,kBAAkB;AAC5D,WAAQ,OAAO,IAAI,SAAS;UACtB;AACN,WAAQ;;EAEV,MAAM,aAAa,QAAQ,IAAI;EAO/B,MAAM,mBAAmB,OACvB,mBAAmB,YACnB,gBAAgB,gBAAgB,YAAY,IAC5C;AAEF,MAAI,CAAC,iBACH,OAAM,IAAI,MAAM;EAGlB,MAAM,WAAW,MAAM,mBAAmB;GACxC,gBAAgB;GAChB,iBAAiB;GACjB,YAAY;GACZ,OAAO;GACP;GACA;;EAGF,MAAM,UAAU,MAAM,WAAW,gBAAgB;EAEjD,MAAM,SAAS,SAAS,aAAa,QAAQ;AAE7C,SAAO;GACL,IAAI;GACJ,iBAAiB,UAAU;GAC3B;;UAEKC,OAAY;EACnB,MAAM,OAAO,OAAO,QAAQ;EAC5B,MAAM,UAAU,OAAO,WAAW,OAAO;AACzC,SAAO;GACL,IAAI;GACJ,OAAO;GACP"}
1	+ {"version":3,"file":"index.js","names":["rawDelegate: any","parsedActions: any[]","actions: ActionArgsWasm[]","error: any"],"sources":["../../../../src/server/delegateAction/index.ts"],"sourcesContent":["import type { FinalExecutionOutcome } from '@near-js/types';\nimport type { NearClient, SignedTransaction } from '../../core/NearClient';\nimport { ActionType, type ActionArgsWasm, validateActionArgsWasm } from '../../core/types/actions';\nimport type { SignedDelegate as CoreSignedDelegate } from '../../core/types/delegate';\nimport { isObject } from '@/utils/validation';\n\nexport interface DelegateActionPolicy {\n /** Optional allowlist of receiver account IDs. If empty/omitted, any receiver is allowed. /\n allowedReceivers?: string[];\n /* Optional allowlist of function call method names. Empty = any method. /\n allowedMethods?: string[];\n /\n Optional maximum total attached deposit (yoctoNEAR) across all actions.\n * Represented as decimal string to avoid BigInt JSON issues.\n /\n maxTotalDepositYocto?: string;\n /\n Optional custom predicate for additional checks.\n * Return false or throw to reject.\n /\n allow?: (input: {\n hash: string;\n delegate: CoreSignedDelegate['delegateAction'];\n signedDelegate: CoreSignedDelegate;\n }) => boolean \| Promise<boolean>;\n}\n\nexport interface ExecuteSignedDelegateRequest {\n hash: string;\n signedDelegate: CoreSignedDelegate;\n /\n Optional policy configuration. If omitted, only basic hash/signature/expiry checks\n * should be enforced by the caller.\n /\n policy?: DelegateActionPolicy;\n}\n\nexport interface ExecuteSignedDelegateResult {\n ok: boolean;\n transactionHash?: string;\n outcome?: FinalExecutionOutcome;\n error?: string;\n code?: string;\n}\n\n/\n Normalize hash input (hex string with or without `0x` prefix) to a 32-byte Uint8Array.\n /\nexport function normalizeHashToBytes(hash: string): Uint8Array {\n const trimmed = (hash \|\| '').trim().toLowerCase();\n const hex = trimmed.startsWith('0x') ? trimmed.slice(2) : trimmed;\n if (!hex \|\| hex.length !== 64 \|\| !/^[0-9a-f]+$/i.test(hex)) {\n throw new Error('invalid_hash_format');\n }\n const bytes = new Uint8Array(32);\n for (let i = 0; i < 32; i++) {\n const byte = hex.slice(i 2, i * 2 + 2);\n bytes[i] = parseInt(byte, 16);\n }\n return bytes;\n}\n\n/*\n Validate delegate nonce and expiry against current chain height.\n * The actual SignedDelegate hashing and signature verification is done in the signer worker;\n * this helper only enforces basic replay/expiry constraints expected of a relayer.\n /\nexport async function validateDelegateExpiryAndNonce(params: {\n nearClient: NearClient;\n signedDelegate: CoreSignedDelegate;\n}): Promise<void> {\n const { nearClient, signedDelegate } = params;\n const delegate = signedDelegate?.delegateAction;\n if (!delegate) {\n throw new Error('invalid_delegate');\n }\n\n // Enforce max_block_height against current chain height\n const maxBlockHeight = BigInt(delegate.maxBlockHeight as any);\n // Allow maxBlockHeight <= 0 as \"no expiry\" for convenience/demo flows.\n // Relayers that require strict expiry should enforce a policy on top.\n if (maxBlockHeight <= 0n) {\n return;\n }\n\n const block = await nearClient.viewBlock({ finality: 'final' });\n const currentHeight = BigInt((block as any)?.header?.height ?? 0);\n if (currentHeight <= 0n) {\n throw new Error('invalid_block_height');\n }\n\n if (currentHeight > maxBlockHeight) {\n throw new Error('delegate_expired');\n }\n\n // NOTE: Nonce / replay protection is left to the integrator for now.\n // Implementations are expected to maintain per-publicKey/receiver nonce state\n // (e.g. in a database or KV store) and reject duplicates or out-of-order nonces.\n}\n\n/\n Enforce a simple policy over the delegate action:\n * - Receiver allowlist\n * - FunctionCall method allowlist\n * - Total attached deposit limit\n /\nexport async function enforceDelegatePolicy(input: {\n hash: string;\n signedDelegate: CoreSignedDelegate;\n policy?: DelegateActionPolicy;\n}): Promise<void> {\n const { hash, signedDelegate, policy } = input;\n if (!policy) return;\n\n const delegate = signedDelegate?.delegateAction;\n if (!delegate) {\n throw new Error('invalid_delegate');\n }\n\n const receiverId = String(delegate.receiverId \|\| '');\n\n if (policy.allowedReceivers && policy.allowedReceivers.length > 0) {\n if (!policy.allowedReceivers.includes(receiverId)) {\n throw Object.assign(new Error('receiver_not_allowed'), { code: 'receiver_not_allowed' });\n }\n }\n\n // Compute total deposit and check method allowlist\n let totalDeposit = 0n;\n const actions = delegate.actions \|\| [];\n for (const action of actions as any[]) {\n if (!isObject(action) \|\| !('type' in action)) continue;\n const kind = (action as any).type;\n\n if (kind === ActionType.FunctionCall) {\n const methodName = String((action as any).methodName \|\| '');\n if (policy.allowedMethods && policy.allowedMethods.length > 0) {\n if (!policy.allowedMethods.includes(methodName)) {\n throw Object.assign(new Error('method_not_allowed'), { code: 'method_not_allowed' });\n }\n }\n const deposit = BigInt(String((action as any).deposit \|\| '0'));\n totalDeposit += deposit;\n } else if (kind === ActionType.Transfer) {\n const amount = BigInt(String((action as any).amount \|\| '0'));\n totalDeposit += amount;\n }\n }\n\n if (policy.maxTotalDepositYocto) {\n const limit = BigInt(policy.maxTotalDepositYocto);\n if (totalDeposit > limit) {\n throw Object.assign(new Error('deposit_exceeds_limit'), {\n code: 'deposit_exceeds_limit',\n });\n }\n }\n\n if (policy.allow) {\n const ok = await policy.allow({ hash, delegate, signedDelegate });\n if (!ok) {\n throw Object.assign(new Error('delegate_rejected'), { code: 'delegate_rejected' });\n }\n }\n}\n\n/\n Build a relayer transaction that wraps the SignedDelegate in a NEP-461\n * SignedDelegate action. The relayer account is the signer and receiver.\n \n This helper only builds and sends the outer transaction; it assumes that:\n * - hash/signature/expiry checks have already been performed, and\n * - nonce/replay protection is implemented by the caller if needed.\n /\nexport async function executeSignedDelegateWithRelayer(params: {\n nearClient: NearClient;\n relayerAccountId: string;\n relayerPublicKey: string;\n relayerPrivateKey: string;\n hash: string;\n signedDelegate: CoreSignedDelegate;\n signWithPrivateKey: (input: {\n nearPrivateKey: string;\n signerAccountId: string;\n receiverId: string;\n nonce: string;\n blockHash: string;\n actions: ActionArgsWasm[];\n }) => Promise<SignedTransaction>;\n}): Promise<ExecuteSignedDelegateResult> {\n const {\n nearClient,\n relayerAccountId,\n relayerPublicKey,\n relayerPrivateKey,\n hash,\n signedDelegate,\n signWithPrivateKey,\n } = params;\n\n try {\n // Basic expiry check (max_block_height) before submitting\n await validateDelegateExpiryAndNonce({ nearClient, signedDelegate });\n\n // Normalize delegateAction shape for the signer worker.\n // Browser SDK currently returns a WasmSignedDelegate where\n // delegateAction.actionsJson is a JSON string of Vec<Action>.\n // The signer expects DelegateAction { actions: Vec<Action> }.\n const rawDelegate: any = signedDelegate?.delegateAction;\n if (!rawDelegate) {\n throw new Error('invalid_delegate_action');\n }\n\n let delegateForWorker = rawDelegate;\n if (rawDelegate && !('actions' in rawDelegate) && 'actionsJson' in rawDelegate) {\n let parsedActions: any[] = [];\n try {\n parsedActions = rawDelegate.actionsJson\n ? JSON.parse(String(rawDelegate.actionsJson))\n : [];\n } catch (err) {\n const error = new Error('delegate_actions_parse_failed');\n (error as any).cause = err;\n throw error;\n }\n\n delegateForWorker = {\n // senderId = user (the account whose access key authorizes the action)\n senderId: rawDelegate.senderId,\n // receiverId = target contract/account (the intended recipient of the inner actions)\n receiverId: rawDelegate.receiverId,\n actions: parsedActions,\n nonce: rawDelegate.nonce,\n maxBlockHeight: rawDelegate.maxBlockHeight,\n publicKey: rawDelegate.publicKey,\n };\n }\n\n // Build SignedDelegate action payload for the signer worker.\n const actions: ActionArgsWasm[] = [\n {\n action_type: ActionType.SignedDelegate,\n // Pass through the fully-typed delegate payload; the signer WASM maps this\n // into the on-chain SignedDelegateAction inside Action::Delegate.\n delegate_action: delegateForWorker,\n signature: signedDelegate.signature,\n },\n ];\n\n actions.forEach(validateActionArgsWasm);\n\n // Fetch nonce + block hash for the relayer* account.\n // This section builds the outer transaction that the relayer signs and\n // submits to NEAR. The nonce here is the relayer access key nonce and is\n // completely separate from the delegate_action.nonce inside SignedDelegate.\n const block = await nearClient.viewBlock({ finality: 'final' });\n const blockHash = String((block as any)?.header?.hash \|\| '');\n if (!blockHash) {\n throw new Error('missing_block_hash');\n }\n\n // Use viewAccessKey to derive next nonce for relayer\n let nonce = 0n;\n try {\n const ak = await nearClient.viewAccessKey(relayerAccountId, relayerPublicKey);\n nonce = BigInt(ak?.nonce ?? 0);\n } catch {\n nonce = 0n;\n }\n const nextNonce = (nonce + 1n).toString();\n\n // The outer transaction must target the delegate sender account so that\n // on-chain DelegateAction processing sees `sender_id` == tx.receiver.\n // The relayer still pays for gas (as the transaction signer), but the\n // receiver is the wallet user's account that owns the access key used\n // to validate delegate_action.nonce and delegate_action.public_key.\n const delegateSenderId = String(\n delegateForWorker?.senderId \|\|\n signedDelegate?.delegateAction?.senderId \|\| ''\n ).trim();\n\n if (!delegateSenderId) {\n throw new Error('missing_delegate_sender_id');\n }\n\n const signedTx = await signWithPrivateKey({\n nearPrivateKey: relayerPrivateKey,\n signerAccountId: relayerAccountId,\n receiverId: delegateSenderId,\n nonce: nextNonce,\n blockHash,\n actions,\n });\n\n const outcome = await nearClient.sendTransaction(signedTx);\n\n const txHash = outcome?.transaction?.hash \|\| null;\n\n return {\n ok: true,\n transactionHash: txHash \|\| undefined,\n outcome,\n };\n } catch (error: any) {\n const code = error?.code \|\| 'delegate_execution_failed';\n const message = error?.message \|\| String(error);\n return {\n ok: false,\n error: message,\n code,\n };\n }\n}\n"],"mappings":";;;;;;;;AAmEA,eAAsB,+BAA+B,QAGnC;CAChB,MAAM,EAAE,YAAY,mBAAmB;CACvC,MAAM,WAAW,gBAAgB;AACjC,KAAI,CAAC,SACH,OAAM,IAAI,MAAM;CAIlB,MAAM,iBAAiB,OAAO,SAAS;AAGvC,KAAI,kBAAkB,GACpB;CAGF,MAAM,QAAQ,MAAM,WAAW,UAAU,EAAE,UAAU;CACrD,MAAM,gBAAgB,OAAQ,OAAe,QAAQ,UAAU;AAC/D,KAAI,iBAAiB,GACnB,OAAM,IAAI,MAAM;AAGlB,KAAI,gBAAgB,eAClB,OAAM,IAAI,MAAM;;;;;;;;;;AAkFpB,eAAsB,iCAAiC,QAed;CACvC,MAAM,EACJ,YACA,kBACA,kBACA,mBACA,MACA,gBACA,uBACE;AAEJ,KAAI;AAEF,QAAM,+BAA+B;GAAE;GAAY;;EAMnD,MAAMA,cAAmB,gBAAgB;AACzC,MAAI,CAAC,YACH,OAAM,IAAI,MAAM;EAGlB,IAAI,oBAAoB;AACxB,MAAI,eAAe,EAAE,aAAa,gBAAgB,iBAAiB,aAAa;GAC9E,IAAIC,gBAAuB;AAC3B,OAAI;AACF,oBAAgB,YAAY,cACxB,KAAK,MAAM,OAAO,YAAY,gBAC9B;YACG,KAAK;IACZ,MAAM,wBAAQ,IAAI,MAAM;AACxB,IAAC,MAAc,QAAQ;AACvB,UAAM;;AAGR,uBAAoB;IAElB,UAAU,YAAY;IAEtB,YAAY,YAAY;IACxB,SAAS;IACT,OAAO,YAAY;IACnB,gBAAgB,YAAY;IAC5B,WAAW,YAAY;;;EAK3B,MAAMC,UAA4B,CAChC;GACE,aAAa,WAAW;GAGxB,iBAAiB;GACjB,WAAW,eAAe;;AAI9B,UAAQ,QAAQ;EAMhB,MAAM,QAAQ,MAAM,WAAW,UAAU,EAAE,UAAU;EACrD,MAAM,YAAY,OAAQ,OAAe,QAAQ,QAAQ;AACzD,MAAI,CAAC,UACH,OAAM,IAAI,MAAM;EAIlB,IAAI,QAAQ;AACZ,MAAI;GACF,MAAM,KAAK,MAAM,WAAW,cAAc,kBAAkB;AAC5D,WAAQ,OAAO,IAAI,SAAS;UACtB;AACN,WAAQ;;EAEV,MAAM,aAAa,QAAQ,IAAI;EAO/B,MAAM,mBAAmB,OACvB,mBAAmB,YACnB,gBAAgB,gBAAgB,YAAY,IAC5C;AAEF,MAAI,CAAC,iBACH,OAAM,IAAI,MAAM;EAGlB,MAAM,WAAW,MAAM,mBAAmB;GACxC,gBAAgB;GAChB,iBAAiB;GACjB,YAAY;GACZ,OAAO;GACP;GACA;;EAGF,MAAM,UAAU,MAAM,WAAW,gBAAgB;EAEjD,MAAM,SAAS,SAAS,aAAa,QAAQ;AAE7C,SAAO;GACL,IAAI;GACJ,iBAAiB,UAAU;GAC3B;;UAEKC,OAAY;EACnB,MAAM,OAAO,OAAO,QAAQ;EAC5B,MAAM,UAAU,OAAO,WAAW,OAAO;AACzC,SAAO;GACL,IAAI;GACJ,OAAO;GACP"}

package/dist/esm/server/email-recovery/emailEncryptor.js CHANGED Viewed

@@ -1,6 +1,6 @@
-import { canonicalizeEmail } from "./emailParsers.js";
 import { sha256 } from "../node_modules/.pnpm/@noble_hashes@2.0.1/node_modules/@noble/hashes/sha2.js";
 import { x25519 } from "../node_modules/.pnpm/@noble_curves@2.0.1/node_modules/@noble/curves/ed25519.js";
+import { canonicalizeEmail } from "./emailParsers.js";
 import { hkdf } from "../node_modules/.pnpm/@noble_hashes@2.0.1/node_modules/@noble/hashes/hkdf.js";
 import { chacha20poly1305 } from "../node_modules/.pnpm/@noble_ciphers@2.1.1/node_modules/@noble/ciphers/chacha.js";

package/dist/esm/server/email-recovery/emailParsers.js CHANGED Viewed

@@ -1,3 +1,5 @@
+import { ensureEd25519Prefix } from "../sdk/src/utils/validation.js";
 //#region src/server/email-recovery/emailParsers.ts
 let EmailRecoveryModeHint = /* @__PURE__ */ function(EmailRecoveryModeHint$1) {
 	EmailRecoveryModeHint$1["ZkEmail"] = "zk-email";
@@ -5,7 +7,7 @@ let EmailRecoveryModeHint = /* @__PURE__ */ function(EmailRecoveryModeHint$1) {
 	EmailRecoveryModeHint$1["OnchainPublic"] = "onchain-public";
 	return EmailRecoveryModeHint$1;
 }({});
-function normalizeRecoveryMode(raw) {
+function parseRecoveryMode(raw) {
 	if (!raw) return null;
 	const value = raw.trim().toLowerCase();
 	if (value === EmailRecoveryModeHint.ZkEmail) return "zk-email";
@@ -22,7 +24,7 @@ function extractRecoveryModeFromBody(emailBlob) {
 	const firstNonEmptyBodyLine = bodyLines.find((line) => line.trim() !== "");
 	if (!firstNonEmptyBodyLine) return null;
 	const candidate = firstNonEmptyBodyLine.trim();
-	const normalized = normalizeRecoveryMode(candidate);
+	const normalized = parseRecoveryMode(candidate);
 	if (normalized) return normalized;
 	const lower = candidate.toLowerCase();
 	if (lower.includes(EmailRecoveryModeHint.ZkEmail)) return "zk-email";
@@ -81,10 +83,10 @@ function parseRecoverSubjectBindings(rawEmail) {
 	return {
 		requestId,
 		accountId,
-		newPublicKey
+		newPublicKey: ensureEd25519Prefix(newPublicKey)
 	};
 }
 //#endregion
-export { canonicalizeEmail, extractRecoveryModeFromBody, normalizeRecoveryMode, parseHeaderValue, parseRecoverSubjectBindings };
+export { canonicalizeEmail, extractRecoveryModeFromBody, parseHeaderValue, parseRecoverSubjectBindings, parseRecoveryMode };
 //# sourceMappingURL=emailParsers.js.map