npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/esm/server/router/cloudflare.js CHANGED Viewed

@@ -1,135 +1,20 @@
-//#region src/core/WalletIframe/validation.ts
-function isString(x) {
-	return typeof x === "string";
-}
-//#endregion
-//#region src/server/core/shamirHandlers.ts
-async function handleApplyServerLock(service, request) {
-	try {
-		const kek_c_b64u = request.body?.kek_c_b64u;
-		if (!isString(kek_c_b64u) || !kek_c_b64u) return {
-			status: 400,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ error: "kek_c_b64u required and must be a non-empty string" })
-		};
-		const out = await service.applyServerLock(kek_c_b64u);
-		const keyId = service.getCurrentShamirKeyId();
-		return {
-			status: 200,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				...out,
-				keyId
-			})
-		};
-	} catch (e) {
-		return {
-			status: 500,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				error: "internal",
-				details: e?.message
-			})
-		};
-	}
-}
-async function handleRemoveServerLock(service, request) {
-	try {
-		const body = request.body;
-		if (!body) return {
-			status: 400,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ error: "Missing body" })
-		};
-		const { kek_cs_b64u, keyId } = body;
-		if (!isString(kek_cs_b64u) || !kek_cs_b64u) return {
-			status: 400,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ error: "kek_cs_b64u required and must be a non-empty string" })
-		};
-		if (!isString(keyId) || !keyId) return {
-			status: 400,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ error: "keyId required and must be a non-empty string" })
-		};
-		const providedKeyId = String(keyId);
-		const currentKeyId = service.getCurrentShamirKeyId();
-		let out;
-		if (currentKeyId && providedKeyId === currentKeyId) out = await service.removeServerLock(kek_cs_b64u);
-		else if (service.hasGraceKey(providedKeyId)) out = await service.removeGraceServerLockWithKey(providedKeyId, { kek_cs_b64u });
-		else return {
-			status: 400,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({ error: "unknown keyId" })
-		};
-		return {
-			status: 200,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify(out)
-		};
-	} catch (e) {
-		return {
-			status: 500,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				error: "internal",
-				details: e?.message
-			})
-		};
-	}
+//#region src/utils/validation.ts
+/** Strict string coercion: returns the value only when it's already a string. */
+function toOptionalString(value) {
+	return typeof value === "string" ? value : "";
 }
-async function handleGetShamirKeyInfo(service) {
-	try {
-		await service.ensureReady();
-		const currentKeyId = service.getCurrentShamirKeyId();
-		const graceKeyIds = service.getGraceKeyIds();
-		return {
-			status: 200,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				currentKeyId,
-				p_b64u: service.getShamirConfig()?.shamir_p_b64u ?? null,
-				graceKeyIds
-			})
-		};
-	} catch (e) {
-		return {
-			status: 500,
-			headers: { "Content-Type": "application/json" },
-			body: JSON.stringify({
-				error: "internal",
-				details: e?.message
-			})
-		};
-	}
+/** Ensure a non-empty string starts with `/` (path normalization). */
+function ensureLeadingSlash(value) {
+	const trimmed = String(value ?? "").trim();
+	if (!trimmed) return "";
+	return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
 }
-//#endregion
-//#region src/server/core/SessionService.ts
-function parseCsvList(input) {
-	const out = /* @__PURE__ */ new Set();
-	for (const raw of String(input || "").split(",")) {
-		const s = raw.trim();
-		if (!s) continue;
-		try {
-			const u = new URL(s);
-			const host = u.hostname.toLowerCase();
-			const port = u.port ? `:${u.port}` : "";
-			const proto = u.protocol === "http:" || u.protocol === "https:" ? u.protocol : "https:";
-			out.add(`${proto}//${host}${port}`);
-		} catch {
-			const stripped = s.replace(/\/$/, "");
-			if (stripped) out.add(stripped);
-		}
-	}
-	return Array.from(out);
+/** Collapse a string into a single line by normalizing whitespace. */
+function toSingleLine(value) {
+	return String(value ?? "").replace(/[\r\n]+/g, " ").replace(/\s+/g, " ").trim();
 }
-function buildCorsOrigins(...inputs) {
-	const merged = /* @__PURE__ */ new Set();
-	for (const input of inputs) for (const origin of parseCsvList(input)) merged.add(origin);
-	const list = Array.from(merged);
-	return list.length > 0 ? list : "*";
+function isString(x) {
+	return typeof x === "string";
 }
 //#endregion
@@ -282,52 +167,15 @@ function normalizeLogger(logger) {
 		error: safe(error)
 	};
 }
+const coerceLogger = normalizeLogger;
 //#endregion
 //#region src/server/router/logger.ts
-const normalizeRouterLogger = normalizeLogger;
+const coerceRouterLogger = coerceLogger;
 //#endregion
-//#region src/server/router/cloudflare-adaptor.ts
-function normalizePath(path) {
-	const trimmed = String(path || "").trim();
-	if (!trimmed) return "";
-	return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
-}
-function json(body, init, extraHeaders) {
-	const headers = new Headers({ "Content-Type": "application/json; charset=utf-8" });
-	const initHeaders = init?.headers;
-	if (initHeaders) try {
-		new Headers(initHeaders).forEach((v, k) => headers.set(k, v));
-	} catch {}
-	if (extraHeaders) for (const [k, v] of Object.entries(extraHeaders)) headers.set(k, v);
-	const { headers: _omit,...rest } = init || {};
-	return new Response(JSON.stringify(body), {
-		status: 200,
-		...rest,
-		headers
-	});
-}
-function withCors(headers, opts, request) {
-	if (!opts?.corsOrigins) return;
-	let allowedOrigin;
-	const normalized = buildCorsOrigins(...opts.corsOrigins || []);
-	if (normalized === "*") {
-		allowedOrigin = "*";
-		headers.set("Access-Control-Allow-Origin", "*");
-	} else if (Array.isArray(normalized)) {
-		const origin = request?.headers.get("Origin") || "";
-		if (origin && normalized.includes(origin)) {
-			allowedOrigin = origin;
-			headers.set("Access-Control-Allow-Origin", origin);
-			headers.append("Vary", "Origin");
-		}
-	}
-	headers.set("Access-Control-Allow-Methods", "GET,POST,OPTIONS");
-	headers.set("Access-Control-Allow-Headers", "Content-Type,Authorization");
-	if (allowedOrigin && allowedOrigin !== "*") headers.set("Access-Control-Allow-Credentials", "true");
-}
-function normalizeEmailAddress(input) {
+//#region src/server/router/cloudflare/email.ts
+function toEmailAddress(input) {
 	const trimmed = String(input || "").trim();
 	const angleStart = trimmed.indexOf("<");
 	const angleEnd = trimmed.indexOf(">");
@@ -373,14 +221,14 @@ async function buildForwardableEmailPayloadFromCloudflareMessage(message) {
 	};
 }
 function createCloudflareEmailHandler(service, opts = {}) {
-	const logger = normalizeRouterLogger(opts.logger);
-	const expectedRecipient = normalizeEmailAddress(opts.expectedRecipient || "");
+	const logger = coerceRouterLogger(opts.logger);
+	const expectedRecipient = toEmailAddress(opts.expectedRecipient || "");
 	const allowUnexpectedRecipient = opts.allowUnexpectedRecipient !== false;
 	const verbose = Boolean(opts.verbose);
 	return async (message) => {
 		try {
 			const payload = await buildForwardableEmailPayloadFromCloudflareMessage(message);
-			const to = normalizeEmailAddress(payload.to);
+			const to = toEmailAddress(payload.to);
 			if (expectedRecipient) {
 				if (to !== expectedRecipient) {
 					logger.warn("[email] unexpected recipient", {
@@ -409,7 +257,7 @@ function createCloudflareEmailHandler(service, opts = {}) {
 			}
 			if (!service.emailRecovery) {
 				logger.warn("[email] rejecting: EmailRecoveryService not configured");
-				message.setReject("Recovery relayer rejected email: email recovery service unavailable");
+				message.setReject("Email recovery relayer rejected email: email recovery service unavailable");
 				return;
 			}
 			const result = await service.emailRecovery.requestEmailRecovery({
@@ -420,9 +268,11 @@ function createCloudflareEmailHandler(service, opts = {}) {
 			if (!result?.success) {
 				logger.warn("[email] recovery failed", {
 					accountId: parsed.accountId,
-					error: result?.error || "unknown"
+					error: result?.error || "unknown",
+					message: result?.message
 				});
-				message.setReject(`Email recovery relayer rejected email: ${result?.error || "recovery failed"}`);
+				const reason = toSingleLine(result?.message || result?.error || "recovery failed");
+				message.setReject(`Email recovery relayer rejected email: ${reason}`);
 				return;
 			}
 			logger.info("[email] recovery submitted", { accountId: parsed.accountId });
@@ -432,523 +282,1111 @@ function createCloudflareEmailHandler(service, opts = {}) {
 		}
 	};
 }
-function createCloudflareRouter(service, opts = {}) {
-	const notFound = () => new Response("Not Found", { status: 404 });
-	const mePath = opts.sessionRoutes?.auth || "/session/auth";
-	const logoutPath = opts.sessionRoutes?.logout || "/session/logout";
-	const logger = normalizeRouterLogger(opts.logger);
-	const signedDelegatePath = (() => {
-		if (!opts.signedDelegate) return "";
-		const raw = String(opts.signedDelegate.route || "").trim();
-		if (!raw) throw new Error("RelayRouterOptions.signedDelegate.route is required");
-		return normalizePath(raw);
-	})();
-	const signedDelegatePolicy = opts.signedDelegate?.policy;
-	return async function handler(request, env, ctx) {
-		const url = new URL(request.url);
-		const { pathname } = url;
-		const method = request.method.toUpperCase();
-		if (method === "OPTIONS") {
-			const res = new Response(null, { status: 204 });
-			withCors(res.headers, opts, request);
-			return res;
-		}
-		const toResponse = (out) => {
-			const res = new Response(out.body, {
-				status: out.status,
-				headers: out.headers
-			});
-			withCors(res.headers, opts, request);
-			return res;
-		};
-		const isObject = (v) => typeof v === "object" && v !== null;
+//#endregion
+//#region src/server/router/cloudflare/cron.ts
+function createCloudflareCron(service, opts = {}) {
+	const logger = coerceRouterLogger(opts.logger);
+	const enabled = Boolean(opts.enabled);
+	const doRotate = Boolean(opts.rotate);
+	if (!enabled) return async () => {};
+	return async (_event) => {
 		try {
-			if (method === "GET" && (pathname === "/.well-known/webauthn" || pathname === "/.well-known/webauthn/")) {
-				const contractId = (env?.ROR_CONTRACT_ID || env?.WEBAUTHN_CONTRACT_ID || "").toString().trim() || void 0;
-				const methodName = (env?.ROR_METHOD || "").toString().trim() || void 0;
-				const origins = await service.getRorOrigins({
-					contractId,
-					method: methodName
-				});
-				const res = json({ origins }, {
-					status: 200,
-					headers: { "Cache-Control": "max-age=60, stale-while-revalidate=600" }
-				});
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === "/create_account_and_register_user") {
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				if (!isObject(body)) {
-					const res$1 = json({
-						code: "invalid_body",
-						message: "JSON body required"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const new_account_id = typeof body.new_account_id === "string" ? body.new_account_id : "";
-				const new_public_key = typeof body.new_public_key === "string" ? body.new_public_key : "";
-				const vrf_data = isObject(body.vrf_data) ? body.vrf_data : null;
-				const webauthn_registration = isObject(body.webauthn_registration) ? body.webauthn_registration : null;
-				const deterministic_vrf_public_key = body.deterministic_vrf_public_key;
-				const authenticator_options = isObject(body.authenticator_options) ? body.authenticator_options : void 0;
-				if (!new_account_id) {
-					const res$1 = json({
-						code: "invalid_body",
-						message: "Missing or invalid new_account_id"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				if (!new_public_key) {
-					const res$1 = json({
-						code: "invalid_body",
-						message: "Missing or invalid new_public_key"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				if (!vrf_data) {
-					const res$1 = json({
-						code: "invalid_body",
-						message: "Missing or invalid vrf_data"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				if (!webauthn_registration) {
-					const res$1 = json({
-						code: "invalid_body",
-						message: "Missing or invalid webauthn_registration"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const input = {
-					new_account_id,
-					new_public_key,
-					vrf_data,
-					webauthn_registration,
-					deterministic_vrf_public_key,
-					authenticator_options
-				};
-				const result = await service.createAccountAndRegisterUser(input);
-				const res = json(result, { status: result.success ? 200 : 400 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (signedDelegatePath && pathname === signedDelegatePath) {
-				if (method === "OPTIONS") {
-					const res$1 = new Response(null, { status: 204 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				if (method !== "POST") return notFound();
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				const valid = isObject(body) && typeof body.hash === "string" && Boolean(body.hash) && Boolean(body.signedDelegate);
-				if (!valid) {
-					const res$1 = json({
-						ok: false,
-						code: "invalid_body",
-						message: "Expected { hash, signedDelegate }"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const result = await service.executeSignedDelegate({
-					hash: String(body.hash),
-					signedDelegate: body.signedDelegate,
-					policy: signedDelegatePolicy
-				});
-				if (!result || !result.ok) {
-					const res$1 = json({
-						ok: false,
-						code: result?.code || "delegate_execution_failed",
-						message: result?.error || "Failed to execute delegate action"
-					}, { status: 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const res = json({
-					ok: true,
-					relayerTxHash: result.transactionHash || null,
-					status: "submitted",
-					outcome: result.outcome ?? null
-				}, { status: 200 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === "/vrf/apply-server-lock") {
-				const shamir = service.shamirService;
-				if (!shamir || !await shamir.ensureReady()) {
-					const res = json({
-						code: "shamir_disabled",
-						message: "Shamir 3-pass is not configured on this server"
-					}, { status: 503 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				const valid = isObject(body) && typeof body.kek_c_b64u === "string" && body.kek_c_b64u.length > 0;
-				if (!valid) {
-					const res = json({
-						code: "invalid_body",
-						message: "kek_c_b64u is required"
-					}, { status: 400 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				const out = await handleApplyServerLock(shamir, { body: { kek_c_b64u: String(body.kek_c_b64u) } });
-				return toResponse(out);
-			}
-			if (method === "POST" && pathname === "/verify-authentication-response") {
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				const valid = isObject(body) && isObject(body.vrf_data) && isObject(body.webauthn_authentication);
-				if (!valid) {
-					const res = json({
-						code: "invalid_body",
-						message: "vrf_data and webauthn_authentication are required"
-					}, { status: 400 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				try {
-					const sessionKind = (body?.sessionKind || body?.session_kind) === "cookie" ? "cookie" : "jwt";
-					const result = await service.verifyAuthenticationResponse(body);
-					const status = result.success ? 200 : 400;
-					if (status !== 200) {
-						const res$1 = json({
-							code: "not_verified",
-							message: result.message || "Authentication verification failed"
-						}, { status });
-						withCors(res$1.headers, opts, request);
-						return res$1;
-					}
-					const res = json(result, { status: 200 });
-					const session = opts.session;
-					if (session && result.verified) try {
-						const userId = String(body.vrf_data?.user_id || "");
-						const token = await session.signJwt(userId, {
-							rpId: body.vrf_data?.rp_id,
-							blockHeight: body.vrf_data?.block_height
-						});
-						logger.info(`[relay] creating ${sessionKind === "cookie" ? "HttpOnly session" : "JWT"} for`, userId);
-						if (sessionKind === "cookie") res.headers.set("Set-Cookie", session.buildSetCookie(token));
-						else {
-							const payload = await res.clone().json();
-							return new Response(JSON.stringify({
-								...payload,
-								jwt: token
-							}), {
-								status: 200,
-								headers: res.headers
-							});
-						}
-					} catch {}
-					withCors(res.headers, opts, request);
-					return res;
-				} catch (e) {
-					const res = json({
-						code: "internal",
-						message: e?.message || "Internal error"
-					}, { status: 500 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-			}
-			if (method === "GET" && pathname === mePath) try {
-				const headersObj = {};
-				request.headers.forEach((v, k) => {
-					headersObj[k] = v;
-				});
-				const session = opts.session;
-				if (!session) {
-					const res$1 = json({
-						authenticated: false,
-						code: "sessions_disabled",
-						message: "Sessions are not configured"
-					}, { status: 501 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const parsed = await session.parse(headersObj);
-				const res = json(parsed.ok ? {
-					authenticated: true,
-					claims: parsed.claims
-				} : { authenticated: false }, { status: parsed.ok ? 200 : 401 });
-				withCors(res.headers, opts, request);
-				return res;
-			} catch (e) {
-				const res = json({
-					authenticated: false,
-					code: "internal",
-					message: e?.message || "Internal error"
-				}, { status: 500 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === logoutPath) {
-				const res = json({ success: true }, { status: 200 });
-				const session = opts.session;
-				if (session) res.headers.set("Set-Cookie", session.buildClearCookie());
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === "/session/refresh") {
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				const sessionKind = (body?.sessionKind || body?.session_kind) === "cookie" ? "cookie" : "jwt";
-				const session = opts.session;
-				if (!session) {
-					const res$1 = json({
-						code: "sessions_disabled",
-						message: "Sessions are not configured"
-					}, { status: 501 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const out = await session.refresh(Object.fromEntries(request.headers.entries()));
-				if (!out.ok || !out.jwt) {
-					const res$1 = json({
-						code: out.code || "not_eligible",
-						message: out.message || "Refresh not eligible"
-					}, { status: out.code === "unauthorized" ? 401 : 400 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const res = json(sessionKind === "cookie" ? { ok: true } : {
-					ok: true,
-					jwt: out.jwt
-				}, { status: 200 });
-				if (sessionKind === "cookie" && out.jwt) try {
-					res.headers.set("Set-Cookie", session.buildSetCookie(out.jwt));
-				} catch {}
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === "/recover-email") {
-				const prefer = String(request.headers.get("prefer") || "").toLowerCase();
-				const respondAsync = prefer.includes("respond-async") || String(url.searchParams.get("async") || "").trim() === "1" || String(url.searchParams.get("respond_async") || "").trim() === "1";
-				let rawBody;
-				try {
-					rawBody = await request.json();
-				} catch {
-					rawBody = null;
-				}
-				const parsed = parseRecoverEmailRequest(rawBody, { headers: request.headers });
-				if (!parsed.ok) {
-					const res$1 = json({
-						code: parsed.code,
-						message: parsed.message
-					}, { status: parsed.status });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const { accountId, emailBlob, explicitMode } = parsed;
-				if (!service.emailRecovery) {
-					const res$1 = json({
-						code: "email_recovery_unavailable",
-						message: "EmailRecoveryService is not configured on this server"
-					}, { status: 503 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				if (respondAsync && ctx && typeof ctx.waitUntil === "function") {
-					ctx.waitUntil(service.emailRecovery.requestEmailRecovery({
-						accountId,
-						emailBlob,
-						explicitMode
-					}).then((result$1) => {
-						logger.info("[recover-email] async complete", {
-							success: result$1?.success === true,
-							accountId,
-							error: result$1?.success ? void 0 : result$1?.error
-						});
-					}).catch((err) => {
-						logger.error("[recover-email] async error", {
-							accountId,
-							error: err?.message || String(err)
-						});
-					}));
-					const res$1 = json({
-						success: true,
-						queued: true,
-						accountId
-					}, { status: 202 });
-					withCors(res$1.headers, opts, request);
-					return res$1;
-				}
-				const result = await service.emailRecovery.requestEmailRecovery({
-					accountId,
-					emailBlob,
-					explicitMode
-				});
-				const res = json(result, { status: result.success ? 202 : 400 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (method === "POST" && pathname === "/vrf/remove-server-lock") {
-				const shamir = service.shamirService;
-				if (!shamir || !await shamir.ensureReady()) {
-					const res = json({
-						code: "shamir_disabled",
-						message: "Shamir 3-pass is not configured on this server"
-					}, { status: 503 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				let body;
-				try {
-					body = await request.json();
-				} catch {
-					body = null;
-				}
-				const valid = isObject(body) && typeof body.kek_cs_b64u === "string" && body.kek_cs_b64u.length > 0 && typeof body.keyId === "string" && String(body.keyId).length > 0;
-				if (!valid) {
-					const res = json({
-						code: "invalid_body",
-						message: "kek_cs_b64u and keyId are required"
-					}, { status: 400 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				const out = await handleRemoveServerLock(shamir, { body: {
-					kek_cs_b64u: String(body.kek_cs_b64u),
-					keyId: String(body.keyId)
-				} });
-				return toResponse(out);
-			}
-			if (method === "GET" && pathname === "/shamir/key-info") {
-				const shamir = service.shamirService;
-				if (!shamir || !await shamir.ensureReady()) {
-					const res = json({
-						code: "shamir_disabled",
-						message: "Shamir 3-pass is not configured on this server"
-					}, { status: 503 });
-					withCors(res.headers, opts, request);
-					return res;
-				}
-				const out = await handleGetShamirKeyInfo(shamir);
-				return toResponse(out);
-			}
-			if (opts.healthz && method === "GET" && pathname === "/healthz") {
-				const allowed = buildCorsOrigins(...opts.corsOrigins || []);
-				const corsAllowed = allowed === "*" ? "*" : allowed;
-				const shamir = service.shamirService;
-				const shamirConfigured = Boolean(shamir && shamir.hasShamir());
-				let currentKeyId = null;
-				if (shamirConfigured && shamir) try {
-					const { currentKeyId: id } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body);
-					currentKeyId = id || null;
-				} catch {}
-				const proverBaseUrl = service.emailRecovery?.getZkEmailProverBaseUrl?.() ?? null;
-				const zkEmailConfigured = Boolean(proverBaseUrl);
-				const res = json({
-					ok: true,
-					currentKeyId,
-					shamir: {
-						configured: shamirConfigured,
-						currentKeyId
-					},
-					zkEmail: {
-						configured: zkEmailConfigured,
-						proverBaseUrl
-					},
-					cors: { allowedOrigins: corsAllowed }
-				}, { status: 200 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			if (opts.readyz && method === "GET" && pathname === "/readyz") {
-				const allowed = buildCorsOrigins(...opts.corsOrigins || []);
-				const corsAllowed = allowed === "*" ? "*" : allowed;
+			if (doRotate) {
 				const shamir = service.shamirService;
-				const shamirConfigured = Boolean(shamir && shamir.hasShamir());
-				let shamirReady = null;
-				let shamirCurrentKeyId = null;
-				let shamirError;
-				if (shamirConfigured && shamir) try {
-					await shamir.ensureReady();
-					shamirReady = true;
-					const { currentKeyId } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body);
-					shamirCurrentKeyId = currentKeyId || null;
-				} catch (e) {
-					shamirReady = false;
-					shamirError = e?.message || String(e);
+				if (!shamir) logger.warn("[cloudflare-cron] Shamir not configured; skipping rotation");
+				else {
+					const rotation = await shamir.rotateShamirServerKeypair();
+					logger.info("[cloudflare-cron] rotated key", rotation.newKeyId, "graceIds:", rotation.graceKeyIds);
 				}
-				const zk = service.emailRecovery ? await service.emailRecovery.checkZkEmailProverHealth() : {
-					configured: false,
-					baseUrl: null,
-					healthy: null
-				};
-				const ok = (shamirConfigured ? shamirReady === true : true) && (zk.configured ? zk.healthy === true : true);
-				const res = json({
-					ok,
-					shamir: {
-						configured: shamirConfigured,
-						ready: shamirConfigured ? shamirReady : null,
-						currentKeyId: shamirCurrentKeyId,
-						error: shamirError
-					},
-					zkEmail: zk,
-					cors: { allowedOrigins: corsAllowed }
-				}, { status: ok ? 200 : 503 });
-				withCors(res.headers, opts, request);
-				return res;
-			}
-			return notFound();
+			} else logger.info("[cloudflare-cron] enabled but rotate=false (no action)");
 		} catch (e) {
-			const res = json({
-				code: "internal",
-				message: e instanceof Error ? e.message : String(e)
-			}, { status: 500 });
-			withCors(res.headers, opts, request);
-			return res;
+			logger.error("[cloudflare-cron] failed", e instanceof Error ? e.message : String(e));
 		}
 	};
 }
-function createCloudflareCron(service, opts = {}) {
-	const logger = normalizeRouterLogger(opts.logger);
-	const enabled = Boolean(opts.enabled);
-	const doRotate = Boolean(opts.rotate);
-	if (!enabled) return async () => {};
-	return async (_event) => {
+//#endregion
+//#region src/server/core/SessionService.ts
+function parseCsvList(input) {
+	const out = /* @__PURE__ */ new Set();
+	for (const raw of String(input || "").split(",")) {
+		const s = raw.trim();
+		if (!s) continue;
 		try {
-			if (doRotate) {
-				const shamir = service.shamirService;
-				if (!shamir) logger.warn("[cloudflare-cron] Shamir not configured; skipping rotation");
-				else {
-					const rotation = await shamir.rotateShamirServerKeypair();
-					logger.info("[cloudflare-cron] rotated key", rotation.newKeyId, "graceIds:", rotation.graceKeyIds);
+			const u = new URL(s);
+			const host = u.hostname.toLowerCase();
+			const port = u.port ? `:${u.port}` : "";
+			const proto = u.protocol === "http:" || u.protocol === "https:" ? u.protocol : "https:";
+			out.add(`${proto}//${host}${port}`);
+		} catch {
+			const stripped = s.replace(/\/$/, "");
+			if (stripped) out.add(stripped);
+		}
+	}
+	return Array.from(out);
+}
+function buildCorsOrigins(...inputs) {
+	const merged = /* @__PURE__ */ new Set();
+	for (const input of inputs) for (const origin of parseCsvList(input)) merged.add(origin);
+	const list = Array.from(merged);
+	return list.length > 0 ? list : "*";
+}
+//#endregion
+//#region src/server/router/cloudflare/http.ts
+function json(body, init, extraHeaders) {
+	const headers = new Headers({ "Content-Type": "application/json; charset=utf-8" });
+	const initHeaders = init?.headers;
+	if (initHeaders) try {
+		new Headers(initHeaders).forEach((v, k) => headers.set(k, v));
+	} catch {}
+	if (extraHeaders) for (const [k, v] of Object.entries(extraHeaders)) headers.set(k, v);
+	const { headers: _omit,...rest } = init || {};
+	return new Response(JSON.stringify(body), {
+		status: 200,
+		...rest,
+		headers
+	});
+}
+function withCors(headers, opts, request) {
+	if (!opts?.corsOrigins) return;
+	let allowedOrigin;
+	const normalized = buildCorsOrigins(...opts.corsOrigins || []);
+	if (normalized === "*") {
+		allowedOrigin = "*";
+		headers.set("Access-Control-Allow-Origin", "*");
+	} else if (Array.isArray(normalized)) {
+		const origin = request?.headers.get("Origin") || "";
+		if (origin && normalized.includes(origin)) {
+			allowedOrigin = origin;
+			headers.set("Access-Control-Allow-Origin", origin);
+			headers.append("Vary", "Origin");
+		}
+	}
+	headers.set("Access-Control-Allow-Methods", "GET,POST,OPTIONS");
+	headers.set("Access-Control-Allow-Headers", "Content-Type,Authorization");
+	if (allowedOrigin && allowedOrigin !== "*") headers.set("Access-Control-Allow-Credentials", "true");
+}
+function toResponse(out) {
+	return new Response(out.body, {
+		status: out.status,
+		headers: out.headers
+	});
+}
+function isObject(v) {
+	return typeof v === "object" && v !== null;
+}
+async function readJson(request) {
+	try {
+		return await request.json();
+	} catch {
+		return null;
+	}
+}
+function headersToRecord(headers) {
+	const out = {};
+	headers.forEach((v, k) => {
+		out[k] = v;
+	});
+	return out;
+}
+//#endregion
+//#region src/server/router/cloudflare/routes/createAccountAndRegisterUser.ts
+async function handleCreateAccountAndRegisterUser(ctx) {
+	if (ctx.method !== "POST" || ctx.pathname !== "/create_account_and_register_user") return null;
+	const body = await readJson(ctx.request);
+	if (!isObject(body)) return json({
+		code: "invalid_body",
+		message: "JSON body required"
+	}, { status: 400 });
+	const new_account_id = typeof body.new_account_id === "string" ? body.new_account_id : "";
+	const new_public_key = typeof body.new_public_key === "string" ? body.new_public_key : "";
+	const threshold_ed25519 = isObject(body.threshold_ed25519) ? body.threshold_ed25519 : void 0;
+	const vrf_data = isObject(body.vrf_data) ? body.vrf_data : null;
+	const webauthn_registration = isObject(body.webauthn_registration) ? body.webauthn_registration : null;
+	const deterministic_vrf_public_key = body.deterministic_vrf_public_key;
+	const authenticator_options = isObject(body.authenticator_options) ? body.authenticator_options : void 0;
+	if (!new_account_id) return json({
+		code: "invalid_body",
+		message: "Missing or invalid new_account_id"
+	}, { status: 400 });
+	if (!new_public_key) return json({
+		code: "invalid_body",
+		message: "Missing or invalid new_public_key"
+	}, { status: 400 });
+	if (!vrf_data) return json({
+		code: "invalid_body",
+		message: "Missing or invalid vrf_data"
+	}, { status: 400 });
+	if (!webauthn_registration) return json({
+		code: "invalid_body",
+		message: "Missing or invalid webauthn_registration"
+	}, { status: 400 });
+	const threshold = ctx.opts.threshold;
+	const thresholdClientVerifyingShareB64u = isObject(threshold_ed25519) && typeof threshold_ed25519.client_verifying_share_b64u === "string" ? String(threshold_ed25519.client_verifying_share_b64u || "").trim() : "";
+	let thresholdKeygen = null;
+	let thresholdWarning = null;
+	if (thresholdClientVerifyingShareB64u) if (!threshold) thresholdWarning = "threshold signing is not configured on this server";
+	else {
+		const rpId = typeof vrf_data.rp_id === "string" ? String(vrf_data.rp_id || "") : typeof vrf_data.rpId === "string" ? String(vrf_data.rpId || "") : "";
+		if (!rpId.trim()) thresholdWarning = "missing vrf_data.rp_id";
+		else {
+			const out = await threshold.keygenFromClientVerifyingShareForRegistration({
+				nearAccountId: new_account_id,
+				rpId,
+				clientVerifyingShareB64u: thresholdClientVerifyingShareB64u
+			});
+			if (!out.ok) thresholdWarning = out.message || "threshold-ed25519 registration keygen failed";
+			else thresholdKeygen = out;
+		}
+	}
+	const input = {
+		new_account_id,
+		new_public_key,
+		vrf_data,
+		webauthn_registration,
+		deterministic_vrf_public_key,
+		authenticator_options
+	};
+	const result = await ctx.service.createAccountAndRegisterUser(input);
+	let response = result;
+	if (result.success && threshold && thresholdKeygen) try {
+		await threshold.putRelayerKeyMaterial({
+			relayerKeyId: thresholdKeygen.relayerKeyId,
+			publicKey: thresholdKeygen.publicKey,
+			relayerSigningShareB64u: thresholdKeygen.relayerSigningShareB64u,
+			relayerVerifyingShareB64u: thresholdKeygen.relayerVerifyingShareB64u
+		});
+		response = {
+			...response,
+			thresholdEd25519: {
+				relayerKeyId: thresholdKeygen.relayerKeyId,
+				publicKey: thresholdKeygen.publicKey,
+				relayerVerifyingShareB64u: thresholdKeygen.relayerVerifyingShareB64u,
+				clientParticipantId: thresholdKeygen.clientParticipantId,
+				relayerParticipantId: thresholdKeygen.relayerParticipantId,
+				participantIds: thresholdKeygen.participantIds
+			}
+		};
+	} catch (e) {
+		thresholdWarning = thresholdWarning || (e && typeof e === "object" && "message" in e ? String(e.message || "threshold signing persistence failed") : String(e || "threshold signing persistence failed"));
+	}
+	if (result.success && thresholdWarning) response = {
+		...response,
+		message: `${response.message || "Account created and registered successfully"} (threshold enrollment skipped: ${thresholdWarning})`
+	};
+	return json(response, { status: response.success ? 200 : 400 });
+}
+//#endregion
+//#region src/server/core/shamirHandlers.ts
+async function handleApplyServerLock(service, request) {
+	try {
+		const kek_c_b64u = request.body?.kek_c_b64u;
+		if (!isString(kek_c_b64u) || !kek_c_b64u) return {
+			status: 400,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ error: "kek_c_b64u required and must be a non-empty string" })
+		};
+		const out = await service.applyServerLock(kek_c_b64u);
+		const keyId = service.getCurrentShamirKeyId();
+		return {
+			status: 200,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				...out,
+				keyId
+			})
+		};
+	} catch (e) {
+		return {
+			status: 500,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				error: "internal",
+				details: e?.message
+			})
+		};
+	}
+}
+async function handleRemoveServerLock(service, request) {
+	try {
+		const body = request.body;
+		if (!body) return {
+			status: 400,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ error: "Missing body" })
+		};
+		const { kek_cs_b64u, keyId } = body;
+		if (!isString(kek_cs_b64u) || !kek_cs_b64u) return {
+			status: 400,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ error: "kek_cs_b64u required and must be a non-empty string" })
+		};
+		if (!isString(keyId) || !keyId) return {
+			status: 400,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ error: "keyId required and must be a non-empty string" })
+		};
+		const providedKeyId = String(keyId);
+		const currentKeyId = service.getCurrentShamirKeyId();
+		let out;
+		if (currentKeyId && providedKeyId === currentKeyId) out = await service.removeServerLock(kek_cs_b64u);
+		else if (service.hasGraceKey(providedKeyId)) out = await service.removeGraceServerLockWithKey(providedKeyId, { kek_cs_b64u });
+		else return {
+			status: 400,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ error: "unknown keyId" })
+		};
+		return {
+			status: 200,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify(out)
+		};
+	} catch (e) {
+		return {
+			status: 500,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				error: "internal",
+				details: e?.message
+			})
+		};
+	}
+}
+async function handleGetShamirKeyInfo(service) {
+	try {
+		await service.ensureReady();
+		const currentKeyId = service.getCurrentShamirKeyId();
+		const graceKeyIds = service.getGraceKeyIds();
+		return {
+			status: 200,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				currentKeyId,
+				p_b64u: service.getShamirConfig()?.shamir_p_b64u ?? null,
+				graceKeyIds
+			})
+		};
+	} catch (e) {
+		return {
+			status: 500,
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({
+				error: "internal",
+				details: e?.message
+			})
+		};
+	}
+}
+//#endregion
+//#region src/server/router/cloudflare/routes/health.ts
+async function handleHealth(ctx) {
+	if (!ctx.opts.healthz || ctx.method !== "GET" || ctx.pathname !== "/healthz") return null;
+	const allowed = buildCorsOrigins(...ctx.opts.corsOrigins || []);
+	const corsAllowed = allowed === "*" ? "*" : allowed;
+	const shamir = ctx.service.shamirService;
+	const shamirConfigured = Boolean(shamir && shamir.hasShamir());
+	const thresholdConfigured = Boolean(ctx.opts.threshold);
+	let currentKeyId = null;
+	if (shamirConfigured && shamir) try {
+		const { currentKeyId: id } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body);
+		currentKeyId = id || null;
+	} catch {}
+	const proverBaseUrl = ctx.service.emailRecovery?.getZkEmailProverBaseUrl?.() ?? null;
+	const zkEmailConfigured = Boolean(proverBaseUrl);
+	return json({
+		ok: true,
+		currentKeyId,
+		shamir: {
+			configured: shamirConfigured,
+			currentKeyId
+		},
+		zkEmail: {
+			configured: zkEmailConfigured,
+			proverBaseUrl
+		},
+		thresholdEd25519: { configured: thresholdConfigured },
+		cors: { allowedOrigins: corsAllowed }
+	}, { status: 200 });
+}
+async function handleReady(ctx) {
+	if (!ctx.opts.readyz || ctx.method !== "GET" || ctx.pathname !== "/readyz") return null;
+	const allowed = buildCorsOrigins(...ctx.opts.corsOrigins || []);
+	const corsAllowed = allowed === "*" ? "*" : allowed;
+	const shamir = ctx.service.shamirService;
+	const shamirConfigured = Boolean(shamir && shamir.hasShamir());
+	const thresholdConfigured = Boolean(ctx.opts.threshold);
+	let shamirReady = null;
+	let shamirCurrentKeyId = null;
+	let shamirError;
+	if (shamirConfigured && shamir) try {
+		await shamir.ensureReady();
+		shamirReady = true;
+		const { currentKeyId } = JSON.parse((await handleGetShamirKeyInfo(shamir)).body);
+		shamirCurrentKeyId = currentKeyId || null;
+	} catch (e) {
+		shamirReady = false;
+		shamirError = e?.message || String(e);
+	}
+	const zk = ctx.service.emailRecovery ? await ctx.service.emailRecovery.checkZkEmailProverHealth() : {
+		configured: false,
+		baseUrl: null,
+		healthy: null
+	};
+	const ok = (shamirConfigured ? shamirReady === true : true) && (zk.configured ? zk.healthy === true : true);
+	return json({
+		ok,
+		shamir: {
+			configured: shamirConfigured,
+			ready: shamirConfigured ? shamirReady : null,
+			currentKeyId: shamirCurrentKeyId,
+			error: shamirError
+		},
+		thresholdEd25519: { configured: thresholdConfigured },
+		zkEmail: zk,
+		cors: { allowedOrigins: corsAllowed }
+	}, { status: ok ? 200 : 503 });
+}
+//#endregion
+//#region src/server/router/cloudflare/routes/recoverEmail.ts
+async function handleRecoverEmail(ctx) {
+	if (ctx.method !== "POST" || ctx.pathname !== "/recover-email") return null;
+	const prefer = String(ctx.request.headers.get("prefer") || "").toLowerCase();
+	const respondAsync = prefer.includes("respond-async") || String(ctx.url.searchParams.get("async") || "").trim() === "1" || String(ctx.url.searchParams.get("respond_async") || "").trim() === "1";
+	const rawBody = await readJson(ctx.request);
+	const parsed = parseRecoverEmailRequest(rawBody, { headers: ctx.request.headers });
+	if (!parsed.ok) return json({
+		code: parsed.code,
+		message: parsed.message
+	}, { status: parsed.status });
+	const { accountId, emailBlob, explicitMode } = parsed;
+	if (!ctx.service.emailRecovery) return json({
+		code: "email_recovery_unavailable",
+		message: "EmailRecoveryService is not configured on this server"
+	}, { status: 503 });
+	if (respondAsync && ctx.cfCtx && typeof ctx.cfCtx.waitUntil === "function") {
+		ctx.cfCtx.waitUntil(ctx.service.emailRecovery.requestEmailRecovery({
+			accountId,
+			emailBlob,
+			explicitMode
+		}).then((result$1) => {
+			ctx.logger.info("[recover-email] async complete", {
+				success: result$1?.success === true,
+				accountId,
+				error: result$1?.success ? void 0 : result$1?.error
+			});
+		}).catch((err) => {
+			ctx.logger.error("[recover-email] async error", {
+				accountId,
+				error: err?.message || String(err)
+			});
+		}));
+		return json({
+			success: true,
+			queued: true,
+			accountId
+		}, { status: 202 });
+	}
+	const result = await ctx.service.emailRecovery.requestEmailRecovery({
+		accountId,
+		emailBlob,
+		explicitMode
+	});
+	return json(result, { status: result.success ? 202 : 400 });
+}
+//#endregion
+//#region src/server/router/relay.ts
+function parseSessionKind(body) {
+	const v = body && typeof body === "object" && !Array.isArray(body) ? body : {};
+	const raw = v.sessionKind ?? v.session_kind;
+	return raw === "cookie" ? "cookie" : "jwt";
+}
+//#endregion
+//#region src/server/router/cloudflare/routes/sessions.ts
+async function handleSessionAuth(ctx) {
+	if (ctx.method !== "GET" || ctx.pathname !== ctx.mePath) return null;
+	try {
+		const session = ctx.opts.session;
+		if (!session) return json({
+			authenticated: false,
+			code: "sessions_disabled",
+			message: "Sessions are not configured"
+		}, { status: 501 });
+		const parsed = await session.parse(headersToRecord(ctx.request.headers));
+		return json(parsed.ok ? {
+			authenticated: true,
+			claims: parsed.claims
+		} : { authenticated: false }, { status: parsed.ok ? 200 : 401 });
+	} catch (e) {
+		return json({
+			authenticated: false,
+			code: "internal",
+			message: e?.message || "Internal error"
+		}, { status: 500 });
+	}
+}
+async function handleSessionLogout(ctx) {
+	if (ctx.method !== "POST" || ctx.pathname !== ctx.logoutPath) return null;
+	const res = json({ success: true }, { status: 200 });
+	const session = ctx.opts.session;
+	if (session) res.headers.set("Set-Cookie", session.buildClearCookie());
+	return res;
+}
+async function handleSessionRefresh(ctx) {
+	if (ctx.method !== "POST" || ctx.pathname !== "/session/refresh") return null;
+	const body = await readJson(ctx.request);
+	const sessionKind = parseSessionKind(body);
+	const session = ctx.opts.session;
+	if (!session) return json({
+		code: "sessions_disabled",
+		message: "Sessions are not configured"
+	}, { status: 501 });
+	const out = await session.refresh(Object.fromEntries(ctx.request.headers.entries()));
+	if (!out.ok || !out.jwt) return json({
+		code: out.code || "not_eligible",
+		message: out.message || "Refresh not eligible"
+	}, { status: out.code === "unauthorized" ? 401 : 400 });
+	const res = json(sessionKind === "cookie" ? { ok: true } : {
+		ok: true,
+		jwt: out.jwt
+	}, { status: 200 });
+	if (sessionKind === "cookie" && out.jwt) try {
+		res.headers.set("Set-Cookie", session.buildSetCookie(out.jwt));
+	} catch {}
+	return res;
+}
+//#endregion
+//#region src/server/router/cloudflare/routes/shamir.ts
+async function handleShamir(ctx) {
+	if (ctx.method === "POST" && ctx.pathname === "/vrf/apply-server-lock") {
+		const shamir = ctx.service.shamirService;
+		if (!shamir || !await shamir.ensureReady()) return json({
+			code: "shamir_disabled",
+			message: "Shamir 3-pass is not configured on this server"
+		}, { status: 503 });
+		const body = await readJson(ctx.request);
+		const valid = isObject(body) && typeof body.kek_c_b64u === "string" && body.kek_c_b64u.length > 0;
+		if (!valid) return json({
+			code: "invalid_body",
+			message: "kek_c_b64u is required"
+		}, { status: 400 });
+		const out = await handleApplyServerLock(shamir, { body: { kek_c_b64u: String(body.kek_c_b64u) } });
+		return toResponse(out);
+	}
+	if (ctx.method === "POST" && ctx.pathname === "/vrf/remove-server-lock") {
+		const shamir = ctx.service.shamirService;
+		if (!shamir || !await shamir.ensureReady()) return json({
+			code: "shamir_disabled",
+			message: "Shamir 3-pass is not configured on this server"
+		}, { status: 503 });
+		const body = await readJson(ctx.request);
+		const valid = isObject(body) && typeof body.kek_cs_b64u === "string" && body.kek_cs_b64u.length > 0 && typeof body.keyId === "string" && String(body.keyId).length > 0;
+		if (!valid) return json({
+			code: "invalid_body",
+			message: "kek_cs_b64u and keyId are required"
+		}, { status: 400 });
+		const out = await handleRemoveServerLock(shamir, { body: {
+			kek_cs_b64u: String(body.kek_cs_b64u),
+			keyId: String(body.keyId)
+		} });
+		return toResponse(out);
+	}
+	if (ctx.method === "GET" && ctx.pathname === "/shamir/key-info") {
+		const shamir = ctx.service.shamirService;
+		if (!shamir || !await shamir.ensureReady()) return json({
+			code: "shamir_disabled",
+			message: "Shamir 3-pass is not configured on this server"
+		}, { status: 503 });
+		const out = await handleGetShamirKeyInfo(shamir);
+		return toResponse(out);
+	}
+	return null;
+}
+//#endregion
+//#region src/server/router/cloudflare/routes/signedDelegate.ts
+async function handleSignedDelegate(ctx) {
+	if (!ctx.signedDelegatePath || ctx.pathname !== ctx.signedDelegatePath) return null;
+	if (ctx.method !== "POST") return null;
+	const body = await readJson(ctx.request);
+	const valid = isObject(body) && typeof body.hash === "string" && Boolean(body.hash) && Boolean(body.signedDelegate);
+	if (!valid) return json({
+		ok: false,
+		code: "invalid_body",
+		message: "Expected { hash, signedDelegate }"
+	}, { status: 400 });
+	const result = await ctx.service.executeSignedDelegate({
+		hash: String(body.hash),
+		signedDelegate: body.signedDelegate,
+		policy: ctx.signedDelegatePolicy
+	});
+	if (!result || !result.ok) return json({
+		ok: false,
+		code: result?.code || "delegate_execution_failed",
+		message: result?.error || "Failed to execute delegate action"
+	}, { status: 400 });
+	return json({
+		ok: true,
+		relayerTxHash: result.transactionHash || null,
+		status: "submitted",
+		outcome: result.outcome ?? null
+	}, { status: 200 });
+}
+//#endregion
+//#region src/server/threshold/statusCodes.ts
+function thresholdEd25519StatusCode(result) {
+	if (result.ok) return 200;
+	switch (result.code) {
+		case "not_found": return 404;
+		case "not_implemented": return 501;
+		case "threshold_disabled": return 503;
+		case "internal": return 500;
+		case "unauthorized": return 401;
+		default: return 400;
+	}
+}
+//#endregion
+//#region src/server/core/ThresholdService/validation.ts
+function isObject$1(v) {
+	return !!v && typeof v === "object" && !Array.isArray(v);
+}
+function parseThresholdEd25519SessionClaims(raw) {
+	if (!isObject$1(raw)) return null;
+	const kind = toOptionalString(raw.kind);
+	if (kind !== "threshold_ed25519_session_v1") return null;
+	const sub = toOptionalString(raw.sub);
+	const sessionId = toOptionalString(raw.sessionId);
+	const relayerKeyId = toOptionalString(raw.relayerKeyId);
+	const rpId = toOptionalString(raw.rpId);
+	if (!sub || !sessionId || !relayerKeyId || !rpId) return null;
+	return {
+		sub,
+		kind,
+		sessionId,
+		relayerKeyId,
+		rpId
+	};
+}
+//#endregion
+//#region src/server/router/commonRouterUtils.ts
+function isPlainObject(input) {
+	return !!input && typeof input === "object" && !Array.isArray(input);
+}
+function summarizeVrfData(input) {
+	if (!isPlainObject(input)) return void 0;
+	const user_id = typeof input.user_id === "string" ? input.user_id : void 0;
+	const rp_id = typeof input.rp_id === "string" ? input.rp_id : void 0;
+	const block_height = typeof input.block_height === "number" ? input.block_height : void 0;
+	const has_intent_digest_32 = Array.isArray(input.intent_digest_32) ? true : void 0;
+	const intent_digest_32_len = Array.isArray(input.intent_digest_32) ? input.intent_digest_32.length : void 0;
+	const has_session_policy_digest_32 = Array.isArray(input.session_policy_digest_32) ? true : void 0;
+	const session_policy_digest_32_len = Array.isArray(input.session_policy_digest_32) ? input.session_policy_digest_32.length : void 0;
+	return {
+		...user_id ? { user_id } : {},
+		...rp_id ? { rp_id } : {},
+		...block_height != null ? { block_height } : {},
+		...has_intent_digest_32 != null ? { has_intent_digest_32 } : {},
+		...intent_digest_32_len != null ? { intent_digest_32_len } : {},
+		...has_session_policy_digest_32 != null ? { has_session_policy_digest_32 } : {},
+		...session_policy_digest_32_len != null ? { session_policy_digest_32_len } : {}
+	};
+}
+function looksLikeWebauthnAuthorizeBody(input) {
+	if (!isPlainObject(input)) return false;
+	return isPlainObject(input.vrf_data) && isPlainObject(input.webauthn_authentication);
+}
+async function validateThresholdEd25519AuthorizeInputs(input) {
+	if (looksLikeWebauthnAuthorizeBody(input.body)) return {
+		ok: true,
+		mode: "webauthn",
+		request: input.body
+	};
+	const session = input.session;
+	if (!session) return {
+		ok: false,
+		code: "sessions_disabled",
+		message: "Sessions are not configured on this server"
+	};
+	const parsed = await session.parse(input.headers);
+	if (!parsed.ok) return {
+		ok: false,
+		code: "unauthorized",
+		message: "Missing or invalid threshold session token"
+	};
+	const claims = parseThresholdEd25519SessionClaims(parsed.claims);
+	if (!claims) return {
+		ok: false,
+		code: "unauthorized",
+		message: "Invalid threshold session token claims"
+	};
+	const requestBody = isPlainObject(input.body) ? input.body : {};
+	return {
+		ok: true,
+		mode: "session",
+		sessionId: claims.sessionId,
+		userId: claims.sub,
+		request: requestBody
+	};
+}
+//#endregion
+//#region src/server/router/cloudflare/routes/thresholdEd25519.ts
+async function handleThresholdEd25519(ctx) {
+	if (ctx.method === "GET" && ctx.pathname === "/threshold-ed25519/healthz") {
+		const threshold$1 = ctx.opts.threshold;
+		if (!threshold$1) return json({
+			ok: false,
+			configured: false,
+			code: "threshold_disabled",
+			message: "Threshold signing is not configured on this server"
+		}, { status: 503 });
+		return json({
+			ok: true,
+			configured: true
+		}, { status: 200 });
+	}
+	if (ctx.method !== "POST") return null;
+	const pathname = ctx.pathname;
+	if (pathname !== "/threshold-ed25519/keygen" && pathname !== "/threshold-ed25519/session" && pathname !== "/threshold-ed25519/authorize" && pathname !== "/threshold-ed25519/sign/init" && pathname !== "/threshold-ed25519/sign/finalize" && pathname !== "/threshold-ed25519/internal/cosign/init" && pathname !== "/threshold-ed25519/internal/cosign/finalize") return null;
+	const body = await readJson(ctx.request);
+	const threshold = ctx.opts.threshold;
+	switch (pathname) {
+		case "/threshold-ed25519/keygen": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				nearAccountId: typeof b.nearAccountId === "string" ? b.nearAccountId : void 0,
+				clientVerifyingShareB64u_len: typeof b.clientVerifyingShareB64u === "string" ? b.clientVerifyingShareB64u.length : void 0,
+				registrationTxHash: "registrationTxHash" in b && typeof b.registrationTxHash === "string" ? b.registrationTxHash : void 0,
+				vrf_data: summarizeVrfData(b.vrf_data)
+			});
+			const result = await threshold.thresholdEd25519Keygen(b);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status: thresholdEd25519StatusCode(result),
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			return json(result, { status: thresholdEd25519StatusCode(result) });
+		}
+		case "/threshold-ed25519/session": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			const session = ctx.opts.session;
+			if (!session) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					sessions: false
+				});
+				return json({
+					ok: false,
+					code: "sessions_disabled",
+					message: "Sessions are not configured on this server"
+				}, { status: 501 });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				relayerKeyId: typeof b.relayerKeyId === "string" ? b.relayerKeyId : void 0,
+				clientVerifyingShareB64u_len: typeof b.clientVerifyingShareB64u === "string" ? b.clientVerifyingShareB64u.length : void 0,
+				sessionPolicy: b.sessionPolicy ? { version: b.sessionPolicy.version } : void 0,
+				vrf_data: summarizeVrfData(b.vrf_data)
+			});
+			const result = await threshold.thresholdEd25519Session(b);
+			const status = thresholdEd25519StatusCode(result);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status,
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			if (!result.ok) return json(result, { status });
+			const sessionId = String(result.sessionId || "").trim();
+			const userId = b.vrf_data.user_id;
+			const rpId = b.vrf_data.rp_id;
+			const relayerKeyId = b.relayerKeyId;
+			const token = await session.signJwt(userId, {
+				kind: "threshold_ed25519_session_v1",
+				sessionId,
+				relayerKeyId,
+				rpId
+			});
+			const sessionKind = parseSessionKind(b);
+			const res = json(sessionKind === "cookie" ? {
+				...result,
+				jwt: void 0
+			} : {
+				...result,
+				jwt: token
+			}, { status: 200 });
+			if (sessionKind === "cookie") res.headers.set("Set-Cookie", session.buildSetCookie(token));
+			return res;
+		}
+		case "/threshold-ed25519/authorize": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				relayerKeyId: typeof b.relayerKeyId === "string" ? b.relayerKeyId : void 0,
+				clientVerifyingShareB64u_len: typeof b.clientVerifyingShareB64u === "string" ? b.clientVerifyingShareB64u.length : void 0,
+				purpose: typeof b.purpose === "string" ? b.purpose : void 0,
+				signing_digest_32_len: Array.isArray(b.signing_digest_32) ? b.signing_digest_32.length : void 0,
+				vrf_data: summarizeVrfData(b.vrf_data)
+			});
+			const respond = (result$1) => {
+				ctx.logger.info("[threshold-ed25519] response", {
+					route: pathname,
+					status: thresholdEd25519StatusCode(result$1),
+					ok: result$1.ok,
+					...result$1.code ? { code: result$1.code } : {}
+				});
+				return json(result$1, { status: thresholdEd25519StatusCode(result$1) });
+			};
+			const validated = await validateThresholdEd25519AuthorizeInputs({
+				body,
+				headers: Object.fromEntries(ctx.request.headers.entries()),
+				session: ctx.opts.session
+			});
+			if (!validated.ok) return respond(validated);
+			const result = validated.mode === "webauthn" ? await threshold.authorizeThresholdEd25519(validated.request) : await threshold.authorizeThresholdEd25519WithSession({
+				sessionId: validated.sessionId,
+				userId: validated.userId,
+				request: validated.request
+			});
+			return respond(result);
+		}
+		case "/threshold-ed25519/sign/init": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				mpcSessionId: typeof b.mpcSessionId === "string" ? b.mpcSessionId : void 0,
+				relayerKeyId: typeof b.relayerKeyId === "string" ? b.relayerKeyId : void 0,
+				nearAccountId: typeof b.nearAccountId === "string" ? b.nearAccountId : void 0,
+				signingDigestB64u_len: typeof b.signingDigestB64u === "string" ? b.signingDigestB64u.length : void 0
+			});
+			const result = await threshold.thresholdEd25519SignInit(b);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status: thresholdEd25519StatusCode(result),
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			return json(result, { status: thresholdEd25519StatusCode(result) });
+		}
+		case "/threshold-ed25519/sign/finalize": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				signingSessionId: typeof b.signingSessionId === "string" ? b.signingSessionId : void 0,
+				clientSignatureShareB64u_len: typeof b.clientSignatureShareB64u === "string" ? b.clientSignatureShareB64u.length : void 0
+			});
+			const result = await threshold.thresholdEd25519SignFinalize(b);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status: thresholdEd25519StatusCode(result),
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			return json(result, { status: thresholdEd25519StatusCode(result) });
+		}
+		case "/threshold-ed25519/internal/cosign/init": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			if (!threshold.thresholdEd25519CosignInit) {
+				const result$1 = {
+					ok: false,
+					code: "not_found",
+					message: "threshold-ed25519 cosigner endpoints are not enabled on this server"
+				};
+				return json(result$1, { status: thresholdEd25519StatusCode(result$1) });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				coordinatorGrant_len: typeof b.coordinatorGrant === "string" ? b.coordinatorGrant.length : void 0,
+				signingSessionId: typeof b.signingSessionId === "string" ? b.signingSessionId : void 0,
+				cosignerShareB64u_len: typeof b.cosignerShareB64u === "string" ? b.cosignerShareB64u.length : void 0
+			});
+			const result = await threshold.thresholdEd25519CosignInit(b);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status: thresholdEd25519StatusCode(result),
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			return json(result, { status: thresholdEd25519StatusCode(result) });
+		}
+		case "/threshold-ed25519/internal/cosign/finalize": {
+			if (!threshold) {
+				ctx.logger.warn("[threshold-ed25519] request", {
+					route: pathname,
+					method: ctx.method,
+					configured: false
+				});
+				return json({
+					ok: false,
+					code: "threshold_disabled",
+					message: "Threshold signing is not configured on this server"
+				}, { status: 503 });
+			}
+			if (!threshold.thresholdEd25519CosignFinalize) {
+				const result$1 = {
+					ok: false,
+					code: "not_found",
+					message: "threshold-ed25519 cosigner endpoints are not enabled on this server"
+				};
+				return json(result$1, { status: thresholdEd25519StatusCode(result$1) });
+			}
+			const b = body || {};
+			ctx.logger.info("[threshold-ed25519] request", {
+				route: pathname,
+				method: ctx.method,
+				coordinatorGrant_len: typeof b.coordinatorGrant === "string" ? b.coordinatorGrant.length : void 0,
+				signingSessionId: typeof b.signingSessionId === "string" ? b.signingSessionId : void 0,
+				cosignerIds_len: Array.isArray(b.cosignerIds) ? b.cosignerIds.length : void 0
+			});
+			const result = await threshold.thresholdEd25519CosignFinalize(b);
+			ctx.logger.info("[threshold-ed25519] response", {
+				route: pathname,
+				status: thresholdEd25519StatusCode(result),
+				ok: result.ok,
+				...result.code ? { code: result.code } : {}
+			});
+			return json(result, { status: thresholdEd25519StatusCode(result) });
+		}
+		default: return null;
+	}
+}
+//#endregion
+//#region src/server/router/cloudflare/routes/verifyAuthenticationResponse.ts
+async function handleVerifyAuthenticationResponse(ctx) {
+	if (ctx.method !== "POST" || ctx.pathname !== "/verify-authentication-response") return null;
+	const body = await readJson(ctx.request);
+	const valid = isObject(body) && isObject(body.vrf_data) && isObject(body.webauthn_authentication);
+	if (!valid) return json({
+		code: "invalid_body",
+		message: "vrf_data and webauthn_authentication are required"
+	}, { status: 400 });
+	try {
+		const sessionKind = parseSessionKind(body);
+		const req = body;
+		const result = await ctx.service.verifyAuthenticationResponse(req);
+		const status = result.success ? 200 : 400;
+		if (status !== 200) return json({
+			code: "not_verified",
+			message: result.message || "Authentication verification failed"
+		}, { status });
+		const res = json(result, { status: 200 });
+		const session = ctx.opts.session;
+		if (session && result.verified) try {
+			const userId = String(req.vrf_data?.user_id || "");
+			const token = await session.signJwt(userId, {
+				rpId: req.vrf_data?.rp_id,
+				blockHeight: req.vrf_data?.block_height
+			});
+			ctx.logger.info(`[relay] creating ${sessionKind === "cookie" ? "HttpOnly session" : "JWT"} for`, userId);
+			if (sessionKind === "cookie") res.headers.set("Set-Cookie", session.buildSetCookie(token));
+			else {
+				const payload = await res.clone().json();
+				return new Response(JSON.stringify({
+					...payload,
+					jwt: token
+				}), {
+					status: 200,
+					headers: res.headers
+				});
+			}
+		} catch {}
+		return res;
+	} catch (e) {
+		return json({
+			code: "internal",
+			message: e?.message || "Internal error"
+		}, { status: 500 });
+	}
+}
+//#endregion
+//#region src/server/router/cloudflare/routes/wellKnown.ts
+async function handleWellKnown(ctx) {
+	if (ctx.method !== "GET") return null;
+	if (ctx.pathname !== "/.well-known/webauthn" && ctx.pathname !== "/.well-known/webauthn/") return null;
+	const contractId = (ctx.env?.ROR_CONTRACT_ID || ctx.env?.WEBAUTHN_CONTRACT_ID || "").toString().trim() || void 0;
+	const methodName = (ctx.env?.ROR_METHOD || "").toString().trim() || void 0;
+	const origins = await ctx.service.getRorOrigins({
+		contractId,
+		method: methodName
+	});
+	return json({ origins }, {
+		status: 200,
+		headers: { "Cache-Control": "max-age=60, stale-while-revalidate=600" }
+	});
+}
+//#endregion
+//#region src/server/router/routerOptions.ts
+function resolveThresholdOption(service, opts) {
+	return opts.threshold !== void 0 ? opts.threshold : service.getThresholdSigningService();
+}
+//#endregion
+//#region src/server/router/cloudflare/createCloudflareRouter.ts
+function createCloudflareRouter(service, opts = {}) {
+	const notFound = () => new Response("Not Found", { status: 404 });
+	const threshold = resolveThresholdOption(service, opts);
+	const effectiveOpts = {
+		...opts,
+		threshold
+	};
+	const mePath = effectiveOpts.sessionRoutes?.auth || "/session/auth";
+	const logoutPath = effectiveOpts.sessionRoutes?.logout || "/session/logout";
+	const logger = coerceRouterLogger(effectiveOpts.logger);
+	let signedDelegatePath = "";
+	if (effectiveOpts.signedDelegate) signedDelegatePath = ensureLeadingSlash(effectiveOpts.signedDelegate.route) || "/signed-delegate";
+	const signedDelegatePolicy = effectiveOpts.signedDelegate?.policy;
+	const handlers = [
+		handleWellKnown,
+		handleCreateAccountAndRegisterUser,
+		handleSignedDelegate,
+		handleShamir,
+		handleVerifyAuthenticationResponse,
+		handleThresholdEd25519,
+		handleSessionAuth,
+		handleSessionLogout,
+		handleSessionRefresh,
+		handleRecoverEmail,
+		handleHealth,
+		handleReady
+	];
+	return async function handler(request, env, cfCtx) {
+		const url = new URL(request.url);
+		const { pathname } = url;
+		const method = request.method.toUpperCase();
+		if (method === "OPTIONS") {
+			const res = new Response(null, { status: 204 });
+			withCors(res.headers, effectiveOpts, request);
+			return res;
+		}
+		const baseCtx = {
+			env,
+			cfCtx,
+			service,
+			opts: effectiveOpts,
+			logger,
+			mePath,
+			logoutPath,
+			signedDelegatePath,
+			signedDelegatePolicy
+		};
+		const ctx = {
+			...baseCtx,
+			request,
+			url,
+			pathname,
+			method
+		};
+		try {
+			for (const fn of handlers) {
+				const res = await fn(ctx);
+				if (res) {
+					withCors(res.headers, effectiveOpts, request);
+					return res;
 				}
-			} else logger.info("[cloudflare-cron] enabled but rotate=false (no action)");
+			}
+			return notFound();
 		} catch (e) {
-			logger.error("[cloudflare-cron] failed", e instanceof Error ? e.message : String(e));
+			const res = json({
+				code: "internal",
+				message: e instanceof Error ? e.message : String(e)
+			}, { status: 500 });
+			withCors(res.headers, effectiveOpts, request);
+			return res;
 		}
 	};
 }