npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":["BUILD_PATHS","createSigningSessionChannel","mintSessionKeysAndSendToSigner","dispenseSessionKey","checkSessionStatus","clearSession","prepareDecryptSession","confirmAndPrepareSigningSession","requestRegistrationCredentialConfirmation","confirmAndDeriveDevice2RegistrationSession","resolveWorkerUrl","error: any","SecureConfirmMessageType","handlePromptUserConfirmInJsMainThread","unlockVrfKeypair","generateVrfChallengeForSession","generateVrfChallengeOnce","checkVrfStatus","clearVrfSession","generateVrfKeypairBootstrap","deriveVrfKeypairFromPrf","shamir3PassDecryptVrfKeypair","shamir3PassEncryptCurrentVrfKeypair"],"sources":["../../../../../src/core/WebAuthnManager/VrfWorkerManager/index.ts"],"sourcesContent":["/*\n VRF Manager\n * Uses Web Workers for VRF keypair management with client-hosted worker files.\n /\n\nimport type {\n VRFWorkerStatus,\n VrfWorkerManagerConfig,\n EncryptedVRFKeypair,\n VRFInputData,\n VRFWorkerMessage,\n VRFWorkerResponse,\n ServerEncryptedVrfKeypair,\n WasmVrfWorkerRequestType,\n WasmShamir3PassConfigPRequest,\n WasmShamir3PassConfigServerUrlsRequest,\n} from '../../types/vrf-worker';\nimport type { VRFChallenge } from '../../types/vrf-worker';\nimport { BUILD_PATHS } from '../../../../build-paths.js';\nimport { resolveWorkerUrl } from '../../sdkPaths';\nimport type { AccountId } from '../../types/accountIds';\nimport type { TouchIdPrompt } from '../touchIdPrompt';\nimport type { NearClient } from '../../NearClient';\nimport type { UnifiedIndexedDBManager } from '../../IndexedDBManager';\nimport type { UserPreferencesManager } from '../userPreferences';\nimport type { NonceManager } from '../../nonceManager';\nimport {\n SecureConfirmMessageType,\n type SecureConfirmRequest,\n type SerializableCredential,\n} from './confirmTxFlow/types';\nimport type { TransactionInputWasm } from '../../types/actions';\nimport type { RpcCallPayload, ConfirmationConfig } from '../../types/signer-worker';\nimport type { TransactionContext } from '../../types/rpc';\nimport type { RegistrationCredentialConfirmationPayload } from '../SignerWorkerManager/handlers/validation';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../types/webauthn';\nimport { handlePromptUserConfirmInJsMainThread } from './confirmTxFlow';\nimport type { VrfWorkerManagerHandlerContext } from './handlers/types';\nimport {\n checkVrfStatus,\n clearSession,\n clearVrfSession,\n confirmAndDeriveDevice2RegistrationSession,\n confirmAndPrepareSigningSession,\n createSigningSessionChannel,\n deriveVrfKeypairFromPrf,\n mintSessionKeysAndSendToSigner,\n dispenseSessionKey,\n generateVrfChallengeForSession,\n generateVrfChallengeOnce,\n generateVrfKeypairBootstrap,\n checkSessionStatus,\n prepareDecryptSession,\n requestRegistrationCredentialConfirmation,\n shamir3PassDecryptVrfKeypair,\n shamir3PassEncryptCurrentVrfKeypair,\n unlockVrfKeypair,\n} from './handlers';\n\n/\n VRF-owned host context passed into confirmTxFlow.\n /\nexport interface VrfWorkerManagerContext {\n touchIdPrompt: TouchIdPrompt;\n nearClient: NearClient;\n indexedDB: UnifiedIndexedDBManager;\n userPreferencesManager: UserPreferencesManager;\n nonceManager: NonceManager;\n rpIdOverride?: string;\n nearExplorerUrl?: string;\n vrfWorkerManager?: SessionVrfWorkerManager;\n}\n\n/\n Narrow VRF manager surface used by confirmTxFlow. This interface only exposes\n * session-bound operations so confirm flows cannot accidentally call the\n * low-level helpers that take an optional sessionId.\n /\nexport interface SessionVrfWorkerManager {\n generateVrfKeypairBootstrap(args: {\n vrfInputData: VRFInputData;\n saveInMemory: boolean;\n sessionId: string;\n }): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge;\n }>;\n\n generateVrfChallengeForSession(inputData: VRFInputData, sessionId: string): Promise<VRFChallenge>;\n\n mintSessionKeysAndSendToSigner(args: {\n sessionId: string;\n wrapKeySalt?: string;\n contractId?: string;\n nearRpcUrl?: string;\n ttlMs?: number;\n remainingUses?: number;\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n }): Promise<{ sessionId: string; wrapKeySalt: string }>;\n\n dispenseSessionKey(args: {\n sessionId: string;\n uses?: number;\n }): Promise<{\n sessionId: string;\n remainingUses?: number;\n expiresAtMs?: number;\n }>;\n\n prepareDecryptSession(args: {\n sessionId: string;\n nearAccountId: AccountId;\n wrapKeySalt: string;\n encryptedVrfKeypair?: EncryptedVRFKeypair;\n expectedVrfPublicKey?: string;\n }): Promise<void>;\n\n requestRegistrationCredentialConfirmation(params: {\n nearAccountId: string;\n deviceNumber: number;\n confirmerText?: { title?: string; body?: string };\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n contractId: string;\n nearRpcUrl: string;\n }): Promise<RegistrationCredentialConfirmationPayload>;\n\n confirmAndDeriveDevice2RegistrationSession(params: {\n sessionId: string;\n nearAccountId: AccountId;\n deviceNumber: number;\n contractId: string;\n nearRpcUrl: string;\n authenticatorOptions?: object;\n wrapKeySalt?: string;\n }): Promise<{\n confirmed: boolean;\n sessionId: string;\n credential: WebAuthnRegistrationCredential;\n vrfChallenge: VRFChallenge;\n transactionContext: TransactionContext;\n wrapKeySalt: string;\n requestId: string;\n intentDigest: string;\n deterministicVrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n error?: string;\n }>;\n\n checkVrfStatus(): Promise<VRFWorkerStatus>;\n}\n\n/\n VRF Worker Manager\n \n This class manages VRF operations using Web Workers for:\n * - VRF keypair unlocking (login)\n * - VRF challenge generation (authentication)\n * - Session management (browser session only)\n * - Client-hosted worker files\n /\nexport class VrfWorkerManager {\n private vrfWorker: Worker \| null = null;\n private initializationPromise: Promise<void> \| null = null;\n private messageId = 0;\n private config: VrfWorkerManagerConfig;\n private currentVrfAccountId: string \| null = null;\n private workerBaseOrigin: string \| undefined;\n private context: VrfWorkerManagerContext;\n\n constructor(config: VrfWorkerManagerConfig, context: VrfWorkerManagerContext) {\n this.config = {\n // Default to client-hosted worker file using centralized config\n vrfWorkerUrl: BUILD_PATHS.RUNTIME.VRF_WORKER,\n workerTimeout: 60_000,\n debug: false,\n ...config\n };\n // Attach a self-reference so confirmTxFlow helpers can call back into VRF APIs.\n this.context = {\n ...context,\n vrfWorkerManager: this,\n };\n }\n\n /\n Context used by confirmTxFlow for VRF-driven flows.\n /\n getContext(): VrfWorkerManagerContext {\n return this.context;\n }\n\n private getHandlerContext(): VrfWorkerManagerHandlerContext {\n return {\n ensureWorkerReady: this.ensureWorkerReady.bind(this),\n sendMessage: this.sendMessage.bind(this),\n generateMessageId: this.generateMessageId.bind(this),\n getContext: this.getContext.bind(this),\n postToWorker: (message: unknown, transfer?: Transferable[]) => {\n if (!this.vrfWorker) {\n throw new Error('VRF Web Worker not available');\n }\n this.vrfWorker.postMessage(message, transfer as any);\n },\n getCurrentVrfAccountId: () => this.currentVrfAccountId,\n setCurrentVrfAccountId: (next: string \| null) => {\n this.currentVrfAccountId = next;\n },\n };\n }\n\n /\n Create a VRF-owned MessageChannel for signing and return the signer-facing port.\n * VRF retains the sibling port for WrapKeySeed delivery.\n /\n async createSigningSessionChannel(sessionId: string): Promise<MessagePort> {\n return createSigningSessionChannel(this.getHandlerContext(), sessionId);\n }\n\n /\n Derive WrapKeySeed in the VRF worker and deliver it (along with PRF.second if credential provided)\n * to the signer worker via the registered port.\n /\n async mintSessionKeysAndSendToSigner(args: {\n sessionId: string;\n // Optional vault wrapKeySalt. When omitted or empty, VRF worker will generate a fresh wrapKeySalt.\n wrapKeySalt?: string;\n // Optional contract verification context; when provided, VRF Rust will call\n // verify_authentication_response before deriving WrapKeySeed.\n contractId?: string;\n nearRpcUrl?: string;\n // Optional signing-session config. When omitted, VRF worker uses defaults.\n ttlMs?: number;\n remainingUses?: number;\n // Optional credential for PRF.second extraction (registration or authentication)\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n }): Promise<{ sessionId: string; wrapKeySalt: string }> {\n return mintSessionKeysAndSendToSigner(this.getHandlerContext(), args);\n }\n\n /\n Dispense an existing VRF-owned session key (WrapKeySeed + wrapKeySalt) over the\n * attached MessagePort for `sessionId`, enforcing TTL/usage in the VRF worker.\n \n This is the primitive needed for \"warm\" signing sessions: 1 VRF worker → N one-shot signer workers.\n /\n async dispenseSessionKey(args: {\n sessionId: string;\n uses?: number;\n }): Promise<{\n sessionId: string;\n remainingUses?: number;\n expiresAtMs?: number;\n }> {\n return dispenseSessionKey(this.getHandlerContext(), args);\n }\n\n /\n Query VRF-owned signing session status for UI introspection.\n * This does not prompt and does not reveal secrets; it only returns metadata.\n /\n async checkSessionStatus(args: {\n sessionId: string;\n }): Promise<{\n sessionId: string;\n status: 'active' \| 'exhausted' \| 'expired' \| 'not_found';\n remainingUses?: number;\n expiresAtMs?: number;\n createdAtMs?: number;\n }> {\n return checkSessionStatus(this.getHandlerContext(), args);\n }\n\n /\n Clear VRF-owned signing session material for a given `sessionId`.\n * Intended for explicit \"Lock\" actions or lifecycle cleanup.\n /\n async clearSession(args: {\n sessionId: string;\n }): Promise<{\n sessionId: string;\n clearedSession: boolean;\n clearedChallenge: boolean;\n clearedPort: boolean;\n }> {\n return clearSession(this.getHandlerContext(), args);\n }\n\n /\n VRF-driven decrypt session for export flows.\n * Kicks off a LocalOnly DECRYPT_PRIVATE_KEY_WITH_PRF confirm via VRF Rust and derives\n * WrapKeySeed using the vault-provided wrapKeySalt. WrapKeySeed + wrapKeySalt are sent to the signer over\n * the dedicated MessagePort for the given sessionId.\n /\n async prepareDecryptSession(args: {\n sessionId: string;\n nearAccountId: AccountId;\n wrapKeySalt: string;\n encryptedVrfKeypair?: EncryptedVRFKeypair;\n expectedVrfPublicKey?: string;\n }): Promise<void> {\n return prepareDecryptSession(this.getHandlerContext(), args);\n }\n\n /\n VRF-driven confirmation + WrapKeySeed derivation for signing flows.\n * Runs confirmTxFlow on the main thread, derives WrapKeySeed in the VRF worker, and returns\n * the session metadata needed by the signer worker. WrapKeySeed itself travels only over the\n * reserved MessagePort registered via registerSignerWrapKeySeedPort.\n /\n async confirmAndPrepareSigningSession(params: {\n ctx: VrfWorkerManagerContext;\n sessionId: string;\n kind: 'transaction';\n txSigningRequests: TransactionInputWasm[];\n rpcCall: RpcCallPayload;\n title?: string;\n body?: string;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n } \| {\n ctx: VrfWorkerManagerContext;\n sessionId: string;\n kind: 'delegate';\n nearAccountId: string;\n title?: string;\n body?: string;\n delegate: {\n senderId: string;\n receiverId: string;\n actions: TransactionInputWasm['actions'];\n nonce: string \| number \| bigint;\n maxBlockHeight: string \| number \| bigint;\n };\n rpcCall: RpcCallPayload;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n } \| {\n ctx: VrfWorkerManagerContext;\n sessionId: string;\n kind: 'nep413';\n nearAccountId: string;\n message: string;\n recipient: string;\n title?: string;\n body?: string;\n contractId?: string;\n nearRpcUrl?: string;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n }): Promise<{\n sessionId: string;\n transactionContext: TransactionContext;\n intentDigest: string;\n credential?: SerializableCredential;\n }> {\n return confirmAndPrepareSigningSession(this.getHandlerContext(), params);\n }\n\n /\n VRF-driven helper for registration confirmation.\n * Runs confirmTxFlow on the main thread and returns registration artifacts.\n * WrapKeySeed derivation is handled later when we call into signing/derivation\n * flows with PRF + withSigningSession.\n /\n async requestRegistrationCredentialConfirmation(params: {\n nearAccountId: string;\n deviceNumber: number;\n confirmerText?: { title?: string; body?: string };\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n contractId: string;\n nearRpcUrl: string;\n }): Promise<RegistrationCredentialConfirmationPayload> {\n return requestRegistrationCredentialConfirmation(this.getHandlerContext(), params);\n }\n\n /\n Combined Device2 registration session: single WebAuthn ceremony for credential + WrapKeySeed derivation.\n \n This method orchestrates the complete Device2 registration flow:\n * 1. Runs a VRF-driven registration confirmation (single TouchID prompt)\n * 2. Extracts PRF.first from the credential and derives WrapKeySeed\n * 3. Sends WrapKeySeed to signer worker via MessagePort (never exposed to JS)\n * 4. Returns credential (with PRF.second embedded), vrfChallenge, transactionContext, wrapKeySalt\n \n The signer worker can then use PRF.second for NEAR key derivation and WrapKeySeed for encryption.\n /\n async confirmAndDeriveDevice2RegistrationSession(params: {\n sessionId: string;\n nearAccountId: AccountId;\n deviceNumber: number;\n contractId: string;\n nearRpcUrl: string;\n authenticatorOptions?: object;\n wrapKeySalt?: string;\n }): Promise<{\n confirmed: boolean;\n sessionId: string;\n credential: WebAuthnRegistrationCredential;\n vrfChallenge: VRFChallenge;\n transactionContext: TransactionContext;\n wrapKeySalt: string;\n requestId: string;\n intentDigest: string;\n deterministicVrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n error?: string;\n }> {\n return confirmAndDeriveDevice2RegistrationSession(this.getHandlerContext(), params);\n }\n\n setWorkerBaseOrigin(origin: string \| undefined): void {\n this.workerBaseOrigin = origin;\n }\n\n /\n Ensure VRF worker is ready for operations\n * @param requireHealthCheck - Whether to perform health check after initialization\n /\n private async ensureWorkerReady(requireHealthCheck = false): Promise<void> {\n if (this.initializationPromise) {\n await this.initializationPromise;\n } else if (!this.vrfWorker) {\n await this.initialize();\n }\n if (!this.vrfWorker) {\n throw new Error('VRF Worker failed to initialize');\n }\n // Optional health check for critical operations\n if (requireHealthCheck) {\n try {\n const healthResponse = await this.sendMessage({\n type: 'PING',\n id: this.generateMessageId(),\n payload: {} as WasmVrfWorkerRequestType\n }, 3000);\n\n if (!healthResponse.success) {\n throw new Error('VRF Worker failed health check');\n }\n } catch (error) {\n console.error('VRF Manager: Health check failed:', error);\n throw new Error('VRF Worker failed health check');\n }\n }\n }\n\n /\n Initialize VRF functionality using Web Workers\n /\n async initialize(): Promise<void> {\n if (this.initializationPromise) {\n return this.initializationPromise;\n }\n // =============================================================\n // This improved error handling ensures that:\n // 1. Initialization failures are properly logged with full details\n // 2. Errors are re-thrown to callers (no silent swallowing)\n // 3. Failed initialization promise is reset for retry\n // 4. Debug logs actually appear in test output\n this.initializationPromise = this.createVrfWorker().catch(error => {\n console.error('VRF Manager: Initialization failed:', error);\n console.error('VRF Manager: Error details:', {\n message: error.message,\n stack: error.stack,\n name: error.name\n });\n // Reset promise so initialization can be retried\n this.initializationPromise = null;\n throw error; // Re-throw so callers know it failed\n });\n\n const result = await this.initializationPromise;\n return result;\n }\n\n /\n Initialize Web Worker with client-hosted VRF worker\n /\n private async createVrfWorker(): Promise<void> {\n try {\n const relativePath = this.config.vrfWorkerUrl \|\| BUILD_PATHS.RUNTIME.VRF_WORKER;\n const vrfUrlStr = resolveWorkerUrl(relativePath, { worker: 'vrf', baseOrigin: this.workerBaseOrigin })\n console.debug('VRF Manager: Worker URL:', vrfUrlStr);\n // Create Web Worker from resolved URL\n this.vrfWorker = new Worker(vrfUrlStr, {\n type: 'module',\n name: 'Web3AuthnVRFWorker'\n });\n // Set up error handling\n this.vrfWorker.onerror = (error) => {\n console.error('VRF Manager: Web Worker error:', error);\n };\n // Test communication with the Web Worker\n await this.testWebWorkerCommunication();\n\n // Configure Shamir P if provided\n if (this.config.shamirPB64u) {\n const resp = await this.sendMessage<WasmShamir3PassConfigPRequest>({\n type: 'SHAMIR3PASS_CONFIG_P',\n id: this.generateMessageId(),\n payload: { p_b64u: this.config.shamirPB64u }\n });\n if (!resp.success) {\n throw new Error(`Failed to configure Shamir P: ${resp.error}`);\n }\n }\n\n // Configure relay server URLs if provided\n if (this.config.relayServerUrl && this.config.applyServerLockRoute && this.config.removeServerLockRoute) {\n const resp2 = await this.sendMessage<WasmShamir3PassConfigServerUrlsRequest>({\n type: 'SHAMIR3PASS_CONFIG_SERVER_URLS',\n id: this.generateMessageId(),\n payload: {\n relayServerUrl: this.config.relayServerUrl,\n applyLockRoute: this.config.applyServerLockRoute,\n removeLockRoute: this.config.removeServerLockRoute,\n }\n });\n if (!resp2.success) {\n throw new Error(`Failed to configure Shamir server URLs: ${resp2.error}`);\n }\n }\n\n } catch (error: any) {\n throw new Error(`VRF Web Worker initialization failed: ${error.message}`);\n }\n }\n\n /\n Send message to Web Worker and wait for response\n /\n private async sendMessage<T extends WasmVrfWorkerRequestType>(\n message: VRFWorkerMessage<T>,\n customTimeout?: number\n ): Promise<VRFWorkerResponse> {\n return new Promise((resolve, reject) => {\n if (!this.vrfWorker) {\n reject(new Error('VRF Web Worker not available'));\n return;\n }\n\n const timeoutMs = (customTimeout ?? this.config.workerTimeout ?? 60_000);\n const timeout = setTimeout(() => {\n reject(new Error(`VRF Web Worker communication timeout (${timeoutMs}ms) for message type: ${message.type}`));\n }, timeoutMs);\n\n const handleMessage = (event: MessageEvent) => {\n const payload = event.data as VRFWorkerResponse \| {\n type?: unknown;\n data?: unknown;\n };\n\n // Intercept SecureConfirm handshake messages from the VRF worker and\n // dispatch them through confirmTxFlow on the main thread. The decision\n // is sent back to the worker as USER_PASSKEY_CONFIRM_RESPONSE and\n // consumed by awaitSecureConfirmationV2; this should not resolve the\n // original VRF request promise.\n if ((payload as any)?.type === SecureConfirmMessageType.PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD) {\n const env = payload as {\n type: SecureConfirmMessageType.PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD;\n data: SecureConfirmRequest;\n };\n const ctx = this.getContext();\n if (!this.vrfWorker) {\n console.error('[VRF] SecureConfirm: vrfWorker missing for PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD');\n return;\n }\n void handlePromptUserConfirmInJsMainThread(ctx, env, this.vrfWorker);\n return;\n }\n\n const response = payload as VRFWorkerResponse;\n if (response.id === message.id) {\n clearTimeout(timeout);\n this.vrfWorker!.removeEventListener('message', handleMessage);\n resolve(response);\n }\n };\n\n this.vrfWorker.addEventListener('message', handleMessage);\n this.vrfWorker.postMessage(message);\n });\n }\n\n /\n Generate unique message ID\n /\n private generateMessageId(): string {\n return `vrf_${Date.now()}_${++this.messageId}`;\n }\n\n /\n Unlock VRF keypair in Web Worker memory using PRF output\n * This is called during login to decrypt and load the VRF keypair in-memory\n /\n async unlockVrfKeypair(args: {\n credential: WebAuthnAuthenticationCredential;\n nearAccountId: AccountId;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n onEvent?: (event: { type: string; data: { step: string; message: string } }) => void;\n }): Promise<VRFWorkerResponse> {\n return unlockVrfKeypair(this.getHandlerContext(), args);\n }\n\n async generateVrfChallengeForSession(inputData: VRFInputData, sessionId: string): Promise<VRFChallenge> {\n return generateVrfChallengeForSession(this.getHandlerContext(), inputData, sessionId);\n }\n\n async generateVrfChallengeOnce(inputData: VRFInputData): Promise<VRFChallenge> {\n return generateVrfChallengeOnce(this.getHandlerContext(), inputData);\n }\n\n /\n Get current VRF session status\n /\n async checkVrfStatus(): Promise<VRFWorkerStatus> {\n return checkVrfStatus(this.getHandlerContext());\n }\n\n /\n Logout and clear VRF session\n /\n async clearVrfSession(): Promise<void> {\n return clearVrfSession(this.getHandlerContext());\n }\n\n /\n Set the current VRF account ID at the TypeScript level\n * Used after VRF keypair is loaded in WASM memory (e.g., after deriveVrfKeypairFromPrf)\n * to track which account has an active VRF session\n /\n setCurrentVrfAccountId(nearAccountId: AccountId): void {\n this.currentVrfAccountId = nearAccountId;\n console.debug(`VRF Manager: Current VRF account ID set to ${nearAccountId}`);\n }\n\n /\n Generate VRF keypair for bootstrapping - stores in memory unencrypted temporarily\n * This is used during registration to generate a VRF keypair that will be used for\n * WebAuthn ceremony and later encrypted with the real PRF output\n \n @param saveInMemory - Always true for bootstrap (VRF keypair stored in memory)\n * @param vrfInputParams - Optional parameters to generate VRF challenge/proof in same call\n * @returns VRF public key and optionally VRF challenge data\n /\n async generateVrfKeypairBootstrap(args: {\n vrfInputData: VRFInputData;\n saveInMemory: boolean;\n sessionId?: string;\n }): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge;\n }> {\n return generateVrfKeypairBootstrap(this.getHandlerContext(), args);\n }\n\n /\n Derive deterministic VRF keypair from PRF output embedded in a WebAuthn credential.\n * Optionally generates VRF challenge if input parameters are provided\n * This enables deterministic VRF key derivation without needing stored VRF keypairs\n \n @param credential - WebAuthn credential containing PRF outputs\n * @param nearAccountId - NEAR account ID for key derivation salt\n * @param vrfInputParams - Optional VRF input parameters for challenge generation\n * @returns Deterministic VRF public key, optional VRF challenge, and encrypted VRF keypair for storage\n /\n async deriveVrfKeypairFromPrf(args: {\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n nearAccountId: AccountId;\n vrfInputData?: VRFInputData; // optional, for challenge generation\n saveInMemory?: boolean; // optional, whether to save in worker memory\n }): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge \| null;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair \| null;\n }> {\n return deriveVrfKeypairFromPrf(this.getHandlerContext(), args);\n }\n\n /\n This securely decrypts the shamir3Pass encrypted VRF keypair and loads it into memory\n * It performs Shamir-3-Pass commutative decryption within WASM worker with the relay-server\n /\n async shamir3PassDecryptVrfKeypair(args: {\n nearAccountId: AccountId;\n kek_s_b64u: string;\n ciphertextVrfB64u: string;\n serverKeyId: string;\n }): Promise<VRFWorkerResponse> {\n return shamir3PassDecryptVrfKeypair(this.getHandlerContext(), args);\n }\n\n /\n Shamir 3-pass: encrypt the currently unlocked VRF keypair under the server key\n * Returns a fresh serverEncryptedVrfKeypair blob for IndexedDB.\n * Requires: current VRF keypair is unlocked and present in worker memory.\n /\n async shamir3PassEncryptCurrentVrfKeypair(): Promise<{\n ciphertextVrfB64u: string;\n kek_s_b64u: string;\n serverKeyId: string;\n }> {\n return shamir3PassEncryptCurrentVrfKeypair(this.getHandlerContext());\n }\n\n /\n Test Web Worker communication\n */\n private async testWebWorkerCommunication(): Promise<void> {\n try {\n const timeoutMs = 2000;\n const pingResponse = await this.sendMessage({\n type: 'PING',\n id: this.generateMessageId(),\n payload: {} as WasmVrfWorkerRequestType\n }, timeoutMs);\n if (!pingResponse.success) {\n throw new Error(`VRF Web Worker PING failed: ${pingResponse.error}`);\n }\n return;\n } catch (error: any) {\n console.warn(`️VRF Manager: testWebWorkerCommunication failed:`, error.message);\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgKA,IAAa,mBAAb,MAA8B;CAC5B,AAAQ,YAA2B;CACnC,AAAQ,wBAA8C;CACtD,AAAQ,YAAY;CACpB,AAAQ;CACR,AAAQ,sBAAqC;CAC7C,AAAQ;CACR,AAAQ;CAER,YAAY,QAAgC,SAAkC;AAC5E,OAAK,SAAS;GAEZ,cAAcA,gCAAY,QAAQ;GAClC,eAAe;GACf,OAAO;GACP,GAAG;;AAGL,OAAK,UAAU;GACb,GAAG;GACH,kBAAkB;;;;;;CAOtB,aAAsC;AACpC,SAAO,KAAK;;CAGd,AAAQ,oBAAoD;AAC1D,SAAO;GACL,mBAAmB,KAAK,kBAAkB,KAAK;GAC/C,aAAa,KAAK,YAAY,KAAK;GACnC,mBAAmB,KAAK,kBAAkB,KAAK;GAC/C,YAAY,KAAK,WAAW,KAAK;GACjC,eAAe,SAAkB,aAA8B;AAC7D,QAAI,CAAC,KAAK,UACR,OAAM,IAAI,MAAM;AAElB,SAAK,UAAU,YAAY,SAAS;;GAEtC,8BAA8B,KAAK;GACnC,yBAAyB,SAAwB;AAC/C,SAAK,sBAAsB;;;;;;;;CASjC,MAAM,4BAA4B,WAAyC;AACzE,SAAOC,gEAA4B,KAAK,qBAAqB;;;;;;CAO/D,MAAM,+BAA+B,MAamB;AACtD,SAAOC,sEAA+B,KAAK,qBAAqB;;;;;;;;CASlE,MAAM,mBAAmB,MAOtB;AACD,SAAOC,8CAAmB,KAAK,qBAAqB;;;;;;CAOtD,MAAM,mBAAmB,MAQtB;AACD,SAAOC,8CAAmB,KAAK,qBAAqB;;;;;;CAOtD,MAAM,aAAa,MAOhB;AACD,SAAOC,kCAAa,KAAK,qBAAqB;;;;;;;;CAShD,MAAM,sBAAsB,MAMV;AAChB,SAAOC,oDAAsB,KAAK,qBAAqB;;;;;;;;CASzD,MAAM,gCAAgC,QA0CnC;AACD,SAAOC,wEAAgC,KAAK,qBAAqB;;;;;;;;CASnE,MAAM,0CAA0C,QAOO;AACrD,SAAOC,4FAA0C,KAAK,qBAAqB;;;;;;;;;;;;;CAc7E,MAAM,2CAA2C,QAoB9C;AACD,SAAOC,8FAA2C,KAAK,qBAAqB;;CAG9E,oBAAoB,QAAkC;AACpD,OAAK,mBAAmB;;;;;;CAO1B,MAAc,kBAAkB,qBAAqB,OAAsB;AACzE,MAAI,KAAK,sBACP,OAAM,KAAK;WACF,CAAC,KAAK,UACf,OAAM,KAAK;AAEb,MAAI,CAAC,KAAK,UACR,OAAM,IAAI,MAAM;AAGlB,MAAI,mBACF,KAAI;GACF,MAAM,iBAAiB,MAAM,KAAK,YAAY;IAC5C,MAAM;IACN,IAAI,KAAK;IACT,SAAS;MACR;AAEH,OAAI,CAAC,eAAe,QAClB,OAAM,IAAI,MAAM;WAEX,OAAO;AACd,WAAQ,MAAM,qCAAqC;AACnD,SAAM,IAAI,MAAM;;;;;;CAQtB,MAAM,aAA4B;AAChC,MAAI,KAAK,sBACP,QAAO,KAAK;AAQd,OAAK,wBAAwB,KAAK,kBAAkB,OAAM,UAAS;AACjE,WAAQ,MAAM,uCAAuC;AACrD,WAAQ,MAAM,+BAA+B;IAC3C,SAAS,MAAM;IACf,OAAO,MAAM;IACb,MAAM,MAAM;;AAGd,QAAK,wBAAwB;AAC7B,SAAM;;EAGR,MAAM,SAAS,MAAM,KAAK;AAC1B,SAAO;;;;;CAMT,MAAc,kBAAiC;AAC7C,MAAI;GACF,MAAM,eAAe,KAAK,OAAO,gBAAgBT,gCAAY,QAAQ;GACrE,MAAM,YAAYU,iCAAiB,cAAc;IAAE,QAAQ;IAAO,YAAY,KAAK;;AACnF,WAAQ,MAAM,4BAA4B;AAE1C,QAAK,YAAY,IAAI,OAAO,WAAW;IACrC,MAAM;IACN,MAAM;;AAGR,QAAK,UAAU,WAAW,UAAU;AAClC,YAAQ,MAAM,kCAAkC;;AAGlD,SAAM,KAAK;AAGX,OAAI,KAAK,OAAO,aAAa;IAC3B,MAAM,OAAO,MAAM,KAAK,YAA2C;KACjE,MAAM;KACN,IAAI,KAAK;KACT,SAAS,EAAE,QAAQ,KAAK,OAAO;;AAEjC,QAAI,CAAC,KAAK,QACR,OAAM,IAAI,MAAM,iCAAiC,KAAK;;AAK1D,OAAI,KAAK,OAAO,kBAAkB,KAAK,OAAO,wBAAwB,KAAK,OAAO,uBAAuB;IACvG,MAAM,QAAQ,MAAM,KAAK,YAAoD;KAC3E,MAAM;KACN,IAAI,KAAK;KACT,SAAS;MACP,gBAAgB,KAAK,OAAO;MAC5B,gBAAgB,KAAK,OAAO;MAC5B,iBAAiB,KAAK,OAAO;;;AAGjC,QAAI,CAAC,MAAM,QACT,OAAM,IAAI,MAAM,2CAA2C,MAAM;;WAI9DC,OAAY;AACnB,SAAM,IAAI,MAAM,yCAAyC,MAAM;;;;;;CAOnE,MAAc,YACZ,SACA,eAC4B;AAC5B,SAAO,IAAI,SAAS,SAAS,WAAW;AACtC,OAAI,CAAC,KAAK,WAAW;AACnB,2BAAO,IAAI,MAAM;AACjB;;GAGF,MAAM,YAAa,iBAAiB,KAAK,OAAO,iBAAiB;GACjE,MAAM,UAAU,iBAAiB;AAC/B,2BAAO,IAAI,MAAM,yCAAyC,UAAU,wBAAwB,QAAQ;MACnG;GAEH,MAAM,iBAAiB,UAAwB;IAC7C,MAAM,UAAU,MAAM;AAUtB,QAAK,SAAiB,SAASC,uCAAyB,uCAAuC;KAC7F,MAAM,MAAM;KAIZ,MAAM,MAAM,KAAK;AACjB,SAAI,CAAC,KAAK,WAAW;AACnB,cAAQ,MAAM;AACd;;AAEF,KAAKC,yEAAsC,KAAK,KAAK,KAAK;AAC1D;;IAGF,MAAM,WAAW;AACjB,QAAI,SAAS,OAAO,QAAQ,IAAI;AAC9B,kBAAa;AACb,UAAK,UAAW,oBAAoB,WAAW;AAC/C,aAAQ;;;AAIZ,QAAK,UAAU,iBAAiB,WAAW;AAC3C,QAAK,UAAU,YAAY;;;;;;CAO/B,AAAQ,oBAA4B;AAClC,SAAO,OAAO,KAAK,MAAM,GAAG,EAAE,KAAK;;;;;;CAOrC,MAAM,iBAAiB,MAKQ;AAC7B,SAAOC,0CAAiB,KAAK,qBAAqB;;CAGpD,MAAM,+BAA+B,WAAyB,WAA0C;AACtG,SAAOC,4DAA+B,KAAK,qBAAqB,WAAW;;CAG7E,MAAM,yBAAyB,WAAgD;AAC7E,SAAOC,sDAAyB,KAAK,qBAAqB;;;;;CAM5D,MAAM,iBAA2C;AAC/C,SAAOC,sCAAe,KAAK;;;;;CAM7B,MAAM,kBAAiC;AACrC,SAAOC,iCAAgB,KAAK;;;;;;;CAQ9B,uBAAuB,eAAgC;AACrD,OAAK,sBAAsB;AAC3B,UAAQ,MAAM,8CAA8C;;;;;;;;;;;CAY9D,MAAM,4BAA4B,MAO/B;AACD,SAAOC,gEAA4B,KAAK,qBAAqB;;;;;;;;;;;;CAa/D,MAAM,wBAAwB,MAU3B;AACD,SAAOC,wDAAwB,KAAK,qBAAqB;;;;;;CAO3D,MAAM,6BAA6B,MAKJ;AAC7B,SAAOC,kEAA6B,KAAK,qBAAqB;;;;;;;CAQhE,MAAM,sCAIH;AACD,SAAOC,gFAAoC,KAAK;;;;;CAMlD,MAAc,6BAA4C;AACxD,MAAI;GACF,MAAM,YAAY;GAClB,MAAM,eAAe,MAAM,KAAK,YAAY;IAC1C,MAAM;IACN,IAAI,KAAK;IACT,SAAS;MACR;AACH,OAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,+BAA+B,aAAa;AAE9D;WACOX,OAAY;AACnB,WAAQ,KAAK,oDAAoD,MAAM"}
1	+ {"version":3,"file":"index.js","names":["BUILD_PATHS","WorkerControlMessage","mintSessionKeysAndSendToSigner","dispenseSessionKey","checkSessionStatus","clearSession","prepareDecryptSession","confirmAndPrepareSigningSession","requestRegistrationCredentialConfirmation","confirmAndDeriveDevice2RegistrationSession","resolveWorkerUrl","error: any","SecureConfirmMessageType","handlePromptUserConfirmInJsMainThread","unlockVrfKeypair","generateVrfChallengeForSession","generateVrfChallengeOnce","checkVrfStatus","clearVrfSession","generateVrfKeypairBootstrap","deriveVrfKeypairFromPrf","shamir3PassDecryptVrfKeypair","shamir3PassEncryptCurrentVrfKeypair"],"sources":["../../../../../src/core/WebAuthnManager/VrfWorkerManager/index.ts"],"sourcesContent":["/*\n VRF Manager\n * Uses Web Workers for VRF keypair management with client-hosted worker files.\n /\n\nimport type {\n VRFWorkerStatus,\n VrfWorkerManagerConfig,\n EncryptedVRFKeypair,\n VRFInputData,\n VRFWorkerMessage,\n VRFWorkerResponse,\n ServerEncryptedVrfKeypair,\n WasmVrfWorkerRequestType,\n WasmShamir3PassConfigPRequest,\n WasmShamir3PassConfigServerUrlsRequest,\n} from '../../types/vrf-worker';\nimport type { VRFChallenge } from '../../types/vrf-worker';\nimport { BUILD_PATHS } from '../../../../build-paths.js';\nimport { resolveWorkerUrl } from '../../sdkPaths';\nimport type { AccountId } from '../../types/accountIds';\nimport type { TouchIdPrompt } from '../touchIdPrompt';\nimport type { NearClient } from '../../NearClient';\nimport type { UnifiedIndexedDBManager } from '../../IndexedDBManager';\nimport type { UserPreferencesManager } from '../userPreferences';\nimport type { NonceManager } from '../../nonceManager';\nimport {\n SecureConfirmMessageType,\n type SecureConfirmRequest,\n type SerializableCredential,\n type SigningAuthMode,\n} from './confirmTxFlow/types';\nimport type { TransactionInputWasm } from '../../types/actions';\nimport type { RpcCallPayload, ConfirmationConfig } from '../../types/signer-worker';\nimport type { TransactionContext } from '../../types/rpc';\nimport type { RegistrationCredentialConfirmationPayload } from '../SignerWorkerManager/handlers/validation';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../types/webauthn';\nimport { handlePromptUserConfirmInJsMainThread } from './confirmTxFlow';\nimport type { VrfWorkerManagerHandlerContext } from './handlers/types';\nimport { WorkerControlMessage } from '../../workerControlMessages';\nimport {\n checkVrfStatus,\n clearSession,\n clearVrfSession,\n confirmAndDeriveDevice2RegistrationSession,\n confirmAndPrepareSigningSession,\n deriveVrfKeypairFromPrf,\n mintSessionKeysAndSendToSigner,\n dispenseSessionKey,\n generateVrfChallengeForSession,\n generateVrfChallengeOnce,\n generateVrfKeypairBootstrap,\n checkSessionStatus,\n prepareDecryptSession,\n requestRegistrationCredentialConfirmation,\n shamir3PassDecryptVrfKeypair,\n shamir3PassEncryptCurrentVrfKeypair,\n unlockVrfKeypair,\n} from './handlers';\n\n/\n VRF-owned host context passed into confirmTxFlow.\n /\nexport interface VrfWorkerManagerContext {\n touchIdPrompt: TouchIdPrompt;\n nearClient: NearClient;\n indexedDB: UnifiedIndexedDBManager;\n userPreferencesManager: UserPreferencesManager;\n nonceManager: NonceManager;\n rpIdOverride?: string;\n nearExplorerUrl?: string;\n vrfWorkerManager?: SessionVrfWorkerManager;\n}\n\n/\n Narrow VRF manager surface used by confirmTxFlow. This interface only exposes\n * session-bound operations so confirm flows cannot accidentally call the\n * low-level helpers that take an optional sessionId.\n /\nexport interface SessionVrfWorkerManager {\n generateVrfKeypairBootstrap(args: {\n vrfInputData: VRFInputData;\n saveInMemory: boolean;\n sessionId: string;\n }): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge;\n }>;\n\n generateVrfChallengeForSession(inputData: VRFInputData, sessionId: string): Promise<VRFChallenge>;\n\n mintSessionKeysAndSendToSigner(args: {\n sessionId: string;\n wrapKeySalt?: string;\n contractId?: string;\n nearRpcUrl?: string;\n ttlMs?: number;\n remainingUses?: number;\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n }): Promise<{ sessionId: string; wrapKeySalt: string }>;\n\n dispenseSessionKey(args: {\n sessionId: string;\n uses?: number;\n }): Promise<{\n sessionId: string;\n remainingUses?: number;\n expiresAtMs?: number;\n }>;\n\n prepareDecryptSession(args: {\n sessionId: string;\n nearAccountId: AccountId;\n wrapKeySalt: string;\n encryptedVrfKeypair?: EncryptedVRFKeypair;\n expectedVrfPublicKey?: string;\n }): Promise<void>;\n\n requestRegistrationCredentialConfirmation(params: {\n nearAccountId: string;\n deviceNumber: number;\n confirmerText?: { title?: string; body?: string };\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n contractId: string;\n nearRpcUrl: string;\n }): Promise<RegistrationCredentialConfirmationPayload>;\n\n confirmAndDeriveDevice2RegistrationSession(params: {\n sessionId: string;\n nearAccountId: AccountId;\n deviceNumber: number;\n contractId: string;\n nearRpcUrl: string;\n authenticatorOptions?: object;\n wrapKeySalt?: string;\n }): Promise<{\n confirmed: boolean;\n sessionId: string;\n credential: WebAuthnRegistrationCredential;\n vrfChallenge: VRFChallenge;\n transactionContext: TransactionContext;\n wrapKeySalt: string;\n requestId: string;\n intentDigest: string;\n deterministicVrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n error?: string;\n }>;\n\n checkVrfStatus(): Promise<VRFWorkerStatus>;\n}\n\n/\n VRF Worker Manager\n \n This class manages VRF operations using Web Workers for:\n * - VRF keypair unlocking (login)\n * - VRF challenge generation (authentication)\n * - Session management (browser session only)\n * - Client-hosted worker files\n /\nexport class VrfWorkerManager {\n private vrfWorker: Worker \| null = null;\n private initializationPromise: Promise<void> \| null = null;\n private messageId = 0;\n private config: VrfWorkerManagerConfig;\n private currentVrfAccountId: string \| null = null;\n private workerBaseOrigin: string \| undefined;\n private context: VrfWorkerManagerContext;\n\n constructor(config: VrfWorkerManagerConfig, context: VrfWorkerManagerContext) {\n this.config = {\n // Default to client-hosted worker file using centralized config\n vrfWorkerUrl: BUILD_PATHS.RUNTIME.VRF_WORKER,\n workerTimeout: 60_000,\n debug: false,\n ...config\n };\n // Attach a self-reference so confirmTxFlow helpers can call back into VRF APIs.\n this.context = {\n ...context,\n vrfWorkerManager: this,\n };\n }\n\n /\n Context used by confirmTxFlow for VRF-driven flows.\n /\n getContext(): VrfWorkerManagerContext {\n return this.context;\n }\n\n private getHandlerContext(): VrfWorkerManagerHandlerContext {\n return {\n ensureWorkerReady: this.ensureWorkerReady.bind(this),\n sendMessage: this.sendMessage.bind(this),\n generateMessageId: this.generateMessageId.bind(this),\n getContext: this.getContext.bind(this),\n postToWorker: (message: unknown, transfer?: Transferable[]) => {\n if (!this.vrfWorker) {\n throw new Error('VRF Web Worker not available');\n }\n this.vrfWorker.postMessage(message, transfer as any);\n },\n getCurrentVrfAccountId: () => this.currentVrfAccountId,\n setCurrentVrfAccountId: (next: string \| null) => {\n this.currentVrfAccountId = next;\n },\n };\n }\n\n /\n Create a VRF-owned MessageChannel for signing and return the signer-facing port.\n * VRF retains the sibling port for WrapKeySeed delivery.\n /\n async createSigningSessionChannel(sessionId: string): Promise<MessagePort> {\n await this.ensureWorkerReady(true);\n if (!this.vrfWorker) {\n throw new Error('VRF Web Worker not available');\n }\n\n const channel = new MessageChannel();\n\n // Wait for VRF worker ACK to avoid a race where MintSessionKeys runs before\n // the VRF worker has stored the port (WrapKeySeed delivery would silently no-op).\n const ackPromise = new Promise<void>((resolve, reject) => {\n const worker = this.vrfWorker!;\n const timeout = setTimeout(() => {\n cleanup();\n reject(new Error(`Timeout waiting for VRF WrapKeySeed port attach for session ${sessionId}`));\n }, 2000);\n\n const onMessage = (event: MessageEvent) => {\n const msg = (event as any)?.data as any;\n if (!msg \|\| typeof msg.type !== 'string') return;\n if (msg.sessionId !== sessionId) return;\n\n if (msg.type === WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR) {\n cleanup();\n reject(new Error(String(msg.error \|\| 'VRF worker failed to attach WrapKeySeed port')));\n return;\n }\n if (msg.type === WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK) {\n cleanup();\n resolve();\n }\n };\n\n const cleanup = () => {\n clearTimeout(timeout);\n worker.removeEventListener('message', onMessage);\n };\n\n worker.addEventListener('message', onMessage);\n });\n\n this.vrfWorker.postMessage(\n { type: WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT, sessionId },\n [channel.port1],\n );\n\n await ackPromise;\n return channel.port2;\n }\n\n /\n Derive WrapKeySeed in the VRF worker and deliver it (along with PRF.second if credential provided)\n * to the signer worker via the registered port.\n /\n async mintSessionKeysAndSendToSigner(args: {\n sessionId: string;\n // Optional vault wrapKeySalt. When omitted or empty, VRF worker will generate a fresh wrapKeySalt.\n wrapKeySalt?: string;\n // Optional contract verification context; when provided, VRF Rust will call\n // verify_authentication_response before deriving WrapKeySeed.\n contractId?: string;\n nearRpcUrl?: string;\n // Optional signing-session config. When omitted, VRF worker uses defaults.\n ttlMs?: number;\n remainingUses?: number;\n // Optional credential for PRF.second extraction (registration or authentication)\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n }): Promise<{ sessionId: string; wrapKeySalt: string }> {\n return mintSessionKeysAndSendToSigner(this.getHandlerContext(), args);\n }\n\n /\n Dispense an existing VRF-owned session key (WrapKeySeed + wrapKeySalt) over the\n * attached MessagePort for `sessionId`, enforcing TTL/usage in the VRF worker.\n \n This is the primitive needed for \"warm\" signing sessions: 1 VRF worker → N one-shot signer workers.\n /\n async dispenseSessionKey(args: {\n sessionId: string;\n uses?: number;\n }): Promise<{\n sessionId: string;\n remainingUses?: number;\n expiresAtMs?: number;\n }> {\n return dispenseSessionKey(this.getHandlerContext(), args);\n }\n\n /\n Query VRF-owned signing session status for UI introspection.\n * This does not prompt and does not reveal secrets; it only returns metadata.\n /\n async checkSessionStatus(args: {\n sessionId: string;\n }): Promise<{\n sessionId: string;\n status: 'active' \| 'exhausted' \| 'expired' \| 'not_found';\n remainingUses?: number;\n expiresAtMs?: number;\n createdAtMs?: number;\n }> {\n return checkSessionStatus(this.getHandlerContext(), args);\n }\n\n /\n Clear VRF-owned signing session material for a given `sessionId`.\n * Intended for explicit \"Lock\" actions or lifecycle cleanup.\n /\n async clearSession(args: {\n sessionId: string;\n }): Promise<{\n sessionId: string;\n clearedSession: boolean;\n clearedChallenge: boolean;\n clearedPort: boolean;\n }> {\n return clearSession(this.getHandlerContext(), args);\n }\n\n /\n VRF-driven decrypt session for export flows.\n * Kicks off a LocalOnly DECRYPT_PRIVATE_KEY_WITH_PRF confirm via VRF Rust and derives\n * WrapKeySeed using the vault-provided wrapKeySalt. WrapKeySeed + wrapKeySalt are sent to the signer over\n * the dedicated MessagePort for the given sessionId.\n /\n async prepareDecryptSession(args: {\n sessionId: string;\n nearAccountId: AccountId;\n wrapKeySalt: string;\n encryptedVrfKeypair?: EncryptedVRFKeypair;\n expectedVrfPublicKey?: string;\n }): Promise<void> {\n return prepareDecryptSession(this.getHandlerContext(), args);\n }\n\n /\n VRF-driven confirmation + WrapKeySeed derivation for signing flows.\n * Runs confirmTxFlow on the main thread, derives WrapKeySeed in the VRF worker, and returns\n * the session metadata needed by the signer worker. WrapKeySeed itself travels only over the\n * reserved MessagePort registered via registerSignerWrapKeySeedPort.\n /\n async confirmAndPrepareSigningSession(params: {\n ctx: VrfWorkerManagerContext;\n sessionId: string;\n signingAuthMode?: SigningAuthMode;\n sessionPolicyDigest32?: string;\n kind: 'transaction';\n txSigningRequests: TransactionInputWasm[];\n rpcCall: RpcCallPayload;\n title?: string;\n body?: string;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n } \| {\n ctx: VrfWorkerManagerContext;\n sessionId: string;\n signingAuthMode?: SigningAuthMode;\n sessionPolicyDigest32?: string;\n kind: 'delegate';\n nearAccountId: string;\n title?: string;\n body?: string;\n delegate: {\n senderId: string;\n receiverId: string;\n actions: TransactionInputWasm['actions'];\n nonce: string \| number \| bigint;\n maxBlockHeight: string \| number \| bigint;\n };\n rpcCall: RpcCallPayload;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n } \| {\n ctx: VrfWorkerManagerContext;\n sessionId: string;\n signingAuthMode?: SigningAuthMode;\n sessionPolicyDigest32?: string;\n kind: 'nep413';\n nearAccountId: string;\n message: string;\n recipient: string;\n title?: string;\n body?: string;\n contractId?: string;\n nearRpcUrl?: string;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n }): Promise<{\n sessionId: string;\n transactionContext: TransactionContext;\n intentDigest: string;\n credential?: SerializableCredential;\n vrfChallenge?: VRFChallenge;\n }> {\n return confirmAndPrepareSigningSession(this.getHandlerContext(), params);\n }\n\n /\n VRF-driven helper for registration confirmation.\n * Runs confirmTxFlow on the main thread and returns registration artifacts.\n * WrapKeySeed derivation is handled later when we call into signing/derivation\n * flows with PRF + withSigningSession.\n /\n async requestRegistrationCredentialConfirmation(params: {\n nearAccountId: string;\n deviceNumber: number;\n confirmerText?: { title?: string; body?: string };\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n contractId: string;\n nearRpcUrl: string;\n }): Promise<RegistrationCredentialConfirmationPayload> {\n return requestRegistrationCredentialConfirmation(this.getHandlerContext(), params);\n }\n\n /\n Combined Device2 registration session: single WebAuthn ceremony for credential + WrapKeySeed derivation.\n \n This method orchestrates the complete Device2 registration flow:\n * 1. Runs a VRF-driven registration confirmation (single TouchID prompt)\n * 2. Extracts PRF.first from the credential and derives WrapKeySeed\n * 3. Sends WrapKeySeed to signer worker via MessagePort (never exposed to JS)\n * 4. Returns credential (with PRF.second embedded), vrfChallenge, transactionContext, wrapKeySalt\n \n The signer worker can then use PRF.second for NEAR key derivation and WrapKeySeed for encryption.\n /\n async confirmAndDeriveDevice2RegistrationSession(params: {\n sessionId: string;\n nearAccountId: AccountId;\n deviceNumber: number;\n contractId: string;\n nearRpcUrl: string;\n authenticatorOptions?: object;\n wrapKeySalt?: string;\n }): Promise<{\n confirmed: boolean;\n sessionId: string;\n credential: WebAuthnRegistrationCredential;\n vrfChallenge: VRFChallenge;\n transactionContext: TransactionContext;\n wrapKeySalt: string;\n requestId: string;\n intentDigest: string;\n deterministicVrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n error?: string;\n }> {\n return confirmAndDeriveDevice2RegistrationSession(this.getHandlerContext(), params);\n }\n\n setWorkerBaseOrigin(origin: string \| undefined): void {\n this.workerBaseOrigin = origin;\n }\n\n /\n Ensure VRF worker is ready for operations\n * @param requireHealthCheck - Whether to perform health check after initialization\n /\n private async ensureWorkerReady(requireHealthCheck = false): Promise<void> {\n if (this.initializationPromise) {\n await this.initializationPromise;\n } else if (!this.vrfWorker) {\n await this.initialize();\n }\n if (!this.vrfWorker) {\n throw new Error('VRF Worker failed to initialize');\n }\n // Optional health check for critical operations\n if (requireHealthCheck) {\n try {\n const healthResponse = await this.sendMessage({\n type: 'PING',\n id: this.generateMessageId(),\n payload: {} as WasmVrfWorkerRequestType\n }, 3000);\n\n if (!healthResponse.success) {\n throw new Error('VRF Worker failed health check');\n }\n } catch (error) {\n console.error('VRF Manager: Health check failed:', error);\n throw new Error('VRF Worker failed health check');\n }\n }\n }\n\n /\n Initialize VRF functionality using Web Workers\n /\n async initialize(): Promise<void> {\n if (this.initializationPromise) {\n return this.initializationPromise;\n }\n // =============================================================\n // This improved error handling ensures that:\n // 1. Initialization failures are properly logged with full details\n // 2. Errors are re-thrown to callers (no silent swallowing)\n // 3. Failed initialization promise is reset for retry\n // 4. Debug logs actually appear in test output\n this.initializationPromise = this.createVrfWorker().catch(error => {\n console.error('VRF Manager: Initialization failed:', error);\n console.error('VRF Manager: Error details:', {\n message: error.message,\n stack: error.stack,\n name: error.name\n });\n // Reset promise so initialization can be retried\n this.initializationPromise = null;\n throw error; // Re-throw so callers know it failed\n });\n\n const result = await this.initializationPromise;\n return result;\n }\n\n /\n Initialize Web Worker with client-hosted VRF worker\n /\n private async createVrfWorker(): Promise<void> {\n try {\n const relativePath = this.config.vrfWorkerUrl \|\| BUILD_PATHS.RUNTIME.VRF_WORKER;\n const vrfUrlStr = resolveWorkerUrl(relativePath, { worker: 'vrf', baseOrigin: this.workerBaseOrigin })\n console.debug('VRF Manager: Worker URL:', vrfUrlStr);\n // Create Web Worker from resolved URL\n this.vrfWorker = new Worker(vrfUrlStr, {\n type: 'module',\n name: 'Web3AuthnVRFWorker'\n });\n // Set up error handling\n this.vrfWorker.onerror = (error) => {\n console.error('VRF Manager: Web Worker error:', error);\n };\n // Test communication with the Web Worker\n await this.testWebWorkerCommunication();\n\n // Configure Shamir P if provided\n if (this.config.shamirPB64u) {\n const resp = await this.sendMessage<WasmShamir3PassConfigPRequest>({\n type: 'SHAMIR3PASS_CONFIG_P',\n id: this.generateMessageId(),\n payload: { p_b64u: this.config.shamirPB64u }\n });\n if (!resp.success) {\n throw new Error(`Failed to configure Shamir P: ${resp.error}`);\n }\n }\n\n // Configure relay server URLs if provided\n if (this.config.relayServerUrl && this.config.applyServerLockRoute && this.config.removeServerLockRoute) {\n const resp2 = await this.sendMessage<WasmShamir3PassConfigServerUrlsRequest>({\n type: 'SHAMIR3PASS_CONFIG_SERVER_URLS',\n id: this.generateMessageId(),\n payload: {\n relayServerUrl: this.config.relayServerUrl,\n applyLockRoute: this.config.applyServerLockRoute,\n removeLockRoute: this.config.removeServerLockRoute,\n }\n });\n if (!resp2.success) {\n throw new Error(`Failed to configure Shamir server URLs: ${resp2.error}`);\n }\n }\n\n } catch (error: any) {\n throw new Error(`VRF Web Worker initialization failed: ${error.message}`);\n }\n }\n\n /\n Send message to Web Worker and wait for response\n /\n private async sendMessage<T extends WasmVrfWorkerRequestType>(\n message: VRFWorkerMessage<T>,\n customTimeout?: number\n ): Promise<VRFWorkerResponse> {\n return new Promise((resolve, reject) => {\n if (!this.vrfWorker) {\n reject(new Error('VRF Web Worker not available'));\n return;\n }\n\n const timeoutMs = (customTimeout ?? this.config.workerTimeout ?? 60_000);\n const timeout = setTimeout(() => {\n reject(new Error(`VRF Web Worker communication timeout (${timeoutMs}ms) for message type: ${message.type}`));\n }, timeoutMs);\n\n const handleMessage = (event: MessageEvent) => {\n const payload = event.data as VRFWorkerResponse \| {\n type?: unknown;\n data?: unknown;\n };\n\n // Intercept SecureConfirm handshake messages from the VRF worker and\n // dispatch them through confirmTxFlow on the main thread. The decision\n // is sent back to the worker as USER_PASSKEY_CONFIRM_RESPONSE and\n // consumed by awaitSecureConfirmationV2; this should not resolve the\n // original VRF request promise.\n if ((payload as any)?.type === SecureConfirmMessageType.PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD) {\n const env = payload as {\n type: SecureConfirmMessageType.PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD;\n data: SecureConfirmRequest;\n };\n const ctx = this.getContext();\n if (!this.vrfWorker) {\n console.error('[VRF] SecureConfirm: vrfWorker missing for PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD');\n return;\n }\n void handlePromptUserConfirmInJsMainThread(ctx, env, this.vrfWorker);\n return;\n }\n\n const response = payload as VRFWorkerResponse;\n if (response.id === message.id) {\n clearTimeout(timeout);\n this.vrfWorker!.removeEventListener('message', handleMessage);\n resolve(response);\n }\n };\n\n this.vrfWorker.addEventListener('message', handleMessage);\n this.vrfWorker.postMessage(message);\n });\n }\n\n /\n Generate unique message ID\n /\n private generateMessageId(): string {\n return `vrf_${Date.now()}_${++this.messageId}`;\n }\n\n /\n Unlock VRF keypair in Web Worker memory using PRF output\n * This is called during login to decrypt and load the VRF keypair in-memory\n /\n async unlockVrfKeypair(args: {\n credential: WebAuthnAuthenticationCredential \| WebAuthnRegistrationCredential;\n nearAccountId: AccountId;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n onEvent?: (event: { type: string; data: { step: string; message: string } }) => void;\n }): Promise<VRFWorkerResponse> {\n return unlockVrfKeypair(this.getHandlerContext(), args);\n }\n\n async generateVrfChallengeForSession(inputData: VRFInputData, sessionId: string): Promise<VRFChallenge> {\n return generateVrfChallengeForSession(this.getHandlerContext(), inputData, sessionId);\n }\n\n async generateVrfChallengeOnce(inputData: VRFInputData): Promise<VRFChallenge> {\n return generateVrfChallengeOnce(this.getHandlerContext(), inputData);\n }\n\n /\n Get current VRF session status\n /\n async checkVrfStatus(): Promise<VRFWorkerStatus> {\n return checkVrfStatus(this.getHandlerContext());\n }\n\n /\n Logout and clear VRF session\n /\n async clearVrfSession(): Promise<void> {\n return clearVrfSession(this.getHandlerContext());\n }\n\n /\n Set the current VRF account ID at the TypeScript level\n * Used after VRF keypair is loaded in WASM memory (e.g., after deriveVrfKeypairFromPrf)\n * to track which account has an active VRF session\n /\n setCurrentVrfAccountId(nearAccountId: AccountId): void {\n this.currentVrfAccountId = nearAccountId;\n console.debug(`VRF Manager: Current VRF account ID set to ${nearAccountId}`);\n }\n\n /\n Generate VRF keypair for bootstrapping - stores in memory unencrypted temporarily\n * This is used during registration to generate a VRF keypair that will be used for\n * WebAuthn ceremony and later encrypted with the real PRF output\n \n @param saveInMemory - Always true for bootstrap (VRF keypair stored in memory)\n * @param vrfInputParams - Optional parameters to generate VRF challenge/proof in same call\n * @returns VRF public key and optionally VRF challenge data\n /\n async generateVrfKeypairBootstrap(args: {\n vrfInputData: VRFInputData;\n saveInMemory: boolean;\n sessionId?: string;\n }): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge;\n }> {\n return generateVrfKeypairBootstrap(this.getHandlerContext(), args);\n }\n\n /\n Derive deterministic VRF keypair from PRF output embedded in a WebAuthn credential.\n * Optionally generates VRF challenge if input parameters are provided\n * This enables deterministic VRF key derivation without needing stored VRF keypairs\n \n @param credential - WebAuthn credential containing PRF outputs\n * @param nearAccountId - NEAR account ID for key derivation salt\n * @param vrfInputParams - Optional VRF input parameters for challenge generation\n * @returns Deterministic VRF public key, optional VRF challenge, and encrypted VRF keypair for storage\n /\n async deriveVrfKeypairFromPrf(args: {\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n nearAccountId: AccountId;\n vrfInputData?: VRFInputData; // optional, for challenge generation\n saveInMemory?: boolean; // optional, whether to save in worker memory\n }): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge \| null;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair \| null;\n }> {\n return deriveVrfKeypairFromPrf(this.getHandlerContext(), args);\n }\n\n /\n This securely decrypts the shamir3Pass encrypted VRF keypair and loads it into memory\n * It performs Shamir-3-Pass commutative decryption within WASM worker with the relay-server\n /\n async shamir3PassDecryptVrfKeypair(args: {\n nearAccountId: AccountId;\n kek_s_b64u: string;\n ciphertextVrfB64u: string;\n serverKeyId: string;\n }): Promise<VRFWorkerResponse> {\n return shamir3PassDecryptVrfKeypair(this.getHandlerContext(), args);\n }\n\n /\n Shamir 3-pass: encrypt the currently unlocked VRF keypair under the server key\n * Returns a fresh serverEncryptedVrfKeypair blob for IndexedDB.\n * Requires: current VRF keypair is unlocked and present in worker memory.\n /\n async shamir3PassEncryptCurrentVrfKeypair(): Promise<{\n ciphertextVrfB64u: string;\n kek_s_b64u: string;\n serverKeyId: string;\n }> {\n return shamir3PassEncryptCurrentVrfKeypair(this.getHandlerContext());\n }\n\n /\n Test Web Worker communication\n */\n private async testWebWorkerCommunication(): Promise<void> {\n try {\n const timeoutMs = 2000;\n const pingResponse = await this.sendMessage({\n type: 'PING',\n id: this.generateMessageId(),\n payload: {} as WasmVrfWorkerRequestType\n }, timeoutMs);\n if (!pingResponse.success) {\n throw new Error(`VRF Web Worker PING failed: ${pingResponse.error}`);\n }\n return;\n } catch (error: any) {\n console.warn(`️VRF Manager: testWebWorkerCommunication failed:`, error.message);\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiKA,IAAa,mBAAb,MAA8B;CAC5B,AAAQ,YAA2B;CACnC,AAAQ,wBAA8C;CACtD,AAAQ,YAAY;CACpB,AAAQ;CACR,AAAQ,sBAAqC;CAC7C,AAAQ;CACR,AAAQ;CAER,YAAY,QAAgC,SAAkC;AAC5E,OAAK,SAAS;GAEZ,cAAcA,gCAAY,QAAQ;GAClC,eAAe;GACf,OAAO;GACP,GAAG;;AAGL,OAAK,UAAU;GACb,GAAG;GACH,kBAAkB;;;;;;CAOtB,aAAsC;AACpC,SAAO,KAAK;;CAGd,AAAQ,oBAAoD;AAC1D,SAAO;GACL,mBAAmB,KAAK,kBAAkB,KAAK;GAC/C,aAAa,KAAK,YAAY,KAAK;GACnC,mBAAmB,KAAK,kBAAkB,KAAK;GAC/C,YAAY,KAAK,WAAW,KAAK;GACjC,eAAe,SAAkB,aAA8B;AAC7D,QAAI,CAAC,KAAK,UACR,OAAM,IAAI,MAAM;AAElB,SAAK,UAAU,YAAY,SAAS;;GAEtC,8BAA8B,KAAK;GACnC,yBAAyB,SAAwB;AAC/C,SAAK,sBAAsB;;;;;;;;CASjC,MAAM,4BAA4B,WAAyC;AACzE,QAAM,KAAK,kBAAkB;AAC7B,MAAI,CAAC,KAAK,UACR,OAAM,IAAI,MAAM;EAGlB,MAAM,UAAU,IAAI;EAIpB,MAAM,aAAa,IAAI,SAAe,SAAS,WAAW;GACxD,MAAM,SAAS,KAAK;GACpB,MAAM,UAAU,iBAAiB;AAC/B;AACA,2BAAO,IAAI,MAAM,+DAA+D;MAC/E;GAEH,MAAM,aAAa,UAAwB;IACzC,MAAM,MAAO,OAAe;AAC5B,QAAI,CAAC,OAAO,OAAO,IAAI,SAAS,SAAU;AAC1C,QAAI,IAAI,cAAc,UAAW;AAEjC,QAAI,IAAI,SAASC,mDAAqB,iCAAiC;AACrE;AACA,YAAO,IAAI,MAAM,OAAO,IAAI,SAAS;AACrC;;AAEF,QAAI,IAAI,SAASA,mDAAqB,8BAA8B;AAClE;AACA;;;GAIJ,MAAM,gBAAgB;AACpB,iBAAa;AACb,WAAO,oBAAoB,WAAW;;AAGxC,UAAO,iBAAiB,WAAW;;AAGrC,OAAK,UAAU,YACb;GAAE,MAAMA,mDAAqB;GAA2B;KACxD,CAAC,QAAQ;AAGX,QAAM;AACN,SAAO,QAAQ;;;;;;CAOjB,MAAM,+BAA+B,MAamB;AACtD,SAAOC,sEAA+B,KAAK,qBAAqB;;;;;;;;CASlE,MAAM,mBAAmB,MAOtB;AACD,SAAOC,8CAAmB,KAAK,qBAAqB;;;;;;CAOtD,MAAM,mBAAmB,MAQtB;AACD,SAAOC,8CAAmB,KAAK,qBAAqB;;;;;;CAOtD,MAAM,aAAa,MAOhB;AACD,SAAOC,kCAAa,KAAK,qBAAqB;;;;;;;;CAShD,MAAM,sBAAsB,MAMV;AAChB,SAAOC,oDAAsB,KAAK,qBAAqB;;;;;;;;CASzD,MAAM,gCAAgC,QAiDnC;AACD,SAAOC,wEAAgC,KAAK,qBAAqB;;;;;;;;CASnE,MAAM,0CAA0C,QAOO;AACrD,SAAOC,4FAA0C,KAAK,qBAAqB;;;;;;;;;;;;;CAc7E,MAAM,2CAA2C,QAoB9C;AACD,SAAOC,8FAA2C,KAAK,qBAAqB;;CAG9E,oBAAoB,QAAkC;AACpD,OAAK,mBAAmB;;;;;;CAO1B,MAAc,kBAAkB,qBAAqB,OAAsB;AACzE,MAAI,KAAK,sBACP,OAAM,KAAK;WACF,CAAC,KAAK,UACf,OAAM,KAAK;AAEb,MAAI,CAAC,KAAK,UACR,OAAM,IAAI,MAAM;AAGlB,MAAI,mBACF,KAAI;GACF,MAAM,iBAAiB,MAAM,KAAK,YAAY;IAC5C,MAAM;IACN,IAAI,KAAK;IACT,SAAS;MACR;AAEH,OAAI,CAAC,eAAe,QAClB,OAAM,IAAI,MAAM;WAEX,OAAO;AACd,WAAQ,MAAM,qCAAqC;AACnD,SAAM,IAAI,MAAM;;;;;;CAQtB,MAAM,aAA4B;AAChC,MAAI,KAAK,sBACP,QAAO,KAAK;AAQd,OAAK,wBAAwB,KAAK,kBAAkB,OAAM,UAAS;AACjE,WAAQ,MAAM,uCAAuC;AACrD,WAAQ,MAAM,+BAA+B;IAC3C,SAAS,MAAM;IACf,OAAO,MAAM;IACb,MAAM,MAAM;;AAGd,QAAK,wBAAwB;AAC7B,SAAM;;EAGR,MAAM,SAAS,MAAM,KAAK;AAC1B,SAAO;;;;;CAMT,MAAc,kBAAiC;AAC7C,MAAI;GACF,MAAM,eAAe,KAAK,OAAO,gBAAgBT,gCAAY,QAAQ;GACrE,MAAM,YAAYU,iCAAiB,cAAc;IAAE,QAAQ;IAAO,YAAY,KAAK;;AACnF,WAAQ,MAAM,4BAA4B;AAE1C,QAAK,YAAY,IAAI,OAAO,WAAW;IACrC,MAAM;IACN,MAAM;;AAGR,QAAK,UAAU,WAAW,UAAU;AAClC,YAAQ,MAAM,kCAAkC;;AAGlD,SAAM,KAAK;AAGX,OAAI,KAAK,OAAO,aAAa;IAC3B,MAAM,OAAO,MAAM,KAAK,YAA2C;KACjE,MAAM;KACN,IAAI,KAAK;KACT,SAAS,EAAE,QAAQ,KAAK,OAAO;;AAEjC,QAAI,CAAC,KAAK,QACR,OAAM,IAAI,MAAM,iCAAiC,KAAK;;AAK1D,OAAI,KAAK,OAAO,kBAAkB,KAAK,OAAO,wBAAwB,KAAK,OAAO,uBAAuB;IACvG,MAAM,QAAQ,MAAM,KAAK,YAAoD;KAC3E,MAAM;KACN,IAAI,KAAK;KACT,SAAS;MACP,gBAAgB,KAAK,OAAO;MAC5B,gBAAgB,KAAK,OAAO;MAC5B,iBAAiB,KAAK,OAAO;;;AAGjC,QAAI,CAAC,MAAM,QACT,OAAM,IAAI,MAAM,2CAA2C,MAAM;;WAI9DC,OAAY;AACnB,SAAM,IAAI,MAAM,yCAAyC,MAAM;;;;;;CAOnE,MAAc,YACZ,SACA,eAC4B;AAC5B,SAAO,IAAI,SAAS,SAAS,WAAW;AACtC,OAAI,CAAC,KAAK,WAAW;AACnB,2BAAO,IAAI,MAAM;AACjB;;GAGF,MAAM,YAAa,iBAAiB,KAAK,OAAO,iBAAiB;GACjE,MAAM,UAAU,iBAAiB;AAC/B,2BAAO,IAAI,MAAM,yCAAyC,UAAU,wBAAwB,QAAQ;MACnG;GAEH,MAAM,iBAAiB,UAAwB;IAC7C,MAAM,UAAU,MAAM;AAUtB,QAAK,SAAiB,SAASC,uCAAyB,uCAAuC;KAC7F,MAAM,MAAM;KAIZ,MAAM,MAAM,KAAK;AACjB,SAAI,CAAC,KAAK,WAAW;AACnB,cAAQ,MAAM;AACd;;AAEF,KAAKC,yEAAsC,KAAK,KAAK,KAAK;AAC1D;;IAGF,MAAM,WAAW;AACjB,QAAI,SAAS,OAAO,QAAQ,IAAI;AAC9B,kBAAa;AACb,UAAK,UAAW,oBAAoB,WAAW;AAC/C,aAAQ;;;AAIZ,QAAK,UAAU,iBAAiB,WAAW;AAC3C,QAAK,UAAU,YAAY;;;;;;CAO/B,AAAQ,oBAA4B;AAClC,SAAO,OAAO,KAAK,MAAM,GAAG,EAAE,KAAK;;;;;;CAOrC,MAAM,iBAAiB,MAKQ;AAC7B,SAAOC,0CAAiB,KAAK,qBAAqB;;CAGpD,MAAM,+BAA+B,WAAyB,WAA0C;AACtG,SAAOC,4DAA+B,KAAK,qBAAqB,WAAW;;CAG7E,MAAM,yBAAyB,WAAgD;AAC7E,SAAOC,sDAAyB,KAAK,qBAAqB;;;;;CAM5D,MAAM,iBAA2C;AAC/C,SAAOC,sCAAe,KAAK;;;;;CAM7B,MAAM,kBAAiC;AACrC,SAAOC,iCAAgB,KAAK;;;;;;;CAQ9B,uBAAuB,eAAgC;AACrD,OAAK,sBAAsB;AAC3B,UAAQ,MAAM,8CAA8C;;;;;;;;;;;CAY9D,MAAM,4BAA4B,MAO/B;AACD,SAAOC,gEAA4B,KAAK,qBAAqB;;;;;;;;;;;;CAa/D,MAAM,wBAAwB,MAU3B;AACD,SAAOC,wDAAwB,KAAK,qBAAqB;;;;;;CAO3D,MAAM,6BAA6B,MAKJ;AAC7B,SAAOC,kEAA6B,KAAK,qBAAqB;;;;;;;CAQhE,MAAM,sCAIH;AACD,SAAOC,gFAAoC,KAAK;;;;;CAMlD,MAAc,6BAA4C;AACxD,MAAI;GACF,MAAM,YAAY;GAClB,MAAM,eAAe,MAAM,KAAK,YAAY;IAC1C,MAAM;IACN,IAAI,KAAK;IACT,SAAS;MACR;AACH,OAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,+BAA+B,aAAa;AAE9D;WACOX,OAAY;AACnB,WAAQ,KAAK,oDAAoD,MAAM"}

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/secureConfirmBridge.js CHANGED Viewed

@@ -1,4 +1,3 @@
-const require_rolldown_runtime = require('../../../_virtual/rolldown_runtime.js');
 const require_types = require('./confirmTxFlow/types.js');
 const require_handleSecureConfirmRequest = require('./confirmTxFlow/handleSecureConfirmRequest.js');

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/secureConfirmBridge.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"secureConfirmBridge.js","names":["SecureConfirmMessageType"],"sources":["../../../../../src/core/WebAuthnManager/VrfWorkerManager/secureConfirmBridge.ts"],"sourcesContent":["import {\n SecureConfirmMessageType,\n SecureConfirmRequest,\n SecureConfirmDecision,\n} from './confirmTxFlow/types';\nimport { handlePromptUserConfirmInJsMainThread } from './confirmTxFlow';\nimport type { VrfWorkerManagerContext } from '.';\n\n/*\n VRF-side helper to run confirmTxFlow directly from JS without going through a worker.\n * Useful while VRF-driven flows migrate off the signer worker.\n \n Returns the USER_PASSKEY_CONFIRM_RESPONSE data once the flow completes.\n */\nexport async function runSecureConfirm(\n ctx: VrfWorkerManagerContext,\n request: SecureConfirmRequest\n): Promise<SecureConfirmDecision> {\n return new Promise<SecureConfirmDecision>((resolve, reject) => {\n // Minimal Worker-like object to capture the response\n const worker = {\n postMessage: (msg: any) => {\n if (msg?.type === SecureConfirmMessageType.USER_PASSKEY_CONFIRM_RESPONSE) {\n resolve(msg.data as SecureConfirmDecision);\n }\n }\n } as unknown as Worker;\n\n handlePromptUserConfirmInJsMainThread(\n ctx,\n { type: SecureConfirmMessageType.PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD, data: request },\n worker\n ).catch(reject);\n });\n}\n"],"mappings":"~~;;;;;;;;;;;~~AAcA,eAAsB,iBACpB,KACA,SACgC;AAChC,QAAO,IAAI,SAAgC,SAAS,WAAW;EAE7D,MAAM,SAAS,EACb,cAAc,QAAa;AACzB,OAAI,KAAK,SAASA,uCAAyB,8BACzC,SAAQ,IAAI;;AAKlB,2EACE,KACA;GAAE,MAAMA,uCAAyB;GAAuC,MAAM;KAC9E,QACA,MAAM"}
1	+ {"version":3,"file":"secureConfirmBridge.js","names":["SecureConfirmMessageType"],"sources":["../../../../../src/core/WebAuthnManager/VrfWorkerManager/secureConfirmBridge.ts"],"sourcesContent":["import {\n SecureConfirmMessageType,\n SecureConfirmRequest,\n SecureConfirmDecision,\n} from './confirmTxFlow/types';\nimport { handlePromptUserConfirmInJsMainThread } from './confirmTxFlow';\nimport type { VrfWorkerManagerContext } from '.';\n\n/*\n VRF-side helper to run confirmTxFlow directly from JS without going through a worker.\n * Useful while VRF-driven flows migrate off the signer worker.\n \n Returns the USER_PASSKEY_CONFIRM_RESPONSE data once the flow completes.\n */\nexport async function runSecureConfirm(\n ctx: VrfWorkerManagerContext,\n request: SecureConfirmRequest\n): Promise<SecureConfirmDecision> {\n return new Promise<SecureConfirmDecision>((resolve, reject) => {\n // Minimal Worker-like object to capture the response\n const worker = {\n postMessage: (msg: any) => {\n if (msg?.type === SecureConfirmMessageType.USER_PASSKEY_CONFIRM_RESPONSE) {\n resolve(msg.data as SecureConfirmDecision);\n }\n }\n } as unknown as Worker;\n\n handlePromptUserConfirmInJsMainThread(\n ctx,\n { type: SecureConfirmMessageType.PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD, data: request },\n worker\n ).catch(reject);\n });\n}\n"],"mappings":";;;;;;;;;;AAcA,eAAsB,iBACpB,KACA,SACgC;AAChC,QAAO,IAAI,SAAgC,SAAS,WAAW;EAE7D,MAAM,SAAS,EACb,cAAc,QAAa;AACzB,OAAI,KAAK,SAASA,uCAAyB,8BACzC,SAAQ,IAAI;;AAKlB,2EACE,KACA;GAAE,MAAMA,uCAAyB;GAAuC,MAAM;KAC9E,QACA,MAAM"}

package/dist/cjs/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.js CHANGED Viewed

@@ -1,6 +1,11 @@
-const require_rolldown_runtime = require('../../../_virtual/rolldown_runtime.js');
 //#region src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts
+const WebAuthnBridgeMessage = {
+	Create: "WALLET_WEBAUTHN_CREATE",
+	Get: "WALLET_WEBAUTHN_GET",
+	CreateResult: "WALLET_WEBAUTHN_CREATE_RESULT",
+	GetResult: "WALLET_WEBAUTHN_GET_RESULT"
+};
 function getResultTypeFor(kind) {
 	return kind === WebAuthnBridgeMessage.Get ? WebAuthnBridgeMessage.GetResult : WebAuthnBridgeMessage.CreateResult;
 }
@@ -103,6 +108,54 @@ async function requestParentDomainWebAuthn(kind, publicKey, client, timeoutMs) {
 	if (kind === "create") return client.request(WebAuthnBridgeMessage.Create, publicKey, timeoutMs);
 	return client.request(WebAuthnBridgeMessage.Get, publicKey, timeoutMs);
 }
+var WindowParentDomainWebAuthnClient = class {
+	async request(kind, publicKey, timeoutMs = 6e4) {
+		const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
+		const resultType = getResultTypeFor(kind);
+		return new Promise((resolve) => {
+			let settled = false;
+			const finish = (val) => {
+				if (!settled) {
+					settled = true;
+					resolve(val);
+				}
+			};
+			const onMessage = (ev) => {
+				const payload = ev?.data;
+				if (!payload || typeof payload.type !== "string") return;
+				const t = payload.type;
+				if (t !== resultType) return;
+				const rid = payload.requestId;
+				if (rid !== requestId) return;
+				window.removeEventListener("message", onMessage);
+				const ok = !!payload.ok;
+				const cred = payload.credential;
+				const err = payload.error;
+				if (ok && cred) return finish({
+					ok: true,
+					credential: cred
+				});
+				return finish({
+					ok: false,
+					error: typeof err === "string" ? err : void 0
+				});
+			};
+			window.addEventListener("message", onMessage);
+			window.parent?.postMessage({
+				type: kind,
+				requestId,
+				publicKey
+			}, "*");
+			setTimeout(() => {
+				window.removeEventListener("message", onMessage);
+				finish({
+					ok: false,
+					timeout: true
+				});
+			}, timeoutMs);
+		});
+	}
+};
 function notAllowedError(message) {
 	const e = new Error(message);
 	e.name = "NotAllowedError";
@@ -139,72 +192,8 @@ async function attemptRefocus(maxRetries = 2, delays = [50, 120]) {
 	}
 	return document.hasFocus();
 }
-var WebAuthnBridgeMessage, WindowParentDomainWebAuthnClient;
-var init_safari_fallbacks = require_rolldown_runtime.__esm({ "src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts": (() => {
-	WebAuthnBridgeMessage = {
-		Create: "WALLET_WEBAUTHN_CREATE",
-		Get: "WALLET_WEBAUTHN_GET",
-		CreateResult: "WALLET_WEBAUTHN_CREATE_RESULT",
-		GetResult: "WALLET_WEBAUTHN_GET_RESULT"
-	};
-	WindowParentDomainWebAuthnClient = class {
-		async request(kind, publicKey, timeoutMs = 6e4) {
-			const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;
-			const resultType = getResultTypeFor(kind);
-			return new Promise((resolve) => {
-				let settled = false;
-				const finish = (val) => {
-					if (!settled) {
-						settled = true;
-						resolve(val);
-					}
-				};
-				const onMessage = (ev) => {
-					const payload = ev?.data;
-					if (!payload || typeof payload.type !== "string") return;
-					const t = payload.type;
-					if (t !== resultType) return;
-					const rid = payload.requestId;
-					if (rid !== requestId) return;
-					window.removeEventListener("message", onMessage);
-					const ok = !!payload.ok;
-					const cred = payload.credential;
-					const err = payload.error;
-					if (ok && cred) return finish({
-						ok: true,
-						credential: cred
-					});
-					return finish({
-						ok: false,
-						error: typeof err === "string" ? err : void 0
-					});
-				};
-				window.addEventListener("message", onMessage);
-				window.parent?.postMessage({
-					type: kind,
-					requestId,
-					publicKey
-				}, "*");
-				setTimeout(() => {
-					window.removeEventListener("message", onMessage);
-					finish({
-						ok: false,
-						timeout: true
-					});
-				}, timeoutMs);
-			});
-		}
-	};
-}) });
 //#endregion
-init_safari_fallbacks();
 exports.WebAuthnBridgeMessage = WebAuthnBridgeMessage;
 exports.executeWebAuthnWithParentFallbacksSafari = executeWebAuthnWithParentFallbacksSafari;
-Object.defineProperty(exports, 'init_safari_fallbacks', {
-  enumerable: true,
-  get: function () {
-    return init_safari_fallbacks;
-  }
-});
 //# sourceMappingURL=safari-fallbacks.js.map

package/dist/cjs/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"safari-fallbacks.js","names":["be: unknown","e: unknown"],"sources":["../../../../../src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts"],"sourcesContent":["// Safari/WebAuthn fallbacks: centralized retry + top-level bridge\n// - Encapsulates Safari-specific error handling (ancestor-origin, not-focused)\n// - Bridges create/get to top-level via postMessage when needed\n// - Keeps helpers private to reduce file count and surface area\n\ntype Kind = 'create' \| 'get';\n\n// Typed message names for parent-domain bridge\nexport const WebAuthnBridgeMessage = {\n Create: 'WALLET_WEBAUTHN_CREATE',\n Get: 'WALLET_WEBAUTHN_GET',\n CreateResult: 'WALLET_WEBAUTHN_CREATE_RESULT',\n GetResult: 'WALLET_WEBAUTHN_GET_RESULT',\n} as const;\n\nexport type BridgeKind = typeof WebAuthnBridgeMessage.Create \| typeof WebAuthnBridgeMessage.Get;\nexport type BridgeResultKind = typeof WebAuthnBridgeMessage.CreateResult \| typeof WebAuthnBridgeMessage.GetResult;\n\ntype ResultTypeFor<K extends BridgeKind> =\n K extends typeof WebAuthnBridgeMessage.Get\n ? typeof WebAuthnBridgeMessage.GetResult\n : typeof WebAuthnBridgeMessage.CreateResult;\n\nfunction getResultTypeFor<K extends BridgeKind>(kind: K): ResultTypeFor<K> {\n return (kind === WebAuthnBridgeMessage.Get\n ? WebAuthnBridgeMessage.GetResult\n : WebAuthnBridgeMessage.CreateResult) as ResultTypeFor<K>;\n}\n\ntype BridgeOk = { ok: true; credential: unknown };\ntype BridgeErr = { ok: false; error?: string; timeout?: boolean };\ntype BridgeResponse = BridgeOk \| BridgeErr;\n\n// Client interface used to request WebAuthn from the parent/top-level context\nexport type ParentDomainWebAuthnClient = {\n request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs?: number,\n ): Promise<BridgeResponse>;\n};\n\nexport interface OrchestratorDeps {\n rpId: string;\n inIframe: boolean;\n timeoutMs?: number;\n bridgeClient?: ParentDomainWebAuthnClient;\n // Gate for ancestor-error on GET; bridges for focus errors are always allowed when in iframe.\n permitGetBridgeOnAncestorError?: boolean;\n // Optional AbortSignal to cancel native navigator.credentials operations.\n // Note: parent-bridge path may not be abortable.\n abortSignal?: AbortSignal;\n}\n\n/*\n Execute a WebAuthn operation with Safari-aware fallbacks.\n \n Steps:\n * 1) Try native WebAuthn via navigator.credentials.{create\|get}\n * 2) If the failure matches Safari's ancestor-origin restriction and we are in an iframe,\n * ask the parent/top-level window to perform the WebAuthn operation (bridge). If the\n * parent reports a user cancellation, throw NotAllowedError; if it times out, continue.\n * 3) If the failure matches Safari's \"document not focused\" path, first attempt to refocus\n * and retry native once; if still blocked and in an iframe, ask the parent window to handle it.\n * 4) Generic last resort: when in an iframe (constrained context), always attempt the parent\n * WebAuthn once even if the error wasn't recognized as a Safari-specific case. If the parent\n * path times out, surface a deterministic timeout error without re-trying native again.\n * 5) Otherwise, rethrow the original error.\n /\nexport async function executeWebAuthnWithParentFallbacksSafari(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n deps: OrchestratorDeps,\n): Promise<PublicKeyCredential \| unknown> {\n\n const {\n rpId,\n inIframe,\n timeoutMs = 60000,\n permitGetBridgeOnAncestorError = true\n } = deps;\n const bridgeClient = deps.bridgeClient \|\| new WindowParentDomainWebAuthnClient();\n\n const isTestForceNativeFail = (): boolean => {\n const g = (globalThis as any);\n const w = (typeof window !== 'undefined' ? (window as any) : undefined);\n return !!(g && g.__W3A_TEST_FORCE_NATIVE_FAIL) \|\| !!(w && w.__W3A_TEST_FORCE_NATIVE_FAIL);\n };\n const bumpCounter = (key: string) => {\n const g = (globalThis as any);\n g[key] = (g[key] \|\| 0) + 1;\n };\n\n // Test harness fast-path: when explicitly forcing native fail, skip native and go straight to bridge.\n // Still bump native attempt counters for determinism in tests.\n if (isTestForceNativeFail()) {\n if (kind === 'create') bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n else bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n try {\n const bridged = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridged?.ok) return bridged.credential;\n if (bridged && !bridged.timeout) {\n throw notAllowedError(bridged.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n // Ensure consistent error type for unit tests\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n const tryNative = async () => {\n if (kind === 'create') {\n bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (create)');\n // Build options with optional AbortSignal\n return await navigator.credentials.create({\n publicKey: publicKey as PublicKeyCredentialCreationOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n } else {\n bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (get)');\n return await navigator.credentials.get({\n publicKey: publicKey as PublicKeyCredentialRequestOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n }\n };\n\n // Step 1: native attempt\n try {\n return await tryNative();\n } catch (e: unknown) {\n // If the user explicitly cancelled (generic NotAllowedError without Safari-specific hints),\n // do not attempt any bridge fallbacks that would re-prompt Touch ID. Propagate immediately.\n // This avoids double prompts when a user cancels the native sheet.\n const name = safeName(e);\n if (name === 'NotAllowedError' && !isAncestorOriginError(e) && !isDocumentNotFocusedError(e)) {\n throw e;\n }\n\n // Step 2: ancestor-origin restriction → parent bridge (when in iframe)\n if (isAncestorOriginError(e) && inIframe) {\n if (kind === 'get' && !permitGetBridgeOnAncestorError) {\n throw e;\n }\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 3: document-not-focused → refocus + retry native; then parent bridge if still blocked\n if (isDocumentNotFocusedError(e)) {\n const focused = await attemptRefocus();\n if (focused) {\n try { return await tryNative(); } catch {}\n }\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n }\n\n // Step 4: generic last-resort bridge path for constrained iframe contexts\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n // Timeout: surface an explicit error without re‑trying native again\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 5: not an iframe or no recognized fallback – rethrow original error\n throw e;\n }\n}\n\n// Request the parent/top-level window to perform the WebAuthn operation\nexport async function requestParentDomainWebAuthn(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n client: ParentDomainWebAuthnClient,\n timeoutMs: number,\n): Promise<BridgeResponse> {\n if (kind === 'create') {\n return client.request(WebAuthnBridgeMessage.Create, publicKey as PublicKeyCredentialCreationOptions, timeoutMs);\n }\n return client.request(WebAuthnBridgeMessage.Get, publicKey as PublicKeyCredentialRequestOptions, timeoutMs);\n}\n\n// Default bridge client using window.parent postMessage protocol\nexport class WindowParentDomainWebAuthnClient implements ParentDomainWebAuthnClient {\n async request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs = 60000,\n ): Promise<BridgeResponse> {\n const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;\n const resultType = getResultTypeFor(kind);\n\n return new Promise((resolve) => {\n let settled = false;\n const finish = (val: BridgeResponse) => { if (!settled) { settled = true; resolve(val); } };\n\n const onMessage = (ev: MessageEvent) => {\n const payload = ev?.data as unknown;\n if (!payload \|\| typeof (payload as { type?: unknown }).type !== 'string') return;\n const t = (payload as { type: string }).type;\n if (t !== resultType) return;\n const rid = (payload as { requestId?: unknown }).requestId;\n if (rid !== requestId) return;\n window.removeEventListener('message', onMessage);\n const ok = !!(payload as { ok?: unknown }).ok;\n const cred = (payload as { credential?: unknown }).credential;\n const err = (payload as { error?: unknown }).error;\n if (ok && cred) return finish({ ok: true, credential: cred });\n return finish({ ok: false, error: typeof err === 'string' ? err : undefined });\n };\n window.addEventListener('message', onMessage);\n window.parent?.postMessage({ type: kind, requestId, publicKey } as { type: K; requestId: string; publicKey: any }, '');\n setTimeout(() => { window.removeEventListener('message', onMessage); finish({ ok: false, timeout: true }); }, timeoutMs);\n });\n }\n}\n\nfunction notAllowedError(message: string): Error {\n const e = new Error(message);\n (e as any).name = 'NotAllowedError';\n return e;\n}\n\n// Private: error classification helpers\nfunction isAncestorOriginError(err: unknown): boolean {\n const msg = safeMessage(err);\n return /origin of the document is not the same as its ancestors/i.test(msg);\n}\n\nfunction isDocumentNotFocusedError(err: unknown): boolean {\n const name = safeName(err);\n const msg = safeMessage(err);\n const isNotAllowed = name === 'NotAllowedError';\n const mentionsFocus = /document is not focused\|not focused\|focus/i.test(msg);\n return Boolean(isNotAllowed && mentionsFocus);\n}\n\nfunction safeMessage(err: unknown): string {\n return String((err as { message?: unknown })?.message \|\| '');\n}\n\nfunction safeName(err: unknown): string {\n const n = (err as { name?: unknown })?.name;\n return typeof n === 'string' ? n : '';\n}\n\n// Private: focus utility to mitigate Safari focus issues\nasync function attemptRefocus(maxRetries = 2, delays: number[] = [50, 120]): Promise<boolean> {\n (window as any).focus?.();\n (document?.body as any)?.focus?.();\n\n const wait = (ms: number) => new Promise(r => setTimeout(r, ms));\n const total = Math.max(0, maxRetries);\n for (let i = 0; i <= total; i++) {\n const d = delays[i] ?? delays[delays.length - 1] ?? 80;\n await wait(d);\n if (document.hasFocus()) return true;\n (window as any).focus?.();\n }\n return document.hasFocus();\n}\n"],"mappings":";;;AAuBA,SAAS,iBAAuC,MAA2B;AACzE,QAAQ,SAAS,sBAAsB,MACnC,sBAAsB,YACtB,sBAAsB;;;;;;;;;;;;;;;;;AA2C5B,eAAsB,yCACpB,MACA,WACA,MACwC;CAExC,MAAM,EACJ,MACA,UACA,YAAY,KACZ,iCAAiC,SAC/B;CACJ,MAAM,eAAe,KAAK,gBAAgB,IAAI;CAE9C,MAAM,8BAAuC;EAC3C,MAAM,IAAK;EACX,MAAM,IAAK,OAAO,WAAW,cAAe,SAAiB;AAC7D,SAAO,CAAC,EAAE,KAAK,EAAE,iCAAiC,CAAC,EAAE,KAAK,EAAE;;CAE9D,MAAM,eAAe,QAAgB;EACnC,MAAM,IAAK;AACX,IAAE,QAAQ,EAAE,QAAQ,KAAK;;AAK3B,KAAI,yBAAyB;AAC3B,MAAI,SAAS,SAAU,aAAY;MAC9B,aAAY;AACjB,MAAI;GACF,MAAM,UAAU,MAAM,4BAA4B,MAAM,WAAW,cAAc;AACjF,OAAI,SAAS,GAAI,QAAO,QAAQ;AAChC,OAAI,WAAW,CAAC,QAAQ,QACtB,OAAM,gBAAgB,QAAQ,SAAS;AAEzC,SAAM,IAAI,MAAM;WACTA,IAAa;AAEpB,SAAM,gBAAiB,IAAY,WAAW;;;CAIlD,MAAM,YAAY,YAAY;AAC5B,MAAI,SAAS,UAAU;AACrB,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AAEnD,UAAO,MAAM,UAAU,YAAY,OAAO;IAC7B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;SAEnD;AACL,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AACnD,UAAO,MAAM,UAAU,YAAY,IAAI;IAC1B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;;;AAM5D,KAAI;AACF,SAAO,MAAM;UACNC,GAAY;EAInB,MAAM,OAAO,SAAS;AACtB,MAAI,SAAS,qBAAqB,CAAC,sBAAsB,MAAM,CAAC,0BAA0B,GACxF,OAAM;AAIR,MAAI,sBAAsB,MAAM,UAAU;AACxC,OAAI,SAAS,SAAS,CAAC,+BACrB,OAAM;AAER,OAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CD,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAKlD,MAAI,0BAA0B,IAAI;GAChC,MAAM,UAAU,MAAM;AACtB,OAAI,QACF,KAAI;AAAE,WAAO,MAAM;WAAqB;AAE1C,OAAI,SACF,KAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CA,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAMpD,MAAI,SACF,KAAI;GACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,OAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,OAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;AAGpD,SAAM,IAAI,MAAM;WACTA,IAAa;AACpB,SAAM,gBAAiB,IAAY,WAAW;;AAKlD,QAAM;;;AAKV,eAAsB,4BACpB,MACA,WACA,QACA,WACyB;AACzB,KAAI,SAAS,SACX,QAAO,OAAO,QAAQ,sBAAsB,QAAQ,WAAiD;AAEvG,QAAO,OAAO,QAAQ,sBAAsB,KAAK,WAAgD;;AAsCnG,SAAS,gBAAgB,SAAwB;CAC/C,MAAM,IAAI,IAAI,MAAM;AACpB,CAAC,EAAU,OAAO;AAClB,QAAO;;AAIT,SAAS,sBAAsB,KAAuB;CACpD,MAAM,MAAM,YAAY;AACxB,QAAO,2DAA2D,KAAK;;AAGzE,SAAS,0BAA0B,KAAuB;CACxD,MAAM,OAAO,SAAS;CACtB,MAAM,MAAM,YAAY;CACxB,MAAM,eAAe,SAAS;CAC9B,MAAM,gBAAgB,6CAA6C,KAAK;AACxE,QAAO,QAAQ,gBAAgB;;AAGjC,SAAS,YAAY,KAAsB;AACzC,QAAO,OAAQ,KAA+B,WAAW;;AAG3D,SAAS,SAAS,KAAsB;CACtC,MAAM,IAAK,KAA4B;AACvC,QAAO,OAAO,MAAM,WAAW,IAAI;;AAIrC,eAAe,eAAe,aAAa,GAAG,SAAmB,CAAC,IAAI,MAAwB;AAC5F,CAAC,OAAe;AAChB,EAAC,UAAU,OAAc;CAEzB,MAAM,QAAQ,OAAe,IAAI,SAAQ,MAAK,WAAW,GAAG;CAC5D,MAAM,QAAQ,KAAK,IAAI,GAAG;AAC1B,MAAK,IAAI,IAAI,GAAG,KAAK,OAAO,KAAK;EAC/B,MAAM,IAAI,OAAO,MAAM,OAAO,OAAO,SAAS,MAAM;AACpD,QAAM,KAAK;AACX,MAAI,SAAS,WAAY,QAAO;AAChC,EAAC,OAAe;;AAElB,QAAO,SAAS;;;;CAvRL,wBAAwB;EACnC,QAAQ;EACR,KAAK;EACL,cAAc;EACd,WAAW;;CAuMA,mCAAb,MAAoF;EAClF,MAAM,QACJ,MACA,WACA,YAAY,KACa;GACzB,MAAM,YAAY,GAAG,KAAK,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;GAC5E,MAAM,aAAa,iBAAiB;AAEpC,UAAO,IAAI,SAAS,YAAY;IAC9B,IAAI,UAAU;IACd,MAAM,UAAU,QAAwB;AAAE,SAAI,CAAC,SAAS;AAAE,gBAAU;AAAM,cAAQ;;;IAElF,MAAM,aAAa,OAAqB;KACtC,MAAM,UAAU,IAAI;AACpB,SAAI,CAAC,WAAW,OAAQ,QAA+B,SAAS,SAAU;KAC1E,MAAM,IAAK,QAA6B;AACxC,SAAI,MAAM,WAAY;KACtB,MAAM,MAAO,QAAoC;AACjD,SAAI,QAAQ,UAAW;AACvB,YAAO,oBAAoB,WAAW;KACtC,MAAM,KAAK,CAAC,CAAE,QAA6B;KAC3C,MAAM,OAAQ,QAAqC;KACnD,MAAM,MAAO,QAAgC;AAC7C,SAAI,MAAM,KAAM,QAAO,OAAO;MAAE,IAAI;MAAM,YAAY;;AACtD,YAAO,OAAO;MAAE,IAAI;MAAO,OAAO,OAAO,QAAQ,WAAW,MAAM;;;AAEpE,WAAO,iBAAiB,WAAW;AACnC,WAAO,QAAQ,YAAY;KAAE,MAAM;KAAM;KAAW;OAA+D;AACnH,qBAAiB;AAAE,YAAO,oBAAoB,WAAW;AAAY,YAAO;MAAE,IAAI;MAAO,SAAS;;OAAY"}
1	+ {"version":3,"file":"safari-fallbacks.js","names":["be: unknown","e: unknown"],"sources":["../../../../../src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts"],"sourcesContent":["// Safari/WebAuthn fallbacks: centralized retry + top-level bridge\n// - Encapsulates Safari-specific error handling (ancestor-origin, not-focused)\n// - Bridges create/get to top-level via postMessage when needed\n// - Keeps helpers private to reduce file count and surface area\n\ntype Kind = 'create' \| 'get';\n\n// Typed message names for parent-domain bridge\nexport const WebAuthnBridgeMessage = {\n Create: 'WALLET_WEBAUTHN_CREATE',\n Get: 'WALLET_WEBAUTHN_GET',\n CreateResult: 'WALLET_WEBAUTHN_CREATE_RESULT',\n GetResult: 'WALLET_WEBAUTHN_GET_RESULT',\n} as const;\n\nexport type BridgeKind = typeof WebAuthnBridgeMessage.Create \| typeof WebAuthnBridgeMessage.Get;\nexport type BridgeResultKind = typeof WebAuthnBridgeMessage.CreateResult \| typeof WebAuthnBridgeMessage.GetResult;\n\ntype ResultTypeFor<K extends BridgeKind> =\n K extends typeof WebAuthnBridgeMessage.Get\n ? typeof WebAuthnBridgeMessage.GetResult\n : typeof WebAuthnBridgeMessage.CreateResult;\n\nfunction getResultTypeFor<K extends BridgeKind>(kind: K): ResultTypeFor<K> {\n return (kind === WebAuthnBridgeMessage.Get\n ? WebAuthnBridgeMessage.GetResult\n : WebAuthnBridgeMessage.CreateResult) as ResultTypeFor<K>;\n}\n\ntype BridgeOk = { ok: true; credential: unknown };\ntype BridgeErr = { ok: false; error?: string; timeout?: boolean };\ntype BridgeResponse = BridgeOk \| BridgeErr;\n\n// Client interface used to request WebAuthn from the parent/top-level context\nexport type ParentDomainWebAuthnClient = {\n request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs?: number,\n ): Promise<BridgeResponse>;\n};\n\nexport interface OrchestratorDeps {\n rpId: string;\n inIframe: boolean;\n timeoutMs?: number;\n bridgeClient?: ParentDomainWebAuthnClient;\n // Gate for ancestor-error on GET; bridges for focus errors are always allowed when in iframe.\n permitGetBridgeOnAncestorError?: boolean;\n // Optional AbortSignal to cancel native navigator.credentials operations.\n // Note: parent-bridge path may not be abortable.\n abortSignal?: AbortSignal;\n}\n\n/*\n Execute a WebAuthn operation with Safari-aware fallbacks.\n \n Steps:\n * 1) Try native WebAuthn via navigator.credentials.{create\|get}\n * 2) If the failure matches Safari's ancestor-origin restriction and we are in an iframe,\n * ask the parent/top-level window to perform the WebAuthn operation (bridge). If the\n * parent reports a user cancellation, throw NotAllowedError; if it times out, continue.\n * 3) If the failure matches Safari's \"document not focused\" path, first attempt to refocus\n * and retry native once; if still blocked and in an iframe, ask the parent window to handle it.\n * 4) Generic last resort: when in an iframe (constrained context), always attempt the parent\n * WebAuthn once even if the error wasn't recognized as a Safari-specific case. If the parent\n * path times out, surface a deterministic timeout error without re-trying native again.\n * 5) Otherwise, rethrow the original error.\n /\nexport async function executeWebAuthnWithParentFallbacksSafari(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n deps: OrchestratorDeps,\n): Promise<PublicKeyCredential \| unknown> {\n\n const {\n rpId,\n inIframe,\n timeoutMs = 60000,\n permitGetBridgeOnAncestorError = true\n } = deps;\n const bridgeClient = deps.bridgeClient \|\| new WindowParentDomainWebAuthnClient();\n\n const isTestForceNativeFail = (): boolean => {\n const g = (globalThis as any);\n const w = (typeof window !== 'undefined' ? (window as any) : undefined);\n return !!(g && g.__W3A_TEST_FORCE_NATIVE_FAIL) \|\| !!(w && w.__W3A_TEST_FORCE_NATIVE_FAIL);\n };\n const bumpCounter = (key: string) => {\n const g = (globalThis as any);\n g[key] = (g[key] \|\| 0) + 1;\n };\n\n // Test harness fast-path: when explicitly forcing native fail, skip native and go straight to bridge.\n // Still bump native attempt counters for determinism in tests.\n if (isTestForceNativeFail()) {\n if (kind === 'create') bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n else bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n try {\n const bridged = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridged?.ok) return bridged.credential;\n if (bridged && !bridged.timeout) {\n throw notAllowedError(bridged.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n // Ensure consistent error type for unit tests\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n const tryNative = async () => {\n if (kind === 'create') {\n bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (create)');\n // Build options with optional AbortSignal\n return await navigator.credentials.create({\n publicKey: publicKey as PublicKeyCredentialCreationOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n } else {\n bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (get)');\n return await navigator.credentials.get({\n publicKey: publicKey as PublicKeyCredentialRequestOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n }\n };\n\n // Step 1: native attempt\n try {\n return await tryNative();\n } catch (e: unknown) {\n // If the user explicitly cancelled (generic NotAllowedError without Safari-specific hints),\n // do not attempt any bridge fallbacks that would re-prompt Touch ID. Propagate immediately.\n // This avoids double prompts when a user cancels the native sheet.\n const name = safeName(e);\n if (name === 'NotAllowedError' && !isAncestorOriginError(e) && !isDocumentNotFocusedError(e)) {\n throw e;\n }\n\n // Step 2: ancestor-origin restriction → parent bridge (when in iframe)\n if (isAncestorOriginError(e) && inIframe) {\n if (kind === 'get' && !permitGetBridgeOnAncestorError) {\n throw e;\n }\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 3: document-not-focused → refocus + retry native; then parent bridge if still blocked\n if (isDocumentNotFocusedError(e)) {\n const focused = await attemptRefocus();\n if (focused) {\n try { return await tryNative(); } catch {}\n }\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n }\n\n // Step 4: generic last-resort bridge path for constrained iframe contexts\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error \|\| 'WebAuthn cancelled or failed (bridge)');\n }\n // Timeout: surface an explicit error without re‑trying native again\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message \|\| 'WebAuthn bridge failed');\n }\n }\n\n // Step 5: not an iframe or no recognized fallback – rethrow original error\n throw e;\n }\n}\n\n// Request the parent/top-level window to perform the WebAuthn operation\nexport async function requestParentDomainWebAuthn(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n client: ParentDomainWebAuthnClient,\n timeoutMs: number,\n): Promise<BridgeResponse> {\n if (kind === 'create') {\n return client.request(WebAuthnBridgeMessage.Create, publicKey as PublicKeyCredentialCreationOptions, timeoutMs);\n }\n return client.request(WebAuthnBridgeMessage.Get, publicKey as PublicKeyCredentialRequestOptions, timeoutMs);\n}\n\n// Default bridge client using window.parent postMessage protocol\nexport class WindowParentDomainWebAuthnClient implements ParentDomainWebAuthnClient {\n async request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions \| PublicKeyCredentialRequestOptions,\n timeoutMs = 60000,\n ): Promise<BridgeResponse> {\n const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;\n const resultType = getResultTypeFor(kind);\n\n return new Promise((resolve) => {\n let settled = false;\n const finish = (val: BridgeResponse) => { if (!settled) { settled = true; resolve(val); } };\n\n const onMessage = (ev: MessageEvent) => {\n const payload = ev?.data as unknown;\n if (!payload \|\| typeof (payload as { type?: unknown }).type !== 'string') return;\n const t = (payload as { type: string }).type;\n if (t !== resultType) return;\n const rid = (payload as { requestId?: unknown }).requestId;\n if (rid !== requestId) return;\n window.removeEventListener('message', onMessage);\n const ok = !!(payload as { ok?: unknown }).ok;\n const cred = (payload as { credential?: unknown }).credential;\n const err = (payload as { error?: unknown }).error;\n if (ok && cred) return finish({ ok: true, credential: cred });\n return finish({ ok: false, error: typeof err === 'string' ? err : undefined });\n };\n window.addEventListener('message', onMessage);\n window.parent?.postMessage({ type: kind, requestId, publicKey } as { type: K; requestId: string; publicKey: any }, '');\n setTimeout(() => { window.removeEventListener('message', onMessage); finish({ ok: false, timeout: true }); }, timeoutMs);\n });\n }\n}\n\nfunction notAllowedError(message: string): Error {\n const e = new Error(message);\n (e as any).name = 'NotAllowedError';\n return e;\n}\n\n// Private: error classification helpers\nfunction isAncestorOriginError(err: unknown): boolean {\n const msg = safeMessage(err);\n return /origin of the document is not the same as its ancestors/i.test(msg);\n}\n\nfunction isDocumentNotFocusedError(err: unknown): boolean {\n const name = safeName(err);\n const msg = safeMessage(err);\n const isNotAllowed = name === 'NotAllowedError';\n const mentionsFocus = /document is not focused\|not focused\|focus/i.test(msg);\n return Boolean(isNotAllowed && mentionsFocus);\n}\n\nfunction safeMessage(err: unknown): string {\n return String((err as { message?: unknown })?.message \|\| '');\n}\n\nfunction safeName(err: unknown): string {\n const n = (err as { name?: unknown })?.name;\n return typeof n === 'string' ? n : '';\n}\n\n// Private: focus utility to mitigate Safari focus issues\nasync function attemptRefocus(maxRetries = 2, delays: number[] = [50, 120]): Promise<boolean> {\n (window as any).focus?.();\n (document?.body as any)?.focus?.();\n\n const wait = (ms: number) => new Promise(r => setTimeout(r, ms));\n const total = Math.max(0, maxRetries);\n for (let i = 0; i <= total; i++) {\n const d = delays[i] ?? delays[delays.length - 1] ?? 80;\n await wait(d);\n if (document.hasFocus()) return true;\n (window as any).focus?.();\n }\n return document.hasFocus();\n}\n"],"mappings":";;AAQA,MAAa,wBAAwB;CACnC,QAAQ;CACR,KAAK;CACL,cAAc;CACd,WAAW;;AAWb,SAAS,iBAAuC,MAA2B;AACzE,QAAQ,SAAS,sBAAsB,MACnC,sBAAsB,YACtB,sBAAsB;;;;;;;;;;;;;;;;;AA2C5B,eAAsB,yCACpB,MACA,WACA,MACwC;CAExC,MAAM,EACJ,MACA,UACA,YAAY,KACZ,iCAAiC,SAC/B;CACJ,MAAM,eAAe,KAAK,gBAAgB,IAAI;CAE9C,MAAM,8BAAuC;EAC3C,MAAM,IAAK;EACX,MAAM,IAAK,OAAO,WAAW,cAAe,SAAiB;AAC7D,SAAO,CAAC,EAAE,KAAK,EAAE,iCAAiC,CAAC,EAAE,KAAK,EAAE;;CAE9D,MAAM,eAAe,QAAgB;EACnC,MAAM,IAAK;AACX,IAAE,QAAQ,EAAE,QAAQ,KAAK;;AAK3B,KAAI,yBAAyB;AAC3B,MAAI,SAAS,SAAU,aAAY;MAC9B,aAAY;AACjB,MAAI;GACF,MAAM,UAAU,MAAM,4BAA4B,MAAM,WAAW,cAAc;AACjF,OAAI,SAAS,GAAI,QAAO,QAAQ;AAChC,OAAI,WAAW,CAAC,QAAQ,QACtB,OAAM,gBAAgB,QAAQ,SAAS;AAEzC,SAAM,IAAI,MAAM;WACTA,IAAa;AAEpB,SAAM,gBAAiB,IAAY,WAAW;;;CAIlD,MAAM,YAAY,YAAY;AAC5B,MAAI,SAAS,UAAU;AACrB,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AAEnD,UAAO,MAAM,UAAU,YAAY,OAAO;IAC7B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;SAEnD;AACL,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AACnD,UAAO,MAAM,UAAU,YAAY,IAAI;IAC1B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;;;AAM5D,KAAI;AACF,SAAO,MAAM;UACNC,GAAY;EAInB,MAAM,OAAO,SAAS;AACtB,MAAI,SAAS,qBAAqB,CAAC,sBAAsB,MAAM,CAAC,0BAA0B,GACxF,OAAM;AAIR,MAAI,sBAAsB,MAAM,UAAU;AACxC,OAAI,SAAS,SAAS,CAAC,+BACrB,OAAM;AAER,OAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CD,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAKlD,MAAI,0BAA0B,IAAI;GAChC,MAAM,UAAU,MAAM;AACtB,OAAI,QACF,KAAI;AAAE,WAAO,MAAM;WAAqB;AAE1C,OAAI,SACF,KAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CA,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAMpD,MAAI,SACF,KAAI;GACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,OAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,OAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;AAGpD,SAAM,IAAI,MAAM;WACTA,IAAa;AACpB,SAAM,gBAAiB,IAAY,WAAW;;AAKlD,QAAM;;;AAKV,eAAsB,4BACpB,MACA,WACA,QACA,WACyB;AACzB,KAAI,SAAS,SACX,QAAO,OAAO,QAAQ,sBAAsB,QAAQ,WAAiD;AAEvG,QAAO,OAAO,QAAQ,sBAAsB,KAAK,WAAgD;;AAInG,IAAa,mCAAb,MAAoF;CAClF,MAAM,QACJ,MACA,WACA,YAAY,KACa;EACzB,MAAM,YAAY,GAAG,KAAK,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;EAC5E,MAAM,aAAa,iBAAiB;AAEpC,SAAO,IAAI,SAAS,YAAY;GAC9B,IAAI,UAAU;GACd,MAAM,UAAU,QAAwB;AAAE,QAAI,CAAC,SAAS;AAAE,eAAU;AAAM,aAAQ;;;GAElF,MAAM,aAAa,OAAqB;IACtC,MAAM,UAAU,IAAI;AACpB,QAAI,CAAC,WAAW,OAAQ,QAA+B,SAAS,SAAU;IAC1E,MAAM,IAAK,QAA6B;AACxC,QAAI,MAAM,WAAY;IACtB,MAAM,MAAO,QAAoC;AACjD,QAAI,QAAQ,UAAW;AACvB,WAAO,oBAAoB,WAAW;IACtC,MAAM,KAAK,CAAC,CAAE,QAA6B;IAC3C,MAAM,OAAQ,QAAqC;IACnD,MAAM,MAAO,QAAgC;AAC7C,QAAI,MAAM,KAAM,QAAO,OAAO;KAAE,IAAI;KAAM,YAAY;;AACtD,WAAO,OAAO;KAAE,IAAI;KAAO,OAAO,OAAO,QAAQ,WAAW,MAAM;;;AAEpE,UAAO,iBAAiB,WAAW;AACnC,UAAO,QAAQ,YAAY;IAAE,MAAM;IAAM;IAAW;MAA+D;AACnH,oBAAiB;AAAE,WAAO,oBAAoB,WAAW;AAAY,WAAO;KAAE,IAAI;KAAO,SAAS;;MAAY;;;;AAKpH,SAAS,gBAAgB,SAAwB;CAC/C,MAAM,IAAI,IAAI,MAAM;AACpB,CAAC,EAAU,OAAO;AAClB,QAAO;;AAIT,SAAS,sBAAsB,KAAuB;CACpD,MAAM,MAAM,YAAY;AACxB,QAAO,2DAA2D,KAAK;;AAGzE,SAAS,0BAA0B,KAAuB;CACxD,MAAM,OAAO,SAAS;CACtB,MAAM,MAAM,YAAY;CACxB,MAAM,eAAe,SAAS;CAC9B,MAAM,gBAAgB,6CAA6C,KAAK;AACxE,QAAO,QAAQ,gBAAgB;;AAGjC,SAAS,YAAY,KAAsB;AACzC,QAAO,OAAQ,KAA+B,WAAW;;AAG3D,SAAS,SAAS,KAAsB;CACtC,MAAM,IAAK,KAA4B;AACvC,QAAO,OAAO,MAAM,WAAW,IAAI;;AAIrC,eAAe,eAAe,aAAa,GAAG,SAAmB,CAAC,IAAI,MAAwB;AAC5F,CAAC,OAAe;AAChB,EAAC,UAAU,OAAc;CAEzB,MAAM,QAAQ,OAAe,IAAI,SAAQ,MAAK,WAAW,GAAG;CAC5D,MAAM,QAAQ,KAAK,IAAI,GAAG;AAC1B,MAAK,IAAI,IAAI,GAAG,KAAK,OAAO,KAAK;EAC/B,MAAM,IAAI,OAAO,MAAM,OAAO,OAAO,SAAS,MAAM;AACpD,QAAM,KAAK;AACX,MAAI,SAAS,WAAY,QAAO;AAChC,EAAC,OAAe;;AAElB,QAAO,SAAS"}

package/dist/cjs/core/WebAuthnManager/collectAuthenticationCredentialForVrfChallenge.js ADDED Viewed

@@ -0,0 +1,34 @@
+const require_accountIds = require('../types/accountIds.js');
+const require_touchIdPrompt = require('./touchIdPrompt.js');
+//#region src/core/WebAuthnManager/collectAuthenticationCredentialForVrfChallenge.ts
+async function collectAuthenticationCredentialForVrfChallenge(args) {
+	const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+	const authenticators = await args.indexedDB.clientDB.getAuthenticatorsByUser(nearAccountId);
+	let authenticatorsForPrompt = authenticators;
+	if (authenticators.length > 0) ({authenticatorsForPrompt} = await args.indexedDB.clientDB.ensureCurrentPasskey(require_accountIds.toAccountId(nearAccountId), authenticators));
+	args.onBeforePrompt?.({
+		authenticators,
+		authenticatorsForPrompt,
+		vrfChallenge: args.vrfChallenge
+	});
+	const allowCredentials = require_touchIdPrompt.authenticatorsToAllowCredentials(authenticatorsForPrompt);
+	const serialized = args.includeSecondPrfOutput ? await args.touchIdPrompt.getAuthenticationCredentialsSerializedDualPrf({
+		nearAccountId,
+		challenge: args.vrfChallenge,
+		allowCredentials
+	}) : await args.touchIdPrompt.getAuthenticationCredentialsSerialized({
+		nearAccountId,
+		challenge: args.vrfChallenge,
+		allowCredentials
+	});
+	if (authenticators.length > 0) {
+		const { wrongPasskeyError } = await args.indexedDB.clientDB.ensureCurrentPasskey(require_accountIds.toAccountId(nearAccountId), authenticators, serialized.rawId);
+		if (wrongPasskeyError) throw new Error(wrongPasskeyError);
+	}
+	return serialized;
+}
+//#endregion
+exports.collectAuthenticationCredentialForVrfChallenge = collectAuthenticationCredentialForVrfChallenge;
+//# sourceMappingURL=collectAuthenticationCredentialForVrfChallenge.js.map

package/dist/cjs/core/WebAuthnManager/collectAuthenticationCredentialForVrfChallenge.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"collectAuthenticationCredentialForVrfChallenge.js","names":["toAccountId","authenticatorsForPrompt: ClientAuthenticatorData[]","authenticatorsToAllowCredentials"],"sources":["../../../../src/core/WebAuthnManager/collectAuthenticationCredentialForVrfChallenge.ts"],"sourcesContent":["import type { ClientAuthenticatorData, UnifiedIndexedDBManager } from '../IndexedDBManager';\nimport type { AccountId } from '../types/accountIds';\nimport { toAccountId } from '../types/accountIds';\nimport type { VRFChallenge } from '../types/vrf-worker';\nimport { authenticatorsToAllowCredentials } from './touchIdPrompt';\nimport type { TouchIdPrompt } from './touchIdPrompt';\nimport type { WebAuthnAuthenticationCredential } from '../types/webauthn';\n\nexport async function collectAuthenticationCredentialForVrfChallenge(args: {\n indexedDB: UnifiedIndexedDBManager;\n touchIdPrompt: Pick<TouchIdPrompt, 'getAuthenticationCredentialsSerialized' | 'getAuthenticationCredentialsSerializedDualPrf'>;\n nearAccountId: AccountId | string;\n vrfChallenge: VRFChallenge;\n onBeforePrompt?: (info: {\n authenticators: ClientAuthenticatorData[];\n authenticatorsForPrompt: ClientAuthenticatorData[];\n vrfChallenge: VRFChallenge;\n }) => void;\n /**\n * When true, include PRF.second in the serialized credential.\n * Use only for explicit recovery/export flows (higher-friction paths).\n */\n includeSecondPrfOutput?: boolean;\n}): Promise<WebAuthnAuthenticationCredential> {\n const nearAccountId = toAccountId(args.nearAccountId);\n\n const authenticators = await args.indexedDB.clientDB.getAuthenticatorsByUser(nearAccountId);\n let authenticatorsForPrompt: ClientAuthenticatorData[] = authenticators;\n if (authenticators.length > 0) {\n ({ authenticatorsForPrompt } = await args.indexedDB.clientDB.ensureCurrentPasskey(\n toAccountId(nearAccountId),\n authenticators,\n ));\n }\n\n args.onBeforePrompt?.({ authenticators, authenticatorsForPrompt, vrfChallenge: args.vrfChallenge });\n\n const allowCredentials = authenticatorsToAllowCredentials(authenticatorsForPrompt);\n const serialized = args.includeSecondPrfOutput\n ? await args.touchIdPrompt.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge: args.vrfChallenge,\n allowCredentials,\n })\n : await args.touchIdPrompt.getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge: args.vrfChallenge,\n allowCredentials,\n });\n\n // Verify that the chosen credential matches the \"current\" passkey device, when applicable.\n if (authenticators.length > 0) {\n const { wrongPasskeyError } = await args.indexedDB.clientDB.ensureCurrentPasskey(\n toAccountId(nearAccountId),\n authenticators,\n serialized.rawId,\n );\n if (wrongPasskeyError) {\n throw new Error(wrongPasskeyError);\n }\n }\n\n return serialized;\n}\n"],"mappings":";;;;AAQA,eAAsB,+CAA+C,MAevB;CAC5C,MAAM,gBAAgBA,+BAAY,KAAK;CAEvC,MAAM,iBAAiB,MAAM,KAAK,UAAU,SAAS,wBAAwB;CAC7E,IAAIC,0BAAqD;AACzD,KAAI,eAAe,SAAS,EAC1B,EAAC,CAAE,2BAA4B,MAAM,KAAK,UAAU,SAAS,qBAC3DD,+BAAY,gBACZ;AAIJ,MAAK,iBAAiB;EAAE;EAAgB;EAAyB,cAAc,KAAK;;CAEpF,MAAM,mBAAmBE,uDAAiC;CAC1D,MAAM,aAAa,KAAK,yBACpB,MAAM,KAAK,cAAc,8CAA8C;EACvE;EACA,WAAW,KAAK;EAChB;MAEA,MAAM,KAAK,cAAc,uCAAuC;EAChE;EACA,WAAW,KAAK;EAChB;;AAIJ,KAAI,eAAe,SAAS,GAAG;EAC7B,MAAM,EAAE,sBAAsB,MAAM,KAAK,UAAU,SAAS,qBAC1DF,+BAAY,gBACZ,gBACA,WAAW;AAEb,MAAI,kBACF,OAAM,IAAI,MAAM;;AAIpB,QAAO"}

package/dist/cjs/core/WebAuthnManager/credentialsHelpers.js CHANGED Viewed

@@ -1,7 +1,5 @@
-const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
-const require_validation = require('../WalletIframe/validation.js');
+const require_validation = require('../../utils/validation.js');
 const require_base64 = require('../../utils/base64.js');
-const require_index = require('../../utils/index.js');
 //#region src/core/WebAuthnManager/credentialsHelpers.ts
 /**
@@ -112,22 +110,27 @@ function normalizeRegistrationCredential(input) {
 	return normalized;
 }
 /**
-* Removes PRF outputs from the credential
-* @param credential - The WebAuthn credential containing PRF outputs
-* @returns Credential with PRF results cleared
+* Redacts client extension outputs from the credential before sending it over the network.
+*
+* Motivation:
+* - WebAuthn `clientExtensionResults` may contain sensitive material (e.g. PRF outputs).
+* - Even when not sensitive, extension outputs can add fingerprinting surface and bloat payloads.
+*
+* @param credential - The WebAuthn credential potentially containing extension outputs
+* @returns Credential with `clientExtensionResults` removed/redacted
 */
 function removePrfOutputGuard(credential) {
-	const credentialWithoutPrf = {
+	const response = credential.response;
+	const responseWithoutExtensions = require_validation.isObject(response) ? (() => {
+		const cloned = { ...response };
+		if ("clientExtensionResults" in cloned) cloned.clientExtensionResults = null;
+		return cloned;
+	})() : response;
+	return {
 		...credential,
-		clientExtensionResults: {
-			...credential.clientExtensionResults,
-			prf: { results: {
-				first: void 0,
-				second: void 0
-			} }
-		}
+		response: responseWithoutExtensions,
+		clientExtensionResults: null
 	};
-	return credentialWithoutPrf;
 }
 /**
 * Returns true when the input looks like a serialized registration credential
@@ -277,21 +280,10 @@ function normalizeClientExtensionOutputs(input) {
 	}
 	return out;
 }
-var init_credentialsHelpers = require_rolldown_runtime.__esm({ "src/core/WebAuthnManager/credentialsHelpers.ts": (() => {
-	require_index.init_utils();
-	require_validation.init_validation();
-}) });
 //#endregion
-init_credentialsHelpers();
 exports.generateChaCha20Salt = generateChaCha20Salt;
 exports.generateEd25519Salt = generateEd25519Salt;
-Object.defineProperty(exports, 'init_credentialsHelpers', {
-  enumerable: true,
-  get: function () {
-    return init_credentialsHelpers;
-  }
-});
 exports.isSerializedRegistrationCredential = isSerializedRegistrationCredential;
 exports.normalizeRegistrationCredential = normalizeRegistrationCredential;
 exports.removePrfOutputGuard = removePrfOutputGuard;