npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/cjs/core/WebAuthnManager/credentialsHelpers.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"credentialsHelpers.js","names":["transports: string[]","base64UrlEncode","isObject","normalized: Record<string, unknown>","isString","response: Record<string, unknown>","isArray","credentialWithoutPrf: C","out: AuthenticationExtensionsClientOutputs","outCp: CredentialPropertiesOutput"],"sources":["../../../../src/core/WebAuthnManager/credentialsHelpers.ts"],"sourcesContent":["import { base64UrlEncode } from \"../../utils\";\nimport { isObject, isString, isArray } from '../WalletIframe/validation';\nimport {\n type WebAuthnAuthenticationCredential,\n type WebAuthnRegistrationCredential,\n type AuthenticationExtensionsClientOutputs,\n type CredentialPropertiesOutput,\n} from '../types/webauthn';\n\ntype SerializableCredential = WebAuthnAuthenticationCredential \| WebAuthnRegistrationCredential;\n\n/*\n Serialize PublicKeyCredential for both authentication and registration for WASM worker\n * - Uses base64url encoding for WASM compatibility\n \n @returns SerializableCredential - The serialized credential\n * - Does not return PRF outputs\n /\nexport function serializeRegistrationCredential(\n credential: PublicKeyCredential,\n): WebAuthnRegistrationCredential {\n const response = credential.response as AuthenticatorAttestationResponse;\n // Safari and some platforms may not implement getTransports(); guard it.\n let transports: string[] = [];\n try {\n const fn = (response as { getTransports?: () => string[] })?.getTransports;\n if (typeof fn === 'function') {\n transports = fn.call(response) \|\| [];\n }\n } catch {\n transports = [];\n }\n\n return {\n id: credential.id,\n rawId: base64UrlEncode(credential.rawId),\n type: credential.type,\n authenticatorAttachment: credential.authenticatorAttachment ?? undefined,\n response: {\n clientDataJSON: base64UrlEncode(response.clientDataJSON),\n attestationObject: base64UrlEncode(response.attestationObject),\n transports,\n },\n clientExtensionResults: {\n prf: {\n results: {\n first: undefined,\n second: undefined\n }\n }\n },\n };\n}\n\nexport function serializeAuthenticationCredential(\n credential: PublicKeyCredential,\n): WebAuthnAuthenticationCredential {\n const response = credential.response as AuthenticatorAssertionResponse;\n\n return {\n id: credential.id,\n rawId: base64UrlEncode(credential.rawId),\n type: credential.type,\n authenticatorAttachment: credential.authenticatorAttachment ?? undefined,\n response: {\n clientDataJSON: base64UrlEncode(response.clientDataJSON),\n authenticatorData: base64UrlEncode(response.authenticatorData),\n signature: base64UrlEncode(response.signature),\n userHandle: response.userHandle ? base64UrlEncode(response.userHandle as ArrayBuffer) : undefined,\n },\n clientExtensionResults: {\n prf: {\n results: {\n first: undefined,\n second: undefined\n }\n }\n },\n };\n}\n\n/\n Serialize PublicKeyCredential for both authentication and registration for WASM worker\n * @returns SerializableCredential - The serialized credential\n * - INCLUDES PRF outputs\n /\nexport function serializeRegistrationCredentialWithPRF({\n credential,\n firstPrfOutput = true,\n secondPrfOutput = true,\n}: {\n credential: PublicKeyCredential,\n firstPrfOutput?: boolean,\n secondPrfOutput?: boolean,\n}): WebAuthnRegistrationCredential {\n const base = serializeRegistrationCredential(credential);\n const { chacha20PrfOutput, ed25519PrfOutput } = extractPrfFromCredential({\n credential,\n firstPrfOutput,\n secondPrfOutput,\n });\n return {\n ...base,\n clientExtensionResults: {\n prf: {\n results: {\n first: chacha20PrfOutput,\n second: ed25519PrfOutput,\n },\n },\n },\n };\n}\n\nexport function serializeAuthenticationCredentialWithPRF({\n credential,\n firstPrfOutput = true,\n secondPrfOutput = false,\n}: {\n credential: PublicKeyCredential,\n firstPrfOutput?: boolean,\n secondPrfOutput?: boolean,\n}): WebAuthnAuthenticationCredential {\n const base = serializeAuthenticationCredential(credential);\n const { chacha20PrfOutput, ed25519PrfOutput } = extractPrfFromCredential({\n credential,\n firstPrfOutput,\n secondPrfOutput,\n });\n return {\n ...base,\n clientExtensionResults: {\n prf: {\n results: {\n first: chacha20PrfOutput,\n second: ed25519PrfOutput,\n },\n },\n },\n };\n}\n\n/////////////////////////////////////////\n// RUNTIME VALIDATION / NORMALIZATION\n/////////////////////////////////////////\n\n// Use shared type guards (isString/isArray) from WalletIframe/validation\n\n/\n Validates and normalizes a serialized WebAuthn registration credential.\n * Ensures required fields exist and have the expected primitive types.\n * Populates missing optional arrays like transports with [].\n /\nexport function normalizeRegistrationCredential(input: unknown): WebAuthnRegistrationCredential {\n if (!isObject(input)) throw new Error('Invalid credential: not an object');\n\n const candidate = input as Record<string, unknown>;\n const normalized: Record<string, unknown> = { ...candidate };\n\n if (!isString(normalized.id)) throw new Error('Invalid credential.id');\n if (!isString(normalized.type)) throw new Error('Invalid credential.type');\n\n if (!isString(normalized.rawId)) normalized.rawId = '';\n if (normalized.authenticatorAttachment !== undefined && !isString(normalized.authenticatorAttachment)) {\n normalized.authenticatorAttachment = String(normalized.authenticatorAttachment);\n }\n\n const response: Record<string, unknown> = isObject(normalized.response)\n ? { ...(normalized.response as Record<string, unknown>) }\n : {};\n\n if (!isString(response.clientDataJSON)) response.clientDataJSON = '';\n if (!isString(response.attestationObject)) response.attestationObject = '';\n if (!isArray<string>(response.transports)) response.transports = [];\n\n normalized.response = response;\n normalized.clientExtensionResults = normalizeClientExtensionOutputs(normalized.clientExtensionResults);\n\n return normalized as unknown as WebAuthnRegistrationCredential;\n}\n\n/\n Validates and normalizes a serialized WebAuthn authentication credential.\n * Ensures required fields exist and have the expected primitive types.\n /\nexport function normalizeAuthenticationCredential(input: unknown): WebAuthnAuthenticationCredential {\n if (!isObject(input)) throw new Error('Invalid credential: not an object');\n\n const candidate = input as Record<string, unknown>;\n const normalized: Record<string, unknown> = { ...candidate };\n\n if (!isString(normalized.id)) throw new Error('Invalid credential.id');\n if (!isString(normalized.type)) throw new Error('Invalid credential.type');\n\n if (!isString(normalized.rawId)) normalized.rawId = '';\n if (normalized.authenticatorAttachment !== undefined && !isString(normalized.authenticatorAttachment)) {\n normalized.authenticatorAttachment = String(normalized.authenticatorAttachment);\n }\n\n const response: Record<string, unknown> = isObject(normalized.response)\n ? { ...(normalized.response as Record<string, unknown>) }\n : {};\n\n if (!isString(response.clientDataJSON)) response.clientDataJSON = '';\n if (!isString(response.authenticatorData)) response.authenticatorData = '';\n if (!isString(response.signature)) response.signature = '';\n if (response.userHandle !== undefined && !isString(response.userHandle)) response.userHandle = undefined;\n\n normalized.response = response;\n normalized.clientExtensionResults = normalizeClientExtensionOutputs(normalized.clientExtensionResults);\n\n return normalized as unknown as WebAuthnAuthenticationCredential;\n}\n\n/\n Removes PRF outputs from the credential\n * @param credential - The WebAuthn credential containing PRF outputs\n * @returns Credential with PRF results cleared\n /\nexport function removePrfOutputGuard<C extends SerializableCredential>(credential: C): C {\n const credentialWithoutPrf: C = {\n ...credential,\n clientExtensionResults: {\n ...credential.clientExtensionResults,\n prf: {\n results: {\n first: undefined,\n second: undefined\n }\n }\n }\n } as C;\n return credentialWithoutPrf;\n}\n\n/////////////////////////////////////////\n// TYPE GUARDS\n/////////////////////////////////////////\n\n/\n Returns true when the input looks like a serialized registration credential\n * (i.e., plain object with base64url string fields), not a live PublicKeyCredential.\n /\nexport function isSerializedRegistrationCredential(x: unknown): x is WebAuthnRegistrationCredential {\n if (!isObject(x)) return false;\n const candidate = x as {\n id?: unknown;\n rawId?: unknown;\n type?: unknown;\n response?: unknown;\n };\n\n if (!isString(candidate.id) \|\| !isString(candidate.rawId) \|\| !isString(candidate.type)) {\n return false;\n }\n\n if (!isObject(candidate.response)) return false;\n const response = candidate.response as {\n clientDataJSON?: unknown;\n attestationObject?: unknown;\n transports?: unknown;\n };\n\n if (!isString(response.clientDataJSON) \|\| !isString(response.attestationObject)) {\n return false;\n }\n\n return response.transports == null \|\| isArray(response.transports);\n}\n\n/\n Generate ChaCha20Poly1305 salt using account-specific HKDF for encryption key derivation\n * @param nearAccountId - NEAR account ID to scope the salt to\n * @returns 32-byte Uint8Array salt for ChaCha20Poly1305 key derivation\n /\nexport function generateChaCha20Salt(nearAccountId: string): Uint8Array {\n const saltString = `chacha20-salt:${nearAccountId}`;\n const salt = new Uint8Array(32);\n const saltBytes = new TextEncoder().encode(saltString);\n salt.set(saltBytes.slice(0, 32));\n return salt;\n}\n\n/\n Generate Ed25519 salt using account-specific HKDF for signing key derivation\n * @param nearAccountId - NEAR account ID to scope the salt to\n * @returns 32-byte Uint8Array salt for Ed25519 key derivation\n /\nexport function generateEd25519Salt(nearAccountId: string): Uint8Array {\n const saltString = `ed25519-salt:${nearAccountId}`;\n const salt = new Uint8Array(32);\n const saltBytes = new TextEncoder().encode(saltString);\n salt.set(saltBytes.slice(0, 32));\n return salt;\n}\n\n/* Credential that may have extension results (live or serialized) /\ntype CredentialWithExtensions =\n \| PublicKeyCredential\n \| {\n clientExtensionResults?: unknown;\n getClientExtensionResults?: () => unknown;\n };\n\n/* Extension results structure - flexible to handle both live and serialized forms /\ntype ExtensionResults = {\n prf?: {\n enabled?: boolean;\n results?: {\n first?: unknown;\n second?: unknown;\n };\n };\n [key: string]: unknown;\n};\n\n/* PRF output values after extraction /\ntype PrfOutputs = {\n first?: unknown;\n second?: unknown;\n};\n\n/\n Dual PRF outputs for separate encryption and signing key derivation\n /\ninterface DualPrfOutputs {\n /* Base64-encoded PRF output from prf.results.first for ChaCha20Poly1305 encryption /\n chacha20PrfOutput: string;\n /* Base64-encoded PRF output from prf.results.second for Ed25519 signing /\n ed25519PrfOutput: string;\n}\n\n/\n Extract PRF outputs from WebAuthn credential extension results\n * ENCODING: Uses base64url for WASM compatibility\n * @param credential - WebAuthn credential with dual PRF extension results\n * @param firstPrfOutput - Whether to include the first PRF output (default: true)\n * @param secondPrfOutput - Whether to include the second PRF output (default: false)\n * @returns PRF outputs\n /\nfunction extractPrfFromCredential({\n credential,\n firstPrfOutput = true,\n secondPrfOutput = false,\n}: {\n credential: CredentialWithExtensions;\n firstPrfOutput?: boolean \| undefined;\n secondPrfOutput?: boolean;\n}): DualPrfOutputs {\n // Step 1: Get extension results (support both live and serialized credentials)\n const extensionResults = getExtensionResults(credential);\n\n // Step 2: Extract PRF results object\n const prfResults = extractPrfResultsObject(extensionResults);\n\n // Step 3: Validate PRF results exist and are not empty\n validatePrfResults(prfResults, firstPrfOutput, secondPrfOutput);\n\n // Step 4: Normalize and encode PRF outputs\n const firstEncoded = firstPrfOutput ? normalizePrfValueToBase64Url(prfResults.first) : undefined;\n const secondEncoded = secondPrfOutput ? normalizePrfValueToBase64Url(prfResults.second) : undefined;\n\n // Step 5: Validate required outputs are present\n if (firstPrfOutput && !firstEncoded) {\n throw new Error('Missing PRF result: first');\n }\n if (secondPrfOutput && !secondEncoded) {\n throw new Error('Missing PRF result: second');\n }\n\n return {\n chacha20PrfOutput: firstEncoded \|\| '',\n ed25519PrfOutput: secondEncoded \|\| '',\n };\n}\n\n/* Get extension results from credential (live or serialized) /\nfunction getExtensionResults(credential: CredentialWithExtensions): ExtensionResults \| undefined {\n try {\n const fn = (credential as { getClientExtensionResults?: () => unknown }).getClientExtensionResults;\n if (typeof fn === 'function') {\n return fn.call(credential) as ExtensionResults;\n }\n } catch {\n // Fall through to direct property access\n }\n return (credential as { clientExtensionResults?: unknown }).clientExtensionResults as ExtensionResults \| undefined;\n}\n\n/* Extract PRF results object from extension results /\nfunction extractPrfResultsObject(extensionResults: ExtensionResults \| undefined): PrfOutputs \| undefined {\n try {\n return extensionResults?.prf?.results;\n } catch {\n return undefined;\n }\n}\n\n/* Validate PRF results are present and not empty /\nfunction validatePrfResults(\n prfResults: PrfOutputs \| undefined,\n firstRequired: boolean,\n secondRequired: boolean\n): asserts prfResults is PrfOutputs {\n if (!prfResults) {\n throw new Error('Missing PRF results from credential, use a PRF-enabled Authenticator');\n }\n\n // Check if PRF results object exists but is completely empty\n // This indicates a hard failure (not a platform limitation that should trigger GET fallback)\n const hasAnyPrfData = prfResults.first !== undefined \|\| prfResults.second !== undefined;\n if (!hasAnyPrfData && (firstRequired \|\| secondRequired)) {\n throw new Error('Missing PRF result - PRF evaluation failed: results object is empty');\n }\n}\n\n/* Normalize a PRF value to base64url string /\nfunction normalizePrfValueToBase64Url(value: unknown): string \| undefined {\n if (!value) return undefined;\n\n // Already base64url encoded\n if (typeof value === 'string') return value;\n\n // ArrayBuffer\n if (value instanceof ArrayBuffer) return base64UrlEncode(value);\n\n // ArrayBufferView (TypedArray, DataView)\n if (ArrayBuffer.isView(value)) {\n return base64UrlEncode(value.buffer);\n }\n\n // Try to treat as ArrayBuffer-like\n try {\n return base64UrlEncode(value as ArrayBufferLike);\n } catch {\n // Last resort: wrap in Uint8Array\n try {\n return base64UrlEncode(new Uint8Array(value as ArrayBufferLike).buffer);\n } catch {\n return undefined;\n }\n }\n}\n\n/////////////////////////////////////////\n// EXTENSION OUTPUTS NORMALIZATION\n/////////////////////////////////////////\n\n/\n Normalize WebAuthn client extension outputs into an SDK‑local, clone‑safe shape.\n \n Purpose:\n * - Browsers return extension results on PublicKeyCredential in a variety of\n * shapes and with optional presence. This helper takes an unknown value\n * (either a live `credential.getClientExtensionResults()` object or a\n * serialized snapshot) and produces a strictly typed\n * `AuthenticationExtensionsClientOutputs` compatible with our WASM workers\n * and cross‑window message passing (structured‑clone safe).\n */\nfunction normalizeClientExtensionOutputs(input: unknown): AuthenticationExtensionsClientOutputs {\n const out: AuthenticationExtensionsClientOutputs = {\n prf: { results: { first: undefined, second: undefined } },\n } as AuthenticationExtensionsClientOutputs;\n\n const src = isObject(input) ? (input as Record<string, unknown>) : {};\n // appid\n if (typeof src.appid === 'boolean') out.appid = src.appid as boolean;\n // appidExclude\n if (typeof src.appidExclude === 'boolean') out.appidExclude = src.appidExclude as boolean;\n // hmacCreateSecret\n if (typeof src.hmacCreateSecret === 'boolean') out.hmacCreateSecret = src.hmacCreateSecret as boolean;\n // credProps\n if (isObject(src.credProps)) {\n const cp = src.credProps as Record<string, unknown>;\n const outCp: CredentialPropertiesOutput = {};\n if (typeof cp.rk === 'boolean') outCp.rk = cp.rk as boolean;\n out.credProps = outCp;\n }\n // uvm: expect array of 3-number tuples; tolerate nested arrays loosely\n if (isArray(src.uvm)) {\n const uvmArr = (src.uvm as unknown[]).filter(isArray).map((t) => {\n const a = t as unknown[];\n const n0 = typeof a[0] === 'number' ? (a[0] as number) : undefined;\n const n1 = typeof a[1] === 'number' ? (a[1] as number) : undefined;\n const n2 = typeof a[2] === 'number' ? (a[2] as number) : undefined;\n return (typeof n0 === 'number' && typeof n1 === 'number' && typeof n2 === 'number')\n ? [n0, n1, n2] as [number, number, number]\n : undefined;\n }).filter((x): x is [number, number, number] => Array.isArray(x));\n if (uvmArr.length > 0) out.uvm = uvmArr;\n }\n // prf\n if (isObject(src.prf)) {\n const prf = src.prf as Record<string, unknown>;\n const results = isObject(prf.results) ? (prf.results as Record<string, unknown>) : {};\n const first = results.first;\n const second = results.second;\n out.prf = {\n results: {\n first: isString(first) ? first : undefined,\n second: isString(second) ? second : undefined,\n },\n };\n }\n return out;\n}\n"],"mappings":";;;;;;;;;;;;;AAkBA,SAAgB,gCACd,YACgC;CAChC,MAAM,WAAW,WAAW;CAE5B,IAAIA,aAAuB;AAC3B,KAAI;EACF,MAAM,KAAM,UAAiD;AAC7D,MAAI,OAAO,OAAO,WAChB,cAAa,GAAG,KAAK,aAAa;SAE9B;AACN,eAAa;;AAGf,QAAO;EACL,IAAI,WAAW;EACf,OAAOC,+BAAgB,WAAW;EAClC,MAAM,WAAW;EACjB,yBAAyB,WAAW,2BAA2B;EAC/D,UAAU;GACR,gBAAgBA,+BAAgB,SAAS;GACzC,mBAAmBA,+BAAgB,SAAS;GAC5C;;EAEF,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;AAOlB,SAAgB,kCACd,YACkC;CAClC,MAAM,WAAW,WAAW;AAE5B,QAAO;EACL,IAAI,WAAW;EACf,OAAOA,+BAAgB,WAAW;EAClC,MAAM,WAAW;EACjB,yBAAyB,WAAW,2BAA2B;EAC/D,UAAU;GACR,gBAAgBA,+BAAgB,SAAS;GACzC,mBAAmBA,+BAAgB,SAAS;GAC5C,WAAWA,+BAAgB,SAAS;GACpC,YAAY,SAAS,aAAaA,+BAAgB,SAAS,cAA6B;;EAE1F,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;;;;;;AAYlB,SAAgB,uCAAuC,EACrD,YACA,iBAAiB,MACjB,kBAAkB,QAKe;CACjC,MAAM,OAAO,gCAAgC;CAC7C,MAAM,EAAE,mBAAmB,qBAAqB,yBAAyB;EACvE;EACA;EACA;;AAEF,QAAO;EACL,GAAG;EACH,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;AAOlB,SAAgB,yCAAyC,EACvD,YACA,iBAAiB,MACjB,kBAAkB,SAKiB;CACnC,MAAM,OAAO,kCAAkC;CAC/C,MAAM,EAAE,mBAAmB,qBAAqB,yBAAyB;EACvE;EACA;EACA;;AAEF,QAAO;EACL,GAAG;EACH,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;;;;;;AAkBlB,SAAgB,gCAAgC,OAAgD;AAC9F,KAAI,CAACC,4BAAS,OAAQ,OAAM,IAAI,MAAM;CAEtC,MAAM,YAAY;CAClB,MAAMC,aAAsC,EAAE,GAAG;AAEjD,KAAI,CAACC,4BAAS,WAAW,IAAK,OAAM,IAAI,MAAM;AAC9C,KAAI,CAACA,4BAAS,WAAW,MAAO,OAAM,IAAI,MAAM;AAEhD,KAAI,CAACA,4BAAS,WAAW,OAAQ,YAAW,QAAQ;AACpD,KAAI,WAAW,4BAA4B,UAAa,CAACA,4BAAS,WAAW,yBAC3E,YAAW,0BAA0B,OAAO,WAAW;CAGzD,MAAMC,WAAoCH,4BAAS,WAAW,YAC1D,EAAE,GAAI,WAAW,aACjB;AAEJ,KAAI,CAACE,4BAAS,SAAS,gBAAiB,UAAS,iBAAiB;AAClE,KAAI,CAACA,4BAAS,SAAS,mBAAoB,UAAS,oBAAoB;AACxE,KAAI,CAACE,2BAAgB,SAAS,YAAa,UAAS,aAAa;AAEjE,YAAW,WAAW;AACtB,YAAW,yBAAyB,gCAAgC,WAAW;AAE/E,QAAO;;;;;;;AAyCT,SAAgB,qBAAuD,YAAkB;CACvF,MAAMC,uBAA0B;EAC9B,GAAG;EACH,wBAAwB;GACtB,GAAG,WAAW;GACd,KAAK,EACH,SAAS;IACP,OAAO;IACP,QAAQ;;;;AAKhB,QAAO;;;;;;AAWT,SAAgB,mCAAmC,GAAiD;AAClG,KAAI,CAACL,4BAAS,GAAI,QAAO;CACzB,MAAM,YAAY;AAOlB,KAAI,CAACE,4BAAS,UAAU,OAAO,CAACA,4BAAS,UAAU,UAAU,CAACA,4BAAS,UAAU,MAC/E,QAAO;AAGT,KAAI,CAACF,4BAAS,UAAU,UAAW,QAAO;CAC1C,MAAM,WAAW,UAAU;AAM3B,KAAI,CAACE,4BAAS,SAAS,mBAAmB,CAACA,4BAAS,SAAS,mBAC3D,QAAO;AAGT,QAAO,SAAS,cAAc,QAAQE,2BAAQ,SAAS;;;;;;;AAQzD,SAAgB,qBAAqB,eAAmC;CACtE,MAAM,aAAa,iBAAiB;CACpC,MAAM,OAAO,IAAI,WAAW;CAC5B,MAAM,YAAY,IAAI,cAAc,OAAO;AAC3C,MAAK,IAAI,UAAU,MAAM,GAAG;AAC5B,QAAO;;;;;;;AAQT,SAAgB,oBAAoB,eAAmC;CACrE,MAAM,aAAa,gBAAgB;CACnC,MAAM,OAAO,IAAI,WAAW;CAC5B,MAAM,YAAY,IAAI,cAAc,OAAO;AAC3C,MAAK,IAAI,UAAU,MAAM,GAAG;AAC5B,QAAO;;;;;;;;;;AA+CT,SAAS,yBAAyB,EAChC,YACA,iBAAiB,MACjB,kBAAkB,SAKD;CAEjB,MAAM,mBAAmB,oBAAoB;CAG7C,MAAM,aAAa,wBAAwB;AAG3C,oBAAmB,YAAY,gBAAgB;CAG/C,MAAM,eAAe,iBAAiB,6BAA6B,WAAW,SAAS;CACvF,MAAM,gBAAgB,kBAAkB,6BAA6B,WAAW,UAAU;AAG1F,KAAI,kBAAkB,CAAC,aACrB,OAAM,IAAI,MAAM;AAElB,KAAI,mBAAmB,CAAC,cACtB,OAAM,IAAI,MAAM;AAGlB,QAAO;EACL,mBAAmB,gBAAgB;EACnC,kBAAkB,iBAAiB;;;;AAKvC,SAAS,oBAAoB,YAAoE;AAC/F,KAAI;EACF,MAAM,KAAM,WAA6D;AACzE,MAAI,OAAO,OAAO,WAChB,QAAO,GAAG,KAAK;SAEX;AAGR,QAAQ,WAAoD;;;AAI9D,SAAS,wBAAwB,kBAAwE;AACvG,KAAI;AACF,SAAO,kBAAkB,KAAK;SACxB;AACN,SAAO;;;;AAKX,SAAS,mBACP,YACA,eACA,gBACkC;AAClC,KAAI,CAAC,WACH,OAAM,IAAI,MAAM;CAKlB,MAAM,gBAAgB,WAAW,UAAU,UAAa,WAAW,WAAW;AAC9E,KAAI,CAAC,kBAAkB,iBAAiB,gBACtC,OAAM,IAAI,MAAM;;;AAKpB,SAAS,6BAA6B,OAAoC;AACxE,KAAI,CAAC,MAAO,QAAO;AAGnB,KAAI,OAAO,UAAU,SAAU,QAAO;AAGtC,KAAI,iBAAiB,YAAa,QAAOL,+BAAgB;AAGzD,KAAI,YAAY,OAAO,OACrB,QAAOA,+BAAgB,MAAM;AAI/B,KAAI;AACF,SAAOA,+BAAgB;SACjB;AAEN,MAAI;AACF,UAAOA,+BAAgB,IAAI,WAAW,OAA0B;UAC1D;AACN,UAAO;;;;;;;;;;;;;;;AAoBb,SAAS,gCAAgC,OAAuD;CAC9F,MAAMO,MAA6C,EACjD,KAAK,EAAE,SAAS;EAAE,OAAO;EAAW,QAAQ;;CAG9C,MAAM,MAAMN,4BAAS,SAAU,QAAoC;AAEnE,KAAI,OAAO,IAAI,UAAU,UAAW,KAAI,QAAQ,IAAI;AAEpD,KAAI,OAAO,IAAI,iBAAiB,UAAW,KAAI,eAAe,IAAI;AAElE,KAAI,OAAO,IAAI,qBAAqB,UAAW,KAAI,mBAAmB,IAAI;AAE1E,KAAIA,4BAAS,IAAI,YAAY;EAC3B,MAAM,KAAK,IAAI;EACf,MAAMO,QAAoC;AAC1C,MAAI,OAAO,GAAG,OAAO,UAAW,OAAM,KAAK,GAAG;AAC9C,MAAI,YAAY;;AAGlB,KAAIH,2BAAQ,IAAI,MAAM;EACpB,MAAM,SAAU,IAAI,IAAkB,OAAOA,4BAAS,KAAK,MAAM;GAC/D,MAAM,IAAI;GACV,MAAM,KAAK,OAAO,EAAE,OAAO,WAAY,EAAE,KAAgB;GACzD,MAAM,KAAK,OAAO,EAAE,OAAO,WAAY,EAAE,KAAgB;GACzD,MAAM,KAAK,OAAO,EAAE,OAAO,WAAY,EAAE,KAAgB;AACzD,UAAQ,OAAO,OAAO,YAAY,OAAO,OAAO,YAAY,OAAO,OAAO,WACtE;IAAC;IAAI;IAAI;OACT;KACH,QAAQ,MAAqC,MAAM,QAAQ;AAC9D,MAAI,OAAO,SAAS,EAAG,KAAI,MAAM;;AAGnC,KAAIJ,4BAAS,IAAI,MAAM;EACrB,MAAM,MAAM,IAAI;EAChB,MAAM,UAAUA,4BAAS,IAAI,WAAY,IAAI,UAAsC;EACnF,MAAM,QAAQ,QAAQ;EACtB,MAAM,SAAS,QAAQ;AACvB,MAAI,MAAM,EACR,SAAS;GACP,OAAOE,4BAAS,SAAS,QAAQ;GACjC,QAAQA,4BAAS,UAAU,SAAS;;;AAI1C,QAAO"}
1	+ {"version":3,"file":"credentialsHelpers.js","names":["transports: string[]","base64UrlEncode","isObject","normalized: Record<string, unknown>","isString","response: Record<string, unknown>","isArray","response: unknown","out: AuthenticationExtensionsClientOutputs","outCp: CredentialPropertiesOutput"],"sources":["../../../../src/core/WebAuthnManager/credentialsHelpers.ts"],"sourcesContent":["import { base64UrlEncode } from \"../../utils\";\nimport { isObject, isString, isArray } from '@/utils/validation';\nimport {\n type WebAuthnAuthenticationCredential,\n type WebAuthnRegistrationCredential,\n type AuthenticationExtensionsClientOutputs,\n type CredentialPropertiesOutput,\n} from '../types/webauthn';\n\ntype SerializableCredential = WebAuthnAuthenticationCredential \| WebAuthnRegistrationCredential;\n\n/*\n Serialize PublicKeyCredential for both authentication and registration for WASM worker\n * - Uses base64url encoding for WASM compatibility\n \n @returns SerializableCredential - The serialized credential\n * - Does not return PRF outputs\n /\nexport function serializeRegistrationCredential(\n credential: PublicKeyCredential,\n): WebAuthnRegistrationCredential {\n const response = credential.response as AuthenticatorAttestationResponse;\n // Safari and some platforms may not implement getTransports(); guard it.\n let transports: string[] = [];\n try {\n const fn = (response as { getTransports?: () => string[] })?.getTransports;\n if (typeof fn === 'function') {\n transports = fn.call(response) \|\| [];\n }\n } catch {\n transports = [];\n }\n\n return {\n id: credential.id,\n rawId: base64UrlEncode(credential.rawId),\n type: credential.type,\n authenticatorAttachment: credential.authenticatorAttachment ?? undefined,\n response: {\n clientDataJSON: base64UrlEncode(response.clientDataJSON),\n attestationObject: base64UrlEncode(response.attestationObject),\n transports,\n },\n clientExtensionResults: {\n prf: {\n results: {\n first: undefined,\n second: undefined\n }\n }\n },\n };\n}\n\nexport function serializeAuthenticationCredential(\n credential: PublicKeyCredential,\n): WebAuthnAuthenticationCredential {\n const response = credential.response as AuthenticatorAssertionResponse;\n\n return {\n id: credential.id,\n rawId: base64UrlEncode(credential.rawId),\n type: credential.type,\n authenticatorAttachment: credential.authenticatorAttachment ?? undefined,\n response: {\n clientDataJSON: base64UrlEncode(response.clientDataJSON),\n authenticatorData: base64UrlEncode(response.authenticatorData),\n signature: base64UrlEncode(response.signature),\n userHandle: response.userHandle ? base64UrlEncode(response.userHandle as ArrayBuffer) : undefined,\n },\n clientExtensionResults: {\n prf: {\n results: {\n first: undefined,\n second: undefined\n }\n }\n },\n };\n}\n\n/\n Serialize PublicKeyCredential for both authentication and registration for WASM worker\n * @returns SerializableCredential - The serialized credential\n * - INCLUDES PRF outputs\n /\nexport function serializeRegistrationCredentialWithPRF({\n credential,\n firstPrfOutput = true,\n secondPrfOutput = true,\n}: {\n credential: PublicKeyCredential,\n firstPrfOutput?: boolean,\n secondPrfOutput?: boolean,\n}): WebAuthnRegistrationCredential {\n const base = serializeRegistrationCredential(credential);\n const { chacha20PrfOutput, ed25519PrfOutput } = extractPrfFromCredential({\n credential,\n firstPrfOutput,\n secondPrfOutput,\n });\n return {\n ...base,\n clientExtensionResults: {\n prf: {\n results: {\n first: chacha20PrfOutput,\n second: ed25519PrfOutput,\n },\n },\n },\n };\n}\n\nexport function serializeAuthenticationCredentialWithPRF({\n credential,\n firstPrfOutput = true,\n secondPrfOutput = false,\n}: {\n credential: PublicKeyCredential,\n firstPrfOutput?: boolean,\n secondPrfOutput?: boolean,\n}): WebAuthnAuthenticationCredential {\n const base = serializeAuthenticationCredential(credential);\n const { chacha20PrfOutput, ed25519PrfOutput } = extractPrfFromCredential({\n credential,\n firstPrfOutput,\n secondPrfOutput,\n });\n return {\n ...base,\n clientExtensionResults: {\n prf: {\n results: {\n first: chacha20PrfOutput,\n second: ed25519PrfOutput,\n },\n },\n },\n };\n}\n\n/////////////////////////////////////////\n// RUNTIME VALIDATION / NORMALIZATION\n/////////////////////////////////////////\n\n// Use shared type guards (isString/isArray) from @/utils/validation\n\n/\n Validates and normalizes a serialized WebAuthn registration credential.\n * Ensures required fields exist and have the expected primitive types.\n * Populates missing optional arrays like transports with [].\n /\nexport function normalizeRegistrationCredential(input: unknown): WebAuthnRegistrationCredential {\n if (!isObject(input)) throw new Error('Invalid credential: not an object');\n\n const candidate = input as Record<string, unknown>;\n const normalized: Record<string, unknown> = { ...candidate };\n\n if (!isString(normalized.id)) throw new Error('Invalid credential.id');\n if (!isString(normalized.type)) throw new Error('Invalid credential.type');\n\n if (!isString(normalized.rawId)) normalized.rawId = '';\n if (normalized.authenticatorAttachment !== undefined && !isString(normalized.authenticatorAttachment)) {\n normalized.authenticatorAttachment = String(normalized.authenticatorAttachment);\n }\n\n const response: Record<string, unknown> = isObject(normalized.response)\n ? { ...(normalized.response as Record<string, unknown>) }\n : {};\n\n if (!isString(response.clientDataJSON)) response.clientDataJSON = '';\n if (!isString(response.attestationObject)) response.attestationObject = '';\n if (!isArray<string>(response.transports)) response.transports = [];\n\n normalized.response = response;\n normalized.clientExtensionResults = normalizeClientExtensionOutputs(normalized.clientExtensionResults);\n\n return normalized as unknown as WebAuthnRegistrationCredential;\n}\n\n/\n Validates and normalizes a serialized WebAuthn authentication credential.\n * Ensures required fields exist and have the expected primitive types.\n /\nexport function normalizeAuthenticationCredential(input: unknown): WebAuthnAuthenticationCredential {\n if (!isObject(input)) throw new Error('Invalid credential: not an object');\n\n const candidate = input as Record<string, unknown>;\n const normalized: Record<string, unknown> = { ...candidate };\n\n if (!isString(normalized.id)) throw new Error('Invalid credential.id');\n if (!isString(normalized.type)) throw new Error('Invalid credential.type');\n\n if (!isString(normalized.rawId)) normalized.rawId = '';\n if (normalized.authenticatorAttachment !== undefined && !isString(normalized.authenticatorAttachment)) {\n normalized.authenticatorAttachment = String(normalized.authenticatorAttachment);\n }\n\n const response: Record<string, unknown> = isObject(normalized.response)\n ? { ...(normalized.response as Record<string, unknown>) }\n : {};\n\n if (!isString(response.clientDataJSON)) response.clientDataJSON = '';\n if (!isString(response.authenticatorData)) response.authenticatorData = '';\n if (!isString(response.signature)) response.signature = '';\n if (response.userHandle !== undefined && !isString(response.userHandle)) response.userHandle = undefined;\n\n normalized.response = response;\n normalized.clientExtensionResults = normalizeClientExtensionOutputs(normalized.clientExtensionResults);\n\n return normalized as unknown as WebAuthnAuthenticationCredential;\n}\n\n/\n Redacts client extension outputs from the credential before sending it over the network.\n \n Motivation:\n * - WebAuthn `clientExtensionResults` may contain sensitive material (e.g. PRF outputs).\n * - Even when not sensitive, extension outputs can add fingerprinting surface and bloat payloads.\n \n @param credential - The WebAuthn credential potentially containing extension outputs\n * @returns Credential with `clientExtensionResults` removed/redacted\n /\nexport function removePrfOutputGuard<C extends SerializableCredential>(credential: C): C {\n // Never leak PRF (or any other extension outputs) outside the wallet runtime.\n // Use `null` so the field is explicitly redacted in JSON payloads.\n const response: unknown = (credential as { response?: unknown }).response;\n const responseWithoutExtensions = isObject(response)\n ? (() => {\n const cloned = { ...(response as Record<string, unknown>) };\n if ('clientExtensionResults' in cloned) cloned.clientExtensionResults = null;\n return cloned;\n })()\n : response;\n\n return {\n ...credential,\n response: responseWithoutExtensions,\n clientExtensionResults: null ,\n } as C;\n}\n\n/////////////////////////////////////////\n// TYPE GUARDS\n/////////////////////////////////////////\n\n/\n Returns true when the input looks like a serialized registration credential\n * (i.e., plain object with base64url string fields), not a live PublicKeyCredential.\n /\nexport function isSerializedRegistrationCredential(x: unknown): x is WebAuthnRegistrationCredential {\n if (!isObject(x)) return false;\n const candidate = x as {\n id?: unknown;\n rawId?: unknown;\n type?: unknown;\n response?: unknown;\n };\n\n if (!isString(candidate.id) \|\| !isString(candidate.rawId) \|\| !isString(candidate.type)) {\n return false;\n }\n\n if (!isObject(candidate.response)) return false;\n const response = candidate.response as {\n clientDataJSON?: unknown;\n attestationObject?: unknown;\n transports?: unknown;\n };\n\n if (!isString(response.clientDataJSON) \|\| !isString(response.attestationObject)) {\n return false;\n }\n\n return response.transports == null \|\| isArray(response.transports);\n}\n\n/\n Generate ChaCha20Poly1305 salt using account-specific HKDF for encryption key derivation\n * @param nearAccountId - NEAR account ID to scope the salt to\n * @returns 32-byte Uint8Array salt for ChaCha20Poly1305 key derivation\n /\nexport function generateChaCha20Salt(nearAccountId: string): Uint8Array {\n const saltString = `chacha20-salt:${nearAccountId}`;\n const salt = new Uint8Array(32);\n const saltBytes = new TextEncoder().encode(saltString);\n salt.set(saltBytes.slice(0, 32));\n return salt;\n}\n\n/\n Generate Ed25519 salt using account-specific HKDF for signing key derivation\n * @param nearAccountId - NEAR account ID to scope the salt to\n * @returns 32-byte Uint8Array salt for Ed25519 key derivation\n /\nexport function generateEd25519Salt(nearAccountId: string): Uint8Array {\n const saltString = `ed25519-salt:${nearAccountId}`;\n const salt = new Uint8Array(32);\n const saltBytes = new TextEncoder().encode(saltString);\n salt.set(saltBytes.slice(0, 32));\n return salt;\n}\n\n/* Credential that may have extension results (live or serialized) /\ntype CredentialWithExtensions =\n \| PublicKeyCredential\n \| {\n clientExtensionResults?: unknown;\n getClientExtensionResults?: () => unknown;\n };\n\n/* Extension results structure - flexible to handle both live and serialized forms /\ntype ExtensionResults = {\n prf?: {\n enabled?: boolean;\n results?: {\n first?: unknown;\n second?: unknown;\n };\n };\n [key: string]: unknown;\n};\n\n/* PRF output values after extraction /\ntype PrfOutputs = {\n first?: unknown;\n second?: unknown;\n};\n\n/\n Dual PRF outputs for separate encryption and signing key derivation\n /\ninterface DualPrfOutputs {\n /* Base64-encoded PRF output from prf.results.first for ChaCha20Poly1305 encryption /\n chacha20PrfOutput: string;\n /* Base64-encoded PRF output from prf.results.second for Ed25519 signing /\n ed25519PrfOutput: string;\n}\n\n/\n Extract PRF outputs from WebAuthn credential extension results\n * ENCODING: Uses base64url for WASM compatibility\n * @param credential - WebAuthn credential with dual PRF extension results\n * @param firstPrfOutput - Whether to include the first PRF output (default: true)\n * @param secondPrfOutput - Whether to include the second PRF output (default: false)\n * @returns PRF outputs\n /\nfunction extractPrfFromCredential({\n credential,\n firstPrfOutput = true,\n secondPrfOutput = false,\n}: {\n credential: CredentialWithExtensions;\n firstPrfOutput?: boolean \| undefined;\n secondPrfOutput?: boolean;\n}): DualPrfOutputs {\n // Step 1: Get extension results (support both live and serialized credentials)\n const extensionResults = getExtensionResults(credential);\n\n // Step 2: Extract PRF results object\n const prfResults = extractPrfResultsObject(extensionResults);\n\n // Step 3: Validate PRF results exist and are not empty\n validatePrfResults(prfResults, firstPrfOutput, secondPrfOutput);\n\n // Step 4: Normalize and encode PRF outputs\n const firstEncoded = firstPrfOutput ? normalizePrfValueToBase64Url(prfResults.first) : undefined;\n const secondEncoded = secondPrfOutput ? normalizePrfValueToBase64Url(prfResults.second) : undefined;\n\n // Step 5: Validate required outputs are present\n if (firstPrfOutput && !firstEncoded) {\n throw new Error('Missing PRF result: first');\n }\n if (secondPrfOutput && !secondEncoded) {\n throw new Error('Missing PRF result: second');\n }\n\n return {\n chacha20PrfOutput: firstEncoded \|\| '',\n ed25519PrfOutput: secondEncoded \|\| '',\n };\n}\n\n/* Get extension results from credential (live or serialized) /\nfunction getExtensionResults(credential: CredentialWithExtensions): ExtensionResults \| undefined {\n try {\n const fn = (credential as { getClientExtensionResults?: () => unknown }).getClientExtensionResults;\n if (typeof fn === 'function') {\n return fn.call(credential) as ExtensionResults;\n }\n } catch {\n // Fall through to direct property access\n }\n return (credential as { clientExtensionResults?: unknown }).clientExtensionResults as ExtensionResults \| undefined;\n}\n\n/* Extract PRF results object from extension results /\nfunction extractPrfResultsObject(extensionResults: ExtensionResults \| undefined): PrfOutputs \| undefined {\n try {\n return extensionResults?.prf?.results;\n } catch {\n return undefined;\n }\n}\n\n/* Validate PRF results are present and not empty /\nfunction validatePrfResults(\n prfResults: PrfOutputs \| undefined,\n firstRequired: boolean,\n secondRequired: boolean\n): asserts prfResults is PrfOutputs {\n if (!prfResults) {\n throw new Error('Missing PRF results from credential, use a PRF-enabled Authenticator');\n }\n\n // Check if PRF results object exists but is completely empty\n // This indicates a hard failure (not a platform limitation that should trigger GET fallback)\n const hasAnyPrfData = prfResults.first !== undefined \|\| prfResults.second !== undefined;\n if (!hasAnyPrfData && (firstRequired \|\| secondRequired)) {\n throw new Error('Missing PRF result - PRF evaluation failed: results object is empty');\n }\n}\n\n/* Normalize a PRF value to base64url string /\nfunction normalizePrfValueToBase64Url(value: unknown): string \| undefined {\n if (!value) return undefined;\n\n // Already base64url encoded\n if (typeof value === 'string') return value;\n\n // ArrayBuffer\n if (value instanceof ArrayBuffer) return base64UrlEncode(value);\n\n // ArrayBufferView (TypedArray, DataView)\n if (ArrayBuffer.isView(value)) {\n return base64UrlEncode(value.buffer);\n }\n\n // Try to treat as ArrayBuffer-like\n try {\n return base64UrlEncode(value as ArrayBufferLike);\n } catch {\n // Last resort: wrap in Uint8Array\n try {\n return base64UrlEncode(new Uint8Array(value as ArrayBufferLike).buffer);\n } catch {\n return undefined;\n }\n }\n}\n\n/////////////////////////////////////////\n// EXTENSION OUTPUTS NORMALIZATION\n/////////////////////////////////////////\n\n/\n Normalize WebAuthn client extension outputs into an SDK‑local, clone‑safe shape.\n \n Purpose:\n * - Browsers return extension results on PublicKeyCredential in a variety of\n * shapes and with optional presence. This helper takes an unknown value\n * (either a live `credential.getClientExtensionResults()` object or a\n * serialized snapshot) and produces a strictly typed\n * `AuthenticationExtensionsClientOutputs` compatible with our WASM workers\n * and cross‑window message passing (structured‑clone safe).\n */\nfunction normalizeClientExtensionOutputs(input: unknown): AuthenticationExtensionsClientOutputs {\n const out: AuthenticationExtensionsClientOutputs = {\n prf: { results: { first: undefined, second: undefined } },\n } as AuthenticationExtensionsClientOutputs;\n\n const src = isObject(input) ? (input as Record<string, unknown>) : {};\n // appid\n if (typeof src.appid === 'boolean') out.appid = src.appid as boolean;\n // appidExclude\n if (typeof src.appidExclude === 'boolean') out.appidExclude = src.appidExclude as boolean;\n // hmacCreateSecret\n if (typeof src.hmacCreateSecret === 'boolean') out.hmacCreateSecret = src.hmacCreateSecret as boolean;\n // credProps\n if (isObject(src.credProps)) {\n const cp = src.credProps as Record<string, unknown>;\n const outCp: CredentialPropertiesOutput = {};\n if (typeof cp.rk === 'boolean') outCp.rk = cp.rk as boolean;\n out.credProps = outCp;\n }\n // uvm: expect array of 3-number tuples; tolerate nested arrays loosely\n if (isArray(src.uvm)) {\n const uvmArr = (src.uvm as unknown[]).filter(isArray).map((t) => {\n const a = t as unknown[];\n const n0 = typeof a[0] === 'number' ? (a[0] as number) : undefined;\n const n1 = typeof a[1] === 'number' ? (a[1] as number) : undefined;\n const n2 = typeof a[2] === 'number' ? (a[2] as number) : undefined;\n return (typeof n0 === 'number' && typeof n1 === 'number' && typeof n2 === 'number')\n ? [n0, n1, n2] as [number, number, number]\n : undefined;\n }).filter((x): x is [number, number, number] => Array.isArray(x));\n if (uvmArr.length > 0) out.uvm = uvmArr;\n }\n // prf\n if (isObject(src.prf)) {\n const prf = src.prf as Record<string, unknown>;\n const results = isObject(prf.results) ? (prf.results as Record<string, unknown>) : {};\n const first = results.first;\n const second = results.second;\n out.prf = {\n results: {\n first: isString(first) ? first : undefined,\n second: isString(second) ? second : undefined,\n },\n };\n }\n return out;\n}\n"],"mappings":";;;;;;;;;;;AAkBA,SAAgB,gCACd,YACgC;CAChC,MAAM,WAAW,WAAW;CAE5B,IAAIA,aAAuB;AAC3B,KAAI;EACF,MAAM,KAAM,UAAiD;AAC7D,MAAI,OAAO,OAAO,WAChB,cAAa,GAAG,KAAK,aAAa;SAE9B;AACN,eAAa;;AAGf,QAAO;EACL,IAAI,WAAW;EACf,OAAOC,+BAAgB,WAAW;EAClC,MAAM,WAAW;EACjB,yBAAyB,WAAW,2BAA2B;EAC/D,UAAU;GACR,gBAAgBA,+BAAgB,SAAS;GACzC,mBAAmBA,+BAAgB,SAAS;GAC5C;;EAEF,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;AAOlB,SAAgB,kCACd,YACkC;CAClC,MAAM,WAAW,WAAW;AAE5B,QAAO;EACL,IAAI,WAAW;EACf,OAAOA,+BAAgB,WAAW;EAClC,MAAM,WAAW;EACjB,yBAAyB,WAAW,2BAA2B;EAC/D,UAAU;GACR,gBAAgBA,+BAAgB,SAAS;GACzC,mBAAmBA,+BAAgB,SAAS;GAC5C,WAAWA,+BAAgB,SAAS;GACpC,YAAY,SAAS,aAAaA,+BAAgB,SAAS,cAA6B;;EAE1F,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;;;;;;AAYlB,SAAgB,uCAAuC,EACrD,YACA,iBAAiB,MACjB,kBAAkB,QAKe;CACjC,MAAM,OAAO,gCAAgC;CAC7C,MAAM,EAAE,mBAAmB,qBAAqB,yBAAyB;EACvE;EACA;EACA;;AAEF,QAAO;EACL,GAAG;EACH,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;AAOlB,SAAgB,yCAAyC,EACvD,YACA,iBAAiB,MACjB,kBAAkB,SAKiB;CACnC,MAAM,OAAO,kCAAkC;CAC/C,MAAM,EAAE,mBAAmB,qBAAqB,yBAAyB;EACvE;EACA;EACA;;AAEF,QAAO;EACL,GAAG;EACH,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;;;;;;AAkBlB,SAAgB,gCAAgC,OAAgD;AAC9F,KAAI,CAACC,4BAAS,OAAQ,OAAM,IAAI,MAAM;CAEtC,MAAM,YAAY;CAClB,MAAMC,aAAsC,EAAE,GAAG;AAEjD,KAAI,CAACC,4BAAS,WAAW,IAAK,OAAM,IAAI,MAAM;AAC9C,KAAI,CAACA,4BAAS,WAAW,MAAO,OAAM,IAAI,MAAM;AAEhD,KAAI,CAACA,4BAAS,WAAW,OAAQ,YAAW,QAAQ;AACpD,KAAI,WAAW,4BAA4B,UAAa,CAACA,4BAAS,WAAW,yBAC3E,YAAW,0BAA0B,OAAO,WAAW;CAGzD,MAAMC,WAAoCH,4BAAS,WAAW,YAC1D,EAAE,GAAI,WAAW,aACjB;AAEJ,KAAI,CAACE,4BAAS,SAAS,gBAAiB,UAAS,iBAAiB;AAClE,KAAI,CAACA,4BAAS,SAAS,mBAAoB,UAAS,oBAAoB;AACxE,KAAI,CAACE,2BAAgB,SAAS,YAAa,UAAS,aAAa;AAEjE,YAAW,WAAW;AACtB,YAAW,yBAAyB,gCAAgC,WAAW;AAE/E,QAAO;;;;;;;;;;;;AA8CT,SAAgB,qBAAuD,YAAkB;CAGvF,MAAMC,WAAqB,WAAsC;CACjE,MAAM,4BAA4BL,4BAAS,mBAChC;EACP,MAAM,SAAS,EAAE,GAAI;AACrB,MAAI,4BAA4B,OAAQ,QAAO,yBAAyB;AACxE,SAAO;QAEP;AAEJ,QAAO;EACL,GAAG;EACH,UAAU;EACV,wBAAwB;;;;;;;AAY5B,SAAgB,mCAAmC,GAAiD;AAClG,KAAI,CAACA,4BAAS,GAAI,QAAO;CACzB,MAAM,YAAY;AAOlB,KAAI,CAACE,4BAAS,UAAU,OAAO,CAACA,4BAAS,UAAU,UAAU,CAACA,4BAAS,UAAU,MAC/E,QAAO;AAGT,KAAI,CAACF,4BAAS,UAAU,UAAW,QAAO;CAC1C,MAAM,WAAW,UAAU;AAM3B,KAAI,CAACE,4BAAS,SAAS,mBAAmB,CAACA,4BAAS,SAAS,mBAC3D,QAAO;AAGT,QAAO,SAAS,cAAc,QAAQE,2BAAQ,SAAS;;;;;;;AAQzD,SAAgB,qBAAqB,eAAmC;CACtE,MAAM,aAAa,iBAAiB;CACpC,MAAM,OAAO,IAAI,WAAW;CAC5B,MAAM,YAAY,IAAI,cAAc,OAAO;AAC3C,MAAK,IAAI,UAAU,MAAM,GAAG;AAC5B,QAAO;;;;;;;AAQT,SAAgB,oBAAoB,eAAmC;CACrE,MAAM,aAAa,gBAAgB;CACnC,MAAM,OAAO,IAAI,WAAW;CAC5B,MAAM,YAAY,IAAI,cAAc,OAAO;AAC3C,MAAK,IAAI,UAAU,MAAM,GAAG;AAC5B,QAAO;;;;;;;;;;AA+CT,SAAS,yBAAyB,EAChC,YACA,iBAAiB,MACjB,kBAAkB,SAKD;CAEjB,MAAM,mBAAmB,oBAAoB;CAG7C,MAAM,aAAa,wBAAwB;AAG3C,oBAAmB,YAAY,gBAAgB;CAG/C,MAAM,eAAe,iBAAiB,6BAA6B,WAAW,SAAS;CACvF,MAAM,gBAAgB,kBAAkB,6BAA6B,WAAW,UAAU;AAG1F,KAAI,kBAAkB,CAAC,aACrB,OAAM,IAAI,MAAM;AAElB,KAAI,mBAAmB,CAAC,cACtB,OAAM,IAAI,MAAM;AAGlB,QAAO;EACL,mBAAmB,gBAAgB;EACnC,kBAAkB,iBAAiB;;;;AAKvC,SAAS,oBAAoB,YAAoE;AAC/F,KAAI;EACF,MAAM,KAAM,WAA6D;AACzE,MAAI,OAAO,OAAO,WAChB,QAAO,GAAG,KAAK;SAEX;AAGR,QAAQ,WAAoD;;;AAI9D,SAAS,wBAAwB,kBAAwE;AACvG,KAAI;AACF,SAAO,kBAAkB,KAAK;SACxB;AACN,SAAO;;;;AAKX,SAAS,mBACP,YACA,eACA,gBACkC;AAClC,KAAI,CAAC,WACH,OAAM,IAAI,MAAM;CAKlB,MAAM,gBAAgB,WAAW,UAAU,UAAa,WAAW,WAAW;AAC9E,KAAI,CAAC,kBAAkB,iBAAiB,gBACtC,OAAM,IAAI,MAAM;;;AAKpB,SAAS,6BAA6B,OAAoC;AACxE,KAAI,CAAC,MAAO,QAAO;AAGnB,KAAI,OAAO,UAAU,SAAU,QAAO;AAGtC,KAAI,iBAAiB,YAAa,QAAOL,+BAAgB;AAGzD,KAAI,YAAY,OAAO,OACrB,QAAOA,+BAAgB,MAAM;AAI/B,KAAI;AACF,SAAOA,+BAAgB;SACjB;AAEN,MAAI;AACF,UAAOA,+BAAgB,IAAI,WAAW,OAA0B;UAC1D;AACN,UAAO;;;;;;;;;;;;;;;AAoBb,SAAS,gCAAgC,OAAuD;CAC9F,MAAMO,MAA6C,EACjD,KAAK,EAAE,SAAS;EAAE,OAAO;EAAW,QAAQ;;CAG9C,MAAM,MAAMN,4BAAS,SAAU,QAAoC;AAEnE,KAAI,OAAO,IAAI,UAAU,UAAW,KAAI,QAAQ,IAAI;AAEpD,KAAI,OAAO,IAAI,iBAAiB,UAAW,KAAI,eAAe,IAAI;AAElE,KAAI,OAAO,IAAI,qBAAqB,UAAW,KAAI,mBAAmB,IAAI;AAE1E,KAAIA,4BAAS,IAAI,YAAY;EAC3B,MAAM,KAAK,IAAI;EACf,MAAMO,QAAoC;AAC1C,MAAI,OAAO,GAAG,OAAO,UAAW,OAAM,KAAK,GAAG;AAC9C,MAAI,YAAY;;AAGlB,KAAIH,2BAAQ,IAAI,MAAM;EACpB,MAAM,SAAU,IAAI,IAAkB,OAAOA,4BAAS,KAAK,MAAM;GAC/D,MAAM,IAAI;GACV,MAAM,KAAK,OAAO,EAAE,OAAO,WAAY,EAAE,KAAgB;GACzD,MAAM,KAAK,OAAO,EAAE,OAAO,WAAY,EAAE,KAAgB;GACzD,MAAM,KAAK,OAAO,EAAE,OAAO,WAAY,EAAE,KAAgB;AACzD,UAAQ,OAAO,OAAO,YAAY,OAAO,OAAO,YAAY,OAAO,OAAO,WACtE;IAAC;IAAI;IAAI;OACT;KACH,QAAQ,MAAqC,MAAM,QAAQ;AAC9D,MAAI,OAAO,SAAS,EAAG,KAAI,MAAM;;AAGnC,KAAIJ,4BAAS,IAAI,MAAM;EACrB,MAAM,MAAM,IAAI;EAChB,MAAM,UAAUA,4BAAS,IAAI,WAAY,IAAI,UAAsC;EACnF,MAAM,QAAQ,QAAQ;EACtB,MAAM,SAAS,QAAQ;AACvB,MAAI,MAAM,EACR,SAAS;GACP,OAAOE,4BAAS,SAAS,QAAQ;GACjC,QAAQA,4BAAS,UAAU,SAAS;;;AAI1C,QAAO"}

package/dist/cjs/core/WebAuthnManager/index.js CHANGED Viewed

@@ -1,21 +1,25 @@
-const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
+const require_validation = require('../../utils/validation.js');
 const require_accountIds = require('../types/accountIds.js');
+const require_signer_worker = require('../types/signer-worker.js');
+const require_participants = require('../../threshold/participants.js');
 const require_index = require('../IndexedDBManager/index.js');
+const require_rpc = require('../types/rpc.js');
+const require_NearClient = require('../NearClient.js');
 const require_base = require('../sdkPaths/base.js');
 const require_workers = require('../sdkPaths/workers.js');
 const require_touchIdPrompt = require('./touchIdPrompt.js');
+const require_rpcCalls = require('../rpcCalls.js');
 const require_getDeviceNumber = require('./SignerWorkerManager/getDeviceNumber.js');
+const require_collectAuthenticationCredentialForVrfChallenge = require('./collectAuthenticationCredentialForVrfChallenge.js');
 const require_index$1 = require('./SignerWorkerManager/index.js');
 const require_index$2 = require('./VrfWorkerManager/index.js');
 const require_userPreferences = require('./userPreferences.js');
 const require_nonceManager = require('../nonceManager.js');
 const require_host_mode = require('../WalletIframe/host-mode.js');
+const require_enrollThresholdEd25519Key = require('./threshold/enrollThresholdEd25519Key.js');
+const require_rotateThresholdEd25519KeyPostRegistration = require('./threshold/rotateThresholdEd25519KeyPostRegistration.js');
 //#region src/core/WebAuthnManager/index.ts
-require_index.init_IndexedDBManager();
-require_touchIdPrompt.init_touchIdPrompt();
-require_accountIds.init_accountIds();
-require_getDeviceNumber.init_getDeviceNumber();
 /**
 * WebAuthnManager - Main orchestrator for WebAuthn operations
 *
@@ -40,9 +44,8 @@ var WebAuthnManager = class {
 		this.nearClient = nearClient;
 		this.touchIdPrompt = new require_touchIdPrompt.TouchIdPrompt(tatchiPasskeyConfigs.iframeWallet?.rpIdOverride, true);
 		this.userPreferencesManager = require_userPreferences.default;
-		try {
-			this.userPreferencesManager.configureWalletTheme?.(tatchiPasskeyConfigs.walletTheme);
-		} catch {}
+		this.userPreferencesManager.configureWalletTheme?.(tatchiPasskeyConfigs.walletTheme);
+		this.userPreferencesManager.configureDefaultSignerMode?.(tatchiPasskeyConfigs.signerMode);
 		this.nonceManager = require_nonceManager.default;
 		const { vrfWorkerConfigs } = tatchiPasskeyConfigs;
 		this.vrfWorkerManager = new require_index$2.VrfWorkerManager({
@@ -59,7 +62,7 @@ var WebAuthnManager = class {
 			rpIdOverride: this.touchIdPrompt.getRpId(),
 			nearExplorerUrl: tatchiPasskeyConfigs.nearExplorerUrl
 		});
-		this.signerWorkerManager = new require_index$1.SignerWorkerManager(this.vrfWorkerManager, nearClient, this.userPreferencesManager, this.nonceManager, tatchiPasskeyConfigs.iframeWallet?.rpIdOverride, true, tatchiPasskeyConfigs.nearExplorerUrl);
+		this.signerWorkerManager = new require_index$1.SignerWorkerManager(this.vrfWorkerManager, nearClient, this.userPreferencesManager, this.nonceManager, this.tatchiPasskeyConfigs.relayer.url, tatchiPasskeyConfigs.iframeWallet?.rpIdOverride, true, tatchiPasskeyConfigs.nearExplorerUrl);
 		this.workerBaseOrigin = require_workers.resolveWorkerBaseOrigin() || (typeof window !== "undefined" ? window.location.origin : "");
 		this.signerWorkerManager.setWorkerBaseOrigin(this.workerBaseOrigin);
 		this.vrfWorkerManager.setWorkerBaseOrigin?.(this.workerBaseOrigin);
@@ -141,7 +144,7 @@ var WebAuthnManager = class {
 	}
 	async withSigningSession(args) {
 		if (typeof args.handler !== "function") throw new Error("withSigningSession requires a handler function");
-		const sessionId = (args.sessionId || "").trim() || (args.prefix ? this.generateSessionId(args.prefix) : "");
+		const sessionId = args.sessionId || (args.prefix ? this.generateSessionId(args.prefix) : "");
 		if (!sessionId) throw new Error("withSigningSession requires a sessionId or prefix");
 		return await this.withSigningSessionInternal({
 			sessionId,
@@ -155,6 +158,7 @@ var WebAuthnManager = class {
 		try {
 			if (args.options) await this.vrfWorkerManager.mintSessionKeysAndSendToSigner({
 				sessionId: args.sessionId,
+				wrapKeySalt: args.options.wrapKeySalt,
 				credential: args.options.credential
 			});
 			return await args.handler(args.sessionId);
@@ -192,15 +196,15 @@ var WebAuthnManager = class {
 		if (deviceNumber === null) throw new Error(`No deviceNumber found for account ${nearAccountId} (decrypt session)`);
 		const userForDevice = await require_index.IndexedDBManager.clientDB.getUserByDevice(nearAccountId, deviceNumber).catch(() => null);
 		const encryptedVrfKeypair = userForDevice?.encryptedVrfKeypair;
-		const encryptedKeyData = await require_index.IndexedDBManager.nearKeysDB.getEncryptedKey(nearAccountId, deviceNumber);
-		if (!encryptedKeyData) {
+		const keyMaterial = await require_index.IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, deviceNumber);
+		if (!keyMaterial) {
 			console.error("WebAuthnManager: No encrypted key found for decrypt session", {
 				nearAccountId: String(nearAccountId),
 				deviceNumber
 			});
-			throw new Error(`No encrypted key found for account: ${nearAccountId}`);
+			throw new Error(`No key material found for account: ${nearAccountId}`);
 		}
-		const wrapKeySalt = encryptedKeyData.wrapKeySalt || "";
+		const wrapKeySalt = keyMaterial.wrapKeySalt;
 		if (!wrapKeySalt) {
 			console.error("WebAuthnManager: Missing wrapKeySalt in vault for decrypt session", {
 				nearAccountId: String(nearAccountId),
@@ -231,6 +235,16 @@ var WebAuthnManager = class {
 			allowCredentials
 		});
 	}
+	async collectAuthenticationCredentialForVrfChallenge(args) {
+		return require_collectAuthenticationCredentialForVrfChallenge.collectAuthenticationCredentialForVrfChallenge({
+			indexedDB: require_index.IndexedDBManager,
+			touchIdPrompt: this.touchIdPrompt,
+			nearAccountId: args.nearAccountId,
+			vrfChallenge: args.vrfChallenge,
+			includeSecondPrfOutput: args.includeSecondPrfOutput,
+			onBeforePrompt: args.onBeforePrompt
+		});
+	}
 	/**
 	* Generate a VRF challenge bound to a specific signing/confirm session.
 	* The challenge will be cached in the VRF worker under this sessionId so
@@ -302,9 +316,9 @@ var WebAuthnManager = class {
 		const contractId = this.tatchiPasskeyConfigs.contractId;
 		try {
 			const sessionId = `device2-sign-${Date.now()}-${Math.random().toString(36).slice(2, 11)}`;
-			const encryptedKeyData = await require_index.IndexedDBManager.nearKeysDB.getEncryptedKey(nearAccountId, deviceNumber);
-			if (!encryptedKeyData) throw new Error(`No encrypted key found for account ${nearAccountId} device ${deviceNumber}`);
-			const wrapKeySalt = encryptedKeyData.wrapKeySalt;
+			const keyMaterial = await require_index.IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, deviceNumber);
+			if (!keyMaterial) throw new Error(`No key material found for account ${nearAccountId} device ${deviceNumber}`);
+			const wrapKeySalt = keyMaterial.wrapKeySalt;
 			if (!wrapKeySalt) throw new Error(`Missing wrapKeySalt for account ${nearAccountId} device ${deviceNumber}`);
 			const signerPort = await this.vrfWorkerManager.createSigningSessionChannel(sessionId);
 			await this.signerWorkerManager.reserveSignerWorkerSession(sessionId, { signerPort });
@@ -467,10 +481,28 @@ var WebAuthnManager = class {
 		const vrfStatus = await this.vrfWorkerManager.checkVrfStatus();
 		if (!vrfStatus.active) throw new Error("VRF keypair not active in memory. Please log in again.");
 		if (!vrfStatus.nearAccountId || String(vrfStatus.nearAccountId) !== String(nearAccountId)) throw new Error("VRF keypair active but bound to a different account. Please log in again.");
-		const deviceNumber = await require_getDeviceNumber.getLastLoggedInDeviceNumber(nearAccountId, require_index.IndexedDBManager.clientDB);
-		const encryptedKeyData = await require_index.IndexedDBManager.nearKeysDB.getEncryptedKey(nearAccountId, deviceNumber);
-		if (!encryptedKeyData) throw new Error(`No encrypted key found for account ${nearAccountId} device ${deviceNumber}`);
-		const wrapKeySalt = encryptedKeyData.wrapKeySalt || "";
+		const credentialRawId = String(args.credential?.rawId || "").trim();
+		const authenticators = await this.getAuthenticatorsByUser(nearAccountId).catch(() => []);
+		let deviceNumber;
+		try {
+			deviceNumber = await require_getDeviceNumber.getLastLoggedInDeviceNumber(nearAccountId, require_index.IndexedDBManager.clientDB);
+		} catch (err) {
+			if (credentialRawId) {
+				const matched = authenticators.find((a) => a.credentialId === credentialRawId);
+				const inferred = matched && typeof matched.deviceNumber === "number" && Number.isFinite(matched.deviceNumber) ? matched.deviceNumber : null;
+				if (inferred !== null) {
+					deviceNumber = inferred;
+					await this.setLastUser(nearAccountId, inferred).catch(() => void 0);
+				} else throw err;
+			} else throw err;
+		}
+		if (credentialRawId && authenticators.length > 1) {
+			const { wrongPasskeyError } = await require_index.IndexedDBManager.clientDB.ensureCurrentPasskey(nearAccountId, authenticators, credentialRawId);
+			if (wrongPasskeyError) throw new Error(wrongPasskeyError);
+		}
+		const keyMaterial = await require_index.IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, deviceNumber);
+		if (!keyMaterial) throw new Error(`No key material found for account ${nearAccountId} device ${deviceNumber}`);
+		const wrapKeySalt = keyMaterial.wrapKeySalt;
 		if (!wrapKeySalt) throw new Error("Missing wrapKeySalt in vault; re-register to upgrade vault format.");
 		const { ttlMs, remainingUses } = this.resolveSigningSessionPolicy(args);
 		await this.vrfWorkerManager.mintSessionKeysAndSendToSigner({
@@ -675,14 +707,13 @@ var WebAuthnManager = class {
 	* @param onEvent: Optional callback for progress updates during signing
 	* @param onEvent - Optional callback for progress updates during signing
 	*/
-	async signTransactionsWithActions({ transactions, rpcCall, confirmationConfigOverride, title, body, onEvent }) {
-		if (transactions.length === 0) throw new Error("No payloads provided for signing");
-		const activeSessionId = this.getOrCreateActiveSigningSessionId(require_accountIds.toAccountId(rpcCall.nearAccountId));
+	async signTransactionsWithActions({ transactions, rpcCall, signerMode, confirmationConfigOverride, title, body, onEvent }) {
 		return this.withSigningSession({
-			sessionId: activeSessionId,
+			sessionId: this.getOrCreateActiveSigningSessionId(require_accountIds.toAccountId(rpcCall.nearAccountId)),
 			handler: (sessionId) => this.signerWorkerManager.signTransactionsWithActions({
 				transactions,
 				rpcCall,
+				signerMode,
 				confirmationConfigOverride,
 				title,
 				body,
@@ -691,7 +722,74 @@ var WebAuthnManager = class {
 			})
 		});
 	}
-	async signDelegateAction({ delegate, rpcCall, confirmationConfigOverride, title, body, onEvent }) {
+	/**
+	* Sign AddKey(thresholdPublicKey) for `receiverId === nearAccountId` without running confirmTxFlow.
+	*
+	* This is a narrowly-scoped, internal-only helper for post-registration activation flows where
+	* the caller already has a PRF-bearing credential in memory (e.g., immediately after registration)
+	* and wants to avoid an extra TouchID/WebAuthn prompt.
+	*/
+	async signAddKeyThresholdPublicKeyNoPrompt(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		const wrapKeySalt = args.wrapKeySalt;
+		if (!wrapKeySalt) throw new Error("Missing wrapKeySalt for AddKey(thresholdPublicKey) signing");
+		if (!args.credential) throw new Error("Missing credential for AddKey(thresholdPublicKey) signing");
+		if (!args.transactionContext) throw new Error("Missing transactionContext for no-prompt signing");
+		const thresholdPublicKey = require_validation.ensureEd25519Prefix(args.thresholdPublicKey);
+		if (!thresholdPublicKey) throw new Error("Missing thresholdPublicKey for AddKey(thresholdPublicKey) signing");
+		const relayerVerifyingShareB64u = args.relayerVerifyingShareB64u;
+		if (!relayerVerifyingShareB64u) throw new Error("Missing relayerVerifyingShareB64u for AddKey(thresholdPublicKey) signing");
+		const deviceNumber = Number(args.deviceNumber);
+		const resolvedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : await require_getDeviceNumber.getLastLoggedInDeviceNumber(nearAccountId, require_index.IndexedDBManager.clientDB).catch(() => 1);
+		const localKeyMaterial = await require_index.IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, resolvedDeviceNumber);
+		if (!localKeyMaterial) throw new Error(`No local key material found for account ${nearAccountId} device ${resolvedDeviceNumber}`);
+		if (localKeyMaterial.wrapKeySalt !== wrapKeySalt) throw new Error("wrapKeySalt mismatch for AddKey(thresholdPublicKey) signing");
+		return await this.withSigningSession({
+			prefix: "no-prompt-add-threshold-key",
+			options: {
+				credential: args.credential,
+				wrapKeySalt
+			},
+			handler: async (sessionId) => {
+				const response = await this.signerWorkerManager.getContext().sendMessage({
+					sessionId,
+					message: {
+						type: require_signer_worker.INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT,
+						payload: {
+							createdAt: Date.now(),
+							decryption: {
+								encryptedPrivateKeyData: localKeyMaterial.encryptedSk,
+								encryptedPrivateKeyChacha20NonceB64u: localKeyMaterial.chacha20NonceB64u
+							},
+							transactionContext: args.transactionContext,
+							nearAccountId,
+							thresholdPublicKey,
+							relayerVerifyingShareB64u,
+							clientParticipantId: typeof args.clientParticipantId === "number" ? args.clientParticipantId : void 0,
+							relayerParticipantId: typeof args.relayerParticipantId === "number" ? args.relayerParticipantId : void 0
+						}
+					},
+					onEvent: args.onEvent
+				});
+				if (!require_signer_worker.isSignAddKeyThresholdPublicKeyNoPromptSuccess(response)) throw new Error("AddKey(thresholdPublicKey) signing failed");
+				if (!response.payload.success) throw new Error(response.payload.error || "AddKey(thresholdPublicKey) signing failed");
+				const signedTransactions = response.payload.signedTransactions || [];
+				if (signedTransactions.length !== 1) throw new Error(`Expected 1 signed transaction but received ${signedTransactions.length}`);
+				const signedTx = signedTransactions[0];
+				if (!signedTx || !signedTx.transaction || !signedTx.signature) throw new Error("Incomplete signed transaction data received for AddKey(thresholdPublicKey)");
+				return {
+					signedTransaction: new require_NearClient.SignedTransaction({
+						transaction: signedTx.transaction,
+						signature: signedTx.signature,
+						borsh_bytes: Array.from(signedTx.borshBytes || [])
+					}),
+					nearAccountId: String(nearAccountId),
+					logs: response.payload.logs || []
+				};
+			}
+		});
+	}
+	async signDelegateAction({ delegate, rpcCall, signerMode, confirmationConfigOverride, title, body, onEvent }) {
 		const nearAccountId = require_accountIds.toAccountId(rpcCall.nearAccountId || delegate.senderId);
 		const normalizedRpcCall = {
 			contractId: rpcCall.contractId || this.tatchiPasskeyConfigs.contractId,
@@ -707,6 +805,7 @@ var WebAuthnManager = class {
 					return this.signerWorkerManager.signDelegateAction({
 						delegate,
 						rpcCall: normalizedRpcCall,
+						signerMode,
 						confirmationConfigOverride,
 						title,
 						body,
@@ -753,29 +852,6 @@ var WebAuthnManager = class {
 	async extractCosePublicKey(attestationObjectBase64url) {
 		return await this.signerWorkerManager.extractCosePublicKey(attestationObjectBase64url);
 	}
-	/**
-	* Helper to ensure the local `lastUser` pointer is consistent with the latest DB updates.
-	* This fixes issues where a recovery or registration might have updated the user record
-	* but failed to update the `lastUser` pointer (e.g. due to previous bugs or interruptions),
-	* preventing the strict `ensureCurrentPasskey` check from passing.
-	*/
-	async autoHealLastUserPointer(nearAccountId) {
-		try {
-			const lastUser = await this.getLastUser();
-			if (lastUser && lastUser.nearAccountId === nearAccountId) {
-				const freshest = await require_index.IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId);
-				if (freshest && freshest.deviceNumber !== lastUser.deviceNumber) {
-					console.log(`[WebAuthnManager] Auto-healing lastUser pointer from device ${lastUser.deviceNumber} to ${freshest.deviceNumber}`);
-					await this.setLastUser(nearAccountId, freshest.deviceNumber);
-				}
-			} else {
-				const freshest = await require_index.IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId);
-				if (freshest) await this.setLastUser(nearAccountId, freshest.deviceNumber);
-			}
-		} catch (e) {
-			console.warn("[WebAuthnManager] Auto-heal pointer failed (non-fatal):", e);
-		}
-	}
 	/** Worker-driven export: two-phase V2 (collect PRF → decrypt → show UI) */
 	async exportNearKeypairWithUIWorkerDriven(nearAccountId, options) {
 		await this.withSigningSession({
@@ -800,7 +876,7 @@ var WebAuthnManager = class {
 		if (!userData || userData.nearAccountId !== nearAccountId) userData = await require_index.IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId);
 		return {
 			accountId: String(nearAccountId),
-			publicKey: String(userData?.clientNearPublicKey || ""),
+			publicKey: userData?.clientNearPublicKey ?? "",
 			privateKey: ""
 		};
 	}
@@ -873,6 +949,232 @@ var WebAuthnManager = class {
 			actions
 		});
 	}
+	/**
+	* Derive the deterministic threshold client verifying share (2-of-2 ed25519) from WrapKeySeed.
+	* This is safe to call during registration because it only requires the PRF-bearing credential
+	* (no on-chain verification needed) and returns public material only.
+	*/
+	async deriveThresholdEd25519ClientVerifyingShareFromCredential(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		try {
+			return await this.withSigningSession({
+				prefix: "threshold-client-share",
+				options: {
+					credential: args.credential,
+					wrapKeySalt: args.wrapKeySalt
+				},
+				handler: (sessionId) => this.signerWorkerManager.deriveThresholdEd25519ClientVerifyingShare({
+					sessionId,
+					nearAccountId
+				})
+			});
+		} catch (error) {
+			const message = String(error?.message ?? error);
+			return {
+				success: false,
+				nearAccountId,
+				clientVerifyingShareB64u: "",
+				wrapKeySalt: "",
+				error: message
+			};
+		}
+	}
+	/**
+	* Threshold key enrollment (post-registration):
+	* prompts for a dual-PRF WebAuthn authentication to obtain PRF.first/second,
+	* then runs the `/threshold-ed25519/keygen` enrollment flow.
+	*
+	* This is intended to be called only after the passkey is registered on-chain.
+	*/
+	async enrollThresholdEd25519KeyPostRegistration(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		try {
+			const rpId = this.touchIdPrompt.getRpId();
+			if (!rpId) throw new Error("Missing rpId for WebAuthn VRF challenge");
+			const block = await this.nearClient.viewBlock({ finality: "final" });
+			const blockHeight = String(block?.header?.height ?? "");
+			const blockHash = String(block?.header?.hash ?? "");
+			if (!blockHeight || !blockHash) throw new Error("Failed to fetch NEAR block context for VRF challenge");
+			const vrfChallenge = await this.vrfWorkerManager.generateVrfChallengeOnce({
+				userId: nearAccountId,
+				rpId,
+				blockHeight,
+				blockHash
+			});
+			const authenticators = await this.getAuthenticatorsByUser(nearAccountId);
+			if (!authenticators.length) throw new Error(`No passkey authenticators found for account ${nearAccountId}`);
+			const authCredential = await this.collectAuthenticationCredentialForVrfChallenge({
+				nearAccountId,
+				vrfChallenge,
+				includeSecondPrfOutput: true
+			});
+			return await this.enrollThresholdEd25519Key({
+				credential: authCredential,
+				nearAccountId,
+				deviceNumber: args.deviceNumber
+			});
+		} catch (error) {
+			const message = String(error?.message ?? error);
+			return {
+				success: false,
+				publicKey: "",
+				relayerKeyId: "",
+				wrapKeySalt: "",
+				error: message
+			};
+		}
+	}
+	/**
+	* Threshold key rotation (post-registration):
+	* - keygen (new relayerKeyId + publicKey)
+	* - AddKey(new threshold publicKey)
+	* - DeleteKey(old threshold publicKey)
+	*
+	* Uses the local signer key for AddKey/DeleteKey, and requires the account to already
+	* have a stored `threshold_ed25519_2p_v1` key material entry for the target device.
+	*/
+	async rotateThresholdEd25519KeyPostRegistration(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		let oldPublicKey = "";
+		let oldRelayerKeyId = "";
+		try {
+			const deviceNumber = Number(args.deviceNumber);
+			const resolvedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : await require_getDeviceNumber.getLastLoggedInDeviceNumber(nearAccountId, require_index.IndexedDBManager.clientDB).catch(() => 1);
+			const existing = await require_index.IndexedDBManager.nearKeysDB.getThresholdKeyMaterial(nearAccountId, resolvedDeviceNumber);
+			if (!existing) throw new Error(`No threshold key material found for account ${nearAccountId} device ${resolvedDeviceNumber}. Call enrollThresholdEd25519Key() first.`);
+			oldPublicKey = existing.publicKey;
+			oldRelayerKeyId = existing.relayerKeyId;
+			const enrollment = await this.enrollThresholdEd25519KeyPostRegistration({
+				nearAccountId,
+				deviceNumber: resolvedDeviceNumber
+			});
+			if (!enrollment.success) throw new Error(enrollment.error || "Threshold keygen/enrollment failed");
+			return await require_rotateThresholdEd25519KeyPostRegistration.rotateThresholdEd25519KeyPostRegistrationHandler({
+				nearClient: this.nearClient,
+				contractId: this.tatchiPasskeyConfigs.contractId,
+				nearRpcUrl: this.tatchiPasskeyConfigs.nearRpcUrl,
+				signTransactionsWithActions: (params) => this.signTransactionsWithActions(params)
+			}, {
+				nearAccountId,
+				deviceNumber: resolvedDeviceNumber,
+				oldPublicKey,
+				oldRelayerKeyId,
+				newPublicKey: enrollment.publicKey,
+				newRelayerKeyId: enrollment.relayerKeyId,
+				wrapKeySalt: enrollment.wrapKeySalt
+			});
+		} catch (error) {
+			const message = String(error?.message ?? error);
+			return {
+				success: false,
+				oldPublicKey,
+				oldRelayerKeyId,
+				publicKey: "",
+				relayerKeyId: "",
+				wrapKeySalt: "",
+				deleteOldKeyAttempted: false,
+				deleteOldKeySuccess: false,
+				error: message
+			};
+		}
+	}
+	/**
+	* Threshold key enrollment (2-of-2): deterministically derive the client verifying share
+	* from WrapKeySeed and register the corresponding relayer share via `/threshold-ed25519/keygen`.
+	*
+	* Stores a v3 vault entry of kind `threshold_ed25519_2p_v1` (breaking; no migration).
+	*/
+	async enrollThresholdEd25519Key(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		const relayerUrl = this.tatchiPasskeyConfigs.relayer.url;
+		try {
+			if (!relayerUrl) throw new Error("Missing relayer url (configs.relayer.url)");
+			if (!args.credential) throw new Error("Missing credential");
+			const deviceNumber = Number(args.deviceNumber);
+			const resolvedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : await require_getDeviceNumber.getLastLoggedInDeviceNumber(nearAccountId, require_index.IndexedDBManager.clientDB).catch(() => 1);
+			const keygen = await this.withSigningSession({
+				prefix: "threshold-keygen",
+				options: { credential: args.credential },
+				handler: (sessionId) => require_enrollThresholdEd25519Key.enrollThresholdEd25519KeyHandler({
+					nearClient: this.nearClient,
+					vrfWorkerManager: this.vrfWorkerManager,
+					signerWorkerManager: this.signerWorkerManager,
+					touchIdPrompt: this.touchIdPrompt,
+					relayerUrl
+				}, {
+					sessionId,
+					nearAccountId
+				})
+			});
+			if (!keygen.success) throw new Error(keygen.error || "Threshold keygen failed");
+			const publicKey = keygen.publicKey;
+			const clientVerifyingShareB64u = keygen.clientVerifyingShareB64u;
+			const relayerKeyId = keygen.relayerKeyId;
+			const relayerVerifyingShareB64u = keygen.relayerVerifyingShareB64u;
+			if (!clientVerifyingShareB64u) throw new Error("Threshold keygen returned empty clientVerifyingShareB64u");
+			const localKeyMaterial = await require_index.IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, resolvedDeviceNumber);
+			if (!localKeyMaterial) throw new Error(`No local key material found for account ${nearAccountId} device ${resolvedDeviceNumber}`);
+			const alreadyActive = await require_rpcCalls.hasAccessKey(this.nearClient, nearAccountId, publicKey, {
+				attempts: 1,
+				delayMs: 0
+			});
+			if (!alreadyActive) {
+				this.nonceManager.initializeUser(nearAccountId, localKeyMaterial.publicKey);
+				const txContext = await this.nonceManager.getNonceBlockHashAndHeight(this.nearClient, { force: true });
+				const signed = await this.signAddKeyThresholdPublicKeyNoPrompt({
+					nearAccountId,
+					credential: args.credential,
+					wrapKeySalt: localKeyMaterial.wrapKeySalt,
+					transactionContext: txContext,
+					thresholdPublicKey: publicKey,
+					relayerVerifyingShareB64u,
+					clientParticipantId: keygen.clientParticipantId,
+					relayerParticipantId: keygen.relayerParticipantId,
+					deviceNumber: resolvedDeviceNumber
+				});
+				const signedTx = signed?.signedTransaction;
+				if (!signedTx) throw new Error("Failed to sign AddKey(thresholdPublicKey) transaction");
+				await this.nearClient.sendTransaction(signedTx, require_rpc.DEFAULT_WAIT_STATUS.thresholdAddKey);
+				const activated = await require_rpcCalls.hasAccessKey(this.nearClient, nearAccountId, publicKey);
+				if (!activated) throw new Error("Threshold access key not found on-chain after AddKey");
+			}
+			const keyMaterial = {
+				kind: "threshold_ed25519_2p_v1",
+				nearAccountId,
+				deviceNumber: resolvedDeviceNumber,
+				publicKey,
+				wrapKeySalt: keygen.wrapKeySalt,
+				relayerKeyId,
+				clientShareDerivation: "prf_first_v1",
+				participants: require_participants.buildThresholdEd25519Participants2pV1({
+					clientParticipantId: keygen.clientParticipantId,
+					relayerParticipantId: keygen.relayerParticipantId,
+					relayerKeyId,
+					relayerUrl,
+					clientVerifyingShareB64u,
+					relayerVerifyingShareB64u,
+					clientShareDerivation: "prf_first_v1"
+				}),
+				timestamp: Date.now()
+			};
+			await require_index.IndexedDBManager.nearKeysDB.storeKeyMaterial(keyMaterial);
+			return {
+				success: true,
+				publicKey,
+				relayerKeyId,
+				wrapKeySalt: keygen.wrapKeySalt
+			};
+		} catch (error) {
+			const message = String(error?.message ?? error);
+			return {
+				success: false,
+				publicKey: "",
+				relayerKeyId: "",
+				wrapKeySalt: "",
+				error: message
+			};
+		}
+	}
 	/** * Get user preferences manager */
 	getUserPreferences() {
 		return this.userPreferencesManager;