npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/cjs/react/sdk/src/core/WebAuthnManager/SignerWorkerManager/index.js DELETED Viewed

@@ -1,452 +0,0 @@
-const require_rolldown_runtime = require('../../../../../_virtual/rolldown_runtime.js');
-const require_signer_worker = require('../../types/signer-worker.js');
-const require_index = require('../../IndexedDBManager/index.js');
-const require_config = require('../../../config.js');
-const require_validation = require('../../WalletIframe/validation.js');
-const require_workers = require('../../sdkPaths/workers.js');
-const require_errors = require('../../../utils/errors.js');
-const require_touchIdPrompt = require('../touchIdPrompt.js');
-const require_workerControlMessages = require('../../workerControlMessages.js');
-const require_sessionMessages = require('./sessionMessages.js');
-const require_checkCanRegisterUser = require('./handlers/checkCanRegisterUser.js');
-const require_session = require('./handlers/session.js');
-const require_deriveNearKeypairAndEncryptFromSerialized = require('./handlers/deriveNearKeypairAndEncryptFromSerialized.js');
-const require_decryptPrivateKeyWithPrf = require('./handlers/decryptPrivateKeyWithPrf.js');
-const require_sessionHandshake = require('./sessionHandshake.js');
-const require_signTransactionsWithActions = require('./handlers/signTransactionsWithActions.js');
-const require_signDelegateAction = require('./handlers/signDelegateAction.js');
-const require_recoverKeypairFromPasskey = require('./handlers/recoverKeypairFromPasskey.js');
-const require_extractCosePublicKey = require('./handlers/extractCosePublicKey.js');
-const require_signTransactionWithKeyPair = require('./handlers/signTransactionWithKeyPair.js');
-const require_signNep413Message = require('./handlers/signNep413Message.js');
-const require_registerDevice2WithDerivedKey = require('./handlers/registerDevice2WithDerivedKey.js');
-const require_exportNearKeypairUi = require('./handlers/exportNearKeypairUi.js');
-//#region src/core/WebAuthnManager/SignerWorkerManager/index.ts
-require_index.init_IndexedDBManager();
-require_validation.init_validation();
-require_signer_worker.init_signer_worker();
-require_touchIdPrompt.init_touchIdPrompt();
-require_errors.init_errors();
-/**
-* WebAuthnWorkers handles PRF, workers, and COSE operations
-*
-* Note: Challenge store removed as VRF provides cryptographic freshness
-* without needing centralized challenge management
-*/
-var SignerWorkerManager = class {
-	indexedDB;
-	touchIdPrompt;
-	vrfWorkerManager;
-	nearClient;
-	userPreferencesManager;
-	nonceManager;
-	workerBaseOrigin;
-	nearExplorerUrl;
-	constructor(vrfWorkerManager, nearClient, userPreferencesManager, nonceManager, rpIdOverride, enableSafariGetWebauthnRegistrationFallback = true, nearExplorerUrl) {
-		this.indexedDB = require_index.IndexedDBManager;
-		this.touchIdPrompt = new require_touchIdPrompt.TouchIdPrompt(rpIdOverride, enableSafariGetWebauthnRegistrationFallback);
-		this.vrfWorkerManager = vrfWorkerManager;
-		this.nearClient = nearClient;
-		this.userPreferencesManager = userPreferencesManager;
-		this.nonceManager = nonceManager;
-		this.nearExplorerUrl = nearExplorerUrl;
-	}
-	setWorkerBaseOrigin(origin) {
-		this.workerBaseOrigin = origin;
-	}
-	getContext() {
-		return {
-			sendMessage: this.sendMessage.bind(this),
-			indexedDB: this.indexedDB,
-			touchIdPrompt: this.touchIdPrompt,
-			vrfWorkerManager: this.vrfWorkerManager,
-			nearClient: this.nearClient,
-			userPreferencesManager: this.userPreferencesManager,
-			nonceManager: this.nonceManager,
-			rpIdOverride: this.touchIdPrompt.getRpId(),
-			nearExplorerUrl: this.nearExplorerUrl
-		};
-	}
-	createSecureWorker() {
-		const workerUrlStr = require_workers.resolveWorkerUrl(require_config.SIGNER_WORKER_MANAGER_CONFIG.WORKER.URL, {
-			worker: "signer",
-			baseOrigin: this.workerBaseOrigin
-		});
-		try {
-			const worker = new Worker(workerUrlStr, {
-				type: require_config.SIGNER_WORKER_MANAGER_CONFIG.WORKER.TYPE,
-				name: require_config.SIGNER_WORKER_MANAGER_CONFIG.WORKER.NAME
-			});
-			worker.onerror = () => {};
-			return worker;
-		} catch (error) {
-			const msg = error instanceof Error ? error.message : String(error);
-			throw new Error(`Failed to create secure worker: ${msg}`);
-		}
-	}
-	/**
-	* Executes a worker operation by sending a message to the secure worker.
-	* Handles progress updates via onEvent callback, supports both single and multiple response patterns.
-	* Intercepts secure confirmation handshake messages for pluggable UI.
-	* Resolves with the final worker response or rejects on error/timeout.
-	*
-	* @template T - Worker request type.
-	* @param params.message - The message to send to the worker.
-	* @param params.onEvent - Optional callback for progress events.
-	* @param params.timeoutMs - Optional timeout in milliseconds.
-	* @returns Promise resolving to the worker response for the request.
-	*/
-	workerPool = [];
-	MAX_WORKER_POOL_SIZE = 3;
-	signingSessions = /* @__PURE__ */ new Map();
-	SIGNING_SESSION_TIMEOUT_MS = 300 * 1e3;
-	getWorkerFromPool() {
-		if (this.workerPool.length > 0) return this.workerPool.pop();
-		return this.createSecureWorker();
-	}
-	terminateAndReplaceWorker(worker) {
-		worker.terminate();
-		this.createReplacementWorker();
-	}
-	/**
-	* Reserve a signer worker "session"
-	*
-	* What this does:
-	* - Reserves a specific `Worker` instance from the pool and pins it to `sessionId`.
-	* - Ensures the signer worker has a dedicated `MessagePort` attached for receiving `WrapKeySeed`
-	*   from the VRF worker (VRF → Signer channel).
-	*
-	* Port wiring:
-	* - The VRF worker retains one end of a `MessageChannel` and the signer worker receives the other.
-	* - This method attaches the signer-facing port via a control message (`ATTACH_WRAP_KEY_SEED_PORT`)
-	*   and waits for an ACK (`ATTACH_WRAP_KEY_SEED_PORT_OK`) before exposing the session.
-	*
-	* @param sessionId - Session identifier used to correlate MessagePorts + ready signals.
-	* @param opts.signerPort - Optional signer-facing `MessagePort` created/owned by the caller (VRF-created channel).
-	*                         If omitted, this method creates a fresh `MessageChannel` and returns `vrfPort` so the
-	*                         caller can transfer it to the VRF worker.
-	* @returns `{ worker, signerPort, vrfPort }` where `vrfPort` is only present when we created the channel here.
-	*/
-	async reserveSignerWorkerSession(sessionId, opts) {
-		if (this.signingSessions.has(sessionId)) throw new Error(`Signing session already exists for id: ${sessionId}`);
-		const worker = this.getWorkerFromPool();
-		let signerPort = opts?.signerPort;
-		let vrfPort;
-		if (!signerPort) {
-			const channel = new MessageChannel();
-			signerPort = channel.port1;
-			vrfPort = channel.port2;
-		}
-		try {
-			if (!signerPort) throw new Error("Missing signerPort for signing session");
-			await require_sessionHandshake.attachSessionPort(worker, sessionId, signerPort);
-			this.signingSessions.set(sessionId, {
-				worker,
-				wrapKeySeedPort: signerPort,
-				createdAt: Date.now()
-			});
-		} catch (err) {
-			console.error("[SignerWorkerManager]: Failed to attach WrapKeySeed port to signer worker", err);
-			try {
-				signerPort?.close();
-			} catch {}
-			try {
-				vrfPort?.close();
-			} catch {}
-			this.terminateAndReplaceWorker(worker);
-			this.signingSessions.delete(sessionId);
-			throw err;
-		}
-		return {
-			worker,
-			signerPort,
-			vrfPort
-		};
-	}
-	/**
-	* Release a signing session: close ports and terminate/replace the worker to zeroize state.
-	*/
-	releaseSigningSession(sessionId) {
-		const entry = this.signingSessions.get(sessionId);
-		if (!entry) return;
-		try {
-			entry.wrapKeySeedPort?.close();
-		} catch {}
-		try {
-			this.terminateAndReplaceWorker(entry.worker);
-		} catch {}
-		this.signingSessions.delete(sessionId);
-	}
-	/**
-	* Sweep expired signing sessions based on createdAt and timeout.
-	*/
-	sweepExpiredSigningSessions() {
-		const now = Date.now();
-		for (const [sessionId, entry] of this.signingSessions.entries()) if (now - entry.createdAt > this.SIGNING_SESSION_TIMEOUT_MS) this.releaseSigningSession(sessionId);
-	}
-	async createReplacementWorker() {
-		try {
-			const worker = this.createSecureWorker();
-			const healthPromise = new Promise((resolve, reject) => {
-				const timeout = setTimeout(() => reject(/* @__PURE__ */ new Error("Health check timeout")), 5e3);
-				const onMessage = (event) => {
-					if (event.data?.type === require_workerControlMessages.WorkerControlMessage.WORKER_READY || event.data?.ready) {
-						worker.removeEventListener("message", onMessage);
-						clearTimeout(timeout);
-						resolve();
-					}
-				};
-				worker.addEventListener("message", onMessage);
-				worker.onerror = () => {
-					worker.removeEventListener("message", onMessage);
-					clearTimeout(timeout);
-					reject(/* @__PURE__ */ new Error("Worker error during health check"));
-				};
-			});
-			await healthPromise;
-			if (this.workerPool.length < this.MAX_WORKER_POOL_SIZE) this.workerPool.push(worker);
-			else worker.terminate();
-		} catch (error) {
-			console.warn("SignerWorkerManager: Failed to create replacement worker:", error);
-		}
-	}
-	/**
-	* Pre-warm worker pool by creating and initializing workers in advance
-	* This reduces latency for the first transaction by having workers ready
-	*/
-	async preWarmWorkerPool() {
-		const promises = [];
-		for (let i = 0; i < this.MAX_WORKER_POOL_SIZE; i++) promises.push(new Promise((resolve, reject) => {
-			try {
-				const worker = this.createSecureWorker();
-				const onReady = (event) => {
-					if (event.data?.type === require_workerControlMessages.WorkerControlMessage.WORKER_READY || event.data?.ready) {
-						worker.removeEventListener("message", onReady);
-						this.terminateAndReplaceWorker(worker);
-						resolve();
-					}
-				};
-				worker.addEventListener("message", onReady);
-				worker.onerror = (error) => {
-					worker.removeEventListener("message", onReady);
-					console.error(`WebAuthnManager: Worker ${i + 1} pre-warm failed:`, error);
-					reject(error);
-				};
-				setTimeout(() => {
-					worker.removeEventListener("message", onReady);
-					reject(/* @__PURE__ */ new Error("Pre-warm timeout"));
-				}, 5e3);
-			} catch (error) {
-				console.error(`WebAuthnManager: Failed to create worker ${i + 1}:`, error);
-				reject(require_errors.toError(error));
-			}
-		}));
-		try {
-			await Promise.allSettled(promises);
-		} catch (error) {
-			console.warn("WebAuthnManager: Some workers failed to pre-warm:", error);
-		}
-	}
-	async sendMessage({ sessionId, message, onEvent, timeoutMs = require_config.SIGNER_WORKER_MANAGER_CONFIG.TIMEOUTS.DEFAULT }) {
-		this.sweepExpiredSigningSessions();
-		const payloadSessionId = message.payload?.sessionId;
-		if (sessionId && payloadSessionId && payloadSessionId !== sessionId) throw new Error(`sendMessage: payload.sessionId (${payloadSessionId}) does not match provided sessionId (${sessionId})`);
-		const effectiveSessionId = sessionId || payloadSessionId;
-		const sessionEntry = effectiveSessionId ? this.signingSessions.get(effectiveSessionId) : void 0;
-		if (effectiveSessionId && !sessionEntry) throw new Error(`Signing session not found for id: ${effectiveSessionId}`);
-		const finalPayload = effectiveSessionId ? require_session.withSessionId(effectiveSessionId, message.payload) : message.payload;
-		const worker = sessionEntry ? sessionEntry.worker : this.getWorkerFromPool();
-		const isSessionWorker = !!sessionEntry;
-		return new Promise((resolve, reject) => {
-			const timeoutId = setTimeout(() => {
-				try {
-					if (isSessionWorker && effectiveSessionId) this.releaseSigningSession(effectiveSessionId);
-					else this.terminateAndReplaceWorker(worker);
-				} catch {}
-				try {
-					const seconds = Math.round(timeoutMs / 1e3);
-					window.postMessage({
-						type: "MODAL_TIMEOUT",
-						payload: `Timed out after ${seconds}s, try again`
-					}, "*");
-				} catch {}
-				reject(/* @__PURE__ */ new Error(`Worker operation timed out after ${timeoutMs}ms`));
-			}, timeoutMs);
-			const responses = [];
-			worker.onmessage = async (event) => {
-				try {
-					if (require_sessionMessages.isSignerWorkerControlMessage(event?.data)) return;
-					if (event?.data?.type === require_workerControlMessages.WorkerControlMessage.WORKER_READY || event?.data?.ready) return;
-					const response = event.data;
-					responses.push(response);
-					if (require_signer_worker.isWorkerProgress(response)) {
-						const progressResponse = response;
-						onEvent?.(progressResponse.payload);
-						return;
-					}
-					if (require_signer_worker.isWorkerError(response)) {
-						clearTimeout(timeoutId);
-						if (!isSessionWorker) this.terminateAndReplaceWorker(worker);
-						const errorResponse = response;
-						console.error("Worker error response:", errorResponse);
-						reject(new Error(errorResponse.payload.error));
-						return;
-					}
-					if (require_signer_worker.isWorkerSuccess(response)) {
-						clearTimeout(timeoutId);
-						if (!isSessionWorker) this.terminateAndReplaceWorker(worker);
-						resolve(response);
-						return;
-					}
-					console.error("Unexpected worker response format:", { response });
-					if (require_validation.isObject(response) && "message" in response && "stack" in response) {
-						clearTimeout(timeoutId);
-						if (!isSessionWorker) this.terminateAndReplaceWorker(worker);
-						console.error("Worker sent generic Error object:", response);
-						reject(/* @__PURE__ */ new Error(`Worker sent generic error: ${response.message}`));
-						return;
-					}
-					clearTimeout(timeoutId);
-					if (!isSessionWorker) this.terminateAndReplaceWorker(worker);
-					reject(/* @__PURE__ */ new Error(`Unknown worker response format: ${JSON.stringify(response)}`));
-				} catch (error) {
-					clearTimeout(timeoutId);
-					if (!isSessionWorker) this.terminateAndReplaceWorker(worker);
-					console.error("Error processing worker message:", error);
-					const err = require_errors.toError(error);
-					reject(/* @__PURE__ */ new Error(`Worker message processing error: ${err.message}`));
-				}
-			};
-			worker.onerror = (event) => {
-				clearTimeout(timeoutId);
-				if (!isSessionWorker) this.terminateAndReplaceWorker(worker);
-				const errorMessage = event.error?.message || event.message || "Unknown worker error";
-				console.error("Worker error details (progress):", {
-					message: errorMessage,
-					filename: event.filename,
-					lineno: event.lineno,
-					colno: event.colno,
-					error: event.error
-				});
-				reject(/* @__PURE__ */ new Error(`Worker error: ${errorMessage}`));
-			};
-			const formattedMessage = {
-				type: message.type,
-				payload: finalPayload
-			};
-			worker.postMessage(formattedMessage);
-		});
-	}
-	/**
-	* Derive NEAR keypair from a serialized WebAuthn registration credential
-	*/
-	async deriveNearKeypairAndEncryptFromSerialized(args) {
-		return require_deriveNearKeypairAndEncryptFromSerialized.deriveNearKeypairAndEncryptFromSerialized({
-			ctx: this.getContext(),
-			...args
-		});
-	}
-	/**
-	* Secure private key decryption with dual PRF
-	*/
-	async decryptPrivateKeyWithPrf(args) {
-		return require_decryptPrivateKeyWithPrf.decryptPrivateKeyWithPrf({
-			ctx: this.getContext(),
-			...args
-		});
-	}
-	async checkCanRegisterUser(args) {
-		return require_checkCanRegisterUser.checkCanRegisterUser({
-			ctx: this.getContext(),
-			...args
-		});
-	}
-	/**
-	* Combined Device2 registration: derive NEAR keypair + sign registration transaction
-	* in a single operation without requiring a separate authentication prompt.
-	*
-	* This replaces the old two-step flow (register → authenticate → sign).
-	* PRF.second and WrapKeySeed are already in the signer worker via MessagePort.
-	*/
-	async registerDevice2WithDerivedKey(args) {
-		return require_registerDevice2WithDerivedKey.registerDevice2WithDerivedKey({
-			ctx: this.getContext(),
-			...args
-		});
-	}
-	/**
-	* Sign multiple transactions with shared VRF challenge and credential
-	* Efficiently processes multiple transactions with one PRF authentication
-	*/
-	async signTransactionsWithActions(args) {
-		return require_signTransactionsWithActions.signTransactionsWithActions({
-			ctx: this.getContext(),
-			...args
-		});
-	}
-	async signDelegateAction(args) {
-		return require_signDelegateAction.signDelegateAction({
-			ctx: this.getContext(),
-			...args
-		});
-	}
-	/**
-	* Recover keypair from authentication credential for account recovery
-	* Uses dual PRF-based Ed25519 key derivation with account-specific HKDF and AES encryption
-	*/
-	async recoverKeypairFromPasskey(args) {
-		return require_recoverKeypairFromPasskey.recoverKeypairFromPasskey({
-			ctx: this.getContext(),
-			...args
-		});
-	}
-	/**
-	* Extract COSE public key from WebAuthn attestation object
-	* Simple operation that doesn't require TouchID or progress updates
-	*/
-	async extractCosePublicKey(attestationObjectBase64url) {
-		return require_extractCosePublicKey.extractCosePublicKey({
-			ctx: this.getContext(),
-			attestationObjectBase64url
-		});
-	}
-	/**
-	* Sign transaction with raw private key (for key replacement in Option D device linking)
-	* No TouchID/PRF required - uses provided private key directly
-	*/
-	async signTransactionWithKeyPair(args) {
-		return require_signTransactionWithKeyPair.signTransactionWithKeyPair({
-			ctx: this.getContext(),
-			...args
-		});
-	}
-	/**
-	* Sign a NEP-413 message using the user's passkey-derived private key
-	*
-	* @param payload - NEP-413 signing parameters including message, recipient, nonce, and state
-	* @returns Promise resolving to signing result with account ID, public key, and signature
-	*/
-	async signNep413Message(payload) {
-		return require_signNep413Message.signNep413Message({
-			ctx: this.getContext(),
-			payload
-		});
-	}
-	/**
-	* Two-phase export (worker-driven):
-	*  - Phase 1: collect PRF (uiMode: 'skip')
-	*  - Decrypt inside worker
-	*  - Phase 2: show export UI with decrypted key (kept open until user closes)
-	*/
-	async exportNearKeypairUi(args) {
-		return require_exportNearKeypairUi.exportNearKeypairUi({
-			ctx: this.getContext(),
-			...args
-		});
-	}
-};
-//#endregion
-exports.SignerWorkerManager = SignerWorkerManager;
-//# sourceMappingURL=index.js.map

package/dist/cjs/react/sdk/src/core/WebAuthnManager/SignerWorkerManager/index.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.js","names":["IndexedDBManager","TouchIdPrompt","resolveWorkerUrl","SIGNER_WORKER_MANAGER_CONFIG","vrfPort: MessagePort | undefined","attachSessionPort","WorkerControlMessage","error: unknown","promises: Promise<void>[]","toError","withSessionId","responses: WorkerResponseForRequest<T>[]","isSignerWorkerControlMessage","isWorkerProgress","isWorkerError","isWorkerSuccess","isObject","deriveNearKeypairAndEncryptFromSerialized","decryptPrivateKeyWithPrf","checkCanRegisterUser","registerDevice2WithDerivedKey","signTransactionsWithActions","signDelegateAction","recoverKeypairFromPasskey","extractCosePublicKey","signTransactionWithKeyPair","signNep413Message","exportNearKeypairUi"],"sources":["../../../../../../../../src/core/WebAuthnManager/SignerWorkerManager/index.ts"],"sourcesContent":["import { SIGNER_WORKER_MANAGER_CONFIG } from \"../../../config\";\nimport { ClientAuthenticatorData, UnifiedIndexedDBManager } from '../../IndexedDBManager';\nimport { IndexedDBManager } from '../../IndexedDBManager';\nimport { SignedTransaction, type NearClient } from '../../NearClient';\nimport { isObject } from '../../WalletIframe/validation';\nimport { resolveWorkerUrl } from '../../sdkPaths';\nimport {\n WorkerRequestType,\n WorkerResponseForRequest,\n isWorkerProgress,\n isWorkerError,\n isWorkerSuccess,\n WorkerProgressResponse,\n WorkerErrorResponse,\n WorkerRequestTypeMap,\n} from '../../types/signer-worker';\nimport { VrfWorkerManager } from '../VrfWorkerManager';\nimport { VRFChallenge } from '../../types/vrf-worker';\nimport type { ActionArgsWasm, TransactionInputWasm } from '../../types/actions';\nimport type { DelegateActionInput } from '../../types/delegate';\nimport type { onProgressEvents } from '../../types/sdkSentEvents';\nimport type { AuthenticatorOptions } from '../../types/authenticatorOptions';\nimport { AccountId } from \"../../types/accountIds\";\nimport { TransactionContext } from '../../types/rpc';\nimport {\n ConfirmationConfig,\n WasmSignedDelegate,\n} from '../../types/signer-worker';\nimport { TouchIdPrompt } from \"../touchIdPrompt\";\nimport { isSignerWorkerControlMessage } from './sessionMessages';\nimport { WorkerControlMessage } from '../../workerControlMessages';\n\nimport {\n decryptPrivateKeyWithPrf,\n checkCanRegisterUser,\n signTransactionsWithActions,\n recoverKeypairFromPasskey,\n extractCosePublicKey,\n signTransactionWithKeyPair,\n signNep413Message,\n deriveNearKeypairAndEncryptFromSerialized,\n signDelegateAction,\n registerDevice2WithDerivedKey,\n exportNearKeypairUi,\n} from './handlers';\nimport { RpcCallPayload } from '../../types/signer-worker';\nimport { UserPreferencesManager } from '../userPreferences';\nimport { NonceManager } from '../../nonceManager';\nimport { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../types';\nimport { toError } from '@/utils/errors';\nimport { withSessionId } from './handlers/session';\nimport { attachSessionPort } from './sessionHandshake.js';\n\ntype WithOptionalSessionId<T> = T extends { sessionId: string }\n ? Omit<T, 'sessionId'> & { sessionId?: string }\n : T;\n\ntype SigningSessionEntry = {\n worker: Worker;\n wrapKeySeedPort?: MessagePort;\n createdAt: number;\n};\n\nexport interface SignerWorkerManagerContext {\n touchIdPrompt: TouchIdPrompt;\n nearClient: NearClient;\n indexedDB: UnifiedIndexedDBManager;\n userPreferencesManager: UserPreferencesManager;\n nonceManager: NonceManager;\n rpIdOverride?: string;\n nearExplorerUrl?: string;\n vrfWorkerManager?: VrfWorkerManager;\n sendMessage: <T extends keyof WorkerRequestTypeMap>(args: {\n message: {\n type: T;\n payload: WithOptionalSessionId<WorkerRequestTypeMap[T]['request']>;\n };\n onEvent?: (update: onProgressEvents) => void;\n timeoutMs?: number;\n sessionId?: string;\n }) => Promise<WorkerResponseForRequest<T>>;\n};\n\n/**\n * WebAuthnWorkers handles PRF, workers, and COSE operations\n *\n * Note: Challenge store removed as VRF provides cryptographic freshness\n * without needing centralized challenge management\n */\nexport class SignerWorkerManager {\n\n private indexedDB: UnifiedIndexedDBManager;\n private touchIdPrompt: TouchIdPrompt;\n private vrfWorkerManager: VrfWorkerManager;\n private nearClient: NearClient;\n private userPreferencesManager: UserPreferencesManager;\n private nonceManager: NonceManager;\n private workerBaseOrigin: string | undefined;\n private nearExplorerUrl?: string;\n\n constructor(\n vrfWorkerManager: VrfWorkerManager,\n nearClient: NearClient,\n userPreferencesManager: UserPreferencesManager,\n nonceManager: NonceManager,\n rpIdOverride?: string,\n enableSafariGetWebauthnRegistrationFallback: boolean = true,\n nearExplorerUrl?: string,\n ) {\n this.indexedDB = IndexedDBManager;\n this.touchIdPrompt = new TouchIdPrompt(rpIdOverride, enableSafariGetWebauthnRegistrationFallback);\n this.vrfWorkerManager = vrfWorkerManager;\n this.nearClient = nearClient;\n this.userPreferencesManager = userPreferencesManager;\n this.nonceManager = nonceManager;\n this.nearExplorerUrl = nearExplorerUrl;\n }\n\n setWorkerBaseOrigin(origin: string | undefined): void {\n this.workerBaseOrigin = origin;\n }\n\n getContext(): SignerWorkerManagerContext {\n return {\n sendMessage: this.sendMessage.bind(this), // bind to access this.createSecureWorker\n indexedDB: this.indexedDB,\n touchIdPrompt: this.touchIdPrompt,\n vrfWorkerManager: this.vrfWorkerManager,\n nearClient: this.nearClient,\n userPreferencesManager: this.userPreferencesManager,\n nonceManager: this.nonceManager,\n rpIdOverride: this.touchIdPrompt.getRpId(),\n nearExplorerUrl: this.nearExplorerUrl,\n };\n }\n\n createSecureWorker(): Worker {\n const workerUrlStr = resolveWorkerUrl(\n SIGNER_WORKER_MANAGER_CONFIG.WORKER.URL,\n { worker: 'signer', baseOrigin: this.workerBaseOrigin }\n )\n try {\n const worker = new Worker(workerUrlStr, {\n type: SIGNER_WORKER_MANAGER_CONFIG.WORKER.TYPE,\n name: SIGNER_WORKER_MANAGER_CONFIG.WORKER.NAME\n });\n // minimal error handler in tests; avoid noisy logs\n worker.onerror = () => {};\n return worker;\n } catch (error) {\n // Do not silently downgrade to same‑origin. Cross‑origin workers must be\n // resolvable under the configured wallet origin with proper headers.\n // Surface a precise error so tests assert the real path.\n const msg = error instanceof Error ? error.message : String(error);\n throw new Error(`Failed to create secure worker: ${msg}`);\n }\n }\n\n /**\n * Executes a worker operation by sending a message to the secure worker.\n * Handles progress updates via onEvent callback, supports both single and multiple response patterns.\n * Intercepts secure confirmation handshake messages for pluggable UI.\n * Resolves with the final worker response or rejects on error/timeout.\n *\n * @template T - Worker request type.\n * @param params.message - The message to send to the worker.\n * @param params.onEvent - Optional callback for progress events.\n * @param params.timeoutMs - Optional timeout in milliseconds.\n * @returns Promise resolving to the worker response for the request.\n */\n private workerPool: Worker[] = [];\n private readonly MAX_WORKER_POOL_SIZE = 3; // Increased for security model\n // Map of active signing sessions to reserved workers and optional WrapKeySeed ports\n private signingSessions: Map<string, SigningSessionEntry> = new Map();\n private readonly SIGNING_SESSION_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes\n\n private getWorkerFromPool(): Worker {\n if (this.workerPool.length > 0) {\n return this.workerPool.pop()!;\n }\n return this.createSecureWorker();\n }\n\n private terminateAndReplaceWorker(worker: Worker): void {\n // Always terminate workers to clear memory\n worker.terminate();\n // Asynchronously create a replacement worker for the pool\n this.createReplacementWorker();\n }\n\n /**\n * Reserve a signer worker \"session\"\n *\n * What this does:\n * - Reserves a specific `Worker` instance from the pool and pins it to `sessionId`.\n * - Ensures the signer worker has a dedicated `MessagePort` attached for receiving `WrapKeySeed`\n * from the VRF worker (VRF → Signer channel).\n *\n * Port wiring:\n * - The VRF worker retains one end of a `MessageChannel` and the signer worker receives the other.\n * - This method attaches the signer-facing port via a control message (`ATTACH_WRAP_KEY_SEED_PORT`)\n * and waits for an ACK (`ATTACH_WRAP_KEY_SEED_PORT_OK`) before exposing the session.\n *\n * @param sessionId - Session identifier used to correlate MessagePorts + ready signals.\n * @param opts.signerPort - Optional signer-facing `MessagePort` created/owned by the caller (VRF-created channel).\n * If omitted, this method creates a fresh `MessageChannel` and returns `vrfPort` so the\n * caller can transfer it to the VRF worker.\n * @returns `{ worker, signerPort, vrfPort }` where `vrfPort` is only present when we created the channel here.\n */\n async reserveSignerWorkerSession(sessionId: string, opts?: { signerPort?: MessagePort }): Promise<{ worker: Worker; signerPort?: MessagePort; vrfPort?: MessagePort }> {\n if (this.signingSessions.has(sessionId)) {\n throw new Error(`Signing session already exists for id: ${sessionId}`);\n }\n // Reserve a worker from the pool for this sessionId.\n const worker = this.getWorkerFromPool();\n let signerPort = opts?.signerPort;\n let vrfPort: MessagePort | undefined;\n if (!signerPort) {\n // If caller did not provide a signer-facing port, create a channel.\n // - port1 => signer worker (receiver)\n // - port2 => VRF worker (sender) returned to caller\n const channel = new MessageChannel();\n signerPort = channel.port1;\n vrfPort = channel.port2;\n }\n\n // Attach the signerPort to the worker and wait for ACK before adding to signingSessions\n try {\n if (!signerPort) {\n throw new Error('Missing signerPort for signing session');\n }\n\n // Use centralized handshake logic (registers listener, sends message, waits for ACK)\n await attachSessionPort(worker, sessionId, signerPort);\n\n // Only add to signingSessions after successful attachment\n // (prevents callers from observing a session that can't receive WrapKeySeed yet).\n this.signingSessions.set(sessionId, {\n worker,\n wrapKeySeedPort: signerPort,\n createdAt: Date.now(),\n });\n\n } catch (err) {\n console.error('[SignerWorkerManager]: Failed to attach WrapKeySeed port to signer worker', err);\n // Best-effort cleanup\n try { signerPort?.close(); } catch {}\n try { vrfPort?.close(); } catch {}\n this.terminateAndReplaceWorker(worker);\n this.signingSessions.delete(sessionId);\n throw err;\n }\n return { worker, signerPort, vrfPort };\n }\n\n /**\n * Release a signing session: close ports and terminate/replace the worker to zeroize state.\n */\n releaseSigningSession(sessionId: string): void {\n const entry = this.signingSessions.get(sessionId);\n if (!entry) return;\n try { entry.wrapKeySeedPort?.close() } catch {}\n try { this.terminateAndReplaceWorker(entry.worker) } catch {}\n this.signingSessions.delete(sessionId);\n }\n\n /**\n * Sweep expired signing sessions based on createdAt and timeout.\n */\n sweepExpiredSigningSessions(): void {\n const now = Date.now();\n for (const [sessionId, entry] of this.signingSessions.entries()) {\n if (now - entry.createdAt > this.SIGNING_SESSION_TIMEOUT_MS) {\n this.releaseSigningSession(sessionId);\n }\n }\n }\n\n private async createReplacementWorker(): Promise<void> {\n try {\n const worker = this.createSecureWorker();\n\n // Simple health check\n const healthPromise = new Promise<void>((resolve, reject) => {\n const timeout = setTimeout(() => reject(new Error('Health check timeout')), 5000);\n\n const onMessage = (event: MessageEvent) => {\n if (event.data?.type === WorkerControlMessage.WORKER_READY || event.data?.ready) {\n worker.removeEventListener('message', onMessage);\n clearTimeout(timeout);\n resolve();\n }\n };\n\n worker.addEventListener('message', onMessage);\n worker.onerror = () => {\n worker.removeEventListener('message', onMessage);\n clearTimeout(timeout);\n reject(new Error('Worker error during health check'));\n };\n });\n\n await healthPromise;\n\n if (this.workerPool.length < this.MAX_WORKER_POOL_SIZE) {\n this.workerPool.push(worker);\n } else {\n worker.terminate();\n }\n } catch (error: unknown) {\n console.warn('SignerWorkerManager: Failed to create replacement worker:', error);\n }\n }\n\n /**\n * Pre-warm worker pool by creating and initializing workers in advance\n * This reduces latency for the first transaction by having workers ready\n */\n async preWarmWorkerPool(): Promise<void> {\n const promises: Promise<void>[] = [];\n\n for (let i = 0; i < this.MAX_WORKER_POOL_SIZE; i++) {\n promises.push(\n new Promise<void>((resolve, reject) => {\n try {\n const worker = this.createSecureWorker();\n\n // Set up one-time ready handler\n const onReady = (event: MessageEvent) => {\n if (event.data?.type === WorkerControlMessage.WORKER_READY || event.data?.ready) {\n worker.removeEventListener('message', onReady);\n this.terminateAndReplaceWorker(worker);\n resolve();\n }\n };\n\n worker.addEventListener('message', onReady);\n\n // Set up error handler\n worker.onerror = (error) => {\n worker.removeEventListener('message', onReady);\n console.error(`WebAuthnManager: Worker ${i + 1} pre-warm failed:`, error);\n reject(error);\n };\n\n // Timeout after 5 seconds\n setTimeout(() => {\n worker.removeEventListener('message', onReady);\n // Pre-warm timeouts are benign; workers will be created on-demand later.\n // console.debug(`WebAuthnManager: Worker ${i + 1} pre-warm timeout`);\n reject(new Error('Pre-warm timeout'));\n }, 5000);\n\n } catch (error: unknown) {\n console.error(`WebAuthnManager: Failed to create worker ${i + 1}:`, error);\n reject(toError(error));\n }\n })\n );\n }\n\n try {\n await Promise.allSettled(promises);\n } catch (error: unknown) {\n console.warn('WebAuthnManager: Some workers failed to pre-warm:', error);\n }\n }\n\n private async sendMessage<T extends WorkerRequestType>({\n sessionId,\n message,\n onEvent,\n timeoutMs = SIGNER_WORKER_MANAGER_CONFIG.TIMEOUTS.DEFAULT, // 60s\n }: {\n sessionId?: string;\n message: { type: T; payload: WithOptionalSessionId<WorkerRequestTypeMap[T]['request']> };\n onEvent?: (update: onProgressEvents) => void;\n timeoutMs?: number;\n }): Promise<WorkerResponseForRequest<T>> {\n\n // Clean up any expired signing sessions before allocating a worker\n this.sweepExpiredSigningSessions();\n\n const payloadSessionId = (message.payload as any)?.sessionId as string | undefined;\n if (sessionId && payloadSessionId && payloadSessionId !== sessionId) {\n throw new Error(\n `sendMessage: payload.sessionId (${payloadSessionId}) does not match provided sessionId (${sessionId})`\n );\n }\n\n const effectiveSessionId = sessionId || payloadSessionId;\n const sessionEntry = effectiveSessionId ? this.signingSessions.get(effectiveSessionId) : undefined;\n if (effectiveSessionId && !sessionEntry) {\n throw new Error(`Signing session not found for id: ${effectiveSessionId}`);\n }\n\n // Normalize/inject sessionId into payload once to avoid duplication at call sites.\n const finalPayload = effectiveSessionId\n ? withSessionId(effectiveSessionId, message.payload)\n : (message.payload);\n\n const worker = sessionEntry ? sessionEntry.worker : this.getWorkerFromPool();\n const isSessionWorker = !!sessionEntry;\n\n return new Promise((resolve, reject) => {\n const timeoutId = setTimeout(() => {\n try {\n if (isSessionWorker && effectiveSessionId) {\n // Release reserved session to avoid leaking worker/port\n this.releaseSigningSession(effectiveSessionId);\n } else {\n this.terminateAndReplaceWorker(worker);\n }\n } catch {}\n // Notify any open modal host to transition to error state\n try {\n const seconds = Math.round(timeoutMs / 1000);\n window.postMessage({ type: 'MODAL_TIMEOUT', payload: `Timed out after ${seconds}s, try again` }, '*');\n } catch {}\n reject(new Error(`Worker operation timed out after ${timeoutMs}ms`));\n }, timeoutMs);\n\n const responses: WorkerResponseForRequest<T>[] = [];\n\n worker.onmessage = async (event) => {\n try {\n // Ignore control messages (lifecycle/session setup) – they are handled elsewhere.\n if (isSignerWorkerControlMessage(event?.data)) {\n return;\n }\n // Ignore readiness pings that can arrive if a worker was just spawned\n if (event?.data?.type === WorkerControlMessage.WORKER_READY || event?.data?.ready) {\n return; // not a response to an operation\n }\n // Use strong typing from WASM-generated types\n const response = event.data as WorkerResponseForRequest<T>;\n responses.push(response);\n\n // Handle progress updates using WASM-generated numeric enum values\n if (isWorkerProgress(response)) {\n const progressResponse = response as WorkerProgressResponse;\n onEvent?.(progressResponse.payload as onProgressEvents);\n return; // Continue listening for more messages\n }\n\n // Handle errors using WASM-generated enum\n if (isWorkerError(response)) {\n clearTimeout(timeoutId);\n if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n const errorResponse = response as WorkerErrorResponse;\n console.error('Worker error response:', errorResponse);\n reject(new Error(errorResponse.payload.error));\n return;\n }\n\n // Handle successful completion types using strong typing\n if (isWorkerSuccess(response)) {\n clearTimeout(timeoutId);\n if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n resolve(response as WorkerResponseForRequest<T>);\n return;\n }\n\n // If we reach here, the response doesn't match any expected type\n console.error('Unexpected worker response format:', {\n response,\n });\n\n // Check if it's a generic Error object\n if (isObject(response) && 'message' in response && 'stack' in response) {\n clearTimeout(timeoutId);\n if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n console.error('Worker sent generic Error object:', response);\n reject(new Error(`Worker sent generic error: ${(response as Error).message}`));\n return;\n }\n\n // Unknown response format\n clearTimeout(timeoutId);\n if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n reject(new Error(`Unknown worker response format: ${JSON.stringify(response)}`));\n } catch (error: unknown) {\n clearTimeout(timeoutId);\n if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n console.error('Error processing worker message:', error);\n const err = toError(error);\n reject(new Error(`Worker message processing error: ${err.message}`));\n }\n };\n\n worker.onerror = (event) => {\n clearTimeout(timeoutId);\n if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n const errorMessage = event.error?.message || event.message || 'Unknown worker error';\n console.error('Worker error details (progress):', {\n message: errorMessage,\n filename: event.filename,\n lineno: event.lineno,\n colno: event.colno,\n error: event.error\n });\n reject(new Error(`Worker error: ${errorMessage}`));\n };\n\n // Format message for Rust SignerWorkerMessage structure using WASM types\n const formattedMessage = {\n type: message.type, // Numeric enum value from WorkerRequestType\n payload: finalPayload,\n };\n\n worker.postMessage(formattedMessage);\n });\n }\n\n /**\n * Derive NEAR keypair from a serialized WebAuthn registration credential\n */\n async deriveNearKeypairAndEncryptFromSerialized(args: {\n credential: WebAuthnRegistrationCredential;\n nearAccountId: AccountId;\n options?: {\n authenticatorOptions?: AuthenticatorOptions;\n deviceNumber?: number;\n };\n sessionId: string;\n }): Promise<{\n success: boolean;\n nearAccountId: AccountId;\n publicKey: string;\n /**\n * Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key.\n */\n chacha20NonceB64u?: string;\n wrapKeySalt?: string;\n }> {\n return deriveNearKeypairAndEncryptFromSerialized({ ctx: this.getContext(), ...args });\n }\n\n /**\n * Secure private key decryption with dual PRF\n */\n async decryptPrivateKeyWithPrf(args: {\n nearAccountId: AccountId,\n authenticators: ClientAuthenticatorData[],\n sessionId: string,\n }): Promise<{\n decryptedPrivateKey: string;\n nearAccountId: AccountId\n }> {\n return decryptPrivateKeyWithPrf({ ctx: this.getContext(), ...args });\n }\n\n async checkCanRegisterUser(args: {\n vrfChallenge: VRFChallenge,\n credential: WebAuthnRegistrationCredential,\n contractId: string;\n nearRpcUrl: string;\n authenticatorOptions?: AuthenticatorOptions; // Authenticator options for registration check\n onEvent?: (update: onProgressEvents) => void;\n }): Promise<{\n success: boolean;\n verified?: boolean;\n registrationInfo?: unknown;\n logs?: string[];\n signedTransactionBorsh?: number[];\n error?: string;\n }> {\n return checkCanRegisterUser({ ctx: this.getContext(), ...args });\n }\n\n /**\n * Combined Device2 registration: derive NEAR keypair + sign registration transaction\n * in a single operation without requiring a separate authentication prompt.\n *\n * This replaces the old two-step flow (register → authenticate → sign).\n * PRF.second and WrapKeySeed are already in the signer worker via MessagePort.\n */\n async registerDevice2WithDerivedKey(args: {\n sessionId: string;\n nearAccountId: AccountId;\n credential: WebAuthnRegistrationCredential;\n vrfChallenge: VRFChallenge;\n transactionContext: TransactionContext;\n contractId: string;\n wrapKeySalt: string;\n deviceNumber?: number;\n deterministicVrfPublicKey: string;\n }): Promise<{\n success: boolean;\n publicKey: string;\n signedTransaction: any;\n wrapKeySalt: string;\n encryptedData?: string;\n /**\n * Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key.\n */\n chacha20NonceB64u?: string;\n error?: string;\n }> {\n return registerDevice2WithDerivedKey({ ctx: this.getContext(), ...args });\n }\n\n // === ACTION-BASED SIGNING METHODS ===\n\n /**\n * Sign multiple transactions with shared VRF challenge and credential\n * Efficiently processes multiple transactions with one PRF authentication\n */\n async signTransactionsWithActions(args: {\n transactions: TransactionInputWasm[],\n rpcCall: RpcCallPayload,\n onEvent?: (update: onProgressEvents) => void,\n confirmationConfigOverride?: Partial<ConfirmationConfig>,\n title?: string;\n body?: string;\n sessionId: string,\n }): Promise<Array<{\n signedTransaction: SignedTransaction;\n nearAccountId: AccountId;\n logs?: string[]\n }>> {\n return signTransactionsWithActions({\n ctx: this.getContext(),\n ...args\n });\n }\n\n async signDelegateAction(args: {\n delegate: DelegateActionInput;\n rpcCall: RpcCallPayload;\n onEvent?: (update: onProgressEvents) => void;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n title?: string;\n body?: string;\n sessionId: string;\n }): Promise<{\n signedDelegate: WasmSignedDelegate;\n hash: string;\n nearAccountId: AccountId;\n logs?: string[];\n }> {\n return signDelegateAction({ ctx: this.getContext(), ...args });\n }\n\n /**\n * Recover keypair from authentication credential for account recovery\n * Uses dual PRF-based Ed25519 key derivation with account-specific HKDF and AES encryption\n */\n async recoverKeypairFromPasskey(args: {\n credential: WebAuthnAuthenticationCredential;\n accountIdHint?: string;\n sessionId: string,\n }): Promise<{\n publicKey: string;\n encryptedPrivateKey: string;\n /** Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for encrypted key */\n chacha20NonceB64u: string;\n accountIdHint?: string;\n wrapKeySalt: string;\n }> {\n return recoverKeypairFromPasskey({ ctx: this.getContext(), ...args });\n }\n\n /**\n * Extract COSE public key from WebAuthn attestation object\n * Simple operation that doesn't require TouchID or progress updates\n */\n async extractCosePublicKey(attestationObjectBase64url: string): Promise<Uint8Array> {\n return extractCosePublicKey({ ctx: this.getContext(), attestationObjectBase64url });\n }\n\n /**\n * Sign transaction with raw private key (for key replacement in Option D device linking)\n * No TouchID/PRF required - uses provided private key directly\n */\n async signTransactionWithKeyPair(args: {\n nearPrivateKey: string;\n signerAccountId: string;\n receiverId: string;\n nonce: string;\n blockHash: string;\n actions: ActionArgsWasm[];\n }): Promise<{\n signedTransaction: SignedTransaction;\n logs?: string[];\n }> {\n return signTransactionWithKeyPair({ ctx: this.getContext(), ...args });\n }\n\n /**\n * Sign a NEP-413 message using the user's passkey-derived private key\n *\n * @param payload - NEP-413 signing parameters including message, recipient, nonce, and state\n * @returns Promise resolving to signing result with account ID, public key, and signature\n */\n async signNep413Message(payload: {\n message: string;\n recipient: string;\n nonce: string;\n state: string | null;\n accountId: string;\n title?: string;\n body?: string;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n sessionId: string;\n contractId?: string;\n nearRpcUrl?: string;\n }): Promise<{\n success: boolean;\n accountId: string;\n publicKey: string;\n signature: string;\n state?: string;\n error?: string;\n }> {\n return signNep413Message({\n ctx: this.getContext(),\n payload\n });\n }\n\n /**\n * Two-phase export (worker-driven):\n * - Phase 1: collect PRF (uiMode: 'skip')\n * - Decrypt inside worker\n * - Phase 2: show export UI with decrypted key (kept open until user closes)\n */\n async exportNearKeypairUi(args: {\n nearAccountId: AccountId,\n variant?: 'drawer'|'modal',\n theme?: 'dark'|'light',\n sessionId: string,\n }): Promise<void> {\n return exportNearKeypairUi({ ctx: this.getContext(), ...args });\n }\n\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyFA,IAAa,sBAAb,MAAiC;CAE/B,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YACE,kBACA,YACA,wBACA,cACA,cACA,8CAAuD,MACvD,iBACA;AACA,OAAK,YAAYA;AACjB,OAAK,gBAAgB,IAAIC,oCAAc,cAAc;AACrD,OAAK,mBAAmB;AACxB,OAAK,aAAa;AAClB,OAAK,yBAAyB;AAC9B,OAAK,eAAe;AACpB,OAAK,kBAAkB;;CAGzB,oBAAoB,QAAkC;AACpD,OAAK,mBAAmB;;CAG1B,aAAyC;AACvC,SAAO;GACL,aAAa,KAAK,YAAY,KAAK;GACnC,WAAW,KAAK;GAChB,eAAe,KAAK;GACpB,kBAAkB,KAAK;GACvB,YAAY,KAAK;GACjB,wBAAwB,KAAK;GAC7B,cAAc,KAAK;GACnB,cAAc,KAAK,cAAc;GACjC,iBAAiB,KAAK;;;CAI1B,qBAA6B;EAC3B,MAAM,eAAeC,iCACnBC,4CAA6B,OAAO,KACpC;GAAE,QAAQ;GAAU,YAAY,KAAK;;AAEvC,MAAI;GACF,MAAM,SAAS,IAAI,OAAO,cAAc;IACtC,MAAMA,4CAA6B,OAAO;IAC1C,MAAMA,4CAA6B,OAAO;;AAG5C,UAAO,gBAAgB;AACvB,UAAO;WACA,OAAO;GAId,MAAM,MAAM,iBAAiB,QAAQ,MAAM,UAAU,OAAO;AAC5D,SAAM,IAAI,MAAM,mCAAmC;;;;;;;;;;;;;;;CAgBvD,AAAQ,aAAuB;CAC/B,AAAiB,uBAAuB;CAExC,AAAQ,kCAAoD,IAAI;CAChE,AAAiB,6BAA6B,MAAS;CAEvD,AAAQ,oBAA4B;AAClC,MAAI,KAAK,WAAW,SAAS,EAC3B,QAAO,KAAK,WAAW;AAEzB,SAAO,KAAK;;CAGd,AAAQ,0BAA0B,QAAsB;AAEtD,SAAO;AAEP,OAAK;;;;;;;;;;;;;;;;;;;;;CAsBP,MAAM,2BAA2B,WAAmB,MAAmH;AACrK,MAAI,KAAK,gBAAgB,IAAI,WAC3B,OAAM,IAAI,MAAM,0CAA0C;EAG5D,MAAM,SAAS,KAAK;EACpB,IAAI,aAAa,MAAM;EACvB,IAAIC;AACJ,MAAI,CAAC,YAAY;GAIf,MAAM,UAAU,IAAI;AACpB,gBAAa,QAAQ;AACrB,aAAU,QAAQ;;AAIpB,MAAI;AACF,OAAI,CAAC,WACH,OAAM,IAAI,MAAM;AAIlB,SAAMC,2CAAkB,QAAQ,WAAW;AAI3C,QAAK,gBAAgB,IAAI,WAAW;IAClC;IACA,iBAAiB;IACjB,WAAW,KAAK;;WAGX,KAAK;AACZ,WAAQ,MAAM,6EAA6E;AAE3F,OAAI;AAAE,gBAAY;WAAiB;AACnC,OAAI;AAAE,aAAS;WAAiB;AAChC,QAAK,0BAA0B;AAC/B,QAAK,gBAAgB,OAAO;AAC5B,SAAM;;AAER,SAAO;GAAE;GAAQ;GAAY;;;;;;CAM/B,sBAAsB,WAAyB;EAC7C,MAAM,QAAQ,KAAK,gBAAgB,IAAI;AACvC,MAAI,CAAC,MAAO;AACZ,MAAI;AAAE,SAAM,iBAAiB;UAAgB;AAC7C,MAAI;AAAE,QAAK,0BAA0B,MAAM;UAAgB;AAC3D,OAAK,gBAAgB,OAAO;;;;;CAM9B,8BAAoC;EAClC,MAAM,MAAM,KAAK;AACjB,OAAK,MAAM,CAAC,WAAW,UAAU,KAAK,gBAAgB,UACpD,KAAI,MAAM,MAAM,YAAY,KAAK,2BAC/B,MAAK,sBAAsB;;CAKjC,MAAc,0BAAyC;AACrD,MAAI;GACF,MAAM,SAAS,KAAK;GAGpB,MAAM,gBAAgB,IAAI,SAAe,SAAS,WAAW;IAC3D,MAAM,UAAU,iBAAiB,uBAAO,IAAI,MAAM,0BAA0B;IAE5E,MAAM,aAAa,UAAwB;AACzC,SAAI,MAAM,MAAM,SAASC,mDAAqB,gBAAgB,MAAM,MAAM,OAAO;AAC/E,aAAO,oBAAoB,WAAW;AACtC,mBAAa;AACb;;;AAIJ,WAAO,iBAAiB,WAAW;AACnC,WAAO,gBAAgB;AACrB,YAAO,oBAAoB,WAAW;AACtC,kBAAa;AACb,4BAAO,IAAI,MAAM;;;AAIrB,SAAM;AAEN,OAAI,KAAK,WAAW,SAAS,KAAK,qBAChC,MAAK,WAAW,KAAK;OAErB,QAAO;WAEFC,OAAgB;AACvB,WAAQ,KAAK,6DAA6D;;;;;;;CAQ9E,MAAM,oBAAmC;EACvC,MAAMC,WAA4B;AAElC,OAAK,IAAI,IAAI,GAAG,IAAI,KAAK,sBAAsB,IAC7C,UAAS,KACP,IAAI,SAAe,SAAS,WAAW;AACrC,OAAI;IACF,MAAM,SAAS,KAAK;IAGpB,MAAM,WAAW,UAAwB;AACvC,SAAI,MAAM,MAAM,SAASF,mDAAqB,gBAAgB,MAAM,MAAM,OAAO;AAC/E,aAAO,oBAAoB,WAAW;AACtC,WAAK,0BAA0B;AAC/B;;;AAIJ,WAAO,iBAAiB,WAAW;AAGnC,WAAO,WAAW,UAAU;AAC1B,YAAO,oBAAoB,WAAW;AACtC,aAAQ,MAAM,2BAA2B,IAAI,EAAE,oBAAoB;AACnE,YAAO;;AAIT,qBAAiB;AACf,YAAO,oBAAoB,WAAW;AAGtC,4BAAO,IAAI,MAAM;OAChB;YAEIC,OAAgB;AACvB,YAAQ,MAAM,4CAA4C,IAAI,EAAE,IAAI;AACpE,WAAOE,uBAAQ;;;AAMvB,MAAI;AACF,SAAM,QAAQ,WAAW;WAClBF,OAAgB;AACvB,WAAQ,KAAK,qDAAqD;;;CAItE,MAAc,YAAyC,EACrD,WACA,SACA,SACA,YAAYJ,4CAA6B,SAAS,WAMX;AAGvC,OAAK;EAEL,MAAM,mBAAoB,QAAQ,SAAiB;AACnD,MAAI,aAAa,oBAAoB,qBAAqB,UACxD,OAAM,IAAI,MACR,mCAAmC,iBAAiB,uCAAuC,UAAU;EAIzG,MAAM,qBAAqB,aAAa;EACxC,MAAM,eAAe,qBAAqB,KAAK,gBAAgB,IAAI,sBAAsB;AACzF,MAAI,sBAAsB,CAAC,aACzB,OAAM,IAAI,MAAM,qCAAqC;EAIvD,MAAM,eAAe,qBACjBO,8BAAc,oBAAoB,QAAQ,WACzC,QAAQ;EAEb,MAAM,SAAS,eAAe,aAAa,SAAS,KAAK;EACzD,MAAM,kBAAkB,CAAC,CAAC;AAE1B,SAAO,IAAI,SAAS,SAAS,WAAW;GACtC,MAAM,YAAY,iBAAiB;AACjC,QAAI;AACF,SAAI,mBAAmB,mBAErB,MAAK,sBAAsB;SAE3B,MAAK,0BAA0B;YAE3B;AAER,QAAI;KACF,MAAM,UAAU,KAAK,MAAM,YAAY;AACvC,YAAO,YAAY;MAAE,MAAM;MAAiB,SAAS,mBAAmB,QAAQ;QAAiB;YAC3F;AACR,2BAAO,IAAI,MAAM,oCAAoC,UAAU;MAC9D;GAEH,MAAMC,YAA2C;AAEjD,UAAO,YAAY,OAAO,UAAU;AAClC,QAAI;AAEF,SAAIC,qDAA6B,OAAO,MACtC;AAGF,SAAI,OAAO,MAAM,SAASN,mDAAqB,gBAAgB,OAAO,MAAM,MAC1E;KAGF,MAAM,WAAW,MAAM;AACvB,eAAU,KAAK;AAGf,SAAIO,uCAAiB,WAAW;MAC9B,MAAM,mBAAmB;AACzB,gBAAU,iBAAiB;AAC3B;;AAIF,SAAIC,oCAAc,WAAW;AAC3B,mBAAa;AACb,UAAI,CAAC,gBAAiB,MAAK,0BAA0B;MACrD,MAAM,gBAAgB;AACtB,cAAQ,MAAM,0BAA0B;AACxC,aAAO,IAAI,MAAM,cAAc,QAAQ;AACvC;;AAIF,SAAIC,sCAAgB,WAAW;AAC7B,mBAAa;AACb,UAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,cAAQ;AACR;;AAIF,aAAQ,MAAM,sCAAsC,EAClD;AAIF,SAAIC,4BAAS,aAAa,aAAa,YAAY,WAAW,UAAU;AACtE,mBAAa;AACb,UAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,cAAQ,MAAM,qCAAqC;AACnD,6BAAO,IAAI,MAAM,8BAA+B,SAAmB;AACnE;;AAIF,kBAAa;AACb,SAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,4BAAO,IAAI,MAAM,mCAAmC,KAAK,UAAU;aAC5DT,OAAgB;AACvB,kBAAa;AACb,SAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,aAAQ,MAAM,oCAAoC;KAClD,MAAM,MAAME,uBAAQ;AACpB,4BAAO,IAAI,MAAM,oCAAoC,IAAI;;;AAI7D,UAAO,WAAW,UAAU;AAC1B,iBAAa;AACb,QAAI,CAAC,gBAAiB,MAAK,0BAA0B;IACrD,MAAM,eAAe,MAAM,OAAO,WAAW,MAAM,WAAW;AAC9D,YAAQ,MAAM,oCAAoC;KAChD,SAAS;KACT,UAAU,MAAM;KAChB,QAAQ,MAAM;KACd,OAAO,MAAM;KACb,OAAO,MAAM;;AAEf,2BAAO,IAAI,MAAM,iBAAiB;;GAIpC,MAAM,mBAAmB;IACvB,MAAM,QAAQ;IACd,SAAS;;AAGX,UAAO,YAAY;;;;;;CAOvB,MAAM,0CAA0C,MAiB7C;AACD,SAAOQ,4FAA0C;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;CAMhF,MAAM,yBAAyB,MAO5B;AACD,SAAOC,0DAAyB;GAAE,KAAK,KAAK;GAAc,GAAG;;;CAG/D,MAAM,qBAAqB,MAcxB;AACD,SAAOC,kDAAqB;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;;;;CAU3D,MAAM,8BAA8B,MAqBjC;AACD,SAAOC,oEAA8B;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;CASpE,MAAM,4BAA4B,MAY9B;AACF,SAAOC,gEAA4B;GACjC,KAAK,KAAK;GACV,GAAG;;;CAIP,MAAM,mBAAmB,MAatB;AACD,SAAOC,8CAAmB;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;CAOzD,MAAM,0BAA0B,MAW7B;AACD,SAAOC,4DAA0B;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;CAOhE,MAAM,qBAAqB,4BAAyD;AAClF,SAAOC,kDAAqB;GAAE,KAAK,KAAK;GAAc;;;;;;;CAOxD,MAAM,2BAA2B,MAU9B;AACD,SAAOC,8DAA2B;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;;;CASjE,MAAM,kBAAkB,SAmBrB;AACD,SAAOC,4CAAkB;GACvB,KAAK,KAAK;GACV;;;;;;;;;CAUJ,MAAM,oBAAoB,MAKR;AAChB,SAAOC,gDAAoB;GAAE,KAAK,KAAK;GAAc,GAAG"}

package/dist/cjs/react/sdk/src/core/WebAuthnManager/SignerWorkerManager/sessionHandshake.js DELETED Viewed

@@ -1,36 +0,0 @@
-const require_rolldown_runtime = require('../../../../../_virtual/rolldown_runtime.js');
-const require_workerControlMessages = require('../../workerControlMessages.js');
-const require_sessionMessages = require('./sessionMessages.js');
-//#region src/core/WebAuthnManager/SignerWorkerManager/sessionHandshake.ts
-/**
-* Attach a WrapKeySeed MessagePort to the signer worker and wait for acknowledgment.
-* This ensures the port is successfully attached before proceeding.
-*
-* Flow:
-* 1. Register ACK listener (avoids race where worker responds before we listen)
-* 2. Send ATTACH_WRAP_KEY_SEED_PORT message with port transfer
-* 3. Wait for ATTACH_WRAP_KEY_SEED_PORT_OK acknowledgment
-*
-* @param worker - The signer worker to attach the port to
-* @param sessionId - The signing session ID
-* @param signerPort - The MessagePort for receiving WrapKeySeed material
-* @param timeoutMs - How long to wait for ACK (default: 2000ms)
-* @throws Error if attachment fails or times out
-*/
-async function attachSessionPort(worker, sessionId, signerPort, timeoutMs = 2e3) {
-	const waitPromise = require_sessionMessages.waitForWrapKeyPortAttach(worker, sessionId, timeoutMs);
-	worker.postMessage({
-		type: require_workerControlMessages.WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT,
-		sessionId
-	}, [signerPort]);
-	await waitPromise;
-}
-const generateSessionId = () => {
-	return typeof crypto !== "undefined" && typeof crypto.randomUUID === "function" ? crypto.randomUUID() : `sign-session-${Date.now()}-${Math.random().toString(16).slice(2)}`;
-};
-//#endregion
-exports.attachSessionPort = attachSessionPort;
-exports.generateSessionId = generateSessionId;
-//# sourceMappingURL=sessionHandshake.js.map

package/dist/cjs/react/sdk/src/core/WebAuthnManager/SignerWorkerManager/sessionHandshake.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"sessionHandshake.js","names":["waitForWrapKeyPortAttach","WorkerControlMessage"],"sources":["../../../../../../../../src/core/WebAuthnManager/SignerWorkerManager/sessionHandshake.ts"],"sourcesContent":["/**\n * Session Handshake Orchestration for Signer Worker\n *\n * This module provides high-level functions for setting up and validating\n * signing sessions with the signer worker. It orchestrates the complete\n * handshake flow for port attachment so the VRF worker can deliver WrapKeySeed\n * to the signer worker over a session MessagePort.\n */\n\nimport { waitForWrapKeyPortAttach } from './sessionMessages.js';\nimport { computeUiIntentDigestFromTxs, orderActionForDigest } from '../txDigest';\nimport type { NearClient } from '../../NearClient';\nimport type { NonceManager } from '../../nonceManager';\nimport type { TransactionContext } from '../../types/rpc';\nimport type { TransactionInputWasm } from '../../types/actions';\nimport { WorkerControlMessage } from '../../workerControlMessages';\n\ntype VrfSessionKeyDispenser = {\n dispenseSessionKey: (args: { sessionId: string; uses?: number }) => Promise<unknown>;\n};\n\n/**\n * Attach a WrapKeySeed MessagePort to the signer worker and wait for acknowledgment.\n * This ensures the port is successfully attached before proceeding.\n *\n * Flow:\n * 1. Register ACK listener (avoids race where worker responds before we listen)\n * 2. Send ATTACH_WRAP_KEY_SEED_PORT message with port transfer\n * 3. Wait for ATTACH_WRAP_KEY_SEED_PORT_OK acknowledgment\n *\n * @param worker - The signer worker to attach the port to\n * @param sessionId - The signing session ID\n * @param signerPort - The MessagePort for receiving WrapKeySeed material\n * @param timeoutMs - How long to wait for ACK (default: 2000ms)\n * @throws Error if attachment fails or times out\n */\nexport async function attachSessionPort(\n worker: Worker,\n sessionId: string,\n signerPort: MessagePort,\n timeoutMs: number = 2000\n): Promise<void> {\n // Register the ACK listener BEFORE sending the message to avoid race condition\n const waitPromise = waitForWrapKeyPortAttach(worker, sessionId, timeoutMs);\n\n // Send the attach command (transfer the port)\n worker.postMessage(\n { type: WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT, sessionId },\n [signerPort]\n );\n\n // Wait for the worker to acknowledge successful attachment\n await waitPromise;\n}\n\nexport const generateSessionId = (): string => {\n return (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function')\n ? crypto.randomUUID()\n : `sign-session-${Date.now()}-${Math.random().toString(16).slice(2)}`\n}\n\nexport function isWarmSessionUnavailableError(err: unknown): boolean {\n const msg = err instanceof Error ? err.message : String(err);\n return (\n msg.includes('SESSION_NOT_FOUND') ||\n msg.includes('SESSION_EXPIRED') ||\n msg.includes('SESSION_EXHAUSTED')\n );\n}\n\nfunction releaseNoncesBestEffort(nonceManager: NonceManager, nonces: string[]): void {\n for (const n of nonces) {\n try { nonceManager.releaseNonce(n); } catch {}\n }\n}\n\n/**\n * Warm signing helper for transaction-like operations.\n *\n * - Computes canonical `intentDigest` for UI/signer validation\n * - Reserves nonces for `txCount` to avoid collisions\n * - Attempts VRF session key dispense (WrapKeySeed + wrapKeySalt) without prompting\n *\n * Returns null when the VRF session is missing/expired/exhausted so callers can\n * fall back to full confirmTxFlow.\n */\nexport async function tryPrepareWarmSigningContext(args: {\n nearClient: NearClient;\n nonceManager: NonceManager;\n txInputsForDigest: TransactionInputWasm[];\n sessionId: string;\n vrfWorkerManager: VrfSessionKeyDispenser;\n nonceCount?: number;\n uses?: number;\n}): Promise<{ intentDigest: string; transactionContext: TransactionContext } | null> {\n const baseCtx = await args.nonceManager.getNonceBlockHashAndHeight(args.nearClient);\n const txCount = Math.max(1, args.nonceCount ?? args.txInputsForDigest.length ?? 1);\n const reservedNonces = args.nonceManager.reserveNonces(txCount);\n\n let keepReservations = false;\n try {\n const transactionContext: TransactionContext = {\n ...baseCtx,\n nextNonce: reservedNonces[0] ?? baseCtx.nextNonce,\n };\n\n const intentDigest = await computeUiIntentDigestFromTxs(\n args.txInputsForDigest.map(tx => ({\n receiverId: tx.receiverId,\n actions: tx.actions.map(orderActionForDigest),\n })) as TransactionInputWasm[]\n );\n\n const uses = Math.max(1, args.uses ?? txCount);\n try {\n await args.vrfWorkerManager.dispenseSessionKey({ sessionId: args.sessionId, uses });\n } catch (err) {\n if (isWarmSessionUnavailableError(err)) {\n return null;\n }\n throw err;\n }\n\n keepReservations = true;\n return { intentDigest, transactionContext };\n } finally {\n if (!keepReservations) {\n releaseNoncesBestEffort(args.nonceManager, reservedNonces);\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAoCA,eAAsB,kBACpB,QACA,WACA,YACA,YAAoB,KACL;CAEf,MAAM,cAAcA,iDAAyB,QAAQ,WAAW;AAGhE,QAAO,YACL;EAAE,MAAMC,mDAAqB;EAA2B;IACxD,CAAC;AAIH,OAAM;;AAGR,MAAa,0BAAkC;AAC7C,QAAQ,OAAO,WAAW,eAAe,OAAO,OAAO,eAAe,aAClE,OAAO,eACP,gBAAgB,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM"}

package/dist/cjs/react/sdk/src/core/WebAuthnManager/SignerWorkerManager/sessionMessages.js DELETED Viewed

@@ -1,83 +0,0 @@
-const require_rolldown_runtime = require('../../../../../_virtual/rolldown_runtime.js');
-const require_workerControlMessages = require('../../workerControlMessages.js');
-//#region src/core/WebAuthnManager/SignerWorkerManager/sessionMessages.ts
-/**
-* Type guard to check if a message is a control message.
-*/
-function isSignerWorkerControlMessage(msg) {
-	if (!isObject(msg) || typeof msg.type !== "string") return false;
-	const type = msg.type;
-	return type === require_workerControlMessages.WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK || type === require_workerControlMessages.WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR || type === require_workerControlMessages.WorkerControlMessage.WORKER_READY;
-}
-function isObject(value) {
-	return typeof value === "object" && value !== null;
-}
-/**
-* Generic helper for waiting on session messages from a worker.
-* Registers a listener, sends no message (caller handles that), and waits for a matching response.
-*
-* @param worker - The worker to listen to
-* @param options - Configuration for what to wait for
-* @returns Promise that resolves when the expected message arrives, rejects on timeout or error
-*/
-function waitForSessionMessage(worker, options) {
-	const { successType, errorType, sessionId, timeoutMs = 2e3, validator } = options;
-	const successTypes = Array.isArray(successType) ? successType : [successType];
-	return new Promise((resolve, reject) => {
-		const timeout = setTimeout(() => {
-			cleanup();
-			reject(/* @__PURE__ */ new Error(`Timeout waiting for session message (${successTypes.join("|")})${sessionId ? ` for session ${sessionId}` : ""}`));
-		}, timeoutMs);
-		const messageHandler = (event) => {
-			const msg = event.data;
-			if (!msg || typeof msg.type !== "string") return;
-			if (sessionId && msg.sessionId !== sessionId) return;
-			if (errorType && msg.type === errorType) {
-				cleanup();
-				const error = msg.error || "Unknown error";
-				reject(/* @__PURE__ */ new Error(`Session message error: ${error}`));
-				return;
-			}
-			if (successTypes.includes(msg.type)) {
-				if (validator) try {
-					const shouldResolve = validator(msg);
-					if (!shouldResolve) return;
-				} catch (err) {
-					cleanup();
-					reject(err);
-					return;
-				}
-				cleanup();
-				resolve();
-			}
-		};
-		const cleanup = () => {
-			clearTimeout(timeout);
-			worker.removeEventListener("message", messageHandler);
-		};
-		worker.addEventListener("message", messageHandler);
-	});
-}
-/**
-* Wait for the worker to acknowledge successful attachment of the WrapKeySeed port.
-* This provides early detection of attach failures instead of only seeing late WASM errors.
-*
-* @param worker - The worker that should send the ACK
-* @param sessionId - The session ID to match
-* @param timeoutMs - How long to wait before rejecting (default: 2000ms)
-* @returns Promise that resolves on success ACK, rejects on error or timeout
-*/
-function waitForWrapKeyPortAttach(worker, sessionId, timeoutMs = 2e3) {
-	return waitForSessionMessage(worker, {
-		successType: require_workerControlMessages.WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK,
-		errorType: require_workerControlMessages.WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR,
-		sessionId,
-		timeoutMs
-	});
-}
-//#endregion
-exports.isSignerWorkerControlMessage = isSignerWorkerControlMessage;
-exports.waitForWrapKeyPortAttach = waitForWrapKeyPortAttach;
-//# sourceMappingURL=sessionMessages.js.map