npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/cjs/react/sdk/src/core/WebAuthnManager/index.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"index.js","names":["TouchIdPrompt","UserPreferencesInstance","NonceManagerInstance","VrfWorkerManager","IndexedDBManager","SignerWorkerManager","resolveWorkerBaseOrigin","__isWalletIframeHostMode","toAccountId","error: any","result: {\n success: boolean;\n vrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n vrfChallenge: VRFChallenge | null;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair | null;\n }","getLastLoggedInDeviceNumber","deviceNumberToUse: number | null","credentialId: string","attestationB64u: string","transports: string[]","normalizedRpcCall: RpcCallPayload"],"sources":["../../../../../../../src/core/WebAuthnManager/index.ts"],"sourcesContent":["import {\n IndexedDBManager,\n type ClientUserData,\n type ClientAuthenticatorData,\n type UnifiedIndexedDBManager,\n} from '../IndexedDBManager';\nimport { StoreUserDataInput } from '../IndexedDBManager/passkeyClientDB';\nimport { type NearClient, SignedTransaction } from '../NearClient';\nimport { SignerWorkerManager } from './SignerWorkerManager';\nimport { VrfWorkerManager } from './VrfWorkerManager';\nimport { AllowCredential, TouchIdPrompt, authenticatorsToAllowCredentials } from './touchIdPrompt';\nimport { toAccountId } from '../types/accountIds';\nimport { UserPreferencesManager } from './userPreferences';\nimport UserPreferencesInstance from './userPreferences';\nimport { NonceManager } from '../nonceManager';\nimport NonceManagerInstance from '../nonceManager';\nimport {\n EncryptedVRFKeypair,\n ServerEncryptedVrfKeypair,\n VRFInputData,\n VRFChallenge\n} from '../types/vrf-worker';\nimport type { ActionArgsWasm, TransactionInputWasm } from '../types/actions';\nimport type { RegistrationHooksOptions, RegistrationSSEEvent, onProgressEvents } from '../types/sdkSentEvents';\nimport type { SignTransactionResult, TatchiConfigs } from '../types/tatchi';\nimport type { AccountId } from '../types/accountIds';\nimport type { AuthenticatorOptions } from '../types/authenticatorOptions';\nimport type { DelegateActionInput } from '../types/delegate';\nimport type { ConfirmationConfig, RpcCallPayload, WasmSignedDelegate } from '../types/signer-worker';\nimport { WebAuthnRegistrationCredential, WebAuthnAuthenticationCredential } from '../types';\nimport { RegistrationCredentialConfirmationPayload } from './SignerWorkerManager/handlers/validation';\nimport { resolveWorkerBaseOrigin, onEmbeddedBaseChange } from '../sdkPaths';\nimport { DEFAULT_WAIT_STATUS } from '../types/rpc';\nimport { getLastLoggedInDeviceNumber } from './SignerWorkerManager/getDeviceNumber';\nimport { __isWalletIframeHostMode } from '../WalletIframe/host-mode';\n\ntype SigningSessionOptions = {\n /** PRF-bearing credential; VRF worker extracts PRF outputs internally */\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n};\n\n/**\n * WebAuthnManager - Main orchestrator for WebAuthn operations\n *\n * Architecture:\n * - index.ts (this file): Main class orchestrating everything\n * - signerWorkerManager: NEAR transaction signing, and VRF Web3Authn verification RPC calls\n * - vrfWorkerManager: VRF keypair generation, challenge generation\n * - touchIdPrompt: TouchID prompt for biometric authentication\n */\nexport class WebAuthnManager {\n private readonly vrfWorkerManager: VrfWorkerManager;\n private readonly signerWorkerManager: SignerWorkerManager;\n private readonly touchIdPrompt: TouchIdPrompt;\n private readonly userPreferencesManager: UserPreferencesManager;\n private readonly nearClient: NearClient;\n private readonly nonceManager: NonceManager;\n private workerBaseOrigin: string = '';\n // VRF-owned signing session id per account (warm session reuse).\n private activeSigningSessionIds: Map<string, string> = new Map();\n\n readonly tatchiPasskeyConfigs: TatchiConfigs;\n\n constructor(tatchiPasskeyConfigs: TatchiConfigs, nearClient: NearClient) {\n this.tatchiPasskeyConfigs = tatchiPasskeyConfigs;\n this.nearClient = nearClient;\n // Respect rpIdOverride. Safari get() bridge fallback is always enabled.\n this.touchIdPrompt = new TouchIdPrompt(\n tatchiPasskeyConfigs.iframeWallet?.rpIdOverride,\n true,\n );\n this.userPreferencesManager = UserPreferencesInstance;\n // Apply integrator-provided default UI theme (in-memory only; user preferences may override later).\n try {\n this.userPreferencesManager.configureWalletTheme?.(tatchiPasskeyConfigs.walletTheme);\n } catch { }\n this.nonceManager = NonceManagerInstance;\n const { vrfWorkerConfigs } = tatchiPasskeyConfigs;\n // Group VRF worker configuration and pass context\n this.vrfWorkerManager = new VrfWorkerManager(\n {\n shamirPB64u: vrfWorkerConfigs?.shamir3pass?.p,\n relayServerUrl: vrfWorkerConfigs?.shamir3pass?.relayServerUrl,\n applyServerLockRoute: vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute,\n removeServerLockRoute: vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute,\n },\n {\n touchIdPrompt: this.touchIdPrompt,\n nearClient: this.nearClient,\n indexedDB: IndexedDBManager,\n userPreferencesManager: this.userPreferencesManager,\n nonceManager: this.nonceManager,\n rpIdOverride: this.touchIdPrompt.getRpId(),\n nearExplorerUrl: tatchiPasskeyConfigs.nearExplorerUrl,\n }\n );\n this.signerWorkerManager = new SignerWorkerManager(\n this.vrfWorkerManager,\n nearClient,\n this.userPreferencesManager,\n this.nonceManager,\n tatchiPasskeyConfigs.iframeWallet?.rpIdOverride,\n true,\n tatchiPasskeyConfigs.nearExplorerUrl,\n );\n // VRF worker initializes on-demand with proper error propagation\n\n // Compute initial worker base origin once\n this.workerBaseOrigin = resolveWorkerBaseOrigin() || (typeof window !== 'undefined' ? window.location.origin : '');\n this.signerWorkerManager.setWorkerBaseOrigin(this.workerBaseOrigin);\n this.vrfWorkerManager.setWorkerBaseOrigin?.(this.workerBaseOrigin as any);\n\n // Keep base origin updated if the wallet sets a new embedded base\n if (typeof window !== 'undefined') {\n onEmbeddedBaseChange((url) => {\n const origin = new URL(url, window.location.origin).origin;\n if (origin && origin !== this.workerBaseOrigin) {\n this.workerBaseOrigin = origin;\n this.signerWorkerManager.setWorkerBaseOrigin(origin);\n this.vrfWorkerManager.setWorkerBaseOrigin?.(origin as any);\n }\n });\n }\n\n // Best-effort: load persisted preferences unless we are in app-origin iframe mode,\n // where the wallet origin owns persistence and the app should avoid IndexedDB.\n const shouldAvoidAppOriginIndexedDB =\n !!tatchiPasskeyConfigs.iframeWallet?.walletOrigin && !__isWalletIframeHostMode();\n if (!shouldAvoidAppOriginIndexedDB) {\n void this.userPreferencesManager.initFromIndexedDB().catch(() => undefined);\n }\n }\n\n /**\n * Public pre-warm hook to initialize signer workers ahead of time.\n * Safe to call multiple times; errors are non-fatal.\n */\n prewarmSignerWorkers(): void {\n if (typeof window === 'undefined' || typeof (window as any).Worker === 'undefined') return;\n // Avoid noisy SecurityError in cross‑origin dev: only prewarm when same‑origin\n if (this.workerBaseOrigin && this.workerBaseOrigin !== window.location.origin) return;\n this.signerWorkerManager.preWarmWorkerPool().catch(() => { });\n }\n\n /**\n * Warm critical resources to reduce first-action latency.\n * - Initialize current user (sets up NonceManager and local state)\n * - Prefetch latest block context (and nonce if missing)\n * - Pre-open IndexedDB and warm encrypted key for the active account (best-effort)\n * - Pre-warm signer workers in the background\n */\n async warmCriticalResources(nearAccountId?: string): Promise<void> {\n // Initialize current user first (best-effort)\n if (nearAccountId) {\n await this.initializeCurrentUser(toAccountId(nearAccountId), this.nearClient).catch(() => null);\n }\n // Prefetch latest block/nonce context (best-effort)\n await this.nonceManager.prefetchBlockheight(this.nearClient).catch(() => null);\n // Best-effort: open IndexedDB and warm key data for the account\n if (nearAccountId) {\n await IndexedDBManager.getUserWithKeys(toAccountId(nearAccountId)).catch(() => null);\n }\n // Warm signer workers in background\n this.prewarmSignerWorkers();\n }\n\n /**\n * Resolve the effective rpId used for WebAuthn operations.\n * Delegates to TouchIdPrompt to centralize rpId selection logic.\n */\n getRpId(): string {\n return this.touchIdPrompt.getRpId();\n }\n\n /** Getter for NonceManager instance */\n getNonceManager(): NonceManager {\n return this.nonceManager;\n }\n\n /**\n * WebAuthnManager-level orchestrator for VRF-owned signing sessions.\n * Creates sessionId, wires MessagePort between VRF and signer workers, and ensures cleanup.\n *\n * Overload 1: plain signing session (no WrapKeySeed derivation).\n * Overload 2: signing session with WrapKeySeed derivation, when `SigningSessionOptions`\n * (PRF.first_auth) are provided. wrapKeySalt is generated inside the VRF worker\n * when a new vault entry is being created.\n */\n private generateSessionId(prefix: string): string {\n return (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function')\n ? crypto.randomUUID()\n : `${prefix}-${Date.now()}-${Math.random().toString(16).slice(2)}`;\n }\n\n private toNonNegativeInt(value: unknown): number | undefined {\n if (typeof value !== 'number' || !Number.isFinite(value) || value < 0) return undefined;\n return Math.floor(value);\n }\n\n private resolveSigningSessionPolicy(args: {\n ttlMs?: number;\n remainingUses?: number;\n }): {\n ttlMs: number;\n remainingUses: number;\n } {\n const ttlMs = this.toNonNegativeInt(args.ttlMs)\n ?? this.tatchiPasskeyConfigs.signingSessionDefaults.ttlMs;\n const remainingUses = this.toNonNegativeInt(args.remainingUses)\n ?? this.tatchiPasskeyConfigs.signingSessionDefaults.remainingUses;\n return { ttlMs, remainingUses };\n }\n\n private getOrCreateActiveSigningSessionId(nearAccountId: AccountId): string {\n const key = String(toAccountId(nearAccountId));\n const existing = this.activeSigningSessionIds.get(key);\n if (existing) return existing;\n const sessionId = this.generateSessionId('signing-session');\n this.activeSigningSessionIds.set(key, sessionId);\n return sessionId;\n }\n\n private async withSigningSession<T>(args: {\n sessionId?: string;\n prefix?: string;\n options?: SigningSessionOptions;\n handler: (sessionId: string) => Promise<T>;\n }): Promise<T> {\n if (typeof args.handler !== 'function') {\n throw new Error('withSigningSession requires a handler function');\n }\n const sessionId = (args.sessionId || '').trim() || (args.prefix ? this.generateSessionId(args.prefix) : '');\n if (!sessionId) {\n throw new Error('withSigningSession requires a sessionId or prefix');\n }\n return await this.withSigningSessionInternal({ sessionId, options: args.options, handler: args.handler });\n }\n\n private async withSigningSessionInternal<T>(args: {\n sessionId: string;\n options?: SigningSessionOptions;\n handler: (sessionId: string) => Promise<T>;\n }): Promise<T> {\n const signerPort = await this.vrfWorkerManager.createSigningSessionChannel(args.sessionId);\n await this.signerWorkerManager.reserveSignerWorkerSession(args.sessionId, { signerPort });\n try {\n // If PRF is provided, derive WrapKeySeed in VRF worker and deliver it\n // (along with PRF.second if credential is provided) to the signer worker\n // via the reserved MessagePort before invoking the handler.\n if (args.options) {\n await this.vrfWorkerManager.mintSessionKeysAndSendToSigner({\n sessionId: args.sessionId,\n credential: args.options.credential,\n });\n }\n return await args.handler(args.sessionId);\n } finally {\n this.signerWorkerManager.releaseSigningSession(args.sessionId);\n }\n }\n\n /**\n * VRF-driven registration confirmation helper.\n * Runs confirmTxFlow and returns registration artifacts.\n *\n * SecureConfirm wrapper for link-device / registration: prompts user in-iframe to create a\n * new passkey (device N), returning artifacts for subsequent derivation.\n */\n async requestRegistrationCredentialConfirmation(params: {\n nearAccountId: string;\n deviceNumber: number;\n confirmerText?: { title?: string; body?: string };\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n }): Promise<RegistrationCredentialConfirmationPayload> {\n return this.vrfWorkerManager.requestRegistrationCredentialConfirmation({\n nearAccountId: params.nearAccountId,\n deviceNumber: params.deviceNumber,\n confirmerText: params.confirmerText,\n confirmationConfigOverride: params.confirmationConfigOverride,\n contractId: this.tatchiPasskeyConfigs.contractId,\n nearRpcUrl: this.tatchiPasskeyConfigs.nearRpcUrl,\n });\n }\n\n /**\n * Helper for export/decrypt flows:\n * - Read vault wrapKeySalt\n * - Ask VRF worker to run LocalOnly(DECRYPT_PRIVATE_KEY_WITH_PRF) + derive WrapKeySeed\n * - WrapKeySeed travels only over the VRF→Signer MessagePort\n */\n private async confirmDecryptAndDeriveWrapKeySeed(args: {\n nearAccountId: AccountId;\n sessionId: string;\n }): Promise<void> {\n const nearAccountId = toAccountId(args.nearAccountId);\n // Resolve deviceNumber consistently with signer paths so both VRF and signer\n // operate on the same vault entry. Prefer the last logged-in device for this\n // account; if unavailable, fall back to the most recently updated user row.\n const [last, latest] = await Promise.all([\n IndexedDBManager.clientDB.getLastUser().catch(() => null),\n IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId).catch(() => null)\n ]);\n\n const deviceNumber =\n (last && last.nearAccountId === nearAccountId && typeof last.deviceNumber === 'number')\n ? last.deviceNumber\n : (latest && typeof latest.deviceNumber === 'number')\n ? latest.deviceNumber\n : null;\n\n if (deviceNumber === null) {\n throw new Error(`No deviceNumber found for account ${nearAccountId} (decrypt session)`);\n }\n\n // Load VRF material for this device so the VRF worker can unlock the correct\n // VRF keypair in a fresh/offline worker instance.\n const userForDevice = await IndexedDBManager.clientDB.getUserByDevice(nearAccountId, deviceNumber).catch(() => null);\n const encryptedVrfKeypair = userForDevice?.encryptedVrfKeypair;\n\n // Gather encrypted key + wrapKeySalt and public key from IndexedDB for this device\n const encryptedKeyData = await IndexedDBManager.nearKeysDB.getEncryptedKey(nearAccountId, deviceNumber);\n if (!encryptedKeyData) {\n console.error('WebAuthnManager: No encrypted key found for decrypt session', {\n nearAccountId: String(nearAccountId),\n deviceNumber,\n });\n throw new Error(`No encrypted key found for account: ${nearAccountId}`);\n }\n // For v2+ vaults, wrapKeySalt is the canonical salt.\n const wrapKeySalt = encryptedKeyData.wrapKeySalt || '';\n if (!wrapKeySalt) {\n console.error('WebAuthnManager: Missing wrapKeySalt in vault for decrypt session', {\n nearAccountId: String(nearAccountId),\n deviceNumber,\n });\n throw new Error('Missing wrapKeySalt in vault; re-register to upgrade vault format.');\n }\n\n try {\n await this.vrfWorkerManager.prepareDecryptSession({\n sessionId: args.sessionId,\n nearAccountId,\n wrapKeySalt,\n encryptedVrfKeypair,\n });\n } catch (error) {\n console.error('WebAuthnManager: VRF decrypt session failed', {\n nearAccountId: String(nearAccountId),\n sessionId: args.sessionId,\n error,\n });\n throw error;\n }\n }\n\n getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge,\n allowCredentials\n }: {\n nearAccountId: AccountId;\n challenge: VRFChallenge;\n allowCredentials: AllowCredential[];\n }): Promise<WebAuthnAuthenticationCredential> {\n return this.touchIdPrompt.getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge,\n allowCredentials\n });\n }\n\n ///////////////////////////////////////\n // VRF MANAGER FUNCTIONS\n ///////////////////////////////////////\n\n /**\n * Generate a VRF challenge bound to a specific signing/confirm session.\n * The challenge will be cached in the VRF worker under this sessionId so\n * later contract verification (MINT_SESSION_KEYS_AND_SEND_TO_SIGNER) can look it up.\n */\n async generateVrfChallengeForSession(\n sessionId: string,\n vrfInputData: VRFInputData,\n ): Promise<VRFChallenge> {\n return this.vrfWorkerManager.generateVrfChallengeForSession(vrfInputData, sessionId);\n }\n\n /**\n * Generate a one-off VRF challenge without caching it in the VRF worker.\n * Use this for flows that don't perform contract verification or derive\n * wrap keys via MINT_SESSION_KEYS_AND_SEND_TO_SIGNER.\n */\n async generateVrfChallengeOnce(vrfInputData: VRFInputData): Promise<VRFChallenge> {\n return this.vrfWorkerManager.generateVrfChallengeOnce(vrfInputData);\n }\n\n /**\n * Generate VRF keypair for bootstrapping - stores in memory unencrypted temporarily\n * This is used during registration to generate a VRF keypair that will be used for\n * WebAuthn ceremony and later encrypted with the real PRF output\n *\n * @param saveInMemory - Whether to persist the generated VRF keypair in WASM worker memory\n * @param vrfInputParams - Optional parameters to generate VRF challenge/proof in same call\n * @returns VRF public key and optionally VRF challenge data\n */\n async generateVrfKeypairBootstrap(args: {\n saveInMemory: boolean;\n vrfInputData: VRFInputData;\n sessionId?: string;\n }): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge;\n }> {\n return this.vrfWorkerManager.generateVrfKeypairBootstrap({\n vrfInputData: args.vrfInputData,\n saveInMemory: args.saveInMemory,\n sessionId: args.sessionId,\n });\n }\n\n /**\n * Derive NEAR keypair directly from a serialized WebAuthn registration credential\n */\n async deriveNearKeypairAndEncryptFromSerialized({\n credential,\n nearAccountId,\n options,\n }: {\n credential: WebAuthnRegistrationCredential;\n nearAccountId: string;\n options?: {\n authenticatorOptions?: AuthenticatorOptions;\n deviceNumber?: number;\n };\n }): Promise<{\n success: boolean;\n nearAccountId: string;\n publicKey: string;\n chacha20NonceB64u?: string;\n wrapKeySalt?: string;\n error?: string;\n }> {\n return this.withSigningSession({\n prefix: 'reg',\n options: { credential },\n handler: (sessionId) =>\n this.signerWorkerManager.deriveNearKeypairAndEncryptFromSerialized({\n credential,\n nearAccountId: toAccountId(nearAccountId),\n options,\n sessionId,\n }),\n });\n }\n\n\n /**\n * **Sign Device2 registration transaction with already-stored key (no prompt)**\n *\n * Used by linkDevice flow after key swap to sign the registration transaction\n * without prompting the user again. Reuses the credential collected earlier.\n *\n * Flow:\n * 1. Extract PRF.first from the provided credential\n * 2. Create new MessagePort session for WrapKeySeed delivery\n * 3. VRF worker re-derives WrapKeySeed and sends to signer (with PRF.second)\n * 4. Signer worker retrieves encrypted key from IndexedDB\n * 5. Signer worker decrypts key and signs registration transaction\n *\n * @param nearAccountId - NEAR account ID for Device2\n * @param credential - WebAuthn registration credential from earlier prompt\n * @param vrfChallenge - VRF challenge from earlier prompt\n * @param deviceNumber - Device number for Device2\n * @returns Signed registration transaction ready for submission\n */\n async signDevice2RegistrationWithStoredKey(args: {\n nearAccountId: AccountId;\n credential: WebAuthnRegistrationCredential;\n vrfChallenge: VRFChallenge;\n deviceNumber: number;\n deterministicVrfPublicKey: string;\n }): Promise<{\n success: boolean;\n publicKey?: string;\n signedTransaction?: any;\n error?: string;\n }> {\n const { nearAccountId, credential, vrfChallenge, deviceNumber, deterministicVrfPublicKey } = args;\n const contractId = this.tatchiPasskeyConfigs.contractId;\n\n try {\n // Generate new session ID for this signing operation\n const sessionId = `device2-sign-${Date.now()}-${Math.random().toString(36).slice(2, 11)}`;\n\n // Retrieve encrypted key data and wrapKeySalt from IndexedDB\n const encryptedKeyData = await IndexedDBManager.nearKeysDB.getEncryptedKey(\n nearAccountId,\n deviceNumber\n );\n if (!encryptedKeyData) {\n throw new Error(`No encrypted key found for account ${nearAccountId} device ${deviceNumber}`);\n }\n\n const wrapKeySalt = encryptedKeyData.wrapKeySalt;\n if (!wrapKeySalt) {\n throw new Error(`Missing wrapKeySalt for account ${nearAccountId} device ${deviceNumber}`);\n }\n\n // === STEP 1: Create MessagePort session for WrapKeySeed delivery ===\n const signerPort = await this.vrfWorkerManager.createSigningSessionChannel(sessionId);\n await this.signerWorkerManager.reserveSignerWorkerSession(sessionId, { signerPort });\n\n // === STEP 2: VRF worker re-derives WrapKeySeed and sends to signer ===\n // This extracts PRF.second from the credential and delivers both WrapKeySeed + PRF.second\n // to the signer worker via MessagePort\n await this.vrfWorkerManager.mintSessionKeysAndSendToSigner({\n sessionId,\n wrapKeySalt,\n credential, // VRF will extract PRF.second from this\n });\n\n // === STEP 4: Get transaction context for registration ===\n const transactionContext = await this.nonceManager.getNonceBlockHashAndHeight(this.nearClient);\n\n // === STEP 5: Determine deterministic VRF public key ===\n // Try: provided parameter → authenticator table → fallback to ephemeral VRF from challenge\n let vrfPublicKey = deterministicVrfPublicKey;\n // Fallback to ephemeral VRF public key from challenge if still not found\n const finalVrfPublicKey = vrfPublicKey || vrfChallenge.vrfPublicKey;\n\n // === STEP 6: Signer worker signs registration transaction ===\n // WrapKeySeed and PRF.second are already in signer worker via MessagePort\n const signerResult = await this.signerWorkerManager.registerDevice2WithDerivedKey({\n sessionId,\n nearAccountId,\n credential,\n vrfChallenge,\n transactionContext,\n contractId,\n wrapKeySalt,\n deviceNumber,\n deterministicVrfPublicKey: finalVrfPublicKey,\n });\n\n return {\n success: true,\n publicKey: signerResult.publicKey,\n signedTransaction: signerResult.signedTransaction,\n };\n\n } catch (error: any) {\n console.error('[WebAuthnManager] Failed to sign Device2 registration with stored key:', error);\n return {\n success: false,\n error: error.message || String(error),\n };\n }\n }\n\n /**\n * Derive deterministic VRF keypair from PRF output for recovery\n * Optionally generates VRF challenge if input parameters are provided\n * This enables deterministic VRF key derivation from WebAuthn credentials\n *\n * @param credential - WebAuthn credential containing PRF outputs\n * @param nearAccountId - NEAR account ID for key derivation salt\n * @param vrfInputParams - Optional VRF inputs, if provided will generate a challenge\n * @param saveInMemory - Whether to save the derived VRF keypair in worker memory for immediate use\n * @returns Deterministic VRF public key, optional VRF challenge, and encrypted VRF keypair for storage\n */\n async deriveVrfKeypair({\n credential,\n nearAccountId,\n vrfInputData,\n saveInMemory = true,\n }: {\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n nearAccountId: AccountId;\n vrfInputData?: VRFInputData; // optional, for challenge generation\n saveInMemory?: boolean; // optional, whether to save in worker memory\n }): Promise<{\n success: boolean;\n vrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n vrfChallenge: VRFChallenge | null;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair | null;\n }> {\n try {\n const vrfResult = await this.vrfWorkerManager.deriveVrfKeypairFromPrf({\n credential,\n nearAccountId,\n vrfInputData,\n saveInMemory,\n });\n\n const result: {\n success: boolean;\n vrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n vrfChallenge: VRFChallenge | null;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair | null;\n } = {\n success: true,\n vrfPublicKey: vrfResult.vrfPublicKey,\n encryptedVrfKeypair: vrfResult.encryptedVrfKeypair,\n vrfChallenge: vrfResult.vrfChallenge,\n serverEncryptedVrfKeypair: vrfResult.serverEncryptedVrfKeypair,\n };\n\n return result;\n\n } catch (error: any) {\n console.error('WebAuthnManager: VRF keypair derivation error:', error);\n throw new Error(`VRF keypair derivation failed ${error.message}`);\n }\n }\n\n /**\n * Unlock VRF keypair in memory using PRF output\n * This is called during login to decrypt and load the VRF keypair in-memory\n */\n async unlockVRFKeypair({\n nearAccountId,\n encryptedVrfKeypair,\n credential,\n }: {\n nearAccountId: AccountId;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n credential: WebAuthnAuthenticationCredential;\n }): Promise<{ success: boolean; error?: string }> {\n try {\n const unlockResult = await this.vrfWorkerManager.unlockVrfKeypair({\n credential,\n nearAccountId,\n encryptedVrfKeypair,\n });\n\n if (!unlockResult.success) {\n console.error('WebAuthnManager: VRF keypair unlock failed');\n return { success: false, error: 'VRF keypair unlock failed' };\n }\n\n // Warm up signer workers after a successful unlock to minimize first-use latency\n this.signerWorkerManager.preWarmWorkerPool().catch(() => { });\n\n return { success: true };\n\n } catch (error: any) {\n console.error('WebAuthnManager: VRF keypair unlock failed:', error.message);\n return { success: false, error: error.message };\n }\n }\n\n /**\n * Perform Shamir 3-pass commutative decryption within WASM worker\n * This securely decrypts a server-encrypted KEK (key encryption key)\n * which the wasm worker uses to unlock a key to decrypt the VRF keypair and loads it into memory\n * The server never knows the real value of the KEK, nor the VRF keypair\n */\n async shamir3PassDecryptVrfKeypair({\n nearAccountId,\n kek_s_b64u,\n ciphertextVrfB64u,\n serverKeyId,\n }: {\n nearAccountId: AccountId;\n kek_s_b64u: string;\n ciphertextVrfB64u: string;\n serverKeyId: string;\n }): Promise<{ success: boolean; error?: string }> {\n const result = await this.vrfWorkerManager.shamir3PassDecryptVrfKeypair({\n nearAccountId,\n kek_s_b64u,\n ciphertextVrfB64u,\n serverKeyId,\n });\n\n return {\n success: result.success,\n error: result.error\n };\n }\n\n /**\n * Shamir 3-pass: encrypt the unlocked VRF keypair under the server key\n * Returns a fresh blob to store in IndexedDB for future auto-login.\n */\n async shamir3PassEncryptCurrentVrfKeypair(): Promise<ServerEncryptedVrfKeypair> {\n const res = await this.vrfWorkerManager.shamir3PassEncryptCurrentVrfKeypair();\n return {\n ciphertextVrfB64u: res.ciphertextVrfB64u,\n kek_s_b64u: res.kek_s_b64u,\n serverKeyId: res.serverKeyId,\n };\n }\n\n /**\n * Persist refreshed server-encrypted VRF keypair in IndexedDB.\n */\n async updateServerEncryptedVrfKeypair(\n nearAccountId: AccountId,\n serverEncrypted: ServerEncryptedVrfKeypair\n ): Promise<void> {\n await IndexedDBManager.clientDB.updateUser(nearAccountId, {\n serverEncryptedVrfKeypair: {\n ciphertextVrfB64u: serverEncrypted.ciphertextVrfB64u,\n kek_s_b64u: serverEncrypted.kek_s_b64u,\n serverKeyId: serverEncrypted.serverKeyId,\n updatedAt: Date.now(),\n }\n });\n }\n\n async clearVrfSession(): Promise<void> {\n // In cross-origin dev, skip local worker init; wallet iframe handles PM_LOGOUT\n if (typeof window !== 'undefined' && this.workerBaseOrigin !== window.location.origin) {\n return;\n }\n return await this.vrfWorkerManager.clearVrfSession();\n }\n\n /**\n * Check VRF worker status\n */\n async checkVrfStatus(): Promise<{\n active: boolean;\n nearAccountId: AccountId | null;\n sessionDuration?: number\n }> {\n return this.vrfWorkerManager.checkVrfStatus();\n }\n\n /**\n * Mint/refresh a VRF-owned warm signing session using an already-collected WebAuthn credential.\n *\n * This is used to avoid a second TouchID prompt during login flows when we already\n * performed an authentication ceremony (e.g., to unlock the VRF keypair).\n *\n * Notes:\n * - This method does not initiate a WebAuthn prompt.\n * - Contract verification is optional and only performed when `contractId` + `nearRpcUrl` are provided.\n */\n async mintSigningSessionFromCredential(args: {\n nearAccountId: AccountId;\n credential: WebAuthnAuthenticationCredential;\n remainingUses?: number;\n ttlMs?: number;\n contractId?: string;\n nearRpcUrl?: string;\n }): Promise<{\n sessionId: string;\n status: 'active' | 'exhausted' | 'expired' | 'not_found';\n remainingUses?: number;\n expiresAtMs?: number;\n createdAtMs?: number;\n }> {\n const nearAccountId = toAccountId(args.nearAccountId);\n const sessionId = this.getOrCreateActiveSigningSessionId(nearAccountId);\n\n // Ensure VRF keypair is active and bound to the same account.\n const vrfStatus = await this.vrfWorkerManager.checkVrfStatus();\n if (!vrfStatus.active) {\n throw new Error('VRF keypair not active in memory. Please log in again.');\n }\n if (!vrfStatus.nearAccountId || String(vrfStatus.nearAccountId) !== String(nearAccountId)) {\n throw new Error('VRF keypair active but bound to a different account. Please log in again.');\n }\n\n // Fetch wrapKeySalt from vault so the derived WrapKeySeed can decrypt the stored NEAR keys.\n const deviceNumber = await getLastLoggedInDeviceNumber(nearAccountId, IndexedDBManager.clientDB);\n const encryptedKeyData = await IndexedDBManager.nearKeysDB.getEncryptedKey(nearAccountId, deviceNumber);\n if (!encryptedKeyData) {\n throw new Error(`No encrypted key found for account ${nearAccountId} device ${deviceNumber}`);\n }\n const wrapKeySalt = encryptedKeyData.wrapKeySalt || '';\n if (!wrapKeySalt) {\n throw new Error('Missing wrapKeySalt in vault; re-register to upgrade vault format.');\n }\n\n // Extract PRF.first_auth from the already-collected credential.\n const { ttlMs, remainingUses } = this.resolveSigningSessionPolicy(args);\n\n await this.vrfWorkerManager.mintSessionKeysAndSendToSigner({\n sessionId,\n wrapKeySalt,\n contractId: args.contractId,\n nearRpcUrl: args.nearRpcUrl,\n ttlMs,\n remainingUses,\n credential: args.credential,\n });\n\n return await this.vrfWorkerManager.checkSessionStatus({ sessionId });\n }\n\n /**\n * Introspect the VRF-owned signing session for UI (no prompt, metadata only).\n * Session usage (`remainingUses`) is decremented on `DISPENSE_SESSION_KEY` calls.\n */\n async getWarmSigningSessionStatus(nearAccountId: AccountId): Promise<{\n sessionId: string;\n status: 'active' | 'exhausted' | 'expired' | 'not_found';\n remainingUses?: number;\n expiresAtMs?: number;\n createdAtMs?: number;\n }> {\n const sessionId = this.getOrCreateActiveSigningSessionId(nearAccountId);\n return await this.vrfWorkerManager.checkSessionStatus({ sessionId });\n }\n\n /**\n * Fetch Shamir server key info to support proactive refresh.\n */\n async getShamirKeyInfo(): Promise<{\n currentKeyId: string | null;\n p_b64u: string | null;\n graceKeyIds?: string[]\n } | null> {\n try {\n const relayUrl = this.tatchiPasskeyConfigs?.vrfWorkerConfigs?.shamir3pass?.relayServerUrl;\n if (!relayUrl) return null;\n const res = await fetch(`${relayUrl}/shamir/key-info`, { method: 'GET' });\n if (!res.ok) return null;\n const data = await res.json();\n return {\n currentKeyId: data?.currentKeyId ?? null,\n p_b64u: data?.p_b64u ?? null,\n graceKeyIds: Array.isArray(data?.graceKeyIds) ? data.graceKeyIds : undefined,\n };\n } catch {\n return null;\n }\n }\n\n /**\n * If server key changed and VRF is unlocked in memory, re-encrypt under the new server key.\n * Returns true if refreshed, false otherwise.\n */\n async maybeProactiveShamirRefresh(nearAccountId: AccountId): Promise<boolean> {\n try {\n const relayUrl = this.tatchiPasskeyConfigs?.vrfWorkerConfigs?.shamir3pass?.relayServerUrl;\n if (!relayUrl) return false;\n const userData = await this.getLastUser();\n const stored = userData?.serverEncryptedVrfKeypair;\n if (!stored || !stored.kek_s_b64u || !stored.ciphertextVrfB64u || !stored.serverKeyId) return false;\n\n const keyInfo = await this.getShamirKeyInfo();\n const currentKeyId = keyInfo?.currentKeyId;\n if (!currentKeyId || currentKeyId === stored.serverKeyId) return false;\n\n const status = await this.checkVrfStatus();\n const active = status.active && status.nearAccountId === nearAccountId;\n if (!active) return false;\n\n const refreshed = await this.shamir3PassEncryptCurrentVrfKeypair();\n await this.updateServerEncryptedVrfKeypair(nearAccountId, refreshed);\n return true;\n } catch {\n return false;\n }\n }\n\n ///////////////////////////////////////\n // INDEXEDDB OPERATIONS\n ///////////////////////////////////////\n\n async storeUserData(userData: StoreUserDataInput): Promise<void> {\n await IndexedDBManager.clientDB.storeWebAuthnUserData({\n ...userData,\n deviceNumber: userData.deviceNumber ?? 1,\n version: userData.version || 2,\n });\n }\n\n async getAllUsers(): Promise<ClientUserData[]> {\n return await IndexedDBManager.clientDB.getAllUsers();\n }\n\n async getUserByDevice(nearAccountId: AccountId, deviceNumber: number): Promise<ClientUserData | null> {\n return await IndexedDBManager.clientDB.getUserByDevice(nearAccountId, deviceNumber);\n }\n\n async getLastUser(): Promise<ClientUserData | null> {\n return await IndexedDBManager.clientDB.getLastUser();\n }\n\n async getAuthenticatorsByUser(nearAccountId: AccountId): Promise<ClientAuthenticatorData[]> {\n return await IndexedDBManager.clientDB.getAuthenticatorsByUser(nearAccountId);\n }\n\n async updateLastLogin(nearAccountId: AccountId): Promise<void> {\n return await IndexedDBManager.clientDB.updateLastLogin(nearAccountId);\n }\n\n /**\n * Set the last logged-in user\n * @param nearAccountId - The account ID of the user\n * @param deviceNumber - The device number (defaults to 1)\n */\n async setLastUser(nearAccountId: AccountId, deviceNumber: number = 1): Promise<void> {\n return await IndexedDBManager.clientDB.setLastUser(nearAccountId, deviceNumber);\n }\n\n\n /**\n * Initialize current user authentication state\n * This should be called after VRF keypair is successfully unlocked in memory\n * to ensure the user is properly logged in and can perform transactions\n *\n * @param nearAccountId - The NEAR account ID to initialize\n * @param nearClient - The NEAR client for nonce prefetching\n */\n async initializeCurrentUser(\n nearAccountId: AccountId,\n nearClient?: NearClient,\n ): Promise<void> {\n const accountId = toAccountId(nearAccountId);\n\n // Set as last user for future sessions, preserving the current deviceNumber\n // when it is already known for this account.\n let deviceNumberToUse: number | null = null;\n const lastUser = await IndexedDBManager.clientDB.getLastUser().catch(() => null);\n if (\n lastUser &&\n toAccountId(lastUser.nearAccountId) === accountId &&\n Number.isFinite(lastUser.deviceNumber)\n ) {\n deviceNumberToUse = lastUser.deviceNumber;\n }\n\n if (deviceNumberToUse === null) {\n const userForAccount = await IndexedDBManager.clientDB\n .getUserByDevice(accountId, 1)\n .catch(() => null);\n if (userForAccount && Number.isFinite(userForAccount.deviceNumber)) {\n deviceNumberToUse = userForAccount.deviceNumber;\n }\n }\n\n if (deviceNumberToUse === null) {\n deviceNumberToUse = 1;\n }\n\n await this.setLastUser(accountId, deviceNumberToUse);\n\n // Set as current user for immediate use\n this.userPreferencesManager.setCurrentUser(accountId);\n // Ensure confirmation preferences are loaded before callers read them (best-effort)\n await this.userPreferencesManager.reloadUserSettings().catch(() => undefined);\n\n // Initialize NonceManager with the selected user's public key (best-effort)\n const userData = await IndexedDBManager.clientDB\n .getUserByDevice(accountId, deviceNumberToUse)\n .catch(() => null);\n if (userData && userData.clientNearPublicKey) {\n this.nonceManager.initializeUser(accountId, userData.clientNearPublicKey);\n }\n\n // Prefetch block height for better UX (non-fatal if it fails and nearClient is provided)\n if (nearClient) {\n await this.nonceManager\n .prefetchBlockheight(nearClient)\n .catch((prefetchErr) => console.debug('Nonce prefetch after authentication state initialization failed (non-fatal):', prefetchErr));\n }\n }\n\n async registerUser(storeUserData: StoreUserDataInput): Promise<ClientUserData> {\n return await IndexedDBManager.clientDB.registerUser(storeUserData);\n }\n\n async storeAuthenticator(authenticatorData: {\n credentialId: string;\n credentialPublicKey: Uint8Array;\n transports?: string[];\n name?: string;\n nearAccountId: AccountId;\n registered: string;\n syncedAt: string;\n vrfPublicKey: string;\n deviceNumber?: number;\n }): Promise<void> {\n const deviceNumber = Number(authenticatorData.deviceNumber);\n const normalizedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : 1;\n const authData = {\n ...authenticatorData,\n nearAccountId: toAccountId(authenticatorData.nearAccountId),\n deviceNumber: normalizedDeviceNumber, // Default to device 1 (1-indexed)\n };\n return await IndexedDBManager.clientDB.storeAuthenticator(authData);\n }\n\n extractUsername(nearAccountId: AccountId): string {\n return IndexedDBManager.clientDB.extractUsername(nearAccountId);\n }\n\n async atomicOperation<T>(callback: (db: any) => Promise<T>): Promise<T> {\n return await IndexedDBManager.clientDB.atomicOperation(callback);\n }\n\n async rollbackUserRegistration(nearAccountId: AccountId): Promise<void> {\n return await IndexedDBManager.clientDB.rollbackUserRegistration(nearAccountId);\n }\n\n async hasPasskeyCredential(nearAccountId: AccountId): Promise<boolean> {\n return await IndexedDBManager.clientDB.hasPasskeyCredential(nearAccountId);\n }\n\n /**\n * Atomically store all registration data (user, authenticator, VRF credentials)\n */\n async atomicStoreRegistrationData({\n nearAccountId,\n credential,\n publicKey,\n encryptedVrfKeypair,\n vrfPublicKey,\n serverEncryptedVrfKeypair,\n }: {\n nearAccountId: AccountId;\n credential: WebAuthnRegistrationCredential;\n publicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n vrfPublicKey: string;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair | null;\n }): Promise<void> {\n await this.atomicOperation(async (db) => {\n // Store credential for authentication\n const credentialId: string = credential.rawId;\n const attestationB64u: string = credential.response.attestationObject;\n const transports: string[] = credential.response?.transports;\n\n await this.storeAuthenticator({\n nearAccountId: nearAccountId,\n credentialId: credentialId,\n credentialPublicKey: await this.extractCosePublicKey(attestationB64u),\n transports,\n name: `VRF Passkey for ${this.extractUsername(nearAccountId)}`,\n registered: new Date().toISOString(),\n syncedAt: new Date().toISOString(),\n vrfPublicKey: vrfPublicKey,\n });\n\n // Store WebAuthn user data with encrypted VRF credentials\n await this.storeUserData({\n nearAccountId,\n deviceNumber: 1,\n clientNearPublicKey: publicKey,\n lastUpdated: Date.now(),\n passkeyCredential: {\n id: credential.id,\n rawId: credentialId\n },\n encryptedVrfKeypair: {\n encryptedVrfDataB64u: encryptedVrfKeypair.encryptedVrfDataB64u,\n chacha20NonceB64u: encryptedVrfKeypair.chacha20NonceB64u,\n },\n version: 2,\n serverEncryptedVrfKeypair: serverEncryptedVrfKeypair ? {\n ciphertextVrfB64u: serverEncryptedVrfKeypair?.ciphertextVrfB64u,\n kek_s_b64u: serverEncryptedVrfKeypair?.kek_s_b64u,\n serverKeyId: serverEncryptedVrfKeypair?.serverKeyId,\n updatedAt: Date.now(),\n } : undefined,\n });\n\n return true;\n });\n }\n\n ///////////////////////////////////////\n // SIGNER WASM WORKER OPERATIONS\n ///////////////////////////////////////\n\n /**\n * Transaction signing with contract verification and progress updates.\n * Demonstrates the \"streaming\" worker pattern similar to SSE.\n *\n * Requires a successful TouchID/biometric prompt before transaction signing in wasm worker\n * Automatically verifies the authentication with the web3authn contract.\n *\n * @param transactions - Transaction payload containing:\n * - receiverId: NEAR account ID receiving the transaction\n * - actions: Array of NEAR actions to execute\n * @param rpcCall: RpcCallPayload containing:\n * - contractId: Web3Authn contract ID for verification\n * - nearRpcUrl: NEAR RPC endpoint URL\n * - nearAccountId: NEAR account ID performing the transaction\n * @param confirmationConfigOverride: Optional confirmation configuration override\n * @param onEvent: Optional callback for progress updates during signing\n * @param onEvent - Optional callback for progress updates during signing\n */\n async signTransactionsWithActions({\n transactions,\n rpcCall,\n confirmationConfigOverride,\n title,\n body,\n onEvent,\n }: {\n transactions: TransactionInputWasm[],\n rpcCall: RpcCallPayload,\n // Accept partial override; merging happens in handlers layer\n confirmationConfigOverride?: Partial<ConfirmationConfig>,\n title?: string;\n body?: string;\n onEvent?: (update: onProgressEvents) => void,\n }): Promise<SignTransactionResult[]> {\n\n if (transactions.length === 0) {\n throw new Error('No payloads provided for signing');\n }\n const activeSessionId = this.getOrCreateActiveSigningSessionId(toAccountId(rpcCall.nearAccountId));\n return this.withSigningSession({\n sessionId: activeSessionId,\n handler: (sessionId) =>\n this.signerWorkerManager.signTransactionsWithActions({\n transactions,\n rpcCall,\n confirmationConfigOverride,\n title,\n body,\n onEvent,\n sessionId,\n }),\n });\n }\n\n async signDelegateAction({\n delegate,\n rpcCall,\n confirmationConfigOverride,\n title,\n body,\n onEvent,\n }: {\n delegate: DelegateActionInput;\n rpcCall: RpcCallPayload;\n // Accept partial override; merging happens in handlers layer\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n title?: string;\n body?: string;\n onEvent?: (update: onProgressEvents) => void;\n }): Promise<{\n signedDelegate: WasmSignedDelegate;\n hash: string;\n nearAccountId: AccountId;\n logs?: string[];\n }> {\n const nearAccountId = toAccountId(rpcCall.nearAccountId || delegate.senderId);\n const normalizedRpcCall: RpcCallPayload = {\n contractId: rpcCall.contractId || this.tatchiPasskeyConfigs.contractId,\n nearRpcUrl: rpcCall.nearRpcUrl || this.tatchiPasskeyConfigs.nearRpcUrl,\n nearAccountId,\n };\n\n try {\n const activeSessionId = this.getOrCreateActiveSigningSessionId(nearAccountId);\n return await this.withSigningSession({\n sessionId: activeSessionId,\n handler: (sessionId) => {\n console.debug('[WebAuthnManager][delegate] session created', { sessionId });\n return this.signerWorkerManager.signDelegateAction({\n delegate,\n rpcCall: normalizedRpcCall,\n confirmationConfigOverride,\n title,\n body,\n onEvent,\n sessionId,\n });\n }\n });\n } catch (err) {\n // eslint-disable-next-line no-console\n console.error('[WebAuthnManager][delegate] failed', err);\n throw err;\n }\n }\n\n async signNEP413Message(payload: {\n message: string;\n recipient: string;\n nonce: string;\n state: string | null;\n accountId: AccountId;\n title?: string;\n body?: string;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n }): Promise<{\n success: boolean;\n accountId: string;\n publicKey: string;\n signature: string;\n state?: string;\n error?: string;\n }> {\n try {\n const activeSessionId = this.getOrCreateActiveSigningSessionId(payload.accountId);\n const contractId = this.tatchiPasskeyConfigs.contractId;\n const nearRpcUrl = (this.tatchiPasskeyConfigs.nearRpcUrl.split(',')[0] || this.tatchiPasskeyConfigs.nearRpcUrl);\n const result = await this.withSigningSession({\n sessionId: activeSessionId,\n handler: (sessionId) =>\n this.signerWorkerManager.signNep413Message({ ...payload, sessionId, contractId, nearRpcUrl }),\n });\n if (result.success) {\n return result;\n } else {\n throw new Error(`NEP-413 signing failed: ${result.error || 'Unknown error'}`);\n }\n } catch (error: any) {\n console.error('WebAuthnManager: NEP-413 signing error:', error);\n return {\n success: false,\n accountId: '',\n publicKey: '',\n signature: '',\n error: error.message || 'Unknown error'\n };\n }\n }\n\n // === COSE OPERATIONS ===\n\n /**\n * Extract COSE public key from WebAuthn attestation object using WASM worker\n */\n async extractCosePublicKey(attestationObjectBase64url: string): Promise<Uint8Array> {\n return await this.signerWorkerManager.extractCosePublicKey(attestationObjectBase64url);\n }\n\n ///////////////////////////////////////\n // PRIVATE KEY EXPORT (Drawer/Modal in sandboxed iframe)\n ///////////////////////////////////////\n\n /**\n * Helper to ensure the local `lastUser` pointer is consistent with the latest DB updates.\n * This fixes issues where a recovery or registration might have updated the user record\n * but failed to update the `lastUser` pointer (e.g. due to previous bugs or interruptions),\n * preventing the strict `ensureCurrentPasskey` check from passing.\n */\n private async autoHealLastUserPointer(nearAccountId: AccountId): Promise<void> {\n try {\n const lastUser = await this.getLastUser();\n\n // If we are already pointing to the correct account, check if there's a fresher device.\n if (lastUser && lastUser.nearAccountId === nearAccountId) {\n const freshest = await IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId);\n if (freshest && freshest.deviceNumber !== lastUser.deviceNumber) {\n // We found a fresher record for this account (e.g. newly recovered device).\n // Auto-heal the pointer to respect the user's latest intent.\n console.log(`[WebAuthnManager] Auto-healing lastUser pointer from device ${lastUser.deviceNumber} to ${freshest.deviceNumber}`);\n await this.setLastUser(nearAccountId, freshest.deviceNumber);\n }\n } else {\n // If lastUser is not set or points to another account, try to set it to something valid for this account.\n const freshest = await IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId);\n if (freshest) {\n await this.setLastUser(nearAccountId, freshest.deviceNumber);\n }\n }\n } catch (e) {\n console.warn('[WebAuthnManager] Auto-heal pointer failed (non-fatal):', e);\n }\n }\n\n /** Worker-driven export: two-phase V2 (collect PRF → decrypt → show UI) */\n async exportNearKeypairWithUIWorkerDriven(\n nearAccountId: AccountId,\n options?: { variant?: 'drawer' | 'modal', theme?: 'dark' | 'light' }\n ): Promise<void> {\n await this.withSigningSession({\n prefix: 'export-session', handler: async (sessionId) => {\n // Phase 1: collect PRF via LocalOnly(DECRYPT_PRIVATE_KEY_WITH_PRF) inside VRF worker\n // and derive WrapKeySeed with the vault-provided wrapKeySalt.\n await this.confirmDecryptAndDeriveWrapKeySeed({ nearAccountId, sessionId });\n\n // Phase 2 + 3: decrypt inside signer worker using the reserved session,\n // then show the export viewer UI.\n return this.signerWorkerManager.exportNearKeypairUi({\n nearAccountId,\n variant: options?.variant,\n theme: options?.theme,\n sessionId,\n });\n }\n });\n }\n\n async exportNearKeypairWithUI(\n nearAccountId: AccountId,\n options?: {\n variant?: 'drawer' | 'modal';\n theme?: 'dark' | 'light'\n }\n ): Promise<{ accountId: string; publicKey: string; privateKey: string }> {\n // Route to worker-driven two-phase flow. UI is shown inside the wallet host; no secrets are returned.\n await this.exportNearKeypairWithUIWorkerDriven(nearAccountId, options);\n // Surface the freshest device key for this account to the caller.\n // Prefer last user when it matches the account, else pick the most recently\n // updated user record for this account.\n let userData = await this.getLastUser();\n if (!userData || userData.nearAccountId !== nearAccountId) {\n userData = await IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId);\n }\n return {\n accountId: String(nearAccountId),\n publicKey: String(userData?.clientNearPublicKey || ''),\n privateKey: '',\n };\n }\n\n ///////////////////////////////////////\n // REGISTRATION\n ///////////////////////////////////////\n\n async checkCanRegisterUser({\n contractId,\n credential,\n vrfChallenge,\n authenticatorOptions,\n onEvent,\n }: {\n contractId: string,\n credential: WebAuthnRegistrationCredential,\n vrfChallenge: VRFChallenge,\n authenticatorOptions?: AuthenticatorOptions;\n onEvent?: (update: onProgressEvents) => void\n }): Promise<{\n success: boolean;\n verified?: boolean;\n registrationInfo?: any;\n logs?: string[];\n signedTransactionBorsh?: number[];\n error?: string;\n }> {\n return await this.signerWorkerManager.checkCanRegisterUser({\n contractId,\n credential,\n vrfChallenge,\n authenticatorOptions,\n onEvent,\n nearRpcUrl: this.tatchiPasskeyConfigs.nearRpcUrl,\n });\n }\n\n ///////////////////////////////////////\n // ACCOUNT RECOVERY\n ///////////////////////////////////////\n\n /**\n * Recover keypair from authentication credential for account recovery\n * Uses dual PRF outputs to re-derive the same NEAR keypair and re-encrypt it\n * @param challenge - Random challenge for WebAuthn authentication ceremony\n * @param authenticationCredential - The authentication credential with dual PRF outputs\n * @param accountIdHint - Optional account ID hint for recovery\n * @returns Public key and encrypted private key for secure storage\n */\n async recoverKeypairFromPasskey(\n authenticationCredential: WebAuthnAuthenticationCredential,\n accountIdHint?: string,\n ): Promise<{\n publicKey: string;\n encryptedPrivateKey: string;\n /**\n * Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key.\n */\n chacha20NonceB64u: string;\n accountIdHint?: string;\n wrapKeySalt: string;\n stored?: boolean;\n }> {\n try {\n // Verify we have an authentication credential (not registration)\n if (!authenticationCredential) {\n throw new Error(\n 'Authentication credential required for account recovery. ' +\n 'Use an existing credential with dual PRF outputs to re-derive the same NEAR keypair.'\n );\n }\n\n // Verify dual PRF outputs are available\n const prfResults = authenticationCredential.clientExtensionResults?.prf?.results;\n if (!prfResults?.first || !prfResults?.second) {\n throw new Error('Dual PRF outputs required for account recovery - both AES and Ed25519 PRF outputs must be available');\n }\n\n // Extract PRF.first for WrapKeySeed derivation\n // Orchestrate a VRF-owned signing session with WrapKeySeed derivation, then ask\n // the signer to recover and re-encrypt the NEAR keypair.\n const result = await this.withSigningSession({\n prefix: 'recover',\n options: { credential: authenticationCredential },\n handler: (sessionId) =>\n this.signerWorkerManager.recoverKeypairFromPasskey({\n credential: authenticationCredential,\n accountIdHint,\n sessionId,\n }),\n });\n return result;\n\n } catch (error: any) {\n console.error('WebAuthnManager: Deterministic keypair derivation error:', error);\n throw new Error(`Deterministic keypair derivation failed: ${error.message}`);\n }\n }\n\n async getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge,\n credentialIds,\n }: {\n nearAccountId: AccountId;\n challenge: VRFChallenge,\n credentialIds: string[];\n }): Promise<WebAuthnAuthenticationCredential> {\n // Same as getAuthenticationCredentialsSerialized but returns both PRF outputs (PRF.first + PRF.second).\n return this.touchIdPrompt.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge,\n allowCredentials: credentialIds.map(id => ({\n id: id,\n type: 'public-key',\n transports: ['internal', 'hybrid', 'usb', 'ble'] as AuthenticatorTransport[]\n })),\n });\n }\n\n /**\n * Sign transaction with raw private key\n * for key replacement in device linking\n * No TouchID/PRF required - uses provided private key directly\n */\n async signTransactionWithKeyPair({\n nearPrivateKey,\n signerAccountId,\n receiverId,\n nonce,\n blockHash,\n actions\n }: {\n nearPrivateKey: string;\n signerAccountId: string;\n receiverId: string;\n nonce: string;\n blockHash: string;\n actions: ActionArgsWasm[];\n }): Promise<{\n signedTransaction: SignedTransaction;\n logs?: string[];\n }> {\n return await this.signerWorkerManager.signTransactionWithKeyPair({\n nearPrivateKey,\n signerAccountId,\n receiverId,\n nonce,\n blockHash,\n actions\n });\n }\n\n // ==============================\n // USER SETTINGS\n // ==============================\n\n /** * Get user preferences manager */\n getUserPreferences(): UserPreferencesManager {\n return this.userPreferencesManager;\n }\n\n /** * Clean up resources */\n destroy(): void {\n if (this.userPreferencesManager) {\n this.userPreferencesManager.destroy();\n }\n if (this.nonceManager) {\n this.nonceManager.clear();\n }\n this.activeSigningSessionIds.clear();\n }\n\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAkDA,IAAa,kBAAb,MAA6B;CAC3B,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAiB;CACjB,AAAQ,mBAA2B;CAEnC,AAAQ,0CAA+C,IAAI;CAE3D,AAAS;CAET,YAAY,sBAAqC,YAAwB;AACvE,OAAK,uBAAuB;AAC5B,OAAK,aAAa;AAElB,OAAK,gBAAgB,IAAIA,oCACvB,qBAAqB,cAAc,cACnC;AAEF,OAAK,yBAAyBC;AAE9B,MAAI;AACF,QAAK,uBAAuB,uBAAuB,qBAAqB;UAClE;AACR,OAAK,eAAeC;EACpB,MAAM,EAAE,qBAAqB;AAE7B,OAAK,mBAAmB,IAAIC,iCAC1B;GACE,aAAa,kBAAkB,aAAa;GAC5C,gBAAgB,kBAAkB,aAAa;GAC/C,sBAAsB,kBAAkB,aAAa;GACrD,uBAAuB,kBAAkB,aAAa;KAExD;GACE,eAAe,KAAK;GACpB,YAAY,KAAK;GACjB,WAAWC;GACX,wBAAwB,KAAK;GAC7B,cAAc,KAAK;GACnB,cAAc,KAAK,cAAc;GACjC,iBAAiB,qBAAqB;;AAG1C,OAAK,sBAAsB,IAAIC,oCAC7B,KAAK,kBACL,YACA,KAAK,wBACL,KAAK,cACL,qBAAqB,cAAc,cACnC,MACA,qBAAqB;AAKvB,OAAK,mBAAmBC,8CAA8B,OAAO,WAAW,cAAc,OAAO,SAAS,SAAS;AAC/G,OAAK,oBAAoB,oBAAoB,KAAK;AAClD,OAAK,iBAAiB,sBAAsB,KAAK;AAGjD,MAAI,OAAO,WAAW,YACpB,oCAAsB,QAAQ;GAC5B,MAAM,SAAS,IAAI,IAAI,KAAK,OAAO,SAAS,QAAQ;AACpD,OAAI,UAAU,WAAW,KAAK,kBAAkB;AAC9C,SAAK,mBAAmB;AACxB,SAAK,oBAAoB,oBAAoB;AAC7C,SAAK,iBAAiB,sBAAsB;;;EAOlD,MAAM,gCACJ,CAAC,CAAC,qBAAqB,cAAc,gBAAgB,CAACC;AACxD,MAAI,CAAC,8BACH,CAAK,KAAK,uBAAuB,oBAAoB,YAAY;;;;;;CAQrE,uBAA6B;AAC3B,MAAI,OAAO,WAAW,eAAe,OAAQ,OAAe,WAAW,YAAa;AAEpF,MAAI,KAAK,oBAAoB,KAAK,qBAAqB,OAAO,SAAS,OAAQ;AAC/E,OAAK,oBAAoB,oBAAoB,YAAY;;;;;;;;;CAU3D,MAAM,sBAAsB,eAAuC;AAEjE,MAAI,cACF,OAAM,KAAK,sBAAsBC,+BAAY,gBAAgB,KAAK,YAAY,YAAY;AAG5F,QAAM,KAAK,aAAa,oBAAoB,KAAK,YAAY,YAAY;AAEzE,MAAI,cACF,OAAMJ,+BAAiB,gBAAgBI,+BAAY,gBAAgB,YAAY;AAGjF,OAAK;;;;;;CAOP,UAAkB;AAChB,SAAO,KAAK,cAAc;;;CAI5B,kBAAgC;AAC9B,SAAO,KAAK;;;;;;;;;;;CAYd,AAAQ,kBAAkB,QAAwB;AAChD,SAAQ,OAAO,WAAW,eAAe,OAAO,OAAO,eAAe,aAClE,OAAO,eACP,GAAG,OAAO,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;;CAGlE,AAAQ,iBAAiB,OAAoC;AAC3D,MAAI,OAAO,UAAU,YAAY,CAAC,OAAO,SAAS,UAAU,QAAQ,EAAG,QAAO;AAC9E,SAAO,KAAK,MAAM;;CAGpB,AAAQ,4BAA4B,MAMlC;EACA,MAAM,QAAQ,KAAK,iBAAiB,KAAK,UACpC,KAAK,qBAAqB,uBAAuB;EACtD,MAAM,gBAAgB,KAAK,iBAAiB,KAAK,kBAC5C,KAAK,qBAAqB,uBAAuB;AACtD,SAAO;GAAE;GAAO;;;CAGlB,AAAQ,kCAAkC,eAAkC;EAC1E,MAAM,MAAM,OAAOA,+BAAY;EAC/B,MAAM,WAAW,KAAK,wBAAwB,IAAI;AAClD,MAAI,SAAU,QAAO;EACrB,MAAM,YAAY,KAAK,kBAAkB;AACzC,OAAK,wBAAwB,IAAI,KAAK;AACtC,SAAO;;CAGT,MAAc,mBAAsB,MAKrB;AACb,MAAI,OAAO,KAAK,YAAY,WAC1B,OAAM,IAAI,MAAM;EAElB,MAAM,aAAa,KAAK,aAAa,IAAI,WAAW,KAAK,SAAS,KAAK,kBAAkB,KAAK,UAAU;AACxG,MAAI,CAAC,UACH,OAAM,IAAI,MAAM;AAElB,SAAO,MAAM,KAAK,2BAA2B;GAAE;GAAW,SAAS,KAAK;GAAS,SAAS,KAAK;;;CAGjG,MAAc,2BAA8B,MAI7B;EACb,MAAM,aAAa,MAAM,KAAK,iBAAiB,4BAA4B,KAAK;AAChF,QAAM,KAAK,oBAAoB,2BAA2B,KAAK,WAAW,EAAE;AAC5E,MAAI;AAIF,OAAI,KAAK,QACP,OAAM,KAAK,iBAAiB,+BAA+B;IACzD,WAAW,KAAK;IAChB,YAAY,KAAK,QAAQ;;AAG7B,UAAO,MAAM,KAAK,QAAQ,KAAK;YACvB;AACR,QAAK,oBAAoB,sBAAsB,KAAK;;;;;;;;;;CAWxD,MAAM,0CAA0C,QAKO;AACrD,SAAO,KAAK,iBAAiB,0CAA0C;GACrE,eAAe,OAAO;GACtB,cAAc,OAAO;GACrB,eAAe,OAAO;GACtB,4BAA4B,OAAO;GACnC,YAAY,KAAK,qBAAqB;GACtC,YAAY,KAAK,qBAAqB;;;;;;;;;CAU1C,MAAc,mCAAmC,MAG/B;EAChB,MAAM,gBAAgBA,+BAAY,KAAK;EAIvC,MAAM,CAAC,MAAM,UAAU,MAAM,QAAQ,IAAI,CACvCJ,+BAAiB,SAAS,cAAc,YAAY,OACpDA,+BAAiB,SAAS,qBAAqB,eAAe,YAAY;EAG5E,MAAM,eACH,QAAQ,KAAK,kBAAkB,iBAAiB,OAAO,KAAK,iBAAiB,WAC1E,KAAK,eACJ,UAAU,OAAO,OAAO,iBAAiB,WACxC,OAAO,eACP;AAER,MAAI,iBAAiB,KACnB,OAAM,IAAI,MAAM,qCAAqC,cAAc;EAKrE,MAAM,gBAAgB,MAAMA,+BAAiB,SAAS,gBAAgB,eAAe,cAAc,YAAY;EAC/G,MAAM,sBAAsB,eAAe;EAG3C,MAAM,mBAAmB,MAAMA,+BAAiB,WAAW,gBAAgB,eAAe;AAC1F,MAAI,CAAC,kBAAkB;AACrB,WAAQ,MAAM,+DAA+D;IAC3E,eAAe,OAAO;IACtB;;AAEF,SAAM,IAAI,MAAM,uCAAuC;;EAGzD,MAAM,cAAc,iBAAiB,eAAe;AACpD,MAAI,CAAC,aAAa;AAChB,WAAQ,MAAM,qEAAqE;IACjF,eAAe,OAAO;IACtB;;AAEF,SAAM,IAAI,MAAM;;AAGlB,MAAI;AACF,SAAM,KAAK,iBAAiB,sBAAsB;IAChD,WAAW,KAAK;IAChB;IACA;IACA;;WAEK,OAAO;AACd,WAAQ,MAAM,+CAA+C;IAC3D,eAAe,OAAO;IACtB,WAAW,KAAK;IAChB;;AAEF,SAAM;;;CAIV,uCAAuC,EACrC,eACA,WACA,oBAK4C;AAC5C,SAAO,KAAK,cAAc,uCAAuC;GAC/D;GACA;GACA;;;;;;;;CAaJ,MAAM,+BACJ,WACA,cACuB;AACvB,SAAO,KAAK,iBAAiB,+BAA+B,cAAc;;;;;;;CAQ5E,MAAM,yBAAyB,cAAmD;AAChF,SAAO,KAAK,iBAAiB,yBAAyB;;;;;;;;;;;CAYxD,MAAM,4BAA4B,MAO/B;AACD,SAAO,KAAK,iBAAiB,4BAA4B;GACvD,cAAc,KAAK;GACnB,cAAc,KAAK;GACnB,WAAW,KAAK;;;;;;CAOpB,MAAM,0CAA0C,EAC9C,YACA,eACA,WAeC;AACD,SAAO,KAAK,mBAAmB;GAC7B,QAAQ;GACR,SAAS,EAAE;GACX,UAAU,cACR,KAAK,oBAAoB,0CAA0C;IACjE;IACA,eAAeI,+BAAY;IAC3B;IACA;;;;;;;;;;;;;;;;;;;;;;;CAyBR,MAAM,qCAAqC,MAWxC;EACD,MAAM,EAAE,eAAe,YAAY,cAAc,cAAc,8BAA8B;EAC7F,MAAM,aAAa,KAAK,qBAAqB;AAE7C,MAAI;GAEF,MAAM,YAAY,gBAAgB,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM,GAAG;GAGpF,MAAM,mBAAmB,MAAMJ,+BAAiB,WAAW,gBACzD,eACA;AAEF,OAAI,CAAC,iBACH,OAAM,IAAI,MAAM,sCAAsC,cAAc,UAAU;GAGhF,MAAM,cAAc,iBAAiB;AACrC,OAAI,CAAC,YACH,OAAM,IAAI,MAAM,mCAAmC,cAAc,UAAU;GAI7E,MAAM,aAAa,MAAM,KAAK,iBAAiB,4BAA4B;AAC3E,SAAM,KAAK,oBAAoB,2BAA2B,WAAW,EAAE;AAKvE,SAAM,KAAK,iBAAiB,+BAA+B;IACzD;IACA;IACA;;GAIF,MAAM,qBAAqB,MAAM,KAAK,aAAa,2BAA2B,KAAK;GAInF,IAAI,eAAe;GAEnB,MAAM,oBAAoB,gBAAgB,aAAa;GAIvD,MAAM,eAAe,MAAM,KAAK,oBAAoB,8BAA8B;IAChF;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA,2BAA2B;;AAG7B,UAAO;IACL,SAAS;IACT,WAAW,aAAa;IACxB,mBAAmB,aAAa;;WAG3BK,OAAY;AACnB,WAAQ,MAAM,0EAA0E;AACxF,UAAO;IACL,SAAS;IACT,OAAO,MAAM,WAAW,OAAO;;;;;;;;;;;;;;;CAgBrC,MAAM,iBAAiB,EACrB,YACA,eACA,cACA,eAAe,QAYd;AACD,MAAI;GACF,MAAM,YAAY,MAAM,KAAK,iBAAiB,wBAAwB;IACpE;IACA;IACA;IACA;;GAGF,MAAMC,SAMF;IACF,SAAS;IACT,cAAc,UAAU;IACxB,qBAAqB,UAAU;IAC/B,cAAc,UAAU;IACxB,2BAA2B,UAAU;;AAGvC,UAAO;WAEAD,OAAY;AACnB,WAAQ,MAAM,kDAAkD;AAChE,SAAM,IAAI,MAAM,iCAAiC,MAAM;;;;;;;CAQ3D,MAAM,iBAAiB,EACrB,eACA,qBACA,cAKgD;AAChD,MAAI;GACF,MAAM,eAAe,MAAM,KAAK,iBAAiB,iBAAiB;IAChE;IACA;IACA;;AAGF,OAAI,CAAC,aAAa,SAAS;AACzB,YAAQ,MAAM;AACd,WAAO;KAAE,SAAS;KAAO,OAAO;;;AAIlC,QAAK,oBAAoB,oBAAoB,YAAY;AAEzD,UAAO,EAAE,SAAS;WAEXA,OAAY;AACnB,WAAQ,MAAM,+CAA+C,MAAM;AACnE,UAAO;IAAE,SAAS;IAAO,OAAO,MAAM;;;;;;;;;;CAU1C,MAAM,6BAA6B,EACjC,eACA,YACA,mBACA,eAMgD;EAChD,MAAM,SAAS,MAAM,KAAK,iBAAiB,6BAA6B;GACtE;GACA;GACA;GACA;;AAGF,SAAO;GACL,SAAS,OAAO;GAChB,OAAO,OAAO;;;;;;;CAQlB,MAAM,sCAA0E;EAC9E,MAAM,MAAM,MAAM,KAAK,iBAAiB;AACxC,SAAO;GACL,mBAAmB,IAAI;GACvB,YAAY,IAAI;GAChB,aAAa,IAAI;;;;;;CAOrB,MAAM,gCACJ,eACA,iBACe;AACf,QAAML,+BAAiB,SAAS,WAAW,eAAe,EACxD,2BAA2B;GACzB,mBAAmB,gBAAgB;GACnC,YAAY,gBAAgB;GAC5B,aAAa,gBAAgB;GAC7B,WAAW,KAAK;;;CAKtB,MAAM,kBAAiC;AAErC,MAAI,OAAO,WAAW,eAAe,KAAK,qBAAqB,OAAO,SAAS,OAC7E;AAEF,SAAO,MAAM,KAAK,iBAAiB;;;;;CAMrC,MAAM,iBAIH;AACD,SAAO,KAAK,iBAAiB;;;;;;;;;;;;CAa/B,MAAM,iCAAiC,MAapC;EACD,MAAM,gBAAgBI,+BAAY,KAAK;EACvC,MAAM,YAAY,KAAK,kCAAkC;EAGzD,MAAM,YAAY,MAAM,KAAK,iBAAiB;AAC9C,MAAI,CAAC,UAAU,OACb,OAAM,IAAI,MAAM;AAElB,MAAI,CAAC,UAAU,iBAAiB,OAAO,UAAU,mBAAmB,OAAO,eACzE,OAAM,IAAI,MAAM;EAIlB,MAAM,eAAe,MAAMG,oDAA4B,eAAeP,+BAAiB;EACvF,MAAM,mBAAmB,MAAMA,+BAAiB,WAAW,gBAAgB,eAAe;AAC1F,MAAI,CAAC,iBACH,OAAM,IAAI,MAAM,sCAAsC,cAAc,UAAU;EAEhF,MAAM,cAAc,iBAAiB,eAAe;AACpD,MAAI,CAAC,YACH,OAAM,IAAI,MAAM;EAIlB,MAAM,EAAE,OAAO,kBAAkB,KAAK,4BAA4B;AAElE,QAAM,KAAK,iBAAiB,+BAA+B;GACzD;GACA;GACA,YAAY,KAAK;GACjB,YAAY,KAAK;GACjB;GACA;GACA,YAAY,KAAK;;AAGnB,SAAO,MAAM,KAAK,iBAAiB,mBAAmB,EAAE;;;;;;CAO1D,MAAM,4BAA4B,eAM/B;EACD,MAAM,YAAY,KAAK,kCAAkC;AACzD,SAAO,MAAM,KAAK,iBAAiB,mBAAmB,EAAE;;;;;CAM1D,MAAM,mBAII;AACR,MAAI;GACF,MAAM,WAAW,KAAK,sBAAsB,kBAAkB,aAAa;AAC3E,OAAI,CAAC,SAAU,QAAO;GACtB,MAAM,MAAM,MAAM,MAAM,GAAG,SAAS,mBAAmB,EAAE,QAAQ;AACjE,OAAI,CAAC,IAAI,GAAI,QAAO;GACpB,MAAM,OAAO,MAAM,IAAI;AACvB,UAAO;IACL,cAAc,MAAM,gBAAgB;IACpC,QAAQ,MAAM,UAAU;IACxB,aAAa,MAAM,QAAQ,MAAM,eAAe,KAAK,cAAc;;UAE/D;AACN,UAAO;;;;;;;CAQX,MAAM,4BAA4B,eAA4C;AAC5E,MAAI;GACF,MAAM,WAAW,KAAK,sBAAsB,kBAAkB,aAAa;AAC3E,OAAI,CAAC,SAAU,QAAO;GACtB,MAAM,WAAW,MAAM,KAAK;GAC5B,MAAM,SAAS,UAAU;AACzB,OAAI,CAAC,UAAU,CAAC,OAAO,cAAc,CAAC,OAAO,qBAAqB,CAAC,OAAO,YAAa,QAAO;GAE9F,MAAM,UAAU,MAAM,KAAK;GAC3B,MAAM,eAAe,SAAS;AAC9B,OAAI,CAAC,gBAAgB,iBAAiB,OAAO,YAAa,QAAO;GAEjE,MAAM,SAAS,MAAM,KAAK;GAC1B,MAAM,SAAS,OAAO,UAAU,OAAO,kBAAkB;AACzD,OAAI,CAAC,OAAQ,QAAO;GAEpB,MAAM,YAAY,MAAM,KAAK;AAC7B,SAAM,KAAK,gCAAgC,eAAe;AAC1D,UAAO;UACD;AACN,UAAO;;;CAQX,MAAM,cAAc,UAA6C;AAC/D,QAAMA,+BAAiB,SAAS,sBAAsB;GACpD,GAAG;GACH,cAAc,SAAS,gBAAgB;GACvC,SAAS,SAAS,WAAW;;;CAIjC,MAAM,cAAyC;AAC7C,SAAO,MAAMA,+BAAiB,SAAS;;CAGzC,MAAM,gBAAgB,eAA0B,cAAsD;AACpG,SAAO,MAAMA,+BAAiB,SAAS,gBAAgB,eAAe;;CAGxE,MAAM,cAA8C;AAClD,SAAO,MAAMA,+BAAiB,SAAS;;CAGzC,MAAM,wBAAwB,eAA8D;AAC1F,SAAO,MAAMA,+BAAiB,SAAS,wBAAwB;;CAGjE,MAAM,gBAAgB,eAAyC;AAC7D,SAAO,MAAMA,+BAAiB,SAAS,gBAAgB;;;;;;;CAQzD,MAAM,YAAY,eAA0B,eAAuB,GAAkB;AACnF,SAAO,MAAMA,+BAAiB,SAAS,YAAY,eAAe;;;;;;;;;;CAYpE,MAAM,sBACJ,eACA,YACe;EACf,MAAM,YAAYI,+BAAY;EAI9B,IAAII,oBAAmC;EACvC,MAAM,WAAW,MAAMR,+BAAiB,SAAS,cAAc,YAAY;AAC3E,MACE,YACAI,+BAAY,SAAS,mBAAmB,aACxC,OAAO,SAAS,SAAS,cAEzB,qBAAoB,SAAS;AAG/B,MAAI,sBAAsB,MAAM;GAC9B,MAAM,iBAAiB,MAAMJ,+BAAiB,SAC3C,gBAAgB,WAAW,GAC3B,YAAY;AACf,OAAI,kBAAkB,OAAO,SAAS,eAAe,cACnD,qBAAoB,eAAe;;AAIvC,MAAI,sBAAsB,KACxB,qBAAoB;AAGtB,QAAM,KAAK,YAAY,WAAW;AAGlC,OAAK,uBAAuB,eAAe;AAE3C,QAAM,KAAK,uBAAuB,qBAAqB,YAAY;EAGnE,MAAM,WAAW,MAAMA,+BAAiB,SACrC,gBAAgB,WAAW,mBAC3B,YAAY;AACf,MAAI,YAAY,SAAS,oBACvB,MAAK,aAAa,eAAe,WAAW,SAAS;AAIvD,MAAI,WACF,OAAM,KAAK,aACR,oBAAoB,YACpB,OAAO,gBAAgB,QAAQ,MAAM,gFAAgF;;CAI5H,MAAM,aAAa,eAA4D;AAC7E,SAAO,MAAMA,+BAAiB,SAAS,aAAa;;CAGtD,MAAM,mBAAmB,mBAUP;EAChB,MAAM,eAAe,OAAO,kBAAkB;EAC9C,MAAM,yBAAyB,OAAO,cAAc,iBAAiB,gBAAgB,IAAI,eAAe;EACxG,MAAM,WAAW;GACf,GAAG;GACH,eAAeI,+BAAY,kBAAkB;GAC7C,cAAc;;AAEhB,SAAO,MAAMJ,+BAAiB,SAAS,mBAAmB;;CAG5D,gBAAgB,eAAkC;AAChD,SAAOA,+BAAiB,SAAS,gBAAgB;;CAGnD,MAAM,gBAAmB,UAA+C;AACtE,SAAO,MAAMA,+BAAiB,SAAS,gBAAgB;;CAGzD,MAAM,yBAAyB,eAAyC;AACtE,SAAO,MAAMA,+BAAiB,SAAS,yBAAyB;;CAGlE,MAAM,qBAAqB,eAA4C;AACrE,SAAO,MAAMA,+BAAiB,SAAS,qBAAqB;;;;;CAM9D,MAAM,4BAA4B,EAChC,eACA,YACA,WACA,qBACA,cACA,6BAQgB;AAChB,QAAM,KAAK,gBAAgB,OAAO,OAAO;GAEvC,MAAMS,eAAuB,WAAW;GACxC,MAAMC,kBAA0B,WAAW,SAAS;GACpD,MAAMC,aAAuB,WAAW,UAAU;AAElD,SAAM,KAAK,mBAAmB;IACb;IACD;IACd,qBAAqB,MAAM,KAAK,qBAAqB;IACrD;IACA,MAAM,mBAAmB,KAAK,gBAAgB;IAC9C,6BAAY,IAAI,QAAO;IACvB,2BAAU,IAAI,QAAO;IACP;;AAIhB,SAAM,KAAK,cAAc;IACvB;IACA,cAAc;IACd,qBAAqB;IACrB,aAAa,KAAK;IAClB,mBAAmB;KACjB,IAAI,WAAW;KACf,OAAO;;IAET,qBAAqB;KACnB,sBAAsB,oBAAoB;KAC1C,mBAAmB,oBAAoB;;IAEzC,SAAS;IACT,2BAA2B,4BAA4B;KACrD,mBAAmB,2BAA2B;KAC9C,YAAY,2BAA2B;KACvC,aAAa,2BAA2B;KACxC,WAAW,KAAK;QACd;;AAGN,UAAO;;;;;;;;;;;;;;;;;;;;;CA0BX,MAAM,4BAA4B,EAChC,cACA,SACA,4BACA,OACA,MACA,WASmC;AAEnC,MAAI,aAAa,WAAW,EAC1B,OAAM,IAAI,MAAM;EAElB,MAAM,kBAAkB,KAAK,kCAAkCP,+BAAY,QAAQ;AACnF,SAAO,KAAK,mBAAmB;GAC7B,WAAW;GACX,UAAU,cACR,KAAK,oBAAoB,4BAA4B;IACnD;IACA;IACA;IACA;IACA;IACA;IACA;;;;CAKR,MAAM,mBAAmB,EACvB,UACA,SACA,4BACA,OACA,MACA,WAcC;EACD,MAAM,gBAAgBA,+BAAY,QAAQ,iBAAiB,SAAS;EACpE,MAAMQ,oBAAoC;GACxC,YAAY,QAAQ,cAAc,KAAK,qBAAqB;GAC5D,YAAY,QAAQ,cAAc,KAAK,qBAAqB;GAC5D;;AAGF,MAAI;GACF,MAAM,kBAAkB,KAAK,kCAAkC;AAC/D,UAAO,MAAM,KAAK,mBAAmB;IACnC,WAAW;IACX,UAAU,cAAc;AACtB,aAAQ,MAAM,+CAA+C,EAAE;AAC/D,YAAO,KAAK,oBAAoB,mBAAmB;MACjD;MACA,SAAS;MACT;MACA;MACA;MACA;MACA;;;;WAIC,KAAK;AAEZ,WAAQ,MAAM,sCAAsC;AACpD,SAAM;;;CAIV,MAAM,kBAAkB,SAgBrB;AACD,MAAI;GACF,MAAM,kBAAkB,KAAK,kCAAkC,QAAQ;GACvE,MAAM,aAAa,KAAK,qBAAqB;GAC7C,MAAM,aAAc,KAAK,qBAAqB,WAAW,MAAM,KAAK,MAAM,KAAK,qBAAqB;GACpG,MAAM,SAAS,MAAM,KAAK,mBAAmB;IAC3C,WAAW;IACX,UAAU,cACR,KAAK,oBAAoB,kBAAkB;KAAE,GAAG;KAAS;KAAW;KAAY;;;AAEpF,OAAI,OAAO,QACT,QAAO;OAEP,OAAM,IAAI,MAAM,2BAA2B,OAAO,SAAS;WAEtDP,OAAY;AACnB,WAAQ,MAAM,2CAA2C;AACzD,UAAO;IACL,SAAS;IACT,WAAW;IACX,WAAW;IACX,WAAW;IACX,OAAO,MAAM,WAAW;;;;;;;CAU9B,MAAM,qBAAqB,4BAAyD;AAClF,SAAO,MAAM,KAAK,oBAAoB,qBAAqB;;;;;;;;CAa7D,MAAc,wBAAwB,eAAyC;AAC7E,MAAI;GACF,MAAM,WAAW,MAAM,KAAK;AAG5B,OAAI,YAAY,SAAS,kBAAkB,eAAe;IACxD,MAAM,WAAW,MAAML,+BAAiB,SAAS,qBAAqB;AACtE,QAAI,YAAY,SAAS,iBAAiB,SAAS,cAAc;AAG/D,aAAQ,IAAI,+DAA+D,SAAS,aAAa,MAAM,SAAS;AAChH,WAAM,KAAK,YAAY,eAAe,SAAS;;UAE5C;IAEL,MAAM,WAAW,MAAMA,+BAAiB,SAAS,qBAAqB;AACtE,QAAI,SACF,OAAM,KAAK,YAAY,eAAe,SAAS;;WAG5C,GAAG;AACV,WAAQ,KAAK,2DAA2D;;;;CAK5E,MAAM,oCACJ,eACA,SACe;AACf,QAAM,KAAK,mBAAmB;GAC5B,QAAQ;GAAkB,SAAS,OAAO,cAAc;AAGtD,UAAM,KAAK,mCAAmC;KAAE;KAAe;;AAI/D,WAAO,KAAK,oBAAoB,oBAAoB;KAClD;KACA,SAAS,SAAS;KAClB,OAAO,SAAS;KAChB;;;;;CAMR,MAAM,wBACJ,eACA,SAIuE;AAEvE,QAAM,KAAK,oCAAoC,eAAe;EAI9D,IAAI,WAAW,MAAM,KAAK;AAC1B,MAAI,CAAC,YAAY,SAAS,kBAAkB,cAC1C,YAAW,MAAMA,+BAAiB,SAAS,qBAAqB;AAElE,SAAO;GACL,WAAW,OAAO;GAClB,WAAW,OAAO,UAAU,uBAAuB;GACnD,YAAY;;;CAQhB,MAAM,qBAAqB,EACzB,YACA,YACA,cACA,sBACA,WAcC;AACD,SAAO,MAAM,KAAK,oBAAoB,qBAAqB;GACzD;GACA;GACA;GACA;GACA;GACA,YAAY,KAAK,qBAAqB;;;;;;;;;;;CAgB1C,MAAM,0BACJ,0BACA,eAWC;AACD,MAAI;AAEF,OAAI,CAAC,yBACH,OAAM,IAAI,MACR;GAMJ,MAAM,aAAa,yBAAyB,wBAAwB,KAAK;AACzE,OAAI,CAAC,YAAY,SAAS,CAAC,YAAY,OACrC,OAAM,IAAI,MAAM;GAMlB,MAAM,SAAS,MAAM,KAAK,mBAAmB;IAC3C,QAAQ;IACR,SAAS,EAAE,YAAY;IACvB,UAAU,cACR,KAAK,oBAAoB,0BAA0B;KACjD,YAAY;KACZ;KACA;;;AAGN,UAAO;WAEAK,OAAY;AACnB,WAAQ,MAAM,4DAA4D;AAC1E,SAAM,IAAI,MAAM,4CAA4C,MAAM;;;CAItE,MAAM,8CAA8C,EAClD,eACA,WACA,iBAK4C;AAE5C,SAAO,KAAK,cAAc,8CAA8C;GACtE;GACA;GACA,kBAAkB,cAAc,KAAI,QAAO;IACrC;IACJ,MAAM;IACN,YAAY;KAAC;KAAY;KAAU;KAAO;;;;;;;;;;CAUhD,MAAM,2BAA2B,EAC/B,gBACA,iBACA,YACA,OACA,WACA,WAWC;AACD,SAAO,MAAM,KAAK,oBAAoB,2BAA2B;GAC/D;GACA;GACA;GACA;GACA;GACA;;;;CASJ,qBAA6C;AAC3C,SAAO,KAAK;;;CAId,UAAgB;AACd,MAAI,KAAK,uBACP,MAAK,uBAAuB;AAE9B,MAAI,KAAK,aACP,MAAK,aAAa;AAEpB,OAAK,wBAAwB"}

package/dist/cjs/react/sdk/src/core/WebAuthnManager/touchIdPrompt.js DELETED Viewed

@@ -1,282 +0,0 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
-const require_base64 = require('../../utils/base64.js');
-const require_encoders = require('../../utils/encoders.js');
-const require_vrf_worker = require('../types/vrf-worker.js');
-const require_credentialsHelpers = require('./credentialsHelpers.js');
-const require_safari_fallbacks = require('./WebAuthnFallbacks/safari-fallbacks.js');
-const require_index = require('./WebAuthnFallbacks/index.js');
-//#region src/core/WebAuthnManager/touchIdPrompt.ts
-function isRegistrableSuffix(host, cand) {
-	if (!host || !cand) return false;
-	if (host === cand) return true;
-	return host.endsWith("." + cand);
-}
-function resolveRpId(override, host) {
-	const h = (host || "").toLowerCase();
-	const ov = (override || "").toLowerCase();
-	if (ov && h && isRegistrableSuffix(h, ov)) return ov;
-	return h || ov || "";
-}
-function authenticatorsToAllowCredentials(authenticators) {
-	return authenticators.map((auth) => ({
-		id: auth.credentialId,
-		type: "public-key",
-		transports: auth.transports
-	}));
-}
-function isSerializedAuthenticationCredential(x) {
-	if (!x || typeof x !== "object") return false;
-	const obj = x;
-	const resp = obj.response;
-	return typeof resp?.authenticatorData === "string";
-}
-/**
-* Generate device-specific user ID to prevent Chrome sync conflicts
-* Creates technical identifiers with full account context
-*
-* @param nearAccountId - The NEAR account ID (e.g., "serp120.w3a-v1.testnet")
-* @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)
-* @returns Technical identifier:
-*   - Device 1: "serp120.web3-authn.testnet"
-*   - Device 2: "serp120.web3-authn.testnet (2)"
-*   - Device 3: "serp120.web3-authn.testnet (3)"
-*/
-function generateDeviceSpecificUserId(nearAccountId, deviceNumber) {
-	if (deviceNumber === void 0 || deviceNumber === 1) return nearAccountId;
-	return `${nearAccountId} (${deviceNumber})`;
-}
-/**
-* Generate user-friendly display name for passkey manager UI
-* Creates clean, intuitive names that users will see
-*
-* @param nearAccountId - The NEAR account ID (e.g., "serp120.w3a-v1.testnet")
-* @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)
-* @returns User-friendly display name:
-*   - Device 1: "serp120"
-*   - Device 2: "serp120 (device 2)"
-*   - Device 3: "serp120 (device 3)"
-*/
-function generateUserFriendlyDisplayName(nearAccountId, deviceNumber) {
-	const baseUsername = nearAccountId.split(".")[0];
-	if (deviceNumber === void 0 || deviceNumber === 1) return baseUsername;
-	return `${baseUsername} (device ${deviceNumber})`;
-}
-var TouchIdPrompt;
-var init_touchIdPrompt = require_rolldown_runtime.__esm({ "src/core/WebAuthnManager/touchIdPrompt.ts": (() => {
-	require_encoders.init_encoders();
-	require_vrf_worker.init_vrf_worker();
-	require_credentialsHelpers.init_credentialsHelpers();
-	require_index.init_WebAuthnFallbacks();
-	TouchIdPrompt = class TouchIdPrompt {
-		rpIdOverride;
-		safariGetWebauthnRegistrationFallback;
-		abortController;
-		removePageAbortHandlers;
-		removeExternalAbortListener;
-		constructor(rpIdOverride, safariGetWebauthnRegistrationFallback = false) {
-			this.rpIdOverride = rpIdOverride;
-			this.safariGetWebauthnRegistrationFallback = safariGetWebauthnRegistrationFallback === true;
-		}
-		getRpId() {
-			try {
-				return resolveRpId(this.rpIdOverride, window?.location?.hostname);
-			} catch {
-				return this.rpIdOverride || "";
-			}
-		}
-		static _inIframe() {
-			try {
-				return window.self !== window.top;
-			} catch {
-				return true;
-			}
-		}
-		/**
-		* Get authentication credentials
-		* @param nearAccountId - NEAR account ID to authenticate
-		* @param challenge - VRF challenge bytes
-		* @param allowCredentials - Array of allowed credentials for authentication
-		* @returns WebAuthn credential with only the first PRF output
-		*/
-		async getAuthenticationCredentialsSerialized({ nearAccountId, challenge, allowCredentials }) {
-			const credentialMaybe = await this.getAuthenticationCredentialsInternal({
-				nearAccountId,
-				challenge,
-				allowCredentials
-			});
-			if (isSerializedAuthenticationCredential(credentialMaybe)) return credentialMaybe;
-			return require_credentialsHelpers.serializeAuthenticationCredentialWithPRF({
-				credential: credentialMaybe,
-				firstPrfOutput: true,
-				secondPrfOutput: false
-			});
-		}
-		/**
-		*  Same as getAuthenticationCredentialsSerialized but returns both PRF outputs
-		*  (PRF.first + PRF.second).
-		* @param nearAccountId - NEAR account ID to authenticate
-		* @param challenge - VRF challenge bytes
-		* @param allowCredentials - Array of allowed credentials for authentication
-		* @returns
-		*/
-		async getAuthenticationCredentialsSerializedDualPrf({ nearAccountId, challenge, allowCredentials }) {
-			const credentialMaybe = await this.getAuthenticationCredentialsInternal({
-				nearAccountId,
-				challenge,
-				allowCredentials
-			});
-			if (isSerializedAuthenticationCredential(credentialMaybe)) return credentialMaybe;
-			return require_credentialsHelpers.serializeAuthenticationCredentialWithPRF({
-				credential: credentialMaybe,
-				firstPrfOutput: true,
-				secondPrfOutput: true
-			});
-		}
-		/**
-		* Internal method for generating WebAuthn registration credentials with PRF output
-		* @param nearAccountId - NEAR account ID for PRF salts and keypair derivation (always base account)
-		* @param challenge - Random challenge bytes for the registration ceremony
-		* @param deviceNumber - Device number for device-specific user ID.
-		* @returns Credential with PRF output
-		*/
-		async generateRegistrationCredentialsInternal({ nearAccountId, challenge, deviceNumber }) {
-			this.abortController = new AbortController();
-			this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);
-			const rpId = this.getRpId();
-			const publicKey = {
-				challenge: require_vrf_worker.outputAs32Bytes(challenge),
-				rp: {
-					name: "WebAuthn VRF Passkey",
-					id: rpId
-				},
-				user: {
-					id: new TextEncoder().encode(generateDeviceSpecificUserId(nearAccountId, deviceNumber)),
-					name: generateDeviceSpecificUserId(nearAccountId, deviceNumber),
-					displayName: generateUserFriendlyDisplayName(nearAccountId, deviceNumber)
-				},
-				pubKeyCredParams: [{
-					alg: -7,
-					type: "public-key"
-				}, {
-					alg: -257,
-					type: "public-key"
-				}],
-				authenticatorSelection: {
-					residentKey: "required",
-					userVerification: "preferred"
-				},
-				timeout: 6e4,
-				attestation: "none",
-				extensions: { prf: { eval: {
-					first: require_credentialsHelpers.generateChaCha20Salt(nearAccountId),
-					second: require_credentialsHelpers.generateEd25519Salt(nearAccountId)
-				} } }
-			};
-			try {
-				const result = await require_safari_fallbacks.executeWebAuthnWithParentFallbacksSafari("create", publicKey, {
-					rpId,
-					inIframe: TouchIdPrompt._inIframe(),
-					timeoutMs: publicKey.timeout,
-					abortSignal: this.abortController.signal
-				});
-				return result;
-			} finally {
-				this.removePageAbortHandlers?.();
-				this.removePageAbortHandlers = void 0;
-				this.removeExternalAbortListener?.();
-				this.removeExternalAbortListener = void 0;
-				this.abortController = void 0;
-			}
-		}
-		/**
-		* Internal method for getting WebAuthn authentication credentials with PRF output
-		* @param nearAccountId - NEAR account ID to authenticate
-		* @param challenge - VRF challenge bytes to use for WebAuthn authentication
-		* @param authenticators - List of stored authenticator data for the user
-		* @returns WebAuthn credential with PRF output (HKDF derivation done in WASM worker)
-		* ```ts
-		* const credential = await touchIdPrompt.getCredentials({
-		*   nearAccountId,
-		*   challenge,
-		*   authenticators,
-		* });
-		* ```
-		*/
-		async getAuthenticationCredentialsInternal({ nearAccountId, challenge, allowCredentials }) {
-			this.abortController = new AbortController();
-			this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);
-			const rpId = this.getRpId();
-			const publicKey = {
-				challenge: require_vrf_worker.outputAs32Bytes(challenge),
-				rpId,
-				allowCredentials: allowCredentials.map((credential) => ({
-					id: require_base64.base64UrlDecode(credential.id),
-					type: "public-key",
-					transports: credential.transports
-				})),
-				userVerification: "preferred",
-				timeout: 6e4,
-				extensions: { prf: { eval: {
-					first: require_credentialsHelpers.generateChaCha20Salt(nearAccountId),
-					second: require_credentialsHelpers.generateEd25519Salt(nearAccountId)
-				} } }
-			};
-			try {
-				const result = await require_safari_fallbacks.executeWebAuthnWithParentFallbacksSafari("get", publicKey, {
-					rpId,
-					inIframe: TouchIdPrompt._inIframe(),
-					timeoutMs: publicKey.timeout,
-					permitGetBridgeOnAncestorError: this.safariGetWebauthnRegistrationFallback,
-					abortSignal: this.abortController.signal
-				});
-				return result;
-			} finally {
-				this.removePageAbortHandlers?.();
-				this.removePageAbortHandlers = void 0;
-				this.removeExternalAbortListener?.();
-				this.removeExternalAbortListener = void 0;
-				this.abortController = void 0;
-			}
-		}
-	};
-	(function(_TouchIdPrompt) {
-		function attachPageAbortHandlers(controller) {
-			const onVisibility = () => {
-				if (document.hidden) controller.abort();
-			};
-			const onPageHide = () => {
-				controller.abort();
-			};
-			const onBeforeUnload = () => {
-				controller.abort();
-			};
-			document.addEventListener("visibilitychange", onVisibility, { passive: true });
-			window.addEventListener("pagehide", onPageHide, { passive: true });
-			window.addEventListener("beforeunload", onBeforeUnload, { passive: true });
-			return () => {
-				document.removeEventListener("visibilitychange", onVisibility);
-				window.removeEventListener("pagehide", onPageHide);
-				window.removeEventListener("beforeunload", onBeforeUnload);
-			};
-		}
-		_TouchIdPrompt.attachPageAbortHandlers = attachPageAbortHandlers;
-	})(TouchIdPrompt || (TouchIdPrompt = {}));
-}) });
-//#endregion
-init_touchIdPrompt();
-Object.defineProperty(exports, 'TouchIdPrompt', {
-  enumerable: true,
-  get: function () {
-    return TouchIdPrompt;
-  }
-});
-exports.authenticatorsToAllowCredentials = authenticatorsToAllowCredentials;
-Object.defineProperty(exports, 'init_touchIdPrompt', {
-  enumerable: true,
-  get: function () {
-    return init_touchIdPrompt;
-  }
-});
-//# sourceMappingURL=touchIdPrompt.js.map

package/dist/cjs/react/sdk/src/core/WebAuthnManager/touchIdPrompt.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"touchIdPrompt.js","names":["serializeAuthenticationCredentialWithPRF","publicKey: PublicKeyCredentialCreationOptions","outputAs32Bytes","generateChaCha20Salt","generateEd25519Salt","executeWebAuthnWithParentFallbacksSafari","publicKey: PublicKeyCredentialRequestOptions","base64UrlDecode"],"sources":["../../../../../../../src/core/WebAuthnManager/touchIdPrompt.ts"],"sourcesContent":["import { ClientAuthenticatorData } from '../IndexedDBManager';\nimport { base64UrlDecode } from '../../utils/encoders';\nimport { outputAs32Bytes, VRFChallenge } from '../types/vrf-worker';\nimport { serializeAuthenticationCredentialWithPRF, generateChaCha20Salt, generateEd25519Salt } from './credentialsHelpers';\nimport type {\n WebAuthnAuthenticationCredential,\n WebAuthnRegistrationCredential\n} from '../types/webauthn';\nimport { executeWebAuthnWithParentFallbacksSafari } from './WebAuthnFallbacks';\n// Local rpId policy helpers (moved back from WebAuthnFallbacks)\nfunction isRegistrableSuffix(host: string, cand: string): boolean {\n if (!host || !cand) return false;\n if (host === cand) return true;\n return host.endsWith('.' + cand);\n}\n\nfunction resolveRpId(override: string | undefined, host: string | undefined): string {\n const h = (host || '').toLowerCase();\n const ov = (override || '').toLowerCase();\n if (ov && h && isRegistrableSuffix(h, ov)) return ov;\n return h || ov || '';\n}\n\nexport interface RegisterCredentialsArgs {\n nearAccountId: string, // NEAR account ID for PRF salts and keypair derivation (always base account)\n challenge: VRFChallenge,\n deviceNumber?: number, // Optional device number for device-specific user ID (0, 1, 2, etc.)\n}\n\nexport interface AuthenticateCredentialsArgs {\n nearAccountId: string,\n challenge: VRFChallenge,\n allowCredentials: AllowCredential[],\n}\n\nexport interface AllowCredential {\n id: string,\n type: string,\n transports: AuthenticatorTransport[]\n}\n\nexport function authenticatorsToAllowCredentials(\n authenticators: ClientAuthenticatorData[]\n): AllowCredential[] {\n return authenticators.map(auth => ({\n id: auth.credentialId,\n type: 'public-key',\n transports: auth.transports as AuthenticatorTransport[]\n }));\n}\n\n/**\n * TouchIdPrompt prompts for touchID,\n * creates credentials,\n * manages WebAuthn touchID prompts,\n * and generates credentials, and PRF Outputs\n */\nexport class TouchIdPrompt {\n private rpIdOverride?: string;\n private safariGetWebauthnRegistrationFallback: boolean;\n // create() only: internal abort controller + cleanup hooks\n private abortController?: AbortController;\n private removePageAbortHandlers?: () => void;\n private removeExternalAbortListener?: () => void;\n\n constructor(rpIdOverride?: string, safariGetWebauthnRegistrationFallback = false) {\n this.rpIdOverride = rpIdOverride;\n this.safariGetWebauthnRegistrationFallback = safariGetWebauthnRegistrationFallback === true;\n }\n\n getRpId(): string {\n try {\n return resolveRpId(this.rpIdOverride, window?.location?.hostname);\n } catch {\n return this.rpIdOverride || '';\n }\n }\n\n // Utility helpers for cross‑origin fallback\n private static _inIframe(): boolean {\n try { return window.self !== window.top; } catch { return true; }\n }\n\n /**\n * Get authentication credentials\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes\n * @param allowCredentials - Array of allowed credentials for authentication\n * @returns WebAuthn credential with only the first PRF output\n */\n async getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge,\n allowCredentials,\n }: {\n nearAccountId: string\n challenge: VRFChallenge\n allowCredentials: AllowCredential[]\n }): Promise<WebAuthnAuthenticationCredential> {\n const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n })) as unknown;\n // Support parent-bridge fallback returning an already-serialized credential\n if (isSerializedAuthenticationCredential(credentialMaybe)) {\n return credentialMaybe;\n }\n return serializeAuthenticationCredentialWithPRF({\n credential: credentialMaybe as PublicKeyCredential,\n firstPrfOutput: true,\n secondPrfOutput: false,\n })\n }\n\n /**\n * Same as getAuthenticationCredentialsSerialized but returns both PRF outputs\n * (PRF.first + PRF.second).\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes\n * @param allowCredentials - Array of allowed credentials for authentication\n * @returns\n */\n async getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge,\n allowCredentials,\n }: {\n nearAccountId: string,\n challenge: VRFChallenge,\n allowCredentials: AllowCredential[],\n }): Promise<WebAuthnAuthenticationCredential> {\n const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n })) as unknown;\n // Support parent-bridge fallback returning an already-serialized credential\n if (isSerializedAuthenticationCredential(credentialMaybe)) {\n return credentialMaybe;\n }\n return serializeAuthenticationCredentialWithPRF({\n credential: credentialMaybe as PublicKeyCredential,\n firstPrfOutput: true,\n secondPrfOutput: true,\n });\n }\n\n /**\n * Internal method for generating WebAuthn registration credentials with PRF output\n * @param nearAccountId - NEAR account ID for PRF salts and keypair derivation (always base account)\n * @param challenge - Random challenge bytes for the registration ceremony\n * @param deviceNumber - Device number for device-specific user ID.\n * @returns Credential with PRF output\n */\n async generateRegistrationCredentialsInternal({\n nearAccountId,\n challenge,\n deviceNumber,\n }: RegisterCredentialsArgs): Promise<PublicKeyCredential> {\n // New controller per create() call\n this.abortController = new AbortController();\n this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n // Single source of truth for rpId: use getRpId().\n const rpId = this.getRpId();\n const publicKey: PublicKeyCredentialCreationOptions = {\n challenge: outputAs32Bytes(challenge) as BufferSource,\n rp: {\n name: 'WebAuthn VRF Passkey',\n id: rpId\n },\n user: {\n id: new TextEncoder().encode(generateDeviceSpecificUserId(nearAccountId, deviceNumber)),\n name: generateDeviceSpecificUserId(nearAccountId, deviceNumber),\n displayName: generateUserFriendlyDisplayName(nearAccountId, deviceNumber)\n },\n pubKeyCredParams: [\n { alg: -7, type: 'public-key' },\n { alg: -257, type: 'public-key' }\n ],\n authenticatorSelection: {\n residentKey: 'required',\n userVerification: 'preferred'\n },\n timeout: 60000,\n attestation: 'none',\n extensions: {\n prf: {\n eval: {\n // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n first: generateChaCha20Salt(nearAccountId) as BufferSource, // ChaCha20Poly1305 encryption keys\n second: generateEd25519Salt(nearAccountId) as BufferSource // Ed25519 signing keys\n }\n }\n },\n };\n try {\n const result = await executeWebAuthnWithParentFallbacksSafari('create', publicKey, {\n rpId,\n inIframe: TouchIdPrompt._inIframe(),\n timeoutMs: publicKey.timeout as number | undefined,\n // Pass AbortSignal through when supported; Safari bridge path may ignore it.\n abortSignal: this.abortController.signal,\n });\n return result as PublicKeyCredential;\n } finally {\n this.removePageAbortHandlers?.();\n this.removePageAbortHandlers = undefined;\n this.removeExternalAbortListener?.();\n this.removeExternalAbortListener = undefined;\n this.abortController = undefined;\n }\n }\n\n /**\n * Internal method for getting WebAuthn authentication credentials with PRF output\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes to use for WebAuthn authentication\n * @param authenticators - List of stored authenticator data for the user\n * @returns WebAuthn credential with PRF output (HKDF derivation done in WASM worker)\n * ```ts\n * const credential = await touchIdPrompt.getCredentials({\n * nearAccountId,\n * challenge,\n * authenticators,\n * });\n * ```\n */\n async getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n }: AuthenticateCredentialsArgs): Promise<PublicKeyCredential> {\n // New controller per get() call\n this.abortController = new AbortController();\n this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n // Single source of truth for rpId: use getRpId().\n const rpId = this.getRpId();\n const publicKey: PublicKeyCredentialRequestOptions = {\n challenge: outputAs32Bytes(challenge) as BufferSource,\n rpId,\n allowCredentials: allowCredentials.map((credential) => ({\n id: base64UrlDecode(credential.id) as BufferSource,\n type: 'public-key' as PublicKeyCredentialType,\n transports: credential.transports,\n })),\n userVerification: 'preferred' as UserVerificationRequirement,\n timeout: 60000,\n extensions: {\n prf: {\n eval: {\n // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n first: generateChaCha20Salt(nearAccountId) as BufferSource, // ChaCha20Poly1305 encryption keys\n second: generateEd25519Salt(nearAccountId) as BufferSource // Ed25519 signing keys\n }\n }\n }\n };\n try {\n const result = await executeWebAuthnWithParentFallbacksSafari('get', publicKey, {\n rpId,\n inIframe: TouchIdPrompt._inIframe(),\n timeoutMs: publicKey.timeout as number | undefined,\n permitGetBridgeOnAncestorError: this.safariGetWebauthnRegistrationFallback,\n abortSignal: this.abortController.signal,\n });\n return result as PublicKeyCredential;\n } finally {\n this.removePageAbortHandlers?.();\n this.removePageAbortHandlers = undefined;\n this.removeExternalAbortListener?.();\n this.removeExternalAbortListener = undefined;\n this.abortController = undefined;\n }\n }\n}\n\n// Type guard for already-serialized authentication credential\nfunction isSerializedAuthenticationCredential(x: unknown): x is WebAuthnAuthenticationCredential {\n if (!x || typeof x !== 'object') return false;\n const obj = x as { response?: unknown };\n const resp = obj.response as { authenticatorData?: unknown } | undefined;\n return typeof resp?.authenticatorData === 'string';\n}\n\n/**\n * Generate device-specific user ID to prevent Chrome sync conflicts\n * Creates technical identifiers with full account context\n *\n * @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns Technical identifier:\n * - Device 1: \"serp120.web3-authn.testnet\"\n * - Device 2: \"serp120.web3-authn.testnet (2)\"\n * - Device 3: \"serp120.web3-authn.testnet (3)\"\n */\nexport function generateDeviceSpecificUserId(nearAccountId: string, deviceNumber?: number): string {\n // If no device number provided or device number is 1, this is the first device\n if (deviceNumber === undefined || deviceNumber === 1) {\n return nearAccountId;\n }\n // For additional devices, add device number in parentheses\n return `${nearAccountId} (${deviceNumber})`;\n}\n\n/**\n * Generate user-friendly display name for passkey manager UI\n * Creates clean, intuitive names that users will see\n *\n * @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns User-friendly display name:\n * - Device 1: \"serp120\"\n * - Device 2: \"serp120 (device 2)\"\n * - Device 3: \"serp120 (device 3)\"\n */\nfunction generateUserFriendlyDisplayName(nearAccountId: string, deviceNumber?: number): string {\n // Extract the base username (everything before the first dot)\n const baseUsername = nearAccountId.split('.')[0];\n // If no device number provided or device number is 1, this is the first device\n if (deviceNumber === undefined || deviceNumber === 1) {\n return baseUsername;\n }\n // For additional devices, add device number with friendly label\n return `${baseUsername} (device ${deviceNumber})`;\n}\n\n// Abort native WebAuthn when page is being hidden or unloaded\n// Centralized here to keep WebAuthn lifecycle concerns alongside native calls.\nexport namespace TouchIdPrompt {\n export function attachPageAbortHandlers(controller: AbortController): () => void {\n const onVisibility = () => { if (document.hidden) controller.abort(); };\n const onPageHide = () => { controller.abort(); };\n const onBeforeUnload = () => { controller.abort(); };\n document.addEventListener('visibilitychange', onVisibility, { passive: true });\n window.addEventListener('pagehide', onPageHide, { passive: true });\n window.addEventListener('beforeunload', onBeforeUnload, { passive: true });\n return () => {\n document.removeEventListener('visibilitychange', onVisibility);\n window.removeEventListener('pagehide', onPageHide);\n window.removeEventListener('beforeunload', onBeforeUnload);\n };\n }\n}\n"],"mappings":";;;;;;;;;AAUA,SAAS,oBAAoB,MAAc,MAAuB;AAChE,KAAI,CAAC,QAAQ,CAAC,KAAM,QAAO;AAC3B,KAAI,SAAS,KAAM,QAAO;AAC1B,QAAO,KAAK,SAAS,MAAM;;AAG7B,SAAS,YAAY,UAA8B,MAAkC;CACnF,MAAM,KAAK,QAAQ,IAAI;CACvB,MAAM,MAAM,YAAY,IAAI;AAC5B,KAAI,MAAM,KAAK,oBAAoB,GAAG,IAAK,QAAO;AAClD,QAAO,KAAK,MAAM;;AAqBpB,SAAgB,iCACd,gBACmB;AACnB,QAAO,eAAe,KAAI,UAAS;EACjC,IAAI,KAAK;EACT,MAAM;EACN,YAAY,KAAK;;;AAuOrB,SAAS,qCAAqC,GAAmD;AAC/F,KAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;CACxC,MAAM,MAAM;CACZ,MAAM,OAAO,IAAI;AACjB,QAAO,OAAO,MAAM,sBAAsB;;;;;;;;;;;;;AAc5C,SAAgB,6BAA6B,eAAuB,cAA+B;AAEjG,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,cAAc,IAAI,aAAa;;;;;;;;;;;;;AAc3C,SAAS,gCAAgC,eAAuB,cAA+B;CAE7F,MAAM,eAAe,cAAc,MAAM,KAAK;AAE9C,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,aAAa,WAAW,aAAa;;;;;;;;CA3QpC,gBAAb,MAAa,cAAc;EACzB,AAAQ;EACR,AAAQ;EAER,AAAQ;EACR,AAAQ;EACR,AAAQ;EAER,YAAY,cAAuB,wCAAwC,OAAO;AAChF,QAAK,eAAe;AACpB,QAAK,wCAAwC,0CAA0C;;EAGzF,UAAkB;AAChB,OAAI;AACF,WAAO,YAAY,KAAK,cAAc,QAAQ,UAAU;WAClD;AACN,WAAO,KAAK,gBAAgB;;;EAKhC,OAAe,YAAqB;AAClC,OAAI;AAAE,WAAO,OAAO,SAAS,OAAO;WAAa;AAAE,WAAO;;;;;;;;;;EAU5D,MAAM,uCAAuC,EAC3C,eACA,WACA,oBAK4C;GAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;IACvE;IACA;IACA;;AAGF,OAAI,qCAAqC,iBACvC,QAAO;AAET,UAAOA,oEAAyC;IAC9C,YAAY;IACZ,gBAAgB;IAChB,iBAAiB;;;;;;;;;;;EAYrB,MAAM,8CAA8C,EAClD,eACA,WACA,oBAK4C;GAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;IACvE;IACA;IACA;;AAGF,OAAI,qCAAqC,iBACvC,QAAO;AAET,UAAOA,oEAAyC;IAC9C,YAAY;IACZ,gBAAgB;IAChB,iBAAiB;;;;;;;;;;EAWrB,MAAM,wCAAwC,EAC5C,eACA,WACA,gBACwD;AAExD,QAAK,kBAAkB,IAAI;AAC3B,QAAK,0BAA0B,cAAc,wBAAwB,KAAK;GAE1E,MAAM,OAAO,KAAK;GAClB,MAAMC,YAAgD;IACpD,WAAWC,mCAAgB;IAC3B,IAAI;KACF,MAAM;KACN,IAAI;;IAEN,MAAM;KACJ,IAAI,IAAI,cAAc,OAAO,6BAA6B,eAAe;KACzE,MAAM,6BAA6B,eAAe;KAClD,aAAa,gCAAgC,eAAe;;IAE9D,kBAAkB,CAChB;KAAE,KAAK;KAAI,MAAM;OACjB;KAAE,KAAK;KAAM,MAAM;;IAErB,wBAAwB;KACtB,aAAa;KACb,kBAAkB;;IAEpB,SAAS;IACT,aAAa;IACb,YAAY,EACV,KAAK,EACH,MAAM;KAEJ,OAAOC,gDAAqB;KAC5B,QAAQC,+CAAoB;;;AAKpC,OAAI;IACF,MAAM,SAAS,MAAMC,kEAAyC,UAAU,WAAW;KACjF;KACA,UAAU,cAAc;KACxB,WAAW,UAAU;KAErB,aAAa,KAAK,gBAAgB;;AAEpC,WAAO;aACC;AACR,SAAK;AACL,SAAK,0BAA0B;AAC/B,SAAK;AACL,SAAK,8BAA8B;AACnC,SAAK,kBAAkB;;;;;;;;;;;;;;;;;EAkB3B,MAAM,qCAAqC,EACzC,eACA,WACA,oBAC4D;AAE5D,QAAK,kBAAkB,IAAI;AAC3B,QAAK,0BAA0B,cAAc,wBAAwB,KAAK;GAE1E,MAAM,OAAO,KAAK;GAClB,MAAMC,YAA+C;IACnD,WAAWJ,mCAAgB;IAC3B;IACA,kBAAkB,iBAAiB,KAAK,gBAAgB;KACtD,IAAIK,+BAAgB,WAAW;KAC/B,MAAM;KACN,YAAY,WAAW;;IAEzB,kBAAkB;IAClB,SAAS;IACT,YAAY,EACV,KAAK,EACH,MAAM;KAEJ,OAAOJ,gDAAqB;KAC5B,QAAQC,+CAAoB;;;AAKpC,OAAI;IACF,MAAM,SAAS,MAAMC,kEAAyC,OAAO,WAAW;KAC9E;KACA,UAAU,cAAc;KACxB,WAAW,UAAU;KACrB,gCAAgC,KAAK;KACrC,aAAa,KAAK,gBAAgB;;AAEpC,WAAO;aACC;AACR,SAAK;AACL,SAAK,0BAA0B;AAC/B,SAAK;AACL,SAAK,8BAA8B;AACnC,SAAK,kBAAkB;;;;AAyDtB;EACE,SAAS,wBAAwB,YAAyC;GAC/E,MAAM,qBAAqB;AAAE,QAAI,SAAS,OAAQ,YAAW;;GAC7D,MAAM,mBAAmB;AAAE,eAAW;;GACtC,MAAM,uBAAuB;AAAE,eAAW;;AAC1C,YAAS,iBAAiB,oBAAoB,cAAc,EAAE,SAAS;AACvE,UAAO,iBAAiB,YAAY,YAAY,EAAE,SAAS;AAC3D,UAAO,iBAAiB,gBAAgB,gBAAgB,EAAE,SAAS;AACnE,gBAAa;AACX,aAAS,oBAAoB,oBAAoB;AACjD,WAAO,oBAAoB,YAAY;AACvC,WAAO,oBAAoB,gBAAgB"}

package/dist/cjs/react/sdk/src/core/WebAuthnManager/txDigest.js DELETED Viewed

@@ -1,85 +0,0 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
-const require_validation = require('../WalletIframe/validation.js');
-const require_base64 = require('../../utils/base64.js');
-//#region src/core/WebAuthnManager/txDigest.ts
-require_validation.init_validation();
-require_base64.init_base64();
-function alphabetizeStringify(input) {
-	const normalizeValue = (value) => {
-		if (Array.isArray(value)) return value.map(normalizeValue);
-		if (require_validation.isObject(value)) {
-			const obj = value;
-			const sortedKeys = Object.keys(obj).sort();
-			const result = {};
-			for (const key of sortedKeys) result[key] = normalizeValue(obj[key]);
-			return result;
-		}
-		return value;
-	};
-	return JSON.stringify(normalizeValue(input));
-}
-async function sha256Base64UrlUtf8(input) {
-	const enc = new TextEncoder();
-	const data = enc.encode(input);
-	const digest = await crypto.subtle.digest("SHA-256", data);
-	return require_base64.base64UrlEncode(digest);
-}
-async function computeUiIntentDigestFromTxs(txInputs) {
-	const json = alphabetizeStringify(txInputs);
-	return sha256Base64UrlUtf8(json);
-}
-function orderActionForDigest(a) {
-	switch (a.action_type) {
-		case "FunctionCall": return {
-			action_type: a.action_type,
-			args: a.args,
-			deposit: a.deposit,
-			gas: a.gas,
-			method_name: a.method_name
-		};
-		case "Transfer": return {
-			action_type: a.action_type,
-			deposit: a.deposit
-		};
-		case "Stake": return {
-			action_type: a.action_type,
-			stake: a.stake,
-			public_key: a.public_key
-		};
-		case "AddKey": return {
-			action_type: a.action_type,
-			public_key: a.public_key,
-			access_key: a.access_key
-		};
-		case "DeleteKey": return {
-			action_type: a.action_type,
-			public_key: a.public_key
-		};
-		case "DeleteAccount": return {
-			action_type: a.action_type,
-			beneficiary_id: a.beneficiary_id
-		};
-		case "DeployContract": return {
-			action_type: a.action_type,
-			code: a.code
-		};
-		case "DeployGlobalContract": return {
-			action_type: a.action_type,
-			code: a.code,
-			deploy_mode: a.deploy_mode
-		};
-		case "UseGlobalContract": return {
-			action_type: a.action_type,
-			account_id: a.account_id,
-			code_hash: a.code_hash
-		};
-		case "CreateAccount":
-		default: return { action_type: a.action_type };
-	}
-}
-//#endregion
-exports.computeUiIntentDigestFromTxs = computeUiIntentDigestFromTxs;
-exports.orderActionForDigest = orderActionForDigest;
-//# sourceMappingURL=txDigest.js.map

package/dist/cjs/react/sdk/src/core/WebAuthnManager/txDigest.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"txDigest.js","names":["isObject","result: Record<string, unknown>","base64UrlEncode"],"sources":["../../../../../../../src/core/WebAuthnManager/txDigest.ts"],"sourcesContent":["// Canonical transaction digest helpers for UI/host validation.\n// Used by both VRF-driven flows and signer-worker signing flows.\n//\n// Uses Web Crypto API (crypto.subtle). Import a minimal base64url helper that does not pull bs58.\nimport { ActionArgsWasm, TransactionInputWasm } from '@/core/types';\nimport { isObject } from '../WalletIframe/validation';\nimport { base64UrlEncode } from '@/utils/base64';\n\n// Deterministic stringify by alphabetizing object keys recursively.\nexport function alphabetizeStringify(input: unknown): string {\n const normalizeValue = (value: unknown): unknown => {\n if (Array.isArray(value)) {\n return value.map(normalizeValue);\n }\n if (isObject(value)) {\n const obj = value as Record<string, unknown>;\n const sortedKeys = Object.keys(obj).sort();\n const result: Record<string, unknown> = {};\n for (const key of sortedKeys) {\n result[key] = normalizeValue(obj[key]);\n }\n return result;\n }\n return value;\n };\n\n return JSON.stringify(normalizeValue(input));\n}\n\nexport async function sha256Base64UrlUtf8(input: string): Promise<string> {\n const enc = new TextEncoder();\n const data = enc.encode(input);\n const digest = await crypto.subtle.digest('SHA-256', data);\n return base64UrlEncode(digest);\n}\n\n// Canonical intent digest for signing flows.\n// Both VRF-side code (confirmAndPrepareSigningSession) and all UI confirmers MUST call this with\n// TransactionInputWasm[] built from:\n// { receiverId, actions: ActionArgsWasm[] }\n// where each ActionArgsWasm has been normalized via orderActionForDigest.\n//\n// IMPORTANT:\n// - The order of transactions and the order of actions within each transaction is preserved.\n// - Only the *keys inside each object* are alphabetically sorted to produce a stable JSON encoding.\n// The arrays themselves are not reordered.\n// - Do NOT include nonce or other per-tx fields in the digest input, or INTENT_DIGEST_MISMATCH errors will occur.\nexport async function computeUiIntentDigestFromTxs(txInputs: TransactionInputWasm[]): Promise<string> {\n // Preserve property insertion order and array order via JSON.stringify over a normalized tree.\n // This must match the Rust worker's serde_json::to_string over the same shape.\n const json = alphabetizeStringify(txInputs);\n return sha256Base64UrlUtf8(json);\n}\n\nexport function orderActionForDigest(a: ActionArgsWasm) {\n switch (a.action_type) {\n case 'FunctionCall':\n return { action_type: a.action_type, args: a.args, deposit: a.deposit, gas: a.gas, method_name: a.method_name };\n case 'Transfer':\n return { action_type: a.action_type, deposit: a.deposit };\n case 'Stake':\n return { action_type: a.action_type, stake: a.stake, public_key: a.public_key };\n case 'AddKey':\n return { action_type: a.action_type, public_key: a.public_key, access_key: a.access_key };\n case 'DeleteKey':\n return { action_type: a.action_type, public_key: a.public_key };\n case 'DeleteAccount':\n return { action_type: a.action_type, beneficiary_id: a.beneficiary_id };\n case 'DeployContract':\n return { action_type: a.action_type, code: a.code };\n case 'DeployGlobalContract':\n return { action_type: a.action_type, code: a.code, deploy_mode: a.deploy_mode };\n case 'UseGlobalContract':\n return { action_type: a.action_type, account_id: a.account_id, code_hash: a.code_hash };\n case 'CreateAccount':\n default:\n return { action_type: a.action_type };\n }\n};\n"],"mappings":";;;;;;;AASA,SAAgB,qBAAqB,OAAwB;CAC3D,MAAM,kBAAkB,UAA4B;AAClD,MAAI,MAAM,QAAQ,OAChB,QAAO,MAAM,IAAI;AAEnB,MAAIA,4BAAS,QAAQ;GACnB,MAAM,MAAM;GACZ,MAAM,aAAa,OAAO,KAAK,KAAK;GACpC,MAAMC,SAAkC;AACxC,QAAK,MAAM,OAAO,WAChB,QAAO,OAAO,eAAe,IAAI;AAEnC,UAAO;;AAET,SAAO;;AAGT,QAAO,KAAK,UAAU,eAAe;;AAGvC,eAAsB,oBAAoB,OAAgC;CACxE,MAAM,MAAM,IAAI;CAChB,MAAM,OAAO,IAAI,OAAO;CACxB,MAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW;AACrD,QAAOC,+BAAgB;;AAczB,eAAsB,6BAA6B,UAAmD;CAGpG,MAAM,OAAO,qBAAqB;AAClC,QAAO,oBAAoB;;AAG7B,SAAgB,qBAAqB,GAAmB;AACtD,SAAQ,EAAE,aAAV;EACE,KAAK,eACH,QAAO;GAAE,aAAa,EAAE;GAAa,MAAM,EAAE;GAAM,SAAS,EAAE;GAAS,KAAK,EAAE;GAAK,aAAa,EAAE;;EACpG,KAAK,WACH,QAAO;GAAE,aAAa,EAAE;GAAa,SAAS,EAAE;;EAClD,KAAK,QACH,QAAO;GAAE,aAAa,EAAE;GAAa,OAAO,EAAE;GAAO,YAAY,EAAE;;EACrE,KAAK,SACH,QAAO;GAAE,aAAa,EAAE;GAAa,YAAY,EAAE;GAAY,YAAY,EAAE;;EAC/E,KAAK,YACH,QAAO;GAAE,aAAa,EAAE;GAAa,YAAY,EAAE;;EACrD,KAAK,gBACH,QAAO;GAAE,aAAa,EAAE;GAAa,gBAAgB,EAAE;;EACzD,KAAK,iBACH,QAAO;GAAE,aAAa,EAAE;GAAa,MAAM,EAAE;;EAC/C,KAAK,uBACH,QAAO;GAAE,aAAa,EAAE;GAAa,MAAM,EAAE;GAAM,aAAa,EAAE;;EACpE,KAAK,oBACH,QAAO;GAAE,aAAa,EAAE;GAAa,YAAY,EAAE;GAAY,WAAW,EAAE;;EAC9E,KAAK;EACL,QACE,QAAO,EAAE,aAAa,EAAE"}

package/dist/cjs/react/sdk/src/core/WebAuthnManager/userHandle.js DELETED Viewed

@@ -1,39 +0,0 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
-const require_validation = require('../../utils/validation.js');
-const require_base64 = require('../../utils/base64.js');
-const require_index = require('../../utils/index.js');
-//#region src/core/WebAuthnManager/userHandle.ts
-require_index.init_utils();
-require_validation.init_validation();
-/**
-* Parse a WebAuthn userHandle into a NEAR account ID.
-* Accepts either a base64url string (serialized) or an ArrayBuffer-like value.
-* Strips optional device suffixes like " (2)" appended during registration.
-* Returns a validated account ID string or null if invalid/unavailable.
-*/
-function parseAccountIdFromUserHandle(userHandle) {
-	try {
-		let bytes = null;
-		if (typeof userHandle === "string" && userHandle.length > 0) try {
-			bytes = require_base64.base64UrlDecode(userHandle);
-		} catch {
-			bytes = null;
-		}
-		else if (userHandle && typeof userHandle.byteLength === "number") try {
-			bytes = new Uint8Array(userHandle);
-		} catch {
-			bytes = null;
-		}
-		if (!bytes || bytes.byteLength === 0) return null;
-		const decoded = new TextDecoder().decode(bytes);
-		const base = decoded.replace(/ \(\d+\)$/g, "");
-		return require_validation.validateNearAccountId(base).valid ? base : null;
-	} catch {
-		return null;
-	}
-}
-//#endregion
-exports.parseAccountIdFromUserHandle = parseAccountIdFromUserHandle;
-//# sourceMappingURL=userHandle.js.map

package/dist/cjs/react/sdk/src/core/WebAuthnManager/userHandle.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"userHandle.js","names":["bytes: Uint8Array | null","base64UrlDecode","validateNearAccountId"],"sources":["../../../../../../../src/core/WebAuthnManager/userHandle.ts"],"sourcesContent":["import { base64UrlDecode } from '../../utils';\nimport { validateNearAccountId } from '../../utils/validation';\n\n/**\n * Parse a WebAuthn userHandle into a NEAR account ID.\n * Accepts either a base64url string (serialized) or an ArrayBuffer-like value.\n * Strips optional device suffixes like \" (2)\" appended during registration.\n * Returns a validated account ID string or null if invalid/unavailable.\n */\nexport function parseAccountIdFromUserHandle(userHandle: unknown): string | null {\n try {\n let bytes: Uint8Array | null = null;\n if (typeof userHandle === 'string' && userHandle.length > 0) {\n try { bytes = base64UrlDecode(userHandle); } catch { bytes = null; }\n } else if (userHandle && typeof (userHandle as any).byteLength === 'number') {\n try { bytes = new Uint8Array(userHandle as ArrayBuffer); } catch { bytes = null; }\n }\n if (!bytes || bytes.byteLength === 0) return null;\n\n const decoded = new TextDecoder().decode(bytes);\n const base = decoded.replace(/ \$\\d+\$$/g, '');\n return validateNearAccountId(base).valid ? base : null;\n } catch {\n return null;\n }\n}\n\n"],"mappings":";;;;;;;;;;;;;;AASA,SAAgB,6BAA6B,YAAoC;AAC/E,KAAI;EACF,IAAIA,QAA2B;AAC/B,MAAI,OAAO,eAAe,YAAY,WAAW,SAAS,EACxD,KAAI;AAAE,WAAQC,+BAAgB;UAAqB;AAAE,WAAQ;;WACpD,cAAc,OAAQ,WAAmB,eAAe,SACjE,KAAI;AAAE,WAAQ,IAAI,WAAW;UAAoC;AAAE,WAAQ;;AAE7E,MAAI,CAAC,SAAS,MAAM,eAAe,EAAG,QAAO;EAE7C,MAAM,UAAU,IAAI,cAAc,OAAO;EACzC,MAAM,OAAO,QAAQ,QAAQ,cAAc;AAC3C,SAAOC,yCAAsB,MAAM,QAAQ,OAAO;SAC5C;AACN,SAAO"}