npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/esm/react/sdk/src/core/TatchiPasskey/recoverAccount.js DELETED Viewed

@@ -1,428 +0,0 @@
-import { init_validation, validateNearAccountId } from "../../utils/validation.js";
-import { init_accountIds, toAccountId } from "../types/accountIds.js";
-import { IndexedDBManager, init_IndexedDBManager } from "../IndexedDBManager/index.js";
-import { createRandomVRFChallenge, init_vrf_worker } from "../types/vrf-worker.js";
-import { AccountRecoveryPhase, AccountRecoveryStatus, init_sdkSentEvents } from "../types/sdkSentEvents.js";
-import { getCredentialIdsContractCall, init_rpcCalls, syncAuthenticatorsContractCall } from "../rpcCalls.js";
-import { parseAccountIdFromUserHandle } from "../WebAuthnManager/userHandle.js";
-//#region src/core/TatchiPasskey/recoverAccount.ts
-init_sdkSentEvents();
-init_validation();
-init_accountIds();
-init_vrf_worker();
-init_IndexedDBManager();
-init_rpcCalls();
-/**
-* Account recovery flow with credential encapsulation
-*
-* Usage:
-* ```typescript
-* const flow = new AccountRecoveryFlow(context);
-* const options = await flow.discover(); // Get safe display options
-* // ... user selects account in UI ...
-* const result = await flow.recover({ credentialId, accountId }); // Execute recovery
-* ```
-*/
-var AccountRecoveryFlow = class {
-	context;
-	options;
-	availableAccounts;
-	phase = "idle";
-	error;
-	constructor(context, options) {
-		this.context = context;
-		this.options = options;
-	}
-	/**
-	* Phase 1: Discover available accounts
-	* Returns safe display data without exposing credentials to UI
-	*/
-	async discover(accountId) {
-		try {
-			this.phase = "discovering";
-			const hasValidAccount = !!accountId && validateNearAccountId(accountId).valid;
-			if (hasValidAccount) {
-				const nearAccountId = toAccountId(accountId);
-				this.availableAccounts = await getRecoverableAccounts(this.context, nearAccountId);
-			} else {
-				const challenge = createRandomVRFChallenge();
-				const credential = await this.context.webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({
-					nearAccountId: "",
-					challenge,
-					credentialIds: []
-				});
-				let inferredAccountId = null;
-				try {
-					const assertion = credential.response;
-					inferredAccountId = parseAccountIdFromUserHandle(assertion?.userHandle);
-				} catch {}
-				const option = {
-					credentialId: credential.id,
-					accountId: inferredAccountId ? inferredAccountId : null,
-					publicKey: "",
-					displayName: inferredAccountId ? `${inferredAccountId}` : "Recovered passkey",
-					credential
-				};
-				this.availableAccounts = [option];
-			}
-			if (!this.availableAccounts || this.availableAccounts.length === 0) console.warn("No recoverable accounts found for this passkey");
-			else console.debug(`AccountRecoveryFlow: Found ${this.availableAccounts.length} recoverable accounts`);
-			this.phase = "ready";
-			return this.availableAccounts.map((option) => ({
-				credentialId: option.credentialId,
-				accountId: option.accountId,
-				publicKey: option.publicKey,
-				displayName: option.displayName
-			}));
-		} catch (error) {
-			this.phase = "error";
-			this.error = error;
-			console.error("AccountRecoveryFlow: Discovery failed:", error);
-			throw error;
-		}
-	}
-	/**
-	* Phase 2: Execute recovery with user selection
-	* Securely looks up credential based on selection
-	*/
-	async recover(selection) {
-		if (this.phase !== "ready") throw new Error(`Cannot recover - flow is in ${this.phase} phase. Call discover() first.`);
-		if (!this.availableAccounts) throw new Error("No available accounts found. Call discover() first.");
-		try {
-			this.phase = "recovering";
-			console.debug(`AccountRecoveryFlow: Recovering account: ${selection.accountId}`);
-			const selectedOption = this.availableAccounts.find((option) => option.credentialId === selection.credentialId && option.accountId === selection.accountId);
-			if (!selectedOption) throw new Error("Invalid selection - account not found in available options");
-			if (!selectedOption.accountId) {
-				try {
-					const challenge = createRandomVRFChallenge();
-					const cred = await this.context.webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({
-						nearAccountId: "",
-						challenge,
-						credentialIds: selectedOption.credentialId && selectedOption.credentialId !== "manual-input" ? [selectedOption.credentialId] : []
-					});
-					const assertion = cred.response;
-					const maybeAccount = parseAccountIdFromUserHandle(assertion?.userHandle);
-					if (maybeAccount) selectedOption.accountId = maybeAccount;
-				} catch {}
-				if (!selectedOption.accountId) throw new Error("Invalid account selection - no account ID provided");
-			}
-			const allowList = (() => {
-				try {
-					if (!this.availableAccounts) return void 0;
-					if (!selectedOption.credentialId || selectedOption.credentialId === "manual-input") return void 0;
-					const ids = this.availableAccounts.filter((opt) => opt.accountId === selectedOption.accountId && opt.credentialId && opt.credentialId !== "manual-input").map((opt) => opt.credentialId);
-					const uniq = Array.from(new Set(ids));
-					return uniq.length > 0 ? uniq : void 0;
-				} catch {
-					return void 0;
-				}
-			})();
-			const recoveryResult = await recoverAccount(this.context, selectedOption.accountId, this.options, void 0, allowList);
-			this.phase = "complete";
-			return recoveryResult;
-		} catch (error) {
-			this.phase = "error";
-			this.error = error;
-			console.error("AccountRecoveryFlow: Recovery failed:", error);
-			throw error;
-		}
-	}
-	/**
-	* Get current flow state (safe display data only)
-	*/
-	getState() {
-		const safeAccounts = this.availableAccounts?.map((option) => ({
-			credentialId: option.credentialId,
-			accountId: option.accountId,
-			publicKey: option.publicKey,
-			displayName: option.displayName
-		}));
-		return {
-			phase: this.phase,
-			availableAccounts: safeAccounts,
-			error: this.error,
-			isReady: this.phase === "ready",
-			isComplete: this.phase === "complete",
-			hasError: this.phase === "error"
-		};
-	}
-	/**
-	* Reset flow to initial state
-	*/
-	reset() {
-		this.phase = "idle";
-		this.availableAccounts = void 0;
-		this.error = void 0;
-	}
-};
-/**
-* Get available passkeys for account recovery
-*/
-async function getRecoverableAccounts(context, accountId) {
-	const availablePasskeys = await getAvailablePasskeysForDomain(context, accountId);
-	return availablePasskeys.filter((passkey) => passkey.accountId !== null);
-}
-/**
-* Discover passkeys for domain using contract-based lookup
-*/
-async function getAvailablePasskeysForDomain(context, accountId) {
-	const { nearClient, configs } = context;
-	const credentialIds = await getCredentialIdsContractCall(nearClient, configs.contractId, accountId);
-	if (credentialIds.length > 0) return credentialIds.map((credentialId, idx) => ({
-		credentialId,
-		accountId,
-		publicKey: "",
-		displayName: credentialIds.length > 1 ? `${accountId} (passkey ${idx + 1})` : `${accountId}`,
-		credential: null
-	}));
-	return [];
-}
-/**
-* Main account recovery function
-*/
-async function recoverAccount(context, accountId, options, reuseCredential, allowedCredentialIds) {
-	const { onEvent, onError, afterCall } = options || {};
-	const { webAuthnManager, nearClient, configs } = context;
-	onEvent?.({
-		step: 1,
-		phase: AccountRecoveryPhase.STEP_1_PREPARATION,
-		status: AccountRecoveryStatus.PROGRESS,
-		message: "Preparing account recovery..."
-	});
-	try {
-		const validation = validateNearAccountId(accountId);
-		if (!validation.valid) return handleRecoveryError(accountId, `Invalid NEAR account ID: ${validation.error}`, onError, afterCall);
-		onEvent?.({
-			step: 2,
-			phase: AccountRecoveryPhase.STEP_2_WEBAUTHN_AUTHENTICATION,
-			status: AccountRecoveryStatus.PROGRESS,
-			message: "Authenticating with contract..."
-		});
-		const credential = await getOrCreateCredential(webAuthnManager, accountId, reuseCredential, allowedCredentialIds);
-		const assertion = credential?.response;
-		const passkeyAccount = parseAccountIdFromUserHandle(assertion?.userHandle);
-		if (passkeyAccount && passkeyAccount !== accountId) return handleRecoveryError(accountId, `Selected passkey belongs to ${passkeyAccount}, not ${accountId}`, onError, afterCall);
-		const blockInfo = await nearClient.viewBlock({ finality: "final" });
-		const blockHeight = String(blockInfo.header.height);
-		const blockHash = blockInfo.header.hash;
-		const vrfInputData = {
-			userId: accountId,
-			rpId: webAuthnManager.getRpId(),
-			blockHeight,
-			blockHash
-		};
-		const deterministicVrfResult = await webAuthnManager.deriveVrfKeypair({
-			credential,
-			nearAccountId: accountId,
-			vrfInputData
-		});
-		if (!deterministicVrfResult.success) throw new Error("Failed to derive deterministic VRF keypair and generate challenge from PRF");
-		const recoveredKeypair = await webAuthnManager.recoverKeypairFromPasskey(credential, accountId);
-		if (!recoveredKeypair.wrapKeySalt) throw new Error("Missing wrapKeySalt in recovered key material; re-register to upgrade vault format.");
-		const hasAccess = await nearClient.viewAccessKey(accountId, recoveredKeypair.publicKey);
-		if (!hasAccess) return handleRecoveryError(accountId, `Account ${accountId} was not created with this passkey`, onError, afterCall);
-		const recoveryResult = await performAccountRecovery({
-			context,
-			accountId,
-			publicKey: recoveredKeypair.publicKey,
-			encryptedKeypair: {
-				encryptedPrivateKey: recoveredKeypair.encryptedPrivateKey,
-				chacha20NonceB64u: recoveredKeypair.chacha20NonceB64u,
-				wrapKeySalt: recoveredKeypair.wrapKeySalt
-			},
-			credential,
-			encryptedVrfResult: {
-				vrfPublicKey: deterministicVrfResult.vrfPublicKey,
-				encryptedVrfKeypair: deterministicVrfResult.encryptedVrfKeypair,
-				serverEncryptedVrfKeypair: deterministicVrfResult.serverEncryptedVrfKeypair || void 0
-			},
-			onEvent
-		});
-		onEvent?.({
-			step: 5,
-			phase: AccountRecoveryPhase.STEP_5_ACCOUNT_RECOVERY_COMPLETE,
-			status: AccountRecoveryStatus.SUCCESS,
-			message: "Account recovery completed successfully",
-			data: { recoveryResult }
-		});
-		afterCall?.(true, recoveryResult);
-		return recoveryResult;
-	} catch (error) {
-		try {
-			await webAuthnManager.clearVrfSession();
-		} catch (clearError) {
-			console.warn("Failed to clear VRF session after recovery error:", clearError);
-		}
-		onError?.(error);
-		return handleRecoveryError(accountId, error.message, onError, afterCall);
-	}
-}
-/**
-* Get credential (reuse existing or create new)
-*/
-async function getOrCreateCredential(webAuthnManager, accountId, reuseCredential, allowedCredentialIds) {
-	if (reuseCredential) {
-		const prfResults = reuseCredential.clientExtensionResults?.prf?.results;
-		if (!prfResults?.first || !prfResults?.second) throw new Error("Reused credential missing PRF outputs - cannot proceed with recovery");
-		return reuseCredential;
-	}
-	const challenge = createRandomVRFChallenge();
-	return await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({
-		nearAccountId: accountId,
-		challenge,
-		credentialIds: allowedCredentialIds ?? []
-	});
-}
-/**
-* Handle recovery error
-*/
-function handleRecoveryError(accountId, errorMessage, onError, afterCall) {
-	console.error("[recoverAccount] Error:", errorMessage);
-	onError?.(new Error(errorMessage));
-	const errorResult = {
-		success: false,
-		accountId,
-		publicKey: "",
-		message: `Recovery failed: ${errorMessage}`,
-		error: errorMessage
-	};
-	afterCall?.(false);
-	return errorResult;
-}
-/**
-* Perform the actual recovery process
-* Syncs on-chain data and restores local IndexedDB data
-*/
-async function performAccountRecovery({ context, accountId, publicKey, encryptedKeypair, credential, encryptedVrfResult, onEvent }) {
-	const { webAuthnManager, nearClient, configs } = context;
-	try {
-		console.debug(`Performing recovery for account: ${accountId}`);
-		onEvent?.({
-			step: 3,
-			phase: AccountRecoveryPhase.STEP_3_SYNC_AUTHENTICATORS_ONCHAIN,
-			status: AccountRecoveryStatus.PROGRESS,
-			message: "Syncing authenticators from onchain..."
-		});
-		const contractAuthenticators = await syncAuthenticatorsContractCall(nearClient, configs.contractId, accountId);
-		const credentialIdUsed = credential.rawId;
-		const matchingAuthenticator = contractAuthenticators.find((auth) => auth.credentialId === credentialIdUsed);
-		if (!matchingAuthenticator) throw new Error(`Could not find authenticator for credential ${credentialIdUsed}`);
-		const deviceNumber = matchingAuthenticator.authenticator.deviceNumber;
-		if (deviceNumber === void 0) throw new Error(`Device number not found for authenticator ${credentialIdUsed}`);
-		const serverEncryptedVrfKeypairObj = encryptedVrfResult.serverEncryptedVrfKeypair;
-		await restoreUserData({
-			webAuthnManager,
-			accountId,
-			deviceNumber,
-			publicKey,
-			encryptedVrfKeypair: encryptedVrfResult.encryptedVrfKeypair,
-			serverEncryptedVrfKeypair: serverEncryptedVrfKeypairObj,
-			encryptedNearKeypair: encryptedKeypair,
-			credential
-		});
-		await restoreAuthenticators({
-			webAuthnManager,
-			accountId,
-			contractAuthenticators: [matchingAuthenticator],
-			vrfPublicKey: encryptedVrfResult.vrfPublicKey
-		});
-		onEvent?.({
-			step: 4,
-			phase: AccountRecoveryPhase.STEP_4_AUTHENTICATOR_SAVED,
-			status: AccountRecoveryStatus.SUCCESS,
-			message: "Restored Passkey authenticator..."
-		});
-		console.debug("Unlocking VRF keypair in memory after account recovery");
-		const unlockResult = await webAuthnManager.unlockVRFKeypair({
-			nearAccountId: accountId,
-			encryptedVrfKeypair: encryptedVrfResult.encryptedVrfKeypair,
-			credential
-		});
-		if (!unlockResult.success) console.warn("Failed to unlock VRF keypair after recovery:", unlockResult.error);
-		else console.debug("VRF keypair unlocked successfully after account recovery");
-		try {
-			await webAuthnManager.initializeCurrentUser(accountId, context.nearClient);
-		} catch (initErr) {
-			console.warn("Failed to initialize current user after recovery:", initErr);
-		}
-		return {
-			success: true,
-			accountId,
-			publicKey,
-			message: "Account successfully recovered"
-		};
-	} catch (error) {
-		console.error("[performAccountRecovery] Error:", error);
-		throw new Error(`Recovery process failed: ${error.message}`);
-	}
-}
-async function restoreUserData({ webAuthnManager, accountId, deviceNumber, publicKey, encryptedVrfKeypair, serverEncryptedVrfKeypair, encryptedNearKeypair, credential }) {
-	const existingUser = await webAuthnManager.getUserByDevice(accountId, deviceNumber);
-	if (!encryptedNearKeypair.wrapKeySalt) throw new Error("Missing wrapKeySalt in recovered key material; re-register to upgrade vault format.");
-	const wrapKeySalt = encryptedNearKeypair.wrapKeySalt;
-	const chacha20NonceB64u = encryptedNearKeypair.chacha20NonceB64u;
-	if (!chacha20NonceB64u) throw new Error("Missing chacha20NonceB64u in recovered key material; cannot store encrypted NEAR key.");
-	await IndexedDBManager.nearKeysDB.storeEncryptedKey({
-		nearAccountId: accountId,
-		deviceNumber,
-		encryptedData: encryptedNearKeypair.encryptedPrivateKey,
-		chacha20NonceB64u,
-		wrapKeySalt,
-		version: 2,
-		timestamp: Date.now()
-	});
-	if (!existingUser) await webAuthnManager.registerUser({
-		nearAccountId: accountId,
-		deviceNumber,
-		version: 2,
-		clientNearPublicKey: publicKey,
-		lastUpdated: Date.now(),
-		passkeyCredential: {
-			id: credential.id,
-			rawId: credential.rawId
-		},
-		encryptedVrfKeypair: {
-			encryptedVrfDataB64u: encryptedVrfKeypair.encryptedVrfDataB64u,
-			chacha20NonceB64u: encryptedVrfKeypair.chacha20NonceB64u
-		},
-		serverEncryptedVrfKeypair
-	});
-	else await webAuthnManager.storeUserData({
-		nearAccountId: accountId,
-		clientNearPublicKey: publicKey,
-		lastUpdated: Date.now(),
-		passkeyCredential: existingUser.passkeyCredential,
-		encryptedVrfKeypair: {
-			encryptedVrfDataB64u: encryptedVrfKeypair.encryptedVrfDataB64u,
-			chacha20NonceB64u: encryptedVrfKeypair.chacha20NonceB64u
-		},
-		serverEncryptedVrfKeypair,
-		deviceNumber
-	});
-}
-async function restoreAuthenticators({ webAuthnManager, accountId, contractAuthenticators, vrfPublicKey }) {
-	for (const { credentialId, authenticator } of contractAuthenticators) {
-		const credentialPublicKey = authenticator.credentialPublicKey;
-		const validTransports = authenticator.transports.filter((transport) => transport !== void 0 && transport !== null && typeof transport === "string");
-		const transports = validTransports?.length > 0 ? validTransports : ["internal"];
-		const deviceNumber = authenticator.deviceNumber;
-		console.debug("Restoring authenticator with device number:", deviceNumber, authenticator);
-		await webAuthnManager.storeAuthenticator({
-			nearAccountId: accountId,
-			credentialId,
-			credentialPublicKey,
-			transports,
-			name: `Recovered Device ${deviceNumber} Passkey`,
-			registered: authenticator.registered.toISOString(),
-			syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
-			vrfPublicKey,
-			deviceNumber
-		});
-	}
-}
-//#endregion
-export { AccountRecoveryFlow };
-//# sourceMappingURL=recoverAccount.js.map

package/dist/esm/react/sdk/src/core/TatchiPasskey/recoverAccount.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"recoverAccount.js","names":["inferredAccountId: string | null","assertion: any","option: PasskeyOption","error: any","vrfInputData: VRFInputData","errorResult: RecoveryResult"],"sources":["../../../../../../../src/core/TatchiPasskey/recoverAccount.ts"],"sourcesContent":["import type { AfterCall, AccountRecoverySSEEvent, EventCallback } from '../types/sdkSentEvents';\nimport { AccountRecoveryPhase, AccountRecoveryStatus, AccountRecoveryHooksOptions } from '../types/sdkSentEvents';\nimport type { PasskeyManagerContext } from './index';\nimport type {\n AccountId,\n StoredAuthenticator,\n VRFChallenge,\n WebAuthnAuthenticationCredential\n} from '../types';\nimport type { EncryptedVRFKeypair, ServerEncryptedVrfKeypair } from '../types/vrf-worker';\nimport { validateNearAccountId } from '../../utils/validation';\nimport { parseAccountIdFromUserHandle } from '../WebAuthnManager/userHandle';\nimport { toAccountId } from '../types/accountIds';\nimport { createRandomVRFChallenge } from '../types/vrf-worker';\nimport { WebAuthnManager } from '../WebAuthnManager';\nimport { IndexedDBManager } from '../IndexedDBManager';\nimport type { VRFInputData } from '../types/vrf-worker';\nimport type { OriginPolicyInput, UserVerificationPolicy } from '../types/authenticatorOptions';\nimport {\n getCredentialIdsContractCall,\n syncAuthenticatorsContractCall\n} from '../rpcCalls';\n\n/**\n * Use case:\n * Suppose a user accidentally clears their browser's indexedDB, and deletes their:\n * - encrypted NEAR keypair\n * - encrypted VRF keypair\n * - webauthn authenticator\n * Provide a way for the user to recover their account from onchain authenticator information with their Passkey.\n */\n\nexport interface RecoveryResult {\n success: boolean;\n accountId: string;\n publicKey: string;\n message: string;\n error?: string;\n loginState?: {\n isLoggedIn: boolean;\n vrfActive: boolean;\n vrfSessionDuration?: number;\n };\n}\n\nexport interface AccountLookupResult {\n accountId: string;\n publicKey: string;\n hasAccess: boolean;\n}\n\nexport interface PasskeyOption {\n credentialId: string;\n accountId: AccountId | null;\n publicKey: string;\n displayName: string;\n credential: WebAuthnAuthenticationCredential | null;\n}\n\n// Public-facing passkey option without sensitive credential data\nexport interface PasskeyOptionWithoutCredential {\n credentialId: string;\n accountId: string | null;\n publicKey: string;\n displayName: string;\n}\n\n// Internal selection identifier for secure credential lookup\nexport interface PasskeySelection {\n credentialId: string;\n accountId: string | null;\n}\n\n/**\n * Account recovery flow with credential encapsulation\n *\n * Usage:\n * ```typescript\n * const flow = new AccountRecoveryFlow(context);\n * const options = await flow.discover(); // Get safe display options\n * // ... user selects account in UI ...\n * const result = await flow.recover({ credentialId, accountId }); // Execute recovery\n * ```\n */\nexport class AccountRecoveryFlow {\n private context: PasskeyManagerContext;\n private options?: AccountRecoveryHooksOptions;\n private availableAccounts?: PasskeyOption[]; // Full options with credentials (private)\n private phase: 'idle' | 'discovering' | 'ready' | 'recovering' | 'complete' | 'error' = 'idle';\n private error?: Error;\n\n constructor(context: PasskeyManagerContext, options?: AccountRecoveryHooksOptions) {\n this.context = context;\n this.options = options;\n }\n\n /**\n * Phase 1: Discover available accounts\n * Returns safe display data without exposing credentials to UI\n */\n async discover(accountId: string): Promise<PasskeyOptionWithoutCredential[]> {\n try {\n this.phase = 'discovering';\n const hasValidAccount = !!accountId && validateNearAccountId(accountId).valid;\n\n if (hasValidAccount) {\n const nearAccountId = toAccountId(accountId);\n // Contract-based lookup; no WebAuthn prompt during discovery\n this.availableAccounts = await getRecoverableAccounts(this.context, nearAccountId);\n } else {\n // Fallback discovery without a typed account: prompt once to select a passkey\n // Then infer the accountId from userHandle (set at registration time)\n const challenge = createRandomVRFChallenge();\n const credential = await this.context.webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n // Account is unknown here – salts aren't used downstream for discovery\n nearAccountId: '' as any,\n challenge: challenge as VRFChallenge,\n credentialIds: [],\n });\n\n // Try to infer accountId from userHandle\n let inferredAccountId: string | null = null;\n try {\n const assertion: any = credential.response as any;\n inferredAccountId = parseAccountIdFromUserHandle(assertion?.userHandle);\n } catch {}\n\n const option: PasskeyOption = {\n credentialId: credential.id,\n accountId: inferredAccountId ? (inferredAccountId as any as AccountId) : null,\n publicKey: '',\n displayName: inferredAccountId ? `${inferredAccountId}` : 'Recovered passkey',\n credential,\n };\n this.availableAccounts = [option];\n }\n\n if (!this.availableAccounts || this.availableAccounts.length === 0) {\n console.warn('No recoverable accounts found for this passkey');\n } else {\n console.debug(`AccountRecoveryFlow: Found ${this.availableAccounts.length} recoverable accounts`);\n }\n\n this.phase = 'ready';\n\n // Return safe options without credentials for UI display\n return this.availableAccounts.map(option => ({\n credentialId: option.credentialId,\n accountId: option.accountId,\n publicKey: option.publicKey,\n displayName: option.displayName\n }));\n\n } catch (error: any) {\n this.phase = 'error';\n this.error = error;\n console.error('AccountRecoveryFlow: Discovery failed:', error);\n throw error;\n }\n }\n\n /**\n * Phase 2: Execute recovery with user selection\n * Securely looks up credential based on selection\n */\n async recover(selection: PasskeySelection): Promise<RecoveryResult> {\n if (this.phase !== 'ready') {\n throw new Error(`Cannot recover - flow is in ${this.phase} phase. Call discover() first.`);\n }\n if (!this.availableAccounts) {\n throw new Error('No available accounts found. Call discover() first.');\n }\n\n try {\n this.phase = 'recovering';\n console.debug(`AccountRecoveryFlow: Recovering account: ${selection.accountId}`);\n\n // Securely lookup the full option with credential\n const selectedOption = this.availableAccounts.find(\n option => option.credentialId === selection.credentialId &&\n option.accountId === selection.accountId\n );\n\n if (!selectedOption) {\n throw new Error('Invalid selection - account not found in available options');\n }\n if (!selectedOption.accountId) {\n // Attempt a one-time re-prompt to infer accountId from userHandle for this credential\n try {\n const challenge = createRandomVRFChallenge();\n const cred = await this.context.webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId: '' as any,\n challenge: challenge as VRFChallenge,\n credentialIds: selectedOption.credentialId && selectedOption.credentialId !== 'manual-input'\n ? [selectedOption.credentialId]\n : [],\n });\n const assertion: any = cred.response as any;\n const maybeAccount = parseAccountIdFromUserHandle(assertion?.userHandle);\n if (maybeAccount) {\n selectedOption.accountId = maybeAccount as any as AccountId;\n }\n } catch {}\n if (!selectedOption.accountId) {\n throw new Error('Invalid account selection - no account ID provided');\n }\n }\n\n // If multiple credentials exist for this account, allow the platform chooser UI\n // by passing all known credential IDs for this account as allowCredentials.\n const allowList = (() => {\n try {\n if (!this.availableAccounts) return undefined;\n if (!selectedOption.credentialId || selectedOption.credentialId === 'manual-input') return undefined;\n const ids = this.availableAccounts\n .filter(opt => opt.accountId === selectedOption.accountId && opt.credentialId && opt.credentialId !== 'manual-input')\n .map(opt => opt.credentialId);\n const uniq = Array.from(new Set(ids));\n return uniq.length > 0 ? uniq : undefined;\n } catch { return undefined; }\n })();\n\n const recoveryResult = await recoverAccount(\n this.context,\n selectedOption.accountId,\n this.options,\n undefined,\n allowList\n );\n\n this.phase = 'complete';\n return recoveryResult;\n\n } catch (error: any) {\n this.phase = 'error';\n this.error = error;\n console.error('AccountRecoveryFlow: Recovery failed:', error);\n throw error;\n }\n }\n\n /**\n * Get current flow state (safe display data only)\n */\n getState() {\n // Convert internal accounts to safe display format\n const safeAccounts = this.availableAccounts?.map(option => ({\n credentialId: option.credentialId,\n accountId: option.accountId,\n publicKey: option.publicKey,\n displayName: option.displayName\n }));\n\n return {\n phase: this.phase,\n availableAccounts: safeAccounts,\n error: this.error,\n isReady: this.phase === 'ready',\n isComplete: this.phase === 'complete',\n hasError: this.phase === 'error'\n };\n }\n\n /**\n * Reset flow to initial state\n */\n reset() {\n this.phase = 'idle';\n this.availableAccounts = undefined;\n this.error = undefined;\n }\n}\n\n/**\n * Get available passkeys for account recovery\n */\nasync function getRecoverableAccounts(\n context: PasskeyManagerContext,\n accountId: AccountId\n): Promise<PasskeyOption[]> {\n const availablePasskeys = await getAvailablePasskeysForDomain(context, accountId);\n return availablePasskeys.filter(passkey => passkey.accountId !== null);\n}\n\n/**\n * Discover passkeys for domain using contract-based lookup\n */\nasync function getAvailablePasskeysForDomain(\n context: PasskeyManagerContext,\n accountId: AccountId\n): Promise<PasskeyOption[]> {\n const { nearClient, configs } = context;\n\n const credentialIds = await getCredentialIdsContractCall(nearClient, configs.contractId, accountId);\n\n // Do not invoke WebAuthn here; just return display options bound to credential IDs\n if (credentialIds.length > 0) {\n return credentialIds.map((credentialId, idx) => ({\n credentialId,\n accountId,\n publicKey: '',\n displayName: credentialIds.length > 1 ? `${accountId} (passkey ${idx + 1})` : `${accountId}`,\n credential: null,\n }));\n }\n // If no contract credentials found for this specific account, do not fall back\n // to an unrestricted OS credential prompt here. Returning an empty set lets\n // the caller surface a precise message (no recoverable accounts for this ID),\n // avoiding accidental selection of a passkey from a different account.\n return [];\n}\n\n/**\n * Main account recovery function\n */\nexport async function recoverAccount(\n context: PasskeyManagerContext,\n accountId: AccountId,\n options?: AccountRecoveryHooksOptions,\n reuseCredential?: WebAuthnAuthenticationCredential,\n allowedCredentialIds?: string[]\n): Promise<RecoveryResult> {\n const { onEvent, onError, afterCall } = options || {};\n const { webAuthnManager, nearClient, configs } = context;\n\n onEvent?.({\n step: 1,\n phase: AccountRecoveryPhase.STEP_1_PREPARATION,\n status: AccountRecoveryStatus.PROGRESS,\n message: 'Preparing account recovery...',\n });\n\n try {\n const validation = validateNearAccountId(accountId);\n if (!validation.valid) {\n return handleRecoveryError(accountId, `Invalid NEAR account ID: ${validation.error}`, onError, afterCall);\n }\n\n onEvent?.({\n step: 2,\n phase: AccountRecoveryPhase.STEP_2_WEBAUTHN_AUTHENTICATION,\n status: AccountRecoveryStatus.PROGRESS,\n message: 'Authenticating with contract...',\n });\n\n const credential = await getOrCreateCredential(\n webAuthnManager,\n accountId,\n reuseCredential,\n allowedCredentialIds\n );\n // Cross-check: ensure the authenticator's userHandle maps to the same account,\n // when available. This avoids deriving a key for the wrong account if the user\n // picks an unrelated passkey from the platform chooser.\n const assertion: any = (credential as any)?.response;\n const passkeyAccount = parseAccountIdFromUserHandle(assertion?.userHandle);\n if (passkeyAccount && passkeyAccount !== accountId) {\n return handleRecoveryError(\n accountId,\n `Selected passkey belongs to ${passkeyAccount}, not ${accountId}`,\n onError,\n afterCall\n );\n }\n\n const blockInfo = await nearClient.viewBlock({ finality: 'final' });\n const blockHeight = String(blockInfo.header.height);\n const blockHash = blockInfo.header.hash;\n\n const vrfInputData: VRFInputData = {\n userId: accountId,\n rpId: webAuthnManager.getRpId(),\n blockHeight,\n blockHash,\n };\n\n // Generate VRF keypair first before recovering keypair\n // keypair recovery needs the VRF keypair in memory to derive the WrapKeySeed\n const deterministicVrfResult = await webAuthnManager.deriveVrfKeypair({\n credential,\n nearAccountId: accountId,\n vrfInputData,\n });\n\n if (!deterministicVrfResult.success) {\n throw new Error('Failed to derive deterministic VRF keypair and generate challenge from PRF');\n }\n\n // Now recover the NEAR keypair (uses VRF keypair to derive WrapKeySeed)\n const recoveredKeypair = await webAuthnManager.recoverKeypairFromPasskey(\n credential,\n accountId\n );\n if (!recoveredKeypair.wrapKeySalt) {\n throw new Error('Missing wrapKeySalt in recovered key material; re-register to upgrade vault format.');\n }\n\n // Check if the recovered public key has access to the account\n const hasAccess = await nearClient.viewAccessKey(accountId, recoveredKeypair.publicKey);\n\n if (!hasAccess) {\n return handleRecoveryError(accountId, `Account ${accountId} was not created with this passkey`, onError, afterCall);\n }\n\n const recoveryResult = await performAccountRecovery({\n context,\n accountId,\n publicKey: recoveredKeypair.publicKey,\n encryptedKeypair: {\n encryptedPrivateKey: recoveredKeypair.encryptedPrivateKey,\n chacha20NonceB64u: recoveredKeypair.chacha20NonceB64u,\n wrapKeySalt: recoveredKeypair.wrapKeySalt,\n },\n credential: credential,\n encryptedVrfResult: {\n vrfPublicKey: deterministicVrfResult.vrfPublicKey,\n encryptedVrfKeypair: deterministicVrfResult.encryptedVrfKeypair,\n serverEncryptedVrfKeypair: deterministicVrfResult.serverEncryptedVrfKeypair || undefined,\n },\n onEvent,\n });\n\n onEvent?.({\n step: 5,\n phase: AccountRecoveryPhase.STEP_5_ACCOUNT_RECOVERY_COMPLETE,\n status: AccountRecoveryStatus.SUCCESS,\n message: 'Account recovery completed successfully',\n data: { recoveryResult },\n });\n\n afterCall?.(true, recoveryResult);\n return recoveryResult;\n } catch (error: any) {\n // Clear any VRF session that might have been established during recovery\n try {\n await webAuthnManager.clearVrfSession();\n } catch (clearError) {\n console.warn('Failed to clear VRF session after recovery error:', clearError);\n }\n\n onError?.(error);\n return handleRecoveryError(accountId, error.message, onError, afterCall);\n }\n}\n\n/**\n * Get credential (reuse existing or create new)\n */\nasync function getOrCreateCredential(\n webAuthnManager: WebAuthnManager,\n accountId: AccountId,\n reuseCredential?: WebAuthnAuthenticationCredential,\n allowedCredentialIds?: string[]\n): Promise<WebAuthnAuthenticationCredential> {\n\n if (reuseCredential) {\n const prfResults = reuseCredential.clientExtensionResults?.prf?.results;\n if (!prfResults?.first || !prfResults?.second) {\n throw new Error('Reused credential missing PRF outputs - cannot proceed with recovery');\n }\n return reuseCredential;\n }\n\n const challenge = createRandomVRFChallenge();\n\n return await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId: accountId,\n challenge: challenge as VRFChallenge,\n credentialIds: allowedCredentialIds ?? []\n });\n}\n\n/**\n * Handle recovery error\n */\nfunction handleRecoveryError(\n accountId: AccountId,\n errorMessage: string,\n onError?: (error: Error) => void,\n afterCall?: AfterCall<any>\n): RecoveryResult {\n console.error('[recoverAccount] Error:', errorMessage);\n onError?.(new Error(errorMessage));\n\n const errorResult: RecoveryResult = {\n success: false,\n accountId,\n publicKey: '',\n message: `Recovery failed: ${errorMessage}`,\n error: errorMessage\n };\n\n const result = { success: false, accountId, error: errorMessage } as any;\n afterCall?.(false);\n return errorResult;\n}\n\n/**\n * Perform the actual recovery process\n * Syncs on-chain data and restores local IndexedDB data\n */\nasync function performAccountRecovery({\n context,\n accountId,\n publicKey,\n encryptedKeypair,\n credential,\n encryptedVrfResult,\n onEvent,\n}: {\n context: PasskeyManagerContext,\n accountId: AccountId,\n publicKey: string,\n encryptedKeypair: {\n encryptedPrivateKey: string,\n /**\n * Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key.\n */\n chacha20NonceB64u: string,\n wrapKeySalt?: string,\n },\n credential: WebAuthnAuthenticationCredential,\n encryptedVrfResult: {\n encryptedVrfKeypair: EncryptedVRFKeypair;\n vrfPublicKey: string\n serverEncryptedVrfKeypair?: ServerEncryptedVrfKeypair\n },\n onEvent?: EventCallback<AccountRecoverySSEEvent>,\n}): Promise<RecoveryResult> {\n\n const { webAuthnManager, nearClient, configs } = context;\n\n try {\n console.debug(`Performing recovery for account: ${accountId}`);\n onEvent?.({\n step: 3,\n phase: AccountRecoveryPhase.STEP_3_SYNC_AUTHENTICATORS_ONCHAIN,\n status: AccountRecoveryStatus.PROGRESS,\n message: 'Syncing authenticators from onchain...',\n });\n\n // 1. Sync on-chain authenticator data\n const contractAuthenticators = await syncAuthenticatorsContractCall(nearClient, configs.contractId, accountId);\n\n // 2. Find the matching authenticator to get the correct device number\n // Serialized auth credential.rawId is already base64url-encoded\n const credentialIdUsed = credential.rawId;\n const matchingAuthenticator = contractAuthenticators.find(auth => auth.credentialId === credentialIdUsed);\n\n if (!matchingAuthenticator) {\n throw new Error(`Could not find authenticator for credential ${credentialIdUsed}`);\n }\n\n const deviceNumber = matchingAuthenticator.authenticator.deviceNumber;\n if (deviceNumber === undefined) {\n throw new Error(`Device number not found for authenticator ${credentialIdUsed}`);\n }\n\n // 3. Restore user data to IndexedDB with correct device number\n // Use the server-encrypted VRF keypair directly from the VRF worker result\n const serverEncryptedVrfKeypairObj = encryptedVrfResult.serverEncryptedVrfKeypair;\n\n await restoreUserData({\n webAuthnManager,\n accountId,\n deviceNumber,\n publicKey,\n encryptedVrfKeypair: encryptedVrfResult.encryptedVrfKeypair,\n serverEncryptedVrfKeypair: serverEncryptedVrfKeypairObj,\n encryptedNearKeypair: encryptedKeypair,\n credential\n });\n\n // 4. Restore only the authenticator used for recovery\n await restoreAuthenticators({\n webAuthnManager,\n accountId,\n contractAuthenticators: [matchingAuthenticator],\n vrfPublicKey: encryptedVrfResult.vrfPublicKey\n // deterministically derived VRF keypair\n });\n\n onEvent?.({\n step: 4,\n phase: AccountRecoveryPhase.STEP_4_AUTHENTICATOR_SAVED,\n status: AccountRecoveryStatus.SUCCESS,\n message: 'Restored Passkey authenticator...',\n });\n\n // 5. Unlock VRF keypair in memory for immediate use\n console.debug('Unlocking VRF keypair in memory after account recovery');\n const unlockResult = await webAuthnManager.unlockVRFKeypair({\n nearAccountId: accountId,\n encryptedVrfKeypair: encryptedVrfResult.encryptedVrfKeypair,\n credential: credential,\n });\n\n if (!unlockResult.success) {\n console.warn('Failed to unlock VRF keypair after recovery:', unlockResult.error);\n // Don't throw error here - recovery was successful, but VRF unlock failed\n } else {\n console.debug('VRF keypair unlocked successfully after account recovery');\n }\n\n // 6. Initialize current user only after a successful unlock\n try {\n await webAuthnManager.initializeCurrentUser(accountId, context.nearClient);\n } catch (initErr) {\n console.warn('Failed to initialize current user after recovery:', initErr);\n }\n\n return {\n success: true,\n accountId,\n publicKey,\n message: 'Account successfully recovered',\n };\n\n } catch (error: any) {\n console.error('[performAccountRecovery] Error:', error);\n throw new Error(`Recovery process failed: ${error.message}`);\n }\n}\n\n/** Stored authenticator onchain uses snake case */\nexport interface ContractStoredAuthenticator {\n // V4 contract fields (snake_case JSON)\n credential_public_key: number[] | Uint8Array;\n transports?: AuthenticatorTransport[] | null;\n registered: string; // ISO timestamp (legacy contracts may return numeric timestamp string)\n expected_rp_id?: string;\n origin_policy?: OriginPolicyInput;\n user_verification?: UserVerificationPolicy;\n vrf_public_keys?: Array<number[] | Uint8Array> | string[];\n device_number: number; // 1-indexed for UX\n near_public_key?: string;\n}\n\nasync function restoreUserData({\n webAuthnManager,\n accountId,\n deviceNumber,\n publicKey,\n encryptedVrfKeypair,\n serverEncryptedVrfKeypair,\n encryptedNearKeypair,\n credential\n}: {\n webAuthnManager: WebAuthnManager,\n accountId: AccountId,\n deviceNumber: number,\n publicKey: string,\n encryptedVrfKeypair: EncryptedVRFKeypair,\n serverEncryptedVrfKeypair?: ServerEncryptedVrfKeypair,\n encryptedNearKeypair: {\n encryptedPrivateKey: string;\n /** Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key */\n chacha20NonceB64u: string;\n wrapKeySalt?: string;\n },\n credential: WebAuthnAuthenticationCredential\n}) {\n const existingUser = await webAuthnManager.getUserByDevice(accountId, deviceNumber);\n if (!encryptedNearKeypair.wrapKeySalt) {\n throw new Error('Missing wrapKeySalt in recovered key material; re-register to upgrade vault format.');\n }\n const wrapKeySalt = encryptedNearKeypair.wrapKeySalt;\n\n const chacha20NonceB64u = encryptedNearKeypair.chacha20NonceB64u;\n if (!chacha20NonceB64u) {\n throw new Error('Missing chacha20NonceB64u in recovered key material; cannot store encrypted NEAR key.');\n }\n\n // Store the encrypted NEAR keypair in the encrypted keys database\n await IndexedDBManager.nearKeysDB.storeEncryptedKey({\n nearAccountId: accountId,\n deviceNumber,\n encryptedData: encryptedNearKeypair.encryptedPrivateKey,\n chacha20NonceB64u,\n wrapKeySalt,\n version: 2,\n timestamp: Date.now()\n });\n\n if (!existingUser) {\n await webAuthnManager.registerUser({\n nearAccountId: accountId,\n deviceNumber,\n version: 2,\n clientNearPublicKey: publicKey,\n lastUpdated: Date.now(),\n passkeyCredential: {\n id: credential.id,\n rawId: credential.rawId\n },\n encryptedVrfKeypair: {\n encryptedVrfDataB64u: encryptedVrfKeypair.encryptedVrfDataB64u,\n chacha20NonceB64u: encryptedVrfKeypair.chacha20NonceB64u,\n },\n serverEncryptedVrfKeypair,\n });\n } else {\n await webAuthnManager.storeUserData({\n nearAccountId: accountId,\n clientNearPublicKey: publicKey,\n lastUpdated: Date.now(),\n passkeyCredential: existingUser.passkeyCredential,\n encryptedVrfKeypair: {\n encryptedVrfDataB64u: encryptedVrfKeypair.encryptedVrfDataB64u,\n chacha20NonceB64u: encryptedVrfKeypair.chacha20NonceB64u,\n },\n serverEncryptedVrfKeypair,\n deviceNumber\n });\n }\n}\n\nasync function restoreAuthenticators({\n webAuthnManager,\n accountId,\n contractAuthenticators,\n vrfPublicKey\n}: {\n webAuthnManager: WebAuthnManager,\n accountId: AccountId,\n contractAuthenticators: {\n credentialId: string,\n authenticator: StoredAuthenticator\n }[],\n vrfPublicKey: string\n}) {\n for (const { credentialId, authenticator } of contractAuthenticators) {\n const credentialPublicKey = authenticator.credentialPublicKey;\n\n // Fix transport processing: filter out undefined values and provide fallback\n const validTransports = authenticator.transports.filter((transport) =>\n transport !== undefined && transport !== null && typeof transport === 'string'\n );\n\n // If no valid transports, default to 'internal' for platform authenticators\n const transports = validTransports?.length > 0 ? validTransports : ['internal'];\n\n // Extract device number from contract authenticator data (now camelCase)\n const deviceNumber = authenticator.deviceNumber;\n console.debug(\"Restoring authenticator with device number:\", deviceNumber, authenticator);\n\n await webAuthnManager.storeAuthenticator({\n nearAccountId: accountId,\n credentialId: credentialId,\n credentialPublicKey,\n transports,\n name: `Recovered Device ${deviceNumber} Passkey`,\n registered: authenticator.registered.toISOString(),\n syncedAt: new Date().toISOString(),\n vrfPublicKey,\n deviceNumber // Pass the device number from contract data\n });\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAoFA,IAAa,sBAAb,MAAiC;CAC/B,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ,QAAgF;CACxF,AAAQ;CAER,YAAY,SAAgC,SAAuC;AACjF,OAAK,UAAU;AACf,OAAK,UAAU;;;;;;CAOjB,MAAM,SAAS,WAA8D;AAC3E,MAAI;AACF,QAAK,QAAQ;GACb,MAAM,kBAAkB,CAAC,CAAC,aAAa,sBAAsB,WAAW;AAExE,OAAI,iBAAiB;IACnB,MAAM,gBAAgB,YAAY;AAElC,SAAK,oBAAoB,MAAM,uBAAuB,KAAK,SAAS;UAC/D;IAGL,MAAM,YAAY;IAClB,MAAM,aAAa,MAAM,KAAK,QAAQ,gBAAgB,8CAA8C;KAElG,eAAe;KACJ;KACX,eAAe;;IAIjB,IAAIA,oBAAmC;AACvC,QAAI;KACF,MAAMC,YAAiB,WAAW;AAClC,yBAAoB,6BAA6B,WAAW;YACtD;IAER,MAAMC,SAAwB;KAC5B,cAAc,WAAW;KACzB,WAAW,oBAAqB,oBAAyC;KACzE,WAAW;KACX,aAAa,oBAAoB,GAAG,sBAAsB;KAC1D;;AAEF,SAAK,oBAAoB,CAAC;;AAG5B,OAAI,CAAC,KAAK,qBAAqB,KAAK,kBAAkB,WAAW,EAC/D,SAAQ,KAAK;OAEb,SAAQ,MAAM,8BAA8B,KAAK,kBAAkB,OAAO;AAG5E,QAAK,QAAQ;AAGb,UAAO,KAAK,kBAAkB,KAAI,YAAW;IAC3C,cAAc,OAAO;IACrB,WAAW,OAAO;IAClB,WAAW,OAAO;IAClB,aAAa,OAAO;;WAGfC,OAAY;AACnB,QAAK,QAAQ;AACb,QAAK,QAAQ;AACb,WAAQ,MAAM,0CAA0C;AACxD,SAAM;;;;;;;CAQV,MAAM,QAAQ,WAAsD;AAClE,MAAI,KAAK,UAAU,QACjB,OAAM,IAAI,MAAM,+BAA+B,KAAK,MAAM;AAE5D,MAAI,CAAC,KAAK,kBACR,OAAM,IAAI,MAAM;AAGlB,MAAI;AACF,QAAK,QAAQ;AACb,WAAQ,MAAM,4CAA4C,UAAU;GAGpE,MAAM,iBAAiB,KAAK,kBAAkB,MAC5C,WAAU,OAAO,iBAAiB,UAAU,gBACnC,OAAO,cAAc,UAAU;AAG1C,OAAI,CAAC,eACH,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,eAAe,WAAW;AAE7B,QAAI;KACF,MAAM,YAAY;KAClB,MAAM,OAAO,MAAM,KAAK,QAAQ,gBAAgB,8CAA8C;MAC5F,eAAe;MACJ;MACX,eAAe,eAAe,gBAAgB,eAAe,iBAAiB,iBAC1E,CAAC,eAAe,gBAChB;;KAEN,MAAMF,YAAiB,KAAK;KAC5B,MAAM,eAAe,6BAA6B,WAAW;AAC7D,SAAI,aACF,gBAAe,YAAY;YAEvB;AACR,QAAI,CAAC,eAAe,UAClB,OAAM,IAAI,MAAM;;GAMpB,MAAM,mBAAmB;AACvB,QAAI;AACF,SAAI,CAAC,KAAK,kBAAmB,QAAO;AACpC,SAAI,CAAC,eAAe,gBAAgB,eAAe,iBAAiB,eAAgB,QAAO;KAC3F,MAAM,MAAM,KAAK,kBACd,QAAO,QAAO,IAAI,cAAc,eAAe,aAAa,IAAI,gBAAgB,IAAI,iBAAiB,gBACrG,KAAI,QAAO,IAAI;KAClB,MAAM,OAAO,MAAM,KAAK,IAAI,IAAI;AAChC,YAAO,KAAK,SAAS,IAAI,OAAO;YAC1B;AAAE,YAAO;;;GAGnB,MAAM,iBAAiB,MAAM,eAC3B,KAAK,SACL,eAAe,WACf,KAAK,SACL,QACA;AAGF,QAAK,QAAQ;AACb,UAAO;WAEAE,OAAY;AACnB,QAAK,QAAQ;AACb,QAAK,QAAQ;AACb,WAAQ,MAAM,yCAAyC;AACvD,SAAM;;;;;;CAOV,WAAW;EAET,MAAM,eAAe,KAAK,mBAAmB,KAAI,YAAW;GAC1D,cAAc,OAAO;GACrB,WAAW,OAAO;GAClB,WAAW,OAAO;GAClB,aAAa,OAAO;;AAGtB,SAAO;GACL,OAAO,KAAK;GACZ,mBAAmB;GACnB,OAAO,KAAK;GACZ,SAAS,KAAK,UAAU;GACxB,YAAY,KAAK,UAAU;GAC3B,UAAU,KAAK,UAAU;;;;;;CAO7B,QAAQ;AACN,OAAK,QAAQ;AACb,OAAK,oBAAoB;AACzB,OAAK,QAAQ;;;;;;AAOjB,eAAe,uBACb,SACA,WAC0B;CAC1B,MAAM,oBAAoB,MAAM,8BAA8B,SAAS;AACvE,QAAO,kBAAkB,QAAO,YAAW,QAAQ,cAAc;;;;;AAMnE,eAAe,8BACb,SACA,WAC0B;CAC1B,MAAM,EAAE,YAAY,YAAY;CAEhC,MAAM,gBAAgB,MAAM,6BAA6B,YAAY,QAAQ,YAAY;AAGzF,KAAI,cAAc,SAAS,EACzB,QAAO,cAAc,KAAK,cAAc,SAAS;EAC/C;EACA;EACA,WAAW;EACX,aAAa,cAAc,SAAS,IAAI,GAAG,UAAU,YAAY,MAAM,EAAE,KAAK,GAAG;EACjF,YAAY;;AAOhB,QAAO;;;;;AAMT,eAAsB,eACpB,SACA,WACA,SACA,iBACA,sBACyB;CACzB,MAAM,EAAE,SAAS,SAAS,cAAc,WAAW;CACnD,MAAM,EAAE,iBAAiB,YAAY,YAAY;AAEjD,WAAU;EACR,MAAM;EACN,OAAO,qBAAqB;EAC5B,QAAQ,sBAAsB;EAC9B,SAAS;;AAGX,KAAI;EACF,MAAM,aAAa,sBAAsB;AACzC,MAAI,CAAC,WAAW,MACd,QAAO,oBAAoB,WAAW,4BAA4B,WAAW,SAAS,SAAS;AAGjG,YAAU;GACR,MAAM;GACN,OAAO,qBAAqB;GAC5B,QAAQ,sBAAsB;GAC9B,SAAS;;EAGX,MAAM,aAAa,MAAM,sBACvB,iBACA,WACA,iBACA;EAKF,MAAMF,YAAkB,YAAoB;EAC5C,MAAM,iBAAiB,6BAA6B,WAAW;AAC/D,MAAI,kBAAkB,mBAAmB,UACvC,QAAO,oBACL,WACA,+BAA+B,eAAe,QAAQ,aACtD,SACA;EAIJ,MAAM,YAAY,MAAM,WAAW,UAAU,EAAE,UAAU;EACzD,MAAM,cAAc,OAAO,UAAU,OAAO;EAC5C,MAAM,YAAY,UAAU,OAAO;EAEnC,MAAMG,eAA6B;GACjC,QAAQ;GACR,MAAM,gBAAgB;GACtB;GACA;;EAKF,MAAM,yBAAyB,MAAM,gBAAgB,iBAAiB;GACpE;GACA,eAAe;GACf;;AAGF,MAAI,CAAC,uBAAuB,QAC1B,OAAM,IAAI,MAAM;EAIlB,MAAM,mBAAmB,MAAM,gBAAgB,0BAC7C,YACA;AAEF,MAAI,CAAC,iBAAiB,YACpB,OAAM,IAAI,MAAM;EAIlB,MAAM,YAAY,MAAM,WAAW,cAAc,WAAW,iBAAiB;AAE7E,MAAI,CAAC,UACH,QAAO,oBAAoB,WAAW,WAAW,UAAU,qCAAqC,SAAS;EAG3G,MAAM,iBAAiB,MAAM,uBAAuB;GAClD;GACA;GACA,WAAW,iBAAiB;GAC5B,kBAAkB;IAChB,qBAAqB,iBAAiB;IACtC,mBAAmB,iBAAiB;IACpC,aAAa,iBAAiB;;GAEpB;GACZ,oBAAoB;IAClB,cAAc,uBAAuB;IACrC,qBAAqB,uBAAuB;IAC5C,2BAA2B,uBAAuB,6BAA6B;;GAEjF;;AAGF,YAAU;GACR,MAAM;GACN,OAAO,qBAAqB;GAC5B,QAAQ,sBAAsB;GAC9B,SAAS;GACT,MAAM,EAAE;;AAGV,cAAY,MAAM;AAClB,SAAO;UACAD,OAAY;AAEnB,MAAI;AACF,SAAM,gBAAgB;WACf,YAAY;AACnB,WAAQ,KAAK,qDAAqD;;AAGpE,YAAU;AACV,SAAO,oBAAoB,WAAW,MAAM,SAAS,SAAS;;;;;;AAOlE,eAAe,sBACb,iBACA,WACA,iBACA,sBAC2C;AAE3C,KAAI,iBAAiB;EACnB,MAAM,aAAa,gBAAgB,wBAAwB,KAAK;AAChE,MAAI,CAAC,YAAY,SAAS,CAAC,YAAY,OACrC,OAAM,IAAI,MAAM;AAElB,SAAO;;CAGT,MAAM,YAAY;AAElB,QAAO,MAAM,gBAAgB,8CAA8C;EACzE,eAAe;EACJ;EACX,eAAe,wBAAwB;;;;;;AAO3C,SAAS,oBACP,WACA,cACA,SACA,WACgB;AAChB,SAAQ,MAAM,2BAA2B;AACzC,WAAU,IAAI,MAAM;CAEpB,MAAME,cAA8B;EAClC,SAAS;EACT;EACA,WAAW;EACX,SAAS,oBAAoB;EAC7B,OAAO;;AAIT,aAAY;AACZ,QAAO;;;;;;AAOT,eAAe,uBAAuB,EACpC,SACA,WACA,WACA,kBACA,YACA,oBACA,WAoB0B;CAE1B,MAAM,EAAE,iBAAiB,YAAY,YAAY;AAEjD,KAAI;AACF,UAAQ,MAAM,oCAAoC;AAClD,YAAU;GACR,MAAM;GACN,OAAO,qBAAqB;GAC5B,QAAQ,sBAAsB;GAC9B,SAAS;;EAIX,MAAM,yBAAyB,MAAM,+BAA+B,YAAY,QAAQ,YAAY;EAIpG,MAAM,mBAAmB,WAAW;EACpC,MAAM,wBAAwB,uBAAuB,MAAK,SAAQ,KAAK,iBAAiB;AAExF,MAAI,CAAC,sBACH,OAAM,IAAI,MAAM,+CAA+C;EAGjE,MAAM,eAAe,sBAAsB,cAAc;AACzD,MAAI,iBAAiB,OACnB,OAAM,IAAI,MAAM,6CAA6C;EAK/D,MAAM,+BAA+B,mBAAmB;AAExD,QAAM,gBAAgB;GACpB;GACA;GACA;GACA;GACA,qBAAqB,mBAAmB;GACxC,2BAA2B;GAC3B,sBAAsB;GACtB;;AAIF,QAAM,sBAAsB;GAC1B;GACA;GACA,wBAAwB,CAAC;GACzB,cAAc,mBAAmB;;AAInC,YAAU;GACR,MAAM;GACN,OAAO,qBAAqB;GAC5B,QAAQ,sBAAsB;GAC9B,SAAS;;AAIX,UAAQ,MAAM;EACd,MAAM,eAAe,MAAM,gBAAgB,iBAAiB;GAC1D,eAAe;GACf,qBAAqB,mBAAmB;GAC5B;;AAGd,MAAI,CAAC,aAAa,QAChB,SAAQ,KAAK,gDAAgD,aAAa;MAG1E,SAAQ,MAAM;AAIhB,MAAI;AACF,SAAM,gBAAgB,sBAAsB,WAAW,QAAQ;WACxD,SAAS;AAChB,WAAQ,KAAK,qDAAqD;;AAGpE,SAAO;GACL,SAAS;GACT;GACA;GACA,SAAS;;UAGJF,OAAY;AACnB,UAAQ,MAAM,mCAAmC;AACjD,QAAM,IAAI,MAAM,4BAA4B,MAAM;;;AAkBtD,eAAe,gBAAgB,EAC7B,iBACA,WACA,cACA,WACA,qBACA,2BACA,sBACA,cAeC;CACD,MAAM,eAAe,MAAM,gBAAgB,gBAAgB,WAAW;AACtE,KAAI,CAAC,qBAAqB,YACxB,OAAM,IAAI,MAAM;CAElB,MAAM,cAAc,qBAAqB;CAEzC,MAAM,oBAAoB,qBAAqB;AAC/C,KAAI,CAAC,kBACH,OAAM,IAAI,MAAM;AAIlB,OAAM,iBAAiB,WAAW,kBAAkB;EAClD,eAAe;EACf;EACA,eAAe,qBAAqB;EACpC;EACA;EACA,SAAS;EACT,WAAW,KAAK;;AAGlB,KAAI,CAAC,aACH,OAAM,gBAAgB,aAAa;EACjC,eAAe;EACf;EACA,SAAS;EACT,qBAAqB;EACrB,aAAa,KAAK;EAClB,mBAAmB;GACjB,IAAI,WAAW;GACf,OAAO,WAAW;;EAEpB,qBAAqB;GACnB,sBAAsB,oBAAoB;GAC1C,mBAAmB,oBAAoB;;EAEzC;;KAGF,OAAM,gBAAgB,cAAc;EAClC,eAAe;EACf,qBAAqB;EACrB,aAAa,KAAK;EAClB,mBAAmB,aAAa;EAChC,qBAAqB;GACnB,sBAAsB,oBAAoB;GAC1C,mBAAmB,oBAAoB;;EAEzC;EACA;;;AAKN,eAAe,sBAAsB,EACnC,iBACA,WACA,wBACA,gBASC;AACD,MAAK,MAAM,EAAE,cAAc,mBAAmB,wBAAwB;EACpE,MAAM,sBAAsB,cAAc;EAG1C,MAAM,kBAAkB,cAAc,WAAW,QAAQ,cACvD,cAAc,UAAa,cAAc,QAAQ,OAAO,cAAc;EAIxE,MAAM,aAAa,iBAAiB,SAAS,IAAI,kBAAkB,CAAC;EAGpE,MAAM,eAAe,cAAc;AACnC,UAAQ,MAAM,+CAA+C,cAAc;AAE3E,QAAM,gBAAgB,mBAAmB;GACvC,eAAe;GACD;GACd;GACA;GACA,MAAM,oBAAoB,aAAa;GACvC,YAAY,cAAc,WAAW;GACrC,2BAAU,IAAI,QAAO;GACrB;GACA"}