npm - @tatchi-xyz/sdk - Versions diffs - 0.20.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.20.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2491) hide show

package/dist/cjs/core/rpcCalls.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"rpcCalls.js","names":["error: any","ActionType","ActionPhase","DeviceLinkingPhase","DeviceLinkingStatus","addKeyTxResult: FinalExecutionOutcome","storeDeviceLinkingTxResult: FinalExecutionOutcome","DEFAULT_WAIT_STATUS","txError: any","base64UrlEncode","DEFAULT_EMAIL_RECOVERY_CONTRACTS","base64UrlDecode","err: unknown","errorMessage"],"sources":["../../../src/core/rpcCalls.ts"],"sourcesContent":["/*\n Consolidated NEAR Contract Calls\n \n This file contains all the NEAR contract calls made to the web3authn contract\n * throughout the passkey SDK. It provides a centralized location for all\n * contract interactions and makes it easier to maintain and update contract\n * call patterns.\n /\n\nimport type { FinalExecutionOutcome } from '@near-js/types';\nimport type { NearClient, SignedTransaction } from './NearClient';\nimport type { ContractStoredAuthenticator } from './TatchiPasskey/recoverAccount';\nimport type { PasskeyManagerContext } from './TatchiPasskey';\nimport type { AccountId } from './types/accountIds';\nimport type { DeviceLinkingSSEEvent } from './types/sdkSentEvents';\nimport type {\n StoredAuthenticator,\n WebAuthnRegistrationCredential,\n WebAuthnAuthenticationCredential\n} from './types/webauthn';\n\nimport { ActionPhase, DeviceLinkingPhase, DeviceLinkingStatus } from './types/sdkSentEvents';\nimport { ActionType, type ActionArgs } from './types/actions';\nimport { VRFChallenge } from './types/vrf-worker';\nimport { DEFAULT_WAIT_STATUS, TransactionContext } from './types/rpc';\nimport type { AuthenticatorOptions } from './types/authenticatorOptions';\nimport type { ConfirmationConfig } from './types/signer-worker';\nimport { base64UrlDecode, base64UrlEncode } from '../utils/encoders';\nimport { errorMessage } from '../utils/errors';\nimport type { EmailRecoveryContracts } from './types/tatchi';\nimport { DEFAULT_EMAIL_RECOVERY_CONTRACTS } from './defaultConfigs';\n\n// ===========================\n// CONTRACT CALL RESPONSES\n// ===========================\n\nexport interface DeviceLinkingResult {\n linkedAccountId: string;\n deviceNumber: number;\n}\n\nexport interface CredentialIdsResult {\n credentialIds: string[];\n}\n\nexport interface AuthenticatorsResult {\n authenticators: Array<[string, ContractStoredAuthenticator]>;\n}\n\nexport type EmailRecoveryVerificationResult = {\n verified: boolean;\n account_id?: string;\n new_public_key?: string;\n transaction_hash?: string;\n error_code?: string;\n error_message?: string;\n};\n\nexport async function getEmailRecoveryVerificationResult(\n nearClient: NearClient,\n dkimVerifierAccountId: string,\n verificationViewMethod: string,\n requestId: string\n): Promise<EmailRecoveryVerificationResult \| null> {\n return await nearClient.view<{ request_id: string }, EmailRecoveryVerificationResult \| null>({\n account: dkimVerifierAccountId,\n method: verificationViewMethod,\n args: { request_id: requestId },\n });\n}\n\n// ===========================\n// DEVICE LINKING CONTRACT CALLS\n// ===========================\n\n/\n Query the contract to get the account linked to a device public key\n * Used in device linking flow to check if a device key has been added\n \n NEAR does not provide a way to lookup the AccountID an access key has access to.\n * So we store a temporary mapping in the contract to lookup pubkey -> account ID.\n /\nexport async function getDeviceLinkingAccountContractCall(\n nearClient: NearClient,\n contractId: string,\n devicePublicKey: string\n): Promise<DeviceLinkingResult \| null> {\n try {\n const result = await nearClient.callFunction<\n { device_public_key: string },\n [string, number \| string]\n >(\n contractId,\n 'get_device_linking_account',\n { device_public_key: devicePublicKey }\n );\n\n // Handle different result formats\n if (result && Array.isArray(result) && result.length >= 2) {\n const [linkedAccountId, deviceNumberRaw] = result;\n const deviceNumber = Number(deviceNumberRaw);\n if (!Number.isSafeInteger(deviceNumber) \|\| deviceNumber < 0) {\n console.warn(\n 'Invalid deviceNumber returned from get_device_linking_account:',\n deviceNumberRaw\n );\n return null;\n }\n return {\n linkedAccountId,\n deviceNumber\n };\n }\n\n return null;\n } catch (error: any) {\n console.warn('Failed to get device linking account:', error.message);\n return null;\n }\n}\n\n// ===========================\n// DEVICE LINKING TRANSACTION CALLS\n// ===========================\n\n/\n Execute device1's linking transactions (AddKey + Contract mapping)\n * This function signs and broadcasts both transactions required for device linking\n /\nexport async function executeDeviceLinkingContractCalls({\n context,\n device1AccountId,\n device2PublicKey,\n nextNonce,\n nextNextNonce,\n nextNextNextNonce,\n txBlockHash,\n vrfChallenge,\n onEvent,\n confirmationConfigOverride,\n confirmerText,\n}: {\n context: PasskeyManagerContext,\n device1AccountId: AccountId,\n device2PublicKey: string,\n nextNonce: string,\n nextNextNonce: string,\n nextNextNextNonce: string,\n txBlockHash: string,\n vrfChallenge: VRFChallenge,\n onEvent?: (event: DeviceLinkingSSEEvent) => void;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n confirmerText?: { title?: string; body?: string };\n}): Promise<{\n addKeyTxResult: FinalExecutionOutcome;\n storeDeviceLinkingTxResult: FinalExecutionOutcome;\n signedDeleteKeyTransaction: SignedTransaction\n}> {\n\n // Sign three transactions with one PRF authentication\n const signedTransactions = await context.webAuthnManager.signTransactionsWithActions({\n rpcCall: {\n contractId: context.webAuthnManager.tatchiPasskeyConfigs.contractId,\n nearRpcUrl: context.webAuthnManager.tatchiPasskeyConfigs.nearRpcUrl,\n nearAccountId: device1AccountId\n },\n confirmationConfigOverride,\n title: confirmerText?.title,\n body: confirmerText?.body,\n transactions: [\n // Transaction 1: AddKey - Add Device2's key to Device1's account\n {\n receiverId: device1AccountId,\n actions: [{\n action_type: ActionType.AddKey,\n public_key: device2PublicKey,\n access_key: JSON.stringify({\n // NEAR-style AccessKey JSON shape, matching near-api-js:\n // { nonce: number, permission: { FullAccess: {} } }\n nonce: 0,\n permission: { FullAccess: {} },\n }),\n }],\n nonce: nextNonce,\n },\n // Transaction 2: Store temporary mapping in contract so Device2 can lookup Device1's accountID.\n {\n receiverId: context.webAuthnManager.tatchiPasskeyConfigs.contractId,\n actions: [{\n action_type: ActionType.FunctionCall,\n method_name: 'store_device_linking_mapping',\n args: JSON.stringify({\n device_public_key: device2PublicKey,\n target_account_id: device1AccountId,\n }),\n gas: '30000000000000', // 30 TGas for device linking with yield promise automatic cleanup\n deposit: '0'\n }],\n nonce: nextNextNonce,\n },\n // Transaction 3: Remove Device2's temporary key if it fails to complete linking after a timeout\n {\n receiverId: device1AccountId,\n actions: [{\n action_type: ActionType.DeleteKey,\n public_key: device2PublicKey\n }],\n nonce: nextNextNextNonce,\n }\n ],\n onEvent: (progress) => {\n // Bridge all action progress events to the parent so the wallet iframe overlay\n // can expand during user confirmation in wallet-iframe mode.\n try { onEvent?.(progress as any); } catch { }\n // Keep existing mapping for device linking semantics; surface signing as a loading state\n if (progress.phase == ActionPhase.STEP_6_TRANSACTION_SIGNING_COMPLETE) {\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.PROGRESS,\n message: progress.message \|\| 'Transaction signing in progress...'\n })\n }\n }\n });\n\n if (!signedTransactions[0].signedTransaction) {\n throw new Error('AddKey transaction signing failed');\n }\n if (!signedTransactions[1].signedTransaction) {\n throw new Error('Contract mapping transaction signing failed');\n }\n if (!signedTransactions[2].signedTransaction) {\n throw new Error('DeleteKey transaction signing failed');\n }\n\n // Broadcast just the first 2 transactions: addKey and store device linking mapping\n let addKeyTxResult: FinalExecutionOutcome;\n let storeDeviceLinkingTxResult: FinalExecutionOutcome;\n try {\n console.debug('LinkDeviceFlow: AddKey transaction details:', {\n receiverId: signedTransactions[0].signedTransaction.transaction.receiverId,\n actions: signedTransactions[0].signedTransaction.transaction.actions \|\| [],\n transactionKeys: Object.keys(signedTransactions[0].signedTransaction.transaction),\n });\n\n addKeyTxResult = await context.nearClient.sendTransaction(\n signedTransactions[0].signedTransaction,\n DEFAULT_WAIT_STATUS.linkDeviceAddKey\n );\n console.log('LinkDeviceFlow: AddKey transaction result:', addKeyTxResult?.transaction?.hash);\n\n // Send success events immediately after AddKey succeeds\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.SUCCESS,\n message: `AddKey transaction completed successfully!`\n });\n\n // Check if contract mapping transaction is valid before attempting to broadcast\n const contractTx = signedTransactions[1].signedTransaction;\n console.log('LinkDeviceFlow: Contract mapping transaction details:', {\n receiverId: contractTx.transaction.receiverId,\n actions: (contractTx.transaction.actions \|\| []).length\n });\n\n // Standard timeout since nonce conflict should be resolved by the 2s delay\n storeDeviceLinkingTxResult = await context.nearClient.sendTransaction(\n contractTx,\n DEFAULT_WAIT_STATUS.linkDeviceAccountMapping\n );\n\n } catch (txError: any) {\n console.error('LinkDeviceFlow: Transaction broadcasting failed:', txError);\n throw new Error(`Transaction broadcasting failed: ${txError.message}`);\n }\n\n onEvent?.({\n step: 6,\n phase: DeviceLinkingPhase.STEP_6_REGISTRATION,\n status: DeviceLinkingStatus.SUCCESS,\n message: `Device linking completed successfully!`\n });\n\n return {\n addKeyTxResult,\n storeDeviceLinkingTxResult,\n signedDeleteKeyTransaction: signedTransactions[2].signedTransaction\n };\n}\n\n// ===========================\n// ACCOUNT RECOVERY CONTRACT CALLS\n// ===========================\n\n/\n Get credential IDs associated with an account from the contract\n * Used in account recovery to discover available credentials\n /\nexport async function getCredentialIdsContractCall(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<string[]> {\n try {\n const credentialIds = await nearClient.callFunction<{ account_id: AccountId }, string[]>(\n contractId,\n 'get_credential_ids_by_account',\n { account_id: accountId }\n );\n return credentialIds \|\| [];\n } catch (error: any) {\n console.warn('Failed to fetch credential IDs from contract:', error.message);\n return [];\n }\n}\n\n/\n Get all authenticators stored for a user from the contract\n * Used in account recovery to sync authenticator data\n /\nexport async function getAuthenticatorsByUser(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<[string, ContractStoredAuthenticator][]> {\n try {\n const authenticatorsResult = await nearClient.view<{ user_id: AccountId }, [string, ContractStoredAuthenticator][]>({\n account: contractId,\n method: 'get_authenticators_by_user',\n args: { user_id: accountId }\n });\n\n if (authenticatorsResult && Array.isArray(authenticatorsResult)) {\n return authenticatorsResult;\n }\n return [];\n } catch (error: any) {\n console.warn('Failed to fetch authenticators from contract:', error.message);\n return [];\n }\n}\n\nexport async function syncAuthenticatorsContractCall(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<Array<{ credentialId: string, authenticator: StoredAuthenticator }>> {\n try {\n const authenticatorsResult = await getAuthenticatorsByUser(nearClient, contractId, accountId);\n if (authenticatorsResult && Array.isArray(authenticatorsResult)) {\n return authenticatorsResult.map(([credentialId, contractAuthenticator]) => {\n console.log(`Contract authenticator device_number for ${credentialId}:`, contractAuthenticator.device_number);\n\n const transports = Array.isArray(contractAuthenticator.transports)\n ? contractAuthenticator.transports\n : [];\n\n const registered = (() => {\n const raw = String((contractAuthenticator as any).registered ?? '');\n if (!raw) return new Date(0);\n if (/^\\d+$/.test(raw)) {\n const ts = Number(raw);\n return Number.isFinite(ts) ? new Date(ts) : new Date(0);\n }\n const d = new Date(raw);\n return Number.isFinite(d.getTime()) ? d : new Date(0);\n })();\n\n const vrfPublicKeys = (() => {\n const raw = (contractAuthenticator as any).vrf_public_keys;\n if (!raw) return undefined;\n if (Array.isArray(raw) && raw.length > 0 && typeof raw[0] === 'string') {\n return raw as string[];\n }\n if (Array.isArray(raw)) {\n return raw\n .map((entry: unknown) => {\n if (!entry) return null;\n if (entry instanceof Uint8Array) return base64UrlEncode(entry);\n if (Array.isArray(entry)) return base64UrlEncode(new Uint8Array(entry));\n return null;\n })\n .filter((x): x is string => typeof x === 'string' && x.length > 0);\n }\n return undefined;\n })();\n\n return {\n credentialId,\n authenticator: {\n credentialId,\n credentialPublicKey: new Uint8Array(contractAuthenticator.credential_public_key),\n transports,\n userId: accountId,\n name: `Device ${contractAuthenticator.device_number} Authenticator`,\n registered,\n // Store the actual device number from contract (no fallback)\n deviceNumber: contractAuthenticator.device_number,\n vrfPublicKeys\n }\n };\n });\n }\n return [];\n } catch (error: any) {\n console.warn('Failed to fetch authenticators from contract:', error.message);\n return [];\n }\n}\n\n// ===========================\n// RECOVERY EMAIL CONTRACT CALLS\n// ===========================\n\n/\n Fetch on-chain recovery email hashes from the per-account contract.\n * Returns [] when no contract is deployed or on failure.\n /\nexport async function getRecoveryEmailHashesContractCall(\n nearClient: NearClient,\n accountId: AccountId\n): Promise<number[][]> {\n try {\n const code = await nearClient.viewCode(accountId);\n const hasContract = !!code && code.byteLength > 0;\n if (!hasContract) return [];\n\n const hashes = await nearClient.view<Record<string, never>, number[][]>({\n account: accountId,\n method: 'get_recovery_emails',\n args: {} as Record<string, never>,\n });\n\n return Array.isArray(hashes) ? (hashes as number[][]) : [];\n } catch (error) {\n console.error('[rpcCalls] Failed to fetch recovery email hashes', error);\n return [];\n }\n}\n\n/\n Build action args to update on-chain recovery emails for an account.\n * If the per-account contract is missing, deploy/attach the global recoverer via `init_email_recovery`.\n /\nexport async function buildSetRecoveryEmailsActions(\n nearClient: NearClient,\n accountId: AccountId,\n recoveryEmailHashes: number[][],\n contracts: EmailRecoveryContracts = DEFAULT_EMAIL_RECOVERY_CONTRACTS\n): Promise<ActionArgs[]> {\n let hasContract = false;\n try {\n const code = await nearClient.viewCode(accountId);\n hasContract = !!code && code.byteLength > 0;\n } catch {\n hasContract = false;\n }\n\n const {\n emailRecovererGlobalContract,\n zkEmailVerifierContract,\n emailDkimVerifierContract,\n } = contracts;\n\n return hasContract\n ? [\n {\n type: ActionType.UseGlobalContract,\n accountId: emailRecovererGlobalContract,\n },\n {\n type: ActionType.FunctionCall,\n methodName: 'set_recovery_emails',\n args: {\n recovery_emails: recoveryEmailHashes,\n },\n gas: '80000000000000',\n deposit: '0',\n },\n ]\n : [\n {\n type: ActionType.UseGlobalContract,\n accountId: emailRecovererGlobalContract,\n },\n {\n type: ActionType.FunctionCall,\n methodName: 'init_email_recovery',\n args: {\n zk_email_verifier: zkEmailVerifierContract,\n email_dkim_verifier: emailDkimVerifierContract,\n policy: null,\n recovery_emails: recoveryEmailHashes,\n },\n gas: '80000000000000',\n deposit: '0',\n },\n ];\n}\n\nexport async function fetchNonceBlockHashAndHeight({ nearClient, nearPublicKeyStr, nearAccountId }: {\n nearClient: NearClient,\n nearPublicKeyStr: string,\n nearAccountId: AccountId\n}): Promise<TransactionContext> {\n // Get access key and transaction block info concurrently\n const [accessKeyInfo, txBlockInfo] = await Promise.all([\n nearClient.viewAccessKey(nearAccountId, nearPublicKeyStr)\n .catch(e => { throw new Error(`Failed to fetch Access Key`) }),\n nearClient.viewBlock({ finality: 'final' })\n .catch(e => { throw new Error(`Failed to fetch Block Info`) })\n ]);\n if (!accessKeyInfo \|\| accessKeyInfo.nonce === undefined) {\n throw new Error(`Access key not found or invalid for account ${nearAccountId} with public key ${nearPublicKeyStr}. Response: ${JSON.stringify(accessKeyInfo)}`);\n }\n const nextNonce = (BigInt(accessKeyInfo.nonce) + BigInt(1)).toString();\n const txBlockHeight = String(txBlockInfo.header.height);\n const txBlockHash = txBlockInfo.header.hash; // Keep original base58 string\n\n return {\n nearPublicKeyStr,\n accessKeyInfo,\n nextNonce,\n txBlockHeight,\n txBlockHash,\n };\n}\n\n// ===========================\n// REGISTRATION PRE-CHECK CALL\n// ===========================\n\nexport interface CheckCanRegisterUserResult {\n success: boolean;\n verified: boolean;\n logs: string[];\n error?: string;\n}\n\n/\n View-only registration pre-check.\n \n Calls the contract's `check_can_register_user` view method with VRF data\n * derived from the provided VRF challenge and a serialized WebAuthn\n * registration credential (typically with PRF outputs embedded).\n /\nexport async function checkCanRegisterUserContractCall({\n nearClient,\n contractId,\n vrfChallenge,\n credential,\n authenticatorOptions,\n}: {\n nearClient: NearClient;\n contractId: string;\n vrfChallenge: VRFChallenge;\n credential: WebAuthnRegistrationCredential;\n authenticatorOptions?: AuthenticatorOptions;\n}): Promise<CheckCanRegisterUserResult> {\n try {\n const vrfData = {\n vrf_input_data: Array.from(base64UrlDecode(vrfChallenge.vrfInput)),\n vrf_output: Array.from(base64UrlDecode(vrfChallenge.vrfOutput)),\n vrf_proof: Array.from(base64UrlDecode(vrfChallenge.vrfProof)),\n public_key: Array.from(base64UrlDecode(vrfChallenge.vrfPublicKey)),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight),\n block_hash: Array.from(base64UrlDecode(vrfChallenge.blockHash)),\n };\n\n const args = {\n vrf_data: vrfData,\n webauthn_registration: credential,\n authenticator_options: authenticatorOptions,\n };\n\n const response = await nearClient.callFunction<typeof args, any>(\n contractId,\n 'check_can_register_user',\n args,\n );\n\n const verified = !!response?.verified;\n return {\n success: true,\n verified,\n logs: [],\n error: verified ? undefined : 'Contract registration check failed',\n };\n } catch (err: unknown) {\n return {\n success: false,\n verified: false,\n logs: [],\n error: errorMessage(err) \|\| 'Failed to call check_can_register_user',\n };\n }\n}\n\n\n/\n Verify authentication response through relay server\n * Routes the request to relay server which calls the web3authn contract for verification\n * and issues a JWT or session credential\n */\nexport async function verifyAuthenticationResponse(\n relayServerUrl: string,\n routePath: string,\n sessionKind: 'jwt' \| 'cookie',\n vrfChallenge: VRFChallenge,\n webauthnAuthentication: WebAuthnAuthenticationCredential\n): Promise<{\n success: boolean;\n verified?: boolean;\n jwt?: string;\n sessionCredential?: any;\n error?: string;\n contractResponse?: any;\n}> {\n try {\n // Map VRFChallenge into server ContractVrfData shape (number arrays)\n const toBytes = (b64u: string \| undefined): number[] => {\n if (!b64u) return [];\n return Array.from(base64UrlDecode(b64u));\n };\n const vrf_data = {\n vrf_input_data: toBytes(vrfChallenge.vrfInput),\n vrf_output: toBytes(vrfChallenge.vrfOutput),\n vrf_proof: toBytes(vrfChallenge.vrfProof),\n public_key: toBytes(vrfChallenge.vrfPublicKey),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight \|\| 0),\n block_hash: toBytes(vrfChallenge.blockHash),\n };\n\n // Normalize authenticatorAttachment and userHandle to null for server schema\n const webauthn_authentication = {\n ...webauthnAuthentication,\n authenticatorAttachment: webauthnAuthentication.authenticatorAttachment ?? null,\n response: {\n ...webauthnAuthentication.response,\n userHandle: webauthnAuthentication.response.userHandle ?? null,\n }\n };\n\n const url = `${relayServerUrl.replace(/\\/$/, '')}${routePath.startsWith('/') ? routePath : `/${routePath}`}`;\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n credentials: sessionKind === 'cookie' ? 'include' : 'omit',\n body: JSON.stringify({\n sessionKind: sessionKind,\n vrf_data,\n webauthn_authentication,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n return {\n success: false,\n error: `HTTP ${response.status}: ${errorText}`,\n };\n }\n\n const result = await response.json();\n return {\n success: true,\n verified: result.verified,\n jwt: result.jwt,\n sessionCredential: result.sessionCredential,\n contractResponse: result.contractResponse,\n };\n } catch (error: any) {\n return {\n success: false,\n error: error.message \|\| 'Failed to verify authentication response',\n };\n }\n}\n"],"mappings":";;;;;;;;;;AA0DA,eAAsB,mCACpB,YACA,uBACA,wBACA,WACiD;AACjD,QAAO,MAAM,WAAW,KAAqE;EAC3F,SAAS;EACT,QAAQ;EACR,MAAM,EAAE,YAAY;;;;;;;;;;AAexB,eAAsB,oCACpB,YACA,YACA,iBACqC;AACrC,KAAI;EACF,MAAM,SAAS,MAAM,WAAW,aAI9B,YACA,8BACA,EAAE,mBAAmB;AAIvB,MAAI,UAAU,MAAM,QAAQ,WAAW,OAAO,UAAU,GAAG;GACzD,MAAM,CAAC,iBAAiB,mBAAmB;GAC3C,MAAM,eAAe,OAAO;AAC5B,OAAI,CAAC,OAAO,cAAc,iBAAiB,eAAe,GAAG;AAC3D,YAAQ,KACN,kEACA;AAEF,WAAO;;AAET,UAAO;IACL;IACA;;;AAIJ,SAAO;UACAA,OAAY;AACnB,UAAQ,KAAK,yCAAyC,MAAM;AAC5D,SAAO;;;;;;;AAYX,eAAsB,kCAAkC,EACtD,SACA,kBACA,kBACA,WACA,eACA,mBACA,aACA,cACA,SACA,4BACA,iBAiBC;CAGD,MAAM,qBAAqB,MAAM,QAAQ,gBAAgB,4BAA4B;EACnF,SAAS;GACP,YAAY,QAAQ,gBAAgB,qBAAqB;GACzD,YAAY,QAAQ,gBAAgB,qBAAqB;GACzD,eAAe;;EAEjB;EACA,OAAO,eAAe;EACtB,MAAM,eAAe;EACrB,cAAc;GAEZ;IACE,YAAY;IACZ,SAAS,CAAC;KACR,aAAaC,2BAAW;KACxB,YAAY;KACZ,YAAY,KAAK,UAAU;MAGzB,OAAO;MACP,YAAY,EAAE,YAAY;;;IAG9B,OAAO;;GAGT;IACE,YAAY,QAAQ,gBAAgB,qBAAqB;IACzD,SAAS,CAAC;KACR,aAAaA,2BAAW;KACxB,aAAa;KACb,MAAM,KAAK,UAAU;MACnB,mBAAmB;MACnB,mBAAmB;;KAErB,KAAK;KACL,SAAS;;IAEX,OAAO;;GAGT;IACE,YAAY;IACZ,SAAS,CAAC;KACR,aAAaA,2BAAW;KACxB,YAAY;;IAEd,OAAO;;;EAGX,UAAU,aAAa;AAGrB,OAAI;AAAE,cAAU;WAA0B;AAE1C,OAAI,SAAS,SAASC,kCAAY,oCAChC,WAAU;IACR,MAAM;IACN,OAAOC,yCAAmB;IAC1B,QAAQC,0CAAoB;IAC5B,SAAS,SAAS,WAAW;;;;AAMrC,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;CAIlB,IAAIC;CACJ,IAAIC;AACJ,KAAI;AACF,UAAQ,MAAM,+CAA+C;GAC3D,YAAY,mBAAmB,GAAG,kBAAkB,YAAY;GAChE,SAAS,mBAAmB,GAAG,kBAAkB,YAAY,WAAW;GACxE,iBAAiB,OAAO,KAAK,mBAAmB,GAAG,kBAAkB;;AAGvE,mBAAiB,MAAM,QAAQ,WAAW,gBACxC,mBAAmB,GAAG,mBACtBC,gCAAoB;AAEtB,UAAQ,IAAI,8CAA8C,gBAAgB,aAAa;AAGvF,YAAU;GACR,MAAM;GACN,OAAOJ,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;EAIX,MAAM,aAAa,mBAAmB,GAAG;AACzC,UAAQ,IAAI,yDAAyD;GACnE,YAAY,WAAW,YAAY;GACnC,UAAU,WAAW,YAAY,WAAW,IAAI;;AAIlD,+BAA6B,MAAM,QAAQ,WAAW,gBACpD,YACAG,gCAAoB;UAGfC,SAAc;AACrB,UAAQ,MAAM,oDAAoD;AAClE,QAAM,IAAI,MAAM,oCAAoC,QAAQ;;AAG9D,WAAU;EACR,MAAM;EACN,OAAOL,yCAAmB;EAC1B,QAAQC,0CAAoB;EAC5B,SAAS;;AAGX,QAAO;EACL;EACA;EACA,4BAA4B,mBAAmB,GAAG;;;;;;;AAYtD,eAAsB,6BACpB,YACA,YACA,WACmB;AACnB,KAAI;EACF,MAAM,gBAAgB,MAAM,WAAW,aACrC,YACA,iCACA,EAAE,YAAY;AAEhB,SAAO,iBAAiB;UACjBJ,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;;;;;AAQX,eAAsB,wBACpB,YACA,YACA,WACkD;AAClD,KAAI;EACF,MAAM,uBAAuB,MAAM,WAAW,KAAsE;GAClH,SAAS;GACT,QAAQ;GACR,MAAM,EAAE,SAAS;;AAGnB,MAAI,wBAAwB,MAAM,QAAQ,sBACxC,QAAO;AAET,SAAO;UACAA,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;AAIX,eAAsB,+BACpB,YACA,YACA,WAC8E;AAC9E,KAAI;EACF,MAAM,uBAAuB,MAAM,wBAAwB,YAAY,YAAY;AACnF,MAAI,wBAAwB,MAAM,QAAQ,sBACxC,QAAO,qBAAqB,KAAK,CAAC,cAAc,2BAA2B;AACzE,WAAQ,IAAI,4CAA4C,aAAa,IAAI,sBAAsB;GAE/F,MAAM,aAAa,MAAM,QAAQ,sBAAsB,cACnD,sBAAsB,aACtB;GAEJ,MAAM,oBAAoB;IACxB,MAAM,MAAM,OAAQ,sBAA8B,cAAc;AAChE,QAAI,CAAC,IAAK,wBAAO,IAAI,KAAK;AAC1B,QAAI,QAAQ,KAAK,MAAM;KACrB,MAAM,KAAK,OAAO;AAClB,YAAO,OAAO,SAAS,MAAM,IAAI,KAAK,sBAAM,IAAI,KAAK;;IAEvD,MAAM,IAAI,IAAI,KAAK;AACnB,WAAO,OAAO,SAAS,EAAE,aAAa,oBAAI,IAAI,KAAK;;GAGrD,MAAM,uBAAuB;IAC3B,MAAM,MAAO,sBAA8B;AAC3C,QAAI,CAAC,IAAK,QAAO;AACjB,QAAI,MAAM,QAAQ,QAAQ,IAAI,SAAS,KAAK,OAAO,IAAI,OAAO,SAC5D,QAAO;AAET,QAAI,MAAM,QAAQ,KAChB,QAAO,IACJ,KAAK,UAAmB;AACvB,SAAI,CAAC,MAAO,QAAO;AACnB,SAAI,iBAAiB,WAAY,QAAOS,+BAAgB;AACxD,SAAI,MAAM,QAAQ,OAAQ,QAAOA,+BAAgB,IAAI,WAAW;AAChE,YAAO;OAER,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS;AAEpE,WAAO;;AAGT,UAAO;IACL;IACA,eAAe;KACb;KACA,qBAAqB,IAAI,WAAW,sBAAsB;KAC1D;KACA,QAAQ;KACR,MAAM,UAAU,sBAAsB,cAAc;KACpD;KAEA,cAAc,sBAAsB;KACpC;;;;AAKR,SAAO;UACAT,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;;;;;AAYX,eAAsB,mCACpB,YACA,WACqB;AACrB,KAAI;EACF,MAAM,OAAO,MAAM,WAAW,SAAS;EACvC,MAAM,cAAc,CAAC,CAAC,QAAQ,KAAK,aAAa;AAChD,MAAI,CAAC,YAAa,QAAO;EAEzB,MAAM,SAAS,MAAM,WAAW,KAAwC;GACtE,SAAS;GACT,QAAQ;GACR,MAAM;;AAGR,SAAO,MAAM,QAAQ,UAAW,SAAwB;UACjD,OAAO;AACd,UAAQ,MAAM,oDAAoD;AAClE,SAAO;;;;;;;AAQX,eAAsB,8BACpB,YACA,WACA,qBACA,YAAoCU,yDACb;CACvB,IAAI,cAAc;AAClB,KAAI;EACF,MAAM,OAAO,MAAM,WAAW,SAAS;AACvC,gBAAc,CAAC,CAAC,QAAQ,KAAK,aAAa;SACpC;AACN,gBAAc;;CAGhB,MAAM,EACJ,8BACA,yBACA,8BACE;AAEJ,QAAO,cACH,CACE;EACE,MAAMT,2BAAW;EACjB,WAAW;IAEb;EACE,MAAMA,2BAAW;EACjB,YAAY;EACZ,MAAM,EACJ,iBAAiB;EAEnB,KAAK;EACL,SAAS;MAGb,CACE;EACE,MAAMA,2BAAW;EACjB,WAAW;IAEb;EACE,MAAMA,2BAAW;EACjB,YAAY;EACZ,MAAM;GACJ,mBAAmB;GACnB,qBAAqB;GACrB,QAAQ;GACR,iBAAiB;;EAEnB,KAAK;EACL,SAAS;;;;;;;;;;AAmDnB,eAAsB,iCAAiC,EACrD,YACA,YACA,cACA,YACA,wBAOsC;AACtC,KAAI;EACF,MAAM,UAAU;GACd,gBAAgB,MAAM,KAAKU,+BAAgB,aAAa;GACxD,YAAY,MAAM,KAAKA,+BAAgB,aAAa;GACpD,WAAW,MAAM,KAAKA,+BAAgB,aAAa;GACnD,YAAY,MAAM,KAAKA,+BAAgB,aAAa;GACpD,SAAS,aAAa;GACtB,OAAO,aAAa;GACpB,cAAc,OAAO,aAAa;GAClC,YAAY,MAAM,KAAKA,+BAAgB,aAAa;;EAGtD,MAAM,OAAO;GACX,UAAU;GACV,uBAAuB;GACvB,uBAAuB;;EAGzB,MAAM,WAAW,MAAM,WAAW,aAChC,YACA,2BACA;EAGF,MAAM,WAAW,CAAC,CAAC,UAAU;AAC7B,SAAO;GACL,SAAS;GACT;GACA,MAAM;GACN,OAAO,WAAW,SAAY;;UAEzBC,KAAc;AACrB,SAAO;GACL,SAAS;GACT,UAAU;GACV,MAAM;GACN,OAAOC,4BAAa,QAAQ;;;;;;;;;AAWlC,eAAsB,6BACpB,gBACA,WACA,aACA,cACA,wBAQC;AACD,KAAI;EAEF,MAAM,WAAW,SAAuC;AACtD,OAAI,CAAC,KAAM,QAAO;AAClB,UAAO,MAAM,KAAKF,+BAAgB;;EAEpC,MAAM,WAAW;GACf,gBAAgB,QAAQ,aAAa;GACrC,YAAY,QAAQ,aAAa;GACjC,WAAW,QAAQ,aAAa;GAChC,YAAY,QAAQ,aAAa;GACjC,SAAS,aAAa;GACtB,OAAO,aAAa;GACpB,cAAc,OAAO,aAAa,eAAe;GACjD,YAAY,QAAQ,aAAa;;EAInC,MAAM,0BAA0B;GAC9B,GAAG;GACH,yBAAyB,uBAAuB,2BAA2B;GAC3E,UAAU;IACR,GAAG,uBAAuB;IAC1B,YAAY,uBAAuB,SAAS,cAAc;;;EAI9D,MAAM,MAAM,GAAG,eAAe,QAAQ,OAAO,MAAM,UAAU,WAAW,OAAO,YAAY,IAAI;EAC/F,MAAM,WAAW,MAAM,MAAM,KAAK;GAChC,QAAQ;GACR,SAAS,EACP,gBAAgB;GAElB,aAAa,gBAAgB,WAAW,YAAY;GACpD,MAAM,KAAK,UAAU;IACN;IACb;IACA;;;AAIJ,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS;AACjC,UAAO;IACL,SAAS;IACT,OAAO,QAAQ,SAAS,OAAO,IAAI;;;EAIvC,MAAM,SAAS,MAAM,SAAS;AAC9B,SAAO;GACL,SAAS;GACT,UAAU,OAAO;GACjB,KAAK,OAAO;GACZ,mBAAmB,OAAO;GAC1B,kBAAkB,OAAO;;UAEpBX,OAAY;AACnB,SAAO;GACL,SAAS;GACT,OAAO,MAAM,WAAW"}
1	+ {"version":3,"file":"rpcCalls.js","names":["error: any","ActionType","ActionPhase","DeviceLinkingPhase","DeviceLinkingStatus","signedTransactions: Array<{ signedTransaction: SignedTransaction }>","e: unknown","addKeyTxResult: FinalExecutionOutcome","storeDeviceLinkingTxResult: FinalExecutionOutcome","DEFAULT_WAIT_STATUS","txError: any","errorMessage","createRandomVRFChallenge","base64UrlEncode","ensureEd25519Prefix","DEFAULT_EMAIL_RECOVERY_CONTRACTS","err: unknown","base: ActionArgs[]","base64UrlDecode"],"sources":["../../../src/core/rpcCalls.ts"],"sourcesContent":["/*\n Consolidated NEAR Contract Calls\n \n This file contains all the NEAR contract calls made to the web3authn contract\n * throughout the passkey SDK. It provides a centralized location for all\n * contract interactions and makes it easier to maintain and update contract\n * call patterns.\n /\n\nimport type { FinalExecutionOutcome } from '@near-js/types';\nimport type { NearClient, SignedTransaction } from './NearClient';\nimport type { ContractStoredAuthenticator } from './TatchiPasskey/syncAccount';\nimport type { PasskeyManagerContext } from './TatchiPasskey';\nimport type { AccountId } from './types/accountIds';\nimport type { DeviceLinkingSSEEvent } from './types/sdkSentEvents';\nimport type {\n StoredAuthenticator,\n WebAuthnRegistrationCredential,\n WebAuthnAuthenticationCredential\n} from './types/webauthn';\n\nimport { ActionPhase, DeviceLinkingPhase, DeviceLinkingStatus } from './types/sdkSentEvents';\nimport { ActionType, type ActionArgs } from './types/actions';\nimport { createRandomVRFChallenge, type VRFChallenge } from './types/vrf-worker';\nimport { DEFAULT_WAIT_STATUS, TransactionContext } from './types/rpc';\nimport type { AuthenticatorOptions } from './types/authenticatorOptions';\nimport type { ConfirmationConfig } from './types/signer-worker';\nimport { base64UrlDecode, base64UrlEncode } from '../utils/encoders';\nimport { errorMessage } from '../utils/errors';\nimport { ensureEd25519Prefix } from '../utils/validation';\nimport type { EmailRecoveryContracts } from './types/tatchi';\nimport { DEFAULT_EMAIL_RECOVERY_CONTRACTS } from './defaultConfigs';\n\n// ===========================\n// CONTRACT CALL RESPONSES\n// ===========================\n\nexport interface DeviceLinkingResult {\n linkedAccountId: string;\n deviceNumber: number;\n}\n\nexport interface CredentialIdsResult {\n credentialIds: string[];\n}\n\nexport interface AuthenticatorsResult {\n authenticators: Array<[string, ContractStoredAuthenticator]>;\n}\n\nexport type RecoveryAttemptStatus =\n \| \"Started\"\n \| \"VerifyingDkim\"\n \| \"VerifyingZkEmail\"\n \| \"DkimFailed\"\n \| \"ZkEmailFailed\"\n \| \"PolicyFailed\"\n \| \"Recovering\"\n \| \"AwaitingMoreEmails\"\n \| \"Complete\"\n \| \"Failed\";\n\nexport type RecoveryAttempt = {\n request_id: string;\n status: RecoveryAttemptStatus \| string;\n created_at_ms: number;\n updated_at_ms: number;\n error?: string \| null;\n /\n 32-byte SHA-256 hash of \"<canonical_from>\|<account_id_lower>\".\n * Returned by newer EmailRecoverer contracts (replaces `from_address`).\n /\n from_address_hash?: number[] \| null;\n /* Legacy field (string email address). /\n from_address?: string \| null;\n email_timestamp_ms?: number \| null;\n new_public_key?: string \| null;\n};\n\nfunction normalizeByteArray(input: unknown): number[] \| null \| undefined {\n if (input == null) return input as null \| undefined;\n\n if (Array.isArray(input)) {\n return input.map((v) => Number(v)).filter((v) => Number.isFinite(v));\n }\n\n if (typeof input === 'string' && input) {\n try {\n const bytes =\n typeof Buffer !== 'undefined'\n ? Buffer.from(input, 'base64')\n : Uint8Array.from(atob(input), (c) => c.charCodeAt(0));\n const arr = bytes instanceof Uint8Array ? Array.from(bytes) : Array.from(new Uint8Array(bytes));\n return arr;\n } catch {\n return undefined;\n }\n }\n\n return undefined;\n}\n\nexport async function getEmailRecoveryAttempt(\n nearClient: NearClient,\n accountId: string,\n requestId: string\n): Promise<RecoveryAttempt \| null> {\n const raw = await nearClient.view<{ request_id: string }, Omit<RecoveryAttempt, 'status'> & { status: any } \| null>({\n account: accountId,\n method: 'get_recovery_attempt',\n args: { request_id: requestId },\n });\n\n if (!raw) return null;\n\n // Normalization logic for status (string or object enum)\n const statusRaw = raw.status;\n const status = (() => {\n if (typeof statusRaw === 'string') return statusRaw.trim();\n if (statusRaw && typeof statusRaw === 'object') {\n const keys = Object.keys(statusRaw as Record<string, unknown>);\n if (keys.length === 1) {\n return String(keys[0] \|\| '').trim();\n }\n }\n return '';\n })();\n\n return {\n ...raw,\n from_address_hash: normalizeByteArray((raw as any).from_address_hash) ?? (raw as any).from_address_hash,\n status: status as RecoveryAttemptStatus,\n };\n}\n\n// ===========================\n// DEVICE LINKING CONTRACT CALLS\n// ===========================\n\n/\n Query the contract to get the account linked to a device public key\n * Used in device linking flow to check if a device key has been added\n \n NEAR does not provide a way to lookup the AccountID an access key has access to.\n * So we store a temporary mapping in the contract to lookup pubkey -> account ID.\n /\nexport async function getDeviceLinkingAccountContractCall(\n nearClient: NearClient,\n contractId: string,\n devicePublicKey: string\n): Promise<DeviceLinkingResult \| null> {\n try {\n const result = await nearClient.callFunction<\n { device_public_key: string },\n [string, number \| string]\n >(\n contractId,\n 'get_device_linking_account',\n { device_public_key: devicePublicKey }\n );\n\n // Handle different result formats\n if (result && Array.isArray(result) && result.length >= 2) {\n const [linkedAccountId, deviceNumberRaw] = result;\n const deviceNumber = Number(deviceNumberRaw);\n if (!Number.isSafeInteger(deviceNumber) \|\| deviceNumber < 0) {\n console.warn(\n 'Invalid deviceNumber returned from get_device_linking_account:',\n deviceNumberRaw\n );\n return null;\n }\n return {\n linkedAccountId,\n deviceNumber\n };\n }\n\n return null;\n } catch (error: any) {\n console.warn('Failed to get device linking account:', error.message);\n return null;\n }\n}\n\n// ===========================\n// DEVICE LINKING TRANSACTION CALLS\n// ===========================\n\n/\n Execute device1's linking transactions (AddKey + Contract mapping)\n * This function signs and broadcasts both transactions required for device linking\n /\nexport async function executeDeviceLinkingContractCalls({\n context,\n device1AccountId,\n device2PublicKey,\n nextNonce,\n nextNextNonce,\n nextNextNextNonce,\n txBlockHash,\n vrfChallenge,\n onEvent,\n confirmationConfigOverride,\n confirmerText,\n}: {\n context: PasskeyManagerContext,\n device1AccountId: AccountId,\n device2PublicKey: string,\n nextNonce: string,\n nextNextNonce: string,\n nextNextNextNonce: string,\n txBlockHash: string,\n vrfChallenge: VRFChallenge,\n onEvent?: (event: DeviceLinkingSSEEvent) => void;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n confirmerText?: { title?: string; body?: string };\n}): Promise<{\n addKeyTxResult: FinalExecutionOutcome;\n storeDeviceLinkingTxResult: FinalExecutionOutcome;\n signedDeleteKeyTransaction: SignedTransaction\n}> {\n\n const signTransactions = () => context.webAuthnManager.signTransactionsWithActions({\n rpcCall: {\n contractId: context.webAuthnManager.tatchiPasskeyConfigs.contractId,\n nearRpcUrl: context.webAuthnManager.tatchiPasskeyConfigs.nearRpcUrl,\n nearAccountId: device1AccountId\n },\n // Prefer threshold signing when available; fall back to local signing if the account\n // is not enrolled with threshold key material.\n signerMode: { mode: 'threshold-signer', behavior: 'fallback' },\n confirmationConfigOverride,\n title: confirmerText?.title,\n body: confirmerText?.body,\n transactions: [\n // Transaction 1: AddKey - Add Device2's key to Device1's account\n {\n receiverId: device1AccountId,\n actions: [{\n action_type: ActionType.AddKey,\n public_key: device2PublicKey,\n access_key: JSON.stringify({\n // NEAR-style AccessKey JSON shape, matching near-api-js:\n // { nonce: number, permission: { FullAccess: {} } }\n nonce: 0,\n permission: { FullAccess: {} },\n }),\n }],\n nonce: nextNonce,\n },\n // Transaction 2: Store temporary mapping in contract so Device2 can lookup Device1's accountID.\n {\n receiverId: context.webAuthnManager.tatchiPasskeyConfigs.contractId,\n actions: [{\n action_type: ActionType.FunctionCall,\n method_name: 'store_device_linking_mapping',\n args: JSON.stringify({\n device_public_key: device2PublicKey,\n target_account_id: device1AccountId,\n }),\n gas: '30000000000000', // 30 TGas for device linking with yield promise automatic cleanup\n deposit: '0'\n }],\n nonce: nextNextNonce,\n },\n // Transaction 3: Remove Device2's temporary key if it fails to complete linking after a timeout\n {\n receiverId: device1AccountId,\n actions: [{\n action_type: ActionType.DeleteKey,\n public_key: device2PublicKey\n }],\n nonce: nextNextNextNonce,\n }\n ],\n onEvent: (progress) => {\n // Bridge all action progress events to the parent so the wallet iframe overlay\n // can expand during user confirmation in wallet-iframe mode.\n try { onEvent?.(progress as any); } catch { }\n // Keep existing mapping for device linking semantics; surface signing as a loading state\n if (progress.phase == ActionPhase.STEP_6_TRANSACTION_SIGNING_COMPLETE) {\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.PROGRESS,\n message: progress.message \|\| 'Transaction signing in progress...'\n })\n }\n }\n });\n\n // Sign three transactions with one PRF authentication\n let signedTransactions: Array<{ signedTransaction: SignedTransaction }> = [];\n try {\n signedTransactions = await signTransactions();\n } catch (e: unknown) {\n if (!isVrfSessionPasskeyMismatchError(e)) throw e;\n\n // This happens when:\n // - the VRF worker is unlocked for a different device's VRF keypair, but\n // - IndexedDB `lastUser` (and thus allowCredentials) points at another device.\n // Fix by re-unlocking the VRF keypair for the current deviceNumber, then retry once.\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.PROGRESS,\n message: 'Session mismatch detected; re-authenticating with TouchID...'\n });\n\n await repairVrfSessionForCurrentDevice({\n context,\n nearAccountId: device1AccountId,\n // Needs to cover 3 txs in a single batch.\n remainingUses: 3,\n ttlMs: 2 60 * 1000,\n });\n\n signedTransactions = await signTransactions();\n }\n\n if (!signedTransactions[0].signedTransaction) {\n throw new Error('AddKey transaction signing failed');\n }\n if (!signedTransactions[1].signedTransaction) {\n throw new Error('Contract mapping transaction signing failed');\n }\n if (!signedTransactions[2].signedTransaction) {\n throw new Error('DeleteKey transaction signing failed');\n }\n\n // Broadcast just the first 2 transactions: addKey and store device linking mapping\n let addKeyTxResult: FinalExecutionOutcome;\n let storeDeviceLinkingTxResult: FinalExecutionOutcome;\n try {\n console.debug('LinkDeviceFlow: AddKey transaction details:', {\n receiverId: signedTransactions[0].signedTransaction.transaction.receiverId,\n actions: signedTransactions[0].signedTransaction.transaction.actions \|\| [],\n transactionKeys: Object.keys(signedTransactions[0].signedTransaction.transaction),\n });\n\n addKeyTxResult = await context.nearClient.sendTransaction(\n signedTransactions[0].signedTransaction,\n DEFAULT_WAIT_STATUS.linkDeviceAddKey\n );\n console.log('LinkDeviceFlow: AddKey transaction result:', addKeyTxResult?.transaction?.hash);\n\n // Send success events immediately after AddKey succeeds\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.SUCCESS,\n message: `AddKey transaction completed successfully!`\n });\n\n // Check if contract mapping transaction is valid before attempting to broadcast\n const contractTx = signedTransactions[1].signedTransaction;\n console.log('LinkDeviceFlow: Contract mapping transaction details:', {\n receiverId: contractTx.transaction.receiverId,\n actions: (contractTx.transaction.actions \|\| []).length\n });\n\n // Standard timeout since nonce conflict should be resolved by the 2s delay\n storeDeviceLinkingTxResult = await context.nearClient.sendTransaction(\n contractTx,\n DEFAULT_WAIT_STATUS.linkDeviceAccountMapping\n );\n\n } catch (txError: any) {\n console.error('LinkDeviceFlow: Transaction broadcasting failed:', txError);\n throw new Error(`Transaction broadcasting failed: ${txError.message}`);\n }\n\n onEvent?.({\n step: 6,\n phase: DeviceLinkingPhase.STEP_6_REGISTRATION,\n status: DeviceLinkingStatus.SUCCESS,\n message: `Device linking completed successfully!`\n });\n\n return {\n addKeyTxResult,\n storeDeviceLinkingTxResult,\n signedDeleteKeyTransaction: signedTransactions[2].signedTransaction\n };\n}\n\nfunction isVrfSessionPasskeyMismatchError(err: unknown): boolean {\n const msg = errorMessage(err) \|\| String(err \|\| '');\n return msg.includes('different passkey/VRF session than the current device');\n}\n\nasync function repairVrfSessionForCurrentDevice(args: {\n context: PasskeyManagerContext;\n nearAccountId: AccountId;\n ttlMs?: number;\n remainingUses?: number;\n}): Promise<void> {\n const { context, nearAccountId } = args;\n const lastUser = await context.webAuthnManager.getLastUser();\n if (!lastUser \|\| lastUser.nearAccountId !== nearAccountId) {\n throw new Error('Cannot repair VRF session: no lastUser for this account. Please log in again.');\n }\n const deviceNumber = lastUser.deviceNumber;\n if (!Number.isFinite(deviceNumber) \|\| deviceNumber < 1) {\n throw new Error('Cannot repair VRF session: invalid lastUser.deviceNumber');\n }\n\n const authenticators = await context.webAuthnManager.getAuthenticatorsByUser(nearAccountId);\n const credentialIdsForDevice = authenticators\n .filter((a) => a.deviceNumber === deviceNumber)\n .map((a) => a.credentialId);\n\n const credentialIds = credentialIdsForDevice.length > 0\n ? credentialIdsForDevice\n : authenticators.map((a) => a.credentialId);\n\n if (credentialIds.length === 0) {\n throw new Error(`Cannot repair VRF session: no authenticators found for ${nearAccountId}`);\n }\n\n const challenge = createRandomVRFChallenge();\n const credential = await context.webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge: challenge as VRFChallenge,\n credentialIds,\n });\n\n const unlockResult = await context.webAuthnManager.unlockVRFKeypair({\n nearAccountId,\n encryptedVrfKeypair: lastUser.encryptedVrfKeypair,\n credential: credential as WebAuthnAuthenticationCredential,\n });\n if (!unlockResult.success) {\n throw new Error(unlockResult.error \|\| 'Failed to re-unlock VRF keypair for current device');\n }\n\n // Restore a minimal warm signing session so the retried batch can run without a second TouchID prompt.\n await context.webAuthnManager.mintSigningSessionFromCredential({\n nearAccountId,\n credential: credential as WebAuthnAuthenticationCredential,\n ttlMs: args.ttlMs,\n remainingUses: args.remainingUses,\n });\n}\n\n// ===========================\n// ACCOUNT RECOVERY CONTRACT CALLS\n// ===========================\n\n/*\n Get credential IDs associated with an account from the contract\n * Used in account recovery to discover available credentials\n /\nexport async function getCredentialIdsContractCall(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<string[]> {\n try {\n const credentialIds = await nearClient.callFunction<{ account_id: AccountId }, string[]>(\n contractId,\n 'get_credential_ids_by_account',\n { account_id: accountId }\n );\n return credentialIds \|\| [];\n } catch (error: any) {\n console.warn('Failed to fetch credential IDs from contract:', error.message);\n return [];\n }\n}\n\n/\n Get all authenticators stored for a user from the contract\n * Used in account recovery to sync authenticator data\n /\nexport async function getAuthenticatorsByUser(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<[string, ContractStoredAuthenticator][]> {\n try {\n const authenticatorsResult = await nearClient.view<{ user_id: AccountId }, [string, ContractStoredAuthenticator][]>({\n account: contractId,\n method: 'get_authenticators_by_user',\n args: { user_id: accountId }\n });\n\n if (authenticatorsResult && Array.isArray(authenticatorsResult)) {\n return authenticatorsResult;\n }\n return [];\n } catch (error: any) {\n console.warn('Failed to fetch authenticators from contract:', error.message);\n return [];\n }\n}\n\nexport async function syncAuthenticatorsContractCall(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<Array<{ credentialId: string, authenticator: StoredAuthenticator, nearPublicKey?: string }>> {\n try {\n const authenticatorsResult = await getAuthenticatorsByUser(nearClient, contractId, accountId);\n if (authenticatorsResult && Array.isArray(authenticatorsResult)) {\n return authenticatorsResult.map(([credentialId, contractAuthenticator]) => {\n console.log(`Contract authenticator device_number for ${credentialId}:`, contractAuthenticator.device_number);\n\n const transports = Array.isArray(contractAuthenticator.transports)\n ? contractAuthenticator.transports\n : [];\n\n const registered = (() => {\n const raw = String((contractAuthenticator as any).registered ?? '');\n if (!raw) return new Date(0);\n if (/^\\d+$/.test(raw)) {\n const ts = Number(raw);\n return Number.isFinite(ts) ? new Date(ts) : new Date(0);\n }\n const d = new Date(raw);\n return Number.isFinite(d.getTime()) ? d : new Date(0);\n })();\n\n const vrfPublicKeys = (() => {\n const raw = (contractAuthenticator as any).vrf_public_keys;\n if (!raw) return undefined;\n if (Array.isArray(raw) && raw.length > 0 && typeof raw[0] === 'string') {\n return raw as string[];\n }\n if (Array.isArray(raw)) {\n return raw\n .map((entry: unknown) => {\n if (!entry) return null;\n if (entry instanceof Uint8Array) return base64UrlEncode(entry);\n if (Array.isArray(entry)) return base64UrlEncode(new Uint8Array(entry));\n return null;\n })\n .filter((x): x is string => typeof x === 'string' && x.length > 0);\n }\n return undefined;\n })();\n\n const nearPublicKey = (() => {\n const raw = (contractAuthenticator as any).near_public_key;\n if (typeof raw !== 'string') return undefined;\n const trimmed = raw.trim();\n return trimmed ? ensureEd25519Prefix(trimmed) : undefined;\n })();\n\n return {\n credentialId,\n authenticator: {\n credentialId,\n credentialPublicKey: new Uint8Array(contractAuthenticator.credential_public_key),\n transports,\n userId: accountId,\n name: `Device ${contractAuthenticator.device_number} Authenticator`,\n registered,\n // Store the actual device number from contract (no fallback)\n deviceNumber: contractAuthenticator.device_number,\n vrfPublicKeys\n },\n ...(nearPublicKey ? { nearPublicKey } : {})\n };\n });\n }\n return [];\n } catch (error: any) {\n console.warn('Failed to fetch authenticators from contract:', error.message);\n return [];\n }\n}\n\n// ===========================\n// RECOVERY EMAIL CONTRACT CALLS\n// ===========================\n\nconst EMPTY_NEAR_CODE_HASH = '11111111111111111111111111111111';\n\nasync function hasDeployedContractCode(nearClient: NearClient, accountId: AccountId): Promise<boolean> {\n try {\n const account = await nearClient.viewAccount(accountId);\n const codeHash = (account as { code_hash?: unknown } \| null)?.code_hash;\n const globalContractHash = (account as { global_contract_hash?: unknown } \| null)?.global_contract_hash;\n const globalContractAccountId = (account as { global_contract_account_id?: unknown } \| null)?.global_contract_account_id;\n\n const hasLocalCode = typeof codeHash === 'string' && codeHash !== EMPTY_NEAR_CODE_HASH;\n const hasGlobalCode =\n (typeof globalContractHash === 'string' && globalContractHash.trim().length > 0) \|\|\n (typeof globalContractAccountId === 'string' && globalContractAccountId.trim().length > 0);\n\n return hasLocalCode \|\| hasGlobalCode;\n } catch {\n return false;\n }\n}\n\n/\n Fetch on-chain recovery email hashes from the per-account contract.\n * Returns [] when no contract is deployed or on failure.\n /\nexport async function getRecoveryEmailHashesContractCall(\n nearClient: NearClient,\n accountId: AccountId\n): Promise<number[][]> {\n try {\n // Prefer `view_account` over `view_code`:\n // - `view_code` is expected to fail for non-contract accounts and is noisy.\n // - `view_account` is lightweight and tells us whether the account uses local contract code\n // or a NEAR \"global contract\" (via `global_contract_` fields).\n const hasContract = await hasDeployedContractCode(nearClient, accountId);\n if (!hasContract) return [];\n\n const hashes = await nearClient.view<Record<string, never>, number[][]>({\n account: accountId,\n method: 'get_recovery_emails',\n args: {} as Record<string, never>,\n });\n\n return Array.isArray(hashes) ? (hashes as number[][]) : [];\n } catch (error) {\n return [];\n }\n}\n\n/*\n Build action args to update on-chain recovery emails for an account.\n * If the per-account contract is missing, deploy/attach the global recoverer via `init_email_recovery`.\n /\nexport async function buildSetRecoveryEmailsActions(\n nearClient: NearClient,\n accountId: AccountId,\n recoveryEmailHashes: number[][],\n contracts: EmailRecoveryContracts = DEFAULT_EMAIL_RECOVERY_CONTRACTS\n): Promise<ActionArgs[]> {\n const hasContract = await hasDeployedContractCode(nearClient, accountId);\n\n const {\n emailRecovererGlobalContract,\n zkEmailVerifierContract,\n emailDkimVerifierContract,\n } = contracts;\n\n // If the account already has a contract (local or global), it still might not be a readable\n // EmailRecoverer instance (e.g. stale state after upgrades). In that case, `set_recovery_emails`\n // would fail while `init_email_recovery` (#[init(ignore_state)]) can safely re-initialize.\n //\n // We keep this as a best-effort probe to avoid wiping state on transient RPC issues.\n let shouldInit = !hasContract;\n if (!shouldInit) {\n try {\n await nearClient.view<Record<string, never>, unknown>({\n account: accountId,\n method: 'get_recovery_emails',\n args: {} as Record<string, never>,\n });\n } catch (err: unknown) {\n const msg = errorMessage(err);\n // Common/expected cases where we should fall back to init:\n // - account has a global contract pointer but no EmailRecoverer-compatible state yet\n // - account has stale/incompatible state after a contract upgrade\n // - account has some other contract (method missing)\n if (/Cannot deserialize the contract state/i.test(msg)\n \|\| /CodeDoesNotExist/i.test(msg)\n \|\| /MethodNotFound/i.test(msg)) {\n shouldInit = true;\n }\n }\n }\n\n const base: ActionArgs[] = [\n {\n type: ActionType.UseGlobalContract,\n accountId: emailRecovererGlobalContract,\n },\n ];\n\n return shouldInit\n ? [\n ...base,\n {\n type: ActionType.FunctionCall,\n methodName: 'init_email_recovery',\n args: {\n zk_email_verifier: zkEmailVerifierContract,\n email_dkim_verifier: emailDkimVerifierContract,\n policy: null,\n recovery_emails: recoveryEmailHashes,\n },\n gas: '80000000000000',\n deposit: '0',\n },\n ]\n : [\n ...base,\n {\n type: ActionType.FunctionCall,\n methodName: 'set_recovery_emails',\n args: {\n recovery_emails: recoveryEmailHashes,\n },\n gas: '80000000000000',\n deposit: '0',\n },\n ];\n}\n\nexport async function fetchNonceBlockHashAndHeight({ nearClient, nearPublicKeyStr, nearAccountId }: {\n nearClient: NearClient,\n nearPublicKeyStr: string,\n nearAccountId: AccountId\n}): Promise<TransactionContext> {\n // Get access key and transaction block info concurrently\n const [accessKeyInfo, txBlockInfo] = await Promise.all([\n nearClient.viewAccessKey(nearAccountId, nearPublicKeyStr)\n .catch(e => { throw new Error(`Failed to fetch Access Key`) }),\n nearClient.viewBlock({ finality: 'final' })\n .catch(e => { throw new Error(`Failed to fetch Block Info`) })\n ]);\n if (!accessKeyInfo \|\| accessKeyInfo.nonce === undefined) {\n throw new Error(`Access key not found or invalid for account ${nearAccountId} with public key ${nearPublicKeyStr}. Response: ${JSON.stringify(accessKeyInfo)}`);\n }\n const nextNonce = (BigInt(accessKeyInfo.nonce) + BigInt(1)).toString();\n const txBlockHeight = String(txBlockInfo.header.height);\n const txBlockHash = txBlockInfo.header.hash; // Keep original base58 string\n\n return {\n nearPublicKeyStr,\n accessKeyInfo,\n nextNonce,\n txBlockHeight,\n txBlockHash,\n };\n}\n\n// ===========================\n// ACCESS KEY HELPERS\n// ===========================\n\nexport type AccessKeyWaitOptions = {\n attempts?: number;\n delayMs?: number;\n};\n\nfunction sleep(ms: number): Promise<void> {\n return new Promise((res) => setTimeout(res, ms));\n}\n\nfunction isAccessKeyNotFoundError(err: unknown): boolean {\n const msg = String(errorMessage(err) \|\| '').toLowerCase();\n if (!msg) return false;\n\n // Common NEAR node / near-api-js phrasing for missing access keys.\n if (msg.includes('unknown access key') \|\| msg.includes('unknown_access_key') \|\| msg.includes('unknownaccesskey')) {\n return true;\n }\n if (msg.includes('accesskeydoesnotexist')) return true;\n if (msg.includes('access key does not exist')) return true;\n if (msg.includes(\"access key doesn't exist\")) return true;\n if (msg.includes('access key not found')) return true;\n if (msg.includes('no such access key')) return true;\n if (msg.includes('viewing access key') && msg.includes('does not exist') && !msg.includes('account')) return true;\n\n return false;\n}\n\nexport async function hasAccessKey(\n nearClient: NearClient,\n nearAccountId: string,\n publicKey: string,\n opts?: AccessKeyWaitOptions,\n): Promise<boolean> {\n const expected = ensureEd25519Prefix(publicKey);\n if (!expected) return false;\n\n const attempts = Math.max(1, Math.floor(opts?.attempts ?? 6));\n const delayMs = Math.max(50, Math.floor(opts?.delayMs ?? 750));\n\n for (let i = 0; i < attempts; i++) {\n try {\n await nearClient.viewAccessKey(nearAccountId, expected);\n return true;\n } catch {\n // tolerate transient view errors during propagation; retry\n }\n if (i < attempts - 1) {\n await sleep(delayMs);\n }\n }\n return false;\n}\n\nexport async function waitForAccessKeyAbsent(\n nearClient: NearClient,\n nearAccountId: string,\n publicKey: string,\n opts?: AccessKeyWaitOptions,\n): Promise<boolean> {\n const expected = ensureEd25519Prefix(publicKey);\n if (!expected) return true;\n\n const attempts = Math.max(1, Math.floor(opts?.attempts ?? 6));\n const delayMs = Math.max(50, Math.floor(opts?.delayMs ?? 650));\n\n for (let i = 0; i < attempts; i++) {\n try {\n await nearClient.viewAccessKey(nearAccountId, expected);\n } catch (err: unknown) {\n if (isAccessKeyNotFoundError(err)) return true;\n // tolerate transient view errors during propagation; retry\n }\n if (i < attempts - 1) {\n await sleep(delayMs);\n }\n }\n return false;\n}\n\n// ===========================\n// REGISTRATION PRE-CHECK CALL\n// ===========================\n\nexport interface CheckCanRegisterUserResult {\n success: boolean;\n verified: boolean;\n logs: string[];\n error?: string;\n}\n\n/\n View-only registration pre-check.\n \n Calls the contract's `check_can_register_user` view method with VRF data\n * derived from the provided VRF challenge and a serialized WebAuthn\n * registration credential (typically with PRF outputs embedded).\n /\nexport async function checkCanRegisterUserContractCall({\n nearClient,\n contractId,\n vrfChallenge,\n credential,\n authenticatorOptions,\n}: {\n nearClient: NearClient;\n contractId: string;\n vrfChallenge: VRFChallenge;\n credential: WebAuthnRegistrationCredential;\n authenticatorOptions?: AuthenticatorOptions;\n}): Promise<CheckCanRegisterUserResult> {\n try {\n const intent_digest_32 = Array.from(base64UrlDecode(vrfChallenge.intentDigest \|\| ''));\n if (intent_digest_32.length !== 32) {\n throw new Error('Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)');\n }\n const session_policy_digest_32 = vrfChallenge.sessionPolicyDigest32\n ? Array.from(base64UrlDecode(vrfChallenge.sessionPolicyDigest32))\n : [];\n if (session_policy_digest_32.length !== 0 && session_policy_digest_32.length !== 32) {\n throw new Error('Invalid vrfChallenge.sessionPolicyDigest32 (expected base64url-encoded 32 bytes)');\n }\n const vrfData = {\n vrf_input_data: Array.from(base64UrlDecode(vrfChallenge.vrfInput)),\n vrf_output: Array.from(base64UrlDecode(vrfChallenge.vrfOutput)),\n vrf_proof: Array.from(base64UrlDecode(vrfChallenge.vrfProof)),\n public_key: Array.from(base64UrlDecode(vrfChallenge.vrfPublicKey)),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight),\n block_hash: Array.from(base64UrlDecode(vrfChallenge.blockHash)),\n intent_digest_32,\n ...(session_policy_digest_32.length ? { session_policy_digest_32 } : {}),\n };\n\n const args = {\n vrf_data: vrfData,\n webauthn_registration: credential,\n authenticator_options: authenticatorOptions,\n };\n\n const response = await nearClient.callFunction<typeof args, any>(\n contractId,\n 'check_can_register_user',\n args,\n );\n\n const verified = !!response?.verified;\n return {\n success: true,\n verified,\n logs: [],\n error: verified ? undefined : 'Contract registration check failed',\n };\n } catch (err: unknown) {\n return {\n success: false,\n verified: false,\n logs: [],\n error: errorMessage(err) \|\| 'Failed to call check_can_register_user',\n };\n }\n}\n\n\n/\n Verify authentication response through relay server\n * Routes the request to relay server which calls the web3authn contract for verification\n * and issues a JWT or session credential\n /\nexport async function verifyAuthenticationResponse(\n relayServerUrl: string,\n routePath: string,\n sessionKind: 'jwt' \| 'cookie',\n vrfChallenge: VRFChallenge,\n webauthnAuthentication: WebAuthnAuthenticationCredential\n): Promise<{\n success: boolean;\n verified?: boolean;\n jwt?: string;\n sessionCredential?: any;\n error?: string;\n contractResponse?: any;\n}> {\n try {\n // Map VRFChallenge into server ContractVrfData shape (number arrays)\n const toBytes = (b64u: string \| undefined): number[] => {\n if (!b64u) return [];\n return Array.from(base64UrlDecode(b64u));\n };\n const intent_digest_32 = toBytes(vrfChallenge.intentDigest);\n if (intent_digest_32.length !== 32) {\n throw new Error('Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)');\n }\n const session_policy_digest_32 = toBytes(vrfChallenge.sessionPolicyDigest32);\n if (session_policy_digest_32.length !== 0 && session_policy_digest_32.length !== 32) {\n throw new Error('Invalid vrfChallenge.sessionPolicyDigest32 (expected base64url-encoded 32 bytes)');\n }\n const vrf_data = {\n vrf_input_data: toBytes(vrfChallenge.vrfInput),\n vrf_output: toBytes(vrfChallenge.vrfOutput),\n vrf_proof: toBytes(vrfChallenge.vrfProof),\n public_key: toBytes(vrfChallenge.vrfPublicKey),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight \|\| 0),\n block_hash: toBytes(vrfChallenge.blockHash),\n intent_digest_32,\n ...(session_policy_digest_32.length ? { session_policy_digest_32 } : {}),\n };\n\n // Normalize authenticatorAttachment and userHandle to null for server schema\n const webauthn_authentication = {\n ...webauthnAuthentication,\n authenticatorAttachment: webauthnAuthentication.authenticatorAttachment ?? null,\n response: {\n ...webauthnAuthentication.response,\n userHandle: webauthnAuthentication.response.userHandle ?? null,\n }\n };\n\n const url = `${relayServerUrl.replace(/\\/$/, '')}${routePath.startsWith('/') ? routePath : `/${routePath}`}`;\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n credentials: sessionKind === 'cookie' ? 'include' : 'omit',\n body: JSON.stringify({\n sessionKind: sessionKind,\n vrf_data,\n webauthn_authentication,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n return {\n success: false,\n error: `HTTP ${response.status}: ${errorText}`,\n };\n }\n\n const result = await response.json();\n return {\n success: true,\n verified: result.verified,\n jwt: result.jwt,\n sessionCredential: result.sessionCredential,\n contractResponse: result.contractResponse,\n };\n } catch (error: any) {\n return {\n success: false,\n error: error.message \|\| 'Failed to verify authentication response',\n };\n }\n}\n\nexport async function authorizeThresholdEd25519(\n relayServerUrl: string,\n vrfChallenge: VRFChallenge,\n webauthnAuthentication: WebAuthnAuthenticationCredential,\n args: {\n relayerKeyId: string;\n clientVerifyingShareB64u: string;\n purpose: string;\n /\n Exact 32-byte digest that will be co-signed (tx hash / delegate hash / NEP-413 hash).\n * The relayer must bind this digest to the VRF-authorized `intent_digest_32`.\n */\n signingDigest32: number[];\n signingPayload?: unknown;\n },\n): Promise<{\n ok: boolean;\n mpcSessionId?: string;\n expiresAt?: string;\n code?: string;\n message?: string;\n error?: string;\n}> {\n try {\n const toBytes = (b64u: string \| undefined): number[] => {\n if (!b64u) return [];\n return Array.from(base64UrlDecode(b64u));\n };\n const intent_digest_32 = toBytes(vrfChallenge.intentDigest);\n if (intent_digest_32.length !== 32) {\n throw new Error('Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)');\n }\n const vrf_data = {\n vrf_input_data: toBytes(vrfChallenge.vrfInput),\n vrf_output: toBytes(vrfChallenge.vrfOutput),\n vrf_proof: toBytes(vrfChallenge.vrfProof),\n public_key: toBytes(vrfChallenge.vrfPublicKey),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight \|\| 0),\n block_hash: toBytes(vrfChallenge.blockHash),\n intent_digest_32,\n };\n\n const clientVerifyingShareBytes = toBytes(args.clientVerifyingShareB64u);\n if (clientVerifyingShareBytes.length !== 32) {\n throw new Error('Missing or invalid args.clientVerifyingShareB64u (expected base64url-encoded 32 bytes)');\n }\n\n // Strip extension results before sending to the relay (never send PRF outputs).\n const webauthn_authentication = {\n ...webauthnAuthentication,\n authenticatorAttachment: webauthnAuthentication.authenticatorAttachment ?? null,\n response: {\n ...webauthnAuthentication.response,\n userHandle: webauthnAuthentication.response.userHandle ?? null,\n },\n clientExtensionResults: null,\n };\n\n const url = `${relayServerUrl.replace(/\\/$/, '')}/threshold-ed25519/authorize`;\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n credentials: 'include',\n body: JSON.stringify({\n relayerKeyId: args.relayerKeyId,\n clientVerifyingShareB64u: args.clientVerifyingShareB64u,\n purpose: args.purpose,\n signing_digest_32: (() => {\n const d = args.signingDigest32;\n if (!Array.isArray(d) \|\| d.length !== 32) {\n throw new Error('Missing or invalid args.signingDigest32 (expected number[32])');\n }\n return d;\n })(),\n signingPayload: args.signingPayload,\n vrf_data,\n webauthn_authentication,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n return { ok: false, error: `HTTP ${response.status}: ${errorText}` };\n }\n\n const json = await response.json();\n return {\n ok: !!json?.ok,\n mpcSessionId: json?.mpcSessionId,\n expiresAt: json?.expiresAt,\n code: json?.code,\n message: json?.message,\n };\n } catch (error: any) {\n return { ok: false, error: error?.message \|\| 'Failed to authorize threshold-ed25519 signing' };\n }\n}\n\nexport async function thresholdEd25519Keygen(\n relayServerUrl: string,\n vrfChallenge: VRFChallenge,\n webauthnAuthentication: WebAuthnAuthenticationCredential,\n args: {\n clientVerifyingShareB64u: string;\n nearAccountId: string;\n },\n): Promise<{\n ok: boolean;\n clientParticipantId?: number;\n relayerParticipantId?: number;\n participantIds?: number[];\n relayerKeyId?: string;\n publicKey?: string;\n relayerVerifyingShareB64u?: string;\n code?: string;\n message?: string;\n error?: string;\n}> {\n try {\n const base = String(relayServerUrl \|\| '').trim().replace(/\\/$/, '');\n if (!base) throw new Error('Missing relayServerUrl');\n\n const clientVerifyingShareB64u = String(args.clientVerifyingShareB64u \|\| '').trim();\n if (!clientVerifyingShareB64u) throw new Error('Missing clientVerifyingShareB64u');\n\n const nearAccountId = String(args.nearAccountId \|\| '').trim();\n if (!nearAccountId) throw new Error('Missing nearAccountId');\n\n const toBytes = (b64u: string \| undefined): number[] => {\n if (!b64u) return [];\n return Array.from(base64UrlDecode(b64u));\n };\n const intent_digest_32 = toBytes(vrfChallenge.intentDigest);\n if (intent_digest_32.length !== 32) {\n throw new Error('Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)');\n }\n const vrf_data = {\n vrf_input_data: toBytes(vrfChallenge.vrfInput),\n vrf_output: toBytes(vrfChallenge.vrfOutput),\n vrf_proof: toBytes(vrfChallenge.vrfProof),\n public_key: toBytes(vrfChallenge.vrfPublicKey),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight \|\| 0),\n block_hash: toBytes(vrfChallenge.blockHash),\n intent_digest_32,\n };\n\n // Strip extension results before sending to the relay (never send PRF outputs).\n const webauthn_authentication = {\n ...webauthnAuthentication,\n authenticatorAttachment: webauthnAuthentication.authenticatorAttachment ?? null,\n response: {\n ...webauthnAuthentication.response,\n userHandle: webauthnAuthentication.response.userHandle ?? null,\n },\n clientExtensionResults: null,\n };\n\n const url = `${base}/threshold-ed25519/keygen`;\n const response = await fetch(url, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n credentials: 'include',\n body: JSON.stringify({\n clientVerifyingShareB64u,\n nearAccountId,\n vrf_data,\n webauthn_authentication,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n return { ok: false, error: `HTTP ${response.status}: ${errorText}` };\n }\n\n const json = await response.json();\n return {\n ok: !!json?.ok,\n clientParticipantId: json?.clientParticipantId,\n relayerParticipantId: json?.relayerParticipantId,\n participantIds: json?.participantIds,\n relayerKeyId: json?.relayerKeyId,\n publicKey: json?.publicKey,\n relayerVerifyingShareB64u: json?.relayerVerifyingShareB64u,\n code: json?.code,\n message: json?.message,\n };\n } catch (error: any) {\n return { ok: false, error: error?.message \|\| 'Failed to keygen threshold-ed25519' };\n }\n}\n\nexport async function thresholdEd25519KeygenFromRegistrationTx(\n relayServerUrl: string,\n args: {\n clientVerifyingShareB64u: string;\n nearAccountId: string;\n registrationTxHash: string;\n },\n): Promise<{\n ok: boolean;\n clientParticipantId?: number;\n relayerParticipantId?: number;\n participantIds?: number[];\n relayerKeyId?: string;\n publicKey?: string;\n relayerVerifyingShareB64u?: string;\n code?: string;\n message?: string;\n error?: string;\n}> {\n try {\n const base = String(relayServerUrl \|\| '').trim().replace(/\\/$/, '');\n if (!base) throw new Error('Missing relayServerUrl');\n\n const clientVerifyingShareB64u = String(args.clientVerifyingShareB64u \|\| '').trim();\n if (!clientVerifyingShareB64u) throw new Error('Missing clientVerifyingShareB64u');\n\n const nearAccountId = String(args.nearAccountId \|\| '').trim();\n if (!nearAccountId) throw new Error('Missing nearAccountId');\n\n const registrationTxHash = String(args.registrationTxHash \|\| '').trim();\n if (!registrationTxHash) throw new Error('Missing registrationTxHash');\n\n const url = `${base}/threshold-ed25519/keygen`;\n const response = await fetch(url, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n credentials: 'include',\n body: JSON.stringify({\n clientVerifyingShareB64u,\n nearAccountId,\n registrationTxHash,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n return { ok: false, error: `HTTP ${response.status}: ${errorText}` };\n }\n\n const json = await response.json();\n return {\n ok: !!json?.ok,\n clientParticipantId: json?.clientParticipantId,\n relayerParticipantId: json?.relayerParticipantId,\n participantIds: json?.participantIds,\n relayerKeyId: json?.relayerKeyId,\n publicKey: json?.publicKey,\n relayerVerifyingShareB64u: json?.relayerVerifyingShareB64u,\n code: json?.code,\n message: json?.message,\n };\n } catch (error: any) {\n return { ok: false, error: error?.message \|\| 'Failed to keygen threshold-ed25519 from registration tx' };\n }\n}\n"],"mappings":";;;;;;;;;;AA+EA,SAAS,mBAAmB,OAA6C;AACvE,KAAI,SAAS,KAAM,QAAO;AAE1B,KAAI,MAAM,QAAQ,OAChB,QAAO,MAAM,KAAK,MAAM,OAAO,IAAI,QAAQ,MAAM,OAAO,SAAS;AAGnE,KAAI,OAAO,UAAU,YAAY,MAC/B,KAAI;EACF,MAAM,QACJ,OAAO,WAAW,cACd,OAAO,KAAK,OAAO,YACnB,WAAW,KAAK,KAAK,SAAS,MAAM,EAAE,WAAW;EACvD,MAAM,MAAM,iBAAiB,aAAa,MAAM,KAAK,SAAS,MAAM,KAAK,IAAI,WAAW;AACxF,SAAO;SACD;AACN,SAAO;;AAIX,QAAO;;AAGT,eAAsB,wBACpB,YACA,WACA,WACiC;CACjC,MAAM,MAAM,MAAM,WAAW,KAAuF;EAClH,SAAS;EACT,QAAQ;EACR,MAAM,EAAE,YAAY;;AAGtB,KAAI,CAAC,IAAK,QAAO;CAGjB,MAAM,YAAY,IAAI;CACtB,MAAM,gBAAgB;AACpB,MAAI,OAAO,cAAc,SAAU,QAAO,UAAU;AACpD,MAAI,aAAa,OAAO,cAAc,UAAU;GAC9C,MAAM,OAAO,OAAO,KAAK;AACzB,OAAI,KAAK,WAAW,EAClB,QAAO,OAAO,KAAK,MAAM,IAAI;;AAGjC,SAAO;;AAGT,QAAO;EACL,GAAG;EACH,mBAAmB,mBAAoB,IAAY,sBAAuB,IAAY;EAC9E;;;;;;;;;;AAeZ,eAAsB,oCACpB,YACA,YACA,iBACqC;AACrC,KAAI;EACF,MAAM,SAAS,MAAM,WAAW,aAI9B,YACA,8BACA,EAAE,mBAAmB;AAIvB,MAAI,UAAU,MAAM,QAAQ,WAAW,OAAO,UAAU,GAAG;GACzD,MAAM,CAAC,iBAAiB,mBAAmB;GAC3C,MAAM,eAAe,OAAO;AAC5B,OAAI,CAAC,OAAO,cAAc,iBAAiB,eAAe,GAAG;AAC3D,YAAQ,KACN,kEACA;AAEF,WAAO;;AAET,UAAO;IACL;IACA;;;AAIJ,SAAO;UACAA,OAAY;AACnB,UAAQ,KAAK,yCAAyC,MAAM;AAC5D,SAAO;;;;;;;AAYX,eAAsB,kCAAkC,EACtD,SACA,kBACA,kBACA,WACA,eACA,mBACA,aACA,cACA,SACA,4BACA,iBAiBC;CAED,MAAM,yBAAyB,QAAQ,gBAAgB,4BAA4B;EACjF,SAAS;GACP,YAAY,QAAQ,gBAAgB,qBAAqB;GACzD,YAAY,QAAQ,gBAAgB,qBAAqB;GACzD,eAAe;;EAIjB,YAAY;GAAE,MAAM;GAAoB,UAAU;;EAClD;EACA,OAAO,eAAe;EACtB,MAAM,eAAe;EACrB,cAAc;GAEZ;IACE,YAAY;IACZ,SAAS,CAAC;KACR,aAAaC,2BAAW;KACxB,YAAY;KACZ,YAAY,KAAK,UAAU;MAGzB,OAAO;MACP,YAAY,EAAE,YAAY;;;IAG9B,OAAO;;GAGT;IACE,YAAY,QAAQ,gBAAgB,qBAAqB;IACzD,SAAS,CAAC;KACR,aAAaA,2BAAW;KACxB,aAAa;KACb,MAAM,KAAK,UAAU;MACnB,mBAAmB;MACnB,mBAAmB;;KAErB,KAAK;KACL,SAAS;;IAEX,OAAO;;GAGT;IACE,YAAY;IACZ,SAAS,CAAC;KACR,aAAaA,2BAAW;KACxB,YAAY;;IAEd,OAAO;;;EAGX,UAAU,aAAa;AAGrB,OAAI;AAAE,cAAU;WAA0B;AAE1C,OAAI,SAAS,SAASC,kCAAY,oCAChC,WAAU;IACR,MAAM;IACN,OAAOC,yCAAmB;IAC1B,QAAQC,0CAAoB;IAC5B,SAAS,SAAS,WAAW;;;;CAOrC,IAAIC,qBAAsE;AAC1E,KAAI;AACF,uBAAqB,MAAM;UACpBC,GAAY;AACnB,MAAI,CAAC,iCAAiC,GAAI,OAAM;AAMhD,YAAU;GACR,MAAM;GACN,OAAOH,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;AAGX,QAAM,iCAAiC;GACrC;GACA,eAAe;GAEf,eAAe;GACf,OAAO,MAAS;;AAGlB,uBAAqB,MAAM;;AAG7B,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;CAIlB,IAAIG;CACJ,IAAIC;AACJ,KAAI;AACF,UAAQ,MAAM,+CAA+C;GAC3D,YAAY,mBAAmB,GAAG,kBAAkB,YAAY;GAChE,SAAS,mBAAmB,GAAG,kBAAkB,YAAY,WAAW;GACxE,iBAAiB,OAAO,KAAK,mBAAmB,GAAG,kBAAkB;;AAGvE,mBAAiB,MAAM,QAAQ,WAAW,gBACxC,mBAAmB,GAAG,mBACtBC,gCAAoB;AAEtB,UAAQ,IAAI,8CAA8C,gBAAgB,aAAa;AAGvF,YAAU;GACR,MAAM;GACN,OAAON,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;EAIX,MAAM,aAAa,mBAAmB,GAAG;AACzC,UAAQ,IAAI,yDAAyD;GACnE,YAAY,WAAW,YAAY;GACnC,UAAU,WAAW,YAAY,WAAW,IAAI;;AAIlD,+BAA6B,MAAM,QAAQ,WAAW,gBACpD,YACAK,gCAAoB;UAGfC,SAAc;AACrB,UAAQ,MAAM,oDAAoD;AAClE,QAAM,IAAI,MAAM,oCAAoC,QAAQ;;AAG9D,WAAU;EACR,MAAM;EACN,OAAOP,yCAAmB;EAC1B,QAAQC,0CAAoB;EAC5B,SAAS;;AAGX,QAAO;EACL;EACA;EACA,4BAA4B,mBAAmB,GAAG;;;AAItD,SAAS,iCAAiC,KAAuB;CAC/D,MAAM,MAAMO,4BAAa,QAAQ,OAAO,OAAO;AAC/C,QAAO,IAAI,SAAS;;AAGtB,eAAe,iCAAiC,MAK9B;CAChB,MAAM,EAAE,SAAS,kBAAkB;CACnC,MAAM,WAAW,MAAM,QAAQ,gBAAgB;AAC/C,KAAI,CAAC,YAAY,SAAS,kBAAkB,cAC1C,OAAM,IAAI,MAAM;CAElB,MAAM,eAAe,SAAS;AAC9B,KAAI,CAAC,OAAO,SAAS,iBAAiB,eAAe,EACnD,OAAM,IAAI,MAAM;CAGlB,MAAM,iBAAiB,MAAM,QAAQ,gBAAgB,wBAAwB;CAC7E,MAAM,yBAAyB,eAC5B,QAAQ,MAAM,EAAE,iBAAiB,cACjC,KAAK,MAAM,EAAE;CAEhB,MAAM,gBAAgB,uBAAuB,SAAS,IAClD,yBACA,eAAe,KAAK,MAAM,EAAE;AAEhC,KAAI,cAAc,WAAW,EAC3B,OAAM,IAAI,MAAM,0DAA0D;CAG5E,MAAM,YAAYC;CAClB,MAAM,aAAa,MAAM,QAAQ,gBAAgB,8CAA8C;EAC7F;EACW;EACX;;CAGF,MAAM,eAAe,MAAM,QAAQ,gBAAgB,iBAAiB;EAClE;EACA,qBAAqB,SAAS;EAClB;;AAEd,KAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,aAAa,SAAS;AAIxC,OAAM,QAAQ,gBAAgB,iCAAiC;EAC7D;EACY;EACZ,OAAO,KAAK;EACZ,eAAe,KAAK;;;;;;;AAYxB,eAAsB,6BACpB,YACA,YACA,WACmB;AACnB,KAAI;EACF,MAAM,gBAAgB,MAAM,WAAW,aACrC,YACA,iCACA,EAAE,YAAY;AAEhB,SAAO,iBAAiB;UACjBZ,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;;;;;AAQX,eAAsB,wBACpB,YACA,YACA,WACkD;AAClD,KAAI;EACF,MAAM,uBAAuB,MAAM,WAAW,KAAsE;GAClH,SAAS;GACT,QAAQ;GACR,MAAM,EAAE,SAAS;;AAGnB,MAAI,wBAAwB,MAAM,QAAQ,sBACxC,QAAO;AAET,SAAO;UACAA,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;AAIX,eAAsB,+BACpB,YACA,YACA,WACsG;AACtG,KAAI;EACF,MAAM,uBAAuB,MAAM,wBAAwB,YAAY,YAAY;AACnF,MAAI,wBAAwB,MAAM,QAAQ,sBACxC,QAAO,qBAAqB,KAAK,CAAC,cAAc,2BAA2B;AACzE,WAAQ,IAAI,4CAA4C,aAAa,IAAI,sBAAsB;GAE/F,MAAM,aAAa,MAAM,QAAQ,sBAAsB,cACnD,sBAAsB,aACtB;GAEJ,MAAM,oBAAoB;IACxB,MAAM,MAAM,OAAQ,sBAA8B,cAAc;AAChE,QAAI,CAAC,IAAK,wBAAO,IAAI,KAAK;AAC1B,QAAI,QAAQ,KAAK,MAAM;KACrB,MAAM,KAAK,OAAO;AAClB,YAAO,OAAO,SAAS,MAAM,IAAI,KAAK,sBAAM,IAAI,KAAK;;IAEvD,MAAM,IAAI,IAAI,KAAK;AACnB,WAAO,OAAO,SAAS,EAAE,aAAa,oBAAI,IAAI,KAAK;;GAGrD,MAAM,uBAAuB;IAC3B,MAAM,MAAO,sBAA8B;AAC3C,QAAI,CAAC,IAAK,QAAO;AACjB,QAAI,MAAM,QAAQ,QAAQ,IAAI,SAAS,KAAK,OAAO,IAAI,OAAO,SAC5D,QAAO;AAET,QAAI,MAAM,QAAQ,KAChB,QAAO,IACJ,KAAK,UAAmB;AACvB,SAAI,CAAC,MAAO,QAAO;AACnB,SAAI,iBAAiB,WAAY,QAAOa,+BAAgB;AACxD,SAAI,MAAM,QAAQ,OAAQ,QAAOA,+BAAgB,IAAI,WAAW;AAChE,YAAO;OAER,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS;AAEpE,WAAO;;GAGT,MAAM,uBAAuB;IAC3B,MAAM,MAAO,sBAA8B;AAC3C,QAAI,OAAO,QAAQ,SAAU,QAAO;IACpC,MAAM,UAAU,IAAI;AACpB,WAAO,UAAUC,uCAAoB,WAAW;;AAGlD,UAAO;IACL;IACA,eAAe;KACb;KACA,qBAAqB,IAAI,WAAW,sBAAsB;KAC1D;KACA,QAAQ;KACR,MAAM,UAAU,sBAAsB,cAAc;KACpD;KAEA,cAAc,sBAAsB;KACpC;;IAEF,GAAI,gBAAgB,EAAE,kBAAkB;;;AAI9C,SAAO;UACAd,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;AAQX,MAAM,uBAAuB;AAE7B,eAAe,wBAAwB,YAAwB,WAAwC;AACrG,KAAI;EACF,MAAM,UAAU,MAAM,WAAW,YAAY;EAC7C,MAAM,WAAY,SAA4C;EAC9D,MAAM,qBAAsB,SAAuD;EACnF,MAAM,0BAA2B,SAA6D;EAE9F,MAAM,eAAe,OAAO,aAAa,YAAY,aAAa;EAClE,MAAM,gBACH,OAAO,uBAAuB,YAAY,mBAAmB,OAAO,SAAS,KAC7E,OAAO,4BAA4B,YAAY,wBAAwB,OAAO,SAAS;AAE1F,SAAO,gBAAgB;SACjB;AACN,SAAO;;;;;;;AAQX,eAAsB,mCACpB,YACA,WACqB;AACrB,KAAI;EAKF,MAAM,cAAc,MAAM,wBAAwB,YAAY;AAC9D,MAAI,CAAC,YAAa,QAAO;EAEzB,MAAM,SAAS,MAAM,WAAW,KAAwC;GACtE,SAAS;GACT,QAAQ;GACR,MAAM;;AAGR,SAAO,MAAM,QAAQ,UAAW,SAAwB;UACjD,OAAO;AACd,SAAO;;;;;;;AAQX,eAAsB,8BACpB,YACA,WACA,qBACA,YAAoCe,yDACb;CACvB,MAAM,cAAc,MAAM,wBAAwB,YAAY;CAE9D,MAAM,EACJ,8BACA,yBACA,8BACE;CAOJ,IAAI,aAAa,CAAC;AAClB,KAAI,CAAC,WACH,KAAI;AACF,QAAM,WAAW,KAAqC;GACpD,SAAS;GACT,QAAQ;GACR,MAAM;;UAEDC,KAAc;EACrB,MAAM,MAAML,4BAAa;AAKzB,MAAI,yCAAyC,KAAK,QAC7C,oBAAoB,KAAK,QACzB,kBAAkB,KAAK,KAC1B,cAAa;;CAKnB,MAAMM,OAAqB,CACzB;EACE,MAAMhB,2BAAW;EACjB,WAAW;;AAIf,QAAO,aACH,CACE,GAAG,MACH;EACE,MAAMA,2BAAW;EACjB,YAAY;EACZ,MAAM;GACJ,mBAAmB;GACnB,qBAAqB;GACrB,QAAQ;GACR,iBAAiB;;EAEnB,KAAK;EACL,SAAS;MAGb,CACE,GAAG,MACH;EACE,MAAMA,2BAAW;EACjB,YAAY;EACZ,MAAM,EACJ,iBAAiB;EAEnB,KAAK;EACL,SAAS;;;AA0CnB,SAAS,MAAM,IAA2B;AACxC,QAAO,IAAI,SAAS,QAAQ,WAAW,KAAK;;AAG9C,SAAS,yBAAyB,KAAuB;CACvD,MAAM,MAAM,OAAOU,4BAAa,QAAQ,IAAI;AAC5C,KAAI,CAAC,IAAK,QAAO;AAGjB,KAAI,IAAI,SAAS,yBAAyB,IAAI,SAAS,yBAAyB,IAAI,SAAS,oBAC3F,QAAO;AAET,KAAI,IAAI,SAAS,yBAA0B,QAAO;AAClD,KAAI,IAAI,SAAS,6BAA8B,QAAO;AACtD,KAAI,IAAI,SAAS,4BAA6B,QAAO;AACrD,KAAI,IAAI,SAAS,wBAAyB,QAAO;AACjD,KAAI,IAAI,SAAS,sBAAuB,QAAO;AAC/C,KAAI,IAAI,SAAS,yBAAyB,IAAI,SAAS,qBAAqB,CAAC,IAAI,SAAS,WAAY,QAAO;AAE7G,QAAO;;AAGT,eAAsB,aACpB,YACA,eACA,WACA,MACkB;CAClB,MAAM,WAAWG,uCAAoB;AACrC,KAAI,CAAC,SAAU,QAAO;CAEtB,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,YAAY;CAC1D,MAAM,UAAU,KAAK,IAAI,IAAI,KAAK,MAAM,MAAM,WAAW;AAEzD,MAAK,IAAI,IAAI,GAAG,IAAI,UAAU,KAAK;AACjC,MAAI;AACF,SAAM,WAAW,cAAc,eAAe;AAC9C,UAAO;UACD;AAGR,MAAI,IAAI,WAAW,EACjB,OAAM,MAAM;;AAGhB,QAAO;;AAGT,eAAsB,uBACpB,YACA,eACA,WACA,MACkB;CAClB,MAAM,WAAWA,uCAAoB;AACrC,KAAI,CAAC,SAAU,QAAO;CAEtB,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,YAAY;CAC1D,MAAM,UAAU,KAAK,IAAI,IAAI,KAAK,MAAM,MAAM,WAAW;AAEzD,MAAK,IAAI,IAAI,GAAG,IAAI,UAAU,KAAK;AACjC,MAAI;AACF,SAAM,WAAW,cAAc,eAAe;WACvCE,KAAc;AACrB,OAAI,yBAAyB,KAAM,QAAO;;AAG5C,MAAI,IAAI,WAAW,EACjB,OAAM,MAAM;;AAGhB,QAAO;;;;;;;;;AAqBT,eAAsB,iCAAiC,EACrD,YACA,YACA,cACA,YACA,wBAOsC;AACtC,KAAI;EACF,MAAM,mBAAmB,MAAM,KAAKE,+BAAgB,aAAa,gBAAgB;AACjF,MAAI,iBAAiB,WAAW,GAC9B,OAAM,IAAI,MAAM;EAElB,MAAM,2BAA2B,aAAa,wBAC1C,MAAM,KAAKA,+BAAgB,aAAa,0BACxC;AACJ,MAAI,yBAAyB,WAAW,KAAK,yBAAyB,WAAW,GAC/E,OAAM,IAAI,MAAM;EAElB,MAAM,UAAU;GACd,gBAAgB,MAAM,KAAKA,+BAAgB,aAAa;GACxD,YAAY,MAAM,KAAKA,+BAAgB,aAAa;GACpD,WAAW,MAAM,KAAKA,+BAAgB,aAAa;GACnD,YAAY,MAAM,KAAKA,+BAAgB,aAAa;GACpD,SAAS,aAAa;GACtB,OAAO,aAAa;GACpB,cAAc,OAAO,aAAa;GAClC,YAAY,MAAM,KAAKA,+BAAgB,aAAa;GACpD;GACA,GAAI,yBAAyB,SAAS,EAAE,6BAA6B;;EAGvE,MAAM,OAAO;GACX,UAAU;GACV,uBAAuB;GACvB,uBAAuB;;EAGzB,MAAM,WAAW,MAAM,WAAW,aAChC,YACA,2BACA;EAGF,MAAM,WAAW,CAAC,CAAC,UAAU;AAC7B,SAAO;GACL,SAAS;GACT;GACA,MAAM;GACN,OAAO,WAAW,SAAY;;UAEzBF,KAAc;AACrB,SAAO;GACL,SAAS;GACT,UAAU;GACV,MAAM;GACN,OAAOL,4BAAa,QAAQ;;;;;;;;;AAWlC,eAAsB,6BACpB,gBACA,WACA,aACA,cACA,wBAQC;AACD,KAAI;EAEF,MAAM,WAAW,SAAuC;AACtD,OAAI,CAAC,KAAM,QAAO;AAClB,UAAO,MAAM,KAAKO,+BAAgB;;EAEpC,MAAM,mBAAmB,QAAQ,aAAa;AAC9C,MAAI,iBAAiB,WAAW,GAC9B,OAAM,IAAI,MAAM;EAElB,MAAM,2BAA2B,QAAQ,aAAa;AACtD,MAAI,yBAAyB,WAAW,KAAK,yBAAyB,WAAW,GAC/E,OAAM,IAAI,MAAM;EAElB,MAAM,WAAW;GACf,gBAAgB,QAAQ,aAAa;GACrC,YAAY,QAAQ,aAAa;GACjC,WAAW,QAAQ,aAAa;GAChC,YAAY,QAAQ,aAAa;GACjC,SAAS,aAAa;GACtB,OAAO,aAAa;GACpB,cAAc,OAAO,aAAa,eAAe;GACjD,YAAY,QAAQ,aAAa;GACjC;GACA,GAAI,yBAAyB,SAAS,EAAE,6BAA6B;;EAIvE,MAAM,0BAA0B;GAC9B,GAAG;GACH,yBAAyB,uBAAuB,2BAA2B;GAC3E,UAAU;IACR,GAAG,uBAAuB;IAC1B,YAAY,uBAAuB,SAAS,cAAc;;;EAI9D,MAAM,MAAM,GAAG,eAAe,QAAQ,OAAO,MAAM,UAAU,WAAW,OAAO,YAAY,IAAI;EAC/F,MAAM,WAAW,MAAM,MAAM,KAAK;GAChC,QAAQ;GACR,SAAS,EACP,gBAAgB;GAElB,aAAa,gBAAgB,WAAW,YAAY;GACpD,MAAM,KAAK,UAAU;IACN;IACb;IACA;;;AAIJ,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS;AACjC,UAAO;IACL,SAAS;IACT,OAAO,QAAQ,SAAS,OAAO,IAAI;;;EAIvC,MAAM,SAAS,MAAM,SAAS;AAC9B,SAAO;GACL,SAAS;GACT,UAAU,OAAO;GACjB,KAAK,OAAO;GACZ,mBAAmB,OAAO;GAC1B,kBAAkB,OAAO;;UAEpBlB,OAAY;AACnB,SAAO;GACL,SAAS;GACT,OAAO,MAAM,WAAW;;;;AA2G9B,eAAsB,uBACpB,gBACA,cACA,wBACA,MAeC;AACD,KAAI;EACF,MAAM,OAAO,OAAO,kBAAkB,IAAI,OAAO,QAAQ,OAAO;AAChE,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM;EAE3B,MAAM,2BAA2B,OAAO,KAAK,4BAA4B,IAAI;AAC7E,MAAI,CAAC,yBAA0B,OAAM,IAAI,MAAM;EAE/C,MAAM,gBAAgB,OAAO,KAAK,iBAAiB,IAAI;AACvD,MAAI,CAAC,cAAe,OAAM,IAAI,MAAM;EAEpC,MAAM,WAAW,SAAuC;AACtD,OAAI,CAAC,KAAM,QAAO;AAClB,UAAO,MAAM,KAAKkB,+BAAgB;;EAEpC,MAAM,mBAAmB,QAAQ,aAAa;AAC9C,MAAI,iBAAiB,WAAW,GAC9B,OAAM,IAAI,MAAM;EAElB,MAAM,WAAW;GACf,gBAAgB,QAAQ,aAAa;GACrC,YAAY,QAAQ,aAAa;GACjC,WAAW,QAAQ,aAAa;GAChC,YAAY,QAAQ,aAAa;GACjC,SAAS,aAAa;GACtB,OAAO,aAAa;GACpB,cAAc,OAAO,aAAa,eAAe;GACjD,YAAY,QAAQ,aAAa;GACjC;;EAIF,MAAM,0BAA0B;GAC9B,GAAG;GACH,yBAAyB,uBAAuB,2BAA2B;GAC3E,UAAU;IACR,GAAG,uBAAuB;IAC1B,YAAY,uBAAuB,SAAS,cAAc;;GAE5D,wBAAwB;;EAG1B,MAAM,MAAM,GAAG,KAAK;EACpB,MAAM,WAAW,MAAM,MAAM,KAAK;GAChC,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,aAAa;GACb,MAAM,KAAK,UAAU;IACnB;IACA;IACA;IACA;;;AAIJ,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS;AACjC,UAAO;IAAE,IAAI;IAAO,OAAO,QAAQ,SAAS,OAAO,IAAI;;;EAGzD,MAAM,OAAO,MAAM,SAAS;AAC5B,SAAO;GACL,IAAI,CAAC,CAAC,MAAM;GACZ,qBAAqB,MAAM;GAC3B,sBAAsB,MAAM;GAC5B,gBAAgB,MAAM;GACtB,cAAc,MAAM;GACpB,WAAW,MAAM;GACjB,2BAA2B,MAAM;GACjC,MAAM,MAAM;GACZ,SAAS,MAAM;;UAEVlB,OAAY;AACnB,SAAO;GAAE,IAAI;GAAO,OAAO,OAAO,WAAW;;;;AAIjD,eAAsB,yCACpB,gBACA,MAgBC;AACD,KAAI;EACF,MAAM,OAAO,OAAO,kBAAkB,IAAI,OAAO,QAAQ,OAAO;AAChE,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM;EAE3B,MAAM,2BAA2B,OAAO,KAAK,4BAA4B,IAAI;AAC7E,MAAI,CAAC,yBAA0B,OAAM,IAAI,MAAM;EAE/C,MAAM,gBAAgB,OAAO,KAAK,iBAAiB,IAAI;AACvD,MAAI,CAAC,cAAe,OAAM,IAAI,MAAM;EAEpC,MAAM,qBAAqB,OAAO,KAAK,sBAAsB,IAAI;AACjE,MAAI,CAAC,mBAAoB,OAAM,IAAI,MAAM;EAEzC,MAAM,MAAM,GAAG,KAAK;EACpB,MAAM,WAAW,MAAM,MAAM,KAAK;GAChC,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,aAAa;GACb,MAAM,KAAK,UAAU;IACnB;IACA;IACA;;;AAIJ,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS;AACjC,UAAO;IAAE,IAAI;IAAO,OAAO,QAAQ,SAAS,OAAO,IAAI;;;EAGzD,MAAM,OAAO,MAAM,SAAS;AAC5B,SAAO;GACL,IAAI,CAAC,CAAC,MAAM;GACZ,qBAAqB,MAAM;GAC3B,sBAAsB,MAAM;GAC5B,gBAAgB,MAAM;GACtB,cAAc,MAAM;GACpB,WAAW,MAAM;GACjB,2BAA2B,MAAM;GACjC,MAAM,MAAM;GACZ,SAAS,MAAM;;UAEVA,OAAY;AACnB,SAAO;GAAE,IAAI;GAAO,OAAO,OAAO,WAAW"}

package/dist/cjs/core/sdkPaths/base.js CHANGED Viewed

@@ -1,4 +1,3 @@
-const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
 //#region src/core/sdkPaths/base.ts
 const W3A_WALLET_SDK_BASE_EVENT = "W3A_WALLET_SDK_BASE_CHANGED";

package/dist/cjs/core/sdkPaths/base.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"base.js","names":[],"sources":["../../../../src/core/sdkPaths/base.ts"],"sourcesContent":["/*\n SDK Base (wallet origin)\n \n The wallet iframe host announces the absolute SDK base URL so that all\n * embedded assets (host script, Lit bundles) and module workers resolve from\n * the wallet origin in production. This keeps sensitive execution isolated\n * under the wallet site while allowing cross‑origin embedding.\n \n Writers:\n * - Wallet iframe host (service) on boot and after PM_SET_CONFIG\n * - App provider hook in dev when walletOrigin is configured\n \n Readers:\n * - WebAuthnManager (to set worker base origin for managers)\n * - Lit wrappers (to resolve embedded script/css URLs)\n /\nexport const W3A_WALLET_SDK_BASE_KEY = '__W3A_WALLET_SDK_BASE__'\nexport const W3A_WALLET_SDK_BASE_EVENT = 'W3A_WALLET_SDK_BASE_CHANGED'\n\n/\n Typed CustomEvent emitted when the wallet SDK base changes.\n * Detail contains the absolute base URL string (e.g., `${walletOrigin}/sdk/`).\n /\nexport type WalletSdkBaseChangedEvent = CustomEvent<string>\n\nexport interface WalletSDKBase {\n [W3A_WALLET_SDK_BASE_KEY]?: string\n}\n\n/\n @returns Absolute SDK base URL (e.g., `${walletOrigin}/sdk/`) when set, otherwise undefined.\n /\nexport function getEmbeddedBase(): string \| undefined {\n if (typeof window === 'undefined') return undefined\n const w = window as unknown as WalletSDKBase\n const v = w[W3A_WALLET_SDK_BASE_KEY]\n return typeof v === 'string' && v.length > 0 ? v : undefined\n}\n\n/\n @param url - Absolute SDK base URL (e.g., `${walletOrigin}/sdk/`).\n * @returns void\n /\nexport function setEmbeddedBase(url: string): void {\n if (typeof window === 'undefined') return\n const w = window as unknown as WalletSDKBase\n w[W3A_WALLET_SDK_BASE_KEY] = url\n window.dispatchEvent(new CustomEvent(W3A_WALLET_SDK_BASE_EVENT as any, { detail: url }))\n}\n\n/\n @param cb - Callback invoked with the new absolute base URL when it changes.\n * @returns Unsubscribe function to remove the listener.\n */\nexport function onEmbeddedBaseChange(cb: (url: string) => void): () => void {\n if (typeof window === 'undefined') return () => {}\n const handler = (e: WalletSdkBaseChangedEvent) => {\n const d = e.detail\n if (typeof d === 'string' && d.length > 0) cb(d)\n }\n window.addEventListener(W3A_WALLET_SDK_BASE_EVENT, handler as EventListener, { passive: true })\n return () => window.removeEventListener(W3A_WALLET_SDK_BASE_EVENT, handler as EventListener)\n}\n"],"mappings":"~~;;;~~AAiBA,MAAa,4BAA4B;;;;;AAqCzC,SAAgB,qBAAqB,IAAuC;AAC1E,KAAI,OAAO,WAAW,YAAa,cAAa;CAChD,MAAM,WAAW,MAAiC;EAChD,MAAM,IAAI,EAAE;AACZ,MAAI,OAAO,MAAM,YAAY,EAAE,SAAS,EAAG,IAAG;;AAEhD,QAAO,iBAAiB,2BAA2B,SAA0B,EAAE,SAAS;AACxF,cAAa,OAAO,oBAAoB,2BAA2B"}
1	+ {"version":3,"file":"base.js","names":[],"sources":["../../../../src/core/sdkPaths/base.ts"],"sourcesContent":["/*\n SDK Base (wallet origin)\n \n The wallet iframe host announces the absolute SDK base URL so that all\n * embedded assets (host script, Lit bundles) and module workers resolve from\n * the wallet origin in production. This keeps sensitive execution isolated\n * under the wallet site while allowing cross‑origin embedding.\n \n Writers:\n * - Wallet iframe host (service) on boot and after PM_SET_CONFIG\n * - App provider hook in dev when walletOrigin is configured\n \n Readers:\n * - WebAuthnManager (to set worker base origin for managers)\n * - Lit wrappers (to resolve embedded script/css URLs)\n /\nexport const W3A_WALLET_SDK_BASE_KEY = '__W3A_WALLET_SDK_BASE__'\nexport const W3A_WALLET_SDK_BASE_EVENT = 'W3A_WALLET_SDK_BASE_CHANGED'\n\n/\n Typed CustomEvent emitted when the wallet SDK base changes.\n * Detail contains the absolute base URL string (e.g., `${walletOrigin}/sdk/`).\n /\nexport type WalletSdkBaseChangedEvent = CustomEvent<string>\n\nexport interface WalletSDKBase {\n [W3A_WALLET_SDK_BASE_KEY]?: string\n}\n\n/\n @returns Absolute SDK base URL (e.g., `${walletOrigin}/sdk/`) when set, otherwise undefined.\n /\nexport function getEmbeddedBase(): string \| undefined {\n if (typeof window === 'undefined') return undefined\n const w = window as unknown as WalletSDKBase\n const v = w[W3A_WALLET_SDK_BASE_KEY]\n return typeof v === 'string' && v.length > 0 ? v : undefined\n}\n\n/\n @param url - Absolute SDK base URL (e.g., `${walletOrigin}/sdk/`).\n * @returns void\n /\nexport function setEmbeddedBase(url: string): void {\n if (typeof window === 'undefined') return\n const w = window as unknown as WalletSDKBase\n w[W3A_WALLET_SDK_BASE_KEY] = url\n window.dispatchEvent(new CustomEvent(W3A_WALLET_SDK_BASE_EVENT as any, { detail: url }))\n}\n\n/\n @param cb - Callback invoked with the new absolute base URL when it changes.\n * @returns Unsubscribe function to remove the listener.\n */\nexport function onEmbeddedBaseChange(cb: (url: string) => void): () => void {\n if (typeof window === 'undefined') return () => {}\n const handler = (e: WalletSdkBaseChangedEvent) => {\n const d = e.detail\n if (typeof d === 'string' && d.length > 0) cb(d)\n }\n window.addEventListener(W3A_WALLET_SDK_BASE_EVENT, handler as EventListener, { passive: true })\n return () => window.removeEventListener(W3A_WALLET_SDK_BASE_EVENT, handler as EventListener)\n}\n"],"mappings":";;AAiBA,MAAa,4BAA4B;;;;;AAqCzC,SAAgB,qBAAqB,IAAuC;AAC1E,KAAI,OAAO,WAAW,YAAa,cAAa;CAChD,MAAM,WAAW,MAAiC;EAChD,MAAM,IAAI,EAAE;AACZ,MAAI,OAAO,MAAM,YAAY,EAAE,SAAS,EAAG,IAAG;;AAEhD,QAAO,iBAAiB,2BAA2B,SAA0B,EAAE,SAAS;AACxF,cAAa,OAAO,oBAAoB,2BAA2B"}

package/dist/cjs/core/sdkPaths/workers.js CHANGED Viewed

@@ -1,23 +1,24 @@
-const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
 //#region src/core/sdkPaths/workers.ts
 /**
 * Resolve the base origin for worker scripts.
 * Priority:
-* 1) window.__W3A_WALLET_SDK_BASE__ (absolute `${walletOrigin}${sdkBasePath}/`) → take its origin
+* 1) window.__W3A_WALLET_SDK_BASE__ (absolute `${walletOrigin}${sdkBasePath}/`) → take its origin (only if same-origin)
 * 2) window.location.origin (host/app origin)
 *
 * @returns The origin (protocol + host [+ port]) used to resolve worker script URLs.
 *          Prefers the wallet SDK base origin; falls back to the current window origin.
 */
 function resolveWorkerBaseOrigin() {
-	let origin = "";
-	if (typeof window !== "undefined" && window.location?.origin) origin = window.location.origin;
+	const currentOrigin = typeof window !== "undefined" && window.location?.origin ? window.location.origin : "";
 	try {
 		const embeddedBase = window?.__W3A_WALLET_SDK_BASE__;
-		if (embeddedBase) origin = new URL(embeddedBase, origin || "https://invalid.local").origin;
+		if (embeddedBase) {
+			const embeddedOrigin = new URL(embeddedBase, currentOrigin || "https://invalid.local").origin;
+			if (embeddedOrigin === currentOrigin) return embeddedOrigin;
+		}
 	} catch {}
-	return origin;
+	return currentOrigin;
 }
 function resolveWorkerUrl(input, opts) {
 	const worker = opts.worker;

package/dist/cjs/core/sdkPaths/workers.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"workers.js","names":[],"sources":["../../../../src/core/sdkPaths/workers.ts"],"sourcesContent":["/*\n Resolve the base origin for worker scripts.\n * Priority:\n * 1) window.__W3A_WALLET_SDK_BASE__ (absolute `${walletOrigin}${sdkBasePath}/`) → take its origin\n * 2) window.location.origin (host/app origin)\n \n @returns The origin (protocol + host [+ port]) used to resolve worker script URLs.\n * Prefers the wallet SDK base origin; falls back to the current window origin.\n /\nexport function resolveWorkerBaseOrigin(): string {\n ~~let~~ ~~origin~~ ~~= ''\~~n if (typeof window !== 'undefined' && window.location?.origin) {\n ~~origin~~ = window.location.origin\n }\n try {\n const embeddedBase = (window as any)?.__W3A_WALLET_SDK_BASE__ as string \| undefined\n if (embeddedBase) {\n ~~origin~~ = new URL(embeddedBase, ~~origin~~ \|\| 'https://invalid.local').origin\n }\n } catch {}\n return ~~origin\~~n}\n\n/\n Build an absolute worker script URL from a path or absolute URL.\n * If `input` is a path (e.g., `/sdk/workers/foo.js`), it will be resolved\n * against the wallet origin (from `__W3A_WALLET_SDK_BASE__`) when available,\n * otherwise against the host origin.\n \n @param input - Absolute URL or path (e.g., `/sdk/workers/web3authn-signer.worker.js`).\n * @returns Absolute URL to the worker script, resolved against the wallet origin when available,\n * otherwise against the current window origin.\n */\nexport function resolveWorkerScriptUrl(input: string): string {\n return resolveWorkerUrl(input, { worker: detectWorkerFromPath(input) })\n}\n\nexport function resolveWorkerUrl(\n input: string \| undefined,\n opts: { worker: 'signer' \| 'vrf'; baseOrigin?: string }\n): string {\n const worker = opts.worker\n const baseOrigin = opts.baseOrigin \|\| resolveWorkerBaseOrigin() \|\| (typeof window !== 'undefined' ? window.location.origin : '') \|\| 'https://invalid.local'\n try {\n // Prefer explicit per-worker URL override\n const ovAny = (typeof window !== 'undefined' ? (window as any) : {}) as any\n const override = worker === 'signer' ? ovAny.__W3A_SIGNER_WORKER_URL__ : ovAny.__W3A_VRF_WORKER_URL__\n const candidate = (typeof override === 'string' && override) ? override : (input \|\| defaultWorkerPath(worker))\n if (/^https?:\\/\\//i.test(candidate)) {\n return new URL(candidate).toString()\n }\n return new URL(candidate, baseOrigin).toString()\n } catch {\n try { return new URL(input \|\| defaultWorkerPath(worker), baseOrigin).toString() } catch {}\n return input \|\| defaultWorkerPath(worker)\n }\n}\n\nfunction detectWorkerFromPath(p: string): 'signer' \| 'vrf' {\n return /web3authn-signer\\.worker\\.js(?:$\|\\?)/.test(p) ? 'signer' : 'vrf'\n}\n\nfunction defaultWorkerPath(worker: 'signer' \| 'vrf'): string {\n return worker === 'signer' ? '/sdk/workers/web3authn-signer.worker.js' : '/sdk/workers/web3authn-vrf.worker.js'\n}\n"],"mappings":"~~;;;;;;;;;;;;~~AASA,SAAgB,0BAAkC;CAChD,~~IAAI~~,~~SAAS;AACb~~,~~KAAI,~~OAAO,WAAW,eAAe,OAAO,UAAU,~~OACpD~~,~~UAAS,~~OAAO,SAAS;~~AAE3B~~,KAAI;EACF,MAAM,eAAgB,QAAgB;AACtC,MAAI,~~aACF~~,~~UAAS~~,IAAI,IAAI,cAAc,~~UAAU~~,yBAAyB;~~SAE9D~~;~~AACR~~,QAAO;;AAiBT,SAAgB,iBACd,OACA,MACQ;CACR,MAAM,SAAS,KAAK;CACpB,MAAM,aAAa,KAAK,cAAc,8BAA8B,OAAO,WAAW,cAAc,OAAO,SAAS,SAAS,OAAO;AACpI,KAAI;EAEF,MAAM,QAAS,OAAO,WAAW,cAAe,SAAiB;EACjE,MAAM,WAAW,WAAW,WAAW,MAAM,4BAA4B,MAAM;EAC/E,MAAM,YAAa,OAAO,aAAa,YAAY,WAAY,WAAY,SAAS,kBAAkB;AACtG,MAAI,gBAAgB,KAAK,WACvB,QAAO,IAAI,IAAI,WAAW;AAE5B,SAAO,IAAI,IAAI,WAAW,YAAY;SAChC;AACN,MAAI;AAAE,UAAO,IAAI,IAAI,SAAS,kBAAkB,SAAS,YAAY;UAAmB;AACxF,SAAO,SAAS,kBAAkB;;;AAQtC,SAAS,kBAAkB,QAAkC;AAC3D,QAAO,WAAW,WAAW,4CAA4C"}
1	+ {"version":3,"file":"workers.js","names":[],"sources":["../../../../src/core/sdkPaths/workers.ts"],"sourcesContent":["/*\n Resolve the base origin for worker scripts.\n * Priority:\n * 1) window.__W3A_WALLET_SDK_BASE__ (absolute `${walletOrigin}${sdkBasePath}/`) → take its origin (only if same-origin)\n * 2) window.location.origin (host/app origin)\n \n @returns The origin (protocol + host [+ port]) used to resolve worker script URLs.\n * Prefers the wallet SDK base origin; falls back to the current window origin.\n /\nexport function resolveWorkerBaseOrigin(): string {\n const currentOrigin =\n (typeof window !== 'undefined' && window.location?.origin)\n ? window.location.origin\n : '';\n\n // Only allow worker scripts to resolve from the embedded base when it matches\n // the current origin. Cross-origin worker scripts are not reliably loadable\n // across browsers (even for module workers) and will fail with CORS errors.\n try {\n const embeddedBase = (window as any)?.__W3A_WALLET_SDK_BASE__ as string \| undefined;\n if (embeddedBase) {\n const embeddedOrigin = new URL(embeddedBase, currentOrigin \|\| 'https://invalid.local').origin;\n if (embeddedOrigin === currentOrigin) {\n return embeddedOrigin;\n }\n }\n } catch {}\n\n return currentOrigin;\n}\n\n/\n Build an absolute worker script URL from a path or absolute URL.\n * If `input` is a path (e.g., `/sdk/workers/foo.js`), it will be resolved\n * against the wallet origin (from `__W3A_WALLET_SDK_BASE__`) when available,\n * otherwise against the host origin.\n \n @param input - Absolute URL or path (e.g., `/sdk/workers/web3authn-signer.worker.js`).\n * @returns Absolute URL to the worker script, resolved against the wallet origin when available,\n * otherwise against the current window origin.\n */\nexport function resolveWorkerScriptUrl(input: string): string {\n return resolveWorkerUrl(input, { worker: detectWorkerFromPath(input) })\n}\n\nexport function resolveWorkerUrl(\n input: string \| undefined,\n opts: { worker: 'signer' \| 'vrf'; baseOrigin?: string }\n): string {\n const worker = opts.worker\n const baseOrigin = opts.baseOrigin \|\| resolveWorkerBaseOrigin() \|\| (typeof window !== 'undefined' ? window.location.origin : '') \|\| 'https://invalid.local'\n try {\n // Prefer explicit per-worker URL override\n const ovAny = (typeof window !== 'undefined' ? (window as any) : {}) as any\n const override = worker === 'signer' ? ovAny.__W3A_SIGNER_WORKER_URL__ : ovAny.__W3A_VRF_WORKER_URL__\n const candidate = (typeof override === 'string' && override) ? override : (input \|\| defaultWorkerPath(worker))\n if (/^https?:\\/\\//i.test(candidate)) {\n return new URL(candidate).toString()\n }\n return new URL(candidate, baseOrigin).toString()\n } catch {\n try { return new URL(input \|\| defaultWorkerPath(worker), baseOrigin).toString() } catch {}\n return input \|\| defaultWorkerPath(worker)\n }\n}\n\nfunction detectWorkerFromPath(p: string): 'signer' \| 'vrf' {\n return /web3authn-signer\\.worker\\.js(?:$\|\\?)/.test(p) ? 'signer' : 'vrf'\n}\n\nfunction defaultWorkerPath(worker: 'signer' \| 'vrf'): string {\n return worker === 'signer' ? '/sdk/workers/web3authn-signer.worker.js' : '/sdk/workers/web3authn-vrf.worker.js'\n}\n"],"mappings":";;;;;;;;;;;AASA,SAAgB,0BAAkC;CAChD,MAAM,gBACH,OAAO,WAAW,eAAe,OAAO,UAAU,SAC/C,OAAO,SAAS,SAChB;AAKN,KAAI;EACF,MAAM,eAAgB,QAAgB;AACtC,MAAI,cAAc;GAChB,MAAM,iBAAiB,IAAI,IAAI,cAAc,iBAAiB,yBAAyB;AACvF,OAAI,mBAAmB,cACrB,QAAO;;SAGL;AAER,QAAO;;AAiBT,SAAgB,iBACd,OACA,MACQ;CACR,MAAM,SAAS,KAAK;CACpB,MAAM,aAAa,KAAK,cAAc,8BAA8B,OAAO,WAAW,cAAc,OAAO,SAAS,SAAS,OAAO;AACpI,KAAI;EAEF,MAAM,QAAS,OAAO,WAAW,cAAe,SAAiB;EACjE,MAAM,WAAW,WAAW,WAAW,MAAM,4BAA4B,MAAM;EAC/E,MAAM,YAAa,OAAO,aAAa,YAAY,WAAY,WAAY,SAAS,kBAAkB;AACtG,MAAI,gBAAgB,KAAK,WACvB,QAAO,IAAI,IAAI,WAAW;AAE5B,SAAO,IAAI,IAAI,WAAW,YAAY;SAChC;AACN,MAAI;AAAE,UAAO,IAAI,IAAI,SAAS,kBAAkB,SAAS,YAAY;UAAmB;AACxF,SAAO,SAAS,kBAAkB;;;AAQtC,SAAS,kBAAkB,QAAkC;AAC3D,QAAO,WAAW,WAAW,4CAA4C"}

package/dist/cjs/core/threshold/thresholdEd25519AuthSession.js ADDED Viewed

@@ -0,0 +1,145 @@
+const require_validation = require('../../utils/validation.js');
+const require_base64 = require('../../utils/base64.js');
+const require_participants = require('../../threshold/participants.js');
+const require_credentialsHelpers = require('../WebAuthnManager/credentialsHelpers.js');
+//#region src/core/threshold/thresholdEd25519AuthSession.ts
+const authSessionCache = /* @__PURE__ */ new Map();
+function makeThresholdEd25519AuthSessionCacheKey(args) {
+	const relayerUrl = require_validation.stripTrailingSlashes(require_validation.toTrimmedString(args.relayerUrl));
+	const participantIds = require_participants.normalizeThresholdEd25519ParticipantIds(args.participantIds);
+	return [
+		String(args.nearAccountId || "").trim(),
+		String(args.rpId || "").trim(),
+		relayerUrl,
+		String(args.relayerKeyId || "").trim(),
+		...participantIds ? [participantIds.join(",")] : []
+	].join("|");
+}
+function getCachedThresholdEd25519AuthSession(cacheKey) {
+	const entry = authSessionCache.get(cacheKey);
+	if (!entry) return null;
+	if (typeof entry.expiresAtMs === "number" && Number.isFinite(entry.expiresAtMs) && Date.now() >= entry.expiresAtMs) {
+		authSessionCache.delete(cacheKey);
+		return null;
+	}
+	return entry;
+}
+function putCachedThresholdEd25519AuthSession(cacheKey, entry) {
+	authSessionCache.set(cacheKey, entry);
+}
+function clearCachedThresholdEd25519AuthSession(cacheKey) {
+	authSessionCache.delete(cacheKey);
+}
+function clearAllCachedThresholdEd25519AuthSessions() {
+	authSessionCache.clear();
+}
+function getCachedThresholdEd25519AuthSessionJwt(cacheKey) {
+	const cached = getCachedThresholdEd25519AuthSession(cacheKey);
+	const jwt = cached?.jwt;
+	if (typeof jwt === "string") {
+		const trimmed = jwt.trim();
+		if (trimmed) return trimmed;
+	}
+	if (cached) clearCachedThresholdEd25519AuthSession(cacheKey);
+	return void 0;
+}
+async function mintThresholdEd25519AuthSession(args) {
+	const relayerUrl = require_validation.stripTrailingSlashes(require_validation.toTrimmedString(args.relayerUrl));
+	if (!relayerUrl) return {
+		ok: false,
+		code: "invalid_args",
+		message: "Missing relayerUrl for threshold session mint"
+	};
+	if (typeof fetch !== "function") return {
+		ok: false,
+		code: "unsupported",
+		message: "fetch is not available for threshold session mint"
+	};
+	const toBytes = (b64u) => {
+		if (!b64u) return [];
+		return Array.from(require_base64.base64UrlDecode(b64u));
+	};
+	const intent_digest_32 = toBytes(args.vrfChallenge.intentDigest);
+	if (intent_digest_32.length !== 32) return {
+		ok: false,
+		code: "invalid_args",
+		message: "Missing or invalid vrfChallenge.intentDigest (expected base64url 32 bytes)"
+	};
+	const clientVerifyingShareBytes = toBytes(args.clientVerifyingShareB64u);
+	if (clientVerifyingShareBytes.length !== 32) return {
+		ok: false,
+		code: "invalid_args",
+		message: "Missing or invalid clientVerifyingShareB64u (expected base64url 32 bytes)"
+	};
+	const session_policy_digest_32 = toBytes(args.vrfChallenge.sessionPolicyDigest32);
+	if (session_policy_digest_32.length !== 32) return {
+		ok: false,
+		code: "invalid_args",
+		message: "Missing vrfChallenge.sessionPolicyDigest32 (expected base64url 32 bytes) for threshold session mint"
+	};
+	const vrf_data = {
+		vrf_input_data: toBytes(args.vrfChallenge.vrfInput),
+		vrf_output: toBytes(args.vrfChallenge.vrfOutput),
+		vrf_proof: toBytes(args.vrfChallenge.vrfProof),
+		public_key: toBytes(args.vrfChallenge.vrfPublicKey),
+		user_id: args.vrfChallenge.userId,
+		rp_id: args.vrfChallenge.rpId,
+		block_height: Number(args.vrfChallenge.blockHeight || 0),
+		block_hash: toBytes(args.vrfChallenge.blockHash),
+		intent_digest_32,
+		session_policy_digest_32
+	};
+	const webauthn_authentication = require_credentialsHelpers.removePrfOutputGuard(args.webauthnAuthentication);
+	try {
+		const url = `${relayerUrl}/threshold-ed25519/session`;
+		const response = await fetch(url, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			credentials: args.sessionKind === "cookie" ? "include" : "omit",
+			body: JSON.stringify({
+				sessionKind: args.sessionKind,
+				relayerKeyId: args.relayerKeyId,
+				clientVerifyingShareB64u: args.clientVerifyingShareB64u,
+				sessionPolicy: args.sessionPolicy,
+				vrf_data,
+				webauthn_authentication
+			})
+		});
+		const data = await response.json().catch(() => ({}));
+		if (!response.ok) return {
+			ok: false,
+			code: data.code || "http_error",
+			message: data.message || `HTTP ${response.status}`
+		};
+		const expiresAtMs = (() => {
+			const raw = data.expiresAt ? Date.parse(data.expiresAt) : NaN;
+			return Number.isFinite(raw) ? raw : void 0;
+		})();
+		return {
+			ok: data.ok === true,
+			sessionId: data.sessionId,
+			expiresAtMs,
+			remainingUses: data.remainingUses,
+			jwt: data.jwt,
+			...data.code ? { code: data.code } : {},
+			...data.message ? { message: data.message } : {}
+		};
+	} catch (e) {
+		const msg = String(e && typeof e === "object" && "message" in e ? e.message : e || "Failed to mint threshold session");
+		return {
+			ok: false,
+			code: "network_error",
+			message: msg
+		};
+	}
+}
+//#endregion
+exports.clearAllCachedThresholdEd25519AuthSessions = clearAllCachedThresholdEd25519AuthSessions;
+exports.clearCachedThresholdEd25519AuthSession = clearCachedThresholdEd25519AuthSession;
+exports.getCachedThresholdEd25519AuthSessionJwt = getCachedThresholdEd25519AuthSessionJwt;
+exports.makeThresholdEd25519AuthSessionCacheKey = makeThresholdEd25519AuthSessionCacheKey;
+exports.mintThresholdEd25519AuthSession = mintThresholdEd25519AuthSession;
+exports.putCachedThresholdEd25519AuthSession = putCachedThresholdEd25519AuthSession;
+//# sourceMappingURL=thresholdEd25519AuthSession.js.map

package/dist/cjs/core/threshold/thresholdEd25519AuthSession.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"thresholdEd25519AuthSession.js","names":["stripTrailingSlashes","toTrimmedString","normalizeThresholdEd25519ParticipantIds","base64UrlDecode","removePrfOutputGuard","e: unknown"],"sources":["../../../../src/core/threshold/thresholdEd25519AuthSession.ts"],"sourcesContent":["import { base64UrlDecode } from '@/utils/encoders';\nimport { stripTrailingSlashes, toTrimmedString } from '@/utils/validation';\nimport { removePrfOutputGuard } from '../WebAuthnManager/credentialsHelpers';\nimport type { VRFChallenge } from '../types/vrf-worker';\nimport type { ThresholdEd25519SessionPolicy } from './thresholdSessionPolicy';\nimport type { WebAuthnAuthenticationCredential } from '../types/webauthn';\nimport { normalizeThresholdEd25519ParticipantIds } from '../../threshold/participants';\n\nexport type ThresholdEd25519SessionKind = 'jwt' | 'cookie';\n\nexport type ThresholdEd25519AuthSession = {\n sessionKind: ThresholdEd25519SessionKind;\n policy: ThresholdEd25519SessionPolicy;\n policyJson: string;\n sessionPolicyDigest32: string;\n jwt?: string;\n expiresAtMs?: number;\n};\n\ntype ThresholdEd25519AuthSessionCacheEntry = ThresholdEd25519AuthSession;\n\nconst authSessionCache = new Map<string, ThresholdEd25519AuthSessionCacheEntry>();\n\nexport function makeThresholdEd25519AuthSessionCacheKey(args: {\n nearAccountId: string;\n rpId: string;\n relayerUrl: string;\n relayerKeyId: string;\n participantIds?: number[];\n}): string {\n const relayerUrl = stripTrailingSlashes(toTrimmedString(args.relayerUrl));\n const participantIds = normalizeThresholdEd25519ParticipantIds(args.participantIds);\n return [\n String(args.nearAccountId || '').trim(),\n String(args.rpId || '').trim(),\n relayerUrl,\n String(args.relayerKeyId || '').trim(),\n ...(participantIds ? [participantIds.join(',')] : []),\n ].join('|');\n}\n\nexport function getCachedThresholdEd25519AuthSession(cacheKey: string): ThresholdEd25519AuthSession | null {\n const entry = authSessionCache.get(cacheKey);\n if (!entry) return null;\n\n if (typeof entry.expiresAtMs === 'number' && Number.isFinite(entry.expiresAtMs) && Date.now() >= entry.expiresAtMs) {\n authSessionCache.delete(cacheKey);\n return null;\n }\n\n return entry;\n}\n\nexport function putCachedThresholdEd25519AuthSession(cacheKey: string, entry: ThresholdEd25519AuthSession): void {\n authSessionCache.set(cacheKey, entry);\n}\n\nexport function clearCachedThresholdEd25519AuthSession(cacheKey: string): void {\n authSessionCache.delete(cacheKey);\n}\n\nexport function clearAllCachedThresholdEd25519AuthSessions(): void {\n authSessionCache.clear();\n}\n\nexport function getCachedThresholdEd25519AuthSessionJwt(cacheKey: string): string | undefined {\n const cached = getCachedThresholdEd25519AuthSession(cacheKey);\n const jwt = cached?.jwt;\n if (typeof jwt === 'string') {\n const trimmed = jwt.trim();\n if (trimmed) return trimmed;\n }\n if (cached) clearCachedThresholdEd25519AuthSession(cacheKey);\n return undefined;\n}\n\nexport async function mintThresholdEd25519AuthSession(args: {\n relayerUrl: string;\n sessionKind: ThresholdEd25519SessionKind;\n relayerKeyId: string;\n clientVerifyingShareB64u: string;\n sessionPolicy: ThresholdEd25519SessionPolicy;\n vrfChallenge: VRFChallenge;\n webauthnAuthentication: WebAuthnAuthenticationCredential;\n}): Promise<{\n ok: boolean;\n sessionId?: string;\n expiresAtMs?: number;\n remainingUses?: number;\n jwt?: string;\n code?: string;\n message?: string;\n}> {\n const relayerUrl = stripTrailingSlashes(toTrimmedString(args.relayerUrl));\n if (!relayerUrl) {\n return { ok: false, code: 'invalid_args', message: 'Missing relayerUrl for threshold session mint' };\n }\n\n if (typeof fetch !== 'function') {\n return { ok: false, code: 'unsupported', message: 'fetch is not available for threshold session mint' };\n }\n\n const toBytes = (b64u: string | undefined): number[] => {\n if (!b64u) return [];\n return Array.from(base64UrlDecode(b64u));\n };\n\n const intent_digest_32 = toBytes(args.vrfChallenge.intentDigest);\n if (intent_digest_32.length !== 32) {\n return { ok: false, code: 'invalid_args', message: 'Missing or invalid vrfChallenge.intentDigest (expected base64url 32 bytes)' };\n }\n\n const clientVerifyingShareBytes = toBytes(args.clientVerifyingShareB64u);\n if (clientVerifyingShareBytes.length !== 32) {\n return { ok: false, code: 'invalid_args', message: 'Missing or invalid clientVerifyingShareB64u (expected base64url 32 bytes)' };\n }\n\n const session_policy_digest_32 = toBytes(args.vrfChallenge.sessionPolicyDigest32);\n if (session_policy_digest_32.length !== 32) {\n return { ok: false, code: 'invalid_args', message: 'Missing vrfChallenge.sessionPolicyDigest32 (expected base64url 32 bytes) for threshold session mint' };\n }\n\n const vrf_data = {\n vrf_input_data: toBytes(args.vrfChallenge.vrfInput),\n vrf_output: toBytes(args.vrfChallenge.vrfOutput),\n vrf_proof: toBytes(args.vrfChallenge.vrfProof),\n public_key: toBytes(args.vrfChallenge.vrfPublicKey),\n user_id: args.vrfChallenge.userId,\n rp_id: args.vrfChallenge.rpId,\n block_height: Number(args.vrfChallenge.blockHeight || 0),\n block_hash: toBytes(args.vrfChallenge.blockHash),\n intent_digest_32,\n session_policy_digest_32,\n };\n\n // Never send PRF outputs to the relay.\n const webauthn_authentication = removePrfOutputGuard(args.webauthnAuthentication);\n\n type ThresholdEd25519SessionMintResponseBody = Partial<{\n ok: boolean;\n sessionId: string;\n expiresAt: string;\n remainingUses: number;\n jwt: string;\n code: string;\n message: string;\n }>;\n\n try {\n const url = `${relayerUrl}/threshold-ed25519/session`;\n const response = await fetch(url, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n credentials: args.sessionKind === 'cookie' ? 'include' : 'omit',\n body: JSON.stringify({\n sessionKind: args.sessionKind,\n relayerKeyId: args.relayerKeyId,\n clientVerifyingShareB64u: args.clientVerifyingShareB64u,\n sessionPolicy: args.sessionPolicy,\n vrf_data,\n webauthn_authentication,\n }),\n });\n\n const data = (await response.json().catch(() => ({}))) as ThresholdEd25519SessionMintResponseBody;\n if (!response.ok) {\n return {\n ok: false,\n code: data.code || 'http_error',\n message: data.message || `HTTP ${response.status}`,\n };\n }\n\n const expiresAtMs = (() => {\n const raw = data.expiresAt ? Date.parse(data.expiresAt) : NaN;\n return Number.isFinite(raw) ? raw : undefined;\n })();\n\n return {\n ok: data.ok === true,\n sessionId: data.sessionId,\n expiresAtMs,\n remainingUses: data.remainingUses,\n jwt: data.jwt,\n ...(data.code ? { code: data.code } : {}),\n ...(data.message ? { message: data.message } : {}),\n };\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e || 'Failed to mint threshold session');\n return { ok: false, code: 'network_error', message: msg };\n }\n}\n"],"mappings":";;;;;;AAqBA,MAAM,mCAAmB,IAAI;AAE7B,SAAgB,wCAAwC,MAM7C;CACT,MAAM,aAAaA,wCAAqBC,mCAAgB,KAAK;CAC7D,MAAM,iBAAiBC,6DAAwC,KAAK;AACpE,QAAO;EACL,OAAO,KAAK,iBAAiB,IAAI;EACjC,OAAO,KAAK,QAAQ,IAAI;EACxB;EACA,OAAO,KAAK,gBAAgB,IAAI;EAChC,GAAI,iBAAiB,CAAC,eAAe,KAAK,QAAQ;GAClD,KAAK;;AAGT,SAAgB,qCAAqC,UAAsD;CACzG,MAAM,QAAQ,iBAAiB,IAAI;AACnC,KAAI,CAAC,MAAO,QAAO;AAEnB,KAAI,OAAO,MAAM,gBAAgB,YAAY,OAAO,SAAS,MAAM,gBAAgB,KAAK,SAAS,MAAM,aAAa;AAClH,mBAAiB,OAAO;AACxB,SAAO;;AAGT,QAAO;;AAGT,SAAgB,qCAAqC,UAAkB,OAA0C;AAC/G,kBAAiB,IAAI,UAAU;;AAGjC,SAAgB,uCAAuC,UAAwB;AAC7E,kBAAiB,OAAO;;AAG1B,SAAgB,6CAAmD;AACjE,kBAAiB;;AAGnB,SAAgB,wCAAwC,UAAsC;CAC5F,MAAM,SAAS,qCAAqC;CACpD,MAAM,MAAM,QAAQ;AACpB,KAAI,OAAO,QAAQ,UAAU;EAC3B,MAAM,UAAU,IAAI;AACpB,MAAI,QAAS,QAAO;;AAEtB,KAAI,OAAQ,wCAAuC;AACnD,QAAO;;AAGT,eAAsB,gCAAgC,MAgBnD;CACD,MAAM,aAAaF,wCAAqBC,mCAAgB,KAAK;AAC7D,KAAI,CAAC,WACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;AAGrD,KAAI,OAAO,UAAU,WACnB,QAAO;EAAE,IAAI;EAAO,MAAM;EAAe,SAAS;;CAGpD,MAAM,WAAW,SAAuC;AACtD,MAAI,CAAC,KAAM,QAAO;AAClB,SAAO,MAAM,KAAKE,+BAAgB;;CAGpC,MAAM,mBAAmB,QAAQ,KAAK,aAAa;AACnD,KAAI,iBAAiB,WAAW,GAC9B,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,4BAA4B,QAAQ,KAAK;AAC/C,KAAI,0BAA0B,WAAW,GACvC,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,2BAA2B,QAAQ,KAAK,aAAa;AAC3D,KAAI,yBAAyB,WAAW,GACtC,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,WAAW;EACf,gBAAgB,QAAQ,KAAK,aAAa;EAC1C,YAAY,QAAQ,KAAK,aAAa;EACtC,WAAW,QAAQ,KAAK,aAAa;EACrC,YAAY,QAAQ,KAAK,aAAa;EACtC,SAAS,KAAK,aAAa;EAC3B,OAAO,KAAK,aAAa;EACzB,cAAc,OAAO,KAAK,aAAa,eAAe;EACtD,YAAY,QAAQ,KAAK,aAAa;EACtC;EACA;;CAIF,MAAM,0BAA0BC,gDAAqB,KAAK;AAY1D,KAAI;EACF,MAAM,MAAM,GAAG,WAAW;EAC1B,MAAM,WAAW,MAAM,MAAM,KAAK;GAChC,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,aAAa,KAAK,gBAAgB,WAAW,YAAY;GACzD,MAAM,KAAK,UAAU;IACnB,aAAa,KAAK;IAClB,cAAc,KAAK;IACnB,0BAA0B,KAAK;IAC/B,eAAe,KAAK;IACpB;IACA;;;EAIJ,MAAM,OAAQ,MAAM,SAAS,OAAO,aAAa;AACjD,MAAI,CAAC,SAAS,GACZ,QAAO;GACL,IAAI;GACJ,MAAM,KAAK,QAAQ;GACnB,SAAS,KAAK,WAAW,QAAQ,SAAS;;EAI9C,MAAM,qBAAqB;GACzB,MAAM,MAAM,KAAK,YAAY,KAAK,MAAM,KAAK,aAAa;AAC1D,UAAO,OAAO,SAAS,OAAO,MAAM;;AAGtC,SAAO;GACL,IAAI,KAAK,OAAO;GAChB,WAAW,KAAK;GAChB;GACA,eAAe,KAAK;GACpB,KAAK,KAAK;GACV,GAAI,KAAK,OAAO,EAAE,MAAM,KAAK,SAAS;GACtC,GAAI,KAAK,UAAU,EAAE,SAAS,KAAK,YAAY;;UAE1CC,GAAY;EACnB,MAAM,MAAM,OAAQ,KAAK,OAAO,MAAM,YAAY,aAAa,IAAM,EAA4B,UAAU,KAAK;AAChH,SAAO;GAAE,IAAI;GAAO,MAAM;GAAiB,SAAS"}

package/dist/cjs/core/threshold/thresholdEd25519RelayerHealth.js ADDED Viewed

@@ -0,0 +1,117 @@
+const require_validation = require('../../utils/validation.js');
+const require_signer_worker = require('../types/signer-worker.js');
+//#region src/core/threshold/thresholdEd25519RelayerHealth.ts
+const DEFAULT_CACHE_TTL_MS = 6e4;
+const cache = /* @__PURE__ */ new Map();
+const inFlight = /* @__PURE__ */ new Map();
+const DEFAULT_WARN_TTL_MS = 10 * 6e4;
+const MAX_WARN_KEYS = 1e3;
+const warnedUnsupportedRelayerByKey = /* @__PURE__ */ new Map();
+async function isRelayerThresholdEd25519ConfiguredBase(base, opts) {
+	if (!base) return false;
+	if (typeof fetch !== "function") return false;
+	const ttlMs = Math.max(0, Number(opts?.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS));
+	const now = Date.now();
+	const cached = cache.get(base);
+	if (cached && cached.expiresAtMs > now) return cached.configured;
+	const existing = inFlight.get(base);
+	if (existing) return existing;
+	const req = (async () => {
+		try {
+			const res = await fetch(`${base}/threshold-ed25519/healthz`, { method: "GET" });
+			if (!res.ok) {
+				cache.set(base, {
+					configured: false,
+					expiresAtMs: now + ttlMs
+				});
+				return false;
+			}
+			const data = await res.json().catch(() => null);
+			const configured = data?.configured === true;
+			cache.set(base, {
+				configured,
+				expiresAtMs: now + ttlMs
+			});
+			return configured;
+		} catch {
+			cache.set(base, {
+				configured: false,
+				expiresAtMs: now + ttlMs
+			});
+			return false;
+		} finally {
+			inFlight.delete(base);
+		}
+	})();
+	inFlight.set(base, req);
+	return req;
+}
+function coerceThresholdBehavior(input) {
+	return input === "fallback" || input === "strict" ? input : require_signer_worker.DEFAULT_THRESHOLD_BEHAVIOR;
+}
+function pruneWarned(nowMs) {
+	if (warnedUnsupportedRelayerByKey.size <= MAX_WARN_KEYS) return;
+	for (const [key, expiresAtMs] of warnedUnsupportedRelayerByKey.entries()) if (expiresAtMs <= nowMs) warnedUnsupportedRelayerByKey.delete(key);
+	while (warnedUnsupportedRelayerByKey.size > MAX_WARN_KEYS) {
+		const first = warnedUnsupportedRelayerByKey.keys().next().value;
+		if (!first) break;
+		warnedUnsupportedRelayerByKey.delete(first);
+	}
+}
+function warnOnce(key, message, opts) {
+	const nowMs = Date.now();
+	const ttlMs = Math.max(0, Math.floor(opts?.warnTtlMs ?? DEFAULT_WARN_TTL_MS));
+	if (ttlMs === 0) return;
+	pruneWarned(nowMs);
+	const existing = warnedUnsupportedRelayerByKey.get(key);
+	if (existing && existing > nowMs) return;
+	warnedUnsupportedRelayerByKey.set(key, nowMs + ttlMs);
+	console.warn(message);
+	opts?.warnings?.push(message);
+}
+async function fallbackToLocalSignerIfRelayerUnsupported(args) {
+	const requested = args.signerMode.mode;
+	if (requested !== "threshold-signer") return requested;
+	const base = require_validation.stripTrailingSlashes(require_validation.toTrimmedString(args.relayerUrl));
+	const behavior = coerceThresholdBehavior(require_signer_worker.getThresholdBehaviorFromSignerMode(args.signerMode));
+	const configured = await isRelayerThresholdEd25519ConfiguredBase(base, { cacheTtlMs: args.cacheTtlMs });
+	if (configured) return requested;
+	const msg = "[WebAuthnManager] signerMode=threshold-signer requested but the relayer does not support threshold signing";
+	if (behavior === "fallback") {
+		warnOnce(`${args.nearAccountId}|${base}`, `${msg}; falling back to local-signer`, {
+			warnTtlMs: args.warnTtlMs,
+			warnings: args.warnings
+		});
+		return "local-signer";
+	}
+	throw new Error(`${msg}; set signerMode={ mode: 'threshold-signer', behavior: 'fallback' } to allow local-signer fallback`);
+}
+async function resolveSignerModeForThresholdSigning(args) {
+	const requested = args.signerMode.mode;
+	if (requested !== "threshold-signer") return requested;
+	const behavior = coerceThresholdBehavior(require_signer_worker.getThresholdBehaviorFromSignerMode(args.signerMode));
+	if (!args.hasThresholdKeyMaterial) {
+		const msg = "[WebAuthnManager] signerMode=threshold-signer requested but threshold key material is unavailable";
+		if (behavior === "fallback") {
+			warnOnce(`${args.nearAccountId}|threshold-key-material-missing`, `${msg}; falling back to local-signer`, {
+				warnTtlMs: args.warnTtlMs,
+				warnings: args.warnings
+			});
+			return "local-signer";
+		}
+		throw new Error(`${msg}; set signerMode={ mode: 'threshold-signer', behavior: 'fallback' } to allow local-signer fallback`);
+	}
+	return fallbackToLocalSignerIfRelayerUnsupported({
+		nearAccountId: args.nearAccountId,
+		signerMode: args.signerMode,
+		relayerUrl: args.relayerUrl,
+		warnings: args.warnings,
+		cacheTtlMs: args.cacheTtlMs,
+		warnTtlMs: args.warnTtlMs
+	});
+}
+//#endregion
+exports.resolveSignerModeForThresholdSigning = resolveSignerModeForThresholdSigning;
+//# sourceMappingURL=thresholdEd25519RelayerHealth.js.map

package/dist/cjs/core/threshold/thresholdEd25519RelayerHealth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"thresholdEd25519RelayerHealth.js","names":["DEFAULT_THRESHOLD_BEHAVIOR","stripTrailingSlashes","toTrimmedString","getThresholdBehaviorFromSignerMode"],"sources":["../../../../src/core/threshold/thresholdEd25519RelayerHealth.ts"],"sourcesContent":["import type { SignerMode, ThresholdBehavior } from '../types/signer-worker';\nimport { DEFAULT_THRESHOLD_BEHAVIOR, getThresholdBehaviorFromSignerMode } from '../types/signer-worker';\nimport { stripTrailingSlashes, toTrimmedString } from '../../utils/validation';\n\nexport type ThresholdEd25519HealthzResponse =\n | { ok: true; configured: true }\n | { ok: false; configured: false; code?: string; message?: string };\n\nconst DEFAULT_CACHE_TTL_MS = 60_000;\nconst cache = new Map<string, { configured: boolean; expiresAtMs: number }>();\nconst inFlight = new Map<string, Promise<boolean>>();\nconst DEFAULT_WARN_TTL_MS = 10 * 60_000;\nconst MAX_WARN_KEYS = 1_000;\nconst warnedUnsupportedRelayerByKey = new Map<string, number>();\n\nexport async function isRelayerThresholdEd25519Configured(\n relayerUrl: string,\n opts?: { cacheTtlMs?: number },\n): Promise<boolean> {\n const base = stripTrailingSlashes(toTrimmedString(relayerUrl));\n return isRelayerThresholdEd25519ConfiguredBase(base, opts);\n}\n\nasync function isRelayerThresholdEd25519ConfiguredBase(\n base: string,\n opts?: { cacheTtlMs?: number },\n): Promise<boolean> {\n if (!base) return false;\n if (typeof fetch !== 'function') return false;\n\n const ttlMs = Math.max(0, Number(opts?.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS));\n const now = Date.now();\n const cached = cache.get(base);\n if (cached && cached.expiresAtMs > now) return cached.configured;\n\n const existing = inFlight.get(base);\n if (existing) return existing;\n\n const req = (async (): Promise<boolean> => {\n try {\n const res = await fetch(`${base}/threshold-ed25519/healthz`, { method: 'GET' });\n if (!res.ok) {\n cache.set(base, { configured: false, expiresAtMs: now + ttlMs });\n return false;\n }\n const data = (await res.json().catch(() => null)) as ThresholdEd25519HealthzResponse | null;\n const configured = data?.configured === true;\n cache.set(base, { configured, expiresAtMs: now + ttlMs });\n return configured;\n } catch {\n cache.set(base, { configured: false, expiresAtMs: now + ttlMs });\n return false;\n } finally {\n inFlight.delete(base);\n }\n })();\n\n inFlight.set(base, req);\n return req;\n}\n\nfunction coerceThresholdBehavior(input?: ThresholdBehavior): ThresholdBehavior {\n return input === 'fallback' || input === 'strict' ? input : DEFAULT_THRESHOLD_BEHAVIOR;\n}\n\nfunction pruneWarned(nowMs: number): void {\n if (warnedUnsupportedRelayerByKey.size <= MAX_WARN_KEYS) return;\n for (const [key, expiresAtMs] of warnedUnsupportedRelayerByKey.entries()) {\n if (expiresAtMs <= nowMs) warnedUnsupportedRelayerByKey.delete(key);\n }\n while (warnedUnsupportedRelayerByKey.size > MAX_WARN_KEYS) {\n const first = warnedUnsupportedRelayerByKey.keys().next().value as string | undefined;\n if (!first) break;\n warnedUnsupportedRelayerByKey.delete(first);\n }\n}\n\nfunction warnOnce(key: string, message: string, opts?: { warnTtlMs?: number; warnings?: string[] }): void {\n const nowMs = Date.now();\n const ttlMs = Math.max(0, Math.floor(opts?.warnTtlMs ?? DEFAULT_WARN_TTL_MS));\n if (ttlMs === 0) return;\n pruneWarned(nowMs);\n const existing = warnedUnsupportedRelayerByKey.get(key);\n if (existing && existing > nowMs) return;\n warnedUnsupportedRelayerByKey.set(key, nowMs + ttlMs);\n // eslint-disable-next-line no-console\n console.warn(message);\n opts?.warnings?.push(message);\n}\n\nexport async function fallbackToLocalSignerIfRelayerUnsupported(args: {\n nearAccountId: string;\n signerMode: SignerMode;\n relayerUrl: string;\n warnings?: string[];\n cacheTtlMs?: number;\n warnTtlMs?: number;\n}): Promise<SignerMode['mode']> {\n const requested = args.signerMode.mode;\n if (requested !== 'threshold-signer') return requested;\n\n const base = stripTrailingSlashes(toTrimmedString(args.relayerUrl));\n const behavior = coerceThresholdBehavior(getThresholdBehaviorFromSignerMode(args.signerMode));\n const configured = await isRelayerThresholdEd25519ConfiguredBase(base, { cacheTtlMs: args.cacheTtlMs });\n if (configured) return requested;\n\n const msg = '[WebAuthnManager] signerMode=threshold-signer requested but the relayer does not support threshold signing';\n if (behavior === 'fallback') {\n warnOnce(`${args.nearAccountId}|${base}`, `${msg}; falling back to local-signer`, {\n warnTtlMs: args.warnTtlMs,\n warnings: args.warnings,\n });\n return 'local-signer';\n }\n throw new Error(`${msg}; set signerMode={ mode: 'threshold-signer', behavior: 'fallback' } to allow local-signer fallback`);\n}\n\nexport async function resolveSignerModeForThresholdSigning(args: {\n nearAccountId: string;\n signerMode: SignerMode;\n relayerUrl: string;\n hasThresholdKeyMaterial: boolean;\n warnings?: string[];\n cacheTtlMs?: number;\n warnTtlMs?: number;\n}): Promise<SignerMode['mode']> {\n const requested = args.signerMode.mode;\n if (requested !== 'threshold-signer') return requested;\n\n const behavior = coerceThresholdBehavior(getThresholdBehaviorFromSignerMode(args.signerMode));\n\n if (!args.hasThresholdKeyMaterial) {\n const msg = '[WebAuthnManager] signerMode=threshold-signer requested but threshold key material is unavailable';\n if (behavior === 'fallback') {\n warnOnce(`${args.nearAccountId}|threshold-key-material-missing`, `${msg}; falling back to local-signer`, {\n warnTtlMs: args.warnTtlMs,\n warnings: args.warnings,\n });\n return 'local-signer';\n }\n throw new Error(`${msg}; set signerMode={ mode: 'threshold-signer', behavior: 'fallback' } to allow local-signer fallback`);\n }\n\n return fallbackToLocalSignerIfRelayerUnsupported({\n nearAccountId: args.nearAccountId,\n signerMode: args.signerMode,\n relayerUrl: args.relayerUrl,\n warnings: args.warnings,\n cacheTtlMs: args.cacheTtlMs,\n warnTtlMs: args.warnTtlMs,\n });\n}\n"],"mappings":";;;;AAQA,MAAM,uBAAuB;AAC7B,MAAM,wBAAQ,IAAI;AAClB,MAAM,2BAAW,IAAI;AACrB,MAAM,sBAAsB,KAAK;AACjC,MAAM,gBAAgB;AACtB,MAAM,gDAAgC,IAAI;AAU1C,eAAe,wCACb,MACA,MACkB;AAClB,KAAI,CAAC,KAAM,QAAO;AAClB,KAAI,OAAO,UAAU,WAAY,QAAO;CAExC,MAAM,QAAQ,KAAK,IAAI,GAAG,OAAO,MAAM,cAAc;CACrD,MAAM,MAAM,KAAK;CACjB,MAAM,SAAS,MAAM,IAAI;AACzB,KAAI,UAAU,OAAO,cAAc,IAAK,QAAO,OAAO;CAEtD,MAAM,WAAW,SAAS,IAAI;AAC9B,KAAI,SAAU,QAAO;CAErB,MAAM,OAAO,YAA8B;AACzC,MAAI;GACF,MAAM,MAAM,MAAM,MAAM,GAAG,KAAK,6BAA6B,EAAE,QAAQ;AACvE,OAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI,MAAM;KAAE,YAAY;KAAO,aAAa,MAAM;;AACxD,WAAO;;GAET,MAAM,OAAQ,MAAM,IAAI,OAAO,YAAY;GAC3C,MAAM,aAAa,MAAM,eAAe;AACxC,SAAM,IAAI,MAAM;IAAE;IAAY,aAAa,MAAM;;AACjD,UAAO;UACD;AACN,SAAM,IAAI,MAAM;IAAE,YAAY;IAAO,aAAa,MAAM;;AACxD,UAAO;YACC;AACR,YAAS,OAAO;;;AAIpB,UAAS,IAAI,MAAM;AACnB,QAAO;;AAGT,SAAS,wBAAwB,OAA8C;AAC7E,QAAO,UAAU,cAAc,UAAU,WAAW,QAAQA;;AAG9D,SAAS,YAAY,OAAqB;AACxC,KAAI,8BAA8B,QAAQ,cAAe;AACzD,MAAK,MAAM,CAAC,KAAK,gBAAgB,8BAA8B,UAC7D,KAAI,eAAe,MAAO,+BAA8B,OAAO;AAEjE,QAAO,8BAA8B,OAAO,eAAe;EACzD,MAAM,QAAQ,8BAA8B,OAAO,OAAO;AAC1D,MAAI,CAAC,MAAO;AACZ,gCAA8B,OAAO;;;AAIzC,SAAS,SAAS,KAAa,SAAiB,MAA0D;CACxG,MAAM,QAAQ,KAAK;CACnB,MAAM,QAAQ,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,aAAa;AACxD,KAAI,UAAU,EAAG;AACjB,aAAY;CACZ,MAAM,WAAW,8BAA8B,IAAI;AACnD,KAAI,YAAY,WAAW,MAAO;AAClC,+BAA8B,IAAI,KAAK,QAAQ;AAE/C,SAAQ,KAAK;AACb,OAAM,UAAU,KAAK;;AAGvB,eAAsB,0CAA0C,MAOhC;CAC9B,MAAM,YAAY,KAAK,WAAW;AAClC,KAAI,cAAc,mBAAoB,QAAO;CAE7C,MAAM,OAAOC,wCAAqBC,mCAAgB,KAAK;CACvD,MAAM,WAAW,wBAAwBC,yDAAmC,KAAK;CACjF,MAAM,aAAa,MAAM,wCAAwC,MAAM,EAAE,YAAY,KAAK;AAC1F,KAAI,WAAY,QAAO;CAEvB,MAAM,MAAM;AACZ,KAAI,aAAa,YAAY;AAC3B,WAAS,GAAG,KAAK,cAAc,GAAG,QAAQ,GAAG,IAAI,iCAAiC;GAChF,WAAW,KAAK;GAChB,UAAU,KAAK;;AAEjB,SAAO;;AAET,OAAM,IAAI,MAAM,GAAG,IAAI;;AAGzB,eAAsB,qCAAqC,MAQ3B;CAC9B,MAAM,YAAY,KAAK,WAAW;AAClC,KAAI,cAAc,mBAAoB,QAAO;CAE7C,MAAM,WAAW,wBAAwBA,yDAAmC,KAAK;AAEjF,KAAI,CAAC,KAAK,yBAAyB;EACjC,MAAM,MAAM;AACZ,MAAI,aAAa,YAAY;AAC3B,YAAS,GAAG,KAAK,cAAc,kCAAkC,GAAG,IAAI,iCAAiC;IACvG,WAAW,KAAK;IAChB,UAAU,KAAK;;AAEjB,UAAO;;AAET,QAAM,IAAI,MAAM,GAAG,IAAI;;AAGzB,QAAO,0CAA0C;EAC/C,eAAe,KAAK;EACpB,YAAY,KAAK;EACjB,YAAY,KAAK;EACjB,UAAU,KAAK;EACf,YAAY,KAAK;EACjB,WAAW,KAAK"}