@tatchi-xyz/sdk 0.21.0 → 0.31.0

package/dist/cjs/core/TatchiPasskey/login.js.map

@@ -1 +1 @@
-{"version":3,"file":"login.js","names":["LoginPhase","LoginStatus","signingSession: SigningSessionStatus","finalResult","authenticatorsToAllowCredentials","verifyAuthenticationResponse","e: any","getUserFriendlyErrorMessage","err: any","createRandomVRFChallenge","IndexedDBManager","unlockResult: { success: boolean; error?: string }","unlockCredential: WebAuthnAuthenticationCredential | undefined","error: any","relayerUrl","refreshErr: any","result: LoginResult"],"sources":["../../../../src/core/TatchiPasskey/login.ts"],"sourcesContent":["import type {\n  AfterCall,\n  LoginHooksOptions,\n  LoginSSEvent,\n} from '../types/sdkSentEvents';\nimport { LoginPhase, LoginStatus } from '../types/sdkSentEvents';\nimport type {\n  GetRecentLoginsResult,\n  LoginAndCreateSessionResult,\n  LoginResult,\n  LoginSession,\n  LoginState,\n  SigningSessionStatus,\n} from '../types/tatchi';\nimport type { PasskeyManagerContext } from './index';\nimport type { AccountId } from '../types/accountIds';\nimport type { WebAuthnAuthenticationCredential } from '../types/webauthn';\nimport { getUserFriendlyErrorMessage } from '../../utils/errors';\nimport { createRandomVRFChallenge, ServerEncryptedVrfKeypair, VRFChallenge } from '../types/vrf-worker';\nimport { authenticatorsToAllowCredentials } from '../WebAuthnManager/touchIdPrompt';\nimport { IndexedDBManager } from '../IndexedDBManager';\nimport type { ClientAuthenticatorData, ClientUserData } from '../IndexedDBManager';\nimport { verifyAuthenticationResponse } from '../rpcCalls';\n\n/**\n * Core login function that handles passkey authentication without React dependencies.\n *\n * - Unlocks the VRF keypair (Shamir 3‑pass auto‑unlock when possible; falls back to TouchID).\n * - Updates local login state and returns success with account/public key info.\n * - Optional: mints a server session when `options.session` is provided.\n *   - Generates a fresh, chain‑anchored VRF challenge (using latest block).\n *   - Collects a WebAuthn assertion over the VRF output and posts to the relay route\n *     (defaults to `/verify-authentication-response`).\n *   - When `kind: 'jwt'`, returns the token in `result.jwt`.\n *   - When `kind: 'cookie'`, the server sets an HttpOnly cookie and no JWT is returned.\n */\nexport async function loginAndCreateSession(\n  context: PasskeyManagerContext,\n  nearAccountId: AccountId,\n  options?: LoginHooksOptions\n): Promise<LoginAndCreateSessionResult> {\n\n  const { onEvent, onError, afterCall } = options || {};\n  const { webAuthnManager } = context;\n\n  onEvent?.({\n    step: 1,\n    phase: LoginPhase.STEP_1_PREPARATION,\n    status: LoginStatus.PROGRESS,\n    message: `Starting login for ${nearAccountId}`\n  });\n\n  const prevStatus = await webAuthnManager.checkVrfStatus();\n  const prevVrfAccountId = prevStatus?.active ? prevStatus.nearAccountId : null;\n\n  // If this call activates VRF then fails, clear the partial session.\n  const rollbackVrfOnFailure = async () => {\n    const status = await webAuthnManager.checkVrfStatus();\n    const current = status?.active ? status.nearAccountId : null;\n    if (current && current !== prevVrfAccountId) {\n      await logoutAndClearSession(context);\n    }\n  };\n\n  try {\n    // Validation\n    if (!window.isSecureContext) {\n      const errorMessage = 'Passkey operations require a secure context (HTTPS or localhost).';\n      const error = new Error(errorMessage);\n      onError?.(error);\n      onEvent?.({\n        step: 0,\n        phase: LoginPhase.LOGIN_ERROR,\n        status: LoginStatus.ERROR,\n        message: errorMessage,\n        error: errorMessage\n      });\n      const result = { success: false, error: errorMessage };\n      return result;\n    }\n\n    // Handle login and unlock VRF keypair in VRF WASM worker for WebAuthn challenge generation\n    const wantsSession = options?.session?.kind == 'jwt' || options?.session?.kind == 'cookie';\n    const base = await handleLoginUnlockVRF(\n      context,\n      nearAccountId,\n      onEvent,\n      onError,\n      afterCall,\n      // Defer final 'login-complete' event & afterCall until warm signing session is minted\n      true\n    );\n    // If base login failed, just return\n    if (!base.result.success) return base.result;\n\n    const attachSigningSession = async (result: LoginResult): Promise<LoginAndCreateSessionResult> => {\n      if (!result?.success) return result;\n      try {\n        const signingSession: SigningSessionStatus = await webAuthnManager.getWarmSigningSessionStatus(nearAccountId);\n        return { ...result, signingSession };\n      } catch {\n        return result;\n      }\n    };\n\n    // Resolve default warm signing session policy from configs.\n    const ttlMsDefault = context.configs.signingSessionDefaults.ttlMs;\n    const remainingUsesDefault = context.configs.signingSessionDefaults.remainingUses;\n    const ttlMs = options?.signingSession?.ttlMs ?? ttlMsDefault;\n    const remainingUses = options?.signingSession?.remainingUses ?? remainingUsesDefault;\n\n    // Optionally mint a server session (JWT or HttpOnly cookie).\n    // When requested, we also mint the warm signing session using the same WebAuthn prompt\n    // so Shamir auto-unlock remains a single-prompt login UX.\n    if (wantsSession) {\n      const { kind, relayUrl: relayUrlOverride, route: routeOverride } = options!.session!;\n      const relayUrl = (relayUrlOverride || context.configs.relayer.url).trim();\n      const route = (routeOverride || '/verify-authentication-response').trim();\n      if (!relayUrl) {\n        // No relay; return base result without session\n        console.warn(\"No relayUrl provided for session\");\n        // Ensure a warm signing session is minted for local signing UX.\n        await mintWarmSigningSession({\n          context,\n          nearAccountId,\n          onEvent,\n          credential: base.unlockCredential,\n          ttlMs,\n          remainingUses,\n        });\n\n        const finalResult = await attachSigningSession(base.result);\n        // Emit completion now since we deferred it\n        onEvent?.({\n          step: 4,\n          phase: LoginPhase.STEP_4_LOGIN_COMPLETE,\n          status: LoginStatus.SUCCESS,\n          message: 'Login completed successfully',\n          nearAccountId: nearAccountId,\n          clientNearPublicKey: base.result?.clientNearPublicKey || ''\n        } as unknown as LoginSSEvent);\n        await afterCall?.(true, finalResult);\n        return finalResult;\n      }\n      try {\n        // Build a fresh VRF challenge using current block\n        const blockInfo = await context.nearClient.viewBlock({ finality: 'final' });\n        const txBlockHash = blockInfo?.header?.hash;\n        const txBlockHeight = String(blockInfo.header?.height ?? '');\n        const vrfChallenge = await webAuthnManager.generateVrfChallengeOnce({\n          userId: nearAccountId,\n          rpId: webAuthnManager.getRpId(),\n          blockHash: txBlockHash,\n          blockHeight: txBlockHeight,\n        });\n        const authenticators = await webAuthnManager.getAuthenticatorsByUser(nearAccountId);\n        const credential = await webAuthnManager.getAuthenticationCredentialsSerialized({\n          nearAccountId,\n          challenge: vrfChallenge,\n          allowCredentials: authenticatorsToAllowCredentials(authenticators),\n        });\n\n        // Align lastUser deviceNumber with the passkey actually chosen for session minting.\n        try {\n          if (authenticators.length > 1) {\n            const rawId = credential.rawId;\n            const matched = authenticators.find((a) => a.credentialId === rawId);\n            if (matched && typeof matched.deviceNumber === 'number') {\n              await context.webAuthnManager.setLastUser(nearAccountId, matched.deviceNumber);\n            }\n          }\n        } catch {\n          // Non-fatal; session minting can proceed even if last-user update fails here.\n        }\n\n        // Mint the warm signing session using the same prompt used for server-session verification.\n        await mintWarmSigningSession({\n          context,\n          nearAccountId,\n          onEvent,\n          credential,\n          ttlMs,\n          remainingUses,\n        });\n\n        const v = await verifyAuthenticationResponse(relayUrl, route, kind as 'jwt' | 'cookie', vrfChallenge, credential);\n        if (v.success && v.verified) {\n          const finalResult = await attachSigningSession({ ...base.result, jwt: v.jwt });\n          // Now fire completion event and afterCall since we deferred them\n          onEvent?.({\n            step: 4,\n            phase: LoginPhase.STEP_4_LOGIN_COMPLETE,\n            status: LoginStatus.SUCCESS,\n            message: 'Login completed successfully',\n            nearAccountId: nearAccountId,\n            clientNearPublicKey: base.result?.clientNearPublicKey || ''\n          } as unknown as LoginSSEvent);\n          await afterCall?.(true, finalResult);\n          return finalResult;\n        }\n        // Session verification returned an error; surface error and afterCall(false)\n        const errMsg = v.error || 'Session verification failed';\n        await rollbackVrfOnFailure();\n        onEvent?.({\n          step: 0,\n          phase: LoginPhase.LOGIN_ERROR,\n          status: LoginStatus.ERROR,\n          message: errMsg,\n          error: errMsg\n        } as unknown as LoginSSEvent);\n        await afterCall?.(false as any);\n        return { success: false, error: errMsg };\n      } catch (e: any) {\n        console.error(\"Failed to start session: \", e);\n        const errMsg = getUserFriendlyErrorMessage(e, 'login') || (e?.message || 'Session verification failed');\n        await rollbackVrfOnFailure();\n        onError?.(e);\n        onEvent?.({\n          step: 0,\n          phase: LoginPhase.LOGIN_ERROR,\n          status: LoginStatus.ERROR,\n          message: errMsg,\n          error: errMsg\n        } as unknown as LoginSSEvent);\n        await afterCall?.(false as any);\n        return { success: false, error: errMsg };\n      }\n    }\n\n    // No server session requested: mint/refresh the warm signing session.\n    await mintWarmSigningSession({\n      context,\n      nearAccountId,\n      onEvent,\n      credential: base.unlockCredential,\n      ttlMs,\n      remainingUses,\n    });\n\n    const finalResult = await attachSigningSession(base.result);\n    // Fire completion event and afterCall since we deferred them.\n    onEvent?.({\n      step: 4,\n      phase: LoginPhase.STEP_4_LOGIN_COMPLETE,\n      status: LoginStatus.SUCCESS,\n      message: 'Login completed successfully',\n      nearAccountId: nearAccountId,\n      clientNearPublicKey: base.result?.clientNearPublicKey || ''\n    } as unknown as LoginSSEvent);\n    await afterCall?.(true, finalResult);\n    return finalResult;\n\n  } catch (err: any) {\n\n    await rollbackVrfOnFailure();\n    onError?.(err);\n    const errorMessage = getUserFriendlyErrorMessage(err, 'login') || err?.message || 'Login failed';\n    onEvent?.({\n      step: 0,\n      phase: LoginPhase.LOGIN_ERROR,\n      status: LoginStatus.ERROR,\n      message: errorMessage,\n      error: errorMessage\n    });\n    const result = { success: false, error: errorMessage };\n    afterCall?.(false);\n    return result;\n  }\n}\n\n/**\n * Mint or refresh a \"warm signing session\" in the VRF worker.\n *\n * Notes:\n * - Reuses a previously collected WebAuthn credential when provided (e.g. TouchID fallback),\n *   to avoid prompting the user twice in a single login flow.\n * - Session TTL/remainingUses policy is enforced by the VRF worker.\n */\nasync function mintWarmSigningSession(args: {\n  context: PasskeyManagerContext;\n  nearAccountId: AccountId;\n  onEvent?: (event: LoginSSEvent) => void;\n  credential?: WebAuthnAuthenticationCredential;\n  ttlMs: number;\n  remainingUses: number;\n}): Promise<void> {\n  const { context, nearAccountId, onEvent, credential, ttlMs, remainingUses } = args;\n  const { webAuthnManager } = context;\n\n  onEvent?.({\n    step: 3,\n    phase: LoginPhase.STEP_3_VRF_UNLOCK,\n    status: LoginStatus.PROGRESS,\n    message: 'Unlocking warm signing session...'\n  });\n\n  // If we already performed a TouchID ceremony (e.g., VRF unlock fallback),\n  // reuse that credential to avoid a second prompt.\n  let effectiveCredential = credential;\n  if (!effectiveCredential) {\n    const challenge = createRandomVRFChallenge();\n    const authenticators = await webAuthnManager.getAuthenticatorsByUser(nearAccountId);\n    const { authenticatorsForPrompt } = await IndexedDBManager.clientDB.ensureCurrentPasskey(\n      nearAccountId,\n      authenticators,\n    );\n    effectiveCredential = await webAuthnManager.getAuthenticationCredentialsSerialized({\n      nearAccountId,\n      challenge: challenge as VRFChallenge,\n      allowCredentials: authenticatorsToAllowCredentials(authenticatorsForPrompt),\n    });\n  }\n\n  await webAuthnManager.mintSigningSessionFromCredential({\n    nearAccountId,\n    credential: effectiveCredential,\n    ttlMs,\n    remainingUses,\n  });\n\n  onEvent?.({\n    step: 3,\n    phase: LoginPhase.STEP_3_VRF_UNLOCK,\n    status: LoginStatus.SUCCESS,\n    message: 'Warm signing session unlocked'\n  });\n}\n\n/**\n * Handle onchain (serverless) login using VRF flow per docs/vrf_challenges.md\n *\n * VRF AUTHENTICATION FLOW:\n * 1. Unlock VRF keypair in VRF Worker memory, either\n *      - Decrypt via Shamir 3-pass (when Relayer is present), or\n *      - Re-derive the VRF via credentials inside VRF worker dynamically\n * 2. Generate VRF challenge using stored VRF keypair + NEAR block data (no TouchID needed)\n * 3. Use VRF output as WebAuthn challenge for authentication\n * 4. Verify VRF proof and WebAuthn response on contract simultaneously\n *      - VRF proof assures WebAuthn challenge is fresh and valid (replay protection)\n *      - WebAuthn verification for origin + biometric credentials + device authenticity\n */\nasync function handleLoginUnlockVRF(\n  context: PasskeyManagerContext,\n  nearAccountId: AccountId,\n  onEvent?: (event: LoginSSEvent) => void,\n  onError?: (error: Error) => void,\n  afterCall?: AfterCall<any>,\n  deferCompletionHooks?: boolean,\n): Promise<{\n  result: LoginResult;\n  usedFallbackTouchId: boolean;\n  unlockCredential?: WebAuthnAuthenticationCredential;\n}> {\n  const { webAuthnManager } = context;\n\n  try {\n    // Step 1: Get VRF credentials and authenticators, and validate them\n    const [lastUser, latestByAccount, authenticators] = await Promise.all([\n      webAuthnManager.getLastUser(),\n      IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId),\n      webAuthnManager.getAuthenticatorsByUser(nearAccountId),\n    ]);\n\n    // Prefer the most recently updated record for this account; fall back to lastUser pointer.\n    let userData = null as (typeof lastUser) | null;\n    if (latestByAccount && latestByAccount.nearAccountId === nearAccountId) {\n      userData = latestByAccount;\n    } else if (lastUser && lastUser.nearAccountId === nearAccountId) {\n      userData = lastUser;\n    } else {\n      userData = await webAuthnManager.getUserByDevice(nearAccountId, 1);\n    }\n\n    // Validate user data and authenticators\n    if (!userData) {\n      throw new Error(`User data not found for ${nearAccountId} in IndexedDB. Please register an account.`);\n    }\n    if (!userData.clientNearPublicKey) {\n      throw new Error(`No NEAR public key found for ${nearAccountId}. Please register an account.`);\n    }\n    if (\n      !userData.encryptedVrfKeypair?.encryptedVrfDataB64u ||\n      !userData.encryptedVrfKeypair?.chacha20NonceB64u\n    ) {\n      throw new Error('No VRF credentials found. Please register an account.');\n    }\n    if (authenticators.length === 0) {\n      throw new Error(`No authenticators found for account ${nearAccountId}. Please register.`);\n    }\n\n    // Step 2: Try Shamir 3-pass commutative unlock first (no TouchID required), fallback to TouchID\n    onEvent?.({\n      step: 2,\n      phase: LoginPhase.STEP_2_WEBAUTHN_ASSERTION,\n      status: LoginStatus.PROGRESS,\n      message: 'Unlocking VRF keys...'\n    });\n\n    let unlockResult: { success: boolean; error?: string } = { success: false };\n    let usedFallbackTouchId = false;\n    let unlockCredential: WebAuthnAuthenticationCredential | undefined;\n    let activeDeviceNumber = userData.deviceNumber;\n    // Effective user row whose VRF/NEAR keys are actually used for this login.\n    // May be switched when multiple devices exist and the user picks a different passkey.\n    let effectiveUserData = userData;\n\n    const hasServerEncrypted = !!userData.serverEncryptedVrfKeypair;\n    const relayerUrl = context.configs.relayer?.url;\n    const useShamir3PassVRFKeyUnlock = hasServerEncrypted && !!relayerUrl && !!userData.serverEncryptedVrfKeypair?.serverKeyId;\n\n    if (useShamir3PassVRFKeyUnlock) {\n      try {\n        const shamir = userData.serverEncryptedVrfKeypair as ServerEncryptedVrfKeypair;\n        if (!shamir.ciphertextVrfB64u || !shamir.kek_s_b64u) {\n          throw new Error('Missing Shamir3Pass fields (ciphertextVrfB64u/kek_s_b64u)');\n        }\n\n        unlockResult = await webAuthnManager.shamir3PassDecryptVrfKeypair({\n          nearAccountId,\n          kek_s_b64u: shamir.kek_s_b64u,\n          ciphertextVrfB64u: shamir.ciphertextVrfB64u,\n          serverKeyId: shamir.serverKeyId,\n        });\n\n        if (unlockResult.success) {\n          const vrfStatus = await webAuthnManager.checkVrfStatus();\n          const active = vrfStatus.active && vrfStatus.nearAccountId === nearAccountId;\n          if (!active) {\n            unlockResult = { success: false, error: 'VRF session inactive after Shamir3Pass' };\n          }\n          if (active) {\n            // Proactive rotation if serverKeyId changed and we unlocked via Shamir\n            await webAuthnManager.maybeProactiveShamirRefresh(nearAccountId);\n          }\n        } else {\n          throw new Error(`Shamir3Pass auto-unlock failed: ${unlockResult.error}`);\n        }\n      } catch (error: any) {\n        unlockResult = { success: false, error: error.message };\n      }\n    }\n\n    // Fallback to TouchID if Shamir3Pass decryption failed\n    if (!unlockResult.success) {\n      const fallback = await fallbackUnlockVrfKeypairWithTouchId({\n        webAuthnManager,\n        nearAccountId,\n        authenticators,\n        userData,\n        onEvent,\n      });\n      unlockResult = fallback.unlockResult;\n      usedFallbackTouchId = fallback.usedFallbackTouchId;\n      unlockCredential = fallback.unlockCredential;\n      effectiveUserData = fallback.effectiveUserData;\n      activeDeviceNumber = fallback.activeDeviceNumber;\n    }\n\n    if (!unlockResult.success) {\n      throw new Error(`Failed to unlock VRF keypair: ${unlockResult.error}`);\n    }\n\n    onEvent?.({\n      step: 3,\n      phase: LoginPhase.STEP_3_VRF_UNLOCK,\n      status: LoginStatus.SUCCESS,\n      message: 'VRF keypair unlocked successfully'\n    });\n\n    // Proactive refresh: if Shamir3Pass failed and we used TouchID, re-encrypt under current server key\n    try {\n      const relayerUrl = context.configs.relayer?.url;\n      if (usedFallbackTouchId && relayerUrl) {\n        const refreshed = await webAuthnManager.shamir3PassEncryptCurrentVrfKeypair();\n        await webAuthnManager.updateServerEncryptedVrfKeypair(nearAccountId, refreshed);\n      }\n    } catch (refreshErr: any) {\n      console.warn('Non-fatal: Failed to refresh serverEncryptedVrfKeypair:', refreshErr?.message || refreshErr);\n    }\n\n    // Step 3: Update local data and return success\n    // Ensure last-user deviceNumber reflects the passkey actually used for login.\n    try {\n      if (typeof activeDeviceNumber === 'number' && Number.isFinite(activeDeviceNumber)) {\n        await webAuthnManager.setLastUser(nearAccountId, activeDeviceNumber);\n      } else if (typeof userData.deviceNumber === 'number') {\n        await webAuthnManager.setLastUser(nearAccountId, userData.deviceNumber);\n      }\n    } catch {\n      // Non-fatal; continue even if last-user update fails.\n    }\n    await webAuthnManager.updateLastLogin(nearAccountId);\n\n    const result: LoginResult = {\n      success: true,\n      loggedInNearAccountId: nearAccountId,\n      // Ensure the clientNearPublicKey reflects the device whose VRF credentials\n      // are actually active for this login.\n      clientNearPublicKey: effectiveUserData?.clientNearPublicKey!, // non-null, validated above\n      nearAccountId: nearAccountId\n    };\n\n    if (!deferCompletionHooks) {\n      onEvent?.({\n        step: 4,\n        phase: LoginPhase.STEP_4_LOGIN_COMPLETE,\n        status: LoginStatus.SUCCESS,\n        message: 'Login completed successfully',\n        nearAccountId: nearAccountId,\n        clientNearPublicKey: effectiveUserData?.clientNearPublicKey || ''\n      });\n      afterCall?.(true, result);\n    }\n    return { result, usedFallbackTouchId, unlockCredential };\n\n  } catch (error: any) {\n    // Use centralized error handling\n    const errorMessage = getUserFriendlyErrorMessage(error, 'login');\n\n    onError?.(error);\n    onEvent?.({\n      step: 0,\n      phase: LoginPhase.LOGIN_ERROR,\n      status: LoginStatus.ERROR,\n      message: errorMessage,\n      error: errorMessage\n    });\n\n    const result: LoginResult = { success: false, error: errorMessage };\n    afterCall?.(false);\n    return { result, usedFallbackTouchId: false };\n  }\n}\n\n/**\n * TouchID fallback path for VRF unlock.\n *\n * Used when Shamir 3-pass auto-unlock fails/unavailable:\n * - Prompts WebAuthn to obtain a serialized credential with PRF.first + PRF.second.\n * - Aligns the local encrypted VRF keypair blob with the passkey the user actually chose\n *   (important when multiple devices/passkeys exist for the same account).\n * - Unlocks the VRF keypair inside the VRF worker and returns updated effective user context.\n */\nasync function fallbackUnlockVrfKeypairWithTouchId(args: {\n  webAuthnManager: PasskeyManagerContext['webAuthnManager'];\n  nearAccountId: AccountId;\n  authenticators: ClientAuthenticatorData[];\n  userData: ClientUserData;\n  onEvent?: (event: LoginSSEvent) => void;\n}): Promise<{\n  unlockResult: { success: boolean; error?: string };\n  usedFallbackTouchId: boolean;\n  unlockCredential: WebAuthnAuthenticationCredential;\n  effectiveUserData: ClientUserData;\n  activeDeviceNumber: number;\n}> {\n  const { webAuthnManager, nearAccountId, authenticators, userData, onEvent } = args;\n\n  onEvent?.({\n    step: 2,\n    phase: LoginPhase.STEP_2_WEBAUTHN_ASSERTION,\n    status: LoginStatus.PROGRESS,\n    message: 'Logging in, unlocking VRF credentials...'\n  });\n\n  const challenge = createRandomVRFChallenge();\n  const credential = await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n    nearAccountId,\n    challenge: challenge as VRFChallenge,\n    credentialIds: authenticators.map((a) => a.credentialId),\n  });\n\n  let effectiveUserData = userData;\n  let activeDeviceNumber = userData.deviceNumber;\n\n  // If multiple authenticators exist, align VRF credentials with the passkey\n  // the user actually chose, based on credentialId → deviceNumber.\n  if (authenticators.length > 1) {\n    const rawId = credential.rawId;\n    const matched = authenticators.find(a => a.credentialId === rawId);\n    if (matched) {\n      try {\n        const byDevice = await IndexedDBManager.clientDB.getUserByDevice(nearAccountId, matched.deviceNumber);\n        if (byDevice) {\n          effectiveUserData = byDevice;\n          activeDeviceNumber = matched.deviceNumber;\n        }\n      } catch {\n        // If lookup by device fails, fall back to the base userData.\n      }\n    }\n  }\n\n  const unlockResult = await webAuthnManager.unlockVRFKeypair({\n    nearAccountId: nearAccountId,\n    encryptedVrfKeypair: {\n      encryptedVrfDataB64u: effectiveUserData.encryptedVrfKeypair.encryptedVrfDataB64u,\n      chacha20NonceB64u: effectiveUserData.encryptedVrfKeypair.chacha20NonceB64u,\n    },\n    credential: credential,\n  });\n\n  return {\n    unlockResult,\n    usedFallbackTouchId: unlockResult.success,\n    unlockCredential: credential,\n    effectiveUserData,\n    activeDeviceNumber,\n  };\n}\n\n/**\n * High-level login snapshot used by React contexts/UI.\n *\n * Returns:\n * - `login`: derived from IndexedDB last-user pointer + VRF worker status\n * - `signingSession`: warm signing session status when available\n *\n * The `nearAccountId` argument is treated as a \"query hint\" and must match the\n * last logged-in account to be considered logged in (prevents accidental cross-account reads).\n */\nexport async function getLoginSession(\n  context: PasskeyManagerContext,\n  nearAccountId?: AccountId\n): Promise<LoginSession> {\n  const login = await getLoginStateInternal(context, nearAccountId);\n  if (!login?.isLoggedIn || !login.nearAccountId) return { login, signingSession: null };\n  try {\n    const signingSession = await context.webAuthnManager.getWarmSigningSessionStatus(login.nearAccountId);\n    return { login, signingSession };\n  } catch {\n    return { login, signingSession: null };\n  }\n}\n\n/**\n * Internal helper for computing `LoginState`.\n *\n * Implementation detail:\n * - Trusts the IndexedDB last-user pointer for account selection, then confirms\n *   that the VRF worker is actually active for that same account.\n */\nasync function getLoginStateInternal(\n  context: PasskeyManagerContext,\n  nearAccountId?: AccountId\n): Promise<LoginState> {\n  const { webAuthnManager } = context;\n  try {\n    // Determine target account strictly from the last logged-in device.\n    const lastUser = await webAuthnManager.getLastUser();\n    const targetAccountId = nearAccountId ?? lastUser?.nearAccountId ?? null;\n\n    // If caller requested a specific account, it must match the last logged-in account.\n    if (!lastUser || (targetAccountId && lastUser.nearAccountId !== targetAccountId)) {\n      return {\n        isLoggedIn: false,\n        nearAccountId: targetAccountId || null,\n        publicKey: null,\n        vrfActive: false,\n        userData: null\n      };\n    }\n\n    const userData = lastUser;\n    const publicKey = userData?.clientNearPublicKey || null;\n\n    // Check actual VRF worker status\n    const vrfStatus = await webAuthnManager.checkVrfStatus();\n    const vrfActive = vrfStatus.active && vrfStatus.nearAccountId === targetAccountId;\n\n    // Determine if user is considered \"logged in\"\n    // User is logged in if they have user data and VRF is active\n    const isLoggedIn = !!(userData && userData.clientNearPublicKey && vrfActive);\n\n    return {\n      isLoggedIn,\n      nearAccountId: targetAccountId,\n      publicKey,\n      vrfActive,\n      userData,\n      vrfSessionDuration: vrfStatus.sessionDuration || 0\n    };\n\n  } catch (error: any) {\n    console.warn('Error getting login state:', error);\n    return {\n      isLoggedIn: false,\n      nearAccountId: nearAccountId || null,\n      publicKey: null,\n      vrfActive: false,\n      userData: null\n    };\n  }\n}\n\n/**\n * List recently used accounts from IndexedDB.\n *\n * Used for account picker UIs and initial app bootstrap state.\n */\nexport async function getRecentLogins(\n  context: PasskeyManagerContext\n): Promise<GetRecentLoginsResult> {\n  const { webAuthnManager } = context;\n  // Get all user accounts from IndexDB\n  const allUsersData = await webAuthnManager.getAllUsers();\n  const accountIds = allUsersData.map(user => user.nearAccountId);\n  // Get last used account for initial state\n  const lastUsedAccount = await webAuthnManager.getLastUser();\n  return {\n    accountIds,\n    lastUsedAccount,\n  };\n}\n\n/**\n * Clear the active VRF session and any client-side nonce caches.\n *\n * This is the canonical \"logout\" operation for the SDK (does not delete accounts).\n */\nexport async function logoutAndClearSession(context: PasskeyManagerContext): Promise<void> {\n  const { webAuthnManager } = context;\n  await webAuthnManager.clearVrfSession();\n  try { webAuthnManager.getNonceManager().clear(); } catch {}\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAoCA,eAAsB,sBACpB,SACA,eACA,SACsC;CAEtC,MAAM,EAAE,SAAS,SAAS,cAAc,WAAW;CACnD,MAAM,EAAE,oBAAoB;AAE5B,WAAU;EACR,MAAM;EACN,OAAOA,iCAAW;EAClB,QAAQC,kCAAY;EACpB,SAAS,sBAAsB;;CAGjC,MAAM,aAAa,MAAM,gBAAgB;CACzC,MAAM,mBAAmB,YAAY,SAAS,WAAW,gBAAgB;CAGzE,MAAM,uBAAuB,YAAY;EACvC,MAAM,SAAS,MAAM,gBAAgB;EACrC,MAAM,UAAU,QAAQ,SAAS,OAAO,gBAAgB;AACxD,MAAI,WAAW,YAAY,iBACzB,OAAM,sBAAsB;;AAIhC,KAAI;AAEF,MAAI,CAAC,OAAO,iBAAiB;GAC3B,MAAM,eAAe;GACrB,MAAM,QAAQ,IAAI,MAAM;AACxB,aAAU;AACV,aAAU;IACR,MAAM;IACN,OAAOD,iCAAW;IAClB,QAAQC,kCAAY;IACpB,SAAS;IACT,OAAO;;GAET,MAAM,SAAS;IAAE,SAAS;IAAO,OAAO;;AACxC,UAAO;;EAIT,MAAM,eAAe,SAAS,SAAS,QAAQ,SAAS,SAAS,SAAS,QAAQ;EAClF,MAAM,OAAO,MAAM,qBACjB,SACA,eACA,SACA,SACA,WAEA;AAGF,MAAI,CAAC,KAAK,OAAO,QAAS,QAAO,KAAK;EAEtC,MAAM,uBAAuB,OAAO,WAA8D;AAChG,OAAI,CAAC,QAAQ,QAAS,QAAO;AAC7B,OAAI;IACF,MAAMC,iBAAuC,MAAM,gBAAgB,4BAA4B;AAC/F,WAAO;KAAE,GAAG;KAAQ;;WACd;AACN,WAAO;;;EAKX,MAAM,eAAe,QAAQ,QAAQ,uBAAuB;EAC5D,MAAM,uBAAuB,QAAQ,QAAQ,uBAAuB;EACpE,MAAM,QAAQ,SAAS,gBAAgB,SAAS;EAChD,MAAM,gBAAgB,SAAS,gBAAgB,iBAAiB;AAKhE,MAAI,cAAc;GAChB,MAAM,EAAE,MAAM,UAAU,kBAAkB,OAAO,kBAAkB,QAAS;GAC5E,MAAM,YAAY,oBAAoB,QAAQ,QAAQ,QAAQ,KAAK;GACnE,MAAM,SAAS,iBAAiB,mCAAmC;AACnE,OAAI,CAAC,UAAU;AAEb,YAAQ,KAAK;AAEb,UAAM,uBAAuB;KAC3B;KACA;KACA;KACA,YAAY,KAAK;KACjB;KACA;;IAGF,MAAMC,gBAAc,MAAM,qBAAqB,KAAK;AAEpD,cAAU;KACR,MAAM;KACN,OAAOH,iCAAW;KAClB,QAAQC,kCAAY;KACpB,SAAS;KACM;KACf,qBAAqB,KAAK,QAAQ,uBAAuB;;AAE3D,UAAM,YAAY,MAAME;AACxB,WAAOA;;AAET,OAAI;IAEF,MAAM,YAAY,MAAM,QAAQ,WAAW,UAAU,EAAE,UAAU;IACjE,MAAM,cAAc,WAAW,QAAQ;IACvC,MAAM,gBAAgB,OAAO,UAAU,QAAQ,UAAU;IACzD,MAAM,eAAe,MAAM,gBAAgB,yBAAyB;KAClE,QAAQ;KACR,MAAM,gBAAgB;KACtB,WAAW;KACX,aAAa;;IAEf,MAAM,iBAAiB,MAAM,gBAAgB,wBAAwB;IACrE,MAAM,aAAa,MAAM,gBAAgB,uCAAuC;KAC9E;KACA,WAAW;KACX,kBAAkBC,uDAAiC;;AAIrD,QAAI;AACF,SAAI,eAAe,SAAS,GAAG;MAC7B,MAAM,QAAQ,WAAW;MACzB,MAAM,UAAU,eAAe,MAAM,MAAM,EAAE,iBAAiB;AAC9D,UAAI,WAAW,OAAO,QAAQ,iBAAiB,SAC7C,OAAM,QAAQ,gBAAgB,YAAY,eAAe,QAAQ;;YAG/D;AAKR,UAAM,uBAAuB;KAC3B;KACA;KACA;KACA;KACA;KACA;;IAGF,MAAM,IAAI,MAAMC,8CAA6B,UAAU,OAAO,MAA0B,cAAc;AACtG,QAAI,EAAE,WAAW,EAAE,UAAU;KAC3B,MAAMF,gBAAc,MAAM,qBAAqB;MAAE,GAAG,KAAK;MAAQ,KAAK,EAAE;;AAExE,eAAU;MACR,MAAM;MACN,OAAOH,iCAAW;MAClB,QAAQC,kCAAY;MACpB,SAAS;MACM;MACf,qBAAqB,KAAK,QAAQ,uBAAuB;;AAE3D,WAAM,YAAY,MAAME;AACxB,YAAOA;;IAGT,MAAM,SAAS,EAAE,SAAS;AAC1B,UAAM;AACN,cAAU;KACR,MAAM;KACN,OAAOH,iCAAW;KAClB,QAAQC,kCAAY;KACpB,SAAS;KACT,OAAO;;AAET,UAAM,YAAY;AAClB,WAAO;KAAE,SAAS;KAAO,OAAO;;YACzBK,GAAQ;AACf,YAAQ,MAAM,6BAA6B;IAC3C,MAAM,SAASC,2CAA4B,GAAG,YAAa,GAAG,WAAW;AACzE,UAAM;AACN,cAAU;AACV,cAAU;KACR,MAAM;KACN,OAAOP,iCAAW;KAClB,QAAQC,kCAAY;KACpB,SAAS;KACT,OAAO;;AAET,UAAM,YAAY;AAClB,WAAO;KAAE,SAAS;KAAO,OAAO;;;;AAKpC,QAAM,uBAAuB;GAC3B;GACA;GACA;GACA,YAAY,KAAK;GACjB;GACA;;EAGF,MAAM,cAAc,MAAM,qBAAqB,KAAK;AAEpD,YAAU;GACR,MAAM;GACN,OAAOD,iCAAW;GAClB,QAAQC,kCAAY;GACpB,SAAS;GACM;GACf,qBAAqB,KAAK,QAAQ,uBAAuB;;AAE3D,QAAM,YAAY,MAAM;AACxB,SAAO;UAEAO,KAAU;AAEjB,QAAM;AACN,YAAU;EACV,MAAM,eAAeD,2CAA4B,KAAK,YAAY,KAAK,WAAW;AAClF,YAAU;GACR,MAAM;GACN,OAAOP,iCAAW;GAClB,QAAQC,kCAAY;GACpB,SAAS;GACT,OAAO;;EAET,MAAM,SAAS;GAAE,SAAS;GAAO,OAAO;;AACxC,cAAY;AACZ,SAAO;;;;;;;;;;;AAYX,eAAe,uBAAuB,MAOpB;CAChB,MAAM,EAAE,SAAS,eAAe,SAAS,YAAY,OAAO,kBAAkB;CAC9E,MAAM,EAAE,oBAAoB;AAE5B,WAAU;EACR,MAAM;EACN,OAAOD,iCAAW;EAClB,QAAQC,kCAAY;EACpB,SAAS;;CAKX,IAAI,sBAAsB;AAC1B,KAAI,CAAC,qBAAqB;EACxB,MAAM,YAAYQ;EAClB,MAAM,iBAAiB,MAAM,gBAAgB,wBAAwB;EACrE,MAAM,EAAE,4BAA4B,MAAMC,+BAAiB,SAAS,qBAClE,eACA;AAEF,wBAAsB,MAAM,gBAAgB,uCAAuC;GACjF;GACW;GACX,kBAAkBN,uDAAiC;;;AAIvD,OAAM,gBAAgB,iCAAiC;EACrD;EACA,YAAY;EACZ;EACA;;AAGF,WAAU;EACR,MAAM;EACN,OAAOJ,iCAAW;EAClB,QAAQC,kCAAY;EACpB,SAAS;;;;;;;;;;;;;;;;AAiBb,eAAe,qBACb,SACA,eACA,SACA,SACA,WACA,sBAKC;CACD,MAAM,EAAE,oBAAoB;AAE5B,KAAI;EAEF,MAAM,CAAC,UAAU,iBAAiB,kBAAkB,MAAM,QAAQ,IAAI;GACpE,gBAAgB;GAChBS,+BAAiB,SAAS,qBAAqB;GAC/C,gBAAgB,wBAAwB;;EAI1C,IAAI,WAAW;AACf,MAAI,mBAAmB,gBAAgB,kBAAkB,cACvD,YAAW;WACF,YAAY,SAAS,kBAAkB,cAChD,YAAW;MAEX,YAAW,MAAM,gBAAgB,gBAAgB,eAAe;AAIlE,MAAI,CAAC,SACH,OAAM,IAAI,MAAM,2BAA2B,cAAc;AAE3D,MAAI,CAAC,SAAS,oBACZ,OAAM,IAAI,MAAM,gCAAgC,cAAc;AAEhE,MACE,CAAC,SAAS,qBAAqB,wBAC/B,CAAC,SAAS,qBAAqB,kBAE/B,OAAM,IAAI,MAAM;AAElB,MAAI,eAAe,WAAW,EAC5B,OAAM,IAAI,MAAM,uCAAuC,cAAc;AAIvE,YAAU;GACR,MAAM;GACN,OAAOV,iCAAW;GAClB,QAAQC,kCAAY;GACpB,SAAS;;EAGX,IAAIU,eAAqD,EAAE,SAAS;EACpE,IAAI,sBAAsB;EAC1B,IAAIC;EACJ,IAAI,qBAAqB,SAAS;EAGlC,IAAI,oBAAoB;EAExB,MAAM,qBAAqB,CAAC,CAAC,SAAS;EACtC,MAAM,aAAa,QAAQ,QAAQ,SAAS;EAC5C,MAAM,6BAA6B,sBAAsB,CAAC,CAAC,cAAc,CAAC,CAAC,SAAS,2BAA2B;AAE/G,MAAI,2BACF,KAAI;GACF,MAAM,SAAS,SAAS;AACxB,OAAI,CAAC,OAAO,qBAAqB,CAAC,OAAO,WACvC,OAAM,IAAI,MAAM;AAGlB,kBAAe,MAAM,gBAAgB,6BAA6B;IAChE;IACA,YAAY,OAAO;IACnB,mBAAmB,OAAO;IAC1B,aAAa,OAAO;;AAGtB,OAAI,aAAa,SAAS;IACxB,MAAM,YAAY,MAAM,gBAAgB;IACxC,MAAM,SAAS,UAAU,UAAU,UAAU,kBAAkB;AAC/D,QAAI,CAAC,OACH,gBAAe;KAAE,SAAS;KAAO,OAAO;;AAE1C,QAAI,OAEF,OAAM,gBAAgB,4BAA4B;SAGpD,OAAM,IAAI,MAAM,mCAAmC,aAAa;WAE3DC,OAAY;AACnB,kBAAe;IAAE,SAAS;IAAO,OAAO,MAAM;;;AAKlD,MAAI,CAAC,aAAa,SAAS;GACzB,MAAM,WAAW,MAAM,oCAAoC;IACzD;IACA;IACA;IACA;IACA;;AAEF,kBAAe,SAAS;AACxB,yBAAsB,SAAS;AAC/B,sBAAmB,SAAS;AAC5B,uBAAoB,SAAS;AAC7B,wBAAqB,SAAS;;AAGhC,MAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,iCAAiC,aAAa;AAGhE,YAAU;GACR,MAAM;GACN,OAAOb,iCAAW;GAClB,QAAQC,kCAAY;GACpB,SAAS;;AAIX,MAAI;GACF,MAAMa,eAAa,QAAQ,QAAQ,SAAS;AAC5C,OAAI,uBAAuBA,cAAY;IACrC,MAAM,YAAY,MAAM,gBAAgB;AACxC,UAAM,gBAAgB,gCAAgC,eAAe;;WAEhEC,YAAiB;AACxB,WAAQ,KAAK,2DAA2D,YAAY,WAAW;;AAKjG,MAAI;AACF,OAAI,OAAO,uBAAuB,YAAY,OAAO,SAAS,oBAC5D,OAAM,gBAAgB,YAAY,eAAe;YACxC,OAAO,SAAS,iBAAiB,SAC1C,OAAM,gBAAgB,YAAY,eAAe,SAAS;UAEtD;AAGR,QAAM,gBAAgB,gBAAgB;EAEtC,MAAMC,SAAsB;GAC1B,SAAS;GACT,uBAAuB;GAGvB,qBAAqB,mBAAmB;GACzB;;AAGjB,MAAI,CAAC,sBAAsB;AACzB,aAAU;IACR,MAAM;IACN,OAAOhB,iCAAW;IAClB,QAAQC,kCAAY;IACpB,SAAS;IACM;IACf,qBAAqB,mBAAmB,uBAAuB;;AAEjE,eAAY,MAAM;;AAEpB,SAAO;GAAE;GAAQ;GAAqB;;UAE/BY,OAAY;EAEnB,MAAM,eAAeN,2CAA4B,OAAO;AAExD,YAAU;AACV,YAAU;GACR,MAAM;GACN,OAAOP,iCAAW;GAClB,QAAQC,kCAAY;GACpB,SAAS;GACT,OAAO;;EAGT,MAAMe,SAAsB;GAAE,SAAS;GAAO,OAAO;;AACrD,cAAY;AACZ,SAAO;GAAE;GAAQ,qBAAqB;;;;;;;;;;;;;AAa1C,eAAe,oCAAoC,MAYhD;CACD,MAAM,EAAE,iBAAiB,eAAe,gBAAgB,UAAU,YAAY;AAE9E,WAAU;EACR,MAAM;EACN,OAAOhB,iCAAW;EAClB,QAAQC,kCAAY;EACpB,SAAS;;CAGX,MAAM,YAAYQ;CAClB,MAAM,aAAa,MAAM,gBAAgB,8CAA8C;EACrF;EACW;EACX,eAAe,eAAe,KAAK,MAAM,EAAE;;CAG7C,IAAI,oBAAoB;CACxB,IAAI,qBAAqB,SAAS;AAIlC,KAAI,eAAe,SAAS,GAAG;EAC7B,MAAM,QAAQ,WAAW;EACzB,MAAM,UAAU,eAAe,MAAK,MAAK,EAAE,iBAAiB;AAC5D,MAAI,QACF,KAAI;GACF,MAAM,WAAW,MAAMC,+BAAiB,SAAS,gBAAgB,eAAe,QAAQ;AACxF,OAAI,UAAU;AACZ,wBAAoB;AACpB,yBAAqB,QAAQ;;UAEzB;;CAMZ,MAAM,eAAe,MAAM,gBAAgB,iBAAiB;EAC3C;EACf,qBAAqB;GACnB,sBAAsB,kBAAkB,oBAAoB;GAC5D,mBAAmB,kBAAkB,oBAAoB;;EAE/C;;AAGd,QAAO;EACL;EACA,qBAAqB,aAAa;EAClC,kBAAkB;EAClB;EACA;;;;;;;;;;;;;AAcJ,eAAsB,gBACpB,SACA,eACuB;CACvB,MAAM,QAAQ,MAAM,sBAAsB,SAAS;AACnD,KAAI,CAAC,OAAO,cAAc,CAAC,MAAM,cAAe,QAAO;EAAE;EAAO,gBAAgB;;AAChF,KAAI;EACF,MAAM,iBAAiB,MAAM,QAAQ,gBAAgB,4BAA4B,MAAM;AACvF,SAAO;GAAE;GAAO;;SACV;AACN,SAAO;GAAE;GAAO,gBAAgB;;;;;;;;;;;AAWpC,eAAe,sBACb,SACA,eACqB;CACrB,MAAM,EAAE,oBAAoB;AAC5B,KAAI;EAEF,MAAM,WAAW,MAAM,gBAAgB;EACvC,MAAM,kBAAkB,iBAAiB,UAAU,iBAAiB;AAGpE,MAAI,CAAC,YAAa,mBAAmB,SAAS,kBAAkB,gBAC9D,QAAO;GACL,YAAY;GACZ,eAAe,mBAAmB;GAClC,WAAW;GACX,WAAW;GACX,UAAU;;EAId,MAAM,WAAW;EACjB,MAAM,YAAY,UAAU,uBAAuB;EAGnD,MAAM,YAAY,MAAM,gBAAgB;EACxC,MAAM,YAAY,UAAU,UAAU,UAAU,kBAAkB;EAIlE,MAAM,aAAa,CAAC,EAAE,YAAY,SAAS,uBAAuB;AAElE,SAAO;GACL;GACA,eAAe;GACf;GACA;GACA;GACA,oBAAoB,UAAU,mBAAmB;;UAG5CG,OAAY;AACnB,UAAQ,KAAK,8BAA8B;AAC3C,SAAO;GACL,YAAY;GACZ,eAAe,iBAAiB;GAChC,WAAW;GACX,WAAW;GACX,UAAU;;;;;;;;;AAUhB,eAAsB,gBACpB,SACgC;CAChC,MAAM,EAAE,oBAAoB;CAE5B,MAAM,eAAe,MAAM,gBAAgB;CAC3C,MAAM,aAAa,aAAa,KAAI,SAAQ,KAAK;CAEjD,MAAM,kBAAkB,MAAM,gBAAgB;AAC9C,QAAO;EACL;EACA;;;;;;;;AASJ,eAAsB,sBAAsB,SAA+C;CACzF,MAAM,EAAE,oBAAoB;AAC5B,OAAM,gBAAgB;AACtB,KAAI;AAAE,kBAAgB,kBAAkB;SAAiB"}
+{"version":3,"file":"login.js","names":["LoginPhase","LoginStatus","parseDeviceNumber","err: any","getUserFriendlyErrorMessage","signingSession: SigningSessionStatus","IndexedDBManager","normalizeThresholdEd25519ParticipantIds","buildThresholdSessionPolicy","makeThresholdEd25519AuthSessionCacheKey","e: any","clientVerifyingShareB64u: string | null","mintThresholdEd25519AuthSession","computeLoginIntentDigest","authenticatorsToAllowCredentials","serverSessionJwt: string | undefined","verifyAuthenticationResponse","loginResult: LoginResult","createRandomVRFChallenge","hintUserPromise: Promise<ClientUserData | null>","userData: ClientUserData | null","unlockResult: { success: boolean; error?: string }","unlockCredential: WebAuthnAuthenticationCredential | undefined","error: any","relayerUrl","refreshErr: any","result: LoginResult"],"sources":["../../../../src/core/TatchiPasskey/login.ts"],"sourcesContent":["import type {\n  AfterCall,\n  LoginHooksOptions,\n  LoginSSEvent,\n} from '../types/sdkSentEvents';\nimport { LoginPhase, LoginStatus } from '../types/sdkSentEvents';\nimport type {\n  GetRecentLoginsResult,\n  LoginAndCreateSessionResult,\n  LoginResult,\n  LoginSession,\n  LoginState,\n  SigningSessionStatus,\n} from '../types/tatchi';\nimport type { PasskeyManagerContext } from './index';\nimport type { AccountId } from '../types/accountIds';\nimport type { WebAuthnAuthenticationCredential } from '../types/webauthn';\nimport { getUserFriendlyErrorMessage } from '../../utils/errors';\nimport { createRandomVRFChallenge, VRFChallenge } from '../types/vrf-worker';\nimport { authenticatorsToAllowCredentials } from '../WebAuthnManager/touchIdPrompt';\nimport { IndexedDBManager } from '../IndexedDBManager';\nimport type { ClientAuthenticatorData, ClientUserData } from '../IndexedDBManager';\nimport { verifyAuthenticationResponse } from '../rpcCalls';\nimport { computeLoginIntentDigest } from '../digests/intentDigest';\nimport { buildThresholdSessionPolicy } from '../threshold/thresholdSessionPolicy';\nimport { parseDeviceNumber } from '../WebAuthnManager/SignerWorkerManager/getDeviceNumber';\nimport {\n  clearAllCachedThresholdEd25519AuthSessions,\n  makeThresholdEd25519AuthSessionCacheKey,\n  mintThresholdEd25519AuthSession,\n  putCachedThresholdEd25519AuthSession,\n} from '../threshold/thresholdEd25519AuthSession';\nimport { normalizeThresholdEd25519ParticipantIds } from '../../threshold/participants';\n\ntype WarmSigningSessionPolicy = { ttlMs: number; remainingUses: number };\n\ntype ThresholdSessionPlan = {\n  sessionKind: 'jwt';\n  relayerUrl: string;\n  relayerKeyId: string;\n  cacheKey: string;\n  policy: Awaited<ReturnType<typeof buildThresholdSessionPolicy>>;\n  deviceNumber: number;\n};\n\n/**\n * Core login function that handles passkey authentication without React dependencies.\n *\n * - Unlocks the VRF keypair (Shamir 3‑pass auto‑unlock when possible; falls back to TouchID).\n * - Updates local login state and returns success with account/public key info.\n * - Optional: mints a server session when `options.session` is provided.\n *   - Generates a fresh, chain‑anchored VRF challenge (using latest block).\n *   - Collects a WebAuthn assertion over the VRF output and posts to the relay route\n *     (defaults to `/verify-authentication-response`).\n *   - When `kind: 'jwt'`, returns the token in `result.jwt`.\n *   - When `kind: 'cookie'`, the server sets an HttpOnly cookie and no JWT is returned.\n */\nexport async function loginAndCreateSession(\n  context: PasskeyManagerContext,\n  nearAccountId: AccountId,\n  options?: LoginHooksOptions\n): Promise<LoginAndCreateSessionResult> {\n  const { onEvent, onError, afterCall } = options || {};\n  const { webAuthnManager } = context;\n\n  onEvent?.({\n    step: 1,\n    phase: LoginPhase.STEP_1_PREPARATION,\n    status: LoginStatus.PROGRESS,\n    message: `Starting login for ${nearAccountId}`\n  });\n\n  const prevStatus = await webAuthnManager.checkVrfStatus();\n  const prevVrfAccountId = prevStatus?.active ? prevStatus.nearAccountId : null;\n\n  // If this call activates VRF then fails, clear the partial session.\n  const rollbackVrfOnFailure = async () => {\n    const status = await webAuthnManager.checkVrfStatus();\n    const current = status?.active ? status.nearAccountId : null;\n    if (current && current !== prevVrfAccountId) {\n      await logoutAndClearSession(context);\n    }\n  };\n\n  try {\n    // Validation\n    if (!window.isSecureContext) {\n      const errorMessage = 'Passkey operations require a secure context (HTTPS or localhost).';\n      return await finalizeLoginError({\n        message: errorMessage,\n        error: new Error(errorMessage),\n        rollbackVrfOnFailure,\n        onEvent,\n        onError,\n        afterCall,\n        callAfterCall: false,\n      });\n    }\n\n    const session = options?.session;\n    const wantsServerSession = session !== undefined;\n    const deviceNumberHint = parseDeviceNumber(options?.deviceNumber, { min: 1 });\n    const base = await handleLoginUnlockVRF(\n      context,\n      nearAccountId,\n      onEvent,\n      onError,\n      afterCall,\n      // Defer final 'login-complete' event & afterCall until warm signing session is minted\n      true,\n      deviceNumberHint\n    );\n    // If base login failed, just return\n    if (!base.result.success) {\n      return base.result;\n    }\n\n    const preferredDeviceNumber = deviceNumberHint ?? base.activeDeviceNumber;\n    const warmPolicy = resolveWarmSigningSessionPolicy(context, options);\n\n    const wantsThresholdSession =\n      webAuthnManager.getUserPreferences().getSignerMode().mode === 'threshold-signer';\n    const relayUrl = (session?.relayUrl || context.configs.relayer.url).trim();\n    const verifyRoute = (session?.route || '/verify-authentication-response').trim();\n\n    const thresholdPlan = await prepareThresholdSessionPlan({\n      context,\n      nearAccountId,\n      preferredDeviceNumber,\n      relayUrl,\n      ttlMs: warmPolicy.ttlMs,\n      remainingUses: warmPolicy.remainingUses,\n      wantsThresholdSession,\n    });\n\n    const wantsRelayerSession = wantsServerSession || thresholdPlan !== null;\n    if (wantsRelayerSession && !relayUrl) {\n      console.warn('[login] No relayUrl provided for session-style signing');\n    }\n\n    if (wantsRelayerSession && relayUrl) {\n      return await runRelayerSessionFlow({\n        context,\n        nearAccountId,\n        baseLoginResult: base.result,\n        baseUnlockCredential: base.unlockCredential,\n        preferredDeviceNumber,\n        session,\n        relayUrl,\n        verifyRoute,\n        thresholdPlan,\n        warmPolicy,\n        rollbackVrfOnFailure,\n        onEvent,\n        onError,\n        afterCall,\n      });\n    }\n\n    // No relayer session requested (or relayUrl missing): mint/refresh warm signing session only.\n    await mintWarmSigningSession({\n      context,\n      nearAccountId,\n      onEvent,\n      credential: base.unlockCredential,\n      ttlMs: warmPolicy.ttlMs,\n      remainingUses: warmPolicy.remainingUses,\n    });\n    return await finalizeLoginSuccess({\n      webAuthnManager,\n      nearAccountId,\n      loginResult: base.result,\n      onEvent,\n      afterCall,\n    });\n  } catch (err: any) {\n    const errorMessage =\n      getUserFriendlyErrorMessage(err, 'login') || err?.message || 'Login failed';\n    return await finalizeLoginError({\n      message: errorMessage,\n      error: err,\n      rollbackVrfOnFailure,\n      onEvent,\n      onError,\n      afterCall,\n    });\n  }\n}\n\nfunction resolveWarmSigningSessionPolicy(\n  context: PasskeyManagerContext,\n  options?: LoginHooksOptions\n): WarmSigningSessionPolicy {\n  const defaults = context.configs.signingSessionDefaults;\n  return {\n    ttlMs: options?.signingSession?.ttlMs ?? defaults.ttlMs,\n    remainingUses: options?.signingSession?.remainingUses ?? defaults.remainingUses,\n  };\n}\n\nasync function attachSigningSessionStatus(args: {\n  webAuthnManager: PasskeyManagerContext['webAuthnManager'];\n  nearAccountId: AccountId;\n  loginResult: LoginResult;\n}): Promise<LoginAndCreateSessionResult> {\n  const { webAuthnManager, nearAccountId, loginResult } = args;\n  if (!loginResult.success) return loginResult;\n  try {\n    const signingSession: SigningSessionStatus =\n      await webAuthnManager.getWarmSigningSessionStatus(nearAccountId);\n    return { ...loginResult, signingSession };\n  } catch {\n    return loginResult;\n  }\n}\n\nasync function finalizeLoginSuccess(args: {\n  webAuthnManager: PasskeyManagerContext['webAuthnManager'];\n  nearAccountId: AccountId;\n  loginResult: LoginResult;\n  onEvent?: (event: LoginSSEvent) => void;\n  afterCall?: AfterCall<LoginAndCreateSessionResult>;\n}): Promise<LoginAndCreateSessionResult> {\n  const { webAuthnManager, nearAccountId, loginResult, onEvent, afterCall } = args;\n  const finalResult = await attachSigningSessionStatus({\n    webAuthnManager,\n    nearAccountId,\n    loginResult,\n  });\n  onEvent?.({\n    step: 4,\n    phase: LoginPhase.STEP_4_LOGIN_COMPLETE,\n    status: LoginStatus.SUCCESS,\n    message: 'Login completed successfully',\n    nearAccountId,\n    clientNearPublicKey: loginResult.clientNearPublicKey ?? '',\n  });\n  await afterCall?.(true, finalResult);\n  return finalResult;\n}\n\nasync function finalizeLoginError(args: {\n  message: string;\n  error?: unknown;\n  rollbackVrfOnFailure: () => Promise<void>;\n  onEvent?: (event: LoginSSEvent) => void;\n  onError?: (error: Error) => void;\n  afterCall?: AfterCall<LoginAndCreateSessionResult>;\n  callOnError?: boolean;\n  callAfterCall?: boolean;\n}): Promise<LoginAndCreateSessionResult> {\n  const {\n    message,\n    error,\n    rollbackVrfOnFailure,\n    onEvent,\n    onError,\n    afterCall,\n    callOnError = true,\n    callAfterCall = true,\n  } = args;\n\n  try { await rollbackVrfOnFailure(); } catch {}\n\n  if (callOnError) {\n    onError?.(error as any);\n  }\n\n  onEvent?.({\n    step: 0,\n    phase: LoginPhase.LOGIN_ERROR,\n    status: LoginStatus.ERROR,\n    message,\n    error: message,\n  });\n\n  if (callAfterCall) {\n    await afterCall?.(false);\n  }\n  return { success: false, error: message };\n}\n\nasync function prepareThresholdSessionPlan(args: {\n  context: PasskeyManagerContext;\n  nearAccountId: AccountId;\n  preferredDeviceNumber: number | null;\n  relayUrl: string;\n  ttlMs: number;\n  remainingUses: number;\n  wantsThresholdSession: boolean;\n}): Promise<ThresholdSessionPlan | null> {\n  const {\n    context,\n    nearAccountId,\n    preferredDeviceNumber,\n    relayUrl,\n    ttlMs,\n    remainingUses,\n    wantsThresholdSession,\n  } = args;\n  if (!wantsThresholdSession || !relayUrl) return null;\n\n  const { webAuthnManager } = context;\n\n  try {\n    const rpId = webAuthnManager.getRpId();\n    if (!rpId) throw new Error('Missing rpId for threshold session');\n\n    const lastUser = await webAuthnManager.getLastUser();\n    const deviceNumber = preferredDeviceNumber ??\n      (lastUser?.nearAccountId === nearAccountId\n        ? lastUser.deviceNumber\n        : (await IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId))\n            ?.deviceNumber ?? null);\n\n    if (deviceNumber === null) {\n      console.warn('[login] threshold-signer configured but no threshold key material found; skipping threshold session');\n      return null;\n    }\n\n    const thresholdKeyMaterial = await IndexedDBManager.nearKeysDB.getThresholdKeyMaterial(\n      nearAccountId,\n      deviceNumber\n    );\n    const relayerKeyId = thresholdKeyMaterial?.relayerKeyId || null;\n    const participantIds = thresholdKeyMaterial?.participants?.map((p) => p.id) || null;\n    const normalizedParticipantIds = normalizeThresholdEd25519ParticipantIds(participantIds);\n\n    if (!relayerKeyId) {\n      console.warn('[login] threshold-signer configured but no threshold key material found; skipping threshold session');\n      return null;\n    }\n\n    if (!normalizedParticipantIds || normalizedParticipantIds.length < 2) {\n      console.warn('[login] threshold key material missing/invalid participantIds; skipping threshold session mint');\n      return null;\n    }\n\n    const policy = await buildThresholdSessionPolicy({\n      nearAccountId,\n      rpId,\n      relayerKeyId,\n      ...(normalizedParticipantIds?.length ? { participantIds: normalizedParticipantIds } : {}),\n      ttlMs,\n      remainingUses,\n    });\n\n    const cacheKey = makeThresholdEd25519AuthSessionCacheKey({\n      nearAccountId,\n      rpId,\n      relayerUrl: relayUrl,\n      relayerKeyId,\n      ...(normalizedParticipantIds?.length ? { participantIds: normalizedParticipantIds } : {}),\n    });\n\n    return {\n      sessionKind: 'jwt',\n      relayerUrl: relayUrl,\n      relayerKeyId,\n      cacheKey,\n      policy,\n      deviceNumber,\n    };\n  } catch (e: any) {\n    console.warn(\n      '[login] failed to prepare threshold session policy; skipping threshold session mint:',\n      e?.message || e\n    );\n    return null;\n  }\n}\n\nasync function mintThresholdSessionBestEffort(args: {\n  context: PasskeyManagerContext;\n  nearAccountId: AccountId;\n  plan: ThresholdSessionPlan;\n  vrfChallenge: VRFChallenge;\n  credential: WebAuthnAuthenticationCredential;\n}): Promise<void> {\n  const { context, nearAccountId, plan, vrfChallenge, credential } = args;\n  const { webAuthnManager } = context;\n\n  let clientVerifyingShareB64u: string | null = null;\n  try {\n    const localKeyMaterial = await IndexedDBManager.nearKeysDB.getLocalKeyMaterial(\n      nearAccountId,\n      plan.deviceNumber\n    );\n    const wrapKeySalt = String(localKeyMaterial?.wrapKeySalt || '').trim();\n    if (wrapKeySalt) {\n      const derived =\n        await webAuthnManager.deriveThresholdEd25519ClientVerifyingShareFromCredential({\n          credential,\n          nearAccountId,\n          wrapKeySalt,\n        });\n      if (derived.success && derived.clientVerifyingShareB64u) {\n        clientVerifyingShareB64u = derived.clientVerifyingShareB64u;\n      }\n    }\n  } catch (e: any) {\n    console.warn(\n      '[login] failed to derive clientVerifyingShareB64u for threshold session mint:',\n      e?.message || e\n    );\n  }\n\n  if (!clientVerifyingShareB64u) {\n    console.warn(\n      '[login] threshold session mint skipped: missing clientVerifyingShareB64u'\n    );\n    return;\n  }\n\n  const minted = await mintThresholdEd25519AuthSession({\n    relayerUrl: plan.relayerUrl,\n    sessionKind: plan.sessionKind,\n    relayerKeyId: plan.relayerKeyId,\n    clientVerifyingShareB64u,\n    sessionPolicy: plan.policy.policy,\n    vrfChallenge,\n    webauthnAuthentication: credential,\n  });\n\n  if (minted.ok && minted.jwt) {\n    putCachedThresholdEd25519AuthSession(plan.cacheKey, {\n      sessionKind: plan.sessionKind,\n      policy: plan.policy.policy,\n      policyJson: plan.policy.policyJson,\n      sessionPolicyDigest32: plan.policy.sessionPolicyDigest32,\n      jwt: minted.jwt,\n      ...(minted.expiresAtMs ? { expiresAtMs: minted.expiresAtMs } : {}),\n    });\n    return;\n  }\n\n  if (!minted.ok) {\n    console.warn(\n      '[login] threshold session mint failed:',\n      minted.code || minted.message || 'unknown error'\n    );\n  }\n}\n\nasync function runRelayerSessionFlow(args: {\n  context: PasskeyManagerContext;\n  nearAccountId: AccountId;\n  baseLoginResult: LoginResult;\n  baseUnlockCredential?: WebAuthnAuthenticationCredential;\n  preferredDeviceNumber: number | null;\n  session: LoginHooksOptions['session'] | undefined;\n  relayUrl: string;\n  verifyRoute: string;\n  thresholdPlan: ThresholdSessionPlan | null;\n  warmPolicy: WarmSigningSessionPolicy;\n  rollbackVrfOnFailure: () => Promise<void>;\n  onEvent?: (event: LoginSSEvent) => void;\n  onError?: (error: Error) => void;\n  afterCall?: AfterCall<LoginAndCreateSessionResult>;\n}): Promise<LoginAndCreateSessionResult> {\n  const {\n    context,\n    nearAccountId,\n    baseLoginResult,\n    baseUnlockCredential,\n    preferredDeviceNumber,\n    session,\n    relayUrl,\n    verifyRoute,\n    thresholdPlan,\n    warmPolicy,\n    rollbackVrfOnFailure,\n    onEvent,\n    onError,\n    afterCall,\n  } = args;\n\n  const { webAuthnManager } = context;\n\n  try {\n    const rpId = webAuthnManager.getRpId();\n    if (!rpId) {\n      throw new Error('Missing rpId for VRF challenge generation during login');\n    }\n\n    const blockInfo = await context.nearClient.viewBlock({ finality: 'final' });\n    const txBlockHash = blockInfo?.header?.hash;\n    const txBlockHeight = String(blockInfo.header?.height ?? '');\n    const intentDigest = await computeLoginIntentDigest({ nearAccountId, rpId });\n    const vrfChallenge = await webAuthnManager.generateVrfChallengeOnce({\n      userId: nearAccountId,\n      rpId,\n      blockHash: txBlockHash,\n      blockHeight: txBlockHeight,\n      intentDigest,\n      ...(thresholdPlan ? { sessionPolicyDigest32: thresholdPlan.policy.sessionPolicyDigest32 } : {}),\n    });\n\n    const authenticators = await webAuthnManager.getAuthenticatorsByUser(nearAccountId);\n    const authenticatorsForPrompt = prioritizeAuthenticatorsByDeviceNumber(\n      authenticators,\n      preferredDeviceNumber\n    );\n    const credential = await webAuthnManager.getAuthenticationCredentialsSerialized({\n      nearAccountId,\n      challenge: vrfChallenge,\n      allowCredentials: authenticatorsToAllowCredentials(authenticatorsForPrompt),\n    });\n\n    const effectiveLoginResult = await bindVrfToSelectedLoginPasskeyDevice({\n      webAuthnManager,\n      nearAccountId,\n      authenticators,\n      credential,\n      baseUnlockCredential,\n      baseLoginResult: baseLoginResult,\n    });\n\n    await mintWarmSigningSession({\n      context,\n      nearAccountId,\n      onEvent,\n      credential,\n      ttlMs: warmPolicy.ttlMs,\n      remainingUses: warmPolicy.remainingUses,\n    });\n\n    let serverSessionJwt: string | undefined;\n    if (session) {\n      const v = await verifyAuthenticationResponse(\n        relayUrl,\n        verifyRoute,\n        session.kind,\n        vrfChallenge,\n        credential\n      );\n      if (!v.success || !v.verified) {\n        const errMsg = v.error || 'Session verification failed';\n        return await finalizeLoginError({\n          message: errMsg,\n          rollbackVrfOnFailure,\n          onEvent,\n          afterCall,\n          callOnError: false,\n        });\n      }\n      serverSessionJwt = v.jwt;\n    }\n\n    if (thresholdPlan) {\n      await mintThresholdSessionBestEffort({\n        context,\n        nearAccountId,\n        plan: thresholdPlan,\n        vrfChallenge,\n        credential,\n      });\n    }\n\n    const loginResult: LoginResult = serverSessionJwt\n      ? { ...effectiveLoginResult, jwt: serverSessionJwt }\n      : effectiveLoginResult;\n\n    return await finalizeLoginSuccess({\n      webAuthnManager,\n      nearAccountId,\n      loginResult,\n      onEvent,\n      afterCall,\n    });\n  } catch (e: any) {\n    console.error('[login] Failed to start session:', e);\n    const errMsg =\n      getUserFriendlyErrorMessage(e, 'login') ||\n      e?.message ||\n      'Session verification failed';\n    return await finalizeLoginError({\n      message: errMsg,\n      error: e,\n      rollbackVrfOnFailure,\n      onEvent,\n      onError,\n      afterCall,\n    });\n  }\n}\n\n/**\n * When multiple passkeys exist for the same account, the user can select any of them in the WebAuthn prompt.\n * If the VRF worker was auto-unlocked using a different device (e.g. Shamir 3-pass based on the \"latest\" row),\n * we must rebind the VRF worker to the same deviceNumber as the selected credential. Otherwise, WrapKeySeed\n * derivation can mix PRF.first(from selected credential) with vrf_sk(from a different device), which later\n * causes vault decryption failures (e.g. `aead::Error` during private key export).\n */\nasync function bindVrfToSelectedLoginPasskeyDevice(args: {\n  webAuthnManager: PasskeyManagerContext['webAuthnManager'];\n  nearAccountId: AccountId;\n  authenticators: ClientAuthenticatorData[];\n  credential: WebAuthnAuthenticationCredential;\n  baseUnlockCredential?: WebAuthnAuthenticationCredential;\n  baseLoginResult: LoginResult;\n}): Promise<LoginResult> {\n  const {\n    webAuthnManager,\n    nearAccountId,\n    authenticators,\n    credential,\n    baseUnlockCredential,\n    baseLoginResult,\n  } = args;\n\n  // Start with the base login result (may reflect whichever VRF keypair was auto-unlocked).\n  // If the user selects a different passkey below, update it to match the chosen device.\n  let effectiveLoginResult = baseLoginResult;\n\n  if (authenticators.length <= 1) {\n    return effectiveLoginResult;\n  }\n\n  const rawId = credential.rawId;\n  const matched = authenticators.find((a) => a.credentialId === rawId);\n  const selectedDeviceNumber = matched?.deviceNumber ?? null;\n\n  if (selectedDeviceNumber === null) {\n    return effectiveLoginResult;\n  }\n\n  const userForDevice = await IndexedDBManager.clientDB\n    .getUserByDevice(nearAccountId, selectedDeviceNumber)\n    .catch(() => null);\n\n  if (userForDevice?.clientNearPublicKey) {\n    effectiveLoginResult = {\n      ...effectiveLoginResult,\n      clientNearPublicKey: userForDevice.clientNearPublicKey,\n    };\n  }\n\n  const shouldRebindVrf = !baseUnlockCredential || baseUnlockCredential.rawId !== rawId;\n  if (shouldRebindVrf) {\n    const shamir = userForDevice?.serverEncryptedVrfKeypair;\n    if (!shamir?.ciphertextVrfB64u || !shamir?.kek_s_b64u || !shamir?.serverKeyId) {\n      throw new Error(\n        `Missing serverEncryptedVrfKeypair for account ${nearAccountId} device ${selectedDeviceNumber}. ` +\n        'Open the wallet once online to refresh local state, then try again.'\n      );\n    }\n\n    const unlock = await webAuthnManager.shamir3PassDecryptVrfKeypair({\n      nearAccountId,\n      kek_s_b64u: shamir.kek_s_b64u,\n      ciphertextVrfB64u: shamir.ciphertextVrfB64u,\n      serverKeyId: shamir.serverKeyId,\n    });\n    if (!unlock.success) {\n      throw new Error(\n        unlock.error ||\n        'Failed to bind VRF keypair to the passkey you selected. Please try again.'\n      );\n    }\n  }\n\n  // Persist the deviceNumber that the user actually selected so subsequent flows (export/signing)\n  // use the correct vault entry.\n  await webAuthnManager.setLastUser(nearAccountId, selectedDeviceNumber);\n  // Best-effort: stamp the selected device as the one last used for login.\n  await webAuthnManager.updateLastLogin(nearAccountId).catch(() => undefined);\n\n  return effectiveLoginResult;\n}\n\n/**\n * Mint or refresh a \"warm signing session\" in the VRF worker.\n *\n * Notes:\n * - Reuses a previously collected WebAuthn credential when provided (e.g. TouchID fallback),\n *   to avoid prompting the user twice in a single login flow.\n * - Session TTL/remainingUses policy is enforced by the VRF worker.\n */\nasync function mintWarmSigningSession(args: {\n  context: PasskeyManagerContext;\n  nearAccountId: AccountId;\n  onEvent?: (event: LoginSSEvent) => void;\n  credential?: WebAuthnAuthenticationCredential;\n  ttlMs: number;\n  remainingUses: number;\n}): Promise<void> {\n  const { context, nearAccountId, onEvent, credential, ttlMs, remainingUses } = args;\n  const { webAuthnManager } = context;\n\n  onEvent?.({\n    step: 3,\n    phase: LoginPhase.STEP_3_VRF_UNLOCK,\n    status: LoginStatus.PROGRESS,\n    message: 'Unlocking warm signing session...'\n  });\n\n  // If we already performed a TouchID ceremony (e.g., VRF unlock fallback),\n  // reuse that credential to avoid a second prompt.\n  let effectiveCredential = credential;\n  if (!effectiveCredential) {\n    const challenge = createRandomVRFChallenge();\n    const authenticators = await webAuthnManager.getAuthenticatorsByUser(nearAccountId);\n    const { authenticatorsForPrompt } = await IndexedDBManager.clientDB.ensureCurrentPasskey(\n      nearAccountId,\n      authenticators,\n    );\n    effectiveCredential = await webAuthnManager.getAuthenticationCredentialsSerialized({\n      nearAccountId,\n      challenge: challenge as VRFChallenge,\n      allowCredentials: authenticatorsToAllowCredentials(authenticatorsForPrompt),\n    });\n  }\n\n  await webAuthnManager.mintSigningSessionFromCredential({\n    nearAccountId,\n    credential: effectiveCredential,\n    ttlMs,\n    remainingUses,\n  });\n\n  onEvent?.({\n    step: 3,\n    phase: LoginPhase.STEP_3_VRF_UNLOCK,\n    status: LoginStatus.SUCCESS,\n    message: 'Warm signing session unlocked'\n  });\n}\n\n/**\n * Handle onchain (serverless) login using VRF flow per docs/vrf_challenges.md\n *\n * VRF AUTHENTICATION FLOW:\n * 1. Unlock VRF keypair in VRF Worker memory, either\n *      - Decrypt via Shamir 3-pass (when Relayer is present), or\n *      - Re-derive the VRF via credentials inside VRF worker dynamically\n * 2. Generate VRF challenge using stored VRF keypair + NEAR block data (no TouchID needed)\n * 3. Use VRF output as WebAuthn challenge for authentication\n * 4. Verify VRF proof and WebAuthn response on contract simultaneously\n *      - VRF proof assures WebAuthn challenge is fresh and valid (replay protection)\n *      - WebAuthn verification for origin + biometric credentials + device authenticity\n */\nasync function handleLoginUnlockVRF(\n  context: PasskeyManagerContext,\n  nearAccountId: AccountId,\n  onEvent?: (event: LoginSSEvent) => void,\n  onError?: (error: Error) => void,\n  afterCall?: AfterCall<LoginAndCreateSessionResult>,\n  deferCompletionHooks?: boolean,\n  deviceNumberHint: number | null = null,\n): Promise<{\n  result: LoginResult;\n  usedFallbackTouchId: boolean;\n  unlockCredential?: WebAuthnAuthenticationCredential;\n  activeDeviceNumber: number | null;\n}> {\n  const { webAuthnManager } = context;\n\n  try {\n    // Step 1: Get VRF credentials and authenticators, and validate them\n    const hintUserPromise: Promise<ClientUserData | null> =\n      deviceNumberHint !== null\n        ? webAuthnManager.getUserByDevice(nearAccountId, deviceNumberHint).catch(() => null)\n        : Promise.resolve(null);\n\n    const [hintUser, lastUser, latestByAccount, authenticators] = await Promise.all([\n      hintUserPromise,\n      webAuthnManager.getLastUser(),\n      IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId),\n      webAuthnManager.getAuthenticatorsByUser(nearAccountId),\n    ]);\n\n    // Prefer the most recently updated record for this account; fall back to lastUser pointer.\n    let userData: ClientUserData | null = null;\n    if (hintUser && hintUser.nearAccountId === nearAccountId) {\n      userData = hintUser;\n    } else if (latestByAccount && latestByAccount.nearAccountId === nearAccountId) {\n      userData = latestByAccount;\n    } else if (lastUser && lastUser.nearAccountId === nearAccountId) {\n      userData = lastUser;\n    } else {\n      userData = await webAuthnManager.getUserByDevice(nearAccountId, 1);\n    }\n\n    // Validate user data and authenticators\n    if (!userData) {\n      throw new Error(`User data not found for ${nearAccountId} in IndexedDB. Please register an account.`);\n    }\n    if (!userData.clientNearPublicKey) {\n      throw new Error(`No NEAR public key found for ${nearAccountId}. Please register an account.`);\n    }\n    if (\n      !userData.encryptedVrfKeypair?.encryptedVrfDataB64u ||\n      !userData.encryptedVrfKeypair?.chacha20NonceB64u\n    ) {\n      throw new Error('No VRF credentials found. Please register an account.');\n    }\n    if (authenticators.length === 0) {\n      throw new Error(`No authenticators found for account ${nearAccountId}. Please register.`);\n    }\n\n    // Step 2: Try Shamir 3-pass commutative unlock first (no TouchID required), fallback to TouchID\n    onEvent?.({\n      step: 2,\n      phase: LoginPhase.STEP_2_WEBAUTHN_ASSERTION,\n      status: LoginStatus.PROGRESS,\n      message: 'Unlocking VRF keys...'\n    });\n\n    let unlockResult: { success: boolean; error?: string } = { success: false };\n    let usedFallbackTouchId = false;\n    let unlockCredential: WebAuthnAuthenticationCredential | undefined;\n    let activeDeviceNumber = userData.deviceNumber;\n    // Effective user row whose VRF/NEAR keys are actually used for this login.\n    // May be switched when multiple devices exist and the user picks a different passkey.\n    let effectiveUserData = userData;\n\n    const shamir = userData.serverEncryptedVrfKeypair;\n    const relayerUrl = context.configs.relayer?.url;\n    const useShamir3PassVRFKeyUnlock = !!relayerUrl && !!shamir?.serverKeyId;\n\n    if (useShamir3PassVRFKeyUnlock && shamir) {\n      try {\n        if (!shamir.ciphertextVrfB64u || !shamir.kek_s_b64u) {\n          throw new Error('Missing Shamir3Pass fields (ciphertextVrfB64u/kek_s_b64u)');\n        }\n\n        unlockResult = await webAuthnManager.shamir3PassDecryptVrfKeypair({\n          nearAccountId,\n          kek_s_b64u: shamir.kek_s_b64u,\n          ciphertextVrfB64u: shamir.ciphertextVrfB64u,\n          serverKeyId: shamir.serverKeyId,\n        });\n\n        if (unlockResult.success) {\n          const vrfStatus = await webAuthnManager.checkVrfStatus();\n          const active = vrfStatus.active && vrfStatus.nearAccountId === nearAccountId;\n          if (!active) {\n            unlockResult = { success: false, error: 'VRF session inactive after Shamir3Pass' };\n          }\n          if (active) {\n            // Proactive rotation if serverKeyId changed and we unlocked via Shamir\n            await webAuthnManager.maybeProactiveShamirRefresh(nearAccountId);\n          }\n        } else {\n          throw new Error(`Shamir3Pass auto-unlock failed: ${unlockResult.error}`);\n        }\n      } catch (error: any) {\n        unlockResult = { success: false, error: error.message };\n      }\n    }\n\n    // Fallback to TouchID if Shamir3Pass decryption failed\n    if (!unlockResult.success) {\n      const authenticatorsForPrompt = prioritizeAuthenticatorsByDeviceNumber(authenticators, deviceNumberHint);\n      const fallback = await fallbackUnlockVrfKeypairWithTouchId({\n        webAuthnManager,\n        nearAccountId,\n        authenticators: authenticatorsForPrompt,\n        userData,\n        onEvent,\n      });\n      unlockResult = fallback.unlockResult;\n      usedFallbackTouchId = fallback.usedFallbackTouchId;\n      unlockCredential = fallback.unlockCredential;\n      effectiveUserData = fallback.effectiveUserData;\n      activeDeviceNumber = fallback.activeDeviceNumber;\n    }\n\n    if (!unlockResult.success) {\n      throw new Error(`Failed to unlock VRF keypair: ${unlockResult.error}`);\n    }\n\n    onEvent?.({\n      step: 3,\n      phase: LoginPhase.STEP_3_VRF_UNLOCK,\n      status: LoginStatus.SUCCESS,\n      message: 'VRF keypair unlocked...'\n    });\n\n    // Proactive refresh: if Shamir3Pass failed and we used TouchID, re-encrypt under current server key\n    try {\n      const relayerUrl = context.configs.relayer?.url;\n      if (usedFallbackTouchId && relayerUrl) {\n        const refreshed = await webAuthnManager.shamir3PassEncryptCurrentVrfKeypair();\n        await webAuthnManager.updateServerEncryptedVrfKeypair(nearAccountId, refreshed);\n      }\n    } catch (refreshErr: any) {\n      console.warn('Non-fatal: Failed to refresh serverEncryptedVrfKeypair:', refreshErr?.message || refreshErr);\n    }\n\n    // Step 3: Update local data and return success\n    // Ensure last-user deviceNumber reflects the passkey actually used for login.\n    try {\n      await webAuthnManager.setLastUser(nearAccountId, activeDeviceNumber);\n    } catch {\n      // Non-fatal; continue even if last-user update fails.\n    }\n    await webAuthnManager.updateLastLogin(nearAccountId);\n\n    const result: LoginResult = {\n      success: true,\n      loggedInNearAccountId: nearAccountId,\n      // Ensure the clientNearPublicKey reflects the device whose VRF credentials\n      // are actually active for this login.\n      clientNearPublicKey: effectiveUserData.clientNearPublicKey,\n      nearAccountId: nearAccountId\n    };\n\n    if (!deferCompletionHooks) {\n      onEvent?.({\n        step: 4,\n        phase: LoginPhase.STEP_4_LOGIN_COMPLETE,\n        status: LoginStatus.SUCCESS,\n        message: 'Login completed successfully',\n        nearAccountId: nearAccountId,\n        clientNearPublicKey: effectiveUserData.clientNearPublicKey\n      });\n      afterCall?.(true, result);\n    }\n    return { result, usedFallbackTouchId, unlockCredential, activeDeviceNumber };\n\n  } catch (error: any) {\n    // Use centralized error handling\n    const errorMessage = getUserFriendlyErrorMessage(error, 'login');\n\n    onError?.(error);\n    onEvent?.({\n      step: 0,\n      phase: LoginPhase.LOGIN_ERROR,\n      status: LoginStatus.ERROR,\n      message: errorMessage,\n      error: errorMessage\n    });\n\n    const result: LoginResult = { success: false, error: errorMessage };\n    afterCall?.(false);\n    return { result, usedFallbackTouchId: false, activeDeviceNumber: null };\n  }\n}\n\n/**\n * TouchID fallback path for VRF unlock.\n *\n * Used when Shamir 3-pass auto-unlock fails/unavailable:\n * - Prompts WebAuthn to obtain a serialized credential with PRF.first + PRF.second.\n * - Aligns the local encrypted VRF keypair blob with the passkey the user actually chose\n *   (important when multiple devices/passkeys exist for the same account).\n * - Unlocks the VRF keypair inside the VRF worker and returns updated effective user context.\n */\nasync function fallbackUnlockVrfKeypairWithTouchId(args: {\n  webAuthnManager: PasskeyManagerContext['webAuthnManager'];\n  nearAccountId: AccountId;\n  authenticators: ClientAuthenticatorData[];\n  userData: ClientUserData;\n  onEvent?: (event: LoginSSEvent) => void;\n}): Promise<{\n  unlockResult: { success: boolean; error?: string };\n  usedFallbackTouchId: boolean;\n  unlockCredential: WebAuthnAuthenticationCredential;\n  effectiveUserData: ClientUserData;\n  activeDeviceNumber: number;\n}> {\n  const { webAuthnManager, nearAccountId, authenticators, userData, onEvent } = args;\n\n  onEvent?.({\n    step: 2,\n    phase: LoginPhase.STEP_2_WEBAUTHN_ASSERTION,\n    status: LoginStatus.PROGRESS,\n    message: 'Logging in, unlocking VRF credentials...'\n  });\n\n  const challenge = createRandomVRFChallenge();\n  const credential = await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n    nearAccountId,\n    challenge: challenge as VRFChallenge,\n    credentialIds: authenticators.map((a) => a.credentialId),\n  });\n\n  let effectiveUserData = userData;\n  let activeDeviceNumber = userData.deviceNumber;\n\n  // If multiple authenticators exist, align VRF credentials with the passkey\n  // the user actually chose, based on credentialId → deviceNumber.\n  if (authenticators.length > 1) {\n    const rawId = credential.rawId;\n    const matched = authenticators.find(a => a.credentialId === rawId);\n    if (matched) {\n      try {\n        const byDevice = await IndexedDBManager.clientDB.getUserByDevice(nearAccountId, matched.deviceNumber);\n        if (byDevice) {\n          effectiveUserData = byDevice;\n          activeDeviceNumber = matched.deviceNumber;\n        }\n      } catch {\n        // If lookup by device fails, fall back to the base userData.\n      }\n    }\n  }\n\n  const unlockResult = await webAuthnManager.unlockVRFKeypair({\n    nearAccountId: nearAccountId,\n    encryptedVrfKeypair: {\n      encryptedVrfDataB64u: effectiveUserData.encryptedVrfKeypair.encryptedVrfDataB64u,\n      chacha20NonceB64u: effectiveUserData.encryptedVrfKeypair.chacha20NonceB64u,\n    },\n    credential: credential,\n  });\n\n  return {\n    unlockResult,\n    usedFallbackTouchId: unlockResult.success,\n    unlockCredential: credential,\n    effectiveUserData,\n    activeDeviceNumber,\n  };\n}\n\n/**\n * High-level login snapshot used by React contexts/UI.\n *\n * Returns:\n * - `login`: derived from IndexedDB last-user pointer + VRF worker status\n * - `signingSession`: warm signing session status when available\n *\n * The `nearAccountId` argument is treated as a \"query hint\" and must match the\n * last logged-in account to be considered logged in (prevents accidental cross-account reads).\n */\nexport async function getLoginSession(\n  context: PasskeyManagerContext,\n  nearAccountId?: AccountId\n): Promise<LoginSession> {\n  const login = await getLoginStateInternal(context, nearAccountId);\n  if (!login?.isLoggedIn || !login.nearAccountId) return { login, signingSession: null };\n  try {\n    const signingSession = await context.webAuthnManager.getWarmSigningSessionStatus(login.nearAccountId);\n    return { login, signingSession };\n  } catch {\n    return { login, signingSession: null };\n  }\n}\n\n/**\n * Internal helper for computing `LoginState`.\n *\n * Implementation detail:\n * - Trusts the IndexedDB last-user pointer for account selection, then confirms\n *   that the VRF worker is actually active for that same account.\n */\nasync function getLoginStateInternal(\n  context: PasskeyManagerContext,\n  nearAccountId?: AccountId\n): Promise<LoginState> {\n  const { webAuthnManager } = context;\n  try {\n    // Determine target account strictly from the last logged-in device.\n    const lastUser = await webAuthnManager.getLastUser();\n    const targetAccountId = nearAccountId ?? lastUser?.nearAccountId ?? null;\n\n    // If caller requested a specific account, it must match the last logged-in account.\n    if (!lastUser || (targetAccountId && lastUser.nearAccountId !== targetAccountId)) {\n      return {\n        isLoggedIn: false,\n        nearAccountId: targetAccountId || null,\n        publicKey: null,\n        vrfActive: false,\n        userData: null\n      };\n    }\n\n    const userData = lastUser;\n    const publicKey = userData?.clientNearPublicKey || null;\n\n    // Check actual VRF worker status\n    const vrfStatus = await webAuthnManager.checkVrfStatus();\n    const vrfActive = vrfStatus.active && vrfStatus.nearAccountId === targetAccountId;\n\n    // Determine if user is considered \"logged in\"\n    // User is logged in if they have user data and VRF is active\n    const isLoggedIn = !!(userData && userData.clientNearPublicKey && vrfActive);\n\n    return {\n      isLoggedIn,\n      nearAccountId: targetAccountId,\n      publicKey,\n      vrfActive,\n      userData,\n      vrfSessionDuration: vrfStatus.sessionDuration || 0\n    };\n\n  } catch (error: any) {\n    console.warn('Error getting login state:', error);\n    return {\n      isLoggedIn: false,\n      nearAccountId: nearAccountId || null,\n      publicKey: null,\n      vrfActive: false,\n      userData: null\n    };\n  }\n}\n\n/**\n * List recently used accounts from IndexedDB.\n *\n * Used for account picker UIs and initial app bootstrap state.\n */\nexport async function getRecentLogins(\n  context: PasskeyManagerContext\n): Promise<GetRecentLoginsResult> {\n  const { webAuthnManager } = context;\n  // Get all user accounts from IndexDB\n  const allUsersData = await webAuthnManager.getAllUsers();\n  const accountIds = allUsersData.map(user => user.nearAccountId);\n  // Get last used account for initial state\n  const lastUsedAccount = await webAuthnManager.getLastUser();\n  return {\n    accountIds,\n    lastUsedAccount,\n  };\n}\n\n/**\n * Clear the active VRF session and any client-side nonce caches.\n *\n * This is the canonical \"logout\" operation for the SDK (does not delete accounts).\n */\nexport async function logoutAndClearSession(context: PasskeyManagerContext): Promise<void> {\n  const { webAuthnManager } = context;\n  await webAuthnManager.clearVrfSession();\n  try { webAuthnManager.getNonceManager().clear(); } catch {}\n  try { clearAllCachedThresholdEd25519AuthSessions(); } catch {}\n}\n\nfunction prioritizeAuthenticatorsByDeviceNumber(\n  authenticators: ClientAuthenticatorData[],\n  deviceNumber: number | null\n): ClientAuthenticatorData[] {\n  if (authenticators.length <= 1) return authenticators;\n  if (deviceNumber === null) return authenticators;\n  const preferred = authenticators.filter((a) => a.deviceNumber === deviceNumber);\n  if (preferred.length === 0) return authenticators;\n  const rest = authenticators.filter((a) => a.deviceNumber !== deviceNumber);\n  return [...preferred, ...rest];\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAyDA,eAAsB,sBACpB,SACA,eACA,SACsC;CACtC,MAAM,EAAE,SAAS,SAAS,cAAc,WAAW;CACnD,MAAM,EAAE,oBAAoB;AAE5B,WAAU;EACR,MAAM;EACN,OAAOA,iCAAW;EAClB,QAAQC,kCAAY;EACpB,SAAS,sBAAsB;;CAGjC,MAAM,aAAa,MAAM,gBAAgB;CACzC,MAAM,mBAAmB,YAAY,SAAS,WAAW,gBAAgB;CAGzE,MAAM,uBAAuB,YAAY;EACvC,MAAM,SAAS,MAAM,gBAAgB;EACrC,MAAM,UAAU,QAAQ,SAAS,OAAO,gBAAgB;AACxD,MAAI,WAAW,YAAY,iBACzB,OAAM,sBAAsB;;AAIhC,KAAI;AAEF,MAAI,CAAC,OAAO,iBAAiB;GAC3B,MAAM,eAAe;AACrB,UAAO,MAAM,mBAAmB;IAC9B,SAAS;IACT,OAAO,IAAI,MAAM;IACjB;IACA;IACA;IACA;IACA,eAAe;;;EAInB,MAAM,UAAU,SAAS;EACzB,MAAM,qBAAqB,YAAY;EACvC,MAAM,mBAAmBC,0CAAkB,SAAS,cAAc,EAAE,KAAK;EACzE,MAAM,OAAO,MAAM,qBACjB,SACA,eACA,SACA,SACA,WAEA,MACA;AAGF,MAAI,CAAC,KAAK,OAAO,QACf,QAAO,KAAK;EAGd,MAAM,wBAAwB,oBAAoB,KAAK;EACvD,MAAM,aAAa,gCAAgC,SAAS;EAE5D,MAAM,wBACJ,gBAAgB,qBAAqB,gBAAgB,SAAS;EAChE,MAAM,YAAY,SAAS,YAAY,QAAQ,QAAQ,QAAQ,KAAK;EACpE,MAAM,eAAe,SAAS,SAAS,mCAAmC;EAE1E,MAAM,gBAAgB,MAAM,4BAA4B;GACtD;GACA;GACA;GACA;GACA,OAAO,WAAW;GAClB,eAAe,WAAW;GAC1B;;EAGF,MAAM,sBAAsB,sBAAsB,kBAAkB;AACpE,MAAI,uBAAuB,CAAC,SAC1B,SAAQ,KAAK;AAGf,MAAI,uBAAuB,SACzB,QAAO,MAAM,sBAAsB;GACjC;GACA;GACA,iBAAiB,KAAK;GACtB,sBAAsB,KAAK;GAC3B;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACA;;AAKJ,QAAM,uBAAuB;GAC3B;GACA;GACA;GACA,YAAY,KAAK;GACjB,OAAO,WAAW;GAClB,eAAe,WAAW;;AAE5B,SAAO,MAAM,qBAAqB;GAChC;GACA;GACA,aAAa,KAAK;GAClB;GACA;;UAEKC,KAAU;EACjB,MAAM,eACJC,2CAA4B,KAAK,YAAY,KAAK,WAAW;AAC/D,SAAO,MAAM,mBAAmB;GAC9B,SAAS;GACT,OAAO;GACP;GACA;GACA;GACA;;;;AAKN,SAAS,gCACP,SACA,SAC0B;CAC1B,MAAM,WAAW,QAAQ,QAAQ;AACjC,QAAO;EACL,OAAO,SAAS,gBAAgB,SAAS,SAAS;EAClD,eAAe,SAAS,gBAAgB,iBAAiB,SAAS;;;AAItE,eAAe,2BAA2B,MAID;CACvC,MAAM,EAAE,iBAAiB,eAAe,gBAAgB;AACxD,KAAI,CAAC,YAAY,QAAS,QAAO;AACjC,KAAI;EACF,MAAMC,iBACJ,MAAM,gBAAgB,4BAA4B;AACpD,SAAO;GAAE,GAAG;GAAa;;SACnB;AACN,SAAO;;;AAIX,eAAe,qBAAqB,MAMK;CACvC,MAAM,EAAE,iBAAiB,eAAe,aAAa,SAAS,cAAc;CAC5E,MAAM,cAAc,MAAM,2BAA2B;EACnD;EACA;EACA;;AAEF,WAAU;EACR,MAAM;EACN,OAAOL,iCAAW;EAClB,QAAQC,kCAAY;EACpB,SAAS;EACT;EACA,qBAAqB,YAAY,uBAAuB;;AAE1D,OAAM,YAAY,MAAM;AACxB,QAAO;;AAGT,eAAe,mBAAmB,MASO;CACvC,MAAM,EACJ,SACA,OACA,sBACA,SACA,SACA,WACA,cAAc,MACd,gBAAgB,SACd;AAEJ,KAAI;AAAE,QAAM;SAAgC;AAE5C,KAAI,YACF,WAAU;AAGZ,WAAU;EACR,MAAM;EACN,OAAOD,iCAAW;EAClB,QAAQC,kCAAY;EACpB;EACA,OAAO;;AAGT,KAAI,cACF,OAAM,YAAY;AAEpB,QAAO;EAAE,SAAS;EAAO,OAAO;;;AAGlC,eAAe,4BAA4B,MAQF;CACvC,MAAM,EACJ,SACA,eACA,uBACA,UACA,OACA,eACA,0BACE;AACJ,KAAI,CAAC,yBAAyB,CAAC,SAAU,QAAO;CAEhD,MAAM,EAAE,oBAAoB;AAE5B,KAAI;EACF,MAAM,OAAO,gBAAgB;AAC7B,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM;EAE3B,MAAM,WAAW,MAAM,gBAAgB;EACvC,MAAM,eAAe,0BAClB,UAAU,kBAAkB,gBACzB,SAAS,gBACR,MAAMK,+BAAiB,SAAS,qBAAqB,iBAClD,gBAAgB;AAE1B,MAAI,iBAAiB,MAAM;AACzB,WAAQ,KAAK;AACb,UAAO;;EAGT,MAAM,uBAAuB,MAAMA,+BAAiB,WAAW,wBAC7D,eACA;EAEF,MAAM,eAAe,sBAAsB,gBAAgB;EAC3D,MAAM,iBAAiB,sBAAsB,cAAc,KAAK,MAAM,EAAE,OAAO;EAC/E,MAAM,2BAA2BC,6DAAwC;AAEzE,MAAI,CAAC,cAAc;AACjB,WAAQ,KAAK;AACb,UAAO;;AAGT,MAAI,CAAC,4BAA4B,yBAAyB,SAAS,GAAG;AACpE,WAAQ,KAAK;AACb,UAAO;;EAGT,MAAM,SAAS,MAAMC,2DAA4B;GAC/C;GACA;GACA;GACA,GAAI,0BAA0B,SAAS,EAAE,gBAAgB,6BAA6B;GACtF;GACA;;EAGF,MAAM,WAAWC,4EAAwC;GACvD;GACA;GACA,YAAY;GACZ;GACA,GAAI,0BAA0B,SAAS,EAAE,gBAAgB,6BAA6B;;AAGxF,SAAO;GACL,aAAa;GACb,YAAY;GACZ;GACA;GACA;GACA;;UAEKC,GAAQ;AACf,UAAQ,KACN,wFACA,GAAG,WAAW;AAEhB,SAAO;;;AAIX,eAAe,+BAA+B,MAM5B;CAChB,MAAM,EAAE,SAAS,eAAe,MAAM,cAAc,eAAe;CACnE,MAAM,EAAE,oBAAoB;CAE5B,IAAIC,2BAA0C;AAC9C,KAAI;EACF,MAAM,mBAAmB,MAAML,+BAAiB,WAAW,oBACzD,eACA,KAAK;EAEP,MAAM,cAAc,OAAO,kBAAkB,eAAe,IAAI;AAChE,MAAI,aAAa;GACf,MAAM,UACJ,MAAM,gBAAgB,yDAAyD;IAC7E;IACA;IACA;;AAEJ,OAAI,QAAQ,WAAW,QAAQ,yBAC7B,4BAA2B,QAAQ;;UAGhCI,GAAQ;AACf,UAAQ,KACN,iFACA,GAAG,WAAW;;AAIlB,KAAI,CAAC,0BAA0B;AAC7B,UAAQ,KACN;AAEF;;CAGF,MAAM,SAAS,MAAME,oEAAgC;EACnD,YAAY,KAAK;EACjB,aAAa,KAAK;EAClB,cAAc,KAAK;EACnB;EACA,eAAe,KAAK,OAAO;EAC3B;EACA,wBAAwB;;AAG1B,KAAI,OAAO,MAAM,OAAO,KAAK;AAC3B,2EAAqC,KAAK,UAAU;GAClD,aAAa,KAAK;GAClB,QAAQ,KAAK,OAAO;GACpB,YAAY,KAAK,OAAO;GACxB,uBAAuB,KAAK,OAAO;GACnC,KAAK,OAAO;GACZ,GAAI,OAAO,cAAc,EAAE,aAAa,OAAO,gBAAgB;;AAEjE;;AAGF,KAAI,CAAC,OAAO,GACV,SAAQ,KACN,0CACA,OAAO,QAAQ,OAAO,WAAW;;AAKvC,eAAe,sBAAsB,MAeI;CACvC,MAAM,EACJ,SACA,eACA,iBACA,sBACA,uBACA,SACA,UACA,aACA,eACA,YACA,sBACA,SACA,SACA,cACE;CAEJ,MAAM,EAAE,oBAAoB;AAE5B,KAAI;EACF,MAAM,OAAO,gBAAgB;AAC7B,MAAI,CAAC,KACH,OAAM,IAAI,MAAM;EAGlB,MAAM,YAAY,MAAM,QAAQ,WAAW,UAAU,EAAE,UAAU;EACjE,MAAM,cAAc,WAAW,QAAQ;EACvC,MAAM,gBAAgB,OAAO,UAAU,QAAQ,UAAU;EACzD,MAAM,eAAe,MAAMC,8CAAyB;GAAE;GAAe;;EACrE,MAAM,eAAe,MAAM,gBAAgB,yBAAyB;GAClE,QAAQ;GACR;GACA,WAAW;GACX,aAAa;GACb;GACA,GAAI,gBAAgB,EAAE,uBAAuB,cAAc,OAAO,0BAA0B;;EAG9F,MAAM,iBAAiB,MAAM,gBAAgB,wBAAwB;EACrE,MAAM,0BAA0B,uCAC9B,gBACA;EAEF,MAAM,aAAa,MAAM,gBAAgB,uCAAuC;GAC9E;GACA,WAAW;GACX,kBAAkBC,uDAAiC;;EAGrD,MAAM,uBAAuB,MAAM,oCAAoC;GACrE;GACA;GACA;GACA;GACA;GACiB;;AAGnB,QAAM,uBAAuB;GAC3B;GACA;GACA;GACA;GACA,OAAO,WAAW;GAClB,eAAe,WAAW;;EAG5B,IAAIC;AACJ,MAAI,SAAS;GACX,MAAM,IAAI,MAAMC,8CACd,UACA,aACA,QAAQ,MACR,cACA;AAEF,OAAI,CAAC,EAAE,WAAW,CAAC,EAAE,UAAU;IAC7B,MAAM,SAAS,EAAE,SAAS;AAC1B,WAAO,MAAM,mBAAmB;KAC9B,SAAS;KACT;KACA;KACA;KACA,aAAa;;;AAGjB,sBAAmB,EAAE;;AAGvB,MAAI,cACF,OAAM,+BAA+B;GACnC;GACA;GACA,MAAM;GACN;GACA;;EAIJ,MAAMC,cAA2B,mBAC7B;GAAE,GAAG;GAAsB,KAAK;MAChC;AAEJ,SAAO,MAAM,qBAAqB;GAChC;GACA;GACA;GACA;GACA;;UAEKP,GAAQ;AACf,UAAQ,MAAM,oCAAoC;EAClD,MAAM,SACJN,2CAA4B,GAAG,YAC/B,GAAG,WACH;AACF,SAAO,MAAM,mBAAmB;GAC9B,SAAS;GACT,OAAO;GACP;GACA;GACA;GACA;;;;;;;;;;;AAYN,eAAe,oCAAoC,MAO1B;CACvB,MAAM,EACJ,iBACA,eACA,gBACA,YACA,sBACA,oBACE;CAIJ,IAAI,uBAAuB;AAE3B,KAAI,eAAe,UAAU,EAC3B,QAAO;CAGT,MAAM,QAAQ,WAAW;CACzB,MAAM,UAAU,eAAe,MAAM,MAAM,EAAE,iBAAiB;CAC9D,MAAM,uBAAuB,SAAS,gBAAgB;AAEtD,KAAI,yBAAyB,KAC3B,QAAO;CAGT,MAAM,gBAAgB,MAAME,+BAAiB,SAC1C,gBAAgB,eAAe,sBAC/B,YAAY;AAEf,KAAI,eAAe,oBACjB,wBAAuB;EACrB,GAAG;EACH,qBAAqB,cAAc;;CAIvC,MAAM,kBAAkB,CAAC,wBAAwB,qBAAqB,UAAU;AAChF,KAAI,iBAAiB;EACnB,MAAM,SAAS,eAAe;AAC9B,MAAI,CAAC,QAAQ,qBAAqB,CAAC,QAAQ,cAAc,CAAC,QAAQ,YAChE,OAAM,IAAI,MACR,iDAAiD,cAAc,UAAU,qBAAqB;EAKlG,MAAM,SAAS,MAAM,gBAAgB,6BAA6B;GAChE;GACA,YAAY,OAAO;GACnB,mBAAmB,OAAO;GAC1B,aAAa,OAAO;;AAEtB,MAAI,CAAC,OAAO,QACV,OAAM,IAAI,MACR,OAAO,SACP;;AAON,OAAM,gBAAgB,YAAY,eAAe;AAEjD,OAAM,gBAAgB,gBAAgB,eAAe,YAAY;AAEjE,QAAO;;;;;;;;;;AAWT,eAAe,uBAAuB,MAOpB;CAChB,MAAM,EAAE,SAAS,eAAe,SAAS,YAAY,OAAO,kBAAkB;CAC9E,MAAM,EAAE,oBAAoB;AAE5B,WAAU;EACR,MAAM;EACN,OAAON,iCAAW;EAClB,QAAQC,kCAAY;EACpB,SAAS;;CAKX,IAAI,sBAAsB;AAC1B,KAAI,CAAC,qBAAqB;EACxB,MAAM,YAAYiB;EAClB,MAAM,iBAAiB,MAAM,gBAAgB,wBAAwB;EACrE,MAAM,EAAE,4BAA4B,MAAMZ,+BAAiB,SAAS,qBAClE,eACA;AAEF,wBAAsB,MAAM,gBAAgB,uCAAuC;GACjF;GACW;GACX,kBAAkBQ,uDAAiC;;;AAIvD,OAAM,gBAAgB,iCAAiC;EACrD;EACA,YAAY;EACZ;EACA;;AAGF,WAAU;EACR,MAAM;EACN,OAAOd,iCAAW;EAClB,QAAQC,kCAAY;EACpB,SAAS;;;;;;;;;;;;;;;;AAiBb,eAAe,qBACb,SACA,eACA,SACA,SACA,WACA,sBACA,mBAAkC,MAMjC;CACD,MAAM,EAAE,oBAAoB;AAE5B,KAAI;EAEF,MAAMkB,kBACJ,qBAAqB,OACjB,gBAAgB,gBAAgB,eAAe,kBAAkB,YAAY,QAC7E,QAAQ,QAAQ;EAEtB,MAAM,CAAC,UAAU,UAAU,iBAAiB,kBAAkB,MAAM,QAAQ,IAAI;GAC9E;GACA,gBAAgB;GAChBb,+BAAiB,SAAS,qBAAqB;GAC/C,gBAAgB,wBAAwB;;EAI1C,IAAIc,WAAkC;AACtC,MAAI,YAAY,SAAS,kBAAkB,cACzC,YAAW;WACF,mBAAmB,gBAAgB,kBAAkB,cAC9D,YAAW;WACF,YAAY,SAAS,kBAAkB,cAChD,YAAW;MAEX,YAAW,MAAM,gBAAgB,gBAAgB,eAAe;AAIlE,MAAI,CAAC,SACH,OAAM,IAAI,MAAM,2BAA2B,cAAc;AAE3D,MAAI,CAAC,SAAS,oBACZ,OAAM,IAAI,MAAM,gCAAgC,cAAc;AAEhE,MACE,CAAC,SAAS,qBAAqB,wBAC/B,CAAC,SAAS,qBAAqB,kBAE/B,OAAM,IAAI,MAAM;AAElB,MAAI,eAAe,WAAW,EAC5B,OAAM,IAAI,MAAM,uCAAuC,cAAc;AAIvE,YAAU;GACR,MAAM;GACN,OAAOpB,iCAAW;GAClB,QAAQC,kCAAY;GACpB,SAAS;;EAGX,IAAIoB,eAAqD,EAAE,SAAS;EACpE,IAAI,sBAAsB;EAC1B,IAAIC;EACJ,IAAI,qBAAqB,SAAS;EAGlC,IAAI,oBAAoB;EAExB,MAAM,SAAS,SAAS;EACxB,MAAM,aAAa,QAAQ,QAAQ,SAAS;EAC5C,MAAM,6BAA6B,CAAC,CAAC,cAAc,CAAC,CAAC,QAAQ;AAE7D,MAAI,8BAA8B,OAChC,KAAI;AACF,OAAI,CAAC,OAAO,qBAAqB,CAAC,OAAO,WACvC,OAAM,IAAI,MAAM;AAGlB,kBAAe,MAAM,gBAAgB,6BAA6B;IAChE;IACA,YAAY,OAAO;IACnB,mBAAmB,OAAO;IAC1B,aAAa,OAAO;;AAGtB,OAAI,aAAa,SAAS;IACxB,MAAM,YAAY,MAAM,gBAAgB;IACxC,MAAM,SAAS,UAAU,UAAU,UAAU,kBAAkB;AAC/D,QAAI,CAAC,OACH,gBAAe;KAAE,SAAS;KAAO,OAAO;;AAE1C,QAAI,OAEF,OAAM,gBAAgB,4BAA4B;SAGpD,OAAM,IAAI,MAAM,mCAAmC,aAAa;WAE3DC,OAAY;AACnB,kBAAe;IAAE,SAAS;IAAO,OAAO,MAAM;;;AAKlD,MAAI,CAAC,aAAa,SAAS;GACzB,MAAM,0BAA0B,uCAAuC,gBAAgB;GACvF,MAAM,WAAW,MAAM,oCAAoC;IACzD;IACA;IACA,gBAAgB;IAChB;IACA;;AAEF,kBAAe,SAAS;AACxB,yBAAsB,SAAS;AAC/B,sBAAmB,SAAS;AAC5B,uBAAoB,SAAS;AAC7B,wBAAqB,SAAS;;AAGhC,MAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,iCAAiC,aAAa;AAGhE,YAAU;GACR,MAAM;GACN,OAAOvB,iCAAW;GAClB,QAAQC,kCAAY;GACpB,SAAS;;AAIX,MAAI;GACF,MAAMuB,eAAa,QAAQ,QAAQ,SAAS;AAC5C,OAAI,uBAAuBA,cAAY;IACrC,MAAM,YAAY,MAAM,gBAAgB;AACxC,UAAM,gBAAgB,gCAAgC,eAAe;;WAEhEC,YAAiB;AACxB,WAAQ,KAAK,2DAA2D,YAAY,WAAW;;AAKjG,MAAI;AACF,SAAM,gBAAgB,YAAY,eAAe;UAC3C;AAGR,QAAM,gBAAgB,gBAAgB;EAEtC,MAAMC,SAAsB;GAC1B,SAAS;GACT,uBAAuB;GAGvB,qBAAqB,kBAAkB;GACxB;;AAGjB,MAAI,CAAC,sBAAsB;AACzB,aAAU;IACR,MAAM;IACN,OAAO1B,iCAAW;IAClB,QAAQC,kCAAY;IACpB,SAAS;IACM;IACf,qBAAqB,kBAAkB;;AAEzC,eAAY,MAAM;;AAEpB,SAAO;GAAE;GAAQ;GAAqB;GAAkB;;UAEjDsB,OAAY;EAEnB,MAAM,eAAenB,2CAA4B,OAAO;AAExD,YAAU;AACV,YAAU;GACR,MAAM;GACN,OAAOJ,iCAAW;GAClB,QAAQC,kCAAY;GACpB,SAAS;GACT,OAAO;;EAGT,MAAMyB,SAAsB;GAAE,SAAS;GAAO,OAAO;;AACrD,cAAY;AACZ,SAAO;GAAE;GAAQ,qBAAqB;GAAO,oBAAoB;;;;;;;;;;;;;AAarE,eAAe,oCAAoC,MAYhD;CACD,MAAM,EAAE,iBAAiB,eAAe,gBAAgB,UAAU,YAAY;AAE9E,WAAU;EACR,MAAM;EACN,OAAO1B,iCAAW;EAClB,QAAQC,kCAAY;EACpB,SAAS;;CAGX,MAAM,YAAYiB;CAClB,MAAM,aAAa,MAAM,gBAAgB,8CAA8C;EACrF;EACW;EACX,eAAe,eAAe,KAAK,MAAM,EAAE;;CAG7C,IAAI,oBAAoB;CACxB,IAAI,qBAAqB,SAAS;AAIlC,KAAI,eAAe,SAAS,GAAG;EAC7B,MAAM,QAAQ,WAAW;EACzB,MAAM,UAAU,eAAe,MAAK,MAAK,EAAE,iBAAiB;AAC5D,MAAI,QACF,KAAI;GACF,MAAM,WAAW,MAAMZ,+BAAiB,SAAS,gBAAgB,eAAe,QAAQ;AACxF,OAAI,UAAU;AACZ,wBAAoB;AACpB,yBAAqB,QAAQ;;UAEzB;;CAMZ,MAAM,eAAe,MAAM,gBAAgB,iBAAiB;EAC3C;EACf,qBAAqB;GACnB,sBAAsB,kBAAkB,oBAAoB;GAC5D,mBAAmB,kBAAkB,oBAAoB;;EAE/C;;AAGd,QAAO;EACL;EACA,qBAAqB,aAAa;EAClC,kBAAkB;EAClB;EACA;;;;;;;;;;;;;AAcJ,eAAsB,gBACpB,SACA,eACuB;CACvB,MAAM,QAAQ,MAAM,sBAAsB,SAAS;AACnD,KAAI,CAAC,OAAO,cAAc,CAAC,MAAM,cAAe,QAAO;EAAE;EAAO,gBAAgB;;AAChF,KAAI;EACF,MAAM,iBAAiB,MAAM,QAAQ,gBAAgB,4BAA4B,MAAM;AACvF,SAAO;GAAE;GAAO;;SACV;AACN,SAAO;GAAE;GAAO,gBAAgB;;;;;;;;;;;AAWpC,eAAe,sBACb,SACA,eACqB;CACrB,MAAM,EAAE,oBAAoB;AAC5B,KAAI;EAEF,MAAM,WAAW,MAAM,gBAAgB;EACvC,MAAM,kBAAkB,iBAAiB,UAAU,iBAAiB;AAGpE,MAAI,CAAC,YAAa,mBAAmB,SAAS,kBAAkB,gBAC9D,QAAO;GACL,YAAY;GACZ,eAAe,mBAAmB;GAClC,WAAW;GACX,WAAW;GACX,UAAU;;EAId,MAAM,WAAW;EACjB,MAAM,YAAY,UAAU,uBAAuB;EAGnD,MAAM,YAAY,MAAM,gBAAgB;EACxC,MAAM,YAAY,UAAU,UAAU,UAAU,kBAAkB;EAIlE,MAAM,aAAa,CAAC,EAAE,YAAY,SAAS,uBAAuB;AAElE,SAAO;GACL;GACA,eAAe;GACf;GACA;GACA;GACA,oBAAoB,UAAU,mBAAmB;;UAG5CiB,OAAY;AACnB,UAAQ,KAAK,8BAA8B;AAC3C,SAAO;GACL,YAAY;GACZ,eAAe,iBAAiB;GAChC,WAAW;GACX,WAAW;GACX,UAAU;;;;;;;;;AAUhB,eAAsB,gBACpB,SACgC;CAChC,MAAM,EAAE,oBAAoB;CAE5B,MAAM,eAAe,MAAM,gBAAgB;CAC3C,MAAM,aAAa,aAAa,KAAI,SAAQ,KAAK;CAEjD,MAAM,kBAAkB,MAAM,gBAAgB;AAC9C,QAAO;EACL;EACA;;;;;;;;AASJ,eAAsB,sBAAsB,SAA+C;CACzF,MAAM,EAAE,oBAAoB;AAC5B,OAAM,gBAAgB;AACtB,KAAI;AAAE,kBAAgB,kBAAkB;SAAiB;AACzD,KAAI;AAAE;SAAsD;;AAG9D,SAAS,uCACP,gBACA,cAC2B;AAC3B,KAAI,eAAe,UAAU,EAAG,QAAO;AACvC,KAAI,iBAAiB,KAAM,QAAO;CAClC,MAAM,YAAY,eAAe,QAAQ,MAAM,EAAE,iBAAiB;AAClE,KAAI,UAAU,WAAW,EAAG,QAAO;CACnC,MAAM,OAAO,eAAe,QAAQ,MAAM,EAAE,iBAAiB;AAC7D,QAAO,CAAC,GAAG,WAAW,GAAG"}

package/dist/cjs/core/TatchiPasskey/registration.js

@@ -1,13 +1,13 @@
-const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
 const require_validation = require('../../utils/validation.js');
+const require_signer_worker = require('../types/signer-worker.js');
 const require_errors = require('../../utils/errors.js');
+const require_participants = require('../../threshold/participants.js');
+const require_index = require('../IndexedDBManager/index.js');
+const require_rpc = require('../types/rpc.js');
 const require_sdkSentEvents = require('../types/sdkSentEvents.js');
 const require_createAccountRelayServer = require('./faucets/createAccountRelayServer.js');
 
 //#region src/core/TatchiPasskey/registration.ts
-require_validation.init_validation();
-require_sdkSentEvents.init_sdkSentEvents();
-require_errors.init_errors();
 /**
 * Core registration function that handles passkey registration
 *
@@ -45,7 +45,7 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 			step: 1,
 			phase: require_sdkSentEvents.RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,
 			status: require_sdkSentEvents.RegistrationStatus.PROGRESS,
-			message: "Account available - generating VRF credentials..."
+			message: "Account available, generating credentials..."
 		});
 		const confirmationConfig = {
 			uiMode: "modal",
@@ -77,7 +77,7 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 					step: 3,
 					phase: require_sdkSentEvents.RegistrationPhase.STEP_3_CONTRACT_PRE_CHECK,
 					status: require_sdkSentEvents.RegistrationStatus.PROGRESS,
-					message: `Pre-check: ${progress.message}`
+					message: `${progress.message}`
 				});
 			}
 		});
@@ -87,6 +87,9 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 			saveInMemory: true
 		});
 		if (!deterministicVrfKeyResult.success || !deterministicVrfKeyResult.vrfPublicKey) throw new Error("Failed to derive deterministic VRF keypair from PRF");
+		const baseSignerMode = webAuthnManager.getUserPreferences().getSignerMode();
+		const requestedSignerMode = require_signer_worker.mergeSignerMode(baseSignerMode, options?.signerMode);
+		const requestedSignerModeStr = requestedSignerMode.mode;
 		const nearKeyResult = await webAuthnManager.deriveNearKeypairAndEncryptFromSerialized({
 			credential,
 			nearAccountId,
@@ -96,6 +99,19 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 			const reason = nearKeyResult?.error || "Failed to generate NEAR keypair with PRF";
 			throw new Error(reason);
 		}
+		const nearPublicKey = nearKeyResult.publicKey;
+		const wrapKeySalt = String(nearKeyResult.wrapKeySalt || "").trim();
+		if (!wrapKeySalt) throw new Error("Missing wrapKeySalt after local key derivation");
+		let thresholdClientVerifyingShareB64u = null;
+		if (requestedSignerModeStr === "threshold-signer") {
+			const derived = await webAuthnManager.deriveThresholdEd25519ClientVerifyingShareFromCredential({
+				credential,
+				nearAccountId,
+				wrapKeySalt
+			});
+			if (!derived.success || !derived.clientVerifyingShareB64u) throw new Error(derived.error || "Failed to derive threshold client verifying share");
+			thresholdClientVerifyingShareB64u = derived.clientVerifyingShareB64u;
+		}
 		const canRegisterUserResult = await canRegisterUserPromise;
 		if (!canRegisterUserResult.verified) {
 			console.error(canRegisterUserResult);
@@ -106,14 +122,14 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 			step: 2,
 			phase: require_sdkSentEvents.RegistrationPhase.STEP_2_KEY_GENERATION,
 			status: require_sdkSentEvents.RegistrationStatus.SUCCESS,
-			message: "Wallet keys derived successfully from TouchId",
+			message: "Wallet derived successfully from Passkey",
 			verified: true,
 			nearAccountId,
-			nearPublicKey: nearKeyResult.publicKey,
+			nearPublicKey,
 			vrfPublicKey: vrfChallenge.vrfPublicKey
 		});
 		let accountAndRegistrationResult;
-		accountAndRegistrationResult = await require_createAccountRelayServer.createAccountAndRegisterWithRelayServer(context, nearAccountId, nearKeyResult.publicKey, credential, vrfChallenge, deterministicVrfKeyResult.vrfPublicKey, authenticatorOptions, onEvent);
+		accountAndRegistrationResult = await require_createAccountRelayServer.createAccountAndRegisterWithRelayServer(context, nearAccountId, nearPublicKey, credential, vrfChallenge, deterministicVrfKeyResult.vrfPublicKey, authenticatorOptions, onEvent, { thresholdEd25519: thresholdClientVerifyingShareB64u ? { clientVerifyingShareB64u: thresholdClientVerifyingShareB64u } : void 0 });
 		if (!accountAndRegistrationResult.success) throw new Error(accountAndRegistrationResult.error || "Account creation and registration failed");
 		registrationState.accountCreated = true;
 		registrationState.contractRegistered = true;
@@ -124,7 +140,10 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 			status: require_sdkSentEvents.RegistrationStatus.PROGRESS,
 			message: "Verifying on-chain access key matches expected public key..."
 		});
-		const accessKeyVerified = await verifyAccountAccessKeyMatches(context.nearClient, nearAccountId, nearKeyResult.publicKey);
+		const expectedAccessKeys = [nearPublicKey];
+		const thresholdPublicKey = String(accountAndRegistrationResult?.thresholdEd25519?.publicKey || "").trim();
+		const relayerKeyId = String(accountAndRegistrationResult?.thresholdEd25519?.relayerKeyId || "").trim();
+		const accessKeyVerified = await verifyAccountAccessKeysPresent(context.nearClient, nearAccountId, expectedAccessKeys);
 		if (!accessKeyVerified) throw new Error("On-chain access key mismatch or not found after registration");
 		onEvent?.({
 			step: 6,
@@ -132,16 +151,32 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 			status: require_sdkSentEvents.RegistrationStatus.SUCCESS,
 			message: "Access key verified on-chain"
 		});
+		await activateThresholdEnrollmentPostRegistration({
+			requestedSignerMode: requestedSignerModeStr,
+			nearAccountId,
+			nearPublicKey,
+			thresholdPublicKey,
+			relayerKeyId,
+			clientParticipantId: accountAndRegistrationResult?.thresholdEd25519?.clientParticipantId,
+			relayerParticipantId: accountAndRegistrationResult?.thresholdEd25519?.relayerParticipantId,
+			thresholdClientVerifyingShareB64u,
+			relayerVerifyingShareB64u: String(accountAndRegistrationResult?.thresholdEd25519?.relayerVerifyingShareB64u || "").trim(),
+			credential,
+			wrapKeySalt,
+			webAuthnManager: context.webAuthnManager,
+			nearClient: context.nearClient,
+			onEvent
+		});
 		onEvent?.({
 			step: 7,
 			phase: require_sdkSentEvents.RegistrationPhase.STEP_7_DATABASE_STORAGE,
 			status: require_sdkSentEvents.RegistrationStatus.PROGRESS,
-			message: "Storing VRF registration data"
+			message: "Storing passkey wallet metadata..."
 		});
 		await webAuthnManager.atomicStoreRegistrationData({
 			nearAccountId,
 			credential,
-			publicKey: nearKeyResult.publicKey,
+			publicKey: nearPublicKey,
 			encryptedVrfKeypair: deterministicVrfKeyResult.encryptedVrfKeypair,
 			vrfPublicKey: deterministicVrfKeyResult.vrfPublicKey,
 			serverEncryptedVrfKeypair: deterministicVrfKeyResult.serverEncryptedVrfKeypair
@@ -151,10 +186,10 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 			step: 7,
 			phase: require_sdkSentEvents.RegistrationPhase.STEP_7_DATABASE_STORAGE,
 			status: require_sdkSentEvents.RegistrationStatus.SUCCESS,
-			message: "VRF registration data stored successfully"
+			message: "Registration metadata stored successfully"
 		});
 		try {
-			context.webAuthnManager.getNonceManager().initializeUser(nearAccountId, nearKeyResult.publicKey);
+			context.webAuthnManager.getNonceManager().initializeUser(nearAccountId, nearPublicKey);
 			await context.webAuthnManager.getNonceManager().prefetchBlockheight(context.nearClient);
 		} catch {}
 		let vrfStatus = await webAuthnManager.checkVrfStatus().catch(() => ({ active: false }));
@@ -179,9 +214,10 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 				encryptedVrfKeypair: deterministicVrfKeyResult.encryptedVrfKeypair,
 				credential: authCredential
 			}).catch((unlockError) => {
+				const message = unlockError && typeof unlockError === "object" && "message" in unlockError ? String(unlockError.message || "") : String(unlockError || "");
 				return {
 					success: false,
-					error: unlockError.message
+					error: message
 				};
 			});
 			if (!unlockResult.success) {
@@ -203,7 +239,7 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 		const successResult = {
 			success: true,
 			nearAccountId,
-			clientNearPublicKey: nearKeyResult.publicKey,
+			clientNearPublicKey: nearPublicKey,
 			transactionId: registrationState.contractTransactionId,
 			vrfRegistration: {
 				success: true,
@@ -215,8 +251,10 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 		afterCall?.(true, successResult);
 		return successResult;
 	} catch (error) {
-		console.error("Registration failed:", error.message, error.stack);
-		await performRegistrationRollback(registrationState, nearAccountId, webAuthnManager, configs.nearRpcUrl, onEvent);
+		const message = error && typeof error === "object" && "message" in error ? String(error.message || "") : String(error || "");
+		const stack = error && typeof error === "object" && "stack" in error ? String(error.stack || "") : "";
+		console.error("Registration failed:", message, stack);
+		await performRegistrationRollback(registrationState, nearAccountId, webAuthnManager, onEvent);
 		const errorMessage = require_errors.getUserFriendlyErrorMessage(error, "registration", nearAccountId);
 		const errorObject = new Error(errorMessage);
 		onError?.(errorObject);
@@ -277,7 +315,7 @@ const validateRegistrationInputs = async (context, nearAccountId, onEvent, onErr
 /**
 * Rollback registration data in case of errors
 */
-async function performRegistrationRollback(registrationState, nearAccountId, webAuthnManager, rpcNodeUrl, onEvent) {
+async function performRegistrationRollback(registrationState, nearAccountId, webAuthnManager, onEvent) {
 	console.debug("Starting registration rollback...", registrationState);
 	try {
 		await webAuthnManager.clearVrfSession();
@@ -310,25 +348,88 @@ async function performRegistrationRollback(registrationState, nearAccountId, web
 			step: 0,
 			phase: require_sdkSentEvents.RegistrationPhase.REGISTRATION_ERROR,
 			status: require_sdkSentEvents.RegistrationStatus.ERROR,
-			message: `Rollback failed: ${rollbackError.message}`,
+			message: `Rollback failed: ${rollbackError && typeof rollbackError === "object" && "message" in rollbackError ? String(rollbackError.message || "") : String(rollbackError || "")}`,
 			error: "Both registration and rollback failed"
 		});
 	}
 }
-/**
-* Poll the NEAR RPC to verify the newly created account exposes the expected public key
-* Retries a few times to tolerate RPC indexing delays after transaction finalization.
-*/
-async function verifyAccountAccessKeyMatches(nearClient, nearAccountId, expectedPublicKey, opts) {
-	const attempts = Math.max(1, Math.floor(opts?.attempts ?? 5));
+async function activateThresholdEnrollmentPostRegistration(opts) {
+	if (opts.requestedSignerMode !== "threshold-signer") return;
+	const thresholdPublicKey = String(opts.thresholdPublicKey || "").trim();
+	const relayerKeyId = String(opts.relayerKeyId || "").trim();
+	const clientVerifyingShareB64u = String(opts.thresholdClientVerifyingShareB64u || "").trim();
+	const relayerVerifyingShareB64u = String(opts.relayerVerifyingShareB64u || "").trim();
+	if (!thresholdPublicKey || !relayerKeyId || !clientVerifyingShareB64u || !relayerVerifyingShareB64u) {
+		console.warn("[Registration] threshold-signer requested but threshold enrollment details are missing; continuing with local-signer only");
+		return;
+	}
+	try {
+		opts.onEvent?.({
+			step: 6,
+			phase: require_sdkSentEvents.RegistrationPhase.STEP_6_ACCOUNT_VERIFICATION,
+			status: require_sdkSentEvents.RegistrationStatus.PROGRESS,
+			message: "Activating threshold access key onchain..."
+		});
+		try {
+			opts.webAuthnManager.getNonceManager().initializeUser(opts.nearAccountId, opts.nearPublicKey);
+		} catch {}
+		const txContext = await opts.webAuthnManager.getNonceManager().getNonceBlockHashAndHeight(opts.nearClient, { force: true });
+		const signed = await opts.webAuthnManager.signAddKeyThresholdPublicKeyNoPrompt({
+			nearAccountId: opts.nearAccountId,
+			credential: opts.credential,
+			wrapKeySalt: opts.wrapKeySalt,
+			transactionContext: txContext,
+			thresholdPublicKey,
+			relayerVerifyingShareB64u,
+			clientParticipantId: opts.clientParticipantId,
+			relayerParticipantId: opts.relayerParticipantId
+		});
+		const signedTx = signed?.signedTransaction;
+		if (!signedTx) throw new Error("Failed to sign AddKey(thresholdPublicKey) transaction");
+		await opts.nearClient.sendTransaction(signedTx, require_rpc.DEFAULT_WAIT_STATUS.thresholdAddKey);
+		const thresholdKeyVerified = await verifyAccountAccessKeysPresent(opts.nearClient, opts.nearAccountId, [opts.nearPublicKey, thresholdPublicKey]);
+		if (!thresholdKeyVerified) throw new Error("Threshold access key not found on-chain after AddKey");
+		await require_index.IndexedDBManager.nearKeysDB.storeKeyMaterial({
+			kind: "threshold_ed25519_2p_v1",
+			nearAccountId: opts.nearAccountId,
+			deviceNumber: 1,
+			publicKey: thresholdPublicKey,
+			wrapKeySalt: opts.wrapKeySalt,
+			relayerKeyId,
+			clientShareDerivation: "prf_first_v1",
+			participants: require_participants.buildThresholdEd25519Participants2pV1({
+				clientParticipantId: opts.clientParticipantId,
+				relayerParticipantId: opts.relayerParticipantId,
+				relayerKeyId,
+				relayerUrl: opts.webAuthnManager.tatchiPasskeyConfigs?.relayer?.url,
+				clientVerifyingShareB64u,
+				relayerVerifyingShareB64u,
+				clientShareDerivation: "prf_first_v1"
+			}),
+			timestamp: Date.now()
+		});
+		opts.onEvent?.({
+			step: 6,
+			phase: require_sdkSentEvents.RegistrationPhase.STEP_6_ACCOUNT_VERIFICATION,
+			status: require_sdkSentEvents.RegistrationStatus.SUCCESS,
+			message: "Threshold access key activated on-chain"
+		});
+	} catch (e) {
+		console.warn("[Registration] threshold enrollment activation failed; continuing with local-signer only:", e);
+	}
+}
+async function verifyAccountAccessKeysPresent(nearClient, nearAccountId, expectedPublicKeys, opts) {
+	const unique = Array.from(new Set(expectedPublicKeys.map((k) => require_validation.ensureEd25519Prefix(k)).filter(Boolean)));
+	if (!unique.length) return false;
+	const attempts = Math.max(1, Math.floor(opts?.attempts ?? 6));
 	const delayMs = Math.max(50, Math.floor(opts?.delayMs ?? 750));
 	for (let i = 0; i < attempts; i++) {
 		try {
 			const { fullAccessKeys, functionCallAccessKeys } = await nearClient.getAccessKeys({ account: nearAccountId });
-			const keys = [...fullAccessKeys, ...functionCallAccessKeys];
-			const found = keys.some((k) => String(k?.public_key || "") === expectedPublicKey);
-			if (found) return true;
-		} catch (e) {}
+			const keys = [...fullAccessKeys, ...functionCallAccessKeys].map((k) => require_validation.ensureEd25519Prefix(k.public_key));
+			const allPresent = unique.every((expected) => keys.includes(expected));
+			if (allPresent) return true;
+		} catch {}
 		await new Promise((res) => setTimeout(res, delayMs));
 	}
 	return false;