@tatchi-xyz/sdk 0.21.0 → 0.31.0

package/dist/esm/core/WebAuthnManager/SignerWorkerManager/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":["vrfPort: MessagePort | undefined","error: unknown","promises: Promise<void>[]","responses: WorkerResponseForRequest<T>[]"],"sources":["../../../../../src/core/WebAuthnManager/SignerWorkerManager/index.ts"],"sourcesContent":["import { SIGNER_WORKER_MANAGER_CONFIG } from \"../../../config\";\nimport { ClientAuthenticatorData, UnifiedIndexedDBManager } from '../../IndexedDBManager';\nimport { IndexedDBManager } from '../../IndexedDBManager';\nimport { SignedTransaction, type NearClient } from '../../NearClient';\nimport { isObject } from '../../WalletIframe/validation';\nimport { resolveWorkerUrl } from '../../sdkPaths';\nimport {\n  WorkerRequestType,\n  WorkerResponseForRequest,\n  isWorkerProgress,\n  isWorkerError,\n  isWorkerSuccess,\n  WorkerProgressResponse,\n  WorkerErrorResponse,\n  WorkerRequestTypeMap,\n} from '../../types/signer-worker';\nimport { VrfWorkerManager } from '../VrfWorkerManager';\nimport { VRFChallenge } from '../../types/vrf-worker';\nimport type { ActionArgsWasm, TransactionInputWasm } from '../../types/actions';\nimport type { DelegateActionInput } from '../../types/delegate';\nimport type { onProgressEvents } from '../../types/sdkSentEvents';\nimport type { AuthenticatorOptions } from '../../types/authenticatorOptions';\nimport { AccountId } from \"../../types/accountIds\";\nimport { TransactionContext } from '../../types/rpc';\nimport {\n  ConfirmationConfig,\n  WasmSignedDelegate,\n} from '../../types/signer-worker';\nimport { TouchIdPrompt } from \"../touchIdPrompt\";\nimport { isSignerWorkerControlMessage } from './sessionMessages';\nimport { WorkerControlMessage } from '../../workerControlMessages';\n\nimport {\n  decryptPrivateKeyWithPrf,\n  checkCanRegisterUser,\n  signTransactionsWithActions,\n  recoverKeypairFromPasskey,\n  extractCosePublicKey,\n  signTransactionWithKeyPair,\n  signNep413Message,\n  deriveNearKeypairAndEncryptFromSerialized,\n  signDelegateAction,\n  registerDevice2WithDerivedKey,\n  exportNearKeypairUi,\n} from './handlers';\nimport { RpcCallPayload } from '../../types/signer-worker';\nimport { UserPreferencesManager } from '../userPreferences';\nimport { NonceManager } from '../../nonceManager';\nimport { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../types';\nimport { toError } from '@/utils/errors';\nimport { withSessionId } from './handlers/session';\nimport { attachSessionPort } from './sessionHandshake.js';\n\ntype WithOptionalSessionId<T> = T extends { sessionId: string }\n  ? Omit<T, 'sessionId'> & { sessionId?: string }\n  : T;\n\ntype SigningSessionEntry = {\n  worker: Worker;\n  wrapKeySeedPort?: MessagePort;\n  createdAt: number;\n};\n\nexport interface SignerWorkerManagerContext {\n  touchIdPrompt: TouchIdPrompt;\n  nearClient: NearClient;\n  indexedDB: UnifiedIndexedDBManager;\n  userPreferencesManager: UserPreferencesManager;\n  nonceManager: NonceManager;\n  rpIdOverride?: string;\n  nearExplorerUrl?: string;\n  vrfWorkerManager?: VrfWorkerManager;\n  sendMessage: <T extends keyof WorkerRequestTypeMap>(args: {\n    message: {\n      type: T;\n      payload: WithOptionalSessionId<WorkerRequestTypeMap[T]['request']>;\n    };\n    onEvent?: (update: onProgressEvents) => void;\n    timeoutMs?: number;\n    sessionId?: string;\n  }) => Promise<WorkerResponseForRequest<T>>;\n};\n\n/**\n * WebAuthnWorkers handles PRF, workers, and COSE operations\n *\n * Note: Challenge store removed as VRF provides cryptographic freshness\n * without needing centralized challenge management\n */\nexport class SignerWorkerManager {\n\n  private indexedDB: UnifiedIndexedDBManager;\n  private touchIdPrompt: TouchIdPrompt;\n  private vrfWorkerManager: VrfWorkerManager;\n  private nearClient: NearClient;\n  private userPreferencesManager: UserPreferencesManager;\n  private nonceManager: NonceManager;\n  private workerBaseOrigin: string | undefined;\n  private nearExplorerUrl?: string;\n\n  constructor(\n    vrfWorkerManager: VrfWorkerManager,\n    nearClient: NearClient,\n    userPreferencesManager: UserPreferencesManager,\n    nonceManager: NonceManager,\n    rpIdOverride?: string,\n    enableSafariGetWebauthnRegistrationFallback: boolean = true,\n    nearExplorerUrl?: string,\n  ) {\n    this.indexedDB = IndexedDBManager;\n    this.touchIdPrompt = new TouchIdPrompt(rpIdOverride, enableSafariGetWebauthnRegistrationFallback);\n    this.vrfWorkerManager = vrfWorkerManager;\n    this.nearClient = nearClient;\n    this.userPreferencesManager = userPreferencesManager;\n    this.nonceManager = nonceManager;\n    this.nearExplorerUrl = nearExplorerUrl;\n  }\n\n  setWorkerBaseOrigin(origin: string | undefined): void {\n    this.workerBaseOrigin = origin;\n  }\n\n  getContext(): SignerWorkerManagerContext {\n    return {\n      sendMessage: this.sendMessage.bind(this), // bind to access this.createSecureWorker\n      indexedDB: this.indexedDB,\n      touchIdPrompt: this.touchIdPrompt,\n      vrfWorkerManager: this.vrfWorkerManager,\n      nearClient: this.nearClient,\n      userPreferencesManager: this.userPreferencesManager,\n      nonceManager: this.nonceManager,\n      rpIdOverride: this.touchIdPrompt.getRpId(),\n      nearExplorerUrl: this.nearExplorerUrl,\n    };\n  }\n\n  createSecureWorker(): Worker {\n    const workerUrlStr = resolveWorkerUrl(\n      SIGNER_WORKER_MANAGER_CONFIG.WORKER.URL,\n      { worker: 'signer', baseOrigin: this.workerBaseOrigin }\n    )\n    try {\n      const worker = new Worker(workerUrlStr, {\n        type: SIGNER_WORKER_MANAGER_CONFIG.WORKER.TYPE,\n        name: SIGNER_WORKER_MANAGER_CONFIG.WORKER.NAME\n      });\n      // minimal error handler in tests; avoid noisy logs\n      worker.onerror = () => {};\n      return worker;\n    } catch (error) {\n      // Do not silently downgrade to same‑origin. Cross‑origin workers must be\n      // resolvable under the configured wallet origin with proper headers.\n      // Surface a precise error so tests assert the real path.\n      const msg = error instanceof Error ? error.message : String(error);\n      throw new Error(`Failed to create secure worker: ${msg}`);\n    }\n  }\n\n  /**\n   * Executes a worker operation by sending a message to the secure worker.\n   * Handles progress updates via onEvent callback, supports both single and multiple response patterns.\n   * Intercepts secure confirmation handshake messages for pluggable UI.\n   * Resolves with the final worker response or rejects on error/timeout.\n   *\n   * @template T - Worker request type.\n   * @param params.message - The message to send to the worker.\n   * @param params.onEvent - Optional callback for progress events.\n   * @param params.timeoutMs - Optional timeout in milliseconds.\n   * @returns Promise resolving to the worker response for the request.\n   */\n  private workerPool: Worker[] = [];\n  private readonly MAX_WORKER_POOL_SIZE = 3; // Increased for security model\n  // Map of active signing sessions to reserved workers and optional WrapKeySeed ports\n  private signingSessions: Map<string, SigningSessionEntry> = new Map();\n  private readonly SIGNING_SESSION_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes\n\n  private getWorkerFromPool(): Worker {\n    if (this.workerPool.length > 0) {\n      return this.workerPool.pop()!;\n    }\n    return this.createSecureWorker();\n  }\n\n  private terminateAndReplaceWorker(worker: Worker): void {\n    // Always terminate workers to clear memory\n    worker.terminate();\n    // Asynchronously create a replacement worker for the pool\n    this.createReplacementWorker();\n  }\n\n  /**\n   * Reserve a signer worker \"session\"\n   *\n   * What this does:\n   * - Reserves a specific `Worker` instance from the pool and pins it to `sessionId`.\n   * - Ensures the signer worker has a dedicated `MessagePort` attached for receiving `WrapKeySeed`\n   *   from the VRF worker (VRF → Signer channel).\n   *\n   * Port wiring:\n   * - The VRF worker retains one end of a `MessageChannel` and the signer worker receives the other.\n   * - This method attaches the signer-facing port via a control message (`ATTACH_WRAP_KEY_SEED_PORT`)\n   *   and waits for an ACK (`ATTACH_WRAP_KEY_SEED_PORT_OK`) before exposing the session.\n   *\n   * @param sessionId - Session identifier used to correlate MessagePorts + ready signals.\n   * @param opts.signerPort - Optional signer-facing `MessagePort` created/owned by the caller (VRF-created channel).\n   *                         If omitted, this method creates a fresh `MessageChannel` and returns `vrfPort` so the\n   *                         caller can transfer it to the VRF worker.\n   * @returns `{ worker, signerPort, vrfPort }` where `vrfPort` is only present when we created the channel here.\n   */\n  async reserveSignerWorkerSession(sessionId: string, opts?: { signerPort?: MessagePort }): Promise<{ worker: Worker; signerPort?: MessagePort; vrfPort?: MessagePort }> {\n    if (this.signingSessions.has(sessionId)) {\n      throw new Error(`Signing session already exists for id: ${sessionId}`);\n    }\n    // Reserve a worker from the pool for this sessionId.\n    const worker = this.getWorkerFromPool();\n    let signerPort = opts?.signerPort;\n    let vrfPort: MessagePort | undefined;\n    if (!signerPort) {\n      // If caller did not provide a signer-facing port, create a channel.\n      // - port1 => signer worker (receiver)\n      // - port2 => VRF worker (sender) returned to caller\n      const channel = new MessageChannel();\n      signerPort = channel.port1;\n      vrfPort = channel.port2;\n    }\n\n    // Attach the signerPort to the worker and wait for ACK before adding to signingSessions\n    try {\n      if (!signerPort) {\n        throw new Error('Missing signerPort for signing session');\n      }\n\n      // Use centralized handshake logic (registers listener, sends message, waits for ACK)\n      await attachSessionPort(worker, sessionId, signerPort);\n\n      // Only add to signingSessions after successful attachment\n      // (prevents callers from observing a session that can't receive WrapKeySeed yet).\n      this.signingSessions.set(sessionId, {\n        worker,\n        wrapKeySeedPort: signerPort,\n        createdAt: Date.now(),\n      });\n\n    } catch (err) {\n      console.error('[SignerWorkerManager]: Failed to attach WrapKeySeed port to signer worker', err);\n      // Best-effort cleanup\n      try { signerPort?.close(); } catch {}\n      try { vrfPort?.close(); } catch {}\n      this.terminateAndReplaceWorker(worker);\n      this.signingSessions.delete(sessionId);\n      throw err;\n    }\n    return { worker, signerPort, vrfPort };\n  }\n\n  /**\n   * Release a signing session: close ports and terminate/replace the worker to zeroize state.\n   */\n  releaseSigningSession(sessionId: string): void {\n    const entry = this.signingSessions.get(sessionId);\n    if (!entry) return;\n    try { entry.wrapKeySeedPort?.close() } catch {}\n    try { this.terminateAndReplaceWorker(entry.worker) } catch {}\n    this.signingSessions.delete(sessionId);\n  }\n\n  /**\n   * Sweep expired signing sessions based on createdAt and timeout.\n   */\n  sweepExpiredSigningSessions(): void {\n    const now = Date.now();\n    for (const [sessionId, entry] of this.signingSessions.entries()) {\n      if (now - entry.createdAt > this.SIGNING_SESSION_TIMEOUT_MS) {\n        this.releaseSigningSession(sessionId);\n      }\n    }\n  }\n\n  private async createReplacementWorker(): Promise<void> {\n    try {\n      const worker = this.createSecureWorker();\n\n      // Simple health check\n      const healthPromise = new Promise<void>((resolve, reject) => {\n        const timeout = setTimeout(() => reject(new Error('Health check timeout')), 5000);\n\n        const onMessage = (event: MessageEvent) => {\n          if (event.data?.type === WorkerControlMessage.WORKER_READY || event.data?.ready) {\n            worker.removeEventListener('message', onMessage);\n            clearTimeout(timeout);\n            resolve();\n          }\n        };\n\n        worker.addEventListener('message', onMessage);\n        worker.onerror = () => {\n          worker.removeEventListener('message', onMessage);\n          clearTimeout(timeout);\n          reject(new Error('Worker error during health check'));\n        };\n      });\n\n      await healthPromise;\n\n      if (this.workerPool.length < this.MAX_WORKER_POOL_SIZE) {\n        this.workerPool.push(worker);\n      } else {\n        worker.terminate();\n      }\n    } catch (error: unknown) {\n      console.warn('SignerWorkerManager: Failed to create replacement worker:', error);\n    }\n  }\n\n  /**\n   * Pre-warm worker pool by creating and initializing workers in advance\n   * This reduces latency for the first transaction by having workers ready\n   */\n  async preWarmWorkerPool(): Promise<void> {\n    const promises: Promise<void>[] = [];\n\n    for (let i = 0; i < this.MAX_WORKER_POOL_SIZE; i++) {\n      promises.push(\n        new Promise<void>((resolve, reject) => {\n          try {\n            const worker = this.createSecureWorker();\n\n            // Set up one-time ready handler\n            const onReady = (event: MessageEvent) => {\n              if (event.data?.type === WorkerControlMessage.WORKER_READY || event.data?.ready) {\n                worker.removeEventListener('message', onReady);\n                this.terminateAndReplaceWorker(worker);\n                resolve();\n              }\n            };\n\n            worker.addEventListener('message', onReady);\n\n            // Set up error handler\n            worker.onerror = (error) => {\n              worker.removeEventListener('message', onReady);\n              console.error(`WebAuthnManager: Worker ${i + 1} pre-warm failed:`, error);\n              reject(error);\n            };\n\n            // Timeout after 5 seconds\n            setTimeout(() => {\n              worker.removeEventListener('message', onReady);\n              // Pre-warm timeouts are benign; workers will be created on-demand later.\n              // console.debug(`WebAuthnManager: Worker ${i + 1} pre-warm timeout`);\n              reject(new Error('Pre-warm timeout'));\n            }, 5000);\n\n          } catch (error: unknown) {\n            console.error(`WebAuthnManager: Failed to create worker ${i + 1}:`, error);\n            reject(toError(error));\n          }\n        })\n      );\n    }\n\n    try {\n      await Promise.allSettled(promises);\n    } catch (error: unknown) {\n      console.warn('WebAuthnManager: Some workers failed to pre-warm:', error);\n    }\n  }\n\n  private async sendMessage<T extends WorkerRequestType>({\n    sessionId,\n    message,\n    onEvent,\n    timeoutMs = SIGNER_WORKER_MANAGER_CONFIG.TIMEOUTS.DEFAULT, // 60s\n  }: {\n    sessionId?: string;\n    message: { type: T; payload: WithOptionalSessionId<WorkerRequestTypeMap[T]['request']> };\n    onEvent?: (update: onProgressEvents) => void;\n    timeoutMs?: number;\n  }): Promise<WorkerResponseForRequest<T>> {\n\n    // Clean up any expired signing sessions before allocating a worker\n    this.sweepExpiredSigningSessions();\n\n    const payloadSessionId = (message.payload as any)?.sessionId as string | undefined;\n    if (sessionId && payloadSessionId && payloadSessionId !== sessionId) {\n      throw new Error(\n        `sendMessage: payload.sessionId (${payloadSessionId}) does not match provided sessionId (${sessionId})`\n      );\n    }\n\n    const effectiveSessionId = sessionId || payloadSessionId;\n    const sessionEntry = effectiveSessionId ? this.signingSessions.get(effectiveSessionId) : undefined;\n    if (effectiveSessionId && !sessionEntry) {\n      throw new Error(`Signing session not found for id: ${effectiveSessionId}`);\n    }\n\n    // Normalize/inject sessionId into payload once to avoid duplication at call sites.\n    const finalPayload = effectiveSessionId\n      ? withSessionId(effectiveSessionId, message.payload)\n      : (message.payload);\n\n    const worker = sessionEntry ? sessionEntry.worker : this.getWorkerFromPool();\n    const isSessionWorker = !!sessionEntry;\n\n    return new Promise((resolve, reject) => {\n      const timeoutId = setTimeout(() => {\n        try {\n          if (isSessionWorker && effectiveSessionId) {\n            // Release reserved session to avoid leaking worker/port\n            this.releaseSigningSession(effectiveSessionId);\n          } else {\n            this.terminateAndReplaceWorker(worker);\n          }\n        } catch {}\n        // Notify any open modal host to transition to error state\n        try {\n          const seconds = Math.round(timeoutMs / 1000);\n          window.postMessage({ type: 'MODAL_TIMEOUT', payload: `Timed out after ${seconds}s, try again` }, '*');\n        } catch {}\n        reject(new Error(`Worker operation timed out after ${timeoutMs}ms`));\n      }, timeoutMs);\n\n      const responses: WorkerResponseForRequest<T>[] = [];\n\n      worker.onmessage = async (event) => {\n        try {\n          // Ignore control messages (lifecycle/session setup) – they are handled elsewhere.\n          if (isSignerWorkerControlMessage(event?.data)) {\n            return;\n          }\n          // Ignore readiness pings that can arrive if a worker was just spawned\n          if (event?.data?.type === WorkerControlMessage.WORKER_READY || event?.data?.ready) {\n            return; // not a response to an operation\n          }\n          // Use strong typing from WASM-generated types\n          const response = event.data as WorkerResponseForRequest<T>;\n          responses.push(response);\n\n          // Handle progress updates using WASM-generated numeric enum values\n          if (isWorkerProgress(response)) {\n            const progressResponse = response as WorkerProgressResponse;\n            onEvent?.(progressResponse.payload as onProgressEvents);\n            return; // Continue listening for more messages\n          }\n\n          // Handle errors using WASM-generated enum\n          if (isWorkerError(response)) {\n            clearTimeout(timeoutId);\n            if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n            const errorResponse = response as WorkerErrorResponse;\n            console.error('Worker error response:', errorResponse);\n            reject(new Error(errorResponse.payload.error));\n            return;\n          }\n\n          // Handle successful completion types using strong typing\n          if (isWorkerSuccess(response)) {\n            clearTimeout(timeoutId);\n            if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n            resolve(response as WorkerResponseForRequest<T>);\n            return;\n          }\n\n          // If we reach here, the response doesn't match any expected type\n          console.error('Unexpected worker response format:', {\n            response,\n          });\n\n          // Check if it's a generic Error object\n          if (isObject(response) && 'message' in response && 'stack' in response) {\n            clearTimeout(timeoutId);\n            if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n            console.error('Worker sent generic Error object:', response);\n            reject(new Error(`Worker sent generic error: ${(response as Error).message}`));\n            return;\n          }\n\n          // Unknown response format\n          clearTimeout(timeoutId);\n          if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n          reject(new Error(`Unknown worker response format: ${JSON.stringify(response)}`));\n        } catch (error: unknown) {\n          clearTimeout(timeoutId);\n          if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n          console.error('Error processing worker message:', error);\n          const err = toError(error);\n          reject(new Error(`Worker message processing error: ${err.message}`));\n        }\n      };\n\n      worker.onerror = (event) => {\n        clearTimeout(timeoutId);\n        if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n        const errorMessage = event.error?.message || event.message || 'Unknown worker error';\n        console.error('Worker error details (progress):', {\n          message: errorMessage,\n          filename: event.filename,\n          lineno: event.lineno,\n          colno: event.colno,\n          error: event.error\n        });\n        reject(new Error(`Worker error: ${errorMessage}`));\n      };\n\n      // Format message for Rust SignerWorkerMessage structure using WASM types\n      const formattedMessage = {\n        type: message.type, // Numeric enum value from WorkerRequestType\n        payload: finalPayload,\n      };\n\n      worker.postMessage(formattedMessage);\n    });\n  }\n\n  /**\n   * Derive NEAR keypair from a serialized WebAuthn registration credential\n   */\n  async deriveNearKeypairAndEncryptFromSerialized(args: {\n    credential: WebAuthnRegistrationCredential;\n    nearAccountId: AccountId;\n    options?: {\n      authenticatorOptions?: AuthenticatorOptions;\n      deviceNumber?: number;\n    };\n    sessionId: string;\n  }): Promise<{\n    success: boolean;\n    nearAccountId: AccountId;\n    publicKey: string;\n    /**\n     * Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key.\n     */\n    chacha20NonceB64u?: string;\n    wrapKeySalt?: string;\n  }> {\n    return deriveNearKeypairAndEncryptFromSerialized({ ctx: this.getContext(), ...args });\n  }\n\n  /**\n   * Secure private key decryption with dual PRF\n   */\n  async decryptPrivateKeyWithPrf(args: {\n    nearAccountId: AccountId,\n    authenticators: ClientAuthenticatorData[],\n    sessionId: string,\n  }): Promise<{\n    decryptedPrivateKey: string;\n    nearAccountId: AccountId\n  }> {\n    return decryptPrivateKeyWithPrf({ ctx: this.getContext(), ...args });\n  }\n\n  async checkCanRegisterUser(args: {\n    vrfChallenge: VRFChallenge,\n    credential: WebAuthnRegistrationCredential,\n    contractId: string;\n    nearRpcUrl: string;\n    authenticatorOptions?: AuthenticatorOptions; // Authenticator options for registration check\n    onEvent?: (update: onProgressEvents) => void;\n  }): Promise<{\n    success: boolean;\n    verified?: boolean;\n    registrationInfo?: unknown;\n    logs?: string[];\n    signedTransactionBorsh?: number[];\n    error?: string;\n  }> {\n    return checkCanRegisterUser({ ctx: this.getContext(), ...args });\n  }\n\n  /**\n   * Combined Device2 registration: derive NEAR keypair + sign registration transaction\n   * in a single operation without requiring a separate authentication prompt.\n   *\n   * This replaces the old two-step flow (register → authenticate → sign).\n   * PRF.second and WrapKeySeed are already in the signer worker via MessagePort.\n   */\n  async registerDevice2WithDerivedKey(args: {\n    sessionId: string;\n    nearAccountId: AccountId;\n    credential: WebAuthnRegistrationCredential;\n    vrfChallenge: VRFChallenge;\n    transactionContext: TransactionContext;\n    contractId: string;\n    wrapKeySalt: string;\n    deviceNumber?: number;\n    deterministicVrfPublicKey: string;\n  }): Promise<{\n    success: boolean;\n    publicKey: string;\n    signedTransaction: any;\n    wrapKeySalt: string;\n    encryptedData?: string;\n    /**\n     * Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key.\n     */\n    chacha20NonceB64u?: string;\n    error?: string;\n  }> {\n    return registerDevice2WithDerivedKey({ ctx: this.getContext(), ...args });\n  }\n\n  // === ACTION-BASED SIGNING METHODS ===\n\n  /**\n   * Sign multiple transactions with shared VRF challenge and credential\n   * Efficiently processes multiple transactions with one PRF authentication\n   */\n  async signTransactionsWithActions(args: {\n    transactions: TransactionInputWasm[],\n    rpcCall: RpcCallPayload,\n    onEvent?: (update: onProgressEvents) => void,\n    confirmationConfigOverride?: Partial<ConfirmationConfig>,\n    title?: string;\n    body?: string;\n    sessionId: string,\n  }): Promise<Array<{\n    signedTransaction: SignedTransaction;\n    nearAccountId: AccountId;\n    logs?: string[]\n  }>> {\n    return signTransactionsWithActions({\n      ctx: this.getContext(),\n      ...args\n    });\n  }\n\n  async signDelegateAction(args: {\n    delegate: DelegateActionInput;\n    rpcCall: RpcCallPayload;\n    onEvent?: (update: onProgressEvents) => void;\n    confirmationConfigOverride?: Partial<ConfirmationConfig>;\n    title?: string;\n    body?: string;\n    sessionId: string;\n  }): Promise<{\n    signedDelegate: WasmSignedDelegate;\n    hash: string;\n    nearAccountId: AccountId;\n    logs?: string[];\n  }> {\n    return signDelegateAction({ ctx: this.getContext(), ...args });\n  }\n\n  /**\n   * Recover keypair from authentication credential for account recovery\n   * Uses dual PRF-based Ed25519 key derivation with account-specific HKDF and AES encryption\n   */\n  async recoverKeypairFromPasskey(args: {\n    credential: WebAuthnAuthenticationCredential;\n    accountIdHint?: string;\n    sessionId: string,\n  }): Promise<{\n    publicKey: string;\n    encryptedPrivateKey: string;\n    /** Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for encrypted key */\n    chacha20NonceB64u: string;\n    accountIdHint?: string;\n    wrapKeySalt: string;\n  }> {\n    return recoverKeypairFromPasskey({ ctx: this.getContext(), ...args });\n  }\n\n  /**\n   * Extract COSE public key from WebAuthn attestation object\n   * Simple operation that doesn't require TouchID or progress updates\n   */\n  async extractCosePublicKey(attestationObjectBase64url: string): Promise<Uint8Array> {\n    return extractCosePublicKey({ ctx: this.getContext(), attestationObjectBase64url });\n  }\n\n  /**\n   * Sign transaction with raw private key (for key replacement in Option D device linking)\n   * No TouchID/PRF required - uses provided private key directly\n   */\n  async signTransactionWithKeyPair(args: {\n    nearPrivateKey: string;\n    signerAccountId: string;\n    receiverId: string;\n    nonce: string;\n    blockHash: string;\n    actions: ActionArgsWasm[];\n  }): Promise<{\n    signedTransaction: SignedTransaction;\n    logs?: string[];\n  }> {\n    return signTransactionWithKeyPair({ ctx: this.getContext(), ...args });\n  }\n\n  /**\n   * Sign a NEP-413 message using the user's passkey-derived private key\n   *\n   * @param payload - NEP-413 signing parameters including message, recipient, nonce, and state\n   * @returns Promise resolving to signing result with account ID, public key, and signature\n   */\n  async signNep413Message(payload: {\n    message: string;\n    recipient: string;\n    nonce: string;\n    state: string | null;\n    accountId: string;\n    title?: string;\n    body?: string;\n    confirmationConfigOverride?: Partial<ConfirmationConfig>;\n    sessionId: string;\n    contractId?: string;\n    nearRpcUrl?: string;\n  }): Promise<{\n    success: boolean;\n    accountId: string;\n    publicKey: string;\n    signature: string;\n    state?: string;\n    error?: string;\n  }> {\n    return signNep413Message({\n      ctx: this.getContext(),\n      payload\n    });\n  }\n\n  /**\n   * Two-phase export (worker-driven):\n   *  - Phase 1: collect PRF (uiMode: 'skip')\n   *  - Decrypt inside worker\n   *  - Phase 2: show export UI with decrypted key (kept open until user closes)\n   */\n  async exportNearKeypairUi(args: {\n    nearAccountId: AccountId,\n    variant?: 'drawer'|'modal',\n    theme?: 'dark'|'light',\n    sessionId: string,\n  }): Promise<void> {\n    return exportNearKeypairUi({ ctx: this.getContext(), ...args });\n  }\n\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyFA,IAAa,sBAAb,MAAiC;CAE/B,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YACE,kBACA,YACA,wBACA,cACA,cACA,8CAAuD,MACvD,iBACA;AACA,OAAK,YAAY;AACjB,OAAK,gBAAgB,IAAI,cAAc,cAAc;AACrD,OAAK,mBAAmB;AACxB,OAAK,aAAa;AAClB,OAAK,yBAAyB;AAC9B,OAAK,eAAe;AACpB,OAAK,kBAAkB;;CAGzB,oBAAoB,QAAkC;AACpD,OAAK,mBAAmB;;CAG1B,aAAyC;AACvC,SAAO;GACL,aAAa,KAAK,YAAY,KAAK;GACnC,WAAW,KAAK;GAChB,eAAe,KAAK;GACpB,kBAAkB,KAAK;GACvB,YAAY,KAAK;GACjB,wBAAwB,KAAK;GAC7B,cAAc,KAAK;GACnB,cAAc,KAAK,cAAc;GACjC,iBAAiB,KAAK;;;CAI1B,qBAA6B;EAC3B,MAAM,eAAe,iBACnB,6BAA6B,OAAO,KACpC;GAAE,QAAQ;GAAU,YAAY,KAAK;;AAEvC,MAAI;GACF,MAAM,SAAS,IAAI,OAAO,cAAc;IACtC,MAAM,6BAA6B,OAAO;IAC1C,MAAM,6BAA6B,OAAO;;AAG5C,UAAO,gBAAgB;AACvB,UAAO;WACA,OAAO;GAId,MAAM,MAAM,iBAAiB,QAAQ,MAAM,UAAU,OAAO;AAC5D,SAAM,IAAI,MAAM,mCAAmC;;;;;;;;;;;;;;;CAgBvD,AAAQ,aAAuB;CAC/B,AAAiB,uBAAuB;CAExC,AAAQ,kCAAoD,IAAI;CAChE,AAAiB,6BAA6B,MAAS;CAEvD,AAAQ,oBAA4B;AAClC,MAAI,KAAK,WAAW,SAAS,EAC3B,QAAO,KAAK,WAAW;AAEzB,SAAO,KAAK;;CAGd,AAAQ,0BAA0B,QAAsB;AAEtD,SAAO;AAEP,OAAK;;;;;;;;;;;;;;;;;;;;;CAsBP,MAAM,2BAA2B,WAAmB,MAAmH;AACrK,MAAI,KAAK,gBAAgB,IAAI,WAC3B,OAAM,IAAI,MAAM,0CAA0C;EAG5D,MAAM,SAAS,KAAK;EACpB,IAAI,aAAa,MAAM;EACvB,IAAIA;AACJ,MAAI,CAAC,YAAY;GAIf,MAAM,UAAU,IAAI;AACpB,gBAAa,QAAQ;AACrB,aAAU,QAAQ;;AAIpB,MAAI;AACF,OAAI,CAAC,WACH,OAAM,IAAI,MAAM;AAIlB,SAAM,kBAAkB,QAAQ,WAAW;AAI3C,QAAK,gBAAgB,IAAI,WAAW;IAClC;IACA,iBAAiB;IACjB,WAAW,KAAK;;WAGX,KAAK;AACZ,WAAQ,MAAM,6EAA6E;AAE3F,OAAI;AAAE,gBAAY;WAAiB;AACnC,OAAI;AAAE,aAAS;WAAiB;AAChC,QAAK,0BAA0B;AAC/B,QAAK,gBAAgB,OAAO;AAC5B,SAAM;;AAER,SAAO;GAAE;GAAQ;GAAY;;;;;;CAM/B,sBAAsB,WAAyB;EAC7C,MAAM,QAAQ,KAAK,gBAAgB,IAAI;AACvC,MAAI,CAAC,MAAO;AACZ,MAAI;AAAE,SAAM,iBAAiB;UAAgB;AAC7C,MAAI;AAAE,QAAK,0BAA0B,MAAM;UAAgB;AAC3D,OAAK,gBAAgB,OAAO;;;;;CAM9B,8BAAoC;EAClC,MAAM,MAAM,KAAK;AACjB,OAAK,MAAM,CAAC,WAAW,UAAU,KAAK,gBAAgB,UACpD,KAAI,MAAM,MAAM,YAAY,KAAK,2BAC/B,MAAK,sBAAsB;;CAKjC,MAAc,0BAAyC;AACrD,MAAI;GACF,MAAM,SAAS,KAAK;GAGpB,MAAM,gBAAgB,IAAI,SAAe,SAAS,WAAW;IAC3D,MAAM,UAAU,iBAAiB,uBAAO,IAAI,MAAM,0BAA0B;IAE5E,MAAM,aAAa,UAAwB;AACzC,SAAI,MAAM,MAAM,SAAS,qBAAqB,gBAAgB,MAAM,MAAM,OAAO;AAC/E,aAAO,oBAAoB,WAAW;AACtC,mBAAa;AACb;;;AAIJ,WAAO,iBAAiB,WAAW;AACnC,WAAO,gBAAgB;AACrB,YAAO,oBAAoB,WAAW;AACtC,kBAAa;AACb,4BAAO,IAAI,MAAM;;;AAIrB,SAAM;AAEN,OAAI,KAAK,WAAW,SAAS,KAAK,qBAChC,MAAK,WAAW,KAAK;OAErB,QAAO;WAEFC,OAAgB;AACvB,WAAQ,KAAK,6DAA6D;;;;;;;CAQ9E,MAAM,oBAAmC;EACvC,MAAMC,WAA4B;AAElC,OAAK,IAAI,IAAI,GAAG,IAAI,KAAK,sBAAsB,IAC7C,UAAS,KACP,IAAI,SAAe,SAAS,WAAW;AACrC,OAAI;IACF,MAAM,SAAS,KAAK;IAGpB,MAAM,WAAW,UAAwB;AACvC,SAAI,MAAM,MAAM,SAAS,qBAAqB,gBAAgB,MAAM,MAAM,OAAO;AAC/E,aAAO,oBAAoB,WAAW;AACtC,WAAK,0BAA0B;AAC/B;;;AAIJ,WAAO,iBAAiB,WAAW;AAGnC,WAAO,WAAW,UAAU;AAC1B,YAAO,oBAAoB,WAAW;AACtC,aAAQ,MAAM,2BAA2B,IAAI,EAAE,oBAAoB;AACnE,YAAO;;AAIT,qBAAiB;AACf,YAAO,oBAAoB,WAAW;AAGtC,4BAAO,IAAI,MAAM;OAChB;YAEID,OAAgB;AACvB,YAAQ,MAAM,4CAA4C,IAAI,EAAE,IAAI;AACpE,WAAO,QAAQ;;;AAMvB,MAAI;AACF,SAAM,QAAQ,WAAW;WAClBA,OAAgB;AACvB,WAAQ,KAAK,qDAAqD;;;CAItE,MAAc,YAAyC,EACrD,WACA,SACA,SACA,YAAY,6BAA6B,SAAS,WAMX;AAGvC,OAAK;EAEL,MAAM,mBAAoB,QAAQ,SAAiB;AACnD,MAAI,aAAa,oBAAoB,qBAAqB,UACxD,OAAM,IAAI,MACR,mCAAmC,iBAAiB,uCAAuC,UAAU;EAIzG,MAAM,qBAAqB,aAAa;EACxC,MAAM,eAAe,qBAAqB,KAAK,gBAAgB,IAAI,sBAAsB;AACzF,MAAI,sBAAsB,CAAC,aACzB,OAAM,IAAI,MAAM,qCAAqC;EAIvD,MAAM,eAAe,qBACjB,cAAc,oBAAoB,QAAQ,WACzC,QAAQ;EAEb,MAAM,SAAS,eAAe,aAAa,SAAS,KAAK;EACzD,MAAM,kBAAkB,CAAC,CAAC;AAE1B,SAAO,IAAI,SAAS,SAAS,WAAW;GACtC,MAAM,YAAY,iBAAiB;AACjC,QAAI;AACF,SAAI,mBAAmB,mBAErB,MAAK,sBAAsB;SAE3B,MAAK,0BAA0B;YAE3B;AAER,QAAI;KACF,MAAM,UAAU,KAAK,MAAM,YAAY;AACvC,YAAO,YAAY;MAAE,MAAM;MAAiB,SAAS,mBAAmB,QAAQ;QAAiB;YAC3F;AACR,2BAAO,IAAI,MAAM,oCAAoC,UAAU;MAC9D;GAEH,MAAME,YAA2C;AAEjD,UAAO,YAAY,OAAO,UAAU;AAClC,QAAI;AAEF,SAAI,6BAA6B,OAAO,MACtC;AAGF,SAAI,OAAO,MAAM,SAAS,qBAAqB,gBAAgB,OAAO,MAAM,MAC1E;KAGF,MAAM,WAAW,MAAM;AACvB,eAAU,KAAK;AAGf,SAAI,iBAAiB,WAAW;MAC9B,MAAM,mBAAmB;AACzB,gBAAU,iBAAiB;AAC3B;;AAIF,SAAI,cAAc,WAAW;AAC3B,mBAAa;AACb,UAAI,CAAC,gBAAiB,MAAK,0BAA0B;MACrD,MAAM,gBAAgB;AACtB,cAAQ,MAAM,0BAA0B;AACxC,aAAO,IAAI,MAAM,cAAc,QAAQ;AACvC;;AAIF,SAAI,gBAAgB,WAAW;AAC7B,mBAAa;AACb,UAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,cAAQ;AACR;;AAIF,aAAQ,MAAM,sCAAsC,EAClD;AAIF,SAAI,SAAS,aAAa,aAAa,YAAY,WAAW,UAAU;AACtE,mBAAa;AACb,UAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,cAAQ,MAAM,qCAAqC;AACnD,6BAAO,IAAI,MAAM,8BAA+B,SAAmB;AACnE;;AAIF,kBAAa;AACb,SAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,4BAAO,IAAI,MAAM,mCAAmC,KAAK,UAAU;aAC5DF,OAAgB;AACvB,kBAAa;AACb,SAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,aAAQ,MAAM,oCAAoC;KAClD,MAAM,MAAM,QAAQ;AACpB,4BAAO,IAAI,MAAM,oCAAoC,IAAI;;;AAI7D,UAAO,WAAW,UAAU;AAC1B,iBAAa;AACb,QAAI,CAAC,gBAAiB,MAAK,0BAA0B;IACrD,MAAM,eAAe,MAAM,OAAO,WAAW,MAAM,WAAW;AAC9D,YAAQ,MAAM,oCAAoC;KAChD,SAAS;KACT,UAAU,MAAM;KAChB,QAAQ,MAAM;KACd,OAAO,MAAM;KACb,OAAO,MAAM;;AAEf,2BAAO,IAAI,MAAM,iBAAiB;;GAIpC,MAAM,mBAAmB;IACvB,MAAM,QAAQ;IACd,SAAS;;AAGX,UAAO,YAAY;;;;;;CAOvB,MAAM,0CAA0C,MAiB7C;AACD,SAAO,0CAA0C;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;CAMhF,MAAM,yBAAyB,MAO5B;AACD,SAAO,yBAAyB;GAAE,KAAK,KAAK;GAAc,GAAG;;;CAG/D,MAAM,qBAAqB,MAcxB;AACD,SAAO,qBAAqB;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;;;;CAU3D,MAAM,8BAA8B,MAqBjC;AACD,SAAO,8BAA8B;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;CASpE,MAAM,4BAA4B,MAY9B;AACF,SAAO,4BAA4B;GACjC,KAAK,KAAK;GACV,GAAG;;;CAIP,MAAM,mBAAmB,MAatB;AACD,SAAO,mBAAmB;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;CAOzD,MAAM,0BAA0B,MAW7B;AACD,SAAO,0BAA0B;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;CAOhE,MAAM,qBAAqB,4BAAyD;AAClF,SAAO,qBAAqB;GAAE,KAAK,KAAK;GAAc;;;;;;;CAOxD,MAAM,2BAA2B,MAU9B;AACD,SAAO,2BAA2B;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;;;CASjE,MAAM,kBAAkB,SAmBrB;AACD,SAAO,kBAAkB;GACvB,KAAK,KAAK;GACV;;;;;;;;;CAUJ,MAAM,oBAAoB,MAKR;AAChB,SAAO,oBAAoB;GAAE,KAAK,KAAK;GAAc,GAAG"}
+{"version":3,"file":"index.js","names":["vrfPort: MessagePort | undefined","error: unknown","promises: Promise<void>[]","responses: WorkerResponseForRequest<T>[]"],"sources":["../../../../../src/core/WebAuthnManager/SignerWorkerManager/index.ts"],"sourcesContent":["import { SIGNER_WORKER_MANAGER_CONFIG } from \"../../../config\";\nimport { ClientAuthenticatorData, UnifiedIndexedDBManager } from '../../IndexedDBManager';\nimport { IndexedDBManager } from '../../IndexedDBManager';\nimport { SignedTransaction, type NearClient } from '../../NearClient';\nimport { isObject } from '@/utils/validation';\nimport { resolveWorkerUrl } from '../../sdkPaths';\nimport {\n  WorkerRequestType,\n  WorkerResponseForRequest,\n  isWorkerProgress,\n  isWorkerError,\n  isWorkerSuccess,\n  WorkerProgressResponse,\n  WorkerErrorResponse,\n  WorkerRequestTypeMap,\n} from '../../types/signer-worker';\nimport { VrfWorkerManager } from '../VrfWorkerManager';\nimport { VRFChallenge } from '../../types/vrf-worker';\nimport type { ActionArgsWasm, TransactionInputWasm } from '../../types/actions';\nimport type { DelegateActionInput } from '../../types/delegate';\nimport type { onProgressEvents, RegistrationEventStep3 } from '../../types/sdkSentEvents';\nimport type { AuthenticatorOptions } from '../../types/authenticatorOptions';\nimport { AccountId } from \"../../types/accountIds\";\nimport { TransactionContext } from '../../types/rpc';\nimport {\n  ConfirmationConfig,\n  type SignerMode,\n  WasmSignedDelegate,\n} from '../../types/signer-worker';\nimport type { ThresholdBehavior } from '../../types/signer-worker';\nimport { TouchIdPrompt } from \"../touchIdPrompt\";\nimport { isSignerWorkerControlMessage } from './sessionMessages';\nimport { WorkerControlMessage } from '../../workerControlMessages';\n\nimport {\n  decryptPrivateKeyWithPrf,\n  checkCanRegisterUser,\n  signTransactionsWithActions,\n  recoverKeypairFromPasskey,\n  extractCosePublicKey,\n  signTransactionWithKeyPair,\n  signNep413Message,\n  deriveNearKeypairAndEncryptFromSerialized,\n  signDelegateAction,\n  registerDevice2WithDerivedKey,\n  exportNearKeypairUi,\n  deriveThresholdEd25519ClientVerifyingShare,\n} from './handlers';\nimport { RpcCallPayload } from '../../types/signer-worker';\nimport { UserPreferencesManager } from '../userPreferences';\nimport { NonceManager } from '../../nonceManager';\nimport { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../types';\nimport { toError } from '@/utils/errors';\nimport { withSessionId } from './handlers/session';\nimport { attachSessionPort } from './sessionHandshake.js';\n\ntype WithOptionalSessionId<T> = T extends { sessionId: string }\n  ? Omit<T, 'sessionId'> & { sessionId?: string }\n  : T;\n\ntype SigningSessionEntry = {\n  worker: Worker;\n  wrapKeySeedPort?: MessagePort;\n  createdAt: number;\n};\n\nexport interface SignerWorkerManagerContext {\n  touchIdPrompt: TouchIdPrompt;\n  nearClient: NearClient;\n  indexedDB: UnifiedIndexedDBManager;\n  userPreferencesManager: UserPreferencesManager;\n  nonceManager: NonceManager;\n  relayerUrl: string;\n  rpIdOverride?: string;\n  nearExplorerUrl?: string;\n  vrfWorkerManager?: VrfWorkerManager;\n  sendMessage: <T extends keyof WorkerRequestTypeMap>(args: {\n    message: {\n      type: T;\n      payload: WithOptionalSessionId<WorkerRequestTypeMap[T]['request']>;\n    };\n    onEvent?: (update: onProgressEvents) => void;\n    timeoutMs?: number;\n    sessionId?: string;\n  }) => Promise<WorkerResponseForRequest<T>>;\n};\n\n/**\n * WebAuthnWorkers handles PRF, workers, and COSE operations\n *\n * Note: Challenge store removed as VRF provides cryptographic freshness\n * without needing centralized challenge management\n */\nexport class SignerWorkerManager {\n\n  private indexedDB: UnifiedIndexedDBManager;\n  private touchIdPrompt: TouchIdPrompt;\n  private vrfWorkerManager: VrfWorkerManager;\n  private nearClient: NearClient;\n  private userPreferencesManager: UserPreferencesManager;\n  private nonceManager: NonceManager;\n  private relayerUrl: string;\n  private workerBaseOrigin: string | undefined;\n  private nearExplorerUrl?: string;\n\n  constructor(\n    vrfWorkerManager: VrfWorkerManager,\n    nearClient: NearClient,\n    userPreferencesManager: UserPreferencesManager,\n    nonceManager: NonceManager,\n    relayerUrl: string,\n    rpIdOverride?: string,\n    enableSafariGetWebauthnRegistrationFallback: boolean = true,\n    nearExplorerUrl?: string,\n  ) {\n    this.indexedDB = IndexedDBManager;\n    this.touchIdPrompt = new TouchIdPrompt(rpIdOverride, enableSafariGetWebauthnRegistrationFallback);\n    this.vrfWorkerManager = vrfWorkerManager;\n    this.nearClient = nearClient;\n    this.userPreferencesManager = userPreferencesManager;\n    this.nonceManager = nonceManager;\n    this.relayerUrl = relayerUrl;\n    this.nearExplorerUrl = nearExplorerUrl;\n  }\n\n  setWorkerBaseOrigin(origin: string | undefined): void {\n    this.workerBaseOrigin = origin;\n  }\n\n  getContext(): SignerWorkerManagerContext {\n    return {\n      sendMessage: this.sendMessage.bind(this), // bind to access this.createSecureWorker\n      indexedDB: this.indexedDB,\n      touchIdPrompt: this.touchIdPrompt,\n      vrfWorkerManager: this.vrfWorkerManager,\n      nearClient: this.nearClient,\n      userPreferencesManager: this.userPreferencesManager,\n      nonceManager: this.nonceManager,\n      rpIdOverride: this.touchIdPrompt.getRpId(),\n      nearExplorerUrl: this.nearExplorerUrl,\n      relayerUrl: this.relayerUrl,\n    };\n  }\n\n  createSecureWorker(): Worker {\n    const workerUrlStr = resolveWorkerUrl(\n      SIGNER_WORKER_MANAGER_CONFIG.WORKER.URL,\n      { worker: 'signer', baseOrigin: this.workerBaseOrigin }\n    )\n    try {\n      const worker = new Worker(workerUrlStr, {\n        type: SIGNER_WORKER_MANAGER_CONFIG.WORKER.TYPE,\n        name: SIGNER_WORKER_MANAGER_CONFIG.WORKER.NAME\n      });\n      // minimal error handler in tests; avoid noisy logs\n      worker.onerror = () => {};\n      return worker;\n    } catch (error) {\n      // Do not silently downgrade to same‑origin. Cross‑origin workers must be\n      // resolvable under the configured wallet origin with proper headers.\n      // Surface a precise error so tests assert the real path.\n      const msg = error instanceof Error ? error.message : String(error);\n      throw new Error(`Failed to create secure worker: ${msg}`);\n    }\n  }\n\n  /**\n   * Executes a worker operation by sending a message to the secure worker.\n   * Handles progress updates via onEvent callback, supports both single and multiple response patterns.\n   * Intercepts secure confirmation handshake messages for pluggable UI.\n   * Resolves with the final worker response or rejects on error/timeout.\n   *\n   * @template T - Worker request type.\n   * @param params.message - The message to send to the worker.\n   * @param params.onEvent - Optional callback for progress events.\n   * @param params.timeoutMs - Optional timeout in milliseconds.\n   * @returns Promise resolving to the worker response for the request.\n   */\n  private workerPool: Worker[] = [];\n  private readonly MAX_WORKER_POOL_SIZE = 3; // Increased for security model\n  // Map of active signing sessions to reserved workers and optional WrapKeySeed ports\n  private signingSessions: Map<string, SigningSessionEntry> = new Map();\n  private readonly SIGNING_SESSION_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes\n\n  private getWorkerFromPool(): Worker {\n    if (this.workerPool.length > 0) {\n      return this.workerPool.pop()!;\n    }\n    return this.createSecureWorker();\n  }\n\n  private terminateAndReplaceWorker(worker: Worker): void {\n    // Always terminate workers to clear memory\n    worker.terminate();\n    // Asynchronously create a replacement worker for the pool\n    this.createReplacementWorker();\n  }\n\n  /**\n   * Reserve a signer worker \"session\"\n   *\n   * What this does:\n   * - Reserves a specific `Worker` instance from the pool and pins it to `sessionId`.\n   * - Ensures the signer worker has a dedicated `MessagePort` attached for receiving `WrapKeySeed`\n   *   from the VRF worker (VRF → Signer channel).\n   *\n   * Port wiring:\n   * - The VRF worker retains one end of a `MessageChannel` and the signer worker receives the other.\n   * - This method attaches the signer-facing port via a control message (`ATTACH_WRAP_KEY_SEED_PORT`)\n   *   and waits for an ACK (`ATTACH_WRAP_KEY_SEED_PORT_OK`) before exposing the session.\n   *\n   * @param sessionId - Session identifier used to correlate MessagePorts + ready signals.\n   * @param opts.signerPort - Optional signer-facing `MessagePort` created/owned by the caller (VRF-created channel).\n   *                         If omitted, this method creates a fresh `MessageChannel` and returns `vrfPort` so the\n   *                         caller can transfer it to the VRF worker.\n   * @returns `{ worker, signerPort, vrfPort }` where `vrfPort` is only present when we created the channel here.\n   */\n  async reserveSignerWorkerSession(sessionId: string, opts?: { signerPort?: MessagePort }): Promise<{ worker: Worker; signerPort?: MessagePort; vrfPort?: MessagePort }> {\n    if (this.signingSessions.has(sessionId)) {\n      throw new Error(`Signing session already exists for id: ${sessionId}`);\n    }\n    // Reserve a worker from the pool for this sessionId.\n    const worker = this.getWorkerFromPool();\n    let signerPort = opts?.signerPort;\n    let vrfPort: MessagePort | undefined;\n    if (!signerPort) {\n      // If caller did not provide a signer-facing port, create a channel.\n      // - port1 => signer worker (receiver)\n      // - port2 => VRF worker (sender) returned to caller\n      const channel = new MessageChannel();\n      signerPort = channel.port1;\n      vrfPort = channel.port2;\n    }\n\n    // Attach the signerPort to the worker and wait for ACK before adding to signingSessions\n    try {\n      if (!signerPort) {\n        throw new Error('Missing signerPort for signing session');\n      }\n\n      // Use centralized handshake logic (registers listener, sends message, waits for ACK)\n      await attachSessionPort(worker, sessionId, signerPort);\n\n      // Only add to signingSessions after successful attachment\n      // (prevents callers from observing a session that can't receive WrapKeySeed yet).\n      this.signingSessions.set(sessionId, {\n        worker,\n        wrapKeySeedPort: signerPort,\n        createdAt: Date.now(),\n      });\n\n    } catch (err) {\n      console.error('[SignerWorkerManager]: Failed to attach WrapKeySeed port to signer worker', err);\n      // Best-effort cleanup\n      try { signerPort?.close(); } catch {}\n      try { vrfPort?.close(); } catch {}\n      this.terminateAndReplaceWorker(worker);\n      this.signingSessions.delete(sessionId);\n      throw err;\n    }\n    return { worker, signerPort, vrfPort };\n  }\n\n  /**\n   * Release a signing session: close ports and terminate/replace the worker to zeroize state.\n   */\n  releaseSigningSession(sessionId: string): void {\n    const entry = this.signingSessions.get(sessionId);\n    if (!entry) return;\n    try { entry.wrapKeySeedPort?.close() } catch {}\n    try { this.terminateAndReplaceWorker(entry.worker) } catch {}\n    this.signingSessions.delete(sessionId);\n  }\n\n  /**\n   * Sweep expired signing sessions based on createdAt and timeout.\n   */\n  sweepExpiredSigningSessions(): void {\n    const now = Date.now();\n    for (const [sessionId, entry] of this.signingSessions.entries()) {\n      if (now - entry.createdAt > this.SIGNING_SESSION_TIMEOUT_MS) {\n        this.releaseSigningSession(sessionId);\n      }\n    }\n  }\n\n  private async createReplacementWorker(): Promise<void> {\n    try {\n      const worker = this.createSecureWorker();\n\n      // Simple health check\n      const healthPromise = new Promise<void>((resolve, reject) => {\n        const timeout = setTimeout(() => reject(new Error('Health check timeout')), 5000);\n\n        const onMessage = (event: MessageEvent) => {\n          if (event.data?.type === WorkerControlMessage.WORKER_READY || event.data?.ready) {\n            worker.removeEventListener('message', onMessage);\n            clearTimeout(timeout);\n            resolve();\n          }\n        };\n\n        worker.addEventListener('message', onMessage);\n        worker.onerror = () => {\n          worker.removeEventListener('message', onMessage);\n          clearTimeout(timeout);\n          reject(new Error('Worker error during health check'));\n        };\n      });\n\n      await healthPromise;\n\n      if (this.workerPool.length < this.MAX_WORKER_POOL_SIZE) {\n        this.workerPool.push(worker);\n      } else {\n        worker.terminate();\n      }\n    } catch (error: unknown) {\n      console.warn('SignerWorkerManager: Failed to create replacement worker:', error);\n    }\n  }\n\n  /**\n   * Pre-warm worker pool by creating and initializing workers in advance\n   * This reduces latency for the first transaction by having workers ready\n   */\n  async preWarmWorkerPool(): Promise<void> {\n    const promises: Promise<void>[] = [];\n\n    for (let i = 0; i < this.MAX_WORKER_POOL_SIZE; i++) {\n      promises.push(\n        new Promise<void>((resolve, reject) => {\n          try {\n            const worker = this.createSecureWorker();\n\n            // Set up one-time ready handler\n            const onReady = (event: MessageEvent) => {\n              if (event.data?.type === WorkerControlMessage.WORKER_READY || event.data?.ready) {\n                worker.removeEventListener('message', onReady);\n                this.terminateAndReplaceWorker(worker);\n                resolve();\n              }\n            };\n\n            worker.addEventListener('message', onReady);\n\n            // Set up error handler\n            worker.onerror = (error) => {\n              worker.removeEventListener('message', onReady);\n              console.error(`WebAuthnManager: Worker ${i + 1} pre-warm failed:`, error);\n              reject(error);\n            };\n\n            // Timeout after 5 seconds\n            setTimeout(() => {\n              worker.removeEventListener('message', onReady);\n              // Pre-warm timeouts are benign; workers will be created on-demand later.\n              // console.debug(`WebAuthnManager: Worker ${i + 1} pre-warm timeout`);\n              reject(new Error('Pre-warm timeout'));\n            }, 5000);\n\n          } catch (error: unknown) {\n            console.error(`WebAuthnManager: Failed to create worker ${i + 1}:`, error);\n            reject(toError(error));\n          }\n        })\n      );\n    }\n\n    try {\n      await Promise.allSettled(promises);\n    } catch (error: unknown) {\n      console.warn('WebAuthnManager: Some workers failed to pre-warm:', error);\n    }\n  }\n\n  private async sendMessage<T extends keyof WorkerRequestTypeMap>({\n    sessionId,\n    message,\n    onEvent,\n    timeoutMs = SIGNER_WORKER_MANAGER_CONFIG.TIMEOUTS.DEFAULT, // 60s\n  }: {\n    sessionId?: string;\n    message: { type: T; payload: WithOptionalSessionId<WorkerRequestTypeMap[T]['request']> };\n    onEvent?: (update: onProgressEvents) => void;\n    timeoutMs?: number;\n  }): Promise<WorkerResponseForRequest<T>> {\n\n    // Clean up any expired signing sessions before allocating a worker\n    this.sweepExpiredSigningSessions();\n\n    const payloadSessionId = (message.payload as any)?.sessionId as string | undefined;\n    if (sessionId && payloadSessionId && payloadSessionId !== sessionId) {\n      throw new Error(\n        `sendMessage: payload.sessionId (${payloadSessionId}) does not match provided sessionId (${sessionId})`\n      );\n    }\n\n    const effectiveSessionId = sessionId || payloadSessionId;\n    const sessionEntry = effectiveSessionId ? this.signingSessions.get(effectiveSessionId) : undefined;\n    if (effectiveSessionId && !sessionEntry) {\n      throw new Error(`Signing session not found for id: ${effectiveSessionId}`);\n    }\n\n    // Normalize/inject sessionId into payload once to avoid duplication at call sites.\n    const finalPayload = effectiveSessionId\n      ? withSessionId(effectiveSessionId, message.payload)\n      : (message.payload);\n\n    const worker = sessionEntry ? sessionEntry.worker : this.getWorkerFromPool();\n    const isSessionWorker = !!sessionEntry;\n\n    return new Promise((resolve, reject) => {\n      const timeoutId = setTimeout(() => {\n        try {\n          if (isSessionWorker && effectiveSessionId) {\n            // Release reserved session to avoid leaking worker/port\n            this.releaseSigningSession(effectiveSessionId);\n          } else {\n            this.terminateAndReplaceWorker(worker);\n          }\n        } catch {}\n        // Notify any open modal host to transition to error state\n        try {\n          const seconds = Math.round(timeoutMs / 1000);\n          window.postMessage({ type: 'MODAL_TIMEOUT', payload: `Timed out after ${seconds}s, try again` }, '*');\n        } catch {}\n        reject(new Error(`Worker operation timed out after ${timeoutMs}ms`));\n      }, timeoutMs);\n\n      const responses: WorkerResponseForRequest<T>[] = [];\n\n      worker.onmessage = async (event) => {\n        try {\n          // Ignore control messages (lifecycle/session setup) – they are handled elsewhere.\n          if (isSignerWorkerControlMessage(event?.data)) {\n            return;\n          }\n          // Ignore readiness pings that can arrive if a worker was just spawned\n          if (event?.data?.type === WorkerControlMessage.WORKER_READY || event?.data?.ready) {\n            return; // not a response to an operation\n          }\n          // Use strong typing from WASM-generated types\n          const response = event.data as WorkerResponseForRequest<T>;\n          responses.push(response);\n\n          // Handle progress updates using WASM-generated numeric enum values\n          if (isWorkerProgress(response)) {\n            const progressResponse = response as WorkerProgressResponse;\n            onEvent?.(progressResponse.payload as onProgressEvents);\n            return; // Continue listening for more messages\n          }\n\n          // Handle errors using WASM-generated enum\n          if (isWorkerError(response)) {\n            clearTimeout(timeoutId);\n            if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n            const errorResponse = response as WorkerErrorResponse;\n            console.error('Worker error response:', errorResponse);\n            reject(new Error(errorResponse.payload.error));\n            return;\n          }\n\n          // Handle successful completion types using strong typing\n          if (isWorkerSuccess(response)) {\n            clearTimeout(timeoutId);\n            if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n            resolve(response as WorkerResponseForRequest<T>);\n            return;\n          }\n\n          // If we reach here, the response doesn't match any expected type\n          console.error('Unexpected worker response format:', {\n            response,\n          });\n\n          // Check if it's a generic Error object\n          if (isObject(response) && 'message' in response && 'stack' in response) {\n            clearTimeout(timeoutId);\n            if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n            console.error('Worker sent generic Error object:', response);\n            reject(new Error(`Worker sent generic error: ${(response as Error).message}`));\n            return;\n          }\n\n          // Unknown response format\n          clearTimeout(timeoutId);\n          if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n          reject(new Error(`Unknown worker response format: ${JSON.stringify(response)}`));\n        } catch (error: unknown) {\n          clearTimeout(timeoutId);\n          if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n          console.error('Error processing worker message:', error);\n          const err = toError(error);\n          reject(new Error(`Worker message processing error: ${err.message}`));\n        }\n      };\n\n      worker.onerror = (event) => {\n        clearTimeout(timeoutId);\n        if (!isSessionWorker) this.terminateAndReplaceWorker(worker);\n        const errorMessage = event.error?.message || event.message || 'Unknown worker error';\n        console.error('Worker error details (progress):', {\n          message: errorMessage,\n          filename: event.filename,\n          lineno: event.lineno,\n          colno: event.colno,\n          error: event.error\n        });\n        reject(new Error(`Worker error: ${errorMessage}`));\n      };\n\n      // Format message for Rust SignerWorkerMessage structure using WASM types\n      const formattedMessage = {\n        type: message.type, // Numeric enum value from WorkerRequestType\n        payload: finalPayload,\n      };\n\n      worker.postMessage(formattedMessage);\n    });\n  }\n\n  /**\n   * Derive NEAR keypair from a serialized WebAuthn registration credential\n   */\n  async deriveNearKeypairAndEncryptFromSerialized(args: {\n    credential: WebAuthnRegistrationCredential;\n    nearAccountId: AccountId;\n    options?: {\n      authenticatorOptions?: AuthenticatorOptions;\n      deviceNumber?: number;\n    };\n    sessionId: string;\n  }): Promise<{\n    success: boolean;\n    nearAccountId: AccountId;\n    publicKey: string;\n    /**\n     * Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key.\n     */\n    chacha20NonceB64u?: string;\n    wrapKeySalt?: string;\n  }> {\n    return deriveNearKeypairAndEncryptFromSerialized({ ctx: this.getContext(), ...args });\n  }\n\n  async deriveThresholdEd25519ClientVerifyingShare(args: {\n    sessionId: string;\n    nearAccountId: AccountId;\n  }): Promise<{\n    success: boolean;\n    nearAccountId: string;\n    clientVerifyingShareB64u: string;\n    wrapKeySalt: string;\n    error?: string;\n  }> {\n    return deriveThresholdEd25519ClientVerifyingShare({\n      ctx: this.getContext(),\n      sessionId: args.sessionId,\n      nearAccountId: String(args.nearAccountId),\n    });\n  }\n\n  /**\n   * Secure private key decryption with dual PRF\n   */\n  async decryptPrivateKeyWithPrf(args: {\n    nearAccountId: AccountId,\n    authenticators: ClientAuthenticatorData[],\n    sessionId: string,\n  }): Promise<{\n    decryptedPrivateKey: string;\n    nearAccountId: AccountId\n  }> {\n    return decryptPrivateKeyWithPrf({ ctx: this.getContext(), ...args });\n  }\n\n  async checkCanRegisterUser(args: {\n    vrfChallenge: VRFChallenge,\n    credential: WebAuthnRegistrationCredential,\n    contractId: string;\n    nearRpcUrl: string;\n    authenticatorOptions?: AuthenticatorOptions; // Authenticator options for registration check\n    onEvent?: (update: RegistrationEventStep3) => void;\n  }): Promise<{\n    success: boolean;\n    verified?: boolean;\n    registrationInfo?: unknown;\n    logs?: string[];\n    signedTransactionBorsh?: number[];\n    error?: string;\n  }> {\n    return checkCanRegisterUser({ ctx: this.getContext(), ...args });\n  }\n\n  /**\n   * Combined Device2 registration: derive NEAR keypair + sign registration transaction\n   * in a single operation without requiring a separate authentication prompt.\n   *\n   * This replaces the old two-step flow (register → authenticate → sign).\n   * PRF.second and WrapKeySeed are already in the signer worker via MessagePort.\n   */\n  async registerDevice2WithDerivedKey(args: {\n    sessionId: string;\n    nearAccountId: AccountId;\n    credential: WebAuthnRegistrationCredential;\n    vrfChallenge: VRFChallenge;\n    transactionContext: TransactionContext;\n    contractId: string;\n    wrapKeySalt: string;\n    deviceNumber?: number;\n    deterministicVrfPublicKey: string;\n  }): Promise<{\n    success: boolean;\n    publicKey: string;\n    signedTransaction: any;\n    wrapKeySalt: string;\n    encryptedData?: string;\n    /**\n     * Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key.\n     */\n    chacha20NonceB64u?: string;\n    error?: string;\n  }> {\n    return registerDevice2WithDerivedKey({ ctx: this.getContext(), ...args });\n  }\n\n  // === ACTION-BASED SIGNING METHODS ===\n\n  /**\n   * Sign multiple transactions with shared VRF challenge and credential\n   * Efficiently processes multiple transactions with one PRF authentication\n   */\n  async signTransactionsWithActions(args: {\n    transactions: TransactionInputWasm[],\n    rpcCall: RpcCallPayload,\n    signerMode: SignerMode,\n    onEvent?: (update: onProgressEvents) => void,\n    confirmationConfigOverride?: Partial<ConfirmationConfig>,\n    title?: string;\n    body?: string;\n    sessionId: string,\n  }): Promise<Array<{\n    signedTransaction: SignedTransaction;\n    nearAccountId: AccountId;\n    logs?: string[]\n  }>> {\n    return signTransactionsWithActions({\n      ctx: this.getContext(),\n      ...args\n    });\n  }\n\n  async signDelegateAction(args: {\n    delegate: DelegateActionInput;\n    rpcCall: RpcCallPayload;\n    signerMode: SignerMode;\n    onEvent?: (update: onProgressEvents) => void;\n    confirmationConfigOverride?: Partial<ConfirmationConfig>;\n    title?: string;\n    body?: string;\n    sessionId: string;\n  }): Promise<{\n    signedDelegate: WasmSignedDelegate;\n    hash: string;\n    nearAccountId: AccountId;\n    logs?: string[];\n  }> {\n    return signDelegateAction({ ctx: this.getContext(), ...args });\n  }\n\n  /**\n   * Recover keypair from authentication credential for account recovery\n   * Uses dual PRF-based Ed25519 key derivation with account-specific HKDF and AES encryption\n   */\n  async recoverKeypairFromPasskey(args: {\n    credential: WebAuthnAuthenticationCredential;\n    accountIdHint?: string;\n    sessionId: string,\n  }): Promise<{\n    publicKey: string;\n    encryptedPrivateKey: string;\n    /** Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for encrypted key */\n    chacha20NonceB64u: string;\n    accountIdHint?: string;\n    wrapKeySalt: string;\n  }> {\n    return recoverKeypairFromPasskey({ ctx: this.getContext(), ...args });\n  }\n\n  /**\n   * Extract COSE public key from WebAuthn attestation object\n   * Simple operation that doesn't require TouchID or progress updates\n   */\n  async extractCosePublicKey(attestationObjectBase64url: string): Promise<Uint8Array> {\n    return extractCosePublicKey({ ctx: this.getContext(), attestationObjectBase64url });\n  }\n\n  /**\n   * Sign transaction with raw private key (for key replacement in Option D device linking)\n   * No TouchID/PRF required - uses provided private key directly\n   */\n  async signTransactionWithKeyPair(args: {\n    nearPrivateKey: string;\n    signerAccountId: string;\n    receiverId: string;\n    nonce: string;\n    blockHash: string;\n    actions: ActionArgsWasm[];\n  }): Promise<{\n    signedTransaction: SignedTransaction;\n    logs?: string[];\n  }> {\n    return signTransactionWithKeyPair({ ctx: this.getContext(), ...args });\n  }\n\n  /**\n   * Sign a NEP-413 message using the user's passkey-derived private key\n   *\n   * @param payload - NEP-413 signing parameters including message, recipient, nonce, and state\n   * @returns Promise resolving to signing result with account ID, public key, and signature\n   */\n  async signNep413Message(payload: {\n    message: string;\n    recipient: string;\n    nonce: string;\n    state: string | null;\n    accountId: string;\n    signerMode: SignerMode;\n    title?: string;\n    body?: string;\n    confirmationConfigOverride?: Partial<ConfirmationConfig>;\n    sessionId: string;\n    contractId?: string;\n    nearRpcUrl?: string;\n  }): Promise<{\n    success: boolean;\n    accountId: string;\n    publicKey: string;\n    signature: string;\n    state?: string;\n    error?: string;\n  }> {\n    return signNep413Message({\n      ctx: this.getContext(),\n      payload\n    });\n  }\n\n  /**\n   * Two-phase export (worker-driven):\n   *  - Phase 1: collect PRF (uiMode: 'skip')\n   *  - Decrypt inside worker\n   *  - Phase 2: show export UI with decrypted key (kept open until user closes)\n   */\n  async exportNearKeypairUi(args: {\n    nearAccountId: AccountId,\n    variant?: 'drawer'|'modal',\n    theme?: 'dark'|'light',\n    sessionId: string,\n  }): Promise<void> {\n    return exportNearKeypairUi({ ctx: this.getContext(), ...args });\n  }\n\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6FA,IAAa,sBAAb,MAAiC;CAE/B,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YACE,kBACA,YACA,wBACA,cACA,YACA,cACA,8CAAuD,MACvD,iBACA;AACA,OAAK,YAAY;AACjB,OAAK,gBAAgB,IAAI,cAAc,cAAc;AACrD,OAAK,mBAAmB;AACxB,OAAK,aAAa;AAClB,OAAK,yBAAyB;AAC9B,OAAK,eAAe;AACpB,OAAK,aAAa;AAClB,OAAK,kBAAkB;;CAGzB,oBAAoB,QAAkC;AACpD,OAAK,mBAAmB;;CAG1B,aAAyC;AACvC,SAAO;GACL,aAAa,KAAK,YAAY,KAAK;GACnC,WAAW,KAAK;GAChB,eAAe,KAAK;GACpB,kBAAkB,KAAK;GACvB,YAAY,KAAK;GACjB,wBAAwB,KAAK;GAC7B,cAAc,KAAK;GACnB,cAAc,KAAK,cAAc;GACjC,iBAAiB,KAAK;GACtB,YAAY,KAAK;;;CAIrB,qBAA6B;EAC3B,MAAM,eAAe,iBACnB,6BAA6B,OAAO,KACpC;GAAE,QAAQ;GAAU,YAAY,KAAK;;AAEvC,MAAI;GACF,MAAM,SAAS,IAAI,OAAO,cAAc;IACtC,MAAM,6BAA6B,OAAO;IAC1C,MAAM,6BAA6B,OAAO;;AAG5C,UAAO,gBAAgB;AACvB,UAAO;WACA,OAAO;GAId,MAAM,MAAM,iBAAiB,QAAQ,MAAM,UAAU,OAAO;AAC5D,SAAM,IAAI,MAAM,mCAAmC;;;;;;;;;;;;;;;CAgBvD,AAAQ,aAAuB;CAC/B,AAAiB,uBAAuB;CAExC,AAAQ,kCAAoD,IAAI;CAChE,AAAiB,6BAA6B,MAAS;CAEvD,AAAQ,oBAA4B;AAClC,MAAI,KAAK,WAAW,SAAS,EAC3B,QAAO,KAAK,WAAW;AAEzB,SAAO,KAAK;;CAGd,AAAQ,0BAA0B,QAAsB;AAEtD,SAAO;AAEP,OAAK;;;;;;;;;;;;;;;;;;;;;CAsBP,MAAM,2BAA2B,WAAmB,MAAmH;AACrK,MAAI,KAAK,gBAAgB,IAAI,WAC3B,OAAM,IAAI,MAAM,0CAA0C;EAG5D,MAAM,SAAS,KAAK;EACpB,IAAI,aAAa,MAAM;EACvB,IAAIA;AACJ,MAAI,CAAC,YAAY;GAIf,MAAM,UAAU,IAAI;AACpB,gBAAa,QAAQ;AACrB,aAAU,QAAQ;;AAIpB,MAAI;AACF,OAAI,CAAC,WACH,OAAM,IAAI,MAAM;AAIlB,SAAM,kBAAkB,QAAQ,WAAW;AAI3C,QAAK,gBAAgB,IAAI,WAAW;IAClC;IACA,iBAAiB;IACjB,WAAW,KAAK;;WAGX,KAAK;AACZ,WAAQ,MAAM,6EAA6E;AAE3F,OAAI;AAAE,gBAAY;WAAiB;AACnC,OAAI;AAAE,aAAS;WAAiB;AAChC,QAAK,0BAA0B;AAC/B,QAAK,gBAAgB,OAAO;AAC5B,SAAM;;AAER,SAAO;GAAE;GAAQ;GAAY;;;;;;CAM/B,sBAAsB,WAAyB;EAC7C,MAAM,QAAQ,KAAK,gBAAgB,IAAI;AACvC,MAAI,CAAC,MAAO;AACZ,MAAI;AAAE,SAAM,iBAAiB;UAAgB;AAC7C,MAAI;AAAE,QAAK,0BAA0B,MAAM;UAAgB;AAC3D,OAAK,gBAAgB,OAAO;;;;;CAM9B,8BAAoC;EAClC,MAAM,MAAM,KAAK;AACjB,OAAK,MAAM,CAAC,WAAW,UAAU,KAAK,gBAAgB,UACpD,KAAI,MAAM,MAAM,YAAY,KAAK,2BAC/B,MAAK,sBAAsB;;CAKjC,MAAc,0BAAyC;AACrD,MAAI;GACF,MAAM,SAAS,KAAK;GAGpB,MAAM,gBAAgB,IAAI,SAAe,SAAS,WAAW;IAC3D,MAAM,UAAU,iBAAiB,uBAAO,IAAI,MAAM,0BAA0B;IAE5E,MAAM,aAAa,UAAwB;AACzC,SAAI,MAAM,MAAM,SAAS,qBAAqB,gBAAgB,MAAM,MAAM,OAAO;AAC/E,aAAO,oBAAoB,WAAW;AACtC,mBAAa;AACb;;;AAIJ,WAAO,iBAAiB,WAAW;AACnC,WAAO,gBAAgB;AACrB,YAAO,oBAAoB,WAAW;AACtC,kBAAa;AACb,4BAAO,IAAI,MAAM;;;AAIrB,SAAM;AAEN,OAAI,KAAK,WAAW,SAAS,KAAK,qBAChC,MAAK,WAAW,KAAK;OAErB,QAAO;WAEFC,OAAgB;AACvB,WAAQ,KAAK,6DAA6D;;;;;;;CAQ9E,MAAM,oBAAmC;EACvC,MAAMC,WAA4B;AAElC,OAAK,IAAI,IAAI,GAAG,IAAI,KAAK,sBAAsB,IAC7C,UAAS,KACP,IAAI,SAAe,SAAS,WAAW;AACrC,OAAI;IACF,MAAM,SAAS,KAAK;IAGpB,MAAM,WAAW,UAAwB;AACvC,SAAI,MAAM,MAAM,SAAS,qBAAqB,gBAAgB,MAAM,MAAM,OAAO;AAC/E,aAAO,oBAAoB,WAAW;AACtC,WAAK,0BAA0B;AAC/B;;;AAIJ,WAAO,iBAAiB,WAAW;AAGnC,WAAO,WAAW,UAAU;AAC1B,YAAO,oBAAoB,WAAW;AACtC,aAAQ,MAAM,2BAA2B,IAAI,EAAE,oBAAoB;AACnE,YAAO;;AAIT,qBAAiB;AACf,YAAO,oBAAoB,WAAW;AAGtC,4BAAO,IAAI,MAAM;OAChB;YAEID,OAAgB;AACvB,YAAQ,MAAM,4CAA4C,IAAI,EAAE,IAAI;AACpE,WAAO,QAAQ;;;AAMvB,MAAI;AACF,SAAM,QAAQ,WAAW;WAClBA,OAAgB;AACvB,WAAQ,KAAK,qDAAqD;;;CAItE,MAAc,YAAkD,EAC9D,WACA,SACA,SACA,YAAY,6BAA6B,SAAS,WAMX;AAGvC,OAAK;EAEL,MAAM,mBAAoB,QAAQ,SAAiB;AACnD,MAAI,aAAa,oBAAoB,qBAAqB,UACxD,OAAM,IAAI,MACR,mCAAmC,iBAAiB,uCAAuC,UAAU;EAIzG,MAAM,qBAAqB,aAAa;EACxC,MAAM,eAAe,qBAAqB,KAAK,gBAAgB,IAAI,sBAAsB;AACzF,MAAI,sBAAsB,CAAC,aACzB,OAAM,IAAI,MAAM,qCAAqC;EAIvD,MAAM,eAAe,qBACjB,cAAc,oBAAoB,QAAQ,WACzC,QAAQ;EAEb,MAAM,SAAS,eAAe,aAAa,SAAS,KAAK;EACzD,MAAM,kBAAkB,CAAC,CAAC;AAE1B,SAAO,IAAI,SAAS,SAAS,WAAW;GACtC,MAAM,YAAY,iBAAiB;AACjC,QAAI;AACF,SAAI,mBAAmB,mBAErB,MAAK,sBAAsB;SAE3B,MAAK,0BAA0B;YAE3B;AAER,QAAI;KACF,MAAM,UAAU,KAAK,MAAM,YAAY;AACvC,YAAO,YAAY;MAAE,MAAM;MAAiB,SAAS,mBAAmB,QAAQ;QAAiB;YAC3F;AACR,2BAAO,IAAI,MAAM,oCAAoC,UAAU;MAC9D;GAEH,MAAME,YAA2C;AAEjD,UAAO,YAAY,OAAO,UAAU;AAClC,QAAI;AAEF,SAAI,6BAA6B,OAAO,MACtC;AAGF,SAAI,OAAO,MAAM,SAAS,qBAAqB,gBAAgB,OAAO,MAAM,MAC1E;KAGF,MAAM,WAAW,MAAM;AACvB,eAAU,KAAK;AAGf,SAAI,iBAAiB,WAAW;MAC9B,MAAM,mBAAmB;AACzB,gBAAU,iBAAiB;AAC3B;;AAIF,SAAI,cAAc,WAAW;AAC3B,mBAAa;AACb,UAAI,CAAC,gBAAiB,MAAK,0BAA0B;MACrD,MAAM,gBAAgB;AACtB,cAAQ,MAAM,0BAA0B;AACxC,aAAO,IAAI,MAAM,cAAc,QAAQ;AACvC;;AAIF,SAAI,gBAAgB,WAAW;AAC7B,mBAAa;AACb,UAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,cAAQ;AACR;;AAIF,aAAQ,MAAM,sCAAsC,EAClD;AAIF,SAAI,SAAS,aAAa,aAAa,YAAY,WAAW,UAAU;AACtE,mBAAa;AACb,UAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,cAAQ,MAAM,qCAAqC;AACnD,6BAAO,IAAI,MAAM,8BAA+B,SAAmB;AACnE;;AAIF,kBAAa;AACb,SAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,4BAAO,IAAI,MAAM,mCAAmC,KAAK,UAAU;aAC5DF,OAAgB;AACvB,kBAAa;AACb,SAAI,CAAC,gBAAiB,MAAK,0BAA0B;AACrD,aAAQ,MAAM,oCAAoC;KAClD,MAAM,MAAM,QAAQ;AACpB,4BAAO,IAAI,MAAM,oCAAoC,IAAI;;;AAI7D,UAAO,WAAW,UAAU;AAC1B,iBAAa;AACb,QAAI,CAAC,gBAAiB,MAAK,0BAA0B;IACrD,MAAM,eAAe,MAAM,OAAO,WAAW,MAAM,WAAW;AAC9D,YAAQ,MAAM,oCAAoC;KAChD,SAAS;KACT,UAAU,MAAM;KAChB,QAAQ,MAAM;KACd,OAAO,MAAM;KACb,OAAO,MAAM;;AAEf,2BAAO,IAAI,MAAM,iBAAiB;;GAIpC,MAAM,mBAAmB;IACvB,MAAM,QAAQ;IACd,SAAS;;AAGX,UAAO,YAAY;;;;;;CAOvB,MAAM,0CAA0C,MAiB7C;AACD,SAAO,0CAA0C;GAAE,KAAK,KAAK;GAAc,GAAG;;;CAGhF,MAAM,2CAA2C,MAS9C;AACD,SAAO,2CAA2C;GAChD,KAAK,KAAK;GACV,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;;;;;;CAO/B,MAAM,yBAAyB,MAO5B;AACD,SAAO,yBAAyB;GAAE,KAAK,KAAK;GAAc,GAAG;;;CAG/D,MAAM,qBAAqB,MAcxB;AACD,SAAO,qBAAqB;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;;;;CAU3D,MAAM,8BAA8B,MAqBjC;AACD,SAAO,8BAA8B;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;CASpE,MAAM,4BAA4B,MAa9B;AACF,SAAO,4BAA4B;GACjC,KAAK,KAAK;GACV,GAAG;;;CAIP,MAAM,mBAAmB,MActB;AACD,SAAO,mBAAmB;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;CAOzD,MAAM,0BAA0B,MAW7B;AACD,SAAO,0BAA0B;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;CAOhE,MAAM,qBAAqB,4BAAyD;AAClF,SAAO,qBAAqB;GAAE,KAAK,KAAK;GAAc;;;;;;;CAOxD,MAAM,2BAA2B,MAU9B;AACD,SAAO,2BAA2B;GAAE,KAAK,KAAK;GAAc,GAAG;;;;;;;;;CASjE,MAAM,kBAAkB,SAoBrB;AACD,SAAO,kBAAkB;GACvB,KAAK,KAAK;GACV;;;;;;;;;CAUJ,MAAM,oBAAoB,MAKR;AAChB,SAAO,oBAAoB;GAAE,KAAK,KAAK;GAAc,GAAG"}

package/dist/esm/core/WebAuthnManager/SignerWorkerManager/sessionHandshake.js.map

@@ -1 +1 @@
-{"version":3,"file":"sessionHandshake.js","names":[],"sources":["../../../../../src/core/WebAuthnManager/SignerWorkerManager/sessionHandshake.ts"],"sourcesContent":["/**\n * Session Handshake Orchestration for Signer Worker\n *\n * This module provides high-level functions for setting up and validating\n * signing sessions with the signer worker. It orchestrates the complete\n * handshake flow for port attachment so the VRF worker can deliver WrapKeySeed\n * to the signer worker over a session MessagePort.\n */\n\nimport { waitForWrapKeyPortAttach } from './sessionMessages.js';\nimport { computeUiIntentDigestFromTxs, orderActionForDigest } from '../txDigest';\nimport type { NearClient } from '../../NearClient';\nimport type { NonceManager } from '../../nonceManager';\nimport type { TransactionContext } from '../../types/rpc';\nimport type { TransactionInputWasm } from '../../types/actions';\nimport { WorkerControlMessage } from '../../workerControlMessages';\n\ntype VrfSessionKeyDispenser = {\n  dispenseSessionKey: (args: { sessionId: string; uses?: number }) => Promise<unknown>;\n};\n\n/**\n * Attach a WrapKeySeed MessagePort to the signer worker and wait for acknowledgment.\n * This ensures the port is successfully attached before proceeding.\n *\n * Flow:\n * 1. Register ACK listener (avoids race where worker responds before we listen)\n * 2. Send ATTACH_WRAP_KEY_SEED_PORT message with port transfer\n * 3. Wait for ATTACH_WRAP_KEY_SEED_PORT_OK acknowledgment\n *\n * @param worker - The signer worker to attach the port to\n * @param sessionId - The signing session ID\n * @param signerPort - The MessagePort for receiving WrapKeySeed material\n * @param timeoutMs - How long to wait for ACK (default: 2000ms)\n * @throws Error if attachment fails or times out\n */\nexport async function attachSessionPort(\n  worker: Worker,\n  sessionId: string,\n  signerPort: MessagePort,\n  timeoutMs: number = 2000\n): Promise<void> {\n  // Register the ACK listener BEFORE sending the message to avoid race condition\n  const waitPromise = waitForWrapKeyPortAttach(worker, sessionId, timeoutMs);\n\n  // Send the attach command (transfer the port)\n  worker.postMessage(\n    { type: WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT, sessionId },\n    [signerPort]\n  );\n\n  // Wait for the worker to acknowledge successful attachment\n  await waitPromise;\n}\n\nexport const generateSessionId = (): string => {\n  return (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function')\n    ? crypto.randomUUID()\n    : `sign-session-${Date.now()}-${Math.random().toString(16).slice(2)}`\n}\n\nexport function isWarmSessionUnavailableError(err: unknown): boolean {\n  const msg = err instanceof Error ? err.message : String(err);\n  return (\n    msg.includes('SESSION_NOT_FOUND') ||\n    msg.includes('SESSION_EXPIRED') ||\n    msg.includes('SESSION_EXHAUSTED')\n  );\n}\n\nfunction releaseNoncesBestEffort(nonceManager: NonceManager, nonces: string[]): void {\n  for (const n of nonces) {\n    try { nonceManager.releaseNonce(n); } catch {}\n  }\n}\n\n/**\n * Warm signing helper for transaction-like operations.\n *\n * - Computes canonical `intentDigest` for UI/signer validation\n * - Reserves nonces for `txCount` to avoid collisions\n * - Attempts VRF session key dispense (WrapKeySeed + wrapKeySalt) without prompting\n *\n * Returns null when the VRF session is missing/expired/exhausted so callers can\n * fall back to full confirmTxFlow.\n */\nexport async function tryPrepareWarmSigningContext(args: {\n  nearClient: NearClient;\n  nonceManager: NonceManager;\n  txInputsForDigest: TransactionInputWasm[];\n  sessionId: string;\n  vrfWorkerManager: VrfSessionKeyDispenser;\n  nonceCount?: number;\n  uses?: number;\n}): Promise<{ intentDigest: string; transactionContext: TransactionContext } | null> {\n  const baseCtx = await args.nonceManager.getNonceBlockHashAndHeight(args.nearClient);\n  const txCount = Math.max(1, args.nonceCount ?? args.txInputsForDigest.length ?? 1);\n  const reservedNonces = args.nonceManager.reserveNonces(txCount);\n\n  let keepReservations = false;\n  try {\n    const transactionContext: TransactionContext = {\n      ...baseCtx,\n      nextNonce: reservedNonces[0] ?? baseCtx.nextNonce,\n    };\n\n    const intentDigest = await computeUiIntentDigestFromTxs(\n      args.txInputsForDigest.map(tx => ({\n        receiverId: tx.receiverId,\n        actions: tx.actions.map(orderActionForDigest),\n      })) as TransactionInputWasm[]\n    );\n\n    const uses = Math.max(1, args.uses ?? txCount);\n    try {\n      await args.vrfWorkerManager.dispenseSessionKey({ sessionId: args.sessionId, uses });\n    } catch (err) {\n      if (isWarmSessionUnavailableError(err)) {\n        return null;\n      }\n      throw err;\n    }\n\n    keepReservations = true;\n    return { intentDigest, transactionContext };\n  } finally {\n    if (!keepReservations) {\n      releaseNoncesBestEffort(args.nonceManager, reservedNonces);\n    }\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAoCA,eAAsB,kBACpB,QACA,WACA,YACA,YAAoB,KACL;CAEf,MAAM,cAAc,yBAAyB,QAAQ,WAAW;AAGhE,QAAO,YACL;EAAE,MAAM,qBAAqB;EAA2B;IACxD,CAAC;AAIH,OAAM;;AAGR,MAAa,0BAAkC;AAC7C,QAAQ,OAAO,WAAW,eAAe,OAAO,OAAO,eAAe,aAClE,OAAO,eACP,gBAAgB,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM"}
+{"version":3,"file":"sessionHandshake.js","names":[],"sources":["../../../../../src/core/WebAuthnManager/SignerWorkerManager/sessionHandshake.ts"],"sourcesContent":["/**\n * Session Handshake Orchestration for Signer Worker\n *\n * This module provides high-level functions for setting up and validating\n * signing sessions with the signer worker. It orchestrates the complete\n * handshake flow for port attachment so the VRF worker can deliver WrapKeySeed\n * to the signer worker over a session MessagePort.\n */\n\nimport { waitForWrapKeyPortAttach } from './sessionMessages.js';\nimport { computeUiIntentDigestFromTxs, orderActionForDigest } from '../../digests/intentDigest';\nimport type { NearClient } from '../../NearClient';\nimport type { NonceManager } from '../../nonceManager';\nimport type { TransactionContext } from '../../types/rpc';\nimport type { TransactionInputWasm } from '../../types/actions';\nimport { WorkerControlMessage } from '../../workerControlMessages';\n\ntype VrfSessionKeyDispenser = {\n  dispenseSessionKey: (args: { sessionId: string; uses?: number }) => Promise<unknown>;\n};\n\n/**\n * Attach a WrapKeySeed MessagePort to the signer worker and wait for acknowledgment.\n * This ensures the port is successfully attached before proceeding.\n *\n * Flow:\n * 1. Register ACK listener (avoids race where worker responds before we listen)\n * 2. Send ATTACH_WRAP_KEY_SEED_PORT message with port transfer\n * 3. Wait for ATTACH_WRAP_KEY_SEED_PORT_OK acknowledgment\n *\n * @param worker - The signer worker to attach the port to\n * @param sessionId - The signing session ID\n * @param signerPort - The MessagePort for receiving WrapKeySeed material\n * @param timeoutMs - How long to wait for ACK (default: 2000ms)\n * @throws Error if attachment fails or times out\n */\nexport async function attachSessionPort(\n  worker: Worker,\n  sessionId: string,\n  signerPort: MessagePort,\n  timeoutMs: number = 2000\n): Promise<void> {\n  // Register the ACK listener BEFORE sending the message to avoid race condition\n  const waitPromise = waitForWrapKeyPortAttach(worker, sessionId, timeoutMs);\n\n  // Send the attach command (transfer the port)\n  worker.postMessage(\n    { type: WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT, sessionId },\n    [signerPort]\n  );\n\n  // Wait for the worker to acknowledge successful attachment\n  await waitPromise;\n}\n\nexport const generateSessionId = (): string => {\n  return (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function')\n    ? crypto.randomUUID()\n    : `sign-session-${Date.now()}-${Math.random().toString(16).slice(2)}`\n}\n\nexport function isWarmSessionUnavailableError(err: unknown): boolean {\n  const msg = err instanceof Error ? err.message : String(err);\n  return (\n    msg.includes('SESSION_NOT_FOUND') ||\n    msg.includes('SESSION_EXPIRED') ||\n    msg.includes('SESSION_EXHAUSTED')\n  );\n}\n\nfunction releaseNoncesBestEffort(nonceManager: NonceManager, nonces: string[]): void {\n  for (const n of nonces) {\n    try { nonceManager.releaseNonce(n); } catch {}\n  }\n}\n\n/**\n * Warm signing helper for transaction-like operations.\n *\n * - Computes canonical `intentDigest` for UI/signer validation\n * - Reserves nonces for `txCount` to avoid collisions\n * - Attempts VRF session key dispense (WrapKeySeed + wrapKeySalt) without prompting\n *\n * Returns null when the VRF session is missing/expired/exhausted so callers can\n * fall back to full confirmTxFlow.\n */\nexport async function tryPrepareWarmSigningContext(args: {\n  nearClient: NearClient;\n  nonceManager: NonceManager;\n  txInputsForDigest: TransactionInputWasm[];\n  sessionId: string;\n  vrfWorkerManager: VrfSessionKeyDispenser;\n  nonceCount?: number;\n  uses?: number;\n}): Promise<{ intentDigest: string; transactionContext: TransactionContext } | null> {\n  const baseCtx = await args.nonceManager.getNonceBlockHashAndHeight(args.nearClient);\n  const txCount = Math.max(1, args.nonceCount ?? args.txInputsForDigest.length ?? 1);\n  const reservedNonces = args.nonceManager.reserveNonces(txCount);\n\n  let keepReservations = false;\n  try {\n    const transactionContext: TransactionContext = {\n      ...baseCtx,\n      nextNonce: reservedNonces[0] ?? baseCtx.nextNonce,\n    };\n\n    const intentDigest = await computeUiIntentDigestFromTxs(\n      args.txInputsForDigest.map(tx => ({\n        receiverId: tx.receiverId,\n        actions: tx.actions.map(orderActionForDigest),\n      })) as TransactionInputWasm[]\n    );\n\n    const uses = Math.max(1, args.uses ?? txCount);\n    try {\n      await args.vrfWorkerManager.dispenseSessionKey({ sessionId: args.sessionId, uses });\n    } catch (err) {\n      if (isWarmSessionUnavailableError(err)) {\n        return null;\n      }\n      throw err;\n    }\n\n    keepReservations = true;\n    return { intentDigest, transactionContext };\n  } finally {\n    if (!keepReservations) {\n      releaseNoncesBestEffort(args.nonceManager, reservedNonces);\n    }\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAoCA,eAAsB,kBACpB,QACA,WACA,YACA,YAAoB,KACL;CAEf,MAAM,cAAc,yBAAyB,QAAQ,WAAW;AAGhE,QAAO,YACL;EAAE,MAAM,qBAAqB;EAA2B;IACxD,CAAC;AAIH,OAAM;;AAGR,MAAa,0BAAkC;AAC7C,QAAQ,OAAO,WAAW,eAAe,OAAO,OAAO,eAAe,aAClE,OAAO,eACP,gBAAgB,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM"}

package/dist/esm/core/WebAuthnManager/SignerWorkerManager/sessionMessages.js

@@ -1,13 +1,24 @@
 import { WorkerControlMessage } from "../../workerControlMessages.js";
 
 //#region src/core/WebAuthnManager/SignerWorkerManager/sessionMessages.ts
+function asSessionMessage(msg) {
+	if (!isObject(msg)) return null;
+	if (typeof msg.type !== "string") return null;
+	if (msg.sessionId != null && typeof msg.sessionId !== "string") return null;
+	if (msg.error != null && typeof msg.error !== "string") return null;
+	return msg;
+}
 /**
 * Type guard to check if a message is a control message.
 */
 function isSignerWorkerControlMessage(msg) {
 	if (!isObject(msg) || typeof msg.type !== "string") return false;
-	const type = msg.type;
-	return type === WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK || type === WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR || type === WorkerControlMessage.WORKER_READY;
+	switch (msg.type) {
+		case WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK: return typeof msg.sessionId === "string";
+		case WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR: return typeof msg.sessionId === "string" && typeof msg.error === "string";
+		case WorkerControlMessage.WORKER_READY: return typeof msg.ready === "boolean";
+		default: return false;
+	}
 }
 function isObject(value) {
 	return typeof value === "object" && value !== null;
@@ -29,8 +40,8 @@ function waitForSessionMessage(worker, options) {
 			reject(/* @__PURE__ */ new Error(`Timeout waiting for session message (${successTypes.join("|")})${sessionId ? ` for session ${sessionId}` : ""}`));
 		}, timeoutMs);
 		const messageHandler = (event) => {
-			const msg = event.data;
-			if (!msg || typeof msg.type !== "string") return;
+			const msg = asSessionMessage(event.data);
+			if (!msg) return;
 			if (sessionId && msg.sessionId !== sessionId) return;
 			if (errorType && msg.type === errorType) {
 				cleanup();

package/dist/esm/core/WebAuthnManager/SignerWorkerManager/sessionMessages.js.map

@@ -1 +1 @@
-{"version":3,"file":"sessionMessages.js","names":[],"sources":["../../../../../src/core/WebAuthnManager/SignerWorkerManager/sessionMessages.ts"],"sourcesContent":["/**\n * Session Message Handling for Signer Worker\n *\n * This module provides helpers for waiting on session lifecycle messages from the signer worker.\n * Session messages are JS-only messages that never go through the Rust JSON pipeline\n * and are used for worker lifecycle management and session setup.\n */\n\nimport { WorkerControlMessage } from '../../workerControlMessages';\n\n// === SESSION MESSAGE TYPES ===\n\n/**\n * Control message sent by the signer worker after successfully attaching\n * a WrapKeySeed MessagePort for a signing session.\n */\nexport interface AttachWrapKeySeedPortOkMessage {\n  type: typeof WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK;\n  sessionId: string;\n}\n\n/**\n * Control message sent by the signer worker when attaching a WrapKeySeed\n * MessagePort fails.\n */\nexport interface AttachWrapKeySeedPortErrorMessage {\n  type: typeof WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR;\n  sessionId: string;\n  error: string;\n}\n\n/**\n * Control message sent by the signer worker when it's ready to receive messages.\n */\nexport interface WorkerReadyMessage {\n  type: typeof WorkerControlMessage.WORKER_READY;\n  ready: boolean;\n}\n\n/**\n * All control messages that can be sent by the signer worker.\n */\nexport type SignerWorkerControlMessage =\n  | AttachWrapKeySeedPortOkMessage\n  | AttachWrapKeySeedPortErrorMessage\n  | WorkerReadyMessage;\n\n/**\n * Type guard to check if a message is a control message.\n */\nexport function isSignerWorkerControlMessage(msg: unknown): msg is SignerWorkerControlMessage {\n  if (!isObject(msg) || typeof (msg as any).type !== 'string') {\n    return false;\n  }\n  const type = (msg as any).type;\n  return type === WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK\n    || type === WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR\n    || type === WorkerControlMessage.WORKER_READY;\n}\n\nfunction isObject(value: unknown): value is Record<string, unknown> {\n  return typeof value === 'object' && value !== null;\n}\n\n// === SESSION MESSAGE HELPERS ===\n\n/**\n * Generic helper for waiting on session messages from a worker.\n * Registers a listener, sends no message (caller handles that), and waits for a matching response.\n *\n * @param worker - The worker to listen to\n * @param options - Configuration for what to wait for\n * @returns Promise that resolves when the expected message arrives, rejects on timeout or error\n */\nexport function waitForSessionMessage(\n  worker: Worker,\n  options: {\n    /** Message type(s) to wait for (success) */\n    successType: string | string[];\n    /** Optional error type to reject on */\n    errorType?: string;\n    /** Session ID to match (if applicable) */\n    sessionId?: string;\n    /** Timeout in milliseconds */\n    timeoutMs?: number;\n    /** Custom message validator - return true to resolve, false to ignore, throw to reject */\n    validator?: (msg: any) => boolean;\n  }\n): Promise<void> {\n  const {\n    successType,\n    errorType,\n    sessionId,\n    timeoutMs = 2000,\n    validator,\n  } = options;\n\n  const successTypes = Array.isArray(successType) ? successType : [successType];\n\n  return new Promise<void>((resolve, reject) => {\n    const timeout = setTimeout(() => {\n      cleanup();\n      reject(new Error(\n        `Timeout waiting for session message (${successTypes.join('|')})${sessionId ? ` for session ${sessionId}` : ''}`\n      ));\n    }, timeoutMs);\n\n    const messageHandler = (event: MessageEvent) => {\n      const msg = event.data;\n\n      // Skip if message doesn't have a type\n      if (!msg || typeof msg.type !== 'string') {\n        return;\n      }\n\n      // Check if sessionId matches (if specified)\n      if (sessionId && msg.sessionId !== sessionId) {\n        return;\n      }\n\n      // Check for error type\n      if (errorType && msg.type === errorType) {\n        cleanup();\n        const error = msg.error || 'Unknown error';\n        reject(new Error(`Session message error: ${error}`));\n        return;\n      }\n\n      // Check for success type\n      if (successTypes.includes(msg.type)) {\n        // Run custom validator if provided\n        if (validator) {\n          try {\n            const shouldResolve = validator(msg);\n            if (!shouldResolve) {\n              return; // Validator said to ignore this message\n            }\n          } catch (err) {\n            cleanup();\n            reject(err);\n            return;\n          }\n        }\n\n        cleanup();\n        resolve();\n      }\n    };\n\n    const cleanup = () => {\n      clearTimeout(timeout);\n      worker.removeEventListener('message', messageHandler);\n    };\n\n    worker.addEventListener('message', messageHandler);\n  });\n}\n\n/**\n * Wait for the worker to acknowledge successful attachment of the WrapKeySeed port.\n * This provides early detection of attach failures instead of only seeing late WASM errors.\n *\n * @param worker - The worker that should send the ACK\n * @param sessionId - The session ID to match\n * @param timeoutMs - How long to wait before rejecting (default: 2000ms)\n * @returns Promise that resolves on success ACK, rejects on error or timeout\n */\nexport function waitForWrapKeyPortAttach(\n  worker: Worker,\n  sessionId: string,\n  timeoutMs: number = 2000\n): Promise<void> {\n  return waitForSessionMessage(worker, {\n    successType: WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK,\n    errorType: WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR,\n    sessionId,\n    timeoutMs,\n  });\n}\n"],"mappings":";;;;;;AAkDA,SAAgB,6BAA6B,KAAiD;AAC5F,KAAI,CAAC,SAAS,QAAQ,OAAQ,IAAY,SAAS,SACjD,QAAO;CAET,MAAM,OAAQ,IAAY;AAC1B,QAAO,SAAS,qBAAqB,gCAChC,SAAS,qBAAqB,mCAC9B,SAAS,qBAAqB;;AAGrC,SAAS,SAAS,OAAkD;AAClE,QAAO,OAAO,UAAU,YAAY,UAAU;;;;;;;;;;AAahD,SAAgB,sBACd,QACA,SAYe;CACf,MAAM,EACJ,aACA,WACA,WACA,YAAY,KACZ,cACE;CAEJ,MAAM,eAAe,MAAM,QAAQ,eAAe,cAAc,CAAC;AAEjE,QAAO,IAAI,SAAe,SAAS,WAAW;EAC5C,MAAM,UAAU,iBAAiB;AAC/B;AACA,0BAAO,IAAI,MACT,wCAAwC,aAAa,KAAK,KAAK,GAAG,YAAY,gBAAgB,cAAc;KAE7G;EAEH,MAAM,kBAAkB,UAAwB;GAC9C,MAAM,MAAM,MAAM;AAGlB,OAAI,CAAC,OAAO,OAAO,IAAI,SAAS,SAC9B;AAIF,OAAI,aAAa,IAAI,cAAc,UACjC;AAIF,OAAI,aAAa,IAAI,SAAS,WAAW;AACvC;IACA,MAAM,QAAQ,IAAI,SAAS;AAC3B,2BAAO,IAAI,MAAM,0BAA0B;AAC3C;;AAIF,OAAI,aAAa,SAAS,IAAI,OAAO;AAEnC,QAAI,UACF,KAAI;KACF,MAAM,gBAAgB,UAAU;AAChC,SAAI,CAAC,cACH;aAEK,KAAK;AACZ;AACA,YAAO;AACP;;AAIJ;AACA;;;EAIJ,MAAM,gBAAgB;AACpB,gBAAa;AACb,UAAO,oBAAoB,WAAW;;AAGxC,SAAO,iBAAiB,WAAW;;;;;;;;;;;;AAavC,SAAgB,yBACd,QACA,WACA,YAAoB,KACL;AACf,QAAO,sBAAsB,QAAQ;EACnC,aAAa,qBAAqB;EAClC,WAAW,qBAAqB;EAChC;EACA"}
+{"version":3,"file":"sessionMessages.js","names":[],"sources":["../../../../../src/core/WebAuthnManager/SignerWorkerManager/sessionMessages.ts"],"sourcesContent":["/**\n * Session Message Handling for Signer Worker\n *\n * This module provides helpers for waiting on session lifecycle messages from the signer worker.\n * Session messages are JS-only messages that never go through the Rust JSON pipeline\n * and are used for worker lifecycle management and session setup.\n */\n\nimport { WorkerControlMessage } from '../../workerControlMessages';\n\n// === SESSION MESSAGE TYPES ===\n\n/**\n * Control message sent by the signer worker after successfully attaching\n * a WrapKeySeed MessagePort for a signing session.\n */\nexport interface AttachWrapKeySeedPortOkMessage {\n  type: typeof WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK;\n  sessionId: string;\n}\n\n/**\n * Control message sent by the signer worker when attaching a WrapKeySeed\n * MessagePort fails.\n */\nexport interface AttachWrapKeySeedPortErrorMessage {\n  type: typeof WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR;\n  sessionId: string;\n  error: string;\n}\n\n/**\n * Control message sent by the signer worker when it's ready to receive messages.\n */\nexport interface WorkerReadyMessage {\n  type: typeof WorkerControlMessage.WORKER_READY;\n  ready: boolean;\n}\n\n/**\n * All control messages that can be sent by the signer worker.\n */\nexport type SignerWorkerControlMessage =\n  | AttachWrapKeySeedPortOkMessage\n  | AttachWrapKeySeedPortErrorMessage\n  | WorkerReadyMessage;\n\nexport type SessionMessage = Record<string, unknown> & {\n  type: string;\n  sessionId?: string;\n  error?: string;\n};\n\nfunction asSessionMessage(msg: unknown): SessionMessage | null {\n  if (!isObject(msg)) return null;\n  if (typeof msg.type !== 'string') return null;\n  if (msg.sessionId != null && typeof msg.sessionId !== 'string') return null;\n  if (msg.error != null && typeof msg.error !== 'string') return null;\n  return msg as SessionMessage;\n}\n\n/**\n * Type guard to check if a message is a control message.\n */\nexport function isSignerWorkerControlMessage(msg: unknown): msg is SignerWorkerControlMessage {\n  if (!isObject(msg) || typeof msg.type !== 'string') {\n    return false;\n  }\n\n  switch (msg.type) {\n    case WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK:\n      return typeof msg.sessionId === 'string';\n    case WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR:\n      return typeof msg.sessionId === 'string' && typeof msg.error === 'string';\n    case WorkerControlMessage.WORKER_READY:\n      return typeof msg.ready === 'boolean';\n    default:\n      return false;\n  }\n}\n\nfunction isObject(value: unknown): value is Record<string, unknown> {\n  return typeof value === 'object' && value !== null;\n}\n\n// === SESSION MESSAGE HELPERS ===\n\n/**\n * Generic helper for waiting on session messages from a worker.\n * Registers a listener, sends no message (caller handles that), and waits for a matching response.\n *\n * @param worker - The worker to listen to\n * @param options - Configuration for what to wait for\n * @returns Promise that resolves when the expected message arrives, rejects on timeout or error\n */\nexport function waitForSessionMessage(\n  worker: Worker,\n  options: {\n    /** Message type(s) to wait for (success) */\n    successType: string | string[];\n    /** Optional error type to reject on */\n    errorType?: string;\n    /** Session ID to match (if applicable) */\n    sessionId?: string;\n    /** Timeout in milliseconds */\n    timeoutMs?: number;\n    /** Custom message validator - return true to resolve, false to ignore, throw to reject */\n    validator?: (msg: SessionMessage) => boolean;\n  }\n): Promise<void> {\n  const {\n    successType,\n    errorType,\n    sessionId,\n    timeoutMs = 2000,\n    validator,\n  } = options;\n\n  const successTypes = Array.isArray(successType) ? successType : [successType];\n\n  return new Promise<void>((resolve, reject) => {\n    const timeout = setTimeout(() => {\n      cleanup();\n      reject(new Error(\n        `Timeout waiting for session message (${successTypes.join('|')})${sessionId ? ` for session ${sessionId}` : ''}`\n      ));\n    }, timeoutMs);\n\n    const messageHandler = (event: MessageEvent<unknown>) => {\n      const msg = asSessionMessage(event.data);\n\n      // Skip if message doesn't have a type\n      if (!msg) return;\n\n      // Check if sessionId matches (if specified)\n      if (sessionId && msg.sessionId !== sessionId) {\n        return;\n      }\n\n      // Check for error type\n      if (errorType && msg.type === errorType) {\n        cleanup();\n        const error = msg.error || 'Unknown error';\n        reject(new Error(`Session message error: ${error}`));\n        return;\n      }\n\n      // Check for success type\n      if (successTypes.includes(msg.type)) {\n        // Run custom validator if provided\n        if (validator) {\n          try {\n            const shouldResolve = validator(msg);\n            if (!shouldResolve) {\n              return; // Validator said to ignore this message\n            }\n          } catch (err) {\n            cleanup();\n            reject(err);\n            return;\n          }\n        }\n\n        cleanup();\n        resolve();\n      }\n    };\n\n    const cleanup = () => {\n      clearTimeout(timeout);\n      worker.removeEventListener('message', messageHandler);\n    };\n\n    worker.addEventListener('message', messageHandler);\n  });\n}\n\n/**\n * Wait for the worker to acknowledge successful attachment of the WrapKeySeed port.\n * This provides early detection of attach failures instead of only seeing late WASM errors.\n *\n * @param worker - The worker that should send the ACK\n * @param sessionId - The session ID to match\n * @param timeoutMs - How long to wait before rejecting (default: 2000ms)\n * @returns Promise that resolves on success ACK, rejects on error or timeout\n */\nexport function waitForWrapKeyPortAttach(\n  worker: Worker,\n  sessionId: string,\n  timeoutMs: number = 2000\n): Promise<void> {\n  return waitForSessionMessage(worker, {\n    successType: WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK,\n    errorType: WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR,\n    sessionId,\n    timeoutMs,\n  });\n}\n"],"mappings":";;;AAqDA,SAAS,iBAAiB,KAAqC;AAC7D,KAAI,CAAC,SAAS,KAAM,QAAO;AAC3B,KAAI,OAAO,IAAI,SAAS,SAAU,QAAO;AACzC,KAAI,IAAI,aAAa,QAAQ,OAAO,IAAI,cAAc,SAAU,QAAO;AACvE,KAAI,IAAI,SAAS,QAAQ,OAAO,IAAI,UAAU,SAAU,QAAO;AAC/D,QAAO;;;;;AAMT,SAAgB,6BAA6B,KAAiD;AAC5F,KAAI,CAAC,SAAS,QAAQ,OAAO,IAAI,SAAS,SACxC,QAAO;AAGT,SAAQ,IAAI,MAAZ;EACE,KAAK,qBAAqB,6BACxB,QAAO,OAAO,IAAI,cAAc;EAClC,KAAK,qBAAqB,gCACxB,QAAO,OAAO,IAAI,cAAc,YAAY,OAAO,IAAI,UAAU;EACnE,KAAK,qBAAqB,aACxB,QAAO,OAAO,IAAI,UAAU;EAC9B,QACE,QAAO;;;AAIb,SAAS,SAAS,OAAkD;AAClE,QAAO,OAAO,UAAU,YAAY,UAAU;;;;;;;;;;AAahD,SAAgB,sBACd,QACA,SAYe;CACf,MAAM,EACJ,aACA,WACA,WACA,YAAY,KACZ,cACE;CAEJ,MAAM,eAAe,MAAM,QAAQ,eAAe,cAAc,CAAC;AAEjE,QAAO,IAAI,SAAe,SAAS,WAAW;EAC5C,MAAM,UAAU,iBAAiB;AAC/B;AACA,0BAAO,IAAI,MACT,wCAAwC,aAAa,KAAK,KAAK,GAAG,YAAY,gBAAgB,cAAc;KAE7G;EAEH,MAAM,kBAAkB,UAAiC;GACvD,MAAM,MAAM,iBAAiB,MAAM;AAGnC,OAAI,CAAC,IAAK;AAGV,OAAI,aAAa,IAAI,cAAc,UACjC;AAIF,OAAI,aAAa,IAAI,SAAS,WAAW;AACvC;IACA,MAAM,QAAQ,IAAI,SAAS;AAC3B,2BAAO,IAAI,MAAM,0BAA0B;AAC3C;;AAIF,OAAI,aAAa,SAAS,IAAI,OAAO;AAEnC,QAAI,UACF,KAAI;KACF,MAAM,gBAAgB,UAAU;AAChC,SAAI,CAAC,cACH;aAEK,KAAK;AACZ;AACA,YAAO;AACP;;AAIJ;AACA;;;EAIJ,MAAM,gBAAgB;AACpB,gBAAa;AACb,UAAO,oBAAoB,WAAW;;AAGxC,SAAO,iBAAiB,WAAW;;;;;;;;;;;;AAavC,SAAgB,yBACd,QACA,WACA,YAAoB,KACL;AACf,QAAO,sBAAsB,QAAQ;EACnC,aAAa,qBAAqB;EAClC,WAAW,qBAAqB;EAChC;EACA"}

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/common.js

@@ -1,10 +1,8 @@
-import { init_validation, isFunction, isObject, isString } from "../../../../WalletIframe/validation.js";
-import { init_errors, isTouchIdCancellationError, toError } from "../../../../../utils/errors.js";
+import { isFunction, isObject, isString } from "../../../../../utils/validation.js";
+import { isTouchIdCancellationError, toError } from "../../../../../utils/errors.js";
 import { SecureConfirmMessageType } from "../types.js";
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/common.ts
-init_validation();
-init_errors();
 function parseTransactionSummary(summaryData) {
 	if (!summaryData) return {};
 	if (isString(summaryData)) try {

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/common.js.map

@@ -1 +1 @@
-{"version":3,"file":"common.js","names":["out: Record<string, unknown>"],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/common.ts"],"sourcesContent":["import type { TransactionSummary, SecureConfirmDecision } from '../types';\nimport { SecureConfirmMessageType } from '../types';\nimport { isObject, isFunction, isString } from '../../../../WalletIframe/validation';\nimport { toError, isTouchIdCancellationError } from '../../../../../utils/errors';\n\nexport function parseTransactionSummary(summaryData: unknown): TransactionSummary {\n  if (!summaryData) return {};\n  if (isString(summaryData)) {\n    try {\n      const parsed = JSON.parse(summaryData) as unknown;\n      return isObject(parsed) ? (parsed as TransactionSummary) : {};\n    } catch (parseError) {\n      console.warn('[SignerWorkerManager]: Failed to parse summary string:', parseError);\n      return {};\n    }\n  }\n  return isObject(summaryData) ? (summaryData as TransactionSummary) : {};\n}\n\n// ===== Utility: postMessage sanitization (exported in case flows need to respond directly) =====\nexport type NonFunctionKeys<T> = { [K in keyof T]: T[K] extends Function ? never : K }[keyof T];\n\nexport type ShallowPostMessageSafe<T> = T extends object\n  ? Omit<Pick<T, NonFunctionKeys<T>>, '_confirmHandle'>\n  : T;\n\nexport function sanitizeForPostMessage<T>(data: T): ShallowPostMessageSafe<T> {\n  if (data == null) return data as ShallowPostMessageSafe<T>;\n  if (Array.isArray(data)) return data.map((v) => v) as unknown as ShallowPostMessageSafe<T>;\n  if (isObject(data)) {\n    const src = data as Record<string, unknown>;\n    const out: Record<string, unknown> = {};\n    for (const key of Object.keys(src)) {\n      if (key === '_confirmHandle') continue;\n      const value = src[key];\n      if (isFunction(value)) continue;\n      out[key] = value;\n    }\n    return out as ShallowPostMessageSafe<T>;\n  }\n  return data as ShallowPostMessageSafe<T>;\n}\n\n// ===== Shared worker response + UI close helpers =====\nexport const ERROR_MESSAGES = {\n  cancelled: 'User cancelled secure confirm request',\n  collectCredentialsFailed: 'Failed to collect credentials',\n  nearRpcFailed: 'Failed to fetch NEAR data',\n} as const;\n\nexport function sendConfirmResponse(worker: Worker, response: SecureConfirmDecision) {\n  const sanitized = sanitizeForPostMessage(response);\n  worker.postMessage({ type: SecureConfirmMessageType.USER_PASSKEY_CONFIRM_RESPONSE, data: sanitized });\n}\n\nexport function isUserCancelledSecureConfirm(error: unknown): boolean {\n  return (\n    isTouchIdCancellationError(error) ||\n    (() => {\n      const e = toError(error);\n      return e?.name === 'NotAllowedError' || e?.name === 'AbortError';\n    })()\n  );\n}\n\n"],"mappings":";;;;;;;AAKA,SAAgB,wBAAwB,aAA0C;AAChF,KAAI,CAAC,YAAa,QAAO;AACzB,KAAI,SAAS,aACX,KAAI;EACF,MAAM,SAAS,KAAK,MAAM;AAC1B,SAAO,SAAS,UAAW,SAAgC;UACpD,YAAY;AACnB,UAAQ,KAAK,0DAA0D;AACvE,SAAO;;AAGX,QAAO,SAAS,eAAgB,cAAqC;;AAUvE,SAAgB,uBAA0B,MAAoC;AAC5E,KAAI,QAAQ,KAAM,QAAO;AACzB,KAAI,MAAM,QAAQ,MAAO,QAAO,KAAK,KAAK,MAAM;AAChD,KAAI,SAAS,OAAO;EAClB,MAAM,MAAM;EACZ,MAAMA,MAA+B;AACrC,OAAK,MAAM,OAAO,OAAO,KAAK,MAAM;AAClC,OAAI,QAAQ,iBAAkB;GAC9B,MAAM,QAAQ,IAAI;AAClB,OAAI,WAAW,OAAQ;AACvB,OAAI,OAAO;;AAEb,SAAO;;AAET,QAAO;;AAIT,MAAa,iBAAiB;CAC5B,WAAW;CACX,0BAA0B;CAC1B,eAAe;;AAGjB,SAAgB,oBAAoB,QAAgB,UAAiC;CACnF,MAAM,YAAY,uBAAuB;AACzC,QAAO,YAAY;EAAE,MAAM,yBAAyB;EAA+B,MAAM;;;AAG3F,SAAgB,6BAA6B,OAAyB;AACpE,QACE,2BAA2B,iBACpB;EACL,MAAM,IAAI,QAAQ;AAClB,SAAO,GAAG,SAAS,qBAAqB,GAAG,SAAS"}
+{"version":3,"file":"common.js","names":["out: Record<string, unknown>"],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/common.ts"],"sourcesContent":["import type { TransactionSummary, SecureConfirmDecision } from '../types';\nimport { SecureConfirmMessageType } from '../types';\nimport { isObject, isFunction, isString } from '@/utils/validation';\nimport { toError, isTouchIdCancellationError } from '../../../../../utils/errors';\n\nexport function parseTransactionSummary(summaryData: unknown): TransactionSummary {\n  if (!summaryData) return {};\n  if (isString(summaryData)) {\n    try {\n      const parsed = JSON.parse(summaryData) as unknown;\n      return isObject(parsed) ? (parsed as TransactionSummary) : {};\n    } catch (parseError) {\n      console.warn('[SignerWorkerManager]: Failed to parse summary string:', parseError);\n      return {};\n    }\n  }\n  return isObject(summaryData) ? (summaryData as TransactionSummary) : {};\n}\n\n// ===== Utility: postMessage sanitization (exported in case flows need to respond directly) =====\nexport type NonFunctionKeys<T> = { [K in keyof T]: T[K] extends Function ? never : K }[keyof T];\n\nexport type ShallowPostMessageSafe<T> = T extends object\n  ? Omit<Pick<T, NonFunctionKeys<T>>, '_confirmHandle'>\n  : T;\n\nexport function sanitizeForPostMessage<T>(data: T): ShallowPostMessageSafe<T> {\n  if (data == null) return data as ShallowPostMessageSafe<T>;\n  if (Array.isArray(data)) return data.map((v) => v) as unknown as ShallowPostMessageSafe<T>;\n  if (isObject(data)) {\n    const src = data as Record<string, unknown>;\n    const out: Record<string, unknown> = {};\n    for (const key of Object.keys(src)) {\n      if (key === '_confirmHandle') continue;\n      const value = src[key];\n      if (isFunction(value)) continue;\n      out[key] = value;\n    }\n    return out as ShallowPostMessageSafe<T>;\n  }\n  return data as ShallowPostMessageSafe<T>;\n}\n\n// ===== Shared worker response + UI close helpers =====\nexport const ERROR_MESSAGES = {\n  cancelled: 'User cancelled secure confirm request',\n  collectCredentialsFailed: 'Failed to collect credentials',\n  nearRpcFailed: 'Failed to fetch NEAR data',\n} as const;\n\nexport function sendConfirmResponse(worker: Worker, response: SecureConfirmDecision) {\n  const sanitized = sanitizeForPostMessage(response);\n  worker.postMessage({ type: SecureConfirmMessageType.USER_PASSKEY_CONFIRM_RESPONSE, data: sanitized });\n}\n\nexport function isUserCancelledSecureConfirm(error: unknown): boolean {\n  return (\n    isTouchIdCancellationError(error) ||\n    (() => {\n      const e = toError(error);\n      return e?.name === 'NotAllowedError' || e?.name === 'AbortError';\n    })()\n  );\n}\n\n"],"mappings":";;;;;AAKA,SAAgB,wBAAwB,aAA0C;AAChF,KAAI,CAAC,YAAa,QAAO;AACzB,KAAI,SAAS,aACX,KAAI;EACF,MAAM,SAAS,KAAK,MAAM;AAC1B,SAAO,SAAS,UAAW,SAAgC;UACpD,YAAY;AACnB,UAAQ,KAAK,0DAA0D;AACvE,SAAO;;AAGX,QAAO,SAAS,eAAgB,cAAqC;;AAUvE,SAAgB,uBAA0B,MAAoC;AAC5E,KAAI,QAAQ,KAAM,QAAO;AACzB,KAAI,MAAM,QAAQ,MAAO,QAAO,KAAK,KAAK,MAAM;AAChD,KAAI,SAAS,OAAO;EAClB,MAAM,MAAM;EACZ,MAAMA,MAA+B;AACrC,OAAK,MAAM,OAAO,OAAO,KAAK,MAAM;AAClC,OAAI,QAAQ,iBAAkB;GAC9B,MAAM,QAAQ,IAAI;AAClB,OAAI,WAAW,OAAQ;AACvB,OAAI,OAAO;;AAEb,SAAO;;AAET,QAAO;;AAIT,MAAa,iBAAiB;CAC5B,WAAW;CACX,0BAA0B;CAC1B,eAAe;;AAGjB,SAAgB,oBAAoB,QAAgB,UAAiC;CACnF,MAAM,YAAY,uBAAuB;AACzC,QAAO,YAAY;EAAE,MAAM,yBAAyB;EAA+B,MAAM;;;AAG3F,SAAgB,6BAA6B,OAAyB;AACpE,QACE,2BAA2B,iBACpB;EACL,MAAM,IAAI,QAAQ;AAClB,SAAO,GAAG,SAAS,qBAAqB,GAAG,SAAS"}

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/near.js

@@ -1,7 +1,6 @@
-import { errorMessage, init_errors } from "../../../../../utils/errors.js";
+import { errorMessage } from "../../../../../utils/errors.js";
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/near.ts
-init_errors();
 async function fetchNearContext(ctx, opts) {
 	try {
 		const transactionContext = await ctx.nonceManager.getNonceBlockHashAndHeight(ctx.nearClient);
@@ -9,11 +8,8 @@ async function fetchNearContext(ctx, opts) {
 		let reservedNonces;
 		if (opts.reserveNonces) try {
 			reservedNonces = ctx.nonceManager.reserveNonces(txCount);
-			console.debug(`[NonceManager]: Reserved ${txCount} nonce(s):`, reservedNonces);
 			transactionContext.nextNonce = reservedNonces[0];
-		} catch (error) {
-			console.debug(`[NonceManager]: Failed to reserve ${txCount} nonce(s):`, error);
-		}
+		} catch (error) {}
 		return {
 			transactionContext,
 			reservedNonces

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/near.js.map

@@ -1 +1 @@
-{"version":3,"file":"near.js","names":["reservedNonces: string[] | undefined","fallback: TransactionContext"],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/near.ts"],"sourcesContent":["import type { VrfWorkerManagerContext } from '../../';\nimport { TransactionContext } from '../../../../types';\nimport type { BlockReference, AccessKeyView } from '@near-js/types';\nimport { errorMessage } from '../../../../../utils/errors';\n\nexport async function fetchNearContext(\n  ctx: VrfWorkerManagerContext,\n  opts: { nearAccountId: string; txCount: number; reserveNonces: boolean },\n): Promise<{\n  transactionContext: TransactionContext | null;\n  error?: string;\n  details?: string;\n  reservedNonces?: string[];\n}> {\n  try {\n    // Prefer NonceManager when initialized (signing flows)\n    // Use cached transaction context if fresh; avoid forcing a refresh here.\n    // JIT refresh later will force a new block height for the VRF challenge.\n    const transactionContext = await ctx.nonceManager.getNonceBlockHashAndHeight(ctx.nearClient);\n\n    const txCount = opts.txCount || 1;\n    let reservedNonces: string[] | undefined;\n    if (opts.reserveNonces) {\n      try {\n        reservedNonces = ctx.nonceManager.reserveNonces(txCount);\n        console.debug(`[NonceManager]: Reserved ${txCount} nonce(s):`, reservedNonces);\n        // Provide the first reserved nonce to the worker context; worker handles per-tx assignment\n        transactionContext.nextNonce = reservedNonces[0];\n      } catch (error) {\n        console.debug(`[NonceManager]: Failed to reserve ${txCount} nonce(s):`, error);\n        // Continue with existing nextNonce; worker may auto-increment where appropriate\n      }\n    }\n\n    return { transactionContext, reservedNonces };\n  } catch (error) {\n    // Registration or pre-login flows may not have NonceManager initialized.\n    // Fallback: fetch latest block info directly; nonces are not required for registration/link flows.\n    try {\n      const block = await ctx.nearClient.viewBlock({ finality: 'final' } as BlockReference);\n      const txBlockHeight = String(block?.header?.height ?? '');\n      const txBlockHash = String(block?.header?.hash ?? '');\n      const fallback: TransactionContext = {\n        nearPublicKeyStr: '', // not needed for registration VRF challenge\n        accessKeyInfo: ({\n          nonce: 0,\n          permission: 'FullAccess',\n          block_height: 0,\n          block_hash: ''\n        } as unknown) as AccessKeyView, // minimal shape; not used in registration/link flows\n        nextNonce: '0',\n        txBlockHeight,\n        txBlockHash,\n      } as TransactionContext;\n      return { transactionContext: fallback };\n    } catch (e) {\n      return {\n        transactionContext: null,\n        error: 'NEAR_RPC_FAILED',\n        details: errorMessage(e) || errorMessage(error),\n      };\n    }\n  }\n}\n\nexport function releaseReservedNonces(ctx: VrfWorkerManagerContext, nonces?: string[]) {\n  nonces?.forEach((n) => ctx.nonceManager.releaseNonce(n));\n}\n\n"],"mappings":";;;;AAKA,eAAsB,iBACpB,KACA,MAMC;AACD,KAAI;EAIF,MAAM,qBAAqB,MAAM,IAAI,aAAa,2BAA2B,IAAI;EAEjF,MAAM,UAAU,KAAK,WAAW;EAChC,IAAIA;AACJ,MAAI,KAAK,cACP,KAAI;AACF,oBAAiB,IAAI,aAAa,cAAc;AAChD,WAAQ,MAAM,4BAA4B,QAAQ,aAAa;AAE/D,sBAAmB,YAAY,eAAe;WACvC,OAAO;AACd,WAAQ,MAAM,qCAAqC,QAAQ,aAAa;;AAK5E,SAAO;GAAE;GAAoB;;UACtB,OAAO;AAGd,MAAI;GACF,MAAM,QAAQ,MAAM,IAAI,WAAW,UAAU,EAAE,UAAU;GACzD,MAAM,gBAAgB,OAAO,OAAO,QAAQ,UAAU;GACtD,MAAM,cAAc,OAAO,OAAO,QAAQ,QAAQ;GAClD,MAAMC,WAA+B;IACnC,kBAAkB;IAClB,eAAgB;KACd,OAAO;KACP,YAAY;KACZ,cAAc;KACd,YAAY;;IAEd,WAAW;IACX;IACA;;AAEF,UAAO,EAAE,oBAAoB;WACtB,GAAG;AACV,UAAO;IACL,oBAAoB;IACpB,OAAO;IACP,SAAS,aAAa,MAAM,aAAa;;;;;AAMjD,SAAgB,sBAAsB,KAA8B,QAAmB;AACrF,SAAQ,SAAS,MAAM,IAAI,aAAa,aAAa"}
+{"version":3,"file":"near.js","names":["reservedNonces: string[] | undefined","fallback: TransactionContext"],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/near.ts"],"sourcesContent":["import type { VrfWorkerManagerContext } from '../../';\nimport { TransactionContext } from '../../../../types';\nimport type { BlockReference, AccessKeyView } from '@near-js/types';\nimport { errorMessage } from '../../../../../utils/errors';\n\nexport async function fetchNearContext(\n  ctx: VrfWorkerManagerContext,\n  opts: { nearAccountId: string; txCount: number; reserveNonces: boolean },\n): Promise<{\n  transactionContext: TransactionContext | null;\n  error?: string;\n  details?: string;\n  reservedNonces?: string[];\n}> {\n  try {\n    // Prefer NonceManager when initialized (signing flows)\n    // Use cached transaction context if fresh; avoid forcing a refresh here.\n    // JIT refresh later will force a new block height for the VRF challenge.\n    const transactionContext = await ctx.nonceManager.getNonceBlockHashAndHeight(ctx.nearClient);\n\n    const txCount = opts.txCount || 1;\n    let reservedNonces: string[] | undefined;\n    if (opts.reserveNonces) {\n      try {\n        reservedNonces = ctx.nonceManager.reserveNonces(txCount);\n        // Provide the first reserved nonce to the worker context; worker handles per-tx assignment\n        transactionContext.nextNonce = reservedNonces[0];\n      } catch (error) {\n        // Continue with existing nextNonce; worker may auto-increment where appropriate\n      }\n    }\n\n    return { transactionContext, reservedNonces };\n  } catch (error) {\n    // Registration or pre-login flows may not have NonceManager initialized.\n    // Fallback: fetch latest block info directly; nonces are not required for registration/link flows.\n    try {\n      const block = await ctx.nearClient.viewBlock({ finality: 'final' } as BlockReference);\n      const txBlockHeight = String(block?.header?.height ?? '');\n      const txBlockHash = String(block?.header?.hash ?? '');\n      const fallback: TransactionContext = {\n        nearPublicKeyStr: '', // not needed for registration VRF challenge\n        accessKeyInfo: ({\n          nonce: 0,\n          permission: 'FullAccess',\n          block_height: 0,\n          block_hash: ''\n        } as unknown) as AccessKeyView, // minimal shape; not used in registration/link flows\n        nextNonce: '0',\n        txBlockHeight,\n        txBlockHash,\n      } as TransactionContext;\n      return { transactionContext: fallback };\n    } catch (e) {\n      return {\n        transactionContext: null,\n        error: 'NEAR_RPC_FAILED',\n        details: errorMessage(e) || errorMessage(error),\n      };\n    }\n  }\n}\n\nexport function releaseReservedNonces(ctx: VrfWorkerManagerContext, nonces?: string[]) {\n  nonces?.forEach((n) => ctx.nonceManager.releaseNonce(n));\n}\n\n"],"mappings":";;;AAKA,eAAsB,iBACpB,KACA,MAMC;AACD,KAAI;EAIF,MAAM,qBAAqB,MAAM,IAAI,aAAa,2BAA2B,IAAI;EAEjF,MAAM,UAAU,KAAK,WAAW;EAChC,IAAIA;AACJ,MAAI,KAAK,cACP,KAAI;AACF,oBAAiB,IAAI,aAAa,cAAc;AAEhD,sBAAmB,YAAY,eAAe;WACvC,OAAO;AAKlB,SAAO;GAAE;GAAoB;;UACtB,OAAO;AAGd,MAAI;GACF,MAAM,QAAQ,MAAM,IAAI,WAAW,UAAU,EAAE,UAAU;GACzD,MAAM,gBAAgB,OAAO,OAAO,QAAQ,UAAU;GACtD,MAAM,cAAc,OAAO,OAAO,QAAQ,QAAQ;GAClD,MAAMC,WAA+B;IACnC,kBAAkB;IAClB,eAAgB;KACd,OAAO;KACP,YAAY;KACZ,cAAc;KACd,YAAY;;IAEd,WAAW;IACX;IACA;;AAEF,UAAO,EAAE,oBAAoB;WACtB,GAAG;AACV,UAAO;IACL,oBAAoB;IACpB,OAAO;IACP,SAAS,aAAa,MAAM,aAAa;;;;;AAMjD,SAAgB,sBAAsB,KAA8B,QAAmB;AACrF,SAAQ,SAAS,MAAM,IAAI,aAAa,aAAa"}

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/requestAdapter.js

@@ -1,8 +1,7 @@
-import { init_validation, isObject, isString } from "../../../../WalletIframe/validation.js";
+import { isObject, isString } from "../../../../../utils/validation.js";
 import { SecureConfirmationType } from "../types.js";
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/requestAdapter.ts
-init_validation();
 /**
 * Validates secure-confirm requests (V2 only).
 * This deliberately does not accept JSON strings or shorthand/legacy shapes.
@@ -11,7 +10,6 @@ function validateSecureConfirmRequest(input) {
 	if (typeof input === "string") throw new Error("Invalid secure confirm request: expected an object (JSON strings are not supported)");
 	if (!isObject(input)) throw new Error("parsed is not an object");
 	const p = input;
-	if (p.schemaVersion !== 2) throw new Error("schemaVersion must be 2");
 	if (!isString(p.requestId) || !p.requestId) throw new Error("missing requestId");
 	if (!isString(p.type) || !p.type) throw new Error("missing type");
 	if (p.summary === void 0 || p.summary === null) throw new Error("missing summary");

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/requestAdapter.js.map

@@ -1 +1 @@
-{"version":3,"file":"requestAdapter.js","names":["payload: any"],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/requestAdapter.ts"],"sourcesContent":["import type { SecureConfirmRequest } from '../types';\nimport { SecureConfirmationType } from '../types';\nimport { isObject, isString } from '@/core/WalletIframe/validation';\n\n/**\n * Validates secure-confirm requests (V2 only).\n * This deliberately does not accept JSON strings or shorthand/legacy shapes.\n */\nexport function validateSecureConfirmRequest(input: unknown): SecureConfirmRequest {\n  if (typeof input === 'string') {\n    throw new Error('Invalid secure confirm request: expected an object (JSON strings are not supported)');\n  }\n  if (!isObject(input)) throw new Error('parsed is not an object');\n  const p = input as {\n    schemaVersion?: unknown;\n    requestId?: unknown;\n    type?: unknown;\n    summary?: unknown;\n    payload?: unknown;\n  };\n  if (p.schemaVersion !== 2) throw new Error('schemaVersion must be 2');\n  if (!isString(p.requestId) || !p.requestId) throw new Error('missing requestId');\n  if (!isString(p.type) || !p.type) throw new Error('missing type');\n  if (p.summary === undefined || p.summary === null) throw new Error('missing summary');\n  if (p.payload === undefined || p.payload === null) throw new Error('missing payload');\n  return input as unknown as SecureConfirmRequest;\n}\n\nexport function assertNoForbiddenMainThreadSigningSecrets(request: SecureConfirmRequest): void {\n  if (\n    request.type !== SecureConfirmationType.SIGN_TRANSACTION\n    && request.type !== SecureConfirmationType.SIGN_NEP413_MESSAGE\n  ) {\n    return;\n  }\n\n  const payload: any = (request as any).payload || {};\n  if (payload.prfOutput !== undefined) {\n    throw new Error('Invalid secure confirm request: forbidden signing payload field prfOutput');\n  }\n  if (payload.wrapKeySeed !== undefined) {\n    throw new Error('Invalid secure confirm request: forbidden signing payload field wrapKeySeed');\n  }\n  if (payload.wrapKeySalt !== undefined) {\n    throw new Error('Invalid secure confirm request: forbidden signing payload field wrapKeySalt');\n  }\n  if (payload.vrf_sk !== undefined) {\n    throw new Error('Invalid secure confirm request: forbidden signing payload field vrf_sk');\n  }\n}\n"],"mappings":";;;;;;;;;AAQA,SAAgB,6BAA6B,OAAsC;AACjF,KAAI,OAAO,UAAU,SACnB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,SAAS,OAAQ,OAAM,IAAI,MAAM;CACtC,MAAM,IAAI;AAOV,KAAI,EAAE,kBAAkB,EAAG,OAAM,IAAI,MAAM;AAC3C,KAAI,CAAC,SAAS,EAAE,cAAc,CAAC,EAAE,UAAW,OAAM,IAAI,MAAM;AAC5D,KAAI,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,KAAM,OAAM,IAAI,MAAM;AAClD,KAAI,EAAE,YAAY,UAAa,EAAE,YAAY,KAAM,OAAM,IAAI,MAAM;AACnE,KAAI,EAAE,YAAY,UAAa,EAAE,YAAY,KAAM,OAAM,IAAI,MAAM;AACnE,QAAO;;AAGT,SAAgB,0CAA0C,SAAqC;AAC7F,KACE,QAAQ,SAAS,uBAAuB,oBACrC,QAAQ,SAAS,uBAAuB,oBAE3C;CAGF,MAAMA,UAAgB,QAAgB,WAAW;AACjD,KAAI,QAAQ,cAAc,OACxB,OAAM,IAAI,MAAM;AAElB,KAAI,QAAQ,gBAAgB,OAC1B,OAAM,IAAI,MAAM;AAElB,KAAI,QAAQ,gBAAgB,OAC1B,OAAM,IAAI,MAAM;AAElB,KAAI,QAAQ,WAAW,OACrB,OAAM,IAAI,MAAM"}
+{"version":3,"file":"requestAdapter.js","names":["payload: any"],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/requestAdapter.ts"],"sourcesContent":["import type { SecureConfirmRequest } from '../types';\nimport { SecureConfirmationType } from '../types';\nimport { isObject, isString } from '@/utils/validation';\n\n/**\n * Validates secure-confirm requests (V2 only).\n * This deliberately does not accept JSON strings or shorthand/legacy shapes.\n */\nexport function validateSecureConfirmRequest(input: unknown): SecureConfirmRequest {\n  if (typeof input === 'string') {\n    throw new Error('Invalid secure confirm request: expected an object (JSON strings are not supported)');\n  }\n  if (!isObject(input)) throw new Error('parsed is not an object');\n  const p = input as {\n    requestId?: unknown;\n    type?: unknown;\n    summary?: unknown;\n    payload?: unknown;\n  };\n  if (!isString(p.requestId) || !p.requestId) throw new Error('missing requestId');\n  if (!isString(p.type) || !p.type) throw new Error('missing type');\n  if (p.summary === undefined || p.summary === null) throw new Error('missing summary');\n  if (p.payload === undefined || p.payload === null) throw new Error('missing payload');\n  return input as unknown as SecureConfirmRequest;\n}\n\nexport function assertNoForbiddenMainThreadSigningSecrets(request: SecureConfirmRequest): void {\n  if (\n    request.type !== SecureConfirmationType.SIGN_TRANSACTION\n    && request.type !== SecureConfirmationType.SIGN_NEP413_MESSAGE\n  ) {\n    return;\n  }\n\n  const payload: any = (request as any).payload || {};\n  if (payload.prfOutput !== undefined) {\n    throw new Error('Invalid secure confirm request: forbidden signing payload field prfOutput');\n  }\n  if (payload.wrapKeySeed !== undefined) {\n    throw new Error('Invalid secure confirm request: forbidden signing payload field wrapKeySeed');\n  }\n  if (payload.wrapKeySalt !== undefined) {\n    throw new Error('Invalid secure confirm request: forbidden signing payload field wrapKeySalt');\n  }\n  if (payload.vrf_sk !== undefined) {\n    throw new Error('Invalid secure confirm request: forbidden signing payload field vrf_sk');\n  }\n}\n"],"mappings":";;;;;;;;AAQA,SAAgB,6BAA6B,OAAsC;AACjF,KAAI,OAAO,UAAU,SACnB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,SAAS,OAAQ,OAAM,IAAI,MAAM;CACtC,MAAM,IAAI;AAMV,KAAI,CAAC,SAAS,EAAE,cAAc,CAAC,EAAE,UAAW,OAAM,IAAI,MAAM;AAC5D,KAAI,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,KAAM,OAAM,IAAI,MAAM;AAClD,KAAI,EAAE,YAAY,UAAa,EAAE,YAAY,KAAM,OAAM,IAAI,MAAM;AACnE,KAAI,EAAE,YAAY,UAAa,EAAE,YAAY,KAAM,OAAM,IAAI,MAAM;AACnE,QAAO;;AAGT,SAAgB,0CAA0C,SAAqC;AAC7F,KACE,QAAQ,SAAS,uBAAuB,oBACrC,QAAQ,SAAS,uBAAuB,oBAE3C;CAGF,MAAMA,UAAgB,QAAgB,WAAW;AACjD,KAAI,QAAQ,cAAc,OACxB,OAAM,IAAI,MAAM;AAElB,KAAI,QAAQ,gBAAgB,OAC1B,OAAM,IAAI,MAAM;AAElB,KAAI,QAAQ,gBAAgB,OAC1B,OAAM,IAAI,MAAM;AAElB,KAAI,QAAQ,WAAW,OACrB,OAAM,IAAI,MAAM"}

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.js.map

@@ -1 +1 @@
-{"version":3,"file":"session.js","names":["reservedNonces: string[] | undefined","confirmHandle: ConfirmUIHandle | undefined"],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.ts"],"sourcesContent":["import type { ConfirmationConfig } from '../../../../types/signer-worker';\nimport type { ConfirmUIHandle, ConfirmUIUpdate } from '../../../LitComponents/confirm-ui';\nimport type { SecureConfirmDecision, SecureConfirmRequest, TransactionSummary } from '../types';\nimport type { VRFChallenge } from '../../../../types';\nimport { sendConfirmResponse } from './common';\nimport type { ConfirmTxFlowAdapters } from './interfaces';\n\nexport function createConfirmSession({\n  adapters,\n  worker,\n  request,\n  confirmationConfig,\n  transactionSummary,\n}: {\n  adapters: ConfirmTxFlowAdapters;\n  worker: Worker;\n  request: SecureConfirmRequest;\n  confirmationConfig: ConfirmationConfig;\n  transactionSummary: TransactionSummary;\n}): {\n  setReservedNonces: (nonces?: string[]) => void;\n  updateUI: (props: ConfirmUIUpdate) => void;\n  promptUser: (args: { vrfChallenge?: Partial<VRFChallenge> }) => Promise<{ confirmed: boolean; error?: string }>;\n  /**\n   * Send decision back to worker and perform standard cleanup.\n   * - On `confirmed: false`, releases any reserved nonces.\n   * - Always closes the confirm UI handle when present.\n   */\n  confirmAndCloseModal: (decision: SecureConfirmDecision) => void;\n  /**\n   * Cleanup + rethrow helper for invariant failures (e.g. missing PRF outputs),\n   * where tests/logic expect no worker response envelope.\n   */\n  cleanupAndRethrow: (err: unknown) => never;\n} {\n  let reservedNonces: string[] | undefined;\n  let confirmHandle: ConfirmUIHandle | undefined;\n\n  const setReservedNonces = (nonces?: string[]) => {\n    reservedNonces = nonces;\n  };\n\n  const updateUI = (props: ConfirmUIUpdate) => {\n    confirmHandle?.update?.(props);\n  };\n\n  const promptUser = async ({ vrfChallenge }: { vrfChallenge?: Partial<VRFChallenge> }) => {\n    const { confirmed, confirmHandle: handle, error } = await adapters.ui.renderConfirmUI({\n      request,\n      confirmationConfig,\n      transactionSummary,\n      vrfChallenge,\n    });\n    confirmHandle = handle;\n    return { confirmed, error };\n  };\n\n  const confirmAndCloseModal = (decision: SecureConfirmDecision) => {\n    try {\n      sendConfirmResponse(worker, decision);\n    } finally {\n      if (!decision.confirmed) {\n        adapters.near.releaseReservedNonces(reservedNonces);\n      }\n      adapters.ui.closeModalSafely(!!decision.confirmed, confirmHandle);\n    }\n  };\n\n  const cleanupAndRethrow = (err: unknown): never => {\n    try {\n      adapters.near.releaseReservedNonces(reservedNonces);\n      adapters.ui.closeModalSafely(false, confirmHandle);\n    } finally {\n      throw err;\n    }\n  };\n\n  return {\n    setReservedNonces,\n    updateUI,\n    promptUser,\n    confirmAndCloseModal,\n    cleanupAndRethrow,\n  };\n}\n"],"mappings":";;;AAOA,SAAgB,qBAAqB,EACnC,UACA,QACA,SACA,oBACA,sBAsBA;CACA,IAAIA;CACJ,IAAIC;CAEJ,MAAM,qBAAqB,WAAsB;AAC/C,mBAAiB;;CAGnB,MAAM,YAAY,UAA2B;AAC3C,iBAAe,SAAS;;CAG1B,MAAM,aAAa,OAAO,EAAE,mBAA6D;EACvF,MAAM,EAAE,WAAW,eAAe,QAAQ,UAAU,MAAM,SAAS,GAAG,gBAAgB;GACpF;GACA;GACA;GACA;;AAEF,kBAAgB;AAChB,SAAO;GAAE;GAAW;;;CAGtB,MAAM,wBAAwB,aAAoC;AAChE,MAAI;AACF,uBAAoB,QAAQ;YACpB;AACR,OAAI,CAAC,SAAS,UACZ,UAAS,KAAK,sBAAsB;AAEtC,YAAS,GAAG,iBAAiB,CAAC,CAAC,SAAS,WAAW;;;CAIvD,MAAM,qBAAqB,QAAwB;AACjD,MAAI;AACF,YAAS,KAAK,sBAAsB;AACpC,YAAS,GAAG,iBAAiB,OAAO;YAC5B;AACR,SAAM;;;AAIV,QAAO;EACL;EACA;EACA;EACA;EACA"}
+{"version":3,"file":"session.js","names":["reservedNonces: string[] | undefined","confirmHandle: ConfirmUIHandle | undefined"],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/session.ts"],"sourcesContent":["import type { ConfirmationConfig } from '../../../../types/signer-worker';\nimport type { ConfirmUIHandle, ConfirmUIUpdate } from '../../../LitComponents/confirm-ui';\nimport type { KnownSecureConfirmRequest, SecureConfirmDecision, TransactionSummary } from '../types';\nimport type { VRFChallenge } from '../../../../types';\nimport { sendConfirmResponse } from './common';\nimport type { ConfirmTxFlowAdapters } from './interfaces';\n\nexport function createConfirmSession({\n  adapters,\n  worker,\n  request,\n  confirmationConfig,\n  transactionSummary,\n}: {\n  adapters: ConfirmTxFlowAdapters;\n  worker: Worker;\n  request: KnownSecureConfirmRequest;\n  confirmationConfig: ConfirmationConfig;\n  transactionSummary: TransactionSummary;\n}): {\n  setReservedNonces: (nonces?: string[]) => void;\n  updateUI: (props: ConfirmUIUpdate) => void;\n  promptUser: (args: { vrfChallenge?: Partial<VRFChallenge> }) => Promise<{ confirmed: boolean; error?: string }>;\n  /**\n   * Send decision back to worker and perform standard cleanup.\n   * - On `confirmed: false`, releases any reserved nonces.\n   * - Always closes the confirm UI handle when present.\n   */\n  confirmAndCloseModal: (decision: SecureConfirmDecision) => void;\n  /**\n   * Cleanup + rethrow helper for invariant failures (e.g. missing PRF outputs),\n   * where tests/logic expect no worker response envelope.\n   */\n  cleanupAndRethrow: (err: unknown) => never;\n} {\n  let reservedNonces: string[] | undefined;\n  let confirmHandle: ConfirmUIHandle | undefined;\n\n  const setReservedNonces = (nonces?: string[]) => {\n    reservedNonces = nonces;\n  };\n\n  const updateUI = (props: ConfirmUIUpdate) => {\n    confirmHandle?.update?.(props);\n  };\n\n  const promptUser = async ({ vrfChallenge }: { vrfChallenge?: Partial<VRFChallenge> }) => {\n    const { confirmed, confirmHandle: handle, error } = await adapters.ui.renderConfirmUI({\n      request,\n      confirmationConfig,\n      transactionSummary,\n      vrfChallenge,\n    });\n    confirmHandle = handle;\n    return { confirmed, error };\n  };\n\n  const confirmAndCloseModal = (decision: SecureConfirmDecision) => {\n    try {\n      sendConfirmResponse(worker, decision);\n    } finally {\n      if (!decision.confirmed) {\n        adapters.near.releaseReservedNonces(reservedNonces);\n      }\n      adapters.ui.closeModalSafely(!!decision.confirmed, confirmHandle);\n    }\n  };\n\n  const cleanupAndRethrow = (err: unknown): never => {\n    try {\n      adapters.near.releaseReservedNonces(reservedNonces);\n      adapters.ui.closeModalSafely(false, confirmHandle);\n    } finally {\n      throw err;\n    }\n  };\n\n  return {\n    setReservedNonces,\n    updateUI,\n    promptUser,\n    confirmAndCloseModal,\n    cleanupAndRethrow,\n  };\n}\n"],"mappings":";;;AAOA,SAAgB,qBAAqB,EACnC,UACA,QACA,SACA,oBACA,sBAsBA;CACA,IAAIA;CACJ,IAAIC;CAEJ,MAAM,qBAAqB,WAAsB;AAC/C,mBAAiB;;CAGnB,MAAM,YAAY,UAA2B;AAC3C,iBAAe,SAAS;;CAG1B,MAAM,aAAa,OAAO,EAAE,mBAA6D;EACvF,MAAM,EAAE,WAAW,eAAe,QAAQ,UAAU,MAAM,SAAS,GAAG,gBAAgB;GACpF;GACA;GACA;GACA;;AAEF,kBAAgB;AAChB,SAAO;GAAE;GAAW;;;CAGtB,MAAM,wBAAwB,aAAoC;AAChE,MAAI;AACF,uBAAoB,QAAQ;YACpB;AACR,OAAI,CAAC,SAAS,UACZ,UAAS,KAAK,sBAAsB;AAEtC,YAAS,GAAG,iBAAiB,CAAC,CAAC,SAAS,WAAW;;;CAIvD,MAAM,qBAAqB,QAAwB;AACjD,MAAI;AACF,YAAS,KAAK,sBAAsB;AACpC,YAAS,GAAG,iBAAiB,OAAO;YAC5B;AACR,SAAM;;;AAIV,QAAO;EACL;EACA;EACA;EACA;EACA"}

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/vrf.js

@@ -1,22 +1,44 @@
-import { errorMessage, init_errors, toError } from "../../../../../utils/errors.js";
+import { errorMessage, toError } from "../../../../../utils/errors.js";
+import { computeUiIntentDigestFromNep413, sha256Base64UrlUtf8 } from "../../../../digests/intentDigest.js";
 import { SecureConfirmationType } from "../types.js";
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/vrf.ts
-init_errors();
 async function maybeRefreshVrfChallenge(ctx, request, nearAccountId) {
-	const rpId = ctx.touchIdPrompt.getRpId();
 	const vrfWorkerManager = ctx.vrfWorkerManager;
 	if (!vrfWorkerManager) throw new Error("VrfWorkerManager not available");
-	if (!ctx.nonceManager.nearAccountId || !ctx.nonceManager.nearPublicKeyStr || String(ctx.nonceManager.nearAccountId) !== String(nearAccountId)) throw new Error("NonceManager not initialized with user data");
+	if (!ctx.nonceManager.nearAccountId || !ctx.nonceManager.nearPublicKeyStr || ctx.nonceManager.nearAccountId !== nearAccountId) throw new Error("NonceManager not initialized with user data");
+	const rpId = ctx.touchIdPrompt.getRpId();
+	let sessionPolicyDigest32;
+	let intentDigestB64u;
+	switch (request.type) {
+		case SecureConfirmationType.SIGN_TRANSACTION:
+			sessionPolicyDigest32 = request.payload.sessionPolicyDigest32;
+			intentDigestB64u = request.payload.intentDigest;
+			break;
+		case SecureConfirmationType.SIGN_NEP413_MESSAGE:
+			sessionPolicyDigest32 = request.payload.sessionPolicyDigest32;
+			intentDigestB64u = await computeUiIntentDigestFromNep413({
+				nearAccountId,
+				recipient: request.payload.recipient,
+				message: request.payload.message
+			});
+			break;
+		case SecureConfirmationType.REGISTER_ACCOUNT:
+		case SecureConfirmationType.LINK_DEVICE:
+			intentDigestB64u = request.intentDigest ? await sha256Base64UrlUtf8(request.intentDigest) : void 0;
+			break;
+		default: break;
+	}
 	const attempts = 3;
-	return await retryWithBackoff(async (attempt) => {
+	return await retryWithBackoff(async () => {
 		const latestCtx = await ctx.nonceManager.getNonceBlockHashAndHeight(ctx.nearClient, { force: true });
 		const vrfChallenge = request.type === SecureConfirmationType.REGISTER_ACCOUNT || request.type === SecureConfirmationType.LINK_DEVICE ? (await vrfWorkerManager.generateVrfKeypairBootstrap({
 			vrfInputData: {
 				userId: nearAccountId,
 				rpId,
 				blockHeight: latestCtx.txBlockHeight,
-				blockHash: latestCtx.txBlockHash
+				blockHash: latestCtx.txBlockHash,
+				...intentDigestB64u ? { intentDigest: intentDigestB64u } : {}
 			},
 			saveInMemory: true,
 			sessionId: request.requestId
@@ -24,7 +46,9 @@ async function maybeRefreshVrfChallenge(ctx, request, nearAccountId) {
 			userId: nearAccountId,
 			rpId,
 			blockHeight: latestCtx.txBlockHeight,
-			blockHash: latestCtx.txBlockHash
+			blockHash: latestCtx.txBlockHash,
+			...intentDigestB64u ? { intentDigest: intentDigestB64u } : {},
+			...sessionPolicyDigest32 ? { sessionPolicyDigest32 } : {}
 		}, request.requestId);
 		return {
 			vrfChallenge,

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/vrf.js.map

@@ -1 +1 @@
-{"version":3,"file":"vrf.js","names":["lastError: unknown"],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/vrf.ts"],"sourcesContent":["import type { VrfWorkerManagerContext } from '../../';\nimport { TransactionContext, VRFChallenge } from '../../../../types';\nimport type { SecureConfirmRequest } from '../types';\nimport { SecureConfirmationType } from '../types';\nimport { errorMessage, toError } from '../../../../../utils/errors';\n\nexport async function maybeRefreshVrfChallenge(\n  ctx: VrfWorkerManagerContext,\n  request: SecureConfirmRequest,\n  nearAccountId: string,\n): Promise<{ vrfChallenge: VRFChallenge; transactionContext: TransactionContext }> {\n\n  const rpId = ctx.touchIdPrompt.getRpId();\n  const vrfWorkerManager = ctx.vrfWorkerManager;\n  if (!vrfWorkerManager) {\n    throw new Error('VrfWorkerManager not available');\n  }\n  // Only attempt a JIT refresh when NonceManager is initialized for this account.\n  // Pre-login/registration flows should just skip (callers already treat this as best-effort).\n  if (\n    !ctx.nonceManager.nearAccountId ||\n    !ctx.nonceManager.nearPublicKeyStr ||\n    String(ctx.nonceManager.nearAccountId) !== String(nearAccountId)\n  ) {\n    throw new Error('NonceManager not initialized with user data');\n  }\n\n  const attempts = 3;\n  return await retryWithBackoff(async (attempt) => {\n    const latestCtx = await ctx.nonceManager.getNonceBlockHashAndHeight(ctx.nearClient, { force: true });\n\n    const vrfChallenge = (request.type === SecureConfirmationType.REGISTER_ACCOUNT || request.type === SecureConfirmationType.LINK_DEVICE)\n      ? (await vrfWorkerManager.generateVrfKeypairBootstrap({\n          vrfInputData: {\n            userId: nearAccountId,\n            rpId,\n            blockHeight: latestCtx.txBlockHeight,\n            blockHash: latestCtx.txBlockHash,\n          },\n          saveInMemory: true,\n          sessionId: request.requestId,\n        })).vrfChallenge\n      : await vrfWorkerManager.generateVrfChallengeForSession(\n          {\n            userId: nearAccountId,\n            rpId,\n            blockHeight: latestCtx.txBlockHeight,\n            blockHash: latestCtx.txBlockHash,\n          },\n          request.requestId,\n        );\n\n    return {\n      vrfChallenge,\n      transactionContext: latestCtx\n    };\n\n  }, {\n    attempts,\n    baseDelayMs: 150,\n    onError: (err, attempt) => {\n      const msg = errorMessage(err);\n      const isFinal = attempt >= attempts;\n      if (isFinal) {\n        console.warn(`[SecureConfirm] VRF refresh failed: ${msg}`);\n      } else {\n        console.debug(`[SecureConfirm] VRF refresh attempt ${attempt} failed: ${msg}`);\n      }\n    },\n    errorFactory: () => new Error('VRF refresh failed'),\n  });\n}\n\ninterface RetryOptions {\n  attempts: number;\n  baseDelayMs: number;\n  onError?: (error: unknown, attempt: number) => void;\n  errorFactory?: () => Error;\n}\n\nasync function retryWithBackoff<T>(fn: (attempt: number) => Promise<T>, options: RetryOptions): Promise<T> {\n  const { attempts, baseDelayMs, onError, errorFactory } = options;\n  let lastError: unknown;\n\n  for (let attempt = 1; attempt <= Math.max(1, attempts); attempt++) {\n    try {\n      return await fn(attempt);\n    } catch (err) {\n      lastError = err;\n      onError?.(err, attempt);\n      if (attempt < attempts) {\n        const delay = baseDelayMs * attempt;\n        await new Promise((resolve) => setTimeout(resolve, delay));\n      }\n    }\n  }\n\n  throw errorFactory ? errorFactory() : toError(lastError ?? new Error('Retry exhausted'));\n}\n"],"mappings":";;;;;AAMA,eAAsB,yBACpB,KACA,SACA,eACiF;CAEjF,MAAM,OAAO,IAAI,cAAc;CAC/B,MAAM,mBAAmB,IAAI;AAC7B,KAAI,CAAC,iBACH,OAAM,IAAI,MAAM;AAIlB,KACE,CAAC,IAAI,aAAa,iBAClB,CAAC,IAAI,aAAa,oBAClB,OAAO,IAAI,aAAa,mBAAmB,OAAO,eAElD,OAAM,IAAI,MAAM;CAGlB,MAAM,WAAW;AACjB,QAAO,MAAM,iBAAiB,OAAO,YAAY;EAC/C,MAAM,YAAY,MAAM,IAAI,aAAa,2BAA2B,IAAI,YAAY,EAAE,OAAO;EAE7F,MAAM,eAAgB,QAAQ,SAAS,uBAAuB,oBAAoB,QAAQ,SAAS,uBAAuB,eACrH,MAAM,iBAAiB,4BAA4B;GAClD,cAAc;IACZ,QAAQ;IACR;IACA,aAAa,UAAU;IACvB,WAAW,UAAU;;GAEvB,cAAc;GACd,WAAW,QAAQ;MACjB,eACJ,MAAM,iBAAiB,+BACrB;GACE,QAAQ;GACR;GACA,aAAa,UAAU;GACvB,WAAW,UAAU;KAEvB,QAAQ;AAGd,SAAO;GACL;GACA,oBAAoB;;IAGrB;EACD;EACA,aAAa;EACb,UAAU,KAAK,YAAY;GACzB,MAAM,MAAM,aAAa;GACzB,MAAM,UAAU,WAAW;AAC3B,OAAI,QACF,SAAQ,KAAK,uCAAuC;OAEpD,SAAQ,MAAM,uCAAuC,QAAQ,WAAW;;EAG5E,oCAAoB,IAAI,MAAM;;;AAWlC,eAAe,iBAAoB,IAAqC,SAAmC;CACzG,MAAM,EAAE,UAAU,aAAa,SAAS,iBAAiB;CACzD,IAAIA;AAEJ,MAAK,IAAI,UAAU,GAAG,WAAW,KAAK,IAAI,GAAG,WAAW,UACtD,KAAI;AACF,SAAO,MAAM,GAAG;UACT,KAAK;AACZ,cAAY;AACZ,YAAU,KAAK;AACf,MAAI,UAAU,UAAU;GACtB,MAAM,QAAQ,cAAc;AAC5B,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS;;;AAKzD,OAAM,eAAe,iBAAiB,QAAQ,6BAAa,IAAI,MAAM"}
+{"version":3,"file":"vrf.js","names":["sessionPolicyDigest32: string | undefined","intentDigestB64u: string | undefined","lastError: unknown"],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/vrf.ts"],"sourcesContent":["import type { VrfWorkerManagerContext } from '../../';\nimport { TransactionContext, VRFChallenge } from '../../../../types';\nimport type { KnownSecureConfirmRequest } from '../types';\nimport { SecureConfirmationType } from '../types';\nimport { errorMessage, toError } from '../../../../../utils/errors';\nimport { computeUiIntentDigestFromNep413, sha256Base64UrlUtf8 } from '../../../../digests/intentDigest';\n\nexport async function maybeRefreshVrfChallenge(\n  ctx: VrfWorkerManagerContext,\n  request: KnownSecureConfirmRequest,\n  nearAccountId: string,\n): Promise<{ vrfChallenge: VRFChallenge; transactionContext: TransactionContext }> {\n\n  const vrfWorkerManager = ctx.vrfWorkerManager;\n  if (!vrfWorkerManager) {\n    throw new Error('VrfWorkerManager not available');\n  }\n  // Only attempt a JIT refresh when NonceManager is initialized for this account.\n  // Pre-login/registration flows should just skip (callers already treat this as best-effort).\n  if (\n    !ctx.nonceManager.nearAccountId ||\n    !ctx.nonceManager.nearPublicKeyStr ||\n    ctx.nonceManager.nearAccountId !== nearAccountId\n  ) {\n    throw new Error('NonceManager not initialized with user data');\n  }\n\n  const rpId = ctx.touchIdPrompt.getRpId();\n  let sessionPolicyDigest32: string | undefined;\n  let intentDigestB64u: string | undefined;\n\n  switch (request.type) {\n    case SecureConfirmationType.SIGN_TRANSACTION: {\n      sessionPolicyDigest32 = request.payload.sessionPolicyDigest32;\n      intentDigestB64u = request.payload.intentDigest;\n      break;\n    }\n    case SecureConfirmationType.SIGN_NEP413_MESSAGE: {\n      sessionPolicyDigest32 = request.payload.sessionPolicyDigest32;\n      intentDigestB64u = await computeUiIntentDigestFromNep413({\n        nearAccountId,\n        recipient: request.payload.recipient,\n        message: request.payload.message,\n      });\n      break;\n    }\n    case SecureConfirmationType.REGISTER_ACCOUNT:\n    case SecureConfirmationType.LINK_DEVICE: {\n      intentDigestB64u = request.intentDigest ? await sha256Base64UrlUtf8(request.intentDigest) : undefined;\n      break;\n    }\n    default:\n      break;\n  }\n\n  const attempts = 3;\n  return await retryWithBackoff(async () => {\n    const latestCtx = await ctx.nonceManager.getNonceBlockHashAndHeight(ctx.nearClient, { force: true });\n    const vrfChallenge = (request.type === SecureConfirmationType.REGISTER_ACCOUNT || request.type === SecureConfirmationType.LINK_DEVICE)\n      ? (await vrfWorkerManager.generateVrfKeypairBootstrap({\n          vrfInputData: {\n            userId: nearAccountId,\n            rpId,\n            blockHeight: latestCtx.txBlockHeight,\n            blockHash: latestCtx.txBlockHash,\n            ...(intentDigestB64u ? { intentDigest: intentDigestB64u } : {}),\n          },\n          saveInMemory: true,\n          sessionId: request.requestId,\n        })).vrfChallenge\n      : await vrfWorkerManager.generateVrfChallengeForSession(\n          {\n            userId: nearAccountId,\n            rpId,\n            blockHeight: latestCtx.txBlockHeight,\n            blockHash: latestCtx.txBlockHash,\n            ...(intentDigestB64u ? { intentDigest: intentDigestB64u } : {}),\n            ...(sessionPolicyDigest32 ? { sessionPolicyDigest32 } : {}),\n          },\n          request.requestId,\n        );\n\n    return {\n      vrfChallenge,\n      transactionContext: latestCtx\n    };\n  }, {\n    attempts,\n    baseDelayMs: 150,\n    onError: (err, attempt) => {\n      const msg = errorMessage(err);\n      const isFinal = attempt >= attempts;\n      if (isFinal) {\n        console.warn(`[SecureConfirm] VRF refresh failed: ${msg}`);\n      } else {\n        console.debug(`[SecureConfirm] VRF refresh attempt ${attempt} failed: ${msg}`);\n      }\n    },\n    errorFactory: () => new Error('VRF refresh failed'),\n  });\n}\n\ninterface RetryOptions {\n  attempts: number;\n  baseDelayMs: number;\n  onError?: (error: unknown, attempt: number) => void;\n  errorFactory?: () => Error;\n}\n\nasync function retryWithBackoff<T>(fn: (attempt: number) => Promise<T>, options: RetryOptions): Promise<T> {\n  const { attempts, baseDelayMs, onError, errorFactory } = options;\n  let lastError: unknown;\n\n  for (let attempt = 1; attempt <= Math.max(1, attempts); attempt++) {\n    try {\n      return await fn(attempt);\n    } catch (err) {\n      lastError = err;\n      onError?.(err, attempt);\n      if (attempt < attempts) {\n        const delay = baseDelayMs * attempt;\n        await new Promise((resolve) => setTimeout(resolve, delay));\n      }\n    }\n  }\n\n  throw errorFactory ? errorFactory() : toError(lastError ?? new Error('Retry exhausted'));\n}\n"],"mappings":";;;;;AAOA,eAAsB,yBACpB,KACA,SACA,eACiF;CAEjF,MAAM,mBAAmB,IAAI;AAC7B,KAAI,CAAC,iBACH,OAAM,IAAI,MAAM;AAIlB,KACE,CAAC,IAAI,aAAa,iBAClB,CAAC,IAAI,aAAa,oBAClB,IAAI,aAAa,kBAAkB,cAEnC,OAAM,IAAI,MAAM;CAGlB,MAAM,OAAO,IAAI,cAAc;CAC/B,IAAIA;CACJ,IAAIC;AAEJ,SAAQ,QAAQ,MAAhB;EACE,KAAK,uBAAuB;AAC1B,2BAAwB,QAAQ,QAAQ;AACxC,sBAAmB,QAAQ,QAAQ;AACnC;EAEF,KAAK,uBAAuB;AAC1B,2BAAwB,QAAQ,QAAQ;AACxC,sBAAmB,MAAM,gCAAgC;IACvD;IACA,WAAW,QAAQ,QAAQ;IAC3B,SAAS,QAAQ,QAAQ;;AAE3B;EAEF,KAAK,uBAAuB;EAC5B,KAAK,uBAAuB;AAC1B,sBAAmB,QAAQ,eAAe,MAAM,oBAAoB,QAAQ,gBAAgB;AAC5F;EAEF,QACE;;CAGJ,MAAM,WAAW;AACjB,QAAO,MAAM,iBAAiB,YAAY;EACxC,MAAM,YAAY,MAAM,IAAI,aAAa,2BAA2B,IAAI,YAAY,EAAE,OAAO;EAC7F,MAAM,eAAgB,QAAQ,SAAS,uBAAuB,oBAAoB,QAAQ,SAAS,uBAAuB,eACrH,MAAM,iBAAiB,4BAA4B;GAClD,cAAc;IACZ,QAAQ;IACR;IACA,aAAa,UAAU;IACvB,WAAW,UAAU;IACrB,GAAI,mBAAmB,EAAE,cAAc,qBAAqB;;GAE9D,cAAc;GACd,WAAW,QAAQ;MACjB,eACJ,MAAM,iBAAiB,+BACrB;GACE,QAAQ;GACR;GACA,aAAa,UAAU;GACvB,WAAW,UAAU;GACrB,GAAI,mBAAmB,EAAE,cAAc,qBAAqB;GAC5D,GAAI,wBAAwB,EAAE,0BAA0B;KAE1D,QAAQ;AAGd,SAAO;GACL;GACA,oBAAoB;;IAErB;EACD;EACA,aAAa;EACb,UAAU,KAAK,YAAY;GACzB,MAAM,MAAM,aAAa;GACzB,MAAM,UAAU,WAAW;AAC3B,OAAI,QACF,SAAQ,KAAK,uCAAuC;OAEpD,SAAQ,MAAM,uCAAuC,QAAQ,WAAW;;EAG5E,oCAAoB,IAAI,MAAM;;;AAWlC,eAAe,iBAAoB,IAAqC,SAAmC;CACzG,MAAM,EAAE,UAAU,aAAa,SAAS,iBAAiB;CACzD,IAAIC;AAEJ,MAAK,IAAI,UAAU,GAAG,WAAW,KAAK,IAAI,GAAG,WAAW,UACtD,KAAI;AACF,SAAO,MAAM,GAAG;UACT,KAAK;AACZ,cAAY;AACZ,YAAU,KAAK;AACf,MAAI,UAAU,UAAU;GACtB,MAAM,QAAQ,cAAc;AAC5B,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS;;;AAKzD,OAAM,eAAe,iBAAiB,QAAQ,6BAAa,IAAI,MAAM"}

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/webauthn.js

@@ -1,37 +1,15 @@
-import { init_accountIds, toAccountId } from "../../../../types/accountIds.js";
-import { init_credentialsHelpers, serializeAuthenticationCredentialWithPRF } from "../../../credentialsHelpers.js";
-import { authenticatorsToAllowCredentials, init_touchIdPrompt } from "../../../touchIdPrompt.js";
+import { collectAuthenticationCredentialForVrfChallenge } from "../../../collectAuthenticationCredentialForVrfChallenge.js";
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/webauthn.ts
-init_credentialsHelpers();
-init_accountIds();
-init_touchIdPrompt();
 async function collectAuthenticationCredentialWithPRF({ ctx, nearAccountId, vrfChallenge, onBeforePrompt, includeSecondPrfOutput = false }) {
-	const authenticators = await ctx.indexedDB.clientDB.getAuthenticatorsByUser(toAccountId(nearAccountId));
-	const { authenticatorsForPrompt, wrongPasskeyError } = await ctx.indexedDB.clientDB.ensureCurrentPasskey(toAccountId(nearAccountId), authenticators);
-	if (wrongPasskeyError) throw new Error(wrongPasskeyError);
-	if (authenticatorsForPrompt.length === 1) {
-		const expectedVrfPublicKey = authenticatorsForPrompt[0]?.vrfPublicKey;
-		if (expectedVrfPublicKey && vrfChallenge.vrfPublicKey && expectedVrfPublicKey !== vrfChallenge.vrfPublicKey) throw new Error("Signing session is using a different passkey/VRF session than the current device. Please log in again and retry.");
-	}
-	onBeforePrompt?.({
-		authenticators,
-		authenticatorsForPrompt,
-		vrfChallenge
-	});
-	const credential = await ctx.touchIdPrompt.getAuthenticationCredentialsInternal({
+	return collectAuthenticationCredentialForVrfChallenge({
+		indexedDB: ctx.indexedDB,
+		touchIdPrompt: ctx.touchIdPrompt,
 		nearAccountId,
-		challenge: vrfChallenge,
-		allowCredentials: authenticatorsToAllowCredentials(authenticatorsForPrompt)
-	});
-	const serialized = serializeAuthenticationCredentialWithPRF({
-		credential,
-		firstPrfOutput: true,
-		secondPrfOutput: includeSecondPrfOutput
+		vrfChallenge,
+		includeSecondPrfOutput,
+		onBeforePrompt
 	});
-	const { wrongPasskeyError: wrongSelectedCredentialError } = await ctx.indexedDB.clientDB.ensureCurrentPasskey(toAccountId(nearAccountId), authenticators, serialized.rawId);
-	if (wrongSelectedCredentialError) throw new Error(wrongSelectedCredentialError);
-	return serialized;
 }
 
 //#endregion

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/webauthn.js.map

@@ -1 +1 @@
-{"version":3,"file":"webauthn.js","names":[],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/webauthn.ts"],"sourcesContent":["import type { VrfWorkerManagerContext } from '../../';\nimport type { VRFChallenge } from '../../../../types';\nimport type { SerializableCredential } from '../types';\nimport { serializeAuthenticationCredentialWithPRF } from '../../../credentialsHelpers';\nimport { toAccountId } from '../../../../types/accountIds';\nimport { authenticatorsToAllowCredentials } from '../../../touchIdPrompt';\nimport type { ClientAuthenticatorData } from '../../../../IndexedDBManager';\n\nexport async function collectAuthenticationCredentialWithPRF({\n  ctx,\n  nearAccountId,\n  vrfChallenge,\n  onBeforePrompt,\n  includeSecondPrfOutput = false,\n}: {\n  ctx: VrfWorkerManagerContext;\n  nearAccountId: string;\n  vrfChallenge: VRFChallenge;\n  onBeforePrompt?: (info: {\n    authenticators: ClientAuthenticatorData[];\n    authenticatorsForPrompt: ClientAuthenticatorData[];\n    vrfChallenge: VRFChallenge;\n  }) => void;\n  /**\n   * When true, include PRF.second in the serialized credential.\n   * Use only for explicit recovery/export flows (higher-friction paths).\n   */\n  includeSecondPrfOutput?: boolean;\n}): Promise<SerializableCredential> {\n\n  const authenticators = await ctx.indexedDB.clientDB.getAuthenticatorsByUser(toAccountId(nearAccountId));\n  const { authenticatorsForPrompt, wrongPasskeyError } = await ctx.indexedDB.clientDB.ensureCurrentPasskey(\n    toAccountId(nearAccountId),\n    authenticators,\n  );\n  if (wrongPasskeyError) {\n    throw new Error(wrongPasskeyError);\n  }\n\n  // If we know which device we're targeting (single authenticator), ensure the VRF worker\n  // challenge was generated with the same device's VRF keypair. Otherwise contract verification\n  // will deterministically fail later with \"Contract verification failed\".\n  if (authenticatorsForPrompt.length === 1) {\n    const expectedVrfPublicKey = authenticatorsForPrompt[0]?.vrfPublicKey;\n    // Only enforce mismatch if the challenge strictly requires a specific VRF key.\n    if (expectedVrfPublicKey && vrfChallenge.vrfPublicKey && expectedVrfPublicKey !== vrfChallenge.vrfPublicKey) {\n      throw new Error('Signing session is using a different passkey/VRF session than the current device. Please log in again and retry.');\n    }\n  }\n\n  onBeforePrompt?.({ authenticators, authenticatorsForPrompt, vrfChallenge });\n\n  const credential = await ctx.touchIdPrompt.getAuthenticationCredentialsInternal({\n    nearAccountId,\n    challenge: vrfChallenge,\n    allowCredentials: authenticatorsToAllowCredentials(authenticatorsForPrompt),\n  });\n\n  const serialized = serializeAuthenticationCredentialWithPRF({\n    credential,\n    firstPrfOutput: true,\n    secondPrfOutput: includeSecondPrfOutput,\n  });\n\n  // Verify that the chosen credential matches the \"current\" passkey device, when applicable.\n  const { wrongPasskeyError: wrongSelectedCredentialError } = await ctx.indexedDB.clientDB.ensureCurrentPasskey(\n    toAccountId(nearAccountId),\n    authenticators,\n    serialized.rawId,\n  );\n  if (wrongSelectedCredentialError) {\n    throw new Error(wrongSelectedCredentialError);\n  }\n\n  return serialized;\n}\n"],"mappings":";;;;;;;;AAQA,eAAsB,uCAAuC,EAC3D,KACA,eACA,cACA,gBACA,yBAAyB,SAeS;CAElC,MAAM,iBAAiB,MAAM,IAAI,UAAU,SAAS,wBAAwB,YAAY;CACxF,MAAM,EAAE,yBAAyB,sBAAsB,MAAM,IAAI,UAAU,SAAS,qBAClF,YAAY,gBACZ;AAEF,KAAI,kBACF,OAAM,IAAI,MAAM;AAMlB,KAAI,wBAAwB,WAAW,GAAG;EACxC,MAAM,uBAAuB,wBAAwB,IAAI;AAEzD,MAAI,wBAAwB,aAAa,gBAAgB,yBAAyB,aAAa,aAC7F,OAAM,IAAI,MAAM;;AAIpB,kBAAiB;EAAE;EAAgB;EAAyB;;CAE5D,MAAM,aAAa,MAAM,IAAI,cAAc,qCAAqC;EAC9E;EACA,WAAW;EACX,kBAAkB,iCAAiC;;CAGrD,MAAM,aAAa,yCAAyC;EAC1D;EACA,gBAAgB;EAChB,iBAAiB;;CAInB,MAAM,EAAE,mBAAmB,iCAAiC,MAAM,IAAI,UAAU,SAAS,qBACvF,YAAY,gBACZ,gBACA,WAAW;AAEb,KAAI,6BACF,OAAM,IAAI,MAAM;AAGlB,QAAO"}
+{"version":3,"file":"webauthn.js","names":[],"sources":["../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/webauthn.ts"],"sourcesContent":["import type { VrfWorkerManagerContext } from '../../';\nimport type { VRFChallenge } from '../../../../types';\nimport type { SerializableCredential } from '../types';\nimport type { ClientAuthenticatorData } from '../../../../IndexedDBManager';\nimport { collectAuthenticationCredentialForVrfChallenge } from '../../../collectAuthenticationCredentialForVrfChallenge';\n\nexport async function collectAuthenticationCredentialWithPRF({\n  ctx,\n  nearAccountId,\n  vrfChallenge,\n  onBeforePrompt,\n  includeSecondPrfOutput = false,\n}: {\n  ctx: VrfWorkerManagerContext;\n  nearAccountId: string;\n  vrfChallenge: VRFChallenge;\n  onBeforePrompt?: (info: {\n    authenticators: ClientAuthenticatorData[];\n    authenticatorsForPrompt: ClientAuthenticatorData[];\n    vrfChallenge: VRFChallenge;\n  }) => void;\n  /**\n   * When true, include PRF.second in the serialized credential.\n   * Use only for explicit recovery/export flows (higher-friction paths).\n   */\n  includeSecondPrfOutput?: boolean;\n}): Promise<SerializableCredential> {\n  return collectAuthenticationCredentialForVrfChallenge({\n    indexedDB: ctx.indexedDB,\n    touchIdPrompt: ctx.touchIdPrompt,\n    nearAccountId,\n    vrfChallenge,\n    includeSecondPrfOutput,\n    onBeforePrompt,\n  });\n}\n"],"mappings":";;;AAMA,eAAsB,uCAAuC,EAC3D,KACA,eACA,cACA,gBACA,yBAAyB,SAeS;AAClC,QAAO,+CAA+C;EACpD,WAAW,IAAI;EACf,eAAe,IAAI;EACnB;EACA;EACA;EACA"}

package/dist/esm/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/determineConfirmationConfig.js

@@ -1,9 +1,7 @@
 import { needsExplicitActivation } from "../../../../react/deviceDetection.js";
-import { init_utils } from "../../../../utils/index.js";
 import { SecureConfirmationType } from "./types.js";
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/determineConfirmationConfig.ts
-init_utils();
 /**
 * determineConfirmationConfig
 *