npm - @tatchi-xyz/sdk - Versions diffs - 0.21.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.21.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2488) hide show

package/dist/esm/core/types/signer-worker.js CHANGED Viewed

@@ -1,15 +1,96 @@
-import { __esm } from "../../_virtual/rolldown_runtime.js";
 import { WorkerRequestType, WorkerResponseType } from "../../wasm_signer_worker/pkg/wasm_signer_worker.js";
 //#region src/core/types/signer-worker.ts
+const DEFAULT_THRESHOLD_BEHAVIOR = "strict";
+const DEFAULT_SIGNER_MODE = "local-signer";
+const DEFAULT_SIGNING_MODE = { mode: DEFAULT_SIGNER_MODE };
+function isSignerMode(input) {
+	return input === "local-signer" || input === "threshold-signer";
+}
+function isThresholdBehavior(input) {
+	return input === "fallback" || input === "strict";
+}
+function coerceSignerMode(input, fallback = DEFAULT_SIGNING_MODE) {
+	if (input == null) return fallback;
+	if (typeof input === "string") return isSignerMode(input) ? { mode: input } : fallback;
+	if (typeof input !== "object") return fallback;
+	if (input.mode === "local-signer") return { mode: input.mode };
+	const behavior = input.behavior;
+	return isThresholdBehavior(behavior) ? {
+		mode: input.mode,
+		behavior
+	} : { mode: input.mode };
+}
+/**
+* Merge a mode-only override onto a base signer mode.
+*
+* This is intentionally "partial override" semantics:
+* - override sets `mode` when provided
+* - override sets `behavior` only when explicitly provided
+* - if override switches to `threshold-signer` without specifying `behavior`,
+*   preserve `base.behavior` when base is already `threshold-signer`
+*/
+function mergeSignerMode(base, override) {
+	const baseNormalized = coerceSignerMode(base, DEFAULT_SIGNING_MODE);
+	if (override == null) return baseNormalized;
+	if (typeof override === "string") {
+		if (!isSignerMode(override)) return baseNormalized;
+		if (override === "local-signer") return { mode: "local-signer" };
+		if (baseNormalized.mode === "threshold-signer") {
+			const behavior$1 = baseNormalized.behavior;
+			return isThresholdBehavior(behavior$1) ? {
+				mode: "threshold-signer",
+				behavior: behavior$1
+			} : { mode: "threshold-signer" };
+		}
+		return { mode: "threshold-signer" };
+	}
+	if (typeof override !== "object") return baseNormalized;
+	const mode = override.mode;
+	if (mode === "local-signer") return { mode: "local-signer" };
+	if (mode !== "threshold-signer") return baseNormalized;
+	const behavior = override.behavior;
+	if (isThresholdBehavior(behavior)) return {
+		mode: "threshold-signer",
+		behavior
+	};
+	if (baseNormalized.mode === "threshold-signer") {
+		const baseBehavior = baseNormalized.behavior;
+		if (isThresholdBehavior(baseBehavior)) return {
+			mode: "threshold-signer",
+			behavior: baseBehavior
+		};
+	}
+	return { mode: "threshold-signer" };
+}
+function getThresholdBehaviorFromSignerMode(mode) {
+	if (mode.mode !== "threshold-signer") return DEFAULT_THRESHOLD_BEHAVIOR;
+	return isThresholdBehavior(mode.behavior) ? mode.behavior : DEFAULT_THRESHOLD_BEHAVIOR;
+}
+/**
+* Internal, single-purpose worker request types.
+*
+* These are intentionally *not* exposed as general-purpose "no prompt" signing APIs.
+* They exist to support tightly-scoped post-registration flows without allowing
+* arbitrary actions/receivers to be signed without VRF/WebAuthn binding.
+*/
+const INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT = 10;
+const INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_SUCCESS = 24;
+const INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_FAILURE = 25;
+const DEFAULT_CONFIRMATION_CONFIG = {
+	uiMode: "modal",
+	behavior: "requireClick",
+	autoProceedDelay: 0,
+	theme: "dark"
+};
 function isWorkerProgress(response) {
 	return response.type === WorkerResponseType.RegistrationProgress || response.type === WorkerResponseType.RegistrationComplete || response.type === WorkerResponseType.ExecuteActionsProgress || response.type === WorkerResponseType.ExecuteActionsComplete;
 }
 function isWorkerSuccess(response) {
-	return response.type === WorkerResponseType.DeriveNearKeypairAndEncryptSuccess || response.type === WorkerResponseType.RecoverKeypairFromPasskeySuccess || response.type === WorkerResponseType.DecryptPrivateKeyWithPrfSuccess || response.type === WorkerResponseType.SignTransactionsWithActionsSuccess || response.type === WorkerResponseType.SignDelegateActionSuccess || response.type === WorkerResponseType.ExtractCosePublicKeySuccess || response.type === WorkerResponseType.SignTransactionWithKeyPairSuccess || response.type === WorkerResponseType.SignNep413MessageSuccess || response.type === WorkerResponseType.RegisterDevice2WithDerivedKeySuccess;
+	return response.type === WorkerResponseType.DeriveNearKeypairAndEncryptSuccess || response.type === WorkerResponseType.RecoverKeypairFromPasskeySuccess || response.type === WorkerResponseType.DecryptPrivateKeyWithPrfSuccess || response.type === WorkerResponseType.SignTransactionsWithActionsSuccess || response.type === WorkerResponseType.SignDelegateActionSuccess || response.type === WorkerResponseType.ExtractCosePublicKeySuccess || response.type === WorkerResponseType.SignTransactionWithKeyPairSuccess || response.type === WorkerResponseType.SignNep413MessageSuccess || response.type === WorkerResponseType.RegisterDevice2WithDerivedKeySuccess || response.type === WorkerResponseType.DeriveThresholdEd25519ClientVerifyingShareSuccess || response.type === INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_SUCCESS;
 }
 function isWorkerError(response) {
-	return response.type === WorkerResponseType.DeriveNearKeypairAndEncryptFailure || response.type === WorkerResponseType.RecoverKeypairFromPasskeyFailure || response.type === WorkerResponseType.DecryptPrivateKeyWithPrfFailure || response.type === WorkerResponseType.SignTransactionsWithActionsFailure || response.type === WorkerResponseType.SignDelegateActionFailure || response.type === WorkerResponseType.ExtractCosePublicKeyFailure || response.type === WorkerResponseType.SignTransactionWithKeyPairFailure || response.type === WorkerResponseType.SignNep413MessageFailure || response.type === WorkerResponseType.RegisterDevice2WithDerivedKeyFailure;
+	return response.type === WorkerResponseType.DeriveNearKeypairAndEncryptFailure || response.type === WorkerResponseType.RecoverKeypairFromPasskeyFailure || response.type === WorkerResponseType.DecryptPrivateKeyWithPrfFailure || response.type === WorkerResponseType.SignTransactionsWithActionsFailure || response.type === WorkerResponseType.SignDelegateActionFailure || response.type === WorkerResponseType.ExtractCosePublicKeyFailure || response.type === WorkerResponseType.SignTransactionWithKeyPairFailure || response.type === WorkerResponseType.SignNep413MessageFailure || response.type === WorkerResponseType.RegisterDevice2WithDerivedKeyFailure || response.type === WorkerResponseType.DeriveThresholdEd25519ClientVerifyingShareFailure || response.type === INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_FAILURE;
 }
 function isDeriveNearKeypairAndEncryptSuccess(response) {
 	return response.type === WorkerResponseType.DeriveNearKeypairAndEncryptSuccess;
@@ -20,6 +101,9 @@ function isRecoverKeypairFromPasskeySuccess(response) {
 function isSignTransactionsWithActionsSuccess(response) {
 	return response.type === WorkerResponseType.SignTransactionsWithActionsSuccess;
 }
+function isSignAddKeyThresholdPublicKeyNoPromptSuccess(response) {
+	return response.type === INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_SUCCESS;
+}
 function isSignDelegateActionSuccess(response) {
 	return response.type === WorkerResponseType.SignDelegateActionSuccess;
 }
@@ -35,17 +119,7 @@ function isSignNep413MessageSuccess(response) {
 function isRegisterDevice2WithDerivedKeySuccess(response) {
 	return response.type === WorkerResponseType.RegisterDevice2WithDerivedKeySuccess;
 }
-var DEFAULT_CONFIRMATION_CONFIG;
-var init_signer_worker = __esm({ "src/core/types/signer-worker.ts": (() => {
-	DEFAULT_CONFIRMATION_CONFIG = {
-		uiMode: "modal",
-		behavior: "requireClick",
-		autoProceedDelay: 0,
-		theme: "dark"
-	};
-}) });
 //#endregion
-init_signer_worker();
-export { DEFAULT_CONFIRMATION_CONFIG, WorkerRequestType, WorkerResponseType, init_signer_worker, isDecryptPrivateKeyWithPrfSuccess, isDeriveNearKeypairAndEncryptSuccess, isExtractCosePublicKeySuccess, isRecoverKeypairFromPasskeySuccess, isRegisterDevice2WithDerivedKeySuccess, isSignDelegateActionSuccess, isSignNep413MessageSuccess, isSignTransactionsWithActionsSuccess, isWorkerError, isWorkerProgress, isWorkerSuccess };
+export { DEFAULT_CONFIRMATION_CONFIG, DEFAULT_SIGNING_MODE, DEFAULT_THRESHOLD_BEHAVIOR, INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT, WorkerRequestType, WorkerResponseType, coerceSignerMode, getThresholdBehaviorFromSignerMode, isDecryptPrivateKeyWithPrfSuccess, isDeriveNearKeypairAndEncryptSuccess, isExtractCosePublicKeySuccess, isRecoverKeypairFromPasskeySuccess, isRegisterDevice2WithDerivedKeySuccess, isSignAddKeyThresholdPublicKeyNoPromptSuccess, isSignDelegateActionSuccess, isSignNep413MessageSuccess, isSignTransactionsWithActionsSuccess, isWorkerError, isWorkerProgress, isWorkerSuccess, mergeSignerMode };
 //# sourceMappingURL=signer-worker.js.map

package/dist/esm/core/types/signer-worker.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"signer-worker.js","names":["DEFAULT_CONFIRMATION_CONFIG: ConfirmationConfig"],"sources":["../../../../src/core/types/signer-worker.ts"],"sourcesContent":["\n// === IMPORT AUTO-GENERATED WASM TYPES ===\n// These are the source of truth generated from Rust structs via wasm-bindgen\n// Import as instance types from the WASM module classes\nimport * as wasmModule from '../../wasm_signer_worker/pkg/wasm_signer_worker.js';\nimport { WorkerRequestType, WorkerResponseType } from '../../wasm_signer_worker/pkg/wasm_signer_worker.js';\nexport { WorkerRequestType, WorkerResponseType }; // Export the WASM enums directly\n\nimport { StripFree } from \"./index.js\";\nimport type { onProgressEvents } from \"./sdkSentEvents.js\";\nimport type { TransactionContext } from './rpc.js';\nimport type { VRFChallenge } from './vrf-worker.js';\nimport type { ActionArgsWasm } from './actions.js';\n\nexport type WasmTransaction = wasmModule.WasmTransaction;\nexport type WasmSignature = wasmModule.WasmSignature;\n\nexport interface TransactionPayload {\n nearAccountId: string;\n receiverId: string;\n actions: ActionArgsWasm[];\n}\nexport type RpcCallPayload = StripFree<wasmModule.RpcCallPayload>;\n/*\n RPC call parameters for NEAR operations and VRF generation\n * Used to pass essential parameters for background operations\n * export interface RpcCallPayload {\n * contractId: string; // Web3Authn contract ID for verification\n * nearRpcUrl: string; // NEAR RPC endpoint URL\n * nearAccountId: string; // Account ID for VRF challenge generation\n * }\n /\n\nexport type WasmDeriveNearKeypairAndEncryptRequest = StripFree<wasmModule.DeriveNearKeypairAndEncryptRequest>;\nexport type WasmRecoverKeypairRequest = StripFree<wasmModule.RecoverKeypairRequest>;\nexport interface WasmSignTransactionsWithActionsRequest {\n rpcCall: RpcCallPayload;\n sessionId: string;\n createdAt?: number;\n decryption: StripFree<wasmModule.DecryptionPayload>;\n txSigningRequests: TransactionPayload[];\n intentDigest?: string;\n transactionContext?: TransactionContext;\n vrfChallenge?: VRFChallenge;\n credential?: string;\n}\nexport interface WasmSignDelegateActionRequest {\n rpcCall: RpcCallPayload;\n sessionId: string;\n createdAt?: number;\n decryption: StripFree<wasmModule.DecryptionPayload>;\n delegate: DelegatePayload;\n intentDigest?: string;\n transactionContext?: TransactionContext;\n credential?: string;\n}\nexport interface DelegatePayload {\n senderId: string;\n receiverId: string;\n actions: ActionArgsWasm[];\n nonce: string;\n maxBlockHeight: string;\n publicKey: string;\n}\nexport type WasmDecryptPrivateKeyRequest = StripFree<wasmModule.DecryptPrivateKeyRequest>;\nexport type WasmExtractCosePublicKeyRequest = StripFree<wasmModule.ExtractCoseRequest>;\nexport type WasmSignNep413MessageRequest = StripFree<wasmModule.SignNep413Request>;\nexport interface WasmSignTransactionWithKeyPairRequest {\n nearPrivateKey: string;\n signerAccountId: string;\n receiverId: string;\n nonce: string;\n blockHash: string;\n actions: ActionArgsWasm[];\n}\n// Combined Device2 registration handler (derive + sign in one step)\nexport type WasmRegisterDevice2WithDerivedKeyRequest = StripFree<wasmModule.RegisterDevice2WithDerivedKeyRequest>;\n\nexport type WasmRequestPayload = WasmDeriveNearKeypairAndEncryptRequest\n \| WasmRecoverKeypairRequest\n \| WasmSignTransactionsWithActionsRequest\n \| WasmSignDelegateActionRequest\n \| WasmDecryptPrivateKeyRequest\n \| WasmExtractCosePublicKeyRequest\n \| WasmSignNep413MessageRequest\n \| WasmSignTransactionWithKeyPairRequest\n \| WasmRegisterDevice2WithDerivedKeyRequest;\n\n// WASM Worker Response Types\nexport type WasmRecoverKeypairResult = InstanceType<typeof wasmModule.RecoverKeypairResult>;\nexport type WasmSignedTransaction = InstanceType<typeof wasmModule.WasmSignedTransaction>;\nexport type WasmSignedDelegate = wasmModule.WasmSignedDelegate;\nexport type WasmDelegateAction = wasmModule.WasmDelegateAction;\nexport type WasmTransactionSignResult = InstanceType<typeof wasmModule.TransactionSignResult>;\nexport type WasmDelegateSignResult = wasmModule.DelegateSignResult;\nexport type WasmDecryptPrivateKeyResult = InstanceType<typeof wasmModule.DecryptPrivateKeyResult>;\nexport type WasmDeriveNearKeypairAndEncryptResult = InstanceType<typeof wasmModule.DeriveNearKeypairAndEncryptResult>;\n// wasm-bindgen generates some classes with private constructors, which breaks\n// `InstanceType<typeof Class>`. Use the class name directly for the instance type.\nexport type WasmRegisterDevice2WithDerivedKeyResult = InstanceType<typeof wasmModule.RegisterDevice2WithDerivedKeyResult>;\n\n// === WORKER REQUEST TYPE MAPPING ===\n// Define the complete type mapping for each worker request\nexport interface WorkerRequestTypeMap {\n [WorkerRequestType.DeriveNearKeypairAndEncrypt]: {\n type: WorkerRequestType.DeriveNearKeypairAndEncrypt;\n request: WasmDeriveNearKeypairAndEncryptRequest;\n result: WasmDeriveNearKeypairAndEncryptResult;\n };\n [WorkerRequestType.RecoverKeypairFromPasskey]: {\n type: WorkerRequestType.RecoverKeypairFromPasskey;\n request: WasmRecoverKeypairRequest;\n result: WasmRecoverKeypairResult;\n };\n [WorkerRequestType.SignTransactionsWithActions]: {\n type: WorkerRequestType.SignTransactionsWithActions;\n request: WasmSignTransactionsWithActionsRequest;\n result: WasmTransactionSignResult;\n };\n [WorkerRequestType.SignDelegateAction]: {\n type: WorkerRequestType.SignDelegateAction;\n request: WasmSignDelegateActionRequest;\n result: WasmDelegateSignResult;\n };\n [WorkerRequestType.DecryptPrivateKeyWithPrf]: {\n type: WorkerRequestType.DecryptPrivateKeyWithPrf;\n request: WasmDecryptPrivateKeyRequest;\n result: WasmDecryptPrivateKeyResult;\n };\n [WorkerRequestType.ExtractCosePublicKey]: {\n type: WorkerRequestType.ExtractCosePublicKey;\n request: WasmExtractCosePublicKeyRequest;\n result: wasmModule.CoseExtractionResult;\n };\n [WorkerRequestType.SignTransactionWithKeyPair]: {\n type: WorkerRequestType.SignTransactionWithKeyPair;\n request: WasmSignTransactionWithKeyPairRequest;\n result: WasmTransactionSignResult;\n };\n [WorkerRequestType.SignNep413Message]: {\n type: WorkerRequestType.SignNep413Message;\n request: WasmSignNep413MessageRequest;\n result: wasmModule.SignNep413Result;\n };\n [WorkerRequestType.RegisterDevice2WithDerivedKey]: {\n type: WorkerRequestType.RegisterDevice2WithDerivedKey;\n request: WasmRegisterDevice2WithDerivedKeyRequest;\n result: WasmRegisterDevice2WithDerivedKeyResult;\n };\n}\n\n/\n Validation rules for ConfirmationConfig to ensure behavior conforms to UI mode:\n \n - uiMode: 'skip' → behavior is ignored, autoProceedDelay is ignored\n * - uiMode: 'modal' \| 'drawer' → behavior: 'requireClick' \| 'autoProceed', autoProceedDelay only used with 'autoProceed'\n \n The WASM worker automatically validates and overrides these settings:\n * - For 'skip' mode: behavior is set to 'autoProceed' with autoProceedDelay: 0\n * - For 'modal' and 'drawer' modes: behavior and autoProceedDelay are used as specified\n \n The actual type would be the following, but we use the flat interface for simplicity:\n * export interface ConfirmationConfig {\n * uiMode: 'skip' \| 'modal' \| 'drawer'\n \n }\n /\nexport type ConfirmationUIMode = 'skip' \| 'modal' \| 'drawer';\nexport type ConfirmationBehavior = 'requireClick' \| 'autoProceed';\nexport interface ConfirmationConfig {\n /* Type of UI to display for confirmation: 'skip' \| 'modal' \| 'drawer' /\n uiMode: ConfirmationUIMode;\n /* How the confirmation UI behaves: 'requireClick' \| 'autoProceed' /\n behavior: ConfirmationBehavior;\n /* Delay in milliseconds before auto-proceeding (only used with autoProceed) /\n autoProceedDelay?: number;\n /* Theme for the confirmation UI: 'dark' \| 'light' /\n theme: 'dark' \| 'light';\n}\n\nexport const DEFAULT_CONFIRMATION_CONFIG: ConfirmationConfig = {\n uiMode: 'modal',\n behavior: 'requireClick',\n autoProceedDelay: 0,\n theme: 'dark',\n};\n\n// WASM enum types for confirmation configuration\nexport type WasmConfirmationUIMode = wasmModule.ConfirmationUIMode;\nexport type WasmConfirmationBehavior = wasmModule.ConfirmationBehavior;\n\n// Mapping functions to convert string literals to numeric enum values\nexport const mapUIModeToWasm = (uiMode: ConfirmationUIMode): number => {\n switch (uiMode) {\n case 'skip': return wasmModule.ConfirmationUIMode.Skip;\n case 'modal': return wasmModule.ConfirmationUIMode.Modal;\n // Drawer now has a dedicated WASM enum variant\n case 'drawer': return (wasmModule as any).ConfirmationUIMode.Drawer ?? wasmModule.ConfirmationUIMode.Modal;\n default: return wasmModule.ConfirmationUIMode.Modal;\n }\n};\n\nexport const mapBehaviorToWasm = (behavior: ConfirmationBehavior): number => {\n switch (behavior) {\n case 'requireClick': return wasmModule.ConfirmationBehavior.RequireClick;\n case 'autoProceed': return wasmModule.ConfirmationBehavior.AutoProceed;\n default: return wasmModule.ConfirmationBehavior.RequireClick;\n }\n};\nexport type WasmRequestResult = WasmRecoverKeypairResult\n \| WasmSignedTransaction\n \| WasmSignedDelegate\n \| WasmTransactionSignResult\n \| WasmDelegateSignResult\n \| WasmDecryptPrivateKeyResult\n\nexport interface SignerWorkerMessage<T extends WorkerRequestType, R extends WasmRequestPayload> {\n type: T;\n payload: R;\n}\n\n/\n =============================\n * Worker Progress Message Types\n * =============================\n \n 1. PROGRESS MESSAGES (During Operation):\n * Rust WASM → send_typed_progress_message() → TypeScript sendProgressMessage() → postMessage() → Main Thread\n * - Used for real-time updates during long operations\n * - Multiple progress messages can be sent per operation\n * - Does not affect the final result\n * - Types: ProgressMessageType, ProgressStep, ProgressStatus (auto-generated from Rust)\n \n 2. FINAL RESULTS (Operation Complete):\n * Rust WASM → return value from handle_signer_message() → TypeScript worker → postMessage() → Main Thread\n * - Contains the actual operation result (success/error)\n * - Only one result message per operation\n * - This is what the main thread awaits for completion\n */\n\n// === PROGRESS MESSAGE TYPES ===\n\n// Basic interface for development - actual types are auto-generated from Rust\nexport type ProgressMessage = wasmModule.WorkerProgressMessage;\n\n// Type guard for basic progress message validation during development\nexport function isProgressMessage(obj: unknown): obj is ProgressMessage {\n return (\n typeof obj === 'object' &&\n obj !== null &&\n typeof (obj as { message_type?: unknown }).message_type === 'string' &&\n typeof (obj as { step?: unknown }).step === 'string' &&\n typeof (obj as { message?: unknown }).message === 'string' &&\n typeof (obj as { status?: unknown }).status === 'string'\n );\n}\n\nexport enum ProgressMessageType {\n REGISTRATION_PROGRESS = 'REGISTRATION_PROGRESS',\n REGISTRATION_COMPLETE = 'REGISTRATION_COMPLETE',\n EXECUTE_ACTIONS_PROGRESS = 'EXECUTE_ACTIONS_PROGRESS',\n EXECUTE_ACTIONS_COMPLETE = 'EXECUTE_ACTIONS_COMPLETE',\n}\n\n// Step identifiers for progress tracking\n// This enum exactly matches the Rust WASM ProgressStep enum from:\n// packages/passkey/src/wasm_signer_worker/src/types/progress.rs\n// The string values come from the progress_step_name() function in that file\nexport enum ProgressStep {\n PREPARATION = 'preparation', // Rust: Preparation\n WEBAUTHN_AUTHENTICATION = 'webauthn-authentication', // Rust: WebauthnAuthentication\n AUTHENTICATION_COMPLETE = 'authentication-complete', // Rust: AuthenticationComplete\n TRANSACTION_SIGNING_PROGRESS = 'transaction-signing-progress', // Rust: TransactionSigningProgress\n TRANSACTION_SIGNING_COMPLETE = 'transaction-signing-complete', // Rust: TransactionSigningComplete\n ERROR = 'error', // Rust: Error\n}\n\nexport interface ProgressStepMap {\n [wasmModule.ProgressStep.Preparation]: ProgressStep.PREPARATION;\n [wasmModule.ProgressStep.WebauthnAuthentication]: ProgressStep.WEBAUTHN_AUTHENTICATION;\n [wasmModule.ProgressStep.AuthenticationComplete]: ProgressStep.AUTHENTICATION_COMPLETE;\n [wasmModule.ProgressStep.TransactionSigningProgress]: ProgressStep.TRANSACTION_SIGNING_PROGRESS;\n [wasmModule.ProgressStep.TransactionSigningComplete]: ProgressStep.TRANSACTION_SIGNING_COMPLETE;\n [wasmModule.ProgressStep.Error]: ProgressStep.ERROR;\n}\n\n// === RESPONSE MESSAGE INTERFACES ===\n\n// Base interface for all worker responses\nexport interface BaseWorkerResponse {\n type: WorkerResponseType;\n payload: unknown;\n}\n\n// Map request types to their expected success response payloads (WASM types)\nexport interface RequestResponseMap {\n [WorkerRequestType.DeriveNearKeypairAndEncrypt]: WasmDeriveNearKeypairAndEncryptResult;\n [WorkerRequestType.RecoverKeypairFromPasskey]: WasmRecoverKeypairResult;\n [WorkerRequestType.DecryptPrivateKeyWithPrf]: WasmDecryptPrivateKeyResult;\n [WorkerRequestType.SignTransactionsWithActions]: WasmTransactionSignResult;\n [WorkerRequestType.SignDelegateAction]: WasmDelegateSignResult;\n [WorkerRequestType.ExtractCosePublicKey]: wasmModule.CoseExtractionResult;\n [WorkerRequestType.SignTransactionWithKeyPair]: WasmTransactionSignResult;\n [WorkerRequestType.SignNep413Message]: wasmModule.SignNep413Result;\n [WorkerRequestType.RegisterDevice2WithDerivedKey]: WasmRegisterDevice2WithDerivedKeyResult;\n}\n\n// Generic success response type that uses WASM types\nexport interface WorkerSuccessResponse<T extends WorkerRequestType> extends BaseWorkerResponse {\n type: WorkerResponseType;\n payload: RequestResponseMap[T];\n}\n\n// Generic error response type\nexport interface WorkerErrorResponse extends BaseWorkerResponse {\n type: WorkerResponseType;\n payload: {\n error: string;\n errorCode?: WorkerErrorCode;\n context?: Record<string, unknown>;\n };\n}\n\nexport enum WorkerErrorCode {\n WASM_INIT_FAILED = 'WASM_INIT_FAILED',\n INVALID_REQUEST = 'INVALID_REQUEST',\n TIMEOUT = 'TIMEOUT',\n ENCRYPTION_FAILED = 'ENCRYPTION_FAILED',\n DECRYPTION_FAILED = 'DECRYPTION_FAILED',\n SIGNING_FAILED = 'SIGNING_FAILED',\n STORAGE_FAILED = 'STORAGE_FAILED',\n UNKNOWN_ERROR = 'UNKNOWN_ERROR',\n}\n\nexport interface WorkerProgressResponse extends BaseWorkerResponse {\n type: WorkerResponseType;\n payload: onProgressEvents\n}\n\n// === MAIN RESPONSE TYPE ===\n\ntype RequestTypeKey = keyof RequestResponseMap;\n\nexport type WorkerResponseForRequest<T extends RequestTypeKey> =\n \| WorkerSuccessResponse<T>\n \| WorkerErrorResponse\n \| WorkerProgressResponse;\n\n// === CONVENIENCE TYPE ALIASES ===\n\nexport type EncryptionResponse = WorkerResponseForRequest<typeof WorkerRequestType.DeriveNearKeypairAndEncrypt>;\nexport type RecoveryResponse = WorkerResponseForRequest<typeof WorkerRequestType.RecoverKeypairFromPasskey>;\nexport type TransactionResponse = WorkerResponseForRequest<typeof WorkerRequestType.SignTransactionsWithActions>;\nexport type DelegateSignResponse = WorkerResponseForRequest<typeof WorkerRequestType.SignDelegateAction>;\nexport type DecryptionResponse = WorkerResponseForRequest<typeof WorkerRequestType.DecryptPrivateKeyWithPrf>;\nexport type CoseExtractionResponse = WorkerResponseForRequest<typeof WorkerRequestType.ExtractCosePublicKey>;\nexport type Nep413SigningResponse = WorkerResponseForRequest<typeof WorkerRequestType.SignNep413Message>;\n\n// === TYPE GUARDS FOR GENERIC RESPONSES ===\n\nexport function isWorkerProgress<T extends RequestTypeKey>(\n response: WorkerResponseForRequest<T>\n): response is WorkerProgressResponse {\n return (\n response.type === WorkerResponseType.RegistrationProgress \|\|\n response.type === WorkerResponseType.RegistrationComplete \|\|\n response.type === WorkerResponseType.ExecuteActionsProgress \|\|\n response.type === WorkerResponseType.ExecuteActionsComplete\n );\n}\n\nexport function isWorkerSuccess<T extends RequestTypeKey>(\n response: WorkerResponseForRequest<T>\n): response is WorkerSuccessResponse<T> {\n return (\n response.type === WorkerResponseType.DeriveNearKeypairAndEncryptSuccess \|\|\n response.type === WorkerResponseType.RecoverKeypairFromPasskeySuccess \|\|\n response.type === WorkerResponseType.DecryptPrivateKeyWithPrfSuccess \|\|\n response.type === WorkerResponseType.SignTransactionsWithActionsSuccess \|\|\n response.type === WorkerResponseType.SignDelegateActionSuccess \|\|\n response.type === WorkerResponseType.ExtractCosePublicKeySuccess \|\|\n response.type === WorkerResponseType.SignTransactionWithKeyPairSuccess \|\|\n response.type === WorkerResponseType.SignNep413MessageSuccess \|\|\n response.type === WorkerResponseType.RegisterDevice2WithDerivedKeySuccess\n );\n}\n\nexport function isWorkerError<T extends RequestTypeKey>(\n response: WorkerResponseForRequest<T>\n): response is WorkerErrorResponse {\n return (\n response.type === WorkerResponseType.DeriveNearKeypairAndEncryptFailure \|\|\n response.type === WorkerResponseType.RecoverKeypairFromPasskeyFailure \|\|\n response.type === WorkerResponseType.DecryptPrivateKeyWithPrfFailure \|\|\n response.type === WorkerResponseType.SignTransactionsWithActionsFailure \|\|\n response.type === WorkerResponseType.SignDelegateActionFailure \|\|\n response.type === WorkerResponseType.ExtractCosePublicKeyFailure \|\|\n response.type === WorkerResponseType.SignTransactionWithKeyPairFailure \|\|\n response.type === WorkerResponseType.SignNep413MessageFailure \|\|\n response.type === WorkerResponseType.RegisterDevice2WithDerivedKeyFailure\n );\n}\n\n// === SPECIFIC TYPE GUARDS FOR COMMON OPERATIONS ===\n\nexport function isDeriveNearKeypairAndEncryptSuccess(response: EncryptionResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.DeriveNearKeypairAndEncrypt> {\n return response.type === WorkerResponseType.DeriveNearKeypairAndEncryptSuccess;\n}\n\nexport function isRecoverKeypairFromPasskeySuccess(response: RecoveryResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.RecoverKeypairFromPasskey> {\n return response.type === WorkerResponseType.RecoverKeypairFromPasskeySuccess;\n}\n\nexport function isSignTransactionsWithActionsSuccess(response: TransactionResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.SignTransactionsWithActions> {\n return response.type === WorkerResponseType.SignTransactionsWithActionsSuccess;\n}\n\nexport function isSignDelegateActionSuccess(response: DelegateSignResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.SignDelegateAction> {\n return response.type === WorkerResponseType.SignDelegateActionSuccess;\n}\n\nexport function isDecryptPrivateKeyWithPrfSuccess(response: DecryptionResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.DecryptPrivateKeyWithPrf> {\n return response.type === WorkerResponseType.DecryptPrivateKeyWithPrfSuccess;\n}\n\nexport function isExtractCosePublicKeySuccess(response: CoseExtractionResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.ExtractCosePublicKey> {\n return response.type === WorkerResponseType.ExtractCosePublicKeySuccess;\n}\n\nexport function isSignNep413MessageSuccess(response: Nep413SigningResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.SignNep413Message> {\n return response.type === WorkerResponseType.SignNep413MessageSuccess;\n}\n\nexport function isRegisterDevice2WithDerivedKeySuccess(\n response: WorkerResponseForRequest<typeof WorkerRequestType.RegisterDevice2WithDerivedKey>\n): response is WorkerSuccessResponse<typeof WorkerRequestType.RegisterDevice2WithDerivedKey> {\n return response.type === WorkerResponseType.RegisterDevice2WithDerivedKeySuccess;\n}\n"],"mappings":";;;;AAwWA,SAAgB,iBACd,UACoC;AACpC,QACE,SAAS,SAAS,mBAAmB,wBACrC,SAAS,SAAS,mBAAmB,wBACrC,SAAS,SAAS,mBAAmB,0BACrC,SAAS,SAAS,mBAAmB;;AAIzC,SAAgB,gBACd,UACsC;AACtC,QACE,SAAS,SAAS,mBAAmB,sCACrC,SAAS,SAAS,mBAAmB,oCACrC,SAAS,SAAS,mBAAmB,mCACrC,SAAS,SAAS,mBAAmB,sCACrC,SAAS,SAAS,mBAAmB,6BACrC,SAAS,SAAS,mBAAmB,+BACrC,SAAS,SAAS,mBAAmB,qCACrC,SAAS,SAAS,mBAAmB,4BACrC,SAAS,SAAS,mBAAmB;;AAIzC,SAAgB,cACd,UACiC;AACjC,QACE,SAAS,SAAS,mBAAmB,sCACrC,SAAS,SAAS,mBAAmB,oCACrC,SAAS,SAAS,mBAAmB,mCACrC,SAAS,SAAS,mBAAmB,sCACrC,SAAS,SAAS,mBAAmB,6BACrC,SAAS,SAAS,mBAAmB,+BACrC,SAAS,SAAS,mBAAmB,qCACrC,SAAS,SAAS,mBAAmB,4BACrC,SAAS,SAAS,mBAAmB;;AAMzC,SAAgB,qCAAqC,UAAuH;AAC1K,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,mCAAmC,UAAmH;AACpK,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,qCAAqC,UAAwH;AAC3K,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,4BAA4B,UAAgH;AAC1J,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,kCAAkC,UAAoH;AACpK,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,8BAA8B,UAAoH;AAChK,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,2BAA2B,UAAgH;AACzJ,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,uCACd,UAC2F;AAC3F,QAAO,SAAS,SAAS,mBAAmB;;;;CAhQjCA,8BAAkD;EAC7D,QAAQ;EACR,UAAU;EACV,kBAAkB;EAClB,OAAO"}
1	+ {"version":3,"file":"signer-worker.js","names":["DEFAULT_THRESHOLD_BEHAVIOR: ThresholdBehavior","DEFAULT_SIGNER_MODE: SignerMode['mode']","DEFAULT_SIGNING_MODE: SignerMode","behavior","DEFAULT_CONFIRMATION_CONFIG: ConfirmationConfig"],"sources":["../../../../src/core/types/signer-worker.ts"],"sourcesContent":["\n// === IMPORT AUTO-GENERATED WASM TYPES ===\n// These are the source of truth generated from Rust structs via wasm-bindgen\n// Import as instance types from the WASM module classes\nimport * as wasmModule from '../../wasm_signer_worker/pkg/wasm_signer_worker.js';\nimport { WorkerRequestType, WorkerResponseType } from '../../wasm_signer_worker/pkg/wasm_signer_worker.js';\nexport { WorkerRequestType, WorkerResponseType }; // Export the WASM enums directly\n\nimport { StripFree } from \"./index.js\";\nimport type { onProgressEvents } from \"./sdkSentEvents.js\";\nimport type { TransactionContext } from './rpc.js';\nimport type { VRFChallenge } from './vrf-worker.js';\nimport type { ActionArgsWasm } from './actions.js';\n\nexport type WasmTransaction = wasmModule.WasmTransaction;\nexport type WasmSignature = wasmModule.WasmSignature;\n\nexport type ThresholdBehavior = 'strict' \| 'fallback';\nexport const DEFAULT_THRESHOLD_BEHAVIOR: ThresholdBehavior = 'strict';\n\n/** High-level policy used by SDK APIs (includes optional threshold fallback behavior). /\nexport type SignerMode =\n \| { mode: 'local-signer' }\n \| { mode: 'threshold-signer'; behavior?: ThresholdBehavior };\n\nexport const DEFAULT_SIGNER_MODE: SignerMode['mode'] = 'local-signer';\nexport const DEFAULT_SIGNING_MODE: SignerMode = { mode: DEFAULT_SIGNER_MODE };\n\nexport function isSignerMode(input: unknown): input is SignerMode['mode'] {\n return input === 'local-signer' \|\| input === 'threshold-signer';\n}\n\nexport function isThresholdBehavior(input: unknown): input is ThresholdBehavior {\n return input === 'fallback' \|\| input === 'strict';\n}\n\nexport function coerceSignerMode(\n input?: SignerMode \| SignerMode['mode'] \| null,\n fallback: SignerMode = DEFAULT_SIGNING_MODE,\n): SignerMode {\n if (input == null) return fallback;\n\n if (typeof input === 'string') return isSignerMode(input) ? { mode: input } : fallback;\n\n if (typeof input !== 'object') return fallback;\n\n if (input.mode === 'local-signer') return { mode: input.mode };\n const behavior = input.behavior;\n return isThresholdBehavior(behavior)\n ? { mode: input.mode, behavior }\n : { mode: input.mode };\n}\n\n/* @deprecated use `coerceSignerMode` /\nexport const normalizeSignerMode = coerceSignerMode;\n\n/\n Merge a mode-only override onto a base signer mode.\n \n This is intentionally \"partial override\" semantics:\n * - override sets `mode` when provided\n * - override sets `behavior` only when explicitly provided\n * - if override switches to `threshold-signer` without specifying `behavior`,\n * preserve `base.behavior` when base is already `threshold-signer`\n /\nexport function mergeSignerMode(\n base: SignerMode,\n override?: SignerMode \| SignerMode['mode'] \| null,\n): SignerMode {\n const baseNormalized = coerceSignerMode(base, DEFAULT_SIGNING_MODE);\n if (override == null) return baseNormalized;\n\n // Shorthand: string overrides only switch mode\n if (typeof override === 'string') {\n if (!isSignerMode(override)) return baseNormalized;\n if (override === 'local-signer') return { mode: 'local-signer' };\n // override === 'threshold-signer'\n if (baseNormalized.mode === 'threshold-signer') {\n const behavior = (baseNormalized as { behavior?: unknown }).behavior;\n return isThresholdBehavior(behavior)\n ? { mode: 'threshold-signer', behavior }\n : { mode: 'threshold-signer' };\n }\n return { mode: 'threshold-signer' };\n }\n\n if (typeof override !== 'object') return baseNormalized;\n\n const mode = (override as { mode?: unknown }).mode;\n if (mode === 'local-signer') return { mode: 'local-signer' };\n if (mode !== 'threshold-signer') return baseNormalized;\n\n const behavior = (override as { behavior?: unknown }).behavior;\n if (isThresholdBehavior(behavior)) return { mode: 'threshold-signer', behavior };\n\n // Preserve base threshold behavior when override didn't specify it\n if (baseNormalized.mode === 'threshold-signer') {\n const baseBehavior = (baseNormalized as { behavior?: unknown }).behavior;\n if (isThresholdBehavior(baseBehavior)) return { mode: 'threshold-signer', behavior: baseBehavior };\n }\n return { mode: 'threshold-signer' };\n}\n\nexport function getSignerModeString(mode: SignerMode): SignerMode['mode'] {\n return mode.mode;\n}\n\nexport function getThresholdBehaviorFromSignerMode(mode: SignerMode): ThresholdBehavior {\n if (mode.mode !== 'threshold-signer') return DEFAULT_THRESHOLD_BEHAVIOR;\n return isThresholdBehavior(mode.behavior) ? mode.behavior : DEFAULT_THRESHOLD_BEHAVIOR;\n}\n\n/\n Internal, single-purpose worker request types.\n \n These are intentionally not exposed as general-purpose \"no prompt\" signing APIs.\n * They exist to support tightly-scoped post-registration flows without allowing\n * arbitrary actions/receivers to be signed without VRF/WebAuthn binding.\n /\nexport const INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT = 10 as const;\nexport const INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_SUCCESS = 24 as const;\nexport const INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_FAILURE = 25 as const;\n\ntype InternalSignerWorkerRequestType = typeof INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT;\ntype InternalSignerWorkerResponseType =\n \| typeof INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_SUCCESS\n \| typeof INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_FAILURE;\n\nexport type SignerWorkerRequestType = WorkerRequestType \| InternalSignerWorkerRequestType;\nexport type SignerWorkerResponseType = WorkerResponseType \| InternalSignerWorkerResponseType;\n\nexport interface ThresholdSignerConfig {\n /* Base URL of the relayer server (e.g. https://relay.example.com) /\n relayerUrl: string;\n /* Identifies which relayer-held key share to use /\n relayerKeyId: string;\n /* FROST participant identifier used for the client share (2P only, optional). /\n clientParticipantId?: number;\n /* FROST participant identifier used for the relayer share (2P only, optional). /\n relayerParticipantId?: number;\n /* Optional participant ids (signer set) associated with this threshold key/session. /\n participantIds?: number[];\n /\n Optional short-lived authorization token returned by `/threshold-ed25519/authorize`.\n * When omitted, the signer worker will call `/threshold-ed25519/authorize` on-demand per signature.\n /\n mpcSessionId?: string;\n /\n Optional session policy JSON (serialized) used to mint a relayer threshold session token.\n * When provided alongside a VRF challenge that includes `sessionPolicyDigest32`,\n * the signer worker may call `/threshold-ed25519/session` to obtain a JWT/cookie for session-style signing.\n /\n thresholdSessionPolicyJson?: string;\n /\n Optional bearer token returned by `POST /threshold-ed25519/session`.\n * When present, the signer worker uses it to authenticate `/threshold-ed25519/authorize` requests.\n /\n thresholdSessionJwt?: string;\n /\n Preferred session token delivery mechanism for `/threshold-ed25519/session`.\n * - `jwt` (default): return token in JSON and use Authorization: Bearer on subsequent requests.\n * - `cookie`: set HttpOnly cookie (same-site only).\n /\n thresholdSessionKind?: 'jwt' \| 'cookie';\n}\n\nexport interface TransactionPayload {\n nearAccountId: string;\n receiverId: string;\n actions: ActionArgsWasm[];\n}\nexport type RpcCallPayload = StripFree<wasmModule.RpcCallPayload>;\n/\n RPC call parameters for NEAR operations and VRF generation\n * Used to pass essential parameters for background operations\n * export interface RpcCallPayload {\n * contractId: string; // Web3Authn contract ID for verification\n * nearRpcUrl: string; // NEAR RPC endpoint URL\n * nearAccountId: string; // Account ID for VRF challenge generation\n * }\n /\n\nexport type WasmDeriveNearKeypairAndEncryptRequest = StripFree<wasmModule.DeriveNearKeypairAndEncryptRequest>;\nexport type WasmRecoverKeypairRequest = StripFree<wasmModule.RecoverKeypairRequest>;\nexport type WasmDeriveThresholdEd25519ClientVerifyingShareRequest =\n StripFree<wasmModule.DeriveThresholdEd25519ClientVerifyingShareRequest>;\nexport interface WasmSignTransactionsWithActionsRequest {\n signerMode: SignerMode['mode'];\n rpcCall: RpcCallPayload;\n sessionId: string;\n createdAt?: number;\n decryption: StripFree<wasmModule.DecryptionPayload>;\n threshold?: ThresholdSignerConfig;\n txSigningRequests: TransactionPayload[];\n intentDigest?: string;\n transactionContext?: TransactionContext;\n vrfChallenge?: VRFChallenge;\n credential?: string;\n}\n\nexport interface WasmSignAddKeyThresholdPublicKeyNoPromptRequest {\n sessionId: string;\n createdAt?: number;\n decryption: StripFree<wasmModule.DecryptionPayload>;\n nearAccountId: string;\n thresholdPublicKey: string;\n relayerVerifyingShareB64u: string;\n clientParticipantId?: number;\n relayerParticipantId?: number;\n transactionContext: TransactionContext;\n}\n\nexport interface WasmSignDelegateActionRequest {\n signerMode: SignerMode['mode'];\n rpcCall: RpcCallPayload;\n sessionId: string;\n createdAt?: number;\n decryption: StripFree<wasmModule.DecryptionPayload>;\n threshold?: ThresholdSignerConfig;\n delegate: DelegatePayload;\n intentDigest?: string;\n transactionContext?: TransactionContext;\n vrfChallenge?: VRFChallenge;\n credential?: string;\n}\nexport interface DelegatePayload {\n senderId: string;\n receiverId: string;\n actions: ActionArgsWasm[];\n nonce: string;\n maxBlockHeight: string;\n publicKey: string;\n}\nexport type WasmDecryptPrivateKeyRequest = StripFree<wasmModule.DecryptPrivateKeyRequest>;\nexport type WasmExtractCosePublicKeyRequest = StripFree<wasmModule.ExtractCoseRequest>;\nexport interface WasmSignNep413MessageRequest {\n signerMode: SignerMode['mode'];\n sessionId: string;\n accountId: string;\n nearPublicKey: string;\n decryption: StripFree<wasmModule.DecryptionPayload>;\n threshold?: ThresholdSignerConfig;\n message: string;\n recipient: string;\n nonce: string;\n state?: string;\n vrfChallenge?: VRFChallenge;\n credential?: string;\n}\nexport interface WasmSignTransactionWithKeyPairRequest {\n nearPrivateKey: string;\n signerAccountId: string;\n receiverId: string;\n nonce: string;\n blockHash: string;\n actions: ActionArgsWasm[];\n}\n// Combined Device2 registration handler (derive + sign in one step)\nexport type WasmRegisterDevice2WithDerivedKeyRequest = StripFree<wasmModule.RegisterDevice2WithDerivedKeyRequest>;\n\nexport type WasmRequestPayload = WasmDeriveNearKeypairAndEncryptRequest\n \| WasmRecoverKeypairRequest\n \| WasmDeriveThresholdEd25519ClientVerifyingShareRequest\n \| WasmSignTransactionsWithActionsRequest\n \| WasmSignAddKeyThresholdPublicKeyNoPromptRequest\n \| WasmSignDelegateActionRequest\n \| WasmDecryptPrivateKeyRequest\n \| WasmExtractCosePublicKeyRequest\n \| WasmSignNep413MessageRequest\n \| WasmSignTransactionWithKeyPairRequest\n \| WasmRegisterDevice2WithDerivedKeyRequest;\n\n// WASM Worker Response Types\nexport type WasmRecoverKeypairResult = InstanceType<typeof wasmModule.RecoverKeypairResult>;\nexport type WasmSignedTransaction = InstanceType<typeof wasmModule.WasmSignedTransaction>;\nexport type WasmSignedDelegate = wasmModule.WasmSignedDelegate;\nexport type WasmDelegateAction = wasmModule.WasmDelegateAction;\nexport type WasmTransactionSignResult = InstanceType<typeof wasmModule.TransactionSignResult>;\nexport type WasmDelegateSignResult = wasmModule.DelegateSignResult;\nexport type WasmDecryptPrivateKeyResult = InstanceType<typeof wasmModule.DecryptPrivateKeyResult>;\nexport type WasmDeriveNearKeypairAndEncryptResult = InstanceType<typeof wasmModule.DeriveNearKeypairAndEncryptResult>;\n// wasm-bindgen generates some classes with private constructors, which breaks\n// `InstanceType<typeof Class>`. Use the class name directly for the instance type.\nexport type WasmRegisterDevice2WithDerivedKeyResult = InstanceType<typeof wasmModule.RegisterDevice2WithDerivedKeyResult>;\n// wasm-bindgen may generate classes with private constructors, which breaks\n// `InstanceType<typeof Class>`. Use the class name directly for the instance type.\nexport type WasmDeriveThresholdEd25519ClientVerifyingShareResult =\n wasmModule.DeriveThresholdEd25519ClientVerifyingShareResult;\n\n// === WORKER REQUEST TYPE MAPPING ===\n// Define the complete type mapping for each worker request\nexport interface WorkerRequestTypeMap {\n [WorkerRequestType.DeriveNearKeypairAndEncrypt]: {\n type: WorkerRequestType.DeriveNearKeypairAndEncrypt;\n request: WasmDeriveNearKeypairAndEncryptRequest;\n result: WasmDeriveNearKeypairAndEncryptResult;\n };\n [WorkerRequestType.RecoverKeypairFromPasskey]: {\n type: WorkerRequestType.RecoverKeypairFromPasskey;\n request: WasmRecoverKeypairRequest;\n result: WasmRecoverKeypairResult;\n };\n [WorkerRequestType.DeriveThresholdEd25519ClientVerifyingShare]: {\n type: WorkerRequestType.DeriveThresholdEd25519ClientVerifyingShare;\n request: WasmDeriveThresholdEd25519ClientVerifyingShareRequest;\n result: WasmDeriveThresholdEd25519ClientVerifyingShareResult;\n };\n [WorkerRequestType.SignTransactionsWithActions]: {\n type: WorkerRequestType.SignTransactionsWithActions;\n request: WasmSignTransactionsWithActionsRequest;\n result: WasmTransactionSignResult;\n };\n [INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT]: {\n type: typeof INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT;\n request: WasmSignAddKeyThresholdPublicKeyNoPromptRequest;\n result: WasmTransactionSignResult;\n };\n [WorkerRequestType.SignDelegateAction]: {\n type: WorkerRequestType.SignDelegateAction;\n request: WasmSignDelegateActionRequest;\n result: WasmDelegateSignResult;\n };\n [WorkerRequestType.DecryptPrivateKeyWithPrf]: {\n type: WorkerRequestType.DecryptPrivateKeyWithPrf;\n request: WasmDecryptPrivateKeyRequest;\n result: WasmDecryptPrivateKeyResult;\n };\n [WorkerRequestType.ExtractCosePublicKey]: {\n type: WorkerRequestType.ExtractCosePublicKey;\n request: WasmExtractCosePublicKeyRequest;\n result: wasmModule.CoseExtractionResult;\n };\n [WorkerRequestType.SignTransactionWithKeyPair]: {\n type: WorkerRequestType.SignTransactionWithKeyPair;\n request: WasmSignTransactionWithKeyPairRequest;\n result: WasmTransactionSignResult;\n };\n [WorkerRequestType.SignNep413Message]: {\n type: WorkerRequestType.SignNep413Message;\n request: WasmSignNep413MessageRequest;\n result: wasmModule.SignNep413Result;\n };\n [WorkerRequestType.RegisterDevice2WithDerivedKey]: {\n type: WorkerRequestType.RegisterDevice2WithDerivedKey;\n request: WasmRegisterDevice2WithDerivedKeyRequest;\n result: WasmRegisterDevice2WithDerivedKeyResult;\n };\n}\n\n/\n Validation rules for ConfirmationConfig to ensure behavior conforms to UI mode:\n \n - uiMode: 'skip' → behavior is ignored, autoProceedDelay is ignored\n * - uiMode: 'modal' \| 'drawer' → behavior: 'requireClick' \| 'autoProceed', autoProceedDelay only used with 'autoProceed'\n \n The WASM worker automatically validates and overrides these settings:\n * - For 'skip' mode: behavior is set to 'autoProceed' with autoProceedDelay: 0\n * - For 'modal' and 'drawer' modes: behavior and autoProceedDelay are used as specified\n \n The actual type would be the following, but we use the flat interface for simplicity:\n * export interface ConfirmationConfig {\n * uiMode: 'skip' \| 'modal' \| 'drawer'\n \n }\n /\nexport type ConfirmationUIMode = 'skip' \| 'modal' \| 'drawer';\nexport type ConfirmationBehavior = 'requireClick' \| 'autoProceed';\nexport interface ConfirmationConfig {\n /* Type of UI to display for confirmation: 'skip' \| 'modal' \| 'drawer' /\n uiMode: ConfirmationUIMode;\n /* How the confirmation UI behaves: 'requireClick' \| 'autoProceed' /\n behavior: ConfirmationBehavior;\n /* Delay in milliseconds before auto-proceeding (only used with autoProceed) /\n autoProceedDelay?: number;\n /* Theme for the confirmation UI: 'dark' \| 'light' /\n theme: 'dark' \| 'light';\n}\n\nexport const DEFAULT_CONFIRMATION_CONFIG: ConfirmationConfig = {\n uiMode: 'modal',\n behavior: 'requireClick',\n autoProceedDelay: 0,\n theme: 'dark',\n};\n\n// WASM enum types for confirmation configuration\nexport type WasmConfirmationUIMode = wasmModule.ConfirmationUIMode;\nexport type WasmConfirmationBehavior = wasmModule.ConfirmationBehavior;\n\n// Mapping functions to convert string literals to numeric enum values\nexport const mapUIModeToWasm = (uiMode: ConfirmationUIMode): number => {\n switch (uiMode) {\n case 'skip': return wasmModule.ConfirmationUIMode.Skip;\n case 'modal': return wasmModule.ConfirmationUIMode.Modal;\n // Drawer now has a dedicated WASM enum variant\n case 'drawer': return (wasmModule as any).ConfirmationUIMode.Drawer ?? wasmModule.ConfirmationUIMode.Modal;\n default: return wasmModule.ConfirmationUIMode.Modal;\n }\n};\n\nexport const mapBehaviorToWasm = (behavior: ConfirmationBehavior): number => {\n switch (behavior) {\n case 'requireClick': return wasmModule.ConfirmationBehavior.RequireClick;\n case 'autoProceed': return wasmModule.ConfirmationBehavior.AutoProceed;\n default: return wasmModule.ConfirmationBehavior.RequireClick;\n }\n};\nexport type WasmRequestResult = WasmRecoverKeypairResult\n \| WasmSignedTransaction\n \| WasmSignedDelegate\n \| WasmTransactionSignResult\n \| WasmDelegateSignResult\n \| WasmDecryptPrivateKeyResult\n\nexport interface SignerWorkerMessage<T extends SignerWorkerRequestType, R extends WasmRequestPayload> {\n type: T;\n payload: R;\n}\n\n/\n =============================\n * Worker Progress Message Types\n * =============================\n \n 1. PROGRESS MESSAGES (During Operation):\n * Rust WASM → send_typed_progress_message() → TypeScript sendProgressMessage() → postMessage() → Main Thread\n * - Used for real-time updates during long operations\n * - Multiple progress messages can be sent per operation\n * - Does not affect the final result\n * - Types: ProgressMessageType, ProgressStep, ProgressStatus (auto-generated from Rust)\n \n 2. FINAL RESULTS (Operation Complete):\n * Rust WASM → return value from handle_signer_message() → TypeScript worker → postMessage() → Main Thread\n * - Contains the actual operation result (success/error)\n * - Only one result message per operation\n * - This is what the main thread awaits for completion\n */\n\n// === PROGRESS MESSAGE TYPES ===\n\n// Basic interface for development - actual types are auto-generated from Rust\nexport type ProgressMessage = wasmModule.WorkerProgressMessage;\n\n// Type guard for basic progress message validation during development\nexport function isProgressMessage(obj: unknown): obj is ProgressMessage {\n return (\n typeof obj === 'object' &&\n obj !== null &&\n typeof (obj as { message_type?: unknown }).message_type === 'string' &&\n typeof (obj as { step?: unknown }).step === 'string' &&\n typeof (obj as { message?: unknown }).message === 'string' &&\n typeof (obj as { status?: unknown }).status === 'string'\n );\n}\n\nexport enum ProgressMessageType {\n REGISTRATION_PROGRESS = 'REGISTRATION_PROGRESS',\n REGISTRATION_COMPLETE = 'REGISTRATION_COMPLETE',\n EXECUTE_ACTIONS_PROGRESS = 'EXECUTE_ACTIONS_PROGRESS',\n EXECUTE_ACTIONS_COMPLETE = 'EXECUTE_ACTIONS_COMPLETE',\n}\n\n// Step identifiers for progress tracking\n// This enum exactly matches the Rust WASM ProgressStep enum from:\n// packages/passkey/src/wasm_signer_worker/src/types/progress.rs\n// The string values come from the progress_step_name() function in that file\nexport enum ProgressStep {\n PREPARATION = 'preparation', // Rust: Preparation\n WEBAUTHN_AUTHENTICATION = 'webauthn-authentication', // Rust: WebauthnAuthentication\n AUTHENTICATION_COMPLETE = 'authentication-complete', // Rust: AuthenticationComplete\n TRANSACTION_SIGNING_PROGRESS = 'transaction-signing-progress', // Rust: TransactionSigningProgress\n TRANSACTION_SIGNING_COMPLETE = 'transaction-signing-complete', // Rust: TransactionSigningComplete\n ERROR = 'error', // Rust: Error\n}\n\nexport interface ProgressStepMap {\n [wasmModule.ProgressStep.Preparation]: ProgressStep.PREPARATION;\n [wasmModule.ProgressStep.WebauthnAuthentication]: ProgressStep.WEBAUTHN_AUTHENTICATION;\n [wasmModule.ProgressStep.AuthenticationComplete]: ProgressStep.AUTHENTICATION_COMPLETE;\n [wasmModule.ProgressStep.TransactionSigningProgress]: ProgressStep.TRANSACTION_SIGNING_PROGRESS;\n [wasmModule.ProgressStep.TransactionSigningComplete]: ProgressStep.TRANSACTION_SIGNING_COMPLETE;\n [wasmModule.ProgressStep.Error]: ProgressStep.ERROR;\n}\n\n// === RESPONSE MESSAGE INTERFACES ===\n\n// Base interface for all worker responses\nexport interface BaseWorkerResponse<TPayload = unknown> {\n type: SignerWorkerResponseType;\n payload: TPayload;\n}\n\n// Map request types to their expected success response payloads (WASM types)\nexport interface RequestResponseMap {\n [WorkerRequestType.DeriveNearKeypairAndEncrypt]: WasmDeriveNearKeypairAndEncryptResult;\n [WorkerRequestType.RecoverKeypairFromPasskey]: WasmRecoverKeypairResult;\n [WorkerRequestType.DecryptPrivateKeyWithPrf]: WasmDecryptPrivateKeyResult;\n [WorkerRequestType.DeriveThresholdEd25519ClientVerifyingShare]: WasmDeriveThresholdEd25519ClientVerifyingShareResult;\n [WorkerRequestType.SignTransactionsWithActions]: WasmTransactionSignResult;\n [INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT]: WasmTransactionSignResult;\n [WorkerRequestType.SignDelegateAction]: WasmDelegateSignResult;\n [WorkerRequestType.ExtractCosePublicKey]: wasmModule.CoseExtractionResult;\n [WorkerRequestType.SignTransactionWithKeyPair]: WasmTransactionSignResult;\n [WorkerRequestType.SignNep413Message]: wasmModule.SignNep413Result;\n [WorkerRequestType.RegisterDevice2WithDerivedKey]: WasmRegisterDevice2WithDerivedKeyResult;\n}\n\nexport type RequestTypeKey = keyof RequestResponseMap;\n\n// Generic success response type that uses WASM types\nexport interface WorkerSuccessResponse<T extends RequestTypeKey>\n extends BaseWorkerResponse<RequestResponseMap[T]> {\n type: SignerWorkerResponseType;\n}\n\n// Generic error response type\nexport interface WorkerErrorResponse extends BaseWorkerResponse<{\n error: string;\n errorCode?: WorkerErrorCode;\n context?: Record<string, unknown>;\n}> {\n type: SignerWorkerResponseType;\n}\n\nexport enum WorkerErrorCode {\n WASM_INIT_FAILED = 'WASM_INIT_FAILED',\n INVALID_REQUEST = 'INVALID_REQUEST',\n TIMEOUT = 'TIMEOUT',\n ENCRYPTION_FAILED = 'ENCRYPTION_FAILED',\n DECRYPTION_FAILED = 'DECRYPTION_FAILED',\n SIGNING_FAILED = 'SIGNING_FAILED',\n STORAGE_FAILED = 'STORAGE_FAILED',\n UNKNOWN_ERROR = 'UNKNOWN_ERROR',\n}\n\nexport interface WorkerProgressResponse extends BaseWorkerResponse<onProgressEvents> {\n type: SignerWorkerResponseType;\n}\n\n// === MAIN RESPONSE TYPE ===\n\nexport type WorkerResponseForRequest<T extends RequestTypeKey> =\n \| WorkerSuccessResponse<T>\n \| WorkerErrorResponse\n \| WorkerProgressResponse;\n\n// === CONVENIENCE TYPE ALIASES ===\n\nexport type EncryptionResponse = WorkerResponseForRequest<typeof WorkerRequestType.DeriveNearKeypairAndEncrypt>;\nexport type RecoveryResponse = WorkerResponseForRequest<typeof WorkerRequestType.RecoverKeypairFromPasskey>;\nexport type TransactionResponse = WorkerResponseForRequest<typeof WorkerRequestType.SignTransactionsWithActions>;\nexport type DelegateSignResponse = WorkerResponseForRequest<typeof WorkerRequestType.SignDelegateAction>;\nexport type DecryptionResponse = WorkerResponseForRequest<typeof WorkerRequestType.DecryptPrivateKeyWithPrf>;\nexport type CoseExtractionResponse = WorkerResponseForRequest<typeof WorkerRequestType.ExtractCosePublicKey>;\nexport type Nep413SigningResponse = WorkerResponseForRequest<typeof WorkerRequestType.SignNep413Message>;\n\n// === TYPE GUARDS FOR GENERIC RESPONSES ===\n\nexport function isWorkerProgress<T extends RequestTypeKey>(\n response: WorkerResponseForRequest<T>\n): response is WorkerProgressResponse {\n return (\n response.type === WorkerResponseType.RegistrationProgress \|\|\n response.type === WorkerResponseType.RegistrationComplete \|\|\n response.type === WorkerResponseType.ExecuteActionsProgress \|\|\n response.type === WorkerResponseType.ExecuteActionsComplete\n );\n}\n\nexport function isWorkerSuccess<T extends RequestTypeKey>(\n response: WorkerResponseForRequest<T>\n): response is WorkerSuccessResponse<T> {\n return (\n response.type === WorkerResponseType.DeriveNearKeypairAndEncryptSuccess \|\|\n response.type === WorkerResponseType.RecoverKeypairFromPasskeySuccess \|\|\n response.type === WorkerResponseType.DecryptPrivateKeyWithPrfSuccess \|\|\n response.type === WorkerResponseType.SignTransactionsWithActionsSuccess \|\|\n response.type === WorkerResponseType.SignDelegateActionSuccess \|\|\n response.type === WorkerResponseType.ExtractCosePublicKeySuccess \|\|\n response.type === WorkerResponseType.SignTransactionWithKeyPairSuccess \|\|\n response.type === WorkerResponseType.SignNep413MessageSuccess \|\|\n response.type === WorkerResponseType.RegisterDevice2WithDerivedKeySuccess \|\|\n response.type === WorkerResponseType.DeriveThresholdEd25519ClientVerifyingShareSuccess \|\|\n response.type === INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_SUCCESS\n );\n}\n\nexport function isWorkerError<T extends RequestTypeKey>(\n response: WorkerResponseForRequest<T>\n): response is WorkerErrorResponse {\n return (\n response.type === WorkerResponseType.DeriveNearKeypairAndEncryptFailure \|\|\n response.type === WorkerResponseType.RecoverKeypairFromPasskeyFailure \|\|\n response.type === WorkerResponseType.DecryptPrivateKeyWithPrfFailure \|\|\n response.type === WorkerResponseType.SignTransactionsWithActionsFailure \|\|\n response.type === WorkerResponseType.SignDelegateActionFailure \|\|\n response.type === WorkerResponseType.ExtractCosePublicKeyFailure \|\|\n response.type === WorkerResponseType.SignTransactionWithKeyPairFailure \|\|\n response.type === WorkerResponseType.SignNep413MessageFailure \|\|\n response.type === WorkerResponseType.RegisterDevice2WithDerivedKeyFailure \|\|\n response.type === WorkerResponseType.DeriveThresholdEd25519ClientVerifyingShareFailure \|\|\n response.type === INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_FAILURE\n );\n}\n\n// === SPECIFIC TYPE GUARDS FOR COMMON OPERATIONS ===\n\nexport function isDeriveNearKeypairAndEncryptSuccess(response: EncryptionResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.DeriveNearKeypairAndEncrypt> {\n return response.type === WorkerResponseType.DeriveNearKeypairAndEncryptSuccess;\n}\n\nexport function isRecoverKeypairFromPasskeySuccess(response: RecoveryResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.RecoverKeypairFromPasskey> {\n return response.type === WorkerResponseType.RecoverKeypairFromPasskeySuccess;\n}\n\nexport function isSignTransactionsWithActionsSuccess(response: TransactionResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.SignTransactionsWithActions> {\n return response.type === WorkerResponseType.SignTransactionsWithActionsSuccess;\n}\n\nexport function isSignAddKeyThresholdPublicKeyNoPromptSuccess(\n response: WorkerResponseForRequest<typeof INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT>\n): response is WorkerSuccessResponse<typeof INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT> {\n return response.type === INTERNAL_WORKER_RESPONSE_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT_SUCCESS;\n}\n\nexport function isSignDelegateActionSuccess(response: DelegateSignResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.SignDelegateAction> {\n return response.type === WorkerResponseType.SignDelegateActionSuccess;\n}\n\nexport function isDecryptPrivateKeyWithPrfSuccess(response: DecryptionResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.DecryptPrivateKeyWithPrf> {\n return response.type === WorkerResponseType.DecryptPrivateKeyWithPrfSuccess;\n}\n\nexport function isExtractCosePublicKeySuccess(response: CoseExtractionResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.ExtractCosePublicKey> {\n return response.type === WorkerResponseType.ExtractCosePublicKeySuccess;\n}\n\nexport function isSignNep413MessageSuccess(response: Nep413SigningResponse): response is WorkerSuccessResponse<typeof WorkerRequestType.SignNep413Message> {\n return response.type === WorkerResponseType.SignNep413MessageSuccess;\n}\n\nexport function isRegisterDevice2WithDerivedKeySuccess(\n response: WorkerResponseForRequest<typeof WorkerRequestType.RegisterDevice2WithDerivedKey>\n): response is WorkerSuccessResponse<typeof WorkerRequestType.RegisterDevice2WithDerivedKey> {\n return response.type === WorkerResponseType.RegisterDevice2WithDerivedKeySuccess;\n}\n"],"mappings":";;;AAkBA,MAAaA,6BAAgD;AAO7D,MAAaC,sBAA0C;AACvD,MAAaC,uBAAmC,EAAE,MAAM;AAExD,SAAgB,aAAa,OAA6C;AACxE,QAAO,UAAU,kBAAkB,UAAU;;AAG/C,SAAgB,oBAAoB,OAA4C;AAC9E,QAAO,UAAU,cAAc,UAAU;;AAG3C,SAAgB,iBACd,OACA,WAAuB,sBACX;AACZ,KAAI,SAAS,KAAM,QAAO;AAE1B,KAAI,OAAO,UAAU,SAAU,QAAO,aAAa,SAAS,EAAE,MAAM,UAAU;AAE9E,KAAI,OAAO,UAAU,SAAU,QAAO;AAEtC,KAAI,MAAM,SAAS,eAAgB,QAAO,EAAE,MAAM,MAAM;CACxD,MAAM,WAAW,MAAM;AACvB,QAAO,oBAAoB,YACvB;EAAE,MAAM,MAAM;EAAM;KACpB,EAAE,MAAM,MAAM;;;;;;;;;;;AAepB,SAAgB,gBACd,MACA,UACY;CACZ,MAAM,iBAAiB,iBAAiB,MAAM;AAC9C,KAAI,YAAY,KAAM,QAAO;AAG7B,KAAI,OAAO,aAAa,UAAU;AAChC,MAAI,CAAC,aAAa,UAAW,QAAO;AACpC,MAAI,aAAa,eAAgB,QAAO,EAAE,MAAM;AAEhD,MAAI,eAAe,SAAS,oBAAoB;GAC9C,MAAMC,aAAY,eAA0C;AAC5D,UAAO,oBAAoBA,cACvB;IAAE,MAAM;IAAoB;OAC5B,EAAE,MAAM;;AAEd,SAAO,EAAE,MAAM;;AAGjB,KAAI,OAAO,aAAa,SAAU,QAAO;CAEzC,MAAM,OAAQ,SAAgC;AAC9C,KAAI,SAAS,eAAgB,QAAO,EAAE,MAAM;AAC5C,KAAI,SAAS,mBAAoB,QAAO;CAExC,MAAM,WAAY,SAAoC;AACtD,KAAI,oBAAoB,UAAW,QAAO;EAAE,MAAM;EAAoB;;AAGtE,KAAI,eAAe,SAAS,oBAAoB;EAC9C,MAAM,eAAgB,eAA0C;AAChE,MAAI,oBAAoB,cAAe,QAAO;GAAE,MAAM;GAAoB,UAAU;;;AAEtF,QAAO,EAAE,MAAM;;AAOjB,SAAgB,mCAAmC,MAAqC;AACtF,KAAI,KAAK,SAAS,mBAAoB,QAAO;AAC7C,QAAO,oBAAoB,KAAK,YAAY,KAAK,WAAW;;;;;;;;;AAU9D,MAAa,2EAA2E;AACxF,MAAa,oFAAoF;AACjG,MAAa,oFAAoF;AAiQjG,MAAaC,8BAAkD;CAC7D,QAAQ;CACR,UAAU;CACV,kBAAkB;CAClB,OAAO;;AAgLT,SAAgB,iBACd,UACoC;AACpC,QACE,SAAS,SAAS,mBAAmB,wBACrC,SAAS,SAAS,mBAAmB,wBACrC,SAAS,SAAS,mBAAmB,0BACrC,SAAS,SAAS,mBAAmB;;AAIzC,SAAgB,gBACd,UACsC;AACtC,QACE,SAAS,SAAS,mBAAmB,sCACrC,SAAS,SAAS,mBAAmB,oCACrC,SAAS,SAAS,mBAAmB,mCACrC,SAAS,SAAS,mBAAmB,sCACrC,SAAS,SAAS,mBAAmB,6BACrC,SAAS,SAAS,mBAAmB,+BACrC,SAAS,SAAS,mBAAmB,qCACrC,SAAS,SAAS,mBAAmB,4BACrC,SAAS,SAAS,mBAAmB,wCACrC,SAAS,SAAS,mBAAmB,qDACrC,SAAS,SAAS;;AAItB,SAAgB,cACd,UACiC;AACjC,QACE,SAAS,SAAS,mBAAmB,sCACrC,SAAS,SAAS,mBAAmB,oCACrC,SAAS,SAAS,mBAAmB,mCACrC,SAAS,SAAS,mBAAmB,sCACrC,SAAS,SAAS,mBAAmB,6BACrC,SAAS,SAAS,mBAAmB,+BACrC,SAAS,SAAS,mBAAmB,qCACrC,SAAS,SAAS,mBAAmB,4BACrC,SAAS,SAAS,mBAAmB,wCACrC,SAAS,SAAS,mBAAmB,qDACrC,SAAS,SAAS;;AAMtB,SAAgB,qCAAqC,UAAuH;AAC1K,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,mCAAmC,UAAmH;AACpK,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,qCAAqC,UAAwH;AAC3K,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,8CACd,UACoH;AACpH,QAAO,SAAS,SAAS;;AAG3B,SAAgB,4BAA4B,UAAgH;AAC1J,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,kCAAkC,UAAoH;AACpK,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,8BAA8B,UAAoH;AAChK,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,2BAA2B,UAAgH;AACzJ,QAAO,SAAS,SAAS,mBAAmB;;AAG9C,SAAgB,uCACd,UAC2F;AAC3F,QAAO,SAAS,SAAS,mBAAmB"}

package/dist/esm/core/types/vrf-worker.js CHANGED Viewed

@@ -1,6 +1,4 @@
-import { __esm } from "../../_virtual/rolldown_runtime.js";
 import { base64UrlDecode, base64UrlEncode } from "../../utils/base64.js";
-import { init_encoders } from "../../utils/encoders.js";
 //#region src/core/types/vrf-worker.ts
 /**
@@ -34,7 +32,9 @@ function validateVRFChallenge(vrfChallengeData) {
 		userId: vrfChallengeData.userId,
 		rpId: vrfChallengeData.rpId,
 		blockHeight: vrfChallengeData.blockHeight,
-		blockHash: vrfChallengeData.blockHash
+		blockHash: vrfChallengeData.blockHash,
+		...vrfChallengeData.intentDigest ? { intentDigest: vrfChallengeData.intentDigest } : {},
+		...vrfChallengeData.sessionPolicyDigest32 ? { sessionPolicyDigest32: vrfChallengeData.sessionPolicyDigest32 } : {}
 	};
 }
 /**
@@ -56,11 +56,7 @@ function createRandomVRFChallenge() {
 		blockHash: void 0
 	};
 }
-var init_vrf_worker = __esm({ "src/core/types/vrf-worker.ts": (() => {
-	init_encoders();
-}) });
 //#endregion
-init_vrf_worker();
-export { createRandomVRFChallenge, init_vrf_worker, outputAs32Bytes, validateVRFChallenge };
+export { createRandomVRFChallenge, outputAs32Bytes, validateVRFChallenge };
 //# sourceMappingURL=vrf-worker.js.map

package/dist/esm/core/types/vrf-worker.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"vrf-worker.js","names":[],"sources":["../../../../src/core/types/vrf-worker.ts"],"sourcesContent":["/*\n VRF Types for Web Worker Communication\n /\nimport as wasmModule from '../../wasm_vrf_worker/pkg/wasm_vrf_worker.js';\nimport { StripFree } from \"./index.js\";\n\nimport { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from \"./webauthn\";\nimport { ConfirmationConfig } from './signer-worker';\nimport { AccountId } from \"./accountIds.js\";\nimport { base64UrlDecode, base64UrlEncode } from \"../../utils/encoders.js\";\nimport type { SecureConfirmRequest } from \"../WebAuthnManager/VrfWorkerManager/confirmTxFlow/types\";\n\nexport type WasmGenerateVrfKeypairBootstrapRequest = StripFree<wasmModule.GenerateVrfKeypairBootstrapRequest>;\nexport type WasmGenerateVrfChallengeRequest = StripFree<wasmModule.GenerateVrfChallengeRequest>;\nexport type WasmUnlockVrfKeypairRequest = Omit<StripFree<wasmModule.UnlockVrfKeypairRequest>, 'prfKey'> & {\n // Prefer forwarding the full serialized WebAuthn credential so PRF outputs do not need\n // to be extracted into separate main-thread strings.\n credential: WebAuthnAuthenticationCredential;\n};\nexport type WasmDeriveVrfKeypairFromPrfRequest = Omit<\n StripFree<wasmModule.DeriveVrfKeypairFromPrfRequest>,\n 'credential' \| 'prfOutput'\n> & {\n // Forward the WebAuthn credential so PRF outputs do not need to be extracted in main-thread JS.\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n};\nexport type WasmMintSessionKeysAndSendToSignerRequest =\n Omit<\n StripFree<wasmModule.MintSessionKeysAndSendToSignerRequest>,\n 'contractId' \| 'nearRpcUrl' \| 'ttlMs' \| 'remainingUses'\n > & {\n contractId?: string;\n nearRpcUrl?: string;\n // Optional signing-session config. When omitted, VRF worker uses defaults.\n ttlMs?: number;\n remainingUses?: number;\n // Forward the WebAuthn credential so PRF outputs do not need to be extracted in main-thread JS.\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n };\nexport type WasmDispenseSessionKeyRequest = StripFree<wasmModule.DispenseSessionKeyRequest>;\nexport type WasmCheckSessionStatusRequest = StripFree<wasmModule.CheckSessionStatusRequest>;\nexport type WasmClearSessionRequest = StripFree<wasmModule.ClearSessionRequest>;\nexport type WasmConfirmAndPrepareSigningSessionRequest = {\n request: SecureConfirmRequest;\n};\nexport type WasmDecryptSessionRequest = StripFree<wasmModule.DecryptSessionRequest>;\nexport type WasmRegistrationCredentialConfirmationRequest = StripFree<wasmModule.RegistrationCredentialConfirmationRequest> & {\n confirmationConfig?: ConfirmationConfig;\n};\nexport type WasmDevice2RegistrationSessionRequest = StripFree<wasmModule.Device2RegistrationSessionRequest> & {\n confirmationConfig?: ConfirmationConfig;\n};\n\nexport type WasmShamir3PassConfigPRequest = StripFree<wasmModule.Shamir3PassConfigPRequest>;\nexport type WasmShamir3PassConfigServerUrlsRequest = StripFree<wasmModule.Shamir3PassConfigServerUrlsRequest>;\nexport type WasmShamir3PassClientEncryptCurrentVrfKeypairRequest = StripFree<wasmModule.Shamir3PassClientEncryptCurrentVrfKeypairRequest>;\nexport type WasmShamir3PassClientDecryptVrfKeypairRequest = StripFree<wasmModule.Shamir3PassClientDecryptVrfKeypairRequest>;\n\nexport type WasmVrfWorkerRequestType = WasmGenerateVrfKeypairBootstrapRequest\n \| WasmGenerateVrfChallengeRequest\n \| WasmUnlockVrfKeypairRequest\n \| WasmDeriveVrfKeypairFromPrfRequest\n \| WasmMintSessionKeysAndSendToSignerRequest\n \| WasmDispenseSessionKeyRequest\n \| WasmCheckSessionStatusRequest\n \| WasmClearSessionRequest\n \| WasmConfirmAndPrepareSigningSessionRequest\n \| WasmDecryptSessionRequest\n \| WasmRegistrationCredentialConfirmationRequest\n \| WasmDevice2RegistrationSessionRequest\n \| WasmShamir3PassConfigPRequest\n \| WasmShamir3PassConfigServerUrlsRequest\n \| WasmShamir3PassClientEncryptCurrentVrfKeypairRequest\n \| WasmShamir3PassClientDecryptVrfKeypairRequest;\n\nexport interface VRFChallenge {\n vrfInput: string;\n vrfOutput: string;\n vrfProof: string;\n vrfPublicKey: string;\n userId: string;\n rpId: string;\n blockHeight: string;\n blockHash: string;\n}\n\n/*\n Decode VRF output and use first 32 bytes as WebAuthn challenge\n * @param vrfChallenge - VRF challenge object\n * @returns 32-byte Uint8Array\n /\nexport function outputAs32Bytes(vrfChallenge: VRFChallenge): Uint8Array {\n let vrfOutputBytes = base64UrlDecode(vrfChallenge.vrfOutput);\n return vrfOutputBytes.slice(0, 32);\n}\n\n/\n Validate and create a VRFChallenge object\n * @param vrfChallengeData - The challenge data to validate\n * @returns VRFChallenge object\n /\nexport function validateVRFChallenge(vrfChallengeData: {\n vrfInput: string;\n vrfOutput: string;\n vrfProof: string;\n vrfPublicKey: string;\n userId: string;\n rpId: string;\n blockHeight: string;\n blockHash: string;\n}): VRFChallenge {\n if (!vrfChallengeData.vrfInput \|\| typeof vrfChallengeData.vrfInput !== 'string') {\n throw new Error('vrfInput must be a non-empty string');\n }\n if (!vrfChallengeData.vrfOutput \|\| typeof vrfChallengeData.vrfOutput !== 'string') {\n throw new Error('vrfOutput must be a non-empty string');\n }\n if (!vrfChallengeData.vrfProof \|\| typeof vrfChallengeData.vrfProof !== 'string') {\n throw new Error('vrfProof must be a non-empty string');\n }\n if (!vrfChallengeData.vrfPublicKey \|\| typeof vrfChallengeData.vrfPublicKey !== 'string') {\n throw new Error('vrfPublicKey must be a non-empty string');\n }\n if (!vrfChallengeData.userId \|\| typeof vrfChallengeData.userId !== 'string') {\n throw new Error('userId must be a non-empty string');\n }\n if (!vrfChallengeData.rpId \|\| typeof vrfChallengeData.rpId !== 'string') {\n throw new Error('rpId must be a non-empty string');\n }\n if (!vrfChallengeData.blockHeight \|\| typeof vrfChallengeData.blockHeight !== 'string') {\n throw new Error('blockHeight must be a non-empty string');\n }\n if (!vrfChallengeData.blockHash \|\| typeof vrfChallengeData.blockHash !== 'string') {\n throw new Error('blockHash must be a non-empty string');\n }\n\n return {\n vrfInput: vrfChallengeData.vrfInput,\n vrfOutput: vrfChallengeData.vrfOutput,\n vrfProof: vrfChallengeData.vrfProof,\n vrfPublicKey: vrfChallengeData.vrfPublicKey,\n userId: vrfChallengeData.userId,\n rpId: vrfChallengeData.rpId,\n blockHeight: vrfChallengeData.blockHeight,\n blockHash: vrfChallengeData.blockHash,\n };\n}\n\n/\n Create a random VRF challenge\n * @returns Partial<VRFChallenge> with vrfOutput set, but other fields are undefined\n * This is used for local operations that don't require a VRF verification\n /\nexport function createRandomVRFChallenge(): Partial<VRFChallenge> {\n const challenge = crypto.getRandomValues(new Uint8Array(32));\n const vrfOutput = base64UrlEncode(challenge.buffer);\n return {\n vrfOutput: vrfOutput,\n vrfInput: undefined,\n vrfProof: undefined,\n vrfPublicKey: undefined,\n userId: undefined,\n rpId: undefined,\n blockHeight: undefined,\n blockHash: undefined,\n };\n}\n\nexport interface VrfWorkerManagerConfig {\n vrfWorkerUrl?: string;\n workerTimeout?: number;\n debug?: boolean;\n // Optional Shamir 3-pass configuration passed to the VRF WASM worker at init\n shamirPB64u?: string; // base64url prime p\n relayServerUrl?: string;\n applyServerLockRoute?: string;\n removeServerLockRoute?: string;\n}\n\n// Define interfaces that are missing\nexport interface VRFWorkerStatus {\n active: boolean;\n nearAccountId: AccountId \| null;\n sessionDuration?: number;\n}\n\nexport interface EncryptedVRFKeypair {\n encryptedVrfDataB64u: string;\n chacha20NonceB64u: string;\n}\n\nexport interface VRFInputData {\n userId: string;\n rpId: string;\n blockHeight: string;\n blockHash: string;\n}\n\nexport interface VRFWorkerMessage<T extends WasmVrfWorkerRequestType> {\n // type: wasmModule.WorkerRequestType\n type: 'PING'\n \| 'GENERATE_VRF_CHALLENGE'\n \| 'GENERATE_VRF_KEYPAIR_BOOTSTRAP'\n \| 'UNLOCK_VRF_KEYPAIR'\n \| 'CHECK_VRF_STATUS'\n \| 'CLEAR_VRF'\n \| 'DERIVE_VRF_KEYPAIR_FROM_PRF'\n \| 'MINT_SESSION_KEYS_AND_SEND_TO_SIGNER'\n \| 'DISPENSE_SESSION_KEY'\n \| 'CHECK_SESSION_STATUS'\n \| 'CLEAR_SESSION'\n \| 'CONFIRM_AND_PREPARE_SIGNING_SESSION'\n \| 'DECRYPT_SESSION'\n \| 'REGISTRATION_CREDENTIAL_CONFIRMATION'\n \| 'DEVICE2_REGISTRATION_SESSION'\n \| 'SHAMIR3PASS_CLIENT_ENCRYPT_CURRENT_VRF_KEYPAIR' // client only\n \| 'SHAMIR3PASS_CLIENT_DECRYPT_VRF_KEYPAIR' // client only\n \| 'SHAMIR3PASS_APPLY_SERVER_LOCK_KEK' // server only\n \| 'SHAMIR3PASS_REMOVE_SERVER_LOCK_KEK' // server only\n \| 'SHAMIR3PASS_CONFIG_P'\n \| 'SHAMIR3PASS_CONFIG_SERVER_URLS'\n id?: string;\n payload?: T;\n}\n\nexport interface VRFWorkerResponse<TData = Record<string, unknown>> {\n id?: string;\n success: boolean;\n data?: TData;\n error?: string;\n}\n\nexport interface VRFKeypairBootstrapResponse {\n vrfPublicKey: string;\n vrfChallengeData?: VRFChallenge;\n}\n\nexport interface EncryptedVRFKeypairResponse {\n vrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n}\n\n/\n Server-encrypted VRF keypair for commutative encryption scheme\n * This allows server-assisted VRF key recovery without the server seeing the plaintext\n /\nexport interface ServerEncryptedVrfKeypair {\n /* Base64url-encoded VRF ciphertext (AEAD over VRF keypair bytes) /\n ciphertextVrfB64u: string;\n /* Base64url-encoded KEK with server lock applied (KEK_s) /\n kek_s_b64u: string;\n /* Server key identifier for proactive refresh/versioning /\n serverKeyId: string;\n}\n\n/\n Plaintext VRF keypair data structure\n * Used for loading decrypted VRF keypairs directly into memory\n /\nexport interface VRFKeypairData {\n /* Bincode-serialized ECVRFKeyPair bytes (includes both private and public key) /\n keypairBytes: number[];\n /* Base64url-encoded public key for convenience and verification */\n publicKeyBase64: string;\n}\n\n// Shamir 3-pass registration wrap result\nexport interface Shamir3PassRegisterWrapResult {\n ciphertextVrfB64u: string;\n enc_s_k_b64u: string;\n vrfPublicKey: string;\n}\n"],"mappings":";;;;;;;;;;AA2FA,SAAgB,gBAAgB,cAAwC;CACtE,IAAI,iBAAiB,gBAAgB,aAAa;AAClD,QAAO,eAAe,MAAM,GAAG;;;;;;;AAQjC,SAAgB,qBAAqB,kBASpB;AACf,KAAI,CAAC,iBAAiB,YAAY,OAAO,iBAAiB,aAAa,SACrE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,aAAa,OAAO,iBAAiB,cAAc,SACvE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,YAAY,OAAO,iBAAiB,aAAa,SACrE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,gBAAgB,OAAO,iBAAiB,iBAAiB,SAC7E,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,UAAU,OAAO,iBAAiB,WAAW,SACjE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,QAAQ,OAAO,iBAAiB,SAAS,SAC7D,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,eAAe,OAAO,iBAAiB,gBAAgB,SAC3E,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,aAAa,OAAO,iBAAiB,cAAc,SACvE,OAAM,IAAI,MAAM;AAGlB,QAAO;EACL,UAAU,iBAAiB;EAC3B,WAAW,iBAAiB;EAC5B,UAAU,iBAAiB;EAC3B,cAAc,iBAAiB;EAC/B,QAAQ,iBAAiB;EACzB,MAAM,iBAAiB;EACvB,aAAa,iBAAiB;EAC9B,WAAW,iBAAiB;;;;;;;;AAShC,SAAgB,2BAAkD;CAChE,MAAM,YAAY,OAAO,gBAAgB,IAAI,WAAW;CACxD,MAAM,YAAY,gBAAgB,UAAU;AAC5C,QAAO;EACM;EACX,UAAU;EACV,UAAU;EACV,cAAc;EACd,QAAQ;EACR,MAAM;EACN,aAAa;EACb,WAAW"}
1	+ {"version":3,"file":"vrf-worker.js","names":[],"sources":["../../../../src/core/types/vrf-worker.ts"],"sourcesContent":["/*\n VRF Types for Web Worker Communication\n /\nimport as wasmModule from '../../wasm_vrf_worker/pkg/wasm_vrf_worker.js';\nimport { StripFree } from \"./index.js\";\n\nimport { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from \"./webauthn\";\nimport { ConfirmationConfig } from './signer-worker';\nimport { AccountId } from \"./accountIds.js\";\nimport { base64UrlDecode, base64UrlEncode } from \"../../utils/encoders.js\";\nimport type { SecureConfirmRequest } from \"../WebAuthnManager/VrfWorkerManager/confirmTxFlow/types\";\n\nexport type WasmGenerateVrfKeypairBootstrapRequest = StripFree<wasmModule.GenerateVrfKeypairBootstrapRequest>;\nexport type WasmGenerateVrfChallengeRequest = StripFree<wasmModule.GenerateVrfChallengeRequest>;\nexport type WasmUnlockVrfKeypairRequest = Omit<StripFree<wasmModule.UnlockVrfKeypairRequest>, 'prfKey'> & {\n // Prefer forwarding the full serialized WebAuthn credential so PRF outputs do not need\n // to be extracted into separate main-thread strings.\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n};\nexport type WasmDeriveVrfKeypairFromPrfRequest = Omit<\n StripFree<wasmModule.DeriveVrfKeypairFromPrfRequest>,\n 'credential' \| 'prfOutput'\n> & {\n // Forward the WebAuthn credential so PRF outputs do not need to be extracted in main-thread JS.\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n};\nexport type WasmMintSessionKeysAndSendToSignerRequest =\n Omit<\n StripFree<wasmModule.MintSessionKeysAndSendToSignerRequest>,\n 'contractId' \| 'nearRpcUrl' \| 'ttlMs' \| 'remainingUses'\n > & {\n contractId?: string;\n nearRpcUrl?: string;\n // Optional signing-session config. When omitted, VRF worker uses defaults.\n ttlMs?: number;\n remainingUses?: number;\n // Forward the WebAuthn credential so PRF outputs do not need to be extracted in main-thread JS.\n credential: WebAuthnRegistrationCredential \| WebAuthnAuthenticationCredential;\n };\nexport type WasmDispenseSessionKeyRequest = StripFree<wasmModule.DispenseSessionKeyRequest>;\nexport type WasmCheckSessionStatusRequest = StripFree<wasmModule.CheckSessionStatusRequest>;\nexport type WasmClearSessionRequest = StripFree<wasmModule.ClearSessionRequest>;\nexport type WasmConfirmAndPrepareSigningSessionRequest = {\n request: SecureConfirmRequest;\n};\nexport type WasmDecryptSessionRequest = StripFree<wasmModule.DecryptSessionRequest>;\nexport type WasmRegistrationCredentialConfirmationRequest = StripFree<wasmModule.RegistrationCredentialConfirmationRequest> & {\n confirmationConfig?: ConfirmationConfig;\n};\nexport type WasmDevice2RegistrationSessionRequest = StripFree<wasmModule.Device2RegistrationSessionRequest> & {\n confirmationConfig?: ConfirmationConfig;\n};\n\nexport type WasmShamir3PassConfigPRequest = StripFree<wasmModule.Shamir3PassConfigPRequest>;\nexport type WasmShamir3PassConfigServerUrlsRequest = StripFree<wasmModule.Shamir3PassConfigServerUrlsRequest>;\nexport type WasmShamir3PassClientEncryptCurrentVrfKeypairRequest = StripFree<wasmModule.Shamir3PassClientEncryptCurrentVrfKeypairRequest>;\nexport type WasmShamir3PassClientDecryptVrfKeypairRequest = StripFree<wasmModule.Shamir3PassClientDecryptVrfKeypairRequest>;\n\nexport type WasmVrfWorkerRequestType = WasmGenerateVrfKeypairBootstrapRequest\n \| WasmGenerateVrfChallengeRequest\n \| WasmUnlockVrfKeypairRequest\n \| WasmDeriveVrfKeypairFromPrfRequest\n \| WasmMintSessionKeysAndSendToSignerRequest\n \| WasmDispenseSessionKeyRequest\n \| WasmCheckSessionStatusRequest\n \| WasmClearSessionRequest\n \| WasmConfirmAndPrepareSigningSessionRequest\n \| WasmDecryptSessionRequest\n \| WasmRegistrationCredentialConfirmationRequest\n \| WasmDevice2RegistrationSessionRequest\n \| WasmShamir3PassConfigPRequest\n \| WasmShamir3PassConfigServerUrlsRequest\n \| WasmShamir3PassClientEncryptCurrentVrfKeypairRequest\n \| WasmShamir3PassClientDecryptVrfKeypairRequest;\n\nexport interface VRFChallenge {\n vrfInput: string;\n vrfOutput: string;\n vrfProof: string;\n vrfPublicKey: string;\n userId: string;\n rpId: string;\n blockHeight: string;\n blockHash: string;\n /*\n Optional base64url-encoded 32-byte digest that was bound into the VRF input hash.\n * When present, it must decode to exactly 32 bytes on the WASM worker / contract side.\n /\n intentDigest?: string;\n /\n Optional base64url-encoded 32-byte digest that was bound into the VRF input hash for\n * relayer session policy binding (v4+ only).\n /\n sessionPolicyDigest32?: string;\n}\n\n/\n Decode VRF output and use first 32 bytes as WebAuthn challenge\n * @param vrfChallenge - VRF challenge object\n * @returns 32-byte Uint8Array\n /\nexport function outputAs32Bytes(vrfChallenge: VRFChallenge): Uint8Array {\n let vrfOutputBytes = base64UrlDecode(vrfChallenge.vrfOutput);\n return vrfOutputBytes.slice(0, 32);\n}\n\n/\n Validate and create a VRFChallenge object\n * @param vrfChallengeData - The challenge data to validate\n * @returns VRFChallenge object\n /\nexport function validateVRFChallenge(vrfChallengeData: {\n vrfInput: string;\n vrfOutput: string;\n vrfProof: string;\n vrfPublicKey: string;\n userId: string;\n rpId: string;\n blockHeight: string;\n blockHash: string;\n intentDigest?: string;\n sessionPolicyDigest32?: string;\n}): VRFChallenge {\n if (!vrfChallengeData.vrfInput \|\| typeof vrfChallengeData.vrfInput !== 'string') {\n throw new Error('vrfInput must be a non-empty string');\n }\n if (!vrfChallengeData.vrfOutput \|\| typeof vrfChallengeData.vrfOutput !== 'string') {\n throw new Error('vrfOutput must be a non-empty string');\n }\n if (!vrfChallengeData.vrfProof \|\| typeof vrfChallengeData.vrfProof !== 'string') {\n throw new Error('vrfProof must be a non-empty string');\n }\n if (!vrfChallengeData.vrfPublicKey \|\| typeof vrfChallengeData.vrfPublicKey !== 'string') {\n throw new Error('vrfPublicKey must be a non-empty string');\n }\n if (!vrfChallengeData.userId \|\| typeof vrfChallengeData.userId !== 'string') {\n throw new Error('userId must be a non-empty string');\n }\n if (!vrfChallengeData.rpId \|\| typeof vrfChallengeData.rpId !== 'string') {\n throw new Error('rpId must be a non-empty string');\n }\n if (!vrfChallengeData.blockHeight \|\| typeof vrfChallengeData.blockHeight !== 'string') {\n throw new Error('blockHeight must be a non-empty string');\n }\n if (!vrfChallengeData.blockHash \|\| typeof vrfChallengeData.blockHash !== 'string') {\n throw new Error('blockHash must be a non-empty string');\n }\n\n return {\n vrfInput: vrfChallengeData.vrfInput,\n vrfOutput: vrfChallengeData.vrfOutput,\n vrfProof: vrfChallengeData.vrfProof,\n vrfPublicKey: vrfChallengeData.vrfPublicKey,\n userId: vrfChallengeData.userId,\n rpId: vrfChallengeData.rpId,\n blockHeight: vrfChallengeData.blockHeight,\n blockHash: vrfChallengeData.blockHash,\n ...(vrfChallengeData.intentDigest ? { intentDigest: vrfChallengeData.intentDigest } : {}),\n ...(vrfChallengeData.sessionPolicyDigest32 ? { sessionPolicyDigest32: vrfChallengeData.sessionPolicyDigest32 } : {}),\n };\n}\n\n/\n Create a random VRF challenge\n * @returns Partial<VRFChallenge> with vrfOutput set, but other fields are undefined\n * This is used for local operations that don't require a VRF verification\n /\nexport function createRandomVRFChallenge(): Partial<VRFChallenge> {\n const challenge = crypto.getRandomValues(new Uint8Array(32));\n const vrfOutput = base64UrlEncode(challenge.buffer);\n return {\n vrfOutput: vrfOutput,\n vrfInput: undefined,\n vrfProof: undefined,\n vrfPublicKey: undefined,\n userId: undefined,\n rpId: undefined,\n blockHeight: undefined,\n blockHash: undefined,\n };\n}\n\nexport interface VrfWorkerManagerConfig {\n vrfWorkerUrl?: string;\n workerTimeout?: number;\n debug?: boolean;\n // Optional Shamir 3-pass configuration passed to the VRF WASM worker at init\n shamirPB64u?: string; // base64url prime p\n relayServerUrl?: string;\n applyServerLockRoute?: string;\n removeServerLockRoute?: string;\n}\n\n// Define interfaces that are missing\nexport interface VRFWorkerStatus {\n active: boolean;\n nearAccountId: AccountId \| null;\n sessionDuration?: number;\n /\n Base64url VRF public key currently loaded in the VRF worker (when active).\n * Used to detect device/passkey mismatches for multi-device accounts.\n /\n vrfPublicKey?: string \| null;\n}\n\nexport interface EncryptedVRFKeypair {\n encryptedVrfDataB64u: string;\n chacha20NonceB64u: string;\n}\n\nexport interface VRFInputData {\n userId: string;\n rpId: string;\n blockHeight: string;\n blockHash: string;\n /\n Optional base64url-encoded 32-byte digest to bind into the VRF input hash.\n * This is intended for transaction/delegate signing flows (e.g. the UI intent digest).\n /\n intentDigest?: string;\n /\n Optional base64url-encoded 32-byte digest to bind a relayer session policy into the VRF input hash (v4+ only).\n /\n sessionPolicyDigest32?: string;\n}\n\nexport interface VRFWorkerMessage<T extends WasmVrfWorkerRequestType> {\n // type: wasmModule.WorkerRequestType\n type: 'PING'\n \| 'GENERATE_VRF_CHALLENGE'\n \| 'GENERATE_VRF_KEYPAIR_BOOTSTRAP'\n \| 'UNLOCK_VRF_KEYPAIR'\n \| 'CHECK_VRF_STATUS'\n \| 'CLEAR_VRF'\n \| 'DERIVE_VRF_KEYPAIR_FROM_PRF'\n \| 'MINT_SESSION_KEYS_AND_SEND_TO_SIGNER'\n \| 'DISPENSE_SESSION_KEY'\n \| 'CHECK_SESSION_STATUS'\n \| 'CLEAR_SESSION'\n \| 'CONFIRM_AND_PREPARE_SIGNING_SESSION'\n \| 'DECRYPT_SESSION'\n \| 'REGISTRATION_CREDENTIAL_CONFIRMATION'\n \| 'DEVICE2_REGISTRATION_SESSION'\n \| 'SHAMIR3PASS_CLIENT_ENCRYPT_CURRENT_VRF_KEYPAIR' // client only\n \| 'SHAMIR3PASS_CLIENT_DECRYPT_VRF_KEYPAIR' // client only\n \| 'SHAMIR3PASS_APPLY_SERVER_LOCK_KEK' // server only\n \| 'SHAMIR3PASS_REMOVE_SERVER_LOCK_KEK' // server only\n \| 'SHAMIR3PASS_CONFIG_P'\n \| 'SHAMIR3PASS_CONFIG_SERVER_URLS'\n id?: string;\n payload?: T;\n}\n\nexport interface VRFWorkerResponse<TData = Record<string, unknown>> {\n id?: string;\n success: boolean;\n data?: TData;\n error?: string;\n}\n\nexport interface VRFKeypairBootstrapResponse {\n vrfPublicKey: string;\n vrfChallengeData?: VRFChallenge;\n}\n\nexport interface EncryptedVRFKeypairResponse {\n vrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n}\n\n/\n Server-encrypted VRF keypair for commutative encryption scheme\n * This allows server-assisted VRF key recovery without the server seeing the plaintext\n /\nexport interface ServerEncryptedVrfKeypair {\n /* Base64url-encoded VRF ciphertext (AEAD over VRF keypair bytes) /\n ciphertextVrfB64u: string;\n /* Base64url-encoded KEK with server lock applied (KEK_s) /\n kek_s_b64u: string;\n /* Server key identifier for proactive refresh/versioning /\n serverKeyId: string;\n}\n\n/\n Plaintext VRF keypair data structure\n * Used for loading decrypted VRF keypairs directly into memory\n /\nexport interface VRFKeypairData {\n /* Bincode-serialized ECVRFKeyPair bytes (includes both private and public key) /\n keypairBytes: number[];\n /* Base64url-encoded public key for convenience and verification */\n publicKeyBase64: string;\n}\n\n// Shamir 3-pass registration wrap result\nexport interface Shamir3PassRegisterWrapResult {\n ciphertextVrfB64u: string;\n enc_s_k_b64u: string;\n vrfPublicKey: string;\n}\n"],"mappings":";;;;;;;;AAqGA,SAAgB,gBAAgB,cAAwC;CACtE,IAAI,iBAAiB,gBAAgB,aAAa;AAClD,QAAO,eAAe,MAAM,GAAG;;;;;;;AAQjC,SAAgB,qBAAqB,kBAWpB;AACf,KAAI,CAAC,iBAAiB,YAAY,OAAO,iBAAiB,aAAa,SACrE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,aAAa,OAAO,iBAAiB,cAAc,SACvE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,YAAY,OAAO,iBAAiB,aAAa,SACrE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,gBAAgB,OAAO,iBAAiB,iBAAiB,SAC7E,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,UAAU,OAAO,iBAAiB,WAAW,SACjE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,QAAQ,OAAO,iBAAiB,SAAS,SAC7D,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,eAAe,OAAO,iBAAiB,gBAAgB,SAC3E,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,aAAa,OAAO,iBAAiB,cAAc,SACvE,OAAM,IAAI,MAAM;AAGlB,QAAO;EACL,UAAU,iBAAiB;EAC3B,WAAW,iBAAiB;EAC5B,UAAU,iBAAiB;EAC3B,cAAc,iBAAiB;EAC/B,QAAQ,iBAAiB;EACzB,MAAM,iBAAiB;EACvB,aAAa,iBAAiB;EAC9B,WAAW,iBAAiB;EAC5B,GAAI,iBAAiB,eAAe,EAAE,cAAc,iBAAiB,iBAAiB;EACtF,GAAI,iBAAiB,wBAAwB,EAAE,uBAAuB,iBAAiB,0BAA0B;;;;;;;;AASrH,SAAgB,2BAAkD;CAChE,MAAM,YAAY,OAAO,gBAAgB,IAAI,WAAW;CACxD,MAAM,YAAY,gBAAgB,UAAU;AAC5C,QAAO;EACM;EACX,UAAU;EACV,UAAU;EACV,cAAc;EACd,QAAQ;EACR,MAAM;EACN,aAAa;EACb,WAAW"}

package/dist/esm/index.js CHANGED Viewed

@@ -1,32 +1,17 @@
-import { init_accountIds, toAccountId } from "./core/types/accountIds.js";
-import { DEVICE_LINKING_CONFIG, SIGNER_WORKER_MANAGER_CONFIG } from "./config.js";
+import { toAccountId } from "./core/types/accountIds.js";
 import { base64UrlDecode, base64UrlEncode } from "./utils/base64.js";
-import { init_encoders } from "./utils/encoders.js";
-import { PASSKEY_MANAGER_DEFAULT_CONFIGS, buildConfigsFromEnv, init_defaultConfigs } from "./core/defaultConfigs.js";
-import { DeviceLinkingPhase, DeviceLinkingStatus, init_sdkSentEvents } from "./core/types/sdkSentEvents.js";
-import { ActionType, init_actions } from "./core/types/actions.js";
-import { DEFAULT_WAIT_STATUS, init_rpc } from "./core/types/rpc.js";
-import { init_rpcCalls, verifyAuthenticationResponse } from "./core/rpcCalls.js";
+import { PASSKEY_MANAGER_DEFAULT_CONFIGS, buildConfigsFromEnv } from "./core/defaultConfigs.js";
+import { DEFAULT_WAIT_STATUS } from "./core/types/rpc.js";
 import { MinimalNearClient, encodeSignedTransactionBase64 } from "./core/NearClient.js";
+import { DEVICE_LINKING_CONFIG, SIGNER_WORKER_MANAGER_CONFIG } from "./config.js";
+import { DeviceLinkingPhase, DeviceLinkingStatus } from "./core/types/sdkSentEvents.js";
+import { ActionType } from "./core/types/actions.js";
+import { verifyAuthenticationResponse } from "./core/rpcCalls.js";
+import { EmailRecoveryError, EmailRecoveryErrorCode } from "./core/types/emailRecovery.js";
 import { WebAuthnManager } from "./core/WebAuthnManager/index.js";
-import { AccountRecoveryFlow } from "./core/TatchiPasskey/recoverAccount.js";
-import { EmailRecoveryPendingStore } from "./core/EmailRecovery/emailRecoveryPendingStore.js";
-import { init_EmailRecovery } from "./core/EmailRecovery/index.js";
-import { EmailRecoveryError, EmailRecoveryErrorCode, init_emailRecovery } from "./core/types/emailRecovery.js";
+import { SyncAccountFlow } from "./core/TatchiPasskey/syncAccount.js";
 import { TatchiPasskey } from "./core/TatchiPasskey/index.js";
+import { EmailRecoveryPendingStore } from "./core/EmailRecovery/emailRecoveryPendingStore.js";
 import { detectTatchiWalletExtension } from "./core/ExtensionWallet/detect.js";
-//#region src/index.ts
-init_rpcCalls();
-init_EmailRecovery();
-init_encoders();
-init_defaultConfigs();
-init_rpc();
-init_sdkSentEvents();
-init_accountIds();
-init_actions();
-init_emailRecovery();
-//#endregion
-export { AccountRecoveryFlow, ActionType, DEFAULT_WAIT_STATUS, DEVICE_LINKING_CONFIG, DeviceLinkingPhase, DeviceLinkingStatus, EmailRecoveryError, EmailRecoveryErrorCode, EmailRecoveryPendingStore, MinimalNearClient, PASSKEY_MANAGER_DEFAULT_CONFIGS, SIGNER_WORKER_MANAGER_CONFIG, TatchiPasskey, WebAuthnManager, base64UrlDecode, base64UrlEncode, buildConfigsFromEnv, detectTatchiWalletExtension, encodeSignedTransactionBase64, toAccountId, verifyAuthenticationResponse };
-//# sourceMappingURL=index.js.map
+export { ActionType, DEFAULT_WAIT_STATUS, DEVICE_LINKING_CONFIG, DeviceLinkingPhase, DeviceLinkingStatus, EmailRecoveryError, EmailRecoveryErrorCode, EmailRecoveryPendingStore, MinimalNearClient, PASSKEY_MANAGER_DEFAULT_CONFIGS, SIGNER_WORKER_MANAGER_CONFIG, SyncAccountFlow, TatchiPasskey, WebAuthnManager, base64UrlDecode, base64UrlEncode, buildConfigsFromEnv, detectTatchiWalletExtension, encodeSignedTransactionBase64, toAccountId, verifyAuthenticationResponse };

package/dist/esm/plugins/headers.js CHANGED Viewed

@@ -1,15 +1,8 @@
+import { toOriginOrUndefined } from "./utils/validation.js";
 //#region src/plugins/headers.ts
-function normalizeOrigin(input) {
-	try {
-		const v = (input || "").trim();
-		if (!v) return void 0;
-		return new URL(v, "http://dummy").origin === "http://dummy" ? new URL(v).origin : v;
-	} catch {
-		return input?.trim() || void 0;
-	}
-}
 function buildPermissionsPolicy(walletOrigin) {
-	const o = normalizeOrigin(walletOrigin);
+	const o = toOriginOrUndefined(walletOrigin);
 	const part = (name) => `${name}=(self${o ? ` "${o}"` : ""})`;
 	return [
 		part("publickey-credentials-get"),
@@ -35,7 +28,7 @@ function buildPermissionsPolicy(walletOrigin) {
 function buildWalletCsp(opts = {}) {
 	const mode = opts.mode || "strict";
 	const frame = (opts.frameSrc || []).filter(Boolean);
-	const scriptAllow = (opts.scriptSrcAllowlist || []).map((s) => normalizeOrigin(s) || s).filter(Boolean);
+	const scriptAllow = (opts.scriptSrcAllowlist || []).map((s) => toOriginOrUndefined(s) || s).filter(Boolean);
 	const scriptUnsafeInline = mode === "compatible" ? " 'unsafe-inline'" : "";
 	const styleUnsafeInline = mode === "compatible" ? " 'unsafe-inline'" : "";
 	const scriptUnsafeEval = opts.allowUnsafeEval ? " 'unsafe-eval'" : "";

package/dist/esm/plugins/headers.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"headers.js","names":["mode: CspMode","base: string[]"],"sources":["../../../src/plugins/headers.ts"],"sourcesContent":["// Framework-agnostic header helpers to minimize configuration surface.\n// Keep types local to avoid coupling to framework packages.\n\~~nexport~~ ~~type~~ ~~CspMode~~ = ~~'strict'~~ \| '~~compatible~~'\n\~~nfunction~~ ~~normalizeOrigin(input?:~~ ~~string):~~ ~~string \| undefined {\n try {\n const v~~ = ~~(input \|\|~~ ''~~).trim()\n if~~ ~~(!v)~~ ~~return undefined\n // Next/Caddy/etc. expect an origin, not a path\n return new URL(v,~~ '~~http://dummy~~'~~).origin === 'http://dummy' ? new URL(v).origin : v~~\n ~~} catch {~~\~~n return input?.trim() \|\| undefined\n }\n}\n\~~nexport function buildPermissionsPolicy(walletOrigin?: string): string {\n const o = ~~normalizeOrigin~~(walletOrigin)\n const part = (name: string) => `${name}=(self${o ? ` \"${o}\"` : ''})`\n return [\n part('publickey-credentials-get'),\n part('publickey-credentials-create'),\n part('clipboard-read'),\n part('clipboard-write'),\n ].join(', ')\n}\n\n/*\n Build a wallet-friendly Content Security Policy string.\n \n mode:\n * - 'strict' (default): no inline styles, injects \"style-src-attr 'none'\", and forbids 'unsafe-eval'.\n * - 'compatible': allows inline styles/scripts via 'unsafe-inline' for friendlier dev/local setups.\n \n allowUnsafeEval:\n * - false by default. Set to true only for development servers that require eval (e.g., Next.js Fast Refresh).\n * - Tatchi SDK does not require 'unsafe-eval' in production.\n \n Typical usage: apply strict CSP only to wallet HTML routes\n * (/wallet-service, /export-viewer); do not attach CSP to host app routes.\n */\nexport function buildWalletCsp(opts: {\n frameSrc?: string[]\n mode?: CspMode\n allowUnsafeEval?: boolean\n scriptSrcAllowlist?: string[]\n} = {}): string {\n const mode: CspMode = opts.mode \|\| 'strict'\n const frame = (opts.frameSrc \|\| []).filter(Boolean)\n const scriptAllow = (opts.scriptSrcAllowlist \|\| [])\n .map((s) => ~~normalizeOrigin~~(s) \|\| s)\n .filter(Boolean) as string[]\n const scriptUnsafeInline = mode === 'compatible' ? \" 'unsafe-inline'\" : ''\n const styleUnsafeInline = mode === 'compatible' ? \" 'unsafe-inline'\" : ''\n const scriptUnsafeEval = opts.allowUnsafeEval ? \" 'unsafe-eval'\" : ''\n const base: string[] = [\n \"default-src 'self'\",\n `script-src 'self'${scriptUnsafeInline}${scriptUnsafeEval}${scriptAllow.length ? ' ' + scriptAllow.join(' ') : ''}`,\n `style-src 'self'${styleUnsafeInline}`,\n \"img-src 'self' data:\",\n \"font-src 'self'\",\n \"connect-src 'self' https:\",\n \"worker-src 'self' blob:\",\n `frame-src 'self'${frame.length ? ' ' + frame.join(' ') : ''}`,\n \"object-src 'none'\",\n \"base-uri 'none'\",\n \"form-action 'none'\",\n ]\n if (mode === 'strict') base.splice(2, 0, \"style-src-attr 'none'\")\n return base.join('; ')\n}\n"],"mappings":"~~;AAKA,SAAS,gBAAgB,OAAoC;AAC3D,KAAI;EACF,MAAM,KAAK,SAAS,IAAI;AACxB,MAAI,CAAC,EAAG,QAAO;AAEf,SAAO,IAAI,IAAI,GAAG,gBAAgB,WAAW,iBAAiB,IAAI,IAAI,GAAG,SAAS;SAC5E;AACN,SAAO,OAAO,UAAU~~;;;~~AAI5B~~,SAAgB,uBAAuB,cAA+B;CACpE,MAAM,IAAI,~~gBAAgB~~;~~CAC1B~~,MAAM,QAAQ,SAAiB,GAAG,KAAK,QAAQ,IAAI,KAAK,EAAE,KAAK,GAAG;AAClE,QAAO;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACL,KAAK;;;;;;;;;;;;;;;;AAiBT,SAAgB,eAAe,OAK3B,IAAY;CACd,MAAMA,OAAgB,KAAK,QAAQ;CACnC,MAAM,SAAS,KAAK,YAAY,IAAI,OAAO;CAC3C,MAAM,eAAe,KAAK,sBAAsB,IAC7C,KAAK,MAAM,~~gBAAgB~~,MAAM,~~GACjC~~,OAAO;CACV,MAAM,qBAAqB,SAAS,eAAe,qBAAqB;CACxE,MAAM,oBAAoB,SAAS,eAAe,qBAAqB;CACvE,MAAM,mBAAmB,KAAK,kBAAkB,mBAAmB;CACnE,MAAMC,OAAiB;EACrB;EACA,oBAAoB,qBAAqB,mBAAmB,YAAY,SAAS,MAAM,YAAY,KAAK,OAAO;EAC/G,mBAAmB;EACnB;EACA;EACA;EACA;EACA,mBAAmB,MAAM,SAAS,MAAM,MAAM,KAAK,OAAO;EAC1D;EACA;EACA;;AAEF,KAAI,SAAS,SAAU,MAAK,OAAO,GAAG,GAAG;AACzC,QAAO,KAAK,KAAK"}
1	+ {"version":3,"file":"headers.js","names":["mode: CspMode","base: string[]"],"sources":["../../../src/plugins/headers.ts"],"sourcesContent":["// Framework-agnostic header helpers to minimize configuration surface.\n// Keep types local to avoid coupling to framework packages.\n\nimport { toOriginOrUndefined } from '../utils/validation'\n\nexport type CspMode = 'strict' \| 'compatible'\n\nexport function buildPermissionsPolicy(walletOrigin?: string): string {\n const o = toOriginOrUndefined(walletOrigin)\n const part = (name: string) => `${name}=(self${o ? ` \"${o}\"` : ''})`\n return [\n part('publickey-credentials-get'),\n part('publickey-credentials-create'),\n part('clipboard-read'),\n part('clipboard-write'),\n ].join(', ')\n}\n\n/*\n Build a wallet-friendly Content Security Policy string.\n \n mode:\n * - 'strict' (default): no inline styles, injects \"style-src-attr 'none'\", and forbids 'unsafe-eval'.\n * - 'compatible': allows inline styles/scripts via 'unsafe-inline' for friendlier dev/local setups.\n \n allowUnsafeEval:\n * - false by default. Set to true only for development servers that require eval (e.g., Next.js Fast Refresh).\n * - Tatchi SDK does not require 'unsafe-eval' in production.\n \n Typical usage: apply strict CSP only to wallet HTML routes\n * (/wallet-service, /export-viewer); do not attach CSP to host app routes.\n */\nexport function buildWalletCsp(opts: {\n frameSrc?: string[]\n mode?: CspMode\n allowUnsafeEval?: boolean\n scriptSrcAllowlist?: string[]\n} = {}): string {\n const mode: CspMode = opts.mode \|\| 'strict'\n const frame = (opts.frameSrc \|\| []).filter(Boolean)\n const scriptAllow = (opts.scriptSrcAllowlist \|\| [])\n .map((s) => toOriginOrUndefined(s) \|\| s)\n .filter(Boolean) as string[]\n const scriptUnsafeInline = mode === 'compatible' ? \" 'unsafe-inline'\" : ''\n const styleUnsafeInline = mode === 'compatible' ? \" 'unsafe-inline'\" : ''\n const scriptUnsafeEval = opts.allowUnsafeEval ? \" 'unsafe-eval'\" : ''\n const base: string[] = [\n \"default-src 'self'\",\n `script-src 'self'${scriptUnsafeInline}${scriptUnsafeEval}${scriptAllow.length ? ' ' + scriptAllow.join(' ') : ''}`,\n `style-src 'self'${styleUnsafeInline}`,\n \"img-src 'self' data:\",\n \"font-src 'self'\",\n \"connect-src 'self' https:\",\n \"worker-src 'self' blob:\",\n `frame-src 'self'${frame.length ? ' ' + frame.join(' ') : ''}`,\n \"object-src 'none'\",\n \"base-uri 'none'\",\n \"form-action 'none'\",\n ]\n if (mode === 'strict') base.splice(2, 0, \"style-src-attr 'none'\")\n return base.join('; ')\n}\n"],"mappings":";;;AAOA,SAAgB,uBAAuB,cAA+B;CACpE,MAAM,IAAI,oBAAoB;CAC9B,MAAM,QAAQ,SAAiB,GAAG,KAAK,QAAQ,IAAI,KAAK,EAAE,KAAK,GAAG;AAClE,QAAO;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACL,KAAK;;;;;;;;;;;;;;;;AAiBT,SAAgB,eAAe,OAK3B,IAAY;CACd,MAAMA,OAAgB,KAAK,QAAQ;CACnC,MAAM,SAAS,KAAK,YAAY,IAAI,OAAO;CAC3C,MAAM,eAAe,KAAK,sBAAsB,IAC7C,KAAK,MAAM,oBAAoB,MAAM,GACrC,OAAO;CACV,MAAM,qBAAqB,SAAS,eAAe,qBAAqB;CACxE,MAAM,oBAAoB,SAAS,eAAe,qBAAqB;CACvE,MAAM,mBAAmB,KAAK,kBAAkB,mBAAmB;CACnE,MAAMC,OAAiB;EACrB;EACA,oBAAoB,qBAAqB,mBAAmB,YAAY,SAAS,MAAM,YAAY,KAAK,OAAO;EAC/G,mBAAmB;EACnB;EACA;EACA;EACA;EACA,mBAAmB,MAAM,SAAS,MAAM,MAAM,KAAK,OAAO;EAC1D;EACA;EACA;;AAEF,KAAI,SAAS,SAAU,MAAK,OAAO,GAAG,GAAG;AACzC,QAAO,KAAK,KAAK"}

package/dist/esm/plugins/next.js CHANGED Viewed

@@ -2,8 +2,21 @@ import * as path from "node:path";
 import * as fs from "node:fs";
 import { createRequire } from "node:module";
-//#region src/plugins/headers.ts
-function normalizeOrigin(input) {
+//#region src/utils/validation.ts
+/** Ensure a non-empty string starts with `/` (path normalization). */
+function ensureLeadingSlash(value) {
+	const trimmed = String(value ?? "").trim();
+	if (!trimmed) return "";
+	return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+}
+/** Normalize an app base path like `/sdk` (leading slash, no trailing slashes except `/`). */
+function toBasePath(value, fallback = "/sdk") {
+	const base = ensureLeadingSlash(typeof value === "string" ? value : fallback) || ensureLeadingSlash(fallback) || "/";
+	if (base === "/") return "/";
+	return base.replace(/\/+$/, "");
+}
+/** Best-effort origin normalization (used by CSP/Permissions-Policy helpers). */
+function toOriginOrUndefined(input) {
 	try {
 		const v = (input || "").trim();
 		if (!v) return void 0;
@@ -12,8 +25,11 @@ function normalizeOrigin(input) {
 		return input?.trim() || void 0;
 	}
 }
+//#endregion
+//#region src/plugins/headers.ts
 function buildPermissionsPolicy(walletOrigin) {
-	const o = normalizeOrigin(walletOrigin);
+	const o = toOriginOrUndefined(walletOrigin);
 	const part = (name) => `${name}=(self${o ? ` "${o}"` : ""})`;
 	return [
 		part("publickey-credentials-get"),
@@ -39,7 +55,7 @@ function buildPermissionsPolicy(walletOrigin) {
 function buildWalletCsp(opts = {}) {
 	const mode = opts.mode || "strict";
 	const frame = (opts.frameSrc || []).filter(Boolean);
-	const scriptAllow = (opts.scriptSrcAllowlist || []).map((s) => normalizeOrigin(s) || s).filter(Boolean);
+	const scriptAllow = (opts.scriptSrcAllowlist || []).map((s) => toOriginOrUndefined(s) || s).filter(Boolean);
 	const scriptUnsafeInline = mode === "compatible" ? " 'unsafe-inline'" : "";
 	const styleUnsafeInline = mode === "compatible" ? " 'unsafe-inline'" : "";
 	const scriptUnsafeEval = opts.allowUnsafeEval ? " 'unsafe-eval'" : "";
@@ -137,12 +153,6 @@ async function fetchRorOriginsFromNear(opts) {
 	return __rorInflight.get(key);
 }
 const requireCjs = createRequire(import.meta.url);
-function normalizeBase(p, fallback = "/sdk") {
-	let out = (p || fallback).trim();
-	if (!out.startsWith("/")) out = "/" + out;
-	if (out.length > 1 && out.endsWith("/")) out = out.slice(0, -1);
-	return out;
-}
 function resolveSdkDistRoot(explicit) {
 	if (explicit) return path.resolve(explicit);
 	const pkgPath = requireCjs.resolve("@tatchi-xyz/sdk/package.json");
@@ -463,7 +473,7 @@ async function handleWellKnownRorEdge(_request, opts = {}) {
 }
 function nextEmitOfflineExportAssets(opts) {
 	const outDir = path.resolve(opts.outDir);
-	const sdkBasePath = normalizeBase(opts.sdkBasePath, "/sdk");
+	const sdkBasePath = toBasePath(opts.sdkBasePath, "/sdk");
 	const sdkDistRoot = resolveSdkDistRoot(opts.sdkDistRoot);
 	emitOfflineExportAssets({
 		outDir,