npm - @tatchi-xyz/sdk - Versions diffs - 0.21.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.21.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2488) hide show

package/dist/esm/server/router/express.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"express.js","names":["out: ShamirApplyServerLockResponse","e: any","out: ShamirRemoveServerLockResponse","normalizedHeaders: Record<string, string>","v","base: Logger","allowedOrigin: string \| '' \| undefined","error: any","e: any","result","currentKeyId: string \| null","shamirReady: boolean \| null","shamirCurrentKeyId: string \| null","shamirError: string \| undefined","timer: any"],"sources":["../../../../src/server/core/SessionService.ts","../../../../src/core/WalletIframe/validation.ts","../../../../src/server/core/shamirHandlers.ts","../../../../src/server/email-recovery/zkEmail/index.ts","../../../../src/server/email-recovery/emailParsers.ts","../../../../src/server/core/logger.ts","../../../../src/server/router/logger.ts","../../../../src/server/router/express-adaptor.ts"],"sourcesContent":["\nexport interface SessionConfig {\n jwt?: {\n /* Required: JWT signing hook; return a complete token /\n signToken?: (input: { header: Record<string, unknown>; payload: Record<string, unknown> }) => Promise<string> \| string;\n /* Required: JWT verification hook /\n verifyToken?: (token: string) => Promise<{ valid: boolean; payload?: any }> \| { valid: boolean; payload?: any };\n /* Optional: sliding refresh window (seconds) to allow /session/refresh before exp, default 900 (15 min) /\n refreshWindowSec?: number;\n /* Optional: build additional claims to include in the payload /\n buildClaims?: (input: { sub: string; context?: Record<string, unknown> }) => Promise<Record<string, unknown> \| void> \| Record<string, unknown> \| void;\n };\n cookie?: {\n /* Cookie name. Default: 'w3a_session' /\n name?: string;\n /* Optional override: build Set-Cookie header for a new token /\n buildSetHeader?: (token: string) => string;\n /* Optional override: build Set-Cookie header that clears the cookie /\n buildClearHeader?: () => string;\n /* Optional override: extract token from headers (Authorization/Cookie) /\n extractToken?: (headers: Record<string, string \| string[] \| undefined>, cookieName: string) => string \| null;\n };\n}\n\nexport class SessionService<TClaims = any> {\n private cfg: NonNullable<SessionConfig>;\n\n constructor(cfg: NonNullable<SessionConfig>) {\n this.cfg = cfg \|\| ({} as any);\n }\n\n getCookieName(): string {\n return this.cfg?.cookie?.name \|\| 'w3a_session';\n }\n\n buildSetCookie(token: string): string {\n if (this.cfg?.cookie?.buildSetHeader) return this.cfg.cookie.buildSetHeader(token);\n const name = this.getCookieName();\n const cookieParts = [`${name}=${token}`];\n const path = '/';\n const httpOnly = true;\n const secure = true; // default secure\n const sameSite = 'Lax';\n const maxAge = 24 3600; // 1 day default\n cookieParts.push(`Path=${path}`);\n if (httpOnly) cookieParts.push('HttpOnly');\n if (secure) cookieParts.push('Secure');\n if (sameSite) cookieParts.push(`SameSite=${sameSite}`);\n if (maxAge) {\n cookieParts.push(`Max-Age=${maxAge}`);\n const expires = new Date(Date.now() + (maxAge * 1000)).toUTCString();\n cookieParts.push(`Expires=${expires}`);\n }\n return cookieParts.join('; ');\n }\n\n buildClearCookie(): string {\n if (this.cfg?.cookie?.buildClearHeader) return this.cfg.cookie.buildClearHeader();\n const name = this.getCookieName();\n const path = '/';\n const secure = true;\n const httpOnly = true;\n const parts = [\n `${name}=`,\n `Path=${path}`,\n 'Max-Age=0',\n 'Expires=Thu, 01 Jan 1970 00:00:00 GMT'\n ];\n if (httpOnly) parts.push('HttpOnly');\n if (secure) parts.push('Secure');\n const sameSite = 'Lax';\n if (sameSite) parts.push(`SameSite=${sameSite}`);\n return parts.join('; ');\n }\n\n /** Sign a JWT with configured algorithm. Adds iat/exp and copies iss/aud. /\n async signJwt(sub: string, extraClaims?: Record<string, unknown>): Promise<string> {\n const jwt = this.cfg?.jwt \|\| {};\n const built = await Promise.resolve(jwt.buildClaims?.({ sub, context: extraClaims })) \|\| {};\n const payload = { sub, ...(extraClaims \|\| {}), ...(built \|\| {}) } as Record<string, unknown>;\n if (typeof jwt.signToken === 'function') {\n // Full override of signing: user supplies the complete token\n const token = await Promise.resolve(jwt.signToken({ header: { typ: 'JWT' }, payload } as any));\n return token;\n }\n throw new Error('SessionService: No JWT signing hook or provider configured');\n }\n\n /* Verify signature and expiration. Returns payload on success. /\n async verifyJwt(token: string): Promise<{ valid: boolean; payload?: any }> {\n const verify = this.cfg?.jwt?.verifyToken;\n if (typeof verify !== 'function') return { valid: false };\n return await Promise.resolve(verify(token));\n }\n\n parse(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: boolean; claims?: TClaims } \| { ok: false }>{\n const authHeader = (headers['authorization'] \|\| headers['Authorization']) as string \| undefined;\n let token: string \| null = null;\n if (authHeader && /^Bearer\\s+/.test(authHeader)) token = authHeader.replace(/^Bearer\\s+/i, '').trim();\n const cookieHeader = (headers['cookie'] \|\| headers['Cookie']) as string \| undefined;\n if (!token && cookieHeader) {\n const name = this.getCookieName();\n for (const part of cookieHeader.split(';')) {\n const [k, v] = part.split('=');\n if (k && k.trim() === name) { token = (v \|\| '').trim(); break; }\n }\n }\n if (!token) return Promise.resolve({ ok: false });\n return this.verifyJwt(token).then(v => v.valid ? { ok: true, claims: v.payload as TClaims } : { ok: false });\n }\n\n // === token helpers ===\n extractTokenFromHeaders(headers: Record<string, string \| string[] \| undefined>): string \| null {\n if (this.cfg?.cookie?.extractToken) return this.cfg.cookie.extractToken(headers, this.getCookieName());\n const authHeader = (headers['authorization'] \|\| headers['Authorization']) as string \| undefined;\n if (authHeader && /^Bearer\\s+/.test(authHeader)) return authHeader.replace(/^Bearer\\s+/i, '').trim();\n const cookieHeader = (headers['cookie'] \|\| headers['Cookie']) as string \| undefined;\n if (cookieHeader) {\n const name = this.getCookieName();\n for (const part of cookieHeader.split(';')) {\n const [k, v] = part.split('=');\n if (k && k.trim() === name) return (v \|\| '').trim();\n }\n }\n return null;\n }\n\n async refresh(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: boolean; jwt?: string; code?: string; message?: string }>{\n try {\n const token = this.extractTokenFromHeaders(headers);\n if (!token) return { ok: false, code: 'unauthorized', message: 'No session token' };\n const v = await this.verifyJwt(token);\n if (!v.valid) return { ok: false, code: 'unauthorized', message: 'Invalid token' };\n const payload: any = v.payload \|\| {};\n if (!this.isWithinRefreshWindow(payload)) return { ok: false, code: 'not_eligible', message: 'Not within refresh window' };\n const sub = String(payload.sub \|\| '');\n if (!sub) return { ok: false, code: 'invalid_claims', message: 'Missing sub claim' };\n const next = await this.signJwt(sub);\n return { ok: true, jwt: next };\n } catch (e: any) {\n return { ok: false, code: 'internal', message: e?.message \|\| 'Refresh failed' };\n }\n }\n\n nowSeconds(): number { return Math.floor(Date.now() / 1000); }\n\n private isWithinRefreshWindow(payload: any): boolean {\n try {\n const now = this.nowSeconds();\n const exp = Number(payload?.exp \|\| 0);\n if (!exp \|\| now >= exp) return false; // no refresh if already expired\n const windowSec = Number(this.cfg?.jwt?.refreshWindowSec \|\| 15 60);\n return (exp - now) <= windowSec;\n } catch { return false; }\n }\n}\n\n/\n Utility: parse comma-separated list of origins into a normalized unique list\n * - canonicalizes to protocol + host + optional port\n * - lowercases host, strips path/query/hash, trims spaces/trailing slashes\n /\nexport function parseCsvList(input?: string): string[] {\n const out = new Set<string>();\n for (const raw of String(input \|\| '').split(',')) {\n const s = raw.trim();\n if (!s) continue;\n try {\n const u = new URL(s);\n const host = u.hostname.toLowerCase();\n const port = u.port ? `:${u.port}` : '';\n const proto = u.protocol === 'http:' \|\| u.protocol === 'https:' ? u.protocol : 'https:';\n out.add(`${proto}//${host}${port}`);\n } catch {\n const stripped = s.replace(/\\/$/, '');\n if (stripped) out.add(stripped);\n }\n }\n return Array.from(out);\n}\n\n/\n * Utility: merge multiple CSV lists of origins and return normalized list or ''\n /\nexport function buildCorsOrigins(...inputs: Array<string \| undefined>): string[] \| '' {\n const merged = new Set<string>();\n for (const input of inputs) {\n for (const origin of parseCsvList(input)) merged.add(origin);\n }\n const list = Array.from(merged);\n return list.length > 0 ? list : '';\n}\n","// Shared runtime validation helpers for Wallet Iframe code.\n\nexport function isObject(x: unknown): x is Record<string, unknown> {\n return x !== null && typeof x === 'object';\n}\n\nexport function isString(x: unknown): x is string {\n return typeof x === 'string';\n}\n\nexport function isNonEmptyString(x: unknown): x is string {\n return typeof x === 'string' && x.length > 0;\n}\n\nexport function isNumber(x: unknown): x is number {\n return typeof x === 'number';\n}\n\nexport function isFiniteNumber(x: unknown): x is number {\n return typeof x === 'number' && Number.isFinite(x);\n}\n\nexport function isFunction(x: unknown): x is Function {\n return typeof x === 'function';\n}\n\nexport function isBoolean(x: unknown): x is boolean {\n return typeof x === 'boolean';\n}\n\nexport function isArray<T = unknown>(x: unknown): x is T[] {\n return Array.isArray(x);\n}\n\n// ========= Assertions (throw on mismatch) =========\n\nexport function assertString(val: unknown, name = 'value'): string {\n if (typeof val !== 'string') throw new Error(`Invalid ${name}: expected string`);\n return val;\n}\n\nexport function assertNumber(val: unknown, name = 'value'): number {\n if (typeof val !== 'number' \|\| !Number.isFinite(val)) throw new Error(`Invalid ${name}: expected finite number`);\n return val;\n}\n\nexport function assertBoolean(val: unknown, name = 'value'): boolean {\n if (typeof val !== 'boolean') throw new Error(`Invalid ${name}: expected boolean`);\n return val;\n}\n\nexport function assertObject<T extends Record<string, unknown> = Record<string, unknown>>(val: unknown, name = 'value'): T {\n if (!isObject(val)) throw new Error(`Invalid ${name}: expected object`);\n return val as T;\n}\n\nexport function assertArray<T = unknown>(val: unknown, name = 'value'): T[] {\n if (!Array.isArray(val)) throw new Error(`Invalid ${name}: expected array`);\n return val as T[];\n}\n\n// Shallowly remove function-valued properties (postMessage/clone safety)\nexport function stripFunctionsShallow<T extends Record<string, unknown>>(obj?: T): Partial<T> \| undefined {\n if (!obj \|\| !isObject(obj)) return undefined;\n const out: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(obj)) {\n if (!isFunction(v)) out[k] = v as unknown;\n }\n return out as Partial<T>;\n}\n\n// ===============================\n// SignedTransaction shape helpers\n// ===============================\n\nexport interface PlainSignedTransactionLike {\n transaction: unknown;\n signature: unknown;\n borsh_bytes?: unknown;\n borshBytes?: unknown;\n base64Encode?: unknown;\n}\n\nexport function isPlainSignedTransactionLike(x: unknown): x is PlainSignedTransactionLike {\n if (!isObject(x)) return false;\n const hasTx = 'transaction' in x;\n const hasSig = 'signature' in x;\n const bytes = x as { borsh_bytes?: unknown; borshBytes?: unknown };\n const hasBytes = Array.isArray(bytes.borsh_bytes) \|\| bytes.borshBytes instanceof Uint8Array;\n const hasMethod = typeof (x as { base64Encode?: unknown }).base64Encode === 'function';\n return hasTx && hasSig && hasBytes && !hasMethod;\n}\n\nexport function extractBorshBytesFromPlainSignedTx(x: PlainSignedTransactionLike): number[] {\n const asArray = Array.isArray(x.borsh_bytes) ? (x.borsh_bytes as number[]) : undefined;\n if (asArray) return asArray;\n const asU8 = (x.borshBytes instanceof Uint8Array) ? x.borshBytes : undefined;\n return Array.from(asU8 \|\| new Uint8Array());\n}\n","import type {\n ShamirApplyServerLockRequest,\n ShamirApplyServerLockResponse,\n ShamirRemoveServerLockRequest,\n ShamirRemoveServerLockResponse,\n} from './types';\nimport type { ShamirService } from './ShamirService';\nimport { isString } from '../../core/WalletIframe/validation';\n\nexport async function handleApplyServerLock(\n service: ShamirService,\n request: { body?: { kek_c_b64u?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const kek_c_b64u = request.body?.kek_c_b64u;\n if (!isString(kek_c_b64u) \|\| !kek_c_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_c_b64u required and must be a non-empty string' }),\n };\n }\n\n const out: ShamirApplyServerLockResponse = await service.applyServerLock(kek_c_b64u);\n const keyId = service.getCurrentShamirKeyId();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ ...out, keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveServerLock(\n service: ShamirService,\n request: { body?: { kek_cs_b64u?: string; keyId?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const body = request.body;\n if (!body) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'Missing body' }),\n };\n }\n const { kek_cs_b64u, keyId } = body;\n if (!isString(kek_cs_b64u) \|\| !kek_cs_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_cs_b64u required and must be a non-empty string' }),\n };\n }\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const providedKeyId = String(keyId);\n const currentKeyId = service.getCurrentShamirKeyId();\n let out: ShamirRemoveServerLockResponse;\n\n if (currentKeyId && providedKeyId === currentKeyId) {\n out = await service.removeServerLock(kek_cs_b64u);\n } else if (service.hasGraceKey(providedKeyId)) {\n out = await service.removeGraceServerLockWithKey(providedKeyId, { kek_cs_b64u } as ShamirRemoveServerLockRequest);\n } else {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'unknown keyId' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(out),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleGetShamirKeyInfo(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureReady();\n const currentKeyId = service.getCurrentShamirKeyId();\n const graceKeyIds = service.getGraceKeyIds();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n currentKeyId,\n p_b64u: service.getShamirConfig()?.shamir_p_b64u ?? null,\n graceKeyIds,\n }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleListGraceKeys(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureGraceKeysLoaded();\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ graceKeyIds: service.getGraceKeyIds() }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleAddGraceKey(\n service: ShamirService,\n request: { e_s_b64u?: string; d_s_b64u?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const { e_s_b64u, d_s_b64u } = request \|\| ({} as any);\n if (!isString(e_s_b64u) \|\| !e_s_b64u \|\| !isString(d_s_b64u) \|\| !d_s_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'e_s_b64u and d_s_b64u required' }),\n };\n }\n\n await service.ensureGraceKeysLoaded();\n const added = await service.addGraceKeyInternal({ e_s_b64u, d_s_b64u }, { persist: true, skipIfExists: true });\n if (!added) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'failed to add grace key' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ keyId: added.keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveGraceKey(\n service: ShamirService,\n request: { keyId?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const keyId = request?.keyId;\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const removed = await service.removeGraceKeyInternal(keyId, { persist: true });\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ removed }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n","import { ZkEmailProverClient, type ZkEmailProverClientOptions, type ZkEmailProverError } from './proverClient';\n\nexport { ZkEmailProverClient } from './proverClient';\nexport type { ZkEmailProverClientOptions, ZkEmailProverError, ZkEmailProverResponse } from './proverClient';\n\nexport interface ForwardableEmailPayload {\n from: string;\n to: string;\n headers: Record<string, string>;\n raw?: string;\n rawSize?: number;\n}\n\nexport type NormalizedEmailResult =\n \| { ok: true; payload: ForwardableEmailPayload }\n \| { ok: false; code: string; message: string };\n\nexport interface GenerateZkEmailProofResult {\n proof: unknown;\n publicInputs: string[];\n}\n\nexport interface ParsedZkEmailBindings {\n accountId: string;\n newPublicKey: string;\n fromEmail: string;\n timestamp: string;\n requestId: string;\n}\n\n/*\n Build a minimal ForwardableEmailPayload from a raw RFC822 email string.\n * This is primarily used by server-side helpers that receive only a raw\n * email blob (no pre-normalized headers).\n /\nexport function buildForwardablePayloadFromRawEmail(raw: string): ForwardableEmailPayload {\n const safeRaw = typeof raw === 'string' ? raw : '';\n const lines = safeRaw.split(/\\r?\\n/);\n\n const getHeader = (name: string): string \| undefined => {\n const line = lines.find(l => new RegExp(`^${name}:`, 'i').test(l));\n if (!line) return undefined;\n const idx = line.indexOf(':');\n const rest = idx >= 0 ? line.slice(idx + 1) : '';\n const value = rest.trim();\n return value \|\| undefined;\n };\n\n const fromHeader = getHeader('from') \|\| 'unknown@zkemail.local';\n const toHeader = getHeader('to') \|\| 'recover@zkemail.local';\n\n const headers: Record<string, string> = {};\n const subjectHeader = getHeader('subject');\n const dateHeader = getHeader('date');\n\n if (fromHeader) headers.from = fromHeader;\n if (toHeader) headers.to = toHeader;\n if (subjectHeader) headers.subject = subjectHeader;\n if (dateHeader) headers.date = dateHeader;\n\n return {\n from: fromHeader,\n to: toHeader,\n headers,\n raw: safeRaw,\n rawSize: safeRaw.length,\n };\n}\n\nexport function normalizeForwardableEmailPayload(input: unknown): NormalizedEmailResult {\n if (!input \|\| typeof input !== 'object') {\n return { ok: false, code: 'invalid_email', message: 'JSON body required' };\n }\n\n const body = input as Partial<ForwardableEmailPayload>;\n const { from, to, headers, raw, rawSize } = body;\n\n if (!from \|\| typeof from !== 'string' \|\| !to \|\| typeof to !== 'string') {\n return { ok: false, code: 'invalid_email', message: 'from and to are required' };\n }\n\n if (!headers \|\| typeof headers !== 'object') {\n return { ok: false, code: 'invalid_email', message: 'headers object is required' };\n }\n\n const normalizedHeaders: Record<string, string> = {};\n for (const [k, v] of Object.entries(headers as Record<string, unknown>)) {\n normalizedHeaders[String(k).toLowerCase()] = String(v);\n }\n\n return {\n ok: true,\n payload: {\n from,\n to,\n headers: normalizedHeaders,\n raw: typeof raw === 'string' ? raw : undefined,\n rawSize: typeof rawSize === 'number' ? rawSize : undefined,\n },\n };\n}\n\n/\n Parse NEAR accountId from the Subject line inside a raw RFC822 email.\n \n Expected format (case-insensitive on \"Subject\" and \"recover\"):\n * Subject: recover-123ABC bob.testnet ed25519:<pk>\n \n Returns the parsed accountId (e.g. \"bob.testnet\") or null if not found.\n /\nexport function parseAccountIdFromSubject(raw: string \| undefined \| null): string \| null {\n if (!raw \|\| typeof raw !== 'string') return null;\n\n // Accept either a full RFC822 message (with \"Subject: ...\" header)\n // or a bare Subject value (\"recover-123ABC bob.testnet ed25519:<pk>\").\n let subjectText = '';\n const lines = raw.split(/\\r?\\n/);\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n if (subjectLine) {\n const idx = subjectLine.indexOf(':');\n const restRaw = idx >= 0 ? subjectLine.slice(idx + 1) : '';\n subjectText = restRaw.trim();\n } else {\n subjectText = raw.trim();\n }\n\n if (!subjectText) return null;\n\n // Strip common reply/forward prefixes\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format: \"recover-<request_id> <accountId> [ed25519:<pk>]\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)(?:\\s+ed25519:[^\\s]+)?\\s$/i\n );\n if (match?.[2]) {\n return match[2];\n }\n\n return null;\n}\n\nfunction parseSubjectBindings(\n rawSubject: string \| undefined \| null\n): { accountId: string; newPublicKey: string; requestId: string } \| null {\n if (!rawSubject \|\| typeof rawSubject !== 'string') return null;\n\n const lines = rawSubject.split(/\\r?\\n/);\n let subjectText = '';\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n if (subjectLine) {\n const idx = subjectLine.indexOf(':');\n const restRaw = idx >= 0 ? subjectLine.slice(idx + 1) : '';\n subjectText = restRaw.trim();\n } else {\n subjectText = rawSubject.trim();\n }\n if (!subjectText) return null;\n\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format:\n // \"recover-<request_id> <accountId> ed25519:<pk>\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)\\s+ed25519:([^\\s]+)\\s$/i\n );\n if (!match) return null;\n\n const [, requestId, accountId, newPublicKey] = match;\n\n return {\n accountId,\n newPublicKey,\n requestId,\n };\n}\n\nexport function extractZkEmailBindingsFromPayload(\n payload: ForwardableEmailPayload\n): ParsedZkEmailBindings \| null {\n const raw = payload.raw \|\| '';\n const lines = raw.split(/\\r?\\n/);\n\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n const subjectBindings = parseSubjectBindings(subjectLine ?? '');\n if (!subjectBindings) {\n return null;\n }\n\n const headers = payload.headers \|\| {};\n let fromEmailRaw: string \| undefined =\n (headers['from'] as any) \|\|\n (headers['x-from-email'] as any);\n let dateRaw: string \| undefined =\n (headers['date'] as any) \|\|\n (headers['x-original-date'] as any);\n\n // Fallback: if headers object does not contain from/date,\n // attempt to parse them from the raw RFC822 email lines.\n if (!fromEmailRaw \|\| !dateRaw) {\n for (const line of lines) {\n if (!fromEmailRaw && /^from:/i.test(line)) {\n const idx = line.indexOf(':');\n fromEmailRaw = idx >= 0 ? line.slice(idx + 1).trim() : '';\n }\n if (!dateRaw && /^date:/i.test(line)) {\n const idx = line.indexOf(':');\n dateRaw = idx >= 0 ? line.slice(idx + 1).trim() : '';\n }\n if (fromEmailRaw && dateRaw) break;\n }\n }\n\n const fromEmail = String(fromEmailRaw \|\| '').trim();\n const timestamp = String(dateRaw \|\| '').trim();\n\n if (!fromEmail \|\| !timestamp) {\n return null;\n }\n\n return {\n accountId: subjectBindings.accountId,\n newPublicKey: subjectBindings.newPublicKey,\n fromEmail,\n timestamp,\n requestId: subjectBindings.requestId,\n };\n}\n\nexport async function generateZkEmailProofFromPayload(\n payload: ForwardableEmailPayload,\n prover: ZkEmailProverClientOptions \| ZkEmailProverClient\n): Promise<GenerateZkEmailProofResult> {\n if (!payload.raw \|\| typeof payload.raw !== 'string') {\n const err: ZkEmailProverError = Object.assign(\n new Error('raw email contents are required to generate a zk-email proof'),\n { code: 'missing_raw_email' }\n );\n throw err;\n }\n\n const client =\n (prover && typeof (prover as any).proveEmail === 'function')\n ? (prover as ZkEmailProverClient)\n : new ZkEmailProverClient(prover as ZkEmailProverClientOptions);\n\n const res = await client.proveEmail(payload.raw);\n\n return {\n proof: res.proof,\n publicInputs: res.publicSignals,\n };\n}\n","import type { EmailRecoveryMode } from './types';\nimport { normalizeForwardableEmailPayload, parseAccountIdFromSubject } from './zkEmail';\nimport { ensureEd25519Prefix } from '../../core/nearCrypto';\n\nexport enum EmailRecoveryModeHint {\n ZkEmail = 'zk-email',\n TeeEncrypted = 'tee-encrypted',\n OnchainPublic = 'onchain-public',\n}\n\nexport function normalizeRecoveryMode(raw: string \| undefined \| null): EmailRecoveryMode \| null {\n if (!raw) return null;\n const value = raw.trim().toLowerCase();\n if (value === EmailRecoveryModeHint.ZkEmail) return 'zk-email';\n if (value === EmailRecoveryModeHint.TeeEncrypted) return 'tee-encrypted';\n if (value === EmailRecoveryModeHint.OnchainPublic) return 'onchain-public';\n return null;\n}\n\nexport function extractRecoveryModeFromBody(emailBlob?: string): EmailRecoveryMode \| null {\n if (!emailBlob) return null;\n\n const lines = emailBlob.split(/\\r?\\n/);\n const bodyStartIndex = lines.findIndex(line => line.trim() === '');\n if (bodyStartIndex === -1) return null;\n\n const bodyLines = lines.slice(bodyStartIndex + 1);\n const firstNonEmptyBodyLine = bodyLines.find(line => line.trim() !== '');\n if (!firstNonEmptyBodyLine) return null;\n\n const candidate = firstNonEmptyBodyLine.trim();\n const normalized = normalizeRecoveryMode(candidate);\n if (normalized) return normalized;\n\n const lower = candidate.toLowerCase();\n if (lower.includes(EmailRecoveryModeHint.ZkEmail)) return 'zk-email';\n if (lower.includes(EmailRecoveryModeHint.TeeEncrypted)) return 'tee-encrypted';\n if (lower.includes(EmailRecoveryModeHint.OnchainPublic)) return 'onchain-public';\n\n return null;\n}\n\ntype HeaderValue = string \| string[] \| undefined;\ntype HeadersLike = Headers \| Record<string, HeaderValue> \| undefined;\n\nexport type RecoverEmailParseResult =\n \| { ok: true; accountId: string; emailBlob: string; explicitMode?: string }\n \| { ok: false; status: number; code: string; message: string };\n\nfunction getHeader(headers: HeadersLike, name: string): string \| undefined {\n if (!headers) return undefined;\n\n const maybeHeaders = headers as any;\n if (typeof maybeHeaders.get === 'function') {\n const v = maybeHeaders.get(name);\n return (typeof v === 'string') ? v : undefined;\n }\n\n const record = headers as Record<string, HeaderValue>;\n const v = record[name.toLowerCase()] ?? record[name];\n if (Array.isArray(v)) return (typeof v[0] === 'string') ? v[0] : undefined;\n return (typeof v === 'string') ? v : undefined;\n}\n\nfunction parseExplicitMode(body: unknown, headers?: HeadersLike): string \| undefined {\n const modeFromBody =\n (typeof (body as any)?.explicitMode === 'string' ? String((body as any).explicitMode) : '') \|\|\n (typeof (body as any)?.explicit_mode === 'string' ? String((body as any).explicit_mode) : '');\n const modeFromHeader = getHeader(headers, 'x-email-recovery-mode') \|\| getHeader(headers, 'x-recovery-mode') \|\| '';\n const raw = (modeFromBody \|\| modeFromHeader).trim();\n return raw ? raw : undefined;\n}\n\nexport function parseRecoverEmailRequest(body: unknown, opts: { headers?: HeadersLike } = {}): RecoverEmailParseResult {\n const explicitMode = parseExplicitMode(body, opts.headers);\n\n const normalized = normalizeForwardableEmailPayload(body);\n if (!normalized.ok) {\n return { ok: false, status: 400, code: normalized.code, message: normalized.message };\n }\n\n const payload = normalized.payload;\n const emailBlob = payload.raw \|\| '';\n const emailHeaders = payload.headers \|\| {};\n\n const subjectHeader = emailHeaders['subject'];\n const parsedAccountId = parseAccountIdFromSubject(subjectHeader \|\| emailBlob);\n const headerAccountId = String(emailHeaders['x-near-account-id'] \|\| emailHeaders['x-account-id'] \|\| '').trim();\n const accountId = (parsedAccountId \|\| headerAccountId \|\| '').trim();\n\n if (!accountId) {\n return { ok: false, status: 400, code: 'missing_account', message: 'x-near-account-id header is required' };\n }\n if (!emailBlob) {\n return { ok: false, status: 400, code: 'missing_email', message: 'raw email blob is required' };\n }\n\n return { ok: true, accountId, emailBlob, explicitMode };\n}\n\nconst EMAIL_ADDRESS_REGEX =\n /([a-zA-Z0-9.!#$%&'+/=?^_`{\|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+))/;\n\nexport function canonicalizeEmail(input: string): string {\n const raw = String(input \|\| '').trim();\n if (!raw) return '';\n\n // Handle cases where a full header line is passed in (e.g. \"From: ...\").\n const withoutHeaderName = raw.replace(/^[a-z0-9-]+\\s:\\s/i, '').trim();\n\n // Prefer the common \"Name <email@domain>\" format when present, but still\n // validate/extract the actual address via regex.\n const angleMatch = withoutHeaderName.match(/<([^>]+)>/);\n const candidates = [\n angleMatch?.[1],\n withoutHeaderName,\n ].filter((v): v is string => typeof v === 'string' && v.length > 0);\n\n for (const candidate of candidates) {\n const cleaned = candidate.replace(/^mailto:\\s/i, '');\n const match = cleaned.match(EMAIL_ADDRESS_REGEX);\n if (match?.[1]) {\n return match[1].trim().toLowerCase();\n }\n }\n\n return withoutHeaderName.toLowerCase();\n}\n\nexport function parseHeaderValue(rawEmail: string, name: string): string \| undefined {\n try {\n const raw = String(rawEmail \|\| '');\n if (!raw) return undefined;\n\n const lines = raw.split(/\\r?\\n/);\n const headerLines: string[] = [];\n\n // Only consider the header section (until the first blank line).\n for (const line of lines) {\n if (line.trim() === '') break;\n\n // RFC822 header folding: lines starting with whitespace continue previous header.\n if (/^\\s/.test(line) && headerLines.length > 0) {\n headerLines[headerLines.length - 1] += ` ${line.trim()}`;\n continue;\n }\n\n headerLines.push(line);\n }\n\n const headerName = name.trim();\n if (!headerName) return undefined;\n\n const re = new RegExp(`^${headerName.replace(/[.+?^${}()\|[\\]\\\\]/g, '\\\\$&')}\\\\s:`, 'i');\n const found = headerLines.find((l) => re.test(l));\n if (!found) return undefined;\n\n const idx = found.indexOf(':');\n const value = idx >= 0 ? found.slice(idx + 1).trim() : '';\n return value \|\| undefined;\n } catch {\n return undefined;\n }\n}\n\nexport function parseRecoverSubjectBindings(\n rawEmail: string\n): { requestId: string; accountId: string; newPublicKey: string } \| null {\n // Accept either a full RFC822 email or a bare Subject value.\n let subjectText = (parseHeaderValue(rawEmail, 'subject') \|\| String(rawEmail \|\| '')).trim();\n if (!subjectText) return null;\n\n // Strip common reply/forward prefixes.\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format:\n // \"recover-<request_id> <accountId> ed25519:<pk>\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)\\s+ed25519:([^\\s]+)\\s$/i\n );\n if (!match) return null;\n\n const [, requestId, accountId, newPublicKey] = match;\n return { requestId, accountId, newPublicKey: ensureEd25519Prefix(newPublicKey) };\n}\n","export type Logger = {\n debug?: (...args: unknown[]) => void;\n info?: (...args: unknown[]) => void;\n warn?: (...args: unknown[]) => void;\n error?: (...args: unknown[]) => void;\n log?: (...args: unknown[]) => void;\n};\n\nexport type NormalizedLogger = {\n debug: (...args: unknown[]) => void;\n info: (...args: unknown[]) => void;\n warn: (...args: unknown[]) => void;\n error: (...args: unknown[]) => void;\n};\n\nfunction safe(fn?: (...args: unknown[]) => void): (...args: unknown[]) => void {\n if (!fn) return () => {};\n return (...args: unknown[]) => {\n try {\n fn(...args);\n } catch {\n // Never allow logging to break request handling.\n }\n };\n}\n\n/*\n Library code should never call `console.` directly; the host decides where logs go.\n - Default: no logs\n * - To enable: pass `logger: console` (or a structured logger) to the host config.\n /\nexport function normalizeLogger(logger?: Logger \| null): NormalizedLogger {\n if (!logger) {\n return { debug: () => {}, info: () => {}, warn: () => {}, error: () => {} };\n }\n\n const base: Logger = logger;\n const log = typeof base.log === 'function' ? base.log.bind(base) : undefined;\n\n const debug = (typeof base.debug === 'function' ? base.debug.bind(base) : log);\n const info = (typeof base.info === 'function' ? base.info.bind(base) : log);\n const warn = (typeof base.warn === 'function' ? base.warn.bind(base) : log);\n const error = (typeof base.error === 'function' ? base.error.bind(base) : log);\n\n return {\n debug: safe(debug),\n info: safe(info),\n warn: safe(warn),\n error: safe(error),\n };\n}\n\n","import type { Logger, NormalizedLogger } from '../core/logger';\nimport { normalizeLogger } from '../core/logger';\n\nexport type RouterLogger = Logger;\nexport type NormalizedRouterLogger = NormalizedLogger;\nexport const normalizeRouterLogger = normalizeLogger;\n","import type { Request, Response, Router as ExpressRouter } from 'express';\nimport express from 'express';\nimport type { AuthService } from '../core/AuthService';\nimport { buildCorsOrigins } from '../core/SessionService';\nimport {\n handleApplyServerLock,\n handleRemoveServerLock,\n handleGetShamirKeyInfo,\n handleListGraceKeys,\n handleAddGraceKey,\n handleRemoveGraceKey,\n} from '../core/shamirHandlers';\nimport { parseRecoverEmailRequest } from '../email-recovery/emailParsers';\nimport type { DelegateActionPolicy } from '../delegateAction';\nimport type { RouterLogger } from './logger';\nimport { normalizeRouterLogger } from './logger';\n\nexport interface RelayRouterOptions {\n healthz?: boolean;\n readyz?: boolean;\n // Optional list(s) of CORS origins (CSV strings or literal origins).\n // Pass raw strings; the router normalizes/merges internally.\n corsOrigins?: Array<string \| undefined>;\n /\n Optional route for submitting NEP-461 SignedDelegate meta-transactions.\n \n - When omitted: disabled.\n * - When set: enabled at `route`.\n \n `policy` is server-controlled and is never read from the request body.\n /\n signedDelegate?: {\n route: string;\n policy?: DelegateActionPolicy;\n };\n sessionRoutes?: { auth?: string; logout?: string };\n session?: SessionAdapter \| null;\n // Optional logger; defaults to silent.\n logger?: RouterLogger \| null;\n}\n\nfunction normalizePath(path: string): string {\n const trimmed = String(path \|\| '').trim();\n if (!trimmed) return '';\n return trimmed.startsWith('/') ? trimmed : `/${trimmed}`;\n}\n\nfunction withCors(res: Response, opts?: RelayRouterOptions, req?: Request): void {\n if (!opts?.corsOrigins) return;\n\n let allowedOrigin: string \| '' \| undefined;\n const normalized = buildCorsOrigins(...(opts.corsOrigins \|\| []));\n if (normalized === '') {\n allowedOrigin = '';\n res.set('Access-Control-Allow-Origin', '');\n } else if (Array.isArray(normalized)) {\n const origin = String((req as any)?.headers?.origin \|\| '').trim();\n if (origin && normalized.includes(origin)) {\n allowedOrigin = origin;\n res.set('Access-Control-Allow-Origin', origin);\n res.set('Vary', 'Origin');\n }\n }\n\n res.set('Access-Control-Allow-Methods', 'GET,POST,OPTIONS');\n res.set('Access-Control-Allow-Headers', 'Content-Type,Authorization');\n // Only advertise credentials when we echo back a specific origin (not '')\n if (allowedOrigin && allowedOrigin !== '') {\n res.set('Access-Control-Allow-Credentials', 'true');\n }\n}\n\n// Minimal session adapter interface expected by the routers\nexport interface SessionAdapter {\n signJwt(sub: string, extra?: Record<string, unknown>): Promise<string>;\n parse(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: boolean; claims?: any } \| { ok: false }>;\n buildSetCookie(token: string): string;\n buildClearCookie(): string;\n refresh(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: boolean; jwt?: string; code?: string; message?: string }>;\n}\n\nexport function createRelayRouter(service: AuthService, opts: RelayRouterOptions = {}): ExpressRouter {\n const router = express.Router();\n const mePath = opts.sessionRoutes?.auth \|\| '/session/auth';\n const logoutPath = opts.sessionRoutes?.logout \|\| '/session/logout';\n const logger = normalizeRouterLogger(opts.logger);\n const signedDelegatePath = (() => {\n if (!opts.signedDelegate) return '';\n const raw = String(opts.signedDelegate.route \|\| '').trim();\n if (!raw) throw new Error('RelayRouterOptions.signedDelegate.route is required');\n return normalizePath(raw);\n })();\n const signedDelegatePolicy = opts.signedDelegate?.policy;\n\n // Optional CORS: implemented here to keep setup simple for example relayers.\n // If you prefer custom CORS middleware, omit `corsOrigins` and wire your own.\n router.use((req: Request, res: Response, next: any) => {\n withCors(res, opts, req);\n const method = String((req as any)?.method \|\| '').toUpperCase();\n if (opts.corsOrigins && method === 'OPTIONS') {\n res.status(204).send('');\n return;\n }\n next();\n });\n\n router.post(\n '/create_account_and_register_user',\n async (req: any, res: any) => {\n try {\n const {\n new_account_id,\n new_public_key,\n vrf_data,\n webauthn_registration,\n deterministic_vrf_public_key,\n authenticator_options\n } = req.body \|\| ({} as any);\n\n if (!new_account_id \|\| typeof new_account_id !== 'string') throw new Error('Missing or invalid new_account_id');\n if (!new_public_key \|\| typeof new_public_key !== 'string') throw new Error('Missing or invalid new_public_key');\n if (!vrf_data \|\| typeof vrf_data !== 'object') throw new Error('Missing or invalid vrf_data');\n if (!webauthn_registration \|\| typeof webauthn_registration !== 'object') throw new Error('Missing or invalid webauthn_registration');\n\n const result = await service.createAccountAndRegisterUser({\n new_account_id,\n new_public_key,\n vrf_data,\n webauthn_registration,\n deterministic_vrf_public_key,\n authenticator_options\n });\n\n if (result.success) res.status(200).json(result);\n else res.status(400).json(result);\n } catch (error: any) {\n res.status(500).json({ success: false, error: error?.message \|\| 'internal error' });\n }\n }\n );\n\n if (signedDelegatePath) {\n router.options(signedDelegatePath, (_req: any, res: any) => {\n res.sendStatus(204);\n });\n\n router.post(signedDelegatePath, async (req: any, res: any) => {\n try {\n const { hash, signedDelegate } = req.body \|\| {};\n if (typeof hash !== 'string' \|\| !hash \|\| !signedDelegate) {\n res.status(400).json({ ok: false, code: 'invalid_body', message: 'Expected { hash, signedDelegate }' });\n return;\n }\n\n const result = await service.executeSignedDelegate({\n hash,\n signedDelegate,\n policy: signedDelegatePolicy,\n });\n\n if (!result \|\| !result.ok) {\n res.status(400).json({\n ok: false,\n code: result?.code \|\| 'delegate_execution_failed',\n message: result?.error \|\| 'Failed to execute delegate action',\n });\n return;\n }\n\n res.status(200).json({\n ok: true,\n relayerTxHash: result.transactionHash \|\| null,\n status: 'submitted',\n outcome: result.outcome ?? null,\n });\n } catch (e: any) {\n res.status(500).json({\n ok: false,\n code: 'internal',\n message: e?.message \|\| 'Internal error while executing delegate action',\n });\n }\n });\n }\n\n router.post('/vrf/apply-server-lock', async (req: any, res: any) => {\n const shamir = service.shamirService;\n if (!shamir \|\| !shamir.hasShamir()) {\n return res.status(503).json({ error: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' });\n }\n try {\n const serverResponse = await handleApplyServerLock(shamir, { body: req.body });\n Object.entries(serverResponse.headers).forEach(([k, v]) => res.set(k, v as any));\n res.status(serverResponse.status);\n res.send(JSON.parse(serverResponse.body));\n } catch (e: any) {\n res.status(500).json({ error: 'internal', details: e?.message });\n }\n });\n\n router.post('/vrf/remove-server-lock', async (req: any, res: any) => {\n const shamir = service.shamirService;\n if (!shamir \|\| !shamir.hasShamir()) {\n return res.status(503).json({ error: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' });\n }\n try {\n const serverResponse = await handleRemoveServerLock(shamir, { body: req.body });\n Object.entries(serverResponse.headers).forEach(([k, v]) => res.set(k, v as any));\n res.status(serverResponse.status);\n res.send(JSON.parse(serverResponse.body));\n } catch (e: any) {\n res.status(500).json({ error: 'internal', details: e?.message });\n }\n });\n\n // VRF + WebAuthn session verification (VIEW call) + optional session issuance\n router.post('/verify-authentication-response', async (req: any, res: any) => {\n try {\n if (!req?.body) {\n res.status(400).json({ code: 'invalid_body', message: 'Request body is required' });\n return;\n }\n const body = req.body;\n const valid = body && body.vrf_data && body.webauthn_authentication;\n if (!valid) {\n res.status(400).json({ code: 'invalid_body', message: 'vrf_data and webauthn_authentication are required' });\n return;\n }\n const result = await service.verifyAuthenticationResponse(body);\n const status = result.success ? 200 : 400;\n if (status !== 200) {\n res.status(status).json({ code: 'not_verified', message: result.message \|\| 'Authentication verification failed' });\n return;\n }\n const sessionKind = ((body?.sessionKind \|\| body?.session_kind) === 'cookie') ? 'cookie' : 'jwt';\n const session = opts.session;\n if (session && result.verified) {\n try {\n const sub = String(body.vrf_data.user_id \|\| '');\n const token = await session.signJwt(sub, { rpId: body.vrf_data.rp_id, blockHeight: body.vrf_data.block_height });\n // Best-effort server log without sensitive data\n logger.info(`[relay] creating ${sessionKind === 'cookie' ? 'HttpOnly session' : 'JWT'} for`, sub);\n if (sessionKind === 'cookie') {\n res.set('Set-Cookie', session.buildSetCookie(token));\n const { jwt: _omit, ...rest } = result as any;\n res.status(200).json(rest);\n return;\n }\n res.status(200).json({ ...result, jwt: token });\n return;\n } catch (e: any) {\n // If session issuance fails, still return verification result\n }\n }\n res.status(200).json(result);\n } catch (e: any) {\n res.status(500).json({ code: 'internal', message: e?.message \|\| 'Internal error' });\n }\n });\n\n // Session: read current claims via bearer token or cookie\n router.get(mePath, async (req: any, res: any) => {\n try {\n const session = opts.session;\n if (!session) {\n res.status(501).json({ authenticated: false, code: 'sessions_disabled', message: 'Sessions are not configured' });\n return;\n }\n const parsed = await session.parse(req.headers \|\| {});\n if (!parsed.ok) {\n res.status(401).json({ authenticated: false, code: 'unauthorized', message: 'No valid session' });\n return;\n }\n res.status(200).json({ authenticated: true, claims: (parsed as any).claims });\n } catch (e: any) {\n res.status(500).json({ authenticated: false, code: 'internal', message: e?.message \|\| 'Internal error' });\n }\n });\n\n // Session: logout clears cookie (best-effort)\n router.post(logoutPath, async (_req: any, res: any) => {\n try {\n const session = opts.session;\n if (session) res.set('Set-Cookie', session.buildClearCookie());\n res.status(200).json({ success: true });\n } catch (e: any) {\n res.status(500).json({ success: false, error: 'internal', details: e?.message });\n }\n });\n\n // Session: refresh (sliding expiration)\n router.post('/session/refresh', async (req: any, res: any) => {\n try {\n const sessionKind = ((req.body \|\| {}).sessionKind === 'cookie') ? 'cookie' : ((req.body \|\| {}).session_kind === 'cookie' ? 'cookie' : 'jwt');\n const session = opts.session;\n if (!session) {\n res.status(501).json({ code: 'sessions_disabled', message: 'Sessions are not configured' });\n return;\n }\n const out = await session.refresh(req.headers \|\| {});\n if (!out.ok \|\| !out.jwt) {\n const code = out.code \|\| 'not_eligible';\n const message = out.message \|\| 'Refresh not eligible';\n res.status(code === 'unauthorized' ? 401 : 400).json({ code, message });\n return;\n }\n if (sessionKind === 'cookie') {\n res.set('Set-Cookie', session.buildSetCookie(out.jwt));\n res.status(200).json({ ok: true });\n } else {\n res.status(200).json({ ok: true, jwt: out.jwt });\n }\n } catch (e: any) {\n res.status(500).json({ code: 'internal', message: e?.message \|\| 'Internal error' });\n }\n });\n\n // Email recovery hook (DKIM/TEE flow):\n // Accept a ForwardableEmailPayload from the email worker and call the\n // per-user email-recoverer contract deployed on `accountId`.\n router.post('/recover-email', async (req: any, res: any) => {\n try {\n const prefer = String(req?.headers?.prefer \|\| '').toLowerCase();\n const respondAsync =\n prefer.includes('respond-async') \|\|\n String((req?.query as any)?.async \|\| '').trim() === '1' \|\|\n String((req?.query as any)?.respond_async \|\| '').trim() === '1';\n\n const parsed = parseRecoverEmailRequest(req.body as unknown, { headers: req.headers as any });\n if (!parsed.ok) {\n res.status(parsed.status).json({ code: parsed.code, message: parsed.message });\n return;\n }\n const { accountId, emailBlob, explicitMode } = parsed;\n\n if (!service.emailRecovery) {\n res.status(503).json({ code: 'email_recovery_unavailable', message: 'EmailRecoveryService is not configured on this server' });\n return;\n }\n\n if (respondAsync) {\n void service.emailRecovery\n .requestEmailRecovery({ accountId, emailBlob, explicitMode })\n .then((result) => {\n logger.info('[recover-email] async complete', {\n success: result?.success === true,\n accountId,\n error: result?.success ? undefined : result?.error,\n });\n })\n .catch((err: any) => {\n logger.error('[recover-email] async error', {\n accountId,\n error: err?.message \|\| String(err),\n });\n });\n\n res.status(202).json({ success: true, queued: true, accountId });\n return;\n }\n\n const result = await service.emailRecovery.requestEmailRecovery({ accountId, emailBlob, explicitMode });\n res.status(result.success ? 202 : 400).json(result);\n } catch (e: any) {\n res.status(500).json({ code: 'internal', message: e?.message \|\| 'Internal error' });\n }\n });\n\n router.get('/shamir/key-info', async (_req: any, res: any) => {\n const shamir = service.shamirService;\n if (!shamir \|\| !shamir.hasShamir()) {\n return res.status(503).json({ error: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' });\n }\n try {\n const serverResponse = await handleGetShamirKeyInfo(shamir);\n Object.entries(serverResponse.headers).forEach(([k, v]) => res.set(k, v as any));\n res.status(serverResponse.status);\n res.send(JSON.parse(serverResponse.body));\n } catch (e: any) {\n res.status(500).json({ error: 'internal', details: e?.message });\n }\n });\n\n if (opts.healthz) {\n router.get('/healthz', async (_req: Request, res: Response) => {\n const shamir = service.shamirService;\n const shamirConfigured = Boolean(shamir && shamir.hasShamir());\n let currentKeyId: string \| null = null;\n if (shamirConfigured && shamir) {\n try {\n const payload = JSON.parse((await handleGetShamirKeyInfo(shamir)).body) as { currentKeyId?: string };\n currentKeyId = payload.currentKeyId \|\| null;\n } catch {}\n }\n\n const proverBaseUrl = service.emailRecovery?.getZkEmailProverBaseUrl?.() ?? null;\n const zkEmailConfigured = Boolean(proverBaseUrl);\n\n res.status(200).json({\n ok: true,\n // Backwards-compatible field (was previously top-level).\n currentKeyId,\n shamir: { configured: shamirConfigured, currentKeyId },\n zkEmail: { configured: zkEmailConfigured, proverBaseUrl },\n });\n });\n }\n\n if (opts.readyz) {\n router.get('/readyz', async (_req: Request, res: Response) => {\n const shamir = service.shamirService;\n const shamirConfigured = Boolean(shamir && shamir.hasShamir());\n\n let shamirReady: boolean \| null = null;\n let shamirCurrentKeyId: string \| null = null;\n let shamirError: string \| undefined;\n if (shamirConfigured && shamir) {\n try {\n await shamir.ensureReady();\n shamirReady = true;\n const payload = JSON.parse((await handleGetShamirKeyInfo(shamir)).body) as { currentKeyId?: string };\n shamirCurrentKeyId = payload.currentKeyId \|\| null;\n } catch (e: any) {\n shamirReady = false;\n shamirError = e?.message \|\| String(e);\n }\n }\n\n const zk = service.emailRecovery\n ? await service.emailRecovery.checkZkEmailProverHealth()\n : { configured: false, baseUrl: null, healthy: null as boolean \| null };\n\n const ok =\n (shamirConfigured ? shamirReady === true : true) &&\n (zk.configured ? zk.healthy === true : true);\n\n res.status(ok ? 200 : 503).json({\n ok,\n shamir: {\n configured: shamirConfigured,\n ready: shamirConfigured ? shamirReady : null,\n currentKeyId: shamirCurrentKeyId,\n error: shamirError,\n },\n zkEmail: zk,\n });\n });\n }\n\n // ROR manifest for Related Origin Requests (wallet-scoped credentials)\n const wellKnownPaths = ['/.well-known/webauthn', '/.well-known/webauthn/'];\n for (const p of wellKnownPaths) {\n router.get(p, async (_req: Request, res: Response) => {\n try {\n const origins = await service.getRorOrigins();\n res.set('Content-Type', 'application/json; charset=utf-8');\n // Short TTL + SWR so updates propagate while staying cache-friendly\n res.set('Cache-Control', 'max-age=60, stale-while-revalidate=600');\n res.status(200).send(JSON.stringify({ origins }));\n } catch (e: any) {\n res.status(200).json({ origins: [] });\n }\n });\n }\n\n return router;\n}\n\nexport interface KeyRotationCronOptions {\n enabled?: boolean;\n intervalMinutes?: number;\n maxGraceKeys?: number;\n logger?: RouterLogger \| null;\n}\n\nexport function startKeyRotationCronjob(\n service: AuthService,\n opts: KeyRotationCronOptions = {},\n): { stop(): void } {\n const logger = normalizeRouterLogger(opts.logger);\n const enabled = Boolean(opts.enabled);\n const intervalMinutes = Math.max(1, Number(opts.intervalMinutes \|\| 0) \|\| 60);\n const maxGraceKeys = Math.max(0, Number(opts.maxGraceKeys ?? 0) \|\| 0);\n\n let timer: any = null;\n let inFlight = false;\n\n const run = async () => {\n if (!enabled) return;\n if (inFlight) {\n logger.warn('[key-rotation-cron] previous rotation still running; skipping');\n return;\n }\n inFlight = true;\n try {\n const shamir = service.shamirService;\n if (!shamir \|\| !shamir.hasShamir()) {\n logger.warn('[key-rotation-cron] Shamir not configured; skipping rotation');\n return;\n }\n\n const rotation = await shamir.rotateShamirServerKeypair();\n logger.info('[key-rotation-cron] rotated key', {\n newKeyId: rotation.newKeyId,\n previousKeyId: rotation.previousKeyId,\n graceKeyIds: rotation.graceKeyIds,\n });\n\n if (maxGraceKeys > 0) {\n const graceKeyIds = shamir.getGraceKeyIds();\n if (graceKeyIds.length > maxGraceKeys) {\n const toRemove = graceKeyIds.slice(0, graceKeyIds.length - maxGraceKeys);\n for (const keyId of toRemove) {\n try {\n const removed = await shamir.removeGraceKeyInternal(keyId, { persist: true });\n logger.info('[key-rotation-cron] pruned grace key', { keyId, removed });\n } catch (e: any) {\n logger.warn('[key-rotation-cron] failed to prune grace key', { keyId, error: e?.message \|\| String(e) });\n }\n }\n }\n }\n } catch (e: any) {\n logger.error('[key-rotation-cron] rotation failed', { error: e?.message \|\| String(e) });\n } finally {\n inFlight = false;\n }\n };\n\n if (enabled) {\n timer = setInterval(() => { void run(); }, intervalMinutes 60_000);\n }\n\n return {\n stop() {\n if (timer) clearInterval(timer);\n timer = null;\n },\n };\n}\n"],"mappings":";;;AAkKA,SAAgB,aAAa,OAA0B;CACrD,MAAM,sBAAM,IAAI;AAChB,MAAK,MAAM,OAAO,OAAO,SAAS,IAAI,MAAM,MAAM;EAChD,MAAM,IAAI,IAAI;AACd,MAAI,CAAC,EAAG;AACR,MAAI;GACF,MAAM,IAAI,IAAI,IAAI;GAClB,MAAM,OAAO,EAAE,SAAS;GACxB,MAAM,OAAO,EAAE,OAAO,IAAI,EAAE,SAAS;GACrC,MAAM,QAAQ,EAAE,aAAa,WAAW,EAAE,aAAa,WAAW,EAAE,WAAW;AAC/E,OAAI,IAAI,GAAG,MAAM,IAAI,OAAO;UACtB;GACN,MAAM,WAAW,EAAE,QAAQ,OAAO;AAClC,OAAI,SAAU,KAAI,IAAI;;;AAG1B,QAAO,MAAM,KAAK;;AAMpB,SAAgB,iBAAiB,GAAG,QAAmD;CACrF,MAAM,yBAAS,IAAI;AACnB,MAAK,MAAM,SAAS,OAClB,MAAK,MAAM,UAAU,aAAa,OAAQ,QAAO,IAAI;CAEvD,MAAM,OAAO,MAAM,KAAK;AACxB,QAAO,KAAK,SAAS,IAAI,OAAO;;;;;ACxLlC,SAAgB,SAAS,GAAyB;AAChD,QAAO,OAAO,MAAM;;;;;ACEtB,eAAsB,sBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,aAAa,QAAQ,MAAM;AACjC,MAAI,CAAC,SAAS,eAAe,CAAC,WAC5B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAMA,MAAqC,MAAM,QAAQ,gBAAgB;EACzE,MAAM,QAAQ,QAAQ;AAEtB,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,GAAG;IAAK;;;UAE1BC,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,KACH,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAGlC,MAAM,EAAE,aAAa,UAAU;AAC/B,MAAI,CAAC,SAAS,gBAAgB,CAAC,YAC7B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAGlC,MAAI,CAAC,SAAS,UAAU,CAAC,MACvB,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAM,gBAAgB,OAAO;EAC7B,MAAM,eAAe,QAAQ;EAC7B,IAAIC;AAEJ,MAAI,gBAAgB,kBAAkB,aACpC,OAAM,MAAM,QAAQ,iBAAiB;WAC5B,QAAQ,YAAY,eAC7B,OAAM,MAAM,QAAQ,6BAA6B,eAAe,EAAE;MAElE,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAIlC,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;;UAEhBD,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SAC4E;AAC5E,KAAI;AACF,QAAM,QAAQ;EACd,MAAM,eAAe,QAAQ;EAC7B,MAAM,cAAc,QAAQ;AAE5B,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IACnB;IACA,QAAQ,QAAQ,mBAAmB,iBAAiB;IACpD;;;UAGGA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;;;;ACnD5D,SAAgB,iCAAiC,OAAuC;AACtF,KAAI,CAAC,SAAS,OAAO,UAAU,SAC7B,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;CAGtD,MAAM,OAAO;CACb,MAAM,EAAE,MAAM,IAAI,SAAS,KAAK,YAAY;AAE5C,KAAI,CAAC,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,OAAO,OAAO,SAC5D,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;AAGtD,KAAI,CAAC,WAAW,OAAO,YAAY,SACjC,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;CAGtD,MAAME,oBAA4C;AAClD,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,SAClC,mBAAkB,OAAO,GAAG,iBAAiB,OAAO;AAGtD,QAAO;EACL,IAAI;EACJ,SAAS;GACP;GACA;GACA,SAAS;GACT,KAAK,OAAO,QAAQ,WAAW,MAAM;GACrC,SAAS,OAAO,YAAY,WAAW,UAAU;;;;;;;;;;;;AAavD,SAAgB,0BAA0B,KAA+C;AACvF,KAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;CAI5C,IAAI,cAAc;CAClB,MAAM,QAAQ,IAAI,MAAM;CACxB,MAAM,cAAc,MAAM,MAAK,SAAQ,aAAa,KAAK;AACzD,KAAI,aAAa;EACf,MAAM,MAAM,YAAY,QAAQ;EAChC,MAAM,UAAU,OAAO,IAAI,YAAY,MAAM,MAAM,KAAK;AACxD,gBAAc,QAAQ;OAEtB,eAAc,IAAI;AAGpB,KAAI,CAAC,YAAa,QAAO;AAGzB,eAAc,YAAY,QAAQ,kBAAkB,IAAI;AACxD,KAAI,CAAC,YAAa,QAAO;CAGzB,MAAM,QAAQ,YAAY,MACxB;AAEF,KAAI,QAAQ,GACV,QAAO,MAAM;AAGf,QAAO;;;;;AC3FT,SAAS,UAAU,SAAsB,MAAkC;AACzE,KAAI,CAAC,QAAS,QAAO;CAErB,MAAM,eAAe;AACrB,KAAI,OAAO,aAAa,QAAQ,YAAY;EAC1C,MAAMC,MAAI,aAAa,IAAI;AAC3B,SAAQ,OAAOA,QAAM,WAAYA,MAAI;;CAGvC,MAAM,SAAS;CACf,MAAM,IAAI,OAAO,KAAK,kBAAkB,OAAO;AAC/C,KAAI,MAAM,QAAQ,GAAI,QAAQ,OAAO,EAAE,OAAO,WAAY,EAAE,KAAK;AACjE,QAAQ,OAAO,MAAM,WAAY,IAAI;;AAGvC,SAAS,kBAAkB,MAAe,SAA2C;CACnF,MAAM,gBACH,OAAQ,MAAc,iBAAiB,WAAW,OAAQ,KAAa,gBAAgB,QACvF,OAAQ,MAAc,kBAAkB,WAAW,OAAQ,KAAa,iBAAiB;CAC5F,MAAM,iBAAiB,UAAU,SAAS,4BAA4B,UAAU,SAAS,sBAAsB;CAC/G,MAAM,OAAO,gBAAgB,gBAAgB;AAC7C,QAAO,MAAM,MAAM;;AAGrB,SAAgB,yBAAyB,MAAe,OAAkC,IAA6B;CACrH,MAAM,eAAe,kBAAkB,MAAM,KAAK;CAElD,MAAM,aAAa,iCAAiC;AACpD,KAAI,CAAC,WAAW,GACd,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM,WAAW;EAAM,SAAS,WAAW;;CAG9E,MAAM,UAAU,WAAW;CAC3B,MAAM,YAAY,QAAQ,OAAO;CACjC,MAAM,eAAe,QAAQ,WAAW;CAExC,MAAM,gBAAgB,aAAa;CACnC,MAAM,kBAAkB,0BAA0B,iBAAiB;CACnE,MAAM,kBAAkB,OAAO,aAAa,wBAAwB,aAAa,mBAAmB,IAAI;CACxG,MAAM,aAAa,mBAAmB,mBAAmB,IAAI;AAE7D,KAAI,CAAC,UACH,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM;EAAmB,SAAS;;AAErE,KAAI,CAAC,UACH,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM;EAAiB,SAAS;;AAGnE,QAAO;EAAE,IAAI;EAAM;EAAW;EAAW;;;;;;AClF3C,SAAS,KAAK,IAAiE;AAC7E,KAAI,CAAC,GAAI,cAAa;AACtB,SAAQ,GAAG,SAAoB;AAC7B,MAAI;AACF,MAAG,GAAG;UACA;;;;;;;;AAWZ,SAAgB,gBAAgB,QAA0C;AACxE,KAAI,CAAC,OACH,QAAO;EAAE,aAAa;EAAI,YAAY;EAAI,YAAY;EAAI,aAAa;;CAGzE,MAAMC,OAAe;CACrB,MAAM,MAAM,OAAO,KAAK,QAAQ,aAAa,KAAK,IAAI,KAAK,QAAQ;CAEnE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;CAC1E,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;AAE1E,QAAO;EACL,OAAO,KAAK;EACZ,MAAM,KAAK;EACX,MAAM,KAAK;EACX,OAAO,KAAK;;;;;;AC3ChB,MAAa,wBAAwB;;;;ACoCrC,SAAS,cAAc,MAAsB;CAC3C,MAAM,UAAU,OAAO,QAAQ,IAAI;AACnC,KAAI,CAAC,QAAS,QAAO;AACrB,QAAO,QAAQ,WAAW,OAAO,UAAU,IAAI;;AAGjD,SAAS,SAAS,KAAe,MAA2B,KAAqB;AAC/E,KAAI,CAAC,MAAM,YAAa;CAExB,IAAIC;CACJ,MAAM,aAAa,iBAAiB,GAAI,KAAK,eAAe;AAC5D,KAAI,eAAe,KAAK;AACtB,kBAAgB;AAChB,MAAI,IAAI,+BAA+B;YAC9B,MAAM,QAAQ,aAAa;EACpC,MAAM,SAAS,OAAQ,KAAa,SAAS,UAAU,IAAI;AAC3D,MAAI,UAAU,WAAW,SAAS,SAAS;AACzC,mBAAgB;AAChB,OAAI,IAAI,+BAA+B;AACvC,OAAI,IAAI,QAAQ;;;AAIpB,KAAI,IAAI,gCAAgC;AACxC,KAAI,IAAI,gCAAgC;AAExC,KAAI,iBAAiB,kBAAkB,IACrC,KAAI,IAAI,oCAAoC;;AAahD,SAAgB,kBAAkB,SAAsB,OAA2B,IAAmB;CACpG,MAAM,SAAS,QAAQ;CACvB,MAAM,SAAS,KAAK,eAAe,QAAQ;CAC3C,MAAM,aAAa,KAAK,eAAe,UAAU;CACjD,MAAM,SAAS,sBAAsB,KAAK;CAC1C,MAAM,4BAA4B;AAChC,MAAI,CAAC,KAAK,eAAgB,QAAO;EACjC,MAAM,MAAM,OAAO,KAAK,eAAe,SAAS,IAAI;AACpD,MAAI,CAAC,IAAK,OAAM,IAAI,MAAM;AAC1B,SAAO,cAAc;;CAEvB,MAAM,uBAAuB,KAAK,gBAAgB;AAIlD,QAAO,KAAK,KAAc,KAAe,SAAc;AACrD,WAAS,KAAK,MAAM;EACpB,MAAM,SAAS,OAAQ,KAAa,UAAU,IAAI;AAClD,MAAI,KAAK,eAAe,WAAW,WAAW;AAC5C,OAAI,OAAO,KAAK,KAAK;AACrB;;AAEF;;AAGF,QAAO,KACL,qCACA,OAAO,KAAU,QAAa;AAC5B,MAAI;GACF,MAAM,EACJ,gBACA,gBACA,UACA,uBACA,8BACA,0BACE,IAAI,QAAS;AAEjB,OAAI,CAAC,kBAAkB,OAAO,mBAAmB,SAAU,OAAM,IAAI,MAAM;AAC3E,OAAI,CAAC,kBAAkB,OAAO,mBAAmB,SAAU,OAAM,IAAI,MAAM;AAC3E,OAAI,CAAC,YAAY,OAAO,aAAa,SAAU,OAAM,IAAI,MAAM;AAC/D,OAAI,CAAC,yBAAyB,OAAO,0BAA0B,SAAU,OAAM,IAAI,MAAM;GAEzF,MAAM,SAAS,MAAM,QAAQ,6BAA6B;IACxD;IACA;IACA;IACA;IACA;IACA;;AAGF,OAAI,OAAO,QAAS,KAAI,OAAO,KAAK,KAAK;OACpC,KAAI,OAAO,KAAK,KAAK;WACnBC,OAAY;AACnB,OAAI,OAAO,KAAK,KAAK;IAAE,SAAS;IAAO,OAAO,OAAO,WAAW;;;;AAKtE,KAAI,oBAAoB;AACtB,SAAO,QAAQ,qBAAqB,MAAW,QAAa;AAC1D,OAAI,WAAW;;AAGjB,SAAO,KAAK,oBAAoB,OAAO,KAAU,QAAa;AAC5D,OAAI;IACF,MAAM,EAAE,MAAM,mBAAmB,IAAI,QAAQ;AAC7C,QAAI,OAAO,SAAS,YAAY,CAAC,QAAQ,CAAC,gBAAgB;AACxD,SAAI,OAAO,KAAK,KAAK;MAAE,IAAI;MAAO,MAAM;MAAgB,SAAS;;AACjE;;IAGF,MAAM,SAAS,MAAM,QAAQ,sBAAsB;KACjD;KACA;KACA,QAAQ;;AAGV,QAAI,CAAC,UAAU,CAAC,OAAO,IAAI;AACzB,SAAI,OAAO,KAAK,KAAK;MACnB,IAAI;MACJ,MAAM,QAAQ,QAAQ;MACtB,SAAS,QAAQ,SAAS;;AAE5B;;AAGF,QAAI,OAAO,KAAK,KAAK;KACnB,IAAI;KACJ,eAAe,OAAO,mBAAmB;KACzC,QAAQ;KACR,SAAS,OAAO,WAAW;;YAEtBC,GAAQ;AACf,QAAI,OAAO,KAAK,KAAK;KACnB,IAAI;KACJ,MAAM;KACN,SAAS,GAAG,WAAW;;;;;AAM/B,QAAO,KAAK,0BAA0B,OAAO,KAAU,QAAa;EAClE,MAAM,SAAS,QAAQ;AACvB,MAAI,CAAC,UAAU,CAAC,OAAO,YACrB,QAAO,IAAI,OAAO,KAAK,KAAK;GAAE,OAAO;GAAmB,SAAS;;AAEnE,MAAI;GACF,MAAM,iBAAiB,MAAM,sBAAsB,QAAQ,EAAE,MAAM,IAAI;AACvE,UAAO,QAAQ,eAAe,SAAS,SAAS,CAAC,GAAG,OAAO,IAAI,IAAI,GAAG;AACtE,OAAI,OAAO,eAAe;AAC1B,OAAI,KAAK,KAAK,MAAM,eAAe;WAC5BA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,OAAO;IAAY,SAAS,GAAG;;;;AAI1D,QAAO,KAAK,2BAA2B,OAAO,KAAU,QAAa;EACnE,MAAM,SAAS,QAAQ;AACvB,MAAI,CAAC,UAAU,CAAC,OAAO,YACrB,QAAO,IAAI,OAAO,KAAK,KAAK;GAAE,OAAO;GAAmB,SAAS;;AAEnE,MAAI;GACF,MAAM,iBAAiB,MAAM,uBAAuB,QAAQ,EAAE,MAAM,IAAI;AACxE,UAAO,QAAQ,eAAe,SAAS,SAAS,CAAC,GAAG,OAAO,IAAI,IAAI,GAAG;AACtE,OAAI,OAAO,eAAe;AAC1B,OAAI,KAAK,KAAK,MAAM,eAAe;WAC5BA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,OAAO;IAAY,SAAS,GAAG;;;;AAK1D,QAAO,KAAK,mCAAmC,OAAO,KAAU,QAAa;AAC3E,MAAI;AACF,OAAI,CAAC,KAAK,MAAM;AACd,QAAI,OAAO,KAAK,KAAK;KAAE,MAAM;KAAgB,SAAS;;AACtD;;GAEF,MAAM,OAAO,IAAI;GACjB,MAAM,QAAQ,QAAQ,KAAK,YAAY,KAAK;AAC5C,OAAI,CAAC,OAAO;AACV,QAAI,OAAO,KAAK,KAAK;KAAE,MAAM;KAAgB,SAAS;;AACtD;;GAEF,MAAM,SAAS,MAAM,QAAQ,6BAA6B;GAC1D,MAAM,SAAS,OAAO,UAAU,MAAM;AACtC,OAAI,WAAW,KAAK;AAClB,QAAI,OAAO,QAAQ,KAAK;KAAE,MAAM;KAAgB,SAAS,OAAO,WAAW;;AAC3E;;GAEF,MAAM,eAAgB,MAAM,eAAe,MAAM,kBAAkB,WAAY,WAAW;GAC1F,MAAM,UAAU,KAAK;AACrB,OAAI,WAAW,OAAO,SACpB,KAAI;IACF,MAAM,MAAM,OAAO,KAAK,SAAS,WAAW;IAC5C,MAAM,QAAQ,MAAM,QAAQ,QAAQ,KAAK;KAAE,MAAM,KAAK,SAAS;KAAO,aAAa,KAAK,SAAS;;AAEjG,WAAO,KAAK,oBAAoB,gBAAgB,WAAW,qBAAqB,MAAM,OAAO;AAC7F,QAAI,gBAAgB,UAAU;AAC5B,SAAI,IAAI,cAAc,QAAQ,eAAe;KAC7C,MAAM,EAAE,KAAK,MAAO,GAAG,SAAS;AAChC,SAAI,OAAO,KAAK,KAAK;AACrB;;AAEF,QAAI,OAAO,KAAK,KAAK;KAAE,GAAG;KAAQ,KAAK;;AACvC;YACOA,GAAQ;AAInB,OAAI,OAAO,KAAK,KAAK;WACdA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,MAAM;IAAY,SAAS,GAAG,WAAW;;;;AAKpE,QAAO,IAAI,QAAQ,OAAO,KAAU,QAAa;AAC/C,MAAI;GACF,MAAM,UAAU,KAAK;AACrB,OAAI,CAAC,SAAS;AACZ,QAAI,OAAO,KAAK,KAAK;KAAE,eAAe;KAAO,MAAM;KAAqB,SAAS;;AACjF;;GAEF,MAAM,SAAS,MAAM,QAAQ,MAAM,IAAI,WAAW;AAClD,OAAI,CAAC,OAAO,IAAI;AACd,QAAI,OAAO,KAAK,KAAK;KAAE,eAAe;KAAO,MAAM;KAAgB,SAAS;;AAC5E;;AAEF,OAAI,OAAO,KAAK,KAAK;IAAE,eAAe;IAAM,QAAS,OAAe;;WAC7DA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,eAAe;IAAO,MAAM;IAAY,SAAS,GAAG,WAAW;;;;AAK1F,QAAO,KAAK,YAAY,OAAO,MAAW,QAAa;AACrD,MAAI;GACF,MAAM,UAAU,KAAK;AACrB,OAAI,QAAS,KAAI,IAAI,cAAc,QAAQ;AAC3C,OAAI,OAAO,KAAK,KAAK,EAAE,SAAS;WACzBA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,SAAS;IAAO,OAAO;IAAY,SAAS,GAAG;;;;AAK1E,QAAO,KAAK,oBAAoB,OAAO,KAAU,QAAa;AAC5D,MAAI;GACF,MAAM,eAAgB,IAAI,QAAQ,IAAI,gBAAgB,WAAY,YAAa,IAAI,QAAQ,IAAI,iBAAiB,WAAW,WAAW;GACtI,MAAM,UAAU,KAAK;AACrB,OAAI,CAAC,SAAS;AACZ,QAAI,OAAO,KAAK,KAAK;KAAE,MAAM;KAAqB,SAAS;;AAC3D;;GAEF,MAAM,MAAM,MAAM,QAAQ,QAAQ,IAAI,WAAW;AACjD,OAAI,CAAC,IAAI,MAAM,CAAC,IAAI,KAAK;IACvB,MAAM,OAAO,IAAI,QAAQ;IACzB,MAAM,UAAU,IAAI,WAAW;AAC/B,QAAI,OAAO,SAAS,iBAAiB,MAAM,KAAK,KAAK;KAAE;KAAM;;AAC7D;;AAEF,OAAI,gBAAgB,UAAU;AAC5B,QAAI,IAAI,cAAc,QAAQ,eAAe,IAAI;AACjD,QAAI,OAAO,KAAK,KAAK,EAAE,IAAI;SAE3B,KAAI,OAAO,KAAK,KAAK;IAAE,IAAI;IAAM,KAAK,IAAI;;WAErCA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,MAAM;IAAY,SAAS,GAAG,WAAW;;;;AAOpE,QAAO,KAAK,kBAAkB,OAAO,KAAU,QAAa;AAC1D,MAAI;GACF,MAAM,SAAS,OAAO,KAAK,SAAS,UAAU,IAAI;GAClD,MAAM,eACJ,OAAO,SAAS,oBAChB,QAAQ,KAAK,QAAe,SAAS,IAAI,WAAW,OACpD,QAAQ,KAAK,QAAe,iBAAiB,IAAI,WAAW;GAE9D,MAAM,SAAS,yBAAyB,IAAI,MAAiB,EAAE,SAAS,IAAI;AAC5E,OAAI,CAAC,OAAO,IAAI;AACd,QAAI,OAAO,OAAO,QAAQ,KAAK;KAAE,MAAM,OAAO;KAAM,SAAS,OAAO;;AACpE;;GAEF,MAAM,EAAE,WAAW,WAAW,iBAAiB;AAE/C,OAAI,CAAC,QAAQ,eAAe;AAC1B,QAAI,OAAO,KAAK,KAAK;KAAE,MAAM;KAA8B,SAAS;;AACpE;;AAGF,OAAI,cAAc;AAChB,IAAK,QAAQ,cACV,qBAAqB;KAAE;KAAW;KAAW;OAC7C,MAAM,aAAW;AAChB,YAAO,KAAK,kCAAkC;MAC5C,SAASC,UAAQ,YAAY;MAC7B;MACA,OAAOA,UAAQ,UAAU,SAAYA,UAAQ;;OAGhD,OAAO,QAAa;AACnB,YAAO,MAAM,+BAA+B;MAC1C;MACA,OAAO,KAAK,WAAW,OAAO;;;AAIpC,QAAI,OAAO,KAAK,KAAK;KAAE,SAAS;KAAM,QAAQ;KAAM;;AACpD;;GAGF,MAAM,SAAS,MAAM,QAAQ,cAAc,qBAAqB;IAAE;IAAW;IAAW;;AACxF,OAAI,OAAO,OAAO,UAAU,MAAM,KAAK,KAAK;WACrCD,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,MAAM;IAAY,SAAS,GAAG,WAAW;;;;AAIpE,QAAO,IAAI,oBAAoB,OAAO,MAAW,QAAa;EAC5D,MAAM,SAAS,QAAQ;AACvB,MAAI,CAAC,UAAU,CAAC,OAAO,YACrB,QAAO,IAAI,OAAO,KAAK,KAAK;GAAE,OAAO;GAAmB,SAAS;;AAEnE,MAAI;GACF,MAAM,iBAAiB,MAAM,uBAAuB;AACpD,UAAO,QAAQ,eAAe,SAAS,SAAS,CAAC,GAAG,OAAO,IAAI,IAAI,GAAG;AACtE,OAAI,OAAO,eAAe;AAC1B,OAAI,KAAK,KAAK,MAAM,eAAe;WAC5BA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,OAAO;IAAY,SAAS,GAAG;;;;AAI1D,KAAI,KAAK,QACP,QAAO,IAAI,YAAY,OAAO,MAAe,QAAkB;EAC7D,MAAM,SAAS,QAAQ;EACvB,MAAM,mBAAmB,QAAQ,UAAU,OAAO;EAClD,IAAIE,eAA8B;AAClC,MAAI,oBAAoB,OACtB,KAAI;GACF,MAAM,UAAU,KAAK,OAAO,MAAM,uBAAuB,SAAS;AAClE,kBAAe,QAAQ,gBAAgB;UACjC;EAGV,MAAM,gBAAgB,QAAQ,eAAe,+BAA+B;EAC5E,MAAM,oBAAoB,QAAQ;AAElC,MAAI,OAAO,KAAK,KAAK;GACnB,IAAI;GAEJ;GACA,QAAQ;IAAE,YAAY;IAAkB;;GACxC,SAAS;IAAE,YAAY;IAAmB;;;;AAKhD,KAAI,KAAK,OACP,QAAO,IAAI,WAAW,OAAO,MAAe,QAAkB;EAC5D,MAAM,SAAS,QAAQ;EACvB,MAAM,mBAAmB,QAAQ,UAAU,OAAO;EAElD,IAAIC,cAA8B;EAClC,IAAIC,qBAAoC;EACxC,IAAIC;AACJ,MAAI,oBAAoB,OACtB,KAAI;AACF,SAAM,OAAO;AACb,iBAAc;GACd,MAAM,UAAU,KAAK,OAAO,MAAM,uBAAuB,SAAS;AAClE,wBAAqB,QAAQ,gBAAgB;WACtCL,GAAQ;AACf,iBAAc;AACd,iBAAc,GAAG,WAAW,OAAO;;EAIvC,MAAM,KAAK,QAAQ,gBACf,MAAM,QAAQ,cAAc,6BAC5B;GAAE,YAAY;GAAO,SAAS;GAAM,SAAS;;EAEjD,MAAM,MACH,mBAAmB,gBAAgB,OAAO,UAC1C,GAAG,aAAa,GAAG,YAAY,OAAO;AAEzC,MAAI,OAAO,KAAK,MAAM,KAAK,KAAK;GAC9B;GACA,QAAQ;IACN,YAAY;IACZ,OAAO,mBAAmB,cAAc;IACxC,cAAc;IACd,OAAO;;GAET,SAAS;;;CAMf,MAAM,iBAAiB,CAAC,yBAAyB;AACjD,MAAK,MAAM,KAAK,eACd,QAAO,IAAI,GAAG,OAAO,MAAe,QAAkB;AACpD,MAAI;GACF,MAAM,UAAU,MAAM,QAAQ;AAC9B,OAAI,IAAI,gBAAgB;AAExB,OAAI,IAAI,iBAAiB;AACzB,OAAI,OAAO,KAAK,KAAK,KAAK,UAAU,EAAE;WAC/BA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK,EAAE,SAAS;;;AAKtC,QAAO;;AAUT,SAAgB,wBACd,SACA,OAA+B,IACb;CAClB,MAAM,SAAS,sBAAsB,KAAK;CAC1C,MAAM,UAAU,QAAQ,KAAK;CAC7B,MAAM,kBAAkB,KAAK,IAAI,GAAG,OAAO,KAAK,mBAAmB,MAAM;CACzE,MAAM,eAAe,KAAK,IAAI,GAAG,OAAO,KAAK,gBAAgB,MAAM;CAEnE,IAAIM,QAAa;CACjB,IAAI,WAAW;CAEf,MAAM,MAAM,YAAY;AACtB,MAAI,CAAC,QAAS;AACd,MAAI,UAAU;AACZ,UAAO,KAAK;AACZ;;AAEF,aAAW;AACX,MAAI;GACF,MAAM,SAAS,QAAQ;AACvB,OAAI,CAAC,UAAU,CAAC,OAAO,aAAa;AAClC,WAAO,KAAK;AACZ;;GAGF,MAAM,WAAW,MAAM,OAAO;AAC9B,UAAO,KAAK,mCAAmC;IAC7C,UAAU,SAAS;IACnB,eAAe,SAAS;IACxB,aAAa,SAAS;;AAGxB,OAAI,eAAe,GAAG;IACpB,MAAM,cAAc,OAAO;AAC3B,QAAI,YAAY,SAAS,cAAc;KACrC,MAAM,WAAW,YAAY,MAAM,GAAG,YAAY,SAAS;AAC3D,UAAK,MAAM,SAAS,SAClB,KAAI;MACF,MAAM,UAAU,MAAM,OAAO,uBAAuB,OAAO,EAAE,SAAS;AACtE,aAAO,KAAK,wCAAwC;OAAE;OAAO;;cACtDN,GAAQ;AACf,aAAO,KAAK,iDAAiD;OAAE;OAAO,OAAO,GAAG,WAAW,OAAO;;;;;WAKnGA,GAAQ;AACf,UAAO,MAAM,uCAAuC,EAAE,OAAO,GAAG,WAAW,OAAO;YAC1E;AACR,cAAW;;;AAIf,KAAI,QACF,SAAQ,kBAAkB;AAAE,EAAK;IAAU,kBAAkB;AAG/D,QAAO,EACL,OAAO;AACL,MAAI,MAAO,eAAc;AACzB,UAAQ"}
1	+ {"version":3,"file":"express.js","names":["base: Logger","allowedOrigin: string \| '' \| undefined","thresholdKeygen:\n \| (Awaited<ReturnType<NonNullable<typeof threshold>['keygenFromClientVerifyingShareForRegistration']>> & { ok: true })\n \| null","thresholdWarning: string \| null","response: CreateAccountAndRegisterResult","e: unknown","error: unknown","out: ShamirApplyServerLockResponse","e: any","out: ShamirRemoveServerLockResponse","currentKeyId: string \| null","shamirReady: boolean \| null","shamirCurrentKeyId: string \| null","shamirError: string \| undefined","e: any","normalizedHeaders: Record<string, string>","v","result","e: any","e: any","e: any","e: any","e: unknown","e: any","e: any","effectiveOpts: RelayRouterOptions","ctx: ExpressRelayContext","timer: any","e: any"],"sources":["../../../../src/utils/validation.ts","../../../../src/server/core/logger.ts","../../../../src/server/router/logger.ts","../../../../src/server/core/SessionService.ts","../../../../src/server/router/express/cors.ts","../../../../src/server/router/express/routes/createAccountAndRegisterUser.ts","../../../../src/server/core/shamirHandlers.ts","../../../../src/server/router/express/routes/health.ts","../../../../src/server/email-recovery/zkEmail/index.ts","../../../../src/server/email-recovery/emailParsers.ts","../../../../src/server/router/express/routes/recoverEmail.ts","../../../../src/server/router/relay.ts","../../../../src/server/router/express/routes/sessions.ts","../../../../src/server/router/express/routes/shamir.ts","../../../../src/server/router/express/routes/signedDelegate.ts","../../../../src/server/threshold/statusCodes.ts","../../../../src/server/core/ThresholdService/validation.ts","../../../../src/server/router/commonRouterUtils.ts","../../../../src/server/router/express/routes/thresholdEd25519.ts","../../../../src/server/router/express/routes/verifyAuthenticationResponse.ts","../../../../src/server/router/express/routes/wellKnown.ts","../../../../src/server/router/routerOptions.ts","../../../../src/server/router/express/createRelayRouter.ts","../../../../src/server/router/express/cron.ts"],"sourcesContent":["\nexport interface ValidationResult {\n valid: boolean;\n error?: string;\n}\n\n// ==============================\n// Normalization helpers (shared)\n// ==============================\n\n/* Strict string coercion: returns the value only when it's already a string. /\nexport function toOptionalString(value: unknown): string {\n return typeof value === 'string' ? value : '';\n}\n\n/* Strict string coercion + trimming. /\nexport function toOptionalTrimmedString(value: unknown): string {\n return toOptionalString(value).trim();\n}\n\n/* String coercion + trimming (useful at IO boundaries). /\nexport function toTrimmedString(value: unknown): string {\n return String(value ?? '').trim();\n}\n\n/* Remove trailing `/` characters (e.g. base URL normalization). /\nexport function stripTrailingSlashes(value: string): string {\n return String(value ?? '').replace(/\\/+$/, '');\n}\n\n/* Ensure a non-empty string starts with `/` (path normalization). /\nexport function ensureLeadingSlash(value: string): string {\n const trimmed = String(value ?? '').trim();\n if (!trimmed) return '';\n return trimmed.startsWith('/') ? trimmed : `/${trimmed}`;\n}\n\n/* Normalize an app base path like `/sdk` (leading slash, no trailing slashes except `/`). /\nexport function toBasePath(value?: string, fallback = '/sdk'): string {\n const base = ensureLeadingSlash(typeof value === 'string' ? value : fallback) \|\| ensureLeadingSlash(fallback) \|\| '/';\n if (base === '/') return '/';\n return base.replace(/\\/+$/, '');\n}\n\n/* Best-effort origin normalization (used by CSP/Permissions-Policy helpers). /\nexport function toOriginOrUndefined(input?: string): string \| undefined {\n try {\n const v = (input \|\| '').trim();\n if (!v) return undefined;\n // Next/Caddy/etc. expect an origin, not a path\n return new URL(v, 'http://dummy').origin === 'http://dummy' ? new URL(v).origin : v;\n } catch {\n return input?.trim() \|\| undefined;\n }\n}\n\n/\n Strict origin sanitizer for Related Origin Requests (ROR).\n * - Allows `https://<host>[:port]` and `http://localhost[:port]` only.\n * - Rejects paths (except `/`), queries, and hashes.\n * - Normalizes hostname casing.\n /\nexport function toRorOriginOrNull(value: unknown): string \| null {\n if (typeof value !== 'string') return null;\n const raw = toTrimmedString(value);\n if (!raw) return null;\n try {\n const u = new URL(raw);\n const scheme = u.protocol;\n const host = u.hostname.toLowerCase();\n const port = u.port ? `:${u.port}` : '';\n const isHttps = scheme === 'https:';\n const isLocalhostHttp = scheme === 'http:' && host === 'localhost';\n if (!isHttps && !isLocalhostHttp) return null;\n if ((u.pathname && u.pathname !== '/') \|\| u.search \|\| u.hash) return null;\n return `${scheme}//${host}${port}`;\n } catch {\n return null;\n }\n}\n\n/* Collapse a string into a single line by normalizing whitespace. /\nexport function toSingleLine(value: unknown): string {\n return String(value ?? '')\n .replace(/[\\r\\n]+/g, ' ')\n .replace(/\\s+/g, ' ')\n .trim();\n}\n\n/\n Ensure a key string has the NEAR Ed25519 prefix (`ed25519:`).\n \n - Accepts either `ed25519:<base58>` or a bare `<base58>` string.\n * - Canonicalizes `ED25519:` → `ed25519:`.\n * - If a different prefix is present (e.g. `secp256k1:`), returns the input unchanged.\n /\nexport function ensureEd25519Prefix(value: string): string {\n const raw = String(value ?? '').trim();\n if (!raw) return '';\n\n if (/^[a-z0-9_]+:/i.test(raw)) {\n if (/^ed25519:/i.test(raw)) {\n return `ed25519:${raw.replace(/^ed25519:/i, '')}`;\n }\n return raw;\n }\n\n return `ed25519:${raw}`;\n}\n\nexport interface NearAccountValidationOptions {\n /* Restrict to specific suffixes (e.g., ['testnet', 'near']) /\n allowedSuffixes?: string[];\n /* Require Top-level domains with exactly 2 parts (username.suffix) instead of allowing subdomains /\n requireTopLevelDomain?: boolean;\n}\n\n/\n Validate NEAR account ID format with optional suffix restrictions\n * @param nearAccountId - The account ID to validate\n * @param options - Optional validation constraints\n /\nexport function validateNearAccountId(\n nearAccountId: string,\n options: NearAccountValidationOptions = {\n allowedSuffixes: ['testnet', 'near'],\n requireTopLevelDomain: false\n }\n): ValidationResult {\n if (!nearAccountId \|\| typeof nearAccountId !== 'string') {\n return { valid: false, error: 'Account ID must be a non-empty string' };\n }\n\n const parts = nearAccountId.split('.');\n if (parts.length < 2) {\n return { valid: false, error: 'Account ID must contain at least one dot (e.g., username.testnet)' };\n }\n\n // Check for exact two parts requirement (e.g., server registration)\n if (options.requireTopLevelDomain && parts.length !== 2) {\n const suffixList = options.allowedSuffixes?.join(', ') \|\| 'valid suffixes';\n return {\n valid: false,\n error: `Invalid NEAR account ID format. Expected format: <username>.<suffix> where suffix is one of: ${suffixList}`\n };\n }\n\n const username = parts[0];\n const suffix = parts[parts.length - 1]; // Last part for suffix checking\n const domain = parts.slice(1).join('.');\n\n // Validate username part\n if (!username \|\| username.length === 0) {\n return { valid: false, error: 'Username part cannot be empty' };\n }\n\n if (!/^[a-z0-9_\\-]+$/.test(username)) {\n return { valid: false, error: 'Username can only contain lowercase letters, numbers, underscores, and hyphens' };\n }\n\n // Validate domain part\n if (!domain \|\| domain.length === 0) {\n return { valid: false, error: 'Domain part cannot be empty' };\n }\n\n // Check allowed suffixes if specified\n if (options.allowedSuffixes && options.allowedSuffixes.length > 0) {\n // Check if the account ID ends with any of the allowed suffixes\n const matchesAnySuffix = options.allowedSuffixes.some(allowedSuffix => {\n // For single-part suffixes, check the last part\n if (!allowedSuffix.includes('.')) {\n return suffix === allowedSuffix;\n }\n // For multi-part suffixes, check if the account ID ends with the full suffix\n return nearAccountId.endsWith(`.${allowedSuffix}`);\n });\n\n if (!matchesAnySuffix) {\n return {\n valid: false,\n error: `Invalid NEAR account ID suffix. Expected account to end with one of: ${options.allowedSuffixes.join(', ')}`\n };\n }\n }\n\n return { valid: true };\n}\n\n/\n Lightweight NEAR account ID validation used by server-side helpers.\n * - length: 2..64\n * - chars: lowercase letters, digits, `_`, `.`, `-`\n /\nexport function isValidAccountId(accountId: unknown): accountId is string {\n if (typeof accountId !== 'string') return false;\n if (!accountId \|\| accountId.length < 2 \|\| accountId.length > 64) return false;\n return /^[a-z0-9_.-]+$/.test(accountId);\n}\n\n// ===========================\n// Runtime validation helpers\n// ===========================\n\nexport function isObject(x: unknown): x is Record<string, unknown> {\n return x !== null && typeof x === 'object';\n}\n\nexport function isString(x: unknown): x is string {\n return typeof x === 'string';\n}\n\nexport function isNonEmptyString(x: unknown): x is string {\n return typeof x === 'string' && x.length > 0;\n}\n\nexport function isNumber(x: unknown): x is number {\n return typeof x === 'number';\n}\n\nexport function isFiniteNumber(x: unknown): x is number {\n return typeof x === 'number' && Number.isFinite(x);\n}\n\nexport function isFunction(x: unknown): x is Function {\n return typeof x === 'function';\n}\n\nexport function isBoolean(x: unknown): x is boolean {\n return typeof x === 'boolean';\n}\n\nexport function isArray<T = unknown>(x: unknown): x is T[] {\n return Array.isArray(x);\n}\n\nexport function assertString(val: unknown, name = 'value'): string {\n if (typeof val !== 'string') throw new Error(`Invalid ${name}: expected string`);\n return val;\n}\n\nexport function assertNumber(val: unknown, name = 'value'): number {\n if (typeof val !== 'number' \|\| !Number.isFinite(val)) throw new Error(`Invalid ${name}: expected finite number`);\n return val;\n}\n\nexport function assertBoolean(val: unknown, name = 'value'): boolean {\n if (typeof val !== 'boolean') throw new Error(`Invalid ${name}: expected boolean`);\n return val;\n}\n\nexport function assertObject<T extends Record<string, unknown> = Record<string, unknown>>(val: unknown, name = 'value'): T {\n if (!isObject(val)) throw new Error(`Invalid ${name}: expected object`);\n return val as T;\n}\n\nexport function assertArray<T = unknown>(val: unknown, name = 'value'): T[] {\n if (!Array.isArray(val)) throw new Error(`Invalid ${name}: expected array`);\n return val as T[];\n}\n\nexport function stripFunctionsShallow<T extends Record<string, unknown>>(obj?: T): Partial<T> \| undefined {\n if (!obj \|\| !isObject(obj)) return undefined;\n const out: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(obj)) {\n if (!isFunction(v)) out[k] = v as unknown;\n }\n return out as Partial<T>;\n}\n\nexport interface PlainSignedTransactionLike {\n transaction: unknown;\n signature: unknown;\n borsh_bytes?: unknown;\n borshBytes?: unknown;\n base64Encode?: unknown;\n}\n\nexport function isPlainSignedTransactionLike(x: unknown): x is PlainSignedTransactionLike {\n if (!isObject(x)) return false;\n const hasTx = 'transaction' in x;\n const hasSig = 'signature' in x;\n const bytes = x as { borsh_bytes?: unknown; borshBytes?: unknown };\n const hasBytes = Array.isArray(bytes.borsh_bytes) \|\| bytes.borshBytes instanceof Uint8Array;\n const hasMethod = typeof (x as { base64Encode?: unknown }).base64Encode === 'function';\n return hasTx && hasSig && hasBytes && !hasMethod;\n}\n\nexport function extractBorshBytesFromPlainSignedTx(x: PlainSignedTransactionLike): number[] {\n const asArray = Array.isArray(x.borsh_bytes) ? (x.borsh_bytes as number[]) : undefined;\n if (asArray) return asArray;\n const asU8 = (x.borshBytes instanceof Uint8Array) ? x.borshBytes : undefined;\n return Array.from(asU8 \|\| new Uint8Array());\n}\n","export type Logger = {\n debug?: (...args: unknown[]) => void;\n info?: (...args: unknown[]) => void;\n warn?: (...args: unknown[]) => void;\n error?: (...args: unknown[]) => void;\n log?: (...args: unknown[]) => void;\n};\n\nexport type NormalizedLogger = {\n debug: (...args: unknown[]) => void;\n info: (...args: unknown[]) => void;\n warn: (...args: unknown[]) => void;\n error: (...args: unknown[]) => void;\n};\n\nfunction safe(fn?: (...args: unknown[]) => void): (...args: unknown[]) => void {\n if (!fn) return () => {};\n return (...args: unknown[]) => {\n try {\n fn(...args);\n } catch {\n // Never allow logging to break request handling.\n }\n };\n}\n\n/\n Library code should never call `console.` directly; the host decides where logs go.\n - Default: no logs\n * - To enable: pass `logger: console` (or a structured logger) to the host config.\n /\nexport function normalizeLogger(logger?: Logger \| null): NormalizedLogger {\n if (!logger) {\n return { debug: () => {}, info: () => {}, warn: () => {}, error: () => {} };\n }\n\n const base: Logger = logger;\n const log = typeof base.log === 'function' ? base.log.bind(base) : undefined;\n\n const debug = (typeof base.debug === 'function' ? base.debug.bind(base) : log);\n const info = (typeof base.info === 'function' ? base.info.bind(base) : log);\n const warn = (typeof base.warn === 'function' ? base.warn.bind(base) : log);\n const error = (typeof base.error === 'function' ? base.error.bind(base) : log);\n\n return {\n debug: safe(debug),\n info: safe(info),\n warn: safe(warn),\n error: safe(error),\n };\n}\n\nexport const coerceLogger = normalizeLogger;\n","import type { Logger, NormalizedLogger } from '../core/logger';\nimport { coerceLogger } from '../core/logger';\n\nexport type RouterLogger = Logger;\nexport type NormalizedRouterLogger = NormalizedLogger;\nexport const coerceRouterLogger = coerceLogger;\n/* @deprecated use `coerceRouterLogger` /\nexport const normalizeRouterLogger = coerceRouterLogger;\n","\nexport interface SessionConfig {\n jwt?: {\n /* Required: JWT signing hook; return a complete token /\n signToken?: (input: { header: Record<string, unknown>; payload: Record<string, unknown> }) => Promise<string> \| string;\n /* Required: JWT verification hook /\n verifyToken?: (token: string) => Promise<{ valid: boolean; payload?: any }> \| { valid: boolean; payload?: any };\n /* Optional: sliding refresh window (seconds) to allow /session/refresh before exp, default 900 (15 min) /\n refreshWindowSec?: number;\n /* Optional: build additional claims to include in the payload /\n buildClaims?: (input: { sub: string; context?: Record<string, unknown> }) => Promise<Record<string, unknown> \| void> \| Record<string, unknown> \| void;\n };\n cookie?: {\n /* Cookie name. Default: 'w3a_session' /\n name?: string;\n /* Optional override: build Set-Cookie header for a new token /\n buildSetHeader?: (token: string) => string;\n /* Optional override: build Set-Cookie header that clears the cookie /\n buildClearHeader?: () => string;\n /* Optional override: extract token from headers (Authorization/Cookie) /\n extractToken?: (headers: Record<string, string \| string[] \| undefined>, cookieName: string) => string \| null;\n };\n}\n\nexport class SessionService<TClaims extends Record<string, unknown> = Record<string, unknown>> {\n private cfg: NonNullable<SessionConfig>;\n\n constructor(cfg: NonNullable<SessionConfig>) {\n this.cfg = cfg \|\| ({} as any);\n }\n\n getCookieName(): string {\n return this.cfg?.cookie?.name \|\| 'w3a_session';\n }\n\n buildSetCookie(token: string): string {\n if (this.cfg?.cookie?.buildSetHeader) return this.cfg.cookie.buildSetHeader(token);\n const name = this.getCookieName();\n const cookieParts = [`${name}=${token}`];\n const path = '/';\n const httpOnly = true;\n const secure = true; // default secure\n const sameSite = 'Lax';\n const maxAge = 24 3600; // 1 day default\n cookieParts.push(`Path=${path}`);\n if (httpOnly) cookieParts.push('HttpOnly');\n if (secure) cookieParts.push('Secure');\n if (sameSite) cookieParts.push(`SameSite=${sameSite}`);\n if (maxAge) {\n cookieParts.push(`Max-Age=${maxAge}`);\n const expires = new Date(Date.now() + (maxAge * 1000)).toUTCString();\n cookieParts.push(`Expires=${expires}`);\n }\n return cookieParts.join('; ');\n }\n\n buildClearCookie(): string {\n if (this.cfg?.cookie?.buildClearHeader) return this.cfg.cookie.buildClearHeader();\n const name = this.getCookieName();\n const path = '/';\n const secure = true;\n const httpOnly = true;\n const parts = [\n `${name}=`,\n `Path=${path}`,\n 'Max-Age=0',\n 'Expires=Thu, 01 Jan 1970 00:00:00 GMT'\n ];\n if (httpOnly) parts.push('HttpOnly');\n if (secure) parts.push('Secure');\n const sameSite = 'Lax';\n if (sameSite) parts.push(`SameSite=${sameSite}`);\n return parts.join('; ');\n }\n\n /** Sign a JWT with configured algorithm. Adds iat/exp and copies iss/aud. /\n async signJwt(sub: string, extraClaims?: Record<string, unknown>): Promise<string> {\n const jwt = this.cfg?.jwt \|\| {};\n const built = await Promise.resolve(jwt.buildClaims?.({ sub, context: extraClaims })) \|\| {};\n const payload = { sub, ...(extraClaims \|\| {}), ...(built \|\| {}) } as Record<string, unknown>;\n if (typeof jwt.signToken === 'function') {\n // Full override of signing: user supplies the complete token\n const token = await Promise.resolve(jwt.signToken({ header: { typ: 'JWT' }, payload } as any));\n return token;\n }\n throw new Error('SessionService: No JWT signing hook or provider configured');\n }\n\n /* Verify signature and expiration. Returns payload on success. /\n async verifyJwt(token: string): Promise<{ valid: boolean; payload?: any }> {\n const verify = this.cfg?.jwt?.verifyToken;\n if (typeof verify !== 'function') return { valid: false };\n return await Promise.resolve(verify(token));\n }\n\n parse(\n headers: Record<string, string \| string[] \| undefined>\n ): Promise<{ ok: true; claims: TClaims } \| { ok: false }> {\n const authHeader = (headers['authorization'] \|\| headers['Authorization']) as string \| undefined;\n let token: string \| null = null;\n if (authHeader && /^Bearer\\s+/.test(authHeader)) token = authHeader.replace(/^Bearer\\s+/i, '').trim();\n const cookieHeader = (headers['cookie'] \|\| headers['Cookie']) as string \| undefined;\n if (!token && cookieHeader) {\n const name = this.getCookieName();\n for (const part of cookieHeader.split(';')) {\n const [k, v] = part.split('=');\n if (k && k.trim() === name) { token = (v \|\| '').trim(); break; }\n }\n }\n if (!token) return Promise.resolve({ ok: false });\n return this.verifyJwt(token).then(v =>\n v.valid\n ? { ok: true, claims: v.payload as TClaims }\n : { ok: false }\n );\n }\n\n // === token helpers ===\n extractTokenFromHeaders(headers: Record<string, string \| string[] \| undefined>): string \| null {\n if (this.cfg?.cookie?.extractToken) return this.cfg.cookie.extractToken(headers, this.getCookieName());\n const authHeader = (headers['authorization'] \|\| headers['Authorization']) as string \| undefined;\n if (authHeader && /^Bearer\\s+/.test(authHeader)) return authHeader.replace(/^Bearer\\s+/i, '').trim();\n const cookieHeader = (headers['cookie'] \|\| headers['Cookie']) as string \| undefined;\n if (cookieHeader) {\n const name = this.getCookieName();\n for (const part of cookieHeader.split(';')) {\n const [k, v] = part.split('=');\n if (k && k.trim() === name) return (v \|\| '').trim();\n }\n }\n return null;\n }\n\n async refresh(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: boolean; jwt?: string; code?: string; message?: string }>{\n try {\n const token = this.extractTokenFromHeaders(headers);\n if (!token) return { ok: false, code: 'unauthorized', message: 'No session token' };\n const v = await this.verifyJwt(token);\n if (!v.valid) return { ok: false, code: 'unauthorized', message: 'Invalid token' };\n const payload: any = v.payload \|\| {};\n if (!this.isWithinRefreshWindow(payload)) return { ok: false, code: 'not_eligible', message: 'Not within refresh window' };\n const sub = String(payload.sub \|\| '');\n if (!sub) return { ok: false, code: 'invalid_claims', message: 'Missing sub claim' };\n const next = await this.signJwt(sub);\n return { ok: true, jwt: next };\n } catch (e: any) {\n return { ok: false, code: 'internal', message: e?.message \|\| 'Refresh failed' };\n }\n }\n\n nowSeconds(): number { return Math.floor(Date.now() / 1000); }\n\n private isWithinRefreshWindow(payload: any): boolean {\n try {\n const now = this.nowSeconds();\n const exp = Number(payload?.exp \|\| 0);\n if (!exp \|\| now >= exp) return false; // no refresh if already expired\n const windowSec = Number(this.cfg?.jwt?.refreshWindowSec \|\| 15 60);\n return (exp - now) <= windowSec;\n } catch { return false; }\n }\n}\n\n/\n Utility: parse comma-separated list of origins into a normalized unique list\n * - canonicalizes to protocol + host + optional port\n * - lowercases host, strips path/query/hash, trims spaces/trailing slashes\n /\nexport function parseCsvList(input?: string): string[] {\n const out = new Set<string>();\n for (const raw of String(input \|\| '').split(',')) {\n const s = raw.trim();\n if (!s) continue;\n try {\n const u = new URL(s);\n const host = u.hostname.toLowerCase();\n const port = u.port ? `:${u.port}` : '';\n const proto = u.protocol === 'http:' \|\| u.protocol === 'https:' ? u.protocol : 'https:';\n out.add(`${proto}//${host}${port}`);\n } catch {\n const stripped = s.replace(/\\/$/, '');\n if (stripped) out.add(stripped);\n }\n }\n return Array.from(out);\n}\n\n/\n * Utility: merge multiple CSV lists of origins and return normalized list or ''\n /\nexport function buildCorsOrigins(...inputs: Array<string \| undefined>): string[] \| '' {\n const merged = new Set<string>();\n for (const input of inputs) {\n for (const origin of parseCsvList(input)) merged.add(origin);\n }\n const list = Array.from(merged);\n return list.length > 0 ? list : '';\n}\n","import type { Request, Response, Router as ExpressRouter } from 'express';\nimport { buildCorsOrigins } from '../../core/SessionService';\nimport type { RelayRouterOptions } from '../relay';\n\nfunction withCors(res: Response, opts?: RelayRouterOptions, req?: Request): void {\n if (!opts?.corsOrigins) return;\n\n let allowedOrigin: string \| '' \| undefined;\n const normalized = buildCorsOrigins(...(opts.corsOrigins \|\| []));\n if (normalized === '') {\n allowedOrigin = '';\n res.set('Access-Control-Allow-Origin', '');\n } else if (Array.isArray(normalized)) {\n const origin = String((req as any)?.headers?.origin \|\| '').trim();\n if (origin && normalized.includes(origin)) {\n allowedOrigin = origin;\n res.set('Access-Control-Allow-Origin', origin);\n res.set('Vary', 'Origin');\n }\n }\n\n res.set('Access-Control-Allow-Methods', 'GET,POST,OPTIONS');\n res.set('Access-Control-Allow-Headers', 'Content-Type,Authorization');\n // Only advertise credentials when we echo back a specific origin (not '')\n if (allowedOrigin && allowedOrigin !== '') {\n res.set('Access-Control-Allow-Credentials', 'true');\n }\n}\n\nexport function installCors(router: ExpressRouter, opts: RelayRouterOptions): void {\n // Optional CORS: implemented here to keep setup simple for example relayers.\n // If you prefer custom CORS middleware, omit `corsOrigins` and wire your own.\n router.use((req: Request, res: Response, next: any) => {\n withCors(res, opts, req);\n const method = String((req as any)?.method \|\| '').toUpperCase();\n if (opts.corsOrigins && method === 'OPTIONS') {\n res.status(204).send('');\n return;\n }\n next();\n });\n}\n","import type { Request, Response, Router as ExpressRouter } from 'express';\nimport type { ExpressRelayContext } from '../createRelayRouter';\nimport type { CreateAccountAndRegisterRequest, CreateAccountAndRegisterResult } from '../../../core/types';\n\nexport function registerCreateAccountAndRegisterUser(router: ExpressRouter, ctx: ExpressRelayContext): void {\n router.post('/create_account_and_register_user', async (req: Request, res: Response) => {\n try {\n const {\n new_account_id,\n new_public_key,\n threshold_ed25519,\n vrf_data,\n webauthn_registration,\n deterministic_vrf_public_key,\n authenticator_options\n } = (req.body \|\| {}) as CreateAccountAndRegisterRequest;\n\n if (!new_account_id \|\| typeof new_account_id !== 'string') throw new Error('Missing or invalid new_account_id');\n if (!new_public_key \|\| typeof new_public_key !== 'string') throw new Error('Missing or invalid new_public_key');\n if (!vrf_data \|\| typeof vrf_data !== 'object') throw new Error('Missing or invalid vrf_data');\n if (!webauthn_registration \|\| typeof webauthn_registration !== 'object') throw new Error('Missing or invalid webauthn_registration');\n\n const threshold = ctx.opts.threshold;\n const thresholdClientVerifyingShareB64u = threshold_ed25519?.client_verifying_share_b64u?.trim();\n let thresholdKeygen:\n \| (Awaited<ReturnType<NonNullable<typeof threshold>['keygenFromClientVerifyingShareForRegistration']>> & { ok: true })\n \| null = null;\n let thresholdWarning: string \| null = null;\n\n if (thresholdClientVerifyingShareB64u) {\n if (!threshold) {\n thresholdWarning = 'threshold signing is not configured on this server';\n } else {\n const rpId = typeof (vrf_data as { rp_id?: unknown; rpId?: unknown }).rp_id === 'string'\n ? String((vrf_data as { rp_id?: unknown }).rp_id \|\| '')\n : (typeof (vrf_data as { rpId?: unknown }).rpId === 'string' ? String((vrf_data as { rpId?: unknown }).rpId \|\| '') : '');\n if (!rpId.trim()) {\n thresholdWarning = 'missing vrf_data.rp_id';\n } else {\n const out = await threshold.keygenFromClientVerifyingShareForRegistration({\n nearAccountId: new_account_id,\n rpId,\n clientVerifyingShareB64u: thresholdClientVerifyingShareB64u,\n });\n if (!out.ok) {\n thresholdWarning = out.message \|\| 'threshold-ed25519 registration keygen failed';\n } else {\n thresholdKeygen = out;\n }\n }\n }\n }\n\n const result = await ctx.service.createAccountAndRegisterUser({\n new_account_id,\n new_public_key,\n vrf_data,\n webauthn_registration,\n deterministic_vrf_public_key,\n authenticator_options\n });\n\n let response: CreateAccountAndRegisterResult = result;\n\n if (result.success && threshold && thresholdKeygen) {\n try {\n await threshold.putRelayerKeyMaterial({\n relayerKeyId: thresholdKeygen.relayerKeyId,\n publicKey: thresholdKeygen.publicKey,\n relayerSigningShareB64u: thresholdKeygen.relayerSigningShareB64u,\n relayerVerifyingShareB64u: thresholdKeygen.relayerVerifyingShareB64u,\n });\n response = {\n ...response,\n thresholdEd25519: {\n relayerKeyId: thresholdKeygen.relayerKeyId,\n publicKey: thresholdKeygen.publicKey,\n relayerVerifyingShareB64u: thresholdKeygen.relayerVerifyingShareB64u,\n clientParticipantId: thresholdKeygen.clientParticipantId,\n relayerParticipantId: thresholdKeygen.relayerParticipantId,\n participantIds: thresholdKeygen.participantIds,\n },\n };\n } catch (e: unknown) {\n thresholdWarning = thresholdWarning \|\| ((e && typeof e === 'object' && 'message' in e)\n ? String((e as { message?: unknown }).message \|\| 'threshold signing persistence failed')\n : String(e \|\| 'threshold signing persistence failed'));\n }\n }\n\n if (result.success && thresholdWarning) {\n response = {\n ...response,\n message: `${response.message \|\| 'Account created and registered successfully'} (threshold enrollment skipped: ${thresholdWarning})`,\n };\n }\n\n if (response.success) res.status(200).json(response);\n else res.status(400).json(response);\n } catch (error: unknown) {\n const message = (error && typeof error === 'object' && 'message' in error)\n ? String((error as { message?: unknown }).message \|\| 'internal error')\n : 'internal error';\n res.status(500).json({ success: false, error: message });\n }\n });\n}\n","import type {\n ShamirApplyServerLockRequest,\n ShamirApplyServerLockResponse,\n ShamirRemoveServerLockRequest,\n ShamirRemoveServerLockResponse,\n} from './types';\nimport type { ShamirService } from './ShamirService';\nimport { isString } from '@/utils/validation';\n\nexport async function handleApplyServerLock(\n service: ShamirService,\n request: { body?: { kek_c_b64u?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const kek_c_b64u = request.body?.kek_c_b64u;\n if (!isString(kek_c_b64u) \|\| !kek_c_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_c_b64u required and must be a non-empty string' }),\n };\n }\n\n const out: ShamirApplyServerLockResponse = await service.applyServerLock(kek_c_b64u);\n const keyId = service.getCurrentShamirKeyId();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ ...out, keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveServerLock(\n service: ShamirService,\n request: { body?: { kek_cs_b64u?: string; keyId?: string } },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const body = request.body;\n if (!body) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'Missing body' }),\n };\n }\n const { kek_cs_b64u, keyId } = body;\n if (!isString(kek_cs_b64u) \|\| !kek_cs_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'kek_cs_b64u required and must be a non-empty string' }),\n };\n }\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const providedKeyId = String(keyId);\n const currentKeyId = service.getCurrentShamirKeyId();\n let out: ShamirRemoveServerLockResponse;\n\n if (currentKeyId && providedKeyId === currentKeyId) {\n out = await service.removeServerLock(kek_cs_b64u);\n } else if (service.hasGraceKey(providedKeyId)) {\n out = await service.removeGraceServerLockWithKey(providedKeyId, { kek_cs_b64u } as ShamirRemoveServerLockRequest);\n } else {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'unknown keyId' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify(out),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleGetShamirKeyInfo(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureReady();\n const currentKeyId = service.getCurrentShamirKeyId();\n const graceKeyIds = service.getGraceKeyIds();\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n currentKeyId,\n p_b64u: service.getShamirConfig()?.shamir_p_b64u ?? null,\n graceKeyIds,\n }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleListGraceKeys(\n service: ShamirService,\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n await service.ensureGraceKeysLoaded();\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ graceKeyIds: service.getGraceKeyIds() }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleAddGraceKey(\n service: ShamirService,\n request: { e_s_b64u?: string; d_s_b64u?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const { e_s_b64u, d_s_b64u } = request \|\| ({} as any);\n if (!isString(e_s_b64u) \|\| !e_s_b64u \|\| !isString(d_s_b64u) \|\| !d_s_b64u) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'e_s_b64u and d_s_b64u required' }),\n };\n }\n\n await service.ensureGraceKeysLoaded();\n const added = await service.addGraceKeyInternal({ e_s_b64u, d_s_b64u }, { persist: true, skipIfExists: true });\n if (!added) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'failed to add grace key' }),\n };\n }\n\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ keyId: added.keyId }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n\nexport async function handleRemoveGraceKey(\n service: ShamirService,\n request: { keyId?: string },\n): Promise<{ status: number; headers: Record<string, string>; body: string }> {\n try {\n const keyId = request?.keyId;\n if (!isString(keyId) \|\| !keyId) {\n return {\n status: 400,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'keyId required and must be a non-empty string' }),\n };\n }\n\n const removed = await service.removeGraceKeyInternal(keyId, { persist: true });\n return {\n status: 200,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ removed }),\n };\n } catch (e: any) {\n return {\n status: 500,\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ error: 'internal', details: e?.message }),\n };\n }\n}\n","import type { Request, Response, Router as ExpressRouter } from 'express';\nimport { handleGetShamirKeyInfo } from '../../../core/shamirHandlers';\nimport type { ExpressRelayContext } from '../createRelayRouter';\n\nexport function registerHealthRoutes(router: ExpressRouter, ctx: ExpressRelayContext): void {\n if (ctx.opts.healthz) {\n router.get('/healthz', async (_req: Request, res: Response) => {\n const shamir = ctx.service.shamirService;\n const shamirConfigured = Boolean(shamir && shamir.hasShamir());\n const thresholdConfigured = Boolean(ctx.opts.threshold);\n let currentKeyId: string \| null = null;\n if (shamirConfigured && shamir) {\n try {\n const payload = JSON.parse((await handleGetShamirKeyInfo(shamir)).body) as { currentKeyId?: string };\n currentKeyId = payload.currentKeyId \|\| null;\n } catch { }\n }\n\n const proverBaseUrl = ctx.service.emailRecovery?.getZkEmailProverBaseUrl?.() ?? null;\n const zkEmailConfigured = Boolean(proverBaseUrl);\n\n res.status(200).json({\n ok: true,\n // Backwards-compatible field (was previously top-level).\n currentKeyId,\n shamir: { configured: shamirConfigured, currentKeyId },\n zkEmail: { configured: zkEmailConfigured, proverBaseUrl },\n thresholdEd25519: { configured: thresholdConfigured },\n });\n });\n }\n\n if (ctx.opts.readyz) {\n router.get('/readyz', async (_req: Request, res: Response) => {\n const shamir = ctx.service.shamirService;\n const shamirConfigured = Boolean(shamir && shamir.hasShamir());\n const thresholdConfigured = Boolean(ctx.opts.threshold);\n\n let shamirReady: boolean \| null = null;\n let shamirCurrentKeyId: string \| null = null;\n let shamirError: string \| undefined;\n if (shamirConfigured && shamir) {\n try {\n await shamir.ensureReady();\n shamirReady = true;\n const payload = JSON.parse((await handleGetShamirKeyInfo(shamir)).body) as { currentKeyId?: string };\n shamirCurrentKeyId = payload.currentKeyId \|\| null;\n } catch (e: any) {\n shamirReady = false;\n shamirError = e?.message \|\| String(e);\n }\n }\n\n const zk = ctx.service.emailRecovery\n ? await ctx.service.emailRecovery.checkZkEmailProverHealth()\n : { configured: false, baseUrl: null, healthy: null as boolean \| null };\n\n const ok =\n (shamirConfigured ? shamirReady === true : true) &&\n (zk.configured ? zk.healthy === true : true);\n\n res.status(ok ? 200 : 503).json({\n ok,\n shamir: {\n configured: shamirConfigured,\n ready: shamirConfigured ? shamirReady : null,\n currentKeyId: shamirCurrentKeyId,\n error: shamirError,\n },\n thresholdEd25519: { configured: thresholdConfigured },\n zkEmail: zk,\n });\n });\n }\n}\n","import { ZkEmailProverClient, type ZkEmailProverClientOptions, type ZkEmailProverError } from './proverClient';\n\nexport { ZkEmailProverClient } from './proverClient';\nexport type { ZkEmailProverClientOptions, ZkEmailProverError, ZkEmailProverResponse } from './proverClient';\n\nexport interface ForwardableEmailPayload {\n from: string;\n to: string;\n headers: Record<string, string>;\n raw?: string;\n rawSize?: number;\n}\n\nexport type NormalizedEmailResult =\n \| { ok: true; payload: ForwardableEmailPayload }\n \| { ok: false; code: string; message: string };\n\nexport interface GenerateZkEmailProofResult {\n proof: unknown;\n publicInputs: string[];\n}\n\nexport interface ParsedZkEmailBindings {\n accountId: string;\n newPublicKey: string;\n fromEmail: string;\n timestamp: string;\n requestId: string;\n}\n\n/*\n Build a minimal ForwardableEmailPayload from a raw RFC822 email string.\n * This is primarily used by server-side helpers that receive only a raw\n * email blob (no pre-normalized headers).\n /\nexport function buildForwardablePayloadFromRawEmail(raw: string): ForwardableEmailPayload {\n const safeRaw = typeof raw === 'string' ? raw : '';\n const lines = safeRaw.split(/\\r?\\n/);\n\n const getHeader = (name: string): string \| undefined => {\n const line = lines.find(l => new RegExp(`^${name}:`, 'i').test(l));\n if (!line) return undefined;\n const idx = line.indexOf(':');\n const rest = idx >= 0 ? line.slice(idx + 1) : '';\n const value = rest.trim();\n return value \|\| undefined;\n };\n\n const fromHeader = getHeader('from') \|\| 'unknown@zkemail.local';\n const toHeader = getHeader('to') \|\| 'recover@zkemail.local';\n\n const headers: Record<string, string> = {};\n const subjectHeader = getHeader('subject');\n const dateHeader = getHeader('date');\n\n if (fromHeader) headers.from = fromHeader;\n if (toHeader) headers.to = toHeader;\n if (subjectHeader) headers.subject = subjectHeader;\n if (dateHeader) headers.date = dateHeader;\n\n return {\n from: fromHeader,\n to: toHeader,\n headers,\n raw: safeRaw,\n rawSize: safeRaw.length,\n };\n}\n\nexport function normalizeForwardableEmailPayload(input: unknown): NormalizedEmailResult {\n if (!input \|\| typeof input !== 'object') {\n return { ok: false, code: 'invalid_email', message: 'JSON body required' };\n }\n\n const body = input as Partial<ForwardableEmailPayload>;\n const { from, to, headers, raw, rawSize } = body;\n\n if (!from \|\| typeof from !== 'string' \|\| !to \|\| typeof to !== 'string') {\n return { ok: false, code: 'invalid_email', message: 'from and to are required' };\n }\n\n if (!headers \|\| typeof headers !== 'object') {\n return { ok: false, code: 'invalid_email', message: 'headers object is required' };\n }\n\n const normalizedHeaders: Record<string, string> = {};\n for (const [k, v] of Object.entries(headers as Record<string, unknown>)) {\n normalizedHeaders[String(k).toLowerCase()] = String(v);\n }\n\n return {\n ok: true,\n payload: {\n from,\n to,\n headers: normalizedHeaders,\n raw: typeof raw === 'string' ? raw : undefined,\n rawSize: typeof rawSize === 'number' ? rawSize : undefined,\n },\n };\n}\n\n/\n Parse NEAR accountId from the Subject line inside a raw RFC822 email.\n \n Expected format (case-insensitive on \"Subject\" and \"recover\"):\n * Subject: recover-123ABC bob.testnet ed25519:<pk>\n \n Returns the parsed accountId (e.g. \"bob.testnet\") or null if not found.\n /\nexport function parseAccountIdFromSubject(raw: string \| undefined \| null): string \| null {\n if (!raw \|\| typeof raw !== 'string') return null;\n\n // Accept either a full RFC822 message (with \"Subject: ...\" header)\n // or a bare Subject value (\"recover-123ABC bob.testnet ed25519:<pk>\").\n let subjectText = '';\n const lines = raw.split(/\\r?\\n/);\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n if (subjectLine) {\n const idx = subjectLine.indexOf(':');\n const restRaw = idx >= 0 ? subjectLine.slice(idx + 1) : '';\n subjectText = restRaw.trim();\n } else {\n subjectText = raw.trim();\n }\n\n if (!subjectText) return null;\n\n // Strip common reply/forward prefixes\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format: \"recover-<request_id> <accountId> [ed25519:<pk>]\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)(?:\\s+ed25519:[^\\s]+)?\\s$/i\n );\n if (match?.[2]) {\n return match[2];\n }\n\n return null;\n}\n\nfunction parseSubjectBindings(\n rawSubject: string \| undefined \| null\n): { accountId: string; newPublicKey: string; requestId: string } \| null {\n if (!rawSubject \|\| typeof rawSubject !== 'string') return null;\n\n const lines = rawSubject.split(/\\r?\\n/);\n let subjectText = '';\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n if (subjectLine) {\n const idx = subjectLine.indexOf(':');\n const restRaw = idx >= 0 ? subjectLine.slice(idx + 1) : '';\n subjectText = restRaw.trim();\n } else {\n subjectText = rawSubject.trim();\n }\n if (!subjectText) return null;\n\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format:\n // \"recover-<request_id> <accountId> ed25519:<pk>\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)\\s+ed25519:([^\\s]+)\\s$/i\n );\n if (!match) return null;\n\n const [, requestId, accountId, newPublicKey] = match;\n\n return {\n accountId,\n newPublicKey,\n requestId,\n };\n}\n\nexport function extractZkEmailBindingsFromPayload(\n payload: ForwardableEmailPayload\n): ParsedZkEmailBindings \| null {\n const raw = payload.raw \|\| '';\n const lines = raw.split(/\\r?\\n/);\n\n const subjectLine = lines.find(line => /^subject:/i.test(line));\n const subjectBindings = parseSubjectBindings(subjectLine ?? '');\n if (!subjectBindings) {\n return null;\n }\n\n const headers = payload.headers \|\| {};\n let fromEmailRaw: string \| undefined =\n (headers['from'] as any) \|\|\n (headers['x-from-email'] as any);\n let dateRaw: string \| undefined =\n (headers['date'] as any) \|\|\n (headers['x-original-date'] as any);\n\n // Fallback: if headers object does not contain from/date,\n // attempt to parse them from the raw RFC822 email lines.\n if (!fromEmailRaw \|\| !dateRaw) {\n for (const line of lines) {\n if (!fromEmailRaw && /^from:/i.test(line)) {\n const idx = line.indexOf(':');\n fromEmailRaw = idx >= 0 ? line.slice(idx + 1).trim() : '';\n }\n if (!dateRaw && /^date:/i.test(line)) {\n const idx = line.indexOf(':');\n dateRaw = idx >= 0 ? line.slice(idx + 1).trim() : '';\n }\n if (fromEmailRaw && dateRaw) break;\n }\n }\n\n const fromEmail = String(fromEmailRaw \|\| '').trim();\n const timestamp = String(dateRaw \|\| '').trim();\n\n if (!fromEmail \|\| !timestamp) {\n return null;\n }\n\n return {\n accountId: subjectBindings.accountId,\n newPublicKey: subjectBindings.newPublicKey,\n fromEmail,\n timestamp,\n requestId: subjectBindings.requestId,\n };\n}\n\nexport async function generateZkEmailProofFromPayload(\n payload: ForwardableEmailPayload,\n prover: ZkEmailProverClientOptions \| ZkEmailProverClient\n): Promise<GenerateZkEmailProofResult> {\n if (!payload.raw \|\| typeof payload.raw !== 'string') {\n const err: ZkEmailProverError = Object.assign(\n new Error('raw email contents are required to generate a zk-email proof'),\n { code: 'missing_raw_email' }\n );\n throw err;\n }\n\n const client =\n (prover && typeof (prover as any).proveEmail === 'function')\n ? (prover as ZkEmailProverClient)\n : new ZkEmailProverClient(prover as ZkEmailProverClientOptions);\n\n const res = await client.proveEmail(payload.raw);\n\n return {\n proof: res.proof,\n publicInputs: res.publicSignals,\n };\n}\n","import type { EmailRecoveryMode } from './types';\nimport { normalizeForwardableEmailPayload, parseAccountIdFromSubject } from './zkEmail';\nimport { ensureEd25519Prefix } from '../../core/nearCrypto';\n\nexport enum EmailRecoveryModeHint {\n ZkEmail = 'zk-email',\n TeeEncrypted = 'tee-encrypted',\n OnchainPublic = 'onchain-public',\n}\n\nexport function parseRecoveryMode(raw: string \| undefined \| null): EmailRecoveryMode \| null {\n if (!raw) return null;\n const value = raw.trim().toLowerCase();\n if (value === EmailRecoveryModeHint.ZkEmail) return 'zk-email';\n if (value === EmailRecoveryModeHint.TeeEncrypted) return 'tee-encrypted';\n if (value === EmailRecoveryModeHint.OnchainPublic) return 'onchain-public';\n return null;\n}\n\nexport function extractRecoveryModeFromBody(emailBlob?: string): EmailRecoveryMode \| null {\n if (!emailBlob) return null;\n\n const lines = emailBlob.split(/\\r?\\n/);\n const bodyStartIndex = lines.findIndex(line => line.trim() === '');\n if (bodyStartIndex === -1) return null;\n\n const bodyLines = lines.slice(bodyStartIndex + 1);\n const firstNonEmptyBodyLine = bodyLines.find(line => line.trim() !== '');\n if (!firstNonEmptyBodyLine) return null;\n\n const candidate = firstNonEmptyBodyLine.trim();\n const normalized = parseRecoveryMode(candidate);\n if (normalized) return normalized;\n\n const lower = candidate.toLowerCase();\n if (lower.includes(EmailRecoveryModeHint.ZkEmail)) return 'zk-email';\n if (lower.includes(EmailRecoveryModeHint.TeeEncrypted)) return 'tee-encrypted';\n if (lower.includes(EmailRecoveryModeHint.OnchainPublic)) return 'onchain-public';\n\n return null;\n}\n\ntype HeaderValue = string \| string[] \| undefined;\ntype HeadersLike = Headers \| Record<string, HeaderValue> \| undefined;\n\nexport type RecoverEmailParseResult =\n \| { ok: true; accountId: string; emailBlob: string; explicitMode?: string }\n \| { ok: false; status: number; code: string; message: string };\n\nfunction getHeader(headers: HeadersLike, name: string): string \| undefined {\n if (!headers) return undefined;\n\n const maybeHeaders = headers as any;\n if (typeof maybeHeaders.get === 'function') {\n const v = maybeHeaders.get(name);\n return (typeof v === 'string') ? v : undefined;\n }\n\n const record = headers as Record<string, HeaderValue>;\n const v = record[name.toLowerCase()] ?? record[name];\n if (Array.isArray(v)) return (typeof v[0] === 'string') ? v[0] : undefined;\n return (typeof v === 'string') ? v : undefined;\n}\n\nfunction parseExplicitMode(body: unknown, headers?: HeadersLike): string \| undefined {\n const modeFromBody =\n (typeof (body as any)?.explicitMode === 'string' ? String((body as any).explicitMode) : '') \|\|\n (typeof (body as any)?.explicit_mode === 'string' ? String((body as any).explicit_mode) : '');\n const modeFromHeader = getHeader(headers, 'x-email-recovery-mode') \|\| getHeader(headers, 'x-recovery-mode') \|\| '';\n const raw = (modeFromBody \|\| modeFromHeader).trim();\n return raw ? raw : undefined;\n}\n\nexport function parseRecoverEmailRequest(body: unknown, opts: { headers?: HeadersLike } = {}): RecoverEmailParseResult {\n const explicitMode = parseExplicitMode(body, opts.headers);\n\n const normalized = normalizeForwardableEmailPayload(body);\n if (!normalized.ok) {\n return { ok: false, status: 400, code: normalized.code, message: normalized.message };\n }\n\n const payload = normalized.payload;\n const emailBlob = payload.raw \|\| '';\n const emailHeaders = payload.headers \|\| {};\n\n const subjectHeader = emailHeaders['subject'];\n const parsedAccountId = parseAccountIdFromSubject(subjectHeader \|\| emailBlob);\n const headerAccountId = String(emailHeaders['x-near-account-id'] \|\| emailHeaders['x-account-id'] \|\| '').trim();\n const accountId = (parsedAccountId \|\| headerAccountId \|\| '').trim();\n\n if (!accountId) {\n return { ok: false, status: 400, code: 'missing_account', message: 'x-near-account-id header is required' };\n }\n if (!emailBlob) {\n return { ok: false, status: 400, code: 'missing_email', message: 'raw email blob is required' };\n }\n\n return { ok: true, accountId, emailBlob, explicitMode };\n}\n\nconst EMAIL_ADDRESS_REGEX =\n /([a-zA-Z0-9.!#$%&'+/=?^_`{\|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+))/;\n\nexport function canonicalizeEmail(input: string): string {\n const raw = String(input \|\| '').trim();\n if (!raw) return '';\n\n // Handle cases where a full header line is passed in (e.g. \"From: ...\").\n const withoutHeaderName = raw.replace(/^[a-z0-9-]+\\s:\\s/i, '').trim();\n\n // Prefer the common \"Name <email@domain>\" format when present, but still\n // validate/extract the actual address via regex.\n const angleMatch = withoutHeaderName.match(/<([^>]+)>/);\n const candidates = [\n angleMatch?.[1],\n withoutHeaderName,\n ].filter((v): v is string => typeof v === 'string' && v.length > 0);\n\n for (const candidate of candidates) {\n const cleaned = candidate.replace(/^mailto:\\s/i, '');\n const match = cleaned.match(EMAIL_ADDRESS_REGEX);\n if (match?.[1]) {\n return match[1].trim().toLowerCase();\n }\n }\n\n return withoutHeaderName.toLowerCase();\n}\n\nexport function parseHeaderValue(rawEmail: string, name: string): string \| undefined {\n try {\n const raw = String(rawEmail \|\| '');\n if (!raw) return undefined;\n\n const lines = raw.split(/\\r?\\n/);\n const headerLines: string[] = [];\n\n // Only consider the header section (until the first blank line).\n for (const line of lines) {\n if (line.trim() === '') break;\n\n // RFC822 header folding: lines starting with whitespace continue previous header.\n if (/^\\s/.test(line) && headerLines.length > 0) {\n headerLines[headerLines.length - 1] += ` ${line.trim()}`;\n continue;\n }\n\n headerLines.push(line);\n }\n\n const headerName = name.trim();\n if (!headerName) return undefined;\n\n const re = new RegExp(`^${headerName.replace(/[.+?^${}()\|[\\]\\\\]/g, '\\\\$&')}\\\\s:`, 'i');\n const found = headerLines.find((l) => re.test(l));\n if (!found) return undefined;\n\n const idx = found.indexOf(':');\n const value = idx >= 0 ? found.slice(idx + 1).trim() : '';\n return value \|\| undefined;\n } catch {\n return undefined;\n }\n}\n\nexport function parseRecoverSubjectBindings(\n rawEmail: string\n): { requestId: string; accountId: string; newPublicKey: string } \| null {\n // Accept either a full RFC822 email or a bare Subject value.\n let subjectText = (parseHeaderValue(rawEmail, 'subject') \|\| String(rawEmail \|\| '')).trim();\n if (!subjectText) return null;\n\n // Strip common reply/forward prefixes.\n subjectText = subjectText.replace(/^(re\|fwd):\\s/i, '').trim();\n if (!subjectText) return null;\n\n // Strict format:\n // \"recover-<request_id> <accountId> ed25519:<pk>\"\n const match = subjectText.match(\n /^recover-([A-Za-z0-9]{6})\\s+([^\\s]+)\\s+ed25519:([^\\s]+)\\s$/i\n );\n if (!match) return null;\n\n const [, requestId, accountId, newPublicKey] = match;\n return { requestId, accountId, newPublicKey: ensureEd25519Prefix(newPublicKey) };\n}\n","import type { Router as ExpressRouter } from 'express';\nimport { parseRecoverEmailRequest } from '../../../email-recovery/emailParsers';\nimport type { ExpressRelayContext } from '../createRelayRouter';\n\nexport function registerRecoverEmailRoute(router: ExpressRouter, ctx: ExpressRelayContext): void {\n // Email recovery hook (DKIM/TEE flow):\n // Accept a ForwardableEmailPayload from the email worker and call the\n // per-user email-recoverer contract deployed on `accountId`.\n router.post('/recover-email', async (req: any, res: any) => {\n try {\n const prefer = String(req?.headers?.prefer \|\| '').toLowerCase();\n const respondAsync =\n prefer.includes('respond-async') \|\|\n String((req?.query as any)?.async \|\| '').trim() === '1' \|\|\n String((req?.query as any)?.respond_async \|\| '').trim() === '1';\n\n const parsed = parseRecoverEmailRequest(req.body as unknown, { headers: req.headers as any });\n if (!parsed.ok) {\n res.status(parsed.status).json({ code: parsed.code, message: parsed.message });\n return;\n }\n const { accountId, emailBlob, explicitMode } = parsed;\n\n if (!ctx.service.emailRecovery) {\n res.status(503).json({ code: 'email_recovery_unavailable', message: 'EmailRecoveryService is not configured on this server' });\n return;\n }\n\n if (respondAsync) {\n void ctx.service.emailRecovery\n .requestEmailRecovery({ accountId, emailBlob, explicitMode })\n .then((result) => {\n ctx.logger.info('[recover-email] async complete', {\n success: result?.success === true,\n accountId,\n error: result?.success ? undefined : result?.error,\n });\n })\n .catch((err: any) => {\n ctx.logger.error('[recover-email] async error', {\n accountId,\n error: err?.message \|\| String(err),\n });\n });\n\n res.status(202).json({ success: true, queued: true, accountId });\n return;\n }\n\n const result = await ctx.service.emailRecovery.requestEmailRecovery({ accountId, emailBlob, explicitMode });\n res.status(result.success ? 202 : 400).json(result);\n } catch (e: any) {\n res.status(500).json({ code: 'internal', message: e?.message \|\| 'Internal error' });\n }\n });\n}\n","import type { DelegateActionPolicy } from '../delegateAction';\nimport type { RouterLogger } from './logger';\nimport type {\n ThresholdEd25519AuthorizeWithSessionRequest,\n ThresholdEd25519AuthorizeRequest,\n ThresholdEd25519AuthorizeResponse,\n ThresholdEd25519CosignFinalizeRequest,\n ThresholdEd25519CosignFinalizeResponse,\n ThresholdEd25519CosignInitRequest,\n ThresholdEd25519CosignInitResponse,\n ThresholdEd25519KeygenRequest,\n ThresholdEd25519KeygenResponse,\n ThresholdEd25519SessionRequest,\n ThresholdEd25519SessionResponse,\n ThresholdEd25519SignFinalizeRequest,\n ThresholdEd25519SignFinalizeResponse,\n ThresholdEd25519SignInitRequest,\n ThresholdEd25519SignInitResponse,\n} from '../core/types';\n\n// Minimal session adapter interface expected by the routers.\nexport type SessionClaims = Record<string, unknown>;\n\nexport type SessionKind = 'cookie' \| 'jwt';\n\nexport function parseSessionKind(body: unknown): SessionKind {\n const v = (body && typeof body === 'object' && !Array.isArray(body))\n ? (body as Record<string, unknown>)\n : {};\n const raw = v.sessionKind ?? v.session_kind;\n return raw === 'cookie' ? 'cookie' : 'jwt';\n}\n\nexport interface SessionAdapter {\n signJwt(sub: string, extra?: Record<string, unknown>): Promise<string>;\n parse(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: true; claims: SessionClaims } \| { ok: false }>;\n buildSetCookie(token: string): string;\n buildClearCookie(): string;\n refresh(headers: Record<string, string \| string[] \| undefined>): Promise<{ ok: boolean; jwt?: string; code?: string; message?: string }>;\n}\n\nexport type ThresholdEd25519RegistrationKeygenResult =\n \| {\n ok: true;\n clientParticipantId: number;\n relayerParticipantId: number;\n participantIds: number[];\n relayerKeyId: string;\n publicKey: string;\n relayerSigningShareB64u: string;\n relayerVerifyingShareB64u: string;\n }\n \| { ok: false; code: string; message: string };\n\nexport interface ThresholdSigningAdapter {\n keygenFromClientVerifyingShareForRegistration(input: {\n nearAccountId: string;\n rpId: string;\n clientVerifyingShareB64u: string;\n }): Promise<ThresholdEd25519RegistrationKeygenResult>;\n putRelayerKeyMaterial(input: {\n relayerKeyId: string;\n publicKey: string;\n relayerSigningShareB64u: string;\n relayerVerifyingShareB64u: string;\n }): Promise<void>;\n thresholdEd25519Keygen(request: ThresholdEd25519KeygenRequest): Promise<ThresholdEd25519KeygenResponse>;\n authorizeThresholdEd25519(request: ThresholdEd25519AuthorizeRequest): Promise<ThresholdEd25519AuthorizeResponse>;\n authorizeThresholdEd25519WithSession(input: {\n sessionId: string;\n userId: string;\n request: ThresholdEd25519AuthorizeWithSessionRequest;\n }): Promise<ThresholdEd25519AuthorizeResponse>;\n thresholdEd25519Session(request: ThresholdEd25519SessionRequest): Promise<ThresholdEd25519SessionResponse>;\n thresholdEd25519SignInit(request: ThresholdEd25519SignInitRequest): Promise<ThresholdEd25519SignInitResponse>;\n thresholdEd25519SignFinalize(request: ThresholdEd25519SignFinalizeRequest): Promise<ThresholdEd25519SignFinalizeResponse>;\n /*\n Internal coordinator→cosigner cosigning API (optional).\n * When omitted, relayer-fleet cosigning mode is unsupported.\n /\n thresholdEd25519CosignInit?: (request: ThresholdEd25519CosignInitRequest) => Promise<ThresholdEd25519CosignInitResponse>;\n thresholdEd25519CosignFinalize?: (request: ThresholdEd25519CosignFinalizeRequest) => Promise<ThresholdEd25519CosignFinalizeResponse>;\n}\n\nexport interface RelayRouterOptions {\n healthz?: boolean;\n readyz?: boolean;\n /\n Optional list(s) of CORS origins (CSV strings or literal origins).\n * Pass raw strings; the router normalizes/merges internally.\n /\n corsOrigins?: Array<string \| undefined>;\n /\n Optional route for submitting NEP-461 SignedDelegate meta-transactions.\n * - When omitted: disabled.\n * - When set: enabled at `route`.\n * `policy` is server-controlled and is never read from the request body.\n /\n signedDelegate?: {\n route: string;\n policy?: DelegateActionPolicy;\n };\n // Optional: customize session route paths\n sessionRoutes?: { auth?: string; logout?: string };\n // Optional: pluggable session adapter\n session?: SessionAdapter \| null;\n // Optional: pluggable threshold signing service\n threshold?: ThresholdSigningAdapter \| null;\n // Optional logger; defaults to silent.\n logger?: RouterLogger \| null;\n}\n","import type { Router as ExpressRouter } from 'express';\nimport { parseSessionKind } from '../../relay';\nimport type { ExpressRelayContext } from '../createRelayRouter';\n\nexport function registerSessionRoutes(router: ExpressRouter, ctx: ExpressRelayContext): void {\n // Session: read current claims via bearer token or cookie\n router.get(ctx.mePath, async (req: any, res: any) => {\n try {\n const session = ctx.opts.session;\n if (!session) {\n res.status(501).json({ authenticated: false, code: 'sessions_disabled', message: 'Sessions are not configured' });\n return;\n }\n const parsed = await session.parse(req.headers \|\| {});\n if (!parsed.ok) {\n res.status(401).json({ authenticated: false, code: 'unauthorized', message: 'No valid session' });\n return;\n }\n res.status(200).json({ authenticated: true, claims: parsed.claims });\n } catch (e: any) {\n res.status(500).json({ authenticated: false, code: 'internal', message: e?.message \|\| 'Internal error' });\n }\n });\n\n // Session: logout clears cookie (best-effort)\n router.post(ctx.logoutPath, async (_req: any, res: any) => {\n try {\n const session = ctx.opts.session;\n if (session) res.set('Set-Cookie', session.buildClearCookie());\n res.status(200).json({ success: true });\n } catch (e: any) {\n res.status(500).json({ success: false, error: 'internal', details: e?.message });\n }\n });\n\n // Session: refresh (sliding expiration)\n router.post('/session/refresh', async (req: any, res: any) => {\n try {\n const sessionKind = parseSessionKind(req.body \|\| {});\n const session = ctx.opts.session;\n if (!session) {\n res.status(501).json({ code: 'sessions_disabled', message: 'Sessions are not configured' });\n return;\n }\n const out = await session.refresh(req.headers \|\| {});\n if (!out.ok \|\| !out.jwt) {\n const code = out.code \|\| 'not_eligible';\n const message = out.message \|\| 'Refresh not eligible';\n res.status(code === 'unauthorized' ? 401 : 400).json({ code, message });\n return;\n }\n if (sessionKind === 'cookie') {\n res.set('Set-Cookie', session.buildSetCookie(out.jwt));\n res.status(200).json({ ok: true });\n } else {\n res.status(200).json({ ok: true, jwt: out.jwt });\n }\n } catch (e: any) {\n res.status(500).json({ code: 'internal', message: e?.message \|\| 'Internal error' });\n }\n });\n}\n","import type { Router as ExpressRouter } from 'express';\nimport {\n handleApplyServerLock,\n handleRemoveServerLock,\n handleGetShamirKeyInfo,\n} from '../../../core/shamirHandlers';\nimport type { ExpressRelayContext } from '../createRelayRouter';\n\nexport function registerShamirRoutes(router: ExpressRouter, ctx: ExpressRelayContext): void {\n router.post('/vrf/apply-server-lock', async (req: any, res: any) => {\n const shamir = ctx.service.shamirService;\n if (!shamir \|\| !shamir.hasShamir()) {\n return res.status(503).json({ error: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' });\n }\n try {\n const serverResponse = await handleApplyServerLock(shamir, { body: req.body });\n Object.entries(serverResponse.headers).forEach(([k, v]) => res.set(k, v as any));\n res.status(serverResponse.status);\n res.send(JSON.parse(serverResponse.body));\n } catch (e: any) {\n res.status(500).json({ error: 'internal', details: e?.message });\n }\n });\n\n router.post('/vrf/remove-server-lock', async (req: any, res: any) => {\n const shamir = ctx.service.shamirService;\n if (!shamir \|\| !shamir.hasShamir()) {\n return res.status(503).json({ error: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' });\n }\n try {\n const serverResponse = await handleRemoveServerLock(shamir, { body: req.body });\n Object.entries(serverResponse.headers).forEach(([k, v]) => res.set(k, v as any));\n res.status(serverResponse.status);\n res.send(JSON.parse(serverResponse.body));\n } catch (e: any) {\n res.status(500).json({ error: 'internal', details: e?.message });\n }\n });\n\n router.get('/shamir/key-info', async (_req: any, res: any) => {\n const shamir = ctx.service.shamirService;\n if (!shamir \|\| !shamir.hasShamir()) {\n return res.status(503).json({ error: 'shamir_disabled', message: 'Shamir 3-pass is not configured on this server' });\n }\n try {\n const serverResponse = await handleGetShamirKeyInfo(shamir);\n Object.entries(serverResponse.headers).forEach(([k, v]) => res.set(k, v as any));\n res.status(serverResponse.status);\n res.send(JSON.parse(serverResponse.body));\n } catch (e: any) {\n res.status(500).json({ error: 'internal', details: e?.message });\n }\n });\n}\n","import type { Router as ExpressRouter } from 'express';\nimport type { ExpressRelayContext } from '../createRelayRouter';\n\nexport function registerSignedDelegateRoutes(router: ExpressRouter, ctx: ExpressRelayContext): void {\n if (!ctx.signedDelegatePath) return;\n\n router.options(ctx.signedDelegatePath, (_req: any, res: any) => {\n res.sendStatus(204);\n });\n\n router.post(ctx.signedDelegatePath, async (req: any, res: any) => {\n try {\n const { hash, signedDelegate } = req.body \|\| {};\n if (typeof hash !== 'string' \|\| !hash \|\| !signedDelegate) {\n res.status(400).json({ ok: false, code: 'invalid_body', message: 'Expected { hash, signedDelegate }' });\n return;\n }\n\n const result = await ctx.service.executeSignedDelegate({\n hash,\n signedDelegate,\n policy: ctx.signedDelegatePolicy,\n });\n\n if (!result \|\| !result.ok) {\n res.status(400).json({\n ok: false,\n code: result?.code \|\| 'delegate_execution_failed',\n message: result?.error \|\| 'Failed to execute delegate action',\n });\n return;\n }\n\n res.status(200).json({\n ok: true,\n relayerTxHash: result.transactionHash \|\| null,\n status: 'submitted',\n outcome: result.outcome ?? null,\n });\n } catch (e: any) {\n res.status(500).json({\n ok: false,\n code: 'internal',\n message: e?.message \|\| 'Internal error while executing delegate action',\n });\n }\n });\n}\n","export type ThresholdEd25519RouteResult = { ok: boolean; code?: string };\n\nexport function thresholdEd25519StatusCode(result: ThresholdEd25519RouteResult): number {\n if (result.ok) return 200;\n switch (result.code) {\n case 'not_found':\n return 404;\n case 'not_implemented':\n return 501;\n case 'threshold_disabled':\n return 503;\n case 'internal':\n return 500;\n case 'unauthorized':\n return 401;\n default:\n return 400;\n }\n}\n","import type { AccessKeyList } from '../../../core/NearClient';\nimport { alphabetizeStringify, sha256BytesUtf8 } from '../../../utils/digests';\nimport { ensureEd25519Prefix, toOptionalString, toTrimmedString } from '../../../utils/validation';\nimport {\n THRESHOLD_ED25519_2P_PARTICIPANT_IDS,\n normalizeThresholdEd25519ParticipantIds,\n} from '../../../threshold/participants';\n\nexport type ThresholdValidationOk = { ok: true };\nexport type ThresholdValidationErr = { ok: false; code: string; message: string };\nexport type ThresholdValidationResult = ThresholdValidationOk \| ThresholdValidationErr;\n\nexport function isObject(v: unknown): v is Record<string, unknown> {\n return !!v && typeof v === 'object' && !Array.isArray(v);\n}\n\nexport function isValidNumber(v: unknown): v is number {\n return typeof v === 'number' && Number.isFinite(v);\n}\n\nexport function toPrefixWithColon(prefix: unknown, defaultPrefix: string): string {\n const p = toOptionalString(prefix);\n if (!p) return defaultPrefix;\n return p.endsWith(':') ? p : `${p}:`;\n}\n\nexport function toThresholdEd25519KeyPrefix(prefix: unknown): string {\n return toPrefixWithColon(prefix, 'w3a:threshold-ed25519:key:');\n}\n\nexport function toThresholdEd25519SessionPrefix(prefix: unknown): string {\n return toPrefixWithColon(prefix, 'w3a:threshold-ed25519:sess:');\n}\n\nexport function toThresholdEd25519AuthPrefix(prefix: unknown): string {\n return toPrefixWithColon(prefix, 'w3a:threshold-ed25519:auth:');\n}\n\nexport type ParsedThresholdEd25519KeyRecord = {\n publicKey: string;\n relayerSigningShareB64u: string;\n relayerVerifyingShareB64u: string;\n};\n\nexport function parseThresholdEd25519KeyRecord(raw: unknown): ParsedThresholdEd25519KeyRecord \| null {\n if (!isObject(raw)) return null;\n const publicKey = toOptionalString(raw.publicKey);\n const relayerSigningShareB64u = toOptionalString(raw.relayerSigningShareB64u);\n const relayerVerifyingShareB64u = toOptionalString(raw.relayerVerifyingShareB64u);\n if (!publicKey \|\| !relayerSigningShareB64u \|\| !relayerVerifyingShareB64u) return null;\n return { publicKey, relayerSigningShareB64u, relayerVerifyingShareB64u };\n}\n\nexport type ParsedThresholdEd25519Commitments = { hiding: string; binding: string };\n\nexport function parseThresholdEd25519Commitments(raw: unknown): ParsedThresholdEd25519Commitments \| null {\n if (!isObject(raw)) return null;\n const hiding = toOptionalString(raw.hiding);\n const binding = toOptionalString(raw.binding);\n if (!hiding \|\| !binding) return null;\n return { hiding, binding };\n}\n\nexport type ParsedThresholdEd25519CommitmentsById = Record<string, ParsedThresholdEd25519Commitments>;\n\nexport function parseThresholdEd25519CommitmentsById(raw: unknown): ParsedThresholdEd25519CommitmentsById \| null {\n if (!isObject(raw)) return null;\n const out: ParsedThresholdEd25519CommitmentsById = {};\n for (const [k, v] of Object.entries(raw)) {\n const key = toTrimmedString(k);\n if (!key) return null;\n const commitments = parseThresholdEd25519Commitments(v);\n if (!commitments) return null;\n out[key] = commitments;\n }\n return Object.keys(out).length ? out : null;\n}\n\nexport type ParsedThresholdEd25519MpcSessionRecord = {\n expiresAtMs: number;\n relayerKeyId: string;\n purpose: string;\n intentDigestB64u: string;\n signingDigestB64u: string;\n userId: string;\n rpId: string;\n clientVerifyingShareB64u: string;\n participantIds: number[];\n};\n\nexport function parseThresholdEd25519MpcSessionRecord(raw: unknown): ParsedThresholdEd25519MpcSessionRecord \| null {\n if (!isObject(raw)) return null;\n const expiresAtMs = raw.expiresAtMs;\n const relayerKeyId = toOptionalString(raw.relayerKeyId);\n const purpose = toOptionalString(raw.purpose);\n const intentDigestB64u = toOptionalString(raw.intentDigestB64u);\n const signingDigestB64u = toOptionalString(raw.signingDigestB64u);\n const userId = toOptionalString(raw.userId);\n const rpId = toOptionalString(raw.rpId);\n const clientVerifyingShareB64u = toOptionalString(raw.clientVerifyingShareB64u);\n const participantIds = normalizeThresholdEd25519ParticipantIds(raw.participantIds)\n \|\| [...THRESHOLD_ED25519_2P_PARTICIPANT_IDS];\n if (!isValidNumber(expiresAtMs)) return null;\n if (\n !relayerKeyId \|\|\n !purpose \|\|\n !intentDigestB64u \|\|\n !signingDigestB64u \|\|\n !userId \|\|\n !rpId \|\|\n !clientVerifyingShareB64u\n ) return null;\n return {\n expiresAtMs,\n relayerKeyId,\n purpose,\n intentDigestB64u,\n signingDigestB64u,\n userId,\n rpId,\n clientVerifyingShareB64u,\n participantIds,\n };\n}\n\nexport type ParsedThresholdEd25519SigningSessionRecord = {\n expiresAtMs: number;\n mpcSessionId: string;\n relayerKeyId: string;\n signingDigestB64u: string;\n userId: string;\n rpId: string;\n clientVerifyingShareB64u: string;\n commitmentsById: ParsedThresholdEd25519CommitmentsById;\n relayerSigningShareB64u?: string;\n relayerNoncesB64u: string;\n participantIds: number[];\n};\n\nexport function parseThresholdEd25519SigningSessionRecord(raw: unknown): ParsedThresholdEd25519SigningSessionRecord \| null {\n if (!isObject(raw)) return null;\n const expiresAtMs = raw.expiresAtMs;\n const mpcSessionId = toOptionalString(raw.mpcSessionId);\n const relayerKeyId = toOptionalString(raw.relayerKeyId);\n const signingDigestB64u = toOptionalString(raw.signingDigestB64u);\n const userId = toOptionalString(raw.userId);\n const rpId = toOptionalString(raw.rpId);\n const clientVerifyingShareB64u = toOptionalString(raw.clientVerifyingShareB64u);\n const commitmentsById = parseThresholdEd25519CommitmentsById(raw.commitmentsById);\n const relayerSigningShareB64u = toOptionalString(raw.relayerSigningShareB64u);\n const relayerNoncesB64u = toOptionalString(raw.relayerNoncesB64u);\n const participantIds =\n normalizeThresholdEd25519ParticipantIds(raw.participantIds)\n \|\| [...THRESHOLD_ED25519_2P_PARTICIPANT_IDS];\n if (!isValidNumber(expiresAtMs)) return null;\n if (\n !mpcSessionId \|\|\n !relayerKeyId \|\|\n !signingDigestB64u \|\|\n !userId \|\|\n !rpId \|\|\n !clientVerifyingShareB64u \|\|\n !commitmentsById \|\|\n !relayerNoncesB64u\n ) {\n return null;\n }\n return {\n expiresAtMs,\n mpcSessionId,\n relayerKeyId,\n signingDigestB64u,\n userId,\n rpId,\n clientVerifyingShareB64u,\n commitmentsById,\n ...(relayerSigningShareB64u ? { relayerSigningShareB64u } : {}),\n relayerNoncesB64u,\n participantIds,\n };\n}\n\nexport type ParsedThresholdEd25519StringById = Record<string, string>;\n\nexport function parseThresholdEd25519StringById(raw: unknown): ParsedThresholdEd25519StringById \| null {\n if (!isObject(raw)) return null;\n const out: ParsedThresholdEd25519StringById = {};\n for (const [k, v] of Object.entries(raw)) {\n const key = toTrimmedString(k);\n const value = toOptionalString(v);\n if (!key \|\| !value) return null;\n out[key] = value;\n }\n return Object.keys(out).length ? out : null;\n}\n\nexport type ParsedThresholdEd25519CoordinatorSigningSessionRecord =\n {\n mode: 'cosigner';\n expiresAtMs: number;\n mpcSessionId: string;\n relayerKeyId: string;\n signingDigestB64u: string;\n userId: string;\n rpId: string;\n clientVerifyingShareB64u: string;\n commitmentsById: ParsedThresholdEd25519CommitmentsById;\n participantIds: number[];\n groupPublicKey: string;\n cosignerIds: number[];\n cosignerRelayerUrlsById: ParsedThresholdEd25519StringById;\n cosignerCoordinatorGrantsById: ParsedThresholdEd25519StringById;\n relayerVerifyingSharesById: ParsedThresholdEd25519StringById;\n };\n\nexport function parseThresholdEd25519CoordinatorSigningSessionRecord(raw: unknown): ParsedThresholdEd25519CoordinatorSigningSessionRecord \| null {\n if (!isObject(raw)) return null;\n const expiresAtMs = raw.expiresAtMs;\n const mpcSessionId = toOptionalString(raw.mpcSessionId);\n const relayerKeyId = toOptionalString(raw.relayerKeyId);\n const signingDigestB64u = toOptionalString(raw.signingDigestB64u);\n const userId = toOptionalString(raw.userId);\n const rpId = toOptionalString(raw.rpId);\n const clientVerifyingShareB64u = toOptionalString(raw.clientVerifyingShareB64u);\n const commitmentsById = parseThresholdEd25519CommitmentsById(raw.commitmentsById);\n const participantIds =\n normalizeThresholdEd25519ParticipantIds(raw.participantIds)\n \|\| [...THRESHOLD_ED25519_2P_PARTICIPANT_IDS];\n const relayerVerifyingSharesById = parseThresholdEd25519StringById(raw.relayerVerifyingSharesById);\n\n if (!isValidNumber(expiresAtMs)) return null;\n if (\n !mpcSessionId \|\|\n !relayerKeyId \|\|\n !signingDigestB64u \|\|\n !userId \|\|\n !rpId \|\|\n !clientVerifyingShareB64u \|\|\n !commitmentsById \|\|\n !relayerVerifyingSharesById\n ) {\n return null;\n }\n\n const mode = toOptionalString(raw.mode);\n if (mode !== 'cosigner') return null;\n\n const groupPublicKey = toOptionalString(raw.groupPublicKey);\n const cosignerIds = normalizeThresholdEd25519ParticipantIds(raw.cosignerIds);\n const cosignerRelayerUrlsById = parseThresholdEd25519StringById(raw.cosignerRelayerUrlsById);\n const cosignerCoordinatorGrantsById = parseThresholdEd25519StringById(raw.cosignerCoordinatorGrantsById);\n if (!groupPublicKey \|\| !cosignerIds \|\| !cosignerRelayerUrlsById \|\| !cosignerCoordinatorGrantsById) return null;\n return {\n mode: 'cosigner',\n expiresAtMs,\n mpcSessionId,\n relayerKeyId,\n signingDigestB64u,\n userId,\n rpId,\n clientVerifyingShareB64u,\n commitmentsById,\n participantIds,\n groupPublicKey,\n cosignerIds,\n cosignerRelayerUrlsById,\n cosignerCoordinatorGrantsById,\n relayerVerifyingSharesById,\n };\n}\n\nexport type ParsedThresholdEd25519AuthSessionRecord = {\n expiresAtMs: number;\n relayerKeyId: string;\n userId: string;\n rpId: string;\n participantIds: number[];\n};\n\nexport function parseThresholdEd25519AuthSessionRecord(raw: unknown): ParsedThresholdEd25519AuthSessionRecord \| null {\n if (!isObject(raw)) return null;\n const expiresAtMs = raw.expiresAtMs;\n const relayerKeyId = toOptionalString(raw.relayerKeyId);\n const userId = toOptionalString(raw.userId);\n const rpId = toOptionalString(raw.rpId);\n const participantIds =\n normalizeThresholdEd25519ParticipantIds(raw.participantIds)\n \|\| [...THRESHOLD_ED25519_2P_PARTICIPANT_IDS];\n if (!isValidNumber(expiresAtMs)) return null;\n if (!relayerKeyId \|\| !userId \|\| !rpId) return null;\n return { expiresAtMs, relayerKeyId, userId, rpId, participantIds };\n}\n\nexport type ThresholdEd25519SessionClaims = {\n sub: string;\n kind: 'threshold_ed25519_session_v1';\n sessionId: string;\n relayerKeyId: string;\n rpId: string;\n};\n\nexport function parseThresholdEd25519SessionClaims(raw: unknown): ThresholdEd25519SessionClaims \| null {\n if (!isObject(raw)) return null;\n const kind = toOptionalString(raw.kind);\n if (kind !== 'threshold_ed25519_session_v1') return null;\n const sub = toOptionalString(raw.sub);\n const sessionId = toOptionalString(raw.sessionId);\n const relayerKeyId = toOptionalString(raw.relayerKeyId);\n const rpId = toOptionalString(raw.rpId);\n if (!sub \|\| !sessionId \|\| !relayerKeyId \|\| !rpId) return null;\n return { sub, kind, sessionId, relayerKeyId, rpId };\n}\n\nexport function normalizeByteArray32(input: unknown): Uint8Array \| null {\n if (input instanceof Uint8Array) {\n return input.length === 32 ? input : null;\n }\n if (!Array.isArray(input) \|\| input.length !== 32) return null;\n const out = new Uint8Array(32);\n for (let i = 0; i < 32; i++) {\n const v = Number(input[i]);\n if (!Number.isFinite(v) \|\| v < 0 \|\| v > 255) return null;\n out[i] = v;\n }\n return out;\n}\n\nexport function bytesEqual32(a: Uint8Array, b: Uint8Array): boolean {\n if (a.length !== 32 \|\| b.length !== 32) return false;\n for (let i = 0; i < 32; i++) {\n if (a[i] !== b[i]) return false;\n }\n return true;\n}\n\nexport function toNearPublicKeyStr(v: unknown): string {\n return ensureEd25519Prefix(toOptionalString(v));\n}\n\nexport function normalizeActionForIntentDigest(a: unknown): Record<string, unknown> {\n if (!isObject(a)) return { action_type: '' };\n const actionType = toOptionalString(a.action_type);\n switch (actionType) {\n case 'FunctionCall':\n return {\n action_type: actionType,\n args: toOptionalString(a.args),\n deposit: toOptionalString(a.deposit),\n gas: toOptionalString(a.gas),\n method_name: toOptionalString(a.method_name),\n };\n case 'Transfer':\n return { action_type: actionType, deposit: toOptionalString(a.deposit) };\n case 'Stake':\n return { action_type: actionType, stake: toOptionalString(a.stake), public_key: toOptionalString(a.public_key) };\n case 'AddKey':\n return { action_type: actionType, public_key: toOptionalString(a.public_key), access_key: toOptionalString(a.access_key) };\n case 'DeleteKey':\n return { action_type: actionType, public_key: toOptionalString(a.public_key) };\n case 'DeleteAccount':\n return { action_type: actionType, beneficiary_id: toOptionalString(a.beneficiary_id) };\n case 'DeployContract':\n return { action_type: actionType, code: Array.isArray(a.code) ? a.code : [] };\n case 'DeployGlobalContract':\n return {\n action_type: actionType,\n code: Array.isArray(a.code) ? a.code : [],\n deploy_mode: toOptionalString(a.deploy_mode),\n };\n case 'UseGlobalContract':\n return {\n action_type: actionType,\n account_id: toOptionalString(a.account_id) \|\| undefined,\n code_hash: toOptionalString(a.code_hash) \|\| undefined,\n };\n case 'CreateAccount':\n case 'SignedDelegate':\n default:\n return { action_type: actionType };\n }\n}\n\nexport function extractAuthorizeSigningPublicKey(purpose: string, signingPayload: unknown): string {\n if (!isObject(signingPayload)) return '';\n if (purpose === 'near_tx') {\n const ctx = isObject(signingPayload.transactionContext) ? signingPayload.transactionContext : null;\n return toNearPublicKeyStr(ctx?.nearPublicKeyStr);\n }\n if (purpose === 'nep461_delegate') {\n const delegate = isObject(signingPayload.delegate) ? signingPayload.delegate : null;\n return toNearPublicKeyStr(delegate?.publicKey);\n }\n return '';\n}\n\nexport async function ensureRelayerKeyIsActiveAccessKey(input: {\n nearAccountId: unknown;\n relayerPublicKey: unknown;\n expectedSigningPublicKey?: unknown;\n viewAccessKeyList: (accountId: string) => Promise<AccessKeyList>;\n}): Promise<ThresholdValidationResult> {\n const nearAccountId = toOptionalString(input.nearAccountId);\n const relayerPublicKey = toNearPublicKeyStr(input.relayerPublicKey);\n const expectedSigningPublicKey = toNearPublicKeyStr(input.expectedSigningPublicKey);\n if (!nearAccountId) return { ok: false, code: 'invalid_body', message: 'nearAccountId is required' };\n if (!relayerPublicKey) return { ok: false, code: 'internal', message: 'Missing relayer public key for relayerKeyId' };\n\n if (expectedSigningPublicKey && expectedSigningPublicKey !== relayerPublicKey) {\n return { ok: false, code: 'unauthorized', message: 'relayerKeyId does not match signingPayload public key' };\n }\n\n try {\n const list = await input.viewAccessKeyList(nearAccountId);\n const keys = list.keys \|\| [];\n const found = keys.some((k) => toNearPublicKeyStr(k.public_key) === relayerPublicKey);\n if (!found) {\n return { ok: false, code: 'unauthorized', message: 'relayerKeyId public key is not an active access key for nearAccountId' };\n }\n return { ok: true };\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e \|\| 'Failed to query NEAR access keys');\n return { ok: false, code: 'internal', message: `Failed to verify access key scope: ${msg}` };\n }\n}\n\ntype NearTxAuthorizeSigningPayload = {\n kind?: string;\n txSigningRequests: Array<{\n nearAccountId: string;\n receiverId: string;\n actions: unknown[];\n }>;\n transactionContext: {\n nearPublicKeyStr: string;\n nextNonce: string;\n txBlockHash: string;\n txBlockHeight?: string;\n };\n};\n\ntype Nep461DelegateAuthorizeSigningPayload = {\n kind?: string;\n delegate: {\n senderId: string;\n receiverId: string;\n actions: unknown[];\n nonce: string;\n maxBlockHeight: string;\n publicKey: string;\n };\n};\n\ntype Nep413AuthorizeSigningPayload = {\n kind?: string;\n nearAccountId: string;\n message: string;\n recipient: string;\n nonce: string;\n state?: string;\n};\n\nexport async function verifyThresholdEd25519AuthorizeSigningPayload(input: {\n purpose: string;\n signingPayload: unknown;\n signingDigest32: Uint8Array;\n intentDigest32: Uint8Array;\n userId: string;\n ensureSignerWasm: () => Promise<void>;\n computeNearTxSigningDigests: (payload: unknown) => unknown;\n computeDelegateSigningDigest: (payload: unknown) => unknown;\n computeNep413SigningDigest: (payload: unknown) => unknown;\n}): Promise<ThresholdValidationResult> {\n const purpose = input.purpose;\n const signingPayload = input.signingPayload;\n if (!isObject(signingPayload)) {\n return { ok: false, code: 'invalid_body', message: 'signingPayload (object) is required for threshold authorization' };\n }\n\n const kind = toOptionalString(signingPayload.kind);\n const expectedKind = purpose;\n if (kind && kind !== expectedKind) {\n return { ok: false, code: 'invalid_body', message: `signingPayload.kind must match purpose (${expectedKind})` };\n }\n\n // 1) Recompute intent_digest_32 from signingPayload and compare to VRF-bound digest.\n let intentDigest32Computed: Uint8Array;\n try {\n if (purpose === 'near_tx') {\n const payload = signingPayload as Partial<NearTxAuthorizeSigningPayload>;\n const txs = payload.txSigningRequests;\n if (!Array.isArray(txs) \|\| !txs.length) throw new Error('signingPayload.txSigningRequests is required');\n const nearAccountId = toOptionalString(txs[0]?.nearAccountId);\n if (!nearAccountId) throw new Error('txSigningRequests[0].nearAccountId is required');\n for (const tx of txs) {\n if (toOptionalString(tx?.nearAccountId) !== nearAccountId) {\n throw new Error('All txSigningRequests[].nearAccountId must match');\n }\n }\n if (nearAccountId !== input.userId) throw new Error('txSigningRequests[].nearAccountId must match vrf_data.user_id');\n const txInputs = txs.map((tx) => ({\n receiverId: toOptionalString(tx?.receiverId),\n actions: Array.isArray(tx?.actions) ? tx.actions.map((a) => normalizeActionForIntentDigest(a)) : [],\n }));\n const json = alphabetizeStringify(txInputs);\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else if (purpose === 'nep461_delegate') {\n const payload = signingPayload as Partial<Nep461DelegateAuthorizeSigningPayload>;\n const d = payload.delegate;\n if (!isObject(d)) throw new Error('signingPayload.delegate is required');\n const senderId = toOptionalString(d.senderId);\n if (!senderId) throw new Error('delegate.senderId is required');\n if (senderId !== input.userId) throw new Error('delegate.senderId must match vrf_data.user_id');\n const txInputs = [{\n receiverId: toOptionalString(d.receiverId),\n actions: Array.isArray(d.actions) ? d.actions.map((a) => normalizeActionForIntentDigest(a)) : [],\n }];\n const json = alphabetizeStringify(txInputs);\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else if (purpose === 'nep413') {\n const payload = signingPayload as Partial<Nep413AuthorizeSigningPayload>;\n const nearAccountId = toOptionalString(payload.nearAccountId);\n if (!nearAccountId) throw new Error('signingPayload.nearAccountId is required');\n if (nearAccountId !== input.userId) throw new Error('signingPayload.nearAccountId must match vrf_data.user_id');\n const recipient = toOptionalString(payload.recipient);\n const message = toOptionalString(payload.message);\n const json = alphabetizeStringify({ kind: 'nep413', nearAccountId, recipient, message });\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else {\n throw new Error(`Unsupported purpose: ${purpose}`);\n }\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e \|\| 'Failed to recompute intent digest');\n return { ok: false, code: 'invalid_body', message: msg };\n }\n\n if (intentDigest32Computed.length !== 32) {\n return { ok: false, code: 'internal', message: `Computed intent digest is not 32 bytes (got ${intentDigest32Computed.length})` };\n }\n if (!bytesEqual32(intentDigest32Computed, input.intentDigest32)) {\n return { ok: false, code: 'intent_digest_mismatch', message: 'signingPayload does not match vrf_data.intent_digest_32' };\n }\n\n // 2) Recompute signing_digest_32 from signingPayload and compare to requested signing digest.\n let signingDigest32Computed: Uint8Array[];\n try {\n await input.ensureSignerWasm();\n signingDigest32Computed = (() => {\n if (purpose === 'near_tx') {\n const digestsUnknown: unknown = input.computeNearTxSigningDigests(signingPayload);\n if (!Array.isArray(digestsUnknown)) throw new Error('near_tx digest recomputation failed');\n return digestsUnknown.map((d, i) => {\n const bytes = normalizeByteArray32(d);\n if (!bytes) throw new Error(`near_tx digest[${i}] is not 32 bytes`);\n return bytes;\n });\n }\n if (purpose === 'nep461_delegate') {\n const digestUnknown: unknown = input.computeDelegateSigningDigest(signingPayload);\n const bytes = normalizeByteArray32(digestUnknown);\n if (!bytes) throw new Error('nep461_delegate digest is not 32 bytes');\n return [bytes];\n }\n if (purpose === 'nep413') {\n const digestUnknown: unknown = input.computeNep413SigningDigest(signingPayload);\n const bytes = normalizeByteArray32(digestUnknown);\n if (!bytes) throw new Error('nep413 digest is not 32 bytes');\n return [bytes];\n }\n throw new Error(`Unsupported purpose: ${purpose}`);\n })();\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e \|\| 'Failed to recompute signing digest');\n return { ok: false, code: 'invalid_body', message: msg };\n }\n\n const match = signingDigest32Computed.some((d) => bytesEqual32(d, input.signingDigest32));\n if (!match) {\n return { ok: false, code: 'signing_digest_mismatch', message: 'signingPayload does not match signing_digest_32' };\n }\n\n return { ok: true };\n}\n\nexport type ThresholdAuthorizeSigningDigestOnlyOk = { ok: true; intentDigest32: Uint8Array };\nexport type ThresholdAuthorizeSigningDigestOnlyResult = ThresholdAuthorizeSigningDigestOnlyOk \| ThresholdValidationErr;\n\nexport async function verifyThresholdEd25519AuthorizeSigningPayloadSigningDigestOnly(input: {\n purpose: string;\n signingPayload: unknown;\n signingDigest32: Uint8Array;\n userId: string;\n ensureSignerWasm: () => Promise<void>;\n computeNearTxSigningDigests: (payload: unknown) => unknown;\n computeDelegateSigningDigest: (payload: unknown) => unknown;\n computeNep413SigningDigest: (payload: unknown) => unknown;\n}): Promise<ThresholdAuthorizeSigningDigestOnlyResult> {\n const purpose = input.purpose;\n const signingPayload = input.signingPayload;\n if (!isObject(signingPayload)) {\n return { ok: false, code: 'invalid_body', message: 'signingPayload (object) is required for threshold authorization' };\n }\n\n const kind = toOptionalString(signingPayload.kind);\n const expectedKind = purpose;\n if (kind && kind !== expectedKind) {\n return { ok: false, code: 'invalid_body', message: `signingPayload.kind must match purpose (${expectedKind})` };\n }\n\n // 1) Recompute intent_digest_32 from signingPayload (not VRF-bound in session mode).\n let intentDigest32Computed: Uint8Array;\n try {\n if (purpose === 'near_tx') {\n const payload = signingPayload as Partial<NearTxAuthorizeSigningPayload>;\n const txs = payload.txSigningRequests;\n if (!Array.isArray(txs) \|\| !txs.length) throw new Error('signingPayload.txSigningRequests is required');\n const nearAccountId = toOptionalString(txs[0]?.nearAccountId);\n if (!nearAccountId) throw new Error('txSigningRequests[0].nearAccountId is required');\n for (const tx of txs) {\n if (toOptionalString(tx?.nearAccountId) !== nearAccountId) {\n throw new Error('All txSigningRequests[].nearAccountId must match');\n }\n }\n if (nearAccountId !== input.userId) throw new Error('txSigningRequests[].nearAccountId must match session user');\n const txInputs = txs.map((tx) => ({\n receiverId: toOptionalString(tx?.receiverId),\n actions: Array.isArray(tx?.actions) ? tx.actions.map((a) => normalizeActionForIntentDigest(a)) : [],\n }));\n const json = alphabetizeStringify(txInputs);\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else if (purpose === 'nep461_delegate') {\n const payload = signingPayload as Partial<Nep461DelegateAuthorizeSigningPayload>;\n const d = payload.delegate;\n if (!isObject(d)) throw new Error('signingPayload.delegate is required');\n const senderId = toOptionalString(d.senderId);\n if (!senderId) throw new Error('delegate.senderId is required');\n if (senderId !== input.userId) throw new Error('delegate.senderId must match session user');\n const txInputs = [{\n receiverId: toOptionalString(d.receiverId),\n actions: Array.isArray(d.actions) ? d.actions.map((a) => normalizeActionForIntentDigest(a)) : [],\n }];\n const json = alphabetizeStringify(txInputs);\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else if (purpose === 'nep413') {\n const payload = signingPayload as Partial<Nep413AuthorizeSigningPayload>;\n const nearAccountId = toOptionalString(payload.nearAccountId);\n if (!nearAccountId) throw new Error('signingPayload.nearAccountId is required');\n if (nearAccountId !== input.userId) throw new Error('signingPayload.nearAccountId must match session user');\n const recipient = toOptionalString(payload.recipient);\n const message = toOptionalString(payload.message);\n const json = alphabetizeStringify({ kind: 'nep413', nearAccountId, recipient, message });\n intentDigest32Computed = await sha256BytesUtf8(json);\n } else {\n throw new Error(`Unsupported purpose: ${purpose}`);\n }\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e \|\| 'Failed to recompute intent digest');\n return { ok: false, code: 'invalid_body', message: msg };\n }\n\n if (intentDigest32Computed.length !== 32) {\n return { ok: false, code: 'internal', message: `Computed intent digest is not 32 bytes (got ${intentDigest32Computed.length})` };\n }\n\n // 2) Recompute signing_digest_32 from signingPayload and compare to requested signing digest.\n let signingDigest32Computed: Uint8Array[];\n try {\n await input.ensureSignerWasm();\n signingDigest32Computed = (() => {\n if (purpose === 'near_tx') {\n const digestsUnknown: unknown = input.computeNearTxSigningDigests(signingPayload);\n if (!Array.isArray(digestsUnknown)) throw new Error('near_tx digest recomputation failed');\n return digestsUnknown.map((d, i) => {\n const bytes = normalizeByteArray32(d);\n if (!bytes) throw new Error(`near_tx digest[${i}] is not 32 bytes`);\n return bytes;\n });\n }\n if (purpose === 'nep461_delegate') {\n const digestUnknown: unknown = input.computeDelegateSigningDigest(signingPayload);\n const bytes = normalizeByteArray32(digestUnknown);\n if (!bytes) throw new Error('nep461_delegate digest is not 32 bytes');\n return [bytes];\n }\n if (purpose === 'nep413') {\n const digestUnknown: unknown = input.computeNep413SigningDigest(signingPayload);\n const bytes = normalizeByteArray32(digestUnknown);\n if (!bytes) throw new Error('nep413 digest is not 32 bytes');\n return [bytes];\n }\n throw new Error(`Unsupported purpose: ${purpose}`);\n })();\n } catch (e: unknown) {\n const msg = String((e && typeof e === 'object' && 'message' in e) ? (e as { message?: unknown }).message : e \|\| 'Failed to recompute signing digest');\n return { ok: false, code: 'invalid_body', message: msg };\n }\n\n const match = signingDigest32Computed.some((d) => bytesEqual32(d, input.signingDigest32));\n if (!match) {\n return { ok: false, code: 'signing_digest_mismatch', message: 'signingPayload does not match signing_digest_32' };\n }\n\n return { ok: true, intentDigest32: intentDigest32Computed };\n}\n","import type {\n ThresholdEd25519AuthorizeRequest,\n ThresholdEd25519AuthorizeWithSessionRequest,\n} from '../core/types';\nimport { parseThresholdEd25519SessionClaims } from '../core/ThresholdService/validation';\nimport type { SessionAdapter } from './relay';\n\ntype PlainObject = Record<string, unknown>;\ntype AuthorizeErr = { ok: false; code: 'sessions_disabled' \| 'unauthorized'; message: string };\n\nfunction isPlainObject(input: unknown): input is PlainObject {\n return !!input && typeof input === 'object' && !Array.isArray(input);\n}\n\nexport function summarizeVrfData(input: unknown): Record<string, unknown> \| undefined {\n if (!isPlainObject(input)) return undefined;\n const user_id = typeof input.user_id === 'string' ? input.user_id : undefined;\n const rp_id = typeof input.rp_id === 'string' ? input.rp_id : undefined;\n const block_height = typeof input.block_height === 'number' ? input.block_height : undefined;\n const has_intent_digest_32 = Array.isArray(input.intent_digest_32) ? true : undefined;\n const intent_digest_32_len = Array.isArray(input.intent_digest_32) ? input.intent_digest_32.length : undefined;\n const has_session_policy_digest_32 = Array.isArray(input.session_policy_digest_32) ? true : undefined;\n const session_policy_digest_32_len = Array.isArray(input.session_policy_digest_32) ? input.session_policy_digest_32.length : undefined;\n return {\n ...(user_id ? { user_id } : {}),\n ...(rp_id ? { rp_id } : {}),\n ...(block_height != null ? { block_height } : {}),\n ...(has_intent_digest_32 != null ? { has_intent_digest_32 } : {}),\n ...(intent_digest_32_len != null ? { intent_digest_32_len } : {}),\n ...(has_session_policy_digest_32 != null ? { has_session_policy_digest_32 } : {}),\n ...(session_policy_digest_32_len != null ? { session_policy_digest_32_len } : {}),\n };\n}\n\nfunction looksLikeWebauthnAuthorizeBody(input: unknown): boolean {\n if (!isPlainObject(input)) return false;\n return isPlainObject(input.vrf_data) && isPlainObject(input.webauthn_authentication);\n}\n\nexport type ThresholdEd25519AuthorizeInputs =\n \| { ok: true; mode: 'webauthn'; request: ThresholdEd25519AuthorizeRequest }\n \| {\n ok: true;\n mode: 'session';\n sessionId: string;\n userId: string;\n request: ThresholdEd25519AuthorizeWithSessionRequest;\n }\n \| AuthorizeErr;\n\nexport async function validateThresholdEd25519AuthorizeInputs(input: {\n body: unknown;\n headers: Record<string, string \| string[] \| undefined>;\n session: SessionAdapter \| null \| undefined;\n}): Promise<ThresholdEd25519AuthorizeInputs> {\n if (looksLikeWebauthnAuthorizeBody(input.body)) {\n return { ok: true, mode: 'webauthn', request: input.body as ThresholdEd25519AuthorizeRequest };\n }\n\n const session = input.session;\n if (!session) {\n return { ok: false, code: 'sessions_disabled', message: 'Sessions are not configured on this server' };\n }\n\n const parsed = await session.parse(input.headers);\n if (!parsed.ok) {\n return { ok: false, code: 'unauthorized', message: 'Missing or invalid threshold session token' };\n }\n\n const claims = parseThresholdEd25519SessionClaims(parsed.claims);\n if (!claims) {\n return { ok: false, code: 'unauthorized', message: 'Invalid threshold session token claims' };\n }\n\n const requestBody = isPlainObject(input.body) ? input.body : {};\n return {\n ok: true,\n mode: 'session',\n sessionId: claims.sessionId,\n userId: claims.sub,\n request: requestBody as unknown as ThresholdEd25519AuthorizeWithSessionRequest,\n };\n}\n","import type { Request, Response, Router as ExpressRouter } from 'express';\nimport type { ExpressRelayContext } from '../createRelayRouter';\nimport type {\n ThresholdEd25519CosignFinalizeRequest,\n ThresholdEd25519CosignInitRequest,\n ThresholdEd25519KeygenRequest,\n ThresholdEd25519SignFinalizeRequest,\n ThresholdEd25519SignInitRequest,\n ThresholdEd25519SessionRequest,\n} from '../../../core/types';\nimport { thresholdEd25519StatusCode } from '../../../threshold/statusCodes';\nimport { parseSessionKind } from '../../relay';\nimport {\n summarizeVrfData,\n validateThresholdEd25519AuthorizeInputs,\n} from '../../commonRouterUtils';\n\nfunction errMessage(e: unknown): string {\n if (e && typeof e === 'object' && 'message' in e) return String((e as { message?: unknown }).message \|\| 'Internal error');\n return String(e \|\| 'Internal error');\n}\n\nasync function handle<T extends { ok: boolean; code?: string; message?: string }>(\n ctx: ExpressRelayContext,\n req: Request,\n res: Response,\n route: string,\n requestMeta: Record<string, unknown>,\n fn: () => Promise<T>\n): Promise<void> {\n try {\n ctx.logger.info('[threshold-ed25519] request', {\n route,\n method: req.method,\n ...(requestMeta \|\| {}),\n });\n const result = await fn();\n const status = thresholdEd25519StatusCode(result);\n ctx.logger.info('[threshold-ed25519] response', {\n route,\n status,\n ok: result.ok,\n ...(result.code ? { code: result.code } : {}),\n });\n res.status(status).json(result);\n } catch (e: unknown) {\n ctx.logger.error('[threshold-ed25519] error', {\n route,\n message: errMessage(e),\n ...(requestMeta \|\| {}),\n });\n res.status(500).json({ ok: false, code: 'internal', message: errMessage(e) });\n }\n}\n\nexport function registerThresholdEd25519Routes(router: ExpressRouter, ctx: ExpressRelayContext): void {\n ctx.logger.info('[threshold-ed25519] routes', {\n enabled: Boolean(ctx.opts.threshold),\n });\n\n // Threshold Ed25519 (2-party) routes (scaffolding).\n // These routes establish the relayer as a co-signer and will eventually run a 2-round FROST flow.\n router.get('/threshold-ed25519/healthz', async (req: Request, res: Response) => {\n await handle(ctx, req, res, '/threshold-ed25519/healthz', {}, async () => {\n const threshold = ctx.opts.threshold;\n if (!threshold) {\n return {\n ok: false,\n configured: false,\n code: 'threshold_disabled',\n message: 'Threshold signing is not configured on this server',\n };\n }\n return { ok: true, configured: true };\n });\n });\n\n router.post('/threshold-ed25519/keygen', async (req: Request, res: Response) => {\n const body = (req.body \|\| {}) as ThresholdEd25519KeygenRequest;\n await handle(ctx, req, res, '/threshold-ed25519/keygen', {\n nearAccountId: typeof body.nearAccountId === 'string' ? body.nearAccountId : undefined,\n clientVerifyingShareB64u_len: typeof body.clientVerifyingShareB64u === 'string' ? body.clientVerifyingShareB64u.length : undefined,\n registrationTxHash: ('registrationTxHash' in body && typeof body.registrationTxHash === 'string') ? body.registrationTxHash : undefined,\n vrf_data: summarizeVrfData((body as unknown as { vrf_data?: unknown }).vrf_data),\n }, async () => {\n const threshold = ctx.opts.threshold;\n if (!threshold) {\n return { ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' };\n }\n return threshold.thresholdEd25519Keygen(body);\n });\n });\n\n router.post('/threshold-ed25519/session', async (req: Request, res: Response) => {\n const body = (req.body \|\| {}) as ThresholdEd25519SessionRequest;\n await handle(ctx, req, res, '/threshold-ed25519/session', {\n relayerKeyId: typeof body.relayerKeyId === 'string' ? body.relayerKeyId : undefined,\n clientVerifyingShareB64u_len: typeof body.clientVerifyingShareB64u === 'string' ? body.clientVerifyingShareB64u.length : undefined,\n sessionPolicy: body.sessionPolicy ? { version: body.sessionPolicy.version } : undefined,\n vrf_data: summarizeVrfData((body as { vrf_data?: unknown }).vrf_data),\n }, async () => {\n const threshold = ctx.opts.threshold;\n if (!threshold) {\n return { ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' };\n }\n const session = ctx.opts.session;\n if (!session) {\n return { ok: false, code: 'sessions_disabled', message: 'Sessions are not configured on this server' };\n }\n\n const result = await threshold.thresholdEd25519Session(body);\n if (!result.ok) return result;\n\n const sessionId = String(result.sessionId \|\| '').trim();\n if (!sessionId) {\n return { ok: false, code: 'internal', message: 'threshold session missing sessionId' };\n }\n\n const userId = body.vrf_data.user_id;\n const rpId = body.vrf_data.rp_id;\n const relayerKeyId = body.relayerKeyId;\n const token = await session.signJwt(userId, {\n kind: 'threshold_ed25519_session_v1',\n sessionId,\n relayerKeyId,\n rpId,\n });\n\n const sessionKind = parseSessionKind(body);\n if (sessionKind === 'cookie') {\n res.set('Set-Cookie', session.buildSetCookie(token));\n const { jwt: _omit, ...rest } = result;\n return { ...rest, ok: true };\n }\n\n return { ...result, jwt: token };\n });\n });\n\n router.post('/threshold-ed25519/authorize', async (req: Request, res: Response) => {\n const bodyUnknown = (req.body \|\| {}) as unknown;\n const body = (bodyUnknown \|\| {}) as Record<string, unknown>;\n await handle(ctx, req, res, '/threshold-ed25519/authorize', {\n relayerKeyId: typeof body.relayerKeyId === 'string' ? body.relayerKeyId : undefined,\n clientVerifyingShareB64u_len: typeof body.clientVerifyingShareB64u === 'string' ? body.clientVerifyingShareB64u.length : undefined,\n purpose: typeof body.purpose === 'string' ? body.purpose : undefined,\n signing_digest_32_len: Array.isArray(body.signing_digest_32) ? body.signing_digest_32.length : undefined,\n vrf_data: summarizeVrfData(body.vrf_data),\n }, async () => {\n const threshold = ctx.opts.threshold;\n if (!threshold) {\n return { ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' };\n }\n\n const validated = await validateThresholdEd25519AuthorizeInputs({\n body: bodyUnknown,\n headers: req.headers \|\| {},\n session: ctx.opts.session,\n });\n if (!validated.ok) return validated;\n\n if (validated.mode === 'webauthn') {\n return threshold.authorizeThresholdEd25519(validated.request);\n }\n\n return threshold.authorizeThresholdEd25519WithSession({\n sessionId: validated.sessionId,\n userId: validated.userId,\n request: validated.request,\n });\n });\n });\n\n router.post('/threshold-ed25519/sign/init', async (req: Request, res: Response) => {\n const body = (req.body \|\| {}) as ThresholdEd25519SignInitRequest;\n await handle(ctx, req, res, '/threshold-ed25519/sign/init', {\n mpcSessionId: typeof body.mpcSessionId === 'string' ? body.mpcSessionId : undefined,\n relayerKeyId: typeof body.relayerKeyId === 'string' ? body.relayerKeyId : undefined,\n nearAccountId: typeof body.nearAccountId === 'string' ? body.nearAccountId : undefined,\n signingDigestB64u_len: typeof body.signingDigestB64u === 'string' ? body.signingDigestB64u.length : undefined,\n }, async () => {\n const threshold = ctx.opts.threshold;\n if (!threshold) {\n return { ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' };\n }\n return threshold.thresholdEd25519SignInit(body);\n });\n });\n\n router.post('/threshold-ed25519/sign/finalize', async (req: Request, res: Response) => {\n const body = (req.body \|\| {}) as ThresholdEd25519SignFinalizeRequest;\n await handle(ctx, req, res, '/threshold-ed25519/sign/finalize', {\n signingSessionId: typeof body.signingSessionId === 'string' ? body.signingSessionId : undefined,\n clientSignatureShareB64u_len: typeof body.clientSignatureShareB64u === 'string' ? body.clientSignatureShareB64u.length : undefined,\n }, async () => {\n const threshold = ctx.opts.threshold;\n if (!threshold) {\n return { ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' };\n }\n return threshold.thresholdEd25519SignFinalize(body);\n });\n });\n\n // Internal coordinator → cosigner route (feature-gated by shared secret).\n router.post('/threshold-ed25519/internal/cosign/init', async (req: Request, res: Response) => {\n const body = (req.body \|\| {}) as ThresholdEd25519CosignInitRequest;\n await handle(ctx, req, res, '/threshold-ed25519/internal/cosign/init', {\n coordinatorGrant_len: typeof body.coordinatorGrant === 'string' ? body.coordinatorGrant.length : undefined,\n signingSessionId: typeof body.signingSessionId === 'string' ? body.signingSessionId : undefined,\n cosignerShareB64u_len: typeof body.cosignerShareB64u === 'string' ? body.cosignerShareB64u.length : undefined,\n }, async () => {\n const threshold = ctx.opts.threshold;\n if (!threshold) {\n return { ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' };\n }\n if (!threshold.thresholdEd25519CosignInit) {\n return { ok: false, code: 'not_found', message: 'threshold-ed25519 cosigner endpoints are not enabled on this server' };\n }\n return threshold.thresholdEd25519CosignInit(body);\n });\n });\n\n router.post('/threshold-ed25519/internal/cosign/finalize', async (req: Request, res: Response) => {\n const body = (req.body \|\| {}) as ThresholdEd25519CosignFinalizeRequest;\n await handle(ctx, req, res, '/threshold-ed25519/internal/cosign/finalize', {\n coordinatorGrant_len: typeof body.coordinatorGrant === 'string' ? body.coordinatorGrant.length : undefined,\n signingSessionId: typeof body.signingSessionId === 'string' ? body.signingSessionId : undefined,\n cosignerIds_len: Array.isArray(body.cosignerIds) ? body.cosignerIds.length : undefined,\n }, async () => {\n const threshold = ctx.opts.threshold;\n if (!threshold) {\n return { ok: false, code: 'threshold_disabled', message: 'Threshold signing is not configured on this server' };\n }\n if (!threshold.thresholdEd25519CosignFinalize) {\n return { ok: false, code: 'not_found', message: 'threshold-ed25519 cosigner endpoints are not enabled on this server' };\n }\n return threshold.thresholdEd25519CosignFinalize(body);\n });\n });\n}\n","import type { Router as ExpressRouter } from 'express';\nimport { parseSessionKind } from '../../relay';\nimport type { ExpressRelayContext } from '../createRelayRouter';\n\nexport function registerVerifyAuthenticationResponse(router: ExpressRouter, ctx: ExpressRelayContext): void {\n // VRF + WebAuthn session verification (VIEW call) + optional session issuance\n router.post('/verify-authentication-response', async (req: any, res: any) => {\n try {\n if (!req?.body) {\n res.status(400).json({ code: 'invalid_body', message: 'Request body is required' });\n return;\n }\n const body = req.body;\n const valid = body && body.vrf_data && body.webauthn_authentication;\n if (!valid) {\n res.status(400).json({ code: 'invalid_body', message: 'vrf_data and webauthn_authentication are required' });\n return;\n }\n const result = await ctx.service.verifyAuthenticationResponse(body);\n const status = result.success ? 200 : 400;\n if (status !== 200) {\n res.status(status).json({ code: 'not_verified', message: result.message \|\| 'Authentication verification failed' });\n return;\n }\n const sessionKind = parseSessionKind(body);\n const session = ctx.opts.session;\n if (session && result.verified) {\n try {\n const sub = String(body.vrf_data.user_id \|\| '');\n const token = await session.signJwt(sub, { rpId: body.vrf_data.rp_id, blockHeight: body.vrf_data.block_height });\n // Best-effort server log without sensitive data\n ctx.logger.info(`[relay] creating ${sessionKind === 'cookie' ? 'HttpOnly session' : 'JWT'} for`, sub);\n if (sessionKind === 'cookie') {\n res.set('Set-Cookie', session.buildSetCookie(token));\n const { jwt: _omit, ...rest } = result as any;\n res.status(200).json(rest);\n return;\n }\n res.status(200).json({ ...result, jwt: token });\n return;\n } catch (e: any) {\n // If session issuance fails, still return verification result\n }\n }\n res.status(200).json(result);\n } catch (e: any) {\n res.status(500).json({ code: 'internal', message: e?.message \|\| 'Internal error' });\n }\n });\n}\n","import type { Request, Response, Router as ExpressRouter } from 'express';\nimport type { ExpressRelayContext } from '../createRelayRouter';\n\nexport function registerWellKnownRoutes(router: ExpressRouter, ctx: ExpressRelayContext): void {\n // ROR manifest for Related Origin Requests (wallet-scoped credentials)\n const wellKnownPaths = ['/.well-known/webauthn', '/.well-known/webauthn/'];\n for (const p of wellKnownPaths) {\n router.get(p, async (_req: Request, res: Response) => {\n try {\n const origins = await ctx.service.getRorOrigins();\n res.set('Content-Type', 'application/json; charset=utf-8');\n // Short TTL + SWR so updates propagate while staying cache-friendly\n res.set('Cache-Control', 'max-age=60, stale-while-revalidate=600');\n res.status(200).send(JSON.stringify({ origins }));\n } catch (e: any) {\n res.status(200).json({ origins: [] });\n }\n });\n }\n}\n","import type { AuthService } from '../core/AuthService';\nimport type { RelayRouterOptions } from './relay';\n\nexport function resolveThresholdOption(service: AuthService, opts: RelayRouterOptions): RelayRouterOptions['threshold'] {\n // Preserve \"explicit null disables threshold\" semantics:\n // - `opts.threshold === null` => disabled\n // - `opts.threshold === undefined` => auto-wire from AuthService config\n return opts.threshold !== undefined ? opts.threshold : service.getThresholdSigningService();\n}\n\n","import type { Router as ExpressRouter } from 'express';\nimport express from 'express';\nimport type { AuthService } from '../../core/AuthService';\nimport type { DelegateActionPolicy } from '../../delegateAction';\nimport { ensureLeadingSlash } from '../../../utils/validation';\nimport type { RelayRouterOptions } from '../relay';\nimport type { NormalizedRouterLogger } from '../logger';\nimport { coerceRouterLogger } from '../logger';\nimport { installCors } from './cors';\nimport { registerCreateAccountAndRegisterUser } from './routes/createAccountAndRegisterUser';\nimport { registerHealthRoutes } from './routes/health';\nimport { registerRecoverEmailRoute } from './routes/recoverEmail';\nimport { registerSessionRoutes } from './routes/sessions';\nimport { registerShamirRoutes } from './routes/shamir';\nimport { registerSignedDelegateRoutes } from './routes/signedDelegate';\nimport { registerThresholdEd25519Routes } from './routes/thresholdEd25519';\nimport { registerVerifyAuthenticationResponse } from './routes/verifyAuthenticationResponse';\nimport { registerWellKnownRoutes } from './routes/wellKnown';\nimport { resolveThresholdOption } from '../routerOptions';\n\nexport interface ExpressRelayContext {\n service: AuthService;\n opts: RelayRouterOptions;\n logger: NormalizedRouterLogger;\n mePath: string;\n logoutPath: string;\n signedDelegatePath: string;\n signedDelegatePolicy?: DelegateActionPolicy;\n}\n\nexport function createRelayRouter(service: AuthService, opts: RelayRouterOptions = {}): ExpressRouter {\n const router = express.Router();\n\n const threshold = resolveThresholdOption(service, opts);\n const effectiveOpts: RelayRouterOptions = { ...opts, threshold };\n\n const mePath = effectiveOpts.sessionRoutes?.auth \|\| '/session/auth';\n const logoutPath = effectiveOpts.sessionRoutes?.logout \|\| '/session/logout';\n const logger = coerceRouterLogger(effectiveOpts.logger);\n let signedDelegatePath = '';\n if (effectiveOpts.signedDelegate) {\n signedDelegatePath = ensureLeadingSlash(effectiveOpts.signedDelegate.route) \|\| '/signed-delegate';\n }\n const signedDelegatePolicy = effectiveOpts.signedDelegate?.policy;\n\n installCors(router, effectiveOpts);\n\n const ctx: ExpressRelayContext = {\n service,\n opts: effectiveOpts,\n logger,\n mePath,\n logoutPath,\n signedDelegatePath,\n signedDelegatePolicy,\n };\n\n registerCreateAccountAndRegisterUser(router, ctx);\n registerSignedDelegateRoutes(router, ctx);\n registerShamirRoutes(router, ctx);\n registerVerifyAuthenticationResponse(router, ctx);\n registerThresholdEd25519Routes(router, ctx);\n registerSessionRoutes(router, ctx);\n registerRecoverEmailRoute(router, ctx);\n registerHealthRoutes(router, ctx);\n registerWellKnownRoutes(router, ctx);\n\n return router;\n}\n","import type { AuthService } from '../../core/AuthService';\nimport type { RouterLogger } from '../logger';\nimport { coerceRouterLogger } from '../logger';\n\nexport interface KeyRotationCronOptions {\n enabled?: boolean;\n intervalMinutes?: number;\n maxGraceKeys?: number;\n logger?: RouterLogger \| null;\n}\n\nexport function startKeyRotationCronjob(\n service: AuthService,\n opts: KeyRotationCronOptions = {},\n): { stop(): void } {\n const logger = coerceRouterLogger(opts.logger);\n const enabled = Boolean(opts.enabled);\n const intervalMinutes = Math.max(1, Number(opts.intervalMinutes \|\| 0) \|\| 60);\n const maxGraceKeys = Math.max(0, Number(opts.maxGraceKeys ?? 0) \|\| 0);\n\n let timer: any = null;\n let inFlight = false;\n\n const run = async () => {\n if (!enabled) return;\n if (inFlight) {\n logger.warn('[key-rotation-cron] previous rotation still running; skipping');\n return;\n }\n inFlight = true;\n try {\n const shamir = service.shamirService;\n if (!shamir \|\| !shamir.hasShamir()) {\n logger.warn('[key-rotation-cron] Shamir not configured; skipping rotation');\n return;\n }\n\n const rotation = await shamir.rotateShamirServerKeypair();\n logger.info('[key-rotation-cron] rotated key', {\n newKeyId: rotation.newKeyId,\n previousKeyId: rotation.previousKeyId,\n graceKeyIds: rotation.graceKeyIds,\n });\n\n if (maxGraceKeys > 0) {\n const graceKeyIds = shamir.getGraceKeyIds();\n if (graceKeyIds.length > maxGraceKeys) {\n const toRemove = graceKeyIds.slice(0, graceKeyIds.length - maxGraceKeys);\n for (const keyId of toRemove) {\n try {\n const removed = await shamir.removeGraceKeyInternal(keyId, { persist: true });\n logger.info('[key-rotation-cron] pruned grace key', { keyId, removed });\n } catch (e: any) {\n logger.warn('[key-rotation-cron] failed to prune grace key', { keyId, error: e?.message \|\| String(e) });\n }\n }\n }\n }\n } catch (e: any) {\n logger.error('[key-rotation-cron] rotation failed', { error: e?.message \|\| String(e) });\n } finally {\n inFlight = false;\n }\n };\n\n if (enabled) {\n timer = setInterval(() => { void run(); }, intervalMinutes 60_000);\n }\n\n return {\n stop() {\n if (timer) clearInterval(timer);\n timer = null;\n },\n };\n}\n"],"mappings":";;;;AAWA,SAAgB,iBAAiB,OAAwB;AACvD,QAAO,OAAO,UAAU,WAAW,QAAQ;;;AAmB7C,SAAgB,mBAAmB,OAAuB;CACxD,MAAM,UAAU,OAAO,SAAS,IAAI;AACpC,KAAI,CAAC,QAAS,QAAO;AACrB,QAAO,QAAQ,WAAW,OAAO,UAAU,IAAI;;AA6KjD,SAAgB,SAAS,GAAyB;AAChD,QAAO,OAAO,MAAM;;;;;ACjMtB,SAAS,KAAK,IAAiE;AAC7E,KAAI,CAAC,GAAI,cAAa;AACtB,SAAQ,GAAG,SAAoB;AAC7B,MAAI;AACF,MAAG,GAAG;UACA;;;;;;;;AAWZ,SAAgB,gBAAgB,QAA0C;AACxE,KAAI,CAAC,OACH,QAAO;EAAE,aAAa;EAAI,YAAY;EAAI,YAAY;EAAI,aAAa;;CAGzE,MAAMA,OAAe;CACrB,MAAM,MAAM,OAAO,KAAK,QAAQ,aAAa,KAAK,IAAI,KAAK,QAAQ;CAEnE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;CAC1E,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,OAAQ,OAAO,KAAK,SAAS,aAAa,KAAK,KAAK,KAAK,QAAQ;CACvE,MAAM,QAAS,OAAO,KAAK,UAAU,aAAa,KAAK,MAAM,KAAK,QAAQ;AAE1E,QAAO;EACL,OAAO,KAAK;EACZ,MAAM,KAAK;EACX,MAAM,KAAK;EACX,OAAO,KAAK;;;AAIhB,MAAa,eAAe;;;;AC/C5B,MAAa,qBAAqB;;;;ACmKlC,SAAgB,aAAa,OAA0B;CACrD,MAAM,sBAAM,IAAI;AAChB,MAAK,MAAM,OAAO,OAAO,SAAS,IAAI,MAAM,MAAM;EAChD,MAAM,IAAI,IAAI;AACd,MAAI,CAAC,EAAG;AACR,MAAI;GACF,MAAM,IAAI,IAAI,IAAI;GAClB,MAAM,OAAO,EAAE,SAAS;GACxB,MAAM,OAAO,EAAE,OAAO,IAAI,EAAE,SAAS;GACrC,MAAM,QAAQ,EAAE,aAAa,WAAW,EAAE,aAAa,WAAW,EAAE,WAAW;AAC/E,OAAI,IAAI,GAAG,MAAM,IAAI,OAAO;UACtB;GACN,MAAM,WAAW,EAAE,QAAQ,OAAO;AAClC,OAAI,SAAU,KAAI,IAAI;;;AAG1B,QAAO,MAAM,KAAK;;AAMpB,SAAgB,iBAAiB,GAAG,QAAmD;CACrF,MAAM,yBAAS,IAAI;AACnB,MAAK,MAAM,SAAS,OAClB,MAAK,MAAM,UAAU,aAAa,OAAQ,QAAO,IAAI;CAEvD,MAAM,OAAO,MAAM,KAAK;AACxB,QAAO,KAAK,SAAS,IAAI,OAAO;;;;;AChMlC,SAAS,SAAS,KAAe,MAA2B,KAAqB;AAC/E,KAAI,CAAC,MAAM,YAAa;CAExB,IAAIC;CACJ,MAAM,aAAa,iBAAiB,GAAI,KAAK,eAAe;AAC5D,KAAI,eAAe,KAAK;AACtB,kBAAgB;AAChB,MAAI,IAAI,+BAA+B;YAC9B,MAAM,QAAQ,aAAa;EACpC,MAAM,SAAS,OAAQ,KAAa,SAAS,UAAU,IAAI;AAC3D,MAAI,UAAU,WAAW,SAAS,SAAS;AACzC,mBAAgB;AAChB,OAAI,IAAI,+BAA+B;AACvC,OAAI,IAAI,QAAQ;;;AAIpB,KAAI,IAAI,gCAAgC;AACxC,KAAI,IAAI,gCAAgC;AAExC,KAAI,iBAAiB,kBAAkB,IACrC,KAAI,IAAI,oCAAoC;;AAIhD,SAAgB,YAAY,QAAuB,MAAgC;AAGjF,QAAO,KAAK,KAAc,KAAe,SAAc;AACrD,WAAS,KAAK,MAAM;EACpB,MAAM,SAAS,OAAQ,KAAa,UAAU,IAAI;AAClD,MAAI,KAAK,eAAe,WAAW,WAAW;AAC5C,OAAI,OAAO,KAAK,KAAK;AACrB;;AAEF;;;;;;ACnCJ,SAAgB,qCAAqC,QAAuB,KAAgC;AAC1G,QAAO,KAAK,qCAAqC,OAAO,KAAc,QAAkB;AACtF,MAAI;GACF,MAAM,EACJ,gBACA,gBACA,mBACA,UACA,uBACA,8BACA,0BACG,IAAI,QAAQ;AAEjB,OAAI,CAAC,kBAAkB,OAAO,mBAAmB,SAAU,OAAM,IAAI,MAAM;AAC3E,OAAI,CAAC,kBAAkB,OAAO,mBAAmB,SAAU,OAAM,IAAI,MAAM;AAC3E,OAAI,CAAC,YAAY,OAAO,aAAa,SAAU,OAAM,IAAI,MAAM;AAC/D,OAAI,CAAC,yBAAyB,OAAO,0BAA0B,SAAU,OAAM,IAAI,MAAM;GAEzF,MAAM,YAAY,IAAI,KAAK;GAC3B,MAAM,oCAAoC,mBAAmB,6BAA6B;GAC1F,IAAIC,kBAEO;GACX,IAAIC,mBAAkC;AAEtC,OAAI,kCACF,KAAI,CAAC,UACH,oBAAmB;QACd;IACL,MAAM,OAAO,OAAQ,SAAiD,UAAU,WAC5E,OAAQ,SAAiC,SAAS,MACjD,OAAQ,SAAgC,SAAS,WAAW,OAAQ,SAAgC,QAAQ,MAAM;AACvH,QAAI,CAAC,KAAK,OACR,oBAAmB;SACd;KACL,MAAM,MAAM,MAAM,UAAU,8CAA8C;MACxE,eAAe;MACf;MACA,0BAA0B;;AAE5B,SAAI,CAAC,IAAI,GACP,oBAAmB,IAAI,WAAW;SAElC,mBAAkB;;;GAM1B,MAAM,SAAS,MAAM,IAAI,QAAQ,6BAA6B;IAC5D;IACA;IACA;IACA;IACA;IACA;;GAGF,IAAIC,WAA2C;AAE/C,OAAI,OAAO,WAAW,aAAa,gBACjC,KAAI;AACF,UAAM,UAAU,sBAAsB;KACpC,cAAc,gBAAgB;KAC9B,WAAW,gBAAgB;KAC3B,yBAAyB,gBAAgB;KACzC,2BAA2B,gBAAgB;;AAE7C,eAAW;KACT,GAAG;KACH,kBAAkB;MAChB,cAAc,gBAAgB;MAC9B,WAAW,gBAAgB;MAC3B,2BAA2B,gBAAgB;MAC3C,qBAAqB,gBAAgB;MACrC,sBAAsB,gBAAgB;MACtC,gBAAgB,gBAAgB;;;YAG7BC,GAAY;AACnB,uBAAmB,qBAAsB,KAAK,OAAO,MAAM,YAAY,aAAa,IAChF,OAAQ,EAA4B,WAAW,0CAC/C,OAAO,KAAK;;AAIpB,OAAI,OAAO,WAAW,iBACpB,YAAW;IACT,GAAG;IACH,SAAS,GAAG,SAAS,WAAW,8CAA8C,kCAAkC,iBAAiB;;AAIrI,OAAI,SAAS,QAAS,KAAI,OAAO,KAAK,KAAK;OACtC,KAAI,OAAO,KAAK,KAAK;WACnBC,OAAgB;GACvB,MAAM,UAAW,SAAS,OAAO,UAAU,YAAY,aAAa,QAChE,OAAQ,MAAgC,WAAW,oBACnD;AACJ,OAAI,OAAO,KAAK,KAAK;IAAE,SAAS;IAAO,OAAO;;;;;;;;AC9FpD,eAAsB,sBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,aAAa,QAAQ,MAAM;AACjC,MAAI,CAAC,SAAS,eAAe,CAAC,WAC5B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAMC,MAAqC,MAAM,QAAQ,gBAAgB;EACzE,MAAM,QAAQ,QAAQ;AAEtB,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,GAAG;IAAK;;;UAE1BC,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SACA,SAC4E;AAC5E,KAAI;EACF,MAAM,OAAO,QAAQ;AACrB,MAAI,CAAC,KACH,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAGlC,MAAM,EAAE,aAAa,UAAU;AAC/B,MAAI,CAAC,SAAS,gBAAgB,CAAC,YAC7B,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAGlC,MAAI,CAAC,SAAS,UAAU,CAAC,MACvB,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;EAIlC,MAAM,gBAAgB,OAAO;EAC7B,MAAM,eAAe,QAAQ;EAC7B,IAAIC;AAEJ,MAAI,gBAAgB,kBAAkB,aACpC,OAAM,MAAM,QAAQ,iBAAiB;WAC5B,QAAQ,YAAY,eAC7B,OAAM,MAAM,QAAQ,6BAA6B,eAAe,EAAE;MAElE,QAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU,EAAE,OAAO;;AAIlC,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;;UAEhBD,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;AAK5D,eAAsB,uBACpB,SAC4E;AAC5E,KAAI;AACF,QAAM,QAAQ;EACd,MAAM,eAAe,QAAQ;EAC7B,MAAM,cAAc,QAAQ;AAE5B,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IACnB;IACA,QAAQ,QAAQ,mBAAmB,iBAAiB;IACpD;;;UAGGA,GAAQ;AACf,SAAO;GACL,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,MAAM,KAAK,UAAU;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;;;;ACpH5D,SAAgB,qBAAqB,QAAuB,KAAgC;AAC1F,KAAI,IAAI,KAAK,QACX,QAAO,IAAI,YAAY,OAAO,MAAe,QAAkB;EAC7D,MAAM,SAAS,IAAI,QAAQ;EAC3B,MAAM,mBAAmB,QAAQ,UAAU,OAAO;EAClD,MAAM,sBAAsB,QAAQ,IAAI,KAAK;EAC7C,IAAIE,eAA8B;AAClC,MAAI,oBAAoB,OACtB,KAAI;GACF,MAAM,UAAU,KAAK,OAAO,MAAM,uBAAuB,SAAS;AAClE,kBAAe,QAAQ,gBAAgB;UACjC;EAGV,MAAM,gBAAgB,IAAI,QAAQ,eAAe,+BAA+B;EAChF,MAAM,oBAAoB,QAAQ;AAElC,MAAI,OAAO,KAAK,KAAK;GACnB,IAAI;GAEJ;GACA,QAAQ;IAAE,YAAY;IAAkB;;GACxC,SAAS;IAAE,YAAY;IAAmB;;GAC1C,kBAAkB,EAAE,YAAY;;;AAKtC,KAAI,IAAI,KAAK,OACX,QAAO,IAAI,WAAW,OAAO,MAAe,QAAkB;EAC5D,MAAM,SAAS,IAAI,QAAQ;EAC3B,MAAM,mBAAmB,QAAQ,UAAU,OAAO;EAClD,MAAM,sBAAsB,QAAQ,IAAI,KAAK;EAE7C,IAAIC,cAA8B;EAClC,IAAIC,qBAAoC;EACxC,IAAIC;AACJ,MAAI,oBAAoB,OACtB,KAAI;AACF,SAAM,OAAO;AACb,iBAAc;GACd,MAAM,UAAU,KAAK,OAAO,MAAM,uBAAuB,SAAS;AAClE,wBAAqB,QAAQ,gBAAgB;WACtCC,GAAQ;AACf,iBAAc;AACd,iBAAc,GAAG,WAAW,OAAO;;EAIvC,MAAM,KAAK,IAAI,QAAQ,gBACnB,MAAM,IAAI,QAAQ,cAAc,6BAChC;GAAE,YAAY;GAAO,SAAS;GAAM,SAAS;;EAEjD,MAAM,MACH,mBAAmB,gBAAgB,OAAO,UAC1C,GAAG,aAAa,GAAG,YAAY,OAAO;AAEzC,MAAI,OAAO,KAAK,MAAM,KAAK,KAAK;GAC9B;GACA,QAAQ;IACN,YAAY;IACZ,OAAO,mBAAmB,cAAc;IACxC,cAAc;IACd,OAAO;;GAET,kBAAkB,EAAE,YAAY;GAChC,SAAS;;;;;;;ACDjB,SAAgB,iCAAiC,OAAuC;AACtF,KAAI,CAAC,SAAS,OAAO,UAAU,SAC7B,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;CAGtD,MAAM,OAAO;CACb,MAAM,EAAE,MAAM,IAAI,SAAS,KAAK,YAAY;AAE5C,KAAI,CAAC,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,OAAO,OAAO,SAC5D,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;AAGtD,KAAI,CAAC,WAAW,OAAO,YAAY,SACjC,QAAO;EAAE,IAAI;EAAO,MAAM;EAAiB,SAAS;;CAGtD,MAAMC,oBAA4C;AAClD,MAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,SAClC,mBAAkB,OAAO,GAAG,iBAAiB,OAAO;AAGtD,QAAO;EACL,IAAI;EACJ,SAAS;GACP;GACA;GACA,SAAS;GACT,KAAK,OAAO,QAAQ,WAAW,MAAM;GACrC,SAAS,OAAO,YAAY,WAAW,UAAU;;;;;;;;;;;;AAavD,SAAgB,0BAA0B,KAA+C;AACvF,KAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;CAI5C,IAAI,cAAc;CAClB,MAAM,QAAQ,IAAI,MAAM;CACxB,MAAM,cAAc,MAAM,MAAK,SAAQ,aAAa,KAAK;AACzD,KAAI,aAAa;EACf,MAAM,MAAM,YAAY,QAAQ;EAChC,MAAM,UAAU,OAAO,IAAI,YAAY,MAAM,MAAM,KAAK;AACxD,gBAAc,QAAQ;OAEtB,eAAc,IAAI;AAGpB,KAAI,CAAC,YAAa,QAAO;AAGzB,eAAc,YAAY,QAAQ,kBAAkB,IAAI;AACxD,KAAI,CAAC,YAAa,QAAO;CAGzB,MAAM,QAAQ,YAAY,MACxB;AAEF,KAAI,QAAQ,GACV,QAAO,MAAM;AAGf,QAAO;;;;;AC3FT,SAAS,UAAU,SAAsB,MAAkC;AACzE,KAAI,CAAC,QAAS,QAAO;CAErB,MAAM,eAAe;AACrB,KAAI,OAAO,aAAa,QAAQ,YAAY;EAC1C,MAAMC,MAAI,aAAa,IAAI;AAC3B,SAAQ,OAAOA,QAAM,WAAYA,MAAI;;CAGvC,MAAM,SAAS;CACf,MAAM,IAAI,OAAO,KAAK,kBAAkB,OAAO;AAC/C,KAAI,MAAM,QAAQ,GAAI,QAAQ,OAAO,EAAE,OAAO,WAAY,EAAE,KAAK;AACjE,QAAQ,OAAO,MAAM,WAAY,IAAI;;AAGvC,SAAS,kBAAkB,MAAe,SAA2C;CACnF,MAAM,gBACH,OAAQ,MAAc,iBAAiB,WAAW,OAAQ,KAAa,gBAAgB,QACvF,OAAQ,MAAc,kBAAkB,WAAW,OAAQ,KAAa,iBAAiB;CAC5F,MAAM,iBAAiB,UAAU,SAAS,4BAA4B,UAAU,SAAS,sBAAsB;CAC/G,MAAM,OAAO,gBAAgB,gBAAgB;AAC7C,QAAO,MAAM,MAAM;;AAGrB,SAAgB,yBAAyB,MAAe,OAAkC,IAA6B;CACrH,MAAM,eAAe,kBAAkB,MAAM,KAAK;CAElD,MAAM,aAAa,iCAAiC;AACpD,KAAI,CAAC,WAAW,GACd,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM,WAAW;EAAM,SAAS,WAAW;;CAG9E,MAAM,UAAU,WAAW;CAC3B,MAAM,YAAY,QAAQ,OAAO;CACjC,MAAM,eAAe,QAAQ,WAAW;CAExC,MAAM,gBAAgB,aAAa;CACnC,MAAM,kBAAkB,0BAA0B,iBAAiB;CACnE,MAAM,kBAAkB,OAAO,aAAa,wBAAwB,aAAa,mBAAmB,IAAI;CACxG,MAAM,aAAa,mBAAmB,mBAAmB,IAAI;AAE7D,KAAI,CAAC,UACH,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM;EAAmB,SAAS;;AAErE,KAAI,CAAC,UACH,QAAO;EAAE,IAAI;EAAO,QAAQ;EAAK,MAAM;EAAiB,SAAS;;AAGnE,QAAO;EAAE,IAAI;EAAM;EAAW;EAAW;;;;;;AC7F3C,SAAgB,0BAA0B,QAAuB,KAAgC;AAI/F,QAAO,KAAK,kBAAkB,OAAO,KAAU,QAAa;AAC1D,MAAI;GACF,MAAM,SAAS,OAAO,KAAK,SAAS,UAAU,IAAI;GAClD,MAAM,eACJ,OAAO,SAAS,oBAChB,QAAQ,KAAK,QAAe,SAAS,IAAI,WAAW,OACpD,QAAQ,KAAK,QAAe,iBAAiB,IAAI,WAAW;GAE9D,MAAM,SAAS,yBAAyB,IAAI,MAAiB,EAAE,SAAS,IAAI;AAC5E,OAAI,CAAC,OAAO,IAAI;AACd,QAAI,OAAO,OAAO,QAAQ,KAAK;KAAE,MAAM,OAAO;KAAM,SAAS,OAAO;;AACpE;;GAEF,MAAM,EAAE,WAAW,WAAW,iBAAiB;AAE/C,OAAI,CAAC,IAAI,QAAQ,eAAe;AAC9B,QAAI,OAAO,KAAK,KAAK;KAAE,MAAM;KAA8B,SAAS;;AACpE;;AAGF,OAAI,cAAc;AAChB,IAAK,IAAI,QAAQ,cACd,qBAAqB;KAAE;KAAW;KAAW;OAC7C,MAAM,aAAW;AAChB,SAAI,OAAO,KAAK,kCAAkC;MAChD,SAASC,UAAQ,YAAY;MAC7B;MACA,OAAOA,UAAQ,UAAU,SAAYA,UAAQ;;OAGhD,OAAO,QAAa;AACnB,SAAI,OAAO,MAAM,+BAA+B;MAC9C;MACA,OAAO,KAAK,WAAW,OAAO;;;AAIpC,QAAI,OAAO,KAAK,KAAK;KAAE,SAAS;KAAM,QAAQ;KAAM;;AACpD;;GAGF,MAAM,SAAS,MAAM,IAAI,QAAQ,cAAc,qBAAqB;IAAE;IAAW;IAAW;;AAC5F,OAAI,OAAO,OAAO,UAAU,MAAM,KAAK,KAAK;WACrCC,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,MAAM;IAAY,SAAS,GAAG,WAAW;;;;;;;;AC3BtE,SAAgB,iBAAiB,MAA4B;CAC3D,MAAM,IAAK,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,QAAQ,QACzD,OACD;CACJ,MAAM,MAAM,EAAE,eAAe,EAAE;AAC/B,QAAO,QAAQ,WAAW,WAAW;;;;;AC1BvC,SAAgB,sBAAsB,QAAuB,KAAgC;AAE3F,QAAO,IAAI,IAAI,QAAQ,OAAO,KAAU,QAAa;AACnD,MAAI;GACF,MAAM,UAAU,IAAI,KAAK;AACzB,OAAI,CAAC,SAAS;AACZ,QAAI,OAAO,KAAK,KAAK;KAAE,eAAe;KAAO,MAAM;KAAqB,SAAS;;AACjF;;GAEF,MAAM,SAAS,MAAM,QAAQ,MAAM,IAAI,WAAW;AAClD,OAAI,CAAC,OAAO,IAAI;AACd,QAAI,OAAO,KAAK,KAAK;KAAE,eAAe;KAAO,MAAM;KAAgB,SAAS;;AAC5E;;AAEF,OAAI,OAAO,KAAK,KAAK;IAAE,eAAe;IAAM,QAAQ,OAAO;;WACpDC,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,eAAe;IAAO,MAAM;IAAY,SAAS,GAAG,WAAW;;;;AAK1F,QAAO,KAAK,IAAI,YAAY,OAAO,MAAW,QAAa;AACzD,MAAI;GACF,MAAM,UAAU,IAAI,KAAK;AACzB,OAAI,QAAS,KAAI,IAAI,cAAc,QAAQ;AAC3C,OAAI,OAAO,KAAK,KAAK,EAAE,SAAS;WACzBA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,SAAS;IAAO,OAAO;IAAY,SAAS,GAAG;;;;AAK1E,QAAO,KAAK,oBAAoB,OAAO,KAAU,QAAa;AAC5D,MAAI;GACF,MAAM,cAAc,iBAAiB,IAAI,QAAQ;GACjD,MAAM,UAAU,IAAI,KAAK;AACzB,OAAI,CAAC,SAAS;AACZ,QAAI,OAAO,KAAK,KAAK;KAAE,MAAM;KAAqB,SAAS;;AAC3D;;GAEF,MAAM,MAAM,MAAM,QAAQ,QAAQ,IAAI,WAAW;AACjD,OAAI,CAAC,IAAI,MAAM,CAAC,IAAI,KAAK;IACvB,MAAM,OAAO,IAAI,QAAQ;IACzB,MAAM,UAAU,IAAI,WAAW;AAC/B,QAAI,OAAO,SAAS,iBAAiB,MAAM,KAAK,KAAK;KAAE;KAAM;;AAC7D;;AAEF,OAAI,gBAAgB,UAAU;AAC5B,QAAI,IAAI,cAAc,QAAQ,eAAe,IAAI;AACjD,QAAI,OAAO,KAAK,KAAK,EAAE,IAAI;SAE3B,KAAI,OAAO,KAAK,KAAK;IAAE,IAAI;IAAM,KAAK,IAAI;;WAErCA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,MAAM;IAAY,SAAS,GAAG,WAAW;;;;;;;;AClDtE,SAAgB,qBAAqB,QAAuB,KAAgC;AAC1F,QAAO,KAAK,0BAA0B,OAAO,KAAU,QAAa;EAClE,MAAM,SAAS,IAAI,QAAQ;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAO,YACrB,QAAO,IAAI,OAAO,KAAK,KAAK;GAAE,OAAO;GAAmB,SAAS;;AAEnE,MAAI;GACF,MAAM,iBAAiB,MAAM,sBAAsB,QAAQ,EAAE,MAAM,IAAI;AACvE,UAAO,QAAQ,eAAe,SAAS,SAAS,CAAC,GAAG,OAAO,IAAI,IAAI,GAAG;AACtE,OAAI,OAAO,eAAe;AAC1B,OAAI,KAAK,KAAK,MAAM,eAAe;WAC5BC,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,OAAO;IAAY,SAAS,GAAG;;;;AAI1D,QAAO,KAAK,2BAA2B,OAAO,KAAU,QAAa;EACnE,MAAM,SAAS,IAAI,QAAQ;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAO,YACrB,QAAO,IAAI,OAAO,KAAK,KAAK;GAAE,OAAO;GAAmB,SAAS;;AAEnE,MAAI;GACF,MAAM,iBAAiB,MAAM,uBAAuB,QAAQ,EAAE,MAAM,IAAI;AACxE,UAAO,QAAQ,eAAe,SAAS,SAAS,CAAC,GAAG,OAAO,IAAI,IAAI,GAAG;AACtE,OAAI,OAAO,eAAe;AAC1B,OAAI,KAAK,KAAK,MAAM,eAAe;WAC5BA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,OAAO;IAAY,SAAS,GAAG;;;;AAI1D,QAAO,IAAI,oBAAoB,OAAO,MAAW,QAAa;EAC5D,MAAM,SAAS,IAAI,QAAQ;AAC3B,MAAI,CAAC,UAAU,CAAC,OAAO,YACrB,QAAO,IAAI,OAAO,KAAK,KAAK;GAAE,OAAO;GAAmB,SAAS;;AAEnE,MAAI;GACF,MAAM,iBAAiB,MAAM,uBAAuB;AACpD,UAAO,QAAQ,eAAe,SAAS,SAAS,CAAC,GAAG,OAAO,IAAI,IAAI,GAAG;AACtE,OAAI,OAAO,eAAe;AAC1B,OAAI,KAAK,KAAK,MAAM,eAAe;WAC5BA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,OAAO;IAAY,SAAS,GAAG;;;;;;;;AC/C5D,SAAgB,6BAA6B,QAAuB,KAAgC;AAClG,KAAI,CAAC,IAAI,mBAAoB;AAE7B,QAAO,QAAQ,IAAI,qBAAqB,MAAW,QAAa;AAC9D,MAAI,WAAW;;AAGjB,QAAO,KAAK,IAAI,oBAAoB,OAAO,KAAU,QAAa;AAChE,MAAI;GACF,MAAM,EAAE,MAAM,mBAAmB,IAAI,QAAQ;AAC7C,OAAI,OAAO,SAAS,YAAY,CAAC,QAAQ,CAAC,gBAAgB;AACxD,QAAI,OAAO,KAAK,KAAK;KAAE,IAAI;KAAO,MAAM;KAAgB,SAAS;;AACjE;;GAGF,MAAM,SAAS,MAAM,IAAI,QAAQ,sBAAsB;IACrD;IACA;IACA,QAAQ,IAAI;;AAGd,OAAI,CAAC,UAAU,CAAC,OAAO,IAAI;AACzB,QAAI,OAAO,KAAK,KAAK;KACnB,IAAI;KACJ,MAAM,QAAQ,QAAQ;KACtB,SAAS,QAAQ,SAAS;;AAE5B;;AAGF,OAAI,OAAO,KAAK,KAAK;IACnB,IAAI;IACJ,eAAe,OAAO,mBAAmB;IACzC,QAAQ;IACR,SAAS,OAAO,WAAW;;WAEtBC,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IACnB,IAAI;IACJ,MAAM;IACN,SAAS,GAAG,WAAW;;;;;;;;ACzC/B,SAAgB,2BAA2B,QAA6C;AACtF,KAAI,OAAO,GAAI,QAAO;AACtB,SAAQ,OAAO,MAAf;EACE,KAAK,YACH,QAAO;EACT,KAAK,kBACH,QAAO;EACT,KAAK,qBACH,QAAO;EACT,KAAK,WACH,QAAO;EACT,KAAK,eACH,QAAO;EACT,QACE,QAAO;;;;;;ACJb,SAAgB,SAAS,GAA0C;AACjE,QAAO,CAAC,CAAC,KAAK,OAAO,MAAM,YAAY,CAAC,MAAM,QAAQ;;AAgSxD,SAAgB,mCAAmC,KAAoD;AACrG,KAAI,CAAC,SAAS,KAAM,QAAO;CAC3B,MAAM,OAAO,iBAAiB,IAAI;AAClC,KAAI,SAAS,+BAAgC,QAAO;CACpD,MAAM,MAAM,iBAAiB,IAAI;CACjC,MAAM,YAAY,iBAAiB,IAAI;CACvC,MAAM,eAAe,iBAAiB,IAAI;CAC1C,MAAM,OAAO,iBAAiB,IAAI;AAClC,KAAI,CAAC,OAAO,CAAC,aAAa,CAAC,gBAAgB,CAAC,KAAM,QAAO;AACzD,QAAO;EAAE;EAAK;EAAM;EAAW;EAAc;;;;;;AC5S/C,SAAS,cAAc,OAAsC;AAC3D,QAAO,CAAC,CAAC,SAAS,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ;;AAGhE,SAAgB,iBAAiB,OAAqD;AACpF,KAAI,CAAC,cAAc,OAAQ,QAAO;CAClC,MAAM,UAAU,OAAO,MAAM,YAAY,WAAW,MAAM,UAAU;CACpE,MAAM,QAAQ,OAAO,MAAM,UAAU,WAAW,MAAM,QAAQ;CAC9D,MAAM,eAAe,OAAO,MAAM,iBAAiB,WAAW,MAAM,eAAe;CACnF,MAAM,uBAAuB,MAAM,QAAQ,MAAM,oBAAoB,OAAO;CAC5E,MAAM,uBAAuB,MAAM,QAAQ,MAAM,oBAAoB,MAAM,iBAAiB,SAAS;CACrG,MAAM,+BAA+B,MAAM,QAAQ,MAAM,4BAA4B,OAAO;CAC5F,MAAM,+BAA+B,MAAM,QAAQ,MAAM,4BAA4B,MAAM,yBAAyB,SAAS;AAC7H,QAAO;EACL,GAAI,UAAU,EAAE,YAAY;EAC5B,GAAI,QAAQ,EAAE,UAAU;EACxB,GAAI,gBAAgB,OAAO,EAAE,iBAAiB;EAC9C,GAAI,wBAAwB,OAAO,EAAE,yBAAyB;EAC9D,GAAI,wBAAwB,OAAO,EAAE,yBAAyB;EAC9D,GAAI,gCAAgC,OAAO,EAAE,iCAAiC;EAC9E,GAAI,gCAAgC,OAAO,EAAE,iCAAiC;;;AAIlF,SAAS,+BAA+B,OAAyB;AAC/D,KAAI,CAAC,cAAc,OAAQ,QAAO;AAClC,QAAO,cAAc,MAAM,aAAa,cAAc,MAAM;;AAc9D,eAAsB,wCAAwC,OAIjB;AAC3C,KAAI,+BAA+B,MAAM,MACvC,QAAO;EAAE,IAAI;EAAM,MAAM;EAAY,SAAS,MAAM;;CAGtD,MAAM,UAAU,MAAM;AACtB,KAAI,CAAC,QACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAqB,SAAS;;CAG1D,MAAM,SAAS,MAAM,QAAQ,MAAM,MAAM;AACzC,KAAI,CAAC,OAAO,GACV,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,SAAS,mCAAmC,OAAO;AACzD,KAAI,CAAC,OACH,QAAO;EAAE,IAAI;EAAO,MAAM;EAAgB,SAAS;;CAGrD,MAAM,cAAc,cAAc,MAAM,QAAQ,MAAM,OAAO;AAC7D,QAAO;EACL,IAAI;EACJ,MAAM;EACN,WAAW,OAAO;EAClB,QAAQ,OAAO;EACf,SAAS;;;;;;AC/Db,SAAS,WAAW,GAAoB;AACtC,KAAI,KAAK,OAAO,MAAM,YAAY,aAAa,EAAG,QAAO,OAAQ,EAA4B,WAAW;AACxG,QAAO,OAAO,KAAK;;AAGrB,eAAe,OACb,KACA,KACA,KACA,OACA,aACA,IACe;AACf,KAAI;AACF,MAAI,OAAO,KAAK,+BAA+B;GAC7C;GACA,QAAQ,IAAI;GACZ,GAAI,eAAe;;EAErB,MAAM,SAAS,MAAM;EACrB,MAAM,SAAS,2BAA2B;AAC1C,MAAI,OAAO,KAAK,gCAAgC;GAC9C;GACA;GACA,IAAI,OAAO;GACX,GAAI,OAAO,OAAO,EAAE,MAAM,OAAO,SAAS;;AAE5C,MAAI,OAAO,QAAQ,KAAK;UACjBC,GAAY;AACnB,MAAI,OAAO,MAAM,6BAA6B;GAC5C;GACA,SAAS,WAAW;GACpB,GAAI,eAAe;;AAErB,MAAI,OAAO,KAAK,KAAK;GAAE,IAAI;GAAO,MAAM;GAAY,SAAS,WAAW;;;;AAI5E,SAAgB,+BAA+B,QAAuB,KAAgC;AACpG,KAAI,OAAO,KAAK,8BAA8B,EAC5C,SAAS,QAAQ,IAAI,KAAK;AAK5B,QAAO,IAAI,8BAA8B,OAAO,KAAc,QAAkB;AAC9E,QAAM,OAAO,KAAK,KAAK,KAAK,8BAA8B,IAAI,YAAY;GACxE,MAAM,YAAY,IAAI,KAAK;AAC3B,OAAI,CAAC,UACH,QAAO;IACL,IAAI;IACJ,YAAY;IACZ,MAAM;IACN,SAAS;;AAGb,UAAO;IAAE,IAAI;IAAM,YAAY;;;;AAInC,QAAO,KAAK,6BAA6B,OAAO,KAAc,QAAkB;EAC9E,MAAM,OAAQ,IAAI,QAAQ;AAC1B,QAAM,OAAO,KAAK,KAAK,KAAK,6BAA6B;GACvD,eAAe,OAAO,KAAK,kBAAkB,WAAW,KAAK,gBAAgB;GAC7E,8BAA8B,OAAO,KAAK,6BAA6B,WAAW,KAAK,yBAAyB,SAAS;GACzH,oBAAqB,wBAAwB,QAAQ,OAAO,KAAK,uBAAuB,WAAY,KAAK,qBAAqB;GAC9H,UAAU,iBAAkB,KAA2C;KACtE,YAAY;GACb,MAAM,YAAY,IAAI,KAAK;AAC3B,OAAI,CAAC,UACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAsB,SAAS;;AAE3D,UAAO,UAAU,uBAAuB;;;AAI5C,QAAO,KAAK,8BAA8B,OAAO,KAAc,QAAkB;EAC/E,MAAM,OAAQ,IAAI,QAAQ;AAC1B,QAAM,OAAO,KAAK,KAAK,KAAK,8BAA8B;GACxD,cAAc,OAAO,KAAK,iBAAiB,WAAW,KAAK,eAAe;GAC1E,8BAA8B,OAAO,KAAK,6BAA6B,WAAW,KAAK,yBAAyB,SAAS;GACzH,eAAe,KAAK,gBAAgB,EAAE,SAAS,KAAK,cAAc,YAAY;GAC9E,UAAU,iBAAkB,KAAgC;KAC3D,YAAY;GACb,MAAM,YAAY,IAAI,KAAK;AAC3B,OAAI,CAAC,UACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAsB,SAAS;;GAE3D,MAAM,UAAU,IAAI,KAAK;AACzB,OAAI,CAAC,QACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAqB,SAAS;;GAG1D,MAAM,SAAS,MAAM,UAAU,wBAAwB;AACvD,OAAI,CAAC,OAAO,GAAI,QAAO;GAEvB,MAAM,YAAY,OAAO,OAAO,aAAa,IAAI;AACjD,OAAI,CAAC,UACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAY,SAAS;;GAGjD,MAAM,SAAS,KAAK,SAAS;GAC7B,MAAM,OAAO,KAAK,SAAS;GAC3B,MAAM,eAAe,KAAK;GAC1B,MAAM,QAAQ,MAAM,QAAQ,QAAQ,QAAQ;IAC1C,MAAM;IACN;IACA;IACA;;GAGF,MAAM,cAAc,iBAAiB;AACrC,OAAI,gBAAgB,UAAU;AAC5B,QAAI,IAAI,cAAc,QAAQ,eAAe;IAC7C,MAAM,EAAE,KAAK,MAAO,GAAG,SAAS;AAChC,WAAO;KAAE,GAAG;KAAM,IAAI;;;AAGxB,UAAO;IAAE,GAAG;IAAQ,KAAK;;;;AAI7B,QAAO,KAAK,gCAAgC,OAAO,KAAc,QAAkB;EACjF,MAAM,cAAe,IAAI,QAAQ;EACjC,MAAM,OAAQ,eAAe;AAC7B,QAAM,OAAO,KAAK,KAAK,KAAK,gCAAgC;GAC1D,cAAc,OAAO,KAAK,iBAAiB,WAAW,KAAK,eAAe;GAC1E,8BAA8B,OAAO,KAAK,6BAA6B,WAAW,KAAK,yBAAyB,SAAS;GACzH,SAAS,OAAO,KAAK,YAAY,WAAW,KAAK,UAAU;GAC3D,uBAAuB,MAAM,QAAQ,KAAK,qBAAqB,KAAK,kBAAkB,SAAS;GAC/F,UAAU,iBAAiB,KAAK;KAC/B,YAAY;GACb,MAAM,YAAY,IAAI,KAAK;AAC3B,OAAI,CAAC,UACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAsB,SAAS;;GAG3D,MAAM,YAAY,MAAM,wCAAwC;IAC9D,MAAM;IACN,SAAS,IAAI,WAAW;IACxB,SAAS,IAAI,KAAK;;AAEpB,OAAI,CAAC,UAAU,GAAI,QAAO;AAE1B,OAAI,UAAU,SAAS,WACrB,QAAO,UAAU,0BAA0B,UAAU;AAGvD,UAAO,UAAU,qCAAqC;IACpD,WAAW,UAAU;IACrB,QAAQ,UAAU;IAClB,SAAS,UAAU;;;;AAKzB,QAAO,KAAK,gCAAgC,OAAO,KAAc,QAAkB;EACjF,MAAM,OAAQ,IAAI,QAAQ;AAC1B,QAAM,OAAO,KAAK,KAAK,KAAK,gCAAgC;GAC1D,cAAc,OAAO,KAAK,iBAAiB,WAAW,KAAK,eAAe;GAC1E,cAAc,OAAO,KAAK,iBAAiB,WAAW,KAAK,eAAe;GAC1E,eAAe,OAAO,KAAK,kBAAkB,WAAW,KAAK,gBAAgB;GAC7E,uBAAuB,OAAO,KAAK,sBAAsB,WAAW,KAAK,kBAAkB,SAAS;KACnG,YAAY;GACb,MAAM,YAAY,IAAI,KAAK;AAC3B,OAAI,CAAC,UACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAsB,SAAS;;AAE3D,UAAO,UAAU,yBAAyB;;;AAI9C,QAAO,KAAK,oCAAoC,OAAO,KAAc,QAAkB;EACrF,MAAM,OAAQ,IAAI,QAAQ;AAC1B,QAAM,OAAO,KAAK,KAAK,KAAK,oCAAoC;GAC9D,kBAAkB,OAAO,KAAK,qBAAqB,WAAW,KAAK,mBAAmB;GACtF,8BAA8B,OAAO,KAAK,6BAA6B,WAAW,KAAK,yBAAyB,SAAS;KACxH,YAAY;GACb,MAAM,YAAY,IAAI,KAAK;AAC3B,OAAI,CAAC,UACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAsB,SAAS;;AAE3D,UAAO,UAAU,6BAA6B;;;AAKlD,QAAO,KAAK,2CAA2C,OAAO,KAAc,QAAkB;EAC5F,MAAM,OAAQ,IAAI,QAAQ;AAC1B,QAAM,OAAO,KAAK,KAAK,KAAK,2CAA2C;GACrE,sBAAsB,OAAO,KAAK,qBAAqB,WAAW,KAAK,iBAAiB,SAAS;GACjG,kBAAkB,OAAO,KAAK,qBAAqB,WAAW,KAAK,mBAAmB;GACtF,uBAAuB,OAAO,KAAK,sBAAsB,WAAW,KAAK,kBAAkB,SAAS;KACnG,YAAY;GACb,MAAM,YAAY,IAAI,KAAK;AAC3B,OAAI,CAAC,UACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAsB,SAAS;;AAE3D,OAAI,CAAC,UAAU,2BACb,QAAO;IAAE,IAAI;IAAO,MAAM;IAAa,SAAS;;AAElD,UAAO,UAAU,2BAA2B;;;AAIhD,QAAO,KAAK,+CAA+C,OAAO,KAAc,QAAkB;EAChG,MAAM,OAAQ,IAAI,QAAQ;AAC1B,QAAM,OAAO,KAAK,KAAK,KAAK,+CAA+C;GACzE,sBAAsB,OAAO,KAAK,qBAAqB,WAAW,KAAK,iBAAiB,SAAS;GACjG,kBAAkB,OAAO,KAAK,qBAAqB,WAAW,KAAK,mBAAmB;GACtF,iBAAiB,MAAM,QAAQ,KAAK,eAAe,KAAK,YAAY,SAAS;KAC5E,YAAY;GACb,MAAM,YAAY,IAAI,KAAK;AAC3B,OAAI,CAAC,UACH,QAAO;IAAE,IAAI;IAAO,MAAM;IAAsB,SAAS;;AAE3D,OAAI,CAAC,UAAU,+BACb,QAAO;IAAE,IAAI;IAAO,MAAM;IAAa,SAAS;;AAElD,UAAO,UAAU,+BAA+B;;;;;;;ACxOtD,SAAgB,qCAAqC,QAAuB,KAAgC;AAE1G,QAAO,KAAK,mCAAmC,OAAO,KAAU,QAAa;AAC3E,MAAI;AACF,OAAI,CAAC,KAAK,MAAM;AACd,QAAI,OAAO,KAAK,KAAK;KAAE,MAAM;KAAgB,SAAS;;AACtD;;GAEF,MAAM,OAAO,IAAI;GACjB,MAAM,QAAQ,QAAQ,KAAK,YAAY,KAAK;AAC5C,OAAI,CAAC,OAAO;AACV,QAAI,OAAO,KAAK,KAAK;KAAE,MAAM;KAAgB,SAAS;;AACtD;;GAEF,MAAM,SAAS,MAAM,IAAI,QAAQ,6BAA6B;GAC9D,MAAM,SAAS,OAAO,UAAU,MAAM;AACtC,OAAI,WAAW,KAAK;AAClB,QAAI,OAAO,QAAQ,KAAK;KAAE,MAAM;KAAgB,SAAS,OAAO,WAAW;;AAC3E;;GAEF,MAAM,cAAc,iBAAiB;GACrC,MAAM,UAAU,IAAI,KAAK;AACzB,OAAI,WAAW,OAAO,SACpB,KAAI;IACF,MAAM,MAAM,OAAO,KAAK,SAAS,WAAW;IAC5C,MAAM,QAAQ,MAAM,QAAQ,QAAQ,KAAK;KAAE,MAAM,KAAK,SAAS;KAAO,aAAa,KAAK,SAAS;;AAEjG,QAAI,OAAO,KAAK,oBAAoB,gBAAgB,WAAW,qBAAqB,MAAM,OAAO;AACjG,QAAI,gBAAgB,UAAU;AAC5B,SAAI,IAAI,cAAc,QAAQ,eAAe;KAC7C,MAAM,EAAE,KAAK,MAAO,GAAG,SAAS;AAChC,SAAI,OAAO,KAAK,KAAK;AACrB;;AAEF,QAAI,OAAO,KAAK,KAAK;KAAE,GAAG;KAAQ,KAAK;;AACvC;YACOC,GAAQ;AAInB,OAAI,OAAO,KAAK,KAAK;WACdA,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK;IAAE,MAAM;IAAY,SAAS,GAAG,WAAW;;;;;;;;AC3CtE,SAAgB,wBAAwB,QAAuB,KAAgC;CAE7F,MAAM,iBAAiB,CAAC,yBAAyB;AACjD,MAAK,MAAM,KAAK,eACd,QAAO,IAAI,GAAG,OAAO,MAAe,QAAkB;AACpD,MAAI;GACF,MAAM,UAAU,MAAM,IAAI,QAAQ;AAClC,OAAI,IAAI,gBAAgB;AAExB,OAAI,IAAI,iBAAiB;AACzB,OAAI,OAAO,KAAK,KAAK,KAAK,UAAU,EAAE;WAC/BC,GAAQ;AACf,OAAI,OAAO,KAAK,KAAK,EAAE,SAAS;;;;;;;ACZxC,SAAgB,uBAAuB,SAAsB,MAA2D;AAItH,QAAO,KAAK,cAAc,SAAY,KAAK,YAAY,QAAQ;;;;;ACuBjE,SAAgB,kBAAkB,SAAsB,OAA2B,IAAmB;CACpG,MAAM,SAAS,QAAQ;CAEvB,MAAM,YAAY,uBAAuB,SAAS;CAClD,MAAMC,gBAAoC;EAAE,GAAG;EAAM;;CAErD,MAAM,SAAS,cAAc,eAAe,QAAQ;CACpD,MAAM,aAAa,cAAc,eAAe,UAAU;CAC1D,MAAM,SAAS,mBAAmB,cAAc;CAChD,IAAI,qBAAqB;AACzB,KAAI,cAAc,eAChB,sBAAqB,mBAAmB,cAAc,eAAe,UAAU;CAEjF,MAAM,uBAAuB,cAAc,gBAAgB;AAE3D,aAAY,QAAQ;CAEpB,MAAMC,MAA2B;EAC/B;EACA,MAAM;EACN;EACA;EACA;EACA;EACA;;AAGF,sCAAqC,QAAQ;AAC7C,8BAA6B,QAAQ;AACrC,sBAAqB,QAAQ;AAC7B,sCAAqC,QAAQ;AAC7C,gCAA+B,QAAQ;AACvC,uBAAsB,QAAQ;AAC9B,2BAA0B,QAAQ;AAClC,sBAAqB,QAAQ;AAC7B,yBAAwB,QAAQ;AAEhC,QAAO;;;;;ACxDT,SAAgB,wBACd,SACA,OAA+B,IACb;CAClB,MAAM,SAAS,mBAAmB,KAAK;CACvC,MAAM,UAAU,QAAQ,KAAK;CAC7B,MAAM,kBAAkB,KAAK,IAAI,GAAG,OAAO,KAAK,mBAAmB,MAAM;CACzE,MAAM,eAAe,KAAK,IAAI,GAAG,OAAO,KAAK,gBAAgB,MAAM;CAEnE,IAAIC,QAAa;CACjB,IAAI,WAAW;CAEf,MAAM,MAAM,YAAY;AACtB,MAAI,CAAC,QAAS;AACd,MAAI,UAAU;AACZ,UAAO,KAAK;AACZ;;AAEF,aAAW;AACX,MAAI;GACF,MAAM,SAAS,QAAQ;AACvB,OAAI,CAAC,UAAU,CAAC,OAAO,aAAa;AAClC,WAAO,KAAK;AACZ;;GAGF,MAAM,WAAW,MAAM,OAAO;AAC9B,UAAO,KAAK,mCAAmC;IAC7C,UAAU,SAAS;IACnB,eAAe,SAAS;IACxB,aAAa,SAAS;;AAGxB,OAAI,eAAe,GAAG;IACpB,MAAM,cAAc,OAAO;AAC3B,QAAI,YAAY,SAAS,cAAc;KACrC,MAAM,WAAW,YAAY,MAAM,GAAG,YAAY,SAAS;AAC3D,UAAK,MAAM,SAAS,SAClB,KAAI;MACF,MAAM,UAAU,MAAM,OAAO,uBAAuB,OAAO,EAAE,SAAS;AACtE,aAAO,KAAK,wCAAwC;OAAE;OAAO;;cACtDC,GAAQ;AACf,aAAO,KAAK,iDAAiD;OAAE;OAAO,OAAO,GAAG,WAAW,OAAO;;;;;WAKnGA,GAAQ;AACf,UAAO,MAAM,uCAAuC,EAAE,OAAO,GAAG,WAAW,OAAO;YAC1E;AACR,cAAW;;;AAIf,KAAI,QACF,SAAQ,kBAAkB;AAAE,EAAK;IAAU,kBAAkB;AAG/D,QAAO,EACL,OAAO;AACL,MAAI,MAAO,eAAc;AACzB,UAAQ"}

package/dist/esm/server/sdk/src/core/NearClient.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { isFunction } from "./WalletIframe/validation.js";
+import { isFunction } from "../utils/validation.js";
 import { base64Decode, base64Encode } from "../utils/base64.js";
 import { errorMessage } from "../utils/errors.js";
 import { NearRpcError } from "./NearRpcError.js";
@@ -213,6 +213,13 @@ var MinimalNearClient = class MinimalNearClient {
 		}
 		throw lastError instanceof Error ? lastError : new Error(String(lastError));
 	}
+	async txStatus(txHash, senderAccountId) {
+		const params = {
+			tx_hash: txHash,
+			sender_account_id: senderAccountId
+		};
+		return this.makeRpcCall("EXPERIMENTAL_tx_status", params, "Tx Status");
+	}
 	async callFunction(contractId, method, args, blockQuery) {
 		const rpcParams = {
 			request_type: "call_function",