@tatchi-xyz/sdk 0.21.0 → 0.31.0

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.js

@@ -1,8 +1,6 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
 const require_vrf_worker = require('../../../types/vrf-worker.js');
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.ts
-require_vrf_worker.init_vrf_worker();
 /**
 * Derive deterministic VRF keypair from PRF output embedded in a WebAuthn credential.
 */
@@ -22,7 +20,9 @@ async function deriveVrfKeypairFromPrf(ctx, args) {
 				userId: vrfInputData.userId,
 				rpId: vrfInputData.rpId,
 				blockHeight: String(vrfInputData.blockHeight),
-				blockHash: vrfInputData.blockHash
+				blockHash: vrfInputData.blockHash,
+				intentDigest: vrfInputData.intentDigest,
+				sessionPolicyDigest32: vrfInputData.sessionPolicyDigest32
 			} : void 0
 		}
 	};
@@ -40,7 +40,9 @@ async function deriveVrfKeypairFromPrf(ctx, args) {
 		userId: data.vrfChallengeData.userId,
 		rpId: data.vrfChallengeData.rpId,
 		blockHeight: data.vrfChallengeData.blockHeight,
-		blockHash: data.vrfChallengeData.blockHash
+		blockHash: data.vrfChallengeData.blockHash,
+		...data.vrfChallengeData.intentDigest ? { intentDigest: data.vrfChallengeData.intentDigest } : {},
+		...data.vrfChallengeData.sessionPolicyDigest32 ? { sessionPolicyDigest32: data.vrfChallengeData.sessionPolicyDigest32 } : {}
 	}) : null;
 	if (saveInMemory) {
 		ctx.setCurrentVrfAccountId(args.nearAccountId);

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.js.map

@@ -1 +1 @@
-{"version":3,"file":"deriveVrfKeypairFromPrf.js","names":["message: VRFWorkerMessage<WasmDeriveVrfKeypairFromPrfRequest>","validateVRFChallenge"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type {\n  EncryptedVRFKeypair,\n  ServerEncryptedVrfKeypair,\n  VRFInputData,\n  VRFWorkerMessage,\n  WasmDeriveVrfKeypairFromPrfRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Derive deterministic VRF keypair from PRF output embedded in a WebAuthn credential.\n */\nexport async function deriveVrfKeypairFromPrf(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n    nearAccountId: AccountId;\n    vrfInputData?: VRFInputData;\n    saveInMemory?: boolean;\n  }\n): Promise<{\n  vrfPublicKey: string;\n  vrfChallenge: VRFChallenge | null;\n  encryptedVrfKeypair: EncryptedVRFKeypair;\n  serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair | null;\n}> {\n  const saveInMemory = args.saveInMemory ?? true;\n  await ctx.ensureWorkerReady();\n\n  const vrfInputData = args.vrfInputData;\n  const hasVrfInputData = vrfInputData?.blockHash\n    && vrfInputData?.blockHeight\n    && vrfInputData?.userId\n    && vrfInputData?.rpId;\n\n  const message: VRFWorkerMessage<WasmDeriveVrfKeypairFromPrfRequest> = {\n    type: 'DERIVE_VRF_KEYPAIR_FROM_PRF',\n    id: ctx.generateMessageId(),\n    payload: {\n      credential: args.credential,\n      nearAccountId: args.nearAccountId,\n      saveInMemory,\n      vrfInputData: hasVrfInputData ? {\n        userId: vrfInputData.userId,\n        rpId: vrfInputData.rpId,\n        blockHeight: String(vrfInputData.blockHeight),\n        blockHash: vrfInputData.blockHash,\n      } : undefined,\n    }\n  };\n\n  const response = await ctx.sendMessage(message);\n\n  if (!response.success || !response.data) {\n    throw new Error(`VRF keypair derivation failed: ${response.error}`);\n  }\n  const data = response.data as {\n    vrfPublicKey?: string;\n    vrfChallengeData?: VRFChallenge;\n    encryptedVrfKeypair: EncryptedVRFKeypair;\n    serverEncryptedVrfKeypair?: ServerEncryptedVrfKeypair | null;\n  };\n\n  const vrfPublicKey = data.vrfPublicKey || data.vrfChallengeData?.vrfPublicKey;\n  if (!vrfPublicKey) {\n    throw new Error('VRF public key not found in response');\n  }\n  if (!data.encryptedVrfKeypair) {\n    throw new Error('Encrypted VRF keypair not found in response');\n  }\n\n  const vrfChallenge = data.vrfChallengeData\n    ? validateVRFChallenge({\n      vrfInput: data.vrfChallengeData.vrfInput,\n      vrfOutput: data.vrfChallengeData.vrfOutput,\n      vrfProof: data.vrfChallengeData.vrfProof,\n      vrfPublicKey: data.vrfChallengeData.vrfPublicKey,\n      userId: data.vrfChallengeData.userId,\n      rpId: data.vrfChallengeData.rpId,\n      blockHeight: data.vrfChallengeData.blockHeight,\n      blockHash: data.vrfChallengeData.blockHash,\n    })\n    : null;\n\n  if (saveInMemory) {\n    ctx.setCurrentVrfAccountId(args.nearAccountId);\n    console.debug(`VRF Manager: VRF keypair loaded in memory for ${args.nearAccountId}`);\n  }\n\n  return {\n    vrfPublicKey,\n    vrfChallenge,\n    encryptedVrfKeypair: data.encryptedVrfKeypair,\n    serverEncryptedVrfKeypair: data.serverEncryptedVrfKeypair || null,\n  };\n}\n"],"mappings":";;;;;;;;AAeA,eAAsB,wBACpB,KACA,MAWC;CACD,MAAM,eAAe,KAAK,gBAAgB;AAC1C,OAAM,IAAI;CAEV,MAAM,eAAe,KAAK;CAC1B,MAAM,kBAAkB,cAAc,aACjC,cAAc,eACd,cAAc,UACd,cAAc;CAEnB,MAAMA,UAAgE;EACpE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,YAAY,KAAK;GACjB,eAAe,KAAK;GACpB;GACA,cAAc,kBAAkB;IAC9B,QAAQ,aAAa;IACrB,MAAM,aAAa;IACnB,aAAa,OAAO,aAAa;IACjC,WAAW,aAAa;OACtB;;;CAIR,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,kCAAkC,SAAS;CAE7D,MAAM,OAAO,SAAS;CAOtB,MAAM,eAAe,KAAK,gBAAgB,KAAK,kBAAkB;AACjE,KAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,KAAK,oBACR,OAAM,IAAI,MAAM;CAGlB,MAAM,eAAe,KAAK,mBACtBC,wCAAqB;EACrB,UAAU,KAAK,iBAAiB;EAChC,WAAW,KAAK,iBAAiB;EACjC,UAAU,KAAK,iBAAiB;EAChC,cAAc,KAAK,iBAAiB;EACpC,QAAQ,KAAK,iBAAiB;EAC9B,MAAM,KAAK,iBAAiB;EAC5B,aAAa,KAAK,iBAAiB;EACnC,WAAW,KAAK,iBAAiB;MAEjC;AAEJ,KAAI,cAAc;AAChB,MAAI,uBAAuB,KAAK;AAChC,UAAQ,MAAM,iDAAiD,KAAK;;AAGtE,QAAO;EACL;EACA;EACA,qBAAqB,KAAK;EAC1B,2BAA2B,KAAK,6BAA6B"}
+{"version":3,"file":"deriveVrfKeypairFromPrf.js","names":["message: VRFWorkerMessage<WasmDeriveVrfKeypairFromPrfRequest>","validateVRFChallenge"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type {\n  EncryptedVRFKeypair,\n  ServerEncryptedVrfKeypair,\n  VRFInputData,\n  VRFWorkerMessage,\n  WasmDeriveVrfKeypairFromPrfRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Derive deterministic VRF keypair from PRF output embedded in a WebAuthn credential.\n */\nexport async function deriveVrfKeypairFromPrf(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n    nearAccountId: AccountId;\n    vrfInputData?: VRFInputData;\n    saveInMemory?: boolean;\n  }\n): Promise<{\n  vrfPublicKey: string;\n  vrfChallenge: VRFChallenge | null;\n  encryptedVrfKeypair: EncryptedVRFKeypair;\n  serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair | null;\n}> {\n  const saveInMemory = args.saveInMemory ?? true;\n  await ctx.ensureWorkerReady();\n\n  const vrfInputData = args.vrfInputData;\n  const hasVrfInputData = vrfInputData?.blockHash\n    && vrfInputData?.blockHeight\n    && vrfInputData?.userId\n    && vrfInputData?.rpId;\n\n  const message: VRFWorkerMessage<WasmDeriveVrfKeypairFromPrfRequest> = {\n    type: 'DERIVE_VRF_KEYPAIR_FROM_PRF',\n    id: ctx.generateMessageId(),\n    payload: {\n      credential: args.credential,\n      nearAccountId: args.nearAccountId,\n\t      saveInMemory,\n\t      vrfInputData: hasVrfInputData ? {\n\t        userId: vrfInputData.userId,\n\t        rpId: vrfInputData.rpId,\n\t        blockHeight: String(vrfInputData.blockHeight),\n\t        blockHash: vrfInputData.blockHash,\n\t        intentDigest: vrfInputData.intentDigest,\n          sessionPolicyDigest32: vrfInputData.sessionPolicyDigest32,\n\t      } : undefined,\n\t    }\n\t  };\n\n  const response = await ctx.sendMessage(message);\n\n  if (!response.success || !response.data) {\n    throw new Error(`VRF keypair derivation failed: ${response.error}`);\n  }\n  const data = response.data as {\n    vrfPublicKey?: string;\n    vrfChallengeData?: VRFChallenge;\n    encryptedVrfKeypair: EncryptedVRFKeypair;\n    serverEncryptedVrfKeypair?: ServerEncryptedVrfKeypair | null;\n  };\n\n  const vrfPublicKey = data.vrfPublicKey || data.vrfChallengeData?.vrfPublicKey;\n  if (!vrfPublicKey) {\n    throw new Error('VRF public key not found in response');\n  }\n  if (!data.encryptedVrfKeypair) {\n    throw new Error('Encrypted VRF keypair not found in response');\n  }\n\n  const vrfChallenge = data.vrfChallengeData\n    ? validateVRFChallenge({\n      vrfInput: data.vrfChallengeData.vrfInput,\n      vrfOutput: data.vrfChallengeData.vrfOutput,\n      vrfProof: data.vrfChallengeData.vrfProof,\n      vrfPublicKey: data.vrfChallengeData.vrfPublicKey,\n      userId: data.vrfChallengeData.userId,\n      rpId: data.vrfChallengeData.rpId,\n      blockHeight: data.vrfChallengeData.blockHeight,\n      blockHash: data.vrfChallengeData.blockHash,\n      ...(data.vrfChallengeData.intentDigest ? { intentDigest: data.vrfChallengeData.intentDigest } : {}),\n      ...(data.vrfChallengeData.sessionPolicyDigest32 ? { sessionPolicyDigest32: data.vrfChallengeData.sessionPolicyDigest32 } : {}),\n    })\n    : null;\n\n  if (saveInMemory) {\n    ctx.setCurrentVrfAccountId(args.nearAccountId);\n    console.debug(`VRF Manager: VRF keypair loaded in memory for ${args.nearAccountId}`);\n  }\n\n  return {\n    vrfPublicKey,\n    vrfChallenge,\n    encryptedVrfKeypair: data.encryptedVrfKeypair,\n    serverEncryptedVrfKeypair: data.serverEncryptedVrfKeypair || null,\n  };\n}\n"],"mappings":";;;;;;AAeA,eAAsB,wBACpB,KACA,MAWC;CACD,MAAM,eAAe,KAAK,gBAAgB;AAC1C,OAAM,IAAI;CAEV,MAAM,eAAe,KAAK;CAC1B,MAAM,kBAAkB,cAAc,aACjC,cAAc,eACd,cAAc,UACd,cAAc;CAEnB,MAAMA,UAAgE;EACpE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,YAAY,KAAK;GACjB,eAAe,KAAK;GACnB;GACA,cAAc,kBAAkB;IAC9B,QAAQ,aAAa;IACrB,MAAM,aAAa;IACnB,aAAa,OAAO,aAAa;IACjC,WAAW,aAAa;IACxB,cAAc,aAAa;IAC1B,uBAAuB,aAAa;OACnC;;;CAIT,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,kCAAkC,SAAS;CAE7D,MAAM,OAAO,SAAS;CAOtB,MAAM,eAAe,KAAK,gBAAgB,KAAK,kBAAkB;AACjE,KAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,KAAK,oBACR,OAAM,IAAI,MAAM;CAGlB,MAAM,eAAe,KAAK,mBACtBC,wCAAqB;EACrB,UAAU,KAAK,iBAAiB;EAChC,WAAW,KAAK,iBAAiB;EACjC,UAAU,KAAK,iBAAiB;EAChC,cAAc,KAAK,iBAAiB;EACpC,QAAQ,KAAK,iBAAiB;EAC9B,MAAM,KAAK,iBAAiB;EAC5B,aAAa,KAAK,iBAAiB;EACnC,WAAW,KAAK,iBAAiB;EACjC,GAAI,KAAK,iBAAiB,eAAe,EAAE,cAAc,KAAK,iBAAiB,iBAAiB;EAChG,GAAI,KAAK,iBAAiB,wBAAwB,EAAE,uBAAuB,KAAK,iBAAiB,0BAA0B;MAE3H;AAEJ,KAAI,cAAc;AAChB,MAAI,uBAAuB,KAAK;AAChC,UAAQ,MAAM,iDAAiD,KAAK;;AAGtE,QAAO;EACL;EACA;EACA,qBAAqB,KAAK;EAC1B,2BAA2B,KAAK,6BAA6B"}

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/dispenseSessionKey.js

@@ -1,4 +1,3 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/dispenseSessionKey.ts
 /**

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/dispenseSessionKey.js.map

@@ -1 +1 @@
-{"version":3,"file":"dispenseSessionKey.js","names":["message: VRFWorkerMessage<WasmDispenseSessionKeyRequest>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/dispenseSessionKey.ts"],"sourcesContent":["import type { VRFWorkerMessage, WasmDispenseSessionKeyRequest } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * \"Warm session\" path: dispense an existing VRF-owned session key to the signer worker.\n *\n * VRF WASM enforces TTL/usage limits for `sessionId`, then sends `{ wrap_key_seed, wrapKeySalt }`\n * over the attached MessagePort to the signer worker. This does not prompt for WebAuthn.\n */\nexport async function dispenseSessionKey(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: { sessionId: string; uses?: number }\n): Promise<{\n  sessionId: string;\n  remainingUses?: number;\n  expiresAtMs?: number;\n}> {\n  await ctx.ensureWorkerReady(true);\n  const message: VRFWorkerMessage<WasmDispenseSessionKeyRequest> = {\n    type: 'DISPENSE_SESSION_KEY',\n    id: ctx.generateMessageId(),\n    payload: {\n      sessionId: args.sessionId,\n      uses: args.uses,\n    } as any,\n  };\n  const response = await ctx.sendMessage<WasmDispenseSessionKeyRequest>(message);\n  if (!response.success) {\n    throw new Error(`dispenseSessionKey failed: ${response.error}`);\n  }\n  return (response.data as any) || { sessionId: args.sessionId };\n}\n"],"mappings":";;;;;;;;;AASA,eAAsB,mBACpB,KACA,MAKC;AACD,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAA2D;EAC/D,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,WAAW,KAAK;GAChB,MAAM,KAAK;;;CAGf,MAAM,WAAW,MAAM,IAAI,YAA2C;AACtE,KAAI,CAAC,SAAS,QACZ,OAAM,IAAI,MAAM,8BAA8B,SAAS;AAEzD,QAAQ,SAAS,QAAgB,EAAE,WAAW,KAAK"}
+{"version":3,"file":"dispenseSessionKey.js","names":["message: VRFWorkerMessage<WasmDispenseSessionKeyRequest>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/dispenseSessionKey.ts"],"sourcesContent":["import type { VRFWorkerMessage, WasmDispenseSessionKeyRequest } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * \"Warm session\" path: dispense an existing VRF-owned session key to the signer worker.\n *\n * VRF WASM enforces TTL/usage limits for `sessionId`, then sends `{ wrap_key_seed, wrapKeySalt }`\n * over the attached MessagePort to the signer worker. This does not prompt for WebAuthn.\n */\nexport async function dispenseSessionKey(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: { sessionId: string; uses?: number }\n): Promise<{\n  sessionId: string;\n  remainingUses?: number;\n  expiresAtMs?: number;\n}> {\n  await ctx.ensureWorkerReady(true);\n  const message: VRFWorkerMessage<WasmDispenseSessionKeyRequest> = {\n    type: 'DISPENSE_SESSION_KEY',\n    id: ctx.generateMessageId(),\n    payload: {\n      sessionId: args.sessionId,\n      uses: args.uses,\n    } as any,\n  };\n  const response = await ctx.sendMessage<WasmDispenseSessionKeyRequest>(message);\n  if (!response.success) {\n    throw new Error(`dispenseSessionKey failed: ${response.error}`);\n  }\n  return (response.data as any) || { sessionId: args.sessionId };\n}\n"],"mappings":";;;;;;;;AASA,eAAsB,mBACpB,KACA,MAKC;AACD,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAA2D;EAC/D,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,WAAW,KAAK;GAChB,MAAM,KAAK;;;CAGf,MAAM,WAAW,MAAM,IAAI,YAA2C;AACtE,KAAI,CAAC,SAAS,QACZ,OAAM,IAAI,MAAM,8BAA8B,SAAS;AAEzD,QAAQ,SAAS,QAAgB,EAAE,WAAW,KAAK"}

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.js

@@ -1,8 +1,10 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
+const require_validation = require('../../../../utils/validation.js');
+const require_accountIds = require('../../../types/accountIds.js');
 const require_vrf_worker = require('../../../types/vrf-worker.js');
+const require_checkVrfStatus = require('./checkVrfStatus.js');
+const require_shamir3PassDecryptVrfKeypair = require('./shamir3PassDecryptVrfKeypair.js');
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.ts
-require_vrf_worker.init_vrf_worker();
 /**
 * Generate a VRF challenge and cache it under `sessionId` inside the VRF worker.
 *
@@ -22,6 +24,7 @@ async function generateVrfChallengeOnce(ctx, inputData) {
 }
 async function generateVrfChallengeInternal(ctx, inputData, sessionId) {
 	await ctx.ensureWorkerReady(true);
+	await ensureVrfKeypairBoundToLastUser(ctx, inputData.userId);
 	const message = {
 		type: "GENERATE_VRF_CHALLENGE",
 		id: ctx.generateMessageId(),
@@ -31,16 +34,45 @@ async function generateVrfChallengeInternal(ctx, inputData, sessionId) {
 				userId: inputData.userId,
 				rpId: inputData.rpId,
 				blockHeight: String(inputData.blockHeight),
-				blockHash: inputData.blockHash
+				blockHash: inputData.blockHash,
+				intentDigest: inputData.intentDigest,
+				sessionPolicyDigest32: inputData.sessionPolicyDigest32
 			}
 		}
 	};
 	const response = await ctx.sendMessage(message);
 	if (!response.success || !response.data) throw new Error(`VRF challenge generation failed: ${response.error}`);
 	const data = response.data;
-	console.debug("VRF Manager: VRF challenge generated successfully");
 	return require_vrf_worker.validateVRFChallenge(data);
 }
+async function ensureVrfKeypairBoundToLastUser(ctx, nearAccountId) {
+	const accountId = require_accountIds.toAccountId(nearAccountId);
+	const { indexedDB } = ctx.getContext();
+	const lastUser = await indexedDB.clientDB.getLastUser().catch(() => null);
+	if (!lastUser || require_accountIds.toAccountId(lastUser.nearAccountId) !== accountId) return;
+	const lastUserDeviceNumber = Number(lastUser.deviceNumber);
+	if (!Number.isFinite(lastUserDeviceNumber) || lastUserDeviceNumber < 1) return;
+	const status = await require_checkVrfStatus.checkVrfStatus(ctx);
+	const currentVrfPublicKey = require_validation.toTrimmedString(status.vrfPublicKey);
+	const authenticators = await indexedDB.clientDB.getAuthenticatorsByUser(accountId).catch(() => []);
+	const expectedVrfPublicKey = require_validation.toTrimmedString(authenticators.find((a) => a.credentialId === lastUser.passkeyCredential.rawId)?.vrfPublicKey ?? authenticators.find((a) => a.deviceNumber === lastUserDeviceNumber)?.vrfPublicKey);
+	const needsRebind = !status.active || expectedVrfPublicKey && currentVrfPublicKey !== expectedVrfPublicKey;
+	if (!needsRebind) return;
+	const shamir = lastUser.serverEncryptedVrfKeypair;
+	if (!shamir?.ciphertextVrfB64u || !shamir?.kek_s_b64u || !shamir?.serverKeyId) throw new Error("VRF session is not bound to the last logged-in passkey device. Please log in again on this device.");
+	const unlock = await require_shamir3PassDecryptVrfKeypair.shamir3PassDecryptVrfKeypair(ctx, {
+		nearAccountId: accountId,
+		ciphertextVrfB64u: shamir.ciphertextVrfB64u,
+		kek_s_b64u: shamir.kek_s_b64u,
+		serverKeyId: shamir.serverKeyId
+	});
+	if (!unlock.success) throw new Error(unlock.error || "Failed to rebind VRF keypair to the last logged-in device");
+	if (expectedVrfPublicKey) {
+		const rebound = await require_checkVrfStatus.checkVrfStatus(ctx);
+		const reboundPk = require_validation.toTrimmedString(rebound.vrfPublicKey);
+		if (!rebound.active || reboundPk !== expectedVrfPublicKey) throw new Error("VRF session mismatch: VRF keypair did not match the last logged-in device after rebind. Please log in again.");
+	}
+}
 
 //#endregion
 exports.generateVrfChallengeForSession = generateVrfChallengeForSession;

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.js.map

@@ -1 +1 @@
-{"version":3,"file":"generateVrfChallenge.js","names":["message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest>","validateVRFChallenge"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.ts"],"sourcesContent":["import type {\n  VRFInputData,\n  VRFWorkerMessage,\n  WasmGenerateVrfChallengeRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Generate a VRF challenge and cache it under `sessionId` inside the VRF worker.\n *\n * This is used by SecureConfirm flows so later steps (e.g. contract verification) can rely on\n * worker-owned challenge data instead of JS-provided state.\n */\nexport async function generateVrfChallengeForSession(\n  ctx: VrfWorkerManagerHandlerContext,\n  inputData: VRFInputData,\n  sessionId: string\n): Promise<VRFChallenge> {\n  return generateVrfChallengeInternal(ctx, inputData, sessionId);\n}\n\n/**\n * Generate a one-off VRF challenge without caching it in the VRF worker.\n *\n * Used for standalone WebAuthn prompts where we don't need to later look up the challenge by `sessionId`.\n */\nexport async function generateVrfChallengeOnce(\n  ctx: VrfWorkerManagerHandlerContext,\n  inputData: VRFInputData\n): Promise<VRFChallenge> {\n  return generateVrfChallengeInternal(ctx, inputData);\n}\n\nasync function generateVrfChallengeInternal(\n  ctx: VrfWorkerManagerHandlerContext,\n  inputData: VRFInputData,\n  sessionId?: string\n): Promise<VRFChallenge> {\n  await ctx.ensureWorkerReady(true);\n  const message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest> = {\n    type: 'GENERATE_VRF_CHALLENGE',\n    id: ctx.generateMessageId(),\n    payload: {\n      sessionId,\n      vrfInputData: {\n        userId: inputData.userId,\n        rpId: inputData.rpId,\n        blockHeight: String(inputData.blockHeight),\n        blockHash: inputData.blockHash,\n      },\n    },\n  };\n\n  const response = await ctx.sendMessage(message);\n\n  if (!response.success || !response.data) {\n    throw new Error(`VRF challenge generation failed: ${response.error}`);\n  }\n\n  const data = response.data as unknown as VRFChallenge;\n  console.debug('VRF Manager: VRF challenge generated successfully');\n  return validateVRFChallenge(data);\n}\n"],"mappings":";;;;;;;;;;;AAcA,eAAsB,+BACpB,KACA,WACA,WACuB;AACvB,QAAO,6BAA6B,KAAK,WAAW;;;;;;;AAQtD,eAAsB,yBACpB,KACA,WACuB;AACvB,QAAO,6BAA6B,KAAK;;AAG3C,eAAe,6BACb,KACA,WACA,WACuB;AACvB,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAA6D;EACjE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP;GACA,cAAc;IACZ,QAAQ,UAAU;IAClB,MAAM,UAAU;IAChB,aAAa,OAAO,UAAU;IAC9B,WAAW,UAAU;;;;CAK3B,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,oCAAoC,SAAS;CAG/D,MAAM,OAAO,SAAS;AACtB,SAAQ,MAAM;AACd,QAAOC,wCAAqB"}
+{"version":3,"file":"generateVrfChallenge.js","names":["message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest>","validateVRFChallenge","toAccountId","checkVrfStatus","toTrimmedString","shamir3PassDecryptVrfKeypair"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.ts"],"sourcesContent":["import type {\n  VRFInputData,\n  VRFWorkerMessage,\n  WasmGenerateVrfChallengeRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport { toAccountId } from '../../../types/accountIds';\nimport type { VrfWorkerManagerHandlerContext } from './types';\nimport { checkVrfStatus } from './checkVrfStatus';\nimport { shamir3PassDecryptVrfKeypair } from './shamir3PassDecryptVrfKeypair';\nimport { toTrimmedString } from '@/utils';\n\n/**\n * Generate a VRF challenge and cache it under `sessionId` inside the VRF worker.\n *\n * This is used by SecureConfirm flows so later steps (e.g. contract verification) can rely on\n * worker-owned challenge data instead of JS-provided state.\n */\nexport async function generateVrfChallengeForSession(\n  ctx: VrfWorkerManagerHandlerContext,\n  inputData: VRFInputData,\n  sessionId: string\n): Promise<VRFChallenge> {\n  return generateVrfChallengeInternal(ctx, inputData, sessionId);\n}\n\n/**\n * Generate a one-off VRF challenge without caching it in the VRF worker.\n *\n * Used for standalone WebAuthn prompts where we don't need to later look up the challenge by `sessionId`.\n */\nexport async function generateVrfChallengeOnce(\n  ctx: VrfWorkerManagerHandlerContext,\n  inputData: VRFInputData\n): Promise<VRFChallenge> {\n  return generateVrfChallengeInternal(ctx, inputData);\n}\n\nasync function generateVrfChallengeInternal(\n  ctx: VrfWorkerManagerHandlerContext,\n  inputData: VRFInputData,\n  sessionId?: string\n): Promise<VRFChallenge> {\n  await ctx.ensureWorkerReady(true);\n\n  // Root-cause fix: ensure the VRF worker's active VRF keypair matches the IndexedDB \"lastUser\" device.\n  // Otherwise, multi-device accounts can drift such that:\n  // - WebAuthn allowCredentials selects the lastUser passkey, but\n  // - VRF challenges are generated from a different device's vrf_sk,\n  // causing contract verification failures.\n  await ensureVrfKeypairBoundToLastUser(ctx, inputData.userId);\n\n  const message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest> = {\n    type: 'GENERATE_VRF_CHALLENGE',\n    id: ctx.generateMessageId(),\n    payload: {\n      sessionId,\n\t      vrfInputData: {\n\t        userId: inputData.userId,\n\t        rpId: inputData.rpId,\n\t        blockHeight: String(inputData.blockHeight),\n\t        blockHash: inputData.blockHash,\n\t        intentDigest: inputData.intentDigest,\n          sessionPolicyDigest32: inputData.sessionPolicyDigest32,\n\t      },\n\t    },\n\t  };\n\n  const response = await ctx.sendMessage(message);\n\n  if (!response.success || !response.data) {\n    throw new Error(`VRF challenge generation failed: ${response.error}`);\n  }\n\n  const data = response.data as unknown as VRFChallenge;\n  return validateVRFChallenge(data);\n}\n\nasync function ensureVrfKeypairBoundToLastUser(\n  ctx: VrfWorkerManagerHandlerContext,\n  nearAccountId: string,\n): Promise<void> {\n  const accountId = toAccountId(nearAccountId);\n  const { indexedDB } = ctx.getContext();\n\n  const lastUser = await indexedDB.clientDB.getLastUser().catch(() => null);\n  if (!lastUser || toAccountId(lastUser.nearAccountId) !== accountId) {\n    return;\n  }\n\n  const lastUserDeviceNumber = Number(lastUser.deviceNumber);\n  if (!Number.isFinite(lastUserDeviceNumber) || lastUserDeviceNumber < 1) {\n    return;\n  }\n\n  const status = await checkVrfStatus(ctx);\n  const currentVrfPublicKey = toTrimmedString(status.vrfPublicKey);\n\n  // Best-effort: find the expected VRF public key for the last-user device from the authenticator cache.\n  const authenticators = await indexedDB.clientDB.getAuthenticatorsByUser(accountId).catch(() => []);\n  const expectedVrfPublicKey = toTrimmedString(\n    authenticators.find(a => a.credentialId === lastUser.passkeyCredential.rawId)?.vrfPublicKey\n    ?? authenticators.find(a => a.deviceNumber === lastUserDeviceNumber)?.vrfPublicKey\n  );\n\n  const needsRebind = !status.active\n    || (expectedVrfPublicKey && currentVrfPublicKey !== expectedVrfPublicKey);\n\n  if (!needsRebind) {\n    return;\n  }\n\n  const shamir = lastUser.serverEncryptedVrfKeypair;\n  if (!shamir?.ciphertextVrfB64u || !shamir?.kek_s_b64u || !shamir?.serverKeyId) {\n    // If we can't rebind automatically, fail early instead of silently generating a challenge from the wrong vrf_sk.\n    throw new Error(\n      'VRF session is not bound to the last logged-in passkey device. Please log in again on this device.',\n    );\n  }\n\n  const unlock = await shamir3PassDecryptVrfKeypair(ctx, {\n    nearAccountId: accountId,\n    ciphertextVrfB64u: shamir.ciphertextVrfB64u,\n    kek_s_b64u: shamir.kek_s_b64u,\n    serverKeyId: shamir.serverKeyId,\n  });\n  if (!unlock.success) {\n    throw new Error(unlock.error || 'Failed to rebind VRF keypair to the last logged-in device');\n  }\n\n  // If we know the expected VRF pk, confirm the rebind succeeded.\n  if (expectedVrfPublicKey) {\n    const rebound = await checkVrfStatus(ctx);\n    const reboundPk = toTrimmedString(rebound.vrfPublicKey);\n    if (!rebound.active || reboundPk !== expectedVrfPublicKey) {\n      throw new Error(\n        'VRF session mismatch: VRF keypair did not match the last logged-in device after rebind. Please log in again.',\n      );\n    }\n  }\n}\n"],"mappings":";;;;;;;;;;;;;AAkBA,eAAsB,+BACpB,KACA,WACA,WACuB;AACvB,QAAO,6BAA6B,KAAK,WAAW;;;;;;;AAQtD,eAAsB,yBACpB,KACA,WACuB;AACvB,QAAO,6BAA6B,KAAK;;AAG3C,eAAe,6BACb,KACA,WACA,WACuB;AACvB,OAAM,IAAI,kBAAkB;AAO5B,OAAM,gCAAgC,KAAK,UAAU;CAErD,MAAMA,UAA6D;EACjE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP;GACC,cAAc;IACZ,QAAQ,UAAU;IAClB,MAAM,UAAU;IAChB,aAAa,OAAO,UAAU;IAC9B,WAAW,UAAU;IACrB,cAAc,UAAU;IACvB,uBAAuB,UAAU;;;;CAKzC,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,oCAAoC,SAAS;CAG/D,MAAM,OAAO,SAAS;AACtB,QAAOC,wCAAqB;;AAG9B,eAAe,gCACb,KACA,eACe;CACf,MAAM,YAAYC,+BAAY;CAC9B,MAAM,EAAE,cAAc,IAAI;CAE1B,MAAM,WAAW,MAAM,UAAU,SAAS,cAAc,YAAY;AACpE,KAAI,CAAC,YAAYA,+BAAY,SAAS,mBAAmB,UACvD;CAGF,MAAM,uBAAuB,OAAO,SAAS;AAC7C,KAAI,CAAC,OAAO,SAAS,yBAAyB,uBAAuB,EACnE;CAGF,MAAM,SAAS,MAAMC,sCAAe;CACpC,MAAM,sBAAsBC,mCAAgB,OAAO;CAGnD,MAAM,iBAAiB,MAAM,UAAU,SAAS,wBAAwB,WAAW,YAAY;CAC/F,MAAM,uBAAuBA,mCAC3B,eAAe,MAAK,MAAK,EAAE,iBAAiB,SAAS,kBAAkB,QAAQ,gBAC5E,eAAe,MAAK,MAAK,EAAE,iBAAiB,uBAAuB;CAGxE,MAAM,cAAc,CAAC,OAAO,UACtB,wBAAwB,wBAAwB;AAEtD,KAAI,CAAC,YACH;CAGF,MAAM,SAAS,SAAS;AACxB,KAAI,CAAC,QAAQ,qBAAqB,CAAC,QAAQ,cAAc,CAAC,QAAQ,YAEhE,OAAM,IAAI,MACR;CAIJ,MAAM,SAAS,MAAMC,kEAA6B,KAAK;EACrD,eAAe;EACf,mBAAmB,OAAO;EAC1B,YAAY,OAAO;EACnB,aAAa,OAAO;;AAEtB,KAAI,CAAC,OAAO,QACV,OAAM,IAAI,MAAM,OAAO,SAAS;AAIlC,KAAI,sBAAsB;EACxB,MAAM,UAAU,MAAMF,sCAAe;EACrC,MAAM,YAAYC,mCAAgB,QAAQ;AAC1C,MAAI,CAAC,QAAQ,UAAU,cAAc,qBACnC,OAAM,IAAI,MACR"}

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.js

@@ -1,8 +1,6 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
 const require_vrf_worker = require('../../../types/vrf-worker.js');
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.ts
-require_vrf_worker.init_vrf_worker();
 /**
 * Registration bootstrap: generate a fresh random VRF keypair in the VRF worker and (optionally)
 * generate a VRF challenge from it.
@@ -23,7 +21,9 @@ async function generateVrfKeypairBootstrap(ctx, args) {
 					userId: args.vrfInputData.userId,
 					rpId: args.vrfInputData.rpId,
 					blockHeight: String(args.vrfInputData.blockHeight),
-					blockHash: args.vrfInputData.blockHash
+					blockHash: args.vrfInputData.blockHash,
+					intentDigest: args.vrfInputData.intentDigest,
+					sessionPolicyDigest32: args.vrfInputData.sessionPolicyDigest32
 				} : void 0
 			}
 		};
@@ -45,7 +45,9 @@ async function generateVrfKeypairBootstrap(ctx, args) {
 				userId: challengeData.userId,
 				rpId: challengeData.rpId,
 				blockHeight: challengeData.blockHeight,
-				blockHash: challengeData.blockHash
+				blockHash: challengeData.blockHash,
+				...challengeData.intentDigest ? { intentDigest: challengeData.intentDigest } : {},
+				...challengeData.sessionPolicyDigest32 ? { sessionPolicyDigest32: challengeData.sessionPolicyDigest32 } : {}
 			})
 		};
 	} catch (error) {

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.js.map

@@ -1 +1 @@
-{"version":3,"file":"generateVrfKeypairBootstrap.js","names":["message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest>","validateVRFChallenge","error: any"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.ts"],"sourcesContent":["import type { VRFInputData } from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VRFWorkerMessage, WasmGenerateVrfKeypairBootstrapRequest } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Registration bootstrap: generate a fresh random VRF keypair in the VRF worker and (optionally)\n * generate a VRF challenge from it.\n *\n * This solves the \"chicken-and-egg\" problem during registration where you need a VRF challenge\n * before you have PRF outputs to encrypt the VRF keypair. The generated VRF keypair lives in\n * VRF worker memory until it is later encrypted with PRF output.\n */\nexport async function generateVrfKeypairBootstrap(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    vrfInputData: VRFInputData;\n    saveInMemory: boolean;\n    sessionId?: string;\n  }\n): Promise<{\n  vrfPublicKey: string;\n  vrfChallenge: VRFChallenge;\n}> {\n  await ctx.ensureWorkerReady();\n  try {\n    const message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest> = {\n      type: 'GENERATE_VRF_KEYPAIR_BOOTSTRAP',\n      id: ctx.generateMessageId(),\n      payload: {\n        // Include VRF input data if provided for challenge generation\n        sessionId: args.sessionId,\n        vrfInputData: args.vrfInputData\n          ? {\n              userId: args.vrfInputData.userId,\n              rpId: args.vrfInputData.rpId,\n              blockHeight: String(args.vrfInputData.blockHeight),\n              blockHash: args.vrfInputData.blockHash,\n            }\n          : undefined,\n      },\n    };\n\n    const response = await ctx.sendMessage(message);\n\n    if (!response.success || !response.data) {\n      throw new Error(`VRF bootstrap keypair generation failed: ${response.error}`);\n    }\n    const data = response.data as { vrf_challenge_data?: VRFChallenge; vrfPublicKey?: string };\n    const challengeData = data.vrf_challenge_data as VRFChallenge | undefined;\n    if (!challengeData) {\n      throw new Error('VRF challenge data failed to be generated');\n    }\n    const vrfPublicKey = data.vrfPublicKey || challengeData.vrfPublicKey;\n    if (!vrfPublicKey) {\n      throw new Error('VRF public key missing in bootstrap response');\n    }\n    if (args.vrfInputData && args.saveInMemory) {\n      // Track the account ID for this VRF session if saving in memory\n      ctx.setCurrentVrfAccountId(args.vrfInputData.userId);\n    }\n\n    // TODO: strong types generated by Rust wasm-bindgen\n    return {\n      vrfPublicKey,\n      vrfChallenge: validateVRFChallenge({\n        vrfInput: challengeData.vrfInput,\n        vrfOutput: challengeData.vrfOutput,\n        vrfProof: challengeData.vrfProof,\n        vrfPublicKey: challengeData.vrfPublicKey,\n        userId: challengeData.userId,\n        rpId: challengeData.rpId,\n        blockHeight: challengeData.blockHeight,\n        blockHash: challengeData.blockHash,\n      })\n    }\n\n  } catch (error: any) {\n    console.error('VRF Manager: Bootstrap VRF keypair generation failed:', error);\n    throw new Error(`Failed to generate bootstrap VRF keypair: ${error.message}`);\n  }\n}\n"],"mappings":";;;;;;;;;;;;;AAaA,eAAsB,4BACpB,KACA,MAQC;AACD,OAAM,IAAI;AACV,KAAI;EACF,MAAMA,UAAoE;GACxE,MAAM;GACN,IAAI,IAAI;GACR,SAAS;IAEP,WAAW,KAAK;IAChB,cAAc,KAAK,eACf;KACE,QAAQ,KAAK,aAAa;KAC1B,MAAM,KAAK,aAAa;KACxB,aAAa,OAAO,KAAK,aAAa;KACtC,WAAW,KAAK,aAAa;QAE/B;;;EAIR,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,MAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,4CAA4C,SAAS;EAEvE,MAAM,OAAO,SAAS;EACtB,MAAM,gBAAgB,KAAK;AAC3B,MAAI,CAAC,cACH,OAAM,IAAI,MAAM;EAElB,MAAM,eAAe,KAAK,gBAAgB,cAAc;AACxD,MAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,MAAI,KAAK,gBAAgB,KAAK,aAE5B,KAAI,uBAAuB,KAAK,aAAa;AAI/C,SAAO;GACL;GACA,cAAcC,wCAAqB;IACjC,UAAU,cAAc;IACxB,WAAW,cAAc;IACzB,UAAU,cAAc;IACxB,cAAc,cAAc;IAC5B,QAAQ,cAAc;IACtB,MAAM,cAAc;IACpB,aAAa,cAAc;IAC3B,WAAW,cAAc;;;UAItBC,OAAY;AACnB,UAAQ,MAAM,yDAAyD;AACvE,QAAM,IAAI,MAAM,6CAA6C,MAAM"}
+{"version":3,"file":"generateVrfKeypairBootstrap.js","names":["message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest>","validateVRFChallenge","error: any"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.ts"],"sourcesContent":["import type { VRFInputData } from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VRFWorkerMessage, WasmGenerateVrfKeypairBootstrapRequest } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Registration bootstrap: generate a fresh random VRF keypair in the VRF worker and (optionally)\n * generate a VRF challenge from it.\n *\n * This solves the \"chicken-and-egg\" problem during registration where you need a VRF challenge\n * before you have PRF outputs to encrypt the VRF keypair. The generated VRF keypair lives in\n * VRF worker memory until it is later encrypted with PRF output.\n */\nexport async function generateVrfKeypairBootstrap(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    vrfInputData: VRFInputData;\n    saveInMemory: boolean;\n    sessionId?: string;\n  }\n): Promise<{\n  vrfPublicKey: string;\n  vrfChallenge: VRFChallenge;\n}> {\n  await ctx.ensureWorkerReady();\n  try {\n    const message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest> = {\n      type: 'GENERATE_VRF_KEYPAIR_BOOTSTRAP',\n      id: ctx.generateMessageId(),\n\t      payload: {\n\t        // Include VRF input data if provided for challenge generation\n\t        sessionId: args.sessionId,\n\t        vrfInputData: args.vrfInputData\n\t          ? {\n\t              userId: args.vrfInputData.userId,\n\t              rpId: args.vrfInputData.rpId,\n\t              blockHeight: String(args.vrfInputData.blockHeight),\n\t              blockHash: args.vrfInputData.blockHash,\n\t              intentDigest: args.vrfInputData.intentDigest,\n                sessionPolicyDigest32: args.vrfInputData.sessionPolicyDigest32,\n\t            }\n\t          : undefined,\n\t      },\n\t    };\n\n    const response = await ctx.sendMessage(message);\n\n    if (!response.success || !response.data) {\n      throw new Error(`VRF bootstrap keypair generation failed: ${response.error}`);\n    }\n    const data = response.data as { vrf_challenge_data?: VRFChallenge; vrfPublicKey?: string };\n    const challengeData = data.vrf_challenge_data as VRFChallenge | undefined;\n    if (!challengeData) {\n      throw new Error('VRF challenge data failed to be generated');\n    }\n    const vrfPublicKey = data.vrfPublicKey || challengeData.vrfPublicKey;\n    if (!vrfPublicKey) {\n      throw new Error('VRF public key missing in bootstrap response');\n    }\n    if (args.vrfInputData && args.saveInMemory) {\n      // Track the account ID for this VRF session if saving in memory\n      ctx.setCurrentVrfAccountId(args.vrfInputData.userId);\n    }\n\n    // TODO: strong types generated by Rust wasm-bindgen\n    return {\n      vrfPublicKey,\n      vrfChallenge: validateVRFChallenge({\n        vrfInput: challengeData.vrfInput,\n        vrfOutput: challengeData.vrfOutput,\n        vrfProof: challengeData.vrfProof,\n        vrfPublicKey: challengeData.vrfPublicKey,\n        userId: challengeData.userId,\n        rpId: challengeData.rpId,\n        blockHeight: challengeData.blockHeight,\n        blockHash: challengeData.blockHash,\n        ...(challengeData.intentDigest ? { intentDigest: challengeData.intentDigest } : {}),\n        ...(challengeData.sessionPolicyDigest32 ? { sessionPolicyDigest32: challengeData.sessionPolicyDigest32 } : {}),\n      })\n    }\n\n  } catch (error: any) {\n    console.error('VRF Manager: Bootstrap VRF keypair generation failed:', error);\n    throw new Error(`Failed to generate bootstrap VRF keypair: ${error.message}`);\n  }\n}\n"],"mappings":";;;;;;;;;;;AAaA,eAAsB,4BACpB,KACA,MAQC;AACD,OAAM,IAAI;AACV,KAAI;EACF,MAAMA,UAAoE;GACxE,MAAM;GACN,IAAI,IAAI;GACP,SAAS;IAEP,WAAW,KAAK;IAChB,cAAc,KAAK,eACf;KACE,QAAQ,KAAK,aAAa;KAC1B,MAAM,KAAK,aAAa;KACxB,aAAa,OAAO,KAAK,aAAa;KACtC,WAAW,KAAK,aAAa;KAC7B,cAAc,KAAK,aAAa;KAC/B,uBAAuB,KAAK,aAAa;QAE5C;;;EAIT,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,MAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,4CAA4C,SAAS;EAEvE,MAAM,OAAO,SAAS;EACtB,MAAM,gBAAgB,KAAK;AAC3B,MAAI,CAAC,cACH,OAAM,IAAI,MAAM;EAElB,MAAM,eAAe,KAAK,gBAAgB,cAAc;AACxD,MAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,MAAI,KAAK,gBAAgB,KAAK,aAE5B,KAAI,uBAAuB,KAAK,aAAa;AAI/C,SAAO;GACL;GACA,cAAcC,wCAAqB;IACjC,UAAU,cAAc;IACxB,WAAW,cAAc;IACzB,UAAU,cAAc;IACxB,cAAc,cAAc;IAC5B,QAAQ,cAAc;IACtB,MAAM,cAAc;IACpB,aAAa,cAAc;IAC3B,WAAW,cAAc;IACzB,GAAI,cAAc,eAAe,EAAE,cAAc,cAAc,iBAAiB;IAChF,GAAI,cAAc,wBAAwB,EAAE,uBAAuB,cAAc,0BAA0B;;;UAIxGC,OAAY;AACnB,UAAQ,MAAM,yDAAyD;AACvE,QAAM,IAAI,MAAM,6CAA6C,MAAM"}

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/mintSessionKeysAndSendToSigner.js

@@ -1,4 +1,3 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/mintSessionKeysAndSendToSigner.ts
 /**

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/mintSessionKeysAndSendToSigner.js.map

@@ -1 +1 @@
-{"version":3,"file":"mintSessionKeysAndSendToSigner.js","names":["message: VRFWorkerMessage<WasmMintSessionKeysAndSendToSignerRequest>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/mintSessionKeysAndSendToSigner.ts"],"sourcesContent":["import type {\n  VRFWorkerMessage,\n  WasmMintSessionKeysAndSendToSignerRequest,\n} from '../../../types/vrf-worker';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Mint/refresh a VRF-owned signing session and deliver WrapKey material to the signer worker.\n *\n * VRF WASM will:\n * - (optionally) gate on `verify_authentication_response` when `contractId` + `nearRpcUrl` are provided,\n * - derive WrapKeySeed from PRF.first_auth + the in-memory VRF secret key,\n * - choose/generate `wrapKeySalt` (when omitted/empty),\n * - upsert session metadata (TTL + remaining uses),\n * - and send `{ wrap_key_seed, wrapKeySalt, prfSecond? }` to the signer worker over the attached MessagePort.\n *\n * The main thread never receives WrapKeySeed; it only receives `wrapKeySalt` metadata.\n * This expects `createSigningSessionChannel` + signer port attachment to have happened for `sessionId`.\n */\nexport async function mintSessionKeysAndSendToSigner(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    sessionId: string;\n    wrapKeySalt?: string;\n    contractId?: string;\n    nearRpcUrl?: string;\n    ttlMs?: number;\n    remainingUses?: number;\n    credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n  }\n): Promise<{ sessionId: string; wrapKeySalt: string }> {\n  await ctx.ensureWorkerReady(true);\n\n  const message: VRFWorkerMessage<WasmMintSessionKeysAndSendToSignerRequest> = {\n    type: 'MINT_SESSION_KEYS_AND_SEND_TO_SIGNER',\n    id: ctx.generateMessageId(),\n    payload: {\n      sessionId: args.sessionId,\n      // Use empty string as a sentinel to tell the VRF worker to generate wrapKeySalt when none is provided.\n      wrapKeySalt: args.wrapKeySalt ?? '',\n      contractId: args.contractId,\n      nearRpcUrl: args.nearRpcUrl,\n      ttlMs: args.ttlMs,\n      remainingUses: args.remainingUses,\n      credential: args.credential,\n    }\n  };\n  const response = await ctx.sendMessage<WasmMintSessionKeysAndSendToSignerRequest>(message);\n  if (!response.success) {\n    throw new Error(`mintSessionKeysAndSendToSigner failed: ${response.error}`);\n  }\n  // VRF WASM now delivers WrapKeySeed + wrapKeySalt directly to the signer worker via the\n  // attached MessagePort; TS only needs to know that the session is prepared and\n  // what wrapKeySalt was actually used (for new vault entries).\n  const data = (response.data as unknown) as { sessionId: string; wrapKeySalt?: string } | undefined;\n  const wrapKeySalt = data?.wrapKeySalt ?? args.wrapKeySalt ?? '';\n  if (!wrapKeySalt) {\n    throw new Error('mintSessionKeysAndSendToSigner: VRF worker did not return wrapKeySalt');\n  }\n  return { sessionId: data?.sessionId ?? args.sessionId, wrapKeySalt };\n}\n"],"mappings":";;;;;;;;;;;;;;;;AAoBA,eAAsB,+BACpB,KACA,MASqD;AACrD,OAAM,IAAI,kBAAkB;CAE5B,MAAMA,UAAuE;EAC3E,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,WAAW,KAAK;GAEhB,aAAa,KAAK,eAAe;GACjC,YAAY,KAAK;GACjB,YAAY,KAAK;GACjB,OAAO,KAAK;GACZ,eAAe,KAAK;GACpB,YAAY,KAAK;;;CAGrB,MAAM,WAAW,MAAM,IAAI,YAAuD;AAClF,KAAI,CAAC,SAAS,QACZ,OAAM,IAAI,MAAM,0CAA0C,SAAS;CAKrE,MAAM,OAAQ,SAAS;CACvB,MAAM,cAAc,MAAM,eAAe,KAAK,eAAe;AAC7D,KAAI,CAAC,YACH,OAAM,IAAI,MAAM;AAElB,QAAO;EAAE,WAAW,MAAM,aAAa,KAAK;EAAW"}
+{"version":3,"file":"mintSessionKeysAndSendToSigner.js","names":["message: VRFWorkerMessage<WasmMintSessionKeysAndSendToSignerRequest>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/mintSessionKeysAndSendToSigner.ts"],"sourcesContent":["import type {\n  VRFWorkerMessage,\n  WasmMintSessionKeysAndSendToSignerRequest,\n} from '../../../types/vrf-worker';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Mint/refresh a VRF-owned signing session and deliver WrapKey material to the signer worker.\n *\n * VRF WASM will:\n * - (optionally) gate on `verify_authentication_response` when `contractId` + `nearRpcUrl` are provided,\n * - derive WrapKeySeed from PRF.first_auth + the in-memory VRF secret key,\n * - choose/generate `wrapKeySalt` (when omitted/empty),\n * - upsert session metadata (TTL + remaining uses),\n * - and send `{ wrap_key_seed, wrapKeySalt, prfSecond? }` to the signer worker over the attached MessagePort.\n *\n * The main thread never receives WrapKeySeed; it only receives `wrapKeySalt` metadata.\n * This expects `createSigningSessionChannel` + signer port attachment to have happened for `sessionId`.\n */\nexport async function mintSessionKeysAndSendToSigner(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    sessionId: string;\n    wrapKeySalt?: string;\n    contractId?: string;\n    nearRpcUrl?: string;\n    ttlMs?: number;\n    remainingUses?: number;\n    credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n  }\n): Promise<{ sessionId: string; wrapKeySalt: string }> {\n  await ctx.ensureWorkerReady(true);\n\n  const message: VRFWorkerMessage<WasmMintSessionKeysAndSendToSignerRequest> = {\n    type: 'MINT_SESSION_KEYS_AND_SEND_TO_SIGNER',\n    id: ctx.generateMessageId(),\n    payload: {\n      sessionId: args.sessionId,\n      // Use empty string as a sentinel to tell the VRF worker to generate wrapKeySalt when none is provided.\n      wrapKeySalt: args.wrapKeySalt ?? '',\n      contractId: args.contractId,\n      nearRpcUrl: args.nearRpcUrl,\n      ttlMs: args.ttlMs,\n      remainingUses: args.remainingUses,\n      credential: args.credential,\n    }\n  };\n  const response = await ctx.sendMessage<WasmMintSessionKeysAndSendToSignerRequest>(message);\n  if (!response.success) {\n    throw new Error(`mintSessionKeysAndSendToSigner failed: ${response.error}`);\n  }\n  // VRF WASM now delivers WrapKeySeed + wrapKeySalt directly to the signer worker via the\n  // attached MessagePort; TS only needs to know that the session is prepared and\n  // what wrapKeySalt was actually used (for new vault entries).\n  const data = (response.data as unknown) as { sessionId: string; wrapKeySalt?: string } | undefined;\n  const wrapKeySalt = data?.wrapKeySalt ?? args.wrapKeySalt ?? '';\n  if (!wrapKeySalt) {\n    throw new Error('mintSessionKeysAndSendToSigner: VRF worker did not return wrapKeySalt');\n  }\n  return { sessionId: data?.sessionId ?? args.sessionId, wrapKeySalt };\n}\n"],"mappings":";;;;;;;;;;;;;;;AAoBA,eAAsB,+BACpB,KACA,MASqD;AACrD,OAAM,IAAI,kBAAkB;CAE5B,MAAMA,UAAuE;EAC3E,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,WAAW,KAAK;GAEhB,aAAa,KAAK,eAAe;GACjC,YAAY,KAAK;GACjB,YAAY,KAAK;GACjB,OAAO,KAAK;GACZ,eAAe,KAAK;GACpB,YAAY,KAAK;;;CAGrB,MAAM,WAAW,MAAM,IAAI,YAAuD;AAClF,KAAI,CAAC,SAAS,QACZ,OAAM,IAAI,MAAM,0CAA0C,SAAS;CAKrE,MAAM,OAAQ,SAAS;CACvB,MAAM,cAAc,MAAM,eAAe,KAAK,eAAe;AAC7D,KAAI,CAAC,YACH,OAAM,IAAI,MAAM;AAElB,QAAO;EAAE,WAAW,MAAM,aAAa,KAAK;EAAW"}

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/prepareDecryptSession.js

@@ -1,4 +1,3 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/prepareDecryptSession.ts
 /**

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/prepareDecryptSession.js.map

@@ -1 +1 @@
-{"version":3,"file":"prepareDecryptSession.js","names":["message: VRFWorkerMessage<any>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/prepareDecryptSession.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type { EncryptedVRFKeypair, VRFWorkerMessage } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Prepare an export/decrypt session by having the VRF worker derive and deliver WrapKeySeed\n * to the signer worker, using the VRF-owned confirmation flow.\n *\n * This is used by \"offline export\" / decrypt flows where secrets must not touch the main thread.\n */\nexport async function prepareDecryptSession(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    sessionId: string;\n    nearAccountId: AccountId;\n    wrapKeySalt: string;\n    /**\n     * Optional: local encrypted VRF keypair for this account/device.\n     * Supplying this lets the VRF worker unlock the correct VRF secret in offline mode.\n     */\n    encryptedVrfKeypair?: EncryptedVRFKeypair;\n    /**\n     * Optional: expected VRF public key (base64url) for sanity checking/fallback derivation.\n     */\n    expectedVrfPublicKey?: string;\n  }\n): Promise<void> {\n  if (!args.wrapKeySalt) {\n    throw new Error('wrapKeySalt is required for decrypt session');\n  }\n  await ctx.ensureWorkerReady(true);\n  const message: VRFWorkerMessage<any> = {\n    type: 'DECRYPT_SESSION',\n    id: ctx.generateMessageId(),\n    payload: {\n      sessionId: args.sessionId,\n      nearAccountId: String(args.nearAccountId),\n      wrapKeySalt: args.wrapKeySalt,\n      encryptedVrfKeypair: args.encryptedVrfKeypair,\n      expectedVrfPublicKey: args.expectedVrfPublicKey,\n    },\n  };\n  try {\n    console.debug('[VRF] prepareDecryptSession: start', {\n      sessionId: args.sessionId,\n      nearAccountId: String(args.nearAccountId),\n    });\n    const response = await ctx.sendMessage(message);\n    if (!response.success) {\n      console.error('[VRF] prepareDecryptSession: worker reported failure', {\n        sessionId: args.sessionId,\n        nearAccountId: String(args.nearAccountId),\n        error: response.error,\n      });\n      throw new Error(`prepareDecryptSession failed: ${response.error}`);\n    }\n    console.debug('[VRF] prepareDecryptSession: success', {\n      sessionId: args.sessionId,\n      nearAccountId: String(args.nearAccountId),\n    });\n  } catch (error) {\n    console.error('[VRF] prepareDecryptSession: error', {\n      sessionId: args.sessionId,\n      nearAccountId: String(args.nearAccountId),\n      error,\n    });\n    throw error;\n  }\n}\n"],"mappings":";;;;;;;;;AAUA,eAAsB,sBACpB,KACA,MAce;AACf,KAAI,CAAC,KAAK,YACR,OAAM,IAAI,MAAM;AAElB,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAAiC;EACrC,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;GAC3B,aAAa,KAAK;GAClB,qBAAqB,KAAK;GAC1B,sBAAsB,KAAK;;;AAG/B,KAAI;AACF,UAAQ,MAAM,sCAAsC;GAClD,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;;EAE7B,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,MAAI,CAAC,SAAS,SAAS;AACrB,WAAQ,MAAM,wDAAwD;IACpE,WAAW,KAAK;IAChB,eAAe,OAAO,KAAK;IAC3B,OAAO,SAAS;;AAElB,SAAM,IAAI,MAAM,iCAAiC,SAAS;;AAE5D,UAAQ,MAAM,wCAAwC;GACpD,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;;UAEtB,OAAO;AACd,UAAQ,MAAM,sCAAsC;GAClD,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;GAC3B;;AAEF,QAAM"}
+{"version":3,"file":"prepareDecryptSession.js","names":["message: VRFWorkerMessage<any>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/prepareDecryptSession.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type { EncryptedVRFKeypair, VRFWorkerMessage } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Prepare an export/decrypt session by having the VRF worker derive and deliver WrapKeySeed\n * to the signer worker, using the VRF-owned confirmation flow.\n *\n * This is used by \"offline export\" / decrypt flows where secrets must not touch the main thread.\n */\nexport async function prepareDecryptSession(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    sessionId: string;\n    nearAccountId: AccountId;\n    wrapKeySalt: string;\n    /**\n     * Optional: local encrypted VRF keypair for this account/device.\n     * Supplying this lets the VRF worker unlock the correct VRF secret in offline mode.\n     */\n    encryptedVrfKeypair?: EncryptedVRFKeypair;\n    /**\n     * Optional: expected VRF public key (base64url) for sanity checking/fallback derivation.\n     */\n    expectedVrfPublicKey?: string;\n  }\n): Promise<void> {\n  if (!args.wrapKeySalt) {\n    throw new Error('wrapKeySalt is required for decrypt session');\n  }\n  await ctx.ensureWorkerReady(true);\n  const message: VRFWorkerMessage<any> = {\n    type: 'DECRYPT_SESSION',\n    id: ctx.generateMessageId(),\n    payload: {\n      sessionId: args.sessionId,\n      nearAccountId: String(args.nearAccountId),\n      wrapKeySalt: args.wrapKeySalt,\n      encryptedVrfKeypair: args.encryptedVrfKeypair,\n      expectedVrfPublicKey: args.expectedVrfPublicKey,\n    },\n  };\n  try {\n    console.debug('[VRF] prepareDecryptSession: start', {\n      sessionId: args.sessionId,\n      nearAccountId: String(args.nearAccountId),\n    });\n    const response = await ctx.sendMessage(message);\n    if (!response.success) {\n      console.error('[VRF] prepareDecryptSession: worker reported failure', {\n        sessionId: args.sessionId,\n        nearAccountId: String(args.nearAccountId),\n        error: response.error,\n      });\n      throw new Error(`prepareDecryptSession failed: ${response.error}`);\n    }\n    console.debug('[VRF] prepareDecryptSession: success', {\n      sessionId: args.sessionId,\n      nearAccountId: String(args.nearAccountId),\n    });\n  } catch (error) {\n    console.error('[VRF] prepareDecryptSession: error', {\n      sessionId: args.sessionId,\n      nearAccountId: String(args.nearAccountId),\n      error,\n    });\n    throw error;\n  }\n}\n"],"mappings":";;;;;;;;AAUA,eAAsB,sBACpB,KACA,MAce;AACf,KAAI,CAAC,KAAK,YACR,OAAM,IAAI,MAAM;AAElB,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAAiC;EACrC,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;GAC3B,aAAa,KAAK;GAClB,qBAAqB,KAAK;GAC1B,sBAAsB,KAAK;;;AAG/B,KAAI;AACF,UAAQ,MAAM,sCAAsC;GAClD,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;;EAE7B,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,MAAI,CAAC,SAAS,SAAS;AACrB,WAAQ,MAAM,wDAAwD;IACpE,WAAW,KAAK;IAChB,eAAe,OAAO,KAAK;IAC3B,OAAO,SAAS;;AAElB,SAAM,IAAI,MAAM,iCAAiC,SAAS;;AAE5D,UAAQ,MAAM,wCAAwC;GACpD,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;;UAEtB,OAAO;AACd,UAAQ,MAAM,sCAAsC;GAClD,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;GAC3B;;AAEF,QAAM"}

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/requestRegistrationCredentialConfirmation.js

@@ -1,4 +1,3 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
 const require_requestRegistrationCredentialConfirmation = require('../confirmTxFlow/flows/requestRegistrationCredentialConfirmation.js');
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/requestRegistrationCredentialConfirmation.ts

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/requestRegistrationCredentialConfirmation.js.map

@@ -1 +1 @@
-{"version":3,"file":"requestRegistrationCredentialConfirmation.js","names":["requestRegistrationCredentialConfirmation","requestRegistrationCredentialConfirmationFlow"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/requestRegistrationCredentialConfirmation.ts"],"sourcesContent":["import type { ConfirmationConfig } from '../../../types/signer-worker';\nimport type { RegistrationCredentialConfirmationPayload } from '../../SignerWorkerManager/handlers/validation';\nimport { requestRegistrationCredentialConfirmation as requestRegistrationCredentialConfirmationFlow } from '../confirmTxFlow/flows/requestRegistrationCredentialConfirmation';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Kick off the SecureConfirm UI flow for account registration and return the confirmed decision.\n *\n * This is used when the host (main thread) needs a registration credential + VRF challenge + NEAR context,\n * but the UI/confirmation orchestration lives in the VRF worker confirmation flow.\n */\nexport async function requestRegistrationCredentialConfirmation(\n  ctx: VrfWorkerManagerHandlerContext,\n  params: {\n    nearAccountId: string;\n    deviceNumber: number;\n    confirmerText?: { title?: string; body?: string };\n    confirmationConfigOverride?: Partial<ConfirmationConfig>;\n    contractId: string;\n    nearRpcUrl: string;\n  }\n): Promise<RegistrationCredentialConfirmationPayload> {\n  const hostCtx = ctx.getContext();\n  const decision = await requestRegistrationCredentialConfirmationFlow({\n    ctx: hostCtx,\n    nearAccountId: params.nearAccountId,\n    deviceNumber: params.deviceNumber,\n    confirmerText: params.confirmerText,\n    contractId: params.contractId,\n    nearRpcUrl: params.nearRpcUrl,\n    // Flow expects `confirmationConfig` on the request envelope; forward the override.\n    confirmationConfig: params.confirmationConfigOverride,\n  });\n\n  if (!decision.confirmed) {\n    throw new Error(decision.error || 'User rejected registration request');\n  }\n  if (!decision.credential) {\n    throw new Error('Missing credential from registration confirmation');\n  }\n  if (!decision.vrfChallenge) {\n    throw new Error('Missing vrfChallenge from registration confirmation');\n  }\n  if (!decision.transactionContext) {\n    throw new Error('Missing transactionContext from registration confirmation');\n  }\n\n  return decision;\n}\n"],"mappings":";;;;;;;;;;AAWA,eAAsBA,4CACpB,KACA,QAQoD;CACpD,MAAM,UAAU,IAAI;CACpB,MAAM,WAAW,MAAMC,4FAA8C;EACnE,KAAK;EACL,eAAe,OAAO;EACtB,cAAc,OAAO;EACrB,eAAe,OAAO;EACtB,YAAY,OAAO;EACnB,YAAY,OAAO;EAEnB,oBAAoB,OAAO;;AAG7B,KAAI,CAAC,SAAS,UACZ,OAAM,IAAI,MAAM,SAAS,SAAS;AAEpC,KAAI,CAAC,SAAS,WACZ,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,SAAS,aACZ,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,SAAS,mBACZ,OAAM,IAAI,MAAM;AAGlB,QAAO"}
+{"version":3,"file":"requestRegistrationCredentialConfirmation.js","names":["requestRegistrationCredentialConfirmation","requestRegistrationCredentialConfirmationFlow"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/requestRegistrationCredentialConfirmation.ts"],"sourcesContent":["import type { ConfirmationConfig } from '../../../types/signer-worker';\nimport type { RegistrationCredentialConfirmationPayload } from '../../SignerWorkerManager/handlers/validation';\nimport { requestRegistrationCredentialConfirmation as requestRegistrationCredentialConfirmationFlow } from '../confirmTxFlow/flows/requestRegistrationCredentialConfirmation';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Kick off the SecureConfirm UI flow for account registration and return the confirmed decision.\n *\n * This is used when the host (main thread) needs a registration credential + VRF challenge + NEAR context,\n * but the UI/confirmation orchestration lives in the VRF worker confirmation flow.\n */\nexport async function requestRegistrationCredentialConfirmation(\n  ctx: VrfWorkerManagerHandlerContext,\n  params: {\n    nearAccountId: string;\n    deviceNumber: number;\n    confirmerText?: { title?: string; body?: string };\n    confirmationConfigOverride?: Partial<ConfirmationConfig>;\n    contractId: string;\n    nearRpcUrl: string;\n  }\n): Promise<RegistrationCredentialConfirmationPayload> {\n  const hostCtx = ctx.getContext();\n  const decision = await requestRegistrationCredentialConfirmationFlow({\n    ctx: hostCtx,\n    nearAccountId: params.nearAccountId,\n    deviceNumber: params.deviceNumber,\n    confirmerText: params.confirmerText,\n    contractId: params.contractId,\n    nearRpcUrl: params.nearRpcUrl,\n    // Flow expects `confirmationConfig` on the request envelope; forward the override.\n    confirmationConfig: params.confirmationConfigOverride,\n  });\n\n  if (!decision.confirmed) {\n    throw new Error(decision.error || 'User rejected registration request');\n  }\n  if (!decision.credential) {\n    throw new Error('Missing credential from registration confirmation');\n  }\n  if (!decision.vrfChallenge) {\n    throw new Error('Missing vrfChallenge from registration confirmation');\n  }\n  if (!decision.transactionContext) {\n    throw new Error('Missing transactionContext from registration confirmation');\n  }\n\n  return decision;\n}\n"],"mappings":";;;;;;;;;AAWA,eAAsBA,4CACpB,KACA,QAQoD;CACpD,MAAM,UAAU,IAAI;CACpB,MAAM,WAAW,MAAMC,4FAA8C;EACnE,KAAK;EACL,eAAe,OAAO;EACtB,cAAc,OAAO;EACrB,eAAe,OAAO;EACtB,YAAY,OAAO;EACnB,YAAY,OAAO;EAEnB,oBAAoB,OAAO;;AAG7B,KAAI,CAAC,SAAS,UACZ,OAAM,IAAI,MAAM,SAAS,SAAS;AAEpC,KAAI,CAAC,SAAS,WACZ,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,SAAS,aACZ,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,SAAS,mBACZ,OAAM,IAAI,MAAM;AAGlB,QAAO"}

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassDecryptVrfKeypair.js

@@ -1,4 +1,3 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassDecryptVrfKeypair.ts
 /**

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassDecryptVrfKeypair.js.map

@@ -1 +1 @@
-{"version":3,"file":"shamir3PassDecryptVrfKeypair.js","names":["message: VRFWorkerMessage<WasmShamir3PassClientDecryptVrfKeypairRequest>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassDecryptVrfKeypair.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type {\n  VRFWorkerMessage,\n  VRFWorkerResponse,\n  WasmShamir3PassClientDecryptVrfKeypairRequest\n} from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Shamir 3-pass (client): decrypt/unlock a VRF keypair using a server-protected envelope.\n *\n * On success, the VRF keypair becomes active in the VRF worker and is bound (in TS state) to `nearAccountId`.\n */\nexport async function shamir3PassDecryptVrfKeypair(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    nearAccountId: AccountId;\n    kek_s_b64u: string;\n    ciphertextVrfB64u: string;\n    serverKeyId: string;\n  }\n): Promise<VRFWorkerResponse> {\n  await ctx.ensureWorkerReady(true);\n  const message: VRFWorkerMessage<WasmShamir3PassClientDecryptVrfKeypairRequest> = {\n    type: 'SHAMIR3PASS_CLIENT_DECRYPT_VRF_KEYPAIR',\n    id: ctx.generateMessageId(),\n    payload: {\n      nearAccountId: args.nearAccountId,\n      kek_s_b64u: args.kek_s_b64u,\n      ciphertextVrfB64u: args.ciphertextVrfB64u,\n      // Required key for server selection\n      keyId: args.serverKeyId,\n    },\n  };\n  const response = await ctx.sendMessage(message);\n  if (response.success) {\n    ctx.setCurrentVrfAccountId(args.nearAccountId);\n  }\n  return response;\n}\n"],"mappings":";;;;;;;;AAaA,eAAsB,6BACpB,KACA,MAM4B;AAC5B,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAA2E;EAC/E,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,eAAe,KAAK;GACpB,YAAY,KAAK;GACjB,mBAAmB,KAAK;GAExB,OAAO,KAAK;;;CAGhB,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,KAAI,SAAS,QACX,KAAI,uBAAuB,KAAK;AAElC,QAAO"}
+{"version":3,"file":"shamir3PassDecryptVrfKeypair.js","names":["message: VRFWorkerMessage<WasmShamir3PassClientDecryptVrfKeypairRequest>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassDecryptVrfKeypair.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type {\n  VRFWorkerMessage,\n  VRFWorkerResponse,\n  WasmShamir3PassClientDecryptVrfKeypairRequest\n} from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Shamir 3-pass (client): decrypt/unlock a VRF keypair using a server-protected envelope.\n *\n * On success, the VRF keypair becomes active in the VRF worker and is bound (in TS state) to `nearAccountId`.\n */\nexport async function shamir3PassDecryptVrfKeypair(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    nearAccountId: AccountId;\n    kek_s_b64u: string;\n    ciphertextVrfB64u: string;\n    serverKeyId: string;\n  }\n): Promise<VRFWorkerResponse> {\n  await ctx.ensureWorkerReady(true);\n  const message: VRFWorkerMessage<WasmShamir3PassClientDecryptVrfKeypairRequest> = {\n    type: 'SHAMIR3PASS_CLIENT_DECRYPT_VRF_KEYPAIR',\n    id: ctx.generateMessageId(),\n    payload: {\n      nearAccountId: args.nearAccountId,\n      kek_s_b64u: args.kek_s_b64u,\n      ciphertextVrfB64u: args.ciphertextVrfB64u,\n      // Required key for server selection\n      keyId: args.serverKeyId,\n    },\n  };\n  const response = await ctx.sendMessage(message);\n  if (response.success) {\n    ctx.setCurrentVrfAccountId(args.nearAccountId);\n  }\n  return response;\n}\n"],"mappings":";;;;;;;AAaA,eAAsB,6BACpB,KACA,MAM4B;AAC5B,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAA2E;EAC/E,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,eAAe,KAAK;GACpB,YAAY,KAAK;GACjB,mBAAmB,KAAK;GAExB,OAAO,KAAK;;;CAGhB,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,KAAI,SAAS,QACX,KAAI,uBAAuB,KAAK;AAElC,QAAO"}

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassEncryptCurrentVrfKeypair.js

@@ -1,4 +1,3 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassEncryptCurrentVrfKeypair.ts
 /**

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassEncryptCurrentVrfKeypair.js.map

@@ -1 +1 @@
-{"version":3,"file":"shamir3PassEncryptCurrentVrfKeypair.js","names":["message: VRFWorkerMessage<WasmVrfWorkerRequestType>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassEncryptCurrentVrfKeypair.ts"],"sourcesContent":["import type { VRFWorkerMessage, WasmVrfWorkerRequestType } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Shamir 3-pass (client): encrypt the currently-unlocked VRF keypair for server lock flows.\n *\n * Returns ciphertext + client key share (`kek_s_b64u`) + server key id for subsequent unlock.\n */\nexport async function shamir3PassEncryptCurrentVrfKeypair(\n  ctx: VrfWorkerManagerHandlerContext,\n): Promise<{\n  ciphertextVrfB64u: string;\n  kek_s_b64u: string;\n  serverKeyId: string;\n}> {\n  await ctx.ensureWorkerReady(true);\n  const message: VRFWorkerMessage<WasmVrfWorkerRequestType> = {\n    type: 'SHAMIR3PASS_CLIENT_ENCRYPT_CURRENT_VRF_KEYPAIR',\n    id: ctx.generateMessageId(),\n    payload: {} as WasmVrfWorkerRequestType,\n  };\n  const response = await ctx.sendMessage(message);\n  if (!response.success || !response.data) {\n    throw new Error(`VRF encrypt-current failed: ${response.error}`);\n  }\n  const { ciphertextVrfB64u, kek_s_b64u, serverKeyId } = response.data as {\n    ciphertextVrfB64u: string;\n    kek_s_b64u: string;\n    serverKeyId: string;\n  };\n  if (!ciphertextVrfB64u || !kek_s_b64u) {\n    throw new Error('Invalid encrypt-current response');\n  }\n  if (!serverKeyId) {\n    throw new Error('Server did not return keyId from apply-server-lock');\n  }\n  return { ciphertextVrfB64u, kek_s_b64u, serverKeyId };\n}\n"],"mappings":";;;;;;;;AAQA,eAAsB,oCACpB,KAKC;AACD,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAAsD;EAC1D,MAAM;EACN,IAAI,IAAI;EACR,SAAS;;CAEX,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,+BAA+B,SAAS;CAE1D,MAAM,EAAE,mBAAmB,YAAY,gBAAgB,SAAS;AAKhE,KAAI,CAAC,qBAAqB,CAAC,WACzB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,YACH,OAAM,IAAI,MAAM;AAElB,QAAO;EAAE;EAAmB;EAAY"}
+{"version":3,"file":"shamir3PassEncryptCurrentVrfKeypair.js","names":["message: VRFWorkerMessage<WasmVrfWorkerRequestType>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassEncryptCurrentVrfKeypair.ts"],"sourcesContent":["import type { VRFWorkerMessage, WasmVrfWorkerRequestType } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Shamir 3-pass (client): encrypt the currently-unlocked VRF keypair for server lock flows.\n *\n * Returns ciphertext + client key share (`kek_s_b64u`) + server key id for subsequent unlock.\n */\nexport async function shamir3PassEncryptCurrentVrfKeypair(\n  ctx: VrfWorkerManagerHandlerContext,\n): Promise<{\n  ciphertextVrfB64u: string;\n  kek_s_b64u: string;\n  serverKeyId: string;\n}> {\n  await ctx.ensureWorkerReady(true);\n  const message: VRFWorkerMessage<WasmVrfWorkerRequestType> = {\n    type: 'SHAMIR3PASS_CLIENT_ENCRYPT_CURRENT_VRF_KEYPAIR',\n    id: ctx.generateMessageId(),\n    payload: {} as WasmVrfWorkerRequestType,\n  };\n  const response = await ctx.sendMessage(message);\n  if (!response.success || !response.data) {\n    throw new Error(`VRF encrypt-current failed: ${response.error}`);\n  }\n  const { ciphertextVrfB64u, kek_s_b64u, serverKeyId } = response.data as {\n    ciphertextVrfB64u: string;\n    kek_s_b64u: string;\n    serverKeyId: string;\n  };\n  if (!ciphertextVrfB64u || !kek_s_b64u) {\n    throw new Error('Invalid encrypt-current response');\n  }\n  if (!serverKeyId) {\n    throw new Error('Server did not return keyId from apply-server-lock');\n  }\n  return { ciphertextVrfB64u, kek_s_b64u, serverKeyId };\n}\n"],"mappings":";;;;;;;AAQA,eAAsB,oCACpB,KAKC;AACD,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAAsD;EAC1D,MAAM;EACN,IAAI,IAAI;EACR,SAAS;;CAEX,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,+BAA+B,SAAS;CAE1D,MAAM,EAAE,mBAAmB,YAAY,gBAAgB,SAAS;AAKhE,KAAI,CAAC,qBAAqB,CAAC,WACzB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,YACH,OAAM,IAAI,MAAM;AAElB,QAAO;EAAE;EAAmB;EAAY"}

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/unlockVrfKeypair.js

@@ -1,4 +1,3 @@
-const require_rolldown_runtime = require('../../../../_virtual/rolldown_runtime.js');
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/handlers/unlockVrfKeypair.ts
 /**

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/handlers/unlockVrfKeypair.js.map

@@ -1 +1 @@
-{"version":3,"file":"unlockVrfKeypair.js","names":["message: VRFWorkerMessage<WasmUnlockVrfKeypairRequest>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/unlockVrfKeypair.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type {\n  EncryptedVRFKeypair,\n  VRFWorkerMessage,\n  VRFWorkerResponse,\n  WasmUnlockVrfKeypairRequest,\n} from '../../../types/vrf-worker';\nimport type { WebAuthnAuthenticationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Unlock/load the VRF keypair into VRF worker memory using a WebAuthn authentication credential.\n *\n * This is the \"login\" / \"unlock\" path: the VRF worker decrypts the stored encrypted VRF keypair\n * using PRF output, and keeps it active in-memory for subsequent operations (challenge gen, sessions, etc.).\n */\nexport async function unlockVrfKeypair(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    credential: WebAuthnAuthenticationCredential;\n    nearAccountId: AccountId;\n    encryptedVrfKeypair: EncryptedVRFKeypair;\n    onEvent?: (event: { type: string; data: { step: string; message: string } }) => void;\n  }\n): Promise<VRFWorkerResponse> {\n  await ctx.ensureWorkerReady(true);\n\n  args.onEvent?.({\n    type: 'loginProgress',\n    data: {\n      step: 'verifying-server',\n      message: 'TouchId success! Unlocking VRF keypair...'\n    }\n  });\n\n  const message: VRFWorkerMessage<WasmUnlockVrfKeypairRequest> = {\n    type: 'UNLOCK_VRF_KEYPAIR',\n    id: ctx.generateMessageId(),\n    payload: {\n      nearAccountId: args.nearAccountId,\n      encryptedVrfKeypair: args.encryptedVrfKeypair,\n      credential: args.credential,\n    }\n  };\n\n  const response = await ctx.sendMessage(message);\n  if (response.success) {\n    // Track the current VRF session account at TypeScript level\n    ctx.setCurrentVrfAccountId(args.nearAccountId);\n    console.debug(`VRF Manager: VRF keypair unlocked for ${args.nearAccountId}`);\n  } else {\n    console.error('VRF Manager: Failed to unlock VRF keypair:', response.error);\n    console.error('VRF Manager: Full response:', JSON.stringify(response, null, 2));\n    console.error('VRF Manager: Message that was sent:', JSON.stringify(message, null, 2));\n  }\n\n  return response;\n}\n"],"mappings":";;;;;;;;;AAgBA,eAAsB,iBACpB,KACA,MAM4B;AAC5B,OAAM,IAAI,kBAAkB;AAE5B,MAAK,UAAU;EACb,MAAM;EACN,MAAM;GACJ,MAAM;GACN,SAAS;;;CAIb,MAAMA,UAAyD;EAC7D,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,eAAe,KAAK;GACpB,qBAAqB,KAAK;GAC1B,YAAY,KAAK;;;CAIrB,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,KAAI,SAAS,SAAS;AAEpB,MAAI,uBAAuB,KAAK;AAChC,UAAQ,MAAM,yCAAyC,KAAK;QACvD;AACL,UAAQ,MAAM,8CAA8C,SAAS;AACrE,UAAQ,MAAM,+BAA+B,KAAK,UAAU,UAAU,MAAM;AAC5E,UAAQ,MAAM,uCAAuC,KAAK,UAAU,SAAS,MAAM;;AAGrF,QAAO"}
+{"version":3,"file":"unlockVrfKeypair.js","names":["message: VRFWorkerMessage<WasmUnlockVrfKeypairRequest>"],"sources":["../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/unlockVrfKeypair.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type {\n  EncryptedVRFKeypair,\n  VRFWorkerMessage,\n  VRFWorkerResponse,\n  WasmUnlockVrfKeypairRequest,\n} from '../../../types/vrf-worker';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Unlock/load the VRF keypair into VRF worker memory using a WebAuthn authentication credential.\n *\n * This is the \"login\" / \"unlock\" path: the VRF worker decrypts the stored encrypted VRF keypair\n * using PRF output, and keeps it active in-memory for subsequent operations (challenge gen, sessions, etc.).\n */\nexport async function unlockVrfKeypair(\n  ctx: VrfWorkerManagerHandlerContext,\n  args: {\n    credential: WebAuthnAuthenticationCredential | WebAuthnRegistrationCredential;\n    nearAccountId: AccountId;\n    encryptedVrfKeypair: EncryptedVRFKeypair;\n    onEvent?: (event: { type: string; data: { step: string; message: string } }) => void;\n  }\n): Promise<VRFWorkerResponse> {\n  await ctx.ensureWorkerReady(true);\n\n  args.onEvent?.({\n    type: 'loginProgress',\n    data: {\n      step: 'verifying-server',\n      message: 'TouchId success! Unlocking VRF keypair...'\n    }\n  });\n\n  const message: VRFWorkerMessage<WasmUnlockVrfKeypairRequest> = {\n    type: 'UNLOCK_VRF_KEYPAIR',\n    id: ctx.generateMessageId(),\n    payload: {\n      nearAccountId: args.nearAccountId,\n      encryptedVrfKeypair: args.encryptedVrfKeypair,\n      credential: args.credential,\n    }\n  };\n\n  const response = await ctx.sendMessage(message);\n  if (response.success) {\n    // Track the current VRF session account at TypeScript level\n    ctx.setCurrentVrfAccountId(args.nearAccountId);\n    console.debug(`VRF Manager: VRF keypair unlocked for ${args.nearAccountId}`);\n  } else {\n    console.error('VRF Manager: Failed to unlock VRF keypair:', response.error);\n    console.error('VRF Manager: Full response:', JSON.stringify(response, null, 2));\n    console.error('VRF Manager: Message that was sent:', JSON.stringify(message, null, 2));\n  }\n\n  return response;\n}\n"],"mappings":";;;;;;;;AAgBA,eAAsB,iBACpB,KACA,MAM4B;AAC5B,OAAM,IAAI,kBAAkB;AAE5B,MAAK,UAAU;EACb,MAAM;EACN,MAAM;GACJ,MAAM;GACN,SAAS;;;CAIb,MAAMA,UAAyD;EAC7D,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,eAAe,KAAK;GACpB,qBAAqB,KAAK;GAC1B,YAAY,KAAK;;;CAIrB,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,KAAI,SAAS,SAAS;AAEpB,MAAI,uBAAuB,KAAK;AAChC,UAAQ,MAAM,yCAAyC,KAAK;QACvD;AACL,UAAQ,MAAM,8CAA8C,SAAS;AACrE,UAAQ,MAAM,+BAA+B,KAAK,UAAU,UAAU,MAAM;AAC5E,UAAQ,MAAM,uCAAuC,KAAK,UAAU,SAAS,MAAM;;AAGrF,QAAO"}

package/dist/cjs/core/WebAuthnManager/VrfWorkerManager/index.js

@@ -1,6 +1,6 @@
-const require_rolldown_runtime = require('../../../_virtual/rolldown_runtime.js');
 const require_build_paths = require('../../../build-paths.js');
 const require_workers = require('../../sdkPaths/workers.js');
+const require_workerControlMessages = require('../../workerControlMessages.js');
 const require_types = require('./confirmTxFlow/types.js');
 const require_handleSecureConfirmRequest = require('./confirmTxFlow/handleSecureConfirmRequest.js');
 const require_checkVrfStatus = require('./handlers/checkVrfStatus.js');
@@ -8,16 +8,15 @@ const require_clearSession = require('./handlers/clearSession.js');
 const require_clearVrf = require('./handlers/clearVrf.js');
 const require_confirmAndDeriveDevice2RegistrationSession = require('./handlers/confirmAndDeriveDevice2RegistrationSession.js');
 const require_confirmAndPrepareSigningSession = require('./handlers/confirmAndPrepareSigningSession.js');
-const require_createSigningSessionChannel = require('./handlers/createSigningSessionChannel.js');
 const require_deriveVrfKeypairFromPrf = require('./handlers/deriveVrfKeypairFromPrf.js');
 const require_mintSessionKeysAndSendToSigner = require('./handlers/mintSessionKeysAndSendToSigner.js');
 const require_dispenseSessionKey = require('./handlers/dispenseSessionKey.js');
+const require_shamir3PassDecryptVrfKeypair = require('./handlers/shamir3PassDecryptVrfKeypair.js');
 const require_generateVrfChallenge = require('./handlers/generateVrfChallenge.js');
 const require_generateVrfKeypairBootstrap = require('./handlers/generateVrfKeypairBootstrap.js');
 const require_checkSessionStatus = require('./handlers/checkSessionStatus.js');
 const require_prepareDecryptSession = require('./handlers/prepareDecryptSession.js');
 const require_requestRegistrationCredentialConfirmation = require('./handlers/requestRegistrationCredentialConfirmation.js');
-const require_shamir3PassDecryptVrfKeypair = require('./handlers/shamir3PassDecryptVrfKeypair.js');
 const require_shamir3PassEncryptCurrentVrfKeypair = require('./handlers/shamir3PassEncryptCurrentVrfKeypair.js');
 const require_unlockVrfKeypair = require('./handlers/unlockVrfKeypair.js');
 
@@ -78,7 +77,41 @@ var VrfWorkerManager = class {
 	* VRF retains the sibling port for WrapKeySeed delivery.
 	*/
 	async createSigningSessionChannel(sessionId) {
-		return require_createSigningSessionChannel.createSigningSessionChannel(this.getHandlerContext(), sessionId);
+		await this.ensureWorkerReady(true);
+		if (!this.vrfWorker) throw new Error("VRF Web Worker not available");
+		const channel = new MessageChannel();
+		const ackPromise = new Promise((resolve, reject) => {
+			const worker = this.vrfWorker;
+			const timeout = setTimeout(() => {
+				cleanup();
+				reject(/* @__PURE__ */ new Error(`Timeout waiting for VRF WrapKeySeed port attach for session ${sessionId}`));
+			}, 2e3);
+			const onMessage = (event) => {
+				const msg = event?.data;
+				if (!msg || typeof msg.type !== "string") return;
+				if (msg.sessionId !== sessionId) return;
+				if (msg.type === require_workerControlMessages.WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_ERROR) {
+					cleanup();
+					reject(new Error(String(msg.error || "VRF worker failed to attach WrapKeySeed port")));
+					return;
+				}
+				if (msg.type === require_workerControlMessages.WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT_OK) {
+					cleanup();
+					resolve();
+				}
+			};
+			const cleanup = () => {
+				clearTimeout(timeout);
+				worker.removeEventListener("message", onMessage);
+			};
+			worker.addEventListener("message", onMessage);
+		});
+		this.vrfWorker.postMessage({
+			type: require_workerControlMessages.WorkerControlMessage.ATTACH_WRAP_KEY_SEED_PORT,
+			sessionId
+		}, [channel.port1]);
+		await ackPromise;
+		return channel.port2;
 	}
 	/**
 	* Derive WrapKeySeed in the VRF worker and deliver it (along with PRF.second if credential provided)