npm - @tatchi-xyz/sdk - Versions diffs - 0.21.0 → 0.31.0 - Mend

@tatchi-xyz/sdk 0.21.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2488) hide show

package/dist/cjs/core/rpcCalls.js CHANGED Viewed

@@ -1,13 +1,25 @@
-const require_rolldown_runtime = require('../_virtual/rolldown_runtime.js');
+const require_validation = require('../utils/validation.js');
 const require_base64 = require('../utils/base64.js');
-const require_encoders = require('../utils/encoders.js');
 const require_errors = require('../utils/errors.js');
 const require_defaultConfigs = require('./defaultConfigs.js');
+const require_rpc = require('./types/rpc.js');
+const require_vrf_worker = require('./types/vrf-worker.js');
 const require_sdkSentEvents = require('./types/sdkSentEvents.js');
 const require_actions = require('./types/actions.js');
-const require_rpc = require('./types/rpc.js');
 //#region src/core/rpcCalls.ts
+function normalizeByteArray(input) {
+	if (input == null) return input;
+	if (Array.isArray(input)) return input.map((v) => Number(v)).filter((v) => Number.isFinite(v));
+	if (typeof input === "string" && input) try {
+		const bytes = typeof Buffer !== "undefined" ? Buffer.from(input, "base64") : Uint8Array.from(atob(input), (c) => c.charCodeAt(0));
+		const arr = bytes instanceof Uint8Array ? Array.from(bytes) : Array.from(new Uint8Array(bytes));
+		return arr;
+	} catch {
+		return void 0;
+	}
+	return void 0;
+}
 async function getEmailRecoveryAttempt(nearClient, accountId, requestId) {
 	const raw = await nearClient.view({
 		account: accountId,
@@ -26,6 +38,7 @@ async function getEmailRecoveryAttempt(nearClient, accountId, requestId) {
 	})();
 	return {
 		...raw,
+		from_address_hash: normalizeByteArray(raw.from_address_hash) ?? raw.from_address_hash,
 		status
 	};
 }
@@ -62,12 +75,16 @@ async function getDeviceLinkingAccountContractCall(nearClient, contractId, devic
 * This function signs and broadcasts both transactions required for device linking
 */
 async function executeDeviceLinkingContractCalls({ context, device1AccountId, device2PublicKey, nextNonce, nextNextNonce, nextNextNextNonce, txBlockHash, vrfChallenge, onEvent, confirmationConfigOverride, confirmerText }) {
-	const signedTransactions = await context.webAuthnManager.signTransactionsWithActions({
+	const signTransactions = () => context.webAuthnManager.signTransactionsWithActions({
 		rpcCall: {
 			contractId: context.webAuthnManager.tatchiPasskeyConfigs.contractId,
 			nearRpcUrl: context.webAuthnManager.tatchiPasskeyConfigs.nearRpcUrl,
 			nearAccountId: device1AccountId
 		},
+		signerMode: {
+			mode: "threshold-signer",
+			behavior: "fallback"
+		},
 		confirmationConfigOverride,
 		title: confirmerText?.title,
 		body: confirmerText?.body,
@@ -119,6 +136,25 @@ async function executeDeviceLinkingContractCalls({ context, device1AccountId, de
 			});
 		}
 	});
+	let signedTransactions = [];
+	try {
+		signedTransactions = await signTransactions();
+	} catch (e) {
+		if (!isVrfSessionPasskeyMismatchError(e)) throw e;
+		onEvent?.({
+			step: 3,
+			phase: require_sdkSentEvents.DeviceLinkingPhase.STEP_3_AUTHORIZATION,
+			status: require_sdkSentEvents.DeviceLinkingStatus.PROGRESS,
+			message: "Session mismatch detected; re-authenticating with TouchID..."
+		});
+		await repairVrfSessionForCurrentDevice({
+			context,
+			nearAccountId: device1AccountId,
+			remainingUses: 3,
+			ttlMs: 120 * 1e3
+		});
+		signedTransactions = await signTransactions();
+	}
 	if (!signedTransactions[0].signedTransaction) throw new Error("AddKey transaction signing failed");
 	if (!signedTransactions[1].signedTransaction) throw new Error("Contract mapping transaction signing failed");
 	if (!signedTransactions[2].signedTransaction) throw new Error("DeleteKey transaction signing failed");
@@ -160,6 +196,39 @@ async function executeDeviceLinkingContractCalls({ context, device1AccountId, de
 		signedDeleteKeyTransaction: signedTransactions[2].signedTransaction
 	};
 }
+function isVrfSessionPasskeyMismatchError(err) {
+	const msg = require_errors.errorMessage(err) || String(err || "");
+	return msg.includes("different passkey/VRF session than the current device");
+}
+async function repairVrfSessionForCurrentDevice(args) {
+	const { context, nearAccountId } = args;
+	const lastUser = await context.webAuthnManager.getLastUser();
+	if (!lastUser || lastUser.nearAccountId !== nearAccountId) throw new Error("Cannot repair VRF session: no lastUser for this account. Please log in again.");
+	const deviceNumber = lastUser.deviceNumber;
+	if (!Number.isFinite(deviceNumber) || deviceNumber < 1) throw new Error("Cannot repair VRF session: invalid lastUser.deviceNumber");
+	const authenticators = await context.webAuthnManager.getAuthenticatorsByUser(nearAccountId);
+	const credentialIdsForDevice = authenticators.filter((a) => a.deviceNumber === deviceNumber).map((a) => a.credentialId);
+	const credentialIds = credentialIdsForDevice.length > 0 ? credentialIdsForDevice : authenticators.map((a) => a.credentialId);
+	if (credentialIds.length === 0) throw new Error(`Cannot repair VRF session: no authenticators found for ${nearAccountId}`);
+	const challenge = require_vrf_worker.createRandomVRFChallenge();
+	const credential = await context.webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({
+		nearAccountId,
+		challenge,
+		credentialIds
+	});
+	const unlockResult = await context.webAuthnManager.unlockVRFKeypair({
+		nearAccountId,
+		encryptedVrfKeypair: lastUser.encryptedVrfKeypair,
+		credential
+	});
+	if (!unlockResult.success) throw new Error(unlockResult.error || "Failed to re-unlock VRF keypair for current device");
+	await context.webAuthnManager.mintSigningSessionFromCredential({
+		nearAccountId,
+		credential,
+		ttlMs: args.ttlMs,
+		remainingUses: args.remainingUses
+	});
+}
 /**
 * Get credential IDs associated with an account from the contract
 * Used in account recovery to discover available credentials
@@ -219,6 +288,12 @@ async function syncAuthenticatorsContractCall(nearClient, contractId, accountId)
 				}).filter((x) => typeof x === "string" && x.length > 0);
 				return void 0;
 			})();
+			const nearPublicKey = (() => {
+				const raw = contractAuthenticator.near_public_key;
+				if (typeof raw !== "string") return void 0;
+				const trimmed = raw.trim();
+				return trimmed ? require_validation.ensureEd25519Prefix(trimmed) : void 0;
+			})();
 			return {
 				credentialId,
 				authenticator: {
@@ -230,7 +305,8 @@ async function syncAuthenticatorsContractCall(nearClient, contractId, accountId)
 					registered,
 					deviceNumber: contractAuthenticator.device_number,
 					vrfPublicKeys
-				}
+				},
+				...nearPublicKey ? { nearPublicKey } : {}
 			};
 		});
 		return [];
@@ -239,6 +315,7 @@ async function syncAuthenticatorsContractCall(nearClient, contractId, accountId)
 		return [];
 	}
 }
+const EMPTY_NEAR_CODE_HASH = "11111111111111111111111111111111";
 async function hasDeployedContractCode(nearClient, accountId) {
 	try {
 		const account = await nearClient.viewAccount(accountId);
@@ -311,6 +388,50 @@ async function buildSetRecoveryEmailsActions(nearClient, accountId, recoveryEmai
 		deposit: "0"
 	}];
 }
+function sleep(ms) {
+	return new Promise((res) => setTimeout(res, ms));
+}
+function isAccessKeyNotFoundError(err) {
+	const msg = String(require_errors.errorMessage(err) || "").toLowerCase();
+	if (!msg) return false;
+	if (msg.includes("unknown access key") || msg.includes("unknown_access_key") || msg.includes("unknownaccesskey")) return true;
+	if (msg.includes("accesskeydoesnotexist")) return true;
+	if (msg.includes("access key does not exist")) return true;
+	if (msg.includes("access key doesn't exist")) return true;
+	if (msg.includes("access key not found")) return true;
+	if (msg.includes("no such access key")) return true;
+	if (msg.includes("viewing access key") && msg.includes("does not exist") && !msg.includes("account")) return true;
+	return false;
+}
+async function hasAccessKey(nearClient, nearAccountId, publicKey, opts) {
+	const expected = require_validation.ensureEd25519Prefix(publicKey);
+	if (!expected) return false;
+	const attempts = Math.max(1, Math.floor(opts?.attempts ?? 6));
+	const delayMs = Math.max(50, Math.floor(opts?.delayMs ?? 750));
+	for (let i = 0; i < attempts; i++) {
+		try {
+			await nearClient.viewAccessKey(nearAccountId, expected);
+			return true;
+		} catch {}
+		if (i < attempts - 1) await sleep(delayMs);
+	}
+	return false;
+}
+async function waitForAccessKeyAbsent(nearClient, nearAccountId, publicKey, opts) {
+	const expected = require_validation.ensureEd25519Prefix(publicKey);
+	if (!expected) return true;
+	const attempts = Math.max(1, Math.floor(opts?.attempts ?? 6));
+	const delayMs = Math.max(50, Math.floor(opts?.delayMs ?? 650));
+	for (let i = 0; i < attempts; i++) {
+		try {
+			await nearClient.viewAccessKey(nearAccountId, expected);
+		} catch (err) {
+			if (isAccessKeyNotFoundError(err)) return true;
+		}
+		if (i < attempts - 1) await sleep(delayMs);
+	}
+	return false;
+}
 /**
 * View-only registration pre-check.
 *
@@ -320,6 +441,10 @@ async function buildSetRecoveryEmailsActions(nearClient, accountId, recoveryEmai
 */
 async function checkCanRegisterUserContractCall({ nearClient, contractId, vrfChallenge, credential, authenticatorOptions }) {
 	try {
+		const intent_digest_32 = Array.from(require_base64.base64UrlDecode(vrfChallenge.intentDigest || ""));
+		if (intent_digest_32.length !== 32) throw new Error("Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)");
+		const session_policy_digest_32 = vrfChallenge.sessionPolicyDigest32 ? Array.from(require_base64.base64UrlDecode(vrfChallenge.sessionPolicyDigest32)) : [];
+		if (session_policy_digest_32.length !== 0 && session_policy_digest_32.length !== 32) throw new Error("Invalid vrfChallenge.sessionPolicyDigest32 (expected base64url-encoded 32 bytes)");
 		const vrfData = {
 			vrf_input_data: Array.from(require_base64.base64UrlDecode(vrfChallenge.vrfInput)),
 			vrf_output: Array.from(require_base64.base64UrlDecode(vrfChallenge.vrfOutput)),
@@ -328,7 +453,9 @@ async function checkCanRegisterUserContractCall({ nearClient, contractId, vrfCha
 			user_id: vrfChallenge.userId,
 			rp_id: vrfChallenge.rpId,
 			block_height: Number(vrfChallenge.blockHeight),
-			block_hash: Array.from(require_base64.base64UrlDecode(vrfChallenge.blockHash))
+			block_hash: Array.from(require_base64.base64UrlDecode(vrfChallenge.blockHash)),
+			intent_digest_32,
+			...session_policy_digest_32.length ? { session_policy_digest_32 } : {}
 		};
 		const args = {
 			vrf_data: vrfData,
@@ -363,6 +490,10 @@ async function verifyAuthenticationResponse(relayServerUrl, routePath, sessionKi
 			if (!b64u) return [];
 			return Array.from(require_base64.base64UrlDecode(b64u));
 		};
+		const intent_digest_32 = toBytes(vrfChallenge.intentDigest);
+		if (intent_digest_32.length !== 32) throw new Error("Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)");
+		const session_policy_digest_32 = toBytes(vrfChallenge.sessionPolicyDigest32);
+		if (session_policy_digest_32.length !== 0 && session_policy_digest_32.length !== 32) throw new Error("Invalid vrfChallenge.sessionPolicyDigest32 (expected base64url-encoded 32 bytes)");
 		const vrf_data = {
 			vrf_input_data: toBytes(vrfChallenge.vrfInput),
 			vrf_output: toBytes(vrfChallenge.vrfOutput),
@@ -371,7 +502,9 @@ async function verifyAuthenticationResponse(relayServerUrl, routePath, sessionKi
 			user_id: vrfChallenge.userId,
 			rp_id: vrfChallenge.rpId,
 			block_height: Number(vrfChallenge.blockHeight || 0),
-			block_hash: toBytes(vrfChallenge.blockHash)
+			block_hash: toBytes(vrfChallenge.blockHash),
+			intent_digest_32,
+			...session_policy_digest_32.length ? { session_policy_digest_32 } : {}
 		};
 		const webauthn_authentication = {
 			...webauthnAuthentication,
@@ -414,19 +547,127 @@ async function verifyAuthenticationResponse(relayServerUrl, routePath, sessionKi
 		};
 	}
 }
-var EMPTY_NEAR_CODE_HASH;
-var init_rpcCalls = require_rolldown_runtime.__esm({ "src/core/rpcCalls.ts": (() => {
-	require_sdkSentEvents.init_sdkSentEvents();
-	require_actions.init_actions();
-	require_rpc.init_rpc();
-	require_encoders.init_encoders();
-	require_errors.init_errors();
-	require_defaultConfigs.init_defaultConfigs();
-	EMPTY_NEAR_CODE_HASH = "11111111111111111111111111111111";
-}) });
+async function thresholdEd25519Keygen(relayServerUrl, vrfChallenge, webauthnAuthentication, args) {
+	try {
+		const base = String(relayServerUrl || "").trim().replace(/\/$/, "");
+		if (!base) throw new Error("Missing relayServerUrl");
+		const clientVerifyingShareB64u = String(args.clientVerifyingShareB64u || "").trim();
+		if (!clientVerifyingShareB64u) throw new Error("Missing clientVerifyingShareB64u");
+		const nearAccountId = String(args.nearAccountId || "").trim();
+		if (!nearAccountId) throw new Error("Missing nearAccountId");
+		const toBytes = (b64u) => {
+			if (!b64u) return [];
+			return Array.from(require_base64.base64UrlDecode(b64u));
+		};
+		const intent_digest_32 = toBytes(vrfChallenge.intentDigest);
+		if (intent_digest_32.length !== 32) throw new Error("Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)");
+		const vrf_data = {
+			vrf_input_data: toBytes(vrfChallenge.vrfInput),
+			vrf_output: toBytes(vrfChallenge.vrfOutput),
+			vrf_proof: toBytes(vrfChallenge.vrfProof),
+			public_key: toBytes(vrfChallenge.vrfPublicKey),
+			user_id: vrfChallenge.userId,
+			rp_id: vrfChallenge.rpId,
+			block_height: Number(vrfChallenge.blockHeight || 0),
+			block_hash: toBytes(vrfChallenge.blockHash),
+			intent_digest_32
+		};
+		const webauthn_authentication = {
+			...webauthnAuthentication,
+			authenticatorAttachment: webauthnAuthentication.authenticatorAttachment ?? null,
+			response: {
+				...webauthnAuthentication.response,
+				userHandle: webauthnAuthentication.response.userHandle ?? null
+			},
+			clientExtensionResults: null
+		};
+		const url = `${base}/threshold-ed25519/keygen`;
+		const response = await fetch(url, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			credentials: "include",
+			body: JSON.stringify({
+				clientVerifyingShareB64u,
+				nearAccountId,
+				vrf_data,
+				webauthn_authentication
+			})
+		});
+		if (!response.ok) {
+			const errorText = await response.text();
+			return {
+				ok: false,
+				error: `HTTP ${response.status}: ${errorText}`
+			};
+		}
+		const json = await response.json();
+		return {
+			ok: !!json?.ok,
+			clientParticipantId: json?.clientParticipantId,
+			relayerParticipantId: json?.relayerParticipantId,
+			participantIds: json?.participantIds,
+			relayerKeyId: json?.relayerKeyId,
+			publicKey: json?.publicKey,
+			relayerVerifyingShareB64u: json?.relayerVerifyingShareB64u,
+			code: json?.code,
+			message: json?.message
+		};
+	} catch (error) {
+		return {
+			ok: false,
+			error: error?.message || "Failed to keygen threshold-ed25519"
+		};
+	}
+}
+async function thresholdEd25519KeygenFromRegistrationTx(relayServerUrl, args) {
+	try {
+		const base = String(relayServerUrl || "").trim().replace(/\/$/, "");
+		if (!base) throw new Error("Missing relayServerUrl");
+		const clientVerifyingShareB64u = String(args.clientVerifyingShareB64u || "").trim();
+		if (!clientVerifyingShareB64u) throw new Error("Missing clientVerifyingShareB64u");
+		const nearAccountId = String(args.nearAccountId || "").trim();
+		if (!nearAccountId) throw new Error("Missing nearAccountId");
+		const registrationTxHash = String(args.registrationTxHash || "").trim();
+		if (!registrationTxHash) throw new Error("Missing registrationTxHash");
+		const url = `${base}/threshold-ed25519/keygen`;
+		const response = await fetch(url, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			credentials: "include",
+			body: JSON.stringify({
+				clientVerifyingShareB64u,
+				nearAccountId,
+				registrationTxHash
+			})
+		});
+		if (!response.ok) {
+			const errorText = await response.text();
+			return {
+				ok: false,
+				error: `HTTP ${response.status}: ${errorText}`
+			};
+		}
+		const json = await response.json();
+		return {
+			ok: !!json?.ok,
+			clientParticipantId: json?.clientParticipantId,
+			relayerParticipantId: json?.relayerParticipantId,
+			participantIds: json?.participantIds,
+			relayerKeyId: json?.relayerKeyId,
+			publicKey: json?.publicKey,
+			relayerVerifyingShareB64u: json?.relayerVerifyingShareB64u,
+			code: json?.code,
+			message: json?.message
+		};
+	} catch (error) {
+		return {
+			ok: false,
+			error: error?.message || "Failed to keygen threshold-ed25519 from registration tx"
+		};
+	}
+}
 //#endregion
-init_rpcCalls();
 exports.buildSetRecoveryEmailsActions = buildSetRecoveryEmailsActions;
 exports.checkCanRegisterUserContractCall = checkCanRegisterUserContractCall;
 exports.executeDeviceLinkingContractCalls = executeDeviceLinkingContractCalls;
@@ -434,12 +675,10 @@ exports.getCredentialIdsContractCall = getCredentialIdsContractCall;
 exports.getDeviceLinkingAccountContractCall = getDeviceLinkingAccountContractCall;
 exports.getEmailRecoveryAttempt = getEmailRecoveryAttempt;
 exports.getRecoveryEmailHashesContractCall = getRecoveryEmailHashesContractCall;
-Object.defineProperty(exports, 'init_rpcCalls', {
-  enumerable: true,
-  get: function () {
-    return init_rpcCalls;
-  }
-});
+exports.hasAccessKey = hasAccessKey;
 exports.syncAuthenticatorsContractCall = syncAuthenticatorsContractCall;
+exports.thresholdEd25519Keygen = thresholdEd25519Keygen;
+exports.thresholdEd25519KeygenFromRegistrationTx = thresholdEd25519KeygenFromRegistrationTx;
 exports.verifyAuthenticationResponse = verifyAuthenticationResponse;
+exports.waitForAccessKeyAbsent = waitForAccessKeyAbsent;
 //# sourceMappingURL=rpcCalls.js.map

package/dist/cjs/core/rpcCalls.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"rpcCalls.js","names":["error: any","ActionType","ActionPhase","DeviceLinkingPhase","DeviceLinkingStatus","addKeyTxResult: FinalExecutionOutcome","storeDeviceLinkingTxResult: FinalExecutionOutcome","DEFAULT_WAIT_STATUS","txError: any","base64UrlEncode","DEFAULT_EMAIL_RECOVERY_CONTRACTS","err: unknown","errorMessage","base: ActionArgs[]","base64UrlDecode"],"sources":["../../../src/core/rpcCalls.ts"],"sourcesContent":["/*\n Consolidated NEAR Contract Calls\n \n This file contains all the NEAR contract calls made to the web3authn contract\n * throughout the passkey SDK. It provides a centralized location for all\n * contract interactions and makes it easier to maintain and update contract\n * call patterns.\n /\n\nimport type { FinalExecutionOutcome } from '@near-js/types';\nimport type { NearClient, SignedTransaction } from './NearClient';\nimport type { ContractStoredAuthenticator } from './TatchiPasskey/recoverAccount';\nimport type { PasskeyManagerContext } from './TatchiPasskey';\nimport type { AccountId } from './types/accountIds';\nimport type { DeviceLinkingSSEEvent } from './types/sdkSentEvents';\nimport type {\n StoredAuthenticator,\n WebAuthnRegistrationCredential,\n WebAuthnAuthenticationCredential\n} from './types/webauthn';\n\nimport { ActionPhase, DeviceLinkingPhase, DeviceLinkingStatus } from './types/sdkSentEvents';\nimport { ActionType, type ActionArgs } from './types/actions';\nimport { VRFChallenge } from './types/vrf-worker';\nimport { DEFAULT_WAIT_STATUS, TransactionContext } from './types/rpc';\nimport type { AuthenticatorOptions } from './types/authenticatorOptions';\nimport type { ConfirmationConfig } from './types/signer-worker';\nimport { base64UrlDecode, base64UrlEncode } from '../utils/encoders';\nimport { errorMessage } from '../utils/errors';\nimport type { EmailRecoveryContracts } from './types/tatchi';\nimport { DEFAULT_EMAIL_RECOVERY_CONTRACTS } from './defaultConfigs';\n\n// ===========================\n// CONTRACT CALL RESPONSES\n// ===========================\n\nexport interface DeviceLinkingResult {\n linkedAccountId: string;\n deviceNumber: number;\n}\n\nexport interface CredentialIdsResult {\n credentialIds: string[];\n}\n\nexport interface AuthenticatorsResult {\n authenticators: Array<[string, ContractStoredAuthenticator]>;\n}\n\nexport type RecoveryAttemptStatus =\n \| \"Started\"\n \| \"VerifyingDkim\"\n \| \"VerifyingZkEmail\"\n \| \"DkimFailed\"\n \| \"ZkEmailFailed\"\n \| \"PolicyFailed\"\n \| \"Recovering\"\n \| \"AwaitingMoreEmails\"\n \| \"Complete\"\n \| \"Failed\";\n\nexport type RecoveryAttempt = {\n request_id: string;\n status: RecoveryAttemptStatus \| string;\n created_at_ms: number;\n updated_at_ms: number;\n error?: string \| null;\n from_address?: string \| null;\n email_timestamp_ms?: number \| null;\n new_public_key?: string \| null;\n};\n\nexport async function getEmailRecoveryAttempt(\n nearClient: NearClient,\n accountId: string,\n requestId: string\n): Promise<RecoveryAttempt \| null> {\n const raw = await nearClient.view<{ request_id: string }, Omit<RecoveryAttempt, 'status'> & { status: any } \| null>({\n account: accountId,\n method: 'get_recovery_attempt',\n args: { request_id: requestId },\n });\n\n if (!raw) return null;\n\n // Normalization logic for status (string or object enum)\n const statusRaw = raw.status;\n const status = (() => {\n if (typeof statusRaw === 'string') return statusRaw.trim();\n if (statusRaw && typeof statusRaw === 'object') {\n const keys = Object.keys(statusRaw as Record<string, unknown>);\n if (keys.length === 1) {\n return String(keys[0] \|\| '').trim();\n }\n }\n return '';\n })();\n\n return {\n ...raw,\n status: status as RecoveryAttemptStatus,\n };\n}\n\n// ===========================\n// DEVICE LINKING CONTRACT CALLS\n// ===========================\n\n/\n Query the contract to get the account linked to a device public key\n * Used in device linking flow to check if a device key has been added\n \n NEAR does not provide a way to lookup the AccountID an access key has access to.\n * So we store a temporary mapping in the contract to lookup pubkey -> account ID.\n /\nexport async function getDeviceLinkingAccountContractCall(\n nearClient: NearClient,\n contractId: string,\n devicePublicKey: string\n): Promise<DeviceLinkingResult \| null> {\n try {\n const result = await nearClient.callFunction<\n { device_public_key: string },\n [string, number \| string]\n >(\n contractId,\n 'get_device_linking_account',\n { device_public_key: devicePublicKey }\n );\n\n // Handle different result formats\n if (result && Array.isArray(result) && result.length >= 2) {\n const [linkedAccountId, deviceNumberRaw] = result;\n const deviceNumber = Number(deviceNumberRaw);\n if (!Number.isSafeInteger(deviceNumber) \|\| deviceNumber < 0) {\n console.warn(\n 'Invalid deviceNumber returned from get_device_linking_account:',\n deviceNumberRaw\n );\n return null;\n }\n return {\n linkedAccountId,\n deviceNumber\n };\n }\n\n return null;\n } catch (error: any) {\n console.warn('Failed to get device linking account:', error.message);\n return null;\n }\n}\n\n// ===========================\n// DEVICE LINKING TRANSACTION CALLS\n// ===========================\n\n/\n Execute device1's linking transactions (AddKey + Contract mapping)\n * This function signs and broadcasts both transactions required for device linking\n /\nexport async function executeDeviceLinkingContractCalls({\n context,\n device1AccountId,\n device2PublicKey,\n nextNonce,\n nextNextNonce,\n nextNextNextNonce,\n txBlockHash,\n vrfChallenge,\n onEvent,\n confirmationConfigOverride,\n confirmerText,\n}: {\n context: PasskeyManagerContext,\n device1AccountId: AccountId,\n device2PublicKey: string,\n nextNonce: string,\n nextNextNonce: string,\n nextNextNextNonce: string,\n txBlockHash: string,\n vrfChallenge: VRFChallenge,\n onEvent?: (event: DeviceLinkingSSEEvent) => void;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n confirmerText?: { title?: string; body?: string };\n}): Promise<{\n addKeyTxResult: FinalExecutionOutcome;\n storeDeviceLinkingTxResult: FinalExecutionOutcome;\n signedDeleteKeyTransaction: SignedTransaction\n}> {\n\n // Sign three transactions with one PRF authentication\n const signedTransactions = await context.webAuthnManager.signTransactionsWithActions({\n rpcCall: {\n contractId: context.webAuthnManager.tatchiPasskeyConfigs.contractId,\n nearRpcUrl: context.webAuthnManager.tatchiPasskeyConfigs.nearRpcUrl,\n nearAccountId: device1AccountId\n },\n confirmationConfigOverride,\n title: confirmerText?.title,\n body: confirmerText?.body,\n transactions: [\n // Transaction 1: AddKey - Add Device2's key to Device1's account\n {\n receiverId: device1AccountId,\n actions: [{\n action_type: ActionType.AddKey,\n public_key: device2PublicKey,\n access_key: JSON.stringify({\n // NEAR-style AccessKey JSON shape, matching near-api-js:\n // { nonce: number, permission: { FullAccess: {} } }\n nonce: 0,\n permission: { FullAccess: {} },\n }),\n }],\n nonce: nextNonce,\n },\n // Transaction 2: Store temporary mapping in contract so Device2 can lookup Device1's accountID.\n {\n receiverId: context.webAuthnManager.tatchiPasskeyConfigs.contractId,\n actions: [{\n action_type: ActionType.FunctionCall,\n method_name: 'store_device_linking_mapping',\n args: JSON.stringify({\n device_public_key: device2PublicKey,\n target_account_id: device1AccountId,\n }),\n gas: '30000000000000', // 30 TGas for device linking with yield promise automatic cleanup\n deposit: '0'\n }],\n nonce: nextNextNonce,\n },\n // Transaction 3: Remove Device2's temporary key if it fails to complete linking after a timeout\n {\n receiverId: device1AccountId,\n actions: [{\n action_type: ActionType.DeleteKey,\n public_key: device2PublicKey\n }],\n nonce: nextNextNextNonce,\n }\n ],\n onEvent: (progress) => {\n // Bridge all action progress events to the parent so the wallet iframe overlay\n // can expand during user confirmation in wallet-iframe mode.\n try { onEvent?.(progress as any); } catch { }\n // Keep existing mapping for device linking semantics; surface signing as a loading state\n if (progress.phase == ActionPhase.STEP_6_TRANSACTION_SIGNING_COMPLETE) {\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.PROGRESS,\n message: progress.message \|\| 'Transaction signing in progress...'\n })\n }\n }\n });\n\n if (!signedTransactions[0].signedTransaction) {\n throw new Error('AddKey transaction signing failed');\n }\n if (!signedTransactions[1].signedTransaction) {\n throw new Error('Contract mapping transaction signing failed');\n }\n if (!signedTransactions[2].signedTransaction) {\n throw new Error('DeleteKey transaction signing failed');\n }\n\n // Broadcast just the first 2 transactions: addKey and store device linking mapping\n let addKeyTxResult: FinalExecutionOutcome;\n let storeDeviceLinkingTxResult: FinalExecutionOutcome;\n try {\n console.debug('LinkDeviceFlow: AddKey transaction details:', {\n receiverId: signedTransactions[0].signedTransaction.transaction.receiverId,\n actions: signedTransactions[0].signedTransaction.transaction.actions \|\| [],\n transactionKeys: Object.keys(signedTransactions[0].signedTransaction.transaction),\n });\n\n addKeyTxResult = await context.nearClient.sendTransaction(\n signedTransactions[0].signedTransaction,\n DEFAULT_WAIT_STATUS.linkDeviceAddKey\n );\n console.log('LinkDeviceFlow: AddKey transaction result:', addKeyTxResult?.transaction?.hash);\n\n // Send success events immediately after AddKey succeeds\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.SUCCESS,\n message: `AddKey transaction completed successfully!`\n });\n\n // Check if contract mapping transaction is valid before attempting to broadcast\n const contractTx = signedTransactions[1].signedTransaction;\n console.log('LinkDeviceFlow: Contract mapping transaction details:', {\n receiverId: contractTx.transaction.receiverId,\n actions: (contractTx.transaction.actions \|\| []).length\n });\n\n // Standard timeout since nonce conflict should be resolved by the 2s delay\n storeDeviceLinkingTxResult = await context.nearClient.sendTransaction(\n contractTx,\n DEFAULT_WAIT_STATUS.linkDeviceAccountMapping\n );\n\n } catch (txError: any) {\n console.error('LinkDeviceFlow: Transaction broadcasting failed:', txError);\n throw new Error(`Transaction broadcasting failed: ${txError.message}`);\n }\n\n onEvent?.({\n step: 6,\n phase: DeviceLinkingPhase.STEP_6_REGISTRATION,\n status: DeviceLinkingStatus.SUCCESS,\n message: `Device linking completed successfully!`\n });\n\n return {\n addKeyTxResult,\n storeDeviceLinkingTxResult,\n signedDeleteKeyTransaction: signedTransactions[2].signedTransaction\n };\n}\n\n// ===========================\n// ACCOUNT RECOVERY CONTRACT CALLS\n// ===========================\n\n/\n Get credential IDs associated with an account from the contract\n * Used in account recovery to discover available credentials\n /\nexport async function getCredentialIdsContractCall(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<string[]> {\n try {\n const credentialIds = await nearClient.callFunction<{ account_id: AccountId }, string[]>(\n contractId,\n 'get_credential_ids_by_account',\n { account_id: accountId }\n );\n return credentialIds \|\| [];\n } catch (error: any) {\n console.warn('Failed to fetch credential IDs from contract:', error.message);\n return [];\n }\n}\n\n/\n Get all authenticators stored for a user from the contract\n * Used in account recovery to sync authenticator data\n /\nexport async function getAuthenticatorsByUser(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<[string, ContractStoredAuthenticator][]> {\n try {\n const authenticatorsResult = await nearClient.view<{ user_id: AccountId }, [string, ContractStoredAuthenticator][]>({\n account: contractId,\n method: 'get_authenticators_by_user',\n args: { user_id: accountId }\n });\n\n if (authenticatorsResult && Array.isArray(authenticatorsResult)) {\n return authenticatorsResult;\n }\n return [];\n } catch (error: any) {\n console.warn('Failed to fetch authenticators from contract:', error.message);\n return [];\n }\n}\n\nexport async function syncAuthenticatorsContractCall(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<Array<{ credentialId: string, authenticator: StoredAuthenticator }>> {\n try {\n const authenticatorsResult = await getAuthenticatorsByUser(nearClient, contractId, accountId);\n if (authenticatorsResult && Array.isArray(authenticatorsResult)) {\n return authenticatorsResult.map(([credentialId, contractAuthenticator]) => {\n console.log(`Contract authenticator device_number for ${credentialId}:`, contractAuthenticator.device_number);\n\n const transports = Array.isArray(contractAuthenticator.transports)\n ? contractAuthenticator.transports\n : [];\n\n const registered = (() => {\n const raw = String((contractAuthenticator as any).registered ?? '');\n if (!raw) return new Date(0);\n if (/^\\d+$/.test(raw)) {\n const ts = Number(raw);\n return Number.isFinite(ts) ? new Date(ts) : new Date(0);\n }\n const d = new Date(raw);\n return Number.isFinite(d.getTime()) ? d : new Date(0);\n })();\n\n const vrfPublicKeys = (() => {\n const raw = (contractAuthenticator as any).vrf_public_keys;\n if (!raw) return undefined;\n if (Array.isArray(raw) && raw.length > 0 && typeof raw[0] === 'string') {\n return raw as string[];\n }\n if (Array.isArray(raw)) {\n return raw\n .map((entry: unknown) => {\n if (!entry) return null;\n if (entry instanceof Uint8Array) return base64UrlEncode(entry);\n if (Array.isArray(entry)) return base64UrlEncode(new Uint8Array(entry));\n return null;\n })\n .filter((x): x is string => typeof x === 'string' && x.length > 0);\n }\n return undefined;\n })();\n\n return {\n credentialId,\n authenticator: {\n credentialId,\n credentialPublicKey: new Uint8Array(contractAuthenticator.credential_public_key),\n transports,\n userId: accountId,\n name: `Device ${contractAuthenticator.device_number} Authenticator`,\n registered,\n // Store the actual device number from contract (no fallback)\n deviceNumber: contractAuthenticator.device_number,\n vrfPublicKeys\n }\n };\n });\n }\n return [];\n } catch (error: any) {\n console.warn('Failed to fetch authenticators from contract:', error.message);\n return [];\n }\n}\n\n// ===========================\n// RECOVERY EMAIL CONTRACT CALLS\n// ===========================\n\nconst EMPTY_NEAR_CODE_HASH = '11111111111111111111111111111111';\n\nasync function hasDeployedContractCode(nearClient: NearClient, accountId: AccountId): Promise<boolean> {\n try {\n const account = await nearClient.viewAccount(accountId);\n const codeHash = (account as { code_hash?: unknown } \| null)?.code_hash;\n const globalContractHash = (account as { global_contract_hash?: unknown } \| null)?.global_contract_hash;\n const globalContractAccountId = (account as { global_contract_account_id?: unknown } \| null)?.global_contract_account_id;\n\n const hasLocalCode = typeof codeHash === 'string' && codeHash !== EMPTY_NEAR_CODE_HASH;\n const hasGlobalCode =\n (typeof globalContractHash === 'string' && globalContractHash.trim().length > 0) \|\|\n (typeof globalContractAccountId === 'string' && globalContractAccountId.trim().length > 0);\n\n return hasLocalCode \|\| hasGlobalCode;\n } catch {\n return false;\n }\n}\n\n/\n Fetch on-chain recovery email hashes from the per-account contract.\n * Returns [] when no contract is deployed or on failure.\n /\nexport async function getRecoveryEmailHashesContractCall(\n nearClient: NearClient,\n accountId: AccountId\n): Promise<number[][]> {\n try {\n // Prefer `view_account` over `view_code`:\n // - `view_code` is expected to fail for non-contract accounts and is noisy.\n // - `view_account` is lightweight and tells us whether the account uses local contract code\n // or a NEAR \"global contract\" (via `global_contract_` fields).\n const hasContract = await hasDeployedContractCode(nearClient, accountId);\n if (!hasContract) return [];\n\n const hashes = await nearClient.view<Record<string, never>, number[][]>({\n account: accountId,\n method: 'get_recovery_emails',\n args: {} as Record<string, never>,\n });\n\n return Array.isArray(hashes) ? (hashes as number[][]) : [];\n } catch (error) {\n return [];\n }\n}\n\n/*\n Build action args to update on-chain recovery emails for an account.\n * If the per-account contract is missing, deploy/attach the global recoverer via `init_email_recovery`.\n /\nexport async function buildSetRecoveryEmailsActions(\n nearClient: NearClient,\n accountId: AccountId,\n recoveryEmailHashes: number[][],\n contracts: EmailRecoveryContracts = DEFAULT_EMAIL_RECOVERY_CONTRACTS\n): Promise<ActionArgs[]> {\n const hasContract = await hasDeployedContractCode(nearClient, accountId);\n\n const {\n emailRecovererGlobalContract,\n zkEmailVerifierContract,\n emailDkimVerifierContract,\n } = contracts;\n\n // If the account already has a contract (local or global), it still might not be a readable\n // EmailRecoverer instance (e.g. stale state after upgrades). In that case, `set_recovery_emails`\n // would fail while `init_email_recovery` (#[init(ignore_state)]) can safely re-initialize.\n //\n // We keep this as a best-effort probe to avoid wiping state on transient RPC issues.\n let shouldInit = !hasContract;\n if (!shouldInit) {\n try {\n await nearClient.view<Record<string, never>, unknown>({\n account: accountId,\n method: 'get_recovery_emails',\n args: {} as Record<string, never>,\n });\n } catch (err: unknown) {\n const msg = errorMessage(err);\n // Common/expected cases where we should fall back to init:\n // - account has a global contract pointer but no EmailRecoverer-compatible state yet\n // - account has stale/incompatible state after a contract upgrade\n // - account has some other contract (method missing)\n if (/Cannot deserialize the contract state/i.test(msg)\n \|\| /CodeDoesNotExist/i.test(msg)\n \|\| /MethodNotFound/i.test(msg)) {\n shouldInit = true;\n }\n }\n }\n\n const base: ActionArgs[] = [\n {\n type: ActionType.UseGlobalContract,\n accountId: emailRecovererGlobalContract,\n },\n ];\n\n return shouldInit\n ? [\n ...base,\n {\n type: ActionType.FunctionCall,\n methodName: 'init_email_recovery',\n args: {\n zk_email_verifier: zkEmailVerifierContract,\n email_dkim_verifier: emailDkimVerifierContract,\n policy: null,\n recovery_emails: recoveryEmailHashes,\n },\n gas: '80000000000000',\n deposit: '0',\n },\n ]\n : [\n ...base,\n {\n type: ActionType.FunctionCall,\n methodName: 'set_recovery_emails',\n args: {\n recovery_emails: recoveryEmailHashes,\n },\n gas: '80000000000000',\n deposit: '0',\n },\n ];\n}\n\nexport async function fetchNonceBlockHashAndHeight({ nearClient, nearPublicKeyStr, nearAccountId }: {\n nearClient: NearClient,\n nearPublicKeyStr: string,\n nearAccountId: AccountId\n}): Promise<TransactionContext> {\n // Get access key and transaction block info concurrently\n const [accessKeyInfo, txBlockInfo] = await Promise.all([\n nearClient.viewAccessKey(nearAccountId, nearPublicKeyStr)\n .catch(e => { throw new Error(`Failed to fetch Access Key`) }),\n nearClient.viewBlock({ finality: 'final' })\n .catch(e => { throw new Error(`Failed to fetch Block Info`) })\n ]);\n if (!accessKeyInfo \|\| accessKeyInfo.nonce === undefined) {\n throw new Error(`Access key not found or invalid for account ${nearAccountId} with public key ${nearPublicKeyStr}. Response: ${JSON.stringify(accessKeyInfo)}`);\n }\n const nextNonce = (BigInt(accessKeyInfo.nonce) + BigInt(1)).toString();\n const txBlockHeight = String(txBlockInfo.header.height);\n const txBlockHash = txBlockInfo.header.hash; // Keep original base58 string\n\n return {\n nearPublicKeyStr,\n accessKeyInfo,\n nextNonce,\n txBlockHeight,\n txBlockHash,\n };\n}\n\n// ===========================\n// REGISTRATION PRE-CHECK CALL\n// ===========================\n\nexport interface CheckCanRegisterUserResult {\n success: boolean;\n verified: boolean;\n logs: string[];\n error?: string;\n}\n\n/\n View-only registration pre-check.\n \n Calls the contract's `check_can_register_user` view method with VRF data\n * derived from the provided VRF challenge and a serialized WebAuthn\n * registration credential (typically with PRF outputs embedded).\n /\nexport async function checkCanRegisterUserContractCall({\n nearClient,\n contractId,\n vrfChallenge,\n credential,\n authenticatorOptions,\n}: {\n nearClient: NearClient;\n contractId: string;\n vrfChallenge: VRFChallenge;\n credential: WebAuthnRegistrationCredential;\n authenticatorOptions?: AuthenticatorOptions;\n}): Promise<CheckCanRegisterUserResult> {\n try {\n const vrfData = {\n vrf_input_data: Array.from(base64UrlDecode(vrfChallenge.vrfInput)),\n vrf_output: Array.from(base64UrlDecode(vrfChallenge.vrfOutput)),\n vrf_proof: Array.from(base64UrlDecode(vrfChallenge.vrfProof)),\n public_key: Array.from(base64UrlDecode(vrfChallenge.vrfPublicKey)),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight),\n block_hash: Array.from(base64UrlDecode(vrfChallenge.blockHash)),\n };\n\n const args = {\n vrf_data: vrfData,\n webauthn_registration: credential,\n authenticator_options: authenticatorOptions,\n };\n\n const response = await nearClient.callFunction<typeof args, any>(\n contractId,\n 'check_can_register_user',\n args,\n );\n\n const verified = !!response?.verified;\n return {\n success: true,\n verified,\n logs: [],\n error: verified ? undefined : 'Contract registration check failed',\n };\n } catch (err: unknown) {\n return {\n success: false,\n verified: false,\n logs: [],\n error: errorMessage(err) \|\| 'Failed to call check_can_register_user',\n };\n }\n}\n\n\n/\n Verify authentication response through relay server\n * Routes the request to relay server which calls the web3authn contract for verification\n * and issues a JWT or session credential\n */\nexport async function verifyAuthenticationResponse(\n relayServerUrl: string,\n routePath: string,\n sessionKind: 'jwt' \| 'cookie',\n vrfChallenge: VRFChallenge,\n webauthnAuthentication: WebAuthnAuthenticationCredential\n): Promise<{\n success: boolean;\n verified?: boolean;\n jwt?: string;\n sessionCredential?: any;\n error?: string;\n contractResponse?: any;\n}> {\n try {\n // Map VRFChallenge into server ContractVrfData shape (number arrays)\n const toBytes = (b64u: string \| undefined): number[] => {\n if (!b64u) return [];\n return Array.from(base64UrlDecode(b64u));\n };\n const vrf_data = {\n vrf_input_data: toBytes(vrfChallenge.vrfInput),\n vrf_output: toBytes(vrfChallenge.vrfOutput),\n vrf_proof: toBytes(vrfChallenge.vrfProof),\n public_key: toBytes(vrfChallenge.vrfPublicKey),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight \|\| 0),\n block_hash: toBytes(vrfChallenge.blockHash),\n };\n\n // Normalize authenticatorAttachment and userHandle to null for server schema\n const webauthn_authentication = {\n ...webauthnAuthentication,\n authenticatorAttachment: webauthnAuthentication.authenticatorAttachment ?? null,\n response: {\n ...webauthnAuthentication.response,\n userHandle: webauthnAuthentication.response.userHandle ?? null,\n }\n };\n\n const url = `${relayServerUrl.replace(/\\/$/, '')}${routePath.startsWith('/') ? routePath : `/${routePath}`}`;\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n credentials: sessionKind === 'cookie' ? 'include' : 'omit',\n body: JSON.stringify({\n sessionKind: sessionKind,\n vrf_data,\n webauthn_authentication,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n return {\n success: false,\n error: `HTTP ${response.status}: ${errorText}`,\n };\n }\n\n const result = await response.json();\n return {\n success: true,\n verified: result.verified,\n jwt: result.jwt,\n sessionCredential: result.sessionCredential,\n contractResponse: result.contractResponse,\n };\n } catch (error: any) {\n return {\n success: false,\n error: error.message \|\| 'Failed to verify authentication response',\n };\n }\n}\n"],"mappings":";;;;;;;;;;AAwEA,eAAsB,wBACpB,YACA,WACA,WACiC;CACjC,MAAM,MAAM,MAAM,WAAW,KAAuF;EAClH,SAAS;EACT,QAAQ;EACR,MAAM,EAAE,YAAY;;AAGtB,KAAI,CAAC,IAAK,QAAO;CAGjB,MAAM,YAAY,IAAI;CACtB,MAAM,gBAAgB;AACpB,MAAI,OAAO,cAAc,SAAU,QAAO,UAAU;AACpD,MAAI,aAAa,OAAO,cAAc,UAAU;GAC9C,MAAM,OAAO,OAAO,KAAK;AACzB,OAAI,KAAK,WAAW,EAClB,QAAO,OAAO,KAAK,MAAM,IAAI;;AAGjC,SAAO;;AAGT,QAAO;EACL,GAAG;EACK;;;;;;;;;;AAeZ,eAAsB,oCACpB,YACA,YACA,iBACqC;AACrC,KAAI;EACF,MAAM,SAAS,MAAM,WAAW,aAI9B,YACA,8BACA,EAAE,mBAAmB;AAIvB,MAAI,UAAU,MAAM,QAAQ,WAAW,OAAO,UAAU,GAAG;GACzD,MAAM,CAAC,iBAAiB,mBAAmB;GAC3C,MAAM,eAAe,OAAO;AAC5B,OAAI,CAAC,OAAO,cAAc,iBAAiB,eAAe,GAAG;AAC3D,YAAQ,KACN,kEACA;AAEF,WAAO;;AAET,UAAO;IACL;IACA;;;AAIJ,SAAO;UACAA,OAAY;AACnB,UAAQ,KAAK,yCAAyC,MAAM;AAC5D,SAAO;;;;;;;AAYX,eAAsB,kCAAkC,EACtD,SACA,kBACA,kBACA,WACA,eACA,mBACA,aACA,cACA,SACA,4BACA,iBAiBC;CAGD,MAAM,qBAAqB,MAAM,QAAQ,gBAAgB,4BAA4B;EACnF,SAAS;GACP,YAAY,QAAQ,gBAAgB,qBAAqB;GACzD,YAAY,QAAQ,gBAAgB,qBAAqB;GACzD,eAAe;;EAEjB;EACA,OAAO,eAAe;EACtB,MAAM,eAAe;EACrB,cAAc;GAEZ;IACE,YAAY;IACZ,SAAS,CAAC;KACR,aAAaC,2BAAW;KACxB,YAAY;KACZ,YAAY,KAAK,UAAU;MAGzB,OAAO;MACP,YAAY,EAAE,YAAY;;;IAG9B,OAAO;;GAGT;IACE,YAAY,QAAQ,gBAAgB,qBAAqB;IACzD,SAAS,CAAC;KACR,aAAaA,2BAAW;KACxB,aAAa;KACb,MAAM,KAAK,UAAU;MACnB,mBAAmB;MACnB,mBAAmB;;KAErB,KAAK;KACL,SAAS;;IAEX,OAAO;;GAGT;IACE,YAAY;IACZ,SAAS,CAAC;KACR,aAAaA,2BAAW;KACxB,YAAY;;IAEd,OAAO;;;EAGX,UAAU,aAAa;AAGrB,OAAI;AAAE,cAAU;WAA0B;AAE1C,OAAI,SAAS,SAASC,kCAAY,oCAChC,WAAU;IACR,MAAM;IACN,OAAOC,yCAAmB;IAC1B,QAAQC,0CAAoB;IAC5B,SAAS,SAAS,WAAW;;;;AAMrC,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;CAIlB,IAAIC;CACJ,IAAIC;AACJ,KAAI;AACF,UAAQ,MAAM,+CAA+C;GAC3D,YAAY,mBAAmB,GAAG,kBAAkB,YAAY;GAChE,SAAS,mBAAmB,GAAG,kBAAkB,YAAY,WAAW;GACxE,iBAAiB,OAAO,KAAK,mBAAmB,GAAG,kBAAkB;;AAGvE,mBAAiB,MAAM,QAAQ,WAAW,gBACxC,mBAAmB,GAAG,mBACtBC,gCAAoB;AAEtB,UAAQ,IAAI,8CAA8C,gBAAgB,aAAa;AAGvF,YAAU;GACR,MAAM;GACN,OAAOJ,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;EAIX,MAAM,aAAa,mBAAmB,GAAG;AACzC,UAAQ,IAAI,yDAAyD;GACnE,YAAY,WAAW,YAAY;GACnC,UAAU,WAAW,YAAY,WAAW,IAAI;;AAIlD,+BAA6B,MAAM,QAAQ,WAAW,gBACpD,YACAG,gCAAoB;UAGfC,SAAc;AACrB,UAAQ,MAAM,oDAAoD;AAClE,QAAM,IAAI,MAAM,oCAAoC,QAAQ;;AAG9D,WAAU;EACR,MAAM;EACN,OAAOL,yCAAmB;EAC1B,QAAQC,0CAAoB;EAC5B,SAAS;;AAGX,QAAO;EACL;EACA;EACA,4BAA4B,mBAAmB,GAAG;;;;;;;AAYtD,eAAsB,6BACpB,YACA,YACA,WACmB;AACnB,KAAI;EACF,MAAM,gBAAgB,MAAM,WAAW,aACrC,YACA,iCACA,EAAE,YAAY;AAEhB,SAAO,iBAAiB;UACjBJ,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;;;;;AAQX,eAAsB,wBACpB,YACA,YACA,WACkD;AAClD,KAAI;EACF,MAAM,uBAAuB,MAAM,WAAW,KAAsE;GAClH,SAAS;GACT,QAAQ;GACR,MAAM,EAAE,SAAS;;AAGnB,MAAI,wBAAwB,MAAM,QAAQ,sBACxC,QAAO;AAET,SAAO;UACAA,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;AAIX,eAAsB,+BACpB,YACA,YACA,WAC8E;AAC9E,KAAI;EACF,MAAM,uBAAuB,MAAM,wBAAwB,YAAY,YAAY;AACnF,MAAI,wBAAwB,MAAM,QAAQ,sBACxC,QAAO,qBAAqB,KAAK,CAAC,cAAc,2BAA2B;AACzE,WAAQ,IAAI,4CAA4C,aAAa,IAAI,sBAAsB;GAE/F,MAAM,aAAa,MAAM,QAAQ,sBAAsB,cACnD,sBAAsB,aACtB;GAEJ,MAAM,oBAAoB;IACxB,MAAM,MAAM,OAAQ,sBAA8B,cAAc;AAChE,QAAI,CAAC,IAAK,wBAAO,IAAI,KAAK;AAC1B,QAAI,QAAQ,KAAK,MAAM;KACrB,MAAM,KAAK,OAAO;AAClB,YAAO,OAAO,SAAS,MAAM,IAAI,KAAK,sBAAM,IAAI,KAAK;;IAEvD,MAAM,IAAI,IAAI,KAAK;AACnB,WAAO,OAAO,SAAS,EAAE,aAAa,oBAAI,IAAI,KAAK;;GAGrD,MAAM,uBAAuB;IAC3B,MAAM,MAAO,sBAA8B;AAC3C,QAAI,CAAC,IAAK,QAAO;AACjB,QAAI,MAAM,QAAQ,QAAQ,IAAI,SAAS,KAAK,OAAO,IAAI,OAAO,SAC5D,QAAO;AAET,QAAI,MAAM,QAAQ,KAChB,QAAO,IACJ,KAAK,UAAmB;AACvB,SAAI,CAAC,MAAO,QAAO;AACnB,SAAI,iBAAiB,WAAY,QAAOS,+BAAgB;AACxD,SAAI,MAAM,QAAQ,OAAQ,QAAOA,+BAAgB,IAAI,WAAW;AAChE,YAAO;OAER,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS;AAEpE,WAAO;;AAGT,UAAO;IACL;IACA,eAAe;KACb;KACA,qBAAqB,IAAI,WAAW,sBAAsB;KAC1D;KACA,QAAQ;KACR,MAAM,UAAU,sBAAsB,cAAc;KACpD;KAEA,cAAc,sBAAsB;KACpC;;;;AAKR,SAAO;UACAT,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;AAUX,eAAe,wBAAwB,YAAwB,WAAwC;AACrG,KAAI;EACF,MAAM,UAAU,MAAM,WAAW,YAAY;EAC7C,MAAM,WAAY,SAA4C;EAC9D,MAAM,qBAAsB,SAAuD;EACnF,MAAM,0BAA2B,SAA6D;EAE9F,MAAM,eAAe,OAAO,aAAa,YAAY,aAAa;EAClE,MAAM,gBACH,OAAO,uBAAuB,YAAY,mBAAmB,OAAO,SAAS,KAC7E,OAAO,4BAA4B,YAAY,wBAAwB,OAAO,SAAS;AAE1F,SAAO,gBAAgB;SACjB;AACN,SAAO;;;;;;;AAQX,eAAsB,mCACpB,YACA,WACqB;AACrB,KAAI;EAKF,MAAM,cAAc,MAAM,wBAAwB,YAAY;AAC9D,MAAI,CAAC,YAAa,QAAO;EAEzB,MAAM,SAAS,MAAM,WAAW,KAAwC;GACtE,SAAS;GACT,QAAQ;GACR,MAAM;;AAGR,SAAO,MAAM,QAAQ,UAAW,SAAwB;UACjD,OAAO;AACd,SAAO;;;;;;;AAQX,eAAsB,8BACpB,YACA,WACA,qBACA,YAAoCU,yDACb;CACvB,MAAM,cAAc,MAAM,wBAAwB,YAAY;CAE9D,MAAM,EACJ,8BACA,yBACA,8BACE;CAOJ,IAAI,aAAa,CAAC;AAClB,KAAI,CAAC,WACH,KAAI;AACF,QAAM,WAAW,KAAqC;GACpD,SAAS;GACT,QAAQ;GACR,MAAM;;UAEDC,KAAc;EACrB,MAAM,MAAMC,4BAAa;AAKzB,MAAI,yCAAyC,KAAK,QAC7C,oBAAoB,KAAK,QACzB,kBAAkB,KAAK,KAC1B,cAAa;;CAKnB,MAAMC,OAAqB,CACzB;EACE,MAAMZ,2BAAW;EACjB,WAAW;;AAIf,QAAO,aACH,CACE,GAAG,MACH;EACE,MAAMA,2BAAW;EACjB,YAAY;EACZ,MAAM;GACJ,mBAAmB;GACnB,qBAAqB;GACrB,QAAQ;GACR,iBAAiB;;EAEnB,KAAK;EACL,SAAS;MAGb,CACE,GAAG,MACH;EACE,MAAMA,2BAAW;EACjB,YAAY;EACZ,MAAM,EACJ,iBAAiB;EAEnB,KAAK;EACL,SAAS;;;;;;;;;;AAmDnB,eAAsB,iCAAiC,EACrD,YACA,YACA,cACA,YACA,wBAOsC;AACtC,KAAI;EACF,MAAM,UAAU;GACd,gBAAgB,MAAM,KAAKa,+BAAgB,aAAa;GACxD,YAAY,MAAM,KAAKA,+BAAgB,aAAa;GACpD,WAAW,MAAM,KAAKA,+BAAgB,aAAa;GACnD,YAAY,MAAM,KAAKA,+BAAgB,aAAa;GACpD,SAAS,aAAa;GACtB,OAAO,aAAa;GACpB,cAAc,OAAO,aAAa;GAClC,YAAY,MAAM,KAAKA,+BAAgB,aAAa;;EAGtD,MAAM,OAAO;GACX,UAAU;GACV,uBAAuB;GACvB,uBAAuB;;EAGzB,MAAM,WAAW,MAAM,WAAW,aAChC,YACA,2BACA;EAGF,MAAM,WAAW,CAAC,CAAC,UAAU;AAC7B,SAAO;GACL,SAAS;GACT;GACA,MAAM;GACN,OAAO,WAAW,SAAY;;UAEzBH,KAAc;AACrB,SAAO;GACL,SAAS;GACT,UAAU;GACV,MAAM;GACN,OAAOC,4BAAa,QAAQ;;;;;;;;;AAWlC,eAAsB,6BACpB,gBACA,WACA,aACA,cACA,wBAQC;AACD,KAAI;EAEF,MAAM,WAAW,SAAuC;AACtD,OAAI,CAAC,KAAM,QAAO;AAClB,UAAO,MAAM,KAAKE,+BAAgB;;EAEpC,MAAM,WAAW;GACf,gBAAgB,QAAQ,aAAa;GACrC,YAAY,QAAQ,aAAa;GACjC,WAAW,QAAQ,aAAa;GAChC,YAAY,QAAQ,aAAa;GACjC,SAAS,aAAa;GACtB,OAAO,aAAa;GACpB,cAAc,OAAO,aAAa,eAAe;GACjD,YAAY,QAAQ,aAAa;;EAInC,MAAM,0BAA0B;GAC9B,GAAG;GACH,yBAAyB,uBAAuB,2BAA2B;GAC3E,UAAU;IACR,GAAG,uBAAuB;IAC1B,YAAY,uBAAuB,SAAS,cAAc;;;EAI9D,MAAM,MAAM,GAAG,eAAe,QAAQ,OAAO,MAAM,UAAU,WAAW,OAAO,YAAY,IAAI;EAC/F,MAAM,WAAW,MAAM,MAAM,KAAK;GAChC,QAAQ;GACR,SAAS,EACP,gBAAgB;GAElB,aAAa,gBAAgB,WAAW,YAAY;GACpD,MAAM,KAAK,UAAU;IACN;IACb;IACA;;;AAIJ,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS;AACjC,UAAO;IACL,SAAS;IACT,OAAO,QAAQ,SAAS,OAAO,IAAI;;;EAIvC,MAAM,SAAS,MAAM,SAAS;AAC9B,SAAO;GACL,SAAS;GACT,UAAU,OAAO;GACjB,KAAK,OAAO;GACZ,mBAAmB,OAAO;GAC1B,kBAAkB,OAAO;;UAEpBd,OAAY;AACnB,SAAO;GACL,SAAS;GACT,OAAO,MAAM,WAAW;;;;;;;;;;;;CAtTxB,uBAAuB"}
1	+ {"version":3,"file":"rpcCalls.js","names":["error: any","ActionType","ActionPhase","DeviceLinkingPhase","DeviceLinkingStatus","signedTransactions: Array<{ signedTransaction: SignedTransaction }>","e: unknown","addKeyTxResult: FinalExecutionOutcome","storeDeviceLinkingTxResult: FinalExecutionOutcome","DEFAULT_WAIT_STATUS","txError: any","errorMessage","createRandomVRFChallenge","base64UrlEncode","ensureEd25519Prefix","DEFAULT_EMAIL_RECOVERY_CONTRACTS","err: unknown","base: ActionArgs[]","base64UrlDecode"],"sources":["../../../src/core/rpcCalls.ts"],"sourcesContent":["/*\n Consolidated NEAR Contract Calls\n \n This file contains all the NEAR contract calls made to the web3authn contract\n * throughout the passkey SDK. It provides a centralized location for all\n * contract interactions and makes it easier to maintain and update contract\n * call patterns.\n /\n\nimport type { FinalExecutionOutcome } from '@near-js/types';\nimport type { NearClient, SignedTransaction } from './NearClient';\nimport type { ContractStoredAuthenticator } from './TatchiPasskey/syncAccount';\nimport type { PasskeyManagerContext } from './TatchiPasskey';\nimport type { AccountId } from './types/accountIds';\nimport type { DeviceLinkingSSEEvent } from './types/sdkSentEvents';\nimport type {\n StoredAuthenticator,\n WebAuthnRegistrationCredential,\n WebAuthnAuthenticationCredential\n} from './types/webauthn';\n\nimport { ActionPhase, DeviceLinkingPhase, DeviceLinkingStatus } from './types/sdkSentEvents';\nimport { ActionType, type ActionArgs } from './types/actions';\nimport { createRandomVRFChallenge, type VRFChallenge } from './types/vrf-worker';\nimport { DEFAULT_WAIT_STATUS, TransactionContext } from './types/rpc';\nimport type { AuthenticatorOptions } from './types/authenticatorOptions';\nimport type { ConfirmationConfig } from './types/signer-worker';\nimport { base64UrlDecode, base64UrlEncode } from '../utils/encoders';\nimport { errorMessage } from '../utils/errors';\nimport { ensureEd25519Prefix } from '../utils/validation';\nimport type { EmailRecoveryContracts } from './types/tatchi';\nimport { DEFAULT_EMAIL_RECOVERY_CONTRACTS } from './defaultConfigs';\n\n// ===========================\n// CONTRACT CALL RESPONSES\n// ===========================\n\nexport interface DeviceLinkingResult {\n linkedAccountId: string;\n deviceNumber: number;\n}\n\nexport interface CredentialIdsResult {\n credentialIds: string[];\n}\n\nexport interface AuthenticatorsResult {\n authenticators: Array<[string, ContractStoredAuthenticator]>;\n}\n\nexport type RecoveryAttemptStatus =\n \| \"Started\"\n \| \"VerifyingDkim\"\n \| \"VerifyingZkEmail\"\n \| \"DkimFailed\"\n \| \"ZkEmailFailed\"\n \| \"PolicyFailed\"\n \| \"Recovering\"\n \| \"AwaitingMoreEmails\"\n \| \"Complete\"\n \| \"Failed\";\n\nexport type RecoveryAttempt = {\n request_id: string;\n status: RecoveryAttemptStatus \| string;\n created_at_ms: number;\n updated_at_ms: number;\n error?: string \| null;\n /\n 32-byte SHA-256 hash of \"<canonical_from>\|<account_id_lower>\".\n * Returned by newer EmailRecoverer contracts (replaces `from_address`).\n /\n from_address_hash?: number[] \| null;\n /* Legacy field (string email address). /\n from_address?: string \| null;\n email_timestamp_ms?: number \| null;\n new_public_key?: string \| null;\n};\n\nfunction normalizeByteArray(input: unknown): number[] \| null \| undefined {\n if (input == null) return input as null \| undefined;\n\n if (Array.isArray(input)) {\n return input.map((v) => Number(v)).filter((v) => Number.isFinite(v));\n }\n\n if (typeof input === 'string' && input) {\n try {\n const bytes =\n typeof Buffer !== 'undefined'\n ? Buffer.from(input, 'base64')\n : Uint8Array.from(atob(input), (c) => c.charCodeAt(0));\n const arr = bytes instanceof Uint8Array ? Array.from(bytes) : Array.from(new Uint8Array(bytes));\n return arr;\n } catch {\n return undefined;\n }\n }\n\n return undefined;\n}\n\nexport async function getEmailRecoveryAttempt(\n nearClient: NearClient,\n accountId: string,\n requestId: string\n): Promise<RecoveryAttempt \| null> {\n const raw = await nearClient.view<{ request_id: string }, Omit<RecoveryAttempt, 'status'> & { status: any } \| null>({\n account: accountId,\n method: 'get_recovery_attempt',\n args: { request_id: requestId },\n });\n\n if (!raw) return null;\n\n // Normalization logic for status (string or object enum)\n const statusRaw = raw.status;\n const status = (() => {\n if (typeof statusRaw === 'string') return statusRaw.trim();\n if (statusRaw && typeof statusRaw === 'object') {\n const keys = Object.keys(statusRaw as Record<string, unknown>);\n if (keys.length === 1) {\n return String(keys[0] \|\| '').trim();\n }\n }\n return '';\n })();\n\n return {\n ...raw,\n from_address_hash: normalizeByteArray((raw as any).from_address_hash) ?? (raw as any).from_address_hash,\n status: status as RecoveryAttemptStatus,\n };\n}\n\n// ===========================\n// DEVICE LINKING CONTRACT CALLS\n// ===========================\n\n/\n Query the contract to get the account linked to a device public key\n * Used in device linking flow to check if a device key has been added\n \n NEAR does not provide a way to lookup the AccountID an access key has access to.\n * So we store a temporary mapping in the contract to lookup pubkey -> account ID.\n /\nexport async function getDeviceLinkingAccountContractCall(\n nearClient: NearClient,\n contractId: string,\n devicePublicKey: string\n): Promise<DeviceLinkingResult \| null> {\n try {\n const result = await nearClient.callFunction<\n { device_public_key: string },\n [string, number \| string]\n >(\n contractId,\n 'get_device_linking_account',\n { device_public_key: devicePublicKey }\n );\n\n // Handle different result formats\n if (result && Array.isArray(result) && result.length >= 2) {\n const [linkedAccountId, deviceNumberRaw] = result;\n const deviceNumber = Number(deviceNumberRaw);\n if (!Number.isSafeInteger(deviceNumber) \|\| deviceNumber < 0) {\n console.warn(\n 'Invalid deviceNumber returned from get_device_linking_account:',\n deviceNumberRaw\n );\n return null;\n }\n return {\n linkedAccountId,\n deviceNumber\n };\n }\n\n return null;\n } catch (error: any) {\n console.warn('Failed to get device linking account:', error.message);\n return null;\n }\n}\n\n// ===========================\n// DEVICE LINKING TRANSACTION CALLS\n// ===========================\n\n/\n Execute device1's linking transactions (AddKey + Contract mapping)\n * This function signs and broadcasts both transactions required for device linking\n /\nexport async function executeDeviceLinkingContractCalls({\n context,\n device1AccountId,\n device2PublicKey,\n nextNonce,\n nextNextNonce,\n nextNextNextNonce,\n txBlockHash,\n vrfChallenge,\n onEvent,\n confirmationConfigOverride,\n confirmerText,\n}: {\n context: PasskeyManagerContext,\n device1AccountId: AccountId,\n device2PublicKey: string,\n nextNonce: string,\n nextNextNonce: string,\n nextNextNextNonce: string,\n txBlockHash: string,\n vrfChallenge: VRFChallenge,\n onEvent?: (event: DeviceLinkingSSEEvent) => void;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n confirmerText?: { title?: string; body?: string };\n}): Promise<{\n addKeyTxResult: FinalExecutionOutcome;\n storeDeviceLinkingTxResult: FinalExecutionOutcome;\n signedDeleteKeyTransaction: SignedTransaction\n}> {\n\n const signTransactions = () => context.webAuthnManager.signTransactionsWithActions({\n rpcCall: {\n contractId: context.webAuthnManager.tatchiPasskeyConfigs.contractId,\n nearRpcUrl: context.webAuthnManager.tatchiPasskeyConfigs.nearRpcUrl,\n nearAccountId: device1AccountId\n },\n // Prefer threshold signing when available; fall back to local signing if the account\n // is not enrolled with threshold key material.\n signerMode: { mode: 'threshold-signer', behavior: 'fallback' },\n confirmationConfigOverride,\n title: confirmerText?.title,\n body: confirmerText?.body,\n transactions: [\n // Transaction 1: AddKey - Add Device2's key to Device1's account\n {\n receiverId: device1AccountId,\n actions: [{\n action_type: ActionType.AddKey,\n public_key: device2PublicKey,\n access_key: JSON.stringify({\n // NEAR-style AccessKey JSON shape, matching near-api-js:\n // { nonce: number, permission: { FullAccess: {} } }\n nonce: 0,\n permission: { FullAccess: {} },\n }),\n }],\n nonce: nextNonce,\n },\n // Transaction 2: Store temporary mapping in contract so Device2 can lookup Device1's accountID.\n {\n receiverId: context.webAuthnManager.tatchiPasskeyConfigs.contractId,\n actions: [{\n action_type: ActionType.FunctionCall,\n method_name: 'store_device_linking_mapping',\n args: JSON.stringify({\n device_public_key: device2PublicKey,\n target_account_id: device1AccountId,\n }),\n gas: '30000000000000', // 30 TGas for device linking with yield promise automatic cleanup\n deposit: '0'\n }],\n nonce: nextNextNonce,\n },\n // Transaction 3: Remove Device2's temporary key if it fails to complete linking after a timeout\n {\n receiverId: device1AccountId,\n actions: [{\n action_type: ActionType.DeleteKey,\n public_key: device2PublicKey\n }],\n nonce: nextNextNextNonce,\n }\n ],\n onEvent: (progress) => {\n // Bridge all action progress events to the parent so the wallet iframe overlay\n // can expand during user confirmation in wallet-iframe mode.\n try { onEvent?.(progress as any); } catch { }\n // Keep existing mapping for device linking semantics; surface signing as a loading state\n if (progress.phase == ActionPhase.STEP_6_TRANSACTION_SIGNING_COMPLETE) {\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.PROGRESS,\n message: progress.message \|\| 'Transaction signing in progress...'\n })\n }\n }\n });\n\n // Sign three transactions with one PRF authentication\n let signedTransactions: Array<{ signedTransaction: SignedTransaction }> = [];\n try {\n signedTransactions = await signTransactions();\n } catch (e: unknown) {\n if (!isVrfSessionPasskeyMismatchError(e)) throw e;\n\n // This happens when:\n // - the VRF worker is unlocked for a different device's VRF keypair, but\n // - IndexedDB `lastUser` (and thus allowCredentials) points at another device.\n // Fix by re-unlocking the VRF keypair for the current deviceNumber, then retry once.\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.PROGRESS,\n message: 'Session mismatch detected; re-authenticating with TouchID...'\n });\n\n await repairVrfSessionForCurrentDevice({\n context,\n nearAccountId: device1AccountId,\n // Needs to cover 3 txs in a single batch.\n remainingUses: 3,\n ttlMs: 2 60 * 1000,\n });\n\n signedTransactions = await signTransactions();\n }\n\n if (!signedTransactions[0].signedTransaction) {\n throw new Error('AddKey transaction signing failed');\n }\n if (!signedTransactions[1].signedTransaction) {\n throw new Error('Contract mapping transaction signing failed');\n }\n if (!signedTransactions[2].signedTransaction) {\n throw new Error('DeleteKey transaction signing failed');\n }\n\n // Broadcast just the first 2 transactions: addKey and store device linking mapping\n let addKeyTxResult: FinalExecutionOutcome;\n let storeDeviceLinkingTxResult: FinalExecutionOutcome;\n try {\n console.debug('LinkDeviceFlow: AddKey transaction details:', {\n receiverId: signedTransactions[0].signedTransaction.transaction.receiverId,\n actions: signedTransactions[0].signedTransaction.transaction.actions \|\| [],\n transactionKeys: Object.keys(signedTransactions[0].signedTransaction.transaction),\n });\n\n addKeyTxResult = await context.nearClient.sendTransaction(\n signedTransactions[0].signedTransaction,\n DEFAULT_WAIT_STATUS.linkDeviceAddKey\n );\n console.log('LinkDeviceFlow: AddKey transaction result:', addKeyTxResult?.transaction?.hash);\n\n // Send success events immediately after AddKey succeeds\n onEvent?.({\n step: 3,\n phase: DeviceLinkingPhase.STEP_3_AUTHORIZATION,\n status: DeviceLinkingStatus.SUCCESS,\n message: `AddKey transaction completed successfully!`\n });\n\n // Check if contract mapping transaction is valid before attempting to broadcast\n const contractTx = signedTransactions[1].signedTransaction;\n console.log('LinkDeviceFlow: Contract mapping transaction details:', {\n receiverId: contractTx.transaction.receiverId,\n actions: (contractTx.transaction.actions \|\| []).length\n });\n\n // Standard timeout since nonce conflict should be resolved by the 2s delay\n storeDeviceLinkingTxResult = await context.nearClient.sendTransaction(\n contractTx,\n DEFAULT_WAIT_STATUS.linkDeviceAccountMapping\n );\n\n } catch (txError: any) {\n console.error('LinkDeviceFlow: Transaction broadcasting failed:', txError);\n throw new Error(`Transaction broadcasting failed: ${txError.message}`);\n }\n\n onEvent?.({\n step: 6,\n phase: DeviceLinkingPhase.STEP_6_REGISTRATION,\n status: DeviceLinkingStatus.SUCCESS,\n message: `Device linking completed successfully!`\n });\n\n return {\n addKeyTxResult,\n storeDeviceLinkingTxResult,\n signedDeleteKeyTransaction: signedTransactions[2].signedTransaction\n };\n}\n\nfunction isVrfSessionPasskeyMismatchError(err: unknown): boolean {\n const msg = errorMessage(err) \|\| String(err \|\| '');\n return msg.includes('different passkey/VRF session than the current device');\n}\n\nasync function repairVrfSessionForCurrentDevice(args: {\n context: PasskeyManagerContext;\n nearAccountId: AccountId;\n ttlMs?: number;\n remainingUses?: number;\n}): Promise<void> {\n const { context, nearAccountId } = args;\n const lastUser = await context.webAuthnManager.getLastUser();\n if (!lastUser \|\| lastUser.nearAccountId !== nearAccountId) {\n throw new Error('Cannot repair VRF session: no lastUser for this account. Please log in again.');\n }\n const deviceNumber = lastUser.deviceNumber;\n if (!Number.isFinite(deviceNumber) \|\| deviceNumber < 1) {\n throw new Error('Cannot repair VRF session: invalid lastUser.deviceNumber');\n }\n\n const authenticators = await context.webAuthnManager.getAuthenticatorsByUser(nearAccountId);\n const credentialIdsForDevice = authenticators\n .filter((a) => a.deviceNumber === deviceNumber)\n .map((a) => a.credentialId);\n\n const credentialIds = credentialIdsForDevice.length > 0\n ? credentialIdsForDevice\n : authenticators.map((a) => a.credentialId);\n\n if (credentialIds.length === 0) {\n throw new Error(`Cannot repair VRF session: no authenticators found for ${nearAccountId}`);\n }\n\n const challenge = createRandomVRFChallenge();\n const credential = await context.webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge: challenge as VRFChallenge,\n credentialIds,\n });\n\n const unlockResult = await context.webAuthnManager.unlockVRFKeypair({\n nearAccountId,\n encryptedVrfKeypair: lastUser.encryptedVrfKeypair,\n credential: credential as WebAuthnAuthenticationCredential,\n });\n if (!unlockResult.success) {\n throw new Error(unlockResult.error \|\| 'Failed to re-unlock VRF keypair for current device');\n }\n\n // Restore a minimal warm signing session so the retried batch can run without a second TouchID prompt.\n await context.webAuthnManager.mintSigningSessionFromCredential({\n nearAccountId,\n credential: credential as WebAuthnAuthenticationCredential,\n ttlMs: args.ttlMs,\n remainingUses: args.remainingUses,\n });\n}\n\n// ===========================\n// ACCOUNT RECOVERY CONTRACT CALLS\n// ===========================\n\n/*\n Get credential IDs associated with an account from the contract\n * Used in account recovery to discover available credentials\n /\nexport async function getCredentialIdsContractCall(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<string[]> {\n try {\n const credentialIds = await nearClient.callFunction<{ account_id: AccountId }, string[]>(\n contractId,\n 'get_credential_ids_by_account',\n { account_id: accountId }\n );\n return credentialIds \|\| [];\n } catch (error: any) {\n console.warn('Failed to fetch credential IDs from contract:', error.message);\n return [];\n }\n}\n\n/\n Get all authenticators stored for a user from the contract\n * Used in account recovery to sync authenticator data\n /\nexport async function getAuthenticatorsByUser(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<[string, ContractStoredAuthenticator][]> {\n try {\n const authenticatorsResult = await nearClient.view<{ user_id: AccountId }, [string, ContractStoredAuthenticator][]>({\n account: contractId,\n method: 'get_authenticators_by_user',\n args: { user_id: accountId }\n });\n\n if (authenticatorsResult && Array.isArray(authenticatorsResult)) {\n return authenticatorsResult;\n }\n return [];\n } catch (error: any) {\n console.warn('Failed to fetch authenticators from contract:', error.message);\n return [];\n }\n}\n\nexport async function syncAuthenticatorsContractCall(\n nearClient: NearClient,\n contractId: string,\n accountId: AccountId\n): Promise<Array<{ credentialId: string, authenticator: StoredAuthenticator, nearPublicKey?: string }>> {\n try {\n const authenticatorsResult = await getAuthenticatorsByUser(nearClient, contractId, accountId);\n if (authenticatorsResult && Array.isArray(authenticatorsResult)) {\n return authenticatorsResult.map(([credentialId, contractAuthenticator]) => {\n console.log(`Contract authenticator device_number for ${credentialId}:`, contractAuthenticator.device_number);\n\n const transports = Array.isArray(contractAuthenticator.transports)\n ? contractAuthenticator.transports\n : [];\n\n const registered = (() => {\n const raw = String((contractAuthenticator as any).registered ?? '');\n if (!raw) return new Date(0);\n if (/^\\d+$/.test(raw)) {\n const ts = Number(raw);\n return Number.isFinite(ts) ? new Date(ts) : new Date(0);\n }\n const d = new Date(raw);\n return Number.isFinite(d.getTime()) ? d : new Date(0);\n })();\n\n const vrfPublicKeys = (() => {\n const raw = (contractAuthenticator as any).vrf_public_keys;\n if (!raw) return undefined;\n if (Array.isArray(raw) && raw.length > 0 && typeof raw[0] === 'string') {\n return raw as string[];\n }\n if (Array.isArray(raw)) {\n return raw\n .map((entry: unknown) => {\n if (!entry) return null;\n if (entry instanceof Uint8Array) return base64UrlEncode(entry);\n if (Array.isArray(entry)) return base64UrlEncode(new Uint8Array(entry));\n return null;\n })\n .filter((x): x is string => typeof x === 'string' && x.length > 0);\n }\n return undefined;\n })();\n\n const nearPublicKey = (() => {\n const raw = (contractAuthenticator as any).near_public_key;\n if (typeof raw !== 'string') return undefined;\n const trimmed = raw.trim();\n return trimmed ? ensureEd25519Prefix(trimmed) : undefined;\n })();\n\n return {\n credentialId,\n authenticator: {\n credentialId,\n credentialPublicKey: new Uint8Array(contractAuthenticator.credential_public_key),\n transports,\n userId: accountId,\n name: `Device ${contractAuthenticator.device_number} Authenticator`,\n registered,\n // Store the actual device number from contract (no fallback)\n deviceNumber: contractAuthenticator.device_number,\n vrfPublicKeys\n },\n ...(nearPublicKey ? { nearPublicKey } : {})\n };\n });\n }\n return [];\n } catch (error: any) {\n console.warn('Failed to fetch authenticators from contract:', error.message);\n return [];\n }\n}\n\n// ===========================\n// RECOVERY EMAIL CONTRACT CALLS\n// ===========================\n\nconst EMPTY_NEAR_CODE_HASH = '11111111111111111111111111111111';\n\nasync function hasDeployedContractCode(nearClient: NearClient, accountId: AccountId): Promise<boolean> {\n try {\n const account = await nearClient.viewAccount(accountId);\n const codeHash = (account as { code_hash?: unknown } \| null)?.code_hash;\n const globalContractHash = (account as { global_contract_hash?: unknown } \| null)?.global_contract_hash;\n const globalContractAccountId = (account as { global_contract_account_id?: unknown } \| null)?.global_contract_account_id;\n\n const hasLocalCode = typeof codeHash === 'string' && codeHash !== EMPTY_NEAR_CODE_HASH;\n const hasGlobalCode =\n (typeof globalContractHash === 'string' && globalContractHash.trim().length > 0) \|\|\n (typeof globalContractAccountId === 'string' && globalContractAccountId.trim().length > 0);\n\n return hasLocalCode \|\| hasGlobalCode;\n } catch {\n return false;\n }\n}\n\n/\n Fetch on-chain recovery email hashes from the per-account contract.\n * Returns [] when no contract is deployed or on failure.\n /\nexport async function getRecoveryEmailHashesContractCall(\n nearClient: NearClient,\n accountId: AccountId\n): Promise<number[][]> {\n try {\n // Prefer `view_account` over `view_code`:\n // - `view_code` is expected to fail for non-contract accounts and is noisy.\n // - `view_account` is lightweight and tells us whether the account uses local contract code\n // or a NEAR \"global contract\" (via `global_contract_` fields).\n const hasContract = await hasDeployedContractCode(nearClient, accountId);\n if (!hasContract) return [];\n\n const hashes = await nearClient.view<Record<string, never>, number[][]>({\n account: accountId,\n method: 'get_recovery_emails',\n args: {} as Record<string, never>,\n });\n\n return Array.isArray(hashes) ? (hashes as number[][]) : [];\n } catch (error) {\n return [];\n }\n}\n\n/*\n Build action args to update on-chain recovery emails for an account.\n * If the per-account contract is missing, deploy/attach the global recoverer via `init_email_recovery`.\n /\nexport async function buildSetRecoveryEmailsActions(\n nearClient: NearClient,\n accountId: AccountId,\n recoveryEmailHashes: number[][],\n contracts: EmailRecoveryContracts = DEFAULT_EMAIL_RECOVERY_CONTRACTS\n): Promise<ActionArgs[]> {\n const hasContract = await hasDeployedContractCode(nearClient, accountId);\n\n const {\n emailRecovererGlobalContract,\n zkEmailVerifierContract,\n emailDkimVerifierContract,\n } = contracts;\n\n // If the account already has a contract (local or global), it still might not be a readable\n // EmailRecoverer instance (e.g. stale state after upgrades). In that case, `set_recovery_emails`\n // would fail while `init_email_recovery` (#[init(ignore_state)]) can safely re-initialize.\n //\n // We keep this as a best-effort probe to avoid wiping state on transient RPC issues.\n let shouldInit = !hasContract;\n if (!shouldInit) {\n try {\n await nearClient.view<Record<string, never>, unknown>({\n account: accountId,\n method: 'get_recovery_emails',\n args: {} as Record<string, never>,\n });\n } catch (err: unknown) {\n const msg = errorMessage(err);\n // Common/expected cases where we should fall back to init:\n // - account has a global contract pointer but no EmailRecoverer-compatible state yet\n // - account has stale/incompatible state after a contract upgrade\n // - account has some other contract (method missing)\n if (/Cannot deserialize the contract state/i.test(msg)\n \|\| /CodeDoesNotExist/i.test(msg)\n \|\| /MethodNotFound/i.test(msg)) {\n shouldInit = true;\n }\n }\n }\n\n const base: ActionArgs[] = [\n {\n type: ActionType.UseGlobalContract,\n accountId: emailRecovererGlobalContract,\n },\n ];\n\n return shouldInit\n ? [\n ...base,\n {\n type: ActionType.FunctionCall,\n methodName: 'init_email_recovery',\n args: {\n zk_email_verifier: zkEmailVerifierContract,\n email_dkim_verifier: emailDkimVerifierContract,\n policy: null,\n recovery_emails: recoveryEmailHashes,\n },\n gas: '80000000000000',\n deposit: '0',\n },\n ]\n : [\n ...base,\n {\n type: ActionType.FunctionCall,\n methodName: 'set_recovery_emails',\n args: {\n recovery_emails: recoveryEmailHashes,\n },\n gas: '80000000000000',\n deposit: '0',\n },\n ];\n}\n\nexport async function fetchNonceBlockHashAndHeight({ nearClient, nearPublicKeyStr, nearAccountId }: {\n nearClient: NearClient,\n nearPublicKeyStr: string,\n nearAccountId: AccountId\n}): Promise<TransactionContext> {\n // Get access key and transaction block info concurrently\n const [accessKeyInfo, txBlockInfo] = await Promise.all([\n nearClient.viewAccessKey(nearAccountId, nearPublicKeyStr)\n .catch(e => { throw new Error(`Failed to fetch Access Key`) }),\n nearClient.viewBlock({ finality: 'final' })\n .catch(e => { throw new Error(`Failed to fetch Block Info`) })\n ]);\n if (!accessKeyInfo \|\| accessKeyInfo.nonce === undefined) {\n throw new Error(`Access key not found or invalid for account ${nearAccountId} with public key ${nearPublicKeyStr}. Response: ${JSON.stringify(accessKeyInfo)}`);\n }\n const nextNonce = (BigInt(accessKeyInfo.nonce) + BigInt(1)).toString();\n const txBlockHeight = String(txBlockInfo.header.height);\n const txBlockHash = txBlockInfo.header.hash; // Keep original base58 string\n\n return {\n nearPublicKeyStr,\n accessKeyInfo,\n nextNonce,\n txBlockHeight,\n txBlockHash,\n };\n}\n\n// ===========================\n// ACCESS KEY HELPERS\n// ===========================\n\nexport type AccessKeyWaitOptions = {\n attempts?: number;\n delayMs?: number;\n};\n\nfunction sleep(ms: number): Promise<void> {\n return new Promise((res) => setTimeout(res, ms));\n}\n\nfunction isAccessKeyNotFoundError(err: unknown): boolean {\n const msg = String(errorMessage(err) \|\| '').toLowerCase();\n if (!msg) return false;\n\n // Common NEAR node / near-api-js phrasing for missing access keys.\n if (msg.includes('unknown access key') \|\| msg.includes('unknown_access_key') \|\| msg.includes('unknownaccesskey')) {\n return true;\n }\n if (msg.includes('accesskeydoesnotexist')) return true;\n if (msg.includes('access key does not exist')) return true;\n if (msg.includes(\"access key doesn't exist\")) return true;\n if (msg.includes('access key not found')) return true;\n if (msg.includes('no such access key')) return true;\n if (msg.includes('viewing access key') && msg.includes('does not exist') && !msg.includes('account')) return true;\n\n return false;\n}\n\nexport async function hasAccessKey(\n nearClient: NearClient,\n nearAccountId: string,\n publicKey: string,\n opts?: AccessKeyWaitOptions,\n): Promise<boolean> {\n const expected = ensureEd25519Prefix(publicKey);\n if (!expected) return false;\n\n const attempts = Math.max(1, Math.floor(opts?.attempts ?? 6));\n const delayMs = Math.max(50, Math.floor(opts?.delayMs ?? 750));\n\n for (let i = 0; i < attempts; i++) {\n try {\n await nearClient.viewAccessKey(nearAccountId, expected);\n return true;\n } catch {\n // tolerate transient view errors during propagation; retry\n }\n if (i < attempts - 1) {\n await sleep(delayMs);\n }\n }\n return false;\n}\n\nexport async function waitForAccessKeyAbsent(\n nearClient: NearClient,\n nearAccountId: string,\n publicKey: string,\n opts?: AccessKeyWaitOptions,\n): Promise<boolean> {\n const expected = ensureEd25519Prefix(publicKey);\n if (!expected) return true;\n\n const attempts = Math.max(1, Math.floor(opts?.attempts ?? 6));\n const delayMs = Math.max(50, Math.floor(opts?.delayMs ?? 650));\n\n for (let i = 0; i < attempts; i++) {\n try {\n await nearClient.viewAccessKey(nearAccountId, expected);\n } catch (err: unknown) {\n if (isAccessKeyNotFoundError(err)) return true;\n // tolerate transient view errors during propagation; retry\n }\n if (i < attempts - 1) {\n await sleep(delayMs);\n }\n }\n return false;\n}\n\n// ===========================\n// REGISTRATION PRE-CHECK CALL\n// ===========================\n\nexport interface CheckCanRegisterUserResult {\n success: boolean;\n verified: boolean;\n logs: string[];\n error?: string;\n}\n\n/\n View-only registration pre-check.\n \n Calls the contract's `check_can_register_user` view method with VRF data\n * derived from the provided VRF challenge and a serialized WebAuthn\n * registration credential (typically with PRF outputs embedded).\n /\nexport async function checkCanRegisterUserContractCall({\n nearClient,\n contractId,\n vrfChallenge,\n credential,\n authenticatorOptions,\n}: {\n nearClient: NearClient;\n contractId: string;\n vrfChallenge: VRFChallenge;\n credential: WebAuthnRegistrationCredential;\n authenticatorOptions?: AuthenticatorOptions;\n}): Promise<CheckCanRegisterUserResult> {\n try {\n const intent_digest_32 = Array.from(base64UrlDecode(vrfChallenge.intentDigest \|\| ''));\n if (intent_digest_32.length !== 32) {\n throw new Error('Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)');\n }\n const session_policy_digest_32 = vrfChallenge.sessionPolicyDigest32\n ? Array.from(base64UrlDecode(vrfChallenge.sessionPolicyDigest32))\n : [];\n if (session_policy_digest_32.length !== 0 && session_policy_digest_32.length !== 32) {\n throw new Error('Invalid vrfChallenge.sessionPolicyDigest32 (expected base64url-encoded 32 bytes)');\n }\n const vrfData = {\n vrf_input_data: Array.from(base64UrlDecode(vrfChallenge.vrfInput)),\n vrf_output: Array.from(base64UrlDecode(vrfChallenge.vrfOutput)),\n vrf_proof: Array.from(base64UrlDecode(vrfChallenge.vrfProof)),\n public_key: Array.from(base64UrlDecode(vrfChallenge.vrfPublicKey)),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight),\n block_hash: Array.from(base64UrlDecode(vrfChallenge.blockHash)),\n intent_digest_32,\n ...(session_policy_digest_32.length ? { session_policy_digest_32 } : {}),\n };\n\n const args = {\n vrf_data: vrfData,\n webauthn_registration: credential,\n authenticator_options: authenticatorOptions,\n };\n\n const response = await nearClient.callFunction<typeof args, any>(\n contractId,\n 'check_can_register_user',\n args,\n );\n\n const verified = !!response?.verified;\n return {\n success: true,\n verified,\n logs: [],\n error: verified ? undefined : 'Contract registration check failed',\n };\n } catch (err: unknown) {\n return {\n success: false,\n verified: false,\n logs: [],\n error: errorMessage(err) \|\| 'Failed to call check_can_register_user',\n };\n }\n}\n\n\n/\n Verify authentication response through relay server\n * Routes the request to relay server which calls the web3authn contract for verification\n * and issues a JWT or session credential\n /\nexport async function verifyAuthenticationResponse(\n relayServerUrl: string,\n routePath: string,\n sessionKind: 'jwt' \| 'cookie',\n vrfChallenge: VRFChallenge,\n webauthnAuthentication: WebAuthnAuthenticationCredential\n): Promise<{\n success: boolean;\n verified?: boolean;\n jwt?: string;\n sessionCredential?: any;\n error?: string;\n contractResponse?: any;\n}> {\n try {\n // Map VRFChallenge into server ContractVrfData shape (number arrays)\n const toBytes = (b64u: string \| undefined): number[] => {\n if (!b64u) return [];\n return Array.from(base64UrlDecode(b64u));\n };\n const intent_digest_32 = toBytes(vrfChallenge.intentDigest);\n if (intent_digest_32.length !== 32) {\n throw new Error('Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)');\n }\n const session_policy_digest_32 = toBytes(vrfChallenge.sessionPolicyDigest32);\n if (session_policy_digest_32.length !== 0 && session_policy_digest_32.length !== 32) {\n throw new Error('Invalid vrfChallenge.sessionPolicyDigest32 (expected base64url-encoded 32 bytes)');\n }\n const vrf_data = {\n vrf_input_data: toBytes(vrfChallenge.vrfInput),\n vrf_output: toBytes(vrfChallenge.vrfOutput),\n vrf_proof: toBytes(vrfChallenge.vrfProof),\n public_key: toBytes(vrfChallenge.vrfPublicKey),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight \|\| 0),\n block_hash: toBytes(vrfChallenge.blockHash),\n intent_digest_32,\n ...(session_policy_digest_32.length ? { session_policy_digest_32 } : {}),\n };\n\n // Normalize authenticatorAttachment and userHandle to null for server schema\n const webauthn_authentication = {\n ...webauthnAuthentication,\n authenticatorAttachment: webauthnAuthentication.authenticatorAttachment ?? null,\n response: {\n ...webauthnAuthentication.response,\n userHandle: webauthnAuthentication.response.userHandle ?? null,\n }\n };\n\n const url = `${relayServerUrl.replace(/\\/$/, '')}${routePath.startsWith('/') ? routePath : `/${routePath}`}`;\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n credentials: sessionKind === 'cookie' ? 'include' : 'omit',\n body: JSON.stringify({\n sessionKind: sessionKind,\n vrf_data,\n webauthn_authentication,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n return {\n success: false,\n error: `HTTP ${response.status}: ${errorText}`,\n };\n }\n\n const result = await response.json();\n return {\n success: true,\n verified: result.verified,\n jwt: result.jwt,\n sessionCredential: result.sessionCredential,\n contractResponse: result.contractResponse,\n };\n } catch (error: any) {\n return {\n success: false,\n error: error.message \|\| 'Failed to verify authentication response',\n };\n }\n}\n\nexport async function authorizeThresholdEd25519(\n relayServerUrl: string,\n vrfChallenge: VRFChallenge,\n webauthnAuthentication: WebAuthnAuthenticationCredential,\n args: {\n relayerKeyId: string;\n clientVerifyingShareB64u: string;\n purpose: string;\n /\n Exact 32-byte digest that will be co-signed (tx hash / delegate hash / NEP-413 hash).\n * The relayer must bind this digest to the VRF-authorized `intent_digest_32`.\n */\n signingDigest32: number[];\n signingPayload?: unknown;\n },\n): Promise<{\n ok: boolean;\n mpcSessionId?: string;\n expiresAt?: string;\n code?: string;\n message?: string;\n error?: string;\n}> {\n try {\n const toBytes = (b64u: string \| undefined): number[] => {\n if (!b64u) return [];\n return Array.from(base64UrlDecode(b64u));\n };\n const intent_digest_32 = toBytes(vrfChallenge.intentDigest);\n if (intent_digest_32.length !== 32) {\n throw new Error('Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)');\n }\n const vrf_data = {\n vrf_input_data: toBytes(vrfChallenge.vrfInput),\n vrf_output: toBytes(vrfChallenge.vrfOutput),\n vrf_proof: toBytes(vrfChallenge.vrfProof),\n public_key: toBytes(vrfChallenge.vrfPublicKey),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight \|\| 0),\n block_hash: toBytes(vrfChallenge.blockHash),\n intent_digest_32,\n };\n\n const clientVerifyingShareBytes = toBytes(args.clientVerifyingShareB64u);\n if (clientVerifyingShareBytes.length !== 32) {\n throw new Error('Missing or invalid args.clientVerifyingShareB64u (expected base64url-encoded 32 bytes)');\n }\n\n // Strip extension results before sending to the relay (never send PRF outputs).\n const webauthn_authentication = {\n ...webauthnAuthentication,\n authenticatorAttachment: webauthnAuthentication.authenticatorAttachment ?? null,\n response: {\n ...webauthnAuthentication.response,\n userHandle: webauthnAuthentication.response.userHandle ?? null,\n },\n clientExtensionResults: null,\n };\n\n const url = `${relayServerUrl.replace(/\\/$/, '')}/threshold-ed25519/authorize`;\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n credentials: 'include',\n body: JSON.stringify({\n relayerKeyId: args.relayerKeyId,\n clientVerifyingShareB64u: args.clientVerifyingShareB64u,\n purpose: args.purpose,\n signing_digest_32: (() => {\n const d = args.signingDigest32;\n if (!Array.isArray(d) \|\| d.length !== 32) {\n throw new Error('Missing or invalid args.signingDigest32 (expected number[32])');\n }\n return d;\n })(),\n signingPayload: args.signingPayload,\n vrf_data,\n webauthn_authentication,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n return { ok: false, error: `HTTP ${response.status}: ${errorText}` };\n }\n\n const json = await response.json();\n return {\n ok: !!json?.ok,\n mpcSessionId: json?.mpcSessionId,\n expiresAt: json?.expiresAt,\n code: json?.code,\n message: json?.message,\n };\n } catch (error: any) {\n return { ok: false, error: error?.message \|\| 'Failed to authorize threshold-ed25519 signing' };\n }\n}\n\nexport async function thresholdEd25519Keygen(\n relayServerUrl: string,\n vrfChallenge: VRFChallenge,\n webauthnAuthentication: WebAuthnAuthenticationCredential,\n args: {\n clientVerifyingShareB64u: string;\n nearAccountId: string;\n },\n): Promise<{\n ok: boolean;\n clientParticipantId?: number;\n relayerParticipantId?: number;\n participantIds?: number[];\n relayerKeyId?: string;\n publicKey?: string;\n relayerVerifyingShareB64u?: string;\n code?: string;\n message?: string;\n error?: string;\n}> {\n try {\n const base = String(relayServerUrl \|\| '').trim().replace(/\\/$/, '');\n if (!base) throw new Error('Missing relayServerUrl');\n\n const clientVerifyingShareB64u = String(args.clientVerifyingShareB64u \|\| '').trim();\n if (!clientVerifyingShareB64u) throw new Error('Missing clientVerifyingShareB64u');\n\n const nearAccountId = String(args.nearAccountId \|\| '').trim();\n if (!nearAccountId) throw new Error('Missing nearAccountId');\n\n const toBytes = (b64u: string \| undefined): number[] => {\n if (!b64u) return [];\n return Array.from(base64UrlDecode(b64u));\n };\n const intent_digest_32 = toBytes(vrfChallenge.intentDigest);\n if (intent_digest_32.length !== 32) {\n throw new Error('Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)');\n }\n const vrf_data = {\n vrf_input_data: toBytes(vrfChallenge.vrfInput),\n vrf_output: toBytes(vrfChallenge.vrfOutput),\n vrf_proof: toBytes(vrfChallenge.vrfProof),\n public_key: toBytes(vrfChallenge.vrfPublicKey),\n user_id: vrfChallenge.userId,\n rp_id: vrfChallenge.rpId,\n block_height: Number(vrfChallenge.blockHeight \|\| 0),\n block_hash: toBytes(vrfChallenge.blockHash),\n intent_digest_32,\n };\n\n // Strip extension results before sending to the relay (never send PRF outputs).\n const webauthn_authentication = {\n ...webauthnAuthentication,\n authenticatorAttachment: webauthnAuthentication.authenticatorAttachment ?? null,\n response: {\n ...webauthnAuthentication.response,\n userHandle: webauthnAuthentication.response.userHandle ?? null,\n },\n clientExtensionResults: null,\n };\n\n const url = `${base}/threshold-ed25519/keygen`;\n const response = await fetch(url, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n credentials: 'include',\n body: JSON.stringify({\n clientVerifyingShareB64u,\n nearAccountId,\n vrf_data,\n webauthn_authentication,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n return { ok: false, error: `HTTP ${response.status}: ${errorText}` };\n }\n\n const json = await response.json();\n return {\n ok: !!json?.ok,\n clientParticipantId: json?.clientParticipantId,\n relayerParticipantId: json?.relayerParticipantId,\n participantIds: json?.participantIds,\n relayerKeyId: json?.relayerKeyId,\n publicKey: json?.publicKey,\n relayerVerifyingShareB64u: json?.relayerVerifyingShareB64u,\n code: json?.code,\n message: json?.message,\n };\n } catch (error: any) {\n return { ok: false, error: error?.message \|\| 'Failed to keygen threshold-ed25519' };\n }\n}\n\nexport async function thresholdEd25519KeygenFromRegistrationTx(\n relayServerUrl: string,\n args: {\n clientVerifyingShareB64u: string;\n nearAccountId: string;\n registrationTxHash: string;\n },\n): Promise<{\n ok: boolean;\n clientParticipantId?: number;\n relayerParticipantId?: number;\n participantIds?: number[];\n relayerKeyId?: string;\n publicKey?: string;\n relayerVerifyingShareB64u?: string;\n code?: string;\n message?: string;\n error?: string;\n}> {\n try {\n const base = String(relayServerUrl \|\| '').trim().replace(/\\/$/, '');\n if (!base) throw new Error('Missing relayServerUrl');\n\n const clientVerifyingShareB64u = String(args.clientVerifyingShareB64u \|\| '').trim();\n if (!clientVerifyingShareB64u) throw new Error('Missing clientVerifyingShareB64u');\n\n const nearAccountId = String(args.nearAccountId \|\| '').trim();\n if (!nearAccountId) throw new Error('Missing nearAccountId');\n\n const registrationTxHash = String(args.registrationTxHash \|\| '').trim();\n if (!registrationTxHash) throw new Error('Missing registrationTxHash');\n\n const url = `${base}/threshold-ed25519/keygen`;\n const response = await fetch(url, {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n credentials: 'include',\n body: JSON.stringify({\n clientVerifyingShareB64u,\n nearAccountId,\n registrationTxHash,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n return { ok: false, error: `HTTP ${response.status}: ${errorText}` };\n }\n\n const json = await response.json();\n return {\n ok: !!json?.ok,\n clientParticipantId: json?.clientParticipantId,\n relayerParticipantId: json?.relayerParticipantId,\n participantIds: json?.participantIds,\n relayerKeyId: json?.relayerKeyId,\n publicKey: json?.publicKey,\n relayerVerifyingShareB64u: json?.relayerVerifyingShareB64u,\n code: json?.code,\n message: json?.message,\n };\n } catch (error: any) {\n return { ok: false, error: error?.message \|\| 'Failed to keygen threshold-ed25519 from registration tx' };\n }\n}\n"],"mappings":";;;;;;;;;;AA+EA,SAAS,mBAAmB,OAA6C;AACvE,KAAI,SAAS,KAAM,QAAO;AAE1B,KAAI,MAAM,QAAQ,OAChB,QAAO,MAAM,KAAK,MAAM,OAAO,IAAI,QAAQ,MAAM,OAAO,SAAS;AAGnE,KAAI,OAAO,UAAU,YAAY,MAC/B,KAAI;EACF,MAAM,QACJ,OAAO,WAAW,cACd,OAAO,KAAK,OAAO,YACnB,WAAW,KAAK,KAAK,SAAS,MAAM,EAAE,WAAW;EACvD,MAAM,MAAM,iBAAiB,aAAa,MAAM,KAAK,SAAS,MAAM,KAAK,IAAI,WAAW;AACxF,SAAO;SACD;AACN,SAAO;;AAIX,QAAO;;AAGT,eAAsB,wBACpB,YACA,WACA,WACiC;CACjC,MAAM,MAAM,MAAM,WAAW,KAAuF;EAClH,SAAS;EACT,QAAQ;EACR,MAAM,EAAE,YAAY;;AAGtB,KAAI,CAAC,IAAK,QAAO;CAGjB,MAAM,YAAY,IAAI;CACtB,MAAM,gBAAgB;AACpB,MAAI,OAAO,cAAc,SAAU,QAAO,UAAU;AACpD,MAAI,aAAa,OAAO,cAAc,UAAU;GAC9C,MAAM,OAAO,OAAO,KAAK;AACzB,OAAI,KAAK,WAAW,EAClB,QAAO,OAAO,KAAK,MAAM,IAAI;;AAGjC,SAAO;;AAGT,QAAO;EACL,GAAG;EACH,mBAAmB,mBAAoB,IAAY,sBAAuB,IAAY;EAC9E;;;;;;;;;;AAeZ,eAAsB,oCACpB,YACA,YACA,iBACqC;AACrC,KAAI;EACF,MAAM,SAAS,MAAM,WAAW,aAI9B,YACA,8BACA,EAAE,mBAAmB;AAIvB,MAAI,UAAU,MAAM,QAAQ,WAAW,OAAO,UAAU,GAAG;GACzD,MAAM,CAAC,iBAAiB,mBAAmB;GAC3C,MAAM,eAAe,OAAO;AAC5B,OAAI,CAAC,OAAO,cAAc,iBAAiB,eAAe,GAAG;AAC3D,YAAQ,KACN,kEACA;AAEF,WAAO;;AAET,UAAO;IACL;IACA;;;AAIJ,SAAO;UACAA,OAAY;AACnB,UAAQ,KAAK,yCAAyC,MAAM;AAC5D,SAAO;;;;;;;AAYX,eAAsB,kCAAkC,EACtD,SACA,kBACA,kBACA,WACA,eACA,mBACA,aACA,cACA,SACA,4BACA,iBAiBC;CAED,MAAM,yBAAyB,QAAQ,gBAAgB,4BAA4B;EACjF,SAAS;GACP,YAAY,QAAQ,gBAAgB,qBAAqB;GACzD,YAAY,QAAQ,gBAAgB,qBAAqB;GACzD,eAAe;;EAIjB,YAAY;GAAE,MAAM;GAAoB,UAAU;;EAClD;EACA,OAAO,eAAe;EACtB,MAAM,eAAe;EACrB,cAAc;GAEZ;IACE,YAAY;IACZ,SAAS,CAAC;KACR,aAAaC,2BAAW;KACxB,YAAY;KACZ,YAAY,KAAK,UAAU;MAGzB,OAAO;MACP,YAAY,EAAE,YAAY;;;IAG9B,OAAO;;GAGT;IACE,YAAY,QAAQ,gBAAgB,qBAAqB;IACzD,SAAS,CAAC;KACR,aAAaA,2BAAW;KACxB,aAAa;KACb,MAAM,KAAK,UAAU;MACnB,mBAAmB;MACnB,mBAAmB;;KAErB,KAAK;KACL,SAAS;;IAEX,OAAO;;GAGT;IACE,YAAY;IACZ,SAAS,CAAC;KACR,aAAaA,2BAAW;KACxB,YAAY;;IAEd,OAAO;;;EAGX,UAAU,aAAa;AAGrB,OAAI;AAAE,cAAU;WAA0B;AAE1C,OAAI,SAAS,SAASC,kCAAY,oCAChC,WAAU;IACR,MAAM;IACN,OAAOC,yCAAmB;IAC1B,QAAQC,0CAAoB;IAC5B,SAAS,SAAS,WAAW;;;;CAOrC,IAAIC,qBAAsE;AAC1E,KAAI;AACF,uBAAqB,MAAM;UACpBC,GAAY;AACnB,MAAI,CAAC,iCAAiC,GAAI,OAAM;AAMhD,YAAU;GACR,MAAM;GACN,OAAOH,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;AAGX,QAAM,iCAAiC;GACrC;GACA,eAAe;GAEf,eAAe;GACf,OAAO,MAAS;;AAGlB,uBAAqB,MAAM;;AAG7B,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,mBAAmB,GAAG,kBACzB,OAAM,IAAI,MAAM;CAIlB,IAAIG;CACJ,IAAIC;AACJ,KAAI;AACF,UAAQ,MAAM,+CAA+C;GAC3D,YAAY,mBAAmB,GAAG,kBAAkB,YAAY;GAChE,SAAS,mBAAmB,GAAG,kBAAkB,YAAY,WAAW;GACxE,iBAAiB,OAAO,KAAK,mBAAmB,GAAG,kBAAkB;;AAGvE,mBAAiB,MAAM,QAAQ,WAAW,gBACxC,mBAAmB,GAAG,mBACtBC,gCAAoB;AAEtB,UAAQ,IAAI,8CAA8C,gBAAgB,aAAa;AAGvF,YAAU;GACR,MAAM;GACN,OAAON,yCAAmB;GAC1B,QAAQC,0CAAoB;GAC5B,SAAS;;EAIX,MAAM,aAAa,mBAAmB,GAAG;AACzC,UAAQ,IAAI,yDAAyD;GACnE,YAAY,WAAW,YAAY;GACnC,UAAU,WAAW,YAAY,WAAW,IAAI;;AAIlD,+BAA6B,MAAM,QAAQ,WAAW,gBACpD,YACAK,gCAAoB;UAGfC,SAAc;AACrB,UAAQ,MAAM,oDAAoD;AAClE,QAAM,IAAI,MAAM,oCAAoC,QAAQ;;AAG9D,WAAU;EACR,MAAM;EACN,OAAOP,yCAAmB;EAC1B,QAAQC,0CAAoB;EAC5B,SAAS;;AAGX,QAAO;EACL;EACA;EACA,4BAA4B,mBAAmB,GAAG;;;AAItD,SAAS,iCAAiC,KAAuB;CAC/D,MAAM,MAAMO,4BAAa,QAAQ,OAAO,OAAO;AAC/C,QAAO,IAAI,SAAS;;AAGtB,eAAe,iCAAiC,MAK9B;CAChB,MAAM,EAAE,SAAS,kBAAkB;CACnC,MAAM,WAAW,MAAM,QAAQ,gBAAgB;AAC/C,KAAI,CAAC,YAAY,SAAS,kBAAkB,cAC1C,OAAM,IAAI,MAAM;CAElB,MAAM,eAAe,SAAS;AAC9B,KAAI,CAAC,OAAO,SAAS,iBAAiB,eAAe,EACnD,OAAM,IAAI,MAAM;CAGlB,MAAM,iBAAiB,MAAM,QAAQ,gBAAgB,wBAAwB;CAC7E,MAAM,yBAAyB,eAC5B,QAAQ,MAAM,EAAE,iBAAiB,cACjC,KAAK,MAAM,EAAE;CAEhB,MAAM,gBAAgB,uBAAuB,SAAS,IAClD,yBACA,eAAe,KAAK,MAAM,EAAE;AAEhC,KAAI,cAAc,WAAW,EAC3B,OAAM,IAAI,MAAM,0DAA0D;CAG5E,MAAM,YAAYC;CAClB,MAAM,aAAa,MAAM,QAAQ,gBAAgB,8CAA8C;EAC7F;EACW;EACX;;CAGF,MAAM,eAAe,MAAM,QAAQ,gBAAgB,iBAAiB;EAClE;EACA,qBAAqB,SAAS;EAClB;;AAEd,KAAI,CAAC,aAAa,QAChB,OAAM,IAAI,MAAM,aAAa,SAAS;AAIxC,OAAM,QAAQ,gBAAgB,iCAAiC;EAC7D;EACY;EACZ,OAAO,KAAK;EACZ,eAAe,KAAK;;;;;;;AAYxB,eAAsB,6BACpB,YACA,YACA,WACmB;AACnB,KAAI;EACF,MAAM,gBAAgB,MAAM,WAAW,aACrC,YACA,iCACA,EAAE,YAAY;AAEhB,SAAO,iBAAiB;UACjBZ,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;;;;;AAQX,eAAsB,wBACpB,YACA,YACA,WACkD;AAClD,KAAI;EACF,MAAM,uBAAuB,MAAM,WAAW,KAAsE;GAClH,SAAS;GACT,QAAQ;GACR,MAAM,EAAE,SAAS;;AAGnB,MAAI,wBAAwB,MAAM,QAAQ,sBACxC,QAAO;AAET,SAAO;UACAA,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;AAIX,eAAsB,+BACpB,YACA,YACA,WACsG;AACtG,KAAI;EACF,MAAM,uBAAuB,MAAM,wBAAwB,YAAY,YAAY;AACnF,MAAI,wBAAwB,MAAM,QAAQ,sBACxC,QAAO,qBAAqB,KAAK,CAAC,cAAc,2BAA2B;AACzE,WAAQ,IAAI,4CAA4C,aAAa,IAAI,sBAAsB;GAE/F,MAAM,aAAa,MAAM,QAAQ,sBAAsB,cACnD,sBAAsB,aACtB;GAEJ,MAAM,oBAAoB;IACxB,MAAM,MAAM,OAAQ,sBAA8B,cAAc;AAChE,QAAI,CAAC,IAAK,wBAAO,IAAI,KAAK;AAC1B,QAAI,QAAQ,KAAK,MAAM;KACrB,MAAM,KAAK,OAAO;AAClB,YAAO,OAAO,SAAS,MAAM,IAAI,KAAK,sBAAM,IAAI,KAAK;;IAEvD,MAAM,IAAI,IAAI,KAAK;AACnB,WAAO,OAAO,SAAS,EAAE,aAAa,oBAAI,IAAI,KAAK;;GAGrD,MAAM,uBAAuB;IAC3B,MAAM,MAAO,sBAA8B;AAC3C,QAAI,CAAC,IAAK,QAAO;AACjB,QAAI,MAAM,QAAQ,QAAQ,IAAI,SAAS,KAAK,OAAO,IAAI,OAAO,SAC5D,QAAO;AAET,QAAI,MAAM,QAAQ,KAChB,QAAO,IACJ,KAAK,UAAmB;AACvB,SAAI,CAAC,MAAO,QAAO;AACnB,SAAI,iBAAiB,WAAY,QAAOa,+BAAgB;AACxD,SAAI,MAAM,QAAQ,OAAQ,QAAOA,+BAAgB,IAAI,WAAW;AAChE,YAAO;OAER,QAAQ,MAAmB,OAAO,MAAM,YAAY,EAAE,SAAS;AAEpE,WAAO;;GAGT,MAAM,uBAAuB;IAC3B,MAAM,MAAO,sBAA8B;AAC3C,QAAI,OAAO,QAAQ,SAAU,QAAO;IACpC,MAAM,UAAU,IAAI;AACpB,WAAO,UAAUC,uCAAoB,WAAW;;AAGlD,UAAO;IACL;IACA,eAAe;KACb;KACA,qBAAqB,IAAI,WAAW,sBAAsB;KAC1D;KACA,QAAQ;KACR,MAAM,UAAU,sBAAsB,cAAc;KACpD;KAEA,cAAc,sBAAsB;KACpC;;IAEF,GAAI,gBAAgB,EAAE,kBAAkB;;;AAI9C,SAAO;UACAd,OAAY;AACnB,UAAQ,KAAK,iDAAiD,MAAM;AACpE,SAAO;;;AAQX,MAAM,uBAAuB;AAE7B,eAAe,wBAAwB,YAAwB,WAAwC;AACrG,KAAI;EACF,MAAM,UAAU,MAAM,WAAW,YAAY;EAC7C,MAAM,WAAY,SAA4C;EAC9D,MAAM,qBAAsB,SAAuD;EACnF,MAAM,0BAA2B,SAA6D;EAE9F,MAAM,eAAe,OAAO,aAAa,YAAY,aAAa;EAClE,MAAM,gBACH,OAAO,uBAAuB,YAAY,mBAAmB,OAAO,SAAS,KAC7E,OAAO,4BAA4B,YAAY,wBAAwB,OAAO,SAAS;AAE1F,SAAO,gBAAgB;SACjB;AACN,SAAO;;;;;;;AAQX,eAAsB,mCACpB,YACA,WACqB;AACrB,KAAI;EAKF,MAAM,cAAc,MAAM,wBAAwB,YAAY;AAC9D,MAAI,CAAC,YAAa,QAAO;EAEzB,MAAM,SAAS,MAAM,WAAW,KAAwC;GACtE,SAAS;GACT,QAAQ;GACR,MAAM;;AAGR,SAAO,MAAM,QAAQ,UAAW,SAAwB;UACjD,OAAO;AACd,SAAO;;;;;;;AAQX,eAAsB,8BACpB,YACA,WACA,qBACA,YAAoCe,yDACb;CACvB,MAAM,cAAc,MAAM,wBAAwB,YAAY;CAE9D,MAAM,EACJ,8BACA,yBACA,8BACE;CAOJ,IAAI,aAAa,CAAC;AAClB,KAAI,CAAC,WACH,KAAI;AACF,QAAM,WAAW,KAAqC;GACpD,SAAS;GACT,QAAQ;GACR,MAAM;;UAEDC,KAAc;EACrB,MAAM,MAAML,4BAAa;AAKzB,MAAI,yCAAyC,KAAK,QAC7C,oBAAoB,KAAK,QACzB,kBAAkB,KAAK,KAC1B,cAAa;;CAKnB,MAAMM,OAAqB,CACzB;EACE,MAAMhB,2BAAW;EACjB,WAAW;;AAIf,QAAO,aACH,CACE,GAAG,MACH;EACE,MAAMA,2BAAW;EACjB,YAAY;EACZ,MAAM;GACJ,mBAAmB;GACnB,qBAAqB;GACrB,QAAQ;GACR,iBAAiB;;EAEnB,KAAK;EACL,SAAS;MAGb,CACE,GAAG,MACH;EACE,MAAMA,2BAAW;EACjB,YAAY;EACZ,MAAM,EACJ,iBAAiB;EAEnB,KAAK;EACL,SAAS;;;AA0CnB,SAAS,MAAM,IAA2B;AACxC,QAAO,IAAI,SAAS,QAAQ,WAAW,KAAK;;AAG9C,SAAS,yBAAyB,KAAuB;CACvD,MAAM,MAAM,OAAOU,4BAAa,QAAQ,IAAI;AAC5C,KAAI,CAAC,IAAK,QAAO;AAGjB,KAAI,IAAI,SAAS,yBAAyB,IAAI,SAAS,yBAAyB,IAAI,SAAS,oBAC3F,QAAO;AAET,KAAI,IAAI,SAAS,yBAA0B,QAAO;AAClD,KAAI,IAAI,SAAS,6BAA8B,QAAO;AACtD,KAAI,IAAI,SAAS,4BAA6B,QAAO;AACrD,KAAI,IAAI,SAAS,wBAAyB,QAAO;AACjD,KAAI,IAAI,SAAS,sBAAuB,QAAO;AAC/C,KAAI,IAAI,SAAS,yBAAyB,IAAI,SAAS,qBAAqB,CAAC,IAAI,SAAS,WAAY,QAAO;AAE7G,QAAO;;AAGT,eAAsB,aACpB,YACA,eACA,WACA,MACkB;CAClB,MAAM,WAAWG,uCAAoB;AACrC,KAAI,CAAC,SAAU,QAAO;CAEtB,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,YAAY;CAC1D,MAAM,UAAU,KAAK,IAAI,IAAI,KAAK,MAAM,MAAM,WAAW;AAEzD,MAAK,IAAI,IAAI,GAAG,IAAI,UAAU,KAAK;AACjC,MAAI;AACF,SAAM,WAAW,cAAc,eAAe;AAC9C,UAAO;UACD;AAGR,MAAI,IAAI,WAAW,EACjB,OAAM,MAAM;;AAGhB,QAAO;;AAGT,eAAsB,uBACpB,YACA,eACA,WACA,MACkB;CAClB,MAAM,WAAWA,uCAAoB;AACrC,KAAI,CAAC,SAAU,QAAO;CAEtB,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,MAAM,YAAY;CAC1D,MAAM,UAAU,KAAK,IAAI,IAAI,KAAK,MAAM,MAAM,WAAW;AAEzD,MAAK,IAAI,IAAI,GAAG,IAAI,UAAU,KAAK;AACjC,MAAI;AACF,SAAM,WAAW,cAAc,eAAe;WACvCE,KAAc;AACrB,OAAI,yBAAyB,KAAM,QAAO;;AAG5C,MAAI,IAAI,WAAW,EACjB,OAAM,MAAM;;AAGhB,QAAO;;;;;;;;;AAqBT,eAAsB,iCAAiC,EACrD,YACA,YACA,cACA,YACA,wBAOsC;AACtC,KAAI;EACF,MAAM,mBAAmB,MAAM,KAAKE,+BAAgB,aAAa,gBAAgB;AACjF,MAAI,iBAAiB,WAAW,GAC9B,OAAM,IAAI,MAAM;EAElB,MAAM,2BAA2B,aAAa,wBAC1C,MAAM,KAAKA,+BAAgB,aAAa,0BACxC;AACJ,MAAI,yBAAyB,WAAW,KAAK,yBAAyB,WAAW,GAC/E,OAAM,IAAI,MAAM;EAElB,MAAM,UAAU;GACd,gBAAgB,MAAM,KAAKA,+BAAgB,aAAa;GACxD,YAAY,MAAM,KAAKA,+BAAgB,aAAa;GACpD,WAAW,MAAM,KAAKA,+BAAgB,aAAa;GACnD,YAAY,MAAM,KAAKA,+BAAgB,aAAa;GACpD,SAAS,aAAa;GACtB,OAAO,aAAa;GACpB,cAAc,OAAO,aAAa;GAClC,YAAY,MAAM,KAAKA,+BAAgB,aAAa;GACpD;GACA,GAAI,yBAAyB,SAAS,EAAE,6BAA6B;;EAGvE,MAAM,OAAO;GACX,UAAU;GACV,uBAAuB;GACvB,uBAAuB;;EAGzB,MAAM,WAAW,MAAM,WAAW,aAChC,YACA,2BACA;EAGF,MAAM,WAAW,CAAC,CAAC,UAAU;AAC7B,SAAO;GACL,SAAS;GACT;GACA,MAAM;GACN,OAAO,WAAW,SAAY;;UAEzBF,KAAc;AACrB,SAAO;GACL,SAAS;GACT,UAAU;GACV,MAAM;GACN,OAAOL,4BAAa,QAAQ;;;;;;;;;AAWlC,eAAsB,6BACpB,gBACA,WACA,aACA,cACA,wBAQC;AACD,KAAI;EAEF,MAAM,WAAW,SAAuC;AACtD,OAAI,CAAC,KAAM,QAAO;AAClB,UAAO,MAAM,KAAKO,+BAAgB;;EAEpC,MAAM,mBAAmB,QAAQ,aAAa;AAC9C,MAAI,iBAAiB,WAAW,GAC9B,OAAM,IAAI,MAAM;EAElB,MAAM,2BAA2B,QAAQ,aAAa;AACtD,MAAI,yBAAyB,WAAW,KAAK,yBAAyB,WAAW,GAC/E,OAAM,IAAI,MAAM;EAElB,MAAM,WAAW;GACf,gBAAgB,QAAQ,aAAa;GACrC,YAAY,QAAQ,aAAa;GACjC,WAAW,QAAQ,aAAa;GAChC,YAAY,QAAQ,aAAa;GACjC,SAAS,aAAa;GACtB,OAAO,aAAa;GACpB,cAAc,OAAO,aAAa,eAAe;GACjD,YAAY,QAAQ,aAAa;GACjC;GACA,GAAI,yBAAyB,SAAS,EAAE,6BAA6B;;EAIvE,MAAM,0BAA0B;GAC9B,GAAG;GACH,yBAAyB,uBAAuB,2BAA2B;GAC3E,UAAU;IACR,GAAG,uBAAuB;IAC1B,YAAY,uBAAuB,SAAS,cAAc;;;EAI9D,MAAM,MAAM,GAAG,eAAe,QAAQ,OAAO,MAAM,UAAU,WAAW,OAAO,YAAY,IAAI;EAC/F,MAAM,WAAW,MAAM,MAAM,KAAK;GAChC,QAAQ;GACR,SAAS,EACP,gBAAgB;GAElB,aAAa,gBAAgB,WAAW,YAAY;GACpD,MAAM,KAAK,UAAU;IACN;IACb;IACA;;;AAIJ,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS;AACjC,UAAO;IACL,SAAS;IACT,OAAO,QAAQ,SAAS,OAAO,IAAI;;;EAIvC,MAAM,SAAS,MAAM,SAAS;AAC9B,SAAO;GACL,SAAS;GACT,UAAU,OAAO;GACjB,KAAK,OAAO;GACZ,mBAAmB,OAAO;GAC1B,kBAAkB,OAAO;;UAEpBlB,OAAY;AACnB,SAAO;GACL,SAAS;GACT,OAAO,MAAM,WAAW;;;;AA2G9B,eAAsB,uBACpB,gBACA,cACA,wBACA,MAeC;AACD,KAAI;EACF,MAAM,OAAO,OAAO,kBAAkB,IAAI,OAAO,QAAQ,OAAO;AAChE,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM;EAE3B,MAAM,2BAA2B,OAAO,KAAK,4BAA4B,IAAI;AAC7E,MAAI,CAAC,yBAA0B,OAAM,IAAI,MAAM;EAE/C,MAAM,gBAAgB,OAAO,KAAK,iBAAiB,IAAI;AACvD,MAAI,CAAC,cAAe,OAAM,IAAI,MAAM;EAEpC,MAAM,WAAW,SAAuC;AACtD,OAAI,CAAC,KAAM,QAAO;AAClB,UAAO,MAAM,KAAKkB,+BAAgB;;EAEpC,MAAM,mBAAmB,QAAQ,aAAa;AAC9C,MAAI,iBAAiB,WAAW,GAC9B,OAAM,IAAI,MAAM;EAElB,MAAM,WAAW;GACf,gBAAgB,QAAQ,aAAa;GACrC,YAAY,QAAQ,aAAa;GACjC,WAAW,QAAQ,aAAa;GAChC,YAAY,QAAQ,aAAa;GACjC,SAAS,aAAa;GACtB,OAAO,aAAa;GACpB,cAAc,OAAO,aAAa,eAAe;GACjD,YAAY,QAAQ,aAAa;GACjC;;EAIF,MAAM,0BAA0B;GAC9B,GAAG;GACH,yBAAyB,uBAAuB,2BAA2B;GAC3E,UAAU;IACR,GAAG,uBAAuB;IAC1B,YAAY,uBAAuB,SAAS,cAAc;;GAE5D,wBAAwB;;EAG1B,MAAM,MAAM,GAAG,KAAK;EACpB,MAAM,WAAW,MAAM,MAAM,KAAK;GAChC,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,aAAa;GACb,MAAM,KAAK,UAAU;IACnB;IACA;IACA;IACA;;;AAIJ,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS;AACjC,UAAO;IAAE,IAAI;IAAO,OAAO,QAAQ,SAAS,OAAO,IAAI;;;EAGzD,MAAM,OAAO,MAAM,SAAS;AAC5B,SAAO;GACL,IAAI,CAAC,CAAC,MAAM;GACZ,qBAAqB,MAAM;GAC3B,sBAAsB,MAAM;GAC5B,gBAAgB,MAAM;GACtB,cAAc,MAAM;GACpB,WAAW,MAAM;GACjB,2BAA2B,MAAM;GACjC,MAAM,MAAM;GACZ,SAAS,MAAM;;UAEVlB,OAAY;AACnB,SAAO;GAAE,IAAI;GAAO,OAAO,OAAO,WAAW;;;;AAIjD,eAAsB,yCACpB,gBACA,MAgBC;AACD,KAAI;EACF,MAAM,OAAO,OAAO,kBAAkB,IAAI,OAAO,QAAQ,OAAO;AAChE,MAAI,CAAC,KAAM,OAAM,IAAI,MAAM;EAE3B,MAAM,2BAA2B,OAAO,KAAK,4BAA4B,IAAI;AAC7E,MAAI,CAAC,yBAA0B,OAAM,IAAI,MAAM;EAE/C,MAAM,gBAAgB,OAAO,KAAK,iBAAiB,IAAI;AACvD,MAAI,CAAC,cAAe,OAAM,IAAI,MAAM;EAEpC,MAAM,qBAAqB,OAAO,KAAK,sBAAsB,IAAI;AACjE,MAAI,CAAC,mBAAoB,OAAM,IAAI,MAAM;EAEzC,MAAM,MAAM,GAAG,KAAK;EACpB,MAAM,WAAW,MAAM,MAAM,KAAK;GAChC,QAAQ;GACR,SAAS,EAAE,gBAAgB;GAC3B,aAAa;GACb,MAAM,KAAK,UAAU;IACnB;IACA;IACA;;;AAIJ,MAAI,CAAC,SAAS,IAAI;GAChB,MAAM,YAAY,MAAM,SAAS;AACjC,UAAO;IAAE,IAAI;IAAO,OAAO,QAAQ,SAAS,OAAO,IAAI;;;EAGzD,MAAM,OAAO,MAAM,SAAS;AAC5B,SAAO;GACL,IAAI,CAAC,CAAC,MAAM;GACZ,qBAAqB,MAAM;GAC3B,sBAAsB,MAAM;GAC5B,gBAAgB,MAAM;GACtB,cAAc,MAAM;GACpB,WAAW,MAAM;GACjB,2BAA2B,MAAM;GACjC,MAAM,MAAM;GACZ,SAAS,MAAM;;UAEVA,OAAY;AACnB,SAAO;GAAE,IAAI;GAAO,OAAO,OAAO,WAAW"}

package/dist/cjs/core/sdkPaths/base.js CHANGED Viewed

@@ -1,4 +1,3 @@
-const require_rolldown_runtime = require('../../_virtual/rolldown_runtime.js');
 //#region src/core/sdkPaths/base.ts
 const W3A_WALLET_SDK_BASE_EVENT = "W3A_WALLET_SDK_BASE_CHANGED";

package/dist/cjs/core/sdkPaths/base.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"base.js","names":[],"sources":["../../../../src/core/sdkPaths/base.ts"],"sourcesContent":["/*\n SDK Base (wallet origin)\n \n The wallet iframe host announces the absolute SDK base URL so that all\n * embedded assets (host script, Lit bundles) and module workers resolve from\n * the wallet origin in production. This keeps sensitive execution isolated\n * under the wallet site while allowing cross‑origin embedding.\n \n Writers:\n * - Wallet iframe host (service) on boot and after PM_SET_CONFIG\n * - App provider hook in dev when walletOrigin is configured\n \n Readers:\n * - WebAuthnManager (to set worker base origin for managers)\n * - Lit wrappers (to resolve embedded script/css URLs)\n /\nexport const W3A_WALLET_SDK_BASE_KEY = '__W3A_WALLET_SDK_BASE__'\nexport const W3A_WALLET_SDK_BASE_EVENT = 'W3A_WALLET_SDK_BASE_CHANGED'\n\n/\n Typed CustomEvent emitted when the wallet SDK base changes.\n * Detail contains the absolute base URL string (e.g., `${walletOrigin}/sdk/`).\n /\nexport type WalletSdkBaseChangedEvent = CustomEvent<string>\n\nexport interface WalletSDKBase {\n [W3A_WALLET_SDK_BASE_KEY]?: string\n}\n\n/\n @returns Absolute SDK base URL (e.g., `${walletOrigin}/sdk/`) when set, otherwise undefined.\n /\nexport function getEmbeddedBase(): string \| undefined {\n if (typeof window === 'undefined') return undefined\n const w = window as unknown as WalletSDKBase\n const v = w[W3A_WALLET_SDK_BASE_KEY]\n return typeof v === 'string' && v.length > 0 ? v : undefined\n}\n\n/\n @param url - Absolute SDK base URL (e.g., `${walletOrigin}/sdk/`).\n * @returns void\n /\nexport function setEmbeddedBase(url: string): void {\n if (typeof window === 'undefined') return\n const w = window as unknown as WalletSDKBase\n w[W3A_WALLET_SDK_BASE_KEY] = url\n window.dispatchEvent(new CustomEvent(W3A_WALLET_SDK_BASE_EVENT as any, { detail: url }))\n}\n\n/\n @param cb - Callback invoked with the new absolute base URL when it changes.\n * @returns Unsubscribe function to remove the listener.\n */\nexport function onEmbeddedBaseChange(cb: (url: string) => void): () => void {\n if (typeof window === 'undefined') return () => {}\n const handler = (e: WalletSdkBaseChangedEvent) => {\n const d = e.detail\n if (typeof d === 'string' && d.length > 0) cb(d)\n }\n window.addEventListener(W3A_WALLET_SDK_BASE_EVENT, handler as EventListener, { passive: true })\n return () => window.removeEventListener(W3A_WALLET_SDK_BASE_EVENT, handler as EventListener)\n}\n"],"mappings":"~~;;;~~AAiBA,MAAa,4BAA4B;;;;;AAqCzC,SAAgB,qBAAqB,IAAuC;AAC1E,KAAI,OAAO,WAAW,YAAa,cAAa;CAChD,MAAM,WAAW,MAAiC;EAChD,MAAM,IAAI,EAAE;AACZ,MAAI,OAAO,MAAM,YAAY,EAAE,SAAS,EAAG,IAAG;;AAEhD,QAAO,iBAAiB,2BAA2B,SAA0B,EAAE,SAAS;AACxF,cAAa,OAAO,oBAAoB,2BAA2B"}
1	+ {"version":3,"file":"base.js","names":[],"sources":["../../../../src/core/sdkPaths/base.ts"],"sourcesContent":["/*\n SDK Base (wallet origin)\n \n The wallet iframe host announces the absolute SDK base URL so that all\n * embedded assets (host script, Lit bundles) and module workers resolve from\n * the wallet origin in production. This keeps sensitive execution isolated\n * under the wallet site while allowing cross‑origin embedding.\n \n Writers:\n * - Wallet iframe host (service) on boot and after PM_SET_CONFIG\n * - App provider hook in dev when walletOrigin is configured\n \n Readers:\n * - WebAuthnManager (to set worker base origin for managers)\n * - Lit wrappers (to resolve embedded script/css URLs)\n /\nexport const W3A_WALLET_SDK_BASE_KEY = '__W3A_WALLET_SDK_BASE__'\nexport const W3A_WALLET_SDK_BASE_EVENT = 'W3A_WALLET_SDK_BASE_CHANGED'\n\n/\n Typed CustomEvent emitted when the wallet SDK base changes.\n * Detail contains the absolute base URL string (e.g., `${walletOrigin}/sdk/`).\n /\nexport type WalletSdkBaseChangedEvent = CustomEvent<string>\n\nexport interface WalletSDKBase {\n [W3A_WALLET_SDK_BASE_KEY]?: string\n}\n\n/\n @returns Absolute SDK base URL (e.g., `${walletOrigin}/sdk/`) when set, otherwise undefined.\n /\nexport function getEmbeddedBase(): string \| undefined {\n if (typeof window === 'undefined') return undefined\n const w = window as unknown as WalletSDKBase\n const v = w[W3A_WALLET_SDK_BASE_KEY]\n return typeof v === 'string' && v.length > 0 ? v : undefined\n}\n\n/\n @param url - Absolute SDK base URL (e.g., `${walletOrigin}/sdk/`).\n * @returns void\n /\nexport function setEmbeddedBase(url: string): void {\n if (typeof window === 'undefined') return\n const w = window as unknown as WalletSDKBase\n w[W3A_WALLET_SDK_BASE_KEY] = url\n window.dispatchEvent(new CustomEvent(W3A_WALLET_SDK_BASE_EVENT as any, { detail: url }))\n}\n\n/\n @param cb - Callback invoked with the new absolute base URL when it changes.\n * @returns Unsubscribe function to remove the listener.\n */\nexport function onEmbeddedBaseChange(cb: (url: string) => void): () => void {\n if (typeof window === 'undefined') return () => {}\n const handler = (e: WalletSdkBaseChangedEvent) => {\n const d = e.detail\n if (typeof d === 'string' && d.length > 0) cb(d)\n }\n window.addEventListener(W3A_WALLET_SDK_BASE_EVENT, handler as EventListener, { passive: true })\n return () => window.removeEventListener(W3A_WALLET_SDK_BASE_EVENT, handler as EventListener)\n}\n"],"mappings":";;AAiBA,MAAa,4BAA4B;;;;;AAqCzC,SAAgB,qBAAqB,IAAuC;AAC1E,KAAI,OAAO,WAAW,YAAa,cAAa;CAChD,MAAM,WAAW,MAAiC;EAChD,MAAM,IAAI,EAAE;AACZ,MAAI,OAAO,MAAM,YAAY,EAAE,SAAS,EAAG,IAAG;;AAEhD,QAAO,iBAAiB,2BAA2B,SAA0B,EAAE,SAAS;AACxF,cAAa,OAAO,oBAAoB,2BAA2B"}