npm - @tatchi-xyz/sdk - Versions diffs - 0.21.0 → 0.31.1 - Mend

@tatchi-xyz/sdk 0.21.0 → 0.31.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2501) hide show

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/checkVrfStatus.js ADDED Viewed

@@ -0,0 +1,54 @@
+import { toAccountId } from "../../../types/accountIds.js";
+//#region src/core/WebAuthnManager/VrfWorkerManager/handlers/checkVrfStatus.ts
+/**
+* "Global" VRF status: is the VRF keypair currently unlocked/active inside the VRF worker?
+*
+* This is NOT the same as a signing session status (WrapKeySeed session gating).
+* For per-`sessionId` signing-session status, use `checkSessionStatus`.
+*/
+async function checkVrfStatus(ctx) {
+	try {
+		await ctx.ensureWorkerReady();
+	} catch {
+		return {
+			active: false,
+			nearAccountId: null,
+			vrfPublicKey: null
+		};
+	}
+	try {
+		const message = {
+			type: "CHECK_VRF_STATUS",
+			id: ctx.generateMessageId(),
+			payload: {}
+		};
+		const response = await ctx.sendMessage(message);
+		if (response.success && response.data) {
+			const data = response.data;
+			const current = ctx.getCurrentVrfAccountId();
+			return {
+				active: data.active,
+				nearAccountId: current ? toAccountId(current) : null,
+				sessionDuration: data.sessionDuration,
+				vrfPublicKey: data.vrfPublicKey ?? null
+			};
+		}
+		return {
+			active: false,
+			nearAccountId: null,
+			vrfPublicKey: null
+		};
+	} catch (error) {
+		console.warn("VRF Manager: Failed to get VRF status:", error);
+		return {
+			active: false,
+			nearAccountId: null,
+			vrfPublicKey: null
+		};
+	}
+}
+//#endregion
+export { checkVrfStatus };
+//# sourceMappingURL=checkVrfStatus.js.map

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/checkVrfStatus.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"checkVrfStatus.js","names":["message: VRFWorkerMessage<WasmVrfWorkerRequestType>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/checkVrfStatus.ts"],"sourcesContent":["import type { VRFWorkerMessage, VRFWorkerStatus, WasmVrfWorkerRequestType } from '../../../types/vrf-worker';\nimport { toAccountId } from '../../../types/accountIds';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * \"Global\" VRF status: is the VRF keypair currently unlocked/active inside the VRF worker?\n *\n * This is NOT the same as a signing session status (WrapKeySeed session gating).\n * For per-`sessionId` signing-session status, use `checkSessionStatus`.\n */\nexport async function checkVrfStatus(ctx: VrfWorkerManagerHandlerContext): Promise<VRFWorkerStatus> {\n try {\n await ctx.ensureWorkerReady();\n } catch {\n // If initialization fails, return inactive status\n return { active: false, nearAccountId: null, vrfPublicKey: null };\n }\n\n try {\n const message: VRFWorkerMessage<WasmVrfWorkerRequestType> = {\n type: 'CHECK_VRF_STATUS',\n id: ctx.generateMessageId(),\n payload: {} as WasmVrfWorkerRequestType\n };\n\n const response = await ctx.sendMessage(message);\n\n if (response.success && response.data) {\n const data = response.data as { active: boolean; sessionDuration?: number; vrfPublicKey?: string };\n const current = ctx.getCurrentVrfAccountId();\n return {\n active: data.active,\n nearAccountId: current ? toAccountId(current) : null,\n sessionDuration: data.sessionDuration,\n vrfPublicKey: data.vrfPublicKey ?? null,\n };\n }\n\n return { active: false, nearAccountId: null, vrfPublicKey: null };\n } catch (error) {\n console.warn('VRF Manager: Failed to get VRF status:', error);\n return { active: false, nearAccountId: null, vrfPublicKey: null };\n }\n}\n"],"mappings":";;;;;;;;;AAUA,eAAsB,eAAe,KAA+D;AAClG,KAAI;AACF,QAAM,IAAI;SACJ;AAEN,SAAO;GAAE,QAAQ;GAAO,eAAe;GAAM,cAAc;;;AAG7D,KAAI;EACF,MAAMA,UAAsD;GAC1D,MAAM;GACN,IAAI,IAAI;GACR,SAAS;;EAGX,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,MAAI,SAAS,WAAW,SAAS,MAAM;GACrC,MAAM,OAAO,SAAS;GACtB,MAAM,UAAU,IAAI;AACpB,UAAO;IACL,QAAQ,KAAK;IACb,eAAe,UAAU,YAAY,WAAW;IAChD,iBAAiB,KAAK;IACtB,cAAc,KAAK,gBAAgB;;;AAIvC,SAAO;GAAE,QAAQ;GAAO,eAAe;GAAM,cAAc;;UACpD,OAAO;AACd,UAAQ,KAAK,0CAA0C;AACvD,SAAO;GAAE,QAAQ;GAAO,eAAe;GAAM,cAAc"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/clearSession.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"clearSession.js","names":["message: VRFWorkerMessage<WasmClearSessionRequest>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/clearSession.ts"],"sourcesContent":["import type { VRFWorkerMessage, WasmClearSessionRequest } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Best-effort cleanup for a single VRF-owned signing session.\n *\n * Clears any VRF worker state bound to `sessionId`:\n * - cached WrapKeySeed session material (TTL/uses),\n * - cached VRF challenge (used for contract verification),\n * - and any attached WrapKeySeed MessagePort.\n *\n * Used by UI \"Lock\" actions and as a safety valve for session lifecycle cleanup.\n */\nexport async function clearSession(\n ctx: VrfWorkerManagerHandlerContext,\n args: { sessionId: string }\n): Promise<{\n sessionId: string;\n clearedSession: boolean;\n clearedChallenge: boolean;\n clearedPort: boolean;\n}> {\n await ctx.ensureWorkerReady(true);\n const message: VRFWorkerMessage<WasmClearSessionRequest> = {\n type: 'CLEAR_SESSION',\n id: ctx.generateMessageId(),\n payload: {\n sessionId: args.sessionId,\n } as any,\n };\n const response = await ctx.sendMessage<WasmClearSessionRequest>(message);\n if (!response.success) {\n throw new Error(`clearSession failed: ${response.error}`);\n }\n return (response.data as any) || {\n sessionId: args.sessionId,\n clearedSession: false,\n clearedChallenge: false,\n clearedPort: false,\n };\n}\n"],"mappings":";;;;;;;;;;;AAaA,eAAsB,aACpB,KACA,MAMC;AACD,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAAqD;EACzD,MAAM;EACN,IAAI,IAAI;EACR,SAAS,EACP,WAAW,KAAK;;CAGpB,MAAM,WAAW,MAAM,IAAI,YAAqC;AAChE,KAAI,CAAC,SAAS,QACZ,OAAM,IAAI,MAAM,wBAAwB,SAAS;AAEnD,QAAQ,SAAS,QAAgB;EAC/B,WAAW,KAAK;EAChB,gBAAgB;EAChB,kBAAkB;EAClB,aAAa"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/clearVrf.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"clearVrf.js","names":["message: VRFWorkerMessage<WasmVrfWorkerRequestType>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/clearVrf.ts"],"sourcesContent":["import type { VRFWorkerMessage, WasmVrfWorkerRequestType } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Full VRF logout: zeroize the in-memory VRF keypair and clear all VRF worker caches.\n *\n * This differs from `clearSession`, which only clears a single signing session (`sessionId`).\n * Use this when the user explicitly logs out / locks the VRF keypair.\n */\nexport async function clearVrfSession(ctx: VrfWorkerManagerHandlerContext): Promise<void> {\n console.debug('VRF Manager: Clearing VRF session...');\n\n await ctx.ensureWorkerReady();\n\n try {\n const message: VRFWorkerMessage<WasmVrfWorkerRequestType> = {\n type: 'CLEAR_VRF',\n id: ctx.generateMessageId(),\n payload: {} as WasmVrfWorkerRequestType\n };\n\n const response = await ctx.sendMessage(message);\n\n if (response.success) {\n // Clear the TypeScript-tracked account ID\n ctx.setCurrentVrfAccountId(null);\n console.debug('VRF Manager: VRF session cleared (key material zeroized)');\n } else {\n console.warn('️VRF Manager: Clear VRF failed:', response.error);\n }\n } catch (error) {\n console.warn('VRF Manager: Clear VRF error:', error);\n }\n}\n"],"mappings":";;;;;;;AASA,eAAsB,gBAAgB,KAAoD;AACxF,SAAQ,MAAM;AAEd,OAAM,IAAI;AAEV,KAAI;EACF,MAAMA,UAAsD;GAC1D,MAAM;GACN,IAAI,IAAI;GACR,SAAS;;EAGX,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,MAAI,SAAS,SAAS;AAEpB,OAAI,uBAAuB;AAC3B,WAAQ,MAAM;QAEd,SAAQ,KAAK,mCAAmC,SAAS;UAEpD,OAAO;AACd,UAAQ,KAAK,iCAAiC"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/confirmAndDeriveDevice2RegistrationSession.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"confirmAndDeriveDevice2RegistrationSession.js","names":["message: VRFWorkerMessage<WasmDevice2RegistrationSessionRequest>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/confirmAndDeriveDevice2RegistrationSession.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type { EncryptedVRFKeypair, VRFWorkerMessage, WasmDevice2RegistrationSessionRequest } from '../../../types/vrf-worker';\nimport type { TransactionContext } from '../../../types/rpc';\nimport type { VRFChallenge } from '../../../types/vrf-worker';\nimport type { WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Kick off the SecureConfirm flow for Device2 registration (\"link device\") and return the confirmed result.\n *\n * This is a bundled orchestration that can:\n * - collect a registration credential (PRF-capable),\n * - derive a deterministic VRF keypair for the new device,\n * - and return the data needed for storage + subsequent signing steps (tx context, VRF challenge, etc.).\n */\nexport async function confirmAndDeriveDevice2RegistrationSession(\n ctx: VrfWorkerManagerHandlerContext,\n params: {\n sessionId: string;\n nearAccountId: AccountId;\n deviceNumber: number;\n contractId: string;\n nearRpcUrl: string;\n authenticatorOptions?: object;\n wrapKeySalt?: string;\n }\n): Promise<{\n confirmed: boolean;\n sessionId: string;\n credential: WebAuthnRegistrationCredential;\n vrfChallenge: VRFChallenge;\n transactionContext: TransactionContext;\n wrapKeySalt: string;\n requestId: string;\n intentDigest: string;\n deterministicVrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n error?: string;\n}> {\n await ctx.ensureWorkerReady(true);\n\n const message: VRFWorkerMessage<WasmDevice2RegistrationSessionRequest> = {\n type: 'DEVICE2_REGISTRATION_SESSION',\n id: ctx.generateMessageId(),\n payload: {\n sessionId: params.sessionId,\n nearAccountId: params.nearAccountId,\n deviceNumber: params.deviceNumber,\n contractId: params.contractId,\n nearRpcUrl: params.nearRpcUrl,\n wrapKeySalt: params.wrapKeySalt || '',\n // No confirmationConfig override for now; can add later if needed\n }\n };\n\n const response = await ctx.sendMessage<WasmDevice2RegistrationSessionRequest>(message);\n\n if (!response.success) {\n throw new Error(`Device2 registration session failed: ${response.error}`);\n }\n\n const data = response.data as any;\n\n if (!data.confirmed) {\n throw new Error(data.error || 'User rejected Device2 registration');\n }\n\n if (!data.credential) {\n throw new Error('Missing credential from Device2 registration session');\n }\n if (!data.vrfChallenge) {\n throw new Error('Missing vrfChallenge from Device2 registration session');\n }\n if (!data.transactionContext) {\n throw new Error('Missing transactionContext from Device2 registration session');\n }\n if (!data.wrapKeySalt) {\n throw new Error('Missing wrapKeySalt from Device2 registration session');\n }\n\n return {\n confirmed: true,\n sessionId: data.sessionId,\n credential: data.credential,\n vrfChallenge: data.vrfChallenge,\n transactionContext: data.transactionContext,\n wrapKeySalt: data.wrapKeySalt,\n requestId: data.requestId,\n intentDigest: data.intentDigest,\n deterministicVrfPublicKey: data.deterministicVrfPublicKey,\n encryptedVrfKeypair: data.encryptedVrfKeypair,\n };\n}\n"],"mappings":";;;;;;;;;AAeA,eAAsB,2CACpB,KACA,QAqBC;AACD,OAAM,IAAI,kBAAkB;CAE5B,MAAMA,UAAmE;EACvE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,WAAW,OAAO;GAClB,eAAe,OAAO;GACtB,cAAc,OAAO;GACrB,YAAY,OAAO;GACnB,YAAY,OAAO;GACnB,aAAa,OAAO,eAAe;;;CAKvC,MAAM,WAAW,MAAM,IAAI,YAAmD;AAE9E,KAAI,CAAC,SAAS,QACZ,OAAM,IAAI,MAAM,wCAAwC,SAAS;CAGnE,MAAM,OAAO,SAAS;AAEtB,KAAI,CAAC,KAAK,UACR,OAAM,IAAI,MAAM,KAAK,SAAS;AAGhC,KAAI,CAAC,KAAK,WACR,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,KAAK,aACR,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,KAAK,mBACR,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,KAAK,YACR,OAAM,IAAI,MAAM;AAGlB,QAAO;EACL,WAAW;EACX,WAAW,KAAK;EAChB,YAAY,KAAK;EACjB,cAAc,KAAK;EACnB,oBAAoB,KAAK;EACzB,aAAa,KAAK;EAClB,WAAW,KAAK;EAChB,cAAc,KAAK;EACnB,2BAA2B,KAAK;EAChC,qBAAqB,KAAK"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/confirmAndPrepareSigningSession.js ADDED Viewed

@@ -0,0 +1,158 @@
+import { ActionType } from "../../../types/actions.js";
+import { computeUiIntentDigestFromTxs, orderActionForDigest } from "../../../digests/intentDigest.js";
+import { SecureConfirmationType } from "../confirmTxFlow/types.js";
+//#region src/core/WebAuthnManager/VrfWorkerManager/handlers/confirmAndPrepareSigningSession.ts
+/**
+* Kick off the SecureConfirm signing flow inside the VRF worker.
+*
+* This creates a `SecureConfirmRequest` (tx / delegate / NEP-413) and sends it to the
+* VRF worker, which will render UI, collect a WebAuthn credential when needed, and return the
+* `transactionContext` (reserved nonces, block hash/height) needed by the signer worker.
+*/
+async function confirmAndPrepareSigningSession(handlerCtx, params) {
+	const { sessionId } = params;
+	let intentDigest;
+	let request;
+	switch (params.kind) {
+		case "transaction": {
+			const txSigningRequests = params.txSigningRequests;
+			intentDigest = await computeUiIntentDigestFromTxs(txSigningRequests.map((tx) => ({
+				receiverId: tx.receiverId,
+				actions: tx.actions.map(orderActionForDigest)
+			})));
+			const summary = {
+				intentDigest,
+				receiverId: txSigningRequests[0]?.receiverId,
+				totalAmount: computeTotalAmountYocto(txSigningRequests),
+				type: "transaction",
+				...params.title != null ? { title: params.title } : {},
+				...params.body != null ? { body: params.body } : {}
+			};
+			request = {
+				requestId: sessionId,
+				type: SecureConfirmationType.SIGN_TRANSACTION,
+				summary,
+				payload: {
+					txSigningRequests,
+					intentDigest,
+					rpcCall: params.rpcCall,
+					...params.sessionPolicyDigest32 ? { sessionPolicyDigest32: params.sessionPolicyDigest32 } : {},
+					...params.signingAuthMode ? { signingAuthMode: params.signingAuthMode } : {}
+				},
+				confirmationConfig: params.confirmationConfigOverride,
+				intentDigest
+			};
+			break;
+		}
+		case "delegate": {
+			const txSigningRequests = [{
+				receiverId: params.delegate.receiverId,
+				actions: params.delegate.actions
+			}];
+			intentDigest = await computeUiIntentDigestFromTxs(txSigningRequests.map((tx) => ({
+				receiverId: tx.receiverId,
+				actions: tx.actions.map(orderActionForDigest)
+			})));
+			const summary = {
+				intentDigest,
+				receiverId: txSigningRequests[0]?.receiverId,
+				totalAmount: computeTotalAmountYocto(txSigningRequests),
+				type: "delegateAction",
+				...params.title != null ? { title: params.title } : {},
+				...params.body != null ? { body: params.body } : {},
+				delegate: {
+					senderId: params.delegate.senderId,
+					receiverId: params.delegate.receiverId,
+					nonce: String(params.delegate.nonce),
+					maxBlockHeight: String(params.delegate.maxBlockHeight)
+				}
+			};
+			request = {
+				requestId: sessionId,
+				type: SecureConfirmationType.SIGN_TRANSACTION,
+				summary,
+				payload: {
+					txSigningRequests,
+					intentDigest,
+					rpcCall: params.rpcCall,
+					...params.sessionPolicyDigest32 ? { sessionPolicyDigest32: params.sessionPolicyDigest32 } : {},
+					...params.signingAuthMode ? { signingAuthMode: params.signingAuthMode } : {}
+				},
+				confirmationConfig: params.confirmationConfigOverride,
+				intentDigest
+			};
+			break;
+		}
+		case "nep413": {
+			intentDigest = `${params.nearAccountId}:${params.recipient}:${params.message}`;
+			const summary = {
+				intentDigest,
+				method: "NEP-413",
+				receiverId: params.recipient,
+				...params.title != null ? { title: params.title } : {},
+				...params.body != null ? { body: params.body } : {}
+			};
+			request = {
+				requestId: sessionId,
+				type: SecureConfirmationType.SIGN_NEP413_MESSAGE,
+				summary,
+				payload: {
+					nearAccountId: params.nearAccountId,
+					message: params.message,
+					recipient: params.recipient,
+					...params.sessionPolicyDigest32 ? { sessionPolicyDigest32: params.sessionPolicyDigest32 } : {},
+					...params.contractId ? { contractId: params.contractId } : {},
+					...params.nearRpcUrl ? { nearRpcUrl: params.nearRpcUrl } : {},
+					...params.signingAuthMode ? { signingAuthMode: params.signingAuthMode } : {}
+				},
+				confirmationConfig: params.confirmationConfigOverride,
+				intentDigest
+			};
+			break;
+		}
+		default: throw new Error("Unsupported signing session kind");
+	}
+	await handlerCtx.ensureWorkerReady(true);
+	const message = {
+		type: "CONFIRM_AND_PREPARE_SIGNING_SESSION",
+		id: handlerCtx.generateMessageId(),
+		payload: { request }
+	};
+	const response = await handlerCtx.sendMessage(message);
+	if (!response.success) throw new Error(`confirmAndPrepareSigningSession failed: ${response.error}`);
+	const decision = response.data;
+	if (!decision?.confirmed) throw new Error(decision?.error || "User rejected signing request");
+	if (!decision.transaction_context) throw new Error("Missing transactionContext from confirmation flow");
+	return {
+		sessionId,
+		transactionContext: decision.transaction_context,
+		intentDigest: decision.intent_digest || intentDigest,
+		credential: decision.credential,
+		vrfChallenge: decision.vrf_challenge
+	};
+}
+function computeTotalAmountYocto(txSigningRequests) {
+	try {
+		let total = BigInt(0);
+		for (const tx of txSigningRequests) for (const action of tx.actions) switch (action.action_type) {
+			case ActionType.Transfer:
+				total += BigInt(action.deposit || "0");
+				break;
+			case ActionType.FunctionCall:
+				total += BigInt(action.deposit || "0");
+				break;
+			case ActionType.Stake:
+				total += BigInt(action.stake || "0");
+				break;
+			default: break;
+		}
+		return total > BigInt(0) ? total.toString() : void 0;
+	} catch {
+		return void 0;
+	}
+}
+//#endregion
+export { confirmAndPrepareSigningSession };
+//# sourceMappingURL=confirmAndPrepareSigningSession.js.map

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/confirmAndPrepareSigningSession.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"confirmAndPrepareSigningSession.js","names":["intentDigest: string","request: SecureConfirmRequest<SignTransactionPayload | SignNep413Payload, TransactionSummary>","summary: TransactionSummary","txSigningRequests: TransactionInputWasm[]","message: VRFWorkerMessage<WasmConfirmAndPrepareSigningSessionRequest>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/confirmAndPrepareSigningSession.ts"],"sourcesContent":["import type { TransactionInputWasm } from '../../../types/actions';\nimport { ActionType } from '../../../types/actions';\nimport type { RpcCallPayload, ConfirmationConfig } from '../../../types/signer-worker';\nimport type { TransactionContext } from '../../../types/rpc';\nimport { computeUiIntentDigestFromTxs, orderActionForDigest } from '../../../digests/intentDigest';\nimport {\n SecureConfirmationType,\n type SecureConfirmRequest,\n type SignTransactionPayload,\n type SigningAuthMode,\n type TransactionSummary,\n type SerializableCredential,\n} from '../confirmTxFlow/types';\nimport type { SignNep413Payload } from '../confirmTxFlow/types';\nimport type { VrfWorkerManagerContext } from '..';\nimport type { VrfWorkerManagerHandlerContext } from './types';\nimport type { VRFChallenge, VRFWorkerMessage, WasmConfirmAndPrepareSigningSessionRequest } from '../../../types/vrf-worker';\n\nexport interface ConfirmAndPrepareSigningSessionBaseParams {\n ctx: VrfWorkerManagerContext;\n sessionId: string;\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n /**\n * Optional override for signing auth mode.\n * When omitted, the VRF worker may auto-select `warmSession` when a session is available.\n *\n * Threshold signing should force `webauthn` to ensure a fresh VRF challenge + WebAuthn assertion\n * is available for relayer authorization.\n */\n signingAuthMode?: SigningAuthMode;\n /**\n * Optional base64url-encoded 32-byte digest to bind a relayer session policy into the VRF input hash (v4+ only).\n * When provided, it is forwarded to the VRF worker for inclusion in VRF input derivation.\n */\n sessionPolicyDigest32?: string;\n}\n\nexport interface ConfirmAndPrepareSigningSessionTransactionParams extends ConfirmAndPrepareSigningSessionBaseParams {\n kind: 'transaction';\n txSigningRequests: TransactionInputWasm[];\n rpcCall: RpcCallPayload;\n title?: string;\n body?: string;\n}\n\nexport interface ConfirmAndPrepareSigningSessionDelegateParams extends ConfirmAndPrepareSigningSessionBaseParams {\n kind: 'delegate';\n nearAccountId: string;\n title?: string;\n body?: string;\n delegate: {\n senderId: string;\n receiverId: string;\n actions: TransactionInputWasm['actions'];\n nonce: string | number | bigint;\n maxBlockHeight: string | number | bigint;\n };\n rpcCall: RpcCallPayload;\n}\n\nexport interface ConfirmAndPrepareSigningSessionNep413Params extends ConfirmAndPrepareSigningSessionBaseParams {\n kind: 'nep413';\n nearAccountId: string;\n message: string;\n recipient: string;\n title?: string;\n body?: string;\n contractId?: string;\n nearRpcUrl?: string;\n}\n\nexport type ConfirmAndPrepareSigningSessionParams =\n | ConfirmAndPrepareSigningSessionTransactionParams\n | ConfirmAndPrepareSigningSessionDelegateParams\n | ConfirmAndPrepareSigningSessionNep413Params;\n\nexport interface ConfirmAndPrepareSigningSessionResult {\n sessionId: string;\n transactionContext: TransactionContext;\n intentDigest: string;\n credential?: SerializableCredential;\n vrfChallenge?: VRFChallenge;\n}\n\n/**\n * Kick off the SecureConfirm signing flow inside the VRF worker.\n *\n * This creates a `SecureConfirmRequest` (tx / delegate / NEP-413) and sends it to the\n * VRF worker, which will render UI, collect a WebAuthn credential when needed, and return the\n * `transactionContext` (reserved nonces, block hash/height) needed by the signer worker.\n */\nexport async function confirmAndPrepareSigningSession(\n handlerCtx: VrfWorkerManagerHandlerContext,\n params: ConfirmAndPrepareSigningSessionParams\n): Promise<ConfirmAndPrepareSigningSessionResult> {\n const { sessionId } = params;\n\n let intentDigest: string;\n let request: SecureConfirmRequest<SignTransactionPayload | SignNep413Payload, TransactionSummary>;\n\n switch (params.kind) {\n case 'transaction': {\n const txSigningRequests = params.txSigningRequests;\n intentDigest = await computeUiIntentDigestFromTxs(\n txSigningRequests.map(tx => ({\n receiverId: tx.receiverId,\n actions: tx.actions.map(orderActionForDigest),\n })) as TransactionInputWasm[]\n );\n\n const summary: TransactionSummary = {\n intentDigest,\n receiverId: txSigningRequests[0]?.receiverId,\n totalAmount: computeTotalAmountYocto(txSigningRequests),\n type: 'transaction',\n ...(params.title != null ? { title: params.title } : {}),\n ...(params.body != null ? { body: params.body } : {}),\n };\n\n request = {\n requestId: sessionId,\n type: SecureConfirmationType.SIGN_TRANSACTION,\n summary,\n payload: {\n txSigningRequests,\n intentDigest,\n rpcCall: params.rpcCall,\n ...(params.sessionPolicyDigest32 ? { sessionPolicyDigest32: params.sessionPolicyDigest32 } : {}),\n ...(params.signingAuthMode ? { signingAuthMode: params.signingAuthMode } : {}),\n },\n confirmationConfig: params.confirmationConfigOverride,\n intentDigest,\n };\n break;\n }\n case 'delegate': {\n const txSigningRequests: TransactionInputWasm[] = [{\n receiverId: params.delegate.receiverId,\n actions: params.delegate.actions,\n }];\n\n intentDigest = await computeUiIntentDigestFromTxs(\n txSigningRequests.map(tx => ({\n receiverId: tx.receiverId,\n actions: tx.actions.map(orderActionForDigest),\n }))\n );\n\n const summary: TransactionSummary = {\n intentDigest,\n receiverId: txSigningRequests[0]?.receiverId,\n totalAmount: computeTotalAmountYocto(txSigningRequests),\n type: 'delegateAction',\n ...(params.title != null ? { title: params.title } : {}),\n ...(params.body != null ? { body: params.body } : {}),\n delegate: {\n senderId: params.delegate.senderId,\n receiverId: params.delegate.receiverId,\n nonce: String(params.delegate.nonce),\n maxBlockHeight: String(params.delegate.maxBlockHeight),\n },\n };\n\n request = {\n requestId: sessionId,\n type: SecureConfirmationType.SIGN_TRANSACTION,\n summary,\n payload: {\n txSigningRequests,\n intentDigest,\n rpcCall: params.rpcCall,\n ...(params.sessionPolicyDigest32 ? { sessionPolicyDigest32: params.sessionPolicyDigest32 } : {}),\n ...(params.signingAuthMode ? { signingAuthMode: params.signingAuthMode } : {}),\n },\n confirmationConfig: params.confirmationConfigOverride,\n intentDigest,\n };\n break;\n }\n case 'nep413': {\n intentDigest = `${params.nearAccountId}:${params.recipient}:${params.message}`;\n const summary: TransactionSummary = {\n intentDigest,\n method: 'NEP-413',\n receiverId: params.recipient,\n ...(params.title != null ? { title: params.title } : {}),\n ...(params.body != null ? { body: params.body } : {}),\n };\n\n request = {\n requestId: sessionId,\n type: SecureConfirmationType.SIGN_NEP413_MESSAGE,\n summary,\n payload: {\n nearAccountId: params.nearAccountId,\n message: params.message,\n recipient: params.recipient,\n ...(params.sessionPolicyDigest32 ? { sessionPolicyDigest32: params.sessionPolicyDigest32 } : {}),\n ...(params.contractId ? { contractId: params.contractId } : {}),\n ...(params.nearRpcUrl ? { nearRpcUrl: params.nearRpcUrl } : {}),\n ...(params.signingAuthMode ? { signingAuthMode: params.signingAuthMode } : {}),\n },\n confirmationConfig: params.confirmationConfigOverride,\n intentDigest,\n };\n break;\n }\n default: {\n // Exhaustiveness guard\n // eslint-disable-next-line @typescript-eslint/no-unused-vars\n const _exhaustive: never = params;\n throw new Error('Unsupported signing session kind');\n }\n }\n\n await handlerCtx.ensureWorkerReady(true);\n const message: VRFWorkerMessage<WasmConfirmAndPrepareSigningSessionRequest> = {\n type: 'CONFIRM_AND_PREPARE_SIGNING_SESSION',\n id: handlerCtx.generateMessageId(),\n payload: {\n request,\n },\n };\n const response = await handlerCtx.sendMessage<WasmConfirmAndPrepareSigningSessionRequest>(message);\n if (!response.success) {\n throw new Error(`confirmAndPrepareSigningSession failed: ${response.error}`);\n }\n\n const decision = response.data as {\n confirmed?: boolean;\n error?: string;\n intent_digest?: string;\n transaction_context?: TransactionContext;\n credential?: SerializableCredential;\n vrf_challenge?: VRFChallenge;\n };\n\n if (!decision?.confirmed) {\n throw new Error(decision?.error || 'User rejected signing request');\n }\n if (!decision.transaction_context) {\n throw new Error('Missing transactionContext from confirmation flow');\n }\n\n return {\n sessionId,\n transactionContext: decision.transaction_context,\n intentDigest: decision.intent_digest || intentDigest,\n credential: decision.credential,\n vrfChallenge: decision.vrf_challenge,\n };\n}\n\nfunction computeTotalAmountYocto(txSigningRequests: TransactionInputWasm[]): string | undefined {\n try {\n let total = BigInt(0);\n for (const tx of txSigningRequests) {\n for (const action of tx.actions) {\n switch (action.action_type) {\n case ActionType.Transfer:\n total += BigInt(action.deposit || '0');\n break;\n case ActionType.FunctionCall:\n total += BigInt(action.deposit || '0');\n break;\n case ActionType.Stake:\n total += BigInt(action.stake || '0');\n break;\n default:\n break;\n }\n }\n }\n return total > BigInt(0) ? total.toString() : undefined;\n } catch {\n return undefined;\n }\n}\n"],"mappings":";;;;;;;;;;;;AA2FA,eAAsB,gCACpB,YACA,QACgD;CAChD,MAAM,EAAE,cAAc;CAEtB,IAAIA;CACJ,IAAIC;AAEJ,SAAQ,OAAO,MAAf;EACE,KAAK,eAAe;GAClB,MAAM,oBAAoB,OAAO;AACjC,kBAAe,MAAM,6BACnB,kBAAkB,KAAI,QAAO;IAC3B,YAAY,GAAG;IACf,SAAS,GAAG,QAAQ,IAAI;;GAI5B,MAAMC,UAA8B;IAClC;IACA,YAAY,kBAAkB,IAAI;IAClC,aAAa,wBAAwB;IACrC,MAAM;IACN,GAAI,OAAO,SAAS,OAAO,EAAE,OAAO,OAAO,UAAU;IACrD,GAAI,OAAO,QAAQ,OAAO,EAAE,MAAM,OAAO,SAAS;;AAGpD,aAAU;IACR,WAAW;IACX,MAAM,uBAAuB;IAC7B;IACA,SAAS;KACP;KACA;KACA,SAAS,OAAO;KAChB,GAAI,OAAO,wBAAwB,EAAE,uBAAuB,OAAO,0BAA0B;KAC7F,GAAI,OAAO,kBAAkB,EAAE,iBAAiB,OAAO,oBAAoB;;IAE7E,oBAAoB,OAAO;IAC3B;;AAEF;;EAEF,KAAK,YAAY;GACf,MAAMC,oBAA4C,CAAC;IACjD,YAAY,OAAO,SAAS;IAC5B,SAAS,OAAO,SAAS;;AAG3B,kBAAe,MAAM,6BACnB,kBAAkB,KAAI,QAAO;IAC3B,YAAY,GAAG;IACf,SAAS,GAAG,QAAQ,IAAI;;GAI5B,MAAMD,UAA8B;IAClC;IACA,YAAY,kBAAkB,IAAI;IAClC,aAAa,wBAAwB;IACrC,MAAM;IACN,GAAI,OAAO,SAAS,OAAO,EAAE,OAAO,OAAO,UAAU;IACrD,GAAI,OAAO,QAAQ,OAAO,EAAE,MAAM,OAAO,SAAS;IAClD,UAAU;KACR,UAAU,OAAO,SAAS;KAC1B,YAAY,OAAO,SAAS;KAC5B,OAAO,OAAO,OAAO,SAAS;KAC9B,gBAAgB,OAAO,OAAO,SAAS;;;AAI3C,aAAU;IACR,WAAW;IACX,MAAM,uBAAuB;IAC7B;IACA,SAAS;KACP;KACA;KACA,SAAS,OAAO;KAChB,GAAI,OAAO,wBAAwB,EAAE,uBAAuB,OAAO,0BAA0B;KAC7F,GAAI,OAAO,kBAAkB,EAAE,iBAAiB,OAAO,oBAAoB;;IAE7E,oBAAoB,OAAO;IAC3B;;AAEF;;EAEF,KAAK,UAAU;AACb,kBAAe,GAAG,OAAO,cAAc,GAAG,OAAO,UAAU,GAAG,OAAO;GACrE,MAAMA,UAA8B;IAClC;IACA,QAAQ;IACR,YAAY,OAAO;IACnB,GAAI,OAAO,SAAS,OAAO,EAAE,OAAO,OAAO,UAAU;IACrD,GAAI,OAAO,QAAQ,OAAO,EAAE,MAAM,OAAO,SAAS;;AAGpD,aAAU;IACR,WAAW;IACX,MAAM,uBAAuB;IAC7B;IACA,SAAS;KACP,eAAe,OAAO;KACtB,SAAS,OAAO;KAChB,WAAW,OAAO;KAClB,GAAI,OAAO,wBAAwB,EAAE,uBAAuB,OAAO,0BAA0B;KAC7F,GAAI,OAAO,aAAa,EAAE,YAAY,OAAO,eAAe;KAC5D,GAAI,OAAO,aAAa,EAAE,YAAY,OAAO,eAAe;KAC5D,GAAI,OAAO,kBAAkB,EAAE,iBAAiB,OAAO,oBAAoB;;IAE7E,oBAAoB,OAAO;IAC3B;;AAEF;;EAEF,QAIE,OAAM,IAAI,MAAM;;AAIpB,OAAM,WAAW,kBAAkB;CACnC,MAAME,UAAwE;EAC5E,MAAM;EACN,IAAI,WAAW;EACf,SAAS,EACP;;CAGJ,MAAM,WAAW,MAAM,WAAW,YAAwD;AAC1F,KAAI,CAAC,SAAS,QACZ,OAAM,IAAI,MAAM,2CAA2C,SAAS;CAGtE,MAAM,WAAW,SAAS;AAS1B,KAAI,CAAC,UAAU,UACb,OAAM,IAAI,MAAM,UAAU,SAAS;AAErC,KAAI,CAAC,SAAS,oBACZ,OAAM,IAAI,MAAM;AAGlB,QAAO;EACL;EACA,oBAAoB,SAAS;EAC7B,cAAc,SAAS,iBAAiB;EACxC,YAAY,SAAS;EACrB,cAAc,SAAS;;;AAI3B,SAAS,wBAAwB,mBAA+D;AAC9F,KAAI;EACF,IAAI,QAAQ,OAAO;AACnB,OAAK,MAAM,MAAM,kBACf,MAAK,MAAM,UAAU,GAAG,QACtB,SAAQ,OAAO,aAAf;GACE,KAAK,WAAW;AACd,aAAS,OAAO,OAAO,WAAW;AAClC;GACF,KAAK,WAAW;AACd,aAAS,OAAO,OAAO,WAAW;AAClC;GACF,KAAK,WAAW;AACd,aAAS,OAAO,OAAO,SAAS;AAChC;GACF,QACE;;AAIR,SAAO,QAAQ,OAAO,KAAK,MAAM,aAAa;SACxC;AACN,SAAO"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { validateVRFChallenge } from "../../../types/vrf-worker.js";
+//#region src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.ts
+/**
+* Derive deterministic VRF keypair from PRF output embedded in a WebAuthn credential.
+*/
+async function deriveVrfKeypairFromPrf(ctx, args) {
+	const saveInMemory = args.saveInMemory ?? true;
+	await ctx.ensureWorkerReady();
+	const vrfInputData = args.vrfInputData;
+	const hasVrfInputData = vrfInputData?.blockHash && vrfInputData?.blockHeight && vrfInputData?.userId && vrfInputData?.rpId;
+	const message = {
+		type: "DERIVE_VRF_KEYPAIR_FROM_PRF",
+		id: ctx.generateMessageId(),
+		payload: {
+			credential: args.credential,
+			nearAccountId: args.nearAccountId,
+			saveInMemory,
+			vrfInputData: hasVrfInputData ? {
+				userId: vrfInputData.userId,
+				rpId: vrfInputData.rpId,
+				blockHeight: String(vrfInputData.blockHeight),
+				blockHash: vrfInputData.blockHash,
+				intentDigest: vrfInputData.intentDigest,
+				sessionPolicyDigest32: vrfInputData.sessionPolicyDigest32
+			} : void 0
+		}
+	};
+	const response = await ctx.sendMessage(message);
+	if (!response.success || !response.data) throw new Error(`VRF keypair derivation failed: ${response.error}`);
+	const data = response.data;
+	const vrfPublicKey = data.vrfPublicKey || data.vrfChallengeData?.vrfPublicKey;
+	if (!vrfPublicKey) throw new Error("VRF public key not found in response");
+	if (!data.encryptedVrfKeypair) throw new Error("Encrypted VRF keypair not found in response");
+	const vrfChallenge = data.vrfChallengeData ? validateVRFChallenge({
+		vrfInput: data.vrfChallengeData.vrfInput,
+		vrfOutput: data.vrfChallengeData.vrfOutput,
+		vrfProof: data.vrfChallengeData.vrfProof,
+		vrfPublicKey: data.vrfChallengeData.vrfPublicKey,
+		userId: data.vrfChallengeData.userId,
+		rpId: data.vrfChallengeData.rpId,
+		blockHeight: data.vrfChallengeData.blockHeight,
+		blockHash: data.vrfChallengeData.blockHash,
+		...data.vrfChallengeData.intentDigest ? { intentDigest: data.vrfChallengeData.intentDigest } : {},
+		...data.vrfChallengeData.sessionPolicyDigest32 ? { sessionPolicyDigest32: data.vrfChallengeData.sessionPolicyDigest32 } : {}
+	}) : null;
+	if (saveInMemory) {
+		ctx.setCurrentVrfAccountId(args.nearAccountId);
+		console.debug(`VRF Manager: VRF keypair loaded in memory for ${args.nearAccountId}`);
+	}
+	return {
+		vrfPublicKey,
+		vrfChallenge,
+		encryptedVrfKeypair: data.encryptedVrfKeypair,
+		serverEncryptedVrfKeypair: data.serverEncryptedVrfKeypair || null
+	};
+}
+//#endregion
+export { deriveVrfKeypairFromPrf };
+//# sourceMappingURL=deriveVrfKeypairFromPrf.js.map

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"deriveVrfKeypairFromPrf.js","names":["message: VRFWorkerMessage<WasmDeriveVrfKeypairFromPrfRequest>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/deriveVrfKeypairFromPrf.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type {\n EncryptedVRFKeypair,\n ServerEncryptedVrfKeypair,\n VRFInputData,\n VRFWorkerMessage,\n WasmDeriveVrfKeypairFromPrfRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Derive deterministic VRF keypair from PRF output embedded in a WebAuthn credential.\n */\nexport async function deriveVrfKeypairFromPrf(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n nearAccountId: AccountId;\n vrfInputData?: VRFInputData;\n saveInMemory?: boolean;\n }\n): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge | null;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n serverEncryptedVrfKeypair: ServerEncryptedVrfKeypair | null;\n}> {\n const saveInMemory = args.saveInMemory ?? true;\n await ctx.ensureWorkerReady();\n\n const vrfInputData = args.vrfInputData;\n const hasVrfInputData = vrfInputData?.blockHash\n && vrfInputData?.blockHeight\n && vrfInputData?.userId\n && vrfInputData?.rpId;\n\n const message: VRFWorkerMessage<WasmDeriveVrfKeypairFromPrfRequest> = {\n type: 'DERIVE_VRF_KEYPAIR_FROM_PRF',\n id: ctx.generateMessageId(),\n payload: {\n credential: args.credential,\n nearAccountId: args.nearAccountId,\n\t saveInMemory,\n\t vrfInputData: hasVrfInputData ? {\n\t userId: vrfInputData.userId,\n\t rpId: vrfInputData.rpId,\n\t blockHeight: String(vrfInputData.blockHeight),\n\t blockHash: vrfInputData.blockHash,\n\t intentDigest: vrfInputData.intentDigest,\n sessionPolicyDigest32: vrfInputData.sessionPolicyDigest32,\n\t } : undefined,\n\t }\n\t };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success || !response.data) {\n throw new Error(`VRF keypair derivation failed: ${response.error}`);\n }\n const data = response.data as {\n vrfPublicKey?: string;\n vrfChallengeData?: VRFChallenge;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n serverEncryptedVrfKeypair?: ServerEncryptedVrfKeypair | null;\n };\n\n const vrfPublicKey = data.vrfPublicKey || data.vrfChallengeData?.vrfPublicKey;\n if (!vrfPublicKey) {\n throw new Error('VRF public key not found in response');\n }\n if (!data.encryptedVrfKeypair) {\n throw new Error('Encrypted VRF keypair not found in response');\n }\n\n const vrfChallenge = data.vrfChallengeData\n ? validateVRFChallenge({\n vrfInput: data.vrfChallengeData.vrfInput,\n vrfOutput: data.vrfChallengeData.vrfOutput,\n vrfProof: data.vrfChallengeData.vrfProof,\n vrfPublicKey: data.vrfChallengeData.vrfPublicKey,\n userId: data.vrfChallengeData.userId,\n rpId: data.vrfChallengeData.rpId,\n blockHeight: data.vrfChallengeData.blockHeight,\n blockHash: data.vrfChallengeData.blockHash,\n ...(data.vrfChallengeData.intentDigest ? { intentDigest: data.vrfChallengeData.intentDigest } : {}),\n ...(data.vrfChallengeData.sessionPolicyDigest32 ? { sessionPolicyDigest32: data.vrfChallengeData.sessionPolicyDigest32 } : {}),\n })\n : null;\n\n if (saveInMemory) {\n ctx.setCurrentVrfAccountId(args.nearAccountId);\n console.debug(`VRF Manager: VRF keypair loaded in memory for ${args.nearAccountId}`);\n }\n\n return {\n vrfPublicKey,\n vrfChallenge,\n encryptedVrfKeypair: data.encryptedVrfKeypair,\n serverEncryptedVrfKeypair: data.serverEncryptedVrfKeypair || null,\n };\n}\n"],"mappings":";;;;;;AAeA,eAAsB,wBACpB,KACA,MAWC;CACD,MAAM,eAAe,KAAK,gBAAgB;AAC1C,OAAM,IAAI;CAEV,MAAM,eAAe,KAAK;CAC1B,MAAM,kBAAkB,cAAc,aACjC,cAAc,eACd,cAAc,UACd,cAAc;CAEnB,MAAMA,UAAgE;EACpE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,YAAY,KAAK;GACjB,eAAe,KAAK;GACnB;GACA,cAAc,kBAAkB;IAC9B,QAAQ,aAAa;IACrB,MAAM,aAAa;IACnB,aAAa,OAAO,aAAa;IACjC,WAAW,aAAa;IACxB,cAAc,aAAa;IAC1B,uBAAuB,aAAa;OACnC;;;CAIT,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,kCAAkC,SAAS;CAE7D,MAAM,OAAO,SAAS;CAOtB,MAAM,eAAe,KAAK,gBAAgB,KAAK,kBAAkB;AACjE,KAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,KAAK,oBACR,OAAM,IAAI,MAAM;CAGlB,MAAM,eAAe,KAAK,mBACtB,qBAAqB;EACrB,UAAU,KAAK,iBAAiB;EAChC,WAAW,KAAK,iBAAiB;EACjC,UAAU,KAAK,iBAAiB;EAChC,cAAc,KAAK,iBAAiB;EACpC,QAAQ,KAAK,iBAAiB;EAC9B,MAAM,KAAK,iBAAiB;EAC5B,aAAa,KAAK,iBAAiB;EACnC,WAAW,KAAK,iBAAiB;EACjC,GAAI,KAAK,iBAAiB,eAAe,EAAE,cAAc,KAAK,iBAAiB,iBAAiB;EAChG,GAAI,KAAK,iBAAiB,wBAAwB,EAAE,uBAAuB,KAAK,iBAAiB,0BAA0B;MAE3H;AAEJ,KAAI,cAAc;AAChB,MAAI,uBAAuB,KAAK;AAChC,UAAQ,MAAM,iDAAiD,KAAK;;AAGtE,QAAO;EACL;EACA;EACA,qBAAqB,KAAK;EAC1B,2BAA2B,KAAK,6BAA6B"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/dispenseSessionKey.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dispenseSessionKey.js","names":["message: VRFWorkerMessage<WasmDispenseSessionKeyRequest>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/dispenseSessionKey.ts"],"sourcesContent":["import type { VRFWorkerMessage, WasmDispenseSessionKeyRequest } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * \"Warm session\" path: dispense an existing VRF-owned session key to the signer worker.\n *\n * VRF WASM enforces TTL/usage limits for `sessionId`, then sends `{ wrap_key_seed, wrapKeySalt }`\n * over the attached MessagePort to the signer worker. This does not prompt for WebAuthn.\n */\nexport async function dispenseSessionKey(\n ctx: VrfWorkerManagerHandlerContext,\n args: { sessionId: string; uses?: number }\n): Promise<{\n sessionId: string;\n remainingUses?: number;\n expiresAtMs?: number;\n}> {\n await ctx.ensureWorkerReady(true);\n const message: VRFWorkerMessage<WasmDispenseSessionKeyRequest> = {\n type: 'DISPENSE_SESSION_KEY',\n id: ctx.generateMessageId(),\n payload: {\n sessionId: args.sessionId,\n uses: args.uses,\n } as any,\n };\n const response = await ctx.sendMessage<WasmDispenseSessionKeyRequest>(message);\n if (!response.success) {\n throw new Error(`dispenseSessionKey failed: ${response.error}`);\n }\n return (response.data as any) || { sessionId: args.sessionId };\n}\n"],"mappings":";;;;;;;AASA,eAAsB,mBACpB,KACA,MAKC;AACD,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAA2D;EAC/D,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,WAAW,KAAK;GAChB,MAAM,KAAK;;;CAGf,MAAM,WAAW,MAAM,IAAI,YAA2C;AACtE,KAAI,CAAC,SAAS,QACZ,OAAM,IAAI,MAAM,8BAA8B,SAAS;AAEzD,QAAQ,SAAS,QAAgB,EAAE,WAAW,KAAK"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.js ADDED Viewed

@@ -0,0 +1,79 @@
+import { toTrimmedString } from "../../../../utils/validation.js";
+import { toAccountId } from "../../../types/accountIds.js";
+import { validateVRFChallenge } from "../../../types/vrf-worker.js";
+import { checkVrfStatus } from "./checkVrfStatus.js";
+import { shamir3PassDecryptVrfKeypair } from "./shamir3PassDecryptVrfKeypair.js";
+//#region src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.ts
+/**
+* Generate a VRF challenge and cache it under `sessionId` inside the VRF worker.
+*
+* This is used by SecureConfirm flows so later steps (e.g. contract verification) can rely on
+* worker-owned challenge data instead of JS-provided state.
+*/
+async function generateVrfChallengeForSession(ctx, inputData, sessionId) {
+	return generateVrfChallengeInternal(ctx, inputData, sessionId);
+}
+/**
+* Generate a one-off VRF challenge without caching it in the VRF worker.
+*
+* Used for standalone WebAuthn prompts where we don't need to later look up the challenge by `sessionId`.
+*/
+async function generateVrfChallengeOnce(ctx, inputData) {
+	return generateVrfChallengeInternal(ctx, inputData);
+}
+async function generateVrfChallengeInternal(ctx, inputData, sessionId) {
+	await ctx.ensureWorkerReady(true);
+	await ensureVrfKeypairBoundToLastUser(ctx, inputData.userId);
+	const message = {
+		type: "GENERATE_VRF_CHALLENGE",
+		id: ctx.generateMessageId(),
+		payload: {
+			sessionId,
+			vrfInputData: {
+				userId: inputData.userId,
+				rpId: inputData.rpId,
+				blockHeight: String(inputData.blockHeight),
+				blockHash: inputData.blockHash,
+				intentDigest: inputData.intentDigest,
+				sessionPolicyDigest32: inputData.sessionPolicyDigest32
+			}
+		}
+	};
+	const response = await ctx.sendMessage(message);
+	if (!response.success || !response.data) throw new Error(`VRF challenge generation failed: ${response.error}`);
+	const data = response.data;
+	return validateVRFChallenge(data);
+}
+async function ensureVrfKeypairBoundToLastUser(ctx, nearAccountId) {
+	const accountId = toAccountId(nearAccountId);
+	const { indexedDB } = ctx.getContext();
+	const lastUser = await indexedDB.clientDB.getLastUser().catch(() => null);
+	if (!lastUser || toAccountId(lastUser.nearAccountId) !== accountId) return;
+	const lastUserDeviceNumber = Number(lastUser.deviceNumber);
+	if (!Number.isFinite(lastUserDeviceNumber) || lastUserDeviceNumber < 1) return;
+	const status = await checkVrfStatus(ctx);
+	const currentVrfPublicKey = toTrimmedString(status.vrfPublicKey);
+	const authenticators = await indexedDB.clientDB.getAuthenticatorsByUser(accountId).catch(() => []);
+	const expectedVrfPublicKey = toTrimmedString(authenticators.find((a) => a.credentialId === lastUser.passkeyCredential.rawId)?.vrfPublicKey ?? authenticators.find((a) => a.deviceNumber === lastUserDeviceNumber)?.vrfPublicKey);
+	const needsRebind = !status.active || expectedVrfPublicKey && currentVrfPublicKey !== expectedVrfPublicKey;
+	if (!needsRebind) return;
+	const shamir = lastUser.serverEncryptedVrfKeypair;
+	if (!shamir?.ciphertextVrfB64u || !shamir?.kek_s_b64u || !shamir?.serverKeyId) throw new Error("VRF session is not bound to the last logged-in passkey device. Please log in again on this device.");
+	const unlock = await shamir3PassDecryptVrfKeypair(ctx, {
+		nearAccountId: accountId,
+		ciphertextVrfB64u: shamir.ciphertextVrfB64u,
+		kek_s_b64u: shamir.kek_s_b64u,
+		serverKeyId: shamir.serverKeyId
+	});
+	if (!unlock.success) throw new Error(unlock.error || "Failed to rebind VRF keypair to the last logged-in device");
+	if (expectedVrfPublicKey) {
+		const rebound = await checkVrfStatus(ctx);
+		const reboundPk = toTrimmedString(rebound.vrfPublicKey);
+		if (!rebound.active || reboundPk !== expectedVrfPublicKey) throw new Error("VRF session mismatch: VRF keypair did not match the last logged-in device after rebind. Please log in again.");
+	}
+}
+//#endregion
+export { generateVrfChallengeForSession, generateVrfChallengeOnce };
+//# sourceMappingURL=generateVrfChallenge.js.map

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"generateVrfChallenge.js","names":["message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfChallenge.ts"],"sourcesContent":["import type {\n VRFInputData,\n VRFWorkerMessage,\n WasmGenerateVrfChallengeRequest,\n} from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport { toAccountId } from '../../../types/accountIds';\nimport type { VrfWorkerManagerHandlerContext } from './types';\nimport { checkVrfStatus } from './checkVrfStatus';\nimport { shamir3PassDecryptVrfKeypair } from './shamir3PassDecryptVrfKeypair';\nimport { toTrimmedString } from '@/utils';\n\n/**\n * Generate a VRF challenge and cache it under `sessionId` inside the VRF worker.\n *\n * This is used by SecureConfirm flows so later steps (e.g. contract verification) can rely on\n * worker-owned challenge data instead of JS-provided state.\n */\nexport async function generateVrfChallengeForSession(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData,\n sessionId: string\n): Promise<VRFChallenge> {\n return generateVrfChallengeInternal(ctx, inputData, sessionId);\n}\n\n/**\n * Generate a one-off VRF challenge without caching it in the VRF worker.\n *\n * Used for standalone WebAuthn prompts where we don't need to later look up the challenge by `sessionId`.\n */\nexport async function generateVrfChallengeOnce(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData\n): Promise<VRFChallenge> {\n return generateVrfChallengeInternal(ctx, inputData);\n}\n\nasync function generateVrfChallengeInternal(\n ctx: VrfWorkerManagerHandlerContext,\n inputData: VRFInputData,\n sessionId?: string\n): Promise<VRFChallenge> {\n await ctx.ensureWorkerReady(true);\n\n // Root-cause fix: ensure the VRF worker's active VRF keypair matches the IndexedDB \"lastUser\" device.\n // Otherwise, multi-device accounts can drift such that:\n // - WebAuthn allowCredentials selects the lastUser passkey, but\n // - VRF challenges are generated from a different device's vrf_sk,\n // causing contract verification failures.\n await ensureVrfKeypairBoundToLastUser(ctx, inputData.userId);\n\n const message: VRFWorkerMessage<WasmGenerateVrfChallengeRequest> = {\n type: 'GENERATE_VRF_CHALLENGE',\n id: ctx.generateMessageId(),\n payload: {\n sessionId,\n\t vrfInputData: {\n\t userId: inputData.userId,\n\t rpId: inputData.rpId,\n\t blockHeight: String(inputData.blockHeight),\n\t blockHash: inputData.blockHash,\n\t intentDigest: inputData.intentDigest,\n sessionPolicyDigest32: inputData.sessionPolicyDigest32,\n\t },\n\t },\n\t };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success || !response.data) {\n throw new Error(`VRF challenge generation failed: ${response.error}`);\n }\n\n const data = response.data as unknown as VRFChallenge;\n return validateVRFChallenge(data);\n}\n\nasync function ensureVrfKeypairBoundToLastUser(\n ctx: VrfWorkerManagerHandlerContext,\n nearAccountId: string,\n): Promise<void> {\n const accountId = toAccountId(nearAccountId);\n const { indexedDB } = ctx.getContext();\n\n const lastUser = await indexedDB.clientDB.getLastUser().catch(() => null);\n if (!lastUser || toAccountId(lastUser.nearAccountId) !== accountId) {\n return;\n }\n\n const lastUserDeviceNumber = Number(lastUser.deviceNumber);\n if (!Number.isFinite(lastUserDeviceNumber) || lastUserDeviceNumber < 1) {\n return;\n }\n\n const status = await checkVrfStatus(ctx);\n const currentVrfPublicKey = toTrimmedString(status.vrfPublicKey);\n\n // Best-effort: find the expected VRF public key for the last-user device from the authenticator cache.\n const authenticators = await indexedDB.clientDB.getAuthenticatorsByUser(accountId).catch(() => []);\n const expectedVrfPublicKey = toTrimmedString(\n authenticators.find(a => a.credentialId === lastUser.passkeyCredential.rawId)?.vrfPublicKey\n ?? authenticators.find(a => a.deviceNumber === lastUserDeviceNumber)?.vrfPublicKey\n );\n\n const needsRebind = !status.active\n || (expectedVrfPublicKey && currentVrfPublicKey !== expectedVrfPublicKey);\n\n if (!needsRebind) {\n return;\n }\n\n const shamir = lastUser.serverEncryptedVrfKeypair;\n if (!shamir?.ciphertextVrfB64u || !shamir?.kek_s_b64u || !shamir?.serverKeyId) {\n // If we can't rebind automatically, fail early instead of silently generating a challenge from the wrong vrf_sk.\n throw new Error(\n 'VRF session is not bound to the last logged-in passkey device. Please log in again on this device.',\n );\n }\n\n const unlock = await shamir3PassDecryptVrfKeypair(ctx, {\n nearAccountId: accountId,\n ciphertextVrfB64u: shamir.ciphertextVrfB64u,\n kek_s_b64u: shamir.kek_s_b64u,\n serverKeyId: shamir.serverKeyId,\n });\n if (!unlock.success) {\n throw new Error(unlock.error || 'Failed to rebind VRF keypair to the last logged-in device');\n }\n\n // If we know the expected VRF pk, confirm the rebind succeeded.\n if (expectedVrfPublicKey) {\n const rebound = await checkVrfStatus(ctx);\n const reboundPk = toTrimmedString(rebound.vrfPublicKey);\n if (!rebound.active || reboundPk !== expectedVrfPublicKey) {\n throw new Error(\n 'VRF session mismatch: VRF keypair did not match the last logged-in device after rebind. Please log in again.',\n );\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;AAkBA,eAAsB,+BACpB,KACA,WACA,WACuB;AACvB,QAAO,6BAA6B,KAAK,WAAW;;;;;;;AAQtD,eAAsB,yBACpB,KACA,WACuB;AACvB,QAAO,6BAA6B,KAAK;;AAG3C,eAAe,6BACb,KACA,WACA,WACuB;AACvB,OAAM,IAAI,kBAAkB;AAO5B,OAAM,gCAAgC,KAAK,UAAU;CAErD,MAAMA,UAA6D;EACjE,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP;GACC,cAAc;IACZ,QAAQ,UAAU;IAClB,MAAM,UAAU;IAChB,aAAa,OAAO,UAAU;IAC9B,WAAW,UAAU;IACrB,cAAc,UAAU;IACvB,uBAAuB,UAAU;;;;CAKzC,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,oCAAoC,SAAS;CAG/D,MAAM,OAAO,SAAS;AACtB,QAAO,qBAAqB;;AAG9B,eAAe,gCACb,KACA,eACe;CACf,MAAM,YAAY,YAAY;CAC9B,MAAM,EAAE,cAAc,IAAI;CAE1B,MAAM,WAAW,MAAM,UAAU,SAAS,cAAc,YAAY;AACpE,KAAI,CAAC,YAAY,YAAY,SAAS,mBAAmB,UACvD;CAGF,MAAM,uBAAuB,OAAO,SAAS;AAC7C,KAAI,CAAC,OAAO,SAAS,yBAAyB,uBAAuB,EACnE;CAGF,MAAM,SAAS,MAAM,eAAe;CACpC,MAAM,sBAAsB,gBAAgB,OAAO;CAGnD,MAAM,iBAAiB,MAAM,UAAU,SAAS,wBAAwB,WAAW,YAAY;CAC/F,MAAM,uBAAuB,gBAC3B,eAAe,MAAK,MAAK,EAAE,iBAAiB,SAAS,kBAAkB,QAAQ,gBAC5E,eAAe,MAAK,MAAK,EAAE,iBAAiB,uBAAuB;CAGxE,MAAM,cAAc,CAAC,OAAO,UACtB,wBAAwB,wBAAwB;AAEtD,KAAI,CAAC,YACH;CAGF,MAAM,SAAS,SAAS;AACxB,KAAI,CAAC,QAAQ,qBAAqB,CAAC,QAAQ,cAAc,CAAC,QAAQ,YAEhE,OAAM,IAAI,MACR;CAIJ,MAAM,SAAS,MAAM,6BAA6B,KAAK;EACrD,eAAe;EACf,mBAAmB,OAAO;EAC1B,YAAY,OAAO;EACnB,aAAa,OAAO;;AAEtB,KAAI,CAAC,OAAO,QACV,OAAM,IAAI,MAAM,OAAO,SAAS;AAIlC,KAAI,sBAAsB;EACxB,MAAM,UAAU,MAAM,eAAe;EACrC,MAAM,YAAY,gBAAgB,QAAQ;AAC1C,MAAI,CAAC,QAAQ,UAAU,cAAc,qBACnC,OAAM,IAAI,MACR"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.js ADDED Viewed

@@ -0,0 +1,61 @@
+import { validateVRFChallenge } from "../../../types/vrf-worker.js";
+//#region src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.ts
+/**
+* Registration bootstrap: generate a fresh random VRF keypair in the VRF worker and (optionally)
+* generate a VRF challenge from it.
+*
+* This solves the "chicken-and-egg" problem during registration where you need a VRF challenge
+* before you have PRF outputs to encrypt the VRF keypair. The generated VRF keypair lives in
+* VRF worker memory until it is later encrypted with PRF output.
+*/
+async function generateVrfKeypairBootstrap(ctx, args) {
+	await ctx.ensureWorkerReady();
+	try {
+		const message = {
+			type: "GENERATE_VRF_KEYPAIR_BOOTSTRAP",
+			id: ctx.generateMessageId(),
+			payload: {
+				sessionId: args.sessionId,
+				vrfInputData: args.vrfInputData ? {
+					userId: args.vrfInputData.userId,
+					rpId: args.vrfInputData.rpId,
+					blockHeight: String(args.vrfInputData.blockHeight),
+					blockHash: args.vrfInputData.blockHash,
+					intentDigest: args.vrfInputData.intentDigest,
+					sessionPolicyDigest32: args.vrfInputData.sessionPolicyDigest32
+				} : void 0
+			}
+		};
+		const response = await ctx.sendMessage(message);
+		if (!response.success || !response.data) throw new Error(`VRF bootstrap keypair generation failed: ${response.error}`);
+		const data = response.data;
+		const challengeData = data.vrf_challenge_data;
+		if (!challengeData) throw new Error("VRF challenge data failed to be generated");
+		const vrfPublicKey = data.vrfPublicKey || challengeData.vrfPublicKey;
+		if (!vrfPublicKey) throw new Error("VRF public key missing in bootstrap response");
+		if (args.vrfInputData && args.saveInMemory) ctx.setCurrentVrfAccountId(args.vrfInputData.userId);
+		return {
+			vrfPublicKey,
+			vrfChallenge: validateVRFChallenge({
+				vrfInput: challengeData.vrfInput,
+				vrfOutput: challengeData.vrfOutput,
+				vrfProof: challengeData.vrfProof,
+				vrfPublicKey: challengeData.vrfPublicKey,
+				userId: challengeData.userId,
+				rpId: challengeData.rpId,
+				blockHeight: challengeData.blockHeight,
+				blockHash: challengeData.blockHash,
+				...challengeData.intentDigest ? { intentDigest: challengeData.intentDigest } : {},
+				...challengeData.sessionPolicyDigest32 ? { sessionPolicyDigest32: challengeData.sessionPolicyDigest32 } : {}
+			})
+		};
+	} catch (error) {
+		console.error("VRF Manager: Bootstrap VRF keypair generation failed:", error);
+		throw new Error(`Failed to generate bootstrap VRF keypair: ${error.message}`);
+	}
+}
+//#endregion
+export { generateVrfKeypairBootstrap };
+//# sourceMappingURL=generateVrfKeypairBootstrap.js.map

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"generateVrfKeypairBootstrap.js","names":["message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest>","error: any"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/generateVrfKeypairBootstrap.ts"],"sourcesContent":["import type { VRFInputData } from '../../../types/vrf-worker';\nimport { validateVRFChallenge, type VRFChallenge } from '../../../types/vrf-worker';\nimport type { VRFWorkerMessage, WasmGenerateVrfKeypairBootstrapRequest } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Registration bootstrap: generate a fresh random VRF keypair in the VRF worker and (optionally)\n * generate a VRF challenge from it.\n *\n * This solves the \"chicken-and-egg\" problem during registration where you need a VRF challenge\n * before you have PRF outputs to encrypt the VRF keypair. The generated VRF keypair lives in\n * VRF worker memory until it is later encrypted with PRF output.\n */\nexport async function generateVrfKeypairBootstrap(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n vrfInputData: VRFInputData;\n saveInMemory: boolean;\n sessionId?: string;\n }\n): Promise<{\n vrfPublicKey: string;\n vrfChallenge: VRFChallenge;\n}> {\n await ctx.ensureWorkerReady();\n try {\n const message: VRFWorkerMessage<WasmGenerateVrfKeypairBootstrapRequest> = {\n type: 'GENERATE_VRF_KEYPAIR_BOOTSTRAP',\n id: ctx.generateMessageId(),\n\t payload: {\n\t // Include VRF input data if provided for challenge generation\n\t sessionId: args.sessionId,\n\t vrfInputData: args.vrfInputData\n\t ? {\n\t userId: args.vrfInputData.userId,\n\t rpId: args.vrfInputData.rpId,\n\t blockHeight: String(args.vrfInputData.blockHeight),\n\t blockHash: args.vrfInputData.blockHash,\n\t intentDigest: args.vrfInputData.intentDigest,\n sessionPolicyDigest32: args.vrfInputData.sessionPolicyDigest32,\n\t }\n\t : undefined,\n\t },\n\t };\n\n const response = await ctx.sendMessage(message);\n\n if (!response.success || !response.data) {\n throw new Error(`VRF bootstrap keypair generation failed: ${response.error}`);\n }\n const data = response.data as { vrf_challenge_data?: VRFChallenge; vrfPublicKey?: string };\n const challengeData = data.vrf_challenge_data as VRFChallenge | undefined;\n if (!challengeData) {\n throw new Error('VRF challenge data failed to be generated');\n }\n const vrfPublicKey = data.vrfPublicKey || challengeData.vrfPublicKey;\n if (!vrfPublicKey) {\n throw new Error('VRF public key missing in bootstrap response');\n }\n if (args.vrfInputData && args.saveInMemory) {\n // Track the account ID for this VRF session if saving in memory\n ctx.setCurrentVrfAccountId(args.vrfInputData.userId);\n }\n\n // TODO: strong types generated by Rust wasm-bindgen\n return {\n vrfPublicKey,\n vrfChallenge: validateVRFChallenge({\n vrfInput: challengeData.vrfInput,\n vrfOutput: challengeData.vrfOutput,\n vrfProof: challengeData.vrfProof,\n vrfPublicKey: challengeData.vrfPublicKey,\n userId: challengeData.userId,\n rpId: challengeData.rpId,\n blockHeight: challengeData.blockHeight,\n blockHash: challengeData.blockHash,\n ...(challengeData.intentDigest ? { intentDigest: challengeData.intentDigest } : {}),\n ...(challengeData.sessionPolicyDigest32 ? { sessionPolicyDigest32: challengeData.sessionPolicyDigest32 } : {}),\n })\n }\n\n } catch (error: any) {\n console.error('VRF Manager: Bootstrap VRF keypair generation failed:', error);\n throw new Error(`Failed to generate bootstrap VRF keypair: ${error.message}`);\n }\n}\n"],"mappings":";;;;;;;;;;;AAaA,eAAsB,4BACpB,KACA,MAQC;AACD,OAAM,IAAI;AACV,KAAI;EACF,MAAMA,UAAoE;GACxE,MAAM;GACN,IAAI,IAAI;GACP,SAAS;IAEP,WAAW,KAAK;IAChB,cAAc,KAAK,eACf;KACE,QAAQ,KAAK,aAAa;KAC1B,MAAM,KAAK,aAAa;KACxB,aAAa,OAAO,KAAK,aAAa;KACtC,WAAW,KAAK,aAAa;KAC7B,cAAc,KAAK,aAAa;KAC/B,uBAAuB,KAAK,aAAa;QAE5C;;;EAIT,MAAM,WAAW,MAAM,IAAI,YAAY;AAEvC,MAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,4CAA4C,SAAS;EAEvE,MAAM,OAAO,SAAS;EACtB,MAAM,gBAAgB,KAAK;AAC3B,MAAI,CAAC,cACH,OAAM,IAAI,MAAM;EAElB,MAAM,eAAe,KAAK,gBAAgB,cAAc;AACxD,MAAI,CAAC,aACH,OAAM,IAAI,MAAM;AAElB,MAAI,KAAK,gBAAgB,KAAK,aAE5B,KAAI,uBAAuB,KAAK,aAAa;AAI/C,SAAO;GACL;GACA,cAAc,qBAAqB;IACjC,UAAU,cAAc;IACxB,WAAW,cAAc;IACzB,UAAU,cAAc;IACxB,cAAc,cAAc;IAC5B,QAAQ,cAAc;IACtB,MAAM,cAAc;IACpB,aAAa,cAAc;IAC3B,WAAW,cAAc;IACzB,GAAI,cAAc,eAAe,EAAE,cAAc,cAAc,iBAAiB;IAChF,GAAI,cAAc,wBAAwB,EAAE,uBAAuB,cAAc,0BAA0B;;;UAIxGC,OAAY;AACnB,UAAQ,MAAM,yDAAyD;AACvE,QAAM,IAAI,MAAM,6CAA6C,MAAM"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/mintSessionKeysAndSendToSigner.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"mintSessionKeysAndSendToSigner.js","names":["message: VRFWorkerMessage<WasmMintSessionKeysAndSendToSignerRequest>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/mintSessionKeysAndSendToSigner.ts"],"sourcesContent":["import type {\n VRFWorkerMessage,\n WasmMintSessionKeysAndSendToSignerRequest,\n} from '../../../types/vrf-worker';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Mint/refresh a VRF-owned signing session and deliver WrapKey material to the signer worker.\n *\n * VRF WASM will:\n * - (optionally) gate on `verify_authentication_response` when `contractId` + `nearRpcUrl` are provided,\n * - derive WrapKeySeed from PRF.first_auth + the in-memory VRF secret key,\n * - choose/generate `wrapKeySalt` (when omitted/empty),\n * - upsert session metadata (TTL + remaining uses),\n * - and send `{ wrap_key_seed, wrapKeySalt, prfSecond? }` to the signer worker over the attached MessagePort.\n *\n * The main thread never receives WrapKeySeed; it only receives `wrapKeySalt` metadata.\n * This expects `createSigningSessionChannel` + signer port attachment to have happened for `sessionId`.\n */\nexport async function mintSessionKeysAndSendToSigner(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n sessionId: string;\n wrapKeySalt?: string;\n contractId?: string;\n nearRpcUrl?: string;\n ttlMs?: number;\n remainingUses?: number;\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n }\n): Promise<{ sessionId: string; wrapKeySalt: string }> {\n await ctx.ensureWorkerReady(true);\n\n const message: VRFWorkerMessage<WasmMintSessionKeysAndSendToSignerRequest> = {\n type: 'MINT_SESSION_KEYS_AND_SEND_TO_SIGNER',\n id: ctx.generateMessageId(),\n payload: {\n sessionId: args.sessionId,\n // Use empty string as a sentinel to tell the VRF worker to generate wrapKeySalt when none is provided.\n wrapKeySalt: args.wrapKeySalt ?? '',\n contractId: args.contractId,\n nearRpcUrl: args.nearRpcUrl,\n ttlMs: args.ttlMs,\n remainingUses: args.remainingUses,\n credential: args.credential,\n }\n };\n const response = await ctx.sendMessage<WasmMintSessionKeysAndSendToSignerRequest>(message);\n if (!response.success) {\n throw new Error(`mintSessionKeysAndSendToSigner failed: ${response.error}`);\n }\n // VRF WASM now delivers WrapKeySeed + wrapKeySalt directly to the signer worker via the\n // attached MessagePort; TS only needs to know that the session is prepared and\n // what wrapKeySalt was actually used (for new vault entries).\n const data = (response.data as unknown) as { sessionId: string; wrapKeySalt?: string } | undefined;\n const wrapKeySalt = data?.wrapKeySalt ?? args.wrapKeySalt ?? '';\n if (!wrapKeySalt) {\n throw new Error('mintSessionKeysAndSendToSigner: VRF worker did not return wrapKeySalt');\n }\n return { sessionId: data?.sessionId ?? args.sessionId, wrapKeySalt };\n}\n"],"mappings":";;;;;;;;;;;;;;AAoBA,eAAsB,+BACpB,KACA,MASqD;AACrD,OAAM,IAAI,kBAAkB;CAE5B,MAAMA,UAAuE;EAC3E,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,WAAW,KAAK;GAEhB,aAAa,KAAK,eAAe;GACjC,YAAY,KAAK;GACjB,YAAY,KAAK;GACjB,OAAO,KAAK;GACZ,eAAe,KAAK;GACpB,YAAY,KAAK;;;CAGrB,MAAM,WAAW,MAAM,IAAI,YAAuD;AAClF,KAAI,CAAC,SAAS,QACZ,OAAM,IAAI,MAAM,0CAA0C,SAAS;CAKrE,MAAM,OAAQ,SAAS;CACvB,MAAM,cAAc,MAAM,eAAe,KAAK,eAAe;AAC7D,KAAI,CAAC,YACH,OAAM,IAAI,MAAM;AAElB,QAAO;EAAE,WAAW,MAAM,aAAa,KAAK;EAAW"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/prepareDecryptSession.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"prepareDecryptSession.js","names":["message: VRFWorkerMessage<any>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/prepareDecryptSession.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type { EncryptedVRFKeypair, VRFWorkerMessage } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Prepare an export/decrypt session by having the VRF worker derive and deliver WrapKeySeed\n * to the signer worker, using the VRF-owned confirmation flow.\n *\n * This is used by \"offline export\" / decrypt flows where secrets must not touch the main thread.\n */\nexport async function prepareDecryptSession(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n sessionId: string;\n nearAccountId: AccountId;\n wrapKeySalt: string;\n /**\n * Optional: local encrypted VRF keypair for this account/device.\n * Supplying this lets the VRF worker unlock the correct VRF secret in offline mode.\n */\n encryptedVrfKeypair?: EncryptedVRFKeypair;\n /**\n * Optional: expected VRF public key (base64url) for sanity checking/fallback derivation.\n */\n expectedVrfPublicKey?: string;\n }\n): Promise<void> {\n if (!args.wrapKeySalt) {\n throw new Error('wrapKeySalt is required for decrypt session');\n }\n await ctx.ensureWorkerReady(true);\n const message: VRFWorkerMessage<any> = {\n type: 'DECRYPT_SESSION',\n id: ctx.generateMessageId(),\n payload: {\n sessionId: args.sessionId,\n nearAccountId: String(args.nearAccountId),\n wrapKeySalt: args.wrapKeySalt,\n encryptedVrfKeypair: args.encryptedVrfKeypair,\n expectedVrfPublicKey: args.expectedVrfPublicKey,\n },\n };\n try {\n console.debug('[VRF] prepareDecryptSession: start', {\n sessionId: args.sessionId,\n nearAccountId: String(args.nearAccountId),\n });\n const response = await ctx.sendMessage(message);\n if (!response.success) {\n console.error('[VRF] prepareDecryptSession: worker reported failure', {\n sessionId: args.sessionId,\n nearAccountId: String(args.nearAccountId),\n error: response.error,\n });\n throw new Error(`prepareDecryptSession failed: ${response.error}`);\n }\n console.debug('[VRF] prepareDecryptSession: success', {\n sessionId: args.sessionId,\n nearAccountId: String(args.nearAccountId),\n });\n } catch (error) {\n console.error('[VRF] prepareDecryptSession: error', {\n sessionId: args.sessionId,\n nearAccountId: String(args.nearAccountId),\n error,\n });\n throw error;\n }\n}\n"],"mappings":";;;;;;;AAUA,eAAsB,sBACpB,KACA,MAce;AACf,KAAI,CAAC,KAAK,YACR,OAAM,IAAI,MAAM;AAElB,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAAiC;EACrC,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;GAC3B,aAAa,KAAK;GAClB,qBAAqB,KAAK;GAC1B,sBAAsB,KAAK;;;AAG/B,KAAI;AACF,UAAQ,MAAM,sCAAsC;GAClD,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;;EAE7B,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,MAAI,CAAC,SAAS,SAAS;AACrB,WAAQ,MAAM,wDAAwD;IACpE,WAAW,KAAK;IAChB,eAAe,OAAO,KAAK;IAC3B,OAAO,SAAS;;AAElB,SAAM,IAAI,MAAM,iCAAiC,SAAS;;AAE5D,UAAQ,MAAM,wCAAwC;GACpD,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;;UAEtB,OAAO;AACd,UAAQ,MAAM,sCAAsC;GAClD,WAAW,KAAK;GAChB,eAAe,OAAO,KAAK;GAC3B;;AAEF,QAAM"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/requestRegistrationCredentialConfirmation.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"requestRegistrationCredentialConfirmation.js","names":["requestRegistrationCredentialConfirmation","requestRegistrationCredentialConfirmationFlow"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/requestRegistrationCredentialConfirmation.ts"],"sourcesContent":["import type { ConfirmationConfig } from '../../../types/signer-worker';\nimport type { RegistrationCredentialConfirmationPayload } from '../../SignerWorkerManager/handlers/validation';\nimport { requestRegistrationCredentialConfirmation as requestRegistrationCredentialConfirmationFlow } from '../confirmTxFlow/flows/requestRegistrationCredentialConfirmation';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Kick off the SecureConfirm UI flow for account registration and return the confirmed decision.\n *\n * This is used when the host (main thread) needs a registration credential + VRF challenge + NEAR context,\n * but the UI/confirmation orchestration lives in the VRF worker confirmation flow.\n */\nexport async function requestRegistrationCredentialConfirmation(\n ctx: VrfWorkerManagerHandlerContext,\n params: {\n nearAccountId: string;\n deviceNumber: number;\n confirmerText?: { title?: string; body?: string };\n confirmationConfigOverride?: Partial<ConfirmationConfig>;\n contractId: string;\n nearRpcUrl: string;\n }\n): Promise<RegistrationCredentialConfirmationPayload> {\n const hostCtx = ctx.getContext();\n const decision = await requestRegistrationCredentialConfirmationFlow({\n ctx: hostCtx,\n nearAccountId: params.nearAccountId,\n deviceNumber: params.deviceNumber,\n confirmerText: params.confirmerText,\n contractId: params.contractId,\n nearRpcUrl: params.nearRpcUrl,\n // Flow expects `confirmationConfig` on the request envelope; forward the override.\n confirmationConfig: params.confirmationConfigOverride,\n });\n\n if (!decision.confirmed) {\n throw new Error(decision.error || 'User rejected registration request');\n }\n if (!decision.credential) {\n throw new Error('Missing credential from registration confirmation');\n }\n if (!decision.vrfChallenge) {\n throw new Error('Missing vrfChallenge from registration confirmation');\n }\n if (!decision.transactionContext) {\n throw new Error('Missing transactionContext from registration confirmation');\n }\n\n return decision;\n}\n"],"mappings":";;;;;;;;;AAWA,eAAsBA,4CACpB,KACA,QAQoD;CACpD,MAAM,UAAU,IAAI;CACpB,MAAM,WAAW,MAAMC,0CAA8C;EACnE,KAAK;EACL,eAAe,OAAO;EACtB,cAAc,OAAO;EACrB,eAAe,OAAO;EACtB,YAAY,OAAO;EACnB,YAAY,OAAO;EAEnB,oBAAoB,OAAO;;AAG7B,KAAI,CAAC,SAAS,UACZ,OAAM,IAAI,MAAM,SAAS,SAAS;AAEpC,KAAI,CAAC,SAAS,WACZ,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,SAAS,aACZ,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,SAAS,mBACZ,OAAM,IAAI,MAAM;AAGlB,QAAO"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassDecryptVrfKeypair.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"shamir3PassDecryptVrfKeypair.js","names":["message: VRFWorkerMessage<WasmShamir3PassClientDecryptVrfKeypairRequest>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassDecryptVrfKeypair.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type {\n VRFWorkerMessage,\n VRFWorkerResponse,\n WasmShamir3PassClientDecryptVrfKeypairRequest\n} from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Shamir 3-pass (client): decrypt/unlock a VRF keypair using a server-protected envelope.\n *\n * On success, the VRF keypair becomes active in the VRF worker and is bound (in TS state) to `nearAccountId`.\n */\nexport async function shamir3PassDecryptVrfKeypair(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n nearAccountId: AccountId;\n kek_s_b64u: string;\n ciphertextVrfB64u: string;\n serverKeyId: string;\n }\n): Promise<VRFWorkerResponse> {\n await ctx.ensureWorkerReady(true);\n const message: VRFWorkerMessage<WasmShamir3PassClientDecryptVrfKeypairRequest> = {\n type: 'SHAMIR3PASS_CLIENT_DECRYPT_VRF_KEYPAIR',\n id: ctx.generateMessageId(),\n payload: {\n nearAccountId: args.nearAccountId,\n kek_s_b64u: args.kek_s_b64u,\n ciphertextVrfB64u: args.ciphertextVrfB64u,\n // Required key for server selection\n keyId: args.serverKeyId,\n },\n };\n const response = await ctx.sendMessage(message);\n if (response.success) {\n ctx.setCurrentVrfAccountId(args.nearAccountId);\n }\n return response;\n}\n"],"mappings":";;;;;;AAaA,eAAsB,6BACpB,KACA,MAM4B;AAC5B,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAA2E;EAC/E,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,eAAe,KAAK;GACpB,YAAY,KAAK;GACjB,mBAAmB,KAAK;GAExB,OAAO,KAAK;;;CAGhB,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,KAAI,SAAS,QACX,KAAI,uBAAuB,KAAK;AAElC,QAAO"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassEncryptCurrentVrfKeypair.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"shamir3PassEncryptCurrentVrfKeypair.js","names":["message: VRFWorkerMessage<WasmVrfWorkerRequestType>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/shamir3PassEncryptCurrentVrfKeypair.ts"],"sourcesContent":["import type { VRFWorkerMessage, WasmVrfWorkerRequestType } from '../../../types/vrf-worker';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Shamir 3-pass (client): encrypt the currently-unlocked VRF keypair for server lock flows.\n *\n * Returns ciphertext + client key share (`kek_s_b64u`) + server key id for subsequent unlock.\n */\nexport async function shamir3PassEncryptCurrentVrfKeypair(\n ctx: VrfWorkerManagerHandlerContext,\n): Promise<{\n ciphertextVrfB64u: string;\n kek_s_b64u: string;\n serverKeyId: string;\n}> {\n await ctx.ensureWorkerReady(true);\n const message: VRFWorkerMessage<WasmVrfWorkerRequestType> = {\n type: 'SHAMIR3PASS_CLIENT_ENCRYPT_CURRENT_VRF_KEYPAIR',\n id: ctx.generateMessageId(),\n payload: {} as WasmVrfWorkerRequestType,\n };\n const response = await ctx.sendMessage(message);\n if (!response.success || !response.data) {\n throw new Error(`VRF encrypt-current failed: ${response.error}`);\n }\n const { ciphertextVrfB64u, kek_s_b64u, serverKeyId } = response.data as {\n ciphertextVrfB64u: string;\n kek_s_b64u: string;\n serverKeyId: string;\n };\n if (!ciphertextVrfB64u || !kek_s_b64u) {\n throw new Error('Invalid encrypt-current response');\n }\n if (!serverKeyId) {\n throw new Error('Server did not return keyId from apply-server-lock');\n }\n return { ciphertextVrfB64u, kek_s_b64u, serverKeyId };\n}\n"],"mappings":";;;;;;AAQA,eAAsB,oCACpB,KAKC;AACD,OAAM,IAAI,kBAAkB;CAC5B,MAAMA,UAAsD;EAC1D,MAAM;EACN,IAAI,IAAI;EACR,SAAS;;CAEX,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,KAAI,CAAC,SAAS,WAAW,CAAC,SAAS,KACjC,OAAM,IAAI,MAAM,+BAA+B,SAAS;CAE1D,MAAM,EAAE,mBAAmB,YAAY,gBAAgB,SAAS;AAKhE,KAAI,CAAC,qBAAqB,CAAC,WACzB,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,YACH,OAAM,IAAI,MAAM;AAElB,QAAO;EAAE;EAAmB;EAAY"}

package/dist/esm/react/src/core/WebAuthnManager/VrfWorkerManager/handlers/unlockVrfKeypair.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"unlockVrfKeypair.js","names":["message: VRFWorkerMessage<WasmUnlockVrfKeypairRequest>"],"sources":["../../../../../../../../src/core/WebAuthnManager/VrfWorkerManager/handlers/unlockVrfKeypair.ts"],"sourcesContent":["import type { AccountId } from '../../../types/accountIds';\nimport type {\n EncryptedVRFKeypair,\n VRFWorkerMessage,\n VRFWorkerResponse,\n WasmUnlockVrfKeypairRequest,\n} from '../../../types/vrf-worker';\nimport type { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport type { VrfWorkerManagerHandlerContext } from './types';\n\n/**\n * Unlock/load the VRF keypair into VRF worker memory using a WebAuthn authentication credential.\n *\n * This is the \"login\" / \"unlock\" path: the VRF worker decrypts the stored encrypted VRF keypair\n * using PRF output, and keeps it active in-memory for subsequent operations (challenge gen, sessions, etc.).\n */\nexport async function unlockVrfKeypair(\n ctx: VrfWorkerManagerHandlerContext,\n args: {\n credential: WebAuthnAuthenticationCredential | WebAuthnRegistrationCredential;\n nearAccountId: AccountId;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n onEvent?: (event: { type: string; data: { step: string; message: string } }) => void;\n }\n): Promise<VRFWorkerResponse> {\n await ctx.ensureWorkerReady(true);\n\n args.onEvent?.({\n type: 'loginProgress',\n data: {\n step: 'verifying-server',\n message: 'TouchId success! Unlocking VRF keypair...'\n }\n });\n\n const message: VRFWorkerMessage<WasmUnlockVrfKeypairRequest> = {\n type: 'UNLOCK_VRF_KEYPAIR',\n id: ctx.generateMessageId(),\n payload: {\n nearAccountId: args.nearAccountId,\n encryptedVrfKeypair: args.encryptedVrfKeypair,\n credential: args.credential,\n }\n };\n\n const response = await ctx.sendMessage(message);\n if (response.success) {\n // Track the current VRF session account at TypeScript level\n ctx.setCurrentVrfAccountId(args.nearAccountId);\n console.debug(`VRF Manager: VRF keypair unlocked for ${args.nearAccountId}`);\n } else {\n console.error('VRF Manager: Failed to unlock VRF keypair:', response.error);\n console.error('VRF Manager: Full response:', JSON.stringify(response, null, 2));\n console.error('VRF Manager: Message that was sent:', JSON.stringify(message, null, 2));\n }\n\n return response;\n}\n"],"mappings":";;;;;;;AAgBA,eAAsB,iBACpB,KACA,MAM4B;AAC5B,OAAM,IAAI,kBAAkB;AAE5B,MAAK,UAAU;EACb,MAAM;EACN,MAAM;GACJ,MAAM;GACN,SAAS;;;CAIb,MAAMA,UAAyD;EAC7D,MAAM;EACN,IAAI,IAAI;EACR,SAAS;GACP,eAAe,KAAK;GACpB,qBAAqB,KAAK;GAC1B,YAAY,KAAK;;;CAIrB,MAAM,WAAW,MAAM,IAAI,YAAY;AACvC,KAAI,SAAS,SAAS;AAEpB,MAAI,uBAAuB,KAAK;AAChC,UAAQ,MAAM,yCAAyC,KAAK;QACvD;AACL,UAAQ,MAAM,8CAA8C,SAAS;AACrE,UAAQ,MAAM,+BAA+B,KAAK,UAAU,UAAU,MAAM;AAC5E,UAAQ,MAAM,uCAAuC,KAAK,UAAU,SAAS,MAAM;;AAGrF,QAAO"}