npm - @tatchi-xyz/sdk - Versions diffs - 0.21.0 → 0.31.1 - Mend

@tatchi-xyz/sdk 0.21.0 → 0.31.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2501) hide show

package/dist/esm/sdk/collectAuthenticationCredentialForVrfChallenge-C9p90e5Z.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"collectAuthenticationCredentialForVrfChallenge-C9p90e5Z.js","names":["result: Record<string, unknown>","transports: string[]","normalized: Record<string, unknown>","response: Record<string, unknown>","response: unknown","out: AuthenticationExtensionsClientOutputs","outCp: CredentialPropertiesOutput","be: unknown","e: unknown","publicKey: PublicKeyCredentialCreationOptions","publicKey: PublicKeyCredentialRequestOptions","parsedArgs: Record<string, any>","accessKey: { nonce: bigint; permission: 'FullAccess' | FunctionCallPermissionView; }","normalizedPermission: 'FullAccess' | FunctionCallPermissionView","_exhaustive: never","out: Record<string, unknown>","authenticatorsForPrompt: ClientAuthenticatorData[]"],"sources":["../../../src/core/types/accountIds.ts","../../../src/utils/base64.ts","../../../src/utils/errors.ts","../../../src/utils/digests.ts","../../../src/core/types/vrf-worker.ts","../../../src/core/WebAuthnManager/credentialsHelpers.ts","../../../src/core/WebAuthnManager/WebAuthnFallbacks/safari-fallbacks.ts","../../../src/core/WebAuthnManager/touchIdPrompt.ts","../../../src/core/types/actions.ts","../../../src/core/digests/intentDigest.ts","../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/types.ts","../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/common.ts","../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/requestHelpers.ts","../../../src/core/WebAuthnManager/collectAuthenticationCredentialForVrfChallenge.ts"],"sourcesContent":["\n/**\n * Type-safe account ID system for NEAR account operations\n *\n * USAGE:\n * - AccountId: Use for all operations - on-chain, PRF salt derivation, VRF operations, storage, WebAuthn\n *\n * EXAMPLES:\n * - \"serp126.w3a-v1.testnet\"\n * - \"alice.near\"\n * - \"simple.testnet\"\n */\n\nimport { validateNearAccountId } from '../../utils/validation';\n\n// Branded string type for compile-time type safety\nexport type AccountId = string & { readonly __brand: 'AccountId' };\n\n/**\n * Convert and validate string to AccountId\n * Validates proper NEAR account format (must contain at least one dot)\n */\nexport function toAccountId(accountId: string): AccountId {\n const validation = validateNearAccountId(accountId);\n if (!validation.valid) {\n throw new Error(`Invalid NEAR account ID: ${accountId}`);\n }\n return accountId as AccountId;\n}\n\n/**\n * Account ID utilities\n */\nexport const AccountId = {\n validate: validateNearAccountId,\n to: toAccountId,\n} as const;\n","/**\n * Encodes binary data to standard base64 format for NEAR RPC compatibility.\n * Uses standard base64 characters (+, /, =) rather than base64url encoding.\n *\n * Important: Avoids spreading large arrays into String.fromCharCode(...) which\n * can overflow the JS call stack when encoding big WASM binaries.\n *\n * @param value - ArrayBufferLike or ArrayBufferView containing the binary data to encode\n * @returns Standard base64-encoded string with padding\n */\nexport const base64Encode = (value: ArrayBufferLike | ArrayBufferView): string => {\n const bytes = ArrayBuffer.isView(value)\n ? new Uint8Array(value.buffer, value.byteOffset, value.byteLength)\n : new Uint8Array(value);\n let binary = '';\n // Build the string incrementally to avoid exceeding the argument limit.\n for (let i = 0; i < bytes.length; i++) {\n binary += String.fromCharCode(bytes[i]);\n }\n return btoa(binary);\n}\n\n/**\n * Decodes a standard base64-encoded string into a Uint8Array.\n * Handles standard base64 format with +, /, and = characters.\n *\n * @param base64 - The base64-encoded string to decode\n * @returns Uint8Array containing the decoded bytes\n * @throws Error if decoding fails due to invalid base64 input\n */\nexport function base64Decode(base64: string): Uint8Array {\n const binaryString = atob(base64);\n const bytes = new Uint8Array(binaryString.length);\n for (let i = 0; i < binaryString.length; i++) {\n bytes[i] = binaryString.charCodeAt(i);\n }\n return bytes;\n}\n\n/**\n * Encodes an ArrayBuffer into a base64url string.\n * Converts binary data to base64 then replaces standard base64 characters with URL-safe ones:\n * + -> -\n * / -> _\n * Removes padding = characters\n *\n * Used for WebAuthn API compatibility in browser environments.\n * Equivalent to Buffer.from(value).toString('base64url') in Node.js.\n *\n * @param value - The ArrayBufferLike or ArrayBufferView to encode\n * @returns A base64url-encoded string without padding\n */\nexport const base64UrlEncode = (value: ArrayBufferLike | ArrayBufferView): string => {\n return base64Encode(value)\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=/g, \"\");\n}\n\n/**\n * Decodes a base64url-encoded string into a Uint8Array.\n * Handles base64url format by replacing URL-safe characters and adding padding.\n *\n * @param base64Url - The base64url-encoded string to decode\n * @returns Uint8Array containing the decoded bytes\n * @throws Error if decoding fails due to invalid base64url input\n */\nexport function base64UrlDecode(base64Url: string): Uint8Array {\n const padding = '='.repeat((4 - (base64Url.length % 4)) % 4);\n const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/') + padding;\n const binaryString = atob(base64);\n const bytes = new Uint8Array(binaryString.length);\n for (let i = 0; i < binaryString.length; i++) {\n bytes[i] = binaryString.charCodeAt(i);\n }\n return bytes;\n}\n\n/**\n * Converts an ArrayBuffer or ArrayBufferLike object to a plain number array for WASM compatibility.\n * WASM bindings require plain number arrays rather than TypedArrays for memory safety and direct access.\n * The resulting array contains values from 0-255 representing raw bytes.\n *\n * @param buffer - The source buffer to convert, either ArrayBuffer or ArrayBufferLike\n * @returns A plain number[] array containing the buffer's bytes\n */\nexport const toWasmByteArray = (buffer: ArrayBuffer | ArrayBufferLike): number[] => {\n return Array.from(new Uint8Array(buffer));\n}\n","/**\n * Centralized error handling utilities for the Passkey SDK\n */\n\n/**\n * Best-effort error message extractor without relying on `any`.\n * Always returns a string (may be empty when nothing usable can be derived).\n */\nexport function errorMessage(err: unknown): string {\n try {\n if (typeof err === 'string') return err;\n if (err && typeof (err as { message?: unknown }).message === 'string') {\n return (err as { message: string }).message;\n }\n return String(err ?? '');\n } catch {\n return '';\n }\n}\n\n/**\n * Normalize any thrown value into an Error instance.\n * - preserves message/name/stack when available\n * - best-effort copies optional code/details properties if present\n */\nexport function toError(e: unknown): Error {\n if (e instanceof Error) return e;\n const err = new Error(errorMessage(e));\n try {\n const src = e as { name?: unknown; stack?: unknown; code?: unknown; details?: unknown };\n if (typeof src?.name === 'string') err.name = src.name;\n if (typeof src?.stack === 'string') (err as { stack?: string }).stack = src.stack;\n if (src && typeof src.code !== 'undefined') (err as { code?: unknown }).code = src.code;\n if (src && typeof src.details !== 'undefined') (err as { details?: unknown }).details = src.details;\n } catch {}\n return err;\n}\n\n/**\n * Check if an error is related to user cancellation of TouchID/FaceID prompt\n * @param error - The error object or error message string\n * @returns true if the error indicates user cancellation\n */\nexport function isTouchIdCancellationError(error: unknown): boolean {\n const msg = errorMessage(error);\n\n // Normalize for case-insensitive substring checks on user-facing phrases\n const lower = msg.toLowerCase();\n\n return msg.includes('The operation either timed out or was not allowed') ||\n msg.includes('NotAllowedError') ||\n msg.includes('AbortError') ||\n lower.includes('user cancelled') ||\n lower.includes('user canceled') ||\n lower.includes('user aborted');\n}\n\n/**\n * Get a user-friendly error message for TouchID/FaceID cancellation\n * @param context - The context where the cancellation occurred (e.g., 'registration', 'login')\n * @returns A user-friendly error message\n */\nexport function getTouchIdCancellationMessage(context: 'registration' | 'login'): string {\n switch (context) {\n case 'registration':\n return `Registration was cancelled. Please try again when you're ready to set up your passkey.`;\n case 'login':\n return `Login was cancelled. Please try again when you're ready to authenticate.`;\n default:\n return `Operation was cancelled. Please try again when you're ready.`;\n }\n}\n\n/**\n * Transform an error message to be more user-friendly\n * @param error - The original error object or message\n * @param context - The context where the error occurred\n * @param nearAccountId - Optional NEAR account ID for context-specific messages\n * @returns A user-friendly error message\n */\nexport function getUserFriendlyErrorMessage(\n error: unknown,\n context: 'registration' | 'login' = 'registration',\n nearAccountId?: string\n): string {\n const msg = errorMessage(error);\n\n // Handle TouchID/FaceID cancellation\n if (isTouchIdCancellationError(error)) {\n return getTouchIdCancellationMessage(context);\n }\n\n // Missing PRF outputs\n if (msg.includes('PRF outputs missing')) {\n const op = context === 'registration' ? 'Registration' : 'Login';\n return `${op} failed because your browser did not return the required passkey PRF results. On some mobile browsers this is not available for create(); try updating your browser or use a desktop browser. We’re working on an alternate path for broader device support.`;\n }\n\n // Handle other common errors\n if (msg.includes('one of the credentials already registered')) {\n return `A passkey for '${nearAccountId || 'this account'}' already exists. Please try logging in instead.`;\n }\n\n if (msg.includes('Cannot deserialize the contract state')) {\n return `Contract state deserialization failed. This may be due to a contract upgrade. Please try again or contact support.`;\n }\n\n if (msg.includes('Web3Authn contract registration check failed')) {\n return `Contract registration check failed: ${msg.replace('Web3Authn contract registration check failed: ', '')}`;\n }\n\n if (msg.includes('Unknown error occurred')) {\n return `${context === 'registration' ? 'Registration' : 'Login'} failed due to an unknown error. Please check your connection and try again.`;\n }\n\n // Return the original error message if no specific handling is needed\n return msg;\n}\n\n/**\n * Format a NEAR JSON-RPC error into a concise, human-friendly message while\n * preserving the original error payload on `details`.\n *\n * The function is defensive and only relies on structural checks. It does not\n * require concrete NEAR types to avoid tight coupling with providers.\n */\nexport function formatNearRpcError(\n operationName: string,\n rpc: { error?: { code?: number; name?: string; message?: string; data?: unknown } }\n): { message: string; code?: number; name?: string; details?: unknown } {\n const err = rpc?.error || {};\n const details = err.data as unknown;\n\n const code = typeof err.code === 'number' ? err.code : undefined;\n const name = typeof err.name === 'string' ? err.name : undefined;\n const generic = typeof err.message === 'string'\n ? err.message\n : (details && typeof (details as { message?: unknown }).message === 'string'\n ? (details as { message: string }).message\n : 'RPC error');\n\n // Helper: get first key of object\n const firstKey = (o: unknown): string | undefined => {\n if (!o || typeof o !== 'object') return undefined;\n const keys = Object.keys(o as Record<string, unknown>);\n return keys.length ? keys[0] : undefined;\n };\n\n // Helper: shallow object check\n const isObj = (v: unknown): v is Record<string, unknown> => !!v && typeof v === 'object' && !Array.isArray(v);\n\n // Extract structured NEAR error kinds if present (generic traversal)\n const d = details as Record<string, unknown> | undefined;\n const txExec = isObj(d) ? d.TxExecutionError : undefined;\n if (isObj(txExec)) {\n let node: Record<string, unknown> | undefined = txExec;\n const path: string[] = ['TxExecutionError'];\n let depth = 0;\n while (node && depth < 5 && isObj(node)) {\n const k = firstKey(node);\n if (!k) break;\n const nextNode: unknown = (node as Record<string, unknown>)[k as string];\n path.push(k);\n node = isObj(nextNode) ? (nextNode as Record<string, unknown>) : undefined;\n depth++;\n }\n\n // Special-case action index when present for better UX\n const actionError = (isObj(txExec) && isObj(txExec.ActionError)) ? txExec.ActionError as Record<string, unknown> : undefined;\n const idx = (isObj(actionError) && typeof actionError.index === 'number') ? ` at action ${actionError.index}` : '';\n\n const payload = isObj(node) ? node : undefined;\n const suffix = payload && Object.keys(payload).length ? `: ${JSON.stringify(payload)}` : '';\n const prefix = [name, typeof code === 'number' ? `code ${code}` : undefined].filter(Boolean).join(' ');\n const kindPath = path.join('.');\n const message = [prefix, `${operationName} failed${idx} (${kindPath}${suffix})`].filter(Boolean).join(' - ');\n return { message, code, name, details };\n }\n\n // Fallback generic message including data when available\n const prefix = [name, typeof code === 'number' ? `code ${code}` : undefined].filter(Boolean).join(' ');\n const dataStr = isObj(details) ? ` Details: ${JSON.stringify(details)}` : '';\n const message = [prefix, `${operationName} RPC error: ${generic}${dataStr}`].filter(Boolean).join(' - ');\n return { message, code, name, details };\n}\n\n/**\n * Extract a short NEAR error label for UI display, e.g.:\n * \"InvalidTxError: UnsuitableStakingKey\"\n * Falls back to undefined when structure is not recognized.\n */\nexport function getNearShortErrorMessage(error: unknown): string | undefined {\n try {\n const err = error as { details?: unknown; message?: string };\n const details = err?.details as Record<string, unknown> | undefined;\n const isObj = (v: unknown): v is Record<string, unknown> => !!v && typeof v === 'object' && !Array.isArray(v);\n if (!isObj(details)) return undefined;\n\n // Path 1: details.TxExecutionError (RPC top-level error)\n const txExec = details.TxExecutionError as unknown;\n if (isObj(txExec)) {\n if (isObj(txExec.InvalidTxError)) {\n const inv = txExec.InvalidTxError as Record<string, unknown>;\n if (isObj(inv.ActionsValidation)) {\n const kind = Object.keys(inv.ActionsValidation)[0];\n if (kind) return `InvalidTxError: ${kind}`;\n }\n const first = Object.keys(inv)[0];\n if (first) return `InvalidTxError: ${first}`;\n return 'InvalidTxError';\n }\n if (isObj(txExec.ActionError)) {\n const ae = txExec.ActionError as Record<string, unknown>;\n const kindObj = isObj(ae.kind) ? (ae.kind as Record<string, unknown>) : undefined;\n const kind = kindObj ? Object.keys(kindObj)[0] : undefined;\n if (kind) return `ActionError: ${kind}`;\n return 'ActionError';\n }\n }\n\n // Path 2: details.Failure (sendTransaction resolved with Failure)\n const failure = details.Failure as unknown;\n if (isObj(failure)) {\n if (isObj(failure.InvalidTxError)) {\n const inv = failure.InvalidTxError as Record<string, unknown>;\n if (isObj(inv.ActionsValidation)) {\n const kind = Object.keys(inv.ActionsValidation)[0];\n if (kind) return `InvalidTxError: ${kind}`;\n }\n const first = Object.keys(inv)[0];\n if (first) return `InvalidTxError: ${first}`;\n return 'InvalidTxError';\n }\n if (isObj(failure.ActionError)) {\n const ae = failure.ActionError as Record<string, unknown>;\n const kindObj = isObj(ae.kind) ? (ae.kind as Record<string, unknown>) : undefined;\n const kind = kindObj ? Object.keys(kindObj)[0] : undefined;\n if (kind) return `ActionError: ${kind}`;\n return 'ActionError';\n }\n }\n\n return undefined;\n } catch {\n return undefined;\n }\n}\n","// Shared digest primitives used across browser + server code.\n//\n// These helpers deliberately stay small and dependency-free so they can be used from:\n// - UI/VRF binding (WebAuthnManager)\n// - Relayer/server-side verification (threshold validation)\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return value !== null && typeof value === 'object' && !Array.isArray(value);\n}\n\n// Deterministic stringify by alphabetizing object keys recursively.\n// Arrays preserve order; only keys within objects are sorted.\nexport function alphabetizeStringify(input: unknown): string {\n const normalizeValue = (value: unknown): unknown => {\n if (Array.isArray(value)) {\n return value.map(normalizeValue);\n }\n if (isRecord(value)) {\n const sortedKeys = Object.keys(value).sort();\n const result: Record<string, unknown> = {};\n for (const key of sortedKeys) {\n result[key] = normalizeValue(value[key]);\n }\n return result;\n }\n return value;\n };\n\n return JSON.stringify(normalizeValue(input));\n}\n\nexport async function sha256BytesUtf8(input: string): Promise<Uint8Array> {\n const data = new TextEncoder().encode(input);\n const digest = await crypto.subtle.digest('SHA-256', data);\n return new Uint8Array(digest);\n}\n\n","/**\n * VRF Types for Web Worker Communication\n */\nimport * as wasmModule from '../../wasm_vrf_worker/pkg/wasm_vrf_worker.js';\nimport { StripFree } from \"./index.js\";\n\nimport { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from \"./webauthn\";\nimport { ConfirmationConfig } from './signer-worker';\nimport { AccountId } from \"./accountIds.js\";\nimport { base64UrlDecode, base64UrlEncode } from \"../../utils/encoders.js\";\nimport type { SecureConfirmRequest } from \"../WebAuthnManager/VrfWorkerManager/confirmTxFlow/types\";\n\nexport type WasmGenerateVrfKeypairBootstrapRequest = StripFree<wasmModule.GenerateVrfKeypairBootstrapRequest>;\nexport type WasmGenerateVrfChallengeRequest = StripFree<wasmModule.GenerateVrfChallengeRequest>;\nexport type WasmUnlockVrfKeypairRequest = Omit<StripFree<wasmModule.UnlockVrfKeypairRequest>, 'prfKey'> & {\n // Prefer forwarding the full serialized WebAuthn credential so PRF outputs do not need\n // to be extracted into separate main-thread strings.\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n};\nexport type WasmDeriveVrfKeypairFromPrfRequest = Omit<\n StripFree<wasmModule.DeriveVrfKeypairFromPrfRequest>,\n 'credential' | 'prfOutput'\n> & {\n // Forward the WebAuthn credential so PRF outputs do not need to be extracted in main-thread JS.\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n};\nexport type WasmMintSessionKeysAndSendToSignerRequest =\n Omit<\n StripFree<wasmModule.MintSessionKeysAndSendToSignerRequest>,\n 'contractId' | 'nearRpcUrl' | 'ttlMs' | 'remainingUses'\n > & {\n contractId?: string;\n nearRpcUrl?: string;\n // Optional signing-session config. When omitted, VRF worker uses defaults.\n ttlMs?: number;\n remainingUses?: number;\n // Forward the WebAuthn credential so PRF outputs do not need to be extracted in main-thread JS.\n credential: WebAuthnRegistrationCredential | WebAuthnAuthenticationCredential;\n };\nexport type WasmDispenseSessionKeyRequest = StripFree<wasmModule.DispenseSessionKeyRequest>;\nexport type WasmCheckSessionStatusRequest = StripFree<wasmModule.CheckSessionStatusRequest>;\nexport type WasmClearSessionRequest = StripFree<wasmModule.ClearSessionRequest>;\nexport type WasmConfirmAndPrepareSigningSessionRequest = {\n request: SecureConfirmRequest;\n};\nexport type WasmDecryptSessionRequest = StripFree<wasmModule.DecryptSessionRequest>;\nexport type WasmRegistrationCredentialConfirmationRequest = StripFree<wasmModule.RegistrationCredentialConfirmationRequest> & {\n confirmationConfig?: ConfirmationConfig;\n};\nexport type WasmDevice2RegistrationSessionRequest = StripFree<wasmModule.Device2RegistrationSessionRequest> & {\n confirmationConfig?: ConfirmationConfig;\n};\n\nexport type WasmShamir3PassConfigPRequest = StripFree<wasmModule.Shamir3PassConfigPRequest>;\nexport type WasmShamir3PassConfigServerUrlsRequest = StripFree<wasmModule.Shamir3PassConfigServerUrlsRequest>;\nexport type WasmShamir3PassClientEncryptCurrentVrfKeypairRequest = StripFree<wasmModule.Shamir3PassClientEncryptCurrentVrfKeypairRequest>;\nexport type WasmShamir3PassClientDecryptVrfKeypairRequest = StripFree<wasmModule.Shamir3PassClientDecryptVrfKeypairRequest>;\n\nexport type WasmVrfWorkerRequestType = WasmGenerateVrfKeypairBootstrapRequest\n | WasmGenerateVrfChallengeRequest\n | WasmUnlockVrfKeypairRequest\n | WasmDeriveVrfKeypairFromPrfRequest\n | WasmMintSessionKeysAndSendToSignerRequest\n | WasmDispenseSessionKeyRequest\n | WasmCheckSessionStatusRequest\n | WasmClearSessionRequest\n | WasmConfirmAndPrepareSigningSessionRequest\n | WasmDecryptSessionRequest\n | WasmRegistrationCredentialConfirmationRequest\n | WasmDevice2RegistrationSessionRequest\n | WasmShamir3PassConfigPRequest\n | WasmShamir3PassConfigServerUrlsRequest\n | WasmShamir3PassClientEncryptCurrentVrfKeypairRequest\n | WasmShamir3PassClientDecryptVrfKeypairRequest;\n\nexport interface VRFChallenge {\n vrfInput: string;\n vrfOutput: string;\n vrfProof: string;\n vrfPublicKey: string;\n userId: string;\n rpId: string;\n blockHeight: string;\n blockHash: string;\n /**\n * Optional base64url-encoded 32-byte digest that was bound into the VRF input hash.\n * When present, it must decode to exactly 32 bytes on the WASM worker / contract side.\n */\n intentDigest?: string;\n /**\n * Optional base64url-encoded 32-byte digest that was bound into the VRF input hash for\n * relayer session policy binding (v4+ only).\n */\n sessionPolicyDigest32?: string;\n}\n\n/**\n * Decode VRF output and use first 32 bytes as WebAuthn challenge\n * @param vrfChallenge - VRF challenge object\n * @returns 32-byte Uint8Array\n */\nexport function outputAs32Bytes(vrfChallenge: VRFChallenge): Uint8Array {\n let vrfOutputBytes = base64UrlDecode(vrfChallenge.vrfOutput);\n return vrfOutputBytes.slice(0, 32);\n}\n\n/**\n * Validate and create a VRFChallenge object\n * @param vrfChallengeData - The challenge data to validate\n * @returns VRFChallenge object\n */\nexport function validateVRFChallenge(vrfChallengeData: {\n vrfInput: string;\n vrfOutput: string;\n vrfProof: string;\n vrfPublicKey: string;\n userId: string;\n rpId: string;\n blockHeight: string;\n blockHash: string;\n intentDigest?: string;\n sessionPolicyDigest32?: string;\n}): VRFChallenge {\n if (!vrfChallengeData.vrfInput || typeof vrfChallengeData.vrfInput !== 'string') {\n throw new Error('vrfInput must be a non-empty string');\n }\n if (!vrfChallengeData.vrfOutput || typeof vrfChallengeData.vrfOutput !== 'string') {\n throw new Error('vrfOutput must be a non-empty string');\n }\n if (!vrfChallengeData.vrfProof || typeof vrfChallengeData.vrfProof !== 'string') {\n throw new Error('vrfProof must be a non-empty string');\n }\n if (!vrfChallengeData.vrfPublicKey || typeof vrfChallengeData.vrfPublicKey !== 'string') {\n throw new Error('vrfPublicKey must be a non-empty string');\n }\n if (!vrfChallengeData.userId || typeof vrfChallengeData.userId !== 'string') {\n throw new Error('userId must be a non-empty string');\n }\n if (!vrfChallengeData.rpId || typeof vrfChallengeData.rpId !== 'string') {\n throw new Error('rpId must be a non-empty string');\n }\n if (!vrfChallengeData.blockHeight || typeof vrfChallengeData.blockHeight !== 'string') {\n throw new Error('blockHeight must be a non-empty string');\n }\n if (!vrfChallengeData.blockHash || typeof vrfChallengeData.blockHash !== 'string') {\n throw new Error('blockHash must be a non-empty string');\n }\n\n return {\n vrfInput: vrfChallengeData.vrfInput,\n vrfOutput: vrfChallengeData.vrfOutput,\n vrfProof: vrfChallengeData.vrfProof,\n vrfPublicKey: vrfChallengeData.vrfPublicKey,\n userId: vrfChallengeData.userId,\n rpId: vrfChallengeData.rpId,\n blockHeight: vrfChallengeData.blockHeight,\n blockHash: vrfChallengeData.blockHash,\n ...(vrfChallengeData.intentDigest ? { intentDigest: vrfChallengeData.intentDigest } : {}),\n ...(vrfChallengeData.sessionPolicyDigest32 ? { sessionPolicyDigest32: vrfChallengeData.sessionPolicyDigest32 } : {}),\n };\n}\n\n/**\n * Create a random VRF challenge\n * @returns Partial<VRFChallenge> with vrfOutput set, but other fields are undefined\n * This is used for local operations that don't require a VRF verification\n */\nexport function createRandomVRFChallenge(): Partial<VRFChallenge> {\n const challenge = crypto.getRandomValues(new Uint8Array(32));\n const vrfOutput = base64UrlEncode(challenge.buffer);\n return {\n vrfOutput: vrfOutput,\n vrfInput: undefined,\n vrfProof: undefined,\n vrfPublicKey: undefined,\n userId: undefined,\n rpId: undefined,\n blockHeight: undefined,\n blockHash: undefined,\n };\n}\n\nexport interface VrfWorkerManagerConfig {\n vrfWorkerUrl?: string;\n workerTimeout?: number;\n debug?: boolean;\n // Optional Shamir 3-pass configuration passed to the VRF WASM worker at init\n shamirPB64u?: string; // base64url prime p\n relayServerUrl?: string;\n applyServerLockRoute?: string;\n removeServerLockRoute?: string;\n}\n\n// Define interfaces that are missing\nexport interface VRFWorkerStatus {\n active: boolean;\n nearAccountId: AccountId | null;\n sessionDuration?: number;\n /**\n * Base64url VRF public key currently loaded in the VRF worker (when active).\n * Used to detect device/passkey mismatches for multi-device accounts.\n */\n vrfPublicKey?: string | null;\n}\n\nexport interface EncryptedVRFKeypair {\n encryptedVrfDataB64u: string;\n chacha20NonceB64u: string;\n}\n\nexport interface VRFInputData {\n userId: string;\n rpId: string;\n blockHeight: string;\n blockHash: string;\n /**\n * Optional base64url-encoded 32-byte digest to bind into the VRF input hash.\n * This is intended for transaction/delegate signing flows (e.g. the UI intent digest).\n */\n intentDigest?: string;\n /**\n * Optional base64url-encoded 32-byte digest to bind a relayer session policy into the VRF input hash (v4+ only).\n */\n sessionPolicyDigest32?: string;\n}\n\nexport interface VRFWorkerMessage<T extends WasmVrfWorkerRequestType> {\n // type: wasmModule.WorkerRequestType\n type: 'PING'\n | 'GENERATE_VRF_CHALLENGE'\n | 'GENERATE_VRF_KEYPAIR_BOOTSTRAP'\n | 'UNLOCK_VRF_KEYPAIR'\n | 'CHECK_VRF_STATUS'\n | 'CLEAR_VRF'\n | 'DERIVE_VRF_KEYPAIR_FROM_PRF'\n | 'MINT_SESSION_KEYS_AND_SEND_TO_SIGNER'\n | 'DISPENSE_SESSION_KEY'\n | 'CHECK_SESSION_STATUS'\n | 'CLEAR_SESSION'\n | 'CONFIRM_AND_PREPARE_SIGNING_SESSION'\n | 'DECRYPT_SESSION'\n | 'REGISTRATION_CREDENTIAL_CONFIRMATION'\n | 'DEVICE2_REGISTRATION_SESSION'\n | 'SHAMIR3PASS_CLIENT_ENCRYPT_CURRENT_VRF_KEYPAIR' // client only\n | 'SHAMIR3PASS_CLIENT_DECRYPT_VRF_KEYPAIR' // client only\n | 'SHAMIR3PASS_APPLY_SERVER_LOCK_KEK' // server only\n | 'SHAMIR3PASS_REMOVE_SERVER_LOCK_KEK' // server only\n | 'SHAMIR3PASS_CONFIG_P'\n | 'SHAMIR3PASS_CONFIG_SERVER_URLS'\n id?: string;\n payload?: T;\n}\n\nexport interface VRFWorkerResponse<TData = Record<string, unknown>> {\n id?: string;\n success: boolean;\n data?: TData;\n error?: string;\n}\n\nexport interface VRFKeypairBootstrapResponse {\n vrfPublicKey: string;\n vrfChallengeData?: VRFChallenge;\n}\n\nexport interface EncryptedVRFKeypairResponse {\n vrfPublicKey: string;\n encryptedVrfKeypair: EncryptedVRFKeypair;\n}\n\n/**\n * Server-encrypted VRF keypair for commutative encryption scheme\n * This allows server-assisted VRF key recovery without the server seeing the plaintext\n */\nexport interface ServerEncryptedVrfKeypair {\n /** Base64url-encoded VRF ciphertext (AEAD over VRF keypair bytes) */\n ciphertextVrfB64u: string;\n /** Base64url-encoded KEK with server lock applied (KEK_s) */\n kek_s_b64u: string;\n /** Server key identifier for proactive refresh/versioning */\n serverKeyId: string;\n}\n\n/**\n * Plaintext VRF keypair data structure\n * Used for loading decrypted VRF keypairs directly into memory\n */\nexport interface VRFKeypairData {\n /** Bincode-serialized ECVRFKeyPair bytes (includes both private and public key) */\n keypairBytes: number[];\n /** Base64url-encoded public key for convenience and verification */\n publicKeyBase64: string;\n}\n\n// Shamir 3-pass registration wrap result\nexport interface Shamir3PassRegisterWrapResult {\n ciphertextVrfB64u: string;\n enc_s_k_b64u: string;\n vrfPublicKey: string;\n}\n","import { base64UrlEncode } from \"../../utils\";\nimport { isObject, isString, isArray } from '@/utils/validation';\nimport {\n type WebAuthnAuthenticationCredential,\n type WebAuthnRegistrationCredential,\n type AuthenticationExtensionsClientOutputs,\n type CredentialPropertiesOutput,\n} from '../types/webauthn';\n\ntype SerializableCredential = WebAuthnAuthenticationCredential | WebAuthnRegistrationCredential;\n\n/**\n * Serialize PublicKeyCredential for both authentication and registration for WASM worker\n * - Uses base64url encoding for WASM compatibility\n *\n * @returns SerializableCredential - The serialized credential\n * - Does not return PRF outputs\n */\nexport function serializeRegistrationCredential(\n credential: PublicKeyCredential,\n): WebAuthnRegistrationCredential {\n const response = credential.response as AuthenticatorAttestationResponse;\n // Safari and some platforms may not implement getTransports(); guard it.\n let transports: string[] = [];\n try {\n const fn = (response as { getTransports?: () => string[] })?.getTransports;\n if (typeof fn === 'function') {\n transports = fn.call(response) || [];\n }\n } catch {\n transports = [];\n }\n\n return {\n id: credential.id,\n rawId: base64UrlEncode(credential.rawId),\n type: credential.type,\n authenticatorAttachment: credential.authenticatorAttachment ?? undefined,\n response: {\n clientDataJSON: base64UrlEncode(response.clientDataJSON),\n attestationObject: base64UrlEncode(response.attestationObject),\n transports,\n },\n clientExtensionResults: {\n prf: {\n results: {\n first: undefined,\n second: undefined\n }\n }\n },\n };\n}\n\nexport function serializeAuthenticationCredential(\n credential: PublicKeyCredential,\n): WebAuthnAuthenticationCredential {\n const response = credential.response as AuthenticatorAssertionResponse;\n\n return {\n id: credential.id,\n rawId: base64UrlEncode(credential.rawId),\n type: credential.type,\n authenticatorAttachment: credential.authenticatorAttachment ?? undefined,\n response: {\n clientDataJSON: base64UrlEncode(response.clientDataJSON),\n authenticatorData: base64UrlEncode(response.authenticatorData),\n signature: base64UrlEncode(response.signature),\n userHandle: response.userHandle ? base64UrlEncode(response.userHandle as ArrayBuffer) : undefined,\n },\n clientExtensionResults: {\n prf: {\n results: {\n first: undefined,\n second: undefined\n }\n }\n },\n };\n}\n\n/**\n * Serialize PublicKeyCredential for both authentication and registration for WASM worker\n * @returns SerializableCredential - The serialized credential\n * - INCLUDES PRF outputs\n */\nexport function serializeRegistrationCredentialWithPRF({\n credential,\n firstPrfOutput = true,\n secondPrfOutput = true,\n}: {\n credential: PublicKeyCredential,\n firstPrfOutput?: boolean,\n secondPrfOutput?: boolean,\n}): WebAuthnRegistrationCredential {\n const base = serializeRegistrationCredential(credential);\n const { chacha20PrfOutput, ed25519PrfOutput } = extractPrfFromCredential({\n credential,\n firstPrfOutput,\n secondPrfOutput,\n });\n return {\n ...base,\n clientExtensionResults: {\n prf: {\n results: {\n first: chacha20PrfOutput,\n second: ed25519PrfOutput,\n },\n },\n },\n };\n}\n\nexport function serializeAuthenticationCredentialWithPRF({\n credential,\n firstPrfOutput = true,\n secondPrfOutput = false,\n}: {\n credential: PublicKeyCredential,\n firstPrfOutput?: boolean,\n secondPrfOutput?: boolean,\n}): WebAuthnAuthenticationCredential {\n const base = serializeAuthenticationCredential(credential);\n const { chacha20PrfOutput, ed25519PrfOutput } = extractPrfFromCredential({\n credential,\n firstPrfOutput,\n secondPrfOutput,\n });\n return {\n ...base,\n clientExtensionResults: {\n prf: {\n results: {\n first: chacha20PrfOutput,\n second: ed25519PrfOutput,\n },\n },\n },\n };\n}\n\n/////////////////////////////////////////\n// RUNTIME VALIDATION / NORMALIZATION\n/////////////////////////////////////////\n\n// Use shared type guards (isString/isArray) from @/utils/validation\n\n/**\n * Validates and normalizes a serialized WebAuthn registration credential.\n * Ensures required fields exist and have the expected primitive types.\n * Populates missing optional arrays like transports with [].\n */\nexport function normalizeRegistrationCredential(input: unknown): WebAuthnRegistrationCredential {\n if (!isObject(input)) throw new Error('Invalid credential: not an object');\n\n const candidate = input as Record<string, unknown>;\n const normalized: Record<string, unknown> = { ...candidate };\n\n if (!isString(normalized.id)) throw new Error('Invalid credential.id');\n if (!isString(normalized.type)) throw new Error('Invalid credential.type');\n\n if (!isString(normalized.rawId)) normalized.rawId = '';\n if (normalized.authenticatorAttachment !== undefined && !isString(normalized.authenticatorAttachment)) {\n normalized.authenticatorAttachment = String(normalized.authenticatorAttachment);\n }\n\n const response: Record<string, unknown> = isObject(normalized.response)\n ? { ...(normalized.response as Record<string, unknown>) }\n : {};\n\n if (!isString(response.clientDataJSON)) response.clientDataJSON = '';\n if (!isString(response.attestationObject)) response.attestationObject = '';\n if (!isArray<string>(response.transports)) response.transports = [];\n\n normalized.response = response;\n normalized.clientExtensionResults = normalizeClientExtensionOutputs(normalized.clientExtensionResults);\n\n return normalized as unknown as WebAuthnRegistrationCredential;\n}\n\n/**\n * Validates and normalizes a serialized WebAuthn authentication credential.\n * Ensures required fields exist and have the expected primitive types.\n */\nexport function normalizeAuthenticationCredential(input: unknown): WebAuthnAuthenticationCredential {\n if (!isObject(input)) throw new Error('Invalid credential: not an object');\n\n const candidate = input as Record<string, unknown>;\n const normalized: Record<string, unknown> = { ...candidate };\n\n if (!isString(normalized.id)) throw new Error('Invalid credential.id');\n if (!isString(normalized.type)) throw new Error('Invalid credential.type');\n\n if (!isString(normalized.rawId)) normalized.rawId = '';\n if (normalized.authenticatorAttachment !== undefined && !isString(normalized.authenticatorAttachment)) {\n normalized.authenticatorAttachment = String(normalized.authenticatorAttachment);\n }\n\n const response: Record<string, unknown> = isObject(normalized.response)\n ? { ...(normalized.response as Record<string, unknown>) }\n : {};\n\n if (!isString(response.clientDataJSON)) response.clientDataJSON = '';\n if (!isString(response.authenticatorData)) response.authenticatorData = '';\n if (!isString(response.signature)) response.signature = '';\n if (response.userHandle !== undefined && !isString(response.userHandle)) response.userHandle = undefined;\n\n normalized.response = response;\n normalized.clientExtensionResults = normalizeClientExtensionOutputs(normalized.clientExtensionResults);\n\n return normalized as unknown as WebAuthnAuthenticationCredential;\n}\n\n/**\n * Redacts client extension outputs from the credential before sending it over the network.\n *\n * Motivation:\n * - WebAuthn `clientExtensionResults` may contain sensitive material (e.g. PRF outputs).\n * - Even when not sensitive, extension outputs can add fingerprinting surface and bloat payloads.\n *\n * @param credential - The WebAuthn credential potentially containing extension outputs\n * @returns Credential with `clientExtensionResults` removed/redacted\n */\nexport function removePrfOutputGuard<C extends SerializableCredential>(credential: C): C {\n // Never leak PRF (or any other extension outputs) outside the wallet runtime.\n // Use `null` so the field is explicitly redacted in JSON payloads.\n const response: unknown = (credential as { response?: unknown }).response;\n const responseWithoutExtensions = isObject(response)\n ? (() => {\n const cloned = { ...(response as Record<string, unknown>) };\n if ('clientExtensionResults' in cloned) cloned.clientExtensionResults = null;\n return cloned;\n })()\n : response;\n\n return {\n ...credential,\n response: responseWithoutExtensions,\n clientExtensionResults: null ,\n } as C;\n}\n\n/////////////////////////////////////////\n// TYPE GUARDS\n/////////////////////////////////////////\n\n/**\n * Returns true when the input looks like a serialized registration credential\n * (i.e., plain object with base64url string fields), not a live PublicKeyCredential.\n */\nexport function isSerializedRegistrationCredential(x: unknown): x is WebAuthnRegistrationCredential {\n if (!isObject(x)) return false;\n const candidate = x as {\n id?: unknown;\n rawId?: unknown;\n type?: unknown;\n response?: unknown;\n };\n\n if (!isString(candidate.id) || !isString(candidate.rawId) || !isString(candidate.type)) {\n return false;\n }\n\n if (!isObject(candidate.response)) return false;\n const response = candidate.response as {\n clientDataJSON?: unknown;\n attestationObject?: unknown;\n transports?: unknown;\n };\n\n if (!isString(response.clientDataJSON) || !isString(response.attestationObject)) {\n return false;\n }\n\n return response.transports == null || isArray(response.transports);\n}\n\n/**\n * Generate ChaCha20Poly1305 salt using account-specific HKDF for encryption key derivation\n * @param nearAccountId - NEAR account ID to scope the salt to\n * @returns 32-byte Uint8Array salt for ChaCha20Poly1305 key derivation\n */\nexport function generateChaCha20Salt(nearAccountId: string): Uint8Array {\n const saltString = `chacha20-salt:${nearAccountId}`;\n const salt = new Uint8Array(32);\n const saltBytes = new TextEncoder().encode(saltString);\n salt.set(saltBytes.slice(0, 32));\n return salt;\n}\n\n/**\n * Generate Ed25519 salt using account-specific HKDF for signing key derivation\n * @param nearAccountId - NEAR account ID to scope the salt to\n * @returns 32-byte Uint8Array salt for Ed25519 key derivation\n */\nexport function generateEd25519Salt(nearAccountId: string): Uint8Array {\n const saltString = `ed25519-salt:${nearAccountId}`;\n const salt = new Uint8Array(32);\n const saltBytes = new TextEncoder().encode(saltString);\n salt.set(saltBytes.slice(0, 32));\n return salt;\n}\n\n/** Credential that may have extension results (live or serialized) */\ntype CredentialWithExtensions =\n | PublicKeyCredential\n | {\n clientExtensionResults?: unknown;\n getClientExtensionResults?: () => unknown;\n };\n\n/** Extension results structure - flexible to handle both live and serialized forms */\ntype ExtensionResults = {\n prf?: {\n enabled?: boolean;\n results?: {\n first?: unknown;\n second?: unknown;\n };\n };\n [key: string]: unknown;\n};\n\n/** PRF output values after extraction */\ntype PrfOutputs = {\n first?: unknown;\n second?: unknown;\n};\n\n/**\n * Dual PRF outputs for separate encryption and signing key derivation\n */\ninterface DualPrfOutputs {\n /** Base64-encoded PRF output from prf.results.first for ChaCha20Poly1305 encryption */\n chacha20PrfOutput: string;\n /** Base64-encoded PRF output from prf.results.second for Ed25519 signing */\n ed25519PrfOutput: string;\n}\n\n/**\n * Extract PRF outputs from WebAuthn credential extension results\n * ENCODING: Uses base64url for WASM compatibility\n * @param credential - WebAuthn credential with dual PRF extension results\n * @param firstPrfOutput - Whether to include the first PRF output (default: true)\n * @param secondPrfOutput - Whether to include the second PRF output (default: false)\n * @returns PRF outputs\n */\nfunction extractPrfFromCredential({\n credential,\n firstPrfOutput = true,\n secondPrfOutput = false,\n}: {\n credential: CredentialWithExtensions;\n firstPrfOutput?: boolean | undefined;\n secondPrfOutput?: boolean;\n}): DualPrfOutputs {\n // Step 1: Get extension results (support both live and serialized credentials)\n const extensionResults = getExtensionResults(credential);\n\n // Step 2: Extract PRF results object\n const prfResults = extractPrfResultsObject(extensionResults);\n\n // Step 3: Validate PRF results exist and are not empty\n validatePrfResults(prfResults, firstPrfOutput, secondPrfOutput);\n\n // Step 4: Normalize and encode PRF outputs\n const firstEncoded = firstPrfOutput ? normalizePrfValueToBase64Url(prfResults.first) : undefined;\n const secondEncoded = secondPrfOutput ? normalizePrfValueToBase64Url(prfResults.second) : undefined;\n\n // Step 5: Validate required outputs are present\n if (firstPrfOutput && !firstEncoded) {\n throw new Error('Missing PRF result: first');\n }\n if (secondPrfOutput && !secondEncoded) {\n throw new Error('Missing PRF result: second');\n }\n\n return {\n chacha20PrfOutput: firstEncoded || '',\n ed25519PrfOutput: secondEncoded || '',\n };\n}\n\n/** Get extension results from credential (live or serialized) */\nfunction getExtensionResults(credential: CredentialWithExtensions): ExtensionResults | undefined {\n try {\n const fn = (credential as { getClientExtensionResults?: () => unknown }).getClientExtensionResults;\n if (typeof fn === 'function') {\n return fn.call(credential) as ExtensionResults;\n }\n } catch {\n // Fall through to direct property access\n }\n return (credential as { clientExtensionResults?: unknown }).clientExtensionResults as ExtensionResults | undefined;\n}\n\n/** Extract PRF results object from extension results */\nfunction extractPrfResultsObject(extensionResults: ExtensionResults | undefined): PrfOutputs | undefined {\n try {\n return extensionResults?.prf?.results;\n } catch {\n return undefined;\n }\n}\n\n/** Validate PRF results are present and not empty */\nfunction validatePrfResults(\n prfResults: PrfOutputs | undefined,\n firstRequired: boolean,\n secondRequired: boolean\n): asserts prfResults is PrfOutputs {\n if (!prfResults) {\n throw new Error('Missing PRF results from credential, use a PRF-enabled Authenticator');\n }\n\n // Check if PRF results object exists but is completely empty\n // This indicates a hard failure (not a platform limitation that should trigger GET fallback)\n const hasAnyPrfData = prfResults.first !== undefined || prfResults.second !== undefined;\n if (!hasAnyPrfData && (firstRequired || secondRequired)) {\n throw new Error('Missing PRF result - PRF evaluation failed: results object is empty');\n }\n}\n\n/** Normalize a PRF value to base64url string */\nfunction normalizePrfValueToBase64Url(value: unknown): string | undefined {\n if (!value) return undefined;\n\n // Already base64url encoded\n if (typeof value === 'string') return value;\n\n // ArrayBuffer\n if (value instanceof ArrayBuffer) return base64UrlEncode(value);\n\n // ArrayBufferView (TypedArray, DataView)\n if (ArrayBuffer.isView(value)) {\n return base64UrlEncode(value.buffer);\n }\n\n // Try to treat as ArrayBuffer-like\n try {\n return base64UrlEncode(value as ArrayBufferLike);\n } catch {\n // Last resort: wrap in Uint8Array\n try {\n return base64UrlEncode(new Uint8Array(value as ArrayBufferLike).buffer);\n } catch {\n return undefined;\n }\n }\n}\n\n/////////////////////////////////////////\n// EXTENSION OUTPUTS NORMALIZATION\n/////////////////////////////////////////\n\n/**\n * Normalize WebAuthn client extension outputs into an SDK‑local, clone‑safe shape.\n *\n * Purpose:\n * - Browsers return extension results on PublicKeyCredential in a variety of\n * shapes and with optional presence. This helper takes an unknown value\n * (either a live `credential.getClientExtensionResults()` object or a\n * serialized snapshot) and produces a strictly typed\n * `AuthenticationExtensionsClientOutputs` compatible with our WASM workers\n * and cross‑window message passing (structured‑clone safe).\n */\nfunction normalizeClientExtensionOutputs(input: unknown): AuthenticationExtensionsClientOutputs {\n const out: AuthenticationExtensionsClientOutputs = {\n prf: { results: { first: undefined, second: undefined } },\n } as AuthenticationExtensionsClientOutputs;\n\n const src = isObject(input) ? (input as Record<string, unknown>) : {};\n // appid\n if (typeof src.appid === 'boolean') out.appid = src.appid as boolean;\n // appidExclude\n if (typeof src.appidExclude === 'boolean') out.appidExclude = src.appidExclude as boolean;\n // hmacCreateSecret\n if (typeof src.hmacCreateSecret === 'boolean') out.hmacCreateSecret = src.hmacCreateSecret as boolean;\n // credProps\n if (isObject(src.credProps)) {\n const cp = src.credProps as Record<string, unknown>;\n const outCp: CredentialPropertiesOutput = {};\n if (typeof cp.rk === 'boolean') outCp.rk = cp.rk as boolean;\n out.credProps = outCp;\n }\n // uvm: expect array of 3-number tuples; tolerate nested arrays loosely\n if (isArray(src.uvm)) {\n const uvmArr = (src.uvm as unknown[]).filter(isArray).map((t) => {\n const a = t as unknown[];\n const n0 = typeof a[0] === 'number' ? (a[0] as number) : undefined;\n const n1 = typeof a[1] === 'number' ? (a[1] as number) : undefined;\n const n2 = typeof a[2] === 'number' ? (a[2] as number) : undefined;\n return (typeof n0 === 'number' && typeof n1 === 'number' && typeof n2 === 'number')\n ? [n0, n1, n2] as [number, number, number]\n : undefined;\n }).filter((x): x is [number, number, number] => Array.isArray(x));\n if (uvmArr.length > 0) out.uvm = uvmArr;\n }\n // prf\n if (isObject(src.prf)) {\n const prf = src.prf as Record<string, unknown>;\n const results = isObject(prf.results) ? (prf.results as Record<string, unknown>) : {};\n const first = results.first;\n const second = results.second;\n out.prf = {\n results: {\n first: isString(first) ? first : undefined,\n second: isString(second) ? second : undefined,\n },\n };\n }\n return out;\n}\n","// Safari/WebAuthn fallbacks: centralized retry + top-level bridge\n// - Encapsulates Safari-specific error handling (ancestor-origin, not-focused)\n// - Bridges create/get to top-level via postMessage when needed\n// - Keeps helpers private to reduce file count and surface area\n\ntype Kind = 'create' | 'get';\n\n// Typed message names for parent-domain bridge\nexport const WebAuthnBridgeMessage = {\n Create: 'WALLET_WEBAUTHN_CREATE',\n Get: 'WALLET_WEBAUTHN_GET',\n CreateResult: 'WALLET_WEBAUTHN_CREATE_RESULT',\n GetResult: 'WALLET_WEBAUTHN_GET_RESULT',\n} as const;\n\nexport type BridgeKind = typeof WebAuthnBridgeMessage.Create | typeof WebAuthnBridgeMessage.Get;\nexport type BridgeResultKind = typeof WebAuthnBridgeMessage.CreateResult | typeof WebAuthnBridgeMessage.GetResult;\n\ntype ResultTypeFor<K extends BridgeKind> =\n K extends typeof WebAuthnBridgeMessage.Get\n ? typeof WebAuthnBridgeMessage.GetResult\n : typeof WebAuthnBridgeMessage.CreateResult;\n\nfunction getResultTypeFor<K extends BridgeKind>(kind: K): ResultTypeFor<K> {\n return (kind === WebAuthnBridgeMessage.Get\n ? WebAuthnBridgeMessage.GetResult\n : WebAuthnBridgeMessage.CreateResult) as ResultTypeFor<K>;\n}\n\ntype BridgeOk = { ok: true; credential: unknown };\ntype BridgeErr = { ok: false; error?: string; timeout?: boolean };\ntype BridgeResponse = BridgeOk | BridgeErr;\n\n// Client interface used to request WebAuthn from the parent/top-level context\nexport type ParentDomainWebAuthnClient = {\n request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions | PublicKeyCredentialRequestOptions,\n timeoutMs?: number,\n ): Promise<BridgeResponse>;\n};\n\nexport interface OrchestratorDeps {\n rpId: string;\n inIframe: boolean;\n timeoutMs?: number;\n bridgeClient?: ParentDomainWebAuthnClient;\n // Gate for ancestor-error on GET; bridges for focus errors are always allowed when in iframe.\n permitGetBridgeOnAncestorError?: boolean;\n // Optional AbortSignal to cancel native navigator.credentials operations.\n // Note: parent-bridge path may not be abortable.\n abortSignal?: AbortSignal;\n}\n\n/**\n * Execute a WebAuthn operation with Safari-aware fallbacks.\n *\n * Steps:\n * 1) Try native WebAuthn via navigator.credentials.{create|get}\n * 2) If the failure matches Safari's ancestor-origin restriction and we are in an iframe,\n * ask the parent/top-level window to perform the WebAuthn operation (bridge). If the\n * parent reports a user cancellation, throw NotAllowedError; if it times out, continue.\n * 3) If the failure matches Safari's \"document not focused\" path, first attempt to refocus\n * and retry native once; if still blocked and in an iframe, ask the parent window to handle it.\n * 4) Generic last resort: when in an iframe (constrained context), always attempt the parent\n * WebAuthn once even if the error wasn't recognized as a Safari-specific case. If the parent\n * path times out, surface a deterministic timeout error without re-trying native again.\n * 5) Otherwise, rethrow the original error.\n */\nexport async function executeWebAuthnWithParentFallbacksSafari(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions | PublicKeyCredentialRequestOptions,\n deps: OrchestratorDeps,\n): Promise<PublicKeyCredential | unknown> {\n\n const {\n rpId,\n inIframe,\n timeoutMs = 60000,\n permitGetBridgeOnAncestorError = true\n } = deps;\n const bridgeClient = deps.bridgeClient || new WindowParentDomainWebAuthnClient();\n\n const isTestForceNativeFail = (): boolean => {\n const g = (globalThis as any);\n const w = (typeof window !== 'undefined' ? (window as any) : undefined);\n return !!(g && g.__W3A_TEST_FORCE_NATIVE_FAIL) || !!(w && w.__W3A_TEST_FORCE_NATIVE_FAIL);\n };\n const bumpCounter = (key: string) => {\n const g = (globalThis as any);\n g[key] = (g[key] || 0) + 1;\n };\n\n // Test harness fast-path: when explicitly forcing native fail, skip native and go straight to bridge.\n // Still bump native attempt counters for determinism in tests.\n if (isTestForceNativeFail()) {\n if (kind === 'create') bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n else bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n try {\n const bridged = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridged?.ok) return bridged.credential;\n if (bridged && !bridged.timeout) {\n throw notAllowedError(bridged.error || 'WebAuthn cancelled or failed (bridge)');\n }\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n // Ensure consistent error type for unit tests\n throw notAllowedError((be as any)?.message || 'WebAuthn bridge failed');\n }\n }\n\n const tryNative = async () => {\n if (kind === 'create') {\n bumpCounter('__W3A_TEST_NATIVE_CREATE_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (create)');\n // Build options with optional AbortSignal\n return await navigator.credentials.create({\n publicKey: publicKey as PublicKeyCredentialCreationOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n } else {\n bumpCounter('__W3A_TEST_NATIVE_GET_ATTEMPTS');\n if (isTestForceNativeFail()) throw notAllowedError('Forced native fail (get)');\n return await navigator.credentials.get({\n publicKey: publicKey as PublicKeyCredentialRequestOptions,\n ...(deps.abortSignal ? { signal: deps.abortSignal } : {}),\n });\n }\n };\n\n // Step 1: native attempt\n try {\n return await tryNative();\n } catch (e: unknown) {\n // If the user explicitly cancelled (generic NotAllowedError without Safari-specific hints),\n // do not attempt any bridge fallbacks that would re-prompt Touch ID. Propagate immediately.\n // This avoids double prompts when a user cancels the native sheet.\n const name = safeName(e);\n if (name === 'NotAllowedError' && !isAncestorOriginError(e) && !isDocumentNotFocusedError(e)) {\n throw e;\n }\n\n // Step 2: ancestor-origin restriction → parent bridge (when in iframe)\n if (isAncestorOriginError(e) && inIframe) {\n if (kind === 'get' && !permitGetBridgeOnAncestorError) {\n throw e;\n }\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error || 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message || 'WebAuthn bridge failed');\n }\n }\n\n // Step 3: document-not-focused → refocus + retry native; then parent bridge if still blocked\n if (isDocumentNotFocusedError(e)) {\n const focused = await attemptRefocus();\n if (focused) {\n try { return await tryNative(); } catch {}\n }\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error || 'WebAuthn get cancelled or failed (bridge)');\n }\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message || 'WebAuthn bridge failed');\n }\n }\n }\n\n // Step 4: generic last-resort bridge path for constrained iframe contexts\n if (inIframe) {\n try {\n const bridgedCredentials = await requestParentDomainWebAuthn(kind, publicKey, bridgeClient, timeoutMs);\n if (bridgedCredentials?.ok) return bridgedCredentials.credential;\n if (bridgedCredentials && !bridgedCredentials.timeout) {\n throw notAllowedError(bridgedCredentials.error || 'WebAuthn cancelled or failed (bridge)');\n }\n // Timeout: surface an explicit error without re‑trying native again\n throw new Error('WebAuthn bridge timeout');\n } catch (be: unknown) {\n throw notAllowedError((be as any)?.message || 'WebAuthn bridge failed');\n }\n }\n\n // Step 5: not an iframe or no recognized fallback – rethrow original error\n throw e;\n }\n}\n\n// Request the parent/top-level window to perform the WebAuthn operation\nexport async function requestParentDomainWebAuthn(\n kind: Kind,\n publicKey: PublicKeyCredentialCreationOptions | PublicKeyCredentialRequestOptions,\n client: ParentDomainWebAuthnClient,\n timeoutMs: number,\n): Promise<BridgeResponse> {\n if (kind === 'create') {\n return client.request(WebAuthnBridgeMessage.Create, publicKey as PublicKeyCredentialCreationOptions, timeoutMs);\n }\n return client.request(WebAuthnBridgeMessage.Get, publicKey as PublicKeyCredentialRequestOptions, timeoutMs);\n}\n\n// Default bridge client using window.parent postMessage protocol\nexport class WindowParentDomainWebAuthnClient implements ParentDomainWebAuthnClient {\n async request<K extends BridgeKind>(\n kind: K,\n publicKey: PublicKeyCredentialCreationOptions | PublicKeyCredentialRequestOptions,\n timeoutMs = 60000,\n ): Promise<BridgeResponse> {\n const requestId = `${kind}:${Date.now()}:${Math.random().toString(36).slice(2)}`;\n const resultType = getResultTypeFor(kind);\n\n return new Promise((resolve) => {\n let settled = false;\n const finish = (val: BridgeResponse) => { if (!settled) { settled = true; resolve(val); } };\n\n const onMessage = (ev: MessageEvent) => {\n const payload = ev?.data as unknown;\n if (!payload || typeof (payload as { type?: unknown }).type !== 'string') return;\n const t = (payload as { type: string }).type;\n if (t !== resultType) return;\n const rid = (payload as { requestId?: unknown }).requestId;\n if (rid !== requestId) return;\n window.removeEventListener('message', onMessage);\n const ok = !!(payload as { ok?: unknown }).ok;\n const cred = (payload as { credential?: unknown }).credential;\n const err = (payload as { error?: unknown }).error;\n if (ok && cred) return finish({ ok: true, credential: cred });\n return finish({ ok: false, error: typeof err === 'string' ? err : undefined });\n };\n window.addEventListener('message', onMessage);\n window.parent?.postMessage({ type: kind, requestId, publicKey } as { type: K; requestId: string; publicKey: any }, '*');\n setTimeout(() => { window.removeEventListener('message', onMessage); finish({ ok: false, timeout: true }); }, timeoutMs);\n });\n }\n}\n\nfunction notAllowedError(message: string): Error {\n const e = new Error(message);\n (e as any).name = 'NotAllowedError';\n return e;\n}\n\n// Private: error classification helpers\nfunction isAncestorOriginError(err: unknown): boolean {\n const msg = safeMessage(err);\n return /origin of the document is not the same as its ancestors/i.test(msg);\n}\n\nfunction isDocumentNotFocusedError(err: unknown): boolean {\n const name = safeName(err);\n const msg = safeMessage(err);\n const isNotAllowed = name === 'NotAllowedError';\n const mentionsFocus = /document is not focused|not focused|focus/i.test(msg);\n return Boolean(isNotAllowed && mentionsFocus);\n}\n\nfunction safeMessage(err: unknown): string {\n return String((err as { message?: unknown })?.message || '');\n}\n\nfunction safeName(err: unknown): string {\n const n = (err as { name?: unknown })?.name;\n return typeof n === 'string' ? n : '';\n}\n\n// Private: focus utility to mitigate Safari focus issues\nasync function attemptRefocus(maxRetries = 2, delays: number[] = [50, 120]): Promise<boolean> {\n (window as any).focus?.();\n (document?.body as any)?.focus?.();\n\n const wait = (ms: number) => new Promise(r => setTimeout(r, ms));\n const total = Math.max(0, maxRetries);\n for (let i = 0; i <= total; i++) {\n const d = delays[i] ?? delays[delays.length - 1] ?? 80;\n await wait(d);\n if (document.hasFocus()) return true;\n (window as any).focus?.();\n }\n return document.hasFocus();\n}\n","import { ClientAuthenticatorData } from '../IndexedDBManager';\nimport { base64UrlDecode } from '../../utils/encoders';\nimport { outputAs32Bytes, VRFChallenge } from '../types/vrf-worker';\nimport { serializeAuthenticationCredentialWithPRF, generateChaCha20Salt, generateEd25519Salt } from './credentialsHelpers';\nimport type {\n WebAuthnAuthenticationCredential,\n WebAuthnRegistrationCredential\n} from '../types/webauthn';\nimport { executeWebAuthnWithParentFallbacksSafari } from './WebAuthnFallbacks';\n// Local rpId policy helpers (moved back from WebAuthnFallbacks)\nfunction isRegistrableSuffix(host: string, cand: string): boolean {\n if (!host || !cand) return false;\n if (host === cand) return true;\n return host.endsWith('.' + cand);\n}\n\nfunction resolveRpId(override: string | undefined, host: string | undefined): string {\n const h = (host || '').toLowerCase();\n const ov = (override || '').toLowerCase();\n if (ov && h && isRegistrableSuffix(h, ov)) return ov;\n return h || ov || '';\n}\n\nexport interface RegisterCredentialsArgs {\n nearAccountId: string, // NEAR account ID for PRF salts and keypair derivation (always base account)\n challenge: VRFChallenge,\n deviceNumber?: number, // Optional device number for device-specific user ID (0, 1, 2, etc.)\n}\n\nexport interface AuthenticateCredentialsArgs {\n nearAccountId: string,\n challenge: VRFChallenge,\n allowCredentials: AllowCredential[],\n}\n\nexport interface AllowCredential {\n id: string,\n type: string,\n transports: AuthenticatorTransport[]\n}\n\nexport function authenticatorsToAllowCredentials(\n authenticators: ClientAuthenticatorData[]\n): AllowCredential[] {\n return authenticators.map(auth => ({\n id: auth.credentialId,\n type: 'public-key',\n transports: auth.transports as AuthenticatorTransport[]\n }));\n}\n\n/**\n * TouchIdPrompt prompts for touchID,\n * creates credentials,\n * manages WebAuthn touchID prompts,\n * and generates credentials, and PRF Outputs\n */\nexport class TouchIdPrompt {\n private rpIdOverride?: string;\n private safariGetWebauthnRegistrationFallback: boolean;\n // create() only: internal abort controller + cleanup hooks\n private abortController?: AbortController;\n private removePageAbortHandlers?: () => void;\n private removeExternalAbortListener?: () => void;\n\n constructor(rpIdOverride?: string, safariGetWebauthnRegistrationFallback = false) {\n this.rpIdOverride = rpIdOverride;\n this.safariGetWebauthnRegistrationFallback = safariGetWebauthnRegistrationFallback === true;\n }\n\n getRpId(): string {\n try {\n return resolveRpId(this.rpIdOverride, window?.location?.hostname);\n } catch {\n return this.rpIdOverride || '';\n }\n }\n\n // Utility helpers for cross‑origin fallback\n private static _inIframe(): boolean {\n try { return window.self !== window.top; } catch { return true; }\n }\n\n /**\n * Get authentication credentials\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes\n * @param allowCredentials - Array of allowed credentials for authentication\n * @returns WebAuthn credential with only the first PRF output\n */\n async getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge,\n allowCredentials,\n }: {\n nearAccountId: string\n challenge: VRFChallenge\n allowCredentials: AllowCredential[]\n }): Promise<WebAuthnAuthenticationCredential> {\n const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n })) as unknown;\n // Support parent-bridge fallback returning an already-serialized credential\n if (isSerializedAuthenticationCredential(credentialMaybe)) {\n return credentialMaybe;\n }\n return serializeAuthenticationCredentialWithPRF({\n credential: credentialMaybe as PublicKeyCredential,\n firstPrfOutput: true,\n secondPrfOutput: false,\n })\n }\n\n /**\n * Same as getAuthenticationCredentialsSerialized but returns both PRF outputs\n * (PRF.first + PRF.second).\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes\n * @param allowCredentials - Array of allowed credentials for authentication\n * @returns\n */\n async getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge,\n allowCredentials,\n }: {\n nearAccountId: string,\n challenge: VRFChallenge,\n allowCredentials: AllowCredential[],\n }): Promise<WebAuthnAuthenticationCredential> {\n const credentialMaybe = (await this.getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n })) as unknown;\n // Support parent-bridge fallback returning an already-serialized credential\n if (isSerializedAuthenticationCredential(credentialMaybe)) {\n return credentialMaybe;\n }\n return serializeAuthenticationCredentialWithPRF({\n credential: credentialMaybe as PublicKeyCredential,\n firstPrfOutput: true,\n secondPrfOutput: true,\n });\n }\n\n /**\n * Internal method for generating WebAuthn registration credentials with PRF output\n * @param nearAccountId - NEAR account ID for PRF salts and keypair derivation (always base account)\n * @param challenge - Random challenge bytes for the registration ceremony\n * @param deviceNumber - Device number for device-specific user ID.\n * @returns Credential with PRF output\n */\n async generateRegistrationCredentialsInternal({\n nearAccountId,\n challenge,\n deviceNumber,\n }: RegisterCredentialsArgs): Promise<PublicKeyCredential> {\n // New controller per create() call\n this.abortController = new AbortController();\n this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n // Single source of truth for rpId: use getRpId().\n const rpId = this.getRpId();\n const publicKey: PublicKeyCredentialCreationOptions = {\n challenge: outputAs32Bytes(challenge) as BufferSource,\n rp: {\n name: 'WebAuthn VRF Passkey',\n id: rpId\n },\n user: {\n id: new TextEncoder().encode(generateDeviceSpecificUserId(nearAccountId, deviceNumber)),\n name: generateDeviceSpecificUserId(nearAccountId, deviceNumber),\n displayName: generateUserFriendlyDisplayName(nearAccountId, deviceNumber)\n },\n pubKeyCredParams: [\n { alg: -7, type: 'public-key' },\n { alg: -257, type: 'public-key' }\n ],\n authenticatorSelection: {\n residentKey: 'required',\n userVerification: 'preferred'\n },\n timeout: 60000,\n attestation: 'none',\n extensions: {\n prf: {\n eval: {\n // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n first: generateChaCha20Salt(nearAccountId) as BufferSource, // ChaCha20Poly1305 encryption keys\n second: generateEd25519Salt(nearAccountId) as BufferSource // Ed25519 signing keys\n }\n }\n },\n };\n try {\n const result = await executeWebAuthnWithParentFallbacksSafari('create', publicKey, {\n rpId,\n inIframe: TouchIdPrompt._inIframe(),\n timeoutMs: publicKey.timeout as number | undefined,\n // Pass AbortSignal through when supported; Safari bridge path may ignore it.\n abortSignal: this.abortController.signal,\n });\n return result as PublicKeyCredential;\n } finally {\n this.removePageAbortHandlers?.();\n this.removePageAbortHandlers = undefined;\n this.removeExternalAbortListener?.();\n this.removeExternalAbortListener = undefined;\n this.abortController = undefined;\n }\n }\n\n /**\n * Internal method for getting WebAuthn authentication credentials with PRF output\n * @param nearAccountId - NEAR account ID to authenticate\n * @param challenge - VRF challenge bytes to use for WebAuthn authentication\n * @param authenticators - List of stored authenticator data for the user\n * @returns WebAuthn credential with PRF output (HKDF derivation done in WASM worker)\n * ```ts\n * const credential = await touchIdPrompt.getCredentials({\n * nearAccountId,\n * challenge,\n * authenticators,\n * });\n * ```\n */\n async getAuthenticationCredentialsInternal({\n nearAccountId,\n challenge,\n allowCredentials,\n }: AuthenticateCredentialsArgs): Promise<PublicKeyCredential> {\n // New controller per get() call\n this.abortController = new AbortController();\n this.removePageAbortHandlers = TouchIdPrompt.attachPageAbortHandlers(this.abortController);\n // Single source of truth for rpId: use getRpId().\n const rpId = this.getRpId();\n const publicKey: PublicKeyCredentialRequestOptions = {\n challenge: outputAs32Bytes(challenge) as BufferSource,\n rpId,\n allowCredentials: allowCredentials.map((credential) => ({\n id: base64UrlDecode(credential.id) as BufferSource,\n type: 'public-key' as PublicKeyCredentialType,\n transports: credential.transports,\n })),\n userVerification: 'preferred' as UserVerificationRequirement,\n timeout: 60000,\n extensions: {\n prf: {\n eval: {\n // Always use NEAR account ID for PRF salts to ensure consistent keypair derivation across devices\n first: generateChaCha20Salt(nearAccountId) as BufferSource, // ChaCha20Poly1305 encryption keys\n second: generateEd25519Salt(nearAccountId) as BufferSource // Ed25519 signing keys\n }\n }\n }\n };\n try {\n const result = await executeWebAuthnWithParentFallbacksSafari('get', publicKey, {\n rpId,\n inIframe: TouchIdPrompt._inIframe(),\n timeoutMs: publicKey.timeout as number | undefined,\n permitGetBridgeOnAncestorError: this.safariGetWebauthnRegistrationFallback,\n abortSignal: this.abortController.signal,\n });\n return result as PublicKeyCredential;\n } finally {\n this.removePageAbortHandlers?.();\n this.removePageAbortHandlers = undefined;\n this.removeExternalAbortListener?.();\n this.removeExternalAbortListener = undefined;\n this.abortController = undefined;\n }\n }\n}\n\n// Type guard for already-serialized authentication credential\nfunction isSerializedAuthenticationCredential(x: unknown): x is WebAuthnAuthenticationCredential {\n if (!x || typeof x !== 'object') return false;\n const obj = x as { response?: unknown };\n const resp = obj.response as { authenticatorData?: unknown } | undefined;\n return typeof resp?.authenticatorData === 'string';\n}\n\n/**\n * Generate device-specific user ID to prevent Chrome sync conflicts\n * Creates technical identifiers with full account context\n *\n * @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns Technical identifier:\n * - Device 1: \"serp120.web3-authn.testnet\"\n * - Device 2: \"serp120.web3-authn.testnet (2)\"\n * - Device 3: \"serp120.web3-authn.testnet (3)\"\n */\nexport function generateDeviceSpecificUserId(nearAccountId: string, deviceNumber?: number): string {\n // If no device number provided or device number is 1, this is the first device\n if (deviceNumber === undefined || deviceNumber === 1) {\n return nearAccountId;\n }\n // For additional devices, add device number in parentheses\n return `${nearAccountId} (${deviceNumber})`;\n}\n\n/**\n * Generate user-friendly display name for passkey manager UI\n * Creates clean, intuitive names that users will see\n *\n * @param nearAccountId - The NEAR account ID (e.g., \"serp120.w3a-v1.testnet\")\n * @param deviceNumber - The device number (optional, undefined for device 1, 2 for device 2, etc.)\n * @returns User-friendly display name:\n * - Device 1: \"serp120\"\n * - Device 2: \"serp120 (device 2)\"\n * - Device 3: \"serp120 (device 3)\"\n */\nfunction generateUserFriendlyDisplayName(nearAccountId: string, deviceNumber?: number): string {\n // Extract the base username (everything before the first dot)\n const baseUsername = nearAccountId.split('.')[0];\n // If no device number provided or device number is 1, this is the first device\n if (deviceNumber === undefined || deviceNumber === 1) {\n return baseUsername;\n }\n // For additional devices, add device number with friendly label\n return `${baseUsername} (device ${deviceNumber})`;\n}\n\n// Abort native WebAuthn when page is being hidden or unloaded\n// Centralized here to keep WebAuthn lifecycle concerns alongside native calls.\nexport namespace TouchIdPrompt {\n export function attachPageAbortHandlers(controller: AbortController): () => void {\n const onVisibility = () => { if (document.hidden) controller.abort(); };\n const onPageHide = () => { controller.abort(); };\n const onBeforeUnload = () => { controller.abort(); };\n document.addEventListener('visibilitychange', onVisibility, { passive: true });\n window.addEventListener('pagehide', onPageHide, { passive: true });\n window.addEventListener('beforeunload', onBeforeUnload, { passive: true });\n return () => {\n document.removeEventListener('visibilitychange', onVisibility);\n window.removeEventListener('pagehide', onPageHide);\n window.removeEventListener('beforeunload', onBeforeUnload);\n };\n }\n}\n","import { DelegateAction, Signature } from './delegate';\n\n// === TRANSACTION INPUT INTERFACES ===\n\nexport interface TransactionInput {\n receiverId: string;\n actions: ActionArgs[],\n}\n\nexport interface TransactionInputWasm {\n receiverId: string;\n actions: ActionArgsWasm[],\n nonce?: string; // Optional - computed in confirmation flow if not provided\n}\n\n/**\n * Enum for all supported NEAR action types\n */\nexport enum ActionType {\n CreateAccount = \"CreateAccount\",\n DeployContract = \"DeployContract\",\n FunctionCall = \"FunctionCall\",\n Transfer = \"Transfer\",\n Stake = \"Stake\",\n AddKey = \"AddKey\",\n DeleteKey = \"DeleteKey\",\n DeleteAccount = \"DeleteAccount\",\n SignedDelegate = \"SignedDelegate\",\n DeployGlobalContract = \"DeployGlobalContract\",\n UseGlobalContract = \"UseGlobalContract\",\n}\n\nexport enum TxExecutionStatus {\n NONE = 'NONE',\n INCLUDED = 'INCLUDED',\n INCLUDED_FINAL = 'INCLUDED_FINAL',\n EXECUTED = 'EXECUTED',\n FINAL = 'FINAL',\n EXECUTED_OPTIMISTIC = 'EXECUTED_OPTIMISTIC'\n}\n\n// === ACTION INTERFACES (camelCase for JS) ===\n\nexport interface FunctionCallAction {\n type: ActionType.FunctionCall;\n /** Name of the contract method to call */\n methodName: string;\n /** Arguments to pass to the method (will be JSON.stringify'd automatically) */\n args: Record<string, any>;\n /** Maximum gas to use for this call (default: '30000000000000' 30 TGas) */\n gas?: string;\n /** Amount of NEAR tokens to attach in yoctoNEAR (default: '0') */\n deposit?: string;\n}\n\nexport interface TransferAction {\n type: ActionType.Transfer;\n /** Amount of NEAR tokens to transfer in yoctoNEAR */\n amount: string;\n}\n\nexport interface CreateAccountAction {\n type: ActionType.CreateAccount;\n}\n\nexport interface DeployContractAction {\n type: ActionType.DeployContract;\n /** Contract code as Uint8Array or base64 string */\n code: Uint8Array | string;\n}\n\nexport interface DeployGlobalContractAction {\n type: ActionType.DeployGlobalContract;\n /** Global contract code as Uint8Array or base64 string */\n code: Uint8Array | string;\n /** Deployment mode: CodeHash | AccountId */\n deployMode: 'CodeHash' | 'AccountId';\n}\n\nexport interface UseGlobalContractAction {\n type: ActionType.UseGlobalContract;\n /** Exactly one of these should be set */\n accountId?: string;\n /** bs58-encoded 32-byte code hash */\n codeHash?: string;\n}\n\nexport interface StakeAction {\n type: ActionType.Stake;\n /** Amount to stake in yoctoNEAR */\n stake: string;\n /** Public key of the validator */\n publicKey: string;\n}\n\nexport interface AddKeyAction {\n type: ActionType.AddKey;\n /** Public key to add */\n publicKey: string;\n /** Access key configuration */\n accessKey: {\n /** Starting nonce for the key */\n nonce?: number;\n /** Permission level for the key */\n permission: 'FullAccess' | {\n /** Function call permissions */\n FunctionCall: {\n /** Maximum allowance in yoctoNEAR (optional for unlimited) */\n allowance?: string;\n /** Contract that can be called (default: same as receiverId) */\n receiverId?: string;\n /** Method names that can be called (empty array = all methods) */\n methodNames?: string[];\n };\n };\n };\n}\n\nexport interface DeleteKeyAction {\n type: ActionType.DeleteKey;\n /** Public key to remove */\n publicKey: string;\n}\n\nexport interface DeleteAccountAction {\n type: ActionType.DeleteAccount;\n /** Account that will receive the remaining balance */\n beneficiaryId: string;\n}\n\n/**\n * Action types for all NEAR actions\n * camelCase for JS\n */\nexport type ActionArgs =\n | FunctionCallAction\n | TransferAction\n | CreateAccountAction\n | DeployContractAction\n | StakeAction\n | AddKeyAction\n | DeleteKeyAction\n | DeleteAccountAction\n | DeployGlobalContractAction\n | UseGlobalContractAction;\n\n// === ACTION TYPES ===\n\n// ActionArgsWasm matches the Rust enum structure exactly\n// snake_case for wasm\nexport type ActionArgsWasm =\n | { action_type: ActionType.CreateAccount }\n | { action_type: ActionType.DeployContract; code: number[] }\n | {\n action_type: ActionType.FunctionCall;\n method_name: string;\n args: string; // JSON string\n gas: string;\n deposit: string;\n }\n | { action_type: ActionType.Transfer; deposit: string }\n | { action_type: ActionType.Stake; stake: string; public_key: string }\n | { action_type: ActionType.AddKey; public_key: string; access_key: string }\n | { action_type: ActionType.DeleteKey; public_key: string }\n | { action_type: ActionType.DeleteAccount; beneficiary_id: string }\n | {\n action_type: ActionType.SignedDelegate;\n delegate_action: DelegateAction;\n signature: Signature;\n }\n | { action_type: ActionType.DeployGlobalContract; code: number[]; deploy_mode: 'CodeHash' | 'AccountId' }\n | { action_type: ActionType.UseGlobalContract; account_id?: string; code_hash?: string }\n\nexport function isActionArgsWasm(a?: any): a is ActionArgsWasm {\n return isObject(a) && 'action_type' in a;\n}\n\nexport function toActionArgsWasm(action: ActionArgs): ActionArgsWasm {\n switch (action.type) {\n case ActionType.Transfer:\n return {\n action_type: ActionType.Transfer,\n deposit: action.amount\n };\n\n case ActionType.FunctionCall:\n return {\n action_type: ActionType.FunctionCall,\n method_name: action.methodName,\n args: JSON.stringify(action.args),\n gas: action.gas || \"30000000000000\",\n deposit: action.deposit || \"0\"\n };\n\n case ActionType.AddKey:\n // Ensure access key has proper format with nonce and permission object.\n // For FullAccess we emit the NEAR-style `{ FullAccess: {} }` shape to\n // match near-api-js and RPC JSON; FunctionCall permissions are passed\n // through as-is.\n const rawPermission = action.accessKey.permission;\n const permission = rawPermission === 'FullAccess'\n ? { FullAccess: {} }\n : rawPermission;\n const accessKey = {\n nonce: action.accessKey.nonce || 0,\n permission,\n };\n return {\n action_type: ActionType.AddKey,\n public_key: action.publicKey,\n access_key: JSON.stringify(accessKey)\n };\n\n case ActionType.DeleteKey:\n return {\n action_type: ActionType.DeleteKey,\n public_key: action.publicKey\n };\n\n case ActionType.CreateAccount:\n return {\n action_type: ActionType.CreateAccount\n };\n\n case ActionType.DeleteAccount:\n return {\n action_type: ActionType.DeleteAccount,\n beneficiary_id: action.beneficiaryId\n };\n\n case ActionType.DeployContract:\n return {\n action_type: ActionType.DeployContract,\n code: typeof action.code === 'string'\n ? Array.from(new TextEncoder().encode(action.code))\n : Array.from(action.code)\n };\n\n case ActionType.DeployGlobalContract:\n return {\n action_type: ActionType.DeployGlobalContract,\n code: typeof action.code === 'string'\n ? Array.from(new TextEncoder().encode(action.code))\n : Array.from(action.code),\n deploy_mode: action.deployMode,\n };\n\n case ActionType.UseGlobalContract:\n return {\n action_type: ActionType.UseGlobalContract,\n account_id: action.accountId,\n code_hash: action.codeHash,\n };\n\n case ActionType.Stake:\n return {\n action_type: ActionType.Stake,\n stake: action.stake,\n public_key: action.publicKey\n };\n\n default:\n throw new Error(`Action type ${(action as any).type} is not supported`);\n }\n}\n\n// === ACTION TYPE VALIDATION ===\n\n/**\n * Validate action parameters before sending to worker\n */\nexport function validateActionArgsWasm(actionArgsWasm: ActionArgsWasm): void {\n switch (actionArgsWasm.action_type) {\n case ActionType.FunctionCall:\n if (!actionArgsWasm.method_name) {\n throw new Error('method_name required for FunctionCall');\n }\n if (!actionArgsWasm.args) {\n throw new Error('args required for FunctionCall');\n }\n if (!actionArgsWasm.gas) {\n throw new Error('gas required for FunctionCall');\n }\n if (!actionArgsWasm.deposit) {\n throw new Error('deposit required for FunctionCall');\n }\n // Validate args is valid JSON string\n if (typeof actionArgsWasm.args !== 'string') {\n throw new Error('FunctionCall action args must be a valid JSON string');\n }\n try {\n JSON.parse(actionArgsWasm.args);\n } catch {\n throw new Error('FunctionCall action args must be valid JSON string');\n }\n break;\n case ActionType.Transfer:\n if (!actionArgsWasm.deposit) {\n throw new Error('deposit required for Transfer');\n }\n break;\n case ActionType.CreateAccount:\n // No additional validation needed\n break;\n case ActionType.DeployContract:\n if (!actionArgsWasm.code || actionArgsWasm.code.length === 0) {\n throw new Error('code required for DeployContract');\n }\n break;\n case ActionType.Stake:\n if (!actionArgsWasm.stake) {\n throw new Error('stake amount required for Stake');\n }\n if (!actionArgsWasm.public_key) {\n throw new Error('public_key required for Stake');\n }\n break;\n case ActionType.AddKey:\n if (!actionArgsWasm.public_key) {\n throw new Error('public_key required for AddKey');\n }\n if (!actionArgsWasm.access_key) {\n throw new Error('access_key required for AddKey');\n }\n // Validate access_key is valid JSON string\n if (typeof actionArgsWasm.access_key !== 'string') {\n throw new Error('AddKey action access_key must be a valid JSON string');\n }\n try {\n JSON.parse(actionArgsWasm.access_key);\n } catch {\n throw new Error('AddKey action access_key must be valid JSON string');\n }\n break;\n case ActionType.DeleteKey:\n if (!actionArgsWasm.public_key) {\n throw new Error('public_key required for DeleteKey');\n }\n break;\n case ActionType.DeleteAccount:\n if (!actionArgsWasm.beneficiary_id) {\n throw new Error('beneficiary_id required for DeleteAccount');\n }\n break;\n case ActionType.SignedDelegate: {\n const payload = actionArgsWasm as {\n delegate_action?: unknown;\n signature?: unknown;\n };\n if (!payload.delegate_action || typeof payload.delegate_action !== 'object') {\n throw new Error('delegate_action required for SignedDelegate');\n }\n if (!payload.signature || typeof payload.signature !== 'object') {\n throw new Error('signature required for SignedDelegate');\n }\n break;\n }\n case ActionType.DeployGlobalContract:\n if (!actionArgsWasm.code || actionArgsWasm.code.length === 0) {\n throw new Error('code required for DeployGlobalContract');\n }\n if (!actionArgsWasm.deploy_mode || (actionArgsWasm.deploy_mode !== 'CodeHash' && actionArgsWasm.deploy_mode !== 'AccountId')) {\n throw new Error('deploy_mode must be CodeHash or AccountId for DeployGlobalContract');\n }\n break;\n case ActionType.UseGlobalContract: {\n const hasAccountId = !!actionArgsWasm.account_id;\n const hasCodeHash = !!actionArgsWasm.code_hash;\n if (hasAccountId === hasCodeHash) {\n throw new Error('UseGlobalContract requires exactly one of account_id or code_hash');\n }\n break;\n }\n default:\n throw new Error(`Unsupported action type: ${(actionArgsWasm as any).action_type}`);\n }\n}\n\n// === CONVERSIONS: WASM -> JS ACTIONS ===\n\ninterface FunctionCallPermissionView {\n FunctionCall: {\n allowance: string;\n receiver_id: string;\n method_names: string[];\n };\n}\n\n/**\n * Convert a single ActionArgsWasm (snake_case, stringified fields) to ActionArgs (camelCase, typed fields)\n */\nexport function fromActionArgsWasm(a: ActionArgsWasm): ActionArgs {\n switch (a.action_type) {\n case ActionType.FunctionCall: {\n let parsedArgs: Record<string, any> = {};\n try {\n if (typeof a.args === 'string') {\n parsedArgs = a.args ? JSON.parse(a.args) : {};\n } else {\n parsedArgs = a.args || {};\n }\n } catch {\n // leave as empty object if parsing fails\n parsedArgs = {};\n }\n return {\n type: ActionType.FunctionCall,\n methodName: a.method_name,\n args: parsedArgs,\n gas: a.gas,\n deposit: a.deposit\n };\n }\n case ActionType.Transfer:\n return {\n type: ActionType.Transfer,\n amount: a.deposit\n };\n case ActionType.CreateAccount:\n return {\n type: ActionType.CreateAccount\n };\n case ActionType.DeployContract: {\n // Represent code as Uint8Array for consistency\n const codeBytes = Array.isArray(a.code) ? new Uint8Array(a.code) : new Uint8Array();\n return {\n type: ActionType.DeployContract,\n code: codeBytes\n };\n }\n case ActionType.DeployGlobalContract: {\n const codeBytes = Array.isArray(a.code) ? new Uint8Array(a.code) : new Uint8Array();\n return {\n type: ActionType.DeployGlobalContract,\n code: codeBytes,\n deployMode: a.deploy_mode,\n };\n }\n case ActionType.Stake:\n return {\n type: ActionType.Stake,\n stake: a.stake,\n publicKey: a.public_key\n };\n case ActionType.AddKey: {\n // access_key is a JSON string of { nonce, permission: ... }\n let accessKey: { nonce: bigint; permission: 'FullAccess' | FunctionCallPermissionView; }\n try {\n accessKey = JSON.parse(a.access_key);\n } catch {\n accessKey = { nonce: BigInt(0), permission: 'FullAccess' };\n }\n // Normalize permission back to SDK shape\n const permission = accessKey?.permission;\n let normalizedPermission: 'FullAccess' | FunctionCallPermissionView = 'FullAccess';\n\n if (isObject(permission)) {\n if ('FullAccess' in permission) {\n normalizedPermission = 'FullAccess';\n } else if ('FunctionCall' in permission) {\n const fc = (permission as FunctionCallPermissionView).FunctionCall;\n normalizedPermission = {\n FunctionCall: {\n allowance: fc.allowance,\n receiver_id: fc.receiver_id,\n method_names: fc.method_names\n }\n };\n }\n }\n return {\n type: ActionType.AddKey,\n publicKey: a.public_key,\n accessKey: {\n nonce: typeof accessKey?.nonce === 'number' ? accessKey.nonce : 0,\n permission: normalizedPermission\n }\n };\n }\n case ActionType.DeleteKey:\n return {\n type: ActionType.DeleteKey,\n publicKey: a.public_key\n };\n case ActionType.DeleteAccount:\n return {\n type: ActionType.DeleteAccount,\n beneficiaryId: a.beneficiary_id\n };\n case ActionType.UseGlobalContract:\n return {\n type: ActionType.UseGlobalContract,\n accountId: a.account_id,\n codeHash: a.code_hash,\n };\n default:\n // Exhaustive guard\n throw new Error(`Unsupported wasm action_type: ${(a as any)?.action_type}`);\n }\n}\n\n/** Convert a TransactionInputWasm structure to TransactionInput */\nexport function fromTransactionInputWasm(tx: TransactionInputWasm): TransactionInput {\n return {\n receiverId: tx.receiverId,\n actions: tx.actions.map(fromActionArgsWasm)\n };\n}\n\n/** Convert an array of TransactionInputWasm to TransactionInput[] */\nexport function fromTransactionInputsWasm(txs: TransactionInputWasm[]): TransactionInput[] {\n return (txs || []).map(fromTransactionInputWasm);\n}\nimport { isObject } from '@/utils/validation';\n","// Canonical intent digest helpers for UI/host validation.\n// Used by both VRF-driven flows and signer-worker signing flows.\n//\n// Uses Web Crypto API (crypto.subtle). Import a minimal base64url helper that does not pull bs58.\nimport { ActionType, type ActionArgsWasm, type TransactionInputWasm } from '@/core/types';\nimport { base64UrlEncode } from '@/utils/base64';\nimport { alphabetizeStringify, sha256BytesUtf8 } from '@/utils/digests';\n\nexport async function sha256Base64UrlUtf8(input: string): Promise<string> {\n const digest = await sha256BytesUtf8(input);\n return base64UrlEncode(digest);\n}\n\nexport async function computeUiIntentDigestFromNep413(args: {\n nearAccountId: string;\n recipient: string;\n message: string;\n}): Promise<string> {\n // This is a UI/host + VRF binding digest. It is NOT the NEP-413 signing hash.\n const json = alphabetizeStringify({ kind: 'nep413', ...args });\n return sha256Base64UrlUtf8(json);\n}\n\nexport async function computeThresholdEd25519KeygenIntentDigest(args: {\n nearAccountId: string;\n rpId: string;\n clientVerifyingShareB64u: string;\n}): Promise<string> {\n const json = alphabetizeStringify({ kind: 'threshold_ed25519_keygen', ...args });\n return sha256Base64UrlUtf8(json);\n}\n\nexport async function computeLoginIntentDigest(args: {\n nearAccountId: string;\n rpId: string;\n}): Promise<string> {\n const json = alphabetizeStringify({ kind: 'login_session', ...args });\n return sha256Base64UrlUtf8(json);\n}\n\n// Canonical intent digest for signing flows.\n// This is a UI/host validation digest derived from `{ receiverId, actions }` only; it is NOT the\n// canonical NEAR signing hash (NEAR signs `sha256(borsh(Transaction))`, computed in the WASM signer).\n// Both VRF-side code (confirmAndPrepareSigningSession) and all UI confirmers MUST call this with\n// TransactionInputWasm[] built from:\n// { receiverId, actions: ActionArgsWasm[] }\n// where each ActionArgsWasm has been normalized via orderActionForDigest.\n//\n// IMPORTANT:\n// - The order of transactions and the order of actions within each transaction is preserved.\n// - Only the *keys inside each object* are alphabetically sorted to produce a stable JSON encoding.\n// The arrays themselves are not reordered.\n// - Do NOT include nonce or other per-tx fields in the digest input, or INTENT_DIGEST_MISMATCH errors will occur.\nexport async function computeUiIntentDigestFromTxs(txInputs: TransactionInputWasm[]): Promise<string> {\n // Preserve array order; only object keys are sorted for stable encoding.\n // This must match the relayer/server-side recomputation used for VRF binding.\n const json = alphabetizeStringify(txInputs);\n return sha256Base64UrlUtf8(json);\n}\n\nexport function orderActionForDigest(a: ActionArgsWasm): ActionArgsWasm {\n switch (a.action_type) {\n case ActionType.FunctionCall:\n return { action_type: a.action_type, args: a.args, deposit: a.deposit, gas: a.gas, method_name: a.method_name };\n case ActionType.Transfer:\n return { action_type: a.action_type, deposit: a.deposit };\n case ActionType.Stake:\n return { action_type: a.action_type, stake: a.stake, public_key: a.public_key };\n case ActionType.AddKey:\n return { action_type: a.action_type, public_key: a.public_key, access_key: a.access_key };\n case ActionType.DeleteKey:\n return { action_type: a.action_type, public_key: a.public_key };\n case ActionType.DeleteAccount:\n return { action_type: a.action_type, beneficiary_id: a.beneficiary_id };\n case ActionType.DeployContract:\n return { action_type: a.action_type, code: a.code };\n case ActionType.SignedDelegate:\n return { action_type: a.action_type, delegate_action: a.delegate_action, signature: a.signature };\n case ActionType.DeployGlobalContract:\n return { action_type: a.action_type, code: a.code, deploy_mode: a.deploy_mode };\n case ActionType.UseGlobalContract:\n return { action_type: a.action_type, account_id: a.account_id, code_hash: a.code_hash };\n case ActionType.CreateAccount:\n return { action_type: a.action_type };\n default: {\n const _exhaustive: never = a;\n return _exhaustive;\n }\n }\n}\n","import { VRFChallenge } from '@/core/types/vrf-worker';\nimport { TransactionInputWasm } from '../../../types';\nimport { ConfirmationConfig } from '../../../types';\nimport { TransactionContext } from '../../../types/rpc';\nimport { RpcCallPayload } from '../../../types/signer-worker';\nimport { WebAuthnAuthenticationCredential, WebAuthnRegistrationCredential } from '../../../types/webauthn';\nimport { isObject, isString } from '@/utils/validation';\n\n// === SECURE CONFIRM TYPES (V2) ===\n\nexport enum SecureConfirmMessageType {\n PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD = 'PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD',\n USER_PASSKEY_CONFIRM_RESPONSE = 'USER_PASSKEY_CONFIRM_RESPONSE',\n}\n\n/**\n * Type-level guardrail: these secrets must never appear in main-thread\n * request/response envelopes. WrapKeySeed is delivered only over the dedicated\n * VRF→Signer MessagePort, and PRF outputs should only exist inside credentials.\n */\nexport type ForbiddenMainThreadSecrets = {\n prfOutput?: never;\n prf_output?: never;\n wrapKeySeed?: never;\n wrapKeySalt?: never;\n vrf_sk?: never;\n prfKey?: never;\n};\n\nexport interface SecureConfirmDecision extends ForbiddenMainThreadSecrets {\n requestId: string;\n intentDigest?: string;\n confirmed: boolean;\n credential?: SerializableCredential; // Serialized WebAuthn credential\n vrfChallenge?: VRFChallenge; // VRF challenge generated during confirmation\n transactionContext?: TransactionContext; // NEAR data fetched during confirmation\n // This is a private field used to close the confirmation modal\n _confirmHandle?: { close: (confirmed: boolean) => void };\n error?: string;\n}\n\nexport interface TransactionSummary {\n totalAmount?: string;\n title?: string;\n body?: string;\n method?: string;\n intentDigest?: string;\n receiverId?: string;\n type?: string;\n delegate?: {\n senderId?: string;\n receiverId?: string;\n nonce?: string;\n maxBlockHeight?: string;\n };\n registrationDetails?: {\n nearAccountId: string;\n deviceNumber: number;\n deterministicVrfPublicKey?: string;\n };\n vrfChallenge?: VRFChallenge;\n summary?: unknown;\n}\n\n// Payload to return to Rust WASM is snake_case\nexport interface WorkerConfirmationResponse {\n request_id: string;\n intent_digest?: string;\n confirmed: boolean;\n credential?: SerializableCredential;\n vrf_challenge?: VRFChallenge; // VRF challenge generated during confirmation\n transaction_context?: TransactionContext; // NEAR data fetched during confirmation\n error?: string;\n}\n\n// ===== V2 MESSAGE TYPES =====\n\nexport enum SecureConfirmationType {\n SIGN_TRANSACTION = 'signTransaction',\n REGISTER_ACCOUNT = 'registerAccount',\n LINK_DEVICE = 'linkDevice',\n DECRYPT_PRIVATE_KEY_WITH_PRF = 'decryptPrivateKeyWithPrf',\n SIGN_NEP413_MESSAGE = 'signNep413Message',\n SHOW_SECURE_PRIVATE_KEY_UI = 'showSecurePrivateKeyUi',\n}\n\nexport type SigningAuthMode = 'webauthn' | 'warmSession';\n\n// V2 summaries (render-oriented / UI hints)\nexport interface TxSummary { totalAmount?: string; method?: string; receiverId?: string }\nexport interface RegistrationSummary {\n nearAccountId: string;\n deviceNumber?: number;\n contractId?: string;\n title?: string;\n body?: string;\n}\nexport type ExportOperation = 'Export Private Key' | 'Decrypt Private Key';\nexport interface ExportSummary { operation: ExportOperation; accountId: string; publicKey: string; warning: string }\nexport interface Nep413Summary { operation: 'Sign NEP-413 Message'; message: string; recipient: string; accountId: string }\n\n// V2 request envelope\nexport type SecureConfirmPayloadByType = {\n [SecureConfirmationType.SIGN_TRANSACTION]: SignTransactionPayload;\n [SecureConfirmationType.REGISTER_ACCOUNT]: RegisterAccountPayload;\n [SecureConfirmationType.LINK_DEVICE]: RegisterAccountPayload;\n [SecureConfirmationType.DECRYPT_PRIVATE_KEY_WITH_PRF]: DecryptPrivateKeyWithPrfPayload;\n [SecureConfirmationType.SIGN_NEP413_MESSAGE]: SignNep413Payload;\n [SecureConfirmationType.SHOW_SECURE_PRIVATE_KEY_UI]: ShowSecurePrivateKeyUiPayload;\n};\n\nexport type SecureConfirmSummaryByType = {\n [SecureConfirmationType.SIGN_TRANSACTION]: TransactionSummary;\n [SecureConfirmationType.REGISTER_ACCOUNT]: RegistrationSummary;\n [SecureConfirmationType.LINK_DEVICE]: RegistrationSummary;\n [SecureConfirmationType.DECRYPT_PRIVATE_KEY_WITH_PRF]: ExportSummary;\n [SecureConfirmationType.SIGN_NEP413_MESSAGE]: TransactionSummary;\n [SecureConfirmationType.SHOW_SECURE_PRIVATE_KEY_UI]: ExportSummary;\n};\n\nexport type SecureConfirmPayload = SecureConfirmPayloadByType[keyof SecureConfirmPayloadByType];\nexport type SecureConfirmSummary = SecureConfirmSummaryByType[keyof SecureConfirmSummaryByType];\n\nexport interface SecureConfirmRequest<TPayload = SecureConfirmPayload, TSummary = SecureConfirmSummary> {\n requestId: string;\n type: SecureConfirmationType;\n summary: TSummary;\n payload: TPayload;\n // Allow partial override from callers; effective config is computed later\n confirmationConfig?: Partial<ConfirmationConfig>;\n // Optional intent digest to echo back in responses for flows that\n // do not have a tx-centric payload (e.g., registration/link flows)\n intentDigest?: string;\n}\n\n// V2 payloads\nexport interface SignTransactionPayload {\n txSigningRequests: TransactionInputWasm[];\n intentDigest: string;\n rpcCall: RpcCallPayload;\n /**\n * Optional base64url-encoded 32-byte digest to bind a relayer session policy into the VRF input hash (v4+ only).\n * When present, it will be forwarded to the VRF worker for inclusion in VRF input derivation.\n */\n sessionPolicyDigest32?: string;\n /**\n * Controls whether confirmTxFlow should collect a WebAuthn credential.\n * - `webauthn`: prompt TouchID/FaceID and derive WrapKeySeed from PRF.first_auth.\n * - `warmSession`: skip WebAuthn and dispense the existing VRF session key to the signer worker.\n */\n signingAuthMode?: SigningAuthMode;\n}\n\nexport interface RegisterAccountPayload {\n nearAccountId: string;\n deviceNumber?: number;\n rpcCall: RpcCallPayload;\n}\n\nexport interface DecryptPrivateKeyWithPrfPayload {\n nearAccountId: string;\n publicKey: string;\n}\n\nexport interface ShowSecurePrivateKeyUiPayload {\n nearAccountId: string;\n publicKey: string;\n privateKey: string;\n variant?: 'drawer' | 'modal';\n theme?: 'dark' | 'light';\n}\n\nexport interface SignNep413Payload {\n nearAccountId: string;\n message: string;\n recipient: string;\n /**\n * Optional base64url-encoded 32-byte digest to bind a relayer session policy into the VRF input hash (v4+ only).\n */\n sessionPolicyDigest32?: string;\n /**\n * Optional contract verification context for VRF gating.\n * When provided, VRF Rust can call `verify_authentication_response` on-chain\n * before deriving and dispensing session keys.\n */\n contractId?: string;\n /**\n * Optional NEAR RPC URL for contract verification (single URL or failover list).\n */\n nearRpcUrl?: string;\n /**\n * Controls whether confirmTxFlow should collect a WebAuthn credential for this signing intent.\n * See `SignTransactionPayload.signingAuthMode`.\n */\n signingAuthMode?: SigningAuthMode;\n}\n\n// Type guards\nexport function isSecureConfirmRequestV2(x: unknown): x is SecureConfirmRequest {\n return isObject(x)\n && isString((x as { type?: unknown }).type)\n && isString((x as { requestId?: unknown }).requestId)\n && (x as { summary?: unknown }).summary != null\n && (x as { payload?: unknown }).payload != null;\n}\n\n// Serialized WebAuthn credential (authentication or registration)\nexport type SerializableCredential = WebAuthnAuthenticationCredential | WebAuthnRegistrationCredential;\n\n// Discriminated unions to bind `type` to payload shape\nexport type SecureConfirmRequestByType<TType extends SecureConfirmationType> =\n SecureConfirmRequest<SecureConfirmPayloadByType[TType], SecureConfirmSummaryByType[TType]> & { type: TType };\n\nexport type LocalOnlySecureConfirmRequest =\n | SecureConfirmRequestByType<SecureConfirmationType.DECRYPT_PRIVATE_KEY_WITH_PRF>\n | SecureConfirmRequestByType<SecureConfirmationType.SHOW_SECURE_PRIVATE_KEY_UI>;\n\nexport type RegistrationSecureConfirmRequest =\n | SecureConfirmRequestByType<SecureConfirmationType.REGISTER_ACCOUNT>\n | SecureConfirmRequestByType<SecureConfirmationType.LINK_DEVICE>;\n\nexport type SigningSecureConfirmRequest =\n | SecureConfirmRequestByType<SecureConfirmationType.SIGN_TRANSACTION>\n | SecureConfirmRequestByType<SecureConfirmationType.SIGN_NEP413_MESSAGE>;\n\nexport type KnownSecureConfirmRequest =\n | LocalOnlySecureConfirmRequest\n | RegistrationSecureConfirmRequest\n | SigningSecureConfirmRequest;\n","import type { TransactionSummary, SecureConfirmDecision } from '../types';\nimport { SecureConfirmMessageType } from '../types';\nimport { isObject, isFunction, isString } from '@/utils/validation';\nimport { toError, isTouchIdCancellationError } from '../../../../../utils/errors';\n\nexport function parseTransactionSummary(summaryData: unknown): TransactionSummary {\n if (!summaryData) return {};\n if (isString(summaryData)) {\n try {\n const parsed = JSON.parse(summaryData) as unknown;\n return isObject(parsed) ? (parsed as TransactionSummary) : {};\n } catch (parseError) {\n console.warn('[SignerWorkerManager]: Failed to parse summary string:', parseError);\n return {};\n }\n }\n return isObject(summaryData) ? (summaryData as TransactionSummary) : {};\n}\n\n// ===== Utility: postMessage sanitization (exported in case flows need to respond directly) =====\nexport type NonFunctionKeys<T> = { [K in keyof T]: T[K] extends Function ? never : K }[keyof T];\n\nexport type ShallowPostMessageSafe<T> = T extends object\n ? Omit<Pick<T, NonFunctionKeys<T>>, '_confirmHandle'>\n : T;\n\nexport function sanitizeForPostMessage<T>(data: T): ShallowPostMessageSafe<T> {\n if (data == null) return data as ShallowPostMessageSafe<T>;\n if (Array.isArray(data)) return data.map((v) => v) as unknown as ShallowPostMessageSafe<T>;\n if (isObject(data)) {\n const src = data as Record<string, unknown>;\n const out: Record<string, unknown> = {};\n for (const key of Object.keys(src)) {\n if (key === '_confirmHandle') continue;\n const value = src[key];\n if (isFunction(value)) continue;\n out[key] = value;\n }\n return out as ShallowPostMessageSafe<T>;\n }\n return data as ShallowPostMessageSafe<T>;\n}\n\n// ===== Shared worker response + UI close helpers =====\nexport const ERROR_MESSAGES = {\n cancelled: 'User cancelled secure confirm request',\n collectCredentialsFailed: 'Failed to collect credentials',\n nearRpcFailed: 'Failed to fetch NEAR data',\n} as const;\n\nexport function sendConfirmResponse(worker: Worker, response: SecureConfirmDecision) {\n const sanitized = sanitizeForPostMessage(response);\n worker.postMessage({ type: SecureConfirmMessageType.USER_PASSKEY_CONFIRM_RESPONSE, data: sanitized });\n}\n\nexport function isUserCancelledSecureConfirm(error: unknown): boolean {\n return (\n isTouchIdCancellationError(error) ||\n (() => {\n const e = toError(error);\n return e?.name === 'NotAllowedError' || e?.name === 'AbortError';\n })()\n );\n}\n\n","import {\n SecureConfirmRequest,\n SecureConfirmationType,\n SignTransactionPayload,\n RegisterAccountPayload,\n SignNep413Payload,\n} from '../types';\n\nexport function getNearAccountId(request: SecureConfirmRequest): string {\n switch (request.type) {\n case SecureConfirmationType.SIGN_TRANSACTION:\n return getSignTransactionPayload(request).rpcCall.nearAccountId;\n case SecureConfirmationType.SIGN_NEP413_MESSAGE:\n return (request.payload as SignNep413Payload).nearAccountId;\n case SecureConfirmationType.REGISTER_ACCOUNT:\n case SecureConfirmationType.LINK_DEVICE:\n return getRegisterAccountPayload(request).nearAccountId;\n case SecureConfirmationType.DECRYPT_PRIVATE_KEY_WITH_PRF: {\n const p = request.payload as { nearAccountId?: string };\n return p?.nearAccountId || '';\n }\n case SecureConfirmationType.SHOW_SECURE_PRIVATE_KEY_UI: {\n const p = request.payload as { nearAccountId?: string };\n return p?.nearAccountId || '';\n }\n default:\n return '';\n }\n}\n\nexport function getTxCount(request: SecureConfirmRequest): number {\n return request.type === SecureConfirmationType.SIGN_TRANSACTION\n ? (getSignTransactionPayload(request).txSigningRequests?.length || 1)\n : 1;\n}\n\nexport function getIntentDigest(request: SecureConfirmRequest): string | undefined {\n if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {\n const p = request?.payload as Partial<SignTransactionPayload> | undefined;\n return p?.intentDigest;\n }\n return request?.intentDigest;\n}\n\nexport function getSignTransactionPayload(request: SecureConfirmRequest): SignTransactionPayload {\n if (request.type !== SecureConfirmationType.SIGN_TRANSACTION) {\n throw new Error(`Expected SIGN_TRANSACTION request, got ${request.type}`);\n }\n return request.payload as SignTransactionPayload;\n}\n\nexport function getRegisterAccountPayload(request: SecureConfirmRequest): RegisterAccountPayload {\n if (request.type !== SecureConfirmationType.REGISTER_ACCOUNT && request.type !== SecureConfirmationType.LINK_DEVICE) {\n throw new Error(`Expected REGISTER_ACCOUNT or LINK_DEVICE request, got ${request.type}`);\n }\n return request.payload as RegisterAccountPayload;\n}\n\n","import type { ClientAuthenticatorData, UnifiedIndexedDBManager } from '../IndexedDBManager';\nimport type { AccountId } from '../types/accountIds';\nimport { toAccountId } from '../types/accountIds';\nimport type { VRFChallenge } from '../types/vrf-worker';\nimport { authenticatorsToAllowCredentials } from './touchIdPrompt';\nimport type { TouchIdPrompt } from './touchIdPrompt';\nimport type { WebAuthnAuthenticationCredential } from '../types/webauthn';\n\nexport async function collectAuthenticationCredentialForVrfChallenge(args: {\n indexedDB: UnifiedIndexedDBManager;\n touchIdPrompt: Pick<TouchIdPrompt, 'getAuthenticationCredentialsSerialized' | 'getAuthenticationCredentialsSerializedDualPrf'>;\n nearAccountId: AccountId | string;\n vrfChallenge: VRFChallenge;\n onBeforePrompt?: (info: {\n authenticators: ClientAuthenticatorData[];\n authenticatorsForPrompt: ClientAuthenticatorData[];\n vrfChallenge: VRFChallenge;\n }) => void;\n /**\n * When true, include PRF.second in the serialized credential.\n * Use only for explicit recovery/export flows (higher-friction paths).\n */\n includeSecondPrfOutput?: boolean;\n}): Promise<WebAuthnAuthenticationCredential> {\n const nearAccountId = toAccountId(args.nearAccountId);\n\n const authenticators = await args.indexedDB.clientDB.getAuthenticatorsByUser(nearAccountId);\n let authenticatorsForPrompt: ClientAuthenticatorData[] = authenticators;\n if (authenticators.length > 0) {\n ({ authenticatorsForPrompt } = await args.indexedDB.clientDB.ensureCurrentPasskey(\n toAccountId(nearAccountId),\n authenticators,\n ));\n }\n\n args.onBeforePrompt?.({ authenticators, authenticatorsForPrompt, vrfChallenge: args.vrfChallenge });\n\n const allowCredentials = authenticatorsToAllowCredentials(authenticatorsForPrompt);\n const serialized = args.includeSecondPrfOutput\n ? await args.touchIdPrompt.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId,\n challenge: args.vrfChallenge,\n allowCredentials,\n })\n : await args.touchIdPrompt.getAuthenticationCredentialsSerialized({\n nearAccountId,\n challenge: args.vrfChallenge,\n allowCredentials,\n });\n\n // Verify that the chosen credential matches the \"current\" passkey device, when applicable.\n if (authenticators.length > 0) {\n const { wrongPasskeyError } = await args.indexedDB.clientDB.ensureCurrentPasskey(\n toAccountId(nearAccountId),\n authenticators,\n serialized.rawId,\n );\n if (wrongPasskeyError) {\n throw new Error(wrongPasskeyError);\n }\n }\n\n return serialized;\n}\n"],"mappings":";;;;;;;AAsBA,SAAgB,YAAY,WAA8B;CACxD,MAAM,aAAa,sBAAsB;AACzC,KAAI,CAAC,WAAW,MACd,OAAM,IAAI,MAAM,4BAA4B;AAE9C,QAAO;;;;;;;;;;;;;;;ACjBT,MAAa,gBAAgB,UAAqD;CAChF,MAAM,QAAQ,YAAY,OAAO,SAC7B,IAAI,WAAW,MAAM,QAAQ,MAAM,YAAY,MAAM,cACrD,IAAI,WAAW;CACnB,IAAI,SAAS;AAEb,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,IAChC,WAAU,OAAO,aAAa,MAAM;AAEtC,QAAO,KAAK;;;;;;;;;;AAWd,SAAgB,aAAa,QAA4B;CACvD,MAAM,eAAe,KAAK;CAC1B,MAAM,QAAQ,IAAI,WAAW,aAAa;AAC1C,MAAK,IAAI,IAAI,GAAG,IAAI,aAAa,QAAQ,IACvC,OAAM,KAAK,aAAa,WAAW;AAErC,QAAO;;;;;;;;;;;;;;;AAgBT,MAAa,mBAAmB,UAAqD;AACnF,QAAO,aAAa,OACjB,QAAQ,OAAO,KACf,QAAQ,OAAO,KACf,QAAQ,MAAM;;;;;;;;;;AAWnB,SAAgB,gBAAgB,WAA+B;CAC7D,MAAM,UAAU,IAAI,QAAQ,IAAK,UAAU,SAAS,KAAM;CAC1D,MAAM,SAAS,UAAU,QAAQ,MAAM,KAAK,QAAQ,MAAM,OAAO;CACjE,MAAM,eAAe,KAAK;CAC1B,MAAM,QAAQ,IAAI,WAAW,aAAa;AAC1C,MAAK,IAAI,IAAI,GAAG,IAAI,aAAa,QAAQ,IACvC,OAAM,KAAK,aAAa,WAAW;AAErC,QAAO;;;;;;;;;;;;ACnET,SAAgB,aAAa,KAAsB;AACjD,KAAI;AACF,MAAI,OAAO,QAAQ,SAAU,QAAO;AACpC,MAAI,OAAO,OAAQ,IAA8B,YAAY,SAC3D,QAAQ,IAA4B;AAEtC,SAAO,OAAO,OAAO;SACf;AACN,SAAO;;;;;;;;AASX,SAAgB,QAAQ,GAAmB;AACzC,KAAI,aAAa,MAAO,QAAO;CAC/B,MAAM,MAAM,IAAI,MAAM,aAAa;AACnC,KAAI;EACF,MAAM,MAAM;AACZ,MAAI,OAAO,KAAK,SAAS,SAAU,KAAI,OAAO,IAAI;AAClD,MAAI,OAAO,KAAK,UAAU,SAAU,CAAC,IAA2B,QAAQ,IAAI;AAC5E,MAAI,OAAO,OAAO,IAAI,SAAS,YAAa,CAAC,IAA2B,OAAO,IAAI;AACnF,MAAI,OAAO,OAAO,IAAI,YAAY,YAAa,CAAC,IAA8B,UAAU,IAAI;SACtF;AACR,QAAO;;;;;;;AAQT,SAAgB,2BAA2B,OAAyB;CAClE,MAAM,MAAM,aAAa;CAGzB,MAAM,QAAQ,IAAI;AAElB,QAAO,IAAI,SAAS,wDACb,IAAI,SAAS,sBACb,IAAI,SAAS,iBACb,MAAM,SAAS,qBACf,MAAM,SAAS,oBACf,MAAM,SAAS;;;;;AChDxB,SAAS,SAAS,OAAkD;AAClE,QAAO,UAAU,QAAQ,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ;;AAKvE,SAAgB,qBAAqB,OAAwB;CAC3D,MAAM,kBAAkB,UAA4B;AAClD,MAAI,MAAM,QAAQ,OAChB,QAAO,MAAM,IAAI;AAEnB,MAAI,SAAS,QAAQ;GACnB,MAAM,aAAa,OAAO,KAAK,OAAO;GACtC,MAAMA,SAAkC;AACxC,QAAK,MAAM,OAAO,WAChB,QAAO,OAAO,eAAe,MAAM;AAErC,UAAO;;AAET,SAAO;;AAGT,QAAO,KAAK,UAAU,eAAe;;AAGvC,eAAsB,gBAAgB,OAAoC;CACxE,MAAM,OAAO,IAAI,cAAc,OAAO;CACtC,MAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW;AACrD,QAAO,IAAI,WAAW;;;;;;;;;;ACmExB,SAAgB,gBAAgB,cAAwC;CACtE,IAAI,iBAAiB,gBAAgB,aAAa;AAClD,QAAO,eAAe,MAAM,GAAG;;;;;;;AAQjC,SAAgB,qBAAqB,kBAWpB;AACf,KAAI,CAAC,iBAAiB,YAAY,OAAO,iBAAiB,aAAa,SACrE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,aAAa,OAAO,iBAAiB,cAAc,SACvE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,YAAY,OAAO,iBAAiB,aAAa,SACrE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,gBAAgB,OAAO,iBAAiB,iBAAiB,SAC7E,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,UAAU,OAAO,iBAAiB,WAAW,SACjE,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,QAAQ,OAAO,iBAAiB,SAAS,SAC7D,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,eAAe,OAAO,iBAAiB,gBAAgB,SAC3E,OAAM,IAAI,MAAM;AAElB,KAAI,CAAC,iBAAiB,aAAa,OAAO,iBAAiB,cAAc,SACvE,OAAM,IAAI,MAAM;AAGlB,QAAO;EACL,UAAU,iBAAiB;EAC3B,WAAW,iBAAiB;EAC5B,UAAU,iBAAiB;EAC3B,cAAc,iBAAiB;EAC/B,QAAQ,iBAAiB;EACzB,MAAM,iBAAiB;EACvB,aAAa,iBAAiB;EAC9B,WAAW,iBAAiB;EAC5B,GAAI,iBAAiB,eAAe,EAAE,cAAc,iBAAiB,iBAAiB;EACtF,GAAI,iBAAiB,wBAAwB,EAAE,uBAAuB,iBAAiB,0BAA0B;;;;;;;;AASrH,SAAgB,2BAAkD;CAChE,MAAM,YAAY,OAAO,gBAAgB,IAAI,WAAW;CACxD,MAAM,YAAY,gBAAgB,UAAU;AAC5C,QAAO;EACM;EACX,UAAU;EACV,UAAU;EACV,cAAc;EACd,QAAQ;EACR,MAAM;EACN,aAAa;EACb,WAAW;;;;;;;;;;;;;AChKf,SAAgB,gCACd,YACgC;CAChC,MAAM,WAAW,WAAW;CAE5B,IAAIC,aAAuB;AAC3B,KAAI;EACF,MAAM,KAAM,UAAiD;AAC7D,MAAI,OAAO,OAAO,WAChB,cAAa,GAAG,KAAK,aAAa;SAE9B;AACN,eAAa;;AAGf,QAAO;EACL,IAAI,WAAW;EACf,OAAO,gBAAgB,WAAW;EAClC,MAAM,WAAW;EACjB,yBAAyB,WAAW,2BAA2B;EAC/D,UAAU;GACR,gBAAgB,gBAAgB,SAAS;GACzC,mBAAmB,gBAAgB,SAAS;GAC5C;;EAEF,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;AAOlB,SAAgB,kCACd,YACkC;CAClC,MAAM,WAAW,WAAW;AAE5B,QAAO;EACL,IAAI,WAAW;EACf,OAAO,gBAAgB,WAAW;EAClC,MAAM,WAAW;EACjB,yBAAyB,WAAW,2BAA2B;EAC/D,UAAU;GACR,gBAAgB,gBAAgB,SAAS;GACzC,mBAAmB,gBAAgB,SAAS;GAC5C,WAAW,gBAAgB,SAAS;GACpC,YAAY,SAAS,aAAa,gBAAgB,SAAS,cAA6B;;EAE1F,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;;;;;;AAYlB,SAAgB,uCAAuC,EACrD,YACA,iBAAiB,MACjB,kBAAkB,QAKe;CACjC,MAAM,OAAO,gCAAgC;CAC7C,MAAM,EAAE,mBAAmB,qBAAqB,yBAAyB;EACvE;EACA;EACA;;AAEF,QAAO;EACL,GAAG;EACH,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;AAOlB,SAAgB,yCAAyC,EACvD,YACA,iBAAiB,MACjB,kBAAkB,SAKiB;CACnC,MAAM,OAAO,kCAAkC;CAC/C,MAAM,EAAE,mBAAmB,qBAAqB,yBAAyB;EACvE;EACA;EACA;;AAEF,QAAO;EACL,GAAG;EACH,wBAAwB,EACtB,KAAK,EACH,SAAS;GACP,OAAO;GACP,QAAQ;;;;;;;;;AAkBlB,SAAgB,gCAAgC,OAAgD;AAC9F,KAAI,CAAC,SAAS,OAAQ,OAAM,IAAI,MAAM;CAEtC,MAAM,YAAY;CAClB,MAAMC,aAAsC,EAAE,GAAG;AAEjD,KAAI,CAAC,SAAS,WAAW,IAAK,OAAM,IAAI,MAAM;AAC9C,KAAI,CAAC,SAAS,WAAW,MAAO,OAAM,IAAI,MAAM;AAEhD,KAAI,CAAC,SAAS,WAAW,OAAQ,YAAW,QAAQ;AACpD,KAAI,WAAW,4BAA4B,UAAa,CAAC,SAAS,WAAW,yBAC3E,YAAW,0BAA0B,OAAO,WAAW;CAGzD,MAAMC,WAAoC,SAAS,WAAW,YAC1D,EAAE,GAAI,WAAW,aACjB;AAEJ,KAAI,CAAC,SAAS,SAAS,gBAAiB,UAAS,iBAAiB;AAClE,KAAI,CAAC,SAAS,SAAS,mBAAoB,UAAS,oBAAoB;AACxE,KAAI,CAAC,QAAgB,SAAS,YAAa,UAAS,aAAa;AAEjE,YAAW,WAAW;AACtB,YAAW,yBAAyB,gCAAgC,WAAW;AAE/E,QAAO;;;;;;;;;;;;AA8CT,SAAgB,qBAAuD,YAAkB;CAGvF,MAAMC,WAAqB,WAAsC;CACjE,MAAM,4BAA4B,SAAS,mBAChC;EACP,MAAM,SAAS,EAAE,GAAI;AACrB,MAAI,4BAA4B,OAAQ,QAAO,yBAAyB;AACxE,SAAO;QAEP;AAEJ,QAAO;EACL,GAAG;EACH,UAAU;EACV,wBAAwB;;;;;;;AAY5B,SAAgB,mCAAmC,GAAiD;AAClG,KAAI,CAAC,SAAS,GAAI,QAAO;CACzB,MAAM,YAAY;AAOlB,KAAI,CAAC,SAAS,UAAU,OAAO,CAAC,SAAS,UAAU,UAAU,CAAC,SAAS,UAAU,MAC/E,QAAO;AAGT,KAAI,CAAC,SAAS,UAAU,UAAW,QAAO;CAC1C,MAAM,WAAW,UAAU;AAM3B,KAAI,CAAC,SAAS,SAAS,mBAAmB,CAAC,SAAS,SAAS,mBAC3D,QAAO;AAGT,QAAO,SAAS,cAAc,QAAQ,QAAQ,SAAS;;;;;;;AAQzD,SAAgB,qBAAqB,eAAmC;CACtE,MAAM,aAAa,iBAAiB;CACpC,MAAM,OAAO,IAAI,WAAW;CAC5B,MAAM,YAAY,IAAI,cAAc,OAAO;AAC3C,MAAK,IAAI,UAAU,MAAM,GAAG;AAC5B,QAAO;;;;;;;AAQT,SAAgB,oBAAoB,eAAmC;CACrE,MAAM,aAAa,gBAAgB;CACnC,MAAM,OAAO,IAAI,WAAW;CAC5B,MAAM,YAAY,IAAI,cAAc,OAAO;AAC3C,MAAK,IAAI,UAAU,MAAM,GAAG;AAC5B,QAAO;;;;;;;;;;AA+CT,SAAS,yBAAyB,EAChC,YACA,iBAAiB,MACjB,kBAAkB,SAKD;CAEjB,MAAM,mBAAmB,oBAAoB;CAG7C,MAAM,aAAa,wBAAwB;AAG3C,oBAAmB,YAAY,gBAAgB;CAG/C,MAAM,eAAe,iBAAiB,6BAA6B,WAAW,SAAS;CACvF,MAAM,gBAAgB,kBAAkB,6BAA6B,WAAW,UAAU;AAG1F,KAAI,kBAAkB,CAAC,aACrB,OAAM,IAAI,MAAM;AAElB,KAAI,mBAAmB,CAAC,cACtB,OAAM,IAAI,MAAM;AAGlB,QAAO;EACL,mBAAmB,gBAAgB;EACnC,kBAAkB,iBAAiB;;;;AAKvC,SAAS,oBAAoB,YAAoE;AAC/F,KAAI;EACF,MAAM,KAAM,WAA6D;AACzE,MAAI,OAAO,OAAO,WAChB,QAAO,GAAG,KAAK;SAEX;AAGR,QAAQ,WAAoD;;;AAI9D,SAAS,wBAAwB,kBAAwE;AACvG,KAAI;AACF,SAAO,kBAAkB,KAAK;SACxB;AACN,SAAO;;;;AAKX,SAAS,mBACP,YACA,eACA,gBACkC;AAClC,KAAI,CAAC,WACH,OAAM,IAAI,MAAM;CAKlB,MAAM,gBAAgB,WAAW,UAAU,UAAa,WAAW,WAAW;AAC9E,KAAI,CAAC,kBAAkB,iBAAiB,gBACtC,OAAM,IAAI,MAAM;;;AAKpB,SAAS,6BAA6B,OAAoC;AACxE,KAAI,CAAC,MAAO,QAAO;AAGnB,KAAI,OAAO,UAAU,SAAU,QAAO;AAGtC,KAAI,iBAAiB,YAAa,QAAO,gBAAgB;AAGzD,KAAI,YAAY,OAAO,OACrB,QAAO,gBAAgB,MAAM;AAI/B,KAAI;AACF,SAAO,gBAAgB;SACjB;AAEN,MAAI;AACF,UAAO,gBAAgB,IAAI,WAAW,OAA0B;UAC1D;AACN,UAAO;;;;;;;;;;;;;;;AAoBb,SAAS,gCAAgC,OAAuD;CAC9F,MAAMC,MAA6C,EACjD,KAAK,EAAE,SAAS;EAAE,OAAO;EAAW,QAAQ;;CAG9C,MAAM,MAAM,SAAS,SAAU,QAAoC;AAEnE,KAAI,OAAO,IAAI,UAAU,UAAW,KAAI,QAAQ,IAAI;AAEpD,KAAI,OAAO,IAAI,iBAAiB,UAAW,KAAI,eAAe,IAAI;AAElE,KAAI,OAAO,IAAI,qBAAqB,UAAW,KAAI,mBAAmB,IAAI;AAE1E,KAAI,SAAS,IAAI,YAAY;EAC3B,MAAM,KAAK,IAAI;EACf,MAAMC,QAAoC;AAC1C,MAAI,OAAO,GAAG,OAAO,UAAW,OAAM,KAAK,GAAG;AAC9C,MAAI,YAAY;;AAGlB,KAAI,QAAQ,IAAI,MAAM;EACpB,MAAM,SAAU,IAAI,IAAkB,OAAO,SAAS,KAAK,MAAM;GAC/D,MAAM,IAAI;GACV,MAAM,KAAK,OAAO,EAAE,OAAO,WAAY,EAAE,KAAgB;GACzD,MAAM,KAAK,OAAO,EAAE,OAAO,WAAY,EAAE,KAAgB;GACzD,MAAM,KAAK,OAAO,EAAE,OAAO,WAAY,EAAE,KAAgB;AACzD,UAAQ,OAAO,OAAO,YAAY,OAAO,OAAO,YAAY,OAAO,OAAO,WACtE;IAAC;IAAI;IAAI;OACT;KACH,QAAQ,MAAqC,MAAM,QAAQ;AAC9D,MAAI,OAAO,SAAS,EAAG,KAAI,MAAM;;AAGnC,KAAI,SAAS,IAAI,MAAM;EACrB,MAAM,MAAM,IAAI;EAChB,MAAM,UAAU,SAAS,IAAI,WAAY,IAAI,UAAsC;EACnF,MAAM,QAAQ,QAAQ;EACtB,MAAM,SAAS,QAAQ;AACvB,MAAI,MAAM,EACR,SAAS;GACP,OAAO,SAAS,SAAS,QAAQ;GACjC,QAAQ,SAAS,UAAU,SAAS;;;AAI1C,QAAO;;;;;ACxfT,MAAa,wBAAwB;CACnC,QAAQ;CACR,KAAK;CACL,cAAc;CACd,WAAW;;AAWb,SAAS,iBAAuC,MAA2B;AACzE,QAAQ,SAAS,sBAAsB,MACnC,sBAAsB,YACtB,sBAAsB;;;;;;;;;;;;;;;;;AA2C5B,eAAsB,yCACpB,MACA,WACA,MACwC;CAExC,MAAM,EACJ,MACA,UACA,YAAY,KACZ,iCAAiC,SAC/B;CACJ,MAAM,eAAe,KAAK,gBAAgB,IAAI;CAE9C,MAAM,8BAAuC;EAC3C,MAAM,IAAK;EACX,MAAM,IAAK,OAAO,WAAW,cAAe,SAAiB;AAC7D,SAAO,CAAC,EAAE,KAAK,EAAE,iCAAiC,CAAC,EAAE,KAAK,EAAE;;CAE9D,MAAM,eAAe,QAAgB;EACnC,MAAM,IAAK;AACX,IAAE,QAAQ,EAAE,QAAQ,KAAK;;AAK3B,KAAI,yBAAyB;AAC3B,MAAI,SAAS,SAAU,aAAY;MAC9B,aAAY;AACjB,MAAI;GACF,MAAM,UAAU,MAAM,4BAA4B,MAAM,WAAW,cAAc;AACjF,OAAI,SAAS,GAAI,QAAO,QAAQ;AAChC,OAAI,WAAW,CAAC,QAAQ,QACtB,OAAM,gBAAgB,QAAQ,SAAS;AAEzC,SAAM,IAAI,MAAM;WACTC,IAAa;AAEpB,SAAM,gBAAiB,IAAY,WAAW;;;CAIlD,MAAM,YAAY,YAAY;AAC5B,MAAI,SAAS,UAAU;AACrB,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AAEnD,UAAO,MAAM,UAAU,YAAY,OAAO;IAC7B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;SAEnD;AACL,eAAY;AACZ,OAAI,wBAAyB,OAAM,gBAAgB;AACnD,UAAO,MAAM,UAAU,YAAY,IAAI;IAC1B;IACX,GAAI,KAAK,cAAc,EAAE,QAAQ,KAAK,gBAAgB;;;;AAM5D,KAAI;AACF,SAAO,MAAM;UACNC,GAAY;EAInB,MAAM,OAAO,SAAS;AACtB,MAAI,SAAS,qBAAqB,CAAC,sBAAsB,MAAM,CAAC,0BAA0B,GACxF,OAAM;AAIR,MAAI,sBAAsB,MAAM,UAAU;AACxC,OAAI,SAAS,SAAS,CAAC,+BACrB,OAAM;AAER,OAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CD,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAKlD,MAAI,0BAA0B,IAAI;GAChC,MAAM,UAAU,MAAM;AACtB,OAAI,QACF,KAAI;AAAE,WAAO,MAAM;WAAqB;AAE1C,OAAI,SACF,KAAI;IACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,QAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,QAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;YAE7CA,IAAa;AACpB,UAAM,gBAAiB,IAAY,WAAW;;;AAMpD,MAAI,SACF,KAAI;GACF,MAAM,qBAAqB,MAAM,4BAA4B,MAAM,WAAW,cAAc;AAC5F,OAAI,oBAAoB,GAAI,QAAO,mBAAmB;AACtD,OAAI,sBAAsB,CAAC,mBAAmB,QAC5C,OAAM,gBAAgB,mBAAmB,SAAS;AAGpD,SAAM,IAAI,MAAM;WACTA,IAAa;AACpB,SAAM,gBAAiB,IAAY,WAAW;;AAKlD,QAAM;;;AAKV,eAAsB,4BACpB,MACA,WACA,QACA,WACyB;AACzB,KAAI,SAAS,SACX,QAAO,OAAO,QAAQ,sBAAsB,QAAQ,WAAiD;AAEvG,QAAO,OAAO,QAAQ,sBAAsB,KAAK,WAAgD;;AAInG,IAAa,mCAAb,MAAoF;CAClF,MAAM,QACJ,MACA,WACA,YAAY,KACa;EACzB,MAAM,YAAY,GAAG,KAAK,GAAG,KAAK,MAAM,GAAG,KAAK,SAAS,SAAS,IAAI,MAAM;EAC5E,MAAM,aAAa,iBAAiB;AAEpC,SAAO,IAAI,SAAS,YAAY;GAC9B,IAAI,UAAU;GACd,MAAM,UAAU,QAAwB;AAAE,QAAI,CAAC,SAAS;AAAE,eAAU;AAAM,aAAQ;;;GAElF,MAAM,aAAa,OAAqB;IACtC,MAAM,UAAU,IAAI;AACpB,QAAI,CAAC,WAAW,OAAQ,QAA+B,SAAS,SAAU;IAC1E,MAAM,IAAK,QAA6B;AACxC,QAAI,MAAM,WAAY;IACtB,MAAM,MAAO,QAAoC;AACjD,QAAI,QAAQ,UAAW;AACvB,WAAO,oBAAoB,WAAW;IACtC,MAAM,KAAK,CAAC,CAAE,QAA6B;IAC3C,MAAM,OAAQ,QAAqC;IACnD,MAAM,MAAO,QAAgC;AAC7C,QAAI,MAAM,KAAM,QAAO,OAAO;KAAE,IAAI;KAAM,YAAY;;AACtD,WAAO,OAAO;KAAE,IAAI;KAAO,OAAO,OAAO,QAAQ,WAAW,MAAM;;;AAEpE,UAAO,iBAAiB,WAAW;AACnC,UAAO,QAAQ,YAAY;IAAE,MAAM;IAAM;IAAW;MAA+D;AACnH,oBAAiB;AAAE,WAAO,oBAAoB,WAAW;AAAY,WAAO;KAAE,IAAI;KAAO,SAAS;;MAAY;;;;AAKpH,SAAS,gBAAgB,SAAwB;CAC/C,MAAM,IAAI,IAAI,MAAM;AACpB,CAAC,EAAU,OAAO;AAClB,QAAO;;AAIT,SAAS,sBAAsB,KAAuB;CACpD,MAAM,MAAM,YAAY;AACxB,QAAO,2DAA2D,KAAK;;AAGzE,SAAS,0BAA0B,KAAuB;CACxD,MAAM,OAAO,SAAS;CACtB,MAAM,MAAM,YAAY;CACxB,MAAM,eAAe,SAAS;CAC9B,MAAM,gBAAgB,6CAA6C,KAAK;AACxE,QAAO,QAAQ,gBAAgB;;AAGjC,SAAS,YAAY,KAAsB;AACzC,QAAO,OAAQ,KAA+B,WAAW;;AAG3D,SAAS,SAAS,KAAsB;CACtC,MAAM,IAAK,KAA4B;AACvC,QAAO,OAAO,MAAM,WAAW,IAAI;;AAIrC,eAAe,eAAe,aAAa,GAAG,SAAmB,CAAC,IAAI,MAAwB;AAC5F,CAAC,OAAe;AAChB,EAAC,UAAU,OAAc;CAEzB,MAAM,QAAQ,OAAe,IAAI,SAAQ,MAAK,WAAW,GAAG;CAC5D,MAAM,QAAQ,KAAK,IAAI,GAAG;AAC1B,MAAK,IAAI,IAAI,GAAG,KAAK,OAAO,KAAK;EAC/B,MAAM,IAAI,OAAO,MAAM,OAAO,OAAO,SAAS,MAAM;AACpD,QAAM,KAAK;AACX,MAAI,SAAS,WAAY,QAAO;AAChC,EAAC,OAAe;;AAElB,QAAO,SAAS;;;;;ACrRlB,SAAS,oBAAoB,MAAc,MAAuB;AAChE,KAAI,CAAC,QAAQ,CAAC,KAAM,QAAO;AAC3B,KAAI,SAAS,KAAM,QAAO;AAC1B,QAAO,KAAK,SAAS,MAAM;;AAG7B,SAAS,YAAY,UAA8B,MAAkC;CACnF,MAAM,KAAK,QAAQ,IAAI;CACvB,MAAM,MAAM,YAAY,IAAI;AAC5B,KAAI,MAAM,KAAK,oBAAoB,GAAG,IAAK,QAAO;AAClD,QAAO,KAAK,MAAM;;AAqBpB,SAAgB,iCACd,gBACmB;AACnB,QAAO,eAAe,KAAI,UAAS;EACjC,IAAI,KAAK;EACT,MAAM;EACN,YAAY,KAAK;;;;;;;;;AAUrB,IAAa,gBAAb,MAAa,cAAc;CACzB,AAAQ;CACR,AAAQ;CAER,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YAAY,cAAuB,wCAAwC,OAAO;AAChF,OAAK,eAAe;AACpB,OAAK,wCAAwC,0CAA0C;;CAGzF,UAAkB;AAChB,MAAI;AACF,UAAO,YAAY,KAAK,cAAc,QAAQ,UAAU;UAClD;AACN,UAAO,KAAK,gBAAgB;;;CAKhC,OAAe,YAAqB;AAClC,MAAI;AAAE,UAAO,OAAO,SAAS,OAAO;UAAa;AAAE,UAAO;;;;;;;;;;CAU5D,MAAM,uCAAuC,EAC3C,eACA,WACA,oBAK4C;EAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;GACvE;GACA;GACA;;AAGF,MAAI,qCAAqC,iBACvC,QAAO;AAET,SAAO,yCAAyC;GAC9C,YAAY;GACZ,gBAAgB;GAChB,iBAAiB;;;;;;;;;;;CAYrB,MAAM,8CAA8C,EAClD,eACA,WACA,oBAK4C;EAC5C,MAAM,kBAAmB,MAAM,KAAK,qCAAqC;GACvE;GACA;GACA;;AAGF,MAAI,qCAAqC,iBACvC,QAAO;AAET,SAAO,yCAAyC;GAC9C,YAAY;GACZ,gBAAgB;GAChB,iBAAiB;;;;;;;;;;CAWrB,MAAM,wCAAwC,EAC5C,eACA,WACA,gBACwD;AAExD,OAAK,kBAAkB,IAAI;AAC3B,OAAK,0BAA0B,cAAc,wBAAwB,KAAK;EAE1E,MAAM,OAAO,KAAK;EAClB,MAAME,YAAgD;GACpD,WAAW,gBAAgB;GAC3B,IAAI;IACF,MAAM;IACN,IAAI;;GAEN,MAAM;IACJ,IAAI,IAAI,cAAc,OAAO,6BAA6B,eAAe;IACzE,MAAM,6BAA6B,eAAe;IAClD,aAAa,gCAAgC,eAAe;;GAE9D,kBAAkB,CAChB;IAAE,KAAK;IAAI,MAAM;MACjB;IAAE,KAAK;IAAM,MAAM;;GAErB,wBAAwB;IACtB,aAAa;IACb,kBAAkB;;GAEpB,SAAS;GACT,aAAa;GACb,YAAY,EACV,KAAK,EACH,MAAM;IAEJ,OAAO,qBAAqB;IAC5B,QAAQ,oBAAoB;;;AAKpC,MAAI;GACF,MAAM,SAAS,MAAM,yCAAyC,UAAU,WAAW;IACjF;IACA,UAAU,cAAc;IACxB,WAAW,UAAU;IAErB,aAAa,KAAK,gBAAgB;;AAEpC,UAAO;YACC;AACR,QAAK;AACL,QAAK,0BAA0B;AAC/B,QAAK;AACL,QAAK,8BAA8B;AACnC,QAAK,kBAAkB;;;;;;;;;;;;;;;;;CAkB3B,MAAM,qCAAqC,EACzC,eACA,WACA,oBAC4D;AAE5D,OAAK,kBAAkB,IAAI;AAC3B,OAAK,0BAA0B,cAAc,wBAAwB,KAAK;EAE1E,MAAM,OAAO,KAAK;EAClB,MAAMC,YAA+C;GACnD,WAAW,gBAAgB;GAC3B;GACA,kBAAkB,iBAAiB,KAAK,gBAAgB;IACtD,IAAI,gBAAgB,WAAW;IAC/B,MAAM;IACN,YAAY,WAAW;;GAEzB,kBAAkB;GAClB,SAAS;GACT,YAAY,EACV,KAAK,EACH,MAAM;IAEJ,OAAO,qBAAqB;IAC5B,QAAQ,oBAAoB;;;AAKpC,MAAI;GACF,MAAM,SAAS,MAAM,yCAAyC,OAAO,WAAW;IAC9E;IACA,UAAU,cAAc;IACxB,WAAW,UAAU;IACrB,gCAAgC,KAAK;IACrC,aAAa,KAAK,gBAAgB;;AAEpC,UAAO;YACC;AACR,QAAK;AACL,QAAK,0BAA0B;AAC/B,QAAK;AACL,QAAK,8BAA8B;AACnC,QAAK,kBAAkB;;;;AAM7B,SAAS,qCAAqC,GAAmD;AAC/F,KAAI,CAAC,KAAK,OAAO,MAAM,SAAU,QAAO;CACxC,MAAM,MAAM;CACZ,MAAM,OAAO,IAAI;AACjB,QAAO,OAAO,MAAM,sBAAsB;;;;;;;;;;;;;AAc5C,SAAgB,6BAA6B,eAAuB,cAA+B;AAEjG,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,cAAc,IAAI,aAAa;;;;;;;;;;;;;AAc3C,SAAS,gCAAgC,eAAuB,cAA+B;CAE7F,MAAM,eAAe,cAAc,MAAM,KAAK;AAE9C,KAAI,iBAAiB,UAAa,iBAAiB,EACjD,QAAO;AAGT,QAAO,GAAG,aAAa,WAAW,aAAa;;;CAMxC,SAAS,wBAAwB,YAAyC;EAC/E,MAAM,qBAAqB;AAAE,OAAI,SAAS,OAAQ,YAAW;;EAC7D,MAAM,mBAAmB;AAAE,cAAW;;EACtC,MAAM,uBAAuB;AAAE,cAAW;;AAC1C,WAAS,iBAAiB,oBAAoB,cAAc,EAAE,SAAS;AACvE,SAAO,iBAAiB,YAAY,YAAY,EAAE,SAAS;AAC3D,SAAO,iBAAiB,gBAAgB,gBAAgB,EAAE,SAAS;AACnE,eAAa;AACX,YAAS,oBAAoB,oBAAoB;AACjD,UAAO,oBAAoB,YAAY;AACvC,UAAO,oBAAoB,gBAAgB;;;;;;;;;;;AClUjD,IAAY,oDAAL;AACL;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;AAgJF,SAAgB,iBAAiB,GAA8B;AAC7D,QAAO,SAAS,MAAM,iBAAiB;;AAGzC,SAAgB,iBAAiB,QAAoC;AACnE,SAAQ,OAAO,MAAf;EACE,KAAK,WAAW,SACd,QAAO;GACL,aAAa,WAAW;GACxB,SAAS,OAAO;;EAGpB,KAAK,WAAW,aACd,QAAO;GACL,aAAa,WAAW;GACxB,aAAa,OAAO;GACpB,MAAM,KAAK,UAAU,OAAO;GAC5B,KAAK,OAAO,OAAO;GACnB,SAAS,OAAO,WAAW;;EAG/B,KAAK,WAAW;GAKd,MAAM,gBAAgB,OAAO,UAAU;GACvC,MAAM,aAAa,kBAAkB,eAC/B,EAAE,YAAY,OACd;GACN,MAAM,YAAY;IAChB,OAAO,OAAO,UAAU,SAAS;IACjC;;AAEF,UAAO;IACL,aAAa,WAAW;IACxB,YAAY,OAAO;IACnB,YAAY,KAAK,UAAU;;EAG/B,KAAK,WAAW,UACd,QAAO;GACL,aAAa,WAAW;GACxB,YAAY,OAAO;;EAGvB,KAAK,WAAW,cACd,QAAO,EACL,aAAa,WAAW;EAG5B,KAAK,WAAW,cACd,QAAO;GACL,aAAa,WAAW;GACxB,gBAAgB,OAAO;;EAG3B,KAAK,WAAW,eACd,QAAO;GACL,aAAa,WAAW;GACxB,MAAM,OAAO,OAAO,SAAS,WACzB,MAAM,KAAK,IAAI,cAAc,OAAO,OAAO,SAC3C,MAAM,KAAK,OAAO;;EAG1B,KAAK,WAAW,qBACd,QAAO;GACL,aAAa,WAAW;GACxB,MAAM,OAAO,OAAO,SAAS,WACzB,MAAM,KAAK,IAAI,cAAc,OAAO,OAAO,SAC3C,MAAM,KAAK,OAAO;GACtB,aAAa,OAAO;;EAGxB,KAAK,WAAW,kBACd,QAAO;GACL,aAAa,WAAW;GACxB,YAAY,OAAO;GACnB,WAAW,OAAO;;EAGtB,KAAK,WAAW,MACd,QAAO;GACL,aAAa,WAAW;GACxB,OAAO,OAAO;GACd,YAAY,OAAO;;EAGvB,QACE,OAAM,IAAI,MAAM,eAAgB,OAAe,KAAK;;;;;;AAS1D,SAAgB,uBAAuB,gBAAsC;AAC3E,SAAQ,eAAe,aAAvB;EACE,KAAK,WAAW;AACd,OAAI,CAAC,eAAe,YAClB,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,eAAe,KAClB,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,eAAe,IAClB,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,eAAe,QAClB,OAAM,IAAI,MAAM;AAGlB,OAAI,OAAO,eAAe,SAAS,SACjC,OAAM,IAAI,MAAM;AAElB,OAAI;AACF,SAAK,MAAM,eAAe;WACpB;AACN,UAAM,IAAI,MAAM;;AAElB;EACF,KAAK,WAAW;AACd,OAAI,CAAC,eAAe,QAClB,OAAM,IAAI,MAAM;AAElB;EACF,KAAK,WAAW,cAEd;EACF,KAAK,WAAW;AACd,OAAI,CAAC,eAAe,QAAQ,eAAe,KAAK,WAAW,EACzD,OAAM,IAAI,MAAM;AAElB;EACF,KAAK,WAAW;AACd,OAAI,CAAC,eAAe,MAClB,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,eAAe,WAClB,OAAM,IAAI,MAAM;AAElB;EACF,KAAK,WAAW;AACd,OAAI,CAAC,eAAe,WAClB,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,eAAe,WAClB,OAAM,IAAI,MAAM;AAGlB,OAAI,OAAO,eAAe,eAAe,SACvC,OAAM,IAAI,MAAM;AAElB,OAAI;AACF,SAAK,MAAM,eAAe;WACpB;AACN,UAAM,IAAI,MAAM;;AAElB;EACF,KAAK,WAAW;AACd,OAAI,CAAC,eAAe,WAClB,OAAM,IAAI,MAAM;AAElB;EACF,KAAK,WAAW;AACd,OAAI,CAAC,eAAe,eAClB,OAAM,IAAI,MAAM;AAElB;EACF,KAAK,WAAW,gBAAgB;GAC9B,MAAM,UAAU;AAIhB,OAAI,CAAC,QAAQ,mBAAmB,OAAO,QAAQ,oBAAoB,SACjE,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,QAAQ,aAAa,OAAO,QAAQ,cAAc,SACrD,OAAM,IAAI,MAAM;AAElB;;EAEF,KAAK,WAAW;AACd,OAAI,CAAC,eAAe,QAAQ,eAAe,KAAK,WAAW,EACzD,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,eAAe,eAAgB,eAAe,gBAAgB,cAAc,eAAe,gBAAgB,YAC9G,OAAM,IAAI,MAAM;AAElB;EACF,KAAK,WAAW,mBAAmB;GACjC,MAAM,eAAe,CAAC,CAAC,eAAe;GACtC,MAAM,cAAc,CAAC,CAAC,eAAe;AACrC,OAAI,iBAAiB,YACnB,OAAM,IAAI,MAAM;AAElB;;EAEF,QACE,OAAM,IAAI,MAAM,4BAA6B,eAAuB;;;;;;AAiB1E,SAAgB,mBAAmB,GAA+B;AAChE,SAAQ,EAAE,aAAV;EACE,KAAK,WAAW,cAAc;GAC5B,IAAIC,aAAkC;AACtC,OAAI;AACF,QAAI,OAAO,EAAE,SAAS,SACpB,cAAa,EAAE,OAAO,KAAK,MAAM,EAAE,QAAQ;QAE3C,cAAa,EAAE,QAAQ;WAEnB;AAEN,iBAAa;;AAEf,UAAO;IACL,MAAM,WAAW;IACjB,YAAY,EAAE;IACd,MAAM;IACN,KAAK,EAAE;IACP,SAAS,EAAE;;;EAGf,KAAK,WAAW,SACd,QAAO;GACL,MAAM,WAAW;GACjB,QAAQ,EAAE;;EAEd,KAAK,WAAW,cACd,QAAO,EACL,MAAM,WAAW;EAErB,KAAK,WAAW,gBAAgB;GAE9B,MAAM,YAAY,MAAM,QAAQ,EAAE,QAAQ,IAAI,WAAW,EAAE,QAAQ,IAAI;AACvE,UAAO;IACL,MAAM,WAAW;IACjB,MAAM;;;EAGV,KAAK,WAAW,sBAAsB;GACpC,MAAM,YAAY,MAAM,QAAQ,EAAE,QAAQ,IAAI,WAAW,EAAE,QAAQ,IAAI;AACvE,UAAO;IACL,MAAM,WAAW;IACjB,MAAM;IACN,YAAY,EAAE;;;EAGlB,KAAK,WAAW,MACd,QAAO;GACL,MAAM,WAAW;GACjB,OAAO,EAAE;GACT,WAAW,EAAE;;EAEjB,KAAK,WAAW,QAAQ;GAEtB,IAAIC;AACJ,OAAI;AACF,gBAAY,KAAK,MAAM,EAAE;WACnB;AACN,gBAAY;KAAE,OAAO,OAAO;KAAI,YAAY;;;GAG9C,MAAM,aAAa,WAAW;GAC9B,IAAIC,uBAAkE;AAEtE,OAAI,SAAS,aACX;QAAI,gBAAgB,WAClB,wBAAuB;aACd,kBAAkB,YAAY;KACvC,MAAM,KAAM,WAA0C;AACtD,4BAAuB,EACrB,cAAc;MACZ,WAAW,GAAG;MACd,aAAa,GAAG;MAChB,cAAc,GAAG;;;;AAKzB,UAAO;IACL,MAAM,WAAW;IACjB,WAAW,EAAE;IACb,WAAW;KACT,OAAO,OAAO,WAAW,UAAU,WAAW,UAAU,QAAQ;KAChE,YAAY;;;;EAIlB,KAAK,WAAW,UACd,QAAO;GACL,MAAM,WAAW;GACjB,WAAW,EAAE;;EAEjB,KAAK,WAAW,cACd,QAAO;GACL,MAAM,WAAW;GACjB,eAAe,EAAE;;EAErB,KAAK,WAAW,kBACd,QAAO;GACL,MAAM,WAAW;GACjB,WAAW,EAAE;GACb,UAAU,EAAE;;EAEhB,QAEE,OAAM,IAAI,MAAM,iCAAkC,GAAW;;;;AAKnE,SAAgB,yBAAyB,IAA4C;AACnF,QAAO;EACL,YAAY,GAAG;EACf,SAAS,GAAG,QAAQ,IAAI;;;;AAK5B,SAAgB,0BAA0B,KAAiD;AACzF,SAAQ,OAAO,IAAI,IAAI;;;;;ACvfzB,eAAsB,oBAAoB,OAAgC;CACxE,MAAM,SAAS,MAAM,gBAAgB;AACrC,QAAO,gBAAgB;;AAGzB,eAAsB,gCAAgC,MAIlC;CAElB,MAAM,OAAO,qBAAqB;EAAE,MAAM;EAAU,GAAG;;AACvD,QAAO,oBAAoB;;AAG7B,eAAsB,0CAA0C,MAI5C;CAClB,MAAM,OAAO,qBAAqB;EAAE,MAAM;EAA4B,GAAG;;AACzE,QAAO,oBAAoB;;AAwB7B,eAAsB,6BAA6B,UAAmD;CAGpG,MAAM,OAAO,qBAAqB;AAClC,QAAO,oBAAoB;;AAG7B,SAAgB,qBAAqB,GAAmC;AACtE,SAAQ,EAAE,aAAV;EACE,KAAK,WAAW,aACd,QAAO;GAAE,aAAa,EAAE;GAAa,MAAM,EAAE;GAAM,SAAS,EAAE;GAAS,KAAK,EAAE;GAAK,aAAa,EAAE;;EACpG,KAAK,WAAW,SACd,QAAO;GAAE,aAAa,EAAE;GAAa,SAAS,EAAE;;EAClD,KAAK,WAAW,MACd,QAAO;GAAE,aAAa,EAAE;GAAa,OAAO,EAAE;GAAO,YAAY,EAAE;;EACrE,KAAK,WAAW,OACd,QAAO;GAAE,aAAa,EAAE;GAAa,YAAY,EAAE;GAAY,YAAY,EAAE;;EAC/E,KAAK,WAAW,UACd,QAAO;GAAE,aAAa,EAAE;GAAa,YAAY,EAAE;;EACrD,KAAK,WAAW,cACd,QAAO;GAAE,aAAa,EAAE;GAAa,gBAAgB,EAAE;;EACzD,KAAK,WAAW,eACd,QAAO;GAAE,aAAa,EAAE;GAAa,MAAM,EAAE;;EAC/C,KAAK,WAAW,eACd,QAAO;GAAE,aAAa,EAAE;GAAa,iBAAiB,EAAE;GAAiB,WAAW,EAAE;;EACxF,KAAK,WAAW,qBACd,QAAO;GAAE,aAAa,EAAE;GAAa,MAAM,EAAE;GAAM,aAAa,EAAE;;EACpE,KAAK,WAAW,kBACd,QAAO;GAAE,aAAa,EAAE;GAAa,YAAY,EAAE;GAAY,WAAW,EAAE;;EAC9E,KAAK,WAAW,cACd,QAAO,EAAE,aAAa,EAAE;EAC1B,SAAS;GACP,MAAMC,cAAqB;AAC3B,UAAO;;;;;;;AC5Eb,IAAY,gFAAL;AACL;AACA;;;AAiEF,IAAY,4EAAL;AACL;AACA;AACA;AACA;AACA;AACA;;;;;;AC9EF,SAAgB,wBAAwB,aAA0C;AAChF,KAAI,CAAC,YAAa,QAAO;AACzB,KAAI,SAAS,aACX,KAAI;EACF,MAAM,SAAS,KAAK,MAAM;AAC1B,SAAO,SAAS,UAAW,SAAgC;UACpD,YAAY;AACnB,UAAQ,KAAK,0DAA0D;AACvE,SAAO;;AAGX,QAAO,SAAS,eAAgB,cAAqC;;AAUvE,SAAgB,uBAA0B,MAAoC;AAC5E,KAAI,QAAQ,KAAM,QAAO;AACzB,KAAI,MAAM,QAAQ,MAAO,QAAO,KAAK,KAAK,MAAM;AAChD,KAAI,SAAS,OAAO;EAClB,MAAM,MAAM;EACZ,MAAMC,MAA+B;AACrC,OAAK,MAAM,OAAO,OAAO,KAAK,MAAM;AAClC,OAAI,QAAQ,iBAAkB;GAC9B,MAAM,QAAQ,IAAI;AAClB,OAAI,WAAW,OAAQ;AACvB,OAAI,OAAO;;AAEb,SAAO;;AAET,QAAO;;AAIT,MAAa,iBAAiB;CAC5B,WAAW;CACX,0BAA0B;CAC1B,eAAe;;AAGjB,SAAgB,oBAAoB,QAAgB,UAAiC;CACnF,MAAM,YAAY,uBAAuB;AACzC,QAAO,YAAY;EAAE,MAAM,yBAAyB;EAA+B,MAAM;;;AAG3F,SAAgB,6BAA6B,OAAyB;AACpE,QACE,2BAA2B,iBACpB;EACL,MAAM,IAAI,QAAQ;AAClB,SAAO,GAAG,SAAS,qBAAqB,GAAG,SAAS;;;;;;ACpD1D,SAAgB,iBAAiB,SAAuC;AACtE,SAAQ,QAAQ,MAAhB;EACE,KAAK,uBAAuB,iBAC1B,QAAO,0BAA0B,SAAS,QAAQ;EACpD,KAAK,uBAAuB,oBAC1B,QAAQ,QAAQ,QAA8B;EAChD,KAAK,uBAAuB;EAC5B,KAAK,uBAAuB,YAC1B,QAAO,0BAA0B,SAAS;EAC5C,KAAK,uBAAuB,8BAA8B;GACxD,MAAM,IAAI,QAAQ;AAClB,UAAO,GAAG,iBAAiB;;EAE7B,KAAK,uBAAuB,4BAA4B;GACtD,MAAM,IAAI,QAAQ;AAClB,UAAO,GAAG,iBAAiB;;EAE7B,QACE,QAAO;;;AAIb,SAAgB,WAAW,SAAuC;AAChE,QAAO,QAAQ,SAAS,uBAAuB,mBAC1C,0BAA0B,SAAS,mBAAmB,UAAU,IACjE;;AAGN,SAAgB,gBAAgB,SAAmD;AACjF,KAAI,QAAQ,SAAS,uBAAuB,kBAAkB;EAC5D,MAAM,IAAI,SAAS;AACnB,SAAO,GAAG;;AAEZ,QAAO,SAAS;;AAGlB,SAAgB,0BAA0B,SAAuD;AAC/F,KAAI,QAAQ,SAAS,uBAAuB,iBAC1C,OAAM,IAAI,MAAM,0CAA0C,QAAQ;AAEpE,QAAO,QAAQ;;AAGjB,SAAgB,0BAA0B,SAAuD;AAC/F,KAAI,QAAQ,SAAS,uBAAuB,oBAAoB,QAAQ,SAAS,uBAAuB,YACtG,OAAM,IAAI,MAAM,yDAAyD,QAAQ;AAEnF,QAAO,QAAQ;;;;;AC/CjB,eAAsB,+CAA+C,MAevB;CAC5C,MAAM,gBAAgB,YAAY,KAAK;CAEvC,MAAM,iBAAiB,MAAM,KAAK,UAAU,SAAS,wBAAwB;CAC7E,IAAIC,0BAAqD;AACzD,KAAI,eAAe,SAAS,EAC1B,EAAC,CAAE,2BAA4B,MAAM,KAAK,UAAU,SAAS,qBAC3D,YAAY,gBACZ;AAIJ,MAAK,iBAAiB;EAAE;EAAgB;EAAyB,cAAc,KAAK;;CAEpF,MAAM,mBAAmB,iCAAiC;CAC1D,MAAM,aAAa,KAAK,yBACpB,MAAM,KAAK,cAAc,8CAA8C;EACvE;EACA,WAAW,KAAK;EAChB;MAEA,MAAM,KAAK,cAAc,uCAAuC;EAChE;EACA,WAAW,KAAK;EAChB;;AAIJ,KAAI,eAAe,SAAS,GAAG;EAC7B,MAAM,EAAE,sBAAsB,MAAM,KAAK,UAAU,SAAS,qBAC1D,YAAY,gBACZ,gBACA,WAAW;AAEb,MAAI,kBACF,OAAM,IAAI,MAAM;;AAIpB,QAAO"}

package/dist/esm/sdk/collectAuthenticationCredentialForVrfChallenge-DqzPzwvU.js ADDED Viewed

@@ -0,0 +1,138 @@
+import { isFunction, isObject, isString } from "./validation-BTq6LGPp.js";
+import { toAccountId } from "./accountIds-DVDhXwVA.js";
+import { isTouchIdCancellationError, toError } from "./errors-DevlT39D.js";
+import { authenticatorsToAllowCredentials } from "./touchIdPrompt-JPhrOx8o.js";
+//#region src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/types.ts
+let SecureConfirmMessageType = /* @__PURE__ */ function(SecureConfirmMessageType$1) {
+	SecureConfirmMessageType$1["PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD"] = "PROMPT_USER_CONFIRM_IN_JS_MAIN_THREAD";
+	SecureConfirmMessageType$1["USER_PASSKEY_CONFIRM_RESPONSE"] = "USER_PASSKEY_CONFIRM_RESPONSE";
+	return SecureConfirmMessageType$1;
+}({});
+let SecureConfirmationType = /* @__PURE__ */ function(SecureConfirmationType$1) {
+	SecureConfirmationType$1["SIGN_TRANSACTION"] = "signTransaction";
+	SecureConfirmationType$1["REGISTER_ACCOUNT"] = "registerAccount";
+	SecureConfirmationType$1["LINK_DEVICE"] = "linkDevice";
+	SecureConfirmationType$1["DECRYPT_PRIVATE_KEY_WITH_PRF"] = "decryptPrivateKeyWithPrf";
+	SecureConfirmationType$1["SIGN_NEP413_MESSAGE"] = "signNep413Message";
+	SecureConfirmationType$1["SHOW_SECURE_PRIVATE_KEY_UI"] = "showSecurePrivateKeyUi";
+	return SecureConfirmationType$1;
+}({});
+//#endregion
+//#region src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/common.ts
+function parseTransactionSummary(summaryData) {
+	if (!summaryData) return {};
+	if (isString(summaryData)) try {
+		const parsed = JSON.parse(summaryData);
+		return isObject(parsed) ? parsed : {};
+	} catch (parseError) {
+		console.warn("[SignerWorkerManager]: Failed to parse summary string:", parseError);
+		return {};
+	}
+	return isObject(summaryData) ? summaryData : {};
+}
+function sanitizeForPostMessage(data) {
+	if (data == null) return data;
+	if (Array.isArray(data)) return data.map((v) => v);
+	if (isObject(data)) {
+		const src = data;
+		const out = {};
+		for (const key of Object.keys(src)) {
+			if (key === "_confirmHandle") continue;
+			const value = src[key];
+			if (isFunction(value)) continue;
+			out[key] = value;
+		}
+		return out;
+	}
+	return data;
+}
+const ERROR_MESSAGES = {
+	cancelled: "User cancelled secure confirm request",
+	collectCredentialsFailed: "Failed to collect credentials",
+	nearRpcFailed: "Failed to fetch NEAR data"
+};
+function sendConfirmResponse(worker, response) {
+	const sanitized = sanitizeForPostMessage(response);
+	worker.postMessage({
+		type: SecureConfirmMessageType.USER_PASSKEY_CONFIRM_RESPONSE,
+		data: sanitized
+	});
+}
+function isUserCancelledSecureConfirm(error) {
+	return isTouchIdCancellationError(error) || (() => {
+		const e = toError(error);
+		return e?.name === "NotAllowedError" || e?.name === "AbortError";
+	})();
+}
+//#endregion
+//#region src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/adapters/requestHelpers.ts
+function getNearAccountId(request) {
+	switch (request.type) {
+		case SecureConfirmationType.SIGN_TRANSACTION: return getSignTransactionPayload(request).rpcCall.nearAccountId;
+		case SecureConfirmationType.SIGN_NEP413_MESSAGE: return request.payload.nearAccountId;
+		case SecureConfirmationType.REGISTER_ACCOUNT:
+		case SecureConfirmationType.LINK_DEVICE: return getRegisterAccountPayload(request).nearAccountId;
+		case SecureConfirmationType.DECRYPT_PRIVATE_KEY_WITH_PRF: {
+			const p = request.payload;
+			return p?.nearAccountId || "";
+		}
+		case SecureConfirmationType.SHOW_SECURE_PRIVATE_KEY_UI: {
+			const p = request.payload;
+			return p?.nearAccountId || "";
+		}
+		default: return "";
+	}
+}
+function getTxCount(request) {
+	return request.type === SecureConfirmationType.SIGN_TRANSACTION ? getSignTransactionPayload(request).txSigningRequests?.length || 1 : 1;
+}
+function getIntentDigest(request) {
+	if (request.type === SecureConfirmationType.SIGN_TRANSACTION) {
+		const p = request?.payload;
+		return p?.intentDigest;
+	}
+	return request?.intentDigest;
+}
+function getSignTransactionPayload(request) {
+	if (request.type !== SecureConfirmationType.SIGN_TRANSACTION) throw new Error(`Expected SIGN_TRANSACTION request, got ${request.type}`);
+	return request.payload;
+}
+function getRegisterAccountPayload(request) {
+	if (request.type !== SecureConfirmationType.REGISTER_ACCOUNT && request.type !== SecureConfirmationType.LINK_DEVICE) throw new Error(`Expected REGISTER_ACCOUNT or LINK_DEVICE request, got ${request.type}`);
+	return request.payload;
+}
+//#endregion
+//#region src/core/WebAuthnManager/collectAuthenticationCredentialForVrfChallenge.ts
+async function collectAuthenticationCredentialForVrfChallenge(args) {
+	const nearAccountId = toAccountId(args.nearAccountId);
+	const authenticators = await args.indexedDB.clientDB.getAuthenticatorsByUser(nearAccountId);
+	let authenticatorsForPrompt = authenticators;
+	if (authenticators.length > 0) ({authenticatorsForPrompt} = await args.indexedDB.clientDB.ensureCurrentPasskey(toAccountId(nearAccountId), authenticators));
+	args.onBeforePrompt?.({
+		authenticators,
+		authenticatorsForPrompt,
+		vrfChallenge: args.vrfChallenge
+	});
+	const allowCredentials = authenticatorsToAllowCredentials(authenticatorsForPrompt);
+	const serialized = args.includeSecondPrfOutput ? await args.touchIdPrompt.getAuthenticationCredentialsSerializedDualPrf({
+		nearAccountId,
+		challenge: args.vrfChallenge,
+		allowCredentials
+	}) : await args.touchIdPrompt.getAuthenticationCredentialsSerialized({
+		nearAccountId,
+		challenge: args.vrfChallenge,
+		allowCredentials
+	});
+	if (authenticators.length > 0) {
+		const { wrongPasskeyError } = await args.indexedDB.clientDB.ensureCurrentPasskey(toAccountId(nearAccountId), authenticators, serialized.rawId);
+		if (wrongPasskeyError) throw new Error(wrongPasskeyError);
+	}
+	return serialized;
+}
+//#endregion
+export { ERROR_MESSAGES, SecureConfirmMessageType, SecureConfirmationType, collectAuthenticationCredentialForVrfChallenge, getIntentDigest, getNearAccountId, getRegisterAccountPayload, getSignTransactionPayload, getTxCount, isUserCancelledSecureConfirm, parseTransactionSummary, sanitizeForPostMessage, sendConfirmResponse };

package/dist/esm/sdk/config-BbNXtVtu.js ADDED Viewed

@@ -0,0 +1,100 @@
+//#region src/core/types/linkDevice.ts
+var DeviceLinkingError = class extends Error {
+	constructor(message, code, phase) {
+		super(message);
+		this.code = code;
+		this.phase = phase;
+	}
+};
+let DeviceLinkingErrorCode = /* @__PURE__ */ function(DeviceLinkingErrorCode$1) {
+	DeviceLinkingErrorCode$1["INVALID_QR_DATA"] = "INVALID_QR_DATA";
+	DeviceLinkingErrorCode$1["ACCOUNT_NOT_OWNED"] = "ACCOUNT_NOT_OWNED";
+	DeviceLinkingErrorCode$1["AUTHORIZATION_TIMEOUT"] = "AUTHORIZATION_TIMEOUT";
+	DeviceLinkingErrorCode$1["INSUFFICIENT_BALANCE"] = "INSUFFICIENT_BALANCE";
+	DeviceLinkingErrorCode$1["REGISTRATION_FAILED"] = "REGISTRATION_FAILED";
+	DeviceLinkingErrorCode$1["SESSION_EXPIRED"] = "SESSION_EXPIRED";
+	return DeviceLinkingErrorCode$1;
+}({});
+//#endregion
+//#region build-paths.ts
+const BUILD_PATHS = {
+	BUILD: {
+		ROOT: "dist",
+		WORKERS: "dist/workers",
+		ESM: "dist/esm",
+		CJS: "dist/cjs",
+		TYPES: "dist/types"
+	},
+	SOURCE: {
+		ROOT: "src",
+		CORE: "src/core",
+		WASM_SIGNER: "src/wasm_signer_worker",
+		WASM_VRF: "src/wasm_vrf_worker",
+		CRITICAL_DIRS: [
+			"src/core",
+			"src/wasm_signer_worker",
+			"src/wasm_vrf_worker"
+		]
+	},
+	FRONTEND: {
+		ROOT: "../examples/vite/public",
+		SDK: "../examples/vite/public/sdk",
+		WORKERS: "../examples/vite/public/sdk/workers"
+	},
+	RUNTIME: {
+		SDK_BASE: "/sdk",
+		WORKERS_BASE: "/sdk/workers",
+		VRF_WORKER: "/sdk/workers/web3authn-vrf.worker.js",
+		SIGNER_WORKER: "/sdk/workers/web3authn-signer.worker.js"
+	},
+	WORKERS: {
+		VRF: "web3authn-vrf.worker.js",
+		SIGNER: "web3authn-signer.worker.js",
+		OFFLINE_SW: "offline-export-sw.js",
+		WASM_VRF_JS: "wasm_vrf_worker.js",
+		WASM_VRF_WASM: "wasm_vrf_worker_bg.wasm",
+		WASM_SIGNER_JS: "wasm_signer_worker.js",
+		WASM_SIGNER_WASM: "wasm_signer_worker_bg.wasm"
+	},
+	TEST_WORKERS: {
+		VRF: "/sdk/workers/web3authn-vrf.worker.js",
+		SIGNER: "/sdk/workers/web3authn-signer.worker.js",
+		WASM_VRF_JS: "/sdk/workers/wasm_vrf_worker.js",
+		WASM_VRF_WASM: "/sdk/workers/wasm_vrf_worker_bg.wasm",
+		WASM_SIGNER_JS: "/sdk/workers/wasm_signer_worker.js",
+		WASM_SIGNER_WASM: "/sdk/workers/wasm_signer_worker_bg.wasm"
+	}
+};
+//#endregion
+//#region src/config.ts
+const SIGNER_WORKER_MANAGER_CONFIG = {
+	TIMEOUTS: {
+		DEFAULT: 6e4,
+		TRANSACTION: 6e4,
+		REGISTRATION: 6e4
+	},
+	WORKER: {
+		URL: BUILD_PATHS.RUNTIME.SIGNER_WORKER,
+		TYPE: "module",
+		NAME: "Web3AuthnSignerWorker"
+	},
+	RETRY: {
+		MAX_ATTEMPTS: 3,
+		BACKOFF_MS: 1e3
+	}
+};
+const DEVICE_LINKING_CONFIG = {
+	TIMEOUTS: {
+		QR_CODE_MAX_AGE_MS: 900 * 1e3,
+		SESSION_EXPIRATION_MS: 900 * 1e3,
+		TEMP_KEY_CLEANUP_MS: 900 * 1e3,
+		POLLING_INTERVAL_MS: 3e3,
+		REGISTRATION_RETRY_DELAY_MS: 2e3
+	},
+	RETRY: { MAX_REGISTRATION_ATTEMPTS: 5 }
+};
+//#endregion
+export { BUILD_PATHS, DEVICE_LINKING_CONFIG, DeviceLinkingError, DeviceLinkingErrorCode, SIGNER_WORKER_MANAGER_CONFIG };