npm - @tatchi-xyz/sdk - Versions diffs - 0.21.0 → 0.31.1 - Mend

@tatchi-xyz/sdk 0.21.0 → 0.31.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2501) hide show

package/dist/cjs/react/src/core/TatchiPasskey/syncAccount.js ADDED Viewed

@@ -0,0 +1,505 @@
+const require_validation = require('../../utils/validation.js');
+const require_accountIds = require('../types/accountIds.js');
+const require_participants = require('../../threshold/participants.js');
+const require_index = require('../IndexedDBManager/index.js');
+const require_vrf_worker = require('../types/vrf-worker.js');
+const require_sdkSentEvents = require('../types/sdkSentEvents.js');
+const require_rpcCalls = require('../rpcCalls.js');
+const require_getDeviceNumber = require('../WebAuthnManager/SignerWorkerManager/getDeviceNumber.js');
+const require_userHandle = require('../WebAuthnManager/userHandle.js');
+//#region src/core/TatchiPasskey/syncAccount.ts
+/**
+* Account sync flow with credential encapsulation
+*
+* Usage:
+* ```typescript
+* const flow = new SyncAccountFlow(context);
+* const options = await flow.discover(); // Get safe display options
+* // ... user selects account in UI ...
+* const result = await flow.sync({ credentialId, accountId }); // Execute sync
+* ```
+*/
+var SyncAccountFlow = class {
+	context;
+	options;
+	availableAccounts;
+	phase = "idle";
+	error;
+	constructor(context, options) {
+		this.context = context;
+		this.options = options;
+	}
+	/**
+	* Phase 1: Discover available accounts
+	* Returns safe display data without exposing credentials to UI
+	*/
+	async discover(accountId) {
+		try {
+			this.phase = "discovering";
+			const normalizedAccountId = normalizeSyncAccountIdInput(accountId);
+			const hasValidAccount = !!normalizedAccountId && require_validation.validateNearAccountId(normalizedAccountId).valid;
+			if (hasValidAccount) {
+				const nearAccountId = require_accountIds.toAccountId(normalizedAccountId);
+				this.availableAccounts = await getSyncableAccounts(this.context, nearAccountId);
+			} else {
+				const challenge = require_vrf_worker.createRandomVRFChallenge();
+				const credential = await this.context.webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({
+					nearAccountId: "",
+					challenge,
+					credentialIds: []
+				});
+				const inferredAccountId = require_userHandle.parseAccountIdFromUserHandle(credential.response?.userHandle);
+				const option = {
+					credentialId: credential.rawId,
+					accountId: inferredAccountId ? require_accountIds.toAccountId(inferredAccountId) : null,
+					publicKey: "",
+					displayName: inferredAccountId ? `${inferredAccountId}` : "Discovered passkey",
+					credential: null
+				};
+				this.availableAccounts = [option];
+			}
+			if (!this.availableAccounts || this.availableAccounts.length === 0) console.warn("No syncable accounts found for this passkey");
+			else console.debug(`SyncAccountFlow: Found ${this.availableAccounts.length} syncable accounts`);
+			this.phase = "ready";
+			return this.availableAccounts.map((option) => ({
+				credentialId: option.credentialId,
+				accountId: option.accountId,
+				publicKey: option.publicKey,
+				displayName: option.displayName
+			}));
+		} catch (error) {
+			const failure = error instanceof Error ? error : new Error(String(error));
+			this.phase = "error";
+			this.error = failure;
+			console.error("SyncAccountFlow: Discovery failed:", failure);
+			throw failure;
+		}
+	}
+	/**
+	* Phase 2: Execute sync with user selection
+	* Securely looks up credential based on selection
+	*/
+	async sync(selection) {
+		if (this.phase !== "ready") throw new Error(`Cannot sync - flow is in ${this.phase} phase. Call discover() first.`);
+		if (!this.availableAccounts) throw new Error("No available accounts found. Call discover() first.");
+		try {
+			this.phase = "syncing";
+			console.debug(`SyncAccountFlow: Syncing account: ${selection.accountId}`);
+			const selectedOption = this.availableAccounts.find((option) => option.credentialId === selection.credentialId && option.accountId === selection.accountId);
+			if (!selectedOption) throw new Error("Invalid selection - account not found in available options");
+			if (!selectedOption.accountId) {
+				const storedAccount = require_userHandle.parseAccountIdFromUserHandle(selectedOption.credential?.response?.userHandle);
+				if (storedAccount) selectedOption.accountId = require_accountIds.toAccountId(storedAccount);
+				else try {
+					const challenge = require_vrf_worker.createRandomVRFChallenge();
+					const cred = await this.context.webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({
+						nearAccountId: "",
+						challenge,
+						credentialIds: selectedOption.credentialId && selectedOption.credentialId !== "manual-input" ? [selectedOption.credentialId] : []
+					});
+					const maybeAccount = require_userHandle.parseAccountIdFromUserHandle(cred.response?.userHandle);
+					if (maybeAccount) selectedOption.accountId = require_accountIds.toAccountId(maybeAccount);
+				} catch {}
+				if (!selectedOption.accountId) throw new Error("Invalid account selection - no account ID provided");
+			}
+			const allowList = (() => {
+				try {
+					if (!this.availableAccounts) return void 0;
+					if (!selectedOption.credentialId || selectedOption.credentialId === "manual-input") return void 0;
+					const ids = this.availableAccounts.filter((opt) => opt.accountId === selectedOption.accountId && opt.credentialId && opt.credentialId !== "manual-input").map((opt) => opt.credentialId);
+					const uniq = Array.from(new Set(ids));
+					return uniq.length > 0 ? uniq : void 0;
+				} catch {
+					return void 0;
+				}
+			})();
+			const syncResult = await syncAccount(this.context, selectedOption.accountId, this.options, selectedOption.credential ?? void 0, allowList);
+			this.phase = "complete";
+			return syncResult;
+		} catch (error) {
+			const failure = error instanceof Error ? error : new Error(String(error));
+			this.phase = "error";
+			this.error = failure;
+			console.error("SyncAccountFlow: Sync failed:", failure);
+			throw failure;
+		}
+	}
+	/**
+	* Get current flow state (safe display data only)
+	*/
+	getState() {
+		const safeAccounts = this.availableAccounts?.map((option) => ({
+			credentialId: option.credentialId,
+			accountId: option.accountId,
+			publicKey: option.publicKey,
+			displayName: option.displayName
+		}));
+		return {
+			phase: this.phase,
+			availableAccounts: safeAccounts,
+			error: this.error,
+			isReady: this.phase === "ready",
+			isComplete: this.phase === "complete",
+			hasError: this.phase === "error"
+		};
+	}
+	/**
+	* Reset flow to initial state
+	*/
+	reset() {
+		this.phase = "idle";
+		this.availableAccounts = void 0;
+		this.error = void 0;
+	}
+};
+function normalizeSyncAccountIdInput(input) {
+	const raw = String(input || "").trim();
+	if (!raw) return "";
+	const match = raw.match(/nearblocks\.io\/(?:address|account)\/([^/?#]+)/i);
+	if (match?.[1]) return match[1];
+	try {
+		const u = new URL(raw);
+		const parts = String(u.pathname || "").split("/").filter(Boolean);
+		const idx = parts.findIndex((p) => p === "address" || p === "account");
+		if (idx >= 0 && parts[idx + 1]) return parts[idx + 1];
+	} catch {}
+	return raw;
+}
+/**
+* Get available passkeys for account sync
+*/
+async function getSyncableAccounts(context, accountId) {
+	const availablePasskeys = await getAvailablePasskeysForDomain(context, accountId);
+	return availablePasskeys.filter((passkey) => passkey.accountId !== null);
+}
+/**
+* Discover passkeys for domain using contract-based lookup
+*/
+async function getAvailablePasskeysForDomain(context, accountId) {
+	const { nearClient, configs } = context;
+	const credentialIds = await require_rpcCalls.getCredentialIdsContractCall(nearClient, configs.contractId, accountId);
+	if (credentialIds.length > 0) return credentialIds.map((credentialId, idx) => ({
+		credentialId,
+		accountId,
+		publicKey: "",
+		displayName: credentialIds.length > 1 ? `${accountId} (passkey ${idx + 1})` : `${accountId}`,
+		credential: null
+	}));
+	return [];
+}
+/**
+* Main account sync function
+*/
+async function syncAccount(context, accountId, options, reuseCredential, allowedCredentialIds) {
+	const { onEvent, onError, afterCall } = options || {};
+	const { webAuthnManager, nearClient, configs } = context;
+	onEvent?.({
+		step: 1,
+		phase: require_sdkSentEvents.SyncAccountPhase.STEP_1_PREPARATION,
+		status: require_sdkSentEvents.SyncAccountStatus.PROGRESS,
+		message: "Preparing account sync..."
+	});
+	try {
+		const validation = require_validation.validateNearAccountId(accountId);
+		if (!validation.valid) return handleSyncError(accountId, `Invalid NEAR account ID: ${validation.error}`, onError, afterCall);
+		onEvent?.({
+			step: 2,
+			phase: require_sdkSentEvents.SyncAccountPhase.STEP_2_WEBAUTHN_AUTHENTICATION,
+			status: require_sdkSentEvents.SyncAccountStatus.PROGRESS,
+			message: "Authenticating with contract..."
+		});
+		const credential = await getOrCreateCredential(webAuthnManager, accountId, reuseCredential, allowedCredentialIds);
+		const passkeyAccount = require_userHandle.parseAccountIdFromUserHandle(credential.response?.userHandle);
+		if (passkeyAccount && passkeyAccount !== accountId) return handleSyncError(accountId, `Selected passkey belongs to ${passkeyAccount}, not ${accountId}`, onError, afterCall);
+		const blockInfo = await nearClient.viewBlock({ finality: "final" });
+		const blockHeight = String(blockInfo.header.height);
+		const blockHash = blockInfo.header.hash;
+		const vrfInputData = {
+			userId: accountId,
+			rpId: webAuthnManager.getRpId(),
+			blockHeight,
+			blockHash
+		};
+		const deterministicVrfResult = await webAuthnManager.deriveVrfKeypair({
+			credential,
+			nearAccountId: accountId,
+			vrfInputData
+		});
+		if (!deterministicVrfResult.success) throw new Error("Failed to derive deterministic VRF keypair and generate challenge from PRF");
+		const recoveredKeypair = await webAuthnManager.recoverKeypairFromPasskey(credential, accountId);
+		if (!recoveredKeypair.wrapKeySalt) throw new Error("Missing wrapKeySalt in derived key material; re-register to upgrade vault format.");
+		const hasAccess = await require_rpcCalls.hasAccessKey(nearClient, accountId, recoveredKeypair.publicKey, {
+			attempts: 1,
+			delayMs: 0
+		});
+		if (!hasAccess) return handleSyncError(accountId, `Account ${accountId} does not have access key ${recoveredKeypair.publicKey} (check you selected the correct passkey)`, onError, afterCall);
+		const syncResult = await performAccountSync({
+			context,
+			accountId,
+			publicKey: recoveredKeypair.publicKey,
+			encryptedKeypair: {
+				encryptedPrivateKey: recoveredKeypair.encryptedPrivateKey,
+				chacha20NonceB64u: recoveredKeypair.chacha20NonceB64u,
+				wrapKeySalt: recoveredKeypair.wrapKeySalt
+			},
+			credential,
+			encryptedVrfResult: {
+				vrfPublicKey: deterministicVrfResult.vrfPublicKey,
+				encryptedVrfKeypair: deterministicVrfResult.encryptedVrfKeypair,
+				serverEncryptedVrfKeypair: deterministicVrfResult.serverEncryptedVrfKeypair || void 0
+			},
+			onEvent
+		});
+		onEvent?.({
+			step: 5,
+			phase: require_sdkSentEvents.SyncAccountPhase.STEP_5_SYNC_ACCOUNT_COMPLETE,
+			status: require_sdkSentEvents.SyncAccountStatus.SUCCESS,
+			message: "Account sync completed successfully",
+			data: { syncResult }
+		});
+		afterCall?.(true, syncResult);
+		return syncResult;
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		const err = error instanceof Error ? error : new Error(message);
+		try {
+			await webAuthnManager.clearVrfSession();
+		} catch (clearError) {
+			console.warn("Failed to clear VRF session after sync error:", clearError);
+		}
+		onError?.(err);
+		return handleSyncError(accountId, message, onError, afterCall);
+	}
+}
+/**
+* Get credential (reuse existing or create new)
+*/
+async function getOrCreateCredential(webAuthnManager, accountId, reuseCredential, allowedCredentialIds) {
+	if (reuseCredential) {
+		const prfResults = reuseCredential.clientExtensionResults?.prf?.results;
+		if (!prfResults?.first || !prfResults?.second) throw new Error("Reused credential missing PRF outputs - cannot proceed with sync");
+		return reuseCredential;
+	}
+	const challenge = require_vrf_worker.createRandomVRFChallenge();
+	return await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({
+		nearAccountId: accountId,
+		challenge,
+		credentialIds: allowedCredentialIds ?? []
+	});
+}
+/**
+* Handle sync error
+*/
+function handleSyncError(accountId, errorMessage, onError, afterCall) {
+	console.error("[syncAccount] Error:", errorMessage);
+	onError?.(new Error(errorMessage));
+	const errorResult = {
+		success: false,
+		accountId,
+		publicKey: "",
+		message: `Sync failed: ${errorMessage}`,
+		error: errorMessage
+	};
+	afterCall?.(false);
+	return errorResult;
+}
+/**
+* Perform the actual sync process
+* Syncs on-chain data and restores local IndexedDB data
+*/
+async function performAccountSync({ context, accountId, publicKey, encryptedKeypair, credential, encryptedVrfResult, onEvent }) {
+	const { webAuthnManager, nearClient, configs } = context;
+	try {
+		console.debug(`Performing sync for account: ${accountId}`);
+		onEvent?.({
+			step: 3,
+			phase: require_sdkSentEvents.SyncAccountPhase.STEP_3_SYNC_AUTHENTICATORS_ONCHAIN,
+			status: require_sdkSentEvents.SyncAccountStatus.PROGRESS,
+			message: "Syncing authenticators from onchain..."
+		});
+		const contractAuthenticators = await require_rpcCalls.syncAuthenticatorsContractCall(nearClient, configs.contractId, accountId);
+		const credentialIdUsed = credential.rawId;
+		const matchingAuthenticator = contractAuthenticators.find((auth) => auth.credentialId === credentialIdUsed);
+		if (!matchingAuthenticator) throw new Error(`Could not find authenticator for credential ${credentialIdUsed}`);
+		const deviceNumber = matchingAuthenticator.authenticator.deviceNumber;
+		if (deviceNumber === void 0) throw new Error(`Device number not found for authenticator ${credentialIdUsed}`);
+		const serverEncryptedVrfKeypairObj = encryptedVrfResult.serverEncryptedVrfKeypair;
+		await restoreUserData({
+			webAuthnManager,
+			accountId,
+			deviceNumber,
+			publicKey,
+			encryptedVrfKeypair: encryptedVrfResult.encryptedVrfKeypair,
+			serverEncryptedVrfKeypair: serverEncryptedVrfKeypairObj,
+			encryptedNearKeypair: encryptedKeypair,
+			credential
+		});
+		await restoreAuthenticators({
+			webAuthnManager,
+			accountId,
+			contractAuthenticators: [matchingAuthenticator],
+			vrfPublicKey: encryptedVrfResult.vrfPublicKey
+		});
+		onEvent?.({
+			step: 4,
+			phase: require_sdkSentEvents.SyncAccountPhase.STEP_4_AUTHENTICATOR_SAVED,
+			status: require_sdkSentEvents.SyncAccountStatus.SUCCESS,
+			message: "Restored Passkey authenticator..."
+		});
+		await activateThresholdEnrollment({
+			context,
+			accountId,
+			deviceNumber,
+			localPublicKey: publicKey,
+			wrapKeySalt: String(encryptedKeypair.wrapKeySalt || "").trim(),
+			contractAuthenticators
+		});
+		console.debug("Unlocking VRF keypair in memory after account sync");
+		const unlockResult = await webAuthnManager.unlockVRFKeypair({
+			nearAccountId: accountId,
+			encryptedVrfKeypair: encryptedVrfResult.encryptedVrfKeypair,
+			credential
+		});
+		if (!unlockResult.success) console.warn("Failed to unlock VRF keypair after sync:", unlockResult.error);
+		else console.debug("VRF keypair unlocked successfully after account sync");
+		try {
+			await webAuthnManager.initializeCurrentUser(accountId, context.nearClient);
+		} catch (initErr) {
+			console.warn("Failed to initialize current user after sync:", initErr);
+		}
+		return {
+			success: true,
+			accountId,
+			publicKey,
+			message: "Account successfully synced"
+		};
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		console.error("[performAccountSync] Error:", error);
+		throw new Error(`Sync process failed: ${message}`);
+	}
+}
+async function restoreUserData({ webAuthnManager, accountId, deviceNumber, publicKey, encryptedVrfKeypair, serverEncryptedVrfKeypair, encryptedNearKeypair, credential }) {
+	const existingUser = await webAuthnManager.getUserByDevice(accountId, deviceNumber);
+	if (!encryptedNearKeypair.wrapKeySalt) throw new Error("Missing wrapKeySalt in recovered key material; re-register to upgrade vault format.");
+	const wrapKeySalt = encryptedNearKeypair.wrapKeySalt;
+	const chacha20NonceB64u = encryptedNearKeypair.chacha20NonceB64u;
+	if (!chacha20NonceB64u) throw new Error("Missing chacha20NonceB64u in recovered key material; cannot store encrypted NEAR key.");
+	await require_index.IndexedDBManager.nearKeysDB.storeKeyMaterial({
+		kind: "local_near_sk_v3",
+		nearAccountId: accountId,
+		deviceNumber,
+		publicKey,
+		encryptedSk: encryptedNearKeypair.encryptedPrivateKey,
+		chacha20NonceB64u,
+		wrapKeySalt,
+		timestamp: Date.now()
+	});
+	if (!existingUser) await webAuthnManager.registerUser({
+		nearAccountId: accountId,
+		deviceNumber,
+		version: 2,
+		clientNearPublicKey: publicKey,
+		lastUpdated: Date.now(),
+		passkeyCredential: {
+			id: credential.id,
+			rawId: credential.rawId
+		},
+		encryptedVrfKeypair: {
+			encryptedVrfDataB64u: encryptedVrfKeypair.encryptedVrfDataB64u,
+			chacha20NonceB64u: encryptedVrfKeypair.chacha20NonceB64u
+		},
+		serverEncryptedVrfKeypair
+	});
+	else await webAuthnManager.storeUserData({
+		nearAccountId: accountId,
+		clientNearPublicKey: publicKey,
+		lastUpdated: Date.now(),
+		passkeyCredential: existingUser.passkeyCredential,
+		encryptedVrfKeypair: {
+			encryptedVrfDataB64u: encryptedVrfKeypair.encryptedVrfDataB64u,
+			chacha20NonceB64u: encryptedVrfKeypair.chacha20NonceB64u
+		},
+		serverEncryptedVrfKeypair,
+		deviceNumber
+	});
+}
+async function restoreAuthenticators({ webAuthnManager, accountId, contractAuthenticators, vrfPublicKey }) {
+	for (const { credentialId, authenticator } of contractAuthenticators) {
+		const credentialPublicKey = authenticator.credentialPublicKey;
+		const validTransports = authenticator.transports.filter((transport) => transport !== void 0 && transport !== null && typeof transport === "string");
+		const transports = validTransports?.length > 0 ? validTransports : ["internal"];
+		const deviceNumber = authenticator.deviceNumber;
+		console.debug("Restoring authenticator with device number:", deviceNumber, authenticator);
+		await webAuthnManager.storeAuthenticator({
+			nearAccountId: accountId,
+			credentialId,
+			credentialPublicKey,
+			transports,
+			name: `Recovered Device ${deviceNumber} Passkey`,
+			registered: authenticator.registered.toISOString(),
+			syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
+			vrfPublicKey,
+			deviceNumber
+		});
+	}
+}
+async function activateThresholdEnrollment(args) {
+	const deviceNumber = require_getDeviceNumber.parseDeviceNumber(args.deviceNumber, { min: 1 });
+	if (deviceNumber === null) throw new Error(`Invalid deviceNumber for threshold enrollment: ${String(args.deviceNumber)}`);
+	try {
+		await args.context.webAuthnManager.setLastUser(args.accountId, deviceNumber);
+	} catch {}
+	const existing = await require_index.IndexedDBManager.nearKeysDB.getThresholdKeyMaterial(args.accountId, deviceNumber);
+	if (existing) return;
+	try {
+		const thresholdPublicKey = await inferThresholdPublicKeyNoPrompt({
+			nearClient: args.context.nearClient,
+			accountId: args.accountId,
+			localPublicKey: args.localPublicKey,
+			contractAuthenticators: args.contractAuthenticators
+		});
+		if (!thresholdPublicKey) return;
+		if (!args.wrapKeySalt) return;
+		await require_index.IndexedDBManager.nearKeysDB.storeKeyMaterial({
+			kind: "threshold_ed25519_2p_v1",
+			nearAccountId: args.accountId,
+			deviceNumber,
+			publicKey: thresholdPublicKey,
+			wrapKeySalt: args.wrapKeySalt,
+			relayerKeyId: thresholdPublicKey,
+			clientShareDerivation: "prf_first_v1",
+			participants: require_participants.buildThresholdEd25519Participants2pV1({
+				relayerKeyId: thresholdPublicKey,
+				relayerUrl: args.context.configs?.relayer?.url,
+				clientShareDerivation: "prf_first_v1"
+			}),
+			timestamp: Date.now()
+		});
+	} catch (e) {
+		console.warn("[syncAccount] Skipping threshold key restoration (non-fatal):", e);
+	}
+}
+async function inferThresholdPublicKeyNoPrompt(args) {
+	const localKeys = /* @__PURE__ */ new Set();
+	const localPublicKey = require_validation.ensureEd25519Prefix(String(args.localPublicKey || "").trim());
+	if (localPublicKey) localKeys.add(localPublicKey);
+	for (const entry of args.contractAuthenticators) {
+		const pk = require_validation.ensureEd25519Prefix(String(entry.nearPublicKey || "").trim());
+		if (pk) localKeys.add(pk);
+	}
+	const accessKeyList = await args.nearClient.viewAccessKeyList(String(args.accountId));
+	const onChainKeys = Array.from(new Set((accessKeyList?.keys || []).map((k) => require_validation.ensureEd25519Prefix(String(k?.public_key || "").trim())).filter((k) => !!k)));
+	const candidates = onChainKeys.filter((k) => !localKeys.has(k));
+	if (candidates.length === 1) return candidates[0];
+	if (onChainKeys.length === 2 && localPublicKey) {
+		const other = onChainKeys.find((k) => k !== localPublicKey);
+		return other || null;
+	}
+	return null;
+}
+//#endregion
+exports.SyncAccountFlow = SyncAccountFlow;
+//# sourceMappingURL=syncAccount.js.map

package/dist/cjs/react/src/core/TatchiPasskey/syncAccount.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"syncAccount.js","names":["validateNearAccountId","toAccountId","createRandomVRFChallenge","parseAccountIdFromUserHandle","option: PasskeyOption","error: unknown","getCredentialIdsContractCall","SyncAccountPhase","SyncAccountStatus","vrfInputData: VRFInputData","hasAccessKey","errorResult: SyncAccountResult","syncAuthenticatorsContractCall","IndexedDBManager","parseDeviceNumber","buildThresholdEd25519Participants2pV1","ensureEd25519Prefix"],"sources":["../../../../../../src/core/TatchiPasskey/syncAccount.ts"],"sourcesContent":["import type { AfterCall, SyncAccountSSEEvent, EventCallback } from '../types/sdkSentEvents';\nimport { SyncAccountPhase, SyncAccountStatus, SyncAccountHooksOptions } from '../types/sdkSentEvents';\nimport type { PasskeyManagerContext } from './index';\nimport type {\n AccountId,\n StoredAuthenticator,\n VRFChallenge,\n WebAuthnAuthenticationCredential\n} from '../types';\nimport type { EncryptedVRFKeypair, ServerEncryptedVrfKeypair } from '../types/vrf-worker';\nimport { ensureEd25519Prefix, validateNearAccountId } from '../../utils/validation';\nimport { parseAccountIdFromUserHandle } from '../WebAuthnManager/userHandle';\nimport { toAccountId } from '../types/accountIds';\nimport { createRandomVRFChallenge } from '../types/vrf-worker';\nimport { WebAuthnManager } from '../WebAuthnManager';\nimport { IndexedDBManager } from '../IndexedDBManager';\nimport type { VRFInputData } from '../types/vrf-worker';\nimport type { OriginPolicyInput, UserVerificationPolicy } from '../types/authenticatorOptions';\nimport { parseDeviceNumber } from '../WebAuthnManager/SignerWorkerManager/getDeviceNumber';\nimport { buildThresholdEd25519Participants2pV1 } from '../../threshold/participants';\nimport {\n getCredentialIdsContractCall,\n hasAccessKey,\n syncAuthenticatorsContractCall\n} from '../rpcCalls';\n\n/**\n * Use case:\n * Suppose a user accidentally clears their browser's indexedDB, and deletes their:\n * - encrypted NEAR keypair\n * - encrypted VRF keypair\n * - webauthn authenticator\n * Provide a way for the user to sync their account from on-chain authenticator information with their passkey.\n */\n\nexport interface SyncAccountResult {\n success: boolean;\n accountId: string;\n publicKey: string;\n message: string;\n error?: string;\n loginState?: {\n isLoggedIn: boolean;\n vrfActive: boolean;\n vrfSessionDuration?: number;\n };\n}\n\nexport interface SyncAccountLookupResult {\n accountId: string;\n publicKey: string;\n hasAccess: boolean;\n}\n\nexport interface PasskeyOption {\n credentialId: string;\n accountId: AccountId | null;\n publicKey: string;\n displayName: string;\n credential: WebAuthnAuthenticationCredential | null;\n}\n\n// Public-facing passkey option without sensitive credential data\nexport interface PasskeyOptionWithoutCredential {\n credentialId: string;\n accountId: string | null;\n publicKey: string;\n displayName: string;\n}\n\n// Internal selection identifier for secure credential lookup\nexport interface PasskeySelection {\n credentialId: string;\n accountId: string | null;\n}\n\n/**\n * Account sync flow with credential encapsulation\n *\n * Usage:\n * ```typescript\n * const flow = new SyncAccountFlow(context);\n * const options = await flow.discover(); // Get safe display options\n * // ... user selects account in UI ...\n * const result = await flow.sync({ credentialId, accountId }); // Execute sync\n * ```\n */\nexport class SyncAccountFlow {\n private context: PasskeyManagerContext;\n private options?: SyncAccountHooksOptions;\n private availableAccounts?: PasskeyOption[]; // Full options with credentials (private)\n private phase: 'idle' | 'discovering' | 'ready' | 'syncing' | 'complete' | 'error' = 'idle';\n private error?: Error;\n\n constructor(context: PasskeyManagerContext, options?: SyncAccountHooksOptions) {\n this.context = context;\n this.options = options;\n }\n\n /**\n * Phase 1: Discover available accounts\n * Returns safe display data without exposing credentials to UI\n */\n async discover(accountId: string): Promise<PasskeyOptionWithoutCredential[]> {\n try {\n this.phase = 'discovering';\n const normalizedAccountId = normalizeSyncAccountIdInput(accountId);\n const hasValidAccount = !!normalizedAccountId && validateNearAccountId(normalizedAccountId).valid;\n\n if (hasValidAccount) {\n const nearAccountId = toAccountId(normalizedAccountId);\n // Contract-based lookup; no WebAuthn prompt during discovery\n this.availableAccounts = await getSyncableAccounts(this.context, nearAccountId);\n } else {\n // No typed account: prompt once to select a passkey (platform chooser),\n // then infer the accountId from userHandle (set at registration time).\n const challenge = createRandomVRFChallenge();\n const credential = await this.context.webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n // Account is unknown here – we only need userHandle for inference.\n nearAccountId: '' as AccountId,\n challenge: challenge as VRFChallenge,\n credentialIds: [],\n });\n\n // Try to infer accountId from userHandle\n const inferredAccountId = parseAccountIdFromUserHandle(credential.response?.userHandle);\n\n const option: PasskeyOption = {\n // Use rawId (base64url) consistently with on-chain/IndexedDB credential IDs.\n credentialId: credential.rawId,\n accountId: inferredAccountId ? toAccountId(inferredAccountId) : null,\n publicKey: '',\n displayName: inferredAccountId ? `${inferredAccountId}` : 'Discovered passkey',\n // Do not reuse this discovery credential during sync:\n // PRF outputs are scoped to the salts used above (nearAccountId=\"\"),\n // and will not match the real account-specific salts needed to\n // deterministically derive the correct on-chain access key.\n credential: null,\n };\n this.availableAccounts = [option];\n }\n\n if (!this.availableAccounts || this.availableAccounts.length === 0) {\n console.warn('No syncable accounts found for this passkey');\n } else {\n console.debug(`SyncAccountFlow: Found ${this.availableAccounts.length} syncable accounts`);\n }\n\n this.phase = 'ready';\n\n // Return safe options without credentials for UI display\n return this.availableAccounts.map(option => ({\n credentialId: option.credentialId,\n accountId: option.accountId,\n publicKey: option.publicKey,\n displayName: option.displayName\n }));\n\n } catch (error: unknown) {\n const failure = error instanceof Error ? error : new Error(String(error));\n this.phase = 'error';\n this.error = failure;\n console.error('SyncAccountFlow: Discovery failed:', failure);\n throw failure;\n }\n }\n\n /**\n * Phase 2: Execute sync with user selection\n * Securely looks up credential based on selection\n */\n async sync(selection: PasskeySelection): Promise<SyncAccountResult> {\n if (this.phase !== 'ready') {\n throw new Error(`Cannot sync - flow is in ${this.phase} phase. Call discover() first.`);\n }\n if (!this.availableAccounts) {\n throw new Error('No available accounts found. Call discover() first.');\n }\n\n try {\n this.phase = 'syncing';\n console.debug(`SyncAccountFlow: Syncing account: ${selection.accountId}`);\n\n // Securely lookup the full option with credential\n const selectedOption = this.availableAccounts.find(\n option => option.credentialId === selection.credentialId &&\n option.accountId === selection.accountId\n );\n\n if (!selectedOption) {\n throw new Error('Invalid selection - account not found in available options');\n }\n if (!selectedOption.accountId) {\n // Attempt to infer accountId from the stored discovery credential first.\n const storedAccount = parseAccountIdFromUserHandle(selectedOption.credential?.response?.userHandle);\n if (storedAccount) {\n selectedOption.accountId = toAccountId(storedAccount);\n } else {\n // Fall back to a one-time re-prompt to infer accountId from userHandle.\n try {\n const challenge = createRandomVRFChallenge();\n const cred = await this.context.webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId: '' as AccountId,\n challenge: challenge as VRFChallenge,\n credentialIds: selectedOption.credentialId && selectedOption.credentialId !== 'manual-input'\n ? [selectedOption.credentialId]\n : [],\n });\n const maybeAccount = parseAccountIdFromUserHandle(cred.response?.userHandle);\n if (maybeAccount) {\n selectedOption.accountId = toAccountId(maybeAccount);\n }\n } catch {}\n }\n if (!selectedOption.accountId) {\n throw new Error('Invalid account selection - no account ID provided');\n }\n }\n\n // If multiple credentials exist for this account, allow the platform chooser UI\n // by passing all known credential IDs for this account as allowCredentials.\n const allowList = (() => {\n try {\n if (!this.availableAccounts) return undefined;\n if (!selectedOption.credentialId || selectedOption.credentialId === 'manual-input') return undefined;\n const ids = this.availableAccounts\n .filter(opt => opt.accountId === selectedOption.accountId && opt.credentialId && opt.credentialId !== 'manual-input')\n .map(opt => opt.credentialId);\n const uniq = Array.from(new Set(ids));\n return uniq.length > 0 ? uniq : undefined;\n } catch { return undefined; }\n })();\n\n const syncResult = await syncAccount(\n this.context,\n selectedOption.accountId,\n this.options,\n selectedOption.credential ?? undefined,\n allowList\n );\n\n this.phase = 'complete';\n return syncResult;\n\n } catch (error: unknown) {\n const failure = error instanceof Error ? error : new Error(String(error));\n this.phase = 'error';\n this.error = failure;\n console.error('SyncAccountFlow: Sync failed:', failure);\n throw failure;\n }\n }\n\n /**\n * Get current flow state (safe display data only)\n */\n getState() {\n // Convert internal accounts to safe display format\n const safeAccounts = this.availableAccounts?.map(option => ({\n credentialId: option.credentialId,\n accountId: option.accountId,\n publicKey: option.publicKey,\n displayName: option.displayName\n }));\n\n return {\n phase: this.phase,\n availableAccounts: safeAccounts,\n error: this.error,\n isReady: this.phase === 'ready',\n isComplete: this.phase === 'complete',\n hasError: this.phase === 'error'\n };\n }\n\n /**\n * Reset flow to initial state\n */\n reset() {\n this.phase = 'idle';\n this.availableAccounts = undefined;\n this.error = undefined;\n }\n}\n\nfunction normalizeSyncAccountIdInput(input: string): string {\n const raw = String(input || '').trim();\n if (!raw) return '';\n\n // Common copy/paste: Nearblocks account URL\n const match = raw.match(/nearblocks\\.io\\/(?:address|account)\\/([^/?#]+)/i);\n if (match?.[1]) return match[1];\n\n try {\n const u = new URL(raw);\n const parts = String(u.pathname || '').split('/').filter(Boolean);\n const idx = parts.findIndex((p) => p === 'address' || p === 'account');\n if (idx >= 0 && parts[idx + 1]) return parts[idx + 1];\n } catch {}\n\n return raw;\n}\n\n/**\n * Get available passkeys for account sync\n */\nasync function getSyncableAccounts(\n context: PasskeyManagerContext,\n accountId: AccountId\n): Promise<PasskeyOption[]> {\n const availablePasskeys = await getAvailablePasskeysForDomain(context, accountId);\n return availablePasskeys.filter(passkey => passkey.accountId !== null);\n}\n\n/**\n * Discover passkeys for domain using contract-based lookup\n */\nasync function getAvailablePasskeysForDomain(\n context: PasskeyManagerContext,\n accountId: AccountId\n): Promise<PasskeyOption[]> {\n const { nearClient, configs } = context;\n\n const credentialIds = await getCredentialIdsContractCall(nearClient, configs.contractId, accountId);\n\n // Do not invoke WebAuthn here; just return display options bound to credential IDs\n if (credentialIds.length > 0) {\n return credentialIds.map((credentialId, idx) => ({\n credentialId,\n accountId,\n publicKey: '',\n displayName: credentialIds.length > 1 ? `${accountId} (passkey ${idx + 1})` : `${accountId}`,\n credential: null,\n }));\n }\n // If no contract credentials found for this specific account, do not fall back\n // to an unrestricted OS credential prompt here. Returning an empty set lets\n // the caller surface a precise message (no syncable accounts for this ID),\n // avoiding accidental selection of a passkey from a different account.\n return [];\n}\n\n/**\n * Main account sync function\n */\nexport async function syncAccount(\n context: PasskeyManagerContext,\n accountId: AccountId,\n options?: SyncAccountHooksOptions,\n reuseCredential?: WebAuthnAuthenticationCredential,\n allowedCredentialIds?: string[]\n): Promise<SyncAccountResult> {\n const { onEvent, onError, afterCall } = options || {};\n const { webAuthnManager, nearClient, configs } = context;\n\n onEvent?.({\n step: 1,\n phase: SyncAccountPhase.STEP_1_PREPARATION,\n status: SyncAccountStatus.PROGRESS,\n message: 'Preparing account sync...',\n });\n\n try {\n const validation = validateNearAccountId(accountId);\n if (!validation.valid) {\n return handleSyncError(accountId, `Invalid NEAR account ID: ${validation.error}`, onError, afterCall);\n }\n\n onEvent?.({\n step: 2,\n phase: SyncAccountPhase.STEP_2_WEBAUTHN_AUTHENTICATION,\n status: SyncAccountStatus.PROGRESS,\n message: 'Authenticating with contract...',\n });\n\n const credential = await getOrCreateCredential(\n webAuthnManager,\n accountId,\n reuseCredential,\n allowedCredentialIds\n );\n // Cross-check: ensure the authenticator's userHandle maps to the same account,\n // when available. This avoids deriving a key for the wrong account if the user\n // picks an unrelated passkey from the platform chooser.\n const passkeyAccount = parseAccountIdFromUserHandle(credential.response?.userHandle);\n if (passkeyAccount && passkeyAccount !== accountId) {\n return handleSyncError(\n accountId,\n `Selected passkey belongs to ${passkeyAccount}, not ${accountId}`,\n onError,\n afterCall\n );\n }\n\n const blockInfo = await nearClient.viewBlock({ finality: 'final' });\n const blockHeight = String(blockInfo.header.height);\n const blockHash = blockInfo.header.hash;\n\n const vrfInputData: VRFInputData = {\n userId: accountId,\n rpId: webAuthnManager.getRpId(),\n blockHeight,\n blockHash,\n };\n\n // Generate VRF keypair first before recovering keypair\n // keypair recovery needs the VRF keypair in memory to derive the WrapKeySeed\n const deterministicVrfResult = await webAuthnManager.deriveVrfKeypair({\n credential,\n nearAccountId: accountId,\n vrfInputData,\n });\n\n if (!deterministicVrfResult.success) {\n throw new Error('Failed to derive deterministic VRF keypair and generate challenge from PRF');\n }\n\n // Now recover the NEAR keypair (uses VRF keypair to derive WrapKeySeed)\n const recoveredKeypair = await webAuthnManager.recoverKeypairFromPasskey(\n credential,\n accountId\n );\n if (!recoveredKeypair.wrapKeySalt) {\n throw new Error('Missing wrapKeySalt in derived key material; re-register to upgrade vault format.');\n }\n\n // Check if the recovered public key has access to the account.\n // `viewAccessKey` throws when the key doesn't exist; use the boolean helper instead.\n const hasAccess = await hasAccessKey(nearClient, accountId, recoveredKeypair.publicKey, { attempts: 1, delayMs: 0 });\n\n if (!hasAccess) {\n return handleSyncError(\n accountId,\n `Account ${accountId} does not have access key ${recoveredKeypair.publicKey} (check you selected the correct passkey)`,\n onError,\n afterCall\n );\n }\n\n const syncResult = await performAccountSync({\n context,\n accountId,\n publicKey: recoveredKeypair.publicKey,\n encryptedKeypair: {\n encryptedPrivateKey: recoveredKeypair.encryptedPrivateKey,\n chacha20NonceB64u: recoveredKeypair.chacha20NonceB64u,\n wrapKeySalt: recoveredKeypair.wrapKeySalt,\n },\n credential: credential,\n encryptedVrfResult: {\n vrfPublicKey: deterministicVrfResult.vrfPublicKey,\n encryptedVrfKeypair: deterministicVrfResult.encryptedVrfKeypair,\n serverEncryptedVrfKeypair: deterministicVrfResult.serverEncryptedVrfKeypair || undefined,\n },\n onEvent,\n });\n\n onEvent?.({\n step: 5,\n phase: SyncAccountPhase.STEP_5_SYNC_ACCOUNT_COMPLETE,\n status: SyncAccountStatus.SUCCESS,\n message: 'Account sync completed successfully',\n data: { syncResult },\n });\n\n afterCall?.(true, syncResult);\n return syncResult;\n } catch (error: unknown) {\n const message = error instanceof Error ? error.message : String(error);\n const err = error instanceof Error ? error : new Error(message);\n // Clear any VRF session that might have been established during sync\n try {\n await webAuthnManager.clearVrfSession();\n } catch (clearError) {\n console.warn('Failed to clear VRF session after sync error:', clearError);\n }\n\n onError?.(err);\n return handleSyncError(accountId, message, onError, afterCall);\n }\n}\n\n/**\n * Get credential (reuse existing or create new)\n */\nasync function getOrCreateCredential(\n webAuthnManager: WebAuthnManager,\n accountId: AccountId,\n reuseCredential?: WebAuthnAuthenticationCredential,\n allowedCredentialIds?: string[]\n): Promise<WebAuthnAuthenticationCredential> {\n\n if (reuseCredential) {\n const prfResults = reuseCredential.clientExtensionResults?.prf?.results;\n if (!prfResults?.first || !prfResults?.second) {\n throw new Error('Reused credential missing PRF outputs - cannot proceed with sync');\n }\n return reuseCredential;\n }\n\n const challenge = createRandomVRFChallenge();\n\n return await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({\n nearAccountId: accountId,\n challenge: challenge as VRFChallenge,\n credentialIds: allowedCredentialIds ?? []\n });\n}\n\n/**\n * Handle sync error\n */\nfunction handleSyncError(\n accountId: AccountId,\n errorMessage: string,\n onError?: (error: Error) => void,\n afterCall?: AfterCall<SyncAccountResult>\n): SyncAccountResult {\n console.error('[syncAccount] Error:', errorMessage);\n onError?.(new Error(errorMessage));\n\n const errorResult: SyncAccountResult = {\n success: false,\n accountId,\n publicKey: '',\n message: `Sync failed: ${errorMessage}`,\n error: errorMessage\n };\n\n afterCall?.(false);\n return errorResult;\n}\n\n/**\n * Perform the actual sync process\n * Syncs on-chain data and restores local IndexedDB data\n */\nasync function performAccountSync({\n context,\n accountId,\n publicKey,\n encryptedKeypair,\n credential,\n encryptedVrfResult,\n onEvent,\n}: {\n context: PasskeyManagerContext,\n accountId: AccountId,\n publicKey: string,\n encryptedKeypair: {\n encryptedPrivateKey: string,\n /**\n * Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key.\n */\n chacha20NonceB64u: string,\n wrapKeySalt?: string,\n },\n credential: WebAuthnAuthenticationCredential,\n encryptedVrfResult: {\n encryptedVrfKeypair: EncryptedVRFKeypair;\n vrfPublicKey: string\n serverEncryptedVrfKeypair?: ServerEncryptedVrfKeypair\n },\n onEvent?: EventCallback<SyncAccountSSEEvent>,\n}): Promise<SyncAccountResult> {\n\n const { webAuthnManager, nearClient, configs } = context;\n\n try {\n console.debug(`Performing sync for account: ${accountId}`);\n onEvent?.({\n step: 3,\n phase: SyncAccountPhase.STEP_3_SYNC_AUTHENTICATORS_ONCHAIN,\n status: SyncAccountStatus.PROGRESS,\n message: 'Syncing authenticators from onchain...',\n });\n\n // 1. Sync on-chain authenticator data\n const contractAuthenticators = await syncAuthenticatorsContractCall(nearClient, configs.contractId, accountId);\n\n // 2. Find the matching authenticator to get the correct device number\n // Serialized auth credential.rawId is already base64url-encoded\n const credentialIdUsed = credential.rawId;\n const matchingAuthenticator = contractAuthenticators.find(auth => auth.credentialId === credentialIdUsed);\n\n if (!matchingAuthenticator) {\n throw new Error(`Could not find authenticator for credential ${credentialIdUsed}`);\n }\n\n const deviceNumber = matchingAuthenticator.authenticator.deviceNumber;\n if (deviceNumber === undefined) {\n throw new Error(`Device number not found for authenticator ${credentialIdUsed}`);\n }\n\n // 3. Restore user data to IndexedDB with correct device number\n // Use the server-encrypted VRF keypair directly from the VRF worker result\n const serverEncryptedVrfKeypairObj = encryptedVrfResult.serverEncryptedVrfKeypair;\n\n await restoreUserData({\n webAuthnManager,\n accountId,\n deviceNumber,\n publicKey,\n encryptedVrfKeypair: encryptedVrfResult.encryptedVrfKeypair,\n serverEncryptedVrfKeypair: serverEncryptedVrfKeypairObj,\n encryptedNearKeypair: encryptedKeypair,\n credential\n });\n\n // 4. Restore only the authenticator used for sync\n await restoreAuthenticators({\n webAuthnManager,\n accountId,\n contractAuthenticators: [matchingAuthenticator],\n vrfPublicKey: encryptedVrfResult.vrfPublicKey\n // deterministically derived VRF keypair\n });\n\n onEvent?.({\n step: 4,\n phase: SyncAccountPhase.STEP_4_AUTHENTICATOR_SAVED,\n status: SyncAccountStatus.SUCCESS,\n message: 'Restored Passkey authenticator...',\n });\n\n // Activate threshold enrollment for this device by ensuring threshold key\n // material is available locally (and AddKey if needed).\n await activateThresholdEnrollment({\n context,\n accountId,\n deviceNumber,\n localPublicKey: publicKey,\n wrapKeySalt: String(encryptedKeypair.wrapKeySalt || '').trim(),\n contractAuthenticators,\n });\n\n // 5. Unlock VRF keypair in memory for immediate use\n console.debug('Unlocking VRF keypair in memory after account sync');\n const unlockResult = await webAuthnManager.unlockVRFKeypair({\n nearAccountId: accountId,\n encryptedVrfKeypair: encryptedVrfResult.encryptedVrfKeypair,\n credential: credential,\n });\n\n if (!unlockResult.success) {\n console.warn('Failed to unlock VRF keypair after sync:', unlockResult.error);\n // Don't throw error here - sync was successful, but VRF unlock failed\n } else {\n console.debug('VRF keypair unlocked successfully after account sync');\n }\n\n // 6. Initialize current user only after a successful unlock\n try {\n await webAuthnManager.initializeCurrentUser(accountId, context.nearClient);\n } catch (initErr) {\n console.warn('Failed to initialize current user after sync:', initErr);\n }\n\n return {\n success: true,\n accountId,\n publicKey,\n message: 'Account successfully synced',\n };\n\n } catch (error: unknown) {\n const message = error instanceof Error ? error.message : String(error);\n console.error('[performAccountSync] Error:', error);\n throw new Error(`Sync process failed: ${message}`);\n }\n}\n\n/** Stored authenticator onchain uses snake case */\nexport interface ContractStoredAuthenticator {\n // V4 contract fields (snake_case JSON)\n credential_public_key: number[] | Uint8Array;\n transports?: AuthenticatorTransport[] | null;\n registered: string; // ISO timestamp (legacy contracts may return numeric timestamp string)\n expected_rp_id?: string;\n origin_policy?: OriginPolicyInput;\n user_verification?: UserVerificationPolicy;\n vrf_public_keys?: Array<number[] | Uint8Array> | string[];\n device_number: number; // 1-indexed for UX\n near_public_key?: string;\n}\n\nasync function restoreUserData({\n webAuthnManager,\n accountId,\n deviceNumber,\n publicKey,\n encryptedVrfKeypair,\n serverEncryptedVrfKeypair,\n encryptedNearKeypair,\n credential\n}: {\n webAuthnManager: WebAuthnManager,\n accountId: AccountId,\n deviceNumber: number,\n publicKey: string,\n encryptedVrfKeypair: EncryptedVRFKeypair,\n serverEncryptedVrfKeypair?: ServerEncryptedVrfKeypair,\n encryptedNearKeypair: {\n encryptedPrivateKey: string;\n /** Base64url-encoded AEAD nonce (ChaCha20-Poly1305) for the encrypted private key */\n chacha20NonceB64u: string;\n wrapKeySalt?: string;\n },\n credential: WebAuthnAuthenticationCredential\n}) {\n const existingUser = await webAuthnManager.getUserByDevice(accountId, deviceNumber);\n if (!encryptedNearKeypair.wrapKeySalt) {\n throw new Error('Missing wrapKeySalt in recovered key material; re-register to upgrade vault format.');\n }\n const wrapKeySalt = encryptedNearKeypair.wrapKeySalt;\n\n const chacha20NonceB64u = encryptedNearKeypair.chacha20NonceB64u;\n if (!chacha20NonceB64u) {\n throw new Error('Missing chacha20NonceB64u in recovered key material; cannot store encrypted NEAR key.');\n }\n\n // Store the encrypted NEAR keypair in the encrypted keys database\n await IndexedDBManager.nearKeysDB.storeKeyMaterial({\n kind: 'local_near_sk_v3',\n nearAccountId: accountId,\n deviceNumber,\n publicKey,\n encryptedSk: encryptedNearKeypair.encryptedPrivateKey,\n chacha20NonceB64u,\n wrapKeySalt,\n timestamp: Date.now()\n });\n\n if (!existingUser) {\n await webAuthnManager.registerUser({\n nearAccountId: accountId,\n deviceNumber,\n version: 2,\n clientNearPublicKey: publicKey,\n lastUpdated: Date.now(),\n passkeyCredential: {\n id: credential.id,\n rawId: credential.rawId\n },\n encryptedVrfKeypair: {\n encryptedVrfDataB64u: encryptedVrfKeypair.encryptedVrfDataB64u,\n chacha20NonceB64u: encryptedVrfKeypair.chacha20NonceB64u,\n },\n serverEncryptedVrfKeypair,\n });\n } else {\n await webAuthnManager.storeUserData({\n nearAccountId: accountId,\n clientNearPublicKey: publicKey,\n lastUpdated: Date.now(),\n passkeyCredential: existingUser.passkeyCredential,\n encryptedVrfKeypair: {\n encryptedVrfDataB64u: encryptedVrfKeypair.encryptedVrfDataB64u,\n chacha20NonceB64u: encryptedVrfKeypair.chacha20NonceB64u,\n },\n serverEncryptedVrfKeypair,\n deviceNumber\n });\n }\n}\n\nasync function restoreAuthenticators({\n webAuthnManager,\n accountId,\n contractAuthenticators,\n vrfPublicKey\n}: {\n webAuthnManager: WebAuthnManager,\n accountId: AccountId,\n contractAuthenticators: {\n credentialId: string,\n authenticator: StoredAuthenticator\n }[],\n vrfPublicKey: string\n}) {\n for (const { credentialId, authenticator } of contractAuthenticators) {\n const credentialPublicKey = authenticator.credentialPublicKey;\n\n // Fix transport processing: filter out undefined values and provide fallback\n const validTransports = authenticator.transports.filter((transport) =>\n transport !== undefined && transport !== null && typeof transport === 'string'\n );\n\n // If no valid transports, default to 'internal' for platform authenticators\n const transports = validTransports?.length > 0 ? validTransports : ['internal'];\n\n // Extract device number from contract authenticator data (now camelCase)\n const deviceNumber = authenticator.deviceNumber;\n console.debug(\"Restoring authenticator with device number:\", deviceNumber, authenticator);\n\n await webAuthnManager.storeAuthenticator({\n nearAccountId: accountId,\n credentialId: credentialId,\n credentialPublicKey,\n transports,\n name: `Recovered Device ${deviceNumber} Passkey`,\n registered: authenticator.registered.toISOString(),\n syncedAt: new Date().toISOString(),\n vrfPublicKey,\n deviceNumber // Pass the device number from contract data\n });\n }\n}\n\nasync function activateThresholdEnrollment(args: {\n context: PasskeyManagerContext;\n accountId: AccountId;\n deviceNumber: number;\n localPublicKey: string;\n wrapKeySalt: string;\n contractAuthenticators: Array<{ credentialId: string; authenticator: StoredAuthenticator; nearPublicKey?: string }>;\n}): Promise<void> {\n const deviceNumber = parseDeviceNumber(args.deviceNumber, { min: 1 });\n if (deviceNumber === null) {\n throw new Error(`Invalid deviceNumber for threshold enrollment: ${String(args.deviceNumber)}`);\n }\n\n // Ensure WebAuthn allowCredentials selection prefers this device's passkey\n // when multiple authenticators exist for the account.\n try {\n await args.context.webAuthnManager.setLastUser(args.accountId, deviceNumber);\n } catch {}\n\n const existing = await IndexedDBManager.nearKeysDB.getThresholdKeyMaterial(args.accountId, deviceNumber);\n if (existing) return;\n\n // Avoid introducing another TouchID/WebAuthn prompt during account sync:\n // best-effort restore of threshold key metadata (no relayer keygen, no AddKey).\n try {\n const thresholdPublicKey = await inferThresholdPublicKeyNoPrompt({\n nearClient: args.context.nearClient,\n accountId: args.accountId,\n localPublicKey: args.localPublicKey,\n contractAuthenticators: args.contractAuthenticators,\n });\n if (!thresholdPublicKey) return;\n if (!args.wrapKeySalt) return;\n\n await IndexedDBManager.nearKeysDB.storeKeyMaterial({\n kind: 'threshold_ed25519_2p_v1',\n nearAccountId: args.accountId,\n deviceNumber,\n publicKey: thresholdPublicKey,\n wrapKeySalt: args.wrapKeySalt,\n relayerKeyId: thresholdPublicKey, // default: relayerKeyId := publicKey\n clientShareDerivation: 'prf_first_v1',\n participants: buildThresholdEd25519Participants2pV1({\n relayerKeyId: thresholdPublicKey,\n relayerUrl: args.context.configs?.relayer?.url,\n clientShareDerivation: 'prf_first_v1',\n }),\n timestamp: Date.now(),\n });\n } catch (e) {\n console.warn('[syncAccount] Skipping threshold key restoration (non-fatal):', e);\n }\n}\n\nasync function inferThresholdPublicKeyNoPrompt(args: {\n nearClient: PasskeyManagerContext['nearClient'];\n accountId: AccountId;\n localPublicKey: string;\n contractAuthenticators: Array<{ credentialId: string; authenticator: StoredAuthenticator; nearPublicKey?: string }>;\n}): Promise<string | null> {\n const localKeys = new Set<string>();\n const localPublicKey = ensureEd25519Prefix(String(args.localPublicKey || '').trim());\n if (localPublicKey) localKeys.add(localPublicKey);\n\n for (const entry of args.contractAuthenticators) {\n const pk = ensureEd25519Prefix(String(entry.nearPublicKey || '').trim());\n if (pk) localKeys.add(pk);\n }\n\n const accessKeyList = await args.nearClient.viewAccessKeyList(String(args.accountId));\n const onChainKeys = Array.from(\n new Set(\n (accessKeyList?.keys || [])\n .map((k: any) => ensureEd25519Prefix(String(k?.public_key || '').trim()))\n .filter((k: string) => !!k),\n ),\n );\n\n // Threshold key is any access key not associated with a device-local key.\n const candidates = onChainKeys.filter((k) => !localKeys.has(k));\n if (candidates.length === 1) return candidates[0];\n\n // Fallback: if the account has exactly two keys, treat the \"other\" key as threshold.\n if (onChainKeys.length === 2 && localPublicKey) {\n const other = onChainKeys.find((k) => k !== localPublicKey);\n return other || null;\n }\n\n return null;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAuFA,IAAa,kBAAb,MAA6B;CAC3B,AAAQ;CACR,AAAQ;CACR,AAAQ;CACR,AAAQ,QAA6E;CACrF,AAAQ;CAER,YAAY,SAAgC,SAAmC;AAC7E,OAAK,UAAU;AACf,OAAK,UAAU;;;;;;CAOjB,MAAM,SAAS,WAA8D;AAC3E,MAAI;AACF,QAAK,QAAQ;GACb,MAAM,sBAAsB,4BAA4B;GACxD,MAAM,kBAAkB,CAAC,CAAC,uBAAuBA,yCAAsB,qBAAqB;AAE5F,OAAI,iBAAiB;IACnB,MAAM,gBAAgBC,+BAAY;AAElC,SAAK,oBAAoB,MAAM,oBAAoB,KAAK,SAAS;UAC5D;IAGL,MAAM,YAAYC;IAClB,MAAM,aAAa,MAAM,KAAK,QAAQ,gBAAgB,8CAA8C;KAElG,eAAe;KACJ;KACX,eAAe;;IAIjB,MAAM,oBAAoBC,gDAA6B,WAAW,UAAU;IAE5E,MAAMC,SAAwB;KAE5B,cAAc,WAAW;KACzB,WAAW,oBAAoBH,+BAAY,qBAAqB;KAChE,WAAW;KACX,aAAa,oBAAoB,GAAG,sBAAsB;KAK1D,YAAY;;AAEd,SAAK,oBAAoB,CAAC;;AAG5B,OAAI,CAAC,KAAK,qBAAqB,KAAK,kBAAkB,WAAW,EAC/D,SAAQ,KAAK;OAEb,SAAQ,MAAM,0BAA0B,KAAK,kBAAkB,OAAO;AAGxE,QAAK,QAAQ;AAGb,UAAO,KAAK,kBAAkB,KAAI,YAAW;IAC3C,cAAc,OAAO;IACrB,WAAW,OAAO;IAClB,WAAW,OAAO;IAClB,aAAa,OAAO;;WAGfI,OAAgB;GACvB,MAAM,UAAU,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO;AAClE,QAAK,QAAQ;AACb,QAAK,QAAQ;AACb,WAAQ,MAAM,sCAAsC;AACpD,SAAM;;;;;;;CAQV,MAAM,KAAK,WAAyD;AAClE,MAAI,KAAK,UAAU,QACjB,OAAM,IAAI,MAAM,4BAA4B,KAAK,MAAM;AAEzD,MAAI,CAAC,KAAK,kBACR,OAAM,IAAI,MAAM;AAGlB,MAAI;AACF,QAAK,QAAQ;AACb,WAAQ,MAAM,qCAAqC,UAAU;GAG7D,MAAM,iBAAiB,KAAK,kBAAkB,MAC5C,WAAU,OAAO,iBAAiB,UAAU,gBACnC,OAAO,cAAc,UAAU;AAG1C,OAAI,CAAC,eACH,OAAM,IAAI,MAAM;AAElB,OAAI,CAAC,eAAe,WAAW;IAE7B,MAAM,gBAAgBF,gDAA6B,eAAe,YAAY,UAAU;AACxF,QAAI,cACF,gBAAe,YAAYF,+BAAY;QAGvC,KAAI;KACF,MAAM,YAAYC;KAClB,MAAM,OAAO,MAAM,KAAK,QAAQ,gBAAgB,8CAA8C;MAC5F,eAAe;MACJ;MACX,eAAe,eAAe,gBAAgB,eAAe,iBAAiB,iBAC1E,CAAC,eAAe,gBAChB;;KAEN,MAAM,eAAeC,gDAA6B,KAAK,UAAU;AACjE,SAAI,aACF,gBAAe,YAAYF,+BAAY;YAEnC;AAEV,QAAI,CAAC,eAAe,UAClB,OAAM,IAAI,MAAM;;GAMpB,MAAM,mBAAmB;AACvB,QAAI;AACF,SAAI,CAAC,KAAK,kBAAmB,QAAO;AACpC,SAAI,CAAC,eAAe,gBAAgB,eAAe,iBAAiB,eAAgB,QAAO;KAC3F,MAAM,MAAM,KAAK,kBACd,QAAO,QAAO,IAAI,cAAc,eAAe,aAAa,IAAI,gBAAgB,IAAI,iBAAiB,gBACrG,KAAI,QAAO,IAAI;KAClB,MAAM,OAAO,MAAM,KAAK,IAAI,IAAI;AAChC,YAAO,KAAK,SAAS,IAAI,OAAO;YAC1B;AAAE,YAAO;;;GAGnB,MAAM,aAAa,MAAM,YACvB,KAAK,SACL,eAAe,WACf,KAAK,SACL,eAAe,cAAc,QAC7B;AAGF,QAAK,QAAQ;AACb,UAAO;WAEAI,OAAgB;GACvB,MAAM,UAAU,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO;AAClE,QAAK,QAAQ;AACb,QAAK,QAAQ;AACb,WAAQ,MAAM,iCAAiC;AAC/C,SAAM;;;;;;CAOV,WAAW;EAET,MAAM,eAAe,KAAK,mBAAmB,KAAI,YAAW;GAC1D,cAAc,OAAO;GACrB,WAAW,OAAO;GAClB,WAAW,OAAO;GAClB,aAAa,OAAO;;AAGtB,SAAO;GACL,OAAO,KAAK;GACZ,mBAAmB;GACnB,OAAO,KAAK;GACZ,SAAS,KAAK,UAAU;GACxB,YAAY,KAAK,UAAU;GAC3B,UAAU,KAAK,UAAU;;;;;;CAO7B,QAAQ;AACN,OAAK,QAAQ;AACb,OAAK,oBAAoB;AACzB,OAAK,QAAQ;;;AAIjB,SAAS,4BAA4B,OAAuB;CAC1D,MAAM,MAAM,OAAO,SAAS,IAAI;AAChC,KAAI,CAAC,IAAK,QAAO;CAGjB,MAAM,QAAQ,IAAI,MAAM;AACxB,KAAI,QAAQ,GAAI,QAAO,MAAM;AAE7B,KAAI;EACF,MAAM,IAAI,IAAI,IAAI;EAClB,MAAM,QAAQ,OAAO,EAAE,YAAY,IAAI,MAAM,KAAK,OAAO;EACzD,MAAM,MAAM,MAAM,WAAW,MAAM,MAAM,aAAa,MAAM;AAC5D,MAAI,OAAO,KAAK,MAAM,MAAM,GAAI,QAAO,MAAM,MAAM;SAC7C;AAER,QAAO;;;;;AAMT,eAAe,oBACb,SACA,WAC0B;CAC1B,MAAM,oBAAoB,MAAM,8BAA8B,SAAS;AACvE,QAAO,kBAAkB,QAAO,YAAW,QAAQ,cAAc;;;;;AAMnE,eAAe,8BACb,SACA,WAC0B;CAC1B,MAAM,EAAE,YAAY,YAAY;CAEhC,MAAM,gBAAgB,MAAMC,8CAA6B,YAAY,QAAQ,YAAY;AAGzF,KAAI,cAAc,SAAS,EACzB,QAAO,cAAc,KAAK,cAAc,SAAS;EAC/C;EACA;EACA,WAAW;EACX,aAAa,cAAc,SAAS,IAAI,GAAG,UAAU,YAAY,MAAM,EAAE,KAAK,GAAG;EACjF,YAAY;;AAOhB,QAAO;;;;;AAMT,eAAsB,YACpB,SACA,WACA,SACA,iBACA,sBAC4B;CAC5B,MAAM,EAAE,SAAS,SAAS,cAAc,WAAW;CACnD,MAAM,EAAE,iBAAiB,YAAY,YAAY;AAEjD,WAAU;EACR,MAAM;EACN,OAAOC,uCAAiB;EACxB,QAAQC,wCAAkB;EAC1B,SAAS;;AAGX,KAAI;EACF,MAAM,aAAaR,yCAAsB;AACzC,MAAI,CAAC,WAAW,MACd,QAAO,gBAAgB,WAAW,4BAA4B,WAAW,SAAS,SAAS;AAG7F,YAAU;GACR,MAAM;GACN,OAAOO,uCAAiB;GACxB,QAAQC,wCAAkB;GAC1B,SAAS;;EAGX,MAAM,aAAa,MAAM,sBACvB,iBACA,WACA,iBACA;EAKF,MAAM,iBAAiBL,gDAA6B,WAAW,UAAU;AACzE,MAAI,kBAAkB,mBAAmB,UACvC,QAAO,gBACL,WACA,+BAA+B,eAAe,QAAQ,aACtD,SACA;EAIJ,MAAM,YAAY,MAAM,WAAW,UAAU,EAAE,UAAU;EACzD,MAAM,cAAc,OAAO,UAAU,OAAO;EAC5C,MAAM,YAAY,UAAU,OAAO;EAEnC,MAAMM,eAA6B;GACjC,QAAQ;GACR,MAAM,gBAAgB;GACtB;GACA;;EAKF,MAAM,yBAAyB,MAAM,gBAAgB,iBAAiB;GACpE;GACA,eAAe;GACf;;AAGF,MAAI,CAAC,uBAAuB,QAC1B,OAAM,IAAI,MAAM;EAIlB,MAAM,mBAAmB,MAAM,gBAAgB,0BAC7C,YACA;AAEF,MAAI,CAAC,iBAAiB,YACpB,OAAM,IAAI,MAAM;EAKlB,MAAM,YAAY,MAAMC,8BAAa,YAAY,WAAW,iBAAiB,WAAW;GAAE,UAAU;GAAG,SAAS;;AAEhH,MAAI,CAAC,UACH,QAAO,gBACL,WACA,WAAW,UAAU,4BAA4B,iBAAiB,UAAU,4CAC5E,SACA;EAIJ,MAAM,aAAa,MAAM,mBAAmB;GAC1C;GACA;GACA,WAAW,iBAAiB;GAC5B,kBAAkB;IAChB,qBAAqB,iBAAiB;IACtC,mBAAmB,iBAAiB;IACpC,aAAa,iBAAiB;;GAEpB;GACZ,oBAAoB;IAClB,cAAc,uBAAuB;IACrC,qBAAqB,uBAAuB;IAC5C,2BAA2B,uBAAuB,6BAA6B;;GAEjF;;AAGF,YAAU;GACR,MAAM;GACN,OAAOH,uCAAiB;GACxB,QAAQC,wCAAkB;GAC1B,SAAS;GACT,MAAM,EAAE;;AAGV,cAAY,MAAM;AAClB,SAAO;UACAH,OAAgB;EACvB,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO;EAChE,MAAM,MAAM,iBAAiB,QAAQ,QAAQ,IAAI,MAAM;AAEvD,MAAI;AACF,SAAM,gBAAgB;WACf,YAAY;AACnB,WAAQ,KAAK,iDAAiD;;AAGhE,YAAU;AACV,SAAO,gBAAgB,WAAW,SAAS,SAAS;;;;;;AAOxD,eAAe,sBACb,iBACA,WACA,iBACA,sBAC2C;AAE3C,KAAI,iBAAiB;EACnB,MAAM,aAAa,gBAAgB,wBAAwB,KAAK;AAChE,MAAI,CAAC,YAAY,SAAS,CAAC,YAAY,OACrC,OAAM,IAAI,MAAM;AAElB,SAAO;;CAGT,MAAM,YAAYH;AAElB,QAAO,MAAM,gBAAgB,8CAA8C;EACzE,eAAe;EACJ;EACX,eAAe,wBAAwB;;;;;;AAO3C,SAAS,gBACP,WACA,cACA,SACA,WACmB;AACnB,SAAQ,MAAM,wBAAwB;AACtC,WAAU,IAAI,MAAM;CAEpB,MAAMS,cAAiC;EACrC,SAAS;EACT;EACA,WAAW;EACX,SAAS,gBAAgB;EACzB,OAAO;;AAGT,aAAY;AACZ,QAAO;;;;;;AAOT,eAAe,mBAAmB,EAChC,SACA,WACA,WACA,kBACA,YACA,oBACA,WAoB6B;CAE7B,MAAM,EAAE,iBAAiB,YAAY,YAAY;AAEjD,KAAI;AACF,UAAQ,MAAM,gCAAgC;AAC9C,YAAU;GACR,MAAM;GACN,OAAOJ,uCAAiB;GACxB,QAAQC,wCAAkB;GAC1B,SAAS;;EAIX,MAAM,yBAAyB,MAAMI,gDAA+B,YAAY,QAAQ,YAAY;EAIpG,MAAM,mBAAmB,WAAW;EACpC,MAAM,wBAAwB,uBAAuB,MAAK,SAAQ,KAAK,iBAAiB;AAExF,MAAI,CAAC,sBACH,OAAM,IAAI,MAAM,+CAA+C;EAGjE,MAAM,eAAe,sBAAsB,cAAc;AACzD,MAAI,iBAAiB,OACnB,OAAM,IAAI,MAAM,6CAA6C;EAK/D,MAAM,+BAA+B,mBAAmB;AAExD,QAAM,gBAAgB;GACpB;GACA;GACA;GACA;GACA,qBAAqB,mBAAmB;GACxC,2BAA2B;GAC3B,sBAAsB;GACtB;;AAIF,QAAM,sBAAsB;GAC1B;GACA;GACA,wBAAwB,CAAC;GACzB,cAAc,mBAAmB;;AAInC,YAAU;GACR,MAAM;GACN,OAAOL,uCAAiB;GACxB,QAAQC,wCAAkB;GAC1B,SAAS;;AAKX,QAAM,4BAA4B;GAChC;GACA;GACA;GACA,gBAAgB;GAChB,aAAa,OAAO,iBAAiB,eAAe,IAAI;GACxD;;AAIF,UAAQ,MAAM;EACd,MAAM,eAAe,MAAM,gBAAgB,iBAAiB;GAC1D,eAAe;GACf,qBAAqB,mBAAmB;GAC5B;;AAGd,MAAI,CAAC,aAAa,QAChB,SAAQ,KAAK,4CAA4C,aAAa;MAGtE,SAAQ,MAAM;AAIhB,MAAI;AACF,SAAM,gBAAgB,sBAAsB,WAAW,QAAQ;WACxD,SAAS;AAChB,WAAQ,KAAK,iDAAiD;;AAGhE,SAAO;GACL,SAAS;GACT;GACA;GACA,SAAS;;UAGJH,OAAgB;EACvB,MAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU,OAAO;AAChE,UAAQ,MAAM,+BAA+B;AAC7C,QAAM,IAAI,MAAM,wBAAwB;;;AAkB5C,eAAe,gBAAgB,EAC7B,iBACA,WACA,cACA,WACA,qBACA,2BACA,sBACA,cAeC;CACD,MAAM,eAAe,MAAM,gBAAgB,gBAAgB,WAAW;AACtE,KAAI,CAAC,qBAAqB,YACxB,OAAM,IAAI,MAAM;CAElB,MAAM,cAAc,qBAAqB;CAEzC,MAAM,oBAAoB,qBAAqB;AAC/C,KAAI,CAAC,kBACH,OAAM,IAAI,MAAM;AAIlB,OAAMQ,+BAAiB,WAAW,iBAAiB;EACjD,MAAM;EACN,eAAe;EACf;EACA;EACA,aAAa,qBAAqB;EAClC;EACA;EACA,WAAW,KAAK;;AAGlB,KAAI,CAAC,aACH,OAAM,gBAAgB,aAAa;EACjC,eAAe;EACf;EACA,SAAS;EACT,qBAAqB;EACrB,aAAa,KAAK;EAClB,mBAAmB;GACjB,IAAI,WAAW;GACf,OAAO,WAAW;;EAEpB,qBAAqB;GACnB,sBAAsB,oBAAoB;GAC1C,mBAAmB,oBAAoB;;EAEzC;;KAGF,OAAM,gBAAgB,cAAc;EAClC,eAAe;EACf,qBAAqB;EACrB,aAAa,KAAK;EAClB,mBAAmB,aAAa;EAChC,qBAAqB;GACnB,sBAAsB,oBAAoB;GAC1C,mBAAmB,oBAAoB;;EAEzC;EACA;;;AAKN,eAAe,sBAAsB,EACnC,iBACA,WACA,wBACA,gBASC;AACD,MAAK,MAAM,EAAE,cAAc,mBAAmB,wBAAwB;EACpE,MAAM,sBAAsB,cAAc;EAG1C,MAAM,kBAAkB,cAAc,WAAW,QAAQ,cACvD,cAAc,UAAa,cAAc,QAAQ,OAAO,cAAc;EAIxE,MAAM,aAAa,iBAAiB,SAAS,IAAI,kBAAkB,CAAC;EAGpE,MAAM,eAAe,cAAc;AACnC,UAAQ,MAAM,+CAA+C,cAAc;AAE3E,QAAM,gBAAgB,mBAAmB;GACvC,eAAe;GACD;GACd;GACA;GACA,MAAM,oBAAoB,aAAa;GACvC,YAAY,cAAc,WAAW;GACrC,2BAAU,IAAI,QAAO;GACrB;GACA;;;;AAKN,eAAe,4BAA4B,MAOzB;CAChB,MAAM,eAAeC,0CAAkB,KAAK,cAAc,EAAE,KAAK;AACjE,KAAI,iBAAiB,KACnB,OAAM,IAAI,MAAM,kDAAkD,OAAO,KAAK;AAKhF,KAAI;AACF,QAAM,KAAK,QAAQ,gBAAgB,YAAY,KAAK,WAAW;SACzD;CAER,MAAM,WAAW,MAAMD,+BAAiB,WAAW,wBAAwB,KAAK,WAAW;AAC3F,KAAI,SAAU;AAId,KAAI;EACF,MAAM,qBAAqB,MAAM,gCAAgC;GAC/D,YAAY,KAAK,QAAQ;GACzB,WAAW,KAAK;GAChB,gBAAgB,KAAK;GACrB,wBAAwB,KAAK;;AAE/B,MAAI,CAAC,mBAAoB;AACzB,MAAI,CAAC,KAAK,YAAa;AAEvB,QAAMA,+BAAiB,WAAW,iBAAiB;GACjD,MAAM;GACN,eAAe,KAAK;GACpB;GACA,WAAW;GACX,aAAa,KAAK;GAClB,cAAc;GACd,uBAAuB;GACvB,cAAcE,2DAAsC;IAClD,cAAc;IACd,YAAY,KAAK,QAAQ,SAAS,SAAS;IAC3C,uBAAuB;;GAEzB,WAAW,KAAK;;UAEX,GAAG;AACV,UAAQ,KAAK,iEAAiE;;;AAIlF,eAAe,gCAAgC,MAKpB;CACzB,MAAM,4BAAY,IAAI;CACtB,MAAM,iBAAiBC,uCAAoB,OAAO,KAAK,kBAAkB,IAAI;AAC7E,KAAI,eAAgB,WAAU,IAAI;AAElC,MAAK,MAAM,SAAS,KAAK,wBAAwB;EAC/C,MAAM,KAAKA,uCAAoB,OAAO,MAAM,iBAAiB,IAAI;AACjE,MAAI,GAAI,WAAU,IAAI;;CAGxB,MAAM,gBAAgB,MAAM,KAAK,WAAW,kBAAkB,OAAO,KAAK;CAC1E,MAAM,cAAc,MAAM,KACxB,IAAI,KACD,eAAe,QAAQ,IACrB,KAAK,MAAWA,uCAAoB,OAAO,GAAG,cAAc,IAAI,SAChE,QAAQ,MAAc,CAAC,CAAC;CAK/B,MAAM,aAAa,YAAY,QAAQ,MAAM,CAAC,UAAU,IAAI;AAC5D,KAAI,WAAW,WAAW,EAAG,QAAO,WAAW;AAG/C,KAAI,YAAY,WAAW,KAAK,gBAAgB;EAC9C,MAAM,QAAQ,YAAY,MAAM,MAAM,MAAM;AAC5C,SAAO,SAAS;;AAGlB,QAAO"}