npm - @tatchi-xyz/sdk - Versions diffs - 0.21.0 → 0.31.1 - Mend

@tatchi-xyz/sdk 0.21.0 → 0.31.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2501) hide show

package/dist/cjs/react/src/core/WebAuthnManager/index.js ADDED Viewed

@@ -0,0 +1,1192 @@
+const require_validation = require('../../utils/validation.js');
+const require_accountIds = require('../types/accountIds.js');
+const require_signer_worker = require('../types/signer-worker.js');
+const require_participants = require('../../threshold/participants.js');
+const require_index = require('../IndexedDBManager/index.js');
+const require_rpc = require('../types/rpc.js');
+const require_NearClient = require('../NearClient.js');
+const require_base = require('../sdkPaths/base.js');
+const require_workers = require('../sdkPaths/workers.js');
+const require_touchIdPrompt = require('./touchIdPrompt.js');
+const require_rpcCalls = require('../rpcCalls.js');
+const require_getDeviceNumber = require('./SignerWorkerManager/getDeviceNumber.js');
+const require_collectAuthenticationCredentialForVrfChallenge = require('./collectAuthenticationCredentialForVrfChallenge.js');
+const require_index$1 = require('./SignerWorkerManager/index.js');
+const require_index$2 = require('./VrfWorkerManager/index.js');
+const require_userPreferences = require('./userPreferences.js');
+const require_nonceManager = require('../nonceManager.js');
+const require_host_mode = require('../WalletIframe/host-mode.js');
+const require_enrollThresholdEd25519Key = require('./threshold/enrollThresholdEd25519Key.js');
+const require_rotateThresholdEd25519KeyPostRegistration = require('./threshold/rotateThresholdEd25519KeyPostRegistration.js');
+//#region src/core/WebAuthnManager/index.ts
+/**
+* WebAuthnManager - Main orchestrator for WebAuthn operations
+*
+* Architecture:
+* - index.ts (this file): Main class orchestrating everything
+* - signerWorkerManager: NEAR transaction signing, and VRF Web3Authn verification RPC calls
+* - vrfWorkerManager: VRF keypair generation, challenge generation
+* - touchIdPrompt: TouchID prompt for biometric authentication
+*/
+var WebAuthnManager = class {
+	vrfWorkerManager;
+	signerWorkerManager;
+	touchIdPrompt;
+	userPreferencesManager;
+	nearClient;
+	nonceManager;
+	workerBaseOrigin = "";
+	activeSigningSessionIds = /* @__PURE__ */ new Map();
+	tatchiPasskeyConfigs;
+	constructor(tatchiPasskeyConfigs, nearClient) {
+		this.tatchiPasskeyConfigs = tatchiPasskeyConfigs;
+		this.nearClient = nearClient;
+		this.touchIdPrompt = new require_touchIdPrompt.TouchIdPrompt(tatchiPasskeyConfigs.iframeWallet?.rpIdOverride, true);
+		this.userPreferencesManager = require_userPreferences.default;
+		this.userPreferencesManager.configureWalletTheme?.(tatchiPasskeyConfigs.walletTheme);
+		this.userPreferencesManager.configureDefaultSignerMode?.(tatchiPasskeyConfigs.signerMode);
+		this.nonceManager = require_nonceManager.default;
+		const { vrfWorkerConfigs } = tatchiPasskeyConfigs;
+		this.vrfWorkerManager = new require_index$2.VrfWorkerManager({
+			shamirPB64u: vrfWorkerConfigs?.shamir3pass?.p,
+			relayServerUrl: vrfWorkerConfigs?.shamir3pass?.relayServerUrl,
+			applyServerLockRoute: vrfWorkerConfigs?.shamir3pass?.applyServerLockRoute,
+			removeServerLockRoute: vrfWorkerConfigs?.shamir3pass?.removeServerLockRoute
+		}, {
+			touchIdPrompt: this.touchIdPrompt,
+			nearClient: this.nearClient,
+			indexedDB: require_index.IndexedDBManager,
+			userPreferencesManager: this.userPreferencesManager,
+			nonceManager: this.nonceManager,
+			rpIdOverride: this.touchIdPrompt.getRpId(),
+			nearExplorerUrl: tatchiPasskeyConfigs.nearExplorerUrl
+		});
+		this.signerWorkerManager = new require_index$1.SignerWorkerManager(this.vrfWorkerManager, nearClient, this.userPreferencesManager, this.nonceManager, this.tatchiPasskeyConfigs.relayer.url, tatchiPasskeyConfigs.iframeWallet?.rpIdOverride, true, tatchiPasskeyConfigs.nearExplorerUrl);
+		this.workerBaseOrigin = require_workers.resolveWorkerBaseOrigin() || (typeof window !== "undefined" ? window.location.origin : "");
+		this.signerWorkerManager.setWorkerBaseOrigin(this.workerBaseOrigin);
+		this.vrfWorkerManager.setWorkerBaseOrigin?.(this.workerBaseOrigin);
+		if (typeof window !== "undefined") require_base.onEmbeddedBaseChange((url) => {
+			const origin = new URL(url, window.location.origin).origin;
+			if (origin && origin !== this.workerBaseOrigin) {
+				this.workerBaseOrigin = origin;
+				this.signerWorkerManager.setWorkerBaseOrigin(origin);
+				this.vrfWorkerManager.setWorkerBaseOrigin?.(origin);
+			}
+		});
+		const shouldAvoidAppOriginIndexedDB = !!tatchiPasskeyConfigs.iframeWallet?.walletOrigin && !require_host_mode.__isWalletIframeHostMode();
+		if (!shouldAvoidAppOriginIndexedDB) this.userPreferencesManager.initFromIndexedDB().catch(() => void 0);
+	}
+	/**
+	* Public pre-warm hook to initialize signer workers ahead of time.
+	* Safe to call multiple times; errors are non-fatal.
+	*/
+	prewarmSignerWorkers() {
+		if (typeof window === "undefined" || typeof window.Worker === "undefined") return;
+		if (this.workerBaseOrigin && this.workerBaseOrigin !== window.location.origin) return;
+		this.signerWorkerManager.preWarmWorkerPool().catch(() => {});
+	}
+	/**
+	* Warm critical resources to reduce first-action latency.
+	* - Initialize current user (sets up NonceManager and local state)
+	* - Prefetch latest block context (and nonce if missing)
+	* - Pre-open IndexedDB and warm encrypted key for the active account (best-effort)
+	* - Pre-warm signer workers in the background
+	*/
+	async warmCriticalResources(nearAccountId) {
+		if (nearAccountId) await this.initializeCurrentUser(require_accountIds.toAccountId(nearAccountId), this.nearClient).catch(() => null);
+		await this.nonceManager.prefetchBlockheight(this.nearClient).catch(() => null);
+		if (nearAccountId) await require_index.IndexedDBManager.getUserWithKeys(require_accountIds.toAccountId(nearAccountId)).catch(() => null);
+		this.prewarmSignerWorkers();
+	}
+	/**
+	* Resolve the effective rpId used for WebAuthn operations.
+	* Delegates to TouchIdPrompt to centralize rpId selection logic.
+	*/
+	getRpId() {
+		return this.touchIdPrompt.getRpId();
+	}
+	/** Getter for NonceManager instance */
+	getNonceManager() {
+		return this.nonceManager;
+	}
+	/**
+	* WebAuthnManager-level orchestrator for VRF-owned signing sessions.
+	* Creates sessionId, wires MessagePort between VRF and signer workers, and ensures cleanup.
+	*
+	* Overload 1: plain signing session (no WrapKeySeed derivation).
+	* Overload 2: signing session with WrapKeySeed derivation, when `SigningSessionOptions`
+	*             (PRF.first_auth) are provided. wrapKeySalt is generated inside the VRF worker
+	*             when a new vault entry is being created.
+	*/
+	generateSessionId(prefix) {
+		return typeof crypto !== "undefined" && typeof crypto.randomUUID === "function" ? crypto.randomUUID() : `${prefix}-${Date.now()}-${Math.random().toString(16).slice(2)}`;
+	}
+	toNonNegativeInt(value) {
+		if (typeof value !== "number" || !Number.isFinite(value) || value < 0) return void 0;
+		return Math.floor(value);
+	}
+	resolveSigningSessionPolicy(args) {
+		const ttlMs = this.toNonNegativeInt(args.ttlMs) ?? this.tatchiPasskeyConfigs.signingSessionDefaults.ttlMs;
+		const remainingUses = this.toNonNegativeInt(args.remainingUses) ?? this.tatchiPasskeyConfigs.signingSessionDefaults.remainingUses;
+		return {
+			ttlMs,
+			remainingUses
+		};
+	}
+	getOrCreateActiveSigningSessionId(nearAccountId) {
+		const key = String(require_accountIds.toAccountId(nearAccountId));
+		const existing = this.activeSigningSessionIds.get(key);
+		if (existing) return existing;
+		const sessionId = this.generateSessionId("signing-session");
+		this.activeSigningSessionIds.set(key, sessionId);
+		return sessionId;
+	}
+	async withSigningSession(args) {
+		if (typeof args.handler !== "function") throw new Error("withSigningSession requires a handler function");
+		const sessionId = args.sessionId || (args.prefix ? this.generateSessionId(args.prefix) : "");
+		if (!sessionId) throw new Error("withSigningSession requires a sessionId or prefix");
+		return await this.withSigningSessionInternal({
+			sessionId,
+			options: args.options,
+			handler: args.handler
+		});
+	}
+	async withSigningSessionInternal(args) {
+		const signerPort = await this.vrfWorkerManager.createSigningSessionChannel(args.sessionId);
+		await this.signerWorkerManager.reserveSignerWorkerSession(args.sessionId, { signerPort });
+		try {
+			if (args.options) await this.vrfWorkerManager.mintSessionKeysAndSendToSigner({
+				sessionId: args.sessionId,
+				wrapKeySalt: args.options.wrapKeySalt,
+				credential: args.options.credential
+			});
+			return await args.handler(args.sessionId);
+		} finally {
+			this.signerWorkerManager.releaseSigningSession(args.sessionId);
+		}
+	}
+	/**
+	* VRF-driven registration confirmation helper.
+	* Runs confirmTxFlow and returns registration artifacts.
+	*
+	* SecureConfirm wrapper for link-device / registration: prompts user in-iframe to create a
+	* new passkey (device N), returning artifacts for subsequent derivation.
+	*/
+	async requestRegistrationCredentialConfirmation(params) {
+		return this.vrfWorkerManager.requestRegistrationCredentialConfirmation({
+			nearAccountId: params.nearAccountId,
+			deviceNumber: params.deviceNumber,
+			confirmerText: params.confirmerText,
+			confirmationConfigOverride: params.confirmationConfigOverride,
+			contractId: this.tatchiPasskeyConfigs.contractId,
+			nearRpcUrl: this.tatchiPasskeyConfigs.nearRpcUrl
+		});
+	}
+	/**
+	* Helper for export/decrypt flows:
+	*  - Read vault wrapKeySalt
+	*  - Ask VRF worker to run LocalOnly(DECRYPT_PRIVATE_KEY_WITH_PRF) + derive WrapKeySeed
+	*  - WrapKeySeed travels only over the VRF→Signer MessagePort
+	*/
+	async confirmDecryptAndDeriveWrapKeySeed(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		const [last, latest] = await Promise.all([require_index.IndexedDBManager.clientDB.getLastUser().catch(() => null), require_index.IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId).catch(() => null)]);
+		const deviceNumber = last && last.nearAccountId === nearAccountId && typeof last.deviceNumber === "number" ? last.deviceNumber : latest && typeof latest.deviceNumber === "number" ? latest.deviceNumber : null;
+		if (deviceNumber === null) throw new Error(`No deviceNumber found for account ${nearAccountId} (decrypt session)`);
+		const userForDevice = await require_index.IndexedDBManager.clientDB.getUserByDevice(nearAccountId, deviceNumber).catch(() => null);
+		const encryptedVrfKeypair = userForDevice?.encryptedVrfKeypair;
+		const keyMaterial = await require_index.IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, deviceNumber);
+		if (!keyMaterial) {
+			console.error("WebAuthnManager: No encrypted key found for decrypt session", {
+				nearAccountId: String(nearAccountId),
+				deviceNumber
+			});
+			throw new Error(`No key material found for account: ${nearAccountId}`);
+		}
+		const wrapKeySalt = keyMaterial.wrapKeySalt;
+		if (!wrapKeySalt) {
+			console.error("WebAuthnManager: Missing wrapKeySalt in vault for decrypt session", {
+				nearAccountId: String(nearAccountId),
+				deviceNumber
+			});
+			throw new Error("Missing wrapKeySalt in vault; re-register to upgrade vault format.");
+		}
+		try {
+			await this.vrfWorkerManager.prepareDecryptSession({
+				sessionId: args.sessionId,
+				nearAccountId,
+				wrapKeySalt,
+				encryptedVrfKeypair
+			});
+		} catch (error) {
+			console.error("WebAuthnManager: VRF decrypt session failed", {
+				nearAccountId: String(nearAccountId),
+				sessionId: args.sessionId,
+				error
+			});
+			throw error;
+		}
+	}
+	getAuthenticationCredentialsSerialized({ nearAccountId, challenge, allowCredentials }) {
+		return this.touchIdPrompt.getAuthenticationCredentialsSerialized({
+			nearAccountId,
+			challenge,
+			allowCredentials
+		});
+	}
+	async collectAuthenticationCredentialForVrfChallenge(args) {
+		return require_collectAuthenticationCredentialForVrfChallenge.collectAuthenticationCredentialForVrfChallenge({
+			indexedDB: require_index.IndexedDBManager,
+			touchIdPrompt: this.touchIdPrompt,
+			nearAccountId: args.nearAccountId,
+			vrfChallenge: args.vrfChallenge,
+			includeSecondPrfOutput: args.includeSecondPrfOutput,
+			onBeforePrompt: args.onBeforePrompt
+		});
+	}
+	/**
+	* Generate a VRF challenge bound to a specific signing/confirm session.
+	* The challenge will be cached in the VRF worker under this sessionId so
+	* later contract verification (MINT_SESSION_KEYS_AND_SEND_TO_SIGNER) can look it up.
+	*/
+	async generateVrfChallengeForSession(sessionId, vrfInputData) {
+		return this.vrfWorkerManager.generateVrfChallengeForSession(vrfInputData, sessionId);
+	}
+	/**
+	* Generate a one-off VRF challenge without caching it in the VRF worker.
+	* Use this for flows that don't perform contract verification or derive
+	* wrap keys via MINT_SESSION_KEYS_AND_SEND_TO_SIGNER.
+	*/
+	async generateVrfChallengeOnce(vrfInputData) {
+		return this.vrfWorkerManager.generateVrfChallengeOnce(vrfInputData);
+	}
+	/**
+	* Generate VRF keypair for bootstrapping - stores in memory unencrypted temporarily
+	* This is used during registration to generate a VRF keypair that will be used for
+	* WebAuthn ceremony and later encrypted with the real PRF output
+	*
+	* @param saveInMemory - Whether to persist the generated VRF keypair in WASM worker memory
+	* @param vrfInputParams - Optional parameters to generate VRF challenge/proof in same call
+	* @returns VRF public key and optionally VRF challenge data
+	*/
+	async generateVrfKeypairBootstrap(args) {
+		return this.vrfWorkerManager.generateVrfKeypairBootstrap({
+			vrfInputData: args.vrfInputData,
+			saveInMemory: args.saveInMemory,
+			sessionId: args.sessionId
+		});
+	}
+	/**
+	* Derive NEAR keypair directly from a serialized WebAuthn registration credential
+	*/
+	async deriveNearKeypairAndEncryptFromSerialized({ credential, nearAccountId, options }) {
+		return this.withSigningSession({
+			prefix: "reg",
+			options: { credential },
+			handler: (sessionId) => this.signerWorkerManager.deriveNearKeypairAndEncryptFromSerialized({
+				credential,
+				nearAccountId: require_accountIds.toAccountId(nearAccountId),
+				options,
+				sessionId
+			})
+		});
+	}
+	/**
+	* **Sign Device2 registration transaction with already-stored key (no prompt)**
+	*
+	* Used by linkDevice flow after key swap to sign the registration transaction
+	* without prompting the user again. Reuses the credential collected earlier.
+	*
+	* Flow:
+	* 1. Extract PRF.first from the provided credential
+	* 2. Create new MessagePort session for WrapKeySeed delivery
+	* 3. VRF worker re-derives WrapKeySeed and sends to signer (with PRF.second)
+	* 4. Signer worker retrieves encrypted key from IndexedDB
+	* 5. Signer worker decrypts key and signs registration transaction
+	*
+	* @param nearAccountId - NEAR account ID for Device2
+	* @param credential - WebAuthn registration credential from earlier prompt
+	* @param vrfChallenge - VRF challenge from earlier prompt
+	* @param deviceNumber - Device number for Device2
+	* @returns Signed registration transaction ready for submission
+	*/
+	async signDevice2RegistrationWithStoredKey(args) {
+		const { nearAccountId, credential, vrfChallenge, deviceNumber, deterministicVrfPublicKey } = args;
+		const contractId = this.tatchiPasskeyConfigs.contractId;
+		try {
+			const sessionId = `device2-sign-${Date.now()}-${Math.random().toString(36).slice(2, 11)}`;
+			const keyMaterial = await require_index.IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, deviceNumber);
+			if (!keyMaterial) throw new Error(`No key material found for account ${nearAccountId} device ${deviceNumber}`);
+			const wrapKeySalt = keyMaterial.wrapKeySalt;
+			if (!wrapKeySalt) throw new Error(`Missing wrapKeySalt for account ${nearAccountId} device ${deviceNumber}`);
+			const signerPort = await this.vrfWorkerManager.createSigningSessionChannel(sessionId);
+			await this.signerWorkerManager.reserveSignerWorkerSession(sessionId, { signerPort });
+			await this.vrfWorkerManager.mintSessionKeysAndSendToSigner({
+				sessionId,
+				wrapKeySalt,
+				credential
+			});
+			const transactionContext = await this.nonceManager.getNonceBlockHashAndHeight(this.nearClient);
+			let vrfPublicKey = deterministicVrfPublicKey;
+			const finalVrfPublicKey = vrfPublicKey || vrfChallenge.vrfPublicKey;
+			const signerResult = await this.signerWorkerManager.registerDevice2WithDerivedKey({
+				sessionId,
+				nearAccountId,
+				credential,
+				vrfChallenge,
+				transactionContext,
+				contractId,
+				wrapKeySalt,
+				deviceNumber,
+				deterministicVrfPublicKey: finalVrfPublicKey
+			});
+			return {
+				success: true,
+				publicKey: signerResult.publicKey,
+				signedTransaction: signerResult.signedTransaction
+			};
+		} catch (error) {
+			console.error("[WebAuthnManager] Failed to sign Device2 registration with stored key:", error);
+			return {
+				success: false,
+				error: error.message || String(error)
+			};
+		}
+	}
+	/**
+	* Derive deterministic VRF keypair from PRF output for recovery
+	* Optionally generates VRF challenge if input parameters are provided
+	* This enables deterministic VRF key derivation from WebAuthn credentials
+	*
+	* @param credential - WebAuthn credential containing PRF outputs
+	* @param nearAccountId - NEAR account ID for key derivation salt
+	* @param vrfInputParams - Optional VRF inputs, if provided will generate a challenge
+	* @param saveInMemory - Whether to save the derived VRF keypair in worker memory for immediate use
+	* @returns Deterministic VRF public key, optional VRF challenge, and encrypted VRF keypair for storage
+	*/
+	async deriveVrfKeypair({ credential, nearAccountId, vrfInputData, saveInMemory = true }) {
+		try {
+			const vrfResult = await this.vrfWorkerManager.deriveVrfKeypairFromPrf({
+				credential,
+				nearAccountId,
+				vrfInputData,
+				saveInMemory
+			});
+			const result = {
+				success: true,
+				vrfPublicKey: vrfResult.vrfPublicKey,
+				encryptedVrfKeypair: vrfResult.encryptedVrfKeypair,
+				vrfChallenge: vrfResult.vrfChallenge,
+				serverEncryptedVrfKeypair: vrfResult.serverEncryptedVrfKeypair
+			};
+			return result;
+		} catch (error) {
+			console.error("WebAuthnManager: VRF keypair derivation error:", error);
+			throw new Error(`VRF keypair derivation failed ${error.message}`);
+		}
+	}
+	/**
+	* Unlock VRF keypair in memory using PRF output
+	* This is called during login to decrypt and load the VRF keypair in-memory
+	*/
+	async unlockVRFKeypair({ nearAccountId, encryptedVrfKeypair, credential }) {
+		try {
+			const unlockResult = await this.vrfWorkerManager.unlockVrfKeypair({
+				credential,
+				nearAccountId,
+				encryptedVrfKeypair
+			});
+			if (!unlockResult.success) {
+				console.error("WebAuthnManager: VRF keypair unlock failed");
+				return {
+					success: false,
+					error: "VRF keypair unlock failed"
+				};
+			}
+			this.signerWorkerManager.preWarmWorkerPool().catch(() => {});
+			return { success: true };
+		} catch (error) {
+			console.error("WebAuthnManager: VRF keypair unlock failed:", error.message);
+			return {
+				success: false,
+				error: error.message
+			};
+		}
+	}
+	/**
+	* Perform Shamir 3-pass commutative decryption within WASM worker
+	* This securely decrypts a server-encrypted KEK (key encryption key)
+	* which the wasm worker uses to unlock a key to decrypt the VRF keypair and loads it into memory
+	* The server never knows the real value of the KEK, nor the VRF keypair
+	*/
+	async shamir3PassDecryptVrfKeypair({ nearAccountId, kek_s_b64u, ciphertextVrfB64u, serverKeyId }) {
+		const result = await this.vrfWorkerManager.shamir3PassDecryptVrfKeypair({
+			nearAccountId,
+			kek_s_b64u,
+			ciphertextVrfB64u,
+			serverKeyId
+		});
+		return {
+			success: result.success,
+			error: result.error
+		};
+	}
+	/**
+	* Shamir 3-pass: encrypt the unlocked VRF keypair under the server key
+	* Returns a fresh blob to store in IndexedDB for future auto-login.
+	*/
+	async shamir3PassEncryptCurrentVrfKeypair() {
+		const res = await this.vrfWorkerManager.shamir3PassEncryptCurrentVrfKeypair();
+		return {
+			ciphertextVrfB64u: res.ciphertextVrfB64u,
+			kek_s_b64u: res.kek_s_b64u,
+			serverKeyId: res.serverKeyId
+		};
+	}
+	/**
+	* Persist refreshed server-encrypted VRF keypair in IndexedDB.
+	*/
+	async updateServerEncryptedVrfKeypair(nearAccountId, serverEncrypted, deviceNumber) {
+		await require_index.IndexedDBManager.clientDB.updateUser(nearAccountId, { serverEncryptedVrfKeypair: {
+			ciphertextVrfB64u: serverEncrypted.ciphertextVrfB64u,
+			kek_s_b64u: serverEncrypted.kek_s_b64u,
+			serverKeyId: serverEncrypted.serverKeyId,
+			updatedAt: Date.now()
+		} }, deviceNumber);
+	}
+	async clearVrfSession() {
+		if (typeof window !== "undefined" && this.workerBaseOrigin !== window.location.origin) return;
+		return await this.vrfWorkerManager.clearVrfSession();
+	}
+	/**
+	* Check VRF worker status
+	*/
+	async checkVrfStatus() {
+		return this.vrfWorkerManager.checkVrfStatus();
+	}
+	/**
+	* Mint/refresh a VRF-owned warm signing session using an already-collected WebAuthn credential.
+	*
+	* This is used to avoid a second TouchID prompt during login flows when we already
+	* performed an authentication ceremony (e.g., to unlock the VRF keypair).
+	*
+	* Notes:
+	* - This method does not initiate a WebAuthn prompt.
+	* - Contract verification is optional and only performed when `contractId` + `nearRpcUrl` are provided.
+	*/
+	async mintSigningSessionFromCredential(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		const sessionId = this.getOrCreateActiveSigningSessionId(nearAccountId);
+		const vrfStatus = await this.vrfWorkerManager.checkVrfStatus();
+		if (!vrfStatus.active) throw new Error("VRF keypair not active in memory. Please log in again.");
+		if (!vrfStatus.nearAccountId || String(vrfStatus.nearAccountId) !== String(nearAccountId)) throw new Error("VRF keypair active but bound to a different account. Please log in again.");
+		const credentialRawId = String(args.credential?.rawId || "").trim();
+		const authenticators = await this.getAuthenticatorsByUser(nearAccountId).catch(() => []);
+		let deviceNumber;
+		try {
+			deviceNumber = await require_getDeviceNumber.getLastLoggedInDeviceNumber(nearAccountId, require_index.IndexedDBManager.clientDB);
+		} catch (err) {
+			if (credentialRawId) {
+				const matched = authenticators.find((a) => a.credentialId === credentialRawId);
+				const inferred = matched && typeof matched.deviceNumber === "number" && Number.isFinite(matched.deviceNumber) ? matched.deviceNumber : null;
+				if (inferred !== null) {
+					deviceNumber = inferred;
+					await this.setLastUser(nearAccountId, inferred).catch(() => void 0);
+				} else throw err;
+			} else throw err;
+		}
+		if (credentialRawId && authenticators.length > 1) {
+			const { wrongPasskeyError } = await require_index.IndexedDBManager.clientDB.ensureCurrentPasskey(nearAccountId, authenticators, credentialRawId);
+			if (wrongPasskeyError) throw new Error(wrongPasskeyError);
+		}
+		const keyMaterial = await require_index.IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, deviceNumber);
+		if (!keyMaterial) throw new Error(`No key material found for account ${nearAccountId} device ${deviceNumber}`);
+		const wrapKeySalt = keyMaterial.wrapKeySalt;
+		if (!wrapKeySalt) throw new Error("Missing wrapKeySalt in vault; re-register to upgrade vault format.");
+		const { ttlMs, remainingUses } = this.resolveSigningSessionPolicy(args);
+		await this.vrfWorkerManager.mintSessionKeysAndSendToSigner({
+			sessionId,
+			wrapKeySalt,
+			contractId: args.contractId,
+			nearRpcUrl: args.nearRpcUrl,
+			ttlMs,
+			remainingUses,
+			credential: args.credential
+		});
+		return await this.vrfWorkerManager.checkSessionStatus({ sessionId });
+	}
+	/**
+	* Introspect the VRF-owned signing session for UI (no prompt, metadata only).
+	* Session usage (`remainingUses`) is decremented on `DISPENSE_SESSION_KEY` calls.
+	*/
+	async getWarmSigningSessionStatus(nearAccountId) {
+		const sessionId = this.getOrCreateActiveSigningSessionId(nearAccountId);
+		return await this.vrfWorkerManager.checkSessionStatus({ sessionId });
+	}
+	/**
+	* Fetch Shamir server key info to support proactive refresh.
+	*/
+	async getShamirKeyInfo() {
+		try {
+			const relayUrl = this.tatchiPasskeyConfigs?.vrfWorkerConfigs?.shamir3pass?.relayServerUrl;
+			if (!relayUrl) return null;
+			const res = await fetch(`${relayUrl}/shamir/key-info`, { method: "GET" });
+			if (!res.ok) return null;
+			const data = await res.json();
+			return {
+				currentKeyId: data?.currentKeyId ?? null,
+				p_b64u: data?.p_b64u ?? null,
+				graceKeyIds: Array.isArray(data?.graceKeyIds) ? data.graceKeyIds : void 0
+			};
+		} catch {
+			return null;
+		}
+	}
+	/**
+	* If server key changed and VRF is unlocked in memory, re-encrypt under the new server key.
+	* Returns true if refreshed, false otherwise.
+	*/
+	async maybeProactiveShamirRefresh(nearAccountId) {
+		try {
+			const relayUrl = this.tatchiPasskeyConfigs?.vrfWorkerConfigs?.shamir3pass?.relayServerUrl;
+			if (!relayUrl) return false;
+			const userData = await this.getLastUser();
+			const stored = userData?.serverEncryptedVrfKeypair;
+			if (!stored || !stored.kek_s_b64u || !stored.ciphertextVrfB64u || !stored.serverKeyId) return false;
+			const keyInfo = await this.getShamirKeyInfo();
+			const currentKeyId = keyInfo?.currentKeyId;
+			if (!currentKeyId || currentKeyId === stored.serverKeyId) return false;
+			const status = await this.checkVrfStatus();
+			const active = status.active && status.nearAccountId === nearAccountId;
+			if (!active) return false;
+			const refreshed = await this.shamir3PassEncryptCurrentVrfKeypair();
+			await this.updateServerEncryptedVrfKeypair(nearAccountId, refreshed, userData?.deviceNumber);
+			return true;
+		} catch {
+			return false;
+		}
+	}
+	async storeUserData(userData) {
+		await require_index.IndexedDBManager.clientDB.storeWebAuthnUserData({
+			...userData,
+			deviceNumber: userData.deviceNumber ?? 1,
+			version: userData.version || 2
+		});
+	}
+	async getAllUsers() {
+		return await require_index.IndexedDBManager.clientDB.getAllUsers();
+	}
+	async getUserByDevice(nearAccountId, deviceNumber) {
+		return await require_index.IndexedDBManager.clientDB.getUserByDevice(nearAccountId, deviceNumber);
+	}
+	async getLastUser() {
+		return await require_index.IndexedDBManager.clientDB.getLastUser();
+	}
+	async getAuthenticatorsByUser(nearAccountId) {
+		return await require_index.IndexedDBManager.clientDB.getAuthenticatorsByUser(nearAccountId);
+	}
+	async updateLastLogin(nearAccountId) {
+		return await require_index.IndexedDBManager.clientDB.updateLastLogin(nearAccountId);
+	}
+	/**
+	* Set the last logged-in user
+	* @param nearAccountId - The account ID of the user
+	* @param deviceNumber - The device number (defaults to 1)
+	*/
+	async setLastUser(nearAccountId, deviceNumber = 1) {
+		return await require_index.IndexedDBManager.clientDB.setLastUser(nearAccountId, deviceNumber);
+	}
+	/**
+	* Initialize current user authentication state
+	* This should be called after VRF keypair is successfully unlocked in memory
+	* to ensure the user is properly logged in and can perform transactions
+	*
+	* @param nearAccountId - The NEAR account ID to initialize
+	* @param nearClient - The NEAR client for nonce prefetching
+	*/
+	async initializeCurrentUser(nearAccountId, nearClient) {
+		const accountId = require_accountIds.toAccountId(nearAccountId);
+		let deviceNumberToUse = null;
+		const lastUser = await require_index.IndexedDBManager.clientDB.getLastUser().catch(() => null);
+		if (lastUser && require_accountIds.toAccountId(lastUser.nearAccountId) === accountId && Number.isFinite(lastUser.deviceNumber)) deviceNumberToUse = lastUser.deviceNumber;
+		if (deviceNumberToUse === null) {
+			const userForAccount = await require_index.IndexedDBManager.clientDB.getUserByDevice(accountId, 1).catch(() => null);
+			if (userForAccount && Number.isFinite(userForAccount.deviceNumber)) deviceNumberToUse = userForAccount.deviceNumber;
+		}
+		if (deviceNumberToUse === null) deviceNumberToUse = 1;
+		await this.setLastUser(accountId, deviceNumberToUse);
+		this.userPreferencesManager.setCurrentUser(accountId);
+		await this.userPreferencesManager.reloadUserSettings().catch(() => void 0);
+		const userData = await require_index.IndexedDBManager.clientDB.getUserByDevice(accountId, deviceNumberToUse).catch(() => null);
+		if (userData && userData.clientNearPublicKey) this.nonceManager.initializeUser(accountId, userData.clientNearPublicKey);
+		if (nearClient) await this.nonceManager.prefetchBlockheight(nearClient).catch((prefetchErr) => console.debug("Nonce prefetch after authentication state initialization failed (non-fatal):", prefetchErr));
+	}
+	async registerUser(storeUserData) {
+		return await require_index.IndexedDBManager.clientDB.registerUser(storeUserData);
+	}
+	async storeAuthenticator(authenticatorData) {
+		const deviceNumber = Number(authenticatorData.deviceNumber);
+		const normalizedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : 1;
+		const authData = {
+			...authenticatorData,
+			nearAccountId: require_accountIds.toAccountId(authenticatorData.nearAccountId),
+			deviceNumber: normalizedDeviceNumber
+		};
+		return await require_index.IndexedDBManager.clientDB.storeAuthenticator(authData);
+	}
+	extractUsername(nearAccountId) {
+		return require_index.IndexedDBManager.clientDB.extractUsername(nearAccountId);
+	}
+	async atomicOperation(callback) {
+		return await require_index.IndexedDBManager.clientDB.atomicOperation(callback);
+	}
+	async rollbackUserRegistration(nearAccountId) {
+		return await require_index.IndexedDBManager.clientDB.rollbackUserRegistration(nearAccountId);
+	}
+	async hasPasskeyCredential(nearAccountId) {
+		return await require_index.IndexedDBManager.clientDB.hasPasskeyCredential(nearAccountId);
+	}
+	/**
+	* Atomically store all registration data (user, authenticator, VRF credentials)
+	*/
+	async atomicStoreRegistrationData({ nearAccountId, credential, publicKey, encryptedVrfKeypair, vrfPublicKey, serverEncryptedVrfKeypair }) {
+		await this.atomicOperation(async (db) => {
+			const credentialId = credential.rawId;
+			const attestationB64u = credential.response.attestationObject;
+			const transports = credential.response?.transports;
+			await this.storeAuthenticator({
+				nearAccountId,
+				credentialId,
+				credentialPublicKey: await this.extractCosePublicKey(attestationB64u),
+				transports,
+				name: `VRF Passkey for ${this.extractUsername(nearAccountId)}`,
+				registered: (/* @__PURE__ */ new Date()).toISOString(),
+				syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
+				vrfPublicKey
+			});
+			await this.storeUserData({
+				nearAccountId,
+				deviceNumber: 1,
+				clientNearPublicKey: publicKey,
+				lastUpdated: Date.now(),
+				passkeyCredential: {
+					id: credential.id,
+					rawId: credentialId
+				},
+				encryptedVrfKeypair: {
+					encryptedVrfDataB64u: encryptedVrfKeypair.encryptedVrfDataB64u,
+					chacha20NonceB64u: encryptedVrfKeypair.chacha20NonceB64u
+				},
+				version: 2,
+				serverEncryptedVrfKeypair: serverEncryptedVrfKeypair ? {
+					ciphertextVrfB64u: serverEncryptedVrfKeypair?.ciphertextVrfB64u,
+					kek_s_b64u: serverEncryptedVrfKeypair?.kek_s_b64u,
+					serverKeyId: serverEncryptedVrfKeypair?.serverKeyId,
+					updatedAt: Date.now()
+				} : void 0
+			});
+			return true;
+		});
+	}
+	/**
+	* Transaction signing with contract verification and progress updates.
+	* Demonstrates the "streaming" worker pattern similar to SSE.
+	*
+	* Requires a successful TouchID/biometric prompt before transaction signing in wasm worker
+	* Automatically verifies the authentication with the web3authn contract.
+	*
+	* @param transactions - Transaction payload containing:
+	*   - receiverId: NEAR account ID receiving the transaction
+	*   - actions: Array of NEAR actions to execute
+	* @param rpcCall: RpcCallPayload containing:
+	*   - contractId: Web3Authn contract ID for verification
+	*   - nearRpcUrl: NEAR RPC endpoint URL
+	*   - nearAccountId: NEAR account ID performing the transaction
+	* @param confirmationConfigOverride: Optional confirmation configuration override
+	* @param onEvent: Optional callback for progress updates during signing
+	* @param onEvent - Optional callback for progress updates during signing
+	*/
+	async signTransactionsWithActions({ transactions, rpcCall, signerMode, confirmationConfigOverride, title, body, onEvent }) {
+		return this.withSigningSession({
+			sessionId: this.getOrCreateActiveSigningSessionId(require_accountIds.toAccountId(rpcCall.nearAccountId)),
+			handler: (sessionId) => this.signerWorkerManager.signTransactionsWithActions({
+				transactions,
+				rpcCall,
+				signerMode,
+				confirmationConfigOverride,
+				title,
+				body,
+				onEvent,
+				sessionId
+			})
+		});
+	}
+	/**
+	* Sign AddKey(thresholdPublicKey) for `receiverId === nearAccountId` without running confirmTxFlow.
+	*
+	* This is a narrowly-scoped, internal-only helper for post-registration activation flows where
+	* the caller already has a PRF-bearing credential in memory (e.g., immediately after registration)
+	* and wants to avoid an extra TouchID/WebAuthn prompt.
+	*/
+	async signAddKeyThresholdPublicKeyNoPrompt(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		const wrapKeySalt = args.wrapKeySalt;
+		if (!wrapKeySalt) throw new Error("Missing wrapKeySalt for AddKey(thresholdPublicKey) signing");
+		if (!args.credential) throw new Error("Missing credential for AddKey(thresholdPublicKey) signing");
+		if (!args.transactionContext) throw new Error("Missing transactionContext for no-prompt signing");
+		const thresholdPublicKey = require_validation.ensureEd25519Prefix(args.thresholdPublicKey);
+		if (!thresholdPublicKey) throw new Error("Missing thresholdPublicKey for AddKey(thresholdPublicKey) signing");
+		const relayerVerifyingShareB64u = args.relayerVerifyingShareB64u;
+		if (!relayerVerifyingShareB64u) throw new Error("Missing relayerVerifyingShareB64u for AddKey(thresholdPublicKey) signing");
+		const deviceNumber = Number(args.deviceNumber);
+		const resolvedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : await require_getDeviceNumber.getLastLoggedInDeviceNumber(nearAccountId, require_index.IndexedDBManager.clientDB).catch(() => 1);
+		const localKeyMaterial = await require_index.IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, resolvedDeviceNumber);
+		if (!localKeyMaterial) throw new Error(`No local key material found for account ${nearAccountId} device ${resolvedDeviceNumber}`);
+		if (localKeyMaterial.wrapKeySalt !== wrapKeySalt) throw new Error("wrapKeySalt mismatch for AddKey(thresholdPublicKey) signing");
+		return await this.withSigningSession({
+			prefix: "no-prompt-add-threshold-key",
+			options: {
+				credential: args.credential,
+				wrapKeySalt
+			},
+			handler: async (sessionId) => {
+				const response = await this.signerWorkerManager.getContext().sendMessage({
+					sessionId,
+					message: {
+						type: require_signer_worker.INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT,
+						payload: {
+							createdAt: Date.now(),
+							decryption: {
+								encryptedPrivateKeyData: localKeyMaterial.encryptedSk,
+								encryptedPrivateKeyChacha20NonceB64u: localKeyMaterial.chacha20NonceB64u
+							},
+							transactionContext: args.transactionContext,
+							nearAccountId,
+							thresholdPublicKey,
+							relayerVerifyingShareB64u,
+							clientParticipantId: typeof args.clientParticipantId === "number" ? args.clientParticipantId : void 0,
+							relayerParticipantId: typeof args.relayerParticipantId === "number" ? args.relayerParticipantId : void 0
+						}
+					},
+					onEvent: args.onEvent
+				});
+				if (!require_signer_worker.isSignAddKeyThresholdPublicKeyNoPromptSuccess(response)) throw new Error("AddKey(thresholdPublicKey) signing failed");
+				if (!response.payload.success) throw new Error(response.payload.error || "AddKey(thresholdPublicKey) signing failed");
+				const signedTransactions = response.payload.signedTransactions || [];
+				if (signedTransactions.length !== 1) throw new Error(`Expected 1 signed transaction but received ${signedTransactions.length}`);
+				const signedTx = signedTransactions[0];
+				if (!signedTx || !signedTx.transaction || !signedTx.signature) throw new Error("Incomplete signed transaction data received for AddKey(thresholdPublicKey)");
+				return {
+					signedTransaction: new require_NearClient.SignedTransaction({
+						transaction: signedTx.transaction,
+						signature: signedTx.signature,
+						borsh_bytes: Array.from(signedTx.borshBytes || [])
+					}),
+					nearAccountId: String(nearAccountId),
+					logs: response.payload.logs || []
+				};
+			}
+		});
+	}
+	async signDelegateAction({ delegate, rpcCall, signerMode, confirmationConfigOverride, title, body, onEvent }) {
+		const nearAccountId = require_accountIds.toAccountId(rpcCall.nearAccountId || delegate.senderId);
+		const normalizedRpcCall = {
+			contractId: rpcCall.contractId || this.tatchiPasskeyConfigs.contractId,
+			nearRpcUrl: rpcCall.nearRpcUrl || this.tatchiPasskeyConfigs.nearRpcUrl,
+			nearAccountId
+		};
+		try {
+			const activeSessionId = this.getOrCreateActiveSigningSessionId(nearAccountId);
+			return await this.withSigningSession({
+				sessionId: activeSessionId,
+				handler: (sessionId) => {
+					console.debug("[WebAuthnManager][delegate] session created", { sessionId });
+					return this.signerWorkerManager.signDelegateAction({
+						delegate,
+						rpcCall: normalizedRpcCall,
+						signerMode,
+						confirmationConfigOverride,
+						title,
+						body,
+						onEvent,
+						sessionId
+					});
+				}
+			});
+		} catch (err) {
+			console.error("[WebAuthnManager][delegate] failed", err);
+			throw err;
+		}
+	}
+	async signNEP413Message(payload) {
+		try {
+			const activeSessionId = this.getOrCreateActiveSigningSessionId(payload.accountId);
+			const contractId = this.tatchiPasskeyConfigs.contractId;
+			const nearRpcUrl = this.tatchiPasskeyConfigs.nearRpcUrl.split(",")[0] || this.tatchiPasskeyConfigs.nearRpcUrl;
+			const result = await this.withSigningSession({
+				sessionId: activeSessionId,
+				handler: (sessionId) => this.signerWorkerManager.signNep413Message({
+					...payload,
+					sessionId,
+					contractId,
+					nearRpcUrl
+				})
+			});
+			if (result.success) return result;
+			else throw new Error(`NEP-413 signing failed: ${result.error || "Unknown error"}`);
+		} catch (error) {
+			console.error("WebAuthnManager: NEP-413 signing error:", error);
+			return {
+				success: false,
+				accountId: "",
+				publicKey: "",
+				signature: "",
+				error: error.message || "Unknown error"
+			};
+		}
+	}
+	/**
+	* Extract COSE public key from WebAuthn attestation object using WASM worker
+	*/
+	async extractCosePublicKey(attestationObjectBase64url) {
+		return await this.signerWorkerManager.extractCosePublicKey(attestationObjectBase64url);
+	}
+	/** Worker-driven export: two-phase V2 (collect PRF → decrypt → show UI) */
+	async exportNearKeypairWithUIWorkerDriven(nearAccountId, options) {
+		await this.withSigningSession({
+			prefix: "export-session",
+			handler: async (sessionId) => {
+				await this.confirmDecryptAndDeriveWrapKeySeed({
+					nearAccountId,
+					sessionId
+				});
+				return this.signerWorkerManager.exportNearKeypairUi({
+					nearAccountId,
+					variant: options?.variant,
+					theme: options?.theme,
+					sessionId
+				});
+			}
+		});
+	}
+	async exportNearKeypairWithUI(nearAccountId, options) {
+		await this.exportNearKeypairWithUIWorkerDriven(nearAccountId, options);
+		let userData = await this.getLastUser();
+		if (!userData || userData.nearAccountId !== nearAccountId) userData = await require_index.IndexedDBManager.clientDB.getLastDBUpdatedUser(nearAccountId);
+		return {
+			accountId: String(nearAccountId),
+			publicKey: userData?.clientNearPublicKey ?? "",
+			privateKey: ""
+		};
+	}
+	async checkCanRegisterUser({ contractId, credential, vrfChallenge, authenticatorOptions, onEvent }) {
+		return await this.signerWorkerManager.checkCanRegisterUser({
+			contractId,
+			credential,
+			vrfChallenge,
+			authenticatorOptions,
+			onEvent,
+			nearRpcUrl: this.tatchiPasskeyConfigs.nearRpcUrl
+		});
+	}
+	/**
+	* Recover keypair from authentication credential for account recovery
+	* Uses dual PRF outputs to re-derive the same NEAR keypair and re-encrypt it
+	* @param challenge - Random challenge for WebAuthn authentication ceremony
+	* @param authenticationCredential - The authentication credential with dual PRF outputs
+	* @param accountIdHint - Optional account ID hint for recovery
+	* @returns Public key and encrypted private key for secure storage
+	*/
+	async recoverKeypairFromPasskey(authenticationCredential, accountIdHint) {
+		try {
+			if (!authenticationCredential) throw new Error("Authentication credential required for account recovery. Use an existing credential with dual PRF outputs to re-derive the same NEAR keypair.");
+			const prfResults = authenticationCredential.clientExtensionResults?.prf?.results;
+			if (!prfResults?.first || !prfResults?.second) throw new Error("Dual PRF outputs required for account recovery - both AES and Ed25519 PRF outputs must be available");
+			const result = await this.withSigningSession({
+				prefix: "recover",
+				options: { credential: authenticationCredential },
+				handler: (sessionId) => this.signerWorkerManager.recoverKeypairFromPasskey({
+					credential: authenticationCredential,
+					accountIdHint,
+					sessionId
+				})
+			});
+			return result;
+		} catch (error) {
+			console.error("WebAuthnManager: Deterministic keypair derivation error:", error);
+			throw new Error(`Deterministic keypair derivation failed: ${error.message}`);
+		}
+	}
+	async getAuthenticationCredentialsSerializedDualPrf({ nearAccountId, challenge, credentialIds }) {
+		return this.touchIdPrompt.getAuthenticationCredentialsSerializedDualPrf({
+			nearAccountId,
+			challenge,
+			allowCredentials: credentialIds.map((id) => ({
+				id,
+				type: "public-key",
+				transports: [
+					"internal",
+					"hybrid",
+					"usb",
+					"ble"
+				]
+			}))
+		});
+	}
+	/**
+	* Sign transaction with raw private key
+	* for key replacement in device linking
+	* No TouchID/PRF required - uses provided private key directly
+	*/
+	async signTransactionWithKeyPair({ nearPrivateKey, signerAccountId, receiverId, nonce, blockHash, actions }) {
+		return await this.signerWorkerManager.signTransactionWithKeyPair({
+			nearPrivateKey,
+			signerAccountId,
+			receiverId,
+			nonce,
+			blockHash,
+			actions
+		});
+	}
+	/**
+	* Derive the deterministic threshold client verifying share (2-of-2 ed25519) from WrapKeySeed.
+	* This is safe to call during registration because it only requires the PRF-bearing credential
+	* (no on-chain verification needed) and returns public material only.
+	*/
+	async deriveThresholdEd25519ClientVerifyingShareFromCredential(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		try {
+			return await this.withSigningSession({
+				prefix: "threshold-client-share",
+				options: {
+					credential: args.credential,
+					wrapKeySalt: args.wrapKeySalt
+				},
+				handler: (sessionId) => this.signerWorkerManager.deriveThresholdEd25519ClientVerifyingShare({
+					sessionId,
+					nearAccountId
+				})
+			});
+		} catch (error) {
+			const message = String(error?.message ?? error);
+			return {
+				success: false,
+				nearAccountId,
+				clientVerifyingShareB64u: "",
+				wrapKeySalt: "",
+				error: message
+			};
+		}
+	}
+	/**
+	* Threshold key enrollment (post-registration):
+	* prompts for a dual-PRF WebAuthn authentication to obtain PRF.first/second,
+	* then runs the `/threshold-ed25519/keygen` enrollment flow.
+	*
+	* This is intended to be called only after the passkey is registered on-chain.
+	*/
+	async enrollThresholdEd25519KeyPostRegistration(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		try {
+			const rpId = this.touchIdPrompt.getRpId();
+			if (!rpId) throw new Error("Missing rpId for WebAuthn VRF challenge");
+			const block = await this.nearClient.viewBlock({ finality: "final" });
+			const blockHeight = String(block?.header?.height ?? "");
+			const blockHash = String(block?.header?.hash ?? "");
+			if (!blockHeight || !blockHash) throw new Error("Failed to fetch NEAR block context for VRF challenge");
+			const vrfChallenge = await this.vrfWorkerManager.generateVrfChallengeOnce({
+				userId: nearAccountId,
+				rpId,
+				blockHeight,
+				blockHash
+			});
+			const authenticators = await this.getAuthenticatorsByUser(nearAccountId);
+			if (!authenticators.length) throw new Error(`No passkey authenticators found for account ${nearAccountId}`);
+			const authCredential = await this.collectAuthenticationCredentialForVrfChallenge({
+				nearAccountId,
+				vrfChallenge,
+				includeSecondPrfOutput: true
+			});
+			return await this.enrollThresholdEd25519Key({
+				credential: authCredential,
+				nearAccountId,
+				deviceNumber: args.deviceNumber
+			});
+		} catch (error) {
+			const message = String(error?.message ?? error);
+			return {
+				success: false,
+				publicKey: "",
+				relayerKeyId: "",
+				wrapKeySalt: "",
+				error: message
+			};
+		}
+	}
+	/**
+	* Threshold key rotation (post-registration):
+	* - keygen (new relayerKeyId + publicKey)
+	* - AddKey(new threshold publicKey)
+	* - DeleteKey(old threshold publicKey)
+	*
+	* Uses the local signer key for AddKey/DeleteKey, and requires the account to already
+	* have a stored `threshold_ed25519_2p_v1` key material entry for the target device.
+	*/
+	async rotateThresholdEd25519KeyPostRegistration(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		let oldPublicKey = "";
+		let oldRelayerKeyId = "";
+		try {
+			const deviceNumber = Number(args.deviceNumber);
+			const resolvedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : await require_getDeviceNumber.getLastLoggedInDeviceNumber(nearAccountId, require_index.IndexedDBManager.clientDB).catch(() => 1);
+			const existing = await require_index.IndexedDBManager.nearKeysDB.getThresholdKeyMaterial(nearAccountId, resolvedDeviceNumber);
+			if (!existing) throw new Error(`No threshold key material found for account ${nearAccountId} device ${resolvedDeviceNumber}. Call enrollThresholdEd25519Key() first.`);
+			oldPublicKey = existing.publicKey;
+			oldRelayerKeyId = existing.relayerKeyId;
+			const enrollment = await this.enrollThresholdEd25519KeyPostRegistration({
+				nearAccountId,
+				deviceNumber: resolvedDeviceNumber
+			});
+			if (!enrollment.success) throw new Error(enrollment.error || "Threshold keygen/enrollment failed");
+			return await require_rotateThresholdEd25519KeyPostRegistration.rotateThresholdEd25519KeyPostRegistrationHandler({
+				nearClient: this.nearClient,
+				contractId: this.tatchiPasskeyConfigs.contractId,
+				nearRpcUrl: this.tatchiPasskeyConfigs.nearRpcUrl,
+				signTransactionsWithActions: (params) => this.signTransactionsWithActions(params)
+			}, {
+				nearAccountId,
+				deviceNumber: resolvedDeviceNumber,
+				oldPublicKey,
+				oldRelayerKeyId,
+				newPublicKey: enrollment.publicKey,
+				newRelayerKeyId: enrollment.relayerKeyId,
+				wrapKeySalt: enrollment.wrapKeySalt
+			});
+		} catch (error) {
+			const message = String(error?.message ?? error);
+			return {
+				success: false,
+				oldPublicKey,
+				oldRelayerKeyId,
+				publicKey: "",
+				relayerKeyId: "",
+				wrapKeySalt: "",
+				deleteOldKeyAttempted: false,
+				deleteOldKeySuccess: false,
+				error: message
+			};
+		}
+	}
+	/**
+	* Threshold key enrollment (2-of-2): deterministically derive the client verifying share
+	* from WrapKeySeed and register the corresponding relayer share via `/threshold-ed25519/keygen`.
+	*
+	* Stores a v3 vault entry of kind `threshold_ed25519_2p_v1` (breaking; no migration).
+	*/
+	async enrollThresholdEd25519Key(args) {
+		const nearAccountId = require_accountIds.toAccountId(args.nearAccountId);
+		const relayerUrl = this.tatchiPasskeyConfigs.relayer.url;
+		try {
+			if (!relayerUrl) throw new Error("Missing relayer url (configs.relayer.url)");
+			if (!args.credential) throw new Error("Missing credential");
+			const deviceNumber = Number(args.deviceNumber);
+			const resolvedDeviceNumber = Number.isSafeInteger(deviceNumber) && deviceNumber >= 1 ? deviceNumber : await require_getDeviceNumber.getLastLoggedInDeviceNumber(nearAccountId, require_index.IndexedDBManager.clientDB).catch(() => 1);
+			const keygen = await this.withSigningSession({
+				prefix: "threshold-keygen",
+				options: { credential: args.credential },
+				handler: (sessionId) => require_enrollThresholdEd25519Key.enrollThresholdEd25519KeyHandler({
+					nearClient: this.nearClient,
+					vrfWorkerManager: this.vrfWorkerManager,
+					signerWorkerManager: this.signerWorkerManager,
+					touchIdPrompt: this.touchIdPrompt,
+					relayerUrl
+				}, {
+					sessionId,
+					nearAccountId
+				})
+			});
+			if (!keygen.success) throw new Error(keygen.error || "Threshold keygen failed");
+			const publicKey = keygen.publicKey;
+			const clientVerifyingShareB64u = keygen.clientVerifyingShareB64u;
+			const relayerKeyId = keygen.relayerKeyId;
+			const relayerVerifyingShareB64u = keygen.relayerVerifyingShareB64u;
+			if (!clientVerifyingShareB64u) throw new Error("Threshold keygen returned empty clientVerifyingShareB64u");
+			const localKeyMaterial = await require_index.IndexedDBManager.nearKeysDB.getLocalKeyMaterial(nearAccountId, resolvedDeviceNumber);
+			if (!localKeyMaterial) throw new Error(`No local key material found for account ${nearAccountId} device ${resolvedDeviceNumber}`);
+			const alreadyActive = await require_rpcCalls.hasAccessKey(this.nearClient, nearAccountId, publicKey, {
+				attempts: 1,
+				delayMs: 0
+			});
+			if (!alreadyActive) {
+				this.nonceManager.initializeUser(nearAccountId, localKeyMaterial.publicKey);
+				const txContext = await this.nonceManager.getNonceBlockHashAndHeight(this.nearClient, { force: true });
+				const signed = await this.signAddKeyThresholdPublicKeyNoPrompt({
+					nearAccountId,
+					credential: args.credential,
+					wrapKeySalt: localKeyMaterial.wrapKeySalt,
+					transactionContext: txContext,
+					thresholdPublicKey: publicKey,
+					relayerVerifyingShareB64u,
+					clientParticipantId: keygen.clientParticipantId,
+					relayerParticipantId: keygen.relayerParticipantId,
+					deviceNumber: resolvedDeviceNumber
+				});
+				const signedTx = signed?.signedTransaction;
+				if (!signedTx) throw new Error("Failed to sign AddKey(thresholdPublicKey) transaction");
+				await this.nearClient.sendTransaction(signedTx, require_rpc.DEFAULT_WAIT_STATUS.thresholdAddKey);
+				const activated = await require_rpcCalls.hasAccessKey(this.nearClient, nearAccountId, publicKey);
+				if (!activated) throw new Error("Threshold access key not found on-chain after AddKey");
+			}
+			const keyMaterial = {
+				kind: "threshold_ed25519_2p_v1",
+				nearAccountId,
+				deviceNumber: resolvedDeviceNumber,
+				publicKey,
+				wrapKeySalt: keygen.wrapKeySalt,
+				relayerKeyId,
+				clientShareDerivation: "prf_first_v1",
+				participants: require_participants.buildThresholdEd25519Participants2pV1({
+					clientParticipantId: keygen.clientParticipantId,
+					relayerParticipantId: keygen.relayerParticipantId,
+					relayerKeyId,
+					relayerUrl,
+					clientVerifyingShareB64u,
+					relayerVerifyingShareB64u,
+					clientShareDerivation: "prf_first_v1"
+				}),
+				timestamp: Date.now()
+			};
+			await require_index.IndexedDBManager.nearKeysDB.storeKeyMaterial(keyMaterial);
+			return {
+				success: true,
+				publicKey,
+				relayerKeyId,
+				wrapKeySalt: keygen.wrapKeySalt
+			};
+		} catch (error) {
+			const message = String(error?.message ?? error);
+			return {
+				success: false,
+				publicKey: "",
+				relayerKeyId: "",
+				wrapKeySalt: "",
+				error: message
+			};
+		}
+	}
+	/** * Get user preferences manager */
+	getUserPreferences() {
+		return this.userPreferencesManager;
+	}
+	/** * Clean up resources */
+	destroy() {
+		if (this.userPreferencesManager) this.userPreferencesManager.destroy();
+		if (this.nonceManager) this.nonceManager.clear();
+		this.activeSigningSessionIds.clear();
+	}
+};
+//#endregion
+exports.WebAuthnManager = WebAuthnManager;
+//# sourceMappingURL=index.js.map