@tatchi-xyz/sdk 0.31.0 → 0.32.0

package/dist/esm/sdk/{linkDevice-C98klpcE.js → linkDevice-CRPf5aW2.js}

@@ -4,18 +4,18 @@ import { ActionType } from "./actions-fHadejPs.js";
 import { DEFAULT_WAIT_STATUS } from "./rpc-Dq3ioE9T.js";
 import "./signer-worker-DK847sXj.js";
 import "./base64-dqpWgddX.js";
-import { createNearKeypair, getLoginSession } from "./login-DnROv3eA.js";
+import { createNearKeypair, getLoginSession } from "./login-DUIWZHp_.js";
 import "./vrf-worker-BzQsJ5BW.js";
-import { DeviceLinkingPhase, DeviceLinkingStatus } from "./sdkSentEvents-CzAZBFjP.js";
+import { DeviceLinkingPhase, DeviceLinkingStatus } from "./sdkSentEvents-BfkcI7EN.js";
 import { DEVICE_LINKING_CONFIG, DeviceLinkingError, DeviceLinkingErrorCode } from "./config-BbNXtVtu.js";
 import "./accountIds-DVDhXwVA.js";
 import "./intentDigest-yivVENNK.js";
 import "./errors-DevlT39D.js";
-import { IndexedDBManager, buildThresholdEd25519Participants2pV1 } from "./IndexedDBManager-B1cUvdyY.js";
-import "./defaultConfigs-BmCU1_qI.js";
+import { IndexedDBManager, buildThresholdEd25519Participants2pV1 } from "./IndexedDBManager-CmdN7smS.js";
+import "./defaultConfigs-BQqiXif-.js";
 import "./safari-fallbacks-BcMFntiP.js";
 import "./touchIdPrompt-JPhrOx8o.js";
-import { getDeviceLinkingAccountContractCall, thresholdEd25519KeygenFromRegistrationTx } from "./rpcCalls-B44MZora.js";
+import { getDeviceLinkingAccountContractCall, thresholdEd25519KeygenFromRegistrationTx } from "./rpcCalls-VL4loDKP.js";
 import { parseDeviceNumber } from "./getDeviceNumber-y3mMtky6.js";
 
 //#region src/core/TatchiPasskey/linkDevice.ts

package/dist/esm/sdk/{localOnly-40zxrBMm.js → localOnly-COpDBMkm.js}

@@ -1,6 +1,6 @@
 import "./validation-hUZgySTx.js";
 import { ERROR_MESSAGES, SecureConfirmationType, createRandomVRFChallenge, errorMessage, getIntentDigest, getNearAccountId, isUserCancelledSecureConfirm } from "./collectAuthenticationCredentialForVrfChallenge-C9p90e5Z.js";
-import { createConfirmSession, createConfirmTxFlowAdapters } from "./createAdapters-Dv7ZJPf1.js";
+import { createConfirmSession, createConfirmTxFlowAdapters } from "./createAdapters-4c8mBiD5.js";
 import { W3A_EXPORT_VIEWER_IFRAME_ID, addLitCancelListener } from "./css-loader-DWW-_Vli.js";
 import { __isWalletIframeHostMode } from "./host-mode-CgqmYAwZ.js";
 
@@ -130,4 +130,4 @@ async function handleLocalOnlyFlow(ctx, request, worker, opts) {
 
 //#endregion
 export { handleLocalOnlyFlow };
-//# sourceMappingURL=localOnly-40zxrBMm.js.map
+//# sourceMappingURL=localOnly-COpDBMkm.js.map

package/dist/esm/sdk/{localOnly-40zxrBMm.js.map → localOnly-COpDBMkm.js.map}

@@ -1 +1 @@
-{"version":3,"file":"localOnly-40zxrBMm.js","names":["TAG_LOADERS: Record<string, () => Promise<unknown>>","removeCancelListener: (() => void) | undefined","err: unknown","uiVrfChallenge: Partial<VRFChallenge>"],"sources":["../../../src/core/WebAuthnManager/LitComponents/ensure-defined.ts","../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/localOnly.ts"],"sourcesContent":["/**\n * Consolidated loaders for known W3A custom elements that may be used across runtimes.\n * This allows dev tooling to auto-ensure definitions for common elements when possible.\n */\nimport { W3A_EXPORT_VIEWER_IFRAME_ID } from './tags';\n\nexport const TAG_LOADERS: Record<string, () => Promise<unknown>> = {\n  [W3A_EXPORT_VIEWER_IFRAME_ID]: () => import('./ExportPrivateKey/iframe-host'),\n};\n\n/**\n * Small utility that guarantees a custom element definition exists in the\n * current runtime before creating/using it. If the tag is not yet defined,\n * it runs the provided dynamic import loader to execute the module that calls\n * customElements.define().\n */\nexport async function ensureDefined(tag: string, loader: () => Promise<unknown>): Promise<void> {\n  try {\n    if (!customElements.get(tag)) {\n      await loader();\n    }\n  } catch {\n    // Best-effort; downstream calls will still throw useful errors if missing\n  }\n}\n\n/** Attempt to ensure a known W3A element by tag; returns true if a loader ran. */\nexport async function ensureKnownW3aElement(tag: string): Promise<boolean> {\n  try {\n    const t = (tag || '').toLowerCase();\n    const loader = TAG_LOADERS[t];\n    if (!loader) return false;\n    await ensureDefined(t, loader);\n    return true;\n  } catch {\n    return false;\n  }\n}\n","import type { VrfWorkerManagerContext } from '../../';\nimport type { ConfirmationConfig } from '../../../../types/signer-worker';\nimport {\n  SecureConfirmationType,\n  TransactionSummary,\n  LocalOnlySecureConfirmRequest,\n  type ShowSecurePrivateKeyUiPayload,\n} from '../types';\nimport { VRFChallenge } from '../../../../types';\nimport { createRandomVRFChallenge } from '../../../../types/vrf-worker';\nimport { addLitCancelListener } from '../../../LitComponents/lit-events';\nimport { ensureDefined } from '../../../LitComponents/ensure-defined';\nimport { W3A_EXPORT_VIEWER_IFRAME_ID } from '../../../LitComponents/tags';\nimport { __isWalletIframeHostMode } from '../../../../WalletIframe/host-mode';\nimport type { ExportViewerIframeElement } from '../../../LitComponents/ExportPrivateKey/iframe-host';\nimport {\n  getNearAccountId,\n  getIntentDigest,\n  isUserCancelledSecureConfirm,\n  ERROR_MESSAGES,\n} from './index';\nimport { errorMessage } from '../../../../../utils/errors';\nimport { createConfirmSession } from '../adapters/session';\nimport { createConfirmTxFlowAdapters } from '../adapters/createAdapters';\n\nasync function mountExportViewer(\n  payload: ShowSecurePrivateKeyUiPayload,\n  confirmationConfig: ConfirmationConfig,\n): Promise<void> {\n  await ensureDefined(W3A_EXPORT_VIEWER_IFRAME_ID, () => import('../../../LitComponents/ExportPrivateKey/iframe-host'));\n  const host = document.createElement(W3A_EXPORT_VIEWER_IFRAME_ID) as ExportViewerIframeElement;\n  host.theme = payload.theme || confirmationConfig.theme || 'dark';\n  host.variant = payload.variant || ((confirmationConfig.uiMode === 'drawer') ? 'drawer' : 'modal');\n  host.accountId = payload.nearAccountId;\n  host.publicKey = payload.publicKey;\n  host.privateKey = payload.privateKey;\n  host.loading = false;\n\n  window.parent?.postMessage({ type: 'WALLET_UI_OPENED' }, '*');\n  document.body.appendChild(host);\n\n  let removeCancelListener: (() => void) | undefined;\n  removeCancelListener = addLitCancelListener(host, () => {\n    window.parent?.postMessage({ type: 'WALLET_UI_CLOSED' }, '*');\n    removeCancelListener?.();\n    host.remove();\n  }, { once: true });\n}\n\nexport async function handleLocalOnlyFlow(\n  ctx: VrfWorkerManagerContext,\n  request: LocalOnlySecureConfirmRequest,\n  worker: Worker,\n  opts: { confirmationConfig: ConfirmationConfig; transactionSummary: TransactionSummary },\n): Promise<void> {\n\n  const { confirmationConfig, transactionSummary } = opts;\n  const adapters = createConfirmTxFlowAdapters(ctx);\n  const session = createConfirmSession({\n    adapters,\n    worker,\n    request,\n    confirmationConfig,\n    transactionSummary,\n  });\n  const nearAccountId = getNearAccountId(request);\n\n  // SHOW_SECURE_PRIVATE_KEY_UI: purely visual; keep UI open and return confirmed immediately\n  if (request.type === SecureConfirmationType.SHOW_SECURE_PRIVATE_KEY_UI) {\n    try {\n      await mountExportViewer(request.payload as ShowSecurePrivateKeyUiPayload, confirmationConfig);\n      // Keep viewer open; do not close here.\n      session.confirmAndCloseModal({\n        requestId: request.requestId,\n        intentDigest: getIntentDigest(request),\n        confirmed: true,\n      });\n      return;\n    } catch (err: unknown) {\n      return session.confirmAndCloseModal({\n        requestId: request.requestId,\n        intentDigest: getIntentDigest(request),\n        confirmed: false,\n        error: errorMessage(err) || 'Failed to render export UI',\n      });\n    }\n  }\n\n  // DECRYPT_PRIVATE_KEY_WITH_PRF: collect an authentication credential (with PRF extension results)\n  // and return it to the VRF worker; VRF worker extracts PRF outputs internally.\n  if (request.type === SecureConfirmationType.DECRYPT_PRIVATE_KEY_WITH_PRF) {\n    if (__isWalletIframeHostMode()) {\n      confirmationConfig.uiMode = 'skip';\n      confirmationConfig.behavior = 'autoProceed';\n    }\n\n    const vrfChallenge = createRandomVRFChallenge() as VRFChallenge;\n    // When this flow is initiated via worker→host messaging (wallet-iframe mode),\n    // there is typically no transient user activation. If confirmationConfig chooses\n    // a visible UI mode (modal/drawer), prompt first so the click lands inside the\n    // wallet iframe and grants activation for the subsequent WebAuthn call.\n    if (confirmationConfig.uiMode !== 'skip') {\n      // Provide a sensible title/body for non-transaction flows so the confirmer\n      // doesn't fall back to \"Register with Passkey\" (txSigningRequests is empty).\n      try {\n        const op = (transactionSummary as any)?.operation as string | undefined;\n        const warning = (transactionSummary as any)?.warning as string | undefined;\n        if (!transactionSummary.title) transactionSummary.title = op || 'Decrypt Private Key';\n        if (!transactionSummary.body) {\n          transactionSummary.body = warning || 'Confirm to authenticate with your passkey.';\n        }\n      } catch { }\n\n      const uiVrfChallenge: Partial<VRFChallenge> = (() => {\n        try {\n          return {\n            ...vrfChallenge,\n            userId: nearAccountId,\n            rpId: adapters.vrf.getRpId(),\n          } as Partial<VRFChallenge>;\n        } catch {\n          return { ...vrfChallenge, userId: nearAccountId } as Partial<VRFChallenge>;\n        }\n      })();\n\n      const { confirmed, error: uiError } = await session.promptUser({ vrfChallenge: uiVrfChallenge });\n      if (!confirmed) {\n        window.parent?.postMessage({ type: 'WALLET_UI_CLOSED' }, '*');\n        return session.confirmAndCloseModal({\n          requestId: request.requestId,\n          intentDigest: getIntentDigest(request),\n          confirmed: false,\n          error: uiError,\n        });\n      }\n    }\n    try {\n      const credential = await adapters.webauthn.collectAuthenticationCredentialWithPRF({\n        nearAccountId,\n        vrfChallenge,\n        // Offline export / local decrypt needs both PRF outputs so the VRF worker can\n        // recover/derive key material without requiring a pre-existing VRF session.\n        includeSecondPrfOutput: true,\n      });\n      // No modal to keep open; export viewer will be shown by a subsequent request.\n      return session.confirmAndCloseModal({\n        requestId: request.requestId,\n        intentDigest: getIntentDigest(request),\n        confirmed: true,\n        credential,\n      });\n\n    } catch (err: unknown) {\n      const cancelled = isUserCancelledSecureConfirm(err);\n      if (cancelled) {\n        window.parent?.postMessage({ type: 'WALLET_UI_CLOSED' }, '*');\n      }\n      return session.confirmAndCloseModal({\n        requestId: request.requestId,\n        intentDigest: getIntentDigest(request),\n        confirmed: false,\n        error: cancelled ? ERROR_MESSAGES.cancelled : (errorMessage(err) || ERROR_MESSAGES.collectCredentialsFailed),\n      });\n    }\n  }\n}\n"],"mappings":";;;;;;;AAMA,MAAaA,cAAsD,GAChE,oCAAoC,OAAO;;;;;;;AAS9C,eAAsB,cAAc,KAAa,QAA+C;AAC9F,KAAI;AACF,MAAI,CAAC,eAAe,IAAI,KACtB,OAAM;SAEF;;;;;ACIV,eAAe,kBACb,SACA,oBACe;AACf,OAAM,cAAc,mCAAmC,OAAO;CAC9D,MAAM,OAAO,SAAS,cAAc;AACpC,MAAK,QAAQ,QAAQ,SAAS,mBAAmB,SAAS;AAC1D,MAAK,UAAU,QAAQ,YAAa,mBAAmB,WAAW,WAAY,WAAW;AACzF,MAAK,YAAY,QAAQ;AACzB,MAAK,YAAY,QAAQ;AACzB,MAAK,aAAa,QAAQ;AAC1B,MAAK,UAAU;AAEf,QAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;AACzD,UAAS,KAAK,YAAY;CAE1B,IAAIC;AACJ,wBAAuB,qBAAqB,YAAY;AACtD,SAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;AACzD;AACA,OAAK;IACJ,EAAE,MAAM;;AAGb,eAAsB,oBACpB,KACA,SACA,QACA,MACe;CAEf,MAAM,EAAE,oBAAoB,uBAAuB;CACnD,MAAM,WAAW,4BAA4B;CAC7C,MAAM,UAAU,qBAAqB;EACnC;EACA;EACA;EACA;EACA;;CAEF,MAAM,gBAAgB,iBAAiB;AAGvC,KAAI,QAAQ,SAAS,uBAAuB,2BAC1C,KAAI;AACF,QAAM,kBAAkB,QAAQ,SAA0C;AAE1E,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;;AAEb;UACOC,KAAc;AACrB,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,aAAa,QAAQ;;;AAOlC,KAAI,QAAQ,SAAS,uBAAuB,8BAA8B;AACxE,MAAI,4BAA4B;AAC9B,sBAAmB,SAAS;AAC5B,sBAAmB,WAAW;;EAGhC,MAAM,eAAe;AAKrB,MAAI,mBAAmB,WAAW,QAAQ;AAGxC,OAAI;IACF,MAAM,KAAM,oBAA4B;IACxC,MAAM,UAAW,oBAA4B;AAC7C,QAAI,CAAC,mBAAmB,MAAO,oBAAmB,QAAQ,MAAM;AAChE,QAAI,CAAC,mBAAmB,KACtB,oBAAmB,OAAO,WAAW;WAEjC;GAER,MAAMC,wBAA+C;AACnD,QAAI;AACF,YAAO;MACL,GAAG;MACH,QAAQ;MACR,MAAM,SAAS,IAAI;;YAEf;AACN,YAAO;MAAE,GAAG;MAAc,QAAQ;;;;GAItC,MAAM,EAAE,WAAW,OAAO,YAAY,MAAM,QAAQ,WAAW,EAAE,cAAc;AAC/E,OAAI,CAAC,WAAW;AACd,WAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;AACzD,WAAO,QAAQ,qBAAqB;KAClC,WAAW,QAAQ;KACnB,cAAc,gBAAgB;KAC9B,WAAW;KACX,OAAO;;;;AAIb,MAAI;GACF,MAAM,aAAa,MAAM,SAAS,SAAS,uCAAuC;IAChF;IACA;IAGA,wBAAwB;;AAG1B,UAAO,QAAQ,qBAAqB;IAClC,WAAW,QAAQ;IACnB,cAAc,gBAAgB;IAC9B,WAAW;IACX;;WAGKD,KAAc;GACrB,MAAM,YAAY,6BAA6B;AAC/C,OAAI,UACF,QAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;AAE3D,UAAO,QAAQ,qBAAqB;IAClC,WAAW,QAAQ;IACnB,cAAc,gBAAgB;IAC9B,WAAW;IACX,OAAO,YAAY,eAAe,YAAa,aAAa,QAAQ,eAAe"}
+{"version":3,"file":"localOnly-COpDBMkm.js","names":["TAG_LOADERS: Record<string, () => Promise<unknown>>","removeCancelListener: (() => void) | undefined","err: unknown","uiVrfChallenge: Partial<VRFChallenge>"],"sources":["../../../src/core/WebAuthnManager/LitComponents/ensure-defined.ts","../../../src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/localOnly.ts"],"sourcesContent":["/**\n * Consolidated loaders for known W3A custom elements that may be used across runtimes.\n * This allows dev tooling to auto-ensure definitions for common elements when possible.\n */\nimport { W3A_EXPORT_VIEWER_IFRAME_ID } from './tags';\n\nexport const TAG_LOADERS: Record<string, () => Promise<unknown>> = {\n  [W3A_EXPORT_VIEWER_IFRAME_ID]: () => import('./ExportPrivateKey/iframe-host'),\n};\n\n/**\n * Small utility that guarantees a custom element definition exists in the\n * current runtime before creating/using it. If the tag is not yet defined,\n * it runs the provided dynamic import loader to execute the module that calls\n * customElements.define().\n */\nexport async function ensureDefined(tag: string, loader: () => Promise<unknown>): Promise<void> {\n  try {\n    if (!customElements.get(tag)) {\n      await loader();\n    }\n  } catch {\n    // Best-effort; downstream calls will still throw useful errors if missing\n  }\n}\n\n/** Attempt to ensure a known W3A element by tag; returns true if a loader ran. */\nexport async function ensureKnownW3aElement(tag: string): Promise<boolean> {\n  try {\n    const t = (tag || '').toLowerCase();\n    const loader = TAG_LOADERS[t];\n    if (!loader) return false;\n    await ensureDefined(t, loader);\n    return true;\n  } catch {\n    return false;\n  }\n}\n","import type { VrfWorkerManagerContext } from '../../';\nimport type { ConfirmationConfig } from '../../../../types/signer-worker';\nimport {\n  SecureConfirmationType,\n  TransactionSummary,\n  LocalOnlySecureConfirmRequest,\n  type ShowSecurePrivateKeyUiPayload,\n} from '../types';\nimport { VRFChallenge } from '../../../../types';\nimport { createRandomVRFChallenge } from '../../../../types/vrf-worker';\nimport { addLitCancelListener } from '../../../LitComponents/lit-events';\nimport { ensureDefined } from '../../../LitComponents/ensure-defined';\nimport { W3A_EXPORT_VIEWER_IFRAME_ID } from '../../../LitComponents/tags';\nimport { __isWalletIframeHostMode } from '../../../../WalletIframe/host-mode';\nimport type { ExportViewerIframeElement } from '../../../LitComponents/ExportPrivateKey/iframe-host';\nimport {\n  getNearAccountId,\n  getIntentDigest,\n  isUserCancelledSecureConfirm,\n  ERROR_MESSAGES,\n} from './index';\nimport { errorMessage } from '../../../../../utils/errors';\nimport { createConfirmSession } from '../adapters/session';\nimport { createConfirmTxFlowAdapters } from '../adapters/createAdapters';\n\nasync function mountExportViewer(\n  payload: ShowSecurePrivateKeyUiPayload,\n  confirmationConfig: ConfirmationConfig,\n): Promise<void> {\n  await ensureDefined(W3A_EXPORT_VIEWER_IFRAME_ID, () => import('../../../LitComponents/ExportPrivateKey/iframe-host'));\n  const host = document.createElement(W3A_EXPORT_VIEWER_IFRAME_ID) as ExportViewerIframeElement;\n  host.theme = payload.theme || confirmationConfig.theme || 'dark';\n  host.variant = payload.variant || ((confirmationConfig.uiMode === 'drawer') ? 'drawer' : 'modal');\n  host.accountId = payload.nearAccountId;\n  host.publicKey = payload.publicKey;\n  host.privateKey = payload.privateKey;\n  host.loading = false;\n\n  window.parent?.postMessage({ type: 'WALLET_UI_OPENED' }, '*');\n  document.body.appendChild(host);\n\n  let removeCancelListener: (() => void) | undefined;\n  removeCancelListener = addLitCancelListener(host, () => {\n    window.parent?.postMessage({ type: 'WALLET_UI_CLOSED' }, '*');\n    removeCancelListener?.();\n    host.remove();\n  }, { once: true });\n}\n\nexport async function handleLocalOnlyFlow(\n  ctx: VrfWorkerManagerContext,\n  request: LocalOnlySecureConfirmRequest,\n  worker: Worker,\n  opts: { confirmationConfig: ConfirmationConfig; transactionSummary: TransactionSummary },\n): Promise<void> {\n\n  const { confirmationConfig, transactionSummary } = opts;\n  const adapters = createConfirmTxFlowAdapters(ctx);\n  const session = createConfirmSession({\n    adapters,\n    worker,\n    request,\n    confirmationConfig,\n    transactionSummary,\n  });\n  const nearAccountId = getNearAccountId(request);\n\n  // SHOW_SECURE_PRIVATE_KEY_UI: purely visual; keep UI open and return confirmed immediately\n  if (request.type === SecureConfirmationType.SHOW_SECURE_PRIVATE_KEY_UI) {\n    try {\n      await mountExportViewer(request.payload as ShowSecurePrivateKeyUiPayload, confirmationConfig);\n      // Keep viewer open; do not close here.\n      session.confirmAndCloseModal({\n        requestId: request.requestId,\n        intentDigest: getIntentDigest(request),\n        confirmed: true,\n      });\n      return;\n    } catch (err: unknown) {\n      return session.confirmAndCloseModal({\n        requestId: request.requestId,\n        intentDigest: getIntentDigest(request),\n        confirmed: false,\n        error: errorMessage(err) || 'Failed to render export UI',\n      });\n    }\n  }\n\n  // DECRYPT_PRIVATE_KEY_WITH_PRF: collect an authentication credential (with PRF extension results)\n  // and return it to the VRF worker; VRF worker extracts PRF outputs internally.\n  if (request.type === SecureConfirmationType.DECRYPT_PRIVATE_KEY_WITH_PRF) {\n    if (__isWalletIframeHostMode()) {\n      confirmationConfig.uiMode = 'skip';\n      confirmationConfig.behavior = 'autoProceed';\n    }\n\n    const vrfChallenge = createRandomVRFChallenge() as VRFChallenge;\n    // When this flow is initiated via worker→host messaging (wallet-iframe mode),\n    // there is typically no transient user activation. If confirmationConfig chooses\n    // a visible UI mode (modal/drawer), prompt first so the click lands inside the\n    // wallet iframe and grants activation for the subsequent WebAuthn call.\n    if (confirmationConfig.uiMode !== 'skip') {\n      // Provide a sensible title/body for non-transaction flows so the confirmer\n      // doesn't fall back to \"Register with Passkey\" (txSigningRequests is empty).\n      try {\n        const op = (transactionSummary as any)?.operation as string | undefined;\n        const warning = (transactionSummary as any)?.warning as string | undefined;\n        if (!transactionSummary.title) transactionSummary.title = op || 'Decrypt Private Key';\n        if (!transactionSummary.body) {\n          transactionSummary.body = warning || 'Confirm to authenticate with your passkey.';\n        }\n      } catch { }\n\n      const uiVrfChallenge: Partial<VRFChallenge> = (() => {\n        try {\n          return {\n            ...vrfChallenge,\n            userId: nearAccountId,\n            rpId: adapters.vrf.getRpId(),\n          } as Partial<VRFChallenge>;\n        } catch {\n          return { ...vrfChallenge, userId: nearAccountId } as Partial<VRFChallenge>;\n        }\n      })();\n\n      const { confirmed, error: uiError } = await session.promptUser({ vrfChallenge: uiVrfChallenge });\n      if (!confirmed) {\n        window.parent?.postMessage({ type: 'WALLET_UI_CLOSED' }, '*');\n        return session.confirmAndCloseModal({\n          requestId: request.requestId,\n          intentDigest: getIntentDigest(request),\n          confirmed: false,\n          error: uiError,\n        });\n      }\n    }\n    try {\n      const credential = await adapters.webauthn.collectAuthenticationCredentialWithPRF({\n        nearAccountId,\n        vrfChallenge,\n        // Offline export / local decrypt needs both PRF outputs so the VRF worker can\n        // recover/derive key material without requiring a pre-existing VRF session.\n        includeSecondPrfOutput: true,\n      });\n      // No modal to keep open; export viewer will be shown by a subsequent request.\n      return session.confirmAndCloseModal({\n        requestId: request.requestId,\n        intentDigest: getIntentDigest(request),\n        confirmed: true,\n        credential,\n      });\n\n    } catch (err: unknown) {\n      const cancelled = isUserCancelledSecureConfirm(err);\n      if (cancelled) {\n        window.parent?.postMessage({ type: 'WALLET_UI_CLOSED' }, '*');\n      }\n      return session.confirmAndCloseModal({\n        requestId: request.requestId,\n        intentDigest: getIntentDigest(request),\n        confirmed: false,\n        error: cancelled ? ERROR_MESSAGES.cancelled : (errorMessage(err) || ERROR_MESSAGES.collectCredentialsFailed),\n      });\n    }\n  }\n}\n"],"mappings":";;;;;;;AAMA,MAAaA,cAAsD,GAChE,oCAAoC,OAAO;;;;;;;AAS9C,eAAsB,cAAc,KAAa,QAA+C;AAC9F,KAAI;AACF,MAAI,CAAC,eAAe,IAAI,KACtB,OAAM;SAEF;;;;;ACIV,eAAe,kBACb,SACA,oBACe;AACf,OAAM,cAAc,mCAAmC,OAAO;CAC9D,MAAM,OAAO,SAAS,cAAc;AACpC,MAAK,QAAQ,QAAQ,SAAS,mBAAmB,SAAS;AAC1D,MAAK,UAAU,QAAQ,YAAa,mBAAmB,WAAW,WAAY,WAAW;AACzF,MAAK,YAAY,QAAQ;AACzB,MAAK,YAAY,QAAQ;AACzB,MAAK,aAAa,QAAQ;AAC1B,MAAK,UAAU;AAEf,QAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;AACzD,UAAS,KAAK,YAAY;CAE1B,IAAIC;AACJ,wBAAuB,qBAAqB,YAAY;AACtD,SAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;AACzD;AACA,OAAK;IACJ,EAAE,MAAM;;AAGb,eAAsB,oBACpB,KACA,SACA,QACA,MACe;CAEf,MAAM,EAAE,oBAAoB,uBAAuB;CACnD,MAAM,WAAW,4BAA4B;CAC7C,MAAM,UAAU,qBAAqB;EACnC;EACA;EACA;EACA;EACA;;CAEF,MAAM,gBAAgB,iBAAiB;AAGvC,KAAI,QAAQ,SAAS,uBAAuB,2BAC1C,KAAI;AACF,QAAM,kBAAkB,QAAQ,SAA0C;AAE1E,UAAQ,qBAAqB;GAC3B,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;;AAEb;UACOC,KAAc;AACrB,SAAO,QAAQ,qBAAqB;GAClC,WAAW,QAAQ;GACnB,cAAc,gBAAgB;GAC9B,WAAW;GACX,OAAO,aAAa,QAAQ;;;AAOlC,KAAI,QAAQ,SAAS,uBAAuB,8BAA8B;AACxE,MAAI,4BAA4B;AAC9B,sBAAmB,SAAS;AAC5B,sBAAmB,WAAW;;EAGhC,MAAM,eAAe;AAKrB,MAAI,mBAAmB,WAAW,QAAQ;AAGxC,OAAI;IACF,MAAM,KAAM,oBAA4B;IACxC,MAAM,UAAW,oBAA4B;AAC7C,QAAI,CAAC,mBAAmB,MAAO,oBAAmB,QAAQ,MAAM;AAChE,QAAI,CAAC,mBAAmB,KACtB,oBAAmB,OAAO,WAAW;WAEjC;GAER,MAAMC,wBAA+C;AACnD,QAAI;AACF,YAAO;MACL,GAAG;MACH,QAAQ;MACR,MAAM,SAAS,IAAI;;YAEf;AACN,YAAO;MAAE,GAAG;MAAc,QAAQ;;;;GAItC,MAAM,EAAE,WAAW,OAAO,YAAY,MAAM,QAAQ,WAAW,EAAE,cAAc;AAC/E,OAAI,CAAC,WAAW;AACd,WAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;AACzD,WAAO,QAAQ,qBAAqB;KAClC,WAAW,QAAQ;KACnB,cAAc,gBAAgB;KAC9B,WAAW;KACX,OAAO;;;;AAIb,MAAI;GACF,MAAM,aAAa,MAAM,SAAS,SAAS,uCAAuC;IAChF;IACA;IAGA,wBAAwB;;AAG1B,UAAO,QAAQ,qBAAqB;IAClC,WAAW,QAAQ;IACnB,cAAc,gBAAgB;IAC9B,WAAW;IACX;;WAGKD,KAAc;GACrB,MAAM,YAAY,6BAA6B;AAC/C,OAAI,UACF,QAAO,QAAQ,YAAY,EAAE,MAAM,sBAAsB;AAE3D,UAAO,QAAQ,qBAAqB;IAClC,WAAW,QAAQ;IACnB,cAAc,gBAAgB;IAC9B,WAAW;IACX,OAAO,YAAY,eAAe,YAAa,aAAa,QAAQ,eAAe"}

package/dist/esm/sdk/{localOnly-BZPBj14l.js → localOnly-DQQuqgjJ.js}

@@ -14,7 +14,7 @@ import { errorMessage } from "./errors-DevlT39D.js";
 import "./safari-fallbacks-BcMFntiP.js";
 import "./touchIdPrompt-JPhrOx8o.js";
 import { ERROR_MESSAGES, SecureConfirmationType, getIntentDigest, getNearAccountId, isUserCancelledSecureConfirm } from "./collectAuthenticationCredentialForVrfChallenge-DqzPzwvU.js";
-import { createConfirmSession, createConfirmTxFlowAdapters } from "./createAdapters-1Hmc1vVC.js";
+import { createConfirmSession, createConfirmTxFlowAdapters } from "./createAdapters-DF32SIZa.js";
 
 //#region src/core/WebAuthnManager/VrfWorkerManager/confirmTxFlow/flows/localOnly.ts
 async function mountExportViewer(payload, confirmationConfig) {

package/dist/esm/sdk/{login-DnROv3eA.js → login-DUIWZHp_.js}

@@ -1,13 +1,13 @@
 import { ensureEd25519Prefix, stripTrailingSlashes, toTrimmedString } from "./validation-BTq6LGPp.js";
 import { base64UrlDecode, base64UrlEncode } from "./base64-dqpWgddX.js";
 import { createRandomVRFChallenge } from "./vrf-worker-BzQsJ5BW.js";
-import { LoginPhase, LoginStatus } from "./sdkSentEvents-CzAZBFjP.js";
+import { LoginPhase, LoginStatus } from "./sdkSentEvents-BfkcI7EN.js";
 import { alphabetizeStringify, computeLoginIntentDigest, sha256BytesUtf8 } from "./intentDigest-yivVENNK.js";
 import { getUserFriendlyErrorMessage } from "./errors-DevlT39D.js";
-import { IndexedDBManager, normalizeThresholdEd25519ParticipantIds } from "./IndexedDBManager-B1cUvdyY.js";
+import { IndexedDBManager, normalizeThresholdEd25519ParticipantIds } from "./IndexedDBManager-CmdN7smS.js";
 import { removePrfOutputGuard } from "./safari-fallbacks-BcMFntiP.js";
 import { authenticatorsToAllowCredentials } from "./touchIdPrompt-JPhrOx8o.js";
-import { verifyAuthenticationResponse } from "./rpcCalls-B44MZora.js";
+import { verifyAuthenticationResponse } from "./rpcCalls-VL4loDKP.js";
 import { parseDeviceNumber } from "./getDeviceNumber-y3mMtky6.js";
 
 //#region ../node_modules/.pnpm/base-x@5.0.1/node_modules/base-x/src/esm/index.js
@@ -1319,7 +1319,7 @@ async function handleLoginUnlockVRF(context, nearAccountId, onEvent, onError, af
 			const relayerUrl$1 = context.configs.relayer?.url;
 			if (usedFallbackTouchId && relayerUrl$1) {
 				const refreshed = await webAuthnManager.shamir3PassEncryptCurrentVrfKeypair();
-				await webAuthnManager.updateServerEncryptedVrfKeypair(nearAccountId, refreshed);
+				await webAuthnManager.updateServerEncryptedVrfKeypair(nearAccountId, refreshed, activeDeviceNumber);
 			}
 		} catch (refreshErr) {
 			console.warn("Non-fatal: Failed to refresh serverEncryptedVrfKeypair:", refreshErr?.message || refreshErr);

package/dist/esm/sdk/offline-export-app.js

@@ -1,6 +1,6 @@
 import { assertString, ensureEd25519Prefix, isFunction, isNumber, isObject, isString, stripTrailingSlashes, toOptionalTrimmedString, toTrimmedString, validateNearAccountId } from "./validation-hUZgySTx.js";
 import { ActionType, SecureConfirmMessageType, SecureConfirmationType, TouchIdPrompt, base64Decode, base64Encode, base64UrlDecode, collectAuthenticationCredentialForVrfChallenge, computeThresholdEd25519KeygenIntentDigest, computeUiIntentDigestFromTxs, createRandomVRFChallenge, errorMessage, getIntentDigest, normalizeRegistrationCredential, orderActionForDigest, parseTransactionSummary, removePrfOutputGuard, sanitizeForPostMessage, sendConfirmResponse, serializeRegistrationCredentialWithPRF, toAccountId, toActionArgsWasm, toError, validateActionArgsWasm, validateVRFChallenge } from "./collectAuthenticationCredentialForVrfChallenge-C9p90e5Z.js";
-import { DEFAULT_CONFIRMATION_CONFIG, DEFAULT_SIGNING_MODE, DEFAULT_THRESHOLD_BEHAVIOR, INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT, PASSKEY_MANAGER_DEFAULT_CONFIGS, THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID, THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID, UserVerificationPolicy as UserVerificationPolicy$1, WorkerRequestType, WorkerResponseType, buildConfigsFromEnv, coerceSignerMode, getLastLoggedInDeviceNumber, getThresholdBehaviorFromSignerMode, isDecryptPrivateKeyWithPrfSuccess, isDeriveNearKeypairAndEncryptSuccess, isExtractCosePublicKeySuccess, isRecoverKeypairFromPasskeySuccess, isRegisterDevice2WithDerivedKeySuccess, isSignAddKeyThresholdPublicKeyNoPromptSuccess, isSignDelegateActionSuccess, isSignNep413MessageSuccess, isSignTransactionsWithActionsSuccess, isWorkerError, isWorkerProgress, isWorkerSuccess, mergeSignerMode } from "./getDeviceNumber-f8bfPB9U.js";
+import { DEFAULT_CONFIRMATION_CONFIG, DEFAULT_SIGNING_MODE, DEFAULT_THRESHOLD_BEHAVIOR, INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT, PASSKEY_MANAGER_DEFAULT_CONFIGS, THRESHOLD_ED25519_CLIENT_PARTICIPANT_ID, THRESHOLD_ED25519_RELAYER_PARTICIPANT_ID, UserVerificationPolicy as UserVerificationPolicy$1, WorkerRequestType, WorkerResponseType, buildConfigsFromEnv, coerceSignerMode, getLastLoggedInDeviceNumber, getThresholdBehaviorFromSignerMode, isDecryptPrivateKeyWithPrfSuccess, isDeriveNearKeypairAndEncryptSuccess, isExtractCosePublicKeySuccess, isRecoverKeypairFromPasskeySuccess, isRegisterDevice2WithDerivedKeySuccess, isSignAddKeyThresholdPublicKeyNoPromptSuccess, isSignDelegateActionSuccess, isSignNep413MessageSuccess, isSignTransactionsWithActionsSuccess, isWorkerError, isWorkerProgress, isWorkerSuccess, mergeSignerMode } from "./getDeviceNumber-WiNzKx1x.js";
 import { __isWalletIframeHostMode } from "./host-mode-CgqmYAwZ.js";
 
 //#region ../node_modules/.pnpm/idb@8.0.3/node_modules/idb/build/index.js
@@ -513,8 +513,8 @@ var PasskeyClientDBManager = class {
 		await this.storeUser(userData);
 		return userData;
 	}
-	async updateUser(nearAccountId, updates) {
-		const user = await this.getUser(nearAccountId);
+	async updateUser(nearAccountId, updates, deviceNumber) {
+		const user = await this.getUser(nearAccountId, deviceNumber);
 		if (user) {
 			const updatedUser = {
 				...user,
@@ -2135,8 +2135,9 @@ let RegistrationPhase = /* @__PURE__ */ function(RegistrationPhase$1) {
 	RegistrationPhase$1["STEP_4_ACCESS_KEY_ADDITION"] = "access-key-addition";
 	RegistrationPhase$1["STEP_5_CONTRACT_REGISTRATION"] = "contract-registration";
 	RegistrationPhase$1["STEP_6_ACCOUNT_VERIFICATION"] = "account-verification";
-	RegistrationPhase$1["STEP_7_DATABASE_STORAGE"] = "database-storage";
-	RegistrationPhase$1["STEP_8_REGISTRATION_COMPLETE"] = "registration-complete";
+	RegistrationPhase$1["STEP_7_THRESHOLD_KEY_ENROLLMENT"] = "threshold-key-enrollment";
+	RegistrationPhase$1["STEP_8_DATABASE_STORAGE"] = "database-storage";
+	RegistrationPhase$1["STEP_9_REGISTRATION_COMPLETE"] = "registration-complete";
 	RegistrationPhase$1["REGISTRATION_ERROR"] = "error";
 	return RegistrationPhase$1;
 }({});
@@ -3860,13 +3861,23 @@ async function handlePromptUserConfirmInJsMainThread(ctx, message, worker) {
 		});
 		return;
 	}
-	await handler({
-		ctx,
-		request,
-		worker,
-		confirmationConfig,
-		transactionSummary
-	});
+	try {
+		await handler({
+			ctx,
+			request,
+			worker,
+			confirmationConfig,
+			transactionSummary
+		});
+	} catch (e) {
+		console.error("[SecureConfirm][Host] handler failed", e);
+		sendConfirmResponse(worker, {
+			requestId: request.requestId,
+			intentDigest: getIntentDigest(request),
+			confirmed: false,
+			error: errorMessage(e) || "Secure confirmation failed"
+		});
+	}
 }
 async function importFlow(label, loader) {
 	try {
@@ -3878,42 +3889,42 @@ async function importFlow(label, loader) {
 }
 const HANDLERS = {
 	[SecureConfirmationType.DECRYPT_PRIVATE_KEY_WITH_PRF]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-40zxrBMm.js"));
+		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-COpDBMkm.js"));
 		await handleLocalOnlyFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.SHOW_SECURE_PRIVATE_KEY_UI]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-40zxrBMm.js"));
+		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-COpDBMkm.js"));
 		await handleLocalOnlyFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.REGISTER_ACCOUNT]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-MrAOC8Ub.js"));
+		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-R70lvG_o.js"));
 		await handleRegistrationFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.LINK_DEVICE]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-MrAOC8Ub.js"));
+		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-R70lvG_o.js"));
 		await handleRegistrationFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.SIGN_TRANSACTION]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-CrjP8yPD.js"));
+		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-CxsklyCK.js"));
 		await handleTransactionSigningFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.SIGN_NEP413_MESSAGE]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-CrjP8yPD.js"));
+		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-CxsklyCK.js"));
 		await handleTransactionSigningFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
@@ -7050,13 +7061,13 @@ var WebAuthnManager = class {
 	/**
 	* Persist refreshed server-encrypted VRF keypair in IndexedDB.
 	*/
-	async updateServerEncryptedVrfKeypair(nearAccountId, serverEncrypted) {
+	async updateServerEncryptedVrfKeypair(nearAccountId, serverEncrypted, deviceNumber) {
 		await IndexedDBManager.clientDB.updateUser(nearAccountId, { serverEncryptedVrfKeypair: {
 			ciphertextVrfB64u: serverEncrypted.ciphertextVrfB64u,
 			kek_s_b64u: serverEncrypted.kek_s_b64u,
 			serverKeyId: serverEncrypted.serverKeyId,
 			updatedAt: Date.now()
-		} });
+		} }, deviceNumber);
 	}
 	async clearVrfSession() {
 		if (typeof window !== "undefined" && this.workerBaseOrigin !== window.location.origin) return;
@@ -7164,7 +7175,7 @@ var WebAuthnManager = class {
 			const active = status.active && status.nearAccountId === nearAccountId;
 			if (!active) return false;
 			const refreshed = await this.shamir3PassEncryptCurrentVrfKeypair();
-			await this.updateServerEncryptedVrfKeypair(nearAccountId, refreshed);
+			await this.updateServerEncryptedVrfKeypair(nearAccountId, refreshed, userData?.deviceNumber);
 			return true;
 		} catch {
 			return false;