@tatchi-xyz/sdk 0.31.0 → 0.32.0

package/dist/esm/sdk/wallet-iframe-host.js

@@ -4,9 +4,9 @@ import { ActionType, fromTransactionInputsWasm, toActionArgsWasm, validateAction
 import { DEFAULT_WAIT_STATUS } from "./rpc-Dq3ioE9T.js";
 import { DEFAULT_CONFIRMATION_CONFIG, DEFAULT_SIGNING_MODE, DEFAULT_THRESHOLD_BEHAVIOR, INTERNAL_WORKER_REQUEST_TYPE_SIGN_ADD_KEY_THRESHOLD_PUBLIC_KEY_NO_PROMPT, UserVerificationPolicy as UserVerificationPolicy$1, WorkerRequestType, WorkerResponseType, coerceSignerMode, getThresholdBehaviorFromSignerMode, isDecryptPrivateKeyWithPrfSuccess, isDeriveNearKeypairAndEncryptSuccess, isExtractCosePublicKeySuccess, isRecoverKeypairFromPasskeySuccess, isRegisterDevice2WithDerivedKeySuccess, isSignAddKeyThresholdPublicKeyNoPromptSuccess, isSignDelegateActionSuccess, isSignNep413MessageSuccess, isSignTransactionsWithActionsSuccess, isWorkerError, isWorkerProgress, isWorkerSuccess, mergeSignerMode } from "./signer-worker-DK847sXj.js";
 import { base64UrlDecode } from "./base64-dqpWgddX.js";
-import { clearCachedThresholdEd25519AuthSession, esm_default, getCachedThresholdEd25519AuthSessionJwt, getLoginSession, getRecentLogins, isThresholdSessionAuthUnavailableError, isThresholdSignerMissingKeyError, loginAndCreateSession, logoutAndClearSession, makeThresholdEd25519AuthSessionCacheKey } from "./login-DnROv3eA.js";
+import { clearCachedThresholdEd25519AuthSession, esm_default, getCachedThresholdEd25519AuthSessionJwt, getLoginSession, getRecentLogins, isThresholdSessionAuthUnavailableError, isThresholdSignerMissingKeyError, loginAndCreateSession, logoutAndClearSession, makeThresholdEd25519AuthSessionCacheKey } from "./login-DUIWZHp_.js";
 import { validateVRFChallenge } from "./vrf-worker-BzQsJ5BW.js";
-import { ActionPhase, ActionStatus, RegistrationPhase, RegistrationStatus } from "./sdkSentEvents-CzAZBFjP.js";
+import { ActionPhase, ActionStatus, RegistrationPhase, RegistrationStatus } from "./sdkSentEvents-BfkcI7EN.js";
 import { BUILD_PATHS, SIGNER_WORKER_MANAGER_CONFIG } from "./config-BbNXtVtu.js";
 import { toAccountId } from "./accountIds-DVDhXwVA.js";
 import { computeThresholdEd25519KeygenIntentDigest, computeUiIntentDigestFromTxs, orderActionForDigest } from "./intentDigest-yivVENNK.js";
@@ -14,14 +14,14 @@ import { CONFIRM_UI_ELEMENT_SELECTORS } from "./tags-ByzxP7Cc.js";
 import { __isWalletIframeHostMode, __setWalletIframeHostMode, ensureKnownW3aElement } from "./host-mode-BIUqo9hg.js";
 import { errorMessage, getNearShortErrorMessage, getUserFriendlyErrorMessage, isTouchIdCancellationError, toError } from "./errors-DevlT39D.js";
 import { MinimalNearClient, SignedTransaction, isOffline, openOfflineExport } from "./overlay-Ci2FOQKE.js";
-import { IndexedDBManager, buildThresholdEd25519Participants2pV1, configureIndexedDB, normalizeThresholdEd25519ParticipantIds } from "./IndexedDBManager-B1cUvdyY.js";
-import { PASSKEY_MANAGER_DEFAULT_CONFIGS, buildConfigsFromEnv } from "./defaultConfigs-BmCU1_qI.js";
+import { IndexedDBManager, buildThresholdEd25519Participants2pV1, configureIndexedDB, normalizeThresholdEd25519ParticipantIds } from "./IndexedDBManager-CmdN7smS.js";
+import { PASSKEY_MANAGER_DEFAULT_CONFIGS, buildConfigsFromEnv } from "./defaultConfigs-BQqiXif-.js";
 import { normalizeRegistrationCredential, removePrfOutputGuard, serializeRegistrationCredential, serializeRegistrationCredentialWithPRF } from "./safari-fallbacks-BcMFntiP.js";
 import { TouchIdPrompt } from "./touchIdPrompt-JPhrOx8o.js";
-import { checkCanRegisterUserContractCall, hasAccessKey, thresholdEd25519Keygen, waitForAccessKeyAbsent } from "./rpcCalls-B44MZora.js";
+import { checkCanRegisterUserContractCall, hasAccessKey, thresholdEd25519Keygen, waitForAccessKeyAbsent } from "./rpcCalls-VL4loDKP.js";
 import { getLastLoggedInDeviceNumber } from "./getDeviceNumber-y3mMtky6.js";
 import { SecureConfirmMessageType, SecureConfirmationType, collectAuthenticationCredentialForVrfChallenge, getIntentDigest, parseTransactionSummary, sanitizeForPostMessage, sendConfirmResponse } from "./collectAuthenticationCredentialForVrfChallenge-DqzPzwvU.js";
-import "./syncAccount-Dt5jJbEB.js";
+import "./syncAccount-xh81Vppo.js";
 
 //#region src/utils/base58.ts
 /**
@@ -2364,13 +2364,23 @@ async function handlePromptUserConfirmInJsMainThread(ctx, message, worker) {
 		});
 		return;
 	}
-	await handler({
-		ctx,
-		request,
-		worker,
-		confirmationConfig,
-		transactionSummary
-	});
+	try {
+		await handler({
+			ctx,
+			request,
+			worker,
+			confirmationConfig,
+			transactionSummary
+		});
+	} catch (e) {
+		console.error("[SecureConfirm][Host] handler failed", e);
+		sendConfirmResponse(worker, {
+			requestId: request.requestId,
+			intentDigest: getIntentDigest(request),
+			confirmed: false,
+			error: errorMessage(e) || "Secure confirmation failed"
+		});
+	}
 }
 async function importFlow(label, loader) {
 	try {
@@ -2382,42 +2392,42 @@ async function importFlow(label, loader) {
 }
 const HANDLERS = {
 	[SecureConfirmationType.DECRYPT_PRIVATE_KEY_WITH_PRF]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-BZPBj14l.js"));
+		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-DQQuqgjJ.js"));
 		await handleLocalOnlyFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.SHOW_SECURE_PRIVATE_KEY_UI]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-BZPBj14l.js"));
+		const { handleLocalOnlyFlow } = await importFlow("localOnly", () => import("./localOnly-DQQuqgjJ.js"));
 		await handleLocalOnlyFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.REGISTER_ACCOUNT]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-BP9M3tE1.js"));
+		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-BR2G9tz_.js"));
 		await handleRegistrationFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.LINK_DEVICE]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-BP9M3tE1.js"));
+		const { handleRegistrationFlow } = await importFlow("registration", () => import("./registration-BR2G9tz_.js"));
 		await handleRegistrationFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.SIGN_TRANSACTION]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-DAZrPW-6.js"));
+		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-Cg1TIUyK.js"));
 		await handleTransactionSigningFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
 		});
 	},
 	[SecureConfirmationType.SIGN_NEP413_MESSAGE]: async ({ ctx, request, worker, confirmationConfig, transactionSummary }) => {
-		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-DAZrPW-6.js"));
+		const { handleTransactionSigningFlow } = await importFlow("transactions", () => import("./transactions-Cg1TIUyK.js"));
 		await handleTransactionSigningFlow(ctx, request, worker, {
 			confirmationConfig,
 			transactionSummary
@@ -5554,13 +5564,13 @@ var WebAuthnManager = class {
 	/**
 	* Persist refreshed server-encrypted VRF keypair in IndexedDB.
 	*/
-	async updateServerEncryptedVrfKeypair(nearAccountId, serverEncrypted) {
+	async updateServerEncryptedVrfKeypair(nearAccountId, serverEncrypted, deviceNumber) {
 		await IndexedDBManager.clientDB.updateUser(nearAccountId, { serverEncryptedVrfKeypair: {
 			ciphertextVrfB64u: serverEncrypted.ciphertextVrfB64u,
 			kek_s_b64u: serverEncrypted.kek_s_b64u,
 			serverKeyId: serverEncrypted.serverKeyId,
 			updatedAt: Date.now()
-		} });
+		} }, deviceNumber);
 	}
 	async clearVrfSession() {
 		if (typeof window !== "undefined" && this.workerBaseOrigin !== window.location.origin) return;
@@ -5668,7 +5678,7 @@ var WebAuthnManager = class {
 			const active = status.active && status.nearAccountId === nearAccountId;
 			if (!active) return false;
 			const refreshed = await this.shamir3PassEncryptCurrentVrfKeypair();
-			await this.updateServerEncryptedVrfKeypair(nearAccountId, refreshed);
+			await this.updateServerEncryptedVrfKeypair(nearAccountId, refreshed, userData?.deviceNumber);
 			return true;
 		} catch {
 			return false;
@@ -6717,23 +6727,24 @@ async function createAccountAndRegisterWithRelayServer(context, nearAccountId, p
 		const serialized = isSerialized ? normalizeRegistrationCredential(credential) : serializeRegistrationCredential(credential);
 		const serializedCredential = removePrfOutputGuard(serialized);
 		if (!Array.isArray(serializedCredential?.response?.transports)) serializedCredential.response.transports = [];
-		const intent_digest_32 = Array.from(base64UrlDecode(vrfChallenge.intentDigest || ""));
-		if (intent_digest_32.length !== 32) throw new Error("Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)");
+		const intentDigestB64u = String(vrfChallenge.intentDigest || "").trim();
+		const intentDigestBytes = base64UrlDecode(intentDigestB64u);
+		if (intentDigestBytes.length !== 32) throw new Error("Missing or invalid vrfChallenge.intentDigest (expected base64url-encoded 32 bytes)");
 		const requestData = {
 			new_account_id: nearAccountId,
 			new_public_key: publicKey,
 			device_number: 1,
 			...opts?.thresholdEd25519?.clientVerifyingShareB64u ? { threshold_ed25519: { client_verifying_share_b64u: opts.thresholdEd25519.clientVerifyingShareB64u } } : {},
 			vrf_data: {
-				vrf_input_data: Array.from(base64UrlDecode(vrfChallenge.vrfInput)),
-				vrf_output: Array.from(base64UrlDecode(vrfChallenge.vrfOutput)),
-				vrf_proof: Array.from(base64UrlDecode(vrfChallenge.vrfProof)),
-				public_key: Array.from(base64UrlDecode(vrfChallenge.vrfPublicKey)),
+				vrf_input_data: vrfChallenge.vrfInput,
+				vrf_output: vrfChallenge.vrfOutput,
+				vrf_proof: vrfChallenge.vrfProof,
+				public_key: vrfChallenge.vrfPublicKey,
 				user_id: vrfChallenge.userId,
 				rp_id: vrfChallenge.rpId,
 				block_height: Number(vrfChallenge.blockHeight),
-				block_hash: Array.from(base64UrlDecode(vrfChallenge.blockHash)),
-				intent_digest_32
+				block_hash: vrfChallenge.blockHash,
+				intent_digest_32: intentDigestB64u
 			},
 			webauthn_registration: serializedCredential,
 			deterministic_vrf_public_key: Array.from(base64UrlDecode(deterministicVrfPublicKey)),
@@ -6829,7 +6840,7 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 			step: 1,
 			phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,
 			status: RegistrationStatus.PROGRESS,
-			message: "Account available, generating credentials..."
+			message: "Generating passkey credential..."
 		});
 		const confirmationConfig = {
 			uiMode: "modal",
@@ -6845,26 +6856,13 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 		});
 		const credential = registrationSession.credential;
 		const vrfChallenge = registrationSession.vrfChallenge;
+		const transactionContext = registrationSession.transactionContext;
 		onEvent?.({
 			step: 1,
 			phase: RegistrationPhase.STEP_1_WEBAUTHN_VERIFICATION,
 			status: RegistrationStatus.SUCCESS,
 			message: "WebAuthn ceremony successful"
 		});
-		const canRegisterUserPromise = webAuthnManager.checkCanRegisterUser({
-			contractId: context.configs.contractId,
-			credential,
-			vrfChallenge,
-			onEvent: (progress) => {
-				console.debug(`Registration progress: ${progress.step} - ${progress.message}`);
-				onEvent?.({
-					step: 3,
-					phase: RegistrationPhase.STEP_3_CONTRACT_PRE_CHECK,
-					status: RegistrationStatus.PROGRESS,
-					message: `${progress.message}`
-				});
-			}
-		});
 		const deterministicVrfKeyResult = await webAuthnManager.deriveVrfKeypair({
 			credential,
 			nearAccountId,
@@ -6896,12 +6894,6 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 			if (!derived.success || !derived.clientVerifyingShareB64u) throw new Error(derived.error || "Failed to derive threshold client verifying share");
 			thresholdClientVerifyingShareB64u = derived.clientVerifyingShareB64u;
 		}
-		const canRegisterUserResult = await canRegisterUserPromise;
-		if (!canRegisterUserResult.verified) {
-			console.error(canRegisterUserResult);
-			const errorMessage$1 = canRegisterUserResult.error || "User verification failed - account may already exist or contract is unreachable";
-			throw new Error(`Web3Authn contract registration check failed: ${errorMessage$1}`);
-		}
 		onEvent?.({
 			step: 2,
 			phase: RegistrationPhase.STEP_2_KEY_GENERATION,
@@ -6927,15 +6919,26 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 		const expectedAccessKeys = [nearPublicKey];
 		const thresholdPublicKey = String(accountAndRegistrationResult?.thresholdEd25519?.publicKey || "").trim();
 		const relayerKeyId = String(accountAndRegistrationResult?.thresholdEd25519?.relayerKeyId || "").trim();
-		const accessKeyVerified = await verifyAccountAccessKeysPresent(context.nearClient, nearAccountId, expectedAccessKeys);
-		if (!accessKeyVerified) throw new Error("On-chain access key mismatch or not found after registration");
-		onEvent?.({
+		const accessKeyVerified = await verifyAccountAccessKeysPresent(context.nearClient, nearAccountId, expectedAccessKeys, {
+			attempts: 3,
+			delayMs: 200,
+			finality: "optimistic"
+		});
+		if (!accessKeyVerified) {
+			console.warn("[Registration] Access key not yet visible after atomic registration; continuing optimistically");
+			onEvent?.({
+				step: 6,
+				phase: RegistrationPhase.STEP_6_ACCOUNT_VERIFICATION,
+				status: RegistrationStatus.SUCCESS,
+				message: "Access key verification pending (optimistic); continuing..."
+			});
+		} else onEvent?.({
 			step: 6,
 			phase: RegistrationPhase.STEP_6_ACCOUNT_VERIFICATION,
 			status: RegistrationStatus.SUCCESS,
 			message: "Access key verified on-chain"
 		});
-		await activateThresholdEnrollmentPostRegistration({
+		activateThresholdEnrollmentPostRegistration({
 			requestedSignerMode: requestedSignerModeStr,
 			nearAccountId,
 			nearPublicKey,
@@ -6950,10 +6953,10 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 			webAuthnManager: context.webAuthnManager,
 			nearClient: context.nearClient,
 			onEvent
-		});
+		}).catch(() => {});
 		onEvent?.({
-			step: 7,
-			phase: RegistrationPhase.STEP_7_DATABASE_STORAGE,
+			step: 8,
+			phase: RegistrationPhase.STEP_8_DATABASE_STORAGE,
 			status: RegistrationStatus.PROGRESS,
 			message: "Storing passkey wallet metadata..."
 		});
@@ -6967,36 +6970,17 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 		});
 		registrationState.databaseStored = true;
 		onEvent?.({
-			step: 7,
-			phase: RegistrationPhase.STEP_7_DATABASE_STORAGE,
+			step: 8,
+			phase: RegistrationPhase.STEP_8_DATABASE_STORAGE,
 			status: RegistrationStatus.SUCCESS,
 			message: "Registration metadata stored successfully"
 		});
-		try {
-			context.webAuthnManager.getNonceManager().initializeUser(nearAccountId, nearPublicKey);
-			await context.webAuthnManager.getNonceManager().prefetchBlockheight(context.nearClient);
-		} catch {}
 		let vrfStatus = await webAuthnManager.checkVrfStatus().catch(() => ({ active: false }));
 		if (!vrfStatus?.active) {
-			const blockInfo = await context.nearClient.viewBlock({ finality: "final" });
-			const txBlockHash = blockInfo?.header?.hash;
-			const txBlockHeight = String(blockInfo.header?.height ?? "");
-			const vrfChallenge2 = await webAuthnManager.generateVrfChallengeOnce({
-				userId: nearAccountId,
-				rpId: webAuthnManager.getRpId(),
-				blockHash: txBlockHash,
-				blockHeight: txBlockHeight
-			});
-			const authenticators = await webAuthnManager.getAuthenticatorsByUser(nearAccountId);
-			const authCredential = await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({
-				nearAccountId,
-				challenge: vrfChallenge2,
-				credentialIds: authenticators.map((a) => a.credentialId)
-			});
-			const unlockResult = await webAuthnManager.unlockVRFKeypair({
+			const unlockNoPrompt = await webAuthnManager.unlockVRFKeypair({
 				nearAccountId,
 				encryptedVrfKeypair: deterministicVrfKeyResult.encryptedVrfKeypair,
-				credential: authCredential
+				credential
 			}).catch((unlockError) => {
 				const message = unlockError && typeof unlockError === "object" && "message" in unlockError ? String(unlockError.message || "") : String(unlockError || "");
 				return {
@@ -7004,19 +6988,52 @@ async function registerPasskeyInternal(context, nearAccountId, options, authenti
 					error: message
 				};
 			});
-			if (!unlockResult.success) {
-				console.warn("VRF keypair unlock failed:", unlockResult.error);
-				throw new Error(unlockResult.error);
-			}
+			if (!unlockNoPrompt.success) {
+				let txBlockHash = String(transactionContext?.txBlockHash || "").trim();
+				let txBlockHeight = String(transactionContext?.txBlockHeight || "").trim();
+				if (!txBlockHash || !txBlockHeight) {
+					const blockInfo = await context.nearClient.viewBlock({ finality: "final" });
+					txBlockHash = String(blockInfo?.header?.hash || "").trim();
+					txBlockHeight = String(blockInfo?.header?.height ?? "").trim();
+				}
+				const vrfChallenge2 = await webAuthnManager.generateVrfChallengeOnce({
+					userId: nearAccountId,
+					rpId: webAuthnManager.getRpId(),
+					blockHash: txBlockHash,
+					blockHeight: txBlockHeight
+				});
+				const allowCredentialIds = String(credential?.rawId || "").trim() ? [String(credential.rawId)] : (await webAuthnManager.getAuthenticatorsByUser(nearAccountId)).map((a) => a.credentialId);
+				const authCredential = await webAuthnManager.getAuthenticationCredentialsSerializedDualPrf({
+					nearAccountId,
+					challenge: vrfChallenge2,
+					credentialIds: allowCredentialIds
+				});
+				const unlockResult = await webAuthnManager.unlockVRFKeypair({
+					nearAccountId,
+					encryptedVrfKeypair: deterministicVrfKeyResult.encryptedVrfKeypair,
+					credential: authCredential
+				}).catch((unlockError) => {
+					const message = unlockError && typeof unlockError === "object" && "message" in unlockError ? String(unlockError.message || "") : String(unlockError || "");
+					return {
+						success: false,
+						error: message
+					};
+				});
+				if (!unlockResult.success) {
+					console.warn("VRF keypair unlock failed:", unlockResult.error);
+					throw new Error(unlockResult.error);
+				}
+			} else console.debug("Registration: VRF unlocked using registration credential; skipping extra Touch ID unlock");
 		} else console.debug("Registration: VRF session already active; skipping extra Touch ID unlock");
 		try {
-			await webAuthnManager.initializeCurrentUser(nearAccountId, context.nearClient);
+			await webAuthnManager.initializeCurrentUser(nearAccountId);
+			webAuthnManager.getNonceManager().prefetchBlockheight(context.nearClient).catch(() => {});
 		} catch (initErr) {
 			console.warn("Failed to initialize current user after registration:", initErr);
 		}
 		onEvent?.({
-			step: 8,
-			phase: RegistrationPhase.STEP_8_REGISTRATION_COMPLETE,
+			step: 9,
+			phase: RegistrationPhase.STEP_9_REGISTRATION_COMPLETE,
 			status: RegistrationStatus.SUCCESS,
 			message: "Registration completed!"
 		});
@@ -7143,8 +7160,31 @@ async function activateThresholdEnrollmentPostRegistration(opts) {
 	const relayerKeyId = String(opts.relayerKeyId || "").trim();
 	const clientVerifyingShareB64u = String(opts.thresholdClientVerifyingShareB64u || "").trim();
 	const relayerVerifyingShareB64u = String(opts.relayerVerifyingShareB64u || "").trim();
-	if (!thresholdPublicKey || !relayerKeyId || !clientVerifyingShareB64u || !relayerVerifyingShareB64u) {
+	const emitThresholdKeyEnrollmentResult = (input) => {
+		opts.onEvent?.({
+			step: 7,
+			phase: RegistrationPhase.STEP_7_THRESHOLD_KEY_ENROLLMENT,
+			status: RegistrationStatus.SUCCESS,
+			message: input.message,
+			thresholdKeyReady: input.thresholdKeyReady,
+			thresholdPublicKey: thresholdPublicKey || void 0,
+			relayerKeyId: relayerKeyId || void 0,
+			deviceNumber: 1,
+			warning: input.warning
+		});
+	};
+	const missingEnrollmentDetails = [];
+	if (!thresholdPublicKey) missingEnrollmentDetails.push("thresholdPublicKey");
+	if (!relayerKeyId) missingEnrollmentDetails.push("relayerKeyId");
+	if (!clientVerifyingShareB64u) missingEnrollmentDetails.push("clientVerifyingShareB64u");
+	if (!relayerVerifyingShareB64u) missingEnrollmentDetails.push("relayerVerifyingShareB64u");
+	if (missingEnrollmentDetails.length) {
 		console.warn("[Registration] threshold-signer requested but threshold enrollment details are missing; continuing with local-signer only");
+		emitThresholdKeyEnrollmentResult({
+			thresholdKeyReady: false,
+			message: "Threshold key not ready; continuing with local-signer only",
+			warning: `Missing threshold enrollment details: ${missingEnrollmentDetails.join(", ")}`
+		});
 		return;
 	}
 	try {
@@ -7171,7 +7211,11 @@ async function activateThresholdEnrollmentPostRegistration(opts) {
 		const signedTx = signed?.signedTransaction;
 		if (!signedTx) throw new Error("Failed to sign AddKey(thresholdPublicKey) transaction");
 		await opts.nearClient.sendTransaction(signedTx, DEFAULT_WAIT_STATUS.thresholdAddKey);
-		const thresholdKeyVerified = await verifyAccountAccessKeysPresent(opts.nearClient, opts.nearAccountId, [opts.nearPublicKey, thresholdPublicKey]);
+		const thresholdKeyVerified = await verifyAccountAccessKeysPresent(opts.nearClient, opts.nearAccountId, [opts.nearPublicKey, thresholdPublicKey], {
+			attempts: 6,
+			delayMs: 250,
+			finality: "optimistic"
+		});
 		if (!thresholdKeyVerified) throw new Error("Threshold access key not found on-chain after AddKey");
 		await IndexedDBManager.nearKeysDB.storeKeyMaterial({
 			kind: "threshold_ed25519_2p_v1",
@@ -7198,8 +7242,18 @@ async function activateThresholdEnrollmentPostRegistration(opts) {
 			status: RegistrationStatus.SUCCESS,
 			message: "Threshold access key activated on-chain"
 		});
+		emitThresholdKeyEnrollmentResult({
+			thresholdKeyReady: true,
+			message: "Threshold key ready"
+		});
 	} catch (e) {
+		const warning = e && typeof e === "object" && "message" in e ? String(e.message || "") : String(e || "");
 		console.warn("[Registration] threshold enrollment activation failed; continuing with local-signer only:", e);
+		emitThresholdKeyEnrollmentResult({
+			thresholdKeyReady: false,
+			message: "Threshold key not ready; continuing with local-signer only",
+			warning
+		});
 	}
 }
 async function verifyAccountAccessKeysPresent(nearClient$1, nearAccountId, expectedPublicKeys, opts) {
@@ -7207,14 +7261,15 @@ async function verifyAccountAccessKeysPresent(nearClient$1, nearAccountId, expec
 	if (!unique.length) return false;
 	const attempts = Math.max(1, Math.floor(opts?.attempts ?? 6));
 	const delayMs = Math.max(50, Math.floor(opts?.delayMs ?? 750));
+	const finality = opts?.finality ?? "optimistic";
 	for (let i = 0; i < attempts; i++) {
 		try {
-			const { fullAccessKeys, functionCallAccessKeys } = await nearClient$1.getAccessKeys({ account: nearAccountId });
-			const keys = [...fullAccessKeys, ...functionCallAccessKeys].map((k) => ensureEd25519Prefix(k.public_key));
+			const accessKeyList = await nearClient$1.viewAccessKeyList(nearAccountId, { finality });
+			const keys = accessKeyList.keys.map((k) => ensureEd25519Prefix(k.public_key)).filter(Boolean);
 			const allPresent = unique.every((expected) => keys.includes(expected));
 			if (allPresent) return true;
 		} catch {}
-		await new Promise((res) => setTimeout(res, delayMs));
+		if (i < attempts - 1) await new Promise((res) => setTimeout(res, delayMs));
 	}
 	return false;
 }
@@ -7307,7 +7362,7 @@ var TatchiPasskey = class {
 		} catch {}
 		if (!this.iframeRouter) {
 			if (!this.walletIframeInitInFlight) this.walletIframeInitInFlight = (async () => {
-				const { WalletIframeRouter } = await import("./router-BEGGuWaB.js");
+				const { WalletIframeRouter } = await import("./router-Cj2WexK-.js");
 				this.iframeRouter = new WalletIframeRouter({
 					walletOrigin,
 					servicePath: walletIframeConfig?.walletServicePath || "/wallet-service",
@@ -8040,7 +8095,7 @@ var TatchiPasskey = class {
 			await options?.afterCall?.(false);
 			throw e;
 		}
-		const { signDelegateAction: signDelegateAction$1 } = await import("./delegateAction-DdkvFFKA.js");
+		const { signDelegateAction: signDelegateAction$1 } = await import("./delegateAction-Bq5zkOvn.js");
 		return signDelegateAction$1({
 			context: this.getContext(),
 			nearAccountId: toAccountId(nearAccountId),
@@ -8056,7 +8111,7 @@ var TatchiPasskey = class {
 		const base = args.relayerUrl.replace(/\/+$/, "");
 		const route = (this.configs.relayer?.delegateActionRoute || "/signed-delegate").replace(/^\/?/, "/");
 		const endpoint = `${base}${route}`;
-		const { sendDelegateActionViaRelayer } = await import("./relay-Dq9D7fhG.js");
+		const { sendDelegateActionViaRelayer } = await import("./relay-BCEyWFew.js");
 		return sendDelegateActionViaRelayer({
 			url: endpoint,
 			payload: {
@@ -8172,7 +8227,7 @@ var TatchiPasskey = class {
 			await args.options?.afterCall?.(false);
 			throw e;
 		}
-		const { signNEP413Message } = await import("./signNEP413-DsyWH_Jo.js");
+		const { signNEP413Message } = await import("./signNEP413-lj0swHsD.js");
 		const res = await signNEP413Message({
 			context: this.getContext(),
 			nearAccountId: toAccountId(args.nearAccountId),
@@ -8281,8 +8336,8 @@ var TatchiPasskey = class {
 			return await router.getRecoveryEmails(nearAccountId);
 		}
 		const accountId = toAccountId(nearAccountId);
-		const { getRecoveryEmailHashesContractCall } = await import("./rpcCalls-CMzj_Va_.js");
-		const { getLocalRecoveryEmails, bytesToHex } = await import("./EmailRecovery-Dl8b4ONg.js");
+		const { getRecoveryEmailHashesContractCall } = await import("./rpcCalls-C1sp-Epo.js");
+		const { getLocalRecoveryEmails, bytesToHex } = await import("./EmailRecovery-Y7rurd4B.js");
 		const rawHashes = await getRecoveryEmailHashesContractCall(this.nearClient, accountId);
 		if (!rawHashes.length) return [];
 		let local = [];
@@ -8329,8 +8384,8 @@ var TatchiPasskey = class {
 			throw e;
 		}
 		const accountId = toAccountId(nearAccountId);
-		const { prepareRecoveryEmails } = await import("./EmailRecovery-Dl8b4ONg.js");
-		const { buildSetRecoveryEmailsActions } = await import("./rpcCalls-CMzj_Va_.js");
+		const { prepareRecoveryEmails } = await import("./EmailRecovery-Y7rurd4B.js");
+		const { buildSetRecoveryEmailsActions } = await import("./rpcCalls-C1sp-Epo.js");
 		const { hashes: recoveryEmailHashes } = await prepareRecoveryEmails(accountId, recoveryEmails);
 		const actions = await buildSetRecoveryEmailsActions(this.nearClient, accountId, recoveryEmailHashes, this.configs.emailRecoveryContracts);
 		return this.executeAction({
@@ -8361,7 +8416,7 @@ var TatchiPasskey = class {
 			throw e;
 		}
 		try {
-			const { SyncAccountFlow } = await import("./syncAccount-CqWCmBVb.js");
+			const { SyncAccountFlow } = await import("./syncAccount-DnQ9AstS.js");
 			const flow = new SyncAccountFlow(this.getContext(), options);
 			const discovered = await flow.discover(accountIdInput || "");
 			if (!Array.isArray(discovered) || discovered.length === 0) {
@@ -8391,7 +8446,7 @@ var TatchiPasskey = class {
 		}
 	}
 	async ensureEmailRecoveryFlow(options) {
-		const { EmailRecoveryFlow } = await import("./emailRecovery-4J-g9tlY.js");
+		const { EmailRecoveryFlow } = await import("./emailRecovery-B1hbE_sM.js");
 		if (!this.activeEmailRecoveryFlow) this.activeEmailRecoveryFlow = new EmailRecoveryFlow(this.getContext(), options);
 		else if (options) this.activeEmailRecoveryFlow.setOptions(options);
 		return this.activeEmailRecoveryFlow;
@@ -8485,7 +8540,7 @@ var TatchiPasskey = class {
 			});
 		}
 		this.activeDeviceLinkFlow?.cancel();
-		const { LinkDeviceFlow } = await import("./linkDevice-C98klpcE.js");
+		const { LinkDeviceFlow } = await import("./linkDevice-CRPf5aW2.js");
 		const flow = new LinkDeviceFlow(this.getContext(), {
 			cameraId: args?.cameraId,
 			options: args?.options
@@ -8538,7 +8593,7 @@ var TatchiPasskey = class {
 			});
 			return res;
 		}
-		const { linkDeviceWithScannedQRData } = await import("./scanDevice-Cp-r-Z2T.js");
+		const { linkDeviceWithScannedQRData } = await import("./scanDevice-C0HcnZym.js");
 		return linkDeviceWithScannedQRData(this.getContext(), qrData, options);
 	}
 	/**

package/dist/esm/server/core/AuthService.js

@@ -1,6 +1,7 @@
 import { isValidAccountId, toOptionalTrimmedString, toRorOriginOrNull } from "../sdk/src/utils/validation.js";
 import { createAuthServiceConfig } from "./config.js";
 import { ActionType, validateActionArgsWasm } from "../sdk/src/core/types/actions.js";
+import { base64UrlDecode } from "../sdk/src/utils/base64.js";
 import { errorMessage, toError } from "../sdk/src/utils/errors.js";
 import { MinimalNearClient, SignedTransaction } from "../sdk/src/core/NearClient.js";
 import { toPublicKeyStringFromSecretKey } from "./nearKeys.js";
@@ -19,6 +20,50 @@ import initSignerWasm, { WorkerRequestType, WorkerResponseType, handle_signer_me
 function isObject(v) {
 	return !!v && typeof v === "object" && !Array.isArray(v);
 }
+function normalizeU8ArrayLike(input, fieldName) {
+	if (input instanceof Uint8Array) return Array.from(input);
+	if (typeof input === "string") try {
+		return Array.from(base64UrlDecode(input));
+	} catch (err) {
+		throw new Error(`Invalid ${fieldName}: expected base64url string (${errorMessage(err) || "decode failed"})`);
+	}
+	if (Array.isArray(input)) {
+		const out = [];
+		for (const v of input) {
+			const n = Number(v);
+			if (!Number.isFinite(n) || n < 0 || n > 255) throw new Error(`Invalid ${fieldName}: expected byte array (0..255)`);
+			out.push(Math.floor(n));
+		}
+		return out;
+	}
+	throw new Error(`Invalid ${fieldName}: expected number[] or base64url string`);
+}
+function normalizeContractVrfDataForContract(input) {
+	if (!isObject(input)) throw new Error("Missing or invalid vrf_data");
+	const user_id = toOptionalTrimmedString(input.user_id);
+	const rp_id = toOptionalTrimmedString(input.rp_id);
+	const block_height_raw = input.block_height;
+	const block_height = typeof block_height_raw === "number" ? block_height_raw : Number(block_height_raw);
+	if (!user_id) throw new Error("Missing vrf_data.user_id");
+	if (!rp_id) throw new Error("Missing vrf_data.rp_id");
+	if (!Number.isFinite(block_height) || block_height <= 0) throw new Error("Invalid vrf_data.block_height");
+	const base = {
+		vrf_input_data: normalizeU8ArrayLike(input.vrf_input_data, "vrf_data.vrf_input_data"),
+		vrf_output: normalizeU8ArrayLike(input.vrf_output, "vrf_data.vrf_output"),
+		vrf_proof: normalizeU8ArrayLike(input.vrf_proof, "vrf_data.vrf_proof"),
+		public_key: normalizeU8ArrayLike(input.public_key, "vrf_data.public_key"),
+		user_id,
+		rp_id,
+		block_height,
+		block_hash: normalizeU8ArrayLike(input.block_hash, "vrf_data.block_hash"),
+		intent_digest_32: normalizeU8ArrayLike(input.intent_digest_32, "vrf_data.intent_digest_32")
+	};
+	if (Object.prototype.hasOwnProperty.call(input, "session_policy_digest_32")) {
+		const v = input.session_policy_digest_32;
+		if (v != null) base.session_policy_digest_32 = normalizeU8ArrayLike(v, "vrf_data.session_policy_digest_32");
+	}
+	return base;
+}
 const SIGNER_WASM_MAIN_PATH = "../../wasm_signer_worker/pkg/wasm_signer_worker_bg.wasm";
 const SIGNER_WASM_FALLBACK_PATH = "../../../workers/wasm_signer_worker_bg.wasm";
 function getSignerWasmUrls(logger) {
@@ -327,18 +372,16 @@ var AuthService = class {
 		return this.queueTransaction(async () => {
 			try {
 				if (!isValidAccountId(request.new_account_id)) throw new Error(`Invalid account ID format: ${request.new_account_id}`);
-				this.logger.info(`Checking if account ${request.new_account_id} already exists...`);
-				const accountExists = await this.checkAccountExists(request.new_account_id);
-				if (accountExists) throw new Error(`Account ${request.new_account_id} already exists. Cannot create duplicate account.`);
-				this.logger.info(`Account ${request.new_account_id} is available for atomic creation and registration`);
 				this.logger.info(`Registering account: ${request.new_account_id}`);
 				this.logger.info(`Contract: ${this.config.webAuthnContractId}`);
+				const vrf_data = normalizeContractVrfDataForContract(request.vrf_data);
+				const deterministic_vrf_public_key = normalizeU8ArrayLike(request.deterministic_vrf_public_key, "deterministic_vrf_public_key");
 				const contractArgs = {
 					new_account_id: request.new_account_id,
 					new_public_key: request.new_public_key,
-					vrf_data: request.vrf_data,
+					vrf_data,
 					webauthn_registration: request.webauthn_registration,
-					deterministic_vrf_public_key: request.deterministic_vrf_public_key,
+					deterministic_vrf_public_key,
 					authenticator_options: request.authenticator_options
 				};
 				const actions = [{