@thru/passkey 0.2.12 → 0.2.14

package/dist/chunk-B5SN7AS7.js

@@ -0,0 +1,586 @@
+import {
+  closePopup,
+  openPasskeyPopupWindow,
+  requestPasskeyPopup
+} from "./chunk-LNDWK3FA.js";
+
+// src/register.ts
+import { arrayBufferToBase64Url, bytesToHex } from "@thru/passkey-manager";
+
+// src/capabilities.ts
+var DEBUG = typeof process !== "undefined" && process.env?.NEXT_PUBLIC_PASSKEY_DEBUG === "1";
+var cachedClientCapabilities;
+var clientCapabilitiesPromise = null;
+function isWebAuthnSupported() {
+  const supported = typeof window !== "undefined" && typeof window.PublicKeyCredential !== "undefined" && typeof navigator.credentials !== "undefined";
+  if (DEBUG) {
+    console.log("[Passkey] WebAuthn support check:", {
+      window: typeof window !== "undefined",
+      PublicKeyCredential: typeof window !== "undefined" && typeof window.PublicKeyCredential !== "undefined",
+      credentials: typeof window !== "undefined" && typeof navigator !== "undefined" && typeof navigator.credentials !== "undefined",
+      supported
+    });
+  }
+  return supported;
+}
+async function fetchPasskeyClientCapabilities() {
+  if (typeof window === "undefined" || typeof window.PublicKeyCredential === "undefined") {
+    return null;
+  }
+  const getClientCapabilities = window.PublicKeyCredential.getClientCapabilities;
+  if (typeof getClientCapabilities !== "function") {
+    return null;
+  }
+  try {
+    const capabilities = await getClientCapabilities.call(window.PublicKeyCredential);
+    if (DEBUG) {
+      console.log("[Passkey] WebAuthn client capabilities:", capabilities);
+    }
+    return capabilities ?? null;
+  } catch (error) {
+    if (DEBUG) {
+      console.warn("[Passkey] Failed to read client capabilities:", error);
+    }
+    return null;
+  }
+}
+function preloadPasskeyClientCapabilities() {
+  if (cachedClientCapabilities !== void 0 || clientCapabilitiesPromise) {
+    return;
+  }
+  clientCapabilitiesPromise = fetchPasskeyClientCapabilities().then((capabilities) => {
+    cachedClientCapabilities = capabilities;
+    return capabilities;
+  });
+}
+async function getPasskeyClientCapabilities() {
+  if (cachedClientCapabilities !== void 0) {
+    return cachedClientCapabilities;
+  }
+  if (!clientCapabilitiesPromise) {
+    preloadPasskeyClientCapabilities();
+  }
+  if (!clientCapabilitiesPromise) {
+    cachedClientCapabilities = null;
+    return null;
+  }
+  const capabilities = await clientCapabilitiesPromise;
+  cachedClientCapabilities = capabilities;
+  return capabilities;
+}
+function getCachedPasskeyClientCapabilities() {
+  return cachedClientCapabilities;
+}
+function isInIframe() {
+  if (typeof window === "undefined") {
+    return false;
+  }
+  try {
+    return window.self !== window.top;
+  } catch {
+    return true;
+  }
+}
+async function shouldUsePasskeyPopup(action) {
+  if (!isInIframe()) {
+    return false;
+  }
+  const mode = await getPasskeyPromptMode(action);
+  return mode === "popup";
+}
+function getPermissionsPolicyAllowsFeature(feature) {
+  if (typeof document === "undefined") {
+    return null;
+  }
+  const policy = document.permissionsPolicy;
+  const featurePolicy = document.featurePolicy;
+  const allowsFeature = policy?.allowsFeature || featurePolicy?.allowsFeature;
+  if (typeof allowsFeature !== "function") {
+    return null;
+  }
+  try {
+    return allowsFeature(feature);
+  } catch {
+    return null;
+  }
+}
+function getCachedPromptMode(action) {
+  if (!isInIframe()) {
+    return "inline";
+  }
+  if (cachedClientCapabilities === void 0 && !clientCapabilitiesPromise) {
+    preloadPasskeyClientCapabilities();
+  }
+  const feature = action === "create" ? "publickey-credentials-create" : "publickey-credentials-get";
+  const policyAllows = getPermissionsPolicyAllowsFeature(feature);
+  const capabilities = getCachedPasskeyClientCapabilities();
+  const supportsInline = capabilities?.passkeyPlatformAuthenticator === true || capabilities?.userVerifyingPlatformAuthenticator === true;
+  if (policyAllows === false) {
+    return "popup";
+  }
+  if (capabilities === void 0) {
+    return "unknown";
+  }
+  if (!supportsInline) {
+    return "popup";
+  }
+  return "inline";
+}
+async function getPasskeyPromptMode(action) {
+  if (!isInIframe()) {
+    return "inline";
+  }
+  const feature = action === "create" ? "publickey-credentials-create" : "publickey-credentials-get";
+  const policyAllows = getPermissionsPolicyAllowsFeature(feature);
+  const capabilities = await getPasskeyClientCapabilities();
+  const supportsInline = capabilities?.passkeyPlatformAuthenticator === true || capabilities?.userVerifyingPlatformAuthenticator === true;
+  if (DEBUG) {
+    console.log("[Passkey] Prompt mode check:", {
+      action,
+      policyAllows,
+      supportsInline,
+      capabilities
+    });
+  }
+  if (!supportsInline) {
+    return "popup";
+  }
+  if (policyAllows === false) {
+    return "popup";
+  }
+  return "inline";
+}
+function maybePreopenPopup(action, openPopupFn) {
+  const cachedMode = getCachedPromptMode(action);
+  if (cachedMode !== "popup") {
+    return null;
+  }
+  try {
+    return openPopupFn();
+  } catch {
+    return null;
+  }
+}
+function shouldFallbackToPopup(error) {
+  if (!isInIframe()) {
+    return false;
+  }
+  const name = error && typeof error === "object" && "name" in error ? String(error.name) : "";
+  const message = error && typeof error === "object" && "message" in error ? String(error.message) : "";
+  const normalized = `${name} ${message}`.toLowerCase();
+  if (normalized.includes("cancel") || normalized.includes("canceled") || normalized.includes("cancelled") || normalized.includes("user canceled") || normalized.includes("user cancelled") || normalized.includes("aborted")) {
+    return false;
+  }
+  if (normalized.includes("securityerror")) {
+    return true;
+  }
+  if (normalized.includes("notallowederror")) {
+    if (normalized.includes("permission") || normalized.includes("policy") || normalized.includes("iframe") || normalized.includes("frame")) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/register.ts
+async function registerPasskey(alias, userId, rpId) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  return runWithPromptMode(
+    "create",
+    () => registerPasskeyInline(alias, userId, rpId),
+    (preopenedPopup) => registerPasskeyViaPopup(alias, userId, rpId, preopenedPopup)
+  );
+}
+async function runWithPromptMode(action, inlineFn, popupFn) {
+  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);
+  const promptMode = await getPasskeyPromptMode(action);
+  if (promptMode === "popup") {
+    return popupFn(preopenedPopup);
+  }
+  closePopup(preopenedPopup);
+  try {
+    return await inlineFn();
+  } catch (error) {
+    if (shouldFallbackToPopup(error)) {
+      return popupFn();
+    }
+    throw error;
+  }
+}
+async function registerPasskeyInline(alias, userId, rpId) {
+  const rpName = "Thru Wallet";
+  const userIdBytes = new TextEncoder().encode(userId);
+  const userIdBuffer = userIdBytes.slice(0, 64);
+  const challenge = crypto.getRandomValues(new Uint8Array(32));
+  const createOptions = {
+    challenge,
+    rp: {
+      id: rpId,
+      name: rpName
+    },
+    user: {
+      id: userIdBuffer,
+      name: alias,
+      displayName: alias
+    },
+    pubKeyCredParams: [
+      { type: "public-key", alg: -7 }
+    ],
+    authenticatorSelection: {
+      authenticatorAttachment: "platform",
+      userVerification: "required",
+      residentKey: "required",
+      requireResidentKey: true
+    },
+    attestation: "none",
+    timeout: 6e4
+  };
+  const credential = await navigator.credentials.create({
+    publicKey: createOptions
+  });
+  if (!credential) {
+    throw new Error("Passkey registration was cancelled");
+  }
+  const response = credential.response;
+  const { x, y } = extractP256PublicKey(response);
+  return {
+    credentialId: arrayBufferToBase64Url(credential.rawId),
+    publicKeyX: bytesToHex(x),
+    publicKeyY: bytesToHex(y),
+    rpId
+  };
+}
+async function registerPasskeyViaPopup(alias, userId, rpId, preopenedPopup) {
+  const result = await requestPasskeyPopup(
+    "create",
+    { alias, userId, rpId },
+    preopenedPopup
+  );
+  return result;
+}
+function extractP256PublicKey(response) {
+  if (typeof response.getPublicKey === "function") {
+    const spkiKey = response.getPublicKey();
+    if (spkiKey) {
+      return extractFromSpki(new Uint8Array(spkiKey));
+    }
+  }
+  if (typeof response.getAuthenticatorData === "function") {
+    const authData = new Uint8Array(response.getAuthenticatorData());
+    return extractFromAuthenticatorData(authData);
+  }
+  throw new Error("Unable to extract public key: browser does not support required WebAuthn methods");
+}
+function extractFromSpki(spki) {
+  const pointStart = spki.length - 65;
+  if (spki[pointStart] !== 4) {
+    throw new Error("Invalid SPKI format: expected uncompressed point");
+  }
+  const x = spki.slice(pointStart + 1, pointStart + 33);
+  const y = spki.slice(pointStart + 33, pointStart + 65);
+  if (x.length !== 32 || y.length !== 32) {
+    throw new Error("Invalid SPKI format: incorrect coordinate length");
+  }
+  return { x, y };
+}
+function extractFromAuthenticatorData(authData) {
+  const rpIdHashLength = 32;
+  const flagsLength = 1;
+  const counterLength = 4;
+  const offset = rpIdHashLength + flagsLength + counterLength;
+  const aaguidLength = 16;
+  const credIdLenOffset = offset + aaguidLength;
+  const credIdLength = authData[credIdLenOffset] << 8 | authData[credIdLenOffset + 1];
+  const coseKeyOffset = credIdLenOffset + 2 + credIdLength;
+  const coseKey = authData.slice(coseKeyOffset);
+  return extractFromCoseKey(coseKey);
+}
+function extractFromCoseKey(coseKey) {
+  const mapStart = coseKey[0];
+  if (mapStart !== 165 && mapStart !== 164) {
+    throw new Error("Invalid COSE key format");
+  }
+  let offset = 1;
+  let x = null;
+  let y = null;
+  while (offset < coseKey.length) {
+    const key = coseKey[offset++];
+    const valueType = coseKey[offset++];
+    if (key === 33) {
+      const length = valueType & 31;
+      x = coseKey.slice(offset, offset + length);
+      offset += length;
+      continue;
+    }
+    if (key === 34) {
+      const length = valueType & 31;
+      y = coseKey.slice(offset, offset + length);
+      offset += length;
+      continue;
+    }
+    if (valueType >= 64 && valueType <= 95) {
+      const length = valueType & 31;
+      offset += length;
+      continue;
+    }
+    if (valueType === 1 || valueType === 2 || valueType === 3) {
+      continue;
+    }
+    if (valueType >= 24 && valueType <= 27) {
+      const size = 1 << valueType - 24;
+      offset += size;
+      continue;
+    }
+  }
+  if (!x || !y) {
+    throw new Error("Failed to extract P-256 public key from COSE data");
+  }
+  if (x.length !== 32 || y.length !== 32) {
+    throw new Error("Invalid COSE key: incorrect coordinate length");
+  }
+  return { x, y };
+}
+
+// src/sign.ts
+import {
+  arrayBufferToBase64Url as arrayBufferToBase64Url2,
+  base64UrlToArrayBuffer,
+  bytesToBase64Url,
+  base64UrlToBytes,
+  parseDerSignature,
+  normalizeLowS
+} from "@thru/passkey-manager";
+async function signWithPasskey(credentialId, challenge, rpId) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  return runWithPromptMode2(
+    "get",
+    () => signWithPasskeyInline(credentialId, challenge, rpId),
+    (preopenedPopup) => signWithPasskeyViaPopup(credentialId, challenge, rpId, preopenedPopup)
+  );
+}
+async function signWithStoredPasskey(challenge, rpId, preferredPasskey, allPasskeys, context) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const preopenedPopup = maybePreopenPopup("get", openPasskeyPopupWindow);
+  const promptMode = await getPasskeyPromptMode("get");
+  const storedPasskey = preferredPasskey;
+  const canUsePopup = isInIframe();
+  if (promptMode === "popup" || canUsePopup && !storedPasskey) {
+    return requestStoredPasskeyPopup(challenge, preopenedPopup, context);
+  }
+  closePopup(preopenedPopup);
+  try {
+    if (storedPasskey) {
+      const result = await signWithPasskeyInline(
+        storedPasskey.credentialId,
+        challenge,
+        storedPasskey.rpId
+      );
+      return {
+        ...result,
+        passkey: storedPasskey
+      };
+    }
+    const discoverable = await signWithDiscoverablePasskey(challenge, rpId);
+    const matchingPasskey = allPasskeys.find((p) => p.credentialId === discoverable.credentialId) ?? null;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const passkey = matchingPasskey ?? {
+      credentialId: discoverable.credentialId,
+      publicKeyX: "",
+      publicKeyY: "",
+      rpId: discoverable.rpId,
+      createdAt: now,
+      lastUsedAt: now
+    };
+    return {
+      signature: discoverable.signature,
+      authenticatorData: discoverable.authenticatorData,
+      clientDataJSON: discoverable.clientDataJSON,
+      signatureR: discoverable.signatureR,
+      signatureS: discoverable.signatureS,
+      passkey
+    };
+  } catch (error) {
+    if (canUsePopup && shouldFallbackToPopup(error)) {
+      return requestStoredPasskeyPopup(challenge, void 0, context);
+    }
+    throw error;
+  }
+}
+async function signWithDiscoverablePasskey(challenge, rpId) {
+  if (!isWebAuthnSupported()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const resolvedRpId = rpId;
+  const result = await signWithPasskeyAssertion(challenge, resolvedRpId);
+  return {
+    signature: result.signature,
+    authenticatorData: result.authenticatorData,
+    clientDataJSON: result.clientDataJSON,
+    signatureR: result.signatureR,
+    signatureS: result.signatureS,
+    credentialId: result.credentialId,
+    rpId: resolvedRpId
+  };
+}
+async function runWithPromptMode2(action, inlineFn, popupFn) {
+  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);
+  const promptMode = await getPasskeyPromptMode(action);
+  if (promptMode === "popup") {
+    return popupFn(preopenedPopup);
+  }
+  closePopup(preopenedPopup);
+  try {
+    return await inlineFn();
+  } catch (error) {
+    if (shouldFallbackToPopup(error)) {
+      return popupFn();
+    }
+    throw error;
+  }
+}
+async function signWithPasskeyInline(credentialId, challenge, rpId) {
+  const result = await signWithPasskeyAssertion(challenge, rpId, credentialId);
+  return {
+    signature: result.signature,
+    authenticatorData: result.authenticatorData,
+    clientDataJSON: result.clientDataJSON,
+    signatureR: result.signatureR,
+    signatureS: result.signatureS
+  };
+}
+async function signWithPasskeyAssertion(challenge, rpId, credentialId) {
+  const challengeBytes = new Uint8Array(challenge);
+  const getOptions = {
+    challenge: challengeBytes,
+    rpId,
+    userVerification: "required",
+    timeout: 6e4
+  };
+  if (credentialId) {
+    const credentialIdBuffer = base64UrlToArrayBuffer(credentialId);
+    getOptions.allowCredentials = [
+      {
+        type: "public-key",
+        id: credentialIdBuffer,
+        transports: ["internal", "hybrid", "usb", "ble", "nfc"]
+      }
+    ];
+  }
+  const assertion = await navigator.credentials.get({
+    publicKey: getOptions
+  });
+  if (!assertion) {
+    throw new Error("Passkey authentication was cancelled");
+  }
+  const response = assertion.response;
+  const signature = new Uint8Array(response.signature);
+  let { r, s } = parseDerSignature(signature);
+  s = normalizeLowS(s);
+  return {
+    signature: new Uint8Array([...r, ...s]),
+    authenticatorData: new Uint8Array(response.authenticatorData),
+    clientDataJSON: new Uint8Array(response.clientDataJSON),
+    signatureR: r,
+    signatureS: s,
+    credentialId: arrayBufferToBase64Url2(assertion.rawId)
+  };
+}
+async function signWithPasskeyViaPopup(credentialId, challenge, rpId, preopenedPopup) {
+  const result = await requestPasskeyPopup(
+    "get",
+    {
+      credentialId,
+      challengeBase64Url: bytesToBase64Url(challenge),
+      rpId
+    },
+    preopenedPopup
+  );
+  return decodePopupSigningResult(result);
+}
+async function requestStoredPasskeyPopup(challenge, preopenedPopup, context) {
+  const result = await requestPasskeyPopup(
+    "getStored",
+    {
+      challengeBase64Url: bytesToBase64Url(challenge),
+      context
+    },
+    preopenedPopup
+  );
+  return decodePopupStoredSigningResult(result);
+}
+function decodePopupSigningResult(result) {
+  return {
+    signature: base64UrlToBytes(result.signatureBase64Url),
+    authenticatorData: base64UrlToBytes(result.authenticatorDataBase64Url),
+    clientDataJSON: base64UrlToBytes(result.clientDataJSONBase64Url),
+    signatureR: base64UrlToBytes(result.signatureRBase64Url),
+    signatureS: base64UrlToBytes(result.signatureSBase64Url)
+  };
+}
+function decodePopupStoredSigningResult(result) {
+  return {
+    ...decodePopupSigningResult(result),
+    passkey: result.passkey,
+    accounts: result.accounts
+  };
+}
+
+// src/web.ts
+import {
+  parseDerSignature as parseDerSignature2,
+  normalizeLowS as normalizeLowS2,
+  normalizeSignatureComponent,
+  P256_N,
+  P256_HALF_N,
+  bytesToBigIntBE,
+  bigIntToBytesBE
+} from "@thru/passkey-manager";
+import {
+  arrayBufferToBase64Url as arrayBufferToBase64Url3,
+  base64UrlToArrayBuffer as base64UrlToArrayBuffer2,
+  bytesToBase64,
+  bytesToBase64Url as bytesToBase64Url2,
+  base64UrlToBytes as base64UrlToBytes2,
+  bytesToHex as bytesToHex2,
+  hexToBytes,
+  bytesEqual,
+  compareBytes,
+  uniqueAccounts
+} from "@thru/passkey-manager";
+
+export {
+  isWebAuthnSupported,
+  preloadPasskeyClientCapabilities,
+  getPasskeyClientCapabilities,
+  getCachedPasskeyClientCapabilities,
+  isInIframe,
+  shouldUsePasskeyPopup,
+  registerPasskey,
+  signWithPasskey,
+  signWithStoredPasskey,
+  signWithDiscoverablePasskey,
+  parseDerSignature2 as parseDerSignature,
+  normalizeLowS2 as normalizeLowS,
+  normalizeSignatureComponent,
+  P256_N,
+  P256_HALF_N,
+  bytesToBigIntBE,
+  bigIntToBytesBE,
+  arrayBufferToBase64Url3 as arrayBufferToBase64Url,
+  base64UrlToArrayBuffer2 as base64UrlToArrayBuffer,
+  bytesToBase64,
+  bytesToBase64Url2 as bytesToBase64Url,
+  base64UrlToBytes2 as base64UrlToBytes,
+  bytesToHex2 as bytesToHex,
+  hexToBytes,
+  bytesEqual,
+  compareBytes,
+  uniqueAccounts
+};
+//# sourceMappingURL=chunk-B5SN7AS7.js.map

package/dist/chunk-B5SN7AS7.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/register.ts","../src/capabilities.ts","../src/sign.ts","../src/web.ts"],"sourcesContent":["import type { PasskeyRegistrationResult, PasskeyPopupRegistrationResult } from './types';\nimport { arrayBufferToBase64Url, bytesToHex } from '@thru/passkey-manager';\nimport {\n  isWebAuthnSupported,\n  getPasskeyPromptMode,\n  maybePreopenPopup,\n  shouldFallbackToPopup,\n  type PasskeyPromptAction,\n} from './capabilities';\nimport { requestPasskeyPopup, openPasskeyPopupWindow, closePopup } from './popup';\n\n/**\n * Register a new passkey for a profile.\n */\nexport async function registerPasskey(\n  alias: string,\n  userId: string,\n  rpId: string\n): Promise<PasskeyRegistrationResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  return runWithPromptMode(\n    'create',\n    () => registerPasskeyInline(alias, userId, rpId),\n    (preopenedPopup) => registerPasskeyViaPopup(alias, userId, rpId, preopenedPopup)\n  );\n}\n\nasync function runWithPromptMode<T>(\n  action: PasskeyPromptAction,\n  inlineFn: () => Promise<T>,\n  popupFn: (preopenedPopup?: Window | null) => Promise<T>\n): Promise<T> {\n  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);\n  const promptMode = await getPasskeyPromptMode(action);\n  if (promptMode === 'popup') {\n    return popupFn(preopenedPopup);\n  }\n\n  closePopup(preopenedPopup);\n\n  try {\n    return await inlineFn();\n  } catch (error) {\n    if (shouldFallbackToPopup(error)) {\n      return popupFn();\n    }\n    throw error;\n  }\n}\n\nasync function registerPasskeyInline(\n  alias: string,\n  userId: string,\n  rpId: string\n): Promise<PasskeyRegistrationResult> {\n  const rpName = 'Thru Wallet';\n\n  const userIdBytes = new TextEncoder().encode(userId);\n  const userIdBuffer = userIdBytes.slice(0, 64);\n\n  const challenge = crypto.getRandomValues(new Uint8Array(32));\n\n  const createOptions: PublicKeyCredentialCreationOptions = {\n    challenge,\n    rp: {\n      id: rpId,\n      name: rpName,\n    },\n    user: {\n      id: userIdBuffer,\n      name: alias,\n      displayName: alias,\n    },\n    pubKeyCredParams: [\n      { type: 'public-key', alg: -7 },\n    ],\n    authenticatorSelection: {\n      authenticatorAttachment: 'platform',\n      userVerification: 'required',\n      residentKey: 'required',\n      requireResidentKey: true,\n    },\n    attestation: 'none',\n    timeout: 60000,\n  };\n\n  const credential = (await navigator.credentials.create({\n    publicKey: createOptions,\n  })) as PublicKeyCredential | null;\n\n  if (!credential) {\n    throw new Error('Passkey registration was cancelled');\n  }\n\n  const response = credential.response as AuthenticatorAttestationResponse;\n  const { x, y } = extractP256PublicKey(response);\n\n  return {\n    credentialId: arrayBufferToBase64Url(credential.rawId),\n    publicKeyX: bytesToHex(x),\n    publicKeyY: bytesToHex(y),\n    rpId,\n  };\n}\n\nasync function registerPasskeyViaPopup(\n  alias: string,\n  userId: string,\n  rpId: string,\n  preopenedPopup?: Window | null\n): Promise<PasskeyRegistrationResult> {\n  const result = await requestPasskeyPopup<PasskeyPopupRegistrationResult>(\n    'create',\n    { alias, userId, rpId },\n    preopenedPopup\n  );\n  return result;\n}\n\n// Key extraction helpers\n\nfunction extractP256PublicKey(\n  response: AuthenticatorAttestationResponse\n): { x: Uint8Array; y: Uint8Array } {\n  if (typeof response.getPublicKey === 'function') {\n    const spkiKey = response.getPublicKey();\n    if (spkiKey) {\n      return extractFromSpki(new Uint8Array(spkiKey));\n    }\n  }\n\n  if (typeof response.getAuthenticatorData === 'function') {\n    const authData = new Uint8Array(response.getAuthenticatorData());\n    return extractFromAuthenticatorData(authData);\n  }\n\n  throw new Error('Unable to extract public key: browser does not support required WebAuthn methods');\n}\n\nfunction extractFromSpki(spki: Uint8Array): { x: Uint8Array; y: Uint8Array } {\n  const pointStart = spki.length - 65;\n\n  if (spki[pointStart] !== 0x04) {\n    throw new Error('Invalid SPKI format: expected uncompressed point');\n  }\n\n  const x = spki.slice(pointStart + 1, pointStart + 33);\n  const y = spki.slice(pointStart + 33, pointStart + 65);\n\n  if (x.length !== 32 || y.length !== 32) {\n    throw new Error('Invalid SPKI format: incorrect coordinate length');\n  }\n\n  return { x, y };\n}\n\nfunction extractFromAuthenticatorData(authData: Uint8Array): { x: Uint8Array; y: Uint8Array } {\n  const rpIdHashLength = 32;\n  const flagsLength = 1;\n  const counterLength = 4;\n  const offset = rpIdHashLength + flagsLength + counterLength;\n  const aaguidLength = 16;\n  const credIdLenOffset = offset + aaguidLength;\n  const credIdLength = (authData[credIdLenOffset] << 8) | authData[credIdLenOffset + 1];\n  const coseKeyOffset = credIdLenOffset + 2 + credIdLength;\n  const coseKey = authData.slice(coseKeyOffset);\n\n  return extractFromCoseKey(coseKey);\n}\n\nfunction extractFromCoseKey(coseKey: Uint8Array): { x: Uint8Array; y: Uint8Array } {\n  const mapStart = coseKey[0];\n  if (mapStart !== 0xa5 && mapStart !== 0xa4) {\n    throw new Error('Invalid COSE key format');\n  }\n\n  let offset = 1;\n  let x: Uint8Array | null = null;\n  let y: Uint8Array | null = null;\n\n  while (offset < coseKey.length) {\n    const key = coseKey[offset++];\n    const valueType = coseKey[offset++];\n\n    if (key === 0x21) {\n      const length = valueType & 0x1f;\n      x = coseKey.slice(offset, offset + length);\n      offset += length;\n      continue;\n    }\n\n    if (key === 0x22) {\n      const length = valueType & 0x1f;\n      y = coseKey.slice(offset, offset + length);\n      offset += length;\n      continue;\n    }\n\n    if (valueType >= 0x40 && valueType <= 0x5f) {\n      const length = valueType & 0x1f;\n      offset += length;\n      continue;\n    }\n\n    if (valueType === 0x01 || valueType === 0x02 || valueType === 0x03) {\n      continue;\n    }\n\n    if (valueType >= 0x18 && valueType <= 0x1b) {\n      const size = 1 << (valueType - 0x18);\n      offset += size;\n      continue;\n    }\n  }\n\n  if (!x || !y) {\n    throw new Error('Failed to extract P-256 public key from COSE data');\n  }\n\n  if (x.length !== 32 || y.length !== 32) {\n    throw new Error('Invalid COSE key: incorrect coordinate length');\n  }\n\n  return { x, y };\n}\n","import type { PasskeyClientCapabilities } from './types';\n\nconst DEBUG = typeof process !== 'undefined' && process.env?.NEXT_PUBLIC_PASSKEY_DEBUG === '1';\n\nlet cachedClientCapabilities: PasskeyClientCapabilities | null | undefined;\nlet clientCapabilitiesPromise: Promise<PasskeyClientCapabilities | null> | null = null;\n\nexport function isWebAuthnSupported(): boolean {\n  const supported =\n    typeof window !== 'undefined' &&\n    typeof window.PublicKeyCredential !== 'undefined' &&\n    typeof navigator.credentials !== 'undefined';\n\n  if (DEBUG) {\n    console.log('[Passkey] WebAuthn support check:', {\n      window: typeof window !== 'undefined',\n      PublicKeyCredential:\n        typeof window !== 'undefined' && typeof window.PublicKeyCredential !== 'undefined',\n      credentials:\n        typeof window !== 'undefined' &&\n        typeof navigator !== 'undefined' &&\n        typeof navigator.credentials !== 'undefined',\n      supported,\n    });\n  }\n\n  return supported;\n}\n\nasync function fetchPasskeyClientCapabilities(): Promise<PasskeyClientCapabilities | null> {\n  if (typeof window === 'undefined' || typeof window.PublicKeyCredential === 'undefined') {\n    return null;\n  }\n\n  const getClientCapabilities = (window.PublicKeyCredential as {\n    getClientCapabilities?: () => Promise<PasskeyClientCapabilities>;\n  }).getClientCapabilities;\n\n  if (typeof getClientCapabilities !== 'function') {\n    return null;\n  }\n\n  try {\n    const capabilities = await getClientCapabilities.call(window.PublicKeyCredential);\n    if (DEBUG) {\n      console.log('[Passkey] WebAuthn client capabilities:', capabilities);\n    }\n    return capabilities ?? null;\n  } catch (error) {\n    if (DEBUG) {\n      console.warn('[Passkey] Failed to read client capabilities:', error);\n    }\n    return null;\n  }\n}\n\nexport function preloadPasskeyClientCapabilities(): void {\n  if (cachedClientCapabilities !== undefined || clientCapabilitiesPromise) {\n    return;\n  }\n\n  clientCapabilitiesPromise = fetchPasskeyClientCapabilities().then((capabilities) => {\n    cachedClientCapabilities = capabilities;\n    return capabilities;\n  });\n}\n\nexport async function getPasskeyClientCapabilities(): Promise<PasskeyClientCapabilities | null> {\n  if (cachedClientCapabilities !== undefined) {\n    return cachedClientCapabilities;\n  }\n\n  if (!clientCapabilitiesPromise) {\n    preloadPasskeyClientCapabilities();\n  }\n\n  if (!clientCapabilitiesPromise) {\n    cachedClientCapabilities = null;\n    return null;\n  }\n\n  const capabilities = await clientCapabilitiesPromise;\n  cachedClientCapabilities = capabilities;\n  return capabilities;\n}\n\nexport function getCachedPasskeyClientCapabilities(): PasskeyClientCapabilities | null | undefined {\n  return cachedClientCapabilities;\n}\n\nexport function isInIframe(): boolean {\n  if (typeof window === 'undefined') {\n    return false;\n  }\n  try {\n    return window.self !== window.top;\n  } catch {\n    return true;\n  }\n}\n\nexport type PasskeyPromptAction = 'get' | 'create';\n\nexport async function shouldUsePasskeyPopup(action: PasskeyPromptAction): Promise<boolean> {\n  if (!isInIframe()) {\n    return false;\n  }\n  const mode = await getPasskeyPromptMode(action);\n  return mode === 'popup';\n}\n\ntype PasskeyPromptMode = 'inline' | 'popup';\n\nfunction getPermissionsPolicyAllowsFeature(feature: string): boolean | null {\n  if (typeof document === 'undefined') {\n    return null;\n  }\n\n  const policy = (document as { permissionsPolicy?: { allowsFeature?: (name: string) => boolean } })\n    .permissionsPolicy;\n  const featurePolicy = (document as { featurePolicy?: { allowsFeature?: (name: string) => boolean } })\n    .featurePolicy;\n  const allowsFeature = policy?.allowsFeature || featurePolicy?.allowsFeature;\n\n  if (typeof allowsFeature !== 'function') {\n    return null;\n  }\n\n  try {\n    return allowsFeature(feature);\n  } catch {\n    return null;\n  }\n}\n\nfunction getCachedPromptMode(action: PasskeyPromptAction): PasskeyPromptMode | 'unknown' {\n  if (!isInIframe()) {\n    return 'inline';\n  }\n\n  if (cachedClientCapabilities === undefined && !clientCapabilitiesPromise) {\n    preloadPasskeyClientCapabilities();\n  }\n\n  const feature =\n    action === 'create' ? 'publickey-credentials-create' : 'publickey-credentials-get';\n  const policyAllows = getPermissionsPolicyAllowsFeature(feature);\n  const capabilities = getCachedPasskeyClientCapabilities();\n  const supportsInline =\n    capabilities?.passkeyPlatformAuthenticator === true ||\n    capabilities?.userVerifyingPlatformAuthenticator === true;\n\n  if (policyAllows === false) {\n    return 'popup';\n  }\n\n  if (capabilities === undefined) {\n    return 'unknown';\n  }\n\n  if (!supportsInline) {\n    return 'popup';\n  }\n\n  return 'inline';\n}\n\nexport async function getPasskeyPromptMode(action: PasskeyPromptAction): Promise<PasskeyPromptMode> {\n  if (!isInIframe()) {\n    return 'inline';\n  }\n\n  const feature =\n    action === 'create' ? 'publickey-credentials-create' : 'publickey-credentials-get';\n  const policyAllows = getPermissionsPolicyAllowsFeature(feature);\n  const capabilities = await getPasskeyClientCapabilities();\n  const supportsInline =\n    capabilities?.passkeyPlatformAuthenticator === true ||\n    capabilities?.userVerifyingPlatformAuthenticator === true;\n\n  if (DEBUG) {\n    console.log('[Passkey] Prompt mode check:', {\n      action,\n      policyAllows,\n      supportsInline,\n      capabilities,\n    });\n  }\n\n  if (!supportsInline) {\n    return 'popup';\n  }\n\n  if (policyAllows === false) {\n    return 'popup';\n  }\n\n  return 'inline';\n}\n\nexport function maybePreopenPopup(action: PasskeyPromptAction, openPopupFn: () => Window): Window | null {\n  const cachedMode = getCachedPromptMode(action);\n  if (cachedMode !== 'popup') {\n    return null;\n  }\n\n  try {\n    return openPopupFn();\n  } catch {\n    return null;\n  }\n}\n\nexport function shouldFallbackToPopup(error: unknown): boolean {\n  if (!isInIframe()) {\n    return false;\n  }\n\n  const name =\n    error && typeof error === 'object' && 'name' in error ? String((error as { name?: unknown }).name) : '';\n  const message =\n    error && typeof error === 'object' && 'message' in error\n      ? String((error as { message?: unknown }).message)\n      : '';\n  const normalized = `${name} ${message}`.toLowerCase();\n\n  if (\n    normalized.includes('cancel') ||\n    normalized.includes('canceled') ||\n    normalized.includes('cancelled') ||\n    normalized.includes('user canceled') ||\n    normalized.includes('user cancelled') ||\n    normalized.includes('aborted')\n  ) {\n    return false;\n  }\n\n  if (normalized.includes('securityerror')) {\n    return true;\n  }\n\n  if (normalized.includes('notallowederror')) {\n    if (\n      normalized.includes('permission') ||\n      normalized.includes('policy') ||\n      normalized.includes('iframe') ||\n      normalized.includes('frame')\n    ) {\n      return true;\n    }\n  }\n\n  return false;\n}\n","import type {\n  PasskeySigningResult,\n  PasskeyStoredSigningResult,\n  PasskeyDiscoverableSigningResult,\n  PasskeyMetadata,\n  PasskeyPopupContext,\n  PasskeyPopupSigningResult,\n  PasskeyPopupStoredSigningResult,\n} from './types';\nimport {\n  arrayBufferToBase64Url,\n  base64UrlToArrayBuffer,\n  bytesToBase64Url,\n  base64UrlToBytes,\n  parseDerSignature,\n  normalizeLowS,\n} from '@thru/passkey-manager';\nimport {\n  isWebAuthnSupported,\n  getPasskeyPromptMode,\n  isInIframe,\n  maybePreopenPopup,\n  shouldFallbackToPopup,\n  type PasskeyPromptAction,\n} from './capabilities';\nimport { requestPasskeyPopup, openPasskeyPopupWindow, closePopup } from './popup';\n\n/**\n * Sign a challenge with an existing passkey (by credential ID).\n */\nexport async function signWithPasskey(\n  credentialId: string,\n  challenge: Uint8Array,\n  rpId: string\n): Promise<PasskeySigningResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  return runWithPromptMode(\n    'get',\n    () => signWithPasskeyInline(credentialId, challenge, rpId),\n    (preopenedPopup) => signWithPasskeyViaPopup(credentialId, challenge, rpId, preopenedPopup)\n  );\n}\n\n/**\n * Sign with stored passkey (for embedded/popup contexts).\n */\nexport async function signWithStoredPasskey(\n  challenge: Uint8Array,\n  rpId: string,\n  preferredPasskey: PasskeyMetadata | null,\n  allPasskeys: PasskeyMetadata[],\n  context?: PasskeyPopupContext\n): Promise<PasskeyStoredSigningResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  const preopenedPopup = maybePreopenPopup('get', openPasskeyPopupWindow);\n  const promptMode = await getPasskeyPromptMode('get');\n  const storedPasskey = preferredPasskey;\n  const canUsePopup = isInIframe();\n\n  if (promptMode === 'popup' || (canUsePopup && !storedPasskey)) {\n    return requestStoredPasskeyPopup(challenge, preopenedPopup, context);\n  }\n\n  closePopup(preopenedPopup);\n\n  try {\n    if (storedPasskey) {\n      const result = await signWithPasskeyInline(\n        storedPasskey.credentialId,\n        challenge,\n        storedPasskey.rpId\n      );\n      return {\n        ...result,\n        passkey: storedPasskey,\n      };\n    }\n\n    const discoverable = await signWithDiscoverablePasskey(challenge, rpId);\n    const matchingPasskey = allPasskeys.find(p => p.credentialId === discoverable.credentialId) ?? null;\n    const now = new Date().toISOString();\n    const passkey = matchingPasskey ?? {\n      credentialId: discoverable.credentialId,\n      publicKeyX: '',\n      publicKeyY: '',\n      rpId: discoverable.rpId,\n      createdAt: now,\n      lastUsedAt: now,\n    };\n\n    return {\n      signature: discoverable.signature,\n      authenticatorData: discoverable.authenticatorData,\n      clientDataJSON: discoverable.clientDataJSON,\n      signatureR: discoverable.signatureR,\n      signatureS: discoverable.signatureS,\n      passkey,\n    };\n  } catch (error) {\n    if (canUsePopup && shouldFallbackToPopup(error)) {\n      return requestStoredPasskeyPopup(challenge, undefined, context);\n    }\n\n    throw error;\n  }\n}\n\n/**\n * Sign with a discoverable passkey (no credential ID - browser prompts user to select).\n */\nexport async function signWithDiscoverablePasskey(\n  challenge: Uint8Array,\n  rpId: string\n): Promise<PasskeyDiscoverableSigningResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  const resolvedRpId = rpId;\n  const result = await signWithPasskeyAssertion(challenge, resolvedRpId);\n\n  return {\n    signature: result.signature,\n    authenticatorData: result.authenticatorData,\n    clientDataJSON: result.clientDataJSON,\n    signatureR: result.signatureR,\n    signatureS: result.signatureS,\n    credentialId: result.credentialId,\n    rpId: resolvedRpId,\n  };\n}\n\n// Internal helpers\n\nasync function runWithPromptMode<T>(\n  action: PasskeyPromptAction,\n  inlineFn: () => Promise<T>,\n  popupFn: (preopenedPopup?: Window | null) => Promise<T>\n): Promise<T> {\n  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);\n  const promptMode = await getPasskeyPromptMode(action);\n  if (promptMode === 'popup') {\n    return popupFn(preopenedPopup);\n  }\n\n  closePopup(preopenedPopup);\n\n  try {\n    return await inlineFn();\n  } catch (error) {\n    if (shouldFallbackToPopup(error)) {\n      return popupFn();\n    }\n    throw error;\n  }\n}\n\nasync function signWithPasskeyInline(\n  credentialId: string,\n  challenge: Uint8Array,\n  rpId: string\n): Promise<PasskeySigningResult> {\n  const result = await signWithPasskeyAssertion(challenge, rpId, credentialId);\n  return {\n    signature: result.signature,\n    authenticatorData: result.authenticatorData,\n    clientDataJSON: result.clientDataJSON,\n    signatureR: result.signatureR,\n    signatureS: result.signatureS,\n  };\n}\n\nasync function signWithPasskeyAssertion(\n  challenge: Uint8Array,\n  rpId: string,\n  credentialId?: string\n): Promise<PasskeySigningResult & { credentialId: string }> {\n  const challengeBytes = new Uint8Array(challenge);\n  const getOptions: PublicKeyCredentialRequestOptions = {\n    challenge: challengeBytes,\n    rpId,\n    userVerification: 'required',\n    timeout: 60000,\n  };\n\n  if (credentialId) {\n    const credentialIdBuffer = base64UrlToArrayBuffer(credentialId);\n    getOptions.allowCredentials = [\n      {\n        type: 'public-key',\n        id: credentialIdBuffer,\n        transports: ['internal', 'hybrid', 'usb', 'ble', 'nfc'],\n      },\n    ];\n  }\n\n  const assertion = (await navigator.credentials.get({\n    publicKey: getOptions,\n  })) as PublicKeyCredential | null;\n\n  if (!assertion) {\n    throw new Error('Passkey authentication was cancelled');\n  }\n\n  const response = assertion.response as AuthenticatorAssertionResponse;\n\n  const signature = new Uint8Array(response.signature);\n  let { r, s } = parseDerSignature(signature);\n  s = normalizeLowS(s);\n\n  return {\n    signature: new Uint8Array([...r, ...s]),\n    authenticatorData: new Uint8Array(response.authenticatorData),\n    clientDataJSON: new Uint8Array(response.clientDataJSON),\n    signatureR: r,\n    signatureS: s,\n    credentialId: arrayBufferToBase64Url(assertion.rawId),\n  };\n}\n\nasync function signWithPasskeyViaPopup(\n  credentialId: string,\n  challenge: Uint8Array,\n  rpId: string,\n  preopenedPopup?: Window | null\n): Promise<PasskeySigningResult> {\n  const result = await requestPasskeyPopup<PasskeyPopupSigningResult>(\n    'get',\n    {\n      credentialId,\n      challengeBase64Url: bytesToBase64Url(challenge),\n      rpId,\n    },\n    preopenedPopup\n  );\n\n  return decodePopupSigningResult(result);\n}\n\nasync function requestStoredPasskeyPopup(\n  challenge: Uint8Array,\n  preopenedPopup?: Window | null,\n  context?: PasskeyPopupContext\n): Promise<PasskeyStoredSigningResult> {\n  const result = await requestPasskeyPopup<PasskeyPopupStoredSigningResult>(\n    'getStored',\n    {\n      challengeBase64Url: bytesToBase64Url(challenge),\n      context,\n    },\n    preopenedPopup\n  );\n  return decodePopupStoredSigningResult(result);\n}\n\nfunction decodePopupSigningResult(result: PasskeyPopupSigningResult): PasskeySigningResult {\n  return {\n    signature: base64UrlToBytes(result.signatureBase64Url),\n    authenticatorData: base64UrlToBytes(result.authenticatorDataBase64Url),\n    clientDataJSON: base64UrlToBytes(result.clientDataJSONBase64Url),\n    signatureR: base64UrlToBytes(result.signatureRBase64Url),\n    signatureS: base64UrlToBytes(result.signatureSBase64Url),\n  };\n}\n\nfunction decodePopupStoredSigningResult(\n  result: PasskeyPopupStoredSigningResult\n): PasskeyStoredSigningResult {\n  return {\n    ...decodePopupSigningResult(result),\n    passkey: result.passkey,\n    accounts: result.accounts,\n  };\n}\n","export type {\n  PasskeyRegistrationResult,\n  PasskeySigningResult,\n  PasskeyDiscoverableSigningResult,\n  PasskeyStoredSigningResult,\n  PasskeyMetadata,\n  PasskeyClientCapabilities,\n  PasskeyPopupContext,\n  PasskeyPopupAccount,\n} from './types';\n\nexport { registerPasskey } from './register';\n\nexport {\n  signWithPasskey,\n  signWithStoredPasskey,\n  signWithDiscoverablePasskey,\n} from './sign';\n\nexport {\n  parseDerSignature,\n  normalizeLowS,\n  normalizeSignatureComponent,\n  P256_N,\n  P256_HALF_N,\n  bytesToBigIntBE,\n  bigIntToBytesBE,\n} from '@thru/passkey-manager';\n\nexport {\n  isWebAuthnSupported,\n  preloadPasskeyClientCapabilities,\n  getPasskeyClientCapabilities,\n  getCachedPasskeyClientCapabilities,\n  shouldUsePasskeyPopup,\n  isInIframe,\n  type PasskeyPromptAction,\n} from './capabilities';\n\nexport {\n  arrayBufferToBase64Url,\n  base64UrlToArrayBuffer,\n  bytesToBase64,\n  bytesToBase64Url,\n  base64UrlToBytes,\n  bytesToHex,\n  hexToBytes,\n  bytesEqual,\n  compareBytes,\n  uniqueAccounts,\n} from '@thru/passkey-manager';\n"],"mappings":";;;;;;;AACA,SAAS,wBAAwB,kBAAkB;;;ACCnD,IAAM,QAAQ,OAAO,YAAY,eAAe,QAAQ,KAAK,8BAA8B;AAE3F,IAAI;AACJ,IAAI,4BAA8E;AAE3E,SAAS,sBAA+B;AAC7C,QAAM,YACJ,OAAO,WAAW,eAClB,OAAO,OAAO,wBAAwB,eACtC,OAAO,UAAU,gBAAgB;AAEnC,MAAI,OAAO;AACT,YAAQ,IAAI,qCAAqC;AAAA,MAC/C,QAAQ,OAAO,WAAW;AAAA,MAC1B,qBACE,OAAO,WAAW,eAAe,OAAO,OAAO,wBAAwB;AAAA,MACzE,aACE,OAAO,WAAW,eAClB,OAAO,cAAc,eACrB,OAAO,UAAU,gBAAgB;AAAA,MACnC;AAAA,IACF,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,eAAe,iCAA4E;AACzF,MAAI,OAAO,WAAW,eAAe,OAAO,OAAO,wBAAwB,aAAa;AACtF,WAAO;AAAA,EACT;AAEA,QAAM,wBAAyB,OAAO,oBAEnC;AAEH,MAAI,OAAO,0BAA0B,YAAY;AAC/C,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,eAAe,MAAM,sBAAsB,KAAK,OAAO,mBAAmB;AAChF,QAAI,OAAO;AACT,cAAQ,IAAI,2CAA2C,YAAY;AAAA,IACrE;AACA,WAAO,gBAAgB;AAAA,EACzB,SAAS,OAAO;AACd,QAAI,OAAO;AACT,cAAQ,KAAK,iDAAiD,KAAK;AAAA,IACrE;AACA,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mCAAyC;AACvD,MAAI,6BAA6B,UAAa,2BAA2B;AACvE;AAAA,EACF;AAEA,8BAA4B,+BAA+B,EAAE,KAAK,CAAC,iBAAiB;AAClF,+BAA2B;AAC3B,WAAO;AAAA,EACT,CAAC;AACH;AAEA,eAAsB,+BAA0E;AAC9F,MAAI,6BAA6B,QAAW;AAC1C,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,2BAA2B;AAC9B,qCAAiC;AAAA,EACnC;AAEA,MAAI,CAAC,2BAA2B;AAC9B,+BAA2B;AAC3B,WAAO;AAAA,EACT;AAEA,QAAM,eAAe,MAAM;AAC3B,6BAA2B;AAC3B,SAAO;AACT;AAEO,SAAS,qCAAmF;AACjG,SAAO;AACT;AAEO,SAAS,aAAsB;AACpC,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO;AAAA,EACT;AACA,MAAI;AACF,WAAO,OAAO,SAAS,OAAO;AAAA,EAChC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAIA,eAAsB,sBAAsB,QAA+C;AACzF,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AACA,QAAM,OAAO,MAAM,qBAAqB,MAAM;AAC9C,SAAO,SAAS;AAClB;AAIA,SAAS,kCAAkC,SAAiC;AAC1E,MAAI,OAAO,aAAa,aAAa;AACnC,WAAO;AAAA,EACT;AAEA,QAAM,SAAU,SACb;AACH,QAAM,gBAAiB,SACpB;AACH,QAAM,gBAAgB,QAAQ,iBAAiB,eAAe;AAE9D,MAAI,OAAO,kBAAkB,YAAY;AACvC,WAAO;AAAA,EACT;AAEA,MAAI;AACF,WAAO,cAAc,OAAO;AAAA,EAC9B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,oBAAoB,QAA4D;AACvF,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,MAAI,6BAA6B,UAAa,CAAC,2BAA2B;AACxE,qCAAiC;AAAA,EACnC;AAEA,QAAM,UACJ,WAAW,WAAW,iCAAiC;AACzD,QAAM,eAAe,kCAAkC,OAAO;AAC9D,QAAM,eAAe,mCAAmC;AACxD,QAAM,iBACJ,cAAc,iCAAiC,QAC/C,cAAc,uCAAuC;AAEvD,MAAI,iBAAiB,OAAO;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,QAAW;AAC9B,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,gBAAgB;AACnB,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEA,eAAsB,qBAAqB,QAAyD;AAClG,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,UACJ,WAAW,WAAW,iCAAiC;AACzD,QAAM,eAAe,kCAAkC,OAAO;AAC9D,QAAM,eAAe,MAAM,6BAA6B;AACxD,QAAM,iBACJ,cAAc,iCAAiC,QAC/C,cAAc,uCAAuC;AAEvD,MAAI,OAAO;AACT,YAAQ,IAAI,gCAAgC;AAAA,MAC1C;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,gBAAgB;AACnB,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,OAAO;AAC1B,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEO,SAAS,kBAAkB,QAA6B,aAA0C;AACvG,QAAM,aAAa,oBAAoB,MAAM;AAC7C,MAAI,eAAe,SAAS;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI;AACF,WAAO,YAAY;AAAA,EACrB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,sBAAsB,OAAyB;AAC7D,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,OACJ,SAAS,OAAO,UAAU,YAAY,UAAU,QAAQ,OAAQ,MAA6B,IAAI,IAAI;AACvG,QAAM,UACJ,SAAS,OAAO,UAAU,YAAY,aAAa,QAC/C,OAAQ,MAAgC,OAAO,IAC/C;AACN,QAAM,aAAa,GAAG,IAAI,IAAI,OAAO,GAAG,YAAY;AAEpD,MACE,WAAW,SAAS,QAAQ,KAC5B,WAAW,SAAS,UAAU,KAC9B,WAAW,SAAS,WAAW,KAC/B,WAAW,SAAS,eAAe,KACnC,WAAW,SAAS,gBAAgB,KACpC,WAAW,SAAS,SAAS,GAC7B;AACA,WAAO;AAAA,EACT;AAEA,MAAI,WAAW,SAAS,eAAe,GAAG;AACxC,WAAO;AAAA,EACT;AAEA,MAAI,WAAW,SAAS,iBAAiB,GAAG;AAC1C,QACE,WAAW,SAAS,YAAY,KAChC,WAAW,SAAS,QAAQ,KAC5B,WAAW,SAAS,QAAQ,KAC5B,WAAW,SAAS,OAAO,GAC3B;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;AD/OA,eAAsB,gBACpB,OACA,QACA,MACoC;AACpC,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,SAAO;AAAA,IACL;AAAA,IACA,MAAM,sBAAsB,OAAO,QAAQ,IAAI;AAAA,IAC/C,CAAC,mBAAmB,wBAAwB,OAAO,QAAQ,MAAM,cAAc;AAAA,EACjF;AACF;AAEA,eAAe,kBACb,QACA,UACA,SACY;AACZ,QAAM,iBAAiB,kBAAkB,QAAQ,sBAAsB;AACvE,QAAM,aAAa,MAAM,qBAAqB,MAAM;AACpD,MAAI,eAAe,SAAS;AAC1B,WAAO,QAAQ,cAAc;AAAA,EAC/B;AAEA,aAAW,cAAc;AAEzB,MAAI;AACF,WAAO,MAAM,SAAS;AAAA,EACxB,SAAS,OAAO;AACd,QAAI,sBAAsB,KAAK,GAAG;AAChC,aAAO,QAAQ;AAAA,IACjB;AACA,UAAM;AAAA,EACR;AACF;AAEA,eAAe,sBACb,OACA,QACA,MACoC;AACpC,QAAM,SAAS;AAEf,QAAM,cAAc,IAAI,YAAY,EAAE,OAAO,MAAM;AACnD,QAAM,eAAe,YAAY,MAAM,GAAG,EAAE;AAE5C,QAAM,YAAY,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAE3D,QAAM,gBAAoD;AAAA,IACxD;AAAA,IACA,IAAI;AAAA,MACF,IAAI;AAAA,MACJ,MAAM;AAAA,IACR;AAAA,IACA,MAAM;AAAA,MACJ,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,IACA,kBAAkB;AAAA,MAChB,EAAE,MAAM,cAAc,KAAK,GAAG;AAAA,IAChC;AAAA,IACA,wBAAwB;AAAA,MACtB,yBAAyB;AAAA,MACzB,kBAAkB;AAAA,MAClB,aAAa;AAAA,MACb,oBAAoB;AAAA,IACtB;AAAA,IACA,aAAa;AAAA,IACb,SAAS;AAAA,EACX;AAEA,QAAM,aAAc,MAAM,UAAU,YAAY,OAAO;AAAA,IACrD,WAAW;AAAA,EACb,CAAC;AAED,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,QAAM,WAAW,WAAW;AAC5B,QAAM,EAAE,GAAG,EAAE,IAAI,qBAAqB,QAAQ;AAE9C,SAAO;AAAA,IACL,cAAc,uBAAuB,WAAW,KAAK;AAAA,IACrD,YAAY,WAAW,CAAC;AAAA,IACxB,YAAY,WAAW,CAAC;AAAA,IACxB;AAAA,EACF;AACF;AAEA,eAAe,wBACb,OACA,QACA,MACA,gBACoC;AACpC,QAAM,SAAS,MAAM;AAAA,IACnB;AAAA,IACA,EAAE,OAAO,QAAQ,KAAK;AAAA,IACtB;AAAA,EACF;AACA,SAAO;AACT;AAIA,SAAS,qBACP,UACkC;AAClC,MAAI,OAAO,SAAS,iBAAiB,YAAY;AAC/C,UAAM,UAAU,SAAS,aAAa;AACtC,QAAI,SAAS;AACX,aAAO,gBAAgB,IAAI,WAAW,OAAO,CAAC;AAAA,IAChD;AAAA,EACF;AAEA,MAAI,OAAO,SAAS,yBAAyB,YAAY;AACvD,UAAM,WAAW,IAAI,WAAW,SAAS,qBAAqB,CAAC;AAC/D,WAAO,6BAA6B,QAAQ;AAAA,EAC9C;AAEA,QAAM,IAAI,MAAM,kFAAkF;AACpG;AAEA,SAAS,gBAAgB,MAAoD;AAC3E,QAAM,aAAa,KAAK,SAAS;AAEjC,MAAI,KAAK,UAAU,MAAM,GAAM;AAC7B,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE;AAEA,QAAM,IAAI,KAAK,MAAM,aAAa,GAAG,aAAa,EAAE;AACpD,QAAM,IAAI,KAAK,MAAM,aAAa,IAAI,aAAa,EAAE;AAErD,MAAI,EAAE,WAAW,MAAM,EAAE,WAAW,IAAI;AACtC,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE;AAEA,SAAO,EAAE,GAAG,EAAE;AAChB;AAEA,SAAS,6BAA6B,UAAwD;AAC5F,QAAM,iBAAiB;AACvB,QAAM,cAAc;AACpB,QAAM,gBAAgB;AACtB,QAAM,SAAS,iBAAiB,cAAc;AAC9C,QAAM,eAAe;AACrB,QAAM,kBAAkB,SAAS;AACjC,QAAM,eAAgB,SAAS,eAAe,KAAK,IAAK,SAAS,kBAAkB,CAAC;AACpF,QAAM,gBAAgB,kBAAkB,IAAI;AAC5C,QAAM,UAAU,SAAS,MAAM,aAAa;AAE5C,SAAO,mBAAmB,OAAO;AACnC;AAEA,SAAS,mBAAmB,SAAuD;AACjF,QAAM,WAAW,QAAQ,CAAC;AAC1B,MAAI,aAAa,OAAQ,aAAa,KAAM;AAC1C,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI,SAAS;AACb,MAAI,IAAuB;AAC3B,MAAI,IAAuB;AAE3B,SAAO,SAAS,QAAQ,QAAQ;AAC9B,UAAM,MAAM,QAAQ,QAAQ;AAC5B,UAAM,YAAY,QAAQ,QAAQ;AAElC,QAAI,QAAQ,IAAM;AAChB,YAAM,SAAS,YAAY;AAC3B,UAAI,QAAQ,MAAM,QAAQ,SAAS,MAAM;AACzC,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,QAAQ,IAAM;AAChB,YAAM,SAAS,YAAY;AAC3B,UAAI,QAAQ,MAAM,QAAQ,SAAS,MAAM;AACzC,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,aAAa,MAAQ,aAAa,IAAM;AAC1C,YAAM,SAAS,YAAY;AAC3B,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,cAAc,KAAQ,cAAc,KAAQ,cAAc,GAAM;AAClE;AAAA,IACF;AAEA,QAAI,aAAa,MAAQ,aAAa,IAAM;AAC1C,YAAM,OAAO,KAAM,YAAY;AAC/B,gBAAU;AACV;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,KAAK,CAAC,GAAG;AACZ,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACrE;AAEA,MAAI,EAAE,WAAW,MAAM,EAAE,WAAW,IAAI;AACtC,UAAM,IAAI,MAAM,+CAA+C;AAAA,EACjE;AAEA,SAAO,EAAE,GAAG,EAAE;AAChB;;;AE1NA;AAAA,EACE,0BAAAA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAcP,eAAsB,gBACpB,cACA,WACA,MAC+B;AAC/B,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,SAAOC;AAAA,IACL;AAAA,IACA,MAAM,sBAAsB,cAAc,WAAW,IAAI;AAAA,IACzD,CAAC,mBAAmB,wBAAwB,cAAc,WAAW,MAAM,cAAc;AAAA,EAC3F;AACF;AAKA,eAAsB,sBACpB,WACA,MACA,kBACA,aACA,SACqC;AACrC,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,QAAM,iBAAiB,kBAAkB,OAAO,sBAAsB;AACtE,QAAM,aAAa,MAAM,qBAAqB,KAAK;AACnD,QAAM,gBAAgB;AACtB,QAAM,cAAc,WAAW;AAE/B,MAAI,eAAe,WAAY,eAAe,CAAC,eAAgB;AAC7D,WAAO,0BAA0B,WAAW,gBAAgB,OAAO;AAAA,EACrE;AAEA,aAAW,cAAc;AAEzB,MAAI;AACF,QAAI,eAAe;AACjB,YAAM,SAAS,MAAM;AAAA,QACnB,cAAc;AAAA,QACd;AAAA,QACA,cAAc;AAAA,MAChB;AACA,aAAO;AAAA,QACL,GAAG;AAAA,QACH,SAAS;AAAA,MACX;AAAA,IACF;AAEA,UAAM,eAAe,MAAM,4BAA4B,WAAW,IAAI;AACtE,UAAM,kBAAkB,YAAY,KAAK,OAAK,EAAE,iBAAiB,aAAa,YAAY,KAAK;AAC/F,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,UAAM,UAAU,mBAAmB;AAAA,MACjC,cAAc,aAAa;AAAA,MAC3B,YAAY;AAAA,MACZ,YAAY;AAAA,MACZ,MAAM,aAAa;AAAA,MACnB,WAAW;AAAA,MACX,YAAY;AAAA,IACd;AAEA,WAAO;AAAA,MACL,WAAW,aAAa;AAAA,MACxB,mBAAmB,aAAa;AAAA,MAChC,gBAAgB,aAAa;AAAA,MAC7B,YAAY,aAAa;AAAA,MACzB,YAAY,aAAa;AAAA,MACzB;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,QAAI,eAAe,sBAAsB,KAAK,GAAG;AAC/C,aAAO,0BAA0B,WAAW,QAAW,OAAO;AAAA,IAChE;AAEA,UAAM;AAAA,EACR;AACF;AAKA,eAAsB,4BACpB,WACA,MAC2C;AAC3C,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,QAAM,eAAe;AACrB,QAAM,SAAS,MAAM,yBAAyB,WAAW,YAAY;AAErE,SAAO;AAAA,IACL,WAAW,OAAO;AAAA,IAClB,mBAAmB,OAAO;AAAA,IAC1B,gBAAgB,OAAO;AAAA,IACvB,YAAY,OAAO;AAAA,IACnB,YAAY,OAAO;AAAA,IACnB,cAAc,OAAO;AAAA,IACrB,MAAM;AAAA,EACR;AACF;AAIA,eAAeA,mBACb,QACA,UACA,SACY;AACZ,QAAM,iBAAiB,kBAAkB,QAAQ,sBAAsB;AACvE,QAAM,aAAa,MAAM,qBAAqB,MAAM;AACpD,MAAI,eAAe,SAAS;AAC1B,WAAO,QAAQ,cAAc;AAAA,EAC/B;AAEA,aAAW,cAAc;AAEzB,MAAI;AACF,WAAO,MAAM,SAAS;AAAA,EACxB,SAAS,OAAO;AACd,QAAI,sBAAsB,KAAK,GAAG;AAChC,aAAO,QAAQ;AAAA,IACjB;AACA,UAAM;AAAA,EACR;AACF;AAEA,eAAe,sBACb,cACA,WACA,MAC+B;AAC/B,QAAM,SAAS,MAAM,yBAAyB,WAAW,MAAM,YAAY;AAC3E,SAAO;AAAA,IACL,WAAW,OAAO;AAAA,IAClB,mBAAmB,OAAO;AAAA,IAC1B,gBAAgB,OAAO;AAAA,IACvB,YAAY,OAAO;AAAA,IACnB,YAAY,OAAO;AAAA,EACrB;AACF;AAEA,eAAe,yBACb,WACA,MACA,cAC0D;AAC1D,QAAM,iBAAiB,IAAI,WAAW,SAAS;AAC/C,QAAM,aAAgD;AAAA,IACpD,WAAW;AAAA,IACX;AAAA,IACA,kBAAkB;AAAA,IAClB,SAAS;AAAA,EACX;AAEA,MAAI,cAAc;AAChB,UAAM,qBAAqB,uBAAuB,YAAY;AAC9D,eAAW,mBAAmB;AAAA,MAC5B;AAAA,QACE,MAAM;AAAA,QACN,IAAI;AAAA,QACJ,YAAY,CAAC,YAAY,UAAU,OAAO,OAAO,KAAK;AAAA,MACxD;AAAA,IACF;AAAA,EACF;AAEA,QAAM,YAAa,MAAM,UAAU,YAAY,IAAI;AAAA,IACjD,WAAW;AAAA,EACb,CAAC;AAED,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,MAAM,sCAAsC;AAAA,EACxD;AAEA,QAAM,WAAW,UAAU;AAE3B,QAAM,YAAY,IAAI,WAAW,SAAS,SAAS;AACnD,MAAI,EAAE,GAAG,EAAE,IAAI,kBAAkB,SAAS;AAC1C,MAAI,cAAc,CAAC;AAEnB,SAAO;AAAA,IACL,WAAW,IAAI,WAAW,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;AAAA,IACtC,mBAAmB,IAAI,WAAW,SAAS,iBAAiB;AAAA,IAC5D,gBAAgB,IAAI,WAAW,SAAS,cAAc;AAAA,IACtD,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,cAAcC,wBAAuB,UAAU,KAAK;AAAA,EACtD;AACF;AAEA,eAAe,wBACb,cACA,WACA,MACA,gBAC+B;AAC/B,QAAM,SAAS,MAAM;AAAA,IACnB;AAAA,IACA;AAAA,MACE;AAAA,MACA,oBAAoB,iBAAiB,SAAS;AAAA,MAC9C;AAAA,IACF;AAAA,IACA;AAAA,EACF;AAEA,SAAO,yBAAyB,MAAM;AACxC;AAEA,eAAe,0BACb,WACA,gBACA,SACqC;AACrC,QAAM,SAAS,MAAM;AAAA,IACnB;AAAA,IACA;AAAA,MACE,oBAAoB,iBAAiB,SAAS;AAAA,MAC9C;AAAA,IACF;AAAA,IACA;AAAA,EACF;AACA,SAAO,+BAA+B,MAAM;AAC9C;AAEA,SAAS,yBAAyB,QAAyD;AACzF,SAAO;AAAA,IACL,WAAW,iBAAiB,OAAO,kBAAkB;AAAA,IACrD,mBAAmB,iBAAiB,OAAO,0BAA0B;AAAA,IACrE,gBAAgB,iBAAiB,OAAO,uBAAuB;AAAA,IAC/D,YAAY,iBAAiB,OAAO,mBAAmB;AAAA,IACvD,YAAY,iBAAiB,OAAO,mBAAmB;AAAA,EACzD;AACF;AAEA,SAAS,+BACP,QAC4B;AAC5B,SAAO;AAAA,IACL,GAAG,yBAAyB,MAAM;AAAA,IAClC,SAAS,OAAO;AAAA,IAChB,UAAU,OAAO;AAAA,EACnB;AACF;;;ACpQA;AAAA,EACE,qBAAAC;AAAA,EACA,iBAAAC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAYP;AAAA,EACE,0BAAAC;AAAA,EACA,0BAAAC;AAAA,EACA;AAAA,EACA,oBAAAC;AAAA,EACA,oBAAAC;AAAA,EACA,cAAAC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;","names":["arrayBufferToBase64Url","runWithPromptMode","arrayBufferToBase64Url","parseDerSignature","normalizeLowS","arrayBufferToBase64Url","base64UrlToArrayBuffer","bytesToBase64Url","base64UrlToBytes","bytesToHex"]}