@thru/passkey 0.2.13 → 0.2.14

package/dist/web.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/web.ts","../src/register.ts","../src/capabilities.ts","../src/popup.ts","../src/sign.ts"],"sourcesContent":["export type {\n  PasskeyRegistrationResult,\n  PasskeySigningResult,\n  PasskeyDiscoverableSigningResult,\n  PasskeyStoredSigningResult,\n  PasskeyMetadata,\n  PasskeyClientCapabilities,\n  PasskeyPopupContext,\n  PasskeyPopupAccount,\n} from './types';\n\nexport { registerPasskey } from './register';\n\nexport {\n  signWithPasskey,\n  signWithStoredPasskey,\n  signWithDiscoverablePasskey,\n} from './sign';\n\nexport {\n  parseDerSignature,\n  normalizeLowS,\n  normalizeSignatureComponent,\n  P256_N,\n  P256_HALF_N,\n  bytesToBigIntBE,\n  bigIntToBytesBE,\n} from '@thru/passkey-manager';\n\nexport {\n  isWebAuthnSupported,\n  preloadPasskeyClientCapabilities,\n  getPasskeyClientCapabilities,\n  getCachedPasskeyClientCapabilities,\n  shouldUsePasskeyPopup,\n  isInIframe,\n  type PasskeyPromptAction,\n} from './capabilities';\n\nexport {\n  arrayBufferToBase64Url,\n  base64UrlToArrayBuffer,\n  bytesToBase64,\n  bytesToBase64Url,\n  base64UrlToBytes,\n  bytesToHex,\n  hexToBytes,\n  bytesEqual,\n  compareBytes,\n  uniqueAccounts,\n} from '@thru/passkey-manager';\n","import type { PasskeyRegistrationResult, PasskeyPopupRegistrationResult } from './types';\nimport { arrayBufferToBase64Url, bytesToHex } from '@thru/passkey-manager';\nimport {\n  isWebAuthnSupported,\n  getPasskeyPromptMode,\n  maybePreopenPopup,\n  shouldFallbackToPopup,\n  type PasskeyPromptAction,\n} from './capabilities';\nimport { requestPasskeyPopup, openPasskeyPopupWindow, closePopup } from './popup';\n\n/**\n * Register a new passkey for a profile.\n */\nexport async function registerPasskey(\n  alias: string,\n  userId: string,\n  rpId: string\n): Promise<PasskeyRegistrationResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  return runWithPromptMode(\n    'create',\n    () => registerPasskeyInline(alias, userId, rpId),\n    (preopenedPopup) => registerPasskeyViaPopup(alias, userId, rpId, preopenedPopup)\n  );\n}\n\nasync function runWithPromptMode<T>(\n  action: PasskeyPromptAction,\n  inlineFn: () => Promise<T>,\n  popupFn: (preopenedPopup?: Window | null) => Promise<T>\n): Promise<T> {\n  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);\n  const promptMode = await getPasskeyPromptMode(action);\n  if (promptMode === 'popup') {\n    return popupFn(preopenedPopup);\n  }\n\n  closePopup(preopenedPopup);\n\n  try {\n    return await inlineFn();\n  } catch (error) {\n    if (shouldFallbackToPopup(error)) {\n      return popupFn();\n    }\n    throw error;\n  }\n}\n\nasync function registerPasskeyInline(\n  alias: string,\n  userId: string,\n  rpId: string\n): Promise<PasskeyRegistrationResult> {\n  const rpName = 'Thru Wallet';\n\n  const userIdBytes = new TextEncoder().encode(userId);\n  const userIdBuffer = userIdBytes.slice(0, 64);\n\n  const challenge = crypto.getRandomValues(new Uint8Array(32));\n\n  const createOptions: PublicKeyCredentialCreationOptions = {\n    challenge,\n    rp: {\n      id: rpId,\n      name: rpName,\n    },\n    user: {\n      id: userIdBuffer,\n      name: alias,\n      displayName: alias,\n    },\n    pubKeyCredParams: [\n      { type: 'public-key', alg: -7 },\n    ],\n    authenticatorSelection: {\n      authenticatorAttachment: 'platform',\n      userVerification: 'required',\n      residentKey: 'required',\n      requireResidentKey: true,\n    },\n    attestation: 'none',\n    timeout: 60000,\n  };\n\n  const credential = (await navigator.credentials.create({\n    publicKey: createOptions,\n  })) as PublicKeyCredential | null;\n\n  if (!credential) {\n    throw new Error('Passkey registration was cancelled');\n  }\n\n  const response = credential.response as AuthenticatorAttestationResponse;\n  const { x, y } = extractP256PublicKey(response);\n\n  return {\n    credentialId: arrayBufferToBase64Url(credential.rawId),\n    publicKeyX: bytesToHex(x),\n    publicKeyY: bytesToHex(y),\n    rpId,\n  };\n}\n\nasync function registerPasskeyViaPopup(\n  alias: string,\n  userId: string,\n  rpId: string,\n  preopenedPopup?: Window | null\n): Promise<PasskeyRegistrationResult> {\n  const result = await requestPasskeyPopup<PasskeyPopupRegistrationResult>(\n    'create',\n    { alias, userId, rpId },\n    preopenedPopup\n  );\n  return result;\n}\n\n// Key extraction helpers\n\nfunction extractP256PublicKey(\n  response: AuthenticatorAttestationResponse\n): { x: Uint8Array; y: Uint8Array } {\n  if (typeof response.getPublicKey === 'function') {\n    const spkiKey = response.getPublicKey();\n    if (spkiKey) {\n      return extractFromSpki(new Uint8Array(spkiKey));\n    }\n  }\n\n  if (typeof response.getAuthenticatorData === 'function') {\n    const authData = new Uint8Array(response.getAuthenticatorData());\n    return extractFromAuthenticatorData(authData);\n  }\n\n  throw new Error('Unable to extract public key: browser does not support required WebAuthn methods');\n}\n\nfunction extractFromSpki(spki: Uint8Array): { x: Uint8Array; y: Uint8Array } {\n  const pointStart = spki.length - 65;\n\n  if (spki[pointStart] !== 0x04) {\n    throw new Error('Invalid SPKI format: expected uncompressed point');\n  }\n\n  const x = spki.slice(pointStart + 1, pointStart + 33);\n  const y = spki.slice(pointStart + 33, pointStart + 65);\n\n  if (x.length !== 32 || y.length !== 32) {\n    throw new Error('Invalid SPKI format: incorrect coordinate length');\n  }\n\n  return { x, y };\n}\n\nfunction extractFromAuthenticatorData(authData: Uint8Array): { x: Uint8Array; y: Uint8Array } {\n  const rpIdHashLength = 32;\n  const flagsLength = 1;\n  const counterLength = 4;\n  const offset = rpIdHashLength + flagsLength + counterLength;\n  const aaguidLength = 16;\n  const credIdLenOffset = offset + aaguidLength;\n  const credIdLength = (authData[credIdLenOffset] << 8) | authData[credIdLenOffset + 1];\n  const coseKeyOffset = credIdLenOffset + 2 + credIdLength;\n  const coseKey = authData.slice(coseKeyOffset);\n\n  return extractFromCoseKey(coseKey);\n}\n\nfunction extractFromCoseKey(coseKey: Uint8Array): { x: Uint8Array; y: Uint8Array } {\n  const mapStart = coseKey[0];\n  if (mapStart !== 0xa5 && mapStart !== 0xa4) {\n    throw new Error('Invalid COSE key format');\n  }\n\n  let offset = 1;\n  let x: Uint8Array | null = null;\n  let y: Uint8Array | null = null;\n\n  while (offset < coseKey.length) {\n    const key = coseKey[offset++];\n    const valueType = coseKey[offset++];\n\n    if (key === 0x21) {\n      const length = valueType & 0x1f;\n      x = coseKey.slice(offset, offset + length);\n      offset += length;\n      continue;\n    }\n\n    if (key === 0x22) {\n      const length = valueType & 0x1f;\n      y = coseKey.slice(offset, offset + length);\n      offset += length;\n      continue;\n    }\n\n    if (valueType >= 0x40 && valueType <= 0x5f) {\n      const length = valueType & 0x1f;\n      offset += length;\n      continue;\n    }\n\n    if (valueType === 0x01 || valueType === 0x02 || valueType === 0x03) {\n      continue;\n    }\n\n    if (valueType >= 0x18 && valueType <= 0x1b) {\n      const size = 1 << (valueType - 0x18);\n      offset += size;\n      continue;\n    }\n  }\n\n  if (!x || !y) {\n    throw new Error('Failed to extract P-256 public key from COSE data');\n  }\n\n  if (x.length !== 32 || y.length !== 32) {\n    throw new Error('Invalid COSE key: incorrect coordinate length');\n  }\n\n  return { x, y };\n}\n","import type { PasskeyClientCapabilities } from './types';\n\nconst DEBUG = typeof process !== 'undefined' && process.env?.NEXT_PUBLIC_PASSKEY_DEBUG === '1';\n\nlet cachedClientCapabilities: PasskeyClientCapabilities | null | undefined;\nlet clientCapabilitiesPromise: Promise<PasskeyClientCapabilities | null> | null = null;\n\nexport function isWebAuthnSupported(): boolean {\n  const supported =\n    typeof window !== 'undefined' &&\n    typeof window.PublicKeyCredential !== 'undefined' &&\n    typeof navigator.credentials !== 'undefined';\n\n  if (DEBUG) {\n    console.log('[Passkey] WebAuthn support check:', {\n      window: typeof window !== 'undefined',\n      PublicKeyCredential:\n        typeof window !== 'undefined' && typeof window.PublicKeyCredential !== 'undefined',\n      credentials:\n        typeof window !== 'undefined' &&\n        typeof navigator !== 'undefined' &&\n        typeof navigator.credentials !== 'undefined',\n      supported,\n    });\n  }\n\n  return supported;\n}\n\nasync function fetchPasskeyClientCapabilities(): Promise<PasskeyClientCapabilities | null> {\n  if (typeof window === 'undefined' || typeof window.PublicKeyCredential === 'undefined') {\n    return null;\n  }\n\n  const getClientCapabilities = (window.PublicKeyCredential as {\n    getClientCapabilities?: () => Promise<PasskeyClientCapabilities>;\n  }).getClientCapabilities;\n\n  if (typeof getClientCapabilities !== 'function') {\n    return null;\n  }\n\n  try {\n    const capabilities = await getClientCapabilities.call(window.PublicKeyCredential);\n    if (DEBUG) {\n      console.log('[Passkey] WebAuthn client capabilities:', capabilities);\n    }\n    return capabilities ?? null;\n  } catch (error) {\n    if (DEBUG) {\n      console.warn('[Passkey] Failed to read client capabilities:', error);\n    }\n    return null;\n  }\n}\n\nexport function preloadPasskeyClientCapabilities(): void {\n  if (cachedClientCapabilities !== undefined || clientCapabilitiesPromise) {\n    return;\n  }\n\n  clientCapabilitiesPromise = fetchPasskeyClientCapabilities().then((capabilities) => {\n    cachedClientCapabilities = capabilities;\n    return capabilities;\n  });\n}\n\nexport async function getPasskeyClientCapabilities(): Promise<PasskeyClientCapabilities | null> {\n  if (cachedClientCapabilities !== undefined) {\n    return cachedClientCapabilities;\n  }\n\n  if (!clientCapabilitiesPromise) {\n    preloadPasskeyClientCapabilities();\n  }\n\n  if (!clientCapabilitiesPromise) {\n    cachedClientCapabilities = null;\n    return null;\n  }\n\n  const capabilities = await clientCapabilitiesPromise;\n  cachedClientCapabilities = capabilities;\n  return capabilities;\n}\n\nexport function getCachedPasskeyClientCapabilities(): PasskeyClientCapabilities | null | undefined {\n  return cachedClientCapabilities;\n}\n\nexport function isInIframe(): boolean {\n  if (typeof window === 'undefined') {\n    return false;\n  }\n  try {\n    return window.self !== window.top;\n  } catch {\n    return true;\n  }\n}\n\nexport type PasskeyPromptAction = 'get' | 'create';\n\nexport async function shouldUsePasskeyPopup(action: PasskeyPromptAction): Promise<boolean> {\n  if (!isInIframe()) {\n    return false;\n  }\n  const mode = await getPasskeyPromptMode(action);\n  return mode === 'popup';\n}\n\ntype PasskeyPromptMode = 'inline' | 'popup';\n\nfunction getPermissionsPolicyAllowsFeature(feature: string): boolean | null {\n  if (typeof document === 'undefined') {\n    return null;\n  }\n\n  const policy = (document as { permissionsPolicy?: { allowsFeature?: (name: string) => boolean } })\n    .permissionsPolicy;\n  const featurePolicy = (document as { featurePolicy?: { allowsFeature?: (name: string) => boolean } })\n    .featurePolicy;\n  const allowsFeature = policy?.allowsFeature || featurePolicy?.allowsFeature;\n\n  if (typeof allowsFeature !== 'function') {\n    return null;\n  }\n\n  try {\n    return allowsFeature(feature);\n  } catch {\n    return null;\n  }\n}\n\nfunction getCachedPromptMode(action: PasskeyPromptAction): PasskeyPromptMode | 'unknown' {\n  if (!isInIframe()) {\n    return 'inline';\n  }\n\n  if (cachedClientCapabilities === undefined && !clientCapabilitiesPromise) {\n    preloadPasskeyClientCapabilities();\n  }\n\n  const feature =\n    action === 'create' ? 'publickey-credentials-create' : 'publickey-credentials-get';\n  const policyAllows = getPermissionsPolicyAllowsFeature(feature);\n  const capabilities = getCachedPasskeyClientCapabilities();\n  const supportsInline =\n    capabilities?.passkeyPlatformAuthenticator === true ||\n    capabilities?.userVerifyingPlatformAuthenticator === true;\n\n  if (policyAllows === false) {\n    return 'popup';\n  }\n\n  if (capabilities === undefined) {\n    return 'unknown';\n  }\n\n  if (!supportsInline) {\n    return 'popup';\n  }\n\n  return 'inline';\n}\n\nexport async function getPasskeyPromptMode(action: PasskeyPromptAction): Promise<PasskeyPromptMode> {\n  if (!isInIframe()) {\n    return 'inline';\n  }\n\n  const feature =\n    action === 'create' ? 'publickey-credentials-create' : 'publickey-credentials-get';\n  const policyAllows = getPermissionsPolicyAllowsFeature(feature);\n  const capabilities = await getPasskeyClientCapabilities();\n  const supportsInline =\n    capabilities?.passkeyPlatformAuthenticator === true ||\n    capabilities?.userVerifyingPlatformAuthenticator === true;\n\n  if (DEBUG) {\n    console.log('[Passkey] Prompt mode check:', {\n      action,\n      policyAllows,\n      supportsInline,\n      capabilities,\n    });\n  }\n\n  if (!supportsInline) {\n    return 'popup';\n  }\n\n  if (policyAllows === false) {\n    return 'popup';\n  }\n\n  return 'inline';\n}\n\nexport function maybePreopenPopup(action: PasskeyPromptAction, openPopupFn: () => Window): Window | null {\n  const cachedMode = getCachedPromptMode(action);\n  if (cachedMode !== 'popup') {\n    return null;\n  }\n\n  try {\n    return openPopupFn();\n  } catch {\n    return null;\n  }\n}\n\nexport function shouldFallbackToPopup(error: unknown): boolean {\n  if (!isInIframe()) {\n    return false;\n  }\n\n  const name =\n    error && typeof error === 'object' && 'name' in error ? String((error as { name?: unknown }).name) : '';\n  const message =\n    error && typeof error === 'object' && 'message' in error\n      ? String((error as { message?: unknown }).message)\n      : '';\n  const normalized = `${name} ${message}`.toLowerCase();\n\n  if (\n    normalized.includes('cancel') ||\n    normalized.includes('canceled') ||\n    normalized.includes('cancelled') ||\n    normalized.includes('user canceled') ||\n    normalized.includes('user cancelled') ||\n    normalized.includes('aborted')\n  ) {\n    return false;\n  }\n\n  if (normalized.includes('securityerror')) {\n    return true;\n  }\n\n  if (normalized.includes('notallowederror')) {\n    if (\n      normalized.includes('permission') ||\n      normalized.includes('policy') ||\n      normalized.includes('iframe') ||\n      normalized.includes('frame')\n    ) {\n      return true;\n    }\n  }\n\n  return false;\n}\n","import type {\n  PasskeyPopupAction,\n  PasskeyPopupRequestPayload,\n  PasskeyPopupRequest,\n  PasskeyPopupResponse,\n} from './types';\n\nexport const PASSKEY_POPUP_PATH = '/passkey/popup';\nexport const PASSKEY_POPUP_READY_EVENT = 'thru:passkey-popup-ready';\nexport const PASSKEY_POPUP_REQUEST_EVENT = 'thru:passkey-popup-request';\nexport const PASSKEY_POPUP_RESPONSE_EVENT = 'thru:passkey-popup-response';\nexport const PASSKEY_POPUP_CHANNEL = 'thru:passkey-popup-channel';\n\nconst PASSKEY_POPUP_TIMEOUT_MS = 60000;\n\nexport function closePopup(popup: Window | null | undefined): void {\n  if (popup && !popup.closed) {\n    popup.close();\n  }\n}\n\nexport function openPasskeyPopupWindow(): Window {\n  const popupUrl = new URL(PASSKEY_POPUP_PATH, window.location.origin).toString();\n  const popup = window.open(\n    popupUrl,\n    'thru_passkey_popup',\n    'popup=yes,width=440,height=640'\n  );\n\n  if (!popup) {\n    throw new Error('Passkey popup was blocked');\n  }\n\n  return popup;\n}\n\nfunction createPopupRequestId(): string {\n  const rand = Math.random().toString(36).slice(2, 10);\n  return `passkey_${Date.now()}_${rand}`;\n}\n\nexport async function requestPasskeyPopup<T>(\n  action: PasskeyPopupAction,\n  payload: PasskeyPopupRequestPayload,\n  preopenedPopup?: Window | null\n): Promise<T> {\n  if (typeof window === 'undefined') {\n    throw new Error('Passkey popup is only available in the browser');\n  }\n\n  const requestId = createPopupRequestId();\n  const targetOrigin = window.location.origin;\n  let popup: Window | null = preopenedPopup ?? null;\n  const channel =\n    typeof BroadcastChannel !== 'undefined' ? new BroadcastChannel(PASSKEY_POPUP_CHANNEL) : null;\n\n  return new Promise<T>((resolve, reject) => {\n    let timeout: ReturnType<typeof setTimeout> | null = null;\n    let closePoll: ReturnType<typeof setInterval> | null = null;\n    let requestSent = false;\n\n    const cleanup = () => {\n      if (timeout) {\n        clearTimeout(timeout);\n        timeout = null;\n      }\n      if (closePoll) {\n        clearInterval(closePoll);\n        closePoll = null;\n      }\n      window.removeEventListener('message', handleMessage);\n      if (channel) {\n        channel.removeEventListener('message', handleChannelMessage);\n        channel.close();\n      }\n    };\n\n    const sendRequest = (viaChannel: boolean) => {\n      if (requestSent) {\n        return;\n      }\n      requestSent = true;\n\n      const request: PasskeyPopupRequest = {\n        type: PASSKEY_POPUP_REQUEST_EVENT,\n        requestId,\n        action,\n        payload,\n      };\n\n      if (viaChannel) {\n        channel?.postMessage(request);\n        return;\n      }\n\n      popup?.postMessage(request, targetOrigin);\n    };\n\n    const handleResponse = (data: PasskeyPopupResponse) => {\n      if (data.requestId !== requestId) {\n        return;\n      }\n\n      cleanup();\n      if (popup && !popup.closed) {\n        popup.close();\n      }\n\n      if (data.success) {\n        resolve((data as Extract<PasskeyPopupResponse, { success: true }>).result as T);\n      } else {\n        const err = new Error(data.error?.message || 'Passkey popup failed');\n        if (data.error?.name) {\n          (err as { name?: string }).name = data.error.name;\n        }\n        reject(err);\n      }\n    };\n\n    const handleMessage = (event: MessageEvent) => {\n      if (event.origin !== targetOrigin) {\n        return;\n      }\n\n      const data = event.data as PasskeyPopupResponse | { type?: string };\n      if (!data || typeof data !== 'object') {\n        return;\n      }\n\n      if (data.type === PASSKEY_POPUP_READY_EVENT) {\n        if (popup && event.source !== popup) {\n          return;\n        }\n        sendRequest(false);\n        return;\n      }\n\n      if (data.type === PASSKEY_POPUP_RESPONSE_EVENT && 'requestId' in data) {\n        handleResponse(data as PasskeyPopupResponse);\n      }\n    };\n\n    window.addEventListener('message', handleMessage);\n\n    const handleChannelMessage = (event: MessageEvent) => {\n      const data = event.data as PasskeyPopupResponse | { type?: string };\n      if (!data || typeof data !== 'object') {\n        return;\n      }\n\n      if (data.type === PASSKEY_POPUP_READY_EVENT) {\n        sendRequest(true);\n        return;\n      }\n\n      if (data.type === PASSKEY_POPUP_RESPONSE_EVENT && 'requestId' in data) {\n        handleResponse(data as PasskeyPopupResponse);\n      }\n    };\n\n    if (channel) {\n      channel.addEventListener('message', handleChannelMessage);\n    }\n\n    if (!popup) {\n      try {\n        popup = openPasskeyPopupWindow();\n      } catch (error) {\n        cleanup();\n        reject(error);\n        return;\n      }\n    }\n\n    timeout = setTimeout(() => {\n      cleanup();\n      try {\n        popup?.close();\n      } catch {\n        /* ignore */\n      }\n      reject(new Error('Passkey popup timed out'));\n    }, PASSKEY_POPUP_TIMEOUT_MS);\n\n    closePoll = setInterval(() => {\n      if (popup && popup.closed) {\n        cleanup();\n        reject(new Error('Passkey popup was closed'));\n      }\n    }, 250);\n  });\n}\n","import type {\n  PasskeySigningResult,\n  PasskeyStoredSigningResult,\n  PasskeyDiscoverableSigningResult,\n  PasskeyMetadata,\n  PasskeyPopupContext,\n  PasskeyPopupSigningResult,\n  PasskeyPopupStoredSigningResult,\n} from './types';\nimport {\n  arrayBufferToBase64Url,\n  base64UrlToArrayBuffer,\n  bytesToBase64Url,\n  base64UrlToBytes,\n  parseDerSignature,\n  normalizeLowS,\n} from '@thru/passkey-manager';\nimport {\n  isWebAuthnSupported,\n  getPasskeyPromptMode,\n  isInIframe,\n  maybePreopenPopup,\n  shouldFallbackToPopup,\n  type PasskeyPromptAction,\n} from './capabilities';\nimport { requestPasskeyPopup, openPasskeyPopupWindow, closePopup } from './popup';\n\n/**\n * Sign a challenge with an existing passkey (by credential ID).\n */\nexport async function signWithPasskey(\n  credentialId: string,\n  challenge: Uint8Array,\n  rpId: string\n): Promise<PasskeySigningResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  return runWithPromptMode(\n    'get',\n    () => signWithPasskeyInline(credentialId, challenge, rpId),\n    (preopenedPopup) => signWithPasskeyViaPopup(credentialId, challenge, rpId, preopenedPopup)\n  );\n}\n\n/**\n * Sign with stored passkey (for embedded/popup contexts).\n */\nexport async function signWithStoredPasskey(\n  challenge: Uint8Array,\n  rpId: string,\n  preferredPasskey: PasskeyMetadata | null,\n  allPasskeys: PasskeyMetadata[],\n  context?: PasskeyPopupContext\n): Promise<PasskeyStoredSigningResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  const preopenedPopup = maybePreopenPopup('get', openPasskeyPopupWindow);\n  const promptMode = await getPasskeyPromptMode('get');\n  const storedPasskey = preferredPasskey;\n  const canUsePopup = isInIframe();\n\n  if (promptMode === 'popup' || (canUsePopup && !storedPasskey)) {\n    return requestStoredPasskeyPopup(challenge, preopenedPopup, context);\n  }\n\n  closePopup(preopenedPopup);\n\n  try {\n    if (storedPasskey) {\n      const result = await signWithPasskeyInline(\n        storedPasskey.credentialId,\n        challenge,\n        storedPasskey.rpId\n      );\n      return {\n        ...result,\n        passkey: storedPasskey,\n      };\n    }\n\n    const discoverable = await signWithDiscoverablePasskey(challenge, rpId);\n    const matchingPasskey = allPasskeys.find(p => p.credentialId === discoverable.credentialId) ?? null;\n    const now = new Date().toISOString();\n    const passkey = matchingPasskey ?? {\n      credentialId: discoverable.credentialId,\n      publicKeyX: '',\n      publicKeyY: '',\n      rpId: discoverable.rpId,\n      createdAt: now,\n      lastUsedAt: now,\n    };\n\n    return {\n      signature: discoverable.signature,\n      authenticatorData: discoverable.authenticatorData,\n      clientDataJSON: discoverable.clientDataJSON,\n      signatureR: discoverable.signatureR,\n      signatureS: discoverable.signatureS,\n      passkey,\n    };\n  } catch (error) {\n    if (canUsePopup && shouldFallbackToPopup(error)) {\n      return requestStoredPasskeyPopup(challenge, undefined, context);\n    }\n\n    throw error;\n  }\n}\n\n/**\n * Sign with a discoverable passkey (no credential ID - browser prompts user to select).\n */\nexport async function signWithDiscoverablePasskey(\n  challenge: Uint8Array,\n  rpId: string\n): Promise<PasskeyDiscoverableSigningResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  const resolvedRpId = rpId;\n  const result = await signWithPasskeyAssertion(challenge, resolvedRpId);\n\n  return {\n    signature: result.signature,\n    authenticatorData: result.authenticatorData,\n    clientDataJSON: result.clientDataJSON,\n    signatureR: result.signatureR,\n    signatureS: result.signatureS,\n    credentialId: result.credentialId,\n    rpId: resolvedRpId,\n  };\n}\n\n// Internal helpers\n\nasync function runWithPromptMode<T>(\n  action: PasskeyPromptAction,\n  inlineFn: () => Promise<T>,\n  popupFn: (preopenedPopup?: Window | null) => Promise<T>\n): Promise<T> {\n  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);\n  const promptMode = await getPasskeyPromptMode(action);\n  if (promptMode === 'popup') {\n    return popupFn(preopenedPopup);\n  }\n\n  closePopup(preopenedPopup);\n\n  try {\n    return await inlineFn();\n  } catch (error) {\n    if (shouldFallbackToPopup(error)) {\n      return popupFn();\n    }\n    throw error;\n  }\n}\n\nasync function signWithPasskeyInline(\n  credentialId: string,\n  challenge: Uint8Array,\n  rpId: string\n): Promise<PasskeySigningResult> {\n  const result = await signWithPasskeyAssertion(challenge, rpId, credentialId);\n  return {\n    signature: result.signature,\n    authenticatorData: result.authenticatorData,\n    clientDataJSON: result.clientDataJSON,\n    signatureR: result.signatureR,\n    signatureS: result.signatureS,\n  };\n}\n\nasync function signWithPasskeyAssertion(\n  challenge: Uint8Array,\n  rpId: string,\n  credentialId?: string\n): Promise<PasskeySigningResult & { credentialId: string }> {\n  const challengeBytes = new Uint8Array(challenge);\n  const getOptions: PublicKeyCredentialRequestOptions = {\n    challenge: challengeBytes,\n    rpId,\n    userVerification: 'required',\n    timeout: 60000,\n  };\n\n  if (credentialId) {\n    const credentialIdBuffer = base64UrlToArrayBuffer(credentialId);\n    getOptions.allowCredentials = [\n      {\n        type: 'public-key',\n        id: credentialIdBuffer,\n        transports: ['internal', 'hybrid', 'usb', 'ble', 'nfc'],\n      },\n    ];\n  }\n\n  const assertion = (await navigator.credentials.get({\n    publicKey: getOptions,\n  })) as PublicKeyCredential | null;\n\n  if (!assertion) {\n    throw new Error('Passkey authentication was cancelled');\n  }\n\n  const response = assertion.response as AuthenticatorAssertionResponse;\n\n  const signature = new Uint8Array(response.signature);\n  let { r, s } = parseDerSignature(signature);\n  s = normalizeLowS(s);\n\n  return {\n    signature: new Uint8Array([...r, ...s]),\n    authenticatorData: new Uint8Array(response.authenticatorData),\n    clientDataJSON: new Uint8Array(response.clientDataJSON),\n    signatureR: r,\n    signatureS: s,\n    credentialId: arrayBufferToBase64Url(assertion.rawId),\n  };\n}\n\nasync function signWithPasskeyViaPopup(\n  credentialId: string,\n  challenge: Uint8Array,\n  rpId: string,\n  preopenedPopup?: Window | null\n): Promise<PasskeySigningResult> {\n  const result = await requestPasskeyPopup<PasskeyPopupSigningResult>(\n    'get',\n    {\n      credentialId,\n      challengeBase64Url: bytesToBase64Url(challenge),\n      rpId,\n    },\n    preopenedPopup\n  );\n\n  return decodePopupSigningResult(result);\n}\n\nasync function requestStoredPasskeyPopup(\n  challenge: Uint8Array,\n  preopenedPopup?: Window | null,\n  context?: PasskeyPopupContext\n): Promise<PasskeyStoredSigningResult> {\n  const result = await requestPasskeyPopup<PasskeyPopupStoredSigningResult>(\n    'getStored',\n    {\n      challengeBase64Url: bytesToBase64Url(challenge),\n      context,\n    },\n    preopenedPopup\n  );\n  return decodePopupStoredSigningResult(result);\n}\n\nfunction decodePopupSigningResult(result: PasskeyPopupSigningResult): PasskeySigningResult {\n  return {\n    signature: base64UrlToBytes(result.signatureBase64Url),\n    authenticatorData: base64UrlToBytes(result.authenticatorDataBase64Url),\n    clientDataJSON: base64UrlToBytes(result.clientDataJSONBase64Url),\n    signatureR: base64UrlToBytes(result.signatureRBase64Url),\n    signatureS: base64UrlToBytes(result.signatureSBase64Url),\n  };\n}\n\nfunction decodePopupStoredSigningResult(\n  result: PasskeyPopupStoredSigningResult\n): PasskeyStoredSigningResult {\n  return {\n    ...decodePopupSigningResult(result),\n    passkey: result.passkey,\n    accounts: result.accounts,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACCA,6BAAmD;;;ACCnD,IAAM,QAAQ,OAAO,YAAY,eAAe,QAAQ,KAAK,8BAA8B;AAE3F,IAAI;AACJ,IAAI,4BAA8E;AAE3E,SAAS,sBAA+B;AAC7C,QAAM,YACJ,OAAO,WAAW,eAClB,OAAO,OAAO,wBAAwB,eACtC,OAAO,UAAU,gBAAgB;AAEnC,MAAI,OAAO;AACT,YAAQ,IAAI,qCAAqC;AAAA,MAC/C,QAAQ,OAAO,WAAW;AAAA,MAC1B,qBACE,OAAO,WAAW,eAAe,OAAO,OAAO,wBAAwB;AAAA,MACzE,aACE,OAAO,WAAW,eAClB,OAAO,cAAc,eACrB,OAAO,UAAU,gBAAgB;AAAA,MACnC;AAAA,IACF,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,eAAe,iCAA4E;AACzF,MAAI,OAAO,WAAW,eAAe,OAAO,OAAO,wBAAwB,aAAa;AACtF,WAAO;AAAA,EACT;AAEA,QAAM,wBAAyB,OAAO,oBAEnC;AAEH,MAAI,OAAO,0BAA0B,YAAY;AAC/C,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,eAAe,MAAM,sBAAsB,KAAK,OAAO,mBAAmB;AAChF,QAAI,OAAO;AACT,cAAQ,IAAI,2CAA2C,YAAY;AAAA,IACrE;AACA,WAAO,gBAAgB;AAAA,EACzB,SAAS,OAAO;AACd,QAAI,OAAO;AACT,cAAQ,KAAK,iDAAiD,KAAK;AAAA,IACrE;AACA,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mCAAyC;AACvD,MAAI,6BAA6B,UAAa,2BAA2B;AACvE;AAAA,EACF;AAEA,8BAA4B,+BAA+B,EAAE,KAAK,CAAC,iBAAiB;AAClF,+BAA2B;AAC3B,WAAO;AAAA,EACT,CAAC;AACH;AAEA,eAAsB,+BAA0E;AAC9F,MAAI,6BAA6B,QAAW;AAC1C,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,2BAA2B;AAC9B,qCAAiC;AAAA,EACnC;AAEA,MAAI,CAAC,2BAA2B;AAC9B,+BAA2B;AAC3B,WAAO;AAAA,EACT;AAEA,QAAM,eAAe,MAAM;AAC3B,6BAA2B;AAC3B,SAAO;AACT;AAEO,SAAS,qCAAmF;AACjG,SAAO;AACT;AAEO,SAAS,aAAsB;AACpC,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO;AAAA,EACT;AACA,MAAI;AACF,WAAO,OAAO,SAAS,OAAO;AAAA,EAChC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAIA,eAAsB,sBAAsB,QAA+C;AACzF,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AACA,QAAM,OAAO,MAAM,qBAAqB,MAAM;AAC9C,SAAO,SAAS;AAClB;AAIA,SAAS,kCAAkC,SAAiC;AAC1E,MAAI,OAAO,aAAa,aAAa;AACnC,WAAO;AAAA,EACT;AAEA,QAAM,SAAU,SACb;AACH,QAAM,gBAAiB,SACpB;AACH,QAAM,gBAAgB,QAAQ,iBAAiB,eAAe;AAE9D,MAAI,OAAO,kBAAkB,YAAY;AACvC,WAAO;AAAA,EACT;AAEA,MAAI;AACF,WAAO,cAAc,OAAO;AAAA,EAC9B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,oBAAoB,QAA4D;AACvF,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,MAAI,6BAA6B,UAAa,CAAC,2BAA2B;AACxE,qCAAiC;AAAA,EACnC;AAEA,QAAM,UACJ,WAAW,WAAW,iCAAiC;AACzD,QAAM,eAAe,kCAAkC,OAAO;AAC9D,QAAM,eAAe,mCAAmC;AACxD,QAAM,iBACJ,cAAc,iCAAiC,QAC/C,cAAc,uCAAuC;AAEvD,MAAI,iBAAiB,OAAO;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,QAAW;AAC9B,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,gBAAgB;AACnB,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEA,eAAsB,qBAAqB,QAAyD;AAClG,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,UACJ,WAAW,WAAW,iCAAiC;AACzD,QAAM,eAAe,kCAAkC,OAAO;AAC9D,QAAM,eAAe,MAAM,6BAA6B;AACxD,QAAM,iBACJ,cAAc,iCAAiC,QAC/C,cAAc,uCAAuC;AAEvD,MAAI,OAAO;AACT,YAAQ,IAAI,gCAAgC;AAAA,MAC1C;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,gBAAgB;AACnB,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,OAAO;AAC1B,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEO,SAAS,kBAAkB,QAA6B,aAA0C;AACvG,QAAM,aAAa,oBAAoB,MAAM;AAC7C,MAAI,eAAe,SAAS;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI;AACF,WAAO,YAAY;AAAA,EACrB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,sBAAsB,OAAyB;AAC7D,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,OACJ,SAAS,OAAO,UAAU,YAAY,UAAU,QAAQ,OAAQ,MAA6B,IAAI,IAAI;AACvG,QAAM,UACJ,SAAS,OAAO,UAAU,YAAY,aAAa,QAC/C,OAAQ,MAAgC,OAAO,IAC/C;AACN,QAAM,aAAa,GAAG,IAAI,IAAI,OAAO,GAAG,YAAY;AAEpD,MACE,WAAW,SAAS,QAAQ,KAC5B,WAAW,SAAS,UAAU,KAC9B,WAAW,SAAS,WAAW,KAC/B,WAAW,SAAS,eAAe,KACnC,WAAW,SAAS,gBAAgB,KACpC,WAAW,SAAS,SAAS,GAC7B;AACA,WAAO;AAAA,EACT;AAEA,MAAI,WAAW,SAAS,eAAe,GAAG;AACxC,WAAO;AAAA,EACT;AAEA,MAAI,WAAW,SAAS,iBAAiB,GAAG;AAC1C,QACE,WAAW,SAAS,YAAY,KAChC,WAAW,SAAS,QAAQ,KAC5B,WAAW,SAAS,QAAQ,KAC5B,WAAW,SAAS,OAAO,GAC3B;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;ACtPO,IAAM,qBAAqB;AAC3B,IAAM,4BAA4B;AAClC,IAAM,8BAA8B;AACpC,IAAM,+BAA+B;AACrC,IAAM,wBAAwB;AAErC,IAAM,2BAA2B;AAE1B,SAAS,WAAW,OAAwC;AACjE,MAAI,SAAS,CAAC,MAAM,QAAQ;AAC1B,UAAM,MAAM;AAAA,EACd;AACF;AAEO,SAAS,yBAAiC;AAC/C,QAAM,WAAW,IAAI,IAAI,oBAAoB,OAAO,SAAS,MAAM,EAAE,SAAS;AAC9E,QAAM,QAAQ,OAAO;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,2BAA2B;AAAA,EAC7C;AAEA,SAAO;AACT;AAEA,SAAS,uBAA+B;AACtC,QAAM,OAAO,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,MAAM,GAAG,EAAE;AACnD,SAAO,WAAW,KAAK,IAAI,CAAC,IAAI,IAAI;AACtC;AAEA,eAAsB,oBACpB,QACA,SACA,gBACY;AACZ,MAAI,OAAO,WAAW,aAAa;AACjC,UAAM,IAAI,MAAM,gDAAgD;AAAA,EAClE;AAEA,QAAM,YAAY,qBAAqB;AACvC,QAAM,eAAe,OAAO,SAAS;AACrC,MAAI,QAAuB,kBAAkB;AAC7C,QAAM,UACJ,OAAO,qBAAqB,cAAc,IAAI,iBAAiB,qBAAqB,IAAI;AAE1F,SAAO,IAAI,QAAW,CAAC,SAAS,WAAW;AACzC,QAAI,UAAgD;AACpD,QAAI,YAAmD;AACvD,QAAI,cAAc;AAElB,UAAM,UAAU,MAAM;AACpB,UAAI,SAAS;AACX,qBAAa,OAAO;AACpB,kBAAU;AAAA,MACZ;AACA,UAAI,WAAW;AACb,sBAAc,SAAS;AACvB,oBAAY;AAAA,MACd;AACA,aAAO,oBAAoB,WAAW,aAAa;AACnD,UAAI,SAAS;AACX,gBAAQ,oBAAoB,WAAW,oBAAoB;AAC3D,gBAAQ,MAAM;AAAA,MAChB;AAAA,IACF;AAEA,UAAM,cAAc,CAAC,eAAwB;AAC3C,UAAI,aAAa;AACf;AAAA,MACF;AACA,oBAAc;AAEd,YAAM,UAA+B;AAAA,QACnC,MAAM;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,UAAI,YAAY;AACd,iBAAS,YAAY,OAAO;AAC5B;AAAA,MACF;AAEA,aAAO,YAAY,SAAS,YAAY;AAAA,IAC1C;AAEA,UAAM,iBAAiB,CAAC,SAA+B;AACrD,UAAI,KAAK,cAAc,WAAW;AAChC;AAAA,MACF;AAEA,cAAQ;AACR,UAAI,SAAS,CAAC,MAAM,QAAQ;AAC1B,cAAM,MAAM;AAAA,MACd;AAEA,UAAI,KAAK,SAAS;AAChB,gBAAS,KAA0D,MAAW;AAAA,MAChF,OAAO;AACL,cAAM,MAAM,IAAI,MAAM,KAAK,OAAO,WAAW,sBAAsB;AACnE,YAAI,KAAK,OAAO,MAAM;AACpB,UAAC,IAA0B,OAAO,KAAK,MAAM;AAAA,QAC/C;AACA,eAAO,GAAG;AAAA,MACZ;AAAA,IACF;AAEA,UAAM,gBAAgB,CAAC,UAAwB;AAC7C,UAAI,MAAM,WAAW,cAAc;AACjC;AAAA,MACF;AAEA,YAAM,OAAO,MAAM;AACnB,UAAI,CAAC,QAAQ,OAAO,SAAS,UAAU;AACrC;AAAA,MACF;AAEA,UAAI,KAAK,SAAS,2BAA2B;AAC3C,YAAI,SAAS,MAAM,WAAW,OAAO;AACnC;AAAA,QACF;AACA,oBAAY,KAAK;AACjB;AAAA,MACF;AAEA,UAAI,KAAK,SAAS,gCAAgC,eAAe,MAAM;AACrE,uBAAe,IAA4B;AAAA,MAC7C;AAAA,IACF;AAEA,WAAO,iBAAiB,WAAW,aAAa;AAEhD,UAAM,uBAAuB,CAAC,UAAwB;AACpD,YAAM,OAAO,MAAM;AACnB,UAAI,CAAC,QAAQ,OAAO,SAAS,UAAU;AACrC;AAAA,MACF;AAEA,UAAI,KAAK,SAAS,2BAA2B;AAC3C,oBAAY,IAAI;AAChB;AAAA,MACF;AAEA,UAAI,KAAK,SAAS,gCAAgC,eAAe,MAAM;AACrE,uBAAe,IAA4B;AAAA,MAC7C;AAAA,IACF;AAEA,QAAI,SAAS;AACX,cAAQ,iBAAiB,WAAW,oBAAoB;AAAA,IAC1D;AAEA,QAAI,CAAC,OAAO;AACV,UAAI;AACF,gBAAQ,uBAAuB;AAAA,MACjC,SAAS,OAAO;AACd,gBAAQ;AACR,eAAO,KAAK;AACZ;AAAA,MACF;AAAA,IACF;AAEA,cAAU,WAAW,MAAM;AACzB,cAAQ;AACR,UAAI;AACF,eAAO,MAAM;AAAA,MACf,QAAQ;AAAA,MAER;AACA,aAAO,IAAI,MAAM,yBAAyB,CAAC;AAAA,IAC7C,GAAG,wBAAwB;AAE3B,gBAAY,YAAY,MAAM;AAC5B,UAAI,SAAS,MAAM,QAAQ;AACzB,gBAAQ;AACR,eAAO,IAAI,MAAM,0BAA0B,CAAC;AAAA,MAC9C;AAAA,IACF,GAAG,GAAG;AAAA,EACR,CAAC;AACH;;;AFjLA,eAAsB,gBACpB,OACA,QACA,MACoC;AACpC,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,SAAO;AAAA,IACL;AAAA,IACA,MAAM,sBAAsB,OAAO,QAAQ,IAAI;AAAA,IAC/C,CAAC,mBAAmB,wBAAwB,OAAO,QAAQ,MAAM,cAAc;AAAA,EACjF;AACF;AAEA,eAAe,kBACb,QACA,UACA,SACY;AACZ,QAAM,iBAAiB,kBAAkB,QAAQ,sBAAsB;AACvE,QAAM,aAAa,MAAM,qBAAqB,MAAM;AACpD,MAAI,eAAe,SAAS;AAC1B,WAAO,QAAQ,cAAc;AAAA,EAC/B;AAEA,aAAW,cAAc;AAEzB,MAAI;AACF,WAAO,MAAM,SAAS;AAAA,EACxB,SAAS,OAAO;AACd,QAAI,sBAAsB,KAAK,GAAG;AAChC,aAAO,QAAQ;AAAA,IACjB;AACA,UAAM;AAAA,EACR;AACF;AAEA,eAAe,sBACb,OACA,QACA,MACoC;AACpC,QAAM,SAAS;AAEf,QAAM,cAAc,IAAI,YAAY,EAAE,OAAO,MAAM;AACnD,QAAM,eAAe,YAAY,MAAM,GAAG,EAAE;AAE5C,QAAM,YAAY,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAE3D,QAAM,gBAAoD;AAAA,IACxD;AAAA,IACA,IAAI;AAAA,MACF,IAAI;AAAA,MACJ,MAAM;AAAA,IACR;AAAA,IACA,MAAM;AAAA,MACJ,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,IACA,kBAAkB;AAAA,MAChB,EAAE,MAAM,cAAc,KAAK,GAAG;AAAA,IAChC;AAAA,IACA,wBAAwB;AAAA,MACtB,yBAAyB;AAAA,MACzB,kBAAkB;AAAA,MAClB,aAAa;AAAA,MACb,oBAAoB;AAAA,IACtB;AAAA,IACA,aAAa;AAAA,IACb,SAAS;AAAA,EACX;AAEA,QAAM,aAAc,MAAM,UAAU,YAAY,OAAO;AAAA,IACrD,WAAW;AAAA,EACb,CAAC;AAED,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,QAAM,WAAW,WAAW;AAC5B,QAAM,EAAE,GAAG,EAAE,IAAI,qBAAqB,QAAQ;AAE9C,SAAO;AAAA,IACL,kBAAc,+CAAuB,WAAW,KAAK;AAAA,IACrD,gBAAY,mCAAW,CAAC;AAAA,IACxB,gBAAY,mCAAW,CAAC;AAAA,IACxB;AAAA,EACF;AACF;AAEA,eAAe,wBACb,OACA,QACA,MACA,gBACoC;AACpC,QAAM,SAAS,MAAM;AAAA,IACnB;AAAA,IACA,EAAE,OAAO,QAAQ,KAAK;AAAA,IACtB;AAAA,EACF;AACA,SAAO;AACT;AAIA,SAAS,qBACP,UACkC;AAClC,MAAI,OAAO,SAAS,iBAAiB,YAAY;AAC/C,UAAM,UAAU,SAAS,aAAa;AACtC,QAAI,SAAS;AACX,aAAO,gBAAgB,IAAI,WAAW,OAAO,CAAC;AAAA,IAChD;AAAA,EACF;AAEA,MAAI,OAAO,SAAS,yBAAyB,YAAY;AACvD,UAAM,WAAW,IAAI,WAAW,SAAS,qBAAqB,CAAC;AAC/D,WAAO,6BAA6B,QAAQ;AAAA,EAC9C;AAEA,QAAM,IAAI,MAAM,kFAAkF;AACpG;AAEA,SAAS,gBAAgB,MAAoD;AAC3E,QAAM,aAAa,KAAK,SAAS;AAEjC,MAAI,KAAK,UAAU,MAAM,GAAM;AAC7B,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE;AAEA,QAAM,IAAI,KAAK,MAAM,aAAa,GAAG,aAAa,EAAE;AACpD,QAAM,IAAI,KAAK,MAAM,aAAa,IAAI,aAAa,EAAE;AAErD,MAAI,EAAE,WAAW,MAAM,EAAE,WAAW,IAAI;AACtC,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE;AAEA,SAAO,EAAE,GAAG,EAAE;AAChB;AAEA,SAAS,6BAA6B,UAAwD;AAC5F,QAAM,iBAAiB;AACvB,QAAM,cAAc;AACpB,QAAM,gBAAgB;AACtB,QAAM,SAAS,iBAAiB,cAAc;AAC9C,QAAM,eAAe;AACrB,QAAM,kBAAkB,SAAS;AACjC,QAAM,eAAgB,SAAS,eAAe,KAAK,IAAK,SAAS,kBAAkB,CAAC;AACpF,QAAM,gBAAgB,kBAAkB,IAAI;AAC5C,QAAM,UAAU,SAAS,MAAM,aAAa;AAE5C,SAAO,mBAAmB,OAAO;AACnC;AAEA,SAAS,mBAAmB,SAAuD;AACjF,QAAM,WAAW,QAAQ,CAAC;AAC1B,MAAI,aAAa,OAAQ,aAAa,KAAM;AAC1C,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI,SAAS;AACb,MAAI,IAAuB;AAC3B,MAAI,IAAuB;AAE3B,SAAO,SAAS,QAAQ,QAAQ;AAC9B,UAAM,MAAM,QAAQ,QAAQ;AAC5B,UAAM,YAAY,QAAQ,QAAQ;AAElC,QAAI,QAAQ,IAAM;AAChB,YAAM,SAAS,YAAY;AAC3B,UAAI,QAAQ,MAAM,QAAQ,SAAS,MAAM;AACzC,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,QAAQ,IAAM;AAChB,YAAM,SAAS,YAAY;AAC3B,UAAI,QAAQ,MAAM,QAAQ,SAAS,MAAM;AACzC,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,aAAa,MAAQ,aAAa,IAAM;AAC1C,YAAM,SAAS,YAAY;AAC3B,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,cAAc,KAAQ,cAAc,KAAQ,cAAc,GAAM;AAClE;AAAA,IACF;AAEA,QAAI,aAAa,MAAQ,aAAa,IAAM;AAC1C,YAAM,OAAO,KAAM,YAAY;AAC/B,gBAAU;AACV;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,KAAK,CAAC,GAAG;AACZ,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACrE;AAEA,MAAI,EAAE,WAAW,MAAM,EAAE,WAAW,IAAI;AACtC,UAAM,IAAI,MAAM,+CAA+C;AAAA,EACjE;AAEA,SAAO,EAAE,GAAG,EAAE;AAChB;;;AG1NA,IAAAA,0BAOO;AAcP,eAAsB,gBACpB,cACA,WACA,MAC+B;AAC/B,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,SAAOC;AAAA,IACL;AAAA,IACA,MAAM,sBAAsB,cAAc,WAAW,IAAI;AAAA,IACzD,CAAC,mBAAmB,wBAAwB,cAAc,WAAW,MAAM,cAAc;AAAA,EAC3F;AACF;AAKA,eAAsB,sBACpB,WACA,MACA,kBACA,aACA,SACqC;AACrC,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,QAAM,iBAAiB,kBAAkB,OAAO,sBAAsB;AACtE,QAAM,aAAa,MAAM,qBAAqB,KAAK;AACnD,QAAM,gBAAgB;AACtB,QAAM,cAAc,WAAW;AAE/B,MAAI,eAAe,WAAY,eAAe,CAAC,eAAgB;AAC7D,WAAO,0BAA0B,WAAW,gBAAgB,OAAO;AAAA,EACrE;AAEA,aAAW,cAAc;AAEzB,MAAI;AACF,QAAI,eAAe;AACjB,YAAM,SAAS,MAAM;AAAA,QACnB,cAAc;AAAA,QACd;AAAA,QACA,cAAc;AAAA,MAChB;AACA,aAAO;AAAA,QACL,GAAG;AAAA,QACH,SAAS;AAAA,MACX;AAAA,IACF;AAEA,UAAM,eAAe,MAAM,4BAA4B,WAAW,IAAI;AACtE,UAAM,kBAAkB,YAAY,KAAK,OAAK,EAAE,iBAAiB,aAAa,YAAY,KAAK;AAC/F,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,UAAM,UAAU,mBAAmB;AAAA,MACjC,cAAc,aAAa;AAAA,MAC3B,YAAY;AAAA,MACZ,YAAY;AAAA,MACZ,MAAM,aAAa;AAAA,MACnB,WAAW;AAAA,MACX,YAAY;AAAA,IACd;AAEA,WAAO;AAAA,MACL,WAAW,aAAa;AAAA,MACxB,mBAAmB,aAAa;AAAA,MAChC,gBAAgB,aAAa;AAAA,MAC7B,YAAY,aAAa;AAAA,MACzB,YAAY,aAAa;AAAA,MACzB;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,QAAI,eAAe,sBAAsB,KAAK,GAAG;AAC/C,aAAO,0BAA0B,WAAW,QAAW,OAAO;AAAA,IAChE;AAEA,UAAM;AAAA,EACR;AACF;AAKA,eAAsB,4BACpB,WACA,MAC2C;AAC3C,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,QAAM,eAAe;AACrB,QAAM,SAAS,MAAM,yBAAyB,WAAW,YAAY;AAErE,SAAO;AAAA,IACL,WAAW,OAAO;AAAA,IAClB,mBAAmB,OAAO;AAAA,IAC1B,gBAAgB,OAAO;AAAA,IACvB,YAAY,OAAO;AAAA,IACnB,YAAY,OAAO;AAAA,IACnB,cAAc,OAAO;AAAA,IACrB,MAAM;AAAA,EACR;AACF;AAIA,eAAeA,mBACb,QACA,UACA,SACY;AACZ,QAAM,iBAAiB,kBAAkB,QAAQ,sBAAsB;AACvE,QAAM,aAAa,MAAM,qBAAqB,MAAM;AACpD,MAAI,eAAe,SAAS;AAC1B,WAAO,QAAQ,cAAc;AAAA,EAC/B;AAEA,aAAW,cAAc;AAEzB,MAAI;AACF,WAAO,MAAM,SAAS;AAAA,EACxB,SAAS,OAAO;AACd,QAAI,sBAAsB,KAAK,GAAG;AAChC,aAAO,QAAQ;AAAA,IACjB;AACA,UAAM;AAAA,EACR;AACF;AAEA,eAAe,sBACb,cACA,WACA,MAC+B;AAC/B,QAAM,SAAS,MAAM,yBAAyB,WAAW,MAAM,YAAY;AAC3E,SAAO;AAAA,IACL,WAAW,OAAO;AAAA,IAClB,mBAAmB,OAAO;AAAA,IAC1B,gBAAgB,OAAO;AAAA,IACvB,YAAY,OAAO;AAAA,IACnB,YAAY,OAAO;AAAA,EACrB;AACF;AAEA,eAAe,yBACb,WACA,MACA,cAC0D;AAC1D,QAAM,iBAAiB,IAAI,WAAW,SAAS;AAC/C,QAAM,aAAgD;AAAA,IACpD,WAAW;AAAA,IACX;AAAA,IACA,kBAAkB;AAAA,IAClB,SAAS;AAAA,EACX;AAEA,MAAI,cAAc;AAChB,UAAM,yBAAqB,gDAAuB,YAAY;AAC9D,eAAW,mBAAmB;AAAA,MAC5B;AAAA,QACE,MAAM;AAAA,QACN,IAAI;AAAA,QACJ,YAAY,CAAC,YAAY,UAAU,OAAO,OAAO,KAAK;AAAA,MACxD;AAAA,IACF;AAAA,EACF;AAEA,QAAM,YAAa,MAAM,UAAU,YAAY,IAAI;AAAA,IACjD,WAAW;AAAA,EACb,CAAC;AAED,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,MAAM,sCAAsC;AAAA,EACxD;AAEA,QAAM,WAAW,UAAU;AAE3B,QAAM,YAAY,IAAI,WAAW,SAAS,SAAS;AACnD,MAAI,EAAE,GAAG,EAAE,QAAI,2CAAkB,SAAS;AAC1C,UAAI,uCAAc,CAAC;AAEnB,SAAO;AAAA,IACL,WAAW,IAAI,WAAW,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;AAAA,IACtC,mBAAmB,IAAI,WAAW,SAAS,iBAAiB;AAAA,IAC5D,gBAAgB,IAAI,WAAW,SAAS,cAAc;AAAA,IACtD,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,kBAAc,gDAAuB,UAAU,KAAK;AAAA,EACtD;AACF;AAEA,eAAe,wBACb,cACA,WACA,MACA,gBAC+B;AAC/B,QAAM,SAAS,MAAM;AAAA,IACnB;AAAA,IACA;AAAA,MACE;AAAA,MACA,wBAAoB,0CAAiB,SAAS;AAAA,MAC9C;AAAA,IACF;AAAA,IACA;AAAA,EACF;AAEA,SAAO,yBAAyB,MAAM;AACxC;AAEA,eAAe,0BACb,WACA,gBACA,SACqC;AACrC,QAAM,SAAS,MAAM;AAAA,IACnB;AAAA,IACA;AAAA,MACE,wBAAoB,0CAAiB,SAAS;AAAA,MAC9C;AAAA,IACF;AAAA,IACA;AAAA,EACF;AACA,SAAO,+BAA+B,MAAM;AAC9C;AAEA,SAAS,yBAAyB,QAAyD;AACzF,SAAO;AAAA,IACL,eAAW,0CAAiB,OAAO,kBAAkB;AAAA,IACrD,uBAAmB,0CAAiB,OAAO,0BAA0B;AAAA,IACrE,oBAAgB,0CAAiB,OAAO,uBAAuB;AAAA,IAC/D,gBAAY,0CAAiB,OAAO,mBAAmB;AAAA,IACvD,gBAAY,0CAAiB,OAAO,mBAAmB;AAAA,EACzD;AACF;AAEA,SAAS,+BACP,QAC4B;AAC5B,SAAO;AAAA,IACL,GAAG,yBAAyB,MAAM;AAAA,IAClC,SAAS,OAAO;AAAA,IAChB,UAAU,OAAO;AAAA,EACnB;AACF;;;AJpQA,IAAAC,0BAQO;AAYP,IAAAA,0BAWO;","names":["import_passkey_manager","runWithPromptMode","import_passkey_manager"]}

package/dist/web.d.cts

@@ -0,0 +1,32 @@
+import { b as PasskeyPopupContext, P as PasskeyStoredSigningResult, a as PasskeyClientCapabilities } from './types-_HRzmn-j.cjs';
+export { c as PasskeyPopupAccount } from './types-_HRzmn-j.cjs';
+import { PasskeyRegistrationResult, PasskeySigningResult, PasskeyMetadata, PasskeyDiscoverableSigningResult } from '@thru/passkey-manager';
+export { P256_HALF_N, P256_N, PasskeyDiscoverableSigningResult, PasskeyMetadata, PasskeyRegistrationResult, PasskeySigningResult, arrayBufferToBase64Url, base64UrlToArrayBuffer, base64UrlToBytes, bigIntToBytesBE, bytesEqual, bytesToBase64, bytesToBase64Url, bytesToBigIntBE, bytesToHex, compareBytes, hexToBytes, normalizeLowS, normalizeSignatureComponent, parseDerSignature, uniqueAccounts } from '@thru/passkey-manager';
+
+/**
+ * Register a new passkey for a profile.
+ */
+declare function registerPasskey(alias: string, userId: string, rpId: string): Promise<PasskeyRegistrationResult>;
+
+/**
+ * Sign a challenge with an existing passkey (by credential ID).
+ */
+declare function signWithPasskey(credentialId: string, challenge: Uint8Array, rpId: string): Promise<PasskeySigningResult>;
+/**
+ * Sign with stored passkey (for embedded/popup contexts).
+ */
+declare function signWithStoredPasskey(challenge: Uint8Array, rpId: string, preferredPasskey: PasskeyMetadata | null, allPasskeys: PasskeyMetadata[], context?: PasskeyPopupContext): Promise<PasskeyStoredSigningResult>;
+/**
+ * Sign with a discoverable passkey (no credential ID - browser prompts user to select).
+ */
+declare function signWithDiscoverablePasskey(challenge: Uint8Array, rpId: string): Promise<PasskeyDiscoverableSigningResult>;
+
+declare function isWebAuthnSupported(): boolean;
+declare function preloadPasskeyClientCapabilities(): void;
+declare function getPasskeyClientCapabilities(): Promise<PasskeyClientCapabilities | null>;
+declare function getCachedPasskeyClientCapabilities(): PasskeyClientCapabilities | null | undefined;
+declare function isInIframe(): boolean;
+type PasskeyPromptAction = 'get' | 'create';
+declare function shouldUsePasskeyPopup(action: PasskeyPromptAction): Promise<boolean>;
+
+export { PasskeyClientCapabilities, PasskeyPopupContext, type PasskeyPromptAction, PasskeyStoredSigningResult, getCachedPasskeyClientCapabilities, getPasskeyClientCapabilities, isInIframe, isWebAuthnSupported, preloadPasskeyClientCapabilities, registerPasskey, shouldUsePasskeyPopup, signWithDiscoverablePasskey, signWithPasskey, signWithStoredPasskey };

package/dist/web.d.ts

@@ -0,0 +1,32 @@
+import { b as PasskeyPopupContext, P as PasskeyStoredSigningResult, a as PasskeyClientCapabilities } from './types-_HRzmn-j.js';
+export { c as PasskeyPopupAccount } from './types-_HRzmn-j.js';
+import { PasskeyRegistrationResult, PasskeySigningResult, PasskeyMetadata, PasskeyDiscoverableSigningResult } from '@thru/passkey-manager';
+export { P256_HALF_N, P256_N, PasskeyDiscoverableSigningResult, PasskeyMetadata, PasskeyRegistrationResult, PasskeySigningResult, arrayBufferToBase64Url, base64UrlToArrayBuffer, base64UrlToBytes, bigIntToBytesBE, bytesEqual, bytesToBase64, bytesToBase64Url, bytesToBigIntBE, bytesToHex, compareBytes, hexToBytes, normalizeLowS, normalizeSignatureComponent, parseDerSignature, uniqueAccounts } from '@thru/passkey-manager';
+
+/**
+ * Register a new passkey for a profile.
+ */
+declare function registerPasskey(alias: string, userId: string, rpId: string): Promise<PasskeyRegistrationResult>;
+
+/**
+ * Sign a challenge with an existing passkey (by credential ID).
+ */
+declare function signWithPasskey(credentialId: string, challenge: Uint8Array, rpId: string): Promise<PasskeySigningResult>;
+/**
+ * Sign with stored passkey (for embedded/popup contexts).
+ */
+declare function signWithStoredPasskey(challenge: Uint8Array, rpId: string, preferredPasskey: PasskeyMetadata | null, allPasskeys: PasskeyMetadata[], context?: PasskeyPopupContext): Promise<PasskeyStoredSigningResult>;
+/**
+ * Sign with a discoverable passkey (no credential ID - browser prompts user to select).
+ */
+declare function signWithDiscoverablePasskey(challenge: Uint8Array, rpId: string): Promise<PasskeyDiscoverableSigningResult>;
+
+declare function isWebAuthnSupported(): boolean;
+declare function preloadPasskeyClientCapabilities(): void;
+declare function getPasskeyClientCapabilities(): Promise<PasskeyClientCapabilities | null>;
+declare function getCachedPasskeyClientCapabilities(): PasskeyClientCapabilities | null | undefined;
+declare function isInIframe(): boolean;
+type PasskeyPromptAction = 'get' | 'create';
+declare function shouldUsePasskeyPopup(action: PasskeyPromptAction): Promise<boolean>;
+
+export { PasskeyClientCapabilities, PasskeyPopupContext, type PasskeyPromptAction, PasskeyStoredSigningResult, getCachedPasskeyClientCapabilities, getPasskeyClientCapabilities, isInIframe, isWebAuthnSupported, preloadPasskeyClientCapabilities, registerPasskey, shouldUsePasskeyPopup, signWithDiscoverablePasskey, signWithPasskey, signWithStoredPasskey };

package/dist/web.js

@@ -0,0 +1,60 @@
+import {
+  P256_HALF_N,
+  P256_N,
+  arrayBufferToBase64Url,
+  base64UrlToArrayBuffer,
+  base64UrlToBytes,
+  bigIntToBytesBE,
+  bytesEqual,
+  bytesToBase64,
+  bytesToBase64Url,
+  bytesToBigIntBE,
+  bytesToHex,
+  compareBytes,
+  getCachedPasskeyClientCapabilities,
+  getPasskeyClientCapabilities,
+  hexToBytes,
+  isInIframe,
+  isWebAuthnSupported,
+  normalizeLowS,
+  normalizeSignatureComponent,
+  parseDerSignature,
+  preloadPasskeyClientCapabilities,
+  registerPasskey,
+  shouldUsePasskeyPopup,
+  signWithDiscoverablePasskey,
+  signWithPasskey,
+  signWithStoredPasskey,
+  uniqueAccounts
+} from "./chunk-B5SN7AS7.js";
+import "./chunk-LNDWK3FA.js";
+export {
+  P256_HALF_N,
+  P256_N,
+  arrayBufferToBase64Url,
+  base64UrlToArrayBuffer,
+  base64UrlToBytes,
+  bigIntToBytesBE,
+  bytesEqual,
+  bytesToBase64,
+  bytesToBase64Url,
+  bytesToBigIntBE,
+  bytesToHex,
+  compareBytes,
+  getCachedPasskeyClientCapabilities,
+  getPasskeyClientCapabilities,
+  hexToBytes,
+  isInIframe,
+  isWebAuthnSupported,
+  normalizeLowS,
+  normalizeSignatureComponent,
+  parseDerSignature,
+  preloadPasskeyClientCapabilities,
+  registerPasskey,
+  shouldUsePasskeyPopup,
+  signWithDiscoverablePasskey,
+  signWithPasskey,
+  signWithStoredPasskey,
+  uniqueAccounts
+};
+//# sourceMappingURL=web.js.map

package/dist/web.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@thru/passkey",
-  "version": "0.2.13",
+  "version": "0.2.14",
   "type": "module",
   "main": "./dist/index.cjs",
   "module": "./dist/index.js",
@@ -10,10 +10,55 @@
       "types": "./dist/index.d.ts",
       "import": "./dist/index.js",
       "require": "./dist/index.cjs"
+    },
+    "./web": {
+      "types": "./dist/web.d.ts",
+      "import": "./dist/web.js",
+      "require": "./dist/web.cjs"
+    },
+    "./popup": {
+      "types": "./dist/popup.d.ts",
+      "import": "./dist/popup.js",
+      "require": "./dist/popup.cjs"
+    },
+    "./mobile": {
+      "types": "./dist/mobile.d.ts",
+      "import": "./dist/mobile.js",
+      "require": "./dist/mobile.cjs"
+    },
+    "./auth": {
+      "types": "./dist/auth.d.ts",
+      "import": "./dist/auth.js",
+      "require": "./dist/auth.cjs"
+    },
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js",
+      "require": "./dist/server.cjs"
     }
   },
   "dependencies": {
-    "@thru/passkey-manager": "0.2.13"
+    "@thru/passkey-manager": "0.2.14"
+  },
+  "peerDependencies": {
+    "expo-secure-store": "*",
+    "react-native": "*",
+    "react-native-passkeys": "*",
+    "zustand": ">=4"
+  },
+  "peerDependenciesMeta": {
+    "expo-secure-store": {
+      "optional": true
+    },
+    "react-native": {
+      "optional": true
+    },
+    "react-native-passkeys": {
+      "optional": true
+    },
+    "zustand": {
+      "optional": true
+    }
   },
   "devDependencies": {
     "tsup": "^8.5.0",

package/src/auth/execute-tx.ts

@@ -0,0 +1,87 @@
+import { base64UrlToBytes, bytesToBase64, bytesToHex } from '@thru/passkey-manager';
+import { signWithPasskey } from '../mobile/passkey';
+import { touchPasskeyLastUsedAt } from '../mobile/storage';
+
+async function readJson(response: Response): Promise<Record<string, unknown>> {
+  try {
+    return (await response.json()) as Record<string, unknown>;
+  } catch {
+    throw new Error(`Non-JSON response (HTTP ${response.status})`);
+  }
+}
+
+export async function executePasskeyTransaction<
+  P extends Record<string, unknown>,
+  R
+>(opts: {
+  challengeUrl: string;
+  submitUrl: string;
+  params: P;
+  credentialId: string;
+  rpId: string;
+}): Promise<R> {
+  let challengeRes: Response;
+  try {
+    challengeRes = await fetch(opts.challengeUrl, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(opts.params),
+    });
+  } catch {
+    throw new Error('Network request failed (challenge)');
+  }
+
+  const challengeData = await readJson(challengeRes);
+  if (!challengeRes.ok || challengeData.success !== true) {
+    throw new Error(
+      typeof challengeData.error === 'string'
+        ? challengeData.error
+        : 'Failed to get challenge'
+    );
+  }
+
+  if (typeof challengeData.challenge !== 'string') {
+    throw new Error('Challenge response did not include a challenge');
+  }
+
+  const challengeBytes = base64UrlToBytes(challengeData.challenge);
+  const signature = await signWithPasskey(
+    opts.credentialId,
+    challengeBytes,
+    opts.rpId
+  );
+  await touchPasskeyLastUsedAt().catch((error) => {
+    console.warn('Failed to update passkey last-used timestamp:', error);
+  });
+
+  const { success: _success, error: _error, ...challengeFields } = challengeData;
+
+  let submitRes: Response;
+  try {
+    submitRes = await fetch(opts.submitUrl, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        ...opts.params,
+        ...challengeFields,
+        signatureR: bytesToHex(signature.signatureR),
+        signatureS: bytesToHex(signature.signatureS),
+        authenticatorData: bytesToBase64(signature.authenticatorData),
+        clientDataJSON: bytesToBase64(signature.clientDataJSON),
+      }),
+    });
+  } catch {
+    throw new Error('Network request failed (submit)');
+  }
+
+  const submitData = await readJson(submitRes);
+  if (!submitRes.ok || submitData.success !== true) {
+    throw new Error(
+      typeof submitData.error === 'string'
+        ? submitData.error
+        : 'Failed to submit transaction'
+    );
+  }
+
+  return submitData as R;
+}

package/src/auth/index.ts

@@ -0,0 +1,18 @@
+export type {
+  PasskeyApiUser,
+  PasskeyAuthApiResponse,
+  PasskeyUser,
+  PasskeyAuthConfig,
+  PasskeyAuthState,
+  PasskeyAuthActions,
+  PasskeyAuthStore,
+  PasskeyAuthBoundStore,
+} from './types';
+
+export { executePasskeyTransaction } from './execute-tx';
+
+export {
+  createPasskeyAuthStore,
+  getPasskeyAuthStore,
+  usePasskeyAuth,
+} from './use-passkey-auth';

package/src/auth/types.ts

@@ -0,0 +1,56 @@
+import type { StoreApi, UseBoundStore } from 'zustand';
+
+export interface PasskeyApiUser<TExtra = Record<string, never>> {
+  id: string;
+  publicKey: string;
+  tokenAccountAddress?: string | null;
+  extras?: TExtra;
+}
+
+export interface PasskeyAuthApiResponse<TExtra = Record<string, never>> {
+  success: boolean;
+  user: PasskeyApiUser<TExtra>;
+}
+
+export interface PasskeyUser<TExtra = Record<string, never>> {
+  id: string;
+  displayName: string;
+  tokenAccountAddress?: string | null;
+  extras?: TExtra;
+}
+
+export interface PasskeyAuthConfig {
+  apiUrl: string;
+  alias?: string;
+  rpId?: string;
+  rpName?: string;
+}
+
+export interface PasskeyAuthState<TExtra = Record<string, never>> {
+  isAuthenticated: boolean;
+  isLoading: boolean;
+  isInitialized: boolean;
+  hasExistingPasskey: boolean;
+  needsNewPasskey: boolean;
+  error: string | null;
+  user: PasskeyUser<TExtra> | null;
+  address: string | null;
+  activeCredentialId: string | null;
+}
+
+export interface PasskeyAuthActions<TExtra = Record<string, never>> {
+  initialize: () => Promise<void>;
+  createWallet: () => Promise<boolean>;
+  unlockWithPasskey: () => Promise<boolean>;
+  recoverWithDiscoverablePasskey: () => Promise<boolean>;
+  logout: () => Promise<void>;
+  clearError: () => void;
+  dismissNewPasskey: () => void;
+}
+
+export type PasskeyAuthStore<TExtra = Record<string, never>> =
+  PasskeyAuthState<TExtra> & PasskeyAuthActions<TExtra>;
+
+export type PasskeyAuthBoundStore<TExtra = Record<string, never>> = UseBoundStore<
+  StoreApi<PasskeyAuthStore<TExtra>>
+>;