@thru/passkey 0.2.21 → 0.2.22

package/src/server/submit.ts

@@ -3,8 +3,8 @@ import {
   concatenateInstructions,
   encodeValidateInstruction,
   hexToBytes,
-} from '@thru/passkey-manager';
-import type { AccountContext } from '@thru/passkey-manager';
+} from '@thru/programs/passkey-manager';
+import type { AccountContext } from '@thru/programs/passkey-manager';
 import { trackTransaction, withSerializedFeePayer } from './utils';
 import type {
   BuiltPasskeyTransaction,
@@ -14,6 +14,27 @@ import type {
   TransactionResult,
 } from './types';
 
+function base64ToBytes(base64: string): Uint8Array {
+  type BufferLike = {
+    from(value: string, encoding: 'base64'): Uint8Array;
+  };
+  const globalBuffer = (globalThis as { Buffer?: BufferLike }).Buffer;
+  if (globalBuffer) {
+    return globalBuffer.from(base64, 'base64');
+  }
+
+  if (typeof atob === 'function') {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+
+  throw new Error('Base64 decoding is not supported in this environment');
+}
+
 /**
  * Builds and signs a passkey-manager transaction without submitting it.
  *
@@ -35,8 +56,8 @@ export async function buildPasskeyTransaction(opts: {
     authIdx: 0,
     signatureR: hexToBytes(opts.signatureR),
     signatureS: hexToBytes(opts.signatureS),
-    authenticatorData: Buffer.from(opts.authenticatorData, 'base64'),
-    clientDataJSON: Buffer.from(opts.clientDataJSON, 'base64'),
+    authenticatorData: base64ToBytes(opts.authenticatorData),
+    clientDataJSON: base64ToBytes(opts.clientDataJSON),
   });
 
   const instructionData = concatenateInstructions([validateIx, opts.invokeIx]);

package/src/server/types.ts

@@ -1,5 +1,5 @@
-import type { AccountContext } from '@thru/passkey-manager';
-import type { TransactionHeaderConfig } from '@thru/thru-sdk';
+import type { AccountContext } from '@thru/programs/passkey-manager';
+import type { TransactionHeaderConfig } from '@thru/sdk';
 
 export type PasskeyTransactionHeaderOverrides = TransactionHeaderConfig;
 

package/src/server/utils.ts

@@ -1,4 +1,4 @@
-import { encodeAddress } from '@thru/helpers';
+import { encodeAddress } from '@thru/sdk/helpers';
 import type { ThruClient, TransactionResult } from './types';
 
 const feePayerQueueSymbol = Symbol.for('thru.sharedFeePayerQueues');

package/src/sign.ts

@@ -6,6 +6,7 @@ import type {
   PasskeyPopupContext,
   PasskeyPopupSigningResult,
   PasskeyPopupStoredSigningResult,
+  PasskeyStoredSigningOptions,
 } from './types';
 import {
   arrayBufferToBase64Url,
@@ -14,7 +15,7 @@ import {
   base64UrlToBytes,
   parseDerSignature,
   normalizeLowS,
-} from '@thru/passkey-manager';
+} from '@thru/programs/passkey-manager';
 import {
   isWebAuthnSupported,
   getPasskeyPromptMode,
@@ -23,7 +24,11 @@ import {
   shouldFallbackToPopup,
   type PasskeyPromptAction,
 } from './capabilities';
-import { requestPasskeyPopup, openPasskeyPopupWindow, closePopup } from './popup';
+import {
+  requestPasskeyPopup,
+  openPasskeyPopupWindow,
+  closePopup,
+} from './popup';
 
 /**
  * Sign a challenge with an existing passkey (by credential ID).
@@ -40,7 +45,8 @@ export async function signWithPasskey(
   return runWithPromptMode(
     'get',
     () => signWithPasskeyInline(credentialId, challenge, rpId),
-    (preopenedPopup) => signWithPasskeyViaPopup(credentialId, challenge, rpId, preopenedPopup)
+    (preopenedPopup) =>
+      signWithPasskeyViaPopup(credentialId, challenge, rpId, preopenedPopup)
   );
 }
 
@@ -52,16 +58,31 @@ export async function signWithStoredPasskey(
   rpId: string,
   preferredPasskey: PasskeyMetadata | null,
   allPasskeys: PasskeyMetadata[],
-  context?: PasskeyPopupContext
+  context?: PasskeyPopupContext,
+  options: PasskeyStoredSigningOptions = {}
 ): Promise<PasskeyStoredSigningResult> {
   if (!isWebAuthnSupported()) {
     throw new Error('WebAuthn is not supported in this browser');
   }
 
-  const preopenedPopup = maybePreopenPopup('get', openPasskeyPopupWindow);
-  const promptMode = await getPasskeyPromptMode('get');
+  const allowPopupFallback = options.allowPopupFallback ?? true;
+  const preopenedPopup = allowPopupFallback
+    ? maybePreopenPopup('get', openPasskeyPopupWindow)
+    : null;
+  const promptMode = allowPopupFallback
+    ? await getPasskeyPromptMode('get')
+    : 'inline';
   const storedPasskey = preferredPasskey;
-  const canUsePopup = isInIframe();
+  const canUsePopup = allowPopupFallback && isInIframe();
+
+  if (options.preferDiscoverable) {
+    closePopup(preopenedPopup);
+    return signWithDiscoverableStoredPasskey(
+      challenge,
+      storedPasskey?.rpId ?? rpId,
+      allPasskeys
+    );
+  }
 
   if (promptMode === 'popup' || (canUsePopup && !storedPasskey)) {
     return requestStoredPasskeyPopup(challenge, preopenedPopup, context);
@@ -71,37 +92,29 @@ export async function signWithStoredPasskey(
 
   try {
     if (storedPasskey) {
-      const result = await signWithPasskeyInline(
-        storedPasskey.credentialId,
-        challenge,
-        storedPasskey.rpId
-      );
-      return {
-        ...result,
-        passkey: storedPasskey,
-      };
+      try {
+        const result = await signWithPasskeyInline(
+          storedPasskey.credentialId,
+          challenge,
+          storedPasskey.rpId
+        );
+        return {
+          ...result,
+          passkey: storedPasskey,
+        };
+      } catch (error) {
+        if (!shouldFallbackToDiscoverable(error)) {
+          throw error;
+        }
+        return signWithDiscoverableStoredPasskey(
+          challenge,
+          storedPasskey.rpId,
+          allPasskeys
+        );
+      }
     }
 
-    const discoverable = await signWithDiscoverablePasskey(challenge, rpId);
-    const matchingPasskey = allPasskeys.find(p => p.credentialId === discoverable.credentialId) ?? null;
-    const now = new Date().toISOString();
-    const passkey = matchingPasskey ?? {
-      credentialId: discoverable.credentialId,
-      publicKeyX: '',
-      publicKeyY: '',
-      rpId: discoverable.rpId,
-      createdAt: now,
-      lastUsedAt: now,
-    };
-
-    return {
-      signature: discoverable.signature,
-      authenticatorData: discoverable.authenticatorData,
-      clientDataJSON: discoverable.clientDataJSON,
-      signatureR: discoverable.signatureR,
-      signatureS: discoverable.signatureS,
-      passkey,
-    };
+    return signWithDiscoverableStoredPasskey(challenge, rpId, allPasskeys);
   } catch (error) {
     if (canUsePopup && shouldFallbackToPopup(error)) {
       return requestStoredPasskeyPopup(challenge, undefined, context);
@@ -111,6 +124,66 @@ export async function signWithStoredPasskey(
   }
 }
 
+async function signWithDiscoverableStoredPasskey(
+  challenge: Uint8Array,
+  rpId: string,
+  allPasskeys: PasskeyMetadata[]
+): Promise<PasskeyStoredSigningResult> {
+  const discoverable = await signWithDiscoverablePasskey(challenge, rpId);
+  const matchingPasskey =
+    allPasskeys.find((p) => p.credentialId === discoverable.credentialId) ??
+    null;
+  const now = new Date().toISOString();
+  const passkey = matchingPasskey ?? {
+    credentialId: discoverable.credentialId,
+    publicKeyX: '',
+    publicKeyY: '',
+    rpId: discoverable.rpId,
+    createdAt: now,
+    lastUsedAt: now,
+  };
+
+  return {
+    signature: discoverable.signature,
+    authenticatorData: discoverable.authenticatorData,
+    clientDataJSON: discoverable.clientDataJSON,
+    signatureR: discoverable.signatureR,
+    signatureS: discoverable.signatureS,
+    authenticatorAttachment: discoverable.authenticatorAttachment,
+    passkey,
+  };
+}
+
+function shouldFallbackToDiscoverable(error: unknown): boolean {
+  const name =
+    error && typeof error === 'object' && 'name' in error
+      ? String((error as { name?: unknown }).name)
+      : '';
+  const message =
+    error && typeof error === 'object' && 'message' in error
+      ? String((error as { message?: unknown }).message)
+      : '';
+  const normalized = `${name} ${message}`.toLowerCase();
+
+  if (
+    normalized.includes('user rejected') ||
+    normalized.includes('user canceled') ||
+    normalized.includes('user cancelled')
+  ) {
+    return false;
+  }
+
+  return (
+    normalized.includes('notallowederror') ||
+    normalized.includes('invalidstateerror') ||
+    normalized.includes('notfounderror') ||
+    normalized.includes('not found') ||
+    normalized.includes('no passkey') ||
+    normalized.includes('no credential') ||
+    normalized.includes('saved for this app')
+  );
+}
+
 /**
  * Sign with a discoverable passkey (no credential ID - browser prompts user to select).
  */
@@ -133,6 +206,7 @@ export async function signWithDiscoverablePasskey(
     signatureS: result.signatureS,
     credentialId: result.credentialId,
     rpId: resolvedRpId,
+    authenticatorAttachment: result.authenticatorAttachment,
   };
 }
 
@@ -173,6 +247,7 @@ async function signWithPasskeyInline(
     clientDataJSON: result.clientDataJSON,
     signatureR: result.signatureR,
     signatureS: result.signatureS,
+    authenticatorAttachment: result.authenticatorAttachment,
   };
 }
 
@@ -214,6 +289,17 @@ async function signWithPasskeyAssertion(
   let { r, s } = parseDerSignature(signature);
   s = normalizeLowS(s);
 
+  /* `authenticatorAttachment` distinguishes a same-device passkey
+     ('platform') from a cross-device one signed via QR / hybrid
+     transport ('cross-platform'). Drives the wallet's add-device
+     prompt. Browsers may report null. */
+  const rawAttachment =
+    (
+      assertion as PublicKeyCredential & {
+        authenticatorAttachment?: AuthenticatorAttachment | null;
+      }
+    ).authenticatorAttachment ?? null;
+
   return {
     signature: new Uint8Array([...r, ...s]),
     authenticatorData: new Uint8Array(response.authenticatorData),
@@ -221,6 +307,7 @@ async function signWithPasskeyAssertion(
     signatureR: r,
     signatureS: s,
     credentialId: arrayBufferToBase64Url(assertion.rawId),
+    authenticatorAttachment: rawAttachment,
   };
 }
 
@@ -259,13 +346,16 @@ async function requestStoredPasskeyPopup(
   return decodePopupStoredSigningResult(result);
 }
 
-function decodePopupSigningResult(result: PasskeyPopupSigningResult): PasskeySigningResult {
+function decodePopupSigningResult(
+  result: PasskeyPopupSigningResult
+): PasskeySigningResult {
   return {
     signature: base64UrlToBytes(result.signatureBase64Url),
     authenticatorData: base64UrlToBytes(result.authenticatorDataBase64Url),
     clientDataJSON: base64UrlToBytes(result.clientDataJSONBase64Url),
     signatureR: base64UrlToBytes(result.signatureRBase64Url),
     signatureS: base64UrlToBytes(result.signatureSBase64Url),
+    authenticatorAttachment: result.authenticatorAttachment ?? null,
   };
 }
 

package/src/types.ts

@@ -1,4 +1,4 @@
-import type { PasskeySigningResult, PasskeyMetadata } from '@thru/passkey-manager';
+import type { PasskeySigningResult, PasskeyMetadata } from '@thru/programs/passkey-manager';
 
 // Re-export platform-agnostic types for backward compatibility
 export type {
@@ -6,7 +6,7 @@ export type {
   PasskeySigningResult,
   PasskeyDiscoverableSigningResult,
   PasskeyMetadata,
-} from '@thru/passkey-manager';
+} from '@thru/programs/passkey-manager';
 
 /**
  * Signing result with stored passkey metadata attached.
@@ -44,6 +44,25 @@ export interface PasskeyPopupContext {
   imageUrl?: string;
 }
 
+/**
+ * Options for stored passkey signing in embedded contexts.
+ */
+export interface PasskeyStoredSigningOptions {
+  allowPopupFallback?: boolean;
+  /** Prefer an RP-scoped discoverable credential prompt over a stored
+   * credential-id lookup. Native WebViews can show misleading
+   * app-level "no passkey" UI when allowCredentials is stale, while a
+   * discoverable prompt correctly lets the wallet/RP choose the passkey. */
+  preferDiscoverable?: boolean;
+}
+
+/**
+ * Options for passkey registration in embedded contexts.
+ */
+export interface PasskeyRegistrationOptions {
+  allowPopupFallback?: boolean;
+}
+
 /**
  * Account info passed through popup bridge.
  */
@@ -95,6 +114,7 @@ export interface PasskeyPopupSigningResult {
   clientDataJSONBase64Url: string;
   signatureRBase64Url: string;
   signatureSBase64Url: string;
+  authenticatorAttachment?: 'platform' | 'cross-platform' | null;
 }
 
 export interface PasskeyPopupStoredPasskey {
@@ -103,6 +123,10 @@ export interface PasskeyPopupStoredPasskey {
   publicKeyY: string;
   rpId: string;
   label?: string;
+  deviceName?: string;
+  devicePlatform?: string;
+  browserName?: string;
+  authenticatorAttachment?: 'platform' | 'cross-platform' | null;
   createdAt: string;
   lastUsedAt: string;
 }
@@ -117,6 +141,7 @@ export interface PasskeyPopupRegistrationResult {
   publicKeyX: string;
   publicKeyY: string;
   rpId: string;
+  authenticatorAttachment?: 'platform' | 'cross-platform' | null;
 }
 
 export type PasskeyPopupResponse =

package/src/web.ts

@@ -7,9 +7,13 @@ export type {
   PasskeyClientCapabilities,
   PasskeyPopupContext,
   PasskeyPopupAccount,
+  PasskeyStoredSigningOptions,
+  PasskeyRegistrationOptions,
 } from './types';
 
 export { registerPasskey } from './register';
+export { createDistinctPasskeyLabel } from './label';
+export type { DistinctPasskeyLabelOptions } from './label';
 
 export {
   signWithPasskey,
@@ -25,7 +29,7 @@ export {
   P256_HALF_N,
   bytesToBigIntBE,
   bigIntToBytesBE,
-} from '@thru/passkey-manager';
+} from '@thru/programs/passkey-manager';
 
 export {
   isWebAuthnSupported,
@@ -48,4 +52,4 @@ export {
   bytesEqual,
   compareBytes,
   uniqueAccounts,
-} from '@thru/passkey-manager';
+} from '@thru/programs/passkey-manager';

package/tsconfig.json

@@ -4,9 +4,10 @@
     "outDir": "./dist",
     "rootDir": "..",
     "baseUrl": ".",
+    "ignoreDeprecations": "6.0",
     "paths": {
-      "@thru/helpers": ["../helpers/src/index.ts"],
-      "@thru/passkey-manager": ["../passkey-manager/src/index.ts"]
+      "@thru/sdk/helpers": ["../sdk/src/helpers/index.ts"],
+      "@thru/programs/passkey-manager": ["../programs/src/passkey-manager/index.ts"]
     }
   },
   "include": ["src/**/*"],

package/tsup.config.ts

@@ -8,6 +8,7 @@ export default defineConfig({
     popup: 'src/popup-entry.ts',
     mobile: 'src/mobile/index.ts',
     auth: 'src/auth/index.ts',
+    'auth/add-device': 'src/auth/add-device.ts',
     server: 'src/server/index.ts',
   },
   external: ['expo-secure-store', 'react-native', 'react-native-passkeys', 'zustand'],

package/dist/chunk-2JHC7OOH.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/mobile/errors.ts","../src/mobile/storage.ts","../src/mobile/passkey.ts"],"sourcesContent":["const PASSKEY_ERRORS = {\n  USER_CANCELLED: [\n    'error 1001',\n    'UserCancelled',\n    'Passkey authentication was cancelled',\n    'Passkey registration was cancelled',\n  ],\n  NOT_FOUND: [\n    'not found',\n    'No credentials available',\n    'no passkey',\n    'NoCredentials',\n  ],\n} as const;\n\nexport type PasskeyErrorKind = keyof typeof PASSKEY_ERRORS;\n\nexport function classifyPasskeyError(error: unknown): PasskeyErrorKind | null {\n  const message =\n    error instanceof Error ? error.message : typeof error === 'string' ? error : null;\n\n  if (!message) return null;\n\n  for (const [kind, patterns] of Object.entries(PASSKEY_ERRORS)) {\n    if (patterns.some((pattern) => message.includes(pattern))) {\n      return kind as PasskeyErrorKind;\n    }\n  }\n\n  return null;\n}\n","import * as SecureStore from 'expo-secure-store';\nimport type { PasskeyMetadata } from '@thru/passkey-manager';\n\nconst SECURE_STORE_OPTS = {\n  keychainAccessible: SecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY,\n} as const;\n\nconst PASSKEY_CREDENTIAL_ID_KEY = 'thru_passkey_credential_id';\nconst PASSKEY_PUBLIC_KEY_X_KEY = 'thru_passkey_pubkey_x';\nconst PASSKEY_PUBLIC_KEY_Y_KEY = 'thru_passkey_pubkey_y';\nconst PASSKEY_RP_ID_KEY = 'thru_passkey_rp_id';\nconst PASSKEY_LABEL_KEY = 'thru_passkey_label';\nconst PASSKEY_CREATED_AT_KEY = 'thru_passkey_created_at';\nconst PASSKEY_LAST_USED_AT_KEY = 'thru_passkey_last_used_at';\n\nconst ADDRESS_KEY = 'thru_address';\nconst USER_ID_KEY = 'thru_user_id';\nconst TOKEN_ACCOUNT_KEY = 'thru_token_account';\n\nexport async function storePasskeyMetadata(metadata: PasskeyMetadata): Promise<void> {\n  await Promise.all([\n    SecureStore.setItemAsync(PASSKEY_CREDENTIAL_ID_KEY, metadata.credentialId, SECURE_STORE_OPTS),\n    SecureStore.setItemAsync(PASSKEY_PUBLIC_KEY_X_KEY, metadata.publicKeyX, SECURE_STORE_OPTS),\n    SecureStore.setItemAsync(PASSKEY_PUBLIC_KEY_Y_KEY, metadata.publicKeyY, SECURE_STORE_OPTS),\n    SecureStore.setItemAsync(PASSKEY_RP_ID_KEY, metadata.rpId, SECURE_STORE_OPTS),\n    SecureStore.setItemAsync(PASSKEY_LABEL_KEY, metadata.label ?? '', SECURE_STORE_OPTS),\n    SecureStore.setItemAsync(PASSKEY_CREATED_AT_KEY, metadata.createdAt, SECURE_STORE_OPTS),\n    SecureStore.setItemAsync(PASSKEY_LAST_USED_AT_KEY, metadata.lastUsedAt, SECURE_STORE_OPTS),\n  ]);\n}\n\nexport async function getStoredPasskeyMetadata(): Promise<PasskeyMetadata | null> {\n  const credentialId = await SecureStore.getItemAsync(PASSKEY_CREDENTIAL_ID_KEY);\n  if (!credentialId) return null;\n\n  const [publicKeyX, publicKeyY, rpId, label, createdAt, lastUsedAt] = await Promise.all([\n    SecureStore.getItemAsync(PASSKEY_PUBLIC_KEY_X_KEY),\n    SecureStore.getItemAsync(PASSKEY_PUBLIC_KEY_Y_KEY),\n    SecureStore.getItemAsync(PASSKEY_RP_ID_KEY),\n    SecureStore.getItemAsync(PASSKEY_LABEL_KEY),\n    SecureStore.getItemAsync(PASSKEY_CREATED_AT_KEY),\n    SecureStore.getItemAsync(PASSKEY_LAST_USED_AT_KEY),\n  ]);\n\n  if (!rpId || !createdAt) return null;\n\n  return {\n    credentialId,\n    publicKeyX: publicKeyX ?? '',\n    publicKeyY: publicKeyY ?? '',\n    rpId,\n    label: label || undefined,\n    createdAt,\n    lastUsedAt: lastUsedAt ?? createdAt,\n  };\n}\n\nexport async function touchPasskeyLastUsedAt(lastUsedAt = new Date().toISOString()): Promise<string> {\n  await SecureStore.setItemAsync(PASSKEY_LAST_USED_AT_KEY, lastUsedAt, SECURE_STORE_OPTS);\n  return lastUsedAt;\n}\n\nexport async function hasStoredPasskey(): Promise<boolean> {\n  return (await SecureStore.getItemAsync(PASSKEY_CREDENTIAL_ID_KEY)) !== null;\n}\n\nexport async function clearPasskeyMetadata(): Promise<void> {\n  await Promise.all([\n    SecureStore.deleteItemAsync(PASSKEY_CREDENTIAL_ID_KEY),\n    SecureStore.deleteItemAsync(PASSKEY_PUBLIC_KEY_X_KEY),\n    SecureStore.deleteItemAsync(PASSKEY_PUBLIC_KEY_Y_KEY),\n    SecureStore.deleteItemAsync(PASSKEY_RP_ID_KEY),\n    SecureStore.deleteItemAsync(PASSKEY_LABEL_KEY),\n    SecureStore.deleteItemAsync(PASSKEY_CREATED_AT_KEY),\n    SecureStore.deleteItemAsync(PASSKEY_LAST_USED_AT_KEY),\n  ]);\n}\n\nexport async function storeWalletInfo(\n  address: string,\n  userId: string,\n  tokenAccountAddress?: string\n): Promise<void> {\n  await Promise.all([\n    SecureStore.setItemAsync(ADDRESS_KEY, address, SECURE_STORE_OPTS),\n    SecureStore.setItemAsync(USER_ID_KEY, userId, SECURE_STORE_OPTS),\n    tokenAccountAddress\n      ? SecureStore.setItemAsync(TOKEN_ACCOUNT_KEY, tokenAccountAddress, SECURE_STORE_OPTS)\n      : SecureStore.deleteItemAsync(TOKEN_ACCOUNT_KEY),\n  ]);\n}\n\nexport async function hasStoredWallet(): Promise<boolean> {\n  return (await SecureStore.getItemAsync(ADDRESS_KEY)) !== null;\n}\n\nexport async function getStoredAddress(): Promise<string | null> {\n  return SecureStore.getItemAsync(ADDRESS_KEY);\n}\n\nexport async function getStoredUserId(): Promise<string | null> {\n  return SecureStore.getItemAsync(USER_ID_KEY);\n}\n\nexport async function getStoredTokenAccount(): Promise<string | null> {\n  return SecureStore.getItemAsync(TOKEN_ACCOUNT_KEY);\n}\n\nexport async function clearSession(): Promise<void> {\n  await Promise.all([\n    SecureStore.deleteItemAsync(ADDRESS_KEY),\n    SecureStore.deleteItemAsync(USER_ID_KEY),\n    SecureStore.deleteItemAsync(TOKEN_ACCOUNT_KEY),\n  ]);\n}\n","import { create as passkeyCreate, get as passkeyGet } from 'react-native-passkeys';\nimport {\n  bytesToBase64Url,\n  base64UrlToBytes,\n  normalizeLowS,\n  parseDerSignature,\n  type PasskeySigningResult,\n} from '@thru/passkey-manager';\nimport type {\n  DiscoverablePasskeyResult,\n  PasskeyMobileConfig,\n  PasskeyRegistrationResult,\n} from './types';\n\ntype ProcessLike = typeof globalThis & {\n  process?: {\n    env?: Record<string, string | undefined>;\n  };\n};\n\nfunction getDefaultConfig(config?: PasskeyMobileConfig): Required<PasskeyMobileConfig> {\n  const env = (globalThis as ProcessLike).process?.env ?? {};\n\n  return {\n    rpId: config?.rpId ?? env.EXPO_PUBLIC_PASSKEY_RP_ID ?? 'wallet.thru.org',\n    rpName: config?.rpName ?? env.EXPO_PUBLIC_PASSKEY_RP_NAME ?? 'Thru Wallet',\n  };\n}\n\nexport async function registerPasskey(\n  alias: string,\n  userId: string,\n  config?: PasskeyMobileConfig\n): Promise<PasskeyRegistrationResult> {\n  const { rpId, rpName } = getDefaultConfig(config);\n  const challenge = bytesToBase64Url(crypto.getRandomValues(new Uint8Array(32)));\n  const userIdB64 = bytesToBase64Url(new TextEncoder().encode(userId));\n\n  const result = await passkeyCreate({\n    challenge,\n    rp: { id: rpId, name: rpName },\n    user: { id: userIdB64, name: alias, displayName: alias },\n    pubKeyCredParams: [{ type: 'public-key', alg: -7 }],\n    authenticatorSelection: {\n      authenticatorAttachment: 'platform',\n      userVerification: 'required',\n      residentKey: 'required',\n    },\n    attestation: 'none',\n    timeout: 60000,\n  });\n\n  if (!result) {\n    throw new Error('Passkey registration was cancelled');\n  }\n\n  const publicKeyB64 = result.response.getPublicKey?.();\n  if (!publicKeyB64) {\n    throw new Error('Failed to retrieve public key from registration');\n  }\n\n  const keyBytes = base64UrlToBytes(publicKeyB64);\n  const { x, y } = extractP256Coordinates(keyBytes);\n\n  return {\n    credentialId: result.id,\n    publicKeyX: x,\n    publicKeyY: y,\n    rpId,\n  };\n}\n\nexport async function signWithPasskey(\n  credentialId: string,\n  challenge: Uint8Array,\n  rpId?: string\n): Promise<PasskeySigningResult> {\n  const resolvedRpId = rpId ?? getDefaultConfig().rpId;\n  const challengeB64 = bytesToBase64Url(challenge);\n\n  const result = await passkeyGet({\n    challenge: challengeB64,\n    rpId: resolvedRpId,\n    allowCredentials: [{ type: 'public-key', id: credentialId }],\n    userVerification: 'required',\n    timeout: 60000,\n  });\n\n  if (!result) {\n    throw new Error('Passkey authentication was cancelled');\n  }\n\n  const derSignature = base64UrlToBytes(result.response.signature);\n  let { r, s } = parseDerSignature(derSignature);\n  s = normalizeLowS(s);\n\n  return {\n    signature: new Uint8Array([...r, ...s]),\n    authenticatorData: base64UrlToBytes(result.response.authenticatorData),\n    clientDataJSON: base64UrlToBytes(result.response.clientDataJSON),\n    signatureR: r,\n    signatureS: s,\n  };\n}\n\nexport async function authenticateWithDiscoverablePasskey(\n  config?: Pick<PasskeyMobileConfig, 'rpId'>\n): Promise<DiscoverablePasskeyResult | null> {\n  const { rpId } = getDefaultConfig(config);\n\n  try {\n    const challenge = bytesToBase64Url(crypto.getRandomValues(new Uint8Array(32)));\n    const result = await passkeyGet({\n      challenge,\n      rpId,\n      userVerification: 'required',\n      timeout: 60000,\n    });\n\n    return result ? { credentialId: result.id, rpId } : null;\n  } catch {\n    return null;\n  }\n}\n\nexport function extractP256Coordinates(\n  keyBytes: Uint8Array\n): { x: Uint8Array; y: Uint8Array } {\n  if (keyBytes.length === 64) {\n    return {\n      x: keyBytes.slice(0, 32),\n      y: keyBytes.slice(32, 64),\n    };\n  }\n\n  if (keyBytes.length === 65 && keyBytes[0] === 0x04) {\n    return {\n      x: keyBytes.slice(1, 33),\n      y: keyBytes.slice(33, 65),\n    };\n  }\n\n  const pointStart = keyBytes.length - 65;\n  if (pointStart > 0 && keyBytes[pointStart] === 0x04) {\n    return {\n      x: keyBytes.slice(pointStart + 1, pointStart + 33),\n      y: keyBytes.slice(pointStart + 33, pointStart + 65),\n    };\n  }\n\n  throw new Error(\n    `Unsupported public key format (${keyBytes.length} bytes). Expected raw X||Y (64), uncompressed point (65), or SPKI DER (91).`\n  );\n}\n"],"mappings":";AAAA,IAAM,iBAAiB;AAAA,EACrB,gBAAgB;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,WAAW;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAIO,SAAS,qBAAqB,OAAyC;AAC5E,QAAM,UACJ,iBAAiB,QAAQ,MAAM,UAAU,OAAO,UAAU,WAAW,QAAQ;AAE/E,MAAI,CAAC,QAAS,QAAO;AAErB,aAAW,CAAC,MAAM,QAAQ,KAAK,OAAO,QAAQ,cAAc,GAAG;AAC7D,QAAI,SAAS,KAAK,CAAC,YAAY,QAAQ,SAAS,OAAO,CAAC,GAAG;AACzD,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;AC9BA,YAAY,iBAAiB;AAG7B,IAAM,oBAAoB;AAAA,EACxB,oBAAgC;AAClC;AAEA,IAAM,4BAA4B;AAClC,IAAM,2BAA2B;AACjC,IAAM,2BAA2B;AACjC,IAAM,oBAAoB;AAC1B,IAAM,oBAAoB;AAC1B,IAAM,yBAAyB;AAC/B,IAAM,2BAA2B;AAEjC,IAAM,cAAc;AACpB,IAAM,cAAc;AACpB,IAAM,oBAAoB;AAE1B,eAAsB,qBAAqB,UAA0C;AACnF,QAAM,QAAQ,IAAI;AAAA,IACJ,yBAAa,2BAA2B,SAAS,cAAc,iBAAiB;AAAA,IAChF,yBAAa,0BAA0B,SAAS,YAAY,iBAAiB;AAAA,IAC7E,yBAAa,0BAA0B,SAAS,YAAY,iBAAiB;AAAA,IAC7E,yBAAa,mBAAmB,SAAS,MAAM,iBAAiB;AAAA,IAChE,yBAAa,mBAAmB,SAAS,SAAS,IAAI,iBAAiB;AAAA,IACvE,yBAAa,wBAAwB,SAAS,WAAW,iBAAiB;AAAA,IAC1E,yBAAa,0BAA0B,SAAS,YAAY,iBAAiB;AAAA,EAC3F,CAAC;AACH;AAEA,eAAsB,2BAA4D;AAChF,QAAM,eAAe,MAAkB,yBAAa,yBAAyB;AAC7E,MAAI,CAAC,aAAc,QAAO;AAE1B,QAAM,CAAC,YAAY,YAAY,MAAM,OAAO,WAAW,UAAU,IAAI,MAAM,QAAQ,IAAI;AAAA,IACzE,yBAAa,wBAAwB;AAAA,IACrC,yBAAa,wBAAwB;AAAA,IACrC,yBAAa,iBAAiB;AAAA,IAC9B,yBAAa,iBAAiB;AAAA,IAC9B,yBAAa,sBAAsB;AAAA,IACnC,yBAAa,wBAAwB;AAAA,EACnD,CAAC;AAED,MAAI,CAAC,QAAQ,CAAC,UAAW,QAAO;AAEhC,SAAO;AAAA,IACL;AAAA,IACA,YAAY,cAAc;AAAA,IAC1B,YAAY,cAAc;AAAA,IAC1B;AAAA,IACA,OAAO,SAAS;AAAA,IAChB;AAAA,IACA,YAAY,cAAc;AAAA,EAC5B;AACF;AAEA,eAAsB,uBAAuB,cAAa,oBAAI,KAAK,GAAE,YAAY,GAAoB;AACnG,QAAkB,yBAAa,0BAA0B,YAAY,iBAAiB;AACtF,SAAO;AACT;AAEA,eAAsB,mBAAqC;AACzD,SAAQ,MAAkB,yBAAa,yBAAyB,MAAO;AACzE;AAEA,eAAsB,uBAAsC;AAC1D,QAAM,QAAQ,IAAI;AAAA,IACJ,4BAAgB,yBAAyB;AAAA,IACzC,4BAAgB,wBAAwB;AAAA,IACxC,4BAAgB,wBAAwB;AAAA,IACxC,4BAAgB,iBAAiB;AAAA,IACjC,4BAAgB,iBAAiB;AAAA,IACjC,4BAAgB,sBAAsB;AAAA,IACtC,4BAAgB,wBAAwB;AAAA,EACtD,CAAC;AACH;AAEA,eAAsB,gBACpB,SACA,QACA,qBACe;AACf,QAAM,QAAQ,IAAI;AAAA,IACJ,yBAAa,aAAa,SAAS,iBAAiB;AAAA,IACpD,yBAAa,aAAa,QAAQ,iBAAiB;AAAA,IAC/D,sBACgB,yBAAa,mBAAmB,qBAAqB,iBAAiB,IACtE,4BAAgB,iBAAiB;AAAA,EACnD,CAAC;AACH;AAEA,eAAsB,kBAAoC;AACxD,SAAQ,MAAkB,yBAAa,WAAW,MAAO;AAC3D;AAEA,eAAsB,mBAA2C;AAC/D,SAAmB,yBAAa,WAAW;AAC7C;AAEA,eAAsB,kBAA0C;AAC9D,SAAmB,yBAAa,WAAW;AAC7C;AAEA,eAAsB,wBAAgD;AACpE,SAAmB,yBAAa,iBAAiB;AACnD;AAEA,eAAsB,eAA8B;AAClD,QAAM,QAAQ,IAAI;AAAA,IACJ,4BAAgB,WAAW;AAAA,IAC3B,4BAAgB,WAAW;AAAA,IAC3B,4BAAgB,iBAAiB;AAAA,EAC/C,CAAC;AACH;;;AClHA,SAAS,UAAU,eAAe,OAAO,kBAAkB;AAC3D;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AAaP,SAAS,iBAAiB,QAA6D;AACrF,QAAM,MAAO,WAA2B,SAAS,OAAO,CAAC;AAEzD,SAAO;AAAA,IACL,MAAM,QAAQ,QAAQ,IAAI,6BAA6B;AAAA,IACvD,QAAQ,QAAQ,UAAU,IAAI,+BAA+B;AAAA,EAC/D;AACF;AAEA,eAAsB,gBACpB,OACA,QACA,QACoC;AACpC,QAAM,EAAE,MAAM,OAAO,IAAI,iBAAiB,MAAM;AAChD,QAAM,YAAY,iBAAiB,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AAC7E,QAAM,YAAY,iBAAiB,IAAI,YAAY,EAAE,OAAO,MAAM,CAAC;AAEnE,QAAM,SAAS,MAAM,cAAc;AAAA,IACjC;AAAA,IACA,IAAI,EAAE,IAAI,MAAM,MAAM,OAAO;AAAA,IAC7B,MAAM,EAAE,IAAI,WAAW,MAAM,OAAO,aAAa,MAAM;AAAA,IACvD,kBAAkB,CAAC,EAAE,MAAM,cAAc,KAAK,GAAG,CAAC;AAAA,IAClD,wBAAwB;AAAA,MACtB,yBAAyB;AAAA,MACzB,kBAAkB;AAAA,MAClB,aAAa;AAAA,IACf;AAAA,IACA,aAAa;AAAA,IACb,SAAS;AAAA,EACX,CAAC;AAED,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,QAAM,eAAe,OAAO,SAAS,eAAe;AACpD,MAAI,CAAC,cAAc;AACjB,UAAM,IAAI,MAAM,iDAAiD;AAAA,EACnE;AAEA,QAAM,WAAW,iBAAiB,YAAY;AAC9C,QAAM,EAAE,GAAG,EAAE,IAAI,uBAAuB,QAAQ;AAEhD,SAAO;AAAA,IACL,cAAc,OAAO;AAAA,IACrB,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ;AAAA,EACF;AACF;AAEA,eAAsB,gBACpB,cACA,WACA,MAC+B;AAC/B,QAAM,eAAe,QAAQ,iBAAiB,EAAE;AAChD,QAAM,eAAe,iBAAiB,SAAS;AAE/C,QAAM,SAAS,MAAM,WAAW;AAAA,IAC9B,WAAW;AAAA,IACX,MAAM;AAAA,IACN,kBAAkB,CAAC,EAAE,MAAM,cAAc,IAAI,aAAa,CAAC;AAAA,IAC3D,kBAAkB;AAAA,IAClB,SAAS;AAAA,EACX,CAAC;AAED,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI,MAAM,sCAAsC;AAAA,EACxD;AAEA,QAAM,eAAe,iBAAiB,OAAO,SAAS,SAAS;AAC/D,MAAI,EAAE,GAAG,EAAE,IAAI,kBAAkB,YAAY;AAC7C,MAAI,cAAc,CAAC;AAEnB,SAAO;AAAA,IACL,WAAW,IAAI,WAAW,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;AAAA,IACtC,mBAAmB,iBAAiB,OAAO,SAAS,iBAAiB;AAAA,IACrE,gBAAgB,iBAAiB,OAAO,SAAS,cAAc;AAAA,IAC/D,YAAY;AAAA,IACZ,YAAY;AAAA,EACd;AACF;AAEA,eAAsB,oCACpB,QAC2C;AAC3C,QAAM,EAAE,KAAK,IAAI,iBAAiB,MAAM;AAExC,MAAI;AACF,UAAM,YAAY,iBAAiB,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC,CAAC;AAC7E,UAAM,SAAS,MAAM,WAAW;AAAA,MAC9B;AAAA,MACA;AAAA,MACA,kBAAkB;AAAA,MAClB,SAAS;AAAA,IACX,CAAC;AAED,WAAO,SAAS,EAAE,cAAc,OAAO,IAAI,KAAK,IAAI;AAAA,EACtD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,uBACd,UACkC;AAClC,MAAI,SAAS,WAAW,IAAI;AAC1B,WAAO;AAAA,MACL,GAAG,SAAS,MAAM,GAAG,EAAE;AAAA,MACvB,GAAG,SAAS,MAAM,IAAI,EAAE;AAAA,IAC1B;AAAA,EACF;AAEA,MAAI,SAAS,WAAW,MAAM,SAAS,CAAC,MAAM,GAAM;AAClD,WAAO;AAAA,MACL,GAAG,SAAS,MAAM,GAAG,EAAE;AAAA,MACvB,GAAG,SAAS,MAAM,IAAI,EAAE;AAAA,IAC1B;AAAA,EACF;AAEA,QAAM,aAAa,SAAS,SAAS;AACrC,MAAI,aAAa,KAAK,SAAS,UAAU,MAAM,GAAM;AACnD,WAAO;AAAA,MACL,GAAG,SAAS,MAAM,aAAa,GAAG,aAAa,EAAE;AAAA,MACjD,GAAG,SAAS,MAAM,aAAa,IAAI,aAAa,EAAE;AAAA,IACpD;AAAA,EACF;AAEA,QAAM,IAAI;AAAA,IACR,kCAAkC,SAAS,MAAM;AAAA,EACnD;AACF;","names":[]}

package/dist/chunk-75G2FPYW.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/popup-service.ts"],"sourcesContent":["import type {\n  PasskeyPopupAction,\n  PasskeyPopupResponse,\n  PasskeyPopupSigningResult,\n  PasskeySigningResult,\n} from './types';\nimport {\n  PASSKEY_POPUP_RESPONSE_EVENT,\n} from './popup';\nimport { bytesToBase64Url, base64UrlToBytes } from '@thru/passkey-manager';\nexport function toPopupSigningResult(result: PasskeySigningResult): PasskeyPopupSigningResult {\n  return {\n    signatureBase64Url: bytesToBase64Url(result.signature),\n    authenticatorDataBase64Url: bytesToBase64Url(result.authenticatorData),\n    clientDataJSONBase64Url: bytesToBase64Url(result.clientDataJSON),\n    signatureRBase64Url: bytesToBase64Url(result.signatureR),\n    signatureSBase64Url: bytesToBase64Url(result.signatureS),\n  };\n}\n\nexport function buildSuccessResponse<T>(\n  requestId: string,\n  action: PasskeyPopupAction,\n  result: T\n): PasskeyPopupResponse {\n  return {\n    type: PASSKEY_POPUP_RESPONSE_EVENT,\n    requestId,\n    action,\n    success: true,\n    result,\n  } as PasskeyPopupResponse;\n}\n\nexport function decodeChallenge(base64Url: string): Uint8Array {\n  return base64UrlToBytes(base64Url);\n}\n\nexport function getResponseError(action: PasskeyPopupAction, error: unknown): { name?: string; message: string } {\n  const { name, message } = normalizeError(error);\n  const actionLabel = `Popup ${action}`;\n  const messageText = message || 'Passkey popup failed';\n  const detailedMessage = messageText.includes('Popup')\n    ? messageText\n    : `${actionLabel}: ${messageText}`;\n  return {\n    name,\n    message: detailedMessage,\n  };\n}\nfunction normalizeError(error: unknown): { name?: string; message?: string; normalized: string } {\n  const name =\n    error && typeof error === 'object' && 'name' in error\n      ? String((error as { name?: unknown }).name)\n      : '';\n  const message =\n    error && typeof error === 'object' && 'message' in error\n      ? String((error as { message?: unknown }).message)\n      : '';\n  return {\n    name,\n    message,\n    normalized: `${name} ${message}`.toLowerCase(),\n  };\n}\n"],"mappings":";;;;;AASA,SAAS,kBAAkB,wBAAwB;AAC5C,SAAS,qBAAqB,QAAyD;AAC5F,SAAO;AAAA,IACL,oBAAoB,iBAAiB,OAAO,SAAS;AAAA,IACrD,4BAA4B,iBAAiB,OAAO,iBAAiB;AAAA,IACrE,yBAAyB,iBAAiB,OAAO,cAAc;AAAA,IAC/D,qBAAqB,iBAAiB,OAAO,UAAU;AAAA,IACvD,qBAAqB,iBAAiB,OAAO,UAAU;AAAA,EACzD;AACF;AAEO,SAAS,qBACd,WACA,QACA,QACsB;AACtB,SAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,IACA;AAAA,IACA,SAAS;AAAA,IACT;AAAA,EACF;AACF;AAEO,SAAS,gBAAgB,WAA+B;AAC7D,SAAO,iBAAiB,SAAS;AACnC;AAEO,SAAS,iBAAiB,QAA4B,OAAoD;AAC/G,QAAM,EAAE,MAAM,QAAQ,IAAI,eAAe,KAAK;AAC9C,QAAM,cAAc,SAAS,MAAM;AACnC,QAAM,cAAc,WAAW;AAC/B,QAAM,kBAAkB,YAAY,SAAS,OAAO,IAChD,cACA,GAAG,WAAW,KAAK,WAAW;AAClC,SAAO;AAAA,IACL;AAAA,IACA,SAAS;AAAA,EACX;AACF;AACA,SAAS,eAAe,OAAyE;AAC/F,QAAM,OACJ,SAAS,OAAO,UAAU,YAAY,UAAU,QAC5C,OAAQ,MAA6B,IAAI,IACzC;AACN,QAAM,UACJ,SAAS,OAAO,UAAU,YAAY,aAAa,QAC/C,OAAQ,MAAgC,OAAO,IAC/C;AACN,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,YAAY,GAAG,IAAI,IAAI,OAAO,GAAG,YAAY;AAAA,EAC/C;AACF;","names":[]}

package/dist/chunk-B5SN7AS7.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/register.ts","../src/capabilities.ts","../src/sign.ts","../src/web.ts"],"sourcesContent":["import type { PasskeyRegistrationResult, PasskeyPopupRegistrationResult } from './types';\nimport { arrayBufferToBase64Url, bytesToHex } from '@thru/passkey-manager';\nimport {\n  isWebAuthnSupported,\n  getPasskeyPromptMode,\n  maybePreopenPopup,\n  shouldFallbackToPopup,\n  type PasskeyPromptAction,\n} from './capabilities';\nimport { requestPasskeyPopup, openPasskeyPopupWindow, closePopup } from './popup';\n\n/**\n * Register a new passkey for a profile.\n */\nexport async function registerPasskey(\n  alias: string,\n  userId: string,\n  rpId: string\n): Promise<PasskeyRegistrationResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  return runWithPromptMode(\n    'create',\n    () => registerPasskeyInline(alias, userId, rpId),\n    (preopenedPopup) => registerPasskeyViaPopup(alias, userId, rpId, preopenedPopup)\n  );\n}\n\nasync function runWithPromptMode<T>(\n  action: PasskeyPromptAction,\n  inlineFn: () => Promise<T>,\n  popupFn: (preopenedPopup?: Window | null) => Promise<T>\n): Promise<T> {\n  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);\n  const promptMode = await getPasskeyPromptMode(action);\n  if (promptMode === 'popup') {\n    return popupFn(preopenedPopup);\n  }\n\n  closePopup(preopenedPopup);\n\n  try {\n    return await inlineFn();\n  } catch (error) {\n    if (shouldFallbackToPopup(error)) {\n      return popupFn();\n    }\n    throw error;\n  }\n}\n\nasync function registerPasskeyInline(\n  alias: string,\n  userId: string,\n  rpId: string\n): Promise<PasskeyRegistrationResult> {\n  const rpName = 'Thru Wallet';\n\n  const userIdBytes = new TextEncoder().encode(userId);\n  const userIdBuffer = userIdBytes.slice(0, 64);\n\n  const challenge = crypto.getRandomValues(new Uint8Array(32));\n\n  const createOptions: PublicKeyCredentialCreationOptions = {\n    challenge,\n    rp: {\n      id: rpId,\n      name: rpName,\n    },\n    user: {\n      id: userIdBuffer,\n      name: alias,\n      displayName: alias,\n    },\n    pubKeyCredParams: [\n      { type: 'public-key', alg: -7 },\n    ],\n    authenticatorSelection: {\n      authenticatorAttachment: 'platform',\n      userVerification: 'required',\n      residentKey: 'required',\n      requireResidentKey: true,\n    },\n    attestation: 'none',\n    timeout: 60000,\n  };\n\n  const credential = (await navigator.credentials.create({\n    publicKey: createOptions,\n  })) as PublicKeyCredential | null;\n\n  if (!credential) {\n    throw new Error('Passkey registration was cancelled');\n  }\n\n  const response = credential.response as AuthenticatorAttestationResponse;\n  const { x, y } = extractP256PublicKey(response);\n\n  return {\n    credentialId: arrayBufferToBase64Url(credential.rawId),\n    publicKeyX: bytesToHex(x),\n    publicKeyY: bytesToHex(y),\n    rpId,\n  };\n}\n\nasync function registerPasskeyViaPopup(\n  alias: string,\n  userId: string,\n  rpId: string,\n  preopenedPopup?: Window | null\n): Promise<PasskeyRegistrationResult> {\n  const result = await requestPasskeyPopup<PasskeyPopupRegistrationResult>(\n    'create',\n    { alias, userId, rpId },\n    preopenedPopup\n  );\n  return result;\n}\n\n// Key extraction helpers\n\nfunction extractP256PublicKey(\n  response: AuthenticatorAttestationResponse\n): { x: Uint8Array; y: Uint8Array } {\n  if (typeof response.getPublicKey === 'function') {\n    const spkiKey = response.getPublicKey();\n    if (spkiKey) {\n      return extractFromSpki(new Uint8Array(spkiKey));\n    }\n  }\n\n  if (typeof response.getAuthenticatorData === 'function') {\n    const authData = new Uint8Array(response.getAuthenticatorData());\n    return extractFromAuthenticatorData(authData);\n  }\n\n  throw new Error('Unable to extract public key: browser does not support required WebAuthn methods');\n}\n\nfunction extractFromSpki(spki: Uint8Array): { x: Uint8Array; y: Uint8Array } {\n  const pointStart = spki.length - 65;\n\n  if (spki[pointStart] !== 0x04) {\n    throw new Error('Invalid SPKI format: expected uncompressed point');\n  }\n\n  const x = spki.slice(pointStart + 1, pointStart + 33);\n  const y = spki.slice(pointStart + 33, pointStart + 65);\n\n  if (x.length !== 32 || y.length !== 32) {\n    throw new Error('Invalid SPKI format: incorrect coordinate length');\n  }\n\n  return { x, y };\n}\n\nfunction extractFromAuthenticatorData(authData: Uint8Array): { x: Uint8Array; y: Uint8Array } {\n  const rpIdHashLength = 32;\n  const flagsLength = 1;\n  const counterLength = 4;\n  const offset = rpIdHashLength + flagsLength + counterLength;\n  const aaguidLength = 16;\n  const credIdLenOffset = offset + aaguidLength;\n  const credIdLength = (authData[credIdLenOffset] << 8) | authData[credIdLenOffset + 1];\n  const coseKeyOffset = credIdLenOffset + 2 + credIdLength;\n  const coseKey = authData.slice(coseKeyOffset);\n\n  return extractFromCoseKey(coseKey);\n}\n\nfunction extractFromCoseKey(coseKey: Uint8Array): { x: Uint8Array; y: Uint8Array } {\n  const mapStart = coseKey[0];\n  if (mapStart !== 0xa5 && mapStart !== 0xa4) {\n    throw new Error('Invalid COSE key format');\n  }\n\n  let offset = 1;\n  let x: Uint8Array | null = null;\n  let y: Uint8Array | null = null;\n\n  while (offset < coseKey.length) {\n    const key = coseKey[offset++];\n    const valueType = coseKey[offset++];\n\n    if (key === 0x21) {\n      const length = valueType & 0x1f;\n      x = coseKey.slice(offset, offset + length);\n      offset += length;\n      continue;\n    }\n\n    if (key === 0x22) {\n      const length = valueType & 0x1f;\n      y = coseKey.slice(offset, offset + length);\n      offset += length;\n      continue;\n    }\n\n    if (valueType >= 0x40 && valueType <= 0x5f) {\n      const length = valueType & 0x1f;\n      offset += length;\n      continue;\n    }\n\n    if (valueType === 0x01 || valueType === 0x02 || valueType === 0x03) {\n      continue;\n    }\n\n    if (valueType >= 0x18 && valueType <= 0x1b) {\n      const size = 1 << (valueType - 0x18);\n      offset += size;\n      continue;\n    }\n  }\n\n  if (!x || !y) {\n    throw new Error('Failed to extract P-256 public key from COSE data');\n  }\n\n  if (x.length !== 32 || y.length !== 32) {\n    throw new Error('Invalid COSE key: incorrect coordinate length');\n  }\n\n  return { x, y };\n}\n","import type { PasskeyClientCapabilities } from './types';\n\nconst DEBUG = typeof process !== 'undefined' && process.env?.NEXT_PUBLIC_PASSKEY_DEBUG === '1';\n\nlet cachedClientCapabilities: PasskeyClientCapabilities | null | undefined;\nlet clientCapabilitiesPromise: Promise<PasskeyClientCapabilities | null> | null = null;\n\nexport function isWebAuthnSupported(): boolean {\n  const supported =\n    typeof window !== 'undefined' &&\n    typeof window.PublicKeyCredential !== 'undefined' &&\n    typeof navigator.credentials !== 'undefined';\n\n  if (DEBUG) {\n    console.log('[Passkey] WebAuthn support check:', {\n      window: typeof window !== 'undefined',\n      PublicKeyCredential:\n        typeof window !== 'undefined' && typeof window.PublicKeyCredential !== 'undefined',\n      credentials:\n        typeof window !== 'undefined' &&\n        typeof navigator !== 'undefined' &&\n        typeof navigator.credentials !== 'undefined',\n      supported,\n    });\n  }\n\n  return supported;\n}\n\nasync function fetchPasskeyClientCapabilities(): Promise<PasskeyClientCapabilities | null> {\n  if (typeof window === 'undefined' || typeof window.PublicKeyCredential === 'undefined') {\n    return null;\n  }\n\n  const getClientCapabilities = (window.PublicKeyCredential as {\n    getClientCapabilities?: () => Promise<PasskeyClientCapabilities>;\n  }).getClientCapabilities;\n\n  if (typeof getClientCapabilities !== 'function') {\n    return null;\n  }\n\n  try {\n    const capabilities = await getClientCapabilities.call(window.PublicKeyCredential);\n    if (DEBUG) {\n      console.log('[Passkey] WebAuthn client capabilities:', capabilities);\n    }\n    return capabilities ?? null;\n  } catch (error) {\n    if (DEBUG) {\n      console.warn('[Passkey] Failed to read client capabilities:', error);\n    }\n    return null;\n  }\n}\n\nexport function preloadPasskeyClientCapabilities(): void {\n  if (cachedClientCapabilities !== undefined || clientCapabilitiesPromise) {\n    return;\n  }\n\n  clientCapabilitiesPromise = fetchPasskeyClientCapabilities().then((capabilities) => {\n    cachedClientCapabilities = capabilities;\n    return capabilities;\n  });\n}\n\nexport async function getPasskeyClientCapabilities(): Promise<PasskeyClientCapabilities | null> {\n  if (cachedClientCapabilities !== undefined) {\n    return cachedClientCapabilities;\n  }\n\n  if (!clientCapabilitiesPromise) {\n    preloadPasskeyClientCapabilities();\n  }\n\n  if (!clientCapabilitiesPromise) {\n    cachedClientCapabilities = null;\n    return null;\n  }\n\n  const capabilities = await clientCapabilitiesPromise;\n  cachedClientCapabilities = capabilities;\n  return capabilities;\n}\n\nexport function getCachedPasskeyClientCapabilities(): PasskeyClientCapabilities | null | undefined {\n  return cachedClientCapabilities;\n}\n\nexport function isInIframe(): boolean {\n  if (typeof window === 'undefined') {\n    return false;\n  }\n  try {\n    return window.self !== window.top;\n  } catch {\n    return true;\n  }\n}\n\nexport type PasskeyPromptAction = 'get' | 'create';\n\nexport async function shouldUsePasskeyPopup(action: PasskeyPromptAction): Promise<boolean> {\n  if (!isInIframe()) {\n    return false;\n  }\n  const mode = await getPasskeyPromptMode(action);\n  return mode === 'popup';\n}\n\ntype PasskeyPromptMode = 'inline' | 'popup';\n\nfunction getPermissionsPolicyAllowsFeature(feature: string): boolean | null {\n  if (typeof document === 'undefined') {\n    return null;\n  }\n\n  const policy = (document as { permissionsPolicy?: { allowsFeature?: (name: string) => boolean } })\n    .permissionsPolicy;\n  const featurePolicy = (document as { featurePolicy?: { allowsFeature?: (name: string) => boolean } })\n    .featurePolicy;\n  const allowsFeature = policy?.allowsFeature || featurePolicy?.allowsFeature;\n\n  if (typeof allowsFeature !== 'function') {\n    return null;\n  }\n\n  try {\n    return allowsFeature(feature);\n  } catch {\n    return null;\n  }\n}\n\nfunction getCachedPromptMode(action: PasskeyPromptAction): PasskeyPromptMode | 'unknown' {\n  if (!isInIframe()) {\n    return 'inline';\n  }\n\n  if (cachedClientCapabilities === undefined && !clientCapabilitiesPromise) {\n    preloadPasskeyClientCapabilities();\n  }\n\n  const feature =\n    action === 'create' ? 'publickey-credentials-create' : 'publickey-credentials-get';\n  const policyAllows = getPermissionsPolicyAllowsFeature(feature);\n  const capabilities = getCachedPasskeyClientCapabilities();\n  const supportsInline =\n    capabilities?.passkeyPlatformAuthenticator === true ||\n    capabilities?.userVerifyingPlatformAuthenticator === true;\n\n  if (policyAllows === false) {\n    return 'popup';\n  }\n\n  if (capabilities === undefined) {\n    return 'unknown';\n  }\n\n  if (!supportsInline) {\n    return 'popup';\n  }\n\n  return 'inline';\n}\n\nexport async function getPasskeyPromptMode(action: PasskeyPromptAction): Promise<PasskeyPromptMode> {\n  if (!isInIframe()) {\n    return 'inline';\n  }\n\n  const feature =\n    action === 'create' ? 'publickey-credentials-create' : 'publickey-credentials-get';\n  const policyAllows = getPermissionsPolicyAllowsFeature(feature);\n  const capabilities = await getPasskeyClientCapabilities();\n  const supportsInline =\n    capabilities?.passkeyPlatformAuthenticator === true ||\n    capabilities?.userVerifyingPlatformAuthenticator === true;\n\n  if (DEBUG) {\n    console.log('[Passkey] Prompt mode check:', {\n      action,\n      policyAllows,\n      supportsInline,\n      capabilities,\n    });\n  }\n\n  if (!supportsInline) {\n    return 'popup';\n  }\n\n  if (policyAllows === false) {\n    return 'popup';\n  }\n\n  return 'inline';\n}\n\nexport function maybePreopenPopup(action: PasskeyPromptAction, openPopupFn: () => Window): Window | null {\n  const cachedMode = getCachedPromptMode(action);\n  if (cachedMode !== 'popup') {\n    return null;\n  }\n\n  try {\n    return openPopupFn();\n  } catch {\n    return null;\n  }\n}\n\nexport function shouldFallbackToPopup(error: unknown): boolean {\n  if (!isInIframe()) {\n    return false;\n  }\n\n  const name =\n    error && typeof error === 'object' && 'name' in error ? String((error as { name?: unknown }).name) : '';\n  const message =\n    error && typeof error === 'object' && 'message' in error\n      ? String((error as { message?: unknown }).message)\n      : '';\n  const normalized = `${name} ${message}`.toLowerCase();\n\n  if (\n    normalized.includes('cancel') ||\n    normalized.includes('canceled') ||\n    normalized.includes('cancelled') ||\n    normalized.includes('user canceled') ||\n    normalized.includes('user cancelled') ||\n    normalized.includes('aborted')\n  ) {\n    return false;\n  }\n\n  if (normalized.includes('securityerror')) {\n    return true;\n  }\n\n  if (normalized.includes('notallowederror')) {\n    if (\n      normalized.includes('permission') ||\n      normalized.includes('policy') ||\n      normalized.includes('iframe') ||\n      normalized.includes('frame')\n    ) {\n      return true;\n    }\n  }\n\n  return false;\n}\n","import type {\n  PasskeySigningResult,\n  PasskeyStoredSigningResult,\n  PasskeyDiscoverableSigningResult,\n  PasskeyMetadata,\n  PasskeyPopupContext,\n  PasskeyPopupSigningResult,\n  PasskeyPopupStoredSigningResult,\n} from './types';\nimport {\n  arrayBufferToBase64Url,\n  base64UrlToArrayBuffer,\n  bytesToBase64Url,\n  base64UrlToBytes,\n  parseDerSignature,\n  normalizeLowS,\n} from '@thru/passkey-manager';\nimport {\n  isWebAuthnSupported,\n  getPasskeyPromptMode,\n  isInIframe,\n  maybePreopenPopup,\n  shouldFallbackToPopup,\n  type PasskeyPromptAction,\n} from './capabilities';\nimport { requestPasskeyPopup, openPasskeyPopupWindow, closePopup } from './popup';\n\n/**\n * Sign a challenge with an existing passkey (by credential ID).\n */\nexport async function signWithPasskey(\n  credentialId: string,\n  challenge: Uint8Array,\n  rpId: string\n): Promise<PasskeySigningResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  return runWithPromptMode(\n    'get',\n    () => signWithPasskeyInline(credentialId, challenge, rpId),\n    (preopenedPopup) => signWithPasskeyViaPopup(credentialId, challenge, rpId, preopenedPopup)\n  );\n}\n\n/**\n * Sign with stored passkey (for embedded/popup contexts).\n */\nexport async function signWithStoredPasskey(\n  challenge: Uint8Array,\n  rpId: string,\n  preferredPasskey: PasskeyMetadata | null,\n  allPasskeys: PasskeyMetadata[],\n  context?: PasskeyPopupContext\n): Promise<PasskeyStoredSigningResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  const preopenedPopup = maybePreopenPopup('get', openPasskeyPopupWindow);\n  const promptMode = await getPasskeyPromptMode('get');\n  const storedPasskey = preferredPasskey;\n  const canUsePopup = isInIframe();\n\n  if (promptMode === 'popup' || (canUsePopup && !storedPasskey)) {\n    return requestStoredPasskeyPopup(challenge, preopenedPopup, context);\n  }\n\n  closePopup(preopenedPopup);\n\n  try {\n    if (storedPasskey) {\n      const result = await signWithPasskeyInline(\n        storedPasskey.credentialId,\n        challenge,\n        storedPasskey.rpId\n      );\n      return {\n        ...result,\n        passkey: storedPasskey,\n      };\n    }\n\n    const discoverable = await signWithDiscoverablePasskey(challenge, rpId);\n    const matchingPasskey = allPasskeys.find(p => p.credentialId === discoverable.credentialId) ?? null;\n    const now = new Date().toISOString();\n    const passkey = matchingPasskey ?? {\n      credentialId: discoverable.credentialId,\n      publicKeyX: '',\n      publicKeyY: '',\n      rpId: discoverable.rpId,\n      createdAt: now,\n      lastUsedAt: now,\n    };\n\n    return {\n      signature: discoverable.signature,\n      authenticatorData: discoverable.authenticatorData,\n      clientDataJSON: discoverable.clientDataJSON,\n      signatureR: discoverable.signatureR,\n      signatureS: discoverable.signatureS,\n      passkey,\n    };\n  } catch (error) {\n    if (canUsePopup && shouldFallbackToPopup(error)) {\n      return requestStoredPasskeyPopup(challenge, undefined, context);\n    }\n\n    throw error;\n  }\n}\n\n/**\n * Sign with a discoverable passkey (no credential ID - browser prompts user to select).\n */\nexport async function signWithDiscoverablePasskey(\n  challenge: Uint8Array,\n  rpId: string\n): Promise<PasskeyDiscoverableSigningResult> {\n  if (!isWebAuthnSupported()) {\n    throw new Error('WebAuthn is not supported in this browser');\n  }\n\n  const resolvedRpId = rpId;\n  const result = await signWithPasskeyAssertion(challenge, resolvedRpId);\n\n  return {\n    signature: result.signature,\n    authenticatorData: result.authenticatorData,\n    clientDataJSON: result.clientDataJSON,\n    signatureR: result.signatureR,\n    signatureS: result.signatureS,\n    credentialId: result.credentialId,\n    rpId: resolvedRpId,\n  };\n}\n\n// Internal helpers\n\nasync function runWithPromptMode<T>(\n  action: PasskeyPromptAction,\n  inlineFn: () => Promise<T>,\n  popupFn: (preopenedPopup?: Window | null) => Promise<T>\n): Promise<T> {\n  const preopenedPopup = maybePreopenPopup(action, openPasskeyPopupWindow);\n  const promptMode = await getPasskeyPromptMode(action);\n  if (promptMode === 'popup') {\n    return popupFn(preopenedPopup);\n  }\n\n  closePopup(preopenedPopup);\n\n  try {\n    return await inlineFn();\n  } catch (error) {\n    if (shouldFallbackToPopup(error)) {\n      return popupFn();\n    }\n    throw error;\n  }\n}\n\nasync function signWithPasskeyInline(\n  credentialId: string,\n  challenge: Uint8Array,\n  rpId: string\n): Promise<PasskeySigningResult> {\n  const result = await signWithPasskeyAssertion(challenge, rpId, credentialId);\n  return {\n    signature: result.signature,\n    authenticatorData: result.authenticatorData,\n    clientDataJSON: result.clientDataJSON,\n    signatureR: result.signatureR,\n    signatureS: result.signatureS,\n  };\n}\n\nasync function signWithPasskeyAssertion(\n  challenge: Uint8Array,\n  rpId: string,\n  credentialId?: string\n): Promise<PasskeySigningResult & { credentialId: string }> {\n  const challengeBytes = new Uint8Array(challenge);\n  const getOptions: PublicKeyCredentialRequestOptions = {\n    challenge: challengeBytes,\n    rpId,\n    userVerification: 'required',\n    timeout: 60000,\n  };\n\n  if (credentialId) {\n    const credentialIdBuffer = base64UrlToArrayBuffer(credentialId);\n    getOptions.allowCredentials = [\n      {\n        type: 'public-key',\n        id: credentialIdBuffer,\n        transports: ['internal', 'hybrid', 'usb', 'ble', 'nfc'],\n      },\n    ];\n  }\n\n  const assertion = (await navigator.credentials.get({\n    publicKey: getOptions,\n  })) as PublicKeyCredential | null;\n\n  if (!assertion) {\n    throw new Error('Passkey authentication was cancelled');\n  }\n\n  const response = assertion.response as AuthenticatorAssertionResponse;\n\n  const signature = new Uint8Array(response.signature);\n  let { r, s } = parseDerSignature(signature);\n  s = normalizeLowS(s);\n\n  return {\n    signature: new Uint8Array([...r, ...s]),\n    authenticatorData: new Uint8Array(response.authenticatorData),\n    clientDataJSON: new Uint8Array(response.clientDataJSON),\n    signatureR: r,\n    signatureS: s,\n    credentialId: arrayBufferToBase64Url(assertion.rawId),\n  };\n}\n\nasync function signWithPasskeyViaPopup(\n  credentialId: string,\n  challenge: Uint8Array,\n  rpId: string,\n  preopenedPopup?: Window | null\n): Promise<PasskeySigningResult> {\n  const result = await requestPasskeyPopup<PasskeyPopupSigningResult>(\n    'get',\n    {\n      credentialId,\n      challengeBase64Url: bytesToBase64Url(challenge),\n      rpId,\n    },\n    preopenedPopup\n  );\n\n  return decodePopupSigningResult(result);\n}\n\nasync function requestStoredPasskeyPopup(\n  challenge: Uint8Array,\n  preopenedPopup?: Window | null,\n  context?: PasskeyPopupContext\n): Promise<PasskeyStoredSigningResult> {\n  const result = await requestPasskeyPopup<PasskeyPopupStoredSigningResult>(\n    'getStored',\n    {\n      challengeBase64Url: bytesToBase64Url(challenge),\n      context,\n    },\n    preopenedPopup\n  );\n  return decodePopupStoredSigningResult(result);\n}\n\nfunction decodePopupSigningResult(result: PasskeyPopupSigningResult): PasskeySigningResult {\n  return {\n    signature: base64UrlToBytes(result.signatureBase64Url),\n    authenticatorData: base64UrlToBytes(result.authenticatorDataBase64Url),\n    clientDataJSON: base64UrlToBytes(result.clientDataJSONBase64Url),\n    signatureR: base64UrlToBytes(result.signatureRBase64Url),\n    signatureS: base64UrlToBytes(result.signatureSBase64Url),\n  };\n}\n\nfunction decodePopupStoredSigningResult(\n  result: PasskeyPopupStoredSigningResult\n): PasskeyStoredSigningResult {\n  return {\n    ...decodePopupSigningResult(result),\n    passkey: result.passkey,\n    accounts: result.accounts,\n  };\n}\n","export type {\n  PasskeyRegistrationResult,\n  PasskeySigningResult,\n  PasskeyDiscoverableSigningResult,\n  PasskeyStoredSigningResult,\n  PasskeyMetadata,\n  PasskeyClientCapabilities,\n  PasskeyPopupContext,\n  PasskeyPopupAccount,\n} from './types';\n\nexport { registerPasskey } from './register';\n\nexport {\n  signWithPasskey,\n  signWithStoredPasskey,\n  signWithDiscoverablePasskey,\n} from './sign';\n\nexport {\n  parseDerSignature,\n  normalizeLowS,\n  normalizeSignatureComponent,\n  P256_N,\n  P256_HALF_N,\n  bytesToBigIntBE,\n  bigIntToBytesBE,\n} from '@thru/passkey-manager';\n\nexport {\n  isWebAuthnSupported,\n  preloadPasskeyClientCapabilities,\n  getPasskeyClientCapabilities,\n  getCachedPasskeyClientCapabilities,\n  shouldUsePasskeyPopup,\n  isInIframe,\n  type PasskeyPromptAction,\n} from './capabilities';\n\nexport {\n  arrayBufferToBase64Url,\n  base64UrlToArrayBuffer,\n  bytesToBase64,\n  bytesToBase64Url,\n  base64UrlToBytes,\n  bytesToHex,\n  hexToBytes,\n  bytesEqual,\n  compareBytes,\n  uniqueAccounts,\n} from '@thru/passkey-manager';\n"],"mappings":";;;;;;;AACA,SAAS,wBAAwB,kBAAkB;;;ACCnD,IAAM,QAAQ,OAAO,YAAY,eAAe,QAAQ,KAAK,8BAA8B;AAE3F,IAAI;AACJ,IAAI,4BAA8E;AAE3E,SAAS,sBAA+B;AAC7C,QAAM,YACJ,OAAO,WAAW,eAClB,OAAO,OAAO,wBAAwB,eACtC,OAAO,UAAU,gBAAgB;AAEnC,MAAI,OAAO;AACT,YAAQ,IAAI,qCAAqC;AAAA,MAC/C,QAAQ,OAAO,WAAW;AAAA,MAC1B,qBACE,OAAO,WAAW,eAAe,OAAO,OAAO,wBAAwB;AAAA,MACzE,aACE,OAAO,WAAW,eAClB,OAAO,cAAc,eACrB,OAAO,UAAU,gBAAgB;AAAA,MACnC;AAAA,IACF,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAEA,eAAe,iCAA4E;AACzF,MAAI,OAAO,WAAW,eAAe,OAAO,OAAO,wBAAwB,aAAa;AACtF,WAAO;AAAA,EACT;AAEA,QAAM,wBAAyB,OAAO,oBAEnC;AAEH,MAAI,OAAO,0BAA0B,YAAY;AAC/C,WAAO;AAAA,EACT;AAEA,MAAI;AACF,UAAM,eAAe,MAAM,sBAAsB,KAAK,OAAO,mBAAmB;AAChF,QAAI,OAAO;AACT,cAAQ,IAAI,2CAA2C,YAAY;AAAA,IACrE;AACA,WAAO,gBAAgB;AAAA,EACzB,SAAS,OAAO;AACd,QAAI,OAAO;AACT,cAAQ,KAAK,iDAAiD,KAAK;AAAA,IACrE;AACA,WAAO;AAAA,EACT;AACF;AAEO,SAAS,mCAAyC;AACvD,MAAI,6BAA6B,UAAa,2BAA2B;AACvE;AAAA,EACF;AAEA,8BAA4B,+BAA+B,EAAE,KAAK,CAAC,iBAAiB;AAClF,+BAA2B;AAC3B,WAAO;AAAA,EACT,CAAC;AACH;AAEA,eAAsB,+BAA0E;AAC9F,MAAI,6BAA6B,QAAW;AAC1C,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,2BAA2B;AAC9B,qCAAiC;AAAA,EACnC;AAEA,MAAI,CAAC,2BAA2B;AAC9B,+BAA2B;AAC3B,WAAO;AAAA,EACT;AAEA,QAAM,eAAe,MAAM;AAC3B,6BAA2B;AAC3B,SAAO;AACT;AAEO,SAAS,qCAAmF;AACjG,SAAO;AACT;AAEO,SAAS,aAAsB;AACpC,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO;AAAA,EACT;AACA,MAAI;AACF,WAAO,OAAO,SAAS,OAAO;AAAA,EAChC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAIA,eAAsB,sBAAsB,QAA+C;AACzF,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AACA,QAAM,OAAO,MAAM,qBAAqB,MAAM;AAC9C,SAAO,SAAS;AAClB;AAIA,SAAS,kCAAkC,SAAiC;AAC1E,MAAI,OAAO,aAAa,aAAa;AACnC,WAAO;AAAA,EACT;AAEA,QAAM,SAAU,SACb;AACH,QAAM,gBAAiB,SACpB;AACH,QAAM,gBAAgB,QAAQ,iBAAiB,eAAe;AAE9D,MAAI,OAAO,kBAAkB,YAAY;AACvC,WAAO;AAAA,EACT;AAEA,MAAI;AACF,WAAO,cAAc,OAAO;AAAA,EAC9B,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,oBAAoB,QAA4D;AACvF,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,MAAI,6BAA6B,UAAa,CAAC,2BAA2B;AACxE,qCAAiC;AAAA,EACnC;AAEA,QAAM,UACJ,WAAW,WAAW,iCAAiC;AACzD,QAAM,eAAe,kCAAkC,OAAO;AAC9D,QAAM,eAAe,mCAAmC;AACxD,QAAM,iBACJ,cAAc,iCAAiC,QAC/C,cAAc,uCAAuC;AAEvD,MAAI,iBAAiB,OAAO;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,QAAW;AAC9B,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,gBAAgB;AACnB,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEA,eAAsB,qBAAqB,QAAyD;AAClG,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,UACJ,WAAW,WAAW,iCAAiC;AACzD,QAAM,eAAe,kCAAkC,OAAO;AAC9D,QAAM,eAAe,MAAM,6BAA6B;AACxD,QAAM,iBACJ,cAAc,iCAAiC,QAC/C,cAAc,uCAAuC;AAEvD,MAAI,OAAO;AACT,YAAQ,IAAI,gCAAgC;AAAA,MAC1C;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAEA,MAAI,CAAC,gBAAgB;AACnB,WAAO;AAAA,EACT;AAEA,MAAI,iBAAiB,OAAO;AAC1B,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAEO,SAAS,kBAAkB,QAA6B,aAA0C;AACvG,QAAM,aAAa,oBAAoB,MAAM;AAC7C,MAAI,eAAe,SAAS;AAC1B,WAAO;AAAA,EACT;AAEA,MAAI;AACF,WAAO,YAAY;AAAA,EACrB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,sBAAsB,OAAyB;AAC7D,MAAI,CAAC,WAAW,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,QAAM,OACJ,SAAS,OAAO,UAAU,YAAY,UAAU,QAAQ,OAAQ,MAA6B,IAAI,IAAI;AACvG,QAAM,UACJ,SAAS,OAAO,UAAU,YAAY,aAAa,QAC/C,OAAQ,MAAgC,OAAO,IAC/C;AACN,QAAM,aAAa,GAAG,IAAI,IAAI,OAAO,GAAG,YAAY;AAEpD,MACE,WAAW,SAAS,QAAQ,KAC5B,WAAW,SAAS,UAAU,KAC9B,WAAW,SAAS,WAAW,KAC/B,WAAW,SAAS,eAAe,KACnC,WAAW,SAAS,gBAAgB,KACpC,WAAW,SAAS,SAAS,GAC7B;AACA,WAAO;AAAA,EACT;AAEA,MAAI,WAAW,SAAS,eAAe,GAAG;AACxC,WAAO;AAAA,EACT;AAEA,MAAI,WAAW,SAAS,iBAAiB,GAAG;AAC1C,QACE,WAAW,SAAS,YAAY,KAChC,WAAW,SAAS,QAAQ,KAC5B,WAAW,SAAS,QAAQ,KAC5B,WAAW,SAAS,OAAO,GAC3B;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;;;AD/OA,eAAsB,gBACpB,OACA,QACA,MACoC;AACpC,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,SAAO;AAAA,IACL;AAAA,IACA,MAAM,sBAAsB,OAAO,QAAQ,IAAI;AAAA,IAC/C,CAAC,mBAAmB,wBAAwB,OAAO,QAAQ,MAAM,cAAc;AAAA,EACjF;AACF;AAEA,eAAe,kBACb,QACA,UACA,SACY;AACZ,QAAM,iBAAiB,kBAAkB,QAAQ,sBAAsB;AACvE,QAAM,aAAa,MAAM,qBAAqB,MAAM;AACpD,MAAI,eAAe,SAAS;AAC1B,WAAO,QAAQ,cAAc;AAAA,EAC/B;AAEA,aAAW,cAAc;AAEzB,MAAI;AACF,WAAO,MAAM,SAAS;AAAA,EACxB,SAAS,OAAO;AACd,QAAI,sBAAsB,KAAK,GAAG;AAChC,aAAO,QAAQ;AAAA,IACjB;AACA,UAAM;AAAA,EACR;AACF;AAEA,eAAe,sBACb,OACA,QACA,MACoC;AACpC,QAAM,SAAS;AAEf,QAAM,cAAc,IAAI,YAAY,EAAE,OAAO,MAAM;AACnD,QAAM,eAAe,YAAY,MAAM,GAAG,EAAE;AAE5C,QAAM,YAAY,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAE3D,QAAM,gBAAoD;AAAA,IACxD;AAAA,IACA,IAAI;AAAA,MACF,IAAI;AAAA,MACJ,MAAM;AAAA,IACR;AAAA,IACA,MAAM;AAAA,MACJ,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,aAAa;AAAA,IACf;AAAA,IACA,kBAAkB;AAAA,MAChB,EAAE,MAAM,cAAc,KAAK,GAAG;AAAA,IAChC;AAAA,IACA,wBAAwB;AAAA,MACtB,yBAAyB;AAAA,MACzB,kBAAkB;AAAA,MAClB,aAAa;AAAA,MACb,oBAAoB;AAAA,IACtB;AAAA,IACA,aAAa;AAAA,IACb,SAAS;AAAA,EACX;AAEA,QAAM,aAAc,MAAM,UAAU,YAAY,OAAO;AAAA,IACrD,WAAW;AAAA,EACb,CAAC;AAED,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,MAAM,oCAAoC;AAAA,EACtD;AAEA,QAAM,WAAW,WAAW;AAC5B,QAAM,EAAE,GAAG,EAAE,IAAI,qBAAqB,QAAQ;AAE9C,SAAO;AAAA,IACL,cAAc,uBAAuB,WAAW,KAAK;AAAA,IACrD,YAAY,WAAW,CAAC;AAAA,IACxB,YAAY,WAAW,CAAC;AAAA,IACxB;AAAA,EACF;AACF;AAEA,eAAe,wBACb,OACA,QACA,MACA,gBACoC;AACpC,QAAM,SAAS,MAAM;AAAA,IACnB;AAAA,IACA,EAAE,OAAO,QAAQ,KAAK;AAAA,IACtB;AAAA,EACF;AACA,SAAO;AACT;AAIA,SAAS,qBACP,UACkC;AAClC,MAAI,OAAO,SAAS,iBAAiB,YAAY;AAC/C,UAAM,UAAU,SAAS,aAAa;AACtC,QAAI,SAAS;AACX,aAAO,gBAAgB,IAAI,WAAW,OAAO,CAAC;AAAA,IAChD;AAAA,EACF;AAEA,MAAI,OAAO,SAAS,yBAAyB,YAAY;AACvD,UAAM,WAAW,IAAI,WAAW,SAAS,qBAAqB,CAAC;AAC/D,WAAO,6BAA6B,QAAQ;AAAA,EAC9C;AAEA,QAAM,IAAI,MAAM,kFAAkF;AACpG;AAEA,SAAS,gBAAgB,MAAoD;AAC3E,QAAM,aAAa,KAAK,SAAS;AAEjC,MAAI,KAAK,UAAU,MAAM,GAAM;AAC7B,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE;AAEA,QAAM,IAAI,KAAK,MAAM,aAAa,GAAG,aAAa,EAAE;AACpD,QAAM,IAAI,KAAK,MAAM,aAAa,IAAI,aAAa,EAAE;AAErD,MAAI,EAAE,WAAW,MAAM,EAAE,WAAW,IAAI;AACtC,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE;AAEA,SAAO,EAAE,GAAG,EAAE;AAChB;AAEA,SAAS,6BAA6B,UAAwD;AAC5F,QAAM,iBAAiB;AACvB,QAAM,cAAc;AACpB,QAAM,gBAAgB;AACtB,QAAM,SAAS,iBAAiB,cAAc;AAC9C,QAAM,eAAe;AACrB,QAAM,kBAAkB,SAAS;AACjC,QAAM,eAAgB,SAAS,eAAe,KAAK,IAAK,SAAS,kBAAkB,CAAC;AACpF,QAAM,gBAAgB,kBAAkB,IAAI;AAC5C,QAAM,UAAU,SAAS,MAAM,aAAa;AAE5C,SAAO,mBAAmB,OAAO;AACnC;AAEA,SAAS,mBAAmB,SAAuD;AACjF,QAAM,WAAW,QAAQ,CAAC;AAC1B,MAAI,aAAa,OAAQ,aAAa,KAAM;AAC1C,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC3C;AAEA,MAAI,SAAS;AACb,MAAI,IAAuB;AAC3B,MAAI,IAAuB;AAE3B,SAAO,SAAS,QAAQ,QAAQ;AAC9B,UAAM,MAAM,QAAQ,QAAQ;AAC5B,UAAM,YAAY,QAAQ,QAAQ;AAElC,QAAI,QAAQ,IAAM;AAChB,YAAM,SAAS,YAAY;AAC3B,UAAI,QAAQ,MAAM,QAAQ,SAAS,MAAM;AACzC,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,QAAQ,IAAM;AAChB,YAAM,SAAS,YAAY;AAC3B,UAAI,QAAQ,MAAM,QAAQ,SAAS,MAAM;AACzC,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,aAAa,MAAQ,aAAa,IAAM;AAC1C,YAAM,SAAS,YAAY;AAC3B,gBAAU;AACV;AAAA,IACF;AAEA,QAAI,cAAc,KAAQ,cAAc,KAAQ,cAAc,GAAM;AAClE;AAAA,IACF;AAEA,QAAI,aAAa,MAAQ,aAAa,IAAM;AAC1C,YAAM,OAAO,KAAM,YAAY;AAC/B,gBAAU;AACV;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,KAAK,CAAC,GAAG;AACZ,UAAM,IAAI,MAAM,mDAAmD;AAAA,EACrE;AAEA,MAAI,EAAE,WAAW,MAAM,EAAE,WAAW,IAAI;AACtC,UAAM,IAAI,MAAM,+CAA+C;AAAA,EACjE;AAEA,SAAO,EAAE,GAAG,EAAE;AAChB;;;AE1NA;AAAA,EACE,0BAAAA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAcP,eAAsB,gBACpB,cACA,WACA,MAC+B;AAC/B,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,SAAOC;AAAA,IACL;AAAA,IACA,MAAM,sBAAsB,cAAc,WAAW,IAAI;AAAA,IACzD,CAAC,mBAAmB,wBAAwB,cAAc,WAAW,MAAM,cAAc;AAAA,EAC3F;AACF;AAKA,eAAsB,sBACpB,WACA,MACA,kBACA,aACA,SACqC;AACrC,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,QAAM,iBAAiB,kBAAkB,OAAO,sBAAsB;AACtE,QAAM,aAAa,MAAM,qBAAqB,KAAK;AACnD,QAAM,gBAAgB;AACtB,QAAM,cAAc,WAAW;AAE/B,MAAI,eAAe,WAAY,eAAe,CAAC,eAAgB;AAC7D,WAAO,0BAA0B,WAAW,gBAAgB,OAAO;AAAA,EACrE;AAEA,aAAW,cAAc;AAEzB,MAAI;AACF,QAAI,eAAe;AACjB,YAAM,SAAS,MAAM;AAAA,QACnB,cAAc;AAAA,QACd;AAAA,QACA,cAAc;AAAA,MAChB;AACA,aAAO;AAAA,QACL,GAAG;AAAA,QACH,SAAS;AAAA,MACX;AAAA,IACF;AAEA,UAAM,eAAe,MAAM,4BAA4B,WAAW,IAAI;AACtE,UAAM,kBAAkB,YAAY,KAAK,OAAK,EAAE,iBAAiB,aAAa,YAAY,KAAK;AAC/F,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,UAAM,UAAU,mBAAmB;AAAA,MACjC,cAAc,aAAa;AAAA,MAC3B,YAAY;AAAA,MACZ,YAAY;AAAA,MACZ,MAAM,aAAa;AAAA,MACnB,WAAW;AAAA,MACX,YAAY;AAAA,IACd;AAEA,WAAO;AAAA,MACL,WAAW,aAAa;AAAA,MACxB,mBAAmB,aAAa;AAAA,MAChC,gBAAgB,aAAa;AAAA,MAC7B,YAAY,aAAa;AAAA,MACzB,YAAY,aAAa;AAAA,MACzB;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,QAAI,eAAe,sBAAsB,KAAK,GAAG;AAC/C,aAAO,0BAA0B,WAAW,QAAW,OAAO;AAAA,IAChE;AAEA,UAAM;AAAA,EACR;AACF;AAKA,eAAsB,4BACpB,WACA,MAC2C;AAC3C,MAAI,CAAC,oBAAoB,GAAG;AAC1B,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC7D;AAEA,QAAM,eAAe;AACrB,QAAM,SAAS,MAAM,yBAAyB,WAAW,YAAY;AAErE,SAAO;AAAA,IACL,WAAW,OAAO;AAAA,IAClB,mBAAmB,OAAO;AAAA,IAC1B,gBAAgB,OAAO;AAAA,IACvB,YAAY,OAAO;AAAA,IACnB,YAAY,OAAO;AAAA,IACnB,cAAc,OAAO;AAAA,IACrB,MAAM;AAAA,EACR;AACF;AAIA,eAAeA,mBACb,QACA,UACA,SACY;AACZ,QAAM,iBAAiB,kBAAkB,QAAQ,sBAAsB;AACvE,QAAM,aAAa,MAAM,qBAAqB,MAAM;AACpD,MAAI,eAAe,SAAS;AAC1B,WAAO,QAAQ,cAAc;AAAA,EAC/B;AAEA,aAAW,cAAc;AAEzB,MAAI;AACF,WAAO,MAAM,SAAS;AAAA,EACxB,SAAS,OAAO;AACd,QAAI,sBAAsB,KAAK,GAAG;AAChC,aAAO,QAAQ;AAAA,IACjB;AACA,UAAM;AAAA,EACR;AACF;AAEA,eAAe,sBACb,cACA,WACA,MAC+B;AAC/B,QAAM,SAAS,MAAM,yBAAyB,WAAW,MAAM,YAAY;AAC3E,SAAO;AAAA,IACL,WAAW,OAAO;AAAA,IAClB,mBAAmB,OAAO;AAAA,IAC1B,gBAAgB,OAAO;AAAA,IACvB,YAAY,OAAO;AAAA,IACnB,YAAY,OAAO;AAAA,EACrB;AACF;AAEA,eAAe,yBACb,WACA,MACA,cAC0D;AAC1D,QAAM,iBAAiB,IAAI,WAAW,SAAS;AAC/C,QAAM,aAAgD;AAAA,IACpD,WAAW;AAAA,IACX;AAAA,IACA,kBAAkB;AAAA,IAClB,SAAS;AAAA,EACX;AAEA,MAAI,cAAc;AAChB,UAAM,qBAAqB,uBAAuB,YAAY;AAC9D,eAAW,mBAAmB;AAAA,MAC5B;AAAA,QACE,MAAM;AAAA,QACN,IAAI;AAAA,QACJ,YAAY,CAAC,YAAY,UAAU,OAAO,OAAO,KAAK;AAAA,MACxD;AAAA,IACF;AAAA,EACF;AAEA,QAAM,YAAa,MAAM,UAAU,YAAY,IAAI;AAAA,IACjD,WAAW;AAAA,EACb,CAAC;AAED,MAAI,CAAC,WAAW;AACd,UAAM,IAAI,MAAM,sCAAsC;AAAA,EACxD;AAEA,QAAM,WAAW,UAAU;AAE3B,QAAM,YAAY,IAAI,WAAW,SAAS,SAAS;AACnD,MAAI,EAAE,GAAG,EAAE,IAAI,kBAAkB,SAAS;AAC1C,MAAI,cAAc,CAAC;AAEnB,SAAO;AAAA,IACL,WAAW,IAAI,WAAW,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;AAAA,IACtC,mBAAmB,IAAI,WAAW,SAAS,iBAAiB;AAAA,IAC5D,gBAAgB,IAAI,WAAW,SAAS,cAAc;AAAA,IACtD,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,cAAcC,wBAAuB,UAAU,KAAK;AAAA,EACtD;AACF;AAEA,eAAe,wBACb,cACA,WACA,MACA,gBAC+B;AAC/B,QAAM,SAAS,MAAM;AAAA,IACnB;AAAA,IACA;AAAA,MACE;AAAA,MACA,oBAAoB,iBAAiB,SAAS;AAAA,MAC9C;AAAA,IACF;AAAA,IACA;AAAA,EACF;AAEA,SAAO,yBAAyB,MAAM;AACxC;AAEA,eAAe,0BACb,WACA,gBACA,SACqC;AACrC,QAAM,SAAS,MAAM;AAAA,IACnB;AAAA,IACA;AAAA,MACE,oBAAoB,iBAAiB,SAAS;AAAA,MAC9C;AAAA,IACF;AAAA,IACA;AAAA,EACF;AACA,SAAO,+BAA+B,MAAM;AAC9C;AAEA,SAAS,yBAAyB,QAAyD;AACzF,SAAO;AAAA,IACL,WAAW,iBAAiB,OAAO,kBAAkB;AAAA,IACrD,mBAAmB,iBAAiB,OAAO,0BAA0B;AAAA,IACrE,gBAAgB,iBAAiB,OAAO,uBAAuB;AAAA,IAC/D,YAAY,iBAAiB,OAAO,mBAAmB;AAAA,IACvD,YAAY,iBAAiB,OAAO,mBAAmB;AAAA,EACzD;AACF;AAEA,SAAS,+BACP,QAC4B;AAC5B,SAAO;AAAA,IACL,GAAG,yBAAyB,MAAM;AAAA,IAClC,SAAS,OAAO;AAAA,IAChB,UAAU,OAAO;AAAA,EACnB;AACF;;;ACpQA;AAAA,EACE,qBAAAC;AAAA,EACA,iBAAAC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAYP;AAAA,EACE,0BAAAC;AAAA,EACA,0BAAAC;AAAA,EACA;AAAA,EACA,oBAAAC;AAAA,EACA,oBAAAC;AAAA,EACA,cAAAC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;","names":["arrayBufferToBase64Url","runWithPromptMode","arrayBufferToBase64Url","parseDerSignature","normalizeLowS","arrayBufferToBase64Url","base64UrlToArrayBuffer","bytesToBase64Url","base64UrlToBytes","bytesToHex"]}