@thru/passkey 0.2.21 → 0.2.23

package/dist/auth/add-device.cjs

@@ -0,0 +1,139 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/auth/add-device.ts
+var add_device_exports = {};
+__export(add_device_exports, {
+  addDeviceToAccount: () => addDeviceToAccount
+});
+module.exports = __toCommonJS(add_device_exports);
+var import_passkey_manager = require("@thru/programs/passkey-manager");
+var import_multicall = require("@thru/programs/multicall");
+async function addDeviceToAccount(params) {
+  const status = params.onStatus ?? (() => {
+  });
+  const walletAccount = await params.thru.accounts.get(params.walletAddress);
+  const walletData = walletAccount?.data?.data;
+  if (!walletData) {
+    throw new Error("Wallet account data missing");
+  }
+  const parsed = (0, import_passkey_manager.parseWalletAuthorities)(walletData);
+  const authorizing = parsed.authorities[params.authIdx];
+  if (!authorizing) {
+    throw new Error("Authorization index out of bounds");
+  }
+  if (authorizing.kind !== "passkey") {
+    throw new Error(
+      "addDeviceToAccount currently requires a passkey authority for VALIDATE"
+    );
+  }
+  const newAuthorityIdx = parsed.authorities.length;
+  let readWriteAccounts = [];
+  let lookupSeed;
+  let lookupAddressBytes;
+  let lookupProof;
+  if (params.credentialId) {
+    lookupSeed = await (0, import_passkey_manager.createCredentialLookupSeed)(params.credentialId);
+    lookupAddressBytes = await (0, import_passkey_manager.deriveWalletAddress)(
+      lookupSeed,
+      params.programAddress
+    );
+    status("Fetching state proof for credential lookup...");
+    const proofResult = await params.thru.proofs.generate({
+      proofType: 1,
+      address: lookupAddressBytes
+    });
+    lookupProof = proofResult.proof;
+    readWriteAccounts = [lookupAddressBytes];
+  }
+  const ctx = (0, import_passkey_manager.buildAccountContext)({
+    walletAddress: params.walletAddress,
+    readWriteAccounts,
+    readOnlyAccounts: params.credentialId ? [import_multicall.MULTICALL_PROGRAM_PUBKEY] : [],
+    programAddress: params.programAddress
+  });
+  const passkeyProgramPubkey = (0, import_passkey_manager.decodeAddress)(params.programAddress);
+  const addAuthorityInstruction = (0, import_passkey_manager.encodeAddAuthorityInstruction)({
+    walletAccountIdx: ctx.walletAccountIdx,
+    authority: params.newAuthority
+  });
+  let targetProgramIdx = ctx.getAccountIndex(passkeyProgramPubkey);
+  let targetInstructionData = addAuthorityInstruction;
+  if (params.credentialId) {
+    if (!lookupSeed || !lookupAddressBytes || !lookupProof) {
+      throw new Error("Credential lookup proof data missing");
+    }
+    const registerCredentialInstruction = (0, import_passkey_manager.encodeRegisterCredentialInstruction)({
+      walletAccountIdx: ctx.walletAccountIdx,
+      lookupAccountIdx: ctx.getAccountIndex(lookupAddressBytes),
+      seed: lookupSeed,
+      stateProof: lookupProof
+    });
+    targetProgramIdx = ctx.getAccountIndex(import_multicall.MULTICALL_PROGRAM_PUBKEY);
+    targetInstructionData = (0, import_multicall.buildMulticallInstruction)([
+      {
+        programIdx: ctx.getAccountIndex(passkeyProgramPubkey),
+        instructionData: addAuthorityInstruction
+      },
+      {
+        programIdx: ctx.getAccountIndex(passkeyProgramPubkey),
+        instructionData: registerCredentialInstruction
+      }
+    ]);
+  }
+  const challenge = await (0, import_passkey_manager.createValidateChallenge)(
+    parsed.nonce,
+    ctx.accountAddresses,
+    ctx.walletAccountIdx,
+    params.authIdx,
+    {
+      programIdx: targetProgramIdx,
+      instructionData: targetInstructionData
+    }
+  );
+  status("Waiting for passkey approval...");
+  const signature = await params.passkey.signChallenge(challenge);
+  const validateInstruction = (0, import_passkey_manager.encodeValidateInstruction)({
+    walletAccountIdx: ctx.walletAccountIdx,
+    authIdx: params.authIdx,
+    targetInstruction: {
+      programIdx: targetProgramIdx,
+      instructionData: targetInstructionData
+    },
+    signatureR: signature.signatureR,
+    signatureS: signature.signatureS,
+    authenticatorData: signature.authenticatorData,
+    clientDataJSON: signature.clientDataJSON
+  });
+  status("Sending transaction...");
+  const result = await params.executor({
+    thru: params.thru,
+    walletSigner: params.walletSigner,
+    instructionData: validateInstruction,
+    readWriteAddresses: ctx.readWriteAddresses,
+    readOnlyAddresses: ctx.readOnlyAddresses,
+    label: params.credentialId ? "VALIDATE -> MULTICALL(ADD_AUTHORITY, REGISTER_CREDENTIAL)" : "VALIDATE -> ADD_AUTHORITY"
+  });
+  return { ...result, newAuthorityIdx };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  addDeviceToAccount
+});
+//# sourceMappingURL=add-device.cjs.map

package/dist/auth/add-device.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/auth/add-device.ts"],"sourcesContent":["/* Add-passkey-to-account transaction builder, lifted from\n   `web/wallet-auth-manager/app/page.tsx` (`runValidateThen`,\n   `handleSubmitAddPasskey`) so the wallet's `/embedded` post-connect\n   step can reuse the exact same flow.\n\n   Builds the on-chain transaction:\n     VALIDATE(existingAuthority -> ADD_AUTHORITY(newPasskey))\n     or VALIDATE(existingAuthority -> multicall[ADD_AUTHORITY, REGISTER_CREDENTIAL])\n   asks the caller's existing passkey to sign the challenge, then asks\n   the caller's wallet signer to sign the assembled transaction, sends\n   it, and returns the result. */\n\nimport {\n  type Authority,\n  buildAccountContext,\n  createValidateChallenge,\n  createCredentialLookupSeed,\n  decodeAddress,\n  deriveWalletAddress,\n  encodeAddAuthorityInstruction,\n  encodeRegisterCredentialInstruction,\n  encodeValidateInstruction,\n  parseWalletAuthorities,\n  type ParsedAuthority,\n  type WalletSigner,\n} from \"@thru/programs/passkey-manager\";\nimport {\n  MULTICALL_PROGRAM_PUBKEY,\n  buildMulticallInstruction,\n} from \"@thru/programs/multicall\";\n\n/** Minimal shape required from a passkey signer. Both web's\n    `signWithDiscoverablePasskey`/`signWithPasskey` and mobile's\n    counterparts conform. */\nexport interface PasskeyChallengeSigner {\n  signChallenge: (challenge: Uint8Array) => Promise<{\n    signatureR: Uint8Array;\n    signatureS: Uint8Array;\n    authenticatorData: Uint8Array;\n    clientDataJSON: Uint8Array;\n  }>;\n}\n\n/** Minimal shape required from a Thru chain client. Loosely-typed\n    because @thru/sdk's DTS emit is currently broken in this\n    repo. The caller passes the real Thru and we narrow operationally. */\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nexport type AnyThruClient = any;\n\nexport interface AddDeviceParams {\n  /** Loosely-typed Thru chain client (`@thru/sdk/client`). */\n  thru: AnyThruClient;\n  /** Wallet (the on-chain WalletAccount) to attach the passkey to. */\n  walletAddress: string;\n  /** Index of the existing authority that approves this change. Must\n      currently be a passkey authority. */\n  authIdx: number;\n  /** New passkey to attach. tag = 1 (passkey). */\n  newAuthority: Authority;\n  /** Optional credential-lookup registration so the new passkey is\n      discoverable on subsequent sign-ins. */\n  credentialId?: Uint8Array;\n  walletName?: string;\n  /** Existing-passkey challenge signer (web or mobile). */\n  passkey: PasskeyChallengeSigner;\n  /** Wallet transaction signer that returns base64(signed bytes). */\n  walletSigner: WalletSigner;\n  /** Passkey program address (base58). */\n  programAddress: string;\n  /** Sign-and-send executor (lifted from passkey-transaction.ts in the\n      wallet-auth-manager - wallet apps own this because it depends on\n      the `Thru` client's transaction builder). */\n  executor: TxExecutor;\n  /** Optional status callback so UIs can show progress. */\n  onStatus?: (message: string) => void;\n}\n\nexport interface TxExecutorParams {\n  thru: AnyThruClient;\n  walletSigner: WalletSigner;\n  instructionData: Uint8Array;\n  readWriteAddresses: string[];\n  readOnlyAddresses: string[];\n  label: string;\n}\n\nexport interface TxExecutorResult {\n  signature: string;\n  /** Loosely-typed because @thru/sdk types aren't available. */\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  execution: any;\n}\n\nexport type TxExecutor = (\n  params: TxExecutorParams,\n) => Promise<TxExecutorResult>;\n\nexport interface AddDeviceResult extends TxExecutorResult {\n  /** The new passkey's authority index after the transaction lands. */\n  newAuthorityIdx: number;\n}\n\n/**\n * Run VALIDATE + ADD_AUTHORITY [+ REGISTER_CREDENTIAL] to attach a new\n * passkey to an on-chain WalletAccount.\n */\nexport async function addDeviceToAccount(\n  params: AddDeviceParams,\n): Promise<AddDeviceResult> {\n  const status = params.onStatus ?? (() => {});\n\n  const walletAccount = await params.thru.accounts.get(params.walletAddress);\n  const walletData: Uint8Array | undefined = walletAccount?.data?.data;\n  if (!walletData) {\n    throw new Error(\"Wallet account data missing\");\n  }\n\n  const parsed = parseWalletAuthorities(walletData);\n  const authorizing: ParsedAuthority | undefined =\n    parsed.authorities[params.authIdx];\n  if (!authorizing) {\n    throw new Error(\"Authorization index out of bounds\");\n  }\n  if (authorizing.kind !== \"passkey\") {\n    throw new Error(\n      \"addDeviceToAccount currently requires a passkey authority for VALIDATE\",\n    );\n  }\n\n  /* The new authority will land at the next free slot. */\n  const newAuthorityIdx = parsed.authorities.length;\n\n  let readWriteAccounts: Uint8Array[] = [];\n  let lookupSeed: Uint8Array | undefined;\n  let lookupAddressBytes: Uint8Array | undefined;\n  let lookupProof: Uint8Array | undefined;\n\n  if (params.credentialId) {\n    lookupSeed = await createCredentialLookupSeed(params.credentialId);\n    lookupAddressBytes = await deriveWalletAddress(\n      lookupSeed,\n      params.programAddress,\n    );\n\n    status(\"Fetching state proof for credential lookup...\");\n    const proofResult = await params.thru.proofs.generate({\n      proofType: 1 /* StateProofType.CREATING */,\n      address: lookupAddressBytes,\n    });\n    lookupProof = proofResult.proof;\n    readWriteAccounts = [lookupAddressBytes];\n  }\n\n  const ctx = buildAccountContext({\n    walletAddress: params.walletAddress,\n    readWriteAccounts,\n    readOnlyAccounts: params.credentialId ? [MULTICALL_PROGRAM_PUBKEY] : [],\n    programAddress: params.programAddress,\n  });\n\n  const passkeyProgramPubkey = decodeAddress(params.programAddress);\n  const addAuthorityInstruction = encodeAddAuthorityInstruction({\n    walletAccountIdx: ctx.walletAccountIdx,\n    authority: params.newAuthority,\n  });\n\n  let targetProgramIdx = ctx.getAccountIndex(passkeyProgramPubkey);\n  let targetInstructionData = addAuthorityInstruction;\n\n  if (params.credentialId) {\n    if (!lookupSeed || !lookupAddressBytes || !lookupProof) {\n      throw new Error(\"Credential lookup proof data missing\");\n    }\n\n    const registerCredentialInstruction = encodeRegisterCredentialInstruction({\n      walletAccountIdx: ctx.walletAccountIdx,\n      lookupAccountIdx: ctx.getAccountIndex(lookupAddressBytes),\n      seed: lookupSeed,\n      stateProof: lookupProof,\n    });\n\n    targetProgramIdx = ctx.getAccountIndex(MULTICALL_PROGRAM_PUBKEY);\n    targetInstructionData = buildMulticallInstruction([\n      {\n        programIdx: ctx.getAccountIndex(passkeyProgramPubkey),\n        instructionData: addAuthorityInstruction,\n      },\n      {\n        programIdx: ctx.getAccountIndex(passkeyProgramPubkey),\n        instructionData: registerCredentialInstruction,\n      },\n    ]);\n  }\n\n  /* Build the VALIDATE challenge over the target CPI and ask the caller's passkey to sign. */\n  const challenge = await createValidateChallenge(\n    parsed.nonce,\n    ctx.accountAddresses,\n    ctx.walletAccountIdx,\n    params.authIdx,\n    {\n      programIdx: targetProgramIdx,\n      instructionData: targetInstructionData,\n    },\n  );\n\n  status(\"Waiting for passkey approval...\");\n  const signature = await params.passkey.signChallenge(challenge);\n\n  const validateInstruction = encodeValidateInstruction({\n    walletAccountIdx: ctx.walletAccountIdx,\n    authIdx: params.authIdx,\n    targetInstruction: {\n      programIdx: targetProgramIdx,\n      instructionData: targetInstructionData,\n    },\n    signatureR: signature.signatureR,\n    signatureS: signature.signatureS,\n    authenticatorData: signature.authenticatorData,\n    clientDataJSON: signature.clientDataJSON,\n  });\n\n  status(\"Sending transaction...\");\n  const result = await params.executor({\n    thru: params.thru,\n    walletSigner: params.walletSigner,\n    instructionData: validateInstruction,\n    readWriteAddresses: ctx.readWriteAddresses,\n    readOnlyAddresses: ctx.readOnlyAddresses,\n    label: params.credentialId\n      ? \"VALIDATE -> MULTICALL(ADD_AUTHORITY, REGISTER_CREDENTIAL)\"\n      : \"VALIDATE -> ADD_AUTHORITY\",\n  });\n\n  return { ...result, newAuthorityIdx };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAYA,6BAaO;AACP,uBAGO;AA6EP,eAAsB,mBACpB,QAC0B;AAC1B,QAAM,SAAS,OAAO,aAAa,MAAM;AAAA,EAAC;AAE1C,QAAM,gBAAgB,MAAM,OAAO,KAAK,SAAS,IAAI,OAAO,aAAa;AACzE,QAAM,aAAqC,eAAe,MAAM;AAChE,MAAI,CAAC,YAAY;AACf,UAAM,IAAI,MAAM,6BAA6B;AAAA,EAC/C;AAEA,QAAM,aAAS,+CAAuB,UAAU;AAChD,QAAM,cACJ,OAAO,YAAY,OAAO,OAAO;AACnC,MAAI,CAAC,aAAa;AAChB,UAAM,IAAI,MAAM,mCAAmC;AAAA,EACrD;AACA,MAAI,YAAY,SAAS,WAAW;AAClC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAGA,QAAM,kBAAkB,OAAO,YAAY;AAE3C,MAAI,oBAAkC,CAAC;AACvC,MAAI;AACJ,MAAI;AACJ,MAAI;AAEJ,MAAI,OAAO,cAAc;AACvB,iBAAa,UAAM,mDAA2B,OAAO,YAAY;AACjE,yBAAqB,UAAM;AAAA,MACzB;AAAA,MACA,OAAO;AAAA,IACT;AAEA,WAAO,+CAA+C;AACtD,UAAM,cAAc,MAAM,OAAO,KAAK,OAAO,SAAS;AAAA,MACpD,WAAW;AAAA,MACX,SAAS;AAAA,IACX,CAAC;AACD,kBAAc,YAAY;AAC1B,wBAAoB,CAAC,kBAAkB;AAAA,EACzC;AAEA,QAAM,UAAM,4CAAoB;AAAA,IAC9B,eAAe,OAAO;AAAA,IACtB;AAAA,IACA,kBAAkB,OAAO,eAAe,CAAC,yCAAwB,IAAI,CAAC;AAAA,IACtE,gBAAgB,OAAO;AAAA,EACzB,CAAC;AAED,QAAM,2BAAuB,sCAAc,OAAO,cAAc;AAChE,QAAM,8BAA0B,sDAA8B;AAAA,IAC5D,kBAAkB,IAAI;AAAA,IACtB,WAAW,OAAO;AAAA,EACpB,CAAC;AAED,MAAI,mBAAmB,IAAI,gBAAgB,oBAAoB;AAC/D,MAAI,wBAAwB;AAE5B,MAAI,OAAO,cAAc;AACvB,QAAI,CAAC,cAAc,CAAC,sBAAsB,CAAC,aAAa;AACtD,YAAM,IAAI,MAAM,sCAAsC;AAAA,IACxD;AAEA,UAAM,oCAAgC,4DAAoC;AAAA,MACxE,kBAAkB,IAAI;AAAA,MACtB,kBAAkB,IAAI,gBAAgB,kBAAkB;AAAA,MACxD,MAAM;AAAA,MACN,YAAY;AAAA,IACd,CAAC;AAED,uBAAmB,IAAI,gBAAgB,yCAAwB;AAC/D,gCAAwB,4CAA0B;AAAA,MAChD;AAAA,QACE,YAAY,IAAI,gBAAgB,oBAAoB;AAAA,QACpD,iBAAiB;AAAA,MACnB;AAAA,MACA;AAAA,QACE,YAAY,IAAI,gBAAgB,oBAAoB;AAAA,QACpD,iBAAiB;AAAA,MACnB;AAAA,IACF,CAAC;AAAA,EACH;AAGA,QAAM,YAAY,UAAM;AAAA,IACtB,OAAO;AAAA,IACP,IAAI;AAAA,IACJ,IAAI;AAAA,IACJ,OAAO;AAAA,IACP;AAAA,MACE,YAAY;AAAA,MACZ,iBAAiB;AAAA,IACnB;AAAA,EACF;AAEA,SAAO,iCAAiC;AACxC,QAAM,YAAY,MAAM,OAAO,QAAQ,cAAc,SAAS;AAE9D,QAAM,0BAAsB,kDAA0B;AAAA,IACpD,kBAAkB,IAAI;AAAA,IACtB,SAAS,OAAO;AAAA,IAChB,mBAAmB;AAAA,MACjB,YAAY;AAAA,MACZ,iBAAiB;AAAA,IACnB;AAAA,IACA,YAAY,UAAU;AAAA,IACtB,YAAY,UAAU;AAAA,IACtB,mBAAmB,UAAU;AAAA,IAC7B,gBAAgB,UAAU;AAAA,EAC5B,CAAC;AAED,SAAO,wBAAwB;AAC/B,QAAM,SAAS,MAAM,OAAO,SAAS;AAAA,IACnC,MAAM,OAAO;AAAA,IACb,cAAc,OAAO;AAAA,IACrB,iBAAiB;AAAA,IACjB,oBAAoB,IAAI;AAAA,IACxB,mBAAmB,IAAI;AAAA,IACvB,OAAO,OAAO,eACV,8DACA;AAAA,EACN,CAAC;AAED,SAAO,EAAE,GAAG,QAAQ,gBAAgB;AACtC;","names":[]}

package/dist/auth/add-device.d.cts

@@ -0,0 +1,69 @@
+import { Authority, WalletSigner } from '@thru/programs/passkey-manager';
+
+/** Minimal shape required from a passkey signer. Both web's
+    `signWithDiscoverablePasskey`/`signWithPasskey` and mobile's
+    counterparts conform. */
+interface PasskeyChallengeSigner {
+    signChallenge: (challenge: Uint8Array) => Promise<{
+        signatureR: Uint8Array;
+        signatureS: Uint8Array;
+        authenticatorData: Uint8Array;
+        clientDataJSON: Uint8Array;
+    }>;
+}
+/** Minimal shape required from a Thru chain client. Loosely-typed
+    because @thru/sdk's DTS emit is currently broken in this
+    repo. The caller passes the real Thru and we narrow operationally. */
+type AnyThruClient = any;
+interface AddDeviceParams {
+    /** Loosely-typed Thru chain client (`@thru/sdk/client`). */
+    thru: AnyThruClient;
+    /** Wallet (the on-chain WalletAccount) to attach the passkey to. */
+    walletAddress: string;
+    /** Index of the existing authority that approves this change. Must
+        currently be a passkey authority. */
+    authIdx: number;
+    /** New passkey to attach. tag = 1 (passkey). */
+    newAuthority: Authority;
+    /** Optional credential-lookup registration so the new passkey is
+        discoverable on subsequent sign-ins. */
+    credentialId?: Uint8Array;
+    walletName?: string;
+    /** Existing-passkey challenge signer (web or mobile). */
+    passkey: PasskeyChallengeSigner;
+    /** Wallet transaction signer that returns base64(signed bytes). */
+    walletSigner: WalletSigner;
+    /** Passkey program address (base58). */
+    programAddress: string;
+    /** Sign-and-send executor (lifted from passkey-transaction.ts in the
+        wallet-auth-manager - wallet apps own this because it depends on
+        the `Thru` client's transaction builder). */
+    executor: TxExecutor;
+    /** Optional status callback so UIs can show progress. */
+    onStatus?: (message: string) => void;
+}
+interface TxExecutorParams {
+    thru: AnyThruClient;
+    walletSigner: WalletSigner;
+    instructionData: Uint8Array;
+    readWriteAddresses: string[];
+    readOnlyAddresses: string[];
+    label: string;
+}
+interface TxExecutorResult {
+    signature: string;
+    /** Loosely-typed because @thru/sdk types aren't available. */
+    execution: any;
+}
+type TxExecutor = (params: TxExecutorParams) => Promise<TxExecutorResult>;
+interface AddDeviceResult extends TxExecutorResult {
+    /** The new passkey's authority index after the transaction lands. */
+    newAuthorityIdx: number;
+}
+/**
+ * Run VALIDATE + ADD_AUTHORITY [+ REGISTER_CREDENTIAL] to attach a new
+ * passkey to an on-chain WalletAccount.
+ */
+declare function addDeviceToAccount(params: AddDeviceParams): Promise<AddDeviceResult>;
+
+export { type AddDeviceParams, type AddDeviceResult, type AnyThruClient, type PasskeyChallengeSigner, type TxExecutor, type TxExecutorParams, type TxExecutorResult, addDeviceToAccount };

package/dist/auth/add-device.d.ts

@@ -0,0 +1,69 @@
+import { Authority, WalletSigner } from '@thru/programs/passkey-manager';
+
+/** Minimal shape required from a passkey signer. Both web's
+    `signWithDiscoverablePasskey`/`signWithPasskey` and mobile's
+    counterparts conform. */
+interface PasskeyChallengeSigner {
+    signChallenge: (challenge: Uint8Array) => Promise<{
+        signatureR: Uint8Array;
+        signatureS: Uint8Array;
+        authenticatorData: Uint8Array;
+        clientDataJSON: Uint8Array;
+    }>;
+}
+/** Minimal shape required from a Thru chain client. Loosely-typed
+    because @thru/sdk's DTS emit is currently broken in this
+    repo. The caller passes the real Thru and we narrow operationally. */
+type AnyThruClient = any;
+interface AddDeviceParams {
+    /** Loosely-typed Thru chain client (`@thru/sdk/client`). */
+    thru: AnyThruClient;
+    /** Wallet (the on-chain WalletAccount) to attach the passkey to. */
+    walletAddress: string;
+    /** Index of the existing authority that approves this change. Must
+        currently be a passkey authority. */
+    authIdx: number;
+    /** New passkey to attach. tag = 1 (passkey). */
+    newAuthority: Authority;
+    /** Optional credential-lookup registration so the new passkey is
+        discoverable on subsequent sign-ins. */
+    credentialId?: Uint8Array;
+    walletName?: string;
+    /** Existing-passkey challenge signer (web or mobile). */
+    passkey: PasskeyChallengeSigner;
+    /** Wallet transaction signer that returns base64(signed bytes). */
+    walletSigner: WalletSigner;
+    /** Passkey program address (base58). */
+    programAddress: string;
+    /** Sign-and-send executor (lifted from passkey-transaction.ts in the
+        wallet-auth-manager - wallet apps own this because it depends on
+        the `Thru` client's transaction builder). */
+    executor: TxExecutor;
+    /** Optional status callback so UIs can show progress. */
+    onStatus?: (message: string) => void;
+}
+interface TxExecutorParams {
+    thru: AnyThruClient;
+    walletSigner: WalletSigner;
+    instructionData: Uint8Array;
+    readWriteAddresses: string[];
+    readOnlyAddresses: string[];
+    label: string;
+}
+interface TxExecutorResult {
+    signature: string;
+    /** Loosely-typed because @thru/sdk types aren't available. */
+    execution: any;
+}
+type TxExecutor = (params: TxExecutorParams) => Promise<TxExecutorResult>;
+interface AddDeviceResult extends TxExecutorResult {
+    /** The new passkey's authority index after the transaction lands. */
+    newAuthorityIdx: number;
+}
+/**
+ * Run VALIDATE + ADD_AUTHORITY [+ REGISTER_CREDENTIAL] to attach a new
+ * passkey to an on-chain WalletAccount.
+ */
+declare function addDeviceToAccount(params: AddDeviceParams): Promise<AddDeviceResult>;
+
+export { type AddDeviceParams, type AddDeviceResult, type AnyThruClient, type PasskeyChallengeSigner, type TxExecutor, type TxExecutorParams, type TxExecutorResult, addDeviceToAccount };

package/dist/auth/add-device.js

@@ -0,0 +1,7 @@
+import {
+  addDeviceToAccount
+} from "../chunk-KASTJBBY.js";
+export {
+  addDeviceToAccount
+};
+//# sourceMappingURL=add-device.js.map

package/dist/auth/add-device.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/auth.cjs

@@ -30,6 +30,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/auth/index.ts
 var auth_exports = {};
 __export(auth_exports, {
+  addDeviceToAccount: () => addDeviceToAccount,
   createPasskeyAuthStore: () => createPasskeyAuthStore,
   executePasskeyTransaction: () => executePasskeyTransaction,
   getPasskeyAuthStore: () => getPasskeyAuthStore,
@@ -38,11 +39,11 @@ __export(auth_exports, {
 module.exports = __toCommonJS(auth_exports);
 
 // src/auth/execute-tx.ts
-var import_passkey_manager2 = require("@thru/passkey-manager");
+var import_passkey_manager2 = require("@thru/programs/passkey-manager");
 
 // src/mobile/passkey.ts
 var import_react_native_passkeys = require("react-native-passkeys");
-var import_passkey_manager = require("@thru/passkey-manager");
+var import_passkey_manager = require("@thru/programs/passkey-manager");
 function getDefaultConfig(config) {
   const env = globalThis.process?.env ?? {};
   return {
@@ -301,8 +302,119 @@ async function executePasskeyTransaction(opts) {
   return submitData;
 }
 
+// src/auth/add-device.ts
+var import_passkey_manager3 = require("@thru/programs/passkey-manager");
+var import_multicall = require("@thru/programs/multicall");
+async function addDeviceToAccount(params) {
+  const status = params.onStatus ?? (() => {
+  });
+  const walletAccount = await params.thru.accounts.get(params.walletAddress);
+  const walletData = walletAccount?.data?.data;
+  if (!walletData) {
+    throw new Error("Wallet account data missing");
+  }
+  const parsed = (0, import_passkey_manager3.parseWalletAuthorities)(walletData);
+  const authorizing = parsed.authorities[params.authIdx];
+  if (!authorizing) {
+    throw new Error("Authorization index out of bounds");
+  }
+  if (authorizing.kind !== "passkey") {
+    throw new Error(
+      "addDeviceToAccount currently requires a passkey authority for VALIDATE"
+    );
+  }
+  const newAuthorityIdx = parsed.authorities.length;
+  let readWriteAccounts = [];
+  let lookupSeed;
+  let lookupAddressBytes;
+  let lookupProof;
+  if (params.credentialId) {
+    lookupSeed = await (0, import_passkey_manager3.createCredentialLookupSeed)(params.credentialId);
+    lookupAddressBytes = await (0, import_passkey_manager3.deriveWalletAddress)(
+      lookupSeed,
+      params.programAddress
+    );
+    status("Fetching state proof for credential lookup...");
+    const proofResult = await params.thru.proofs.generate({
+      proofType: 1,
+      address: lookupAddressBytes
+    });
+    lookupProof = proofResult.proof;
+    readWriteAccounts = [lookupAddressBytes];
+  }
+  const ctx = (0, import_passkey_manager3.buildAccountContext)({
+    walletAddress: params.walletAddress,
+    readWriteAccounts,
+    readOnlyAccounts: params.credentialId ? [import_multicall.MULTICALL_PROGRAM_PUBKEY] : [],
+    programAddress: params.programAddress
+  });
+  const passkeyProgramPubkey = (0, import_passkey_manager3.decodeAddress)(params.programAddress);
+  const addAuthorityInstruction = (0, import_passkey_manager3.encodeAddAuthorityInstruction)({
+    walletAccountIdx: ctx.walletAccountIdx,
+    authority: params.newAuthority
+  });
+  let targetProgramIdx = ctx.getAccountIndex(passkeyProgramPubkey);
+  let targetInstructionData = addAuthorityInstruction;
+  if (params.credentialId) {
+    if (!lookupSeed || !lookupAddressBytes || !lookupProof) {
+      throw new Error("Credential lookup proof data missing");
+    }
+    const registerCredentialInstruction = (0, import_passkey_manager3.encodeRegisterCredentialInstruction)({
+      walletAccountIdx: ctx.walletAccountIdx,
+      lookupAccountIdx: ctx.getAccountIndex(lookupAddressBytes),
+      seed: lookupSeed,
+      stateProof: lookupProof
+    });
+    targetProgramIdx = ctx.getAccountIndex(import_multicall.MULTICALL_PROGRAM_PUBKEY);
+    targetInstructionData = (0, import_multicall.buildMulticallInstruction)([
+      {
+        programIdx: ctx.getAccountIndex(passkeyProgramPubkey),
+        instructionData: addAuthorityInstruction
+      },
+      {
+        programIdx: ctx.getAccountIndex(passkeyProgramPubkey),
+        instructionData: registerCredentialInstruction
+      }
+    ]);
+  }
+  const challenge = await (0, import_passkey_manager3.createValidateChallenge)(
+    parsed.nonce,
+    ctx.accountAddresses,
+    ctx.walletAccountIdx,
+    params.authIdx,
+    {
+      programIdx: targetProgramIdx,
+      instructionData: targetInstructionData
+    }
+  );
+  status("Waiting for passkey approval...");
+  const signature = await params.passkey.signChallenge(challenge);
+  const validateInstruction = (0, import_passkey_manager3.encodeValidateInstruction)({
+    walletAccountIdx: ctx.walletAccountIdx,
+    authIdx: params.authIdx,
+    targetInstruction: {
+      programIdx: targetProgramIdx,
+      instructionData: targetInstructionData
+    },
+    signatureR: signature.signatureR,
+    signatureS: signature.signatureS,
+    authenticatorData: signature.authenticatorData,
+    clientDataJSON: signature.clientDataJSON
+  });
+  status("Sending transaction...");
+  const result = await params.executor({
+    thru: params.thru,
+    walletSigner: params.walletSigner,
+    instructionData: validateInstruction,
+    readWriteAddresses: ctx.readWriteAddresses,
+    readOnlyAddresses: ctx.readOnlyAddresses,
+    label: params.credentialId ? "VALIDATE -> MULTICALL(ADD_AUTHORITY, REGISTER_CREDENTIAL)" : "VALIDATE -> ADD_AUTHORITY"
+  });
+  return { ...result, newAuthorityIdx };
+}
+
 // src/auth/use-passkey-auth.ts
-var import_passkey_manager3 = require("@thru/passkey-manager");
+var import_passkey_manager4 = require("@thru/programs/passkey-manager");
 var import_zustand = require("zustand");
 
 // src/mobile/errors.ts
@@ -429,18 +541,20 @@ function createPasskeyAuthStore(config) {
       set({ isLoading: true, error: null, needsNewPasskey: false });
       try {
         const tempId = `user-${Date.now()}`;
-        const { credentialId, publicKeyX, publicKeyY, rpId } = await registerPasskey(resolvedAlias, tempId, {
+        const passkeyLabel = resolvedAlias.trim() || "Thru Wallet";
+        const { credentialId, publicKeyX, publicKeyY, rpId } = await registerPasskey(passkeyLabel, tempId, {
           rpId: config.rpId,
           rpName: config.rpName
         });
         const now = (/* @__PURE__ */ new Date()).toISOString();
-        const pubkeyXHex = (0, import_passkey_manager3.bytesToHex)(publicKeyX);
-        const pubkeyYHex = (0, import_passkey_manager3.bytesToHex)(publicKeyY);
+        const pubkeyXHex = (0, import_passkey_manager4.bytesToHex)(publicKeyX);
+        const pubkeyYHex = (0, import_passkey_manager4.bytesToHex)(publicKeyY);
         await storePasskeyMetadata({
           credentialId,
           publicKeyX: pubkeyXHex,
           publicKeyY: pubkeyYHex,
           rpId,
+          label: passkeyLabel,
           createdAt: now,
           lastUsedAt: now
         });
@@ -664,6 +778,7 @@ function usePasskeyAuth(config) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  addDeviceToAccount,
   createPasskeyAuthStore,
   executePasskeyTransaction,
   getPasskeyAuthStore,