@thru/programs 0.2.25 → 0.2.28

package/src/passkey-manager/accounts.ts

@@ -1,15 +1,20 @@
 import { encodeAddress } from '@thru/sdk/helpers';
+import { LONG_LIVED_AUTHORITY_EXPIRY_SECONDS } from './constants';
 import {
   CredentialLookup,
   WalletAccount,
 } from './abi/thru/program/passkey_manager/types';
 
+const LEGACY_WALLET_HEADER_BYTES = 9;
+const LEGACY_AUTHORITY_BYTES = 65;
+const AUTHORITY_DATA_BYTES = 64;
+
 /**
  * Parse wallet account data to extract nonce.
  */
 export function parseWalletNonce(data: Uint8Array): bigint {
   const account = WalletAccount.from_array(data);
-  if (!account) return 0n;
+  if (!account) return parseLegacyWalletNonce(data) ?? 0n;
   return account.get_nonce();
 }
 
@@ -24,9 +29,7 @@ export async function fetchWalletNonce(
   const account = await sdk.accounts.get(walletAddress);
   const data = account.data?.data;
   if (!data) return 0n;
-  const parsed = WalletAccount.from_array(data);
-  if (!parsed) return 0n;
-  return parsed.get_nonce();
+  return parseWalletNonce(data);
 }
 
 /* ------------------------------------------------------------------ */
@@ -36,17 +39,20 @@ export async function fetchWalletNonce(
 export type ParsedAuthority =
   | {
       idx: number;
+      expiresAtBlockTimeSeconds: bigint;
       kind: 'passkey';
       x: Uint8Array;
       y: Uint8Array;
     }
   | {
       idx: number;
+      expiresAtBlockTimeSeconds: bigint;
       kind: 'pubkey';
       pubkey: Uint8Array;
     }
   | {
       idx: number;
+      expiresAtBlockTimeSeconds: bigint;
       kind: 'unknown';
       tag: number;
       data: Uint8Array;
@@ -55,56 +61,84 @@ export type ParsedAuthority =
 export interface WalletAuthorities {
   nonce: bigint;
   authorities: ParsedAuthority[];
-}
-
-const AUTHORITY_HEADER_BYTES = 9; /* num_auth (u8) + nonce (u64 LE) */
-const AUTHORITY_ENTRY_BYTES = 65; /* tag (u8) + data (64) */
-
-function readU64LE(data: Uint8Array, offset: number): bigint {
-  if (offset + 8 > data.length) {
-    throw new Error('Out of bounds');
-  }
-  let value = 0n;
-  for (let i = 0; i < 8; i++) {
-    value |= BigInt(data[offset + i]) << (8n * BigInt(i));
-  }
-  return value;
+  layout: 'authorityRecord' | 'legacyAuthority';
 }
 
 /**
  * Parse the on-chain WalletAccount data buffer into its nonce and full
- * authority list. The on-chain layout is:
- *
- *   num_auth: u8
- *   nonce:    u64 LE
- *   authorities[num_auth + 1]: { tag: u8, data: [u8; 64] }
- *
- * (`num_auth + 1` because num_auth stores the count minus one.)
+ * authority list using the generated ABI view.
  */
 export function parseWalletAuthorities(data: Uint8Array): WalletAuthorities {
-  if (data.length < AUTHORITY_HEADER_BYTES) {
-    throw new Error('Wallet data too small');
+  const account = WalletAccount.from_array(data);
+  if (!account) {
+    const legacy = parseLegacyWalletAuthorities(data);
+    if (legacy) return legacy;
+    throw new Error('Wallet data truncated');
   }
 
+  const authorities: ParsedAuthority[] = [];
+  account.get_authorities().forEach((record, idx) => {
+    const authority = record.get_authority();
+    const tag = authority.get_tag();
+    const payload = Uint8Array.from(authority.get_data());
+    const expiresAtBlockTimeSeconds =
+      record.get_expires_at_block_time_seconds();
+
+    if (tag === 1) {
+      authorities.push({
+        idx,
+        expiresAtBlockTimeSeconds,
+        kind: 'passkey',
+        x: payload.slice(0, 32),
+        y: payload.slice(32, 64),
+      });
+      return;
+    }
+
+    if (tag === 2) {
+      authorities.push({
+        idx,
+        expiresAtBlockTimeSeconds,
+        kind: 'pubkey',
+        pubkey: payload.slice(0, 32),
+      });
+      return;
+    }
+
+    authorities.push({ idx, expiresAtBlockTimeSeconds, kind: 'unknown', tag, data: payload });
+  });
+
+  return { nonce: account.get_nonce(), authorities, layout: 'authorityRecord' };
+}
+
+function parseLegacyWalletNonce(data: Uint8Array): bigint | null {
+  if (data.length < LEGACY_WALLET_HEADER_BYTES) return null;
+  const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
+  return view.getBigUint64(1, true);
+}
+
+function parseLegacyWalletAuthorities(data: Uint8Array): WalletAuthorities | null {
+  if (data.length < LEGACY_WALLET_HEADER_BYTES) return null;
+
   const numAuth = data[0];
-  const nonce = readU64LE(data, 1);
+  const authorityCount = numAuth + 1;
+  const requiredLength = LEGACY_WALLET_HEADER_BYTES + authorityCount * LEGACY_AUTHORITY_BYTES;
+  if (data.length < requiredLength) return null;
 
-  const count = numAuth + 1;
-  const required =
-    AUTHORITY_HEADER_BYTES + count * AUTHORITY_ENTRY_BYTES;
-  if (data.length < required) {
-    throw new Error('Wallet data truncated');
-  }
+  const nonce = parseLegacyWalletNonce(data);
+  if (nonce === null) return null;
 
   const authorities: ParsedAuthority[] = [];
-  for (let idx = 0; idx < count; idx++) {
-    const offset = AUTHORITY_HEADER_BYTES + idx * AUTHORITY_ENTRY_BYTES;
+  for (let idx = 0; idx < authorityCount; idx += 1) {
+    const offset = LEGACY_WALLET_HEADER_BYTES + idx * LEGACY_AUTHORITY_BYTES;
     const tag = data[offset];
-    const payload = data.slice(offset + 1, offset + AUTHORITY_ENTRY_BYTES);
+    const payload = data.slice(offset + 1, offset + 1 + AUTHORITY_DATA_BYTES);
+    const expiresAtBlockTimeSeconds = LONG_LIVED_AUTHORITY_EXPIRY_SECONDS;
 
     if (tag === 1) {
       authorities.push({
         idx,
+        expiresAtBlockTimeSeconds,
         kind: 'passkey',
         x: payload.slice(0, 32),
         y: payload.slice(32, 64),
@@ -113,14 +147,19 @@ export function parseWalletAuthorities(data: Uint8Array): WalletAuthorities {
     }
 
     if (tag === 2) {
-      authorities.push({ idx, kind: 'pubkey', pubkey: payload.slice(0, 32) });
+      authorities.push({
+        idx,
+        expiresAtBlockTimeSeconds,
+        kind: 'pubkey',
+        pubkey: payload.slice(0, 32),
+      });
       continue;
     }
 
-    authorities.push({ idx, kind: 'unknown', tag, data: payload });
+    authorities.push({ idx, expiresAtBlockTimeSeconds, kind: 'unknown', tag, data: payload });
   }
 
-  return { nonce, authorities };
+  return { nonce, authorities, layout: 'legacyAuthority' };
 }
 
 /**

package/src/passkey-manager/constants.ts

@@ -1,5 +1,10 @@
+import {
+  Authority,
+  AuthorityRecord,
+} from './abi/thru/program/passkey_manager/types';
+
 export const PASSKEY_MANAGER_PROGRAM_ADDRESS =
-  'taUDdQyFxvM5i0HFRkEK3W45kWLyblAHSnMg4zplgUnz6Z';
+  'tabsq39mzj3DZlutXOGG6VtfMj8fUvI0HIOXfZm7TLLY6N';
 
 // Instruction discriminants
 export const INSTRUCTION_CREATE = 0x00;
@@ -12,3 +17,7 @@ export const INSTRUCTION_REGISTER_CREDENTIAL = 0x06;
 // Authority tags
 export const AUTHORITY_TAG_PASSKEY = 1;
 export const AUTHORITY_TAG_PUBKEY = 2;
+
+export const AUTHORITY_BYTES = Authority.footprint();
+export const AUTHORITY_RECORD_BYTES = AuthorityRecord.footprint();
+export const LONG_LIVED_AUTHORITY_EXPIRY_SECONDS = 0xffffffffffffffffn;

package/src/passkey-manager/index.ts

@@ -9,11 +9,15 @@ export {
   INSTRUCTION_REGISTER_CREDENTIAL,
   AUTHORITY_TAG_PASSKEY,
   AUTHORITY_TAG_PUBKEY,
+  AUTHORITY_BYTES,
+  AUTHORITY_RECORD_BYTES,
+  LONG_LIVED_AUTHORITY_EXPIRY_SECONDS,
 } from './constants';
 
 // Types
 export type {
   Authority,
+  AuthorityRecord,
   CreateInstructionParams,
   TransferInstructionParams,
   TargetInstructionParams,
@@ -31,12 +35,24 @@ export type {
 } from './types';
 
 // Instructions
-export { encodeCreateInstruction } from './instructions/create';
+export {
+  buildAuthority,
+  buildAuthorityRecord,
+  createAuthorityRecord,
+  createSessionAuthorityRecord,
+  encodeCreateInstruction,
+  encodeLegacyCreateInstruction,
+} from './instructions/create';
 export { encodeValidateInstruction } from './instructions/validate';
 export { encodeTransferInstruction } from './instructions/transfer';
-export { encodeAddAuthorityInstruction } from './instructions/add-authority';
+export { encodeInvokeInstruction } from './instructions/invoke';
+export {
+  encodeAddAuthorityInstruction,
+  encodeLegacyAddAuthorityInstruction,
+} from './instructions/add-authority';
 export { encodeRemoveAuthorityInstruction } from './instructions/remove-authority';
 export { encodeRegisterCredentialInstruction } from './instructions/register-credential';
+export { concatenateInstructions } from './instructions/shared';
 
 // Challenge
 export { createValidateChallenge, VALIDATE_CHALLENGE_DOMAIN } from './challenge';

package/src/passkey-manager/instructions/add-authority.ts

@@ -1,9 +1,10 @@
 import type { AddAuthorityInstructionParams } from '../types';
+import { INSTRUCTION_ADD_AUTHORITY } from '../constants';
 import {
   AddAuthorityArgsBuilder,
   PasskeyInstructionBuilder,
 } from '../abi/thru/program/passkey_manager/types';
-import { buildAuthority } from './create';
+import { buildAuthority, buildAuthorityRecord } from './create';
 
 export function encodeAddAuthorityInstruction(params: AddAuthorityInstructionParams): Uint8Array {
   const { walletAccountIdx } = params;
@@ -11,11 +12,11 @@ export function encodeAddAuthorityInstruction(params: AddAuthorityInstructionPar
     throw new Error('walletAccountIdx must be 0-65535');
   }
 
-  const authorityBytes = buildAuthority(params.authority);
+  const authorityRecordBytes = buildAuthorityRecord(params.authorityRecord);
 
   const argsPayload = new AddAuthorityArgsBuilder()
     .set_wallet_account_idx(walletAccountIdx)
-    .set_authority(authorityBytes)
+    .set_authority_record(authorityRecordBytes)
     .build();
 
   return new PasskeyInstructionBuilder()
@@ -25,3 +26,30 @@ export function encodeAddAuthorityInstruction(params: AddAuthorityInstructionPar
     .finish()
     .build();
 }
+
+function writeU16LE(target: Uint8Array, offset: number, value: number): void {
+  target[offset] = value & 0xff;
+  target[offset + 1] = (value >> 8) & 0xff;
+}
+
+/**
+ * Encode ADD_AUTHORITY for the currently deployed legacy passkey-manager.
+ *
+ * Legacy ADD_AUTHORITY appends a bare 65-byte Authority. Expiry remains a
+ * local wallet/session policy until the AuthorityRecord program is deployed.
+ */
+export function encodeLegacyAddAuthorityInstruction(
+  params: AddAuthorityInstructionParams
+): Uint8Array {
+  const { walletAccountIdx } = params;
+  if (walletAccountIdx < 0 || walletAccountIdx > 0xffff) {
+    throw new Error('walletAccountIdx must be 0-65535');
+  }
+
+  const authorityBytes = buildAuthority(params.authorityRecord.authority);
+  const output = new Uint8Array(1 + 2 + authorityBytes.length);
+  output[0] = INSTRUCTION_ADD_AUTHORITY;
+  writeU16LE(output, 1, walletAccountIdx);
+  output.set(authorityBytes, 3);
+  return output;
+}

package/src/passkey-manager/instructions/create.ts

@@ -1,21 +1,33 @@
-import type { Authority, CreateInstructionParams } from '../types';
 import {
+  AUTHORITY_BYTES,
+  AUTHORITY_RECORD_BYTES,
+  LONG_LIVED_AUTHORITY_EXPIRY_SECONDS,
+  INSTRUCTION_CREATE,
+} from '../constants';
+import type { Authority, AuthorityRecord, CreateInstructionParams } from '../types';
+import {
+  Authority as AuthorityView,
   AuthorityBuilder,
+  AuthorityRecord as AuthorityRecordView,
   CreateArgsBuilder,
   PasskeyInstructionBuilder,
 } from '../abi/thru/program/passkey_manager/types';
 
+const AUTHORITY_DATA_BYTES = AUTHORITY_BYTES - 1;
+const PUBKEY_BYTES = AUTHORITY_DATA_BYTES / 2;
+const U64_MAX = 0xffffffffffffffffn;
+
 function buildAuthority(authority: Authority): Uint8Array {
-  const data = new Array<number>(64).fill(0);
+  const data = new Array<number>(AUTHORITY_DATA_BYTES).fill(0);
 
   if (authority.tag === 1) {
-    if (authority.pubkeyX.length !== 32) throw new Error('pubkeyX must be 32 bytes');
-    if (authority.pubkeyY.length !== 32) throw new Error('pubkeyY must be 32 bytes');
-    for (let i = 0; i < 32; i++) data[i] = authority.pubkeyX[i];
-    for (let i = 0; i < 32; i++) data[32 + i] = authority.pubkeyY[i];
+    if (authority.pubkeyX.length !== PUBKEY_BYTES) throw new Error('pubkeyX must be 32 bytes');
+    if (authority.pubkeyY.length !== PUBKEY_BYTES) throw new Error('pubkeyY must be 32 bytes');
+    for (let i = 0; i < PUBKEY_BYTES; i++) data[i] = authority.pubkeyX[i];
+    for (let i = 0; i < PUBKEY_BYTES; i++) data[PUBKEY_BYTES + i] = authority.pubkeyY[i];
   } else if (authority.tag === 2) {
-    if (authority.pubkey.length !== 32) throw new Error('pubkey must be 32 bytes');
-    for (let i = 0; i < 32; i++) data[i] = authority.pubkey[i];
+    if (authority.pubkey.length !== PUBKEY_BYTES) throw new Error('pubkey must be 32 bytes');
+    for (let i = 0; i < PUBKEY_BYTES; i++) data[i] = authority.pubkey[i];
   } else {
     throw new Error('Invalid authority tag');
   }
@@ -28,19 +40,70 @@ function buildAuthority(authority: Authority): Uint8Array {
 
 export { buildAuthority };
 
+function copyGeneratedBuffer(view: unknown, label: string): Uint8Array {
+  const buffer = (view as { buffer?: Uint8Array }).buffer;
+  if (!buffer) {
+    throw new Error(`${label} did not expose a generated buffer`);
+  }
+  return buffer.slice();
+}
+
+function assertU64(value: bigint, label: string): void {
+  if (value < 0n || value > U64_MAX) {
+    throw new Error(`${label} must fit in u64`);
+  }
+}
+
+export function createAuthorityRecord(
+  authority: Authority,
+  expiresAtBlockTimeSeconds = LONG_LIVED_AUTHORITY_EXPIRY_SECONDS
+): AuthorityRecord {
+  return { authority, expiresAtBlockTimeSeconds };
+}
+
+export function createSessionAuthorityRecord(
+  params: {
+    pubkey: Uint8Array;
+    expiresAtBlockTimeSeconds: bigint;
+  }
+): AuthorityRecord {
+  return createAuthorityRecord(
+    { tag: 2, pubkey: params.pubkey },
+    params.expiresAtBlockTimeSeconds
+  );
+}
+
+export function buildAuthorityRecord(record: AuthorityRecord): Uint8Array {
+  assertU64(record.expiresAtBlockTimeSeconds, 'expiresAtBlockTimeSeconds');
+
+  const authority = AuthorityView.from_array(buildAuthority(record.authority));
+  if (!authority) {
+    throw new Error('Failed to build authority');
+  }
+
+  const authorityRecord = AuthorityRecordView.__tnCreateView(
+    new Uint8Array(AUTHORITY_RECORD_BYTES)
+  );
+  authorityRecord.set_authority(authority);
+  authorityRecord.set_expires_at_block_time_seconds(
+    record.expiresAtBlockTimeSeconds
+  );
+  return copyGeneratedBuffer(authorityRecord, 'AuthorityRecord');
+}
+
 export function encodeCreateInstruction(params: CreateInstructionParams): Uint8Array {
-  const { walletAccountIdx, authority, seed, stateProof } = params;
+  const { walletAccountIdx, authorityRecord, seed, stateProof } = params;
 
   if (seed.length !== 32) throw new Error('seed must be 32 bytes');
   if (walletAccountIdx < 0 || walletAccountIdx > 0xffff) {
     throw new Error('walletAccountIdx must be 0-65535');
   }
 
-  const authorityBytes = buildAuthority(authority);
+  const authorityRecordBytes = buildAuthorityRecord(authorityRecord);
 
   const argsPayload = new CreateArgsBuilder()
     .set_wallet_account_idx(walletAccountIdx)
-    .set_authority(authorityBytes)
+    .set_authority_record(authorityRecordBytes)
     .set_seed(seed)
     .set_state_proof(stateProof)
     .build();
@@ -52,3 +115,35 @@ export function encodeCreateInstruction(params: CreateInstructionParams): Uint8A
     .finish()
     .build();
 }
+
+function writeU16LE(target: Uint8Array, offset: number, value: number): void {
+  target[offset] = value & 0xff;
+  target[offset + 1] = (value >> 8) & 0xff;
+}
+
+/**
+ * Encode CREATE for the currently deployed legacy passkey-manager program.
+ *
+ * Legacy CREATE stores the initial bare Authority directly:
+ *   tag || wallet_account_idx || Authority || seed || StateProof
+ *
+ * Newer program builds should use encodeCreateInstruction, which carries a
+ * full AuthorityRecord with an expiry timestamp.
+ */
+export function encodeLegacyCreateInstruction(params: CreateInstructionParams): Uint8Array {
+  const { walletAccountIdx, authorityRecord, seed, stateProof } = params;
+
+  if (seed.length !== 32) throw new Error('seed must be 32 bytes');
+  if (walletAccountIdx < 0 || walletAccountIdx > 0xffff) {
+    throw new Error('walletAccountIdx must be 0-65535');
+  }
+
+  const authorityBytes = buildAuthority(authorityRecord.authority);
+  const output = new Uint8Array(1 + 2 + authorityBytes.length + seed.length + stateProof.length);
+  output[0] = INSTRUCTION_CREATE;
+  writeU16LE(output, 1, walletAccountIdx);
+  output.set(authorityBytes, 3);
+  output.set(seed, 3 + authorityBytes.length);
+  output.set(stateProof, 3 + authorityBytes.length + seed.length);
+  return output;
+}

package/src/passkey-manager/instructions/invoke.ts

@@ -0,0 +1,9 @@
+export function encodeInvokeInstruction(
+  _programPubkey: Uint8Array,
+  _instruction: Uint8Array,
+): Uint8Array {
+  throw new Error(
+    'encodeInvokeInstruction is from the legacy passkey-manager ABI. ' +
+      'Migrate this flow to encodeValidateInstruction({ targetInstruction }) against the upgraded passkey manager.',
+  );
+}

package/src/passkey-manager/instructions/shared.ts

@@ -0,0 +1,15 @@
+export function concatenateInstructions(instructions: Uint8Array[]): Uint8Array {
+  const totalLength = instructions.reduce(
+    (sum, instruction) => sum + instruction.length,
+    0,
+  );
+  const result = new Uint8Array(totalLength);
+
+  let offset = 0;
+  for (const instruction of instructions) {
+    result.set(instruction, offset);
+    offset += instruction.length;
+  }
+
+  return result;
+}

package/src/passkey-manager/instructions/transfer.ts

@@ -18,7 +18,7 @@ export function encodeTransferInstruction(params: TransferInstructionParams): Ui
   const argsPayload = new TransferArgsBuilder()
     .set_wallet_account_idx(walletAccountIdx)
     .set_to_account_idx(toAccountIdx)
-    .set_amount(amount as unknown as number)
+    .set_amount(amount)
     .build();
 
   return new PasskeyInstructionBuilder()

package/src/passkey-manager/instructions/validate.ts

@@ -1,23 +1,10 @@
 import type { ValidateInstructionParams } from '../types';
-import { PasskeyInstructionBuilder } from '../abi/thru/program/passkey_manager/types';
+import {
+  PasskeyInstructionBuilder,
+  ValidateArgsBuilder,
+} from '../abi/thru/program/passkey_manager/types';
 import { buildTargetInstructionBytes } from '../target-instruction';
 
-const U8_SIZE = Uint8Array.BYTES_PER_ELEMENT;
-const U16_SIZE = Uint16Array.BYTES_PER_ELEMENT;
-const P256_COORDINATE_SIZE = 32;
-const VALIDATE_FIXED_PREFIX_SIZE =
-  U16_SIZE +
-  U8_SIZE +
-  P256_COORDINATE_SIZE +
-  P256_COORDINATE_SIZE +
-  U16_SIZE +
-  U16_SIZE;
-
-function writeU16LE(target: Uint8Array, offset: number, value: number): void {
-  target[offset] = value & 0xff;
-  target[offset + 1] = (value >> 8) & 0xff;
-}
-
 export function encodeValidateInstruction(params: ValidateInstructionParams): Uint8Array {
   const {
     walletAccountIdx,
@@ -44,36 +31,19 @@ export function encodeValidateInstruction(params: ValidateInstructionParams): Ui
 
   const targetInstructionBytes = buildTargetInstructionBytes(targetInstruction);
 
-  const argsPayload = new Uint8Array(
-    VALIDATE_FIXED_PREFIX_SIZE +
-      authenticatorData.length +
-      clientDataJSON.length +
-      targetInstructionBytes.length
-  );
-  let offset = 0;
-
-  writeU16LE(argsPayload, offset, walletAccountIdx);
-  offset += 2;
-  argsPayload[offset] = authIdx;
-  offset += 1;
-  argsPayload.set(signatureR, offset);
-  offset += signatureR.length;
-  argsPayload.set(signatureS, offset);
-  offset += signatureS.length;
-  writeU16LE(argsPayload, offset, authenticatorData.length);
-  offset += 2;
-  writeU16LE(argsPayload, offset, clientDataJSON.length);
-  offset += 2;
-  argsPayload.set(authenticatorData, offset);
-  offset += authenticatorData.length;
-  argsPayload.set(clientDataJSON, offset);
-  offset += clientDataJSON.length;
-  argsPayload.set(targetInstructionBytes, offset);
+  const argsBuilder = new ValidateArgsBuilder()
+    .set_wallet_account_idx(walletAccountIdx)
+    .set_auth_idx(authIdx)
+    .set_signature_r(signatureR)
+    .set_signature_s(signatureS)
+    .set_target_instruction(targetInstructionBytes);
+  argsBuilder.authenticator_data().write(authenticatorData).finish();
+  argsBuilder.client_data().write(clientDataJSON).finish();
 
   return new PasskeyInstructionBuilder()
     .payload()
     .select('validate')
-    .writePayload(argsPayload)
+    .writePayload(argsBuilder)
     .finish()
     .build();
 }

package/src/passkey-manager/types.ts

@@ -64,9 +64,14 @@ export type Authority =
       pubkey: Uint8Array; // 32 bytes
     };
 
+export interface AuthorityRecord {
+  authority: Authority;
+  expiresAtBlockTimeSeconds: bigint;
+}
+
 export interface CreateInstructionParams {
   walletAccountIdx: number;
-  authority: Authority;
+  authorityRecord: AuthorityRecord;
   seed: Uint8Array;
   stateProof: Uint8Array;
 }
@@ -94,7 +99,7 @@ export interface ValidateInstructionParams {
 
 export interface AddAuthorityInstructionParams {
   walletAccountIdx: number;
-  authority: Authority;
+  authorityRecord: AuthorityRecord;
 }
 
 export interface RemoveAuthorityInstructionParams {