@veridex/sdk 1.0.0-beta.18 → 1.0.0-beta.21

package/dist/auth/prepareAuth.js

@@ -0,0 +1,1553 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/auth/prepareAuth.ts
+var prepareAuth_exports = {};
+__export(prepareAuth_exports, {
+  authenticateAndPrepare: () => authenticateAndPrepare
+});
+module.exports = __toCommonJS(prepareAuth_exports);
+var import_ethers5 = require("ethers");
+
+// src/core/PasskeyManager.ts
+var import_browser = require("@simplewebauthn/browser");
+var import_ethers2 = require("ethers");
+
+// src/utils.ts
+var import_ethers = require("ethers");
+
+// src/constants.ts
+var ACTION_TRANSFER = 1;
+var ACTION_EXECUTE = 2;
+var ACTION_BRIDGE = 4;
+var TESTNET_CHAINS = {
+  baseSepolia: {
+    name: "Base Sepolia",
+    chainId: 84532,
+    wormholeChainId: 10004,
+    rpcUrl: "https://sepolia.base.org",
+    // Public CORS-friendly RPC
+    explorerUrl: "https://sepolia.basescan.org",
+    isEvm: true,
+    contracts: {
+      hub: "0x66D87dE68327f48A099c5B9bE97020Feab9a7c82",
+      vaultFactory: "0xCFaEb5652aa2Ee60b2229dC8895B4159749C7e53",
+      vaultImplementation: "0x0d13367C16c6f0B24eD275CC67C7D9f42878285c",
+      wormholeCoreBridge: "0x79A1027a6A159502049F10906D333EC57E95F083",
+      tokenBridge: "0x86F55A04690fd7815A3D802bD587e83eA888B239"
+    }
+  },
+  ethereumSepolia: {
+    name: "Ethereum Sepolia",
+    chainId: 11155111,
+    wormholeChainId: 10002,
+    rpcUrl: "https://ethereum-sepolia-rpc.publicnode.com",
+    explorerUrl: "https://sepolia.etherscan.io",
+    isEvm: true,
+    contracts: {
+      vaultFactory: "0x07F608AFf6d63b68029488b726d895c4Bb593038",
+      vaultImplementation: "0xD66153fccFB6731fB6c4944FbD607ba86A76a1f6",
+      wormholeCoreBridge: "0x4a8bc80Ed5a4067f1CCf107057b8270E0cC11A78",
+      tokenBridge: "0xDB5492265f6038831E89f495670FF909aDe94bd9"
+    }
+  },
+  optimismSepolia: {
+    name: "Optimism Sepolia",
+    chainId: 11155420,
+    wormholeChainId: 10005,
+    rpcUrl: "https://sepolia.optimism.io",
+    explorerUrl: "https://sepolia-optimism.etherscan.io",
+    isEvm: true,
+    contracts: {
+      vaultFactory: "0xA5653d54079ABeCe780F8d9597B2bc4B09fe464A",
+      vaultImplementation: "0x8099b1406485d2255ff89Ce5Ea18520802AFC150",
+      wormholeCoreBridge: "0x31377888146f3253211EFEf5c676D41ECe7D58Fe",
+      tokenBridge: "0x99737Ec4B815d816c49A385943baf0380e75c0Ac"
+    }
+  },
+  arbitrumSepolia: {
+    name: "Arbitrum Sepolia",
+    chainId: 421614,
+    wormholeChainId: 10003,
+    rpcUrl: "https://sepolia-rollup.arbitrum.io/rpc",
+    explorerUrl: "https://sepolia.arbiscan.io",
+    isEvm: true,
+    contracts: {
+      vaultFactory: "0xd36D3D5DB59d78f1E33813490F72DABC15C9B07c",
+      vaultImplementation: "0xB10ACf39eBF17fc33F722cBD955b7aeCB0611bc4",
+      wormholeCoreBridge: "0x6b9C8671cdDC8dEab9c719bB87cBd3e782bA6a35",
+      tokenBridge: "0xC7A204bDBFe983FCD8d8E61D02b475D4073fF97e"
+    }
+  },
+  seiTestnet: {
+    name: "Sei Atlantic-2",
+    chainId: 1328,
+    wormholeChainId: 40,
+    rpcUrl: "https://evm-rpc-testnet.sei-apis.com",
+    explorerUrl: "https://seitrace.com/?chain=atlantic-2",
+    isEvm: true,
+    contracts: {
+      vaultFactory: "0x07F608AFf6d63b68029488b726d895c4Bb593038",
+      vaultImplementation: "0xD66153fccFB6731fB6c4944FbD607ba86A76a1f6",
+      wormholeCoreBridge: "0x0000000000000000000000000000000000000000"
+      // Mock - not yet deployed
+    }
+  },
+  solanaDevnet: {
+    name: "Solana Devnet",
+    chainId: 0,
+    wormholeChainId: 1,
+    rpcUrl: "https://api.devnet.solana.com",
+    explorerUrl: "https://explorer.solana.com",
+    isEvm: false,
+    contracts: {
+      hub: "AnyXHsqq9c2BiW4WgBcj6Aye7Ua7a7L7iSuwpfJxECJM",
+      wormholeCoreBridge: "3u8hJUVTA4jH1wYAyUur7FFZVQ8H635K3tSHHF4ssjQ5",
+      tokenBridge: "DZnkkTmCiFWfYTfT41X3Rd1kDgozqzxWaHqsw6W4x2oe"
+    }
+  },
+  aptosTestnet: {
+    name: "Aptos Testnet",
+    chainId: 0,
+    wormholeChainId: 22,
+    rpcUrl: "https://fullnode.testnet.aptoslabs.com/v1",
+    explorerUrl: "https://explorer.aptoslabs.com",
+    isEvm: false,
+    contracts: {
+      hub: "0x0237e04f74b991b5b6030a793779663033f4ff4a1682a9e66c1f41fc1ec3e2a4",
+      wormholeCoreBridge: "0x5bc11445584a763c1fa7ed39081f1b920954da14e04b32440cba863d03e19625",
+      tokenBridge: "0x576410486a2da45eee6c949c995670112ddf2fbeedab20350d506328eefc9d4f"
+    }
+  },
+  suiTestnet: {
+    name: "Sui Testnet",
+    chainId: 0,
+    wormholeChainId: 21,
+    rpcUrl: "https://fullnode.testnet.sui.io:443",
+    explorerUrl: "https://suiscan.xyz/testnet",
+    isEvm: false,
+    contracts: {
+      hub: "0x35e99fdbbc1cde7e093da6f9e758ba2c4a077904bd64caee2fa6db5e6c4e9e37",
+      wormholeCoreBridge: "0x31358d198147da50db32eda2562951d53973a0c0ad5ed738e9b17d88b213d790"
+    }
+  },
+  starknetSepolia: {
+    name: "Starknet Sepolia",
+    chainId: 0,
+    // Native Starknet chain ID (SN_SEPOLIA = 0x534e5f5345504f4c4941)
+    wormholeChainId: 50001,
+    // Custom chain ID (50000+ reserved for non-Wormhole chains)
+    rpcUrl: "https://starknet-sepolia.g.alchemy.com/starknet/version/rpc/v0_7/tsOnfTBZDKMXcUA26OED-",
+    explorerUrl: "https://sepolia.starkscan.co",
+    isEvm: false,
+    contracts: {
+      // Starknet spoke contract
+      hub: "0x68adcc730ed6c355200d00f763825448497b9cdf7936ca121711e078c88e811",
+      // Custom bridge contract (NOT Wormhole)
+      wormholeCoreBridge: "0x2c458c1ae64556482b05cc2d3ee5b032ed114d68429dda2062c9849a5a725f8"
+    },
+    // Hub chain ID that Starknet bridge validates (Base Sepolia = 10004)
+    hubChainId: 10004
+  }
+};
+var MAINNET_CHAINS = {
+  ethereum: {
+    name: "Ethereum",
+    chainId: 1,
+    wormholeChainId: 2,
+    rpcUrl: "https://eth.llamarpc.com",
+    explorerUrl: "https://etherscan.io",
+    isEvm: true,
+    contracts: {
+      wormholeCoreBridge: "0x98f3c9e6E3fAce36bAAd05FE09d375Ef1464288B",
+      tokenBridge: "0x3ee18B2214AFF97000D974cf647E7C347E8fa585"
+    }
+  },
+  base: {
+    name: "Base",
+    chainId: 8453,
+    wormholeChainId: 30,
+    rpcUrl: "https://mainnet.base.org",
+    explorerUrl: "https://basescan.org",
+    isEvm: true,
+    contracts: {
+      wormholeCoreBridge: "0xbebdb6C8ddC678FfA9f8748f85C815C556Dd8ac6",
+      tokenBridge: "0x8d2de8d2f73F1F4cAB472AC9A881C9b123C79627"
+    }
+  },
+  optimism: {
+    name: "Optimism",
+    chainId: 10,
+    wormholeChainId: 24,
+    rpcUrl: "https://mainnet.optimism.io",
+    explorerUrl: "https://optimistic.etherscan.io",
+    isEvm: true,
+    contracts: {
+      wormholeCoreBridge: "0xEe91C335eab126dF5fDB3797EA9d6aD93aeC9722",
+      tokenBridge: "0x1D68124e65faFC907325e3EDbF8c4d84499DAa8b"
+    }
+  },
+  arbitrum: {
+    name: "Arbitrum",
+    chainId: 42161,
+    wormholeChainId: 23,
+    rpcUrl: "https://arb1.arbitrum.io/rpc",
+    explorerUrl: "https://arbiscan.io",
+    isEvm: true,
+    contracts: {
+      wormholeCoreBridge: "0xa5f208e072434bC67592E4C49C1B991BA79BCA46",
+      tokenBridge: "0x0b2402144Bb366A632D14B83F244D2e0e21bD39c"
+    }
+  },
+  polygon: {
+    name: "Polygon",
+    chainId: 137,
+    wormholeChainId: 5,
+    rpcUrl: "https://polygon-rpc.com",
+    explorerUrl: "https://polygonscan.com",
+    isEvm: true,
+    contracts: {
+      wormholeCoreBridge: "0x7A4B5a56256163F07b2C80A7cA55aBE66c4ec4d7",
+      tokenBridge: "0x5a58505a96D1dbf8dF91cB21B54419FC36e93fdE"
+    }
+  },
+  solana: {
+    name: "Solana",
+    chainId: 0,
+    wormholeChainId: 1,
+    rpcUrl: "https://api.mainnet-beta.solana.com",
+    explorerUrl: "https://explorer.solana.com",
+    isEvm: false,
+    contracts: {
+      wormholeCoreBridge: "worm2ZoG2kUd4vFXhvjh93UUH596ayRfgQ2MgjNMTth",
+      tokenBridge: "wormDTUJ6AWPNvk59vGQbDvGJmqbDTdgWgAqcLBCgUb"
+    }
+  },
+  aptos: {
+    name: "Aptos",
+    chainId: 0,
+    wormholeChainId: 22,
+    rpcUrl: "https://fullnode.mainnet.aptoslabs.com/v1",
+    explorerUrl: "https://explorer.aptoslabs.com",
+    isEvm: false,
+    contracts: {
+      wormholeCoreBridge: "0x5bc11445584a763c1fa7ed39081f1b920954da14e04b32440cba863d03e19625",
+      tokenBridge: "0x576410486a2da45eee6c949c995670112ddf2fbeedab20350d506328eefc9d4f"
+    }
+  },
+  sui: {
+    name: "Sui",
+    chainId: 0,
+    wormholeChainId: 21,
+    rpcUrl: "https://fullnode.mainnet.sui.io:443",
+    explorerUrl: "https://suiscan.xyz/mainnet",
+    isEvm: false,
+    contracts: {
+      wormholeCoreBridge: "0xaeab97f96cf9877fee2883315d459552b2b921edc16d7ceac6eab944dd88919c"
+    }
+  }
+};
+
+// src/utils.ts
+function base64URLEncode(buffer) {
+  const bytes = Array.from(buffer);
+  const binary = String.fromCharCode(...bytes);
+  const base64 = btoa(binary);
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64URLDecode(str) {
+  const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function parseDERSignature(signature) {
+  let offset = 0;
+  if (signature[offset++] !== 48) {
+    throw new Error("Invalid signature format");
+  }
+  offset++;
+  if (signature[offset++] !== 2) {
+    throw new Error("Invalid signature format");
+  }
+  const rLength = signature[offset++];
+  if (rLength === void 0) {
+    throw new Error("Invalid signature format: missing r length");
+  }
+  let r = signature.slice(offset, offset + rLength);
+  offset += rLength;
+  if (r[0] === 0 && r.length > 32) {
+    r = r.slice(1);
+  }
+  if (r.length < 32) {
+    const padded = new Uint8Array(32);
+    padded.set(r, 32 - r.length);
+    r = padded;
+  }
+  if (signature[offset++] !== 2) {
+    throw new Error("Invalid signature format");
+  }
+  const sLength = signature[offset++];
+  if (sLength === void 0) {
+    throw new Error("Invalid signature format: missing s length");
+  }
+  let s = signature.slice(offset, offset + sLength);
+  if (s[0] === 0 && s.length > 32) {
+    s = s.slice(1);
+  }
+  if (s.length < 32) {
+    const padded = new Uint8Array(32);
+    padded.set(s, 32 - s.length);
+    s = padded;
+  }
+  return { r, s };
+}
+function computeKeyHash(publicKeyX, publicKeyY) {
+  return import_ethers.ethers.keccak256(
+    import_ethers.ethers.solidityPacked(["uint256", "uint256"], [publicKeyX, publicKeyY])
+  );
+}
+
+// src/core/PasskeyManager.ts
+var VERIDEX_RP_ID = "veridex.network";
+function detectRpId(forceLocal) {
+  if (typeof window === "undefined") return "localhost";
+  const hostname = window.location.hostname;
+  if (hostname === "localhost" || hostname === "127.0.0.1" || /^\d+\.\d+\.\d+\.\d+$/.test(hostname)) {
+    return hostname;
+  }
+  if (forceLocal) {
+    const parts = hostname.split(".");
+    if (parts.length <= 2) {
+      return hostname;
+    }
+    return parts.slice(-2).join(".");
+  }
+  return VERIDEX_RP_ID;
+}
+var PasskeyManager = class _PasskeyManager {
+  config;
+  credential = null;
+  constructor(config = {}) {
+    this.config = {
+      rpName: config.rpName ?? "Veridex Protocol",
+      rpId: config.rpId ?? detectRpId(),
+      timeout: config.timeout ?? 6e4,
+      userVerification: config.userVerification ?? "required",
+      authenticatorAttachment: config.authenticatorAttachment ?? "platform",
+      relayerUrl: config.relayerUrl ?? ""
+    };
+  }
+  static isSupported() {
+    return (0, import_browser.browserSupportsWebAuthn)();
+  }
+  static async isPlatformAuthenticatorAvailable() {
+    if (typeof window === "undefined" || !window.PublicKeyCredential) {
+      return false;
+    }
+    return await window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
+  }
+  async register(username, displayName) {
+    if (!_PasskeyManager.isSupported()) {
+      throw new Error("WebAuthn is not supported in this browser");
+    }
+    const challenge = import_ethers2.ethers.randomBytes(32);
+    const challengeBase64 = base64URLEncode(challenge);
+    const options = {
+      challenge: challengeBase64,
+      rp: {
+        name: this.config.rpName,
+        id: this.config.rpId
+      },
+      user: {
+        id: base64URLEncode(import_ethers2.ethers.toUtf8Bytes(username)),
+        name: username,
+        displayName
+      },
+      pubKeyCredParams: [
+        { alg: -7, type: "public-key" },
+        // ES256 (P-256) - WebAuthn default
+        { alg: -257, type: "public-key" },
+        // RS256 - Widely supported
+        { alg: -8, type: "public-key" },
+        // EdDSA - Modern, efficient
+        { alg: -35, type: "public-key" },
+        // ES384 (P-384)
+        { alg: -36, type: "public-key" },
+        // ES512 (P-521)
+        { alg: -37, type: "public-key" }
+        // PS256 - RSA PSS
+      ],
+      authenticatorSelection: {
+        authenticatorAttachment: this.config.authenticatorAttachment,
+        userVerification: this.config.userVerification,
+        residentKey: "required",
+        requireResidentKey: true
+      },
+      timeout: this.config.timeout,
+      attestation: "none"
+    };
+    const response = await (0, import_browser.startRegistration)(options);
+    const publicKey = this.extractPublicKeyFromAttestation(response);
+    const keyHash = computeKeyHash(publicKey.x, publicKey.y);
+    this.credential = {
+      credentialId: response.id,
+      publicKeyX: publicKey.x,
+      publicKeyY: publicKey.y,
+      keyHash
+    };
+    return this.credential;
+  }
+  async sign(challenge) {
+    if (!this.credential) {
+      throw new Error("No credential set. Call register() or setCredential() first.");
+    }
+    const challengeBase64 = base64URLEncode(challenge);
+    const options = {
+      challenge: challengeBase64,
+      rpId: this.config.rpId,
+      allowCredentials: [
+        {
+          id: this.credential.credentialId,
+          type: "public-key",
+          transports: ["internal"]
+        }
+      ],
+      userVerification: this.config.userVerification,
+      timeout: this.config.timeout
+    };
+    const response = await (0, import_browser.startAuthentication)(options);
+    return this.parseAuthenticationResponse(response);
+  }
+  /**
+   * Authenticate using a discoverable credential (passkey)
+   * This allows sign-in without knowing the credential ID ahead of time.
+   * The authenticator will show all available passkeys for this RP.
+   * 
+   * @param challenge - Optional challenge bytes. If not provided, a random challenge is used.
+   * @returns The credential that was used to authenticate, along with the signature
+   */
+  async authenticate(challenge) {
+    if (!_PasskeyManager.isSupported()) {
+      throw new Error("WebAuthn is not supported in this browser");
+    }
+    const actualChallenge = challenge ?? import_ethers2.ethers.randomBytes(32);
+    const challengeBase64 = base64URLEncode(actualChallenge);
+    const options = {
+      challenge: challengeBase64,
+      rpId: this.config.rpId,
+      userVerification: this.config.userVerification,
+      timeout: this.config.timeout
+    };
+    const response = await (0, import_browser.startAuthentication)(options);
+    const credentialId = response.id;
+    const signature = this.parseAuthenticationResponse(response);
+    let storedCredential = this.findCredentialById(credentialId);
+    if (storedCredential) {
+      this.credential = storedCredential;
+      return { credential: storedCredential, signature };
+    }
+    if (this.config.relayerUrl) {
+      storedCredential = await this.loadCredentialFromRelayer(credentialId);
+      if (storedCredential) {
+        this.credential = storedCredential;
+        this.addCredentialToStorage(storedCredential);
+        return { credential: storedCredential, signature };
+      }
+    }
+    const hasRelayer = !!this.config.relayerUrl;
+    throw new Error(
+      "Credential not found. This passkey was registered on a different device or the data was cleared. " + (hasRelayer ? "The credential was not found. Please register a new passkey." : "Please register a new passkey or ensure the relayer URL is configured.")
+    );
+  }
+  /**
+   * Find a credential by ID in the list of stored credentials
+   */
+  findCredentialById(credentialId) {
+    if (typeof window === "undefined") return null;
+    const stored = this.getAllStoredCredentials();
+    return stored.find((c) => c.credentialId === credentialId) || null;
+  }
+  /**
+   * Get all credentials stored in localStorage
+   */
+  getAllStoredCredentials(key = "veridex_credentials") {
+    if (typeof window === "undefined") return [];
+    const stored = localStorage.getItem(key);
+    if (!stored) {
+      const legacy = localStorage.getItem("veridex_credential");
+      if (legacy) {
+        try {
+          const data = JSON.parse(legacy);
+          const cred = this.parseStoredCredential(data);
+          if (cred) {
+            this.saveCredentials([cred], key);
+            localStorage.removeItem("veridex_credential");
+            return [cred];
+          }
+        } catch (e) {
+        }
+      }
+      return [];
+    }
+    try {
+      const data = JSON.parse(stored);
+      if (Array.isArray(data)) {
+        return data.map((item) => this.parseStoredCredential(item)).filter((c) => c !== null);
+      }
+      return [];
+    } catch (error) {
+      console.error("Failed to load credentials:", error);
+      return [];
+    }
+  }
+  parseStoredCredential(data) {
+    try {
+      return {
+        credentialId: data.credentialId,
+        publicKeyX: BigInt(data.publicKeyX),
+        publicKeyY: BigInt(data.publicKeyY),
+        keyHash: data.keyHash
+      };
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Save a list of credentials to localStorage
+   */
+  saveCredentials(credentials, key = "veridex_credentials") {
+    if (typeof window === "undefined") return;
+    const data = credentials.map((c) => ({
+      credentialId: c.credentialId,
+      publicKeyX: c.publicKeyX.toString(),
+      publicKeyY: c.publicKeyY.toString(),
+      keyHash: c.keyHash
+    }));
+    localStorage.setItem(key, JSON.stringify(data));
+  }
+  /**
+   * Add a single credential to storage (append or update)
+   */
+  addCredentialToStorage(credential, key = "veridex_credentials") {
+    const stored = this.getAllStoredCredentials(key);
+    const existingIndex = stored.findIndex((c) => c.credentialId === credential.credentialId);
+    if (existingIndex >= 0) {
+      stored[existingIndex] = credential;
+    } else {
+      stored.push(credential);
+    }
+    this.saveCredentials(stored, key);
+  }
+  /**
+   * Check if there's ANY stored credential for this RP
+   */
+  hasStoredCredential() {
+    return this.getAllStoredCredentials().length > 0;
+  }
+  getCredential() {
+    return this.credential;
+  }
+  setCredential(credential) {
+    this.credential = credential;
+  }
+  createCredentialFromPublicKey(credentialId, publicKeyX, publicKeyY) {
+    const keyHash = computeKeyHash(publicKeyX, publicKeyY);
+    this.credential = {
+      credentialId,
+      publicKeyX,
+      publicKeyY,
+      keyHash
+    };
+    return this.credential;
+  }
+  clearCredential() {
+    this.credential = null;
+  }
+  /**
+   * Save the current credential to localStorage (appends to list)
+   */
+  saveToLocalStorage(key = "veridex_credentials") {
+    if (!this.credential) {
+      throw new Error("No credential to save");
+    }
+    this.addCredentialToStorage(this.credential, key);
+  }
+  loadFromLocalStorage(key = "veridex_credentials") {
+    if (typeof window === "undefined") {
+      return null;
+    }
+    const stored = this.getAllStoredCredentials(key);
+    if (stored.length > 0) {
+      this.credential = stored[stored.length - 1];
+      return this.credential;
+    }
+    return null;
+  }
+  removeFromLocalStorage(key = "veridex_credentials") {
+    if (typeof window !== "undefined") {
+      localStorage.removeItem(key);
+      localStorage.removeItem("veridex_credential");
+    }
+  }
+  // =========================================================================
+  // Relayer-based Credential Storage (Cross-Device Recovery)
+  // =========================================================================
+  /**
+   * Save the current credential to the relayer for cross-device recovery.
+   * This should be called after registration.
+   */
+  async saveCredentialToRelayer() {
+    if (!this.credential) {
+      throw new Error("No credential to save");
+    }
+    if (!this.config.relayerUrl) {
+      console.warn("Relayer URL not configured; skipping remote credential storage");
+      return false;
+    }
+    try {
+      const response = await fetch(`${this.config.relayerUrl}/api/v1/credential`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          keyHash: this.credential.keyHash,
+          credentialId: this.credential.credentialId,
+          publicKeyX: this.credential.publicKeyX.toString(),
+          publicKeyY: this.credential.publicKeyY.toString()
+        })
+      });
+      if (!response.ok) {
+        const errorData = await response.json().catch(() => ({}));
+        console.error("Failed to save credential to relayer:", errorData);
+        return false;
+      }
+      console.log("Credential saved to relayer for cross-device recovery");
+      return true;
+    } catch (error) {
+      console.error("Failed to save credential to relayer:", error);
+      return false;
+    }
+  }
+  /**
+   * Load a credential from the relayer by credential ID.
+   * Used during discoverable credential authentication when localStorage is empty.
+   */
+  async loadCredentialFromRelayer(credentialId) {
+    if (!this.config.relayerUrl) {
+      return null;
+    }
+    try {
+      const response = await fetch(
+        `${this.config.relayerUrl}/api/v1/credential/by-id/${encodeURIComponent(credentialId)}`
+      );
+      if (!response.ok) {
+        return null;
+      }
+      const data = await response.json();
+      if (!data.exists) {
+        return null;
+      }
+      if (!data.credentialId || !data.publicKeyX || !data.publicKeyY || !data.keyHash) {
+        console.warn("Relayer returned incomplete credential data:", {
+          hasCredentialId: !!data.credentialId,
+          hasPublicKeyX: !!data.publicKeyX,
+          hasPublicKeyY: !!data.publicKeyY,
+          hasKeyHash: !!data.keyHash
+        });
+        return null;
+      }
+      return {
+        credentialId: data.credentialId,
+        publicKeyX: BigInt(data.publicKeyX),
+        publicKeyY: BigInt(data.publicKeyY),
+        keyHash: data.keyHash
+      };
+    } catch (error) {
+      console.error("Failed to load credential from relayer:", error);
+      return null;
+    }
+  }
+  /**
+   * Load a credential from the relayer by keyHash.
+   * Useful when you know the user's keyHash but not their credential ID.
+   */
+  async loadCredentialFromRelayerByKeyHash(keyHash) {
+    if (!this.config.relayerUrl) {
+      return null;
+    }
+    try {
+      const response = await fetch(
+        `${this.config.relayerUrl}/api/v1/credential/${encodeURIComponent(keyHash)}`
+      );
+      if (!response.ok) {
+        return null;
+      }
+      const data = await response.json();
+      if (!data.exists) {
+        return null;
+      }
+      if (!data.credentialId || !data.publicKeyX || !data.publicKeyY || !data.keyHash) {
+        console.warn("Relayer returned incomplete credential data for keyHash:", {
+          hasCredentialId: !!data.credentialId,
+          hasPublicKeyX: !!data.publicKeyX,
+          hasPublicKeyY: !!data.publicKeyY,
+          hasKeyHash: !!data.keyHash
+        });
+        return null;
+      }
+      return {
+        credentialId: data.credentialId,
+        publicKeyX: BigInt(data.publicKeyX),
+        publicKeyY: BigInt(data.publicKeyY),
+        keyHash: data.keyHash
+      };
+    } catch (error) {
+      console.error("Failed to load credential from relayer:", error);
+      return null;
+    }
+  }
+  extractPublicKeyFromAttestation(response) {
+    const attestationObject = base64URLDecode(response.response.attestationObject);
+    let offset = 0;
+    if (attestationObject[offset] >= 160 && attestationObject[offset] <= 191) {
+      offset++;
+    }
+    while (offset < attestationObject.length - 37) {
+      if (attestationObject[offset] === 104 && // text string, 8 bytes
+      attestationObject[offset + 1] === 97 && // 'a'
+      attestationObject[offset + 2] === 117 && // 'u'
+      attestationObject[offset + 3] === 116 && // 't'
+      attestationObject[offset + 4] === 104 && // 'h'
+      attestationObject[offset + 5] === 68 && // 'D'
+      attestationObject[offset + 6] === 97 && // 'a'
+      attestationObject[offset + 7] === 116 && // 't'
+      attestationObject[offset + 8] === 97) {
+        offset += 9;
+        break;
+      }
+      offset++;
+    }
+    if (attestationObject[offset] === 88 || attestationObject[offset] === 89) {
+      const lengthBytes = attestationObject[offset] === 88 ? 1 : 2;
+      offset += 1 + lengthBytes;
+    }
+    offset += 32;
+    offset += 1;
+    offset += 4;
+    offset += 16;
+    const credIdLen = attestationObject[offset] << 8 | attestationObject[offset + 1];
+    offset += 2;
+    offset += credIdLen;
+    const coseKey = attestationObject.slice(offset);
+    console.log("COSE key length:", coseKey.length);
+    console.log("COSE key hex:", this.bytesToHex(coseKey.slice(0, Math.min(100, coseKey.length))));
+    const { x, y } = this.parseCOSEKey(coseKey);
+    return { x, y };
+  }
+  parseCOSEKey(coseKey) {
+    console.log("COSE key length:", coseKey.length);
+    console.log("COSE key hex:", this.bytesToHex(coseKey));
+    const parsed = this.tryParseCOSEKeyStrategies(coseKey);
+    if (parsed) {
+      return parsed;
+    }
+    return this.parseCOSEKeyWithCBORStructure(coseKey);
+  }
+  tryParseCOSEKeyStrategies(coseKey) {
+    const keyBytes = new Uint8Array(coseKey);
+    for (let i = 0; i < keyBytes.length - 40; i++) {
+      if (keyBytes[i] === 88 && keyBytes[i + 1] === 32) {
+        const potentialX = keyBytes.slice(i + 2, i + 34);
+        for (let j = i + 34; j < keyBytes.length - 34; j++) {
+          if (keyBytes[j] === 88 && keyBytes[j + 1] === 32) {
+            const potentialY = keyBytes.slice(j + 2, j + 34);
+            if (this.isValidCoordinate(potentialX) && this.isValidCoordinate(potentialY)) {
+              console.log("Found coordinates via pattern matching");
+              return {
+                x: this.bytesToBigInt(potentialX),
+                y: this.bytesToBigInt(potentialY)
+              };
+            }
+          }
+        }
+      }
+    }
+    return this.tryParseASN1Structure(keyBytes);
+  }
+  parseCOSEKeyWithCBORStructure(coseKey) {
+    const bytes = new Uint8Array(coseKey);
+    let xBytes = null;
+    let yBytes = null;
+    let i = 0;
+    while (i < bytes.length) {
+      if (bytes[i] === 88) {
+        const length = bytes[i + 1];
+        if (length === 32) {
+          const start = i + 2;
+          const end = start + 32;
+          if (end <= bytes.length) {
+            const coordinate = bytes.slice(start, end);
+            if (!xBytes) {
+              xBytes = coordinate;
+              console.log("Found x at offset", i);
+            } else if (!yBytes) {
+              yBytes = coordinate;
+              console.log("Found y at offset", i);
+              break;
+            }
+          }
+          i = end;
+        } else {
+          i += length + 2;
+        }
+      } else if (bytes[i] === 66) {
+        if (i + 3 < bytes.length) {
+          const length = bytes[i + 1] << 8 | bytes[i + 2];
+          if (length === 32) {
+            const start = i + 3;
+            const end = start + 32;
+            if (end <= bytes.length) {
+              const coordinate = bytes.slice(start, end);
+              if (!xBytes) {
+                xBytes = coordinate;
+                console.log("Found x at offset", i);
+              } else if (!yBytes) {
+                yBytes = coordinate;
+                console.log("Found y at offset", i);
+                break;
+              }
+            }
+            i = end;
+          } else {
+            i += length + 3;
+          }
+        } else {
+          i++;
+        }
+      } else if (bytes[i] === 64) {
+        i++;
+        while (i < bytes.length && bytes[i] !== 255) {
+          if (bytes[i] === 4 && i + 65 <= bytes.length) {
+            const x = bytes.slice(i + 1, i + 33);
+            const y = bytes.slice(i + 33, i + 65);
+            if (this.isValidCoordinate(x) && this.isValidCoordinate(y)) {
+              xBytes = x;
+              yBytes = y;
+              console.log("Found coordinates in uncompressed point format");
+              break;
+            }
+          }
+          i++;
+        }
+        if (xBytes && yBytes) break;
+      } else {
+        i++;
+      }
+    }
+    if (!xBytes || !yBytes) {
+      const potentialCoords = this.find32ByteSequences(bytes);
+      if (potentialCoords.length >= 2) {
+        xBytes = potentialCoords[0];
+        yBytes = potentialCoords[1];
+        console.log("Fallback: Using first two 32-byte sequences as coordinates");
+      }
+    }
+    if (!xBytes || !yBytes) {
+      console.error("Failed to find coordinates in COSE key. Full dump:");
+      console.error("Hex:", this.bytesToHex(bytes));
+      console.error("Structure analysis:");
+      this.analyzeCOSEStructure(bytes);
+      throw new Error("Failed to extract public key coordinates from COSE key. Check console for details.");
+    }
+    return {
+      x: this.bytesToBigInt(xBytes),
+      y: this.bytesToBigInt(yBytes)
+    };
+  }
+  tryParseASN1Structure(bytes) {
+    if (bytes[0] === 48) {
+      let offset = 2;
+      if (bytes[offset] === 3) {
+        offset += 2;
+        if (bytes[offset] === 48) {
+          offset += 2;
+          offset += 12;
+          if (bytes[offset] === 3 && bytes[offset + 2] === 4) {
+            offset += 3;
+            const x = bytes.slice(offset, offset + 32);
+            const y = bytes.slice(offset + 32, offset + 64);
+            if (x.length === 32 && y.length === 32) {
+              console.log("Found coordinates via ASN.1 parsing");
+              return {
+                x: this.bytesToBigInt(x),
+                y: this.bytesToBigInt(y)
+              };
+            }
+          }
+        }
+      }
+    }
+    return null;
+  }
+  find32ByteSequences(bytes) {
+    const sequences = [];
+    for (let i = 0; i <= bytes.length - 32; i++) {
+      const sequence = bytes.slice(i, i + 32);
+      if (this.isValidCoordinate(sequence)) {
+        sequences.push(sequence);
+      }
+    }
+    return sequences;
+  }
+  isValidCoordinate(bytes) {
+    if (bytes.length !== 32) return false;
+    let allZeros = true;
+    let allOnes = true;
+    for (const byte of bytes) {
+      if (byte !== 0) allZeros = false;
+      if (byte !== 255) allOnes = false;
+    }
+    return !allZeros && !allOnes;
+  }
+  bytesToBigInt(bytes) {
+    return BigInt("0x" + this.bytesToHex(bytes));
+  }
+  bytesToHex(bytes) {
+    return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+  analyzeCOSEStructure(bytes) {
+    console.log("COSE Structure Analysis:");
+    console.log("First 20 bytes:", this.bytesToHex(bytes.slice(0, 20)));
+    const firstByte = bytes[0];
+    console.log("First byte (0x" + firstByte.toString(16) + "):");
+    if (firstByte >= 160 && firstByte <= 191) {
+      console.log("- Definite length map with", firstByte & 31, "pairs");
+    } else if (firstByte === 191) {
+      console.log("- Indefinite length map");
+    } else if (firstByte === 4) {
+      console.log("- Byte string");
+    } else if (firstByte === 2) {
+      console.log("- Negative integer");
+    }
+    let count32 = 0;
+    for (let i = 0; i <= bytes.length - 32; i++) {
+      const chunk = bytes.slice(i, i + 32);
+      if (this.isValidCoordinate(chunk)) {
+        console.log(
+          `Found valid 32-byte sequence at offset ${i}:`,
+          this.bytesToHex(chunk.slice(0, 8)) + "..."
+        );
+        count32++;
+      }
+    }
+    console.log(`Total valid 32-byte sequences: ${count32}`);
+    console.log("Looking for known markers:");
+    const markers = [
+      { byte: 4, name: "Uncompressed point marker" },
+      { byte: 3, name: "BIT STRING" },
+      { byte: 48, name: "SEQUENCE" },
+      { byte: 2, name: "INTEGER" },
+      { byte: 6, name: "OBJECT IDENTIFIER" },
+      { byte: 88, name: "Byte string with length byte" },
+      { byte: 66, name: "Byte string with 2-byte length" },
+      { byte: 64, name: "Byte string indefinite length" },
+      { byte: 160, name: "Map start" },
+      { byte: 191, name: "Indefinite map start" }
+    ];
+    for (const marker of markers) {
+      const indices = [];
+      for (let i = 0; i < bytes.length; i++) {
+        if (bytes[i] === marker.byte) {
+          indices.push(i);
+        }
+      }
+      if (indices.length > 0) {
+        console.log(`  ${marker.name} (0x${marker.byte.toString(16)}) at positions:`, indices.slice(0, 5).join(", "));
+      }
+    }
+  }
+  parseAuthenticationResponse(response) {
+    const authenticatorData = base64URLDecode(response.response.authenticatorData);
+    const clientDataJSON = response.response.clientDataJSON;
+    const signature = base64URLDecode(response.response.signature);
+    const { r, s } = parseDERSignature(signature);
+    const P256_N = BigInt("0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551");
+    const P256_N_DIV_2 = BigInt(
+      "0x7FFFFFFF800000007FFFFFFFFFFFFFFFDE737D56D38BCF4279DCE5617E3192A8"
+    );
+    const clientDataStr = new TextDecoder().decode(base64URLDecode(clientDataJSON));
+    const challengeIndex = clientDataStr.indexOf('"challenge"');
+    const typeIndex = clientDataStr.indexOf('"type"');
+    if (challengeIndex === -1 || typeIndex === -1) {
+      throw new Error("Invalid clientDataJSON format");
+    }
+    return {
+      authenticatorData: import_ethers2.ethers.hexlify(authenticatorData),
+      clientDataJSON: clientDataStr,
+      challengeIndex,
+      typeIndex,
+      r: this.bytesToBigInt(r),
+      s: (() => {
+        const sBig = this.bytesToBigInt(s);
+        return sBig > P256_N_DIV_2 ? P256_N - sBig : sBig;
+      })()
+    };
+  }
+};
+
+// src/payload.ts
+var import_ethers3 = require("ethers");
+function encodeTransferAction(token, recipient, amount) {
+  const tokenPadded = padTo32Bytes(token);
+  const recipientPadded = padTo32Bytes(recipient);
+  const amountBytes = import_ethers3.ethers.zeroPadValue(import_ethers3.ethers.toBeHex(amount), 32);
+  return import_ethers3.ethers.concat([
+    import_ethers3.ethers.toBeHex(ACTION_TRANSFER, 1),
+    tokenPadded,
+    recipientPadded,
+    amountBytes
+  ]);
+}
+function encodeBridgeAction(token, amount, targetChain, recipient) {
+  const tokenPadded = padTo32Bytes(token);
+  const amountBytes = import_ethers3.ethers.zeroPadValue(import_ethers3.ethers.toBeHex(amount), 32);
+  const targetChainBytes = import_ethers3.ethers.toBeHex(targetChain, 2);
+  const recipientPadded = padTo32Bytes(recipient);
+  return import_ethers3.ethers.concat([
+    import_ethers3.ethers.toBeHex(ACTION_BRIDGE, 1),
+    tokenPadded,
+    amountBytes,
+    targetChainBytes,
+    recipientPadded
+  ]);
+}
+function encodeExecuteAction(target, value, data) {
+  const targetPadded = padTo32Bytes(target);
+  const valueBytes = import_ethers3.ethers.zeroPadValue(import_ethers3.ethers.toBeHex(value), 32);
+  const dataBytes = import_ethers3.ethers.getBytes(data);
+  const dataLengthBytes = import_ethers3.ethers.toBeHex(dataBytes.length, 2);
+  return import_ethers3.ethers.concat([
+    import_ethers3.ethers.toBeHex(ACTION_EXECUTE, 1),
+    targetPadded,
+    valueBytes,
+    dataLengthBytes,
+    data
+  ]);
+}
+function padTo32Bytes(address) {
+  if (address.toLowerCase() === "native") {
+    return "0x" + "0".repeat(64);
+  }
+  if (address.startsWith("0x")) {
+    const hex2 = address.replace("0x", "");
+    if (!/^[0-9a-fA-F]*$/.test(hex2)) {
+      throw new Error(`Invalid address: ${address}. Expected hex string or 'native'.`);
+    }
+    return "0x" + hex2.padStart(64, "0");
+  }
+  const base58Chars = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+  for (const char of address) {
+    if (!base58Chars.includes(char)) {
+      throw new Error(`Invalid address: ${address}. Contains invalid base58 character '${char}'.`);
+    }
+  }
+  let value = BigInt(0);
+  for (const char of address) {
+    value = value * 58n + BigInt(base58Chars.indexOf(char));
+  }
+  let hex = value.toString(16);
+  if (hex.length > 64) {
+    throw new Error(`Invalid address: ${address}. Decoded value too large for 32 bytes.`);
+  }
+  return "0x" + hex.padStart(64, "0");
+}
+function createGaslessMessageHash(targetChain, actionPayload, nonce, hubChainId) {
+  return import_ethers3.ethers.solidityPacked(
+    ["uint16", "bytes", "uint256", "uint16"],
+    [targetChain, actionPayload, nonce, hubChainId]
+  );
+}
+function buildGaslessChallenge(targetChain, actionPayload, nonce, hubChainId) {
+  const packed = createGaslessMessageHash(targetChain, actionPayload, nonce, hubChainId);
+  return import_ethers3.ethers.getBytes(packed);
+}
+
+// src/queries/hubState.ts
+var import_axios = __toESM(require("axios"));
+var import_buffer = require("buffer");
+var import_ethers4 = require("ethers");
+var import_wormhole_query_sdk = require("@wormhole-foundation/wormhole-query-sdk");
+
+// src/queries/constants.ts
+var WORMHOLE_QUERY_PROXY_URLS = {
+  mainnet: "https://query.wormhole.com/v1/query",
+  testnet: "https://testnet.query.wormhole.com/v1/query"
+};
+
+// src/queries/hubState.ts
+var QueryHubStateError = class extends Error {
+  code;
+  cause;
+  constructor(code, message, cause) {
+    super(message);
+    this.name = "QueryHubStateError";
+    this.code = code;
+    this.cause = cause;
+  }
+};
+function resolveNetwork(options) {
+  if (options?.network) return options.network;
+  const envCandidates = [
+    globalThis?.process?.env?.NEXT_PUBLIC_VERIDEX_NETWORK,
+    globalThis?.process?.env?.VERIDEX_NETWORK,
+    globalThis?.process?.env?.NEXT_PUBLIC_WORMHOLE_NETWORK,
+    globalThis?.process?.env?.WORMHOLE_NETWORK
+  ].filter(Boolean);
+  const env = envCandidates[0]?.toLowerCase();
+  if (env === "mainnet" || env === "testnet") return env;
+  return "testnet";
+}
+function concatBytes(parts) {
+  const total = parts.reduce((sum, p) => sum + p.length, 0);
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const p of parts) {
+    out.set(p, offset);
+    offset += p.length;
+  }
+  return out;
+}
+function signaturesToProofBytes(signatures) {
+  const chunks = [];
+  for (const sig of signatures) {
+    if (typeof sig !== "string" || sig.length !== 132 || !/^[0-9a-fA-F]+$/.test(sig)) {
+      throw new QueryHubStateError(
+        "PROXY_RESPONSE_INVALID",
+        `Invalid guardian signature format (expected 132 hex chars): ${String(sig)}`
+      );
+    }
+    chunks.push((0, import_wormhole_query_sdk.hexToUint8Array)(`0x${sig}`));
+  }
+  return concatBytes(chunks);
+}
+function decodeQueryBytes(bytes) {
+  if (typeof bytes !== "string" || bytes.length === 0) {
+    throw new QueryHubStateError("PROXY_RESPONSE_INVALID", "Missing query response bytes");
+  }
+  if ((0, import_wormhole_query_sdk.isValidHexString)(bytes)) {
+    return (0, import_wormhole_query_sdk.hexToUint8Array)(bytes);
+  }
+  try {
+    if (typeof atob === "function") {
+      const raw = atob(bytes);
+      const arr = new Uint8Array(raw.length);
+      for (let i = 0; i < raw.length; i++) arr[i] = raw.charCodeAt(i);
+      return arr;
+    }
+  } catch {
+  }
+  try {
+    return new Uint8Array(import_buffer.Buffer.from(bytes, "base64"));
+  } catch (cause) {
+    throw new QueryHubStateError("PROXY_RESPONSE_INVALID", "Unrecognized query response bytes encoding", cause);
+  }
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function withExponentialBackoff(fn, maxAttempts) {
+  let attempt = 0;
+  let lastError;
+  while (attempt < maxAttempts) {
+    try {
+      return await fn();
+    } catch (err) {
+      lastError = err;
+      attempt += 1;
+      if (attempt >= maxAttempts) break;
+      const baseMs = 250;
+      const backoffMs = Math.min(5e3, baseMs * 2 ** (attempt - 1));
+      const jitterMs = Math.floor(Math.random() * 100);
+      await sleep(backoffMs + jitterMs);
+    }
+  }
+  throw lastError;
+}
+function getHubConfig(network) {
+  if (network === "testnet") {
+    const baseSepolia = TESTNET_CHAINS.baseSepolia;
+    if (!baseSepolia?.contracts?.hub) {
+      throw new QueryHubStateError("MISSING_HUB_ADDRESS", "Missing Base Sepolia hub address in SDK constants");
+    }
+    return {
+      wormholeChainId: baseSepolia.wormholeChainId,
+      hubAddress: baseSepolia.contracts.hub,
+      endpoint: WORMHOLE_QUERY_PROXY_URLS.testnet,
+      rpcUrl: baseSepolia.rpcUrl
+    };
+  }
+  if (network === "mainnet") {
+    const base = MAINNET_CHAINS.base;
+    const hubAddress = base?.contracts?.hub;
+    if (!hubAddress) {
+      throw new QueryHubStateError(
+        "MISSING_HUB_ADDRESS",
+        "Missing mainnet hub address in SDK constants (MAINNET_CHAINS.base.contracts.hub)"
+      );
+    }
+    return {
+      wormholeChainId: base.wormholeChainId,
+      hubAddress,
+      endpoint: WORMHOLE_QUERY_PROXY_URLS.mainnet,
+      rpcUrl: base.rpcUrl
+    };
+  }
+  throw new QueryHubStateError("UNSUPPORTED_NETWORK", `Unsupported network: ${network}`);
+}
+function encodeHubCalls(hubAddress, userKeyHash) {
+  const nonceAbiCandidates = [
+    "function getUserNonce(bytes32 userKeyHash) view returns (uint256)",
+    "function userNonces(bytes32 userKeyHash) view returns (uint256)",
+    "function getNonceByHash(bytes32 userKeyHash) view returns (uint256)"
+  ];
+  const registeredAbiCandidates = [
+    "function registeredKeys(bytes32 userKeyHash) view returns (bool)",
+    "function isKeyRegisteredByHash(bytes32 userKeyHash) view returns (bool)"
+  ];
+  const actionHashAbiCandidates = [
+    "function getUserLastActionHash(bytes32 userKeyHash) view returns (bytes32)",
+    "function userLastActionHash(bytes32 userKeyHash) view returns (bytes32)"
+  ];
+  const iface = new import_ethers4.ethers.Interface([
+    ...nonceAbiCandidates,
+    ...registeredAbiCandidates,
+    ...actionHashAbiCandidates
+  ]);
+  const nonceFnNames = ["getUserNonce", "userNonces", "getNonceByHash"];
+  const regFnNames = ["registeredKeys", "isKeyRegisteredByHash"];
+  const actionHashFnNames = ["getUserLastActionHash", "userLastActionHash"];
+  return [
+    ...nonceFnNames.map((fn) => ({
+      to: hubAddress,
+      data: iface.encodeFunctionData(fn, [userKeyHash])
+    })),
+    ...regFnNames.map((fn) => ({
+      to: hubAddress,
+      data: iface.encodeFunctionData(fn, [userKeyHash])
+    })),
+    ...actionHashFnNames.map((fn) => ({
+      to: hubAddress,
+      data: iface.encodeFunctionData(fn, [userKeyHash])
+    }))
+  ];
+}
+function decodeFirstNonce(results) {
+  const candidates = [
+    "function getUserNonce(bytes32 userKeyHash) view returns (uint256)",
+    "function userNonces(bytes32 userKeyHash) view returns (uint256)",
+    "function getNonceByHash(bytes32 userKeyHash) view returns (uint256)"
+  ];
+  const iface = new import_ethers4.ethers.Interface(candidates);
+  const fnNames = ["getUserNonce", "userNonces", "getNonceByHash"];
+  for (let idx = 0; idx < fnNames.length; idx++) {
+    const fnName = fnNames[idx];
+    try {
+      const data = results[idx];
+      if (!data || data === "0x") continue;
+      const decoded = iface.decodeFunctionResult(fnName, data);
+      return decoded[0];
+    } catch {
+    }
+  }
+  throw new QueryHubStateError("QUERY_RESPONSE_INVALID", "Unable to decode user nonce from query response");
+}
+function decodeFirstIsRegistered(results) {
+  const nonceCandidateCount = 3;
+  const candidates = [
+    "function registeredKeys(bytes32 userKeyHash) view returns (bool)",
+    "function isKeyRegisteredByHash(bytes32 userKeyHash) view returns (bool)"
+  ];
+  const iface = new import_ethers4.ethers.Interface(candidates);
+  const fnNames = ["registeredKeys", "isKeyRegisteredByHash"];
+  for (let i = 0; i < fnNames.length; i++) {
+    const fnName = fnNames[i];
+    try {
+      const data = results[nonceCandidateCount + i];
+      if (!data || data === "0x") continue;
+      const decoded = iface.decodeFunctionResult(fnName, data);
+      return Boolean(decoded[0]);
+    } catch {
+    }
+  }
+  return false;
+}
+function decodeLastActionHash(results) {
+  const nonceCandidateCount = 3;
+  const registeredCandidateCount = 2;
+  const actionHashOffset = nonceCandidateCount + registeredCandidateCount;
+  const candidates = [
+    "function getUserLastActionHash(bytes32 userKeyHash) view returns (bytes32)",
+    "function userLastActionHash(bytes32 userKeyHash) view returns (bytes32)"
+  ];
+  const iface = new import_ethers4.ethers.Interface(candidates);
+  const fnNames = ["getUserLastActionHash", "userLastActionHash"];
+  for (let i = 0; i < fnNames.length; i++) {
+    const fnName = fnNames[i];
+    try {
+      const data = results[actionHashOffset + i];
+      if (!data || data === "0x") continue;
+      const decoded = iface.decodeFunctionResult(fnName, data);
+      return decoded[0];
+    } catch {
+    }
+  }
+  return import_ethers4.ethers.ZeroHash;
+}
+async function queryHubState(userKeyHash, apiKey, options) {
+  if (typeof userKeyHash !== "string" || userKeyHash.length === 0) {
+    throw new QueryHubStateError("INVALID_ARGUMENT", "userKeyHash is required");
+  }
+  if (!(0, import_wormhole_query_sdk.isValidHexString)(userKeyHash) || (0, import_wormhole_query_sdk.hexToUint8Array)(userKeyHash).length !== 32) {
+    throw new QueryHubStateError("INVALID_ARGUMENT", "userKeyHash must be a 32-byte hex string");
+  }
+  if (typeof apiKey !== "string" || apiKey.length === 0) {
+    throw new QueryHubStateError("INVALID_ARGUMENT", "apiKey is required");
+  }
+  const network = resolveNetwork(options);
+  const maxAgeSeconds = options?.maxAge ?? 60;
+  const maxAttempts = options?.maxAttempts ?? 4;
+  const { wormholeChainId, hubAddress, endpoint, rpcUrl } = getHubConfig(network);
+  const provider = new import_ethers4.ethers.JsonRpcProvider(rpcUrl);
+  const callData = encodeHubCalls(hubAddress, userKeyHash);
+  const doFetch = async () => {
+    try {
+      const latestBlock = await provider.getBlockNumber();
+      const blockTag = Math.max(0, latestBlock - 2);
+      const request = new import_wormhole_query_sdk.QueryRequest(Date.now() & 4294967295, [
+        new import_wormhole_query_sdk.PerChainQueryRequest(wormholeChainId, new import_wormhole_query_sdk.EthCallQueryRequest(blockTag, callData))
+      ]);
+      const requestHex = import_buffer.Buffer.from(request.serialize()).toString("hex");
+      const response = await import_axios.default.post(
+        endpoint,
+        { bytes: requestHex },
+        {
+          headers: {
+            "X-API-Key": apiKey,
+            "Content-Type": "application/json"
+          },
+          timeout: 1e4
+        }
+      );
+      const data = response.data;
+      const signatures = data?.signatures;
+      const bytes = data?.bytes;
+      if (!Array.isArray(signatures) || typeof bytes !== "string") {
+        throw new QueryHubStateError("PROXY_RESPONSE_INVALID", "Query Proxy response missing signatures/bytes");
+      }
+      const proof = signaturesToProofBytes(signatures);
+      const queryBytes = decodeQueryBytes(bytes);
+      const parsed = import_wormhole_query_sdk.QueryResponse.from(queryBytes);
+      const perChain = parsed.responses.find((r) => r.chainId === wormholeChainId);
+      if (!perChain) {
+        throw new QueryHubStateError("QUERY_RESPONSE_INVALID", "Missing per-chain response for hub chain");
+      }
+      const chainResp = import_wormhole_query_sdk.EthCallQueryResponse.from(perChain.response.serialize());
+      const blockTime = Number(chainResp.blockTime);
+      const nowSeconds = Math.floor(Date.now() / 1e3);
+      if (nowSeconds - blockTime > maxAgeSeconds) {
+        throw new QueryHubStateError(
+          "ATTESTATION_STALE",
+          `Guardian attestation is stale (blockTime=${blockTime}, now=${nowSeconds}, maxAge=${maxAgeSeconds}s)`
+        );
+      }
+      const nonce = decodeFirstNonce(chainResp.results);
+      const isRegistered = decodeFirstIsRegistered(chainResp.results);
+      const lastActionHash = decodeLastActionHash(chainResp.results);
+      return {
+        nonce,
+        isRegistered,
+        blockTime,
+        proof,
+        lastActionHash
+      };
+    } catch (err) {
+      if (err instanceof QueryHubStateError) throw err;
+      if (import_axios.default.isAxiosError(err)) {
+        const ax = err;
+        const status = ax.response?.status;
+        const statusText = ax.response?.statusText;
+        const details = typeof ax.response?.data === "string" ? ax.response?.data : void 0;
+        throw new QueryHubStateError(
+          "PROXY_HTTP_ERROR",
+          `Query Proxy request failed${status ? ` (${status} ${statusText ?? ""})` : ""}${details ? `: ${details}` : ""}`,
+          err
+        );
+      }
+      throw new QueryHubStateError("PROXY_HTTP_ERROR", "Query Proxy request failed", err);
+    }
+  };
+  return await withExponentialBackoff(doFetch, maxAttempts);
+}
+
+// src/auth/prepareAuth.ts
+function resolveNetwork2() {
+  const envCandidates = [
+    globalThis?.process?.env?.NEXT_PUBLIC_VERIDEX_NETWORK,
+    globalThis?.process?.env?.VERIDEX_NETWORK,
+    globalThis?.process?.env?.NEXT_PUBLIC_WORMHOLE_NETWORK,
+    globalThis?.process?.env?.WORMHOLE_NETWORK
+  ].filter(Boolean);
+  const env = envCandidates[0]?.toLowerCase();
+  if (env === "mainnet" || env === "testnet") return env;
+  return "testnet";
+}
+function getHubChainId(network) {
+  return network === "testnet" ? TESTNET_CHAINS.baseSepolia.wormholeChainId : MAINNET_CHAINS.base.wormholeChainId;
+}
+function getHubRpcUrl(network) {
+  return network === "testnet" ? TESTNET_CHAINS.baseSepolia.rpcUrl : MAINNET_CHAINS.base.rpcUrl;
+}
+function getHubAddress(network) {
+  const hub = network === "testnet" ? TESTNET_CHAINS.baseSepolia.contracts.hub : MAINNET_CHAINS.base.contracts?.hub;
+  if (!hub) {
+    throw new Error("Hub address missing in SDK constants");
+  }
+  return hub;
+}
+function encodeActionPayload(action, targetChain) {
+  if (action.token !== void 0 && action.recipient !== void 0) {
+    const a2 = action;
+    return encodeTransferAction(a2.token, a2.recipient, a2.amount);
+  }
+  if (action.target !== void 0 && action.data !== void 0) {
+    const a2 = action;
+    return encodeExecuteAction(a2.target, a2.value, a2.data);
+  }
+  const a = action;
+  return encodeBridgeAction(a.token, a.amount, targetChain, a.recipient);
+}
+async function fetchNonceViaRpc(userKeyHash, network) {
+  const rpcUrl = getHubRpcUrl(network);
+  const hubAddress = getHubAddress(network);
+  const provider = new import_ethers5.ethers.JsonRpcProvider(rpcUrl);
+  const hubIface = new import_ethers5.ethers.Interface([
+    "function getNonce(bytes32 userKeyHash) external view returns (uint256)",
+    "function userNonces(bytes32 userKeyHash) external view returns (uint256)"
+  ]);
+  const calls = [
+    async () => {
+      const data = hubIface.encodeFunctionData("getNonce", [userKeyHash]);
+      const res = await provider.call({ to: hubAddress, data });
+      const decoded = hubIface.decodeFunctionResult("getNonce", res);
+      return decoded[0];
+    },
+    async () => {
+      const data = hubIface.encodeFunctionData("userNonces", [userKeyHash]);
+      const res = await provider.call({ to: hubAddress, data });
+      const decoded = hubIface.decodeFunctionResult("userNonces", res);
+      return decoded[0];
+    }
+  ];
+  let lastErr;
+  for (const fn of calls) {
+    try {
+      return await fn();
+    } catch (e) {
+      lastErr = e;
+    }
+  }
+  throw lastErr instanceof Error ? lastErr : new Error(String(lastErr));
+}
+function toHex32(value) {
+  return "0x" + value.toString(16).padStart(64, "0");
+}
+async function authenticateAndPrepare(userParams, apiKey) {
+  const network = resolveNetwork2();
+  const hubChainId = getHubChainId(network);
+  const actionPayload = userParams.actionPayload ?? (userParams.action ? encodeActionPayload(userParams.action, userParams.targetChain) : void 0);
+  if (!actionPayload) {
+    throw new Error("Missing action payload: provide either actionPayload or action");
+  }
+  let nonce;
+  let queryProof = new Uint8Array();
+  let fallbackAvailable = true;
+  const queryStart = Date.now();
+  try {
+    if (!apiKey) {
+      throw new Error("Missing Query Proxy apiKey");
+    }
+    const state = await queryHubState(userParams.credential.keyHash, apiKey, { network, maxAge: 60 });
+    if (!state.isRegistered) {
+      throw new Error("Passkey is not registered on Hub");
+    }
+    nonce = state.nonce;
+    queryProof = state.proof;
+  } catch {
+    nonce = await fetchNonceViaRpc(userParams.credential.keyHash, network);
+    queryProof = new Uint8Array();
+  }
+  const queryLatencyMs = Date.now() - queryStart;
+  const challenge = buildGaslessChallenge(userParams.targetChain, actionPayload, nonce, hubChainId);
+  const passkey = new PasskeyManager();
+  passkey.setCredential(userParams.credential);
+  const signature = await passkey.sign(challenge);
+  const requestBody = {
+    authenticatorData: signature.authenticatorData,
+    clientDataJSON: signature.clientDataJSON,
+    challengeIndex: signature.challengeIndex,
+    typeIndex: signature.typeIndex,
+    r: toHex32(signature.r),
+    s: toHex32(signature.s),
+    publicKeyX: toHex32(userParams.credential.publicKeyX),
+    publicKeyY: toHex32(userParams.credential.publicKeyY),
+    targetChain: userParams.targetChain,
+    actionPayload,
+    nonce: Number(nonce)
+  };
+  if (queryProof.length) {
+    requestBody.queryProof = import_ethers5.ethers.hexlify(queryProof);
+  }
+  const serializedTx = new TextEncoder().encode(JSON.stringify(requestBody));
+  const estimatedLatency = queryProof.length ? Math.max(250, queryLatencyMs) : Math.max(800, queryLatencyMs);
+  return {
+    serializedTx,
+    queryProof,
+    estimatedLatency,
+    fallbackAvailable
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  authenticateAndPrepare
+});
+//# sourceMappingURL=prepareAuth.js.map