@worldcoin/idkit-core 4.0.1 → 4.0.2-dev.a1a85c4

package/dist/index.cjs

@@ -1,10 +1,16 @@
 'use strict';
 
+var sha3 = require('@noble/hashes/sha3');
+var utils = require('@noble/hashes/utils');
+var hmac = require('@noble/hashes/hmac');
+var sha2 = require('@noble/hashes/sha2');
+var secp256k1 = require('@noble/secp256k1');
+
 var _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;
 var __defProp = Object.defineProperty;
-var __export = (target, all2) => {
-  for (var name in all2)
-    __defProp(target, name, { get: all2[name], enumerable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
 };
 
 // src/types/result.ts
@@ -245,6 +251,22 @@ function _assertClass(instance, klass) {
     throw new Error(`expected instance of ${klass.name}`);
   }
 }
+function createSession(app_id, rp_context, action_description, bridge_url, override_connect_base_url, environment) {
+  const ptr0 = passStringToWasm0(app_id, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+  const len0 = WASM_VECTOR_LEN;
+  _assertClass(rp_context, RpContextWasm);
+  var ptr1 = rp_context.__destroy_into_raw();
+  var ptr2 = isLikeNone(action_description) ? 0 : passStringToWasm0(action_description, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+  var len2 = WASM_VECTOR_LEN;
+  var ptr3 = isLikeNone(bridge_url) ? 0 : passStringToWasm0(bridge_url, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+  var len3 = WASM_VECTOR_LEN;
+  var ptr4 = isLikeNone(override_connect_base_url) ? 0 : passStringToWasm0(override_connect_base_url, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+  var len4 = WASM_VECTOR_LEN;
+  var ptr5 = isLikeNone(environment) ? 0 : passStringToWasm0(environment, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+  var len5 = WASM_VECTOR_LEN;
+  const ret = wasm.createSession(ptr0, len0, ptr1, ptr2, len2, ptr3, len3, ptr4, len4, ptr5, len5);
+  return IDKitBuilder.__wrap(ret);
+}
 function request(app_id, action, rp_context, action_description, bridge_url, allow_legacy_proofs, override_connect_base_url, environment) {
   const ptr0 = passStringToWasm0(app_id, wasm.__wbindgen_export, wasm.__wbindgen_export2);
   const len0 = WASM_VECTOR_LEN;
@@ -263,9 +285,6 @@ function request(app_id, action, rp_context, action_description, bridge_url, all
   const ret = wasm.idkitbuilder_new(ptr0, len0, ptr1, len1, ptr2, ptr3, len3, ptr4, len4, allow_legacy_proofs, ptr5, len5, ptr6, len6);
   return IDKitBuilder.__wrap(ret);
 }
-function init_wasm() {
-  wasm.init_wasm();
-}
 function base64Decode(data) {
   try {
     const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
@@ -304,22 +323,6 @@ function proveSession(session_id, app_id, rp_context, action_description, bridge
   const ret = wasm.idkitbuilder_forProveSession(ptr0, len0, ptr1, len1, ptr2, ptr3, len3, ptr4, len4, ptr5, len5, ptr6, len6);
   return IDKitBuilder.__wrap(ret);
 }
-function createSession(app_id, rp_context, action_description, bridge_url, override_connect_base_url, environment) {
-  const ptr0 = passStringToWasm0(app_id, wasm.__wbindgen_export, wasm.__wbindgen_export2);
-  const len0 = WASM_VECTOR_LEN;
-  _assertClass(rp_context, RpContextWasm);
-  var ptr1 = rp_context.__destroy_into_raw();
-  var ptr2 = isLikeNone(action_description) ? 0 : passStringToWasm0(action_description, wasm.__wbindgen_export, wasm.__wbindgen_export2);
-  var len2 = WASM_VECTOR_LEN;
-  var ptr3 = isLikeNone(bridge_url) ? 0 : passStringToWasm0(bridge_url, wasm.__wbindgen_export, wasm.__wbindgen_export2);
-  var len3 = WASM_VECTOR_LEN;
-  var ptr4 = isLikeNone(override_connect_base_url) ? 0 : passStringToWasm0(override_connect_base_url, wasm.__wbindgen_export, wasm.__wbindgen_export2);
-  var len4 = WASM_VECTOR_LEN;
-  var ptr5 = isLikeNone(environment) ? 0 : passStringToWasm0(environment, wasm.__wbindgen_export, wasm.__wbindgen_export2);
-  var len5 = WASM_VECTOR_LEN;
-  const ret = wasm.createSession(ptr0, len0, ptr1, ptr2, len2, ptr3, len3, ptr4, len4, ptr5, len5);
-  return IDKitBuilder.__wrap(ret);
-}
 function passArray8ToWasm0(arg, malloc) {
   const ptr = malloc(arg.length * 1, 1) >>> 0;
   getUint8ArrayMemory0().set(arg, ptr / 1);
@@ -344,6 +347,28 @@ function base64Encode(data) {
     wasm.__wbindgen_export4(deferred2_0, deferred2_1, 1);
   }
 }
+function init_wasm() {
+  wasm.init_wasm();
+}
+function signRequest(action, signing_key_hex, ttl_seconds) {
+  try {
+    const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+    const ptr0 = passStringToWasm0(action, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(signing_key_hex, wasm.__wbindgen_export, wasm.__wbindgen_export2);
+    const len1 = WASM_VECTOR_LEN;
+    wasm.signRequest(retptr, ptr0, len0, ptr1, len1, !isLikeNone(ttl_seconds), isLikeNone(ttl_seconds) ? BigInt(0) : ttl_seconds);
+    var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+    var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+    var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+    if (r2) {
+      throw takeObject(r1);
+    }
+    return RpSignature.__wrap(r0);
+  } finally {
+    wasm.__wbindgen_add_to_stack_pointer(16);
+  }
+}
 function hashSignal(signal) {
   let deferred2_0;
   let deferred2_1;
@@ -369,33 +394,14 @@ function hashSignal(signal) {
     wasm.__wbindgen_export4(deferred2_0, deferred2_1, 1);
   }
 }
-function signRequest(action, signing_key_hex, ttl_seconds) {
-  try {
-    const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-    const ptr0 = passStringToWasm0(action, wasm.__wbindgen_export, wasm.__wbindgen_export2);
-    const len0 = WASM_VECTOR_LEN;
-    const ptr1 = passStringToWasm0(signing_key_hex, wasm.__wbindgen_export, wasm.__wbindgen_export2);
-    const len1 = WASM_VECTOR_LEN;
-    wasm.signRequest(retptr, ptr0, len0, ptr1, len1, !isLikeNone(ttl_seconds), isLikeNone(ttl_seconds) ? BigInt(0) : ttl_seconds);
-    var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
-    var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
-    var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
-    if (r2) {
-      throw takeObject(r1);
-    }
-    return RpSignature.__wrap(r0);
-  } finally {
-    wasm.__wbindgen_add_to_stack_pointer(16);
-  }
-}
-function __wasm_bindgen_func_elem_960(arg0, arg1, arg2) {
-  wasm.__wasm_bindgen_func_elem_960(arg0, arg1, addHeapObject(arg2));
+function __wasm_bindgen_func_elem_962(arg0, arg1, arg2) {
+  wasm.__wasm_bindgen_func_elem_962(arg0, arg1, addHeapObject(arg2));
 }
-function __wasm_bindgen_func_elem_597(arg0, arg1) {
-  wasm.__wasm_bindgen_func_elem_597(arg0, arg1);
+function __wasm_bindgen_func_elem_599(arg0, arg1) {
+  wasm.__wasm_bindgen_func_elem_599(arg0, arg1);
 }
-function __wasm_bindgen_func_elem_1343(arg0, arg1, arg2, arg3) {
-  wasm.__wasm_bindgen_func_elem_1343(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
+function __wasm_bindgen_func_elem_1347(arg0, arg1, arg2, arg3) {
+  wasm.__wasm_bindgen_func_elem_1347(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
 }
 var __wbindgen_enum_RequestCache = ["default", "no-store", "reload", "no-cache", "force-cache", "only-if-cached"];
 var __wbindgen_enum_RequestCredentials = ["omit", "same-origin", "include"];
@@ -772,6 +778,34 @@ var IDKitBuilder = class _IDKitBuilder {
     const ret = wasm.idkitbuilder_constraints(ptr, addHeapObject(constraints_json));
     return takeObject(ret);
   }
+  /**
+   * Builds the native payload for constraints (synchronous, no bridge connection).
+   *
+   * Used by the native transport to get the same payload format as the bridge
+   * without creating a network connection.
+   *
+   * # Errors
+   *
+   * Returns an error if constraints are invalid or payload construction fails.
+   * @param {any} constraints_json
+   * @returns {any}
+   */
+  nativePayload(constraints_json) {
+    try {
+      const ptr = this.__destroy_into_raw();
+      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+      wasm.idkitbuilder_nativePayload(retptr, ptr, addHeapObject(constraints_json));
+      var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+      var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+      var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+      if (r2) {
+        throw takeObject(r1);
+      }
+      return takeObject(r0);
+    } finally {
+      wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+  }
   /**
    * Creates a new builder for proving an existing session
    * @param {string} session_id
@@ -827,6 +861,34 @@ var IDKitBuilder = class _IDKitBuilder {
     const ret = wasm.createSession(ptr0, len0, ptr1, ptr2, len2, ptr3, len3, ptr4, len4, ptr5, len5);
     return _IDKitBuilder.__wrap(ret);
   }
+  /**
+   * Builds the native payload from a preset (synchronous, no bridge connection).
+   *
+   * Used by the native transport to get the same payload format as the bridge
+   * without creating a network connection.
+   *
+   * # Errors
+   *
+   * Returns an error if the preset is invalid or payload construction fails.
+   * @param {any} preset_json
+   * @returns {any}
+   */
+  nativePayloadFromPreset(preset_json) {
+    try {
+      const ptr = this.__destroy_into_raw();
+      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
+      wasm.idkitbuilder_nativePayloadFromPreset(retptr, ptr, addHeapObject(preset_json));
+      var r0 = getDataViewMemory0().getInt32(retptr + 4 * 0, true);
+      var r1 = getDataViewMemory0().getInt32(retptr + 4 * 1, true);
+      var r2 = getDataViewMemory0().getInt32(retptr + 4 * 2, true);
+      if (r2) {
+        throw takeObject(r1);
+      }
+      return takeObject(r0);
+    } finally {
+      wasm.__wbindgen_add_to_stack_pointer(16);
+    }
+  }
   /**
    * Creates a new builder for uniqueness requests
    * @param {string} app_id
@@ -1502,7 +1564,7 @@ function __wbg_get_imports() {
         const a = state0.a;
         state0.a = 0;
         try {
-          return __wasm_bindgen_func_elem_1343(a, state0.b, arg02, arg12);
+          return __wasm_bindgen_func_elem_1347(a, state0.b, arg02, arg12);
         } finally {
           state0.a = a;
         }
@@ -1715,20 +1777,20 @@ function __wbg_get_imports() {
     const ret = getStringFromWasm0(arg0, arg1);
     return addHeapObject(ret);
   };
-  imports.wbg.__wbindgen_cast_4625c577ab2ec9ee = function(arg0) {
-    const ret = BigInt.asUintN(64, arg0);
+  imports.wbg.__wbindgen_cast_2d12912bac8cf5ca = function(arg0, arg1) {
+    const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_961, __wasm_bindgen_func_elem_962);
     return addHeapObject(ret);
   };
-  imports.wbg.__wbindgen_cast_91c43ecf1f8dafb8 = function(arg0, arg1) {
-    const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_596, __wasm_bindgen_func_elem_597);
+  imports.wbg.__wbindgen_cast_4625c577ab2ec9ee = function(arg0) {
+    const ret = BigInt.asUintN(64, arg0);
     return addHeapObject(ret);
   };
   imports.wbg.__wbindgen_cast_9ae0607507abb057 = function(arg0) {
     const ret = arg0;
     return addHeapObject(ret);
   };
-  imports.wbg.__wbindgen_cast_ab10518eebecf9a3 = function(arg0, arg1) {
-    const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_959, __wasm_bindgen_func_elem_960);
+  imports.wbg.__wbindgen_cast_b8b1061c2d0ea705 = function(arg0, arg1) {
+    const ret = makeMutClosure(arg0, arg1, wasm.__wasm_bindgen_func_elem_598, __wasm_bindgen_func_elem_599);
     return addHeapObject(ret);
   };
   imports.wbg.__wbindgen_cast_cb9088102bce6b30 = function(arg0, arg1) {
@@ -1814,27 +1876,242 @@ async function initIDKit() {
   })();
   return wasmInitPromise;
 }
-async function initIDKitServer() {
-  if (wasmInitialized) {
-    return;
+
+// src/transports/native.ts
+var MINIAPP_VERIFY_ACTION = "miniapp-verify-action";
+function isInWorldApp() {
+  return typeof window !== "undefined" && Boolean(window.WorldApp);
+}
+var _requestCounter = 0;
+var _activeNativeRequest = null;
+function createNativeRequest(wasmPayload, config, signalHashes = {}) {
+  if (_activeNativeRequest?.isPending()) {
+    console.warn(
+      "IDKit native request already in flight. Reusing active request."
+    );
+    return _activeNativeRequest;
   }
-  if (wasmInitPromise) {
-    return wasmInitPromise;
+  const request2 = new NativeIDKitRequest(wasmPayload, config, signalHashes);
+  _activeNativeRequest = request2;
+  return request2;
+}
+var NativeIDKitRequest = class {
+  constructor(wasmPayload, config, signalHashes = {}) {
+    this.connectorURI = "";
+    this.resolved = false;
+    this.cancelled = false;
+    this.settled = false;
+    this.resolvedResult = null;
+    this.messageHandler = null;
+    this.miniKitHandler = null;
+    this.rejectFn = null;
+    this.requestId = crypto.randomUUID?.() ?? `native-${Date.now()}-${++_requestCounter}`;
+    this.resultPromise = new Promise((resolve, reject) => {
+      this.rejectFn = reject;
+      const handleIncomingPayload = (responsePayload) => {
+        if (this.cancelled || this.resolved || this.settled) return;
+        if (responsePayload?.status === "error") {
+          this.cleanup();
+          reject(
+            new NativeVerifyError(
+              responsePayload.error_code ?? "generic_error" /* GenericError */
+            )
+          );
+          return;
+        }
+        this.resolved = true;
+        const result = nativeResultToIDKitResult(
+          responsePayload,
+          config,
+          signalHashes
+        );
+        this.resolvedResult = result;
+        this.cleanup();
+        resolve(result);
+      };
+      const handler = (event) => {
+        const data = event.data;
+        if (data?.type === MINIAPP_VERIFY_ACTION || data?.command === MINIAPP_VERIFY_ACTION) {
+          handleIncomingPayload(data.payload ?? data);
+        }
+      };
+      this.messageHandler = handler;
+      window.addEventListener("message", handler);
+      try {
+        const miniKit = window.MiniKit;
+        if (typeof miniKit?.subscribe === "function") {
+          const miniKitHandler = (payload) => {
+            handleIncomingPayload(payload?.payload ?? payload);
+          };
+          this.miniKitHandler = miniKitHandler;
+          miniKit.subscribe(MINIAPP_VERIFY_ACTION, miniKitHandler);
+        }
+      } catch {
+      }
+      const sendPayload = {
+        command: "verify",
+        version: 2,
+        payload: wasmPayload
+      };
+      const w = window;
+      if (w.webkit?.messageHandlers?.minikit) {
+        w.webkit.messageHandlers.minikit.postMessage(sendPayload);
+      } else if (w.Android) {
+        w.Android.postMessage(JSON.stringify(sendPayload));
+      } else {
+        this.cleanup();
+        reject(new Error("No WebView bridge available"));
+      }
+    });
+    this.resultPromise.catch(() => {
+    }).finally(() => {
+      this.settled = true;
+      this.cleanup();
+      if (_activeNativeRequest === this) {
+        _activeNativeRequest = null;
+      }
+    });
   }
-  wasmInitPromise = (async () => {
+  /**
+   * Cancel this request. Removes the message listener so it cannot consume
+   * a response meant for a later request, and rejects the pending promise.
+   */
+  cancel() {
+    if (this.resolved || this.cancelled) return;
+    this.cancelled = true;
+    this.cleanup();
+    this.rejectFn?.(new NativeVerifyError("cancelled" /* Cancelled */));
+    if (_activeNativeRequest === this) {
+      _activeNativeRequest = null;
+    }
+  }
+  cleanup() {
+    if (this.messageHandler) {
+      window.removeEventListener("message", this.messageHandler);
+      this.messageHandler = null;
+    }
+    if (this.miniKitHandler) {
+      try {
+        const miniKit = window.MiniKit;
+        miniKit?.unsubscribe?.(MINIAPP_VERIFY_ACTION);
+      } catch {
+      }
+      this.miniKitHandler = null;
+    }
+  }
+  isPending() {
+    return !this.settled && !this.cancelled;
+  }
+  async pollOnce() {
+    if (this.resolved && this.resolvedResult) {
+      return { type: "confirmed", result: this.resolvedResult };
+    }
+    return { type: "awaiting_confirmation" };
+  }
+  async pollUntilCompletion(options) {
+    const timeout = options?.timeout ?? 3e5;
+    let timeoutId;
+    let abortHandler = null;
+    let waiterTerminationCode = null;
     try {
-      const { readFile } = await import('fs/promises');
-      const { fileURLToPath } = await import('url');
-      const wasmUrl = new URL("idkit_wasm_bg.wasm", (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('index.cjs', document.baseURI).href)));
-      const wasmBuffer = await readFile(fileURLToPath(wasmUrl));
-      await idkit_wasm_default({ module_or_path: wasmBuffer });
-      wasmInitialized = true;
+      const result = await Promise.race([
+        this.resultPromise,
+        new Promise((_, reject) => {
+          if (options?.signal) {
+            abortHandler = () => {
+              waiterTerminationCode = "cancelled" /* Cancelled */;
+              reject(new NativeVerifyError("cancelled" /* Cancelled */));
+            };
+            if (options.signal.aborted) {
+              abortHandler();
+              return;
+            }
+            options.signal.addEventListener("abort", abortHandler, {
+              once: true
+            });
+          }
+          timeoutId = setTimeout(() => {
+            waiterTerminationCode = "timeout" /* Timeout */;
+            reject(new NativeVerifyError("timeout" /* Timeout */));
+          }, timeout);
+        })
+      ]);
+      return { success: true, result };
     } catch (error) {
-      wasmInitPromise = null;
-      throw new Error(`Failed to initialize IDKit WASM for server: ${error}`);
+      if (error instanceof NativeVerifyError) {
+        if (waiterTerminationCode === error.code && this.isPending()) {
+          this.cancel();
+        }
+        return { success: false, error: error.code };
+      }
+      return { success: false, error: "generic_error" /* GenericError */ };
+    } finally {
+      if (timeoutId) {
+        clearTimeout(timeoutId);
+      }
+      if (options?.signal && abortHandler) {
+        options.signal.removeEventListener("abort", abortHandler);
+      }
     }
-  })();
-  return wasmInitPromise;
+  }
+};
+var NativeVerifyError = class extends Error {
+  constructor(code) {
+    super(code);
+    this.code = code;
+  }
+};
+function nativeResultToIDKitResult(payload, config, signalHashes) {
+  const rpNonce = config.rp_context?.nonce ?? "";
+  if ("responses" in payload) {
+    const v4 = payload;
+    return {
+      protocol_version: v4.protocol_version ?? "4.0",
+      nonce: v4.nonce ?? rpNonce,
+      action: v4.action ?? config.action ?? "",
+      action_description: v4.action_description,
+      session_id: v4.session_id,
+      responses: v4.responses.map((item) => ({
+        ...item,
+        signal_hash: signalHashes[item.identifier]
+      })),
+      environment: v4.environment ?? config.environment ?? "production"
+    };
+  }
+  if ("verifications" in payload) {
+    const multi = payload;
+    return {
+      protocol_version: "4.0",
+      nonce: rpNonce,
+      action: config.action ?? "",
+      responses: multi.verifications.map((v) => ({
+        identifier: v.verification_level,
+        signal_hash: v.signal_hash ?? signalHashes[v.verification_level],
+        proof: [v.proof],
+        nullifier: v.nullifier_hash,
+        merkle_root: v.merkle_root,
+        issuer_schema_id: 0,
+        expires_at_min: 0
+      })),
+      environment: "production"
+    };
+  }
+  const single = payload;
+  return {
+    protocol_version: "3.0",
+    nonce: rpNonce,
+    action: config.action ?? "",
+    responses: [
+      {
+        identifier: single.verification_level,
+        signal_hash: single.signal_hash ?? signalHashes[single.verification_level],
+        proof: single.proof,
+        merkle_root: single.merkle_root,
+        nullifier: single.nullifier_hash
+      }
+    ],
+    environment: "production"
+  };
 }
 
 // src/request.ts
@@ -1878,20 +2155,6 @@ var IDKitRequestImpl = class {
     }
   }
 };
-function CredentialRequest(credential_type, options) {
-  return {
-    type: credential_type,
-    signal: options?.signal,
-    genesis_issued_at_min: options?.genesis_issued_at_min,
-    expires_at_min: options?.expires_at_min
-  };
-}
-function any(...nodes) {
-  return { any: nodes };
-}
-function all(...nodes) {
-  return { all: nodes };
-}
 function orbLegacy(opts = {}) {
   return { type: "OrbLegacy", signal: opts.signal };
 }
@@ -1901,48 +2164,108 @@ function secureDocumentLegacy(opts = {}) {
 function documentLegacy(opts = {}) {
   return { type: "DocumentLegacy", signal: opts.signal };
 }
+function createWasmBuilderFromConfig(config) {
+  if (!config.rp_context) {
+    throw new Error("rp_context is required for WASM bridge transport");
+  }
+  const rpContext = new idkit_wasm_exports.RpContextWasm(
+    config.rp_context.rp_id,
+    config.rp_context.nonce,
+    BigInt(config.rp_context.created_at),
+    BigInt(config.rp_context.expires_at),
+    config.rp_context.signature
+  );
+  if (config.type === "request") {
+    return idkit_wasm_exports.request(
+      config.app_id,
+      String(config.action ?? ""),
+      rpContext,
+      config.action_description ?? null,
+      config.bridge_url ?? null,
+      config.allow_legacy_proofs ?? false,
+      config.override_connect_base_url ?? null,
+      config.environment ?? null
+    );
+  }
+  if (config.type === "proveSession") {
+    return idkit_wasm_exports.proveSession(
+      config.session_id,
+      config.app_id,
+      rpContext,
+      config.action_description ?? null,
+      config.bridge_url ?? null,
+      config.override_connect_base_url ?? null,
+      config.environment ?? null
+    );
+  }
+  return idkit_wasm_exports.createSession(
+    config.app_id,
+    rpContext,
+    config.action_description ?? null,
+    config.bridge_url ?? null,
+    config.override_connect_base_url ?? null,
+    config.environment ?? null
+  );
+}
 var IDKitBuilder2 = class {
-  constructor(wasmBuilder) {
-    this.wasmBuilder = wasmBuilder;
+  constructor(config) {
+    this.config = config;
   }
   /**
    * Creates an IDKit request with the given constraints
    *
-   * @param constraints - Constraint tree (CredentialRequest or any/all combinators)
+   * @param constraints - Constraint tree (CredentialRequest or any/all/enumerate combinators)
    * @returns A new IDKitRequest instance
    *
    * @example
    * ```typescript
-   * const builder = await IDKit.request({ app_id, action, rp_context });
-   * const request = await builder.constraints(any(CredentialRequest('orb'), CredentialRequest('face')));
+   * const request = await IDKit.request({ app_id, action, rp_context, allow_legacy_proofs: false })
+   *   .constraints(any(CredentialRequest('orb'), CredentialRequest('face')));
    * ```
    */
-  //TODO: re-enable once this is supported and World ID 4.0 is rolled out live
-  // async constraints(constraints: ConstraintNode): Promise<IDKitRequest> {
-  //   await initIDKit();
-  //   const wasmRequest = (await this.wasmBuilder.constraints(
-  //     constraints,
-  //   )) as unknown as WasmModule.IDKitRequest;
-  //   return new IDKitRequestImpl(wasmRequest);
-  // }
+  async constraints(constraints) {
+    await initIDKit();
+    const wasmBuilder = createWasmBuilderFromConfig(this.config);
+    if (isInWorldApp()) {
+      const wasmResult = wasmBuilder.nativePayload(constraints);
+      return createNativeRequest(
+        wasmResult.payload,
+        this.config,
+        wasmResult.signal_hashes ?? {}
+      );
+    }
+    const wasmRequest = await wasmBuilder.constraints(
+      constraints
+    );
+    return new IDKitRequestImpl(wasmRequest);
+  }
   /**
    * Creates an IDKit request from a preset (works for all request types)
    *
    * Presets provide a simplified way to create requests with predefined
    * credential configurations.
    *
-   * @param preset - A preset object from orbLegacy()
+   * @param preset - A preset object from orbLegacy(), secureDocumentLegacy(), or documentLegacy()
    * @returns A new IDKitRequest instance
    *
    * @example
    * ```typescript
-   * const builder = await IDKit.request({ app_id, action, rp_context });
-   * const request = await builder.preset(orbLegacy({ signal: 'user-123' }));
+   * const request = await IDKit.request({ app_id, action, rp_context, allow_legacy_proofs: true })
+   *   .preset(orbLegacy({ signal: 'user-123' }));
    * ```
    */
   async preset(preset) {
     await initIDKit();
-    const wasmRequest = await this.wasmBuilder.preset(
+    const wasmBuilder = createWasmBuilderFromConfig(this.config);
+    if (isInWorldApp()) {
+      const wasmResult = wasmBuilder.nativePayloadFromPreset(preset);
+      return createNativeRequest(
+        wasmResult.payload,
+        this.config,
+        wasmResult.signal_hashes ?? {}
+      );
+    }
+    const wasmRequest = await wasmBuilder.preset(
       preset
     );
     return new IDKitRequestImpl(wasmRequest);
@@ -1956,101 +2279,43 @@ function createRequest(config) {
     throw new Error("action is required");
   }
   if (!config.rp_context) {
-    throw new Error("rp_context is required");
+    throw new Error(
+      "rp_context is required. Generate it on your backend using signRequest()."
+    );
   }
   if (typeof config.allow_legacy_proofs !== "boolean") {
     throw new Error(
       "allow_legacy_proofs is required. Set to true to accept v3 proofs during migration, or false to only accept v4 proofs."
     );
   }
-  const rpContext = new idkit_wasm_exports.RpContextWasm(
-    config.rp_context.rp_id,
-    config.rp_context.nonce,
-    BigInt(config.rp_context.created_at),
-    BigInt(config.rp_context.expires_at),
-    config.rp_context.signature
-  );
-  const wasmBuilder = idkit_wasm_exports.request(
-    config.app_id,
-    String(config.action),
-    rpContext,
-    config.action_description ?? null,
-    config.bridge_url ?? null,
-    config.allow_legacy_proofs,
-    config.override_connect_base_url ?? null,
-    config.environment ?? null
-  );
-  return new IDKitBuilder2(wasmBuilder);
-}
-function createSession2(config) {
-  if (!config.app_id) {
-    throw new Error("app_id is required");
-  }
-  if (!config.rp_context) {
-    throw new Error("rp_context is required");
-  }
-  const rpContext = new idkit_wasm_exports.RpContextWasm(
-    config.rp_context.rp_id,
-    config.rp_context.nonce,
-    BigInt(config.rp_context.created_at),
-    BigInt(config.rp_context.expires_at),
-    config.rp_context.signature
-  );
-  const wasmBuilder = idkit_wasm_exports.createSession(
-    config.app_id,
-    rpContext,
-    config.action_description ?? null,
-    config.bridge_url ?? null,
-    config.override_connect_base_url ?? null,
-    config.environment ?? null
-  );
-  return new IDKitBuilder2(wasmBuilder);
-}
-function proveSession2(sessionId, config) {
-  if (!sessionId) {
-    throw new Error("session_id is required");
-  }
-  if (!config.app_id) {
-    throw new Error("app_id is required");
-  }
-  if (!config.rp_context) {
-    throw new Error("rp_context is required");
-  }
-  const rpContext = new idkit_wasm_exports.RpContextWasm(
-    config.rp_context.rp_id,
-    config.rp_context.nonce,
-    BigInt(config.rp_context.created_at),
-    BigInt(config.rp_context.expires_at),
-    config.rp_context.signature
-  );
-  const wasmBuilder = idkit_wasm_exports.proveSession(
-    sessionId,
-    config.app_id,
-    rpContext,
-    config.action_description ?? null,
-    config.bridge_url ?? null,
-    config.override_connect_base_url ?? null,
-    config.environment ?? null
-  );
-  return new IDKitBuilder2(wasmBuilder);
+  return new IDKitBuilder2({
+    type: "request",
+    app_id: config.app_id,
+    action: String(config.action),
+    rp_context: config.rp_context,
+    action_description: config.action_description,
+    bridge_url: config.bridge_url,
+    allow_legacy_proofs: config.allow_legacy_proofs,
+    override_connect_base_url: config.override_connect_base_url,
+    environment: config.environment
+  });
 }
 var IDKit = {
-  /** Initialize WASM for browser environments */
-  init: initIDKit,
-  /** Initialize WASM for Node.js/server environments */
-  initServer: initIDKitServer,
   /** Create a new verification request */
   request: createRequest,
-  /** Create a new session (no action, no existing session_id) */
-  createSession: createSession2,
-  /** Prove an existing session (no action, has session_id) */
-  proveSession: proveSession2,
-  /** Create a CredentialRequest for a credential type */
-  CredentialRequest,
-  /** Create an OR constraint - at least one child must be satisfied */
-  any,
-  /** Create an AND constraint - all children must be satisfied */
-  all,
+  // TODO: Re-enable when World ID 4.0 is live
+  // /** Create a new session (no action, no existing session_id) */
+  // createSession,
+  // /** Prove an existing session (no action, has session_id) */
+  // proveSession,
+  // /** Create a CredentialRequest for a credential type */
+  // CredentialRequest,
+  // /** Create an OR constraint - at least one child must be satisfied */
+  // any,
+  // /** Create an AND constraint - all children must be satisfied */
+  // all,
+  // /** Create an enumerate constraint - all satisfiable children should be selected */
+  // enumerate,
   /** Create an OrbLegacy preset for World ID 3.0 legacy support */
   orbLegacy,
   /** Create a SecureDocumentLegacy preset for World ID 3.0 legacy support */
@@ -2081,28 +2346,75 @@ var isServerEnvironment = () => {
   }
   return false;
 };
+function hashToField(input) {
+  const hash = BigInt("0x" + utils.bytesToHex(sha3.keccak_256(input))) >> 8n;
+  return utils.hexToBytes(hash.toString(16).padStart(64, "0"));
+}
+function hashSignal2(signal) {
+  let input;
+  if (signal instanceof Uint8Array) {
+    input = signal;
+  } else if (signal.startsWith("0x") && isValidHex(signal.slice(2))) {
+    input = utils.hexToBytes(signal.slice(2));
+  } else {
+    input = new TextEncoder().encode(signal);
+  }
+  return "0x" + utils.bytesToHex(hashToField(input));
+}
+function isValidHex(s) {
+  if (s.length === 0) return false;
+  if (s.length % 2 !== 0) return false;
+  return /^[0-9a-fA-F]+$/.test(s);
+}
 
-// src/lib/rp-signature.ts
-function signRequest2(action, signingKeyHex, ttlSeconds) {
+// src/lib/signing.ts
+secp256k1.etc.hmacSha256Sync = (key, ...msgs) => hmac.hmac(sha2.sha256, key, secp256k1.etc.concatBytes(...msgs));
+var DEFAULT_TTL_SEC = 300;
+function computeRpSignatureMessage(nonceBytes, createdAt, expiresAt) {
+  const message = new Uint8Array(48);
+  message.set(nonceBytes, 0);
+  const view = new DataView(message.buffer);
+  view.setBigUint64(32, BigInt(createdAt), false);
+  view.setBigUint64(40, BigInt(expiresAt), false);
+  return message;
+}
+function signRequest2(_action, signingKeyHex, ttl = DEFAULT_TTL_SEC) {
   if (!isServerEnvironment()) {
     throw new Error(
       "signRequest can only be used in Node.js environments. This function requires access to signing keys and should never be called from browser/client-side code."
     );
   }
-  const ttlBigInt = ttlSeconds !== void 0 ? BigInt(ttlSeconds) : void 0;
-  return idkit_wasm_exports.signRequest(action, signingKeyHex, ttlBigInt);
-}
-
-// src/lib/hashing.ts
-function hashSignal2(signal) {
-  return idkit_wasm_exports.hashSignal(signal);
+  const keyHex = signingKeyHex.startsWith("0x") ? signingKeyHex.slice(2) : signingKeyHex;
+  if (!/^[0-9a-fA-F]+$/.test(keyHex)) {
+    throw new Error("Invalid signing key: contains non-hex characters");
+  }
+  if (keyHex.length !== 64) {
+    throw new Error(
+      `Invalid signing key: expected 32 bytes (64 hex chars), got ${keyHex.length / 2} bytes`
+    );
+  }
+  const privKey = secp256k1.etc.hexToBytes(keyHex);
+  const randomBytes = crypto.getRandomValues(new Uint8Array(32));
+  const nonceBytes = hashToField(randomBytes);
+  const createdAt = Math.floor(Date.now() / 1e3);
+  const expiresAt = createdAt + ttl;
+  const message = computeRpSignatureMessage(nonceBytes, createdAt, expiresAt);
+  const msgHash = sha3.keccak_256(message);
+  const recSig = secp256k1.sign(msgHash, privKey);
+  const compact = recSig.toCompactRawBytes();
+  const sig65 = new Uint8Array(65);
+  sig65.set(compact, 0);
+  sig65[64] = recSig.recovery + 27;
+  return {
+    sig: "0x" + utils.bytesToHex(sig65),
+    nonce: "0x" + utils.bytesToHex(nonceBytes),
+    createdAt,
+    expiresAt
+  };
 }
 
-exports.CredentialRequest = CredentialRequest;
 exports.IDKit = IDKit;
 exports.IDKitErrorCodes = IDKitErrorCodes;
-exports.all = all;
-exports.any = any;
 exports.documentLegacy = documentLegacy;
 exports.hashSignal = hashSignal2;
 exports.isNode = isNode;