@zerodev/wallet-core 0.0.1-alpha.17 → 0.0.1-alpha.19

package/dist/_esm/utils/encryptOtpAttempt.js

@@ -0,0 +1,81 @@
+/**
+ * Wraps the OTP code + client public key in a Turnkey-compatible HPKE bundle
+ * for the `/v1/otp_verify_v2` auth-proxy endpoint.
+ *
+ * Bundle flow (RFC 9180 mode_base over Turnkey's TLS Fetcher enclave):
+ *   1. The backend's /init/otp returns a signed envelope that contains an
+ *      ephemeral HPKE public key (`targetPublic`) generated fresh by the
+ *      enclave for this OTP attempt.
+ *   2. We verify the envelope's ECDSA signature against a pinned production
+ *      key (`TURNKEY_TLS_FETCHER_SIGN_PUBLIC_KEY`) so a compromised proxy
+ *      cannot substitute its own ephemeral key.
+ *   3. We HPKE-seal `{otp_code, public_key}` to `targetPublic`. The auth proxy
+ *      forwards the ciphertext to the enclave; only the enclave can decrypt
+ *      it. The enclave then issues a `verificationToken` bound to the public
+ *      key embedded in the plaintext.
+ *
+ * See: tkhq/go-sdk `examples/email_otp` and `pkg/enclave_encrypt`.
+ */
+import { p256 } from '@noble/curves/nist.js';
+import { bytesToHex, hexToBytes } from '@noble/hashes/utils.js';
+import { TURNKEY_TLS_FETCHER_SIGN_PUBLIC_KEY } from '../constants.js';
+import { hpkeSealP256 } from './hpke.js';
+const BUNDLE_DATA_VERSION = 'v1.0.0';
+/**
+ * Returns a JSON string ready to be sent as `encryptedOtpBundle` on
+ * `POST /v1/otp_verify_v2`.
+ */
+export async function encryptOtpAttempt({ otpCode, publicKey, encryptionTargetBundle, dangerouslyOverrideSignerPublicKey, }) {
+    const expectedSignerHex = dangerouslyOverrideSignerPublicKey ?? TURNKEY_TLS_FETCHER_SIGN_PUBLIC_KEY;
+    let envelope;
+    try {
+        envelope = JSON.parse(encryptionTargetBundle);
+    }
+    catch (err) {
+        throw new Error(`encryptOtpAttempt: failed to parse encryption target bundle: ${err.message}`);
+    }
+    if (envelope.version !== BUNDLE_DATA_VERSION) {
+        throw new Error(`encryptOtpAttempt: unsupported bundle version ${envelope.version}`);
+    }
+    if (envelope.enclaveQuorumPublic.toLowerCase() !==
+        expectedSignerHex.toLowerCase()) {
+        throw new Error('encryptOtpAttempt: enclave quorum public key does not match pinned signing key');
+    }
+    const dataBytes = hexToBytes(envelope.data);
+    const signatureBytes = hexToBytes(envelope.dataSignature);
+    const signerPublicKeyBytes = hexToBytes(envelope.enclaveQuorumPublic);
+    // The Go side does sha256(data) then ASN.1 DER ECDSA verify, without
+    // enforcing low-S. Match that here.
+    const valid = p256.verify(signatureBytes, dataBytes, signerPublicKeyBytes, {
+        prehash: true,
+        format: 'der',
+        lowS: false,
+    });
+    if (!valid) {
+        throw new Error('encryptOtpAttempt: invalid enclave signature on bundle');
+    }
+    let signedData;
+    try {
+        signedData = JSON.parse(new TextDecoder().decode(dataBytes));
+    }
+    catch (err) {
+        throw new Error(`encryptOtpAttempt: failed to parse signed bundle data: ${err.message}`);
+    }
+    if (!signedData.targetPublic) {
+        throw new Error('encryptOtpAttempt: missing targetPublic in signed data');
+    }
+    const targetPublicKey = hexToBytes(signedData.targetPublic);
+    // Plaintext shape matches what the Go example marshals:
+    //   { otp_code: string, public_key: string }
+    const plaintext = new TextEncoder().encode(JSON.stringify({ otp_code: otpCode, public_key: publicKey }));
+    const { encappedPublic, ciphertext } = await hpkeSealP256({
+        receiverPublicKey: targetPublicKey,
+        plaintext,
+    });
+    // Wire format = the Go SDK's `ClientSendMsg`: Bytes fields hex-encoded.
+    return JSON.stringify({
+        encappedPublic: bytesToHex(encappedPublic),
+        ciphertext: bytesToHex(ciphertext),
+    });
+}
+//# sourceMappingURL=encryptOtpAttempt.js.map

package/dist/_esm/utils/encryptOtpAttempt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryptOtpAttempt.js","sourceRoot":"","sources":["../../../src/utils/encryptOtpAttempt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,uBAAuB,CAAA;AAC5C,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAA;AAC/D,OAAO,EAAE,mCAAmC,EAAE,MAAM,iBAAiB,CAAA;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAA;AAExC,MAAM,mBAAmB,GAAG,QAAQ,CAAA;AAmCpC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,EACtC,OAAO,EACP,SAAS,EACT,sBAAsB,EACtB,kCAAkC,GACV;IACxB,MAAM,iBAAiB,GACrB,kCAAkC,IAAI,mCAAmC,CAAA;IAE3E,IAAI,QAAkC,CAAA;IACtC,IAAI,CAAC;QACH,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAA;IAC/C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,gEAAiE,GAAa,CAAC,OAAO,EAAE,CACzF,CAAA;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,OAAO,KAAK,mBAAmB,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CACb,iDAAiD,QAAQ,CAAC,OAAO,EAAE,CACpE,CAAA;IACH,CAAC;IAED,IACE,QAAQ,CAAC,mBAAmB,CAAC,WAAW,EAAE;QAC1C,iBAAiB,CAAC,WAAW,EAAE,EAC/B,CAAC;QACD,MAAM,IAAI,KAAK,CACb,gFAAgF,CACjF,CAAA;IACH,CAAC;IAED,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAA;IAC3C,MAAM,cAAc,GAAG,UAAU,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAA;IACzD,MAAM,oBAAoB,GAAG,UAAU,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAA;IAErE,qEAAqE;IACrE,oCAAoC;IACpC,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,SAAS,EAAE,oBAAoB,EAAE;QACzE,OAAO,EAAE,IAAI;QACb,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,KAAK;KACZ,CAAC,CAAA;IACF,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAA;IAC3E,CAAC;IAED,IAAI,UAA4B,CAAA;IAChC,IAAI,CAAC;QACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAA;IAC9D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,0DAA2D,GAAa,CAAC,OAAO,EAAE,CACnF,CAAA;IACH,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAA;IAC3E,CAAC;IAED,MAAM,eAAe,GAAG,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC,CAAA;IAE3D,wDAAwD;IACxD,6CAA6C;IAC7C,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CACxC,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAC7D,CAAA;IAED,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,MAAM,YAAY,CAAC;QACxD,iBAAiB,EAAE,eAAe;QAClC,SAAS;KACV,CAAC,CAAA;IAEF,wEAAwE;IACxE,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC;QAC1C,UAAU,EAAE,UAAU,CAAC,UAAU,CAAC;KACnC,CAAC,CAAA;AACJ,CAAC"}

package/dist/_esm/utils/exportPrivateKey.js

@@ -53,7 +53,7 @@ export async function exportPrivateKey(params) {
             targetPublicKey,
         },
     });
-    const stamperKey = session.stamperType === 'indexedDb' ? 'indexedDbStamper' : 'webauthnStamper';
+    const stamperKey = session.stamperType === 'apiKey' ? 'apiKeyStamper' : 'passkeyStamper';
     const stamper = wallet.client[stamperKey];
     if (!stamper) {
         throw new Error(`Stamper '${stamperKey}' not found on wallet.client`);

package/dist/_esm/utils/exportPrivateKey.js.map

@@ -1 +1 @@
-{"version":3,"file":"exportPrivateKey.js","sourceRoot":"","sources":["../../../src/utils/exportPrivateKey.ts"],"names":[],"mappings":"AAYA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAkC;IAElC,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,MAAM,CAAA;IAEjE,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAA;IACzC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAA;IACtC,CAAC;IACD,MAAM,EAAE,cAAc,EAAE,GAAG,OAAO,CAAA;IAElC,4DAA4D;IAC5D,IAAI,OAAO,GAAG,YAAY,CAAA;IAC1B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,EAAE,CAAA;QACxC,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;QAC9D,CAAC;QACD,OAAO,GAAG,OAAO,CAAC,OAAO,CAAA;IAC3B,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,IAAI,EAAE,qCAAqC;QAC3C,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAClC,cAAc,EAAE,cAAc;QAC9B,UAAU,EAAE;YACV,OAAO,EAAE,OAAO;YAChB,eAAe;SAChB;KACF,CAAC,CAAA;IAEF,MAAM,UAAU,GACd,OAAO,CAAC,WAAW,KAAK,WAAW,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,iBAAiB,CAAA;IAC9E,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IACzC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,YAAY,UAAU,8BAA8B,CAAC,CAAA;IACvE,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IACnD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAA;IAChD,CAAC;IAED,MAAM,cAAc,GAAG,MAAM,KAAK,CAChC,gEAAgE,EAChE;QACE,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE;YACP,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,WAAW,CAAC,gBAAgB;SAC5D;KACF,CACF,CAAA;IACD,IAAI,CAAC,cAAc,CAAC,EAAE,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,IAAI,EAAE,CAAA;QAC7C,MAAM,IAAI,KAAK,CACb,oCAAoC,cAAc,CAAC,MAAM,IAAI,SAAS,EAAE,CACzE,CAAA;IACH,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,IAAI,EAAE,CAAA;IAE9C,MAAM,YAAY,GAChB,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,yBAAyB,EAAE,YAAY,CAAA;IAEvE,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CACb,wCAAwC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CACrE,CAAA;IACH,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,OAAQ,EAAE,cAAc,EAAE,CAAA;AAC5D,CAAC"}
+{"version":3,"file":"exportPrivateKey.js","sourceRoot":"","sources":["../../../src/utils/exportPrivateKey.ts"],"names":[],"mappings":"AAYA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAkC;IAElC,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,MAAM,CAAA;IAEjE,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAA;IACzC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAA;IACtC,CAAC;IACD,MAAM,EAAE,cAAc,EAAE,GAAG,OAAO,CAAA;IAElC,4DAA4D;IAC5D,IAAI,OAAO,GAAG,YAAY,CAAA;IAC1B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,SAAS,EAAE,CAAA;QACxC,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;QAC9D,CAAC;QACD,OAAO,GAAG,OAAO,CAAC,OAAO,CAAA;IAC3B,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,IAAI,EAAE,qCAAqC;QAC3C,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAClC,cAAc,EAAE,cAAc;QAC9B,UAAU,EAAE;YACV,OAAO,EAAE,OAAO;YAChB,eAAe;SAChB;KACF,CAAC,CAAA;IAEF,MAAM,UAAU,GACd,OAAO,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,gBAAgB,CAAA;IACvE,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IACzC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,YAAY,UAAU,8BAA8B,CAAC,CAAA;IACvE,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IACnD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAA;IAChD,CAAC;IAED,MAAM,cAAc,GAAG,MAAM,KAAK,CAChC,gEAAgE,EAChE;QACE,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE;YACP,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,WAAW,CAAC,gBAAgB;SAC5D;KACF,CACF,CAAA;IACD,IAAI,CAAC,cAAc,CAAC,EAAE,EAAE,CAAC;QACvB,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,IAAI,EAAE,CAAA;QAC7C,MAAM,IAAI,KAAK,CACb,oCAAoC,cAAc,CAAC,MAAM,IAAI,SAAS,EAAE,CACzE,CAAA;IACH,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,cAAc,CAAC,IAAI,EAAE,CAAA;IAE9C,MAAM,YAAY,GAChB,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,yBAAyB,EAAE,YAAY,CAAA;IAEvE,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CACb,wCAAwC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CACrE,CAAA;IACH,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,OAAQ,EAAE,cAAc,EAAE,CAAA;AAC5D,CAAC"}

package/dist/_esm/utils/exportWallet.js

@@ -40,9 +40,7 @@ export async function exportWallet(params) {
         const listWalletsBody = JSON.stringify({
             organizationId,
         });
-        const listWalletsStamp = await wallet.client[session.stamperType === 'indexedDb'
-            ? 'indexedDbStamper'
-            : 'webauthnStamper'].stamp(listWalletsBody);
+        const listWalletsStamp = await wallet.client[session.stamperType === 'apiKey' ? 'apiKeyStamper' : 'passkeyStamper'].stamp(listWalletsBody);
         if (!listWalletsStamp) {
             throw new Error('Failed to stamp list wallets body');
         }
@@ -68,9 +66,7 @@ export async function exportWallet(params) {
                 language: 'MNEMONIC_LANGUAGE_ENGLISH',
             },
         });
-        const exportWalletStamp = await wallet.client[session.stamperType === 'indexedDb'
-            ? 'indexedDbStamper'
-            : 'webauthnStamper'].stamp(exportWalletBody);
+        const exportWalletStamp = await wallet.client[session.stamperType === 'apiKey' ? 'apiKeyStamper' : 'passkeyStamper'].stamp(exportWalletBody);
         if (!exportWalletStamp) {
             throw new Error('Failed to stamp export wallet body');
         }

package/dist/_esm/utils/exportWallet.js.map

@@ -1 +1 @@
-{"version":3,"file":"exportWallet.js","sourceRoot":"","sources":["../../../src/utils/exportWallet.ts"],"names":[],"mappings":"AASA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAA8B;IAE9B,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,MAAM,CAAA;IAE1C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAA;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAA;QACtC,CAAC;QACD,MAAM,EAAE,cAAc,EAAE,GAAG,OAAO,CAAA;QAElC,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC;YACrC,cAAc;SACf,CAAC,CAAA;QAEF,MAAM,gBAAgB,GACpB,MAAM,MAAM,CAAC,MAAM,CACjB,OAAO,CAAC,WAAW,KAAK,WAAW;YACjC,CAAC,CAAC,kBAAkB;YACpB,CAAC,CAAC,iBAAiB,CACtB,CAAC,KAAK,CAAC,eAAe,CAAC,CAAA;QAC1B,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;QACtD,CAAC;QAED,MAAM,mBAAmB,GAAG,MAAM,KAAK,CACrC,sDAAsD,EACtD;YACE,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE;gBACP,CAAC,gBAAgB,CAAC,eAAe,CAAC,EAAE,gBAAgB,CAAC,gBAAgB;aACtE;SACF,CACF,CAAA;QACD,IAAI,CAAC,mBAAmB,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAA;QAC3C,CAAC;QACD,MAAM,eAAe,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,CAAA;QAExD,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;QAEpD,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC;YACtC,IAAI,EAAE,6BAA6B;YACnC,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;YAClC,cAAc,EAAE,cAAc;YAC9B,UAAU,EAAE;gBACV,QAAQ,EAAE,QAAQ;gBAClB,eAAe;gBACf,QAAQ,EAAE,2BAA2B;aACtC;SACF,CAAC,CAAA;QACF,MAAM,iBAAiB,GACrB,MAAM,MAAM,CAAC,MAAM,CACjB,OAAO,CAAC,WAAW,KAAK,WAAW;YACjC,CAAC,CAAC,kBAAkB;YACpB,CAAC,CAAC,iBAAiB,CACtB,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;QAC3B,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;QACvD,CAAC;QACD,MAAM,oBAAoB,GAAG,MAAM,KAAK,CACtC,wDAAwD,EACxD;YACE,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE;gBACP,CAAC,iBAAiB,CAAC,eAAe,CAAC,EACjC,iBAAiB,CAAC,gBAAgB;aACrC;SACF,CACF,CAAA;QACD,IAAI,CAAC,oBAAoB,CAAC,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAA;QAC5C,CAAC;QACD,MAAM,gBAAgB,GAAG,MAAM,oBAAoB,CAAC,IAAI,EAAE,CAAA;QAE1D,MAAM,YAAY,GAChB,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,kBAAkB,EAAE,YAAY,CAAA;QAEtE,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;QACxD,CAAC;QAED,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACnD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAA;IAC3C,CAAC;AACH,CAAC"}
+{"version":3,"file":"exportWallet.js","sourceRoot":"","sources":["../../../src/utils/exportWallet.ts"],"names":[],"mappings":"AASA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAA8B;IAE9B,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,MAAM,CAAA;IAE1C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,CAAA;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAA;QACtC,CAAC;QACD,MAAM,EAAE,cAAc,EAAE,GAAG,OAAO,CAAA;QAElC,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC;YACrC,cAAc;SACf,CAAC,CAAA;QAEF,MAAM,gBAAgB,GACpB,MAAM,MAAM,CAAC,MAAM,CACjB,OAAO,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,gBAAgB,CACtE,CAAC,KAAK,CAAC,eAAe,CAAC,CAAA;QAC1B,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;QACtD,CAAC;QAED,MAAM,mBAAmB,GAAG,MAAM,KAAK,CACrC,sDAAsD,EACtD;YACE,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE;gBACP,CAAC,gBAAgB,CAAC,eAAe,CAAC,EAAE,gBAAgB,CAAC,gBAAgB;aACtE;SACF,CACF,CAAA;QACD,IAAI,CAAC,mBAAmB,CAAC,EAAE,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAA;QAC3C,CAAC;QACD,MAAM,eAAe,GAAG,MAAM,mBAAmB,CAAC,IAAI,EAAE,CAAA;QAExD,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;QAEpD,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC;YACtC,IAAI,EAAE,6BAA6B;YACnC,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;YAClC,cAAc,EAAE,cAAc;YAC9B,UAAU,EAAE;gBACV,QAAQ,EAAE,QAAQ;gBAClB,eAAe;gBACf,QAAQ,EAAE,2BAA2B;aACtC;SACF,CAAC,CAAA;QACF,MAAM,iBAAiB,GACrB,MAAM,MAAM,CAAC,MAAM,CACjB,OAAO,CAAC,WAAW,KAAK,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,gBAAgB,CACtE,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;QAC3B,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;QACvD,CAAC;QACD,MAAM,oBAAoB,GAAG,MAAM,KAAK,CACtC,wDAAwD,EACxD;YACE,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE;gBACP,CAAC,iBAAiB,CAAC,eAAe,CAAC,EACjC,iBAAiB,CAAC,gBAAgB;aACrC;SACF,CACF,CAAA;QACD,IAAI,CAAC,oBAAoB,CAAC,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAA;QAC5C,CAAC;QACD,MAAM,gBAAgB,GAAG,MAAM,oBAAoB,CAAC,IAAI,EAAE,CAAA;QAE1D,MAAM,YAAY,GAChB,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,kBAAkB,EAAE,YAAY,CAAA;QAEtE,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;QACxD,CAAC;QAED,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,cAAc,EAAE,CAAA;IACnD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAA;IAC3C,CAAC;AACH,CAAC"}

package/dist/_esm/utils/hpke.js

@@ -0,0 +1,119 @@
+/**
+ * HPKE (RFC 9180) seal for Turnkey enclave-encrypted requests.
+ *
+ * Suite: DHKEM(P-256, HKDF-SHA256) / HKDF-SHA256 / AES-256-GCM
+ *   - KEM ID  = 0x0010 (DHKEM-P256-HKDF-SHA256)
+ *   - KDF ID  = 0x0001 (HKDF-SHA256)
+ *   - AEAD ID = 0x0002 (AES-256-GCM)
+ *
+ * Wire format and AAD construction match Turnkey's enclave_encrypt Go package:
+ *   info = "turnkey_hpke"
+ *   aad  = enc || pkR  (both 65-byte uncompressed P-256 points)
+ *
+ * References:
+ *   - RFC 9180 §4 / §5
+ *   - tkhq/go-sdk/pkg/enclave_encrypt
+ */
+import { gcm } from '@noble/ciphers/aes.js';
+import { p256 } from '@noble/curves/nist.js';
+import { expand, extract } from '@noble/hashes/hkdf.js';
+import { sha256 } from '@noble/hashes/sha2.js';
+const KEM_ID = 0x0010;
+const KDF_ID = 0x0001;
+const AEAD_ID = 0x0002;
+// Output sizes for the chosen primitives.
+const NH = 32; // SHA-256 output
+const NK = 32; // AES-256 key
+const NN = 12; // AES-GCM nonce
+const NPK = 65; // uncompressed P-256 point: 0x04 || X || Y
+const TURNKEY_HPKE_INFO = new TextEncoder().encode('turnkey_hpke');
+const HPKE_VERSION = new TextEncoder().encode('HPKE-v1');
+// suite_id for the HPKE context: "HPKE" || I2OSP(KEM,2) || I2OSP(KDF,2) || I2OSP(AEAD,2)
+const HPKE_SUITE_ID = concat(new TextEncoder().encode('HPKE'), i2osp(KEM_ID, 2), i2osp(KDF_ID, 2), i2osp(AEAD_ID, 2));
+// suite_id for the KEM scope: "KEM" || I2OSP(KEM,2)
+const KEM_SUITE_ID = concat(new TextEncoder().encode('KEM'), i2osp(KEM_ID, 2));
+function concat(...parts) {
+    const total = parts.reduce((sum, p) => sum + p.length, 0);
+    const out = new Uint8Array(total);
+    let offset = 0;
+    for (const p of parts) {
+        out.set(p, offset);
+        offset += p.length;
+    }
+    return out;
+}
+function i2osp(n, len) {
+    const out = new Uint8Array(len);
+    for (let i = len - 1; i >= 0; i--) {
+        out[i] = n & 0xff;
+        n >>>= 8;
+    }
+    return out;
+}
+// LabeledExtract(salt, label, ikm, suite_id) =
+//   HKDF-Extract(salt, "HPKE-v1" || suite_id || label || ikm)
+function labeledExtract(salt, label, ikm, suiteId) {
+    const labeledIkm = concat(HPKE_VERSION, suiteId, new TextEncoder().encode(label), ikm);
+    return extract(sha256, labeledIkm, salt);
+}
+// LabeledExpand(prk, label, info, L, suite_id) =
+//   HKDF-Expand(prk, I2OSP(L,2) || "HPKE-v1" || suite_id || label || info, L)
+function labeledExpand(prk, label, info, length, suiteId) {
+    const labeledInfo = concat(i2osp(length, 2), HPKE_VERSION, suiteId, new TextEncoder().encode(label), info);
+    return expand(sha256, prk, labeledInfo, length);
+}
+// DHKEM Encap: returns (sharedSecret, enc)
+// sharedSecret is 32 bytes; enc is the serialized ephemeral pubkey (65 bytes uncompressed).
+function encap(receiverPublicKey) {
+    const ephSk = p256.utils.randomSecretKey();
+    const ephPkUncompressed = p256.getPublicKey(ephSk, false);
+    // ECDH: returns the serialized shared point. Pass isCompressed=true so the
+    // first byte is the SEC1 prefix and bytes [1, 33) are the x-coordinate.
+    const sharedPoint = p256.getSharedSecret(ephSk, receiverPublicKey, 
+    /* isCompressed */ true);
+    const dh = sharedPoint.slice(1, 33);
+    const kemContext = concat(ephPkUncompressed, receiverPublicKey);
+    const eaePrk = labeledExtract(new Uint8Array(0), 'eae_prk', dh, KEM_SUITE_ID);
+    const sharedSecret = labeledExpand(eaePrk, 'shared_secret', kemContext, NH, KEM_SUITE_ID);
+    return { sharedSecret, enc: ephPkUncompressed };
+}
+// KeySchedule for mode_base: returns (key, base_nonce).
+function keySchedule(sharedSecret, info) {
+    const empty = new Uint8Array(0);
+    const pskIdHash = labeledExtract(empty, 'psk_id_hash', empty, HPKE_SUITE_ID);
+    const infoHash = labeledExtract(empty, 'info_hash', info, HPKE_SUITE_ID);
+    // mode_base = 0x00 prepended to (psk_id_hash || info_hash)
+    const keyScheduleContext = concat(new Uint8Array([0]), pskIdHash, infoHash);
+    const secret = labeledExtract(sharedSecret, 'secret', empty, HPKE_SUITE_ID);
+    const key = labeledExpand(secret, 'key', keyScheduleContext, NK, HPKE_SUITE_ID);
+    const baseNonce = labeledExpand(secret, 'base_nonce', keyScheduleContext, NN, HPKE_SUITE_ID);
+    return { key, baseNonce };
+}
+function aesGcmSeal(key, nonce, aad, plaintext) {
+    // Returns ciphertext || tag (16 bytes appended) — matches the single-blob
+    // format Turnkey's `Sealer.Seal` and Web Crypto's AES-GCM produce.
+    return gcm(key, nonce, aad).encrypt(plaintext);
+}
+/**
+ * Single-shot HPKE seal in mode_base for Turnkey's TLS Fetcher enclave.
+ *
+ * Uses the fixed Turnkey `info = "turnkey_hpke"` and the AAD shape
+ * `enc || receiverPublicKey` so the resulting bundle is decryptable by
+ * `enclave_encrypt.EnclaveEncryptServer.Decrypt`.
+ *
+ * @param receiverPublicKey - The enclave's ephemeral target public key
+ *   (uncompressed P-256, 65 bytes), extracted from the encryption target bundle.
+ * @param plaintext - The bytes to encrypt (e.g. the JSON-encoded OTP attempt).
+ */
+export async function hpkeSealP256({ receiverPublicKey, plaintext, }) {
+    if (receiverPublicKey.length !== NPK) {
+        throw new Error(`hpkeSealP256: receiverPublicKey must be ${NPK} bytes (uncompressed P-256), got ${receiverPublicKey.length}`);
+    }
+    const { sharedSecret, enc } = encap(receiverPublicKey);
+    const { key, baseNonce } = keySchedule(sharedSecret, TURNKEY_HPKE_INFO);
+    // First message of the context, sequence 0 → nonce = base_nonce.
+    const aad = concat(enc, receiverPublicKey);
+    const ciphertext = aesGcmSeal(key, baseNonce, aad, plaintext);
+    return { encappedPublic: enc, ciphertext };
+}
+//# sourceMappingURL=hpke.js.map

package/dist/_esm/utils/hpke.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hpke.js","sourceRoot":"","sources":["../../../src/utils/hpke.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,GAAG,EAAE,MAAM,uBAAuB,CAAA;AAC3C,OAAO,EAAE,IAAI,EAAE,MAAM,uBAAuB,CAAA;AAC5C,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAA;AACvD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAA;AAE9C,MAAM,MAAM,GAAG,MAAM,CAAA;AACrB,MAAM,MAAM,GAAG,MAAM,CAAA;AACrB,MAAM,OAAO,GAAG,MAAM,CAAA;AAEtB,0CAA0C;AAC1C,MAAM,EAAE,GAAG,EAAE,CAAA,CAAC,iBAAiB;AAC/B,MAAM,EAAE,GAAG,EAAE,CAAA,CAAC,cAAc;AAC5B,MAAM,EAAE,GAAG,EAAE,CAAA,CAAC,gBAAgB;AAC9B,MAAM,GAAG,GAAG,EAAE,CAAA,CAAC,2CAA2C;AAE1D,MAAM,iBAAiB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAA;AAElE,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;AAExD,yFAAyF;AACzF,MAAM,aAAa,GAAG,MAAM,CAC1B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,EAChB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,EAChB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAClB,CAAA;AAED,oDAAoD;AACpD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAA;AAE9E,SAAS,MAAM,CAAC,GAAG,KAAmB;IACpC,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAA;IACzD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAA;IACjC,IAAI,MAAM,GAAG,CAAC,CAAA;IACd,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAA;QAClB,MAAM,IAAI,CAAC,CAAC,MAAM,CAAA;IACpB,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,SAAS,KAAK,CAAC,CAAS,EAAE,GAAW;IACnC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAA;IAC/B,KAAK,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,CAAA;QACjB,CAAC,MAAM,CAAC,CAAA;IACV,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,+CAA+C;AAC/C,8DAA8D;AAC9D,SAAS,cAAc,CACrB,IAAgB,EAChB,KAAa,EACb,GAAe,EACf,OAAmB;IAEnB,MAAM,UAAU,GAAG,MAAM,CACvB,YAAY,EACZ,OAAO,EACP,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,EAC/B,GAAG,CACJ,CAAA;IACD,OAAO,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,CAAA;AAC1C,CAAC;AAED,iDAAiD;AACjD,8EAA8E;AAC9E,SAAS,aAAa,CACpB,GAAe,EACf,KAAa,EACb,IAAgB,EAChB,MAAc,EACd,OAAmB;IAEnB,MAAM,WAAW,GAAG,MAAM,CACxB,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,EAChB,YAAY,EACZ,OAAO,EACP,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,EAC/B,IAAI,CACL,CAAA;IACD,OAAO,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,CAAC,CAAA;AACjD,CAAC;AAED,2CAA2C;AAC3C,4FAA4F;AAC5F,SAAS,KAAK,CAAC,iBAA6B;IAI1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,CAAA;IAC1C,MAAM,iBAAiB,GAAG,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,KAAK,CAAC,CAAA;IAEzD,2EAA2E;IAC3E,wEAAwE;IACxE,MAAM,WAAW,GAAG,IAAI,CAAC,eAAe,CACtC,KAAK,EACL,iBAAiB;IACjB,kBAAkB,CAAC,IAAI,CACxB,CAAA;IACD,MAAM,EAAE,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IAEnC,MAAM,UAAU,GAAG,MAAM,CAAC,iBAAiB,EAAE,iBAAiB,CAAC,CAAA;IAE/D,MAAM,MAAM,GAAG,cAAc,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE,YAAY,CAAC,CAAA;IAC7E,MAAM,YAAY,GAAG,aAAa,CAChC,MAAM,EACN,eAAe,EACf,UAAU,EACV,EAAE,EACF,YAAY,CACb,CAAA;IAED,OAAO,EAAE,YAAY,EAAE,GAAG,EAAE,iBAAiB,EAAE,CAAA;AACjD,CAAC;AAED,wDAAwD;AACxD,SAAS,WAAW,CAClB,YAAwB,EACxB,IAAgB;IAEhB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAA;IAE/B,MAAM,SAAS,GAAG,cAAc,CAAC,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE,aAAa,CAAC,CAAA;IAC5E,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,aAAa,CAAC,CAAA;IAExE,2DAA2D;IAC3D,MAAM,kBAAkB,GAAG,MAAM,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAA;IAE3E,MAAM,MAAM,GAAG,cAAc,CAAC,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,aAAa,CAAC,CAAA;IAE3E,MAAM,GAAG,GAAG,aAAa,CACvB,MAAM,EACN,KAAK,EACL,kBAAkB,EAClB,EAAE,EACF,aAAa,CACd,CAAA;IACD,MAAM,SAAS,GAAG,aAAa,CAC7B,MAAM,EACN,YAAY,EACZ,kBAAkB,EAClB,EAAE,EACF,aAAa,CACd,CAAA;IAED,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,CAAA;AAC3B,CAAC;AAED,SAAS,UAAU,CACjB,GAAe,EACf,KAAiB,EACjB,GAAe,EACf,SAAqB;IAErB,0EAA0E;IAC1E,mEAAmE;IACnE,OAAO,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;AAChD,CAAC;AASD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,EACjC,iBAAiB,EACjB,SAAS,GAIV;IACC,IAAI,iBAAiB,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,2CAA2C,GAAG,oCAAoC,iBAAiB,CAAC,MAAM,EAAE,CAC7G,CAAA;IACH,CAAC;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,iBAAiB,CAAC,CAAA;IACtD,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,WAAW,CAAC,YAAY,EAAE,iBAAiB,CAAC,CAAA;IAEvE,iEAAiE;IACjE,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAA;IAC1C,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,SAAS,CAAC,CAAA;IAE7D,OAAO,EAAE,cAAc,EAAE,GAAG,EAAE,UAAU,EAAE,CAAA;AAC5C,CAAC"}

package/dist/_esm/utils/utils.js

@@ -12,7 +12,8 @@ export function parseSession(token) {
     if (!payload) {
         throw new Error('Invalid JWT: Missing payload');
     }
-    const decoded = JSON.parse(Buffer.from(payload, 'base64').toString());
+    const base64 = payload.replace(/-/g, '+').replace(/_/g, '/');
+    const decoded = JSON.parse(atob(base64));
     const { exp, public_key: publicKey, session_type: sessionType, user_id: userId, organization_id: organizationId, } = decoded;
     if (!exp || !publicKey || !sessionType || !userId || !organizationId) {
         throw new Error('JWT payload missing required fields');
@@ -51,11 +52,9 @@ export const generateRandomBuffer = () => {
  * @returns {string} - The encoded challenge.
  */
 export const base64UrlEncode = (challenge) => {
-    return Buffer.from(challenge)
-        .toString('base64')
-        .replace(/\+/g, '-')
-        .replace(/\//g, '_')
-        .replace(/=/g, '');
+    const bytes = new Uint8Array(challenge);
+    const binary = String.fromCharCode(...bytes);
+    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
 };
 /**
  * Compresses an uncompressed P-256 public key into its 33-byte compressed form.

package/dist/_esm/utils/utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/utils/utils.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAC1B,KAAoC;IAEpC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,CAAC,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACpC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAA;IACjD,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAA;IACrE,MAAM,EACJ,GAAG,EACH,UAAU,EAAE,SAAS,EACrB,YAAY,EAAE,WAAW,EACzB,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,cAAc,GAChC,GAAG,OAAO,CAAA;IAEX,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,IAAI,CAAC,WAAW,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IAED,OAAO;QACL,WAAW;QACX,MAAM;QACN,cAAc;QACd,MAAM,EAAE,GAAG;QACX,KAAK,EAAE,SAAS;KACjB,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAClD,OAAO,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS,CAAA;AACzD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,GAAgB,EAAE;IACpD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAA;IAC9B,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAA;IAC3B,OAAO,GAAG,CAAC,MAAM,CAAA;AACnB,CAAC,CAAA;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,SAAsB,EAAU,EAAE;IAChE,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC;SAC1B,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;AACtB,CAAC,CAAA;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CAAC,GAAe;IACzC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IAC1B,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAA;IAE3B,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAA;IAC1C,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,CAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAA;IAE/C,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAA;IACrC,UAAU,CAAC,CAAC,CAAC,GAAG,MAAM,CAAA;IACtB,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;IACpB,OAAO,UAAU,CAAA;AACnB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAiB;IACrD,OAAO,KAAK,CAAC,MAAM,CACjB,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EACvD,EAAE,CACH,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,sCAAsC,CAC1D,OAAsB;IAEtB,MAAM,SAAS,GAAG,IAAI,UAAU,CAC9B,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CACxD,CAAA;IACD,MAAM,gBAAgB,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IAC/C,MAAM,aAAa,GAAG,qBAAqB,CAAC,gBAAgB,CAAC,CAAA;IAC7D,OAAO,aAAa,CAAA;AACtB,CAAC;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAG,GAAW,EAAE;IAChD,OAAO,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC9E,CAAC,CAAA"}
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../../src/utils/utils.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAC1B,KAAoC;IAEpC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,CAAC,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACpC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAA;IACjD,CAAC;IAED,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC5D,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAA;IACxC,MAAM,EACJ,GAAG,EACH,UAAU,EAAE,SAAS,EACrB,YAAY,EAAE,WAAW,EACzB,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,cAAc,GAChC,GAAG,OAAO,CAAA;IAEX,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,IAAI,CAAC,WAAW,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IACxD,CAAC;IAED,OAAO;QACL,WAAW;QACX,MAAM;QACN,cAAc;QACd,MAAM,EAAE,GAAG;QACX,KAAK,EAAE,SAAS;KACjB,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAiB;IAClD,OAAO,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,SAAS,CAAA;AACzD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,GAAgB,EAAE;IACpD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAA;IAC9B,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAA;IAC3B,OAAO,GAAG,CAAC,MAAM,CAAA;AACnB,CAAC,CAAA;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,SAAsB,EAAU,EAAE;IAChE,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAA;IACvC,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAA;IAC5C,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;AAC/E,CAAC,CAAA;AAED;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CAAC,GAAe;IACzC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAA;IACnD,CAAC;IAED,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IAC1B,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAA;IAE3B,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE,IAAI,CAAC,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAA;IAC1C,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,CAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAA;IAE/C,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAA;IACrC,UAAU,CAAC,CAAC,CAAC,GAAG,MAAM,CAAA;IACtB,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;IACpB,OAAO,UAAU,CAAA;AACnB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,KAAiB;IACrD,OAAO,KAAK,CAAC,MAAM,CACjB,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EACvD,EAAE,CACH,CAAA;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,sCAAsC,CAC1D,OAAsB;IAEtB,MAAM,SAAS,GAAG,IAAI,UAAU,CAC9B,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CACxD,CAAA;IACD,MAAM,gBAAgB,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IAC/C,MAAM,aAAa,GAAG,qBAAqB,CAAC,gBAAgB,CAAC,CAAA;IAC7D,OAAO,aAAa,CAAA;AACtB,CAAC;AAED,MAAM,CAAC,MAAM,qBAAqB,GAAG,GAAW,EAAE;IAChD,OAAO,IAAI,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAA;AAC9E,CAAC,CAAA"}

package/dist/_types/actions/auth/getOAuthLoginUrl.d.ts

@@ -0,0 +1,30 @@
+import type { Client } from '../../client/types.js';
+export type GetOAuthLoginUrlParameters = {
+    /** OAuth provider — currently only `'google'` is supported. */
+    provider: 'google';
+    /** The project ID for the request. */
+    projectId: string;
+    /**
+     * The session public key (compressed P-256 hex, lowercase, with or
+     * without `0x` prefix). The backend embeds `sha256(utf8(hex))` as the
+     * OIDC `nonce` so the SDK can verify the URL was minted for this key.
+     */
+    publicKey: string;
+    /**
+     * Where the popup should land after the OAuth round-trip
+     * (e.g. `https://app.example.com/dashboard?oauth_success=true`).
+     * Must be on the project's whitelist.
+     */
+    returnTo: string;
+};
+export type GetOAuthLoginUrlReturnType = string;
+/**
+ * Fetches the Google OAuth authorization URL from the backend.
+ *
+ * The SDK must verify the returned URL's `nonce` against
+ * `sha256(utf8(publicKey))` (and the host is `accounts.google.com`)
+ * before opening it in a popup — the backend is not a trusted party.
+ * See audit finding TOB-KMS-1.
+ */
+export declare function getOAuthLoginUrl(client: Client, params: GetOAuthLoginUrlParameters): Promise<GetOAuthLoginUrlReturnType>;
+//# sourceMappingURL=getOAuthLoginUrl.d.ts.map

package/dist/_types/actions/auth/getOAuthLoginUrl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getOAuthLoginUrl.d.ts","sourceRoot":"","sources":["../../../../src/actions/auth/getOAuthLoginUrl.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAA;AAEnD,MAAM,MAAM,0BAA0B,GAAG;IACvC,+DAA+D;IAC/D,QAAQ,EAAE,QAAQ,CAAA;IAClB,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAA;IACjB;;;;OAIG;IACH,SAAS,EAAE,MAAM,CAAA;IACjB;;;;OAIG;IACH,QAAQ,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,0BAA0B,GAAG,MAAM,CAAA;AAE/C;;;;;;;GAOG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,0BAA0B,GACjC,OAAO,CAAC,0BAA0B,CAAC,CAarC"}

package/dist/_types/actions/auth/index.d.ts

@@ -2,6 +2,7 @@ export { type AuthenticateWithEmailParameters, type AuthenticateWithEmailReturnT
 export { type AuthenticateWithOAuthParameters, type AuthenticateWithOAuthReturnType, authenticateWithOAuth, } from './authenticateWithOAuth.js';
 export { type ApiKeyAuthenticator, type EmailContact, type GetAuthenticatorsParameters, type GetAuthenticatorsReturnType, getAuthenticators, type OAuthAuthenticator, type PasskeyAuthenticator, } from './getAuthenticators.js';
 export { type GetAuthProxyConfigIdReturnType, getAuthProxyConfigId, } from './getAuthProxyConfigId.js';
+export { type GetOAuthLoginUrlParameters, type GetOAuthLoginUrlReturnType, getOAuthLoginUrl, } from './getOAuthLoginUrl.js';
 export { type GetWhoamiParameters, type GetWhoamiReturnType, getWhoami, } from './getWhoami.js';
 export { type LoginWithOTPParameters, type LoginWithOTPReturnType, loginWithOTP, } from './loginWithOTP.js';
 export { type LoginWithStampParameters, type LoginWithStampReturnType, loginWithStamp, } from './loginWithStamp.js';

package/dist/_types/actions/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/actions/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,qBAAqB,EACrB,KAAK,kBAAkB,GACxB,MAAM,4BAA4B,CAAA;AAEnC,OAAO,EACL,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,qBAAqB,GACtB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,KAAK,mBAAmB,EACxB,KAAK,YAAY,EACjB,KAAK,2BAA2B,EAChC,KAAK,2BAA2B,EAChC,iBAAiB,EACjB,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,GAC1B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,KAAK,8BAA8B,EACnC,oBAAoB,GACrB,MAAM,2BAA2B,CAAA;AAClC,OAAO,EACL,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,SAAS,GACV,MAAM,gBAAgB,CAAA;AACvB,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAC3B,YAAY,GACb,MAAM,mBAAmB,CAAA;AAC1B,OAAO,EACL,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,cAAc,GACf,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,KAAK,oBAAoB,EACzB,KAAK,UAAU,EACf,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,eAAe,GAChB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,6BAA6B,EAClC,KAAK,6BAA6B,EAClC,mBAAmB,GACpB,MAAM,0BAA0B,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/actions/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,qBAAqB,EACrB,KAAK,kBAAkB,GACxB,MAAM,4BAA4B,CAAA;AAEnC,OAAO,EACL,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,qBAAqB,GACtB,MAAM,4BAA4B,CAAA;AACnC,OAAO,EACL,KAAK,mBAAmB,EACxB,KAAK,YAAY,EACjB,KAAK,2BAA2B,EAChC,KAAK,2BAA2B,EAChC,iBAAiB,EACjB,KAAK,kBAAkB,EACvB,KAAK,oBAAoB,GAC1B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,KAAK,8BAA8B,EACnC,oBAAoB,GACrB,MAAM,2BAA2B,CAAA;AAClC,OAAO,EACL,KAAK,0BAA0B,EAC/B,KAAK,0BAA0B,EAC/B,gBAAgB,GACjB,MAAM,uBAAuB,CAAA;AAC9B,OAAO,EACL,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,SAAS,GACV,MAAM,gBAAgB,CAAA;AACvB,OAAO,EACL,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAC3B,YAAY,GACb,MAAM,mBAAmB,CAAA;AAC1B,OAAO,EACL,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,cAAc,GACf,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EACL,KAAK,oBAAoB,EACzB,KAAK,UAAU,EACf,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,eAAe,GAChB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EACL,KAAK,6BAA6B,EAClC,KAAK,6BAA6B,EAClC,mBAAmB,GACpB,MAAM,0BAA0B,CAAA"}

package/dist/_types/actions/auth/loginWithStamp.d.ts

@@ -1,4 +1,5 @@
 import type { Client } from '../../client/types.js';
+import type { StamperType } from '../../types/session.js';
 export type EmailCustomization = {
     /** A template for the URL to be used in a magic link button, e.g. `https://dapp.xyz/%s`. The auth bundle will be interpolated into the `%s`. */
     magicLinkTemplate?: string;
@@ -11,7 +12,7 @@ export type LoginWithStampParameters = {
     /** The encoded public key for the request */
     targetPublicKey: string;
     /** The stamper type for the request */
-    stampWith?: 'indexedDb' | 'webauthn';
+    stampWith?: StamperType;
 };
 export type LoginWithStampReturnType = {
     /** The session */

package/dist/_types/actions/auth/loginWithStamp.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"loginWithStamp.d.ts","sourceRoot":"","sources":["../../../../src/actions/auth/loginWithStamp.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAA;AAGnD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,gJAAgJ;IAChJ,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAC3B,CAAA;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAA;IACjB,0CAA0C;IAC1C,cAAc,EAAE,MAAM,CAAA;IACtB,6CAA6C;IAC7C,eAAe,EAAE,MAAM,CAAA;IACvB,uCAAuC;IACvC,SAAS,CAAC,EAAE,WAAW,GAAG,UAAU,CAAA;CACrC,CAAA;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,kBAAkB;IAClB,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,wBAAwB,CAAC,CAkCnC"}
+{"version":3,"file":"loginWithStamp.d.ts","sourceRoot":"","sources":["../../../../src/actions/auth/loginWithStamp.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAA;AAEnD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAA;AAEzD,MAAM,MAAM,kBAAkB,GAAG;IAC/B,gJAAgJ;IAChJ,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAC3B,CAAA;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAA;IACjB,0CAA0C;IAC1C,cAAc,EAAE,MAAM,CAAA;IACtB,6CAA6C;IAC7C,eAAe,EAAE,MAAM,CAAA;IACvB,uCAAuC;IACvC,SAAS,CAAC,EAAE,WAAW,CAAA;CACxB,CAAA;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,kBAAkB;IAClB,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,wBAAwB,CAAC,CAkCnC"}

package/dist/_types/actions/auth/registerWithOTP.d.ts

@@ -27,6 +27,12 @@ export type RegisterWithOTPParameters = {
 export type RegisterWithOTPReturnType = {
     /** The OTP ID needed for verification */
     otpId: string;
+    /**
+     * Signed encryption target bundle issued by the TLS Fetcher enclave for
+     * this OTP session. Passed verbatim to the verify step so the SDK can
+     * HPKE-encrypt the OTP attempt to the enclave's ephemeral target key.
+     */
+    otpEncryptionTargetBundle: string;
 };
 /**
  * Initiates OTP (One-Time Password) authentication

package/dist/_types/actions/auth/registerWithOTP.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"registerWithOTP.d.ts","sourceRoot":"","sources":["../../../../src/actions/auth/registerWithOTP.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAA;AACnD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAA;AAEpE,MAAM,MAAM,UAAU,GAAG;IACvB,kEAAkE;IAClE,IAAI,EAAE,OAAO,GAAG,KAAK,CAAA;IACrB,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,qEAAqE;IACrE,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IACrB,kDAAkD;IAClD,YAAY,EAAE,OAAO,CAAA;CACtB,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,+CAA+C;IAC/C,OAAO,EAAE,UAAU,CAAA;IACnB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAA;IACjB,4CAA4C;IAC5C,kBAAkB,CAAC,EAAE,kBAAkB,CAAA;IACvC,+CAA+C;IAC/C,oBAAoB,CAAC,EAAE,oBAAoB,CAAA;CAC5C,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,yCAAyC;IACzC,KAAK,EAAE,MAAM,CAAA;CACd,CAAA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,yBAAyB,GAChC,OAAO,CAAC,yBAAyB,CAAC,CA0BpC"}
+{"version":3,"file":"registerWithOTP.d.ts","sourceRoot":"","sources":["../../../../src/actions/auth/registerWithOTP.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAA;AACnD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAA;AAEpE,MAAM,MAAM,UAAU,GAAG;IACvB,kEAAkE;IAClE,IAAI,EAAE,OAAO,GAAG,KAAK,CAAA;IACrB,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,qEAAqE;IACrE,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IACrB,kDAAkD;IAClD,YAAY,EAAE,OAAO,CAAA;CACtB,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,+CAA+C;IAC/C,OAAO,EAAE,UAAU,CAAA;IACnB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAA;IACjB,4CAA4C;IAC5C,kBAAkB,CAAC,EAAE,kBAAkB,CAAA;IACvC,+CAA+C;IAC/C,oBAAoB,CAAC,EAAE,oBAAoB,CAAA;CAC5C,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,yCAAyC;IACzC,KAAK,EAAE,MAAM,CAAA;IACb;;;;OAIG;IACH,yBAAyB,EAAE,MAAM,CAAA;CAClC,CAAA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,yBAAyB,GAChC,OAAO,CAAC,yBAAyB,CAAC,CA0BpC"}

package/dist/_types/actions/index.d.ts

@@ -1,3 +1,3 @@
-export { type ApiKeyAuthenticator, type AuthenticateWithEmailParameters, type AuthenticateWithEmailReturnType, type AuthenticateWithOAuthParameters, type AuthenticateWithOAuthReturnType, authenticateWithEmail, authenticateWithOAuth, type EmailContact, type EmailCustomization, type GetAuthenticatorsParameters, type GetAuthenticatorsReturnType, type GetAuthProxyConfigIdReturnType, type GetWhoamiParameters, type GetWhoamiReturnType, getAuthenticators, getAuthProxyConfigId, getWhoami, type LoginWithOTPParameters, type LoginWithOTPReturnType, loginWithOTP, type OAuthAuthenticator, type OtpContact, type PasskeyAuthenticator, type RegisterWithOTPParameters, type RegisterWithOTPReturnType, type RegisterWithPasskeyParameters, type RegisterWithPasskeyReturnType, registerWithOTP, registerWithPasskey, } from './auth/index.js';
+export { type ApiKeyAuthenticator, type AuthenticateWithEmailParameters, type AuthenticateWithEmailReturnType, type AuthenticateWithOAuthParameters, type AuthenticateWithOAuthReturnType, authenticateWithEmail, authenticateWithOAuth, type EmailContact, type EmailCustomization, type GetAuthenticatorsParameters, type GetAuthenticatorsReturnType, type GetAuthProxyConfigIdReturnType, type GetOAuthLoginUrlParameters, type GetOAuthLoginUrlReturnType, type GetWhoamiParameters, type GetWhoamiReturnType, getAuthenticators, getAuthProxyConfigId, getOAuthLoginUrl, getWhoami, type LoginWithOTPParameters, type LoginWithOTPReturnType, loginWithOTP, type OAuthAuthenticator, type OtpContact, type PasskeyAuthenticator, type RegisterWithOTPParameters, type RegisterWithOTPReturnType, type RegisterWithPasskeyParameters, type RegisterWithPasskeyReturnType, registerWithOTP, registerWithPasskey, } from './auth/index.js';
 export { type GetUserWalletParameters, type GetUserWalletReturnType, getUserWallet, type Sign7702AuthorizationParameters, type Sign7702AuthorizationReturnType, type SignMessageParameters, type SignMessageReturnType, type SignTransactionParameters, type SignTransactionReturnType, type SignTypedDataV4Parameters, type SignTypedDataV4ReturnType, type SignUserOperationParameters, type SignUserOperationReturnType, sign7702Authorization, signMessage, signTransaction, signTypedDataV4, signUserOperation, } from './wallet/index.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/_types/actions/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/actions/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,mBAAmB,EACxB,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,qBAAqB,EACrB,qBAAqB,EACrB,KAAK,YAAY,EACjB,KAAK,kBAAkB,EACvB,KAAK,2BAA2B,EAChC,KAAK,2BAA2B,EAChC,KAAK,8BAA8B,EACnC,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,iBAAiB,EACjB,oBAAoB,EACpB,SAAS,EACT,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAC3B,YAAY,EACZ,KAAK,kBAAkB,EACvB,KAAK,UAAU,EACf,KAAK,oBAAoB,EACzB,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,6BAA6B,EAClC,KAAK,6BAA6B,EAClC,eAAe,EACf,mBAAmB,GACpB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EACL,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,aAAa,EACb,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,qBAAqB,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,KAAK,2BAA2B,EAChC,qBAAqB,EACrB,WAAW,EACX,eAAe,EACf,eAAe,EACf,iBAAiB,GAClB,MAAM,mBAAmB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/actions/index.ts"],"names":[],"mappings":"AACA,OAAO,EACL,KAAK,mBAAmB,EACxB,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,qBAAqB,EACrB,qBAAqB,EACrB,KAAK,YAAY,EACjB,KAAK,kBAAkB,EACvB,KAAK,2BAA2B,EAChC,KAAK,2BAA2B,EAChC,KAAK,8BAA8B,EACnC,KAAK,0BAA0B,EAC/B,KAAK,0BAA0B,EAC/B,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,EAChB,SAAS,EACT,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAC3B,YAAY,EACZ,KAAK,kBAAkB,EACvB,KAAK,UAAU,EACf,KAAK,oBAAoB,EACzB,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,6BAA6B,EAClC,KAAK,6BAA6B,EAClC,eAAe,EACf,mBAAmB,GACpB,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EACL,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,aAAa,EACb,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,qBAAqB,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,KAAK,2BAA2B,EAChC,qBAAqB,EACrB,WAAW,EACX,eAAe,EACf,eAAe,EACf,iBAAiB,GAClB,MAAM,mBAAmB,CAAA"}

package/dist/_types/client/authProxy.d.ts

@@ -7,10 +7,11 @@ export type AuthProxyClientConfig = {
 export type AuthProxyVerifyOtpRequest = {
     /** The OTP ID from registration */
     otpId: string;
-    /** The OTP code entered by the user */
-    otpCode: string;
-    /** The public key to associate with the verification */
-    public_key: string;
+    /**
+     * HPKE-sealed bundle containing `{otp_code, public_key}` encrypted to the
+     * enclave's per-session target key. Produced by `encryptOtpAttempt`.
+     */
+    encryptedOtpBundle: string;
 };
 export type AuthProxyVerifyOtpResponse = {
     /** The verification token to use for login */
@@ -25,10 +26,15 @@ export type AuthProxyVerifyOtpResponse = {
  */
 export declare function createAuthProxyClient(config: AuthProxyClientConfig): {
     /**
-     * Verifies an OTP code with Turnkey's Auth Proxy
+     * Verifies an OTP attempt with Turnkey's Auth Proxy.
+     *
+     * The `encryptedOtpBundle` is HPKE-sealed `{otp_code, public_key}` JSON
+     * (see `encryptOtpAttempt`). The auth proxy forwards the ciphertext to
+     * the TLS Fetcher enclave, which decrypts it, verifies the OTP code, and
+     * returns a `verificationToken` bound to the embedded public key.
      *
-     * Returns a verificationToken that should be passed to the backend's
-     * /auth/login/otp endpoint along with a client signature.
+     * Pass the returned `verificationToken` to `/auth/login/otp` along with
+     * a client signature to complete the login.
      */
     verifyOtp(params: AuthProxyVerifyOtpRequest): Promise<AuthProxyVerifyOtpResponse>;
 };

package/dist/_types/client/authProxy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authProxy.d.ts","sourceRoot":"","sources":["../../../src/client/authProxy.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,qBAAqB,GAAG;IAClC,gDAAgD;IAChD,iBAAiB,EAAE,MAAM,CAAA;IACzB,+CAA+C;IAC/C,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,mCAAmC;IACnC,KAAK,EAAE,MAAM,CAAA;IACb,uCAAuC;IACvC,OAAO,EAAE,MAAM,CAAA;IACf,wDAAwD;IACxD,UAAU,EAAE,MAAM,CAAA;CACnB,CAAA;AAED,MAAM,MAAM,0BAA0B,GAAG;IACvC,8CAA8C;IAC9C,iBAAiB,EAAE,MAAM,CAAA;CAC1B,CAAA;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,qBAAqB;IAiC/D;;;;;OAKG;sBAEO,yBAAyB,GAChC,OAAO,CAAC,0BAA0B,CAAC;EAIzC;AAED,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,qBAAqB,CAAC,CAAA"}
+{"version":3,"file":"authProxy.d.ts","sourceRoot":"","sources":["../../../src/client/authProxy.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,qBAAqB,GAAG;IAClC,gDAAgD;IAChD,iBAAiB,EAAE,MAAM,CAAA;IACzB,+CAA+C;IAC/C,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB,CAAA;AAED,MAAM,MAAM,yBAAyB,GAAG;IACtC,mCAAmC;IACnC,KAAK,EAAE,MAAM,CAAA;IACb;;;OAGG;IACH,kBAAkB,EAAE,MAAM,CAAA;CAC3B,CAAA;AAED,MAAM,MAAM,0BAA0B,GAAG;IACvC,8CAA8C;IAC9C,iBAAiB,EAAE,MAAM,CAAA;CAC1B,CAAA;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,qBAAqB;IAiC/D;;;;;;;;;;OAUG;sBAEO,yBAAyB,GAChC,OAAO,CAAC,0BAA0B,CAAC;EAIzC;AAED,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,qBAAqB,CAAC,CAAA"}

package/dist/_types/client/decorators/client.d.ts

@@ -1,5 +1,5 @@
 import { type LoginWithStampParameters, type LoginWithStampReturnType } from '../../actions/auth/loginWithStamp.js';
-import { type AuthenticateWithEmailParameters, type AuthenticateWithEmailReturnType, type AuthenticateWithOAuthParameters, type AuthenticateWithOAuthReturnType, type GetAuthenticatorsParameters, type GetAuthenticatorsReturnType, type GetAuthProxyConfigIdReturnType, type GetUserWalletParameters, type GetUserWalletReturnType, type GetWhoamiParameters, type GetWhoamiReturnType, type LoginWithOTPParameters, type LoginWithOTPReturnType, type RegisterWithOTPParameters, type RegisterWithOTPReturnType, type RegisterWithPasskeyParameters, type RegisterWithPasskeyReturnType, type Sign7702AuthorizationParameters, type Sign7702AuthorizationReturnType, type SignMessageParameters, type SignMessageReturnType, type SignTransactionParameters, type SignTransactionReturnType, type SignTypedDataV4Parameters, type SignTypedDataV4ReturnType, type SignUserOperationParameters, type SignUserOperationReturnType } from '../../actions/index.js';
+import { type AuthenticateWithEmailParameters, type AuthenticateWithEmailReturnType, type AuthenticateWithOAuthParameters, type AuthenticateWithOAuthReturnType, type GetAuthenticatorsParameters, type GetAuthenticatorsReturnType, type GetAuthProxyConfigIdReturnType, type GetOAuthLoginUrlParameters, type GetOAuthLoginUrlReturnType, type GetUserWalletParameters, type GetUserWalletReturnType, type GetWhoamiParameters, type GetWhoamiReturnType, type LoginWithOTPParameters, type LoginWithOTPReturnType, type RegisterWithOTPParameters, type RegisterWithOTPReturnType, type RegisterWithPasskeyParameters, type RegisterWithPasskeyReturnType, type Sign7702AuthorizationParameters, type Sign7702AuthorizationReturnType, type SignMessageParameters, type SignMessageReturnType, type SignTransactionParameters, type SignTransactionReturnType, type SignTypedDataV4Parameters, type SignTypedDataV4ReturnType, type SignUserOperationParameters, type SignUserOperationReturnType } from '../../actions/index.js';
 import type { Client } from '../types.js';
 /**
  * ZeroDev Wallet client actions that can be performed with a client
@@ -66,6 +66,12 @@ export type ZeroDevWalletActions = {
      * Gets the auth proxy config ID from the backend
      */
     getAuthProxyConfigId: () => Promise<GetAuthProxyConfigIdReturnType>;
+    /**
+     * Fetches the Google OAuth authorization URL from the backend.
+     * The caller must verify the URL's `nonce` against `sha256(utf8(publicKey))`
+     * before opening it (audit finding TOB-KMS-1).
+     */
+    getOAuthLoginUrl: (params: GetOAuthLoginUrlParameters) => Promise<GetOAuthLoginUrlReturnType>;
 };
 /**
  * Decorator function that adds ZeroDev Wallet client actions to a client

package/dist/_types/client/decorators/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../../src/client/decorators/client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAE9B,MAAM,sCAAsC,CAAA;AAC7C,OAAO,EACL,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EAGpC,KAAK,2BAA2B,EAChC,KAAK,2BAA2B,EAChC,KAAK,8BAA8B,EACnC,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EAKxB,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAE3B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,6BAA6B,EAClC,KAAK,6BAA6B,EAGlC,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,qBAAqB,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,KAAK,2BAA2B,EAMjC,MAAM,wBAAwB,CAAA;AAC/B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAEzC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG;IAEjC;;OAEG;IACH,qBAAqB,EAAE,CACrB,MAAM,EAAE,+BAA+B,KACpC,OAAO,CAAC,+BAA+B,CAAC,CAAA;IAE7C;;OAEG;IACH,qBAAqB,EAAE,CACrB,MAAM,EAAE,+BAA+B,KACpC,OAAO,CAAC,+BAA+B,CAAC,CAAA;IAE7C;;OAEG;IACH,SAAS,EAAE,CAAC,MAAM,EAAE,mBAAmB,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAA;IAExE;;;OAGG;IACH,iBAAiB,EAAE,CACjB,MAAM,EAAE,2BAA2B,KAChC,OAAO,CAAC,2BAA2B,CAAC,CAAA;IAGzC;;OAEG;IACH,aAAa,EAAE,CACb,MAAM,EAAE,uBAAuB,KAC5B,OAAO,CAAC,uBAAuB,CAAC,CAAA;IAErC;;OAEG;IACH,WAAW,EAAE,CAAC,MAAM,EAAE,qBAAqB,KAAK,OAAO,CAAC,qBAAqB,CAAC,CAAA;IAE9E;;OAEG;IACH,eAAe,EAAE,CACf,MAAM,EAAE,yBAAyB,KAC9B,OAAO,CAAC,yBAAyB,CAAC,CAAA;IAEvC;;OAEG;IACH,eAAe,EAAE,CACf,MAAM,EAAE,yBAAyB,KAC9B,OAAO,CAAC,yBAAyB,CAAC,CAAA;IAEvC;;OAEG;IACH,iBAAiB,EAAE,CACjB,MAAM,EAAE,2BAA2B,KAChC,OAAO,CAAC,2BAA2B,CAAC,CAAA;IAEzC;;OAEG;IACH,qBAAqB,EAAE,CACrB,MAAM,EAAE,+BAA+B,KACpC,OAAO,CAAC,+BAA+B,CAAC,CAAA;IAE7C;;OAEG;IACH,mBAAmB,EAAE,CACnB,MAAM,EAAE,6BAA6B,KAClC,OAAO,CAAC,6BAA6B,CAAC,CAAA;IAE3C;;OAEG;IACH,cAAc,EAAE,CACd,MAAM,EAAE,wBAAwB,KAC7B,OAAO,CAAC,wBAAwB,CAAC,CAAA;IAEtC;;OAEG;IACH,eAAe,EAAE,CACf,MAAM,EAAE,yBAAyB,KAC9B,OAAO,CAAC,yBAAyB,CAAC,CAAA;IAEvC;;OAEG;IACH,YAAY,EAAE,CACZ,MAAM,EAAE,sBAAsB,KAC3B,OAAO,CAAC,sBAAsB,CAAC,CAAA;IAEpC;;OAEG;IACH,oBAAoB,EAAE,MAAM,OAAO,CAAC,8BAA8B,CAAC,CAAA;CACpE,CAAA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,oBAAoB,CAqBzE"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../../src/client/decorators/client.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAE9B,MAAM,sCAAsC,CAAA;AAC7C,OAAO,EACL,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EAGpC,KAAK,2BAA2B,EAChC,KAAK,2BAA2B,EAChC,KAAK,8BAA8B,EACnC,KAAK,0BAA0B,EAC/B,KAAK,0BAA0B,EAC/B,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EAMxB,KAAK,sBAAsB,EAC3B,KAAK,sBAAsB,EAE3B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,6BAA6B,EAClC,KAAK,6BAA6B,EAGlC,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,qBAAqB,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,yBAAyB,EAC9B,KAAK,2BAA2B,EAChC,KAAK,2BAA2B,EAMjC,MAAM,wBAAwB,CAAA;AAC/B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAEzC;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAAG;IAEjC;;OAEG;IACH,qBAAqB,EAAE,CACrB,MAAM,EAAE,+BAA+B,KACpC,OAAO,CAAC,+BAA+B,CAAC,CAAA;IAE7C;;OAEG;IACH,qBAAqB,EAAE,CACrB,MAAM,EAAE,+BAA+B,KACpC,OAAO,CAAC,+BAA+B,CAAC,CAAA;IAE7C;;OAEG;IACH,SAAS,EAAE,CAAC,MAAM,EAAE,mBAAmB,KAAK,OAAO,CAAC,mBAAmB,CAAC,CAAA;IAExE;;;OAGG;IACH,iBAAiB,EAAE,CACjB,MAAM,EAAE,2BAA2B,KAChC,OAAO,CAAC,2BAA2B,CAAC,CAAA;IAGzC;;OAEG;IACH,aAAa,EAAE,CACb,MAAM,EAAE,uBAAuB,KAC5B,OAAO,CAAC,uBAAuB,CAAC,CAAA;IAErC;;OAEG;IACH,WAAW,EAAE,CAAC,MAAM,EAAE,qBAAqB,KAAK,OAAO,CAAC,qBAAqB,CAAC,CAAA;IAE9E;;OAEG;IACH,eAAe,EAAE,CACf,MAAM,EAAE,yBAAyB,KAC9B,OAAO,CAAC,yBAAyB,CAAC,CAAA;IAEvC;;OAEG;IACH,eAAe,EAAE,CACf,MAAM,EAAE,yBAAyB,KAC9B,OAAO,CAAC,yBAAyB,CAAC,CAAA;IAEvC;;OAEG;IACH,iBAAiB,EAAE,CACjB,MAAM,EAAE,2BAA2B,KAChC,OAAO,CAAC,2BAA2B,CAAC,CAAA;IAEzC;;OAEG;IACH,qBAAqB,EAAE,CACrB,MAAM,EAAE,+BAA+B,KACpC,OAAO,CAAC,+BAA+B,CAAC,CAAA;IAE7C;;OAEG;IACH,mBAAmB,EAAE,CACnB,MAAM,EAAE,6BAA6B,KAClC,OAAO,CAAC,6BAA6B,CAAC,CAAA;IAE3C;;OAEG;IACH,cAAc,EAAE,CACd,MAAM,EAAE,wBAAwB,KAC7B,OAAO,CAAC,wBAAwB,CAAC,CAAA;IAEtC;;OAEG;IACH,eAAe,EAAE,CACf,MAAM,EAAE,yBAAyB,KAC9B,OAAO,CAAC,yBAAyB,CAAC,CAAA;IAEvC;;OAEG;IACH,YAAY,EAAE,CACZ,MAAM,EAAE,sBAAsB,KAC3B,OAAO,CAAC,sBAAsB,CAAC,CAAA;IAEpC;;OAEG;IACH,oBAAoB,EAAE,MAAM,OAAO,CAAC,8BAA8B,CAAC,CAAA;IAEnE;;;;OAIG;IACH,gBAAgB,EAAE,CAChB,MAAM,EAAE,0BAA0B,KAC/B,OAAO,CAAC,0BAA0B,CAAC,CAAA;CACzC,CAAA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,oBAAoB,CAsBzE"}

package/dist/_types/client/transports/rest.d.ts

@@ -1,11 +1,12 @@
-import type { IndexedDbStamper, WebauthnStamper } from '../../stampers/types.js';
+import type { ApiKeyStamper, PasskeyStamper } from '../../stampers/types.js';
+import type { StamperType } from '../../types/session.js';
 export type RestRequestArgs = {
     path: string;
     method?: 'GET' | 'POST' | 'PUT' | 'DELETE';
     body?: any;
     headers?: Record<string, string>;
     stamp?: boolean;
-    stampWith?: 'indexedDb' | 'webAuthn';
+    stampWith?: StamperType;
     stampPostion?: 'body' | 'headers';
     /** Include credentials (cookies) in the request */
     credentials?: RequestCredentials;
@@ -28,8 +29,8 @@ export type RestTransportConfig = {
     timeoutMs?: number;
     key?: string;
     name?: string;
-    indexedDbStamper: IndexedDbStamper;
-    webauthnStamper: WebauthnStamper;
+    apiKeyStamper: ApiKeyStamper;
+    passkeyStamper: PasskeyStamper;
 };
 export declare function rest(url: string, cfg: RestTransportConfig): RestTransport;
 //# sourceMappingURL=rest.d.ts.map

package/dist/_types/client/transports/rest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rest.d.ts","sourceRoot":"","sources":["../../../../src/client/transports/rest.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAA;AAEhF,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAA;IAC1C,IAAI,CAAC,EAAE,GAAG,CAAA;IACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAChC,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,SAAS,CAAC,EAAE,WAAW,GAAG,UAAU,CAAA;IACpC,YAAY,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IACjC,mDAAmD;IACnD,WAAW,CAAC,EAAE,kBAAkB,CAAA;CACjC,CAAA;AAED,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,eAAe,KAAK,OAAO,CAAC,CAAC,CAAC,CAAA;AAE1E,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAA;IACrE,OAAO,EAAE,aAAa,CAAA;IACtB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAC/B,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG;IAChC,YAAY,CAAC,EAAE,IAAI,CAAC,WAAW,EAAE,MAAM,GAAG,QAAQ,GAAG,QAAQ,CAAC,CAAA;IAC9D,SAAS,CAAC,EAAE,CACV,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,WAAW,KACd,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,GAAG,WAAW,GAAG,SAAS,CAAA;IAC/D,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;IACpD,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,eAAe,EAAE,eAAe,CAAA;CACjC,CAAA;AAED,wBAAgB,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,mBAAmB,GAAG,aAAa,CAmGzE"}
+{"version":3,"file":"rest.d.ts","sourceRoot":"","sources":["../../../../src/client/transports/rest.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AAC5E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAA;AAEzD,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,CAAA;IAC1C,IAAI,CAAC,EAAE,GAAG,CAAA;IACV,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAChC,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,SAAS,CAAC,EAAE,WAAW,CAAA;IACvB,YAAY,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;IACjC,mDAAmD;IACnD,WAAW,CAAC,EAAE,kBAAkB,CAAA;CACjC,CAAA;AAED,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,GAAG,GAAG,EAAE,IAAI,EAAE,eAAe,KAAK,OAAO,CAAC,CAAC,CAAC,CAAA;AAE1E,MAAM,MAAM,aAAa,GAAG;IAC1B,MAAM,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAA;IACrE,OAAO,EAAE,aAAa,CAAA;IACtB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAC/B,CAAA;AAED,MAAM,MAAM,mBAAmB,GAAG;IAChC,YAAY,CAAC,EAAE,IAAI,CAAC,WAAW,EAAE,MAAM,GAAG,QAAQ,GAAG,QAAQ,CAAC,CAAA;IAC9D,SAAS,CAAC,EAAE,CACV,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,WAAW,KACd,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,GAAG,WAAW,GAAG,SAAS,CAAA;IAC/D,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,QAAQ,KAAK,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;IACpD,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,aAAa,EAAE,aAAa,CAAA;IAC5B,cAAc,EAAE,cAAc,CAAA;CAC/B,CAAA;AAED,wBAAgB,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,mBAAmB,GAAG,aAAa,CAmGzE"}

package/dist/_types/client/types.d.ts

@@ -1,4 +1,4 @@
-import type { IndexedDbStamper, WebauthnStamper } from '../stampers/types.js';
+import type { ApiKeyStamper, PasskeyStamper } from '../stampers/types.js';
 import type { RestRequestFn } from './transports/rest.js';
 export type TransportConfig = {
     /** The name of the transport. */
@@ -15,8 +15,8 @@ export type TransportConfig = {
     type: string;
 };
 export type Transport = (options: {
-    indexedDbStamper: IndexedDbStamper;
-    webauthnStamper: WebauthnStamper;
+    apiKeyStamper: ApiKeyStamper;
+    passkeyStamper: PasskeyStamper;
 }) => {
     config: TransportConfig;
     request: RestRequestFn;
@@ -24,8 +24,8 @@ export type Transport = (options: {
 };
 export type ClientConfig = {
     transport: Transport;
-    indexedDbStamper: IndexedDbStamper;
-    webauthnStamper: WebauthnStamper;
+    apiKeyStamper: ApiKeyStamper;
+    passkeyStamper: PasskeyStamper;
     organizationId?: string;
     key?: string;
     name?: string;
@@ -35,10 +35,10 @@ export type Client<extended extends Extended | undefined = undefined> = {
     transport: TransportConfig & Record<string, unknown>;
     /** Request function from transport */
     request: RestRequestFn;
-    /** IndexedDB Stamper for authenticated requests */
-    indexedDbStamper: IndexedDbStamper;
-    /** WebAuthn Stamper for authenticated requests */
-    webauthnStamper: WebauthnStamper;
+    /** API Key Stamper for authenticated requests */
+    apiKeyStamper: ApiKeyStamper;
+    /** Passkey Stamper for authenticated requests */
+    passkeyStamper: PasskeyStamper;
     /** Organization ID */
     organizationId?: string;
     /** A key for the client */

package/dist/_types/client/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/client/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAA;AAC7E,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEzD,MAAM,MAAM,eAAe,GAAG;IAC5B,iCAAiC;IACjC,IAAI,EAAE,MAAM,CAAA;IACZ,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAA;IACX,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAA;IACX,uCAAuC;IACvC,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAA;IACjB,iCAAiC;IACjC,IAAI,EAAE,MAAM,CAAA;CACb,CAAA;AAED,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,EAAE;IAChC,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,eAAe,EAAE,eAAe,CAAA;CACjC,KAAK;IACJ,MAAM,EAAE,eAAe,CAAA;IACvB,OAAO,EAAE,aAAa,CAAA;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAChC,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,SAAS,EAAE,SAAS,CAAA;IACpB,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,eAAe,EAAE,eAAe,CAAA;IAChC,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAA;CACd,CAAA;AAED,MAAM,MAAM,MAAM,CAAC,QAAQ,SAAS,QAAQ,GAAG,SAAS,GAAG,SAAS,IAAI;IACtE,8BAA8B;IAC9B,SAAS,EAAE,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACpD,sCAAsC;IACtC,OAAO,EAAE,aAAa,CAAA;IACtB,mDAAmD;IACnD,gBAAgB,EAAE,gBAAgB,CAAA;IAClC,kDAAkD;IAClD,eAAe,EAAE,eAAe,CAAA;IAChC,sBAAsB;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAA;IACX,4BAA4B;IAC5B,IAAI,EAAE,MAAM,CAAA;IACZ,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAA;IACX,sDAAsD;IACtD,MAAM,EAAE,CAAC,KAAK,CAAC,MAAM,SAAS,QAAQ,EACpC,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK,MAAM,KACrC,MAAM,CAAC,MAAM,GAAG,CAAC,QAAQ,SAAS,QAAQ,GAAG,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAA;CACvE,GAAG,CAAC,QAAQ,SAAS,QAAQ,GAAG,QAAQ,GAAG,OAAO,CAAC,CAAA;AAEpD,KAAK,QAAQ,GAAG;IACd,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB,CAAA"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/client/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AACzE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEzD,MAAM,MAAM,eAAe,GAAG;IAC5B,iCAAiC;IACjC,IAAI,EAAE,MAAM,CAAA;IACZ,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAA;IACX,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAA;IACX,uCAAuC;IACvC,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAA;IACjB,iCAAiC;IACjC,IAAI,EAAE,MAAM,CAAA;CACb,CAAA;AAED,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,EAAE;IAChC,aAAa,EAAE,aAAa,CAAA;IAC5B,cAAc,EAAE,cAAc,CAAA;CAC/B,KAAK;IACJ,MAAM,EAAE,eAAe,CAAA;IACvB,OAAO,EAAE,aAAa,CAAA;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAChC,CAAA;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,SAAS,EAAE,SAAS,CAAA;IACpB,aAAa,EAAE,aAAa,CAAA;IAC5B,cAAc,EAAE,cAAc,CAAA;IAC9B,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAA;CACd,CAAA;AAED,MAAM,MAAM,MAAM,CAAC,QAAQ,SAAS,QAAQ,GAAG,SAAS,GAAG,SAAS,IAAI;IACtE,8BAA8B;IAC9B,SAAS,EAAE,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACpD,sCAAsC;IACtC,OAAO,EAAE,aAAa,CAAA;IACtB,iDAAiD;IACjD,aAAa,EAAE,aAAa,CAAA;IAC5B,iDAAiD;IACjD,cAAc,EAAE,cAAc,CAAA;IAC9B,sBAAsB;IACtB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAA;IACX,4BAA4B;IAC5B,IAAI,EAAE,MAAM,CAAA;IACZ,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAA;IACX,sDAAsD;IACtD,MAAM,EAAE,CAAC,KAAK,CAAC,MAAM,SAAS,QAAQ,EACpC,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK,MAAM,KACrC,MAAM,CAAC,MAAM,GAAG,CAAC,QAAQ,SAAS,QAAQ,GAAG,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAA;CACvE,GAAG,CAAC,QAAQ,SAAS,QAAQ,GAAG,QAAQ,GAAG,OAAO,CAAC,CAAA;AAEpD,KAAK,QAAQ,GAAG;IACd,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB,CAAA"}