@zhoujun_aptos/octopus-ts-sdk-min 0.22.5 → 0.22.7

package/dist/common/index.js

@@ -2412,11 +2412,82 @@ var worker_config_exports = {};
 __export(worker_config_exports, {
   WorkerConfig: () => WorkerConfig,
   get: () => get,
+  getAsync: () => getAsync,
   randWorker: () => randWorker,
   view: () => view
 });
 var import_ts_sdk11 = require("@aptos-labs/ts-sdk");
 var import_utils16 = require("@noble/curves/utils");
+
+// src/result.ts
+var Result = class _Result {
+  isOk;
+  okValue;
+  errValue;
+  extra;
+  constructor({ isOk, okValue, errValue, extra }) {
+    this.isOk = isOk;
+    this.okValue = okValue;
+    this.errValue = errValue;
+    this.extra = extra;
+  }
+  static Ok(args) {
+    return new _Result({ isOk: true, okValue: args.value, extra: args.extra });
+  }
+  static Err(args) {
+    return new _Result({ isOk: false, errValue: args.error, extra: args.extra });
+  }
+  /**
+   * You write a closure that either returns a T or throws, and we wrap it to return a Result<T>.
+   * Your closure is also given an `extra` dictionary to record additional context.
+   */
+  static capture({ task, recordsExecutionTimeMs = false }) {
+    const start = performance.now();
+    var extra = {};
+    var error;
+    var okValue;
+    try {
+      okValue = task(extra);
+    } catch (caught) {
+      error = caught;
+    } finally {
+      if (recordsExecutionTimeMs) {
+        extra["_sdk_execution_time_ms"] = performance.now() - start;
+      }
+      if (error !== void 0) {
+        return _Result.Err({ error, extra });
+      } else {
+        return _Result.Ok({ value: okValue, extra });
+      }
+    }
+  }
+  /**
+   * You write an async closure that either returns a T or throws, and we wrap it to return a Result<T>.
+   * Your closure is also given an `extra` dictionary to record additional context.
+   */
+  static async captureAsync({ task, recordsExecutionTimeMs = false }) {
+    var extra = {};
+    const start = performance.now();
+    var error;
+    var okValue;
+    try {
+      okValue = await task(extra);
+    } catch (caught) {
+      error = caught;
+    } finally {
+      if (recordsExecutionTimeMs) {
+        extra["_sdk_execution_time_ms"] = performance.now() - start;
+      }
+      if (error !== void 0) {
+        return _Result.Err({ error, extra });
+      } else {
+        return _Result.Ok({ value: okValue, extra });
+      }
+    }
+  }
+};
+
+// src/worker_config.ts
 var WorkerConfig = class _WorkerConfig {
   expiryTimeMicrosecs;
   endpoint;
@@ -2501,6 +2572,23 @@ async function get(workerEndpoint) {
   const hex = await response.text();
   return WorkerConfig.fromHex(hex);
 }
+async function getAsync(workerEndpoint) {
+  const task = async (extra) => {
+    const url = `${workerEndpoint}/config_bcs`;
+    extra["url"] = url;
+    const response = await fetch(url, {
+      method: "GET"
+    });
+    extra["responseStatus"] = response.status;
+    extra["responseStatusText"] = response.statusText;
+    if (!response.ok) {
+      throw `Failed to fetch worker config: ${response.status} ${response.statusText}`;
+    }
+    const hex = await response.text();
+    return WorkerConfig.fromHex(hex);
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
 function randWorker() {
   const addr = new import_ts_sdk11.AccountAddress(utils_exports.randBytes(32));
   const encDk = keygen2();
@@ -2717,64 +2805,76 @@ var ProofOfPermission = class _ProofOfPermission {
   }
 };
 async function verifyPermission({ fullDecryptionDomain, proof }) {
-  const aptos = createAptos(getChainNameFromChainId(fullDecryptionDomain.getAptosContractID().chainId));
-  const taskVerifySig = async () => {
+  const task = async (extra) => {
+    const aptos = createAptos(getChainNameFromChainId(fullDecryptionDomain.getAptosContractID().chainId));
+    const [verifySigResult, checkAuthKeyResult, checkPermissionResult] = await Promise.all([
+      verifySig({ aptos, fullDecryptionDomain, proof }),
+      checkAuthKey({ aptos, userAddr: proof.userAddr, publicKey: proof.publicKey }),
+      checkPermission({ aptos, fullDecryptionDomain, proof })
+    ]);
+    extra["verifySigResult"] = verifySigResult;
+    extra["checkAuthKeyResult"] = checkAuthKeyResult;
+    extra["checkPermissionResult"] = checkPermissionResult;
+    if (!verifySigResult.isOk || !checkAuthKeyResult.isOk || !checkPermissionResult.isOk) {
+      throw "one or more sub-checks failed";
+    }
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function verifySig({ aptos, fullDecryptionDomain, proof }) {
+  const task = async (extra) => {
     const msgToSign = fullDecryptionDomain.toPrettyMessage();
     const msgToSignHex = (0, import_utils17.bytesToHex)(new TextEncoder().encode(msgToSign));
-    const fullMessageFromPetra = proof.fullMessage.includes(msgToSign);
-    const fullMessageFromAptosConnect = proof.fullMessage.includes(msgToSignHex);
-    if (!fullMessageFromPetra && !fullMessageFromAptosConnect) return false;
-    try {
-      return await proof.publicKey.verifySignatureAsync({
-        aptosConfig: aptos.config,
-        message: proof.fullMessage,
-        signature: proof.signature
-      });
-    } catch (error) {
-      return false;
-    }
+    const fullMessageSeemsFromPetra = proof.fullMessage.includes(msgToSign);
+    const fullMessageSeemsFromAptosConnect = proof.fullMessage.includes(msgToSignHex);
+    extra["msgToSign"] = msgToSign;
+    extra["msgToSignHex"] = msgToSignHex;
+    extra["fullMessageSeemsFromPetra"] = fullMessageSeemsFromPetra;
+    extra["fullMessageSeemsFromAptosConnect"] = fullMessageSeemsFromAptosConnect;
+    if (!fullMessageSeemsFromPetra && !fullMessageSeemsFromAptosConnect) throw "fullMessage does not contain fullDecryptionDomain or its hex";
+    const sigValid = await proof.publicKey.verifySignatureAsync({
+      aptosConfig: aptos.config,
+      message: proof.fullMessage,
+      signature: proof.signature
+    });
+    if (!sigValid) throw "verifySignatureAsync failed";
   };
-  const taskCheckAuthKey = async () => {
-    try {
-      const onChainAuthKeyBytes = await getAccountAuthKeyBytes(aptos, proof.userAddr);
-      const userAuthKeyBytes = proof.publicKey.authKey().bcsToBytes();
-      const onChainHex = (0, import_utils17.bytesToHex)(onChainAuthKeyBytes);
-      const userHex = (0, import_utils17.bytesToHex)(userAuthKeyBytes);
-      console.log(`onChainHex: ${onChainHex}`);
-      console.log(`userHex   : ${userHex}`);
-      return onChainHex === userHex;
-    } catch (error) {
-      return false;
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function checkAuthKey({ aptos, userAddr, publicKey }) {
+  const task = async (extra) => {
+    if (!(publicKey instanceof import_ts_sdk12.AccountPublicKey)) {
+      throw "publicKey is not an AccountPublicKey";
     }
+    const onChainAuthKeyBytes = await getAccountAuthKeyBytes(aptos, userAddr);
+    const userAuthKeyBytes = publicKey.authKey().bcsToBytes();
+    const onChainHex = (0, import_utils17.bytesToHex)(onChainAuthKeyBytes);
+    const userHex = (0, import_utils17.bytesToHex)(userAuthKeyBytes);
+    extra["onChainHex"] = onChainHex;
+    extra["userHex"] = userHex;
+    if (onChainHex !== userHex) throw "on-chain auth key does not match user auth key";
   };
-  const taskCheckPermission = async () => {
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function checkPermission({ aptos, fullDecryptionDomain, proof }) {
+  const task = async (extra) => {
     const contractId = fullDecryptionDomain.getAptosContractID();
-    try {
-      const userIsPermittedMoveVal = await view2(
-        aptos,
-        `${contractId.moduleAddr.toStringLong()}::${contractId.moduleName}::${contractId.functionName}`,
-        [],
-        [proof.userAddr, fullDecryptionDomain.toBytes()]
-      );
-      return userIsPermittedMoveVal?.toString() === "true";
-    } catch (error) {
-      return false;
+    const viewFunctionInvocationResult = await view2({
+      aptos,
+      func: `${contractId.moduleAddr.toStringLong()}::${contractId.moduleName}::${contractId.functionName}`,
+      typeArguments: [],
+      functionArguments: [proof.userAddr, fullDecryptionDomain.domain]
+    });
+    extra["viewFunctionInvocationResult"] = viewFunctionInvocationResult;
+    if (!viewFunctionInvocationResult.isOk) {
+      throw "view function invocation failed";
+    }
+    const returnedMoveValue = viewFunctionInvocationResult.okValue;
+    if (returnedMoveValue?.toString() !== "true") {
+      throw "access control contract return value is not true";
     }
   };
-  const [sigIsValid, authKeyMatches, userIsPermitted] = await Promise.all([
-    taskVerifySig(),
-    taskCheckAuthKey(),
-    taskCheckPermission()
-  ]);
-  if (!sigIsValid) {
-    throw new Error("Signature invalid.");
-  }
-  if (!authKeyMatches) {
-    throw new Error("Authentication key mismatch: on-chain key does not match provided public key.");
-  }
-  if (!userIsPermitted) {
-    throw new Error("Permission denied.");
-  }
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
 function getChainNameFromChainId(chainId) {
   if (chainId === 1) {
@@ -2811,18 +2911,22 @@ async function getAccountAuthKeyBytes(aptos, address) {
   const accountInfo = await aptos.getAccountInfo({ accountAddress: address });
   return (0, import_utils17.hexToBytes)(accountInfo.authentication_key.replace("0x", ""));
 }
-async function view2(aptos, func, typeArguments, functionArguments) {
-  const result = await aptos.view({
-    payload: {
-      function: func,
-      typeArguments,
-      functionArguments
+async function view2({ aptos, func, typeArguments, functionArguments }) {
+  const task = async (extra) => {
+    const returnedMoveValues = await aptos.view({
+      payload: {
+        function: func,
+        typeArguments,
+        functionArguments
+      }
+    });
+    extra["returnedMoveValues"] = returnedMoveValues;
+    if (returnedMoveValues.length === 0) {
+      throw `aptos.view returned an empty list`;
     }
-  });
-  if (result.length === 0) {
-    throw new Error(`View function returned empty result`);
-  }
-  return result[0];
+    return returnedMoveValues[0];
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
 
 // src/threshold-ibe/solana.ts
@@ -2923,76 +3027,107 @@ var ProofOfPermission2 = class _ProofOfPermission {
   }
 };
 async function verifyPermission2({ fullDecryptionDomain, proof }) {
-  const txn = proof.inner;
-  assertTransactionValid({ txn, fullDecryptionDomain });
-  await assertTransactionSimulationPasses(txn, fullDecryptionDomain.getSolanaContractID().knownChainName);
-}
-function assertTransactionValid({ txn, fullDecryptionDomain }) {
-  let instructions;
-  if (txn instanceof import_web3.VersionedTransaction) {
-    const message = txn.message;
-    instructions = message.compiledInstructions.map((ix) => {
-      if (ix.programIdIndex >= message.staticAccountKeys.length) {
-        throw new Error(`Program ID index ${ix.programIdIndex} is out of bounds for static account keys (length: ${message.staticAccountKeys.length}). Address table lookups are not supported for validation.`);
-      }
-      const programId = message.staticAccountKeys[ix.programIdIndex];
-      return { programId, data: Buffer.from(ix.data) };
-    });
-  } else {
-    instructions = txn.instructions.map((ix) => ({
-      programId: ix.programId,
-      data: Buffer.from(ix.data)
-    }));
-  }
-  if (instructions.length !== 1) {
-    throw new Error(`transaction must contain exactly 1 instruction, found ${instructions.length}`);
-  }
-  const instruction = instructions[0];
-  if (!instruction.programId.equals(fullDecryptionDomain.getSolanaContractID().programId)) {
-    throw new Error(`transaction instruction program ID (${instruction.programId.toString()}) does not match contract program ID`);
-  }
-  const instructionData = instruction.data;
-  if (instructionData.length < 12) {
-    throw new Error("instruction data too short (must be at least 12 bytes: 8-byte discriminator + 4-byte Vec length)");
-  }
-  const paramData = instructionData.slice(8);
-  const vecLength = paramData.readUInt32LE(0);
-  if (paramData.length < 4 + vecLength) {
-    throw new Error(`instruction data incomplete: expected ${4 + vecLength} bytes after discriminator, found ${paramData.length}`);
-  }
-  const fullBlobNameBytes = paramData.slice(4, 4 + vecLength);
-  const expectedParamDataLength = 4 + vecLength;
-  if (paramData.length > expectedParamDataLength) {
-    throw new Error(`instruction data has extra bytes: expected exactly ${expectedParamDataLength} bytes after discriminator, found ${paramData.length}`);
+  var extra = {};
+  try {
+    const txn = proof.inner;
+    const validateTxnResult = validateTxn({ txn, fullDecryptionDomain });
+    if (!validateTxnResult.isOk) {
+      extra["causedBy"] = validateTxnResult.extra;
+      throw "transaction is invalid";
+    }
+    const simulationResult = await assertTransactionSimulationPasses(txn, fullDecryptionDomain.getSolanaContractID().knownChainName);
+    if (!simulationResult.isOk) {
+      extra["causedBy"] = simulationResult.extra;
+      throw "transaction simulation failed";
+    }
+    return Result.Ok({ value: void 0, extra });
+  } catch (error) {
+    return Result.Err({ error, extra });
   }
-  if ((0, import_utils18.bytesToHex)(fullBlobNameBytes) !== fullDecryptionDomain.toHex()) {
-    throw new Error(`domain mismatch: instruction parameter does not match decryptionContext.domain`);
+}
+function validateTxn({ txn, fullDecryptionDomain }) {
+  try {
+    let instructions;
+    if (txn instanceof import_web3.VersionedTransaction) {
+      const message = txn.message;
+      instructions = message.compiledInstructions.map((ix) => {
+        if (ix.programIdIndex >= message.staticAccountKeys.length) {
+          throw `some program ID index is out of bounds for static account keys (are you using address table lookups? threshold-ibe does not support it yet)`;
+        }
+        const programId = message.staticAccountKeys[ix.programIdIndex];
+        return { programId, data: Buffer.from(ix.data) };
+      });
+    } else {
+      instructions = txn.instructions.map((ix) => ({
+        programId: ix.programId,
+        data: Buffer.from(ix.data)
+      }));
+    }
+    if (instructions.length !== 1) throw `transaction must contain exactly 1 instruction`;
+    const instruction = instructions[0];
+    if (!instruction.programId.equals(fullDecryptionDomain.getSolanaContractID().programId)) {
+      throw `transaction instruction program ID does not match contract program ID`;
+    }
+    const instructionData = instruction.data;
+    if (instructionData.length < 12) {
+      throw "instruction data too short";
+    }
+    const paramData = instructionData.slice(8);
+    const vecLength = paramData.readUInt32LE(0);
+    if (paramData.length < 4 + vecLength) throw `instruction data incomplete`;
+    const domainAsTxnParam = paramData.slice(4, 4 + vecLength);
+    const expectedParamDataLength = 4 + vecLength;
+    if (paramData.length > expectedParamDataLength) {
+      throw `instruction data has extra bytes`;
+    }
+    if ((0, import_utils18.bytesToHex)(domainAsTxnParam) !== (0, import_utils18.bytesToHex)(fullDecryptionDomain.domain)) {
+      throw `instruction parameter does not match decryptionContext.domain`;
+    }
+    return Result.Ok({ value: void 0 });
+  } catch (error) {
+    return Result.Err({ error });
   }
 }
 async function assertTransactionSimulationPasses(txn, chainName) {
-  let rpcUrl;
-  if (chainName === "localnet" || chainName === "localhost") {
-    rpcUrl = "http://127.0.0.1:8899";
-  } else if (chainName === "devnet") {
-    rpcUrl = "https://api.devnet.solana.com";
-  } else if (chainName === "testnet") {
-    rpcUrl = "https://api.testnet.solana.com";
-  } else if (chainName === "mainnet-beta") {
-    rpcUrl = "https://api.mainnet-beta.solana.com";
-  } else {
-    throw new Error(`Unknown chain name: ${chainName}`);
-  }
-  const connection = new import_web3.Connection(rpcUrl, "confirmed");
-  let simulation;
-  if (txn instanceof import_web3.VersionedTransaction) {
-    simulation = await connection.simulateTransaction(txn, {
-      sigVerify: true
-    });
-  } else {
-    simulation = await connection.simulateTransaction(txn);
-  }
-  if (simulation.value.err) {
-    throw new Error(`transaction simulation failed: ${JSON.stringify(simulation.value.err)}`);
+  var extra = {};
+  var error;
+  const start = performance.now();
+  try {
+    let rpcUrl;
+    if (chainName === "localnet" || chainName === "localhost") {
+      rpcUrl = "http://127.0.0.1:8899";
+    } else if (chainName === "devnet") {
+      rpcUrl = "https://api.devnet.solana.com";
+    } else if (chainName === "testnet") {
+      rpcUrl = "https://api.testnet.solana.com";
+    } else if (chainName === "mainnet-beta") {
+      rpcUrl = "https://api.mainnet-beta.solana.com";
+    } else {
+      extra["chainName"] = chainName;
+      throw `unsupported chain name`;
+    }
+    const connection = new import_web3.Connection(rpcUrl, "confirmed");
+    let simulation;
+    if (txn instanceof import_web3.VersionedTransaction) {
+      simulation = await connection.simulateTransaction(txn, {
+        sigVerify: true
+      });
+    } else {
+      simulation = await connection.simulateTransaction(txn);
+    }
+    if (simulation.value.err) {
+      extra["simulationError"] = simulation.value.err;
+      throw `transaction simulation failed`;
+    }
+  } catch (caught) {
+    error = caught;
+  } finally {
+    extra["executionTimeMs"] = performance.now() - start;
+    if (error !== void 0) {
+      return Result.Err({ error, extra });
+    } else {
+      return Result.Ok({ value: void 0, extra });
+    }
   }
 }
 
@@ -3098,11 +3233,16 @@ var EncryptionKey2 = class _EncryptionKey {
     this.ibeMpks = ibeMpks;
   }
   static async fetch({ committee }) {
-    const ibeMpks = await Promise.all(committee.workerEndpoints.map(async (endpoint) => {
-      const config = await worker_config_exports.get(endpoint);
-      return config.ibeMpk;
-    }));
-    return new _EncryptionKey({ ibeMpks });
+    const task = async (extra) => {
+      const workerConfigGetResults = await Promise.all(committee.workerEndpoints.map(async (endpoint) => {
+        return worker_config_exports.getAsync(endpoint);
+      }));
+      extra["workerConfigGetResults"] = workerConfigGetResults;
+      if (workerConfigGetResults.some((result) => !result.isOk)) throw "failed to get all worker configs";
+      const ibeMpks = workerConfigGetResults.map((result) => result.okValue.ibeMpk);
+      return new _EncryptionKey({ ibeMpks });
+    };
+    return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
   }
 };
 var DecryptionKey2 = class _DecryptionKey {
@@ -3111,43 +3251,43 @@ var DecryptionKey2 = class _DecryptionKey {
     this.ibeDecryptionKeys = ibeDecryptionKeys;
   }
   static async fetch({ committee, contractId, domain, proof }) {
-    const decKeyLoadResults = await Promise.all(committee.workerEndpoints.map(async (workerEndpoint) => {
-      const task = WorkerTask.newThresholdIbeDecryptionKey({ committee, contractId, domain, proof });
+    const task = async (extra) => {
+      extra["committee"] = committee;
+      const decKeyLoadResults = await Promise.all(committee.workerEndpoints.map(async (_workerEndpoint, index) => {
+        return _DecryptionKey.fetchDecKeyShare({ committee, contractId, domain, proof, index });
+      }));
+      extra["decKeyLoadResults"] = decKeyLoadResults;
+      const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult.isOk).length;
+      if (numSharesCollected < committee.threshold) throw `failed to collect enough shares`;
+      const decKeyShares = decKeyLoadResults.map((loadResult) => loadResult.okValue ?? null);
+      return new _DecryptionKey(decKeyShares);
+    };
+    return Result.captureAsync({ task, recordsExecutionTimeMs: true });
+  }
+  static async fetchDecKeyShare({ committee, contractId, domain, proof, index }) {
+    const task = async (extra) => {
+      const targetWorkerEndpoint = committee.workerEndpoints[index];
+      const task2 = WorkerTask.newThresholdIbeDecryptionKey({ committee, contractId, domain, proof });
       const controller = new AbortController();
       const timeoutId = setTimeout(() => controller.abort(), 5e3);
       var response = null;
       try {
-        response = await fetch(workerEndpoint, {
+        response = await fetch(targetWorkerEndpoint, {
           method: "POST",
-          body: task.toHex(),
+          body: task2.toHex(),
           signal: controller.signal
         });
       } catch (error) {
         clearTimeout(timeoutId);
       }
-      if (response == null) {
-        return new WorkerTimedOut();
-      }
+      if (response == null) throw "worker is not responding";
       const responseBody = await response.text();
-      if (response.status !== 200) {
-        return new WorkerRejected(response.status, responseBody);
-      }
-      try {
-        return IdentityPrivateKey2.fromHex(responseBody);
-      } catch (error) {
-        return new CouldNotParseDecryptionKey(responseBody);
-      }
-    }));
-    const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
-    if (numSharesCollected < committee.threshold) {
-      const workerResults = committee.workerEndpoints.map((workerEndpoint, i) => {
-        const result = decKeyLoadResults[i];
-        return `${workerEndpoint}: ${result instanceof IdentityPrivateKey2 ? "Success" : result.toDisplayString()}`;
-      }).join(", ");
-      throw new Error(`Failed to collect enough shares to decrypt. Collected ${numSharesCollected} shares, but needed ${committee.threshold} shares. Worker results: ${workerResults}`);
-    }
-    const decKeys = decKeyLoadResults.map((loadResult) => loadResult instanceof IdentityPrivateKey2 ? loadResult : null);
-    return new _DecryptionKey(decKeys);
+      extra["workerResponseStatus"] = response.status;
+      extra["workerResponseBody"] = responseBody;
+      if (response.status !== 200) throw `worker rejected: ${response.status}`;
+      return IdentityPrivateKey2.fromHex(responseBody);
+    };
+    return Result.captureAsync({ task, recordsExecutionTimeMs: true });
   }
 };
 var Ciphertext7 = class _Ciphertext {
@@ -3343,41 +3483,25 @@ function decrypt7({ decryptionKey, ciphertext }) {
   return decrypt6(symmKey, ciphertext.aesCiph);
 }
 async function verifyAndExtract({ ibeMsk, committee, contractId, domain, proof }) {
-  const decryptionContext = new FullDecryptionDomain({ committee, contractId, domain });
-  if (contractId.scheme == ContractID3.SCHEME_APTOS && proof.scheme == ProofOfPermission3.SCHEME_APTOS) {
-    await verifyPermission({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
-  } else if (contractId.scheme == ContractID3.SCHEME_SOLANA && proof.scheme == ProofOfPermission3.SCHEME_SOLANA) {
-    await verifyPermission2({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
-  } else {
-    throw new Error(`Unknown scheme: contractId=${contractId.scheme}, proof=${proof.scheme}`);
-  }
-  return extract2(ibeMsk, decryptionContext.toBytes());
+  const task = async (extra) => {
+    extra["contractIdScheme"] = contractId.scheme;
+    extra["proofScheme"] = proof.scheme;
+    const decryptionContext = new FullDecryptionDomain({ committee, contractId, domain });
+    if (contractId.scheme == ContractID3.SCHEME_APTOS && proof.scheme == ProofOfPermission3.SCHEME_APTOS) {
+      const aptosResult = await verifyPermission({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
+      extra["verifyAptosResult"] = aptosResult;
+      if (!aptosResult.isOk) throw "aptos verification failed";
+    } else if (contractId.scheme == ContractID3.SCHEME_SOLANA && proof.scheme == ProofOfPermission3.SCHEME_SOLANA) {
+      const solanaResult = await verifyPermission2({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
+      extra["verifySolanaResult"] = solanaResult;
+      if (!solanaResult.isOk) throw "solana verification failed";
+    } else {
+      throw "unsupported scheme combination";
+    }
+    return extract2(ibeMsk, decryptionContext.toBytes());
+  };
+  return Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
-var WorkerTimedOut = class {
-  toDisplayString() {
-    return "Timed out";
-  }
-};
-var WorkerRejected = class {
-  statusCode;
-  responseBody;
-  constructor(statusCode, responseBody) {
-    this.statusCode = statusCode;
-    this.responseBody = responseBody;
-  }
-  toDisplayString() {
-    return `Rejected: ${this.statusCode} ${this.responseBody}`;
-  }
-};
-var CouldNotParseDecryptionKey = class {
-  originalHex;
-  constructor(originalHex) {
-    this.originalHex = originalHex;
-  }
-  toDisplayString() {
-    return `Could not parse decryption key: ${this.originalHex}`;
-  }
-};
 
 // src/worker_task.ts
 var TYPE_SILENT_SETUP_DECRYPTION_KEY = 5;
@@ -3607,16 +3731,16 @@ var DecryptionContext = class _DecryptionContext {
         clearTimeout(timeoutId);
       }
       if (response == null) {
-        return new WorkerTimedOut2();
+        return new WorkerTimedOut();
       }
       const responseBody = await response.text();
       if (response.status !== 200) {
-        return new WorkerRejected2(response.status, responseBody);
+        return new WorkerRejected(response.status, responseBody);
       }
       try {
         return IdentityPrivateKey2.fromHex(responseBody);
       } catch (error) {
-        return new CouldNotParseDecryptionKey2(responseBody);
+        return new CouldNotParseDecryptionKey(responseBody);
       }
     }));
     const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
@@ -3722,12 +3846,12 @@ var Decryptor = class {
     return decrypt6(symmKey, ciphertext.aesCiph);
   }
 };
-var WorkerTimedOut2 = class {
+var WorkerTimedOut = class {
   toDisplayString() {
     return "Timed out";
   }
 };
-var WorkerRejected2 = class {
+var WorkerRejected = class {
   statusCode;
   responseBody;
   constructor(statusCode, responseBody) {
@@ -3738,7 +3862,7 @@ var WorkerRejected2 = class {
     return `Rejected: ${this.statusCode} ${this.responseBody}`;
   }
 };
-var CouldNotParseDecryptionKey2 = class {
+var CouldNotParseDecryptionKey = class {
   originalHex;
   constructor(originalHex) {
     this.originalHex = originalHex;
@@ -4302,16 +4426,16 @@ var DecryptionContext2 = class _DecryptionContext {
         clearTimeout(timeoutId);
       }
       if (response == null) {
-        return new WorkerTimedOut3();
+        return new WorkerTimedOut2();
       }
       const responseBody = await response.text();
       if (response.status !== 200) {
-        return new WorkerRejected3(response.status, responseBody);
+        return new WorkerRejected2(response.status, responseBody);
       }
       try {
         return IdentityPrivateKey2.fromHex(responseBody);
       } catch (error) {
-        return new CouldNotParseDecryptionKey3(responseBody);
+        return new CouldNotParseDecryptionKey2(responseBody);
       }
     }));
     const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
@@ -4416,12 +4540,12 @@ var Decryptor2 = class {
     return decrypt6(symmKey, ciphertext.aesCiph);
   }
 };
-var WorkerTimedOut3 = class {
+var WorkerTimedOut2 = class {
   toDisplayString() {
     return "Timed out";
   }
 };
-var WorkerRejected3 = class {
+var WorkerRejected2 = class {
   statusCode;
   responseBody;
   constructor(statusCode, responseBody) {
@@ -4432,7 +4556,7 @@ var WorkerRejected3 = class {
     return `Rejected: ${this.statusCode} ${this.responseBody}`;
   }
 };
-var CouldNotParseDecryptionKey3 = class {
+var CouldNotParseDecryptionKey2 = class {
   originalHex;
   constructor(originalHex) {
     this.originalHex = originalHex;