npm - @zhoujun_aptos/octopus-ts-sdk-min - Versions diffs - 0.22.6 → 0.22.7 - Mend

@zhoujun_aptos/octopus-ts-sdk-min 0.22.6 → 0.22.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/esm/index.mjs CHANGED Viewed

@@ -2371,11 +2371,82 @@ var worker_config_exports = {};
 __export(worker_config_exports, {
   WorkerConfig: () => WorkerConfig,
   get: () => get,
+  getAsync: () => getAsync,
   randWorker: () => randWorker,
   view: () => view
 });
 import { AccountAddress, Deserializer as Deserializer10, Network as Network2, Serializer as Serializer11 } from "@aptos-labs/ts-sdk";
 import { bytesToHex as bytesToHex10, hexToBytes as hexToBytes5 } from "@noble/curves/utils";
+// src/result.ts
+var Result = class _Result {
+  isOk;
+  okValue;
+  errValue;
+  extra;
+  constructor({ isOk, okValue, errValue, extra }) {
+    this.isOk = isOk;
+    this.okValue = okValue;
+    this.errValue = errValue;
+    this.extra = extra;
+  }
+  static Ok(args) {
+    return new _Result({ isOk: true, okValue: args.value, extra: args.extra });
+  }
+  static Err(args) {
+    return new _Result({ isOk: false, errValue: args.error, extra: args.extra });
+  }
+  /**
+   * You write a closure that either returns a T or throws, and we wrap it to return a Result<T>.
+   * Your closure is also given an `extra` dictionary to record additional context.
+   */
+  static capture({ task, recordsExecutionTimeMs = false }) {
+    const start = performance.now();
+    var extra = {};
+    var error;
+    var okValue;
+    try {
+      okValue = task(extra);
+    } catch (caught) {
+      error = caught;
+    } finally {
+      if (recordsExecutionTimeMs) {
+        extra["_sdk_execution_time_ms"] = performance.now() - start;
+      }
+      if (error !== void 0) {
+        return _Result.Err({ error, extra });
+      } else {
+        return _Result.Ok({ value: okValue, extra });
+      }
+    }
+  }
+  /**
+   * You write an async closure that either returns a T or throws, and we wrap it to return a Result<T>.
+   * Your closure is also given an `extra` dictionary to record additional context.
+   */
+  static async captureAsync({ task, recordsExecutionTimeMs = false }) {
+    var extra = {};
+    const start = performance.now();
+    var error;
+    var okValue;
+    try {
+      okValue = await task(extra);
+    } catch (caught) {
+      error = caught;
+    } finally {
+      if (recordsExecutionTimeMs) {
+        extra["_sdk_execution_time_ms"] = performance.now() - start;
+      }
+      if (error !== void 0) {
+        return _Result.Err({ error, extra });
+      } else {
+        return _Result.Ok({ value: okValue, extra });
+      }
+    }
+  }
+};
+// src/worker_config.ts
 var WorkerConfig = class _WorkerConfig {
   expiryTimeMicrosecs;
   endpoint;
@@ -2460,6 +2531,23 @@ async function get(workerEndpoint) {
   const hex = await response.text();
   return WorkerConfig.fromHex(hex);
 }
+async function getAsync(workerEndpoint) {
+  const task = async (extra) => {
+    const url = `${workerEndpoint}/config_bcs`;
+    extra["url"] = url;
+    const response = await fetch(url, {
+      method: "GET"
+    });
+    extra["responseStatus"] = response.status;
+    extra["responseStatusText"] = response.statusText;
+    if (!response.ok) {
+      throw `Failed to fetch worker config: ${response.status} ${response.statusText}`;
+    }
+    const hex = await response.text();
+    return WorkerConfig.fromHex(hex);
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
 function randWorker() {
   const addr = new AccountAddress(utils_exports.randBytes(32));
   const encDk = keygen2();
@@ -2495,7 +2583,7 @@ import { bytesToHex as bytesToHex13, hexToBytes as hexToBytes8 } from "@noble/ha
 import * as SolanaSDK from "@solana/web3.js";
 // src/threshold-ibe/aptos.ts
-import { AccountAddress as AccountAddress2, AnyPublicKey, AnySignature, Aptos as Aptos2, AptosConfig as AptosConfig2, Deserializer as Deserializer11, Ed25519PublicKey, Ed25519Signature, FederatedKeylessPublicKey, KeylessPublicKey, KeylessSignature, MultiEd25519PublicKey, MultiEd25519Signature, MultiKey, MultiKeySignature, Network as Network3, Serializer as Serializer12 } from "@aptos-labs/ts-sdk";
+import { AccountAddress as AccountAddress2, AccountPublicKey, AnyPublicKey, AnySignature, Aptos as Aptos2, AptosConfig as AptosConfig2, Deserializer as Deserializer11, Ed25519PublicKey, Ed25519Signature, FederatedKeylessPublicKey, KeylessPublicKey, KeylessSignature, MultiEd25519PublicKey, MultiEd25519Signature, MultiKey, MultiKeySignature, Network as Network3, Serializer as Serializer12 } from "@aptos-labs/ts-sdk";
 import { bytesToHex as bytesToHex11, hexToBytes as hexToBytes6 } from "@noble/hashes/utils";
 var ContractID = class _ContractID {
   chainId;
@@ -2676,64 +2764,76 @@ var ProofOfPermission = class _ProofOfPermission {
   }
 };
 async function verifyPermission({ fullDecryptionDomain, proof }) {
-  const aptos = createAptos(getChainNameFromChainId(fullDecryptionDomain.getAptosContractID().chainId));
-  const taskVerifySig = async () => {
+  const task = async (extra) => {
+    const aptos = createAptos(getChainNameFromChainId(fullDecryptionDomain.getAptosContractID().chainId));
+    const [verifySigResult, checkAuthKeyResult, checkPermissionResult] = await Promise.all([
+      verifySig({ aptos, fullDecryptionDomain, proof }),
+      checkAuthKey({ aptos, userAddr: proof.userAddr, publicKey: proof.publicKey }),
+      checkPermission({ aptos, fullDecryptionDomain, proof })
+    ]);
+    extra["verifySigResult"] = verifySigResult;
+    extra["checkAuthKeyResult"] = checkAuthKeyResult;
+    extra["checkPermissionResult"] = checkPermissionResult;
+    if (!verifySigResult.isOk || !checkAuthKeyResult.isOk || !checkPermissionResult.isOk) {
+      throw "one or more sub-checks failed";
+    }
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function verifySig({ aptos, fullDecryptionDomain, proof }) {
+  const task = async (extra) => {
     const msgToSign = fullDecryptionDomain.toPrettyMessage();
     const msgToSignHex = bytesToHex11(new TextEncoder().encode(msgToSign));
-    const fullMessageFromPetra = proof.fullMessage.includes(msgToSign);
-    const fullMessageFromAptosConnect = proof.fullMessage.includes(msgToSignHex);
-    if (!fullMessageFromPetra && !fullMessageFromAptosConnect) return false;
-    try {
-      return await proof.publicKey.verifySignatureAsync({
-        aptosConfig: aptos.config,
-        message: proof.fullMessage,
-        signature: proof.signature
-      });
-    } catch (error) {
-      return false;
-    }
+    const fullMessageSeemsFromPetra = proof.fullMessage.includes(msgToSign);
+    const fullMessageSeemsFromAptosConnect = proof.fullMessage.includes(msgToSignHex);
+    extra["msgToSign"] = msgToSign;
+    extra["msgToSignHex"] = msgToSignHex;
+    extra["fullMessageSeemsFromPetra"] = fullMessageSeemsFromPetra;
+    extra["fullMessageSeemsFromAptosConnect"] = fullMessageSeemsFromAptosConnect;
+    if (!fullMessageSeemsFromPetra && !fullMessageSeemsFromAptosConnect) throw "fullMessage does not contain fullDecryptionDomain or its hex";
+    const sigValid = await proof.publicKey.verifySignatureAsync({
+      aptosConfig: aptos.config,
+      message: proof.fullMessage,
+      signature: proof.signature
+    });
+    if (!sigValid) throw "verifySignatureAsync failed";
   };
-  const taskCheckAuthKey = async () => {
-    try {
-      const onChainAuthKeyBytes = await getAccountAuthKeyBytes(aptos, proof.userAddr);
-      const userAuthKeyBytes = proof.publicKey.authKey().bcsToBytes();
-      const onChainHex = bytesToHex11(onChainAuthKeyBytes);
-      const userHex = bytesToHex11(userAuthKeyBytes);
-      console.log(`onChainHex: ${onChainHex}`);
-      console.log(`userHex   : ${userHex}`);
-      return onChainHex === userHex;
-    } catch (error) {
-      return false;
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function checkAuthKey({ aptos, userAddr, publicKey }) {
+  const task = async (extra) => {
+    if (!(publicKey instanceof AccountPublicKey)) {
+      throw "publicKey is not an AccountPublicKey";
     }
+    const onChainAuthKeyBytes = await getAccountAuthKeyBytes(aptos, userAddr);
+    const userAuthKeyBytes = publicKey.authKey().bcsToBytes();
+    const onChainHex = bytesToHex11(onChainAuthKeyBytes);
+    const userHex = bytesToHex11(userAuthKeyBytes);
+    extra["onChainHex"] = onChainHex;
+    extra["userHex"] = userHex;
+    if (onChainHex !== userHex) throw "on-chain auth key does not match user auth key";
   };
-  const taskCheckPermission = async () => {
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function checkPermission({ aptos, fullDecryptionDomain, proof }) {
+  const task = async (extra) => {
     const contractId = fullDecryptionDomain.getAptosContractID();
-    try {
-      const userIsPermittedMoveVal = await view2(
-        aptos,
-        `${contractId.moduleAddr.toStringLong()}::${contractId.moduleName}::${contractId.functionName}`,
-        [],
-        [proof.userAddr, fullDecryptionDomain.domain]
-      );
-      return userIsPermittedMoveVal?.toString() === "true";
-    } catch (error) {
-      return false;
+    const viewFunctionInvocationResult = await view2({
+      aptos,
+      func: `${contractId.moduleAddr.toStringLong()}::${contractId.moduleName}::${contractId.functionName}`,
+      typeArguments: [],
+      functionArguments: [proof.userAddr, fullDecryptionDomain.domain]
+    });
+    extra["viewFunctionInvocationResult"] = viewFunctionInvocationResult;
+    if (!viewFunctionInvocationResult.isOk) {
+      throw "view function invocation failed";
+    }
+    const returnedMoveValue = viewFunctionInvocationResult.okValue;
+    if (returnedMoveValue?.toString() !== "true") {
+      throw "access control contract return value is not true";
     }
   };
-  const [sigIsValid, authKeyMatches, userIsPermitted] = await Promise.all([
-    taskVerifySig(),
-    taskCheckAuthKey(),
-    taskCheckPermission()
-  ]);
-  if (!sigIsValid) {
-    throw new Error("Signature invalid.");
-  }
-  if (!authKeyMatches) {
-    throw new Error("Authentication key mismatch: on-chain key does not match provided public key.");
-  }
-  if (!userIsPermitted) {
-    throw new Error("Permission denied.");
-  }
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
 function getChainNameFromChainId(chainId) {
   if (chainId === 1) {
@@ -2770,18 +2870,22 @@ async function getAccountAuthKeyBytes(aptos, address) {
   const accountInfo = await aptos.getAccountInfo({ accountAddress: address });
   return hexToBytes6(accountInfo.authentication_key.replace("0x", ""));
 }
-async function view2(aptos, func, typeArguments, functionArguments) {
-  const result = await aptos.view({
-    payload: {
-      function: func,
-      typeArguments,
-      functionArguments
+async function view2({ aptos, func, typeArguments, functionArguments }) {
+  const task = async (extra) => {
+    const returnedMoveValues = await aptos.view({
+      payload: {
+        function: func,
+        typeArguments,
+        functionArguments
+      }
+    });
+    extra["returnedMoveValues"] = returnedMoveValues;
+    if (returnedMoveValues.length === 0) {
+      throw `aptos.view returned an empty list`;
     }
-  });
-  if (result.length === 0) {
-    throw new Error(`View function returned empty result`);
-  }
-  return result[0];
+    return returnedMoveValues[0];
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
 // src/threshold-ibe/solana.ts
@@ -2882,76 +2986,107 @@ var ProofOfPermission2 = class _ProofOfPermission {
   }
 };
 async function verifyPermission2({ fullDecryptionDomain, proof }) {
-  const txn = proof.inner;
-  assertTransactionValid({ txn, fullDecryptionDomain });
-  await assertTransactionSimulationPasses(txn, fullDecryptionDomain.getSolanaContractID().knownChainName);
-}
-function assertTransactionValid({ txn, fullDecryptionDomain }) {
-  let instructions;
-  if (txn instanceof VersionedTransaction) {
-    const message = txn.message;
-    instructions = message.compiledInstructions.map((ix) => {
-      if (ix.programIdIndex >= message.staticAccountKeys.length) {
-        throw new Error(`Program ID index ${ix.programIdIndex} is out of bounds for static account keys (length: ${message.staticAccountKeys.length}). Address table lookups are not supported for validation.`);
-      }
-      const programId = message.staticAccountKeys[ix.programIdIndex];
-      return { programId, data: Buffer.from(ix.data) };
-    });
-  } else {
-    instructions = txn.instructions.map((ix) => ({
-      programId: ix.programId,
-      data: Buffer.from(ix.data)
-    }));
-  }
-  if (instructions.length !== 1) {
-    throw new Error(`transaction must contain exactly 1 instruction, found ${instructions.length}`);
-  }
-  const instruction = instructions[0];
-  if (!instruction.programId.equals(fullDecryptionDomain.getSolanaContractID().programId)) {
-    throw new Error(`transaction instruction program ID (${instruction.programId.toString()}) does not match contract program ID`);
-  }
-  const instructionData = instruction.data;
-  if (instructionData.length < 12) {
-    throw new Error("instruction data too short (must be at least 12 bytes: 8-byte discriminator + 4-byte Vec length)");
-  }
-  const paramData = instructionData.slice(8);
-  const vecLength = paramData.readUInt32LE(0);
-  if (paramData.length < 4 + vecLength) {
-    throw new Error(`instruction data incomplete: expected ${4 + vecLength} bytes after discriminator, found ${paramData.length}`);
-  }
-  const fullBlobNameBytes = paramData.slice(4, 4 + vecLength);
-  const expectedParamDataLength = 4 + vecLength;
-  if (paramData.length > expectedParamDataLength) {
-    throw new Error(`instruction data has extra bytes: expected exactly ${expectedParamDataLength} bytes after discriminator, found ${paramData.length}`);
+  var extra = {};
+  try {
+    const txn = proof.inner;
+    const validateTxnResult = validateTxn({ txn, fullDecryptionDomain });
+    if (!validateTxnResult.isOk) {
+      extra["causedBy"] = validateTxnResult.extra;
+      throw "transaction is invalid";
+    }
+    const simulationResult = await assertTransactionSimulationPasses(txn, fullDecryptionDomain.getSolanaContractID().knownChainName);
+    if (!simulationResult.isOk) {
+      extra["causedBy"] = simulationResult.extra;
+      throw "transaction simulation failed";
+    }
+    return Result.Ok({ value: void 0, extra });
+  } catch (error) {
+    return Result.Err({ error, extra });
   }
-  if (bytesToHex12(fullBlobNameBytes) !== fullDecryptionDomain.toHex()) {
-    throw new Error(`domain mismatch: instruction parameter does not match decryptionContext.domain`);
+}
+function validateTxn({ txn, fullDecryptionDomain }) {
+  try {
+    let instructions;
+    if (txn instanceof VersionedTransaction) {
+      const message = txn.message;
+      instructions = message.compiledInstructions.map((ix) => {
+        if (ix.programIdIndex >= message.staticAccountKeys.length) {
+          throw `some program ID index is out of bounds for static account keys (are you using address table lookups? threshold-ibe does not support it yet)`;
+        }
+        const programId = message.staticAccountKeys[ix.programIdIndex];
+        return { programId, data: Buffer.from(ix.data) };
+      });
+    } else {
+      instructions = txn.instructions.map((ix) => ({
+        programId: ix.programId,
+        data: Buffer.from(ix.data)
+      }));
+    }
+    if (instructions.length !== 1) throw `transaction must contain exactly 1 instruction`;
+    const instruction = instructions[0];
+    if (!instruction.programId.equals(fullDecryptionDomain.getSolanaContractID().programId)) {
+      throw `transaction instruction program ID does not match contract program ID`;
+    }
+    const instructionData = instruction.data;
+    if (instructionData.length < 12) {
+      throw "instruction data too short";
+    }
+    const paramData = instructionData.slice(8);
+    const vecLength = paramData.readUInt32LE(0);
+    if (paramData.length < 4 + vecLength) throw `instruction data incomplete`;
+    const domainAsTxnParam = paramData.slice(4, 4 + vecLength);
+    const expectedParamDataLength = 4 + vecLength;
+    if (paramData.length > expectedParamDataLength) {
+      throw `instruction data has extra bytes`;
+    }
+    if (bytesToHex12(domainAsTxnParam) !== bytesToHex12(fullDecryptionDomain.domain)) {
+      throw `instruction parameter does not match decryptionContext.domain`;
+    }
+    return Result.Ok({ value: void 0 });
+  } catch (error) {
+    return Result.Err({ error });
   }
 }
 async function assertTransactionSimulationPasses(txn, chainName) {
-  let rpcUrl;
-  if (chainName === "localnet" || chainName === "localhost") {
-    rpcUrl = "http://127.0.0.1:8899";
-  } else if (chainName === "devnet") {
-    rpcUrl = "https://api.devnet.solana.com";
-  } else if (chainName === "testnet") {
-    rpcUrl = "https://api.testnet.solana.com";
-  } else if (chainName === "mainnet-beta") {
-    rpcUrl = "https://api.mainnet-beta.solana.com";
-  } else {
-    throw new Error(`Unknown chain name: ${chainName}`);
-  }
-  const connection = new Connection(rpcUrl, "confirmed");
-  let simulation;
-  if (txn instanceof VersionedTransaction) {
-    simulation = await connection.simulateTransaction(txn, {
-      sigVerify: true
-    });
-  } else {
-    simulation = await connection.simulateTransaction(txn);
-  }
-  if (simulation.value.err) {
-    throw new Error(`transaction simulation failed: ${JSON.stringify(simulation.value.err)}`);
+  var extra = {};
+  var error;
+  const start = performance.now();
+  try {
+    let rpcUrl;
+    if (chainName === "localnet" || chainName === "localhost") {
+      rpcUrl = "http://127.0.0.1:8899";
+    } else if (chainName === "devnet") {
+      rpcUrl = "https://api.devnet.solana.com";
+    } else if (chainName === "testnet") {
+      rpcUrl = "https://api.testnet.solana.com";
+    } else if (chainName === "mainnet-beta") {
+      rpcUrl = "https://api.mainnet-beta.solana.com";
+    } else {
+      extra["chainName"] = chainName;
+      throw `unsupported chain name`;
+    }
+    const connection = new Connection(rpcUrl, "confirmed");
+    let simulation;
+    if (txn instanceof VersionedTransaction) {
+      simulation = await connection.simulateTransaction(txn, {
+        sigVerify: true
+      });
+    } else {
+      simulation = await connection.simulateTransaction(txn);
+    }
+    if (simulation.value.err) {
+      extra["simulationError"] = simulation.value.err;
+      throw `transaction simulation failed`;
+    }
+  } catch (caught) {
+    error = caught;
+  } finally {
+    extra["executionTimeMs"] = performance.now() - start;
+    if (error !== void 0) {
+      return Result.Err({ error, extra });
+    } else {
+      return Result.Ok({ value: void 0, extra });
+    }
   }
 }
@@ -3057,11 +3192,16 @@ var EncryptionKey2 = class _EncryptionKey {
     this.ibeMpks = ibeMpks;
   }
   static async fetch({ committee }) {
-    const ibeMpks = await Promise.all(committee.workerEndpoints.map(async (endpoint) => {
-      const config = await worker_config_exports.get(endpoint);
-      return config.ibeMpk;
-    }));
-    return new _EncryptionKey({ ibeMpks });
+    const task = async (extra) => {
+      const workerConfigGetResults = await Promise.all(committee.workerEndpoints.map(async (endpoint) => {
+        return worker_config_exports.getAsync(endpoint);
+      }));
+      extra["workerConfigGetResults"] = workerConfigGetResults;
+      if (workerConfigGetResults.some((result) => !result.isOk)) throw "failed to get all worker configs";
+      const ibeMpks = workerConfigGetResults.map((result) => result.okValue.ibeMpk);
+      return new _EncryptionKey({ ibeMpks });
+    };
+    return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
   }
 };
 var DecryptionKey2 = class _DecryptionKey {
@@ -3070,43 +3210,43 @@ var DecryptionKey2 = class _DecryptionKey {
     this.ibeDecryptionKeys = ibeDecryptionKeys;
   }
   static async fetch({ committee, contractId, domain, proof }) {
-    const decKeyLoadResults = await Promise.all(committee.workerEndpoints.map(async (workerEndpoint) => {
-      const task = WorkerTask.newThresholdIbeDecryptionKey({ committee, contractId, domain, proof });
+    const task = async (extra) => {
+      extra["committee"] = committee;
+      const decKeyLoadResults = await Promise.all(committee.workerEndpoints.map(async (_workerEndpoint, index) => {
+        return _DecryptionKey.fetchDecKeyShare({ committee, contractId, domain, proof, index });
+      }));
+      extra["decKeyLoadResults"] = decKeyLoadResults;
+      const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult.isOk).length;
+      if (numSharesCollected < committee.threshold) throw `failed to collect enough shares`;
+      const decKeyShares = decKeyLoadResults.map((loadResult) => loadResult.okValue ?? null);
+      return new _DecryptionKey(decKeyShares);
+    };
+    return Result.captureAsync({ task, recordsExecutionTimeMs: true });
+  }
+  static async fetchDecKeyShare({ committee, contractId, domain, proof, index }) {
+    const task = async (extra) => {
+      const targetWorkerEndpoint = committee.workerEndpoints[index];
+      const task2 = WorkerTask.newThresholdIbeDecryptionKey({ committee, contractId, domain, proof });
       const controller = new AbortController();
       const timeoutId = setTimeout(() => controller.abort(), 5e3);
       var response = null;
       try {
-        response = await fetch(workerEndpoint, {
+        response = await fetch(targetWorkerEndpoint, {
           method: "POST",
-          body: task.toHex(),
+          body: task2.toHex(),
           signal: controller.signal
         });
       } catch (error) {
         clearTimeout(timeoutId);
       }
-      if (response == null) {
-        return new WorkerTimedOut();
-      }
+      if (response == null) throw "worker is not responding";
       const responseBody = await response.text();
-      if (response.status !== 200) {
-        return new WorkerRejected(response.status, responseBody);
-      }
-      try {
-        return IdentityPrivateKey2.fromHex(responseBody);
-      } catch (error) {
-        return new CouldNotParseDecryptionKey(responseBody);
-      }
-    }));
-    const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
-    if (numSharesCollected < committee.threshold) {
-      const workerResults = committee.workerEndpoints.map((workerEndpoint, i) => {
-        const result = decKeyLoadResults[i];
-        return `${workerEndpoint}: ${result instanceof IdentityPrivateKey2 ? "Success" : result.toDisplayString()}`;
-      }).join(", ");
-      throw new Error(`Failed to collect enough shares to decrypt. Collected ${numSharesCollected} shares, but needed ${committee.threshold} shares. Worker results: ${workerResults}`);
-    }
-    const decKeys = decKeyLoadResults.map((loadResult) => loadResult instanceof IdentityPrivateKey2 ? loadResult : null);
-    return new _DecryptionKey(decKeys);
+      extra["workerResponseStatus"] = response.status;
+      extra["workerResponseBody"] = responseBody;
+      if (response.status !== 200) throw `worker rejected: ${response.status}`;
+      return IdentityPrivateKey2.fromHex(responseBody);
+    };
+    return Result.captureAsync({ task, recordsExecutionTimeMs: true });
   }
 };
 var Ciphertext7 = class _Ciphertext {
@@ -3302,41 +3442,25 @@ function decrypt7({ decryptionKey, ciphertext }) {
   return decrypt6(symmKey, ciphertext.aesCiph);
 }
 async function verifyAndExtract({ ibeMsk, committee, contractId, domain, proof }) {
-  const decryptionContext = new FullDecryptionDomain({ committee, contractId, domain });
-  if (contractId.scheme == ContractID3.SCHEME_APTOS && proof.scheme == ProofOfPermission3.SCHEME_APTOS) {
-    await verifyPermission({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
-  } else if (contractId.scheme == ContractID3.SCHEME_SOLANA && proof.scheme == ProofOfPermission3.SCHEME_SOLANA) {
-    await verifyPermission2({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
-  } else {
-    throw new Error(`Unknown scheme: contractId=${contractId.scheme}, proof=${proof.scheme}`);
-  }
-  return extract2(ibeMsk, decryptionContext.toBytes());
+  const task = async (extra) => {
+    extra["contractIdScheme"] = contractId.scheme;
+    extra["proofScheme"] = proof.scheme;
+    const decryptionContext = new FullDecryptionDomain({ committee, contractId, domain });
+    if (contractId.scheme == ContractID3.SCHEME_APTOS && proof.scheme == ProofOfPermission3.SCHEME_APTOS) {
+      const aptosResult = await verifyPermission({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
+      extra["verifyAptosResult"] = aptosResult;
+      if (!aptosResult.isOk) throw "aptos verification failed";
+    } else if (contractId.scheme == ContractID3.SCHEME_SOLANA && proof.scheme == ProofOfPermission3.SCHEME_SOLANA) {
+      const solanaResult = await verifyPermission2({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
+      extra["verifySolanaResult"] = solanaResult;
+      if (!solanaResult.isOk) throw "solana verification failed";
+    } else {
+      throw "unsupported scheme combination";
+    }
+    return extract2(ibeMsk, decryptionContext.toBytes());
+  };
+  return Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
-var WorkerTimedOut = class {
-  toDisplayString() {
-    return "Timed out";
-  }
-};
-var WorkerRejected = class {
-  statusCode;
-  responseBody;
-  constructor(statusCode, responseBody) {
-    this.statusCode = statusCode;
-    this.responseBody = responseBody;
-  }
-  toDisplayString() {
-    return `Rejected: ${this.statusCode} ${this.responseBody}`;
-  }
-};
-var CouldNotParseDecryptionKey = class {
-  originalHex;
-  constructor(originalHex) {
-    this.originalHex = originalHex;
-  }
-  toDisplayString() {
-    return `Could not parse decryption key: ${this.originalHex}`;
-  }
-};
 // src/worker_task.ts
 var TYPE_SILENT_SETUP_DECRYPTION_KEY = 5;
@@ -3566,16 +3690,16 @@ var DecryptionContext = class _DecryptionContext {
         clearTimeout(timeoutId);
       }
       if (response == null) {
-        return new WorkerTimedOut2();
+        return new WorkerTimedOut();
       }
       const responseBody = await response.text();
       if (response.status !== 200) {
-        return new WorkerRejected2(response.status, responseBody);
+        return new WorkerRejected(response.status, responseBody);
       }
       try {
         return IdentityPrivateKey2.fromHex(responseBody);
       } catch (error) {
-        return new CouldNotParseDecryptionKey2(responseBody);
+        return new CouldNotParseDecryptionKey(responseBody);
       }
     }));
     const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
@@ -3681,12 +3805,12 @@ var Decryptor = class {
     return decrypt6(symmKey, ciphertext.aesCiph);
   }
 };
-var WorkerTimedOut2 = class {
+var WorkerTimedOut = class {
   toDisplayString() {
     return "Timed out";
   }
 };
-var WorkerRejected2 = class {
+var WorkerRejected = class {
   statusCode;
   responseBody;
   constructor(statusCode, responseBody) {
@@ -3697,7 +3821,7 @@ var WorkerRejected2 = class {
     return `Rejected: ${this.statusCode} ${this.responseBody}`;
   }
 };
-var CouldNotParseDecryptionKey2 = class {
+var CouldNotParseDecryptionKey = class {
   originalHex;
   constructor(originalHex) {
     this.originalHex = originalHex;
@@ -4261,16 +4385,16 @@ var DecryptionContext2 = class _DecryptionContext {
         clearTimeout(timeoutId);
       }
       if (response == null) {
-        return new WorkerTimedOut3();
+        return new WorkerTimedOut2();
       }
       const responseBody = await response.text();
       if (response.status !== 200) {
-        return new WorkerRejected3(response.status, responseBody);
+        return new WorkerRejected2(response.status, responseBody);
       }
       try {
         return IdentityPrivateKey2.fromHex(responseBody);
       } catch (error) {
-        return new CouldNotParseDecryptionKey3(responseBody);
+        return new CouldNotParseDecryptionKey2(responseBody);
       }
     }));
     const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
@@ -4375,12 +4499,12 @@ var Decryptor2 = class {
     return decrypt6(symmKey, ciphertext.aesCiph);
   }
 };
-var WorkerTimedOut3 = class {
+var WorkerTimedOut2 = class {
   toDisplayString() {
     return "Timed out";
   }
 };
-var WorkerRejected3 = class {
+var WorkerRejected2 = class {
   statusCode;
   responseBody;
   constructor(statusCode, responseBody) {
@@ -4391,7 +4515,7 @@ var WorkerRejected3 = class {
     return `Rejected: ${this.statusCode} ${this.responseBody}`;
   }
 };
-var CouldNotParseDecryptionKey3 = class {
+var CouldNotParseDecryptionKey2 = class {
   originalHex;
   constructor(originalHex) {
     this.originalHex = originalHex;