npm - @zhoujun_aptos/octopus-ts-sdk-min - Versions diffs - 0.22.6 → 0.22.8 - Mend

@zhoujun_aptos/octopus-ts-sdk-min 0.22.6 → 0.22.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/common/index.js CHANGED Viewed

@@ -34,6 +34,7 @@ __export(index_exports, {
   Enc: () => enc_exports,
   Group: () => group_exports,
   IBE: () => ibe_exports,
+  Result: () => Result,
   Sig: () => sig_exports,
   SilentSetupEncryption: () => silent_setup_encryption_exports,
   SilentSetupEncryptionXChain: () => silent_setup_encryption_xchain_exports,
@@ -752,7 +753,9 @@ __export(ibe_exports, {
   encrypt: () => encrypt4,
   encryptWithRandomness: () => encryptWithRandomness4,
   extract: () => extract2,
-  keygen: () => keygen4
+  keygen: () => keygen4,
+  tryDecrypt: () => tryDecrypt2,
+  tryExtract: () => tryExtract
 });
 var import_ts_sdk6 = require("@aptos-labs/ts-sdk");
 var import_utils9 = require("@noble/curves/abstract/utils");
@@ -761,6 +764,84 @@ var import_utils9 = require("@noble/curves/abstract/utils");
 var import_bls12_381 = require("@noble/curves/bls12-381");
 var import_utils6 = require("@noble/curves/utils");
 var import_utils7 = require("@noble/hashes/utils");
+// src/result.ts
+var Result = class _Result {
+  isOk;
+  okValue;
+  errValue;
+  extra;
+  constructor({ isOk, okValue, errValue, extra }) {
+    this.isOk = isOk;
+    this.okValue = okValue;
+    this.errValue = errValue;
+    this.extra = extra;
+  }
+  static Ok(args) {
+    return new _Result({ isOk: true, okValue: args.value, extra: args.extra });
+  }
+  static Err(args) {
+    return new _Result({ isOk: false, errValue: args.error, extra: args.extra });
+  }
+  /**
+   * You write a closure that either returns a T or throws, and we wrap it to return a Result<T>.
+   * Your closure is also given an `extra` dictionary to record additional context.
+   */
+  static capture({ task, recordsExecutionTimeMs = false }) {
+    const start = performance.now();
+    var extra = {};
+    var error;
+    var okValue;
+    try {
+      okValue = task(extra);
+    } catch (caught) {
+      error = caught;
+    } finally {
+      if (recordsExecutionTimeMs) {
+        extra["_sdk_execution_time_ms"] = performance.now() - start;
+      }
+      if (error !== void 0) {
+        return _Result.Err({ error, extra });
+      } else {
+        return _Result.Ok({ value: okValue, extra });
+      }
+    }
+  }
+  /**
+   * You write an async closure that either returns a T or throws, and we wrap it to return a Result<T>.
+   * Your closure is also given an `extra` dictionary to record additional context.
+   */
+  static async captureAsync({ task, recordsExecutionTimeMs = false }) {
+    var extra = {};
+    const start = performance.now();
+    var error;
+    var okValue;
+    try {
+      okValue = await task(extra);
+    } catch (caught) {
+      error = caught;
+    } finally {
+      if (recordsExecutionTimeMs) {
+        extra["_sdk_execution_time_ms"] = performance.now() - start;
+      }
+      if (error !== void 0) {
+        return _Result.Err({ error, extra });
+      } else {
+        return _Result.Ok({ value: okValue, extra });
+      }
+    }
+  }
+  unwrapOrThrow(tothrow) {
+    if (!this.isOk) throw tothrow;
+    return this.okValue;
+  }
+  unwrapErrOrThrow(tothrow) {
+    if (this.isOk) throw tothrow;
+    return this.errValue;
+  }
+};
+// src/ibe/otp_hmac_boneh_franklin_bls12381_short_pk.ts
 var DST_OTP = new TextEncoder().encode("BONEH_FRANKLIN_BLS12381_SHORT_PK/OTP");
 var DST_ID_HASH = new TextEncoder().encode("BONEH_FRANKLIN_BLS12381_SHORT_PK/HASH_ID_TO_CURVE");
 var DST_MAC = new TextEncoder().encode("BONEH_FRANKLIN_BLS12381_SHORT_PK/MAC");
@@ -894,6 +975,21 @@ function decrypt3(identityKey, ciphertext) {
   const plaintext = xorBytes(otp, ciphertext.symmetricCiph);
   return plaintext;
 }
+function tryDecrypt(identityKey, ciphertext) {
+  const task = (_extra) => {
+    const seedElementGt = import_bls12_381.bls12_381.pairing(ciphertext.c0, identityKey.privatePointG2);
+    const seed = bls12381GtReprNobleToAptos(import_bls12_381.bls12_381.fields.Fp12.toBytes(seedElementGt));
+    const macKey = kdf(seed, DST_MAC, 32);
+    const macAnother = hmac_sha3_256(macKey, ciphertext.symmetricCiph);
+    if ((0, import_utils7.bytesToHex)(ciphertext.mac) !== (0, import_utils7.bytesToHex)(macAnother)) {
+      throw "decryption failed";
+    }
+    const otp = kdf(seed, DST_OTP, ciphertext.symmetricCiph.length);
+    const plaintext = xorBytes(otp, ciphertext.symmetricCiph);
+    return plaintext;
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
+}
 // src/ibe/index.ts
 var SCHEME_OTP_HAMC_BONEH_FRANKLIN_BLS12381_SHORT_PK = 0;
@@ -1124,12 +1220,36 @@ function extract2(privateKey, id) {
   }
   throw new Error(`Unknown scheme: ${privateKey.scheme}`);
 }
+function tryExtract(privateKey, id) {
+  const task = (extra) => {
+    extra["scheme"] = privateKey.scheme;
+    if (privateKey.scheme == SCHEME_OTP_HAMC_BONEH_FRANKLIN_BLS12381_SHORT_PK) {
+      return new IdentityPrivateKey2(
+        SCHEME_OTP_HAMC_BONEH_FRANKLIN_BLS12381_SHORT_PK,
+        extract(privateKey.inner, id)
+      );
+    }
+    throw `unknown scheme`;
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
+}
 function decrypt4(identityKey, ciphertext) {
   if (identityKey.scheme == SCHEME_OTP_HAMC_BONEH_FRANKLIN_BLS12381_SHORT_PK) {
     return decrypt3(identityKey.inner, ciphertext.inner);
   }
   throw new Error(`Unknown scheme: ${identityKey.scheme}`);
 }
+function tryDecrypt2(identityKey, ciphertext) {
+  const task = (extra) => {
+    extra["scheme"] = identityKey.scheme;
+    if (identityKey.scheme == SCHEME_OTP_HAMC_BONEH_FRANKLIN_BLS12381_SHORT_PK) {
+      const innerResult = tryDecrypt(identityKey.inner, ciphertext.inner);
+      return innerResult.unwrapOrThrow("OtpHmacBonehFranklinBls12381ShortPK.tryDecrypt failed");
+    }
+    throw `unknown scheme`;
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
+}
 // src/sig/index.ts
 var sig_exports = {};
@@ -2196,7 +2316,8 @@ __export(sym_exports, {
   decrypt: () => decrypt6,
   encrypt: () => encrypt6,
   encryptWithRandomness: () => encryptWithRandomness6,
-  keygen: () => keygen8
+  keygen: () => keygen8,
+  tryDecrypt: () => tryDecrypt4
 });
 var import_ts_sdk10 = require("@aptos-labs/ts-sdk");
 var import_utils15 = require("@noble/curves/utils");
@@ -2297,6 +2418,16 @@ function decrypt5(key, ciphertext) {
     return void 0;
   }
 }
+function tryDecrypt3(key, ciphertext) {
+  const task = (_extra) => {
+    const gcmInstance = (0, import_aes.gcm)(key.inner, ciphertext.iv);
+    const encryptedData = new Uint8Array(ciphertext.ct.length + ciphertext.tag.length);
+    encryptedData.set(ciphertext.ct, 0);
+    encryptedData.set(ciphertext.tag, ciphertext.ct.length);
+    return gcmInstance.decrypt(encryptedData);
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
+}
 // src/sym/index.ts
 var SCHEME_AES256GCM = 0;
@@ -2406,12 +2537,24 @@ function decrypt6(key, ciphertext) {
   }
   throw new Error("Invalid scheme");
 }
+function tryDecrypt4(key, ciphertext) {
+  const task = (extra) => {
+    extra["scheme"] = key.scheme;
+    if (key.scheme === SCHEME_AES256GCM) {
+      const innerResult = tryDecrypt3(key.inner, ciphertext.inner);
+      return innerResult.unwrapOrThrow("AES256GCM decryption failed");
+    }
+    throw `unknown scheme`;
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
+}
 // src/worker_config.ts
 var worker_config_exports = {};
 __export(worker_config_exports, {
   WorkerConfig: () => WorkerConfig,
   get: () => get,
+  getAsync: () => getAsync,
   randWorker: () => randWorker,
   view: () => view
 });
@@ -2501,6 +2644,23 @@ async function get(workerEndpoint) {
   const hex = await response.text();
   return WorkerConfig.fromHex(hex);
 }
+async function getAsync(workerEndpoint) {
+  const task = async (extra) => {
+    const url = `${workerEndpoint}/config_bcs`;
+    extra["url"] = url;
+    const response = await fetch(url, {
+      method: "GET"
+    });
+    extra["responseStatus"] = response.status;
+    extra["responseStatusText"] = response.statusText;
+    if (!response.ok) {
+      throw `Failed to fetch worker config: ${response.status} ${response.statusText}`;
+    }
+    const hex = await response.text();
+    return WorkerConfig.fromHex(hex);
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
 function randWorker() {
   const addr = new import_ts_sdk11.AccountAddress(utils_exports.randBytes(32));
   const encDk = keygen2();
@@ -2527,9 +2687,9 @@ __export(threshold_ibe_exports, {
   EncryptionKey: () => EncryptionKey2,
   FullDecryptionDomain: () => FullDecryptionDomain,
   ProofOfPermission: () => ProofOfPermission3,
-  decrypt: () => decrypt7,
   encrypt: () => encrypt7,
-  verifyAndExtract: () => verifyAndExtract
+  tryDecrypt: () => tryDecrypt5,
+  tryExtract: () => tryExtract2
 });
 var import_ts_sdk14 = require("@aptos-labs/ts-sdk");
 var import_utils19 = require("@noble/hashes/utils");
@@ -2717,64 +2877,76 @@ var ProofOfPermission = class _ProofOfPermission {
   }
 };
 async function verifyPermission({ fullDecryptionDomain, proof }) {
-  const aptos = createAptos(getChainNameFromChainId(fullDecryptionDomain.getAptosContractID().chainId));
-  const taskVerifySig = async () => {
+  const task = async (extra) => {
+    const aptos = createAptos(getChainNameFromChainId(fullDecryptionDomain.getAptosContractID().chainId));
+    const [verifySigResult, checkAuthKeyResult, checkPermissionResult] = await Promise.all([
+      verifySig({ aptos, fullDecryptionDomain, proof }),
+      checkAuthKey({ aptos, userAddr: proof.userAddr, publicKey: proof.publicKey }),
+      checkPermission({ aptos, fullDecryptionDomain, proof })
+    ]);
+    extra["verifySigResult"] = verifySigResult;
+    extra["checkAuthKeyResult"] = checkAuthKeyResult;
+    extra["checkPermissionResult"] = checkPermissionResult;
+    if (!verifySigResult.isOk || !checkAuthKeyResult.isOk || !checkPermissionResult.isOk) {
+      throw "one or more sub-checks failed";
+    }
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function verifySig({ aptos, fullDecryptionDomain, proof }) {
+  const task = async (extra) => {
     const msgToSign = fullDecryptionDomain.toPrettyMessage();
     const msgToSignHex = (0, import_utils17.bytesToHex)(new TextEncoder().encode(msgToSign));
-    const fullMessageFromPetra = proof.fullMessage.includes(msgToSign);
-    const fullMessageFromAptosConnect = proof.fullMessage.includes(msgToSignHex);
-    if (!fullMessageFromPetra && !fullMessageFromAptosConnect) return false;
-    try {
-      return await proof.publicKey.verifySignatureAsync({
-        aptosConfig: aptos.config,
-        message: proof.fullMessage,
-        signature: proof.signature
-      });
-    } catch (error) {
-      return false;
-    }
+    const fullMessageSeemsFromPetra = proof.fullMessage.includes(msgToSign);
+    const fullMessageSeemsFromAptosConnect = proof.fullMessage.includes(msgToSignHex);
+    extra["msgToSign"] = msgToSign;
+    extra["msgToSignHex"] = msgToSignHex;
+    extra["fullMessageSeemsFromPetra"] = fullMessageSeemsFromPetra;
+    extra["fullMessageSeemsFromAptosConnect"] = fullMessageSeemsFromAptosConnect;
+    if (!fullMessageSeemsFromPetra && !fullMessageSeemsFromAptosConnect) throw "fullMessage does not contain fullDecryptionDomain or its hex";
+    const sigValid = await proof.publicKey.verifySignatureAsync({
+      aptosConfig: aptos.config,
+      message: proof.fullMessage,
+      signature: proof.signature
+    });
+    if (!sigValid) throw "verifySignatureAsync failed";
   };
-  const taskCheckAuthKey = async () => {
-    try {
-      const onChainAuthKeyBytes = await getAccountAuthKeyBytes(aptos, proof.userAddr);
-      const userAuthKeyBytes = proof.publicKey.authKey().bcsToBytes();
-      const onChainHex = (0, import_utils17.bytesToHex)(onChainAuthKeyBytes);
-      const userHex = (0, import_utils17.bytesToHex)(userAuthKeyBytes);
-      console.log(`onChainHex: ${onChainHex}`);
-      console.log(`userHex   : ${userHex}`);
-      return onChainHex === userHex;
-    } catch (error) {
-      return false;
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function checkAuthKey({ aptos, userAddr, publicKey }) {
+  const task = async (extra) => {
+    if (!(publicKey instanceof import_ts_sdk12.AccountPublicKey)) {
+      throw "publicKey is not an AccountPublicKey";
     }
+    const onChainAuthKeyBytes = await getAccountAuthKeyBytes(aptos, userAddr);
+    const userAuthKeyBytes = publicKey.authKey().bcsToBytes();
+    const onChainHex = (0, import_utils17.bytesToHex)(onChainAuthKeyBytes);
+    const userHex = (0, import_utils17.bytesToHex)(userAuthKeyBytes);
+    extra["onChainHex"] = onChainHex;
+    extra["userHex"] = userHex;
+    if (onChainHex !== userHex) throw "on-chain auth key does not match user auth key";
   };
-  const taskCheckPermission = async () => {
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function checkPermission({ aptos, fullDecryptionDomain, proof }) {
+  const task = async (extra) => {
     const contractId = fullDecryptionDomain.getAptosContractID();
-    try {
-      const userIsPermittedMoveVal = await view2(
-        aptos,
-        `${contractId.moduleAddr.toStringLong()}::${contractId.moduleName}::${contractId.functionName}`,
-        [],
-        [proof.userAddr, fullDecryptionDomain.domain]
-      );
-      return userIsPermittedMoveVal?.toString() === "true";
-    } catch (error) {
-      return false;
+    const viewFunctionInvocationResult = await view2({
+      aptos,
+      func: `${contractId.moduleAddr.toStringLong()}::${contractId.moduleName}::${contractId.functionName}`,
+      typeArguments: [],
+      functionArguments: [proof.userAddr, fullDecryptionDomain.domain]
+    });
+    extra["viewFunctionInvocationResult"] = viewFunctionInvocationResult;
+    if (!viewFunctionInvocationResult.isOk) {
+      throw "view function invocation failed";
+    }
+    const returnedMoveValue = viewFunctionInvocationResult.okValue;
+    if (returnedMoveValue?.toString() !== "true") {
+      throw "access control contract return value is not true";
     }
   };
-  const [sigIsValid, authKeyMatches, userIsPermitted] = await Promise.all([
-    taskVerifySig(),
-    taskCheckAuthKey(),
-    taskCheckPermission()
-  ]);
-  if (!sigIsValid) {
-    throw new Error("Signature invalid.");
-  }
-  if (!authKeyMatches) {
-    throw new Error("Authentication key mismatch: on-chain key does not match provided public key.");
-  }
-  if (!userIsPermitted) {
-    throw new Error("Permission denied.");
-  }
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
 function getChainNameFromChainId(chainId) {
   if (chainId === 1) {
@@ -2811,18 +2983,22 @@ async function getAccountAuthKeyBytes(aptos, address) {
   const accountInfo = await aptos.getAccountInfo({ accountAddress: address });
   return (0, import_utils17.hexToBytes)(accountInfo.authentication_key.replace("0x", ""));
 }
-async function view2(aptos, func, typeArguments, functionArguments) {
-  const result = await aptos.view({
-    payload: {
-      function: func,
-      typeArguments,
-      functionArguments
+async function view2({ aptos, func, typeArguments, functionArguments }) {
+  const task = async (extra) => {
+    const returnedMoveValues = await aptos.view({
+      payload: {
+        function: func,
+        typeArguments,
+        functionArguments
+      }
+    });
+    extra["returnedMoveValues"] = returnedMoveValues;
+    if (returnedMoveValues.length === 0) {
+      throw `aptos.view returned an empty list`;
     }
-  });
-  if (result.length === 0) {
-    throw new Error(`View function returned empty result`);
-  }
-  return result[0];
+    return returnedMoveValues[0];
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
 // src/threshold-ibe/solana.ts
@@ -2923,76 +3099,107 @@ var ProofOfPermission2 = class _ProofOfPermission {
   }
 };
 async function verifyPermission2({ fullDecryptionDomain, proof }) {
-  const txn = proof.inner;
-  assertTransactionValid({ txn, fullDecryptionDomain });
-  await assertTransactionSimulationPasses(txn, fullDecryptionDomain.getSolanaContractID().knownChainName);
-}
-function assertTransactionValid({ txn, fullDecryptionDomain }) {
-  let instructions;
-  if (txn instanceof import_web3.VersionedTransaction) {
-    const message = txn.message;
-    instructions = message.compiledInstructions.map((ix) => {
-      if (ix.programIdIndex >= message.staticAccountKeys.length) {
-        throw new Error(`Program ID index ${ix.programIdIndex} is out of bounds for static account keys (length: ${message.staticAccountKeys.length}). Address table lookups are not supported for validation.`);
-      }
-      const programId = message.staticAccountKeys[ix.programIdIndex];
-      return { programId, data: Buffer.from(ix.data) };
-    });
-  } else {
-    instructions = txn.instructions.map((ix) => ({
-      programId: ix.programId,
-      data: Buffer.from(ix.data)
-    }));
-  }
-  if (instructions.length !== 1) {
-    throw new Error(`transaction must contain exactly 1 instruction, found ${instructions.length}`);
-  }
-  const instruction = instructions[0];
-  if (!instruction.programId.equals(fullDecryptionDomain.getSolanaContractID().programId)) {
-    throw new Error(`transaction instruction program ID (${instruction.programId.toString()}) does not match contract program ID`);
-  }
-  const instructionData = instruction.data;
-  if (instructionData.length < 12) {
-    throw new Error("instruction data too short (must be at least 12 bytes: 8-byte discriminator + 4-byte Vec length)");
-  }
-  const paramData = instructionData.slice(8);
-  const vecLength = paramData.readUInt32LE(0);
-  if (paramData.length < 4 + vecLength) {
-    throw new Error(`instruction data incomplete: expected ${4 + vecLength} bytes after discriminator, found ${paramData.length}`);
-  }
-  const fullBlobNameBytes = paramData.slice(4, 4 + vecLength);
-  const expectedParamDataLength = 4 + vecLength;
-  if (paramData.length > expectedParamDataLength) {
-    throw new Error(`instruction data has extra bytes: expected exactly ${expectedParamDataLength} bytes after discriminator, found ${paramData.length}`);
+  var extra = {};
+  try {
+    const txn = proof.inner;
+    const validateTxnResult = validateTxn({ txn, fullDecryptionDomain });
+    if (!validateTxnResult.isOk) {
+      extra["causedBy"] = validateTxnResult.extra;
+      throw "transaction is invalid";
+    }
+    const simulationResult = await assertTransactionSimulationPasses(txn, fullDecryptionDomain.getSolanaContractID().knownChainName);
+    if (!simulationResult.isOk) {
+      extra["causedBy"] = simulationResult.extra;
+      throw "transaction simulation failed";
+    }
+    return Result.Ok({ value: void 0, extra });
+  } catch (error) {
+    return Result.Err({ error, extra });
   }
-  if ((0, import_utils18.bytesToHex)(fullBlobNameBytes) !== fullDecryptionDomain.toHex()) {
-    throw new Error(`domain mismatch: instruction parameter does not match decryptionContext.domain`);
+}
+function validateTxn({ txn, fullDecryptionDomain }) {
+  try {
+    let instructions;
+    if (txn instanceof import_web3.VersionedTransaction) {
+      const message = txn.message;
+      instructions = message.compiledInstructions.map((ix) => {
+        if (ix.programIdIndex >= message.staticAccountKeys.length) {
+          throw `some program ID index is out of bounds for static account keys (are you using address table lookups? threshold-ibe does not support it yet)`;
+        }
+        const programId = message.staticAccountKeys[ix.programIdIndex];
+        return { programId, data: Buffer.from(ix.data) };
+      });
+    } else {
+      instructions = txn.instructions.map((ix) => ({
+        programId: ix.programId,
+        data: Buffer.from(ix.data)
+      }));
+    }
+    if (instructions.length !== 1) throw `transaction must contain exactly 1 instruction`;
+    const instruction = instructions[0];
+    if (!instruction.programId.equals(fullDecryptionDomain.getSolanaContractID().programId)) {
+      throw `transaction instruction program ID does not match contract program ID`;
+    }
+    const instructionData = instruction.data;
+    if (instructionData.length < 12) {
+      throw "instruction data too short";
+    }
+    const paramData = instructionData.slice(8);
+    const vecLength = paramData.readUInt32LE(0);
+    if (paramData.length < 4 + vecLength) throw `instruction data incomplete`;
+    const domainAsTxnParam = paramData.slice(4, 4 + vecLength);
+    const expectedParamDataLength = 4 + vecLength;
+    if (paramData.length > expectedParamDataLength) {
+      throw `instruction data has extra bytes`;
+    }
+    if ((0, import_utils18.bytesToHex)(domainAsTxnParam) !== (0, import_utils18.bytesToHex)(fullDecryptionDomain.domain)) {
+      throw `instruction parameter does not match decryptionContext.domain`;
+    }
+    return Result.Ok({ value: void 0 });
+  } catch (error) {
+    return Result.Err({ error });
   }
 }
 async function assertTransactionSimulationPasses(txn, chainName) {
-  let rpcUrl;
-  if (chainName === "localnet" || chainName === "localhost") {
-    rpcUrl = "http://127.0.0.1:8899";
-  } else if (chainName === "devnet") {
-    rpcUrl = "https://api.devnet.solana.com";
-  } else if (chainName === "testnet") {
-    rpcUrl = "https://api.testnet.solana.com";
-  } else if (chainName === "mainnet-beta") {
-    rpcUrl = "https://api.mainnet-beta.solana.com";
-  } else {
-    throw new Error(`Unknown chain name: ${chainName}`);
-  }
-  const connection = new import_web3.Connection(rpcUrl, "confirmed");
-  let simulation;
-  if (txn instanceof import_web3.VersionedTransaction) {
-    simulation = await connection.simulateTransaction(txn, {
-      sigVerify: true
-    });
-  } else {
-    simulation = await connection.simulateTransaction(txn);
-  }
-  if (simulation.value.err) {
-    throw new Error(`transaction simulation failed: ${JSON.stringify(simulation.value.err)}`);
+  var extra = {};
+  var error;
+  const start = performance.now();
+  try {
+    let rpcUrl;
+    if (chainName === "localnet" || chainName === "localhost") {
+      rpcUrl = "http://127.0.0.1:8899";
+    } else if (chainName === "devnet") {
+      rpcUrl = "https://api.devnet.solana.com";
+    } else if (chainName === "testnet") {
+      rpcUrl = "https://api.testnet.solana.com";
+    } else if (chainName === "mainnet-beta") {
+      rpcUrl = "https://api.mainnet-beta.solana.com";
+    } else {
+      extra["chainName"] = chainName;
+      throw `unsupported chain name`;
+    }
+    const connection = new import_web3.Connection(rpcUrl, "confirmed");
+    let simulation;
+    if (txn instanceof import_web3.VersionedTransaction) {
+      simulation = await connection.simulateTransaction(txn, {
+        sigVerify: true
+      });
+    } else {
+      simulation = await connection.simulateTransaction(txn);
+    }
+    if (simulation.value.err) {
+      extra["simulationError"] = simulation.value.err;
+      throw `transaction simulation failed`;
+    }
+  } catch (caught) {
+    error = caught;
+  } finally {
+    extra["executionTimeMs"] = performance.now() - start;
+    if (error !== void 0) {
+      return Result.Err({ error, extra });
+    } else {
+      return Result.Ok({ value: void 0, extra });
+    }
   }
 }
@@ -3098,11 +3305,16 @@ var EncryptionKey2 = class _EncryptionKey {
     this.ibeMpks = ibeMpks;
   }
   static async fetch({ committee }) {
-    const ibeMpks = await Promise.all(committee.workerEndpoints.map(async (endpoint) => {
-      const config = await worker_config_exports.get(endpoint);
-      return config.ibeMpk;
-    }));
-    return new _EncryptionKey({ ibeMpks });
+    const task = async (extra) => {
+      const workerConfigGetResults = await Promise.all(committee.workerEndpoints.map(async (endpoint) => {
+        return worker_config_exports.getAsync(endpoint);
+      }));
+      extra["workerConfigGetResults"] = workerConfigGetResults;
+      if (workerConfigGetResults.some((result) => !result.isOk)) throw "failed to get all worker configs";
+      const ibeMpks = workerConfigGetResults.map((result) => result.okValue.ibeMpk);
+      return new _EncryptionKey({ ibeMpks });
+    };
+    return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
   }
 };
 var DecryptionKey2 = class _DecryptionKey {
@@ -3111,43 +3323,43 @@ var DecryptionKey2 = class _DecryptionKey {
     this.ibeDecryptionKeys = ibeDecryptionKeys;
   }
   static async fetch({ committee, contractId, domain, proof }) {
-    const decKeyLoadResults = await Promise.all(committee.workerEndpoints.map(async (workerEndpoint) => {
-      const task = WorkerTask.newThresholdIbeDecryptionKey({ committee, contractId, domain, proof });
+    const task = async (extra) => {
+      extra["committee"] = committee;
+      const decKeyLoadResults = await Promise.all(committee.workerEndpoints.map(async (_workerEndpoint, index) => {
+        return _DecryptionKey.fetchDecKeyShare({ committee, contractId, domain, proof, index });
+      }));
+      extra["decKeyLoadResults"] = decKeyLoadResults;
+      const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult.isOk).length;
+      if (numSharesCollected < committee.threshold) throw `failed to collect enough shares`;
+      const decKeyShares = decKeyLoadResults.map((loadResult) => loadResult.okValue ?? null);
+      return new _DecryptionKey(decKeyShares);
+    };
+    return Result.captureAsync({ task, recordsExecutionTimeMs: true });
+  }
+  static async fetchDecKeyShare({ committee, contractId, domain, proof, index }) {
+    const task = async (extra) => {
+      const targetWorkerEndpoint = committee.workerEndpoints[index];
+      const task2 = WorkerTask.newThresholdIbeDecryptionKey({ committee, contractId, domain, proof });
       const controller = new AbortController();
       const timeoutId = setTimeout(() => controller.abort(), 5e3);
       var response = null;
       try {
-        response = await fetch(workerEndpoint, {
+        response = await fetch(targetWorkerEndpoint, {
           method: "POST",
-          body: task.toHex(),
+          body: task2.toHex(),
           signal: controller.signal
         });
       } catch (error) {
         clearTimeout(timeoutId);
       }
-      if (response == null) {
-        return new WorkerTimedOut();
-      }
+      if (response == null) throw "worker is not responding";
       const responseBody = await response.text();
-      if (response.status !== 200) {
-        return new WorkerRejected(response.status, responseBody);
-      }
-      try {
-        return IdentityPrivateKey2.fromHex(responseBody);
-      } catch (error) {
-        return new CouldNotParseDecryptionKey(responseBody);
-      }
-    }));
-    const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
-    if (numSharesCollected < committee.threshold) {
-      const workerResults = committee.workerEndpoints.map((workerEndpoint, i) => {
-        const result = decKeyLoadResults[i];
-        return `${workerEndpoint}: ${result instanceof IdentityPrivateKey2 ? "Success" : result.toDisplayString()}`;
-      }).join(", ");
-      throw new Error(`Failed to collect enough shares to decrypt. Collected ${numSharesCollected} shares, but needed ${committee.threshold} shares. Worker results: ${workerResults}`);
-    }
-    const decKeys = decKeyLoadResults.map((loadResult) => loadResult instanceof IdentityPrivateKey2 ? loadResult : null);
-    return new _DecryptionKey(decKeys);
+      extra["workerResponseStatus"] = response.status;
+      extra["workerResponseBody"] = responseBody;
+      if (response.status !== 200) throw `worker rejected: ${response.status}`;
+      return IdentityPrivateKey2.fromHex(responseBody);
+    };
+    return Result.captureAsync({ task, recordsExecutionTimeMs: true });
   }
 };
 var Ciphertext7 = class _Ciphertext {
@@ -3328,56 +3540,48 @@ function encrypt7({ committee, encryptionKey, contractId, domain, plaintext }) {
   const ibeCiphs = symmKeyShares.map((share, idx) => encrypt4(encryptionKey.ibeMpks[idx], fullDecryptionDomain.toBytes(), share.payload));
   return { fullDecryptionDomain, ciphertext: new Ciphertext7(symmCiph, ibeCiphs) };
 }
-function decrypt7({ decryptionKey, ciphertext }) {
-  if (decryptionKey.ibeDecryptionKeys.length !== ciphertext.ibeCiphs.length) {
-    throw new Error("decryptionKey.ibeDecryptionKeys.length !== ciphertext.ibeCiphs.length");
-  }
-  const symmKeyShares = ciphertext.ibeCiphs.map((ibeCiph, idx) => {
-    if (decryptionKey.ibeDecryptionKeys[idx] == null) return null;
-    const sharePayload = decrypt4(decryptionKey.ibeDecryptionKeys[idx], ibeCiph);
-    if (sharePayload == null) return null;
-    return new Share(idx + 1, sharePayload);
-  }).filter((share) => share != null);
-  const symmKeyBytes = combine(symmKeyShares);
-  const symmKey = Key2.fromBytes(symmKeyBytes);
-  return decrypt6(symmKey, ciphertext.aesCiph);
+function tryDecrypt5({ decryptionKey, ciphertext }) {
+  const task = (extra) => {
+    extra["numIbeDecryptionKeys"] = decryptionKey.ibeDecryptionKeys.length;
+    extra["numIbeCiphs"] = ciphertext.ibeCiphs.length;
+    if (decryptionKey.ibeDecryptionKeys.length !== ciphertext.ibeCiphs.length) {
+      throw "decryption key share count does not match ciphertext share count";
+    }
+    const unfilteredSymmKeyShares = ciphertext.ibeCiphs.map((ibeCiph, idx) => {
+      if (decryptionKey.ibeDecryptionKeys[idx] == null) return null;
+      const maybeSharePayload = tryDecrypt2(decryptionKey.ibeDecryptionKeys[idx], ibeCiph);
+      if (!maybeSharePayload.isOk) return null;
+      return new Share(idx + 1, maybeSharePayload.okValue);
+    });
+    extra["symmKeySharePresences"] = unfilteredSymmKeyShares.map((share) => share != null);
+    const symmKeyShares = unfilteredSymmKeyShares.filter((share) => share != null);
+    const symmKeyBytes = combine(symmKeyShares);
+    const symmKey = Key2.fromBytes(symmKeyBytes);
+    const symDecResult = tryDecrypt4(symmKey, ciphertext.aesCiph);
+    return symDecResult.unwrapOrThrow("symmetric decryption failed");
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
 }
-async function verifyAndExtract({ ibeMsk, committee, contractId, domain, proof }) {
-  const decryptionContext = new FullDecryptionDomain({ committee, contractId, domain });
-  if (contractId.scheme == ContractID3.SCHEME_APTOS && proof.scheme == ProofOfPermission3.SCHEME_APTOS) {
-    await verifyPermission({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
-  } else if (contractId.scheme == ContractID3.SCHEME_SOLANA && proof.scheme == ProofOfPermission3.SCHEME_SOLANA) {
-    await verifyPermission2({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
-  } else {
-    throw new Error(`Unknown scheme: contractId=${contractId.scheme}, proof=${proof.scheme}`);
-  }
-  return extract2(ibeMsk, decryptionContext.toBytes());
+async function tryExtract2({ ibeMsk, committee, contractId, domain, proof }) {
+  const task = async (extra) => {
+    extra["contractIdScheme"] = contractId.scheme;
+    extra["proofScheme"] = proof.scheme;
+    const decryptionContext = new FullDecryptionDomain({ committee, contractId, domain });
+    if (contractId.scheme == ContractID3.SCHEME_APTOS && proof.scheme == ProofOfPermission3.SCHEME_APTOS) {
+      const aptosResult = await verifyPermission({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
+      extra["verifyAptosResult"] = aptosResult;
+      if (!aptosResult.isOk) throw "aptos verification failed";
+    } else if (contractId.scheme == ContractID3.SCHEME_SOLANA && proof.scheme == ProofOfPermission3.SCHEME_SOLANA) {
+      const solanaResult = await verifyPermission2({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
+      extra["verifySolanaResult"] = solanaResult;
+      if (!solanaResult.isOk) throw "solana verification failed";
+    } else {
+      throw "unsupported scheme combination";
+    }
+    return extract2(ibeMsk, decryptionContext.toBytes());
+  };
+  return Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
-var WorkerTimedOut = class {
-  toDisplayString() {
-    return "Timed out";
-  }
-};
-var WorkerRejected = class {
-  statusCode;
-  responseBody;
-  constructor(statusCode, responseBody) {
-    this.statusCode = statusCode;
-    this.responseBody = responseBody;
-  }
-  toDisplayString() {
-    return `Rejected: ${this.statusCode} ${this.responseBody}`;
-  }
-};
-var CouldNotParseDecryptionKey = class {
-  originalHex;
-  constructor(originalHex) {
-    this.originalHex = originalHex;
-  }
-  toDisplayString() {
-    return `Could not parse decryption key: ${this.originalHex}`;
-  }
-};
 // src/worker_task.ts
 var TYPE_SILENT_SETUP_DECRYPTION_KEY = 5;
@@ -3607,16 +3811,16 @@ var DecryptionContext = class _DecryptionContext {
         clearTimeout(timeoutId);
       }
       if (response == null) {
-        return new WorkerTimedOut2();
+        return new WorkerTimedOut();
       }
       const responseBody = await response.text();
       if (response.status !== 200) {
-        return new WorkerRejected2(response.status, responseBody);
+        return new WorkerRejected(response.status, responseBody);
       }
       try {
         return IdentityPrivateKey2.fromHex(responseBody);
       } catch (error) {
-        return new CouldNotParseDecryptionKey2(responseBody);
+        return new CouldNotParseDecryptionKey(responseBody);
       }
     }));
     const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
@@ -3722,12 +3926,12 @@ var Decryptor = class {
     return decrypt6(symmKey, ciphertext.aesCiph);
   }
 };
-var WorkerTimedOut2 = class {
+var WorkerTimedOut = class {
   toDisplayString() {
     return "Timed out";
   }
 };
-var WorkerRejected2 = class {
+var WorkerRejected = class {
   statusCode;
   responseBody;
   constructor(statusCode, responseBody) {
@@ -3738,7 +3942,7 @@ var WorkerRejected2 = class {
     return `Rejected: ${this.statusCode} ${this.responseBody}`;
   }
 };
-var CouldNotParseDecryptionKey2 = class {
+var CouldNotParseDecryptionKey = class {
   originalHex;
   constructor(originalHex) {
     this.originalHex = originalHex;
@@ -4302,16 +4506,16 @@ var DecryptionContext2 = class _DecryptionContext {
         clearTimeout(timeoutId);
       }
       if (response == null) {
-        return new WorkerTimedOut3();
+        return new WorkerTimedOut2();
       }
       const responseBody = await response.text();
       if (response.status !== 200) {
-        return new WorkerRejected3(response.status, responseBody);
+        return new WorkerRejected2(response.status, responseBody);
       }
       try {
         return IdentityPrivateKey2.fromHex(responseBody);
       } catch (error) {
-        return new CouldNotParseDecryptionKey3(responseBody);
+        return new CouldNotParseDecryptionKey2(responseBody);
       }
     }));
     const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
@@ -4416,12 +4620,12 @@ var Decryptor2 = class {
     return decrypt6(symmKey, ciphertext.aesCiph);
   }
 };
-var WorkerTimedOut3 = class {
+var WorkerTimedOut2 = class {
   toDisplayString() {
     return "Timed out";
   }
 };
-var WorkerRejected3 = class {
+var WorkerRejected2 = class {
   statusCode;
   responseBody;
   constructor(statusCode, responseBody) {
@@ -4432,7 +4636,7 @@ var WorkerRejected3 = class {
     return `Rejected: ${this.statusCode} ${this.responseBody}`;
   }
 };
-var CouldNotParseDecryptionKey3 = class {
+var CouldNotParseDecryptionKey2 = class {
   originalHex;
   constructor(originalHex) {
     this.originalHex = originalHex;
@@ -4479,6 +4683,7 @@ var RequestForDecryptionKey2 = class _RequestForDecryptionKey {
   Enc,
   Group,
   IBE,
+  Result,
   Sig,
   SilentSetupEncryption,
   SilentSetupEncryptionXChain,