@zhoujun_aptos/octopus-ts-sdk-min 0.22.6 → 0.22.8

package/dist/esm/index.mjs

@@ -711,7 +711,9 @@ __export(ibe_exports, {
   encrypt: () => encrypt4,
   encryptWithRandomness: () => encryptWithRandomness4,
   extract: () => extract2,
-  keygen: () => keygen4
+  keygen: () => keygen4,
+  tryDecrypt: () => tryDecrypt2,
+  tryExtract: () => tryExtract
 });
 import { Deserializer as Deserializer5, Serializer as Serializer6 } from "@aptos-labs/ts-sdk";
 import { bytesToHex as bytesToHex5, hexToBytes as hexToBytes2 } from "@noble/curves/abstract/utils";
@@ -720,6 +722,84 @@ import { bytesToHex as bytesToHex5, hexToBytes as hexToBytes2 } from "@noble/cur
 import { bls12_381 } from "@noble/curves/bls12-381";
 import { bytesToNumberBE, bytesToNumberLE as bytesToNumberLE2, numberToBytesLE as numberToBytesLE2 } from "@noble/curves/utils";
 import { bytesToHex as bytesToHex4, randomBytes } from "@noble/hashes/utils";
+
+// src/result.ts
+var Result = class _Result {
+  isOk;
+  okValue;
+  errValue;
+  extra;
+  constructor({ isOk, okValue, errValue, extra }) {
+    this.isOk = isOk;
+    this.okValue = okValue;
+    this.errValue = errValue;
+    this.extra = extra;
+  }
+  static Ok(args) {
+    return new _Result({ isOk: true, okValue: args.value, extra: args.extra });
+  }
+  static Err(args) {
+    return new _Result({ isOk: false, errValue: args.error, extra: args.extra });
+  }
+  /**
+   * You write a closure that either returns a T or throws, and we wrap it to return a Result<T>.
+   * Your closure is also given an `extra` dictionary to record additional context.
+   */
+  static capture({ task, recordsExecutionTimeMs = false }) {
+    const start = performance.now();
+    var extra = {};
+    var error;
+    var okValue;
+    try {
+      okValue = task(extra);
+    } catch (caught) {
+      error = caught;
+    } finally {
+      if (recordsExecutionTimeMs) {
+        extra["_sdk_execution_time_ms"] = performance.now() - start;
+      }
+      if (error !== void 0) {
+        return _Result.Err({ error, extra });
+      } else {
+        return _Result.Ok({ value: okValue, extra });
+      }
+    }
+  }
+  /**
+   * You write an async closure that either returns a T or throws, and we wrap it to return a Result<T>.
+   * Your closure is also given an `extra` dictionary to record additional context.
+   */
+  static async captureAsync({ task, recordsExecutionTimeMs = false }) {
+    var extra = {};
+    const start = performance.now();
+    var error;
+    var okValue;
+    try {
+      okValue = await task(extra);
+    } catch (caught) {
+      error = caught;
+    } finally {
+      if (recordsExecutionTimeMs) {
+        extra["_sdk_execution_time_ms"] = performance.now() - start;
+      }
+      if (error !== void 0) {
+        return _Result.Err({ error, extra });
+      } else {
+        return _Result.Ok({ value: okValue, extra });
+      }
+    }
+  }
+  unwrapOrThrow(tothrow) {
+    if (!this.isOk) throw tothrow;
+    return this.okValue;
+  }
+  unwrapErrOrThrow(tothrow) {
+    if (this.isOk) throw tothrow;
+    return this.errValue;
+  }
+};
+
+// src/ibe/otp_hmac_boneh_franklin_bls12381_short_pk.ts
 var DST_OTP = new TextEncoder().encode("BONEH_FRANKLIN_BLS12381_SHORT_PK/OTP");
 var DST_ID_HASH = new TextEncoder().encode("BONEH_FRANKLIN_BLS12381_SHORT_PK/HASH_ID_TO_CURVE");
 var DST_MAC = new TextEncoder().encode("BONEH_FRANKLIN_BLS12381_SHORT_PK/MAC");
@@ -853,6 +933,21 @@ function decrypt3(identityKey, ciphertext) {
   const plaintext = xorBytes(otp, ciphertext.symmetricCiph);
   return plaintext;
 }
+function tryDecrypt(identityKey, ciphertext) {
+  const task = (_extra) => {
+    const seedElementGt = bls12_381.pairing(ciphertext.c0, identityKey.privatePointG2);
+    const seed = bls12381GtReprNobleToAptos(bls12_381.fields.Fp12.toBytes(seedElementGt));
+    const macKey = kdf(seed, DST_MAC, 32);
+    const macAnother = hmac_sha3_256(macKey, ciphertext.symmetricCiph);
+    if (bytesToHex4(ciphertext.mac) !== bytesToHex4(macAnother)) {
+      throw "decryption failed";
+    }
+    const otp = kdf(seed, DST_OTP, ciphertext.symmetricCiph.length);
+    const plaintext = xorBytes(otp, ciphertext.symmetricCiph);
+    return plaintext;
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
+}
 
 // src/ibe/index.ts
 var SCHEME_OTP_HAMC_BONEH_FRANKLIN_BLS12381_SHORT_PK = 0;
@@ -1083,12 +1178,36 @@ function extract2(privateKey, id) {
   }
   throw new Error(`Unknown scheme: ${privateKey.scheme}`);
 }
+function tryExtract(privateKey, id) {
+  const task = (extra) => {
+    extra["scheme"] = privateKey.scheme;
+    if (privateKey.scheme == SCHEME_OTP_HAMC_BONEH_FRANKLIN_BLS12381_SHORT_PK) {
+      return new IdentityPrivateKey2(
+        SCHEME_OTP_HAMC_BONEH_FRANKLIN_BLS12381_SHORT_PK,
+        extract(privateKey.inner, id)
+      );
+    }
+    throw `unknown scheme`;
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
+}
 function decrypt4(identityKey, ciphertext) {
   if (identityKey.scheme == SCHEME_OTP_HAMC_BONEH_FRANKLIN_BLS12381_SHORT_PK) {
     return decrypt3(identityKey.inner, ciphertext.inner);
   }
   throw new Error(`Unknown scheme: ${identityKey.scheme}`);
 }
+function tryDecrypt2(identityKey, ciphertext) {
+  const task = (extra) => {
+    extra["scheme"] = identityKey.scheme;
+    if (identityKey.scheme == SCHEME_OTP_HAMC_BONEH_FRANKLIN_BLS12381_SHORT_PK) {
+      const innerResult = tryDecrypt(identityKey.inner, ciphertext.inner);
+      return innerResult.unwrapOrThrow("OtpHmacBonehFranklinBls12381ShortPK.tryDecrypt failed");
+    }
+    throw `unknown scheme`;
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
+}
 
 // src/sig/index.ts
 var sig_exports = {};
@@ -2155,7 +2274,8 @@ __export(sym_exports, {
   decrypt: () => decrypt6,
   encrypt: () => encrypt6,
   encryptWithRandomness: () => encryptWithRandomness6,
-  keygen: () => keygen8
+  keygen: () => keygen8,
+  tryDecrypt: () => tryDecrypt4
 });
 import { Deserializer as Deserializer9, Serializer as Serializer10 } from "@aptos-labs/ts-sdk";
 import { bytesToHex as bytesToHex9 } from "@noble/curves/utils";
@@ -2256,6 +2376,16 @@ function decrypt5(key, ciphertext) {
     return void 0;
   }
 }
+function tryDecrypt3(key, ciphertext) {
+  const task = (_extra) => {
+    const gcmInstance = gcm(key.inner, ciphertext.iv);
+    const encryptedData = new Uint8Array(ciphertext.ct.length + ciphertext.tag.length);
+    encryptedData.set(ciphertext.ct, 0);
+    encryptedData.set(ciphertext.tag, ciphertext.ct.length);
+    return gcmInstance.decrypt(encryptedData);
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
+}
 
 // src/sym/index.ts
 var SCHEME_AES256GCM = 0;
@@ -2365,12 +2495,24 @@ function decrypt6(key, ciphertext) {
   }
   throw new Error("Invalid scheme");
 }
+function tryDecrypt4(key, ciphertext) {
+  const task = (extra) => {
+    extra["scheme"] = key.scheme;
+    if (key.scheme === SCHEME_AES256GCM) {
+      const innerResult = tryDecrypt3(key.inner, ciphertext.inner);
+      return innerResult.unwrapOrThrow("AES256GCM decryption failed");
+    }
+    throw `unknown scheme`;
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
+}
 
 // src/worker_config.ts
 var worker_config_exports = {};
 __export(worker_config_exports, {
   WorkerConfig: () => WorkerConfig,
   get: () => get,
+  getAsync: () => getAsync,
   randWorker: () => randWorker,
   view: () => view
 });
@@ -2460,6 +2602,23 @@ async function get(workerEndpoint) {
   const hex = await response.text();
   return WorkerConfig.fromHex(hex);
 }
+async function getAsync(workerEndpoint) {
+  const task = async (extra) => {
+    const url = `${workerEndpoint}/config_bcs`;
+    extra["url"] = url;
+    const response = await fetch(url, {
+      method: "GET"
+    });
+    extra["responseStatus"] = response.status;
+    extra["responseStatusText"] = response.statusText;
+    if (!response.ok) {
+      throw `Failed to fetch worker config: ${response.status} ${response.statusText}`;
+    }
+    const hex = await response.text();
+    return WorkerConfig.fromHex(hex);
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
 function randWorker() {
   const addr = new AccountAddress(utils_exports.randBytes(32));
   const encDk = keygen2();
@@ -2486,16 +2645,16 @@ __export(threshold_ibe_exports, {
   EncryptionKey: () => EncryptionKey2,
   FullDecryptionDomain: () => FullDecryptionDomain,
   ProofOfPermission: () => ProofOfPermission3,
-  decrypt: () => decrypt7,
   encrypt: () => encrypt7,
-  verifyAndExtract: () => verifyAndExtract
+  tryDecrypt: () => tryDecrypt5,
+  tryExtract: () => tryExtract2
 });
 import { Deserializer as Deserializer13, Serializer as Serializer14 } from "@aptos-labs/ts-sdk";
 import { bytesToHex as bytesToHex13, hexToBytes as hexToBytes8 } from "@noble/hashes/utils";
 import * as SolanaSDK from "@solana/web3.js";
 
 // src/threshold-ibe/aptos.ts
-import { AccountAddress as AccountAddress2, AnyPublicKey, AnySignature, Aptos as Aptos2, AptosConfig as AptosConfig2, Deserializer as Deserializer11, Ed25519PublicKey, Ed25519Signature, FederatedKeylessPublicKey, KeylessPublicKey, KeylessSignature, MultiEd25519PublicKey, MultiEd25519Signature, MultiKey, MultiKeySignature, Network as Network3, Serializer as Serializer12 } from "@aptos-labs/ts-sdk";
+import { AccountAddress as AccountAddress2, AccountPublicKey, AnyPublicKey, AnySignature, Aptos as Aptos2, AptosConfig as AptosConfig2, Deserializer as Deserializer11, Ed25519PublicKey, Ed25519Signature, FederatedKeylessPublicKey, KeylessPublicKey, KeylessSignature, MultiEd25519PublicKey, MultiEd25519Signature, MultiKey, MultiKeySignature, Network as Network3, Serializer as Serializer12 } from "@aptos-labs/ts-sdk";
 import { bytesToHex as bytesToHex11, hexToBytes as hexToBytes6 } from "@noble/hashes/utils";
 var ContractID = class _ContractID {
   chainId;
@@ -2676,64 +2835,76 @@ var ProofOfPermission = class _ProofOfPermission {
   }
 };
 async function verifyPermission({ fullDecryptionDomain, proof }) {
-  const aptos = createAptos(getChainNameFromChainId(fullDecryptionDomain.getAptosContractID().chainId));
-  const taskVerifySig = async () => {
+  const task = async (extra) => {
+    const aptos = createAptos(getChainNameFromChainId(fullDecryptionDomain.getAptosContractID().chainId));
+    const [verifySigResult, checkAuthKeyResult, checkPermissionResult] = await Promise.all([
+      verifySig({ aptos, fullDecryptionDomain, proof }),
+      checkAuthKey({ aptos, userAddr: proof.userAddr, publicKey: proof.publicKey }),
+      checkPermission({ aptos, fullDecryptionDomain, proof })
+    ]);
+    extra["verifySigResult"] = verifySigResult;
+    extra["checkAuthKeyResult"] = checkAuthKeyResult;
+    extra["checkPermissionResult"] = checkPermissionResult;
+    if (!verifySigResult.isOk || !checkAuthKeyResult.isOk || !checkPermissionResult.isOk) {
+      throw "one or more sub-checks failed";
+    }
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function verifySig({ aptos, fullDecryptionDomain, proof }) {
+  const task = async (extra) => {
     const msgToSign = fullDecryptionDomain.toPrettyMessage();
     const msgToSignHex = bytesToHex11(new TextEncoder().encode(msgToSign));
-    const fullMessageFromPetra = proof.fullMessage.includes(msgToSign);
-    const fullMessageFromAptosConnect = proof.fullMessage.includes(msgToSignHex);
-    if (!fullMessageFromPetra && !fullMessageFromAptosConnect) return false;
-    try {
-      return await proof.publicKey.verifySignatureAsync({
-        aptosConfig: aptos.config,
-        message: proof.fullMessage,
-        signature: proof.signature
-      });
-    } catch (error) {
-      return false;
-    }
+    const fullMessageSeemsFromPetra = proof.fullMessage.includes(msgToSign);
+    const fullMessageSeemsFromAptosConnect = proof.fullMessage.includes(msgToSignHex);
+    extra["msgToSign"] = msgToSign;
+    extra["msgToSignHex"] = msgToSignHex;
+    extra["fullMessageSeemsFromPetra"] = fullMessageSeemsFromPetra;
+    extra["fullMessageSeemsFromAptosConnect"] = fullMessageSeemsFromAptosConnect;
+    if (!fullMessageSeemsFromPetra && !fullMessageSeemsFromAptosConnect) throw "fullMessage does not contain fullDecryptionDomain or its hex";
+    const sigValid = await proof.publicKey.verifySignatureAsync({
+      aptosConfig: aptos.config,
+      message: proof.fullMessage,
+      signature: proof.signature
+    });
+    if (!sigValid) throw "verifySignatureAsync failed";
   };
-  const taskCheckAuthKey = async () => {
-    try {
-      const onChainAuthKeyBytes = await getAccountAuthKeyBytes(aptos, proof.userAddr);
-      const userAuthKeyBytes = proof.publicKey.authKey().bcsToBytes();
-      const onChainHex = bytesToHex11(onChainAuthKeyBytes);
-      const userHex = bytesToHex11(userAuthKeyBytes);
-      console.log(`onChainHex: ${onChainHex}`);
-      console.log(`userHex   : ${userHex}`);
-      return onChainHex === userHex;
-    } catch (error) {
-      return false;
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function checkAuthKey({ aptos, userAddr, publicKey }) {
+  const task = async (extra) => {
+    if (!(publicKey instanceof AccountPublicKey)) {
+      throw "publicKey is not an AccountPublicKey";
     }
+    const onChainAuthKeyBytes = await getAccountAuthKeyBytes(aptos, userAddr);
+    const userAuthKeyBytes = publicKey.authKey().bcsToBytes();
+    const onChainHex = bytesToHex11(onChainAuthKeyBytes);
+    const userHex = bytesToHex11(userAuthKeyBytes);
+    extra["onChainHex"] = onChainHex;
+    extra["userHex"] = userHex;
+    if (onChainHex !== userHex) throw "on-chain auth key does not match user auth key";
   };
-  const taskCheckPermission = async () => {
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
+}
+async function checkPermission({ aptos, fullDecryptionDomain, proof }) {
+  const task = async (extra) => {
     const contractId = fullDecryptionDomain.getAptosContractID();
-    try {
-      const userIsPermittedMoveVal = await view2(
-        aptos,
-        `${contractId.moduleAddr.toStringLong()}::${contractId.moduleName}::${contractId.functionName}`,
-        [],
-        [proof.userAddr, fullDecryptionDomain.domain]
-      );
-      return userIsPermittedMoveVal?.toString() === "true";
-    } catch (error) {
-      return false;
+    const viewFunctionInvocationResult = await view2({
+      aptos,
+      func: `${contractId.moduleAddr.toStringLong()}::${contractId.moduleName}::${contractId.functionName}`,
+      typeArguments: [],
+      functionArguments: [proof.userAddr, fullDecryptionDomain.domain]
+    });
+    extra["viewFunctionInvocationResult"] = viewFunctionInvocationResult;
+    if (!viewFunctionInvocationResult.isOk) {
+      throw "view function invocation failed";
+    }
+    const returnedMoveValue = viewFunctionInvocationResult.okValue;
+    if (returnedMoveValue?.toString() !== "true") {
+      throw "access control contract return value is not true";
     }
   };
-  const [sigIsValid, authKeyMatches, userIsPermitted] = await Promise.all([
-    taskVerifySig(),
-    taskCheckAuthKey(),
-    taskCheckPermission()
-  ]);
-  if (!sigIsValid) {
-    throw new Error("Signature invalid.");
-  }
-  if (!authKeyMatches) {
-    throw new Error("Authentication key mismatch: on-chain key does not match provided public key.");
-  }
-  if (!userIsPermitted) {
-    throw new Error("Permission denied.");
-  }
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
 function getChainNameFromChainId(chainId) {
   if (chainId === 1) {
@@ -2770,18 +2941,22 @@ async function getAccountAuthKeyBytes(aptos, address) {
   const accountInfo = await aptos.getAccountInfo({ accountAddress: address });
   return hexToBytes6(accountInfo.authentication_key.replace("0x", ""));
 }
-async function view2(aptos, func, typeArguments, functionArguments) {
-  const result = await aptos.view({
-    payload: {
-      function: func,
-      typeArguments,
-      functionArguments
+async function view2({ aptos, func, typeArguments, functionArguments }) {
+  const task = async (extra) => {
+    const returnedMoveValues = await aptos.view({
+      payload: {
+        function: func,
+        typeArguments,
+        functionArguments
+      }
+    });
+    extra["returnedMoveValues"] = returnedMoveValues;
+    if (returnedMoveValues.length === 0) {
+      throw `aptos.view returned an empty list`;
     }
-  });
-  if (result.length === 0) {
-    throw new Error(`View function returned empty result`);
-  }
-  return result[0];
+    return returnedMoveValues[0];
+  };
+  return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
 
 // src/threshold-ibe/solana.ts
@@ -2882,76 +3057,107 @@ var ProofOfPermission2 = class _ProofOfPermission {
   }
 };
 async function verifyPermission2({ fullDecryptionDomain, proof }) {
-  const txn = proof.inner;
-  assertTransactionValid({ txn, fullDecryptionDomain });
-  await assertTransactionSimulationPasses(txn, fullDecryptionDomain.getSolanaContractID().knownChainName);
-}
-function assertTransactionValid({ txn, fullDecryptionDomain }) {
-  let instructions;
-  if (txn instanceof VersionedTransaction) {
-    const message = txn.message;
-    instructions = message.compiledInstructions.map((ix) => {
-      if (ix.programIdIndex >= message.staticAccountKeys.length) {
-        throw new Error(`Program ID index ${ix.programIdIndex} is out of bounds for static account keys (length: ${message.staticAccountKeys.length}). Address table lookups are not supported for validation.`);
-      }
-      const programId = message.staticAccountKeys[ix.programIdIndex];
-      return { programId, data: Buffer.from(ix.data) };
-    });
-  } else {
-    instructions = txn.instructions.map((ix) => ({
-      programId: ix.programId,
-      data: Buffer.from(ix.data)
-    }));
-  }
-  if (instructions.length !== 1) {
-    throw new Error(`transaction must contain exactly 1 instruction, found ${instructions.length}`);
-  }
-  const instruction = instructions[0];
-  if (!instruction.programId.equals(fullDecryptionDomain.getSolanaContractID().programId)) {
-    throw new Error(`transaction instruction program ID (${instruction.programId.toString()}) does not match contract program ID`);
-  }
-  const instructionData = instruction.data;
-  if (instructionData.length < 12) {
-    throw new Error("instruction data too short (must be at least 12 bytes: 8-byte discriminator + 4-byte Vec length)");
-  }
-  const paramData = instructionData.slice(8);
-  const vecLength = paramData.readUInt32LE(0);
-  if (paramData.length < 4 + vecLength) {
-    throw new Error(`instruction data incomplete: expected ${4 + vecLength} bytes after discriminator, found ${paramData.length}`);
-  }
-  const fullBlobNameBytes = paramData.slice(4, 4 + vecLength);
-  const expectedParamDataLength = 4 + vecLength;
-  if (paramData.length > expectedParamDataLength) {
-    throw new Error(`instruction data has extra bytes: expected exactly ${expectedParamDataLength} bytes after discriminator, found ${paramData.length}`);
+  var extra = {};
+  try {
+    const txn = proof.inner;
+    const validateTxnResult = validateTxn({ txn, fullDecryptionDomain });
+    if (!validateTxnResult.isOk) {
+      extra["causedBy"] = validateTxnResult.extra;
+      throw "transaction is invalid";
+    }
+    const simulationResult = await assertTransactionSimulationPasses(txn, fullDecryptionDomain.getSolanaContractID().knownChainName);
+    if (!simulationResult.isOk) {
+      extra["causedBy"] = simulationResult.extra;
+      throw "transaction simulation failed";
+    }
+    return Result.Ok({ value: void 0, extra });
+  } catch (error) {
+    return Result.Err({ error, extra });
   }
-  if (bytesToHex12(fullBlobNameBytes) !== fullDecryptionDomain.toHex()) {
-    throw new Error(`domain mismatch: instruction parameter does not match decryptionContext.domain`);
+}
+function validateTxn({ txn, fullDecryptionDomain }) {
+  try {
+    let instructions;
+    if (txn instanceof VersionedTransaction) {
+      const message = txn.message;
+      instructions = message.compiledInstructions.map((ix) => {
+        if (ix.programIdIndex >= message.staticAccountKeys.length) {
+          throw `some program ID index is out of bounds for static account keys (are you using address table lookups? threshold-ibe does not support it yet)`;
+        }
+        const programId = message.staticAccountKeys[ix.programIdIndex];
+        return { programId, data: Buffer.from(ix.data) };
+      });
+    } else {
+      instructions = txn.instructions.map((ix) => ({
+        programId: ix.programId,
+        data: Buffer.from(ix.data)
+      }));
+    }
+    if (instructions.length !== 1) throw `transaction must contain exactly 1 instruction`;
+    const instruction = instructions[0];
+    if (!instruction.programId.equals(fullDecryptionDomain.getSolanaContractID().programId)) {
+      throw `transaction instruction program ID does not match contract program ID`;
+    }
+    const instructionData = instruction.data;
+    if (instructionData.length < 12) {
+      throw "instruction data too short";
+    }
+    const paramData = instructionData.slice(8);
+    const vecLength = paramData.readUInt32LE(0);
+    if (paramData.length < 4 + vecLength) throw `instruction data incomplete`;
+    const domainAsTxnParam = paramData.slice(4, 4 + vecLength);
+    const expectedParamDataLength = 4 + vecLength;
+    if (paramData.length > expectedParamDataLength) {
+      throw `instruction data has extra bytes`;
+    }
+    if (bytesToHex12(domainAsTxnParam) !== bytesToHex12(fullDecryptionDomain.domain)) {
+      throw `instruction parameter does not match decryptionContext.domain`;
+    }
+    return Result.Ok({ value: void 0 });
+  } catch (error) {
+    return Result.Err({ error });
   }
 }
 async function assertTransactionSimulationPasses(txn, chainName) {
-  let rpcUrl;
-  if (chainName === "localnet" || chainName === "localhost") {
-    rpcUrl = "http://127.0.0.1:8899";
-  } else if (chainName === "devnet") {
-    rpcUrl = "https://api.devnet.solana.com";
-  } else if (chainName === "testnet") {
-    rpcUrl = "https://api.testnet.solana.com";
-  } else if (chainName === "mainnet-beta") {
-    rpcUrl = "https://api.mainnet-beta.solana.com";
-  } else {
-    throw new Error(`Unknown chain name: ${chainName}`);
-  }
-  const connection = new Connection(rpcUrl, "confirmed");
-  let simulation;
-  if (txn instanceof VersionedTransaction) {
-    simulation = await connection.simulateTransaction(txn, {
-      sigVerify: true
-    });
-  } else {
-    simulation = await connection.simulateTransaction(txn);
-  }
-  if (simulation.value.err) {
-    throw new Error(`transaction simulation failed: ${JSON.stringify(simulation.value.err)}`);
+  var extra = {};
+  var error;
+  const start = performance.now();
+  try {
+    let rpcUrl;
+    if (chainName === "localnet" || chainName === "localhost") {
+      rpcUrl = "http://127.0.0.1:8899";
+    } else if (chainName === "devnet") {
+      rpcUrl = "https://api.devnet.solana.com";
+    } else if (chainName === "testnet") {
+      rpcUrl = "https://api.testnet.solana.com";
+    } else if (chainName === "mainnet-beta") {
+      rpcUrl = "https://api.mainnet-beta.solana.com";
+    } else {
+      extra["chainName"] = chainName;
+      throw `unsupported chain name`;
+    }
+    const connection = new Connection(rpcUrl, "confirmed");
+    let simulation;
+    if (txn instanceof VersionedTransaction) {
+      simulation = await connection.simulateTransaction(txn, {
+        sigVerify: true
+      });
+    } else {
+      simulation = await connection.simulateTransaction(txn);
+    }
+    if (simulation.value.err) {
+      extra["simulationError"] = simulation.value.err;
+      throw `transaction simulation failed`;
+    }
+  } catch (caught) {
+    error = caught;
+  } finally {
+    extra["executionTimeMs"] = performance.now() - start;
+    if (error !== void 0) {
+      return Result.Err({ error, extra });
+    } else {
+      return Result.Ok({ value: void 0, extra });
+    }
   }
 }
 
@@ -3057,11 +3263,16 @@ var EncryptionKey2 = class _EncryptionKey {
     this.ibeMpks = ibeMpks;
   }
   static async fetch({ committee }) {
-    const ibeMpks = await Promise.all(committee.workerEndpoints.map(async (endpoint) => {
-      const config = await worker_config_exports.get(endpoint);
-      return config.ibeMpk;
-    }));
-    return new _EncryptionKey({ ibeMpks });
+    const task = async (extra) => {
+      const workerConfigGetResults = await Promise.all(committee.workerEndpoints.map(async (endpoint) => {
+        return worker_config_exports.getAsync(endpoint);
+      }));
+      extra["workerConfigGetResults"] = workerConfigGetResults;
+      if (workerConfigGetResults.some((result) => !result.isOk)) throw "failed to get all worker configs";
+      const ibeMpks = workerConfigGetResults.map((result) => result.okValue.ibeMpk);
+      return new _EncryptionKey({ ibeMpks });
+    };
+    return await Result.captureAsync({ task, recordsExecutionTimeMs: true });
   }
 };
 var DecryptionKey2 = class _DecryptionKey {
@@ -3070,43 +3281,43 @@ var DecryptionKey2 = class _DecryptionKey {
     this.ibeDecryptionKeys = ibeDecryptionKeys;
   }
   static async fetch({ committee, contractId, domain, proof }) {
-    const decKeyLoadResults = await Promise.all(committee.workerEndpoints.map(async (workerEndpoint) => {
-      const task = WorkerTask.newThresholdIbeDecryptionKey({ committee, contractId, domain, proof });
+    const task = async (extra) => {
+      extra["committee"] = committee;
+      const decKeyLoadResults = await Promise.all(committee.workerEndpoints.map(async (_workerEndpoint, index) => {
+        return _DecryptionKey.fetchDecKeyShare({ committee, contractId, domain, proof, index });
+      }));
+      extra["decKeyLoadResults"] = decKeyLoadResults;
+      const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult.isOk).length;
+      if (numSharesCollected < committee.threshold) throw `failed to collect enough shares`;
+      const decKeyShares = decKeyLoadResults.map((loadResult) => loadResult.okValue ?? null);
+      return new _DecryptionKey(decKeyShares);
+    };
+    return Result.captureAsync({ task, recordsExecutionTimeMs: true });
+  }
+  static async fetchDecKeyShare({ committee, contractId, domain, proof, index }) {
+    const task = async (extra) => {
+      const targetWorkerEndpoint = committee.workerEndpoints[index];
+      const task2 = WorkerTask.newThresholdIbeDecryptionKey({ committee, contractId, domain, proof });
       const controller = new AbortController();
       const timeoutId = setTimeout(() => controller.abort(), 5e3);
       var response = null;
       try {
-        response = await fetch(workerEndpoint, {
+        response = await fetch(targetWorkerEndpoint, {
           method: "POST",
-          body: task.toHex(),
+          body: task2.toHex(),
           signal: controller.signal
         });
       } catch (error) {
         clearTimeout(timeoutId);
       }
-      if (response == null) {
-        return new WorkerTimedOut();
-      }
+      if (response == null) throw "worker is not responding";
       const responseBody = await response.text();
-      if (response.status !== 200) {
-        return new WorkerRejected(response.status, responseBody);
-      }
-      try {
-        return IdentityPrivateKey2.fromHex(responseBody);
-      } catch (error) {
-        return new CouldNotParseDecryptionKey(responseBody);
-      }
-    }));
-    const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
-    if (numSharesCollected < committee.threshold) {
-      const workerResults = committee.workerEndpoints.map((workerEndpoint, i) => {
-        const result = decKeyLoadResults[i];
-        return `${workerEndpoint}: ${result instanceof IdentityPrivateKey2 ? "Success" : result.toDisplayString()}`;
-      }).join(", ");
-      throw new Error(`Failed to collect enough shares to decrypt. Collected ${numSharesCollected} shares, but needed ${committee.threshold} shares. Worker results: ${workerResults}`);
-    }
-    const decKeys = decKeyLoadResults.map((loadResult) => loadResult instanceof IdentityPrivateKey2 ? loadResult : null);
-    return new _DecryptionKey(decKeys);
+      extra["workerResponseStatus"] = response.status;
+      extra["workerResponseBody"] = responseBody;
+      if (response.status !== 200) throw `worker rejected: ${response.status}`;
+      return IdentityPrivateKey2.fromHex(responseBody);
+    };
+    return Result.captureAsync({ task, recordsExecutionTimeMs: true });
   }
 };
 var Ciphertext7 = class _Ciphertext {
@@ -3287,56 +3498,48 @@ function encrypt7({ committee, encryptionKey, contractId, domain, plaintext }) {
   const ibeCiphs = symmKeyShares.map((share, idx) => encrypt4(encryptionKey.ibeMpks[idx], fullDecryptionDomain.toBytes(), share.payload));
   return { fullDecryptionDomain, ciphertext: new Ciphertext7(symmCiph, ibeCiphs) };
 }
-function decrypt7({ decryptionKey, ciphertext }) {
-  if (decryptionKey.ibeDecryptionKeys.length !== ciphertext.ibeCiphs.length) {
-    throw new Error("decryptionKey.ibeDecryptionKeys.length !== ciphertext.ibeCiphs.length");
-  }
-  const symmKeyShares = ciphertext.ibeCiphs.map((ibeCiph, idx) => {
-    if (decryptionKey.ibeDecryptionKeys[idx] == null) return null;
-    const sharePayload = decrypt4(decryptionKey.ibeDecryptionKeys[idx], ibeCiph);
-    if (sharePayload == null) return null;
-    return new Share(idx + 1, sharePayload);
-  }).filter((share) => share != null);
-  const symmKeyBytes = combine(symmKeyShares);
-  const symmKey = Key2.fromBytes(symmKeyBytes);
-  return decrypt6(symmKey, ciphertext.aesCiph);
+function tryDecrypt5({ decryptionKey, ciphertext }) {
+  const task = (extra) => {
+    extra["numIbeDecryptionKeys"] = decryptionKey.ibeDecryptionKeys.length;
+    extra["numIbeCiphs"] = ciphertext.ibeCiphs.length;
+    if (decryptionKey.ibeDecryptionKeys.length !== ciphertext.ibeCiphs.length) {
+      throw "decryption key share count does not match ciphertext share count";
+    }
+    const unfilteredSymmKeyShares = ciphertext.ibeCiphs.map((ibeCiph, idx) => {
+      if (decryptionKey.ibeDecryptionKeys[idx] == null) return null;
+      const maybeSharePayload = tryDecrypt2(decryptionKey.ibeDecryptionKeys[idx], ibeCiph);
+      if (!maybeSharePayload.isOk) return null;
+      return new Share(idx + 1, maybeSharePayload.okValue);
+    });
+    extra["symmKeySharePresences"] = unfilteredSymmKeyShares.map((share) => share != null);
+    const symmKeyShares = unfilteredSymmKeyShares.filter((share) => share != null);
+    const symmKeyBytes = combine(symmKeyShares);
+    const symmKey = Key2.fromBytes(symmKeyBytes);
+    const symDecResult = tryDecrypt4(symmKey, ciphertext.aesCiph);
+    return symDecResult.unwrapOrThrow("symmetric decryption failed");
+  };
+  return Result.capture({ task, recordsExecutionTimeMs: true });
 }
-async function verifyAndExtract({ ibeMsk, committee, contractId, domain, proof }) {
-  const decryptionContext = new FullDecryptionDomain({ committee, contractId, domain });
-  if (contractId.scheme == ContractID3.SCHEME_APTOS && proof.scheme == ProofOfPermission3.SCHEME_APTOS) {
-    await verifyPermission({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
-  } else if (contractId.scheme == ContractID3.SCHEME_SOLANA && proof.scheme == ProofOfPermission3.SCHEME_SOLANA) {
-    await verifyPermission2({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
-  } else {
-    throw new Error(`Unknown scheme: contractId=${contractId.scheme}, proof=${proof.scheme}`);
-  }
-  return extract2(ibeMsk, decryptionContext.toBytes());
+async function tryExtract2({ ibeMsk, committee, contractId, domain, proof }) {
+  const task = async (extra) => {
+    extra["contractIdScheme"] = contractId.scheme;
+    extra["proofScheme"] = proof.scheme;
+    const decryptionContext = new FullDecryptionDomain({ committee, contractId, domain });
+    if (contractId.scheme == ContractID3.SCHEME_APTOS && proof.scheme == ProofOfPermission3.SCHEME_APTOS) {
+      const aptosResult = await verifyPermission({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
+      extra["verifyAptosResult"] = aptosResult;
+      if (!aptosResult.isOk) throw "aptos verification failed";
+    } else if (contractId.scheme == ContractID3.SCHEME_SOLANA && proof.scheme == ProofOfPermission3.SCHEME_SOLANA) {
+      const solanaResult = await verifyPermission2({ fullDecryptionDomain: decryptionContext, proof: proof.inner });
+      extra["verifySolanaResult"] = solanaResult;
+      if (!solanaResult.isOk) throw "solana verification failed";
+    } else {
+      throw "unsupported scheme combination";
+    }
+    return extract2(ibeMsk, decryptionContext.toBytes());
+  };
+  return Result.captureAsync({ task, recordsExecutionTimeMs: true });
 }
-var WorkerTimedOut = class {
-  toDisplayString() {
-    return "Timed out";
-  }
-};
-var WorkerRejected = class {
-  statusCode;
-  responseBody;
-  constructor(statusCode, responseBody) {
-    this.statusCode = statusCode;
-    this.responseBody = responseBody;
-  }
-  toDisplayString() {
-    return `Rejected: ${this.statusCode} ${this.responseBody}`;
-  }
-};
-var CouldNotParseDecryptionKey = class {
-  originalHex;
-  constructor(originalHex) {
-    this.originalHex = originalHex;
-  }
-  toDisplayString() {
-    return `Could not parse decryption key: ${this.originalHex}`;
-  }
-};
 
 // src/worker_task.ts
 var TYPE_SILENT_SETUP_DECRYPTION_KEY = 5;
@@ -3566,16 +3769,16 @@ var DecryptionContext = class _DecryptionContext {
         clearTimeout(timeoutId);
       }
       if (response == null) {
-        return new WorkerTimedOut2();
+        return new WorkerTimedOut();
       }
       const responseBody = await response.text();
       if (response.status !== 200) {
-        return new WorkerRejected2(response.status, responseBody);
+        return new WorkerRejected(response.status, responseBody);
       }
       try {
         return IdentityPrivateKey2.fromHex(responseBody);
       } catch (error) {
-        return new CouldNotParseDecryptionKey2(responseBody);
+        return new CouldNotParseDecryptionKey(responseBody);
       }
     }));
     const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
@@ -3681,12 +3884,12 @@ var Decryptor = class {
     return decrypt6(symmKey, ciphertext.aesCiph);
   }
 };
-var WorkerTimedOut2 = class {
+var WorkerTimedOut = class {
   toDisplayString() {
     return "Timed out";
   }
 };
-var WorkerRejected2 = class {
+var WorkerRejected = class {
   statusCode;
   responseBody;
   constructor(statusCode, responseBody) {
@@ -3697,7 +3900,7 @@ var WorkerRejected2 = class {
     return `Rejected: ${this.statusCode} ${this.responseBody}`;
   }
 };
-var CouldNotParseDecryptionKey2 = class {
+var CouldNotParseDecryptionKey = class {
   originalHex;
   constructor(originalHex) {
     this.originalHex = originalHex;
@@ -4261,16 +4464,16 @@ var DecryptionContext2 = class _DecryptionContext {
         clearTimeout(timeoutId);
       }
       if (response == null) {
-        return new WorkerTimedOut3();
+        return new WorkerTimedOut2();
       }
       const responseBody = await response.text();
       if (response.status !== 200) {
-        return new WorkerRejected3(response.status, responseBody);
+        return new WorkerRejected2(response.status, responseBody);
       }
       try {
         return IdentityPrivateKey2.fromHex(responseBody);
       } catch (error) {
-        return new CouldNotParseDecryptionKey3(responseBody);
+        return new CouldNotParseDecryptionKey2(responseBody);
       }
     }));
     const numSharesCollected = decKeyLoadResults.filter((loadResult) => loadResult instanceof IdentityPrivateKey2).length;
@@ -4375,12 +4578,12 @@ var Decryptor2 = class {
     return decrypt6(symmKey, ciphertext.aesCiph);
   }
 };
-var WorkerTimedOut3 = class {
+var WorkerTimedOut2 = class {
   toDisplayString() {
     return "Timed out";
   }
 };
-var WorkerRejected3 = class {
+var WorkerRejected2 = class {
   statusCode;
   responseBody;
   constructor(statusCode, responseBody) {
@@ -4391,7 +4594,7 @@ var WorkerRejected3 = class {
     return `Rejected: ${this.statusCode} ${this.responseBody}`;
   }
 };
-var CouldNotParseDecryptionKey3 = class {
+var CouldNotParseDecryptionKey2 = class {
   originalHex;
   constructor(originalHex) {
     this.originalHex = originalHex;
@@ -4437,6 +4640,7 @@ export {
   enc_exports as Enc,
   group_exports as Group,
   ibe_exports as IBE,
+  Result,
   sig_exports as Sig,
   silent_setup_encryption_exports as SilentSetupEncryption,
   silent_setup_encryption_xchain_exports as SilentSetupEncryptionXChain,