abstractionkit 0.3.3 → 0.3.5

package/dist/index.mjs

@@ -1,5 +1,5 @@
 import { t as __exportAll } from "./chunk-CfYAbeIz.mjs";
-import { AbiCoder, JsonRpcProvider, TypedDataEncoder, Wallet, encodeRlp, ethers, getAddress, getBytes, hashMessage, id, isAddress, keccak256, solidityPacked, solidityPackedKeccak256, toBeArray } from "ethers";
+import { AbiCoder, JsonRpcProvider, TypedDataEncoder, Wallet, encodeRlp, ethers, getAddress, getBytes, hashMessage, hexlify, id, isAddress, keccak256, solidityPacked, solidityPackedKeccak256, toBeArray } from "ethers";
 //#region src/errors.ts
 /**
 * Maps JSON-RPC numeric error codes to human-readable {@link BundlerErrorCode} values.
@@ -319,6 +319,61 @@ function createUserOperationHash(useroperation, entrypointAddress, chainId) {
 	return userOperationHash;
 }
 /**
+* @internal
+* Reconstruct the packed `initCode` field for an EntryPoint v0.8/v0.9
+* UserOperation. When `eip7702Auth.address` is set, the EIP-7702 delegatee
+* address replaces the factory address in initCode (only `factoryData` is
+* concatenated). Otherwise, behaves like v0.7 (`factory + factoryData`).
+*
+* Shared by {@link createPackedUserOperationV8} /
+* {@link createPackedUserOperationV9} and Simple7702Account's typed-data
+* builder. Not part of the public API; only `export`ed for cross-module
+* use within the package and not re-exported from `src/abstractionkit.ts`.
+*
+* @param useroperation - V8 or V9 UserOperation to read fields from
+* @returns Hex-encoded initCode
+*/
+function buildPackedInitCodeV8V9(useroperation) {
+	if (useroperation.factory == null) return "0x";
+	const eip7702Auth = useroperation.eip7702Auth;
+	return (eip7702Auth != null && eip7702Auth.address != null ? eip7702Auth.address : useroperation.factory) + (useroperation.factoryData != null ? useroperation.factoryData.slice(2) : "");
+}
+/**
+* @internal
+* Reconstruct the packed `paymasterAndData` field from a UserOperation's
+* separate paymaster fields. Returns `0x` when no paymaster is set.
+*
+* For EntryPoint v0.9, when `paymasterData` ends with the parallel-paymaster
+* signature magic suffix (`0x22e325a297439656`), the embedded signature is
+* stripped so the userOpHash does not commit to the paymaster's signature
+* over itself. Pass `stripV9PaymasterSig=false` to preserve the wire format.
+*
+* Shared by v7/v8/v9 packers and Simple7702Account's typed-data builder.
+* Not part of the public API; only `export`ed for cross-module use within
+* the package and not re-exported from `src/abstractionkit.ts`.
+*
+* @param useroperation - V7/V8/V9 UserOperation to read fields from
+* @param stripV9PaymasterSig - Whether to strip the v0.9 paymaster signature suffix
+* @returns Hex-encoded paymasterAndData
+*/
+function buildPaymasterAndData(useroperation, stripV9PaymasterSig = false) {
+	if (useroperation.paymaster == null) return "0x";
+	const abiCoder = AbiCoder.defaultAbiCoder();
+	let paymasterAndData = useroperation.paymaster;
+	if (useroperation.paymasterVerificationGasLimit != null) paymasterAndData += abiCoder.encode(["uint128"], [useroperation.paymasterVerificationGasLimit]).slice(34);
+	if (useroperation.paymasterPostOpGasLimit != null) paymasterAndData += abiCoder.encode(["uint128"], [useroperation.paymasterPostOpGasLimit]).slice(34);
+	if (useroperation.paymasterData != null) {
+		const PAYMASTER_SIG_MAGIC = "22e325a297439656";
+		if (stripV9PaymasterSig && useroperation.paymasterData.toLowerCase().endsWith(PAYMASTER_SIG_MAGIC)) {
+			const sigLenHex = useroperation.paymasterData.slice(useroperation.paymasterData.length - 16 - 4, useroperation.paymasterData.length - 16);
+			const sigLen = parseInt(sigLenHex, 16);
+			const prefixEnd = useroperation.paymasterData.length - 16 - 4 - sigLen * 2;
+			paymasterAndData += useroperation.paymasterData.slice(0, prefixEnd).replaceAll("0x", "") + PAYMASTER_SIG_MAGIC;
+		} else paymasterAndData += useroperation.paymasterData.slice(2);
+	}
+	return paymasterAndData;
+}
+/**
 * ABI-encode and pack a UserOperation for hashing (EntryPoint v0.6 format).
 * Bytes fields (initCode, callData, paymasterAndData) are keccak256-hashed before packing.
 *
@@ -367,13 +422,7 @@ function createPackedUserOperationV7(useroperation) {
 	}
 	const accountGasLimits = "0x" + abiCoder.encode(["uint128"], [useroperation.verificationGasLimit]).slice(34) + abiCoder.encode(["uint128"], [useroperation.callGasLimit]).slice(34);
 	const gasFees = "0x" + abiCoder.encode(["uint128"], [useroperation.maxPriorityFeePerGas]).slice(34) + abiCoder.encode(["uint128"], [useroperation.maxFeePerGas]).slice(34);
-	let paymasterAndData = "0x";
-	if (useroperation.paymaster != null) {
-		paymasterAndData = useroperation.paymaster;
-		if (useroperation.paymasterVerificationGasLimit != null) paymasterAndData += abiCoder.encode(["uint128"], [useroperation.paymasterVerificationGasLimit]).slice(34);
-		if (useroperation.paymasterPostOpGasLimit != null) paymasterAndData += abiCoder.encode(["uint128"], [useroperation.paymasterPostOpGasLimit]).slice(34);
-		if (useroperation.paymasterData != null) paymasterAndData += useroperation.paymasterData.slice(2);
-	}
+	const paymasterAndData = buildPaymasterAndData(useroperation);
 	const useroperationValuesArrayWithHashedByteValues = [
 		useroperation.sender,
 		useroperation.nonce,
@@ -421,30 +470,10 @@ function createPackedUserOperationV8(useroperation) {
 */
 function baseCreatePackedUserOperationV8V9(useroperation, is_v9) {
 	const abiCoder = AbiCoder.defaultAbiCoder();
-	let initCode = "0x";
-	if (useroperation.factory != null) {
-		const eip7702Auth = useroperation.eip7702Auth;
-		if (eip7702Auth != null && eip7702Auth.address != null) initCode = eip7702Auth.address;
-		else initCode = useroperation.factory;
-		if (useroperation.factoryData != null) initCode += useroperation.factoryData.slice(2);
-	}
+	const initCode = buildPackedInitCodeV8V9(useroperation);
 	const accountGasLimits = "0x" + abiCoder.encode(["uint128"], [useroperation.verificationGasLimit]).slice(34) + abiCoder.encode(["uint128"], [useroperation.callGasLimit]).slice(34);
 	const gasFees = "0x" + abiCoder.encode(["uint128"], [useroperation.maxPriorityFeePerGas]).slice(34) + abiCoder.encode(["uint128"], [useroperation.maxFeePerGas]).slice(34);
-	let paymasterAndData = "0x";
-	if (useroperation.paymaster != null) {
-		paymasterAndData = useroperation.paymaster;
-		if (useroperation.paymasterVerificationGasLimit != null) paymasterAndData += abiCoder.encode(["uint128"], [useroperation.paymasterVerificationGasLimit]).slice(34);
-		if (useroperation.paymasterPostOpGasLimit != null) paymasterAndData += abiCoder.encode(["uint128"], [useroperation.paymasterPostOpGasLimit]).slice(34);
-		if (useroperation.paymasterData != null) {
-			const PAYMASTER_SIG_MAGIC = "22e325a297439656";
-			if (is_v9 && useroperation.paymasterData.toLowerCase().endsWith(PAYMASTER_SIG_MAGIC)) {
-				const sigLenHex = useroperation.paymasterData.slice(useroperation.paymasterData.length - 16 - 4, useroperation.paymasterData.length - 16);
-				const sigLen = parseInt(sigLenHex, 16);
-				const prefixEnd = useroperation.paymasterData.length - 16 - 4 - sigLen * 2;
-				paymasterAndData += useroperation.paymasterData.slice(0, prefixEnd).replaceAll("0x", "") + PAYMASTER_SIG_MAGIC;
-			} else paymasterAndData += useroperation.paymasterData.slice(2);
-		}
-	}
+	const paymasterAndData = buildPaymasterAndData(useroperation, is_v9);
 	const useroperationValuesArrayWithHashedByteValues = [
 		"0x29a0bca4af4be3421398da00295e58e6d7de38cb492214754cb6a47507dd6f8e",
 		useroperation.sender,
@@ -2666,7 +2695,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 	static DEFAULT_WEB_AUTHN_SHARED_SIGNER = "0xfD90FAd33ee8b58f32c00aceEad1358e4AFC23f9";
 	static DEFAULT_WEB_AUTHN_SIGNER_SINGLETON = "0x270D7E4a57E6322f336261f3EaE2BADe72E68d72";
 	static DEFAULT_WEB_AUTHN_SIGNER_FACTORY = "0xF7488fFbe67327ac9f37D5F722d83Fc900852Fbf";
-	static DEFAULT_WEB_AUTHN_FCLP256_VERIFIER = "0x445a0683e494ea0c5AF3E83c5159fBE47Cf9e765";
+	static DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER = "0x445a0683e494ea0c5AF3E83c5159fBE47Cf9e765";
 	static DEFAULT_WEB_AUTHN_PRECOMPILE = "0x0000000000000000000000000000000000000000";
 	static DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE = "0x61010060405234801561001157600080fd5b506040516101ee3803806101ee83398101604081905261003091610058565b6001600160a01b0390931660805260a09190915260c0526001600160b01b031660e0526100bc565b6000806000806080858703121561006e57600080fd5b84516001600160a01b038116811461008557600080fd5b60208601516040870151606088015192965090945092506001600160b01b03811681146100b157600080fd5b939692955090935050565b60805160a05160c05160e05160ff6100ef60003960006008015260006031015260006059015260006080015260ff6000f3fe608060408190527f00000000000000000000000000000000000000000000000000000000000000003660b681018290527f000000000000000000000000000000000000000000000000000000000000000060a082018190527f00000000000000000000000000000000000000000000000000000000000000008285018190527f00000000000000000000000000000000000000000000000000000000000000009490939192600082376000806056360183885af490503d6000803e8060c3573d6000fd5b503d6000f3fea2646970667358221220ddd9bb059ba7a6497d560ca97aadf4dbf0476f578378554a50d41c6bb654beae64736f6c63430008180033";
 	static DEFAULT_MULTISEND_CONTRACT_ADDRESS = "0x38869bf66a61cF6bDB996A6aE40D5853Fd43B526";
@@ -2754,6 +2783,33 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 		]).slice(-40)}`);
 	}
 	/**
+	* Check whether a Safe account is already deployed at the given address.
+	*
+	* Use this to decide between connecting to an existing account
+	* (`new SafeAccountV0_3_0(address)`) and initializing a new one
+	* (`SafeAccountV0_3_0.initializeNewAccount(owners)`). Once an account is
+	* deployed, the factory data carried by `initializeNewAccount` is no
+	* longer needed and including it would waste gas.
+	*
+	* Note: this only checks whether bytecode exists at `accountAddress`, not
+	* whether the deployed code is actually a Safe or whether its on-chain
+	* configuration matches a given set of owners.
+	*
+	* @param accountAddress - the Safe account address to check
+	* @param nodeRpcUrl - Ethereum JSON-RPC node URL
+	* @returns `true` if bytecode is deployed at `accountAddress`, `false` otherwise
+	*
+	* @example
+	* ```ts
+	* const account = (await SafeAccountV0_3_0.isDeployed(addr, rpc))
+	*   ? new SafeAccountV0_3_0(addr)
+	*   : SafeAccountV0_3_0.initializeNewAccount(owners);
+	* ```
+	*/
+	static async isDeployed(accountAddress, nodeRpcUrl) {
+		return (await sendEthGetCodeRequest(nodeRpcUrl, accountAddress, "latest")).length > 2;
+	}
+	/**
 	* encode calldata for a single MetaTransaction to be executed by Safe account
 	* @param metaTransaction - metaTransaction to create calldata for
 	* @param overrides - overrides for the default values
@@ -3150,7 +3206,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 	*/
 	static createAccountAddressAndFactoryAddressAndData(owners, overrides, safe4337ModuleAddress, safeModuleSetupAddress) {
 		if (owners.length < 1) throw new RangeError("There should be at least one owner");
-		const initializerCallData = SafeAccount.createBaseInitializerCallData(owners, overrides.threshold ?? 1, safe4337ModuleAddress, safeModuleSetupAddress, overrides.multisendContractAddress ?? SafeAccount.DEFAULT_MULTISEND_CONTRACT_ADDRESS, overrides.webAuthnSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_SHARED_SIGNER, overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE, overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_FCLP256_VERIFIER);
+		const initializerCallData = SafeAccount.createBaseInitializerCallData(owners, overrides.threshold ?? 1, safe4337ModuleAddress, safeModuleSetupAddress, overrides.multisendContractAddress ?? SafeAccount.DEFAULT_MULTISEND_CONTRACT_ADDRESS, overrides.webAuthnSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_SHARED_SIGNER, overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE, overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER);
 		let safeAccountFactory;
 		if (overrides.safeAccountFactoryAddress != null) safeAccountFactory = new SafeAccountFactory(overrides.safeAccountFactoryAddress);
 		else safeAccountFactory = new SafeAccountFactory();
@@ -3172,7 +3228,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 			factoryGeneratorFunctionCallData
 		];
 	}
-	static createBaseInitializerCallData(owners, threshold, safe4337ModuleAddress, safeModuleSetupAddress, multisendContractAddress = SafeAccount.DEFAULT_MULTISEND_CONTRACT_ADDRESS, webAuthnSharedSigner = SafeAccount.DEFAULT_WEB_AUTHN_SHARED_SIGNER, eip7212WebAuthnPrecompileVerifierForSharedSigner = SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE, eip7212WebAuthnContractVerifierForSharedSigner = SafeAccount.DEFAULT_WEB_AUTHN_FCLP256_VERIFIER) {
+	static createBaseInitializerCallData(owners, threshold, safe4337ModuleAddress, safeModuleSetupAddress, multisendContractAddress = SafeAccount.DEFAULT_MULTISEND_CONTRACT_ADDRESS, webAuthnSharedSigner = SafeAccount.DEFAULT_WEB_AUTHN_SHARED_SIGNER, eip7212WebAuthnPrecompileVerifierForSharedSigner = SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE, eip7212WebAuthnContractVerifierForSharedSigner = SafeAccount.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER) {
 		if (owners.length < 1) throw new RangeError("There should be at least one owner");
 		if (threshold < 1) throw new RangeError("threshold should be at least one");
 		if (threshold > owners.length) throw new RangeError("threshold can't be larger than number of owners");
@@ -3248,7 +3304,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 		if (threshold < 1) throw new RangeError("threshold should be at least one");
 		if (threshold > owners.length) throw new RangeError("threshold can't be larger than number of owners");
 		if (c2Nonce < 0n) throw new RangeError("c2Nonce can't be negative");
-		const initializerCallData = SafeAccount.createBaseInitializerCallData(owners, overrides.threshold ?? 1, safe4337ModuleAddress, safeModuleSetupAddress, overrides.multisendContractAddress ?? SafeAccount.DEFAULT_MULTISEND_CONTRACT_ADDRESS, overrides.webAuthnSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_SHARED_SIGNER, overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE, overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_FCLP256_VERIFIER);
+		const initializerCallData = SafeAccount.createBaseInitializerCallData(owners, overrides.threshold ?? 1, safe4337ModuleAddress, safeModuleSetupAddress, overrides.multisendContractAddress ?? SafeAccount.DEFAULT_MULTISEND_CONTRACT_ADDRESS, overrides.webAuthnSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_SHARED_SIGNER, overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE, overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER);
 		let safeAccountFactory;
 		if (overrides.safeAccountFactoryAddress != null) safeAccountFactory = new SafeAccountFactory(overrides.safeAccountFactoryAddress);
 		else safeAccountFactory = new SafeAccountFactory();
@@ -3310,9 +3366,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 				eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier,
 				webAuthnSignerFactory: overrides.webAuthnSignerFactory,
 				webAuthnSignerSingleton: overrides.webAuthnSignerSingleton,
-				webAuthnSignerProxyCreationCode: overrides.webAuthnSignerProxyCreationCode,
-				validAfter,
-				validUntil
+				webAuthnSignerProxyCreationCode: overrides.webAuthnSignerProxyCreationCode
 			});
 			userOperation.signature = SafeAccount.formatSignaturesToUseroperationSignature(dummySignerSignaturePairs, {
 				validAfter,
@@ -3379,7 +3433,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 		maxFeePerGas = overrides.maxFeePerGas ?? maxFeePerGas * BigInt((overrides.maxFeePerGasPercentageMultiplier ?? 0) + 100) / 100n;
 		maxPriorityFeePerGas = overrides.maxPriorityFeePerGas ?? maxPriorityFeePerGas * BigInt((overrides.maxPriorityFeePerGasPercentageMultiplier ?? 0) + 100) / 100n;
 		const eip7212WebAuthnPrecompileVerifier = overrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE;
-		const eip7212WebAuthnContractVerifier = overrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_FCLP256_VERIFIER;
+		const eip7212WebAuthnContractVerifier = overrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER;
 		const webAuthnSignerFactory = overrides.webAuthnSignerFactory ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_FACTORY;
 		const webAuthnSignerSingleton = overrides.webAuthnSignerSingleton ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON;
 		const webAuthnSignerProxyCreationCode = overrides.webAuthnSignerProxyCreationCode ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE;
@@ -3454,16 +3508,14 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 				eip7212WebAuthnContractVerifier,
 				webAuthnSignerFactory,
 				webAuthnSignerSingleton,
-				webAuthnSignerProxyCreationCode,
-				validAfter,
-				validUntil
+				webAuthnSignerProxyCreationCode
 			});
 		}
 		userOperation.signature = SafeAccount.formatSignaturesToUseroperationSignature(dummySignerSignaturePairs, {
 			validAfter,
 			validUntil,
-			webAuthnSharedSigner,
-			isMultiChainSignature: overrides.isMultiChainSignature
+			isMultiChainSignature: overrides.isMultiChainSignature,
+			webAuthnSharedSigner
 		});
 		if (!(overrides.skipGasEstimation ?? false) && (overrides.preVerificationGas == null || overrides.verificationGasLimit == null || overrides.callGasLimit == null)) if (bundlerRpc != null) {
 			userOperation.callGasLimit = 0n;
@@ -3530,14 +3582,15 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 	* @param useroperation - useroperation to sign
 	* @param privateKeys - for the signers
 	* @param chainId - target chain id
-	* @param overrides - overrides for the default values
-	* @param overrides.validAfter - timestamp the signature will be valid after
-	* @param overrides.validUntil - timestamp the signature will be valid until
+	* @param entrypointAddress - target EntryPoint
+	* @param safe4337ModuleAddress - Safe 4337 module
+	* @param options - per-call signing options (timing, multi-chain encoding, module address) — passed through to {@link formatSignaturesToUseroperationSignature}
 	* @returns signature
 	*/
-	static baseSignSingleUserOperation(useroperation, privateKeys, chainId, entrypointAddress, safe4337ModuleAddress, overrides = {}) {
-		const validAfter = overrides.validAfter ?? 0n;
-		const validUntil = overrides.validUntil ?? 0n;
+	static baseSignSingleUserOperation(useroperation, privateKeys, chainId, entrypointAddress, safe4337ModuleAddress, options = {}) {
+		const validAfter = options.validAfter ?? 0n;
+		const validUntil = options.validUntil ?? 0n;
+		const moduleAddress = options.safe4337ModuleAddress ?? safe4337ModuleAddress;
 		if (privateKeys.length < 1) throw new RangeError("There should be at least one privateKey");
 		if (chainId < 0n) throw new RangeError("chainId can't be negative");
 		if (validAfter < 0n) throw new RangeError("validAfter can't be negative");
@@ -3546,7 +3599,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 			validAfter,
 			validUntil,
 			entrypointAddress,
-			safe4337ModuleAddress
+			safe4337ModuleAddress: moduleAddress
 		});
 		const signerSignaturePairs = [];
 		for (const privateKey of privateKeys) {
@@ -3558,9 +3611,9 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 			});
 		}
 		return SafeAccount.formatSignaturesToUseroperationSignature(signerSignaturePairs, {
+			...options,
 			validAfter,
-			validUntil,
-			isMultiChainSignature: overrides.isMultiChainSignature
+			validUntil
 		});
 	}
 	/**
@@ -3583,20 +3636,24 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 	* @param useroperation - UserOperation to sign
 	* @param signers - Signer instances (`fromViem(account)`, `fromEthersWallet(wallet)`, etc.)
 	* @param chainId - target chain id
-	* @param entrypointAddress - target EntryPoint
-	* @param safe4337ModuleAddress - Safe 4337 module
-	* @param overrides - optional validAfter / validUntil / multi-chain flag
+	* @param params - bag combining required wiring (`entrypointAddress`,
+	*   `safe4337ModuleAddress`, `context`) with optional `options`
+	*   ({@link SafeSignatureOptions}: timing, multi-chain encoding,
+	*   module address).
+	*   Both flow through to {@link formatSignaturesToUseroperationSignature}.
 	* @returns formatted signature
 	*/
-	static async baseSignUserOperationWithSigners(useroperation, signers, chainId, entrypointAddress, safe4337ModuleAddress, context, overrides = {}) {
-		const validAfter = overrides.validAfter ?? 0n;
-		const validUntil = overrides.validUntil ?? 0n;
+	static async baseSignUserOperationWithSigners(useroperation, signers, chainId, params) {
+		const { entrypointAddress, safe4337ModuleAddress, context, options = {} } = params;
+		const validAfter = options.validAfter ?? 0n;
+		const validUntil = options.validUntil ?? 0n;
+		const moduleAddress = options.safe4337ModuleAddress ?? safe4337ModuleAddress;
 		if (signers.length < 1) throw new RangeError("There should be at least one signer");
 		const typedDataRaw = SafeAccount.getUserOperationEip712Data(useroperation, chainId, {
 			validAfter,
 			validUntil,
 			entrypointAddress,
-			safe4337ModuleAddress
+			safe4337ModuleAddress: moduleAddress
 		});
 		const userOpHash = TypedDataEncoder.hash(typedDataRaw.domain, typedDataRaw.types, typedDataRaw.messageValue);
 		const { EIP712Domain: _drop, ...primaryTypes } = typedDataRaw.types;
@@ -3617,12 +3674,13 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 			context
 		})))).map((signature, i) => ({
 			signer: normalizedAddresses[i],
-			signature
+			signature,
+			isContractSignature: signers[i].type === "contract"
 		}));
 		return SafeAccount.formatSignaturesToUseroperationSignature(signerSignaturePairs, {
+			...options,
 			validAfter,
-			validUntil,
-			isMultiChainSignature: overrides.isMultiChainSignature
+			validUntil
 		});
 	}
 	/**
@@ -3635,7 +3693,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 	*/
 	static createWebAuthnSignerVerifierAddress(x, y, overrides = {}) {
 		const eip7212WebAuthnPrecompileVerifier = overrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE;
-		const eip7212WebAuthnContractVerifier = overrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_FCLP256_VERIFIER;
+		const eip7212WebAuthnContractVerifier = overrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER;
 		const webAuthnSignerFactory = overrides.webAuthnSignerFactory ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_FACTORY;
 		const webAuthnSignerSingleton = overrides.webAuthnSignerSingleton ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON;
 		if (eip7212WebAuthnPrecompileVerifier.length !== 42 || eip7212WebAuthnPrecompileVerifier.slice(0, 38) !== "0x0000000000000000000000000000000000000000".slice(0, 38)) throw new RangeError("Invalid precompile address. It should have the format 0x000000000000000000000000000000000000____");
@@ -3666,15 +3724,15 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 	/**
 	* format a list of eip712 signatures to a useroperation signature
 	* @param signerSignaturePairs - a list of a pair of a signer and it's signature
-	* @param overrides - overrides for the default values
+	* @param options - merged bag of {@link SafeSignatureOptions} (timing, multi-chain encoding, module address) and {@link WebAuthnSignatureOverrides} (verifier addresses, init flag). Single param for back-compat with the pre-split shape — callers may pass any combination of fields from either type.
 	* @returns signature
 	*/
-	static formatSignaturesToUseroperationSignature(signerSignaturePairs, overrides = {}) {
-		const validAfter = overrides.validAfter ?? 0n;
-		const validUntil = overrides.validUntil ?? 0n;
-		const signature = SafeAccount.buildSignaturesFromSingerSignaturePairs(signerSignaturePairs, overrides);
-		if (overrides.isMultiChainSignature) if (overrides.multiChainMerkleProof != null) {
-			const merkleProofLength = overrides.multiChainMerkleProof.slice(2).length;
+	static formatSignaturesToUseroperationSignature(signerSignaturePairs, options = {}) {
+		const validAfter = options.validAfter ?? 0n;
+		const validUntil = options.validUntil ?? 0n;
+		const signature = SafeAccount.buildSignaturesFromSingerSignaturePairs(signerSignaturePairs, options);
+		if (options.isMultiChainSignature) if (options.multiChainMerkleProof != null) {
+			const merkleProofLength = options.multiChainMerkleProof.slice(2).length;
 			if (merkleProofLength < 128 || merkleProofLength % 64 !== 0) throw new RangeError("invalid multiChainMerkleProof length.");
 			let merkleTreeDepthHex = (merkleProofLength / 64 - 1).toString(16);
 			if (merkleTreeDepthHex.length % 2 === 0) merkleTreeDepthHex = `0x${merkleTreeDepthHex}`;
@@ -3688,7 +3746,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 				merkleTreeDepthHex,
 				validAfter,
 				validUntil,
-				overrides.multiChainMerkleProof + signature.slice(2)
+				options.multiChainMerkleProof + signature.slice(2)
 			]);
 		} else return solidityPacked([
 			"bytes1",
@@ -3721,7 +3779,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 		if (typeof signer === "string") return signer.toLowerCase();
 		else {
 			const eip7212WebAuthnPrecompileVerifier = overrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE;
-			const eip7212WebAuthnContractVerifier = overrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_FCLP256_VERIFIER;
+			const eip7212WebAuthnContractVerifier = overrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER;
 			const webAuthnSignerFactory = overrides.webAuthnSignerFactory ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_FACTORY;
 			const webAuthnSignerSingleton = overrides.webAuthnSignerSingleton ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON;
 			const webAuthnSignerProxyCreationCode = overrides.webAuthnSignerProxyCreationCode ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE;
@@ -3747,7 +3805,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 	/**
 	* format a list of eip712 signatures to a safe signature (without the time range)
 	* @param signerSignaturePairs - a list of a pair of a signer and it's signature
-	* @param overrides - overrides for the default values
+	* @param webAuthnSignatureOverrides - WebAuthn-only configuration (verifier addresses, init flag)
 	* @returns signature
 	*/
 	static buildSignaturesFromSingerSignaturePairs(signerSignaturePairs, webAuthnSignatureOverrides = {}) {
@@ -3761,7 +3819,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 					if (webAuthnSignatureOverrides.isInit) signer = webAuthnSignatureOverrides.webAuthnSharedSigner ?? SafeAccount.DEFAULT_WEB_AUTHN_SHARED_SIGNER;
 					else {
 						const eip7212WebAuthnPrecompileVerifier = webAuthnSignatureOverrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE;
-						const eip7212WebAuthnContractVerifier = webAuthnSignatureOverrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_FCLP256_VERIFIER;
+						const eip7212WebAuthnContractVerifier = webAuthnSignatureOverrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER;
 						const webAuthnSignerFactory = webAuthnSignatureOverrides.webAuthnSignerFactory ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_FACTORY;
 						const webAuthnSignerSingleton = webAuthnSignatureOverrides.webAuthnSignerSingleton ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON;
 						const webAuthnSignerProxyCreationCode = webAuthnSignatureOverrides.webAuthnSignerProxyCreationCode ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE;
@@ -4032,7 +4090,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 	*/
 	static createDeployWebAuthnVerifierMetaTransaction(x, y, overrides = {}) {
 		const eip7212WebAuthnPrecompileVerifier = overrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE;
-		const eip7212WebAuthnContractVerifier = overrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_FCLP256_VERIFIER;
+		const eip7212WebAuthnContractVerifier = overrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER;
 		return {
 			to: overrides.webAuthnSignerFactory ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_FACTORY,
 			value: 0n,
@@ -4134,7 +4192,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 					signerSignaturePair.signer = webauthnsharedsigner;
 				} else {
 					const eip7212WebAuthnPrecompileVerifier = webAuthnSignatureOverrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE;
-					const eip7212WebAuthnContractVerifier = webAuthnSignatureOverrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_FCLP256_VERIFIER;
+					const eip7212WebAuthnContractVerifier = webAuthnSignatureOverrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER;
 					const webAuthnSignerFactory = webAuthnSignatureOverrides.webAuthnSignerFactory ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_FACTORY;
 					const webAuthnSignerSingleton = webAuthnSignatureOverrides.webAuthnSignerSingleton ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON;
 					const webAuthnSignerProxyCreationCode = webAuthnSignatureOverrides.webAuthnSignerProxyCreationCode ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE;
@@ -4168,7 +4226,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 	static async verifyWebAuthnSignatureForMessageHash(nodeRpcUrl, signer, messageHash, signature, overrides = {}) {
 		if (messageHash.length !== 66 || messageHash.slice(0, 2) !== "0x") throw new RangeError("Invalid messageHash, must be a 0x-prefixed keccak256 hash.");
 		const eip7212WebAuthnPrecompileVerifier = overrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_PRECOMPILE;
-		const eip7212WebAuthnContractVerifier = overrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_FCLP256_VERIFIER;
+		const eip7212WebAuthnContractVerifier = overrides.eip7212WebAuthnContractVerifier ?? SafeAccount.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER;
 		const webAuthnSignerSingleton = overrides.webAuthnSignerSingleton ?? SafeAccount.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON;
 		if (eip7212WebAuthnPrecompileVerifier.length !== 42 || eip7212WebAuthnPrecompileVerifier.slice(0, 38) !== "0x0000000000000000000000000000000000000000".slice(0, 38)) throw new RangeError("Invalid precompile address. It should have the format 0x000000000000000000000000000000000000____");
 		const callData = createCallData("0x1626ba7e", ["bytes32", "bytes"], [messageHash, signature]);
@@ -4298,7 +4356,7 @@ var SafeAccount = class SafeAccount extends SmartAccount {
 * @param toolVersion - tool version; defaults to the current abstractionkit version
 * @returns the on-chain identifier as a hex string (not 0x prefixed)
 */
-function generateOnChainIdentifier(project, platform = "Web", tool = "abstractionkit", toolVersion = "0.3.3") {
+function generateOnChainIdentifier(project, platform = "Web", tool = "abstractionkit", toolVersion = "0.3.5") {
 	const identifierPrefix = "5afe";
 	const identifierVersion = "00";
 	const projectHash = keccak256(`0x${Buffer.from(project, "utf8").toString("hex")}`).slice(-20);
@@ -5302,15 +5360,15 @@ var SafeAccountV0_3_0 = class SafeAccountV0_3_0 extends SafeAccount {
 	* @param useroperation - The UserOperation to sign
 	* @param privateKeys - Array of private keys for the signers
 	* @param chainId - The target chain ID
-	* @param overrides - Override validAfter and validUntil timestamps
+	* @param options - {@link SafeSignatureOptions} — timing, multi-chain encoding, module address
 	* @returns The formatted signature string ready to set on the UserOperation
 	*
 	* @example
 	* const signature = smartAccount.signUserOperation(userOp, [privateKey], 1n);
 	* userOp.signature = signature;
 	*/
-	signUserOperation(useroperation, privateKeys, chainId, overrides = {}) {
-		return SafeAccount.baseSignSingleUserOperation(useroperation, privateKeys, chainId, this.entrypointAddress, this.safe4337ModuleAddress, overrides);
+	signUserOperation(useroperation, privateKeys, chainId, options = {}) {
+		return SafeAccount.baseSignSingleUserOperation(useroperation, privateKeys, chainId, this.entrypointAddress, this.safe4337ModuleAddress, options);
 	}
 	/**
 	* Sign a UserOperation with one or more {@link ExternalSigner} instances
@@ -5332,16 +5390,21 @@ var SafeAccountV0_3_0 = class SafeAccountV0_3_0 extends SafeAccount {
 	* @param useroperation - UserOperation to sign
 	* @param signers - one ExternalSigner per owner (any order)
 	* @param chainId - target chain ID
-	* @param overrides - optional validAfter / validUntil / multi-chain flag
+	* @param options - {@link SafeSignatureOptions} — timing, multi-chain encoding, module address
 	* @returns Promise resolving to the formatted signature string
 	*/
-	signUserOperationWithSigners(useroperation, signers, chainId, overrides = {}) {
+	signUserOperationWithSigners(useroperation, signers, chainId, options = {}) {
 		const context = {
 			userOperation: useroperation,
 			chainId,
 			entryPoint: this.entrypointAddress
 		};
-		return SafeAccount.baseSignUserOperationWithSigners(useroperation, signers, chainId, this.entrypointAddress, this.safe4337ModuleAddress, context, overrides);
+		return SafeAccount.baseSignUserOperationWithSigners(useroperation, signers, chainId, {
+			entrypointAddress: this.entrypointAddress,
+			safe4337ModuleAddress: this.safe4337ModuleAddress,
+			context,
+			options
+		});
 	}
 };
 //#endregion
@@ -5584,28 +5647,39 @@ var SafeAccountV0_2_0 = class SafeAccountV0_2_0 extends SafeAccount {
 	* @param useroperation - The UserOperation to sign
 	* @param privateKeys - Array of private keys for the signers
 	* @param chainId - The target chain ID
-	* @param overrides - Override validAfter and validUntil timestamps
+	* @param options - {@link SafeSignatureOptions} — timing, multi-chain encoding, module address
 	* @returns The formatted signature string ready to set on the UserOperation
 	*
 	* @example
 	* const signature = smartAccount.signUserOperation(userOp, [privateKey], 1n);
 	* userOp.signature = signature;
 	*/
-	signUserOperation(useroperation, privateKeys, chainId, overrides = {}) {
-		return SafeAccount.baseSignSingleUserOperation(useroperation, privateKeys, chainId, this.entrypointAddress, this.safe4337ModuleAddress, overrides);
+	signUserOperation(useroperation, privateKeys, chainId, options = {}) {
+		return SafeAccount.baseSignSingleUserOperation(useroperation, privateKeys, chainId, this.entrypointAddress, this.safe4337ModuleAddress, options);
 	}
 	/**
 	* Sign a UserOperation using one or more {@link AkSigner} instances.
 	* See {@link SafeAccountV0_3_0.signUserOperationWithSigners} for full
 	* design rationale and examples.
+	*
+	* @param useroperation - The UserOperation to sign
+	* @param signers - one ExternalSigner per owner (any order)
+	* @param chainId - The target chain ID
+	* @param options - {@link SafeSignatureOptions} — timing, multi-chain encoding, module address
+	* @returns Promise resolving to the formatted signature string
 	*/
-	signUserOperationWithSigners(useroperation, signers, chainId, overrides = {}) {
+	signUserOperationWithSigners(useroperation, signers, chainId, options = {}) {
 		const context = {
 			userOperation: useroperation,
 			chainId,
 			entryPoint: this.entrypointAddress
 		};
-		return SafeAccount.baseSignUserOperationWithSigners(useroperation, signers, chainId, this.entrypointAddress, this.safe4337ModuleAddress, context, overrides);
+		return SafeAccount.baseSignUserOperationWithSigners(useroperation, signers, chainId, {
+			entrypointAddress: this.entrypointAddress,
+			safe4337ModuleAddress: this.safe4337ModuleAddress,
+			context,
+			options
+		});
 	}
 };
 //#endregion
@@ -5624,6 +5698,7 @@ var SafeAccountV0_2_0 = class SafeAccountV0_2_0 extends SafeAccount {
 var SafeAccountV1_5_0_M_0_3_0 = class SafeAccountV1_5_0_M_0_3_0 extends SafeAccountV0_3_0 {
 	static DEFAULT_WEB_AUTHN_PRECOMPILE = "0x0000000000000000000000000000000000000100";
 	static DEFAULT_WEB_AUTHN_DAIMO_VERIFIER = "0xc2b78104907F722DABAc4C69f826a522B2754De4";
+	static DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER = "0xc2b78104907F722DABAc4C69f826a522B2754De4";
 	/**
 	* Create a SafeAccountV1_5_0_M_0_3_0 instance for an existing deployed account.
 	* For new (undeployed) accounts, use the static `initializeNewAccount` method instead.
@@ -5672,7 +5747,7 @@ var SafeAccountV1_5_0_M_0_3_0 = class SafeAccountV1_5_0_M_0_3_0 extends SafeAcco
 			...overrides,
 			safeAccountSingleton: overrides.safeAccountSingleton ?? Safe_L2_V1_5_0,
 			eip7212WebAuthnPrecompileVerifierForSharedSigner: overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		};
 		return SafeAccountV0_3_0.initializeNewAccount(owners, modOverrides);
 	}
@@ -5689,7 +5764,7 @@ var SafeAccountV1_5_0_M_0_3_0 = class SafeAccountV1_5_0_M_0_3_0 extends SafeAcco
 			...overrides,
 			safeAccountSingleton: overrides.safeAccountSingleton ?? Safe_L2_V1_5_0,
 			eip7212WebAuthnPrecompileVerifierForSharedSigner: overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		};
 		return SafeAccountV0_3_0.createAccountAddress(owners, modOverrides);
 	}
@@ -5706,7 +5781,7 @@ var SafeAccountV1_5_0_M_0_3_0 = class SafeAccountV1_5_0_M_0_3_0 extends SafeAcco
 			...overrides,
 			safeAccountSingleton: overrides.safeAccountSingleton ?? Safe_L2_V1_5_0,
 			eip7212WebAuthnPrecompileVerifierForSharedSigner: overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		};
 		return SafeAccountV0_3_0.createFactoryAddressAndData(owners, modOverrides);
 	}
@@ -5724,7 +5799,7 @@ var SafeAccountV1_5_0_M_0_3_0 = class SafeAccountV1_5_0_M_0_3_0 extends SafeAcco
 		return super.createUserOperation(transactions, providerRpc, bundlerRpc, {
 			...overrides,
 			eip7212WebAuthnPrecompileVerifier: overrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		});
 	}
 	/**
@@ -5739,7 +5814,7 @@ var SafeAccountV1_5_0_M_0_3_0 = class SafeAccountV1_5_0_M_0_3_0 extends SafeAcco
 		return super.estimateUserOperationGas(userOperation, bundlerRpc, {
 			...overrides,
 			eip7212WebAuthnPrecompileVerifier: overrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		});
 	}
 	/**
@@ -5755,7 +5830,7 @@ var SafeAccountV1_5_0_M_0_3_0 = class SafeAccountV1_5_0_M_0_3_0 extends SafeAcco
 		return SafeAccount.createWebAuthnSignerVerifierAddress(x, y, {
 			...overrides,
 			eip7212WebAuthnPrecompileVerifier: overrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		});
 	}
 	/**
@@ -5771,7 +5846,7 @@ var SafeAccountV1_5_0_M_0_3_0 = class SafeAccountV1_5_0_M_0_3_0 extends SafeAcco
 		return SafeAccount.createDeployWebAuthnVerifierMetaTransaction(x, y, {
 			...overrides,
 			eip7212WebAuthnPrecompileVerifier: overrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		});
 	}
 	/**
@@ -5785,7 +5860,7 @@ var SafeAccountV1_5_0_M_0_3_0 = class SafeAccountV1_5_0_M_0_3_0 extends SafeAcco
 		return SafeAccount.createDummySignerSignaturePairForExpectedSigners(expectedSigners, {
 			...webAuthnSignatureOverrides,
 			eip7212WebAuthnPrecompileVerifier: webAuthnSignatureOverrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: webAuthnSignatureOverrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifier: webAuthnSignatureOverrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		});
 	}
 	/**
@@ -5803,7 +5878,7 @@ var SafeAccountV1_5_0_M_0_3_0 = class SafeAccountV1_5_0_M_0_3_0 extends SafeAcco
 		return SafeAccount.verifyWebAuthnSignatureForMessageHash(nodeRpcUrl, signer, messageHash, signature, {
 			...overrides,
 			eip7212WebAuthnPrecompileVerifier: overrides.eip7212WebAuthnPrecompileVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeAccountV1_5_0_M_0_3_0.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		});
 	}
 };
@@ -5897,6 +5972,7 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 	static DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE = DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE_V_0_2_1;
 	static DEFAULT_WEB_AUTHN_PRECOMPILE = DEFAULT_WEB_AUTHN_PRECOMPILE_RIP_7951;
 	static DEFAULT_WEB_AUTHN_DAIMO_VERIFIER = DEFAULT_WEB_AUTHN_DAIMO_VERIFIER_V_0_2_1;
+	static DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER = DEFAULT_WEB_AUTHN_DAIMO_VERIFIER_V_0_2_1;
 	/**
 	* Create a SafeMultiChainSigAccount instance for an existing or new account.
 	* @param accountAddress - the Safe account address
@@ -5922,7 +5998,7 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 			...overrides,
 			webAuthnSharedSigner: overrides.webAuthnSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SHARED_SIGNER,
 			eip7212WebAuthnPrecompileVerifierForSharedSigner: overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		};
 		const [accountAddress, ,] = SafeAccount.createAccountAddressAndFactoryAddressAndData(owners, modOverrides, overrides.safe4337ModuleAddress ?? SafeMultiChainSigAccountV1.DEFAULT_SAFE_4337_MODULE_ADDRESS, overrides.safeModuleSetupAddress ?? SafeMultiChainSigAccountV1.DEFAULT_SAFE_MODULE_SETUP_ADDRESS);
 		return accountAddress;
@@ -5952,7 +6028,7 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 			...overrides,
 			webAuthnSharedSigner: overrides.webAuthnSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SHARED_SIGNER,
 			eip7212WebAuthnPrecompileVerifierForSharedSigner: overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		};
 		const [accountAddress, factoryAddress, factoryData] = SafeAccount.createAccountAddressAndFactoryAddressAndData(owners, modOverrides, overrides.safe4337ModuleAddress ?? SafeMultiChainSigAccountV1.DEFAULT_SAFE_4337_MODULE_ADDRESS, overrides.safeModuleSetupAddress ?? SafeMultiChainSigAccountV1.DEFAULT_SAFE_MODULE_SETUP_ADDRESS);
 		const safe = new SafeMultiChainSigAccountV1(accountAddress, {
@@ -6029,7 +6105,7 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 	static createInitializerCallData(owners, threshold, overrides = {}) {
 		const safe4337ModuleAddress = overrides.safe4337ModuleAddress ?? SafeMultiChainSigAccountV1.DEFAULT_SAFE_4337_MODULE_ADDRESS;
 		const safeModuleSetupAddress = overrides.safeModuleSetupAddress ?? SafeMultiChainSigAccountV1.DEFAULT_SAFE_MODULE_SETUP_ADDRESS;
-		return SafeAccount.createBaseInitializerCallData(owners, threshold, safe4337ModuleAddress, safeModuleSetupAddress, overrides.multisendContractAddress, overrides.webAuthnSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SHARED_SIGNER, overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_PRECOMPILE, overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER);
+		return SafeAccount.createBaseInitializerCallData(owners, threshold, safe4337ModuleAddress, safeModuleSetupAddress, overrides.multisendContractAddress, overrides.webAuthnSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SHARED_SIGNER, overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_PRECOMPILE, overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER);
 	}
 	/**
 	* create account factory address and factory data
@@ -6042,7 +6118,7 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 			...overrides,
 			webAuthnSharedSigner: overrides.webAuthnSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SHARED_SIGNER,
 			eip7212WebAuthnPrecompileVerifierForSharedSigner: overrides.eip7212WebAuthnPrecompileVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER
+			eip7212WebAuthnContractVerifierForSharedSigner: overrides.eip7212WebAuthnContractVerifierForSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
 		};
 		return SafeAccount.createFactoryAddressAndData(owners, modOverrides, overrides.safe4337ModuleAddress ?? SafeMultiChainSigAccountV1.DEFAULT_SAFE_4337_MODULE_ADDRESS, overrides.safeModuleSetupAddress ?? SafeMultiChainSigAccountV1.DEFAULT_SAFE_MODULE_SETUP_ADDRESS);
 	}
@@ -6064,7 +6140,7 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 			isMultiChainSignature: true,
 			webAuthnSharedSigner: overrides.webAuthnSharedSigner ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SHARED_SIGNER,
 			eip7212WebAuthnPrecompileVerifier: overrides.eip7212WebAuthnPrecompileVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER,
+			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER,
 			webAuthnSignerFactory: overrides.webAuthnSignerFactory ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_FACTORY,
 			webAuthnSignerSingleton: overrides.webAuthnSignerSingleton ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON,
 			webAuthnSignerProxyCreationCode: overrides.webAuthnSignerProxyCreationCode ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE
@@ -6092,14 +6168,13 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 	* @param useroperation - useroperation to sign
 	* @param privateKeys - for the signers
 	* @param chainId - target chain id
-	* @param overrides - overrides for the default values
-	* @param overrides.validAfter - timestamp the signature will be valid after
-	* @param overrides.validUntil - timestamp the signature will be valid until
+	* @param options - {@link SafeSignatureOptions} — timing, multiChainMerkleProof, module address. The multi-chain flag is force-set true and overrides any caller value.
 	* @returns signature
 	*/
-	signUserOperation(userOperation, privateKeys, chainId, overrides = {}) {
+	signUserOperation(userOperation, privateKeys, chainId, options = {}) {
+		if (options.multiChainMerkleProof != null && options.multiChainMerkleProof.length > 0) throw new RangeError("signUserOperation does not accept multiChainMerkleProof; use signUserOperations for multi-op Merkle signatures");
 		return SafeAccount.baseSignSingleUserOperation(userOperation, privateKeys, chainId, this.entrypointAddress, this.safe4337ModuleAddress, {
-			...overrides,
+			...options,
 			isMultiChainSignature: true
 		});
 	}
@@ -6108,16 +6183,28 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 	* {@link AkSigner} instances. See
 	* {@link SafeAccountV0_3_0.signUserOperationWithSigners} for the full
 	* design rationale. Sets the multi-chain flag automatically.
+	*
+	* @param userOperation - UserOperation to sign
+	* @param signers - one ExternalSigner per owner (any order)
+	* @param chainId - target chain id
+	* @param options - {@link SafeSignatureOptions} — timing, multiChainMerkleProof, module address. The multi-chain flag is force-set true and overrides any caller value.
+	* @returns Promise resolving to the formatted signature string
 	*/
-	signUserOperationWithSigners(userOperation, signers, chainId, overrides = {}) {
+	signUserOperationWithSigners(userOperation, signers, chainId, options = {}) {
+		if (options.multiChainMerkleProof != null && options.multiChainMerkleProof.length > 0) throw new RangeError("signUserOperationWithSigners does not accept multiChainMerkleProof; use signUserOperationsWithSigners for multi-op Merkle signatures");
 		const context = {
 			userOperation,
 			chainId,
 			entryPoint: this.entrypointAddress
 		};
-		return SafeAccount.baseSignUserOperationWithSigners(userOperation, signers, chainId, this.entrypointAddress, this.safe4337ModuleAddress, context, {
-			...overrides,
-			isMultiChainSignature: true
+		return SafeAccount.baseSignUserOperationWithSigners(userOperation, signers, chainId, {
+			entrypointAddress: this.entrypointAddress,
+			safe4337ModuleAddress: this.safe4337ModuleAddress,
+			context,
+			options: {
+				...options,
+				isMultiChainSignature: true
+			}
 		});
 	}
 	/**
@@ -6238,10 +6325,15 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 			return userOpSignatures;
 		} else {
 			const u = userOperationsToSign[0];
-			return [await SafeAccount.baseSignUserOperationWithSigners(u.userOperation, signers, u.chainId, this.entrypointAddress, this.safe4337ModuleAddress, context, {
-				validAfter: u.validAfter,
-				validUntil: u.validUntil,
-				isMultiChainSignature: true
+			return [await SafeAccount.baseSignUserOperationWithSigners(u.userOperation, signers, u.chainId, {
+				entrypointAddress: this.entrypointAddress,
+				safe4337ModuleAddress: this.safe4337ModuleAddress,
+				context,
+				options: {
+					validAfter: u.validAfter,
+					validUntil: u.validUntil,
+					isMultiChainSignature: true
+				}
 			})];
 		}
 	}
@@ -6291,28 +6383,34 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 	*/
 	static formatSignaturesToUseroperationsSignatures(userOperationsToSign, signerSignaturePairs) {
 		if (userOperationsToSign.length < 1) throw new RangeError("There should be at least one userOperationsToSign");
-		const defaultOverrides = {
+		const defaultWebAuthnOverrides = {
 			eip7212WebAuthnPrecompileVerifier: SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER,
+			eip7212WebAuthnContractVerifier: SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER,
 			webAuthnSignerFactory: SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_FACTORY,
 			webAuthnSignerSingleton: SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON,
 			webAuthnSignerProxyCreationCode: SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE,
-			safe4337ModuleAddress: SafeMultiChainSigAccountV1.DEFAULT_SAFE_4337_MODULE_ADDRESS,
 			webAuthnSharedSigner: SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SHARED_SIGNER
 		};
+		const defaultOptions = { safe4337ModuleAddress: SafeMultiChainSigAccountV1.DEFAULT_SAFE_4337_MODULE_ADDRESS };
 		if (userOperationsToSign.length === 1) return [SafeAccount.formatSignaturesToUseroperationSignature(signerSignaturePairs, {
-			...defaultOverrides,
-			...userOperationsToSign[0].overrides,
+			...defaultOptions,
+			...defaultWebAuthnOverrides,
+			...userOperationsToSign[0].options,
+			...userOperationsToSign[0].webAuthnSignatureOverrides,
 			validAfter: userOperationsToSign[0].validAfter,
 			validUntil: userOperationsToSign[0].validUntil,
 			isMultiChainSignature: true
 		})];
 		const userOperationsHashes = [];
-		userOperationsToSign.forEach((userOperationToSign, _index) => {
+		const resolvedValidity = userOperationsToSign.map((userOperationToSign) => ({
+			validAfter: userOperationToSign.options?.validAfter ?? userOperationToSign.validAfter,
+			validUntil: userOperationToSign.options?.validUntil ?? userOperationToSign.validUntil
+		}));
+		userOperationsToSign.forEach((userOperationToSign, index) => {
 			const userOperationHash = SafeAccount.getUserOperationEip712Hash_V9(userOperationToSign.userOperation, userOperationToSign.chainId, {
-				validAfter: userOperationToSign.validAfter,
-				validUntil: userOperationToSign.validUntil,
-				safe4337ModuleAddress: userOperationToSign.overrides?.safe4337ModuleAddress ?? defaultOverrides.safe4337ModuleAddress
+				validAfter: resolvedValidity[index].validAfter,
+				validUntil: resolvedValidity[index].validUntil,
+				safe4337ModuleAddress: userOperationToSign.options?.safe4337ModuleAddress ?? defaultOptions.safe4337ModuleAddress
 			});
 			userOperationsHashes.push(userOperationHash);
 		});
@@ -6320,8 +6418,12 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 		const userOpSignatures = [];
 		userOperationsToSign.forEach((userOperationToSign, index) => {
 			userOpSignatures.push(SafeAccount.formatSignaturesToUseroperationSignature(signerSignaturePairs, {
-				...defaultOverrides,
-				...userOperationToSign.overrides,
+				...defaultOptions,
+				...defaultWebAuthnOverrides,
+				...userOperationToSign.options,
+				...userOperationToSign.webAuthnSignatureOverrides,
+				validAfter: resolvedValidity[index].validAfter,
+				validUntil: resolvedValidity[index].validUntil,
 				isMultiChainSignature: true,
 				multiChainMerkleProof: proofs[index]
 			}));
@@ -6332,7 +6434,7 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 		return SafeAccount.createWebAuthnSignerVerifierAddress(x, y, {
 			...overrides,
 			eip7212WebAuthnPrecompileVerifier: overrides.eip7212WebAuthnPrecompileVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER,
+			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER,
 			webAuthnSignerFactory: overrides.webAuthnSignerFactory ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_FACTORY,
 			webAuthnSignerSingleton: overrides.webAuthnSignerSingleton ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON,
 			webAuthnSignerProxyCreationCode: overrides.webAuthnSignerProxyCreationCode ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE
@@ -6342,7 +6444,7 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 		return SafeAccount.createDeployWebAuthnVerifierMetaTransaction(x, y, {
 			...overrides,
 			eip7212WebAuthnPrecompileVerifier: overrides.eip7212WebAuthnPrecompileVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER,
+			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER,
 			webAuthnSignerFactory: overrides.webAuthnSignerFactory ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_FACTORY
 		});
 	}
@@ -6350,7 +6452,7 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 		return SafeAccount.createDummySignerSignaturePairForExpectedSigners(expectedSigners, {
 			...webAuthnSignatureOverrides,
 			eip7212WebAuthnPrecompileVerifier: webAuthnSignatureOverrides.eip7212WebAuthnPrecompileVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: webAuthnSignatureOverrides.eip7212WebAuthnContractVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER,
+			eip7212WebAuthnContractVerifier: webAuthnSignatureOverrides.eip7212WebAuthnContractVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER,
 			webAuthnSignerFactory: webAuthnSignatureOverrides.webAuthnSignerFactory ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_FACTORY,
 			webAuthnSignerSingleton: webAuthnSignatureOverrides.webAuthnSignerSingleton ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON,
 			webAuthnSignerProxyCreationCode: webAuthnSignatureOverrides.webAuthnSignerProxyCreationCode ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE,
@@ -6361,7 +6463,7 @@ var SafeMultiChainSigAccountV1 = class SafeMultiChainSigAccountV1 extends SafeAc
 		return SafeAccount.verifyWebAuthnSignatureForMessageHash(nodeRpcUrl, signer, messageHash, signature, {
 			...overrides,
 			eip7212WebAuthnPrecompileVerifier: overrides.eip7212WebAuthnPrecompileVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_PRECOMPILE,
-			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_DAIMO_VERIFIER,
+			eip7212WebAuthnContractVerifier: overrides.eip7212WebAuthnContractVerifier ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER,
 			webAuthnSignerSingleton: overrides.webAuthnSignerSingleton ?? SafeMultiChainSigAccountV1.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON
 		});
 	}
@@ -6699,27 +6801,139 @@ var BaseSimple7702Account = class BaseSimple7702Account extends SmartAccount {
 		return new Wallet(privateKey).signingKey.sign(userOperationHash).serialized;
 	}
 	/**
-	* Schemes Simple7702 accepts from a Signer. Only raw-hash ECDSA, since
-	* the delegatee verifies a plain signature over the userOp hash.
+	* Schemes Simple7702 accepts from a Signer. EntryPoint v0.8/v0.9 introduced
+	* an EIP-712 domain at the EntryPoint contract, and the userOpHash IS the
+	* EIP-712 digest of the PackedUserOperation under that domain — so signing
+	* the typed data and signing the raw hash produce signatures that verify
+	* against the same `userOpHash` (and recover to the same signer address).
+	* Deterministic-ECDSA signers (ethers, viem, MetaMask) yield byte-identical
+	* bytes; signers that differ in `s` / `v` normalization still validate the
+	* same on-chain.
+	*
+	* `typedData` is listed first so JSON-RPC wallets that can only sign typed
+	* data work without a separate code path; `hash` remains a valid fallback
+	* for local-key signers.
 	*/
-	static ACCEPTED_SIGNING_SCHEMES = ["hash"];
+	static ACCEPTED_SIGNING_SCHEMES = ["typedData", "hash"];
 	/**
-	* Sign a UserOperation with an {@link AkSigner}. Signer must implement
-	* `signHash`, since Simple7702 only verifies raw ECDSA over the userOp
-	* hash. JSON-RPC wallets and anything that only provides `signTypedData`
-	* fail offline with a specific error.
+	* Build the EIP-712 typed data payload for a UserOperation under the
+	* EntryPoint v0.8 / v0.9 domain. Lower-level escape hatch for integrators
+	* driving `signTypedData` themselves with their own signing primitive
+	* (HSM, MPC, custom wallet abstraction). Most callers should pass an
+	* {@link AkSigner} to {@link signUserOperationWithSigner} instead, which
+	* builds this internally.
+	*
+	* The digest of the returned payload equals the UserOperation hash from
+	* {@link createUserOperationHash}, so a wallet calling
+	* `signTypedData(domain, types, message)` produces a signature that
+	* verifies against the same `userOpHash` as raw ECDSA over that hash.
+	* Deterministic-ECDSA signers yield byte-identical signatures; signers
+	* that differ in `s` / `v` normalization still validate the same on-chain.
+	*
+	* Common use cases beyond direct signing:
+	*   - Inspect / log the typed data the wallet will display.
+	*   - Render a custom confirmation UI before delegating to a wallet's
+	*     `signTypedData`.
+	*   - Drive non-`ExternalSigner`-shaped signers (HSM, MPC service,
+	*     backend signing pipelines).
+	*
+	* @param userOperation - Unsigned UserOperation to wrap
+	* @param chainId - Target chain ID (must match the chain that will validate
+	*   the signature)
+	* @returns EIP-712 {@link TypedData} payload ready for `signTypedData`
+	* @throws {AbstractionKitError} if this account targets an EntryPoint
+	*   version other than v0.8 / v0.9. Earlier EntryPoints define the
+	*   userOpHash differently and require raw-hash signing.
+	*/
+	getUserOperationEip712TypedData(userOperation, chainId) {
+		const ep = this.entrypointAddress.toLowerCase();
+		const isV9 = ep === ENTRYPOINT_V9.toLowerCase();
+		if (ep !== "0x4337084D9E255Ff0702461CF8895CE9E3b5Ff108".toLowerCase() && !isV9) throw new AbstractionKitError("BAD_DATA", `getUserOperationEip712TypedData supports EntryPoint v0.8 / v0.9 only; this account targets ${this.entrypointAddress}. Use signUserOperation (raw-hash ECDSA) for earlier EntryPoint versions.`);
+		const abiCoder = AbiCoder.defaultAbiCoder();
+		const initCode = buildPackedInitCodeV8V9(userOperation);
+		const accountGasLimits = "0x" + abiCoder.encode(["uint128"], [userOperation.verificationGasLimit]).slice(34) + abiCoder.encode(["uint128"], [userOperation.callGasLimit]).slice(34);
+		const gasFees = "0x" + abiCoder.encode(["uint128"], [userOperation.maxPriorityFeePerGas]).slice(34) + abiCoder.encode(["uint128"], [userOperation.maxFeePerGas]).slice(34);
+		const paymasterAndData = buildPaymasterAndData(userOperation, isV9);
+		return {
+			domain: {
+				name: "ERC4337",
+				version: "1",
+				chainId,
+				verifyingContract: this.entrypointAddress
+			},
+			types: { PackedUserOperation: [
+				{
+					name: "sender",
+					type: "address"
+				},
+				{
+					name: "nonce",
+					type: "uint256"
+				},
+				{
+					name: "initCode",
+					type: "bytes"
+				},
+				{
+					name: "callData",
+					type: "bytes"
+				},
+				{
+					name: "accountGasLimits",
+					type: "bytes32"
+				},
+				{
+					name: "preVerificationGas",
+					type: "uint256"
+				},
+				{
+					name: "gasFees",
+					type: "bytes32"
+				},
+				{
+					name: "paymasterAndData",
+					type: "bytes"
+				}
+			] },
+			primaryType: "PackedUserOperation",
+			message: {
+				sender: userOperation.sender,
+				nonce: userOperation.nonce,
+				initCode,
+				callData: userOperation.callData,
+				accountGasLimits,
+				preVerificationGas: userOperation.preVerificationGas,
+				gasFees,
+				paymasterAndData
+			}
+		};
+	}
+	/**
+	* Sign a UserOperation with an {@link AkSigner}. The signer can implement
+	* either `signTypedData` (preferred — JSON-RPC wallets, viem `WalletClient`)
+	* or `signHash` (local keys, hardware wallets). Both schemes produce
+	* signatures that validate against the same `userOpHash` because the
+	* v0.8 / v0.9 userOpHash IS the EIP-712 digest of the PackedUserOperation
+	* (deterministic-ECDSA signers yield byte-identical bytes).
+	*
+	* Signers that implement neither method fail offline with an actionable
+	* error.
 	*/
 	async baseSignUserOperationWithSigner(useroperation, signer, chainId) {
-		return invokeSigner(signer, pickScheme(signer, BaseSimple7702Account.ACCEPTED_SIGNING_SCHEMES, {
-			accountName: "Simple7702 (raw ECDSA over userOpHash)",
+		const scheme = pickScheme(signer, BaseSimple7702Account.ACCEPTED_SIGNING_SCHEMES, {
+			accountName: "Simple7702 (EIP-712 typed data or raw ECDSA over userOpHash)",
 			signerIndex: 0
-		}), {
-			hash: createUserOperationHash(useroperation, this.entrypointAddress, chainId),
-			context: {
-				userOperation: useroperation,
-				chainId,
-				entryPoint: this.entrypointAddress
-			}
+		});
+		const hash = createUserOperationHash(useroperation, this.entrypointAddress, chainId);
+		const context = {
+			userOperation: useroperation,
+			chainId,
+			entryPoint: this.entrypointAddress
+		};
+		return invokeSigner(signer, scheme, {
+			hash,
+			typedData: scheme === "typedData" ? this.getUserOperationEip712TypedData(useroperation, chainId) : void 0,
+			context
 		});
 	}
 	/**
@@ -6833,13 +7047,34 @@ var Simple7702Account = class Simple7702Account extends BaseSimple7702Account {
 		return this.baseSignUserOperation(useroperation, privateKey, chainId);
 	}
 	/**
-	* Sign a {@link UserOperationV8} using an {@link ExternalSigner}.
-	* Simple7702 only accepts raw-hash ECDSA; signers without `signHash`
-	* fail offline with an actionable error.
+	* Sign a {@link UserOperationV8} using an {@link ExternalSigner}. This is
+	* the recommended entry point for any non-private-key signer.
+	*
+	* Accepts signers that implement `signTypedData` (JSON-RPC wallets, viem
+	* `WalletClient`, browser wallets), `signHash` (local keys, hardware
+	* wallets), or both. The v0.8 userOpHash IS the EIP-712 digest of the
+	* PackedUserOperation under the EntryPoint domain, so both schemes
+	* produce signatures that validate against the same `userOpHash`.
+	*
+	* Wrapping a custom signing primitive is just an object literal; no
+	* adapter function required:
+	*
+	* ```ts
+	* const signer: ExternalSigner = {
+	*   address: ownerAddress,
+	*   signTypedData: async (td) => myWallet.signTypedData(td),
+	* }
+	* userOp.signature = await account.signUserOperationWithSigner(userOp, signer, chainId)
+	* ```
 	*
 	* For signing with a raw private-key string, use the sync
 	* {@link signUserOperation} method, or wrap explicitly with
 	* `fromPrivateKey(pk)`.
+	*
+	* @see {@link BaseSimple7702Account.getUserOperationEip712TypedData} for
+	*   the lower-level escape hatch when you need the typed data outside the
+	*   dispatcher (e.g., to render a custom confirmation UI or feed an HSM
+	*   that doesn't fit the {@link ExternalSigner} shape).
 	*/
 	async signUserOperationWithSigner(useroperation, signer, chainId) {
 		return this.baseSignUserOperationWithSigner(useroperation, signer, chainId);
@@ -6910,10 +7145,33 @@ var Simple7702AccountV09 = class Simple7702AccountV09 extends BaseSimple7702Acco
 		return this.baseSignUserOperation(useroperation, privateKey, chainId);
 	}
 	/**
-	* Sign a {@link UserOperationV9} using an {@link ExternalSigner}.
-	* Simple7702 only accepts raw-hash ECDSA; signers without `signHash`
-	* fail offline with an actionable error. For a raw pk string, use the
-	* sync {@link signUserOperation} method or wrap with `fromPrivateKey`.
+	* Sign a {@link UserOperationV9} using an {@link ExternalSigner}. This is
+	* the recommended entry point for any non-private-key signer.
+	*
+	* Accepts signers that implement `signTypedData` (JSON-RPC wallets, viem
+	* `WalletClient`, browser wallets), `signHash` (local keys, hardware
+	* wallets), or both. The v0.9 userOpHash IS the EIP-712 digest of the
+	* PackedUserOperation under the EntryPoint domain, so both schemes
+	* produce signatures that validate against the same `userOpHash`.
+	*
+	* Wrapping a custom signing primitive is just an object literal; no
+	* adapter function required:
+	*
+	* ```ts
+	* const signer: ExternalSigner = {
+	*   address: ownerAddress,
+	*   signTypedData: async (td) => myWallet.signTypedData(td),
+	* }
+	* userOp.signature = await account.signUserOperationWithSigner(userOp, signer, chainId)
+	* ```
+	*
+	* For signing with a raw private-key string, use the sync
+	* {@link signUserOperation} method, or wrap explicitly with
+	* `fromPrivateKey(pk)`.
+	*
+	* @see {@link BaseSimple7702Account.getUserOperationEip712TypedData} for
+	*   the lower-level escape hatch when you need the typed data outside the
+	*   dispatcher.
 	*/
 	async signUserOperationWithSigner(useroperation, signer, chainId) {
 		return this.baseSignUserOperationWithSigner(useroperation, signer, chainId);
@@ -7924,6 +8182,280 @@ function createWorldIdSignal(accountAddress, accountNonce, chainId) {
 	]));
 }
 //#endregion
+//#region src/account/Safe/adapters.ts
+/**
+* Adapt a WebAuthn credential to a Signer for `signUserOperationWithSigners`
+* on Safe accounts. Safe-specific (uses Safe's WebAuthn shared signer /
+* verifier proxy / signature encoding) — for non-Safe accounts, use the
+* account's own WebAuthn adapter.
+*
+* Hides the address routing (shared signer for the init UserOp, per-owner
+* verifier proxy after that), the `type: "contract"` tag, and the
+* Safe-specific signature encoding. The caller supplies a
+* {@link FromSafeWebauthnParams.getAssertion} callback that runs the
+* actual WebAuthn ceremony — this is where you call
+* `navigator.credentials.get(...)` (browser) or an equivalent native
+* bridge, since the SDK doesn't import `navigator` itself.
+*
+* Only `signHash` is exposed: WebAuthn signs a flat challenge, so a typed-data
+* preview would never reach the authenticator anyway.
+*
+* **Override consistency.** Pass the same `accountClass` you passed to
+* `initializeNewAccount` so the adapter sources the right Safe Passkey
+* module defaults — v0.2.0 / FCL P256 for `SafeAccount` / `SafeAccountV0_2_0`
+* / `SafeAccountV0_3_0`, v0.2.1 / Daimo P256 + RIP-7951 for
+* `SafeMultiChainSigAccountV1`. Every individual WebAuthn override
+* (`webAuthnSharedSigner`, `webAuthnSignerFactory`, `webAuthnSignerSingleton`,
+* `webAuthnSignerProxyCreationCode`, `eip7212WebAuthnPrecompileVerifier`,
+* `eip7212WebAuthnContractVerifier`) must likewise match what was passed to
+* `InitCodeOverrides` at init time — only set them when you've also
+* overridden them at init. The on-chain owner set is locked to whatever was
+* used at init: `webAuthnSharedSigner` for `isInit=true`, the deterministic
+* verifier proxy derived from the other five for `isInit=false`. A mismatch
+* produces a signature pointing at an address that isn't an owner; on-chain
+* `checkSignatures` reverts with `GS026` and the bundler surfaces it as a
+* generic "Invalid UserOp signature" with no offline diagnostic.
+*
+* @example
+* import { fromSafeWebauthn, SafeAccountV0_3_0 } from "abstractionkit";
+*
+* // Pass `expectedSigners: [{ x, y }]` so createUserOperation picks the
+* // WebAuthn dummy signature for gas estimation. Without it, the
+* // bundler sizes verification gas against the EOA dummy and the
+* // real signed UserOp gets rejected (or under-budgeted on-chain) at submit.
+* let userOperation = await safe.createUserOperation(
+*   transactions, nodeUrl, bundlerUrl,
+*   { expectedSigners: [{ x, y }] },
+* );
+*
+* const signer = fromSafeWebauthn({
+*   publicKey: { x, y },
+*   isInit: userOperation.nonce === 0n,
+*   accountClass: SafeAccountV0_3_0, // SafeMultiChainSigAccountV1 for multi-chain
+*   getAssertion: async (challenge) => {
+*     const assertion = await navigator.credentials.get({
+*       publicKey: { challenge, rpId, allowCredentials, userVerification },
+*     });
+*     return {
+*       authenticatorData: assertion.response.authenticatorData,
+*       clientDataFields: extractClientDataFields(assertion.response),
+*       rs: extractSignature(assertion.response),
+*     };
+*   },
+* });
+* userOperation.signature = await safe.signUserOperationWithSigners(
+*   userOperation, [signer], chainId,
+* );
+*/
+function fromSafeWebauthn(params) {
+	const { publicKey, isInit, getAssertion, accountClass, webAuthnSharedSigner, webAuthnSignerFactory, webAuthnSignerSingleton, webAuthnSignerProxyCreationCode, eip7212WebAuthnPrecompileVerifier, eip7212WebAuthnContractVerifier } = params;
+	if (typeof publicKey?.x !== "bigint" || typeof publicKey?.y !== "bigint") throw new TypeError("fromSafeWebauthn: publicKey.x and publicKey.y must be bigint. If they round-tripped through JSON.parse, hydrate them back to bigint first (e.g. BigInt(value) for decimal strings, or use a JSON reviver).");
+	return {
+		address: isInit ? webAuthnSharedSigner ?? accountClass.DEFAULT_WEB_AUTHN_SHARED_SIGNER : SafeAccount.createWebAuthnSignerVerifierAddress(publicKey.x, publicKey.y, {
+			webAuthnSignerFactory: webAuthnSignerFactory ?? accountClass.DEFAULT_WEB_AUTHN_SIGNER_FACTORY,
+			webAuthnSignerSingleton: webAuthnSignerSingleton ?? accountClass.DEFAULT_WEB_AUTHN_SIGNER_SINGLETON,
+			webAuthnSignerProxyCreationCode: webAuthnSignerProxyCreationCode ?? accountClass.DEFAULT_WEB_AUTHN_SIGNER_PROXY_CREATION_CODE,
+			eip7212WebAuthnPrecompileVerifier: eip7212WebAuthnPrecompileVerifier ?? accountClass.DEFAULT_WEB_AUTHN_PRECOMPILE,
+			eip7212WebAuthnContractVerifier: eip7212WebAuthnContractVerifier ?? accountClass.DEFAULT_WEB_AUTHN_CONTRACT_VERIFIER
+		}),
+		type: "contract",
+		signHash: async (hash) => {
+			const assertion = await getAssertion(getBytes(hash));
+			return SafeAccount.createWebAuthnSignature(assertion);
+		}
+	};
+}
+/**
+* Coerce a `{ x, y }` pair where each coord may be `bigint`, hex string
+* (`"0x..."`), decimal string, or a safe-integer number into a canonical
+* {@link WebauthnPublicKey} with bigint coords. Used internally by
+* {@link pubkeyCoordinatesFromJson} — for non-JSON inputs (URL params,
+* RPC responses), pass the pre-parsed object straight to that helper.
+*
+* @throws if either coordinate is missing, the wrong type, or an
+* unparseable string.
+*/
+function toBigintPubkey(pubkey) {
+	if (!pubkey || pubkey.x == null || pubkey.y == null) throw new Error("toBigintPubkey: pubkey must be `{ x, y }` with both coords set");
+	return {
+		x: coerceBigint(pubkey.x, "x"),
+		y: coerceBigint(pubkey.y, "y")
+	};
+}
+function coerceBigint(v, field) {
+	let coerced;
+	if (typeof v === "bigint") coerced = v;
+	else if (typeof v === "string") try {
+		coerced = BigInt(v);
+	} catch {
+		throw new Error(`toBigintPubkey: pubkey.${field} ("${v}") is not a valid bigint string. Accepted: non-negative bigint, decimal string, or 0x-prefixed hex string.`);
+	}
+	else if (typeof v === "number") {
+		if (!Number.isSafeInteger(v)) throw new Error(`toBigintPubkey: pubkey.${field} is a Number but not a safe integer. Pass as bigint or hex string to avoid precision loss.`);
+		coerced = BigInt(v);
+	} else throw new Error(`toBigintPubkey: pubkey.${field} must be bigint, string, or number (got ${typeof v})`);
+	if (coerced < 0n) throw new Error(`toBigintPubkey: pubkey.${field} must be non-negative (got ${coerced.toString()}). P-256 coordinates are non-negative field elements; negative values aren't valid and would break canonical JSON round-trip serialization.`);
+	return coerced;
+}
+/**
+* Serialize a WebAuthn pubkey to a JSON string with hex-encoded
+* coordinates. Inverse of {@link pubkeyCoordinatesFromJson}.
+*
+* Any JSON-string persistence — localStorage, backend indexes, query
+* strings, IPC payloads — eventually needs a custom replacer for
+* `bigint` (which `JSON.stringify` can't serialize on its own). This
+* helper ships the canonical version so the round-trip is consistent
+* across call sites.
+*
+* @example
+* ```ts
+* localStorage.setItem("passkey", pubkeyCoordinatesToJson({ x: 0x7a..., y: 0x2e... }));
+* // Stored as: {"x":"0x7a...","y":"0x2e..."}
+* ```
+*/
+function pubkeyCoordinatesToJson(pubkey) {
+	return JSON.stringify({
+		x: "0x" + pubkey.x.toString(16),
+		y: "0x" + pubkey.y.toString(16)
+	});
+}
+/**
+* Parse a JSON string produced by {@link pubkeyCoordinatesToJson} (or
+* any JSON object with `x` / `y` fields as bigint-compatible values)
+* back into a {@link WebauthnPublicKey} with bigint coords.
+*
+* Lenient about input shape: accepts a JSON string, a pre-parsed object
+* (skip `JSON.parse` if you already ran it), and either hex (`"0x..."`)
+* or decimal-string coords. Same one-line cost regardless of where the
+* string came from — localStorage, backend response, query parameter.
+*
+* @example
+* ```ts
+* const raw = localStorage.getItem("passkey");
+* if (raw) {
+*   const pubkey = pubkeyCoordinatesFromJson(raw);
+*   // pubkey: { x: bigint, y: bigint }
+* }
+* ```
+*/
+function pubkeyCoordinatesFromJson(input) {
+	return toBigintPubkey(typeof input === "string" ? JSON.parse(input) : input);
+}
+/**
+* Turn a structural {@link AuthenticatorAssertionLike} into
+* {@link WebauthnSignatureData}, ready to feed straight into
+* `SafeAccount.createWebAuthnSignature` or the `getAssertion` callback
+* of `fromSafeWebauthn`.
+*
+* Replaces the ~13-line manual pipeline every Safe-passkeys consumer
+* has been writing — `JSON.parse` of `clientDataJSON`, destructure +
+* re-serialize the non-`type` / non-`challenge` fields, hex-encode,
+* normalize `authenticatorData`, parse DER signature → `(r, s)` —
+* with a single call.
+*
+* @example Browser:
+* ```ts
+* const assertion = await navigator.credentials.get({...});
+* return webauthnSignatureFromAssertion(assertion.response);
+* ```
+*
+* @example `ox/WebAuthnP256`:
+* ```ts
+* const { metadata, signature } = await sign({ challenge, credentialId });
+* return webauthnSignatureFromAssertion({
+*   authenticatorData: metadata.authenticatorData, // hex string from ox
+*   clientDataJSON: metadata.clientDataJSON,       // string from ox
+*   signature,                                      // { r, s } from ox
+* });
+* ```
+*/
+function webauthnSignatureFromAssertion(response) {
+	const authenticatorData = toArrayBuffer(response.authenticatorData);
+	const clientDataJSON = toUtf8String(response.clientDataJSON);
+	const rs = toRSPair(response.signature);
+	return {
+		authenticatorData,
+		clientDataFields: extractClientDataFieldsHex(clientDataJSON),
+		rs: [rs.r, rs.s]
+	};
+}
+function toArrayBuffer(input) {
+	if (input instanceof ArrayBuffer) return input;
+	const bytes = getBytes(input);
+	return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
+}
+function toUtf8String(input) {
+	if (typeof input === "string") return input;
+	const bytes = input instanceof Uint8Array ? input : new Uint8Array(input);
+	return new TextDecoder("utf-8").decode(bytes);
+}
+function toRSPair(input) {
+	if (input !== null && typeof input === "object" && "r" in input && "s" in input && typeof input.r === "bigint" && typeof input.s === "bigint") return {
+		r: input.r,
+		s: input.s
+	};
+	return parseDerP256Signature(input instanceof Uint8Array ? input : new Uint8Array(input));
+}
+/**
+* Re-serialize every clientDataJSON field except `type` and `challenge`.
+* Robust to authenticators adding or reordering keys (e.g. Safari's
+* `crossOrigin`, future WebAuthn L3 fields) — parses JSON instead of
+* using a regex, validates the shape is a plain object, and emits hex
+* via `TextEncoder` (browser-safe; `Buffer` isn't defined in Vite /
+* Rollup / esbuild bundles without a polyfill).
+*/
+function extractClientDataFieldsHex(clientDataJSON) {
+	let parsed;
+	try {
+		parsed = JSON.parse(clientDataJSON);
+	} catch (err) {
+		throw new Error(`webauthnSignatureFromAssertion: clientDataJSON is not valid JSON (${err.message})`);
+	}
+	if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) throw new Error(`webauthnSignatureFromAssertion: clientDataJSON must parse to a plain object (got ${parsed === null ? "null" : Array.isArray(parsed) ? "array" : typeof parsed})`);
+	const { type: _type, challenge: _challenge, ...rest } = parsed;
+	const fields = Object.entries(rest).map(([key, value]) => `"${key}":${JSON.stringify(value)}`).join(",");
+	return hexlify(new TextEncoder().encode(fields));
+}
+/**
+* Parse a DER-encoded ECDSA P-256 signature into `(r, s)` bigints with
+* low-S normalization. Defends against truncated / malformed DER: every
+* length and tag is bounds-checked against the buffer before slicing,
+* because `Uint8Array.subarray` silently clamps OOB indices and would
+* otherwise produce attacker-controlled-length r/s.
+*
+* DER layout:
+*   0x30 | total-len | 0x02 | r-len | r-bytes | 0x02 | s-len | s-bytes
+*/
+function parseDerP256Signature(der) {
+	const malformed = () => /* @__PURE__ */ new Error("webauthnSignatureFromAssertion: malformed DER signature");
+	if (der.length < 8 || der[0] !== 48) throw malformed();
+	const headerLen = der[1] === 129 ? 3 : 2;
+	const outerLen = der[1] === 129 ? der[2] : der[1];
+	if (der.length !== headerLen + outerLen) throw malformed();
+	let offset = headerLen;
+	if (offset + 2 > der.length) throw malformed();
+	if (der[offset] !== 2) throw malformed();
+	const rLen = der[offset + 1];
+	if (rLen <= 0 || offset + 2 + rLen > der.length) throw malformed();
+	const rBytes = der.subarray(offset + 2, offset + 2 + rLen);
+	offset += 2 + rLen;
+	if (offset + 2 > der.length) throw malformed();
+	if (der[offset] !== 2) throw malformed();
+	const sLen = der[offset + 1];
+	if (sLen <= 0 || offset + 2 + sLen > der.length) throw malformed();
+	const sBytes = der.subarray(offset + 2, offset + 2 + sLen);
+	if (offset + 2 + sLen !== der.length) throw malformed();
+	const r = rBytes.length === 0 ? 0n : BigInt(hexlify(rBytes));
+	let s = sBytes.length === 0 ? 0n : BigInt(hexlify(sBytes));
+	const P256_N = 115792089210356248762697446949407573529996955224135760342422259061068512044369n;
+	const P256_N_HALF = P256_N >> 1n;
+	if (s > P256_N_HALF) s = P256_N - s;
+	return {
+		r,
+		s
+	};
+}
+//#endregion
 //#region src/signer/adapters.ts
 /**
 * Build a Signer from a raw private-key hex string. Supports both raw-hash
@@ -8062,6 +8594,7 @@ var abstractionkit_exports = /* @__PURE__ */ __exportAll({
 	fetchGasPrice: () => fetchGasPrice,
 	fromEthersWallet: () => fromEthersWallet,
 	fromPrivateKey: () => fromPrivateKey,
+	fromSafeWebauthn: () => fromSafeWebauthn,
 	fromViem: () => fromViem,
 	fromViemWalletClient: () => fromViemWalletClient,
 	getBalanceOf: () => getBalanceOf,
@@ -8069,6 +8602,8 @@ var abstractionkit_exports = /* @__PURE__ */ __exportAll({
 	getDepositInfo: () => getDepositInfo,
 	getFunctionSelector: () => getFunctionSelector,
 	getSafeMessageEip712Data: () => getSafeMessageEip712Data,
+	pubkeyCoordinatesFromJson: () => pubkeyCoordinatesFromJson,
+	pubkeyCoordinatesToJson: () => pubkeyCoordinatesToJson,
 	sendJsonRpcRequest: () => sendJsonRpcRequest,
 	shareTenderlySimulationAndCreateLink: () => shareTenderlySimulationAndCreateLink,
 	signHash: () => signHash,
@@ -8077,9 +8612,10 @@ var abstractionkit_exports = /* @__PURE__ */ __exportAll({
 	simulateUserOperationCallDataWithTenderly: () => simulateUserOperationCallDataWithTenderly,
 	simulateUserOperationCallDataWithTenderlyAndCreateShareLink: () => simulateUserOperationCallDataWithTenderlyAndCreateShareLink,
 	simulateUserOperationWithTenderly: () => simulateUserOperationWithTenderly,
-	simulateUserOperationWithTenderlyAndCreateShareLink: () => simulateUserOperationWithTenderlyAndCreateShareLink
+	simulateUserOperationWithTenderlyAndCreateShareLink: () => simulateUserOperationWithTenderlyAndCreateShareLink,
+	webauthnSignatureFromAssertion: () => webauthnSignatureFromAssertion
 });
 //#endregion
-export { ALLOWANCE_MODULE_V0_1_0_ADDRESS, AbstractionKitError, AllowanceModule, BaseUserOperationDummyValues, Bundler, CALIBUR_CANDIDE_V0_1_0_SINGLETON_ADDRESS, CALIBUR_UNISWAP_V1_0_0_SINGLETON_ADDRESS, Calibur7702Account, CaliburKeyType, CandidePaymaster, DEFAULT_SECP256R1_PRECOMPILE_ADDRESS, EIP712_MULTI_CHAIN_OPERATIONS_PRIMARY_TYPE, EIP712_MULTI_CHAIN_OPERATIONS_TYPE, EIP712_RECOVERY_MODULE_TYPE, EIP712_SAFE_OPERATION_PRIMARY_TYPE, EIP712_SAFE_OPERATION_V6_TYPE, EIP712_SAFE_OPERATION_V7_TYPE, ENTRYPOINT_V6, ENTRYPOINT_V7, ENTRYPOINT_V8, ENTRYPOINT_V9, EOADummySignerSignaturePair, EXECUTE_RECOVERY_PRIMARY_TYPE, Erc7677Paymaster, ExperimentalAllowAllParallelPaymaster, GasOption, Operation, PolygonChain, SAFE_MESSAGE_MODULE_TYPE, SAFE_MESSAGE_PRIMARY_TYPE, SafeAccountFactory, SafeAccountV0_2_0, SafeAccountV0_3_0, SafeAccountV1_5_0_M_0_3_0, SafeModuleExecutorFunctionSelector, SafeMultiChainSigAccountV1, SendUseroperationResponse, Simple7702Account, Simple7702AccountV09, SmartAccount, SmartAccountFactory, SocialRecoveryModule, SocialRecoveryModuleGracePeriodSelector, WebauthnDummySignerSignaturePair, WorldIdPermissionlessPaymaster, ZeroAddress, abstractionkit_exports as abstractionkit, calculateUserOperationMaxGasCost, callTenderlySimulateBundle, createAndSignEip7702DelegationAuthorization, createAndSignEip7702RawTransaction, createAndSignLegacyRawTransaction, createCallData, createEip7702DelegationAuthorizationHash, createEip7702TransactionHash, createUserOperationHash, createWorldIdSignal, fetchAccountNonce, fetchGasPrice, fromEthersWallet, fromPrivateKey, fromViem, fromViemWalletClient, getBalanceOf, getDelegatedAddress, getDepositInfo, getFunctionSelector, getSafeMessageEip712Data, sendJsonRpcRequest, shareTenderlySimulationAndCreateLink, signHash, simulateSenderCallDataWithTenderly, simulateSenderCallDataWithTenderlyAndCreateShareLink, simulateUserOperationCallDataWithTenderly, simulateUserOperationCallDataWithTenderlyAndCreateShareLink, simulateUserOperationWithTenderly, simulateUserOperationWithTenderlyAndCreateShareLink };
+export { ALLOWANCE_MODULE_V0_1_0_ADDRESS, AbstractionKitError, AllowanceModule, BaseUserOperationDummyValues, Bundler, CALIBUR_CANDIDE_V0_1_0_SINGLETON_ADDRESS, CALIBUR_UNISWAP_V1_0_0_SINGLETON_ADDRESS, Calibur7702Account, CaliburKeyType, CandidePaymaster, DEFAULT_SECP256R1_PRECOMPILE_ADDRESS, EIP712_MULTI_CHAIN_OPERATIONS_PRIMARY_TYPE, EIP712_MULTI_CHAIN_OPERATIONS_TYPE, EIP712_RECOVERY_MODULE_TYPE, EIP712_SAFE_OPERATION_PRIMARY_TYPE, EIP712_SAFE_OPERATION_V6_TYPE, EIP712_SAFE_OPERATION_V7_TYPE, ENTRYPOINT_V6, ENTRYPOINT_V7, ENTRYPOINT_V8, ENTRYPOINT_V9, EOADummySignerSignaturePair, EXECUTE_RECOVERY_PRIMARY_TYPE, Erc7677Paymaster, ExperimentalAllowAllParallelPaymaster, GasOption, Operation, PolygonChain, SAFE_MESSAGE_MODULE_TYPE, SAFE_MESSAGE_PRIMARY_TYPE, SafeAccountFactory, SafeAccountV0_2_0, SafeAccountV0_3_0, SafeAccountV1_5_0_M_0_3_0, SafeModuleExecutorFunctionSelector, SafeMultiChainSigAccountV1, SendUseroperationResponse, Simple7702Account, Simple7702AccountV09, SmartAccount, SmartAccountFactory, SocialRecoveryModule, SocialRecoveryModuleGracePeriodSelector, WebauthnDummySignerSignaturePair, WorldIdPermissionlessPaymaster, ZeroAddress, abstractionkit_exports as abstractionkit, calculateUserOperationMaxGasCost, callTenderlySimulateBundle, createAndSignEip7702DelegationAuthorization, createAndSignEip7702RawTransaction, createAndSignLegacyRawTransaction, createCallData, createEip7702DelegationAuthorizationHash, createEip7702TransactionHash, createUserOperationHash, createWorldIdSignal, fetchAccountNonce, fetchGasPrice, fromEthersWallet, fromPrivateKey, fromSafeWebauthn, fromViem, fromViemWalletClient, getBalanceOf, getDelegatedAddress, getDepositInfo, getFunctionSelector, getSafeMessageEip712Data, pubkeyCoordinatesFromJson, pubkeyCoordinatesToJson, sendJsonRpcRequest, shareTenderlySimulationAndCreateLink, signHash, simulateSenderCallDataWithTenderly, simulateSenderCallDataWithTenderlyAndCreateShareLink, simulateUserOperationCallDataWithTenderly, simulateUserOperationCallDataWithTenderlyAndCreateShareLink, simulateUserOperationWithTenderly, simulateUserOperationWithTenderlyAndCreateShareLink, webauthnSignatureFromAssertion };
 
 //# sourceMappingURL=index.mjs.map