w3pk 0.10.0 → 0.10.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -0
- package/dist/index.d.mts +44 -12
- package/dist/index.d.ts +44 -12
- package/dist/index.js +32 -30
- package/dist/index.js.map +1 -1
- package/dist/index.mjs +33 -31
- package/dist/index.mjs.map +1 -1
- package/dist/inspect/browser.d.mts +5 -0
- package/dist/inspect/browser.d.ts +5 -0
- package/dist/inspect/browser.js +20 -3
- package/dist/inspect/browser.js.map +1 -1
- package/dist/inspect/browser.mjs +20 -3
- package/dist/inspect/browser.mjs.map +1 -1
- package/dist/inspect/index.js +20 -3
- package/dist/inspect/index.js.map +1 -1
- package/dist/inspect/index.mjs +20 -3
- package/dist/inspect/index.mjs.map +1 -1
- package/dist/inspect/node.d.mts +5 -0
- package/dist/inspect/node.d.ts +5 -0
- package/dist/inspect/node.js +13 -2
- package/dist/inspect/node.js.map +1 -1
- package/dist/inspect/node.mjs +13 -2
- package/dist/inspect/node.mjs.map +1 -1
- package/docs/API_REFERENCE.md +10 -91
- package/docs/ARCHITECTURE.md +45 -42
- package/docs/BUILD_VERIFICATION.md +3 -3
- package/docs/INTEGRATION_GUIDELINES.md +6 -9
- package/docs/SECURITY.md +155 -314
- package/package.json +1 -1
- package/dist/chainlist/index.d.mts +0 -96
- package/dist/chainlist/index.d.ts +0 -96
package/README.md
CHANGED
|
@@ -257,6 +257,8 @@ await w3pk.clearSession()
|
|
|
257
257
|
|
|
258
258
|
**Note:** STRICT mode never allows persistent sessions.
|
|
259
259
|
|
|
260
|
+
**PRF-keyed persistence:** persistent sessions are encrypted under a key derived from the WebAuthn PRF extension (an authenticator-held secret, released only during a biometric/PIN-verified assertion) and re-keyed at every real login. Authenticators without PRF support get in-memory sessions only — there is no weaker at-rest fallback. See [Security Architecture](./docs/SECURITY.md) for details.
|
|
261
|
+
|
|
260
262
|
### RPC Endpoints
|
|
261
263
|
|
|
262
264
|
```typescript
|
|
@@ -428,6 +430,8 @@ console.log('Verified:', isValid ? '✅' : '❌')
|
|
|
428
430
|
|
|
429
431
|
### Security Inspection
|
|
430
432
|
|
|
433
|
+
> **⚠️ Privacy Notice:** This optional feature sends application source code to an external API (Rukh) for AI analysis. User IP address will be visible to the API server.
|
|
434
|
+
|
|
431
435
|
Analyze web3 applications to understand their transaction and signing methods:
|
|
432
436
|
|
|
433
437
|
**Browser (analyze current page):**
|
package/dist/index.d.mts
CHANGED
|
@@ -386,11 +386,20 @@ declare class ApiError extends Web3PasskeyError {
|
|
|
386
386
|
* Enables "Remember Me" functionality for STANDARD and YOLO mode wallets.
|
|
387
387
|
*
|
|
388
388
|
* SECURITY:
|
|
389
|
-
* -
|
|
389
|
+
* - The mnemonic blob is encrypted with a key derived from the WebAuthn PRF
|
|
390
|
+
* extension: a secret the authenticator releases only during a
|
|
391
|
+
* user-verified assertion. Nothing stored on disk can re-derive it.
|
|
392
|
+
* - requireReauth: true → the key is NOT stored; every restore re-evaluates
|
|
393
|
+
* the PRF on a live assertion. The blob is hardware-bound at rest.
|
|
394
|
+
* - requireReauth: false → the key is stored as a NON-EXTRACTABLE CryptoKey
|
|
395
|
+
* so silent restore works without a prompt. Scripts can use it but never
|
|
396
|
+
* read its bytes; it is refreshed at every real (prompted) login.
|
|
397
|
+
* - Authenticators without PRF get no persistent sessions (in-memory only) —
|
|
398
|
+
* there is deliberately no weaker fallback encryption.
|
|
390
399
|
* - Only enabled for STANDARD and YOLO modes (STRICT mode excluded)
|
|
391
|
-
* - Time-limited expiration
|
|
392
|
-
*
|
|
393
|
-
*
|
|
400
|
+
* - Time-limited expiration; the expiry IS the renewal boundary: when the
|
|
401
|
+
* blob expires, the next login prompts, and that assertion's PRF output
|
|
402
|
+
* re-keys a fresh blob.
|
|
394
403
|
*/
|
|
395
404
|
|
|
396
405
|
/**
|
|
@@ -521,6 +530,12 @@ declare class Web3Passkey {
|
|
|
521
530
|
login(): Promise<UserInfo>;
|
|
522
531
|
/**
|
|
523
532
|
* Logout current user and clear session
|
|
533
|
+
*
|
|
534
|
+
* The user is always logged out in memory, even if clearing persistent
|
|
535
|
+
* storage fails — in that case a StorageError is thrown so the app knows
|
|
536
|
+
* a persistent session may still exist on the device
|
|
537
|
+
*
|
|
538
|
+
* @throws {StorageError} if persistent sessions could not be cleared
|
|
524
539
|
*/
|
|
525
540
|
logout(): Promise<void>;
|
|
526
541
|
get isAuthenticated(): boolean;
|
|
@@ -1009,6 +1024,8 @@ declare class Web3Passkey {
|
|
|
1009
1024
|
/**
|
|
1010
1025
|
* Clear active session
|
|
1011
1026
|
* Also clears ALL persistent sessions from IndexedDB
|
|
1027
|
+
*
|
|
1028
|
+
* @throws {StorageError} if persistent sessions could not be cleared
|
|
1012
1029
|
*/
|
|
1013
1030
|
clearSession(): Promise<void>;
|
|
1014
1031
|
/**
|
|
@@ -1016,6 +1033,14 @@ declare class Web3Passkey {
|
|
|
1016
1033
|
* @param hours - Duration in hours
|
|
1017
1034
|
*/
|
|
1018
1035
|
setSessionDuration(hours: number): void;
|
|
1036
|
+
/**
|
|
1037
|
+
* Update the persistent-session duration (the "Remember Me" window).
|
|
1038
|
+
* Takes effect the next time a session is persisted — i.e. at the next
|
|
1039
|
+
* real (prompted) login, which is also when the blob is re-keyed with a
|
|
1040
|
+
* fresh PRF-derived key. The duration is therefore the renewal interval.
|
|
1041
|
+
* @param hours - Duration in hours
|
|
1042
|
+
*/
|
|
1043
|
+
setPersistentSessionDuration(hours: number): void;
|
|
1019
1044
|
/**
|
|
1020
1045
|
* Derive ML-KEM-1024 public key from the current wallet
|
|
1021
1046
|
*
|
|
@@ -1301,6 +1326,15 @@ declare function verifyEIP7702Authorization(chainId: bigint, contractAddress: st
|
|
|
1301
1326
|
s: string;
|
|
1302
1327
|
} | string, expectedSigner: string): boolean;
|
|
1303
1328
|
|
|
1329
|
+
/** Client extension results consumed by w3pk (subset of the WebAuthn spec) */
|
|
1330
|
+
interface PrfExtensionResults {
|
|
1331
|
+
prf?: {
|
|
1332
|
+
enabled?: boolean;
|
|
1333
|
+
results?: {
|
|
1334
|
+
first?: ArrayBuffer;
|
|
1335
|
+
};
|
|
1336
|
+
};
|
|
1337
|
+
}
|
|
1304
1338
|
/**
|
|
1305
1339
|
* Native WebAuthn credential response (authentication)
|
|
1306
1340
|
*/
|
|
@@ -1314,14 +1348,7 @@ interface AuthenticationCredential {
|
|
|
1314
1348
|
signature: ArrayBuffer;
|
|
1315
1349
|
userHandle?: ArrayBuffer;
|
|
1316
1350
|
};
|
|
1317
|
-
getClientExtensionResults():
|
|
1318
|
-
prf?: {
|
|
1319
|
-
results?: {
|
|
1320
|
-
first?: ArrayBuffer;
|
|
1321
|
-
second?: ArrayBuffer;
|
|
1322
|
-
};
|
|
1323
|
-
};
|
|
1324
|
-
};
|
|
1351
|
+
getClientExtensionResults(): PrfExtensionResults;
|
|
1325
1352
|
}
|
|
1326
1353
|
|
|
1327
1354
|
/**
|
|
@@ -2121,6 +2148,11 @@ interface BrowserInspectOptions {
|
|
|
2121
2148
|
* @default 'transactions'
|
|
2122
2149
|
*/
|
|
2123
2150
|
focusMode?: "transactions" | "all";
|
|
2151
|
+
/**
|
|
2152
|
+
* Maximum total size in KB for all collected code (prevents exceeding API token limits)
|
|
2153
|
+
* @default 100
|
|
2154
|
+
*/
|
|
2155
|
+
maxTotalSizeKB?: number;
|
|
2124
2156
|
}
|
|
2125
2157
|
/**
|
|
2126
2158
|
* Result of a browser-based inspection
|
package/dist/index.d.ts
CHANGED
|
@@ -386,11 +386,20 @@ declare class ApiError extends Web3PasskeyError {
|
|
|
386
386
|
* Enables "Remember Me" functionality for STANDARD and YOLO mode wallets.
|
|
387
387
|
*
|
|
388
388
|
* SECURITY:
|
|
389
|
-
* -
|
|
389
|
+
* - The mnemonic blob is encrypted with a key derived from the WebAuthn PRF
|
|
390
|
+
* extension: a secret the authenticator releases only during a
|
|
391
|
+
* user-verified assertion. Nothing stored on disk can re-derive it.
|
|
392
|
+
* - requireReauth: true → the key is NOT stored; every restore re-evaluates
|
|
393
|
+
* the PRF on a live assertion. The blob is hardware-bound at rest.
|
|
394
|
+
* - requireReauth: false → the key is stored as a NON-EXTRACTABLE CryptoKey
|
|
395
|
+
* so silent restore works without a prompt. Scripts can use it but never
|
|
396
|
+
* read its bytes; it is refreshed at every real (prompted) login.
|
|
397
|
+
* - Authenticators without PRF get no persistent sessions (in-memory only) —
|
|
398
|
+
* there is deliberately no weaker fallback encryption.
|
|
390
399
|
* - Only enabled for STANDARD and YOLO modes (STRICT mode excluded)
|
|
391
|
-
* - Time-limited expiration
|
|
392
|
-
*
|
|
393
|
-
*
|
|
400
|
+
* - Time-limited expiration; the expiry IS the renewal boundary: when the
|
|
401
|
+
* blob expires, the next login prompts, and that assertion's PRF output
|
|
402
|
+
* re-keys a fresh blob.
|
|
394
403
|
*/
|
|
395
404
|
|
|
396
405
|
/**
|
|
@@ -521,6 +530,12 @@ declare class Web3Passkey {
|
|
|
521
530
|
login(): Promise<UserInfo>;
|
|
522
531
|
/**
|
|
523
532
|
* Logout current user and clear session
|
|
533
|
+
*
|
|
534
|
+
* The user is always logged out in memory, even if clearing persistent
|
|
535
|
+
* storage fails — in that case a StorageError is thrown so the app knows
|
|
536
|
+
* a persistent session may still exist on the device
|
|
537
|
+
*
|
|
538
|
+
* @throws {StorageError} if persistent sessions could not be cleared
|
|
524
539
|
*/
|
|
525
540
|
logout(): Promise<void>;
|
|
526
541
|
get isAuthenticated(): boolean;
|
|
@@ -1009,6 +1024,8 @@ declare class Web3Passkey {
|
|
|
1009
1024
|
/**
|
|
1010
1025
|
* Clear active session
|
|
1011
1026
|
* Also clears ALL persistent sessions from IndexedDB
|
|
1027
|
+
*
|
|
1028
|
+
* @throws {StorageError} if persistent sessions could not be cleared
|
|
1012
1029
|
*/
|
|
1013
1030
|
clearSession(): Promise<void>;
|
|
1014
1031
|
/**
|
|
@@ -1016,6 +1033,14 @@ declare class Web3Passkey {
|
|
|
1016
1033
|
* @param hours - Duration in hours
|
|
1017
1034
|
*/
|
|
1018
1035
|
setSessionDuration(hours: number): void;
|
|
1036
|
+
/**
|
|
1037
|
+
* Update the persistent-session duration (the "Remember Me" window).
|
|
1038
|
+
* Takes effect the next time a session is persisted — i.e. at the next
|
|
1039
|
+
* real (prompted) login, which is also when the blob is re-keyed with a
|
|
1040
|
+
* fresh PRF-derived key. The duration is therefore the renewal interval.
|
|
1041
|
+
* @param hours - Duration in hours
|
|
1042
|
+
*/
|
|
1043
|
+
setPersistentSessionDuration(hours: number): void;
|
|
1019
1044
|
/**
|
|
1020
1045
|
* Derive ML-KEM-1024 public key from the current wallet
|
|
1021
1046
|
*
|
|
@@ -1301,6 +1326,15 @@ declare function verifyEIP7702Authorization(chainId: bigint, contractAddress: st
|
|
|
1301
1326
|
s: string;
|
|
1302
1327
|
} | string, expectedSigner: string): boolean;
|
|
1303
1328
|
|
|
1329
|
+
/** Client extension results consumed by w3pk (subset of the WebAuthn spec) */
|
|
1330
|
+
interface PrfExtensionResults {
|
|
1331
|
+
prf?: {
|
|
1332
|
+
enabled?: boolean;
|
|
1333
|
+
results?: {
|
|
1334
|
+
first?: ArrayBuffer;
|
|
1335
|
+
};
|
|
1336
|
+
};
|
|
1337
|
+
}
|
|
1304
1338
|
/**
|
|
1305
1339
|
* Native WebAuthn credential response (authentication)
|
|
1306
1340
|
*/
|
|
@@ -1314,14 +1348,7 @@ interface AuthenticationCredential {
|
|
|
1314
1348
|
signature: ArrayBuffer;
|
|
1315
1349
|
userHandle?: ArrayBuffer;
|
|
1316
1350
|
};
|
|
1317
|
-
getClientExtensionResults():
|
|
1318
|
-
prf?: {
|
|
1319
|
-
results?: {
|
|
1320
|
-
first?: ArrayBuffer;
|
|
1321
|
-
second?: ArrayBuffer;
|
|
1322
|
-
};
|
|
1323
|
-
};
|
|
1324
|
-
};
|
|
1351
|
+
getClientExtensionResults(): PrfExtensionResults;
|
|
1325
1352
|
}
|
|
1326
1353
|
|
|
1327
1354
|
/**
|
|
@@ -2121,6 +2148,11 @@ interface BrowserInspectOptions {
|
|
|
2121
2148
|
* @default 'transactions'
|
|
2122
2149
|
*/
|
|
2123
2150
|
focusMode?: "transactions" | "all";
|
|
2151
|
+
/**
|
|
2152
|
+
* Maximum total size in KB for all collected code (prevents exceeding API token limits)
|
|
2153
|
+
* @default 100
|
|
2154
|
+
*/
|
|
2155
|
+
maxTotalSizeKB?: number;
|
|
2124
2156
|
}
|
|
2125
2157
|
/**
|
|
2126
2158
|
* Result of a browser-based inspection
|