feat: invite-code mode core API (WDP-73 / APP-9428)

Adds a code-based discovery channel to the existing Bridge proof flow.
The RP shows the user a 6-character code; the user types it into World
App on their phone and completes the existing Selfie Check / proof
flow. Same proof flow, same poll loop, same Status enum — only the
discovery channel changes.

Wire shape (matches wallet-bridge APP-9425 and world-app-ios APP-9424):

- Code is canonical 6-char Crockford Base32 (5 random data chars + 1
  mod-32 weighted check digit, weights 1/3/5/7/9 — all coprime to 32,
  so 100% of single-char substitutions are caught). UI may format as
  "ABC-DEF" but the canonical form has no separator.
- HKDF-SHA256, no salt, 32-byte output, IKM = canonical code's UTF-8
  bytes. info="dx" → lookup index (lowercase hex on the wire);
  info="key" → AES-256-GCM key. The encryption key never reaches the
  bridge — only the index and ciphertext do.
- POST /request body has the new `request_code_enabled: true, iv,
  payload, index` shape with `iv`/`payload` as standard base64 (same
  as the URL/QR path).
- Response carries `session_nonce` and `code_expires_at`. Polling
  attaches `Authorization: Bearer <session_nonce>` so we're forward-
  compatible with the bridge's session_nonce gate (release-blocking
  follow-up on Bridge). URL-mode connections keep `session_nonce: None`
  and the header is omitted, so existing bridge behavior is unchanged.

Cross-device implications:

- Original WDP-73 mermaid minted a `delivery_token` ferried back via
  universal link. Universal links route to the device that opened them,
  so a desktop browser ↔ phone flow never receives the token. We drop
  delivery_token from idkit's surface entirely. Anti-collusion in the
  code path now degrades to "10-min TTL + one-shot redeem + per-IP
  rate limit."

API surface (mirrors existing URL-mode):

- Rust: `BridgeConnection::create_for_invite_code` (retry-once-on-409),
  `.invite_code()` / `.code_expires_at()` accessors. New crypto.rs
  primitives: `generate_invite_code`, `parse_invite_code`,
  `hkdf_invite_index_hex`, `hkdf_invite_key`, `generate_nonce`.
- FFI: `IDKitInviteCodeRequest` sibling to `IDKitRequestWrapper`. New
  builder methods `constraints_with_invite_code` /
  `preset_with_invite_code` on `IDKitBuilder`.
- WASM: `IDKitInviteCodeRequest` sibling to `IDKitRequest`,
  `constraintsWithInviteCode` / `presetWithInviteCode` on the WASM
  builder.
- TypeScript: `IDKitInviteCodeRequest` interface + impl,
  `IDKitInviteCodeBuilder`, `IDKit.requestWithInviteCode(...)` entry
  point. Code mode is bridge-only by definition (user is on a different
  device than World App), so the builder skips the `isInWorldApp()`
  branch.
- React: `IDKitInviteCodeRequestWidget`, `useIDKitInviteCodeRequest`,
  `useIDKitInviteCodeFlow` hooks. New `InviteCodeState` UI component.
- Swift: `presetWithInviteCode(_:)` / `constraintsWithInviteCode(_:)`
  on the builder; `IDKitInviteCodeRequest` wrapper exposing `code` and
  `expiresAt: Date`.

Adopter diff is two lines per integration:

  // before
  const req = await IDKit.request(config).constraints(...);
  showQR(req.connectorURI);
  // after
  const req = await IDKit.requestWithInviteCode(config).constraints(...);
  showCode(req.code);

Tests:
- 9 new Rust unit tests covering code generation, parser (round-trip,
  separator stripping, lowercase normalization, Crockford ambiguity
  collapse, U-rejection, length validation, check-digit validation,
  exhaustive single-char substitution detection), HKDF determinism,
  hex output shape, index/key differentiation across info strings.
- 86 existing rust tests pass; 54 core JS tests pass; 23 React tests
  pass. Clippy clean on native + ffi feature combos.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: SeanROlszewski

js/packages/core/src/request.ts

@@ -147,15 +147,14 @@ class IDKitRequestImpl implements IDKitRequest {
  * An invite-code mode World ID verification request (WDP-73).
  *
  * Sibling shape to {@link IDKitRequest}, but discovery happens through a
- * 6-character code the user types into World App instead of a QR scan. The
- * polling lifecycle is byte-identical to URL mode — same `Status`, same
- * `IDKitCompletionResult` — so adopters write the same poll loop.
- *
- * Only the constructor and the displayable `code` differ between modes.
+ * URL pointing at the `world.org/verify` landing page (which displays the
+ * code for the user to type into World App). The polling lifecycle is
+ * byte-identical to URL mode — same `Status`, same `IDKitCompletionResult` —
+ * so adopters write the same poll loop.
  */
 export interface IDKitInviteCodeRequest {
-  /** Canonical 6-char Crockford Base32 code (no separator). UI may format as "ABC-DEF" for display. */
-  readonly code: string;
+  /** URL to display to the user. Same shape as URL/QR mode's `connectorURI` with `&c=<code>&a=<app_id>` appended. */
+  readonly connectorURI: string;
   /** Unix-seconds expiry of the unredeemed code. After this point bridge will reject the redeem. */
   readonly expiresAt: number;
   /** Unique request ID for this verification */
@@ -173,19 +172,19 @@ export interface IDKitInviteCodeRequest {
  */
 class IDKitInviteCodeRequestImpl implements IDKitInviteCodeRequest {
   private wasmRequest: WasmModule.IDKitInviteCodeRequest;
-  private _code: string;
+  private _connectorURI: string;
   private _expiresAt: number;
   private _requestId: string;
 
   constructor(wasmRequest: WasmModule.IDKitInviteCodeRequest) {
     this.wasmRequest = wasmRequest;
-    this._code = wasmRequest.code();
+    this._connectorURI = wasmRequest.connectUrl();
     this._expiresAt = wasmRequest.expiresAt();
     this._requestId = wasmRequest.requestId();
   }
 
-  get code(): string {
-    return this._code;
+  get connectorURI(): string {
+    return this._connectorURI;
   }
 
   get expiresAt(): number {
@@ -644,7 +643,7 @@ class IDKitInviteCodeBuilder {
    * ```typescript
    * const request = await IDKit.requestWithInviteCode({ app_id, action, rp_context, allow_legacy_proofs: false })
    *   .constraints(any(CredentialRequest('proof_of_human'), CredentialRequest('face')));
-   * showCode(request.code);
+   * displayLink(request.connectorURI);
    * ```
    */
   async constraints(
@@ -653,11 +652,7 @@ class IDKitInviteCodeBuilder {
     await initIDKit();
 
     const wasmBuilder = createWasmBuilderFromConfig(this.config);
-    const wasmRequest = (await (
-      wasmBuilder as unknown as {
-        constraintsWithInviteCode: (c: ConstraintNode) => Promise<unknown>;
-      }
-    ).constraintsWithInviteCode(
+    const wasmRequest = (await wasmBuilder.constraintsWithInviteCode(
       constraints,
     )) as unknown as WasmModule.IDKitInviteCodeRequest;
     return new IDKitInviteCodeRequestImpl(wasmRequest);
@@ -682,11 +677,7 @@ class IDKitInviteCodeBuilder {
     await initIDKit();
 
     const wasmBuilder = createWasmBuilderFromConfig(this.config);
-    const wasmRequest = (await (
-      wasmBuilder as unknown as {
-        presetWithInviteCode: (p: Preset) => Promise<unknown>;
-      }
-    ).presetWithInviteCode(
+    const wasmRequest = (await wasmBuilder.presetWithInviteCode(
       preset,
     )) as unknown as WasmModule.IDKitInviteCodeRequest;
     return new IDKitInviteCodeRequestImpl(wasmRequest);
@@ -785,7 +776,7 @@ function createRequest(config: IDKitRequestConfig): IDKitBuilder {
  *   allow_legacy_proofs: false,
  * }).constraints(any(CredentialRequest('proof_of_human'), CredentialRequest('face')));
  *
- * showCode(request.code);                     // user types this into World App
+ * displayLink(request.connectorURI);          // user opens this URL on their phone
  * const proof = await request.pollUntilCompletion();
  * ```
  */

js/packages/react/src/components/States/InviteCodeState.tsx

@@ -2,22 +2,14 @@ import { useEffect, useState, type ReactElement } from "react";
 import { __ } from "../../lang";
 import { WorldcoinIcon } from "../Icons/WorldIcon";
 import { LoadingIcon } from "../Icons/LoadingIcon";
+import { QRCode } from "../../widget/QRCode";
 
 type InviteCodeStateProps = {
-  code: string | null;
+  connectorURI: string | null;
   codeExpiresAt: number | null;
   isAwaitingUserConfirmation: boolean;
 };
 
-function formatCodeForDisplay(code: string): string {
-  // Canonical form is 6-char Crockford Base32 (no separator).
-  // For display, format as "ABC-DEF" when length is exactly 6.
-  if (code.length === 6) {
-    return `${code.slice(0, 3)}-${code.slice(3)}`;
-  }
-  return code;
-}
-
 function useNowInSeconds(): number {
   const [now, setNow] = useState(() => Math.floor(Date.now() / 1000));
   useEffect(() => {
@@ -30,7 +22,7 @@ function useNowInSeconds(): number {
 }
 
 export function InviteCodeState({
-  code,
+  connectorURI,
   codeExpiresAt,
   isAwaitingUserConfirmation,
 }: InviteCodeStateProps): ReactElement {
@@ -47,20 +39,16 @@ export function InviteCodeState({
         textAlign: "center",
       }}
     >
-      {/* World logo */}
       <div className="idkit-worldid-icon">
         <WorldcoinIcon />
       </div>
 
-      {/* Heading */}
       <h2 className="idkit-heading">{__("Connect your World ID")}</h2>
 
-      {/* Instruction */}
       <p className="idkit-subtext">
-        {__("Open World App on your phone and enter this code")}
+        {__("Scan with your phone to continue verifying")}
       </p>
 
-      {/* Code display container — mirrors qr-container layout for the spinner overlay */}
       <div className="idkit-qr-container">
         {isAwaitingUserConfirmation && (
           <div className="idkit-qr-overlay">
@@ -77,45 +65,73 @@ export function InviteCodeState({
         <div
           className={`idkit-qr-blur ${isAwaitingUserConfirmation ? "blurred" : ""}`}
         >
-          <div
+          {connectorURI ? <QRCode data={connectorURI} /> : null}
+        </div>
+      </div>
+
+      {connectorURI && (
+        <div
+          style={{
+            marginTop: 16,
+            display: "flex",
+            alignItems: "center",
+            gap: 8,
+            width: "100%",
+            maxWidth: 360,
+          }}
+        >
+          <code
             style={{
-              display: "flex",
-              flexDirection: "column",
-              alignItems: "center",
-              justifyContent: "center",
-              gap: 12,
-              padding: "24px 16px",
+              flex: 1,
+              fontFamily:
+                "ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, 'Liberation Mono', 'Courier New', monospace",
+              fontSize: 12,
+              padding: "8px 10px",
+              borderRadius: 6,
+              background: "var(--idkit-surface-muted, rgba(0,0,0,0.04))",
+              color: "var(--idkit-text-primary)",
+              overflow: "hidden",
+              textOverflow: "ellipsis",
+              whiteSpace: "nowrap",
+              userSelect: "all",
             }}
+            title={connectorURI}
           >
-            <div
-              aria-label={
-                code ? `Invite code ${formatCodeForDisplay(code)}` : undefined
+            {connectorURI}
+          </code>
+          <button
+            type="button"
+            onClick={() => {
+              if (typeof navigator !== "undefined" && navigator.clipboard) {
+                void navigator.clipboard.writeText(connectorURI);
               }
-              style={{
-                fontFamily:
-                  "ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, 'Liberation Mono', 'Courier New', monospace",
-                fontSize: 36,
-                fontWeight: 600,
-                letterSpacing: "0.15em",
-                color: "var(--idkit-text-primary)",
-                userSelect: "all",
-              }}
-            >
-              {code ? formatCodeForDisplay(code) : "------"}
-            </div>
-            {secondsRemaining !== null && (
-              <div
-                style={{
-                  fontSize: 14,
-                  color: "var(--idkit-text-secondary)",
-                }}
-              >
-                {__("Expires in")} {secondsRemaining}s
-              </div>
-            )}
-          </div>
+            }}
+            style={{
+              padding: "6px 12px",
+              borderRadius: 6,
+              border: "1px solid var(--idkit-border, rgba(0,0,0,0.1))",
+              background: "var(--idkit-surface, transparent)",
+              color: "var(--idkit-text-primary)",
+              fontSize: 12,
+              cursor: "pointer",
+            }}
+          >
+            {__("Copy")}
+          </button>
         </div>
-      </div>
+      )}
+
+      {secondsRemaining !== null && (
+        <div
+          style={{
+            marginTop: 12,
+            fontSize: 14,
+            color: "var(--idkit-text-secondary)",
+          }}
+        >
+          {__("Expires in")} {secondsRemaining}s
+        </div>
+      )}
     </div>
   );
 }

js/packages/react/src/hooks/inviteCodeCommon.ts

@@ -10,7 +10,7 @@ type IDKitHookStatus =
 export type InviteCodeHookState<TResult> = {
   isOpen: boolean;
   status: IDKitHookStatus;
-  code: string | null;
+  connectorURI: string | null;
   codeExpiresAt: number | null;
   result: TResult | null;
   errorCode: IDKitErrorCodes | null;
@@ -22,7 +22,7 @@ export function createInitialInviteCodeHookState<
   return {
     isOpen: false,
     status: "idle",
-    code: null,
+    connectorURI: null,
     codeExpiresAt: null,
     result: null,
     errorCode: null,

js/packages/react/src/hooks/useIDKitInviteCodeFlow.ts

@@ -48,7 +48,7 @@ export function useIDKitInviteCodeFlow<TResult>(
       return {
         isOpen: true,
         status: "waiting_for_connection",
-        code: null,
+        connectorURI: null,
         codeExpiresAt: null,
         result: null,
         errorCode: null,
@@ -86,18 +86,21 @@ export function useIDKitInviteCodeFlow<TResult>(
         ensureNotAborted(controller.signal);
         if (isDebug())
           console.debug("[IDKit] Invite-code flow created", {
-            code: request.code,
+            connectorURI: request.connectorURI,
             expiresAt: request.expiresAt,
             requestId: request.requestId,
           });
 
-        const code = request.code;
+        const connectorURI = request.connectorURI;
         const codeExpiresAt = request.expiresAt;
         setState((prev) => {
-          if (prev.code === code && prev.codeExpiresAt === codeExpiresAt) {
+          if (
+            prev.connectorURI === connectorURI &&
+            prev.codeExpiresAt === codeExpiresAt
+          ) {
             return prev;
           }
-          return { ...prev, code, codeExpiresAt };
+          return { ...prev, connectorURI, codeExpiresAt };
         });
 
         const pollInterval = configRef.current.polling?.interval ?? 1000;
@@ -176,7 +179,7 @@ export function useIDKitInviteCodeFlow<TResult>(
     isAwaitingUserConfirmation: state.status === "awaiting_confirmation",
     isSuccess: state.status === "confirmed",
     isError: state.status === "failed",
-    code: state.code,
+    connectorURI: state.connectorURI,
     codeExpiresAt: state.codeExpiresAt,
     result: state.result,
     errorCode: state.errorCode,

js/packages/react/src/types/common.ts

@@ -39,8 +39,8 @@ export type IDKitInviteCodeHookResult<TResult> = {
   isAwaitingUserConfirmation: boolean;
   isSuccess: boolean;
   isError: boolean;
-  /** Canonical 6-char Crockford Base32 invite code (no separator). UI may format as "ABC-DEF". */
-  code: string | null;
+  /** URL to display to the user (same shape as URL/QR mode's `connectorURI`, with `&c=<code>&a=<app_id>` appended for the `world.org/verify` landing page). */
+  connectorURI: string | null;
   /** Unix-seconds expiry of the unredeemed code. */
   codeExpiresAt: number | null;
   result: TResult | null;

js/packages/react/src/widget/IDKitInviteCodeWidgetBase.tsx

@@ -156,7 +156,7 @@ export function IDKitInviteCodeWidgetBase<TResult>({
     <IDKitModal open={open} onOpenChange={onOpenChange}>
       {stage === "invite_code" && (
         <InviteCodeState
-          code={flow.code}
+          connectorURI={flow.connectorURI}
           codeExpiresAt={flow.codeExpiresAt}
           isAwaitingUserConfirmation={flow.isAwaitingUserConfirmation}
         />
@@ -180,6 +180,7 @@ export function IDKitInviteCodeWidgetBase<TResult>({
       {stage === "error" && (
         <ErrorState
           errorCode={effectiveErrorCode}
+          onClose={() => onOpenChange(false)}
           onRetry={() => {
             setHostVerifyResult(null);
             lastResultRef.current = null;