feat: invite-code mode + bridge contract alignment

[SeanROlszewski]

Summary

Adds invite-code mode (the user types a 6-char code into World App on a different device instead of scanning a QR) and aligns idkit with the simplified bridge contract from worldcoin/wallet-bridge#89. The bridge becomes a generic content-addressable single-use store; invite-code mode reuses the regular POST /request and GET /request/:id endpoints with an HKDF-derived request_id. No new bridge endpoints. No /code/redeem, index, request_code_enabled, session_nonce, or bridge-returned code_expires_at.

The wrapper exposes a URL (not a raw code) — the same connector URL URL/QR mode produces, with &c=<canonical_code>&a=<app_id> appended. The world.org/verify server inspects those params and renders an invite-code-aware landing page; clients that ignore c/a see the original URL/QR shape, so the change is backwards-compatible.

Stacked: #239 (examples) sits on top.

Invite-code derivation

canonical_code = generate_invite_code()                       // 6 chars Crockford B32
request_id     = hex(HKDF-SHA256(code, info="dx", L=32))      // 64 hex chars
K              = HKDF-SHA256(code, info="key", L=32)          // AES-256-GCM key
ciphertext     = AES-256-GCM(K, fresh_iv, proof_request)
POST /request  { iv, payload: ciphertext, request_id }        // 409 → retry once
connectorURI   = base ?t=wld&i=<request_id>&k=<K>&c=<canonical_code>&a=<app_id>

World App, given the typed code, derives the same request_id and reads via GET /request/:request_id (which is GETDEL-backed). K never reaches the bridge. code_expires_at is synthesized client-side as now + 900s (matching bridge's EXPIRE_AFTER_SECONDS).

API additions

The new entry point mirrors the existing URL/QR IDKit.request(...) builder, just with code-mode wiring. You get back an IDKitInviteCodeRequest whose connectorURI and expiresAt accessors replace the URL/QR wrapper's connectorURI; everything else (pollStatusOnce, pollUntilCompletion, requestId, error handling) is identical.

Per language:

• TypeScript: IDKit.requestWithInviteCode(config).preset(...) (or .constraints(...)) → IDKitInviteCodeRequest.
• Rust / WASM: presetWithInviteCode / constraintsWithInviteCode on the WASM builder → IDKitInviteCodeRequest.
• Swift / FFI: chain IDKit.request(config).presetWithInviteCode(...) (or .constraintsWithInviteCode(...)) on the existing builder → IDKitInviteCodeRequest with connectorURL: URL.
• React: drop in <IDKitInviteCodeRequestWidget /> (mirrors <IDKitRequestWidget />), or use useIDKitInviteCodeRequest / useIDKitInviteCodeFlow for headless integrations. The widget renders both a QR code of the URL and a copy-to-clipboard plaintext display.

Adopter diff for invite-code mode is two lines:

const req = await IDKit.requestWithInviteCode(config).constraints(...);
displayLink(req.connectorURI);

Source-compatibility

The Uuid → String migration from the bridge contract is contained:

• Swift IDKitRequest.requestID: still UUID. No source breakage for URL/QR iOS adopters; the wrapper parses the FFI String back into a UUID and throws IDKitClientError.invalidRequestID on failure (which can't happen — bridge always mints UUID v4 there).
• Swift IDKitInviteCodeRequest.requestID: String. New wrapper, no prior contract.
• TS requestId: string. Already a string.
• Rust BridgeConnection::request_id() -> &str. The one structural break; URL/QR Rust adopters who held the result as Uuid need Uuid::parse_str(req.request_id()) at the call site.

WASM-specific fix

std::time::SystemTime::now() traps to unreachable on wasm32-unknown-unknown. current_unix_seconds() is cfg-gated: js_sys::Date::now() on WASM, SystemTime::now() on native.

Test plan

• cargo test --lib — 98 pass (9 new invite-code unit tests).
• cargo clippy --all-targets --all-features -- -D warnings clean.
• cargo fmt --check + pnpm prettier --check clean.
• pnpm build:wasm clean (production wasm-pack build).
• Core JS: 54 pass. React: 26 pass.
• swift build broken on main (feat(core): add world id availability errors #246 introduced AppError variants without regenerating UniFFI bindings). Not introduced by this PR.
• End-to-end browser → World App iOS once wallet-bridge#89 is deployed.

Dependencies

• wallet-bridge Allow RP to supply request_id on POST /request wallet-bridge#89 — required at runtime. Without it the bridge silently ignores the request_id field and generates a UUID, producing a downstream "no proof arrives" failure.
• world-app-ios APP-9424 — needs to migrate off POST /code/redeem onto GET /request/:request_id with request_id = lowercase_hex(HKDF(C, "dx")). Tracked separately.

🤖 Generated with Claude Code

[vercel]

You must have Developer access to commit code to Worldcoin on Vercel. If you contact an administrator and receive Developer access, commit again to see your changes.

Learn more: https://vercel.com/docs/accounts/team-members-and-roles/access-roles#team-level-roles

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
idkit-js-example	Ready	Preview, Comment	May 6, 2026 1:22am

[Takaros999]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8f9c513a72

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Pass close callback into invite-code error state

ErrorState requires an onClose prop, but the invite-code widget only passes errorCode and onRetry. In error variants that render a "Close" action (for example configuration-related failures), clicking the button will invoke an undefined handler and can throw at runtime instead of dismissing the modal, breaking recovery for users on that path.

Useful? React with 👍 / 👎.

[SeanROlszewski]

Already fixed in the current head — <ErrorState> in IDKitInviteCodeWidgetBase.tsx:184 now passes onClose={() => onOpenChange(false)} matching the URL/QR widget. Resolution landed before the rebase that surfaced this comment; should be visible in the diff at b1758de.

[chatgpt-codex-connector]

Restore invite-code request after poll failures

This method takes the request out of inner and only reinserts it after a successful poll. If poll_for_status() returns an error (for example a transient network failure), the ? on map_err exits early before reinsertion, leaving inner as None; every later poll then fails with "Request closed", turning a retryable transport blip into a permanent request failure.

Useful? React with 👍 / 👎.

[SeanROlszewski]

Fixed. Extracted the take-await-restore into a shared poll_taking_inner helper (wasm_bindings.rs) so both the URL/QR and invite-code wrappers always reinsert the request before propagating an error. A transient transport blip now leaves inner populated so the next poll can retry, instead of latching the request closed permanently. Also pulled status_to_js_value out of the duplicated match so both wrappers share the serialization. b1758de.

[Takaros999]

part 1

• can you please update the nextjs example to use the invite code flow, so we can try it out. (you could have an optional checkbox that triggers a invite code flow request)

[Takaros999]

casting wasBuilder to have a method can introduce footguns and runtime errors, i would look deeper here to avoid having to do this

[SeanROlszewski]

Removed both wasmBuilder as unknown as { ... } casts in the invite-code builder — the rebuilt WASM .d.ts exposes constraintsWithInviteCode / presetWithInviteCode directly on WasmModule.IDKitBuilder (idkit_wasm.d.ts:416,470), so the cast was indeed leftover scaffolding from a stale build. Mirrors the URL/QR-mode shape now: (await wasmBuilder.constraintsWithInviteCode(constraints)) as unknown as WasmModule.IDKitInviteCodeRequest. b1758de.

[Takaros999]

i like this direction of having a new interface 👍

[Takaros999]

Rust core follow-up from review:

1. WASM poll state restoration

There is already an inline Codex thread on rust/core/src/wasm_bindings.rs for the invite-code wrapper losing inner when poll_for_status() errors. The same take-await-restore pattern exists in the normal IDKitRequest::pollForStatus wrapper too, so the fix should update both wrappers or extract a shared restore-after-await helper.

2. Validate echoed invite request_id

rust/core/src/bridge.rs invite-code mode sends a deterministic request_id, but the response body is parsed and discarded:

// Discard the echoed request_id — we already have ours.
let _: BridgeCreateResponse = response
    .json()
    .await
    .map_err(|e| Error::BridgeError(format!("Failed to parse bridge response: {e}")))?;

Since the rest of the flow polls with the locally derived id and World App derives the same id from the code, we should assert that the bridge echoed the same request_id; otherwise a bridge/proxy contract bug can silently create an unretrievable request.

[Takaros999]

we shouldn't panic here, this will be very hard to debug, we can just throw an error

[SeanROlszewski]

Fixed. generate_invite_code now returns crate::Result<String> and propagates getrandom failures via crate::Error::Crypto(...), mirroring generate_nonce's shape. Caller in try_create_invite_code_request propagates with ? (lifts via the existing From<Error> for CreateCodeError). Tests use .unwrap() since entropy is reliable in test context. b1758de.

[Takaros999]

if your IDE complaint locally try running pnpm build we dont need this

[SeanROlszewski]

Yep — the cast went away once I rebuilt WASM. Done in the same commit as the broader cast removal. b1758de.

[SeanROlszewski]

part 1

• can you please update the nextjs example to use the invite code flow, so we can try it out. (you could have an optional checkbox that triggers a invite code flow request)

This is already on another PR. 😄 I broke them apart to reduce review burden.

[SeanROlszewski]

Both follow-ups addressed in b1758de:

1. WASM poll state restoration — extracted shared poll_taking_inner helper in wasm_bindings.rs; both IDKitRequest::poll_for_status and IDKitInviteCodeRequest::poll_for_status now go through it. Pattern: take → await → unconditionally restore → propagate error. A transient transport blip leaves inner populated so the next poll retries instead of latching the request closed permanently. Also pulled status_to_js_value out so the serialization match isn't duplicated.

2. Validate echoed request_id — try_create_invite_code_request no longer discards the response. It deserializes the { request_id } body and asserts it equals the locally-derived hex(HKDF(C, "dx")); mismatch surfaces Error::BridgeError("Bridge echoed mismatched request_id (sent X, got Y)") at creation time rather than letting World App fail to find the request later in the poll loop. Catches a misbehaving bridge or proxy that would otherwise create a silently-unretrievable request.