feat: add loginStatus field

[hieu-w]

Jira Link

Description

How has this been tested?

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

• My code follows the code style of this project. (run lint)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

---

Note

Medium Risk
Adds new Citadel signer/allow calls with a torusloginstatus parameter during share retrieval, including extra reporting on success/failure, which could affect critical login flows if the endpoint is slow/unavailable. Remaining changes are dependency/version bumps.

Overview
Adds a TorusLoginStatus enum and threads an optional torusloginstatus query param into the Citadel v1/signer/allow request.

Introduces citadelUtils (buildAllowUrl/callAllowApi) and refactors share retrieval to use it: retrieveOrImportShare now logs an initiated status, and Torus.retrieveShares additionally reports success or failed after the operation (errors are swallowed in reportSignerAllow).

Bumps package version to 17.2.1 and updates several dependencies/devDependencies (notably @toruslabs/constants, @toruslabs/fetch-node-details, vite, vitest).

^{Written by Cursor Bugbot for commit 3ebb385. This will update automatically on new commits. Configure here.}

[tuna1207]

should this be awaited ?

[hieu-w]

Updated

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​toruslabs/​constants@​16.1.0 ⏵ 16.1.1	-8		+1	+2
	vitest@​4.1.0 ⏵ 4.1.1	+1		+1	+2
	@​babel/​runtime@​7.28.6 ⏵ 7.29.2				-1
	@​vitest/​coverage-istanbul@​4.1.0 ⏵ 4.1.1				-1
	@​faker-js/​faker@​10.3.0 ⏵ 10.4.0				+5
	@​toruslabs/​fetch-node-details@​16.1.0 ⏵ 16.1.1	-7			+2

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm @rolldown/binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/vitest@4.1.1 → npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.11 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @rolldown/binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly Notes: The JS loader is not itself executing obvious malicious JavaScript (no eval, no external network calls, no hard-coded credentials). However it intentionally grants a WebAssembly module broad privileges: it passes the full process.env into WASI and the worker, and preopens the host filesystem root so the wasm can access the filesystem. It also forwards worker messages into a filesystem proxy function. These design choices make running an untrusted or tampered-with wasm binary dangerous: a malicious wasm could read environment variables, enumerate and modify host files, and exfiltrate data via any network capability inside the wasm or worker. Therefore the module should be treated as high-risk if the wasm artifact (local file or npm package) is not from a trusted source. Recommended mitigations: avoid preopening the root (limit to specific directories), avoid passing full process.env, validate integrity of the wasm binary (signing/checksums), and avoid installing untrusted package replacements. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/vitest@4.1.1 → npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.11 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

• @toruslabs/constants@16.1.1
• @toruslabs/fetch-node-details@16.1.1
• @toruslabs/fnd-base@16.1.1
• rolldown@1.0.0-rc.11

View full report

[chaitanyapotti]

@SocketSecurity allow npm/@toruslabs/constants@16.1.1
@SocketSecurity allow npm/@toruslabs/fetch-node-details@16.1.1
@SocketSecurity allow npm/@toruslabs/fnd-base@16.1.1

Archit is part of web3auth team and has publishing access.

[chaitanyapotti]

@SocketSecurity ignore npm/rolldown@1.0.0-rc.11
@SocketSecurity ignore npm/@toruslabs/constants@16.1.1
@SocketSecurity ignore npm/@toruslabs/fetch-node-details@16.1.1
@SocketSecurity ignore npm/@toruslabs/fnd-base@16.1.1

This is a dev dependency