From 1aa502fcaed0e28cc0c9f575a572582fd72fe498 Mon Sep 17 00:00:00 2001
From: rajangarg047 <rajangarg047@bitgo.com>
Date: Thu, 28 May 2026 15:14:30 -0400
Subject: [PATCH] feat(sdk-core): add webauthnInfo param to AddKeychainOptions
 for atomic passkey attachment

The backend POST /api/v2/:coin/key handler reads `req.body.webauthnInfo` (single object)
to atomically attach a passkey during key creation, but the SDK only sent
`webauthnDevices` (array) which the backend ignores. This caused passkey attachment to
require a separate best-effort PUT call that could fail, leaving wallets in an
inconsistent state.

Add `webauthnInfo` field to `AddKeychainOptions` and pass it through in `keychains.add()`
so callers can atomically link a passkey to a keychain during creation.

Deprecate `webauthnDevices` on `AddKeychainOptions` since the backend never reads it
on the POST path.

WCN-127
---
 modules/sdk-core/src/bitgo/keychain/iKeychains.ts | 7 ++++++-
 modules/sdk-core/src/bitgo/keychain/keychains.ts  | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/sdk-core/src/bitgo/keychain/iKeychains.ts b/modules/sdk-core/src/bitgo/keychain/iKeychains.ts
index 82fbfe5014..7f40a86fd7 100644
--- a/modules/sdk-core/src/bitgo/keychain/iKeychains.ts
+++ b/modules/sdk-core/src/bitgo/keychain/iKeychains.ts
@@ -141,8 +141,13 @@ export interface AddKeychainOptions {
   // indicates if the key is MPCv2 or not
   isMPCv2?: boolean;
   coinSpecific?: { [coinName: string]: unknown };
-  /** WebAuthn devices that have an additional encrypted copy of the private key, keyed by PRF-derived passphrases. */
+  /** WebAuthn devices that have an additional encrypted copy of the private key, keyed by PRF-derived passphrases.
+   *  @deprecated Use {@link webauthnInfo} instead — the backend reads `webauthnInfo` (single object), not `webauthnDevices`. */
   webauthnDevices?: WebauthnInfo[];
+  /** Single webauthn device to atomically attach during key creation.
+   *  Sent as `webauthnInfo` in the POST /key body so the backend can link
+   *  the passkey to the keychain in the same request. */
+  webauthnInfo?: WebauthnInfo;
 }
 
 export interface ApiKeyShare {
diff --git a/modules/sdk-core/src/bitgo/keychain/keychains.ts b/modules/sdk-core/src/bitgo/keychain/keychains.ts
index e933cb32e5..44e3f02dc6 100644
--- a/modules/sdk-core/src/bitgo/keychain/keychains.ts
+++ b/modules/sdk-core/src/bitgo/keychain/keychains.ts
@@ -307,6 +307,7 @@ export class Keychains implements IKeychains {
         isMPCv2: params.isMPCv2,
         coinSpecific: params.coinSpecific,
         webauthnDevices: params.webauthnDevices,
+        webauthnInfo: params.webauthnInfo,
       })
       .result();
   }