Phase 0 — Wallet Iframe PRF Verification

Parent () embeds a cross-origin wallet iframe () and asks it to assert with PRF. Real-device test of the wallet.3id.me design.

Step 1 — credential — or skip if you already have a 3id.me passkey on this device.

Step 2 — iframe container mode (for the Safari visibility gotcha) normal (visible) — expect PASS
invisible (display:block, opacity:0, 1px) — the mitigation, expect PASS
display:none — the gotcha, expect FAIL on Safari

Step 3a — RELAYED from parent (postMessage → iframe.get())

On desktop the gesture does NOT cross into the iframe → expect activation=false. This is the design finding.

Step 3b — IN-IFRAME tap (the robust path) ⭐

Tap the 🔓 button inside the iframe below — the gesture is in the iframe's own context → expect activation=true + PASS.

in-iframe tap uses explicit rpId (uncheck = no-rpId negative control, with activation)

ready.