diff --git a/Dockerfile b/Dockerfile
index 6333f9b..5ac808d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,16 +13,11 @@ COPY auth /usr/share/nginx/recovery
 COPY export /usr/share/nginx/export
 COPY import /usr/share/nginx/import
 
-# prod
 EXPOSE 8080/tcp
 EXPOSE 8081/tcp
 EXPOSE 8082/tcp
 EXPOSE 8083/tcp
 
-# preprod
-EXPOSE 7070/tcp
-EXPOSE 7071/tcp
-EXPOSE 7072/tcp
-EXPOSE 7073/tcp
+WORKDIR /usr/share/nginx
 
 CMD ["nginx"]
diff --git a/auth/index.preprod.html b/auth/index.preprod.html
deleted file mode 100644
index 24a4cd4..0000000
--- a/auth/index.preprod.html
+++ /dev/null
@@ -1,1047 +0,0 @@
-<!doctype html>
-<html class="no-js" lang="">
-
-<head>
-  <link rel="icon" type="image/svg+xml" href="./favicon.svg" />
-  <meta charset="utf-8">
-  <title>Turnkey Recovery and Auth</title>
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <style>
-    body {
-      text-align: center;
-      font-family: 'Lucida Sans', 'Lucida Sans Regular', 'Lucida Grande', 'Lucida Sans Unicode', Geneva, Verdana, sans-serif;
-      max-width: 1024px;
-      margin: auto;
-    }
-    label {
-      display:inline-block;
-      width: 8em;
-    }
-    input[type=text] {
-      width: 40em;
-      margin: 0.5em;
-      font-family: 'Courier New', Courier, monospace;
-      font-size: 1em;
-      height: 1.8em;
-      color: rgb(18, 87, 18);
-      border: 1px rgb(217, 240, 221) solid;
-      border-radius: 4px;
-    }
-    input:disabled {
-      background-color: rgb(239, 243, 240);
-    }
-    #decrypted {
-      width: 60em;
-      background-color: rgb(58, 152, 81);
-      color: white;
-      height: 2em;
-      font-weight: bold;
-      text-align: center;
-    }
-    #reset {
-      color: white;
-      width: 7em;
-      font-size: 1em;
-      padding: 0.38em;
-      border-radius: 4px;
-      background-color: rgb(187, 100, 100);
-      border: 1px rgb(112, 42, 42) solid;
-      cursor: pointer;
-    }
-    #inject, #stamp {
-      color: white;
-      width: 7em;
-      font-size: 1em;
-      padding: 0.38em;
-      border-radius: 4px;
-      background-color: rgb(50, 44, 44);
-      border: 1px rgb(33, 33, 33) solid;
-      cursor: pointer;
-    }
-    #message-log {
-      border: 1px #2a2828 solid;
-      padding: 0 0.7em;
-      border-radius: 4px;
-      margin-top: 2em;
-      max-width: 800px;
-      margin: auto;
-    }
-    #message-log p {
-      font-size: 0.9em;
-      text-align: left;
-      word-break: break-all;
-    }
-    .hidden { display: none; }
-  </style>
-</head>
-
-<body>
-  <h2>Init Recovery or Auth</h2>
-  <p><em>This public key will be sent along with your email inside of a new <code>INIT_USER_EMAIL_RECOVERY</code> or <code>EMAIL_AUTH</code> activity</em></p>
-  <form>
-    <label>Embedded key</label>
-    <input type="text" name="embedded-key" id="embedded-key" disabled/>
-    <button id="reset">Reset Key</button>
-  </form>
-  <br>
-  <br>
-  <br>
-  <h2>Inject Credential Bundle</h2>
-  <p><em>The credential bundle will come from your email. This bundle can then be used for email recovery or auth. We can simulate this locally: see instructions <a href="https://github.com/tkhq/frames#running-local-auth" target="_blank">here</a>. A credential bundle is composed of a public key and an encrypted payload. The payload is encrypted to this document's embedded key (stored in local storage and displayed above). The scheme relies on <a target="_blank" href="https://datatracker.ietf.org/doc/rfc9180/">HPKE (RFC 9180)</a></em>.</p>
-  <form>
-    <label>Bundle</label>
-    <input type="text" name="credential-bundle" id="credential-bundle"/>
-    <button id="inject">Inject Bundle</button>
-  </form>
-  <br>
-  <br>
-  <br>
-  <h2>Stamp</h2>
-  <p><em>Once you've injected the credential bundle, the credential is ready to sign. A new <code>RECOVER</code> activity for example. This iframe doesn't know anything about Turnkey activity however, it's a simple stamper!</em></p>
-  <form>
-    <label>Payload</label>
-    <input type="text" name="payload" id="payload"/>
-    <button id="stamp">Stamp</button>
-  </form>
-  <br>
-  <br>
-  <br>
-  <h2>Message log</h2>
-  <p><em>Below we display a log of the messages sent / received. The forms above send messages, and the code communicates results by sending events via the <code>postMessage</code> API.</em></p>
-  <div id="message-log"></div>
-
-  <!--
-    Script defining important helpers.
-    These helpers are unit-testable, so most of the logic should be written here.
-  -->
-  <script>
-    window.TKHQ = function() {
-      /** constant for LocalStorage */
-      var TURNKEY_EMBEDDED_KEY = "TURNKEY_EMBEDDED_KEY";
-      var TURNKEY_EMBEDDED_KEY_TTL_IN_MILLIS = 1000 * 60 * 60 * 48; // 48 hours in milliseconds
-
-      /**
-       * Creates a new public/private key pair and persists it in localStorage
-       */
-      var initEmbeddedKey = async function() {
-        var retrievedKey = await getEmbeddedKey();
-        if (retrievedKey === null) {
-          var targetKey = await generateTargetKey();
-          setEmbeddedKey(targetKey)
-        } else {
-          // Nothing to do, key is correctly initialized!
-        }
-      }
-
-      /*
-      * Generate a key to encrypt to and export it as a JSON Web Key.
-      */
-      var generateTargetKey = async function() {
-        var p256key = await crypto.subtle.generateKey({
-          name: 'ECDH',
-          namedCurve: 'P-256',
-        }, true, ['deriveBits',]);
-
-        return await crypto.subtle.exportKey("jwk", p256key.privateKey);
-      }
-
-      /**
-       * Gets the current embedded private key JWK. Returns `null` if not found.
-       */
-      var getEmbeddedKey = function() {
-        var jwtKey = getItemWithExpiry(TURNKEY_EMBEDDED_KEY)
-        if (!jwtKey) {
-          return null
-        } else {
-          return JSON.parse(jwtKey);
-        }
-      }
-
-      var setEmbeddedKey = function(targetKey) {
-        return setItemWithExpiry(TURNKEY_EMBEDDED_KEY, JSON.stringify(targetKey), TURNKEY_EMBEDDED_KEY_TTL_IN_MILLIS);
-      }
-
-      var onResetEmbeddedKey = function() {
-        window.localStorage.removeItem(TURNKEY_EMBEDDED_KEY)
-      }
-
-      /**
-       * Set an item in localStorage with an expiration time
-       * @param {string} key
-       * @param {string} value
-       * @param {number} ttl expiration time in milliseconds
-       */
-      var setItemWithExpiry = function(key, value, ttl) {
-        const now = new Date();
-        const item = {
-            value: value,
-            expiry: now.getTime() + ttl,
-        };
-        window.localStorage.setItem(key, JSON.stringify(item));
-      };
-
-      /**
-       * Get an item from localStorage. If it has expired, remove
-       * the item from localStorage and return null.
-       * @param {string} key
-       */
-      const getItemWithExpiry = (key) => {
-        const itemStr = window.localStorage.getItem(key);
-
-        if (!itemStr) {
-            return null;
-        }
-
-        const item = JSON.parse(itemStr);
-
-        if (!item.hasOwnProperty("expiry") || !item.hasOwnProperty("value")) {
-          window.localStorage.removeItem(key);
-          return null;
-        }
-
-        const now = new Date();
-        if (now.getTime() > item.expiry) {
-            window.localStorage.removeItem(key);
-            return null;
-        }
-        return item.value;
-      };
-
-      /**
-       * Takes a hex string (e.g. "e4567ab") and returns an array buffer (Uint8Array)
-       * @param {string} hexString
-       * @returns {Uint8Array}
-       */
-      var uint8arrayFromHexString = function(hexString) {
-        var hexRegex = /^[0-9A-Fa-f]+$/;
-        if (!hexString || hexString.length % 2 != 0 || !hexRegex.test(hexString)) {
-          throw new Error('cannot create uint8array from invalid hex string: "' + hexString + '"');
-        }
-        return new Uint8Array(hexString.match(/../g).map(h=>parseInt(h,16)));
-      }
-
-      /**
-        * Takes a Uint8Array and returns a hex string
-        * @param {Uint8Array} buffer
-        * @return {string}
-        */
-      var uint8arrayToHexString = function(buffer) {
-        return [...buffer]
-            .map(x => x.toString(16).padStart(2, '0'))
-            .join('');
-      }
-
-      /**
-       * Additional Associated Data (AAD) in the format dictated by the enclave_encrypt crate.
-       */
-      var additionalAssociatedData = function(
-        senderPubBuf,
-        receiverPubBuf,
-      ) {
-        var s = Array.from(new Uint8Array(senderPubBuf));
-        var r = Array.from(new Uint8Array(receiverPubBuf));
-        return new Uint8Array([...s, ...r]);
-      }
-
-      /**
-       * Encodes a buffer into base64url
-       * @param {Uint8Array} byteArray
-       */
-      function base64urlEncode(byteArray) {
-        return btoa(Array.from(byteArray).map(val => {
-          return String.fromCharCode(val);
-        }).join('')).replace(/\+/g, '-').replace(/\//g, '_').replace(/\=/g, '');
-      }
-
-      /**
-       * Decodes a base64-encoded string into a buffer
-       * @param {string} s
-       * @return {Uint8Array}
-       */
-      function base64urlDecode(s) {
-        var binaryString = atob(s.replace(/\-/g, '+').replace(/\_/g, '/'));
-        var bytes = new Uint8Array(binaryString.length);
-        for (var i = 0; i < binaryString.length; i++) {
-          bytes[i] = binaryString.charCodeAt(i);
-        }
-        return bytes;
-      }
-
-      /**
-       * Decodes a base58check-encoded string into a buffer
-       * This function throws an error when the string is too small, doesn't have the proper checksum, or contains invalid characters.
-       * Inspired by https://gist.github.com/diafygi/90a3e80ca1c2793220e5/
-       * @param {string} s
-       * @return {Uint8Array}
-       */
-      async function base58checkDecode(s) {
-        if (s.length < 5) {
-          throw new Error(`cannot base58-decode a string of length < 5 (found length ${s.length})`)
-        }
-
-        // See https://en.bitcoin.it/wiki/Base58Check_encoding
-        var alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-        var decoded = BigInt(0);
-        var decodedBytes = [];
-        var leadingZeros = [];
-        for (var i = 0; i < s.length; i++) {
-          if (alphabet.indexOf(s[i]) === -1) {
-            throw new Error(`cannot base58-decode: ${s[i]} isn't a valid character`)
-          }
-          var carry = alphabet.indexOf(s[i]);
-
-          // If the current base58 digit is 0, append a 0 byte.
-          // "i == leadingZeros.length" can only be true if we have not seen non-zero bytes so far.
-          // If we had seen a non-zero byte, carry wouldn't be 0, and i would be strictly more than `leadingZeros.length`
-          if (carry == 0 && i === leadingZeros.length) {
-            leadingZeros.push(0);
-          }
-
-          var j = 0;
-          while (j < decodedBytes.length || carry > 0) {
-            var currentByte = decodedBytes[j];
-
-            // shift the current byte 58 units and add the carry amount
-            // (or just add the carry amount if this is a new byte -- undefined case)
-            if (currentByte === undefined) {
-              currentByte = carry
-            } else {
-              currentByte = currentByte * 58 + carry
-            }
-
-            // find the new carry amount (1-byte shift of current byte value)
-            carry = currentByte >> 8;
-            // reset the current byte to the remainder (the carry amount will pass on the overflow)
-            decodedBytes[j] = currentByte % 256;
-            j++
-          }
-        }
-
-        var result = leadingZeros.concat(decodedBytes.reverse());
-
-        var foundChecksum = result.slice(result.length - 4)
-
-        var msg = result.slice(0, result.length - 4)
-        var checksum1 = await crypto.subtle.digest("SHA-256", new Uint8Array(msg))
-        var checksum2 = await crypto.subtle.digest("SHA-256", new Uint8Array(checksum1))
-        var computedChecksum = Array.from(new Uint8Array(checksum2)).slice(0, 4);
-
-        if (computedChecksum.toString() != foundChecksum.toString()) {
-          throw new Error(`checksums do not match: computed ${computedChecksum} but found ${foundChecksum}`)
-        }
-
-        return new Uint8Array(msg);
-      }
-
-      /**
-       * `SubtleCrypto.sign(...)` outputs signature in IEEE P1363 format:
-       * - https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/sign#ecdsa
-       *
-       * Turnkey expects the signature encoding to be DER-encoded ASN.1:
-       * - https://github.com/tkhq/tkcli/blob/7f0159af5a73387ff050647180d1db4d3a3aa033/src/internal/apikey/apikey.go#L149
-       *
-       * Code modified from https://github.com/google/tink/blob/6f74b99a2bfe6677e3670799116a57268fd067fa/javascript/subtle/elliptic_curves.ts#L114
-       *
-       * Transform an ECDSA signature in IEEE 1363 encoding to DER encoding.
-       *
-       * @param {Uint8Array} ieee the ECDSA signature in IEEE encoding
-       * @return ECDSA signature in DER encoding
-       */
-      function convertEcdsaIeee1363ToDer(ieee) {
-        if (ieee.length % 2 != 0 || ieee.length == 0 || ieee.length > 132) {
-          throw new Error(
-            "Invalid IEEE P1363 signature encoding. Length: " + ieee.length
-          );
-        }
-        const r = toUnsignedBigNum(ieee.subarray(0, ieee.length / 2));
-        const s = toUnsignedBigNum(ieee.subarray(ieee.length / 2, ieee.length));
-        let offset = 0;
-        const length = 1 + 1 + r.length + 1 + 1 + s.length;
-        let der;
-        if (length >= 128) {
-          der = new Uint8Array(length + 3);
-          der[offset++] = 48;
-          der[offset++] = 128 + 1;
-          der[offset++] = length;
-        } else {
-          der = new Uint8Array(length + 2);
-          der[offset++] = 48;
-          der[offset++] = length;
-        }
-        der[offset++] = 2;
-        der[offset++] = r.length;
-        der.set(r, offset);
-        offset += r.length;
-        der[offset++] = 2;
-        der[offset++] = s.length;
-        der.set(s, offset);
-        return der;
-      }
-
-      /**
-       * (private function, only called by `convertEcdsaIeee1363ToDer`)
-       * Code modified from https://github.com/google/tink/blob/6f74b99a2bfe6677e3670799116a57268fd067fa/javascript/subtle/elliptic_curves.ts#L311
-       *
-       * Transform a big integer in big endian to minimal unsigned form which has
-       * no extra zero at the beginning except when the highest bit is set.
-       *
-       * @param {Uint8Array} bytes
-       *
-       */
-      function toUnsignedBigNum(bytes) {
-        // Remove zero prefixes.
-        let start = 0;
-        while (start < bytes.length && bytes[start] == 0) {
-          start++;
-        }
-        if (start == bytes.length) {
-          start = bytes.length - 1;
-        }
-        let extraZero = 0;
-
-        // If the 1st bit is not zero, add 1 zero byte.
-        if ((bytes[start] & 128) == 128) {
-          // Add extra zero.
-          extraZero = 1;
-        }
-        const res = new Uint8Array(bytes.length - start + extraZero);
-        res.set(bytes.subarray(start), extraZero);
-        return res;
-      }
-
-      /**
-       * Code modified from https://github.com/github/webauthn-json/blob/e932b3585fa70b0bd5b5a4012ba7dbad7b0a0d0f/src/webauthn-json/base64url.ts#L23
-       * @param {string} input
-       */
-      var stringToBase64urlString = function(input) {
-          const base64String = btoa(input);
-          return base64String.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-      }
-
-      /**
-       * Function to send a message. If this page is embedded as an iframe we'll use window.top.postMessage. Otherwise we'll display it in the DOM.
-       * @param type message type. Can be "PUBLIC_KEY_CREATED", "BUNDLE_INJECTED" or "STAMP"
-       * @param value message value
-       */
-      var sendMessageUp = function(type, value) {
-        if (window.top !== null) {
-          window.top.postMessage({
-              "type": type,
-              "value": value,
-          }, '*')
-        }
-        logMessage(`⬆️ Sent message ${type}: ${value}`)
-      }
-
-      /**
-       * Function to log a message and persist it in the page's DOM.
-       */
-      var logMessage = function(content) {
-        var messageLog = document.getElementById("message-log");
-        var message = document.createElement("p")
-        message.innerText = content;
-        messageLog.appendChild(message);
-      }
-
-      /**
-      * Convert a JSON Web Key private key to a public key and export the public
-      * key in raw format.
-      * @return {Uint8array}
-      */
-      var p256JWKPrivateToPublic = async function(jwkPrivate) {
-        // make a copy so we don't modify the underlying object
-        const jwkPrivateCopy = { ... jwkPrivate }
-        // change jwk so it will be imported as a public key
-        delete jwkPrivateCopy.d;
-        jwkPrivateCopy.key_ops = ["verify"];
-
-        var publicKey =  await window.crypto.subtle
-          .importKey("jwk", jwkPrivateCopy, { name: "ECDSA", namedCurve: "P-256" }, true, ["verify"]);
-        var buffer = await crypto.subtle.exportKey("raw", publicKey);
-        return new Uint8Array(buffer)
-      }
-
-      /**
-       * Returns a CryptoKey from a P256 private key bytes
-       * This is a bit awkward because webcrypto can't import raw private key bytes.
-       * We use some custom crypto code to derive the public key from the private key bytes.
-       * Note that this is NOT security sensitive because browsers validate x/y coordinate
-       * when performing `crypto.subtle.importKey` operations.
-       * @param {Uint8Array} privateKeyBytes
-       */
-      var importCredential = async function(privateKeyBytes) {
-        var privateKeyHexString = uint8arrayToHexString(privateKeyBytes);
-        var privateKey = BigInt('0x' + privateKeyHexString);
-        var publicKeyPoint = P256Generator.multiply(privateKey);
-
-        return await window.crypto.subtle.importKey(
-          "jwk",
-          {
-            kty: "EC",
-            crv: "P-256",
-            d: bigIntToBase64Url(privateKey),
-            x: bigIntToBase64Url(publicKeyPoint.x.num),
-            y: bigIntToBase64Url(publicKeyPoint.y.num),
-            ext: true,
-          },
-          {
-            name: "ECDSA",
-            namedCurve: "P-256",
-          },
-          true,
-          ["sign"]
-        )
-      }
-
-      /**
-       * Converts a `BigInt` into a base64url encoded string
-       * @param {BigInt} num
-       * @return {string}
-       */
-      var bigIntToBase64Url = function(num) {
-          var hexString = num.toString(16);
-          // Add an extra 0 to the start of the string to get a valid hex string (even length)
-          // (e.g. 0x0123 instead of 0x123)
-          var hexString = hexString.padStart(Math.ceil(hexString.length/2)*2, 0)
-          var buffer = uint8arrayFromHexString(hexString);
-          return base64urlEncode(buffer)
-      }
-
-      /**
-       * Converts a `BigInt` into a hex encoded string
-       * @param {BigInt} num
-       * @param {number} length expected length of the resulting hex string
-       * @return {string}
-       */
-       var bigIntToHex = function(num, length) {
-          var hexString = num.toString(16);
-          if (hexString.length > length) {
-            throw new Error("number cannot fit in a hex string of " + length + " characters");
-          }
-          // Add an extra 0 to the start of the string to get to `length`
-          return hexString.padStart(length, 0)
-      }
-
-      /**
-       * Accepts a public key array buffer, and returns a buffer with the compressed version of the public key
-       * @param {Uint8Array} rawPublicKey
-       */
-       var compressRawPublicKey = function(rawPublicKey) {
-        const len = rawPublicKey.byteLength
-
-        // Drop the y coordinate
-        // Uncompressed key is in the form 0x04||x||y
-        // `len >>> 1` is a more concise way to write `floor(len/2)`
-        var compressedBytes = rawPublicKey.slice(0, 1 + len >>> 1)
-
-        // Encode the parity of `y` in first bit
-        // `BYTE & 0x01` tests for parity and returns 0x00 when even, or 0x01 when odd
-        // Then `0x02 | <parity test result>` yields either 0x02 (even case) or 0x03 (odd).
-        compressedBytes[0] = 0x02 | (rawPublicKey[len-1] & 0x01)
-        return compressedBytes
-      }
-
-      /**
-       * Accepts a public key array buffer, and returns a buffer with the uncompressed version of the public key
-       * @param {Uint8Array} rawPublicKey
-       * @return {Uint8Array} the uncompressed bytes
-       */
-       var uncompressRawPublicKey = function(rawPublicKey) {
-        const len = rawPublicKey.byteLength
-
-        // point[0] must be 2 (false) or 3 (true).
-        // this maps to the initial "02" or "03" prefix
-        const lsb = rawPublicKey[0] === 3;
-        const x = BigInt("0x" + uint8arrayToHexString(rawPublicKey.subarray(1)));
-
-        // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf (Appendix D).
-        const p = BigInt("115792089210356248762697446949407573530086143415290314195533631308867097853951");
-        const b = BigInt("0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b");
-        const a = p - BigInt(3);
-
-        // Now compute y based on x
-        const rhs = ((x * x + a) * x + b) % p;
-        let y = modSqrt(rhs, p);
-        if (lsb !== testBit(y, 0)) {
-          y = (p - y) % p;
-        }
-
-        if (x < BigInt(0) || x >= p) {
-          throw new Error("x is out of range");
-        }
-
-        if (y < BigInt(0) || y >= p) {
-          throw new Error("y is out of range");
-        }
-
-        var uncompressedHexString = "04" + bigIntToHex(x, 64) + bigIntToHex(y, 64);
-        return uint8arrayFromHexString(uncompressedHexString)
-      }
-
-      /**
-       * Private helper to compute square root modulo p
-       */
-      function modSqrt(x, p) {
-        if (p <= BigInt(0)) {
-          throw new Error("p must be positive");
-        }
-        const base = x % p;
-        // The currently supported NIST curves P-256, P-384, and P-521 all satisfy
-        // p % 4 == 3.  However, although currently a no-op, the following check
-        // should be left in place in case other curves are supported in the future.
-        if (testBit(p, 0) && /* istanbul ignore next */ testBit(p, 1)) {
-          // Case p % 4 == 3 (applies to NIST curves P-256, P-384, and P-521)
-          // q = (p + 1) / 4
-          const q = (p + BigInt(1)) >> BigInt(2);
-          const squareRoot = modPow(base, q, p);
-          if ((squareRoot * squareRoot) % p !== base) {
-            throw new Error("could not find a modular square root");
-          }
-          return squareRoot;
-        }
-        // Skipping other elliptic curve types that require Cipolla's algorithm.
-        throw new Error("unsupported modulus value");
-      }
-
-      /**
-       * Private helper function used by `modSqrt`
-       */
-      function modPow(b, exp, p) {
-        if (exp === BigInt(0)) {
-          return BigInt(1);
-        }
-        let result = b;
-        const exponentBitString = exp.toString(2);
-        for (let i = 1; i < exponentBitString.length; ++i) {
-          result = (result * result) % p;
-          if (exponentBitString[i] === "1") {
-            result = (result * b) % p;
-          }
-        }
-        return result;
-      }
-
-      /**
-       * Another private helper function used as part of `modSqrt`
-       */
-      function testBit(n, i) {
-        const m = BigInt(1) << BigInt(i);
-        return (n & m) !== BigInt(0);
-      }
-
-      /**********************************************************************************************
-       * Start of private crypto implementation for P256 public key derivation from a private key.
-       * ----
-       * IMPORTANT NOTE: below we implement basic field arithmetic for P256
-       * This is only used to compute public point from a secret key inside of
-       * `importCredential` above. If something goes wrong with the code below
-       * the web crypto API will simply refuse to import the key.
-       * None of the functions below are returned from the closure to minimize the risk of misuse.
-       *********************************************************************************************/
-
-      /**
-       * P256FieldElement represents a finite field element
-       * The field is set to be the P256 prime:
-       * 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
-       */
-      var P256FieldElement = function(num) {
-        this.num = BigInt(num);
-        this.prime = BigInt('0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff');
-      };
-      P256FieldElement.prototype.eq = function(other) {
-        return this.num === other.num;
-      }
-      P256FieldElement.prototype.add = function(other) {
-        num = this.num + other.num;
-        return new P256FieldElement(num % this.prime);
-      }
-      P256FieldElement.prototype.sub = function(other) {
-        res = (this.num - other.num) % this.prime;
-        if (res < BigInt(0)) { res += this.prime }
-        return new P256FieldElement(res);
-      }
-      P256FieldElement.prototype.mul = function(other) {
-        if (typeof(other) === "bigint") {
-          coefficient = other;
-        } else if (typeof(other) === "number") {
-          coefficient = BigInt(other)
-        } else if (other instanceof P256FieldElement) {
-          coefficient = other.num;
-        } else {
-          throw new Error("Cannot multiply element. Expected a BigInt, a Number or a P256FieldElement. Got: " + other);
-        }
-        num = (this.num * coefficient) % this.prime
-        return new P256FieldElement(num);
-      }
-      P256FieldElement.prototype.div = function(other) {
-        // This uses fermat's little theorem (https://en.wikipedia.org/wiki/Fermat%27s_little_theorem)
-        // => if p is prime, then for any integer a: a**(p-1) % p = 1
-        // => we can compute inverses for any a: 1/a = a**(p-2) % p
-        return new P256FieldElement(other.num).pow(this.prime - BigInt(2)).mul(this.num)
-      }
-      P256FieldElement.prototype.pow = function(exponent) {
-        var exponent = BigInt(exponent);
-        var base = this.num % this.prime;
-        // Pretty standard double-and-add loop
-        var result = 1n;
-        while (exponent > BigInt(0)) {
-          if (exponent % BigInt(2)) {
-            result = (result * base) % this.prime;
-          }
-          exponent = exponent / BigInt(2);
-          base = (base * base) % this.prime;
-        }
-        return new P256FieldElement(result);
-      };
-
-      /**
-       * P256Point is a point (x, y) on the following elliptic curve:
-       *     y**2 = x**3 + ax + b
-       *     (where x and y are both finite field elements on the P256 field)
-       * https://www.secg.org/sec2-v2.pdf, https://neuromancer.sk/std/nist/P-256
-       *
-       * We only define + and * since that's what's needed for public key derivation.
-       */
-      P256Point = function(x, y) {
-        if (!x instanceof P256FieldElement) {
-          throw new Error("expected a P256FieldElement for x. Got: " + x);
-        }
-        this.x = x;
-
-        if (!y instanceof P256FieldElement) {
-          throw new Error("expected a P256FieldElement for y. Got: " + y);
-        }
-        this.y = y;
-        this.a = new P256FieldElement(BigInt('0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc'));
-        this.b = new P256FieldElement(BigInt('0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b'));
-
-        if (this.x === null && this.y === null) {
-          // Point at infinity
-          return
-        }
-
-        var left = this.y.pow(2).num;
-        var right = this.x.pow(3).add(this.x.mul(this.a)).add(this.b).num;
-
-        if (left != right){
-          // y**2 = x**3 + 7 is the elliptic curve equation
-          throw new Error('Not on the P256 curve! y**2 (' + left + ') != x3 + ax + b (' + right + ')');
-        }
-      }
-
-      /**
-       * Addition is a complex operation because of the number of cases involved.
-       * The point at infinity is represented by (x=null, y=null), and represents the logical "0".
-       * So, to compute `A.add(B)`:
-       * - Case 1a: if A is 0, return B (0+B=B)
-       * - Case 1b: if B is 0, return A (A+0=A)
-       * - Case 2: if A and B have the same x but different y coordinates, they're
-       *           opposite points: B is "-A". So, A+B=A+(-A)=0 (return point at infinity)
-       * - Case 3: if A and B are the same and at y=0, the A->B line is tangent to the y axis
-       *           -> return point at infinity
-       * - Case 4: if A and B are the same (with y≠0), the formula for the result R (x3, y3):
-       *           s = (3*x1**2 + a) / 2*y1
-       *           x3 = s**2 - 2*x1
-       *           y3 = s*(x1 - x3) - y1
-       *           -> return (x3, y3)
-       * - Case 5: general case (different x coordinates). To get R (x3, y3) from A and B:
-       *           s = (y2 -y1) / (x2 - x1)
-       *           x3 = s**2 - x1 - x2
-       *           y3 = s*(x1 - x3) - y1
-       *           -> return (x3, y3)
-       *
-       * See https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication#Point_addition for helpful visuals
-       */
-      P256Point.prototype.add = function(other) {
-        if (this.x === null) { return other; }  /* 1a */
-        if (other.x === null) { return this; }  /* 1b */
-
-        /* 2 */
-        if (this.x.eq(other.x) === true && this.y.eq(this.y) === false) {
-            return new P256Point(null, null);
-        }
-
-        /* 3 */
-        if (this.x.eq(other.x) && this.y.eq(other.y) && this.y.eq(new P256FieldElement(0))) {
-            return new P256Point(null, null);
-        }
-
-        /* 4 */
-        if (this.x.eq(other.x) && this.y.eq(other.y)) {
-            s = (this.x.pow(2).mul(3).add(this.a)).div(this.y.mul(2))
-            x = s.pow(2).sub(this.x.mul(2))
-            y = s.mul(this.x.sub(x)).sub(this.y)
-            return new P256Point(x, y)
-        }
-
-        /* 5 */
-        if (this.x.eq(other.x) === false) {
-            s = other.y.sub(this.y).div(other.x.sub(this.x));
-            x = s.pow(2).sub(this.x).sub(other.x);
-            y = s.mul(this.x.sub(x)).sub(this.y);
-            return new P256Point(x, y);
-        }
-
-        throw new Error('cannot handle addition of (' + this.x +  ', ' + this.y + ') with (' + other.x +  ', ' + other.y + ')');
-      }
-      /**
-       * Multiplication uses addition. Nothing crazy here.
-       * We start with "0" (point at infinity). Then we add increasing powers of 2.
-       * So, to multiply A by e.g. 25 (25 is 11001 in binary), we add 1*A, then compute
-       * 2*A, 4*A, 8*A by successive additions. Then add 8*A, then compute 16*A, then
-       * add 16*A.
-       */
-      P256Point.prototype.multiply = function(coefficient) {
-          var coef = BigInt(coefficient);
-          var current = this;
-          var result = new P256Point(null, null);
-          while(coef) {
-              if (coef & BigInt(1)) {
-                  result = result.add(current);
-              }
-              current = current.add(current);
-              coef >>= BigInt(1);
-          }
-          return result;
-      }
-
-      /**
-       * This is the P256 base point (aka generator)
-       * See https://www.secg.org/sec2-v2.pdf and https://neuromancer.sk/std/nist/P-256
-       */
-      var P256Generator = new P256Point(
-        new P256FieldElement(BigInt('0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296')),
-        new P256FieldElement(BigInt('0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5'))
-      )
-
-      /**********************************************************************************************
-       * End of private crypto implementation for P256 public key derivation from a private key.
-       *********************************************************************************************/
-
-      return {
-        initEmbeddedKey,
-        generateTargetKey,
-        setItemWithExpiry,
-        getItemWithExpiry,
-        getEmbeddedKey,
-        setEmbeddedKey,
-        onResetEmbeddedKey,
-        importCredential,
-        compressRawPublicKey,
-        uncompressRawPublicKey,
-        p256JWKPrivateToPublic,
-        convertEcdsaIeee1363ToDer,
-        sendMessageUp,
-        logMessage,
-        base64urlEncode,
-        base64urlDecode,
-        base58checkDecode,
-        bigIntToHex,
-        stringToBase64urlString,
-        uint8arrayToHexString,
-        uint8arrayFromHexString,
-        additionalAssociatedData
-      }
-    }();
-  </script>
-
-  <!--
-    Script importing HPKE lib until we can replace it
-    Because this is loaded as a module JSDOM can't load it properly
-    Code in here isn't tested, so let's keep this to a minimum!
-  -->
-  <script type="module">
-    // TODO: this should be bundled at build time or replaced with code written by Turnkey entirely.
-    import * as hpke from "https://esm.sh/@hpke/core";
-
-    // In memory spot for the credential to live. We do NOT persist it to localStorage.
-    var CREDENTIAL_BYTES = null;
-
-    document.addEventListener("DOMContentLoaded", async function () {
-      await TKHQ.initEmbeddedKey();
-      var embeddedKeyJwk = await TKHQ.getEmbeddedKey();
-      var targetPubBuf = await TKHQ.p256JWKPrivateToPublic(embeddedKeyJwk);
-      var targetPubHex = TKHQ.uint8arrayToHexString(targetPubBuf);
-      document.getElementById("embedded-key").value = targetPubHex;
-      TKHQ.sendMessageUp("PUBLIC_KEY_READY", targetPubHex)
-
-      // TODO: find a way to filter messages and ensure they're coming from the parent window?
-      // We do not want to arbitrarily receive messages from all origins.
-      window.addEventListener("message", async function(event) {
-        if (event.data && (event.data["type"] == "INJECT_CREDENTIAL_BUNDLE" || event.data["type"] == "INJECT_RECOVERY_BUNDLE")) {
-          TKHQ.logMessage(`⬇️ Received message ${event.data["type"]}: ${event.data["value"]}`);
-          try {
-            await onInjectBundle(event.data["value"])
-          } catch (e) {
-            TKHQ.sendMessageUp("ERROR", e.toString());
-          }
-        }
-        if (event.data && event.data["type"] == "STAMP_REQUEST") {
-          TKHQ.logMessage(`⬇️ Received message ${event.data["type"]}: ${event.data["value"]}`);
-          try {
-            await onStampRequest(event.data["value"]);
-          } catch (e) {
-            TKHQ.sendMessageUp("ERROR", e.toString());
-          }
-        }
-        if (event.data && event.data["type"] == "RESET_EMBEDDED_KEY") {
-          TKHQ.logMessage(`⬇️ Received message ${event.data["type"]}`);
-          try {
-            TKHQ.onResetEmbeddedKey();
-          } catch (e) {
-            TKHQ.sendMessageUp("ERROR", e.toString());
-          }
-        }
-      }, false);
-
-      /**
-       * Event handlers to power the recovery and auth flows in standalone mode
-       * Instead of receiving events from the parent page, forms trigger them.
-       * This is useful for debugging as well.
-       */
-      document.getElementById("inject").addEventListener("click", async function(e) {
-        e.preventDefault();
-        window.postMessage({
-          "type": "INJECT_CREDENTIAL_BUNDLE",
-          "value": document.getElementById("credential-bundle").value,
-        })
-      }, false);
-      document.getElementById("stamp").addEventListener("click", async function(e) {
-        e.preventDefault();
-        window.postMessage({
-          "type": "STAMP_REQUEST",
-          "value": document.getElementById("payload").value,
-        })
-      }, false);
-      document.getElementById("reset").addEventListener("click", async function(e) {
-        e.preventDefault();
-        window.postMessage({ "type": "RESET_EMBEDDED_KEY" })
-      }, false);
-    }, false);
-
-    /**
-     * Function triggered when INJECT_CREDENTIAL_BUNDLE event is received.
-     * The `bundle` param is the concatenation of a public key and an encrypted payload, and then base64 encoded
-     * Example: A6ZPGAlxBRZhjKWky4RpXnHVceGzJjTuBrzKvMGnIgZ3r6JD4D1iiSg_m-y_u0BgJKI397Xjn0wgu17w9wuRooEp-F38m4ql57FgQ7sX9nQA
-     * @param {string} bundle
-     */
-    var onInjectBundle = async function(bundle) {
-        if (
-          // Non-alphanumerical characters in base64url: - and _. These aren't in base58.
-          bundle.indexOf("-") === -1 && bundle.indexOf("_") === -1
-          // Uppercase o (O), uppercase i (I), lowercase L (l), and 0 aren't in the character set either.
-          && bundle.indexOf("O") === -1 && bundle.indexOf("I") === -1 && bundle.indexOf("l") === -1 && bundle.indexOf("0") === -1
-        ) {
-          // If none of these characters are in the bundle we assume it's a base58check-encoded string
-          // This isn't perfect: there's a small chance that a base64url-encoded string doesn't have any of these characters by chance!
-          // But we accept this risk given this branching is only here to support our transition to base58check.
-          // I hear you'd like to quantify this risk? Let's do it.
-          // Assuming random bytes in our bundle and a bundle length of 33 (public key, compressed) + 48 (encrypted cred) = 81 bytes.
-          // The odds of a byte being in the overlap set between base58 and base64url is 58/64=0.90625.
-          // Which means the odds of a 81 bytes string being in the overlap character set for its entire length is...
-          // ... 0.90625^81 = 0.0003444209703
-          // Are you convinced that this is good enough? I am :)
-          var bundleBytes = await TKHQ.base58checkDecode(bundle);
-        } else {
-          var bundleBytes = TKHQ.base64urlDecode(bundle);
-        }
-
-        if (bundleBytes.byteLength <= 33) {
-          throw new Error("bundle size " + bundleBytes.byteLength + " is too low. Expecting a compressed public key (33 bytes) and an encrypted credential")
-        }
-
-        var compressedEncappedKeyBuf = bundleBytes.subarray(0,33);
-        var ciphertextBuf = bundleBytes.subarray(33);
-        var embeddedKeyJwk = await TKHQ.getEmbeddedKey();
-
-        // Decompress the compressed key
-        var encappedKeyBuf = TKHQ.uncompressRawPublicKey(compressedEncappedKeyBuf);
-
-        var credentialBytes = await HpkeDecrypt(
-          {
-            ciphertextBuf,
-            encappedKeyBuf,
-            receiverPrivJwk: embeddedKeyJwk,
-          });
-
-        CREDENTIAL_BYTES = new Uint8Array(credentialBytes);
-        TKHQ.sendMessageUp("BUNDLE_INJECTED", true)
-    }
-    /**
-     * Function triggered when STAMP_REQUEST event is received.
-     * @param {string} payload to sign
-     */
-    var onStampRequest = async function(payload) {
-      if (CREDENTIAL_BYTES === null) {
-        throw new Error("cannot sign payload without credential. Credential bytes are null");
-      }
-      var key = await TKHQ.importCredential(CREDENTIAL_BYTES)
-      var signatureIeee1363 = await window.crypto.subtle.sign(
-        {
-            name: "ECDSA",
-            hash: {name: "SHA-256"},
-        },
-        key,
-        new TextEncoder().encode(payload)
-      );
-
-      var derSignature = TKHQ.convertEcdsaIeee1363ToDer(new Uint8Array(signatureIeee1363));
-      var derSignatureHexString = TKHQ.uint8arrayToHexString(derSignature);
-
-      // This is a bit of a pain, but we need to go through this:
-      // - Key needs to be exported to JWK first
-      // - Then imported without the private "d" component, and exported to get the public key
-      //   ^^ (that's what `p256JWKPrivateToPublic` does)
-      // - Finally, compress the public key.
-      var jwkKey = await crypto.subtle.exportKey("jwk", key);
-      var publicKey = await TKHQ.p256JWKPrivateToPublic(jwkKey);
-      var compressedPublicKey = TKHQ.compressRawPublicKey(publicKey);
-
-      var stamp = {
-        publicKey: TKHQ.uint8arrayToHexString(compressedPublicKey),
-        scheme: "SIGNATURE_SCHEME_TK_API_P256",
-        signature: derSignatureHexString,
-      };
-
-      var stampHeaderValue = TKHQ.stringToBase64urlString(JSON.stringify(stamp));
-      TKHQ.sendMessageUp("STAMP", stampHeaderValue)
-    }
-
-    /**
-     * Decrypt the ciphertext (ArrayBuffer) given an encapsulation key (ArrayBuffer)
-     * and the receivers private key (JSON Web Key).
-     */
-    var HpkeDecrypt = async function({
-      ciphertextBuf,
-      encappedKeyBuf,
-      receiverPrivJwk,
-    }) {
-      var kemContext = new hpke.DhkemP256HkdfSha256();
-      var receiverPriv = await kemContext.importKey("jwk", {...receiverPrivJwk}, false);
-
-
-      var suite = new hpke.CipherSuite({
-        kem: kemContext,
-        kdf: new hpke.HkdfSha256(),
-        aead: new hpke.Aes256Gcm(),
-      });
-
-      var recipientCtx = await suite.createRecipientContext({
-        recipientKey: receiverPriv,
-        enc: encappedKeyBuf,
-        info: new TextEncoder().encode("turnkey_hpke"),
-      });
-
-      var receiverPubBuf = await TKHQ.p256JWKPrivateToPublic(receiverPrivJwk);
-      var aad = TKHQ.additionalAssociatedData(encappedKeyBuf, receiverPubBuf);
-      var res;
-      try {
-        res = await recipientCtx.open(ciphertextBuf, aad);
-      } catch (e) {
-        throw new Error("decryption failed: " + e);
-      }
-      return res
-    }
-  </script>
-</body>
-</html>
diff --git a/export/index.preprod.html b/export/index.preprod.html
deleted file mode 100644
index f82ba48..0000000
--- a/export/index.preprod.html
+++ /dev/null
@@ -1,845 +0,0 @@
-<!doctype html>
-<html class="no-js" lang="">
-
-<head>
-  <link rel="icon" type="image/svg+xml" href="./favicon.svg" />
-  <meta charset="utf-8">
-  <title>Turnkey Export</title>
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <style>
-    body {
-      text-align: center;
-      font-family: 'Lucida Sans', 'Lucida Sans Regular', 'Lucida Grande', 'Lucida Sans Unicode', Geneva, Verdana, sans-serif;
-      max-width: 1024px;
-      margin: auto;
-    }
-    label {
-      display:inline-block;
-      width: 8em;
-    }
-    form {
-      text-align: left;
-    }
-    input[type=text], select {
-      width: 40em;
-      margin: 0.5em;
-      font-family: 'Courier New', Courier, monospace;
-      font-size: 1em;
-      height: 1.8em;
-      color: rgb(18, 87, 18);
-      border: 1px rgb(217, 240, 221) solid;
-      border-radius: 4px;
-    }
-    input:disabled {
-      background-color: rgb(239, 243, 240);
-    }
-    #reset {
-      color: white;
-      width: 7em;
-      font-size: 1em;
-      padding: 0.38em;
-      border-radius: 4px;
-      background-color: rgb(187, 100, 100);
-      border: 1px rgb(112, 42, 42) solid;
-      cursor: pointer;
-      display: inline;
-    }
-    #inject-key, #inject-wallet {
-      color: white;
-      width: 7em;
-      font-size: 1em;
-      padding: 0.38em;
-      border-radius: 4px;
-      background-color: rgb(50, 44, 44);
-      border: 1px rgb(33, 33, 33) solid;
-      cursor: pointer;
-      display: inline;
-    }
-    #message-log {
-      border: 1px #2a2828 solid;
-      padding: 0 0.7em;
-      border-radius: 4px;
-      margin-top: 2em;
-      max-width: 800px;
-      margin: auto;
-      display: block;
-    }
-    #message-log p {
-      font-size: 0.9em;
-      text-align: left;
-      word-break: break-all;
-    }
-    .hidden { display: none; }
-  </style>
-</head>
-
-<body>
-  <h2>Export Key Material</h2>
-  <p><em>This public key will be sent along with a private key ID or wallet ID inside of a new <code>EXPORT_PRIVATE_KEY</code> or <code>EXPORT_WALLET</code> activity</em></p>
-  <form>
-    <label>Embedded key</label>
-    <input type="text" name="embedded-key" id="embedded-key" disabled/>
-    <button id="reset">Reset Key</button>
-  </form>
-  <br>
-  <br>
-  <br>
-  <h2>Inject Key Export Bundle</h2>
-  <p><em>The export bundle comes from the parent page and is composed of a public key and an encrypted payload. The payload is encrypted to this document's embedded key (stored in local storage and displayed above). The scheme relies on <a target="_blank" href="https://datatracker.ietf.org/doc/rfc9180/">HPKE (RFC 9180)</a></em>.</p>
-  <form>
-    <label>Bundle</label>
-    <input type="text" name="key-export-bundle" id="key-export-bundle"/>
-    <button id="inject-key">Inject Bundle</button>
-    <br>
-    <label>Key Format</label>
-    <select id="key-export-format" name="key-export-format">
-      <option value="HEXADECIMAL">Hexadecimal (Default)</option>
-      <option value="SOLANA">Solana</option>
-    </select>
-    <br>
-    <label>Organization Id</label>
-    <input type="text" name="key-organization-id" id="key-organization-id"/>
-  </form>
-  <br>
-  <h2>Inject Wallet Export Bundle</h2>
-  <p><em>The export bundle comes from the parent page and is composed of a public key and an encrypted payload. The payload is encrypted to this document's embedded key (stored in local storage and displayed above). The scheme relies on <a target="_blank" href="https://datatracker.ietf.org/doc/rfc9180/">HPKE (RFC 9180)</a></em>.</p>
-  <form>
-    <label>Bundle</label>
-    <input type="text" name="wallet-export-bundle" id="wallet-export-bundle"/>
-    <button id="inject-wallet">Inject Bundle</button>
-    <br>
-    <label>Organization Id</label>
-    <input type="text" name="wallet-organization-id" id="wallet-organization-id"/>
-  </form>
-  <br>
-  <br>
-  <h2>Message log</h2>
-  <p><em>Below we display a log of the messages sent / received. The forms above send messages, and the code communicates results by sending events via the <code>postMessage</code> API.</em></p>
-  <div id="message-log"></div>
-
-  <!--
-    Script defining important helpers.
-    These helpers are unit-testable, so most of the logic should be written here.
-  -->
-  <script>
-    window.TKHQ = function() {
-      /** constant for LocalStorage */
-      const TURNKEY_EMBEDDED_KEY = "TURNKEY_EMBEDDED_KEY"
-      /** 48 hours in milliseconds */
-      const TURNKEY_EMBEDDED_KEY_TTL_IN_MILLIS = 1000 * 60 * 60 * 48;
-
-      /*
-      * Loads the quorum public key as a CryptoKey.
-      */
-      async function loadQuorumKey(quorumPublic) {
-        return await crypto.subtle.importKey("raw", quorumPublic, {
-          name: "ECDSA",
-          namedCurve: "P-256"
-        }, true, ["verify"]);
-      }
-
-      /**
-       * Creates a new public/private key pair and persists it in localStorage
-       */
-      async function initEmbeddedKey() {
-        const retrievedKey = await getEmbeddedKey();
-        if (retrievedKey === null) {
-          const targetKey = await generateTargetKey();
-          setEmbeddedKey(targetKey);
-        }
-        // Nothing to do, key is correctly initialized!
-      }
-
-      /*
-      * Generate a key to encrypt to and export it as a JSON Web Key.
-      */
-      async function generateTargetKey() {
-        const p256key = await crypto.subtle.generateKey({
-          name: 'ECDH',
-          namedCurve: 'P-256',
-        }, true, ['deriveBits',]);
-
-        return await crypto.subtle.exportKey("jwk", p256key.privateKey);
-      }
-
-      /**
-       * Gets the current embedded private key JWK. Returns `null` if not found.
-       */
-      function getEmbeddedKey() {
-        const jwtKey = TKHQ.getItemWithExpiry(TURNKEY_EMBEDDED_KEY)
-        return jwtKey ?  JSON.parse(jwtKey) : null;
-      }
-
-      /**
-       * Sets the embedded private key JWK with the default expiration time. 
-       * @param {JsonWebKey} targetKey
-       */
-      function setEmbeddedKey(targetKey) {
-        setItemWithExpiry(TURNKEY_EMBEDDED_KEY, JSON.stringify(targetKey), TURNKEY_EMBEDDED_KEY_TTL_IN_MILLIS);
-      }
-
-      /**
-       * Resets the current embedded private key JWK.
-       */
-      function onResetEmbeddedKey() {
-        window.localStorage.removeItem(TURNKEY_EMBEDDED_KEY);
-      }
-
-       /**
-       * Set an item in localStorage with an expiration time
-       * @param {string} key
-       * @param {string} value
-       * @param {number} ttl expiration time in milliseconds
-       */
-       function setItemWithExpiry(key, value, ttl) {
-        const now = new Date();
-        const item = {
-          value: value,
-          expiry: now.getTime() + ttl,
-        };
-        window.localStorage.setItem(key, JSON.stringify(item));
-      };
-
-      /**
-       * Get an item from localStorage. Returns `null` and
-       * removes the item from localStorage if expired or
-       * expiry time is missing.
-       * @param {string} key
-       */
-      function getItemWithExpiry(key) {
-        const itemStr = window.localStorage.getItem(key);
-        if (!itemStr) {
-          return null;
-        }
-        const item = JSON.parse(itemStr);
-        if (!item.hasOwnProperty("expiry") || !item.hasOwnProperty("value")) {
-          window.localStorage.removeItem(key);
-          return null;
-        }
-        const now = new Date();
-        if (now.getTime() > item.expiry) {
-          window.localStorage.removeItem(key);
-          return null;
-        }
-        return item.value;
-      };
-
-      /**
-       * Takes a hex string (e.g. "e4567ab") and returns an array buffer (Uint8Array)
-       * @param {string} hexString
-       * @returns {Uint8Array}
-       */
-       function uint8arrayFromHexString(hexString) {
-        var hexRegex = /^[0-9A-Fa-f]+$/;
-        if (!hexString || hexString.length % 2 != 0 || !hexRegex.test(hexString)) {
-          throw new Error('cannot create uint8array from invalid hex string: "' + hexString + '"');
-        }
-        return new Uint8Array(hexString.match(/../g).map(h=>parseInt(h,16)));
-      }
-
-      /**
-        * Takes a Uint8Array and returns a hex string
-        * @param {Uint8Array} buffer
-        * @return {string}
-        */
-      function uint8arrayToHexString(buffer) {
-        return [...buffer]
-          .map(x => x.toString(16).padStart(2, '0'))
-          .join('');
-      }
-
-      /**
-       * Function to normalize padding of byte array with 0's to a target length
-       */
-      function normalizePadding(byteArray, targetLength) {
-        const paddingLength = targetLength - byteArray.length;
-
-        // Add leading 0's to array
-        if (paddingLength > 0) {
-          const padding = new Uint8Array(paddingLength).fill(0);
-          return new Uint8Array([...padding, ...byteArray]);
-        }
-
-        // Remove leading 0's from array
-        if (paddingLength < 0) {
-          const expectedZeroCount = paddingLength * -1;
-          let zeroCount = 0;
-          for (let i = 0; i < expectedZeroCount && i < byteArray.length; i++) {
-            if (byteArray[i] === 0) {
-              zeroCount++;
-            }
-          }
-          // Check if the number of zeros found equals the number of zeroes expected
-          if (zeroCount !== expectedZeroCount) {
-            throw new Error(`invalid number of starting zeroes. Expected number of zeroes: ${expectedZeroCount}. Found: ${zeroCount}.`);
-          }
-          return byteArray.slice(expectedZeroCount, expectedZeroCount + targetLength);
-        }
-        return byteArray;
-      }
-
-      /**
-       * Additional Associated Data (AAD) in the format dictated by the enclave_encrypt crate.
-       */
-      function additionalAssociatedData(senderPubBuf, receiverPubBuf) {
-        const s = Array.from(new Uint8Array(senderPubBuf));
-        const r = Array.from(new Uint8Array(receiverPubBuf));
-        return new Uint8Array([...s, ...r]);
-      }
-
-      /**
-       * Converts an ASN.1 DER-encoded ECDSA signature to the raw format that WebCrypto uses.
-       */ 
-      function fromDerSignature(derSignature) {
-        const derSignatureBuf = uint8arrayFromHexString(derSignature);
-        
-        // Check and skip the sequence tag (0x30)
-        let index = 2;
-
-        // Parse 'r' and check for integer tag (0x02)
-        if (derSignatureBuf[index] !== 0x02) {
-          throw new Error("failed to convert DER-encoded signature: invalid tag for r");
-        }
-        index++; // Move past the INTEGER tag
-        const rLength = derSignatureBuf[index];
-        index++; // Move past the length byte
-        const r = derSignatureBuf.slice(index, index + rLength);
-        index += rLength; // Move to the start of s
-
-        // Parse 's' and check for integer tag (0x02)
-        if (derSignatureBuf[index] !== 0x02) {
-          throw new Error("failed to convert DER-encoded signature: invalid tag for s");
-        }
-        index++; // Move past the INTEGER tag
-        const sLength = derSignatureBuf[index];
-        index++; // Move past the length byte
-        const s = derSignatureBuf.slice(index, index + sLength);
-
-        // Normalize 'r' and 's' to 32 bytes each
-        const rPadded = normalizePadding(r, 32);
-        const sPadded = normalizePadding(s, 32);
-
-        // Concatenate and return the raw signature
-        return new Uint8Array([...rPadded, ...sPadded]);
-      }
-
-      /**
-       * Function to verify enclave signature on import bundle received from the server. 
-       */
-       async function verifyEnclaveSignature(enclaveQuorumPublic, publicSignature, publicKey) {
-        /** Turnkey Signer enclave's public key (preprod) */
-        const TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY = "04f3422b8afbe425d6ece77b8d2469954715a2ff273ab7ac89f1ed70e0a9325eaa1698b4351fd1b23734e65c0b6a86b62dd49d70b37c94606aac402cbd84353212";
-
-        // todo(olivia): throw error if enclave quorum public is null once server changes are deployed
-        if (enclaveQuorumPublic) {
-          if (enclaveQuorumPublic !== TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY) {
-            throw new Error(`enclave quorum public keys from client and bundle do not match. Client: ${TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY}. Bundle: ${enclaveQuorumPublic}.`);
-          }
-        }
-
-        const encryptionQuorumPublicBuf = new Uint8Array(uint8arrayFromHexString(TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY));
-        const quorumKey = await loadQuorumKey(encryptionQuorumPublicBuf);
-        if (!quorumKey) {
-          throw new Error("failed to load quorum key");
-        }
-
-        // The ECDSA signature is ASN.1 DER encoded but WebCrypto uses raw format 
-        const publicSignatureBuf = fromDerSignature(publicSignature);
-        const publicKeyBuf = uint8arrayFromHexString(publicKey);
-        return await crypto.subtle.verify({ name: "ECDSA", namedCurve: "P-256", hash: {name: "SHA-256" }}, quorumKey, publicSignatureBuf, publicKeyBuf);
-      }
-
-      /**
-       * Function to send a message. If this page is embedded as an iframe we'll use window.top.postMessage. Otherwise we'll display it in the DOM.
-       * @param type message type. Can be "PUBLIC_KEY_CREATED" or "BUNDLE_INJECTED"
-       * @param value message value
-       */
-      function sendMessageUp(type, value) {
-        if (window.top !== null) {
-          window.top.postMessage({
-              "type": type,
-              "value": value,
-          }, '*')
-        }
-        logMessage(`⬆️ Sent message ${type}: ${value}`)
-      }
-
-      /**
-       * Function to log a message and persist it in the page's DOM.
-       */
-      function logMessage(content) {
-        const messageLog = document.getElementById("message-log");
-        const message = document.createElement("p")
-        message.innerText = content;
-        messageLog.appendChild(message);
-      }
-
-      /**
-      * Convert a JSON Web Key private key to a public key and export the public
-      * key in raw format.
-      * @return {Uint8array}
-      */
-      async function p256JWKPrivateToPublic(jwkPrivate) {
-        // make a copy so we don't modify the underlying object
-        const jwkPrivateCopy = { ... jwkPrivate }
-        // change jwk so it will be imported as a public key
-        delete jwkPrivateCopy.d;
-        jwkPrivateCopy.key_ops = ["verify"];
-
-        const publicKey =  await window.crypto.subtle
-          .importKey("jwk", jwkPrivateCopy, { name: "ECDSA", namedCurve: "P-256" }, true, ["verify"]);
-        const buffer = await crypto.subtle.exportKey("raw", publicKey);
-        return new Uint8Array(buffer)
-      }
-
-      /**
-       * Encodes a buffer into a base58-encoded string.
-       * @param {Uint8Array} bytes The buffer to encode.
-       * @return {string} The base58-encoded string.
-       */
-      function base58Encode(bytes) {
-        // See https://en.bitcoin.it/wiki/Base58Check_encoding
-        const alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-        let result = '';
-        let digits = [0];
-        for (let i = 0; i < bytes.length; i++) {
-            let carry = bytes[i];
-            for (let j = 0; j < digits.length; ++j) {
-                carry += digits[j] << 8;
-                digits[j] = carry % 58;
-                carry = (carry / 58) | 0;
-            }
-            
-            while (carry > 0) {
-                digits.push(carry % 58);
-                carry = (carry / 58) | 0;
-            }
-        }
-        // Convert digits to a base58 string
-        for (let k = 0; k < digits.length; k++) {
-            result = alphabet[digits[k]] + result;
-        }
-
-        // Add '1' for each leading 0 byte
-        for (let i = 0; bytes[i] === 0 && i < bytes.length - 1; i++) {
-            result = '1' + result;
-        }
-        return result;
-      }
-
-      /**
-       * Decodes a base58-encoded string into a buffer
-       * This function throws an error when the string contains invalid characters.
-       * @param {string} s The base58-encoded string.
-       * @return {Uint8Array} The decoded buffer.
-       */
-       function base58Decode(s) {
-        // See https://en.bitcoin.it/wiki/Base58Check_encoding
-        var alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-        var decoded = BigInt(0);
-        var decodedBytes = [];
-        var leadingZeros = [];
-        for (var i = 0; i < s.length; i++) {
-          if (alphabet.indexOf(s[i]) === -1) {
-            throw new Error(`cannot base58-decode: ${s[i]} isn't a valid character`)
-          }
-          var carry = alphabet.indexOf(s[i]);
-
-          // If the current base58 digit is 0, append a 0 byte.
-          // "i == leadingZeros.length" can only be true if we have not seen non-zero bytes so far.
-          // If we had seen a non-zero byte, carry wouldn't be 0, and i would be strictly more than `leadingZeros.length`
-          if (carry == 0 && i === leadingZeros.length) {
-            leadingZeros.push(0);
-          }
-
-          var j = 0;
-          while (j < decodedBytes.length || carry > 0) {
-            var currentByte = decodedBytes[j];
-
-            // shift the current byte 58 units and add the carry amount
-            // (or just add the carry amount if this is a new byte -- undefined case)
-            if (currentByte === undefined) {
-              currentByte = carry
-            } else {
-              currentByte = currentByte * 58 + carry
-            }
-
-            // find the new carry amount (1-byte shift of current byte value)
-            carry = currentByte >> 8;
-            // reset the current byte to the remainder (the carry amount will pass on the overflow)
-            decodedBytes[j] = currentByte % 256;
-            j++
-          }
-        }
-
-        var result = leadingZeros.concat(decodedBytes.reverse());
-        return new Uint8Array(result);
-      }
-
-      /**
-       * Returns a private key from private key bytes, represented in
-       * the encoding and format specified by `keyFormat`. Defaults to
-       * hex-encoding if `keyFormat` isn't passed.
-       * @param {Uint8Array} privateKeyBytes
-       * @param {string} keyFormat Can be "HEXADECIMAL" or "SOLANA"
-       */
-      async function encodeKey(privateKeyBytes, keyFormat, publicKeyBytes) {
-        switch (keyFormat) {
-          case "SOLANA":
-            if (!publicKeyBytes) {
-              throw new Error("public key must be specified for SOLANA key format");
-            }
-            if (privateKeyBytes.length !== 32) {
-              throw new Error(`invalid private key length. Expected 32 bytes. Got ${privateKeyBytes.length}.`);
-            }
-            if (publicKeyBytes.length !== 32) {
-              throw new Error(`invalid public key length. Expected 32 bytes. Got ${publicKeyBytes.length}.`);
-            }
-            const concatenatedBytes = new Uint8Array(64);
-            concatenatedBytes.set(privateKeyBytes, 0);
-            concatenatedBytes.set(publicKeyBytes, 32);
-            return base58Encode(concatenatedBytes);
-          case "HEXADECIMAL":
-            return "0x" + uint8arrayToHexString(privateKeyBytes);
-          default:
-            console.warn(`invalid key format: ${keyFormat}. Defaulting to HEXADECIMAL.`);
-            return "0x" + uint8arrayToHexString(privateKeyBytes);
-        }
-      }
-
-      /**
-       * Returns a UTF-8 encoded wallet mnemonic + newline optional passphrase
-       * from wallet bytes.
-       * @param {Uint8Array} walletBytes
-       */
-       function encodeWallet(walletBytes) {
-        const decoder = new TextDecoder("utf-8");
-        const wallet = decoder.decode(walletBytes);
-        let mnemonic;
-        let passphrase = null;
-
-        if (wallet.includes("\n")) {
-            const parts = wallet.split("\n");
-            mnemonic = parts[0];
-            passphrase = parts[1];
-        } else {
-            mnemonic = wallet;
-        }
-
-        return {
-            mnemonic: mnemonic,
-            passphrase: passphrase
-        };
-      }
-
-      return {
-        initEmbeddedKey,
-        generateTargetKey,
-        setItemWithExpiry,
-        getItemWithExpiry,
-        getEmbeddedKey,
-        setEmbeddedKey,
-        onResetEmbeddedKey,
-        p256JWKPrivateToPublic,
-        base58Encode,
-        base58Decode,
-        encodeKey,
-        encodeWallet,
-        sendMessageUp,
-        logMessage,
-        uint8arrayFromHexString,
-        uint8arrayToHexString,
-        normalizePadding,
-        fromDerSignature,
-        additionalAssociatedData,
-        verifyEnclaveSignature
-      }
-    }();
-  </script>
-
-  <!--
-    Script importing HPKE lib until we can replace it
-    Because this is loaded as a module JSDOM can't load it properly
-    Code in here isn't tested, so let's keep this to a minimum!
-  -->
-  <script type="module">
-    // TODO: this should be bundled at build time or replaced with code written by Turnkey entirely.
-    import * as hpke from "https://esm.sh/@hpke/core";
-    import * as ed from "https://esm.sh/@noble/ed25519";
-    import { sha512 } from 'https://esm.sh/@noble/hashes/sha512';
-
-    ed.etc.sha512Sync = (...m) => sha512(ed.etc.concatBytes(...m));
-
-    document.addEventListener("DOMContentLoaded", async () => {
-      await TKHQ.initEmbeddedKey();
-      const embeddedKeyJwk = await TKHQ.getEmbeddedKey();
-      const targetPubBuf = await TKHQ.p256JWKPrivateToPublic(embeddedKeyJwk);
-      const targetPubHex = TKHQ.uint8arrayToHexString(targetPubBuf);
-      document.getElementById("embedded-key").value = targetPubHex;
-      TKHQ.sendMessageUp("PUBLIC_KEY_READY", targetPubHex)
-
-      // TODO: find a way to filter messages and ensure they're coming from the parent window?
-      // We do not want to arbitrarily receive messages from all origins.
-      window.addEventListener("message", async function(event) {
-        if (event.data && event.data["type"] == "INJECT_KEY_EXPORT_BUNDLE") {
-          TKHQ.logMessage(`⬇️ Received message ${event.data["type"]}: ${event.data["value"]}, ${event.data["keyFormat"]}, ${event.data["organizationId"]}`);
-          try {
-            await onInjectKeyBundle(event.data["value"], event.data["keyFormat"], event.data["organizationId"])
-          } catch (e) {
-            TKHQ.sendMessageUp("ERROR", e.toString());
-          }
-        }
-        if (event.data && event.data["type"] == "INJECT_WALLET_EXPORT_BUNDLE") {
-          TKHQ.logMessage(`⬇️ Received message ${event.data["type"]}: ${event.data["value"]}, ${event.data["organizationId"]}`);
-          try {
-            await onInjectWalletBundle(event.data["value"], event.data["organizationId"])
-          } catch (e) {
-            TKHQ.sendMessageUp("ERROR", e.toString());
-          }
-        }
-        if (event.data && event.data["type"] == "RESET_EMBEDDED_KEY") {
-          TKHQ.logMessage(`⬇️ Received message ${event.data["type"]}`);
-          try {
-            TKHQ.onResetEmbeddedKey();
-          } catch (e) {
-            TKHQ.sendMessageUp("ERROR", e.toString());
-          }
-        }
-      }, false);
-
-      /**
-       * Event handlers to power the export flow in standalone mode
-       * Instead of receiving events from the parent page, forms trigger them.
-       * This is useful for debugging as well.
-       */
-      document.getElementById("inject-key").addEventListener("click", async e => {
-        e.preventDefault();
-        window.postMessage({
-          "type": "INJECT_KEY_EXPORT_BUNDLE",
-          "value": document.getElementById("key-export-bundle").value,
-          "keyFormat": document.getElementById("key-export-format").value,
-          "organizationId": document.getElementById("key-organization-id").value,
-        })
-      }, false);
-      document.getElementById("inject-wallet").addEventListener("click", async e => {
-        e.preventDefault();
-        window.postMessage({
-          "type": "INJECT_WALLET_EXPORT_BUNDLE",
-          "value": document.getElementById("wallet-export-bundle").value,
-          "organizationId": document.getElementById("wallet-organization-id").value,
-        })
-      }, false);
-      document.getElementById("reset").addEventListener("click", async e => {
-        e.preventDefault();
-        window.postMessage({ "type": "RESET_EMBEDDED_KEY" })
-      }, false);
-    }, false);
-
-    /**
-     * Hide every HTML element in <body> except any <script> elements.
-     * Then append an element containing the hex-encoded raw private key.
-     * @param {string} key
-     */ 
-    function displayKey(key) {
-      Array.from(document.body.children).forEach(child => {
-          if (child.tagName !== "SCRIPT") {
-            child.style.display = 'none';
-          }
-        });
-
-        const style = {
-          border: "none",
-          color: "#555b64",
-          fontSize: ".875rem",
-          lineHeight: "1.25rem",
-          overflowWrap: "break-word",
-          textAlign: "left",
-        };
-
-        // Create a new div with the key material and append the new div to the body
-        const keyDiv = document.createElement("div");
-        keyDiv.id = "key-div";
-        keyDiv.innerText = key;
-        for (let styleKey in style) {
-            keyDiv.style[styleKey] = style[styleKey];
-        }
-        document.body.appendChild(keyDiv);
-    }
-
-    /**
-     * Parse and decrypt the export bundle.
-     * The `bundle` param is a JSON string of the encapsulated public
-     * key, encapsulated public key signature, and the ciphertext.
-     * Example: {"encappedPublic":"04912cb4200c40f04ae4a162f4c870c78cb4498a8efda0b94f4a9cb848d611bd40e9acccab2bf73cee1e269d8350a02f4df71864921097838f05c288d944fa2f8b","encappedPublicSignature":"304502200cd19a3c5892f1eeab88fe0cdd7cca63736a7d15fc364186fb3c913e1e01568b022100dea49557c176f6ca052b27ad164f077cf64d2aa55fbdc4757a14767f8b8c6b48","ciphertext":"0e5d5503f43721135818051e4c5b77b3365b66ec4020b0051d59ea9fc773c67bd4b61ed34a97b07a3074a85546721ae4","enclaveQuorumPublic":"04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569"}
-     * @param {string} bundle
-     * @param {string} organizationId
-     */ 
-    async function decryptBundle(bundle, organizationId) {
-      let encappedKeyBuf;
-      let ciphertextBuf;
-      let verified;
-
-      // Parse the import bundle
-      const bundleObj = JSON.parse(bundle);
-      switch (bundleObj.version) {
-        case undefined:
-          // Validate fields exist
-          if (!bundleObj.encappedPublic) {
-            throw new Error('missing "encappedPublic" in bundle');
-          }
-
-          if (!bundleObj.encappedPublicSignature) {
-            throw new Error('missing "encappedPublicSignature" in bundle');
-          }
-
-          // Verify enclave signature
-          if (!TKHQ.verifyEnclaveSignature) {
-            throw new Error("method not loaded");
-          }
-          verified = await TKHQ.verifyEnclaveSignature(bundleObj.enclaveQuorumPublic, bundleObj.encappedPublicSignature, bundleObj.encappedPublic);
-          if (!verified) {
-            throw new Error(`failed to verify enclave signature: ${bundle}`);
-          }
-
-          encappedKeyBuf = TKHQ.uint8arrayFromHexString(bundleObj.encappedPublic);
-          ciphertextBuf = TKHQ.uint8arrayFromHexString(bundleObj.ciphertext);
-          break;
-        case 'v1.0.0':
-          // Validate fields exist
-          if (!bundleObj.data) {
-            throw new Error('missing "data" in bundle');
-          }
-
-          if (!bundleObj.data.encappedPublic) {
-            throw new Error('missing "data.encappedPublic" in bundle');
-          }
-
-          if (!bundleObj.data.ciphertext) {
-            throw new Error('missing "data.ciphertext" in bundle');
-          }
-
-          if (!bundleObj.dataSignature) {
-            throw new Error('missing "dataSignature" in bundle');
-          }
-
-          // Verify enclave signature
-          if (!TKHQ.verifyEnclaveSignature) {
-            throw new Error("method not loaded");
-          }
-          verified = await TKHQ.verifyEnclaveSignature(bundleObj.enclaveQuorumPublic, bundleObj.dataSignature, bundleObj.data);
-          if (!verified) {
-            throw new Error(`failed to verify enclave signature: ${bundle}`);
-          }
-
-          // Validate fields match
-          if (!organizationId) {
-            // todo: throw error if organization id is undefined once we've fully transitioned to v1.0.0 server messages and v2.0.0 iframe-stamper
-            console.warn('we highly recommend using v2.0.0 iframe stamper to pass the "organizationId" for security purposes.');
-          } else if (!bundleObj.data.organizationId || bundleObj.data.organizationId !== organizationId) {
-            throw new Error(`organization id does not match expected value. Expected: ${organizationId}. Found: ${bundleObj.data.organizationId}.`);
-          }
-
-          encappedKeyBuf = TKHQ.uint8arrayFromHexString(bundleObj.data.encappedPublic);
-          ciphertextBuf = TKHQ.uint8arrayFromHexString(bundleObj.data.ciphertext);
-          break;
-        default:
-          throw new Error(`unsupported version: ${bundleObj.version}`);
-      }
-
-      // Decrypt the ciphertext
-      const embeddedKeyJwk = await TKHQ.getEmbeddedKey();
-      return await HpkeDecrypt(
-        {
-          ciphertextBuf,
-          encappedKeyBuf,
-          receiverPrivJwk: embeddedKeyJwk,
-        });
-    }
-
-    /**
-     * Function triggered when INJECT_KEY_EXPORT_BUNDLE event is received.
-     * @param {string} bundle
-     * @param {string} keyFormat
-     * @param {string} organizationId
-     */
-     async function onInjectKeyBundle(bundle, keyFormat, organizationId) {
-        // Decrypt the export bundle
-        const keyBytes = await decryptBundle(bundle, organizationId);
-        
-        // Reset embedded key after using for decryption
-        TKHQ.onResetEmbeddedKey();
-
-        // Parse the decrypted key bytes
-        var key;
-        const privateKeyBytes = new Uint8Array(keyBytes);
-        if (keyFormat === "SOLANA") {
-          const privateKeyHex = TKHQ.uint8arrayToHexString(privateKeyBytes.subarray(0,32));
-          const publicKeyBytes = ed.getPublicKey(privateKeyHex);
-          key = await TKHQ.encodeKey(privateKeyBytes, keyFormat, publicKeyBytes);
-        } else {
-          key = await TKHQ.encodeKey(privateKeyBytes, keyFormat);
-        }
-
-        // Display only the key
-        displayKey(key);
-
-        // Send up BUNDLE_INJECTED message
-        TKHQ.sendMessageUp("BUNDLE_INJECTED", true)
-    }
-
-    /**
-     * Function triggered when INJECT_WALLET_EXPORT_BUNDLE event is received.
-     * @param {string} bundle
-     * @param {string} organizationId
-     */
-     async function onInjectWalletBundle(bundle, organizationId) {
-        // Decrypt the export bundle
-        const walletBytes = await decryptBundle(bundle, organizationId);
-
-        // Reset embedded key after using for decryption
-        TKHQ.onResetEmbeddedKey();
-
-        // Parse the decrypted wallet bytes
-        const wallet = TKHQ.encodeWallet(new Uint8Array(walletBytes));
-
-        // Display only the wallet's mnemonic
-        displayKey(wallet.mnemonic);
-
-        // Send up BUNDLE_INJECTED message
-        TKHQ.sendMessageUp("BUNDLE_INJECTED", true)
-    }
-
-    /**
-     * Decrypt the ciphertext (ArrayBuffer) given an encapsulation key (ArrayBuffer)
-     * and the receivers private key (JSON Web Key).
-     */
-    async function HpkeDecrypt({ ciphertextBuf, encappedKeyBuf, receiverPrivJwk }) {
-      const kemContext = new hpke.DhkemP256HkdfSha256();
-      var receiverPriv = await kemContext.importKey("jwk", {...receiverPrivJwk}, false);
-
-
-      var suite = new hpke.CipherSuite({
-        kem: kemContext,
-        kdf: new hpke.HkdfSha256(),
-        aead: new hpke.Aes256Gcm(),
-      });
-
-      var recipientCtx = await suite.createRecipientContext({
-        recipientKey: receiverPriv,
-        enc: encappedKeyBuf,
-        info: new TextEncoder().encode("turnkey_hpke"),
-      });
-
-      var receiverPubBuf = await TKHQ.p256JWKPrivateToPublic(receiverPrivJwk);
-      var aad = TKHQ.additionalAssociatedData(encappedKeyBuf, receiverPubBuf);
-      var res;
-      try {
-        res = await recipientCtx.open(ciphertextBuf, aad);
-      } catch (e) {
-        throw new Error("decryption failed: " + e);
-      }
-      return res
-    }
-  </script>
-</body>
-</html>
diff --git a/export/index.html b/export/index.template.html
similarity index 97%
rename from export/index.html
rename to export/index.template.html
index 768467b..0180a09 100644
--- a/export/index.html
+++ b/export/index.template.html
@@ -330,8 +330,15 @@ <h2>Message log</h2>
        * Function to verify enclave signature on import bundle received from the server. 
        */
        async function verifyEnclaveSignature(enclaveQuorumPublic, publicSignature, publicKey) {
-        /** Turnkey Signer enclave's public key */
-        const TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY = "04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569";
+        /** Turnkey Signer enclave's public keys */
+        const TURNKEY_SIGNERS_ENCLAVES = {
+          "prod": "04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569",
+          "preprod": "04f3422b8afbe425d6ece77b8d2469954715a2ff273ab7ac89f1ed70e0a9325eaa1698b4351fd1b23734e65c0b6a86b62dd49d70b37c94606aac402cbd84353212"
+        }
+        const TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY = TURNKEY_SIGNERS_ENCLAVES["${TURNKEY_SIGNER_ENVIRONMENT}"];
+        if (TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY === undefined) {
+          throw new Error("Configuration error: TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY is undefined")
+        }
 
         // todo(olivia): throw error if enclave quorum public is null once server changes are deployed
         if (enclaveQuorumPublic) {
diff --git a/export/index.test.js b/export/index.test.js
index 915e903..ca7793b 100644
--- a/export/index.test.js
+++ b/export/index.test.js
@@ -4,7 +4,7 @@ import fs from "fs"
 import path from "path"
 import * as crypto from "crypto";
 
-const html = fs.readFileSync(path.resolve(__dirname, "./index.html"), "utf8");
+const html = fs.readFileSync(path.resolve(__dirname, "./index.template.html"), "utf8").replace("${TURNKEY_SIGNER_ENVIRONMENT}", "prod");
 
 let dom;
 let TKHQ;
@@ -234,4 +234,4 @@ describe("TKHQ", () => {
       TKHQ.verifyEnclaveSignature(null, "30440220773382ac39085f58a584fd5ad8c8b91b50993ad480af2c5eaefe0b09447b6dca02205201c8e20a92bce524caac08a956b0c2e7447de9c68f91ab1e09fd58988041b5", "")
     ).rejects.toThrow('cannot create uint8array from invalid hex string: ""');
   })
-});
\ No newline at end of file
+});
diff --git a/import/index.html b/import/index.html
deleted file mode 100644
index 36a038b..0000000
--- a/import/index.html
+++ /dev/null
@@ -1,708 +0,0 @@
-<!--
-  This page is intended to be embedded in an iframe. When updating any functions in
-  index.html, please make the same updates in standalone.html.
--->
-<!doctype html>
-<html class="no-js" lang="">
-
-<head>
-  <link rel="icon" type="image/svg+xml" href="./favicon.svg" />
-  <meta charset="utf-8">
-  <title>Turnkey Import</title>
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <style>
-    #plaintext {
-      width: 300px;
-      font-size: .875rem;
-      line-height: 1.25rem;
-      height: 110px;
-      color: #555b64;
-      border: none;
-      resize: none;
-      word-wrap: break-word;
-      overflow-wrap: break-word;
-      font-family: 'Lucida Sans', 'Lucida Sans Regular', 'Lucida Grande', 'Lucida Sans Unicode', Geneva, Verdana, sans-serif;
-    }
-    #plaintext:focus {
-      outline: none;
-      border: none;
-    }
-  </style>
-</head>
-
-<body>
-  <form>
-    <textarea name="plaintext" id="plaintext"></textarea>
-  </form>
-
-  <!--
-    Script defining important helpers.
-    These helpers are unit-testable, so most of the logic should be written here.
-  -->
-  <script>
-    window.TKHQ = function() {
-      /** constants for LocalStorage */
-      const TURNKEY_TARGET_EMBEDDED_KEY = "TURNKEY_TARGET_EMBEDDED_KEY";
-      const TURNKEY_SETTINGS = "TURNKEY_SETTINGS";
-
-      /*
-      * Load a key to encrypt to as a CryptoKey and return it as a JSON Web Key.
-      */
-      async function loadTargetKey(targetPublic) {
-        const targetKey = await crypto.subtle.importKey("raw", targetPublic, {
-          name: 'ECDH',
-          namedCurve: 'P-256',
-        }, true, []);
-
-        return await crypto.subtle.exportKey("jwk", targetKey);
-      }
-
-      /*
-      * Loads the quorum public key as a CryptoKey.
-      */
-      async function loadQuorumKey(quorumPublic) {
-        return await crypto.subtle.importKey("raw", quorumPublic, {
-          name: 'ECDSA',
-          namedCurve: 'P-256'
-        }, true, ['verify']);
-      }
-
-      /**
-       * Gets the current target embedded private key JWK. Returns `null` if not found.
-       */
-      function getTargetEmbeddedKey() {
-        const jwtKey = window.localStorage.getItem(TURNKEY_TARGET_EMBEDDED_KEY);
-        return jwtKey ?  JSON.parse(jwtKey) : null;
-      }
-
-      /**
-       * Sets the target embedded public key JWK.
-       * @param {JsonWebKey} targetKey
-       */
-      function setTargetEmbeddedKey(targetKey) {
-        window.localStorage.setItem(TURNKEY_TARGET_EMBEDDED_KEY, JSON.stringify(targetKey));
-      }
-
-      /**
-       * Resets the current target embedded private key JWK.
-       */
-      function resetTargetEmbeddedKey() {
-        window.localStorage.removeItem(TURNKEY_TARGET_EMBEDDED_KEY);
-      }
-
-      /**
-       * Gets the current settings.
-       */
-      function getSettings() {
-        const settings = window.localStorage.getItem(TURNKEY_SETTINGS);
-        return settings ?  JSON.parse(settings) : null;
-      }
-
-      /**
-       * Sets the settings object.
-       * @param {Object} settings
-       */
-      function setSettings(settings) {
-        window.localStorage.setItem(TURNKEY_SETTINGS, JSON.stringify(settings));
-      }
-
-      /**
-       * Takes a hex string (e.g. "e4567ab") and returns an array buffer (Uint8Array)
-       * @param {string} hexString
-       * @returns {Uint8Array}
-       */
-      function uint8arrayFromHexString(hexString) {
-        var hexRegex = /^[0-9A-Fa-f]+$/;
-        if (!hexString || hexString.length % 2 != 0 || !hexRegex.test(hexString)) {
-          throw new Error('cannot create uint8array from invalid hex string: "' + hexString + '"');
-        }
-        return new Uint8Array(hexString.match(/../g).map(h=>parseInt(h,16)));
-      }
-
-      /**
-       * Takes a Uint8Array and returns a hex string
-       * @param {Uint8Array} buffer
-       * @return {string}
-       */
-      function uint8arrayToHexString(buffer) {
-        return [...buffer]
-          .map(x => x.toString(16).padStart(2, '0'))
-          .join('');
-      }
-
-      /**
-       * Decodes a base58-encoded string into a buffer
-       * This function throws an error when the string contains invalid characters.
-       * @param {string} s The base58-encoded string.
-       * @return {Uint8Array} The decoded buffer.
-       */
-      function base58Decode(s) {
-        // See https://en.bitcoin.it/wiki/Base58Check_encoding
-        var alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
-        var decoded = BigInt(0);
-        var decodedBytes = [];
-        var leadingZeros = [];
-        for (var i = 0; i < s.length; i++) {
-          if (alphabet.indexOf(s[i]) === -1) {
-            throw new Error(`cannot base58-decode: ${s[i]} isn't a valid character`)
-          }
-          var carry = alphabet.indexOf(s[i]);
-
-          // If the current base58 digit is 0, append a 0 byte.
-          // "i == leadingZeros.length" can only be true if we have not seen non-zero bytes so far.
-          // If we had seen a non-zero byte, carry wouldn't be 0, and i would be strictly more than `leadingZeros.length`
-          if (carry == 0 && i === leadingZeros.length) {
-            leadingZeros.push(0);
-          }
-
-          var j = 0;
-          while (j < decodedBytes.length || carry > 0) {
-            var currentByte = decodedBytes[j];
-
-            // shift the current byte 58 units and add the carry amount
-            // (or just add the carry amount if this is a new byte -- undefined case)
-            if (currentByte === undefined) {
-              currentByte = carry
-            } else {
-              currentByte = currentByte * 58 + carry
-            }
-
-            // find the new carry amount (1-byte shift of current byte value)
-            carry = currentByte >> 8;
-            // reset the current byte to the remainder (the carry amount will pass on the overflow)
-            decodedBytes[j] = currentByte % 256;
-            j++
-          }
-        }
-
-        var result = leadingZeros.concat(decodedBytes.reverse());
-        return new Uint8Array(result);
-      }
-
-      /**
-       * Returns private key bytes from a private key, represented in
-       * the encoding and format specified by `keyFormat`. Defaults to
-       * hex-encoding if `keyFormat` isn't passed.
-       * @param {string} privateKey
-       * @param {string} keyFormat Can be "HEXADECIMAL" or "SOLANA"
-       */
-      function decodeKey(privateKey, keyFormat) {
-        switch (keyFormat) {
-          case "SOLANA":
-            const decodedKeyBytes = base58Decode(privateKey);
-            if (decodedKeyBytes.length !== 64) {
-              throw new Error(`invalid key length. Expected 64 bytes. Got ${decodedKeyBytes.length()}.`);
-            }
-            return decodedKeyBytes.subarray(0, 32);
-          case "HEXADECIMAL":
-            if (privateKey.startsWith("0x")) {
-              return uint8arrayFromHexString(privateKey.slice(2));
-            }
-            return uint8arrayFromHexString(privateKey);
-          default:
-            console.warn(`invalid key format: ${keyFormat}. Defaulting to HEXADECIMAL.`);
-            if (privateKey.startsWith("0x")) {
-              return uint8arrayFromHexString(privateKey.slice(2));
-            }
-            return uint8arrayFromHexString(privateKey);
-        }
-      }
-
-      /**
-       * Function to normalize padding of byte array with 0's to a target length
-       */
-      function normalizePadding(byteArray, targetLength) {
-        const paddingLength = targetLength - byteArray.length;
-
-        // Add leading 0's to array
-        if (paddingLength > 0) {
-          const padding = new Uint8Array(paddingLength).fill(0);
-          return new Uint8Array([...padding, ...byteArray]);
-        }
-
-        // Remove leading 0's from array
-        if (paddingLength < 0) {
-          const expectedZeroCount = paddingLength * -1;
-          let zeroCount = 0;
-          for (let i = 0; i < expectedZeroCount && i < byteArray.length; i++) {
-            if (byteArray[i] === 0) {
-              zeroCount++;
-            }
-          }
-          // Check if the number of zeros found equals the number of zeroes expected
-          if (zeroCount !== expectedZeroCount) {
-            throw new Error(`invalid number of starting zeroes. Expected number of zeroes: ${expectedZeroCount}. Found: ${zeroCount}.`);
-          }
-          return byteArray.slice(expectedZeroCount, expectedZeroCount + targetLength);
-        }
-        return byteArray;
-      }
-
-      /**
-       * Additional Associated Data (AAD) in the format dictated by the enclave_encrypt crate.
-       */
-      function additionalAssociatedData(senderPubBuf, receiverPubBuf) {
-        const s = Array.from(new Uint8Array(senderPubBuf));
-        const r = Array.from(new Uint8Array(receiverPubBuf));
-        return new Uint8Array([...s, ...r]);
-      }
-
-      /**
-       * Converts an ASN.1 DER-encoded ECDSA signature to the raw format that WebCrypto uses.
-       */ 
-      function fromDerSignature(derSignature) {
-        const derSignatureBuf = uint8arrayFromHexString(derSignature);
-        
-        // Check and skip the sequence tag (0x30)
-        let index = 2;
-
-        // Parse 'r' and check for integer tag (0x02)
-        if (derSignatureBuf[index] !== 0x02) {
-          throw new Error("failed to convert DER-encoded signature: invalid tag for r");
-        }
-        index++; // Move past the INTEGER tag
-        const rLength = derSignatureBuf[index];
-        index++; // Move past the length byte
-        const r = derSignatureBuf.slice(index, index + rLength);
-        index += rLength; // Move to the start of s
-
-        // Parse 's' and check for integer tag (0x02)
-        if (derSignatureBuf[index] !== 0x02) {
-          throw new Error("failed to convert DER-encoded signature: invalid tag for s");
-        }
-        index++; // Move past the INTEGER tag
-        const sLength = derSignatureBuf[index];
-        index++; // Move past the length byte
-        const s = derSignatureBuf.slice(index, index + sLength);
-
-        // Normalize 'r' and 's' to 32 bytes each
-        const rPadded = normalizePadding(r, 32);
-        const sPadded = normalizePadding(s, 32);
-
-        // Concatenate and return the raw signature
-        return new Uint8Array([...rPadded, ...sPadded]);
-      }
-
-      /**
-       * Function to verify enclave signature on import bundle received from the server. 
-       */
-      async function verifyEnclaveSignature(enclaveQuorumPublic, publicSignature, publicKey) {
-        /** Turnkey Signer enclave's public key */
-        const TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY = "04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569";
-
-        // todo(olivia): throw error if enclave quorum public is null once server changes are deployed
-        if (enclaveQuorumPublic) {
-          if (enclaveQuorumPublic !== TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY) {
-            throw new Error(`enclave quorum public keys from client and bundle do not match. Client: ${TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY}. Bundle: ${enclaveQuorumPublic}.`);
-          }
-        }
-
-        const encryptionQuorumPublicBuf = new Uint8Array(uint8arrayFromHexString(TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY));
-        const quorumKey = await loadQuorumKey(encryptionQuorumPublicBuf);
-        if (!quorumKey) {
-          throw new Error("failed to load quorum key");
-        }
-
-        // The ECDSA signature is ASN.1 DER encoded but WebCrypto uses raw format 
-        const publicSignatureBuf = fromDerSignature(publicSignature);
-        const publicKeyBuf = uint8arrayFromHexString(publicKey);
-        return await crypto.subtle.verify({ name: "ECDSA", namedCurve: "P-256", hash: {name: "SHA-256" }}, quorumKey, publicSignatureBuf, publicKeyBuf);
-      }
-
-      /**
-       * Function to validate and sanitize the styles object using the accepted map of style keys and values (as regular expressions).
-       * Any invalid style throws an error. Returns an object of valid styles.
-       * @param {Object} styles
-       * @return {Object}
-       */
-       function validateStyles(styles, element) {
-        const validStyles = {};
-
-        const cssValidationRegex = {
-          "padding": "^(\\d+(px|em|%|rem) ?){1,4}$",
-          "margin": "^(\\d+(px|em|%|rem) ?){1,4}$",
-          "borderWidth": "^(\\d+(px|em|rem) ?){1,4}$",
-          "borderStyle": "^(none|solid|dashed|dotted|double|groove|ridge|inset|outset)$",
-          "borderColor": "^(transparent|inherit|initial|#[0-9a-f]{3,8}|rgba?\\(\\d{1,3}, \\d{1,3}, \\d{1,3}(, \\d?(\\.\\d{1,2})?)?\\)|hsla?\\(\\d{1,3}, \\d{1,3}%, \\d{1,3}%(, \\d?(\\.\\d{1,2})?)?\\))$",
-          "borderRadius": "^(\\d+(px|em|%|rem) ?){1,4}$",
-          "fontSize": "^(\\d+(px|em|rem|%|vh|vw|in|cm|mm|pt|pc|ex|ch|vmin|vmax))$",
-          "fontWeight": "^(normal|bold|bolder|lighter|\\d{3})$",
-          "fontFamily": "^[^\";<>]*$", // checks for the absence of some characters that could lead to CSS/HTML injection
-          "color": "^(transparent|inherit|initial|#[0-9a-f]{3,8}|rgba?\\(\\d{1,3}, \\d{1,3}, \\d{1,3}(, \\d?(\\.\\d{1,2})?)?\\)|hsla?\\(\\d{1,3}, \\d{1,3}%, \\d{1,3}%(, \\d?(\\.\\d{1,2})?)?\\))$",
-          "backgroundColor": "^(transparent|inherit|initial|#[0-9a-f]{3,8}|rgba?\\(\\d{1,3}, \\d{1,3}, \\d{1,3}(, \\d?(\\.\\d{1,2})?)?\\)|hsla?\\(\\d{1,3}, \\d{1,3}%, \\d{1,3}%(, \\d?(\\.\\d{1,2})?)?\\))$",
-          "width": "^(\\d+(px|em|rem|%|vh|vw|in|cm|mm|pt|pc|ex|ch|vmin|vmax)|auto)$",
-          "height": "^(\\d+(px|em|rem|%|vh|vw|in|cm|mm|pt|pc|ex|ch|vmin|vmax)|auto)$",
-          "maxWidth": "^(\\d+(px|em|rem|%|vh|vw|in|cm|mm|pt|pc|ex|ch|vmin|vmax)|none)$",
-          "maxHeight": "^(\\d+(px|em|rem|%|vh|vw|in|cm|mm|pt|pc|ex|ch|vmin|vmax)|none)$",
-          "lineHeight": "^(\\d+(\\.\\d+)?(px|em|rem|%|vh|vw|in|cm|mm|pt|pc|ex|ch|vmin|vmax)|normal)$",
-          "boxShadow": "^(none|(\\d+(px|em|rem) ?){2,4} (#[0-9a-f]{3,8}|rgba?\\(\\d{1,3}, \\d{1,3}, \\d{1,3}(, \\d?(\\.\\d{1,2})?)?\\)) ?(inset)?)$",
-          "textAlign": "^(left|right|center|justify|initial|inherit)$",
-          "overflowWrap": "^(normal|break-word|anywhere)$",
-          "wordWrap": "^(normal|break-word)$",
-          "resize": "^(none|both|horizontal|vertical|block|inline)$",
-        };
-
-        Object.entries(styles).forEach(([property, value]) => {
-          const styleProperty = property.trim();
-          if (styleProperty.length === 0) {
-            throw new Error("css style property cannot be empty");
-          }
-          const styleRegexStr = cssValidationRegex[styleProperty];
-          if (!styleRegexStr) {
-            throw new Error(`invalid or unsupported css style property: "${styleProperty}"`);
-          }
-          const styleRegex = new RegExp(styleRegexStr);
-          const styleValue = value.trim();
-          if (styleValue.length == 0) {
-            throw new Error(`css style for "${styleProperty}" is empty`);
-          }
-          const isValidStyle = styleRegex.test(styleValue);
-          if (!isValidStyle) {
-            throw new Error(`invalid css style value for property "${styleProperty}"`);
-          }
-          validStyles[styleProperty] = styleValue;
-        })
-
-        return validStyles;
-      }
-
-      /**
-       * Function to apply settings on this page. For now, the only settings that can be applied
-       * are for "styles". Upon successful application, return the valid, sanitized settings JSON string.
-       * @param {string} settings
-       * @return {string}
-       */
-      function applySettings(settings) {
-        const validSettings = {};
-        const settingsObj = JSON.parse(settings);
-        if (settingsObj.styles) {
-          // Valid styles will be applied the "plaintext" textarea HTML element.
-          const plaintextTextarea = document.getElementById("plaintext");
-          if (!plaintextTextarea) {
-            throw new Error("no plaintext textarea HTML element found to apply settings to.");
-          }
-
-          // Validate, sanitize, and apply the styles to the "plaintext" textarea.
-          const validStyles = TKHQ.validateStyles(settingsObj.styles);
-          Object.entries(validStyles).forEach(([key, value]) => {
-            plaintextTextarea.style[key] = value;
-          });
-
-          validSettings["styles"] = validStyles;
-        }
-
-        return JSON.stringify(validSettings);
-      }
-
-      /**
-       * Function to send a message. If this page is embedded as an iframe we'll use window.top.postMessage. Otherwise we'll display it in the DOM.
-       * @param type message type. Can be "PUBLIC_KEY_CREATED" or "BUNDLE_INJECTED"
-       * @param value message value
-       */
-      function sendMessageUp(type, value) {
-        if (window.top !== null) {
-          window.top.postMessage({
-              "type": type,
-              "value": value,
-          }, '*')
-        }
-      }
-
-      return {
-        loadTargetKey,
-        getTargetEmbeddedKey,
-        setTargetEmbeddedKey,
-        resetTargetEmbeddedKey,
-        getSettings,
-        setSettings,
-        sendMessageUp,
-        uint8arrayFromHexString,
-        uint8arrayToHexString,
-        base58Decode,
-        decodeKey,
-        normalizePadding,
-        fromDerSignature,
-        additionalAssociatedData,
-        verifyEnclaveSignature,
-        validateStyles,
-        applySettings,
-      }
-    }();
-  </script>
-
-  <!--
-    Script importing HPKE lib until we can replace it
-    Because this is loaded as a module JSDOM can't load it properly
-    Code in here isn't tested, so let's keep this to a minimum!
-  -->
-  <script type="module">
-    // TODO: this should be bundled at build time or replaced with code written by Turnkey entirely.
-    import * as hpke from "https://esm.sh/@hpke/core";
-
-    document.addEventListener("DOMContentLoaded", async () => {
-      // If styles are saved in local storage, sanitize and apply them.
-      const styleSettings = TKHQ.getSettings();
-      if (styleSettings) {
-        TKHQ.applySettings(styleSettings);
-      }
-      // This is a workaround for how @turnkey/iframe-stamper is initialized. Currently,
-      // init() waits for a public key to be initialized that can be used to send to the server
-      // which will encrypt messages to this public key.
-      // In the case of import, this public key is not used because the client encrypts messages
-      // to the server's public key.
-      TKHQ.sendMessageUp("PUBLIC_KEY_READY", "")
-      // TODO: find a way to filter messages and ensure they're coming from the parent window?
-      // We do not want to arbitrarily receive messages from all origins.
-      window.addEventListener("message", async function(event) {
-        if (event.data && event.data["type"] == "INJECT_IMPORT_BUNDLE") {
-          try {
-            await onInjectImportBundle(event.data["value"], event.data["organizationId"], event.data["userId"])
-          } catch (e) {
-            TKHQ.sendMessageUp("ERROR", e.toString());
-          }
-        }
-        if (event.data && event.data["type"] == "EXTRACT_WALLET_ENCRYPTED_BUNDLE") {
-          try {
-            await onExtractWalletEncryptedBundle()
-          } catch (e) {
-            TKHQ.sendMessageUp("ERROR", e.toString());
-          }
-        }
-        if (event.data && event.data["type"] == "EXTRACT_KEY_ENCRYPTED_BUNDLE") {
-          try {
-            await onExtractKeyEncryptedBundle(event.data["keyFormat"])
-          } catch (e) {
-            TKHQ.sendMessageUp("ERROR", e.toString());
-          }
-        }
-        if (event.data && event.data["type"] == "APPLY_SETTINGS") {
-          try {
-            await onApplySettings(event.data["value"])
-          } catch (e) {
-            TKHQ.sendMessageUp("ERROR", e.toString());
-          }
-        }
-      }, false);
-    }, false);
-
-    /**
-     * Function triggered when INJECT_IMPORT_BUNDLE event is received.
-     * Parses the `import_bundle` and stores the target public key as a JWK
-     * in local storage. Sends true upon success.
-     * @param {string} bundle
-     * Example bundle: {"targetPublic":"0491ccb68758b822a6549257f87769eeed37c6cb68a6c6255c5f238e2b6e6e61838c8ac857f2e305970a6435715f84e5a2e4b02a4d1e5289ba7ec7910e47d2d50f","targetPublicSignature":"3045022100cefc333c330c9fa300d1aa10a439a76539b4d6967301638ab9edc9fd9468bfdb0220339bba7e2b00b45d52e941d068ecd3bfd16fd1926da69dd7769893268990d62f","enclaveQuorumPublic":"04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569"}
-     * @param {string} organizationId
-     * @param {string} userId
-     */
-    async function onInjectImportBundle(bundle, organizationId, userId) {
-      let targetPublicBuf;
-      let verified;
-
-      // Parse the import bundle
-      const bundleObj = JSON.parse(bundle);
-
-      switch (bundleObj.version) {
-        case undefined:
-          // Validate fields exist
-          if (!bundleObj.targetPublic) {
-            throw new Error('missing "targetPublic" in bundle');
-          }
-
-          if (!bundleObj.targetPublicSignature) {
-            throw new Error('missing "targetPublicSignature" in bundle');
-          }
-
-          // Verify enclave signature
-          verified = await TKHQ.verifyEnclaveSignature(bundleObj.enclaveQuorumPublic, bundleObj.targetPublicSignature, bundleObj.targetPublic);
-          if (!verified) {
-            throw new Error("failed to verify enclave signature");
-          }
-
-          // Load target public key generated from enclave and set in local storage
-          targetPublicBuf = TKHQ.uint8arrayFromHexString(bundleObj.targetPublic);
-          break;
-        case 'v1.0.0':
-          // Validate fields exist
-          if (!bundleObj.data) {
-            throw new Error('missing "data" in bundle');
-          }
-
-          if (!bundleObj.data.targetPublic) {
-            throw new Error('missing "data.targetPublic" in bundle');
-          }
-
-          if (!bundleObj.dataSignature) {
-            throw new Error('missing "dataSignature" in bundle');
-          }
-
-          // Verify enclave signature
-          if (!TKHQ.verifyEnclaveSignature) {
-            throw new Error("method not loaded");
-          }
-          verified = await TKHQ.verifyEnclaveSignature(bundleObj.enclaveQuorumPublic, bundleObj.dataSignature, bundleObj.data);
-          if (!verified) {
-            throw new Error(`failed to verify enclave signature: ${bundle}`);
-          }
-
-          // Validate fields match
-          if (!organizationId) {
-            // todo: throw error if organization id is undefined once we've fully transitioned to v1.0.0 server messages and v2.0.0 iframe-stamper
-            console.warn('we highly recommend using v2.0.0 iframe stamper to pass the "organizationId" for security purposes.');
-          } else if (!bundleObj.data.organizationId || bundleObj.data.organizationId !== organizationId) {
-            throw new Error(`organization id does not match expected value. Expected: ${organizationId}. Found: ${bundleObj.data.organizationId}.`);
-          }
-          if (!userId) {
-            // todo: throw error if organization id is undefined once we've fully transitioned to v1.0.0 server messages and v2.0.0 iframe-stamper
-            console.warn('we highly recommend using v2.0.0 iframe stamper to pass the "userId" for security purposes.');
-          } else if (!bundleObj.data.userId || bundleObj.data.userId !== userId) {
-            throw new Error(`user id does not match expected value. Expected: ${userId}. Found: ${bundleObj.data.userId}.`);
-          }
-
-          // Load target public key generated from enclave and set in local storage
-          targetPublicBuf = TKHQ.uint8arrayFromHexString(bundleObj.data.targetPublic);
-          break;
-        default:
-          throw new Error(`unsupported version: ${bundleObj.version}`);
-      }
-
-      const targetPublicKeyJwk = await TKHQ.loadTargetKey(new Uint8Array(targetPublicBuf));
-      TKHQ.setTargetEmbeddedKey(targetPublicKeyJwk);
-
-      // Send up BUNDLE_INJECTED message
-      TKHQ.sendMessageUp("BUNDLE_INJECTED", true)
-    }
-
-    /**
-     * Function triggered when EXTRACT_WALLET_ENCRYPTED_BUNDLE event is received.
-     * Prerequisite: This function uses the target public key in local storage that is imported
-     * from the INJECT_IMPORT_BUNDLE event.
-     * Uses the target public key in local storage to encrypt the text entered in the
-     * `plaintext` textarea element. Upon successful encryption, sends
-     * an `encrypted_bundle` containing the ciphertext and encapped public key.
-     * Example bundle: {"encappedPublic":"0497f33f3306f67f4402d4824e15b63b04786b6558d417aac2fef69051e46fa7bfbe776b142e4ded4f02097617a7588e93c53b71f900a4a8831a31be6f95e5f60f","ciphertext":"c17c3085505f3c094f0fa61791395b83ab1d8c90bdf9f12a64fc6e2e9cba266beb528f65c88bd933e36e6203752a9b63e6a92290a0ab6bf0ed591cf7bfa08006001e2cc63870165dc99ec61554ffdc14dea7d567e62cceed29314ae6c71a013843f5c06146dee5bf9c1d"}
-     */
-    async function onExtractWalletEncryptedBundle() {
-      // Get target embedded key from previous step (onInjectImportBundle)
-      const targetPublicKeyJwk = TKHQ.getTargetEmbeddedKey();
-      if (targetPublicKeyJwk == null) {
-        throw new Error("no target key found");
-      }
-
-      // Get plaintext wallet mnemonic
-      const plaintext = document.getElementById("plaintext").value.trim();
-      if (!plaintext) {
-        throw new Error("no wallet mnemonic entered");
-      }
-      const plaintextBuf = new TextEncoder().encode(plaintext);
-
-      // Encrypt the bundle using the enclave target public key
-      const encryptedBundle = await HpkeEncrypt(
-        {
-          plaintextBuf,
-          receiverPubJwk: targetPublicKeyJwk,
-        });
-
-      // Reset target embedded key after using for encryption
-      TKHQ.resetTargetEmbeddedKey();
-
-      // Send up ENCRYPTED_BUNDLE_EXTRACTED message
-      TKHQ.sendMessageUp("ENCRYPTED_BUNDLE_EXTRACTED", encryptedBundle)
-    }
-
-    /**
-     * Function triggered when EXTRACT_KEY_ENCRYPTED_BUNDLE event is received.
-     * Prerequisite: This function uses the target public key in local storage that is imported
-     * from the INJECT_IMPORT_BUNDLE event.
-     * Uses the target public key in local storage to encrypt the text entered in the
-     * `plaintext` textarea element. Upon successful encryption, sends
-     * an `encrypted_bundle` containing the ciphertext and encapped public key.
-     * Example bundle: {"encappedPublic":"0497f33f3306f67f4402d4824e15b63b04786b6558d417aac2fef69051e46fa7bfbe776b142e4ded4f02097617a7588e93c53b71f900a4a8831a31be6f95e5f60f","ciphertext":"c17c3085505f3c094f0fa61791395b83ab1d8c90bdf9f12a64fc6e2e9cba266beb528f65c88bd933e36e6203752a9b63e6a92290a0ab6bf0ed591cf7bfa08006001e2cc63870165dc99ec61554ffdc14dea7d567e62cceed29314ae6c71a013843f5c06146dee5bf9c1d"}
-     */
-    async function onExtractKeyEncryptedBundle(keyFormat) {
-      // Get target embedded key from previous step (onInjectImportBundle)
-      const targetPublicKeyJwk = TKHQ.getTargetEmbeddedKey();
-      if (targetPublicKeyJwk == null) {
-        throw new Error("no target key found");
-      }
-
-      // Get plaintext private key
-      const plaintext = document.getElementById("plaintext").value.trim();
-      if (!plaintext) {
-        throw new Error("no private key entered");
-      }
-      const plaintextBuf = TKHQ.decodeKey(plaintext, keyFormat);
-
-      // Encrypt the bundle using the enclave target public key
-      const encryptedBundle = await HpkeEncrypt(
-        {
-          plaintextBuf,
-          receiverPubJwk: targetPublicKeyJwk,
-        });
-
-      // Reset target embedded key after using for encryption
-      TKHQ.resetTargetEmbeddedKey();
-
-      // Send up ENCRYPTED_BUNDLE_EXTRACTED message
-      TKHQ.sendMessageUp("ENCRYPTED_BUNDLE_EXTRACTED", encryptedBundle)
-    }
-
-    /**
-     * Function triggered when APPLY_SETTINGS event is received.
-     * For now, the only settings that can be applied are for "styles".
-     * Persist them in local storage so they can be applied on every
-     * page load.
-     */
-    async function onApplySettings(settings) {
-      // Apply settings
-      const validSettings = TKHQ.applySettings(settings);
-
-      // Persist in local storage
-      TKHQ.setSettings(validSettings);
-
-      // Send up SETTINGS_APPLIED message
-      TKHQ.sendMessageUp("SETTINGS_APPLIED", true);
-    }
-
-    async function HpkeEncrypt({ plaintextBuf, receiverPubJwk }) {
-      const kemContext = new hpke.DhkemP256HkdfSha256();
-      const receiverPub = await kemContext.importKey("jwk", {...receiverPubJwk}, true);
-
-      const suite = new hpke.CipherSuite({
-        kem: kemContext,
-        kdf: new hpke.HkdfSha256(),
-        aead: new hpke.Aes256Gcm(),
-      });
-
-      const senderCtx = await suite.createSenderContext({
-        recipientPublicKey: receiverPub,
-        info: new TextEncoder().encode("turnkey_hpke"),
-      });
-
-      // Need to import the key again as a JWK to export as a raw key, the format needed to
-      // create the aad with the newly generated raw encapped key.
-      const receiverPubCryptoKey = await crypto.subtle.importKey("jwk", receiverPubJwk, {
-          name: 'ECDSA',
-          namedCurve: 'P-256',
-        }, true, []);
-      const receiverPubRaw = await crypto.subtle.exportKey("raw", receiverPubCryptoKey);
-      const receiverPubBuf = new Uint8Array(receiverPubRaw);
-
-      const encappedKeyBuf = new Uint8Array(senderCtx.enc);
-
-      const aad = TKHQ.additionalAssociatedData(encappedKeyBuf, receiverPubBuf);
-      
-      var ciphertextBuf;
-      try {
-        ciphertextBuf = await senderCtx.seal(plaintextBuf, aad);
-      } catch (e) {
-        throw new Error("encryption failed: " + e);
-      }
-      
-      const ciphertextHex = TKHQ.uint8arrayToHexString(new Uint8Array(ciphertextBuf));
-      const encappedKeyBufHex = TKHQ.uint8arrayToHexString(encappedKeyBuf);
-      const encryptedBundle = JSON.stringify({ encappedPublic: encappedKeyBufHex, ciphertext: ciphertextHex })
-      return encryptedBundle
-    }
-  </script>
-</body>
-</html>
\ No newline at end of file
diff --git a/import/index.preprod.html b/import/index.template.html
similarity index 97%
rename from import/index.preprod.html
rename to import/index.template.html
index fc0d552..5d5f5c7 100644
--- a/import/index.preprod.html
+++ b/import/index.template.html
@@ -287,8 +287,15 @@
        * Function to verify enclave signature on import bundle received from the server. 
        */
       async function verifyEnclaveSignature(enclaveQuorumPublic, publicSignature, publicKey) {
-        /** Turnkey Signer enclave's public key (preprod) */
-        const TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY = "04f3422b8afbe425d6ece77b8d2469954715a2ff273ab7ac89f1ed70e0a9325eaa1698b4351fd1b23734e65c0b6a86b62dd49d70b37c94606aac402cbd84353212";
+        /** Turnkey Signer enclave's public keys */
+        const TURNKEY_SIGNERS_ENCLAVES = {
+          "prod": "04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569",
+          "preprod": "04f3422b8afbe425d6ece77b8d2469954715a2ff273ab7ac89f1ed70e0a9325eaa1698b4351fd1b23734e65c0b6a86b62dd49d70b37c94606aac402cbd84353212"
+        }
+        const TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY = TURNKEY_SIGNERS_ENCLAVES["${TURNKEY_SIGNER_ENVIRONMENT}"];
+        if (TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY === undefined) {
+          throw new Error("Configuration error: TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY is undefined")
+        }
 
         // todo(olivia): throw error if enclave quorum public is null once server changes are deployed
         if (enclaveQuorumPublic) {
@@ -705,4 +712,4 @@
     }
   </script>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/import/index.test.js b/import/index.test.js
index 7cda000..857fd15 100644
--- a/import/index.test.js
+++ b/import/index.test.js
@@ -4,7 +4,7 @@ import fs from "fs"
 import path from "path"
 import * as crypto from "crypto";
 
-const html = fs.readFileSync(path.resolve(__dirname, "./index.html"), "utf8");
+const html = fs.readFileSync(path.resolve(__dirname, "./index.template.html"), "utf8").replace("${TURNKEY_SIGNER_ENVIRONMENT}", "prod");
 
 let dom;
 let TKHQ;
diff --git a/import/standalone.html b/import/standalone.template.html
similarity index 97%
rename from import/standalone.html
rename to import/standalone.template.html
index 933b10c..203ef76 100644
--- a/import/standalone.html
+++ b/import/standalone.template.html
@@ -339,8 +339,15 @@ <h2>Message log</h2>
        * Function to verify enclave signature on import bundle received from the server. 
        */
       async function verifyEnclaveSignature(enclaveQuorumPublic, publicSignature, publicKey) {
-        /** Turnkey Signer enclave's public key */
-        const TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY = "04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569";
+        /** Turnkey Signer enclave's public keys */
+        const TURNKEY_SIGNERS_ENCLAVES = {
+          "prod": "04cf288fe433cc4e1aa0ce1632feac4ea26bf2f5a09dcfe5a42c398e06898710330f0572882f4dbdf0f5304b8fc8703acd69adca9a4bbf7f5d00d20a5e364b2569",
+          "preprod": "04f3422b8afbe425d6ece77b8d2469954715a2ff273ab7ac89f1ed70e0a9325eaa1698b4351fd1b23734e65c0b6a86b62dd49d70b37c94606aac402cbd84353212"
+        }
+        const TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY = TURNKEY_SIGNERS_ENCLAVES["${TURNKEY_SIGNER_ENVIRONMENT}"];
+        if (TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY === undefined) {
+          throw new Error("Configuration error: TURNKEY_SIGNER_ENCLAVE_QUORUM_PUBLIC_KEY is undefined")
+        }
 
         // todo(olivia): throw error if enclave quorum public is null once server changes are deployed
         if (enclaveQuorumPublic) {
@@ -683,4 +690,4 @@ <h2>Message log</h2>
     }
   </script>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/kustomize/resources.yaml b/kustomize/resources.yaml
index 57f68aa..c24526b 100644
--- a/kustomize/resources.yaml
+++ b/kustomize/resources.yaml
@@ -10,6 +10,30 @@ metadata:
 spec:
   template:
     spec:
+      initContainers:
+        - name: template-quorum-key
+          image: ghcr.io/tkhq/frames
+          env:
+            - name: TURNKEY_SIGNER_ENVIRONMENT
+              value: "prod"
+          command:
+            - sh
+            - -c
+            - |
+                mkdir -p templated/export templated/import;
+                envsubst '${TURNKEY_SIGNER_ENVIRONMENT}' < import/index.template.html > templated/import/index.html;
+                envsubst '${TURNKEY_SIGNER_ENVIRONMENT}' < import/standalone.template.html > templated/import/standalone.html;
+                envsubst '${TURNKEY_SIGNER_ENVIRONMENT}' < export/index.template.html > templated/export/index.html;
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            runAsNonRoot: true
+            runAsUser: 1000
+          volumeMounts:
+            - name: templated
+              mountPath: /usr/share/nginx/templated
       containers:
         - name: frames
           image: ghcr.io/tkhq/frames
@@ -36,7 +60,14 @@ spec:
                 - ALL
             runAsNonRoot: true
             runAsUser: 1000
+          volumeMounts:
+            - name: templated
+              mountPath: /usr/share/nginx/templated
+              readOnly: true
       serviceAccountName: frames
+      volumes:
+        - name: templated
+          emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
diff --git a/nginx.conf b/nginx.conf
index a046f76..1ade501 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -40,20 +40,23 @@ http {
 
     # Prod
     server {
-       listen 8080;
-       root /usr/share/nginx/auth;
+        listen 8080;
+        root /usr/share/nginx/auth;
 
         # Health endpoint for k8s
-       location = /health {
+        location = /health {
             access_log off;
             add_header 'Content-Type' 'application/json';
             return 200 '{"status":"UP"}';
-       }
+        }
     }
 
     server {
         listen 8081;
-        root /usr/share/nginx/export;
+        root /usr/share/nginx;
+        location / {
+            try_files /export/$uri /templated/export/$uri /templated/export/$uri/index.html =404;
+        }
     }
 
     server {
@@ -63,38 +66,9 @@ http {
 
     server {
         listen 8083;
-        root /usr/share/nginx/import;
-    }
-
-    # Preprod
-    server {
-       listen 7070;
-       root /usr/share/nginx/auth;
-       index index.preprod.html;
-
-        # Health endpoint for k8s
-       location = /health {
-            access_log off;
-            add_header 'Content-Type' 'application/json';
-            return 200 '{"status":"UP"}';
-       }
-    }
-
-    server {
-        listen 7071;
-        root /usr/share/nginx/export;
-        index index.preprod.html;
-    }
-
-    server {
-        listen 7072;
-        root /usr/share/nginx/recovery;
-        index index.preprod.html;
-    }
-
-    server {
-        listen 7073;
-        root /usr/share/nginx/import;
-        index index.preprod.html;
+        root /usr/share/nginx;
+        location / {
+            try_files /import/$uri /templated/import/$uri /templated/import/$uri/index.html =404;
+        }
     }
 }