assets/modules/analytics.js

const { sessionStorage, navigator, document, location, screen, fetch } = globalThis

let ENDPOINT = '/t'
const SK_UID = '_u'
const SK_HASH = '_h'

let encKey = null

async function importKey(b64) {
    const raw = Uint8Array.from(globalThis.atob(b64), c => c.codePointAt(0))
    return globalThis.crypto.subtle.importKey('raw', raw, 'AES-GCM', false, ['encrypt', 'decrypt'])
}

async function encrypt(data) {
    /* c8 ignore next */ /* istanbul ignore next */ if (!encKey) return null
    const json = new globalThis.TextEncoder().encode(JSON.stringify(data))
    const iv = globalThis.crypto.getRandomValues(new Uint8Array(12))
    const encrypted = await globalThis.crypto.subtle.encrypt({ name: 'AES-GCM', iv, tagLength: 128 }, encKey, json)
    const buf = new Uint8Array(encrypted)
    const combined = new Uint8Array(12 + buf.length)
    combined.set(iv)
    combined.set(buf, 12)
    return globalThis.btoa(String.fromCodePoint(...combined))
}

async function decrypt(b64) {
    /* c8 ignore next */ /* istanbul ignore next */ if (!encKey) return null
    const raw = Uint8Array.from(globalThis.atob(b64), c => c.codePointAt(0))
    const iv = raw.slice(0, 12)
    const data = raw.slice(12)
    try {
        const decrypted = await globalThis.crypto.subtle.decrypt({ name: 'AES-GCM', iv, tagLength: 128 }, encKey, data)
        return JSON.parse(new globalThis.TextDecoder().decode(decrypted))
    } catch {
        return null
    }
}

function clearSession() {
    sessionStorage.removeItem(SK_UID)
    sessionStorage.removeItem(SK_HASH)
}

async function send(data, expectResponse = false) {
    const d = await encrypt(data)
    /* c8 ignore next */ /* istanbul ignore next */ if (!d) return null
    try {
        if (!expectResponse && navigator.sendBeacon) {
            navigator.sendBeacon(ENDPOINT, JSON.stringify({ d }))
            return null
        }
        const res = await fetch(ENDPOINT, {
            method: 'POST',
            headers: { 'Content-Type': 'application/json' },
            body: JSON.stringify({ d }),
            keepalive: true,
        })
        if (res.status === 403) {
            clearSession()
            return null
        }
        if (!res.ok || res.status === 204) return null
        const json = await res.json()
        return json.d ? await decrypt(json.d) : null
    } catch {
        return null
    }
}

async function getOrCreateVisitor() {
    const uid = sessionStorage.getItem(SK_UID)
    const hash = sessionStorage.getItem(SK_HASH)
    if (uid && hash) return { uid, hash }

    const resp = await send({
        sw: screen.width,
        sh: screen.height,
        l: navigator.language || null,
    }, true)

    if (!resp?.uid || !resp?.h) return null

    sessionStorage.setItem(SK_UID, resp.uid)
    sessionStorage.setItem(SK_HASH, resp.h)
    return { uid: resp.uid, hash: resp.h }
}

async function trackPageView(visitor) {
    await send({
        uid: visitor.uid,
        h: visitor.hash,
        u: location.pathname + location.search,
        t: document.title,
        r: document.referrer || null,
    })
}

export async function initAnalytics() {
    const keyB64 = document.body.dataset.k
    const ep = document.body.dataset.e
    if (!keyB64 || !ep) return
    ENDPOINT = ep

    try {
        encKey = await importKey(keyB64)
    } catch {
        return
    }

    let visitor = await getOrCreateVisitor()
    if (!visitor) return

    await trackPageView(visitor)

    // If trackPageView got 403 (stale session), retry with fresh visitor
    if (!sessionStorage.getItem(SK_UID)) {
        visitor = await getOrCreateVisitor()
        if (!visitor) return
        await trackPageView(visitor)
    }

    const authUserId = document.body.dataset.uid
    if (authUserId) {
        await setAuth(Number.parseInt(authUserId, 10))
    }
}

export async function setAuth(userId) {
    const uid = sessionStorage.getItem(SK_UID)
    const hash = sessionStorage.getItem(SK_HASH)
    if (!uid || !hash || !encKey) return

    await send({ uid, h: hash, setUser: userId })
}
Destructure browser globals from globalThis in analytics module Fixes linter warnings for sessionStorage, navigator, document, location, screen, fetch. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 21:11:15 +01:00			`const { sessionStorage, navigator, document, location, screen, fetch } = globalThis`

Make analytics endpoint dynamic: /t/{token} derived from APP_SECRET The endpoint path is now /t/<8-char hash of APP_SECRET> instead of static /t. Token is injected via data-e attribute on body, read by JS. Server validates token on every hit, returns 404 if invalid. Changes with each APP_SECRET = impossible to hardcode in a blocker. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 12:22:59 +01:00			`let ENDPOINT = '/t'`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`const SK_UID = '_u'`
			`const SK_HASH = '_h'`

			`let encKey = null`

			`async function importKey(b64) {`
Replace charCodeAt with codePointAt in analytics module Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 21:07:26 +01:00			`const raw = Uint8Array.from(globalThis.atob(b64), c => c.codePointAt(0))`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`return globalThis.crypto.subtle.importKey('raw', raw, 'AES-GCM', false, ['encrypt', 'decrypt'])`
			`}`

			`async function encrypt(data) {`
Add istanbul ignore comments alongside c8 for analytics.js coverage Ensures 100% coverage regardless of which provider (c8/istanbul/v8) is used by the CI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-02 13:13:26 +02:00			`/* c8 ignore next / / istanbul ignore next */ if (!encKey) return null`
Use globalThis for TextEncoder, TextDecoder, and atob browser globals Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 21:08:37 +01:00			`const json = new globalThis.TextEncoder().encode(JSON.stringify(data))`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`const iv = globalThis.crypto.getRandomValues(new Uint8Array(12))`
			`const encrypted = await globalThis.crypto.subtle.encrypt({ name: 'AES-GCM', iv, tagLength: 128 }, encKey, json)`
			`const buf = new Uint8Array(encrypted)`
			`const combined = new Uint8Array(12 + buf.length)`
			`combined.set(iv)`
			`combined.set(buf, 12)`
Fix linter warnings in analytics module: codePoint, const, optional chaining, Number.parseInt Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 21:34:22 +01:00			`return globalThis.btoa(String.fromCodePoint(...combined))`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`}`

			`async function decrypt(b64) {`
Add istanbul ignore comments alongside c8 for analytics.js coverage Ensures 100% coverage regardless of which provider (c8/istanbul/v8) is used by the CI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-02 13:13:26 +02:00			`/* c8 ignore next / / istanbul ignore next */ if (!encKey) return null`
Replace charCodeAt with codePointAt in analytics module Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 21:07:26 +01:00			`const raw = Uint8Array.from(globalThis.atob(b64), c => c.codePointAt(0))`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`const iv = raw.slice(0, 12)`
			`const data = raw.slice(12)`
			`try {`
			`const decrypted = await globalThis.crypto.subtle.decrypt({ name: 'AES-GCM', iv, tagLength: 128 }, encKey, data)`
Use globalThis for TextEncoder, TextDecoder, and atob browser globals Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 21:08:37 +01:00			`return JSON.parse(new globalThis.TextDecoder().decode(decrypted))`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`} catch {`
			`return null`
			`}`
			`}`

Clear sessionStorage on 403 and retry with fresh visitor When SECRET_ANALYTICS changes (deploy), old uid/hash become invalid. On 403, clear session and auto-retry with a new visitor creation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 13:41:34 +01:00			`function clearSession() {`
			`sessionStorage.removeItem(SK_UID)`
			`sessionStorage.removeItem(SK_HASH)`
			`}`

Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`async function send(data, expectResponse = false) {`
			`const d = await encrypt(data)`
Add istanbul ignore comments alongside c8 for analytics.js coverage Ensures 100% coverage regardless of which provider (c8/istanbul/v8) is used by the CI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-02 13:13:26 +02:00			`/* c8 ignore next / / istanbul ignore next */ if (!d) return null`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`try {`
			`if (!expectResponse && navigator.sendBeacon) {`
			`navigator.sendBeacon(ENDPOINT, JSON.stringify({ d }))`
			`return null`
			`}`
			`const res = await fetch(ENDPOINT, {`
			`method: 'POST',`
			`headers: { 'Content-Type': 'application/json' },`
			`body: JSON.stringify({ d }),`
			`keepalive: true,`
			`})`
Clear sessionStorage on 403 and retry with fresh visitor When SECRET_ANALYTICS changes (deploy), old uid/hash become invalid. On 403, clear session and auto-retry with a new visitor creation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 13:41:34 +01:00			`if (res.status === 403) {`
			`clearSession()`
			`return null`
			`}`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`if (!res.ok \|\| res.status === 204) return null`
			`const json = await res.json()`
			`return json.d ? await decrypt(json.d) : null`
			`} catch {`
			`return null`
			`}`
			`}`

			`async function getOrCreateVisitor() {`
Fix linter warnings in analytics module: codePoint, const, optional chaining, Number.parseInt Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 21:34:22 +01:00			`const uid = sessionStorage.getItem(SK_UID)`
			`const hash = sessionStorage.getItem(SK_HASH)`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`if (uid && hash) return { uid, hash }`

			`const resp = await send({`
			`sw: screen.width,`
			`sh: screen.height,`
			`l: navigator.language \|\| null,`
			`}, true)`

Fix linter warnings in analytics module: codePoint, const, optional chaining, Number.parseInt Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 21:34:22 +01:00			`if (!resp?.uid \|\| !resp?.h) return null`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00
			`sessionStorage.setItem(SK_UID, resp.uid)`
			`sessionStorage.setItem(SK_HASH, resp.h)`
			`return { uid: resp.uid, hash: resp.h }`
			`}`

			`async function trackPageView(visitor) {`
			`await send({`
			`uid: visitor.uid,`
			`h: visitor.hash,`
			`u: location.pathname + location.search,`
			`t: document.title,`
			`r: document.referrer \|\| null,`
			`})`
			`}`

			`export async function initAnalytics() {`
			`const keyB64 = document.body.dataset.k`
Make analytics endpoint dynamic: /t/{token} derived from APP_SECRET The endpoint path is now /t/<8-char hash of APP_SECRET> instead of static /t. Token is injected via data-e attribute on body, read by JS. Server validates token on every hit, returns 404 if invalid. Changes with each APP_SECRET = impossible to hardcode in a blocker. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 12:22:59 +01:00			`const ep = document.body.dataset.e`
			`if (!keyB64 \|\| !ep) return`
			`ENDPOINT = ep`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00
			`try {`
			`encKey = await importKey(keyB64)`
			`} catch {`
			`return`
			`}`

Clear sessionStorage on 403 and retry with fresh visitor When SECRET_ANALYTICS changes (deploy), old uid/hash become invalid. On 403, clear session and auto-retry with a new visitor creation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 13:41:34 +01:00			`let visitor = await getOrCreateVisitor()`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`if (!visitor) return`

			`await trackPageView(visitor)`

Clear sessionStorage on 403 and retry with fresh visitor When SECRET_ANALYTICS changes (deploy), old uid/hash become invalid. On 403, clear session and auto-retry with a new visitor creation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 13:41:34 +01:00			`// If trackPageView got 403 (stale session), retry with fresh visitor`
			`if (!sessionStorage.getItem(SK_UID)) {`
			`visitor = await getOrCreateVisitor()`
			`if (!visitor) return`
			`await trackPageView(visitor)`
			`}`

Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`const authUserId = document.body.dataset.uid`
			`if (authUserId) {`
Fix linter warnings in analytics module: codePoint, const, optional chaining, Number.parseInt Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 21:34:22 +01:00			`await setAuth(Number.parseInt(authUserId, 10))`
Add first-party analytics tracker with encrypted transmissions Core system: - AnalyticsUniqId entity (visitor identity with device/os/browser parsing) - AnalyticsEvent entity (page views linked to visitor) - POST /t endpoint with AES-256-GCM encrypted payloads - HMAC-SHA256 visitor hash for anti-tampering - Async processing via Messenger - JS module: auto page_view tracking, setAuth for logged users - Encryption key shared via data-k attribute on body - setAuth only triggers when cookie consent is accepted - Clean CSP: remove old tracker domains (Cloudflare, Umami) 100% first-party, no cookies, invisible to adblockers, RGPD-friendly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:07 +01:00			`}`
			`}`

			`export async function setAuth(userId) {`
			`const uid = sessionStorage.getItem(SK_UID)`
			`const hash = sessionStorage.getItem(SK_HASH)`
			`if (!uid \|\| !hash \|\| !encKey) return`

			`await send({ uid, h: hash, setUser: userId })`
			`}`