@buildersgarden/siwa 0.0.1 → 0.0.3

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Builders Garden SRL
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -64,7 +64,7 @@ See [`references/security-model.md`](references/security-model.md) for the full
 ## Tech Stack
 
 - **TypeScript** (ES modules, strict mode)
-- **ethers.js** v6 — wallet management and contract interaction
+- **viem** — wallet management and contract interaction
 - **pnpm** — package manager
 
 ## References

package/dist/addresses.d.ts

@@ -0,0 +1,20 @@
+/**
+ * addresses.ts
+ *
+ * Canonical ERC-8004 contract addresses, chain metadata, and helpers.
+ * Published as part of the SDK so consumers don't need to hard-code addresses.
+ */
+export declare const REGISTRY_ADDRESSES: Record<number, string>;
+export declare const REPUTATION_ADDRESSES: Record<number, string>;
+export declare const RPC_ENDPOINTS: Record<number, string>;
+export declare const CHAIN_NAMES: Record<number, string>;
+export declare const FAUCETS: Record<number, string>;
+export declare const BLOCK_EXPLORERS: Record<number, string>;
+/**
+ * Get the identity registry address for a chain, or throw if unsupported.
+ */
+export declare function getRegistryAddress(chainId: number): string;
+/**
+ * Get the agent registry string in `eip155:{chainId}:{address}` format.
+ */
+export declare function getAgentRegistryString(chainId: number): string;

package/dist/addresses.js

@@ -0,0 +1,82 @@
+/**
+ * addresses.ts
+ *
+ * Canonical ERC-8004 contract addresses, chain metadata, and helpers.
+ * Published as part of the SDK so consumers don't need to hard-code addresses.
+ */
+// ---------------------------------------------------------------------------
+// Identity Registries
+// ---------------------------------------------------------------------------
+export const REGISTRY_ADDRESSES = {
+    8453: '0x8004A169FB4a3325136EB29fA0ceB6D2e539a432', // Base
+    84532: '0x8004A818BFB912233c491871b3d84c89A494BD9e', // Base Sepolia
+    11155111: '0x8004a6090Cd10A7288092483047B097295Fb8847', // ETH Sepolia
+    59141: '0x8004aa7C931bCE1233973a0C6A667f73F66282e7', // Linea Sepolia
+    80002: '0x8004ad19E14B9e0654f73353e8a0B600D46C2898', // Polygon Amoy
+};
+// ---------------------------------------------------------------------------
+// Reputation Registries
+// ---------------------------------------------------------------------------
+export const REPUTATION_ADDRESSES = {
+    8453: '0x8004BAa17C55a88189AE136b182e5fdA19dE9b63', // Base
+    84532: '0x8004B663056A597Dffe9eCcC1965A193B7388713', // Base Sepolia
+};
+// ---------------------------------------------------------------------------
+// RPC Endpoints (public, rate-limited)
+// ---------------------------------------------------------------------------
+export const RPC_ENDPOINTS = {
+    8453: 'https://mainnet.base.org',
+    84532: 'https://sepolia.base.org',
+    11155111: 'https://rpc.sepolia.org',
+    59141: 'https://rpc.sepolia.linea.build',
+    80002: 'https://rpc-amoy.polygon.technology',
+};
+// ---------------------------------------------------------------------------
+// Chain Names
+// ---------------------------------------------------------------------------
+export const CHAIN_NAMES = {
+    8453: 'Base',
+    84532: 'Base Sepolia',
+    11155111: 'Ethereum Sepolia',
+    59141: 'Linea Sepolia',
+    80002: 'Polygon Amoy',
+};
+// ---------------------------------------------------------------------------
+// Faucets (testnets only)
+// ---------------------------------------------------------------------------
+export const FAUCETS = {
+    84532: 'https://www.alchemy.com/faucets/base-sepolia',
+    11155111: 'https://www.alchemy.com/faucets/ethereum-sepolia',
+    59141: 'https://faucets.chain.link/linea-sepolia',
+    80002: 'https://faucet.polygon.technology/',
+};
+// ---------------------------------------------------------------------------
+// Block Explorers
+// ---------------------------------------------------------------------------
+export const BLOCK_EXPLORERS = {
+    8453: 'https://basescan.org',
+    84532: 'https://sepolia.basescan.org',
+    11155111: 'https://sepolia.etherscan.io',
+    59141: 'https://sepolia.lineascan.build',
+    80002: 'https://amoy.polygonscan.com',
+};
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/**
+ * Get the identity registry address for a chain, or throw if unsupported.
+ */
+export function getRegistryAddress(chainId) {
+    const addr = REGISTRY_ADDRESSES[chainId];
+    if (!addr) {
+        const supported = Object.keys(REGISTRY_ADDRESSES).join(', ');
+        throw new Error(`No identity registry for chainId ${chainId}. Supported: ${supported}`);
+    }
+    return addr;
+}
+/**
+ * Get the agent registry string in `eip155:{chainId}:{address}` format.
+ */
+export function getAgentRegistryString(chainId) {
+    return `eip155:${chainId}:${getRegistryAddress(chainId)}`;
+}

package/dist/index.d.ts

@@ -3,3 +3,4 @@ export * from './siwa.js';
 export * from './memory.js';
 export * from './proxy-auth.js';
 export * from './registry.js';
+export * from './addresses.js';

package/dist/index.js

@@ -3,3 +3,4 @@ export * from './siwa.js';
 export * from './memory.js';
 export * from './proxy-auth.js';
 export * from './registry.js';
+export * from './addresses.js';

package/dist/keystore.d.ts

@@ -5,7 +5,7 @@
  *
  * Three backends, in order of preference:
  *   0. Keyring Proxy (via HMAC-authenticated HTTP) — key never enters agent process
- *   1. Ethereum V3 Encrypted JSON Keystore (via ethers.js) — password-encrypted file on disk
+ *   1. Ethereum V3 Encrypted JSON Keystore (via @noble/ciphers) — password-encrypted file on disk
  *   2. Environment variable fallback (AGENT_PRIVATE_KEY) — least secure, for CI/testing only
  *
  * The private key NEVER leaves this module as a return value.
@@ -18,15 +18,15 @@
  *   - getAddress()            → returns the public address
  *   - hasWallet()             → returns boolean
  *
- * EIP-7702 Support (requires ethers >= 6.14.3):
- *   Wallets are standard EOAs created via ethers.Wallet.createRandom().
+ * EIP-7702 Support:
+ *   Wallets are standard EOAs created via viem's generatePrivateKey().
  *   EIP-7702 allows these EOAs to temporarily delegate to smart contract
  *   implementations via authorization lists in type 4 transactions.
  *   Use signAuthorization() to sign delegation authorizations without
  *   exposing the private key.
  *
  * Dependencies:
- *   npm install ethers
+ *   npm install viem
  *
  * Configuration (via env vars or passed options):
  *   KEYSTORE_BACKEND      — "encrypted-file" | "env" | "proxy" (auto-detected if omitted)
@@ -34,7 +34,7 @@
  *   KEYSTORE_PATH         — Path to encrypted keystore file (default: ./agent-keystore.json)
  *   AGENT_PRIVATE_KEY     — Fallback for env backend only
  */
-import { ethers } from 'ethers';
+import { type WalletClient, type Account, type Chain, type Transport } from 'viem';
 export type KeystoreBackend = 'encrypted-file' | 'env' | 'proxy';
 export interface KeystoreConfig {
     backend?: KeystoreBackend;
@@ -65,6 +65,20 @@ export interface SignedAuthorization {
     r: string;
     s: string;
 }
+export interface TransactionLike {
+    to?: string;
+    data?: string;
+    value?: bigint;
+    nonce?: number;
+    chainId?: number;
+    type?: number;
+    maxFeePerGas?: bigint | null;
+    maxPriorityFeePerGas?: bigint | null;
+    gasLimit?: bigint;
+    gas?: bigint;
+    gasPrice?: bigint | null;
+    accessList?: any[];
+}
 export declare function detectBackend(): Promise<KeystoreBackend>;
 /**
  * Create a new random wallet and store it securely.
@@ -96,13 +110,12 @@ export declare function signMessage(message: string, config?: KeystoreConfig): P
  * The private key is loaded, used, and immediately discarded.
  * Only the signed transaction is returned.
  */
-export declare function signTransaction(tx: ethers.TransactionRequest, config?: KeystoreConfig): Promise<{
+export declare function signTransaction(tx: TransactionLike, config?: KeystoreConfig): Promise<{
     signedTx: string;
     address: string;
 }>;
 /**
  * Sign an EIP-7702 authorization for delegating the EOA to a contract.
- * Requires ethers >= 6.14.3.
  *
  * This allows the agent's EOA to temporarily act as a smart contract
  * during a type 4 transaction. The private key is loaded, used, and
@@ -113,12 +126,12 @@ export declare function signTransaction(tx: ethers.TransactionRequest, config?:
  */
 export declare function signAuthorization(auth: AuthorizationRequest, config?: KeystoreConfig): Promise<SignedAuthorization>;
 /**
- * Get a connected signer (for contract interactions).
- * NOTE: This returns a signer with the private key in memory.
+ * Get a wallet client for contract interactions.
+ * NOTE: This creates a client with the private key in memory.
  * Use only within a narrow scope and discard immediately.
  * Prefer signMessage() / signTransaction() when possible.
  */
-export declare function getSigner(provider: ethers.Provider, config?: KeystoreConfig): Promise<ethers.Wallet>;
+export declare function getWalletClient(rpcUrl: string, config?: KeystoreConfig): Promise<WalletClient<Transport, Chain | undefined, Account>>;
 /**
  * Delete the stored wallet from the active backend.
  * DESTRUCTIVE — the identity is lost if no backup exists.

package/dist/keystore.js

@@ -5,7 +5,7 @@
  *
  * Three backends, in order of preference:
  *   0. Keyring Proxy (via HMAC-authenticated HTTP) — key never enters agent process
- *   1. Ethereum V3 Encrypted JSON Keystore (via ethers.js) — password-encrypted file on disk
+ *   1. Ethereum V3 Encrypted JSON Keystore (via @noble/ciphers) — password-encrypted file on disk
  *   2. Environment variable fallback (AGENT_PRIVATE_KEY) — least secure, for CI/testing only
  *
  * The private key NEVER leaves this module as a return value.
@@ -18,15 +18,15 @@
  *   - getAddress()            → returns the public address
  *   - hasWallet()             → returns boolean
  *
- * EIP-7702 Support (requires ethers >= 6.14.3):
- *   Wallets are standard EOAs created via ethers.Wallet.createRandom().
+ * EIP-7702 Support:
+ *   Wallets are standard EOAs created via viem's generatePrivateKey().
  *   EIP-7702 allows these EOAs to temporarily delegate to smart contract
  *   implementations via authorization lists in type 4 transactions.
  *   Use signAuthorization() to sign delegation authorizations without
  *   exposing the private key.
  *
  * Dependencies:
- *   npm install ethers
+ *   npm install viem
  *
  * Configuration (via env vars or passed options):
  *   KEYSTORE_BACKEND      — "encrypted-file" | "env" | "proxy" (auto-detected if omitted)
@@ -34,14 +34,98 @@
  *   KEYSTORE_PATH         — Path to encrypted keystore file (default: ./agent-keystore.json)
  *   AGENT_PRIVATE_KEY     — Fallback for env backend only
  */
-import { ethers } from 'ethers';
+import { createWalletClient, http, keccak256, toBytes, toHex, concat, } from 'viem';
+import { privateKeyToAccount, generatePrivateKey } from 'viem/accounts';
+import { hashAuthorization } from 'viem/experimental';
+import { scrypt } from '@noble/hashes/scrypt';
+import { randomBytes } from '@noble/hashes/utils';
+import { ctr } from '@noble/ciphers/aes';
 import * as fs from 'fs';
 import * as crypto from 'crypto';
+import * as os from 'os';
 import { computeHmac } from './proxy-auth.js';
 // ---------------------------------------------------------------------------
 // Constants
 // ---------------------------------------------------------------------------
 const DEFAULT_KEYSTORE_PATH = './agent-keystore.json';
+function generateUUID() {
+    const bytes = randomBytes(16);
+    bytes[6] = (bytes[6] & 0x0f) | 0x40; // version 4
+    bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant
+    const hex = toHex(bytes).slice(2);
+    return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`;
+}
+async function encryptKeystore(privateKey, password) {
+    const privateKeyBytes = toBytes(privateKey);
+    const salt = randomBytes(32);
+    const iv = randomBytes(16);
+    // Scrypt parameters (standard for V3 keystores)
+    const n = 262144; // 2^18
+    const r = 8;
+    const p = 1;
+    const dklen = 32;
+    // Derive key using scrypt
+    const derivedKey = scrypt(new TextEncoder().encode(password), salt, { N: n, r, p, dkLen: dklen });
+    // Encrypt private key with AES-128-CTR
+    const encryptionKey = derivedKey.slice(0, 16);
+    const cipher = ctr(encryptionKey, iv);
+    const ciphertext = cipher.encrypt(privateKeyBytes);
+    // Calculate MAC: keccak256(derivedKey[16:32] + ciphertext)
+    const macData = concat([toHex(derivedKey.slice(16, 32)), toHex(ciphertext)]);
+    const mac = keccak256(macData);
+    // Get address from private key
+    const account = privateKeyToAccount(privateKey);
+    const keystore = {
+        version: 3,
+        id: generateUUID(),
+        address: account.address.toLowerCase().slice(2),
+        crypto: {
+            ciphertext: toHex(ciphertext).slice(2),
+            cipherparams: { iv: toHex(iv).slice(2) },
+            cipher: 'aes-128-ctr',
+            kdf: 'scrypt',
+            kdfparams: {
+                dklen,
+                salt: toHex(salt).slice(2),
+                n,
+                r,
+                p,
+            },
+            mac: mac.slice(2),
+        },
+    };
+    return JSON.stringify(keystore);
+}
+async function decryptKeystore(json, password) {
+    const keystore = JSON.parse(json);
+    if (keystore.version !== 3) {
+        throw new Error(`Unsupported keystore version: ${keystore.version}`);
+    }
+    const { crypto: cryptoData } = keystore;
+    if (cryptoData.kdf !== 'scrypt') {
+        throw new Error(`Unsupported KDF: ${cryptoData.kdf}`);
+    }
+    if (cryptoData.cipher !== 'aes-128-ctr') {
+        throw new Error(`Unsupported cipher: ${cryptoData.cipher}`);
+    }
+    const { kdfparams } = cryptoData;
+    const salt = toBytes(`0x${kdfparams.salt}`);
+    const iv = toBytes(`0x${cryptoData.cipherparams.iv}`);
+    const ciphertext = toBytes(`0x${cryptoData.ciphertext}`);
+    // Derive key using scrypt
+    const derivedKey = scrypt(new TextEncoder().encode(password), salt, { N: kdfparams.n, r: kdfparams.r, p: kdfparams.p, dkLen: kdfparams.dklen });
+    // Verify MAC
+    const macData = concat([toHex(derivedKey.slice(16, 32)), toHex(ciphertext)]);
+    const calculatedMac = keccak256(macData).slice(2);
+    if (calculatedMac.toLowerCase() !== cryptoData.mac.toLowerCase()) {
+        throw new Error('Invalid password or corrupted keystore');
+    }
+    // Decrypt private key with AES-128-CTR
+    const encryptionKey = derivedKey.slice(0, 16);
+    const cipher = ctr(encryptionKey, iv);
+    const privateKeyBytes = cipher.decrypt(ciphertext);
+    return toHex(privateKeyBytes);
+}
 // ---------------------------------------------------------------------------
 // Proxy backend — HMAC-authenticated HTTP to a keyring proxy server
 // ---------------------------------------------------------------------------
@@ -86,20 +170,17 @@ export async function detectBackend() {
     return 'encrypted-file';
 }
 // ---------------------------------------------------------------------------
-// Encrypted V3 JSON Keystore backend (ethers.js built-in)
+// Encrypted V3 JSON Keystore backend
 // ---------------------------------------------------------------------------
-async function encryptedFileStore(privateKey, address, password, filePath) {
-    const account = { address, privateKey };
-    // ethers v6: encryptKeystoreJsonSync or encryptKeystoreJson
-    const json = await ethers.encryptKeystoreJson(account, password);
+async function encryptedFileStore(privateKey, password, filePath) {
+    const json = await encryptKeystore(privateKey, password);
     fs.writeFileSync(filePath, json, { mode: 0o600 }); // Owner-only read/write
 }
 async function encryptedFileLoad(password, filePath) {
     if (!fs.existsSync(filePath))
         return null;
     const json = fs.readFileSync(filePath, 'utf-8');
-    const wallet = await ethers.Wallet.fromEncryptedJson(json, password);
-    return wallet.privateKey;
+    return decryptKeystore(json, password);
 }
 function encryptedFileExists(filePath) {
     return fs.existsSync(filePath);
@@ -116,8 +197,8 @@ function deriveMachinePassword() {
     const factors = [
         process.env.USER || process.env.USERNAME || 'agent',
         process.env.HOME || process.env.USERPROFILE || '/tmp',
-        require('os').hostname(),
-        require('os').platform(),
+        os.hostname(),
+        os.platform(),
     ];
     return crypto
         .createHash('sha256')
@@ -138,13 +219,13 @@ export async function createWallet(config = {}) {
         const data = await proxyRequest(config, '/create-wallet');
         return { address: data.address, backend, keystorePath: undefined };
     }
-    const wallet = ethers.Wallet.createRandom();
-    const privateKey = wallet.privateKey;
-    const address = wallet.address;
+    const privateKey = generatePrivateKey();
+    const account = privateKeyToAccount(privateKey);
+    const address = account.address;
     switch (backend) {
         case 'encrypted-file': {
             const password = config.password || process.env.KEYSTORE_PASSWORD || deriveMachinePassword();
-            await encryptedFileStore(privateKey, address, password, keystorePath);
+            await encryptedFileStore(privateKey, password, keystorePath);
             break;
         }
         case 'env':
@@ -173,12 +254,13 @@ export async function importWallet(privateKey, config = {}) {
         throw new Error('importWallet() is not supported via proxy. Import the wallet on the proxy server directly.');
     }
     const keystorePath = config.keystorePath || process.env.KEYSTORE_PATH || DEFAULT_KEYSTORE_PATH;
-    const wallet = new ethers.Wallet(privateKey);
-    const address = wallet.address;
+    const hexKey = (privateKey.startsWith('0x') ? privateKey : `0x${privateKey}`);
+    const account = privateKeyToAccount(hexKey);
+    const address = account.address;
     switch (backend) {
         case 'encrypted-file': {
             const password = config.password || process.env.KEYSTORE_PASSWORD || deriveMachinePassword();
-            await encryptedFileStore(privateKey, address, password, keystorePath);
+            await encryptedFileStore(hexKey, password, keystorePath);
             break;
         }
         case 'env':
@@ -217,12 +299,11 @@ export async function getAddress(config = {}) {
         const data = await proxyRequest(config, '/get-address');
         return data.address;
     }
-    const wallet = await _loadWalletInternal(config);
-    if (!wallet)
+    const privateKey = await _loadPrivateKeyInternal(config);
+    if (!privateKey)
         return null;
-    const address = wallet.address;
-    // wallet goes out of scope and is GC'd — private key not returned
-    return address;
+    const account = privateKeyToAccount(privateKey);
+    return account.address;
 }
 /**
  * Sign a message (EIP-191 personal_sign).
@@ -235,13 +316,12 @@ export async function signMessage(message, config = {}) {
         const data = await proxyRequest(config, '/sign-message', { message });
         return { signature: data.signature, address: data.address };
     }
-    const wallet = await _loadWalletInternal(config);
-    if (!wallet)
+    const privateKey = await _loadPrivateKeyInternal(config);
+    if (!privateKey)
         throw new Error('No wallet found. Run createWallet() first.');
-    const signature = await wallet.signMessage(message);
-    const address = wallet.address;
-    // wallet goes out of scope — private key discarded
-    return { signature, address };
+    const account = privateKeyToAccount(privateKey);
+    const signature = await account.signMessage({ message });
+    return { signature, address: account.address };
 }
 /**
  * Sign a transaction.
@@ -254,16 +334,37 @@ export async function signTransaction(tx, config = {}) {
         const data = await proxyRequest(config, '/sign-transaction', { tx: tx });
         return { signedTx: data.signedTx, address: data.address };
     }
-    const wallet = await _loadWalletInternal(config);
-    if (!wallet)
+    const privateKey = await _loadPrivateKeyInternal(config);
+    if (!privateKey)
         throw new Error('No wallet found. Run createWallet() first.');
-    const signedTx = await wallet.signTransaction(tx);
-    const address = wallet.address;
-    return { signedTx, address };
+    const account = privateKeyToAccount(privateKey);
+    // Build transaction request for viem
+    const viemTx = {
+        to: tx.to,
+        data: tx.data,
+        value: tx.value,
+        nonce: tx.nonce,
+        chainId: tx.chainId,
+        gas: tx.gasLimit ?? tx.gas,
+    };
+    // Handle EIP-1559 vs legacy transactions
+    if (tx.type === 2 || tx.maxFeePerGas !== undefined) {
+        viemTx.type = 'eip1559';
+        viemTx.maxFeePerGas = tx.maxFeePerGas;
+        viemTx.maxPriorityFeePerGas = tx.maxPriorityFeePerGas;
+    }
+    else if (tx.gasPrice !== undefined) {
+        viemTx.type = 'legacy';
+        viemTx.gasPrice = tx.gasPrice;
+    }
+    if (tx.accessList) {
+        viemTx.accessList = tx.accessList;
+    }
+    const signedTx = await account.signTransaction(viemTx);
+    return { signedTx, address: account.address };
 }
 /**
  * Sign an EIP-7702 authorization for delegating the EOA to a contract.
- * Requires ethers >= 6.14.3.
  *
  * This allows the agent's EOA to temporarily act as a smart contract
  * during a type 4 transaction. The private key is loaded, used, and
@@ -278,37 +379,54 @@ export async function signAuthorization(auth, config = {}) {
         const data = await proxyRequest(config, '/sign-authorization', { auth });
         return data;
     }
-    const wallet = await _loadWalletInternal(config);
-    if (!wallet)
+    const privateKey = await _loadPrivateKeyInternal(config);
+    if (!privateKey)
         throw new Error('No wallet found. Run createWallet() first.');
-    // ethers v6.14.3+ exposes wallet.authorize()
-    if (typeof wallet.authorize !== 'function') {
-        throw new Error('wallet.authorize() not available. EIP-7702 requires ethers >= 6.14.3. ' +
-            'Run: pnpm add ethers@latest');
-    }
-    const authorization = await wallet.authorize({
-        address: auth.address,
-        ...(auth.chainId !== undefined && { chainId: auth.chainId }),
-        ...(auth.nonce !== undefined && { nonce: auth.nonce }),
+    const account = privateKeyToAccount(privateKey);
+    // EIP-7702 authorization signing using viem experimental
+    const chainId = auth.chainId ?? 1;
+    const nonce = auth.nonce ?? 0;
+    // Hash the authorization struct according to EIP-7702
+    const authHash = hashAuthorization({
+        contractAddress: auth.address,
+        chainId,
+        nonce,
     });
-    // wallet goes out of scope — private key discarded
-    return authorization;
+    // Sign the authorization hash
+    const signature = await account.sign({ hash: authHash });
+    // Parse signature into r, s, yParity
+    const r = signature.slice(0, 66);
+    const s = `0x${signature.slice(66, 130)}`;
+    const v = parseInt(signature.slice(130, 132), 16);
+    const yParity = v - 27; // Convert v to yParity (0 or 1)
+    return {
+        address: auth.address,
+        nonce,
+        chainId,
+        yParity,
+        r,
+        s,
+    };
 }
 /**
- * Get a connected signer (for contract interactions).
- * NOTE: This returns a signer with the private key in memory.
+ * Get a wallet client for contract interactions.
+ * NOTE: This creates a client with the private key in memory.
  * Use only within a narrow scope and discard immediately.
  * Prefer signMessage() / signTransaction() when possible.
  */
-export async function getSigner(provider, config = {}) {
+export async function getWalletClient(rpcUrl, config = {}) {
     const backend = config.backend || await detectBackend();
     if (backend === 'proxy') {
-        throw new Error('getSigner() is not supported via proxy. The private key cannot be serialized over HTTP. Use signMessage() or signTransaction() instead.');
+        throw new Error('getWalletClient() is not supported via proxy. The private key cannot be serialized over HTTP. Use signMessage() or signTransaction() instead.');
     }
-    const wallet = await _loadWalletInternal(config);
-    if (!wallet)
+    const privateKey = await _loadPrivateKeyInternal(config);
+    if (!privateKey)
         throw new Error('No wallet found. Run createWallet() first.');
-    return wallet.connect(provider);
+    const account = privateKeyToAccount(privateKey);
+    return createWalletClient({
+        account,
+        transport: http(rpcUrl),
+    });
 }
 /**
  * Delete the stored wallet from the active backend.
@@ -333,9 +451,9 @@ export async function deleteWallet(config = {}) {
     }
 }
 // ---------------------------------------------------------------------------
-// Internal — loads the wallet. NEVER exposed publicly.
+// Internal — loads the private key. NEVER exposed publicly.
 // ---------------------------------------------------------------------------
-async function _loadWalletInternal(config = {}) {
+async function _loadPrivateKeyInternal(config = {}) {
     const backend = config.backend || await detectBackend();
     const keystorePath = config.keystorePath || process.env.KEYSTORE_PATH || DEFAULT_KEYSTORE_PATH;
     let privateKey = null;
@@ -345,11 +463,13 @@ async function _loadWalletInternal(config = {}) {
             privateKey = await encryptedFileLoad(password, keystorePath);
             break;
         }
-        case 'env':
-            privateKey = process.env.AGENT_PRIVATE_KEY || null;
+        case 'env': {
+            const envKey = process.env.AGENT_PRIVATE_KEY || null;
+            if (envKey) {
+                privateKey = (envKey.startsWith('0x') ? envKey : `0x${envKey}`);
+            }
             break;
+        }
     }
-    if (!privateKey)
-        return null;
-    return new ethers.Wallet(privateKey);
+    return privateKey;
 }

package/dist/proxy-auth.d.ts

@@ -10,8 +10,8 @@
  *   - Constant-time comparison via crypto.timingSafeEqual
  */
 export interface HmacHeaders {
-    'X-Proxy-Timestamp': string;
-    'X-Proxy-Signature': string;
+    'X-Keyring-Timestamp': string;
+    'X-Keyring-Signature': string;
 }
 /**
  * Compute HMAC-SHA256 headers for an outgoing request.

package/dist/proxy-auth.js

@@ -22,8 +22,8 @@ export function computeHmac(secret, method, path, body) {
         .update(payload)
         .digest('hex');
     return {
-        'X-Proxy-Timestamp': timestamp,
-        'X-Proxy-Signature': signature,
+        'X-Keyring-Timestamp': timestamp,
+        'X-Keyring-Signature': signature,
     };
 }
 /**
@@ -46,8 +46,8 @@ export function verifyHmac(secret, method, path, body, timestamp, signature) {
         .update(payload)
         .digest('hex');
     // Constant-time comparison
-    const sigBuf = Buffer.from(signature, 'utf-8');
-    const expBuf = Buffer.from(expected, 'utf-8');
+    const sigBuf = new Uint8Array(Buffer.from(signature, 'utf-8'));
+    const expBuf = new Uint8Array(Buffer.from(expected, 'utf-8'));
     if (sigBuf.length !== expBuf.length) {
         return { valid: false, error: 'Signature mismatch' };
     }

package/dist/registry.d.ts

@@ -5,9 +5,9 @@
  * Provides functions to read agent profiles and reputation from on-chain registries.
  *
  * Dependencies:
- *   npm install ethers
+ *   npm install viem
  */
-import { ethers } from 'ethers';
+import { type PublicClient } from 'viem';
 /** Service endpoint types defined in ERC-8004 */
 export type ServiceType = 'web' | 'A2A' | 'MCP' | 'OASF' | 'ENS' | 'DID' | 'email';
 /** Trust models defined in ERC-8004 */
@@ -42,7 +42,7 @@ export interface AgentProfile {
 }
 export interface GetAgentOptions {
     registryAddress: string;
-    provider: ethers.Provider;
+    client: PublicClient;
     fetchMetadata?: boolean;
 }
 export interface ReputationSummary {
@@ -53,7 +53,7 @@ export interface ReputationSummary {
 }
 export interface GetReputationOptions {
     reputationRegistryAddress: string;
-    provider: ethers.Provider;
+    client: PublicClient;
     clients?: string[];
     tag1?: ReputationTag | (string & {});
     tag2?: string;
@@ -62,13 +62,13 @@ export interface GetReputationOptions {
  * Read an agent from the Identity Registry and parse its profile.
  *
  * @param agentId  The on-chain agent token ID
- * @param options  Registry address, provider, and optional fetchMetadata flag
+ * @param options  Registry address, client, and optional fetchMetadata flag
  */
 export declare function getAgent(agentId: number, options: GetAgentOptions): Promise<AgentProfile>;
 /**
  * Read an agent's reputation summary from the Reputation Registry.
  *
  * @param agentId  The on-chain agent token ID
- * @param options  Reputation registry address, provider, and optional filters
+ * @param options  Reputation registry address, client, and optional filters
  */
 export declare function getReputation(agentId: number, options: GetReputationOptions): Promise<ReputationSummary>;

package/dist/registry.js

@@ -5,17 +5,50 @@
  * Provides functions to read agent profiles and reputation from on-chain registries.
  *
  * Dependencies:
- *   npm install ethers
+ *   npm install viem
  */
-import { ethers } from 'ethers';
+import { zeroAddress, } from 'viem';
 // ─── ABI Fragments ──────────────────────────────────────────────────
 const IDENTITY_REGISTRY_ABI = [
-    'function ownerOf(uint256 tokenId) view returns (address)',
-    'function tokenURI(uint256 tokenId) view returns (string)',
-    'function getAgentWallet(uint256 agentId) view returns (address)',
+    {
+        name: 'ownerOf',
+        type: 'function',
+        stateMutability: 'view',
+        inputs: [{ name: 'tokenId', type: 'uint256' }],
+        outputs: [{ name: '', type: 'address' }],
+    },
+    {
+        name: 'tokenURI',
+        type: 'function',
+        stateMutability: 'view',
+        inputs: [{ name: 'tokenId', type: 'uint256' }],
+        outputs: [{ name: '', type: 'string' }],
+    },
+    {
+        name: 'getAgentWallet',
+        type: 'function',
+        stateMutability: 'view',
+        inputs: [{ name: 'agentId', type: 'uint256' }],
+        outputs: [{ name: '', type: 'address' }],
+    },
 ];
 const REPUTATION_REGISTRY_ABI = [
-    'function getSummary(uint256 agentId, address[] clients, string tag1, string tag2) view returns (uint64 count, int128 summaryValue, uint8 valueDecimals)',
+    {
+        name: 'getSummary',
+        type: 'function',
+        stateMutability: 'view',
+        inputs: [
+            { name: 'agentId', type: 'uint256' },
+            { name: 'clients', type: 'address[]' },
+            { name: 'tag1', type: 'string' },
+            { name: 'tag2', type: 'string' },
+        ],
+        outputs: [
+            { name: 'count', type: 'uint64' },
+            { name: 'summaryValue', type: 'int128' },
+            { name: 'valueDecimals', type: 'uint8' },
+        ],
+    },
 ];
 // ─── Internal Helpers ───────────────────────────────────────────────
 const IPFS_GATEWAY = 'https://gateway.pinata.cloud/ipfs/';
@@ -49,17 +82,31 @@ async function resolveURI(uri) {
  * Read an agent from the Identity Registry and parse its profile.
  *
  * @param agentId  The on-chain agent token ID
- * @param options  Registry address, provider, and optional fetchMetadata flag
+ * @param options  Registry address, client, and optional fetchMetadata flag
  */
 export async function getAgent(agentId, options) {
-    const { registryAddress, provider, fetchMetadata = true } = options;
-    const registry = new ethers.Contract(registryAddress, IDENTITY_REGISTRY_ABI, provider);
+    const { registryAddress, client, fetchMetadata = true } = options;
     const [owner, uri, walletAddr] = await Promise.all([
-        registry.ownerOf(agentId),
-        registry.tokenURI(agentId),
-        registry.getAgentWallet(agentId),
+        client.readContract({
+            address: registryAddress,
+            abi: IDENTITY_REGISTRY_ABI,
+            functionName: 'ownerOf',
+            args: [BigInt(agentId)],
+        }),
+        client.readContract({
+            address: registryAddress,
+            abi: IDENTITY_REGISTRY_ABI,
+            functionName: 'tokenURI',
+            args: [BigInt(agentId)],
+        }),
+        client.readContract({
+            address: registryAddress,
+            abi: IDENTITY_REGISTRY_ABI,
+            functionName: 'getAgentWallet',
+            args: [BigInt(agentId)],
+        }),
     ]);
-    const agentWallet = walletAddr === ethers.ZeroAddress ? null : walletAddr;
+    const agentWallet = walletAddr === zeroAddress ? null : walletAddr;
     let metadata = null;
     if (fetchMetadata) {
         try {
@@ -76,12 +123,17 @@ export async function getAgent(agentId, options) {
  * Read an agent's reputation summary from the Reputation Registry.
  *
  * @param agentId  The on-chain agent token ID
- * @param options  Reputation registry address, provider, and optional filters
+ * @param options  Reputation registry address, client, and optional filters
  */
 export async function getReputation(agentId, options) {
-    const { reputationRegistryAddress, provider, clients = [], tag1 = '', tag2 = '', } = options;
-    const reputation = new ethers.Contract(reputationRegistryAddress, REPUTATION_REGISTRY_ABI, provider);
-    const [count, summaryValue, valueDecimals] = await reputation.getSummary(agentId, clients, tag1, tag2);
+    const { reputationRegistryAddress, client, clients = [], tag1 = '', tag2 = '', } = options;
+    const result = await client.readContract({
+        address: reputationRegistryAddress,
+        abi: REPUTATION_REGISTRY_ABI,
+        functionName: 'getSummary',
+        args: [BigInt(agentId), clients, tag1, tag2],
+    });
+    const [count, summaryValue, valueDecimals] = result;
     const decimals = Number(valueDecimals);
     const rawValue = BigInt(summaryValue);
     const score = Number(rawValue) / 10 ** decimals;

package/dist/siwa.d.ts

@@ -5,9 +5,9 @@
  * Provides message building, signing (agent-side), and verification (server-side).
  *
  * Dependencies:
- *   npm install ethers
+ *   npm install viem
  */
-import { ethers } from 'ethers';
+import { type PublicClient } from 'viem';
 import { AgentProfile, ServiceType, TrustModel } from './registry.js';
 export interface SIWAMessageFields {
     domain: string;
@@ -93,7 +93,7 @@ export declare function signSIWAMessageUnsafe(privateKey: string, fields: SIWAMe
  * @param signature  EIP-191 signature hex string
  * @param expectedDomain  The server's domain (for domain binding)
  * @param nonceValid  Callback that returns true if the nonce is valid and unconsumed
- * @param provider   ethers Provider for onchain verification
+ * @param client   viem PublicClient for onchain verification
  * @param criteria   Optional criteria to validate agent profile/reputation after ownership check
  */
-export declare function verifySIWA(message: string, signature: string, expectedDomain: string, nonceValid: (nonce: string) => boolean | Promise<boolean>, provider: ethers.Provider, criteria?: SIWAVerifyCriteria): Promise<SIWAVerificationResult>;
+export declare function verifySIWA(message: string, signature: string, expectedDomain: string, nonceValid: (nonce: string) => boolean | Promise<boolean>, client: PublicClient, criteria?: SIWAVerifyCriteria): Promise<SIWAVerificationResult>;

package/dist/siwa.js

@@ -5,9 +5,10 @@
  * Provides message building, signing (agent-side), and verification (server-side).
  *
  * Dependencies:
- *   npm install ethers
+ *   npm install viem
  */
-import { ethers } from 'ethers';
+import { verifyMessage, hashMessage, } from 'viem';
+import { privateKeyToAccount } from 'viem/accounts';
 import * as crypto from 'crypto';
 import { getAgent, getReputation } from './registry.js';
 // ─── Message Construction ────────────────────────────────────────────
@@ -136,12 +137,13 @@ export async function signSIWAMessage(fields, keystoreConfig) {
  * Kept only for server-side testing or environments without keystore.
  */
 export async function signSIWAMessageUnsafe(privateKey, fields) {
-    const wallet = new ethers.Wallet(privateKey);
-    if (wallet.address.toLowerCase() !== fields.address.toLowerCase()) {
-        throw new Error(`Address mismatch: wallet is ${wallet.address}, message says ${fields.address}`);
+    const hexKey = (privateKey.startsWith('0x') ? privateKey : `0x${privateKey}`);
+    const account = privateKeyToAccount(hexKey);
+    if (account.address.toLowerCase() !== fields.address.toLowerCase()) {
+        throw new Error(`Address mismatch: wallet is ${account.address}, message says ${fields.address}`);
     }
     const message = buildSIWAMessage(fields);
-    const signature = await wallet.signMessage(message);
+    const signature = await account.signMessage({ message });
     return { message, signature };
 }
 // ─── Server-Side Verification ────────────────────────────────────────
@@ -161,19 +163,24 @@ export async function signSIWAMessageUnsafe(privateKey, fields) {
  * @param signature  EIP-191 signature hex string
  * @param expectedDomain  The server's domain (for domain binding)
  * @param nonceValid  Callback that returns true if the nonce is valid and unconsumed
- * @param provider   ethers Provider for onchain verification
+ * @param client   viem PublicClient for onchain verification
  * @param criteria   Optional criteria to validate agent profile/reputation after ownership check
  */
-export async function verifySIWA(message, signature, expectedDomain, nonceValid, provider, criteria) {
+export async function verifySIWA(message, signature, expectedDomain, nonceValid, client, criteria) {
     try {
         // 1. Parse
         const fields = parseSIWAMessage(message);
         // 2. Recover signer
-        const recovered = ethers.verifyMessage(message, signature);
-        // 3. Address match
-        if (recovered.toLowerCase() !== fields.address.toLowerCase()) {
-            return { valid: false, address: recovered, agentId: fields.agentId, agentRegistry: fields.agentRegistry, chainId: fields.chainId, error: 'Recovered address does not match message address' };
+        const isValid = await verifyMessage({
+            address: fields.address,
+            message,
+            signature: signature,
+        });
+        if (!isValid) {
+            return { valid: false, address: fields.address, agentId: fields.agentId, agentRegistry: fields.agentRegistry, chainId: fields.chainId, error: 'Invalid signature' };
         }
+        const recovered = fields.address;
+        // 3. Address match is implicit in verifyMessage (it checks against the address)
         // 4. Domain binding
         if (fields.domain !== expectedDomain) {
             return { valid: false, address: recovered, agentId: fields.agentId, agentRegistry: fields.agentRegistry, chainId: fields.chainId, error: `Domain mismatch: expected ${expectedDomain}, got ${fields.domain}` };
@@ -197,16 +204,24 @@ export async function verifySIWA(message, signature, expectedDomain, nonceValid,
             return { valid: false, address: recovered, agentId: fields.agentId, agentRegistry: fields.agentRegistry, chainId: fields.chainId, error: 'Invalid agentRegistry format' };
         }
         const registryAddress = registryParts[2];
-        const registry = new ethers.Contract(registryAddress, ['function ownerOf(uint256) view returns (address)'], provider);
-        const owner = await registry.ownerOf(fields.agentId);
+        const owner = await client.readContract({
+            address: registryAddress,
+            abi: [{ name: 'ownerOf', type: 'function', stateMutability: 'view', inputs: [{ name: 'tokenId', type: 'uint256' }], outputs: [{ name: '', type: 'address' }] }],
+            functionName: 'ownerOf',
+            args: [BigInt(fields.agentId)],
+        });
         if (owner.toLowerCase() !== recovered.toLowerCase()) {
             // 7b. ERC-1271 fallback for smart contract wallets / EIP-7702 delegated accounts.
             // If ecrecover doesn't match the NFT owner, the owner may be a contract
             // that validates signatures via isValidSignature (ERC-1271).
-            const messageHash = ethers.hashMessage(message);
+            const messageHash = hashMessage(message);
             try {
-                const ownerContract = new ethers.Contract(owner, ['function isValidSignature(bytes32, bytes) view returns (bytes4)'], provider);
-                const magicValue = await ownerContract.isValidSignature(messageHash, signature);
+                const magicValue = await client.readContract({
+                    address: owner,
+                    abi: [{ name: 'isValidSignature', type: 'function', stateMutability: 'view', inputs: [{ name: 'hash', type: 'bytes32' }, { name: 'signature', type: 'bytes' }], outputs: [{ name: '', type: 'bytes4' }] }],
+                    functionName: 'isValidSignature',
+                    args: [messageHash, signature],
+                });
                 // ERC-1271 magic value: 0x1626ba7e
                 if (magicValue !== '0x1626ba7e') {
                     return { valid: false, address: recovered, agentId: fields.agentId, agentRegistry: fields.agentRegistry, chainId: fields.chainId, error: 'Signer is not the owner of this agent NFT (ERC-1271 check also failed)' };
@@ -230,7 +245,7 @@ export async function verifySIWA(message, signature, expectedDomain, nonceValid,
             return baseResult;
         const agent = await getAgent(fields.agentId, {
             registryAddress: registryAddress,
-            provider,
+            client,
             fetchMetadata: true,
         });
         baseResult.agent = agent;
@@ -261,7 +276,7 @@ export async function verifySIWA(message, signature, expectedDomain, nonceValid,
             }
             const rep = await getReputation(fields.agentId, {
                 reputationRegistryAddress: criteria.reputationRegistryAddress,
-                provider,
+                client,
             });
             if (criteria.minFeedbackCount !== undefined && rep.count < criteria.minFeedbackCount) {
                 return { ...baseResult, valid: false, error: `Agent feedback count ${rep.count} below minimum ${criteria.minFeedbackCount}` };

package/package.json

@@ -1,27 +1,56 @@
 {
   "name": "@buildersgarden/siwa",
-  "version": "0.0.1",
+  "version": "0.0.3",
   "type": "module",
   "exports": {
-    ".": { "types": "./dist/index.d.ts", "default": "./dist/index.js" },
-    "./keystore": { "types": "./dist/keystore.d.ts", "default": "./dist/keystore.js" },
-    "./siwa": { "types": "./dist/siwa.d.ts", "default": "./dist/siwa.js" },
-    "./memory": { "types": "./dist/memory.d.ts", "default": "./dist/memory.js" },
-    "./proxy-auth": { "types": "./dist/proxy-auth.d.ts", "default": "./dist/proxy-auth.js" },
-    "./registry": { "types": "./dist/registry.d.ts", "default": "./dist/registry.js" }
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./keystore": {
+      "types": "./dist/keystore.d.ts",
+      "default": "./dist/keystore.js"
+    },
+    "./siwa": {
+      "types": "./dist/siwa.d.ts",
+      "default": "./dist/siwa.js"
+    },
+    "./memory": {
+      "types": "./dist/memory.d.ts",
+      "default": "./dist/memory.js"
+    },
+    "./proxy-auth": {
+      "types": "./dist/proxy-auth.d.ts",
+      "default": "./dist/proxy-auth.js"
+    },
+    "./registry": {
+      "types": "./dist/registry.d.ts",
+      "default": "./dist/registry.js"
+    },
+    "./addresses": {
+      "types": "./dist/addresses.d.ts",
+      "default": "./dist/addresses.js"
+    }
   },
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
-  "files": ["dist"],
-  "publishConfig": { "access": "public" },
-  "scripts": {
-    "build": "tsc",
-    "clean": "rm -rf dist"
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
   },
   "dependencies": {
-    "ethers": "^6.14.3"
+    "@noble/ciphers": "^0.5.0",
+    "@noble/hashes": "^1.4.0",
+    "viem": "^2.21.0"
   },
   "devDependencies": {
+    "@types/node": "^25.2.1",
     "typescript": "^5.5.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist"
   }
-}
+}