@buildersgarden/siwa 0.0.10 → 0.0.12

package/README.md

@@ -13,7 +13,7 @@ A Claude Code skill for registering AI agents on the [ERC-8004 (Trustless Agents
 ```
 src/               Core SDK modules
   keystore.ts        Proxy-only keystore (signing delegated over HMAC-authenticated HTTP)
-  identity.ts        IDENTITY.md read/write helpers
+  identity.ts        SIWA_IDENTITY.md read/write helpers
   siwa.ts            SIWA message building, signing, verification
   proxy-auth.ts      HMAC-SHA256 authentication utilities
   registry.ts        Onchain agent profile & reputation lookups
@@ -26,7 +26,7 @@ references/        Protocol documentation
   security-model.md  Threat model and keystore architecture
 
 assets/            Templates
-  IDENTITY.template.md
+  SIWA_IDENTITY.template.md
 
 ```
 

package/dist/erc8128.d.ts

@@ -9,14 +9,16 @@
  *
  * These are the two main entry points. Everything else is internal.
  */
-import type { PublicClient } from 'viem';
-import { type EthHttpSigner } from '@slicekit/erc8128';
-import { type KeystoreConfig } from './keystore.js';
+import type { Address, PublicClient } from 'viem';
+import { type EthHttpSigner, type NonceStore } from '@slicekit/erc8128';
+import type { Signer, SignerType } from './signer.js';
 export interface VerifyOptions {
     receiptSecret: string;
     rpcUrl?: string;
     verifyOnchain?: boolean;
     publicClient?: PublicClient;
+    nonceStore?: NonceStore;
+    allowedSignerTypes?: SignerType[];
 }
 /** Verified agent identity returned from a successful auth check. */
 export interface SiwaAgent {
@@ -24,6 +26,7 @@ export interface SiwaAgent {
     agentId: number;
     agentRegistry: string;
     chainId: number;
+    signerType?: SignerType;
 }
 export type AuthResult = {
     valid: true;
@@ -41,13 +44,19 @@ export declare function resolveReceiptSecret(explicit?: string): string;
 /** Header name for the verification receipt */
 export declare const RECEIPT_HEADER = "X-SIWA-Receipt";
 /**
- * Create an ERC-8128 signer backed by the keyring proxy.
+ * Create an ERC-8128 HTTP signer from a SIWA Signer.
  *
  * The `signMessage` callback converts the RFC 9421 signature base
- * (Uint8Array) to a hex string and delegates to the proxy via
- * `signRawMessage`, which signs with `{ raw: true }`.
+ * (Uint8Array) to a hex string and delegates to the signer.
+ *
+ * @param signer - A SIWA Signer (createKeyringProxySigner, createLocalAccountSigner, etc.)
+ * @param chainId - Chain ID for the ERC-8128 keyid
+ * @param options - Optional overrides (e.g. signerAddress for TBA identity)
+ * @returns An EthHttpSigner for use with @slicekit/erc8128
  */
-export declare function createProxySigner(config: KeystoreConfig, chainId: number): Promise<EthHttpSigner>;
+export declare function createErc8128Signer(signer: Signer, chainId: number, options?: {
+    signerAddress?: Address;
+}): Promise<EthHttpSigner>;
 /**
  * Attach a verification receipt to a request.
  *
@@ -60,16 +69,35 @@ export declare function attachReceipt(request: Request, receipt: string): Reques
  * This is the main function platform developers use on the agent side.
  * One call does everything:
  *   1. Attaches the receipt header
- *   2. Creates a proxy-backed ERC-8128 signer
+ *   2. Creates an ERC-8128 signer from the SIWA signer
  *   3. Signs the request with HTTP Message Signatures (RFC 9421)
  *
  * @param request  The outgoing Request object
  * @param receipt  Verification receipt from SIWA sign-in
- * @param config   Keystore config (proxy URL + secret)
+ * @param signer   A SIWA Signer (createKeyringProxySigner, createLocalAccountSigner, etc.)
  * @param chainId  Chain ID for the ERC-8128 keyid
+ * @param options  Optional overrides (e.g. signerAddress for TBA identity)
  * @returns        A new Request with Signature, Signature-Input, Content-Digest, and X-SIWA-Receipt headers
+ *
+ * @example
+ * ```typescript
+ * import { signAuthenticatedRequest, createLocalAccountSigner } from '@buildersgarden/siwa';
+ * import { privateKeyToAccount } from 'viem/accounts';
+ *
+ * const account = privateKeyToAccount('0x...');
+ * const signer = createLocalAccountSigner(account);
+ *
+ * const signedRequest = await signAuthenticatedRequest(
+ *   new Request('https://api.example.com/data'),
+ *   receipt,
+ *   signer,
+ *   84532
+ * );
+ * ```
  */
-export declare function signAuthenticatedRequest(request: Request, receipt: string, config: KeystoreConfig, chainId: number): Promise<Request>;
+export declare function signAuthenticatedRequest(request: Request, receipt: string, signer: Signer, chainId: number, options?: {
+    signerAddress?: Address;
+}): Promise<Request>;
 /**
  * Verify an authenticated request: ERC-8128 signature + receipt + optional onchain check.
  *

package/dist/erc8128.js

@@ -10,7 +10,6 @@
  * These are the two main entry points. Everything else is internal.
  */
 import { signRequest, verifyRequest, } from '@slicekit/erc8128';
-import { signRawMessage, getAddress } from './keystore.js';
 import { verifyReceipt } from './receipt.js';
 /**
  * Resolve the receipt secret from an explicit value or environment variables.
@@ -30,23 +29,29 @@ export const RECEIPT_HEADER = 'X-SIWA-Receipt';
 // Agent-side: signer creation
 // ---------------------------------------------------------------------------
 /**
- * Create an ERC-8128 signer backed by the keyring proxy.
+ * Create an ERC-8128 HTTP signer from a SIWA Signer.
  *
  * The `signMessage` callback converts the RFC 9421 signature base
- * (Uint8Array) to a hex string and delegates to the proxy via
- * `signRawMessage`, which signs with `{ raw: true }`.
+ * (Uint8Array) to a hex string and delegates to the signer.
+ *
+ * @param signer - A SIWA Signer (createKeyringProxySigner, createLocalAccountSigner, etc.)
+ * @param chainId - Chain ID for the ERC-8128 keyid
+ * @param options - Optional overrides (e.g. signerAddress for TBA identity)
+ * @returns An EthHttpSigner for use with @slicekit/erc8128
  */
-export async function createProxySigner(config, chainId) {
-    const address = await getAddress(config);
-    if (!address)
-        throw new Error('No wallet found in keystore');
+export async function createErc8128Signer(signer, chainId, options) {
+    const address = options?.signerAddress ?? await signer.getAddress();
     return {
-        address: address,
+        address,
         chainId,
         signMessage: async (message) => {
             const hex = ('0x' + Array.from(message).map(b => b.toString(16).padStart(2, '0')).join(''));
-            const result = await signRawMessage(hex, config);
-            return result.signature;
+            // Use signRawMessage if available (preferred for raw bytes)
+            if (signer.signRawMessage) {
+                return signer.signRawMessage(hex);
+            }
+            // Fallback to signMessage for signers without signRawMessage
+            return signer.signMessage(hex);
         },
     };
 }
@@ -69,22 +74,41 @@ export function attachReceipt(request, receipt) {
  * This is the main function platform developers use on the agent side.
  * One call does everything:
  *   1. Attaches the receipt header
- *   2. Creates a proxy-backed ERC-8128 signer
+ *   2. Creates an ERC-8128 signer from the SIWA signer
  *   3. Signs the request with HTTP Message Signatures (RFC 9421)
  *
  * @param request  The outgoing Request object
  * @param receipt  Verification receipt from SIWA sign-in
- * @param config   Keystore config (proxy URL + secret)
+ * @param signer   A SIWA Signer (createKeyringProxySigner, createLocalAccountSigner, etc.)
  * @param chainId  Chain ID for the ERC-8128 keyid
+ * @param options  Optional overrides (e.g. signerAddress for TBA identity)
  * @returns        A new Request with Signature, Signature-Input, Content-Digest, and X-SIWA-Receipt headers
+ *
+ * @example
+ * ```typescript
+ * import { signAuthenticatedRequest, createLocalAccountSigner } from '@buildersgarden/siwa';
+ * import { privateKeyToAccount } from 'viem/accounts';
+ *
+ * const account = privateKeyToAccount('0x...');
+ * const signer = createLocalAccountSigner(account);
+ *
+ * const signedRequest = await signAuthenticatedRequest(
+ *   new Request('https://api.example.com/data'),
+ *   receipt,
+ *   signer,
+ *   84532
+ * );
+ * ```
  */
-export async function signAuthenticatedRequest(request, receipt, config, chainId) {
+export async function signAuthenticatedRequest(request, receipt, signer, chainId, options) {
     // 1. Attach receipt header
     const withReceipt = attachReceipt(request, receipt);
-    // 2. Create proxy-backed signer
-    const signer = await createProxySigner(config, chainId);
-    // 3. Sign with ERC-8128 (includes Content-Digest for bodies)
-    return signRequest(withReceipt, signer);
+    // 2. Create ERC-8128 signer from SIWA signer
+    const erc8128Signer = await createErc8128Signer(signer, chainId, options);
+    // 3. Sign with ERC-8128 (includes Content-Digest for bodies and receipt header)
+    return signRequest(withReceipt, erc8128Signer, {
+        components: [RECEIPT_HEADER],
+    });
 }
 // ---------------------------------------------------------------------------
 // Server-side: high-level request verification
@@ -138,6 +162,10 @@ export async function verifyAuthenticatedRequest(request, options) {
     if (!receipt) {
         return { valid: false, error: 'Invalid or expired receipt' };
     }
+    // 1b. Enforce signer type policy
+    if (options.allowedSignerTypes?.length && !options.allowedSignerTypes.includes(receipt.signerType)) {
+        return { valid: false, error: `Signer type '${receipt.signerType || 'unknown'}' is not in allowed types [${options.allowedSignerTypes.join(', ')}]` };
+    }
     // 2. Verify ERC-8128 signature
     const { verifyMessage } = await import('viem');
     const verifyResult = await verifyRequest(request, async (args) => {
@@ -155,7 +183,10 @@ export async function verifyAuthenticatedRequest(request, options) {
             message: args.message,
             signature: args.signature,
         });
-    }, nonceStore);
+    }, options.nonceStore ?? nonceStore, {
+        additionalRequestBoundComponents: [RECEIPT_HEADER],
+        classBoundPolicies: [RECEIPT_HEADER]
+    });
     if (!verifyResult.ok) {
         return { valid: false, error: `ERC-8128 verification failed: ${verifyResult.reason}${verifyResult.detail ? ` (${verifyResult.detail})` : ''}` };
     }
@@ -202,6 +233,7 @@ export async function verifyAuthenticatedRequest(request, options) {
             agentId: receipt.agentId,
             agentRegistry: receipt.agentRegistry,
             chainId: receipt.chainId,
+            ...(receipt.signerType ? { signerType: receipt.signerType } : {}),
         },
     };
 }

package/dist/express.d.ts

@@ -16,6 +16,7 @@
  */
 import type { RequestHandler } from 'express';
 import { type SiwaAgent, type VerifyOptions } from './erc8128.js';
+import type { SignerType } from './signer.js';
 export type { SiwaAgent };
 declare global {
     namespace Express {
@@ -34,6 +35,8 @@ export interface SiwaMiddlewareOptions {
     verifyOnchain?: boolean;
     /** Public client for ERC-1271 or onchain checks. */
     publicClient?: VerifyOptions['publicClient'];
+    /** Allowed signer types. Omit to accept all. */
+    allowedSignerTypes?: SignerType[];
 }
 export interface SiwaCorsOptions {
     /** Allowed origin(s). Defaults to "*". */

package/dist/express.js

@@ -78,6 +78,7 @@ export function siwaMiddleware(options) {
                 rpcUrl: options?.rpcUrl,
                 verifyOnchain: options?.verifyOnchain,
                 publicClient: options?.publicClient,
+                allowedSignerTypes: options?.allowedSignerTypes,
             });
             if (!result.valid) {
                 res.status(401).json({ error: result.error });

package/dist/identity.d.ts

@@ -1,10 +1,10 @@
 /**
  * identity.ts
  *
- * Read/write helpers for the agent's IDENTITY.md file.
+ * Read/write helpers for the agent's SIWA_IDENTITY.md file.
  * Minimal 4-field identity: Address, Agent ID, Agent Registry, Chain ID.
  *
- * IDENTITY.md uses the pattern: - **Key**: `value`
+ * SIWA_IDENTITY.md uses the pattern: - **Key**: `value`
  *
  * Registration checks are done onchain via ownerOf() when a PublicClient
  * is provided, otherwise the local file is used as a cache.
@@ -19,26 +19,26 @@ export interface AgentIdentity {
     chainId?: number;
 }
 /**
- * Ensure IDENTITY.md exists. If not, copy from template or create minimal.
+ * Ensure SIWA_IDENTITY.md exists. If not, copy from template or create minimal.
  */
 export declare function ensureIdentityExists(identityPath?: string, templatePath?: string): void;
 /**
- * Read the agent identity from IDENTITY.md.
+ * Read the agent identity from SIWA_IDENTITY.md.
  * Returns typed AgentIdentity with parsed values.
  */
 export declare function readIdentity(identityPath?: string): AgentIdentity;
 /**
- * Write a single field value in IDENTITY.md.
+ * Write a single field value in SIWA_IDENTITY.md.
  */
 export declare function writeIdentityField(key: string, value: string, identityPath?: string): void;
 /**
- * Check if the agent has a wallet address recorded in IDENTITY.md.
+ * Check if the agent has a wallet address recorded in SIWA_IDENTITY.md.
  */
 export declare function hasWalletRecord(identityPath?: string): boolean;
 /**
  * Check if the agent is registered.
  *
- * Without a client: returns true if IDENTITY.md has an Agent ID and Agent Registry (local cache).
+ * Without a client: returns true if SIWA_IDENTITY.md has an Agent ID and Agent Registry (local cache).
  * With a client: performs an onchain ownerOf(agentId) check on the registry contract.
  */
 export declare function isRegistered(options?: {

package/dist/identity.js

@@ -1,10 +1,10 @@
 /**
  * identity.ts
  *
- * Read/write helpers for the agent's IDENTITY.md file.
+ * Read/write helpers for the agent's SIWA_IDENTITY.md file.
  * Minimal 4-field identity: Address, Agent ID, Agent Registry, Chain ID.
  *
- * IDENTITY.md uses the pattern: - **Key**: `value`
+ * SIWA_IDENTITY.md uses the pattern: - **Key**: `value`
  *
  * Registration checks are done onchain via ownerOf() when a PublicClient
  * is provided, otherwise the local file is used as a cache.
@@ -12,12 +12,12 @@
  * Dependencies: fs (Node built-in), viem (optional for onchain checks)
  */
 import * as fs from 'fs';
-const DEFAULT_IDENTITY_PATH = './IDENTITY.md';
+const DEFAULT_IDENTITY_PATH = './SIWA_IDENTITY.md';
 // ---------------------------------------------------------------------------
 // File Operations
 // ---------------------------------------------------------------------------
 /**
- * Ensure IDENTITY.md exists. If not, copy from template or create minimal.
+ * Ensure SIWA_IDENTITY.md exists. If not, copy from template or create minimal.
  */
 export function ensureIdentityExists(identityPath = DEFAULT_IDENTITY_PATH, templatePath) {
     if (fs.existsSync(identityPath))
@@ -36,7 +36,7 @@ export function ensureIdentityExists(identityPath = DEFAULT_IDENTITY_PATH, templ
     }
 }
 /**
- * Read the agent identity from IDENTITY.md.
+ * Read the agent identity from SIWA_IDENTITY.md.
  * Returns typed AgentIdentity with parsed values.
  */
 export function readIdentity(identityPath = DEFAULT_IDENTITY_PATH) {
@@ -62,7 +62,7 @@ export function readIdentity(identityPath = DEFAULT_IDENTITY_PATH) {
     return identity;
 }
 /**
- * Write a single field value in IDENTITY.md.
+ * Write a single field value in SIWA_IDENTITY.md.
  */
 export function writeIdentityField(key, value, identityPath = DEFAULT_IDENTITY_PATH) {
     let content = fs.readFileSync(identityPath, 'utf-8');
@@ -77,7 +77,7 @@ export function writeIdentityField(key, value, identityPath = DEFAULT_IDENTITY_P
     fs.writeFileSync(identityPath, content);
 }
 /**
- * Check if the agent has a wallet address recorded in IDENTITY.md.
+ * Check if the agent has a wallet address recorded in SIWA_IDENTITY.md.
  */
 export function hasWalletRecord(identityPath = DEFAULT_IDENTITY_PATH) {
     const identity = readIdentity(identityPath);
@@ -86,7 +86,7 @@ export function hasWalletRecord(identityPath = DEFAULT_IDENTITY_PATH) {
 /**
  * Check if the agent is registered.
  *
- * Without a client: returns true if IDENTITY.md has an Agent ID and Agent Registry (local cache).
+ * Without a client: returns true if SIWA_IDENTITY.md has an Agent ID and Agent Registry (local cache).
  * With a client: performs an onchain ownerOf(agentId) check on the registry contract.
  */
 export async function isRegistered(options) {

package/dist/index.d.ts

@@ -1,3 +1,4 @@
+export * from './signer.js';
 export * from './keystore.js';
 export * from './siwa.js';
 export * from './identity.js';
@@ -6,3 +7,4 @@ export * from './registry.js';
 export * from './addresses.js';
 export * from './receipt.js';
 export * from './erc8128.js';
+export * from './tba.js';

package/dist/index.js

@@ -1,3 +1,4 @@
+export * from './signer.js';
 export * from './keystore.js';
 export * from './siwa.js';
 export * from './identity.js';
@@ -6,3 +7,4 @@ export * from './registry.js';
 export * from './addresses.js';
 export * from './receipt.js';
 export * from './erc8128.js';
+export * from './tba.js';

package/dist/keystore.d.ts

@@ -1,23 +1,23 @@
 /**
  * keystore.ts
  *
- * Secure signing abstraction for ERC-8004 agents.
+ * Keyring proxy administrative operations.
  *
- * All signing is delegated to a **keyring proxy server** — a separate process
- * that holds the encrypted private key and exposes only HMAC-authenticated
- * signing endpoints. The private key NEVER enters the agent process.
+ * This module provides admin functions for the keyring proxy server:
+ *   - createWallet() - Create a new wallet
+ *   - hasWallet() - Check if a wallet exists
+ *   - signAuthorization() - Sign EIP-7702 authorizations
  *
- * External code interacts only through:
- *   - createWallet()          → returns { address } (no private key)
- *   - signMessage(msg)        → returns { signature, address }
- *   - signTransaction(tx)     → returns { signedTx, address }
- *   - signAuthorization(auth) → returns signed EIP-7702 authorization
- *   - getAddress()            → returns the public address
- *   - hasWallet()             → returns boolean
+ * For signing operations, use the Signer API instead:
  *
- * Configuration (via env vars or passed options):
- *   KEYRING_PROXY_URL     — URL of the keyring proxy server
- *   KEYRING_PROXY_SECRET  — HMAC shared secret
+ * ```typescript
+ * import { createKeyringProxySigner } from '@buildersgarden/siwa/signer';
+ *
+ * const signer = createKeyringProxySigner({ proxyUrl, proxySecret });
+ * const address = await signer.getAddress();
+ * const signature = await signer.signMessage(message);
+ * const signedTx = await signer.signTransaction(tx);
+ * ```
  */
 export interface KeystoreConfig {
     proxyUrl?: string;
@@ -26,10 +26,6 @@ export interface KeystoreConfig {
 export interface WalletInfo {
     address: string;
 }
-export interface SignResult {
-    signature: string;
-    address: string;
-}
 export interface AuthorizationRequest {
     address: string;
     chainId?: number;
@@ -43,23 +39,9 @@ export interface SignedAuthorization {
     r: string;
     s: string;
 }
-export interface TransactionLike {
-    to?: string;
-    data?: string;
-    value?: bigint;
-    nonce?: number;
-    chainId?: number;
-    type?: number;
-    maxFeePerGas?: bigint | null;
-    maxPriorityFeePerGas?: bigint | null;
-    gasLimit?: bigint;
-    gas?: bigint;
-    gasPrice?: bigint | null;
-    accessList?: any[];
-}
 /**
  * Create a new random wallet via the keyring proxy.
- * Returns only the public address — NEVER the private key.
+ * Returns only the public address.
  */
 export declare function createWallet(config?: KeystoreConfig): Promise<WalletInfo>;
 /**
@@ -67,35 +49,13 @@ export declare function createWallet(config?: KeystoreConfig): Promise<WalletInf
  */
 export declare function hasWallet(config?: KeystoreConfig): Promise<boolean>;
 /**
- * Get the wallet's public address (no private key exposed).
+ * Get the wallet's public address from the keyring proxy.
  */
 export declare function getAddress(config?: KeystoreConfig): Promise<string | null>;
-/**
- * Sign a message (EIP-191 personal_sign) via the keyring proxy.
- * Only the signature is returned.
- */
-export declare function signMessage(message: string, config?: KeystoreConfig): Promise<SignResult>;
-/**
- * Sign a raw hex message via the keyring proxy.
- *
- * Used internally by the ERC-8128 signer — the signature base bytes are
- * passed as a hex string and signed with `{ raw: true }` so the proxy
- * interprets them as raw bytes (not UTF-8). Note: the proxy still applies
- * EIP-191 personal_sign wrapping (viem `signMessage({ message: { raw } })`).
- */
-export declare function signRawMessage(rawHex: string, config?: KeystoreConfig): Promise<SignResult>;
-/**
- * Sign a transaction via the keyring proxy.
- * Only the signed transaction is returned.
- */
-export declare function signTransaction(tx: TransactionLike, config?: KeystoreConfig): Promise<{
-    signedTx: string;
-    address: string;
-}>;
 /**
  * Sign an EIP-7702 authorization for delegating the EOA to a contract.
  *
  * This allows the agent's EOA to temporarily act as a smart contract
- * during a type 4 transaction. Only the signed authorization tuple is returned.
+ * during a type 4 transaction.
  */
 export declare function signAuthorization(auth: AuthorizationRequest, config?: KeystoreConfig): Promise<SignedAuthorization>;

package/dist/keystore.js

@@ -1,35 +1,35 @@
 /**
  * keystore.ts
  *
- * Secure signing abstraction for ERC-8004 agents.
+ * Keyring proxy administrative operations.
  *
- * All signing is delegated to a **keyring proxy server** — a separate process
- * that holds the encrypted private key and exposes only HMAC-authenticated
- * signing endpoints. The private key NEVER enters the agent process.
+ * This module provides admin functions for the keyring proxy server:
+ *   - createWallet() - Create a new wallet
+ *   - hasWallet() - Check if a wallet exists
+ *   - signAuthorization() - Sign EIP-7702 authorizations
  *
- * External code interacts only through:
- *   - createWallet()          → returns { address } (no private key)
- *   - signMessage(msg)        → returns { signature, address }
- *   - signTransaction(tx)     → returns { signedTx, address }
- *   - signAuthorization(auth) → returns signed EIP-7702 authorization
- *   - getAddress()            → returns the public address
- *   - hasWallet()             → returns boolean
+ * For signing operations, use the Signer API instead:
  *
- * Configuration (via env vars or passed options):
- *   KEYRING_PROXY_URL     — URL of the keyring proxy server
- *   KEYRING_PROXY_SECRET  — HMAC shared secret
+ * ```typescript
+ * import { createKeyringProxySigner } from '@buildersgarden/siwa/signer';
+ *
+ * const signer = createKeyringProxySigner({ proxyUrl, proxySecret });
+ * const address = await signer.getAddress();
+ * const signature = await signer.signMessage(message);
+ * const signedTx = await signer.signTransaction(tx);
+ * ```
  */
 import { computeHmac } from "./proxy-auth.js";
 // ---------------------------------------------------------------------------
-// Proxy backend — HMAC-authenticated HTTP to a keyring proxy server
+// Proxy backend
 // ---------------------------------------------------------------------------
 async function proxyRequest(config, endpoint, body = {}) {
     const url = config.proxyUrl || process.env.KEYRING_PROXY_URL;
     const secret = config.proxySecret || process.env.KEYRING_PROXY_SECRET;
     if (!url)
-        throw new Error("Keystore requires KEYRING_PROXY_URL or config.proxyUrl");
+        throw new Error("Keyring proxy requires KEYRING_PROXY_URL or config.proxyUrl");
     if (!secret)
-        throw new Error("Keystore requires KEYRING_PROXY_SECRET or config.proxySecret");
+        throw new Error("Keyring proxy requires KEYRING_PROXY_SECRET or config.proxySecret");
     const bodyStr = JSON.stringify(body, (_key, value) => typeof value === "bigint" ? "0x" + value.toString(16) : value);
     const hmacHeaders = computeHmac(secret, "POST", endpoint, bodyStr);
     const res = await fetch(`${url}${endpoint}`, {
@@ -51,7 +51,7 @@ async function proxyRequest(config, endpoint, body = {}) {
 // ---------------------------------------------------------------------------
 /**
  * Create a new random wallet via the keyring proxy.
- * Returns only the public address — NEVER the private key.
+ * Returns only the public address.
  */
 export async function createWallet(config = {}) {
     const data = await proxyRequest(config, "/create-wallet");
@@ -65,51 +65,17 @@ export async function hasWallet(config = {}) {
     return data.hasWallet;
 }
 /**
- * Get the wallet's public address (no private key exposed).
+ * Get the wallet's public address from the keyring proxy.
  */
 export async function getAddress(config = {}) {
     const data = await proxyRequest(config, "/get-address");
     return data.address;
 }
-/**
- * Sign a message (EIP-191 personal_sign) via the keyring proxy.
- * Only the signature is returned.
- */
-export async function signMessage(message, config = {}) {
-    const msg = typeof message === "string" ? message : String(message ?? "");
-    const data = await proxyRequest(config, "/sign-message", { message: msg });
-    return { signature: data.signature, address: data.address };
-}
-/**
- * Sign a raw hex message via the keyring proxy.
- *
- * Used internally by the ERC-8128 signer — the signature base bytes are
- * passed as a hex string and signed with `{ raw: true }` so the proxy
- * interprets them as raw bytes (not UTF-8). Note: the proxy still applies
- * EIP-191 personal_sign wrapping (viem `signMessage({ message: { raw } })`).
- */
-export async function signRawMessage(rawHex, config = {}) {
-    const data = await proxyRequest(config, "/sign-message", {
-        message: rawHex,
-        raw: true,
-    });
-    return { signature: data.signature, address: data.address };
-}
-/**
- * Sign a transaction via the keyring proxy.
- * Only the signed transaction is returned.
- */
-export async function signTransaction(tx, config = {}) {
-    const data = await proxyRequest(config, "/sign-transaction", {
-        tx: tx,
-    });
-    return { signedTx: data.signedTx, address: data.address };
-}
 /**
  * Sign an EIP-7702 authorization for delegating the EOA to a contract.
  *
  * This allows the agent's EOA to temporarily act as a smart contract
- * during a type 4 transaction. Only the signed authorization tuple is returned.
+ * during a type 4 transaction.
  */
 export async function signAuthorization(auth, config = {}) {
     const data = await proxyRequest(config, "/sign-authorization", { auth });

package/dist/next.d.ts

@@ -17,6 +17,7 @@
  * ```
  */
 import { type SiwaAgent } from './erc8128.js';
+import type { SignerType } from './signer.js';
 export type { SiwaAgent };
 export interface WithSiwaOptions {
     /** HMAC secret for receipt verification. Defaults to RECEIPT_SECRET or SIWA_SECRET env. */
@@ -25,6 +26,8 @@ export interface WithSiwaOptions {
     rpcUrl?: string;
     /** Enable onchain ownerOf check. */
     verifyOnchain?: boolean;
+    /** Allowed signer types. Omit to accept all. */
+    allowedSignerTypes?: SignerType[];
 }
 /** CORS headers required by SIWA-authenticated requests. */
 export declare function corsHeaders(): Record<string, string>;

package/dist/next.js

@@ -60,6 +60,7 @@ export function withSiwa(handler, options) {
             receiptSecret: secret,
             rpcUrl: options?.rpcUrl,
             verifyOnchain: options?.verifyOnchain,
+            allowedSignerTypes: options?.allowedSignerTypes,
         };
         const result = await verifyAuthenticatedRequest(nextjsToFetchRequest(verifyReq), verifyOptions);
         if (!result.valid) {

package/dist/receipt.d.ts

@@ -14,12 +14,14 @@
  * Format: base64url(json).base64url(hmac-sha256)
  * Same token format as nonce tokens in siwa.ts.
  */
+import type { SignerType } from './signer.js';
 export interface ReceiptPayload {
     address: string;
     agentId: number;
     agentRegistry: string;
     chainId: number;
     verified: 'offline' | 'onchain';
+    signerType?: SignerType;
     iat: number;
     exp: number;
 }