@buildersgarden/siwa 0.0.11 → 0.0.13

package/dist/siwa.js

@@ -7,7 +7,6 @@
  * Dependencies:
  *   npm install viem
  */
-import { verifyMessage, hashMessage, } from 'viem';
 import * as crypto from 'crypto';
 import { getAgent, getReputation } from './registry.js';
 // ─── Types ───────────────────────────────────────────────────────────
@@ -39,11 +38,12 @@ export function buildSIWAResponse(result) {
         agentRegistry: result.agentRegistry || undefined,
         chainId: result.chainId || undefined,
         verified: result.verified,
+        ...(result.signerType ? { signerType: result.signerType } : {}),
     };
     const skillRef = {
         name: '@buildersgarden/siwa',
         install: 'npm install @buildersgarden/siwa',
-        url: 'https://siwa.builders.garden/skill.md',
+        url: 'https://siwa.id/skill.md',
     };
     if (result.valid) {
         return { status: 'authenticated', ...base };
@@ -284,39 +284,55 @@ export async function createSIWANonce(params, client, options) {
     return result;
 }
 /**
- * Sign a SIWA message using the secure keystore.
+ * Sign a SIWA message using the provided signer.
  *
- * The private key is loaded from the keystore, used to sign, and discarded.
- * It is NEVER returned or exposed to the caller.
+ * The signer abstracts the wallet implementation, allowing you to use:
+ *   - createKeyringProxySigner(config)   — Keyring proxy server
+ *   - createLocalAccountSigner(account)  — viem LocalAccount (private key)
+ *   - createWalletClientSigner(client)   — viem WalletClient (Privy, MetaMask, etc.)
  *
- * The agent address is always resolved from the keystore — the single source
+ * The agent address is always resolved from the signer — the single source
  * of truth — so the caller doesn't need to supply (or risk hallucinating) it.
- * If `fields.address` is provided it must match the keystore address.
+ * If `fields.address` is provided it must match the signer's address.
  *
  * @param fields — SIWA message fields (domain, agentId, etc.). `address` is optional.
- * @param keystoreConfig — Optional keystore configuration override
+ * @param signer — A Signer implementation (see createKeyringProxySigner, createLocalAccountSigner, createWalletClientSigner)
  * @returns { message, signature, address } — the plaintext message, EIP-191 signature, and resolved address
+ *
+ * @example
+ * ```typescript
+ * import { signSIWAMessage, createLocalAccountSigner } from '@buildersgarden/siwa';
+ * import { privateKeyToAccount } from 'viem/accounts';
+ *
+ * const account = privateKeyToAccount('0x...');
+ * const signer = createLocalAccountSigner(account);
+ *
+ * const { message, signature, address } = await signSIWAMessage({
+ *   domain: 'example.com',
+ *   uri: 'https://example.com/login',
+ *   agentId: 123,
+ *   agentRegistry: 'eip155:84532:0x...',
+ *   chainId: 84532,
+ *   nonce: 'abc123',
+ *   issuedAt: new Date().toISOString(),
+ * }, signer);
+ * ```
  */
-export async function signSIWAMessage(fields, keystoreConfig) {
-    // Import keystore dynamically to avoid circular deps
-    const { signMessage, getAddress } = await import('./keystore');
-    // Resolve the address from the keystore — the trusted source of truth
-    const keystoreAddress = await getAddress(keystoreConfig);
-    if (!keystoreAddress) {
-        throw new Error('No wallet found in keystore. Run createWallet() first.');
-    }
+export async function signSIWAMessage(fields, signer) {
+    // Resolve the address from the signer — the trusted source of truth
+    const signerAddress = await signer.getAddress();
     // If the caller supplied an address, verify it matches (defensive check)
-    if (fields.address && keystoreAddress.toLowerCase() !== fields.address.toLowerCase()) {
-        throw new Error(`Address mismatch: keystore has ${keystoreAddress}, message claims ${fields.address}`);
+    if (fields.address && signerAddress.toLowerCase() !== fields.address.toLowerCase()) {
+        throw new Error(`Address mismatch: signer has ${signerAddress}, message claims ${fields.address}`);
     }
     const resolvedFields = {
         ...fields,
-        address: keystoreAddress,
+        address: signerAddress,
     };
     const message = buildSIWAMessage(resolvedFields);
-    // Sign via keystore — private key is loaded, used, and discarded internally
-    const result = await signMessage(message, keystoreConfig);
-    return { message, signature: result.signature, address: keystoreAddress };
+    // Sign via signer
+    const signature = await signer.signMessage(message);
+    return { message, signature, address: signerAddress };
 }
 /**
  * Verify a SIWA message + signature.
@@ -342,8 +358,12 @@ export async function verifySIWA(message, signature, expectedDomain, nonceValid,
     try {
         // 1. Parse
         const fields = parseSIWAMessage(message);
-        // 2. Recover signer
-        const isValid = await verifyMessage({
+        // 2. Verify signature (supports both EOA and ERC-1271 smart wallets)
+        // Using client.verifyMessage handles:
+        //   - EOA signatures (ECDSA recovery)
+        //   - ERC-1271 smart contract wallets (Safe, Argent, etc.)
+        //   - ERC-6492 pre-deployed smart wallets
+        const isValid = await client.verifyMessage({
             address: fields.address,
             message,
             signature: signature,
@@ -352,6 +372,9 @@ export async function verifySIWA(message, signature, expectedDomain, nonceValid,
             return fail(fields, SIWAErrorCode.INVALID_SIGNATURE, 'Invalid signature');
         }
         const recovered = fields.address;
+        // 2b. Detect signer type (EOA vs smart contract account)
+        const signerCode = await client.getCode({ address: fields.address });
+        const signerType = (signerCode && signerCode !== '0x') ? 'sca' : 'eoa';
         // 3. Address match is implicit in verifyMessage (it checks against the address)
         // 4. Domain binding
         if (fields.domain !== expectedDomain) {
@@ -404,22 +427,7 @@ export async function verifySIWA(message, signature, expectedDomain, nonceValid,
             return fail(fields, SIWAErrorCode.NOT_REGISTERED, 'Agent is not registered on the ERC-8004 Identity Registry');
         }
         if (owner.toLowerCase() !== recovered.toLowerCase()) {
-            // ERC-1271 fallback for smart contract wallets / EIP-7702 delegated accounts
-            const messageHash = hashMessage(message);
-            try {
-                const magicValue = await client.readContract({
-                    address: owner,
-                    abi: [{ name: 'isValidSignature', type: 'function', stateMutability: 'view', inputs: [{ name: 'hash', type: 'bytes32' }, { name: 'signature', type: 'bytes' }], outputs: [{ name: '', type: 'bytes4' }] }],
-                    functionName: 'isValidSignature',
-                    args: [messageHash, signature],
-                });
-                if (magicValue !== '0x1626ba7e') {
-                    return fail(fields, SIWAErrorCode.NOT_OWNER, 'Signer is not the owner of this agent NFT (ERC-1271 check also failed)');
-                }
-            }
-            catch {
-                return fail(fields, SIWAErrorCode.NOT_OWNER, 'Signer is not the owner of this agent NFT');
-            }
+            return fail(fields, SIWAErrorCode.NOT_OWNER, 'Signer is not the owner of this agent NFT');
         }
         // 8. Base result
         const baseResult = {
@@ -429,9 +437,14 @@ export async function verifySIWA(message, signature, expectedDomain, nonceValid,
             agentRegistry: fields.agentRegistry,
             chainId: fields.chainId,
             verified: 'onchain',
+            signerType,
         };
         if (!criteria)
             return baseResult;
+        // Signer type policy (checked before fetching metadata for early exit)
+        if (criteria.allowedSignerTypes?.length && !criteria.allowedSignerTypes.includes(signerType)) {
+            return { ...baseResult, valid: false, code: SIWAErrorCode.CUSTOM_CHECK_FAILED, error: `Signer type '${signerType}' is not in allowed types [${criteria.allowedSignerTypes.join(', ')}]` };
+        }
         const agent = await getAgent(fields.agentId, {
             registryAddress: registryAddress,
             client,

package/dist/tba.d.ts

@@ -0,0 +1,82 @@
+/**
+ * tba.ts
+ *
+ * ERC-6551 Token Bound Account address computation utilities.
+ *
+ * Pure math — no RPC calls. Useful for platforms that want to verify
+ * a signer is specifically a TBA derived from a given agent NFT.
+ *
+ * The ERC-6551 registry deploys a modified ERC-1167 minimal proxy with
+ * immutable data (salt, chainId, tokenContract, tokenId) appended.
+ * The CREATE2 address is deterministic from these inputs.
+ */
+import { type Address, type Hex } from 'viem';
+/** Canonical ERC-6551 registry address, deployed across all EVM chains. */
+export declare const ERC6551_REGISTRY: "0x000000006551c19487814612e58FE06813775758";
+/**
+ * Compute the deterministic ERC-6551 Token Bound Account address for an NFT.
+ *
+ * Pure math — no RPC call needed. Given the same inputs, the address is
+ * the same whether or not the account is deployed.
+ *
+ * Mirrors the on-chain `ERC6551Registry.account()` function exactly.
+ *
+ * @example
+ * ```typescript
+ * import { computeTbaAddress } from '@buildersgarden/siwa/tba';
+ *
+ * const tba = computeTbaAddress({
+ *   implementation: '0x...TBAImpl',
+ *   tokenContract: '0x...AgentRegistry',
+ *   tokenId: 42n,
+ *   chainId: 84532,
+ * });
+ * ```
+ */
+export declare function computeTbaAddress(params: {
+    /** TBA implementation contract address. */
+    implementation: Address;
+    /** NFT contract address. */
+    tokenContract: Address;
+    /** NFT token ID. */
+    tokenId: bigint;
+    /** Chain ID where the NFT lives. */
+    chainId: number;
+    /** Registry address (defaults to canonical ERC-6551 registry). */
+    registry?: Address;
+    /** CREATE2 salt (defaults to bytes32(0)). */
+    salt?: Hex;
+}): Address;
+/**
+ * Check if a signer address matches the expected TBA for an agent NFT.
+ *
+ * Useful for platforms that want to verify the signer is specifically
+ * a TBA derived from the agent's registry, not just any smart contract.
+ *
+ * @example
+ * ```typescript
+ * import { isTbaForAgent } from '@buildersgarden/siwa/tba';
+ *
+ * const isValid = isTbaForAgent({
+ *   signerAddress: agent.address as Address,
+ *   implementation: '0x...TBAImpl',
+ *   agentRegistry: '0x...AgentRegistry',
+ *   agentId: 42,
+ *   chainId: 84532,
+ * });
+ * ```
+ */
+export declare function isTbaForAgent(params: {
+    /** The signer address to check. */
+    signerAddress: Address;
+    /** TBA implementation contract address. */
+    implementation: Address;
+    /** ERC-8004 agent registry address. */
+    agentRegistry: Address;
+    /** Agent NFT token ID. */
+    agentId: number;
+    /** Chain ID. */
+    chainId: number;
+    /** CREATE2 salt (defaults to bytes32(0)). */
+    salt?: Hex;
+}): boolean;

package/dist/tba.js

@@ -0,0 +1,113 @@
+/**
+ * tba.ts
+ *
+ * ERC-6551 Token Bound Account address computation utilities.
+ *
+ * Pure math — no RPC calls. Useful for platforms that want to verify
+ * a signer is specifically a TBA derived from a given agent NFT.
+ *
+ * The ERC-6551 registry deploys a modified ERC-1167 minimal proxy with
+ * immutable data (salt, chainId, tokenContract, tokenId) appended.
+ * The CREATE2 address is deterministic from these inputs.
+ */
+import { encodePacked, getContractAddress, } from 'viem';
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+/** Canonical ERC-6551 registry address, deployed across all EVM chains. */
+export const ERC6551_REGISTRY = '0x000000006551c19487814612e58FE06813775758';
+/**
+ * ERC-1167 modified proxy init code prefix + proxy runtime header (20 bytes).
+ *
+ * Breakdown:
+ *   3d60ad80600a3d3981f3  — init code (10 bytes): deploys 0xad bytes of runtime
+ *   363d3d373d3d3d363d73  — proxy runtime header (10 bytes): delegatecall setup
+ */
+const ERC1167_HEADER = '0x3d60ad80600a3d3981f3363d3d373d3d3d363d73';
+/** ERC-1167 proxy runtime footer (15 bytes): delegatecall + return/revert. */
+const ERC1167_FOOTER = '0x5af43d82803e903d91602b57fd5bf3';
+/** Default salt (bytes32 zero). */
+const DEFAULT_SALT = '0x0000000000000000000000000000000000000000000000000000000000000000';
+// ---------------------------------------------------------------------------
+// Address computation
+// ---------------------------------------------------------------------------
+/**
+ * Compute the deterministic ERC-6551 Token Bound Account address for an NFT.
+ *
+ * Pure math — no RPC call needed. Given the same inputs, the address is
+ * the same whether or not the account is deployed.
+ *
+ * Mirrors the on-chain `ERC6551Registry.account()` function exactly.
+ *
+ * @example
+ * ```typescript
+ * import { computeTbaAddress } from '@buildersgarden/siwa/tba';
+ *
+ * const tba = computeTbaAddress({
+ *   implementation: '0x...TBAImpl',
+ *   tokenContract: '0x...AgentRegistry',
+ *   tokenId: 42n,
+ *   chainId: 84532,
+ * });
+ * ```
+ */
+export function computeTbaAddress(params) {
+    const { implementation, tokenContract, tokenId, chainId, registry = ERC6551_REGISTRY, salt = DEFAULT_SALT, } = params;
+    // Build the 183-byte creation code (init code) matching ERC6551Registry.sol
+    //
+    // Layout:
+    //   [20 bytes] ERC1167_HEADER (init prefix + proxy header)
+    //   [20 bytes] implementation address
+    //   [15 bytes] ERC1167_FOOTER (proxy footer)
+    //   [32 bytes] salt
+    //   [32 bytes] chainId
+    //   [32 bytes] tokenContract (address as uint256, left-padded)
+    //   [32 bytes] tokenId
+    const creationCode = encodePacked(['bytes', 'address', 'bytes', 'bytes32', 'uint256', 'uint256', 'uint256'], [
+        ERC1167_HEADER,
+        implementation,
+        ERC1167_FOOTER,
+        salt,
+        BigInt(chainId),
+        BigInt(tokenContract),
+        tokenId,
+    ]);
+    return getContractAddress({
+        bytecode: creationCode,
+        from: registry,
+        opcode: 'CREATE2',
+        salt,
+    });
+}
+// ---------------------------------------------------------------------------
+// Agent-specific helpers
+// ---------------------------------------------------------------------------
+/**
+ * Check if a signer address matches the expected TBA for an agent NFT.
+ *
+ * Useful for platforms that want to verify the signer is specifically
+ * a TBA derived from the agent's registry, not just any smart contract.
+ *
+ * @example
+ * ```typescript
+ * import { isTbaForAgent } from '@buildersgarden/siwa/tba';
+ *
+ * const isValid = isTbaForAgent({
+ *   signerAddress: agent.address as Address,
+ *   implementation: '0x...TBAImpl',
+ *   agentRegistry: '0x...AgentRegistry',
+ *   agentId: 42,
+ *   chainId: 84532,
+ * });
+ * ```
+ */
+export function isTbaForAgent(params) {
+    const expected = computeTbaAddress({
+        implementation: params.implementation,
+        tokenContract: params.agentRegistry,
+        tokenId: BigInt(params.agentId),
+        chainId: params.chainId,
+        salt: params.salt,
+    });
+    return expected.toLowerCase() === params.signerAddress.toLowerCase();
+}

package/package.json

@@ -1,12 +1,16 @@
 {
   "name": "@buildersgarden/siwa",
-  "version": "0.0.11",
+  "version": "0.0.13",
   "type": "module",
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
       "default": "./dist/index.js"
     },
+    "./signer": {
+      "types": "./dist/signer.d.ts",
+      "default": "./dist/signer.js"
+    },
     "./keystore": {
       "types": "./dist/keystore.d.ts",
       "default": "./dist/keystore.js"
@@ -46,6 +50,10 @@
     "./express": {
       "types": "./dist/express.d.ts",
       "default": "./dist/express.js"
+    },
+    "./tba": {
+      "types": "./dist/tba.d.ts",
+      "default": "./dist/tba.js"
     }
   },
   "main": "./dist/index.js",