@buildersgarden/siwa 0.0.13 → 0.0.15

package/dist/signer/wallet-client.js

@@ -0,0 +1,57 @@
+/**
+ * wallet-client.ts
+ *
+ * WalletClient signer implementation for browser wallets and embedded wallets.
+ */
+/**
+ * Create a signer from a viem WalletClient.
+ *
+ * Use this for browser wallets (MetaMask, etc.), embedded wallets (Privy),
+ * WalletConnect, or any wallet that provides an EIP-1193 provider.
+ *
+ * @param client - A viem WalletClient
+ * @param account - Optional specific account address to use
+ * @returns A Signer that delegates to the WalletClient
+ *
+ * @example
+ * ```typescript
+ * // With Privy embedded wallet
+ * const provider = await privyWallet.getEthereumProvider();
+ * const walletClient = createWalletClient({
+ *   chain: baseSepolia,
+ *   transport: custom(provider),
+ * });
+ * const signer = createWalletClientSigner(walletClient);
+ *
+ * // With browser wallet (MetaMask)
+ * const walletClient = createWalletClient({
+ *   chain: mainnet,
+ *   transport: custom(window.ethereum),
+ * });
+ * const signer = createWalletClientSigner(walletClient);
+ * ```
+ */
+export function createWalletClientSigner(client, account) {
+    const resolveAccount = async () => {
+        if (account)
+            return account;
+        const addresses = await client.getAddresses();
+        if (!addresses || addresses.length === 0) {
+            throw new Error('No address found in wallet');
+        }
+        return addresses[0];
+    };
+    return {
+        async getAddress() {
+            return resolveAccount();
+        },
+        async signMessage(message) {
+            const addr = await resolveAccount();
+            return client.signMessage({ account: addr, message });
+        },
+        async signRawMessage(rawHex) {
+            const addr = await resolveAccount();
+            return client.signMessage({ account: addr, message: { raw: rawHex } });
+        },
+    };
+}

package/dist/siwa.d.ts

@@ -9,7 +9,8 @@
  */
 import { type PublicClient } from 'viem';
 import { AgentProfile, ServiceType, TrustModel } from './registry.js';
-import type { Signer, SignerType } from './signer.js';
+import type { Signer, SignerType } from './signer/index.js';
+import type { SIWANonceStore } from './nonce-store.js';
 export declare enum SIWAErrorCode {
     INVALID_SIGNATURE = "INVALID_SIGNATURE",
     DOMAIN_MISMATCH = "DOMAIN_MISMATCH",
@@ -117,6 +118,7 @@ export interface SIWANonceParams {
 export interface SIWANonceOptions {
     expirationTTL?: number;
     secret?: string;
+    nonceStore?: SIWANonceStore;
 }
 export type SIWANonceResult = {
     status: 'nonce_issued';
@@ -203,6 +205,8 @@ export declare function signSIWAMessage(fields: SIWASignFields, signer: Signer):
 export type NonceValidator = ((nonce: string) => boolean | Promise<boolean>) | {
     nonceToken: string;
     secret: string;
+} | {
+    nonceStore: SIWANonceStore;
 };
 /**
  * Verify a SIWA message + signature.

package/dist/siwa.js

@@ -272,6 +272,10 @@ export async function createSIWANonce(params, client, options) {
     const now = new Date();
     const expiresAt = new Date(now.getTime() + ttl);
     const nonce = generateNonce();
+    // Track nonce in the store (for replay protection)
+    if (options?.nonceStore) {
+        await options.nonceStore.issue(nonce, ttl);
+    }
     const result = {
         status: 'nonce_issued',
         nonce,
@@ -385,6 +389,10 @@ export async function verifySIWA(message, signature, expectedDomain, nonceValid,
         if (typeof nonceValid === 'function') {
             nonceOk = await nonceValid(fields.nonce);
         }
+        else if ('nonceStore' in nonceValid) {
+            // Store-based validation: atomic consume (check + delete)
+            nonceOk = await nonceValid.nonceStore.consume(fields.nonce);
+        }
         else {
             // Stateless validation via HMAC token
             const payload = verifyNonceToken(nonceValid.nonceToken, nonceValid.secret);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@buildersgarden/siwa",
-  "version": "0.0.13",
+  "version": "0.0.15",
   "type": "module",
   "exports": {
     ".": {
@@ -8,8 +8,8 @@
       "default": "./dist/index.js"
     },
     "./signer": {
-      "types": "./dist/signer.d.ts",
-      "default": "./dist/signer.js"
+      "types": "./dist/signer/index.d.ts",
+      "default": "./dist/signer/index.js"
     },
     "./keystore": {
       "types": "./dist/keystore.d.ts",
@@ -43,13 +43,25 @@
       "types": "./dist/erc8128.d.ts",
       "default": "./dist/erc8128.js"
     },
+    "./nonce-store": {
+      "types": "./dist/nonce-store.d.ts",
+      "default": "./dist/nonce-store.js"
+    },
     "./next": {
-      "types": "./dist/next.d.ts",
-      "default": "./dist/next.js"
+      "types": "./dist/server-side-wrappers/next.d.ts",
+      "default": "./dist/server-side-wrappers/next.js"
     },
     "./express": {
-      "types": "./dist/express.d.ts",
-      "default": "./dist/express.js"
+      "types": "./dist/server-side-wrappers/express.d.ts",
+      "default": "./dist/server-side-wrappers/express.js"
+    },
+    "./hono": {
+      "types": "./dist/server-side-wrappers/hono.d.ts",
+      "default": "./dist/server-side-wrappers/hono.js"
+    },
+    "./fastify": {
+      "types": "./dist/server-side-wrappers/fastify.d.ts",
+      "default": "./dist/server-side-wrappers/fastify.js"
     },
     "./tba": {
       "types": "./dist/tba.d.ts",
@@ -78,16 +90,41 @@
     "viem": "^2.21.0"
   },
   "peerDependencies": {
-    "express": "^4.0.0 || ^5.0.0"
+    "@circle-fin/developer-controlled-wallets": ">=6.0.0",
+    "@fastify/cors": ">=9.0.0",
+    "@privy-io/node": ">=1.0.0",
+    "express": "^4.0.0 || ^5.0.0",
+    "fastify": ">=4.0.0",
+    "hono": ">=4.0.0"
   },
   "peerDependenciesMeta": {
     "express": {
       "optional": true
+    },
+    "@circle-fin/developer-controlled-wallets": {
+      "optional": true
+    },
+    "@privy-io/node": {
+      "optional": true
+    },
+    "hono": {
+      "optional": true
+    },
+    "fastify": {
+      "optional": true
+    },
+    "@fastify/cors": {
+      "optional": true
     }
   },
   "devDependencies": {
+    "@circle-fin/developer-controlled-wallets": "^10.1.0",
+    "@fastify/cors": "^10.1.0",
+    "@privy-io/node": "^0.8.0",
     "@types/express": "^4.17.0",
     "@types/node": "^25.2.1",
+    "fastify": "^5.7.4",
+    "hono": "^4.0.0",
     "typescript": "^5.5.0"
   }
 }

package/dist/signer.d.ts

@@ -1,145 +0,0 @@
-/**
- * signer.ts
- *
- * Wallet-agnostic signing abstraction for SIWA.
- *
- * This module provides a `Signer` interface that abstracts signing operations,
- * allowing developers to use any wallet provider without changing the SDK.
- *
- * Available signer implementations:
- *   - createKeyringProxySigner(config)    — Keyring proxy server (HMAC-authenticated)
- *   - createLocalAccountSigner(account)   — viem LocalAccount (privateKeyToAccount)
- *   - createWalletClientSigner(client)    — viem WalletClient (Privy, MetaMask, etc.)
- *
- * Usage:
- *   import { signSIWAMessage, createLocalAccountSigner } from '@buildersgarden/siwa';
- *   import { privateKeyToAccount } from 'viem/accounts';
- *
- *   const account = privateKeyToAccount('0x...');
- *   const signer = createLocalAccountSigner(account);
- *   const { message, signature } = await signSIWAMessage(fields, signer);
- */
-import type { Address, Hex, WalletClient } from 'viem';
-import type { LocalAccount } from 'viem/accounts';
-/**
- * Signer type detected during SIWA sign-in.
- *
- * - `'eoa'` — Externally Owned Account (ECDSA key pair)
- * - `'sca'` — Smart Contract Account (ERC-1271, e.g. Safe, TBA, Kernel)
- */
-export type SignerType = 'eoa' | 'sca';
-/**
- * Core signer interface for message signing.
- *
- * Implement this interface to add support for new wallet providers.
- */
-export interface Signer {
-    /** Get the signer's address */
-    getAddress(): Promise<Address>;
-    /** Sign a message (EIP-191 personal_sign) */
-    signMessage(message: string): Promise<Hex>;
-    /**
-     * Sign raw bytes (optional).
-     * Used by ERC-8128 for HTTP message signatures.
-     * If not implemented, signMessage will be used as fallback.
-     */
-    signRawMessage?(rawHex: Hex): Promise<Hex>;
-}
-/**
- * Extended signer with transaction signing capabilities.
- *
- * Required for onchain operations like agent registration.
- */
-export interface TransactionSigner extends Signer {
-    /** Sign a transaction and return the serialized signed transaction */
-    signTransaction(tx: TransactionRequest): Promise<Hex>;
-}
-/** Transaction request compatible with viem */
-export interface TransactionRequest {
-    to?: Address;
-    data?: Hex;
-    value?: bigint;
-    nonce?: number;
-    chainId?: number;
-    gas?: bigint;
-    maxFeePerGas?: bigint;
-    maxPriorityFeePerGas?: bigint;
-    gasPrice?: bigint;
-    type?: number | string;
-    accessList?: any[];
-}
-/** Configuration for the keyring proxy signer */
-export interface KeyringProxyConfig {
-    /** URL of the keyring proxy server (or KEYRING_PROXY_URL env var) */
-    proxyUrl?: string;
-    /** HMAC shared secret (or KEYRING_PROXY_SECRET env var) */
-    proxySecret?: string;
-}
-/**
- * Create a signer backed by the keyring proxy server.
- *
- * The private key is stored securely in the proxy server and never
- * enters the calling process. All signing operations are performed
- * via HMAC-authenticated HTTP requests.
- *
- * @param config - Proxy URL and secret (or use env vars)
- * @returns A TransactionSigner that delegates to the keyring proxy
- *
- * @example
- * ```typescript
- * const signer = createKeyringProxySigner({
- *   proxyUrl: 'http://localhost:3100',
- *   proxySecret: 'my-secret',
- * });
- * const { message, signature } = await signSIWAMessage(fields, signer);
- * ```
- */
-export declare function createKeyringProxySigner(config?: KeyringProxyConfig): TransactionSigner;
-/**
- * Create a signer from a viem LocalAccount.
- *
- * Use this when you have direct access to a private key via
- * viem's `privateKeyToAccount()` or similar.
- *
- * @param account - A viem LocalAccount (from privateKeyToAccount, mnemonicToAccount, etc.)
- * @returns A TransactionSigner that signs using the local account
- *
- * @example
- * ```typescript
- * import { privateKeyToAccount } from 'viem/accounts';
- *
- * const account = privateKeyToAccount('0x...');
- * const signer = createLocalAccountSigner(account);
- * const { message, signature } = await signSIWAMessage(fields, signer);
- * ```
- */
-export declare function createLocalAccountSigner(account: LocalAccount): TransactionSigner;
-/**
- * Create a signer from a viem WalletClient.
- *
- * Use this for browser wallets (MetaMask, etc.), embedded wallets (Privy),
- * WalletConnect, or any wallet that provides an EIP-1193 provider.
- *
- * @param client - A viem WalletClient
- * @param account - Optional specific account address to use
- * @returns A Signer that delegates to the WalletClient
- *
- * @example
- * ```typescript
- * // With Privy embedded wallet
- * const provider = await privyWallet.getEthereumProvider();
- * const walletClient = createWalletClient({
- *   chain: baseSepolia,
- *   transport: custom(provider),
- * });
- * const signer = createWalletClientSigner(walletClient);
- *
- * // With browser wallet (MetaMask)
- * const walletClient = createWalletClient({
- *   chain: mainnet,
- *   transport: custom(window.ethereum),
- * });
- * const signer = createWalletClientSigner(walletClient);
- * ```
- */
-export declare function createWalletClientSigner(client: WalletClient, account?: Address): Signer;

package/dist/signer.js

@@ -1,179 +0,0 @@
-/**
- * signer.ts
- *
- * Wallet-agnostic signing abstraction for SIWA.
- *
- * This module provides a `Signer` interface that abstracts signing operations,
- * allowing developers to use any wallet provider without changing the SDK.
- *
- * Available signer implementations:
- *   - createKeyringProxySigner(config)    — Keyring proxy server (HMAC-authenticated)
- *   - createLocalAccountSigner(account)   — viem LocalAccount (privateKeyToAccount)
- *   - createWalletClientSigner(client)    — viem WalletClient (Privy, MetaMask, etc.)
- *
- * Usage:
- *   import { signSIWAMessage, createLocalAccountSigner } from '@buildersgarden/siwa';
- *   import { privateKeyToAccount } from 'viem/accounts';
- *
- *   const account = privateKeyToAccount('0x...');
- *   const signer = createLocalAccountSigner(account);
- *   const { message, signature } = await signSIWAMessage(fields, signer);
- */
-import { computeHmac } from './proxy-auth.js';
-// ─── Internal: Keyring Proxy Request ─────────────────────────────────
-async function proxyRequest(config, endpoint, body = {}) {
-    const url = config.proxyUrl || process.env.KEYRING_PROXY_URL;
-    const secret = config.proxySecret || process.env.KEYRING_PROXY_SECRET;
-    if (!url) {
-        throw new Error('Keyring proxy requires KEYRING_PROXY_URL or config.proxyUrl');
-    }
-    if (!secret) {
-        throw new Error('Keyring proxy requires KEYRING_PROXY_SECRET or config.proxySecret');
-    }
-    const bodyStr = JSON.stringify(body, (_key, value) => typeof value === 'bigint' ? '0x' + value.toString(16) : value);
-    const hmacHeaders = computeHmac(secret, 'POST', endpoint, bodyStr);
-    const res = await fetch(`${url}${endpoint}`, {
-        method: 'POST',
-        headers: {
-            'Content-Type': 'application/json',
-            ...hmacHeaders,
-        },
-        body: bodyStr,
-    });
-    if (!res.ok) {
-        const text = await res.text();
-        throw new Error(`Proxy ${endpoint} failed (${res.status}): ${text}`);
-    }
-    return res.json();
-}
-// ─── Keyring Proxy Signer ────────────────────────────────────────────
-/**
- * Create a signer backed by the keyring proxy server.
- *
- * The private key is stored securely in the proxy server and never
- * enters the calling process. All signing operations are performed
- * via HMAC-authenticated HTTP requests.
- *
- * @param config - Proxy URL and secret (or use env vars)
- * @returns A TransactionSigner that delegates to the keyring proxy
- *
- * @example
- * ```typescript
- * const signer = createKeyringProxySigner({
- *   proxyUrl: 'http://localhost:3100',
- *   proxySecret: 'my-secret',
- * });
- * const { message, signature } = await signSIWAMessage(fields, signer);
- * ```
- */
-export function createKeyringProxySigner(config = {}) {
-    return {
-        async getAddress() {
-            const data = await proxyRequest(config, '/get-address');
-            return data.address;
-        },
-        async signMessage(message) {
-            const data = await proxyRequest(config, '/sign-message', { message });
-            return data.signature;
-        },
-        async signRawMessage(rawHex) {
-            const data = await proxyRequest(config, '/sign-message', {
-                message: rawHex,
-                raw: true,
-            });
-            return data.signature;
-        },
-        async signTransaction(tx) {
-            const data = await proxyRequest(config, '/sign-transaction', { tx });
-            return data.signedTx;
-        },
-    };
-}
-// ─── Local Account Signer ────────────────────────────────────────────
-/**
- * Create a signer from a viem LocalAccount.
- *
- * Use this when you have direct access to a private key via
- * viem's `privateKeyToAccount()` or similar.
- *
- * @param account - A viem LocalAccount (from privateKeyToAccount, mnemonicToAccount, etc.)
- * @returns A TransactionSigner that signs using the local account
- *
- * @example
- * ```typescript
- * import { privateKeyToAccount } from 'viem/accounts';
- *
- * const account = privateKeyToAccount('0x...');
- * const signer = createLocalAccountSigner(account);
- * const { message, signature } = await signSIWAMessage(fields, signer);
- * ```
- */
-export function createLocalAccountSigner(account) {
-    return {
-        async getAddress() {
-            return account.address;
-        },
-        async signMessage(message) {
-            return account.signMessage({ message });
-        },
-        async signRawMessage(rawHex) {
-            return account.signMessage({ message: { raw: rawHex } });
-        },
-        async signTransaction(tx) {
-            return account.signTransaction(tx);
-        },
-    };
-}
-// ─── WalletClient Signer ─────────────────────────────────────────────
-/**
- * Create a signer from a viem WalletClient.
- *
- * Use this for browser wallets (MetaMask, etc.), embedded wallets (Privy),
- * WalletConnect, or any wallet that provides an EIP-1193 provider.
- *
- * @param client - A viem WalletClient
- * @param account - Optional specific account address to use
- * @returns A Signer that delegates to the WalletClient
- *
- * @example
- * ```typescript
- * // With Privy embedded wallet
- * const provider = await privyWallet.getEthereumProvider();
- * const walletClient = createWalletClient({
- *   chain: baseSepolia,
- *   transport: custom(provider),
- * });
- * const signer = createWalletClientSigner(walletClient);
- *
- * // With browser wallet (MetaMask)
- * const walletClient = createWalletClient({
- *   chain: mainnet,
- *   transport: custom(window.ethereum),
- * });
- * const signer = createWalletClientSigner(walletClient);
- * ```
- */
-export function createWalletClientSigner(client, account) {
-    const resolveAccount = async () => {
-        if (account)
-            return account;
-        const addresses = await client.getAddresses();
-        if (!addresses || addresses.length === 0) {
-            throw new Error('No address found in wallet');
-        }
-        return addresses[0];
-    };
-    return {
-        async getAddress() {
-            return resolveAccount();
-        },
-        async signMessage(message) {
-            const addr = await resolveAccount();
-            return client.signMessage({ account: addr, message });
-        },
-        async signRawMessage(rawHex) {
-            const addr = await resolveAccount();
-            return client.signMessage({ account: addr, message: { raw: rawHex } });
-        },
-    };
-}