npm - @open-wallet-standard/core - Versions diffs - 0.4.2 → 0.5.0 - Mend

@open-wallet-standard/core 0.4.2 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,16 +1,18 @@
+<!-- Generated from readme/templates/node.md + readme/partials/ — edit those, then run readme/generate.sh -->
 # @open-wallet-standard/core
-Secure signing and wallet management for every chain. One vault, one interface — keys never leave your machine.
+Local, policy-gated signing and wallet management for every chain.
 [![npm](https://img.shields.io/npm/v/@open-wallet-standard/core)](https://www.npmjs.com/package/@open-wallet-standard/core)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/open-wallet-standard/core/blob/main/LICENSE)
 ## Why OWS
-- **Zero key exposure.** Private keys are encrypted at rest, decrypted only inside an isolated signing process. Agents and LLMs never see raw key material.
-- **Every chain, one interface.** EVM, Solana, Sui, Bitcoin, Cosmos, Tron, TON — all first-class. CAIP-2/CAIP-10 addressing abstracts away chain-specific details.
-- **Policy before signing.** A pre-signing policy engine gates every operation — spending limits, allowlists, chain restrictions — before any key is touched.
-- **Built for agents.** MCP server, native SDK, and CLI. A wallet created by one tool works in every other.
+- **Local key custody.** Private keys stay encrypted at rest and are decrypted only inside the OWS signing path after the relevant checks pass. Current implementations harden in-process memory handling and wipe key material after use.
+- **Every chain, one interface.** EVM, Solana, Sui, Bitcoin, Cosmos, Tron, TON, Spark, Filecoin — all first-class. CAIP-2/CAIP-10 addressing abstracts away chain-specific details.
+- **Policy before signing.** A pre-signing policy engine gates agent (API key) operations before decryption — chain allowlists, expiry, and optional custom executables.
+- **Built for agents.** Native SDK and CLI today. A wallet created by one tool works in every other.
 ## Install
@@ -27,7 +29,7 @@ The package is **fully self-contained** — it embeds the Rust core via native F
 import { createWallet, signMessage } from "@open-wallet-standard/core";
 const wallet = createWallet("agent-treasury");
-// => accounts for EVM, Solana, Sui, BTC, Cosmos, Tron, TON
+// => accounts for EVM, Solana, Bitcoin, Cosmos, Tron, TON, Filecoin, and Sui
 const sig = signMessage("agent-treasury", "evm", "hello");
 console.log(sig.signature);
@@ -36,14 +38,14 @@ console.log(sig.signature);
 ### CLI
 ```bash
-# Create a wallet (derives addresses for all supported chains)
+# Create a wallet (derives addresses for the current auto-derived chain set)
 ows wallet create --name "agent-treasury"
 # Sign a message
 ows sign message --wallet agent-treasury --chain evm --message "hello"
 # Sign a transaction
-ows sign tx --wallet agent-treasury --chain evm --tx-hex "deadbeef..."
+ows sign tx --wallet agent-treasury --chain evm --tx "deadbeef..."
 ```
 ## Supported Chains
@@ -57,6 +59,7 @@ ows sign tx --wallet agent-treasury --chain evm --tx-hex "deadbeef..."
 | Tron | secp256k1 | base58check | `m/44'/195'/0'/0/0` |
 | TON | Ed25519 | raw/bounceable | `m/44'/607'/0'` |
 | Sui | Ed25519 | 0x + BLAKE2b-256 hex | `m/44'/784'/0'/0'/0'` |
+| Spark (Bitcoin L2) | secp256k1 | spark: prefixed | `m/84'/0'/0'/0/0` |
 | Filecoin | secp256k1 | f1 base32 | `m/44'/461'/0'/0/0` |
 ## CLI Reference
@@ -74,6 +77,11 @@ ows sign tx --wallet agent-treasury --chain evm --tx-hex "deadbeef..."
 | `ows fund balance` | Check token balances for a wallet |
 | `ows mnemonic generate` | Generate a BIP-39 mnemonic phrase |
 | `ows mnemonic derive` | Derive an address from a mnemonic |
+| `ows policy create` | Register a policy from a JSON file |
+| `ows policy list` | List all registered policies |
+| `ows key create` | Create an API key for agent access |
+| `ows key list` | List all API keys |
+| `ows key revoke` | Revoke an API key |
 | `ows update` | Update ows and bindings |
 | `ows uninstall` | Remove ows from the system |
@@ -82,18 +90,18 @@ ows sign tx --wallet agent-treasury --chain evm --tx-hex "deadbeef..."
 ```
 Agent / CLI / App
        │
-       │  OWS Interface (MCP / SDK / CLI)
+       │  OWS Interface (SDK / CLI)
        ▼
 ┌─────────────────────┐
-│    Access Layer      │     1. Agent calls ows.sign()
-│  ┌────────────────┐  │     2. Policy engine evaluates
-│  │ Policy Engine   │  │     3. Enclave decrypts key
+│    Access Layer      │     1. Caller invokes sign()
+│  ┌────────────────┐  │     2. Policy engine evaluates for API tokens
+│  │ Policy Engine   │  │     3. Key decrypted in hardened memory
 │  │ (pre-signing)   │  │     4. Transaction signed
 │  └───────┬────────┘  │     5. Key wiped from memory
 │  ┌───────▼────────┐  │     6. Signature returned
-│  │ Signing Enclave │  │
-│  │ (isolated proc) │  │     The agent NEVER sees
-│  └───────┬────────┘  │     the private key.
+│  │  Signing Core   │  │
+│  │   (in-process)  │  │     The OWS API never returns
+│  └───────┬────────┘  │     raw private keys.
 │  ┌───────▼────────┐  │
 │  │  Wallet Vault   │  │
 │  │ ~/.ows/wallets/ │  │

package/index.d.ts CHANGED Viewed

@@ -60,5 +60,30 @@ export declare function signTransaction(wallet: string, chain: string, txHex: st
 export declare function signMessage(wallet: string, chain: string, message: string, passphrase?: string | undefined | null, encoding?: string | undefined | null, index?: number | undefined | null, vaultPathOpt?: string | undefined | null): SignResult
 /** Sign EIP-712 typed structured data (EVM only). Returns hex-encoded signature. */
 export declare function signTypedData(wallet: string, chain: string, typedDataJson: string, passphrase?: string | undefined | null, index?: number | undefined | null, vaultPathOpt?: string | undefined | null): SignResult
+/** Register a policy from a JSON string. */
+export declare function createPolicy(policyJson: string, vaultPathOpt?: string | undefined | null): void
+/** List all registered policies. */
+export declare function listPolicies(vaultPathOpt?: string | undefined | null): Array<any>
+/** Get a single policy by ID. */
+export declare function getPolicy(id: string, vaultPathOpt?: string | undefined | null): any
+/** Delete a policy by ID. */
+export declare function deletePolicy(id: string, vaultPathOpt?: string | undefined | null): void
+/** API key creation result. */
+export interface ApiKeyResult {
+  /** The raw token (shown once — caller must save it). */
+  token: string
+  /** The key file ID. */
+  id: string
+  name: string
+}
+/**
+ * Create an API key for agent access to wallets.
+ * Returns the raw token (shown once) and key metadata.
+ */
+export declare function createApiKey(name: string, walletIds: Array<string>, policyIds: Array<string>, passphrase: string, expiresAt?: string | undefined | null, vaultPathOpt?: string | undefined | null): ApiKeyResult
+/** List all API keys (tokens are never returned). */
+export declare function listApiKeys(vaultPathOpt?: string | undefined | null): Array<any>
+/** Revoke (delete) an API key by ID. */
+export declare function revokeApiKey(id: string, vaultPathOpt?: string | undefined | null): void
 /** Sign and broadcast a transaction. Returns the transaction hash. */
 export declare function signAndSend(wallet: string, chain: string, txHex: string, passphrase?: string | undefined | null, index?: number | undefined | null, rpcUrl?: string | undefined | null, vaultPathOpt?: string | undefined | null): SendResult

package/index.js CHANGED Viewed

@@ -310,7 +310,7 @@ if (!nativeBinding) {
   throw new Error(`Failed to load native binding`)
 }
-const { generateMnemonic, deriveAddress, createWallet, importWalletMnemonic, importWalletPrivateKey, listWallets, getWallet, deleteWallet, exportWallet, renameWallet, signTransaction, signMessage, signTypedData, signAndSend } = nativeBinding
+const { generateMnemonic, deriveAddress, createWallet, importWalletMnemonic, importWalletPrivateKey, listWallets, getWallet, deleteWallet, exportWallet, renameWallet, signTransaction, signMessage, signTypedData, createPolicy, listPolicies, getPolicy, deletePolicy, createApiKey, listApiKeys, revokeApiKey, signAndSend } = nativeBinding
 module.exports.generateMnemonic = generateMnemonic
 module.exports.deriveAddress = deriveAddress
@@ -325,4 +325,11 @@ module.exports.renameWallet = renameWallet
 module.exports.signTransaction = signTransaction
 module.exports.signMessage = signMessage
 module.exports.signTypedData = signTypedData
+module.exports.createPolicy = createPolicy
+module.exports.listPolicies = listPolicies
+module.exports.getPolicy = getPolicy
+module.exports.deletePolicy = deletePolicy
+module.exports.createApiKey = createApiKey
+module.exports.listApiKeys = listApiKeys
+module.exports.revokeApiKey = revokeApiKey
 module.exports.signAndSend = signAndSend

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@open-wallet-standard/core",
-  "version": "0.4.2",
+  "version": "0.5.0",
   "description": "Node.js native bindings for the Open Wallet Standard",
   "main": "index.js",
   "types": "index.d.ts",
@@ -31,10 +31,10 @@
     "@napi-rs/cli": "^2.18.0"
   },
   "optionalDependencies": {
-    "@open-wallet-standard/core-linux-x64-gnu": "0.4.2",
-    "@open-wallet-standard/core-linux-arm64-gnu": "0.4.2",
-    "@open-wallet-standard/core-darwin-x64": "0.4.2",
-    "@open-wallet-standard/core-darwin-arm64": "0.4.2"
+    "@open-wallet-standard/core-linux-x64-gnu": "0.5.0",
+    "@open-wallet-standard/core-linux-arm64-gnu": "0.5.0",
+    "@open-wallet-standard/core-darwin-x64": "0.5.0",
+    "@open-wallet-standard/core-darwin-arm64": "0.5.0"
   },
   "license": "MIT",
   "files": [