@open-wallet-standard/core 0.4.3 → 0.5.0

package/README.md

@@ -1,16 +1,18 @@
+<!-- Generated from readme/templates/node.md + readme/partials/ — edit those, then run readme/generate.sh -->
+
 # @open-wallet-standard/core
 
-Secure signing and wallet management for every chain. One vault, one interface — keys never leave your machine.
+Local, policy-gated signing and wallet management for every chain.
 
 [![npm](https://img.shields.io/npm/v/@open-wallet-standard/core)](https://www.npmjs.com/package/@open-wallet-standard/core)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://github.com/open-wallet-standard/core/blob/main/LICENSE)
 
 ## Why OWS
 
-- **Zero key exposure.** Private keys are encrypted at rest, decrypted only after policy checks pass, then immediately wiped from memory. Agents authenticate with scoped API tokens and never see raw key material.
-- **Every chain, one interface.** EVM, Solana, Sui, Bitcoin, Cosmos, Tron, TON — all first-class. CAIP-2/CAIP-10 addressing abstracts away chain-specific details.
-- **Policy before signing.** A pre-signing policy engine gates agent (API key) operations — chain allowlists, expiry, and optional custom executables — before any key is touched.
-- **Built for agents.** MCP server, native SDK, and CLI. A wallet created by one tool works in every other.
+- **Local key custody.** Private keys stay encrypted at rest and are decrypted only inside the OWS signing path after the relevant checks pass. Current implementations harden in-process memory handling and wipe key material after use.
+- **Every chain, one interface.** EVM, Solana, Sui, Bitcoin, Cosmos, Tron, TON, Spark, Filecoin — all first-class. CAIP-2/CAIP-10 addressing abstracts away chain-specific details.
+- **Policy before signing.** A pre-signing policy engine gates agent (API key) operations before decryption — chain allowlists, expiry, and optional custom executables.
+- **Built for agents.** Native SDK and CLI today. A wallet created by one tool works in every other.
 
 ## Install
 
@@ -27,7 +29,7 @@ The package is **fully self-contained** — it embeds the Rust core via native F
 import { createWallet, signMessage } from "@open-wallet-standard/core";
 
 const wallet = createWallet("agent-treasury");
-// => accounts for EVM, Solana, Sui, BTC, Cosmos, Tron, TON
+// => accounts for EVM, Solana, Bitcoin, Cosmos, Tron, TON, Filecoin, and Sui
 
 const sig = signMessage("agent-treasury", "evm", "hello");
 console.log(sig.signature);
@@ -36,14 +38,14 @@ console.log(sig.signature);
 ### CLI
 
 ```bash
-# Create a wallet (derives addresses for all supported chains)
+# Create a wallet (derives addresses for the current auto-derived chain set)
 ows wallet create --name "agent-treasury"
 
 # Sign a message
 ows sign message --wallet agent-treasury --chain evm --message "hello"
 
 # Sign a transaction
-ows sign tx --wallet agent-treasury --chain evm --tx-hex "deadbeef..."
+ows sign tx --wallet agent-treasury --chain evm --tx "deadbeef..."
 ```
 
 ## Supported Chains
@@ -57,6 +59,7 @@ ows sign tx --wallet agent-treasury --chain evm --tx-hex "deadbeef..."
 | Tron | secp256k1 | base58check | `m/44'/195'/0'/0/0` |
 | TON | Ed25519 | raw/bounceable | `m/44'/607'/0'` |
 | Sui | Ed25519 | 0x + BLAKE2b-256 hex | `m/44'/784'/0'/0'/0'` |
+| Spark (Bitcoin L2) | secp256k1 | spark: prefixed | `m/84'/0'/0'/0/0` |
 | Filecoin | secp256k1 | f1 base32 | `m/44'/461'/0'/0/0` |
 
 ## CLI Reference
@@ -74,6 +77,11 @@ ows sign tx --wallet agent-treasury --chain evm --tx-hex "deadbeef..."
 | `ows fund balance` | Check token balances for a wallet |
 | `ows mnemonic generate` | Generate a BIP-39 mnemonic phrase |
 | `ows mnemonic derive` | Derive an address from a mnemonic |
+| `ows policy create` | Register a policy from a JSON file |
+| `ows policy list` | List all registered policies |
+| `ows key create` | Create an API key for agent access |
+| `ows key list` | List all API keys |
+| `ows key revoke` | Revoke an API key |
 | `ows update` | Update ows and bindings |
 | `ows uninstall` | Remove ows from the system |
 
@@ -82,18 +90,18 @@ ows sign tx --wallet agent-treasury --chain evm --tx-hex "deadbeef..."
 ```
 Agent / CLI / App
        │
-       │  OWS Interface (MCP / SDK / CLI)
+       │  OWS Interface (SDK / CLI)
        ▼
 ┌─────────────────────┐
-│    Access Layer      │     1. Agent calls ows.sign()
-│  ┌────────────────┐  │     2. Policy engine evaluates
-│  │ Policy Engine   │  │     3. Enclave decrypts key
+│    Access Layer      │     1. Caller invokes sign()
+│  ┌────────────────┐  │     2. Policy engine evaluates for API tokens
+│  │ Policy Engine   │  │     3. Key decrypted in hardened memory
 │  │ (pre-signing)   │  │     4. Transaction signed
 │  └───────┬────────┘  │     5. Key wiped from memory
 │  ┌───────▼────────┐  │     6. Signature returned
-│  │ Signing Enclave │  │
-│  │ (isolated proc) │  │     The agent NEVER sees
-│  └───────┬────────┘  │     the private key.
+│  │  Signing Core   │  │
+│  │   (in-process)  │  │     The OWS API never returns
+│  └───────┬────────┘  │     raw private keys.
 │  ┌───────▼────────┐  │
 │  │  Wallet Vault   │  │
 │  │ ~/.ows/wallets/ │  │

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-wallet-standard/core",
-  "version": "0.4.3",
+  "version": "0.5.0",
   "description": "Node.js native bindings for the Open Wallet Standard",
   "main": "index.js",
   "types": "index.d.ts",
@@ -31,10 +31,10 @@
     "@napi-rs/cli": "^2.18.0"
   },
   "optionalDependencies": {
-    "@open-wallet-standard/core-linux-x64-gnu": "0.4.3",
-    "@open-wallet-standard/core-linux-arm64-gnu": "0.4.3",
-    "@open-wallet-standard/core-darwin-x64": "0.4.3",
-    "@open-wallet-standard/core-darwin-arm64": "0.4.3"
+    "@open-wallet-standard/core-linux-x64-gnu": "0.5.0",
+    "@open-wallet-standard/core-linux-arm64-gnu": "0.5.0",
+    "@open-wallet-standard/core-darwin-x64": "0.5.0",
+    "@open-wallet-standard/core-darwin-arm64": "0.5.0"
   },
   "license": "MIT",
   "files": [