@orbitmem/sdk 0.1.0

package/src/encryption/__tests__/encryption-layer.test.ts

@@ -0,0 +1,80 @@
+import { describe, expect, test } from "bun:test";
+
+import { createEncryptionLayer } from "../encryption-layer.js";
+
+describe("EncryptionLayer", () => {
+  const layer = createEncryptionLayer({
+    defaultEngine: "aes",
+    aes: { kdf: "hkdf-sha256" },
+  });
+
+  test("encrypt/decrypt with AES via unified interface", async () => {
+    const data = new TextEncoder().encode("unified test");
+    const rawKey = crypto.getRandomValues(new Uint8Array(32));
+
+    const encrypted = await layer.encrypt(data, {
+      engine: "aes",
+      keySource: { type: "raw", key: rawKey },
+    });
+
+    expect(encrypted.engine).toBe("aes");
+
+    const decrypted = await layer.decrypt(encrypted, {
+      keySource: { type: "raw", key: rawKey },
+    });
+    expect(new TextDecoder().decode(decrypted)).toBe("unified test");
+  });
+
+  test("deriveAESKey returns CryptoKey", async () => {
+    const key = await layer.deriveAESKey({
+      type: "raw",
+      key: crypto.getRandomValues(new Uint8Array(32)),
+    });
+    expect(key.type).toBe("secret");
+  });
+
+  test("canDecrypt returns true for AES", async () => {
+    const rawKey = crypto.getRandomValues(new Uint8Array(32));
+    const encrypted = await layer.encrypt(new TextEncoder().encode("test"), {
+      engine: "aes",
+      keySource: { type: "raw", key: rawKey },
+    });
+    const result = await layer.canDecrypt(encrypted);
+    expect(result).toBe(true);
+  });
+
+  test("Lit decrypt throws clear error without authSig", async () => {
+    const litLayer = createEncryptionLayer({
+      defaultEngine: "lit",
+      aes: { kdf: "hkdf-sha256" },
+      lit: { network: "cayenne" },
+    });
+
+    const fakeLitBlob = {
+      engine: "lit" as const,
+      ciphertext: new Uint8Array([1, 2, 3]),
+      dataToEncryptHash: "abc",
+      accessControlConditions: [],
+      chain: "base" as const,
+    };
+
+    await expect(litLayer.decrypt(fakeLitBlob)).rejects.toThrow(/authSig/);
+  });
+
+  test("Lit decrypt without lit config throws", async () => {
+    const noLitLayer = createEncryptionLayer({
+      defaultEngine: "aes",
+      aes: { kdf: "hkdf-sha256" },
+    });
+
+    const fakeLitBlob = {
+      engine: "lit" as const,
+      ciphertext: new Uint8Array([1, 2, 3]),
+      dataToEncryptHash: "abc",
+      accessControlConditions: [],
+      chain: "base" as const,
+    };
+
+    await expect(noLitLayer.decrypt(fakeLitBlob)).rejects.toThrow(/Lit Protocol not configured/);
+  });
+});

package/src/encryption/__tests__/lit.test.ts

@@ -0,0 +1,97 @@
+import { describe, expect, mock, test } from "bun:test";
+
+import { LitEngine } from "../lit.js";
+
+describe("LitEngine", () => {
+  test("creates access conditions correctly", () => {
+    const engine = new LitEngine({ network: "datil-dev" });
+    const condition = engine.createAddressCondition(
+      "0x1234567890abcdef1234567890abcdef12345678",
+      "base",
+    );
+    expect(condition.conditionType).toBe("evmBasic");
+    expect(condition.returnValueTest.value).toBe("0x1234567890abcdef1234567890abcdef12345678");
+  });
+
+  test("createReputationCondition builds correct contract call condition", () => {
+    const engine = new LitEngine({ network: "datil-dev" });
+    const condition = engine.createReputationCondition({
+      registryAddress: "0xREP_REGISTRY",
+      minScore: 80,
+      chain: "base",
+    });
+    expect(condition.conditionType).toBe("evmContract");
+    expect(condition.returnValueTest.comparator).toBe(">=");
+  });
+
+  test("getSessionSigs calls litClient.getSessionSigs with authNeededCallback", async () => {
+    const engine = new LitEngine({ network: "datil-dev" });
+
+    const mockSessionSigs = { "https://node1.lit": { sig: "abc", address: "0x123" } };
+    const mockClient = {
+      getSessionSigs: mock(async () => mockSessionSigs),
+      getLatestBlockhash: mock(async () => "0xblockhash"),
+    };
+    // Inject mock client
+    (engine as any).client = mockClient;
+
+    const authSig = {
+      sig: "0xsig",
+      derivedVia: "web3.eth.personal.sign",
+      signedMessage: "Sign in to OrbitMem",
+      address: "0x1234567890abcdef1234567890abcdef12345678",
+    };
+
+    const result = await engine.getSessionSigs(authSig, "base");
+    expect(result).toEqual(mockSessionSigs);
+    expect(mockClient.getSessionSigs).toHaveBeenCalledTimes(1);
+  });
+
+  test("decrypt resolves authSig to sessionSigs when authSig object is passed", async () => {
+    const engine = new LitEngine({ network: "datil-dev" });
+
+    const mockClient = {
+      getSessionSigs: mock(async () => ({ "https://node1.lit": { sig: "abc" } })),
+      getLatestBlockhash: mock(async () => "0xblockhash"),
+    };
+    (engine as any).client = mockClient;
+
+    const authSig = {
+      sig: "0xsig",
+      derivedVia: "web3.eth.personal.sign",
+      signedMessage: "Sign in",
+      address: "0xABCD",
+    };
+
+    const encrypted = {
+      engine: "lit" as const,
+      ciphertext: new Uint8Array([10, 20]),
+      dataToEncryptHash: "abc123",
+      accessControlConditions: [
+        {
+          conditionType: "evmBasic" as const,
+          contractAddress: "" as `0x${string}`,
+          standardContractType: "" as const,
+          chain: "base" as const,
+          method: "",
+          parameters: [":userAddress"],
+          returnValueTest: { comparator: "=" as const, value: "0xABCD" },
+        },
+      ],
+      chain: "base" as const,
+    };
+
+    // Spy on getSessionSigs to verify it's called when authSig is provided
+    const getSessionSigsSpy = mock(async () => ({ "https://node1.lit": { sig: "abc" } }));
+    engine.getSessionSigs = getSessionSigsSpy;
+
+    // decrypt will fail at the actual Lit decryption (no real Lit network),
+    // but we can verify getSessionSigs was called
+    try {
+      await engine.decrypt(encrypted, authSig);
+    } catch {
+      // Expected — dynamic import of @lit-protocol/encryption will fail in test
+    }
+    expect(getSessionSigsSpy).toHaveBeenCalledTimes(1);
+  });
+});

package/src/encryption/aes.ts

@@ -0,0 +1,109 @@
+import type { AESEncryptedData, AESKeySource } from "../types.js";
+
+export interface AESConfig {
+  kdf: "hkdf-sha256" | "pbkdf2-sha256";
+  iterations?: number;
+}
+
+export class AESEngine {
+  private config: AESConfig;
+  private lastSalt: Uint8Array = new Uint8Array(32);
+  private lastSource: "wallet-signature" | "password" | "raw" = "raw";
+
+  constructor(config: AESConfig) {
+    this.config = config;
+  }
+
+  async deriveKey(source: AESKeySource, walletSignature?: Uint8Array): Promise<CryptoKey> {
+    if (source.type === "raw") {
+      this.lastSource = "raw";
+      this.lastSalt = new Uint8Array(0);
+      return crypto.subtle.importKey(
+        "raw",
+        source.key as BufferSource,
+        { name: "AES-GCM" },
+        false,
+        ["encrypt", "decrypt"],
+      );
+    }
+
+    if (source.type === "wallet-signature") {
+      if (!walletSignature) throw new Error("walletSignature required for wallet-signature source");
+      const ikm = await crypto.subtle.importKey(
+        "raw",
+        walletSignature as BufferSource,
+        "HKDF",
+        false,
+        ["deriveKey"],
+      );
+      const salt = crypto.getRandomValues(new Uint8Array(32));
+      const info = new TextEncoder().encode("orbitmem-aes-256-gcm");
+      this.lastSource = "wallet-signature";
+      this.lastSalt = salt;
+      return crypto.subtle.deriveKey(
+        { name: "HKDF", hash: "SHA-256", salt, info },
+        ikm,
+        { name: "AES-GCM", length: 256 },
+        false,
+        ["encrypt", "decrypt"],
+      );
+    }
+
+    if (source.type === "password") {
+      const enc = new TextEncoder().encode(source.password);
+      const ikm = await crypto.subtle.importKey("raw", enc, "PBKDF2", false, ["deriveKey"]);
+      const salt = crypto.getRandomValues(new Uint8Array(32));
+      this.lastSource = "password";
+      this.lastSalt = salt;
+      return crypto.subtle.deriveKey(
+        { name: "PBKDF2", hash: "SHA-256", salt, iterations: this.config.iterations ?? 100000 },
+        ikm,
+        { name: "AES-GCM", length: 256 },
+        false,
+        ["encrypt", "decrypt"],
+      );
+    }
+
+    throw new Error(`Unknown key source type: ${(source as any).type}`);
+  }
+
+  async encrypt(data: Uint8Array, key: CryptoKey): Promise<AESEncryptedData> {
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const ciphertextWithTag = await crypto.subtle.encrypt(
+      { name: "AES-GCM", iv: iv as BufferSource, tagLength: 128 },
+      key,
+      data as BufferSource,
+    );
+    // AES-GCM appends the 16-byte auth tag to the ciphertext
+    const raw = new Uint8Array(ciphertextWithTag);
+    const ciphertext = raw.slice(0, raw.length - 16);
+    const authTag = raw.slice(raw.length - 16);
+
+    return {
+      engine: "aes",
+      ciphertext,
+      iv,
+      authTag,
+      keyDerivation: {
+        source: this.lastSource,
+        salt: new Uint8Array(this.lastSalt),
+        kdf: this.config.kdf === "hkdf-sha256" ? "hkdf-sha256" : "pbkdf2-sha256",
+        ...(this.lastSource === "password" ? { iterations: this.config.iterations ?? 100000 } : {}),
+      },
+    };
+  }
+
+  async decrypt(encrypted: AESEncryptedData, key: CryptoKey): Promise<Uint8Array> {
+    // Reconstruct ciphertext + authTag
+    const combined = new Uint8Array(encrypted.ciphertext.length + encrypted.authTag.length);
+    combined.set(encrypted.ciphertext, 0);
+    combined.set(encrypted.authTag, encrypted.ciphertext.length);
+
+    const plaintext = await crypto.subtle.decrypt(
+      { name: "AES-GCM", iv: encrypted.iv as BufferSource, tagLength: 128 },
+      key,
+      combined,
+    );
+    return new Uint8Array(plaintext);
+  }
+}

package/src/encryption/encryption-layer.ts

@@ -0,0 +1,100 @@
+import type {
+  AESEncryptedData,
+  EncryptAESOptions,
+  EncryptionConfig,
+  EncryptLitOptions,
+  IEncryptionLayer,
+  LitAccessCondition,
+  LitEncryptedData,
+} from "../types.js";
+import { AESEngine } from "./aes.js";
+import { LitEngine } from "./lit.js";
+
+export function createEncryptionLayer(config: EncryptionConfig): IEncryptionLayer & {
+  aes: AESEngine;
+  lit: LitEngine | null;
+} {
+  const aes = new AESEngine({
+    kdf: config.aes?.kdf ?? "hkdf-sha256",
+    iterations: config.aes?.iterations,
+  });
+  const lit = config.lit
+    ? new LitEngine({
+        network:
+          config.lit.network === "cayenne"
+            ? "datil-dev"
+            : config.lit.network === "manzano"
+              ? "datil-test"
+              : config.lit.network === "habanero"
+                ? "datil"
+                : (config.lit.network as any),
+        debug: config.lit.debug,
+      })
+    : null;
+
+  return {
+    aes,
+    lit,
+
+    async encrypt(data, opts) {
+      if (opts.engine === "aes") {
+        const aesOpts = opts as EncryptAESOptions;
+        const key = await aes.deriveKey(aesOpts.keySource);
+        return aes.encrypt(data instanceof Uint8Array ? data : new TextEncoder().encode(data), key);
+      }
+      if (opts.engine === "lit") {
+        if (!lit) throw new Error("Lit Protocol not configured");
+        const litOpts = opts as EncryptLitOptions;
+        const raw = data instanceof Uint8Array ? data : new TextEncoder().encode(data);
+        return lit.encrypt(raw, litOpts.accessConditions, litOpts.chain as string);
+      }
+      throw new Error(`Unknown engine: ${(opts as any).engine}`);
+    },
+
+    async decrypt(encrypted, opts) {
+      if (encrypted.engine === "aes") {
+        const aesData = encrypted as AESEncryptedData;
+        if (!opts?.keySource) throw new Error("keySource required for AES decryption");
+        const key = await aes.deriveKey(opts.keySource);
+        return aes.decrypt(aesData, key);
+      }
+      if (encrypted.engine === "lit") {
+        if (!lit) throw new Error("Lit Protocol not configured");
+        if (!opts?.authSig) throw new Error("Lit decryption requires authSig in DecryptOptions");
+        return lit.decrypt(encrypted as LitEncryptedData, opts.authSig);
+      }
+      throw new Error(`Unknown engine: ${(encrypted as any).engine}`);
+    },
+
+    async grantAccess(encrypted, agentAddress, opts) {
+      if (!lit) throw new Error("Lit Protocol not configured");
+      const newCondition = lit.createAddressCondition(
+        agentAddress as string,
+        (opts?.chain ?? "base") as any,
+      );
+      const updatedConditions: LitAccessCondition[] = [
+        ...encrypted.accessControlConditions,
+        { operator: "or" as const },
+        newCondition,
+      ];
+      return { ...encrypted, accessControlConditions: updatedConditions };
+    },
+
+    async revokeAccess(encrypted, agentAddress) {
+      const filtered = encrypted.accessControlConditions.filter(
+        (c: any) => !("returnValueTest" in c && c.returnValueTest?.value === agentAddress),
+      );
+      return { ...encrypted, accessControlConditions: filtered };
+    },
+
+    async deriveAESKey(source) {
+      return aes.deriveKey(source);
+    },
+
+    async canDecrypt(encrypted) {
+      if (encrypted.engine === "aes") return true; // caller must have key
+      if (encrypted.engine === "lit") return lit !== null;
+      return false;
+    },
+  };
+}

package/src/encryption/index.ts

@@ -0,0 +1,5 @@
+export type { AESConfig } from "./aes.js";
+export { AESEngine } from "./aes.js";
+export { createEncryptionLayer } from "./encryption-layer.js";
+export type { LitConfig } from "./lit.js";
+export { LitEngine } from "./lit.js";

package/src/encryption/lit.ts

@@ -0,0 +1,161 @@
+import type {
+  EvmAddress,
+  EvmChain,
+  LitAccessCondition,
+  LitAuthSig,
+  LitEncryptedData,
+  LitEvmCondition,
+} from "../types.js";
+
+export interface LitConfig {
+  network: "datil-dev" | "datil-test" | "datil";
+  debug?: boolean;
+}
+
+export class LitEngine {
+  private config: LitConfig;
+  private client: any | null = null;
+
+  constructor(config: LitConfig) {
+    this.config = config;
+  }
+
+  /** Lazy-initialize the Lit client (heavy import) */
+  async getClient(): Promise<any> {
+    if (this.client) return this.client;
+    const { LitNodeClient } = await import("@lit-protocol/lit-node-client");
+    const { LIT_NETWORK } = await import("@lit-protocol/constants");
+    const networkMap: Record<string, string> = {
+      "datil-dev": LIT_NETWORK.DatilDev,
+      "datil-test": LIT_NETWORK.DatilTest,
+      datil: LIT_NETWORK.Datil,
+    };
+    this.client = new LitNodeClient({
+      litNetwork: networkMap[this.config.network] as any,
+      debug: this.config.debug ?? false,
+    });
+    await this.client.connect();
+    return this.client;
+  }
+
+  async getSessionSigs(authSig: LitAuthSig, chain: string): Promise<any> {
+    const client = await this.getClient();
+    const { LitAbility } = await import("@lit-protocol/constants");
+    const { LitAccessControlConditionResource, createSiweMessageWithRecaps, generateAuthSig } =
+      await import("@lit-protocol/auth-helpers");
+
+    const litResource = new LitAccessControlConditionResource("*");
+
+    return client.getSessionSigs({
+      chain,
+      resourceAbilityRequests: [
+        { resource: litResource, ability: LitAbility.AccessControlConditionDecryption },
+      ],
+      authNeededCallback: async (params: {
+        uri?: string;
+        expiration?: string;
+        resourceAbilityRequests?: any[];
+      }) => {
+        const toSign = await createSiweMessageWithRecaps({
+          uri: params.uri!,
+          expiration: params.expiration!,
+          resources: params.resourceAbilityRequests!,
+          walletAddress: authSig.address,
+          nonce: await client.getLatestBlockhash(),
+          litNodeClient: client,
+        });
+        return generateAuthSig({
+          signer: {
+            signMessage: async () => authSig.sig,
+            getAddress: async () => authSig.address,
+          } as any,
+          toSign,
+        });
+      },
+    });
+  }
+
+  async encrypt(
+    data: Uint8Array,
+    accessConditions: LitAccessCondition[],
+    chain: string = "ethereum",
+  ): Promise<LitEncryptedData> {
+    const client = await this.getClient();
+    const { encryptUint8Array } = await import("@lit-protocol/encryption");
+    const { ciphertext, dataToEncryptHash } = await encryptUint8Array(
+      { accessControlConditions: accessConditions as any, dataToEncrypt: data },
+      client,
+    );
+    return {
+      engine: "lit",
+      ciphertext:
+        typeof ciphertext === "string" ? new TextEncoder().encode(ciphertext) : ciphertext,
+      dataToEncryptHash,
+      accessControlConditions: accessConditions,
+      chain: chain as any,
+    };
+  }
+
+  async decrypt(encrypted: LitEncryptedData, sessionSigsOrAuthSig: any): Promise<Uint8Array> {
+    let sessionSigs = sessionSigsOrAuthSig;
+
+    // If an authSig object is passed, resolve it to sessionSigs
+    if (sessionSigsOrAuthSig?.sig && sessionSigsOrAuthSig?.address) {
+      sessionSigs = await this.getSessionSigs(
+        sessionSigsOrAuthSig as LitAuthSig,
+        encrypted.chain as string,
+      );
+    }
+
+    const client = await this.getClient();
+    const { decryptToUint8Array } = await import("@lit-protocol/encryption");
+    return decryptToUint8Array(
+      {
+        accessControlConditions: encrypted.accessControlConditions as any,
+        chain: encrypted.chain as string,
+        ciphertext:
+          typeof encrypted.ciphertext === "string"
+            ? encrypted.ciphertext
+            : new TextDecoder().decode(encrypted.ciphertext),
+        dataToEncryptHash: encrypted.dataToEncryptHash,
+        sessionSigs,
+      },
+      client,
+    );
+  }
+
+  createAddressCondition(address: string, chain: EvmChain): LitEvmCondition {
+    return {
+      conditionType: "evmBasic",
+      contractAddress: "" as EvmAddress,
+      standardContractType: "",
+      chain,
+      method: "",
+      parameters: [":userAddress"],
+      returnValueTest: { comparator: "=", value: address },
+    };
+  }
+
+  createReputationCondition(opts: {
+    registryAddress: string;
+    minScore: number;
+    chain: EvmChain;
+  }): LitEvmCondition {
+    return {
+      conditionType: "evmContract",
+      contractAddress: opts.registryAddress as EvmAddress,
+      standardContractType: "",
+      chain: opts.chain,
+      method: "getScore",
+      parameters: [":userAddress"],
+      returnValueTest: { comparator: ">=", value: String(opts.minScore) },
+    };
+  }
+
+  async disconnect(): Promise<void> {
+    if (this.client) {
+      await this.client.disconnect();
+      this.client = null;
+    }
+  }
+}

package/src/encryption/vault-key.ts

@@ -0,0 +1,63 @@
+/**
+ * Vault key derivation with optional caching.
+ *
+ * Derives a deterministic AES-256 key from a wallet signature
+ * and caches the signature in storage to avoid re-prompting.
+ */
+
+import { AESEngine } from "./aes.js";
+
+const CACHE_PREFIX = "orbitmem:vk";
+const aes = new AESEngine({ kdf: "hkdf-sha256" });
+
+export interface VaultKeyConfig {
+  /** Wallet address (used as cache key discriminator) */
+  address: string;
+  /** Wallet signMessage function — returns hex signature */
+  signMessage: (message: string) => Promise<string>;
+  /** Storage adapter for caching (default: sessionStorage if available) */
+  storage?: {
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
+  };
+}
+
+/**
+ * Derive a vault encryption key, caching the signature to avoid
+ * re-prompting the wallet on page reload.
+ *
+ * Usage:
+ * ```ts
+ * const { key, clear } = await deriveVaultKeyWithCache({
+ *   address: "0x...",
+ *   signMessage: (msg) => wagmiSignMessage({ message: msg }),
+ * });
+ * // Use `key` for encryption/decryption
+ * // Call `clear()` on disconnect
+ * ```
+ */
+export async function deriveVaultKeyWithCache(
+  config: VaultKeyConfig,
+): Promise<{ key: CryptoKey; clear: () => void }> {
+  const { address, signMessage } = config;
+  const storage = config.storage ?? (typeof sessionStorage !== "undefined" ? sessionStorage : null);
+  const cacheKey = `${CACHE_PREFIX}:${address}`;
+
+  let sig = storage?.getItem(cacheKey) ?? null;
+  if (!sig) {
+    sig = await signMessage("OrbitMem Vault Key v1");
+    storage?.setItem(cacheKey, sig);
+  }
+
+  const sigBytes = new Uint8Array((sig.slice(2).match(/.{2}/g) ?? []).map((b) => parseInt(b, 16)));
+  const hash = new Uint8Array(await crypto.subtle.digest("SHA-256", sigBytes as BufferSource));
+  const key = await aes.deriveKey({ type: "raw", key: hash });
+
+  return {
+    key,
+    clear() {
+      storage?.removeItem(cacheKey);
+    },
+  };
+}

package/src/identity/__tests__/identity.test.ts

@@ -0,0 +1,31 @@
+import { describe, expect, test } from "bun:test";
+
+import { deriveSessionKey } from "../session.js";
+
+describe("IdentityLayer", () => {
+  test("creates session key from EVM signature", async () => {
+    const session = await deriveSessionKey({
+      family: "evm",
+      signature: new Uint8Array(65).fill(1),
+      parentAddress: "0x1234567890abcdef1234567890abcdef12345678",
+      permissions: [{ type: "vault:read" }, { type: "vault:write" }],
+      ttl: 3600,
+    });
+    expect(session.id).toBeTruthy();
+    expect(session.family).toBe("evm");
+    expect(session.permissions).toHaveLength(2);
+    expect(session.isActive).toBe(true);
+    expect(session.expiresAt).toBeGreaterThan(Date.now());
+  });
+
+  test("session key expires", async () => {
+    const session = await deriveSessionKey({
+      family: "evm",
+      signature: new Uint8Array(65).fill(1),
+      parentAddress: "0x1234567890abcdef1234567890abcdef12345678",
+      permissions: [{ type: "vault:read" }],
+      ttl: -1, // already expired
+    });
+    expect(session.isActive).toBe(false);
+  });
+});

package/src/identity/__tests__/ows-adapter.test.ts

@@ -0,0 +1,47 @@
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+
+import { createOwsAdapter } from "../ows-adapter.js";
+
+const WALLET = "orbitmem-test-adapter";
+const CHAIN = "eip155:84532"; // Base Sepolia
+
+describe("ows-adapter", () => {
+  beforeAll(async () => {
+    const { createWallet, listWallets } = await import("@open-wallet-standard/core");
+    const existing = listWallets().find((w) => w.name === WALLET);
+    if (!existing) {
+      createWallet(WALLET);
+    }
+  });
+
+  afterAll(async () => {
+    try {
+      const { deleteWallet } = await import("@open-wallet-standard/core");
+      deleteWallet(WALLET);
+    } catch {
+      // ignore
+    }
+  });
+
+  test("getAddress returns a valid EVM address", async () => {
+    const adapter = createOwsAdapter(WALLET, CHAIN);
+    const address = await adapter.getAddress();
+    expect(address).toMatch(/^0x[0-9a-fA-F]{40}$/);
+  });
+
+  test("signMessage returns a Uint8Array signature", async () => {
+    const adapter = createOwsAdapter(WALLET, CHAIN);
+    const result = await adapter.signMessage("hello");
+    expect(result.signature).toBeInstanceOf(Uint8Array);
+    expect(result.signature.length).toBeGreaterThan(0);
+    expect(result.algorithm).toBe("ecdsa-secp256k1");
+  });
+
+  test("toViemAccount returns account with address and sign methods", async () => {
+    const adapter = createOwsAdapter(WALLET, CHAIN);
+    const account = await adapter.toViemAccount();
+    expect(account.address).toMatch(/^0x[0-9a-fA-F]{40}$/);
+    expect(typeof account.signMessage).toBe("function");
+    expect(typeof account.signTransaction).toBe("function");
+  });
+});