@twin.org/dlt-iota 0.0.3-next.13 → 0.0.3-next.15

package/dist/types/vaultJwtSigner.d.ts

@@ -0,0 +1,26 @@
+import { StorageSigner } from "@iota/identity-wasm/node/index.js";
+import type { IVaultConnector } from "@twin.org/vault-models";
+import type { IIotaConfig } from "./models/IIotaConfig.js";
+/**
+ * Factory that creates a vault-backed StorageSigner for IOTA Identity operations.
+ * The private key never leaves the vault — only the raw signing operation is delegated.
+ *
+ * The returned StorageSigner is a genuine WASM object, satisfying the internal validation
+ * that IdentityClient.create() performs on the signer's iotaPublicKeyBytes() path.
+ */
+export declare class VaultJwtSigner {
+    /**
+     * Runtime name for the class.
+     */
+    static readonly CLASS_NAME: string;
+    /**
+     * Create a StorageSigner whose cryptographic operations are backed by the vault connector.
+     * @param vaultConnector The vault connector.
+     * @param config The configuration.
+     * @param identity The identity of the user to access the vault keys.
+     * @param accountIndex The account index.
+     * @param addressIndex The address index within the account.
+     * @returns A StorageSigner backed by the vault for the specified key.
+     */
+    static create(vaultConnector: IVaultConnector, config: IIotaConfig, identity: string, accountIndex: number, addressIndex: number): Promise<StorageSigner>;
+}

package/dist/types/vaultSigner.d.ts

@@ -0,0 +1,32 @@
+import { Signer, type SignatureScheme } from "@iota/iota-sdk/cryptography";
+import { Ed25519PublicKey } from "@iota/iota-sdk/keypairs/ed25519";
+import type { IVaultConnector } from "@twin.org/vault-models";
+/**
+ * A signer that delegates all signing to the vault connector, ensuring the private key
+ * is never exposed to application code.
+ */
+export declare class VaultSigner extends Signer {
+    /**
+     * Create a new VaultSigner.
+     * @param vaultConnector The vault connector used to perform signing operations.
+     * @param keyName The name of the key in the vault to use for signing.
+     * @param publicKey The public key bytes corresponding to the vault key.
+     */
+    constructor(vaultConnector: IVaultConnector, keyName: string, publicKey: Uint8Array);
+    /**
+     * Get the key scheme.
+     * @returns The signature scheme.
+     */
+    getKeyScheme(): SignatureScheme;
+    /**
+     * Get the public key.
+     * @returns The Ed25519 public key.
+     */
+    getPublicKey(): Ed25519PublicKey;
+    /**
+     * Sign the provided bytes via the vault connector.
+     * @param bytes The bytes to sign.
+     * @returns The raw Ed25519 signature bytes.
+     */
+    sign(bytes: Uint8Array): Promise<Uint8Array>;
+}

package/dist/types/vaultTransactionSigner.d.ts

@@ -0,0 +1,39 @@
+import { type PublicKey } from "@iota/iota-sdk/cryptography";
+import type { IVaultConnector } from "@twin.org/vault-models";
+import type { ITransactionSigner } from "./models/ITransactionSigner.js";
+/**
+ * A transaction signer that delegates all signing operations to the vault connector,
+ * ensuring the private key is never exposed to application code.
+ */
+export declare class VaultTransactionSigner implements ITransactionSigner {
+    /**
+     * Create a new VaultTransactionSigner.
+     * @param vaultConnector The vault connector used to perform signing operations.
+     * @param keyName The name of the key in the vault to use for signing.
+     * @param publicKey The public key bytes corresponding to the vault key.
+     */
+    constructor(vaultConnector: IVaultConnector, keyName: string, publicKey: Uint8Array);
+    /**
+     * Sign the BCS-encoded transaction data.
+     * Applies the TransactionData intent, hashes the result, signs via the vault,
+     * and returns a serialized IOTA signature string.
+     * @param txDataBcs The raw transaction bytes to sign.
+     * @returns The serialized signature string.
+     */
+    sign(txDataBcs: Uint8Array): Promise<string>;
+    /**
+     * Get the public key for this signer.
+     * @returns The Ed25519 public key.
+     */
+    publicKey(): Promise<PublicKey>;
+    /**
+     * Get the IOTA-formatted public key bytes (scheme flag byte followed by the raw key bytes).
+     * @returns The IOTA public key bytes.
+     */
+    iotaPublicKeyBytes(): Promise<Uint8Array>;
+    /**
+     * Get the vault key name used by this signer.
+     * @returns The key name.
+     */
+    keyId(): string;
+}

package/docs/changelog.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## [0.0.3-next.15](https://github.com/iotaledger/twin-dlt/compare/dlt-iota-v0.0.3-next.14...dlt-iota-v0.0.3-next.15) (2026-06-17)
+
+
+### Features
+
+* add vault signers ([#76](https://github.com/iotaledger/twin-dlt/issues/76)) ([bfdd701](https://github.com/iotaledger/twin-dlt/commit/bfdd701a010ad45d4f0cffb06d829360cf380a40))
+
+## [0.0.3-next.14](https://github.com/iotaledger/twin-dlt/compare/dlt-iota-v0.0.3-next.13...dlt-iota-v0.0.3-next.14) (2026-06-15)
+
+
+### Bug Fixes
+
+* use async getStore in tests ([0a7d4ac](https://github.com/iotaledger/twin-dlt/commit/0a7d4ac3e524481c2ca49d7fbb3507556b42473e))
+* use async getStore in tests ([39a533d](https://github.com/iotaledger/twin-dlt/commit/39a533d9e2f806add624fc3f7ea7817f4b4c89f1))
+
 ## [0.0.3-next.13](https://github.com/iotaledger/twin-dlt/compare/dlt-iota-v0.0.3-next.12...dlt-iota-v0.0.3-next.13) (2026-05-20)
 
 

package/docs/reference/classes/Iota.md

@@ -266,11 +266,11 @@ The list of addresses.
 
 ***
 
-### getKeyPair() {#getkeypair}
+### getTransactionSigner() {#gettransactionsigner}
 
-> `static` **getKeyPair**(`vaultConnector`, `config`, `identity`, `accountIndex`, `addressIndex`, `isInternal?`): `Promise`\<\{ `privateKey`: `Uint8Array`; `publicKey`: `Uint8Array`; \}\>
+> `static` **getTransactionSigner**(`vaultConnector`, `config`, `identity`, `accountIndex`, `addressIndex`): `Promise`\<[`VaultTransactionSigner`](VaultTransactionSigner.md)\>
 
-Get a key pair for the specified index.
+Get a vault-backed transaction signer for the given identity and key indices.
 
 #### Parameters
 
@@ -296,25 +296,19 @@ The identity of the user to access the vault keys.
 
 `number`
 
-The account index to get the key pair for.
+The account index.
 
 ##### addressIndex
 
 `number`
 
-The address index to get the key pair for.
-
-##### isInternal?
-
-`boolean`
-
-Whether the address is internal.
+The address index within the account.
 
 #### Returns
 
-`Promise`\<\{ `privateKey`: `Uint8Array`; `publicKey`: `Uint8Array`; \}\>
+`Promise`\<[`VaultTransactionSigner`](VaultTransactionSigner.md)\>
 
-The key pair containing private key and public key.
+A VaultTransactionSigner for the specified key.
 
 ***
 
@@ -466,74 +460,6 @@ The transaction response.
 
 ***
 
-### findAddress() {#findaddress}
-
-> `static` **findAddress**(`vaultConnector`, `config`, `identity`, `address`, `accountIndex`, `isInternal?`, `startScanIndex?`, `maxScanRange?`): `Promise`\<\{ `address`: `string`; `privateKey`: `Uint8Array`; `publicKey`: `Uint8Array`; \}\>
-
-Find the address in the seed.
-
-#### Parameters
-
-##### vaultConnector
-
-`IVaultConnector`
-
-The vault connector to use.
-
-##### config
-
-[`IIotaConfig`](../interfaces/IIotaConfig.md)
-
-The configuration to use.
-
-##### identity
-
-`string`
-
-The identity of the user to access the vault keys.
-
-##### address
-
-`string`
-
-The address to find.
-
-##### accountIndex
-
-`number`
-
-The account index to search.
-
-##### isInternal?
-
-`boolean`
-
-Whether to search internal addresses.
-
-##### startScanIndex?
-
-`number`
-
-The address index to start scanning from.
-
-##### maxScanRange?
-
-`number`
-
-The maximum range to scan.
-
-#### Returns
-
-`Promise`\<\{ `address`: `string`; `privateKey`: `Uint8Array`; `publicKey`: `Uint8Array`; \}\>
-
-The address key pair.
-
-#### Throws
-
-Error if the address is not found.
-
-***
-
 ### extractPayloadError() {#extractpayloaderror}
 
 > `static` **extractPayloadError**(`error`): `IError`
@@ -627,7 +553,7 @@ The operation to log.
 
 `Promise`\<[`IIotaDryRun`](../interfaces/IIotaDryRun.md)\>
 
-void.
+The dry run result including status, costs, events, and object changes.
 
 ***
 
@@ -1032,3 +958,25 @@ The address to get the balance for.
 `Promise`\<`bigint`\>
 
 The balance of the given address.
+
+***
+
+### transactionFromBytes() {#transactionfrombytes}
+
+> `static` **transactionFromBytes**(`bytes`): `Transaction`
+
+Create a transaction instance from the given bytes.
+
+#### Parameters
+
+##### bytes
+
+`Uint8Array`
+
+The transaction bytes to create the transaction from.
+
+#### Returns
+
+`Transaction`
+
+The transaction instance created from the given bytes.

package/docs/reference/classes/IotaIdentityUtils.md

@@ -1,7 +1,6 @@
 # Class: IotaIdentityUtils
 
-Utility class for resolving IOTA Identity on-chain objects required by
-the NFT mint_with_identity() Move contract function.
+Utility class for resolving IOTA Identity on-chain objects and controller tokens.
 
 ## Constructors
 
@@ -27,8 +26,7 @@ Runtime name for the class.
 
 > `static` **getControllerCapInfo**(`identityId`, `controllerAddress`, `client`): `Promise`\<[`IIotaControllerCapInfo`](../interfaces/IIotaControllerCapInfo.md)\>
 
-Resolve the on-chain object IDs for an identity and its controller token.
-Returns the IDs needed to call mint_with_identity() on the NFT Move contract.
+Resolves the on-chain object IDs for an identity and its controller token.
 
 #### Parameters
 

package/docs/reference/classes/IotaSmartContractUtils.md

@@ -1,7 +1,6 @@
 # Class: IotaSmartContractUtils
 
 Utility class providing common smart contract operations for IOTA-based contracts.
-This class uses composition pattern to provide shared functionality without inheritance complexity.
 
 ## Constructors
 

package/docs/reference/classes/VaultJwtSigner.md

@@ -0,0 +1,71 @@
+# Class: VaultJwtSigner
+
+Factory that creates a vault-backed StorageSigner for IOTA Identity operations.
+The private key never leaves the vault — only the raw signing operation is delegated.
+
+The returned StorageSigner is a genuine WASM object, satisfying the internal validation
+that IdentityClient.create() performs on the signer's iotaPublicKeyBytes() path.
+
+## Constructors
+
+### Constructor
+
+> **new VaultJwtSigner**(): `VaultJwtSigner`
+
+#### Returns
+
+`VaultJwtSigner`
+
+## Properties
+
+### CLASS\_NAME {#class_name}
+
+> `readonly` `static` **CLASS\_NAME**: `string`
+
+Runtime name for the class.
+
+## Methods
+
+### create() {#create}
+
+> `static` **create**(`vaultConnector`, `config`, `identity`, `accountIndex`, `addressIndex`): `Promise`\<`StorageSigner`\>
+
+Create a StorageSigner whose cryptographic operations are backed by the vault connector.
+
+#### Parameters
+
+##### vaultConnector
+
+`IVaultConnector`
+
+The vault connector.
+
+##### config
+
+[`IIotaConfig`](../interfaces/IIotaConfig.md)
+
+The configuration.
+
+##### identity
+
+`string`
+
+The identity of the user to access the vault keys.
+
+##### accountIndex
+
+`number`
+
+The account index.
+
+##### addressIndex
+
+`number`
+
+The address index within the account.
+
+#### Returns
+
+`Promise`\<`StorageSigner`\>
+
+A StorageSigner backed by the vault for the specified key.

package/docs/reference/classes/VaultSigner.md

@@ -0,0 +1,106 @@
+# Class: VaultSigner
+
+A signer that delegates all signing to the vault connector, ensuring the private key
+is never exposed to application code.
+
+## Extends
+
+- `Signer`
+
+## Constructors
+
+### Constructor
+
+> **new VaultSigner**(`vaultConnector`, `keyName`, `publicKey`): `VaultSigner`
+
+Create a new VaultSigner.
+
+#### Parameters
+
+##### vaultConnector
+
+`IVaultConnector`
+
+The vault connector used to perform signing operations.
+
+##### keyName
+
+`string`
+
+The name of the key in the vault to use for signing.
+
+##### publicKey
+
+`Uint8Array`
+
+The public key bytes corresponding to the vault key.
+
+#### Returns
+
+`VaultSigner`
+
+#### Overrides
+
+`Signer.constructor`
+
+## Methods
+
+### getKeyScheme() {#getkeyscheme}
+
+> **getKeyScheme**(): `SignatureScheme`
+
+Get the key scheme.
+
+#### Returns
+
+`SignatureScheme`
+
+The signature scheme.
+
+#### Overrides
+
+`Signer.getKeyScheme`
+
+***
+
+### getPublicKey() {#getpublickey}
+
+> **getPublicKey**(): `Ed25519PublicKey`
+
+Get the public key.
+
+#### Returns
+
+`Ed25519PublicKey`
+
+The Ed25519 public key.
+
+#### Overrides
+
+`Signer.getPublicKey`
+
+***
+
+### sign() {#sign}
+
+> **sign**(`bytes`): `Promise`\<`Uint8Array`\<`ArrayBufferLike`\>\>
+
+Sign the provided bytes via the vault connector.
+
+#### Parameters
+
+##### bytes
+
+`Uint8Array`
+
+The bytes to sign.
+
+#### Returns
+
+`Promise`\<`Uint8Array`\<`ArrayBufferLike`\>\>
+
+The raw Ed25519 signature bytes.
+
+#### Overrides
+
+`Signer.sign`

package/docs/reference/classes/VaultTransactionSigner.md

@@ -0,0 +1,122 @@
+# Class: VaultTransactionSigner
+
+A transaction signer that delegates all signing operations to the vault connector,
+ensuring the private key is never exposed to application code.
+
+## Implements
+
+- [`ITransactionSigner`](../interfaces/ITransactionSigner.md)
+
+## Constructors
+
+### Constructor
+
+> **new VaultTransactionSigner**(`vaultConnector`, `keyName`, `publicKey`): `VaultTransactionSigner`
+
+Create a new VaultTransactionSigner.
+
+#### Parameters
+
+##### vaultConnector
+
+`IVaultConnector`
+
+The vault connector used to perform signing operations.
+
+##### keyName
+
+`string`
+
+The name of the key in the vault to use for signing.
+
+##### publicKey
+
+`Uint8Array`
+
+The public key bytes corresponding to the vault key.
+
+#### Returns
+
+`VaultTransactionSigner`
+
+## Methods
+
+### sign() {#sign}
+
+> **sign**(`txDataBcs`): `Promise`\<`string`\>
+
+Sign the BCS-encoded transaction data.
+Applies the TransactionData intent, hashes the result, signs via the vault,
+and returns a serialized IOTA signature string.
+
+#### Parameters
+
+##### txDataBcs
+
+`Uint8Array`
+
+The raw transaction bytes to sign.
+
+#### Returns
+
+`Promise`\<`string`\>
+
+The serialized signature string.
+
+#### Implementation of
+
+[`ITransactionSigner`](../interfaces/ITransactionSigner.md).[`sign`](../interfaces/ITransactionSigner.md#sign)
+
+***
+
+### publicKey() {#publickey}
+
+> **publicKey**(): `Promise`\<`PublicKey`\>
+
+Get the public key for this signer.
+
+#### Returns
+
+`Promise`\<`PublicKey`\>
+
+The Ed25519 public key.
+
+#### Implementation of
+
+[`ITransactionSigner`](../interfaces/ITransactionSigner.md).[`publicKey`](../interfaces/ITransactionSigner.md#publickey)
+
+***
+
+### iotaPublicKeyBytes() {#iotapublickeybytes}
+
+> **iotaPublicKeyBytes**(): `Promise`\<`Uint8Array`\<`ArrayBufferLike`\>\>
+
+Get the IOTA-formatted public key bytes (scheme flag byte followed by the raw key bytes).
+
+#### Returns
+
+`Promise`\<`Uint8Array`\<`ArrayBufferLike`\>\>
+
+The IOTA public key bytes.
+
+#### Implementation of
+
+[`ITransactionSigner`](../interfaces/ITransactionSigner.md).[`iotaPublicKeyBytes`](../interfaces/ITransactionSigner.md#iotapublickeybytes)
+
+***
+
+### keyId() {#keyid}
+
+> **keyId**(): `string`
+
+Get the vault key name used by this signer.
+
+#### Returns
+
+`string`
+
+The key name.
+
+#### Implementation of
+
+[`ITransactionSigner`](../interfaces/ITransactionSigner.md).[`keyId`](../interfaces/ITransactionSigner.md#keyid)

package/docs/reference/index.md

@@ -5,6 +5,9 @@
 - [Iota](classes/Iota.md)
 - [IotaIdentityUtils](classes/IotaIdentityUtils.md)
 - [IotaSmartContractUtils](classes/IotaSmartContractUtils.md)
+- [VaultJwtSigner](classes/VaultJwtSigner.md)
+- [VaultSigner](classes/VaultSigner.md)
+- [VaultTransactionSigner](classes/VaultTransactionSigner.md)
 
 ## Interfaces
 
@@ -21,6 +24,7 @@
 - [IIotaResponseOptions](interfaces/IIotaResponseOptions.md)
 - [IMigrationStateFields](interfaces/IMigrationStateFields.md)
 - [ISmartContractObject](interfaces/ISmartContractObject.md)
+- [ITransactionSigner](interfaces/ITransactionSigner.md)
 
 ## Type Aliases
 

package/docs/reference/interfaces/IAdminCapFields.md

@@ -8,10 +8,10 @@ Generic interface representing the storage fields of an AdminCap object.
 
 > **id**: `object`
 
-The ID of the AdminCap object.
+The UID wrapper of the AdminCap object.
 
 #### id
 
 > **id**: `string`
 
-The ID of the AdminCap object.
+The hex string ID of the AdminCap object.

package/docs/reference/interfaces/IGasStationExecuteResponse.md

@@ -9,14 +9,12 @@ Interface for the gas station execute transaction response.
 > **effects**: `object`
 
 The transaction effects from the IOTA network.
-This contains the full IOTA transaction effects object.
 
 #### Index Signature
 
 \[`key`: `string`\]: `unknown`
 
-Additional effects data from the IOTA network.
-This includes messageVersion, status, executedEpoch, gasUsed, etc.
+Additional fields from the IOTA network effects object.
 
 #### transactionDigest
 

package/docs/reference/interfaces/IIotaControllerCapInfo.md

@@ -1,6 +1,6 @@
 # Interface: IIotaControllerCapInfo
 
-On-chain object IDs needed to call mint_with_identity() on the NFT Move contract.
+On-chain object IDs for an identity and its associated controller token.
 
 ## Properties
 
@@ -8,8 +8,7 @@ On-chain object IDs needed to call mint_with_identity() on the NFT Move contract
 
 > **identityObjectId**: `string`
 
-The on-chain Object ID of the Identity Move object (hex string, e.g. "0x...").
-Used as the Identity argument in mint_with_identity().
+The on-chain object ID of the Identity Move object (hex string, e.g. "0x...").
 
 ***
 
@@ -17,6 +16,4 @@ Used as the Identity argument in mint_with_identity().
 
 > **controllerCapObjectId**: `string`
 
-The on-chain Object ID of the ControllerToken Move object (hex string, e.g. "0x...").
-Proves that the controller address controls identityObjectId.
-Used as the ControllerCap argument in mint_with_identity().
+The on-chain object ID of the ControllerToken Move object (hex string, e.g. "0x...").

package/docs/reference/interfaces/IIotaResponseOptions.md

@@ -1,6 +1,6 @@
 # Interface: IIotaResponseOptions
 
-Configuration for IOTA.
+Options for controlling transaction execution and response behaviour.
 
 ## Extends