accounts 0.7.0 → 0.7.2

package/src/core/Account.test.ts

@@ -306,4 +306,149 @@ describe('find', () => {
       `[Provider.DisconnectedError: No active account.]`,
     )
   })
+
+  test('behavior: unscoped access key is used regardless of calls', async () => {
+    const keyPair = await WebCryptoP256.createKeyPair()
+    const store = setup(
+      [{ address: accounts[0].address, keyType: 'secp256k1', privateKey: privateKeys[0] }],
+      [
+        {
+          address: '0x0000000000000000000000000000000000000099',
+          access: accounts[0].address,
+          keyType: 'webCrypto',
+          keyPair,
+        },
+      ],
+    )
+
+    const result = Account.find({
+      signable: true,
+      store,
+      calls: [{ to: '0x0000000000000000000000000000000000000abc', data: '0xa9059cbb' }],
+    })
+
+    expect(result.source).toMatchInlineSnapshot(`"accessKey"`)
+  })
+
+  test('behavior: scoped access key is used when calls match', async () => {
+    const keyPair = await WebCryptoP256.createKeyPair()
+    const token = '0x0000000000000000000000000000000000000abc' as const
+    const store = setup(
+      [{ address: accounts[0].address, keyType: 'secp256k1', privateKey: privateKeys[0] }],
+      [
+        {
+          address: '0x0000000000000000000000000000000000000099',
+          access: accounts[0].address,
+          keyType: 'webCrypto',
+          keyPair,
+          scopes: [{ address: token, selector: '0xa9059cbb' }],
+        },
+      ],
+    )
+
+    const result = Account.find({
+      signable: true,
+      store,
+      calls: [{ to: token, data: '0xa9059cbb0000000000000000000000000000000000000001' }],
+    })
+
+    expect(result.source).toMatchInlineSnapshot(`"accessKey"`)
+  })
+
+  test('behavior: scoped access key falls back to root when calls do not match', async () => {
+    const keyPair = await WebCryptoP256.createKeyPair()
+    const token = '0x0000000000000000000000000000000000000abc' as const
+    const store = setup(
+      [{ address: accounts[0].address, keyType: 'secp256k1', privateKey: privateKeys[0] }],
+      [
+        {
+          address: '0x0000000000000000000000000000000000000099',
+          access: accounts[0].address,
+          keyType: 'webCrypto',
+          keyPair,
+          scopes: [{ address: token, selector: '0xa9059cbb' }],
+        },
+      ],
+    )
+
+    const result = Account.find({
+      signable: true,
+      store,
+      calls: [{ to: '0x0000000000000000000000000000000000000def', data: '0xdeadbeef' }],
+    })
+
+    expect(result.address).toMatchInlineSnapshot(`"${accounts[0].address}"`)
+    expect(result.source).not.toBe('accessKey')
+  })
+
+  test('behavior: scoped access key with human-readable selector matches', async () => {
+    const keyPair = await WebCryptoP256.createKeyPair()
+    const token = '0x0000000000000000000000000000000000000abc' as const
+    const store = setup(
+      [{ address: accounts[0].address, keyType: 'secp256k1', privateKey: privateKeys[0] }],
+      [
+        {
+          address: '0x0000000000000000000000000000000000000099',
+          access: accounts[0].address,
+          keyType: 'webCrypto',
+          keyPair,
+          scopes: [{ address: token, selector: 'transfer(address,uint256)' }],
+        },
+      ],
+    )
+
+    // 0xa9059cbb is the selector for transfer(address,uint256)
+    const result = Account.find({
+      signable: true,
+      store,
+      calls: [{ to: token, data: '0xa9059cbb0000000000000000000000000000000000000001' }],
+    })
+
+    expect(result.source).toMatchInlineSnapshot(`"accessKey"`)
+  })
+
+  test('behavior: scoped access key without selector allows any call to that address', async () => {
+    const keyPair = await WebCryptoP256.createKeyPair()
+    const token = '0x0000000000000000000000000000000000000abc' as const
+    const store = setup(
+      [{ address: accounts[0].address, keyType: 'secp256k1', privateKey: privateKeys[0] }],
+      [
+        {
+          address: '0x0000000000000000000000000000000000000099',
+          access: accounts[0].address,
+          keyType: 'webCrypto',
+          keyPair,
+          scopes: [{ address: token }],
+        },
+      ],
+    )
+
+    const result = Account.find({
+      signable: true,
+      store,
+      calls: [{ to: token, data: '0xdeadbeef' }],
+    })
+
+    expect(result.source).toMatchInlineSnapshot(`"accessKey"`)
+  })
+
+  test('behavior: scoped access key used when no calls provided', async () => {
+    const keyPair = await WebCryptoP256.createKeyPair()
+    const store = setup(
+      [{ address: accounts[0].address, keyType: 'secp256k1', privateKey: privateKeys[0] }],
+      [
+        {
+          address: '0x0000000000000000000000000000000000000099',
+          access: accounts[0].address,
+          keyType: 'webCrypto',
+          keyPair,
+          scopes: [{ address: '0x0000000000000000000000000000000000000abc' }],
+        },
+      ],
+    )
+
+    const result = Account.find({ signable: true, store })
+
+    expect(result.source).toMatchInlineSnapshot(`"accessKey"`)
+  })
 })

package/src/core/Account.ts

@@ -1,4 +1,4 @@
-import { Provider, type WebCryptoP256 } from 'ox'
+import { AbiFunction, Provider, type WebCryptoP256 } from 'ox'
 import { type KeyAuthorization } from 'ox/tempo'
 import type { Hex } from 'viem'
 import type { Address, JsonRpcAccount } from 'viem/accounts'
@@ -42,7 +42,15 @@ export type AccessKey = {
   /** Key type. */
   keyType: 'secp256k1' | 'p256' | 'webAuthn' | 'webCrypto'
   /** TIP-20 spending limits for the access key. */
-  limits?: { token: Address; limit: bigint }[] | undefined
+  limits?: { token: Address; limit: bigint; period?: number | undefined }[] | undefined
+  /** Call scopes restricting which contracts/selectors this key can call. */
+  scopes?:
+    | {
+        address: Address
+        selector?: Hex | string | undefined
+        recipients?: readonly Address[] | undefined
+      }[]
+    | undefined
 } & OneOf<
   | {}
   | {
@@ -82,7 +90,8 @@ export function find(options: find.Options): TempoAccount.Account | JsonRpcAccou
       // Remove expired access keys.
       if (key.expiry && key.expiry < Date.now() / 1000)
         store.setState({ accessKeys: accessKeys.filter((a) => a !== key) })
-      else return hydrateAccessKey(key) as never
+      // Use access key if unscoped or scopes cover the requested calls; otherwise fall through to root.
+      else if (scopesMatch(key, options)) return hydrateAccessKey(key) as never
     }
   }
 
@@ -95,6 +104,8 @@ export declare namespace find {
     accessKey?: boolean | undefined
     /** Address to resolve. Defaults to the active account. */
     address?: Address | undefined
+    /** Calls to match against access key scopes. When provided, access keys whose scopes don't cover these calls are skipped. */
+    calls?: readonly { to?: Address | undefined; data?: Hex | undefined }[] | undefined
     /** Whether to hydrate signing capability. @default false */
     signable?: boolean | undefined
     /** Reactive state store. */
@@ -168,3 +179,23 @@ export declare namespace hydrate {
     signable?: boolean | undefined
   }
 }
+
+/** Returns true if the access key's scopes cover the requested calls (or key is unscoped). */
+function scopesMatch(key: AccessKey, options: find.Options): boolean {
+  if (!options.calls || !key.scopes) return true
+  return options.calls!.every((call) => {
+    if (!call.to) return false
+    const callTo = call.to.toLowerCase()
+    const callSelector = call.data?.slice(0, 10).toLowerCase()
+    return key.scopes!.some((scope) => {
+      if (scope.address.toLowerCase() !== callTo) return false
+      if (!scope.selector) return true
+      const scopeSelector = (
+        scope.selector.startsWith('0x') && scope.selector.length === 10
+          ? scope.selector
+          : AbiFunction.getSelector(scope.selector)
+      ).toLowerCase()
+      return callSelector === scopeSelector
+    })
+  })
+}

package/src/core/Adapter.ts

@@ -206,14 +206,24 @@ export declare namespace authorizeAccessKey {
   type Parameters = {
     /** Access key address. Alternative to `publicKey` when the caller already knows the derived address. */
     address?: Address | undefined
+    /** Chain ID the key authorization is scoped to. Defaults to the active chain. */
+    chainId?: number | undefined
     /** Unix timestamp (seconds) when the key expires. */
     expiry: number
     /** Key type of the external public key. Required when `publicKey` or `address` is provided. */
     keyType?: 'secp256k1' | 'p256' | 'webAuthn' | undefined
     /** TIP-20 spending limits for this key. */
-    limits?: readonly { token: Address; limit: bigint }[] | undefined
+    limits?: readonly { token: Address; limit: bigint; period?: number | undefined }[] | undefined
     /** External public key to authorize. When provided, no key pair is generated — the caller holds the signing material. */
     publicKey?: Hex | undefined
+    /** Call scopes restricting which contracts/selectors this key can call. */
+    scopes?:
+      | readonly {
+          address: Address
+          selector?: Hex | string | undefined
+          recipients?: readonly Address[] | undefined
+        }[]
+      | undefined
     /** Pre-computed signature over the key authorization digest (skips a second signing ceremony). */
     signature?: Hex | undefined
   }

package/src/core/Provider.test.ts

@@ -648,24 +648,32 @@ describe.each(adapters)('$name', ({ adapter }: (typeof adapters)[number]) => {
 
       const result = await provider.request({ method: 'wallet_getCapabilities' })
       expect(result).toMatchInlineSnapshot(`
-        {
-          "0x1079": {
-            "accessKeys": {
-              "status": "supported",
-            },
-            "atomic": {
-              "status": "supported",
-            },
-          },
-          "0xa5bf": {
-            "accessKeys": {
-              "status": "supported",
-            },
-            "atomic": {
-              "status": "supported",
-            },
-          },
-        }
+      	{
+      	  "0x1079": {
+      	    "accessKeys": {
+      	      "status": "supported",
+      	    },
+      	    "atomic": {
+      	      "status": "supported",
+      	    },
+      	  },
+      	  "0x7a56": {
+      	    "accessKeys": {
+      	      "status": "supported",
+      	    },
+      	    "atomic": {
+      	      "status": "supported",
+      	    },
+      	  },
+      	  "0xa5bf": {
+      	    "accessKeys": {
+      	      "status": "supported",
+      	    },
+      	    "atomic": {
+      	      "status": "supported",
+      	    },
+      	  },
+      	}
       `)
     })
 
@@ -724,7 +732,7 @@ describe.each(adapters)('$name', ({ adapter }: (typeof adapters)[number]) => {
         method: 'wallet_getCapabilities',
         params: [connected],
       })
-      expect(Object.keys(result).length).toMatchInlineSnapshot(`2`)
+      expect(Object.keys(result).length).toMatchInlineSnapshot(`3`)
       expect(result[Hex.fromNumber(tempo.id)]!.atomic.status).toMatchInlineSnapshot(`"supported"`)
     })
 

package/src/core/Provider.ts

@@ -3,7 +3,7 @@ import { Mppx, tempo as mppx_tempo } from 'mppx/client'
 import { Hash, Hex, Json, Provider as ox_Provider, RpcResponse } from 'ox'
 import { KeyAuthorization } from 'ox/tempo'
 import type { Chain, Client as ViemClient, Transport } from 'viem'
-import { tempo, tempoModerato } from 'viem/chains'
+import { tempo, tempoDevnet, tempoModerato } from 'viem/chains'
 import { Actions } from 'viem/tempo'
 import * as z from 'zod/mini'
 
@@ -49,7 +49,7 @@ const announced = new Set<string>()
 export function create(options: create.Options = {}): create.ReturnType {
   const {
     adapter = dialog(),
-    chains = [tempo, tempoModerato],
+    chains = [tempo, tempoModerato, tempoDevnet],
     persistCredentials,
     testnet,
     storage = typeof window !== 'undefined' ? Storage.idb() : Storage.memory(),
@@ -681,7 +681,7 @@ export declare namespace create {
     authorizeAccessKey?: (() => Adapter.authorizeAccessKey.Parameters) | undefined
     /**
      * Supported chains. First chain is the default.
-     * @default [tempo, tempoModerato]
+     * @default [tempo, tempoModerato, tempoDevnet]
      */
     chains?: readonly [Chain, ...Chain[]] | undefined
     /** Fee payer configuration. @see {@link Client.fromChainId.Options.feePayer} */

package/src/core/adapters/local.ts

@@ -34,8 +34,8 @@ export function local(options: local.Options): Adapter.Adapter {
      * For local keys: generates a P256 key pair via `AccessKey.generate`.
      */
     async function prepareKeyAuthorization(options: Adapter.authorizeAccessKey.Parameters) {
-      const { expiry, limits } = options
-      const chainId = getClient().chain.id
+      const { expiry, limits, scopes } = options
+      const chainId = options.chainId ?? getClient().chain.id
 
       if (options.publicKey || options.address) {
         const accessKeyAddress =
@@ -46,6 +46,7 @@ export function local(options: local.Options): Adapter.Adapter {
           chainId: BigInt(chainId),
           expiry,
           limits,
+          scopes,
           type: keyType,
         })
         return { keyAuthorization }
@@ -58,6 +59,7 @@ export function local(options: local.Options): Adapter.Adapter {
         chainId: BigInt(chainId),
         expiry,
         limits,
+        scopes,
         type: 'p256',
       })
       return { keyAuthorization, keyPair }

package/src/core/zod/rpc.ts

@@ -51,7 +51,11 @@ export const keyAuthorization = z.object({
   expiry: z.union([u.number(), z.null(), z.undefined()]),
   keyId: u.address(),
   keyType,
-  limits: z.optional(z.readonly(z.array(z.object({ token: u.address(), limit: u.bigint() })))),
+  limits: z.optional(
+    z.readonly(
+      z.array(z.object({ token: u.address(), limit: u.bigint(), period: z.optional(u.number()) })),
+    ),
+  ),
   signature: signatureEnvelope,
 })
 
@@ -341,13 +345,31 @@ export namespace wallet_getCapabilities {
 export namespace wallet_authorizeAccessKey {
   export const parameters = z.object({
     address: z.optional(u.address()),
+    chainId: z.optional(u.number()),
     expiry: z.number(),
     keyType: z.optional(keyType),
-    limits: z.optional(z.readonly(z.array(z.object({ token: u.address(), limit: u.bigint() })))),
+    limits: z.optional(
+      z.readonly(
+        z.array(
+          z.object({ token: u.address(), limit: u.bigint(), period: z.optional(z.number()) }),
+        ),
+      ),
+    ),
     publicKey: z.optional(u.hex()),
+    scopes: z.optional(
+      z.readonly(
+        z.array(
+          z.object({
+            address: u.address(),
+            selector: z.optional(z.union([u.hex(), z.string()])),
+            recipients: z.optional(z.readonly(z.array(u.address()))),
+          }),
+        ),
+      ),
+    ),
   })
 
-  const returns = z.object({
+  export const returns = z.object({
     keyAuthorization,
     rootAddress: u.address(),
   })
@@ -366,8 +388,21 @@ export namespace wallet_authorizeAccessKey_strict {
     address: z.optional(u.address()),
     expiry: z.number(),
     keyType: z.optional(keyType),
-    limits: z.readonly(z.array(z.object({ token: u.address(), limit: u.bigint() }))),
+    limits: z.readonly(
+      z.array(z.object({ token: u.address(), limit: u.bigint(), period: z.optional(z.number()) })),
+    ),
     publicKey: z.optional(u.hex()),
+    scopes: z.optional(
+      z.readonly(
+        z.array(
+          z.object({
+            address: u.address(),
+            selector: z.optional(z.union([u.hex(), z.string()])),
+            recipients: z.optional(z.readonly(z.array(u.address()))),
+          }),
+        ),
+      ),
+    ),
   })
 }
 

package/src/react-native/Provider.test.ts

@@ -0,0 +1,115 @@
+import { Address, Hex, PublicKey } from 'ox'
+import { KeyAuthorization } from 'ox/tempo'
+import { parseUnits, type Address as viem_Address } from 'viem'
+import { Actions, Addresses } from 'viem/tempo'
+import { describe, expect, test } from 'vp/test'
+
+import { accounts, chain, getClient } from '../../test/config.js'
+import * as Storage from '../core/Storage.js'
+import * as Provider from './Provider.js'
+
+const root = accounts[0]!
+const transferCall = Actions.token.transfer.call({
+  to: '0x0000000000000000000000000000000000000001',
+  token: Addresses.pathUsd,
+  amount: parseUnits('1', 6),
+})
+
+async function fund(address: viem_Address) {
+  await Actions.token.transferSync(getClient(), {
+    account: root,
+    feeToken: Addresses.pathUsd,
+    to: address,
+    token: Addresses.pathUsd,
+    amount: parseUnits('10', 6),
+  })
+}
+
+function createOpen(options: { mismatchFirstCall?: boolean | undefined } = {}) {
+  let calls = 0
+
+  return {
+    calls: () => calls,
+    open: async (url: string) => {
+      calls += 1
+
+      const authUrl = new URL(url)
+      const callback = authUrl.searchParams.get('callback')
+      const chainId = authUrl.searchParams.get('chainId')
+      const pubKey = authUrl.searchParams.get('pubKey')
+      const state = authUrl.searchParams.get('state')
+
+      if (!callback || !chainId || !pubKey || !state)
+        throw new Error('Expected callback, chainId, pubKey, and state in auth URL.')
+
+      const limits = authUrl.searchParams.get('limits')
+      const keyType = authUrl.searchParams.get('keyType')
+      if (keyType !== 'p256' && keyType !== 'secp256k1')
+        throw new Error('Expected a managed key type in auth URL.')
+
+      const keyAuthorization = await root.signKeyAuthorization(
+        {
+          accessKeyAddress:
+            options.mismatchFirstCall && calls === 1
+              ? accounts[1]!.address
+              : Address.fromPublicKey(PublicKey.fromHex(pubKey as Hex.Hex)),
+          keyType,
+        },
+        {
+          chainId: BigInt(chainId),
+          ...(authUrl.searchParams.get('expiry')
+            ? { expiry: Number(authUrl.searchParams.get('expiry')) }
+            : {}),
+          ...(limits
+            ? {
+                limits: (JSON.parse(limits) as { token: `0x${string}`; limit: string }[]).map(
+                  (x) => ({
+                    limit: BigInt(x.limit),
+                    token: x.token,
+                  }),
+                ),
+              }
+            : {}),
+        },
+      )
+
+      const callbackUrl = new URL(callback)
+      callbackUrl.searchParams.set('accountAddress', root.address)
+      callbackUrl.searchParams.set('keyAuthorization', KeyAuthorization.serialize(keyAuthorization))
+      callbackUrl.searchParams.set('state', state)
+      return callbackUrl.toString()
+    },
+  }
+}
+
+describe('create', () => {
+  test('behavior: reauthorizes the managed key when the saved authorization targets the wrong key', async () => {
+    const secureStorage = Storage.memory()
+    const browser = createOpen({ mismatchFirstCall: true })
+    const provider = Provider.create({
+      authorizeAccessKey: () => ({
+        expiry: Math.floor(Date.now() / 1000) + 3600,
+      }),
+      chains: [chain],
+      host: 'https://wallet.tempo.xyz',
+      open: browser.open,
+      redirectUri: 'accounts-playground://auth',
+      secureStorage,
+    })
+
+    const result = await provider.request({
+      method: 'wallet_connect',
+      params: [{ capabilities: { method: 'register', name: 'Accounts RN Test' } }],
+    })
+    expect(result.accounts[0]!.address).toBe(root.address)
+
+    await fund(root.address)
+
+    const receipt = await provider.request({
+      method: 'eth_sendTransactionSync',
+      params: [{ calls: [transferCall], feeToken: Addresses.pathUsd }],
+    })
+    expect(receipt.status).toMatchInlineSnapshot(`"0x1"`)
+    expect(browser.calls()).toMatchInlineSnapshot(`2`)
+  })
+})