Skip to content

feat: Vincent Wrapped Keys (Platform User) #410

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Nov 19, 2025
Merged

feat: Vincent Wrapped Keys (Platform User) #410

merged 7 commits into from
Nov 19, 2025
+1,523 −989

Conversation

@MaximusHaximus
Copy link
Contributor

@MaximusHaximus MaximusHaximus commented Nov 17, 2025
edited
Loading

Description

This PR replaces #365; it contains some of the changes from that PR, further updates and enhancements based on API changes made since #365 was opened, and is rebased to our current master branch.

Changes vs. existing PR in 365:

Updated the app-sdk sessionSig creation's resourceAbilityRequests composition to include the ability to decrypt access-control-condition restricted resources, which facilitates Vincent Wrapped keys abilities being able to decrypt wrapped keys

  • Renamed decryptVincentWrappedKey -> exportPrivateKey to match existing wrapped keys SDK method names
  • Resolved TS80009 errors by removing @Typedef from tsdocs
  • Updated APIs to match evmContractConditions naming (exists partially in Platform User Auth for Wrapped Keys #365)
  • Updated APIs for delegatorAddress both in inputs and returned outputs from storage backend
  • Added explicit exported types for exportPrivateKey inputs and outputs (this matches our existing APIs/exports)
  • Removed unused sessionSigs helper code from the api layer
  • Removed unused getDecryptedKeyToSingleNode()
  • Renamed delegateeSessionSigs arg in generate methods to delegatorSessionSigs, since only delegators are allowed to generate sessionSigs per current spec.
  • Removed sessionSigs param from the base API params; they aren't required for basic service client usage (only needed for the generate and export methods of the API layer)
  • Paramaterized evmContractConditions in getSolanaKeyPair() -- this is stored along with other wrapped key metadata and should not be assumed to be static based on the SDK method (composition of the access control conditions is an internal concern of the generate methods only)
  • Updated REST API paths and arguments in service-client to match current paths
  • Removed unused devDependency on @lit-protocol/lit-node-client (we only use its type)
  • Replaced duplicated salt removal code and updated to use removeSaltFromDecryptedKey() in all places where we need to remove salt from the decrypted key (both exporting and inside of helper for solana wrapped keypair composition)
  • Updated exportPrivateKey API to match existing wrapped key behaviour patterns -- it now fetches the encrypted wrapped key from the storage backend using the id instead of expecting the consumer to use the service-client directly to fetch it; this was previously taking raw inputs and did not use the service client at all

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

  • E2E tests are not yet fully functional; there is some work still to be done here -- in particular, since our access control conditions require that the decryption is done by a PKP that owns the agent PKP, the e2e tests need to actually mint a user PKP that owns the agent PKP instead of using a raw ethers wallet.

Checklist:

  • I created a release plan (nx release plan) describing my changes and the version bump
  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • [] I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@MaximusHaximus
feat: Add getVincentWrappedKeysAccs() to contracts-sdk
628ba81 
- Removed intended-to-be-private ABI export, contract address, and `getPkpTokenId()` method
@MaximusHaximus
feat: Vincent Wrapped Keys
24381ec 
- Renamed `decryptVincentWrappedKey` -> `exportPrivateKey` to match existing wrapped keys SDK terminology
- Resolved `TS80009` errors by removing `@Typedef` from tsdocs
- Updated APIs for `evmContractConditions`
- Updated APIs for `delegatorAddress` both in inputs and returned outputs from storage backend
- Added explicit exported types for exportPrivateKey inputs and outputs (now matches our existing APIs structures)
- Removed unused sessionSigs helper code from the api layer
- Removed unused getDecryptedKeyToSingleNode
- Renamed `delegateeSessionSigs` arg in generate methods to `delegatorSessionSigs`, since only delegators are allowed to generate sessionSigs per current spec
- Paramaterized `evmContractConditions` in `getSolanaKeyPair()` -- this is now stored along with other wrapped key metadata and should _not_ be assumed to be static.
- Updated REST API paths and arguments in `service-client` to match current paths
- Removed unused devDependency on @lit-protocol/lit-node-client (we only use its type)
- Use `removeSaltFromDecryptedKey()` in all places where we need to remove salt from the decrypted key (both exporting and inside of helper for solana wrapped keypair composition)
- Updated `exportPrivateKey` API to match existing wrapped key behaviour patterns -- it now fetches the encrypted wrapped key from the storage backend using the `id` instead of expecting the consumer to use the service-client directly to fetch it
@MaximusHaximus
feat: Update app-sdk sessionSig creation's resourceAbilityRequests
529ce1a 
…to include the ability to decrypt access-control-condition restricted resources

- Facilitates Vincent Wrapped keys abilities being able to decrypt wrapped keys
@MaximusHaximus
docs: tsdoc clarity
c7f846d
@MaximusHaximus
test: Initial update of solana transaction signer e2e tests to match …
1166d4e 
…new API paradigm

- Compose delegator sessionSigs to export the private key
- Add TODOs where API changes are still pending (needs the agent PKP's owner to be an actual PKP)
@vercel
Copy link

vercel bot commented Nov 17, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
vincent-app-dashboard Ready Ready Preview Comment Nov 19, 2025 4:08am

Copilot finished reviewing on behalf of spacesailor24 November 19, 2025 03:56
Copilot AI reviewed Nov 19, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR introduces support for Vincent Wrapped Keys at the platform user level, enabling both delegatees and platform users to decrypt wrapped keys. It replaces PR #365 with updated APIs matching recent backend changes.

Key changes:

  • Renamed delegateeSessionSigs to delegatorSessionSigs throughout to reflect that delegators generate keys
  • Updated REST API paths from /delegatee/encrypted to /delegated/encrypted
  • Added exportPrivateKey() API for decrypting previously stored wrapped keys
  • Implemented dual access control conditions supporting both delegatees and platform user (PKP owner) decryption
  • Renamed accessControlConditions parameter to evmContractConditions for consistency
  • Added evmContractConditions field to encrypted key storage and retrieval

Reviewed Changes

Copilot reviewed 42 out of 49 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
packages/libs/wrapped-keys/src/lib/types.ts Updated type definitions with new parameter naming and added ExportPrivateKey types
packages/libs/wrapped-keys/src/lib/api/export-private-key.ts New API function to export/decrypt wrapped keys
packages/libs/wrapped-keys/src/lib/api/generate-private-key.ts Updated to use new getVincentWrappedKeysAccs for access control conditions
packages/libs/wrapped-keys/src/lib/service-client/client.ts Updated REST API paths from /delegatee/ to /delegated/ and parameter names
packages/libs/wrapped-keys/src/lib/lit-actions-client/*.ts Renamed parameters from accessControlConditions to evmContractConditions
packages/libs/contracts-sdk/src/internal/wrapped-keys/getVincentWrappedKeysAccs.ts New function generating dual access control conditions for delegatees OR platform users
packages/libs/app-sdk/src/abilityClient/execute/generateVincentAbilitySessionSigs.ts Added AccessControlConditionDecryption ability to session sig requests
packages/apps/ability-sol-transaction-signer/src/lib/*.ts Updated to accept and use evmContractConditions parameter
packages/apps/abilities-e2e/test-e2e/solana/*.ts New E2E test suite for Solana transaction signing with wrapped keys
pnpm-lock.yaml Updated @LIT-Protocol dependencies to 7.3.1 versions
packages/libs/wrapped-keys/package.json Version bump to 0.6.0
packages/libs/contracts-sdk/package.json Moved dependencies from devDependencies to dependencies
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@spacesailor24 spacesailor24 merged commit 69e25c2 into main Nov 19, 2025
5 checks passed
@spacesailor24
Copy link
Contributor

spacesailor24 commented Nov 19, 2025

Merged with the intention of following up with a PR to finish the E2E test implementation - want to avoid this PR getting state with other unrelated changes getting merged into main

@spacesailor24 spacesailor24 deleted the feat/wks-2 branch November 19, 2025 04:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@spacesailor24 spacesailor24 spacesailor24 approved these changes

@awisniew207 awisniew207 Awaiting requested review from awisniew207 awisniew207 is a code owner

@Ansonhkg Ansonhkg Awaiting requested review from Ansonhkg Ansonhkg is a code owner

@DashKash54 DashKash54 Awaiting requested review from DashKash54 DashKash54 is a code owner

@FedericoAmura FedericoAmura Awaiting requested review from FedericoAmura FedericoAmura is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MaximusHaximus @spacesailor24