feat: ERC-4337-compatible passkey (P-256) account system (#2443)

* feat: add passkey signing

* feat: fix the evm e2e test to have passkey signing

* fix: make taht run on e2e

* fix: fix lint

* fix: address comments by gemini

Author: matthiasmatt

.gitignore

@@ -357,3 +357,8 @@ playwright/chrome-extensions/keplr/
 playwright/yarn.lock
 
 debug_container.dot
+
+.gocache
+AGENTS.md
+precompile.test
+tx_log.json

CLAUDE.md

@@ -0,0 +1,190 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Nibiru Chain is a breakthrough L1 blockchain and smart contract ecosystem providing superior throughput, reduced latency, and improved security. It operates two virtual machines in parallel:
+- **NibiruEVM**: Ethereum Virtual Machine for Ethereum compatibility
+- **Wasm**: For CosmWasm smart contracts
+
+## Repository Structure
+
+### Core Directories
+- `/x/` - Custom blockchain modules (oracle, evm, devgas, epochs, inflation, tokenfactory, sudo)
+- `/app/` - Core blockchain application logic and module integration
+- `/eth/` - Ethereum-specific implementations (accounts, crypto, RPC)
+- `/proto/` - Protocol Buffer definitions for blockchain messages
+- `/cmd/nibid/` - CLI binary for interacting with the blockchain
+- `/evm-core-ts/` - TypeScript library for EVM interactions
+- `/gosdk/` - Go SDK for programmatic blockchain interactions
+
+### Key Modules
+- **evm**: Ethereum Virtual Machine implementation
+- **oracle**: Decentralized price oracle system  
+- **devgas**: Revenue sharing for smart contract developers
+- **epochs**: Time-based hook system for periodic tasks
+- **inflation**: Tokenomics implementation
+- **tokenfactory**: Token creation and management
+
+## Essential Commands
+
+### Build & Install
+```bash
+# Install the nibid binary
+make install
+
+# Build the project
+make build
+
+# Alternative with just
+just build
+just install
+```
+
+### Local Development
+```bash
+# Run a local blockchain node
+make localnet
+
+# Alternative single-node testnet
+just init-local-testnet [moniker]
+just start
+```
+
+### Testing
+```bash
+# Run all unit tests
+make test-unit
+
+# Run specific package tests
+go test ./x/evm/...
+
+# Run with coverage
+make test-coverage
+
+# Run integration tests
+make test-coverage-integration
+
+# Run EVM E2E tests
+cd evm-e2e && npm test
+```
+
+### Code Quality
+```bash
+# Format code
+make format
+
+# Run linter
+make lint
+
+# Fix linting issues
+make lint-fix
+
+# Generate protobuf code
+make proto-gen
+```
+
+### Development Utilities
+```bash
+# Install development tools
+make tools-clean
+
+# Run simulation tests
+make sim-full
+
+# Generate documentation
+make docs-generate
+
+# Check for breaking changes
+make proto-break-check
+```
+
+## System Requirements
+
+- Go version 1.22.2 or higher
+- Node.js 20+ and npm 10+ (for TypeScript/EVM tests)
+- Make and Git
+- For validators: 8-core x64 CPU, 64GB RAM, 1TB+ SSD
+
+## Development Workflow
+
+1. **Setup Environment**
+   ```bash
+   git clone https://github.com/NibiruChain/nibiru
+   cd nibiru
+   make install
+   ```
+
+2. **Run Local Network**
+   ```bash
+   make localnet
+   # or
+   just init-local-testnet test-moniker
+   just start
+   ```
+
+3. **Make Changes**
+   - Core logic: `/x/` modules
+   - Application: `/app/`
+   - Tests: `*_test.go` files
+
+4. **Test Changes**
+   ```bash
+   # Test specific module
+   go test ./x/oracle/...
+   
+   # Run integration tests
+   make test-coverage-integration
+   ```
+
+5. **Lint & Format**
+   ```bash
+   make lint-fix
+   make format
+   ```
+
+## Technical Details
+
+### Build System
+- Primary: Makefile with includes from `/contrib/make/`
+- Alternative: justfile for common tasks
+- Protocol Buffers: buf for proto compilation
+
+### Dependencies
+- Cosmos SDK v0.47.11
+- CometBFT/Tendermint consensus
+- go-ethereum fork for EVM compatibility
+- CosmWasm for WASM smart contracts
+
+### Testing Framework
+- Go: Built-in testing with testify assertions
+- TypeScript: Jest for EVM E2E tests
+- Simulation: Custom simulation framework
+
+## Troubleshooting
+
+### Common Issues
+1. **Import errors**: Run `go mod tidy` and `go mod download`
+2. **Proto errors**: Run `make proto-gen`
+3. **Build failures**: Ensure Go 1.22.2+ is installed
+4. **Test failures**: Check if local node is running for integration tests
+
+### Local Network Ports
+- RPC: http://localhost:26657
+- gRPC: localhost:9090
+- EVM RPC: http://localhost:8545
+- API: http://localhost:1317
+
+## Documentation Resources
+
+- Main docs: https://docs.nibiru.fi
+- Contracts: https://github.com/NibiruChain/contracts
+- TypeScript SDK: https://www.npmjs.com/package/@nibiruchain/ts-sdk
+- Oracle docs: See `/x/oracle/README.md`
+
+## Community
+
+- Discord: https://discord.gg/nibiru
+- Twitter: https://twitter.com/NibiruChain
+- Telegram: https://t.me/nibiruchainofficial

evm-e2e/.entrypoint.addr

@@ -0,0 +1 @@
+0x31cB3eE2aC481dbF1fc85a3Ab1Aad925Af4b3b5a

evm-e2e/.passkeyfactory.addr

@@ -0,0 +1 @@
+0xF4434B66C39dA329a7230Faf919Ea65d3aCeB0AA

evm-e2e/README.md

@@ -21,6 +21,7 @@ Localnet has JSON RPC enabled by default.
 
 ```bash
 npm install
+(cd passkey-sdk && npm install)
 ```
 
 ### Configure environment in `.env` file
@@ -58,3 +59,40 @@ test/contract_send_nibi.test.ts:
 Ran 6 tests across 4 files. [38.08s]
 
 ```
+
+### Deploy PasskeyAccountFactory on Nibiru localnet
+
+Assumes:
+- Nibiru localnet running with the P-256 precompile at `0x0000000000000000000000000000000000000100`.
+- An ERC-4337 EntryPoint already deployed; pass its address via `ENTRY_POINT`.
+
+```bash
+# Optional: provide QX/QY (0x-prefixed 32-byte coords) to create the first account.
+ENTRY_POINT=0xYourEntryPoint \
+QX=0x... \
+QY=0x... \
+npx hardhat run scripts/deploy-passkey.js --network localhost
+```
+
+### Run an ERC-4337 bundler against Nibiru RPC
+
+Uses a Stackup-style Docker image with a temp config. Required env: `RPC_URL`, `ENTRY_POINT`, `CHAIN_ID`. Optional:
+`PRIVATE_KEY` (bundler signer), `BUNDLER_PORT` (default 4337), `BUNDLER_IMAGE` (default
+`ghcr.io/stackup-wallet/stackup-bundler:latest`).
+
+```bash
+RPC_URL=http://127.0.0.1:8545 \
+ENTRY_POINT=0x... \
+CHAIN_ID=12345 \
+npm run bundler
+```
+
+### Passkey ERC-4337 test coverage
+
+The `bun test` suite now exercises the passkey ERC-4337 flow end-to-end. During the run it:
+
+- Builds the `passkey-sdk`, deploys a fresh `EntryPointV06` + `PasskeyAccountFactory`, and funds the dev bundler key.
+- Starts the local bundler from `passkey-sdk/dist/local-bundler.js` on port `14437`.
+- Executes the CLI passkey script against that bundler to prove a full user operation.
+
+Ensure `node`, `npm`, and `tsup` dependencies are installed (`npm install` in both `evm-e2e/` and `evm-e2e/passkey-sdk/`) and that port `14437` is free before running `bun test` or `just test-e2e`.

evm-e2e/contracts/passkey/EntryPointV06.sol

@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: GPL-3.0
+pragma solidity ^0.8.24;
+
+import "@account-abstraction/contracts/core/EntryPoint.sol";
+
+/// @notice Thin wrapper that tags EntryPoint v0.6 with a version string for bundlers that require it.
+contract EntryPointV06 is EntryPoint {
+    function entryPointVersion() external pure returns (string memory) {
+        return "0.6.0";
+    }
+}

evm-e2e/contracts/passkey/PasskeyAccount.sol

@@ -0,0 +1,111 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.24;
+
+import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";
+import {UserOperation, SIG_VALIDATION_FAILED} from "./UserOperation.sol";
+import {IEntryPoint} from "./interfaces/IEntryPoint.sol";
+
+/// @notice Minimal ERC-4337-style account secured by a P-256 pubkey (raw r,s signatures).
+/// @dev Uses Nibiru RIP-7212 precompile at 0x...0100. Signature format: abi.encode(r,s).
+contract PasskeyAccount {
+    IEntryPoint public entryPoint;
+    bytes32 public qx;
+    bytes32 public qy;
+    uint256 public nonce;
+    bool private initialized;
+
+    event Executed(address indexed target, uint256 value, bytes data);
+
+    modifier onlyEntryPoint() {
+        require(msg.sender == address(entryPoint), "not entrypoint");
+        _;
+    }
+
+    function initialize(address _entryPoint, bytes32 _qx, bytes32 _qy) external {
+        require(!initialized, "initialized");
+        require(_entryPoint != address(0), "entrypoint=0");
+        initialized = true;
+        entryPoint = IEntryPoint(_entryPoint);
+        qx = _qx;
+        qy = _qy;
+    }
+
+    receive() external payable {}
+
+    function validateUserOp(
+        UserOperation calldata userOp,
+        bytes32 userOpHash,
+        uint256 missingAccountFunds
+    ) external onlyEntryPoint returns (uint256 validationData) {
+        if (userOp.nonce != nonce) return SIG_VALIDATION_FAILED;
+        uint256 verified = _verify(userOpHash, userOp.signature);
+        if (verified != 1) return SIG_VALIDATION_FAILED;
+        nonce++;
+        if (missingAccountFunds > 0) {
+            entryPoint.depositTo{value: missingAccountFunds}(address(this));
+        }
+        return 0;
+    }
+
+    function execute(address to, uint256 value, bytes calldata data) external onlyEntryPoint {
+        (bool ok, ) = to.call{value: value}(data);
+        require(ok, "exec failed");
+        emit Executed(to, value, data);
+    }
+
+    function _verify(bytes32 userOpHash, bytes calldata signature) internal view returns (uint256) {
+        bytes32 digest;
+        bytes32 r;
+        bytes32 s;
+
+        // For Node/EVM tests we accept compact r,s signatures over userOpHash.
+        if (signature.length == 64) {
+            (r, s) = abi.decode(signature, (bytes32, bytes32));
+            digest = sha256(abi.encodePacked(userOpHash));
+        } else {
+            // WebAuthn signatures are over sha256(authenticatorData || sha256(clientDataJSON)).
+            // Signature payload layout: abi.encode(authenticatorData, clientDataJSON, r, s)
+            (bytes memory authData, bytes memory clientDataJSON, bytes32 rFull, bytes32 sFull) =
+                abi.decode(signature, (bytes, bytes, bytes32, bytes32));
+            r = rFull;
+            s = sFull;
+            digest = sha256(abi.encodePacked(authData, sha256(clientDataJSON)));
+        }
+
+        bytes memory input = abi.encodePacked(digest, r, s, qx, qy);
+        (bool ok, bytes memory out) = address(0x100).staticcall(input);
+        if (!ok || out.length != 32) {
+            return 0;
+        }
+        return uint256(bytes32(out));
+    }
+}
+
+/// @notice Factory deploying cheap PasskeyAccount minimal-proxy clones.
+contract PasskeyAccountFactory {
+    address public immutable IMPLEMENTATION;
+    address public immutable ENTRY_POINT;
+
+    event AccountCreated(address indexed account, bytes32 qx, bytes32 qy, bytes32 salt);
+
+    constructor(address _entryPoint) {
+        ENTRY_POINT = _entryPoint;
+        IMPLEMENTATION = address(new PasskeyAccount());
+    }
+
+    function createAccount(bytes32 _qx, bytes32 _qy) external returns (address account) {
+        bytes32 salt = _salt(_qx, _qy);
+        account = Clones.cloneDeterministic(IMPLEMENTATION, salt);
+        PasskeyAccount(payable(account)).initialize(ENTRY_POINT, _qx, _qy);
+        emit AccountCreated(account, _qx, _qy, salt);
+    }
+
+    function accountAddress(bytes32 _qx, bytes32 _qy) external view returns (address predicted) {
+        bytes32 salt = _salt(_qx, _qy);
+        predicted = Clones.predictDeterministicAddress(IMPLEMENTATION, salt, address(this));
+    }
+
+    function _salt(bytes32 _qx, bytes32 _qy) internal pure returns (bytes32) {
+        return keccak256(abi.encodePacked(_qx, _qy));
+    }
+}

evm-e2e/contracts/passkey/UserOperation.sol

@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.24;
+
+struct UserOperation {
+    address sender;
+    uint256 nonce;
+    bytes initCode;
+    bytes callData;
+    uint256 callGasLimit;
+    uint256 verificationGasLimit;
+    uint256 preVerificationGas;
+    uint256 maxFeePerGas;
+    uint256 maxPriorityFeePerGas;
+    bytes paymasterAndData;
+    bytes signature;
+}
+
+uint256 constant SIG_VALIDATION_FAILED = 1;