Skip to content

feat(protocol): add personal server registration signing#148

Merged
tnunamak merged 8 commits into
mainfrom
tim/ps-registration-intent-signing-main
May 14, 2026
Merged

feat(protocol): add personal server registration signing#148
tnunamak merged 8 commits into
mainfrom
tim/ps-registration-intent-signing-main

Conversation

@tnunamak
Copy link
Copy Markdown
Member

@tnunamak tnunamak commented May 14, 2026

Summary

  • Re-stage the personal server registration and PS Lite owner-binding signing helpers directly against SDK main.
  • Keeps protocol typed-data builders separate from Account-origin signing helpers.
  • Adds package import validation for the new deep ESM subpaths.

Context

PR #147 was validated by unity-surfaces via @opendatalabs/vana-sdk@3.0.1-pr.147.f9fcf43, but it was merged into an intermediate branch and is not currently in the SDK main release path. This PR makes the same validated changes mergeable to main so Unity can later replace the PR prerelease with a normal SDK release.

Validation

  • npm run build:sdk
  • npm --workspace @opendatalabs/vana-sdk test -- --run (47 files, 656 tests)

Follow-up after release

Once this lands and publishes a normal @opendatalabs/vana-sdk release, update unity-surfaces away from 3.0.1-pr.147.f9fcf43 and remove the temporary pnpm override if no longer needed.

@vercel
Copy link
Copy Markdown

vercel Bot commented May 14, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments
Project Deployment Actions Updated (UTC)
vana-console Ignored Ignored May 14, 2026 4:31pm
vana-rbac-auditor Ignored Ignored May 14, 2026 4:31pm
vana-vibes-demo Ignored Ignored May 14, 2026 4:31pm

Request Review

@tnunamak
Copy link
Copy Markdown
Member Author

tnunamak commented May 14, 2026

Unity is already consuming the validated PR prerelease @opendatalabs/vana-sdk@3.0.1-pr.147.f9fcf43 on dev for app-dev/account-dev.

Follow-up to remove that prerelease after this lands and publishes a normal SDK release is tracked here: https://github.com/vana-com/unity-surfaces/issues/63

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

Findings

  • Medium: packages/vana-sdk/src/account/personal-server-registration.ts:223 and line 296 trust Account-returned typedData without checking it matches the returned/fallback signer or the original request. If Account returns stale or mismatched typed data, the SDK can return or create a signature whose signer does not match typedData.message.ownerAddress, making the registration unusable. Validate typedData.message.ownerAddress, serverAddress, publicKey, serverUrl, and domain before returning or fallback-signing it.

  • Low: packages/vana-sdk/scripts/validate-package-imports.ts:7 only validates two of the new deep ESM subpaths. The PR also adds protocol/personal-server-lite-owner-binding and account/personal-server-lite-owner-binding; include those in imports so packaging regressions for those exports are caught.

Validation

I attempted the targeted Vitest files and npm --workspace @opendatalabs/vana-sdk run typecheck, but this checkout is missing dev dependencies (vitest and @types/node), so local verification could not complete.

@tnunamak
Copy link
Copy Markdown
Member Author

tnunamak commented May 14, 2026

Addressed the automated review findings in 1e0eb06:

  • Account helper now validates returned typedData against the expected signer, requested server fields, expected primary type/types, and requested domain before returning or fallback-signing it.
  • Package import validation now covers both PS Lite owner-binding deep subpaths.

Validation after the patch:

  • npm --workspace @opendatalabs/vana-sdk test -- --run src/account/personal-server-registration.test.ts
  • npm --workspace @opendatalabs/vana-sdk run typecheck
  • npm --workspace @opendatalabs/vana-sdk run validate:package-imports
  • npm --workspace @opendatalabs/vana-sdk test -- --run
  • npm run validate

GitHub CI is green on Node 20 and 22 after the patch.

@tnunamak tnunamak merged commit 81231dd into main May 14, 2026
6 checks passed
@tnunamak tnunamak deleted the tim/ps-registration-intent-signing-main branch May 14, 2026 17:45
github-actions Bot pushed a commit that referenced this pull request May 14, 2026
@semantic-release-bot
chore(release): 3.2.0 [skip ci]
9888e4b 
## [3.2.0](v3.1.0...v3.2.0) (2026-05-14)

### Features

* **protocol:** add personal server registration signing ([#148](#148)) ([81231dd](81231dd))
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 14, 2026

🎉 This PR is included in version 3.2.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tnunamak