Skip to content

Self-onboarding: SIWE/SIWS + /claim web app + extension session bootstrap#6

Merged
miraekims merged 8 commits into
mainfrom
feat/identity-auth-scaffold
May 11, 2026
Merged

Self-onboarding: SIWE/SIWS + /claim web app + extension session bootstrap#6
miraekims merged 8 commits into
mainfrom
feat/identity-auth-scaffold

Conversation

@kiro-agent

@kiro-agent kiro-agent Bot commented May 11, 2026

Copy link
Copy Markdown

This pull request was generated by @kiro-agent 👻

Comment with /kiro fix to address specific feedback or /kiro all to address everything.
Learn about Kiro autonomous agent


Self-onboarding end-to-end: real SIWE/SIWS verification, /claim web app, extension session bootstrap.

API (apps/api)

  • Zero-dep HS256 JWT (timing-safe compare)
  • SIWE verifier (secp256k1 personal_sign recovery)
  • SIWS verifier (Ed25519)
  • Single-use nonces: bounded TTL, per-triple, latest-only-valid
  • In-memory identity/session stores with Postgres-ready interfaces
  • Routes: POST /v1/session/anonymous, GET /v1/session, POST /v1/claim/nonce, POST /v1/claim
  • Category-level errors; no leakage of which defense layer fired

Claim web app (apps/claim-web)

  • Vanilla TS + Vite, ~8KB gzipped, no wagmi/viem/ethers
  • Real wallet integration via window.ethereum (EIP-1193) and window.solana
  • 3-step flow: handle -> wallet -> sign
  • Signed message is always the server-built canonical form

Extension (apps/extension)

  • Anonymous session bootstrap on onInstalled/onStartup and worker load
  • Token stored in chrome.storage.local.tl_session
  • Content script never touches the token

Shared contract (packages/shared)

  • Session and claim request/response types
  • buildClaimMessage() single source of truth

Adapters seam (apps/api/src/adapters)

  • Interface-only stubs for chain/price/social/risk adapters
  • README documents the mock -> real swap path

Steering

  • .kiro/steering/claim-flow.md: canonical-message, nonce lifecycle, signature verification, session model, never-merge rules

Public docs

  • docs/data-pipeline.md: pipeline principles without naming providers

Smoke verified

Both test-e2e-*.mjs scripts pass:

  • wallet keypair -> session -> nonce -> sign -> A-tier; replay and tampering rejected (403)
  • anonymous issuance, snapshot, score with bearer, invalid bearer -> 401

kiro and others added 8 commits May 11, 2026 03:49
…t content+background build, content via Vite IIFE, background via esbuild, manifest copy)
…SIWE message preview, A-tier success state)
….kiro/internal/ (ignored); public docs describe principles without numbers
…, founder-community popup

Security audit results:
- Removed raw numeric signal fields (confidence, *_hours, *_usd, top10_pct, etc)
  from consumer ScoreResponse. Partner API is a separate surface.
- Removed client-side thresholds from Overlay.tsx. Now a pure renderer of
  server-supplied display strings and ui_flags.
- Split dev manifest.json (localhost origin, 'dev' marker) from manifest.prod.json
  (no dev origins, clean name, default_popup).
- Build-time inject of API_BASE via __API_BASE__ / __BUILD_ENV__ defines in
  both Vite (content) and esbuild (background/popup).
- Background now attaches Bearer session token to every API call; content
  script never touches credentials.

Popup added:
- src/popup/popup.html + index.ts (vanilla TS, no React to keep size small)
- Renders plan badge, usage bar, identity state, founder community link
- Community link is a build-time constant, never fetched from API

Release strategy:
- docs/release-strategy.md (public): 3-phase plan without numbers
- .kiro/steering/release.md: invariants Kiro must preserve going forward
  including explicit rejection of invite-only consumer distribution

Build verified:
- dev: manifest 'TruthLayer (dev)', localhost origin, sourcemaps
- prod: manifest 'TruthLayer', only x.com + twitter.com origins, minified,
        no localhost strings anywhere in bundles
API (apps/api):
- Zero-dep HS256 JWT (timing-safe compare)
- SIWE verifier (secp256k1 personal_sign recovery via ethereum-cryptography)
- SIWS verifier (Ed25519 via @noble/curves + bs58)
- Single-use nonces: 10-min TTL, per-triple, only-latest-valid, consume-on-submit
- In-memory identity/session stores with Postgres-ready interfaces
- Routes: POST /v1/session/anonymous, GET /v1/session,
  POST /v1/claim/nonce, POST /v1/claim
- Category-level errors; no leakage of which defense layer fired
- Twitter OAuth behind TwitterVerifier interface (stub for v1)

Claim web app (apps/claim-web):
- Vanilla TS + Vite, ~8KB gzipped, no wagmi/viem/ethers
- Real wallet integration via window.ethereum (EIP-1193) and window.solana
- 3-step flow: handle -> wallet -> sign; signed message is always the
  server-built canonical form (never templated client-side)
- localStorage session persistence, refresh-safe mid-flow

Extension (apps/extension):
- Anonymous session bootstrap on onInstalled/onStartup and worker load
- Token stored in chrome.storage.local.tl_session, attached to every
  API call by the background worker; content script never touches it

Shared contract (packages/shared):
- Session / claim request+response types
- buildClaimMessage() — single source of truth for the canonical message
  so API and clients cannot desynchronize whitespace

Adapters seam (apps/api/src/adapters):
- Interface-only stubs for chain / price / social / risk adapters
- README documents the mock -> real swap path without leaking provider
  choices

Steering:
- .kiro/steering/claim-flow.md: canonical-message, nonce lifecycle,
  signature verification, session model, never-merge rules

Public docs:
- docs/data-pipeline.md: what the pipeline consumes at the principle
  level, without naming providers or internal cache policies

Smoke verified (both scripts pass):
- apps/api/test-e2e-claim.mjs:
  wallet keypair -> anonymous session -> nonce -> sign -> A-tier recorded
  + replay rejected (403) + tampered message rejected (403)
- apps/api/test-e2e-session.mjs:
  anonymous session issuance, snapshot, score with bearer, invalid bearer
  correctly 401
@miraekims miraekims merged commit bacb995 into main May 11, 2026
miraekims pushed a commit that referenced this pull request May 11, 2026
Merge pull request #6 from youngboy91-beep/feat/identity-auth-scaffold
miraekims added a commit that referenced this pull request May 12, 2026
Self-onboarding: SIWE/SIWS + /claim web app + extension session bootstrap
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
miraekims added a commit that referenced this pull request May 12, 2026
Merge pull request #6 from youngboy91-beep/feat/identity-auth-scaffold
Co-authored-by: youngboy91-beep <247809216+youngboy91-beep@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants