feat(wallets): add shadow signer support for automatic delegated signers

[guilleasz-crossmint]

Description

This PR implements automatic "shadow" delegated signers for wallets created via getOrCreateWallet. Shadow signers are device-bound keypairs (stored using Web Crypto API's non-extractable keys) that act as delegated signers, intended to allow transactions without requiring OTP authentication on the same device.

Shadow signers are only added to Stellar and Solana wallets, a follow up PR will add it for EVM.

Important Notes:

• Shadow signers are enabled by default - users must explicitly set shadowSigner: { enabled: false } to opt out

Changes Made:

1. New shadow-signer.ts utility:

   • generateShadowSigner(): Creates device-bound keypairs using Web Crypto API
   • Ed25519 for Solana/Stellar (as external-wallet delegated signers)
   • localStorage functions for storing/retrieving shadow signer metadata

2. WalletFactory modifications:

   • Automatically generates shadow signer during wallet creation (client-side only)
   • Adds shadow signer to delegated signers array
   • Stores metadata after successful wallet creation
   • Adds shadow signer as signer of the wallet instance and handles the signing of transactions

3. React Provider updates:

   • Added shadowSigner prop to CrossmintWalletBaseProviderProps
   • Passes configuration through to wallet creation

Test plan

Manual tested in quickstart with solana and stellar wallets, no email otp was necessary for fulfilling transactions

Package updates

This are part of the delegated signers breaking changes, so it goes to the wallets-v1 branch

Session Info:

• Link to Devin run: https://app.devin.ai/sessions/acc231cd48904372bfc0cf46b0953cd3
• Requested by: Guille ([email protected]) (@guilleasz-crossmint)

[devin-ai-integration]

Original prompt from Guille

Create a new branch basing yourself first in guillea/wal-4751-allowing-delegated-signers-to-use-the-sdk


## Implementation Plan for Shadow Signers

You're asking for a comprehensive implementation plan to add automatic "shadow" delegated signers to wallets created via `getOrCreateWallet` in the Crossmint SDK. This feature would create a device-bound keypair using Web Crypto API that acts as a delegated signer, allowing transactions without requiring OTP authentication on the same device.

### High-Level Architecture

The implementation needs to modify the wallet creation flow in `packages/wallets/src/wallets/wallet-factory.ts` and `packages/client/react-base/src/providers/CrossmintWalletBaseProvider.tsx` to automatically generate and add shadow signers. [6-cite-0](#6-cite-0) 

### Detailed Implementation Steps

#### 1. Add Shadow Signer Configuration to WalletOptions

**File: `packages/wallets/src/wallets/types.ts`**

Add a new option to control shadow signer behavior:

```typescript
export type WalletOptions = {
  clientTEEConnection?: () => HandshakeParent<typeof signerOutboundEvents, typeof signerInboundEvents>;
  experimental_callbacks?: {
    onWalletCreationStart?: () => Promise<void>;
    onTransactionStart?: () => Promise<void>;
  };
  // NEW: Add shadow signer configuration
  shadowSigner?: {
    enabled?: boolean; // defaults to true
  };
};

2. Create Shadow Signer Generation Utility

File: packages/wallets/src/utils/shadow-signer.ts (new file)

Create utilities for generating and storing shadow signers:

import { WebAuthnP256 } from "ox";
import type { Chain } from "../chains/chains";
import type { DelegatedSigner } from "../wallets/types";

const SHADOW_SIGNER_STORAGE_KEY = "crossmint_shadow_signer";

export type ShadowSignerData = {
  chain: Chain;
  walletAddress: string;
  publicKey: string;
  createdAt: number;
};

export async function generateShadowSigner(
  chain: Chain
): Promise<{ delegatedSigner: DelegatedSigner; ... (17104 chars truncated...)

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4d2b684

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
crossmint-sdk-quickstart-devkit	Error			Oct 23, 2025 11:58pm

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
smart-wallet-auth-demo	Ignored			Oct 23, 2025 11:58pm

[AlbertoElias]

Left some comments suggesting a refactor so the code lives closer to ncs-signer

[devin-ai-integration]

Thanks for the review @AlbertoElias! I understand the proposed refactor to move this into the NCS signer layer. Just to make sure I understand the architecture correctly:

1. Shadow signer config location: The config would move from WalletOptions.shadowSigner to inside the email/phone signer config (e.g., { type: "email", email: "...", options: { sessions: { duration: "" } } })

2. Shadow signer generation: Instead of generating in WalletFactory.createWallet, we'd call a method like ncsSigner.getShadowSigner() that generates and stores the shadow signer

3. Shadow signer usage: The signTransaction method in each chain-specific NCS signer would:

   • Check if a shadow signer exists for this device/wallet
   • If yes, use it to sign (bypassing OTP)
   • If no, fall back to the current OTP flow

A few questions before I proceed with the refactor:

• Should the shadow signer still be registered as a delegated signer during wallet creation, or should that be handled differently?
• For the signer config, should it look like: { type: "email", email: "...", shadowSigner: { enabled: true, duration: "..." } }?
• The shadow signer would still be device-specific (stored in IndexedDB + localStorage), correct?

Let me know if my understanding is correct and I'll proceed with the refactor!

[AlbertoElias]

Looking really good! left some small comments, but leaving approved. remember to add changeset

[AlbertoElias]

i would keep this called as delegatedSigners and the one below can have a more specific name for the changes/enhancements we do to signers

[AlbertoElias]

i think we should separate this to a separate function with a nice name to make it more declarative

[devin-ai-integration]

@AlbertoElias Thanks for the approval! I've addressed all your feedback:

✅ Fixed != null to == null for style consistency
✅ Replaced all @ imports with relative imports
✅ Renamed updatedDelegatedSigners → delegatedSigners for clarity
✅ Extracted delegated signer registration to registerDelegatedSigners() method
✅ Changeset already added by Guille

The refactoring makes the code more declarative and easier to maintain. All changes pushed!