chore: migrate to Crossmint wallets v1 SDK

[jmderby]

Summary

Migrates @crossmint/client-sdk-react-ui from 2.6.16 to 4.0.6 (Wallets V1 SDK). Changes are scoped to breaking API renames — no refactoring of unrelated code.

What changed:

• useAuth → useCrossmintAuth (8 files)
• createOnLogin.signer → createOnLogin.recovery in provider setup
• wallet.experimental_activity() → wallet.transfers() with response shape mapping (data.events → data.data, fields remapped to ActivityEvent)
• Removed showPasskeyHelpers prop (assumed handled by SDK in v1)

Updates since last revision

• Bumped to 4.0.6: Pinned @crossmint/client-sdk-react-ui to exact version 4.0.6 (was ^4.0.1). Updated pnpm-lock.yaml accordingly.
• Removed accidental package-lock.json: A freshly-generated npm lockfile was committed by mistake (repo uses pnpm). This caused a Vercel deployment failure. Removed in a follow-up commit.

Previous updates (for context)

• Fixed completedAt bug in activity feed: The V1 Transfer type uses completedAt (not createdAt). The original mapping used tx.createdAt which resolved to undefined, producing NaN timestamps — breaking date display and sort order in the activity feed. Fixed in hooks/useActivityFeed.ts.
• Fixed missing tokens param in transfers() call: The transfers() method was being called without parameters. Now passes { tokens: "usdc", status: "successful" } to correctly filter activity results, matching the pattern used in the playground reference snippets.
• Reverted explicit signers config: An earlier commit added signers: [{ type: "device" }] to createOnLogin, but the playground reference confirms device signers auto-initialize via the provider's IframeDeviceSignerKeyStorage — no explicit config needed. Reverted.

Known SDK issue (not fixable in app code)

Yield deposits are broken by an SDK-level device signer bug. When evmWallet.sendTransaction() calls preAuthIfNeeded() → recover(), the SDK's resolveDeviceSignerAvailability sometimes produces an empty device locator (device: with no public key), causing:

1. GET .../signers/device: → 400 "Invalid public key base64"
2. recover() tries to re-register → fails with "already approved"
3. SDK deletes the local device key from IndexedDB on failure, making subsequent attempts worse

This is internal to @crossmint/wallets-sdk's recover() method and cannot be worked around in app code.

Review & Testing Checklist for Human

• Test the activity feed end-to-end: Deploy to staging, log in, deposit funds, send a transfer, and confirm the feed displays correctly with proper amounts, direction labels ("Sent" vs "Deposit"), and timestamps. The mapping uses (tx: any) (line 50 of useActivityFeed.ts), so TypeScript cannot validate field names at compile time. The createdAt bug was caught this way; other fields (tx.sender?.address, tx.recipient?.address, tx.token?.amount, tx.token?.symbol) remain unverified against live API responses.
• Verify transfers({ tokens: "usdc" }) returns the expected data: The tokens param is hardcoded to "usdc". If the app supports other tokens in the future, this filter will silently exclude them from the activity feed.
• Activity feed no longer distinguishes canceled/failed transfers: The old code checked for "cancel" and "fail" substrings in event.type. V1 transfer types are "wallets.transfer.in" / "wallets.transfer.out" — so canceled/failed transfers will render as regular "Sent"/"Deposit" with no visual distinction. Decide if this is acceptable or needs a follow-up using the status: "failed" field.
• Verify showPasskeyHelpers removal is safe: The old code had showPasskeyHelpers={chain !== "solana"}. Deploy with NEXT_PUBLIC_CHAIN_ID=solana and confirm no broken passkey prompts appear.
• Confirm yield deposit SDK issue: Attempt a yield deposit and confirm you see the device: / "already approved" errors described above. This validates the issue is SDK-level (not a missing app-side fix) and can be escalated to the SDK team.

Recommended test plan: Deploy to staging, log in, deposit USDC, send a transfer, and confirm the activity feed. Then attempt a yield deposit — expect it to fail with the SDK device signer error described above until the SDK is patched.

Notes

• Build compiles and passes type checks. The only build failure is the pre-existing NEXT_PUBLIC_CROSSMINT_CLIENT_API_KEY missing during static page generation (expected without .env).
• Pre-existing formatting issues in globals.css and PositionsList.tsx were not touched.
• The any cast on the transfers mapping is a pragmatic tradeoff — the SDK doesn't export a named type for individual transfer items that's easy to import. This was the root cause of the createdAt bug and remains a risk for other fields.
• Version pinned to exact 4.0.6 (no caret) per reviewer request.

Link to Devin session: https://crossmint.devinenterprise.com/sessions/801a63c1d8ab4cf29f9b2c26251758ba
Requested by: @jmderby

---

[devin-ai-integration]

Original prompt from Jonathan

Hey Devin,

I need your help with an important task that has two phases. Please read this fully before starting.

Context
We've recently released a new version of our Crossmint v1 wallets SDK (available for Node.js, React, and React Native). I've written a skill file to guide you — please read it carefully before doing anything else:
👉 https://github.com/Crossmint/wallets-v1-playground/blob/main/WALLETS_SKILL.md

---

Phase 1 — Migration Task
Migrate the fintech-starter-app quickstart repo to use the new wallets v1 package:
👉 https://github.com/Crossmint/fintech-starter-app

The change is scoped to bumping the React wallets package to v1 in the existing repo. Do not refactor unrelated code.

Before you write a single line of code, flag anything in the skill file that is:

• Missing (e.g. undocumented behaviors, edge cases)
• Ambiguous (e.g. unclear signer setup, environment-specific nuances)

Wallets have important nuances around signers and environments — if anything is unclear, stop and ask rather than assume. I will update the skill file before you proceed.

---

Phase 2 — Big Picture Goal (for your awareness)
Once the migration is complete and the skill file is refined to a point I'm happy with, my goal is to:

1. Promote this skill file into a generalized Crossmint wallets skill usable by any agent working with our product
2. Use it as the source of truth to audit docs.crossmint.com — fixing broken/incorrect code snippets and filling in missing nuances across doc pages

You don't need to act on Phase 2 now — just keep it in mind so your feedback on the skill file is thorough and forward-looking (i.e. would this skill work for any agent, not just this migration?).

---

Summary of what I need from you right now:

1. Read the skill file
2. Flag any gaps or ambiguities before touching code
3. Migrate the fintech-starter-app to wallets v1 (React package bump)
4. Note anything you encountered during the migration that should be... (99 chars truncated...)

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
fintech-starter-app	Ready	Preview, Comment	Apr 1, 2026 9:43pm

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

[jmderby]

@devinai please bump this to latest 4.0.6

[devin-ai-integration]

Bumped to 4.0.6 (pinned, no caret). Lockfile updated.