feat: cip-conformance

Signed-off-by: Marc Juchli <marc.juchli@digitalasset.com>

Author: mjuchli-da

package.json

@@ -36,6 +36,9 @@
         "script:test:examples": "tsx ./scripts/src/test-example-scripts.ts",
         "script:test:examples-stress": "tsx ./scripts/src/test-examples-scripts-under-stress.ts",
         "script:test:stress-scripts": "tsx ./scripts/src/test-stress-scripts.ts",
+        "script:conformance:run": "yarn workspace @canton-network/cip103-conformance run run",
+        "script:conformance:validate-artifact": "yarn workspace @canton-network/cip103-conformance run validate-artifact",
+        "script:conformance:export-badge": "yarn workspace @canton-network/cip103-conformance run export-badge",
         "script:release": "tsx ./scripts/src/release.ts",
         "script:retag": "tsx ./scripts/src/retag.ts",
         "script:flat-pack": "tsx ./scripts/src/flat-pack.ts",
@@ -53,6 +56,7 @@
         "example-scripts",
         "sdk/**",
         "sdk-support/**",
+        "tools/**",
         "scripts",
         "mock-oauth2",
         "wallet-gateway/**"

tools/cip103-conformance/README.md

@@ -0,0 +1,47 @@
+# CIP-103 Conformance CLI
+
+Self-serve conformance checks for wallet providers against CIP-103 sync/async profiles.
+The CLI is built with `commander` and provides strict option validation.
+
+## Commands
+
+- `conformance-cli run --profile sync|async --provider-config <file>`
+- `conformance-cli validate-artifact --artifact <file> [--public-key <pem>] [--require-signature]`
+- `conformance-cli export-badge --artifact <file> [--out <file>]`
+
+## Example Provider Config
+
+```json
+{
+    "name": "Example Wallet Provider",
+    "version": "1.2.3",
+    "endpoint": "http://localhost:8081/json-rpc",
+    "timeoutMs": 10000
+}
+```
+
+## Example Provider Config (Browser Extension Wallet)
+
+Current implementation note: the conformance runner executes JSON-RPC over HTTP.  
+For browser extension wallets, use a local bridge endpoint that exposes the extension methods over JSON-RPC.
+
+```json
+{
+    "name": "Example Browser Extension Wallet",
+    "version": "1.0.0",
+    "endpoint": "http://127.0.0.1:12481/json-rpc",
+    "timeoutMs": 10000,
+    "headers": {
+        "x-provider-kind": "browser-extension"
+    },
+    "extensionId": "abcdefghijklmnoabcdefghijklmn",
+    "injectedNamespace": "window.canton"
+}
+```
+
+See `provider.config.browser-extension.example.json` for a copy-ready template.
+
+## Profile Mapping
+
+- `sync` -> `api-specs/openrpc-dapp-api.json`
+- `async` -> `api-specs/openrpc-dapp-remote-api.json`

tools/cip103-conformance/package.json

@@ -0,0 +1,49 @@
+{
+    "name": "@canton-network/cip103-conformance",
+    "version": "0.1.0",
+    "type": "module",
+    "description": "Self-serve CIP-103 conformance CLI for sync/async wallet provider profiles.",
+    "license": "Apache-2.0",
+    "author": "Digital Asset",
+    "main": "./dist/index.cjs",
+    "module": "./dist/index.js",
+    "types": "./dist/index.d.ts",
+    "bin": {
+        "conformance-cli": "./dist/cli.js"
+    },
+    "exports": {
+        ".": {
+            "types": "./dist/index.d.ts",
+            "import": "./dist/index.js",
+            "require": "./dist/index.cjs",
+            "default": "./dist/index.js"
+        }
+    },
+    "scripts": {
+        "build": "tsup && tsc -p tsconfig.types.json",
+        "dev": "tsup --watch --onSuccess \"tsc -p tsconfig.types.json\"",
+        "clean": "tsc -b --clean; rm -rf dist",
+        "run": "tsx src/cli.ts"
+    },
+    "dependencies": {
+        "commander": "^14.0.3",
+        "zod": "^4.3.6"
+    },
+    "devDependencies": {
+        "@types/node": "^25.3.3",
+        "tsup": "^8.5.1",
+        "tsx": "^4.21.0",
+        "typescript": "^5.9.3"
+    },
+    "files": [
+        "dist/**"
+    ],
+    "publishConfig": {
+        "access": "public"
+    },
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/hyperledger-labs/splice-wallet-kernel.git",
+        "directory": "tools/cip103-conformance"
+    }
+}

tools/cip103-conformance/provider.config.browser-extension.example.json

@@ -0,0 +1,11 @@
+{
+    "name": "Example Browser Extension Wallet",
+    "version": "1.0.0",
+    "endpoint": "http://127.0.0.1:12481/json-rpc",
+    "timeoutMs": 10000,
+    "headers": {
+        "x-provider-kind": "browser-extension"
+    },
+    "extensionId": "abcdefghijklmnoabcdefghijklmn",
+    "injectedNamespace": "window.canton"
+}

tools/cip103-conformance/provider.config.remote.example.json

@@ -0,0 +1,6 @@
+{
+    "name": "Example Wallet Provider",
+    "version": "0.0.0",
+    "endpoint": "http://localhost:8081/json-rpc",
+    "timeoutMs": 10000
+}

tools/cip103-conformance/src/artifact.ts

@@ -0,0 +1,96 @@
+// Copyright (c) 2025-2026 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import { createPrivateKey, createPublicKey, sign, verify } from 'node:crypto'
+import { readFile, writeFile } from 'node:fs/promises'
+import { dirname, resolve } from 'node:path'
+import { mkdir } from 'node:fs/promises'
+import { ArtifactSchema, type Artifact } from './schemas'
+
+function canonicalize(value: unknown): string {
+    if (Array.isArray(value)) {
+        return `[${value.map(canonicalize).join(',')}]`
+    }
+    if (value && typeof value === 'object') {
+        const entries = Object.entries(value as Record<string, unknown>).sort(
+            ([a], [b]) => a.localeCompare(b)
+        )
+        return `{${entries
+            .map(([key, val]) => `${JSON.stringify(key)}:${canonicalize(val)}`)
+            .join(',')}}`
+    }
+    return JSON.stringify(value)
+}
+
+function toSignPayload(artifact: Artifact): Buffer {
+    const unsigned = { ...artifact, signature: undefined }
+    return Buffer.from(canonicalize(unsigned), 'utf8')
+}
+
+export async function writeArtifact(
+    path: string,
+    artifact: Artifact
+): Promise<void> {
+    const absolutePath = resolve(process.cwd(), path)
+    await mkdir(dirname(absolutePath), { recursive: true })
+    await writeFile(
+        absolutePath,
+        `${JSON.stringify(artifact, null, 2)}\n`,
+        'utf8'
+    )
+}
+
+export async function readArtifact(path: string): Promise<Artifact> {
+    const absolutePath = resolve(process.cwd(), path)
+    const raw = await readFile(absolutePath, 'utf8')
+    return ArtifactSchema.parse(JSON.parse(raw))
+}
+
+export async function signArtifact(
+    artifact: Artifact,
+    privateKeyPath: string,
+    keyId?: string
+): Promise<Artifact> {
+    const rawKey = await readFile(
+        resolve(process.cwd(), privateKeyPath),
+        'utf8'
+    )
+    const privateKey = createPrivateKey(rawKey)
+    const signature = sign(null, toSignPayload(artifact), privateKey).toString(
+        'base64'
+    )
+    return {
+        ...artifact,
+        signature: {
+            algorithm: 'ed25519',
+            value: signature,
+            keyId,
+        },
+    }
+}
+
+export async function verifyArtifactSignature(
+    artifact: Artifact,
+    publicKeyPath: string
+): Promise<boolean> {
+    if (!artifact.signature) {
+        return false
+    }
+    const rawKey = await readFile(resolve(process.cwd(), publicKeyPath), 'utf8')
+    const publicKey = createPublicKey(rawKey)
+    return verify(
+        null,
+        toSignPayload(artifact),
+        publicKey,
+        Buffer.from(artifact.signature.value, 'base64')
+    )
+}
+
+export function toBadgeData(artifact: Artifact): Record<string, unknown> {
+    return {
+        schemaVersion: 1,
+        label: `cip-103 ${artifact.profile}`,
+        message: artifact.summary.status,
+        color: artifact.summary.status === 'pass' ? 'green' : 'red',
+    }
+}