feat: connect guardian

.github/workflows/ci.yml

@@ -116,6 +116,19 @@ jobs:
           path: examples/demo-app/playwright-report/
           retention-days: 3
 
+      # Run Guardian E2E tests (reuses same Anvil + bundler setup)
+      - name: Install Playwright Chromium Browser for Guardian tests
+        run: pnpm exec playwright install chromium
+        working-directory: packages/auth-server
+      - name: Run Guardian e2e tests
+        run: pnpm nx e2e:guardian auth-server
+      - uses: actions/upload-artifact@v4
+        if: ${{ !cancelled() }}
+        with:
+          name: auth-server-guardian-playwright-report
+          path: packages/auth-server/playwright-report/
+          retention-days: 3
+
   # e2e-nft-quest:
   #   runs-on: ubuntu-latest
   #   defaults:

cspell-config/cspell-packages.txt

@@ -8,3 +8,4 @@ levischuck
 ofetch
 reown
 jose
+pinia

examples/demo-app/project.json

@@ -120,6 +120,14 @@
       },
       "dependsOn": ["e2e:setup"]
     },
+    "e2e:guardian": {
+      "executor": "nx:run-commands",
+      "options": {
+        "cwd": "examples/demo-app",
+        "command": "PW_TEST_HTML_REPORT_OPEN=never playwright test tests/guardian.spec.ts --config=playwright-erc4337.config.ts"
+      },
+      "dependsOn": ["e2e:setup:erc4337"]
+    },
     "e2e:demo-only": {
       "executor": "nx:run-commands",
       "options": {

examples/demo-app/scripts/deploy-msa-anvil.sh

@@ -60,6 +60,10 @@ cast send "$PAYMASTER" --value 10ether --private-key "$ANVIL_ACCOUNT_0_KEY" --rp
 echo "💳 Depositing 10 ETH into EntryPoint for paymaster..."
 cast send "$PAYMASTER" "deposit()" --value 10ether --private-key "$ANVIL_ACCOUNT_0_KEY" --rpc-url "$RPC_URL" 2>&1 || echo "Deposit initiated"
 
+# Add stake to the paymaster (required for ERC-4337)
+echo "🔒 Adding stake to paymaster (1 day unlock delay)..."
+cast send "$PAYMASTER" "addStake(uint32)" 86400 --value 1ether --private-key "$ANVIL_ACCOUNT_0_KEY" --rpc-url "$RPC_URL" 2>&1 || echo "Stake added"
+
 # Verify all addresses were extracted
 if [ -z "$EOA_VALIDATOR" ] || [ -z "$SESSION_VALIDATOR" ] || [ -z "$WEBAUTHN_VALIDATOR" ] || \
   [ -z "$GUARDIAN_EXECUTOR" ] || [ -z "$ACCOUNT_IMPL" ] || [ -z "$BEACON" ] || [ -z "$FACTORY" ] || [ -z "$PAYMASTER" ]; then

packages/auth-server-api/src/config.ts

@@ -17,6 +17,7 @@ let contractsFromFile: {
   eoaValidator?: string;
   webauthnValidator?: string;
   sessionValidator?: string;
+  guardianExecutor?: string;
 } = {};
 
 try {
@@ -38,6 +39,7 @@ const envSchema = z.object({
   EOA_VALIDATOR_ADDRESS: z.string().optional(),
   WEBAUTHN_VALIDATOR_ADDRESS: z.string().optional(),
   SESSION_VALIDATOR_ADDRESS: z.string().optional(),
+  GUARDIAN_EXECUTOR_ADDRESS: z.string().optional(),
   // Prividium Mode Configuration
   PRIVIDIUM_MODE: z.string().transform((v) => v === "true").default("false"),
   PRIVIDIUM_PERMISSIONS_BASE_URL: z.string().optional(),
@@ -79,6 +81,7 @@ const FACTORY_ADDRESS = env.FACTORY_ADDRESS || contractsFromFile.factory;
 const EOA_VALIDATOR_ADDRESS = env.EOA_VALIDATOR_ADDRESS || contractsFromFile.eoaValidator;
 const WEBAUTHN_VALIDATOR_ADDRESS = env.WEBAUTHN_VALIDATOR_ADDRESS || contractsFromFile.webauthnValidator;
 const SESSION_VALIDATOR_ADDRESS = env.SESSION_VALIDATOR_ADDRESS || contractsFromFile.sessionValidator;
+const GUARDIAN_EXECUTOR_ADDRESS = env.GUARDIAN_EXECUTOR_ADDRESS || contractsFromFile.guardianExecutor;
 
 // Validate that we have all required contract addresses
 if (!FACTORY_ADDRESS || !EOA_VALIDATOR_ADDRESS || !WEBAUTHN_VALIDATOR_ADDRESS || !SESSION_VALIDATOR_ADDRESS) {
@@ -162,4 +165,4 @@ const rateLimitConfig = {
   deployWindowMs: parseInt(env.RATE_LIMIT_DEPLOY_WINDOW_MS, 10),
 };
 
-export { env, EOA_VALIDATOR_ADDRESS, FACTORY_ADDRESS, getChain, prividiumConfig, rateLimitConfig, SESSION_VALIDATOR_ADDRESS, SUPPORTED_CHAINS, WEBAUTHN_VALIDATOR_ADDRESS };
+export { env, EOA_VALIDATOR_ADDRESS, FACTORY_ADDRESS, getChain, GUARDIAN_EXECUTOR_ADDRESS, prividiumConfig, rateLimitConfig, SESSION_VALIDATOR_ADDRESS, SUPPORTED_CHAINS, WEBAUTHN_VALIDATOR_ADDRESS };

packages/auth-server-api/src/handlers/deploy-account.ts

@@ -4,7 +4,7 @@ import { privateKeyToAccount } from "viem/accounts";
 import { waitForTransactionReceipt } from "viem/actions";
 import { getAccountAddressFromLogs, prepareDeploySmartAccount } from "zksync-sso-4337/client";
 
-import { env, EOA_VALIDATOR_ADDRESS, FACTORY_ADDRESS, getChain, prividiumConfig, SESSION_VALIDATOR_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS } from "../config.js";
+import { env, EOA_VALIDATOR_ADDRESS, FACTORY_ADDRESS, getChain, GUARDIAN_EXECUTOR_ADDRESS, prividiumConfig, SESSION_VALIDATOR_ADDRESS, WEBAUTHN_VALIDATOR_ADDRESS } from "../config.js";
 import { deployAccountSchema } from "../schemas.js";
 import { addAddressToUser, createProxyTransport, getAdminAuthService, whitelistContract } from "../services/prividium/index.js";
 
@@ -79,6 +79,8 @@ export const deployAccountHandler = async (req: Request, res: Response): Promise
     }
 
     // Prepare deployment transaction
+    const executorModulesToInstall = GUARDIAN_EXECUTOR_ADDRESS ? [GUARDIAN_EXECUTOR_ADDRESS as Address] : [];
+
     const { transaction, accountId } = prepareDeploySmartAccount({
       contracts: {
         factory: FACTORY_ADDRESS as Address,
@@ -96,6 +98,7 @@ export const deployAccountHandler = async (req: Request, res: Response): Promise
       eoaSigners: body.eoaSigners,
       userId: body.userId,
       installSessionValidator: true,
+      executorModules: executorModulesToInstall,
     });
 
     console.log("Deploying account with ID:", accountId);