Problem
The SDK signing path relies on third-party packages for signer construction, smart-wallet address derivation, calldata building, and protocol validation. The published package manifest currently allows consumers to resolve versions outside the graph CI exercised, while hosted-wallet SDK peers are hard, unbounded, and reachable through eager value exports.
This overlaps #131, which tracks peer dependency install/build behavior. This issue covers the broader manifest and lazy-export hardening from the prod-ready planning ticket.
Solution
- Constrain signing-path runtime dependency ranges, especially `viem`, `permissionless`, and Morpho packages, to tested minor bands.
- Move `viem` to a peer dependency with a matching dev dependency so consumers can dedupe to the tested boundary.
- Add upper bounds to hosted-wallet peer ranges.
- Mark hosted-wallet peers optional in `peerDependenciesMeta`.
- Avoid eager value exports that pull optional hosted-wallet packages into consumers that do not use them.
Acceptance criteria
- `packages/sdk/package.json` constrains signing-path packages to the tested bands.
- `>=` ranges.
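A check for the manifest rules listed above, as an added example that is not code from this repository: it flags signing-path ranges wider than one minor band, unbounded hosted-wallet peer ranges, and hosted-wallet peers not marked optional in `peerDependenciesMeta`. The `@example/hosted-wallet` name, all version numbers, and the simplified range matching (regular expressions rather than a full semver parser) are assumptions.

```javascript
// Added example: audit a package.json object against the rules in this issue.
// "@example/hosted-wallet" and every version number are constructed placeholders.

// No upper bound: ">=1.0.0", ">1", "*", "latest", or any such alternative in "a || b".
function isUnbounded(range) {
  return range.split("||").some((part) => {
    const r = part.trim();
    return ["", "*", "x", "latest"].includes(r) || (/^>=?\s*\d/.test(r) && !r.includes("<"));
  });
}

// Stays inside one minor line: "~1.2.3", "1.2.x", exact "1.2.3", "^0.2.3", ">=1.2.0 <1.3.0".
function isMinorBand(range) {
  const r = range.trim();
  if (/^~\d+\.\d+(\.\d+)?$/.test(r) || /^\d+\.\d+\.(\d+|x|\*)$/.test(r)) return true;
  if (/^\^0\.\d+\.\d+$/.test(r)) return true; // caret on 0.x does not cross the minor
  const m = r.match(/^>=\s*(\d+)\.(\d+)\.\d+\s+<\s*(\d+)\.(\d+)\.0$/);
  return m !== null && m[1] === m[3] && Number(m[4]) === Number(m[2]) + 1;
}

function auditManifest(pkg, signingPath, hostedPeers) {
  const { dependencies: deps = {}, peerDependencies: peers = {},
          devDependencies: dev = {}, peerDependenciesMeta: meta = {} } = pkg;
  const findings = [];
  for (const name of signingPath) {
    const range = deps[name] ?? peers[name];
    if (range === undefined) findings.push(`${name}: not declared`);
    else if (!isMinorBand(range)) findings.push(`${name}: "${range}" exceeds one minor band`);
  }
  if ("viem" in deps) findings.push("viem: runtime dependency, should be a peer");
  else if ("viem" in peers && !("viem" in dev)) findings.push("viem: peer has no matching dev dependency");
  for (const name of hostedPeers.filter((n) => n in peers)) {
    if (isUnbounded(peers[name])) findings.push(`${name}: peer range "${peers[name]}" is unbounded`);
    if (meta[name]?.optional !== true) findings.push(`${name}: peer is not marked optional`);
  }
  return findings;
}

// Constructed manifests: the shape the issue describes, then the hardened shape.
const before = {
  dependencies: { viem: "^2.0.0", permissionless: "^0.2.0" },
  peerDependencies: { "@example/hosted-wallet": ">=1.0.0" },
};
const after = {
  dependencies: { permissionless: "~0.2.10" },
  peerDependencies: { viem: "~2.21.0", "@example/hosted-wallet": ">=1.4.0 <2.0.0" },
  devDependencies: { viem: "~2.21.0" },
  peerDependenciesMeta: { "@example/hosted-wallet": { optional: true } },
};
console.log(auditManifest(before, ["viem", "permissionless"], ["@example/hosted-wallet"]));
```

Run in CI against the published manifest, a non-empty result can fail the build; the Morpho package names would be added to the `signingPath` list.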