Skip to content

Release: zero-setup onboarding, browser login, agent command#126

Open
JamesLawton wants to merge 86 commits into
mainfrom
staging
Open

Release: zero-setup onboarding, browser login, agent command#126
JamesLawton wants to merge 86 commits into
mainfrom
staging

Conversation

@JamesLawton

Copy link
Copy Markdown
Collaborator

Promotes the accumulated staging work to production. Merging this deploys the production oidc-relay and agentconnect UI and opens the changesets version PR; merging that version PR publishes @polygonlabs/agent-cli to npm.

What ships

  • agent wallet login is the entire onboarding. agent is the primary command (polygon-agent stays as an alias). Login opens the agentconnect page (Google or email), a relay pairing session hands the result back to the CLI which drives the SDK auth locally, and the page lands the user on the agentconnect dashboard.
  • Zero setup. The CLI ships a default OMS publishable key and auto-provisions a Sequence Builder project + access key (indexer and Trails quota) on first login, best-effort. OMS_PUBLISHABLE_KEY (renamed from SEQUENCE_PUBLISHABLE_KEY) and setup --oms-publishable-key remain overrides.
  • Dashboard + funding are one app: Add funds opens the Trails widget in a modal; the fund deep link opens the same modal.
  • x402 discovery skill refreshed to the live agentic-services catalog; x402-pay picks the cheapest Polygon USDC option and sets JSON content-type.
  • Tooling migrated to changesets + shared workflows (prior changeset).

Production cutover in this PR

  • oidc-relay production route uncommented → the merge deploys oidc-relay.polygon.technology (wrangler provisions the custom domain).
  • CLI defaults flipped from staging to the production relay + agentconnect domains.
  • agentconnect production config defaults to the production relay (no env var needed).

Gate before the npm publish (version PR)

  • Confirm oidc-relay.polygon.technology is reachable after this merge's relay deploy.
  • Confirm Sequence has allowlisted https://oidc-relay.polygon.technology/api/oidc/cb as a redirect target (required for the Google leg; the staging callback was already allowlisted).
  • One real production agent wallet login round-trips (Google + email).

🤖 Generated with Claude Code

AkshatGada and others added 30 commits June 10, 2026 16:28
Phase 1 + core Phase 2 of the migration from @0xsequence/dapp-client
(delegated browser-approved sessions) to @0xsequence/typescript-sdk
(OMSClient embedded wallet, email login). Additive and flag-gated —
the legacy path is unchanged and remains the default.

New:
- lib/oms-storage.ts: encrypted file-backed StorageManager + persisted
  EthereumPrivateKeyCredentialSigner key (survives process restarts).
- lib/oms-client.ts: getOmsClient(walletName) singleton.
- lib/oms-tx.ts: runOmsTx — drop-in for runDappClientTx; maps the
  {to,data,value}[] interface onto oms.wallet.sendTransaction with ported
  fee selection (prefer native or USDC, gated on availableRaw).
- lib/tx-dispatch.ts: runTx routes to OMS when POLYGON_AGENT_OMS is set.
- wallet login (email OTP) + wallet logout; list/address handle OMS pointers.

Changed:
- storage.ts: export GCM helpers; add OmsConfig/OmsWalletPointer + helpers
  and bootstrapOmsConfig.
- All 17 runDappClientTx call sites now import runTx via the dispatch shim.
- utils.ts: getReadRpcUrl with public-RPC fallback (OMS has no nodes access key).
- x402-pay receipt poll uses getReadRpcUrl instead of session.projectAccessKey.

Verified end-to-end on Polygon mainnet: email login -> persisted session ->
call with POLYGON_AGENT_OMS=1 -> on-chain USDC transfer
(tx 0xb5e35f2f74fcdb75ccd453e23af4e0d3a88f60e383f00fb2e0e43cbf41613ba1).
… only path

Completes the migration from the dapp-client delegated-session model
(browser approval + relay + on-chain Sapient permission scoping) to the
Sequence V3 OMSClient embedded-wallet model. OMS is now the only path.

Removed:
- packages/connector-ui (browser approval UI) + its deploy workflow
- packages/shared (x25519/xchacha20 relay session crypto)
- src/lib/dapp-client.ts, src/lib/relay-client.ts
- wallet create/import (+ WalletCreateUI), AUTO_WHITELISTED_CONTRACTS,
  spending-limit / --contract scoping flags, relay storage helpers,
  bootstrapAccessKey, SequenceIndexer usage
- 12 legacy @0xsequence/* + tweetnacl deps (pnpm: +95 -894 packages)

Changed:
- balances + balances Ink UI now read via oms.indexer (publishableKey auth);
  no more projectAccessKey
- withdraw/x402 receipt polling uses getReadRpcUrl (public-RPC fallback)
- all tx commands resolve wallets via loadOmsWalletPointer; chain defaults
  to polygon (OMS wallets are chain-agnostic)
- tx-dispatch.runTx now wraps runOmsTx unconditionally
- CLAUDE.md updated for the OMS-only structure

Verified live on Polygon mainnet with no env flag: wallet login, balances
via oms.indexer, and a USDC transfer via `call`
(tx 0x1c7ff1df746bacab7930dc24ada694fa9061976164871ad3fb6bf3940eec2bdc).
Remove all references to the removed wallet create / browser approval /
--contract scoping / connector-ui flow across SKILL.md files and README.
Document wallet login (email OTP), setup --oms-* credentials, the call
command, and the no-permission-scoping V3 model.
Drop the dead "re-create with wallet create --contract" notes and the
Sapient-era error handling ("No signer supported", session-permission
rejection) from deposit and withdraw — these referred to the removed
dapp-client permission-scoping model and can't occur on the OMS path.
Deposit/withdraw now submit through runOmsTx directly; OMS session
errors are handled in the primitive. Also fix the setup TTY hint to
point at `wallet login` instead of the removed `wallet create`.
Add a `wallet login-browser` subcommand that signs in with Google through the
SDK's OIDC + PKCE redirect flow, using a short-lived localhost callback server.
The resulting session persists identically to email login, so balances, tx and
address resume with no re-login. The funding step is chained after a successful
login (skip with --no-fund).

- oidc-callback-server.ts: loopback server that captures the single callback URL
- oms-client.ts: pass the mandatory redirectAuthStorage; SEQUENCE_OIDC_RELAY_URI override
- oms-storage.ts: FileStorageManager subdir arg, isolating transient OIDC state
- storage.ts: widen loginMethod to email|oidc|google; email now optional
- operations.ts: extract showFunding so `fund` and post-login reuse one path

This is the same-machine flow (browser and CLI co-located). Remote login over a
relay is a follow-up.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A small Cloudflare Worker + Durable Object that lets the CLI complete browser
login from any machine, including a remote server where a localhost callback
can't be reached. The browser is redirected to the relay with the OAuth
code+state; the CLI polls for them and finishes the exchange itself. The PKCE
verifier never leaves the CLI, so the relay alone cannot complete a login.
Sessions are keyed by the OIDC state, single-use, with a 10-minute TTL.

Not yet wired into the CLI: the --remote poll path lands once Sequence
allowlists the relay's /api/oidc/cb as a redirect target. Deploy with
`npx wrangler` (kept out of the workspace dep graph to satisfy the repo's
trust policy).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…gration

# Conflicts:
#	packages/connector-ui/CHANGELOG.md
#	packages/connector-ui/package.json
#	packages/connector-ui/src/App.css
#	packages/connector-ui/src/index.css
#	packages/shared/CHANGELOG.md
#	packages/shared/package.json
#	pnpm-lock.yaml
JamesLawton and others added 11 commits July 15, 2026 10:34
feat: zero-setup onboarding (wallet login provisions everything)
Documentation and skills now show `agent <subcommand>` as the primary
invocation, with `polygon-agent` called out as the long-form alias
(both bin names run the same CLI). Package name, repo name, storage
paths, env vars, and the root pnpm script name are unchanged.
The no-session notice and expired-link screen showed polygon-agent
wallet login; update the displayed command to agent wallet login to
match the new primary CLI command name.
Comment thread packages/polygon-agent-cli/src/lib/oms-storage.ts Fixed
@claude

claude Bot commented Jul 15, 2026

Copy link
Copy Markdown

Code review

3 issues found. Checked for bugs and CLAUDE.md compliance.

Issue 1: Non-null assertion in App.tsx (line 360)
CLAUDE.md compliance — AGENTS.find((a) => a.id === selectedAgent)! uses a non-null assertion. Team standards prohibit ! assertions; use an if guard or ?? fallback instead.
File: packages/agentconnect-ui/src/App.tsx:360

Issue 2: Deprecated --remote flag referenced in SKILL.md (line 16)
CLAUDE.md compliance — SKILL.md tells users to add --remote on headless hosts, but CLAUDE.md states --remote is deprecated. The default flow already works remotely.
File: packages/polygon-agent-cli/skills/polygon-defi/SKILL.md:16
Contradicts: CLAUDE.md:37

Issue 3: CLAUDE.md duplicates source of truth (lines 35-39)
CLAUDE.md compliance — The new Wallet auth (OMS V3) section enumerates env var names, default URLs, CLI flags, file paths, and a session duration claim. Team standards require pointing to source files rather than copying values that will drift.
File: CLAUDE.md:35-39

@claude

claude Bot commented Jul 15, 2026

Copy link
Copy Markdown

Code Review

Issue: Deprecated --remote flag recommended in SKILL.md

File: packages/polygon-agent-cli/skills/polygon-defi/SKILL.md:16

Category: CLAUDE.md compliance

The new Session Prerequisites block instructs users to add --remote on headless/remote hosts:

On a headless/remote host add --remote (uses a public OIDC relay).

However, the CLAUDE.md added in this same PR states:

--remote is deprecated now that the default flow already works remotely.

The default wallet login flow already works on remote hosts via the agentconnect page. The --remote recommendation should be removed from line 16 of SKILL.md.

Suggested fix: Remove the sentence "On a headless/remote host add --remote (uses a public OIDC relay)." from line 16.

JamesLawton and others added 10 commits July 16, 2026 09:29
…on post error

isRelayReturn now requires an oauth callback param (code/state/error) rather
than any non-s query key, so a wrapped/tracked link (utm_*, gclid) pasted
into a browser no longer misfires a bogus relay callback post. The
oidc-callback post in LoginPage now awaits the result and dispatches a
terminal failed state on a false response, instead of leaving the user on
the finishing-sign-in spinner until the poll timeout. Also hoists the
duplicated isRelayReturn(window.location.search) call into one const.
feat: migrate embedded wallet to @polygonlabs/oms-wallet
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants