agentcommercekit · venables · Jun 20, 2026 · Jun 20, 2026 · Jun 20, 2026 · Jun 20, 2026
diff --git a/.changeset/keys-noble-curves-v2.md b/.changeset/keys-noble-curves-v2.md
@@ -0,0 +1,8 @@
+---
+"@agentcommercekit/keys": minor
+---
+
+Upgrade cryptographic dependencies to their latest majors (@noble/curves 2,
+@solana/codecs-strings 6, multiformats 14, uint8arrays 6) and migrate the curve
+modules to the @noble/curves v2 API. The public API of `@agentcommercekit/keys`
+is unchanged.
diff --git a/demos/identity-a2a/package.json b/demos/identity-a2a/package.json
@@ -26,8 +26,6 @@
     "@repo/cli-tools": "workspace:*",
     "agentcommercekit": "workspace:*",
     "express": "4.21.2",
-    "jose": "catalog:",
-    "safe-stable-stringify": "catalog:",
     "uuid": "catalog:",
     "valibot": "catalog:"
   },

diff --git a/demos/identity-a2a/src/bank-client-agent.ts b/demos/identity-a2a/src/bank-client-agent.ts
@@ -35,7 +35,7 @@ import { startAgentServer } from "./utils/server-utils"
 
 const logger = createLogger("Bank Customer", colors.green)
 
-export class BankClientAgent extends Agent {
+class BankClientAgent extends Agent {
   private a2aServerUrl: string | undefined = undefined // Will be discovered from DID document
   private server: Server | undefined = undefined // Server instance for cleanup
 

diff --git a/demos/identity-a2a/src/issuer.ts b/demos/identity-a2a/src/issuer.ts
@@ -13,7 +13,7 @@ import {
 const issuerKeypair = await generateKeypair("Ed25519")
 
 export const issuerDid = createDidKeyUri(issuerKeypair)
-export const issuerDidDocument = createDidDocumentFromKeypair({
+const issuerDidDocument = createDidDocumentFromKeypair({
   did: issuerDid,
   keypair: issuerKeypair,
 })

diff --git a/demos/identity-a2a/src/utils/response-parsers.ts b/demos/identity-a2a/src/utils/response-parsers.ts
@@ -4,12 +4,6 @@ import type {
   SendMessageSuccessResponse,
 } from "@a2a-js/sdk"
 
-export function isRpcSuccessResponse(
-  resp: SendMessageResponse,
-): resp is SendMessageSuccessResponse {
-  return "result" in resp
-}
-
 export function isRpcErrorResponse(
   resp: SendMessageResponse,
 ): resp is JSONRPCErrorResponse {

diff --git a/demos/identity/package.json b/demos/identity/package.json
@@ -34,7 +34,8 @@
     "agentcommercekit": "workspace:*",
     "ai": "4.3.16",
     "hono": "catalog:",
-    "valibot": "catalog:"
+    "valibot": "catalog:",
+    "zod": "catalog:"
   },
   "devDependencies": {
     "@repo/typescript-config": "workspace:*"

diff --git a/demos/payments/package.json b/demos/payments/package.json
@@ -27,7 +27,6 @@
     "@hono/node-server": "catalog:",
     "@repo/api-utils": "workspace:*",
     "@repo/cli-tools": "workspace:*",
-    "@solana-program/system": "^0.9.0",
     "@solana-program/token": "^0.6.0",
     "@solana/kit": "^4.0.0",
     "agentcommercekit": "workspace:*",

diff --git a/demos/payments/src/constants.ts b/demos/payments/src/constants.ts
@@ -2,6 +2,7 @@ import path from "node:path"
 
 import { caip2ChainIds } from "agentcommercekit"
 import { createPublicClient, http } from "viem"
+import type { HttpTransport, PublicClient } from "viem"
 import { baseSepolia } from "viem/chains"
 
 /**
@@ -23,10 +24,11 @@ export const envFilePath = path.resolve(currentDir, "..", ".env")
 export const chain = baseSepolia
 export const chainId = caip2ChainIds.baseSepolia
 export const usdcAddress = "0x036CbD53842c5426634e7929541eC2318f3dCF7e"
-export const publicClient = createPublicClient({
-  chain,
-  transport: http(),
-})
+export const publicClient: PublicClient<HttpTransport, typeof baseSepolia> =
+  createPublicClient({
+    chain,
+    transport: http(),
+  })
 
 export const solana = {
   chainId: caip2ChainIds.solanaDevnet,

diff --git a/demos/skyfire-kya/src/kya-token.ts b/demos/skyfire-kya/src/kya-token.ts
@@ -9,7 +9,7 @@ import { jwtPayloadSchema } from "agentcommercekit/schemas/zod/v4"
 import { decodeJwt } from "jose"
 import * as z from "zod/v4"
 
-export const skyfireKyaJwtPayloadSchema = z.object({
+const skyfireKyaJwtPayloadSchema = z.object({
   ...jwtPayloadSchema.shape,
   ssi: z.string(),
   jti: z.string(),

diff --git a/demos/skyfire-kya/src/skyfire-kya-ack-id.ts b/demos/skyfire-kya/src/skyfire-kya-ack-id.ts
@@ -2,7 +2,6 @@ import {
   bytesToBase64url,
   type DidUri,
   type DidWebUri,
-  type JwtPayload,
   type JwtString,
   type Verifiable,
   type W3CCredential,
@@ -120,12 +119,6 @@ export function getOwnerDidFromVC(
     : undefined
 }
 
-export interface SkyFireKYAPayload extends JwtPayload {
-  bid: Record<string, unknown> // buyer identity data
-  ssi: string // seller service id
-  jti: string
-}
-
 // create ack-id compatible verification for services
 export async function verifySkyfireKyaAsAckId(
   jwks: jose.JSONWebKeySet,

diff --git a/examples/issuer/.env.example b/examples/issuer/.env.example
@@ -1,2 +1,8 @@
 BASE_URL="http://localhost:3456"
 NODE_ENV="development"
+
+# Local-development ONLY: when "true", accept unsigned request payloads with an
+# `X-Payload-Issuer` header instead of a signed JWT. This bypasses signature
+# verification (authentication), so it is off by default. Never enable it in a
+# deployed environment.
+# ALLOW_UNSIGNED_PAYLOADS="true"
diff --git a/examples/issuer/README.md b/examples/issuer/README.md
@@ -33,7 +33,7 @@ To simplify the development experience, this API uses a SQLite database. In a pr
 
 All API endpoints require a **signed payload** to prove ownership of the DIDs involved. This payload is a JWT of the request parameters, signed using your DID.
 
-In local development, each endpoint accepts a `X-Payload-Issuer` header with a DID-URI as a value. This bypasses the signed payload requirement, and simulates that you signed by the payload. NOTE: This `did` MUST be resolvable, which makes using the [`local-did-host`](../local-did-host/) server helpful.
+In local development, you can bypass the signed payload requirement by setting `ALLOW_UNSIGNED_PAYLOADS="true"` in your `.env` and sending an `X-Payload-Issuer` header with a DID-URI as its value. This simulates that you signed the payload, and is **off by default** — never enable it outside local development, as it disables authentication. NOTE: This `did` MUST be resolvable, which makes using the [`local-did-host`](../local-did-host/) server helpful.
 
 ### Response format
 

diff --git a/examples/issuer/package.json b/examples/issuer/package.json
@@ -26,17 +26,17 @@
   },
   "dependencies": {
     "@hono/node-server": "catalog:",
-    "@libsql/client": "0.15.15",
+    "@libsql/client": "0.17.4",
     "@repo/api-utils": "workspace:*",
     "agentcommercekit": "workspace:*",
     "bit-buffers": "catalog:",
-    "drizzle-orm": "0.43.1",
+    "drizzle-orm": "0.45.2",
     "hono": "catalog:",
     "valibot": "catalog:"
   },
   "devDependencies": {
     "@repo/typescript-config": "workspace:*",
-    "drizzle-kit": "0.31.9",
-    "vite-tsconfig-paths": "5.1.4"
+    "drizzle-kit": "0.31.10",
+    "vite-tsconfig-paths": "6.1.1"
   }
 }
diff --git a/knip.json b/knip.json
@@ -0,0 +1,17 @@
+{
+  "$schema": "https://unpkg.com/knip@6/schema.json",
+  "rules": {
+    "duplicates": "warn"
+  },
+  "workspaces": {
+    "examples/issuer": {
+      "entry": ["bin/*.ts"]
+    },
+    "examples/local-did-host": {
+      "entry": ["bin/*.ts"]
+    },
+    "examples/verifier": {
+      "entry": ["bin/*.ts"]
+    }
+  }
+}
diff --git a/package.json b/package.json
@@ -30,6 +30,7 @@
     "dev:examples": "turbo dev",
     "fix": "turbo build && turbo fix",
     "format": "oxfmt --write .",
+    "knip": "knip",
     "lint": "oxlint --type-aware",
     "lint:fix": "pnpm run lint -- --fix --fix-suggestions",
     "nuke": "pnpm run clean && git clean -xdf demos/**/node_modules docs/**/node_modules examples/**/node_modules packages/**/node_modules tools/**/node_modules node_modules",
@@ -40,22 +41,23 @@
     "test": "turbo test --env-mode=loose"
   },
   "devDependencies": {
-    "@changesets/changelog-github": "0.5.2",
-    "@changesets/cli": "2.29.8",
+    "@changesets/changelog-github": "0.7.0",
+    "@changesets/cli": "2.31.0",
     "@repo/typescript-config": "workspace:*",
     "@types/node": "24.9.2",
     "dotenv-cli": "11.0.0",
+    "knip": "6.17.1",
     "oxfmt": "0.35.0",
     "oxlint": "1.50.0",
     "oxlint-tsgolint": "0.14.2",
     "tsdown": "0.15.11",
-    "tsx": "4.21.0",
-    "turbo": "2.8.10",
+    "tsx": "4.22.4",
+    "turbo": "2.9.18",
     "typescript": "5.9.3",
-    "vitest": "4.0.18"
+    "vitest": "4.1.9"
   },
   "engines": {
-    "node": ">=22",
+    "node": ">=22.13.0",
     "pnpm": ">=10"
   },
   "packageManager": "pnpm@10.20.0"

diff --git a/packages/keys/package.json b/packages/keys/package.json
@@ -56,10 +56,10 @@
     "test": "vitest"
   },
   "dependencies": {
-    "@noble/curves": "1.9.1",
-    "@solana/codecs-strings": "2.1.1",
-    "multiformats": "13.4.2",
-    "uint8arrays": "5.1.0"
+    "@noble/curves": "2.2.0",
+    "@solana/codecs-strings": "6.10.0",
+    "multiformats": "14.0.0",
+    "uint8arrays": "6.1.1"
   },
   "devDependencies": {
     "@repo/typescript-config": "workspace:*"

diff --git a/packages/keys/src/curves/ed25519.ts b/packages/keys/src/curves/ed25519.ts
@@ -1,12 +1,12 @@
-import { ed25519 } from "@noble/curves/ed25519"
+import { ed25519 } from "@noble/curves/ed25519.js"
 
 import type { Keypair } from "../keypair"
 
 /**
  * Generate a random private key using the Ed25519 curve
  */
 export function generatePrivateKeyBytes(): Uint8Array {
-  return ed25519.utils.randomPrivateKey()
+  return ed25519.utils.randomSecretKey()
 }
 
 /**
@@ -42,7 +42,7 @@ export function isValidPublicKey(pubkey: Uint8Array): boolean {
   }
 
   try {
-    ed25519.ExtendedPoint.fromHex(pubkey)
+    ed25519.Point.fromBytes(pubkey)
     return true
   } catch {
     return false

diff --git a/packages/keys/src/curves/secp256k1.ts b/packages/keys/src/curves/secp256k1.ts
@@ -1,12 +1,12 @@
-import { secp256k1 } from "@noble/curves/secp256k1"
+import { secp256k1 } from "@noble/curves/secp256k1.js"
 
 import type { Keypair } from "../keypair"
 
 /**
  * Generate a random private key using the secp256k1 curve
  */
 export function generatePrivateKeyBytes(): Uint8Array {
-  return secp256k1.utils.randomPrivateKey()
+  return secp256k1.utils.randomSecretKey()
 }
 
 /**
@@ -46,7 +46,7 @@ export function isValidPublicKey(pubkey: Uint8Array): boolean {
   }
 
   try {
-    secp256k1.ProjectivePoint.fromHex(pubkey)
+    secp256k1.Point.fromBytes(pubkey)
     return true
   } catch {
     return false

diff --git a/packages/keys/src/curves/secp256r1.ts b/packages/keys/src/curves/secp256r1.ts
@@ -1,12 +1,12 @@
-import { secp256r1 } from "@noble/curves/p256"
+import { p256 as secp256r1 } from "@noble/curves/nist.js"
 
 import type { Keypair } from "../keypair"
 
 /**
  * Generate a random private key using the secp256r1 curve
  */
 export function generatePrivateKeyBytes(): Uint8Array {
-  return secp256r1.utils.randomPrivateKey()
+  return secp256r1.utils.randomSecretKey()
 }
 
 /**
@@ -35,7 +35,7 @@ export async function generateKeypair(
 }
 
 /**
- * Check if a public key is a valid secp256k1 public key (either compressed or
+ * Check if a public key is a valid secp256r1 public key (either compressed or
  * uncompressed)
  * @param pubkey - The public key bytes to check
  * @returns true if the public key is valid, false otherwise
@@ -46,7 +46,7 @@ export function isValidPublicKey(pubkey: Uint8Array): boolean {
   }
 
   try {
-    secp256r1.ProjectivePoint.fromHex(pubkey)
+    secp256r1.Point.fromBytes(pubkey)
     return true
   } catch {
     return false