Modernize toolchain: pnpm 11, TypeScript 6, oxlint type-checking, dependency & security cleanup

.changeset/a2a-sdk-0-3-peer.md

@@ -0,0 +1,9 @@
+---
+"@agentcommercekit/ack-id": minor
+"agentcommercekit": minor
+---
+
+Bump the `@a2a-js/sdk` peer dependency from `^0.2.2` to `^0.3.0`. The 0.3 line
+reorganizes its entry points (server/client/express subpaths) and is not
+backward compatible with 0.2, so consumers of `@agentcommercekit/ack-id`'s A2A
+helpers must upgrade to `@a2a-js/sdk@^0.3.0`.

.changeset/remove-deprecated-aliases.md

@@ -0,0 +1,21 @@
+---
+"agentcommercekit": minor
+"@agentcommercekit/keys": minor
+"@agentcommercekit/did": minor
+"@agentcommercekit/ack-pay": minor
+---
+
+Remove previously deprecated APIs. These were thin aliases for their
+replacements; migrate callers as noted.
+
+- `@agentcommercekit/keys`
+  - `bytesToJwk` → `publicKeyBytesToJwk`
+  - `jwkToBytes` → `publicKeyJwkToBytes`
+  - `getCompressedPublicKey(keypair)` → `getPublicKeyFromPrivateKey(privateKey, curve, true)`
+- `@agentcommercekit/did`
+  - `DidPkhChainId` (type) → `Caip2ChainId`
+  - `isDidPkhChainId` → `isCaip2ChainId`
+  - `createBlockchainAccountId(address, chainId)` → `createCaip10AccountId(chainId, address)` (note the argument order)
+  - `didPkhChainIdSchema` (valibot + zod) → `caip2ChainIdSchema`
+- `@agentcommercekit/ack-pay`
+  - `createPaymentRequestBody` → `createSignedPaymentRequest` (returns `paymentRequestToken` instead of `paymentToken`)

.changeset/vc-public-api-tightening.md

@@ -0,0 +1,18 @@
+---
+"@agentcommercekit/vc": minor
+---
+
+Tighten two `@agentcommercekit/vc` public type signatures. These remove
+unchecked casts and are breaking only for callers that passed explicit type
+arguments:
+
+- `parseJwtCredential` no longer accepts a `<T extends W3CCredential>` type
+  parameter and now returns `Promise<Verifiable<W3CCredential>>`. The old
+  generic was an unchecked cast — the function cannot prove a decoded credential
+  matches an arbitrary `T`. Migration: drop the type argument and, if you need a
+  narrower type, parse/validate the returned `Verifiable<W3CCredential>` against
+  your own schema.
+- `createCredential` now returns `W3CCredential` instead of the generic `T`. The
+  `<T>` parameter still types `attestation`. Migration: if you relied on the
+  narrowed return type, assert or parse the returned `W3CCredential` at the call
+  site.

.oxlintrc.json

@@ -12,7 +12,10 @@
     "vitest"
   ],
   "globals": {},
-  "settings": {},
+  "options": {
+    "typeAware": true,
+    "typeCheck": true
+  },
   "categories": {
     "correctness": "error",
     "perf": "warn",
@@ -39,6 +42,14 @@
       "rules": {
         "typescript/no-explicit-any": "off"
       }
+    },
+    {
+      // Ambient module augmentation (*.d.ts) and test-matcher setup files rely
+      // on side-effect imports that cannot be assigned to a variable.
+      "files": ["**/*.d.ts", "**/vitest.setup.ts"],
+      "rules": {
+        "import/no-unassigned-import": "off"
+      }
     }
   ]
 }

AGENTS.md

@@ -13,7 +13,7 @@ TypeScript monorepo for verifiable AI identity (ACK-ID) and automated payment (A
 ```bash
 pnpm run setup                          # Install deps + build (safe to re-run)
 pnpm run build                          # Build all packages (turbo)
-pnpm run check                          # Full CI: build + types + lint + format + test
+pnpm run check                          # Full CI: build + lint (incl. type checking) + format + test
 pnpm run test                           # All tests
 pnpm run fix                            # lint:fix + format (oxlint + oxfmt)
 pnpm --filter ./packages/<name> test    # Single package test
@@ -36,8 +36,13 @@ agentcommercekit  (umbrella re-export)
 └── caip, keys  (leaves)
 ```
 
-- Each package builds with **tsdown** (not tsc), configured per-package in `tsdown.config.ts` with multiple entry points; outputs ESM `.js` + `.d.ts` to `dist/`.
-- `tools/` holds internal, unpublished workspace packages (`api-utils`, `cli-tools`, `typescript-config`).
+- Each package builds with **tsdown** (not tsc), configured per-package in `tsdown.config.ts` with multiple entry points; outputs ESM `.mjs` + `.d.mts` to `dist/` (tsdown defaults — the `package.json` `exports` must match these extensions).
+- `tools/` holds internal, unpublished workspace packages (`api-utils`, `cli-tools`).
+- Shared TypeScript config lives in the root `tsconfig.json`; each sub-project extends it via a relative path. The `examples/*` add `allowJs`/`jsx` on top.
+
+### Type checking
+
+There is **no `tsc`/`check:types` step**. Type checking runs through oxlint: `.oxlintrc.json` sets `options.typeAware` + `options.typeCheck` (backed by `oxlint-tsgolint`), so `pnpm run lint` reports TypeScript compiler diagnostics (e.g. `TS2322`) alongside lint findings. Type checking needs the workspace `dist/` present, so build first — `pnpm run check` runs `turbo build` before `turbo check`. Do not re-introduce per-package `tsc --noEmit` scripts.
 
 ### Dual Validation Schemas
 
@@ -53,7 +58,7 @@ Adding a new type requires updating both schema files **and** the `exports` map
 
 ### Dependencies
 
-- Exact versions enforced by `.npmrc` (`save-exact=true`).
+- Exact versions enforced by `saveExact: true` in `pnpm-workspace.yaml`.
 - Workspace deps use `workspace:*`; shared external versions use `catalog:` (pnpm catalog in `pnpm-workspace.yaml`).
 
 ## Testing

demos/e2e/package.json

@@ -17,7 +17,6 @@
   "type": "module",
   "main": "./src/index.ts",
   "scripts": {
-    "check:types": "tsc --noEmit",
     "clean": "git clean -fdX .turbo",
     "demo": "tsx ./src/index.ts",
     "test": "vitest"
@@ -27,8 +26,5 @@
     "agentcommercekit": "workspace:*",
     "valibot": "catalog:",
     "viem": "catalog:"
-  },
-  "devDependencies": {
-    "@repo/typescript-config": "workspace:*"
   }
 }

demos/e2e/src/verification.ts

@@ -73,7 +73,11 @@ export async function verifyAgentIdentityWithCredential(
     )
     return true
   } catch (error) {
-    log(errorMessage(`[verification] Credential verification error: ${error}`))
+    log(
+      errorMessage(
+        `[verification] Credential verification error: ${String(error)}`,
+      ),
+    )
     return false
   }
 }

demos/e2e/tsconfig.json

@@ -1,5 +1,5 @@
 {
-  "extends": "@repo/typescript-config/typescript-library.json",
+  "extends": "../../tsconfig.json",
   "compilerOptions": {
     "paths": {
       "@/*": ["./src/*"]

demos/identity-a2a/package.json

@@ -16,7 +16,6 @@
   },
   "type": "module",
   "scripts": {
-    "check:types": "tsc --noEmit",
     "clean": "git clean -fdX .turbo",
     "demo": "tsx ./src/run-demo.ts",
     "test": "vitest"
@@ -25,12 +24,11 @@
     "@a2a-js/sdk": "catalog:",
     "@repo/cli-tools": "workspace:*",
     "agentcommercekit": "workspace:*",
-    "express": "4.21.2",
+    "express": "5.2.1",
     "uuid": "catalog:",
     "valibot": "catalog:"
   },
   "devDependencies": {
-    "@repo/typescript-config": "workspace:*",
     "@types/express": "5.0.6"
   }
 }

demos/identity-a2a/src/agent.ts

@@ -8,13 +8,12 @@
  * - Authentication uses DID-based JWT signing and verification
  */
 
+import type { AgentCard, Message } from "@a2a-js/sdk"
 import type {
-  AgentCard,
   AgentExecutor,
   ExecutionEventBus,
-  Message,
   RequestContext,
-} from "@a2a-js/sdk"
+} from "@a2a-js/sdk/server"
 import { colors } from "@repo/cli-tools"
 import {
   createDidDocumentFromKeypair,

demos/identity-a2a/src/bank-client-agent.ts

@@ -1,11 +1,7 @@
 import type { Server } from "node:http"
 
-import {
-  A2AClient,
-  type AgentCard,
-  type Message,
-  type TextPart,
-} from "@a2a-js/sdk"
+import type { AgentCard, Message, TextPart } from "@a2a-js/sdk"
+import { A2AClient } from "@a2a-js/sdk/client"
 import { colors, createLogger, waitForEnter } from "@repo/cli-tools"
 import {
   curveToJwtAlgorithm,
@@ -69,7 +65,7 @@ class BankClientAgent extends Agent {
         `🌐 Client DID document available at: ${colors.dim("http://localhost:3000/.well-known/did.json")}`,
       )
     } catch (error) {
-      logger.log("❌ Failed to start Bank Client server:", error as Error)
+      logger.log("❌ Failed to start Bank Client server:", error)
       throw error
     }
 
@@ -288,7 +284,7 @@ class BankClientAgent extends Agent {
         "🏦 Bank Client: Thank you! I appreciate the secure identity verification process.",
       )
     } catch (error) {
-      logger.log("❌ Error accessing banking services:", error as Error)
+      logger.log("❌ Error accessing banking services:", error)
       if (error instanceof Error) {
         logger.log("Error message:", error.message)
         logger.log("Error stack:", error.stack ?? "No stack trace")
@@ -364,7 +360,7 @@ class BankClientAgent extends Agent {
       logger.log("✅ Identity verification successful!")
       return true
     } catch (error) {
-      logger.log("❌ Identity verification error:", error as Error)
+      logger.log("❌ Identity verification error:", error)
       return false
     }
   }
@@ -432,17 +428,15 @@ class BankClientAgent extends Agent {
         )
       }
     } catch (error) {
-      logger.log(
-        "❌ Failed to resolve bank teller DID document:",
-        error as Error,
-      )
+      logger.log("❌ Failed to resolve bank teller DID document:", error)
       throw error // Don't continue if we can't resolve the DID document
     }
   }
 }
 
 // Create a simple AgentCard for the client
 const agentCard: AgentCard = {
+  protocolVersion: "0.3.0",
   name: "Bank Client",
   description: "Banking services client",
   version: "1.0.0",

demos/identity-a2a/src/bank-teller-agent.ts

@@ -1,10 +1,9 @@
+import type { AgentCard, Message } from "@a2a-js/sdk"
 import {
   A2AError,
-  type AgentCard,
   type ExecutionEventBus,
-  type Message,
   type RequestContext,
-} from "@a2a-js/sdk"
+} from "@a2a-js/sdk/server"
 import { colors, createLogger, waitForEnter } from "@repo/cli-tools"
 import {
   curveToJwtAlgorithm,
@@ -181,7 +180,7 @@ class BankTellerAgent extends Agent {
 
       return message
     } catch (error) {
-      logger.log("❌ Identity verification error:", error as Error)
+      logger.log("❌ Identity verification error:", error)
       throw new A2AError(
         -32603,
         "Identity verification failed",
@@ -193,6 +192,7 @@ class BankTellerAgent extends Agent {
 }
 
 const agentCard: AgentCard = {
+  protocolVersion: "0.3.0",
   name: "Bank Teller Agent",
   description:
     "A digital bank teller agent that verifies customer identity and provides banking services",

demos/identity-a2a/src/utils/server-utils.ts

@@ -1,8 +1,5 @@
-import {
-  A2AExpressApp,
-  DefaultRequestHandler,
-  InMemoryTaskStore,
-} from "@a2a-js/sdk"
+import { DefaultRequestHandler, InMemoryTaskStore } from "@a2a-js/sdk/server"
+import { A2AExpressApp } from "@a2a-js/sdk/server/express"
 import { colors, createLogger, type Logger } from "@repo/cli-tools"
 import express from "express"
 
@@ -48,9 +45,8 @@ export function startAgentServer(
   // Add DID document endpoint for did:web resolution
   app.get("/.well-known/did.json", (req, res) => {
     logger.log("🔍 Request for DID document:", colors.dim(req.url))
-    const didDocument = agent.didDocument
     logger.log("🌐 Serving DID document for did:web resolution")
-    res.json(didDocument)
+    res.json(agent.didDocument)
   })
 
   logger.log(

demos/identity-a2a/tsconfig.json

@@ -1,5 +1,5 @@
 {
-  "extends": "@repo/typescript-config/typescript-library.json",
+  "extends": "../../tsconfig.json",
   "compilerOptions": {
     "paths": {
       "@/*": ["./src/*"]

demos/identity/package.json

@@ -17,27 +17,23 @@
   "type": "module",
   "main": "./src/index.ts",
   "scripts": {
-    "check:types": "tsc --noEmit",
     "clean": "git clean -fdX .turbo",
     "demo": "dotenv -e .env -- tsx ./src/index.ts",
     "setup": "./bin/setup",
     "test": "vitest"
   },
   "dependencies": {
-    "@ai-sdk/anthropic": "1.2.11",
-    "@ai-sdk/openai": "1.3.22",
-    "@ai-sdk/valibot": "0.1.28",
+    "@ai-sdk/anthropic": "3.0.85",
+    "@ai-sdk/openai": "3.0.74",
+    "@ai-sdk/valibot": "2.0.31",
     "@hono/node-server": "catalog:",
     "@hono/standard-validator": "catalog:",
     "@repo/api-utils": "workspace:*",
     "@repo/cli-tools": "workspace:*",
     "agentcommercekit": "workspace:*",
-    "ai": "4.3.16",
+    "ai": "6.0.209",
     "hono": "catalog:",
     "valibot": "catalog:",
     "zod": "catalog:"
-  },
-  "devDependencies": {
-    "@repo/typescript-config": "workspace:*"
   }
 }

demos/identity/src/agent.ts

@@ -14,7 +14,7 @@ import {
   type Verifiable,
   type W3CCredential,
 } from "agentcommercekit"
-import type { CoreMessage } from "ai"
+import type { ModelMessage } from "ai"
 
 import type { CredentialVerifier } from "./credential-verifier"
 
@@ -28,7 +28,7 @@ interface AgentConstructorParams {
 
 type RunResult = {
   text: string
-  responseMessages: CoreMessage[]
+  responseMessages: ModelMessage[]
 }
 
 export abstract class Agent {
@@ -42,7 +42,7 @@ export abstract class Agent {
 
   ownershipVc?: Verifiable<W3CCredential>
 
-  private messages: CoreMessage[] = []
+  private messages: ModelMessage[] = []
 
   constructor({
     resolver,
@@ -128,12 +128,12 @@ export abstract class Agent {
       content: prompt,
     })
 
-    const result = await this._run(this.messages)
+    const result = await this.runInternal(this.messages)
 
     this.messages.push(...result.responseMessages)
 
     return result.text
   }
 
-  protected abstract _run(messages: CoreMessage[]): Promise<RunResult>
+  protected abstract runInternal(messages: ModelMessage[]): Promise<RunResult>
 }