v0.7.7

What's Changed

• Add EIP-7702 signAuthorization by @julienbrg in #52
• Add origin-specific derived wallets by @julienbrg in #54
• Add reproducible builds by @julienbrg in #56
• Enforce origin isolation and prevent key material exposure by @julienbrg in #58

Full Changelog: v0.7.6...v0.7.7

🔐 Build Verification

IPFS CIDv1 Hash:

bafybeid4lxeev2nperciozegxexe6q22soz7pwhl234qoivt2ffbf3tbl4

Verify This Release

Option 1: Using w3pk SDK

import { verifyBuildHash } from 'w3pk'

const TRUSTED_HASH = 'bafybeid4lxeev2nperciozegxexe6q22soz7pwhl234qoivt2ffbf3tbl4'
const isValid = await verifyBuildHash(TRUSTED_HASH)

if (isValid) {
  console.log('✅ Build integrity verified!')
} else {
  console.error('⚠️ Build verification failed!')
}

Option 2: Build Locally

git clone https://github.com/w3hc/w3pk.git
cd w3pk
git checkout v0.7.7
pnpm install
pnpm build
pnpm build:hash
# Should output: bafybeid4lxeev2nperciozegxexe6q22soz7pwhl234qoivt2ffbf3tbl4

Option 3: Compare Multiple Sources

# Check hash from npm package
npm view w3pk@0.7.7 dist.tarball | xargs curl -s | tar -xz
cat package/dist/BUILD_HASH.txt
# Should match: bafybeid4lxeev2nperciozegxexe6q22soz7pwhl234qoivt2ffbf3tbl4

Multi-Source Verification

For maximum security, verify the hash from multiple sources:

1. ✅ This GitHub release (you are here)
2. ✅ npm README: https://www.npmjs.com/package/w3pk
3. ✅ On-chain registry: Coming soon - DAO-maintained hash registry
4. ✅ Local build: Clone repo and build yourself

All sources should report the same hash: bafybeid4lxeev2nperciozegxexe6q22soz7pwhl234qoivt2ffbf3tbl4

What is Build Verification?

W3pk uses IPFS CIDv1 hashing to create a unique, deterministic fingerprint of each build. This allows you to:

• Verify package integrity
• Detect tampering or supply chain attacks
• Ensure reproducible builds
• Trust what you're installing

See the Build Verification Guide for complete documentation.