Migrate from webauthn-p256 to 0x p256 module (ox)

[jeffsmale90]

📝 Description

This PR implements the migration from the deprecated webauthn-p256 package to 0x's ox package for handling P256 WebAuthn signatures, addressing breaking changes introduced in viem 2.43.5+.

The changes are not breaking.

🔄 What Changed?

• Removed webauthn-p256 dependency from both @metamask/smart-accounts-kit/package.json and root package.json
• Added ox@0.8.1 as a direct dependency (version compatible with viem 2.31.4)
• Updated packages/smart-accounts-kit/src/webAuthn.ts:
  • Replaced parseSignature from webauthn-p256 with Signature.fromHex from ox/Signature
  • Uses Ox's stricter signature parsing (requires 130 or 132 char hex, rejects DER encoding)
  • Renamed variables to meet linting standards (rValue, sValue, normalizedS)
  • Used object destructuring for signature parsing
• Updated packages/smart-accounts-kit/src/signer.ts:
  • Removed SignReturnType import from webauthn-p256
  • Added WebAuthnAccount type import from viem/account-abstraction
  • Updated encodeSignature callback type to use Awaited<ReturnType<WebAuthnAccount['signMessage']>>
• Updated test files:
  • test/webAuthn.test.ts: Replaced parseSignature with Signature.fromHex
  • test/signer.test.ts: Updated WebAuthn signature fixtures
  • Converted signature fixtures from DER-encoded format to flat r||s hex (64 bytes = 130 chars with 0x prefix)
• Fixed import ordering: ox imports now appear before viem imports per project standards

🚀 Why?

• Breaking Change in Viem: Viem 2.43.5+ introduced breaking changes in WebAuthn types that are incompatible with webauthn-p256 (see issue Viem dependency specification includes breaking changes #188)
• Alignment with Viem: Viem's toWebAuthnAccount already uses Ox internally and returns signatures in the flat r||s format
• Stricter Validation: Ox's Signature.fromHex provides stricter validation, requiring exact 130 or 132 character hex strings and rejecting DER-encoded signatures
• Maintainability: Using Ox removes duplication and aligns with Viem's internal implementation

🧪 How to Test?

• Automated tests added/updated
• All existing tests pass

Testing steps:

1. Build all packages: yarn build:packages
2. Run smart-accounts-kit tests: yarn workspace @metamask/smart-accounts-kit test
3. Verify all WebAuthn-related tests pass (webAuthn.test.ts, signer.test.ts)
4. Verify no webauthn-p256 references remain: rg 'webauthn-p256' .

⚠️ Breaking Changes

• No breaking changes

Note: While the internal implementation changes, this is not a breaking change for consumers of the SDK because:

• Public API remains unchanged
• encodeDeleGatorSignature still accepts the same parameters and returns the same format
• Viem's WebAuthnAccount already produces signatures in the format Ox expects

📋 Checklist

• Code follows the project's coding standards
• Self-review completed
• Documentation updated (if needed) - no doc changes needed, internal migration only
• Tests added/updated
• Changelog updated (if needed) - will be handled separately
• All CI checks pass

🔗 Related Issues

Closes #188
Closes #192

📚 Additional Notes

Implementation Details

• Signature Format: Changed from DER-encoded (variable length, starts with 0x30) to flat r||s concatenation (exactly 64 bytes = 130 hex chars)
• Ox Version: Using ox@0.8.1 which is the version that viem@2.31.4 depends on internally
• Low-S Normalization: The existing low-s malleability protection logic in encodeDeleGatorSignature remains unchanged and continues to work correctly with Ox-parsed signatures
• Type Safety: Using Awaited<ReturnType<WebAuthnAccount['signMessage']>> ensures type compatibility is maintained automatically if Viem's types evolve further

Verification

All webauthn-p256 references have been removed from the codebase and yarn.lock. The ox package is now properly installed and integrated.

Slack Thread