// Guide for adding a new signer backend to solana-keychain (Rust + TypeScript). Use when asked to "add a signer", "implement a signing backend", "integrate a key management service", "add X signer", "new signer backend", or when a contributor needs to add a new signing provider to the library.
Finalize a mainline solana-keychain release after the PR is approved: approve, squash-merge, and trigger both publish workflows from main via gh CLI. Use when asked to "finalize release", "merge release PR", "complete release", "publish packages", or "approve and merge release".
Guide for releasing a new version of solana-keychain (Rust and/or TypeScript). Use when asked to "prepare a release", "bump the version", "release Rust", "release TypeScript", "publish a new version", or "cut a release". Covers the PR-based release flow end-to-end.
| name | add-signer |
| description | Guide for adding a new signer backend to solana-keychain (Rust + TypeScript). Use when asked to "add a signer", "implement a signing backend", "integrate a key management service", "add X signer", "new signer backend", or when a contributor needs to add a new signing provider to the library. |
Orchestrate adding a new signing backend to solana-keychain. Delegate to existing docs for code templates; this skill provides the procedure, file order, and gotchas.
docs/ADDING_SIGNERS.md/add-signer-ci commandrust/src/para/ (use as pattern)typescript/packages/para/ (use as pattern)rust/src/traits.rsrust/src/http_client_config.rsrust/src/transaction_util.rstypescript/packages/keychain/src/create-signer.tstypescript/packages/keychain/src/resolve-address.tstypescript/packages/keychain/src/types.tsAsk the user for:
para, dfns)Determine from API docs:
init() to fetch the public key? (Most remote signers do)reqwest for HTTP calls? (Affects error.rs cfg gate)Read docs/ADDING_SIGNERS.md for detailed code templates. Read rust/src/para/mod.rs as the most recent reference implementation.
| File | When |
|---|---|
rust/src/<name>/mod.rs | Always — signer struct + SolanaSigner impl + unit tests |
rust/src/<name>/types.rs | If API needs custom request/response types |
rust/src/<name>/auth.rs | If authentication is complex (e.g., challenge/response) |
a) rust/Cargo.toml — Add feature flag with dep: prefixed dependencies. Add feature to all list.
b) rust/src/lib.rs — 6 additions, all feature-gated with #[cfg(feature = "<name>")]:
pub mod <name>)pub use <name>::<Name>Signer)Signer enum variantimpl Signer (from_<name>)impl SolanaSigner for Signer:
pubkey()sign_transaction()sign_message()is_available()compile_error! cfg gate (search for compile_error!)c) rust/src/error.rs — If signer uses reqwest, add feature to the #[cfg(any(...))] gate on From<reqwest::Error> for SignerError. Without this, ? on reqwest calls won't compile.
rust/src/traits.rs for the current trait definition — it is the source of truth. The trait has pubkey(), sign_transaction(), sign_message(), and is_available().sign_transaction returns SignTransactionResult (an enum of Complete(SignedTransaction) or Partial(SignedTransaction)). Use TransactionUtil::classify_signed_transaction() from rust/src/transaction_util.rs to classify the result.TransactionUtil::add_signature_to_transaction() and TransactionUtil::serialize_transaction() instead of implementing your own.crate::sdk_adapter, not solana_sdk directly. The project supports both SDK v2 and v3 via an adapter layer.reqwest::ClientBuilder::https_only(true) gated behind #[cfg(not(test))] for wiremock compatibility.HttpClientConfig from crate::http_client_config for request/connect timeouts (defaults: 30s/5s)..expect() or .unwrap() on untrusted API responses. Both Display and Debug on SignerError are redacted — keep error messages generic.Sync constructor (public key provided upfront): Memory, Vault, Turnkey, CDP
pub fn new(..., public_key: String, http_config: Option<HttpClientConfig>) -> Result<Self, SignerError>
Async init (public key fetched from API): Privy, Fireblocks, Dfns, Para, Crossmint
pub fn new(...) -> Self // or Result<Self, SignerError>
pub async fn init(&mut self) -> Result<(), SignerError> // fetches pubkey
Factory in lib.rs calls init() automatically:
let mut signer = <Name>Signer::new(config);
signer.init().await?;
Ok(Self::<Name>(signer))
Important: Use Option<Pubkey> (not Pubkey::default()) for the public key field before init(). Return SignerError::ConfigError from signing methods if init() hasn't been called.
Async constructor (no separate init step): AWS KMS, GCP KMS
pub async fn new(...) -> Result<Self, SignerError> // single async constructor
Config struct (when many params): Fireblocks, Dfns
pub struct <Name>SignerConfig { ... }
pub fn new(config: <Name>SignerConfig) -> Self
HTTP client pattern (all remote signers):
let http = http_config.unwrap_or_default();
let builder = reqwest::Client::builder()
.timeout(http.resolved_request_timeout())
.connect_timeout(http.resolved_connect_timeout());
#[cfg(not(test))]
let builder = builder.https_only(true);
let client = builder.build()?;
Add #[cfg(test)] mod tests at the bottom of mod.rs. Use wiremock::MockServer to mock HTTP endpoints. Cover:
sign_message successsign_transaction success (verify SignTransactionResult::Complete vs Partial)is_available success + failureCreate rust/src/tests/test_<name>_integration.rs with:
pub const env var name declarationsasync fn get_signer() helper reading env vars via dotenvytest_<name>_sign_message, test_<name>_sign_transaction, test_<name>_is_available#[cfg(feature = "<name>")] inside the test file wrapping the test block, #[cfg(feature = "integration-tests")] on each test functionRegister in rust/src/tests/mod.rs (no feature gate — the gate goes inside the file):
pub mod test_<name>_integration;
Read docs/ADDING_SIGNERS.md TypeScript section. Use typescript/packages/para/ as template.
typescript/packages/<name>/src/
├── index.ts — Public exports
├── <name>-signer.ts — Factory function + class implementing SolanaSigner<TAddress>
├── types.ts — API types
└── __tests__/
├── <name>-signer.test.ts — Unit tests (mocked fetch)
├── <name>-signer.integration.test.ts — Integration tests
└── setup.ts — Integration test config
Also create: package.json, tsconfig.json, README.md
typescript/packages/keychain/6 files to modify:
src/types.ts — Add YourSignerConfig to KeychainSignerConfig discriminated union with & { backend: '<name>' }src/create-keychain-signer.ts — Import create<Name>Signer, add switch casesrc/resolve-address.ts — Add to fast-path (if config has publicKey) or fetch-path (if async init) switch casesrc/index.ts — Add 4 export lines: config type, namespace, factory fn, deprecated classpackage.json — Add @solana/keychain-<name>: "workspace:*" dependencytsconfig.json — Add { "path": "../<name>" } referenceThe switch statements have exhaustive never checks — TypeScript will error if you add to the union but miss a case.
create<Name>Signer() returns SolanaSigner<TAddress> (the interface)static async create() methodthrowSignerError(SignerErrorCode.*, { cause, message }) from @solana/keychain-corefetch() calls in try/catchapiBaseUrl uses HTTPS: new URL(url).protocol !== 'https:' → throw CONFIG_ERRORsanitizeRemoteErrorResponse() from @solana/keychain-core?.@throws JSDoc to factory functions listing error codes.env.example (root) — Add env vars with comment header identifying the signertypescript/packages/<name>/.env.example — Same env vars for TS integration testsREADME.md — Add row to supported backends table + usage exampleUse the /add-signer-ci command for Phase 1 preparation (maintainer PR to main).
Phase 2 changes go in the contributor's signer PR:
ci.yml — Add Rust feature to backend matrix + integration test to test matrixtypescript-ci.yml — Add package to unit + integration test matricestypescript-publish.yml — Add package to PUBLISH_PACKAGES, GitHub Release array, summary table# Rust
cd rust && cargo build --features <name>
cd rust && cargo test --features <name>
cd rust && cargo build --all-features
cd rust && cargo test --all-features
cd rust && cargo clippy --all-targets --all-features -- -D warnings
cd rust && cargo fmt --check
# TypeScript
pnpm --filter @solana/keychain-<name> test:unit
pnpm --filter @solana/keychain-<name> typecheck
# Or use just
just build
just test
just fmt