DemosSdkProvider.sign keypair-init gap breaks Verify + Community Bounty

[linear]

What

Both the Verify identity app and the Community Bounty app fail at the "sign ownership" step with Cannot read properties of undefined (reading 'publicKey'). Both flows go through byte-identical adapter code that calls selectedProvider.request({ method: "sign", params: [message] }). These are the only two provider.request({ method: "sign" }) call sites in the codebase, and both fail the same way — so the bug is in the shared sign provider method, not in either page.

randomblocker confirmed the failure shape and posted the lead on incentives PR #81 (https://github.com/kynesyslabs/incentives/pull/81): DemosSdkProvider.sign (the seed-phrase path) calls demos.crypto.sign("ed25519", ...) directly and skips the keypair-init step (getIdentity('ed25519') → generate) that the SDK's own demos.signMessage performs. With the keypair never initialised, this.keypair.publicKey is undefined when the signing call dereferences it. The extension-handler path may have a separate variant of the same bug.

Acceptance

• Reproduce both failures locally (extension + seed-phrase) and capture the console stack trace at the point of throw
• Confirm which provider implementation each path takes (extension handler vs DemosSdkProvider.sign)
• Fix DemosSdkProvider.sign so it walks the same keypair-init sequence as demos.signMessage before reaching the underlying signer
• Verify both apps' "Verify" / "Sign ownership" flows succeed end-to-end with extension wallet AND with seed-phrase fallback
• Add a regression test covering provider.request({ method: "sign", params: [message] }) so a future SDK refactor cannot silently re-introduce the gap

Source

• Discussion + analysis: incentives PR SDK browser compatibility #81 (https://github.com/kynesyslabs/incentives/pull/81)
• Affected apps:
  • https://github.com/kynesyslabs/demos-identity-verify
  • https://github.com/kynesyslabs/Demos_community

[maojianian25-png]

Hi maintainers,

I would like to work on this bounty (Issue #940). The root cause has been clearly identified in DemosSdkProvider.sign in the kynesyslabs/incentives repo (PR #81), where the keypair-init step is skipped before calling demos.crypto.sign("ed25519", ...).

However, my current account (maojianian25-png) does not have access to the kynesyslabs/incentives private repository, which means I cannot view the source code or submit a fix directly there.

Could you please grant me temporary read/write access to kynesyslabs/incentives so I can:

1. Inspect the full DemosSdkProvider.sign implementation
2. Submit a PR with the keypair-init fix (ensuring getIdentity('ed25519') is called before signing)
3. Add a regression test for provider.request({ method: "sign", params: [message] })

Alternatively, if there is a standard process for bounty contributors to gain access to private repos in this org, please let me know. I am happy to follow whatever workflow is preferred.

Thank you!