feat: VeChain whitelabel cross-app connect host

.github/workflows/cross-app-connect-check.yaml

@@ -0,0 +1,77 @@
+name: Cross-App Connect — Check
+
+on:
+    # zizmor: ignore[dangerous-triggers] - Mitigated with label-based approval
+    pull_request_target:
+        types: [labeled, opened, synchronize, reopened]
+        branches:
+            - main
+        paths:
+            - 'cross-app-connect/**'
+            - 'packages/vechain-kit/**'
+            - 'yarn.lock'
+            - '.github/workflows/cross-app-connect-check.yaml'
+
+concurrency:
+    group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
+    cancel-in-progress: true
+
+permissions:
+    contents: read
+
+jobs:
+    # External PRs: post a one-time comment explaining the safe-to-build gate.
+    comment-external-pr:
+        runs-on: ubuntu-latest
+        permissions:
+            pull-requests: write
+        if: |
+            github.event.pull_request.head.repo.full_name != github.repository &&
+            github.event.action == 'opened'
+        steps:
+            - name: Comment on external PR
+              uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+              with:
+                  issue-number: ${{ github.event.pull_request.number }}
+                  body: |
+                      ## 👋 Thanks for your contribution!
+
+                      Since this PR comes from a fork, the cross-app-connect
+                      check will only run after a maintainer adds the
+                      `safe-to-build` label (and re-adds it after each new
+                      commit, for security).
+
+    typecheck-and-build:
+        name: Type-check & Build
+        runs-on: ubuntu-latest
+        if: |
+            (github.event.label.name == 'safe-to-build') ||
+            (github.event.pull_request.head.repo.full_name == github.repository) && github.event.pull_request.head.ref != 'main'
+        steps:
+            - name: Checkout
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+              with:
+                  ref: ${{ github.event.pull_request.head.sha }}
+
+            - name: Setup Node
+              uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+              with:
+                  node-version-file: .nvmrc
+                  cache: yarn
+
+            - name: Install
+              run: yarn && yarn install:all
+
+            - name: Type-check (cross-app-connect)
+              run: yarn workspace cross-app-connect typecheck
+
+            - name: Build (cross-app-connect)
+              run: yarn workspace cross-app-connect build
+              env:
+                  # Build-time public env. Provided as repo Variables; the
+                  # popup needs them to construct the Privy client. The build
+                  # tolerates missing values but won't run end-to-end without
+                  # them — sufficient to verify the bundle compiles cleanly.
+                  NEXT_PUBLIC_PRIVY_APP_ID: ${{ vars.NEXT_PUBLIC_PRIVY_APP_ID }}
+                  NEXT_PUBLIC_PRIVY_CLIENT_ID: ${{ vars.NEXT_PUBLIC_PRIVY_CLIENT_ID }}
+                  NEXT_PUBLIC_PRIVY_DOMAIN: ${{ vars.NEXT_PUBLIC_PRIVY_DOMAIN }}

.github/workflows/cross-app-connect-deploy.yaml

@@ -0,0 +1,83 @@
+name: Cross-App Connect — Deploy to Pages
+
+on:
+    push:
+        branches:
+            - main
+        paths:
+            - 'cross-app-connect/**'
+            - 'packages/vechain-kit/**'
+            - 'yarn.lock'
+            - '.github/workflows/cross-app-connect-deploy.yaml'
+    workflow_dispatch:
+
+concurrency:
+    # Pages permits one in-flight deploy. Queue rather than cancel so a hot
+    # fix doesn't get wiped by a follow-up merge mid-deploy.
+    group: pages
+    cancel-in-progress: false
+
+permissions:
+    contents: read
+
+jobs:
+    build:
+        name: Build static site
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+        steps:
+            - name: Checkout
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Setup Node
+              uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+              with:
+                  node-version-file: .nvmrc
+                  cache: yarn
+
+            - name: Install
+              run: yarn && yarn install:all
+
+            - name: Build (cross-app-connect)
+              run: yarn workspace cross-app-connect build
+              env:
+                  NEXT_PUBLIC_PRIVY_APP_ID: ${{ vars.NEXT_PUBLIC_PRIVY_APP_ID }}
+                  NEXT_PUBLIC_PRIVY_CLIENT_ID: ${{ vars.NEXT_PUBLIC_PRIVY_CLIENT_ID }}
+                  NEXT_PUBLIC_PRIVY_DOMAIN: ${{ vars.NEXT_PUBLIC_PRIVY_DOMAIN }}
+                  # Empty when a custom domain is set up in repo Settings →
+                  # Pages. Override to `/vechain-kit` (or whatever the repo
+                  # name is) if you want to test at the default
+                  # `<org>.github.io/<repo>/` URL before the CNAME points here.
+                  NEXT_PUBLIC_BASE_PATH: ${{ vars.NEXT_PUBLIC_BASE_PATH }}
+
+            - name: Disable Jekyll on Pages
+              # GitHub Pages otherwise strips paths starting with `_` (e.g.
+              # `_next/`), which kills every JS/CSS chunk Next.js emits.
+              run: touch cross-app-connect/dist/.nojekyll
+
+            - name: Configure Pages
+              uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+
+            - name: Upload artifact
+              uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
+              with:
+                  path: cross-app-connect/dist
+
+    deploy:
+        name: Deploy to GitHub Pages
+        needs: build
+        runs-on: ubuntu-latest
+        # Pages-specific permissions scoped to this job only — zizmor flags
+        # them as too broad at the workflow level since the build job
+        # doesn't need to write anything.
+        permissions:
+            pages: write
+            id-token: write
+        environment:
+            name: github-pages
+            url: ${{ steps.deployment.outputs.page_url }}
+        steps:
+            - name: Deploy
+              id: deployment
+              uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

.github/workflows/cross-app-connect-refresh-app-hub.yaml

@@ -0,0 +1,77 @@
+name: Cross-App Connect — Refresh App Hub cache
+
+on:
+    schedule:
+        # Daily at 04:13 UTC — odd minute to avoid the top-of-hour rush on
+        # GitHub-hosted runners, and well before EU/US working hours so a
+        # follow-up PR is waiting for review when the team comes online.
+        - cron: '13 4 * * *'
+    workflow_dispatch:
+
+permissions:
+    contents: read
+
+concurrency:
+    # Only one refresh attempt at a time; if a previous PR is still pending
+    # merge, queueing another would create a duplicate branch tip.
+    group: ${{ github.workflow }}
+    cancel-in-progress: false
+
+jobs:
+    refresh:
+        name: Regenerate app-hub.json
+        runs-on: ubuntu-latest
+        # PR-opening permissions are scoped to this job (zizmor flags them
+        # as too broad at the workflow level).
+        permissions:
+            contents: write
+            pull-requests: write
+        steps:
+            - name: Checkout
+              uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+            - name: Setup Node
+              uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+              with:
+                  node-version-file: .nvmrc
+                  cache: yarn
+
+            - name: Install
+              run: yarn && yarn install:all
+
+            - name: Regenerate cache
+              run: yarn workspace cross-app-connect generate-app-hub
+              env:
+                  # Raises the GitHub API rate limit from 60/hr (anonymous)
+                  # to 5000/hr so the fetch can cover the full registry
+                  # without throttling.
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Open PR if anything changed
+              uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+              with:
+                  commit-message: |
+                      chore(cross-app-connect): refresh app-hub.json from vechain/app-hub
+
+                      Auto-generated by the cross-app-connect-refresh-app-hub workflow.
+                  title: 'chore(cross-app-connect): refresh app-hub cache'
+                  body: |
+                      Scheduled refresh of `cross-app-connect/src/app/cross-app/_lib/app-hub.json` from [`vechain/app-hub`](https://github.com/vechain/app-hub).
+
+                      The cache keys the registry by origin so the transact popup can show
+                      `Confirm token swap on Nubila` instead of a raw URL. This PR appears
+                      whenever a new app is added, an existing one is updated, or one is
+                      removed from the registry.
+
+                      Review the diff to make sure the changes look like additions you
+                      expected (no surprise deletions, plausible names). Merge when happy.
+
+                      🤖 Opened by `.github/workflows/cross-app-connect-refresh-app-hub.yaml`.
+                  branch: chore/refresh-app-hub-cache
+                  base: main
+                  delete-branch: true
+                  labels: |
+                      chore
+                      automated
+                  add-paths: |
+                      cross-app-connect/src/app/cross-app/_lib/app-hub.json

README.md

@@ -12,8 +12,9 @@ VeChain Kit is a comprehensive library designed to make building VeChain applica
 
 It offers:
 
--   <b>Seamless Wallet Integration:</b> Support for VeWorld, Sync2, WalletConnect, VeChain Embedded Wallet, and social logins (Google, Apple, GitHub, email, passkey — powered by Privy).
+-   <b>Seamless Wallet Integration:</b> Support for VeWorld, Sync2, WalletConnect, VeChain Embedded Wallet, and social logins (Google, Apple, GitHub, X/Twitter, Discord, TikTok, LINE, email, passkey — powered by Privy).
 -   <b>Custom Connection UI:</b> Vechain-kit's own connect modal handles the VeWorld and Sync2 flows directly, with a built-in “Waiting for signature…” view and a fully themeable layout. WalletConnect's QR modal is preserved.
+-   <b>Social Logins Without Your Own Privy Account:</b> Drop a "Continue with Google / Apple / X / Discord / GitHub / TikTok / LINE" button in your app and it just works — the kit routes through VeChain's whitelabel cross-app host (`cross-app-connect/`) so users get one VeChain identity that follows them across every kit-using dApp. No Privy bill, no dashboard setup.
 -   <b>Unified Ecosystem Accounts:</b> Leverage Privy’s Ecosystem feature to give users a single wallet across multiple dApps, providing a consistent identity within the VeChain network.
 -   <b>Developer-Friendly Hooks:</b> Easy-to-use React Hooks that let you read and write data on the VeChainThor blockchain.
 -   <b>Pre-Built UI Components:</b> Ready-to-use components (e.g., TransactionModal) to simplify wallet operations and enhance your users’ experience.
@@ -31,6 +32,14 @@ It offers:
 -   [Smart Account Factory](https://vechain.github.io/smart-accounts/)
 -   [Docs](https://docs.vechainkit.vechain.org/)
 
+## Cross-app Whitelabel Host
+
+When a user picks "Continue with Google / Apple / VeChain / …" from a kit-using dApp, the kit opens a small popup that handles the OAuth/SMS handshake and posts the resulting signature back. That popup runs on VeChain's whitelabel host, which lives in this repo at [`cross-app-connect/`](./cross-app-connect/) — a Next.js static export with VeChain branding, a calldata-aware transaction summary, recovery from stale connection records, and 17 languages.
+
+The whitelabel popup is why your app can offer social login without owning a Privy account: users see VeChain chrome and get one identity across every kit-integrated dApp.
+
+See [`cross-app-connect/README.md`](./cross-app-connect/README.md) for the popup's architecture, the rationale behind dropping Chakra / TanStack Query / vechain-kit from that surface, deploy instructions (GitHub Pages workflow included), and how to add translation keys.
+
 ## Table of Contents
 
 -   [Setting up for local development](#setting-up-for-local-development)

cross-app-connect/.env.example

@@ -0,0 +1,13 @@
+# Privy app this host represents
+# Default = VeChain's mainnet Privy app (mirrors VECHAIN_PRIVY_APP_ID in vechain-kit)
+NEXT_PUBLIC_PRIVY_APP_ID=cm4wxxujb022fyujl7g0thb21
+NEXT_PUBLIC_PRIVY_CLIENT_ID=
+# REQUIRED. Whitelabel Privy auth subdomain provisioned for your app in the
+# Privy dashboard. Must include scheme, e.g. https://privy.your-app.privy.dev
+# This is NOT the public auth.privy.io host.
+NEXT_PUBLIC_PRIVY_DOMAIN=
+
+# VeChain network -- main | test | solo
+NEXT_PUBLIC_NETWORK_TYPE=main
+NEXT_PUBLIC_DELEGATOR_URL=
+NEXT_PUBLIC_WALLET_CONNECT_PROJECT_ID=

cross-app-connect/.eslintrc.js

@@ -0,0 +1,6 @@
+module.exports = {
+    extends: ['next'],
+    rules: {
+        '@typescript-eslint/unbound-method': 'off',
+    },
+};

cross-app-connect/.gitignore

@@ -0,0 +1,38 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# dependencies
+/node_modules
+/.pnp
+.pnp.js
+.yarn/install-state.gz
+
+# testing
+/coverage
+
+# next.js
+/.next/
+/out/
+/dist/
+
+# production
+/build
+
+# misc
+.DS_Store
+*.pem
+
+# debug
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# local env files
+.env
+.env*.local
+
+# vercel
+.vercel
+
+# typescript
+*.tsbuildinfo
+next-env.d.ts