Update ERC-7836: Add missing sections

Merged by EIP-Bot.

Author: lukasrosario

ERCS/erc-7836.md

@@ -35,34 +35,36 @@ Instructs a Wallet to prepare a call bundle according to the Account's implement
 
 ```typescript
 type Request = {
-  method: 'wallet_prepareCalls',
-  params: [{
-    // Calls to be executed.
-    calls: {
-      to: `0x${string}`;
-      data?: `0x${string}`;
-      value?: `0x${string}`;
+  method: "wallet_prepareCalls";
+  params: [
+    {
+      // Calls to be executed.
+      calls: {
+        to: `0x${string}`;
+        data?: `0x${string}`;
+        value?: `0x${string}`;
+        capabilities?: Record<string, any>;
+      }[];
+      // Capabilities.
       capabilities?: Record<string, any>;
-    }[];
-    // Capabilities.
-    capabilities?: Record<string, any>
-    // Chain ID of the chain the calls are being submitted to.
-    chainId: `0x${string}`;
-    // Sender address.
-    from?: `0x${string}`;
-    // Key (hint) that will be used to sign the call bundle.
-    key?: {
-      // Whether the digest will be prehashed by the key (default behavior of WebCrypto APIs).
-      prehash?: boolean,
-      // Public key.
-      publicKey: `0x${string}`,
-      // Key type.
-      type: 'secp256k1' | 'p256' | 'webauthn-p256'
-    };
-    // JSON-RPC method version.
-    version: string;
-  }]
-}
+      // Chain ID of the chain the calls are being submitted to.
+      chainId: `0x${string}`;
+      // Sender address.
+      from?: `0x${string}`;
+      // Key (hint) that will be used to sign the call bundle.
+      key?: {
+        // Whether the digest will be prehashed by the key (default behavior of WebCrypto APIs).
+        prehash?: boolean;
+        // Public key.
+        publicKey: `0x${string}`;
+        // Key type.
+        type: "secp256k1" | "p256" | "webauthn-p256";
+      };
+      // JSON-RPC method version.
+      version: string;
+    }
+  ];
+};
 ```
 
 #### Response
@@ -72,52 +74,57 @@ type Request = {
 ```typescript
 type Response = {
   // Capabilities to be forwarded to `wallet_sendPreparedCalls`.
-  capabilities: Record<string, any>
+  capabilities: Record<string, any>;
   // Chain ID of the chain the calls are being submitted to.
-  chainId: `0x${string}`
-  // Data specific to the Wallet to be forwarded to `wallet_sendPreparedCalls` 
+  chainId: `0x${string}`;
+  // Data specific to the Wallet to be forwarded to `wallet_sendPreparedCalls`
   // (e.g. ERC-4337 UserOperation or alternative).
-  context: unknown
+  context: unknown;
   // Key (hint) that will be used to sign the call bundle.
   key?: {
     // Whether the digest will be prehashed by the key (default behavior of WebCrypto APIs).
-    prehash: boolean,
+    prehash: boolean;
     // Public key.
-    publicKey: `0x${string}`,
+    publicKey: `0x${string}`;
     // Key type.
-    type: 'secp256k1' | 'p256' | 'webauthn-p256' | 'webcrypto-p256'
-  },
+    type: "secp256k1" | "p256" | "webauthn-p256" | "webcrypto-p256";
+  };
   // Digest of the call bundle to sign over.
-  digest: `0x${string}`
+  digest: `0x${string}`;
   // JSON-RPC method version.
-  version: string
-}
+  version: string;
+};
 ```
 
 #### Example
 
 ```typescript
 const response = await provider.request({
-  method: 'wallet_prepareCalls',
-  params: [{
-    calls: [{
-      to: '0xcafebabecafebabecafebabecafebabecafebabe',
-      data: '0xdeadbeef',
-    }],
-    capabilities: {
-      paymasterService: {
-        url: 'https://...',
+  method: "wallet_prepareCalls",
+  params: [
+    {
+      calls: [
+        {
+          to: "0xcafebabecafebabecafebabecafebabecafebabe",
+          data: "0xdeadbeef",
+        },
+      ],
+      capabilities: {
+        paymasterService: {
+          url: "https://...",
+        },
       },
+      chainId: "0x1",
+      key: {
+        prehash: false,
+        publicKey:
+          "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
+        type: "p256",
+      },
+      version: "1",
     },
-    chainId: '0x1',
-    key: {
-      prehash: false,
-      publicKey: '0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef',
-      type: 'p256',
-    },
-    version: '1',
-  }]
-})
+  ],
+});
 /**
  * {
  *   capabilities: {
@@ -140,38 +147,40 @@ const response = await provider.request({
 
 ### `wallet_sendPreparedCalls`
 
-Instructs a Wallet to execute a prepared call bundle (response of `wallet_prepareCalls`) with an accompanying `signature`. 
+Instructs a Wallet to execute a prepared call bundle (response of `wallet_prepareCalls`) with an accompanying `signature`.
 
 #### Parameters
 
 > The request is identical to the response of `wallet_prepareCalls`, except that it includes a `signature`.
 
 ```typescript
 type Request = {
-  method: 'wallet_sendPreparedCalls',
-  params: [{
-    // Capabilities.
-    capabilities: Record<string, any>
-    // Chain ID of the chain the calls are being submitted to.
-    chainId: `0x${string}`
-    // Data specific to the Wallet from the `wallet_prepareCalls` response.
-    // (e.g. ERC-4337 UserOperation or alternative).
-    context: unknown
-    // Key that was used to sign the call bundle.
-    key: {
-      // Whether the digest will be prehashed by the key (default behavior of WebCrypto APIs).
-      prehash?: boolean,
-      // Public key.
-      publicKey: `0x${string}`,
-      // Key type.
-      type: 'secp256k1' | 'p256' | 'webauthn-p256' | 'webcrypto-p256'
-    },
-    // Signature of the call bundle.
-    signature: `0x${string}`
-    // JSON-RPC method version.
-    version: string
-  }]
-}
+  method: "wallet_sendPreparedCalls";
+  params: [
+    {
+      // Capabilities.
+      capabilities: Record<string, any>;
+      // Chain ID of the chain the calls are being submitted to.
+      chainId: `0x${string}`;
+      // Data specific to the Wallet from the `wallet_prepareCalls` response.
+      // (e.g. ERC-4337 UserOperation or alternative).
+      context: unknown;
+      // Key that was used to sign the call bundle.
+      key: {
+        // Whether the digest will be prehashed by the key (default behavior of WebCrypto APIs).
+        prehash?: boolean;
+        // Public key.
+        publicKey: `0x${string}`;
+        // Key type.
+        type: "secp256k1" | "p256" | "webauthn-p256" | "webcrypto-p256";
+      };
+      // Signature of the call bundle.
+      signature: `0x${string}`;
+      // JSON-RPC method version.
+      version: string;
+    }
+  ];
+};
 ```
 
 #### Response
@@ -180,45 +189,52 @@ type Request = {
 
 ```typescript
 type Response = {
-  id: string,
-  capabilities: Record<string, any>
-}
+  id: string;
+  capabilities: Record<string, any>;
+};
 ```
 
 #### Example
 
 ```typescript
 const { digest, ...request } = await provider.request({
-  method: 'wallet_prepareCalls',
-  params: [{
-    calls: [{
-      to: '0xcafebabecafebabecafebabecafebabecafebabe',
-      data: '0xdeadbeef',
-    }],
-    capabilities: {
-      paymasterService: {
-        url: 'https://...',
+  method: "wallet_prepareCalls",
+  params: [
+    {
+      calls: [
+        {
+          to: "0xcafebabecafebabecafebabecafebabecafebabe",
+          data: "0xdeadbeef",
+        },
+      ],
+      capabilities: {
+        paymasterService: {
+          url: "https://...",
+        },
       },
+      chainId: "0x1",
+      key: {
+        prehash: false,
+        publicKey:
+          "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
+        type: "p256",
+      },
+      version: "1",
     },
-    chainId: '0x1',
-    key: {
-      prehash: false,
-      publicKey: '0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef',
-      type: 'p256',
-    },
-    version: '1',
-  }]
-})
+  ],
+});
 
-const signature = p256.sign(digest, privateKey)
+const signature = p256.sign(digest, privateKey);
 
 const response = await provider.request({
-  method: 'wallet_sendPreparedCalls',
-  params: [{
-    ...request,
-    signature
-  }]
-})
+  method: "wallet_sendPreparedCalls",
+  params: [
+    {
+      ...request,
+      signature,
+    },
+  ],
+});
 /**
  * [
  *   {
@@ -238,11 +254,24 @@ Surfacing the prepared calls should be relatively simple for wallets, who alread
 
 ## Backwards Compatibility
 
-TBD <!-- TODO -->
+This specification is currently compatible with EIP-5792 and does not introduce breaking changes to existing `wallet_sendCalls` flows.
+
+- It does not modify or deprecate `wallet_sendCalls`; wallets compliant with EIP-5792 continue to work unchanged.
+- `wallet_prepareCalls` mirrors the `wallet_sendCalls` request shape and returns values intended to be forwarded to `wallet_sendPreparedCalls`, preserving field formats such as `capabilities`, `chainId`, `context`, and `version`.
+- `wallet_sendPreparedCalls` consumes the same data the wallet would otherwise construct internally for EIP-5792, with the addition of an externally produced `signature`.
+- Any additional key types or hints (e.g., WebCrypto/WebAuthn variants) are optional and do not affect EIP-5792 behavior.
 
 ## Security Considerations
 
-Needs discussion. <!-- TODO -->
+- Key authorization and scope: Wallets MUST verify that the provided `key.publicKey` is authorized for the account and that the requested `capabilities` are within that key’s permissions (scopes, limits, validity windows).
+
+- Prehashing consistency: Honor `key.prehash` consistently. A mismatch between signer and verifier (e.g., double-hashing vs prehashed input) can cause verification failures. Wallets SHOULD fix the hash function per key type.
+
+- Preparation-to-execution linkage: Wallets SHOULD ensure `wallet_sendPreparedCalls` corresponds to a `digest` they could have produced (e.g., by recomputing it) and MAY track a preparation identifier and/or validity window to mitigate long-lived replay.
+
+- WebAuthn/origin considerations: For `webauthn-p256`, prefer user-verification and origin-bound credentials. Applications SHOULD keep session keys non-extractable and hardware-backed where available, and avoid presenting opaque digests for end-user approval.
+
+- Resource usage and DoS: Wallets MAY rate-limit `wallet_prepareCalls`, cap bundle sizes, and validate inputs early to avoid expensive context generation for malformed or adversarial requests.
 
 ## Copyright