fix: use correct signer locator in approval submissions

[brendanw]

Description

Fixes a bug where approveSignatureInternal and approveTransactionInternal would always use this.signer.locator() when building approval payloads, even when a different signer from additionalSigners was used to sign. This made the additionalSigners option effectively broken for delegated signers.

The fix ensures the correct signer's locator is used in the approval payload - the one that actually performed the signing operation.

Before: Approval submitted with this.signer.locator() regardless of which signer signed
After: Approval submitted with the actual signer's locator that was matched and used for signing

Test plan

• Existing unit tests pass (102 tests in wallets package)
• Code review to verify the signer variable from signers.find() is correctly used in the approval payload

Human review checklist:

• Verify the signer variable captured in the map callback is the correct one to use for signer.locator()
• Consider whether a dedicated test for additionalSigners approval flow should be added

Package updates

• @crossmint/wallets-sdk: patch bump - changeset added via pnpm change:add

---

Link to Devin run: https://crossmint.devinenterprise.com/sessions/2265a4dc8e5745b6916e43bd3acff919
Requested by: Brendan Weinstein (@brendanw)

[changeset-bot]

🦋 Changeset detected

Latest commit: 5a79365

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 9 packages

Name	Type
@crossmint/wallets-sdk	Patch
expo-demo	Patch
@crossmint/client-sdk-react-base	Patch
@crossmint/client-sdk-react-native-ui	Patch
@crossmint/client-sdk-react-ui	Patch
@crossmint/auth-ssr-nextjs-demo	Patch
@crossmint/client-sdk-nextjs-starter	Patch
@crossmint/wallets-quickstart-devkit	Patch
@crossmint/client-sdk-smart-wallet-next-starter	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[devin-ai-integration]

Original prompt from Brendan

I am looking at a feature support matrix spreadsheet that lists the functionality `Create Wallet with Signers` -- the spreadsheet says the typescript SDK has this functionality. What is this functionality and what would we need to do to add it to the kotlin SDK?

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[albertoelias-crossmint]

can you explain more about the bug? but the new logic makes sense too

[brendanw]

@albertoelias-crossmint I noticed this issue when trying to implement transactions with delegated signers in the kotlin SDK. I've been trying to keep the kotlin SDK as closely aligned to the typescript SDK as possible. But in this case, the bug made additionalSigners effectively broken. We don't have transactions with delegate signers marked as supported in the supported features matrix, so that's fine, but I just wanted to make this fix now so we aren't caught off guard by it when we do try and support transactions with delegated signers.

The issue was that when approving with a delegated signer, the code would:

• Correctly find the matching signer from additionalSigners based on pendingApproval.signer.locator
• Use that signer to produce the signature
• But then in a separate .map() step, always use this.signer.locator() for the approval payload

So the cryptographic signature was valid (signed by the correct delegated signer), but the approval payload sent to the backend claimed it was signed by the wallet's primary signer. The backend uses that signer field to look up which public key to verify against, so the signature verification would fail - making delegated signer approvals broken.