Fix merge branch 0xsequence/master

[Dargon789]

Summary by Sourcery

Harden ID generation in the dapp client and add a new wagmi-based example app alongside security, issue management, and multi-CI configuration files.

Bug Fixes:

• Use cryptographically secure randomness via window.crypto.getRandomValues when generating DappTransport request IDs.

Enhancements:

• Add a wagmi-based React example application configured with Vite, TypeScript, and React Query for wallet connectivity demos.

CI:

• Add a GitHub Actions workflow to run Fortify Application Security Testing scans on master and pull requests.
• Introduce a basic CircleCI pipeline configuration using a custom Docker executor.
• Add an Azure Pipelines configuration to build the Node.js project on master.

Deployment:

• Add CNAME configuration for custom domain hosting.

Documentation:

• Add a SECURITY policy document describing supported versions and vulnerability reporting process.
• Add GitHub issue templates for bug reports, feature requests, and custom issues.
• Document the wagmi example app as a Vite project created via create-wagmi.

Chores:

• Add various project metadata and configuration stubs (Codesandbox tasks, funding configuration, npm/TypeScript/Vite/biome settings) to support local tooling and funding.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
sequence-js-docs	Ready	Preview, Comment	Dec 22, 2025 3:28pm
sequence-js-web	Ready	Preview, Comment	Dec 22, 2025 3:28pm
sequence.js	Ready	Preview, Comment	Dec 22, 2025 3:28pm

[sourcery-ai]

Reviewer's Guide

Introduces a new secure ID generation strategy for the dapp client, adds a wagmi-based demo app scaffold, and configures multiple CI/security workflows and project metadata files (issue templates, security policy, pipelines, and funding).

Sequence diagram for wallet connection flow in wagmi demo app

sequenceDiagram
  actor User
  participant Browser
  participant App
  participant WagmiProvider
  participant ConnectHook
  participant Connector
  participant Blockchain

  User->>Browser: Load page
  Browser->>App: Render App component
  App->>WagmiProvider: Initialize with config
  App->>ConnectHook: useConnect()
  ConnectHook-->>App: connectors, connect, status, error

  User->>App: Click connect button for connector
  App->>ConnectHook: connect(connector)
  ConnectHook->>Connector: initiate connection
  Connector->>Blockchain: wallet RPC / authorization
  Blockchain-->>Connector: connection approved
  Connector-->>ConnectHook: connection result (account, chainId)
  ConnectHook-->>App: status updated to connected
  App-->>User: Render connected state and Disconnect button

  User->>App: Click Disconnect
  App->>Connector: disconnect()
  Connector->>Blockchain: terminate session
  Blockchain-->>Connector: disconnected
  Connector-->>App: status updated to disconnected
  App-->>User: Render disconnected state

Loading

Class diagram for updated DappTransport ID generation

classDiagram
  class DappTransport {
    -someInternalState
    +sendMessage(message)
    +receiveMessage(message)
    -generateId() string
  }

  class WindowCrypto {
    +getRandomValues(array Uint32Array) Uint32Array
  }

  class MathRandomLegacy {
    +random() number
  }

  DappTransport ..> WindowCrypto : uses
  DappTransport ..> MathRandomLegacy : replaces

Loading

Class diagram for wagmi React demo app structure

classDiagram
  class App {
    +App() JSXElement
  }

  class MainEntrypoint {
    +main() void
  }

  class WagmiProvider {
    +WagmiProvider(config Config, children ReactNode)
  }

  class QueryClientProvider {
    +QueryClientProvider(client QueryClient, children ReactNode)
  }

  class QueryClient {
    +QueryClient()
  }

  class Config {
    +chains Chain[]
    +connectors Connector[]
    +transports Map<int, Transport>
  }

  class Chain {
    +id int
    +name string
  }

  class Connector {
    +uid string
    +name string
    +connect() Promise<Account>
    +disconnect() Promise<void>
  }

  class AccountHookResult {
    +status string
    +addresses string[]
    +chainId int
  }

  class ConnectHookResult {
    +connect(connector Connector) void
    +connectors Connector[]
    +status string
    +error Error
  }

  class DisconnectHookResult {
    +disconnect() void
  }

  MainEntrypoint --> WagmiProvider : wraps
  WagmiProvider --> QueryClientProvider : wraps
  QueryClientProvider --> App : renders

  MainEntrypoint --> QueryClient : creates
  WagmiProvider --> Config : uses

  App --> AccountHookResult : useAccount
  App --> ConnectHookResult : useConnect
  App --> DisconnectHookResult : useDisconnect

  Config --> Chain : contains
  Config --> Connector : contains

Loading

File-Level Changes

Change	Details	Files
Use cryptographically secure randomness for DappTransport ID generation.	Replace Math.random-based ID suffix with crypto.getRandomValues using a Uint32Array. Generate a base-36 random string from two 32-bit values and slice to 9 characters. Preserve existing timestamp-based prefix while improving randomness quality.	packages/wallet/dapp-client/src/DappTransport.ts
Add wagmi-based React demo application scaffolded with Vite.	Create a new wagmi-project package with Vite/React/TypeScript tooling and dependencies. Set up WagmiProvider, QueryClientProvider, and Buffer global in main entrypoint. Implement a simple App component showing account status and allowing wallet connection/disconnection. Configure wagmi client with mainnet and sepolia chains and common connectors. Add Vite, TypeScript, Biome, and CSS configuration and boilerplate files for the new project.	wagmi-project/package.json wagmi-project/tsconfig.json wagmi-project/tsconfig.node.json wagmi-project/vite.config.ts wagmi-project/index.html wagmi-project/src/main.tsx wagmi-project/src/App.tsx wagmi-project/src/wagmi.ts wagmi-project/src/index.css wagmi-project/src/vite-env.d.ts wagmi-project/.gitignore wagmi-project/.npmrc wagmi-project/biome.json wagmi-project/README.md
Introduce security scanning and CI pipeline configurations across multiple platforms.	Add GitHub Actions workflow to run Fortify AST SAST scans on master branch and PRs. Configure CircleCI with a basic executor and placeholder job using a Docker image. Add Azure Pipelines YAML for basic Node.js build on master branch.	.github/workflows/fortify.yml .circleci/config.yml azure-pipelines.yml
Add repository templates and security policy documentation.	Add GitHub issue templates for bug reports, feature requests, and a custom template. Create SECURITY.md outlining supported versions and vulnerability reporting process. Add FUNDING.json and CNAME placeholders for project funding and custom domain configuration.	.github/ISSUE_TEMPLATE/bug_report.md .github/ISSUE_TEMPLATE/feature_request.md .github/ISSUE_TEMPLATE/custom.md SECURITY.md FUNDING.json CNAME
Add auxiliary project and cache-related files.	Introduce an empty .codesandbox/tasks.json file for CodeSandbox integration. Add V8 compile cache map artifacts under v8-compile-cache-0/. Add various wagmi-project root config files such as .gitignore, .npmrc, and Biome configuration.	.codesandbox/tasks.json v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSsequence.jszSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSworkspacezSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP wagmi-project/.gitignore wagmi-project/.npmrc wagmi-project/biome.json

Possibly linked issues

• Fix merge branch 0xsequence/master #86: They match: this PR implements the wagmi app, Fortify workflow, CI, and templates requested in the issue.
• Feature/integration #17: They both describe adding the wagmi React app plus SECURITY.md, Azure pipeline, and related scaffolding files.
• 0xsequence/master #79: PR implements the Fortify workflow, CircleCI config, issue templates, and React Query upgrade described in the issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[gemini-code-assist]

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily serves to synchronize the project with the latest 0xsequence/master branch, bringing all @0xsequence packages to version 3.0.0-beta.6. The core of this update includes a critical fix for a 'signer 404 error' and various minor enhancements. A key functional improvement is introduced in the Wallet Development Kit (WDK), where the system for identifying signer types has been optimized to avoid redundant witness checks for known non-witnessable signers like Passkeys, thereby boosting efficiency. Additionally, the PR updates a wide array of development dependencies and refines monorepo tooling configurations for better consistency and maintainability.

Highlights

• Version Bump to 3.0.0-beta.6: All @0xsequence packages have been updated to 3.0.0-beta.6, incorporating a fix for a 'signer 404 error' and other minor improvements.
• Optimized Signer Kind Detection in WDK: The Wallet Development Kit (WDK) now includes logic to identify 'non-witnessable signers' (e.g., Passkeys, certain module signers) and skip unnecessary witness probes, improving performance and efficiency.
• Dependency Updates: Numerous development dependencies and internal workspace dependencies across the monorepo have been updated to their latest versions, including Next.js, React, ESLint, TypeScript, and Node types.
• Improved Monorepo Configuration: The syncpack configuration in the root package.json has been extended to include extras/ and repo/ directories, ensuring consistent dependency management across more parts of the project.
• WDK Test Enhancements: Test files within the WDK have been refactored to use .js extensions for imports and improved null-safety in mock call assertions, alongside the addition of a new test specifically for the optimized signer kind detection.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/tests.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a variety of changes, including bug fixes, dependency updates, and new features. The main fix for the "signer 404 error" is well-implemented by introducing a list of nonWitnessableSigners to avoid unnecessary witness probes, which is a good improvement for both performance and correctness. This change is also well-tested. The pull request also includes numerous dependency updates and configuration changes which seem correct. I've added a couple of suggestions to improve type safety in the test files for better maintainability. Overall, this is a good set of changes.

I am having trouble creating individual review comments. Click here to see my feedback.

packages/wallet/wdk/test/wallets.test.ts (322-324)

Using any for the type of m weakens type safety. It would be better to use an inline type for the module object to ensure type safety and improve readability.

    const sessionsModule = config.raw.modules.find((m: { sapientLeaf: { address: Address.Address }; guardLeaf?: Config.Topology }) =>
      Address.isEqual(m.sapientLeaf.address, sessionsModuleAddress)
    )

packages/wallet/wdk/test/wallets.test.ts (365-367)

Using any for the type of m weakens type safety. It would be better to use an inline type for the module object to ensure type safety and improve readability.

    const sessionsModule = config.raw.modules.find((m: { sapientLeaf: { address: Address.Address }; guardLeaf?: Config.Topology }) =>
      Address.isEqual(m.sapientLeaf.address, sessionsModuleAddress)
    )