Master ceb95d4

[Dargon789]

Summary by Sourcery

Improve security, privacy, and developer tooling while adding a new wagmi-based demo app and basic project metadata/configuration.

New Features:

• Add a new Vite-based wagmi demo application with wallet connection UI and wagmi configuration.
• Introduce GitHub issue templates for bugs, feature requests, and custom issues to standardize user feedback.
• Add security policy documentation outlining supported versions and vulnerability reporting.

Bug Fixes:

• Avoid leaking internal JSON parse error details in the primitives CLI HTTP server by returning a generic parse error response.

Enhancements:

• Use cryptographically secure randomness for ID generation in the dapp client transport.
• Generate a random nonce for identity instrument signing instead of using the current timestamp.
• Upgrade the Next.js dependency in the web extras app to the latest major version.

Build:

• Add a Vite/TypeScript build configuration and supporting files for the new wagmi project.
• Introduce an Azure Pipelines configuration for building the Node.js project.

CI:

• Restrict permissions for the pnpm-format-label GitHub Actions workflow to the minimum required.
• Add a basic CircleCI configuration with a custom executor for future CI jobs.

Documentation:

• Document the new wagmi project setup with a minimal README.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[sourcery-ai]

Reviewer's Guide

Strengthens security/privacy around wallet operations, adds a new wagmi-based Vite React example app with full TS/build tooling, and introduces CI/configuration and GitHub templates/metadata.

Sequence diagram for primitives CLI JSON parse error handling

sequenceDiagram
  actor Client
  participant HttpServer
  participant handleHttpRequest
  participant JSONParser
  participant errorResponse

  Client->>HttpServer: HTTP request with body
  HttpServer->>handleHttpRequest: pass IncomingMessage and ServerResponse
  handleHttpRequest->>JSONParser: parse(requestBody)
  JSONParser-->>handleHttpRequest: throw SyntaxError
  handleHttpRequest->>handleHttpRequest: catch JSON parse error
  handleHttpRequest->>handleHttpRequest: log parse error (server-side)
  handleHttpRequest->>errorResponse: create(-32700, Parse_error)
  errorResponse-->>handleHttpRequest: generic_error_payload
  handleHttpRequest-->>Client: HTTP 400 with generic parse error JSON

Loading

Class diagram for updated wallet ID and nonce generation

classDiagram

class DappTransport {
  +generateId() string
}

class IdentityInstrument {
  +createSignParams(digest Uint8Array) IdentitySignParams
}

class IdentitySignParams {
  +keyType KeyType
  +digest Hex
  +nonce Hex
}

DappTransport ..> IdentityInstrument : used_in_same_wallet_domain
IdentityInstrument *-- IdentitySignParams : builds
IdentitySignParams o-- Hex : uses

class Hex {
  +fromBytes(bytes Uint8Array) Hex
  +random(length number) Hex
}

class KeyType {
}

Loading

File-Level Changes

Change	Details	Files
Harden randomness and nonce generation for wallet-related operations.	Replace Math.random-based ID component in DappTransport.generateId with crypto.getRandomValues-based random string while keeping timestamp prefix for ordering/debugging. Switch IdentityInstrument nonce from timestamp-based Hex.fromNumber(Date.now()) to Hex.random(16) for better uniqueness and security.	packages/wallet/dapp-client/src/DappTransport.ts packages/services/identity-instrument/src/index.ts
Reduce information leakage from the primitives CLI HTTP JSON parser errors.	Stop echoing internal JSON.parse error details back to clients and instead return a generic JSON-RPC -32700 'Parse error' response while still logging full details server-side when not in silent mode.	packages/wallet/primitives-cli/src/subcommands/server.ts
Introduce a wagmi-based Vite React example dapp with basic wallet connection UI and tooling.	Add a new wagmi-project Vite+TypeScript+React app scaffold including tsconfig, Vite config, Biome config, npmrc, gitignore, and index.html. Implement main.tsx bootstrapping React with WagmiProvider, React Query, and global Buffer polyfill. Add wagmi.ts to configure wagmi with mainnet/sepolia chains, injected/WalletConnect/Coinbase connectors, and type registration. Create App.tsx showing basic account state (status, addresses, chainId) plus connect/disconnect flows driven by wagmi hooks. Add minimal styling via index.css and a short README referencing create-wagmi.	wagmi-project/package.json wagmi-project/tsconfig.json wagmi-project/tsconfig.node.json wagmi-project/vite.config.ts wagmi-project/biome.json wagmi-project/.npmrc wagmi-project/.gitignore wagmi-project/index.html wagmi-project/src/main.tsx wagmi-project/src/App.tsx wagmi-project/src/wagmi.ts wagmi-project/src/index.css wagmi-project/src/vite-env.d.ts wagmi-project/README.md
Add and tighten CI/build automation for the repository and workflows.	Introduce a CircleCI 2.1 config using a custom Docker-based executor and a placeholder web3-defi-game-project- job that checks out the repo and runs a shell step. Add an Azure Pipelines YAML that triggers on master, installs Node.js 10.x, and runs npm install && npm run build. Restrict GitHub on_pr_pnpm-format-label workflow permissions to read-only contents and write-only issues.	.circleci/config.yml azure-pipelines.yml .github/workflows/on_pr_pnpm-format-label.yml
Refresh web example dependencies and add security/issue documentation and repo metadata.	Bump extras/web Next.js dependency from ^15.5.9 to ^16.1.5 to keep the example app current. Add SECURITY.md with supported version table and vulnerability reporting instructions. Add GitHub issue templates for bugs, feature requests, and custom issues. Add assorted repo metadata/config and sandbox artifacts such as CNAME, FUNDING, .codesandbox tasks, and v8-compile-cache entries.	extras/web/package.json SECURITY.md .github/ISSUE_TEMPLATE/bug_report.md .github/ISSUE_TEMPLATE/feature_request.md .github/ISSUE_TEMPLATE/custom.md .codesandbox/tasks.json CNAME FUNDING.json v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSsequence.jszSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSworkspacezSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP

Possibly linked issues

• Fix merge branch 0xsequence/master #136: They match: the PR implements the wagmi demo app, secure ID generation, CI, and templates described in the issue.
• Feature/integration #17: The PR implements the wagmi project, SECURITY.md, Azure pipeline, and placeholder/config files exactly as described in the issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[snyk-io]

⚠️ Snyk checks are incomplete.

Status	Scanner	Critical	High	Medium	Low	Total (0)
⚠️	Open Source Security	0	0	0	0	See details

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[gemini-code-assist]

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request consolidates a series of updates and new features for the @0xsequence ecosystem, culminating in the 3.0.0-beta.12 release across core packages. The changes significantly expand the capabilities of the userdata service for comprehensive wallet management and introduce critical improvements to the dapp-client for enhanced DApp connectivity and transaction efficiency. Specific authentication flows, particularly for Apple, have been refined, and new utilities have been added to streamline session configuration, contributing to a more robust and developer-friendly platform.

Highlights

• Expanded User Data Service: The @0xsequence/userdata service has been significantly enhanced with new functionalities for managing wallet preferences, signers, sessions, contacts, watched wallets, and discover/token favorites/history. This includes new interfaces and client methods to interact with these data types.
• DApp Connector Enhancements: The @0xsequence/dapp-client now includes a caching mechanism for signed calls to optimize transaction processing, improving efficiency for feeOptions and sendTransaction calls. The logic for handling expired signers during permission checks has also been refined.
• Apple Authentication Fixes: Adjustments have been made in @0xsequence/wallet-wdk to conditionally remove the scope parameter during Apple authentication requests, resolving specific issues with Apple logins.
• New Login Method and Session Configuration Utilities: The LoginMethod type in @0xsequence/dapp-client now supports 'eoa' (Externally Owned Account). Additionally, a new utility function createExplicitSessionConfig has been introduced to simplify the configuration of explicit sessions, allowing for easier definition of native token spending limits and allowed recipients.
• Core Package Version Updates: Numerous @0xsequence packages, including api, builder, guard, identity-instrument, indexer, marketplace, metadata, relayer, userdata, abi, wallet-core, dapp-client, wallet-primitives, and wallet-wdk, have been updated to version 3.0.0-beta.12.

Changelog

• .changeset/bright-pots-hope.md
  • Added: Beta release with dapp connector fixes
• .changeset/crisp-zoos-retire.md
  • Added: dapp-client updates
• .changeset/free-tips-switch.md
  • Added: 3.0.0 beta
• .changeset/new-turkeys-double.md
  • Added: Apple auth fixes
• .changeset/nice-tips-slide.md
  • Added: Apple auth fix
• .changeset/pre.json
  • Updated versions for all @0xsequence packages from 3.0.0-beta.5 to 3.0.0-beta.11 in initialVersions.
  • Added new changeset IDs: bright-pots-hope, crisp-zoos-retire, free-tips-switch, new-turkeys-double, nice-tips-slide, tiny-files-chew.
• .changeset/tiny-files-chew.md
  • Added: dapp client updates for EOA login
• extras/web/package.json
  • Updated next dependency from ^15.5.9 to ^16.1.5.
• packages/services/api/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/api/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/services/builder/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/builder/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/services/guard/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/guard/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/services/identity-instrument/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/identity-instrument/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/services/indexer/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/indexer/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/services/marketplace/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/marketplace/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/services/metadata/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/metadata/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/services/relayer/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
  • Updated dependencies for @0xsequence/wallet-primitives across all new beta versions.
• packages/services/relayer/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/services/userdata/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/userdata/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/services/userdata/src/userdata.gen.ts
  • Updated WebrpcSchemaHash from 99a19ff0218eda6f5e544642d0fd72f66736bdaf to 4797326ffeb063c7256cf02523d563066fdaec9b.
  • Added numerous new methods to the UserDataClient interface, including getWalletPreferences, listWalletSigners, listSessions, listContacts, listWatchedWallets, listDiscoverFavorites, listDiscoverHistory, and listTokenFavorites, along with their corresponding put and delete operations.
  • Introduced new interfaces such as Version, RuntimeStatus, WalletPreferences, Contact, WatchedWallet, DiscoverFavorite, DiscoverHistory, TokenFavorite, and various Props interfaces for requests.
  • Modified existing Wallet interface to include preferences, updatedAt, createdAt, and made ecosystem optional.
  • Modified WalletSigner interface to include kind, email, updatedAt, and createdAt.
  • Implemented the new methods within the UserData class.
• packages/utils/abi/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/utils/abi/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/wallet/core/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
  • Updated dependencies for @0xsequence/guard, @0xsequence/relayer, and @0xsequence/wallet-primitives across all new beta versions.
• packages/wallet/core/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/wallet/dapp-client/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
  • Updated dependencies for @0xsequence/guard, @0xsequence/relayer, @0xsequence/wallet-core, and @0xsequence/wallet-primitives across all new beta versions.
• packages/wallet/dapp-client/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/wallet/dapp-client/src/ChainSessionManager.ts
  • Added lastSignedCallCache property to ChainSessionManager to store recently signed calls.
  • Removed the retry logic for permission checks that involved refreshing explicit sessions upon encountering expired signers.
  • Implemented caching for signed calls in _buildAndSignCalls and sendTransaction methods using _getCachedSignedCall and _fingerprintCalls to avoid redundant signing operations.
  • Added _getCachedSignedCall and _fingerprintCalls private methods for managing the signed call cache.
• packages/wallet/dapp-client/src/DappTransport.ts
  • Simplified the isPotentiallyValidSource check within the _onMessage handler, now directly checking event.source === this.walletWindow and removing the !this.walletWindow.closed condition.
• packages/wallet/dapp-client/src/index.ts
  • Exported new types: TransportMessage, ExplicitSessionParams, NativeTokenSpending, SessionDuration.
  • Exported new functions: createExplicitSessionConfig, getNetwork, getRelayerUrl, getRpcUrl, VALUE_FORWARDER_ADDRESS.
  • Exported MessageType from ./types/index.js.
  • Exported Network from @0xsequence/wallet-primitives.
• packages/wallet/dapp-client/src/types/index.ts
  • Added 'eoa' to the LoginMethod type.
• packages/wallet/dapp-client/src/utils/index.ts
  • Imported ExplicitSessionConfig, Permission, and Address types.
  • Exported VALUE_FORWARDER_ADDRESS from ./constants.js.
  • Defined new types: SessionDuration, NativeTokenSpending, ExplicitSessionParams.
  • Added createExplicitSessionConfig function to facilitate the creation of explicit session configurations with specified chain ID, expiration, permissions, and optional native token spending limits.
• packages/wallet/primitives/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/wallet/primitives/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/wallet/wdk/CHANGELOG.md
  • Added changelog entries for 3.0.0-beta.12 through 3.0.0-beta.7, including 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
  • Updated dependencies for @0xsequence/guard, @0xsequence/identity-instrument, @0xsequence/relayer, @0xsequence/wallet-core, and @0xsequence/wallet-primitives across all new beta versions.
• packages/wallet/wdk/package.json
  • Updated package version from 3.0.0-beta.6 to 3.0.0-beta.12.
• packages/wallet/wdk/src/sequence/handlers/authcode.ts
  • Modified the AuthCodeHandler to conditionally include the scope parameter in the OAuth URL. The scope parameter is now omitted for Apple authentication (signupKind === 'apple').
• packages/wallet/wdk/test/authcode.test.ts
  • Added a test case to verify that the scope search parameter is not present in the generated URL when signupKind is 'apple'.

Activity

• This pull request appears to be an automated merge or synchronization of the master branch, indicated by the generic title and empty description.
• Multiple @0xsequence packages have been updated to 3.0.0-beta.12, suggesting a new beta release cycle.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request includes a variety of updates across many packages, primarily focused on version bumps for a new beta release, and updating changelogs accordingly. Key functional changes include a security enhancement to use cryptographically secure randomness for ID generation in the dapp-client, a fix for Apple authentication by removing the scope parameter, and the addition of new helper functions for creating explicit session configurations.

My main concern is the removal of the automatic session refresh logic in ChainSessionManager.ts. This change could lead to permission failures for users with expired sessions without an attempt to automatically refresh them, potentially degrading the user experience. I've added a specific comment with more details on this.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
sequence-js-docs	Ready	Preview, Comment	Feb 7, 2026 3:03pm
sequence-js-web	Ready	Preview, Comment	Feb 7, 2026 3:03pm

[Dargon789]

#283