Main

[Dargon789]

Summary by Sourcery

Introduce a new wagmi-based demo dapp project and improve security, tooling, and CI configuration across the repository.

New Features:

• Add a new wagmi-project React/Vite demo dapp integrating wagmi, viem, and WalletConnect/Coinbase/injected connectors.

Bug Fixes:

• Avoid leaking internal JSON parse errors from the primitives CLI HTTP server responses.

Enhancements:

• Strengthen randomness sources by using crypto.getRandomValues for dapp client ID generation.
• Use a random hex nonce for identity instrument signing instead of a time-based nonce.

Build:

• Add pnpm install step to the tests GitHub Actions workflow and define Node-based Azure Pipelines and CircleCI configurations for the project.

CI:

• Tighten permissions for the pnpm-format-label GitHub workflow.
• Add basic CircleCI and Azure Pipelines configurations for running Node-based builds.

Documentation:

• Add GitHub issue templates for bugs, features, and custom issues, plus a security policy document.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[sourcery-ai]

Reviewer's Guide

This pull request introduces a new wagmi-based demo dapp project, hardens security and privacy in existing wallet and CLI code, and adds CI/configuration files for GitHub Actions, CircleCI, Azure Pipelines, and GitHub issue templates.

Sequence diagram for wallet connect flow in the new wagmi demo dapp

sequenceDiagram
  actor User
  participant App
  participant SequenceWallet as SequenceWalletSDK
  participant SequenceAPI as SequenceAPIClient
  participant ETHAuth as ETHAuthClient

  User->>App: Click Connect (authorize=true)
  App->>SequenceWallet: connect(connectOptions)
  SequenceWallet-->>App: connectDetails(connected, chainId, session, proof)
  alt connectDetails.connected and connectOptions.authorize and connectDetails.proof
    App->>SequenceAPI: isValidETHAuthProof(chainId, walletAddress, ethAuthProofString)
    SequenceAPI-->>App: isValid
    App->>ETHAuth: decodeProof(proofString, validate=true)
    ETHAuth-->>App: decodedProof(signature)
    App->>SequenceWallet: utils.isValidTypedDataSignature(address, typedData, signature, chainId)
    SequenceWallet-->>App: isValidClient
  end
  alt connected
    App-->>User: Show "Wallet connected" and shared email
  else not connected
    App-->>User: Show connection error message
  end

Loading

Class diagram for updated wallet and services utilities

classDiagram
  class DappTransport {
    -generateId() string
  }

  class IdentityInstrument {
    +rpc
    +sign(digest Uint8Array) Promise~any~
  }

  class ServerModule {
    +handleHttpRequest(req IncomingMessage, res ServerResponse, debug boolean, silent boolean) Promise~void~
  }

  class Hex {
    +fromBytes(bytes Uint8Array) Hex
    +fromNumber(value number) Hex
    +random(length number) Hex
  }

  class ErrorResponseFactory {
    +errorResponse(id string, code number, message string) object
  }

  DappTransport ..> window : uses
  DappTransport ..> crypto : uses

  IdentityInstrument ..> Hex : uses

  ServerModule ..> ErrorResponseFactory : uses

  note for DappTransport "generateId now uses window.crypto.getRandomValues for secure randomness"
  note for IdentityInstrument "nonce now generated via Hex.random(16) instead of timestamp based value"
  note for ServerModule "Parse error responses no longer expose internal error details"

Loading

File-Level Changes

Change	Details	Files
Strengthen randomness and nonce generation in wallet-related code.	Replace Math.random-based ID generation in DappTransport with crypto.getRandomValues-backed random strings while preserving existing ID format prefix. Change IdentityInstrument nonce generation from time-based Hex.fromNumber(Date.now()) to a fixed-size cryptographically random Hex.random(16).	packages/wallet/dapp-client/src/DappTransport.ts packages/services/identity-instrument/src/index.ts
Avoid leaking internal error details from the primitives CLI HTTP server JSON parse errors.	Modify JSON parse error response to return a generic 'Parse error' without stringifying and exposing the internal error object.	packages/wallet/primitives-cli/src/subcommands/server.ts
Adjust CI GitHub Actions permissions and dependency installation behavior.	Add minimal contents read and issues write permissions to pnpm-format-label workflow to satisfy GitHub permission model. Insert a pnpm install --no-frozen-lockfile step in tests workflow after dependency installation action to ensure dependencies are installed/updated for tests.	.github/workflows/on_pr_pnpm-format-label.yml .github/workflows/tests.yml
Add a new wagmi-based React demo dapp project integrated with Sequence and Wagmi.	Create a Vite + React + TypeScript wagmi-project with wagmi, viem, React Query and related tooling configuration (tsconfig, vite config, Biome, etc.). Implement a large App.tsx showcasing Sequence wallet initialization, environment selection, network switching, connection flows (including email and OAuth), signing operations, token and transaction examples, and console output. Wire up WagmiProvider and QueryClientProvider in main.tsx, global Buffer polyfill, base HTML/CSS, and wagmi.ts configuration for mainnet and Sepolia with common connectors.	wagmi-project/package.json wagmi-project/tsconfig.json wagmi-project/tsconfig.node.json wagmi-project/vite.config.ts wagmi-project/biome.json wagmi-project/.npmrc wagmi-project/.gitignore wagmi-project/index.html wagmi-project/src/main.tsx wagmi-project/src/App.tsx wagmi-project/src/wagmi.ts wagmi-project/src/index.css wagmi-project/src/vite-env.d.ts
Introduce additional project configuration and community/ops metadata files.	Add GitHub issue templates for bug reports, feature requests, and a custom template to standardize incoming issues. Add SECURITY.md describing supported versions and vulnerability reporting process. Add Azure Pipelines and CircleCI example configurations for CI builds. Add various repo-level config/place-holder files like CNAME, FUNDING.json, .codesandbox/tasks.json, v8-compile-cache artifacts, and wagmi-project scaffolding files.	.github/ISSUE_TEMPLATE/bug_report.md .github/ISSUE_TEMPLATE/feature_request.md .github/ISSUE_TEMPLATE/custom.md SECURITY.md azure-pipelines.yml .circleci/config.yml .codesandbox/tasks.json CNAME FUNDING.json v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSsequence.jszSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSworkspacezSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP

Possibly linked issues

• Feature/integration #17: The PR delivers the wagmi project, SECURITY.md, Azure pipelines, and placeholder files exactly as outlined in the issue.
• Fix merge branch 0xsequence/master #86: They match: both introduce the wagmi demo app plus CI, issue templates, and security/workflow configurations described in the issue.
• 0xsequence/master #79: PR fulfills issue by adding CircleCI config, GitHub issue templates, and updating @tanstack/react-query as requested

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[snyk-io]

⚠️ Snyk checks are incomplete.

Status	Scanner	Critical	High	Medium	Low	Total (0)
⚠️	Open Source Security	0	0	0	0	See details

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[gemini-code-assist]

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request marks a significant advancement in the '@0xsequence' ecosystem with the release of '3.0.0-beta.12'. It primarily focuses on a substantial expansion of the UserData service API, introducing a rich set of new functionalities for managing various aspects of user wallet data. Concurrently, the dapp client has received key enhancements, including a new caching layer for signed calls to improve performance and new utilities for more flexible explicit session configuration. Authentication flows have also been refined, notably with an adjustment to Apple's OAuth scope handling and the addition of support for Externally Owned Account (EOA) logins.

Highlights

• Major Beta Release (3.0.0-beta.12): All core '@0xsequence' packages have been updated to a new beta version, consolidating recent features and fixes.
• Expanded UserData Service API: The 'userdata' service now includes extensive new RPC methods and data structures for managing wallet preferences, signers, sessions, contacts, watched wallets, and discover/token favorites.
• Dapp Client Session Management Improvements: Implemented a caching mechanism for signed calls within 'ChainSessionManager' to optimize transaction processing and removed specific retry logic for expired signers.
• Enhanced Explicit Session Configuration: New utilities are introduced in the dapp client to simplify the creation of explicit session configurations, allowing for precise control over session duration and native token spending limits.
• Apple Authentication Scope Adjustment: The Wallet Development Kit (WDK) now conditionally omits the 'scope' parameter for Apple authentication requests, aligning with Apple's specific OAuth requirements.
• EOA Login Method Support: The dapp client now supports Externally Owned Account (EOA) as a login method, broadening authentication options.

Changelog

• .changeset/bright-pots-hope.md
  • Added a new changeset entry for 'Beta release with dapp connector fixes'.
• .changeset/crisp-zoos-retire.md
  • Added a new changeset entry for 'dapp-client updates'.
• .changeset/free-tips-switch.md
  • Added a new changeset entry for '3.0.0 beta'.
• .changeset/new-turkeys-double.md
  • Added a new changeset entry for 'Apple auth fixes'.
• .changeset/nice-tips-slide.md
  • Added a new changeset entry for 'Apple auth fix'.
• .changeset/pre.json
  • Updated initial versions of '@0xsequence' packages from '3.0.0-beta.5' to '3.0.0-beta.11'.
  • Added new changeset entries: 'bright-pots-hope', 'crisp-zoos-retire', 'free-tips-switch', 'new-turkeys-double', 'nice-tips-slide', 'tiny-files-chew'.
• .changeset/tiny-files-chew.md
  • Added a new changeset entry for 'dapp client updates for EOA login'.
• packages/services/api/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes like 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/api/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/services/builder/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes like 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/builder/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/services/guard/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes like 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/guard/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/services/identity-instrument/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes like 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/identity-instrument/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/services/indexer/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes like 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/indexer/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/services/marketplace/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes like 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/marketplace/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/services/metadata/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes like 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/metadata/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/services/relayer/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes and updated dependencies for '@0xsequence/wallet-primitives'.
• packages/services/relayer/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/services/userdata/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes like 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/services/userdata/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/services/userdata/src/userdata.gen.ts
  • Updated the 'WebrpcSchemaHash' from '99a19ff0218eda6f5e544642d0fd72f66736bdaf' to '4797326ffeb063c7256cf02523d563066fdaec9b'.
  • Added numerous new RPC methods to the 'UserDataClient' interface, including 'getWalletPreferences', 'putWalletPreferences', 'listWalletSigners', 'putWalletSigner', 'deleteWalletSigner', 'listSessions', 'putSession', 'deleteSession', 'listContacts', 'putContact', 'deleteContact', 'listWatchedWallets', 'putWatchedWallet', 'deleteWatchedWallet', 'listDiscoverFavorites', 'putDiscoverFavorite', 'deleteDiscoverFavorite', 'listDiscoverHistory', 'putDiscoverHistory', 'deleteDiscoverHistory', 'listTokenFavorites', 'putTokenFavorite', and 'deleteTokenFavorite'.
  • Introduced new interfaces such as 'Version', 'RuntimeStatus', 'WalletPreferences', 'Contact', 'WatchedWallet', 'DiscoverFavorite', 'DiscoverHistory', 'TokenFavorite', 'WalletSignerProps', 'ContactProps', 'DiscoverProps', 'TokenFavoriteProps', and 'WatchedWalletProps'.
  • Modified existing interfaces 'Wallet' and 'WalletSigner' to include new fields like 'preferences', 'updatedAt', 'createdAt', 'kind', and 'email'.
  • Implemented the new RPC methods within the 'UserData' client class.
• packages/utils/abi/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes like 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/utils/abi/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/wallet/core/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes and updated dependencies for '@0xsequence/guard', '@0xsequence/relayer', and '@0xsequence/wallet-primitives'.
• packages/wallet/core/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/wallet/dapp-client/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes and updated dependencies for '@0xsequence/guard', '@0xsequence/relayer', '@0xsequence/wallet-core', and '@0xsequence/wallet-primitives'.
• packages/wallet/dapp-client/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/wallet/dapp-client/src/ChainSessionManager.ts
  • Introduced a 'lastSignedCallCache' property to store recently signed calls.
  • Removed the specific retry logic for expired signers from the 'hasPermission' method.
  • Implemented caching of signed calls within the 'estimateGasLimits' method.
  • Added a new private method '_getCachedSignedCall' to retrieve cached signed calls with a 30-second TTL.
  • Added a new private method '_fingerprintCalls' to generate a unique identifier for call arrays for caching purposes.
• packages/wallet/dapp-client/src/DappTransport.ts
  • Simplified the message source validation in the '_onMessage' handler to strictly check if 'event.source' matches 'this.walletWindow'.
• packages/wallet/dapp-client/src/index.ts
  • Exported 'TransportMessage' and 'MessageType' from './types/index.js'.
  • Exported new utility functions: 'createExplicitSessionConfig', 'getNetwork', 'getRelayerUrl', 'getRpcUrl', 'VALUE_FORWARDER_ADDRESS'.
  • Exported new types: 'ExplicitSessionParams', 'NativeTokenSpending', 'SessionDuration'.
  • Exported 'Network' from '@0xsequence/wallet-primitives'.
• packages/wallet/dapp-client/src/types/index.ts
  • Added 'eoa' as a new 'LoginMethod' type.
• packages/wallet/dapp-client/src/utils/index.ts
  • Exported 'VALUE_FORWARDER_ADDRESS'.
  • Defined new types: 'SessionDuration', 'NativeTokenSpending', and 'ExplicitSessionParams'.
  • Added a new function 'createExplicitSessionConfig' to facilitate the creation of explicit session configurations with specified durations, permissions, and native token spending limits.
• packages/wallet/primitives/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes like 'Beta release with dapp connector fixes', '3.0.0 beta', 'dapp-client updates', 'dapp client updates for EOA login', 'Apple auth fixes', and 'Apple auth fix'.
• packages/wallet/primitives/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/wallet/wdk/CHANGELOG.md
  • Added changelog entries for versions '3.0.0-beta.7' through '3.0.0-beta.12', including various patch changes and updated dependencies for '@0xsequence/guard', '@0xsequence/identity-instrument', '@0xsequence/relayer', '@0xsequence/wallet-core', and '@0xsequence/wallet-primitives'.
• packages/wallet/wdk/package.json
  • Updated package version from '3.0.0-beta.6' to '3.0.0-beta.12'.
• packages/wallet/wdk/src/sequence/handlers/authcode.ts
  • Modified the 'getAuthUrl' method to conditionally omit the 'scope' parameter for Apple authentication requests.
• packages/wallet/wdk/test/authcode.test.ts
  • Added a test case to verify that the 'scope' parameter is not present in the Apple authentication URL generated by 'AuthCodeHandler'.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[sourcery-ai]

Sorry @Dargon789, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

[gemini-code-assist]

Code Review

This pull request introduces a series of updates, primarily focused on a beta release with dapp connector fixes, Apple authentication improvements, and EOA login support.

My review focused on the logic changes within the dapp-client and wdk packages. The changes include:

• Caching signed calls in ChainSessionManager to optimize fee estimation and transaction sending.
• A security improvement in DappTransport by enforcing stricter validation of message sources.
• A fix in authcode.ts to correctly handle OAuth scope for Apple sign-in, which is accompanied by a corresponding test update.

I have one main concern regarding the removal of the automatic session refresh logic in ChainSessionManager.ts. This could potentially be a regression in user experience if not handled properly by consuming dapps. Please see my detailed comment on that.

Overall, the changes seem to be moving in the right direction, with good optimizations and security enhancements. Addressing the session refresh concern would further improve the robustness of the dapp client.

[Dargon789]

#284

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
wagmi-project	Canceled		Feb 7, 2026 10:34pm