Wagmi

[Dargon789]

Summary by Sourcery

Introduce a new Wagmi-based demo project and improve security, randomness, and CI/pipeline configuration across the repo.

New Features:

• Add a new Vite-based wagmi-project demo app configured with Wagmi, React Query, and wallet connectors.
• Add GitHub issue templates for bugs, feature requests, and custom issues.
• Add a repository security policy document.

Bug Fixes:

• Use cryptographically secure randomness for generated IDs in the dapp client transport.
• Avoid leaking internal error details in HTTP JSON parse error responses.
• Use a cryptographically random nonce for identity instrument signing requests instead of a timestamp-based value.

Enhancements:

• Upgrade Next.js dependency to the latest major version in docs and web extras packages.
• Restrict GitHub workflow permissions for the pnpm-format-label workflow.

CI:

• Add a basic CircleCI configuration with a custom executor and placeholder job.
• Add an Azure Pipelines configuration for building the Node.js project.

Chores:

• Add miscellaneous project metadata and config files such as CNAME, funding, and sandbox/task-related files.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[sourcery-ai]

Reviewer's Guide

Adds a new Vite-based wagmi demo app, tightens security and privacy in wallet/CLI services, upgrades Next.js dependencies, and introduces CI, issue templates, and security documentation.

Sequence diagram for wagmi wallet connect and disconnect flow

sequenceDiagram
  actor User
  participant BrowserUI
  participant App
  participant WagmiProvider
  participant Connector
  participant Wallet

  User->>BrowserUI: Open wagmi demo
  BrowserUI->>App: Mount App component
  App->>WagmiProvider: useAccount / useConnect / useDisconnect
  WagmiProvider-->>App: account status disconnected
  App-->>BrowserUI: Render connector buttons

  User->>BrowserUI: Click connector button
  BrowserUI->>App: onClick connect(connector)
  App->>WagmiProvider: connect(connector)
  WagmiProvider->>Connector: initiate connection
  Connector->>Wallet: request approval
  Wallet-->>Connector: user approves
  Connector-->>WagmiProvider: connection success (account, chainId)
  WagmiProvider-->>App: account status connected
  App-->>BrowserUI: Show addresses, chainId, Disconnect button

  User->>BrowserUI: Click Disconnect
  BrowserUI->>App: onClick disconnect()
  App->>WagmiProvider: disconnect()
  WagmiProvider-->>App: account status disconnected
  App-->>BrowserUI: Hide account data, show connect options

Loading

Sequence diagram for primitives CLI generic JSON parse error handling

sequenceDiagram
  participant Client
  participant HttpServer
  participant handleHttpRequest
  participant errorResponse

  Client->>HttpServer: HTTP request with invalid JSON
  HttpServer->>handleHttpRequest: pass IncomingMessage and ServerResponse
  handleHttpRequest->>handleHttpRequest: attempt JSON.parse(body)
  handleHttpRequest-->>handleHttpRequest: throws parse error
  handleHttpRequest->>errorResponse: build error(-32700, Parse error)
  errorResponse-->>handleHttpRequest: generic error payload
  handleHttpRequest->>HttpServer: set statusCode 400, end(response)
  HttpServer-->>Client: 400 Parse error (no internal details)

Loading

Class diagram for the new wagmi demo app

classDiagram

class App {
  +App() JSXElement
}

class WagmiConfig {
  +config Config
}

class MainEntry {
  +bootstrap() void
}

class QueryClient {
  +QueryClient() void
}

class WagmiProvider {
  +WagmiProvider(config Config, children ReactNode) JSXElement
}

class QueryClientProvider {
  +QueryClientProvider(client QueryClient, children ReactNode) JSXElement
}

MainEntry --> WagmiProvider : uses
MainEntry --> QueryClientProvider : uses
MainEntry --> App : renders
MainEntry --> QueryClient : creates
WagmiProvider --> WagmiConfig : uses config
App --> WagmiProvider : reads account and connect state
QueryClientProvider --> QueryClient : uses

Loading

Class diagram for DappTransport ID generation security change

classDiagram

class DappTransport {
  -generateId() string
}

Loading

File-Level Changes

Change	Details	Files
Introduce a standalone wagmi demo application using Vite and wagmi best-practice wiring.	Add a Vite/TypeScript React app entrypoint that renders account status, addresses, and chainId using wagmi hooks and supports connect/disconnect flows. Configure WagmiProvider, QueryClientProvider, and Buffer polyfill in the main React bootstrap file, and centralize chain/connector configuration in a typed wagmi config module. Add Vite, TypeScript, Biome, and related tooling configuration plus base HTML, CSS, and README for the wagmi project.	wagmi-project/package.json wagmi-project/tsconfig.json wagmi-project/tsconfig.node.json wagmi-project/vite.config.ts wagmi-project/index.html wagmi-project/src/App.tsx wagmi-project/src/main.tsx wagmi-project/src/wagmi.ts wagmi-project/src/index.css wagmi-project/src/vite-env.d.ts wagmi-project/.gitignore wagmi-project/.npmrc wagmi-project/biome.json wagmi-project/README.md
Improve security and privacy in wallet-related services by hardening randomness and error handling.	Replace Math.random-based ID generation in the dapp client transport with a crypto.getRandomValues-based random suffix combined with a timestamp prefix. Change the identity instrument nonce from a timestamp-derived value to a fixed-length cryptographically random hex nonce. Avoid returning internal JSON parse error details from the primitives CLI HTTP server, instead sending a generic parse error response.	packages/wallet/dapp-client/src/DappTransport.ts packages/services/identity-instrument/src/index.ts packages/wallet/primitives-cli/src/subcommands/server.ts
Update Next.js-based docs and web extras to the latest major Next.js release.	Bump Next.js dependency to ^16.1.5 in the docs extras project. Bump Next.js dependency to ^16.1.5 in the web extras project.	extras/docs/package.json extras/web/package.json
Tighten CI and build tooling via GitHub Actions permissions, Azure Pipelines, and CircleCI.	Restrict permissions for the pnpm-format-label GitHub workflow to read contents and write issues only. Add an Azure Pipelines configuration to build the Node.js project using Node 10.x and run npm install/build. Add an initial CircleCI 2.1 configuration with a custom Docker-based executor and placeholder job/workflow wiring.	.github/workflows/on_pr_pnpm-format-label.yml azure-pipelines.yml .circleci/config.yml
Add repository-level templates and security documentation to standardize contributions and reporting.	Introduce GitHub issue templates for bug reports, feature requests, and a generic custom issue type. Add a SECURITY.md describing supported versions and how to report vulnerabilities.	.github/ISSUE_TEMPLATE/bug_report.md .github/ISSUE_TEMPLATE/feature_request.md .github/ISSUE_TEMPLATE/custom.md SECURITY.md
Add various ancillary project and cache artefact files for hosting, funding, and tooling.	Add placeholder or configuration files for Codesandbox tasks, CNAME, and funding configuration. Check in v8 compile cache map artefacts for preconstruct CLI builds.	.codesandbox/tasks.json CNAME FUNDING.json v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSsequence.jszSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSworkspacezSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP

Possibly linked issues

• Feature/integration #17: They describe the same wagmi integration, security policy, and Azure Pipelines setup; this PR implements it.
• Fix merge branch 0xsequence/master #136: They describe the same wagmi demo app, secure ID generation, CI workflows, and repo templates/security documentation changes.
• Fix merge branch 0xsequence/master #86: The PR implements the wagmi demo app, security policy, CI workflows, and templates exactly as outlined in the issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
sequence.js	Ready	Preview, Comment	Mar 6, 2026 1:00pm
wagmi-project	Ready	Preview, Comment	Mar 6, 2026 1:00pm

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
🔚	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new beta release across several core @0xsequence packages, bumping their versions to 3.0.0-beta.12. The changes primarily focus on expanding the userdata service's API to support a broader range of wallet-related data management. Concurrently, the dapp client has been improved with enhanced session management, including call caching and refined message handling, and the Apple authentication flow has been adjusted for better compatibility. These updates aim to broaden the platform's capabilities and improve the overall developer experience.

Highlights

• Package Version Bumps: Numerous @0xsequence packages were updated to version 3.0.0-beta.12, indicating a new beta release cycle.
• New UserData Service API: The userdata service received significant enhancements, including new RPC methods and data structures for managing wallet preferences, signers, sessions, contacts, watched wallets, discover favorites/history, and token favorites.
• Dapp Client Enhancements: The ChainSessionManager now includes caching for signed calls, and the DappTransport's wallet message source validation was simplified. Additionally, 'eoa' was added as a new LoginMethod type.
• Apple Authentication Flow Adjustment: The Apple authentication process was modified to conditionally omit the scope parameter during authorization requests.
• Next.js Dependency Update: The next dependency in extras/docs and extras/web was upgraded from ^15.5.9 to ^16.1.5.
• New Dapp Client Utilities: New types and utility functions, such as createExplicitSessionConfig and VALUE_FORWARDER_ADDRESS, were exported from the dapp client.

Changelog

• packages/services/api/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix.
• packages/services/builder/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix.
• packages/services/guard/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix.
• packages/services/identity-instrument/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix.
• packages/services/indexer/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix.
• packages/services/marketplace/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix.
• packages/services/metadata/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix.
• packages/services/relayer/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix, along with updated dependencies.
• packages/services/userdata/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix.
• packages/utils/abi/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix.
• packages/wallet/core/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix, along with updated dependencies.
• packages/wallet/dapp-client/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix, along with updated dependencies.
• packages/wallet/primitives/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix.
• packages/wallet/wdk/CHANGELOG.md
  • Added changelog entries for versions 3.0.0-beta.7 through 3.0.0-beta.12, detailing beta release with dapp connector fixes, 3.0.0 beta, dapp-client updates, dapp client updates for EOA login, Apple auth fixes, and Apple auth fix, along with updated dependencies.

Activity

• The pull request was opened by Dargon789 with the title 'Wagmi' and an empty description.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces version bumps for a beta release, security enhancements, and new features for session management. A security audit, while noting the positive implementation of cryptographically secure randomness for ID generation, highlighted concerns regarding the exposure of user information in URLs and potential client-side request manipulation via untrusted redirect parameters. It is recommended to validate all data from redirect URLs and prevent sensitive information leaks through URL parameters. Additionally, a potential regression in session refresh handling and a bug in the new createExplicitSessionConfig utility function were identified.