Sequence diagram for Tempo signer lookup and access key signing

[Dargon789]

Reviewer's Guide

Introduces security-hardening and ecosystem integration changes across test utilities, npm tooling, wallets, linting, CI workflows, and dependency configuration, plus a sample counter project and Remix artifacts.

Sequence diagram for Tempo signer lookup and access key signing

sequenceDiagram
    actor User
    participant WalletApi
    participant FileSystem
    participant TempoModule
    participant Signer

    User->>WalletApi: send_transaction(from, tx_request)
    WalletApi->>TempoModule: lookup_signer(from)
    TempoModule->>FileSystem: keys_path()
    FileSystem-->>TempoModule: keys_toml_path
    TempoModule->>FileSystem: read_to_string(path)
    FileSystem-->>TempoModule: contents
    TempoModule->>TempoModule: parse KeysFile and iterate KeyEntry
    alt matching_direct_entry
        TempoModule-->>WalletApi: TempoLookup_Direct(WalletSigner)
        WalletApi->>Signer: sign_standard(tx_request)
        Signer-->>WalletApi: signed_tx_bytes
    else matching_keychain_entry
        TempoModule->>TempoModule: decode_key_authorization(optional_hex)
        TempoModule-->>WalletApi: TempoLookup_Keychain(WalletSigner, TempoAccessKeyConfig)
        WalletApi->>TempoModule: sign_with_access_key(tx_request, signer, wallet_address)
        TempoModule->>TempoModule: build_aa(TempoTransactionRequest)
        TempoModule->>TempoModule: sig_hash = tempo_tx.signature_hash()
        TempoModule->>TempoModule: signing_hash = KeychainSignature.signing_hash(sig_hash, wallet_address)
        TempoModule->>Signer: sign_hash(signing_hash)
        Signer-->>TempoModule: raw_sig
        TempoModule->>TempoModule: keychain_sig = KeychainSignature.new(wallet_address, raw_sig)
        TempoModule->>TempoModule: aa_signed = tempo_tx.into_signed(Keychain(keychain_sig))
        TempoModule-->>WalletApi: encoded_eip2718_bytes
    end
    WalletApi-->>User: submit_signed_transaction_result

Loading

Class diagram for Tempo wallets integration module

classDiagram
    class KeysFile {
        +Vec~KeyEntry~ keys
    }

    class KeyEntry {
        +WalletType wallet_type
        +Address wallet_address
        +u64 chain_id
        +KeyType key_type
        +Option~Address~ key_address
        +Option~String~ key
        +Option~String~ key_authorization
        +Option~u64~ expiry
        +Vec~StoredTokenLimit~ limits
    }

    class StoredTokenLimit {
        +Address currency
        +String limit
    }

    class WalletType {
        <<enum>>
        +Local
        +Passkey
    }

    class KeyType {
        <<enum>>
        +Secp256k1
        +P256
        +WebAuthn
    }

    class TempoAccessKeyConfig {
        +Address wallet_address
        +Address key_address
        +Option~SignedKeyAuthorization~ key_authorization
    }

    class TempoLookup {
        <<enum>>
        +Direct(wallet_signer WalletSigner)
        +Keychain(wallet_signer WalletSigner, config TempoAccessKeyConfig)
        +NotFound
    }

    class TempoModule {
        <<module>>
        +Option~PathBuf~ keys_path()
        +SignedKeyAuthorization decode_key_authorization(hex_str String) Result
        +TempoLookup lookup_signer(from Address) Result
        +Vec~u8~ sign_with_access_key(tx_request TempoTransactionRequest, signer Signer, wallet_address Address) Result
    }

    class WalletSigner {
    }

    class Signer {
        <<trait>>
        +sign_hash(hash PrimitiveSignature) Future~Result~
    }

    class TempoTransactionRequest {
        +TempoTransactionRequest build_aa() Result
    }

    class KeychainSignature {
        +Hash signing_hash(sig_hash PrimitiveSignature, wallet_address Address)
        +KeychainSignature new(wallet_address Address, primitive PrimitiveSignature)
    }

    class PrimitiveSignature {
        <<enum>>
        +Secp256k1(raw_sig PrimitiveSignature)
    }

    class TempoSignature {
        <<enum>>
        +Keychain(keychain_sig KeychainSignature)
    }

    class SignedKeyAuthorization {
    }

    class Address {
    }

    class PathBuf {
    }

    class Result {
    }

    class Vec_u8 {
    }

    KeysFile "1" o-- "*" KeyEntry : contains
    KeyEntry "1" o-- "*" StoredTokenLimit : has

    TempoLookup ..> WalletSigner : variant_uses
    TempoLookup ..> TempoAccessKeyConfig : variant_uses

    TempoAccessKeyConfig ..> SignedKeyAuthorization : optional

    TempoModule ..> KeysFile : parses
    TempoModule ..> TempoLookup : returns
    TempoModule ..> TempoAccessKeyConfig : constructs
    TempoModule ..> KeychainSignature : signs_with
    TempoModule ..> TempoTransactionRequest : builds_from
    TempoModule ..> Signer : uses
    TempoModule ..> Address : identifies_wallet

    KeyEntry ..> WalletType : uses
    KeyEntry ..> KeyType : uses

Loading

Class diagram for linting framework abstractions

classDiagram
    class Linter {
        <<trait>>
        +Language Language
        +Lint Lint
        +lint(input Vec~PathBuf~) void
    }

    class Lint {
        <<trait>>
        +id() String
        +severity() Severity
        +description() String
        +help() String
    }

    class LintContext {
        -Session sess
        -bool desc
        +new(sess Session, with_description bool) LintContext
        +emit(lint Lint, span Span) void
    }

    class EarlyLintPass {
        <<trait>>
        +check_expr(ctx LintContext, expr Expr) void
        +check_item_struct(ctx LintContext, strukt ItemStruct) void
        +check_item_function(ctx LintContext, func ItemFunction) void
        +check_variable_definition(ctx LintContext, var VariableDefinition) void
    }

    class EarlyLintVisitor {
        +LintContext ctx
        +Vec~EarlyLintPass~ passes
        +visit_expr(expr Expr) ControlFlow
        +visit_variable_definition(var VariableDefinition) ControlFlow
        +visit_item_struct(strukt ItemStruct) ControlFlow
        +visit_item_function(func ItemFunction) ControlFlow
        +walk_expr(expr Expr) ControlFlow
        +walk_variable_definition(var VariableDefinition) ControlFlow
        +walk_item_struct(strukt ItemStruct) ControlFlow
        +walk_item_function(func ItemFunction) ControlFlow
    }

    class Visit {
        <<trait>>
        +visit_expr(expr Expr) ControlFlow
        +visit_variable_definition(var VariableDefinition) ControlFlow
        +visit_item_struct(strukt ItemStruct) ControlFlow
        +visit_item_function(func ItemFunction) ControlFlow
    }

    class Expr {
    }

    class ItemStruct {
    }

    class ItemFunction {
    }

    class VariableDefinition {
    }

    class Session {
        +dcx DiagnosticContext
    }

    class Severity {
        <<enum>>
    }

    class Span {
    }

    class PathBuf {
    }

    class DiagBuilder {
        +diag(severity Severity, message String) DiagBuilder
        +code(id DiagId) DiagBuilder
        +span(multi MultiSpan) DiagBuilder
        +help(message String) DiagBuilder
        +emit() void
    }

    class DiagnosticContext {
        +diag(severity Severity, message String) DiagBuilder
    }

    class MultiSpan {
        +from_span(span Span) MultiSpan
    }

    class DiagId {
        +new_str(id String) DiagId
    }

    class ControlFlow {
    }

    Linter ..> Lint : associated_type
    Linter ..> Language : associated_type

    LintContext ..> Session : holds
    LintContext ..> Lint : emits
    LintContext ..> Span : targets
    LintContext ..> DiagBuilder : builds
    LintContext ..> MultiSpan : wraps_span

    EarlyLintPass <|.. EarlyLintVisitor : uses_trait

    EarlyLintVisitor ..|> Visit : implements
    EarlyLintVisitor ..> EarlyLintPass : owns_passes
    EarlyLintVisitor ..> LintContext : holds

    Visit ..> Expr : visits
    Visit ..> ItemStruct : visits
    Visit ..> ItemFunction : visits
    Visit ..> VariableDefinition : visits

Loading

File-Level Changes

Change	Details	Files
Constrain test-utils filesystem operations to a fixed temp-based workspace and expose terminal detection flag.	Introduce TEST_UTIL_BASE to anchor all test utility filesystem paths under the system temp directory and pre-create the directory. Add resolve_and_validate_under_base helper to canonicalize input paths, remap absolute paths under the base, and reject paths escaping the base. Wrap copy_dir_filtered and its recursive helper to always operate on validated, canonicalized paths while still skipping build-artifact directories. Expose IS_TTY LazyLock boolean for stdout is_terminal detection and adjust compiler error handling to use explicit panic instead of assert.	crates/test-utils/src/util.rs
Harden file copying in script tests against symlink traversal and path tricks.	Filter directory entries to operate only on regular files using symlink_metadata. Skip entries with invalid or traversal-like file names containing .. or path separators. Canonicalize candidate files and ensure they reside under from_dir before copying into the destination utilities directory.	crates/test-utils/src/script.rs
Tighten npm artifact and registry handling plus argument validation for staging scripts.	Add GitHub workflow step to validate downloaded artifacts directories, ensure they exist and are non-empty, and reject files with absolute or parent-traversal paths. Wrap registry URL resolution to parse and validate as a URL, enforce https scheme, block obvious loopback hosts, and normalize the base URL without trailing slashes. Introduce requireSafeIdentifier helper and use it for tool/platform/arch/release arguments in stage-from-artifact to restrict values to a safe identifier character set.	.github/workflows/npm.yml npm/src/const.mjs npm/scripts/stage-from-artifact.mjs
Integrate Tempo wallet/keychain support and signing path.	Add Tempo keys.toml parsing types and helpers to locate Tempo wallets under TEMPO_HOME or ~/.tempo. Implement TempoLookup to distinguish direct EOA keys from keychain (access key) entries, creating WalletSigner instances for each. Define TempoAccessKeyConfig to carry wallet/key addresses and optional decoded SignedKeyAuthorization from hex RLP. Provide sign_with_access_key helper to build AA transactions, compute the keychain V2 signing hash, sign with the underlying signer, wrap into KeychainSignature/TempoSignature, and output EIP-2718-encoded bytes.	crates/wallets/src/tempo.rs
Introduce a generic linting infrastructure built on solar AST visitors.	Define a Linter trait parameterized by language and lint types with a lint entry point over paths. Add Lint trait describing id, severity, description, and help for individual lint rules. Provide LintContext wrapper over solar Session to emit diagnostics with lint metadata and optional descriptions. Implement EarlyLintPass trait that mirrors solar_ast::visit::Visit hooks and an EarlyLintVisitor that dispatches those hooks to all registered passes while walking the AST.	crates/lint/src/linter.rs
Add a Cancun beacon block trace regression test and minor fixes in EVM/Anvil.	Add cast CLI test that exercises a Cancun beacon block root and asserts on the expected textual trace output for a specific mainnet transaction. Adjust evm env tests imports to move Sealed under an optimism-gated module and add missing alloy-network dependency in Cargo. Change Anvil in-memory backend to construct OpCallDepositInfo without default() in OP feature path.	crates/cast/tests/cli/main.rs crates/evm/core/src/env.rs crates/evm/evm/Cargo.toml crates/anvil/src/eth/backend/mem/mod.rs
Tighten cleanup and constructor handling plus add convenience conversions in core Rust code.	Harden benchmark project cleanup by canonicalizing entries, ensuring they stay under the root path, and skipping suspicious paths before deleting. Warn when forge create is given constructor args for a contract without a constructor and ignore the extraneous arguments. Provide From<Vec> for doc Comments for easier construction from collected comment vectors. Gate an anvil state integration test behind the cmd feature. Remove an unnecessary cfg guard in a forge optimizer test and adjust other minor imports or types.	benches/src/lib.rs crates/forge/src/cmd/create.rs crates/doc/src/parser/comment.rs crates/anvil/tests/it/main.rs crates/forge/tests/cli/test_optimizer.rs crates/common/Cargo.toml crates/forge/Cargo.toml
Update dependency/deny configuration to support new Foundry and Reth forks.	Extend cargo-deny allow-git list to include new foundry-* and optimism repositories and a forked reth repository while dropping older entries. Wire foundry-primitives, alloy-network, alloy-hardforks, and tempo-alloy into the appropriate Cargo crates to reflect new integrations.	deny.toml crates/common/Cargo.toml crates/evm/evm/Cargo.toml crates/forge/Cargo.toml crates/script/Cargo.toml
Add a small sample Foundry counter project and Remix test support artifacts.	Add a counter/ Foundry subproject including Counter.sol, deployment script, tests, config, and README. Include forge-std and openzeppelin-contracts as submodules under the counter project libs. Vendor Remix testing support contracts (remix_tests.sol and remix_accounts.sol) in .deps for potential integration.	counter/src/Counter.sol counter/script/Counter.s.sol counter/test/Counter.t.sol counter/foundry.toml counter/README.md counter/.gitignore counter/lib/forge-std counter/lib/openzeppelin-contracts .deps/remix-tests/remix_tests.sol .deps/remix-tests/remix_accounts.sol
Introduce or expand CI/CD pipelines and security scanning across GitHub Actions and CircleCI.	Add multiple GitHub workflows for Docker builds, Snyk container scanning, CodeQL analysis, APIsec scanning, Foundry CI for the counter project, npm publish artifact validation, and a basic cargo build/test deploy workflow. Introduce various CircleCI configs for Rust cargo CI, deployment examples, and web3-related sample jobs, albeit some appear templated or redundant. Add a Google GKE build-and-deploy workflow for containerized deployment using Workload Identity Federation.	.github/workflows/npm.yml .github/workflows/Docker.yml .github/workflows/docker.yml .github/workflows/snyk-container.yml .github/workflows/codeql.yml .github/workflows/apisec-scan.yml .github/workflows/deploy.yml .github/workflows/google.yml counter/.github/workflows/test.yml .circleci/config.yml .circleci/ci.yml .circleci/ci_v1.yml .circleci/ci_cargo.yml .circleci/cargo.yml .circleci/ci_deploy.yml .circleci/dev_stage.yml .circleci/ci-web3-gamefi.yml .circleci/web3_defi_gamefi.yml
Add generic GitHub issue templates and a few misc repo files.	Introduce GitHub issue templates for bug reports, feature requests, and a custom template placeholder. Add sleep.json, .codesandbox/tasks.json, .gitmodules, and ensure CI jobs cover no-default-features in main workflow matrix. Minor tweaks like adding IS_TTY and workflow matrix entry for no-default-features.	.github/ISSUE_TEMPLATE/bug_report.md .github/ISSUE_TEMPLATE/feature_request.md .github/ISSUE_TEMPLATE/custom.md .github/workflows/ci.yml .codesandbox/tasks.json .gitmodules sleep.json crates/test-utils/src/util.rs

Possibly linked issues

• Foundry/ethereum ux (#284) #289 #290 #291: The PR delivers the AST-based keccak256 gas lint infrastructure, path hardening, CI workflows, and counter sample requested.
• Wagmi (e604566) #413: The PR is the concrete implementation of the AST-based keccak256 linting and associated refactors described in the issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

Originally posted by @sourcery-ai[bot] in #523 (comment)