Main

[Dargon789]

Motivation

Solution

PR Checklist

• Added Tests
• Added Documentation
• Breaking changes

Summary by Sourcery

Harden CI workflows, extend Tempo wallet support, and adjust test aggregation and dependency configuration.

New Features:

• Add Tempo wallet keychain support with lookup and access-key signing utilities.

Bug Fixes:

• Prevent npm workflow artifacts from being consumed outside trusted workflow_run contexts and validate downloaded artifacts.
• Fix nightly performance comparison script division by zero when previous timings are zero.
• Ensure batch RPC requests with empty payloads return a structured invalid_request error response.
• Correct test suite duration aggregation to sum durations across merged suites.
• Fix script simulation native token symbol resolution using up-to-date chain metadata.

Enhancements:

• Allow additional project Git dependencies and update deny list entries.
• Add From<Vec> conversion for natspec comment collections.
• Augment bug report issue template with additional browser and version fields.

CI:

• Introduce multiple CircleCI configurations for Rust build-and-test workflows and web3-related jobs.
• Add cargo-based CircleCI pipelines with caching and formatting/test checks.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
next	Ready	Preview, Comment	May 7, 2026 3:29am

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[sourcery-ai]

Reviewer's Guide

Adds stricter artifact consumption constraints in the npm workflow, adjusts dependency allowlist, introduces Tempo wallet integration helpers, fixes several runtime/logic bugs, and adds multiple CircleCI configs (though they appear noisy/duplicative) plus assorted minor doc/script tweaks.

Sequence diagram for signing a Tempo transaction with an access key

sequenceDiagram
    participant Caller
    participant TempoModule as TempoWalletIntegration
    participant TempoTxReq as TempoTransactionRequest
    participant TempoTx as TempoTransaction
    participant KeychainSig as KeychainSignature
    participant Signer

    Caller->>TempoModule: sign_with_access_key(tx_request, signer, wallet_address)
    activate TempoModule

    TempoModule->>TempoTxReq: new TempoTransactionRequest from tx_request
    activate TempoTxReq
    TempoTxReq-->>TempoModule: TempoTransactionRequest
    deactivate TempoTxReq

    TempoModule->>TempoTxReq: build_aa()
    TempoTxReq-->>TempoModule: TempoTransaction

    TempoModule->>TempoTx: signature_hash()
    TempoTx-->>TempoModule: sig_hash

    TempoModule->>KeychainSig: signing_hash(sig_hash, wallet_address)
    KeychainSig-->>TempoModule: signing_hash

    TempoModule->>Signer: sign_hash(signing_hash)
    activate Signer
    Signer-->>TempoModule: raw_sig
    deactivate Signer

    TempoModule->>KeychainSig: new(wallet_address, PrimitiveSignature::Secp256k1(raw_sig))
    KeychainSig-->>TempoModule: keychain_sig

    TempoModule->>TempoTx: into_signed(TempoSignature::Keychain(keychain_sig))
    TempoTx-->>TempoModule: aa_signed

    TempoModule->>TempoModule: encode_2718(aa_signed)
    TempoModule-->>Caller: signed_bytes Vec~u8~
    deactivate TempoModule

Loading

Sequence diagram for secured artifact consumption in npm workflow

sequenceDiagram
    participant GHA as GitHubActions
    participant NpmJob as npm Workflow Job
    participant ArtifactStore as GitHubArtifacts

    GHA->>NpmJob: Trigger job (event)

    NpmJob->>NpmJob: Check event_name != workflow_run
    alt Not workflow_run
        NpmJob-->>GHA: Fail job (Refusing to consume artifacts outside workflow_run context)
    else workflow_run
        NpmJob->>ArtifactStore: download-artifact(run_id = github.event.workflow_run.id)
        ArtifactStore-->>NpmJob: artifacts in ARTIFACT_DIR

        NpmJob->>NpmJob: Validate ARTIFACT_DIR exists
        NpmJob->>NpmJob: Validate ARTIFACT_DIR not empty
        NpmJob->>NpmJob: Scan files for suspicious paths
        alt Suspicious path or invalid dir
            NpmJob-->>GHA: Fail job (artifact validation error)
        else All checks pass
            NpmJob-->>GHA: Proceed to next steps (e.g. Setup Bun, npm publish)
        end
    end

Loading

Class diagram for new Tempo wallet integration helpers

classDiagram
    class WalletType {
        <<enum>>
        +Local
        +Passkey
    }

    class KeyType {
        <<enum>>
        +Secp256k1
        +P256
        +WebAuthn
    }

    class StoredTokenLimit {
        +Address currency
        +String limit
    }

    class KeyEntry {
        +WalletType wallet_type
        +Address wallet_address
        +u64 chain_id
        +KeyType key_type
        +Address key_address
        +String key
        +String key_authorization
        +u64 expiry
        +Vec~StoredTokenLimit~ limits
    }

    class KeysFile {
        +Vec~KeyEntry~ keys
    }

    class TempoAccessKeyConfig {
        +Address wallet_address
        +Address key_address
        +SignedKeyAuthorization key_authorization
    }

    class TempoLookup {
        <<enum-like>>
        +Direct(WalletSigner)
        +Keychain(WalletSigner, TempoAccessKeyConfig)
        +NotFound()
    }

    class TempoWalletIntegration {
        +Option~PathBuf~ keys_path()
        +Result~SignedKeyAuthorization~ decode_key_authorization(hex_str)
        +Result~TempoLookup~ lookup_signer(from)
        +Result~Vec~u8~~ sign_with_access_key(tx_request, signer, wallet_address)
    }

    KeysFile "1" --> "*" KeyEntry : contains
    KeyEntry "1" --> "*" StoredTokenLimit : has
    KeyEntry --> WalletType : uses
    KeyEntry --> KeyType : uses
    TempoLookup --> WalletSigner : wraps
    TempoLookup --> TempoAccessKeyConfig : wraps
    TempoAccessKeyConfig --> SignedKeyAuthorization : uses
    TempoWalletIntegration --> KeysFile : parses
    TempoWalletIntegration --> TempoLookup : returns
    TempoWalletIntegration --> TempoAccessKeyConfig : constructs

Loading

File-Level Changes

Change	Details	Files
Harden GitHub Actions npm workflow artifact consumption and validation.	Add guard step to fail when workflow is not triggered via workflow_run before downloading artifacts Force download-artifact to always use workflow_run.id instead of a user-supplied run_id Introduce shell validation of downloaded artifacts, checking directory existence, non-emptiness, and rejecting suspicious paths with absolute or '..' segments	.github/workflows/npm.yml
Update cargo-deny git source allowlist to reflect new official repos and drop temporary ones.	Add new foundry-related repositories to allow-git Replace old optimism and reth-core URLs with updated official or fork URLs Remove temporary upstream OP crates entry	deny.toml
Improve Rust APIs and bug fixes across doc parsing, anvil RPC handling, scripting, benchmarking, and test aggregation.	Implement From<Vec> for Comments to simplify construction Change empty batch RPC handling to return a batch response containing an invalid_request error instead of a single error Switch native currency symbol resolution to use alloy_chains::Chain::from_id in script simulation Avoid division-by-zero in compare-nightly.sh when previous timing is zero Merge test suite durations by summing rather than taking max in forge test outcomes Add alloy-hardforks as a forge dependency	crates/doc/src/parser/comment.rs crates/anvil/server/src/handler.rs crates/script/src/simulate.rs .github/scripts/compare-nightly.sh crates/forge/src/cmd/test/mod.rs crates/forge/Cargo.toml
Introduce Tempo wallet integration utilities for Tempo key store and keychain signing.	Add types to deserialize Tempo keys.toml structure and per-token limits Add TempoAccessKeyConfig and TempoLookup abstractions to distinguish direct vs keychain signers Implement lookup_signer to locate and construct appropriate WalletSigner and tempo config Add async helper to sign Tempo AA transactions with a keychain access key and produce EIP-2718-encoded bytes	crates/wallets/src/tempo.rs
Add multiple CircleCI configuration files for Rust build-and-test and example executors.	Introduce several CircleCI configs (ci.yml, ci_v1.yml, cargo.yml, ci_cargo.yml) that run cargo fmt and cargo test with caching using cimg/rust images Add dev_stage, ci-web3-gamefi, and web3_defi_gamefi configs with custom executors and placeholder jobs, some of which appear malformed or redundant	.circleci/dev_stage.yml .circleci/ci_cargo.yml .circleci/cargo.yml .circleci/ci.yml .circleci/ci_v1.yml .circleci/ci-web3-gamefi.yml .circleci/web3_defi_gamefi.yml
Minor documentation and placeholder file changes.	Update bug report issue template to include additional browser and version fields (currently duplicated entries) Add sleep.json placeholder file Remove or modify counter/.gas-snapshot content (exact diff not shown)	.github/ISSUE_TEMPLATE/bug_report.md sleep.json counter/.gas-snapshot

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gemini-code-assist]

Code Review

This pull request introduces several CircleCI configuration files, a new Tempo wallet integration module, and updates to gas snapshots and issue templates. However, several critical issues were identified: a syntax error in simulate.rs caused by a duplicate variable declaration, a JSON-RPC specification violation in handler.rs concerning empty batch responses, and invalid YAML nesting in dev_stage.yml. Additionally, there are redundant steps in several CI configurations, duplicate fields in the bug report template, and inconsistent Rust versions across the pipeline. Feedback also suggests improving the wallet lookup logic by incorporating chain ID filtering.

[sourcery-ai]

Hey - I've found 3 issues, and left some high level feedback:

• In crates/script/src/simulate.rs the token_symbol assignment was changed in a way that leaves two let token_symbol = lines back-to-back and switches to alloy_chains::Chain::from_id without an obvious import; this likely won’t compile and should be simplified to a single binding with the appropriate import.
• The new .circleci configs (dev_stage.yml, ci_cargo.yml, cargo.yml, ci.yml, ci_v1.yml, ci-web3-gamefi.yml, web3_defi_gamefi.yml) contain a lot of duplication, potentially invalid YAML (e.g. repeated jobs/workflows keys in dev_stage.yml), and placeholder jobs; it would be good to consolidate these into a minimal, valid CI setup before merging.
• The change to .github/ISSUE_TEMPLATE/bug_report.md now duplicates the Browser and Version fields (they appear twice); consider removing the original pair so the template doesn’t ask for the same information twice.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `crates/script/src/simulate.rs` the `token_symbol` assignment was changed in a way that leaves two `let token_symbol =` lines back-to-back and switches to `alloy_chains::Chain::from_id` without an obvious import; this likely won’t compile and should be simplified to a single binding with the appropriate import.
- The new `.circleci` configs (`dev_stage.yml`, `ci_cargo.yml`, `cargo.yml`, `ci.yml`, `ci_v1.yml`, `ci-web3-gamefi.yml`, `web3_defi_gamefi.yml`) contain a lot of duplication, potentially invalid YAML (e.g. repeated `jobs`/`workflows` keys in `dev_stage.yml`), and placeholder jobs; it would be good to consolidate these into a minimal, valid CI setup before merging.
- The change to `.github/ISSUE_TEMPLATE/bug_report.md` now duplicates the Browser and Version fields (they appear twice); consider removing the original pair so the template doesn’t ask for the same information twice.

## Individual Comments

### Comment 1
<location path=".circleci/ci_cargo.yml" line_range="13-18" />
<code_context>
+          keys:
+            - v1-cargo-{{ checksum "Cargo.lock" }}
+            - v1-cargo-
+      - run:
+          name: "Check formatting"
+          command: cargo fmt -- --check
+      - run:
+          name: "Run tests"
+          command: cargo test
+      - save_cache:
+          key: v1-cargo-{{ checksum "Cargo.lock" }}
</code_context>
<issue_to_address>
**suggestion (performance):** `cargo fmt` and `cargo test` are executed twice in the same job, which is redundant.

`cargo fmt -- --check` and `cargo test` are run both before and after caching, which just duplicates work and increases CI time. Unless there’s a strong reason to run them twice, consider removing the second set of steps or saving the cache earlier.
</issue_to_address>

### Comment 2
<location path=".github/scripts/compare-nightly.sh" line_range="42" />
<code_context>
         print(f"| `{key}` | N/A | {t:.5f}s | — | 🆕 New |")
         continue
-    delta = (t - p) / p * 100
+    delta = (t - p) / p * 100 if p > 0 else 0
     if delta >= fail:
         status = "🔴 Regression"
</code_context>
<issue_to_address>
**question (bug_risk):** Treating zero previous value as `delta = 0` may hide regressions when baseline is zero.

Avoid masking this case by forcing `delta` to 0 when `p == 0`, since any non-zero timing will then appear unchanged. Instead, consider explicitly handling a zero baseline (e.g., treat as infinite/undefined delta or flag it) so regressions from ~0 to large values are visible.
</issue_to_address>

### Comment 3
<location path=".github/ISSUE_TEMPLATE/bug_report.md" line_range="30" />
<code_context>
  - OS: [e.g. iOS]
+ - Browser [e.g. Chrome, Safari]
+ - Version [e.g. 22]
  - Browser [e.g. Chrome, safari]
  - Version [e.g. 22]

</code_context>
<issue_to_address>
**suggestion (typo):** Capitalize "Safari" consistently in the browser example.

This keeps product names consistent and prevents it from looking like a typo.

```suggestion
 - Browser [e.g. Chrome, Safari]
```
</issue_to_address>

Fix all in Cursor

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}