feat: implement approval gate for wallet commands and add SSE transpo…#16
feat: implement approval gate for wallet commands and add SSE transpo…#16andrew-virtuals wants to merge 3 commits into
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| } | ||
|
|
||
| const transactionHash = await provider.sendTransaction(chainId, { | ||
| to: opts.to, |
There was a problem hiding this comment.
Redundant getSupportedChainIds call in send-transaction path
Low Severity
In the send-transaction command, provider.getSupportedChainIds() is called twice on the same provider instance within a single withApprovalGate invocation — once inside createSseTransport (to populate providerSupportedChainIds in the transport context) and again in the callback at line 142 for chain validation. Since both calls happen on the same provider, the second call is redundant work (likely an additional network round-trip). The withApprovalGate API could expose the already-fetched chain IDs to avoid this duplication.
Reviewed by Cursor Bugbot for commit 23a4560. Configure here.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 14d8f65. Configure here.
| if (!json && isTTY()) { | ||
| process.stdout.write(" Signing wallet verification..."); | ||
| } | ||
| signature = await provider.signMessage( |
There was a problem hiding this comment.
Topup command creates redundant expensive provider adapter
Low Severity
In the topup command, createProviderAdapter() is called at line 285 for chain validation, and then withApprovalGate at line 369 internally calls createProviderAdapter() a second time (plus creates an SSE transport). Before this PR, the single provider was reused for both validation and signing. Each createProviderFromConfig call potentially involves API calls (wallet ID lookup, builder code fetch) and creates a full PrivyAlchemyEvmProviderAdapter, making this a meaningful duplication of expensive work in the card+challenge flow.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 14d8f65. Configure here.
2 participants
…rt creation
Note
Medium Risk
Introduces a new approval gate that opens an SSE
WALLETstream around message/typed-data signing and transaction sends; mistakes here could block or alter wallet flows. Changes touch transaction broadcasting and signature generation paths, but are scoped to CLI wallet commands.Overview
Adds a reusable
withApprovalGatehelper that creates a provider, connects an SSE transport on theWALLETstream, runs a wallet operation, then disconnects.Updates wallet CLI operations that require approvals—
sign-message,sign-typed-data,send-transaction, and the Crossmint card top-up verification signature—to execute inside this gate, moving the chain-support validation forsend-transactioninto the gated block.Extends
agentFactorywithcreateSseTransportto configure and connectSseTransport(context + supported chain IDs) for the requested streams.Reviewed by Cursor Bugbot for commit 14d8f65. Bugbot is set up for automated code reviews on this repo. Configure here.