V1.0

[Dargon789]

Summary by Sourcery

Introduce a new wagmi-based demo dapp project and tighten security, tooling, and CI across the repository.

New Features:

• Add a new Vite-based wagmi-project React dapp configured with wagmi, WalletConnect, and basic styling and documentation.

Bug Fixes:

• Avoid leaking internal JSON parse error details from the primitives CLI HTTP server responses.

Enhancements:

• Improve ID and nonce generation in wallet and identity services by using cryptographically secure randomness.
• Restrict permissions for the pnpm-format-label GitHub workflow to the minimal required scope.

Build:

• Add an explicit pnpm install --no-frozen-lockfile step to the tests GitHub workflow.
• Introduce Azure Pipelines and CircleCI configurations for Node.js build and basic checkout steps.

CI:

• Add a Fortify Application Security Testing GitHub workflow to run SAST scans on pushes, pull requests, and a schedule.

Deployment:

• Add a CNAME file for custom domain configuration.

Documentation:

• Add SECURITY policy documentation detailing supported versions and vulnerability reporting process.
• Add GitHub issue templates for bug reports, feature requests, and custom issues to standardize user feedback.

Chores:

• Check in additional project metadata and cache artifacts such as CodeSandbox tasks, funding configuration, and precompiled V8 cache files.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[sourcery-ai]

Reviewer's Guide

Enhances security and infrastructure by improving randomness and nonce generation, hardening error responses, updating CI workflows (GitHub Actions, CircleCI, Azure Pipelines, Fortify), adding issue templates and security policy, and introducing a new wagmi-based demo dapp project.

File-Level Changes

Change	Details	Files
Improve randomness and nonce generation for identifiers and signing operations.	Replace Math.random-based ID segment with crypto.getRandomValues for cryptographically secure randomness in ID generation. Change nonce generation from timestamp-based Hex.fromNumber(Date.now()) to Hex.random(16) for better entropy and unpredictability.	packages/wallet/dapp-client/src/DappTransport.ts packages/services/identity-instrument/src/index.ts
Harden HTTP JSON-RPC error handling to avoid leaking server internals.	Update JSON parse error response to return a generic 'Parse error' without serializing the caught error object.	packages/wallet/primitives-cli/src/subcommands/server.ts
Adjust and extend CI/CD workflows, including dependency installation and security scanning.	Add pnpm install step to tests workflow to ensure dependencies are installed before running. Configure permissions for the pnpm-format-label GitHub Action workflow. Add a Fortify AST Scan GitHub Actions workflow for SAST integration. Introduce a minimal CircleCI config and an Azure Pipelines YAML for Node.js build integration.	.github/workflows/tests.yml .github/workflows/on_pr_pnpm-format-label.yml .github/workflows/fortify.yml .circleci/config.yml azure-pipelines.yml
Add repository process documentation and templates for security and issue tracking.	Add standardized bug report, feature request, and custom issue templates. Introduce a SECURITY.md document describing supported versions and vulnerability reporting process. Add funding and CNAME placeholder files and other metadata scaffolding.	.github/ISSUE_TEMPLATE/bug_report.md .github/ISSUE_TEMPLATE/feature_request.md .github/ISSUE_TEMPLATE/custom.md SECURITY.md FUNDING.json CNAME
Add a new wagmi-based Vite React demo dapp project and associated tooling config.	Create a new wagmi-project Vite React app wired with wagmi, viem, React Query, and WalletConnect/Coinbase connectors. Implement a comprehensive App.tsx demo for Sequence wallet: environment selection, connection flows, signing, transactions, token queries, and prohibited action tests. Add TypeScript, Vite, Biome, and wagmi configuration, entry point, HTML shell, and basic theming CSS. Add project-specific config and ignore files for the wagmi project.	wagmi-project/package.json wagmi-project/src/App.tsx wagmi-project/src/main.tsx wagmi-project/src/wagmi.ts wagmi-project/src/index.css wagmi-project/src/vite-env.d.ts wagmi-project/vite.config.ts wagmi-project/tsconfig.json wagmi-project/tsconfig.node.json wagmi-project/index.html wagmi-project/README.md wagmi-project/.gitignore wagmi-project/.npmrc wagmi-project/biome.json
Introduce additional tooling/cache artifacts.	Add codesandbox tasks configuration and v8 compile cache map artifacts for build tooling.	.codesandbox/tasks.json v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSsequence.jszSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSworkspacezSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP

Possibly linked issues

• Feature/integration #17: The PR delivers the wagmi React project, SECURITY policy, Azure/CircleCI configs, and related scaffolding requested in the issue.
• Fix merge branch 0xsequence/master #86: The PR delivers the wagmi demo app, Fortify SAST workflow, CI configs, and GitHub templates described in issue Fix merge branch 0xsequence/master #86.
• 0xsequence/master #79: The PR implements the requested CI/CD infrastructure: Fortify workflow, CircleCI config, GitHub issue templates, and React Query bump.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
sequence-js-docs	Canceled		Jun 15, 2026 9:03am
sequence-js-web	Canceled		Jun 15, 2026 9:03am
sequence.js	Canceled		Jun 15, 2026 9:03am
wagmi-project	Canceled		Jun 15, 2026 9:03am

[sourcery-ai]

Hey - I've found 5 issues, and left some high level feedback:

• The new generateId implementation in DappTransport assumes a browser environment (window.crypto), which will break in non-browser contexts (e.g. Node, React Native); consider using globalThis.crypto with a feature check and a safe fallback to keep this transport reusable.
• In the new wagmi-project App component, sanitizeEmail is typed to accept a string but is called with email which can be null, and the onChange handler uses SetStateAction<string> even though the state is string | null; tightening these types or adding null guards will avoid runtime issues and TypeScript errors.
• The Azure DevOps pipeline is pinned to Node.js 10.x, which is long out of support and inconsistent with the rest of the tooling (e.g. Vite/TypeScript), so it would be safer to upgrade this to a maintained Node version that matches the project’s current runtime expectations.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new generateId implementation in DappTransport assumes a browser environment (`window.crypto`), which will break in non-browser contexts (e.g. Node, React Native); consider using `globalThis.crypto` with a feature check and a safe fallback to keep this transport reusable.
- In the new wagmi-project App component, `sanitizeEmail` is typed to accept a `string` but is called with `email` which can be `null`, and the `onChange` handler uses `SetStateAction<string>` even though the state is `string | null`; tightening these types or adding null guards will avoid runtime issues and TypeScript errors.
- The Azure DevOps pipeline is pinned to Node.js 10.x, which is long out of support and inconsistent with the rest of the tooling (e.g. Vite/TypeScript), so it would be safer to upgrade this to a maintained Node version that matches the project’s current runtime expectations.

## Individual Comments

### Comment 1
<location path="wagmi-project/src/App.tsx" line_range="975-984" />
<code_context>
+    }
+  }, [email, isOpen])
+
+  const sanitizeEmail = (email: string) => {
+    // Trim unnecessary spaces
+    email = email.trim()
+
+    // Check if the email matches the pattern of a typical email
+    const emailRegex = /^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}$/
+    if (emailRegex.test(email)) {
+      return true
+    }
+
+    return false
+  }
+
</code_context>
<issue_to_address>
**issue (bug_risk):** Fix type mismatch when calling `sanitizeEmail` with `email` that can be `null`.

Here `email` is typed as `null | string` in state, but `sanitizeEmail` only accepts `string`. When you call `sanitizeEmail(email)`, `email` may still be `null`, which will fail type-checking. Either widen `sanitizeEmail` to accept `string | null` and guard against `null` inside, or narrow `email` before the call so it’s guaranteed to be non-null.
</issue_to_address>

### Comment 2
<location path="wagmi-project/src/App.tsx" line_range="115-124" />
<code_context>
+    .sort((a, b) => a.chainId - b.chainId)
+  const networks = [...mainnets, ...testnets].filter(network => !network.deprecated && !omitNetworks.includes(network.chainId))
+
+  useEffect(() => {
+    if (email && !isOpen) {
+      console.log(email)
+      connect({
+        app: 'Demo Dapp',
+        authorize: true,
+        settings: {
+          // Specify signInWithEmail with an email address to allow user automatically sign in with the email option.
+          signInWithEmail: email,
+          theme: 'dark',
+          bannerUrl: `${window.location.origin}${skyweaverBannerUrl}`
+        }
+      })
+      setEmail(null)
+    }
+  }, [email, isOpen])
+
+  const sanitizeEmail = (email: string) => {
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Stabilize `connect` or include it in the dependency list to avoid stale closures.

Because `connect` is defined inline in the component, it’s recreated on every render, but it’s not in the effect’s dependency array. This can cause stale captures of `defaultConnectOptions` or other values used by `connect`, and may also violate eslint rules. Consider wrapping `connect` in `useCallback` and adding it to the dependencies, or document the intentional behavior and add a targeted eslint disable.
</issue_to_address>

### Comment 3
<location path="SECURITY.md" line_range="19" />
<code_context>
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them to email [your-security-email@example.com], and they can expect an initial response within 48 hours. We will provide regular updates on the status of the reported vulnerability.
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Replace the placeholder security email with a real contact address.

`[your-security-email@example.com]` is still the template placeholder. Please update this to the real security contact so users know where to report vulnerabilities.

Suggested implementation:

```
Tell them to email [security@project-name.org](mailto:security@project-name.org), and they can expect an initial response within 48 hours. We will provide regular updates on the status of the reported vulnerability.

```

Replace `security@project-name.org` with the actual security contact address for your project (for example, `security@yourcompany.com` or `security@yourproject.org`) to ensure users can reach the correct team.
</issue_to_address>

### Comment 4
<location path=".github/ISSUE_TEMPLATE/bug_report.md" line_range="34" />
<code_context>
+**Smartphone (please complete the following information):**
+ - Device: [e.g. iPhone6]
+ - OS: [e.g. iOS8.1]
+ - Browser [e.g. stock browser, safari]
+ - Version [e.g. 22]
+
</code_context>
<issue_to_address>
**nitpick (typo):** Capitalize Safari in the smartphone browser example.

Also capitalize `Safari` here to match the product name.

Suggested implementation:

```
**Desktop (please complete the following information):**
 - OS: [e.g. iOS]
 - Browser [e.g. Chrome, Safari]
 - Version [e.g. 22]

```

```
**Smartphone (please complete the following information):**
 - Device: [e.g. iPhone6]
 - OS: [e.g. iOS8.1]
 - Browser [e.g. stock browser, Safari]

```
</issue_to_address>

### Comment 5
<location path="wagmi-project/src/App.tsx" line_range="291" />
<code_context>
+    setConsoleLoading(false)
+  }
+
+  const getChainID = async () => {
+    try {
+      resetConsole()
</code_context>
<issue_to_address>
**issue (complexity):** Consider extracting shared helpers for console handling and wallet access so each async handler focuses only on its core logic instead of repeating boilerplate.

You can reduce a lot of incidental complexity here by centralizing the repeated console + wallet patterns, without changing any behavior.

### 1. DRY up the console pattern

Almost every async handler does:

```ts
try {
  resetConsole()
  // ...
  setConsoleLoading(false)
} catch (e) {
  console.error(e)
  consoleErrorMessage()
}
```

Extracting a small helper keeps each handler focused on its core logic and removes the risk of forgetting `setConsoleLoading(false)`:

```ts
// inside App (or extracted to a hook/module)
const withConsole = async (fn: () => Promise<void>) => {
  resetConsole()
  try {
    await fn()
  } catch (e) {
    console.error(e)
    consoleErrorMessage()
  } finally {
    setConsoleLoading(false)
  }
}
```

Then handlers become:

```ts
const getBalance = () =>
  withConsole(async () => {
    const wallet = sequence.getWallet()

    const provider = wallet.getProvider()
    const account = wallet.getAddress()
    const balanceChk1 = await provider!.getBalance(account)
    appendConsoleLine(`balance check 1: ${balanceChk1.toString()}`)

    const signer = wallet.getSigner()
    const balanceChk2 = await signer.getBalance()
    appendConsoleLine(`balance check 2: ${balanceChk2.toString()}`)
  })
```

You can apply this pattern to `getChainID`, `getAccounts`, `getNetworks`, `signMessage*`, `sendETH*`, `contractExample`, etc.

### 2. Centralize wallet access

You repeatedly recompute `const wallet = sequence.getWallet()` and then `wallet.getSigner()` / `wallet.getProvider()` in many places. A small helper makes the intent clearer and keeps the wiring in one place:

```ts
// inside App or a small helper module
const getWalletContext = () => {
  const wallet = sequence.getWallet()
  const provider = wallet.getProvider()
  const signer = wallet.getSigner()
  const address = wallet.getAddress()
  const chainId = wallet.getChainId()
  return { wallet, provider, signer, address, chainId }
}
```

Usage:

```ts
const getAccounts = () =>
  withConsole(async () => {
    const { wallet, provider, address } = getWalletContext()

    appendConsoleLine(`getAddress(): ${address}`)

    const accountList = await provider.listAccounts()
    appendConsoleLine(`accounts: ${JSON.stringify(accountList)}`)
  })
```

For cases where you need a signer for a specific chain:

```ts
const getSignerForChain = (chainId?: number) => {
  const wallet = sequence.getWallet()
  return chainId ? wallet.getSigner(chainId) : wallet.getSigner()
}
```

Then:

```ts
const sendETHSidechain = () =>
  withConsole(async () => {
    const wallet = sequence.getWallet()
    const pick = wallet.getChainId() === ChainId.ARBITRUM ? ChainId.OPTIMISM : ChainId.ARBITRUM
    const signer = getSignerForChain(pick)
    await sendETH(signer)
  })
```

This keeps all the “how do I get wallet/signer/provider” logic in one place and makes individual handlers smaller and easier to scan.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[gemini-code-assist]

Code Review

This pull request introduces a new Wagmi-based React project, configures CI/CD pipelines (CircleCI and Azure), and implements security and randomness improvements across several packages. Key feedback highlights critical runtime issues in the new React application, including a type error from misusing the Sequence provider as a wallet instance and a potential crash in sanitizeEmail due to a missing null check. Additionally, the Azure pipeline should be updated to use a modern Node.js version and pnpm to match the project's package manager, direct window.crypto access should be guarded for SSR compatibility, dependencies in package.json should be pinned instead of using latest, and local V8 compile cache files should be removed from the repository.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.