Skip to content

feat: implement approval gate for wallet commands and add SSE transpo…#16

Open
andrew-virtuals wants to merge 4 commits into
mainfrom
feat/policy-guardrail
Open

feat: implement approval gate for wallet commands and add SSE transpo…#16
andrew-virtuals wants to merge 4 commits into
mainfrom
feat/policy-guardrail

Conversation

@andrew-virtuals
Copy link
Copy Markdown
Contributor

@andrew-virtuals andrew-virtuals commented May 12, 2026
edited by cursor Bot
Loading

…rt creation

Note

Medium Risk
Touches wallet signing and transaction-broadcast flows by adding an SSE-based approval gate, which could impact interactive authorization and resource cleanup if the transport isn’t connected/disconnected correctly.

Overview
Introduces withApprovalGate to run wallet provider operations with an SSE STREAMS.WALLET transport connected for approval, and ensures the transport is disconnected afterward.

Updates wallet CLI commands (sign-message, sign-typed-data, send-transaction, and card top-up challenge signing) to execute via this gate, moving the supported-chain validation for send-transaction inside the gated section.

Adds createSseTransport in agentFactory to centralize SSE transport setup (context wiring + connect) for a given provider and set of streams.

Reviewed by Cursor Bugbot for commit 253cfc0. Bugbot is set up for automated code reviews on this repo. Configure here.

cursor[bot]
cursor Bot reviewed May 12, 2026
View reviewed changes
Comment thread src/lib/walletGate.ts Outdated
cursor[bot]
cursor Bot reviewed May 12, 2026
View reviewed changes
Comment thread src/commands/wallet.ts
cursor[bot]
cursor Bot reviewed May 13, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 14d8f65. Configure here.

Comment thread src/commands/wallet.ts
if (!json && isTTY()) {
process.stdout.write(" Signing wallet verification...");
}
signature = await provider.signMessage(
Copy link
Copy Markdown

@cursor cursor Bot May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Topup command creates redundant expensive provider adapter

Low Severity

In the topup command, createProviderAdapter() is called at line 285 for chain validation, and then withApprovalGate at line 369 internally calls createProviderAdapter() a second time (plus creates an SSE transport). Before this PR, the single provider was reused for both validation and signing. Each createProviderFromConfig call potentially involves API calls (wallet ID lookup, builder code fetch) and creates a full PrivyAlchemyEvmProviderAdapter, making this a meaningful duplication of expensive work in the card+challenge flow.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 14d8f65. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@Zuhwa Zuhwa Zuhwa approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@andrew-virtuals @Zuhwa