Revise README structure and add sponsorship details (#146)

[Dargon789]

9c420a7

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
sequence.js	Ready	Preview, Comment	Dec 26, 2025 9:53pm
wagmi-project	Ready	Preview, Comment	Dec 26, 2025 9:53pm

[Dargon789]

General fix: replace the use of Math.random() in the UID generator with a cryptographically secure source of randomness (crypto.randomBytes in Node / crypto.getRandomValues in the browser), and keep the same external API and approximate UID format/length to avoid breaking callers.

Best specific fix for this codebase:

• Only wagmi-project/packages/core/src/utils/uid.ts needs changes; createEmitter.ts and createConfig.ts simply consume the UID.
• Implement a small abstraction that uses:
  • window.crypto.getRandomValues when available (browser).
  • require('crypto').randomBytes or globalThis.crypto.getRandomValues when available in non-browser environments (e.g. Node 19+).
  • As a last resort, fall back to Math.random() with a clear comment (for environments without crypto), but this fallback should be used only when no CSPRNG is present.
• Preserve the public API: export function uid(length = 11): string and the semantics that it returns a hex-like string of requested length.
• The previous implementation built a large hex buffer once (size * 2 characters) and then consumed substrings from it. We can keep the same buffering approach for performance, but fill the buffer using secure random bytes rather than Math.random().

Concretely in utils/uid.ts:

1. Add a helper getRandomBytes(byteLength: number): Uint8Array that:
   • Uses globalThis.crypto.getRandomValues if available.
   • Else, tries Node’s require('crypto').randomBytes (without adding a top-level import to avoid bundler issues; require is typically shimmed or tree-shaken).
   • Else, falls back to Math.random() to generate bytes (with a comment noting that this path is non-cryptographic).
2. Change the buffer fill loop to:
   • Allocate a Uint8Array of length size.
   • Call getRandomBytes(randomBytes.length).
   • Convert each byte to a 2-character hex string and append to buffer.
3. Keep the rest of the logic (index, buffer.substring(index, index++ + length)) unchanged so external behavior is stable aside from improved randomness quality.

No changes are required to createEmitter.ts or createConfig.ts, since they already accept and pass through a string UID.

---

[Dargon789]

In general, hostnames in regular expressions should escape all literal dots (. → \.) so they cannot match arbitrary characters. When you intend to match exactly prover.certora.com, you should use prover\.certora\.com.

In this file, the best fix is to update the regex literal on line 118 so all dots in the hostname are escaped. Currently it is /https:\/\/prover.certora.com\/output\/\S*/; we should change it to /https:\/\/prover\.certora\.com\/output\/\S*/. This keeps the behavior (matching URLs that start with https://prover.certora.com/output/ and then non‑whitespace) but ensures it cannot match different hosts. No new imports or helpers are needed; it’s just a one‑character change in the pattern.

Concretely, edit wagmi-project/packages/sequence-core-1.0.0/lib/signals-implicit-mode/lib/sequence-v3/lib/openzeppelin-contracts/certora/run.js at the writeEntry call in runCertora, replacing the regex in the .match(...) call as described.

[Dargon789]

To fix this, generateId() should stop using Math.random() and instead use a cryptographically secure source of randomness. In a browser, that is window.crypto.getRandomValues. We can generate a sequence of random bytes, encode them (for example as base36/hex), and keep the same “timestamp-randomPart” shape so existing behavior and usage patterns remain unchanged.

Concretely, in wagmi-project/packages/sequence-core-1.0.0/packages/wallet/dapp-client/src/DappTransport.ts, update the generateId() method at lines 515–517 to:

• Keep using Date.now().toString(36) as the prefix.
• Replace Math.random().toString(36).substring(2, 9) with a helper that creates a random base‑36 string from bytes generated via crypto.getRandomValues(new Uint8Array(n)).
  No extra imports are needed because window.crypto / self.crypto are standard in browsers; we can just call window.crypto directly.

[Dargon789]

In general, the fix is to avoid returning exception details derived from a caught error back to the remote client. Instead, log the error server-side (for diagnostics) and respond with a generic, standard JSON-RPC error object that does not include stack traces or detailed internal messages in the data field.

Concretely, in server.ts, within the try/catch around JSON.parse(body), we should keep the server-side logging (console.log(...)) but change the call to errorResponse so that it does not include String(error) as the data argument. For a JSON-RPC parse error (-32700), it is sufficient to send just the error code and a generic "Parse error" message. This means updating line 329 from JSON.stringify(errorResponse(undefined, -32700, 'Parse error', String(error))) to JSON.stringify(errorResponse(undefined, -32700, 'Parse error')). No new imports are needed, and no other behavior changes are required; the HTTP status code and logging remain the same, but the client no longer sees the exact exception details.

[sourcery-ai]

Sorry, we are unable to review this pull request

The GitHub API does not allow us to fetch diffs exceeding 300 files, and this pull request has 3668

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[gemini-code-assist]

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request marks a substantial update to the project, primarily by revamping the documentation and integrating a new 'wagmi-project' structure. It includes a wide array of dependency upgrades across various packages, enhancing stability and leveraging modern development practices. Additionally, the PR refines CLI functionalities, improves GitHub workflows, and addresses several minor bugs and security-related aspects, such as improving nonce generation and handling API errors more gracefully.

Highlights

• README Overhaul: The project's main README.md file has been completely restructured and updated to reflect a new focus on 'wagmi' (Reactive primitives for Ethereum apps), including new badges, documentation links, community resources, contributing guidelines, and a comprehensive list of sponsors.
• Dependency Updates: Numerous dependencies across core, utility, and UI packages have been updated to their latest versions, including next, react, react-dom, eslint, typescript, @changesets/cli, lefthook, prettier, and turbo. This ensures the project benefits from the latest features, bug fixes, and security patches.
• CLI and Workflow Enhancements: New GitHub workflows for changesets, dependency review, issue labeling, and pull requests have been introduced, alongside updated CircleCI configurations and new GitHub issue templates. The CLI now includes improved configuration validation and plugin handling, with specific fixes for signer 404 errors and enhanced nonce generation randomness.
• New Wagmi Project Integration: A new 'wagmi-project' directory has been added, containing extensive new files for CLI, connectors, and core functionalities, suggesting a significant expansion or rebranding of the project to align with the 'wagmi' ecosystem for Ethereum application development.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/Publish-Dists.yml
  • .github/workflows/tests.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a variety of changes, including significant security improvements, dependency updates, and a major refactoring of the README file. The PR title, "Revise README structure and add sponsorship details," is somewhat misleading as it doesn't cover the full scope of the changes, which also include important bug fixes and feature enhancements.

Key improvements include a critical security fix by replacing a predictable nonce generation with a cryptographically secure one, and another security enhancement to prevent leaking internal error details in API responses. There are also optimizations for handling signers that don't require witness probing.

However, there are two major issues with this pull request. First, the README.md file has been completely replaced with content from the wagmi project, which is irrelevant to sequence.js. This needs to be corrected. Second, an entire wagmi-project directory has been added, which seems to be a mistake and should be removed from this PR.

I have provided specific feedback on the security fixes and the README.md file. Please address the issues with the README and the extraneous wagmi-project directory.

[gemini-code-assist]

The content of this README appears to be for the wagmi project, not sequence.js. All branding, links, and information are related to wagmi. This seems to be a copy-paste error and needs to be corrected to reflect the sequence.js project. For example, links point to wagmi.sh, github.com/wevm/wagmi, and the sponsors listed are for wagmi.

[gemini-code-assist]

This is an excellent and critical security improvement. Using Date.now() for a nonce is insecure because it's predictable and not guaranteed to be unique, especially in high-throughput scenarios. Switching to Hex.random(16) generates a cryptographically secure random nonce, which is the correct approach to prevent replay attacks and other potential vulnerabilities.

[gemini-code-assist]

This is a great security enhancement. By removing String(error) from the JSON-RPC error response, you are preventing the leakage of potentially sensitive internal error details, such as stack traces or file paths, to the client. This is a best practice for building secure APIs.

[gemini-code-assist]

Using any for the type of m bypasses TypeScript's type safety. It would be more robust to use a proper type or a type guard to ensure that m has the sapientLeaf property before accessing it. This would make the test code safer and clearer.

Suggested change

	const sessionsModule = config.raw.modules.find((m: any) =>
	Address.isEqual(m.sapientLeaf.address, sessionsModuleAddress),
	)
	const sessionsModule = config.raw.modules.find((m: any) =>
	m.sapientLeaf && Address.isEqual(m.sapientLeaf.address, sessionsModuleAddress),
	)

[gemini-code-assist]

Similar to the previous comment, using any here weakens type safety. Consider using a type guard or a more specific type to ensure m.sapientLeaf exists and is of the correct type before it's accessed.

Suggested change

	const sessionsModule = config.raw.modules.find((m: any) =>
	Address.isEqual(m.sapientLeaf.address, sessionsModuleAddress),
	)
	const sessionsModule = config.raw.modules.find((m: any) =>
	m.sapientLeaf && Address.isEqual(m.sapientLeaf.address, sessionsModuleAddress),
	)