refactor: earn flow + remove xstate/store#551
Conversation
|
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
Key validators by address and subnet so selection keeps distinct validator options. Scope balance and init token options to the selected dashboard category.
| {t("dashboard.borrow.success_page.view_transaction")} | ||
| </Text> | ||
| </Box> | ||
| ) : null |
There was a problem hiding this comment.
🔒 Agentic Security Review
Severity: MEDIUM
submission.link is opened via window.open(..., "_blank") without noopener,noreferrer. If this URL is attacker-influenced (e.g., via upstream API data), the opened page can access window.opener and navigate the original tab (reverse-tabnabbing).
Impact: A user can be redirected from the trusted widget host tab to a phishing or malicious page after clicking a transaction link.
Reviewed by Cursor Security Reviewer for commit 6cf3187. Configure here.
6cf3187 to
5dac944
Compare
There was a problem hiding this comment.
Stale comment
Risk: high. Not approving: this large earn/borrow refactor exceeds the low-risk approval threshold, Cursor Security Agent left an unresolved medium-severity finding, and required checks did not finish on the latest commit (Bugbot cancelled; Security Agent still running). Assigned jdomingos and dnehl for human review.
Sent by Cursor Approval Agent: Pull Request Router and Approver
There was a problem hiding this comment.
Stale comment
Risk: high. Not approving: this large earn/borrow refactor exceeds the low-risk approval threshold, and Cursor Security Agent has an unresolved medium-severity tabnabbing finding on
complete.tsx. jdomingos and dnehl are already assigned for human review.Sent by Cursor Approval Agent: Pull Request Router and Approver
Split earn intent and view atoms so route and wallet state changes update the resolved view. Keep dispatch separate from view reads and add wallet resolution handling. Cover dashboard tab selection and patch Effect parent tracking.
Use the native TypeScript 7 compiler across the widget and examples. Keep TypeScript 6 API compatibility for Next.js tooling.
Replace legacy context, query, and state-machine integrations with Effect services and atom-backed wallet, API, and workflow state. Split Vitest projects and add AST rules to validate the new architecture.
There was a problem hiding this comment.
Risk: high. Not approving: this large earn/borrow refactor exceeds the low-risk approval threshold, and Cursor Security Agent has an unresolved medium-severity tabnabbing finding on complete.tsx. jdomingos and dnehl are already assigned for human review.
Sent by Cursor Approval Agent: Pull Request Router and Approver




Note
High Risk
Large new DeFi borrow path with wallet signing, transaction submission, and LTV validation touches money-moving flows; earn routing/state refactor could regress staking if mis-wired.
Overview
Adds a feature-flagged borrow experience in the dashboard (form → review → steps → complete, plus borrow position management), backed by a new
borrowmodule: Effect Schema domain models, OpenAPI-generatedBorrowApiclient, and@effect/atom-reactatoms for markets/positions, form state, action execution (sign/submit/confirm), and post-tx cache refresh.Earn flow cleanup: drops
EarnPageStateUsageBoundaryProvider/@xstate/store, removescommon/get-token-balances.tsandgetInitialTokenfrom stake types, and tightens validator handling via a compositeValidator.key(address + optional subnet) used in select-validator and position balance keys.Tooling/config: OpenAPI generator gains
BorrowApi(fullhttpclient+ spec prep), optional CLI spec selection,VITE_BORROW_API_URL/VITE_FORCE_BORROW, and rootpnpm.patchedDependenciesremoved; adds skeleton line/circle loaders for borrow UI loading states.Reviewed by Cursor Bugbot for commit 6cf3187. Configure here.