Wagmi (e604566) #412

Open
Dargon789 wants to merge 20 commits into master from wagmi-(e604566)

@Dargon789 Dargon789 (Owner) commented Apr 13, 2026

Motivation

Solution

PR Checklist

  • Added Tests
  • Added Documentation
  • Breaking changes

Summary by Sourcery

Introduce a new generic linting infrastructure for early AST-based checks, add Cancun beacon block root handling to cast run tracing, and tighten various security, tooling, and documentation aspects across the repo.

New Features:

  • Add a language-agnostic linting framework with early AST traversal and integrate a simplified keccak256 gas lint.
  • Support processing and tracing of Cancun beacon block roots in cast run, including a new CLI test and executor helper.
  • Add a standalone sample Foundry counter project with scripts, tests, and CI workflow.
  • Introduce Docker image build/publish workflows and multiple CircleCI configurations for Rust and web3 workflows.
  • Add Remix-style Solidity assertion and accounts helper libraries under the deps tree for testing compatibility.

Bug Fixes:

  • Prevent path traversal and unsafe filesystem operations in script utilities and benchmark cleanup by validating names and canonicalizing paths.
  • Harden npm publishing and artifact staging scripts against unsafe input and directory traversal, and enforce safe HTTPS registry URLs.
  • Fix floating-point comparison usage in CLI suggestion and contract-matching helpers to avoid panics on NaN.
  • Ensure Vyper compiler settings cloning avoids unnecessary context cloning and potential misuse.
  • Normalize script gas estimate output to always use ETH and improve enum and function documentation rendering and inheritdoc resolution.

Enhancements:

  • Simplify the keccak gas lint to operate on AST calls only and streamline lint description text.
  • Refine doc generation for functions and enums, including cleaner headings, filtered variant comments, and direct dev comments italics.
  • Add conversion utilities for comment collections to support new doc writer flows.
  • Update Node.js type dependencies and Forge crate dependencies to current workspace settings.
  • Tidy flake.nix dev shell configuration and remove unnecessary hardening overrides.

Build:

  • Strengthen npm workflow publishing with additional validation, sanity checks, and logging.
  • Add Docker buildx-based image build workflow with registry authentication and metadata tagging.
  • Introduce Google GKE build-and-deploy workflow template for containerized deployments.

CI:

  • Add CodeQL, Snyk container, and APIsec scanning workflows for advanced security analysis.
  • Add multiple CircleCI configs for Rust cargo builds, tests, and example web3/game workflows, alongside a Foundry deploy workflow.
  • Add CI for the new counter example project using Foundry toolchain, formatting, build, and test steps.

Documentation:

  • Adjust various doc generation behaviors for clearer output and add a README for the counter example project.
  • Add GitHub issue templates for bugs, feature requests, and custom issues.

Tests:

  • Add a Cancun beacon block root trace regression test for cast, and tests around new behavior where applicable.

Chores:

  • Vendor Remix testing Solidity libraries and configure git submodules and codesandbox metadata for local development.

sourcery-ai bot commented Apr 13, 2026

Reviewer's Guide

Introduces a generic AST-based linting framework and migrates the keccak256 gas lint to an early AST pass, adds Cancun parent beacon block root processing in cast run/tracing, hardens filesystem and npm workflows against unsafe inputs, improves Solidity documentation output, normalizes gas simulation output, and adds a self-contained example counter Foundry project with dedicated CI and multiple new Docker/cloud security workflows.

Sequence diagram for Cancun beacon block root processing in cast run

sequenceDiagram
    actor User
    participant CastCLI
    participant RunArgs
    participant TracingExecutor
    participant EvmEnv
    participant Storage as BeaconRootsStorage

    User->>CastCLI: invoke cast run ...
    CastCLI->>RunArgs: parse and build RunArgs
    RunArgs->>EvmEnv: create initial EVM env
    RunArgs->>CastCLI: fetch block (with header)
    CastCLI-->>RunArgs: Block{ header, parent_beacon_block_root }

    RunArgs->>EvmEnv: set block_env fields
    alt spec >= CANCUN
        RunArgs->>RunArgs: parent_beacon_block_root = header.parent_beacon_block_root
    else
        RunArgs->>RunArgs: parent_beacon_block_root = None
    end

    RunArgs->>TracingExecutor: new_with_env(...)
    TracingExecutor-->>RunArgs: executor

    alt parent_beacon_block_root is Some
        RunArgs->>RunArgs: timestamp = block_env.timestamp as u64
        RunArgs->>TracingExecutor: process_beacon_block_root(timestamp, parent_beacon_block_root)
        activate TracingExecutor
        TracingExecutor->>TracingExecutor: compute timestamp_index, root_index
        TracingExecutor->>Storage: set_storage_slot(BEACON_ROOTS_ADDRESS, timestamp_slot, block_timestamp)
        TracingExecutor->>Storage: set_storage_slot(BEACON_ROOTS_ADDRESS, root_slot, beacon_root)
        deactivate TracingExecutor
    end

    RunArgs->>TracingExecutor: execute transaction trace
    TracingExecutor-->>CastCLI: traced execution result
    CastCLI-->>User: display trace including Cancun beacon root context

Class diagram for new AST-based linting framework and keccak256 lint

classDiagram
    direction LR

    class Linter {
      <<interface>>
      +lint(input : [PathBuf]) void
      %% associated types
      +Language
      +Lint
    }

    class Lint {
      <<interface>>
      +id() str
      +severity() Severity
      +description() str
      +help() str
    }

    class LintContext {
      -sess : Session
      -desc : bool
      +new(sess : Session, with_description : bool) LintContext
      +emit(lint : L, span : Span) void
    }

    class EarlyLintPass {
      <<interface>>
      +check_expr(ctx : LintContext, expr : Expr) void
      +check_item_struct(ctx : LintContext, strukt : ItemStruct) void
      +check_item_function(ctx : LintContext, func : ItemFunction) void
      +check_variable_definition(ctx : LintContext, var : VariableDefinition) void
    }

    class EarlyLintVisitor {
      +ctx : LintContext
      +passes : [EarlyLintPass]
      +visit_expr(expr : Expr) ControlFlow
      +visit_variable_definition(var : VariableDefinition) ControlFlow
      +visit_item_struct(strukt : ItemStruct) ControlFlow
      +visit_item_function(func : ItemFunction) ControlFlow
    }

    class AsmKeccak256 {
      +check_expr(ctx : LintContext, expr : Expr) void
    }

    class Session
    class Severity
    class Span
    class Expr {
      +kind : ExprKind
      +span : Span
    }
    class ExprKind {
      <<enumeration>>
      Call
      Ident
    }
    class ItemStruct
    class ItemFunction
    class VariableDefinition
    class DiagBuilder
    class DiagId
    class MultiSpan

    Linter --> Lint : uses
    Linter --> Session : for diagnostics

    LintContext --> Session : holds
    LintContext --> Lint : emit
    LintContext --> Span : positions
    LintContext --> DiagBuilder : builds
    LintContext --> DiagId : codes
    LintContext --> MultiSpan : spans

    EarlyLintPass --> LintContext : parameter
    EarlyLintPass --> Expr : parameter
    EarlyLintPass --> ItemStruct : parameter
    EarlyLintPass --> ItemFunction : parameter
    EarlyLintPass --> VariableDefinition : parameter

    EarlyLintVisitor --> LintContext : ctx
    EarlyLintVisitor --> EarlyLintPass : passes
    EarlyLintVisitor ..|> Visit

    AsmKeccak256 ..|> EarlyLintPass
    AsmKeccak256 --> ExprKind : inspects
    AsmKeccak256 --> LintContext : emits

    class Visit {
      <<interface>>
      +visit_expr(expr : Expr) ControlFlow
      +visit_variable_definition(var : VariableDefinition) ControlFlow
      +visit_item_struct(strukt : ItemStruct) ControlFlow
      +visit_item_function(func : ItemFunction) ControlFlow
    }

File-Level Changes

Change Details Files
Introduce a generic AST-based linting framework and migrate the keccak256 gas lint to an early AST lint.
  • Add a language-agnostic Linter trait, Lint trait, LintContext, and EarlyLintPass/EarlyLintVisitor abstractions operating on the Solidity AST with diagnostic emission helpers.
  • Refactor the keccak256 gas lint from a late HIR-based pass to an early Expr-based AST pass that flags direct keccak256 identifier calls.
  • Simplify the keccak256 lint to emit diagnostics directly via the new LintContext rather than custom helper logic.
crates/lint/src/linter.rs
crates/lint/src/sol/gas/keccak.rs
Process Cancun parent beacon block roots during cast run execution and tracing, with test coverage.
  • Capture parent_beacon_block_root from block headers when running on Cancun or later specs and pass it into the tracing executor.
  • Add executor logic to map a block timestamp into beacon roots contract storage, writing both timestamp and root into indexed slots.
  • Add a CLI test that runs a known Cancun block transaction hash and asserts the trace output including beacon root related calls.
crates/cast/src/cmd/run.rs
crates/evm/evm/src/executors/trace.rs
crates/cast/tests/cli/main.rs
Harden npm workflows and artifact staging by validating identifiers, paths, and registry URLs.
  • In the npm publish workflow, validate matrix-derived TOOL/PLATFORM/ARCH values, ensure the package directory exists and is under the expected root via realpath, and require a package.json before publishing.
  • Constrain CLI arguments/env values used for artifact staging (tool, platform, arch, releaseVersion) to safe identifier patterns and reuse a shared validator.
  • Add strict getRegistryUrl handling that parses and validates the URL, enforces https, rejects localhost/loopback hosts, and normalizes the base URL without trailing slashes.
  • Update npm package dependencies to a newer @types/node version.
.github/workflows/npm.yml
npm/scripts/stage-from-artifact.mjs
npm/src/const.mjs
npm/package.json
Harden filesystem operations in script test utilities and benchmark cleanup to avoid unsafe paths and symlinks.
  • Update script test utility copying to operate only on regular files, skip entries with suspicious names (.. or path separators), and ensure canonicalized paths remain within the source directory before copying.
  • Adjust benchmark project cleanup to canonicalize each entry, ensure it remains under the temporary root, and then delete via canonical paths, logging a warning when skipping suspicious paths.
crates/test-utils/src/script.rs
benches/src/lib.rs
Improve Solidity documentation generation for dev comments, functions, enums, and inheritdoc handling.
  • Simplify dev comment rendering to always write dev tags in italics and remove the special write_dev_content helper.
  • Change function headings to use the function identifier and parameter type list instead of the full signature, and adjust inheritdoc merging to use the function name as the key.
  • Filter out variant-tagged comments from the main enum section while including both param and custom variant tags in the variant table, and tighten enum table rendering.
  • Add a From<Vec> implementation for Comments to enable easier comment list construction.
crates/doc/src/writer/as_doc.rs
crates/doc/src/writer/buf_writer.rs
crates/doc/src/parser/comment.rs
Normalize script gas simulation output to ETH and simplify the JSON schema.
  • Remove chain-native token symbol lookup in gas simulation, always printing estimated amount required in ETH for human-readable output.
  • Drop the token_symbol field from the JSON output to keep the schema minimal and symbol-agnostic.
crates/script/src/simulate.rs
Fix float sorting logic by replacing total_cmp usage with safer partial_cmp fallbacks.
  • Change suggestion candidate sorting to use partial_cmp on similarity scores, defaulting to equal on comparison failures.
  • Change best-match contract selection to use partial_cmp on scores with a safe fallback when comparison is not defined.
crates/cli/src/utils/suggestions.rs
crates/common/src/contracts.rs
Adjust verification and build tooling configuration for robustness and platform support.
  • Simplify Vyper standard JSON verification by using a cloned vyper compiler settings struct instead of cloning the entire context.
  • Tighten the Nix flake dev shell: drop dprint, remove hardeningDisable overrides, and add macOS AppKit framework support via buildInputs.
  • Add alloy-hardforks as a forge crate dependency, and unconditionally enable a forge optimizer test by removing a feature guard attribute.
crates/verify/src/etherscan/standard_json.rs
flake.nix
crates/forge/Cargo.toml
crates/forge/tests/cli/test_optimizer.rs
Add a self-contained example Foundry counter project with tests, scripts, and CI.
  • Introduce a minimal Counter contract with setNumber and increment functions, a deployment script, and corresponding forge tests including fuzzing.
  • Provide a dedicated foundry.toml, local .gitignore, and vendored library directories for forge-std and OpenZeppelin contracts inside the example project.
  • Add a README describing common Foundry commands for building, testing, formatting, snapshots, anvil, deployment, and cast usage.
  • Add a GitHub Actions workflow that checks out the repo, installs Foundry, runs fmt, build, and tests for the counter project on pushes and PRs.
counter/src/Counter.sol
counter/script/Counter.s.sol
counter/test/Counter.t.sol
counter/foundry.toml
counter/.gitignore
counter/lib/forge-std
counter/lib/openzeppelin-contracts
counter/README.md
counter/.github/workflows/test.yml
Introduce Remix-style Solidity test support libraries for local experimentation.
  • Add Assert and TestsAccounts Solidity libraries providing assertion events and deterministic test accounts for Remix-style testing flows.
.deps/remix-tests/remix_tests.sol
.deps/remix-tests/remix_accounts.sol
Expand CI, security scanning, and deployment workflows across GitHub Actions and CircleCI.
  • Add GitHub workflows for Docker image builds/pushes, CodeQL analysis, Snyk container scanning, APIsec API scanning, a Foundry build-and-deploy pipeline, hardened npm publish, and a GKE build-and-deploy pipeline with Workload Identity auth.
  • Introduce multiple CircleCI configs for Rust build/test/format pipelines and placeholder web3/gamefi jobs using a custom executor and cached cargo builds.
  • Add scaffolding files such as GitHub issue templates (bug, feature request, custom), a CodeSandbox tasks placeholder, and git submodule configuration.
.github/workflows/docker.yml
.github/workflows/codeql.yml
.github/workflows/snyk-container.yml
.github/workflows/apisec-scan.yml
.github/workflows/deploy.yml
.github/workflows/google.yml
.github/workflows/npm.yml
.circleci/config.yml
.circleci/ci.yml
.circleci/ci_v1.yml
.circleci/cargo.yml
.circleci/ci_cargo.yml
.circleci/dev_stage.yml
.circleci/ci-web3-gamefi.yml
.circleci/web3_defi_gamefi.yml
.github/ISSUE_TEMPLATE/bug_report.md
.github/ISSUE_TEMPLATE/feature_request.md
.github/ISSUE_TEMPLATE/custom.md
.codesandbox/tasks.json
.gitmodules

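The file-copy hardening listed under "Harden filesystem operations in script test utilities" in the reviewer's guide above, sketched as an added example; it is not code from this pull request or from Foundry. The names `copy_regular_files`, `is_safe_name` and `demo`, and the fixture tree that `demo` builds, are assumptions constructed for illustration.

```rust
use std::{fs, io, path::{Path, PathBuf}};

/// True when `name` is a single plain path component (hypothetical helper).
fn is_safe_name(name: &str) -> bool {
    !name.is_empty() && name != "." && name != ".."
        && !name.contains('/') && !name.contains('\\')
}

/// Copies the regular files directly inside `from_dir` into `to_dir`.
/// Returns (names copied, names skipped), both sorted.
pub fn copy_regular_files(from_dir: &Path, to_dir: &Path)
    -> io::Result<(Vec<String>, Vec<String>)>
{
    // Canonicalize once so the containment check compares resolved paths.
    let root = fs::canonicalize(from_dir)?;
    fs::create_dir_all(to_dir)?;
    let (mut copied, mut skipped) = (Vec::new(), Vec::new());
    for entry in fs::read_dir(&root)? {
        let path = entry?.path();
        let name = match path.file_name().and_then(|n| n.to_str()) {
            Some(n) => n.to_owned(),
            None => continue, // non-UTF-8 name: ignore
        };
        // symlink_metadata does not follow links, so a symlink is seen as a
        // symlink and not as whatever it points to.
        let meta = fs::symlink_metadata(&path)?;
        if !meta.file_type().is_file() || !is_safe_name(&name) {
            skipped.push(name);
            continue;
        }
        // Defence in depth: the resolved path must still sit under the root.
        let real = fs::canonicalize(&path)?;
        if !real.starts_with(&root) {
            skipped.push(name);
            continue;
        }
        // Copy from the resolved path. This narrows the window between the
        // check and the copy; it does not remove it if another process can
        // write to the directory.
        fs::copy(&real, to_dir.join(&name))?;
        copied.push(name);
    }
    copied.sort();
    skipped.sort();
    Ok((copied, skipped))
}

/// Builds a constructed fixture (one regular file, one directory, and on
/// Unix one symlink pointing outside the source dir) and runs the copy.
pub fn demo() -> io::Result<(Vec<String>, Vec<String>, PathBuf)> {
    let base = std::env::temp_dir().join(format!("copy-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&base);
    let (src, dst) = (base.join("src"), base.join("dst"));
    fs::create_dir_all(src.join("sub"))?;
    fs::write(src.join("a.sol"), "contract A {}")?;
    fs::write(base.join("secret.txt"), "outside the source dir")?;
    #[cfg(unix)]
    std::os::unix::fs::symlink(base.join("secret.txt"), src.join("link"))?;
    let (copied, skipped) = copy_regular_files(&src, &dst)?;
    Ok((copied, skipped, dst))
}

fn main() -> io::Result<()> {
    let (copied, skipped, _) = demo()?;
    println!("copied: {copied:?}, skipped: {skipped:?}");
    Ok(())
}
```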

vercel bot commented Apr 13, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
next Ready Ready Preview, Comment Apr 16, 2026 6:52am

@vercel vercel bot temporarily deployed to Preview – next April 13, 2026 03:05 Inactive

snyk-io bot commented Apr 13, 2026

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates Foundry to version 1.6.0, incorporating revm v34 and setting the default EVM version to Osaka. Key enhancements include parallel fuzzing with a synchronized corpus, an optimization mode for invariant tests to maximize int256 return values, and refined reentrancy simulation. The review identified a compilation error in the invariant check interval logic and high-severity issues in parallel fuzzing, specifically regarding log aggregation and seed collisions. Additionally, the optimization sequence shrinker needs to account for trailing block state adjustments, and a confusing comment about reverted calls should be moved for better clarity.

Comment thread crates/evm/evm/src/executors/invariant/mod.rs Outdated
Comment thread crates/evm/evm/src/executors/fuzz/mod.rs
Comment thread crates/evm/evm/src/executors/fuzz/mod.rs
Comment thread crates/evm/evm/src/executors/invariant/shrink.rs
Comment thread crates/evm/evm/src/executors/invariant/mod.rs Outdated
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Comment thread crates/evm/evm/src/executors/corpus.rs Fixed
@mergify mergify bot mentioned this pull request Apr 13, 2026
3 tasks
Dargon789 and others added 2 commits April 13, 2026 11:07
…ed in path expression'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
…ed in path expression'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Dargon789 and others added 2 commits April 13, 2026 11:18
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
@Dargon789 Dargon789 linked an issue Apr 13, 2026 that may be closed by this pull request
googleworkspace-bot and others added 3 commits April 13, 2026 23:53
)

Bumps [crate-ci/typos](https://github.com/crate-ci/typos) from 1.44.0 to 1.45.0.
- [Release notes](https://github.com/crate-ci/typos/releases)
- [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md)
- [Commits](crate-ci/typos@631208b...cf5f1c2)

---
updated-dependencies:
- dependency-name: crate-ci/typos
  dependency-version: 1.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
fs::copy(file, to_dir.join(name))?;
let file = entry?.path();
// Only operate on regular files to avoid following symlinks or directories
let metadata = fs::symlink_metadata(&file)?;
} else {
continue;
}
fs::copy(&file, to_dir.join(name))?;
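Review bot: The `fs::symlink_metadata(&file)` check and the later `fs::copy(&file, to_dir.join(name))` act on the same path at two different times, and `fs::copy` follows symlinks, so an entry swapped for a symlink between the two calls is still copied through. If anything else can write to the source directory while this runs, open the file once without following links and copy from that handle; if the directory is trusted, a short comment saying so next to the check would make the assumption explicit.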
lib_paths: project.paths.libraries.clone(),
hardhat: config.profile == Config::HARDHAT_PROFILE,
config_path: if config_path.exists() { Some(config_path) } else { None },
config_path: config_path.exists().then_some(config_path),
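Review bot: `config_path.exists()` in the `then_some` line returns false both when the file is absent and when its metadata cannot be read (a permission error, a broken symlink), so an unreadable config is still silently treated as missing, exactly as in the `if`/`else` form it replaces. Consider `try_exists()` and surfacing the error, or add a comment stating that falling back to `None` in that case is intended.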
decofe and others added 2 commits April 13, 2026 18:05
clippy: enable `needless_for_each`


Amp-Thread-ID: https://ampcode.com/threads/T-019d8707-07ff-77cf-b7f2-5dc0f64200ec

Co-authored-by: zerosnacks <95942363+zerosnacks@users.noreply.github.com>
@Dargon789 Dargon789 closed this Apr 14, 2026
@Dargon789 Dargon789 reopened this Apr 14, 2026
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>