Sequence diagram for sign_with_access_key Tempo access-key signing flow #586

@Dargon789

Reviewer's Guide

This PR mixes significant internal feature work with a large set of security hardening changes and CI / workflow additions. Key changes include: constrained temp filesystem usage in test utilities and benchmarks; safer path handling for config and script helpers; new Tempo wallet integration and access-key signing support; a generic linting framework and config schema crate; updates to cheatcodes/config schemas and cargo aliases; a new Cancun beacon-block trace test; and a substantial number of new GitHub Actions and CircleCI configs plus project-scoped example counter app files and docs assets.

Sequence diagram for sign_with_access_key Tempo access-key signing flow

sequenceDiagram
    participant Caller
    participant tempo as tempo_mod
    participant req as TempoTransactionRequest
    participant signer as Signer
    participant kc as KeychainSignature

    Caller->>tempo: sign_with_access_key(tx_request, signer, wallet_address)
    activate tempo
    tempo->>req: build_aa()
    activate req
    req-->>tempo: tempo_tx
    deactivate req

    tempo->>tempo: signature_hash = tempo_tx.signature_hash()
    tempo->>kc: KeychainSignature::signing_hash(signature_hash, wallet_address)
    kc-->>tempo: signing_hash

    tempo->>signer: sign_hash(signing_hash)
    activate signer
    signer-->>tempo: raw_sig
    deactivate signer

    tempo->>kc: KeychainSignature::new(wallet_address, raw_sig)
    kc-->>tempo: keychain_sig

    tempo->>tempo: aa_signed = tempo_tx.into_signed(TempoSignature::Keychain(keychain_sig))
    tempo->>tempo: aa_signed.encode_2718(buf)
    tempo-->>Caller: signed_bytes
    deactivate tempo

File-Level Changes

Change Details Files
Harden filesystem operations and path handling in test utilities, benchmarks, scripts, and config cleanup logic.
  • Introduce a fixed TEST_UTIL_BASE under the system temp directory and a resolve_and_validate_under_base helper to constrain copy_dir_filtered operations to this base and prevent directory escape via absolute or .. paths.
  • Add global IS_TTY flag, adjust get_compiled to panic on compiler errors instead of using assert!, and slightly tweak Vyper lock error handling pattern matching.
  • Ensure test failures file removal resolves to a path under the canonicalized project root before deleting, emitting a warning when the file would lie outside the project root.
  • Canonicalize TempProject root in benchmarks cleanup and verify each entry’s canonical path stays under that root before removing directories/files, logging and skipping suspicious paths.
  • In ScriptTester, skip files with suspicious names and avoid copying files whose canonicalized path escapes the source dir, preventing traversal via symlinks or invalid filenames.
  • In cheatcodes fs tests, guard remove_dir_all by verifying the directory exists and resides under the system temp directory before deleting.
crates/test-utils/src/util.rs
crates/config/src/lib.rs
benches/src/lib.rs
crates/test-utils/src/script.rs
crates/cheatcodes/src/fs.rs
Add Tempo wallet integration with support for local and keychain (access-key) signing, plus a dedicated Tempo transaction signing path.
  • Introduce enums for WalletType and KeyType and data structures to deserialize Tempo’s keys.toml layout, including per-token limits and top-level KeysFile.
  • Implement keys_path resolution honoring TEMPO_HOME or defaulting to ~/.tempo/wallet/keys.toml, and decode SignedKeyAuthorization from hex+RLP.
  • Provide TempoLookup abstraction that distinguishes direct EOA signers from keychain access-key signers and returns either a simple WalletSigner or a WalletSigner plus TempoAccessKeyConfig.
  • Add sign_with_access_key helper that builds a TempoTransaction from a TempoTransactionRequest, computes the keychain V2 signing hash, signs via alloy Signer, wraps in a KeychainSignature/TempoSignature and encodes the result as EIP-2718 bytes.
crates/wallets/src/tempo.rs
Introduce a generic linting framework abstraction for AST-based lint passes.
  • Define a Linter trait parametrized by language and lint type with a lint method taking input file paths.
  • Define a Lint trait with id, severity, description, and help methods, plus a LintContext carrying Session and description flags and an emit helper that builds and emits diagnostics with appropriate codes and spans.
  • Add EarlyLintPass trait mirroring solar_ast::visit::Visit for key nodes (Expr, ItemStruct, ItemFunction, VariableDefinition) but enriched with LintContext, and EarlyLintVisitor that drives multiple passes over the AST and dispatches checks while walking nodes.
crates/lint/src/linter.rs
Add a dedicated config spec crate and JSON schema generation for Foundry config, plus cargo alias integration.
  • Create foundry-config-spec crate wrapping Config inside ConfigSchema with serde flattening and optional schemars JsonSchema derivation behind a schema feature.
  • Add a test helper that verifies the generated config.schema.json matches the compiled schema, auto-updating the file and instructing CI users to run cargo spec-config when out-of-date.
  • Register schemars as an optional dependency and add a schema feature for the main config crate, and expose a new cargo alias spec-config to run the schema tests; also add foundry-config-spec to workspace manifests as needed.
crates/config/spec/Cargo.toml
crates/config/spec/src/lib.rs
crates/config/Cargo.toml
.cargo/config.toml
crates/config/assets/config.schema.json
Update cheatcodes spec metadata and references, including schema URL and CI hints, and wire config spec into workspace dependencies.
  • Change cheatcodes spec doc URL to point to getfoundry.sh-specific cheatcodes documentation under forge tests.
  • Adjust CI hint message in cheatcodes spec tests to recommend running cargo spec-cheats instead of the old cargo cheats alias.
  • Declare foundry-primitives as a workspace dependency in the common crate and hook up new schema features in config and cheatcodes crates where appropriate.
crates/cheatcodes/spec/src/lib.rs
crates/common/Cargo.toml
crates/config/Cargo.toml
.cargo/config.toml
Refine various runtime behaviors and bugfixes across RPC handling, miner, script simulation, lints, and testing.
  • In Anvil RPC handler, change behavior for empty batch requests to return a Batch response containing a single RpcError instead of a Single error response.
  • Fix cast miner::mine alignment wrapper by redefining B256Aligned with repr(C, align(8)) and a single B256 field, avoiding the previous zero-length array trick.
  • Update gas price symbol resolution in script simulation to use alloy_chains::Chain::from_id instead of NamedChain::try_from, aligning with newer APIs.
  • In EVM fuzzer WorkerCorpus, use rng.gen_ratio instead of random_ratio for payable value mutation frequency.
  • Make merge_outcomes accumulate suite duration by summing rather than taking max when merging TestOutcome structures.
  • Simplify keccak lint helper extract_keccak256_arg to an explicit if/else returning Option, and adjust unused_return lint to use call_args.len() instead of call_args.kind.len() to reflect updated API.
  • Un-gate the preprocess_contract_with_decode_internal test by removing the isolate-by-default cfg guard.
crates/anvil/server/src/handler.rs
crates/cast/src/cmd/miner.rs
crates/script/src/simulate.rs
crates/evm/evm/src/executors/corpus.rs
crates/forge/src/cmd/test/mod.rs
crates/lint/src/sol/gas/keccak.rs
crates/lint/src/sol/med/unused_return.rs
crates/forge/tests/cli/test_optimizer.rs
Add a new Cancun beacon-block trace regression test for cast and guard nightly comparison script against division-by-zero.
  • Introduce a new CLI test that runs a specific Cancun-era beacon block root transaction and asserts on the printed call trace and gas section, ensuring regression coverage for GitHub issue "cast run result is different from the actual transaction" (foundry-rs/foundry#12435).
  • Modify compare-nightly.sh to compute percentage delta only when previous timing is greater than zero, otherwise defaulting to 0 to avoid division-by-zero.
crates/cast/tests/cli/main.rs
.github/scripts/compare-nightly.sh
Add CSS/JS documentation assets for doc output and a sample counter Foundry project with scripts, tests, CI, and README.
  • Add doc-style.css and doc-script.js under both doc/ and counter/doc/ and minimal doc-filelist.js stubs, providing highlight.js styling and sidebar navigation logic for generated docs.
  • Introduce a standalone counter example project with Counter.sol, deployment script, tests, foundry.toml, remappings, forge-std and openzeppelin submodules, gas snapshot, and README describing common Foundry commands.
  • Add a minimal GitHub Actions workflow under counter to run fmt, build, and tests for the example project.
doc/doc-style.css
doc/doc-script.js
doc/doc-filelist.js
counter/doc/doc-style.css
counter/doc/doc-script.js
counter/doc/doc-filelist.js
counter/src/Counter.sol
counter/script/Counter.s.sol
counter/test/Counter.t.sol
counter/foundry.toml
counter/README.md
counter/.gas-snapshot
counter/remappings.txt
counter/.github/workflows/test.yml
counter/lib/forge-std
counter/lib/openzeppelin-contracts
Add multiple new CI / security workflows and CircleCI configs for Docker, CodeQL, Snyk, Google GKE, Pages, API security, and Rust/Cargo pipelines.
  • Add GitHub Actions workflows for Docker builds (two variants), Docker image CI, static site deployment to GitHub Pages, CodeQL advanced scanning, Google GKE build/deploy, Snyk container scans, APIsec scanning, and a Foundry build/test/deploy pipeline.
  • Introduce multiple CircleCI configurations for Foundry testing, Rust cargo build/test with caching, and assorted custom web3/gamefi/dev_stage pipelines with examples of filters and retry semantics.
  • Add basic GitHub issue templates for bug reports, feature requests, and a custom template, plus a sample .codesandbox/tasks.json stub and auxiliary project files like .gitmodules and sleep.json.
.github/workflows/docker.yml
.github/workflows/Docker.yml
.github/workflows/docker-image.yml
.github/workflows/static.yml
.github/workflows/codeql.yml
.github/workflows/google.yml
.github/workflows/snyk-container.yml
.github/workflows/apisec-scan.yml
.github/workflows/deploy.yml
.github/workflows/docker-image.yml
.circleci/config.yml
.circleci/cargo.yml
.circleci/ci.yml
.circleci/ci_v1.yml
.circleci/ci_cargo.yml
.circleci/ci-web3-gamefi.yml
.circleci/web3_defi_gamefi.yml
.circleci/dev_stage.yml
.github/ISSUE_TEMPLATE/bug_report.md
.github/ISSUE_TEMPLATE/feature_request.md
.github/ISSUE_TEMPLATE/custom.md
.codesandbox/tasks.json
.gitmodules
sleep.json
Vendor Remix testing helper contracts for Solidity testing and add small project metadata or placeholder files.
  • Add remix_tests.sol with the Assert library exposing a suite of assertion helpers that emit type-specific AssertionEvent events for use in Remix-compatible tests.
  • Add remix_accounts.sol providing a fixed set of test account addresses via getAccount(index).
  • Add placeholder or lock files such as soldeer.lock and references under .deps for Remix tests and config.
.deps/remix-tests/remix_tests.sol
.deps/remix-tests/remix_accounts.sol
counter/soldeer.lock

    Originally posted by @sourcery-ai[bot] in #585 (comment)
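
The first change in the guide confines file operations to a base directory and rejects absolute or `..` paths and symlink escapes. A sketch of such a check, added here as an example and not taken from the PR: the function name follows the guide, while the body, the `denied` helper, the error messages and the sample paths are assumptions.

```rust
use std::fs;
use std::io::{Error, ErrorKind, Result};
use std::path::{Component, Path, PathBuf};

// Hypothetical helper for building the rejection error.
fn denied(why: &str, p: &Path) -> Error {
    Error::new(ErrorKind::PermissionDenied, format!("{why}: {}", p.display()))
}

/// Resolve `rel` under `base`; error unless the result stays inside `base`.
/// The body is an assumption, not the PR's implementation.
pub fn resolve_and_validate_under_base(base: &Path, rel: &Path) -> Result<PathBuf> {
    // Lexical pass: reject absolute paths, drive prefixes and `..` outright.
    if rel.components().any(|c| !matches!(c, Component::Normal(_) | Component::CurDir)) {
        return Err(denied("absolute or parent component", rel));
    }
    let base = base.canonicalize()?;
    let joined = base.join(rel);

    // Walk up to the deepest entry that exists. symlink_metadata does not
    // follow links, so a dangling symlink counts as existing and then fails
    // canonicalize below instead of being treated as a fresh name.
    let mut existing = joined.as_path();
    let mut tail = Vec::new();
    while fs::symlink_metadata(existing).is_err() {
        tail.push(existing.file_name().ok_or_else(|| denied("no existing ancestor", rel))?);
        existing = existing.parent().ok_or_else(|| denied("no existing ancestor", rel))?;
    }
    // Filesystem pass: resolve symlinks, then compare whole path components.
    let mut resolved = existing.canonicalize()?;
    if !resolved.starts_with(&base) {
        return Err(denied("resolves outside base", &joined));
    }
    resolved.extend(tail.into_iter().rev());
    Ok(resolved)
}

fn main() {
    // Constructed inputs: a safe relative name, a `..` escape, an absolute path.
    let base = std::env::temp_dir();
    for rel in ["report/out.txt", "../outside/file", "/abs/elsewhere"] {
        println!("{rel:?} -> {:?}", resolve_and_validate_under_base(&base, Path::new(rel)));
    }
}
```

`Path::starts_with` compares whole components, so a sibling such as `base_evil` does not pass as being under `base`. The check is a point-in-time validation: a path component replaced by a symlink between validation and use is not covered by it.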

Labels: P-high, T-bug, bug, dependencies, documentation, duplicate, enhancement, github_actions, rust
