Dev

[JaCoderX]

Summary by CodeRabbit

• New Features

  • New getHooks endpoint to list configured hooks for contract operations.
  • Create transactions with attached payment details.
  • ERC20 minting workflow added to the controller test tooling.

• Improvements

  • Transaction APIs now return concise transaction IDs (txId) instead of full records.
  • Centralized post-action hook processing for consistent post-transaction behavior.

• Chores

  • Package bumped to 1.0.0-alpha.5.

[coderabbitai]

📝 Walkthrough

Walkthrough

Refactors transaction flows to return uint256 txId instead of TxRecord, centralizes hook execution into a post-action hook model with getHooks(bytes4), threads explicit PaymentDetails through transaction creation (txRequestWithPayment), and reorganizes import/package layout plus ABI and test updates.

Changes

Cohort / File(s)	Summary
Hook system & post-action flow contracts/experimental/hook/HookManager.sol, contracts/experimental/hook/interface/IOnActionHook.sol, contracts/interfaces/IOnActionHook.sol, contracts/examples/templates/MachineBlox.sol, contracts/core/base/BaseStateMachine.sol, docs/core/hook/HookManager.md, abi/*, sdk/typescript/abi/*	Consolidated per-event hooks into a single post-action hook pipeline; introduced IOnActionHook.onAction(txRecord); removed legacy IOnActionHook interface/events; added public getHooks(bytes4) and internal _setHook/_clearHook paths.
Return-type simplification (TxRecord → txId) contracts/core/execution/GuardController.sol, contracts/core/access/RuntimeRBAC.sol, contracts/core/security/SecureOwnable.sol, contracts/examples/.../SimpleVault.sol, contracts/examples/.../SimpleRWA20.sol, contracts/examples/integrations/Safe/GuardianSafe/GuardianSafe.sol, contracts/.../interface/*.sol, abi/*, sdk/typescript/abi/*	Many public APIs changed to return uint256 txId instead of EngineBlox.TxRecord memory; implementations updated to return txRecord.txId; interfaces and ABIs updated accordingly.
Payment model and EngineBlox updates contracts/core/lib/EngineBlox.sol, contracts/examples/applications/PayBlox/PayBlox.sol, contracts/examples/applications/PayBlox/PayBloxDefinitions.sol, abi/EngineBlox.abi.json	Removed UPDATE_PAYMENT selector/operation and updatePaymentForTransaction; added txRequestWithPayment, _noPayment(), and propagated PaymentDetails through createNewTxRecord/_txRequest and related flows.
Hook query ABI additions abi/BareBlox.abi.json, abi/BaseStateMachine.abi.json, abi/GuardController.abi.json, abi/RoleBlox.abi.json, abi/RuntimeRBAC.abi.json, sdk/typescript/abi/*	Added getHooks(bytes4) -> address[] ABI entries across multiple contracts and SDK ABIs.
Import path & package layout contracts/core/lib/interfaces/IDefinition.sol, contracts/core/lib/interfaces/IEventForwarder.sol, many contracts/.../Definitions.sol, package/*, package/scripts/prepublish-contracts.cjs, package/README.md	Adjusted import paths to unified core/lib/..., reorganized publishing to expose core/ and abi/, and updated packaging scripts and .npmignore.
Tests & tooling scripts/sanity/guard-controller/base-test.cjs, scripts/sanity/guard-controller/erc20-mint-controller-tests.cjs, scripts/sanity-sdk/..., scripts/sanity/..., scripts/sanity-sdk/guard-controller/*	Added ERC20 mint-via-controller test suites, extensive ABI-decoding resilience and raw-path meta-tx helpers, best-effort checks, and updated test runners to include new suites.
Migrations & examples migrations/3_deploy_example_contracts.cjs, migrations/4_deploy_basic_erc20.cjs, contracts/examples/*	Added ERC20Blox deployment and minter-resolution logic; updated examples to new import paths and txId-returning APIs.
Misc (configs & docs) .gitignore, env.example, foundry.toml, package.json, package/package.json, package/.npmignore	Version bump to 1.0.0-alpha.5, added ERC20_BLOX env flags, increased Foundry fuzz rejects, and adjusted packaging and ignore rules.

Sequence Diagram(s)

sequenceDiagram
    participant Caller as Caller
    participant Base as BaseStateMachine
    participant Engine as EngineBlox
    participant Hook as HookManager

    Caller->>Base: requestTransaction(...)
    Base->>Engine: txRequest(..., _noPayment()/paymentDetails)
    Engine-->>Base: TxRecord (includes txId, payment)
    Base->>Base: _postActionHook(txRecord)
    Base->>Hook: _postActionHook(txRecord)
    Hook->>Hook: _executeActionHooks(state.functionTargetHooks[txRecord.params.executionSelector])
    loop for each hook
        Hook->>Hook: IOnActionHook(hook).onAction(txRecord)
    end
    Base-->>Caller: return txRecord.txId (uint256)

Loading

sequenceDiagram
    participant Caller as Caller
    participant Engine as EngineBlox
    participant TxRecord as TxRecord

    Caller->>Engine: txRequestWithPayment(..., paymentDetails)
    Engine->>Engine: _txRequest(..., paymentDetails)
    Engine->>Engine: createNewTxRecord(..., paymentDetails)
    Engine-->>Caller: TxRecord (contains txId + payment)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Dev #31 — Overlapping changes to hook subsystem and getHook/getHooks refactor.
• Dev 3 #27 — Related BaseStateMachine / GuardController ABI and post-action hook modifications.
• Dev #40 — Related EngineBlox payment/path and selector changes (UPDATE_PAYMENT removal, payment propagation).

Poem

🐰
I hopped through bytes and function calls so spry,
Replaced big records with a tiny txId sigh,
Hooks gather now in one soft post-action hum,
Payments threaded through, the new pathways come,
The rabbit cheers — the Bloxchain blooms, oh my!

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title 'Dev' is vague and does not describe the actual changes; it fails to communicate the scope or nature of the modifications to reviewers scanning history.	Replace with a descriptive title summarizing the main changes, such as 'Refactor transaction return types from TxRecord to uint256 and restructure hook management' or 'Simplify public APIs and reorganize library imports'.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (15)

scripts/sanity-sdk/runtime-rbac/base-test.ts (1)

686-750: ⚠️ Potential issue | 🟡 Minor

checkTransactionRecordStatus defaults to success: true on multiple failure paths.

Lines 690, 698, and 748 all return { success: true, ... } when the txId can't be extracted, the record can't be fetched, or an exception occurs. This silently swallows failures and could mask real issues in tests. Consider defaulting to success: false or at least logging a more prominent warning, so test failures aren't hidden.

scripts/sanity/guard-controller/README.md (1)

44-56: ⚠️ Potential issue | 🟡 Minor

Inconsistent file extensions in usage examples.

Lines 52 and 55 correctly reference .cjs files, but Line 46 still uses run-tests.js (without the .cjs extension). The same stale .js extension appears on Lines 60 and 219. These should all be updated to .cjs for consistency.

📝 Proposed fix

 ### Run All Tests
 ```bash
-node run-tests.js --all
+node run-tests.cjs --all

Line 60:
```diff
-node run-tests.js --help
+node run-tests.cjs --help

Line 219:

-node guard-controller-tests.js
+node guard-controller-tests.cjs

migrations/4_deploy_basic_erc20.cjs (1)

74-89: ⚠️ Potential issue | 🟡 Minor

Comment claims reload but uses stale addresses object.

Line 74's comment says "reload to merge with any concurrent updates," but the code still uses the addresses object loaded at the start (Line 16-19) without re-reading the file. If concurrent merge is truly needed, re-read addressesFile before writing. If not (migrations are sequential), update the comment to remove the misleading "reload" language.

📝 Option A: Actually reload (if concurrent writes are possible)

-        // Save the address to a file for easy access (reload to merge with any concurrent updates)
-        if (!addresses[network]) {
-            addresses[network] = {};
-        }
+        // Save the address to a file for easy access (reload to merge with any concurrent updates)
+        let latestAddresses = {};
+        if (fs.existsSync(addressesFile)) {
+            latestAddresses = JSON.parse(fs.readFileSync(addressesFile, 'utf8'));
+        }
+        if (!latestAddresses[network]) {
+            latestAddresses[network] = {};
+        }

Then use latestAddresses for the write on Line 89.

📝 Option B: Fix the comment (if sequential is fine)

-        // Save the address to a file for easy access (reload to merge with any concurrent updates)
+        // Save the address to a file for easy access

scripts/sanity/guard-controller/run-tests.cjs (1)

28-28: ⚠️ Potential issue | 🟡 Minor

Usage text still references run-tests.js instead of run-tests.cjs.

Line 37–39 were updated to run-tests.cjs, but line 28 was missed.

Proposed fix

-        console.log('Usage: node run-tests.js [options]');
+        console.log('Usage: node run-tests.cjs [options]');

scripts/sanity-sdk/guard-controller/whitelist-tests.ts (1)

462-466: ⚠️ Potential issue | 🟡 Minor

Step 5 asserts strictly while Steps 2–3 use best-effort — inconsistent verification strategy.

If getFunctionWhitelistTargets can't be trusted in Steps 2–3 (best-effort), it shouldn't be trusted here either. Conversely, if it's reliable enough to assert on removal, the add-verification steps should also assert.

migrations/3_deploy_example_contracts.cjs (1)

341-341: ⚠️ Potential issue | 🟡 Minor

Log message says "60 seconds" but all contracts are initialized with 1 second time lock.

Line 341 reads Time Lock Period: 60 seconds (1 minute) but lines 129, 184, and 237 all pass 1 as the time lock period. This is a pre-existing issue but worth fixing now since the summary section is being updated.

docs/core/hook/HookManager.md (1)

65-77: ⚠️ Potential issue | 🟡 Minor

Missing parameter name in getHooks documentation.

Line 74 shows the parameter entry as (): The function selector``, with the parameter name left blank. It should read functionSelector to match the signature on Line 68. The same issue exists for `setHook` and `clearHook` above, but since `getHooks` is the changed section, flagging it here.

contracts/core/access/interface/IRuntimeRBAC.sol (1)

48-54: ⚠️ Potential issue | 🟡 Minor

Stale @return NatSpec: still says "The transaction record" but now returns uint256.

The return type was changed to uint256 (txId), but the NatSpec on Line 50 was not updated to reflect this.

Proposed fix

-     * `@return` The transaction record
+     * `@return` The transaction ID

contracts/core/execution/GuardController.sol (2)

177-264: ⚠️ Potential issue | 🟡 Minor

Multiple stale @return NatSpec comments after the return-type refactor to uint256.

Several functions still document the return as "The execution result", "The updated transaction record", or "The transaction record after request and approval", but they now all return uint256 (txId). Affected functions:

• approveTimeLockExecution (Line 180): @return result The execution result
• cancelTimeLockExecution (Line 198): @return The updated transaction record
• approveTimeLockExecutionWithMetaTx (Line 216): @return The updated transaction record
• cancelTimeLockExecutionWithMetaTx (Line 234): @return The updated transaction record
• requestAndApproveExecution (Line 250): @return The transaction record after request and approval

These should all read something like @return The transaction ID. As per coding guidelines, "Document contracts and functions using NatSpec, including security annotations and param/return tags".

---

308-320: ⚠️ Potential issue | 🟡 Minor

Stale @return NatSpec on guardConfigBatchRequestAndApprove.

Line 311: @return The transaction record should be updated to reflect the uint256 txId return.

contracts/core/access/RuntimeRBAC.sol (1)

95-106: ⚠️ Potential issue | 🟡 Minor

Stale NatSpec: @return still says "The transaction record" but function now returns uint256.

Line 97 should be updated to reflect the new return type.

📝 Suggested NatSpec fix

-     * `@return` The transaction record
+     * `@return` The transaction ID

contracts/core/base/BaseStateMachine.sol (1)

239-261: ⚠️ Potential issue | 🟠 Major

Reentrancy risk: _cancelTransaction and _cancelTransactionWithMetaTx now perform external calls via _postActionHook but lack nonReentrant.

With the introduction of _postActionHook, these internal functions now invoke external hook contracts (through HookManager._executeActionHooks). Unlike _approveTransaction (Line 208) and _requestAndApproveTransaction (Line 274), which are protected by nonReentrant, these cancel functions are not. A malicious hook could re-enter the contract during cancellation.

The same concern applies to _requestTransaction (Line 133) and _requestTransactionWithPayment (Line 171).

Consider adding nonReentrant to all internal transaction functions that now invoke _postActionHook, or document why it is safe for request/cancel paths to be re-entered.

contracts/examples/integrations/Safe/GuardianSafe/GuardianSafe.sol (1)

148-168: ⚠️ Potential issue | 🟠 Major

Missing SafeTx target validation after encoding change.
requestTransaction now encodes params directly, which skips the target validation previously done in createTransactionExecutionParams. Add explicit validation to prevent zero/self-target submissions.

🛠️ Suggested fix

     {
         SharedValidation.validateOwner(owner());
+        SharedValidation.validateTargetAddress(safeTx.to);
         // Use helper function to encode parameters and avoid stack too deep
         bytes memory params = _encodeSafeTxParams(safeTx);

As per coding guidelines, Validate all external inputs: prohibit zero values where inappropriate and block self-targeting addresses.

contracts/core/lib/EngineBlox.sol (1)

1661-1697: ⚠️ Potential issue | 🔴 Critical

Critical: PaymentDetails is declared in the EIP-712 TYPE_HASH but omitted from the actual structHash computation — payment fields are not covered by the meta-transaction signature.

The TYPE_HASH (Line 208) declares TxRecord as including PaymentDetails payment, but the inner hash of TxRecord at Lines 1672–1681 only encodes txId, requester, target, value, gasLimit, operationType, executionSelector, and executionParams. The payment sub-struct (and releaseTime, status, message, result) is entirely absent from the hash.

This means a malicious relay/broadcaster can modify metaTx.txRecord.payment (recipient, native amount, ERC-20 amount) without invalidating the owner's signature. In the requestAndApprove path (Line 551–552), the payment from metaTx.txRecord.payment is passed directly into _txRequest and stored, so tampered payment details will be persisted and later executed.

The PaymentDetails hash must be included in the TxRecord struct hash to bind the signer's payment intent to the signature.

As per coding guidelines, "Validate EIP-712 signatures for meta-transactions before execution".

Proposed fix — include PaymentDetails in the struct hash

Add a PAYMENT_DETAILS_TYPE_HASH and include a hash of the payment fields in the TxRecord struct hash:

     bytes32 structHash = keccak256(abi.encode(
         TYPE_HASH,
         keccak256(abi.encode(
             metaTx.txRecord.txId,
+            metaTx.txRecord.releaseTime,
+            uint8(metaTx.txRecord.status),
             metaTx.txRecord.params.requester,
             metaTx.txRecord.params.target,
             metaTx.txRecord.params.value,
             metaTx.txRecord.params.gasLimit,
             metaTx.txRecord.params.operationType,
             metaTx.txRecord.params.executionSelector,
-            keccak256(metaTx.txRecord.params.executionParams)
+            keccak256(metaTx.txRecord.params.executionParams),
+            metaTx.txRecord.message,
+            keccak256(metaTx.txRecord.result),
+            keccak256(abi.encode(
+                metaTx.txRecord.payment.recipient,
+                metaTx.txRecord.payment.nativeTokenAmount,
+                metaTx.txRecord.payment.erc20TokenAddress,
+                metaTx.txRecord.payment.erc20TokenAmount
+            ))
         )),

Alternatively, at minimum include just the payment hash if the other fields (releaseTime, status, etc.) are intentionally excluded because they are contract-determined:

         keccak256(metaTx.txRecord.params.executionParams)
+        ),
+        keccak256(abi.encode(
+            metaTx.txRecord.payment.recipient,
+            metaTx.txRecord.payment.nativeTokenAmount,
+            metaTx.txRecord.payment.erc20TokenAddress,
+            metaTx.txRecord.payment.erc20TokenAmount
         ))

Either way, the TYPE_HASH string must match the actual encoding fields for EIP-712 compliance.

contracts/core/security/SecureOwnable.sol (1)

252-283: ⚠️ Potential issue | 🟠 Major

Add nonReentrant modifier to all execute* functions in SecureOwnable.sol.

The external functions executeTransferOwnership, executeBroadcasterUpdate, executeRecoveryUpdate, and executeTimeLockUpdate modify critical contract state but lack the nonReentrant modifier. The _validateExecuteBySelf() check only validates that the caller is address(this) and does not provide reentrancy protection. While BaseStateMachine extends ReentrancyGuardUpgradeable, the internal state-changing functions (e.g., _approveTransaction, _approveTransactionWithMetaTx) correctly apply nonReentrant, but these external execution entry points do not. Per coding guidelines, all state-changing functions must be protected with nonReentrant.

Apply the nonReentrant modifier to each of these four external execution functions.

🤖 Fix all issues with AI agents

In `@abi/SimpleRWA20.abi.json`:
- Around line 2097-2101: The ABI changed mintWithMetaTx and burnWithMetaTx to
return uint256 txId instead of a struct; add or update integration tests in the
sanity-sdk test suite (mirroring the existing pattern in
scripts/sanity-sdk/secure-ownable/) to call mintWithMetaTx and burnWithMetaTx,
assert they return a txId (uint256), then fetch full details with
getTransaction(txId) and validate the returned TxRecord fields; update any test
helpers or assertions that previously expected a destructured struct from
mint/burn to use txId + getTransaction instead.

In `@contracts/core/security/SecureOwnable.sol`:
- Around line 106-114: Update the NatSpec `@return` descriptions for the listed
functions so they correctly state they return a uint256 transaction identifier:
change the `@return` text from "The updated transaction record" to "The
transaction ID" in transferOwnershipDelayedApproval,
transferOwnershipApprovalWithMetaTx, transferOwnershipCancellation,
transferOwnershipCancellationWithMetaTx, updateBroadcasterDelayedApproval,
updateBroadcasterApprovalWithMetaTx, updateBroadcasterCancellation, and
updateBroadcasterCancellationWithMetaTx; keep the rest of the comments intact
and ensure each function's `@return` now matches the uint256 return type.

In `@contracts/examples/applications/PayBlox/PayBlox.sol`:
- Around line 162-167: Update the NatSpec `@return` for the functions
approvePaymentAfterDelay and cancelPayment to accurately describe the returned
value: they return a uint256 transaction ID, not a full transaction record.
Locate the docblocks above the functions approvePaymentAfterDelay(uint256 txId)
and cancelPayment(...) and change the `@return` text to "The transaction ID" (or
equivalent concise wording) so the comment matches the uint256 return type.

In `@contracts/experimental/hook/HookManager.sol`:
- Around line 68-80: The _executeActionHooks function currently calls
IOnActionHook(hook).onAction(txRecord) directly, which allows any reverting hook
to block the whole transaction; change it to treat hooks as best-effort by
wrapping each external call in a try/catch around
IOnActionHook(hook).onAction(txRecord) so a failing hook is caught, does not
revert the loop, and you continue to the next hook; in the catch path, emit or
log a new event (e.g., HookExecutionFailed with hook address, executionSelector,
and error) so failures are observable; keep the rest of the loop and state usage
(EngineBlox.TxRecord, executionSelector, state.functionTargetHooks) unchanged.

In `@scripts/sanity-sdk/guard-controller/erc20-mint-controller-tests.ts`:
- Line 243: The forEach callback on targetsAfter uses a concise arrow body that
implicitly returns console.log’s value; change it to a block-bodied arrow to
avoid implicit return (e.g., replace (t, i) => console.log(`     ${i + 1}.
${t}`) with (t, i) => { console.log(`     ${i + 1}. ${t}`); } ), or
alternatively use a for...of loop over targetsAfter to perform the logging;
update the callback on targetsAfter.forEach accordingly.

In `@scripts/sanity-sdk/guard-controller/whitelist-tests.ts`:
- Around line 286-304: The current whitelist verification always calls
this.assertTest(true, ...) in both branches so SDK read failures are ignored;
update the logic in the block that reads isWhitelisted/expectedIsWhitelisted so
that when they match you keep the passing assertion (this.assertTest(true, ...))
and when they differ you log at error/warn level and surface a failure instead
of silently passing — either call this.assertTest(false, `Target whitelist
verification failed: expected ${expectedIsWhitelisted}, actual
${isWhitelisted}`) or, if your framework supports soft failures, call the
soft-failure helper (e.g., this.recordSoftFailure(...) ) so the discrepancy is
recorded while preserving suite flow; ensure references to isWhitelisted,
expectedIsWhitelisted, this.assertTest, and testStep5VerifyTargetRemoved are
used to locate and align behavior with the strict check in
testStep5VerifyTargetRemoved.

In `@scripts/sanity/guard-controller/base-test.cjs`:
- Around line 627-647: The current decode-recovery branch in
sendTransactionWithValue silently returns a raw receipt (variable receipt) when
isDecodeError is true, which breaks callers expecting a decoded contract result;
instead, stop returning the raw receipt directly and surface the situation to
callers by attaching the receipt to an error or returning a standardized result
shape. Modify the sendTransactionWithValue logic where receipt is obtained (the
isDecodeError branch) so that you either (A) rethrow the original decode error
after adding a property like error.receipt = receipt and a clear message, or (B)
return a consistent object (e.g., { success: true, receipt, decoded: null,
decodeError: <errorInfo> }) so callers can handle it deterministically; ensure
you update any calling sites if you choose the result-shape approach and
reference sendTransactionWithValue, isDecodeError, and the receipt variable when
making the change.
- Around line 920-932: The const permTuples declared inside the CREATE_ROLE case
is not block-scoped because the case lacks braces, which triggers the
noSwitchDeclarations warning; fix by adding a block around the case body (wrap
the code between case this.RoleConfigActionType.CREATE_ROLE: and its break in {
... }), keeping the logic that builds permTuples (using createBitmapFromActions
and handlerForSelectors) and the encodedData assignment via
this.web3.eth.abi.encodeParameters intact so scoping is limited to that case.

🧹 Nitpick comments (21)

.gitignore (1)

15-15: reports/ on Line 15 already covers scripts/sanity/reports/ on Line 24.

The broader reports/ pattern at Line 15 makes the more specific scripts/sanity/reports/ entry redundant. Consider removing Line 24 to keep the ignore list tidy.

Also applies to: 23-24

package.json (1)

43-43: Hardcoded alpha.5 tag in three separate script entries is fragile.

The tag alpha.5 appears in release:sync-versions:tag:alpha, publish:contracts, and publish:sdk. Each version bump requires updating all three in lockstep, which is easy to miss. Consider deriving the tag from the version field or a single variable to reduce the risk of drift.

Also applies to: 49-50

scripts/sanity-sdk/guard-controller/base-test.ts (1)

461-479: Duplicated error selector map across test base classes.

The getErrorName error map here is identical to the one in scripts/sanity-sdk/runtime-rbac/base-test.ts. Consider extracting this into a shared utility (e.g., in scripts/sanity-sdk/base/) to keep them in sync.

migrations/4_deploy_basic_erc20.cjs (1)

12-12: Unused web3 declaration on Line 12 is shadowed by Line 53.

const web3 on Line 12 is never used — it's shadowed by the const web3 inside the try block on Line 53. Remove the outer declaration to avoid confusion.

🧹 Proposed fix

-    // Get web3 instance from artifacts
-    const web3 = artifacts.web3;
-    

Also applies to: 53-53

scripts/sanity/guard-controller/run-tests.cjs (1)

162-165: padEnd(15) is too narrow for the new suite name erc20-mint-controller (21 chars), causing misaligned output.

Consider increasing the pad width to accommodate the longest suite name.

Proposed fix

-            console.log(`  ${suiteName.padEnd(15)} ${status}`);
+            console.log(`  ${suiteName.padEnd(25)} ${status}`);

scripts/sanity/utils/eip712-signing.cjs (1)

107-123: Silent truncation of oversized hex values may mask bugs.

Line 120: if body.length > 64, the helper takes the last 64 hex characters. For a bytes32 hash this shouldn't happen, but silently discarding the prefix could hide upstream corruption. Consider throwing or at least logging a warning when the input exceeds the expected length.

Proposed improvement

-        if (body.length > 64) hex = '0x' + body.slice(-64);
+        if (body.length > 64) {
+            console.warn(`  ⚠️  _normalizeMessageHex: input hex body is ${body.length} chars, expected ≤64; truncating`);
+            hex = '0x' + body.slice(-64);
+        }

scripts/sanity/guard-controller/erc20-mint-controller-tests.cjs (1)

435-441: Duplicated hex normalization logic — consider extracting to a shared utility.

This block replicates the same normalization pattern found in _normalizeMessageHex in scripts/sanity/utils/eip712-signing.cjs (lines 107–123). If the normalization logic needs to change, both locations must be updated in sync.

scripts/sanity/guard-controller/base-test.cjs (2)

826-853: The result destructuring logic is difficult to follow and fragile.

Lines 826–833 chain multiple ?? and && operators across nested tuples. This works but is hard to reason about and maintain. A clearer approach would be to extract the decoded tuple once and access named fields directly.

Suggested simplification

-        const single = decoded.__length__ === 1;
-        const result = single ? decoded[0] : decoded;
-        const tuple = result && (result.txRecord !== undefined || result[0] !== undefined) ? result : (single ? decoded : result);
-        const msg = (tuple && (tuple.message ?? tuple[2])) ?? (result && (result.message ?? result[2]));
-        const sig = (tuple && (tuple.signature ?? tuple[3])) ?? (result && (result.signature ?? result[3]));
-        const dat = (tuple && (tuple.data ?? tuple[4])) ?? (result && (result.data ?? result[4]));
-        const txRecord = (tuple && (tuple.txRecord ?? tuple[0])) ?? (result && (result.txRecord ?? result[0]));
-        const params = (tuple && (tuple.params ?? tuple[1])) ?? (result && (result.params ?? result[1]));
+        // decodeParameters wraps a single output tuple at index 0
+        const mt = decoded.__length__ === 1 ? decoded[0] : decoded;
+        const txRecord = mt.txRecord ?? mt[0];
+        const params   = mt.params   ?? mt[1];
+        const msg      = mt.message  ?? mt[2];
+        const sig      = mt.signature ?? mt[3];
+        const dat      = mt.data     ?? mt[4];

---

11-52: Global monkey-patching of web3-eth-abi is a pragmatic but risky workaround.

This patch applies globally and could silently coerce legitimate short type strings (though unlikely). The try/catch and logging are good safeguards. Consider adding a comment noting this should be removed once the upstream ABI enum metadata issue is resolved.

contracts/examples/applications/CopyBlox/CopyBlox.sol (1)

246-246: Prefer custom error over string revert for gas efficiency and consistency.

Line 246 uses require with a string message. The rest of the contract (and codebase) uses custom errors from SharedValidation. This should follow the same pattern.

♻️ Proposed fix

-        require(_clones.contains(msg.sender), "CopyBlox: Only clones can forward events");
+        if (!_clones.contains(msg.sender)) {
+            revert SharedValidation.NoPermission(msg.sender);
+        }

As per coding guidelines, "Prefer custom errors over string reverts for gas efficiency and clarity".

contracts/experimental/hook/interface/IOnActionHook.sol (1)

14-21: Consider using calldata instead of memory for the txRecord parameter.

Since onAction is an external function and the txRecord is read-only input, using calldata avoids an unnecessary memory copy and saves gas on every hook invocation.

⛽ Proposed optimization

-    function onAction(EngineBlox.TxRecord memory txRecord) external;
+    function onAction(EngineBlox.TxRecord calldata txRecord) external;

scripts/sanity-sdk/guard-controller/run-tests.ts (1)

160-163: padEnd(15) is too narrow for 'erc20-mint-controller' (22 chars).

The suite name will not be padded, causing misaligned output in the final results table. Consider increasing to padEnd(25) or similar.

Proposed fix

-      console.log(`  ${suiteName.padEnd(15)} ${status}`);
+      console.log(`  ${suiteName.padEnd(25)} ${status}`);

contracts/core/base/BaseStateMachine.sol (1)

295-309: _setHook and _clearHook emit identical event payloads — set and clear are indistinguishable to indexers.

Both functions call _logComponentEvent(abi.encode(functionSelector, hook)). Since msg.sig will differ (the caller's public function selector), this may be disambiguated at the ComponentEvent level if the public callers have distinct selectors. However, if both setHook and clearHook share the same msg.sig context (e.g., called from the same batch handler), there is no way to tell them apart.

Consider encoding a boolean or action type in the payload to make the events self-describing:

📝 Suggested fix

 function _setHook(bytes4 functionSelector, address hook) internal {
     EngineBlox.addTargetToFunctionHooks(_getSecureState(), functionSelector, hook);
-    _logComponentEvent(abi.encode(functionSelector, hook));
+    _logComponentEvent(abi.encode(functionSelector, hook, true));
 }

 function _clearHook(bytes4 functionSelector, address hook) internal {
     EngineBlox.removeTargetFromFunctionHooks(_getSecureState(), functionSelector, hook);
-    _logComponentEvent(abi.encode(functionSelector, hook));
+    _logComponentEvent(abi.encode(functionSelector, hook, false));
 }

scripts/sanity-sdk/guard-controller/erc20-mint-controller-tests.ts (3)

135-154: Duplicated wallet-name-by-address lookup pattern.

The pattern of finding a wallet name via Object.keys(this.wallets).find(k => this.wallets[k].address.toLowerCase() === ...) is repeated at least 5 times across this file (Lines 137–139, 151–153, 201–204, 207–209, 325–327). Extract a helper like getWalletName(address: Address): string in the base class or locally.

---

344-360: Best-effort assertion masks real failures.

When requestAndApproveExecution reverts (Line 348), the catch block logs a warning but then asserts true (Line 359), making the test always pass regardless of outcome. This means SDK regressions in the mint flow will go undetected.

If intentional for environment-specific reasons, consider at minimum recording the failure count separately or using a "soft failure" counter so the suite summary reflects reality.

---

279-283: Hardcoded wallet indices (wallet3, wallet4) are fragile.

These should ideally be resolved by role (e.g., MINT_REQUESTOR, MINT_APPROVER) similar to how getRoleWallet('owner') is used elsewhere, to avoid breaking if the wallet configuration changes.

contracts/core/execution/interface/IGuardController.sol (1)

83-141: Inconsistent named vs unnamed return parameters.

executeWithTimeLock (Line 52) and executeWithPayment (Line 74) use a named return uint256 txId, while the remaining functions (approveTimeLockExecution Line 86, cancelTimeLockExecution Line 98, etc.) use an unnamed uint256. Consider using named returns consistently across the interface for clarity.

contracts/examples/applications/SimpleVault/SimpleVault.sol (1)

189-192: String revert should be replaced with a custom error.

Line 191 uses require(success, "ETH transfer failed") which is less gas-efficient than a custom error. As per coding guidelines, "Prefer custom errors over string reverts for gas efficiency and clarity."

📝 Suggested fix

 function _withdrawEth(address payable to, uint256 amount) internal {
     (bool success, ) = to.call{value: amount}("");
-    require(success, "ETH transfer failed");
+    if (!success) revert SharedValidation.NotSupported();
     emit EthWithdrawn(to, amount);
 }

Ideally, introduce a more descriptive custom error (e.g., EthTransferFailed()) rather than reusing NotSupported.

contracts/core/lib/EngineBlox.sol (2)

648-654: Double external balanceOf call on revert path wastes gas.

erc20Token.balanceOf(address(this)) is called at Line 652 for the check and again at Line 653 inside the revert. Cache the balance to avoid the redundant external call.

♻️ Proposed fix

         if (payment.erc20TokenAmount > 0) {
             SharedValidation.validateNotZeroAddress(payment.erc20TokenAddress);
             
             IERC20 erc20Token = IERC20(payment.erc20TokenAddress);
-            if (erc20Token.balanceOf(address(this)) < payment.erc20TokenAmount) {
-                revert SharedValidation.InsufficientBalance(erc20Token.balanceOf(address(this)), payment.erc20TokenAmount);
+            uint256 erc20Balance = erc20Token.balanceOf(address(this));
+            if (erc20Balance < payment.erc20TokenAmount) {
+                revert SharedValidation.InsufficientBalance(erc20Balance, payment.erc20TokenAmount);
             }

---

1742-1762: generateUnsignedForNewMetaTx uses _noPayment() — no mechanism to generate unsigned meta-transactions with payment.

If payment-bearing meta-transactions are intended (per txRequestWithPayment), callers need a way to generate unsigned meta-transactions that include payment details. Currently, generateUnsignedForNewMetaTx always uses _noPayment(), so any off-chain tooling would need to manually construct the payment-bearing variant.

Consider whether a generateUnsignedForNewMetaTxWithPayment(...) helper is needed, or document that payment-bearing meta-transactions must be assembled off-chain.

contracts/core/security/interface/ISecureOwnable.sol (1)

18-20: Minor inconsistency: some return values are named txId while others are unnamed.

transferOwnershipRequest (Line 20) and updateBroadcasterRequest (Line 58) name their return value txId, while all other functions (Lines 27, 34, 41, 48, 65, 72, 79, 86, 95, 104) return an anonymous uint256. Consider making this consistent—either all named or all unnamed—for interface clarity.

Also applies to: 56-58

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's locate and examine the ABI file
find . -name "SimpleRWA20.abi.json" -type f

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 148

---

🏁 Script executed:

# Check the structure and size of the ABI file
wc -l abi/SimpleRWA20.abi.json 2>/dev/null || find . -name "SimpleRWA20.abi.json" -exec wc -l {} \;

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 109

---

🏁 Script executed:

# Examine the specific lines mentioned in the review to verify the return type changes
# Lines 2097-2101 (first snippet in comment)
head -2101 abi/SimpleRWA20.abi.json | tail -20

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 564

---

🏁 Script executed:

# Check lines 2116-2121
head -2121 abi/SimpleRWA20.abi.json | tail -20

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 446

---

🏁 Script executed:

# Search for TypeScript/SDK files that might reference the old return types
rg -l '\.(ts|js)$' --type=text -g '!node_modules' -g '!dist' -g '!build' | head -20

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 108

---

🏁 Script executed:

# Let's check more of the specified line ranges to verify consistency
# Lines 2300-2341
head -2341 abi/SimpleRWA20.abi.json | tail -100 | grep -A5 "\"outputs\""

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 431

---

🏁 Script executed:

# Check for getTransaction function and its return type
rg -A10 '"name": "getTransaction"' abi/SimpleRWA20.abi.json

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 331

---

🏁 Script executed:

# Search for TypeScript/SDK files properly
find . -type f \( -name "*.ts" -o -name "*.js" \) -not -path "*/node_modules/*" -not -path "*/dist/*" -not -path "*/build/*" | head -30

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 1616

---

🏁 Script executed:

# Search for references to the mentioned functions in TypeScript files
find . -type f \( -name "*.ts" -o -name "*.js" \) -not -path "*/node_modules/*" -not -path "*/dist/*" -not -path "*/build/*" -exec grep -l "transferOwnershipApprovalWithMetaTx\|transferOwnershipCancellation\|updateBroadcasterRequest\|mintWithMetaTx\|burnWithMetaTx" {} \;

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 270

---

🏁 Script executed:

# Examine the TypeScript test files to see how they handle the return values
cat -n ./scripts/sanity-sdk/secure-ownable/ownership-transfer-tests.ts | head -100

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 5335

---

🏁 Script executed:

# Search for function call patterns in the test files
rg -n "transferOwnershipApprovalWithMetaTx|transferOwnershipCancellation" ./scripts/sanity-sdk/secure-ownable/ownership-transfer-tests.ts -A5 -B2

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 2554

---

🏁 Script executed:

# Check meta-tx-execution-tests for how it uses these functions
rg -n "mintWithMetaTx\|burnWithMetaTx" ./scripts/sanity-sdk/secure-ownable/meta-tx-execution-tests.ts -A5 -B2

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 62

---

🏁 Script executed:

# Verify the complete return type for getTransaction
rg -A30 '"name": "getTransaction"' abi/SimpleRWA20.abi.json | grep -A30 "outputs"

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 849

---

🏁 Script executed:

# Check all the line ranges mentioned to ensure uint256 is consistent
# Lines 2515-2768, 2946-2954, 3129-3136, 3390-3398, 3573-3582
for lines in "2515-2768" "2946-2954" "3129-3136" "3390-3398" "3573-3582"; do
  start=$(echo $lines | cut -d- -f1)
  end=$(echo $lines | cut -d- -f2)
  echo "=== Lines $lines ==="
  head -$end abi/SimpleRWA20.abi.json | tail -$((end - start + 1)) | grep -A5 '"outputs"' | head -20
done

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 1011

---

🏁 Script executed:

# Check the SDK TypeScript definition files mentioned earlier
cat ./sdk/typescript/lib/definitions/SecureOwnableDefinitions.ts | head -150

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 1041

---

🏁 Script executed:

# Search for mintWithMetaTx and burnWithMetaTx in all TypeScript files
rg -r "mintWithMetaTx\|burnWithMetaTx" --type ts

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 476

---

🏁 Script executed:

# Check if there are integration tests for mint/burn operations
find . -type f -name "*mint*test*" -o -name "*burn*test*" | grep -E "\.(ts|js)$"

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 148

---

🏁 Script executed:

# Examine the complete structure of the mentioned functions to verify they all have uint256 returns
rg -B5 '"name": "(transferOwnershipApprovalWithMetaTx|transferOwnershipCancellation|updateBroadcasterRequest|mintWithMetaTx|burnWithMetaTx)"' abi/SimpleRWA20.abi.json | grep -A7 '"outputs"'

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 62

---

🏁 Script executed:

# Search directly in the ABI file for the function names mentioned
rg "mintWithMetaTx|burnWithMetaTx|updateBroadcasterRequest" abi/SimpleRWA20.abi.json

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 179

---

🏁 Script executed:

# Let's look at all functions in the ABI that have "WithMetaTx" in the name
rg '"name": ".*WithMetaTx"' abi/SimpleRWA20.abi.json

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 351

---

🏁 Script executed:

# Check the meta-tx-execution-tests file more directly for mint/burn references
cat ./scripts/sanity-sdk/secure-ownable/meta-tx-execution-tests.ts | grep -n "mint\|burn" -i

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 62

---

🏁 Script executed:

# Look for any tests related to mint/burn functionality
find ./scripts -type f -name "*.ts" -exec grep -l "mint\|burn" {} \; | grep -v node_modules

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 247

---

🏁 Script executed:

# Examine how the SDK is using return values from these meta-transaction functions
rg "await.*\.(transferOwnershipApprovalWithMetaTx|transferOwnershipCancellation)" scripts/sanity-sdk/ -A3

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 2651

---

Confirm ABI return type changes are consistent, but verify mint/burn test coverage.

Return type simplification from struct to uint256 (txId) is applied uniformly across all ownership, broadcaster, and meta-transaction mutating functions in the ABI. This is a breaking change for any consumers destructuring the old struct returns.

Verified: Ownership transfer and broadcaster tests in scripts/sanity-sdk/secure-ownable/ have been updated to handle the new scalar returns. Callers correctly retrieve full transaction details via getTransaction(txId), which continues to return the full TxRecord struct.

Gap: mintWithMetaTx and burnWithMetaTx are updated in the ABI with uint256 returns, but integration tests for these functions are not present in the sanity-sdk test suite. Confirm mint/burn meta-transaction test coverage exists or create tests to match the ownership/broadcaster test pattern.

🤖 Prompt for AI Agents

In `@abi/SimpleRWA20.abi.json` around lines 2097 - 2101, The ABI changed
mintWithMetaTx and burnWithMetaTx to return uint256 txId instead of a struct;
add or update integration tests in the sanity-sdk test suite (mirroring the
existing pattern in scripts/sanity-sdk/secure-ownable/) to call mintWithMetaTx
and burnWithMetaTx, assert they return a txId (uint256), then fetch full details
with getTransaction(txId) and validate the returned TxRecord fields; update any
test helpers or assertions that previously expected a destructured struct from
mint/burn to use txId + getTransaction instead.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Reverting hook can DOS all transactions for an execution selector.

_executeActionHooks calls each hook without try/catch. If any registered hook reverts (due to a bug, out-of-gas, or malicious behavior), the entire parent transaction (request, approve, cancel) will revert. This contradicts the NatSpec at Line 20 which describes hooks as "best-effort."

Since the owner controls hook registration, the blast radius is somewhat contained, but a previously-good hook that later becomes upgradeable-and-malicious or runs out of gas would block all operations for that selector.

Consider wrapping the external call in try/catch if hooks should truly be best-effort, or updating the NatSpec to clearly state that hooks are mandatory and can block operations:

📝 Option A: True best-effort with try/catch

 for (uint256 i = 0; i < length; i++) {
     address hook = hooks.at(i);
-    IOnActionHook(hook).onAction(txRecord);
+    try IOnActionHook(hook).onAction(txRecord) {} catch {}
 }

📝 Option B: Update NatSpec to reflect actual behavior

- * - Hooks are best-effort: if no hook is configured, nothing happens
+ * - If no hook is configured, nothing happens
+ * - Configured hooks are mandatory: a reverting hook will revert the parent transaction

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function _executeActionHooks(
	EngineBlox.TxRecord memory txRecord
	) internal {
	EngineBlox.SecureOperationState storage state = _getSecureState();
	EnumerableSet.AddressSet storage hooks = state.functionTargetHooks[functionSelector];
	bytes4 executionSelector = txRecord.params.executionSelector;
	EnumerableSet.AddressSet storage hooks = state.functionTargetHooks[executionSelector];
	uint256 length = hooks.length();
	for (uint256 i = 0; i < length; i++) {
	address hook = hooks.at(i);
	IOnActionHook(hook).onRequestAndApprove(txRecord, metaTx, caller);
	IOnActionHook(hook).onAction(txRecord);
	}
	}
	function _executeActionHooks(
	EngineBlox.TxRecord memory txRecord
	) internal {
	EngineBlox.SecureOperationState storage state = _getSecureState();
	bytes4 executionSelector = txRecord.params.executionSelector;
	EnumerableSet.AddressSet storage hooks = state.functionTargetHooks[executionSelector];
	uint256 length = hooks.length();
	for (uint256 i = 0; i < length; i++) {
	address hook = hooks.at(i);
	try IOnActionHook(hook).onAction(txRecord) {} catch {}
	}
	}

🤖 Prompt for AI Agents

In `@contracts/experimental/hook/HookManager.sol` around lines 68 - 80, The
_executeActionHooks function currently calls
IOnActionHook(hook).onAction(txRecord) directly, which allows any reverting hook
to block the whole transaction; change it to treat hooks as best-effort by
wrapping each external call in a try/catch around
IOnActionHook(hook).onAction(txRecord) so a failing hook is caught, does not
revert the loop, and you continue to the next hook; in the catch path, emit or
log a new event (e.g., HookExecutionFailed with hook address, executionSelector,
and error) so failures are observable; keep the rest of the loop and state usage
(EngineBlox.TxRecord, executionSelector, state.functionTargetHooks) unchanged.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Best-effort assertions mean this test can never fail on verification, reducing its value.

Steps 2 and 3 always call this.assertTest(true, ...) regardless of the actual result, so SDK-specific whitelist read bugs will be silently ignored. Meanwhile, Step 5 (testStep5VerifyTargetRemoved, line 463) asserts strictly on the same kind of check — inconsistent failure modes within the same test suite.

If the intent is truly best-effort, consider at minimum logging the discrepancy at a higher severity or tracking it as a soft failure in test results. Otherwise, the verification steps are no-ops.

🤖 Prompt for AI Agents

In `@scripts/sanity-sdk/guard-controller/whitelist-tests.ts` around lines 286 -
304, The current whitelist verification always calls this.assertTest(true, ...)
in both branches so SDK read failures are ignored; update the logic in the block
that reads isWhitelisted/expectedIsWhitelisted so that when they match you keep
the passing assertion (this.assertTest(true, ...)) and when they differ you log
at error/warn level and surface a failure instead of silently passing — either
call this.assertTest(false, `Target whitelist verification failed: expected
${expectedIsWhitelisted}, actual ${isWhitelisted}`) or, if your framework
supports soft failures, call the soft-failure helper (e.g.,
this.recordSoftFailure(...) ) so the discrepancy is recorded while preserving
suite flow; ensure references to isWhitelisted, expectedIsWhitelisted,
this.assertTest, and testStep5VerifyTargetRemoved are used to locate and align
behavior with the strict check in testStep5VerifyTargetRemoved.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Decode error recovery silently returns receipt as if the call succeeded.

When sendTransactionWithValue catches an ABI decode error (e.g., INVALID_ARGUMENT), it returns the raw receipt. Callers expecting a decoded return value (with events, return data, etc.) will get a plain receipt object instead, which could cause subtle downstream issues if they access properties that only exist on the web3 contract result wrapper.

🤖 Prompt for AI Agents

In `@scripts/sanity/guard-controller/base-test.cjs` around lines 627 - 647, The
current decode-recovery branch in sendTransactionWithValue silently returns a
raw receipt (variable receipt) when isDecodeError is true, which breaks callers
expecting a decoded contract result; instead, stop returning the raw receipt
directly and surface the situation to callers by attaching the receipt to an
error or returning a standardized result shape. Modify the
sendTransactionWithValue logic where receipt is obtained (the isDecodeError
branch) so that you either (A) rethrow the original decode error after adding a
property like error.receipt = receipt and a clear message, or (B) return a
consistent object (e.g., { success: true, receipt, decoded: null, decodeError:
<errorInfo> }) so callers can handle it deterministically; ensure you update any
calling sites if you choose the result-shape approach and reference
sendTransactionWithValue, isDecodeError, and the receipt variable when making
the change.

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

contracts/examples/applications/PayBlox/PayBlox.sol (1)

178-186: ⚠️ Potential issue | 🟠 Major

PaymentExecuted event emits only nativeTokenAmount, ignoring ERC20 payments.

requestWithPayment (Line 155) correctly uses a ternary to pick between nativeTokenAmount and erc20TokenAmount, but approvePaymentAfterDelay always emits nativeTokenAmount. For an ERC20 payment, the logged amount will be 0, silently losing accounting data. The same issue exists in cancelPayment at Line 208.

Proposed fix

             emit PaymentExecuted(
                 txId,
                 record.paymentDetails.recipient,
-                record.paymentDetails.nativeTokenAmount,
+                record.paymentDetails.nativeTokenAmount > 0
+                    ? record.paymentDetails.nativeTokenAmount
+                    : record.paymentDetails.erc20TokenAmount,
                 block.timestamp
             );

Apply the same fix in cancelPayment:

             emit PaymentCancelled(
                 txId,
                 record.paymentDetails.recipient,
-                record.paymentDetails.nativeTokenAmount,
+                record.paymentDetails.nativeTokenAmount > 0
+                    ? record.paymentDetails.nativeTokenAmount
+                    : record.paymentDetails.erc20TokenAmount,
                 block.timestamp
             );

contracts/core/security/SecureOwnable.sol (1)

36-40: ⚠️ Potential issue | 🟠 Major

Add __gap array to preserve storage layout in upgradeable contracts.

_hasOpenRequest is a new storage variable in an upgradeable abstract contract. BaseStateMachine (the parent) and SecureOwnable both lack __gap arrays. This violates the coding guideline requiring storage layout preservation through __gap arrays in upgradeable contracts and risks storage slot collisions during future upgrades in child contracts like SecureBlox, SimpleVault, GuardianSafe, and PayBlox.

scripts/sanity/guard-controller/base-test.cjs (1)

1425-1428: ⚠️ Potential issue | 🟡 Minor

Use consistent send strategy for both guardConfigBatchRequestAndApprove and roleConfigBatchRequestAndApprove.

Both methods return uint256 txId, but executeRoleConfigBatch uses sendTransactionReceiptOnly (line 1115) to bypass ABI decoding, while executeGuardConfigBatch uses sendTransaction (line 1425) which attempts decoding and relies on the fallback mechanism in sendTransactionWithValue. For consistency and clarity, both should use sendTransactionReceiptOnly to avoid decode attempts entirely.

🤖 Fix all issues with AI agents

In `@contracts/experimental/hook/HookManager.sol`:
- Around line 59-61: The clearHook function currently calls _clearHook but does
not emit an event like setHook does; ensure off-chain observability by emitting
a HookCleared (or similarly named) event when a hook is removed unless
_clearHook already emits it—inspect _clearHook implementation and either add an
event emission after calling _clearHook in clearHook or move/ensure the event is
emitted inside _clearHook; reference the clearHook, _clearHook, and setHook
symbols when making the change so the behavior matches setHook's event semantics
and includes functionSelector and hook in the event payload.
- Around line 48-51: Add explicit zero-address validation and emit a specific
HookSet event when registering hooks: in setHook(bytes4 functionSelector,
address hook) call SharedValidation.validateNotZeroAddress(hook) before invoking
_setHook (to enforce the NatSpec "zero address not allowed (use clearHook to
remove)"), and update the hook registration flow to emit a HookSet event (e.g.,
event HookSet(bytes4 indexed selector, address indexed hook)) from _setHook or
immediately after calling _setHook instead of relying only on _logComponentEvent
so the state change is recorded with a dedicated event; ensure the event
signature and emission use the function selector and hook address.

In `@scripts/sanity-sdk/guard-controller/erc20-mint-controller-tests.ts`:
- Around line 350-362: The catch in requestAndApproveExecution currently
swallows failures by calling this.assertTest(true); instead, add a soft-failure
counter (e.g. this.softFailureCount = 0) on the test instance, increment it
inside the catch in requestAndApproveExecution (and keep the warning logs), and
remove the unconditional this.assertTest(true) there; then update
step3VerifyBalanceIncrease to check if this.softFailureCount > 0 and call
this.assertTest(false, 'Previous SDK execution failed — soft failures detected;
skip/flag subsequent balance checks') so CI surfaces the issue (or alternatively
fail immediately by asserting false in the catch if you prefer immediate
failure).

In `@scripts/sanity-sdk/guard-controller/whitelist-tests.ts`:
- Around line 148-159: The final assertion unconditionally calls
this.assertTest(true, ...) even when the transaction reverted; update the check
to assert based on the transaction receipt status (e.g.,
this.assertTest(receipt.status === 'success', `Function selector
${this.NATIVE_TRANSFER_SELECTOR} registration tx ${receipt.status}`)) and
include the functionSchemaExists result in the message or logs so the test only
passes when receipt.status indicates success and still reports the isRegistered
warning when appropriate.

🧹 Nitpick comments (9)

scripts/sanity-sdk/guard-controller/erc20-mint-controller-tests.ts (3)

135-153: Wallet-name resolution is copy-pasted across every step.

The Object.keys(this.wallets).find(k => ...) lookup appears in step0 (lines 136-139, 151-153), step1 (201-204, 207-209), step2 (327-329), and the equivalent pattern in whitelist-tests.ts. Extract a helper in the base class (e.g., getWalletName(role: string): string) to eliminate the duplication.

Example helper in BaseGuardControllerTest

protected getWalletNameForRole(role: 'owner' | 'broadcaster' | 'recovery'): string {
  const roleWallet = this.getRoleWallet(role);
  return Object.keys(this.wallets).find(
    (k) => this.wallets[k].address.toLowerCase() === roleWallet.address.toLowerCase()
  ) ?? 'wallet1';
}

---

58-82: Unvalidated Address casts on user-supplied / file-sourced strings.

Lines 63, 80 cast raw strings to Address without verifying they are valid checksummed (or even hex) addresses. If the env var or JSON file contains a malformed value, the error will surface much later as an obscure RPC failure.

Use viem's isAddress or getAddress (which normalises + checksums) to fail fast:

Suggested fix

+import { getAddress } from 'viem';
 ...
     const envAddr = process.env.BASICERC20_ADDRESS;
     if (envAddr) {
-      this.basicErc20Address = envAddr as Address;
+      this.basicErc20Address = getAddress(envAddr);
       return this.basicErc20Address;
     }
 ...
-    this.basicErc20Address = info.address as Address;
+    this.basicErc20Address = getAddress(info.address);

As per coding guidelines, "Validate presence of wallet client and handle async contract calls using typed methods, returning typed results".

---

91-108: Inline ABI definition re-created on every call; balance cast to bigint loses type safety.

ERC20_BALANCE_OF_ABI is a constant—hoist it to module scope so it is allocated once. Also, viem's readContract already infers the return type from the ABI; the explicit as bigint cast on line 108 circumvents that inference.

Suggested change

+const ERC20_BALANCE_OF_ABI = [
+  {
+    name: 'balanceOf',
+    type: 'function' as const,
+    stateMutability: 'view' as const,
+    inputs: [{ name: 'account', type: 'address' as const }],
+    outputs: [{ type: 'uint256' as const }],
+  },
+] as const;
+
 ...
   private async readAccountBloxBasicBalance(): Promise<bigint> {
     ...
-    const ERC20_BALANCE_OF_ABI = [ ... ] as const;
-
     const balance = await this.publicClient.readContract({
       address: token,
       abi: ERC20_BALANCE_OF_ABI,
       functionName: 'balanceOf',
       args: [accountBlox],
     });
-    return balance as bigint;
+    return balance;
   }

contracts/examples/applications/PayBlox/PayBlox.sol (2)

233-240: Unbounded loop in getPaymentRecords — consider documenting or capping txIds.length.

A very large txIds array could exceed the block gas limit. Since this is a view function it won't cost gas when called off-chain, but on-chain callers could hit issues. This is low-risk for the current use case but worth a NatSpec note.

---

116-119: Public state-changing functions should apply nonReentrant modifier.

requestWithPayment, approvePaymentAfterDelay, and cancelPayment are public functions that modify contract state. Although PayBlox inherits ReentrancyGuard through its parent BaseStateMachine, these public functions lack explicit nonReentrant protection. Apply the modifier to each function entry point for defense-in-depth and guideline compliance:

function requestWithPayment(...) public nonReentrant returns (uint256 txId) {
function approvePaymentAfterDelay(uint256 txId) public nonReentrant returns (uint256) {
function cancelPayment(uint256 txId) public nonReentrant returns (uint256) {

scripts/sanity/guard-controller/base-test.cjs (4)

206-208: Incomplete normalization for non-"u" invalid types.

Line 206 detects types that are too short or don't match known Solidity type prefixes, but line 207 only corrects types starting with 'u'. Other invalid types (e.g., "e", "ab") pass through uncorrected. If the intent of line 206's broader condition is to catch all malformed types, consider falling through to uint8 for all matches, not just 'u'-prefixed ones.

Suggested fix

-                if (key === 'type' && typeof val === 'string' && (val.length < 3 || val === 'u' || !/^(u?int|address|bool|bytes|string|tuple)/.test(val))) {
-                    if (val === 'u' || (val.length <= 2 && val.startsWith('u'))) val = 'uint8';
+                if (key === 'type' && typeof val === 'string' && (val.length < 3 || val === 'u' || !/^(u?int|address|bool|bytes|string|tuple)/.test(val))) {
+                    val = 'uint8';
                 }

---

513-517: Silent gas estimation fallback masks reverts.

When estimateGas fails (often because the transaction would revert), the code silently falls back to 500,000 gas. This sends a transaction that is likely to fail on-chain, wasting gas and producing a confusing revert instead of a clear pre-flight error. At minimum, log the estimation failure; better yet, only fall back for non-revert errors.

Suggested improvement

         try {
             gas = await this.web3.eth.estimateGas({ from, to: this.contractAddress, data, value });
         } catch (e) {
-            gas = 500000;
+            console.warn(`  ⚠️  Gas estimation failed (${e.message}), using fallback of 500000`);
+            gas = 500000;
         }

---

827-853: Fragile and opaque tuple extraction logic.

Lines 827–834 use deeply nested ternaries and ?? chains across both named and indexed access patterns, making this very difficult to reason about or debug. For example, line 829's condition (result && (result.txRecord !== undefined || result[0] !== undefined) ? result : ...) appears to almost always resolve to result, making the branch effectively dead code.

Consider simplifying by establishing a single canonical access pattern (named properties first, indexed fallback) and extracting it into a small helper, rather than repeating the ?? chain for every field.

---

1348-1381: Debug statements left in shared test utility.

process.stderr.write (lines 1348, 1354, 1363) and console.log (line 1381) with [DEBUG] prefixes will pollute output for all test consumers. Similarly, callContractMethod at lines 664-665 logs every call. Consider gating behind a DEBUG env flag or removing.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

echo "=== Searching for _setHook implementation ==="
rg -n -C7 'function _setHook' -g '*.sol'

echo ""
echo "=== Searching for _clearHook implementation ==="
rg -n -C7 'function _clearHook' -g '*.sol'

echo ""
echo "=== Searching for HookSet or HookCleared events ==="
rg -n 'event Hook(Set|Cleared)' -g '*.sol'
rg -n 'emit Hook' -g '*.sol'

echo ""
echo "=== Full HookManager.sol file ==="
fd 'HookManager.sol' -x wc -l {} \; 2>/dev/null
fd 'HookManager.sol' -x head -100 {} \; 2>/dev/null

echo ""
echo "=== Search for ZeroAddress in SharedValidation ==="
fd 'SharedValidation.sol' -x cat {}

Repository: PracticalParticle/Bloxchain-Protocol

Length of output: 27180

---

Missing zero-address validation and event emission for hook registration.

Two issues confirmed:

1. No zero-address check on hook: If address(0) is registered, any call to IOnActionHook(address(0)).onAction() reverts, bricking all transactions for that selector. _setHook lacks validation, and setHook does not call SharedValidation.validateNotZeroAddress() despite it being available.

2. No event emitted for critical state change: _setHook uses only generic _logComponentEvent() instead of emitting specific HookSet events. The coding guidelines mandate event emission for critical state changes. The NatSpec comment in setHook states "zero address not allowed (use clearHook to remove)" but provides no enforcement.

Add zero-address validation and emit a specific event:

Proposed fix

+    event HookSet(bytes4 indexed functionSelector, address indexed hook);
+
     function setHook(bytes4 functionSelector, address hook) external {
         SharedValidation.validateOwner(owner());
+        SharedValidation.validateNotZeroAddress(hook);
         _setHook(functionSelector, hook);
+        emit HookSet(functionSelector, hook);
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function setHook(bytes4 functionSelector, address hook) external {
	SharedValidation.validateOwner(owner());
	SharedValidation.validateNotZeroAddress(hook);
	EngineBlox.addTargetToFunctionHooks(_getSecureState(), functionSelector, hook);
	emit HookSet(functionSelector, hook);
	_setHook(functionSelector, hook);
	}
	event HookSet(bytes4 indexed functionSelector, address indexed hook);
	function setHook(bytes4 functionSelector, address hook) external {
	SharedValidation.validateOwner(owner());
	SharedValidation.validateNotZeroAddress(hook);
	_setHook(functionSelector, hook);
	emit HookSet(functionSelector, hook);
	}

🤖 Prompt for AI Agents

In `@contracts/experimental/hook/HookManager.sol` around lines 48 - 51, Add
explicit zero-address validation and emit a specific HookSet event when
registering hooks: in setHook(bytes4 functionSelector, address hook) call
SharedValidation.validateNotZeroAddress(hook) before invoking _setHook (to
enforce the NatSpec "zero address not allowed (use clearHook to remove)"), and
update the hook registration flow to emit a HookSet event (e.g., event
HookSet(bytes4 indexed selector, address indexed hook)) from _setHook or
immediately after calling _setHook instead of relying only on _logComponentEvent
so the state change is recorded with a dedicated event; ensure the event
signature and emission use the function selector and hook address.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

clearHook also missing event emission.

Same concern as setHook — hook removal is a critical state change that should emit an event for off-chain observability. If _clearHook handles this internally, disregard.

Proposed fix (if not handled by _clearHook)

+    event HookCleared(bytes4 indexed functionSelector, address indexed hook);
+
     function clearHook(bytes4 functionSelector, address hook) external {
         SharedValidation.validateOwner(owner());
         _clearHook(functionSelector, hook);
+        emit HookCleared(functionSelector, hook);
     }

As per coding guidelines, "Emit events for critical state changes (e.g., funds locked, operations requested/approved)".

🤖 Prompt for AI Agents

In `@contracts/experimental/hook/HookManager.sol` around lines 59 - 61, The
clearHook function currently calls _clearHook but does not emit an event like
setHook does; ensure off-chain observability by emitting a HookCleared (or
similarly named) event when a hook is removed unless _clearHook already emits
it—inspect _clearHook implementation and either add an event emission after
calling _clearHook in clearHook or move/ensure the event is emitted inside
_clearHook; reference the clearHook, _clearHook, and setHook symbols when making
the change so the behavior matches setHook's event semantics and includes
functionSelector and hook in the event payload.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Best-effort catch swallows execution failures and unconditionally passes the test.

When requestAndApproveExecution reverts, the catch block logs a warning but calls this.assertTest(true, ...), so the test can never fail. This cascades into step3VerifyBalanceIncrease (line 389-397) where the balance mismatch is also silently marked as passed. Together, steps 2 + 3 become no-ops that provide zero regression signal for the SDK mint path.

Consider at minimum introducing a soft-failure / warning counter so CI can surface these, or assert false and let the caller decide whether to skip the suite:

Suggested approach

       } catch (execError: any) {
         console.warn('  ⚠️  Mint meta-transaction execution via SDK reverted or failed during simulation.');
         console.warn(
           `     Details: ${execError?.message || execError}`
         );
-        console.warn(
-          '     Treating this as a best-effort execution check for the SDK wrapper. ' +
-          'Core CJS sanity tests validate the full GuardController mint flow (roles, permissions, and balance change).'
-        );
-        this.assertTest(true, 'Mint meta-transaction treated as best-effort (SDK helper)');
+        this.recordSoftFailure('Mint meta-transaction reverted (SDK best-effort)', execError?.message);
       }

🤖 Prompt for AI Agents

In `@scripts/sanity-sdk/guard-controller/erc20-mint-controller-tests.ts` around
lines 350 - 362, The catch in requestAndApproveExecution currently swallows
failures by calling this.assertTest(true); instead, add a soft-failure counter
(e.g. this.softFailureCount = 0) on the test instance, increment it inside the
catch in requestAndApproveExecution (and keep the warning logs), and remove the
unconditional this.assertTest(true) there; then update
step3VerifyBalanceIncrease to check if this.softFailureCount > 0 and call
this.assertTest(false, 'Previous SDK execution failed — soft failures detected;
skip/flag subsequent balance checks') so CI surfaces the issue (or alternatively
fail immediately by asserting false in the catch if you prefer immediate
failure).

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

scripts/sanity-sdk/guard-controller/whitelist-tests.ts (2)

172-240: ⚠️ Potential issue | 🟠 Major

testStep1AddTargetToWhitelist asserts success without checking receipt status.

Line 235 calls this.assertTest(true, ...) unconditionally after result.wait(). If receipt.status indicates failure (logged on Line 224 but not acted upon), the test still passes. This is the same pattern that was fixed in testStep0RegisterFunction (Lines 159–165) but wasn't applied here.

Proposed fix

-      this.assertTest(true, `Target ${this.testTarget} added to whitelist successfully`);
+      const status = receipt.status as string | number;
+      const txSucceeded = status === 'success' || status === 1 || String(status) === '1';
+      this.assertTest(txSucceeded, `Target ${this.testTarget} added to whitelist (status: ${receipt.status})`);

---

370-431: ⚠️ Potential issue | 🟠 Major

Same issue in testStep4RemoveTargetFromWhitelist — receipt status not checked.

Line 427 asserts true without gating on receipt.status. Apply the same fix as in testStep0RegisterFunction.

Proposed fix

+      const receipt = await result.wait();
       console.log('  ✅ Target removed from whitelist successfully');
       console.log(`     Transaction Hash: ${result.hash}`);
+      const status = receipt.status as string | number;
+      const txSucceeded = status === 'success' || status === 1 || String(status) === '1';
 
       // Wait a bit for state to update
       console.log('  ⏳ Waiting for state to update...');
       await new Promise((resolve) => setTimeout(resolve, 1000));
 
-      this.assertTest(true, `Target ${this.testTarget} removed from whitelist successfully`);
+      this.assertTest(txSucceeded, `Target ${this.testTarget} removed from whitelist (status: ${receipt.status})`);

Note: Line 418 calls await result.wait() but discards the receipt — you'll need to capture it (const receipt = await result.wait()) to check status.

🤖 Fix all issues with AI agents

In `@scripts/sanity-sdk/guard-controller/erc20-mint-controller-tests.ts`:
- Around line 280-284: The test currently directly reads this.wallets.wallet3
and this.wallets.wallet4 into mintRequestor/mintApprover which is fragile and
can cause an unhelpful runtime error when wallets are missing; change the logic
in the test setup (where mintRequestor and mintApprover are assigned and later
used) to first verify existence of this.wallets and the specific entries (e.g.,
check this.wallets && this.wallets.wallet3 && this.wallets.wallet4) before any
property access, or use safe lookups/optional chaining (this.wallets?.wallet3,
this.wallets?.wallet4) and throw a clear Error if either is missing so the later
code that uses mintRequestor/mintApprover (and their .address) never triggers a
generic "Cannot read properties of undefined" failure.

🧹 Nitpick comments (4)

scripts/sanity-sdk/guard-controller/erc20-mint-controller-tests.ts (3)

58-82: Unsafe Address casts bypass type safety.

Both envAddr as Address (Line 63) and info.address as Address (Line 80) cast raw strings without validating they are well-formed Ethereum addresses. A typo in an env var or malformed JSON entry would propagate silently and fail later with a confusing RPC error.

Use viem's getAddress (or isAddress + getAddress) to validate and checksum:

Proposed fix

+import { getAddress, isAddress } from 'viem';
 ...
     const envAddr = process.env.BASICERC20_ADDRESS;
     if (envAddr) {
-      this.basicErc20Address = envAddr as Address;
+      if (!isAddress(envAddr)) throw new Error(`Invalid BASICERC20_ADDRESS: ${envAddr}`);
+      this.basicErc20Address = getAddress(envAddr);
       return this.basicErc20Address;
     }
 ...
-    this.basicErc20Address = info.address as Address;
+    if (!isAddress(info.address)) throw new Error(`Invalid BasicERC20 address in deployed-addresses.json: ${info.address}`);
+    this.basicErc20Address = getAddress(info.address);

As per coding guidelines, "Validate presence of wallet client and handle async contract calls using typed methods, returning typed results".

---

84-109: Guard against this.contractAddress being a valid Address at the type level, and avoid the as bigint cast.

readContract with a const ABI should already return the correct type. The as bigint cast on Line 108 masks potential type mismatches. If the ABI or function name changes and the return type shifts, this cast would hide the error.

Consider letting TypeScript infer the return type or using a narrowing check instead:

-    return balance as bigint;
+    return BigInt(balance);

Or simply return balance; if the inferred type is already bigint.

---

135-153: Repeated wallet-name resolution pattern — extract a helper.

The pattern of resolving a wallet name by matching this.wallets[k].address.toLowerCase() against a role wallet address appears at least 6 times across this file (Lines 136–139, 151–153, 201–204, 207–209, 327–329) and similarly in whitelist-tests.ts. This is verbose and error-prone — the || 'wallet1' / || 'wallet2' fallbacks silently pick the wrong wallet if no match is found.

Consider extracting a helper in the base class:

Suggested helper

protected getWalletName(address: Address): string {
  const name = Object.keys(this.wallets).find(
    (k) => this.wallets[k].address.toLowerCase() === address.toLowerCase()
  );
  if (!name) throw new Error(`No wallet found for address ${address}`);
  return name;
}

This would simplify every call site to e.g. this.getWalletName(ownerWallet.address) and eliminate the silent fallback risk.

Also applies to: 200-210

scripts/sanity-sdk/guard-controller/whitelist-tests.ts (1)

125-145: Retry loop silently continues on exception without resetting isRegistered.

Inside the retry loop (Lines 136–144), if functionSchemaExists throws on one attempt, isRegistered retains its previous value (initialized to false on Line 132, or potentially true from a prior iteration if an earlier attempt succeeded then a later one threw). This is fine for the false → exception case, but if a transient success followed by an exception occurred, the loop would break on the stale true value.

This is a minor edge case since the if (isRegistered) break; on Line 145 only triggers on true, and a transient true followed by an exception is unlikely. No action needed, but worth noting the loop doesn't reset isRegistered on failure.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Direct access to this.wallets.wallet3 / wallet4 is fragile.

Lines 281–282 hard-code wallet3 and wallet4 as the mint requestor and approver. If the test config provides wallets under different names or fewer wallets, this will throw at runtime with a generic "Cannot read properties of undefined" error rather than a descriptive message.

The null check on Line 283 catches undefined but only after accessing .address would have already thrown. Move the guard before the property access or use optional chaining:

-      const mintRequestor = this.wallets.wallet3;
-      const mintApprover = this.wallets.wallet4;
-      if (!mintRequestor || !mintApprover) {
+      const mintRequestor = this.wallets?.wallet3;
+      const mintApprover = this.wallets?.wallet4;
+      if (!mintRequestor?.address || !mintApprover?.address) {
         throw new Error('wallet3 and wallet4 must be configured for mint test');
       }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const mintRequestor = this.wallets.wallet3;
	const mintApprover = this.wallets.wallet4;
	if (!mintRequestor || !mintApprover) {
	throw new Error('wallet3 and wallet4 must be configured for mint test');
	const mintRequestor = this.wallets?.wallet3;
	const mintApprover = this.wallets?.wallet4;
	if (!mintRequestor?.address || !mintApprover?.address) {
	throw new Error('wallet3 and wallet4 must be configured for mint test');
	}

🤖 Prompt for AI Agents

In `@scripts/sanity-sdk/guard-controller/erc20-mint-controller-tests.ts` around
lines 280 - 284, The test currently directly reads this.wallets.wallet3 and
this.wallets.wallet4 into mintRequestor/mintApprover which is fragile and can
cause an unhelpful runtime error when wallets are missing; change the logic in
the test setup (where mintRequestor and mintApprover are assigned and later
used) to first verify existence of this.wallets and the specific entries (e.g.,
check this.wallets && this.wallets.wallet3 && this.wallets.wallet4) before any
property access, or use safe lookups/optional chaining (this.wallets?.wallet3,
this.wallets?.wallet4) and throw a clear Error if either is missing so the later
code that uses mintRequestor/mintApprover (and their .address) never triggers a
generic "Cannot read properties of undefined" failure.