Main

[Dargon789]

Motivation

Solution

PR Checklist

• Added Tests
• Added Documentation
• Breaking changes

Summary by Sourcery

Harden filesystem and configuration handling, add Tempo wallet/keychain support, extend linting and config schema tooling, introduce a sample Foundry counter project, and add multiple CI/CD and container-related workflows and configs.

New Features:

• Add Tempo wallet access-key integration and signing utilities.
• Introduce a generic linting framework over the Solidity AST and a new config schema crate for Foundry.
• Add a sample Foundry counter project with contracts, tests, scripts, docs, and CI.
• Add detection of TTY for test utilities and a new Cancun beacon block trace CLI test.

Bug Fixes:

• Constrain test utility filesystem operations to a safe temp directory and prevent directory traversal and symlink escapes when copying and cleaning files.
• Ensure removal of test failure files and temp directories only occurs within validated project or temp roots.
• Avoid divide-by-zero in nightly comparison script and correct RNG API usage in EVM corpus mutation logic.
• Fix forge test suite duration aggregation and misc logic issues in lints, script simulation, and RPC batch error handling.

Enhancements:

• Refine config handling for test failures to respect project root boundaries and canonical paths.
• Tighten handling of temporary project cleanup and script file copying with path validation and canonicalization.
• Update cheatcode schema docs and cargo aliases, and adjust miner alignment struct and comments utilities.
• Add convenience From<Vec> conversion for doc comments and adjust forge test gating.

Build:

• Add new workspace dependencies for primitives, network, hardforks, tempo, and schema generation across crates.

CI:

• Add multiple CI/CD workflows for Docker builds, static site deploys, CodeQL, Snyk, API security scans, Google Cloud/GKE deploys, and CircleCI Rust/Foundry pipelines.

Documentation:

• Add shared documentation styles and scripts for generated docs and a README for the sample counter project.

Tests:

• Add a new Cancun beacon block trace CLI test, a cheatcodes filesystem safety test improvement, and CI coverage for the new counter project.

Chores:

• Vendor Remix test helper contracts and various project config files (gitmodules, sandbox, snapshots, remappings, locks, schemas, and placeholders).

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
next	Ready	Preview, Comment	Jun 6, 2026 6:05am
react	Ready	Preview, Comment	Jun 6, 2026 6:05am

[sourcery-ai]

Reviewer's Guide

This PR mixes significant internal feature work with a large set of security hardening changes and CI / workflow additions. Key changes include: constrained temp filesystem usage in test utilities and benchmarks; safer path handling for config and script helpers; new Tempo wallet integration and access-key signing support; a generic linting framework and config schema crate; updates to cheatcodes/config schemas and cargo aliases; a new Cancun beacon-block trace test; and a substantial number of new GitHub Actions and CircleCI configs plus project-scoped example counter app files and docs assets.

Sequence diagram for sign_with_access_key Tempo access-key signing flow

sequenceDiagram
    participant Caller
    participant tempo as tempo_mod
    participant req as TempoTransactionRequest
    participant signer as Signer
    participant kc as KeychainSignature

    Caller->>tempo: sign_with_access_key(tx_request, signer, wallet_address)
    activate tempo
    tempo->>req: build_aa()
    activate req
    req-->>tempo: tempo_tx
    deactivate req

    tempo->>tempo: signature_hash = tempo_tx.signature_hash()
    tempo->>kc: KeychainSignature::signing_hash(signature_hash, wallet_address)
    kc-->>tempo: signing_hash

    tempo->>signer: sign_hash(signing_hash)
    activate signer
    signer-->>tempo: raw_sig
    deactivate signer

    tempo->>kc: KeychainSignature::new(wallet_address, raw_sig)
    kc-->>tempo: keychain_sig

    tempo->>tempo: aa_signed = tempo_tx.into_signed(TempoSignature::Keychain(keychain_sig))
    tempo->>tempo: aa_signed.encode_2718(buf)
    tempo-->>Caller: signed_bytes
    deactivate tempo

Loading

File-Level Changes

Change	Details	Files
Harden filesystem operations and path handling in test utilities, benchmarks, scripts, and config cleanup logic.	Introduce a fixed TEST_UTIL_BASE under the system temp directory and a resolve_and_validate_under_base helper to constrain copy_dir_filtered operations to this base and prevent directory escape via absolute or .. paths. Add global IS_TTY flag, adjust get_compiled to panic on compiler errors instead of using assert!, and slightly tweak Vyper lock error handling pattern matching. Ensure test failures file removal resolves to a path under the canonicalized project root before deleting, emitting a warning when the file would lie outside the project root. Canonicalize TempProject root in benchmarks cleanup and verify each entry’s canonical path stays under that root before removing directories/files, logging and skipping suspicious paths. In ScriptTester, skip files with suspicious names and avoid copying files whose canonicalized path escapes the source dir, preventing traversal via symlinks or invalid filenames. In cheatcodes fs tests, guard remove_dir_all by verifying the directory exists and resides under the system temp directory before deleting.	crates/test-utils/src/util.rs crates/config/src/lib.rs benches/src/lib.rs crates/test-utils/src/script.rs crates/cheatcodes/src/fs.rs
Add Tempo wallet integration with support for local and keychain (access-key) signing, plus a dedicated Tempo transaction signing path.	Introduce enums for WalletType and KeyType and data structures to deserialize Tempo’s keys.toml layout, including per-token limits and top-level KeysFile. Implement keys_path resolution honoring TEMPO_HOME or defaulting to ~/.tempo/wallet/keys.toml, and decode SignedKeyAuthorization from hex+RLP. Provide TempoLookup abstraction that distinguishes direct EOA signers from keychain access-key signers and returns either a simple WalletSigner or a WalletSigner plus TempoAccessKeyConfig. Add sign_with_access_key helper that builds a TempoTransaction from a TempoTransactionRequest, computes the keychain V2 signing hash, signs via alloy Signer, wraps in a KeychainSignature/TempoSignature and encodes the result as EIP-2718 bytes.	crates/wallets/src/tempo.rs
Introduce a generic linting framework abstraction for AST-based lint passes.	Define a Linter trait parametrized by language and lint type with a lint method taking input file paths. Define a Lint trait with id, severity, description, and help methods, plus a LintContext carrying Session and description flags and an emit helper that builds and emits diagnostics with appropriate codes and spans. Add EarlyLintPass trait mirroring solar_ast::visit::Visit for key nodes (Expr, ItemStruct, ItemFunction, VariableDefinition) but enriched with LintContext, and EarlyLintVisitor that drives multiple passes over the AST and dispatches checks while walking nodes.	crates/lint/src/linter.rs
Add a dedicated config spec crate and JSON schema generation for Foundry config, plus cargo alias integration.	Create foundry-config-spec crate wrapping Config inside ConfigSchema with serde flattening and optional schemars JsonSchema derivation behind a schema feature. Add a test helper that verifies the generated config.schema.json matches the compiled schema, auto-updating the file and instructing CI users to run cargo spec-config when out-of-date. Register schemars as an optional dependency and add a schema feature for the main config crate, and expose a new cargo alias spec-config to run the schema tests; also add foundry-config-spec to workspace manifests as needed.	crates/config/spec/Cargo.toml crates/config/spec/src/lib.rs crates/config/Cargo.toml .cargo/config.toml crates/config/assets/config.schema.json
Update cheatcodes spec metadata and references, including schema URL and CI hints, and wire config spec into workspace dependencies.	Change cheatcodes spec doc URL to point to getfoundry.sh-specific cheatcodes documentation under forge tests. Adjust CI hint message in cheatcodes spec tests to recommend running cargo spec-cheats instead of the old cargo cheats alias. Declare foundry-primitives as a workspace dependency in the common crate and hook up new schema features in config and cheatcodes crates where appropriate.	crates/cheatcodes/spec/src/lib.rs crates/common/Cargo.toml crates/config/Cargo.toml .cargo/config.toml
Refine various runtime behaviors and bugfixes across RPC handling, miner, script simulation, lints, and testing.	In Anvil RPC handler, change behavior for empty batch requests to return a Batch response containing a single RpcError instead of a Single error response. Fix cast miner::mine alignment wrapper by redefining B256Aligned with repr(C, align(8)) and a single B256 field, avoiding the previous zero-length array trick. Update gas price symbol resolution in script simulation to use alloy_chains::Chain::from_id instead of NamedChain::try_from, aligning with newer APIs. In EVM fuzzer WorkerCorpus, use rng.gen_ratio instead of random_ratio for payable value mutation frequency.

Make merge_outcomes accumulate suite duration by summing rather than taking max when merging TestOutcome structures.

Simplify keccak lint helper extract_keccak256_arg to an explicit if/else returning Option, and adjust unused_return lint to use call_args.len() instead of call_args.kind.len() to reflect updated API.

Un-gate the preprocess_contract_with_decode_internal test by removing the isolate-by-default cfg guard.

| `crates/anvil/server/src/handler.rs`
`crates/cast/src/cmd/miner.rs`
`crates/script/src/simulate.rs`
`crates/evm/evm/src/executors/corpus.rs`
`crates/forge/src/cmd/test/mod.rs`
`crates/lint/src/sol/gas/keccak.rs`
`crates/lint/src/sol/med/unused_return.rs`
`crates/forge/tests/cli/test_optimizer.rs` | | Add a new Cancun beacon-block trace regression test for cast and guard nightly comparison script against division-by-zero. |

• Introduce a new CLI test that runs a specific Cancun-era beacon block root transaction and asserts on the printed call trace and gas section, ensuring regression coverage for GitHub issue cast run result is different from the actual transaction foundry-rs/foundry#12435.
• Modify compare-nightly.sh to compute percentage delta only when previous timing is greater than zero, otherwise defaulting to 0 to avoid division-by-zero.

| `crates/cast/tests/cli/main.rs`
`.github/scripts/compare-nightly.sh` | | Add CSS/JS documentation assets for doc output and a sample counter Foundry project with scripts, tests, CI, and README. |

• Add doc-style.css and doc-script.js under both doc/ and counter/doc/ and minimal doc-filelist.js stubs, providing highlight.js styling and sidebar navigation logic for generated docs.
• Introduce a standalone counter example project with Counter.sol, deployment script, tests, foundry.toml, remappings, forge-std and openzeppelin submodules, gas snapshot, and README describing common Foundry commands.
• Add a minimal GitHub Actions workflow under counter to run fmt, build, and tests for the example project.

| `doc/doc-style.css`
`doc/doc-script.js`
`doc/doc-filelist.js`
`counter/doc/doc-style.css`
`counter/doc/doc-script.js`
`counter/doc/doc-filelist.js`
`counter/src/Counter.sol`
`counter/script/Counter.s.sol`
`counter/test/Counter.t.sol`
`counter/foundry.toml`
`counter/README.md`
`counter/.gas-snapshot`
`counter/remappings.txt`
`counter/.github/workflows/test.yml`
`counter/lib/forge-std`
`counter/lib/openzeppelin-contracts` | | Add multiple new CI / security workflows and CircleCI configs for Docker, CodeQL, Snyk, Google GKE, Pages, API security, and Rust/Cargo pipelines. |

• Add GitHub Actions workflows for Docker builds (two variants), Docker image CI, static site deployment to GitHub Pages, CodeQL advanced scanning, Google GKE build/deploy, Snyk container scans, APIsec scanning, and a Foundry build/test/deploy pipeline.
• Introduce multiple CircleCI configurations for Foundry testing, Rust cargo build/test with caching, and assorted custom web3/gamefi/dev_stage pipelines with examples of filters and retry semantics.
• Add basic GitHub issue templates for bug reports, feature requests, and a custom template, plus a Sample .codesandbox/tasks.json stub and auxiliary project files like .gitmodules and sleep.json.

| `.github/workflows/docker.yml`
`.github/workflows/Docker.yml`
`.github/workflows/docker-image.yml`
`.github/workflows/static.yml`
`.github/workflows/codeql.yml`
`.github/workflows/google.yml`
`.github/workflows/snyk-container.yml`
`.github/workflows/apisec-scan.yml`
`.github/workflows/deploy.yml`
`.github/workflows/docker-image.yml`
`.circleci/config.yml`
`.circleci/cargo.yml`
`.circleci/ci.yml`
`.circleci/ci_v1.yml`
`.circleci/ci_cargo.yml`
`.circleci/ci-web3-gamefi.yml`
`.circleci/web3_defi_gamefi.yml`
`.circleci/dev_stage.yml`
`.github/ISSUE_TEMPLATE/bug_report.md`
`.github/ISSUE_TEMPLATE/feature_request.md`
`.github/ISSUE_TEMPLATE/custom.md`
`.codesandbox/tasks.json`
`.gitmodules`
`sleep.json` | | Vendor Remix testing helper contracts for Solidity testing and add small project metadata or placeholder files. |

• Add remix_tests.sol with the Assert library exposing a suite of assertion helpers that emit type-specific AssertionEvent events for use in Remix-compatible tests.
• Add remix_accounts.sol providing a fixed set of test account addresses via getAccount(index).
• Add placeholder or lock files such as soldeer.lock and references under .deps for Remix tests and config.

| `.deps/remix-tests/remix_tests.sol`
`.deps/remix-tests/remix_accounts.sol`
`counter/soldeer.lock` |

Possibly linked issues

• Foundry/ethereum ux (#284) #289 #290 #291: The PR is the concrete implementation of the AST-based keccak256 lint, new lint infra, CI, and counter project described.
• Wagmi (e604566) #413: The PR is the concrete implementation of the AST-based keccak256 linting and surrounding refactors described.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[sourcery-ai]

Hey - I've found 4 issues, and left some high level feedback:

• In cast/src/cmd/miner.rs, the updated B256Aligned definition no longer matches the B256Aligned(salt, []) construction, which will fail to compile; either restore the second field or adjust the constructor and subsequent unsafe code accordingly.
• The new copy_dir_filtered / copy_dir_filtered_inner flow repeatedly calls resolve_and_validate_under_base and re-canonicalizes src/dst on every recursion step, which adds a lot of filesystem I/O; consider validating once at the top level and passing trusted, joined paths down the recursion to keep the security guarantee with less overhead.
• This PR adds many orthogonal artifacts (sample counter project, Remix test deps, multiple CircleCI and GitHub Actions workflows, Docker/Pages configs, etc.); it would be clearer to split these into separate, focused PRs or omit the template/demo content from the main repository.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In `cast/src/cmd/miner.rs`, the updated `B256Aligned` definition no longer matches the `B256Aligned(salt, [])` construction, which will fail to compile; either restore the second field or adjust the constructor and subsequent unsafe code accordingly.
- The new `copy_dir_filtered` / `copy_dir_filtered_inner` flow repeatedly calls `resolve_and_validate_under_base` and re-canonicalizes `src`/`dst` on every recursion step, which adds a lot of filesystem I/O; consider validating once at the top level and passing trusted, joined paths down the recursion to keep the security guarantee with less overhead.
- This PR adds many orthogonal artifacts (sample `counter` project, Remix test deps, multiple CircleCI and GitHub Actions workflows, Docker/Pages configs, etc.); it would be clearer to split these into separate, focused PRs or omit the template/demo content from the main repository.

## Individual Comments

### Comment 1
<location path="crates/cast/src/cmd/miner.rs" line_range="26-27" />
<code_context>
             #[repr(C)]
-            struct B256Aligned(B256, [usize; 0]);
-
+#[repr(C, align(8))]
+struct B256Aligned(B256);
             let mut salt = B256Aligned(salt, []);
             // SAFETY: `B256` is aligned to `usize`.
</code_context>
<issue_to_address>
**issue (bug_risk):** Constructor call for `B256Aligned` still uses the old tuple layout and will not compile.

The struct changed from `B256Aligned(B256, [usize; 0])` to `B256Aligned(B256)`, but this site still calls `B256Aligned(salt, [])`, which will not compile. Update this to `B256Aligned(salt)` (and revise the SAFETY comment if needed). Also, consider indenting the attribute and struct definition inside the closure for consistency with the surrounding code.
</issue_to_address>

### Comment 2
<location path=".github/workflows/google.yml" line_range="37-40" />
<code_context>
+name: Docker
+
+on:
+  push:
+    tags: ["*"]
+    branches:
</code_context>
<issue_to_address>
**issue (bug_risk):** Quoted branch names and kustomize download command look misconfigured and will likely prevent this workflow from working.

Two issues to fix:
1. Branch filters are defined as `- '"main"'` / `- '"master"'`, which makes the literal branch names include quotes. GitHub Actions will not match the real `main`/`master` branches.
2. The `curl -sfLo kustomize ...kustomize_v5.4.3_linux_amd64.tar.gz` step downloads a tar.gz archive but you never extract it before running `./kustomize`. Either download the binary directly or extract the archive first so the command succeeds.
</issue_to_address>

### Comment 3
<location path=".circleci/ci_cargo.yml" line_range="13-18" />
<code_context>
+          keys:
+            - v1-cargo-{{ checksum "Cargo.lock" }}
+            - v1-cargo-
+      - run:
+          name: "Check formatting"
+          command: cargo fmt -- --check
+      - run:
+          name: "Run tests"
+          command: cargo test
+      - save_cache:
+          key: v1-cargo-{{ checksum "Cargo.lock" }}
</code_context>
<issue_to_address>
**nitpick (performance):** Formatting and test steps are duplicated in the same job.

This job reruns `cargo fmt -- --check` and `cargo test` without adding value, which unnecessarily increases CI time. If there’s no requirement to run them twice, please remove the duplicates.
</issue_to_address>

### Comment 4
<location path=".github/ISSUE_TEMPLATE/bug_report.md" line_range="26-29" />
<code_context>
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Desktop (please complete the following information):**
+ - OS: [e.g. iOS]
+ - Browser [e.g. Chrome, Safari]
+ - Version [e.g. 22]
+ - Browser [e.g. Chrome, Safari]
+ - Version [e.g. 22]
</code_context>
<issue_to_address>
**issue:** Desktop section lists the Browser and Version fields twice, which is likely unintentional duplication.

Please remove the duplicated `Browser` and `Version` entries so each field appears only once in this section.
</issue_to_address>

Fix all in Cursor

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

This pull request introduces various CI/CD configurations, issue templates, security enhancements to prevent directory traversal, a new Tempo wallet signer module, and a configuration specification schema. The review feedback highlights several critical issues, including compilation errors in the miner command and simulation script, missing dependencies in the wallets crate, and a bug where canonicalizing non-existent paths causes directory copying to fail. Additionally, there are syntax errors and duplicate steps in the CircleCI configurations, redundant path canonicalizations inside loops, and a design issue with the lifetime parameterization of the early lint pass trait.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.