Silent `let _ =` on `pipe.query_async` meant Redis write failures in the rate-limit recording path produced no log output, leaving operators with no signal that counters were silently dropped and rate limiting was degraded — extremely hard to diagnose under load. The check phase already warns on Redis failure (lines 241, 260, 279 in rate_limit.rs — "allowing"). This brings the record phase in line with that pattern.
fix(server): log redis errors in rate limit record_in_window
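The failure mode described above, as an added example that is not the project's code: a discarded write error next to a fail-open variant that logs and counts it. `WindowStore`, `DownStore`, `record_silent`, `record_logged` and `DROPPED_WRITES` are hypothetical names; the trait stands in for the Redis pipeline write and uses only the standard library.

```rust
use std::sync::atomic::{AtomicU64, Ordering};

/// Hypothetical stand-in for the Redis pipeline write (`pipe.query_async` on the page).
pub trait WindowStore {
    fn record(&mut self, key: &str, now_ms: u64, window_ms: u64) -> Result<(), String>;
}

/// Constructed store that fails every write, simulating a Redis outage.
pub struct DownStore;
impl WindowStore for DownStore {
    fn record(&mut self, _key: &str, _now_ms: u64, _window_ms: u64) -> Result<(), String> {
        Err("connection refused".to_string())
    }
}

/// Dropped-write counter, so degraded rate limiting also shows up as a metric.
pub static DROPPED_WRITES: AtomicU64 = AtomicU64::new(0);

/// Before: the error is discarded, so a failed write leaves no trace.
pub fn record_silent(store: &mut dyn WindowStore, key: &str, now_ms: u64, window_ms: u64) {
    let _ = store.record(key, now_ms, window_ms);
}

/// After: still fail-open (the request is not rejected), but the failure is
/// logged and counted. Returns the warning line, or None when the write succeeded.
pub fn record_logged(store: &mut dyn WindowStore, key: &str, now_ms: u64, window_ms: u64) -> Option<String> {
    match store.record(key, now_ms, window_ms) {
        Ok(()) => None,
        Err(e) => {
            DROPPED_WRITES.fetch_add(1, Ordering::Relaxed);
            let line = format!(
                "WARN rate_limit: redis record failed key={} window_ms={}: {}; counter not updated",
                key, window_ms, e
            );
            eprintln!("{}", line);
            Some(line)
        }
    }
}

fn main() {
    let mut store = DownStore;
    record_silent(&mut store, "rl:user:alice", 1_000, 60_000); // produces no output
    record_logged(&mut store, "rl:user:alice", 1_000, 60_000); // produces one WARN line
    println!("dropped writes: {}", DROPPED_WRITES.load(Ordering::Relaxed));
}
```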
fix(sidecar): limit getDynamicField concurrency to 5 + retry on 429
…il-open, sponsor endpoints, key storage
…ation:Bearer, exit(1) if unset
* feat(researcher): add Enoki zkLogin for wallet-less Google sign-in
Add "Sign in with Google" via Enoki alongside existing Ed25519 key
login. Returning users skip on-chain registration via stored DB
credentials. Session cookie format unchanged — zero changes to
existing getSession() consumers.
* fix(researcher): address review findings for Enoki login
- Derive publicKey server-side from privateKey instead of trusting client
- Tighten Sui address regex from {10,} to {64}
- Validate accountId format (must be 0x... Sui object ID)
- Show error on Phase 1 server failure instead of falling through to Phase 2
- Throw explicit error if knownAccountId is null after create_account
- Check all required env vars before rendering Google sign-in button
- Remove unused publicKey from client POST body
* feat(researcher): add profile page and polish login UX
Add /profile page showing MemWal account info (Sui address, account ID,
public key) with copy buttons and Suiscan links. Includes delegate key
export for cross-app usage. Add profile link to sidebar user dropdown.
Polish login page with improved copy, Sparkles icon, and cleaner
collapsible layout for delegate key login. Add JSDoc comments to all
new Enoki integration code.
SetupWizard regression
…85) NEXT_PUBLIC_* variables are inlined into the Next.js client bundle at build time. Without ARG/ENV declarations in the Dockerfile, they are empty strings in production, causing the Enoki login button to not render. Add ARG + ENV for all NEXT_PUBLIC_ENOKI/GOOGLE/MEMWAL/SUI vars in both noter and researcher Dockerfiles. Railway passes service env vars as Docker build args automatically.
* chore(noter): remove unused chat/AI feature and dead code
Remove the entire AI chat feature (/ai routes, 23 chat files, /api/chat with 20+ crypto tools) which was never linked from the UI. Also remove dead auth components (WalletButton, UserMenu), unused editor code (CoinMentionNode, CoinMentionPlugin), and orphaned memory tRPC router. Clean up DB schema and types to remove chats/messages tables. -2,962 LOC across 38 files.
* feat(noter): add Enoki zkLogin backend + per-user MemWal keys
Add Enoki as auth provider with two-phase flow (returning user check + first-time registration). Add delegate key login as alternative.
- tRPC: auth.connectEnoki + auth.connectDelegateKey procedures
- Auth service: upsertEnokiUser, getEnokiUserBySuiAddress, createEnokiSession
- tRPC context: load per-user memwalKey + memwalAccountId (replaces shared env key)
- DB migration: add delegatePrivateKey + delegateAccountId + "enoki" auth method
- SuiProviders wrapper added to Providers component
- Auth hook simplified: connectEnoki + connectDelegateKey replace old methods
* feat(noter): add Enoki login UI + fix per-user MemWal keys
- EnokiLoginCard: Google sign-in with auto key gen + on-chain registration
- AuthButtonGroup: replace wallet button with Enoki + collapsible delegate key
- pdw-client: replace shared module-level key with per-request factory pattern
- memory-detector: pass per-user key from tRPC context through to MemWal calls
- memory/remember API: resolve user key from session header
- Remove dead code: /api/memory/set-key, /auth/callback, shared/lib/ai (1,738 LOC)
* fix(noter): clean up CoinMention imports and DB relations after chat removal
Remove CoinMentionNode/CoinMentionPlugin references from editor components and index.ts. Update DB relations to remove chats/messages references.
* fix(noter): add auth redirect on logout and protected note routes
- Logout now hard-redirects to landing page
- Note pages redirect to / when not authenticated
* feat(noter): replace user profile panel with MemWal account info
Replace manual MemWal key inputs with auto-populated profile showing:
- Sui address with copy + Suiscan link
- Account ID with copy + Suiscan link
- Delegate key export (reveal/hide)
- Auth method indicator
- Remove dependency on deleted /api/memory/set-key endpoint
* fix(noter): auto-generate note title from first line of content
Notes now get their title from the first line of text when saved, instead of staying as "Untitled Note" forever. Only applies when the title hasn't been manually renamed by the user.
* fix(noter): address review findings for Enoki integration
- Filter getEnokiUserBySuiAddress by authMethod="enoki" to prevent cross-auth-method collisions
- Skip memory extraction when no MemWal key available instead of falling through to env var fallback for unauthenticated requests
- Remove dead privateKey state and handleExportKey in user-float panel
* fix(noter): resolve React 18/19 type conflict and remove dead LoginButton
- Add @types/react override to force v19 (dapp-kit pulls v18)
- Remove dead LoginButton component (used old zkLogin login method)
fix(security): resolve 4 audit findings
Lockfile was out of sync with noter package.json after adding @mysten/dapp-kit, @mysten/enoki, @noble/ed25519, @noble/hashes and bumping drizzle-orm/drizzle-kit versions.
* feat(app): replace setup wizard with inline enoki login flow
Merge SetupWizard into LandingPage with two auth options via
SDK Playground popover:
- Enoki (Google OAuth): silent key gen + on-chain registration
- Wallet (any Sui wallet): key display + confirm + registration
Key changes:
- Remove SetupWizard.tsx and its route
- Add sessionStorage persistence for auth method across OAuth redirects
- Add setupRunningRef guard against React 18 Strict Mode double execution
- Add wallet disconnect detection during active setup
- Clear private key from React state after successful save
- Add login popover with matching neo-brutalism button styles
- Update .env.example with Enoki credentials
* fix(app): resolve premature auth state, hero flash, and defensive guard
- Defer authMethod='wallet' until wallet actually connects via
walletClickedRef, preventing stale sessionStorage on modal dismiss
- Include idle state in showSetupFlow when authMethod is set, so
the setup spinner renders immediately after OAuth redirect instead
of briefly flashing the hero section
- Add spinner for wallet idle state ("connecting wallet...")
- Replace registerOnchain fallback empty string with throw to
fail fast on unexpected missing account ID
* fix(app): resolve code quality bot findings in LandingPage
- Reorder declarations so all useCallback functions are defined
before the useEffect hooks that reference them
- Move walletClickedRef up with other refs
- Remove dead code: redundant knownAccountId null check after
the if/else branches where it is guaranteed to be set
- Reorganize component into clear sections: callbacks → effects → render
* fix(app): prevent wallet connect modal from closing prematurely
ConnectButton's wallet selection modal renders as a portal outside
the login popover. Two issues caused wallet connect to fail:
- handleWalletClick closed the popover immediately, unmounting the
ConnectButton before its modal could open
- Outside-click handler closed the popover when user clicked inside
the wallet modal (which is outside loginRef)
Fix: keep popover open during wallet flow (walletClickedRef guards
the outside-click handler), close only after wallet connects.
* fix(app): restore SetupWizard intro page and auth-aware key generation
Restore the "create your delegate key" intro page at /dashboard for
users who connected but have no delegate key yet. Both Enoki and
Wallet flows now see the intro before key generation.
After clicking "generate delegate key":
- Enoki: silent key gen + on-chain registration with contextual
status text ("this may take a few seconds...")
- Wallet: show key + copy + confirm + on-chain registration with
wallet approval prompt
Simplify LandingPage back to login popover + redirect to /dashboard.
* fix(app): update stale comments and remove auto-redirect for returning users
- Fix SetupWizard doc comment to reflect both flows showing keys
- Remove "(wallet only)" from show-key step comment
- Remove aggressive auto-redirect on currentAccount, matching
original behavior where returning users stay on landing page
and navigate to dashboard via explicit button click
…92) Logout only cleared the app session but did not disconnect the dapp-kit wallet. On revisiting the login page, autoConnect restored the Enoki wallet session and the user appeared still logged in. Add useDisconnectWallet call in the logout function so dapp-kit clears its stored wallet state, preventing autoConnect from restoring the session after logout.
Revert "Merge pull request #84 from MystenLabs/fix/security-p0-four-i…
…etadata feat: pass delegate_public_key to walrus metadata on upload
docs: clarify self-hosting personas, namespace isolation, and rate po…
…etadata fix: remove sidecar_secret logic not yet in dev
daniellam258 approved these changes Apr 15, 2026
…ent-id feat: rename memwal_delegate_key to memwal_agent_id