client: transfer bugfixes + autoclaim transfers

[djizus]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
eternum-docs	Ready	Preview	Comment	Nov 12, 2025 10:59pm

3 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
eternum	Ignored	Preview		Nov 12, 2025 10:59pm
eternum-landing	Ignored	Preview		Nov 12, 2025 10:59pm
eternum-mobile	Ignored	Preview		Nov 12, 2025 10:59pm

[claude]

Claude finished @djizus's task —— View job

---

Infrastructure & Security Review Complete ⚠️

I've completed my infrastructure and security review of this PR. While the core changes appear focused on client-side transfer automation functionality, there are significant security concerns in the overall repository configuration that need immediate attention.

Review Checklist:

• Gather context and read repository guidelines
• Analyze security & secret management implications
• Review multi-environment configuration changes
• Check deployment & infrastructure modifications
• Evaluate package management & dependency security
• Review GitHub Actions & CI/CD impact
• Examine blockchain & game configuration changes
• Provide inline comments for specific improvements
• Summarize findings and recommendations

---

🚨 Critical Security Issues

1. Private Keys Exposed in Version Control

SEVERITY: CRITICAL - Immediate action required

• contracts/common/.env.sepolia contains exposed private key: 0x075362a844768f31c8058ce31aec3dd7751686440b4f220f410ae0c9bf042e60
• contracts/game/dojo_sepolia.toml contains the same exposed private key
• client/apps/game/.env.sepolia contains the same exposed private key

Impact: Full compromise of deployment accounts and potential loss of funds on Sepolia testnet.

Recommendations:

• Immediately rotate all exposed private keys
• Remove private keys from version control (add to .gitignore)
• Use GitHub Secrets for CI/CD deployments
• Implement .env.example files without real keys

2. Hardcoded Secrets in GitHub Actions

SEVERITY: HIGH

test-client.yml workflow contains:

env:
  VITE_PUBLIC_MASTER_ADDRESS: "0x0"
  VITE_PUBLIC_MASTER_PRIVATE_KEY: "0x0"

While these are dummy values, this pattern is dangerous and could lead to accidental secret exposure.

---

⚠️ Infrastructure Security Concerns

3. Environment Variable Management Issues

Missing Validation:

• No validation that required environment variables are set before deployment
• Missing .env.sample files for some environments
• Inconsistent environment variable naming across services

RPC Endpoint Security:

• Using third-party RPC endpoints (api.cartridge.gg) without fallbacks
• No rate limiting or circuit breaker patterns
• Missing health checks for external dependencies

4. Deployment Script Security

Positive findings in migrate.sh:

• ✅ Good error handling with set -e and set -o pipefail
• ✅ Clear parameter validation
• ✅ Proper argument parsing

Areas for improvement:

• No validation of environment variables before execution
• Missing deployment rollback mechanisms
• No verification of deployment success

5. Package Management Security

Good practices observed:

• Using pnpm for dependency management
• Workspace configuration properly organized
• Package version catalog system implemented

Recommendations:

• Add audit script to package.json: "audit": "pnpm audit --audit-level high"
• Consider using npm-audit-resolver for managing audit issues
• Add dependency scanning to GitHub Actions

---

🔧 Inline Comments for Specific Files

⚙️ Config Scripts Suggestion: package.json:179

Current Issue: Missing package manager security constraint
Suggested Change: The packageManager field should include integrity hash
Impact: Ensures consistent pnpm version across all environments
Environment Impact: All environments

Example Implementation:

"packageManager": "[email protected]+sha512.cce0f9de9c5a7c95bef944169cc5dfe8741abfb145078c0d508b868056848a87c81e626246cb60967cbd7fd29a6c062ef73ff840d96b3c86c40ac92cf4a813ee"

⚙️ Config Environment Suggestion: contracts/game/dojo_sepolia.toml:6

Current Issue: Private key exposed in version control
Suggested Change: Remove private key and use environment variable reference
Impact: Eliminates critical security vulnerability
Environment Impact: Sepolia testnet

Example Implementation:

# Remove this line entirely:
# private_key = "0x075362a844768f31c8058ce31aec3dd7751686440b4f220f410ae0c9bf042e60"

⚙️ Config Scripts Suggestion: contracts/game/ext/scripts/migrate.sh:95-119

Current Issue: No environment variable validation before deployment
Suggested Change: Add validation for required environment variables
Impact: Prevents failed deployments due to missing configuration
Environment Impact: All environments

Example Implementation:

# Add before sozo build command:
validate_env_vars() {
    local required_vars=("STARKNET_RPC" "STARKNET_ACCOUNT_ADDRESS")
    for var in "${required_vars[@]}"; do
        if [[ -z "${!var}" ]]; then
            echo -e "${RED}► Error: Required environment variable $var is not set${NC}"
            exit 1
        fi
    done
}
validate_env_vars

⚙️ Config Security Suggestion: client/apps/game/src/hooks/store/use-transfer-automation-store.ts:58-67

Current Issue: Crypto.randomUUID fallback may be predictable
Suggested Change: Use more secure fallback for ID generation
Impact: Improves security of automation IDs
Environment Impact: Client-side

Example Implementation:

const generateId = () => {
  if (typeof crypto !== "undefined" && "randomUUID" in crypto) {
    try {
      return (crypto as Crypto & { randomUUID: () => string }).randomUUID();
    } catch {
      // Use more secure fallback
      const array = new Uint8Array(16);
      crypto.getRandomValues(array);
      return Array.from(array, byte => byte.toString(16).padStart(2, '0')).join('');
    }
  }
  return `ta_${Date.now()}_${Math.floor(Math.random() * 1e6)}`;
};

---

🔧 Configuration Management Issues

6. Multi-Environment Configuration

Good infrastructure setup:

• ✅ Proper environment separation (local, slot, sepolia, mainnet)
• ✅ Clear deployment scripts per environment
• ✅ Consistent TOML configuration structure

Security improvements needed:

• Environment-specific secret management
• Configuration validation scripts
• Automated backup of deployment configurations

7. Blockchain Configuration Security

Contract namespace security:

• Using consistent namespace: s1_eternum
• Proper world contract configuration
• Good separation of system permissions

Areas for improvement:

• Add world contract address validation
• Implement multi-sig for production deployments
• Add contract upgrade governance

---

💡 Recommended Immediate Actions

High Priority (Do This Week):

1. Rotate all exposed private keys immediately
2. Remove private keys from version control
3. Set up GitHub Secrets for deployment keys
4. Add .env files to .gitignore
5. Create .env.example files for all environments

Medium Priority (Do This Month):

1. Add environment variable validation to deployment scripts
2. Implement RPC endpoint fallbacks and health checks
3. Add dependency vulnerability scanning to CI/CD
4. Set up deployment rollback procedures
5. Add multi-sig wallet support for mainnet deployments

Infrastructure Enhancements:

1. Implement Infrastructure as Code (Terraform/CDK)
2. Add monitoring and alerting for all environments
3. Set up automated backup systems
4. Implement blue-green deployment strategy

---

📝 PR-Specific Analysis

This PR focuses on client-side transfer automation features. From an infrastructure perspective:

Low Risk Changes:

• Client-side automation logic doesn't affect deployment security
• Store management changes are contained to client application
• UI modifications don't impact backend security

Monitoring Recommendations:

• Monitor transfer automation usage patterns
• Add rate limiting for automated transfers
• Log automation events for audit purposes

---

🔍 Summary

While this specific PR contains low-risk client changes, the repository has critical security issues that require immediate attention. The infrastructure is well-organized with good multi-environment support, but the exposed private keys represent a critical security vulnerability.

Security Grade: D (Critical issues present)
Infrastructure Grade: B+ (Well-organized but security gaps)

---

[github-actions]

Failed to generate code suggestions for PR

[claude]

Claude finished @djizus's task —— View job

---

Infrastructure & Security Review Complete ⚠️

I've completed my infrastructure and security review of this PR. While the core changes appear focused on client-side transfer automation functionality, there are significant security concerns in the overall repository configuration that need immediate attention.

Review Checklist:

• Gather context and read repository guidelines
• Analyze security & secret management implications
• Review multi-environment configuration changes
• Check deployment & infrastructure modifications
• Evaluate package management & dependency security
• Review GitHub Actions & CI/CD impact
• Examine blockchain & game configuration changes
• Provide inline comments for specific improvements
• Summarize findings and recommendations

---

🚨 Critical Security Issues

1. Private Keys Exposed in Version Control

SEVERITY: CRITICAL - Immediate action required

• contracts/common/.env.sepolia contains exposed private key: 0x075362a844768f31c8058ce31aec3dd7751686440b4f220f410ae0c9bf042e60
• contracts/game/dojo_sepolia.toml contains the same exposed private key
• client/apps/game/.env.sepolia contains the same exposed private key

Impact: Full compromise of deployment accounts and potential loss of funds on Sepolia testnet.

Recommendations:

• Immediately rotate all exposed private keys
• Remove private keys from version control (add to .gitignore)
• Use GitHub Secrets for CI/CD deployments
• Implement .env.example files without real keys

2. Hardcoded Secrets in GitHub Actions

SEVERITY: HIGH

test-client.yml workflow contains:

env:
  VITE_PUBLIC_MASTER_ADDRESS: "0x0"
  VITE_PUBLIC_MASTER_PRIVATE_KEY: "0x0"

While these are dummy values, this pattern is dangerous and could lead to accidental secret exposure.

---

⚠️ Infrastructure Security Concerns

3. Environment Variable Management Issues

Missing Validation:

• No validation that required environment variables are set before deployment
• Missing .env.sample files for some environments
• Inconsistent environment variable naming across services

RPC Endpoint Security:

• Using third-party RPC endpoints (api.cartridge.gg) without fallbacks
• No rate limiting or circuit breaker patterns
• Missing health checks for external dependencies

4. Deployment Script Security

Positive findings in migrate.sh:

• ✅ Good error handling with set -e and set -o pipefail
• ✅ Clear parameter validation
• ✅ Proper argument parsing

Areas for improvement:

• No validation of environment variables before execution
• Missing deployment rollback mechanisms
• No verification of deployment success

5. Package Management Security

Good practices observed:

• Using pnpm for dependency management
• Workspace configuration properly organized
• Package version catalog system implemented

Recommendations:

• Add audit script to package.json: "audit": "pnpm audit --audit-level high"
• Consider using npm-audit-resolver for managing audit issues
• Add dependency scanning to GitHub Actions

---

🔧 Inline Comments for Specific Files

⚙️ Config Scripts Suggestion: package.json:179

Current Issue: Missing package manager security constraint
Suggested Change: The packageManager field should include integrity hash
Impact: Ensures consistent pnpm version across all environments
Environment Impact: All environments

Example Implementation:

"packageManager": "[email protected]+sha512.cce0f9de9c5a7c95bef944169cc5dfe8741abfb145078c0d508b868056848a87c81e626246cb60967cbd7fd29a6c062ef73ff840d96b3c86c40ac92cf4a813ee"

⚙️ Config Environment Suggestion: contracts/game/dojo_sepolia.toml:6

Current Issue: Private key exposed in version control
Suggested Change: Remove private key and use environment variable reference
Impact: Eliminates critical security vulnerability
Environment Impact: Sepolia testnet

Example Implementation:

# Remove this line entirely:
# private_key = "0x075362a844768f31c8058ce31aec3dd7751686440b4f220f410ae0c9bf042e60"

⚙️ Config Scripts Suggestion: contracts/game/ext/scripts/migrate.sh:95-119

Current Issue: No environment variable validation before deployment
Suggested Change: Add validation for required environment variables
Impact: Prevents failed deployments due to missing configuration
Environment Impact: All environments

Example Implementation:

# Add before sozo build command:
validate_env_vars() {
    local required_vars=("STARKNET_RPC" "STARKNET_ACCOUNT_ADDRESS")
    for var in "${required_vars[@]}"; do
        if [[ -z "${!var}" ]]; then
            echo -e "${RED}► Error: Required environment variable $var is not set${NC}"
            exit 1
        fi
    done
}
validate_env_vars

⚙️ Config Security Suggestion: client/apps/game/src/hooks/store/use-transfer-automation-store.ts:58-67

Current Issue: Crypto.randomUUID fallback may be predictable
Suggested Change: Use more secure fallback for ID generation
Impact: Improves security of automation IDs
Environment Impact: Client-side

Example Implementation:

const generateId = () => {
  if (typeof crypto !== "undefined" && "randomUUID" in crypto) {
    try {
      return (crypto as Crypto & { randomUUID: () => string }).randomUUID();
    } catch {
      // Use more secure fallback
      const array = new Uint8Array(16);
      crypto.getRandomValues(array);
      return Array.from(array, byte => byte.toString(16).padStart(2, '0')).join('');
    }
  }
  return `ta_${Date.now()}_${Math.floor(Math.random() * 1e6)}`;
};

---

🔧 Configuration Management Issues

6. Multi-Environment Configuration

Good infrastructure setup:

• ✅ Proper environment separation (local, slot, sepolia, mainnet)
• ✅ Clear deployment scripts per environment
• ✅ Consistent TOML configuration structure

Security improvements needed:

• Environment-specific secret management
• Configuration validation scripts
• Automated backup of deployment configurations

7. Blockchain Configuration Security

Contract namespace security:

• Using consistent namespace: s1_eternum
• Proper world contract configuration
• Good separation of system permissions

Areas for improvement:

• Add world contract address validation
• Implement multi-sig for production deployments
• Add contract upgrade governance

---

💡 Recommended Immediate Actions

High Priority (Do This Week):

1. Rotate all exposed private keys immediately
2. Remove private keys from version control
3. Set up GitHub Secrets for deployment keys
4. Add .env files to .gitignore
5. Create .env.example files for all environments

Medium Priority (Do This Month):

1. Add environment variable validation to deployment scripts
2. Implement RPC endpoint fallbacks and health checks
3. Add dependency vulnerability scanning to CI/CD
4. Set up deployment rollback procedures
5. Add multi-sig wallet support for mainnet deployments

Infrastructure Enhancements:

1. Implement Infrastructure as Code (Terraform/CDK)
2. Add monitoring and alerting for all environments
3. Set up automated backup systems
4. Implement blue-green deployment strategy

---

📝 PR-Specific Analysis

This PR focuses on client-side transfer automation features. From an infrastructure perspective:

Low Risk Changes:

• Client-side automation logic doesn't affect deployment security
• Store management changes are contained to client application
• UI modifications don't impact backend security

Monitoring Recommendations:

• Monitor transfer automation usage patterns
• Add rate limiting for automated transfers
• Log automation events for audit purposes

---

🔍 Summary

While this specific PR contains low-risk client changes, the repository has critical security issues that require immediate attention. The infrastructure is well-organized with good multi-environment support, but the exposed private keys represent a critical security vulnerability.

Security Grade: D (Critical issues present)
Infrastructure Grade: B+ (Well-organized but security gaps)

---