Skip to content

refactor: earn flow + remove xstate/store#551

Open
petar-omni wants to merge 5 commits into
mainfrom
feat/earn-effect-atom-poc
Open

refactor: earn flow + remove xstate/store#551
petar-omni wants to merge 5 commits into
mainfrom
feat/earn-effect-atom-poc

Conversation

@petar-omni

@petar-omni petar-omni commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Note

High Risk
Large new DeFi borrow path with wallet signing, transaction submission, and LTV validation touches money-moving flows; earn routing/state refactor could regress staking if mis-wired.

Overview
Adds a feature-flagged borrow experience in the dashboard (form → review → steps → complete, plus borrow position management), backed by a new borrow module: Effect Schema domain models, OpenAPI-generated BorrowApi client, and @effect/atom-react atoms for markets/positions, form state, action execution (sign/submit/confirm), and post-tx cache refresh.

Earn flow cleanup: drops EarnPageStateUsageBoundaryProvider / @xstate/store, removes common/get-token-balances.ts and getInitialToken from stake types, and tightens validator handling via a composite Validator.key (address + optional subnet) used in select-validator and position balance keys.

Tooling/config: OpenAPI generator gains BorrowApi (full httpclient + spec prep), optional CLI spec selection, VITE_BORROW_API_URL / VITE_FORCE_BORROW, and root pnpm.patchedDependencies removed; adds skeleton line/circle loaders for borrow UI loading states.

Reviewed by Cursor Bugbot for commit 6cf3187. Configure here.

@changeset-bot

changeset-bot Bot commented Jun 26, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 2110846

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f2d2a83c-e736-49e8-b48f-3041b4042c82

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/earn-effect-atom-poc

Comment @coderabbitai help to get the list of available commands.

@aws-amplify-eu-central-1

Copy link
Copy Markdown

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-551.d2ribjy8evqo6h.amplifyapp.com

@aws-amplify-eu-central-1

Copy link
Copy Markdown

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-551.df4xyoi0xyeak.amplifyapp.com

Key validators by address and subnet so selection keeps distinct validator options.

Scope balance and init token options to the selected dashboard category.
@petar-omni petar-omni marked this pull request as ready for review July 7, 2026 12:22
Philippoes
Philippoes previously approved these changes Jul 7, 2026

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stale comment

{t("dashboard.borrow.success_page.view_transaction")}
</Text>
</Box>
) : null

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Agentic Security Review
Severity: MEDIUM

submission.link is opened via window.open(..., "_blank") without noopener,noreferrer. If this URL is attacker-influenced (e.g., via upstream API data), the opened page can access window.opener and navigate the original tab (reverse-tabnabbing).

Impact: A user can be redirected from the trusted widget host tab to a phishing or malicious page after clicking a transaction link.

Fix in Cursor Fix in Web

Reviewed by Cursor Security Reviewer for commit 6cf3187. Configure here.

Philippoes
Philippoes previously approved these changes Jul 7, 2026

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stale comment

Risk: high. Not approving: this large earn/borrow refactor exceeds the low-risk approval threshold, Cursor Security Agent left an unresolved medium-severity finding, and required checks did not finish on the latest commit (Bugbot cancelled; Security Agent still running). Assigned jdomingos and dnehl for human review.

Open in Web View Automation 

Sent by Cursor Approval Agent: Pull Request Router and Approver

@cursor cursor Bot requested a review from jdomingos July 7, 2026 12:31

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Risk: high. Not approving: this large earn/borrow refactor exceeds the low-risk approval threshold, and Cursor Security Agent has an unresolved medium-severity tabnabbing finding on complete.tsx. jdomingos and dnehl are already assigned for human review.

Open in Web View Automation 

Sent by Cursor Approval Agent: Pull Request Router and Approver

@dnehl dnehl left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Played around with the flow - looks good.

  • no console errors
  • no "strange" multiple backend calls
  • duration looks good

@dnehl dnehl self-requested a review July 7, 2026 14:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants