refactor: earn flow + remove xstate/store#551
Conversation
|
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
Key validators by address and subnet so selection keeps distinct validator options. Scope balance and init token options to the selected dashboard category.
| {t("dashboard.borrow.success_page.view_transaction")} | ||
| </Text> | ||
| </Box> | ||
| ) : null |
There was a problem hiding this comment.
🔒 Agentic Security Review
Severity: MEDIUM
submission.link is opened via window.open(..., "_blank") without noopener,noreferrer. If this URL is attacker-influenced (e.g., via upstream API data), the opened page can access window.opener and navigate the original tab (reverse-tabnabbing).
Impact: A user can be redirected from the trusted widget host tab to a phishing or malicious page after clicking a transaction link.
Reviewed by Cursor Security Reviewer for commit 6cf3187. Configure here.
6cf3187 to
5dac944
Compare
There was a problem hiding this comment.
Stale comment
Risk: high. Not approving: this large earn/borrow refactor exceeds the low-risk approval threshold, Cursor Security Agent left an unresolved medium-severity finding, and required checks did not finish on the latest commit (Bugbot cancelled; Security Agent still running). Assigned jdomingos and dnehl for human review.
Sent by Cursor Approval Agent: Pull Request Router and Approver
There was a problem hiding this comment.
Risk: high. Not approving: this large earn/borrow refactor exceeds the low-risk approval threshold, and Cursor Security Agent has an unresolved medium-severity tabnabbing finding on complete.tsx. jdomingos and dnehl are already assigned for human review.
Sent by Cursor Approval Agent: Pull Request Router and Approver




Note
High Risk
Large new DeFi borrow path with wallet signing, transaction submission, and LTV validation touches money-moving flows; earn routing/state refactor could regress staking if mis-wired.
Overview
Adds a feature-flagged borrow experience in the dashboard (form → review → steps → complete, plus borrow position management), backed by a new
borrowmodule: Effect Schema domain models, OpenAPI-generatedBorrowApiclient, and@effect/atom-reactatoms for markets/positions, form state, action execution (sign/submit/confirm), and post-tx cache refresh.Earn flow cleanup: drops
EarnPageStateUsageBoundaryProvider/@xstate/store, removescommon/get-token-balances.tsandgetInitialTokenfrom stake types, and tightens validator handling via a compositeValidator.key(address + optional subnet) used in select-validator and position balance keys.Tooling/config: OpenAPI generator gains
BorrowApi(fullhttpclient+ spec prep), optional CLI spec selection,VITE_BORROW_API_URL/VITE_FORCE_BORROW, and rootpnpm.patchedDependenciesremoved; adds skeleton line/circle loaders for borrow UI loading states.Reviewed by Cursor Bugbot for commit 6cf3187. Configure here.