fix(tools): prevent import time crashes, correct result handling, and improve input validation#60
Closed
Div1912 wants to merge 4 commits into
Closed
fix(tools): prevent import time crashes, correct result handling, and improve input validation#60Div1912 wants to merge 4 commits into
Div1912 wants to merge 4 commits into
Conversation
Interact with a Stellar Soroban liquidity pool smart contract. Supports the following actions: - get_share_id: Retrieve the share token ID for the connected wallet. - deposit: Add liquidity to the pool. Requires destination address (to), desired amounts for both tokens (desiredA, desiredB), and minimum acceptable amounts (minA, minB) to control slippage. - swap: Exchange one token for another. Requires destination address (to), direction flag (buyA: true to buy token A, false to buy token B), exact output amount (out), and maximum input allowed (inMax) to cap slippage. - withdraw: Remove liquidity from the pool. Requires destination address (to), share amount to burn (shareAmount), and minimum amounts to receive for both tokens (minA, minB). - get_reserves: Fetch the current token reserve levels in the pool. Defaults to testnet unless STELLAR_NETWORK is set to mainnet. Contract address can be overridden per-call via contractAddress for targeting specific pools.
There was a problem hiding this comment.
2 issues found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="tools/contract.ts">
<violation number="1" location="tools/contract.ts:23">
P2: `getSorobanRpcUrl` uses `??`, so an empty `SOROBAN_RPC_URL` is treated as valid and passed as `rpcUrl`, causing runtime connection failures instead of falling back to default.</violation>
<violation number="2" location="tools/contract.ts:81">
P2: Truthiness-based handling for deposit/swap misreports successful executions as no-value results because these helpers normally return undefined.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
- Add networkPassphrase as required field in BuildTransactionConfig to prevent silent TESTNET transactions on mainnet - Replace hardcoded Networks.TESTNET with config.networkPassphrase in buildTransaction - Fix fee defaulting: replace || with ?? (nullish coalescing) in buildTransaction and buildPathPaymentTransaction - Add instanceof Transaction guard before memo mutation in buildTransactionFromXDR to safely handle FeeBumpTransaction - Narrow buildTransactionFromXDR config to Pick<…, "memo"> since fee/timeout are already encoded in the XDR - Add args.length > 0 guard to avoid spreading empty arrays - Replace `return _exhaustive` with throw in getDefaultTimeout default branch for loud runtime failure on unhandled operation types - Remove dead `rpc` import; add FeeBumpTransaction import - Prefix unused operationType param with _ in buildTransactionFromXDR - Fix return types: any → Transaction / Transaction | FeeBumpTransaction
fix(core): make transaction builder network aware, improve type safety, and fix default handling
Contributor
|
ci checks fail |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed
Before:
Environment variables were read at module load time using
const STELLAR_PUBLIC_KEY = process.env.STELLAR_PUBLIC_KEY!. This caused the entire module to crash on import in serverless/edge environments where env vars are not yet injected at parse time. The!non-null assertion also suppressed TypeScript's safety check while a manual runtime guard was still needed, making the code contradictory.depositandswapusedresult ?? "success message"which meant the success string was only returned when the result was falsy — silently discarding actual transaction results on success.buyA === undefinedin the swap validation missednull, allowing invalid calls to pass through.funcwas typed asany, defeating the Zod schema that was already defined on the tool.contractAddresswas always spread into config even when undefined, polluting the config object passed to contract functions.After:
Environment variables are now read inside lazy getter functions (
getStellarPublicKey,getStellarNetwork,getSorobanRpcUrl) that are called at invocation time, not import time. This makes the module safe to import in any environment.depositandswapnow use a ternary to correctly return transaction results on success and a fallback message only when the result is empty.buyA == nullnow correctly catches bothundefinedandnull.funcis now typed asz.infer<typeof schema>for full type safety aligned with the Zod schema.contractAddressis conditionally spread into config only when it has a value.Why it was necessary:
The module-level env var crash was a production risk in any serverless deployment. The inverted result logic on deposit and swap meant successful transactions were returning no meaningful output to the agent, breaking observability. The remaining fixes close type safety gaps that could cause subtle runtime failures as the codebase scales.
Summary by cubic
Refactors env var handling to use lazy getters to avoid import-time crashes, fixes tool result handling and input typing, and makes transaction builders network-aware with safer defaults.
Refactors
STELLAR_PUBLIC_KEY,STELLAR_NETWORK, andSOROBAN_RPC_URL; centralize the Zodschemaand typefuncwithz.infer<typeof schema>; only includecontractAddresswhen provided.networkPassphrase(no hardcoded testnet), use??for fee defaults, guard memo forFeeBumpTransaction, add args-length check, narrowbuildTransactionFromXDRconfig to{ memo }, and throw on unhandled operation types.Bug Fixes
depositandswap(JSON stringified); show a simple fallback only when empty.buyAwith== nullto catch bothundefinedandnull.Written for commit 6f74633. Summary will update on new commits.