Authline PR #13 review fixes + dead-UI cleanup (stacked on #13) #14
Merged
willemneal merged 1 commit on Jun 7, 2026
…nd UI
SDK (@theaha/authline):
- react useActivation: bound the confirmation poll (180s deadline) and throw on
sendTransaction ERROR instead of hanging the hook forever
- status.assetAuthRequired: only treat 404 as "no auth required"; rethrow on
transient/5xx errors instead of failing open (which would downgrade a
regulated asset to the no-authorize path)
- discovery: reconcile discovered configs against the pinned registry
(discoverOnboarder({network}) + new reconcileWithRegistry) so a spoofed
stellar.toml can't redirect a trustline/authorize to attacker ids; validate
the domain (reject scheme/path/SSRF) and cap response size; accept
single-quoted TOML values
- exchange.onboardingRequest: drop the personal github.io hostedBase default;
hostedUrl is omitted unless the integrator supplies an origin they control
- builders: default allowHttp true only for localhost; document the
registry-validation requirement for discovered configs
- package.json: 0.2.0 (aligns with SEP v0.2); @stellar/stellar-sdk -> peer dep
Frontend:
- delete the now-unreachable pre-rebrand app (App, components/, hooks/,
providers/, util/, contracts/, index.css) and prune its deps
(@stellar/design-system, @tanstack/react-query, lossless-json, zod,
@types/lodash)
- config.ts: resolve the pinned asset by (code, network) not code alone; pin
SAC/authorizer from the registry as fallback; warn on a misconfigured
permissionedOneStep asset; canonical repo URL
- authline.tsx: 180s poll deadline; map the wallet network from the passphrase
(no longer collapse futurenet/standalone to testnet); StrKey-validate the
?address= deep-link
Build/docs:
- restore the empty-packages/ guard in install:contracts; build SDK before dev
- un-ignore packages/authline-sdk from the generated-clients gitignore rule
- add .prettierignore for build output
- SEP: fill the verified EURCV SAC, document the cap73-onesig wire-token
normalization, TODO for the SEP number/discussion placeholders
- demo: ENOENT message for a missing stellar CLI; clarify the CLI-vs-SDK submit
note; example hostedBase; docs note the CLI prerequisite
Verified: npm run build, tsc -b, eslint, prettier --check, cargo test (10/10).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
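
The fail-open behaviour that the status.assetAuthRequired item fixes, next to a fail-closed version, as an added example that is not code from this PR or the SDK. The `{ status, body }` result shape, the `flags.auth_required` field and all function names are assumptions.

```javascript
// Added illustration. The { status, body } result shape and the
// flags.auth_required field are assumptions, not the SDK's interface.

// Before: every non-200 outcome is read as "no authorization needed".
function authRequiredFailOpen(res) {
  if (res.status !== 200) return false; // a 503 or 429 lands here too
  return Boolean(res.body && res.body.flags && res.body.flags.auth_required);
}

// After: only a definite 404 means "open"; anything uncertain is an error.
function authRequiredFailClosed(res) {
  if (res.status === 404) return false;
  if (res.status === 200) {
    const flag = res.body && res.body.flags && res.body.flags.auth_required;
    if (typeof flag !== "boolean") throw new Error("malformed issuer record");
    return flag;
  }
  throw new Error(`auth lookup failed (HTTP ${res.status}); refusing to assume open`);
}

// The check result selects which transaction path the caller builds.
function choosePath(check, res) {
  return check(res) ? "trustline+authorize" : "trustline-only";
}

// Constructed lookup results for one regulated asset under different conditions.
const SAMPLES = {
  healthy: { status: 200, body: { flags: { auth_required: true } } },
  outage: { status: 503, body: null },
  truncated: { status: 200, body: {} },
  absent: { status: 404, body: null },
};

// Run both variants over every sample; "abort" means the check threw.
function compare() {
  const rows = {};
  for (const [name, res] of Object.entries(SAMPLES)) {
    let closed;
    try {
      closed = choosePath(authRequiredFailClosed, res);
    } catch (err) {
      closed = "abort";
    }
    rows[name] = { failOpen: choosePath(authRequiredFailOpen, res), failClosed: closed };
  }
  return rows;
}

console.table(compare());
```

The outage and truncated rows are where the two variants diverge: the fail-open check sends a regulated asset down the trustline-only path, while the fail-closed check aborts so the caller can retry.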
willemneal added a commit that referenced this pull request Jun 8, 2026

#13)

* feat: add Authline integrator SDK + SEP draft + exchange-withdrawal demos

Additive integrator layer for third-party (exchange/broker/wallet) trustline onboarding. Wraps the contracts this repo already ships — onboard() and the live eurcv_auth authorize_trustline() — and adds the runtime two-asset-class detection, the CAP-33 sponsored reserve-free path, SEP-7 handoffs, stellar.toml discovery, a pinned registry, and an optional headless React hook.

No existing file is modified and no new contract is added; authorization stays with eurcv_auth. The SDK is an inert top-level dir (not a workspace member), so the lockfile, install:contracts, build, and CI are untouched — verified: npm ci + install:contracts (skips) + tsc -b + vite build, and cargo test (10).

Adds only:
- authline-sdk/ the @theaha/authline SDK (build standalone or adopt into packages/)
- sep/SEP-XXXX-...md the draft standard
- examples/exchange-withdrawal/{demo,demo-open}.mjs runnable testnet references
- docs/authline-sdk.md overview + adoption steps

* style: prettier-format authline-sdk README (CI prettier --check)

* feat: rebrand frontend to Authline (landing + dApp); wire SDK as workspace package

Bring the Authline experience to stellar-assets: the Authline landing page + activation dApp as the new frontend, powered by @theaha/authline (now a packages/authline-sdk workspace package, built first in the build script).

Backend untouched: contracts/, src/hooks/useOnboard, src/contracts/assets.ts and the live eurcv_auth authorization are all unchanged — only the frontend/design layer changes. The previous React app is kept in place; the entry now mounts the Authline dApp.

- packages/authline-sdk/ moved from top-level; now a built workspace dependency
- index.html Authline landing (replaces the Vite entry)
- app.html + src/{main,authline,config}.tsx + authline.css the activation dApp
- vite.config.ts multi-page; keeps nodePolyfills + wasm
- package.json @theaha/authline dep; SDK build step; install:contracts via workspaces

Verified: npm run build, eslint ., cargo test (10) all green; landing + dApp render.

* fix(app): dedupe the live asset from the directory + enrich its metadata from the pinned registry

The directory listed the live asset and its registry twin (e.g. two EURCV rows). Dedupe the roadmap against the live code, and enrich the live asset's name / capability / clawback flags from OFFICIAL_ASSETS when its code is known (env always wins; on-chain ids stay env-driven) so a single row shows the real name and the freeze/clawback warning.

* fix(authline): address PR #13 review findings + remove dead pre-rebrand UI (#14)

SDK (@theaha/authline):
- react useActivation: bound the confirmation poll (180s deadline) and throw on sendTransaction ERROR instead of hanging the hook forever
- status.assetAuthRequired: only treat 404 as "no auth required"; rethrow on transient/5xx errors instead of failing open (which would downgrade a regulated asset to the no-authorize path)
- discovery: reconcile discovered configs against the pinned registry (discoverOnboarder({network}) + new reconcileWithRegistry) so a spoofed stellar.toml can't redirect a trustline/authorize to attacker ids; validate the domain (reject scheme/path/SSRF) and cap response size; accept single-quoted TOML values
- exchange.onboardingRequest: drop the personal github.io hostedBase default; hostedUrl is omitted unless the integrator supplies an origin they control
- builders: default allowHttp true only for localhost; document the registry-validation requirement for discovered configs
- package.json: 0.2.0 (aligns with SEP v0.2); @stellar/stellar-sdk -> peer dep

Frontend:
- delete the now-unreachable pre-rebrand app (App, components/, hooks/, providers/, util/, contracts/, index.css) and prune its deps (@stellar/design-system, @tanstack/react-query, lossless-json, zod, @types/lodash)
- config.ts: resolve the pinned asset by (code, network) not code alone; pin SAC/authorizer from the registry as fallback; warn on a misconfigured permissionedOneStep asset; canonical repo URL
- authline.tsx: 180s poll deadline; map the wallet network from the passphrase (no longer collapse futurenet/standalone to testnet); StrKey-validate the ?address= deep-link

Build/docs:
- restore the empty-packages/ guard in install:contracts; build SDK before dev
- un-ignore packages/authline-sdk from the generated-clients gitignore rule
- add .prettierignore for build output
- SEP: fill the verified EURCV SAC, document the cap73-onesig wire-token normalization, TODO for the SEP number/discussion placeholders
- demo: ENOENT message for a missing stellar CLI; clarify the CLI-vs-SDK submit note; example hostedBase; docs note the CLI prerequisite

Verified: npm run build, tsc -b, eslint, prettier --check, cargo test (10/10).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Dgetsylver <enzo@theaha.co>
Co-authored-by: Willem Wyndham <willem@ahalabs.dev>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Stacked on #13. Applies the review findings from that PR and removes the now-dead pre-rebrand UI, so the two can merge together for a clean history.
SDK (@theaha/authline)
- useActivation poll — bound the confirmation poll with a 180s deadline and throw on sendTransaction ERROR instead of hanging the hook forever (mirrors the backend pollForSuccess).
- assetAuthRequired — only a 404 means "open"; transient/5xx now rethrow instead of failing open (which would silently downgrade a regulated asset to the no-authorize path).
- discoverOnboarder(domain, { network }) + new reconcileWithRegistry() reject a spoofed stellar.toml whose ids differ from the curated values. Also: domain validation (reject scheme/path/SSRF), response size cap, single-quoted TOML values.
- onboardingRequest — dropped the personal github.io hostedBase default; hostedUrl is omitted unless the integrator supplies an origin they control.
- allowHttp defaults true only for localhost; docs spell out the registry-validation requirement for discovered configs.
- 0.2.0 (aligns with SEP v0.2); @stellar/stellar-sdk moved to a peer dependency.

Frontend
- App.tsx, components/, hooks/, providers/, util/, contracts/, index.css (unreachable since main.tsx mounts AuthlineApp), and pruned the deps only it used (@stellar/design-system, @tanstack/react-query, lossless-json, zod, @types/lodash).
- config.ts — resolve the pinned asset by (code, network) not code alone; pin SAC/authorizer from the registry as a fallback; warn on a misconfigured permissionedOneStep asset; canonical repo URL.
- authline.tsx — 180s poll deadline; map the wallet network from the passphrase (no longer collapse futurenet/standalone to testnet); StrKey-validate the ?address= deep-link.

Build / docs
- packages/ guard in install:contracts; dev builds the SDK first; un-ignored packages/authline-sdk from the generated-clients gitignore; added .prettierignore for build output.
- cap73-onesig wire-token normalization, TODO for the SEP-number/discussion placeholders.
- stellar CLI, clarified the CLI-vs-SDK submit note, example hostedBase; docs note the CLI prerequisite.

Verification
npm run build ✅ · tsc -b ✅ · vite build (multi-page) ✅ · eslint . ✅ · prettier . --check ✅ · cargo test ✅ 10/10. No Rust touched; no build artifacts committed.

🤖 Generated with Claude Code
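
A sketch of the two discovery checks listed above, domain validation and reconciliation against a pinned registry keyed by (code, network); this is an added example, not the SDK's discoverOnboarder or reconcileWithRegistry. Function names, config fields and the placeholder ids are hypothetical, and returning an unverified config for an unpinned asset is an assumed policy.

```javascript
// Added illustration; names, fields and ids below are hypothetical.
// Constructed pinned registry with placeholder ids, keyed by (code, network).
const PINNED_REGISTRY = [
  { code: "EURCV", network: "testnet", sac: "C_PINNED_SAC", authorizer: "C_PINNED_AUTHORIZER" },
  { code: "EURCV", network: "mainnet", sac: "C_MAINNET_SAC", authorizer: "C_MAINNET_AUTHORIZER" },
];

// Accept a bare DNS hostname only, so the caller builds the fetch URL itself.
const HOSTNAME = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;
const LOCAL_SUFFIXES = [".localhost", ".local", ".internal"];

function validateDomain(input) {
  const domain = String(input).trim().toLowerCase();
  // Schemes, paths, ports, userinfo, IP literals and single-label names such
  // as "localhost" all fail the hostname grammar above.
  if (!HOSTNAME.test(domain)) throw new Error(`invalid domain: ${input}`);
  if (LOCAL_SUFFIXES.some((suffix) => domain.endsWith(suffix))) {
    throw new Error(`local-only domain refused: ${input}`);
  }
  return domain; // does not cover a public name that resolves to a private IP
}

function reconcileDiscovered(discovered, network, registry = PINNED_REGISTRY) {
  // Look up by (code, network): the same code can exist on several networks.
  const pinned = registry.find((a) => a.code === discovered.code && a.network === network);
  if (!pinned) return { ...discovered, network, verified: false };
  const mismatched = ["sac", "authorizer"].filter(
    (key) => discovered[key] !== undefined && discovered[key] !== pinned[key]
  );
  if (mismatched.length > 0) {
    throw new Error(`${discovered.code}/${network}: ${mismatched.join(", ")} differ from pinned registry`);
  }
  // Pinned ids win; discovery may only contribute non-identity metadata.
  return { ...discovered, network, sac: pinned.sac, authorizer: pinned.authorizer, verified: true };
}

// Constructed spoofed discovery result: known code, attacker-chosen SAC.
try {
  reconcileDiscovered({ code: "EURCV", sac: "C_ATTACKER_SAC" }, "testnet");
} catch (err) {
  console.log("rejected:", err.message);
}
```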