ci(release): publish latest release

Author: hello-happy-puppy

.env.defaults

@@ -25,6 +25,7 @@ FIREBASE_APP_CHECK_DEBUG_TOKEN=stored-in-.env.local
 INCLUDE_PROTOTYPE_FEATURES=stored-in-.env.local
 GH_TOKEN_RN_CLI=
 NPM_READ_ONLY_TOKEN=stored-in-.env.local
+PRIVY_APP_ID=stored-in-.env.local
 IS_E2E_TEST=false
 ENABLE_SESSION_SERVICE=false
 ENABLE_SESSION_UPGRADE_AUTO=false

.husky/post-checkout

@@ -39,9 +39,9 @@ call_lefthook()
     elif bundle exec lefthook -h >/dev/null 2>&1
     then
       bundle exec lefthook "$@"
-    elif yarn lefthook -h >/dev/null 2>&1
+    elif bun lefthook -h >/dev/null 2>&1
     then
-      yarn lefthook "$@"
+      bun lefthook "$@"
     elif pnpm lefthook -h >/dev/null 2>&1
     then
       pnpm lefthook "$@"

.husky/pre-commit

@@ -39,9 +39,9 @@ call_lefthook()
     elif bundle exec lefthook -h >/dev/null 2>&1
     then
       bundle exec lefthook "$@"
-    elif yarn lefthook -h >/dev/null 2>&1
+    elif bun lefthook -h >/dev/null 2>&1
     then
-      yarn lefthook "$@"
+      bun lefthook "$@"
     elif pnpm lefthook -h >/dev/null 2>&1
     then
       pnpm lefthook "$@"

.husky/prepare-commit-msg

@@ -39,9 +39,9 @@ call_lefthook()
     elif bundle exec lefthook -h >/dev/null 2>&1
     then
       bundle exec lefthook "$@"
-    elif yarn lefthook -h >/dev/null 2>&1
+    elif bun lefthook -h >/dev/null 2>&1
     then
-      yarn lefthook "$@"
+      bun lefthook "$@"
     elif pnpm lefthook -h >/dev/null 2>&1
     then
       pnpm lefthook "$@"

AGENTS.md

@@ -44,7 +44,7 @@ bun extension build:production   # Extension production
 
 ```bash
 bun g:test                      # Run all tests
-bun g:test:coverage             # With coverage
+bun g:test:changed              # Run tests for changed packages
 bun web playwright:test         # Web E2E tests
 bun mobile e2e                  # Mobile E2E tests
 ```
@@ -87,7 +87,7 @@ bun i18n:extract                # Extract localized strings (run after changing
 #### State Management
 
 - **Redux** for complex global state
-- **Jotai** for simple state
+- **Zustand** for simple global/shared state — do not use Jotai, we are migrating away from it. Flag any new Jotai usage in PRs and require Zustand instead.
 - Keep state as local as possible
 - No custom hooks for simple data fetching - use `useQuery`/`useMutation` directly
 

RELEASE

@@ -1,6 +1,6 @@
 IPFS hash of the deployment:
-- CIDv0: `QmQG5W29KDrMdK5VzuMo4AdVSK2nFGhzcjJnZuzUuJuBof`
-- CIDv1: `bafybeia4roahjkbzzq5doa6oeop6s6hrl4ivhqkp6y5aksxhg6bmfh7p5i`
+- CIDv0: `QmVC4WhmppfmiCEHRPVduXaureggHB1cUJuCDZ4XqAKvrD`
+- CIDv1: `bafybeidfzz7oyo32bihvpmxfx5bkl2aenadpwn3wghz766iqvz3qtrnm7i`
 
 The latest release is always mirrored at [app.uniswap.org](https://app.uniswap.org).
 
@@ -10,5 +10,5 @@ You can also access the Uniswap Interface from an IPFS gateway.
 Your Uniswap settings are never remembered across different URLs.
 
 IPFS gateways:
-- https://bafybeia4roahjkbzzq5doa6oeop6s6hrl4ivhqkp6y5aksxhg6bmfh7p5i.ipfs.dweb.link/
-- [ipfs://QmQG5W29KDrMdK5VzuMo4AdVSK2nFGhzcjJnZuzUuJuBof/](ipfs://QmQG5W29KDrMdK5VzuMo4AdVSK2nFGhzcjJnZuzUuJuBof/)
+- https://bafybeidfzz7oyo32bihvpmxfx5bkl2aenadpwn3wghz766iqvz3qtrnm7i.ipfs.dweb.link/
+- [ipfs://QmVC4WhmppfmiCEHRPVduXaureggHB1cUJuCDZ4XqAKvrD/](ipfs://QmVC4WhmppfmiCEHRPVduXaureggHB1cUJuCDZ4XqAKvrD/)

VERSION

@@ -1 +1 @@
-web/5.138.1
+web/5.139.0

apps/extension/e2e/sandbox-test/child.html

@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Sandbox Child Frame</title>
+  <style>
+    body { font-family: monospace; padding: 8px; margin: 0; background: #1a1a2e; color: #e0e0e0; font-size: 11px; }
+    .status { padding: 4px 8px; border-radius: 4px; margin: 2px 0; }
+    .pass { background: #0f5132; color: #75b798; }
+    .fail { background: #842029; color: #ea868f; }
+    .neutral { background: #333; color: #aaa; }
+  </style>
+</head>
+<body>
+  <div id="info">Detecting providers...</div>
+  <script>
+    const origin = window.origin;
+    const hasEthereum = typeof window.ethereum !== 'undefined' && window.ethereum !== null;
+
+    // Listen for Uniswap's EIP-6963 announceProvider event
+    let hasUniswapProvider = false;
+    const UNISWAP_RDNS = 'org.uniswap.app';
+
+    window.addEventListener('eip6963:announceProvider', (event) => {
+      if (event.detail && event.detail.info && event.detail.info.rdns === UNISWAP_RDNS) {
+        hasUniswapProvider = true;
+        updateDisplay();
+      }
+    });
+
+    // Request providers via EIP-6963
+    window.dispatchEvent(new Event('eip6963:requestProvider'));
+
+    // Give providers time to respond, then report
+    setTimeout(() => {
+      updateDisplay();
+      report();
+    }, 500);
+
+    function updateDisplay() {
+      const otherWallet = hasEthereum && !hasUniswapProvider;
+      document.getElementById('info').innerHTML = `
+        <div class="status">origin: <strong>${origin}</strong></div>
+        <div class="status ${hasUniswapProvider ? 'pass' : 'fail'}">
+          Uniswap provider (EIP-6963): <strong>${hasUniswapProvider ? 'PRESENT' : 'ABSENT'}</strong>
+        </div>
+        ${otherWallet ? '<div class="status neutral">window.ethereum present from another wallet (ignored)</div>' : ''}
+      `;
+    }
+
+    function report() {
+      try {
+        window.parent.postMessage({
+          type: 'sandbox-test-report',
+          origin: origin,
+          hasUniswapProvider: hasUniswapProvider,
+        }, '*');
+      } catch (e) {
+        // postMessage may fail in some sandbox configurations
+      }
+    }
+  </script>
+</body>
+</html>

apps/extension/e2e/sandbox-test/index.html

@@ -0,0 +1,135 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Extension Sandbox Origin Validation Test</title>
+  <style>
+    * { box-sizing: border-box; }
+    body { font-family: system-ui, -apple-system, sans-serif; background: #0f0f23; color: #e0e0e0; padding: 24px; margin: 0; }
+    h1 { color: #ff79c6; margin-bottom: 4px; }
+    .subtitle { color: #888; margin-bottom: 24px; }
+    .grid { display: grid; grid-template-columns: repeat(3, 1fr); gap: 16px; margin-bottom: 24px; }
+    .card { background: #1a1a2e; border: 1px solid #333; border-radius: 8px; padding: 16px; }
+    .card h3 { margin: 0 0 8px; font-size: 14px; color: #bd93f9; }
+    .card .detail { font-size: 12px; color: #888; margin-bottom: 12px; }
+    .card iframe { width: 100%; height: 100px; border: 1px solid #444; border-radius: 4px; }
+    .result { margin-top: 12px; padding: 8px; border-radius: 4px; font-size: 13px; font-weight: 600; }
+    .result.pass { background: #0f5132; color: #75b798; border: 1px solid #0f5132; }
+    .result.fail { background: #842029; color: #ea868f; border: 1px solid #842029; }
+    .result.waiting { background: #332701; color: #ffda6a; border: 1px solid #332701; }
+    .instructions { background: #1a1a2e; border: 1px solid #333; border-radius: 8px; padding: 16px; font-size: 13px; line-height: 1.6; }
+    .instructions code { background: #2a2a3e; padding: 2px 6px; border-radius: 3px; font-size: 12px; }
+  </style>
+</head>
+<body>
+  <h1>Sandbox Origin Validation Test</h1>
+  <p class="subtitle">Bug bounty #621 — Verify sandboxed frames cannot receive the Uniswap provider</p>
+
+  <div class="grid">
+    <div class="card">
+      <h3>1. Normal Frame (no sandbox)</h3>
+      <div class="detail">Expected: origin = http://localhost:*, Uniswap provider = PRESENT</div>
+      <iframe id="frame-normal" src="child.html"></iframe>
+      <div id="result-normal" class="result waiting">Waiting for report...</div>
+    </div>
+
+    <div class="card">
+      <h3>2. Sandboxed (allow-scripts only)</h3>
+      <div class="detail">Expected: origin = "null", Uniswap provider = ABSENT</div>
+      <iframe id="frame-sandboxed" src="child.html" sandbox="allow-scripts"></iframe>
+      <div id="result-sandboxed" class="result waiting">Waiting for report...</div>
+    </div>
+
+    <div class="card">
+      <h3>3. Sandboxed (allow-scripts + allow-same-origin)</h3>
+      <div class="detail">Expected: origin = http://localhost:*, Uniswap provider = PRESENT</div>
+      <iframe id="frame-same-origin" src="child.html" sandbox="allow-scripts allow-same-origin"></iframe>
+      <div id="result-same-origin" class="result waiting">Waiting for report...</div>
+    </div>
+  </div>
+
+  <div class="instructions">
+    <strong>How to use:</strong><br>
+    1. Serve this directory: <code>python3 -m http.server 8080</code><br>
+    2. Load the extension in Chrome (webpack dev build via <code>bun start:webpack</code>)<br>
+    3. Open <code>http://localhost:8080</code> in Chrome<br>
+    4. All three cards should show their expected results (green = pass, red = fail)<br>
+    <br>
+    <strong>Note:</strong> This test detects the <strong>Uniswap provider specifically</strong> via EIP-6963 (<code>rdns: org.uniswap.app</code>),
+    so other wallet extensions (MetaMask, etc.) won't cause false positives.
+  </div>
+
+  <script>
+    const expectations = {
+      normal:        { originIsNull: false, hasUniswapProvider: true },
+      sandboxed:     { originIsNull: true,  hasUniswapProvider: false },
+      'same-origin': { originIsNull: false, hasUniswapProvider: true },
+    };
+
+    const received = {};
+
+    window.addEventListener('message', (event) => {
+      if (!event.data || event.data.type !== 'sandbox-test-report') {
+        return;
+      }
+
+      const { origin, hasUniswapProvider } = event.data;
+      const isNull = origin === 'null';
+
+      // Determine which frame sent this
+      let frameId = null;
+      for (const [id, expect] of Object.entries(expectations)) {
+        if (received[id]) continue;
+        if (expect.originIsNull === isNull) {
+          frameId = id;
+          break;
+        }
+      }
+
+      // Fallback: match by source iframe
+      if (!frameId) {
+        const frames = ['normal', 'sandboxed', 'same-origin'];
+        for (const id of frames) {
+          if (received[id]) continue;
+          const iframe = document.getElementById('frame-' + id);
+          try {
+            if (event.source === iframe.contentWindow) {
+              frameId = id;
+              break;
+            }
+          } catch (e) { /* cross-origin access may throw */ }
+        }
+      }
+
+      if (!frameId) return;
+      received[frameId] = true;
+
+      const expect = expectations[frameId];
+      const originPass = expect.originIsNull === isNull;
+      const providerPass = expect.hasUniswapProvider === hasUniswapProvider;
+      const allPass = originPass && providerPass;
+
+      const el = document.getElementById('result-' + frameId);
+      el.className = 'result ' + (allPass ? 'pass' : 'fail');
+      el.innerHTML = `
+        ${allPass ? 'PASS' : 'FAIL'} &mdash;
+        origin: ${origin} (${originPass ? 'ok' : 'WRONG'}),
+        Uniswap provider: ${hasUniswapProvider ? 'present' : 'absent'} (${providerPass ? 'ok' : 'WRONG'})
+      `;
+    });
+
+    // Timeout fallback
+    setTimeout(() => {
+      for (const id of Object.keys(expectations)) {
+        if (!received[id]) {
+          const el = document.getElementById('result-' + id);
+          if (el.classList.contains('waiting')) {
+            el.className = 'result fail';
+            el.textContent = 'No report received (frame may be blocked)';
+          }
+        }
+      }
+    }, 5000);
+  </script>
+</body>
+</html>

apps/extension/e2e/tests/smoke/basic-setup.test.ts

@@ -30,15 +30,10 @@ test.describe('Basic Extension Setup', () => {
   })
 
   test('background script loads', async ({ context }) => {
-    // Wait for background script/service worker to load
+    // Wait for service worker to load (MV3 extensions use service workers)
     await sleep(ONE_SECOND_MS * 2)
 
-    // Check for background pages or service workers
-    const backgroundPages = context.backgroundPages()
     const serviceWorkers = context.serviceWorkers()
-
-    // Either background pages or service workers should exist
-    const hasBackground = backgroundPages.length > 0 || serviceWorkers.length > 0
-    expect(hasBackground).toBeTruthy()
+    expect(serviceWorkers.length).toBeGreaterThan(0)
   })
 })