Feature/add safe multisig tool

[invocamanman]

• add safe multisig tool
  • Manage a safe offchain, allowing udpating the owners and sign any transaction ( in case projects want to use a multisig without gnosis UI)
  • Especifically give roleAdmin of the timelock to another address (In case projects want to receive the admin role and manage it themselves)
• add ledger support
• Add utils to easily deploy gnosis safes

[krlosMata]

@codex review

[chatgpt-codex-connector]

To use Codex here, create a Codex account and connect to github.

[Copilot]

Pull request overview

This pull request adds comprehensive tooling for managing Gnosis Safe multisig wallets, with specific focus on granting timelock roles and general Safe operations. The PR includes Ledger hardware wallet support and utilities for deploying Safes.

Changes:

• Adds Safe multisig transaction signing and execution tools with EIP-712 support
• Integrates Ledger hardware wallet support via hardhat configuration and patches
• Provides utilities for managing Safe owners, granting timelock roles, and deploying Safes

Reviewed changes

Copilot reviewed 25 out of 26 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
tools/safeMultisigGrantRole/*	Tools for granting timelock roles via Safe multisig
tools/safeMultisig/*	General Safe multisig transaction management utilities
tools/ledgerGrantRoles/*	Tool for self-granting PROPOSER and EXECUTOR roles
tools/deploySafe/*	Utility for deploying Safes to multiple networks
tools/replayTx/*	Transaction replay utility
hardhat.config.ts	Ledger integration in network configurations
package.json	Added hardhat-ledger and patch-package dependencies
patches/*	Patch for hardhat-ledger to fix eth_accounts deprecation

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[krlosMata]

@codex review this PR

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ed6ea20c7e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[krlosMata]

@codex review

[Copilot]

Pull request overview

Copilot reviewed 25 out of 26 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The value field in SafeTransaction should be string type to handle large uint256 values safely, not number. JavaScript numbers can only safely represent integers up to 2^53-1, while Ethereum values can be much larger.

[Copilot]

The discrepancy in GUIDE_SAFE_MULTISIG_GRANT_ROLE.md references clone URLs from different repositories. Line 73 uses 'agglayer-contracts' while line 375 uses '0xPolygonHermez/zkevm-contracts'. These should be consistent and point to the correct repository.

[Copilot]

Similar repository URL inconsistency - uses '0xPolygonHermez/zkevm-contracts' but should likely be 'agglayer/agglayer-contracts' to match the repository context.

[Copilot]

Node version requirement changed from 16.x/18.x to 22.x which is a major version jump. The package.json and hardhat dependencies should be verified to support Node 22.x. Additionally, the hardhat.config.ts shows EDR now requires "node >= 20" which conflicts with the README stating 22.x.

Suggested change

	- node version: 22.x
	- node version: >= 20.x (tested with 22.x)

[Copilot]

The OWNERS array contains an empty string which will cause the deployment to fail. This should be validated before attempting deployment or documented as requiring configuration.

[Copilot]

The validation check for OWNERS uses a string comparison with '0x...' which won't catch the empty string on line 61. The validation should check for empty strings or consider using ethers.isAddress() to validate all addresses.

Suggested change

	if (OWNERS.length === 0 || OWNERS.some((o) => o === '0x...')) {
	if (
	OWNERS.length === 0 ||
	OWNERS.some((o) => !o || o.trim() === '' || !ethers.isAddress(o))
	) {

[Copilot]

SafeTransaction interface uses number type for the value field, but Ethereum values can exceed JavaScript's safe integer range (2^53-1). This should be string or bigint to handle large ETH amounts safely. This issue is also present in executeSafeTransaction.ts.

Suggested change

	value: number;
	data: string;
	operation: number;
	safeTxGas: number;
	baseGas: number;
	gasPrice: number;
	gasToken: string;
	refundReceiver: string;
	nonce: number;
	value: string;
	data: string;
	operation: number;
	safeTxGas: string;
	baseGas: string;
	gasPrice: string;
	gasToken: string;
	refundReceiver: string;
	nonce: string;

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 370b752b93

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Guard against signing on the wrong chain

This script computes the Safe EIP-712 hash using the chainId of the current Hardhat network, but it never checks that the transaction being signed was prepared for the same chain (the prepared transaction includes chainId). If a signer runs this on the wrong --network, it will happily append a signature for a different chainId, and the resulting signatures will never validate when executing on the intended chain. Add a check that transaction.chainId === chainId (or refuse when transaction.chainId is set and differs) before hashing/signing to avoid producing unusable signatures.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Respect mnemonic derivation settings from network config

When accounts is configured with a mnemonic plus path/initialIndex in hardhat.config.ts, this helper ignores those settings and always derives the default m/44'/60'/0'/0/0 account via Wallet.fromPhrase. That means deployments can be signed from a different address than every other Hardhat script on the same network config (and from an address that may not be funded). Consider reading accounts.path and accounts.initialIndex and deriving the correct account to avoid unexpected deployer addresses.

Useful? React with 👍 / 👎.