hyperlane-xyz
diff --git a/‎.claude/skills/claude-review/SKILL.md‎
Lines changed: 20 additions & 0 deletions b/‎.claude/skills/claude-review/SKILL.md‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎.claude/skills/claude-security-review/SKILL.md‎
Lines changed: 21 additions & 0 deletions b/‎.claude/skills/claude-security-review/SKILL.md‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎.github/prompts/code-review.md‎
Lines changed: 44 additions & 0 deletions b/‎.github/prompts/code-review.md‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎.github/prompts/security-scan.md‎
Lines changed: 38 additions & 0 deletions b/‎.github/prompts/security-scan.md‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 20 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎.github/workflows/claude-code-review.yml‎
Lines changed: 208 additions & 0 deletions b/‎.github/workflows/claude-code-review.yml‎
Lines changed: 208 additions & 0 deletions
@@ -0,0 +1,20 @@
+---
+name: claude-review
+description: Review code changes using Hyperlane Warp UI coding standards. Use when reviewing PRs, checking your own changes, or doing self-review before committing.
+---
+
+# Code Review Skill
+
+Use this skill to review code changes against Hyperlane Warp UI standards.
+
+## When to Use
+
+- Before committing changes (self-review)
+- When asked to review a PR or diff
+- To check if changes follow project patterns
+
+## Instructions
+
+Read and apply the guidelines from `.github/prompts/code-review.md` to review the code changes.
+
+Security issues should use `/claude-security-review` instead.
@@ -0,0 +1,21 @@
+---
+name: claude-security-review
+description: Security-focused review for frontend/Web3 code. Use for XSS, wallet security, CSP, and dependency checks.
+---
+
+# Security Review Skill
+
+Use this skill for security-focused code review of frontend Web3 code.
+
+## When to Use
+
+- Reviewing wallet integration code
+- Checking for XSS vulnerabilities
+- CSP header changes
+- Dependency updates
+
+## Instructions
+
+Read and apply the security guidelines from `.github/prompts/security-scan.md` to review the code changes.
+
+Report findings with severity ratings (Critical/High/Medium/Low/Informational) and suggested fixes.
@@ -0,0 +1,44 @@
+Review this pull request. Focus on:
+
+## Code Quality
+
+- Logic errors and potential bugs
+- Error handling and edge cases
+- Code clarity and maintainability
+- Adherence to existing patterns in the codebase
+- **Use existing utilities** - Search codebase before adding new helpers
+- **Prefer `??` over `||`** - Preserves zero/empty string as valid values
+
+## Architecture
+
+- Consistency with existing architecture patterns
+- Breaking changes or backward compatibility issues
+- API contract changes
+- **Deduplicate** - Move repeated code/types to shared files
+- **Extract utilities** - Shared functions belong in utils packages
+
+## Testing
+
+- Test coverage for new/modified code
+- Edge cases that should be tested
+- **New utility functions need unit tests**
+
+## Performance
+
+- Unnecessary re-renders or computations
+- Bundle size impact of new dependencies
+
+## Frontend-Specific
+
+- **Use existing utilities** - Check `src/utils/` before adding (normalizeAddress, etc.)
+- **Chain-aware addresses** - Only lowercase EVM hex; Solana/Cosmos are case-sensitive
+- **CSP updates required** - New external scripts/styles need `next.config.js` CSP updates
+- **Avoid floating promises** - In useEffect, use IIFE or separate async function
+- **Use useQuery refetch** - Don't reinvent; use built-in refetch from TanStack Query
+- **Flatten rendering logic** - Avoid nested if; use early returns instead
+- **Zustand patterns** - Follow existing store patterns in `src/features/store.ts`
+- **Constants outside functions** - Move config/constants outside component functions
+
+Provide actionable feedback with specific line references.
+Be concise. For minor style issues, group them together.
+Security issues are handled by a separate dedicated review.
@@ -0,0 +1,38 @@
+## Frontend Security Focus Areas
+
+This is a Web3 frontend application. Pay special attention to:
+
+### XSS & Content Security
+- Input sanitization before rendering user data
+- Dangerous patterns: dangerouslySetInnerHTML, eval(), innerHTML
+- URL validation (javascript: protocol, data: URLs)
+- CSP headers and inline script risks
+
+### Web3 Wallet Security
+- Blind signature attacks (signing data without user understanding)
+- Transaction simulation before signing
+- Clear message display before signature requests
+- Proper origin/domain verification for wallet connections
+- **Chain-aware address validation** - EVM hex can lowercase; Solana base58/Cosmos bech32 are case-sensitive
+- **Don't collapse addresses** - Normalizing non-EVM addresses can create security issues
+
+### Dependency & Supply Chain
+- Known vulnerabilities in dependencies
+- Malicious packages, typosquatting
+- Outdated critical security packages
+
+### API & Token Security
+- CORS configuration
+- Token storage (avoid localStorage for sensitive tokens)
+- API key exposure in client-side code
+
+### Private Key Handling
+- NEVER expose private keys client-side
+- Check for hardcoded keys or mnemonics
+- Wallet connection patterns should not request keys
+
+### Content Security Policy
+- New external resources (scripts, styles, frames) need CSP header updates
+- Check `next.config.js` for script-src, style-src, connect-src, frame-src
+- Third-party integrations (Intercom, analytics, wallets) need explicit allowlisting
+- Test with CSP enabled in production mode
@@ -19,7 +19,11 @@ jobs:
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v6
         with:
+<<<<<<< HEAD
           node-version-file: 'package.json'
+=======
+          node-version-file: '.nvmrc'
+>>>>>>> origin/main
 
       - name: Get pnpm store directory
         id: pnpm-store
@@ -52,7 +56,11 @@ jobs:
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v6
         with:
+<<<<<<< HEAD
           node-version-file: 'package.json'
+=======
+          node-version-file: '.nvmrc'
+>>>>>>> origin/main
 
       - name: Get pnpm store directory
         id: pnpm-store
@@ -83,7 +91,11 @@ jobs:
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v6
         with:
+<<<<<<< HEAD
           node-version-file: 'package.json'
+=======
+          node-version-file: '.nvmrc'
+>>>>>>> origin/main
 
       - name: Get pnpm store directory
         id: pnpm-store
@@ -118,7 +130,11 @@ jobs:
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v6
         with:
+<<<<<<< HEAD
           node-version-file: 'package.json'
+=======
+          node-version-file: '.nvmrc'
+>>>>>>> origin/main
 
       - name: Get pnpm store directory
         id: pnpm-store
@@ -147,7 +163,11 @@ jobs:
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v6
         with:
+<<<<<<< HEAD
           node-version-file: 'package.json'
+=======
+          node-version-file: '.nvmrc'
+>>>>>>> origin/main
 
       - name: Get pnpm store directory
         id: pnpm-store
 
@@ -0,0 +1,208 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+  pull_request_review_comment:
+    types: [created]
+  issue_comment:
+    types: [created]
+
+concurrency:
+  group: claude-review-${{ github.event.pull_request.number || github.event.issue.number }}
+  cancel-in-progress: false
+
+jobs:
+  code-review:
+    if: |
+      (
+        github.event_name == 'issue_comment' &&
+        github.event.issue.pull_request &&
+        contains(github.event.comment.body, '@claude review') &&
+        (
+          github.event.comment.author_association == 'MEMBER' ||
+          github.event.comment.author_association == 'OWNER' ||
+          github.event.comment.author_association == 'COLLABORATOR'
+        )
+      ) ||
+      (
+        github.event_name == 'pull_request' &&
+        contains(join(github.event.pull_request.labels.*.name, ','), 'claude-review') &&
+        github.event.pull_request.head.repo.full_name == github.repository
+      )
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
+    steps:
+      - name: Get PR SHA
+        id: pr-sha
+        uses: actions/github-script@v7
+        with:
+          script: |
+            if (context.eventName === 'issue_comment') {
+              const { data: pr } = await github.rest.pulls.get({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.issue.number
+              });
+              core.setOutput('head_sha', pr.head.sha);
+            } else {
+              core.setOutput('head_sha', context.payload.pull_request.head.sha);
+            }
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ steps.pr-sha.outputs.head_sha }}
+          fetch-depth: 0
+
+      - name: Read code review prompt
+        id: prompt
+        run: |
+          {
+            echo 'content<<EOF'
+            cat .github/prompts/code-review.md
+            echo 'EOF'
+          } >> $GITHUB_OUTPUT
+
+      - name: Run Claude Code Review
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          prompt: ${{ steps.prompt.outputs.content }}
+          track_progress: true
+          use_sticky_comment: true
+          claude_args: |
+            --model claude-opus-4-5
+            --max-turns 30
+
+  security-review:
+    if: |
+      (
+        github.event_name == 'pull_request' &&
+        !github.event.pull_request.draft &&
+        github.event.pull_request.head.repo.full_name == github.repository
+      ) ||
+      (
+        github.event_name == 'issue_comment' &&
+        github.event.issue.pull_request &&
+        contains(github.event.comment.body, '@claude security') &&
+        (
+          github.event.comment.author_association == 'MEMBER' ||
+          github.event.comment.author_association == 'OWNER' ||
+          github.event.comment.author_association == 'COLLABORATOR'
+        )
+      )
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
+    steps:
+      - name: Get PR SHA
+        id: pr-sha
+        uses: actions/github-script@v7
+        with:
+          script: |
+            if (context.eventName === 'issue_comment') {
+              const { data: pr } = await github.rest.pulls.get({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.issue.number
+              });
+              core.setOutput('head_sha', pr.head.sha);
+            } else {
+              core.setOutput('head_sha', context.payload.pull_request.head.sha);
+            }
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ steps.pr-sha.outputs.head_sha }}
+          fetch-depth: 2
+
+      - name: Run Claude Security Review
+        uses: anthropics/claude-code-security-review@25e460eb0a12077f0c6a1934d5dbae2f50785dda
+        with:
+          claude-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
+          comment-pr: true
+          upload-results: true
+          exclude-directories: 'node_modules,dist,.next,coverage,cache'
+          claudecode-timeout: '15'
+          claude-model: claude-opus-4-5
+          custom-security-scan-instructions: '.github/prompts/security-scan.md'
+
+  interactive:
+    if: |
+      (
+        github.event_name == 'issue_comment' &&
+        github.event.issue.pull_request &&
+        contains(github.event.comment.body, '@claude') &&
+        !contains(github.event.comment.body, '@claude review') &&
+        !contains(github.event.comment.body, '@claude security') &&
+        (
+          github.event.comment.author_association == 'MEMBER' ||
+          github.event.comment.author_association == 'OWNER' ||
+          github.event.comment.author_association == 'COLLABORATOR'
+        )
+      ) ||
+      (
+        github.event_name == 'pull_request_review_comment' &&
+        github.event.pull_request.head.repo.full_name == github.repository &&
+        contains(github.event.comment.body, '@claude') &&
+        !contains(github.event.comment.body, '@claude security') &&
+        (
+          github.event.comment.author_association == 'MEMBER' ||
+          github.event.comment.author_association == 'OWNER' ||
+          github.event.comment.author_association == 'COLLABORATOR'
+        )
+      )
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
+    steps:
+      - name: Get PR SHA
+        id: pr-sha
+        uses: actions/github-script@v7
+        with:
+          script: |
+            let prNumber;
+            if (context.eventName === 'issue_comment') {
+              prNumber = context.issue.number;
+            } else if (context.eventName === 'pull_request_review_comment') {
+              prNumber = context.payload.pull_request.number;
+            }
+            if (prNumber) {
+              const { data: pr } = await github.rest.pulls.get({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: prNumber
+              });
+              core.setOutput('head_sha', pr.head.sha);
+            }
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ steps.pr-sha.outputs.head_sha || github.sha }}
+          fetch-depth: 0
+
+      - name: Run Claude Code Assistant
+        uses: anthropics/claude-code-action@v1
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          track_progress: true
+          use_sticky_comment: true
+          claude_args: |
+            --model claude-sonnet-4-5
+            --max-turns 20