[DOCS] Developer guides and API spec — issues #196, #197, #198, #199 #203
…laxy-KJ#199 — developer guides and API spec

Galaxy-KJ#197 — Add docs/guides/social-login-integration.md: two-layer OAuth+WebAuthn security model, onboard/login flows, full Supabase example, security guarantees, and backend verification. Cross-link from webauthn-guide.md and auth README.

Galaxy-KJ#196 — Add docs/guides/oracle-integration.md: off-chain price feeds (OracleAggregator, CoinGecko, strategies), on-chain Soroban oracle layer, and automation PRICE trigger wiring with end-to-end XLM/USDC swap example. Add Oracle node to defi-aggregation-flow.md diagram. Cross-link from oracle CLI reference.

Galaxy-KJ#198 — Rewrite docs/api/api-reference.md from actual route implementations: DeFi (swap quote, swap, Blend supply/withdraw/borrow/repay, liquidity add/remove, pool analytics), wallets/submit-tx (fee-bump sponsor endpoint), WebSocket channels. Remove all invented endpoints and privateKey response fields.

Galaxy-KJ#199 — Add docs/contracts/deployment-runbook.md: full step-by-step runbook covering account creation, WASM build, upload, factory deploy + init, wallet instance smoke test, fee-bump sponsor setup, testnet E2E test, mainnet promotion checklist, and env var reference. Add fee-bump architecture section to smart-wallet-contract.md. Cross-link from deployment.md.
No actionable comments were generated in the recent review. 🎉
📝 Walkthrough
This PR updates and replaces the API reference with a REST-focused doc set (new DeFi endpoints, JWT auth for mutating calls, and a fee-sponsored
Changes
Sequence Diagram(s)
```mermaid
sequenceDiagram
    autonumber
    participant Client as Client\n(browser/mobile)
    participant API as Galaxy DevKit\nAPI Server
    participant Sponsor as Fee Sponsor\n(Account/Service)
    participant RPC as Soroban\nRPC
    Client->>API: POST /api/v1/wallets/submit-tx\n(signed inner TX XDR, fee=0)
    API->>API: validate XDR, rate-limit, parse inner tx
    API->>Sponsor: build FeeBumpTransaction(innerTx, sponsorKey, fee)
    Sponsor->>Sponsor: sign outer fee-bump envelope\n(rgba(60,120,180,0.5))
    Sponsor->>API: return signed fee-bump XDR
    API->>RPC: submitTransaction(signedFeeBumpXDR)
    RPC-->>API: tx submission result (success/failure)
    API-->>Client: 200/502 with submission status or error
```
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks | ✅ Passed checks (5 passed)
Actionable comments posted: 5
🧹 Nitpick comments (2)
docs/contracts/deployment-runbook.md (2)
209-221: Fee-bump flow is accurate but could be more explicit about signing.
The flow description matches the implementation in `packages/api/rest/src/routes/wallets/submit-tx.route.ts`. However, line 218 states "The server wraps the inner transaction in a `FeeBumpTransaction` and signs the outer envelope" but this is somewhat implicit. Consider making it more explicit that the server signs only the outer fee-bump envelope and never touches the user's inner transaction signature.
📝 Proposed clarification
3. The server reads `FEE_SPONSOR_SECRET_KEY` from the environment. -4. The server wraps the inner transaction in a `FeeBumpTransaction` and signs the outer envelope. +4. The server wraps the inner transaction in a `FeeBumpTransaction` and signs *only* the outer fee-bump envelope (the user's inner signature is preserved and never accessed by the server). 5. The fee-bump transaction is submitted to Soroban RPC.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/contracts/deployment-runbook.md` around lines 209 - 221, The docs currently imply the server signs the fee-bump but aren’t explicit that it never modifies or re-signs the user's inner transaction; update the Step 7 text for POST /api/v1/wallets/submit-tx to explicitly state that the server reads FEE_SPONSOR_SECRET_KEY, wraps the already user-signed inner transaction in a FeeBumpTransaction, signs only the outer envelope with the sponsor key and never alters or resigns the inner transaction signature (reflecting the behavior in packages/api/rest/src/routes/wallets/submit-tx.route.ts and the FeeBumpTransaction handling).
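Review bot: In the proposed step 4, "never accessed by the server" overstates the guarantee, because the flow has the server receive and parse the signed inner transaction XDR ("validate XDR, rate-limit, parse inner tx"), so it does read the envelope that carries the user's signature. Suggest wording along the lines of "the user's inner signature is preserved unchanged; the server does not modify or re-sign the inner transaction", which is the property the sponsor flow actually provides.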
341-343: Oracle troubleshooting entry seems out of scope.
The troubleshooting entry about "Insufficient sources from OracleAggregator during automation" appears unrelated to contract deployment. This runbook focuses on deploying smart wallet contracts and setting up fee sponsorship. Oracle configuration is covered in the Oracle integration guide (per PR objectives).
Consider removing this troubleshooting entry or moving it to `docs/guides/oracle-integration.md` where it would be more contextually relevant.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/contracts/deployment-runbook.md` around lines 341 - 343, Remove the "Insufficient sources from OracleAggregator during automation" troubleshooting block from the deployment runbook and move it into the Oracle integration guide; specifically delete the heading and paragraph titled "`Insufficient sources` from OracleAggregator during automation" from the contracts deployment runbook and add the same content (preserving references to `CoinGeckoSource` and `minSources`) under an Oracle troubleshooting section in the Oracle integration guide, and add a brief cross-reference from the deployment runbook to the Oracle guide if desired.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: bdcf1d78-5f79-4515-9598-e00a6be4c80e
📒 Files selected for processing (10)
- docs/api/api-reference.md
- docs/architecture/defi-aggregation-flow.md
- docs/cli/oracle.md
- docs/contracts/deployment-runbook.md
- docs/contracts/deployment.md
- docs/contracts/smart-wallet-contract.md
- docs/guides/oracle-integration.md
- docs/guides/social-login-integration.md
- docs/smart-wallet/webauthn-guide.md
- packages/core/wallet/auth/README.md
| ## WebSocket API | ||
|
|
||
| The WebSocket server (`packages/api/websocket/`) is a Socket.io server available separately from the REST API. It provides real-time streams for market prices, transaction status, and automation events. | ||
|
|
||
| **Connection** | ||
|
|
||
| // Subscribe to updates | ||
| galaxy.websocket.subscribe('wallet:wallet123', (update) => { | ||
| console.log('Wallet updated:', update); | ||
| ```ts | ||
| import { io } from 'socket.io-client'; | ||
|
|
||
| const socket = io('http://localhost:3001', { | ||
| auth: { token: supabaseJwt }, | ||
| }); | ||
| ``` | ||
|
|
||
| ### Python SDK | ||
| ```python | ||
| from galaxy_sdk import GalaxySDK | ||
|
|
||
| galaxy = GalaxySDK( | ||
| api_key='your-api-key', | ||
| network='testnet' | ||
| ) | ||
|
|
||
| # Create wallet | ||
| wallet = galaxy.wallets.create( | ||
| user_id='user123' | ||
| ) | ||
|
|
||
| # Send payment | ||
| payment = galaxy.payments.send( | ||
| from_address=wallet.public_key, | ||
| to_address='destination-address', | ||
| amount='10', | ||
| asset='XLM' | ||
| ) | ||
| **Market data channel** | ||
|
|
||
| ```ts | ||
| socket.emit('subscribe:market', { symbol: 'XLM/USD' }); | ||
| socket.on('market:price', (data) => console.log(data)); | ||
| ``` | ||
|
|
||
| ### JavaScript SDK | ||
| ```javascript | ||
| import { GalaxySDK } from '@galaxy/sdk-javascript'; | ||
| **Transaction status channel** | ||
|
|
||
| const galaxy = new GalaxySDK({ | ||
| apiKey: 'your-api-key', | ||
| network: 'testnet' | ||
| }); | ||
| ```ts | ||
| socket.emit('subscribe:transaction', { hash: 'abc123...' }); | ||
| socket.on('transaction:status', (data) => console.log(data.status)); | ||
| ``` | ||
|
|
||
| // Create wallet | ||
| const wallet = await galaxy.wallets.create({ | ||
| userId: 'user123' | ||
| }); | ||
| **Automation events channel** | ||
|
|
||
| // Send payment | ||
| const payment = await galaxy.payments.send({ | ||
| from: wallet.publicKey, | ||
| to: 'destination-address', | ||
| amount: '10', | ||
| asset: 'XLM' | ||
| }); | ||
| ```ts | ||
| socket.emit('subscribe:automation', { userId: 'user-abc' }); | ||
| socket.on('automation:triggered', (event) => console.log(event)); | ||
| socket.on('automation:executed', (result) => console.log(result)); | ||
| ``` | ||
|
|
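Review bot: The Connection example passes `auth: { token: supabaseJwt }` to `io('http://localhost:3001', …)`, so as written the JWT is sent in the handshake over plaintext HTTP/WS. Add a sentence next to the snippet saying the localhost URL is for local development only and that deployed clients must connect to an `https://` (wss) origin, since the token in the handshake is a bearer credential.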
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Description: Verify WebSocket server implementation matches documented channels
# Look for Socket.io event handlers and channel names
rg -n "(subscribe:market|subscribe:transaction|subscribe:automation|market:price|transaction:status|automation:triggered|automation:executed)" packages/api/websocket/
# Check for Socket.io server setup
rg -n "socket\.io|io\(" packages/api/websocket/
```
Repository: Galaxy-KJ/Galaxy-DevKit
Length of output: 50380
🏁 Script executed:
```bash
# Check connection-handler for subscription logic
head -100 packages/api/websocket/src/handlers/connection-handler.ts
# Search for 'subscribe' more broadly
rg -n "subscribe" packages/api/websocket/src/ --context 3
```
Repository: Galaxy-KJ/Galaxy-DevKit
Length of output: 33336
Update WebSocket API documentation to match actual implementation event names.
The documented event names do not match the implementation:
- Subscription events use `*:subscribe` pattern (e.g., `market:subscribe`), not `subscribe:*` (e.g., `subscribe:market`)
- Market data event is `market:price_update`, not `market:price`
- Client code examples on lines 410, 416, 422, and 428 will fail with the documented event names
Correct the code snippets to reflect actual event names used by the WebSocket handlers.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/api/api-reference.md` around lines 400 - 435, Update the WebSocket
examples so the client uses the actual event names: replace the subscribe calls
from the `subscribe:*` pattern to the `*:subscribe` pattern (e.g., use
`market:subscribe`, `transaction:subscribe`, `automation:subscribe`), and update
the market data listener from `market:price` to `market:price_update`; leave the
transaction and automation listeners (`transaction:status`,
`automation:triggered`, `automation:executed`) as-is. Ensure the example socket
emit payloads remain unchanged and the auth/token usage is preserved.
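A drift check for the mismatch described in the comment above, as an added example that is not part of the PR or of Galaxy DevKit: it pulls every `socket.emit`/`socket.on` event name out of a documentation snippet and reports the ones the server does not implement, with a suggested replacement. `IMPLEMENTED_EVENTS` is an assumption copied from the names quoted in the review comment (a real check would extract it from `packages/api/websocket/src/`), and `DOC_SNIPPET` is constructed from the documented examples.

```javascript
// Event names the review comment reports as implemented by the WebSocket
// handlers (assumption: copied from the comment, not read from the repo).
const IMPLEMENTED_EVENTS = new Set([
  'market:subscribe',
  'transaction:subscribe',
  'automation:subscribe',
  'market:price_update',
  'transaction:status',
  'automation:triggered',
  'automation:executed',
]);

// Built-in Socket.IO client events; these are never declared by server handlers.
const RESERVED_EVENTS = new Set(['connect', 'connect_error', 'disconnect']);

// Constructed sample: the documented client calls, plus one reserved-event
// listener (last line) added here to exercise the allow-list.
const DOC_SNIPPET = [
  "socket.emit('subscribe:market', { symbol: 'XLM/USD' });",
  "socket.on('market:price', (data) => console.log(data));",
  "socket.emit('subscribe:transaction', { hash: 'abc123...' });",
  "socket.on('transaction:status', (data) => console.log(data.status));",
  "socket.emit('subscribe:automation', { userId: 'user-abc' });",
  "socket.on('automation:triggered', (event) => console.log(event));",
  "socket.on('automation:executed', (result) => console.log(result));",
  "socket.on('connect_error', (err) => console.error(err.message));",
].join('\n');

// Collect { kind, event, line } for each socket.emit / socket.on / socket.once
// call whose first argument is a string literal.
function extractSocketEvents(markdown) {
  const pattern = /\bsocket\.(emit|on|once)\(\s*(['"`])([^'"`]+)\2/g;
  const found = [];
  markdown.split('\n').forEach((text, index) => {
    for (const match of text.matchAll(pattern)) {
      found.push({ kind: match[1], event: match[3], line: index + 1 });
    }
  });
  return found;
}

// Guess which implemented name a documented one was meant to be: first swap
// the two halves ("subscribe:market" -> "market:subscribe"), then fall back to
// a single implemented event that extends the name ("market:price" + "_...").
function suggestEvent(event, implemented) {
  const parts = event.split(':');
  if (parts.length === 2) {
    const swapped = `${parts[1]}:${parts[0]}`;
    if (implemented.has(swapped)) return swapped;
  }
  const extended = [...implemented].filter((name) => name.startsWith(`${event}_`));
  return extended.length === 1 ? extended[0] : null;
}

// Return every documented event that no handler implements.
function findEventDrift(markdown, implemented = IMPLEMENTED_EVENTS) {
  return extractSocketEvents(markdown)
    .filter(({ event }) => !implemented.has(event) && !RESERVED_EVENTS.has(event))
    .map((hit) => ({ ...hit, suggestion: suggestEvent(hit.event, implemented) }));
}

for (const d of findEventDrift(DOC_SNIPPET)) {
  const hint = d.suggestion ? `, did you mean '${d.suggestion}'?` : '';
  console.log(`line ${d.line}: ${d.kind}('${d.event}') is not implemented${hint}`);
}
```

Run in CI against the Markdown under `docs/`, a non-empty result fails the build before a renamed event reaches readers.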
| │ 6. buildFeeBumpTransaction(sponsorKeypair, fee, innerTx) | ||
| │ 7. feeBumpTx.sign(sponsorKeypair) |
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Verify actual fee-bump builder usage in route handlers
rg -n -C3 '\bbuildFeeBumpTransaction\s*\(' --type=ts
```
Repository: Galaxy-KJ/Galaxy-DevKit
Length of output: 713
🏁 Script executed:
```bash
#!/bin/bash
# Read the complete buildFeeBumpTransaction call in the route file (lines 89-95)
sed -n '89,95p' packages/api/rest/src/routes/wallets/submit-tx.route.ts
```
Repository: Galaxy-KJ/Galaxy-DevKit
Length of output: 202
🏁 Script executed:
```bash
#!/bin/bash
# Read lines 105-120 from the documentation to see the context and exact documented call
sed -n '105,120p' docs/contracts/smart-wallet-contract.md
```
Repository: Galaxy-KJ/Galaxy-DevKit
Length of output: 902
🏁 Script executed:
```bash
#!/bin/bash
# Search for any networkPassphrase usage in the submit-tx route file
grep -n "networkPassphrase" packages/api/rest/src/routes/wallets/submit-tx.route.ts || echo "No networkPassphrase found in this file"
```
Repository: Galaxy-KJ/Galaxy-DevKit
Length of output: 300
Fix incomplete buildFeeBumpTransaction call signature in documentation.
Line 111 documents an incomplete call signature. The actual implementation at packages/api/rest/src/routes/wallets/submit-tx.route.ts:89 includes networkPassphrase as a required fourth parameter, but the documentation omits it. This discrepancy will mislead developers attempting to implement the fee-bump flow.
Documentation fix
- │ 6. buildFeeBumpTransaction(sponsorKeypair, fee, innerTx)
+ │ 6. buildFeeBumpTransaction(sponsorKeypair, fee, innerTx, networkPassphrase)📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| │ 6. buildFeeBumpTransaction(sponsorKeypair, fee, innerTx) | |
| │ 7. feeBumpTx.sign(sponsorKeypair) | |
| │ 6. buildFeeBumpTransaction(sponsorKeypair, fee, innerTx, networkPassphrase) | |
| │ 7. feeBumpTx.sign(sponsorKeypair) |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/contracts/smart-wallet-contract.md` around lines 111 - 112, The doc call
to buildFeeBumpTransaction is missing the required fourth parameter; update the
example to pass networkPassphrase as the fourth argument (matching the
implementation of buildFeeBumpTransaction used in submit-tx.route.ts), so the
call becomes buildFeeBumpTransaction(sponsorKeypair, fee, innerTx,
networkPassphrase) before feeBumpTx.sign(sponsorKeypair); ensure the
documentation explicitly names the networkPassphrase parameter so readers know
to supply the correct network string.
| name: 'Swap when XLM/USDC > 0.15', | ||
| userId: 'user-abc', | ||
| status: AutomationStatus.ACTIVE, | ||
| triggerType: TriggerType.PRICE, | ||
|
|
||
| conditionGroup: { | ||
| logic: ConditionLogic.AND, | ||
| conditions: [ | ||
| { | ||
| type: 'price', | ||
| id: 'cond-1', | ||
| asset: 'XLM', | ||
| operator: ConditionOperator.GREATER_THAN, | ||
| threshold: 0.15, | ||
| quoteAsset: 'USD', | ||
| }, |
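Review bot: The rule name reads 'Swap when XLM/USDC > 0.15' while the condition further down in the same block sets `quoteAsset: 'USD'`, so the example names two different quote assets. Make the name and the condition agree, otherwise a reader cannot tell which price the `threshold: 0.15` is compared against.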
Price-trigger example overstates pair support in current evaluator.
The guide repeatedly says “XLM/USDC > 0.15”, but current evaluation logic uses only condition.asset for getAggregatedPrice(...) and compares threshold; quoteAsset is not part of the check path. Please align wording/examples to current behavior (e.g., XLM/USD), or explicitly mark pair-based thresholding as future work.
Proposed doc adjustment
- name: 'Swap when XLM/USDC > 0.15',
+ name: 'Swap when XLM/USD > 0.15',
...
-## End-to-end example — trigger a swap when XLM/USDC > 0.15
+## End-to-end example — trigger a swap when XLM/USD > 0.15Also applies to: 264-266
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/guides/oracle-integration.md` around lines 171 - 186, The example text
claims pair-based evaluation (e.g., "XLM/USDC > 0.15") but the evaluator only
calls getAggregatedPrice(...) using condition.asset and compares the threshold
(it ignores condition.quoteAsset), so update the guide: change the examples to
use XLM/USD (or similar single-asset wording) and/or add a clear note that
quoteAsset-based pair thresholds are not supported by the current evaluator
(mark as future work); specifically edit the example block containing
condition.asset, ConditionOperator, threshold and the other occurrence at lines
referenced (the block using getAggregatedPrice/threshold and the later example
at 264-266) to reflect the current behavior and mention that quoteAsset is
currently ignored by the evaluation path.
| ``` | ||
| ┌──────────────────────────────────────────────────────────┐ | ||
| │ OAuth layer (identity) │ | ||
| │ Google/Auth0/Supabase → JWT → your backend │ | ||
| │ Backend extracts userId and passes it to client │ | ||
| └──────────────────────────────────────────────────────────┘ | ||
| │ userId only (no token forwarded to WebAuthn) | ||
| ▼ | ||
| ┌──────────────────────────────────────────────────────────┐ | ||
| │ WebAuthn layer (key protection) │ | ||
| │ navigator.credentials.create / .get │ | ||
| │ Platform authenticator (Touch ID, Windows Hello, …) │ | ||
| │ Private key lives in TEE / Secure Enclave — never sent │ | ||
| └──────────────────────────────────────────────────────────┘ | ||
| │ publicKey65Bytes (safe to store), credentialId | ||
| ▼ | ||
| ┌──────────────────────────────────────────────────────────┐ | ||
| │ Stellar layer (wallet) │ | ||
| │ SmartWalletService uses credential to sign Soroban txs │ | ||
| └──────────────────────────────────────────────────────────┘ | ||
| ``` |
Add a language tag to the fenced diagram block.
The fenced block starting at Line 16 is missing a language identifier (MD040).
Proposed fix
-```
+```text
...
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/guides/social-login-integration.md` around lines 16 - 36, The fenced diagram block (the ASCII diagram using triple backticks) is missing a language identifier causing MD040 lint errors; update the opening fence to include a language tag such as text (i.e., change ``` to ```text) so the block is recognized as a code block with an explicit language; ensure the closing fence remains ``` and rerun linting to confirm the MD040 error is resolved.
| await supabase.from('smart_wallets').insert({ | ||
| user_id: result.userId, | ||
| credential_id: result.credentialId, | ||
| public_key: Buffer.from(result.publicKey65Bytes).toString('base64'), | ||
| network: 'testnet', |
🧩 Analysis chain
🌐 Web query:
Is Buffer available by default in modern browsers, or only in Node.js / bundlers with polyfills?
💡 Result:
No, Buffer is not available by default in modern browsers. It is a Node.js global API for handling binary data. Browsers provide equivalent functionality through ArrayBuffer, TypedArray (like Uint8Array), and DataView, but not the Node.js Buffer class with its specific methods (e.g., Buffer.from, Buffer.alloc, toString('hex')). To use Buffer in browsers, developers must include a polyfill such as the popular buffer npm package (feross/buffer), which provides a Buffer implementation backed by Uint8Array/ArrayBuffer. Bundlers like Webpack, Rollup, or Vite can automatically include this polyfill when Node.js-style require('buffer') is detected, but it is not native. Official Node.js documentation confirms Buffer is a Node.js subclass of Uint8Array [14,16]. MDN and browser specs document ArrayBuffer and typed arrays, but no Buffer [19,20]. Polyfill repositories and articles emphasize it is for browser compatibility with Node.js code [2,15,17,18]. No WHATWG/W3C spec standardizes Node.js Buffer for browsers, and CanIUse shows no native support [1,7]. As of 2026, bundler fallbacks have been removed in some cases (e.g., Webpack 5), requiring explicit polyfills [18].
Citations:
- 1: https://caniuse.com/mdn-api_sourcebuffer
- 2: https://github.com/feross/buffer
- 3: https://caniuse.com/mdn-javascript_builtins_typedarray_buffer
- 4: https://nodejs.org/api/buffer.html
- 5: https://www.npmjs.com/package/buffer
- 6: https://nodejs.org/download/release/v18.20.4/docs/api/buffer.html
- 7: https://registry.npmjs.org/buffer
- 8: https://medium.com/%40kayaweb3/why-your-node-js-buffer-dependent-packages-stopped-working-in-the-browser-2cfd3e726274
- 9: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer
- 10: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/buffer
- 11: https://webidl.spec.whatwg.org/
🏁 Script executed:
```bash
# First, let's find the documentation file
fd -type f -name "social-login-integration.md"
```
Repository: Galaxy-KJ/Galaxy-DevKit
Length of output: 237
🏁 Script executed:
```bash
fd "social-login-integration.md"
```
Repository: Galaxy-KJ/Galaxy-DevKit
Length of output: 106
🏁 Script executed:
```bash
cat -n docs/guides/social-login-integration.md | head -220
```
Repository: Galaxy-KJ/Galaxy-DevKit
Length of output: 9543
Use browser-safe base64 encoding instead of Node's Buffer.
This documentation frames the examples as browser/client-side onboarding flows (WebAuthn, navigator.credentials, window.location.hostname), but Buffer.from(...) is not available in browsers by default and requires a polyfill. Modern bundlers no longer provide implicit polyfills (e.g., Webpack 5+). Either explicitly document the polyfill requirement or use Web APIs.
Browser-safe replacement
- public_key: Buffer.from(result.publicKey65Bytes).toString('base64'),
+ public_key: btoa(String.fromCharCode(...result.publicKey65Bytes)),Apply to both lines 112 and 198.
📝 Committable suggestion
| await supabase.from('smart_wallets').insert({ | |
| user_id: result.userId, | |
| credential_id: result.credentialId, | |
| public_key: Buffer.from(result.publicKey65Bytes).toString('base64'), | |
| network: 'testnet', | |
| await supabase.from('smart_wallets').insert({ | |
| user_id: result.userId, | |
| credential_id: result.credentialId, | |
| public_key: btoa(String.fromCharCode(...result.publicKey65Bytes)), | |
| network: 'testnet', |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@docs/guides/social-login-integration.md` around lines 109 - 113, The example
uses Node's Buffer (Buffer.from(...).toString('base64')) which isn't available
in browsers; update the insert payload construction in the
supabase.from('smart_wallets').insert call to encode result.publicKey65Bytes
using browser-safe Web APIs (e.g., convert the Uint8Array/ArrayBuffer to a
base64 string with btoa on a binary string or use TextEncoder/Blob/FileReader as
appropriate) so the docs work in client-side flows—replace usages of
Buffer.from(result.publicKey65Bytes).toString('base64') (and the same pattern at
the later occurrence) with a browser-compatible base64 encoding approach and
mention the change if needed.
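A browser-safe encoder for the 65-byte passkey public key discussed in the comment above, as an added example that is not code from the PR or from Galaxy DevKit. It assumes `publicKey65Bytes` is an uncompressed SEC1 P-256 point (`0x04 || X || Y`), checks that shape both before storing and after reading back, and encodes in chunks so the helper also works on inputs large enough to break the spread form; `encodePublicKey`, `decodePublicKey` and the sample key bytes are hypothetical names and constructed data.

```javascript
// Assumption: the stored key is an uncompressed SEC1 P-256 point.
const UNCOMPRESSED_POINT_PREFIX = 0x04; // SEC1 tag for an uncompressed EC point
const P256_UNCOMPRESSED_LENGTH = 65;    // 1 tag byte + 32-byte X + 32-byte Y

// Constructed sample key: 0x04 followed by the bytes 1..64 (not a real point).
const SAMPLE_PUBLIC_KEY = Uint8Array.from(
  { length: P256_UNCOMPRESSED_LENGTH },
  (_, i) => (i === 0 ? UNCOMPRESSED_POINT_PREFIX : i)
);

// Base64-encode bytes using Web APIs only (no Node Buffer). Chunking keeps the
// argument count of String.fromCharCode small, so large inputs do not throw.
function bytesToBase64(bytes) {
  const view = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
  const CHUNK = 0x2000;
  let binary = '';
  for (let i = 0; i < view.length; i += CHUNK) {
    binary += String.fromCharCode(...view.subarray(i, i + CHUNK));
  }
  return btoa(binary);
}

// Inverse of bytesToBase64; atob throws on input that is not valid base64.
function base64ToBytes(b64) {
  const binary = atob(b64);
  const out = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) out[i] = binary.charCodeAt(i);
  return out;
}

// Reject anything that is not a 65-byte uncompressed point, so a truncated,
// compressed or otherwise malformed key never reaches the wallet table.
function assertUncompressedP256(bytes) {
  if (bytes.length !== P256_UNCOMPRESSED_LENGTH) {
    throw new RangeError(`expected ${P256_UNCOMPRESSED_LENGTH} bytes, got ${bytes.length}`);
  }
  if (bytes[0] !== UNCOMPRESSED_POINT_PREFIX) {
    throw new TypeError('expected 0x04 uncompressed-point prefix');
  }
}

// Value to put in the public_key column (accepts Uint8Array or ArrayBuffer).
function encodePublicKey(publicKey65Bytes) {
  const bytes = new Uint8Array(publicKey65Bytes);
  assertUncompressedP256(bytes);
  return bytesToBase64(bytes);
}

// Read a stored public_key value back, re-validating it before use.
function decodePublicKey(stored) {
  const bytes = base64ToBytes(stored);
  assertUncompressedP256(bytes);
  return bytes;
}

console.log(encodePublicKey(SAMPLE_PUBLIC_KEY));
```

The output is standard base64, the same string `Buffer.from(...).toString('base64')` produces, so rows written by a Node backend and by the browser stay comparable.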
Closes #196
Closes #197
Closes #198
Closes #199
Summary
- [DOCS] SocialLoginProvider guide — OAuth + WebAuthn passkey onboarding flow #197 — New `docs/guides/social-login-integration.md`: explains the two-layer OAuth + WebAuthn security model, `onboard()`/`login()` flows, full Supabase + Auth0 + Google OAuth examples, backend dual-verification, and security guarantees. Cross-linked from `webauthn-guide.md` and `packages/core/wallet/auth/README.md`.
- [DOCS] Oracle integration guide — price feeds, on-chain Soroban oracle, and automation triggers #196 — New `docs/guides/oracle-integration.md`: documents all three oracle layers — off-chain `OracleAggregator` (CoinGecko, strategies, circuit breaker, caching), on-chain Soroban oracle contract, and `AutomationService` `PRICE` trigger integration. Includes end-to-end "trigger a swap when XLM/USDC > 0.15" example. Oracle node added to `defi-aggregation-flow.md` Mermaid diagram. Cross-linked from `docs/cli/oracle.md`.
- [DOCS] REST API spec — generate OpenAPI/Swagger from actual route implementations #198 — Rewrote `docs/api/api-reference.md` from actual route implementations (`packages/api/rest/src/routes/`). Covers all real endpoints: DeFi swap quote, swap, Blend supply/withdraw/borrow/repay, liquidity add/remove, pool analytics, and the `wallets/submit-tx` fee-bump sponsor endpoint. Removes all invented endpoints and the erroneous `privateKey` response field.
- [DOCS] Contract deployment runbook — testnet to mainnet promotion with fee-bump sponsor setup #199 — New `docs/contracts/deployment-runbook.md`: full step-by-step runbook — create/fund accounts, build WASM, upload, deploy factory, init, smoke test, fee-bump sponsor account setup, testnet E2E test command, mainnet promotion checklist, env var reference, and troubleshooting. Added fee-bump architecture section to `smart-wallet-contract.md`. Cross-linked from `deployment.md`.

Files changed
- docs/guides/social-login-integration.md
- docs/guides/oracle-integration.md
- docs/contracts/deployment-runbook.md
- docs/api/api-reference.md
- docs/architecture/defi-aggregation-flow.md
- docs/contracts/smart-wallet-contract.md
- docs/contracts/deployment.md
- docs/smart-wallet/webauthn-guide.md
- docs/cli/oracle.md
- packages/core/wallet/auth/README.md

Test plan
- `api-reference.md` endpoints match route handlers in `packages/api/rest/src/routes/`
- `packages/contracts/smart-wallet-account/scripts/deploy.sh` and Stellar CLI docs

Summary by CodeRabbit