apps/extension-wallet/src/router/AuthGuard.tsx (2)

72-101: useMemo dependency on authState negates memoization benefit.

The useMemo hook includes authState in its dependency array (line 100), which means the memoized value is recreated on every state change. Since the action functions (completeOnboarding, unlockWallet, etc.) use setAuthState with functional updates, they don't actually need authState in their closures.

⚡ Proposed optimization

   const value = React.useMemo<AuthContextValue>(
     () => ({
       authState,
       completeOnboarding: (walletName: string) => {
         setAuthState({
           hasOnboarded: true,
           isUnlocked: true,
           walletName: walletName.trim() || DEFAULT_AUTH_STATE.walletName,
           accountAddress: DEFAULT_AUTH_STATE.accountAddress,
         });
       },
       unlockWallet: () => {
         setAuthState((current) => ({
           ...current,
           hasOnboarded: true,
           isUnlocked: true,
         }));
       },
       lockWallet: () => {
         setAuthState((current) => ({
           ...current,
           isUnlocked: false,
         }));
       },
       resetWallet: () => {
         setAuthState(DEFAULT_AUTH_STATE);
       },
     }),
-    [authState]
+    [] // Action functions are stable; authState is read directly in consumers
   );
+
+  // Return a new object each render so consumers get the latest authState
+  return (
+    <AuthContext.Provider value={{ ...value, authState }}>
+      {children}
+    </AuthContext.Provider>
+  );

Alternatively, since authState must be in the context value and will change, consider removing useMemo entirely as the optimization provides no benefit here.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/extension-wallet/src/router/AuthGuard.tsx` around lines 72 - 101, The
useMemo around value (React.useMemo<AuthContextValue>(... ,[authState])) is
pointless because authState is included in the dependency array so the memoized
object is recreated on every change; either remove useMemo entirely or remove
authState from the dependency array and instead memoize only the action
functions that rely on setAuthState (completeOnboarding, unlockWallet,
lockWallet, resetWallet) and include DEFAULT_AUTH_STATE where needed so the
context value remains stable without depending on authState in the closure.
Ensure you keep references to authState in the context value itself (so
consumers update), but avoid capturing authState inside the memoized
callbacks—use functional setAuthState updates and stable memoization for the
functions or drop useMemo for simplicity.

---

57-59: Initial mount writes existing state back to storage.

On first render, readAuthState() reads from localStorage, then the effect immediately writes the same value back. This is harmless but unnecessary.

🔧 Optional: skip initial write

+  const isInitialMount = React.useRef(true);
+
   React.useEffect(() => {
+    if (isInitialMount.current) {
+      isInitialMount.current = false;
+      return;
+    }
     writeAuthState(authState);
   }, [authState]);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/extension-wallet/src/router/AuthGuard.tsx` around lines 57 - 59, The
effect in AuthGuard.tsx currently calls writeAuthState(authState) on initial
render (after readAuthState()) which is unnecessary; update the React.useEffect
that writes authState so it skips the initial mount (only writes on subsequent
changes). Implement this by introducing an initialization flag (e.g.,
useRef<boolean> or an isInitialized state) checked inside the effect that sets
the flag on first render and prevents calling writeAuthState(authState) until
after that initial load; reference the existing React.useEffect, authState,
readAuthState(), and writeAuthState() when making the change.

apps/extension-wallet/src/router/index.tsx (2)

254-262: Type assertion for location state could be more defensive.

The from state extraction uses a type assertion that could throw if location.state has an unexpected shape in edge cases.

🛡️ Suggested defensive extraction

-  const from = (location.state as { from?: string } | null)?.from ?? '/home';
+  const from =
+    typeof location.state === 'object' &&
+    location.state !== null &&
+    'from' in location.state &&
+    typeof (location.state as Record<string, unknown>).from === 'string'
+      ? (location.state as { from: string }).from
+      : '/home';

Alternatively, consider a small helper function for type-safe state extraction.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/extension-wallet/src/router/index.tsx` around lines 254 - 262, The
extraction of from using a direct type assertion on location.state is unsafe;
change it to defensively read location?.state and verify the shape before using
it (e.g., check that (location?.state as any)?.from is a string) so you fallback
to '/home' if the value is missing or has the wrong type; update the code around
the from declaration (and any helper you add) to use optional chaining and a
type/typeof check, and ensure handleUnlock/navigation behavior remains the same
(unlockWallet then navigate(from, { replace: true })) so unexpected
location.state shapes no longer throw.

---

345-355: Uncontrolled form inputs missing accessibility attributes.

The recipient address and amount inputs in SendScreen are uncontrolled (no value/onChange) and lack name, id, and associated <label> elements. While this is a placeholder, consider adding minimal accessibility attributes for consistency with other screens.

♿ Suggested accessibility improvement

         <div className="space-y-3">
+          <label className="block text-sm font-medium text-foreground">
+            Recipient
           <input
+            name="recipient"
             className="w-full rounded-xl border border-border bg-background px-3 py-3 text-sm outline-none transition focus:border-primary"
             placeholder="Recipient address"
           />
+          </label>
+          <label className="block text-sm font-medium text-foreground">
+            Amount
           <input
+            name="amount"
             className="w-full rounded-xl border border-border bg-background px-3 py-3 text-sm outline-none transition focus:border-primary"
             placeholder="Amount"
           />
+          </label>
           <PrimaryButton>Review transaction</PrimaryButton>
         </div>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/extension-wallet/src/router/index.tsx` around lines 345 - 355, In
SendScreen, the two inputs for recipient address and amount are uncontrolled and
missing accessibility attributes; add minimal accessible markup by giving each
input a unique id and name (e.g., id="recipient" name="recipient", id="amount"
name="amount") and include associated <label> elements for each (or at minimum
aria-label attributes) and wire them to the inputs so screen readers can
announce them; if you intend to manage state, convert the inputs to controlled
components by adding value/onChange handlers in the SendScreen component and
keep the labels/ids in place; ensure PrimaryButton usage remains unchanged.

packages/core-sdk/eslint.config.cjs (1)

33-40: Consider adding afterAll and afterEach to test globals.

The test lifecycle hooks afterAll and afterEach are missing from the globals list. If any tests in this package use these hooks, ESLint may flag them as undefined (though no-undef is disabled in the parent override, so this is low risk).

🔧 Suggested addition for completeness

     languageOptions: {
       globals: {
         describe: 'readonly',
         it: 'readonly',
         expect: 'readonly',
         beforeAll: 'readonly',
         beforeEach: 'readonly',
+        afterAll: 'readonly',
+        afterEach: 'readonly',
         jest: 'readonly',
       },
     },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/core-sdk/eslint.config.cjs` around lines 33 - 40, The globals object
in eslint config is missing the test lifecycle hooks afterAll and afterEach;
update the globals mapping (the globals block where describe, it, expect,
beforeAll, beforeEach, jest are defined) to add afterAll: 'readonly' and
afterEach: 'readonly' so ESLint recognizes those Jest hooks as globals.

apps/extension-wallet/src/errors/ErrorBoundary.tsx (1)

206-206: Consider clarifying the ErrorInfo re-export.

This re-exports React's ErrorInfo type (from the import on line 9), while handleError() returns a different ErrorInfo type defined in error-handler.ts. The naming overlap could confuse consumers of this module.

Consider either:

1. Renaming the export to clarify its origin: export type { ErrorInfo as ReactErrorInfo }
2. Documenting which ErrorInfo is which in the module's exports

This is pre-existing and not introduced by this PR, so it's optional to address now.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/extension-wallet/src/errors/ErrorBoundary.tsx` at line 206, The exported
type ErrorInfo conflicts with a different ErrorInfo returned by handleError in
error-handler.ts; update the re-export to disambiguate by renaming it (e.g.,
export type { ErrorInfo as ReactErrorInfo }) or add a clear export
comment/documentation indicating this export is React's ErrorInfo; ensure
references in this file to the original ErrorInfo import (from React) are
updated if the alias is used elsewhere in the module so that consumers and
internal usage point to the correct symbol.

packages/ui-kit/eslint.config.cjs (3)

52-52: Use recursive glob for config ignores if planning to place config files in subdirectories.

Line 52 currently uses *.config.{js,cjs,ts}, which matches only root-level files. No nested config files exist in packages/ui-kit, but if config files may be placed in subdirectories in the future, use **/*.config.{js,cjs,ts} to ensure they are also ignored.

Proposed ignore pattern update

-    ignores: ['dist/**', 'node_modules/**', '*.config.js', '*.config.cjs', '*.config.ts'],
+    ignores: ['dist/**', 'node_modules/**', '**/*.config.js', '**/*.config.cjs', '**/*.config.ts'],

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/ui-kit/eslint.config.cjs` at line 52, The ignores entry currently
uses '*.config.js', '*.config.cjs', '*.config.ts' which only matches root-level
config files; update the ignores array (the ignores: [...] entry) to use a
recursive glob pattern like '**/*.config.{js,cjs,ts}' so config files in
subdirectories are also ignored by ESLint.

---

21-24: Optional: Scope Node globals to test/config files only.

Line 21–24 enables both browser and node globals for all TS/TSX files. While no source code currently uses Node APIs, tightening this scope would prevent accidental Node global usage in browser code. Node globals could be enabled only for test and config files where they're actually needed.

Proposed config split

   {
     files: ['**/*.{ts,tsx}'],
     languageOptions: {
       parser: tsparser,
       parserOptions: {
         ecmaVersion: 2020,
         sourceType: 'module',
         ecmaFeatures: {
           jsx: true,
         },
       },
       globals: {
-        ...globals.browser,
-        ...globals.node,
+        ...globals.browser,
       },
     },
@@
   },
+  {
+    files: ['**/*.{test,spec}.{ts,tsx}', '**/*.stories.tsx'],
+    languageOptions: {
+      globals: {
+        ...globals.browser,
+        ...globals.node,
+      },
+    },
+  },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/ui-kit/eslint.config.cjs` around lines 21 - 24, The ESLint config
currently spreads both globals.browser and globals.node into the top-level
globals, which enables Node globals project-wide; change this by removing
...globals.node from the top-level globals and instead add an overrides block
that applies globals: { ...globals.node } only to test/config patterns (e.g.,
files matching **/*.{test,spec}.{ts,tsx,js,jsx} and config/**/*), so update the
globals definition and add an override entry referencing the same globals object
to restrict Node globals to tests/configs.

---

45-49: Replace blanket ESLint rule disable with targeted suppressions for specific stories.

Disabling react-hooks/rules-of-hooks globally for all *.stories.tsx files masks real hook-order and conditional-hook bugs. React's ESLint plugin documentation includes this rule in its recommended set for good reason. Instead, keep the rule enabled and use targeted eslint-disable-next-line react-hooks/rules-of-hooks comments on specific stories where they genuinely conflict with Storybook patterns, documenting why the suppression is needed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/ui-kit/eslint.config.cjs` around lines 45 - 49, Remove the blanket
disable of 'react-hooks/rules-of-hooks' for all '*.stories.tsx' in the ESLint
config (the object that currently sets files: ['**/*.stories.tsx'] and rules:
{'react-hooks/rules-of-hooks': 'off'}) and restore the rule to the recommended
config; instead, for any individual story that genuinely conflicts with
Storybook, add a single-line file-local suppression comment
(eslint-disable-next-line react-hooks/rules-of-hooks) immediately above the
offending hook usage in that specific .stories.tsx and include a brief inline
comment explaining why the suppression is necessary.

apps/extension-wallet/src/router/index.tsx (1)

346-356: Accessibility: form inputs missing associated labels.

The placeholder inputs in SendScreen lack proper <label> associations, unlike the inputs in CreateAccountScreen and UnlockScreen which correctly wrap inputs with labels. While this is a placeholder screen, adding proper labels now prevents accessibility debt when the real form is implemented.

♿ Suggested fix for accessible form inputs

         <div className="space-y-3">
-          <input
-            className="w-full rounded-xl border border-border bg-background px-3 py-3 text-sm outline-none transition focus:border-primary"
-            placeholder="Recipient address"
-          />
-          <input
-            className="w-full rounded-xl border border-border bg-background px-3 py-3 text-sm outline-none transition focus:border-primary"
-            placeholder="Amount"
-          />
+          <label className="block text-sm font-medium text-foreground">
+            Recipient address
+            <input
+              className="mt-2 w-full rounded-xl border border-border bg-background px-3 py-3 text-sm outline-none transition focus:border-primary"
+              placeholder="Enter recipient address"
+            />
+          </label>
+          <label className="block text-sm font-medium text-foreground">
+            Amount
+            <input
+              className="mt-2 w-full rounded-xl border border-border bg-background px-3 py-3 text-sm outline-none transition focus:border-primary"
+              placeholder="Enter amount"
+            />
+          </label>
           <PrimaryButton>Review transaction</PrimaryButton>
         </div>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/extension-wallet/src/router/index.tsx` around lines 346 - 356,
SendScreen's two inputs (the "Recipient address" and "Amount" placeholders) lack
associated labels which breaks accessibility; update the SendScreen component to
add proper labels for these fields by either wrapping each input in a <label> or
adding <label htmlFor="..."> plus matching id attributes on the inputs (use
descriptive ids like recipientAddress and amount). Ensure the labels are visible
to screen readers (can be visually hidden if needed) and keep the PrimaryButton
usage unchanged.

apps/extension-wallet/eslint.config.cjs (1)

37-42: Consider keeping @typescript-eslint/no-explicit-any enabled with gradual exceptions.

Disabling no-explicit-any globally for all production code removes a guardrail against type safety regressions. While the PR summary indicates type safety improvements are being made, fully disabling this rule could allow new any usages to slip in unnoticed.

Consider either:

• Keeping the rule as 'warn' to surface new usages without blocking builds
• Using targeted // eslint-disable-next-line comments for legitimate cases

The no-undef: off is appropriate for TypeScript projects since TS handles undefined variable checking and ESLint can produce false positives for TS-specific constructs.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/extension-wallet/eslint.config.cjs` around lines 37 - 42, The config
currently disables '@typescript-eslint/no-explicit-any' globally; change its
setting from 'off' to 'warn' in the ESLint config (the rule name
'@typescript-eslint/no-explicit-any' in the config block) so new any usages are
surfaced but do not fail CI, and for true exceptions use targeted inline
comments (// eslint-disable-next-line `@typescript-eslint/no-explicit-any`) or
file/folder-level overrides rather than a global disable.

packages/crypto/src/encryption.ts (1)

2-3: Use a type-only import for webcrypto to clarify intent.

webcrypto is used only in type positions (return type annotations). While TypeScript's default configuration already elides this import, explicitly marking it as import type makes the intent clear and improves maintainability.

Suggested fix

-import { webcrypto } from 'node:crypto';
+import type { webcrypto } from 'node:crypto';

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/crypto/src/encryption.ts` around lines 2 - 3, Change the top-level
import so that webcrypto is imported as a type-only import: replace the current
import of webcrypto from 'node:crypto' with an explicit type import (e.g.,
import type { webcrypto } from 'node:crypto';) while keeping TextDecoder and
TextEncoder as runtime imports from 'node:util'; update any return type
annotations already referencing webcrypto to use the same symbol so the
type-only import is correct.