@d4mr d4mr commented Oct 11, 2025

PR-Codex overview

This PR introduces new metadata patterns and required metadata patterns for various transaction types related to solana, enhancing the functionality of the vault.client.ts file in the dashboard application.

Detailed summary

  • Added metadataPatterns for solana:read, solana:create, solana:signTransaction, and solana:signMessage.
  • Each pattern includes projectId, teamId, and type with specific rules.
  • Introduced requiredMetadataPatterns for solana:create with similar structure.


Summary by CodeRabbit

  • New Features
    • Added Solana-specific permissions to access tokens.
    • Wallet tokens now support solana:read, solana:create, solana:signTransaction, and solana:signMessage.
    • Management tokens now support solana:read and solana:create.
    • Permissions can be scoped via metadata (team, project, server-wallet) for finer control.
    • No changes to public interfaces or existing flows; new scopes are available during token creation.

@d4mr d4mr requested review from a team as code owners October 11, 2025 11:50

changeset-bot bot commented Oct 11, 2025

⚠️ No Changeset found

Latest commit: c9a0c23

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


vercel bot commented Oct 11, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| thirdweb-www | Ready | Preview | Comment | Oct 14, 2025 6:15pm |

4 Skipped Deployments

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| docs-v2 | Skipped | | | Oct 14, 2025 6:15pm |
| nebula | Skipped | | | Oct 14, 2025 6:15pm |
| thirdweb_playground | Skipped | | | Oct 14, 2025 6:15pm |
| wallet-ui | Skipped | | | Oct 14, 2025 6:15pm |

@github-actions github-actions bot added the Dashboard Involves changes to the Dashboard. label Oct 11, 2025

graphite-app bot commented Oct 11, 2025

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

  • merge-queue - adds this PR to the back of the merge queue
  • hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.


coderabbitai bot commented Oct 11, 2025

Walkthrough

Adds Solana-specific policy entries to access token creation for server wallets and management tokens, expanding allowed Solana actions and attaching metadataPatterns (projectId, teamId, type) without modifying function signatures or control flow.

Changes

| Cohort / File(s) | Summary of Changes |
| --- | --- |
| Solana policy additions: apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts | Expanded policy definitions: for wallet (server-wallet) tokens, added solana:read, solana:create, solana:signTransaction, solana:signMessage with metadataPatterns (projectId, teamId, type: server-wallet). For management tokens, added solana:read, solana:create with the same metadataPatterns. No changes to exported APIs or control flow. |

Sequence Diagram(s)

No sequence diagram generated — changes only extend policy definitions, not control flow.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description Check | ⚠️ Warning | The pull request description does not follow the repository’s required template because it only contains a PR-Codex overview and detailed summary without the mandated “Notes for the reviewer” and “How to test” sections. It is missing the explicit template headings and instructions that guide reviewers on context and validation steps. | Please update the description to include the template’s “Notes for the reviewer” and “How to test” sections, and ensure any relevant issue tag or branch information is provided at the top. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title Check | ✅ Passed | |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4e0fed9 and c9a0c23.

📒 Files selected for processing (1)
  • apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts (2 hunks)
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Write idiomatic TypeScript with explicit function declarations and return types
Limit each file to one stateless, single-responsibility function for clarity
Re-use shared types from @/types or local types.ts barrels
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics when possible
Choose composition over inheritance; leverage utility types (Partial, Pick, etc.)
Comment only ambiguous logic; avoid restating TypeScript in prose

**/*.{ts,tsx}: Use explicit function declarations and explicit return types in TypeScript
Limit each file to one stateless, single‑responsibility function
Re‑use shared types from @/types where applicable
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics when possible
Prefer composition over inheritance; use utility types (Partial, Pick, etc.)
Lazy‑import optional features and avoid top‑level side‑effects to reduce bundle size

Files:

  • apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Load heavy dependencies inside async paths to keep initial bundle lean (lazy loading)

Files:

  • apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
apps/{dashboard,playground-web}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

apps/{dashboard,playground-web}/**/*.{ts,tsx}: Import UI primitives from @/components/ui/* (Button, Input, Select, Tabs, Card, Sidebar, Badge, Separator) in dashboard and playground apps
Use NavLink for internal navigation with automatic active states in dashboard and playground apps
Use Tailwind CSS only – no inline styles or CSS modules
Use cn() from @/lib/utils for conditional class logic
Use design system tokens (e.g., bg-card, border-border, text-muted-foreground)
Server Components (Node edge): Start files with import "server-only";
Client Components (browser): Begin files with 'use client';
Always call getAuthToken() to retrieve JWT from cookies on server side
Use Authorization: Bearer header – never embed tokens in URLs
Return typed results (e.g., Project[], User[]) – avoid any
Wrap client-side data fetching calls in React Query (@tanstack/react-query)
Use descriptive, stable queryKeys for React Query cache hits
Configure staleTime/cacheTime in React Query based on freshness (default ≥ 60s)
Keep tokens secret via internal API routes or server actions
Never import posthog-js in server components

Files:

  • apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
apps/{dashboard,playground}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

apps/{dashboard,playground}/**/*.{ts,tsx}: Import UI primitives from @/components/ui/_ (e.g., Button, Input, Tabs, Card)
Use NavLink for internal navigation to get active state handling
Use Tailwind CSS for styling; no inline styles
Merge class names with cn() from @/lib/utils for conditional classes
Stick to design tokens (e.g., bg-card, border-border, text-muted-foreground)
Server Components must start with import "server-only"; use next/headers, server‑only env, heavy data fetching, and redirect() where appropriate
Client Components must start with 'use client'; handle interactivity with hooks and browser APIs
Server-side data fetching: call getAuthToken() from cookies, send Authorization: Bearer <token> header, and return typed results (avoid any)
Client-side data fetching: wrap calls in React Query with descriptive, stable queryKeys and set sensible staleTime/cacheTime (≥ 60s default); keep tokens secret via internal routes or server actions
Do not import posthog-js in server components (client-side only)

Files:

  • apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Size
  • GitHub Check: Analyze (javascript)


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2


📥 Commits

Reviewing files that changed from the base of the PR and between 869bbcf and 4e0fed9.

📒 Files selected for processing (1)
  • apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Size
  • GitHub Check: Unit Tests
  • GitHub Check: Analyze (javascript)

Comment on lines +563 to +654
{
metadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:read",
},
{
requiredMetadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:create",
},
{
metadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:signTransaction",
},
{
metadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:signMessage",
},
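Review bot: The `projectId` and `teamId` rules in all four entries pass `props.project.id` and `props.project.teamId` unmodified into a field named `pattern`. If the vault evaluates `pattern` as a regular expression or as an unanchored match, an ID that is a prefix of another ID, or one that contains metacharacters, would scope the token wider than this project, so confirm the match is exact or anchor and escape the values before they reach the rule. Also, `solana:create` is the only entry keyed `requiredMetadataPatterns` while the other three use `metadataPatterns`; a one-line comment on why create differs would keep the next chain addition from copying the wrong key.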

🛠️ Refactor suggestion | 🟠 Major

Approve Solana wallet policies with refactor recommendation.

The Solana policy additions correctly mirror the existing EVM policy structure and will enable Solana wallet operations. However, the identical metadataPatterns structure across all policies creates significant duplication.

Consider extracting a helper function to generate policy objects:

function createWalletPolicy(
  type: string,
  projectId: string,
  teamId: string,
  additionalOptions?: Record<string, unknown>
) {
  const metadataPatterns = [
    { key: "projectId", rule: { pattern: projectId } },
    { key: "teamId", rule: { pattern: teamId } },
    { key: "type", rule: { pattern: "server-wallet" } },
  ];

  return {
    ...(type.includes(":create") 
      ? { requiredMetadataPatterns: metadataPatterns }
      : { metadataPatterns }),
    type,
    ...additionalOptions,
  };
}

Then replace the policy blocks:

policies: [
  // EVM policies
  createWalletPolicy("eoa:read", props.project.id, props.project.teamId),
  createWalletPolicy("eoa:create", props.project.id, props.project.teamId),
  createWalletPolicy("eoa:signMessage", props.project.id, props.project.teamId),
  createWalletPolicy("eoa:signTransaction", props.project.id, props.project.teamId, {
    payloadPatterns: {}
  }),
  // ... other EVM policies
  // Solana policies
  createWalletPolicy("solana:read", props.project.id, props.project.teamId),
  createWalletPolicy("solana:create", props.project.id, props.project.teamId),
  createWalletPolicy("solana:signTransaction", props.project.id, props.project.teamId),
  createWalletPolicy("solana:signMessage", props.project.id, props.project.teamId),
]

This would also address the pre-existing duplicate eoa:read and eoa:create policies at lines 351-396 and 517-562.

🤖 Prompt for AI Agents
In
apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
around lines 563-654, the four Solana policy objects repeat identical
metadataPatterns causing duplication; extract a small helper (e.g.,
createWalletPolicy) that accepts type, projectId, teamId and optional extra
options, builds the common metadataPatterns and returns either metadataPatterns
or requiredMetadataPatterns for create types, then replace the repeated Solana
policy blocks with calls to that helper (and likewise replace the duplicated EVM
eoa:read/eoa:create blocks at lines ~351-396 and ~517-562) to deduplicate and
keep payload-specific options passed through the helper.

Comment on lines +728 to +773
{
metadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:read",
},
{
requiredMetadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:create",
},
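Review bot: Nothing in this hunk enforces the read/create-only boundary for the management token; it holds only because the `solana:signTransaction` and `solana:signMessage` entries were not pasted here alongside `solana:read` and `solana:create`. Add a unit test asserting that the management token's policy list contains no `:sign*` type, so a later copy from the wallet-token list fails CI instead of silently granting signing rights.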

🛠️ Refactor suggestion | 🟠 Major

Approve Solana management policies.

The Solana management token policies are correctly limited to read and create operations (no signing), which matches the EVM policy structure. This is the appropriate permission model for management tokens.

The same helper function refactor suggested for lines 563-654 would reduce duplication here as well. Both createWalletAccessToken and createManagementAccessToken would benefit from the extracted policy generation helper.

🤖 Prompt for AI Agents
In
apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
around lines 728 to 773, the Solana management token policy blocks are correct
but duplicate policy-building logic; extract a small helper (e.g.,
buildSolanaPolicies(project, teamId, types[] or mode)) that returns the array of
policy objects (metadataPatterns/requiredMetadataPatterns and type) and replace
the inline policy arrays in createWalletAccessToken and
createManagementAccessToken with calls to this helper to remove duplication and
centralize policy construction.
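
The permission model this review describes (management tokens limited to read and create, every policy bound to one project and team, no duplicated entries) can be checked mechanically. The audit below is an added example, not code from the PR or from thirdweb; `scopedPolicy`, `auditPolicies` and the sample IDs are hypothetical.

```typescript
// Added example: audits a policy list of the shape used in this PR.
// All function and type names here are hypothetical, not thirdweb's code.
type MetadataPattern = { key: string; rule: { pattern: string } };
type Policy = {
  type: string;
  metadataPatterns?: MetadataPattern[];
  requiredMetadataPatterns?: MetadataPattern[];
};
type TokenKind = "wallet" | "management";
type Scope = { projectId: string; teamId: string };

// Builds one policy as the PR writes them: requiredMetadataPatterns for
// create operations, metadataPatterns for everything else.
function scopedPolicy(type: string, scope: Scope): Policy {
  const patterns: MetadataPattern[] = [
    { key: "projectId", rule: { pattern: scope.projectId } },
    { key: "teamId", rule: { pattern: scope.teamId } },
    { key: "type", rule: { pattern: "server-wallet" } },
  ];
  return /:create$/.test(type)
    ? { requiredMetadataPatterns: patterns, type }
    : { metadataPatterns: patterns, type };
}

// Returns one finding per violation; an empty array means the list is clean.
function auditPolicies(kind: TokenKind, policies: Policy[], scope: Scope): string[] {
  const findings: string[] = [];
  const expected: Record<string, string> = {
    projectId: scope.projectId,
    teamId: scope.teamId,
    type: "server-wallet",
  };
  const seen: Record<string, number> = {};

  policies.forEach((policy, index) => {
    const label = `policy[${index}] ${policy.type}`;
    seen[policy.type] = (seen[policy.type] || 0) + 1;

    // Management tokens are limited to read and create; signing is wallet-only.
    if (kind === "management" && /:sign/.test(policy.type)) {
      findings.push(`${label}: signing scope on a management token`);
    }

    // A policy without these constraints is not bound to the project or team.
    const patterns = policy.metadataPatterns || policy.requiredMetadataPatterns || [];
    Object.keys(expected).forEach((key) => {
      const match = patterns.filter((p) => p.key === key)[0];
      if (!match) {
        findings.push(`${label}: missing ${key} constraint`);
      } else if (match.rule.pattern !== expected[key]) {
        findings.push(`${label}: ${key} is scoped to "${match.rule.pattern}"`);
      }
    });
  });

  // Duplicate entries for one type make later edits easy to apply to one copy only.
  Object.keys(seen).forEach((type) => {
    if (seen[type] > 1) findings.push(`${type}: declared ${seen[type]} times`);
  });
  return findings;
}

// Constructed sample data, not values from the PR.
const sampleScope: Scope = { projectId: "prj_example", teamId: "team_example" };
const managementOk: Policy[] = ["eoa:read", "eoa:create", "solana:read", "solana:create"]
  .map((type) => scopedPolicy(type, sampleScope));
const managementBad: Policy[] = managementOk.concat([
  scopedPolicy("solana:signTransaction", sampleScope), // signing on a management token
  { type: "solana:read" },                             // unscoped and duplicated
  scopedPolicy("solana:create", { projectId: "prj_other", teamId: sampleScope.teamId }),
]);
const managementFindings: string[] = auditPolicies("management", managementBad, sampleScope);
```

Run as a unit test against the arrays passed to `createWalletAccessToken` and `createManagementAccessToken`, a check of this kind fails the build when a signing scope or an unscoped entry is copied into the wrong token.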


github-actions bot commented Oct 11, 2025

size-limit report 📦

| Path | Size | Loading time (3g) | Running time (snapdragon) | Total time |
| --- | --- | --- | --- | --- |
| thirdweb (esm) | 64.51 KB (0%) | 1.3 s (0%) | 169 ms (+212.08% 🔺) | 1.5 s |
| thirdweb (cjs) | 366.04 KB (0%) | 7.4 s (0%) | 581 ms (+11.97% 🔺) | 8 s |
| thirdweb (minimal + tree-shaking) | 5.73 KB (0%) | 115 ms (0%) | 96 ms (+3434.73% 🔺) | 211 ms |
| thirdweb/chains (tree-shaking) | 526 B (0%) | 11 ms (0%) | 74 ms (+4961.19% 🔺) | 85 ms |
| thirdweb/react (minimal + tree-shaking) | 19.13 KB (0%) | 383 ms (0%) | 85 ms (+2851.64% 🔺) | 467 ms |


codecov bot commented Oct 13, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.03%. Comparing base (43b0680) to head (c9a0c23).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8239   +/-   ##
=======================================
  Coverage   55.03%   55.03%           
=======================================
  Files         919      919           
  Lines       60583    60583           
  Branches     4131     4131           
=======================================
  Hits        33341    33341           
  Misses      27138    27138           
  Partials      104      104           
Flag Coverage Δ
packages 55.03% <ø> (ø)

d4mr commented Oct 14, 2025

Merge activity

## PR-Codex overview
This PR focuses on adding new metadata patterns and required metadata patterns for various transaction types related to `solana`, enhancing the functionality of the `vault.client.ts` file.

### Detailed summary
- Added new `metadataPatterns` for `solana:read`, `solana:create`, `solana:signTransaction`, and `solana:signMessage` types.
- Included `requiredMetadataPatterns` for `solana:create` type.
- Each pattern includes `projectId`, `teamId`, and a fixed `type` of `"server-wallet"`.


## Summary by CodeRabbit

* **New Features**
  * Added Solana-specific permissions to access tokens.
  * Wallet tokens now support solana:read, solana:create, solana:signTransaction, and solana:signMessage.
  * Management tokens now support solana:read and solana:create.
  * Permissions can be scoped via metadata (team, project, server-wallet) for finer control.
  * No changes to existing flows or error handling; new scopes are available during token creation.

@graphite-app graphite-app bot force-pushed the pb/add-solana-policies-to-access-token branch from 162c7ce to c9a0c23 Compare October 14, 2025 18:06
@vercel vercel bot temporarily deployed to Preview – nebula October 14, 2025 18:06 Inactive
@vercel vercel bot temporarily deployed to Preview – thirdweb_playground October 14, 2025 18:06 Inactive
@vercel vercel bot temporarily deployed to Preview – wallet-ui October 14, 2025 18:06 Inactive
@vercel vercel bot temporarily deployed to Preview – docs-v2 October 14, 2025 18:06 Inactive
@graphite-app graphite-app bot merged commit c9a0c23 into main Oct 14, 2025
24 checks passed
@graphite-app graphite-app bot deleted the pb/add-solana-policies-to-access-token branch October 14, 2025 18:15
@graphite-app graphite-app bot removed the merge-queue Adds the pull request to Graphite's merge queue. label Oct 14, 2025
@vercel vercel bot temporarily deployed to Production – wallet-ui October 14, 2025 18:15 Inactive
@vercel vercel bot temporarily deployed to Production – nebula October 14, 2025 18:15 Inactive
@vercel vercel bot temporarily deployed to Production – docs-v2 October 14, 2025 18:15 Inactive
@vercel vercel bot temporarily deployed to Production – thirdweb_playground October 14, 2025 18:15 Inactive