Add Zcash ZIP-321 payment-request deeplink support#6018
Conversation
- Replace yarn.lock with package-lock.json (generated via socket npm install for Socket.dev scanning). - Swap package.json `resolutions` for npm `overrides`, drop `yarn` and `yarn-deduplicate` devDeps, bump `patch-package` to ^8, set `packageManager` to npm@11.15.0, and update the `fix` script to use `npm dedupe`. - Persist prior yarn `--ignore-scripts` behavior via `ignore-scripts=true` in .npmrc, and add `legacy-peer-deps=true` so npm tolerates the same peer-dep conflicts yarn classic did (e.g. async-storage@1.19.4 vs RN 0.79). - Convert yarn invocations to npm equivalents in scripts/prepare.sh, Jenkinsfile, .travis.yml, and developer docs (README.md, AGENTS.md, docs/MAESTRO.md, webpack.config.js, scripts/gitVersionFile.ts). - Remove the yarn global-install step from maestro.sh and rename the bootstrap function accordingly.
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.
Tip: disable this comment in your organization's Code Review settings.
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
samholmes
left a comment
samholmes
left a comment
There was a problem hiding this comment.
This looks like it'll work but I don't think you need the redundant verification step. I could be wrong
|
Kept the validateZip321Uri verification step: it isn't redundant with the general deep-link parsing. ZIP-321 mandates that a wallet MUST reject payment URIs carrying unknown required ( |
Register the `zcash:` URL scheme on iOS so the OS routes ZIP-321
payment URIs to the app, and add spec validation in the deeplink
parser:
* Reject any `req-*` query parameter (unknown required params must
cause the URI to be rejected per ZIP-321).
* Reject the multi-recipient form (`address.N` indexed params or
top-level `address=` without a host) cleanly with a clear error,
consistent with how BIP21 multi-output URIs are handled today.
Single-recipient address, amount, memo (base64url), label and message
extraction is already handled by the zcash plugin's parseUri, so the
existing 'other' deeplink flow does the prefill end-to-end once the
scheme is registered.
Spec: https://zips.z.cash/zip-0321
j0ntz
force-pushed
the
agent/1215201512214395
branch
2 times, most recently
from
a8dfa08 to
e1a1fff
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit e1a1fff. Configure here.
| yarn deploy edge ios master | ||
| yarn deploy edge android master | ||
| npm run deploy edge ios master | ||
| npm run deploy edge android master |
There was a problem hiding this comment.
README deploy commands missing -- argument separator
Medium Severity
The npm run deploy edge ios master commands don't forward arguments to the script. Unlike yarn, npm run requires a -- separator before script arguments. Without it, deploy.ts receives no values for argv[2]–argv[4] (project name, platform, branch) and will fail or behave incorrectly. The Jenkinsfile correctly uses -- for npm test -- --ci, but these README commands were converted from yarn deploy without adding the separator.
Reviewed by Cursor Bugbot for commit e1a1fff. Configure here.
2 participants
Summary
Adds end-to-end Zcash ZIP-321 payment-request URI support so that tapping (or pasting) a
zcash:URI lands the user on the send scene with the address, amount, and memo prefilled.zcashadded toCFBundleURLTypesandLSApplicationQueriesSchemesso the OS routeszcash:URIs to the app.parseDeepLinkfor the parts the zcash plugin'sparseUridoes not enforce on its own:req-*query parameter (unknown required params must cause rejection per the spec).address.Nindexed params or top-leveladdress=without a host) with a clear error.edge-currency-accountbasedalready handles address, amount, base64url-decoded memo, label, and message viaZcashTools.parseUriand threads the memo throughuniqueIdentifier/spendTarget.memo.Out of scope
spendInfo.spendTargets[]array and is a separate piece of work.proposeFulfillingPaymentURIpath. The zcash plugin engine supportsotherParams.zip321Urifor proposal-level fidelity, but the existing address/amount/memo prefill is sufficient for the prefill UX described in the task.Test URIs
These map to the new
describe('zcash ZIP-321')block insrc/__tests__/DeepLink.test.ts:zcash:tmKZ8RrXqfPwhDxN7d8r4wQ3iyc3LwhTSpf?amount=0.001zcash:zs1z7rejlpsa98s2rrrfkwmaxu53e4ue0ulcrw0h4x5g8jl04tak0d3mm47vdtahatqrlkngh9sly?amount=0.05&memo=dGVzdA&label=lunch&message=hellozcash:u1l8xunezsvhq8fgzfl7404m450nwnd76zshscn6nfys7vyz2ywyh4cc5daaq0c7q2su5lqfh23sp7jpe57qa6jukhvz5skp7y34zwlexc?amount=0.001&memo=dGVzdAreq-*):zcash:tmKZ8RrXqfPwhDxN7d8r4wQ3iyc3LwhTSpf?amount=0.001&req-future=1zcash:?address=tmKZ8RrXqfPwhDxN7d8r4wQ3iyc3LwhTSpf&amount=0.1&address.1=zs1...&amount.1=0.2Test plan
tsc --noEmitcleannpx jest DeepLink.test.tspasses (56 tests, including 8 new zcash cases)xcrun simctl openurl <udid> 'zcash:tmKZ8R...?amount=0.001&memo=dGVzdA'opens the send scene with address, amount, and memo "test" prefilled.Asana
https://app.asana.com/0/1215088146871429/1215201512214395
Note
Medium Risk
The package-manager switch touches all install/CI paths and could break builds if lockfile or npm settings diverge from prior Yarn behavior; native scheme registration is low risk but affects how external apps open payment URIs.
Overview
Registers the
zcashURL scheme on iOS (Info.plistURL types and query schemes) and Android (payment-links intent filter) so the OS can hand offzcash:links to Edge—needed for ZIP-321-style payment URIs to reach the app.Separately, the repo standardizes on npm instead of Yarn: removes
.yarnrc, adds.npmrc(ignore-scripts,legacy-peer-deps), updates Travis and Jenkins install/test steps, and rewrites README, AGENTS.md, MAESTRO.md, and maestro.sh (no global Yarn install) to usenpm ci,npm run, etc.Reviewed by Cursor Bugbot for commit e1a1fff. Bugbot is set up for automated code reviews on this repo. Configure here.