Add download Hardhat Polkadot zip option, add Polkadot tab in UI

[ericglau]

• Adds the Download Hardhat package option for Polkadot, limited to non-upgradeable contracts for now. This extends from Solidity Wizard's Download Hardhat functionality.
• Changes required Node version to 22, since this is a requirement of the Hardhat Polkadot plugin.
• Restores Polkadot tab in UI

---

Note for code review:

• Commit 8145433 is cherry-picked from a not-yet-merged PR, which adds extensibility to the zip-hardhat.ts file.
• Only commit 9e22ed5 (and later, if any) is specific for this PR.

[coderabbitai]

Walkthrough

Bumps Node.js to 22 and setup-node to v5 in CI. Refactors Hardhat zip generation into a class. Adds a Polkadot-specific Hardhat zip generator, exports, and tests with snapshots. Updates UI overrides to function-based omit and optional override for Hardhat zip, with dynamic import in Polkadot UI.

Changes

Cohort / File(s)	Summary
CI and Node version bump .github/actions/setup/action.yml, .nvmrc	Update actions/setup-node to v5 and Node.js version from 20 to 22; no flow changes.
Hardhat zip generator refactor packages/core/solidity/src/zip-hardhat.ts, packages/core/solidity/src/zip-hardhat.test.ts.md	Introduce HardhatZipGenerator class, restructure content generation methods, delegate zipHardhat to the class; update snapshots for changed templates/comments and unsafeAllow array syntax.
Polkadot Hardhat zip support packages/core/solidity/src/zip-hardhat-polkadot.ts, packages/core/solidity/zip-env-hardhat-polkadot.ts, packages/core/solidity/zip-env-hardhat-polkadot.js, packages/core/solidity/src/environments/hardhat/polkadot/package.json, packages/core/solidity/src/zip-hardhat-polkadot.test.ts, packages/core/solidity/src/zip-hardhat-polkadot.test.ts.md	Add Polkadot-specific generator extending Hardhat setup, re-export/build proxies, environment package.json, end-to-end AVA test with layout/assertions, and snapshot report.
UI overrides and dynamic generation packages/ui/src/solidity/overrides.ts, packages/ui/src/solidity/App.svelte, packages/ui/src/polkadot/App.svelte	Change omitZipHardhat from boolean to function; add optional overrideZipHardhat. Update App.svelte to call function-based omit and delegate to override when provided; Polkadot UI dynamically imports zip-env-hardhat-polkadot and routes generation.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant User
  participant UI as Solidity App.svelte
  participant Ov as Overrides
  participant Gen as Core Hardhat Generator

  User->>UI: Click "Download Hardhat ZIP"
  UI->>Ov: omitZipHardhat(opts)
  alt omit = true
    UI-->>User: Skip Hardhat ZIP
  else omit = false
    UI->>Ov: overrideZipHardhat?
    alt override present
      UI->>Ov: overrideZipHardhat(contract, opts)
      Ov-->>UI: JSZip
    else no override
      UI->>Gen: zipHardhat(contract, opts)
      Gen-->>UI: JSZip
    end
    UI-->>User: Start ZIP download
  end

Loading

sequenceDiagram
  autonumber
  participant PolyUI as Polkadot App.svelte
  participant Dyn as Dynamic Import
  participant PGen as zipHardhatPolkadot
  participant HGen as HardhatZipGenerator

  PolyUI->>Dyn: import("@openzeppelin/wizard/zip-env-hardhat-polkadot")
  Dyn-->>PolyUI: { zipHardhatPolkadot }
  PolyUI->>PGen: zipHardhatPolkadot(contract, opts)
  PGen->>HGen: Extend Hardhat config (add @parity/hardhat-polkadot)
  HGen-->>PolyUI: JSZip (Polkadot Hardhat project)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Add Polkadot Solidity tab #650: Adjusts Polkadot UI overrides and Hardhat download behavior, aligning with the new override and dynamic import paths introduced here.
• Update migrated imports from community to vanilla contracts #609: Touches packages/core/solidity/src/zip-hardhat.ts, overlapping with the refactor to a class-based generator in this PR.
• Unify upgradeability of Account with the other types of contract #658: Further changes to Hardhat zip generation and configuration, directly related to the generator refactor introduced here.

Suggested reviewers

• KitHat
• gonzaotc

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	The pull request description is well-related to the changeset and provides meaningful context about the changes. It explains that the PR adds a Download Hardhat package option for Polkadot (limited to non-upgradeable contracts), mentions the required Node version update to 22 due to Hardhat Polkadot plugin requirements, and notes the restoration of the Polkadot tab. The description also helpfully includes notes for code reviewers about the cherry-picked commit from another PR and identifies which commits are specific to this PR, demonstrating awareness of the code history.
Title Check	✅ Passed	The pull request title "Add download Hardhat Polkadot zip option, add Polkadot tab in UI" is directly and comprehensively related to the main changes in the changeset. The PR's primary objectives are to introduce a new "Download Hardhat" feature for Polkadot contracts and to add a Polkadot tab in the UI, which the title clearly articulates. The title is concise, specific, and avoids vague language or noise. It accurately captures the two key user-facing features being delivered, though it does not mention supporting changes like the Node version upgrade to 22, which is secondary infrastructure work. The title would allow teammates scanning the commit history to immediately understand the primary focus of this work.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		@babel/core@7.28.4 is a AI-detected potential code anomaly. Notes: The analyzed fragment implements a conventional file transformation entry point with no evident malicious behavior or hard-coded secrets. Security concerns depend on the downstream transformation logic (run) and configuration loading (loadConfig). The code maintains safe control flow (null config handling) and avoids arbitrary code execution within this scope. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json → npm/@babel/core@7.28.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.28.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@babel/helper-module-imports@7.27.1 is a AI-detected potential code anomaly. Notes: The analyzed code is a Babel AST helper (ImportBuilder) used to construct import statements and interop-wrapped imports. It contains no indicators of malicious behavior, data exfiltration, backdoors, or runtime abuses. It operates within a compiler/transpiler context to produce code, not to execute arbitrary user data. Therefore, the code itself does not present security risks or malware indicators under normal usage. This is benign library behavior intended for code transformation. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json → npm/@babel/helper-module-imports@7.27.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-imports@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@babel/helper-module-transforms@7.28.3 is a AI-detected potential code anomaly. Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json → npm/@babel/helper-module-transforms@7.28.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.28.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@babel/helper-string-parser@7.27.1 is a AI-detected potential code anomaly. Notes: The analyzed code is a standard, well-structured parsing utility for JavaScript string literals and escapes (consistent with Babel’s helper-string-parser). It includes thorough validation, proper Unicode handling, and defensive error reporting. There is no evidence of malicious behavior, data leakage, or network activity within this fragment. The security risk is low when used as part of a trusted toolchain; the code otherwise poses no evident supply-chain threat based on the provided snippet. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json → npm/@babel/helper-string-parser@7.27.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-string-parser@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@babel/helpers@7.28.4 is a AI-detected potential code anomaly. Notes: The analyzed fragment is a conventional Babel/TypeScript-style decorators runtime (applyDecs) responsible for applying decorators to class members and managing metadata and initializers. There is no evidence of malware, backdoors, or external data leakage within this module. While complex, the code behaves as a metadata-driven decorator processor and should be considered low risk when used as intended. Downstream risks depend on the decorators provided by consumers, not this utility itself. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json → npm/@babel/helpers@7.28.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.28.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@babel/plugin-syntax-typescript@7.27.1 is a AI-detected potential code anomaly. Notes: The code is a standard Babel plugin fragment that configures syntax support for TypeScript by manipulating parser plugins. There is no malicious logic, no data exfiltration, and no unsafe operations. It appears to be a legitimate helper for enabling TypeScript syntax in Babel pipelines. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json → npm/@babel/plugin-syntax-typescript@7.27.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/plugin-syntax-typescript@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@protobufjs/inquire@1.1.0 is a AI-detected potential code anomaly. Notes: The code uses eval to dynamically require a module, which is highly unusual and considered unsafe. The usage of eval can lead to code injection vulnerabilities if the moduleName is not properly validated. Additionally, the use of string manipulation to form 'require' is a form of obfuscation and makes the code harder to read and understand. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json → npm/@protobufjs/inquire@1.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@protobufjs/inquire@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		chownr@1.1.4 is a AI-detected potential code anomaly. Notes: The code represents a standard, well-scoped recursive ownership utility with deliberate cross-version compatibility. No evidence of malicious activity, data leakage, or external communications. The main risk is the potential for broad permission changes if invoked with untrusted uid/gid values; usage should be restricted to trusted contexts. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json → npm/chownr@1.1.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chownr@1.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		consola@3.4.2 is a AI-detected potential code anomaly. Notes: The analyzed code fragment is a feature-rich, standard Consola logging utility responsible for redirecting and managing log output with throttling, pausing, and reporter integration. There is no direct evidence of malicious activity, hardcoded secrets, or exfiltration within this snippet. However, the powerful I/O overrides pose privacy and data flow risks if reporters or downstream sinks are untrusted. The security posture hinges on trusted reporters and proper governance of the overall supply chain. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json → npm/consola@3.4.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/consola@3.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		enquirer@2.3.0 is a AI-detected potential code anomaly. Notes: The analyzed code implements a straightforward boolean prompt component with predictable data flow. It validates and casts user input to boolean values, renders the UI accordingly, and does not exhibit signs of malice or data exfiltration. Security risk remains low if used within a typical CLI prompt context; no external communications or sensitive data handling detected in this fragment. Confidence: 0.75 Severity: 0.55 From: packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json → npm/@parity/hardhat-polkadot@0.2.0-pre2 → npm/enquirer@2.3.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/enquirer@2.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		fs-extra@11.3.2 is a AI-detected potential code anomaly. Notes: The analyzed code is a standard, legitimate implementation of a recursive copy utility (copySync) from the fs-extra library. It includes typical safeguards (type checks, destination directory creation, overwrite logic, symlink handling, and optional timestamp preservation) and does not exhibit any malicious behavior such as data exfiltration, remote communication, backdoors, or code injection. The warning about preserveTimestamps on ia32 is a benign, user-facing message. Overall security risk is low, with normal filesystem side effects expected. If any concern exists, it would be about untrusted path manipulation via the src/dest, but this is inherent to any filesystem copy utility and mitigated by the provided option hooks (filter, dereference, etc.). Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json → npm/@parity/hardhat-polkadot@0.2.0-pre2 → npm/fs-extra@11.3.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs-extra@11.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (4)

packages/core/solidity/src/environments/hardhat/polkadot/package.json (1)

11-16: Consider version range strategy for dependencies.

The package uses caret (^) version ranges for all dependencies. While this allows for minor/patch updates, consider whether stricter pinning is appropriate for critical dependencies like the Polkadot plugin.

For more stability, consider exact version pinning for newer/experimental dependencies:

  "devDependencies": {
    "@openzeppelin/contracts": "^5.4.0",
-   "@parity/hardhat-polkadot": "^0.1.9",
+   "@parity/hardhat-polkadot": "0.1.9",
    "@nomicfoundation/hardhat-toolbox": "^6.1.0",
    "hardhat": "^2.16.1"
  }

packages/core/solidity/src/zip-hardhat-polkadot.test.ts (1)

121-123: Consider extracting the duplicate asString helper

This asString function duplicates the one already available in packages/core/stellar/src/utils/zip-test.ts.

Consider importing the shared utility instead:

-async function asString(item: JSZipObject) {
-  return Buffer.from(await item.async('arraybuffer')).toString();
-}
+import { asString } from '../../stellar/src/utils/zip-test';

Or if cross-package imports aren't desired, extract it to a shared test utilities module within the solidity package.

packages/core/solidity/src/zip-hardhat-polkadot.ts (1)

57-62: Extra whitespace in gitignore template

The gitignore template has inconsistent indentation with extra spaces at the beginning and end.

Clean up the formatting:

  protected getGitIgnoreHardhatIgnition(): string {
-    return `
-# Hardhat Ignition default folder for deployments against a local Polkadot Revive Dev node
-ignition/deployments/chain-420420420
-    `;
+    return `
+# Hardhat Ignition default folder for deployments against a local Polkadot Revive Dev node
+ignition/deployments/chain-420420420`;
  }

packages/core/solidity/src/zip-hardhat.ts (1)

64-73: Consider validating constructor argument types

The code assumes that non-address constructor arguments need manual setting, but doesn't validate the actual types. This could be enhanced to provide more specific guidance based on the actual argument types.

Consider providing more specific placeholders based on the argument type:

  private declareVariables(args: FunctionArgument[]): Lines[] {
    const vars = [];
    for (let i = 0; i < args.length; i++) {
      if (args[i]!.type === 'address') {
        vars.push(`const ${args[i]!.name} = (await ethers.getSigners())[${i}].address;`);
      } else {
+       const argType = typeof args[i]!.type === 'string' ? args[i]!.type : 'contract';
+       const placeholder = this.getPlaceholderForType(argType);
        vars.push(`// TODO: Set the following constructor argument`);
-       vars.push(`// const ${args[i]!.name} = ...;`);
+       vars.push(`// const ${args[i]!.name} = ${placeholder};`);
      }
    }
    return vars;
  }
+ 
+ private getPlaceholderForType(type: string): string {
+   switch(type) {
+     case 'uint256': return '1000';
+     case 'string': return '"example"';
+     case 'bool': return 'true';
+     default: return '...';
+   }
+ }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0a90806 and 9e22ed5.

⛔ Files ignored due to path filters (3)

• packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json is excluded by !**/package-lock.json
• packages/core/solidity/src/zip-hardhat-polkadot.test.ts.snap is excluded by !**/*.snap
• packages/core/solidity/src/zip-hardhat.test.ts.snap is excluded by !**/*.snap

📒 Files selected for processing (13)

• .github/actions/setup/action.yml (1 hunks)
• .nvmrc (1 hunks)
• packages/core/solidity/src/environments/hardhat/polkadot/package.json (1 hunks)
• packages/core/solidity/src/zip-hardhat-polkadot.test.ts (1 hunks)
• packages/core/solidity/src/zip-hardhat-polkadot.test.ts.md (1 hunks)
• packages/core/solidity/src/zip-hardhat-polkadot.ts (1 hunks)
• packages/core/solidity/src/zip-hardhat.test.ts.md (7 hunks)
• packages/core/solidity/src/zip-hardhat.ts (4 hunks)
• packages/core/solidity/zip-env-hardhat-polkadot.js (1 hunks)
• packages/core/solidity/zip-env-hardhat-polkadot.ts (1 hunks)
• packages/ui/src/polkadot/App.svelte (2 hunks)
• packages/ui/src/solidity/App.svelte (2 hunks)
• packages/ui/src/solidity/overrides.ts (3 hunks)

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-09-24T20:55:43.331Z

Learnt from: CoveMB
PR: OpenZeppelin/contracts-wizard#665
File: packages/ui/src/solidity/remix.node.test.ts:0-0
Timestamp: 2025-09-24T20:55:43.331Z
Learning: In the OpenZeppelin contracts-wizard project, the UI package tests use AVA framework which provides browser API polyfills, so `atob` and other browser APIs are available in the test environment.

Applied to files:

• packages/core/solidity/src/zip-hardhat-polkadot.test.ts

📚 Learning: 2025-08-15T23:23:13.097Z

Learnt from: ernestognw
PR: OpenZeppelin/contracts-wizard#609
File: packages/core/solidity/src/signer.ts:31-38
Timestamp: 2025-08-15T23:23:13.097Z
Learning: In OpenZeppelin contracts-wizard, the `setUpgradeableAccount` function deliberately sets `c.upgradeable = false` after upgradeable setup to exclude EIP712Upgradeable and ERC7739Upgradeable variants (avoiding per-call SLOAD overhead). This architectural pattern necessitates manual `_disableInitializers()` setup in both account.ts and signer.ts since the standard upgradeable constructor logic doesn't apply when upgradeability is disabled post-setup.

Applied to files:

• packages/core/solidity/src/zip-hardhat.test.ts.md

📚 Learning: 2025-08-15T22:52:34.129Z

Learnt from: ernestognw
PR: OpenZeppelin/contracts-wizard#609
File: packages/core/solidity/src/account.ts:89-0
Timestamp: 2025-08-15T22:52:34.129Z
Learning: In OpenZeppelin contracts-wizard, non-upgradeable accounts still require initializer logic (Initializable, _disableInitializers(), and initialize() function) because ERC-4337 accounts are typically deployed by factories as minimal clone proxies, which cannot use constructors effectively for initialization. This is the intended deployment pattern for ERC-4337 account abstraction, even for non-upgradeable accounts.

Applied to files:

• packages/core/solidity/src/zip-hardhat.test.ts.md

🧬 Code graph analysis (3)

packages/core/solidity/src/zip-hardhat-polkadot.test.ts (2)

packages/core/solidity/src/zip-hardhat-polkadot.ts (1)

• zipHardhatPolkadot (65-67)

packages/core/stellar/src/utils/zip-test.ts (1)

• asString (15-15)

packages/core/solidity/src/zip-hardhat-polkadot.ts (2)

packages/core/solidity/src/zip-hardhat.ts (1)

• HardhatZipGenerator (91-307)

packages/core/solidity/hardhat.config.js (1)

• SOLIDITY_VERSION (11-11)

packages/core/solidity/src/zip-hardhat.ts (3)

packages/core/solidity/src/contract.ts (2)

• Contract (3-14)
• FunctionArgument (65-68)

packages/core/solidity/src/utils/format-lines.ts (1)

• formatLinesWithSpaces (9-11)

packages/core/solidity/src/print.ts (1)

• printContract (23-57)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build (solidity, default)
• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (14)

.nvmrc (1)

1-1: Node.js 22 upgrade aligns with PR requirements.

Node.js v22 has officially moved into Active LTS status and the node.js 22 will enter long-term support (LTS) in October, making this a stable choice for production. The upgrade from Node 20 to 22 supports the Hardhat Polkadot plugin requirement mentioned in PR objectives.

.github/actions/setup/action.yml (1)

6-8: GitHub Actions setup properly updated for Node.js 22.

The action correctly updates both the setup-node version to v5.0.0 and Node.js version to 22, maintaining consistency with the .nvmrc change. The commit hash ensures reproducible builds.

packages/core/solidity/src/zip-hardhat-polkadot.test.ts.md (1)

1-201: Test snapshot looks comprehensive and properly structured.

The snapshot covers all essential files for a Hardhat Polkadot project including contracts, configuration, package.json, ignition modules, tests, and documentation. The content demonstrates proper integration of Polkadot-specific configuration like polkavm: true and Polkadot Revive-specific settings.

packages/core/solidity/src/zip-hardhat.test.ts.md (2)

107-107: Comment improvement enhances clarity.

The update from "Set addresses for the contract arguments below" to "Set values for the constructor arguments below" improves clarity and accuracy, as constructor arguments aren't limited to addresses.

Also applies to: 266-266, 373-373, 465-465, 546-546, 644-645, 667-667

---

645-645: Array format for unsafeAllow corrects Hardhat Upgrades API usage.

The change from { unsafeAllow: 'constructor' } to { unsafeAllow: ['constructor'] } aligns with the correct Hardhat Upgrades API format, which expects an array of strings rather than a single string.

Also applies to: 667-667

packages/core/solidity/zip-env-hardhat-polkadot.ts (1)

1-1: Clean re-export structure maintains API consistency.

The simple re-export pattern follows the established convention for environment-specific entry points and properly exposes the Polkadot Hardhat functionality.

packages/ui/src/polkadot/App.svelte (3)

7-7: Type imports added for enhanced type safety.

Adding explicit type imports for Contract and GenericOptions improves type safety for the new override functions.

---

12-14: Dynamic import implementation enables lazy loading.

The dynamic import pattern efficiently loads the Polkadot-specific module only when needed, reducing initial bundle size while maintaining functionality.

---

23-29: Function-based override provides conditional Hardhat zip generation.

The implementation properly uses the new override API:

• omitZipHardhat function correctly excludes upgradeable contracts (which aren't supported for Polkadot per PR objectives)
• overrideZipHardhat async function properly awaits the dynamic module and delegates to zipHardhatPolkadot

packages/core/solidity/zip-env-hardhat-polkadot.js (1)

1-1: Simple proxy module follows established patterns.

The CommonJS proxy correctly routes to the built distribution file, maintaining consistency with other environment entry points in the project.

packages/ui/src/solidity/App.svelte (2)

146-146: LGTM! Clean migration to function-based override

The change from a boolean check to a function call overrides.omitZipHardhat(opts) provides better flexibility for conditional logic based on the options.

---

204-207: Good implementation of override pattern for Hardhat zip generation

The conditional logic properly checks for the presence of overrideZipHardhat and falls back to the default zipHardhat when not provided. This allows ecosystem-specific customization while maintaining backward compatibility.

packages/ui/src/solidity/overrides.ts (1)

24-29: Well-designed extensibility for Hardhat zip generation

The conversion of omitZipHardhat to a function and addition of overrideZipHardhat provides a clean extension point for ecosystem-specific Hardhat configurations. The optional nature of overrideZipHardhat maintains backward compatibility.

packages/core/solidity/src/zip-hardhat.ts (1)

91-307: Excellent refactoring to class-based architecture

The refactoring from procedural code to the HardhatZipGenerator class provides excellent extensibility, as demonstrated by the Polkadot subclass. The protected methods allow for selective overriding while maintaining the core logic.

[CoveMB]

Looking good 🌾 (did not test UI as Polkadot button is hiden)

[CoveMB]

nit: maybe could be moved to utils

[ericglau]

this is just a one-liner that is called from one place, so it seems fine to leave it

[CoveMB]

Wondering if (now or later) it could be a good idea to extract download logic in their own components to keep App.svelte leaner

[ericglau]

Which parts are you referring to? The download logic in App.svelte seems small, as the logic is mostly in the zip-hardhat-*.ts files.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​parity/​hardhat-polkadot@​0.2.0-pre2

View full report