feat: renderer refactor, game versioning, and SVG gas optimization

[starknetdev]

Summary

Renderer refactoring

• Extract metadata generation from svg.cairo into new metadata.cairo submodule
• Remove embedded font.cairo (VT323 WOFF2 font)
• Update AGENTS.md documentation for renderer module

SVG gas optimization

• Inline all 14 <symbol> icon definitions at their use sites, eliminating unused definitions from output
• Add helper functions (icon_check, icon_x, icon_target, icon_flag) for multi-use icons
• Replace base64 encoding with # → %23 URL encoding for data:image/svg+xml, URIs, avoiding ~33% base64 size inflation
• Remove unused ico-user symbol

Game versioning

• Add version: u64 field to GameMetadata struct
• Thread version through register_game, MinigameComponent, and MinigameRegistryComponent
• Update IMINIGAME_REGISTRY_ID interface ID constant

Test updates

• Add new renderer tests and registry component tests
• Update example/mock contracts for new version field

Test plan

• scarb build compiles
• snforge test renderer — all tests pass (test assertions need updating from data:image/svg+xml;base64, to data:image/svg+xml,)
• snforge test registry — all tests pass
• snforge test minigame — all tests pass
• snforge test test_stress — compare SVG gas vs baseline (~999M)

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4c18c4f1-5e1f-4401-b953-a06976de7d22

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/inline-svg-icons

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the SVG rendering logic by moving away from symbol-based icon definitions to direct inlining and helper functions, aiming to reduce the final SVG size and improve rendering efficiency. A key optimization involves switching from base64 encoding to URL encoding for SVG data URIs, further decreasing the output size. Additionally, the scope of metadata generation has been narrowed by removing the custom JSON metadata creation function.

Highlights

• SVG Icon Handling Refactor: All 14 <symbol> definitions for icons have been removed from the SVG output. Icons are now inlined directly as <svg> elements at each use site, which eliminates unused icon definitions and can reduce the overall SVG size.
• New Icon Helper Functions: Introduced dedicated helper functions (icon_check, icon_x, icon_target, icon_flag) for icons that are used multiple times, promoting code reusability and maintainability.
• Encoding Optimization: Replaced base64 encoding with direct URL encoding (specifically, # is replaced with %23) for the data:image/svg+xml, URI. This change avoids approximately 33% size inflation associated with base64 encoding, leading to smaller SVG outputs.
• Metadata Generation Simplification: The create_custom_metadata function and its related dependencies, which were responsible for generating custom JSON metadata, have been entirely removed. This streamlines the rendering logic to focus solely on SVG generation.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• packages/utilities/src/renderer/svg.cairo
  • Removed unused imports related to Base64 encoding, JSON implementation, and GameDetail struct.
  • Deleted create_trait and bool_to_str utility functions.
  • Added a url_encode_hash function to safely encode '#' characters in SVG data URIs.
  • Implemented new helper functions (icon_check, icon_x, icon_target, icon_flag) for frequently used SVG icons.
  • Removed all <symbol> definitions for icons, opting for direct SVG element inclusion.
  • Updated the cpins pattern dimensions for connector pins.
  • Replaced the EGS logo placeholder text with an inlined SVG representation.
  • Converted all <use href='#ico-...' references to direct inlined <svg> elements or calls to the new icon helper functions.
  • Removed the create_custom_metadata function and its associated logic.
  • Modified the create_default_svg function to return URL-encoded SVG data instead of base64-encoded data.
  • Adjusted the dimensions and positioning of connector pins.
  • Added a version field to GameMetadata in a test case.
  • Removed all test_custom_metadata_... test functions.

Activity

• No specific activity details were provided in the pull request context.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[claude]

Claude finished @starknetdev's task —— View job

---

Claude Review - General Engineering Review

run=22707535344 attempt=1 sha=0b1062e3d2521174b6ebb99c30e1c271f12b3c20 scope=general

Todo List

• Check git diff for changes outside packages/
• Review CI/CD configurations, documentation, and tooling changes
• Provide review findings in specified format

Review Findings

This PR modifies only packages/utilities/src/renderer/svg.cairo, which falls outside the scope of this general engineering review. Per the scope boundary defined in .github/workflows/pr-ci.yml, I review only changes outside packages/** (CI configs, docs, scripts, tooling, etc.).

No actionable findings for files within my review scope.

Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO

The Cairo contract code changes in packages/** are handled by the Cairo-specific review process.

[github-actions]

Codex Review - General Engineering Review

No issues found.
Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO

[claude]

Claude finished @starknetdev's task —— View job

---

Claude Review - General Engineering Review

run=22707617761 attempt=1 sha=f51114ae51fbfa2cd8373d4a87b4b3345e4ca6f1 scope=general

Todo List

• Check git diff for changes outside packages/
• Review CI/CD configurations, documentation, and tooling changes
• Provide review findings in specified format

Review Findings

This PR modifies only packages/utilities/src/renderer/svg.cairo, which falls outside the scope of this general engineering review. Per the scope boundary defined in .github/workflows/pr-ci.yml, I review only changes outside packages/** (CI configs, docs, scripts, tooling, etc.).

No actionable findings for files within my review scope.

Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO

The Cairo contract code changes in packages/** are handled by the Cairo-specific review process.

---

[github-actions]

Codex Review - General Engineering Review

No issues found.
Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO

[gemini-code-assist]

Code Review

This pull request refactors the SVG generation by inlining icons and switching from base64 to URL encoding for data URIs, which aims to reduce final output size and enhance code clarity. However, this change introduces a high-severity Cross-Site Scripting (XSS) vulnerability. The SVG content is now constructed from unsanitized user-controlled metadata, allowing malicious input in fields like the game name, description, or image URL to lead to arbitrary script execution when the SVG is rendered. Proper XML/SVG escaping of all user-controlled data is required to fix this issue. Additionally, the create_custom_metadata function and its associated tests have been removed, and there are opportunities for minor gas optimizations in the new helper functions by avoiding unnecessary clones and using more direct byte appending.

[gemini-code-assist]

The switch from base64 encoding to raw SVG in the data:image/svg+xml URI introduces a significant Cross-Site Scripting (XSS) vulnerability. The svg variable contains multiple unsanitized user-controlled fields (such as game_metadata.name, game_metadata.developer, game_metadata.description, game_metadata.image, player_name, etc.) that are concatenated directly into the SVG string.

While the previous base64 encoding provided some level of protection by preventing the browser from interpreting the SVG content as part of the parent document in some contexts, serving the raw SVG allows any injected <script> tags or malicious event handlers (e.g., in foreignObject or via onerror attributes in img tags) to execute when the data URI is rendered. The url_encode_hash function only escapes the # character, which is insufficient to prevent SVG injection or XSS.

To remediate this, you must properly escape all user-controlled strings for XML/SVG before appending them to the svg ByteArray. Specifically, characters like <, >, &, ', and " should be replaced with their corresponding XML entities (e.g., <, >, &, ', "). Alternatively, consider using a full URL encoding for the entire SVG string or reverting to base64 encoding.

[gemini-code-assist]

For better performance, it's more efficient to append bytes directly rather than appending a felt252 literal. Appending a felt252 involves a conversion to ByteArray which has some overhead. Using append_byte is more direct and saves gas.

            output.append_byte(0x25); // '%'
            output.append_byte(0x32); // '2'
            output.append_byte(0x33); // '3'

[gemini-code-assist]

Since color is a snapshot (@ByteArray) and is only used once in this function, you can move it directly into the string concatenation instead of cloning it. This is a minor gas optimization.

        + color

[gemini-code-assist]

Since color is a snapshot (@ByteArray) and is only used once in this function, you can move it directly into the string concatenation instead of cloning it. This is a minor gas optimization.

        + color

[gemini-code-assist]

For the last use of the color snapshot in this function, you can move it instead of cloning to save some gas.

        + color

[gemini-code-assist]

For the last use of the color snapshot in this function, you can move it instead of cloning to save some gas.

        + color

[claude]

Claude finished @starknetdev's task —— View job

---

Claude Review - General Engineering Review

run=22707734379 attempt=1 sha=de47a04d93f27ae841e38ccc769385c7e1b2b800 scope=general

Todo List

• Check git diff for changes outside packages/
• Review CI/CD configurations, documentation, and tooling changes
• Provide review findings in specified format

Review Findings

This PR modifies only packages/utilities/src/renderer/svg.cairo, which falls outside the scope of this general engineering review. Per the scope boundary defined in .github/workflows/pr-ci.yml, I review only changes outside packages/** (CI configs, docs, scripts, tooling, etc.).

No actionable findings for files within my review scope.

Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO

The Cairo contract code changes in packages/** are handled by the Cairo-specific review process.

---

[claude]

Claude finished @starknetdev's task —— View job

---

Claude Review - Cairo/Starknet Contract Review

run=22707734379 attempt=1 sha=de47a04d93f27ae841e38ccc769385c7e1b2b800 scope=packages

Todo List

• Get PR diff for packages/** scope
• Review renderer SVG changes for security issues
• Check game versioning implementation
• Verify test coverage and patterns
• Provide findings summary

Review Findings

[HIGH] packages/utilities/src/renderer/svg.cairo:787 - XSS vulnerability in SVG generation
Impact: The switch from base64 to URL encoding allows unescaped user data in SVG data URIs. Multiple user-controlled fields (game_metadata.name, .description, .developer, .image, player_name, client_url) are concatenated directly into the SVG without proper XML/SVG escaping. This enables XSS via malicious input that could execute scripts when the SVG is rendered in browsers.
Fix: Add XML/SVG escaping function to escape <, >, &, ', " to <, >, &, ', " before concatenating user-controlled data into the SVG string.

[HIGH] packages/utilities/src/renderer/svg.cairo:106-112 - Inefficient gas usage in icon helper functions
Impact: The color.clone() calls in icon helpers create unnecessary copies of ByteArray data, wasting gas.
Fix: Replace color.clone() with color since color is a snapshot (@bytearray) and only used once per function.

[MEDIUM] packages/embeddable_game_standard/src/registry/registry_component.cairo:274 - Missing version field validation
Impact: The new version field has no validation, allowing potentially problematic values (e.g., 0, MAX_U64).
Fix: Add validation to ensure version > 0 and consider adding an upper bound check.

[LOW] packages/interfaces/src/registry.cairo:10-11 - Interface ID updated without documentation
Impact: The IMINIGAME_REGISTRY_ID constant changed but lacks comment explaining the change reason.
Fix: Add comment explaining the interface change was due to adding the version parameter.

Summary: 2 HIGH, 1 MEDIUM, 1 LOW, 0 INFO

Critical Security Issue: The most serious finding is the XSS vulnerability in SVG generation. The switch from base64 encoding to direct URL encoding removes a layer of protection against script injection attacks. This must be fixed before deployment.

The game versioning implementation correctly threads the version field through all necessary components and updates interface IDs appropriately. Test coverage is comprehensive with proper version field additions throughout.

[github-actions]

Codex Review - General Engineering Review

No issues found.
Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO

[github-actions]

Codex Review - Cairo/Starknet Contract Review

[HIGH] packages/utilities/src/renderer/metadata.cairo:130 - create_custom_metadata now returns raw JSON instead of a metadata URI (data:application/json;base64,...), which changes the contract-facing token_uri behavior.
Impact: ERC721 consumers/wallets expecting a URI will receive plain JSON text, causing metadata resolution failures and breaking downstream integrations.
Fix: Restore URI wrapping and base64 encoding at return time, e.g. format!("data:application/json;base64,{}", bytes_base64_encode(metadata)).

[HIGH] packages/utilities/src/renderer/svg.cairo:787 - SVG is returned as a raw data:image/svg+xml;utf8, URI without percent-encoding reserved characters (notably #, which is heavily used in SVG color/filter refs).
Impact: The data URI can be truncated/misparsed at the first #, resulting in broken or partially rendered token images.
Fix: Percent-encode the SVG payload before prefixing (at minimum % and #, ideally full URI-safe encoding), then return data:image/svg+xml, + encoded payload.

[MEDIUM] packages/utilities/src/renderer/tests/test_renderer.cairo:192 - SVG assertions still expect data:image/svg+xml;base64, across the suite despite the refactor changing SVG output format.
Impact: Renderer tests are inconsistent with implementation and will fail or mask the intended contract behavior for the new URI strategy.
Fix: Update SVG URI assertions consistently (prefer a shared helper/constant for prefix checks) to match the final chosen format.

Summary: 0 CRITICAL, 2 HIGH, 1 MEDIUM, 0 LOW, 0 INFO

[codecov]

Codecov Report

❌ Patch coverage is 93.43066% with 18 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
packages/utilities/src/renderer/svg.cairo	91.62%	18 Missing ⚠️

📢 Thoughts on this report? Let us know!

[claude]

Claude finished @starknetdev's task —— View job

---

Claude Review - General Engineering Review

run=22708800594 attempt=1 sha=a232c74a7b3dfaa5851cb2845dc18b19bb33e65e scope=general

Todo List

• Check git diff for changes outside packages/
• Review CI/CD configurations, documentation, and tooling changes
• Provide review findings in specified format

Review Findings

This PR modifies only packages/utilities/src/renderer/svg.cairo, which falls outside the scope of this general engineering review. Per the scope boundary defined in .github/workflows/pr-ci.yml, I review only changes outside packages/** (CI configs, docs, scripts, tooling, etc.).

No actionable findings for files within my review scope.

Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO

The Cairo contract code changes in packages/** are handled by the Cairo-specific review process.

---

[github-actions]

Codex Review - General Engineering Review

No issues found.
Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO

[claude]

Claude finished @starknetdev's task —— View job

---

Claude Review - General Engineering Review

run=22711813679 attempt=1 sha=416d1ea80dae5720e62efb2a3f047bb369b518d8 scope=general

Todo List

• Check git diff for changes outside packages/
• Review CI/CD configurations, documentation, and tooling changes
• Provide review findings in specified format

Review Findings

This PR modifies only packages/utilities/src/renderer/svg.cairo, which falls outside the scope of this general engineering review. Per the scope boundary defined in .github/workflows/pr-ci.yml, I review only changes outside packages/** (CI configs, docs, scripts, tooling, etc.).

No actionable findings for files within my review scope.

Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO

The Cairo contract code changes in packages/** are handled by the Cairo-specific review process.

[claude]

Claude finished @starknetdev's task —— View job

---

Claude finished @starknetdev's task —— View job

---

Claude Review - Cairo/Starknet Contract Review

run=22711813679 attempt=1 sha=416d1ea80dae5720e62efb2a3f047bb369b518d8 scope=packages

Todo List

• Get PR diff for packages/** scope
• Review renderer SVG changes for security issues
• Check game versioning implementation
• Verify test coverage and patterns
• Provide findings summary

Review Findings

[HIGH] packages/utilities/src/renderer/svg.cairo:856 - Potential XSS vulnerability in SVG generation
Impact: The switch from base64 encoding to direct URL encoding creates a potential XSS attack surface. User-controlled fields (game_metadata.name, description, developer, image, player_name, client_url) are URL-encoded but not XML/SVG escaped before being embedded in the SVG. Malicious input containing XML tags or script content could be executed when the SVG is rendered.
Fix: Add XML/SVG escaping function to escape <, >, &, ', " characters to <, >, &, ', " before URL encoding user-controlled data.

[MEDIUM] packages/utilities/src/renderer/svg.cairo:160 - Unnecessary clone() calls in icon helper functions
Impact: Icon helper functions use color.clone() when color is a snapshot parameter (@bytearray) that's only used once, causing unnecessary gas consumption.
Fix: Replace color.clone() with color in icon_check, icon_x, icon_target, and icon_flag functions since snapshots are automatically copyable.

[LOW] packages/interfaces/src/registry.cairo:9 - Interface ID updated without documentation
Impact: The IMINIGAME_REGISTRY_ID constant changed but lacks comment explaining the change was due to adding the version parameter.
Fix: Add comment explaining the interface change: // Updated from previous ID due to addition of version parameter

Summary: 0 CRITICAL, 1 HIGH, 1 MEDIUM, 1 LOW, 0 INFO

Critical Finding: The most serious issue is the potential XSS vulnerability in SVG generation. While the PR description mentions switching from base64 to URL encoding for gas optimization, this change removes a layer of protection against script injection. The uri_encode function only escapes specific URI-unsafe characters but doesn't handle XML/SVG context properly.

Game Versioning Implementation: The version field addition is correctly implemented throughout the codebase - properly threaded through all registration functions, stored in GameMetadata struct, and included in all tests. The interface ID constant was appropriately updated to reflect the signature change.

Test Coverage: The test suite has been comprehensively updated with the new version field added to all registration calls. Test assertions correctly expect the new data:image/svg+xml;utf8, format instead of the previous base64 format.

---

[github-actions]

Codex Review - General Engineering Review

No issues found.
Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO

[github-actions]

Codex Review - Cairo/Starknet Contract Review

[MEDIUM] packages/utilities/src/renderer/svg.cairo:856 - The SVG data URI uses data:image/svg+xml;utf8, with a raw payload, which is not standards-compliant for strict URI/media-type parsers.
Impact: Some wallets/indexers/clients that strictly parse RFC-compliant data URIs can reject or mis-handle token images, causing broken rendering.
Fix: Return a standards-compliant URI (data:image/svg+xml;charset=utf-8, or data:image/svg+xml,) and percent-encode the full SVG payload (not just selected dynamic fields), or keep base64 encoding for maximum compatibility.

[LOW] packages/embeddable_game_standard/src/registry/tests/test_registry_component.cairo:295 - New version persistence is not asserted in metadata retrieval tests (calls pass version, but assertions stop before checking metadata.version).
Impact: A regression in storing/reading version can slip through CI while the new feature appears covered.
Fix: Add explicit assertions for metadata.version and include at least one non-default value (for example version = 42) to validate propagation and storage.

[INFO] packages/utilities/src/renderer/tests/test_renderer.cairo:256 - test_default_svg_objective_failed only checks URI prefix and does not verify the new FAILED objective branch output.
Impact: The new objective-failed rendering branch can regress while tests still pass.
Fix: Assert rendered content contains expected FAILED markers (for example "FAILED" and/or the failed icon color) and does not contain "PENDING"/"COMPLETE".

Summary: 0 CRITICAL, 0 HIGH, 1 MEDIUM, 1 LOW, 1 INFO

[claude]

Claude finished @starknetdev's task —— View job

---

Claude Review - General Engineering Review

run=22712360091 attempt=1 sha=1491e14c64f5b59fd493e9a42125e5b68981d612 scope=general

Todo List

• Check git diff for changes outside packages/
• Review CI/CD configurations, documentation, and tooling changes
• Provide review findings in specified format

Review Findings

This PR modifies only packages/utilities/src/renderer/svg.cairo and related files within the packages/** directory, which falls outside the scope of this general engineering review. Per the scope boundary defined in .github/workflows/pr-ci.yml, I review only changes outside packages/** (CI configs, docs, scripts, tooling, etc.).

No actionable findings for files within my review scope.

Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO

The Cairo contract code changes in packages/** are handled by the Cairo-specific review process.

---

[github-actions]

Codex Review - General Engineering Review

No issues found.
Summary: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW, 0 INFO