
Conversation

@MananTank
Member

@MananTank MananTank commented Nov 11, 2025


PR-Codex overview

This PR adds a verify parameter to the Bridge.Webhook.parse function, enabling validation of webhook payloads against specified criteria, enhancing security and ensuring data integrity.

Detailed summary

  • Introduced verify parameter in Bridge.Webhook.parse function.
  • Added validation checks for:
    • receiverAddress
    • destinationTokenAddress
    • destinationChainId
    • minDestinationAmount
  • Implemented error handling for mismatched values.
  • Updated tests to cover new verification functionality for both onchain and onramp transactions.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

Summary by CodeRabbit

  • New Features

    • Webhook parsing now supports optional payload verification: enforce receiver address (case-insensitive), destination token, destination chain ID, and minimum destination amount. Verification applies to both on-chain and on-ramp payloads and returns descriptive errors on mismatch to ensure incoming webhooks meet your requirements.
  • Tests

    • Added comprehensive tests covering verification success and failure cases for on-chain and on-ramp payloads.

@linear

linear bot commented Nov 11, 2025

@vercel

vercel bot commented Nov 11, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
docs-v2 Ready Ready Preview Comment Nov 11, 2025 11:28pm
nebula Ready Ready Preview Comment Nov 11, 2025 11:28pm
thirdweb_playground Ready Ready Preview Comment Nov 11, 2025 11:28pm
thirdweb-www Ready Ready Preview Comment Nov 11, 2025 11:28pm
wallet-ui Ready Ready Preview Comment Nov 11, 2025 11:28pm

@changeset-bot

changeset-bot bot commented Nov 11, 2025

🦋 Changeset detected

Latest commit: a54c1ab

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages
Name Type
thirdweb Patch
@thirdweb-dev/nebula Patch
@thirdweb-dev/wagmi-adapter Patch
wagmi-inapp Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@coderabbitai
Contributor

coderabbitai bot commented Nov 11, 2025

Walkthrough

Adds an optional verify parameter to Bridge.Webhook.parse that, when supplied, enforces additional post-parse validations (receiverAddress, destinationTokenAddress, destinationChainId, minDestinationAmount) and throws descriptive errors on mismatches; tests added to exercise success and failure paths.

Changes

Changeset Documentation: .changeset/mean-pants-beam.md
Documents the new verify parameter on Bridge.Webhook.parse and its optional payload validation behavior.

Webhook Implementation: packages/thirdweb/src/bridge/Webhook.ts
Extends parse signature to accept an optional verify object and adds conditional validation logic for receiverAddress (case-insensitive), destinationTokenAddress, destinationChainId, and minDestinationAmount for both onchain and onramp payload shapes; throws descriptive errors on validation failures.

Webhook Tests: packages/thirdweb/src/bridge/Webhook.test.ts
Adds a verify test suite with helpers to sign payloads and tests covering verification failures and successes for onchain and onramp payloads, including mismatched fields and minimum amount checks.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Webhook as Bridge.Webhook.parse()
    participant Validator as Verify Logic

    Client->>Webhook: parse(payload, headers, secret, tolerance, verify?)
    activate Webhook
    Webhook->>Webhook: Validate timestamp & signature
    alt signature valid
        Webhook->>Webhook: Parse JSON payload
        alt verify parameter provided
            activate Validator
            Validator->>Validator: Compare receiverAddress (case-insensitive)
            Validator->>Validator: Compare destinationTokenAddress (onchain/onramp)
            Validator->>Validator: Compare destinationChainId (onchain/onramp)
            Validator->>Validator: Compare minDestinationAmount vs destination amount
            alt all checks pass
                Validator-->>Webhook: validation passed
            else any check fails
                Validator-->>Webhook: throw descriptive validation error
            end
            deactivate Validator
        end
        Webhook-->>Client: return WebhookPayload
    else signature invalid
        Webhook-->>Client: throw verification error
    end
    deactivate Webhook

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Review validation branches in Webhook.ts that distinguish onchain vs onramp payload shapes.
  • Confirm case-insensitive address comparisons and bigint comparisons are correct and robust.
  • Verify tests in Webhook.test.ts cover all failure messages and edge cases (timestamps, signatures, and each verify field).

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
Description check ❓ Inconclusive The description includes a PR-Codex overview with detailed summary of changes, but lacks required template sections like issue tag, explicit notes for reviewer, and how to test. Consider adding the Linear issue tag (TEAM-0000), explicit reviewer notes section, and clear testing instructions to match the repository template.
✅ Passed checks (1 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: adding a verify parameter to the Bridge.Webhook.parse function.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch mny-308

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 896763d and a54c1ab.

📒 Files selected for processing (3)
  • .changeset/mean-pants-beam.md (1 hunks)
  • packages/thirdweb/src/bridge/Webhook.test.ts (1 hunks)
  • packages/thirdweb/src/bridge/Webhook.ts (2 hunks)
🧰 Additional context used
📓 Path-based instructions (5)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Write idiomatic TypeScript with explicit function declarations and return types
Limit each file to one stateless, single-responsibility function for clarity
Re-use shared types from @/types or local types.ts barrels
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics when possible
Choose composition over inheritance; leverage utility types (Partial, Pick, etc.)
Comment only ambiguous logic; avoid restating TypeScript in prose

**/*.{ts,tsx}: Use explicit function declarations and explicit return types in TypeScript
Limit each file to one stateless, single‑responsibility function
Re‑use shared types from @/types where applicable
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics when possible
Prefer composition over inheritance; use utility types (Partial, Pick, etc.)
Lazy‑import optional features and avoid top‑level side‑effects to reduce bundle size

Files:

  • packages/thirdweb/src/bridge/Webhook.ts
  • packages/thirdweb/src/bridge/Webhook.test.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Load heavy dependencies inside async paths to keep initial bundle lean (lazy loading)

Files:

  • packages/thirdweb/src/bridge/Webhook.ts
  • packages/thirdweb/src/bridge/Webhook.test.ts
packages/thirdweb/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

packages/thirdweb/**/*.{ts,tsx}: Every public symbol must have comprehensive TSDoc with at least one compiling @example and a custom tag (@beta, @internal, @experimental, etc.)
Comment only ambiguous logic; avoid restating TypeScript in prose
Lazy‑load heavy dependencies inside async paths (e.g., const { jsPDF } = await import("jspdf"))

Files:

  • packages/thirdweb/src/bridge/Webhook.ts
  • packages/thirdweb/src/bridge/Webhook.test.ts
**/*.test.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.test.{ts,tsx}: Place tests alongside code: foo.ts → foo.test.ts
Use real function invocations with stub data in tests; avoid brittle mocks
Use Mock Service Worker (MSW) for fetch/HTTP call interception in tests
Keep tests deterministic and side-effect free
Use FORKED_ETHEREUM_CHAIN for mainnet interactions and ANVIL_CHAIN for isolated tests

**/*.test.{ts,tsx}: Co‑locate tests as foo.test.ts(x) next to the implementation
Use real function invocations with stub data; avoid brittle mocks
Use MSW to intercept HTTP calls for network interactions; mock only hard‑to‑reproduce scenarios
Keep tests deterministic and side‑effect free; use Vitest

Files:

  • packages/thirdweb/src/bridge/Webhook.test.ts
.changeset/*.md

📄 CodeRabbit inference engine (AGENTS.md)

.changeset/*.md: Each change in packages/* must include a changeset for the appropriate package
Version bump rules: patch for non‑API changes; minor for new/modified public API

Files:

  • .changeset/mean-pants-beam.md
🧠 Learnings (6)
📚 Learning: 2025-06-26T19:46:04.024Z
Learnt from: gregfromstl
Repo: thirdweb-dev/js PR: 7450
File: packages/thirdweb/src/bridge/Webhook.ts:57-81
Timestamp: 2025-06-26T19:46:04.024Z
Learning: In the onramp webhook schema (`packages/thirdweb/src/bridge/Webhook.ts`), the `currencyAmount` field is intentionally typed as `z.number()` while other amount fields use `z.string()` because `currencyAmount` represents fiat currency amounts in decimals (like $10.50), whereas other amount fields represent token amounts in wei (very large integers that benefit from bigint representation). The different naming convention (`currencyAmount` vs `amount`) reflects this intentional distinction.

Applied to files:

  • packages/thirdweb/src/bridge/Webhook.ts
📚 Learning: 2025-07-18T19:19:55.613Z
Learnt from: CR
Repo: thirdweb-dev/js PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to packages/thirdweb/src/exports/** : Every public symbol must have comprehensive TSDoc with at least one `example` block that compiles and custom annotation tags (`beta`, `internal`, `experimental`)

Applied to files:

  • packages/thirdweb/src/bridge/Webhook.ts
📚 Learning: 2025-08-29T15:37:38.513Z
Learnt from: CR
Repo: thirdweb-dev/js PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-08-29T15:37:38.513Z
Learning: Applies to packages/thirdweb/**/*.{ts,tsx} : Every public symbol must have comprehensive TSDoc with at least one compiling `example` and a custom tag (`beta`, `internal`, `experimental`, etc.)

Applied to files:

  • packages/thirdweb/src/bridge/Webhook.ts
📚 Learning: 2025-08-29T15:37:38.513Z
Learnt from: CR
Repo: thirdweb-dev/js PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-08-29T15:37:38.513Z
Learning: Applies to packages/thirdweb/**/*.{ts,tsx} : Comment only ambiguous logic; avoid restating TypeScript in prose

Applied to files:

  • packages/thirdweb/src/bridge/Webhook.ts
📚 Learning: 2025-07-18T19:19:55.613Z
Learnt from: CR
Repo: thirdweb-dev/js PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-07-18T19:19:55.613Z
Learning: Applies to **/*.{ts,tsx} : Comment only ambiguous logic; avoid restating TypeScript in prose

Applied to files:

  • packages/thirdweb/src/bridge/Webhook.ts
📚 Learning: 2025-08-29T15:37:38.513Z
Learnt from: CR
Repo: thirdweb-dev/js PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-08-29T15:37:38.513Z
Learning: Applies to .changeset/*.md : Version bump rules: patch for non‑API changes; minor for new/modified public API

Applied to files:

  • .changeset/mean-pants-beam.md
🧬 Code graph analysis (1)
packages/thirdweb/src/bridge/Webhook.test.ts (1)
packages/thirdweb/src/bridge/Webhook.ts (2)
  • parse (101-294)
  • WebhookPayload (87-90)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: E2E Tests (pnpm, esbuild)
  • GitHub Check: E2E Tests (pnpm, webpack)
  • GitHub Check: Size
  • GitHub Check: Lint Packages
  • GitHub Check: Analyze (javascript)
🔇 Additional comments (3)
.changeset/mean-pants-beam.md (1)

5-5: Typo fixed.

The grammatical issue from the previous review has been corrected. The description now reads correctly.

packages/thirdweb/src/bridge/Webhook.test.ts (1)

622-778: Comprehensive test coverage for verify functionality.

The test suite is well-structured with reusable helpers (stringifyAndParse, expectVerifyFailure) and provides thorough coverage of both onchain and onramp verification scenarios. All verification fields are tested for both success and failure paths with appropriate error message validation.

packages/thirdweb/src/bridge/Webhook.ts (1)

208-291: Verification logic is well-implemented.

The implementation correctly:

  • Uses type discrimination to handle both onchain and onramp payloads
  • Performs case-insensitive address comparisons
  • Provides descriptive error messages with expected and received values
  • Validates all fields when provided

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • TEAM-0000: Entity not found: Issue - Could not find referenced Issue.

Comment @coderabbitai help to get the list of available commands and usage tips.

@MananTank MananTank marked this pull request as ready for review November 11, 2025 20:52
@MananTank MananTank requested review from a team as code owners November 11, 2025 20:52
@github-actions github-actions bot added packages SDK Involves changes to the thirdweb SDK labels Nov 11, 2025
Member Author

MananTank commented Nov 11, 2025


How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

  • merge-queue - adds this PR to the back of the merge queue
  • hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
packages/thirdweb/src/bridge/Webhook.test.ts (1)

649-695: Consider testing case-insensitive address matching.

The implementation uses .toLowerCase() for address comparison (lines 212-213, 226-227 in Webhook.ts), but the tests don't verify this behavior. Consider adding a test case where the verify address has different casing than the payload address to ensure case-insensitive matching works correctly.

Example test:

it("should pass when receiverAddress matches with different casing", async () => {
  const result = await stringifyAndParse(validPayload, {
    receiverAddress: validWebhook.data.receiver.toUpperCase(),
  });
  expect(result).toEqual(validWebhook);
});
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between e19f7a2 and 5160252.

📒 Files selected for processing (3)
  • .changeset/mean-pants-beam.md (1 hunks)
  • packages/thirdweb/src/bridge/Webhook.test.ts (1 hunks)
  • packages/thirdweb/src/bridge/Webhook.ts (2 hunks)
🧠 Learnings (1)
📚 Learning: 2025-06-26T19:46:04.024Z
Learnt from: gregfromstl
Repo: thirdweb-dev/js PR: 7450
File: packages/thirdweb/src/bridge/Webhook.ts:57-81
Timestamp: 2025-06-26T19:46:04.024Z
Learning: In the onramp webhook schema (`packages/thirdweb/src/bridge/Webhook.ts`), the `currencyAmount` field is intentionally typed as `z.number()` while other amount fields use `z.string()` because `currencyAmount` represents fiat currency amounts in decimals (like $10.50), whereas other amount fields represent token amounts in wei (very large integers that benefit from bigint representation). The different naming convention (`currencyAmount` vs `amount`) reflects this intentional distinction.

Applied to files:

  • packages/thirdweb/src/bridge/Webhook.ts
  • packages/thirdweb/src/bridge/Webhook.test.ts
🧬 Code graph analysis (1)
packages/thirdweb/src/bridge/Webhook.test.ts (1)
packages/thirdweb/src/bridge/Webhook.ts (2)
  • parse (101-294)
  • WebhookPayload (87-90)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: Unit Tests
  • GitHub Check: Size
  • GitHub Check: E2E Tests (pnpm, vite)
  • GitHub Check: E2E Tests (pnpm, esbuild)
  • GitHub Check: E2E Tests (pnpm, webpack)
  • GitHub Check: Lint Packages
  • GitHub Check: Build Packages
  • GitHub Check: Analyze (javascript)
🔇 Additional comments (5)
packages/thirdweb/src/bridge/Webhook.test.ts (3)

623-639: LGTM! Well-designed test helpers.

The stringifyAndParse helper function is clean and reusable. Using Parameters<typeof parse>[4] to extract the VerifyOptions type is a nice way to maintain type safety without duplicating type definitions.


641-647: LGTM! Concise helper for failure cases.

The expectVerifyFailure helper reduces duplication across test cases and makes the tests more readable.


697-777: LGTM! Comprehensive onramp transaction coverage.

The onramp verification tests mirror the onchain tests and properly exercise both branches of the verification logic, ensuring the discriminated union handling works correctly.

packages/thirdweb/src/bridge/Webhook.ts (1)

208-291: LGTM! Verification logic is correct and well-structured.

The verification implementation properly handles both onchain and onramp transaction types using discriminated union type narrowing. The case-insensitive address comparison and descriptive error messages are good practices.

The comparison logic on lines 275 and 284 correctly checks if actual < minimum to fail verification, which matches the expected behavior for minDestinationAmount.

.changeset/mean-pants-beam.md (1)

7-22: LGTM! Clear and helpful example.

The example code effectively demonstrates the usage of the new verify parameter.

@codecov

codecov bot commented Nov 11, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.82%. Comparing base (bea4f01) to head (a54c1ab).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8395      +/-   ##
==========================================
+ Coverage   54.77%   54.82%   +0.05%     
==========================================
  Files         919      919              
  Lines       60768    60840      +72     
  Branches     4119     4140      +21     
==========================================
+ Hits        33284    33356      +72     
  Misses      27382    27382              
  Partials      102      102              
Flag Coverage Δ
packages 54.82% <100.00%> (+0.05%) ⬆️
Files with missing lines Coverage Δ
packages/thirdweb/src/bridge/Webhook.ts 100.00% <100.00%> (ø)

@github-actions
Contributor

github-actions bot commented Nov 11, 2025

size-limit report 📦

Path Size
@thirdweb-dev/nexus (esm) 104.88 KB (0%)
@thirdweb-dev/nexus (cjs) 316.6 KB (0%)

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
packages/thirdweb/src/bridge/Webhook.ts (1)

122-142: Fix documentation issues and add required @example.

Several documentation improvements needed:

  1. Line 127: Remove duplicate "the" → "Verify that the payload's destination token amount..."
  2. Line 127: The comment states "greater than" but the implementation (lines 275, 284) uses < which enforces >= (greater than or equal to). Update to "greater than or equal to" for accuracy.
  3. Missing @example: The main function's TSDoc (around lines 92-100) still lacks a compiling @example demonstrating the verify parameter usage, as required by coding guidelines. Consider adding an example similar to the one in .changeset/mean-pants-beam.md.

As per coding guidelines

Apply this diff to fix the issues:

 /**
- * Add various validations to the parsed payload to ensure it matches the expected values. Throws error if any validation fails.
+ * When provided, validates the parsed payload against expected values. Throws an error if any validation fails.
  */
 verify?: {
   /**
-   * Verify that the payload's the destination token amount (in wei) is greater than `minDestinationAmount` value
+   * Verify that the payload's destination token amount (in wei) is greater than or equal to `minDestinationAmount` value
    */
   minDestinationAmount?: bigint;
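Review bot: the replacement doc line (`+   * Verify that the payload's destination token amount (in wei) is greater than or equal to `minDestinationAmount` value`) fixes the duplicated "the" but still drops the article before the backticked name; suggest "is greater than or equal to the `minDestinationAmount` value". Since the hunk types the field as `bigint`, it would also help readers of this comment to say that the payload amount is compared as a bigint, so the inclusive bound is exact for wei-sized values.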
🧹 Nitpick comments (1)
packages/thirdweb/src/bridge/Webhook.ts (1)

208-291: Consider using type-based discrimination for consistency.

The verification logic correctly handles both onchain and onramp transactions. However, since parsedPayload is a discriminated union by type (line 83), you could use parsedPayload.type === "pay.onchain-transaction" instead of field-presence checks like "destinationToken" in parsedPayload.data. This would be more aligned with the discriminated union pattern and provide better type narrowing.

Example refactor for destinationTokenAddress validation:

if (verify.destinationTokenAddress) {
  if (parsedPayload.type === "pay.onchain-transaction") {
    if (
      parsedPayload.data.destinationToken.address.toLowerCase() !==
      verify.destinationTokenAddress.toLowerCase()
    ) {
      throw new Error(
        `Verification Failed: destinationTokenAddress mismatch, Expected: ${verify.destinationTokenAddress}, Received: ${parsedPayload.data.destinationToken.address}`,
      );
    }
  } else if (parsedPayload.type === "pay.onramp-transaction") {
    if (
      parsedPayload.data.token.address.toLowerCase() !==
      verify.destinationTokenAddress.toLowerCase()
    ) {
      throw new Error(
        `Verification Failed: destinationTokenAddress mismatch, Expected: ${verify.destinationTokenAddress}, Received: ${parsedPayload.data.token.address}`,
      );
    }
  }
}
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 5160252 and 896763d.

📒 Files selected for processing (3)
  • .changeset/mean-pants-beam.md (1 hunks)
  • packages/thirdweb/src/bridge/Webhook.test.ts (1 hunks)
  • packages/thirdweb/src/bridge/Webhook.ts (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • .changeset/mean-pants-beam.md
  • packages/thirdweb/src/bridge/Webhook.test.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: Size
  • GitHub Check: E2E Tests (pnpm, esbuild)
  • GitHub Check: E2E Tests (pnpm, webpack)
  • GitHub Check: E2E Tests (pnpm, vite)
  • GitHub Check: Unit Tests
  • GitHub Check: Lint Packages
  • GitHub Check: Build Packages
  • GitHub Check: Analyze (javascript)

@graphite-app
Contributor

graphite-app bot commented Nov 11, 2025

Merge activity


Labels

packages SDK Involves changes to the thirdweb SDK


3 participants