@d4mr d4mr commented Oct 11, 2025

PR-Codex overview

This PR focuses on enhancing the vault.client.ts file by adding new metadata patterns and required metadata patterns for various Solana-related actions.

Detailed summary

  • Added new metadata patterns for solana:read, solana:create, solana:signTransaction, and solana:signMessage.
  • Each pattern includes projectId, teamId, and a fixed type of "server-wallet".
  • Introduced required metadata patterns for solana:create.

Summary by CodeRabbit

  • New Features
    • Added Solana-specific permissions to access tokens.
    • Wallet tokens now support solana:read, solana:create, solana:signTransaction, and solana:signMessage.
    • Management tokens now support solana:read and solana:create.
    • Permissions can be scoped via metadata (team, project, server-wallet) for finer control.
    • No changes to existing flows or error handling; new scopes are available during token creation.

@d4mr d4mr requested review from a team as code owners October 11, 2025 11:50
changeset-bot bot commented Oct 11, 2025

⚠️ No Changeset found

Latest commit: ea69f47

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

vercel bot commented Oct 11, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
docs-v2 Ready Ready Preview Comment Oct 13, 2025 9:46pm
thirdweb_playground Ready Ready Preview Comment Oct 13, 2025 9:46pm
thirdweb-www Ready Ready Preview Comment Oct 13, 2025 9:46pm
wallet-ui Ready Ready Preview Comment Oct 13, 2025 9:46pm
1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
nebula Skipped Skipped Oct 13, 2025 9:46pm

@github-actions github-actions bot added the Dashboard Involves changes to the Dashboard. label Oct 11, 2025
graphite-app bot commented Oct 11, 2025

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

  • merge-queue - adds this PR to the back of the merge queue
  • hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

coderabbitai bot commented Oct 11, 2025

Walkthrough

Adds Solana-specific policy entries to access token creation for wallets and management tokens, expanding allowed actions without altering function signatures or control flow.

Changes

Cohort / File(s) Summary of Changes
Solana policy additions
apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
Expanded policy definitions: for wallet tokens, added solana:read, solana:create, solana:signTransaction, solana:signMessage with metadataPatterns (projectId, teamId, type: server-wallet). For management tokens, added solana:read, solana:create with the same metadataPatterns. No changes to exported APIs or control flow.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
Description Check ⚠️ Warning The pull request description does not adhere to the repository’s required template, as it omits the formatted title line, any issue tag or branch reference, and the mandatory “## Notes for the reviewer” and “## How to test” sections, making it unclear how to review and validate the changes. Please update the PR description to include a title in the format “[SDK/Dashboard/Portal] Feature/Fix: Concise title”, add the relevant issue tag or branch reference, and provide a “## Notes for the reviewer” section with important context plus a “## How to test” section detailing steps to verify the changes.
✅ Passed checks (1 passed)
Check name Status Explanation
Title Check ✅ Passed The pull request title “[dashboard] add solana policies to vault access token” directly reflects the main change by specifying the dashboard scope and the addition of Solana policies to the vault access token, making it concise and clear for team members reviewing history.
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 869bbcf and 4e0fed9.

📒 Files selected for processing (1)
  • apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts (2 hunks)
🧰 Additional context used
📓 Path-based instructions (4)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{ts,tsx}: Write idiomatic TypeScript with explicit function declarations and return types
Limit each file to one stateless, single-responsibility function for clarity
Re-use shared types from @/types or local types.ts barrels
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics when possible
Choose composition over inheritance; leverage utility types (Partial, Pick, etc.)
Comment only ambiguous logic; avoid restating TypeScript in prose

**/*.{ts,tsx}: Use explicit function declarations and explicit return types in TypeScript
Limit each file to one stateless, single‑responsibility function
Re‑use shared types from @/types where applicable
Prefer type aliases over interface except for nominal shapes
Avoid any and unknown unless unavoidable; narrow generics when possible
Prefer composition over inheritance; use utility types (Partial, Pick, etc.)
Lazy‑import optional features and avoid top‑level side‑effects to reduce bundle size

Files:

  • apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Load heavy dependencies inside async paths to keep initial bundle lean (lazy loading)

Files:

  • apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
apps/{dashboard,playground-web}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

apps/{dashboard,playground-web}/**/*.{ts,tsx}: Import UI primitives from @/components/ui/* (Button, Input, Select, Tabs, Card, Sidebar, Badge, Separator) in dashboard and playground apps
Use NavLink for internal navigation with automatic active states in dashboard and playground apps
Use Tailwind CSS only – no inline styles or CSS modules
Use cn() from @/lib/utils for conditional class logic
Use design system tokens (e.g., bg-card, border-border, text-muted-foreground)
Server Components (Node edge): Start files with import "server-only";
Client Components (browser): Begin files with 'use client';
Always call getAuthToken() to retrieve JWT from cookies on server side
Use Authorization: Bearer header – never embed tokens in URLs
Return typed results (e.g., Project[], User[]) – avoid any
Wrap client-side data fetching calls in React Query (@tanstack/react-query)
Use descriptive, stable queryKeys for React Query cache hits
Configure staleTime/cacheTime in React Query based on freshness (default ≥ 60s)
Keep tokens secret via internal API routes or server actions
Never import posthog-js in server components

Files:

  • apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
apps/{dashboard,playground}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

apps/{dashboard,playground}/**/*.{ts,tsx}: Import UI primitives from @/components/ui/_ (e.g., Button, Input, Tabs, Card)
Use NavLink for internal navigation to get active state handling
Use Tailwind CSS for styling; no inline styles
Merge class names with cn() from @/lib/utils for conditional classes
Stick to design tokens (e.g., bg-card, border-border, text-muted-foreground)
Server Components must start with import "server-only"; use next/headers, server‑only env, heavy data fetching, and redirect() where appropriate
Client Components must start with 'use client'; handle interactivity with hooks and browser APIs
Server-side data fetching: call getAuthToken() from cookies, send Authorization: Bearer <token> header, and return typed results (avoid any)
Client-side data fetching: wrap calls in React Query with descriptive, stable queryKeys and set sensible staleTime/cacheTime (≥ 60s default); keep tokens secret via internal routes or server actions
Do not import posthog-js in server components (client-side only)

Files:

  • apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Size
  • GitHub Check: Unit Tests
  • GitHub Check: Analyze (javascript)

Comment on lines +563 to +654
{
metadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:read",
},
{
requiredMetadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:create",
},
{
metadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:signTransaction",
},
{
metadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:signMessage",
},
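
Review bot: the `solana:signTransaction` and `solana:signMessage` entries at the end of this hunk carry only the three `metadataPatterns` (projectId, teamId, type) and nothing that constrains what is signed, so a holder of the wallet token can sign any transaction or message for every matching server-wallet in the project. If that breadth is intended, say so in a comment next to the two entries; otherwise narrow it if the policy type supports a payload restriction. Separately, `pattern: props.project.id` and `pattern: props.project.teamId` pass the ids through as patterns: if the vault evaluates `rule.pattern` as a regular expression, escape and anchor the values so they cannot match another project's or team's id.
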
🛠️ Refactor suggestion | 🟠 Major

Approve Solana wallet policies with refactor recommendation.

The Solana policy additions correctly mirror the existing EVM policy structure and will enable Solana wallet operations. However, the identical metadataPatterns structure across all policies creates significant duplication.

Consider extracting a helper function to generate policy objects:

function createWalletPolicy(
  type: string,
  projectId: string,
  teamId: string,
  additionalOptions?: Record<string, unknown>
) {
  const metadataPatterns = [
    { key: "projectId", rule: { pattern: projectId } },
    { key: "teamId", rule: { pattern: teamId } },
    { key: "type", rule: { pattern: "server-wallet" } },
  ];

  return {
    ...(type.includes(":create") 
      ? { requiredMetadataPatterns: metadataPatterns }
      : { metadataPatterns }),
    type,
    ...additionalOptions,
  };
}

Then replace the policy blocks:

policies: [
  // EVM policies
  createWalletPolicy("eoa:read", props.project.id, props.project.teamId),
  createWalletPolicy("eoa:create", props.project.id, props.project.teamId),
  createWalletPolicy("eoa:signMessage", props.project.id, props.project.teamId),
  createWalletPolicy("eoa:signTransaction", props.project.id, props.project.teamId, {
    payloadPatterns: {}
  }),
  // ... other EVM policies
  // Solana policies
  createWalletPolicy("solana:read", props.project.id, props.project.teamId),
  createWalletPolicy("solana:create", props.project.id, props.project.teamId),
  createWalletPolicy("solana:signTransaction", props.project.id, props.project.teamId),
  createWalletPolicy("solana:signMessage", props.project.id, props.project.teamId),
]

This would also address the pre-existing duplicate eoa:read and eoa:create policies at lines 351-396 and 517-562.

🤖 Prompt for AI Agents
In
apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
around lines 563-654, the four Solana policy objects repeat identical
metadataPatterns causing duplication; extract a small helper (e.g.,
createWalletPolicy) that accepts type, projectId, teamId and optional extra
options, builds the common metadataPatterns and returns either metadataPatterns
or requiredMetadataPatterns for create types, then replace the repeated Solana
policy blocks with calls to that helper (and likewise replace the duplicated EVM
eoa:read/eoa:create blocks at lines ~351-396 and ~517-562) to deduplicate and
keep payload-specific options passed through the helper.

Comment on lines +728 to +773
{
metadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:read",
},
{
requiredMetadataPatterns: [
{
key: "projectId",
rule: {
pattern: props.project.id,
},
},
{
key: "teamId",
rule: {
pattern: props.project.teamId,
},
},
{
key: "type",
rule: {
pattern: "server-wallet",
},
},
],
type: "solana:create",
},
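
Review bot: `solana:read` is scoped with `metadataPatterns` while the `solana:create` entry directly below it uses `requiredMetadataPatterns`, and nothing in the hunk explains the difference. Add a one-line comment on the create entry stating why creation needs the required form, so a later cleanup does not rename the key and silently change the policy's meaning. A unit test asserting that the management token's policy list contains no `solana:sign*` type would also pin the read/create-only scope this hunk relies on.
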
🛠️ Refactor suggestion | 🟠 Major

Approve Solana management policies.

The Solana management token policies are correctly limited to read and create operations (no signing), which matches the EVM policy structure. This is the appropriate permission model for management tokens.

The same helper function refactor suggested for lines 563-654 would reduce duplication here as well. Both createWalletAccessToken and createManagementAccessToken would benefit from the extracted policy generation helper.

🤖 Prompt for AI Agents
In
apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/transactions/lib/vault.client.ts
around lines 728 to 773, the Solana management token policy blocks are correct
but duplicate policy-building logic; extract a small helper (e.g.,
buildSolanaPolicies(project, teamId, types[] or mode)) that returns the array of
policy objects (metadataPatterns/requiredMetadataPatterns and type) and replace
the inline policy arrays in createWalletAccessToken and
createManagementAccessToken with calls to this helper to remove duplication and
centralize policy construction.
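
A lint for the policy lists reviewed above, as an added example that is not part of the PR or of thirdweb's code: it flags signing scopes on a management token, duplicate policy types, and policies missing any of the projectId/teamId/type patterns. The `policy` and `lintPolicies` helpers and the sample ids are hypothetical.

```typescript
type Pattern = { key: string; rule: { pattern: string } };
type Policy = { type: string; metadataPatterns?: Pattern[]; requiredMetadataPatterns?: Pattern[] };
type TokenKind = "wallet" | "management";

// The three scoping keys every policy in the PR carries.
const SCOPE_KEYS = ["projectId", "teamId", "type"];

// Hypothetical builder producing one policy in the shape shown in the hunks.
function policy(type: string, projectId: string, teamId: string): Policy {
  const patterns: Pattern[] = [
    { key: "projectId", rule: { pattern: projectId } },
    { key: "teamId", rule: { pattern: teamId } },
    { key: "type", rule: { pattern: "server-wallet" } },
  ];
  return type.endsWith(":create")
    ? { requiredMetadataPatterns: patterns, type }
    : { metadataPatterns: patterns, type };
}

// Returns findings as strings; an empty array means the list passed.
function lintPolicies(kind: TokenKind, policies: Policy[]): string[] {
  const findings: string[] = [];
  const seen = new Set<string>();
  for (const p of policies) {
    const action = p.type.split(":")[1] ?? "";
    if (seen.has(p.type)) findings.push(`duplicate policy: ${p.type}`);
    seen.add(p.type);
    // Management tokens in this PR get read/create only, never signing.
    if (kind === "management" && action.startsWith("sign")) {
      findings.push(`management token must not sign: ${p.type}`);
    }
    // PR convention: create uses requiredMetadataPatterns, the rest metadataPatterns.
    const patterns = action === "create" ? p.requiredMetadataPatterns : p.metadataPatterns;
    const keys = new Set((patterns ?? []).map((m) => m.key));
    for (const k of SCOPE_KEYS) {
      if (!keys.has(k)) findings.push(`${p.type} is not scoped by ${k}`);
    }
  }
  return findings;
}

// Constructed sample ids and policy lists, not real project data.
const PID = "prj_example";
const TID = "team_example";
const goodManagement = ["solana:read", "solana:create"].map((t) => policy(t, PID, TID));
const badManagement: Policy[] = [
  ...goodManagement,
  policy("solana:signTransaction", PID, TID), // signing scope on a management token
  policy("solana:read", PID, TID), // duplicate entry
  { type: "eoa:create", metadataPatterns: [] }, // create without required patterns
];
const badFindings = lintPolicies("management", badManagement);
```

Run against the arrays passed to token creation in a unit test, a non-empty result fails the build before an over-broad token can ship.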

github-actions bot commented Oct 11, 2025

size-limit report 📦

Path Size Loading time (3g) Running time (snapdragon) Total time
thirdweb (esm) 64.51 KB (0%) 1.3 s (0%) 1.7 s (+10.09% 🔺) 3 s
thirdweb (cjs) 366.04 KB (0%) 7.4 s (0%) 12.9 s (-6.64% 🔽) 20.2 s
thirdweb (minimal + tree-shaking) 5.73 KB (0%) 115 ms (0%) 56 ms (-37.45% 🔽) 171 ms
thirdweb/chains (tree-shaking) 526 B (0%) 11 ms (0%) 80 ms (+134.4% 🔺) 91 ms
thirdweb/react (minimal + tree-shaking) 19.13 KB (0%) 383 ms (0%) 129 ms (+72.12% 🔺) 512 ms

codecov bot commented Oct 13, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.02%. Comparing base (b0cac94) to head (ea69f47).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8239   +/-   ##
=======================================
  Coverage   55.02%   55.02%           
=======================================
  Files         919      919           
  Lines       60583    60583           
  Branches     4127     4127           
=======================================
  Hits        33335    33335           
  Misses      27145    27145           
  Partials      103      103           
Flag Coverage Δ
packages 55.02% <ø> (ø)
@vercel vercel bot temporarily deployed to Preview – thirdweb_playground October 13, 2025 21:24 Inactive
@vercel vercel bot temporarily deployed to Preview – nebula October 13, 2025 21:24 Inactive
@vercel vercel bot temporarily deployed to Preview – docs-v2 October 13, 2025 21:24 Inactive
@vercel vercel bot temporarily deployed to Preview – wallet-ui October 13, 2025 21:24 Inactive
@d4mr d4mr enabled auto-merge (squash) October 13, 2025 21:25