feat: add trust signals to permission picker#275
Merged
jeffsmale90 merged 11 commits intomainfrom Mar 5, 2026
Merged
Conversation
- trigger request to dapp scanning api when processing a permission request - show the result if it is WARN or BLOCK
cursor bot
pushed a commit
that referenced
this pull request
Mar 4, 2026
Add translation keys for malicious and potentially malicious website labels: - maliciousWebsiteLabel: 'Malicious website' (English) - potentiallyMaliciousWebsiteLabel: 'Potentially malicious website' (English) Updated all locale files with these keys. Non-English translations are left empty for future translation work. Refs #275 Co-authored-by: jeffsmale90 <jeffsmale90@users.noreply.github.com>
6 tasks
Add translation keys for malicious and potentially malicious website labels: - maliciousWebsiteLabel: 'Malicious website' (English) - potentiallyMaliciousWebsiteLabel: 'Potentially malicious website' (English) Updated all locale files with these keys. Non-English translations are left empty for future translation work. Refs #275 Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: jeffsmale90 <jeffsmale90@users.noreply.github.com>
packages/gator-permissions-snap/src/core/permissionRequestLifecycleOrchestrator.ts
Outdated
Show resolved
Hide resolved
packages/gator-permissions-snap/src/clients/trustSignalsClient.ts
Outdated
Show resolved
Hide resolved
mj-kiwi
reviewed
Mar 4, 2026
…. Defaults to 'NONE' if no legitimate result is found.
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
…to finish to avoid overwriting data
c574081 to
48095e1
Compare
packages/gator-permissions-snap/src/core/permissionRequestLifecycleOrchestrator.ts
Show resolved
Hide resolved
packages/gator-permissions-snap/src/core/permissionRequestLifecycleOrchestrator.ts
Show resolved
Hide resolved
- fields with warnings - permissionRequestLifecycleOrchestrator's updateConfirmation function - fix tests
…sce to the standard label
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
mj-kiwi
approved these changes
Mar 5, 2026
MoMannn
approved these changes
Mar 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
When processing a
wallet_requestExecutionPermissionsRPC call, trigger dappscanning of the origin domain, and security alerts scanning of the recipient address. If a positive result is returned display a warning to the user.Manual testing steps
permissionRequestLifecycleHandlerwhere it callsfetchTrustSignal())Expect "Malicious website" to be shown beside the website domain.
Expect "Malicious address" to be shown beside the recipient address.
Screenshots/Recordings
Pre-merge author checklist
Pre-merge reviewer checklist
Note
Medium Risk
Introduces new external API calls and additional async UI updates in the permission request flow, which could affect reliability/performance or display incorrect warnings if responses are unexpected.
Overview
Adds a new
TrustSignalsClientthat calls a dapp-scanning endpoint (GET/scan?url=...) and a security-alerts endpoint (POST/address/evm/scan) with Zod-validated responses and chain-id-to-name mapping.Permission confirmations now kick off these scans in the background during
wallet_requestExecutionPermissions, serializeupdateConfirmationcalls to avoid UI race conditions, and pass scan results intoPermissionHandlerContentto show warning labels next to the requesting origin and recipient address.Introduces
warningLabelsupport inTextFieldandAddressField, adds new i18n keys for malicious/potentially-malicious labels, extends the HTTP client with validated POST support, and wires new required env vars (DAPP_SCANNING_BASE_URL,SECURITY_ALERTS_BASE_URL) through snap config and CI workflows.Written by Cursor Bugbot for commit 7e702df. This will update automatically on new commits. Configure here.