Conversation

@ericglau (Member) commented Aug 28, 2025

Adds a Zama tab that implements a confidential fungible token, using OpenZeppelin Confidential Contracts.

Includes: Zama Wizard core package, UI, AI assistant, MCP.

Remaining design items:

  • Determine what should be in the default implementation of the _validateHandleAllowance function override.
  • Token URI field:
    • Provide more detailed description for UI and AI/MCP prompts
    • Determine if empty string should be allowed through UI/AI/MCP
  • Wrappable option: This requires an ERC20 address in the constructor. Determine how this constructor arg should be handled in the downloaded Hardhat project.
    • Should it just add a placeholder for the user to replace, and leave the deployment line commented out in the sample testcase/script?
  • Remix - In Solidity Wizard, when opening a contract in Remix, it pins the version tag for the imports of OpenZeppelin Contracts to the version that was tested with Wizard, e.g. import {ERC20} from "@openzeppelin/[email protected]/token/ERC20/ERC20.sol";
    • Confidential Contracts also has transitive dependencies on vanilla contracts, without the version pin. If direct dependencies of the same vanilla contracts are pinned, this causes compilation conflicts unless a remapping is added in Remix. See Solidity: Document or add Remix remappings when using upgradeable contracts #641.
    • Should we simply avoid version pins in the vanilla imports for Remix? I think this is acceptable if we don't have strict requirements on which vanilla version is used.
    • Should we also avoid version pins for @openzeppelin/confidential-contracts?

Remaining implementation items:

  • Clean up extensibility between Solidity Wizard and Zama Wizard packages.
  • Clean up Zip Hardhat function override.
  • Review and clean up tests.
  • In the comment "Compatible with OpenZeppelin Contracts ^5.4.0 and OpenZeppelin Confidential Contracts ^0.2.0", remove the redundant "OpenZeppelin" prefixes.
  • Combine imports from the same Solidity file into the same line, e.g. FHE, euint64.
  • Inject hyperlinks in UI for new imports

coderabbitai bot (Contributor) commented Aug 28, 2025

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbit review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                                     Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  @fhevm/solidity@0.7.0                       50                     100            53       85           100
Added  @fhevm/core-contracts@0.7.0-12              79                     100            72       83           100
Added  @openzeppelin/confidential-contracts@0.2.0  77                     100            78       90           100
Added  @fhevm/hardhat-plugin@0.0.1-6               78                     100            100      87           100
Added  @zama-fhe/relayer-sdk@0.1.2                 83                     100            91       94           100

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action  Severity  Alert
Block   Medium    @fhevm/[email protected] is an AI-detected potential security risk.

Notes: The code fragment is a benign static configuration module in terms of behavior (no dynamic execution or network operations), but it contains plaintext private keys and operational endpoints which represent a severe security misconfiguration. The primary risk is credential leakage leading to unauthorized signing and on-chain actions. This should be treated as high priority: remove secrets from source, rotate keys, and audit distribution/publishing history.

Confidence: 0.75

Severity: 0.75

From: packages/core/zama/src/environments/hardhat/package.json (npm/@fhevm/[email protected])


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@fhevm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

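A pre-install check of the kind a reviewer would run against an unpacked dependency to reproduce the finding above: it walks the package's JavaScript/JSON files, reports 32-byte hex literals (classing those next to a secret-like identifier as probable private keys, the rest as needing triage) and hard-coded endpoints. This is an added example, not Socket's scanner or the flagged package's code; the config module it scans is constructed inline and the file layout is an assumption.

```python
import re
import tempfile
from pathlib import Path

# 32-byte hex literal (EVM private-key length), with or without a 0x prefix
HEX32_RE = re.compile(r"(?<![0-9a-fA-F])(?:0x)?[0-9a-fA-F]{64}(?![0-9a-fA-F])")
# identifiers that usually name a signing secret rather than a hash
SECRET_NAME_RE = re.compile(r"priv(?:ate)?[_-]?key|secret|mnemonic", re.I)
ENDPOINT_RE = re.compile(r"https?://[^\s'\"`]+")
SCAN_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".json"}

def redact(value):
    """Keep enough of the literal to locate it in triage without re-exposing it."""
    return value[:6] + "..." + value[-4:]

def scan_package(root):
    """Walk an unpacked npm package; return hex32 literals and URLs with locations."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix not in SCAN_SUFFIXES:
            continue
        try:
            lines = path.read_text(encoding="utf-8").splitlines()
        except UnicodeDecodeError:
            continue  # binary or oddly encoded file, not a static config module
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(lines, 1):
            named_secret = bool(SECRET_NAME_RE.search(line))
            for m in HEX32_RE.finditer(line):
                kind = "private_key" if named_secret else "hex32_needs_triage"
                findings.append({"file": rel, "line": lineno, "kind": kind, "value": redact(m.group(0))})
            for m in ENDPOINT_RE.finditer(line):
                findings.append({"file": rel, "line": lineno, "kind": "endpoint", "value": m.group(0)})
    return findings

def has_blocking_findings(findings):
    """A probable private key in shipped code is a block, matching the alert's action."""
    return any(f["kind"] == "private_key" for f in findings)

def build_sample_package():
    """Constructed stand-in for a static config module; not the flagged package."""
    root = Path(tempfile.mkdtemp())
    (root / "dist").mkdir()
    (root / "dist" / "config.js").write_text(
        "// constructed sample\n"
        "module.exports = {\n"
        "  relayerUrl: 'https://relayer.example.invalid/v1',\n"
        "  deployerPrivateKey: '0x" + "deadbeef" * 8 + "',\n"
        "  artifactHash: '0x" + "c0ffee00" * 8 + "',\n"
        "};\n", encoding="utf-8")
    (root / "package.json").write_text('{"name": "sample", "version": "0.0.0"}\n', encoding="utf-8")
    return root
```

Point `scan_package` at `node_modules/<package>` after a dry `npm pack` to review a dependency before it reaches a lockfile.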
