@welbon welbon commented Sep 20, 2025

Added some vm2 example documentation

Summary by CodeRabbit

  • Documentation
    • Added step-by-step guides for Move examples: Hello Blockchain, Resource Groups, Shared Account, and DeFi. Includes prerequisites, packaging with mpm2, connecting via Starcoin console, deployment, interaction/testing commands, and expected outputs.
    • Documented workflows such as resource initialization/updates, shared-account distribution, and DeFi lock/claim/update/cancel scenarios with sample data.
    • Added full Chinese translations for all new guides with equivalent instructions and examples.
    • Updated the Chinese Move examples README with an introductory line to improve section clarity.

coderabbitai bot commented Sep 20, 2025

Walkthrough

Adds new Move example documentation in English and Chinese for Hello Blockchain, Resource Groups, Shared Account, and DeFi, plus a small Chinese README tweak. Content includes prerequisites, packaging, deployment, and test command sequences using starcoin-cmd and move-package-manager2. No code changes or public API modifications.

Changes

| Cohort / File(s) | Change Summary |
| --- | --- |
| EN docs: Move examples: docs/03-move/98-move-examples/03-hello-blockchain.md, docs/03-move/98-move-examples/04-resource-groups.md, docs/03-move/98-move-examples/05-shared-account.md, docs/03-move/98-move-examples/06-defi.md | Adds four new guides detailing setup, packaging (mpm2), deployment, and step-by-step test flows for Hello Blockchain, Resource Groups, Shared Account, and DeFi examples on Starcoin. |
| ZH docs: Move examples: i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/03-hello-blockchain.md, .../04-resource-groups.md, .../05-shared-account.md, .../06-defi.md | Adds Chinese versions of the four example guides with equivalent prerequisites, commands, and expected outputs. |
| ZH docs: README tweak: i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/README.md | Inserts a line “本章节共介绍” (“This chapter introduces”) after the Move examples heading. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  actor User
  participant Console as Starcoin Console
  participant MPM2 as move-package-manager2
  participant Chain as Starcoin Node

  User->>MPM2: mpm2 package/build
  MPM2-->>User: package blob
  User->>Console: connect (account import / select)
  User->>Chain: deploy package
  Chain-->>User: tx result
  User->>Chain: call set_message / get_message
  Chain-->>User: return values
  note over User,Chain: Hello Blockchain flow
```

```mermaid
sequenceDiagram
  autonumber
  actor User
  participant Chain as Starcoin VM2
  participant Primary as Module: resource_groups::Primary
  participant Secondary as Module: resource_groups::Secondary

  User->>Chain: deploy modules
  User->>Primary: init(value_u64)
  Primary-->>User: ok
  User->>Primary: read / set_value / read / remove / exists_at
  Primary-->>User: values / bools
  User->>Secondary: init(value_u32) / read / set_value / remove / exists_at
  Secondary-->>User: values / bools
  note over Primary,Secondary: Cross-module checks where applicable
```

```mermaid
sequenceDiagram
  autonumber
  actor S as Sponsor (S)
  actor R1 as Recipient (R1)
  participant Defi as Module: defi
  participant Chain as Starcoin

  S->>Chain: deploy Defi
  S->>Defi: init / add_lock(R1, amount, lock_secs)
  Defi-->>S: lock_id / ok
  S->>Defi: query totals/amount/lockup/withdraw_addr
  Defi-->>S: data
  R1->>Defi: claim(lock_id)
  Defi-->>R1: transfer STC
  S->>Defi: update_lockup / cancel (optional)
  Defi-->>S: ok / error on invalid claimant
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I thump my paws on docs so bright,
Four trails of Move in moonlit night—
Hello, Groups, Shared hearts align,
DeFi locks that tick in time.
Pages hop in zh and en,
Carrots signed: “ship it!” once again. 🥕✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title "New vm2 example" is on-topic because the PR adds VM2 example documentation (multiple Move examples and Chinese translations), so it reflects the primary intent; however it is slightly underspecified and singular while the changes add several example docs and i18n files, so it could be clearer about scope. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 8

🧹 Nitpick comments (7)
i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/README.md (1)

3-3: Incomplete sentence; list the covered examples or remove the line.
Current text ends abruptly. Suggest enumerating the examples for clarity.

Apply:

-本章节共介绍
+本章节共介绍以下示例:
+- Hello Blockchain
+- 资源组(Resource Groups)
+- 共享账户(Shared Account)
+- 去中心化金融(DeFi)
docs/03-move/98-move-examples/03-hello-blockchain.md (1)

9-16: Pin or permalink external repo links.
Branch dual-verse-dag may change. Prefer a commit permalink or explicitly state the branch and date.

i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/04-resource-groups.md (1)

7-11: Minor naming consistency in link text.
Anchor text says “resource-group” while the path is resource_groups; align to avoid confusion.

-该工程位于 [resource-group](https://github.com/.../resource_groups) 仓库中。
+该工程位于 [resource_groups](https://github.com/.../resource_groups) 仓库中。
docs/03-move/98-move-examples/04-resource-groups.md (1)

9-17: Permalink external references.
The dual-verse-dag branch may move; pin to a commit or add a note about branch volatility.

i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/06-defi.md (1)

46-48: Generalize network names and add a ‘testnets only’ caution.
Explicitly recommend using dev/barnard only; warn against mainnet usage for examples.

docs/03-move/98-move-examples/06-defi.md (2)

63-87: Add an explicit wait before claim to avoid expected revert while locked.

Readers will hit a revert if they immediately run the claim. Insert a simple wait/poll step.

 # R1 claims the locked tokens from S (claiming within 60 seconds will result in an error)
+## Option A: wait 60 seconds
+sleep 60
+## Option B: poll on-chain time until `claim_time_secs` <= now
 account execute-function -s 0x95cb8c2ef522014bd03f633bd6c8dee6 --function 0x82cbfefb8076f2da3339b782fb074438::locked_coins::claim -t 0x1::starcoin_coin::STC --arg 0x82cbfefb8076f2da3339b782fb074438 -b
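Review bot: `sleep 60` in the added lines is a shell command, but the context lines around it (`account execute-function ...`) read as commands typed at the Starcoin console, so a reader pasting the block as one unit will hit an unknown command; express the wait as a comment instructing the reader to pause, or show it outside the console block. Option B is added as a heading with no command under it, so either supply the polling command or drop the option. The context comment says a claim within 60 seconds errors, so a wait of exactly 60 seconds leaves no margin.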

51-53: Default to a safe network and discourage mainnet for examples.

To reduce accidental mainnet usage with demo keys, recommend “dev” (or testnet) as the default in the example command.

-starcoin -n <network> console
+starcoin -n dev console   # use dev/testnet for examples; do not use mainnet
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e59dd94 and 6215f41.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (9)
  • docs/03-move/98-move-examples/03-hello-blockchain.md (1 hunks)
  • docs/03-move/98-move-examples/04-resource-groups.md (1 hunks)
  • docs/03-move/98-move-examples/05-shared-account.md (1 hunks)
  • docs/03-move/98-move-examples/06-defi.md (1 hunks)
  • i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/03-hello-blockchain.md (1 hunks)
  • i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/04-resource-groups.md (1 hunks)
  • i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/05-shared-account.md (1 hunks)
  • i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/06-defi.md (1 hunks)
  • i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/README.md (1 hunks)
🧰 Additional context used
🪛 Gitleaks (8.28.0)
i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/06-defi.md

[high] 25-25: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 31-31: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 37-37: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

docs/03-move/98-move-examples/06-defi.md

[high] 30-30: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 36-36: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 42-42: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Test deployment
🔇 Additional comments (3)
i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/03-hello-blockchain.md (1)

45-47: Confirm and unify the usage of the -s parameter of dev deploy (signer address vs. blob path)

Usage is mixed across the repository, for example:

  • dev deploy <blob> -s <address> — docs/03-move/12-call-function.md:68, docs/03-move/98-move-examples/01-create-a-new-token.md:67
  • dev deploy -s <address> <blob> — i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/05-shared-account.md:29
  • dev deploy -s <blob> (incorrect usage) — i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/03-hello-blockchain.md:46

Confirm the correct semantics of -s against the actual starcoin-cmd CLI syntax and unify it across the site (if the CLI allows arguments in any order, still standardize on -s being followed by the signer address and fix the incorrect examples).

docs/03-move/98-move-examples/06-defi.md (2)

9-16: Clarify location and tool name; “repository” → “directory,” confirm tool naming.

The link points to a path inside the Starcoin repo, not a separate repository. Also, “move-package-manager2” may be a branch/tool alias—please confirm the exact binary name users should build/invoke.

Apply wording tweak:

-The project is located in the [defi](https://github.com/starcoinorg/starcoin/tree/dual-verse-dag/vm2/move-examples/defi)
-repository. Please clone the Starcoin repository to your local machine and compile the following tools:
+The project is located in the [defi](https://github.com/starcoinorg/starcoin/tree/dual-verse-dag/vm2/move-examples/defi)
+directory within the Starcoin repository. Clone the repo and build the following tools:

If the tool is actually named “move-package-manager” (not “…2”), update both the list and the later commands accordingly. Want me to verify the latest naming across vm2 docs and adjust here?


48-57: Add explicit packaging commands (use mpm package build + mpm release)

The section says “connect to the console and package the project” but only shows console/sync — add concrete packaging commands before connecting.

Suggested insertion (before the console command):

# Package the Move project (requires mpm)
cd <path-to-repo>/vm2/move-examples/defi
mpm package build
mpm release

Confirm the correct local path to the defi package (or update the doc's path/link).

Comment on lines +33 to +36
```shell
# Switch to the project directory
cd <work_dir>/starcoin/vm2/move-examples/hello-blockchain
```

⚠️ Potential issue

Fix path: directory name uses underscore, not hyphen.
Repo link (Line 9) points to hello_blockchain; the cd path uses hello-blockchain.

-cd <work_dir>/starcoin/vm2/move-examples/hello-blockchain
+cd <work_dir>/starcoin/vm2/move-examples/hello_blockchain
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
```shell
# Switch to the project directory
cd <work_dir>/starcoin/vm2/move-examples/hello-blockchain
```
🤖 Prompt for AI Agents
In docs/03-move/98-move-examples/03-hello-blockchain.md around lines 33 to 36,
the cd command uses a hyphenated directory name "hello-blockchain" but the
actual repo/directory is named "hello_blockchain"; update the path to use the
underscore (cd <work_dir>/starcoin/vm2/move-examples/hello_blockchain) and scan
nearby lines (including the repo link on line 9) to ensure all references
consistently use "hello_blockchain".

Comment on lines +53 to +55
# Deploy the contract; if the result shows "Executed", it indicates successful deployment
starcoin% dev deploy -s <work_dir>/starcoin/vm2/move-examples/hello-blockchain/release/hello-blockchain.v0.0.1.blob
txn 0x12481f66a05a56d93cb51d34e05c1815919ba6cea40ee073621f1d05a66341ac submitted.

⚠️ Potential issue

🧩 Analysis chain

Verify dev deploy CLI flags; usage is inconsistent across docs.
Here -s appears to be used as a blob path, while other pages pass an address after -s. Please confirm the correct syntax with your current starcoin-cmd and unify across all pages.

Run to locate inconsistencies and hard-coded absolute paths:


🏁 Script executed:

#!/bin/bash
rg -nP -C1 'dev\s+deploy\b' docs i18n
rg -nP '/home/|\\Users\\' docs i18n

Length of output: 10783


Unify dev deploy usage: -s is the sender address — fix flag misuse & remove hard-coded paths

Starcoin docs show -s/--sender is the publisher/sender address; canonical usage is: dev deploy <blob_path> -s 0x... -b. (cookbook.starcoin.org)

  • Fix docs/03-move/98-move-examples/03-hello-blockchain.md:54 (and i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/03-hello-blockchain.md:46): currently "dev deploy -s <work_dir>/…/hello-blockchain.v0.0.1.blob" — change to "dev deploy <work_dir>/…/hello-blockchain.v0.0.1.blob -s 0x -b" (match other examples such as docs/03-move/98-move-examples/02-create-a-new-nft.md:76).
  • Remove/replace hard-coded absolute paths found (examples): docs/03-move/98-move-examples/05-shared-account.md:37 (/home/bob/…), docs/03-move/12-call-function.md:68 (/home/ubuntu/…) and their i18n copies — use <work_dir> or /path/to/ placeholders or relative paths.
🤖 Prompt for AI Agents
In docs/03-move/98-move-examples/03-hello-blockchain.md around lines 53–55 (and
the i18n copy
i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/03-hello-blockchain.md
line ~46), change the dev deploy invocation to use the sender flag correctly and
avoid hard-coded paths: replace the current "dev deploy -s
<work_dir>/…/hello-blockchain.v0.0.1.blob" with "dev deploy
<work_dir>/…/hello-blockchain.v0.0.1.blob -s 0x<address> -b"; additionally, scan
and update other docs with absolute paths
(docs/03-move/98-move-examples/05-shared-account.md,
docs/03-move/12-call-function.md and their i18n copies) to use <work_dir> or
/path/to/ placeholders or relative paths instead of hard-coded /home/... values.

Comment on lines +36 to +38
# Deploy the contract
dev deploy -s 0x82cbfefb8076f2da3339b782fb074438 /home/bob/starcoin/vm2/move-examples/shared_account/release/shared_account.v0.0.1.blob

⚠️ Potential issue

❓ Verification inconclusive

Avoid absolute paths and confirm deploy flag semantics.
Replace user-specific path; confirm whether -s is sender or path and make consistent.

-dev deploy -s 0x82cbfefb8076f2da3339b782fb074438 /home/bob/starcoin/vm2/move-examples/shared_account/release/shared_account.v0.0.1.blob
+dev deploy -s 0x82cbfefb8076f2da3339b782fb074438 <work_dir>/starcoin/vm2/move-examples/shared_account/release/shared_account.v0.0.1.blob

Avoid absolute paths; clarify -s is the sender.
Replace the user-specific absolute path with a repo-relative or placeholder path; -s is the sender flag (usage: dev deploy <path> -s <sender>). (starcoin.org)

-dev deploy -s 0x82cbfefb8076f2da3339b782fb074438 /home/bob/starcoin/vm2/move-examples/shared_account/release/shared_account.v0.0.1.blob
+dev deploy -s 0x82cbfefb8076f2da3339b782fb074438 <work_dir>/starcoin/vm2/move-examples/shared_account/release/shared_account.v0.0.1.blob
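Review bot: The replacement line still places `-s <sender>` before the blob path, while the comment text directly above this hunk gives the usage as `dev deploy <path> -s <sender>`. Put the blob path first in the suggested line so the fix matches the stated usage, or say explicitly that both orders are accepted; as written, applying the suggestion removes the absolute path but leaves the ordering inconsistency this review is asking to unify.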

Suggested change
# Deploy the contract
dev deploy -s 0x82cbfefb8076f2da3339b782fb074438 /home/bob/starcoin/vm2/move-examples/shared_account/release/shared_account.v0.0.1.blob
# Deploy the contract
dev deploy -s 0x82cbfefb8076f2da3339b782fb074438 <work_dir>/starcoin/vm2/move-examples/shared_account/release/shared_account.v0.0.1.blob
🤖 Prompt for AI Agents
In docs/03-move/98-move-examples/05-shared-account.md around lines 36 to 38, the
deploy example uses a user-specific absolute path and a confusing flag order;
replace the absolute path with a repo-relative or placeholder path (e.g.,
./shared_account/release/shared_account.v0.0.1.blob or <path-to-blob>) and
update the command to show the sender flag clearly (usage: dev deploy <path> -s
<sender>), e.g., put the path first and -s 0x82cb... after it, and add a brief
note that -s specifies the sender address.

Comment on lines +23 to +24
Account import data (JSON format):

⚠️ Potential issue

Add an upfront security disclaimer for account handling.

Given the account import that follows, add a brief disclaimer about test-only keys, rotation, and funding via faucet.

-Account import data (JSON format):
+Account import data (JSON format):
+
+> Security note: Use throwaway dev/test accounts only. If any example key ever held funds on a public network, consider it compromised and rotate immediately.

Suggested change
Account import data (JSON format):
Account import data (JSON format):
> Security note: Use throwaway dev/test accounts only. If any example key ever held funds on a public network, consider it compromised and rotate immediately.
🤖 Prompt for AI Agents
In docs/03-move/98-move-examples/06-defi.md around lines 23–24, add a brief
upfront security disclaimer immediately above the "Account import data (JSON
format):" line warning that the shown accounts are test-only keys, should not be
used on mainnet, must be funded via a faucet for testing, and private keys must
be kept secure and rotated regularly in production; keep the text concise (1–2
sentences) and clearly labeled as a security note.

Comment on lines +25 to +46
```json
[
{
"ok": {
"account": "0x82cbfefb8076f2da3339b782fb074438",
"private_key": "0x01f747e8476fe3727ca29ae87fd44dd8d222609b42517274908c9ef24023169a"
}
},
{
"ok": {
"account": "0x95cb8c2ef522014bd03f633bd6c8dee6",
"private_key": "0x37528fbbace04e2b3609de312bdcfeb4704cd83a3488b9fc836118d02835c36e"
}
},
{
"ok": {
"account": "0x7111c56355d63f3434aa7de8b3c94aff",
"private_key": "0xb1a0d666adaae36d103631a182f8742717c7a650f374912804a1f5e740f4b1b7"
}
}
]
```

⚠️ Potential issue

Hard-stop: Private keys committed in docs (rotate immediately; replace with placeholders).

The JSON sample embeds three real-looking private_key values. This is a critical secret-leak pattern (also flagged by Gitleaks). Even if intended for dev/test, never publish usable keys. Anyone can sweep funds on any network where these keys are funded.

  • Action now: Assume keys are compromised; rotate/delete them wherever used.
  • Fix docs: Replace with placeholders and add a warning about generating local throwaway keys (devnet only).

Apply this diff to sanitize the sample and protect readers:

-```json
-[
-  {
-    "ok": {
-      "account": "0x82cbfefb8076f2da3339b782fb074438",
-      "private_key": "0x01f747e8476fe3727ca29ae87fd44dd8d222609b42517274908c9ef24023169a"
-    }
-  },
-  {
-    "ok": {
-      "account": "0x95cb8c2ef522014bd03f633bd6c8dee6",
-      "private_key": "0x37528fbbace04e2b3609de312bdcfeb4704cd83a3488b9fc836118d02835c36e"
-    }
-  },
-  {
-    "ok": {
-      "account": "0x7111c56355d63f3434aa7de8b3c94aff",
-      "private_key": "0xb1a0d666adaae36d103631a182f8742717c7a650f374912804a1f5e740f4b1b7"
-    }
-  }
-]
-```
+```json
+[
+  { "ok": { "account": "<SPONSOR_ACCOUNT_ADDRESS>",  "private_key": "<SPONSOR_PRIVATE_KEY_HEX>" } },
+  { "ok": { "account": "<RECIPIENT1_ACCOUNT_ADDRESS>","private_key": "<RECIPIENT1_PRIVATE_KEY_HEX>" } },
+  { "ok": { "account": "<RECIPIENT2_ACCOUNT_ADDRESS>","private_key": "<RECIPIENT2_PRIVATE_KEY_HEX>" } }
+]
+```
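Review bot: Replacing the `account` values with placeholders in the added lines detaches this sample from the commands later in the same guide, which hard-code 0x82cbfefb8076f2da3339b782fb074438 and 0x95cb8c2ef522014bd03f633bd6c8dee6 (see the `locked_coins::claim` call quoted earlier on this page). Readers who generate their own keys will get different addresses, so the same placeholders need to be carried into those commands in the same change, otherwise the walkthrough no longer runs end to end. Spacing after the comma is also inconsistent on the second and third added lines (`...>","private_key"`).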

Add this warning right above the JSON:

+> Important
+> - Do NOT use or publish real private keys. Generate local, throwaway keys for dev/test only.
+> - Replace the placeholders below with your locally generated keys (e.g., via `starcoin% account generate`), and never reuse them on mainnet.

I can also add a short “generate accounts + faucet” snippet tailored to your preferred network. Want me to push that?

🧰 Tools
🪛 Gitleaks (8.28.0)

[high] 30-30: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 36-36: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 42-42: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🤖 Prompt for AI Agents
In docs/03-move/98-move-examples/06-defi.md around lines 25 to 46, the JSON
example contains real-looking private_key values which must be removed; replace
each concrete private_key and account value with placeholder tokens (e.g.,
<SPONSOR_ACCOUNT_ADDRESS>, <SPONSOR_PRIVATE_KEY_HEX>, etc.) and insert a short
warning immediately above the JSON block instructing readers to generate or use
throwaway/devnet keys only (and to rotate/revoke any exposed keys). Ensure the
sanitized JSON matches the suggested placeholder format from the review and do
not commit any real secrets; optionally add (or offer separately) a small
“generate accounts + faucet” snippet for the chosen devnet if desired.

Comment on lines +26 to +28
# Switch to the project directory
cd <work_dir>/starcoin/vm2/move-examples/hello-blockchain

⚠️ Potential issue

Fix the directory name: it should use an underscore.
Use hello_blockchain, consistent with the repository path.

-cd <work_dir>/starcoin/vm2/move-examples/hello-blockchain
+cd <work_dir>/starcoin/vm2/move-examples/hello_blockchain

Suggested change
# Switch to the project directory
cd <work_dir>/starcoin/vm2/move-examples/hello-blockchain
# Switch to the project directory
cd <work_dir>/starcoin/vm2/move-examples/hello_blockchain
🤖 Prompt for AI Agents
In
i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/03-hello-blockchain.md
around lines 26 to 28, the example directory name uses a hyphen
("hello-blockchain") but should use an underscore to match the repository path;
update the cd command to use hello_blockchain (cd
<work_dir>/starcoin/vm2/move-examples/hello_blockchain) so the path matches the
repo.

Comment on lines +28 to +30
# Deploy the contract
dev deploy -s 0x82cbfefb8076f2da3339b782fb074438 /home/bob/starcoin/vm2/move-examples/shared_account/release/shared_account.v0.0.1.blob

🛠️ Refactor suggestion

🧩 Analysis chain

Avoid hard-coded absolute paths and unify deploy syntax.
Use <work_dir> placeholder and consistent CLI flags.

-dev deploy -s 0x82cbfefb8076f2da3339b782fb074438 /home/bob/starcoin/vm2/move-examples/shared_account/release/shared_account.v0.0.1.blob
+dev deploy -s 0x82cbfefb8076f2da3339b782fb074438 <work_dir>/starcoin/vm2/move-examples/shared_account/release/shared_account.v0.0.1.blob

Also verify whether -s should specify sender or blob path and adjust accordingly across all docs.


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Show target doc snippet ==="
sed -n '1,200p' i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/05-shared-account.md || true

echo
echo "=== Search for 'dev deploy' occurrences (context lines) ==="
rg -n --hidden -S -C2 "dev deploy" || true

echo
echo "=== Search for 'dev deploy' with -s flag ==="
rg -n --hidden -S -C2 "dev deploy.*-s" || true

echo
echo "=== Search for absolute /home/ paths in repo ==="
rg -n --hidden -S "/home/" || true

echo
echo "=== Search for '<work_dir>' placeholder usage ==="
rg -n --hidden -S "<work_dir>" || true

echo
echo "=== Search for CLI help strings that mention 'deploy' or '-s' (likely help text) ==="
rg -n --hidden -S -C2 "help.*deploy|deploy.*help|\\-s " || true

echo
echo "=== Search for files likely implementing CLI subcommands named 'deploy' ==="
rg -n --hidden -S "deploy\\b" -g '!**/node_modules/**' -g '!**/.git/**' -g '!**/dist/**' --hidden -C1 || true

Length of output: 79816


Replace hard-coded /home paths with <work_dir> and standardize dev deploy (-s is signer)

Replace the absolute path in i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/05-shared-account.md (lines 28–30) with the <work_dir> placeholder and ensure deploy examples use the canonical ordering: dev deploy -s -b — the -s flag is the signer/sender. (cookbook.starcoin.org)

Also scan and fix other docs that use absolute /home/ paths (e.g., docs/03-move/12-call-function.md) and examples that place -s before the blob (e.g., docs/03-move/98-move-examples/03-hello-blockchain.md); make all examples consistent.

🤖 Prompt for AI Agents
In
i18n/zh/docusaurus-plugin-content-docs/current/03-move/98-move-examples/05-shared-account.md
lines 28–30, the deploy example uses a hard-coded absolute /home path and the -s
flag is placed before the blob; replace the absolute path with the <work_dir>
placeholder and reorder the command to the canonical form "dev deploy
<blob-path> -s <sender-address> -b" (so the blob path comes first and -s is the
signer), and then scan other docs (e.g., docs/03-move/12-call-function.md and
docs/03-move/98-move-examples/03-hello-blockchain.md) for any /home/ absolute
paths or examples with -s before the blob and update them to use <work_dir> and
the canonical flag ordering for consistency.

Comment on lines +20 to +41
```json
[
{
"ok": {
"account": "0x82cbfefb8076f2da3339b782fb074438",
"private_key": "0x01f747e8476fe3727ca29ae87fd44dd8d222609b42517274908c9ef24023169a"
}
},
{
"ok": {
"account": "0x95cb8c2ef522014bd03f633bd6c8dee6",
"private_key": "0x37528fbbace04e2b3609de312bdcfeb4704cd83a3488b9fc836118d02835c36e"
}
},
{
"ok": {
"account": "0x7111c56355d63f3434aa7de8b3c94aff",
"private_key": "0xb1a0d666adaae36d103631a182f8742717c7a650f374912804a1f5e740f4b1b7"
}
}
]
```

⚠️ Potential issue

Critical: Private keys committed to docs. Remove immediately.
The JSON block includes private_key values. Even for test/dev, this is a secret leak and will trigger scanners and downstream copying. Replace with placeholders and add a warning.

-[
-  {
-    "ok": {
-      "account": "0x82cbfefb8076f2da3339b782fb074438",
-      "private_key": "0x01f747e8476fe3727ca29ae87fd44dd8d222609b42517274908c9ef24023169a"
-    }
-  },
-  {
-    "ok": {
-      "account": "0x95cb8c2ef522014bd03f633bd6c8dee6",
-      "private_key": "0x37528fbbace04e2b3609de312bdcfeb4704cd83a3488b9fc836118d02835c36e"
-    }
-  },
-  {
-    "ok": {
-      "account": "0x7111c56355d63f3434aa7de8b3c94aff",
-      "private_key": "0xb1a0d666adaae36d103631a182f8742717c7a650f374912804a1f5e740f4b1b7"
-    }
-  }
-]
+[
+  {
+    "ok": {
+      "account": "<SPONSOR_ACCOUNT_ADDRESS>",
+      "private_key": "<SPONSOR_PRIVATE_KEY_PLACEHOLDER>"
+    }
+  },
+  {
+    "ok": {
+      "account": "<RECIPIENT_R1_ADDRESS>",
+      "private_key": "<RECIPIENT_R1_PRIVATE_KEY_PLACEHOLDER>"
+    }
+  },
+  {
+    "ok": {
+      "account": "<RECIPIENT_R2_ADDRESS>",
+      "private_key": "<RECIPIENT_R2_PRIVATE_KEY_PLACEHOLDER>"
+    }
+  }
+]
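Review bot: The placeholder names in the added lines (`<SPONSOR_PRIVATE_KEY_PLACEHOLDER>`, `<RECIPIENT_R1_ADDRESS>`) differ from the ones suggested for the English guide (`<SPONSOR_PRIVATE_KEY_HEX>`, `<RECIPIENT1_ACCOUNT_ADDRESS>`). Use one set of names in both files so the translated page stays equivalent to the English one and a single search finds every spot a reader has to fill in.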

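Add a note above the block: “切勿在公开仓库中提交真实私钥;仅使用本地环境变量或本地文件导入测试账户。” (“Never commit real private keys to a public repository; import test accounts only via local environment variables or local files.”)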

I can add a short “Security note” callout to all example pages if you’d like.


Suggested change
```json
[
{
"ok": {
"account": "0x82cbfefb8076f2da3339b782fb074438",
"private_key": "0x01f747e8476fe3727ca29ae87fd44dd8d222609b42517274908c9ef24023169a"
}
},
{
"ok": {
"account": "0x95cb8c2ef522014bd03f633bd6c8dee6",
"private_key": "0x37528fbbace04e2b3609de312bdcfeb4704cd83a3488b9fc836118d02835c36e"
}
},
{
"ok": {
"account": "0x7111c56355d63f3434aa7de8b3c94aff",
"private_key": "0xb1a0d666adaae36d103631a182f8742717c7a650f374912804a1f5e740f4b1b7"
}
}
]
```
切勿在公开仓库中提交真实私钥;仅使用本地环境变量或本地文件导入测试账户。
🧰 Tools
🪛 Gitleaks (8.28.0)

[high] 25-25: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 31-31: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)


[high] 37-37: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)
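A docs-focused pre-merge check for the leak flagged above, given here as an added example (it is not part of the PR, of CodeRabbit's output, or of Gitleaks): it flags `private_key` fields holding 32-byte hex values in documentation text, masks them in its own report, and rewrites them to placeholders. The sample document, its hex values and the `<PRIVATE_KEY_HEX_n>` placeholder naming are constructed for illustration.

```python
import itertools
import re
import sys

# A JSON-style "private_key" field holding a 0x-prefixed 32-byte hex value,
# the shape of the values flagged in the review above. Keying on the field
# name keeps 64-hex transaction hashes and 32-hex account addresses out of
# the findings.
KEY_FIELD = re.compile(
    r'(?P<prefix>"private_key"\s*:\s*")'
    r'(?P<value>0x[0-9a-fA-F]{64})'
    r'(?P<suffix>")'
)


def find_key_leaks(text):
    """Return [(line_number, masked_value)] for each literal key in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_FIELD.finditer(line):
            # Mask before reporting so the check's own output (CI logs,
            # PR comments) does not republish the secret.
            findings.append((lineno, match.group("value")[:6] + "..."))
    return findings


def sanitize(text):
    """Replace each literal key with a numbered placeholder (assumed naming)."""
    counter = itertools.count(1)

    def placeholder(match):
        return "{}<PRIVATE_KEY_HEX_{}>{}".format(
            match.group("prefix"), next(counter), match.group("suffix")
        )

    return KEY_FIELD.sub(placeholder, text)


# Constructed sample in the layout of the guide's account import data.
# All hex values are made-up repeating bytes, not values from the PR.
SAMPLE_DOC = "\n".join([
    'Account import data (JSON format):',
    '[',
    '  {"ok": {"account": "0x' + "0a" * 16 + '",',
    '          "private_key": "0x' + "11" * 32 + '"}},',
    '  {"ok": {"account": "0x' + "0b" * 16 + '",',
    '          "private_key": "0x' + "ab" * 32 + '"}},',
    '  {"ok": {"account": "<RECIPIENT2_ACCOUNT_ADDRESS>",',
    '          "private_key": "<RECIPIENT2_PRIVATE_KEY_HEX>"}}',
    ']',
    'txn 0x' + "cd" * 32 + ' submitted.',
])


def main(argv):
    """Scan the given files (or the sample); return 1 if any key is found."""
    docs = {}
    for path in argv:
        with open(path, encoding="utf-8") as handle:
            docs[path] = handle.read()
    if not docs:
        docs = {"<sample>": SAMPLE_DOC}
    exit_code = 0
    for name, text in docs.items():
        for lineno, masked in find_key_leaks(text):
            print("{}:{}: literal private_key {}".format(name, lineno, masked))
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with the changed Markdown files as arguments; a non-zero exit status blocks the merge. Sanitizing the file does not undo the exposure of a key that was already pushed, so rotation is still required.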

Collaborator

@Star585 Star585 left a comment

ok
