Cairo: Support ERC-6909 extensions

[immrsd]

Resolves #1591

Adds support for the three ERC-6909 component's extensions:

• Content URI
• Token Supply
• Metadata

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 13557014-3518-4f43-aedb-5a7db5378a8c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

The PR adds three new optional features to the ERC6909 token standard: contentUri for contract/token URI metadata, tokenSupply for tracking total supply per token ID, and metadata for per-token metadata fields (name, symbol, decimals). These options are integrated throughout the Cairo Alpha implementation, including core logic, code generation, test coverage, UI controls, and AI function definitions.

Changes

Cohort / File(s)	Summary
Description & Core Configuration packages/common/src/ai/descriptions/cairo.ts, packages/core/cairo_alpha/src/erc6909.ts	Added three new feature flags (contentUri, tokenSupply, metadata) to ERC6909Options and defaults; updated isAccessControlRequired() to treat contentUri and metadata as requiring access control; integrated new component additions and hook logic for token supply updates.
Code Generation packages/core/cairo_alpha/src/generate/erc6909.ts, packages/ui/api/ai-assistant/function-definitions/cairo-alpha.ts	Extended ERC6909 blueprint with three new boolean configuration dimensions; updated AI function definition to expose new parameters with descriptions.
Test Coverage (with_components_off) packages/core/cairo_alpha/src/tests/with_components_off/erc6909/erc6909.test.ts, packages/core/cairo_alpha/src/tests/with_components_off/erc6909/erc6909.test.ts.md	Added test cases and snapshots for new extensions, including single features and combined permutations; generated Cairo contracts demonstrate component integration, access control roles, and constructor/setter implementations.
Test Coverage (with_components_on) packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts, packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md	Added test cases and snapshots mirroring new feature combinations with role-based variants; generated contracts include new external functions for URI and metadata management with role-based access control.
UI Controls packages/ui/src/cairo_alpha/ERC6909Controls.svelte	Added three new feature checkboxes (Content URI, Supply Tracking, Metadata) with bidirectional binding and help tooltips describing each feature's functionality.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Cairo: URI Storage (ERC721 + ERC1155) #772: Modifies Cairo ERC6909 implementation with overlapping changes to component implementations and ISRC5 interface flag handling.

Suggested reviewers

• ericglau
• ericnordelo
• bidzyyys

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding support for ERC-6909 extensions, which is the primary objective of the changeset across multiple files.
Description check	✅ Passed	The description is directly related to the changeset, specifying the exact extensions being added (Content URI, Token Supply, Metadata) and referencing the resolved issue.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts (1)

63-89: Add one non-upgradeable contentUri / metadata case.

Every new extension scenario here either keeps upgradeable on or opts into explicit roles, so this file still never exercises the new “extension alone forces access control” path. A regression there could slip by while isAccessControlRequired() stays green. I’d add at least one { contentUri: true, upgradeable: false } and one { metadata: true, upgradeable: false } case in both with_components_on and with_components_off.

🧪 Minimal additions

 testERC6909('metadata', {
   metadata: true,
 });
 
+testERC6909('content uri non-upgradeable', {
+  contentUri: true,
+  upgradeable: false,
+});
+
+testERC6909('metadata non-upgradeable', {
+  metadata: true,
+  upgradeable: false,
+});
+
 testERC6909('token supply + pausable', {
   tokenSupply: true,
   pausable: true,

Based on learnings: In the OpenZeppelin contracts-wizard cairo_alpha package, when the uriStorage option is enabled for ERC1155 (or ERC721), access control is required. If access: AccessControl.None() is specified along with uriStorage: true, the contract builder automatically switches to the default access control (Ownable) to ensure URI storage functions (like set_base_uri and set_token_uri) are protected. This is intentional behavior to maintain security.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts`
around lines 63 - 89, The test matrix is missing non-upgradeable cases that
exercise the "extension alone forces access control" path; add at least one
testERC6909 invocation for { contentUri: true, upgradeable: false } and one for
{ metadata: true, upgradeable: false } in both the with_components_on and
with_components_off test files so the builder's automatic default access control
behavior is covered; locate the existing testERC6909 calls and duplicate them
with the new option objects (preserving the same test name pattern) and
run/update assertions if any rely on upgradeable behavior.

packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md (1)

420-427: Consider normalizing constructor argument ordering across extension combinations.

owner/role addresses and metadata fields are ordered differently between variants (for example, metadata-only vs content-uri+metadata/all-extensions). Keeping a stable ordering convention will reduce deployment-script churn when toggling options.

Also applies to: 580-587, 674-681, 1023-1034, 1173-1184, 1337-1348, 1485-1496, 1643-1654, 1809-1820

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md`
around lines 420 - 427, The constructors across ERC6909 test variants have
inconsistent argument ordering (e.g., token_id, token_name, token_symbol,
token_decimals, owner vs other orders); standardize the parameter order for
every `constructor` definition so deployment scripts don’t need per-variant
changes—pick a canonical ordering (suggest: token_id, token_name, token_symbol,
token_decimals, owner) and update all `constructor` declarations and any
corresponding calls/usages in the metadata-only, content-uri+metadata, and
all-extensions variants (including the instances noted around the ranges
provided) to match that canonical order.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/core/cairo_alpha/src/erc6909.ts`:
- Around line 84-92: Add a changelog entry to
packages/core/cairo_alpha/CHANGELOG.md under the Unreleased section documenting
the ERC6909 surface changes (e.g., addition of contentUri, tokenSupply, metadata
options reflected by addContentURI, addTokenSupply, addMetadata in erc6909.ts);
include a short summary of the change, the affected files
(packages/core/cairo_alpha/src/erc6909.ts), and the PR/author reference so
consumers can see the new generated surface and why the package version needs
updating.

In `@packages/ui/src/cairo_alpha/ERC6909Controls.svelte`:
- Around line 58-67: The tooltips for the Content URI and Supply Tracking
options reference hardcoded camelCase method names that don't match generated
Cairo snake_case APIs; update the <HelpTooltip> text used inside the label
elements for opts.contentUri and opts.tokenSupply to remove specific method
signatures (e.g., remove "contractURI()", "tokenURI(id)", "totalSupply(id)") and
replace with generic descriptions like "Provides contract-level and per-token
URI metadata" and "Tracks total supply per token ID" so the text doesn't point
to camelCase names.

---

Nitpick comments:
In
`@packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts`:
- Around line 63-89: The test matrix is missing non-upgradeable cases that
exercise the "extension alone forces access control" path; add at least one
testERC6909 invocation for { contentUri: true, upgradeable: false } and one for
{ metadata: true, upgradeable: false } in both the with_components_on and
with_components_off test files so the builder's automatic default access control
behavior is covered; locate the existing testERC6909 calls and duplicate them
with the new option objects (preserving the same test name pattern) and
run/update assertions if any rely on upgradeable behavior.

In
`@packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md`:
- Around line 420-427: The constructors across ERC6909 test variants have
inconsistent argument ordering (e.g., token_id, token_name, token_symbol,
token_decimals, owner vs other orders); standardize the parameter order for
every `constructor` definition so deployment scripts don’t need per-variant
changes—pick a canonical ordering (suggest: token_id, token_name, token_symbol,
token_decimals, owner) and update all `constructor` declarations and any
corresponding calls/usages in the metadata-only, content-uri+metadata, and
all-extensions variants (including the instances noted around the ranges
provided) to match that canonical order.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 20030574-a299-4d30-8cb7-4f9984ab08f7

📥 Commits

Reviewing files that changed from the base of the PR and between 20141c1 and c6a362d.

⛔ Files ignored due to path filters (2)

• packages/core/cairo_alpha/src/tests/with_components_off/erc6909/erc6909.test.ts.snap is excluded by !**/*.snap
• packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.snap is excluded by !**/*.snap

📒 Files selected for processing (9)

• packages/common/src/ai/descriptions/cairo.ts
• packages/core/cairo_alpha/src/erc6909.ts
• packages/core/cairo_alpha/src/generate/erc6909.ts
• packages/core/cairo_alpha/src/tests/with_components_off/erc6909/erc6909.test.ts
• packages/core/cairo_alpha/src/tests/with_components_off/erc6909/erc6909.test.ts.md
• packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts
• packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md
• packages/ui/api/ai-assistant/function-definitions/cairo-alpha.ts
• packages/ui/src/cairo_alpha/ERC6909Controls.svelte

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Please add the matching cairo_alpha changelog entry.

This PR changes the generated ERC6909 surface under packages/core/cairo_alpha, but the patch doesn’t include the corresponding packages/core/cairo_alpha/CHANGELOG.md update.

Based on learnings: Changes within packages/core/cairo_alpha should have a corresponding changelog entry in packages/core/cairo_alpha/CHANGELOG.md under the Unreleased section to track these changes.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/core/cairo_alpha/src/erc6909.ts` around lines 84 - 92, Add a
changelog entry to packages/core/cairo_alpha/CHANGELOG.md under the Unreleased
section documenting the ERC6909 surface changes (e.g., addition of contentUri,
tokenSupply, metadata options reflected by addContentURI, addTokenSupply,
addMetadata in erc6909.ts); include a short summary of the change, the affected
files (packages/core/cairo_alpha/src/erc6909.ts), and the PR/author reference so
consumers can see the new generated surface and why the package version needs
updating.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

In OpenZeppelin Contracts for Cairo alpha ERC-6909 Content URI and Token Supply extensions, what are the exposed read method names? Are they snake_case (contract_uri, token_uri, total_supply) or camelCase wrappers (contractURI, tokenURI, totalSupply)?

💡 Result:

In OpenZeppelin Contracts for Cairo (alpha), the ERC token components typically expose both:

• the snake_case Cairo-style external methods, and
• camelCase wrappers (for Solidity-/EVM-style naming / legacy tooling expectations).

This is visible in the Cairo alpha API docs for ERC-721, where both token_uri(...) and tokenURI(...) are exposed as external methods. (docs.openzeppelin.com)

So for ERC-6909 extensions you should expect the exposed read methods to include both name variants:

• Content URI extension
  • contract_uri() and contractURI()
  • token_uri(id) and tokenURI(id)
• Token Supply extension
  • total_supply(id) and totalSupply(id)

Citations:

• 1: https://docs.openzeppelin.com/contracts-cairo/alpha/api/erc721?utm_source=openai

---

🏁 Script executed:

# Search for ERC-6909 implementation and Content URI / Token Supply extensions
find . -type f -name "*.ts" -o -name "*.cairo" | xargs grep -l "ERC6909\|contentUri\|tokenSupply" 2>/dev/null | head -20

Repository: OpenZeppelin/contracts-wizard

Length of output: 1138

---

🏁 Script executed:

# Look for test snapshots or generated code that shows the actual Cairo API surface
fd -e "test.ts.md" -e ".test.ts" | xargs grep -l "ERC6909\|contract_uri\|token_uri\|totalSupply" 2>/dev/null | head -10

Repository: OpenZeppelin/contracts-wizard

Length of output: 816

---

🏁 Script executed:

# Check the test snapshot for ERC6909 with components ON to see generated method names
wc -l ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md

Repository: OpenZeppelin/contracts-wizard

Length of output: 161

---

🏁 Script executed:

# Search for contentUri and tokenSupply related code in the test snapshot
rg "contentUri|tokenSupply" ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md -A 5 -B 2

Repository: OpenZeppelin/contracts-wizard

Length of output: 55

---

🏁 Script executed:

# Look for the actual Cairo method signatures in the test snapshot - search for contract_uri, token_uri, total_supply
rg "contract_uri|token_uri|total_supply|contractURI|tokenURI|totalSupply" ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md | head -30

Repository: OpenZeppelin/contracts-wizard

Length of output: 2471

---

🏁 Script executed:

# Search for the getter/read methods (without set_ prefix) for contract_uri and token_uri
rg "fn contract_uri|fn token_uri|fn total_supply" ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md -A 2 | head -40

Repository: OpenZeppelin/contracts-wizard

Length of output: 55

---

🏁 Script executed:

# Look at a specific section of the test file to see the full generated contract with all methods
sed -n '1,200p' ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md | grep -A 3 "fn contract_uri\|fn token_uri\|fn total_supply"

Repository: OpenZeppelin/contracts-wizard

Length of output: 55

---

🏁 Script executed:

# Search for the generated contract code more broadly to see all exposed methods
rg "pub fn contract_uri|pub fn token_uri|pub fn total_supply|pub fn contractURI|pub fn tokenURI|pub fn totalSupply" ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md

Repository: OpenZeppelin/contracts-wizard

Length of output: 55

---

🏁 Script executed:

# Let's look at the actual ERC6909 generation code to understand what methods are created
cat ./packages/core/cairo_alpha/src/generate/erc6909.ts

Repository: OpenZeppelin/contracts-wizard

Length of output: 1356

---

🏁 Script executed:

# Also check the contentUri component implementation
fd -type f -name "*content*uri*" -o -name "*ContentUri*"

Repository: OpenZeppelin/contracts-wizard

Length of output: 243

---

🏁 Script executed:

# Search for where the read methods are defined in the component source
rg "contract_uri|token_uri|total_supply" ./packages/core/cairo_alpha/src -t ts -l | head -10

Repository: OpenZeppelin/contracts-wizard

Length of output: 200

---

🏁 Script executed:

# Check the erc6909.ts file to see the options interface
cat ./packages/core/cairo_alpha/src/erc6909.ts

Repository: OpenZeppelin/contracts-wizard

Length of output: 10420

---

🏁 Script executed:

# Look for the actual component implementations or built templates
fd -name "*.cairo" -path "*6909*" 2>/dev/null

Repository: OpenZeppelin/contracts-wizard

Length of output: 55

---

🏁 Script executed:

# Search in the test snapshot for where read methods are called or defined
rg "fn contract_uri|fn token_uri|fn total_supply|contract_uri\(\)|token_uri\(" ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md -B 2 -A 3 | head -50

Repository: OpenZeppelin/contracts-wizard

Length of output: 1868

---

🏁 Script executed:

# Search for the getter methods in the test snapshot - look for all methods with contract_uri or token_uri in the name
rg "fn.*contract_uri|fn.*token_uri|fn.*total_supply" ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md -B 1 -A 3 | head -60

Repository: OpenZeppelin/contracts-wizard

Length of output: 2736

---

🏁 Script executed:

# Alternative: search for the implementation trait methods that would be exposed
rg "ERC6909ContentURIImpl|ERC6909TokenSupplyImpl" ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md -B 3 -A 10 | head -80

Repository: OpenZeppelin/contracts-wizard

Length of output: 3170

---

🏁 Script executed:

# Check if there's any documentation or component definition that lists the available methods
rg "contract_uri|token_uri|total_supply" ./packages/core/cairo_alpha/src -g "*.ts" -B 2 -A 2 | grep -A 3 "ERC6909ContentURI\|ERC6909TokenSupply" | head -50

Repository: OpenZeppelin/contracts-wizard

Length of output: 522

---

🏁 Script executed:

# Search for calls to contract_uri, token_uri, total_supply in the test (as reads/getters)
rg "contract_uri\(|token_uri\(|total_supply\(|contractURI\(|tokenURI\(|totalSupply\(" ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md

Repository: OpenZeppelin/contracts-wizard

Length of output: 2952

---

🏁 Script executed:

# Look for the actual impl block contents to see what public methods are exposed
sed -n '1,500p' ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md | tail -200

Repository: OpenZeppelin/contracts-wizard

Length of output: 7048

---

🏁 Script executed:

# Check if there are any test calls or assertions that invoke the read methods
rg "\.contract_uri\(|\.token_uri\(|\.total_supply\(" ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md

Repository: OpenZeppelin/contracts-wizard

Length of output: 55

---

🏁 Script executed:

# Search for how other Cairo components expose read methods to understand the pattern
rg "fn contract_uri|fn token_uri|fn total_supply" ./packages/core/cairo_alpha/src -B 2 -A 5

Repository: OpenZeppelin/contracts-wizard

Length of output: 55

---

🏁 Script executed:

# Check the OpenZeppelin Contracts for Cairo documentation links in the generated code
rg "Compatible with OpenZeppelin Contracts for Cairo" ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md

Repository: OpenZeppelin/contracts-wizard

Length of output: 1492

---

🏁 Script executed:

# Look at what's embedded in the trait/impl for the ContentURI component specifically
sed -n '1,100p' ./packages/core/cairo_alpha/src/tests/with_components_on/erc6909/erc6909.test.ts.md | grep -A 20 "ERC6909ContentURIImpl"

Repository: OpenZeppelin/contracts-wizard

Length of output: 55

---

🏁 Script executed:

# Look at the ERC1155 test to see if we can find a pattern for how URI read methods are named
rg "contract_uri\(|token_uri\(" ./packages/core/cairo_alpha/src/tests/with_components_on/erc1155/erc1155.test.ts.md | head -20

Repository: OpenZeppelin/contracts-wizard

Length of output: 1802

---

🏁 Script executed:

# Check what methods the ERC1155URIStorageComponent actually exposes by looking for any calls to it
rg "erc1155_uri_storage\." ./packages/core/cairo_alpha/src/tests/with_components_on/erc1155/erc1155.test.ts.md -A 2 | head -40

Repository: OpenZeppelin/contracts-wizard

Length of output: 1057

---

🏁 Script executed:

# Search in the UI file itself to see if there are any other references to these methods
grep -r "contractURI\|tokenURI\|totalSupply" ./packages/ui/src/cairo_alpha/ 2>/dev/null

Repository: OpenZeppelin/contracts-wizard

Length of output: 393

---

🏁 Script executed:

# Let's look for any getter method definitions in the ERC6909 component by checking what's embedded
rg "ERC6909ContentURIImpl|ERC6909TokenSupplyImpl" ./packages/core/cairo_alpha/src -B 3 -A 10 -g "*.ts" | head -100

Repository: OpenZeppelin/contracts-wizard

Length of output: 2329

---

🏁 Script executed:

# Check if there's a definition of what methods these components expose
find ./packages/core/cairo_alpha/src -name "*.ts" -exec grep -l "ERC6909ContentURI\|ERC6909TokenSupply" {} \;

Repository: OpenZeppelin/contracts-wizard

Length of output: 115

---

🏁 Script executed:

# Search in the broader OpenZeppelin Cairo package context to understand if ERC6909 is documented
find ./packages -name "CHANGELOG.md" -o -name "README.md" | xargs grep -l "ERC6909\|6909" 2>/dev/null

Repository: OpenZeppelin/contracts-wizard

Length of output: 184

---

🏁 Script executed:

# Check if the web search claim about both variants is validated by looking at an ERC721 example in the tests
rg "fn token_uri|fn tokenURI" ./packages/core/cairo_alpha/src/tests/with_components_on/erc721/erc721.test.ts.md | head -20

Repository: OpenZeppelin/contracts-wizard

Length of output: 55

---

🏁 Script executed:

# Look for any documentation in the wizard about which methods are actually exposed
rg "contractURI|tokenURI|totalSupply|contract_uri|token_uri|total_supply" ./packages/ui/src/cairo_alpha -B 3 -A 3

Repository: OpenZeppelin/contracts-wizard

Length of output: 1308

---

🏁 Script executed:

# Check the changelog to see if ERC6909 components are mentioned as new
grep -A 5 -B 5 "ERC6909\|6909" ./packages/core/cairo_alpha/CHANGELOG.md | head -50

Repository: OpenZeppelin/contracts-wizard

Length of output: 997

---

🏁 Script executed:

# Final verification: look for any test that actually calls these read methods to confirm they exist
rg "\.contract_uri\(\)|\.token_uri\(\)|\.total_supply\(\)|contractURI\(\)|tokenURI\(\)|totalSupply\(\)" ./packages/core/cairo_alpha/src/tests -B 2 -A 2

Repository: OpenZeppelin/contracts-wizard

Length of output: 55

---

Remove hardcoded camelCase method names from these tooltips.

The generated Cairo code exposes snake_case methods for URI setters and does not include camelCase wrappers (new features skip backwards-compat naming). The tooltips should omit specific method signatures to avoid pointing users at names that don't match the generated API:

✏️ Suggested rewording

-      <HelpTooltip>Provides contract-level and per-token URI metadata via contractURI() and tokenURI(id).</HelpTooltip>
+      <HelpTooltip>Provides contract-level and per-token URI metadata.</HelpTooltip>
...
-      <HelpTooltip>Keeps track of total supply per token ID via totalSupply(id).</HelpTooltip>
+      <HelpTooltip>Keeps track of total supply per token ID.</HelpTooltip>

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<label class:checked={opts.contentUri}>
	<input type="checkbox" bind:checked={opts.contentUri} />
	Content URI
	<HelpTooltip>Provides contract-level and per-token URI metadata via contractURI() and tokenURI(id).</HelpTooltip>
	</label>
	<label class:checked={opts.tokenSupply}>
	<input type="checkbox" bind:checked={opts.tokenSupply} />
	Supply Tracking
	<HelpTooltip>Keeps track of total supply per token ID via totalSupply(id).</HelpTooltip>
	</label>
	<label class:checked={opts.contentUri}>
	<input type="checkbox" bind:checked={opts.contentUri} />
	Content URI
	<HelpTooltip>Provides contract-level and per-token URI metadata.</HelpTooltip>
	</label>
	<label class:checked={opts.tokenSupply}>
	<input type="checkbox" bind:checked={opts.tokenSupply} />
	Supply Tracking
	<HelpTooltip>Keeps track of total supply per token ID.</HelpTooltip>
	</label>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/ui/src/cairo_alpha/ERC6909Controls.svelte` around lines 58 - 67, The
tooltips for the Content URI and Supply Tracking options reference hardcoded
camelCase method names that don't match generated Cairo snake_case APIs; update
the <HelpTooltip> text used inside the label elements for opts.contentUri and
opts.tokenSupply to remove specific method signatures (e.g., remove
"contractURI()", "tokenURI(id)", "totalSupply(id)") and replace with generic
descriptions like "Provides contract-level and per-token URI metadata" and
"Tracks total supply per token ID" so the text doesn't point to camelCase names.

[bidzyyys]

Looks good to me!

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	typescript-eslint@​8.39.1
	@​types/​semver@​7.7.1
	@​types/​node@​20.19.21
	concurrently@​9.2.0
	prettier-plugin-svelte@​3.4.0
	eslint-config-prettier@​10.1.8
	eslint@​9.33.0
	eslint-plugin-unicorn@​61.0.2
	typescript@​5.9.3
	prettier@​3.6.2
	eslint-plugin-prettier@​5.5.4
	@​openzeppelin/​contracts@​5.4.0

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard AJV-like dynamic parser generator for JTD schemas. There are no explicit malware indicators in this fragment. The primary security concern is the dynamic code generation and execution from external schemas, which introduces a medium risk if schemas are untrusted. With trusted schemas and proper schema management, the risk is typically acceptable within this pattern. Confidence: 1.00 Severity: 0.60 From: ? → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code implements standard timestamp validation with clear logic for normal and leap years and leap seconds. There is no network, file, or execution of external code within this isolated fragment. The only anomalous aspect is assigning a string to validTimestamp.code, which could enable external tooling to inject behavior in certain environments, but this does not constitute active malicious behavior in this isolated snippet. Overall, low to moderate security risk in typical usage; no malware detected within the shown code. Confidence: 1.00 Severity: 0.60 From: ? → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: This module generates JavaScript code at runtime via standaloneCode(...) and then immediately executes it with require-from-string. Because the generated code can incorporate user-supplied schemas or custom keywords without sanitization or sandboxing, an attacker who controls those inputs could inject arbitrary code and achieve remote code execution in the Node process. Users should audit and lock down the standaloneCode output or replace dynamic evaluation with a safer, static bundling approach. Confidence: 1.00 Severity: 0.60 From: ? → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored. Confidence: 1.00 Severity: 0.60 From: ? → npm/ignore@7.0.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm prettier is 100.0% likely to have a medium risk anomaly Notes: No definitive malware detected in this fragment. The main security concern is supply-chain risk from dynamically loading plugins from potentially untrusted sources. To mitigate, enforce strict plugin provenance, disable remote plugin loading, verify plugin integrity, and apply least-privilege execution for plugins. Confidence: 1.00 Severity: 0.60 From: package.json → npm/prettier@3.6.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prettier@3.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[ericglau]

Suggested change

	- Add ERC6909Metadata extension ([#793](https://github.com/OpenZeppelin/contracts-wizard/pull/793))
	- Add ERC6909ContentURI extension ([#793](https://github.com/OpenZeppelin/contracts-wizard/pull/793))
	- Add ERC6909TokenSupply extension ([#793](https://github.com/OpenZeppelin/contracts-wizard/pull/793))
	Cairo: Add ERC6909Metadata, ERC6909ContentURI, ERC6909TokenSupply extensions

[ericglau]

Is there any documentation that we can link to using link= which describes the exposed functions/behavior, instead of directly listing the functions here? Same for the other new fields below. The function names are fine but may be hard to read in this format.

If we do want to list the exposed function names, we could use <code>...</code> to format them.

[ericnordelo]

We didnt create a docsite version for the latest alpha, so there is no matching doc ref. That's on us and something we need to be paying attention to, cc @immrsd and @bidzyyys. Since we are still releasing alphas, we should continue releasing doc-site versions for them. It is sadly somewhat harder to keep up-to-date now that the doc contents are in a different repo...