feat: implement CAIP25 MultiChain API and NextJS playground integration

[abretonc7s]

Description

This PR implements a new MultiChain API package that follows the CAIP25 specification to provide chain-agnostic wallet interactions. It also includes a Next.js playground for testing and demonstrating the API capabilities.

Key Features

• New @metamask/multichainapi package implementing CAIP25 spec
• Interactive Next.js playground for testing multichain functionality
• Integration with MetaMask extension for cross-chain operations
• Support for session management and chain-specific method invocation
• Rich validation and testing environment

MultiChain API Implementation

• Implements CAIP25 session management (create/get/revoke)
• Supports method invocation across different chains
• Handles wallet discovery and connection
• Event system for session changes and notifications
• Built-in TypeScript support and full type safety

Next.js Playground Features

• Interactive UI for testing CAIP25 functionality
• Session lifecycle management
• Chain selection and method invocation
• Real-time response visualization
• Comprehensive error handling

Implementation Details

• Uses Turborepo for improved monorepo development
• Implements proper validation for message sizes and payloads
• Handles extension and deep-link communication
• Supports different environments (extension, mobile web, desktop)
• Includes thorough unit tests
• Configurable logging and debugging support

Testing Instructions

1. Build and run the playground:

yarn install
yarn dev:core
cd packages/playground-next
yarn dev

2. Test core functionality:

• Connect to MetaMask extension
• Create sessions with different chain selections
• Invoke methods across chains
• Monitor session changes and notifications
• Test error handling and validation

Documentation

The playground serves as living documentation for the MultiChain API. Additional package documentation will be added in follow-up PRs.

Review Checklist

• Review CAIP25 compliance
• Test session management across different chains
• Verify error handling and validation
• Check playground functionality
• Review TypeScript types and API surface
• Test extension integration
• Verify build process and dependencies

To fix the problem, we need to specify a target origin for the window.postMessage calls. This ensures that the message is only sent to a trusted origin, reducing the risk of exposing sensitive data to malicious sites.

1. Identify the trusted origin(s) that should receive the messages.
2. Replace the wildcard target origin ('*') with the specific trusted origin(s) in the window.postMessage calls.

To fix the problem, we need to add an origin check in the #handleFallbackMessage function to ensure that only messages from trusted origins are processed. This involves comparing the event.origin property to a list of allowed origins and only proceeding if the origin is trusted.

1. Identify the trusted origins for the application.
2. Modify the #handleFallbackMessage function to include a check for the origin of the incoming message.
3. If the origin is not trusted, the function should return early and not process the message.

[socket-security]

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@metamask/[email protected]	None	0	275 kB	metamaskbot
npm/@metamask/[email protected]	None	+4	905 kB	metamaskbot
npm/@open-rpc/[email protected]	None	0	38.4 kB	belfordz
npm/@open-rpc/[email protected]	filesystem	+7	242 kB	belfordz
npm/@types/[email protected]	None	+2	843 kB	types

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	CI
New author	npm/@lavamoat/[email protected]	New Author: lmbot Previous Author: naugtur	🚫
Install scripts	npm/@lavamoat/[email protected]	Install script: preinstall Source: echo "Don't run npm lifecycle scripts by default! Create a .yarnrc or .npmrc and set enableScripts: false. Then, whitelist them with @lavamoat/allow-scripts" && exit 1	⚠︎

View full report↗︎

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/@lavamoat/[email protected]