🔨 contracts: add safe propose script

[itofarina]

Summary by CodeRabbit

• New Features

  • Add a script to propose transactions to Safe multisig wallets from JSON files.
  • Supports single-call and batched (multi-call) proposals; validates entries and sender consistency.
  • Automatically selects the correct Safe Transaction Service endpoint per chain and reports clear proposal errors.

• Chores

  • Updated spell-check wordlist with new terms.

---

[changeset-bot]

⚠️ No Changeset found

Latest commit: 6e2d6c6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new utility script designed to streamline the process of proposing transactions to Gnosis Safes. By reading transaction details from a JSON file, the script automates the creation and submission of single or batched transactions to the Safe Transaction Service API, enhancing efficiency and reducing manual effort for Safe operations across various EVM chains.

Highlights

• New Safe Propose Script: Added a new Solidity script, SafePropose.s.sol, designed to facilitate the proposal of transactions to Gnosis Safes.
• JSON Input for Transactions: The script reads transaction details from a specified JSON file, allowing for flexible and structured input of transaction data.
• Single and Batch Transaction Support: It supports proposing both individual transactions and batched transactions, utilizing the IMultiSend interface for batch operations.
• Safe Transaction Service API Integration: The script interacts with the Safe Transaction Service API to submit transaction proposals, handling the necessary signing and API calls.
• Multi-Chain Compatibility: The script includes logic to determine the correct Safe Transaction Service API endpoint based on the current chain ID, supporting Ethereum, Optimism, Polygon, Base, and Arbitrum.

Changelog

• contracts/script/SafePropose.s.sol
  • Implemented a new Solidity script for proposing transactions to Gnosis Safes.
  • Added functionality to parse transaction data from a JSON input file.
  • Integrated with the Safe Transaction Service API for submitting transaction proposals.
  • Included support for batching multiple transactions using the IMultiSend interface.
  • Provided chain-specific API endpoint resolution for supported networks.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds SafePropose, a Solidity script that parses Safe deployment JSON into calls, enforces a single Safe sender and CALL types, builds single or multisend proposals, signs Safe transaction hashes, and POSTs proposals to the Safe Transaction Service; also updates spellcheck words.

Changes

Cohort / File(s)	Summary
SafePropose script contracts/script/SafePropose.s.sol	New SafePropose contract with run(string) entry. Probes and parses .transactions[*], enforces CALL type and consistent .from, builds Call structs, handles single propose or packed multiSend batch (operation 1), computes safeTxHash via ISafe.getTransactionHash, signs via vm.sign, derives sender with ecrecover, constructs JSON body (_body) and POSTs to Safe Tx Service endpoint (selected via _chainPrefix()). Adds Call struct, ISafe and IMultiSendCallOnly interfaces, MULTISEND constant and custom errors (EmptyBroadcast, NotACall, SenderMismatch, ProposalFailed, UnsupportedChain).
Spelling dictionary cspell.json	Adds "MULTISEND" and "oeth" to the spellcheck words list.

Sequence Diagram(s)

sequenceDiagram
    actor User
    participant File as JSON File
    participant Script as SafePropose
    participant Safe as ISafe
    participant Multi as IMultiSend
    participant API as Safe Tx Service

    User->>Script: run(filePath)
    Script->>File: read & parse JSON -> Call[]
    Script->>Script: validate single sender & types

    alt single call
        Script->>Safe: nonce()
        Safe-->>Script: nonce
        Script->>Safe: getTransactionHash(to,value,data,op=0,...,nonce)
        Safe-->>Script: safeTxHash
        Script->>Script: vm.sign(safeTxHash) -> signature
        Script->>API: POST proposal (body with safeTxHash, signature, nonce, sender)
        API-->>Script: 201 / error
    else multisend
        Script->>Script: encode multisend payload (calls -> bytes)
        Script->>Multi: prepare multisend calldata
        Script->>Safe: nonce()
        Safe-->>Script: nonce
        Script->>Safe: getTransactionHash(MULTISEND,0,payload,op=1,...,nonce)
        Safe-->>Script: safeTxHash
        Script->>Script: vm.sign(safeTxHash) -> signature
        Script->>API: POST proposal (body with safeTxHash, signature, nonce, sender)
        API-->>Script: 201 / error
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: addition of a new SafePropose script contract in the contracts directory.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch safe-propose

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sentry]

Codecov Report

❌ Patch coverage is 0% with 49 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.28%. Comparing base (5cb98c4) to head (6e2d6c6).
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
contracts/script/SafePropose.s.sol	0.00%	49 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #883      +/-   ##
==========================================
- Coverage   71.70%   71.28%   -0.43%     
==========================================
  Files         228      229       +1     
  Lines        8277     8326      +49     
  Branches     2661     2673      +12     
==========================================
  Hits         5935     5935              
- Misses       2113     2162      +49     
  Partials      229      229              

Flag	Coverage Δ
e2e	71.27% <0.00%> (-0.43%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[devin-ai-integration]

Devin Review found 4 potential issues.

View 4 additional findings in Devin Review.

[devin-ai-integration]

🔴 Explanatory comment violates AGENTS.md "no comments" rule

The inline comment // github.com/safe-global/safe-deployments v1.4.1 on line 16 is explanatory prose documenting the source of the MULTISEND address. AGENTS.md explicitly states: "this codebase does not use comments. the only exception is static analysis annotations (@ts-expect-error, eslint-disable, slither-disable, solhint-disable, cspell:ignore) and TODO/HACK/FIXME markers. everything else—jsdoc, explanatory prose, region markers, inline labels—is noise that masks unclear code." No other script in contracts/script/ has non-annotation // comments (confirmed via grep). This comment should either be removed or, if the address provenance must be tracked, placed in a commit message instead.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🚩 Safe API v2 URL format and chain prefixes should be verified

The URL pattern https://api.safe.global/tx-service/{prefix}/api/v2/safes/{safe}/multisig-transactions/ and the chain prefix mapping (eth=1, oeth=10, pol=137, base=8453, arb1=42161) at contracts/script/SafePropose.s.sol:113-120 correspond to the Safe Transaction Service's newer API format. These prefixes are not easily verifiable from the codebase alone. If Safe changes their API URL structure or chain prefixes, this would silently fail with a non-201 status (caught by the ProposalFailed revert). Worth verifying against current Safe API documentation.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[coderabbitai]

Actionable comments posted: 1

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 66bc0413-5e67-4e27-bd51-08fba140d16c

📥 Commits

Reviewing files that changed from the base of the PR and between 923d1e3 and be9c2af.

📒 Files selected for processing (2)

• contracts/script/SafePropose.s.sol
• cspell.json

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Consider validating ecrecover result.

ecrecover returns address(0) if the signature or hash is malformed. While unlikely in normal operation, adding a guard would provide a clearer error message than a downstream API failure.

🛡️ Proposed fix

     {
       (uint8 v, bytes32 r, bytes32 s) = vm.sign(safeTxHash);
       sender = ecrecover(safeTxHash, v, r, s);
+      require(sender != address(0), "Invalid signature");
       signature = abi.encodePacked(r, s, v);
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	{
	(uint8 v, bytes32 r, bytes32 s) = vm.sign(safeTxHash);
	sender = ecrecover(safeTxHash, v, r, s);
	signature = abi.encodePacked(r, s, v);
	}
	{
	(uint8 v, bytes32 r, bytes32 s) = vm.sign(safeTxHash);
	sender = ecrecover(safeTxHash, v, r, s);
	require(sender != address(0), "Invalid signature");
	signature = abi.encodePacked(r, s, v);
	}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 463722fb9a

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Use the next queued Safe nonce instead of safe.nonce()

When the target Safe already has a pending multisig transaction, safe.nonce() is still the last executed nonce, so this script will always propose a competing transaction for the current nonce instead of queueing the new action after the existing one. In that common multisig workflow, the generated contractTransactionHash is for the wrong slot and the proposal cannot be used as the next step in the queue.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Add chain prefixes for the repo's supported testnets

_chainPrefix() only recognizes mainnet chain IDs, but this repository already ships contract configs and broadcast artifacts for Base Sepolia (84532) and OP Sepolia (11155420) in contracts/deploy.json and contracts/broadcast/**. Running the new script on either staging network will always revert with UnsupportedChain(), which makes the tool unusable for the existing non-production deployment flow.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bbf0f44b4c

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Add the required Safe API key header

When this posts to the hosted https://api.safe.global/tx-service/... endpoint, the request only includes Content-Type. Safe's current docs for the default Transaction Service say hosted requests should be authenticated with Authorization: Bearer ..., and their API-key guide notes that missing keys are rejected with 401 Unauthorized. In other words, on the official service this script will always revert with ProposalFailed instead of creating the proposal, because there is no way here to send the API key or point at a custom/self-hosted tx-service.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f20de20fd5

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Validate broadcast chain before building tx-service URL

run parses transactions from a broadcast file but never verifies that their .transaction.chainId matches the chain the script is currently connected to; propose always derives the endpoint from _chainPrefix() (current block.chainid). If someone accidentally feeds a run-latest.json from another network (easy in this repo because artifacts are stored per-chain), this can submit a proposal to the wrong Safe Transaction Service/network instead of failing fast. Add an explicit chain-id check before proposing.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: cccdae6879

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Read Safe address from explicit input, not tx sender

run currently treats .transactions[i].transaction.from as the Safe address, but in standard Forge broadcast artifacts that field is the broadcasting EOA (for example, existing contracts/broadcast/**/run-latest.json files use a deployer EOA in from). In that common workflow safe is set to an EOA, so subsequent safe.nonce() / getTransactionHash(...) calls in propose revert or build an invalid proposal, making the script unusable for normal broadcast outputs.

Useful? React with 👍 / 👎.

[sentry]

Bug: The script assumes the from address in the input JSON is a Safe contract. It will fail if an EOA address is provided, as there's no validation.
_{Severity: MEDIUM}

Suggested Fix

Add a check to validate that the safe address is a contract before attempting to call methods on it. This can be done by checking the address's code size, for example: if (safe.code.length == 0) revert NotASafeContract();. This will provide a clear error message to the user instead of a cryptic low-level failure.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: contracts/script/SafePropose.s.sol#L31

Potential issue: The `SafePropose.s.sol` script reads a `from` address from a broadcast
JSON file and assigns it to the `safe` variable. It then proceeds to call
contract-specific methods like `safe.nonce()` on this address. The script lacks any
validation to ensure the provided address is a contract and not an Externally Owned
Account (EOA). If a user mistakenly provides a standard broadcast file generated from an
EOA, the script will fail with a low-level error when it attempts to execute code on an
address that has none. This makes the script fragile and hard to debug for users.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 12 additional findings in Devin Review.

[devin-ai-integration]

🚩 Hardcoded MultiSendCallOnly address assumes deployment on all supported chains

The constant MULTI_SEND at line 16 uses address 0x9641d764fc13c8B624c04430C7356C1C7C8102e2 (Safe v1.4.1 MultiSendCallOnly). This is a deterministically deployed Safe contract that should exist on standard EVM chains. However, _chainPrefix() at line 119 includes opBNB (chain 204), which is a less common chain. If Safe's v1.4.1 MultiSendCallOnly is not deployed on opBNB, batch proposals (proposeBatch) would delegate-call to a non-existent contract. Single-call proposals would still work since they bypass MultiSend. Worth verifying the deployment exists on all six supported chains.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 12 additional findings in Devin Review.

[devin-ai-integration]

🟡 Single-use hexSafe variable violates the inline extraction rule

hexSafe is consumed exactly once (line 55) yet is extracted into a named local variable on line 53. AGENTS.md's extraction rules state: "single-use = inline: a value consumed once stays at the point of consumption. … no exceptions for 'clarity' — the call site is already clear." The expression address(safe).toHexStringChecksummed() can be placed directly inside the string.concat call on line 55 without any technical issue.

Suggested change

	string memory hexSafe = address(safe).toHexStringChecksummed();
	string memory url = string.concat(
	"https://api.safe.global/tx-service/", _chainPrefix(), "/api/v2/safes/", hexSafe, "/multisig-transactions/"
	);
	string memory url = string.concat(
	"https://api.safe.global/tx-service/", _chainPrefix(), "/api/v2/safes/", address(safe).toHexStringChecksummed(), "/multisig-transactions/"
	);

---

Was this helpful? React with 👍 or 👎 to provide feedback.