feat(wallet)!: apply FRC-0102 envelope to sign/verify by default

[0xDevNinja]

Summary of changes

Changes introduced in this pull request:

• Wrap the decoded message with the FRC-0102 Filecoin signing envelope (\x19Filecoin Signed Message:\n<len>) in forest-wallet sign and forest-wallet verify before handing it to the signer/verifier. Aligns Forest with Ledger Filecoin, Filsnap, iso-filecoin and Lotus (feat(cli): add FRC-102 compatible EIP-191 signing via --fevm flag (#13256) filecoin-project/lotus#13388).
• Add a --raw flag to both sign and verify that restores the previous raw-bytes behaviour. --raw is also the correct choice when signing on-chain Filecoin messages, which must not be wrapped.
• Add a wrap_frc0102(&[u8]) -> Vec<u8> helper with a const FRC_0102_FILECOIN_PREFIX: &[u8] in wallet_cmd.rs.
• Expand the unit test suite with 7 cases: empty/short/long/binary/length-boundary/embedded-newline format checks, plus a secp256k1 round-trip that asserts verify(wrapped) succeeds and verify(raw) fails.
• CHANGELOG.md: Breaking entry that also calls out (a) pre-FRC-0102 nodes cannot verify the new default without --raw, and (b) on-chain messages must still use --raw.

The envelope is applied client-side only. Forest's and Lotus's WalletSign / WalletVerify RPCs treat their input as opaque bytes and do not wrap, so a single wrap here is correct against today's daemons. If that ever changes server-side, users will want --raw to avoid a double envelope.

Reference issue to close (if applicable)

Closes #6442

Other information and links

• Reference Go implementation: feat(cli): add FRC-102 compatible EIP-191 signing via --fevm flag (#13256) filecoin-project/lotus#13388 (wallet sign/verify wrap by default + --raw opt-out).
• Spec: https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0102.md.
• Scope matches Lotus PR — Filecoin native prefix only, not the EIP-191 variant for f410/EVM addresses. Leaving EVM-envelope support as a follow-up.

Change checklist

• I have performed a self-review of my own code,
• I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
• I have added tests that prove my fix is effective or that my feature works (if possible),
• I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Outside contributions

• I have read and agree to the CONTRIBUTING document.
• I have read and agree to the AI Policy document. I understand that failure to comply with the guidelines will lead to rejection of the pull request.

AI Usage Disclosure

This PR was prepared with assistance from Claude Code (Anthropic). Extent:

• Issue triage, reading of the Lotus reference implementation (feat(cli): add FRC-102 compatible EIP-191 signing via --fevm flag (#13256) filecoin-project/lotus#13388), implementation, self-review (two passes with an independent reviewer agent), test design, and PR drafting were AI-assisted.
• All changes were compiled and tested locally by me before pushing — cargo fmt --all -- --check, cargo clippy --profile quick --all-targets --no-deps -- -D warnings (with FOREST_F3_SIDECAR_FFI_BUILD_OPT_OUT=1), and cargo test --lib -- wrap_frc0102 frc0102_roundtrip (7/7 pass) are all green.
• End-to-end CLI verification against a running daemon has not been performed locally; that path goes through an unchanged wallet_sign / wallet_verify that receives the already-wrapped bytes.
• I have reviewed every diff line and take full responsibility for correctness.

Summary by CodeRabbit

• Breaking Changes

  • Signed messages now use the FRC-0102 Filecoin signing envelope by default; signatures from pre-FRC-0102 releases may not verify unless --raw is used.

• New Features

  • Added a --raw option to control envelope wrapping for both sign and verify commands.

• Documentation

  • Added a “Breaking” note to the changelog documenting the behavior change.

• Chores

  • Updated wordlist with two new entries.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds conditional FRC-0102 envelope wrapping to forest-wallet sign and verify (default on), introduces --raw to preserve prior raw-bytes behavior, updates the wallet signing backend to accept message bytes, and adds unit tests and a breaking changelog notice.

Changes

FRC-0102 Envelope Implementation

Layer / File(s)	Summary
CLI imports and backend plumbing src/wallet/subcommands/wallet_cmd.rs	Removes base64 import, changes the local signing helper to accept Vec<u8>, adds --raw flags to Sign and Verify, and updates sign/verify execution to hex-decode and conditionally wrap bytes before calling the backend.
Wrap implementation and tests src/wallet/subcommands/wallet_cmd.rs	Adds FRC_0102_FILECOIN_PREFIX and wrap_frc0102(msg) plus comprehensive unit tests covering wire-format correctness (empty, length boundaries, binary/newline) and a secp256k1 roundtrip that distinguishes wrapped vs raw verification.
Changelog and dictionary CHANGELOG.md, .config/forest.dic	Adds a breaking CHANGELOG entry noting default FRC-0102 wrapping and compatibility notes; increments .config/forest.dic count and adds Filsnap and interoperating entries.

Sequence Diagram

sequenceDiagram
  participant CLI as forest-wallet CLI
  participant Wrap as wrap_frc0102
  participant Backend as WalletBackend
  participant Signer as crypto signing/verification
  CLI->>CLI: parse message hex, check --raw
  CLI->>Wrap: wrap_frc0102(msg) when raw==false
  CLI->>Backend: pass message bytes to wallet_sign/wallet_verify
  Backend->>Signer: perform signature or verification on provided bytes
  Signer-->>Backend: signature/verification result
  Backend-->>CLI: return result

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• hanabi1224
• akaladarshi
• LesnyRumcajs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(wallet)!: apply FRC-0102 envelope to sign/verify by default' accurately summarizes the main breaking change introduced in this PR.
Linked Issues check	✅ Passed	The PR fully addresses all completion criteria from issue #6442: implementation of FRC-0102 wrapping in sign/verify commands, comprehensive tests, and updated documentation.
Out of Scope Changes check	✅ Passed	All changes are directly related to FRC-0102 implementation. Dictionary updates for 'Filsnap' and 'interoperating' are necessary additions supporting the PR changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/wallet/subcommands/wallet_cmd.rs`:
- Around line 475-491: The Sign branch is base64-encoding the wrapped message
(BASE64_STANDARD.encode) before sending to backend.wallet_sign, which causes
remote wallets to sign the base64 text bytes instead of the raw/wrapped bytes
used by verify; change the flow in the Self::Sign arm so that
backend.wallet_sign receives the raw byte payload (i.e., the result of
wrap_frc0102(&message) or message when raw is true) rather than the base64
text—move or remove the BASE64_STANDARD.encode call and only base64-encode
when/if the backend API truly expects a base64 string, ensuring
functions/variables mentioned (Self::Sign, wrap_frc0102, BASE64_STANDARD.encode,
backend.wallet_sign) are updated consistently so sign and verify operate on
identical byte sequences.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 8b670a84-4ce2-4479-bc7e-ef7c7caf0fd7

📥 Commits

Reviewing files that changed from the base of the PR and between 65c39a0 and 24b9f00.

📒 Files selected for processing (2)

• CHANGELOG.md
• src/wallet/subcommands/wallet_cmd.rs

[codecov]

Codecov Report

❌ Patch coverage is 85.93750% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.24%. Comparing base (e0bca2a) to head (df8482b).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
src/wallet/subcommands/wallet_cmd.rs	85.93%	9 Missing ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
src/wallet/subcommands/wallet_cmd.rs	34.72% <85.93%> (+8.23%)	⬆️

... and 6 files with indirect coverage changes

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0f4957f...df8482b. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[akaladarshi]

Hi @0xDevNinja
Thanks for raising the PR for this.
It seems the linter is failing in CI and there is a comment form coderabbit AI could you please check and fix it if needed.

[akaladarshi]

Any update on this @0xDevNinja ?

[0xDevNinja]

Hey, sorry for the delay. Just pushed an update:

• Spellcheck: added Filsnap and interoperating to .config/forest.dic (both real Filecoin/English terms, didn't want to rephrase).
• CodeRabbit's sign/verify parity flag was valid — in remote mode sign was base64-encoding the wrapped bytes while verify consumed raw bytes, so a remote daemon would have signed the base64 text instead of the message. Reworked wallet_sign to take Vec<u8> and pass the payload through unchanged so both paths operate on the same bytes. Dropped the now-unused BASE64_STANDARD import.
• Rebased onto main to clear the behind state.

Let me know if anything else stands out.

[akaladarshi]

Link to the FRC should be an internal doc not user facing.

Also keep the comment simple:

Suggested change

	/// See <https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0102.md>.
	/// FRC-0102 envelope prefix format: `0x19 || "Filecoin Signed Message:\n" || ascii(len(msg)) || msg`.

[0xDevNinja]

Done — dropped the FRC link, collapsed to the one-line wire-format note. ff406be63

[akaladarshi]

Don't drop the link keep the FRC link but make it for internal doc and make sure the link refers to a specific commit not master (as it subjected to change).

Also change the comment to something like below and you can remove the comment from const

Suggested change

	/// See <https://github.com/filecoin-project/FIPs/blob/master/FRCs/frc-0102.md>.
	/// Wraps `msg` with the FRC-0102 envelope: `0x19 || "Filecoin Signed Message:\n" || ascii(len(msg)) || msg`
	// See <https://github.com/filecoin-project/FIPs/blob/bdd5283279fd115c87c9bbf71d2e40c9d075f5aa/FRCs/frc-0102.md>.

[0xDevNinja]

Done, restored the link pinned to that commit SHA and updated the comment. Also signed commits.

[0xDevNinja]

Quick follow-up — clippy flagged the blank line between /// and //, so I dropped it. Also rebased on main to clear the conflict with the wallet StrictAddress change.

[akaladarshi]

It's is not being used anywhere, you can remove this.

[akaladarshi]

You can combine above tests into single test using the rstest and cases. Since they are all roughly checking the same thing.

[akaladarshi]

@0xDevNinja Please verify the commits here as well.

[akaladarshi]

@0xDevNinja Can you please address the remaining last two comments.