From b6a776e5d76fa31fd7d0c1124b2ae85011b4912e Mon Sep 17 00:00:00 2001
From: defiQUG <defi@defi-oracle.io>
Date: Sun, 15 Feb 2026 22:31:06 -0800
Subject: [PATCH] chain138-snap: CodeQL workflow, npm README, publish script,
 v0.1.1

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 chain138-snap/.env.example                    |  9 +++
 chain138-snap/.github/workflows/codeql.yml    | 40 +++++++++++
 chain138-snap/.gitignore                      |  4 ++
 chain138-snap/PUSH_AND_PUBLISH.md             | 37 ++++++----
 chain138-snap/package.json                    |  3 +-
 .../packages/site/static/version.json         |  2 +-
 chain138-snap/packages/snap/README.md         | 71 ++++++++++++++++---
 chain138-snap/packages/snap/package.json      |  2 +-
 .../packages/snap/snap.manifest.json          |  4 +-
 chain138-snap/scripts/publish-snap-to-npm.sh  | 22 ++++++
 10 files changed, 167 insertions(+), 27 deletions(-)
 create mode 100644 chain138-snap/.env.example
 create mode 100644 chain138-snap/.github/workflows/codeql.yml
 create mode 100644 chain138-snap/scripts/publish-snap-to-npm.sh

diff --git a/chain138-snap/.env.example b/chain138-snap/.env.example
new file mode 100644
index 0000000..c8cd14c
--- /dev/null
+++ b/chain138-snap/.env.example
@@ -0,0 +1,9 @@
+# Copy to .env and set values. .env is gitignored.
+
+# npm registry token for publishing chain138-snap (granular token with Publish + Bypass 2FA).
+# Create at: https://www.npmjs.com/settings/~/tokens → Generate New Token → Granular.
+NPM_ACCESS_TOKEN=
+
+# Optional: token-aggregation API for companion site (see packages/site/.env.production.dist).
+# GATSBY_SNAP_API_BASE_URL=
+# SNAP_ORIGIN=npm:chain138-snap
diff --git a/chain138-snap/.github/workflows/codeql.yml b/chain138-snap/.github/workflows/codeql.yml
new file mode 100644
index 0000000..8af2db9
--- /dev/null
+++ b/chain138-snap/.github/workflows/codeql.yml
@@ -0,0 +1,40 @@
+# GitHub CodeQL - populates Security > Code scanning
+# https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning-with-codeql
+
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 0 * * 1'  # weekly Monday
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript-typescript']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/chain138-snap/.gitignore b/chain138-snap/.gitignore
index 8ade3a0..b06c044 100644
--- a/chain138-snap/.gitignore
+++ b/chain138-snap/.gitignore
@@ -71,6 +71,10 @@ playwright/.cache/
 .env
 .env.test
 
+# npm token (may be written by publish-snap-to-npm.sh)
+.npmrc
+packages/snap/.npmrc
+
 # Stores VSCode versions used for testing VSCode extensions
 .vscode-test
 
diff --git a/chain138-snap/PUSH_AND_PUBLISH.md b/chain138-snap/PUSH_AND_PUBLISH.md
index ce828e4..3473073 100644
--- a/chain138-snap/PUSH_AND_PUBLISH.md
+++ b/chain138-snap/PUSH_AND_PUBLISH.md
@@ -1,34 +1,45 @@
 # Push to GitHub and publish to npm
 
-Use this when the Snap lives in **https://github.com/bis-innovations/chain138-snap** and you are ready to push and publish.
+The Snap repo is **https://github.com/bis-innovations/chain138-snap**.
 
-## 1. Push to GitHub (first-time setup)
+## 1. Push to GitHub
 
-From the **chain138-snap** directory (or the repo root if this monorepo is the whole repo):
+This Snap lives inside the **metamask-integration** repo as `chain138-snap/`. To push updates to the dedicated Snap repo:
+
+From the **metamask-integration** repo root (parent of `chain138-snap/`):
 
 ```bash
-# If this folder is the repo to push (you cloned/copied it as chain138-snap):
-git remote add origin https://github.com/bis-innovations/chain138-snap.git
-git branch -M main
-git push -u origin main
+# One-time: add the Snap repo as a remote (if not already added)
+git remote add chain138-snap https://github.com/bis-innovations/chain138-snap.git
+
+# After making changes under chain138-snap/, commit then:
+git add chain138-snap/
+git commit -m "your message"
+git subtree push --prefix=chain138-snap chain138-snap main
 ```
 
-If this directory is part of a larger repo (e.g. `proxmox`), you can either push only the Snap subtree to **chain138-snap** (e.g. `git subtree push` or a new clone containing just the Snap), or push the whole repo and then point the Snap’s `repository` to a dedicated Snap repo. For a **standalone** Snap repo: create **bis-innovations/chain138-snap** on GitHub, then from a clone that contains only this Snap monorepo (e.g. copy `metamask-integration/chain138-snap` contents into a new repo): run the `git remote add origin` / `git push` commands above.
+The remote **chain138-snap** and branch **main** are already set up; the initial push has been done.
 
 ## 2. Publish Snap package to npm
 
 From the **chain138-snap** monorepo root:
 
 ```bash
-# Build (updates manifest shasum)
+# 1. Build (updates manifest shasum)
 pnpm run build
 
-# Publish the Snap package (requires npm login)
-cd packages/snap && npm publish --access public
-# Or: pnpm publish --no-git-checks --access public
+# 2. (Optional) Use token from .env for publish (2FA bypass)
+# Add NPM_ACCESS_TOKEN to .env (see .env.example). Use a Granular Access Token with
+# "Publish" and "Bypass 2FA for publish" at https://www.npmjs.com/settings/~/tokens
+
+# 3. Publish (uses NPM_ACCESS_TOKEN from .env if set)
+# Run from the chain138-snap monorepo root (not from the parent proxmox repo):
+pnpm run publish:snap
+# If you're in the proxmox repo root: cd metamask-integration/chain138-snap && pnpm run publish:snap
+# Or manually: cd packages/snap && npm login && npm publish --access public
 ```
 
-Production Snap ID will be **`npm:chain138-snap`**.
+Production Snap ID will be **`npm:chain138-snap`**. After publish, the package will appear at https://www.npmjs.com/package/chain138-snap.
 
 ## 3. Submit for allowlist
 
diff --git a/chain138-snap/package.json b/chain138-snap/package.json
index 35bb0f9..385f70f 100644
--- a/chain138-snap/package.json
+++ b/chain138-snap/package.json
@@ -26,7 +26,8 @@
     "start": "pnpm -r --parallel run start",
     "test": "pnpm --filter chain138-snap run build && pnpm --filter chain138-snap run test",
     "test:e2e": "playwright test",
-    "test:e2e:ui": "playwright test --ui"
+    "test:e2e:ui": "playwright test --ui",
+    "publish:snap": "bash scripts/publish-snap-to-npm.sh"
   },
   "devDependencies": {
     "@lavamoat/allow-scripts": "^3.4.2",
diff --git a/chain138-snap/packages/site/static/version.json b/chain138-snap/packages/site/static/version.json
index 73bd44c..133f80e 100644
--- a/chain138-snap/packages/site/static/version.json
+++ b/chain138-snap/packages/site/static/version.json
@@ -1 +1 @@
-{"version":"dev","buildTime":"2026-02-16T03:22:42.028Z"}
\ No newline at end of file
+{"version":"dev","buildTime":"2026-02-16T06:07:18.288Z"}
\ No newline at end of file
diff --git a/chain138-snap/packages/snap/README.md b/chain138-snap/packages/snap/README.md
index b252350..e09fb73 100644
--- a/chain138-snap/packages/snap/README.md
+++ b/chain138-snap/packages/snap/README.md
@@ -1,12 +1,65 @@
-# TypeScript Example Snap
+# chain138-snap
 
-This snap demonstrates how to develop a snap with TypeScript. It is a simple
-snap that displays a confirmation dialog when the `hello` JSON-RPC method is
-called.
+**Chain 138 Snap** adds [DeFi Oracle Meta Mainnet](https://chainlist.org/chain/138) (ChainID 138) and **ALL Mainnet** (651940) support inside MetaMask: network params, token list, market data, swap quotes, and CCIP bridge routes.
 
-## Testing
+MetaMask already supports Chain 138 as a custom EVM network, but native **Swaps**, **Portfolio Bridge**, and **USD pricing** do not include Chain 138. This Snap provides in-wallet swap quotes, bridge routes, and market data by calling your token-aggregation (or compatible) API.
 
-The snap comes with some basic tests, to demonstrate how to write tests for
-snaps. To test the snap, run **pnpm run test** (or **yarn test**) from the repo root, or `pnpm run test` / `yarn test` in this directory. This will use
-[`@metamask/snaps-jest`](https://github.com/MetaMask/snaps/tree/main/packages/snaps-jest)
-to run the tests in `src/index.test.ts`.
+## Install
+
+1. Install [MetaMask](https://metamask.io/) (extension or mobile).
+2. From a dApp or the [companion site](https://github.com/bis-innovations/chain138-snap), connect and add the Snap using the ID below.
+
+**Snap ID:** `npm:chain138-snap`
+
+## Usage
+
+dApps invoke the Snap via the MetaMask provider:
+
+```javascript
+// Connect / install the Snap (your dApp typically does this once)
+await ethereum.request({
+  method: 'wallet_requestSnaps',
+  params: {
+    'npm:chain138-snap': {},
+  },
+});
+
+// Call a method (e.g. get networks or market data)
+const result = await ethereum.request({
+  method: 'wallet_invokeSnap',
+  params: {
+    snapId: 'npm:chain138-snap',
+    request: {
+      method: 'get_networks',
+      params: { apiBaseUrl: 'https://your-token-aggregation-api.com' },
+    },
+  },
+});
+```
+
+For **market data**, **swap quotes**, and **bridge routes**, the dApp must pass `apiBaseUrl` (your token-aggregation service base URL) in the request params. Optional URL params: `networksUrl`, `tokenListUrl`, `bridgeListUrl`.
+
+### RPC methods
+
+| Method | Description |
+|--------|-------------|
+| `hello` | Basic test; returns a greeting. |
+| `get_networks` | Full EIP-3085 chain params (Chain 138, Ethereum, ALL Mainnet). |
+| `get_chain138_config` | Chain 138 config from API. |
+| `get_chain138_market_chains` | Market chains list. |
+| `get_token_list` / `get_token_list_url` | Token list (optional `chainId`). |
+| `get_oracles` | Oracles config. |
+| `show_dynamic_info` | In-Snap dialog with networks and token list URL. |
+| `get_market_summary` / `show_market_data` | Tokens and USD prices. |
+| `get_bridge_routes` / `show_bridge_routes` | CCIP bridge routes. |
+| `get_swap_quote` / `show_swap_quote` | Swap quote (requires `tokenIn`, `tokenOut`, `amountIn`). |
+
+## Repository and docs
+
+- **Source:** [github.com/bis-innovations/chain138-snap](https://github.com/bis-innovations/chain138-snap)
+- **Integrator guide:** [INTEGRATORS.md](https://github.com/bis-innovations/chain138-snap/blob/main/INTEGRATORS.md) (Snap ID, `apiBaseUrl`, optional URLs)
+- **Testing / publishing:** [TESTING_INSTRUCTIONS.md](https://github.com/bis-innovations/chain138-snap/blob/main/TESTING_INSTRUCTIONS.md), [PUSH_AND_PUBLISH.md](https://github.com/bis-innovations/chain138-snap/blob/main/PUSH_AND_PUBLISH.md)
+
+## License
+
+MIT-0 OR Apache-2.0
diff --git a/chain138-snap/packages/snap/package.json b/chain138-snap/packages/snap/package.json
index a34f929..2580b26 100644
--- a/chain138-snap/packages/snap/package.json
+++ b/chain138-snap/packages/snap/package.json
@@ -1,6 +1,6 @@
 {
   "name": "chain138-snap",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Chain 138 (DeFi Oracle Meta Mainnet) and ALL Mainnet Snap: networks, token list, market data, swap quotes, CCIP bridge routes for MetaMask.",
   "repository": {
     "type": "git",
diff --git a/chain138-snap/packages/snap/snap.manifest.json b/chain138-snap/packages/snap/snap.manifest.json
index 9bf2c86..c1bdba5 100644
--- a/chain138-snap/packages/snap/snap.manifest.json
+++ b/chain138-snap/packages/snap/snap.manifest.json
@@ -1,5 +1,5 @@
 {
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Chain 138 (DeFi Oracle Meta Mainnet) and ALL Mainnet: networks, token list, market data, swap quotes, and CCIP bridge routes for MetaMask.",
   "proposedName": "Chain 138",
   "repository": {
@@ -7,7 +7,7 @@
     "url": "https://github.com/bis-innovations/chain138-snap.git"
   },
   "source": {
-    "shasum": "BP9yQblP1R+fSCxYQjdV965YIDdal9Xx3ZiSTbmJYik=",
+    "shasum": "6CuMlWe0q/GCAHp8l6U+niT/Um5DHEYex4GPhbs5bkg=",
     "location": {
       "npm": {
         "filePath": "dist/bundle.js",
diff --git a/chain138-snap/scripts/publish-snap-to-npm.sh b/chain138-snap/scripts/publish-snap-to-npm.sh
new file mode 100644
index 0000000..80a11d0
--- /dev/null
+++ b/chain138-snap/scripts/publish-snap-to-npm.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# Publish chain138-snap to npm using NPM_ACCESS_TOKEN from .env.
+# Token must be a Granular Access Token with "Publish" and "Bypass 2FA for publish" enabled.
+# Create at: https://www.npmjs.com/settings/~/tokens → Generate New Token → Granular.
+set -e
+cd "$(dirname "$0")/.."
+if [ -f .env ]; then
+  set -a
+  source .env
+  set +a
+fi
+if [ -z "$NPM_ACCESS_TOKEN" ]; then
+  echo "Error: NPM_ACCESS_TOKEN not set. Add it to .env (see .env.example)." >&2
+  exit 1
+fi
+pnpm run build
+# Publish from a temp copy so npm doesn't see parent workspace
+TMPDIR=$(mktemp -d)
+trap "rm -rf $TMPDIR" EXIT
+cp -r packages/snap/package.json packages/snap/snap.manifest.json packages/snap/README.md packages/snap/dist packages/snap/images "$TMPDIR/"
+echo "//registry.npmjs.org/:_authToken=$NPM_ACCESS_TOKEN" > "$TMPDIR/.npmrc"
+(cd "$TMPDIR" && npm publish --access public --ignore-scripts --userconfig ./.npmrc)