feat: compact-deployer tool #86 (Draft)

0xisk wants to merge 12 commits into main from feat/compact-deployer

Conversation

0xisk (Member) commented May 19, 2026

Types of changes

What types of changes does your code introduce to OpenZeppelin Midnight Contracts?
Put an x in the boxes that apply

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation Update (if none of the other choices apply)

Fixes #???

PR Checklist

  • I have read the Contributing Guide
  • I have added tests that prove my fix is effective or that my feature works
  • I have added documentation of new methods and any new behavior or changes to existing behavior
  • CI Workflows Are Passing

Further comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...

coderabbitai (Bot) commented May 19, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 07b1db7b-dfa4-474a-a8c3-17dacc931680

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

boostsecurity-io (Bot) left a comment

⚠️  9 New Security Findings

The latest commit contains 9 new security findings.

Findings
Columns in each table below: Vulnerability | Severity | CVSS | EPSS | Affected versions | Fixed versions | Contains malware | Critical risk | Description (an empty cell is shown as -).

Dependency: yarn / brace-expansion@2.0.2
Direct dependency: brace-expansion (location: yarn.lock)
Occurrence:
  CVE-2026-33750 | Warning | 6.5 | 0.02% | - | 2.0.3 | no | no | brace-expansion: Zero-step sequence causes process hang and memory exhaustion
Remediation:
  • Please consider upgrading brace-expansion to version 2.0.3 or higher to try to resolve this issue.

Dependency: yarn / ip-address@10.0.1
Direct dependency: ip-address (location: yarn.lock)
Occurrence:
  CVE-2026-42338 | Warning | -1.0 | 0.07% | - | 10.1.1 | no | no | ip-address has XSS in Address6 HTML-emitting methods
Remediation:
  • Please consider upgrading ip-address to version 10.1.1 or higher to try to resolve this issue.

Dependency: yarn / minimatch@9.0.5
Direct dependency: minimatch (location: yarn.lock)
Occurrences:
  CVE-2026-26996 | Critical | 7.5 | 0.03% | - | 9.0.6 | no | no | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
  CVE-2026-27903 | Critical | 7.5 | 0.04% | - | 9.0.7 | no | no | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
  CVE-2026-27904 | Critical | 7.5 | 0.03% | - | 9.0.7 | no | no | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
Remediation:
  • Please consider upgrading minimatch to version 9.0.7 or higher to try to resolve this issue.

Dependency: yarn / picomatch@4.0.3
Direct dependency: picomatch (location: yarn.lock)
Occurrences:
  CVE-2026-33671 | Critical | 7.5 | 0.02% | - | 4.0.4 | no | no | Picomatch has a ReDoS vulnerability via extglob quantifiers
  CVE-2026-33672 | Warning | 5.3 | 0.06% | - | 4.0.4 | no | no | Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
Remediation:
  • Please consider upgrading picomatch to version 4.0.4 or higher to try to resolve this issue.

Dependency: yarn / postcss@8.5.6
Direct dependency: postcss (location: yarn.lock)
Occurrence:
  CVE-2026-41305 | Warning | 6.1 | 0.03% | - | 8.5.10 | no | no | PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
Remediation:
  • Please consider upgrading postcss to version 8.5.10 or higher to try to resolve this issue.

Dependency: yarn / rollup@4.52.5
Direct dependency: rollup (location: yarn.lock)
Occurrence:
  CVE-2026-27606 | Critical | 9.8 | 0.40% | - | 4.59.0 | no | no | Rollup 4 has Arbitrary File Write via Path Traversal
Remediation:
  • Please consider upgrading rollup to version 4.59.0 or higher to try to resolve this issue.

Dependency: yarn / tar@7.5.3
Direct dependency: tar (location: yarn.lock)
Occurrences:
  CVE-2026-23950 | Critical | 8.8 | 0.01% | - | 7.5.4 | no | no | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
  CVE-2026-24842 | Critical | 8.2 | 0.02% | - | 7.5.7 | no | no | node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
  CVE-2026-26960 | Critical | 7.1 | 0.01% | - | 7.5.8 | no | no | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
  CVE-2026-29786 | Critical | 6.3 | 0.01% | - | 7.5.10 | no | no | tar has Hardlink Path Traversal via Drive-Relative Linkpath
  CVE-2026-31802 | Critical | 5.5 | 0.01% | - | 7.5.11 | no | no | node-tar Symlink Path Traversal via Drive-Relative Linkpath
Remediation:
  • Please consider upgrading tar to version 7.5.11 or higher to try to resolve this issue.

Dependency: yarn / undici@5.29.0
Direct dependency: undici (location: yarn.lock)
Occurrences:
  CVE-2026-1525 | Warning | 6.5 | 0.02% | - | 6.24.0 | no | no | Undici has an HTTP Request/Response Smuggling issue
  CVE-2026-1526 | Critical | 7.5 | 0.02% | - | 6.24.0 | no | no | Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
  CVE-2026-1527 | Warning | 4.6 | 0.01% | - | 6.24.0 | no | no | Undici has CRLF Injection in undici via upgrade option
  CVE-2026-22036 | Warning | 5.9 | 0.02% | - | 6.23.0 | no | no | Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
  CVE-2026-2229 | Critical | 7.5 | 0.20% | - | 6.24.0 | no | no | Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
Remediation:
  • Please consider upgrading undici to version 6.24.0 or higher to try to resolve this issue.

Dependency: yarn / vite@7.1.12
Direct dependency: vite (location: yarn.lock)
Occurrences:
  CVE-2026-39363 | Critical | 7.5 | 6.64% | - | 7.3.2 | no | no | Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
  CVE-2026-39364 | Critical | 7.5 | 5.15% | - | 7.3.2 | no | no | Vite: server.fs.deny bypassed with queries
  CVE-2026-39365 | Warning | 5.3 | 1.25% | - | 7.3.2 | no | no | Vite Vulnerable to Path Traversal in Optimized Deps .map Handling
Remediation:
  • Please consider upgrading vite to version 7.3.2 or higher to try to resolve this issue.

Not a finding? Ignore it by adding a comment on the line with just the word noboost.

Scanner: boostsecurity - Trivy (Filesystem scanning)

boostsecurity-io (Bot) left a comment

⚠️  10 New Security Findings

The latest commit contains 10 new security findings.

Findings
Columns in each table below: Vulnerability | Severity | CVSS | EPSS | Affected versions | Fixed versions | Contains malware | Critical risk | Description (an empty cell is shown as -).

Dependency: npm / @substrate/connect@0.8.11
Dependency: @substrate/connect, transitive through compact-tools-monorepo (location: yarn.lock)
Occurrence:
  CWE-1104 | Warning | - | - | - | - | no | no | Package @substrate/connect has reached its end of life.
Remediation:
  • Please consider upgrading compact-tools-monorepo to versions that require a higher version of the transitive dependency @substrate/connect.

Dependency: npm / glob@10.5.0
Dependency: glob, transitive through compact-tools-monorepo (location: yarn.lock)
Occurrence:
  CWE-1104 | Warning | - | - | - | - | no | no | Package glob has reached its end of life.
Remediation:
  • Please consider upgrading compact-tools-monorepo to versions that require a higher version of the transitive dependency glob.

Dependency: npm / minimatch@9.0.5
Dependency: minimatch, transitive through compact-tools-monorepo (location: yarn.lock)
Occurrences:
  CVE-2026-26996 | Critical | 8.7 | 0.03% | - | 9.0.6 | no | no | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
  CVE-2026-27903 | Critical | 7.5 | 0.04% | - | 9.0.7 | no | no | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
  CVE-2026-27904 | Critical | 7.5 | 0.03% | - | 9.0.7 | no | no | minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
Remediation:
  • Please consider upgrading compact-tools-monorepo to versions that require the transitive dependency minimatch @ 9.0.7 or higher.

Dependency: npm / node-domexception@1.0.0
Dependency: node-domexception, transitive through compact-tools-monorepo (location: yarn.lock)
Occurrence:
  CWE-1104 | Warning | - | - | - | - | no | no | Package node-domexception has reached its end of life.
Remediation:
  • Please consider upgrading compact-tools-monorepo to versions that require a higher version of the transitive dependency node-domexception.

Dependency: npm / picomatch@4.0.3
Dependency: picomatch, transitive through compact-tools-monorepo (location: yarn.lock)
Occurrence:
  CVE-2026-33671 | Critical | 7.5 | 0.02% | - | 4.0.4 | no | no | Picomatch has a ReDoS vulnerability via extglob quantifiers
Remediation:
  • Please consider upgrading compact-tools-monorepo to versions that require the transitive dependency picomatch @ 4.0.4 or higher.

Dependency: npm / rollup@4.52.5
Dependency: rollup, transitive through compact-tools-monorepo (location: yarn.lock)
Occurrence:
  CVE-2026-27606 | Critical | 8.8 | 0.40% | - | 4.59.0 | no | no | Rollup 4 has Arbitrary File Write via Path Traversal
Remediation:
  • Please consider upgrading compact-tools-monorepo to versions that require the transitive dependency rollup @ 4.59.0 or higher.

Dependency: npm / tar@7.5.3
Dependency: tar, transitive through compact-tools-monorepo (location: yarn.lock)
Occurrences:
  CVE-2026-23950 | Critical | 8.8 | 0.01% | - | 7.5.4 | no | no | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
  CVE-2026-24842 | Critical | 8.2 | 0.02% | - | 7.5.7 | no | no | node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
  CVE-2026-26960 | Critical | 7.1 | 0.01% | - | 7.5.8 | no | no | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
  CVE-2026-29786 | Critical | 8.2 | 0.01% | - | 7.5.10 | no | no | tar has Hardlink Path Traversal via Drive-Relative Linkpath
  CVE-2026-31802 | Critical | 8.2 | 0.01% | - | 7.5.11 | no | no | node-tar Symlink Path Traversal via Drive-Relative Linkpath
  CWE-1104 | Warning | - | - | - | - | no | no | Package tar has reached its end of life.
Remediation:
  • Please consider upgrading compact-tools-monorepo to versions that require the transitive dependency tar @ 7.5.11 or higher.

Dependency: npm / undici@5.29.0
Dependency: undici, transitive through compact-tools-monorepo (location: yarn.lock)
Occurrences:
  CVE-2026-1526 | Critical | 7.5 | 0.02% | - | 6.24.0 | no | no | Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
  CVE-2026-2229 | Critical | 7.5 | 0.20% | - | 6.24.0 | no | no | Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
Remediation:
  • Please consider upgrading compact-tools-monorepo to versions that require the transitive dependency undici @ 6.24.0 or higher.

Dependency: npm / uuid@10.0.0
Dependency: uuid, transitive through compact-tools-monorepo (location: yarn.lock)
Occurrence:
  CWE-1104 | Warning | - | - | - | - | no | no | Package uuid has reached its end of life.
Remediation:
  • Please consider upgrading compact-tools-monorepo to versions that require a higher version of the transitive dependency uuid.

Dependency: npm / vite@7.1.12
Dependency: vite, transitive through compact-tools-monorepo (location: yarn.lock)
Occurrences:
  CVE-2026-39363 | Critical | 8.2 | 6.64% | - | 7.3.2 | no | no | Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
  CVE-2026-39364 | Critical | 8.2 | 5.15% | - | 7.3.2 | no | no | Vite: server.fs.deny bypassed with queries
Remediation:
  • Please consider upgrading compact-tools-monorepo to versions that require the transitive dependency vite @ 7.3.2 or higher.

Not a finding? Ignore it by adding a comment on the line with just the word noboost.

Scanner: boostsecurity - BoostSecurity SCA

0xisk added 10 commits May 19, 2026 14:26
Adds @openzeppelin/compact-deploy — a Forge-style deployer library for
Midnight Compact contracts — and exposes its CLI through the existing
@openzeppelin/compact-cli package.

Library (packages/deploy/):
- runPipeline orchestrator (config → wallet → faucet → providers →
  submit → persist), decomposed into per-step helpers
- Deployments class — head + history JSON ledger with read methods
  (getHead, getHistory, listContracts) and atomic rotation on write
- Keystore class — Web3 Secret Storage v3-compatible with a
  "midnight-1" version marker; scrypt + AES-128-CTR + SHA-256 MAC
- ProofServer class — lifecycle wrapper over the five-step precedence
  chain (CLI > TOML URL > "auto" container > PROOF_SERVER_PORT > default)
- Typed error hierarchy with stable exit codes (DeployError + subclasses)
- src/ layout: loaders/, config/, wallet/, providers/ + top-level
  errors.ts / pipeline.ts / deployments.ts / index.ts

CLI (packages/cli/):
- runDeploy.ts: thin shell over the deploy library (chalk + ora + pino
  UX, --json mode, exit-code-mapped errors); ~250 LOC, zero business logic
- compact-deploy bin entry added alongside compact-builder + compact-compiler
- engines.node bumped 20 → 22 to match the deploy library

Integration tests (tests/integrations/):
- vitest config + wallet pool harness + Counter fixture
- specs cover deploy, dry-run, history rotation, errors, wallet pool

Root:
- @openzeppelin/compact-deploy workspace devDep
- test:integration / env:up / env:down scripts
- resolutions pin for @midnight-ntwrk/ledger-v8 8.0.3

- Replace the four loader functions with classes that own their loaded
  values: SigningKey, ConstructorArgs, InitialPrivateState, Artifact.
  Each exposes `static async load()` + readonly fields; pipeline reads
  `.hex` / `.values` / `?.value` at the call site.
- Add shared LoaderContext + RefResolver helpers under loaders/ to absorb
  path resolution, readFile, dynamic-import error wrapping, and the
  { file } | { module, export } dispatch.
- Promote loadConfig + LoadedConfig to a CompactConfig class with
  `network(name)` / `contract(name)` lookups that throw with the
  available set on miss. resolveTargets collapses; wallet/resolve.ts
  drops its redundant rootDir parameter (derived from config.rootDir).
- Rename Zod-inferred CompactConfig -> CompactConfigData (internal);
  the public name is now the class.

Lets callers manage the proof-server container with `await using` and
AsyncDisposableStack instead of explicit try/finally for teardown.
Dispose errors are warn-logged rather than thrown so a failed teardown
doesn't mask the deploy's primary failure.

AsyncDisposableStack landed in Node 24.0; Node 22 only ships
Symbol.asyncDispose and `await using`. Realigns engines with the
@tsconfig/node24 lib defs already in use across these packages.

…lasses; consolidate seed helpers

Reshapes the deploy entry-point around resource-managed classes:

- `Deployer` (deployer.ts) replaces the procedural `runPipeline`
  function. `Deployer.prepare(opts)` loads config + signing key, starts
  the proof server, builds or adopts a wallet, and loads constructor
  args; the returned instance exposes `.deploy()` and `.dryRun()`. CLI
  flow becomes:

      await using deployer = await Deployer.prepare(opts);
      return dryRun ? await deployer.dryRun() : await deployer.deploy();

  Owned resources are accumulated in an `AsyncDisposableStack` inside
  `prepare`, moved to the instance on success, and disposed in reverse
  order from `[Symbol.asyncDispose]`. Mid-prepare failures unwind
  cleanly via the local `await using` on the stack.

- `WalletHandler` (wallet/handler.ts) replaces the
  `buildDeployerWallet` free function. It wraps a built
  `MidnightWalletProvider` and implements `[Symbol.asyncDispose]`, so
  the Deployer adds it to its stack with a single `stack.use(owned)`
  instead of `stack.defer(...)` with custom try/catch. Mirrors the
  `ProofServer` pattern.

- `wallet/seeds.ts` merges the previous `local-seeds.ts`,
  `normalize.ts`, and `resolve.ts` into one module. None of those owned
  state or a lifecycle, so a class wrapper would be ceremony; a single
  file with three exports is the right unit. Test renamed
  `normalize.test.ts` -> `seeds.test.ts`.

Public API: `runPipeline as deploy` and `PipelineOptions/PipelineResult`
are gone; consumers now use `Deployer`, `DeployerOptions`,
`DeployResult`. `buildDeployerWallet` replaced by `WalletHandler`.
Integration harness and CLI updated.

Mock-based unit tests covering orchestration semantics that integration
tests can't isolate cheaply:

- Deployer (6 tests): dryRun returns dryRun:true and never calls
  deployContract; deploy submits the tx and returns the populated
  success result; injected walletProvider is adopted without calling
  WalletHandler.build; missing walletProvider builds and starts a
  wallet; Symbol.asyncDispose stops owned wallets but leaves injected
  ones alone; deployContract failures are wrapped in
  DeployTxFailedError.

- WalletHandler (7 tests): mnemonic seed routes through .withMnemonic;
  hex seed routes through .withSeed; additionalFeeOverhead bumps to
  5e17 for the undeployed network and keeps the testkit default
  otherwise; .provider returns the wallet built by
  MidnightWalletProvider.withWallet; Symbol.asyncDispose stops the
  underlying wallet; dispose swallows stop() failures with a warn log.

testkit-js + ledger-v8 + midnight-js are vi.mock'd; CompactConfig,
SigningKey, Deployments run against real tmpdir fixtures. End-to-end
network flow remains covered by tests/integrations/.
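The resource-ownership semantics described in the Deployer commit and its unit tests (unwind on a mid-prepare failure, move ownership to the instance on success, dispose in reverse order, leave an injected wallet alone, warn-log rather than throw when a stop fails), as an added Node.js example that is not the PR's code; OwnedStack is a small stand-in for AsyncDisposableStack so the file also runs on Node 22, and FakeResource, the option names and scenario() are constructed for the example:

```javascript
// Added example, not the PR's Deployer/WalletHandler code. OwnedStack stands
// in for AsyncDisposableStack (Node 24); FakeResource, the prepare() option
// names and scenario() are constructed for this example.
const ASYNC_DISPOSE = Symbol.asyncDispose ?? Symbol.for('nodejs.asyncDispose');

class OwnedStack {
  constructor(log) { this.resources = []; this.log = log; this.disposed = false; }
  use(resource) { this.resources.push(resource); return resource; }
  // Transfer everything to a fresh stack; this one becomes an empty, disposed shell.
  move() {
    const next = new OwnedStack(this.log);
    next.resources = this.resources;
    this.resources = [];
    this.disposed = true;
    return next;
  }
  async [ASYNC_DISPOSE]() {
    if (this.disposed) return;
    this.disposed = true;
    while (this.resources.length) {               // reverse acquisition order
      const r = this.resources.pop();
      // A failed teardown is logged, never thrown, so it cannot mask the primary failure.
      try { await r[ASYNC_DISPOSE](); } catch (err) { this.log(`dispose failed: ${err.message}`); }
    }
  }
}

// Stand-in for ProofServer / WalletHandler: records start/stop into a shared log.
class FakeResource {
  constructor(name, events, failStop = false) { Object.assign(this, { name, events, failStop }); }
  async start() { this.events.push(`start ${this.name}`); return this; }
  async [ASYNC_DISPOSE]() {
    this.events.push(`stop ${this.name}`);
    if (this.failStop) throw new Error(`${this.name} stop failed`);
  }
}

class Deployer {
  constructor(owned, wallet) { this.owned = owned; this.wallet = wallet; }
  // Acquire in order; ownership passes to the instance only if every step succeeds.
  static async prepare({ events, log, walletProvider, failAfterProofServer = false, walletStopFails = false }) {
    const stack = new OwnedStack(log);
    try {
      await stack.use(new FakeResource('proof-server', events)).start();
      if (failAfterProofServer) throw new Error('wallet sync failed');
      // An injected wallet is adopted, not owned; a built one joins the stack.
      const wallet = walletProvider
        ?? stack.use(await new FakeResource('wallet', events, walletStopFails).start());
      return new Deployer(stack.move(), wallet);
    } finally {
      await stack[ASYNC_DISPOSE]();   // no-op after move(); unwinds on failure
    }
  }
  async [ASYNC_DISPOSE]() { await this.owned[ASYNC_DISPOSE](); }
}

// Drives one prepare/deploy/dispose cycle and returns what happened, in order.
async function scenario({ inject = false, fail = false, walletStopFails = false } = {}) {
  const events = [];
  const warnings = [];
  const opts = { events, log: (m) => warnings.push(m), failAfterProofServer: fail, walletStopFails };
  if (inject) opts.walletProvider = await new FakeResource('injected-wallet', events).start();
  try {
    const deployer = await Deployer.prepare(opts);
    events.push('deploy');
    await deployer[ASYNC_DISPOSE]();
  } catch (err) {
    events.push(`error ${err.message}`);
  }
  return { events, warnings };
}
```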

Renames the npm package from `@openzeppelin/compact-deploy` to
`@openzeppelin/compact-deployer`. Updates workspace deps in root +
compact-cli, all `from '@openzeppelin/compact-deploy'` imports across
the CLI, integration harness and specs, the JSDoc/README references,
and the regenerated yarn.lock.

The `compact-deploy` binary name and the `packages/deploy/` directory
layout are intentionally left unchanged.

…oyer

Aligns the workspace folder layout with the @openzeppelin/compact-deployer
package name. Git tracks every file as a rename so blame is preserved.
No path references needed updating — the yarn workspaces glob is
`packages/*`, and no script or tsconfig hardcoded `packages/deploy`.

…... style

Convention sweep across all unit + integration test files. No test
behaviour changes — only the strings passed to `it(...)` (and the
`it.each(...)` template in walletPool.spec.ts). All 50 unit tests still
pass.

Five specs are reorganised by feature theme to make the suite scale:

  specs/
    deploy/
      deploy.spec.ts
      dryRun.spec.ts
      historyRotation.spec.ts
    errors/
      errors.spec.ts
    wallet/
      walletPool.spec.ts

No behaviour change — only relative-import depth bumps from `../_harness`
to `../../_harness`. The existing `specs/**/*.spec.ts` glob in vitest.config
already picks up nested directories.

0xisk force-pushed the feat/compact-deployer branch from 958d227 to 26aa42b on May 19, 2026 12:29
0xisk added the "enhancement" (New feature or request) label on May 19, 2026
0xisk self-assigned this on May 19, 2026
0xisk added this to the v1.0.0 milestone on May 19, 2026

0xisk added 2 commits May 19, 2026 14:40

…ignore-all

Biome ci was failing with 23 errors + 1 warning across the deployer
package and integration harness — mostly `useImportType` and
`organizeImports` autofixes. `yarn lint:fix` resolved 19 of them; the
remaining 4 were:

- `packages/cli/src/runDeploy.ts` × 3 — `lint/suspicious/noConsole`.
  organizeImports had moved the `@openzeppelin/compact-deployer` import
  ahead of the `biome-ignore-all noConsole` directive, so the directive
  no longer applied to the file. Moved the directive to line 2 (right
  after the shebang, before all imports).
- `packages/deployer/src/deployer.ts` — dead `SeedResolution` type
  import after the seeds-module merge consolidated the type alias.

Lint:ci now clean; 50 unit tests still pass.

…ions

Addresses the BoostSecurity findings on PR #86. Eight of the originally
flagged packages auto-upgraded when yarn.lock regenerated post-rebase
(brace-expansion, ip-address, minimatch, picomatch, postcss, rollup,
tar, vite). The remaining three are forced via root resolutions:

  - undici  ^6.24.0  (was 5.29.0 via testcontainers)
    Fixes CVE-2026-1525/1526/1527/22036/2229 — HTTP smuggling,
    WebSocket memory exhaustion, CRLF injection, decompression DoS.
    Major bump but testcontainers' usage stays within the v6 API.

  - glob    ^11.0.0  (was 10.5.0 via archiver-utils, cacache)
    Replaces the EOL v10 line.

  - uuid    ^13.0.0  (was 10.0.0 via dockerode)
    Replaces the EOL v10 line.

Two findings left unaddressed:

  - @substrate/connect@0.8.11 (EOL warning). Pinned exactly by
    `@polkadot/rpc-provider@16.5.6` (constraint is `0.8.11`, not a
    range), so resolutions can't override it without breaking that
    transitive. Would need to wait for @PolkaDot to publish a release
    that drops the EOL dep.

  - node-domexception@1.0.0 (EOL warning). Pulled by `fetch-blob@3.2.0`.
    Modern Node has a native DOMException; the package only matters
    until fetch-blob/undici upstream drops the polyfill import. No
    safe override exists.

Both are warning-level (EOL classification, no active CVE). Build +
50 unit tests + CLI typecheck still pass after resolutions.

Labels

enhancement New feature or request

Projects

Status: Backlog
