Merge develop into main

[wtfsayo]

Summary

• Merge develop into main for the v0.11.0 release.
• Preserve Hypersdk / Alloy 1 signer compatibility while app-level Alloy helpers use Alloy 2.
• Harden order lifecycle safety for acting-account --on-behalf-of flows and expose them as a dedicated acting_account_selector schema kind instead of signer selectors.
• Refresh QA/contract fixtures, release docs, changelog, package metadata, and self-update asset lookup for the supported Linux/macOS release archives.

Validation

• cargo fmt --check
• cargo clippy -- -D warnings
• cargo test --test orders_list_twap orders_schedule_cancel -- --nocapture
• cargo test --test orders_create orders_tpsl_on_behalf_uses_acting_account_for_position_and_submission -- --nocapture
• cargo test --test cli_integration schema_single_command_outputs_schema_object -- --nocapture
• cargo test --test subaccounts schema_describes_acting_account_selectors_and_raw_destinations -- --nocapture
• cargo test --test release_artifacts -- --nocapture
• cargo test --test command_contracts --test schema_contracts --test registry_contracts --test dry_run_contracts --test output_contracts
• cargo test --lib update_check::tests -- --nocapture
• cargo build --locked --release --bin hyperliquid
• HYPERLIQUID_NO_UPDATE_CHECK=1 ./target/release/hyperliquid --version → hyperliquid 0.11.0
• cargo metadata --locked --no-deps --format-version=1 → hyperliquid-cli 0.11.0

Notes

• scripts/pre-release-check.sh was exercised locally and reached the repository checks, but this workstation intentionally has local-only .qa/, .kanna/, and .sc/ artifact directories under the repo root, so the script fails locally on those ignored artifacts. The release workflow now runs the same pre-release check in a clean checkout before packaging.
• Cloudflare Workers deployment has been flaky/unrelated to the CLI Rust gates in recent PRs; Rust quality and security checks passed before this release-prep update.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	hyperliquid-feedback	dda4069	May 16 2026, 08:33 PM

[Copilot]

Pull request overview

Merges develop into main to roll up dependency bumps (rpassword 7.5.2, hypersdk 0.2.11, alloy 2.0.4, alloy-signer-local 2.0.4, rand 0.10.1) along with the source/test/QA-script adjustments needed to keep things compiling and passing. To preserve compatibility with hypersdk 0.2 (which still re-exports Alloy 1.x signer types), the crate now pulls in both Alloy 1 and Alloy 2 side-by-side via package renaming, while application code starts migrating to Alloy 2.

Changes:

• Cargo: bump alloy to 2.0.4 and rand to 0.10, and add side-by-side alloy-v1 / alloy-signer-local-v1 aliases so hypersdk-facing code keeps working.
• Source: switch SignerSync imports in src/signing.rs and tests/staking_commands.rs to the v1 alias; update src/db.rs for rand 0.10's SysRng/TryRng renames.
• QA script: accept bounded NDJSON output in validate_case_contract, replace the invalid qa-cloid fixture with a valid 0x cloid, and parameterize --end-price for the scale dry-run case.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
Cargo.toml	Adds Alloy 2 / Alloy-signer-local 2 + v1 aliases and bumps rand to 0.10.
Cargo.lock	Locks the new dependency graph with both Alloy 1.8.3 and 2.0.4 trees.
src/db.rs	Updates encryption key/nonce generation to rand 0.10 (SysRng, TryRng).
src/signing.rs	Uses alloy_v1::signers::SignerSync to keep working with hypersdk's v1 PrivateKeySigner.
tests/staking_commands.rs	Same v1 SignerSync alias swap on the test side.
scripts/qa-command-matrix.sh	Accepts NDJSON in JSON validator, fixes scale --end-price, and uses a valid cloid fixture.

Comments suppressed due to low confidence (1)

scripts/qa-command-matrix.sh:410

• The err variable is captured by the outer except ... as err clause, but is referenced inside the nested except Exception: block. While this happens to work in Python 3 because the inner except executes within the body of the outer except (where err is still bound), this is fragile: if the inner except is ever refactored out of the outer one, the reference will break (Python 3 deletes the captured exception variable when the except clause ends). Additionally, when NDJSON parsing succeeds, the resulting data is a list, but the downstream required_fields and error-envelope checks (lines 400–410) only handle dict. For a streaming command run without a name in required_fields, success-case validation silently passes regardless of contents; for the failing-case branch (code != "0"), an NDJSON list will always trigger "failing JSON command must return an error envelope" even if a valid error envelope was emitted as one of the NDJSON lines.

except Exception as err:
    # Streaming commands in --format json emit bounded NDJSON. Accept each
    # non-empty line as a JSON value while retaining single-document checks for
    # ordinary commands.
    try:
        data = [json.loads(line) for line in stdout.splitlines() if line.strip()]
    except Exception:
        print(f"{name}: stdout is not valid JSON/NDJSON: {err}", file=sys.stderr)
        sys.exit(1)

required_fields = {
    "schema orders create": ["command", "json_schema"],
    "wallet address": ["address"],
    "borrowlend supply dry-run": ["dry_run", "command", "would_execute"],
    "orders create dry run": ["dry_run", "command", "would_execute"],
    "orders payload dry run": ["dry_run", "command", "payload"],
    "transfer payload dry run": ["dry_run", "command", "payload"],
    "vault payload dry run": ["dry_run", "command", "payload"],
}

if code == "0":
    if isinstance(data, dict) and "error" in data:
        print(f"{name}: successful JSON command returned error envelope", file=sys.stderr)
        sys.exit(1)
    for field in required_fields.get(name, []):
        if not isinstance(data, dict) or field not in data:
            print(f"{name}: expected top-level JSON field {field!r}", file=sys.stderr)
            sys.exit(1)
else:
    if not isinstance(data, dict) or "error" not in data:
        print(f"{name}: failing JSON command must return an error envelope", file=sys.stderr)
        sys.exit(1)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Incremental Update (commits 3440982..dda4069)

No new issues found in the incremental changes.

The new commits add:

Area	Summary
Order lifecycle safety	--on-behalf-of (vaultAddress) threaded through all order commands (cancel, cancel-all, modify, tpsl, twap-create, twap-cancel, schedule-cancel)
Schedule-cancel hardening	Mainnet confirmation prompt, --yes bypass, minimum 5s --in duration, on-behalf-of support
Schema semantics	New acting_account_selector input kind replacing signer_selector for acting-account fields
Self-update fix	Release asset names aligned with published archives (hyperliquid-{os}-{arch}.tar.gz)
v0.11.0 release	Version bump, changelog, README updates

Resolved Issues (all previous)

File	Line	Issue	Resolution
Cargo.toml	28	alloy-signer-local-v1 dependency not referenced in source	Fixed (commit 1e051f1): extern crate anchor added in src/lib.rs
Cargo.toml	23	Version pin alloy-signer-local to "2.0.4"	Fixed (commit d0d09dc): pinned to "2.0.4"
src/signing.rs	7-11	Document cross-version TypedData/SignerSync coupling	Fixed (commit d0d09dc): explanatory comment block added

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File	Line	Issue
src/commands/actions.rs	3	Same cross-version TypedData (alloy v2) + PrivateKeySigner (hypersdk/alloy v1) pattern as signing.rs. Not modified in this PR but now implicitly uses v2 TypedData since the alloy dep was upgraded. Works through shared alloy-dyn-abi but has the same fragility concern.
src/ows.rs	10	Same TypedData from alloy v2 pattern. Not modified in this PR.

Files Reviewed (27 files, incremental)

Previously reviewed (unchanged):

• Cargo.lock - Generated file, no issues
• src/lib.rs - No issues (dependency anchor)
• src/db.rs - No issues (rand 0.10 migration)
• src/signing.rs - All issues resolved
• scripts/qa-command-matrix.sh - No issues

Incremental review (new/changed):

• Cargo.toml - Version bump to 0.11.0, no issues
• src/commands/orders.rs - Order lifecycle safety with vault_address, schedule-cancel confirmation, no issues
• src/commands/orders/args.rs - New on_behalf_of and yes fields on order arg structs, no issues
• src/commands/orders/planning.rs - Dry-run previews include on_behalf_of, minimum 5s duration check, no issues
• src/cli_runtime.rs - Handler wiring for vault_address across all order commands, no issues
• src/commands/actions.rs - send_l1_action_raw correctly passes vault_address, no issues
• src/command_catalog.json - Schema updates for acting_account_selector, no issues
• src/command_metadata.rs - acting_account_selector inference, no issues
• src/command_registry.rs - New ActingAccountSelector enum variant, no issues
• src/update_check.rs - Release asset name fix with proper tests, no issues
• CHANGELOG.md - Accurate release notes
• README.md - Documentation updates for --on-behalf-of semantics
• tests/cli_integration.rs - Schedule-cancel and schema tests, no issues
• tests/orders_cancel_modify.rs - Cancel on-behalf-of integration test, no issues
• tests/orders_create.rs - TPSL on-behalf-of integration test, no issues
• tests/orders_list_twap.rs - Schedule-cancel safety and on-behalf-of tests, no issues
• tests/registry_contracts.rs - Registry test update, no issues
• tests/release_artifacts.rs - Release asset mapping test, no issues
• tests/subaccounts.rs - Acting account selector test, no issues
• tests/staking_commands.rs - Import update for alloy_v1, no issues
• tests/fixtures/contracts/*.json - Fixture updates matching code changes

---

Notes

• The vault_address / --on-behalf-of parameter is correctly resolved once in each handler and threaded consistently through both the user (for lookups) and vault_address (for submission) paths.
• The schedule-cancel double-plan pattern (prepare_schedule_cancel_plan called twice when scheduled_at.is_some()) intentionally refreshes the scheduled timestamp after the confirmation prompt delay. The final output uses the recomputed timestamp.
• The acting_account_selector input kind cleanly separates acting-account semantics from signer-selection semantics in the public schema.
• The self-update asset name fix (hyperliquid-macos-x86_64.tar.gz instead of hyperliquid-x86_64-apple-darwin.tar.gz) is validated by both the unit test and the release_artifacts.rs contract test, and matches the .github/workflows/release.yml asset names.
• The minimum 5s --in duration for schedule-cancel is a sensible exchange-side safety floor.

---

_{Reviewed by glm-5.1 · 1,932,933 tokens}

[wtfsayo]

Addressed Copilot feedback in 1e051f1 by adding an explicit anonymous extern crate alloy_signer_local_v1 as _; dependency anchor in src/lib.rs, with a comment explaining that it keeps the Alloy 1.x keystore feature unified for hypersdk::hypercore::PrivateKeySigner while app-level helpers use Alloy 2.\n\nLocal validation after the change:\n- cargo check\n- cargo clippy -- -D warnings\n- targeted stored-account keystore and local signer tests

[wtfsayo]

Also addressed Kilo suggestions in d0d09dc: pinned alloy-signer-local to 2.0.4 for consistency with alloy = 2.0.4, and documented the temporary Alloy 2 TypedData + Alloy 1 SignerSync compatibility bridge in src/signing.rs. Local cargo fmt --check, cargo check, and cargo clippy -- -D warnings pass.