release: Feature Freeze for Audit (#223)

feat: Major release with security hardening, fee policy enhancements, and infrastructure improvements

## Breaking Changes
- Migrated to Solana SDK v3.0.x and updated all dependencies
- Replaced custom Kora Signer with solana-signers crate
- Removed `sign_transaction_if_paid` - all signing now validates pricing (FREE config maintains old behavior)
- Removed `get_all_signers` function for security
- Changed response types: removed signatures from `signAndSendTransaction` and `signTransaction`

## Security & Audit Fixes
- Implemented constant-time HMAC verification
- Added request body size limits to prevent server overload
- Sanitized debug macros and loggers to prevent sensitive data exposure
- Removed dangerous `.unwrap()` calls with proper error handling
- Added overflow protection across all math operations
- Enhanced ConfigValidator with security warnings for risky configurations
- Fixed precision issues using fixed-point decimals for price calculations
- Updated fee payer policies to secure defaults

## Fee System Enhancements
- Extended fee payer policy support for SPL/Token2022 instructions (revoke, set authority, mint to, freeze/thaw account, etc.)
- Enhanced fee payer outflow calculation to include SPL token transfers
- Improved fee estimation efficiency (Free→instant, Fixed→simple calc, Margin→full calc)
- Added support for multi-token payment transfers in single transaction
- Refactored payment analysis to return transfer fees
- Added "strict" mode for fixed fees (errors if total exceeds fixed amount)
- Enhanced mint validation for PermanentDelegate and TransferHook extensions

## Developer Experience
- Implemented Rust test runner replacing complex Makefiles
- Added TypeScript test support with improved CI workflow
- Added debug command targets for various test scenarios
- Cleaned up test fixtures and removed duplicated code
- Improved test performance with non-hardcoded ports and file reuse
- Added exponential backoff for health checks

## Bug Fixes
- Fixed inner instruction parsing for Parsed/PartiallyDecoded instructions
- Fixed double fee counting in ATA + fee payer outflow calculation
- Fixed index out of bounds in `uncompile_instructions`
- Made price source non-optional throughout codebase
- Updated transaction validation for safer account key retrieval

## Infrastructure & Tooling
- Updated error handling in TurnkeySigner and PrivySigner
- Added method validation middleware (separate from auth)
- Enhanced logging for API failures and overflow scenarios
- Migrated from gill to @solana/kit
- Added git-cliff configuration for changelog generation
- Improved Rust and SDK publish workflows

## Documentation
- Updated security guidance for FREE/fixed fees and fee payer policies
- Added warnings for permanent delegate risks
- Clarified margin adjustment behavior
- Updated usage_limit documentation
- Enhanced ADDING_SIGNERS.md for solana-signers crate
- Updated x402 demo and configuration guides

## Tests
- Added comprehensive adversarial tests for fee payer policy violations
- Added tests for SPL token transfer scenarios
- Added tests for multi-payment analysis
- Enhanced validation tests for new fee payer policies
- Improved error assertion patterns

Author: dev-jodee

.github/actions/cleanup-test-env/action.yml

@@ -1,53 +1,15 @@
 name: 'Cleanup Test Environment'
-description: 'Stop all test processes (Kora RPC, Solana validator, etc.)'
+description: 'Kill any remaining test processes (safety net for test runner failures)'
 
 runs:
   using: 'composite'
   steps:
-    - name: Stop test processes
+    - name: Kill remaining processes
       shell: bash
       if: always()
       run: |
-        echo "🧹 Cleaning up test environment..."
-        
-        # Stop Kora RPC server using saved PID
-        if [ -f /tmp/kora_pid ]; then
-          KORA_PID=$(cat /tmp/kora_pid)
-          if [ ! -z "$KORA_PID" ]; then
-            echo "Stopping Kora RPC server (PID: $KORA_PID)"
-            kill $KORA_PID 2>/dev/null || true
-          fi
-          rm -f /tmp/kora_pid
-        fi
-        
-        # Stop using environment variable as fallback
-        if [ ! -z "$KORA_PID" ]; then
-          echo "Stopping Kora RPC server (ENV PID: $KORA_PID)"
-          kill $KORA_PID 2>/dev/null || true
-        fi
-        
-        # Stop Solana validator using saved PID
-        if [ -f /tmp/validator_pid ]; then
-          VALIDATOR_PID=$(cat /tmp/validator_pid)
-          if [ ! -z "$VALIDATOR_PID" ]; then
-            echo "Stopping Solana validator (PID: $VALIDATOR_PID)"
-            kill $VALIDATOR_PID 2>/dev/null || true
-          fi
-          rm -f /tmp/validator_pid
-        fi
-        
-        # Stop using environment variable as fallback
-        if [ ! -z "$VALIDATOR_PID" ]; then
-          echo "Stopping Solana validator (ENV PID: $VALIDATOR_PID)"
-          kill $VALIDATOR_PID 2>/dev/null || true
-        fi
-        
-        # Kill any remaining processes by name (nuclear option)
-        echo "Killing any remaining test processes..."
+        echo "🧹 Safety cleanup of any remaining processes..."
         pkill -f "solana-test-validator" 2>/dev/null || true
         pkill -f "kora" 2>/dev/null || true
-        
-        # Wait a moment for processes to stop
-        sleep 2
-        
+        sleep 1
         echo "✅ Cleanup completed"

.github/actions/run-test-runner/action.yml

@@ -0,0 +1,45 @@
+name: "Run Test Runner"
+description: "Execute Kora integration tests using the test runner with specified filters"
+
+inputs:
+  filters:
+    description: "Test filters to apply (e.g., '--filter regular --filter auth')"
+    required: true
+  verbose:
+    description: "Enable verbose output"
+    required: false
+    default: "true"
+  rpc-url:
+    description: "Solana RPC URL to use"
+    required: false
+    default: "http://127.0.0.1:8899"
+  force-refresh:
+    description: "Force refresh of test accounts"
+    required: false
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Run integration tests with test runner
+      shell: bash
+      run: |
+        echo "🧪 Running integration tests with filters: ${{ inputs.filters }}"
+
+        # Build command arguments
+        ARGS=""
+        if [ "${{ inputs.verbose }}" = "true" ]; then
+          ARGS="$ARGS --verbose"
+        fi
+        if [ "${{ inputs.force-refresh }}" = "true" ]; then
+          ARGS="$ARGS --force-refresh"
+        fi
+        if [ "${{ inputs.rpc-url }}" != "http://127.0.0.1:8899" ]; then
+          ARGS="$ARGS --rpc-url ${{ inputs.rpc-url }}"
+        fi
+
+        # Add filters
+        ARGS="$ARGS ${{ inputs.filters }}"
+
+        # Run the test runner
+        cargo run -p tests --bin test_runner -- $ARGS

.github/actions/setup-kora-rpc/action.yml

@@ -1 +1 @@
-{"schemaVersion": 1, "label": "coverage", "message": "85.5%", "color": "green"}
+{"schemaVersion": 1, "label": "coverage", "message": "85.7%", "color": "green"}

.github/actions/setup-solana-validator/action.yml

@@ -0,0 +1,30 @@
+# git-cliff configuration for changelog generation
+# See: https://git-cliff.org/docs/configuration
+
+[changelog]
+header = ""
+body = """
+{% for group, commits in commits | group_by(attribute="group") %}
+### {{ group | upper_first }}
+{% for commit in commits %}
+  - {{ commit.message | split(pat="\n") | first | trim }}
+{% endfor %}
+{% endfor %}
+"""
+trim = true
+
+[git]
+conventional_commits = true
+filter_unconventional = true
+commit_parsers = [
+  { message = "^feat", group = "Features" },
+  { message = "^fix", group = "Bug Fixes" },
+  { message = "^perf", group = "Performance" },
+  { message = "^refactor", group = "Refactoring" },
+  { message = "^doc", group = "Documentation" },
+  { message = "^test", group = "Testing" },
+  { message = "^chore", skip = true },
+  { message = "^ci", skip = true },
+  { message = "^build", skip = true },
+]
+sort_commits = "newest"

.github/badges/coverage.json

@@ -0,0 +1,52 @@
+name: Build Rust Artifacts
+
+on:
+  workflow_call:
+    inputs:
+      cache-key:
+        description: "Cache key suffix for rust cache"
+        required: true
+        type: string
+      artifact-name:
+        description: "Base name for the uploaded artifact"
+        required: true
+        type: string
+    outputs:
+      artifact-name:
+        description: "The actual artifact name with hash suffix"
+        value: ${{ jobs.build.outputs.artifact-name }}
+
+jobs:
+  build:
+    name: Build Rust Artifacts
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    outputs:
+      artifact-name: ${{ inputs.artifact-name }}-${{ steps.source-hash.outputs.hash }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          shared-key: ${{ inputs.cache-key }}
+
+      - name: Calculate source files hash
+        id: source-hash
+        run: |
+          SOURCE_HASH=$(find crates tests Cargo.toml Cargo.lock Makefile makefiles -type f \( -name "*.rs" -o -name "*.toml" -o -name "Makefile" \) -exec sha256sum {} \; | sort | sha256sum | cut -d' ' -f1 | head -c 8)
+          echo "hash=$SOURCE_HASH" >> $GITHUB_OUTPUT
+          echo "Source files hash: $SOURCE_HASH"
+
+      - name: Build workspace
+        run: make build
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.artifact-name }}-${{ steps.source-hash.outputs.hash }}
+          path: |
+            target/debug/kora
+            target/debug/test_runner
+          retention-days: 1