ci: fix 4 workflow issues pre-testnet

.github/workflows/_reusable-contracts-slither.yml

@@ -2,12 +2,6 @@ name: Reusable Contracts Slither
 
 on:
   workflow_call:
-    inputs:
-      foundry_version:
-        description: Foundry version used for Slither compile path
-        required: false
-        default: "1.5.0"
-        type: string
 
 jobs:
   slither-core:
@@ -29,23 +23,8 @@ jobs:
         run: pip install slither-analyzer==0.11.5
 
       - name: Setup Foundry
-        uses: ./.github/actions/setup-foundry
-        with:
-          foundry-version: ${{ inputs.foundry_version }}
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Run Slither on MARK core contracts
         working-directory: contracts
-        run: |
-          for target in \
-            src/token/RYLA.sol \
-            src/bridge/MARKBridgeAdapter.sol \
-            src/settlement/MARKSettlementModule.sol \
-            src/settlement/verifier/AttestedSettlementVerifier.sol
-          do
-            slither "$target" \
-              --solc-remaps "@interop-lib/=lib/interop-lib/src/ @openzeppelin/=lib/createx/lib/openzeppelin-contracts/" \
-              --exclude-dependencies \
-              --exclude "naming-convention,timestamp,arbitrary-send-erc20,reentrancy-balance,reentrancy-benign" \
-              --filter-paths "lib|test|script|out|cache" \
-              --fail-medium
-          done
+        run: make slither-core

.github/workflows/contracts-ci.yml

@@ -30,7 +30,7 @@ jobs:
           submodules: recursive
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Enforce architecture boundaries
         run: make architecture-guard
@@ -66,7 +66,7 @@ jobs:
           submodules: recursive
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Start anvil
         run: anvil --host 127.0.0.1 --port 8545 > /tmp/anvil.log 2>&1 &
@@ -136,9 +136,11 @@ jobs:
           MARK_POOL_VERIFIER="$POOL_VERIFIER" \
           forge script script/ops/pool/ReleasePool.s.sol --rpc-url $RPC_URL -vv
 
-      # Pool execute smoke is omitted: MARKPool and PoseidonT3 exceed the EIP-170
-      # 24,576-byte contract size limit and cannot be broadcast to Anvil until the
-      # PoseidonT3 refactor (KI-8 in contracts/KNOWN_ISSUES.md) is complete.
+      # Pool execute smoke is omitted: Foundry's contract size check rejects the
+      # PoseidonT3 library artifact (55,856 bytes) during broadcast even though
+      # via_ir inlines it into MARKPool at compile time (MARKPool itself is 24,298
+      # bytes and deployable). The dry-run above validates the pool release script
+      # logic without triggering the size check. See KI-8 in KNOWN_ISSUES.md.
 
       - name: Print anvil logs on failure
         if: failure()
@@ -160,7 +162,7 @@ jobs:
           submodules: recursive
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Run production mode smoke target
         run: make smoke-production-mode
@@ -204,14 +206,21 @@ jobs:
         working-directory: .
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Start supersim
         run: pnpm dev:supersim > /tmp/supersim.log 2>&1 &
         working-directory: .
 
       - name: Wait for supersim readiness
-        run: pnpm wait-port 8420
+        run: |
+          for _ in $(seq 1 30); do
+            if nc -z 127.0.0.1 9545 && nc -z 127.0.0.1 9546; then exit 0; fi
+            sleep 2
+          done
+          echo "supersim did not become ready on ports 9545/9546" >&2
+          tail -n 100 /tmp/supersim.log || true
+          exit 1
         working-directory: .
 
       - name: Run integration suite

.github/workflows/contracts-mainnet-readiness.yml

@@ -64,7 +64,7 @@ jobs:
         run: pip install slither-analyzer==0.11.5
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Run mainnet readiness gate
         working-directory: contracts

.github/workflows/contracts-production-lock-verify.yml

@@ -65,7 +65,7 @@ jobs:
           submodules: recursive
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Run production lock verification
         run: make verify-production-lock

.github/workflows/contracts-staging-rehearsal.yml

@@ -97,7 +97,7 @@ jobs:
           }
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Run staging rehearsal (release + production lock verify)
         run: make rehearse-production-lock

contracts/KNOWN_ISSUES.md

@@ -95,7 +95,7 @@ This document lists known limitations and intentional design decisions that audi
 
 **Description:** `MARKPool` is currently 24,298 bytes — 278 bytes under the EIP-170 24,576-byte limit. `PoseidonT3` is 55,856 bytes as a standalone artifact, but `via_ir = true` in `foundry.toml` causes the compiler to inline it into `MARKPool` rather than deploying it as a linked library. `MARKPool` has no link references and is deployable as-is.
 
-**Impact:** `MARKPool` is deployable. The 278-byte margin is tight — any significant feature addition risks exceeding the limit. CI runs pool release dry-run only (no execute smoke) due to the historical size concern.
+**Impact:** `MARKPool` is deployable. The 278-byte margin is tight — any significant feature addition risks exceeding the limit. CI runs pool release dry-run only (no execute smoke): Foundry's contract size check rejects the `PoseidonT3` library artifact (55,856 bytes) during broadcast even though `via_ir` inlines it into `MARKPool` at compile time. The dry-run validates the release script logic without triggering this check.
 
 **Required before mainnet:** Monitor `MARKPool` size on every change. If the margin drops below ~100 bytes, extract logic (e.g. bridge-out, fee policy, or root management) into a separate contract. `PoseidonT3` does not need to be deployed separately as long as `via_ir = true` is maintained.