
Enable org-transfer governance: CodeQL, Gitleaks, release-gate container, and verification scripts#19

Merged: iap merged 2 commits into dev from codex/review-current-project-for-accuracy on May 6, 2026

Conversation

@iap (Contributor) commented May 5, 2026

Motivation

  • Establish an enforceable governance baseline for an organization transfer by re-enabling CodeQL and adding automated checks for secrets and release gating.
  • Make release verification deterministic and reproducible by providing a containerized release-gate and pinned JS/tooling runtime.
  • Provide automation to apply and verify branch protection and required checks post-transfer to avoid manual drift.
  • Document the transfer, security, and review guidance to reduce operational risk for the repo owner.

Description

  • Updated .github/PRODUCTION_GOVERNANCE_CHECKLIST.md and BRANCHING.md to require Analyze (JavaScript/TypeScript), Gitleaks Scan, and Release Gate Container on dev, canary, and main merges.
  • Re-enabled and expanded CodeQL workflow at .github/workflows/codeql.yml with triggers for push, pull_request, schedule, Node/pnpm setup, and dependency install steps.
  • Added new GitHub workflows: contracts-release-gate-container.yml (containerized release gate), governance-verify.yml (scheduled/manual governance verification), scripts-ci.yml (shellcheck for scripts), and secrets-scan.yml (gitleaks).
  • Added container tooling and run scripts under contracts/docker/release-gate.Dockerfile, contracts/script/ci/run-release-gate-container.sh, and new Makefile target release-gate-container to run the release gate in a pinned container.
  • Added repository automation for org-transfer readiness and bootstrap: scripts/github/pretransfer-readiness.sh, scripts/github/posttransfer-bootstrap.sh, scripts/github/verify-governance.sh, and updated scripts/github/apply-governance.sh to include the new required checks.
  • Added documentation and operational guidance files: ORG_TRANSFER_SECURITY_CHECKLIST.md, PROJECT_REVIEW.md, SECURITY_NEXT_STEPS.md, and TRANSFER_NOW_CHECKLIST.md.

Testing

  • No automated tests were executed as part of this PR; the change introduces CI workflows that will run on subsequent pushes/PRs and scheduled events (CodeQL, Gitleaks, Scripts CI, Contracts Release Gate, Governance Verify).
  • The added pretransfer-readiness, posttransfer-bootstrap, and verify-governance scripts include runtime checks and will surface failures when executed in CI or locally with GH_PAT provided.
  • The new scripts-ci workflow will run shellcheck on shell scripts when PRs touch scripts/** and will validate script syntax once the workflow executes on repo events.
  • The CodeQL workflow is configured to run on PRs and pushes to dev, canary, and main and will report results once run in an org with GHAS enabled.

Codex Task

Summary by CodeRabbit

  • New Features

    • Added automated secrets scanning, static analysis (analyze) and scripts CI (shellcheck) to CI gates
    • Introduced a containerized release-gate for contracts and workflows to run it
    • Added scheduled weekly and on-demand governance verification and post-transfer verification tools
    • Strengthened branch protection with new required checks across dev, canary, and main
  • Documentation

    • Added comprehensive governance/security checklists, transfer/runbooks, and a project review document

coderabbitai (Bot) commented May 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 0392eb53-dab4-4b82-abce-df4935958d93

📥 Commits

Reviewing files that changed from the base of the PR and between af9828f and 9d4d811.

📒 Files selected for processing (1)
  • BRANCHING.md

Walkthrough

Adds repository governance automation and CI workflows to support org transfer: new GitHub Actions (CodeQL updates, secrets scan, scripts CI, contracts release-gate container, governance verify), containerized release-gate artifacts, branch-protection check/bootstrapping scripts, and multiple governance/transfer documentation files and checklists.

Changes

Governance & CI rollout (single cohesive cohort)

Policy & Docs
  Files: .github/PRODUCTION_GOVERNANCE_CHECKLIST.md, BRANCHING.md, ORG_TRANSFER_SECURITY_CHECKLIST.md, PROJECT_REVIEW.md, SECURITY_NEXT_STEPS.md, TRANSFER_NOW_CHECKLIST.md
  Summary: Adds/expands governance checklists, required-status-check matrices, phased transfer playbooks, project review, next steps, and immediate transfer checklist.

Workflow triggers & bootstrap
  Files: .github/workflows/codeql.yml, .github/workflows/governance-verify.yml, .github/workflows/secrets-scan.yml, .github/workflows/scripts-ci.yml, .github/workflows/contracts-release-gate-container.yml
  Summary: Adds five workflows: CodeQL expanded to PR/push/schedule and Node/pnpm setup; governance-verify (manual + weekly cron) runs scripts/github/verify-governance.sh; secrets-scan runs Gitleaks; scripts-ci runs shellcheck; contracts-release-gate-container triggers the containerized release gate with a gate_mode input.

Release-gate container image
  Files: contracts/docker/release-gate.Dockerfile
  Summary: New Dockerfile creating a CI image: base foundry image, installs curl/git/jq/python3/pip/ca-certificates, pins the Node toolchain and pnpm@9.0.2, installs slither-analyzer, sets WORKDIR /repo/contracts.

Container runner & Make wiring
  Files: contracts/script/ci/run-release-gate-container.sh, contracts/Makefile
  Summary: Adds a script to build/run the release-gate container (docker build/run, mounts, env forwarding) and a Makefile target release-gate-container (added to PHONY).

Governance apply & verification scripts
  Files: scripts/github/apply-governance.sh, scripts/github/verify-governance.sh, scripts/github/pretransfer-readiness.sh, scripts/github/posttransfer-bootstrap.sh
  Summary: apply-governance.sh updates the required-check arrays to include "Analyze (JavaScript/TypeScript)", "Gitleaks Scan", "Release Gate Container" (and the final release validation checks on main). verify-governance.sh inspects branch protections via the GitHub API for dev, canary, main. pretransfer-readiness.sh validates GH_PAT, required workflow files, and the presence of GOVERNANCE_VERIFY_PAT. posttransfer-bootstrap.sh runs bootstrap + verification.

Workflow & script wiring details
  Files: .github/..., scripts/..., contracts/...
  Summary: Workflows and scripts interconnect: workflows set/require secrets (GOVERNANCE_VERIFY_PAT, GITHUB_TOKEN), check out the repo (contracts workflows use submodules), and run the added scripts / make targets in the intended order.

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer (PR / Push)
  participant GH as GitHub Actions
  participant Runner as CI Runner / Docker
  participant Scripts as Repo Scripts
  participant API as GitHub API

  Dev->>GH: push PR / push to branches or dispatch workflow
  GH->>Runner: start workflow (codeql / secrets-scan / scripts-ci / contracts-release-gate-container)
  Runner->>Runner: build/run release-gate container (docker build/run)
  Runner->>Scripts: run make / shellcheck / gitleaks or invoke verify/pretransfer scripts
  Scripts->>API: query branch protections / secrets
  API-->>Scripts: protection/secret responses
  Scripts-->>GH: exit status -> workflow result (PASS/FAIL)

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • iap/mark#16: Modifies .github/workflows/codeql.yml (related CodeQL/workflow adjustments).

Poem

🐰 I hopped through workflows, scripts in paw,

Checked branches, secrets, every law.
Containers built, gates set to guard —
Transfer ready, standing tall and hard.
🥕✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: Warning. Docstring coverage is 33.33%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Title check: Passed. The title accurately summarizes the main change: enabling a governance baseline for org transfer via CodeQL, Gitleaks, release-gate container, and verification scripts.
  • Description check: Passed. The PR description comprehensively covers motivation, a detailed description of changes, and the testing approach; however, it deviates from the template structure and omits explicit verification checklist items.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



coderabbitai (Bot) left a comment

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
BRANCHING.md (1)

68-93: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep governance verification enforcement in lockstep with this matrix

The required-check arrays in scripts/github/verify-governance.sh are missing documented checks. Specifically:

  • require_checks_dev (lines 47–53) omits Gitleaks Scan and Release Gate Container
  • require_checks_main (lines 55–62) omits Gitleaks Scan and Release Gate Container
  • canary branch validation (line 109) uses require_checks_dev, so it also lacks these checks

This will allow PRs to pass governance verification even when they lack checks that BRANCHING.md requires, creating enforcement drift.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@BRANCHING.md` around lines 68 - 93, Update the governance verification arrays
so they match BRANCHING.md: add "Gitleaks Scan" and "Release Gate Container" to
the require_checks_dev and require_checks_main arrays in the script, and ensure
the canary validation uses an array that includes those checks (either keep
canary pointing to require_checks_dev after you update it or create a dedicated
require_checks_canary that contains the same set including "Gitleaks Scan" and
"Release Gate Container"); modify the definitions for require_checks_dev,
require_checks_main (and create/adjust require_checks_canary if present) in
verify-governance.sh so the enforcement matrix is consistent with BRANCHING.md.
🧹 Nitpick comments (1)
scripts/github/verify-governance.sh (1)

95-95: ⚡ Quick win

Check both contexts and checks when validating required statuses.

Line 95 only inspects .required_status_checks.checks[]?.context, which misses checks stored in the deprecated .required_status_checks.contexts field. The GitHub API returns both fields, and older branch protection configurations may use contexts, causing false negatives during governance verification.

Proposed fix
-    if ! jq -e --arg c "$check" '.required_status_checks.checks[]?.context | select(. == $c)' <<<"$json" >/dev/null; then
+    if ! jq -e --arg c "$check" '
+      (
+        [ .required_status_checks.checks[]?.context ] +
+        ( .required_status_checks.contexts // [] )
+      ) | any(. == $c)
+    ' <<<"$json" >/dev/null; then
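Review bot: the merged expression is right, and it still degrades sensibly when `required_status_checks` is null altogether (no status-check requirement on the branch): `.checks[]?` yields nothing and `// []` supplies an empty list, so `any` is false and the branch is reported as missing the check rather than jq erroring out. Since `jq -e` also exits 4 when the input is empty, the `!` branch covers an empty `$json` as well, so no separate guard is needed here.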
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/github/verify-governance.sh` at line 95, The jq check only looks at
.required_status_checks.checks[].context and misses deprecated
.required_status_checks.contexts, causing false negatives; update the
conditional (the jq invocation on the line with
'.required_status_checks.checks[]?.context | select(. == $c)') to test both
sources, e.g. combine the two streams like
'(.required_status_checks.checks[]?.context,
.required_status_checks.contexts[]?) | select(. == $c)' (or otherwise
concatenate/merge those arrays) so the script returns true if the required
status exists in either field.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/codeql.yml:
- Around line 6-19: The CodeQL workflow's path filters in
.github/workflows/codeql.yml (the "paths:" keys under the push and pull_request
triggers) are causing required checks to remain pending on protected branches;
remove the "paths:" blocks from both the pull_request and push sections so the
workflow triggers on the specified branches (branches: [main, canary, dev])
without path filtering, ensuring the CodeQL required status can complete and
won't block merges.

In @.github/workflows/contracts-release-gate-container.yml:
- Around line 5-7: Remove the path filtering that scopes the pull_request
trigger so the required "Release Gate Container" check will run for all PRs;
specifically, delete or disable the YAML keys that set paths: - "contracts/**"
and - ".github/workflows/contracts-release-gate-container.yml" under the
pull_request trigger in this workflow (so the workflow's pull_request trigger is
not limited by path filters and will report on every PR).

In @.github/workflows/scripts-ci.yml:
- Around line 26-31: The workflow is using mutable action tags
(actions/checkout@v6 and ludeeus/action-shellcheck@2.0.0); replace those with
immutable commit SHAs to hard-pin versions: find the uses: lines referencing
"actions/checkout" and "ludeeus/action-shellcheck" and update them to use the
full commit SHA (e.g., actions/checkout@<commit_sha> and
ludeeus/action-shellcheck@<commit_sha>), obtaining the correct commit SHA from
each action's GitHub repo (releases/commits) and apply the same pinning pattern
consistently across all workflows in the repo.

In `@BRANCHING.md`:
- Around line 129-135: Remove the duplicated check bullets in the canary/dev
protection sections by editing the BRANCHING.md checklist so each required check
appears only once (e.g., remove repeated instances of `Gitleaks Scan` and
`Release Gate Container`), ensuring the final list contains a single entry for
`Analyze (JavaScript/TypeScript)`, `Gitleaks Scan`, `Release Gate Container` and
the "Require at least 1 approval" line in each protection section; apply the
same cleanup to both canary and dev sections so the policy is unambiguous and
consistent.

In `@contracts/docker/release-gate.Dockerfile`:
- Line 1: The Dockerfile currently uses an unpinned base image "FROM
ghcr.io/foundry-rs/foundry:latest" and an unversioned slither-analyzer; change
the FROM line to a specific Foundry semver tag or digest (e.g., replace
":latest" with a concrete tag like ":v1.7.0" or its digest) and update the
slither installation step to install slither-analyzer@0.11.5 (pin the package
version) so the release-gate runtime is deterministic and reproducible.
- Around line 1-5: The Dockerfile is running apt-get as the non-root foundry
user causing permission errors; update the Dockerfile to switch to USER root
before the RUN apt-get ... line, perform the package install and cleanup as
root, then switch back to USER foundry afterward (use the existing base image
user name "foundry"); ensure the RUN block remains unchanged except for being
executed under root and add a subsequent USER foundry to restore privileges.

In `@scripts/github/pretransfer-readiness.sh`:
- Around line 60-66: The script currently treats any non-present secret the same
as an API access failure because secrets_json is populated by curl without
checking HTTP status; update the block that sets and uses secrets_json to detect
and fail fast on HTTP errors by capturing curl's HTTP status (or using curl -f)
and checking the response code/exit status before running jq; if curl returns
non-200 (or fails) print an error and exit 1 rather than echoing a WARN for
GOVERNANCE_VERIFY_PAT so lack of secrets API scope is surfaced immediately.
Ensure you reference the variables secrets_json, auth_headers, api and the jq
check for GOVERNANCE_VERIFY_PAT when implementing the change.

In `@scripts/github/verify-governance.sh`:
- Around line 47-63: The arrays require_checks_dev and require_checks_main are
missing the new mandatory checks; update the require_checks_dev and
require_checks_main variables to include the "Gitleaks Scan" and "Release Gate
Container" entries (add both strings into each array so the script accurately
reflects governance policy), preserving the existing checks and order semantics
used in the arrays.

In `@SECURITY_NEXT_STEPS.md`:
- Around line 7-13: The steps currently instruct running
pretransfer-readiness.sh after transferring which inverts the intended flow and
bypasses readiness checks; update the instructions so you export GH_PAT, run
./scripts/github/pretransfer-readiness.sh first, then perform the repository
transfer in GitHub settings, and finally run
./scripts/github/posttransfer-bootstrap.sh (mention GH_PAT and the three script
names: pretransfer-readiness.sh, posttransfer-bootstrap.sh, and the transfer
action between them).


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8a993df3-b784-4fc1-9544-0bab9e62773d

📥 Commits

Reviewing files that changed from the base of the PR and between ee8a183 and 0dac9f7.

📒 Files selected for processing (18)
  • .github/PRODUCTION_GOVERNANCE_CHECKLIST.md
  • .github/workflows/codeql.yml
  • .github/workflows/contracts-release-gate-container.yml
  • .github/workflows/governance-verify.yml
  • .github/workflows/scripts-ci.yml
  • .github/workflows/secrets-scan.yml
  • BRANCHING.md
  • ORG_TRANSFER_SECURITY_CHECKLIST.md
  • PROJECT_REVIEW.md
  • SECURITY_NEXT_STEPS.md
  • TRANSFER_NOW_CHECKLIST.md
  • contracts/Makefile
  • contracts/docker/release-gate.Dockerfile
  • contracts/script/ci/run-release-gate-container.sh
  • scripts/github/apply-governance.sh
  • scripts/github/posttransfer-bootstrap.sh
  • scripts/github/pretransfer-readiness.sh
  • scripts/github/verify-governance.sh
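
The governance verification this review discusses, worked as an added Python example that is not part of the pull request or the repository's own scripts/github/verify-governance.sh (which is bash and jq). It covers both points raised above: the enforcement drift between BRANCHING.md and the `require_checks_*` arrays (the main list is derived from the dev list so they cannot diverge), and the false negative from reading only `checks[].context` while ignoring the deprecated `contexts` field. The branch-protection payloads are constructed to follow the shape of the GitHub branch-protection API, not captured from a real repository.

```python
"""Required-status-check verification over GitHub branch-protection payloads.

Added example for the review discussion; not the repository's
verify-governance.sh.  All payloads below are constructed, not captured.
"""

# Required checks per branch, as BRANCHING.md requires them.  main is derived
# from dev so the two lists cannot drift apart.
REQUIRED_DEV = [
    "Contracts Unit + Invariant",
    "Contracts Release Check (Dry-Run + Execute Smoke)",
    "Slither Core Contracts",
    "Secrets Drift Guard",
    "Analyze (JavaScript/TypeScript)",
    "Gitleaks Scan",
    "Release Gate Container",
]
REQUIRED_MAIN = REQUIRED_DEV + [
    "Validate Release PR Checklist",
    "Validate Release Evidence",
]
REQUIRED_BY_BRANCH = {"dev": REQUIRED_DEV, "canary": REQUIRED_DEV, "main": REQUIRED_MAIN}


def enforced_contexts(protection, include_legacy=True):
    """Set of status-check contexts a branch-protection payload enforces.

    The API carries the same information in two places: the current
    required_status_checks.checks[].context objects and the deprecated
    required_status_checks.contexts string list.  include_legacy=False
    reproduces the checks-only logic the nitpick flags as a false negative.
    """
    rsc = protection.get("required_status_checks") or {}
    enforced = {c["context"] for c in (rsc.get("checks") or []) if "context" in c}
    if include_legacy:
        enforced |= set(rsc.get("contexts") or [])
    return enforced


def missing_checks(branch, protection, include_legacy=True):
    """Required checks the payload does not enforce; an empty list means PASS."""
    enforced = enforced_contexts(protection, include_legacy)
    return [c for c in REQUIRED_BY_BRANCH[branch] if c not in enforced]


def verify_governance(payloads_by_branch):
    """Return (exit_status, findings) the way a CI job would: 0 only if every
    branch enforces its full matrix, 1 otherwise."""
    findings = {b: missing_checks(b, p) for b, p in payloads_by_branch.items()}
    return (0 if not any(findings.values()) else 1), findings


def _protection(checks=(), contexts=()):
    """Build a constructed branch-protection payload in the API's shape."""
    return {
        "required_status_checks": {
            "strict": True,
            "checks": [{"context": c, "app_id": None} for c in checks],
            "contexts": list(contexts),
        }
    }


CURRENT_STYLE = _protection(checks=REQUIRED_MAIN)   # new checks[] objects only
LEGACY_STYLE = _protection(contexts=REQUIRED_DEV)   # old contexts[] strings only
DRIFTED = _protection(checks=REQUIRED_DEV[:5])      # lacks the two new checks
UNPROTECTED = {"required_status_checks": None}      # no status-check requirement

if __name__ == "__main__":
    status, findings = verify_governance(
        {"dev": DRIFTED, "canary": LEGACY_STYLE, "main": CURRENT_STYLE})
    print("exit status:", status)
    for branch, missing in findings.items():
        print(f"  {branch}: " + ("PASS" if not missing else "FAIL, missing " + ", ".join(missing)))
```

Running the block reports dev as failing (it lacks Gitleaks Scan and Release Gate Container), canary as passing even though its protection uses only the legacy `contexts` field, and main as passing; calling `missing_checks` with `include_legacy=False` on the canary payload shows the false negative, with every required check reported missing.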

Comment thread .github/workflows/codeql.yml
Comment on lines +5 to +7
paths:
- "contracts/**"
- ".github/workflows/contracts-release-gate-container.yml"

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid path-filtering a required PR check.

With branch protection requiring “Release Gate Container”, restricting pull_request by paths can leave this check unreported on unrelated PRs, blocking merges.

Proposed fix
 on:
   pull_request:
-    paths:
-      - "contracts/**"
-      - ".github/workflows/contracts-release-gate-container.yml"
+    branches:
+      - main
+      - canary
+      - dev
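Review bot: replacing `paths:` with `branches:` makes the containerized gate (Docker build plus Slither) run on every PR targeting main, canary or dev, including documentation-only ones; if that cost matters, GitHub's documented alternative for a required check is a second workflow with the same job name that uses `paths-ignore` mirroring these paths and exits successfully, so the `Release Gate Container` context is always reported. Either way, the `paths:` filter on the `push` trigger at lines 24-25 needs the same treatment, otherwise pushes to the protected branches keep the pending-check problem.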

Also applies to: 24-25

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/contracts-release-gate-container.yml around lines 5 - 7,
Remove the path filtering that scopes the pull_request trigger so the required
"Release Gate Container" check will run for all PRs; specifically, delete or
disable the YAML keys that set paths: - "contracts/**" and -
".github/workflows/contracts-release-gate-container.yml" under the pull_request
trigger in this workflow (so the workflow's pull_request trigger is not limited
by path filters and will report on every PR).

Comment thread .github/workflows/scripts-ci.yml
Comment on lines +26 to +31
uses: actions/checkout@v6

- name: Run shellcheck
uses: ludeeus/action-shellcheck@2.0.0
with:
scandir: "scripts contracts/script"
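Review bot: when pinning these to commit SHAs, keep the version as a trailing comment (`uses: actions/checkout@<commit_sha> # v6`) so Dependabot or Renovate can still track updates against the pin. Separately, `scandir: "scripts contracts/script"` passes two directories in one value; ludeeus/action-shellcheck describes `scandir` as a custom directory, so please confirm it splits on whitespace, and if it does not, use two steps or the action's `additional_files` input so `contracts/script` is actually scanned.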

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify tag-based action refs still exist in workflows.
rg -n '^\s*uses:\s*[^@]+@v[0-9]+(\.[0-9]+)*\s*$' .github/workflows

Repository: iap/mark

Length of output: 3999


🏁 Script executed:

sed -n '20,35p' .github/workflows/scripts-ci.yml

Repository: iap/mark

Length of output: 332


Pin workflow actions to immutable commit SHAs.

Both actions use mutable version tags (@v6, @2.0.0), which weakens CI supply-chain guarantees. Pin to full commit SHAs instead:

  • actions/checkout@v6 → actions/checkout@<commit_sha>
  • ludeeus/action-shellcheck@2.0.0 → ludeeus/action-shellcheck@<commit_sha>

This pattern applies across multiple workflows in the repository.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/scripts-ci.yml around lines 26 - 31, The workflow is using
mutable action tags (actions/checkout@v6 and ludeeus/action-shellcheck@2.0.0);
replace those with immutable commit SHAs to hard-pin versions: find the uses:
lines referencing "actions/checkout" and "ludeeus/action-shellcheck" and update
them to use the full commit SHA (e.g., actions/checkout@<commit_sha> and
ludeeus/action-shellcheck@<commit_sha>), obtaining the correct commit SHA from
each action's GitHub repo (releases/commits) and apply the same pinning pattern
consistently across all workflows in the repo.

Comment thread BRANCHING.md
@@ -0,0 +1,17 @@
FROM ghcr.io/foundry-rs/foundry:latest

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the recommended immutable tag or digest strategy for ghcr.io/foundry-rs/foundry, and which slither-analyzer version is currently stable for CI pinning?

💡 Result:

Recommended immutable tag/digest strategy for ghcr.io/foundry-rs/foundry:
  • Use a specific semver tag like :v1.7.0 (or the corresponding major/minor floating release tags :v1.7 / :v1) rather than :latest or :nightly, because Foundry releases have moved to a "fully immutable versioning model" where only semver tags and per-commit nightly-{SHA} releases exist; mutable tags like nightly/stable/rc are gone. [1]
  • For CI/pipeline reproducibility at the image-content level, pin by digest (use the image reference form ghcr.io/foundry-rs/foundry:v1.7.0@sha256:... after resolving the digest for that tag). The Foundry Docker guide explicitly recommends pinning the Foundry version for reproducible builds using a specific version tag. [2] Example: FROM ghcr.io/foundry-rs/foundry:v1.0.0 (then optionally further lock to an @sha256 digest for immutability). [2]

Which slither-analyzer version is currently stable for CI pinning (as of 2026-05-05):
  • slither-analyzer v0.11.5 is the latest release and thus the stable version to pin for CI. [3][4]


🏁 Script executed:

cat -n contracts/docker/release-gate.Dockerfile

Repository: iap/mark

Length of output: 797


Pin base image and slither-analyzer version for deterministic release-gate runtime.

foundry:latest and unversioned slither-analyzer allow drift across runs, which undermines reproducible governance checks. Use a specific Foundry semver tag (e.g., v1.7.0) or pin by digest, and lock slither-analyzer to version 0.11.5.

Proposed pinning pattern
-FROM ghcr.io/foundry-rs/foundry:latest
+FROM ghcr.io/foundry-rs/foundry:v1.7.0

@@
-RUN python3 -m pip install --no-cache-dir slither-analyzer
+RUN python3 -m pip install --no-cache-dir slither-analyzer==0.11.5
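Review bot: a semver tag such as `:v1.7.0` is still a name the registry can re-point; for the reproducibility this PR sets out to provide, pin the tag together with its resolved digest (`FROM ghcr.io/foundry-rs/foundry:v1.7.0@sha256:<digest>`, with the digest resolved at pin time), as the web query result above also recommends. Likewise `slither-analyzer==0.11.5` pins Slither but not its transitive dependencies, so a constraints or requirements file installed with `--require-hashes` completes the pin on the Python side.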

Also applies to: 15-15

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002


(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@contracts/docker/release-gate.Dockerfile` at line 1, The Dockerfile currently
uses an unpinned base image "FROM ghcr.io/foundry-rs/foundry:latest" and an
unversioned slither-analyzer; change the FROM line to a specific Foundry semver
tag or digest (e.g., replace ":latest" with a concrete tag like ":v1.7.0" or its
digest) and update the slither installation step to install
slither-analyzer@0.11.5 (pin the package version) so the release-gate runtime is
deterministic and reproducible.

Comment on lines +1 to +5
FROM ghcr.io/foundry-rs/foundry:latest

RUN apt-get update \
&& apt-get install -y --no-install-recommends curl git jq python3 python3-pip ca-certificates \
&& rm -rf /var/lib/apt/lists/*

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the default non-root username in ghcr.io/foundry-rs/foundry Docker images, and what USER should be set after apt installs?

💡 Result:

The default non-root username in ghcr.io/foundry-rs/foundry Docker images is "foundry". The Dockerfile explicitly creates this user with UID 1000 and GID 1000, then sets USER foundry as the final instruction, making it the default runtime user.[1][2] After performing apt installs (which require root privileges), the USER should be set back to "foundry" to maintain the non-root security posture and ensure commands run as the expected user.[1]


Fix build blocker: run package install as root, then drop privileges.

The current CI failure (/var/lib/apt/lists/lock: Permission denied) occurs because apt-get is executing as the non-root foundry user inherited from the base image. Switch to USER root for package installation, then restore the foundry user.

Proposed fix
 FROM ghcr.io/foundry-rs/foundry:latest
+USER root

 RUN apt-get update \
   && apt-get install -y --no-install-recommends curl git jq python3 python3-pip ca-certificates \
   && rm -rf /var/lib/apt/lists/*
+
+USER foundry
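Review bot: placing `USER foundry` immediately after the apt step drops privileges before the later steps the walkthrough lists (Node toolchain, pnpm@9.0.2, `pip install slither-analyzer`), which will either hit the same permission error or install into the user's home outside PATH; move `USER foundry` after the last privileged install, or make those steps explicitly user-local. That also satisfies the Trivy DS-0002 finding, which only needs the final `USER` to be non-root, and since the image then runs as UID 1000, the repo mount under /repo/contracts set up by run-release-gate-container.sh must be writable by that user.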
🧰 Tools
🪛 GitHub Actions: Contracts Release Gate (Containerized) / 0_Release Gate Container.txt

[error] 3-5: Docker build failed during apt-get: could not open lock file /var/lib/apt/lists/lock (Permission denied). Command: RUN apt-get update && apt-get install -y --no-install-recommends curl git jq python3 python3-pip ca-certificates && rm -rf /var/lib/apt/lists/*

🪛 GitHub Actions: Contracts Release Gate (Containerized) / Release Gate Container

[error] 3-5: RUN apt-get update failed: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied). The overall step exited with code 100.

🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002


(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@contracts/docker/release-gate.Dockerfile` around lines 1 - 5, The Dockerfile
is running apt-get as the non-root foundry user causing permission errors;
update the Dockerfile to switch to USER root before the RUN apt-get ... line,
perform the package install and cleanup as root, then switch back to USER
foundry afterward (use the existing base image user name "foundry"); ensure the
RUN block remains unchanged except for being executed under root and add a
subsequent USER foundry to restore privileges.

Comment on lines +60 to +66
secrets_json="$(curl -sS "${auth_headers[@]}" "${api}/actions/secrets")"
for s in GOVERNANCE_VERIFY_PAT; do
if jq -e --arg n "$s" '.secrets[]?.name | select(. == $n)' <<<"$secrets_json" >/dev/null; then
echo " PASS: secret exists: $s"
else
echo " WARN: secret missing (add after transfer if needed): $s"
fi

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail fast if secrets API access fails instead of emitting a soft WARN

At Line [60], a 401/403 from ${api}/actions/secrets is currently treated like “secret missing” in Line [65]. That can falsely report readiness when GH_PAT lacks required scope.

Suggested fix
-secrets_json="$(curl -sS "${auth_headers[@]}" "${api}/actions/secrets")"
+secrets_json="$(curl -fsS "${auth_headers[@]}" "${api}/actions/secrets")"
+if ! jq -e '.secrets | type == "array"' <<<"$secrets_json" >/dev/null; then
+  echo "  FAIL: unable to read repository secrets (check GH_PAT scopes/permissions)" >&2
+  exit 1
+fi
 for s in GOVERNANCE_VERIFY_PAT; do
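Review bot: with `-f`, curl discards GitHub's error body, so the FAIL line cannot tell a 401 (bad or expired GH_PAT) from a 403 (token lacks the scope to read repository secrets); capture the status separately, e.g. `-o "$tmp" -w '%{http_code}'`, and print it with the failure message so the operator knows which to fix. The added jq guard is still worth keeping, since it also catches a successful response whose body lacks the expected `secrets` array.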
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/github/pretransfer-readiness.sh` around lines 60 - 66, The script
currently treats any non-present secret the same as an API access failure
because secrets_json is populated by curl without checking HTTP status; update
the block that sets and uses secrets_json to detect and fail fast on HTTP errors
by capturing curl's HTTP status (or using curl -f) and checking the response
code/exit status before running jq; if curl returns non-200 (or fails) print an
error and exit1 rather than echoing a WARN for GOVERNANCE_VERIFY_PAT so lack of
secrets API scope is surfaced immediately. Ensure you reference the variables
secrets_json, auth_headers, api and the jq check for GOVERNANCE_VERIFY_PAT when
implementing the change.

Comment on lines +47 to +63
require_checks_dev=(
"Contracts Unit + Invariant"
"Contracts Release Check (Dry-Run + Execute Smoke)"
"Slither Core Contracts"
"Secrets Drift Guard"
"Analyze (JavaScript/TypeScript)"
)

require_checks_main=(
"Contracts Unit + Invariant"
"Contracts Release Check (Dry-Run + Execute Smoke)"
"Slither Core Contracts"
"Secrets Drift Guard"
"Analyze (JavaScript/TypeScript)"
"Validate Release PR Checklist"
"Validate Release Evidence"
)
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Required checks list is incomplete vs governance policy.

require_checks_dev / require_checks_main omit the new mandatory checks (“Gitleaks Scan”, “Release Gate Container”), so this script can report PASS while governance is actually incomplete.

Proposed fix
 require_checks_dev=(
   "Contracts Unit + Invariant"
   "Contracts Release Check (Dry-Run + Execute Smoke)"
   "Slither Core Contracts"
   "Secrets Drift Guard"
   "Analyze (JavaScript/TypeScript)"
+  "Gitleaks Scan"
+  "Release Gate Container"
 )

 require_checks_main=(
   "Contracts Unit + Invariant"
   "Contracts Release Check (Dry-Run + Execute Smoke)"
   "Slither Core Contracts"
   "Secrets Drift Guard"
   "Analyze (JavaScript/TypeScript)"
+  "Gitleaks Scan"
+  "Release Gate Container"
   "Validate Release PR Checklist"
   "Validate Release Evidence"
 )
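Review bot: the two new entries are now maintained in two arrays that are identical except for the two main-only checks, which is exactly the drift this script exists to catch; derive one from the other, e.g. `require_checks_main=("${require_checks_dev[@]}" "Validate Release PR Checklist" "Validate Release Evidence")`, so a future required check is added once. The strings must also match the job names reported to GitHub exactly (case, spacing, parentheses), since branch protection matches on the check name, and the hunk shows no array for canary although the triggers elsewhere in this PR list it alongside dev and main.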
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/github/verify-governance.sh` around lines 47 - 63, The arrays
require_checks_dev and require_checks_main are missing the new mandatory checks;
update the require_checks_dev and require_checks_main variables to include the
"Gitleaks Scan" and "Release Gate Container" entries (add both strings into each
array so the script accurately reflects governance policy), preserving the
existing checks and order semantics used in the arrays.

@iap iap self-assigned this May 6, 2026
coderabbitai Bot commented May 6, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

⛔ CodeRabbit does not have permission to push changes to this repository. Please ensure CodeRabbit has Contents: Read and write permission.

coderabbitai Bot commented May 6, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

⛔ CodeRabbit does not have permission to push changes to this repository. Please ensure CodeRabbit has Contents: Read and write permission.

@iap iap removed codex labels May 6, 2026
@iap iap force-pushed the codex/review-current-project-for-accuracy branch from 0dac9f7 to af9828f Compare May 6, 2026 03:48
@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (8)
SECURITY_NEXT_STEPS.md (1)

7-13: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix sequence: run pre-transfer readiness before the repository transfer.

Current wording inverts control flow and can skip readiness validation during the transfer window.

Suggested wording update
-Transfer the repo to your organization, then run:
+Run pre-transfer readiness first, transfer the repo, then run post-transfer bootstrap:

 ```bash
 export GH_PAT=<repo_admin_token>
 ./scripts/github/pretransfer-readiness.sh
+# Transfer repository in GitHub settings here
 ./scripts/github/posttransfer-bootstrap.sh
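Review bot: the added `+# Transfer repository in GitHub settings here` is a comment inside the same bash block, so anyone who copies the block as a whole still runs `pretransfer-readiness.sh` and `posttransfer-bootstrap.sh` back to back with no transfer in between, which is the ordering mistake this comment sets out to fix. Split the snippet into two fenced blocks with the transfer as a numbered prose step between them, so the manual step cannot be pasted over.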
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @SECURITY_NEXT_STEPS.md around lines 7 - 13, The current sequence runs
transfer before validation; change the instructions to run export GH_PAT and
./scripts/github/pretransfer-readiness.sh first, then perform the repository
transfer in GitHub settings, and finally run
./scripts/github/posttransfer-bootstrap.sh (i.e., ensure GH_PAT,
pretransfer-readiness.sh, "Transfer repository in GitHub settings" as an
explicit intermediate step, then posttransfer-bootstrap.sh).

.github/workflows/scripts-ci.yml (1)

26-29: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use immutable SHAs for action refs in Scripts CI.

actions/checkout@v6 and ludeeus/action-shellcheck@2.0.0 are mutable refs; pinning to commit SHAs is safer for governance-grade CI.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/scripts-ci.yml around lines 26 - 29, Replace the mutable
action tags with immutable commit SHAs: update the uses entries for
actions/checkout (currently "actions/checkout@v6") and ludeeus/action-shellcheck
(currently "ludeeus/action-shellcheck@2.0.0") to pinned refs using the
repository commit SHAs (e.g. actions/checkout@<full-commit-sha> and
ludeeus/action-shellcheck@<full-commit-sha>); ensure the chosen SHAs correspond
to the intended release versions and update any README or CI notes if needed.

contracts/docker/release-gate.Dockerfile (2)

1-1: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin Foundry image and Slither version for deterministic release-gate runs.

latest and unversioned pip installs can drift between runs and undermine reproducibility of governance checks.

Pinning pattern
-FROM ghcr.io/foundry-rs/foundry:latest
+FROM ghcr.io/foundry-rs/foundry:<fixed_tag_or_digest>
@@
-RUN python3 -m pip install --no-cache-dir slither-analyzer
+RUN python3 -m pip install --no-cache-dir slither-analyzer==0.11.5
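Review bot: the `<fixed_tag_or_digest>` placeholder conflates two syntaxes: a tag is written `foundry:<tag>` but a digest is `foundry@sha256:<digest>`, and only the digest form is immutable, which is the property this comment is asking for. Pinning `slither-analyzer==0.11.5` fixes that package but not its dependencies (crytic-compile and friends), so for a reproducible gate install from a requirements file with `--require-hashes`, or pin the transitive packages as well.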

Also applies to: 15-15

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@contracts/docker/release-gate.Dockerfile` at line 1, The Dockerfile uses an
unpinned base image "FROM ghcr.io/foundry-rs/foundry:latest" which causes
non-deterministic builds; change that FROM line to a specific foundry image tag
(e.g. a concrete semver digest or tag) and also pin the Slither installation by
replacing any unversioned "pip install slither" with "pip install
slither==<stable-version>" (or the exact version used in CI) so release-gate
runs are reproducible; update the Dockerfile's FROM line and any pip install
commands that install Slither accordingly.

1-5: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix current build failure: run apt steps as root, then drop back to non-root.

The container build is failing now due to apt lock permission errors. Execute package installation as root, then switch back to foundry.

Proposed fix
 FROM ghcr.io/foundry-rs/foundry:latest
+USER root

 RUN apt-get update \
   && apt-get install -y --no-install-recommends curl git jq python3 python3-pip ca-certificates \
   && rm -rf /var/lib/apt/lists/*
@@
+USER foundry
 WORKDIR /repo/contracts
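Review bot: `USER foundry` hard-codes a user name the base image is assumed to define; if the image only sets a numeric UID, or the name differs between tags, the build fails at that line with "unable to find user foundry", so verify the name against the image actually pinned (`docker run --rm <image> id` shows it) or use the numeric UID:GID. If the `pip install` of Slither (line 15, per the pinning comment above) sits after the new `USER foundry`, it now runs unprivileged too; either move it above the `USER` switch or install with `--user` and put that user's bin directory on PATH.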
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@contracts/docker/release-gate.Dockerfile` around lines 1 - 5, The Dockerfile
currently runs apt-get as the non-root user which causes permission errors;
update the Dockerfile to switch to root before the RUN that performs apt-get
update/install and then switch back to the original non-root user (foundry)
after those commands so package installation runs with root privileges but the
final image continues to run as the foundry user — look for the base image
reference FROM ghcr.io/foundry-rs/foundry:latest and add USER root before the
apt-run block and USER foundry after it.
.github/workflows/codeql.yml (1)

6-19: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove workflow-level paths filters from required CodeQL checks.

Because this check is required, skipping the workflow via paths can leave the check pending and block merges on protected branches.

Minimal fix
 on:
   pull_request:
     branches: [main, canary, dev]
-    paths:
-      - "src/**"
-      - "contracts/**"
-      - "package.json"
-      - "pnpm-lock.yaml"
-      - ".github/workflows/codeql.yml"
   push:
     branches: [main, canary, dev]
-    paths:
-      - "src/**"
-      - "contracts/**"
-      - "package.json"
-      - "pnpm-lock.yaml"
-      - ".github/workflows/codeql.yml"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 6 - 19, Remove the workflow-level
"paths:" trigger filters so the required CodeQL check cannot be skipped;
specifically delete the top-level "paths:" blocks shown under the workflow
triggers (the "paths:" entries beneath the push and pull_request/push sections
in the CodeQL workflow) and leave the triggers without workflow-level path
filtering so the job always runs on the protected branches; ensure you only
remove those workflow-level "paths:" keys and not any job-level or step-level
conditionals.
BRANCHING.md (1)

132-135: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove duplicated required-check bullets in branch-protection examples.

Line [132]-Line [134] and Line [148]-Line [150] repeat Gitleaks Scan / Release Gate Container, which makes the policy text ambiguous.

Suggested cleanup
  - `Analyze (JavaScript/TypeScript)`
  - `Gitleaks Scan`
  - `Release Gate Container`
-- `Release Gate Container`
-- `Gitleaks Scan`
-- `Release Gate Container`

Also applies to: 148-151

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@BRANCHING.md` around lines 132 - 135, The branch-protection examples contain
duplicated required-check bullets — specifically the strings "Release Gate
Container" and "Gitleaks Scan" appear twice; remove the duplicate entries so
each required check appears only once in each example block (update the bullet
lists that reference "Release Gate Container" and "Gitleaks Scan" and the
subsequent similar block later in the file to mirror the cleaned list) and
verify the surrounding bullets (e.g., "Require at least 1 approval.") remain
intact and in the intended order.
scripts/github/verify-governance.sh (1)

47-63: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Required-check arrays are still missing mandated gates.

On Line [47] and Line [55], require_checks_dev/require_checks_main still omit Gitleaks Scan and Release Gate Container, so this script can produce a false PASS against current governance policy.

Proposed fix
 require_checks_dev=(
   "Contracts Unit + Invariant"
   "Contracts Release Check (Dry-Run + Execute Smoke)"
   "Slither Core Contracts"
   "Secrets Drift Guard"
   "Analyze (JavaScript/TypeScript)"
+  "Gitleaks Scan"
+  "Release Gate Container"
 )

 require_checks_main=(
   "Contracts Unit + Invariant"
   "Contracts Release Check (Dry-Run + Execute Smoke)"
   "Slither Core Contracts"
   "Secrets Drift Guard"
   "Analyze (JavaScript/TypeScript)"
+  "Gitleaks Scan"
+  "Release Gate Container"
   "Validate Release PR Checklist"
   "Validate Release Evidence"
 )
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/github/verify-governance.sh` around lines 47 - 63, Both
require_checks_dev and require_checks_main arrays are missing the mandated
"Gitleaks Scan" and "Release Gate Container" entries; update the arrays named
require_checks_dev and require_checks_main to include those two checks (add
"Gitleaks Scan" and "Release Gate Container" into each array) so the script
enforces the current governance gates when verifying PRs.
.github/workflows/contracts-release-gate-container.yml (1)

4-7: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don’t path-filter a required PR check.

On Line [4]-Line [7], restricting pull_request with paths can leave Release Gate Container unreported on many PRs, which conflicts with required-check branch protection behavior.

Proposed fix
 on:
   pull_request:
-    paths:
-      - "contracts/**"
-      - ".github/workflows/contracts-release-gate-container.yml"
+    branches:
+      - main
+      - canary
+      - dev
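Review bot: swapping `paths` for `branches` fixes the unreported-check problem, but `branches` on `pull_request` filters on the PR base branch, so the check is still not reported on PRs whose base is a feature branch; that is acceptable only while protection is enforced solely on main, canary and dev. If the workflow also carries a `push` trigger with the same `paths` filter (not visible in this hunk), it needs the same change.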
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/contracts-release-gate-container.yml around lines 4 - 7,
The workflow currently restricts the pull_request trigger using the
pull_request.paths block, which prevents the "Release Gate Container" check from
running on many PRs; remove the entire pull_request.paths section (leaving the
pull_request trigger enabled) so the workflow runs for all PRs and the required
check is always reported, keeping the pull_request: key but deleting the nested
paths array and its entries.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 2d1774bc-819c-4460-8e44-9d60da9a2331

📥 Commits

Reviewing files that changed from the base of the PR and between 0dac9f7 and af9828f.

📒 Files selected for processing (18)
  • .github/PRODUCTION_GOVERNANCE_CHECKLIST.md
  • .github/workflows/codeql.yml
  • .github/workflows/contracts-release-gate-container.yml
  • .github/workflows/governance-verify.yml
  • .github/workflows/scripts-ci.yml
  • .github/workflows/secrets-scan.yml
  • BRANCHING.md
  • ORG_TRANSFER_SECURITY_CHECKLIST.md
  • PROJECT_REVIEW.md
  • SECURITY_NEXT_STEPS.md
  • TRANSFER_NOW_CHECKLIST.md
  • contracts/Makefile
  • contracts/docker/release-gate.Dockerfile
  • contracts/script/ci/run-release-gate-container.sh
  • scripts/github/apply-governance.sh
  • scripts/github/posttransfer-bootstrap.sh
  • scripts/github/pretransfer-readiness.sh
  • scripts/github/verify-governance.sh
✅ Files skipped from review due to trivial changes (1)
  • ORG_TRANSFER_SECURITY_CHECKLIST.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/PRODUCTION_GOVERNANCE_CHECKLIST.md
  • scripts/github/pretransfer-readiness.sh

@iap iap added the codex label May 6, 2026
@iap iap closed this May 6, 2026
@iap iap deleted the codex/review-current-project-for-accuracy branch May 6, 2026 05:14
@iap iap removed their assignment May 6, 2026
@iap iap restored the codex/review-current-project-for-accuracy branch May 6, 2026 05:37
@iap iap reopened this May 6, 2026
@iap iap merged commit ff58873 into dev May 6, 2026
11 of 15 checks passed
@iap iap deleted the codex/review-current-project-for-accuracy branch May 7, 2026 16:55
iap added a commit that referenced this pull request May 17, 2026
* chore(deps): bump actions/setup-node from 5 to 6

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump actions/upload-artifact from 4 to 7

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump actions/checkout from 5 to 6

Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump actions/github-script from 7 to 9

Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 9.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7...v9)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump the frontend-minor-patch group with 13 updates

Bumps the frontend-minor-patch group with 13 updates:

| Package | From | To |
| --- | --- | --- |
| [@eth-optimism/viem](https://github.com/ethereum-optimism/ecosystem/tree/HEAD/packages/viem) | `0.3.2` | `0.4.15` |
| [@radix-ui/react-separator](https://github.com/radix-ui/primitives) | `1.1.2` | `1.1.8` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives) | `1.1.2` | `1.2.4` |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.0.6` | `4.2.4` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.66.0` | `5.100.8` |
| [abitype](https://github.com/wevm/abitype) | `1.0.8` | `1.2.4` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.0.1` | `3.5.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.0.6` | `4.2.4` |
| [viem](https://github.com/wevm/viem) | `2.23.1` | `2.48.8` |
| [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.4.19` | `0.5.2` |
| [mprocs](https://github.com/pvolok/mprocs) | `0.7.2` | `0.9.2` |
| [prettier](https://github.com/prettier/prettier) | `3.5.0` | `3.8.3` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.24.0` | `8.59.1` |


Updates `@eth-optimism/viem` from 0.3.2 to 0.4.15
- [Changelog](https://github.com/ethereum-optimism/ecosystem/blob/main/packages/viem/CHANGELOG.md)
- [Commits](https://github.com/ethereum-optimism/ecosystem/commits/HEAD/packages/viem)

Updates `@radix-ui/react-separator` from 1.1.2 to 1.1.8
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)

Updates `@radix-ui/react-slot` from 1.1.2 to 1.2.4
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)

Updates `@tailwindcss/vite` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/@tailwindcss-vite)

Updates `@tanstack/react-query` from 5.66.0 to 5.100.8
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.8/packages/react-query)

Updates `abitype` from 1.0.8 to 1.2.4
- [Release notes](https://github.com/wevm/abitype/releases)
- [Commits](https://github.com/wevm/abitype/compare/abitype@1.0.8...abitype@1.2.4)

Updates `tailwind-merge` from 3.0.1 to 3.5.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](https://github.com/dcastil/tailwind-merge/compare/v3.0.1...v3.5.0)

Updates `tailwindcss` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/tailwindcss)

Updates `viem` from 2.23.1 to 2.48.8
- [Release notes](https://github.com/wevm/viem/releases)
- [Commits](https://github.com/wevm/viem/compare/viem@2.23.1...viem@2.48.8)

Updates `eslint-plugin-react-refresh` from 0.4.19 to 0.5.2
- [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases)
- [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/compare/v0.4.19...v0.5.2)

Updates `mprocs` from 0.7.2 to 0.9.2
- [Release notes](https://github.com/pvolok/mprocs/releases)
- [Changelog](https://github.com/pvolok/mprocs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/pvolok/mprocs/compare/v0.7.2...v0.9.2)

Updates `prettier` from 3.5.0 to 3.8.3
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.5.0...3.8.3)

Updates `typescript-eslint` from 8.24.0 to 8.59.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: "@eth-optimism/viem"
  dependency-version: 0.4.15
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-separator"
  dependency-version: 1.1.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/vite"
  dependency-version: 4.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.100.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: abitype
  dependency-version: 1.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: tailwind-merge
  dependency-version: 3.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: viem
  dependency-version: 2.48.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: eslint-plugin-react-refresh
  dependency-version: 0.5.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: mprocs
  dependency-version: 0.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: prettier
  dependency-version: 3.8.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: typescript-eslint
  dependency-version: 8.59.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(readiness): run pre-checks before contracts working directory exists

* fix(frontend): remove non-component export from button ui

* ci(security): add codeql and dependency review gates

* chore(security): add local slither install and core scan targets

* docs(phase1): add comprehensive contributor & deployment runbooks

Add Phase 1 foundation documentation for team scaling and professional maintenance:

CONTRIBUTING.md:
- Local development setup instructions (Node, Foundry, super-cli)
- Feature branch workflow with conventional commits
- Code standards (TypeScript, Solidity, Testing)
- PR submission checklist and review process
- Testing guidelines and test structure
- Troubleshooting for common dev issues

DEPLOYMENT.md:
- Step-by-step staging deployment runbook (OP Sepolia)
- Mainnet deployment procedures with gates
- Pre/post-deployment checklists
- Evidence generation and verification
- Monitoring and health checks
- Rollback procedures for emergency scenarios
- Comprehensive troubleshooting guide
- Command cheat sheet and timeline estimates

TROUBLESHOOTING.md:
- Development setup issues (pnpm, Node, Foundry, super-cli, git hooks)
- Smart contract issues (architecture guard, layering guard, Slither findings)
- Frontend development issues (port conflicts, TypeScript errors, module resolution)
- Testing issues (hanging tests, gas, balance)
- Deployment issues (insufficient funds, timeouts, RPC problems)
- CI/CD workflow issues (stuck workflows, secrets, version mismatches)
- Network & RPC issues (timeouts, contract not found, chain ID)

.github/CODEOWNERS:
- Enhanced documentation with clear sections
- Added review requirements annotations
- Better organization for team scaling
- Maintains strict single-owner model (ready for multi-owner when scaling)

Impact:
- Enables solo maintainer to self-document workflows
- Provides clear onboarding path for new contributors
- Establishes professional deployment procedures
- Reduces support burden with comprehensive troubleshooting
- Foundation for team collaboration (docs ready for team addition)
- Production-ready documentation for auditors and stakeholders

This commit fulfills Phase 1 foundation requirements:
✅ CONTRIBUTING.md created
✅ DEPLOYMENT.md runbook created
✅ TROUBLESHOOTING.md created
✅ CODEOWNERS enhanced and documented

Ready for: Phase 2 (interactive UI) and Phase 3 (security audit planning)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(deps): bump github/codeql-action from 3 to 4 (#16)

Bump github/codeql-action from v3 to v4 to resolve Node.js 20 deprecation warnings on CI.

* chore(ci): bump dependency-review-action from v4 to v5

* chore(ci): disable CodeQL triggers until repo transferred to org with GHAS

* Enable org-transfer governance: CodeQL, Gitleaks, release-gate container, and verification scripts (#19)

* docs: replace roadmap with lean security next-steps guide

* fix(docs): remove duplicate required-check entries in BRANCHING.md

* fix(ci): add USER root in release-gate Dockerfile for apt-get permissions

* ci(security): fix dependency review tag and use OSS gitleaks CLI

* ci(security): fix gitleaks PATH on github runner

* ci(security): run gitleaks scan via docker image

* ci(security): remove hardcoded key and scope gitleaks to workspace

* ci(contracts): fix anvil key extraction for release check

* ci(contracts): require 64-byte anvil private key extraction

* ci: always run contracts/frontend checks on protected branches (#21)

* ci: phase-1 reusable workflows for frontend, slither, and secrets scan (#23)

* ci: extract reusable frontend/slither/secrets workflows

* ci(security): apply codereview pinning and permissions fixes

* fix(contracts): bridge approval safety + IRYLA interface decoupling

- Wrap sendERC20 in try/catch; clear approval and revert with BridgeFailed() on failure
- Extract IRYLA interface (inherits IERC20); MARKSettlementModule decoupled from concrete RYLA type
- Add unit test for BridgeFailed catch branch

* docs: sync governance and CI docs with current protections

- Add missing required checks (Secrets Drift Guard, Release Gate Container) to all branch matrices
- Fix Analyze (JavaScript/TypeScript) casing to match canonical check names
- Fixes Validate Governance Policy Consistency CI check

* chore(deps): bump frontend minor/patch dependencies

105 minor and patch updates including:
- @tanstack/react-query 5.100.8 → 5.100.9
- typescript-eslint 8.59.1 → 8.59.2
- bufferutil 4.0.9 → 4.1.0
- jiti 2.6.1 → 2.7.0
- lockfile resolutions updated accordingly

All CI checks pass on Node 20 and 22.

* fix(deps): bump vite 6.1.0 → 6.4.2 (security)

Fixes high-severity arbitrary file read CVE and medium-severity path traversal in vite dev server.

* test(contracts): add missing unit test coverage

71 tests (was 59). Covers zero-input guards, exact error selectors, accumulator resets, supportsInterface, and isMint flag binding.

* chore(governance): migrate CODEOWNERS to @trade/maintainers team

Replaces @iap with @trade/maintainers across all CODEOWNERS entries. Team created with maintain permission on repo.

* chore(ci): switch CodeRabbit to assertive profile

profile: chill → assertive, request_changes_workflow: false → true

* fix(docs): add VALIDATE_MODE to staging checklist prerequisites

Adds missing VALIDATE_MODE env var to staging checklist. Clarifies operator/attester rotation step with RUNBOOK.md reference. Removes trailing newline from package.json.

* chore(docs): remove stale pre-transfer planning documents

Removes TRANSFER_NOW_CHECKLIST.md, ORG_TRANSFER_SECURITY_CHECKLIST.md, SECURITY_NEXT_STEPS.md, PROJECT_REVIEW.md — all completed with the org transfer on May 6, 2026.

* chore(governance): clean up CODEOWNERS

Remove decorative section dividers, redundant comments, and duplicate entry. Consolidate contract path globs.

* fix(ci): workflow correctness and consistency fixes

Pin slither-analyzer==0.11.5, fix secrets-drift-guard false positives, fix verify-governance.sh dismiss_stale_reviews on dev, add canary to evidence-manifest trigger, fix inputs context, fix wait-port, add pull_request_target comments, add Docker layer caching.

* feat(contracts): migrate AttestedSettlementVerifier to EIP-712

Replace hybrid EIP-191 pattern with standard EIP-712 typed data signing. Expose settlementDigest() for off-chain signers. Add NatSpec on proof encoding and contextHash. 71 tests pass.

* chore: improve gitignore coverage

Add .env/.env.*/*.env and supersim-logs/ to root gitignore. Add coverage/ to contracts gitignore.

* fix(ci): reliability and correctness fixes

Add timeout-minutes:15 to stuck jobs, replace rg with grep -Eo in smoke script, pin slither==0.11.5 in Makefile, add explicit invariant runs=256 to foundry.toml.

* chore(deps): ignore transitive alerts from super-cli

Ignore @hono/node-server, drizzle-orm, @stablelib/ed25519 scoped to vulnerable versions — all transitive from super-cli dev tool, no upstream fix available.

* docs: add SECURITY.md

Reporting channel, scope, response SLA, and supported versions.

* chore(deps): bump @types/node from 22.13.1 to 25.6.1

Type definitions update.

* chore(deps): bump typescript from 5.7.3 to 6.0.3

Add ignoreDeprecations:6.0 for baseUrl deprecation warning.

* chore(deps): bump frontend-minor-patch group

viem, debug, and other minor/patch updates.

* chore(deps): bump docker/setup-buildx-action from 3 to 4

Node 24 runtime update.

* chore(deps): bump frontend-minor-patch group

Minor/patch frontend dependency updates.

* fix: stale references and check name mismatches

Remove chainId double-encoding from AttestedSettlementVerifier, fix stale iap/mark URLs, fix governance script check names to match actual CI output.

* test(contracts): add bridge integration test against supersim

Exercises MARKBridgeAdapter against live SuperchainTokenBridge on two supersim forks. Verifies cross-chain token transfer and rate limit enforcement.

* test(contracts): add bridge adapter invariant fuzz tests

Three invariants covering rate limiting: daily cap never exceeded, accumulator consistent with cap, zero address never holds operator role. 74 tests pass.

* fix(governance): sync check lists and fix ruleset condition

Fix ruleset condition bug (canary/main now covered), sync apply-governance.sh and verify-governance.sh with live branch protection, fix frontend check name prefix in docs.

* chore(governance): document new ruleset structure

Two focused rulesets: branch-protection (CodeQL alert gate) and tag-protection (v* tags). Replaces the broken develop ruleset.

* feat(token): rename RYLA display name to 'RYLA Credits'

name() returns 'RYLA Credits', symbol stays 'RYLA'. Test and verification script updated.

* test

Documents key roles and trust assumptions, attester key rotation
procedure, break-glass procedure, production mode implications,
and key storage recommendations for auditors and operators.

* fix(ci): use matrix language as CodeQL job name

Produces consistent check name 'Analyze (javascript-typescript)' matching branch protection requirements.

* chore(config): harden staging profile and document environment setup

Remove PRIVATE_KEY from staging.env, fix bridge destination to OP Sepolia, add key separation docs, fix env guard and drift guard for CI validation.

* feat(frontend): replace dev dashboard with protocol info page

Protocol info page with pre-production status, contract descriptions, and resource links. Providers updated to optimism/optimismSepolia.

* chore(docs): cleanup and NatSpec improvements

Fix README clone URL and naming, remove stale date from CONTRIBUTING.md, add eip712Domain NatSpec and no-pause design decision docs.

* fix(contracts): document setVerifier interface check limitation

Add @dev comment explaining code.length check rejects EOAs but not non-conforming contracts.

* docs: add protocol philosophy to README

Code is a rule. No DAO, no drama. Don't Trust, Verify.

* fix(ci): add working-directory override to pre-checkout branch enforcement steps

Fixes pre-checkout branch check failing with 'No such file or directory' in staging and production workflows.

* fix(ops): enable post-deploy in rehearse-production-lock

Enable MARK_RELEASE_RUN_POSTDEPLOY so activateProductionMode() is called during rehearsal.

* fix(ops): export deployed verifier address to env before PostDeployMARKSetup

Fixes VerifierRequiredWhenProofEnabled during staging rehearsal.

* fix(ci): exclude Anvil default key from secrets drift guard

Syncs Anvil key exclusion to dev.

* test

THREAT_MODEL.md: trust boundaries, role compromise impact, external
dependencies, invariants, and explicit out-of-scope items.

KNOWN_ISSUES.md: six accepted design decisions with rationale —
attested verifier as ZK placeholder, no-pause design, setVerifier
interface check limitation, counter overflow analysis, timestamp
epoch manipulation, and transitive dep alerts.

* fix(docs): correct two inaccurate invariants in THREAT_MODEL.md

consumedIntents is set after proof validation, not before. Module balance invariant is per-operation, not absolute zero.

* fix(contracts): move consumedIntents assignment before external call (CEI)

Follows CEI pattern — marks intent consumed before external verifier call. No behaviour change for current view verifier.

* chore(governance): set canary to 0 required approvals for solo maintainer

Solo dev cannot self-approve. CI checks are the gate. Restore to 1 when second team member joins.

* docs(contracts): add NatSpec to settleMint and settleBurn

Documents pre-approval requirement for settleBurn.

* fix(ops): wait for tx confirmation in staging rehearsal

Add --slow to forge script broadcast so Foundry waits for each transaction receipt before the verify step runs.

* fix(governance): set all branches to 0 required approvals

Solo maintainer cannot approve own PRs. CI gates are the enforcement mechanism. Removes MAIN_REVIEW_COUNT/DEV_REVIEW_COUNT vars, adds approval count verification to verify-governance.sh.

* fix(governance): restrict direct pushes to trade/maintainers team

Restricts direct pushes on all branches to trade/maintainers team. Removes unused helper functions. verify-governance.sh now checks push restriction team slug.

* fix(deps): update drizzle-orm dependabot ignore rule to 0.38.4

drizzle-orm@0.38.4 is transitive from @eth-optimism/super-cli. Updated ignore rule to match installed version. All four Dependabot alerts dismissed as tolerable risk.

* feat(contracts): add Groth16SettlementVerifier

Adds Groth16SettlementVerifier implementing IUTXOSettlementVerifier via swappable IGroth16Verifier. 12 unit tests passing. AttestedSettlementVerifier remains active production verifier.

* feat(circuits): add UTXOSettlement circom circuit

Adds UTXOSettlement circom circuit. Poseidon-based UTXO ownership proof. 602 constraints, 6 witness tests passing.

* feat(contracts): add MARKPool ZK UTXO pool domain

Adds MARKPool shielded RYLA transfer pool. 88 unit tests passing.

* fix(contracts): rewrite MARKPool for MARK's 4-signal circuit

Rewrites MARKPool from scratch for MARK's own UTXOSettlement circuit. UTXOVerifier.sol regenerated from MARK's own trusted setup. 84 unit tests passing.

* fix(circuits): add range constraints and isMint burn path

Range constraints on recipient/chainId/settlementModule/amount. isMint burn path in MARKPool. Trusted setup rerun. 84 tests passing.

* feat(pool): add MARKPool ZK UTXO pool domain (#100)

* feat(pool): add MARKPool ZK UTXO pool domain

Introduces the full pool domain for private RYLA transfers:

Contracts:
- MARKPool: ZK UTXO pool with Merkle tree, fee policy, bridge-out/in,
  withdraw binding, AccessManaged access control
- MARKWithdrawAdapter: EIP-712 signature-based withdrawal adapter
- RYLACreditLedger: ICreditLedger adapter bridging MARKPool to RYLA
  mint/burn; restricted to pool caller only (onlyPool)
- PoolFeePolicy, PoolPublicInputs, PoolValidation: pool support libraries
- MARKPoolVerifier: Groth16 verifier generated from MARKPool circuit
  (13 public signals, pot15 trusted setup)

Interfaces: ICreditLedger, IVerifier, IPoolBridge, IPoolNullifier

Crypto: MerkleTree (Poseidon, depth-20), ProofUtils, PoseidonT3

Circuit:
- circuits/mark/MARKPool.circom: MARK-native UTXO circuit (depth=20,
  2-in/2-out, 13 public signals); renamed from prototype utxo.circom,
  domain constants documented as permanent, hardcoded fee policy removed
- circuits/setup.mjs: trusted setup script (pot15)
- circuits/test/MARKPool.test.mjs: 13 witness tests

CI: circuits-ci.yml runs witness tests on every PR

Tests: MARKPool.t.sol (22), MARKWithdrawAdapter.t.sol (9),
       RYLACreditLedger.t.sol (8)

* fix(pool): fix PoolErrors, domain separators, remove dead code

- PoolErrors.sol: rewrite to match Pool.sol, PoolValidation.sol, and
  MerkleTree.sol — adds 25 missing errors (build was broken), removes
  18 errors only used by the old MARKPool prototype
- MARKPool.sol: rename domain separator Pool.WithdrawBinding.v1 to
  MARKPool.WithdrawBinding.v1 (permanent, must be set before deploy)
- MARKWithdrawAdapter.sol: rename domain separator
  WithdrawAdapter.Intent.v1 to MARKWithdrawAdapter.Intent.v1
- UTXOVerifier.sol: delete (built for old 4-signal circuit, wrong
  interface, superseded by MARKPoolVerifier.sol)
- IUTXOVerifier.sol: delete (superseded by IVerifier.sol)
- UTXOSettlement.circom: delete (superseded by MARKPool.circom)
- Groth16SettlementVerifier.sol: update stale comment
- KNOWN_ISSUES.md: add KI-7 (two-circuit architecture), KI-8 (pool
  domain access control model)
- foundry.toml: via_ir = true for pool domain compilation

* fix(pool): immutable naming, deploy script, docs, invariants, arch guard

- MARKPool, MARKWithdrawAdapter: rename immutables to SCREAMING_SNAKE_CASE
  (assetLedger->ASSET_LEDGER, proofPool->PROOF_POOL)
- MARKPool: remove _assetLedger from constructor; add setAssetLedger()
  one-time restricted setter to break circular deploy dependency with
  RYLACreditLedger
- DeployMARKPool.s.sol: full deployment script for pool domain
  (AccessManager, MARKPool, RYLACreditLedger, MARKWithdrawAdapter)
- MARKPool.sol: add withdrawal flow NatSpec (burn-to-claim model)
- ARCHITECTURE.md: add pool/withdraw domains, dependency rules, and
  withdrawal flow section
- MARKPoolInvariants.t.sol: 3 invariants (nullifiers never unspent,
  withdraw bindings immutable, root queue only grows)
- architecture-guard.sh: add pool->settlement/bridge and
  withdraw->settlement/bridge isolation rules

* fix(pool): fix deploy script role grant and ASSET_LEDGER null guard

- DeployMARKPool.s.sol: grant POOL_ADMIN_ROLE to deployer during setup
  so setAssetLedger/setIntentSigner calls succeed when deployer != owner;
  revoke deployer role after setup completes
- MARKPool._applyFee: revert InvalidAssetLedger if ASSET_LEDGER is not
  set and a non-zero fee is applied (prevents silent call to address(0))

* fix(ci): compile circuit before running witness tests

circuits/build/ is gitignored so the WASM and witness_calculator.js
are not in the repo. Add circom install and npm run build steps before
npm test so CI compiles the circuit fresh on each run.

* fix(ci): create build dir before circom compile

* refactor(pool): pre-merge improvements

- Rename immutables to SCREAMING_SNAKE_CASE: assetLedger->ASSET_LEDGER,
  proofPool->PROOF_POOL (MARKPool.sol, MARKWithdrawAdapter.sol)
- MARKPool: remove _assetLedger from constructor, add setAssetLedger()
  one-time restricted setter to break circular deploy dependency with
  RYLACreditLedger
- MARKPool: add withdrawal flow documentation to contract NatSpec
- ARCHITECTURE.md: add pool/withdraw domains, dependency rules, and
  withdrawal flow explanation
- DeployMARKPool.s.sol: deployment script for MARKPool, RYLACreditLedger,
  MARKWithdrawAdapter with AccessManager configuration
- MARKPoolInvariants.t.sol: 3 invariants (nullifiers never unspent,
  withdraw bindings immutable, root queue only grows)
- architecture-guard.sh: add pool and withdraw domain isolation rules

* chore(pool): update circuits CI, setup, and pool errors

- circuits-ci.yml: updated to run MARKPool witness tests
- circuits/package.json: build/test scripts point to MARKPool.circom
- circuits/setup.mjs: updated for MARKPool.circom trusted setup
- circuits/test/MARKPool.test.mjs: cleaned up test file
- contracts/KNOWN_ISSUES.md: updated KI-7 for current two-circuit state
- contracts/src/pool/errors/PoolErrors.sol: add missing blank line

* fix(pool): address CodeRabbit review findings

- circuits-ci.yml: fix circom install permissions (use sudo mv to
  /usr/local/bin instead of direct write which fails on GH Actions)
- PoolErrors.sol: add clarifying comment to FixedFeePolicy explaining
  it fires when minFee > 1 (not a fee-rate policy, a range guard)
- MARKWithdrawAdapter.sol: document personal_sign intent on
  computeWithdrawIntentDigest (EIP-191 is intentional, not EIP-712)

bridgeIn replay protection finding: already fixed in current code
(processedBridgeMessages mapping + check at line 390) — stale finding.

* fix(pool): address second round CodeRabbit findings

- setup.mjs: use crypto.randomBytes for ceremony entropy (Date.now is
  predictable), add mkdirSync for build/, fix EJS template loading to
  use readFileSync instead of dynamic import with assert (unsupported
  in Node 20/22/24 ESM)
- circuits-ci.yml: pin circom to v2.2.3 instead of latest, add version
  verification step
- KNOWN_ISSUES.md: fix misleading 'settlement-specific verifier' wording
  — MARKPoolVerifier is a shared pool verifier, not settlement-specific
- MARKPool.sol: fix NatSpec EIP-712 reference to EIP-191 (personal_sign)

* feat(pool): add pool E2E test, fix RYLACreditLedger caller model

RYLACreditLedger:
- Separate credit (pool-only) and debit (adapter-only) callers
- Add setAdapter() one-time setter to break circular deploy dependency
  (adapter constructor needs ledger, ledger needs adapter address)
- Add AdapterAlreadySet error

DeployMARKPool.s.sol:
- Call ledger.setAdapter(adapter) after adapter deployment

Tests:
- RYLACreditLedger.t.sol: updated for new caller model, 11 tests
- MARKWithdrawAdapter.t.sol: add setAdapter call in setUp
- MARKPoolE2E.t.sol: full withdrawal flow E2E test (3 tests)
  - testFullWithdrawalFlow: mint RYLA -> transactWithWithdrawBinding
    -> withdrawWithSig -> verify RYLA burned, ETH received
  - testNullifierReplayRejected
  - testBindingMismatchRejected

134/134 tests pass

* feat(pool): add ReleasePool.s.sol orchestrator and pool env vars

- ReleasePool.s.sol: release orchestrator for pool stack following the
  same pattern as ReleaseMARK.s.sol — preflight checks, deploy via
  DeployMARKPool, post-deploy verification (wiring checks + RYLA roles),
  JSON artifact write
- .env.example: add pool stack env vars (MARK_POOL_VERIFIER,
  MARK_POOL_OWNER, MARK_POOL_INTENT_SIGNER, release flags, artifact
  path, post-deploy verify addresses)

* fix(pool): security fixes and dead code removal

RYLACreditLedger:
- Add OWNER immutable (set to msg.sender in constructor)
- Restrict setAdapter to OWNER to prevent front-running between
  deployment and the setAdapter call in the release script
- Add testSetAdapterRevertsForNonOwner test
- Add clarifying NatSpec to totalCreditsOutstanding explaining it
  tracks only flows through this ledger, not total RYLA supply

MARKWithdrawAdapter:
- Move ETH transfer before ASSET_LEDGER.debit — if ETH transfer
  fails, RYLA is no longer burned (was a loss-of-funds bug)

MARKPool:
- Remove dead _seedRoot function (defined but never called)
- Add NatSpec to computePublicInputsWithWithdraw clarifying
  chainId vs dstChainId semantics

* fix(test): fix nullifier replay test to use fresh signatures

testNullifierReplayRejected was reusing signatures computed for nonce N
in the second withdrawWithSig call with nonce N+1, causing a NonceMismatch
revert instead of exercising nullifier replay protection. Now recomputes
the intent hash and signs with the updated nonce so the revert is caused
by NullifierAlreadyClaimed as intended.

* fix(pool): guard totalCreditsOutstanding against underflow

* feat(pool): add pool release CI check and deploy script tests

contracts-ci.yml:
- Add pool release dry-run and execute smoke steps to the
  contracts-release-check job, reusing the Anvil instance and
  RYLA token deployed by the settlement release step
- Assert pool release artifact schema (pool, ledger, adapter addresses)

MARKPoolDeployScripts.t.sol:
- testDeployMARKPoolWiresAllContracts: verifies all contract wiring
  (pool<->ledger, ledger<->adapter, RYLA roles)
- testDeployMARKPoolSetsIntentSignerWhenProvided: verifies intent signer
  is configured when MARK_POOL_INTENT_SIGNER is set
- testDeployMARKPoolRevertsWhenMissingTokenAdmin: verifies preflight
  check rejects deployer without RYLA admin role

138/138 tests pass

* fix(pool): address final CodeRabbit findings

- contracts-ci.yml: remove '|| true' from pool release dry-run step;
  use the deployed settlement module address as verifier (a real contract)
  so the preflight code.length check passes without masking failures
- RYLACreditLedger.sol: fix NatSpec on totalCreditsOutstanding to
  accurately describe accounting scope — _totalBurned can exceed
  _totalMinted if RYLA is burned via other paths (e.g. settlement module)

* fix(ci): fix pool release CI failure and address CodeRabbit finding

contracts-ci.yml:
- Add --skip-simulation to pool release broadcast — PoseidonT3 (55,856
  bytes) exceeds EIP-170 limit and cannot be deployed without refactoring
  to a linked library; --skip-simulation tests script orchestration only
- Fix jq assertion to use regex validation instead of zero-address check,
  rejecting null values and validating hex address format

KNOWN_ISSUES.md:
- Add KI-8 documenting PoseidonT3 contract size issue and required fix
  before mainnet (deploy as standalone contract, call via interface)

* fix(ci): remove pool execute smoke, fix jq assertion, fix KI-7 wording

contracts-ci.yml:
- Remove pool release execute smoke step — MARKPool (24,841 bytes) and
  PoseidonT3 (55,856 bytes) exceed EIP-170 limit and cannot be broadcast
  to Anvil; pool deploy requires PoseidonT3 refactor (KI-8) first
- Keep pool release dry-run only (validates script logic and preflight)
- Remove the now-unused artifact assertion step

KNOWN_ISSUES.md:
- Fix KI-7: both pool and settlement systems use the same MARKPool
  circuit — remove implication of distinct circuit designs

* fix(pool): add code.length checks to RYLACreditLedger constructor and setAdapter

Prevents EOAs from being set as TOKEN, POOL, or ADAPTER.
Adds InvalidContract error. 3 new tests cover the EOA rejection cases.
setUp uses vm.etch to give mock addresses contract bytecode.

* fix(contracts): harden settlement verifier flow and CI reliability

* fix(review): address open CI and pool verifier feedback

* refactor(pool): rename min fee guard error for clarity

* fix(pool,settlement): replace require strings and wrong errors with custom errors

PoolFeePolicy:
- Replace require(maxFeeBurnBps != 0, string) and require(feeBurnBps <= maxFeeBurnBps, string)
  with custom error FeePolicyInvalidBps() — consistent with codebase style, lower gas

Groth16SettlementVerifier:
- Replace ZeroAddress() with VerifierNotAContract() for verifierContract code.length check
- Replace ZeroAddress() with SettlementModuleNotAContract() for settlementModule code.length check
- ZeroAddress was semantically wrong for non-zero addresses that have no code

* ci: trigger fresh CI run

* docs(pool): correct KI-8 — MARKPool itself is over EIP-170 size limit

Investigation: MARKPool is 24,960 bytes (over 24,576 limit) even without
PoseidonT3 inlining. via_ir=true already prevents PoseidonT3 from being
inlined. The fix requires splitting MARKPool into smaller contracts, not
just extracting PoseidonT3 as a standalone contract. Both are required.

* fix(pool): reduce MARKPool below EIP-170 size limit (24200 < 24576 bytes)

Size reductions (24961 -> 24200 bytes, -761 bytes):
- Remove redundant verifierAddr.code.length check in _verifyAndConsume
  (already validated in setVerifier, cannot change after deployment)
- Remove redundant tail != rootQueueTail guard in _insertCommitmentsValidated
  (always true after inserting 2 commitments)
- Inline _requireCommitmentsValid wrapper (single-line delegation)
- Inline _insertCommitments wrapper (only called from bridgeIn)
- Remove computePublicInputs and computePublicInputsWithWithdraw public
  view functions from MARKPool — _buildPublicInputs now calls
  PoolPublicInputs.build directly; off-chain callers use PoolPublicInputs

Bug fixes:
- PoolValidation: move NullifierDuplicate check before the loop so
  duplicate nullifiers get the precise error, not NullifierUsed
- MARKPool.pause(): document that unpause() does NOT auto-restore
  withdrawals (intentional asymmetry, requires explicit unpauseWithdrawals)

* fix: address CodeRabbit findings (circuits, Makefile, architecture-guard)

circuits/test/MARKPool.test.mjs:
- Remove unused buildMerklePath helper (tests use buildTwoLeafRoot)

circuits/setup.mjs:
- Add r1cs existence check before trusted setup with clear error message

contracts/Makefile:
- Restore test-core to exclude invariant tests (--no-match-path)
  so ci-fast remains fast as documented

contracts/script/ci/architecture-guard.sh:
- Tighten all four import regexes to handle optional leading whitespace
  and any number of ../ segments (prevents bypass via indented imports
  or deeper relative paths)

* fix: address remaining CodeRabbit findings

contracts/src/pool/MARKPool.sol:
- setVerifier: add code.length check (consistent with constructor)

circuits/test/MARKPool.test.mjs:
- expectFail: only treat constraint/assertion failures as PASS;
  rethrow other errors so regressions surface

contracts/KNOWN_ISSUES.md:
- KI-7: separate design capability from configuration state for
  settlement system wording

* fix(circuits): lowercase error message comparison in expectFail

* docs(deployment): add Groth16SettlementVerifier wiring step (Step 18)

Documents the two post-deploy calls required to activate ZK-based
settlement: setSettlementModule and setVerifierContract on
Groth16SettlementVerifier, then setVerifier on MARKSettlementModule.
AttestedSettlementVerifier remains the fallback until wiring is complete.

* fix(settlement): return false on malformed proof in Groth16SettlementVerifier (#101)

abi.decode reverts on malformed/short proof bytes, which propagated
through MARKSettlementModule as a raw error instead of VerificationFailed.
Fix: check proof.length == 672 before decoding (fixed ABI encoding size:
uint256[2]+uint256[2][2]+uint256[2]+uint256[13] = 64+128+64+416 = 672).
Malformed proofs now return false cleanly.

Tests: testVerifySettlementReturnsFalseForMalformedProof,
       testVerifySettlementReturnsFalseForEmptyProof

* fix(ci): exclude integration tests from test-core target (#102)

test-core was running integration tests (which require supersim on port 9545)
because --no-match-path on the command line overrides foundry.toml's
no_match_path setting rather than adding to it.

Use brace glob to exclude both invariant and integration tests.

* fix(test): remove unverifiable cross-chain assertion from integration test (#103)

testBridgeToTransfersTokensCrossChain switched to fork B and checked the
recipient balance, but Foundry fork tests cannot simulate supersim's async
message relay — the contract simply doesn't exist on the other fork.

Fix: assert only the source-chain burn (which is fully verifiable in a fork
test). Add a NatSpec note explaining the relay limitation.

* docs(pool): correct KI-8 — PoseidonT3 inlined via via_ir, MARKPool deployable (#104)

* docs(pool): correct KI-8 — PoseidonT3 is inlined via via_ir, MARKPool is deployable

via_ir=true causes the compiler to inline PoseidonT3 into MARKPool rather
than deploying it as a linked library. MARKPool has no link references and
is 24,298 bytes (278 bytes under EIP-170). KI-8 was based on an earlier
state where MARKPool exceeded the limit.

Updated KI-8 to reflect accurate current state and note the tight margin.

* refactor(crypto): use >>= 1 instead of /= 2 in MerkleTree insert

* security: harden pool domain before testnet (#105)

* security: harden pool domain before testnet

- Add pool/withdraw/Groth16 contracts to slither-core scope
- Document all slither exclusion rationale in Makefile
- RYLACreditLedger: add Credit/Debit events, move before external calls (CEI)
- MARKWithdrawAdapter: add test for recipient zero-check (existing check, missing test)
- THREAT_MODEL.md: add pool stack overview, trust boundaries, role compromise
  impact, and 3 new invariants (nullifier replay, withdraw binding, debit approval)

* fix(ci): use per-contract slither exclusions instead of global

CodeRabbit correctly noted that global exclusions could suppress actionable
findings in newly added contracts. Refactored slither-core to apply only
the relevant exclusions per contract. Also added arbitrary-send-erc20 to
MARKSettlementModule and RYLACreditLedger (both use safeTransferFrom with
prior approval — not arbitrary).

* fix(ci): add set -e to slither-core, fix preflight to use python3 -m slither

Without set -e, a failing early slither invocation would be masked if the
final command succeeds. Also align the preflight check with the actual
invocation (python3 -m slither, not command -v slither).

* ci: fix 4 workflow issues pre-testnet (#106)

* ci: fix 4 workflow issues pre-testnet

1. Sync _reusable-contracts-slither.yml with Makefile
   - Delegate to 'make slither-core' (single source of truth)
   - Now covers all 8 contracts with per-contract exclusions
   - Previously only scanned 4 settlement contracts with global exclusions

2. Enable pool execute smoke in contracts-ci.yml
   - KI-8 resolved: via_ir inlines PoseidonT3, MARKPool is 24,298 bytes
   - Pool broadcast to Anvil now works; remove stale blocker comment

3. Fix integration test readiness check
   - Wait on ports 9545/9546 (actual RPC ports) not 8420 (admin port)
   - Use nc loop consistent with anvil readiness pattern

4. Pin foundry-rs/foundry-toolchain to v1.8.0 commit SHA
   - Floating @v1 could silently break on Foundry breaking changes
   - Pinned: c7450ba673e133f5ee30098b3b54f444d3a2ca2d (v1.8.0)

* fix(ci): remove foundry version input from reusable slither workflow

The version input was passed as 'v1.8.0' to the action's 'version' input
which expects a Foundry binary tag (e.g. 'stable', 'nightly'), not the
action version. This caused foundryup to fail extracting the tar archive.
Use the action's default Foundry version instead.

* fix(ci): revert pool execute smoke — Foundry rejects PoseidonT3 artifact size

forge create/broadcast checks all library artifacts for EIP-170 compliance.
PoseidonT3 is 55,856 bytes as a standalone artifact even though via_ir inlines
it into MARKPool at compile time. The broadcast is blocked before deployment.

Keep dry-run only. Update KI-8 with the precise diagnosis.

* fix(pool): resolve PoseidonT3 deployment blocker via external interface (#107)

PoseidonT3 is a Solidity library with a public function — it gets deployed
as a separate linked contract (55,856 bytes) which exceeds EIP-170 (24,576).
This blocked all pool deployments.

Fix: replace the library call with an external interface (IPoseidonT3).
MerkleTree now stores the Poseidon contract address in the Tree struct and
calls it via a DELEGATECALL-free external call. MARKPool constructor accepts
a _poseidon address parameter.

Default deployment address: 0xB43122Ecb241DD50062641f089876679fd06599a
This is Semaphore's PoseidonT3 (PSE/Ethereum Foundation), deployed at the
same address on all EVM networks via CREATE2. Verified compatible with our
implementation: hash([0,0]) and hash([1,2]) produce identical outputs.

MARKPool now has zero link references and is fully self-contained.
MARKPool size: 24,231 bytes (345 bytes margin under EIP-170).

Tests: deployCode('PoseidonT3.sol:PoseidonT3') in test setUp bypasses
EIP-170 (Foundry test runner does not enforce the limit).

* chore(circuits): remove stale UTXOSettlement artifacts (#108)

* chore(circuits): remove stale UTXOSettlement artifacts

UTXOSettlement circuit is superseded by MARKPool.circom.
Remove the stale test file and old verification key artifact.
The utxo/ source and build/ artifacts are already gitignored.

* ci: trigger Release Gate Container for circuits-only PRs

Add circuits/** to path filter so the required check runs and passes
when only circuit files change (no contracts affected).

* ci: add circuits/** to push paths for consistency

* ci: remove path filter from release gate pull_request trigger

* ci: add circuits/** to CodeQL path filter to unblock circuits-only PRs

* fix: address codebase review findings (#109)

Bug: RYLACreditLedger.debit() — move _totalBurned update before
safeTransferFrom to follow CEI pattern. Previously the state update
happened after the external call, creating a reentrancy window where
_totalBurned was not yet incremented during the transfer callback.

Docs: KNOWN_ISSUES.md KI-8 — update stale size figures and description.
MARKPool is now 24,231 bytes (345 bytes margin). PoseidonT3 is no longer
inlined via via_ir; MerkleTree calls it via IPoseidonT3 interface at
0xB43122... (Semaphore, same address on all EVM networks).

Tests: add testConstructorRevertsOnZeroPoseidon and
testConstructorRevertsOnEOAPoseidon to MARKPool.t.sol — the _poseidon
constructor parameter added in PR #107 had no test coverage.

* ci: pin action-shellcheck to commit SHA (#110)

* ci: pin action-shellcheck to commit SHA

ludeeus/action-shellcheck@2.0.0 was pinned by version tag only.
Tags are mutable — a compromised tag could point to malicious code.
Pin to the immutable commit SHA (00cae50) for supply chain safety.

* ci: trigger CodeQL for all .github/workflows/** changes

* chore(deps): bump actions/dependency-review-action from 4 to 5 (#90)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4 to 5.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the frontend-minor-patch group across 1 directory with 21 updates (#91)

Bumps the frontend-minor-patch group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.2.4` | `4.3.0` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.4` | `4.3.0` |
| [baseline-browser-mapping](https://github.com/web-platform-dx/baseline-browser-mapping) | `2.10.27` | `2.10.29` |
| [electron-to-chromium](https://github.com/Kilian/electron-to-chromium) | `1.5.352` | `1.5.353` |
| [get-east-asian-width](https://github.com/sindresorhus/get-east-asian-width) | `1.5.0` | `1.6.0` |

Updates `@tailwindcss/vite` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-vite)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](https://github.com/dcastil/tailwind-merge/compare/v3.5.0...v3.6.0)

Updates `tailwindcss` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/tailwindcss)

Updates `@tailwindcss/node` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-node)

Updates `@tailwindcss/oxide-android-arm64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/android-arm64)

Updates `@tailwindcss/oxide-darwin-arm64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/darwin-arm64)

Updates `@tailwindcss/oxide-darwin-x64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/darwin-x64)

Updates `@tailwindcss/oxide-freebsd-x64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/freebsd-x64)

Updates `@tailwindcss/oxide-linux-arm-gnueabihf` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm-gnueabihf)

Updates `@tailwindcss/oxide-linux-arm64-gnu` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm64-gnu)

Updates `@tailwindcss/oxide-linux-arm64-musl` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm64-musl)

Updates `@tailwindcss/oxide-linux-x64-gnu` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-x64-gnu)

Updates `@tailwindcss/oxide-linux-x64-musl` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-x64-musl)

Updates `@tailwindcss/oxide-wasm32-wasi` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node)

Updates `@tailwindcss/oxide-win32-arm64-msvc` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/win32-arm64-msvc)

Updates `@tailwindcss/oxide-win32-x64-msvc` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/win32-x64-msvc)

Updates `@tailwindcss/oxide` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node)

Updates `baseline-browser-mapping` from 2.10.27 to 2.10.29
- [Release notes](https://github.com/web-platform-dx/baseline-browser-mapping/releases)
- [Commits](https://github.com/web-platform-dx/baseline-browser-mapping/compare/v2.10.27...v2.10.29)

Updates `electron-to-chromium` from 1.5.352 to 1.5.353
- [Changelog](https://github.com/Kilian/electron-to-chromium/blob/main/CHANGELOG.md)
- [Commits](https://github.com/Kilian/electron-to-chromium/compare/v1.5.352...v1.5.353)

Updates `enhanced-resolve` from 5.21.1 to 5.21.2
- [Release notes](https://github.com/webpack/enhanced-resolve/releases)
- [Changelog](https://github.com/webpack/enhanced-resolve/blob/main/CHANGELOG.md)
- [Commits](https://github.com/webpack/enhanced-resolve/compare/v5.21.1...v5.21.2)

Updates `get-east-asian-width` from 1.5.0 to 1.6.0
- [Release notes](https://github.com/sindresorhus/get-east-asian-width/releases)
- [Commits](https://github.com/sindresorhus/get-east-asian-width/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: "@tailwindcss/node"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-android-arm64"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-darwin-arm64"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-darwin-x64"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-freebsd-x64"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-arm-gnueabihf"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-arm64-gnu"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-arm64-musl"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-x64-gnu"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-x64-musl"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-wasm32-wasi"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-win32-arm64-msvc"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-win32-x64-msvc"
  dependency-version: 4.3.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/vite"
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: baseline-browser-mapping
  dependency-version: 2.10.29
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: electron-to-chromium
  dependency-version: 1.5.353
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: enhanced-resolve
  dependency-version: 5.21.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: get-east-asian-width
  dependency-version: 1.6.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Iko <6572003+iap@users.noreply.github.com>

* chore: update LICENSE copyright to Trade 2026 (#111)

* chore: update LICENSE copyright to Trade 2026

The project was scaffolded from an Optimism template but is original work.
Update copyright holder from Optimism to Trade and year to 2026.

* ci: remove path filter from CodeQL pull_request trigger

CodeQL is a required check for all PRs. With a path filter, PRs that
only touch files outside the filter (e.g. LICENSE, README) are blocked
indefinitely waiting for CodeQL results that never come.

Remove the pull_request path filter so CodeQL always runs on PRs.
Keep the push path filter to avoid unnecessary runs on branch pushes.

* chore: remove stale deploy-contracts step from mprocs.yaml (#112)

deploy:supersim and deploy:counter-incrementer:supersim are template
artifacts from the original Optimism scaffold. They no longer exist.
Remove the stale deploy-contracts proc.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
iap added a commit that referenced this pull request May 17, 2026
…116)

* ops: enforce promotion freshness and commit lineage checks

* ops: add full release evidence dispatch sequence

* ops: add release secret bootstrap helper

* ops: harden release dispatch run correlation and strict env checks

* refactor: centralize core contract custom errors

* refactor(contracts): separate bridge/settlement domains and harden settlement flows

* ci(contracts): enforce architecture/layering guards and fix refactor paths

* chore(contracts): remove legacy files replaced by domain refactor

* feat(ops): add canonical release-gate workflow with evidence artifact

* chore(governance): align release flow and policy guard with canary promotion

1. Update release PR template to canary -> main
2. Extend governance-policy-guard push triggers to include canary
3. Document explicit release promotion path dev -> canary -> main in root README
4. Clarify retirement of legacy CrossChainCounter examples/tests in contracts README
5. Keep governance consistency validator passing after updates

* feat(release): harden CI gates and retire cross-chain demo artifacts

1. Enable canary across contracts CI, env guard, slither, and secrets drift workflows
2. Add canary push-driven staging rehearsal defaults and stricter required input checks
3. Strengthen release gate with signed evidence-manifest verification and artifact-anchored deployment verification
4. Add evidence tooling scripts (generate/sign/verify manifest and signature, verify-from-artifact)
5. Retire legacy CrossChainCounter example contracts, ABIs, deploy script, and associated tests
6. Update app shell and package scripts toward MARK protocol operations workflow

* chore(ci): stabilize local test and lint signal

1. Exclude vendored/generated contract directories from root ESLint scope
2. Split fast core tests and invariant tests in contracts Makefile
3. Bound local invariant runs for predictable ci-full runtime

* fix(ci): repair contracts workflow execution on GitHub

1. Fix contracts integration job condition to use github.event.inputs
2. Run slither per target contract instead of invalid multi-target invocation

* fix(ci): quote static private key in contracts-ci workflow env

* fix(slither): codify accepted detector exclusions for MARK contracts

Exclude known/accepted findings (naming convention, timestamp epoching, operator-gated transferFrom pattern, and benign reentrancy patterns) while keeping fail-medium enforcement for remaining detectors.

* chore(ci): harden workflow runtime compatibility and add frontend node matrix

1. Upgrade actions/checkout from v4 to v5 across workflows
2. Upgrade actions/setup-python from v5 to v6 in python-based workflows
3. Add frontend CI workflow with Node 20/22 matrix for typecheck, lint, and build validation

* fix(frontend-ci): ensure pnpm setup works with node matrix

Use actions/setup-node@v5 and remove premature pnpm cache wiring so pnpm/action-setup can install pnpm before dependency install.

* fix(frontend-ci): install pnpm before setup-node auto-cache check

* fix(frontend-ci): rely on packageManager-pinned pnpm version

* chore(ci): replace pnpm action with corepack-pinned bootstrap

1. Remove pnpm/action-setup usage from frontend and contracts integration workflows
2. Use corepack with pinned pnpm@9.0.2 from project policy
3. Disable setup-node package-manager auto-cache probing to avoid pnpm bootstrap race

* fix(contracts-ci): wait for anvil before release dry-run

* chore(deps): add dependabot config for actions and npm

* chore(deps): add dependabot config for actions and npm

* chore(coderabbit): add repository-level review configuration

* fix(readiness): run pre-checks before contracts working directory exists

* chore: promote dev to canary (ci and quality sync) (#15)

* chore(deps): bump actions/setup-node from 5 to 6

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump actions/upload-artifact from 4 to 7

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump actions/checkout from 5 to 6

Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump actions/github-script from 7 to 9

Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 9.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7...v9)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump the frontend-minor-patch group with 13 updates

Bumps the frontend-minor-patch group with 13 updates:

| Package | From | To |
| --- | --- | --- |
| [@eth-optimism/viem](https://github.com/ethereum-optimism/ecosystem/tree/HEAD/packages/viem) | `0.3.2` | `0.4.15` |
| [@radix-ui/react-separator](https://github.com/radix-ui/primitives) | `1.1.2` | `1.1.8` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives) | `1.1.2` | `1.2.4` |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.0.6` | `4.2.4` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.66.0` | `5.100.8` |
| [abitype](https://github.com/wevm/abitype) | `1.0.8` | `1.2.4` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.0.1` | `3.5.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.0.6` | `4.2.4` |
| [viem](https://github.com/wevm/viem) | `2.23.1` | `2.48.8` |
| [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.4.19` | `0.5.2` |
| [mprocs](https://github.com/pvolok/mprocs) | `0.7.2` | `0.9.2` |
| [prettier](https://github.com/prettier/prettier) | `3.5.0` | `3.8.3` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.24.0` | `8.59.1` |

Updates `@eth-optimism/viem` from 0.3.2 to 0.4.15
- [Changelog](https://github.com/ethereum-optimism/ecosystem/blob/main/packages/viem/CHANGELOG.md)
- [Commits](https://github.com/ethereum-optimism/ecosystem/commits/HEAD/packages/viem)

Updates `@radix-ui/react-separator` from 1.1.2 to 1.1.8
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)

Updates `@radix-ui/react-slot` from 1.1.2 to 1.2.4
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)

Updates `@tailwindcss/vite` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/@tailwindcss-vite)

Updates `@tanstack/react-query` from 5.66.0 to 5.100.8
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.8/packages/react-query)

Updates `abitype` from 1.0.8 to 1.2.4
- [Release notes](https://github.com/wevm/abitype/releases)
- [Commits](https://github.com/wevm/abitype/compare/abitype@1.0.8...abitype@1.2.4)

Updates `tailwind-merge` from 3.0.1 to 3.5.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](https://github.com/dcastil/tailwind-merge/compare/v3.0.1...v3.5.0)

Updates `tailwindcss` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/tailwindcss)

Updates `viem` from 2.23.1 to 2.48.8
- [Release notes](https://github.com/wevm/viem/releases)
- [Commits](https://github.com/wevm/viem/compare/viem@2.23.1...viem@2.48.8)

Updates `eslint-plugin-react-refresh` from 0.4.19 to 0.5.2
- [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases)
- [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/compare/v0.4.19...v0.5.2)

Updates `mprocs` from 0.7.2 to 0.9.2
- [Release notes](https://github.com/pvolok/mprocs/releases)
- [Changelog](https://github.com/pvolok/mprocs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/pvolok/mprocs/compare/v0.7.2...v0.9.2)

Updates `prettier` from 3.5.0 to 3.8.3
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.5.0...3.8.3)

Updates `typescript-eslint` from 8.24.0 to 8.59.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: "@eth-optimism/viem"
  dependency-version: 0.4.15
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-separator"
  dependency-version: 1.1.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/vite"
  dependency-version: 4.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.100.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: abitype
  dependency-version: 1.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: tailwind-merge
  dependency-version: 3.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: viem
  dependency-version: 2.48.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: eslint-plugin-react-refresh
  dependency-version: 0.5.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: mprocs
  dependency-version: 0.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: prettier
  dependency-version: 3.8.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: typescript-eslint
  dependency-version: 8.59.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(readiness): run pre-checks before contracts working directory exists

* fix(frontend): remove non-component export from button ui

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci(security): add codeql and dependency review gates

* chore: promote dev to canary

56 commits: EIP-712 verifier, bridge tests, CI fixes, governance cleanup, trust model doc, RYLA Credits rename.

* chore: promote dev to canary

65 commits: staging rehearsal fixes, frontend info page, NatSpec improvements, README philosophy.

* chore: promote dev to canary (v0.1.1 prep)

69 commits: CEI fix, audit docs, staging pipeline fixes, frontend info page.

* chore: promote dev to canary

Promotes dev to canary. Staging rehearsal will trigger on merge.

* chore: promote dev to canary

Promotes dev to canary. Staging rehearsal will trigger on merge.

* chore: promote dev to canary

Promotes dev to canary. Includes --slow fix for staging rehearsal.

* chore: promote dev to canary

Promotes dev to canary. Governance fixes: 0 approvals, push restrictions to trade/maintainers, verify-governance.sh checks.

* chore: promote dev to canary

Promotes dev to canary. Includes Groth16SettlementVerifier, IGroth16Verifier, dependabot fix, governance push restrictions.

* chore: promote dev to canary for OP Sepolia staging (#114)

* chore(deps): bump actions/setup-node from 5 to 6

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump actions/upload-artifact from 4 to 7

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump actions/checkout from 5 to 6

Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump actions/github-script from 7 to 9

Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 9.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7...v9)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-version: '9'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump the frontend-minor-patch group with 13 updates

Bumps the frontend-minor-patch group with 13 updates:

| Package | From | To |
| --- | --- | --- |
| [@eth-optimism/viem](https://github.com/ethereum-optimism/ecosystem/tree/HEAD/packages/viem) | `0.3.2` | `0.4.15` |
| [@radix-ui/react-separator](https://github.com/radix-ui/primitives) | `1.1.2` | `1.1.8` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives) | `1.1.2` | `1.2.4` |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.0.6` | `4.2.4` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.66.0` | `5.100.8` |
| [abitype](https://github.com/wevm/abitype) | `1.0.8` | `1.2.4` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.0.1` | `3.5.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.0.6` | `4.2.4` |
| [viem](https://github.com/wevm/viem) | `2.23.1` | `2.48.8` |
| [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.4.19` | `0.5.2` |
| [mprocs](https://github.com/pvolok/mprocs) | `0.7.2` | `0.9.2` |
| [prettier](https://github.com/prettier/prettier) | `3.5.0` | `3.8.3` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.24.0` | `8.59.1` |
Updates `@eth-optimism/viem` from 0.3.2 to 0.4.15
- [Changelog](https://github.com/ethereum-optimism/ecosystem/blob/main/packages/viem/CHANGELOG.md)
- [Commits](https://github.com/ethereum-optimism/ecosystem/commits/HEAD/packages/viem)

Updates `@radix-ui/react-separator` from 1.1.2 to 1.1.8
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)

Updates `@radix-ui/react-slot` from 1.1.2 to 1.2.4
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)

Updates `@tailwindcss/vite` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/@tailwindcss-vite)

Updates `@tanstack/react-query` from 5.66.0 to 5.100.8
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.8/packages/react-query)

Updates `abitype` from 1.0.8 to 1.2.4
- [Release notes](https://github.com/wevm/abitype/releases)
- [Commits](https://github.com/wevm/abitype/compare/abitype@1.0.8...abitype@1.2.4)

Updates `tailwind-merge` from 3.0.1 to 3.5.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](https://github.com/dcastil/tailwind-merge/compare/v3.0.1...v3.5.0)

Updates `tailwindcss` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/tailwindcss)

Updates `viem` from 2.23.1 to 2.48.8
- [Release notes](https://github.com/wevm/viem/releases)
- [Commits](https://github.com/wevm/viem/compare/viem@2.23.1...viem@2.48.8)

Updates `eslint-plugin-react-refresh` from 0.4.19 to 0.5.2
- [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases)
- [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/compare/v0.4.19...v0.5.2)

Updates `mprocs` from 0.7.2 to 0.9.2
- [Release notes](https://github.com/pvolok/mprocs/releases)
- [Changelog](https://github.com/pvolok/mprocs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/pvolok/mprocs/compare/v0.7.2...v0.9.2)

Updates `prettier` from 3.5.0 to 3.8.3
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.5.0...3.8.3)

Updates `typescript-eslint` from 8.24.0 to 8.59.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: "@eth-optimism/viem"
  dependency-version: 0.4.15
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-separator"
  dependency-version: 1.1.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/vite"
  dependency-version: 4.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.100.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: abitype
  dependency-version: 1.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: tailwind-merge
  dependency-version: 3.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: viem
  dependency-version: 2.48.8
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: eslint-plugin-react-refresh
  dependency-version: 0.5.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: mprocs
  dependency-version: 0.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: prettier
  dependency-version: 3.8.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: typescript-eslint
  dependency-version: 8.59.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(readiness): run pre-checks before contracts working directory exists

* fix(frontend): remove non-component export from button ui

* ci(security): add codeql and dependency review gates

* chore(security): add local slither install and core scan targets

* docs(phase1): add comprehensive contributor & deployment runbooks

Add Phase 1 foundation documentation for team scaling and professional maintenance:

CONTRIBUTING.md:
- Local development setup instructions (Node, Foundry, super-cli)
- Feature branch workflow with conventional commits
- Code standards (TypeScript, Solidity, Testing)
- PR submission checklist and review process
- Testing guidelines and test structure
- Troubleshooting for common dev issues

DEPLOYMENT.md:
- Step-by-step staging deployment runbook (OP Sepolia)
- Mainnet deployment procedures with gates
- Pre/post-deployment checklists
- Evidence generation and verification
- Monitoring and health checks
- Rollback procedures for emergency scenarios
- Comprehensive troubleshooting guide
- Command cheat sheet and timeline estimates

TROUBLESHOOTING.md:
- Development setup issues (pnpm, Node, Foundry, super-cli, git hooks)
- Smart contract issues (architecture guard, layering guard, Slither findings)
- Frontend development issues (port conflicts, TypeScript errors, module resolution)
- Testing issues (hanging tests, gas, balance)
- Deployment issues (insufficient funds, timeouts, RPC problems)
- CI/CD workflow issues (stuck workflows, secrets, version mismatches)
- Network & RPC issues (timeouts, contract not found, chain ID)

.github/CODEOWNERS:
- Enhanced documentation with clear sections
- Added review requirements annotations
- Better organization for team scaling
- Maintains strict single-owner model (ready for multi-owner when scaling)

Impact:
- Enables solo maintainer to self-document workflows
- Provides clear onboarding path for new contributors
- Establishes professional deployment procedures
- Reduces support burden with comprehensive troubleshooting
- Foundation for team collaboration (docs ready for team addition)
- Production-ready documentation for auditors and stakeholders

This commit fulfills Phase 1 foundation requirements:
✅ CONTRIBUTING.md created
✅ DEPLOYMENT.md runbook created
✅ TROUBLESHOOTING.md created
✅ CODEOWNERS enhanced and documented

Ready for: Phase 2 (interactive UI) and Phase 3 (security audit planning)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(deps): bump github/codeql-action from 3 to 4 (#16)

Bump github/codeql-action from v3 to v4 to resolve Node.js 20 deprecation warnings on CI.

* chore(ci): bump dependency-review-action from v4 to v5

* chore(ci): disable CodeQL triggers until repo transferred to org with GHAS

* Enable org-transfer governance: CodeQL, Gitleaks, release-gate container, and verification scripts (#19)

* docs: replace roadmap with lean security next-steps guide

* fix(docs): remove duplicate required-check entries in BRANCHING.md

* fix(ci): add USER root in release-gate Dockerfile for apt-get permissions

* ci(security): fix dependency review tag and use OSS gitleaks CLI

* ci(security): fix gitleaks PATH on github runner

* ci(security): run gitleaks scan via docker image

* ci(security): remove hardcoded key and scope gitleaks to workspace

* ci(contracts): fix anvil key extraction for release check

* ci(contracts): require 64-byte anvil private key extraction

* ci: always run contracts/frontend checks on protected branches (#21)

* ci: phase-1 reusable workflows for frontend, slither, and secrets scan (#23)

* ci: extract reusable frontend/slither/secrets workflows

* ci(security): apply codereview pinning and permissions fixes

* fix(contracts): bridge approval safety + IRYLA interface decoupling

- Wrap sendERC20 in try/catch; clear approval and revert with BridgeFailed() on failure
- Extract IRYLA interface (inherits IERC20); MARKSettlementModule decoupled from concrete RYLA type
- Add unit test for BridgeFailed catch branch

* docs: sync governance and CI docs with current protections

- Add missing required checks (Secrets Drift Guard, Release Gate Container) to all branch matrices
- Fix Analyze (JavaScript/TypeScript) casing to match canonical check names
- Fixes Validate Governance Policy Consistency CI check

* chore(deps): bump frontend minor/patch dependencies

105 minor and patch updates including:
- @tanstack/react-query 5.100.8 → 5.100.9
- typescript-eslint 8.59.1 → 8.59.2
- bufferutil 4.0.9 → 4.1.0
- jiti 2.6.1 → 2.7.0
- lockfile resolutions updated accordingly

All CI checks pass on Node 20 and 22.

* fix(deps): bump vite 6.1.0 → 6.4.2 (security)

Fixes high-severity arbitrary file read CVE and medium-severity path traversal in vite dev server.

* test(contracts): add missing unit test coverage

71 tests (was 59). Covers zero-input guards, exact error selectors, accumulator resets, supportsInterface, and isMint flag binding.

* chore(governance): migrate CODEOWNERS to @trade/maintainers team

Replaces @iap with @trade/maintainers across all CODEOWNERS entries. Team created with maintain permission on repo.

* chore(ci): switch CodeRabbit to assertive profile

profile: chill → assertive, request_changes_workflow: false → true

* fix(docs): add VALIDATE_MODE to staging checklist prerequisites

Adds missing VALIDATE_MODE env var to staging checklist. Clarifies operator/attester rotation step with RUNBOOK.md reference. Removes trailing newline from package.json.

* chore(docs): remove stale pre-transfer planning documents

Removes TRANSFER_NOW_CHECKLIST.md, ORG_TRANSFER_SECURITY_CHECKLIST.md, SECURITY_NEXT_STEPS.md, PROJECT_REVIEW.md — all completed with the org transfer on May 6, 2026.

* chore(governance): clean up CODEOWNERS

Remove decorative section dividers, redundant comments, and duplicate entry. Consolidate contract path globs.

* fix(ci): workflow correctness and consistency fixes

Pin slither-analyzer==0.11.5, fix secrets-drift-guard false positives, fix verify-governance.sh dismiss_stale_reviews on dev, add canary to evidence-manifest trigger, fix inputs context, fix wait-port, add pull_request_target comments, add Docker layer caching.

* feat(contracts): migrate AttestedSettlementVerifier to EIP-712

Replace hybrid EIP-191 pattern with standard EIP-712 typed data signing. Expose settlementDigest() for off-chain signers. Add NatSpec on proof encoding and contextHash. 71 tests pass.

* chore: improve gitignore coverage

Add .env/.env.*/*.env and supersim-logs/ to root gitignore. Add coverage/ to contracts gitignore.

* fix(ci): reliability and correctness fixes

Add timeout-minutes:15 to stuck jobs, replace rg with grep -Eo in smoke script, pin slither==0.11.5 in Makefile, add explicit invariant runs=256 to foundry.toml.

* chore(deps): ignore transitive alerts from super-cli

Ignore @hono/node-server, drizzle-orm, @stablelib/ed25519 scoped to vulnerable versions — all transitive from super-cli dev tool, no upstream fix available.

* docs: add SECURITY.md

Reporting channel, scope, response SLA, and supported versions.

* chore(deps): bump @types/node from 22.13.1 to 25.6.1

Type definitions update.

* chore(deps): bump typescript from 5.7.3 to 6.0.3

Add ignoreDeprecations:6.0 for baseUrl deprecation warning.

* chore(deps): bump frontend-minor-patch group

viem, debug, and other minor/patch updates.

* chore(deps): bump docker/setup-buildx-action from 3 to 4

Node 24 runtime update.

* chore(deps): bump frontend-minor-patch group

Minor/patch frontend dependency updates.

* fix: stale references and check name mismatches

Remove chainId double-encoding from AttestedSettlementVerifier, fix stale iap/mark URLs, fix governance script check names to match actual CI output.

* test(contracts): add bridge integration test against supersim

Exercises MARKBridgeAdapter against live SuperchainTokenBridge on two supersim forks. Verifies cross-chain token transfer and rate limit enforcement.

* test(contracts): add bridge adapter invariant fuzz tests

Three invariants covering rate limiting: daily cap never exceeded, accumulator consistent with cap, zero address never holds operator role. 74 tests pass.

* fix(governance): sync check lists and fix ruleset condition

Fix ruleset condition bug (canary/main now covered), sync apply-governance.sh and verify-governance.sh with live branch protection, fix frontend check name prefix in docs.

* chore(governance): document new ruleset structure

Two focused rulesets: branch-protection (CodeQL alert gate) and tag-protection (v* tags). Replaces the broken develop ruleset.

* feat(token): rename RYLA display name to 'RYLA Credits'

name() returns 'RYLA Credits', symbol stays 'RYLA'. Test and verification script updated.

* test

Documents key roles and trust assumptions, attester key rotation
procedure, break-glass procedure, production mode implications,
and key storage recommendations for auditors and operators.

* fix(ci): use matrix language as CodeQL job name

Produces consistent check name 'Analyze (javascript-typescript)' matching branch protection requirements.

* chore(config): harden staging profile and document environment setup

Remove PRIVATE_KEY from staging.env, fix bridge destination to OP Sepolia, add key separation docs, fix env guard and drift guard for CI validation.

* feat(frontend): replace dev dashboard with protocol info page

Protocol info page with pre-production status, contract descriptions, and resource links. Providers updated to optimism/optimismSepolia.

* chore(docs): cleanup and NatSpec improvements

Fix README clone URL and naming, remove stale date from CONTRIBUTING.md, add eip712Domain NatSpec and no-pause design decision docs.

* fix(contracts): document setVerifier interface check limitation

Add @dev comment explaining code.length check rejects EOAs but not non-conforming contracts.

* docs: add protocol philosophy to README

Code is a rule. No DAO, no drama. Don't Trust, Verify.

* fix(ci): add working-directory override to pre-checkout branch enforcement steps

Fixes pre-checkout branch check failing with 'No such file or directory' in staging and production workflows.

* fix(ops): enable post-deploy in rehearse-production-lock

Enable MARK_RELEASE_RUN_POSTDEPLOY so activateProductionMode() is called during rehearsal.

* fix(ops): export deployed verifier address to env before PostDeployMARKSetup

Fixes VerifierRequiredWhenProofEnabled during staging rehearsal.

* fix(ci): exclude Anvil default key from secrets drift guard

Syncs Anvil key exclusion to dev.

* test

THREAT_MODEL.md: trust boundaries, role compromise impact, external
dependencies, invariants, and explicit out-of-scope items.

KNOWN_ISSUES.md: six accepted design decisions with rationale —
attested verifier as ZK placeholder, no-pause design, setVerifier
interface check limitation, counter overflow analysis, timestamp
epoch manipulation, and transitive dep alerts.

* fix(docs): correct two inaccurate invariants in THREAT_MODEL.md

consumedIntents is set after proof validation, not before. Module balance invariant is per-operation, not absolute zero.

* fix(contracts): move consumedIntents assignment before external call (CEI)

Follows CEI pattern — marks intent consumed before external verifier call. No behaviour change for current view verifier.

* chore(governance): set canary to 0 required approvals for solo maintainer

Solo dev cannot self-approve. CI checks are the gate. Restore to 1 when second team member joins.

* docs(contracts): add NatSpec to settleMint and settleBurn

Documents pre-approval requirement for settleBurn.

* fix(ops): wait for tx confirmation in staging rehearsal

Add --slow to forge script broadcast so Foundry waits for each transaction receipt before the verify step runs.

* fix(governance): set all branches to 0 required approvals

Solo maintainer cannot approve own PRs. CI gates are the enforcement mechanism. Removes MAIN_REVIEW_COUNT/DEV_REVIEW_COUNT vars, adds approval count verification to verify-governance.sh.

* fix(governance): restrict direct pushes to trade/maintainers team

Restricts direct pushes on all branches to trade/maintainers team. Removes unused helper functions. verify-governance.sh now checks push restriction team slug.

* fix(deps): update drizzle-orm dependabot ignore rule to 0.38.4

drizzle-orm@0.38.4 is transitive from @eth-optimism/super-cli. Updated ignore rule to match installed version. All four Dependabot alerts dismissed as tolerable risk.

* feat(contracts): add Groth16SettlementVerifier

Adds Groth16SettlementVerifier implementing IUTXOSettlementVerifier via swappable IGroth16Verifier. 12 unit tests passing. AttestedSettlementVerifier remains active production verifier.

* feat(circuits): add UTXOSettlement circom circuit

Adds UTXOSettlement circom circuit. Poseidon-based UTXO ownership proof. 602 constraints, 6 witness tests passing.

* feat(contracts): add MARKPool ZK UTXO pool domain

Adds MARKPool shielded RYLA transfer pool. 88 unit tests passing.

* fix(contracts): rewrite MARKPool for MARK's 4-signal circuit

Rewrites MARKPool from scratch for MARK's own UTXOSettlement circuit. UTXOVerifier.sol regenerated from MARK's own trusted setup. 84 unit tests passing.

* fix(circuits): add range constraints and isMint burn path

Range constraints on recipient/chainId/settlementModule/amount. isMint burn path in MARKPool. Trusted setup rerun. 84 tests passing.

* feat(pool): add MARKPool ZK UTXO pool domain (#100)

* feat(pool): add MARKPool ZK UTXO pool domain

Introduces the full pool domain for private RYLA transfers:

Contracts:
- MARKPool: ZK UTXO pool with Merkle tree, fee policy, bridge-out/in,
  withdraw binding, AccessManaged access control
- MARKWithdrawAdapter: EIP-712 signature-based withdrawal adapter
- RYLACreditLedger: ICreditLedger adapter bridging MARKPool to RYLA
  mint/burn; restricted to pool caller only (onlyPool)
- PoolFeePolicy, PoolPublicInputs, PoolValidation: pool support libraries
- MARKPoolVerifier: Groth16 verifier generated from MARKPool circuit
  (13 public signals, pot15 trusted setup)

Interfaces: ICreditLedger, IVerifier, IPoolBridge, IPoolNullifier

Crypto: MerkleTree (Poseidon, depth-20), ProofUtils, PoseidonT3

Circuit:
- circuits/mark/MARKPool.circom: MARK-native UTXO circuit (depth=20,
  2-in/2-out, 13 public signals); renamed from prototype utxo.circom,
  domain constants documented as permanent, hardcoded fee policy removed
- circuits/setup.mjs: trusted setup script (pot15)
- circuits/test/MARKPool.test.mjs: 13 witness tests

CI: circuits-ci.yml runs witness tests on every PR

Tests: MARKPool.t.sol (22), MARKWithdrawAdapter.t.sol (9),
       RYLACreditLedger.t.sol (8)

* fix(pool): fix PoolErrors, domain separators, remove dead code

- PoolErrors.sol: rewrite to match Pool.sol, PoolValidation.sol, and
  MerkleTree.sol — adds 25 missing errors (build was broken), removes
  18 errors only used by the old MARKPool prototype
- MARKPool.sol: rename domain separator Pool.WithdrawBinding.v1 to
  MARKPool.WithdrawBinding.v1 (permanent, must be set before deploy)
- MARKWithdrawAdapter.sol: rename domain separator
  WithdrawAdapter.Intent.v1 to MARKWithdrawAdapter.Intent.v1
- UTXOVerifier.sol: delete (built for old 4-signal circuit, wrong
  interface, superseded by MARKPoolVerifier.sol)
- IUTXOVerifier.sol: delete (superseded by IVerifier.sol)
- UTXOSettlement.circom: delete (superseded by MARKPool.circom)
- Groth16SettlementVerifier.sol: update stale comment
- KNOWN_ISSUES.md: add KI-7 (two-circuit architecture), KI-8 (pool
  domain access control model)
- foundry.toml: via_ir = true for pool domain compilation

* fix(pool): immutable naming, deploy script, docs, invariants, arch guard

- MARKPool, MARKWithdrawAdapter: rename immutables to SCREAMING_SNAKE_CASE
  (assetLedger->ASSET_LEDGER, proofPool->PROOF_POOL)
- MARKPool: remove _assetLedger from constructor; add setAssetLedger()
  one-time restricted setter to break circular deploy dependency with
  RYLACreditLedger
- DeployMARKPool.s.sol: full deployment script for pool domain
  (AccessManager, MARKPool, RYLACreditLedger, MARKWithdrawAdapter)
- MARKPool.sol: add withdrawal flow NatSpec (burn-to-claim model)
- ARCHITECTURE.md: add pool/withdraw domains, dependency rules, and
  withdrawal flow section
- MARKPoolInvariants.t.sol: 3 invariants (nullifiers never unspent,
  withdraw bindings immutable, root queue only grows)
- architecture-guard.sh: add pool->settlement/bridge and
  withdraw->settlement/bridge isolation rules

* fix(pool): fix deploy script role grant and ASSET_LEDGER null guard

- DeployMARKPool.s.sol: grant POOL_ADMIN_ROLE to deployer during setup
  so setAssetLedger/setIntentSigner calls succeed when deployer != owner;
  revoke deployer role after setup completes
- MARKPool._applyFee: revert InvalidAssetLedger if ASSET_LEDGER is not
  set and a non-zero fee is applied (prevents silent call to address(0))

* fix(ci): compile circuit before running witness tests

circuits/build/ is gitignored so the WASM and witness_calculator.js
are not in the repo. Add circom install and npm run build steps before
npm test so CI compiles the circuit fresh on each run.

* fix(ci): create build dir before circom compile

* refactor(pool): pre-merge improvements

- Rename immutables to SCREAMING_SNAKE_CASE: assetLedger->ASSET_LEDGER,
  proofPool->PROOF_POOL (MARKPool.sol, MARKWithdrawAdapter.sol)
- MARKPool: remove _assetLedger from constructor, add setAssetLedger()
  one-time restricted setter to break circular deploy dependency with
  RYLACreditLedger
- MARKPool: add withdrawal flow documentation to contract NatSpec
- ARCHITECTURE.md: add pool/withdraw domains, dependency rules, and
  withdrawal flow explanation
- DeployMARKPool.s.sol: deployment script for MARKPool, RYLACreditLedger,
  MARKWithdrawAdapter with AccessManager configuration
- MARKPoolInvariants.t.sol: 3 invariants (nullifiers never unspent,
  withdraw bindings immutable, root queue only grows)
- architecture-guard.sh: add pool and withdraw domain isolation rules

* chore(pool): update circuits CI, setup, and pool errors

- circuits-ci.yml: updated to run MARKPool witness tests
- circuits/package.json: build/test scripts point to MARKPool.circom
- circuits/setup.mjs: updated for MARKPool.circom trusted setup
- circuits/test/MARKPool.test.mjs: cleaned up test file
- contracts/KNOWN_ISSUES.md: updated KI-7 for current two-circuit state
- contracts/src/pool/errors/PoolErrors.sol: add missing blank line

* fix(pool): address CodeRabbit review findings

- circuits-ci.yml: fix circom install permissions (use sudo mv to
  /usr/local/bin instead of direct write which fails on GH Actions)
- PoolErrors.sol: add clarifying comment to FixedFeePolicy explaining
  it fires when minFee > 1 (not a fee-rate policy, a range guard)
- MARKWithdrawAdapter.sol: document personal_sign intent on
  computeWithdrawIntentDigest (EIP-191 is intentional, not EIP-712)

bridgeIn replay protection finding: already fixed in current code
(processedBridgeMessages mapping + check at line 390) — stale finding.

* fix(pool): address second round CodeRabbit findings

- setup.mjs: use crypto.randomBytes for ceremony entropy (Date.now is
  predictable), add mkdirSync for build/, fix EJS template loading to
  use readFileSync instead of dynamic import with assert (unsupported
  in Node 20/22/24 ESM)
- circuits-ci.yml: pin circom to v2.2.3 instead of latest, add version
  verification step
- KNOWN_ISSUES.md: fix misleading 'settlement-specific verifier' wording
  — MARKPoolVerifier is a shared pool verifier, not settlement-specific
- MARKPool.sol: fix NatSpec EIP-712 reference to EIP-191 (personal_sign)

* feat(pool): add pool E2E test, fix RYLACreditLedger caller model

RYLACreditLedger:
- Separate credit (pool-only) and debit (adapter-only) callers
- Add setAdapter() one-time setter to break circular deploy dependency
  (adapter constructor needs ledger, ledger needs adapter address)
- Add AdapterAlreadySet error

DeployMARKPool.s.sol:
- Call ledger.setAdapter(adapter) after adapter deployment

Tests:
- RYLACreditLedger.t.sol: updated for new caller model, 11 tests
- MARKWithdrawAdapter.t.sol: add setAdapter call in setUp
- MARKPoolE2E.t.sol: full withdrawal flow E2E test (3 tests)
  - testFullWithdrawalFlow: mint RYLA -> transactWithWithdrawBinding
    -> withdrawWithSig -> verify RYLA burned, ETH received
  - testNullifierReplayRejected
  - testBindingMismatchRejected

134/134 tests pass

* feat(pool): add ReleasePool.s.sol orchestrator and pool env vars

- ReleasePool.s.sol: release orchestrator for pool stack following the
  same pattern as ReleaseMARK.s.sol — preflight checks, deploy via
  DeployMARKPool, post-deploy verification (wiring checks + RYLA roles),
  JSON artifact write
- .env.example: add pool stack env vars (MARK_POOL_VERIFIER,
  MARK_POOL_OWNER, MARK_POOL_INTENT_SIGNER, release flags, artifact
  path, post-deploy verify addresses)

* fix(pool): security fixes and dead code removal

RYLACreditLedger:
- Add OWNER immutable (set to msg.sender in constructor)
- Restrict setAdapter to OWNER to prevent front-running between
  deployment and the setAdapter call in the release script
- Add testSetAdapterRevertsForNonOwner test
- Add clarifying NatSpec to totalCreditsOutstanding explaining it
  tracks only flows through this ledger, not total RYLA supply

MARKWithdrawAdapter:
- Move ETH transfer before ASSET_LEDGER.debit — if ETH transfer
  fails, RYLA is no longer burned (was a loss-of-funds bug)

MARKPool:
- Remove dead _seedRoot function (defined but never called)
- Add NatSpec to computePublicInputsWithWithdraw clarifying
  chainId vs dstChainId semantics

* fix(test): fix nullifier replay test to use fresh signatures

testNullifierReplayRejected was reusing signatures computed for nonce N
in the second withdrawWithSig call with nonce N+1, causing a NonceMismatch
revert instead of exercising nullifier replay protection. Now recomputes
the intent hash and signs with the updated nonce so the revert is caused
by NullifierAlreadyClaimed as intended.

* fix(pool): guard totalCreditsOutstanding against underflow

* feat(pool): add pool release CI check and deploy script tests

contracts-ci.yml:
- Add pool release dry-run and execute smoke steps to the
  contracts-release-check job, reusing the Anvil instance and
  RYLA token deployed by the settlement release step
- Assert pool release artifact schema (pool, ledger, adapter addresses)

MARKPoolDeployScripts.t.sol:
- testDeployMARKPoolWiresAllContracts: verifies all contract wiring
  (pool<->ledger, ledger<->adapter, RYLA roles)
- testDeployMARKPoolSetsIntentSignerWhenProvided: verifies intent signer
  is configured when MARK_POOL_INTENT_SIGNER is set
- testDeployMARKPoolRevertsWhenMissingTokenAdmin: verifies preflight
  check rejects deployer without RYLA admin role

138/138 tests pass

* fix(pool): address final CodeRabbit findings

- contracts-ci.yml: remove '|| true' from pool release dry-run step;
  use the deployed settlement module address as verifier (a real contract)
  so the preflight code.length check passes without masking failures
- RYLACreditLedger.sol: fix NatSpec on totalCreditsOutstanding to
  accurately describe accounting scope — _totalBurned can exceed
  _totalMinted if RYLA is burned via other paths (e.g. settlement module)

* fix(ci): fix pool release CI failure and address CodeRabbit finding

contracts-ci.yml:
- Add --skip-simulation to pool release broadcast — PoseidonT3 (55,856
  bytes) exceeds EIP-170 limit and cannot be deployed without refactoring
  to a linked library; --skip-simulation tests script orchestration only
- Fix jq assertion to use regex validation instead of zero-address check,
  rejecting null values and validating hex address format

KNOWN_ISSUES.md:
- Add KI-8 documenting PoseidonT3 contract size issue and required fix
  before mainnet (deploy as standalone contract, call via interface)

* fix(ci): remove pool execute smoke, fix jq assertion, fix KI-7 wording

contracts-ci.yml:
- Remove pool release execute smoke step — MARKPool (24,841 bytes) and
  PoseidonT3 (55,856 bytes) exceed EIP-170 limit and cannot be broadcast
  to Anvil; pool deploy requires PoseidonT3 refactor (KI-8) first
- Keep pool release dry-run only (validates script logic and preflight)
- Remove the now-unused artifact assertion step

KNOWN_ISSUES.md:
- Fix KI-7: both pool and settlement systems use the same MARKPool
  circuit — remove implication of distinct circuit designs

* fix(pool): add code.length checks to RYLACreditLedger constructor and setAdapter

Prevents EOAs from being set as TOKEN, POOL, or ADAPTER.
Adds InvalidContract error. 3 new tests cover the EOA rejection cases.
setUp uses vm.etch to give mock addresses contract bytecode.

* fix(contracts): harden settlement verifier flow and CI reliability

* fix(review): address open CI and pool verifier feedback

* refactor(pool): rename min fee guard error for clarity

* fix(pool,settlement): replace require strings and wrong errors with custom errors

PoolFeePolicy:
- Replace require(maxFeeBurnBps != 0, string) and require(feeBurnBps <= maxFeeBurnBps, string)
  with custom error FeePolicyInvalidBps() — consistent with codebase style, lower gas

Groth16SettlementVerifier:
- Replace ZeroAddress() with VerifierNotAContract() for verifierContract code.length check
- Replace ZeroAddress() with SettlementModuleNotAContract() for settlementModule code.length check
- ZeroAddress was semantically wrong for non-zero addresses that have no code

* ci: trigger fresh CI run

* docs(pool): correct KI-8 — MARKPool itself is over EIP-170 size limit

Investigation: MARKPool is 24,960 bytes (over 24,576 limit) even without
PoseidonT3 inlining. via_ir=true already prevents PoseidonT3 from being
inlined. The fix requires splitting MARKPool into smaller contracts, not
just extracting PoseidonT3 as a standalone contract. Both are required.

* fix(pool): reduce MARKPool below EIP-170 size limit (24200 < 24576 bytes)

Size reductions (24961 -> 24200 bytes, -761 bytes):
- Remove redundant verifierAddr.code.length check in _verifyAndConsume
  (already validated in setVerifier, cannot change after deployment)
- Remove redundant tail != rootQueueTail guard in _insertCommitmentsValidated
  (always true after inserting 2 commitments)
- Inline _requireCommitmentsValid wrapper (single-line delegation)
- Inline _insertCommitments wrapper (only called from bridgeIn)
- Remove computePublicInputs and computePublicInputsWithWithdraw public
  view functions from MARKPool — _buildPublicInputs now calls
  PoolPublicInputs.build directly; off-chain callers use PoolPublicInputs

Bug fixes:
- PoolValidation: move NullifierDuplicate check before the loop so
  duplicate nullifiers get the precise error, not NullifierUsed
- MARKPool.pause(): document that unpause() does NOT auto-restore
  withdrawals (intentional asymmetry, requires explicit unpauseWithdrawals)

* fix: address CodeRabbit findings (circuits, Makefile, architecture-guard)

circuits/test/MARKPool.test.mjs:
- Remove unused buildMerklePath helper (tests use buildTwoLeafRoot)

circuits/setup.mjs:
- Add r1cs existence check before trusted setup with clear error message

contracts/Makefile:
- Restore test-core to exclude invariant tests (--no-match-path)
  so ci-fast remains fast as documented

contracts/script/ci/architecture-guard.sh:
- Tighten all four import regexes to handle optional leading whitespace
  and any number of ../ segments (prevents bypass via indented imports
  or deeper relative paths)

* fix: address remaining CodeRabbit findings

contracts/src/pool/MARKPool.sol:
- setVerifier: add code.length check (consistent with constructor)

circuits/test/MARKPool.test.mjs:
- expectFail: only treat constraint/assertion failures as PASS;
  rethrow other errors so regressions surface

contracts/KNOWN_ISSUES.md:
- KI-7: separate design capability from configuration state for
  settlement system wording

* fix(circuits): lowercase error message comparison in expectFail

* docs(deployment): add Groth16SettlementVerifier wiring step (Step 18)

Documents the two post-deploy calls required to activate ZK-based
settlement: setSettlementModule and setVerifierContract on
Groth16SettlementVerifier, then setVerifier on MARKSettlementModule.
AttestedSettlementVerifier remains the fallback until wiring is complete.

* fix(settlement): return false on malformed proof in Groth16SettlementVerifier (#101)

abi.decode reverts on malformed/short proof bytes, which propagated
through MARKSettlementModule as a raw error instead of VerificationFailed.
Fix: check proof.length == 672 before decoding (fixed ABI encoding size:
uint256[2]+uint256[2][2]+uint256[2]+uint256[13] = 64+128+64+416 = 672).
Malformed proofs now return false cleanly.

Tests: testVerifySettlementReturnsFalseForMalformedProof,
       testVerifySettlementReturnsFalseForEmptyProof

* fix(ci): exclude integration tests from test-core target (#102)

test-core was running integration tests (which require supersim on port 9545)
because --no-match-path on the command line overrides foundry.toml's
no_match_path setting rather than adding to it.

Use brace glob to exclude both invariant and integration tests.

* fix(test): remove unverifiable cross-chain assertion from integration test (#103)

testBridgeToTransfersTokensCrossChain switched to fork B and checked the
recipient balance, but Foundry fork tests cannot simulate supersim's async
message relay — the contract simply doesn't exist on the other fork.

Fix: assert only the source-chain burn (which is fully verifiable in a fork
test). Add a NatSpec note explaining the relay limitation.

* docs(pool): correct KI-8 — PoseidonT3 inlined via via_ir, MARKPool deployable (#104)

* docs(pool): correct KI-8 — PoseidonT3 is inlined via via_ir, MARKPool is deployable

via_ir=true causes the compiler to inline PoseidonT3 into MARKPool rather
than deploying it as a linked library. MARKPool has no link references and
is 24,298 bytes (278 bytes under EIP-170). KI-8 was based on an earlier
state where MARKPool exceeded the limit.

Updated KI-8 to reflect accurate current state and note the tight margin.

* refactor(crypto): use >>= 1 instead of /= 2 in MerkleTree insert

* security: harden pool domain before testnet (#105)

* security: harden pool domain before testnet

- Add pool/withdraw/Groth16 contracts to slither-core scope
- Document all slither exclusion rationale in Makefile
- RYLACreditLedger: add Credit/Debit events, move before external calls (CEI)
- MARKWithdrawAdapter: add test for recipient zero-check (existing check, missing test)
- THREAT_MODEL.md: add pool stack overview, trust boundaries, role compromise
  impact, and 3 new invariants (nullifier replay, withdraw binding, debit approval)

* fix(ci): use per-contract slither exclusions instead of global

CodeRabbit correctly noted that global exclusions could suppress actionable
findings in newly added contracts. Refactored slither-core to apply only
the relevant exclusions per contract. Also added arbitrary-send-erc20 to
MARKSettlementModule and RYLACreditLedger (both use safeTransferFrom with
prior approval — not arbitrary).

* fix(ci): add set -e to slither-core, fix preflight to use python3 -m slither

Without set -e, a failing early slither invocation would be masked if the
final command succeeds. Also align the preflight check with the actual
invocation (python3 -m slither, not command -v slither).

* ci: fix 4 workflow issues pre-testnet (#106)

* ci: fix 4 workflow issues pre-testnet

1. Sync _reusable-contracts-slither.yml with Makefile
   - Delegate to 'make slither-core' (single source of truth)
   - Now covers all 8 contracts with per-contract exclusions
   - Previously only scanned 4 settlement contracts with global exclusions

2. Enable pool execute smoke in contracts-ci.yml
   - KI-8 resolved: via_ir inlines PoseidonT3, MARKPool is 24,298 bytes
   - Pool broadcast to Anvil now works; remove stale blocker comment

3. Fix integration test readiness check
   - Wait on ports 9545/9546 (actual RPC ports) not 8420 (admin port)
   - Use nc loop consistent with anvil readiness pattern

4. Pin foundry-rs/foundry-toolchain to v1.8.0 commit SHA
   - Floating @v1 could silently break on Foundry breaking changes
   - Pinned: c7450ba673e133f5ee30098b3b54f444d3a2ca2d (v1.8.0)

* fix(ci): remove foundry version input from reusable slither workflow

The version input was passed as 'v1.8.0' to the action's 'version' input
which expects a Foundry binary tag (e.g. 'stable', 'nightly'), not the
action version. This caused foundryup to fail extracting the tar archive.
Use the action's default Foundry version instead.

* fix(ci): revert pool execute smoke — Foundry rejects PoseidonT3 artifact size

forge create/broadcast checks all library artifacts for EIP-170 compliance.
PoseidonT3 is 55,856 bytes as a standalone artifact even though via_ir inlines
it into MARKPool at compile time. The broadcast is blocked before deployment.

Keep dry-run only. Update KI-8 with the precise diagnosis.

* fix(pool): resolve PoseidonT3 deployment blocker via external interface (#107)

PoseidonT3 is a Solidity library with a public function — it gets deployed
as a separate linked contract (55,856 bytes) which exceeds EIP-170 (24,576).
This blocked all pool deployments.

Fix: replace the library call with an external interface (IPoseidonT3).
MerkleTree now stores the Poseidon contract address in the Tree struct and
calls it via a DELEGATECALL-free external call. MARKPool constructor accepts
a _poseidon address parameter.

Default deployment address: 0xB43122Ecb241DD50062641f089876679fd06599a
This is Semaphore's PoseidonT3 (PSE/Ethereum Foundation), deployed at the
same address on all EVM networks via CREATE2. Verified compatible with our
implementation: hash([0,0]) and hash([1,2]) produce identical outputs.

MARKPool now has zero link references and is fully self-contained.
MARKPool size: 24,231 bytes (345 bytes margin under EIP-170).

Tests: deployCode('PoseidonT3.sol:PoseidonT3') in test setUp bypasses
EIP-170 (Foundry test runner does not enforce the limit).

* chore(circuits): remove stale UTXOSettlement artifacts (#108)

* chore(circuits): remove stale UTXOSettlement artifacts

UTXOSettlement circuit is superseded by MARKPool.circom.
Remove the stale test file and old verification key artifact.
The utxo/ source and build/ artifacts are already gitignored.

* ci: trigger Release Gate Container for circuits-only PRs

Add circuits/** to path filter so the required check runs and passes
when only circuit files change (no contracts affected).

* ci: add circuits/** to push paths for consistency

* ci: remove path filter from release gate pull_request trigger

* ci: add circuits/** to CodeQL path filter to unblock circuits-only PRs

* fix: address codebase review findings (#109)

Bug: RYLACreditLedger.debit() — move _totalBurned update before
safeTransferFrom to follow CEI pattern. Previously the state update
happened after the external call, creating a reentrancy window where
_totalBurned was not yet incremented during the transfer callback.

Docs: KNOWN_ISSUES.md KI-8 — update stale size figures and description.
MARKPool is now 24,231 bytes (345 bytes margin). PoseidonT3 is no longer
inlined via via_ir; MerkleTree calls it via IPoseidonT3 interface at
0xB43122... (Semaphore, same address on all EVM networks).

Tests: add testConstructorRevertsOnZeroPoseidon and
testConstructorRevertsOnEOAPoseidon to MARKPool.t.sol — the _poseidon
constructor parameter added in PR #107 had no test coverage.

* ci: pin action-shellcheck to commit SHA (#110)

* ci: pin action-shellcheck to commit SHA

ludeeus/action-shellcheck@2.0.0 was pinned by version tag only.
Tags are mutable — a compromised tag could point to malicious code.
Pin to the immutable commit SHA (00cae50) for supply chain safety.

* ci: trigger CodeQL for all .github/workflows/** changes

* chore(deps): bump actions/dependency-review-action from 4 to 5 (#90)

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4 to 5.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump the frontend-minor-patch group across 1 directory with 21 updates (#91)

Bumps the frontend-minor-patch group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.2.4` | `4.3.0` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.4` | `4.3.0` |
| [baseline-browser-mapping](https://github.com/web-platform-dx/baseline-browser-mapping) | `2.10.27` | `2.10.29` |
| [electron-to-chromium](https://github.com/Kilian/electron-to-chromium) | `1.5.352` | `1.5.353` |
| [get-east-asian-width](https://github.com/sindresorhus/get-east-asian-width) | `1.5.0` | `1.6.0` |



Updates `@tailwindcss/vite` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-vite)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](https://github.com/dcastil/tailwind-merge/compare/v3.5.0...v3.6.0)

Updates `tailwindcss` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/tailwindcss)

Updates `@tailwindcss/node` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-node)

Updates `@tailwindcss/oxide-android-arm64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/android-arm64)

Updates `@tailwindcss/oxide-darwin-arm64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/darwin-arm64)

Updates `@tailwindcss/oxide-darwin-x64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/darwin-x64)

Updates `@tailwindcss/oxide-freebsd-x64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/freebsd-x64)

Updates `@tailwindcss/oxide-linux-arm-gnueabihf` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm-gnueabihf)

Updates `@tailwindcss/oxide-linux-arm64-gnu` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm64-gnu)

Updates `@tailwindcss/oxide-linux-arm64-musl` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm64-musl)

Updates `@tailwindcss/oxide-linux-x64-gnu` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-x64-gnu)

Updates `@tailwindcss/oxide-linux-x64-musl` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-x64-musl)

Updates `@tailwindcss/oxide-wasm32-wasi` from 4.2.4 to 4.3.0
- [Release not…
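The fixed-layout proof check from the Groth16SettlementVerifier fix (#101) above, worked through in Python as an added example that is not part of the commits or the project's code; it generalizes the 672-byte figure to any static ABI layout. The ABI type parser, decode_proof and the verify_proof callback are assumptions standing in for Solidity's abi.decode and the pairing verifier.

```python
"""Fixed-size ABI layout check for a Groth16 settlement proof blob.

Added example, not the project's code: it reproduces in Python the reasoning
behind checking proof.length == 672 before abi.decode so a malformed proof
yields False instead of a raw revert. decode_proof/verify_proof are
hypothetical stand-ins for the Solidity abi.decode and verifier calls.
"""
import re

WORD = 32  # every static ABI value occupies whole 32-byte words
# Layout named in the fix: (a, b, c, publicInputs) passed to the Groth16 verifier
PROOF_LAYOUT = ("uint256[2]", "uint256[2][2]", "uint256[2]", "uint256[13]")


def static_size(abi_type: str) -> int:
    """Encoded byte length of a statically sized ABI type ('uint256', 'bytes32',
    nested fixed arrays such as 'uint256[2][2]'). Dynamic types ('bytes',
    'string', 'T[]') are rejected: a length guard alone cannot make them safe."""
    m = re.fullmatch(r"(uint\d*|int\d*|address|bool|bytes\d+)((?:\[\d+\])*)", abi_type)
    if m is None:
        raise ValueError(f"not a static ABI type: {abi_type!r}")
    count = 1
    for dim in re.findall(r"\[(\d+)\]", m.group(2)):
        count *= int(dim)  # fixed dimensions multiply out: [2][2] -> 4 words
    return count * WORD


PROOF_SIZE = sum(static_size(t) for t in PROOF_LAYOUT)  # 64+128+64+416 = 672


def decode_proof(blob: bytes):
    """Split a blob into (a, b, c, inputs) word lists, or return None when its
    length is not exactly PROOF_SIZE (the case on which abi.decode reverts)."""
    if len(blob) != PROOF_SIZE:
        return None
    words = [int.from_bytes(blob[i:i + WORD], "big") for i in range(0, PROOF_SIZE, WORD)]
    a, c = words[0:2], words[6:8]
    b = [words[2:4], words[4:6]]  # uint256[2][2] is laid out row by row
    inputs = words[8:21]          # uint256[13]
    return a, b, c, inputs


def verify_settlement(blob: bytes, verify_proof) -> bool:
    """Hardened flow: malformed proofs return False cleanly; only a well-formed
    blob ever reaches the (hypothetical) pairing verifier callback."""
    parts = decode_proof(blob)
    if parts is None:
        return False
    return bool(verify_proof(*parts))


def encode_words(values) -> bytes:
    """Constructed test helper: pack integers as big-endian 32-byte words."""
    return b"".join(int(v).to_bytes(WORD, "big") for v in values)


if __name__ == "__main__":
    sample = encode_words(range(1, 22))  # constructed 21-word blob, not a real proof
    accept_all = lambda a, b, c, inputs: True
    print(PROOF_SIZE, verify_settlement(sample, accept_all))      # 672 True
    print(verify_settlement(sample[:-1], accept_all))             # False: one byte short
    print(verify_settlement(sample + bytes(WORD), accept_all))    # False: extra word
```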