chore(deps): bump the frontend-minor-patch group across 1 directory with 21 updates #91
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
…ith 21 updates
Bumps the frontend-minor-patch group with 6 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.2.4` | `4.3.0` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.4` | `4.3.0` |
| [baseline-browser-mapping](https://github.com/web-platform-dx/baseline-browser-mapping) | `2.10.27` | `2.10.29` |
| [electron-to-chromium](https://github.com/Kilian/electron-to-chromium) | `1.5.352` | `1.5.353` |
| [get-east-asian-width](https://github.com/sindresorhus/get-east-asian-width) | `1.5.0` | `1.6.0` |
Updates `@tailwindcss/vite` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-vite)
Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)
Updates `tailwindcss` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/tailwindcss)
Updates `@tailwindcss/node` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-node)
Updates `@tailwindcss/oxide-android-arm64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/android-arm64)
Updates `@tailwindcss/oxide-darwin-arm64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/darwin-arm64)
Updates `@tailwindcss/oxide-darwin-x64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/darwin-x64)
Updates `@tailwindcss/oxide-freebsd-x64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/freebsd-x64)
Updates `@tailwindcss/oxide-linux-arm-gnueabihf` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm-gnueabihf)
Updates `@tailwindcss/oxide-linux-arm64-gnu` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm64-gnu)
Updates `@tailwindcss/oxide-linux-arm64-musl` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm64-musl)
Updates `@tailwindcss/oxide-linux-x64-gnu` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-x64-gnu)
Updates `@tailwindcss/oxide-linux-x64-musl` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-x64-musl)
Updates `@tailwindcss/oxide-wasm32-wasi` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node)
Updates `@tailwindcss/oxide-win32-arm64-msvc` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/win32-arm64-msvc)
Updates `@tailwindcss/oxide-win32-x64-msvc` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/win32-x64-msvc)
Updates `@tailwindcss/oxide` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node)
Updates `baseline-browser-mapping` from 2.10.27 to 2.10.29
- [Release notes](https://github.com/web-platform-dx/baseline-browser-mapping/releases)
- [Commits](web-platform-dx/baseline-browser-mapping@v2.10.27...v2.10.29)
Updates `electron-to-chromium` from 1.5.352 to 1.5.353
- [Changelog](https://github.com/Kilian/electron-to-chromium/blob/main/CHANGELOG.md)
- [Commits](Kilian/electron-to-chromium@v1.5.352...v1.5.353)
Updates `enhanced-resolve` from 5.21.1 to 5.21.2
- [Release notes](https://github.com/webpack/enhanced-resolve/releases)
- [Changelog](https://github.com/webpack/enhanced-resolve/blob/main/CHANGELOG.md)
- [Commits](webpack/enhanced-resolve@v5.21.1...v5.21.2)
Updates `get-east-asian-width` from 1.5.0 to 1.6.0
- [Release notes](https://github.com/sindresorhus/get-east-asian-width/releases)
- [Commits](sindresorhus/get-east-asian-width@v1.5.0...v1.6.0)
---
updated-dependencies:
- dependency-name: "@tailwindcss/node"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-android-arm64"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-darwin-arm64"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-darwin-x64"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-freebsd-x64"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-arm-gnueabihf"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-arm64-gnu"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-arm64-musl"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-x64-gnu"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-x64-musl"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-wasm32-wasi"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-win32-arm64-msvc"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-win32-x64-msvc"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/vite"
dependency-version: 4.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: baseline-browser-mapping
dependency-version: 2.10.29
dependency-type: indirect
update-type: version-update:semver-patch
dependency-group: frontend-minor-patch
- dependency-name: electron-to-chromium
dependency-version: 1.5.353
dependency-type: indirect
update-type: version-update:semver-patch
dependency-group: frontend-minor-patch
- dependency-name: enhanced-resolve
dependency-version: 5.21.2
dependency-type: indirect
update-type: version-update:semver-patch
dependency-group: frontend-minor-patch
- dependency-name: get-east-asian-width
dependency-version: 1.6.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: tailwind-merge
dependency-version: 3.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
dependency-version: 4.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
f6d5b82 to 6888ee0
* chore(deps): bump actions/setup-node from 5 to 6
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v5...v6)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump actions/upload-artifact from 4 to 7
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump actions/github-script from 7 to 9
Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 9.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7...v9)
---
updated-dependencies:
- dependency-name: actions/github-script
dependency-version: '9'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump the frontend-minor-patch group with 13 updates
Bumps the frontend-minor-patch group with 13 updates:
| Package | From | To |
| --- | --- | --- |
| [@eth-optimism/viem](https://github.com/ethereum-optimism/ecosystem/tree/HEAD/packages/viem) | `0.3.2` | `0.4.15` |
| [@radix-ui/react-separator](https://github.com/radix-ui/primitives) | `1.1.2` | `1.1.8` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives) | `1.1.2` | `1.2.4` |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.0.6` | `4.2.4` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.66.0` | `5.100.8` |
| [abitype](https://github.com/wevm/abitype) | `1.0.8` | `1.2.4` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.0.1` | `3.5.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.0.6` | `4.2.4` |
| [viem](https://github.com/wevm/viem) | `2.23.1` | `2.48.8` |
| [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.4.19` | `0.5.2` |
| [mprocs](https://github.com/pvolok/mprocs) | `0.7.2` | `0.9.2` |
| [prettier](https://github.com/prettier/prettier) | `3.5.0` | `3.8.3` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.24.0` | `8.59.1` |
Updates `@eth-optimism/viem` from 0.3.2 to 0.4.15
- [Changelog](https://github.com/ethereum-optimism/ecosystem/blob/main/packages/viem/CHANGELOG.md)
- [Commits](https://github.com/ethereum-optimism/ecosystem/commits/HEAD/packages/viem)
Updates `@radix-ui/react-separator` from 1.1.2 to 1.1.8
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)
Updates `@radix-ui/react-slot` from 1.1.2 to 1.2.4
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)
Updates `@tailwindcss/vite` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/@tailwindcss-vite)
Updates `@tanstack/react-query` from 5.66.0 to 5.100.8
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.8/packages/react-query)
Updates `abitype` from 1.0.8 to 1.2.4
- [Release notes](https://github.com/wevm/abitype/releases)
- [Commits](https://github.com/wevm/abitype/compare/abitype@1.0.8...abitype@1.2.4)
Updates `tailwind-merge` from 3.0.1 to 3.5.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](https://github.com/dcastil/tailwind-merge/compare/v3.0.1...v3.5.0)
Updates `tailwindcss` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/tailwindcss)
Updates `viem` from 2.23.1 to 2.48.8
- [Release notes](https://github.com/wevm/viem/releases)
- [Commits](https://github.com/wevm/viem/compare/viem@2.23.1...viem@2.48.8)
Updates `eslint-plugin-react-refresh` from 0.4.19 to 0.5.2
- [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases)
- [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/compare/v0.4.19...v0.5.2)
Updates `mprocs` from 0.7.2 to 0.9.2
- [Release notes](https://github.com/pvolok/mprocs/releases)
- [Changelog](https://github.com/pvolok/mprocs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/pvolok/mprocs/compare/v0.7.2...v0.9.2)
Updates `prettier` from 3.5.0 to 3.8.3
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.5.0...3.8.3)
Updates `typescript-eslint` from 8.24.0 to 8.59.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint)
---
updated-dependencies:
- dependency-name: "@eth-optimism/viem"
dependency-version: 0.4.15
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-separator"
dependency-version: 1.1.8
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-slot"
dependency-version: 1.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/vite"
dependency-version: 4.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tanstack/react-query"
dependency-version: 5.100.8
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: abitype
dependency-version: 1.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: tailwind-merge
dependency-version: 3.5.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
dependency-version: 4.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: viem
dependency-version: 2.48.8
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: eslint-plugin-react-refresh
dependency-version: 0.5.2
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: mprocs
dependency-version: 0.9.2
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: prettier
dependency-version: 3.8.3
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: typescript-eslint
dependency-version: 8.59.1
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* fix(readiness): run pre-checks before contracts working directory exists
* fix(frontend): remove non-component export from button ui
* ci(security): add codeql and dependency review gates
* chore(security): add local slither install and core scan targets
* docs(phase1): add comprehensive contributor & deployment runbooks
Add Phase 1 foundation documentation for team scaling and professional maintenance:
CONTRIBUTING.md:
- Local development setup instructions (Node, Foundry, super-cli)
- Feature branch workflow with conventional commits
- Code standards (TypeScript, Solidity, Testing)
- PR submission checklist and review process
- Testing guidelines and test structure
- Troubleshooting for common dev issues
DEPLOYMENT.md:
- Step-by-step staging deployment runbook (OP Sepolia)
- Mainnet deployment procedures with gates
- Pre/post-deployment checklists
- Evidence generation and verification
- Monitoring and health checks
- Rollback procedures for emergency scenarios
- Comprehensive troubleshooting guide
- Command cheat sheet and timeline estimates
TROUBLESHOOTING.md:
- Development setup issues (pnpm, Node, Foundry, super-cli, git hooks)
- Smart contract issues (architecture guard, layering guard, Slither findings)
- Frontend development issues (port conflicts, TypeScript errors, module resolution)
- Testing issues (hanging tests, gas, balance)
- Deployment issues (insufficient funds, timeouts, RPC problems)
- CI/CD workflow issues (stuck workflows, secrets, version mismatches)
- Network & RPC issues (timeouts, contract not found, chain ID)
.github/CODEOWNERS:
- Enhanced documentation with clear sections
- Added review requirements annotations
- Better organization for team scaling
- Maintains strict single-owner model (ready for multi-owner when scaling)
Impact:
- Enables solo maintainer to self-document workflows
- Provides clear onboarding path for new contributors
- Establishes professional deployment procedures
- Reduces support burden with comprehensive troubleshooting
- Foundation for team collaboration (docs ready for team addition)
- Production-ready documentation for auditors and stakeholders
This commit fulfills Phase 1 foundation requirements:
✅ CONTRIBUTING.md created
✅ DEPLOYMENT.md runbook created
✅ TROUBLESHOOTING.md created
✅ CODEOWNERS enhanced and documented
Ready for: Phase 2 (interactive UI) and Phase 3 (security audit planning)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore(deps): bump github/codeql-action from 3 to 4 (#16)
Bump github/codeql-action from v3 to v4 to resolve Node.js 20 deprecation warnings on CI.
* chore(ci): bump dependency-review-action from v4 to v5
* chore(ci): disable CodeQL triggers until repo transferred to org with GHAS
* Enable org-transfer governance: CodeQL, Gitleaks, release-gate container, and verification scripts (#19)
* docs: replace roadmap with lean security next-steps guide
* fix(docs): remove duplicate required-check entries in BRANCHING.md
* fix(ci): add USER root in release-gate Dockerfile for apt-get permissions
* ci(security): fix dependency review tag and use OSS gitleaks CLI
* ci(security): fix gitleaks PATH on github runner
* ci(security): run gitleaks scan via docker image
* ci(security): remove hardcoded key and scope gitleaks to workspace
* ci(contracts): fix anvil key extraction for release check
* ci(contracts): require 64-byte anvil private key extraction
* ci: always run contracts/frontend checks on protected branches (#21)
* ci: phase-1 reusable workflows for frontend, slither, and secrets scan (#23)
* ci: extract reusable frontend/slither/secrets workflows
* ci(security): apply codereview pinning and permissions fixes
* fix(contracts): bridge approval safety + IRYLA interface decoupling
- Wrap sendERC20 in try/catch; clear approval and revert with BridgeFailed() on failure
- Extract IRYLA interface (inherits IERC20); MARKSettlementModule decoupled from concrete RYLA type
- Add unit test for BridgeFailed catch branch
* docs: sync governance and CI docs with current protections
- Add missing required checks (Secrets Drift Guard, Release Gate Container) to all branch matrices
- Fix Analyze (JavaScript/TypeScript) casing to match canonical check names
- Fixes Validate Governance Policy Consistency CI check
* chore(deps): bump frontend minor/patch dependencies
105 minor and patch updates including:
- @tanstack/react-query 5.100.8 → 5.100.9
- typescript-eslint 8.59.1 → 8.59.2
- bufferutil 4.0.9 → 4.1.0
- jiti 2.6.1 → 2.7.0
- lockfile resolutions updated accordingly
All CI checks pass on Node 20 and 22.
* fix(deps): bump vite 6.1.0 → 6.4.2 (security)
Fixes high-severity arbitrary file read CVE and medium-severity path traversal in vite dev server.
* test(contracts): add missing unit test coverage
71 tests (was 59). Covers zero-input guards, exact error selectors, accumulator resets, supportsInterface, and isMint flag binding.
* chore(governance): migrate CODEOWNERS to @trade/maintainers team
Replaces @iap with @trade/maintainers across all CODEOWNERS entries. Team created with maintain permission on repo.
* chore(ci): switch CodeRabbit to assertive profile
profile: chill → assertive, request_changes_workflow: false → true
* fix(docs): add VALIDATE_MODE to staging checklist prerequisites
Adds missing VALIDATE_MODE env var to staging checklist. Clarifies operator/attester rotation step with RUNBOOK.md reference. Removes trailing newline from package.json.
* chore(docs): remove stale pre-transfer planning documents
Removes TRANSFER_NOW_CHECKLIST.md, ORG_TRANSFER_SECURITY_CHECKLIST.md, SECURITY_NEXT_STEPS.md, PROJECT_REVIEW.md — all completed with the org transfer on May 6, 2026.
* chore(governance): clean up CODEOWNERS
Remove decorative section dividers, redundant comments, and duplicate entry. Consolidate contract path globs.
* fix(ci): workflow correctness and consistency fixes
Pin slither-analyzer==0.11.5, fix secrets-drift-guard false positives, fix verify-governance.sh dismiss_stale_reviews on dev, add canary to evidence-manifest trigger, fix inputs context, fix wait-port, add pull_request_target comments, add Docker layer caching.
* feat(contracts): migrate AttestedSettlementVerifier to EIP-712
Replace hybrid EIP-191 pattern with standard EIP-712 typed data signing. Expose settlementDigest() for off-chain signers. Add NatSpec on proof encoding and contextHash. 71 tests pass.
* chore: improve gitignore coverage
Add .env/.env.*/*.env and supersim-logs/ to root gitignore. Add coverage/ to contracts gitignore.
* fix(ci): reliability and correctness fixes
Add timeout-minutes:15 to stuck jobs, replace rg with grep -Eo in smoke script, pin slither==0.11.5 in Makefile, add explicit invariant runs=256 to foundry.toml.
* chore(deps): ignore transitive alerts from super-cli
Ignore @hono/node-server, drizzle-orm, @stablelib/ed25519 scoped to vulnerable versions — all transitive from super-cli dev tool, no upstream fix available.
* docs: add SECURITY.md
Reporting channel, scope, response SLA, and supported versions.
* chore(deps): bump @types/node from 22.13.1 to 25.6.1
Type definitions update.
* chore(deps): bump typescript from 5.7.3 to 6.0.3
Add ignoreDeprecations:6.0 for baseUrl deprecation warning.
* chore(deps): bump frontend-minor-patch group
viem, debug, and other minor/patch updates.
* chore(deps): bump docker/setup-buildx-action from 3 to 4
Node 24 runtime update.
* chore(deps): bump frontend-minor-patch group
Minor/patch frontend dependency updates.
* fix: stale references and check name mismatches
Remove chainId double-encoding from AttestedSettlementVerifier, fix stale iap/mark URLs, fix governance script check names to match actual CI output.
* test(contracts): add bridge integration test against supersim
Exercises MARKBridgeAdapter against live SuperchainTokenBridge on two supersim forks. Verifies cross-chain token transfer and rate limit enforcement.
* test(contracts): add bridge adapter invariant fuzz tests
Three invariants covering rate limiting: daily cap never exceeded, accumulator consistent with cap, zero address never holds operator role. 74 tests pass.
* fix(governance): sync check lists and fix ruleset condition
Fix ruleset condition bug (canary/main now covered), sync apply-governance.sh and verify-governance.sh with live branch protection, fix frontend check name prefix in docs.
* chore(governance): document new ruleset structure
Two focused rulesets: branch-protection (CodeQL alert gate) and tag-protection (v* tags). Replaces the broken develop ruleset.
* feat(token): rename RYLA display name to 'RYLA Credits'
name() returns 'RYLA Credits', symbol stays 'RYLA'. Test and verification script updated.
* test
Documents key roles and trust assumptions, attester key rotation
procedure, break-glass procedure, production mode implications,
and key storage recommendations for auditors and operators.
* fix(ci): use matrix language as CodeQL job name
Produces consistent check name 'Analyze (javascript-typescript)' matching branch protection requirements.
* chore(config): harden staging profile and document environment setup
Remove PRIVATE_KEY from staging.env, fix bridge destination to OP Sepolia, add key separation docs, fix env guard and drift guard for CI validation.
* feat(frontend): replace dev dashboard with protocol info page
Protocol info page with pre-production status, contract descriptions, and resource links. Providers updated to optimism/optimismSepolia.
* chore(docs): cleanup and NatSpec improvements
Fix README clone URL and naming, remove stale date from CONTRIBUTING.md, add eip712Domain NatSpec and no-pause design decision docs.
* fix(contracts): document setVerifier interface check limitation
Add @dev comment explaining code.length check rejects EOAs but not non-conforming contracts.
* docs: add protocol philosophy to README
Code is a rule. No DAO, no drama. Don't Trust, Verify.
* fix(ci): add working-directory override to pre-checkout branch enforcement steps
Fixes pre-checkout branch check failing with 'No such file or directory' in staging and production workflows.
* fix(ops): enable post-deploy in rehearse-production-lock
Enable MARK_RELEASE_RUN_POSTDEPLOY so activateProductionMode() is called during rehearsal.
* fix(ops): export deployed verifier address to env before PostDeployMARKSetup
Fixes VerifierRequiredWhenProofEnabled during staging rehearsal.
* fix(ci): exclude Anvil default key from secrets drift guard
Syncs Anvil key exclusion to dev.
* test
THREAT_MODEL.md: trust boundaries, role compromise impact, external
dependencies, invariants, and explicit out-of-scope items.
KNOWN_ISSUES.md: six accepted design decisions with rationale —
attested verifier as ZK placeholder, no-pause design, setVerifier
interface check limitation, counter overflow analysis, timestamp
epoch manipulation, and transitive dep alerts.
* fix(docs): correct two inaccurate invariants in THREAT_MODEL.md
consumedIntents is set after proof validation, not before. Module balance invariant is per-operation, not absolute zero.
* fix(contracts): move consumedIntents assignment before external call (CEI)
Follows CEI pattern — marks intent consumed before external verifier call. No behaviour change for current view verifier.
* chore(governance): set canary to 0 required approvals for solo maintainer
Solo dev cannot self-approve. CI checks are the gate. Restore to 1 when second team member joins.
* docs(contracts): add NatSpec to settleMint and settleBurn
Documents pre-approval requirement for settleBurn.
* fix(ops): wait for tx confirmation in staging rehearsal
Add --slow to forge script broadcast so Foundry waits for each transaction receipt before the verify step runs.
* fix(governance): set all branches to 0 required approvals
Solo maintainer cannot approve own PRs. CI gates are the enforcement mechanism. Removes MAIN_REVIEW_COUNT/DEV_REVIEW_COUNT vars, adds approval count verification to verify-governance.sh.
* fix(governance): restrict direct pushes to trade/maintainers team
Restricts direct pushes on all branches to trade/maintainers team. Removes unused helper functions. verify-governance.sh now checks push restriction team slug.
* fix(deps): update drizzle-orm dependabot ignore rule to 0.38.4
drizzle-orm@0.38.4 is transitive from @eth-optimism/super-cli. Updated ignore rule to match installed version. All four Dependabot alerts dismissed as tolerable risk.
* feat(contracts): add Groth16SettlementVerifier
Adds Groth16SettlementVerifier implementing IUTXOSettlementVerifier via swappable IGroth16Verifier. 12 unit tests passing. AttestedSettlementVerifier remains active production verifier.
* feat(circuits): add UTXOSettlement circom circuit
Adds UTXOSettlement circom circuit. Poseidon-based UTXO ownership proof. 602 constraints, 6 witness tests passing.
* feat(contracts): add MARKPool ZK UTXO pool domain
Adds MARKPool shielded RYLA transfer pool. 88 unit tests passing.
* fix(contracts): rewrite MARKPool for MARK's 4-signal circuit
Rewrites MARKPool from scratch for MARK's own UTXOSettlement circuit. UTXOVerifier.sol regenerated from MARK's own trusted setup. 84 unit tests passing.
* fix(circuits): add range constraints and isMint burn path
Range constraints on recipient/chainId/settlementModule/amount. isMint burn path in MARKPool. Trusted setup rerun. 84 tests passing.
* feat(pool): add MARKPool ZK UTXO pool domain (#100)
* feat(pool): add MARKPool ZK UTXO pool domain
Introduces the full pool domain for private RYLA transfers:
Contracts:
- MARKPool: ZK UTXO pool with Merkle tree, fee policy, bridge-out/in,
withdraw binding, AccessManaged access control
- MARKWithdrawAdapter: EIP-712 signature-based withdrawal adapter
- RYLACreditLedger: ICreditLedger adapter bridging MARKPool to RYLA
mint/burn; restricted to pool caller only (onlyPool)
- PoolFeePolicy, PoolPublicInputs, PoolValidation: pool support libraries
- MARKPoolVerifier: Groth16 verifier generated from MARKPool circuit
(13 public signals, pot15 trusted setup)
Interfaces: ICreditLedger, IVerifier, IPoolBridge, IPoolNullifier
Crypto: MerkleTree (Poseidon, depth-20), ProofUtils, PoseidonT3
Circuit:
- circuits/mark/MARKPool.circom: MARK-native UTXO circuit (depth=20,
2-in/2-out, 13 public signals); renamed from prototype utxo.circom,
domain constants documented as permanent, hardcoded fee policy removed
- circuits/setup.mjs: trusted setup script (pot15)
- circuits/test/MARKPool.test.mjs: 13 witness tests
CI: circuits-ci.yml runs witness tests on every PR
Tests: MARKPool.t.sol (22), MARKWithdrawAdapter.t.sol (9),
RYLACreditLedger.t.sol (8)
* fix(pool): fix PoolErrors, domain separators, remove dead code
- PoolErrors.sol: rewrite to match Pool.sol, PoolValidation.sol, and
MerkleTree.sol — adds 25 missing errors (build was broken), removes
18 errors only used by the old MARKPool prototype
- MARKPool.sol: rename domain separator Pool.WithdrawBinding.v1 to
MARKPool.WithdrawBinding.v1 (permanent, must be set before deploy)
- MARKWithdrawAdapter.sol: rename domain separator
WithdrawAdapter.Intent.v1 to MARKWithdrawAdapter.Intent.v1
- UTXOVerifier.sol: delete (built for old 4-signal circuit, wrong
interface, superseded by MARKPoolVerifier.sol)
- IUTXOVerifier.sol: delete (superseded by IVerifier.sol)
- UTXOSettlement.circom: delete (superseded by MARKPool.circom)
- Groth16SettlementVerifier.sol: update stale comment
- KNOWN_ISSUES.md: add KI-7 (two-circuit architecture), KI-8 (pool
domain access control model)
- foundry.toml: via_ir = true for pool domain compilation
* fix(pool): immutable naming, deploy script, docs, invariants, arch guard
- MARKPool, MARKWithdrawAdapter: rename immutables to SCREAMING_SNAKE_CASE
(assetLedger->ASSET_LEDGER, proofPool->PROOF_POOL)
- MARKPool: remove _assetLedger from constructor; add setAssetLedger()
one-time restricted setter to break circular deploy dependency with
RYLACreditLedger
- DeployMARKPool.s.sol: full deployment script for pool domain
(AccessManager, MARKPool, RYLACreditLedger, MARKWithdrawAdapter)
- MARKPool.sol: add withdrawal flow NatSpec (burn-to-claim model)
- ARCHITECTURE.md: add pool/withdraw domains, dependency rules, and
withdrawal flow section
- MARKPoolInvariants.t.sol: 3 invariants (nullifiers never unspent,
withdraw bindings immutable, root queue only grows)
- architecture-guard.sh: add pool->settlement/bridge and
withdraw->settlement/bridge isolation rules
* fix(pool): fix deploy script role grant and ASSET_LEDGER null guard
- DeployMARKPool.s.sol: grant POOL_ADMIN_ROLE to deployer during setup
so setAssetLedger/setIntentSigner calls succeed when deployer != owner;
revoke deployer role after setup completes
- MARKPool._applyFee: revert InvalidAssetLedger if ASSET_LEDGER is not
set and a non-zero fee is applied (prevents silent call to address(0))
* fix(ci): compile circuit before running witness tests
circuits/build/ is gitignored so the WASM and witness_calculator.js
are not in the repo. Add circom install and npm run build steps before
npm test so CI compiles the circuit fresh on each run.
* fix(ci): create build dir before circom compile
* refactor(pool): pre-merge improvements
- Rename immutables to SCREAMING_SNAKE_CASE: assetLedger->ASSET_LEDGER,
proofPool->PROOF_POOL (MARKPool.sol, MARKWithdrawAdapter.sol)
- MARKPool: remove _assetLedger from constructor, add setAssetLedger()
one-time restricted setter to break circular deploy dependency with
RYLACreditLedger
- MARKPool: add withdrawal flow documentation to contract NatSpec
- ARCHITECTURE.md: add pool/withdraw domains, dependency rules, and
withdrawal flow explanation
- DeployMARKPool.s.sol: deployment script for MARKPool, RYLACreditLedger,
MARKWithdrawAdapter with AccessManager configuration
- MARKPoolInvariants.t.sol: 3 invariants (nullifiers never unspent,
withdraw bindings immutable, root queue only grows)
- architecture-guard.sh: add pool and withdraw domain isolation rules
* chore(pool): update circuits CI, setup, and pool errors
- circuits-ci.yml: updated to run MARKPool witness tests
- circuits/package.json: build/test scripts point to MARKPool.circom
- circuits/setup.mjs: updated for MARKPool.circom trusted setup
- circuits/test/MARKPool.test.mjs: cleaned up test file
- contracts/KNOWN_ISSUES.md: updated KI-7 for current two-circuit state
- contracts/src/pool/errors/PoolErrors.sol: add missing blank line
* fix(pool): address CodeRabbit review findings
- circuits-ci.yml: fix circom install permissions (use sudo mv to
/usr/local/bin instead of direct write which fails on GH Actions)
- PoolErrors.sol: add clarifying comment to FixedFeePolicy explaining
it fires when minFee > 1 (not a fee-rate policy, a range guard)
- MARKWithdrawAdapter.sol: document personal_sign intent on
computeWithdrawIntentDigest (EIP-191 is intentional, not EIP-712)
bridgeIn replay protection finding: already fixed in current code
(processedBridgeMessages mapping + check at line 390) — stale finding.
* fix(pool): address second round CodeRabbit findings
- setup.mjs: use crypto.randomBytes for ceremony entropy (Date.now is
predictable), add mkdirSync for build/, fix EJS template loading to
use readFileSync instead of dynamic import with assert (unsupported
in Node 20/22/24 ESM)
- circuits-ci.yml: pin circom to v2.2.3 instead of latest, add version
verification step
- KNOWN_ISSUES.md: fix misleading 'settlement-specific verifier' wording
— MARKPoolVerifier is a shared pool verifier, not settlement-specific
- MARKPool.sol: fix NatSpec EIP-712 reference to EIP-191 (personal_sign)
* feat(pool): add pool E2E test, fix RYLACreditLedger caller model
RYLACreditLedger:
- Separate credit (pool-only) and debit (adapter-only) callers
- Add setAdapter() one-time setter to break circular deploy dependency
(adapter constructor needs ledger, ledger needs adapter address)
- Add AdapterAlreadySet error
DeployMARKPool.s.sol:
- Call ledger.setAdapter(adapter) after adapter deployment
Tests:
- RYLACreditLedger.t.sol: updated for new caller model, 11 tests
- MARKWithdrawAdapter.t.sol: add setAdapter call in setUp
- MARKPoolE2E.t.sol: full withdrawal flow E2E test (3 tests)
- testFullWithdrawalFlow: mint RYLA -> transactWithWithdrawBinding
-> withdrawWithSig -> verify RYLA burned, ETH received
- testNullifierReplayRejected
- testBindingMismatchRejected
134/134 tests pass
* feat(pool): add ReleasePool.s.sol orchestrator and pool env vars
- ReleasePool.s.sol: release orchestrator for pool stack following the
same pattern as ReleaseMARK.s.sol — preflight checks, deploy via
DeployMARKPool, post-deploy verification (wiring checks + RYLA roles),
JSON artifact write
- .env.example: add pool stack env vars (MARK_POOL_VERIFIER,
MARK_POOL_OWNER, MARK_POOL_INTENT_SIGNER, release flags, artifact
path, post-deploy verify addresses)
* fix(pool): security fixes and dead code removal
RYLACreditLedger:
- Add OWNER immutable (set to msg.sender in constructor)
- Restrict setAdapter to OWNER to prevent front-running between
deployment and the setAdapter call in the release script
- Add testSetAdapterRevertsForNonOwner test
- Add clarifying NatSpec to totalCreditsOutstanding explaining it
tracks only flows through this ledger, not total RYLA supply
MARKWithdrawAdapter:
- Move ETH transfer before ASSET_LEDGER.debit — if ETH transfer
fails, RYLA is no longer burned (was a loss-of-funds bug)
MARKPool:
- Remove dead _seedRoot function (defined but never called)
- Add NatSpec to computePublicInputsWithWithdraw clarifying
chainId vs dstChainId semantics
* fix(test): fix nullifier replay test to use fresh signatures
testNullifierReplayRejected was reusing signatures computed for nonce N
in the second withdrawWithSig call with nonce N+1, causing a NonceMismatch
revert instead of exercising nullifier replay protection. Now recomputes
the intent hash and signs with the updated nonce so the revert is caused
by NullifierAlreadyClaimed as intended.
* fix(pool): guard totalCreditsOutstanding against underflow
* feat(pool): add pool release CI check and deploy script tests
contracts-ci.yml:
- Add pool release dry-run and execute smoke steps to the
contracts-release-check job, reusing the Anvil instance and
RYLA token deployed by the settlement release step
- Assert pool release artifact schema (pool, ledger, adapter addresses)
MARKPoolDeployScripts.t.sol:
- testDeployMARKPoolWiresAllContracts: verifies all contract wiring
(pool<->ledger, ledger<->adapter, RYLA roles)
- testDeployMARKPoolSetsIntentSignerWhenProvided: verifies intent signer
is configured when MARK_POOL_INTENT_SIGNER is set
- testDeployMARKPoolRevertsWhenMissingTokenAdmin: verifies preflight
check rejects deployer without RYLA admin role
138/138 tests pass
* fix(pool): address final CodeRabbit findings
- contracts-ci.yml: remove '|| true' from pool release dry-run step;
use the deployed settlement module address as verifier (a real contract)
so the preflight code.length check passes without masking failures
- RYLACreditLedger.sol: fix NatSpec on totalCreditsOutstanding to
accurately describe accounting scope — _totalBurned can exceed
_totalMinted if RYLA is burned via other paths (e.g. settlement module)
* fix(ci): fix pool release CI failure and address CodeRabbit finding
contracts-ci.yml:
- Add --skip-simulation to pool release broadcast — PoseidonT3 (55,856
bytes) exceeds EIP-170 limit and cannot be deployed without refactoring
to a linked library; --skip-simulation tests script orchestration only
- Fix jq assertion to use regex validation instead of zero-address check,
rejecting null values and validating hex address format
KNOWN_ISSUES.md:
- Add KI-8 documenting PoseidonT3 contract size issue and required fix
before mainnet (deploy as standalone contract, call via interface)
* fix(ci): remove pool execute smoke, fix jq assertion, fix KI-7 wording
contracts-ci.yml:
- Remove pool release execute smoke step — MARKPool (24,841 bytes) and
PoseidonT3 (55,856 bytes) exceed EIP-170 limit and cannot be broadcast
to Anvil; pool deploy requires PoseidonT3 refactor (KI-8) first
- Keep pool release dry-run only (validates script logic and preflight)
- Remove the now-unused artifact assertion step
KNOWN_ISSUES.md:
- Fix KI-7: both pool and settlement systems use the same MARKPool
circuit — remove implication of distinct circuit designs
* fix(pool): add code.length checks to RYLACreditLedger constructor and setAdapter
Prevents EOAs from being set as TOKEN, POOL, or ADAPTER.
Adds InvalidContract error. 3 new tests cover the EOA rejection cases.
setUp uses vm.etch to give mock addresses contract bytecode.
* fix(contracts): harden settlement verifier flow and CI reliability
* fix(review): address open CI and pool verifier feedback
* refactor(pool): rename min fee guard error for clarity
* fix(pool,settlement): replace require strings and wrong errors with custom errors
PoolFeePolicy:
- Replace require(maxFeeBurnBps != 0, string) and require(feeBurnBps <= maxFeeBurnBps, string)
with custom error FeePolicyInvalidBps() — consistent with codebase style, lower gas
Groth16SettlementVerifier:
- Replace ZeroAddress() with VerifierNotAContract() for verifierContract code.length check
- Replace ZeroAddress() with SettlementModuleNotAContract() for settlementModule code.length check
- ZeroAddress was semantically wrong for non-zero addresses that have no code
* ci: trigger fresh CI run
* docs(pool): correct KI-8 — MARKPool itself is over EIP-170 size limit
Investigation: MARKPool is 24,960 bytes (over 24,576 limit) even without
PoseidonT3 inlining. via_ir=true already prevents PoseidonT3 from being
inlined. The fix requires splitting MARKPool into smaller contracts, not
just extracting PoseidonT3 as a standalone contract. Both are required.
* fix(pool): reduce MARKPool below EIP-170 size limit (24200 < 24576 bytes)
Size reductions (24961 -> 24200 bytes, -761 bytes):
- Remove redundant verifierAddr.code.length check in _verifyAndConsume
(already validated in setVerifier, cannot change after deployment)
- Remove redundant tail != rootQueueTail guard in _insertCommitmentsValidated
(always true after inserting 2 commitments)
- Inline _requireCommitmentsValid wrapper (single-line delegation)
- Inline _insertCommitments wrapper (only called from bridgeIn)
- Remove computePublicInputs and computePublicInputsWithWithdraw public
view functions from MARKPool — _buildPublicInputs now calls
PoolPublicInputs.build directly; off-chain callers use PoolPublicInputs
Bug fixes:
- PoolValidation: move NullifierDuplicate check before the loop so
duplicate nullifiers get the precise error, not NullifierUsed
- MARKPool.pause(): document that unpause() does NOT auto-restore
withdrawals (intentional asymmetry, requires explicit unpauseWithdrawals)
* fix: address CodeRabbit findings (circuits, Makefile, architecture-guard)
circuits/test/MARKPool.test.mjs:
- Remove unused buildMerklePath helper (tests use buildTwoLeafRoot)
circuits/setup.mjs:
- Add r1cs existence check before trusted setup with clear error message
contracts/Makefile:
- Restore test-core to exclude invariant tests (--no-match-path)
so ci-fast remains fast as documented
contracts/script/ci/architecture-guard.sh:
- Tighten all four import regexes to handle optional leading whitespace
and any number of ../ segments (prevents bypass via indented imports
or deeper relative paths)
* fix: address remaining CodeRabbit findings
contracts/src/pool/MARKPool.sol:
- setVerifier: add code.length check (consistent with constructor)
circuits/test/MARKPool.test.mjs:
- expectFail: only treat constraint/assertion failures as PASS;
rethrow other errors so regressions surface
contracts/KNOWN_ISSUES.md:
- KI-7: separate design capability from configuration state for
settlement system wording
* fix(circuits): lowercase error message comparison in expectFail
* docs(deployment): add Groth16SettlementVerifier wiring step (Step 18)
Documents the two post-deploy calls required to activate ZK-based
settlement: setSettlementModule and setVerifierContract on
Groth16SettlementVerifier, then setVerifier on MARKSettlementModule.
AttestedSettlementVerifier remains the fallback until wiring is complete.
* fix(settlement): return false on malformed proof in Groth16SettlementVerifier (#101)
abi.decode reverts on malformed/short proof bytes, which propagated
through MARKSettlementModule as a raw error instead of VerificationFailed.
Fix: check proof.length == 672 before decoding (fixed ABI encoding size:
uint256[2]+uint256[2][2]+uint256[2]+uint256[13] = 64+128+64+416 = 672).
Malformed proofs now return false cleanly.
Tests: testVerifySettlementReturnsFalseForMalformedProof,
testVerifySettlementReturnsFalseForEmptyProof
* fix(ci): exclude integration tests from test-core target (#102)
test-core was running integration tests (which require supersim on port 9545)
because --no-match-path on the command line overrides foundry.toml's
no_match_path setting rather than adding to it.
Use brace glob to exclude both invariant and integration tests.
* fix(test): remove unverifiable cross-chain assertion from integration test (#103)
testBridgeToTransfersTokensCrossChain switched to fork B and checked the
recipient balance, but Foundry fork tests cannot simulate supersim's async
message relay — the contract simply doesn't exist on the other fork.
Fix: assert only the source-chain burn (which is fully verifiable in a fork
test). Add a NatSpec note explaining the relay limitation.
* docs(pool): correct KI-8 — PoseidonT3 inlined via via_ir, MARKPool deployable (#104)
* docs(pool): correct KI-8 — PoseidonT3 is inlined via via_ir, MARKPool is deployable
via_ir=true causes the compiler to inline PoseidonT3 into MARKPool rather
than deploying it as a linked library. MARKPool has no link references and
is 24,298 bytes (278 bytes under EIP-170). KI-8 was based on an earlier
state where MARKPool exceeded the limit.
Updated KI-8 to reflect accurate current state and note the tight margin.
* refactor(crypto): use >>= 1 instead of /= 2 in MerkleTree insert
* security: harden pool domain before testnet (#105)
* security: harden pool domain before testnet
- Add pool/withdraw/Groth16 contracts to slither-core scope
- Document all slither exclusion rationale in Makefile
- RYLACreditLedger: add Credit/Debit events, move before external calls (CEI)
- MARKWithdrawAdapter: add test for recipient zero-check (existing check, missing test)
- THREAT_MODEL.md: add pool stack overview, trust boundaries, role compromise
impact, and 3 new invariants (nullifier replay, withdraw binding, debit approval)
* fix(ci): use per-contract slither exclusions instead of global
CodeRabbit correctly noted that global exclusions could suppress actionable
findings in newly added contracts. Refactored slither-core to apply only
the relevant exclusions per contract. Also added arbitrary-send-erc20 to
MARKSettlementModule and RYLACreditLedger (both use safeTransferFrom with
prior approval — not arbitrary).
* fix(ci): add set -e to slither-core, fix preflight to use python3 -m slither
Without set -e, a failing early slither invocation would be masked if the
final command succeeds. Also align the preflight check with the actual
invocation (python3 -m slither, not command -v slither).
* ci: fix 4 workflow issues pre-testnet (#106)
* ci: fix 4 workflow issues pre-testnet
1. Sync _reusable-contracts-slither.yml with Makefile
- Delegate to 'make slither-core' (single source of truth)
- Now covers all 8 contracts with per-contract exclusions
- Previously only scanned 4 settlement contracts with global exclusions
2. Enable pool execute smoke in contracts-ci.yml
- KI-8 resolved: via_ir inlines PoseidonT3, MARKPool is 24,298 bytes
- Pool broadcast to Anvil now works; remove stale blocker comment
3. Fix integration test readiness check
- Wait on ports 9545/9546 (actual RPC ports) not 8420 (admin port)
- Use nc loop consistent with anvil readiness pattern
4. Pin foundry-rs/foundry-toolchain to v1.8.0 commit SHA
- Floating @v1 could silently break on Foundry breaking changes
- Pinned: c7450ba673e133f5ee30098b3b54f444d3a2ca2d (v1.8.0)
* fix(ci): remove foundry version input from reusable slither workflow
The version input was passed as 'v1.8.0' to the action's 'version' input
which expects a Foundry binary tag (e.g. 'stable', 'nightly'), not the
action version. This caused foundryup to fail extracting the tar archive.
Use the action's default Foundry version instead.
* fix(ci): revert pool execute smoke — Foundry rejects PoseidonT3 artifact size
forge create/broadcast checks all library artifacts for EIP-170 compliance.
PoseidonT3 is 55,856 bytes as a standalone artifact even though via_ir inlines
it into MARKPool at compile time. The broadcast is blocked before deployment.
Keep dry-run only. Update KI-8 with the precise diagnosis.
* fix(pool): resolve PoseidonT3 deployment blocker via external interface (#107)
PoseidonT3 is a Solidity library with a public function — it gets deployed
as a separate linked contract (55,856 bytes) which exceeds EIP-170 (24,576).
This blocked all pool deployments.
Fix: replace the library call with an external interface (IPoseidonT3).
MerkleTree now stores the Poseidon contract address in the Tree struct and
calls it via DELEGATECALL-free external call. MARKPool constructor accepts
a _poseidon address parameter.
Default deployment address: 0xB43122Ecb241DD50062641f089876679fd06599a
This is Semaphore's PoseidonT3 (PSE/Ethereum Foundation), deployed at the
same address on all EVM networks via CREATE2. Verified compatible with our
implementation: hash([0,0]) and hash([1,2]) produce identical outputs.
MARKPool now has zero link references and is fully self-contained.
MARKPool size: 24,231 bytes (345 bytes margin under EIP-170).
Tests: deployCode('PoseidonT3.sol:PoseidonT3') in test setUp bypasses
EIP-170 (Foundry test runner does not enforce the limit).
* chore(circuits): remove stale UTXOSettlement artifacts (#108)
* chore(circuits): remove stale UTXOSettlement artifacts
UTXOSettlement circuit is superseded by MARKPool.circom.
Remove the stale test file and old verification key artifact.
The utxo/ source and build/ artifacts are already gitignored.
* ci: trigger Release Gate Container for circuits-only PRs
Add circuits/** to path filter so the required check runs and passes
when only circuit files change (no contracts affected).
* ci: add circuits/** to push paths for consistency
* ci: remove path filter from release gate pull_request trigger
* ci: add circuits/** to CodeQL path filter to unblock circuits-only PRs
* fix: address codebase review findings (#109)
Bug: RYLACreditLedger.debit() — move _totalBurned update before
safeTransferFrom to follow CEI pattern. Previously the state update
happened after the external call, creating a reentrancy window where
_totalBurned was not yet incremented during the transfer callback.
Docs: KNOWN_ISSUES.md KI-8 — update stale size figures and description.
MARKPool is now 24,231 bytes (345 bytes margin). PoseidonT3 is no longer
inlined via via_ir; MerkleTree calls it via IPoseidonT3 interface at
0xB43122... (Semaphore, same address on all EVM networks).
Tests: add testConstructorRevertsOnZeroPoseidon and
testConstructorRevertsOnEOAPoseidon to MARKPool.t.sol — the _poseidon
constructor parameter added in PR #107 had no test coverage.
* ci: pin action-shellcheck to commit SHA (#110)
* ci: pin action-shellcheck to commit SHA
ludeeus/action-shellcheck@2.0.0 was pinned by version tag only.
Tags are mutable — a compromised tag could point to malicious code.
Pin to the immutable commit SHA (00cae50) for supply chain safety.
* ci: trigger CodeQL for all .github/workflows/** changes
* chore(deps): bump actions/dependency-review-action from 4 to 5 (#90)
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4 to 5.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/v4...v5)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
dependency-version: '5'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump the frontend-minor-patch group across 1 directory with 21 updates (#91)
Bumps the frontend-minor-patch group with 6 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.2.4` | `4.3.0` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.4` | `4.3.0` |
| [baseline-browser-mapping](https://github.com/web-platform-dx/baseline-browser-mapping) | `2.10.27` | `2.10.29` |
| [electron-to-chromium](https://github.com/Kilian/electron-to-chromium) | `1.5.352` | `1.5.353` |
| [get-east-asian-width](https://github.com/sindresorhus/get-east-asian-width) | `1.5.0` | `1.6.0` |
Updates `@tailwindcss/vite` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-vite)
Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](https://github.com/dcastil/tailwind-merge/compare/v3.5.0...v3.6.0)
Updates `tailwindcss` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/tailwindcss)
Updates `@tailwindcss/node` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-node)
Updates `@tailwindcss/oxide-android-arm64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/android-arm64)
Updates `@tailwindcss/oxide-darwin-arm64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/darwin-arm64)
Updates `@tailwindcss/oxide-darwin-x64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/darwin-x64)
Updates `@tailwindcss/oxide-freebsd-x64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/freebsd-x64)
Updates `@tailwindcss/oxide-linux-arm-gnueabihf` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm-gnueabihf)
Updates `@tailwindcss/oxide-linux-arm64-gnu` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm64-gnu)
Updates `@tailwindcss/oxide-linux-arm64-musl` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm64-musl)
Updates `@tailwindcss/oxide-linux-x64-gnu` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-x64-gnu)
Updates `@tailwindcss/oxide-linux-x64-musl` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-x64-musl)
Updates `@tailwindcss/oxide-wasm32-wasi` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node)
Updates `@tailwindcss/oxide-win32-arm64-msvc` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/win32-arm64-msvc)
Updates `@tailwindcss/oxide-win32-x64-msvc` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/win32-x64-msvc)
Updates `@tailwindcss/oxide` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node)
Updates `baseline-browser-mapping` from 2.10.27 to 2.10.29
- [Release notes](https://github.com/web-platform-dx/baseline-browser-mapping/releases)
- [Commits](https://github.com/web-platform-dx/baseline-browser-mapping/compare/v2.10.27...v2.10.29)
Updates `electron-to-chromium` from 1.5.352 to 1.5.353
- [Changelog](https://github.com/Kilian/electron-to-chromium/blob/main/CHANGELOG.md)
- [Commits](https://github.com/Kilian/electron-to-chromium/compare/v1.5.352...v1.5.353)
Updates `enhanced-resolve` from 5.21.1 to 5.21.2
- [Release notes](https://github.com/webpack/enhanced-resolve/releases)
- [Changelog](https://github.com/webpack/enhanced-resolve/blob/main/CHANGELOG.md)
- [Commits](https://github.com/webpack/enhanced-resolve/compare/v5.21.1...v5.21.2)
Updates `get-east-asian-width` from 1.5.0 to 1.6.0
- [Release notes](https://github.com/sindresorhus/get-east-asian-width/releases)
- [Commits](https://github.com/sindresorhus/get-east-asian-width/compare/v1.5.0...v1.6.0)
---
updated-dependencies:
- dependency-name: "@tailwindcss/node"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-android-arm64"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-darwin-arm64"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-darwin-x64"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-freebsd-x64"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-arm-gnueabihf"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-arm64-gnu"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-arm64-musl"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-x64-gnu"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-linux-x64-musl"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-wasm32-wasi"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-win32-arm64-msvc"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/oxide-win32-x64-msvc"
dependency-version: 4.3.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/vite"
dependency-version: 4.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: baseline-browser-mapping
dependency-version: 2.10.29
dependency-type: indirect
update-type: version-update:semver-patch
dependency-group: frontend-minor-patch
- dependency-name: electron-to-chromium
dependency-version: 1.5.353
dependency-type: indirect
update-type: version-update:semver-patch
dependency-group: frontend-minor-patch
- dependency-name: enhanced-resolve
dependency-version: 5.21.2
dependency-type: indirect
update-type: version-update:semver-patch
dependency-group: frontend-minor-patch
- dependency-name: get-east-asian-width
dependency-version: 1.6.0
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: tailwind-merge
dependency-version: 3.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
dependency-version: 4.3.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Iko <6572003+iap@users.noreply.github.com>
* chore: update LICENSE copyright to Trade 2026 (#111)
* chore: update LICENSE copyright to Trade 2026
The project was scaffolded from an Optimism template but is original work.
Update copyright holder from Optimism to Trade and year to 2026.
* ci: remove path filter from CodeQL pull_request trigger
CodeQL is a required check for all PRs. With a path filter, PRs that
only touch files outside the filter (e.g. LICENSE, README) are blocked
indefinitely waiting for CodeQL results that never come.
Remove the pull_request path filter so CodeQL always runs on PRs.
Keep the push path filter to avoid unnecessary runs on branch pushes.
* chore: remove stale deploy-contracts step from mprocs.yaml (#112)
deploy:supersim and deploy:counter-incrementer:supersim are template
artifacts from the original Optimism scaffold. They no longer exist.
Remove the stale deploy-contracts proc.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…116)
* ops: enforce promotion freshness and commit lineage checks
* ops: add full release evidence dispatch sequence
* ops: add release secret bootstrap helper
* ops: harden release dispatch run correlation and strict env checks
* refactor: centralize core contract custom errors
* refactor(contracts): separate bridge/settlement domains and harden settlement flows
* ci(contracts): enforce architecture/layering guards and fix refactor paths
* chore(contracts): remove legacy files replaced by domain refactor
* feat(ops): add canonical release-gate workflow with evidence artifact
* chore(governance): align release flow and policy guard with canary promotion
1. Update release PR template to canary -> main
2. Extend governance-policy-guard push triggers to include canary
3. Document explicit release promotion path dev -> canary -> main in root README
4. Clarify retirement of legacy CrossChainCounter examples/tests in contracts README
5. Keep governance consistency validator passing after updates
* feat(release): harden CI gates and retire cross-chain demo artifacts
1. Enable canary across contracts CI, env guard, slither, and secrets drift workflows
2. Add canary push-driven staging rehearsal defaults and stricter required input checks
3. Strengthen release gate with signed evidence-manifest verification and artifact-anchored deployment verification
4. Add evidence tooling scripts (generate/sign/verify manifest and signature, verify-from-artifact)
5. Retire legacy CrossChainCounter example contracts, ABIs, deploy script, and associated tests
6. Update app shell and package scripts toward MARK protocol operations workflow
* chore(ci): stabilize local test and lint signal
1. Exclude vendored/generated contract directories from root ESLint scope
2. Split fast core tests and invariant tests in contracts Makefile
3. Bound local invariant runs for predictable ci-full runtime
* fix(ci): repair contracts workflow execution on GitHub
1. Fix contracts integration job condition to use github.event.inputs
2. Run slither per target contract instead of invalid multi-target invocation
* fix(ci): quote static private key in contracts-ci workflow env
* fix(slither): codify accepted detector exclusions for MARK contracts
Exclude known/accepted findings (naming convention, timestamp epoching, operator-gated transferFrom pattern, and benign reentrancy patterns) while keeping fail-medium enforcement for remaining detectors.
* chore(ci): harden workflow runtime compatibility and add frontend node matrix
1. Upgrade actions/checkout from v4 to v5 across workflows
2. Upgrade actions/setup-python from v5 to v6 in python-based workflows
3. Add frontend CI workflow with Node 20/22 matrix for typecheck, lint, and build validation
* fix(frontend-ci): ensure pnpm setup works with node matrix
Use actions/setup-node@v5 and remove premature pnpm cache wiring so pnpm/action-setup can install pnpm before dependency install.
* fix(frontend-ci): install pnpm before setup-node auto-cache check
* fix(frontend-ci): rely on packageManager-pinned pnpm version
* chore(ci): replace pnpm action with corepack-pinned bootstrap
1. Remove pnpm/action-setup usage from frontend and contracts integration workflows
2. Use corepack with pinned pnpm@9.0.2 from project policy
3. Disable setup-node package-manager auto-cache probing to avoid pnpm bootstrap race
* fix(contracts-ci): wait for anvil before release dry-run
* chore(deps): add dependabot config for actions and npm
* chore(deps): add dependabot config for actions and npm
* chore(coderabbit): add repository-level review configuration
* fix(readiness): run pre-checks before contracts working directory exists
* chore: promote dev to canary (ci and quality sync) (#15)
* chore(deps): bump actions/setup-node from 5 to 6
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v5...v6)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump actions/upload-artifact from 4 to 7
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump actions/github-script from 7 to 9
Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 9.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7...v9)
---
updated-dependencies:
- dependency-name: actions/github-script
dependency-version: '9'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump the frontend-minor-patch group with 13 updates
Bumps the frontend-minor-patch group with 13 updates:
| Package | From | To |
| --- | --- | --- |
| [@eth-optimism/viem](https://github.com/ethereum-optimism/ecosystem/tree/HEAD/packages/viem) | `0.3.2` | `0.4.15` |
| [@radix-ui/react-separator](https://github.com/radix-ui/primitives) | `1.1.2` | `1.1.8` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives) | `1.1.2` | `1.2.4` |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.0.6` | `4.2.4` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.66.0` | `5.100.8` |
| [abitype](https://github.com/wevm/abitype) | `1.0.8` | `1.2.4` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.0.1` | `3.5.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.0.6` | `4.2.4` |
| [viem](https://github.com/wevm/viem) | `2.23.1` | `2.48.8` |
| [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.4.19` | `0.5.2` |
| [mprocs](https://github.com/pvolok/mprocs) | `0.7.2` | `0.9.2` |
| [prettier](https://github.com/prettier/prettier) | `3.5.0` | `3.8.3` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.24.0` | `8.59.1` |
Updates `@eth-optimism/viem` from 0.3.2 to 0.4.15
- [Changelog](https://github.com/ethereum-optimism/ecosystem/blob/main/packages/viem/CHANGELOG.md)
- [Commits](https://github.com/ethereum-optimism/ecosystem/commits/HEAD/packages/viem)
Updates `@radix-ui/react-separator` from 1.1.2 to 1.1.8
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)
Updates `@radix-ui/react-slot` from 1.1.2 to 1.2.4
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)
Updates `@tailwindcss/vite` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/@tailwindcss-vite)
Updates `@tanstack/react-query` from 5.66.0 to 5.100.8
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.8/packages/react-query)
Updates `abitype` from 1.0.8 to 1.2.4
- [Release notes](https://github.com/wevm/abitype/releases)
- [Commits](https://github.com/wevm/abitype/compare/abitype@1.0.8...abitype@1.2.4)
Updates `tailwind-merge` from 3.0.1 to 3.5.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](https://github.com/dcastil/tailwind-merge/compare/v3.0.1...v3.5.0)
Updates `tailwindcss` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/tailwindcss)
Updates `viem` from 2.23.1 to 2.48.8
- [Release notes](https://github.com/wevm/viem/releases)
- [Commits](https://github.com/wevm/viem/compare/viem@2.23.1...viem@2.48.8)
Updates `eslint-plugin-react-refresh` from 0.4.19 to 0.5.2
- [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases)
- [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/compare/v0.4.19...v0.5.2)
Updates `mprocs` from 0.7.2 to 0.9.2
- [Release notes](https://github.com/pvolok/mprocs/releases)
- [Changelog](https://github.com/pvolok/mprocs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/pvolok/mprocs/compare/v0.7.2...v0.9.2)
Updates `prettier` from 3.5.0 to 3.8.3
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.5.0...3.8.3)
Updates `typescript-eslint` from 8.24.0 to 8.59.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint)
---
updated-dependencies:
- dependency-name: "@eth-optimism/viem"
dependency-version: 0.4.15
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-separator"
dependency-version: 1.1.8
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-slot"
dependency-version: 1.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/vite"
dependency-version: 4.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tanstack/react-query"
dependency-version: 5.100.8
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: abitype
dependency-version: 1.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: tailwind-merge
dependency-version: 3.5.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
dependency-version: 4.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: viem
dependency-version: 2.48.8
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: eslint-plugin-react-refresh
dependency-version: 0.5.2
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: mprocs
dependency-version: 0.9.2
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: prettier
dependency-version: 3.8.3
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: typescript-eslint
dependency-version: 8.59.1
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* fix(readiness): run pre-checks before contracts working directory exists
* fix(frontend): remove non-component export from button ui
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* ci(security): add codeql and dependency review gates
* chore: promote dev to canary
56 commits: EIP-712 verifier, bridge tests, CI fixes, governance cleanup, trust model doc, RYLA Credits rename.
* chore: promote dev to canary
65 commits: staging rehearsal fixes, frontend info page, NatSpec improvements, README philosophy.
* chore: promote dev to canary (v0.1.1 prep)
69 commits: CEI fix, audit docs, staging pipeline fixes, frontend info page.
* chore: promote dev to canary
Promotes dev to canary. Staging rehearsal will trigger on merge.
* chore: promote dev to canary
Promotes dev to canary. Staging rehearsal will trigger on merge.
* chore: promote dev to canary
Promotes dev to canary. Includes --slow fix for staging rehearsal.
* chore: promote dev to canary
Promotes dev to canary. Governance fixes: 0 approvals, push restrictions to trade/maintainers, verify-governance.sh checks.
* chore: promote dev to canary
Promotes dev to canary. Includes Groth16SettlementVerifier, IGroth16Verifier, dependabot fix, governance push restrictions.
* chore: promote dev to canary for OP Sepolia staging (#114)
* chore(deps): bump actions/setup-node from 5 to 6
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v5...v6)
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump actions/upload-artifact from 4 to 7
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v4...v7)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: '7'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump actions/checkout from 5 to 6
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: '6'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump actions/github-script from 7 to 9
Bumps [actions/github-script](https://github.com/actions/github-script) from 7 to 9.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](https://github.com/actions/github-script/compare/v7...v9)
---
updated-dependencies:
- dependency-name: actions/github-script
dependency-version: '9'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(deps): bump the frontend-minor-patch group with 13 updates
Bumps the frontend-minor-patch group with 13 updates:
| Package | From | To |
| --- | --- | --- |
| [@eth-optimism/viem](https://github.com/ethereum-optimism/ecosystem/tree/HEAD/packages/viem) | `0.3.2` | `0.4.15` |
| [@radix-ui/react-separator](https://github.com/radix-ui/primitives) | `1.1.2` | `1.1.8` |
| [@radix-ui/react-slot](https://github.com/radix-ui/primitives) | `1.1.2` | `1.2.4` |
| [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.0.6` | `4.2.4` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.66.0` | `5.100.8` |
| [abitype](https://github.com/wevm/abitype) | `1.0.8` | `1.2.4` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.0.1` | `3.5.0` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.0.6` | `4.2.4` |
| [viem](https://github.com/wevm/viem) | `2.23.1` | `2.48.8` |
| [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.4.19` | `0.5.2` |
| [mprocs](https://github.com/pvolok/mprocs) | `0.7.2` | `0.9.2` |
| [prettier](https://github.com/prettier/prettier) | `3.5.0` | `3.8.3` |
| [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) | `8.24.0` | `8.59.1` |
Updates `@eth-optimism/viem` from 0.3.2 to 0.4.15
- [Changelog](https://github.com/ethereum-optimism/ecosystem/blob/main/packages/viem/CHANGELOG.md)
- [Commits](https://github.com/ethereum-optimism/ecosystem/commits/HEAD/packages/viem)
Updates `@radix-ui/react-separator` from 1.1.2 to 1.1.8
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)
Updates `@radix-ui/react-slot` from 1.1.2 to 1.2.4
- [Changelog](https://github.com/radix-ui/primitives/blob/main/release-process.md)
- [Commits](https://github.com/radix-ui/primitives/commits)
Updates `@tailwindcss/vite` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/@tailwindcss-vite)
Updates `@tanstack/react-query` from 5.66.0 to 5.100.8
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.100.8/packages/react-query)
Updates `abitype` from 1.0.8 to 1.2.4
- [Release notes](https://github.com/wevm/abitype/releases)
- [Commits](https://github.com/wevm/abitype/compare/abitype@1.0.8...abitype@1.2.4)
Updates `tailwind-merge` from 3.0.1 to 3.5.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](https://github.com/dcastil/tailwind-merge/compare/v3.0.1...v3.5.0)
Updates `tailwindcss` from 4.0.6 to 4.2.4
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.4/packages/tailwindcss)
Updates `viem` from 2.23.1 to 2.48.8
- [Release notes](https://github.com/wevm/viem/releases)
- [Commits](https://github.com/wevm/viem/compare/viem@2.23.1...viem@2.48.8)
Updates `eslint-plugin-react-refresh` from 0.4.19 to 0.5.2
- [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases)
- [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/compare/v0.4.19...v0.5.2)
Updates `mprocs` from 0.7.2 to 0.9.2
- [Release notes](https://github.com/pvolok/mprocs/releases)
- [Changelog](https://github.com/pvolok/mprocs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/pvolok/mprocs/compare/v0.7.2...v0.9.2)
Updates `prettier` from 3.5.0 to 3.8.3
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.5.0...3.8.3)
Updates `typescript-eslint` from 8.24.0 to 8.59.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.1/packages/typescript-eslint)
---
updated-dependencies:
- dependency-name: "@eth-optimism/viem"
dependency-version: 0.4.15
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-separator"
dependency-version: 1.1.8
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: frontend-minor-patch
- dependency-name: "@radix-ui/react-slot"
dependency-version: 1.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/vite"
dependency-version: 4.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: "@tanstack/react-query"
dependency-version: 5.100.8
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: abitype
dependency-version: 1.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: tailwind-merge
dependency-version: 3.5.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
dependency-version: 4.2.4
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: viem
dependency-version: 2.48.8
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: eslint-plugin-react-refresh
dependency-version: 0.5.2
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: mprocs
dependency-version: 0.9.2
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: prettier
dependency-version: 3.8.3
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
- dependency-name: typescript-eslint
dependency-version: 8.59.1
dependency-type: direct:development
update-type: version-update:semver-minor
dependency-group: frontend-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* fix(readiness): run pre-checks before contracts working directory exists
* fix(frontend): remove non-component export from button ui
* ci(security): add codeql and dependency review gates
* chore(security): add local slither install and core scan targets
* docs(phase1): add comprehensive contributor & deployment runbooks
  Add Phase 1 foundation documentation for team scaling and professional maintenance:
  CONTRIBUTING.md:
  - Local development setup instructions (Node, Foundry, super-cli)
  - Feature branch workflow with conventional commits
  - Code standards (TypeScript, Solidity, Testing)
  - PR submission checklist and review process
  - Testing guidelines and test structure
  - Troubleshooting for common dev issues
  DEPLOYMENT.md:
  - Step-by-step staging deployment runbook (OP Sepolia)
  - Mainnet deployment procedures with gates
  - Pre/post-deployment checklists
  - Evidence generation and verification
  - Monitoring and health checks
  - Rollback procedures for emergency scenarios
  - Comprehensive troubleshooting guide
  - Command cheat sheet and timeline estimates
  TROUBLESHOOTING.md:
  - Development setup issues (pnpm, Node, Foundry, super-cli, git hooks)
  - Smart contract issues (architecture guard, layering guard, Slither findings)
  - Frontend development issues (port conflicts, TypeScript errors, module resolution)
  - Testing issues (hanging tests, gas, balance)
  - Deployment issues (insufficient funds, timeouts, RPC problems)
  - CI/CD workflow issues (stuck workflows, secrets, version mismatches)
  - Network & RPC issues (timeouts, contract not found, chain ID)
  .github/CODEOWNERS:
  - Enhanced documentation with clear sections
  - Added review requirements annotations
  - Better organization for team scaling
  - Maintains strict single-owner model (ready for multi-owner when scaling)
  Impact:
  - Enables solo maintainer to self-document workflows
  - Provides clear onboarding path for new contributors
  - Establishes professional deployment procedures
  - Reduces support burden with comprehensive troubleshooting
  - Foundation for team collaboration (docs ready for team addition)
  - Production-ready documentation for auditors and stakeholders
  This commit fulfills Phase 1 foundation requirements:
  ✅ CONTRIBUTING.md created
  ✅ DEPLOYMENT.md runbook created
  ✅ TROUBLESHOOTING.md created
  ✅ CODEOWNERS enhanced and documented
  Ready for: Phase 2 (interactive UI) and Phase 3 (security audit planning)
  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* chore(deps): bump github/codeql-action from 3 to 4 (#16)
  Bump github/codeql-action from v3 to v4 to resolve Node.js 20 deprecation warnings on CI.
* chore(ci): bump dependency-review-action from v4 to v5
* chore(ci): disable CodeQL triggers until repo transferred to org with GHAS
* Enable org-transfer governance: CodeQL, Gitleaks, release-gate container, and verification scripts (#19)
* docs: replace roadmap with lean security next-steps guide
* fix(docs): remove duplicate required-check entries in BRANCHING.md
* fix(ci): add USER root in release-gate Dockerfile for apt-get permissions
* ci(security): fix dependency review tag and use OSS gitleaks CLI
* ci(security): fix gitleaks PATH on github runner
* ci(security): run gitleaks scan via docker image
* ci(security): remove hardcoded key and scope gitleaks to workspace
* ci(contracts): fix anvil key extraction for release check
* ci(contracts): require 64-byte anvil private key extraction
* ci: always run contracts/frontend checks on protected branches (#21)
* ci: phase-1 reusable workflows for frontend, slither, and secrets scan (#23)
* ci: extract reusable frontend/slither/secrets workflows
* ci(security): apply codereview pinning and permissions fixes
* fix(contracts): bridge approval safety + IRYLA interface decoupling
  - Wrap sendERC20 in try/catch; clear approval and revert with BridgeFailed() on failure
  - Extract IRYLA interface (inherits IERC20); MARKSettlementModule decoupled from concrete RYLA type
  - Add unit test for BridgeFailed catch branch
* docs: sync governance and CI docs with current protections
  - Add missing required checks (Secrets Drift Guard, Release Gate Container) to all branch matrices
  - Fix Analyze (JavaScript/TypeScript) casing to match canonical check names
  - Fixes Validate Governance Policy Consistency CI check
* chore(deps): bump frontend minor/patch dependencies
  105 minor and patch updates including:
  - @tanstack/react-query 5.100.8 → 5.100.9
  - typescript-eslint 8.59.1 → 8.59.2
  - bufferutil 4.0.9 → 4.1.0
  - jiti 2.6.1 → 2.7.0
  - lockfile resolutions updated accordingly
  All CI checks pass on Node 20 and 22.
* fix(deps): bump vite 6.1.0 → 6.4.2 (security)
  Fixes high-severity arbitrary file read CVE and medium-severity path traversal in vite dev server.
* test(contracts): add missing unit test coverage
  71 tests (was 59). Covers zero-input guards, exact error selectors, accumulator resets, supportsInterface, and isMint flag binding.
* chore(governance): migrate CODEOWNERS to @trade/maintainers team
  Replaces @iap with @trade/maintainers across all CODEOWNERS entries. Team created with maintain permission on repo.
* chore(ci): switch CodeRabbit to assertive profile
  profile: chill → assertive, request_changes_workflow: false → true
* fix(docs): add VALIDATE_MODE to staging checklist prerequisites
  Adds missing VALIDATE_MODE env var to staging checklist. Clarifies operator/attester rotation step with RUNBOOK.md reference. Removes trailing newline from package.json.
* chore(docs): remove stale pre-transfer planning documents
  Removes TRANSFER_NOW_CHECKLIST.md, ORG_TRANSFER_SECURITY_CHECKLIST.md, SECURITY_NEXT_STEPS.md, PROJECT_REVIEW.md — all completed with the org transfer on May 6, 2026.
* chore(governance): clean up CODEOWNERS
  Remove decorative section dividers, redundant comments, and duplicate entry. Consolidate contract path globs.
* fix(ci): workflow correctness and consistency fixes
  Pin slither-analyzer==0.11.5, fix secrets-drift-guard false positives, fix verify-governance.sh dismiss_stale_reviews on dev, add canary to evidence-manifest trigger, fix inputs context, fix wait-port, add pull_request_target comments, add Docker layer caching.
* feat(contracts): migrate AttestedSettlementVerifier to EIP-712
  Replace hybrid EIP-191 pattern with standard EIP-712 typed data signing. Expose settlementDigest() for off-chain signers. Add NatSpec on proof encoding and contextHash. 71 tests pass.
* chore: improve gitignore coverage
  Add .env/.env.*/*.env and supersim-logs/ to root gitignore. Add coverage/ to contracts gitignore.
* fix(ci): reliability and correctness fixes
  Add timeout-minutes:15 to stuck jobs, replace rg with grep -Eo in smoke script, pin slither==0.11.5 in Makefile, add explicit invariant runs=256 to foundry.toml.
* chore(deps): ignore transitive alerts from super-cli
  Ignore @hono/node-server, drizzle-orm, @stablelib/ed25519 scoped to vulnerable versions — all transitive from super-cli dev tool, no upstream fix available.
* docs: add SECURITY.md
  Reporting channel, scope, response SLA, and supported versions.
* chore(deps): bump @types/node from 22.13.1 to 25.6.1
  Type definitions update.
* chore(deps): bump typescript from 5.7.3 to 6.0.3
  Add ignoreDeprecations:6.0 for baseUrl deprecation warning.
* chore(deps): bump frontend-minor-patch group
  viem, debug, and other minor/patch updates.
* chore(deps): bump docker/setup-buildx-action from 3 to 4
  Node 24 runtime update.
* chore(deps): bump frontend-minor-patch group
  Minor/patch frontend dependency updates.
* fix: stale references and check name mismatches
  Remove chainId double-encoding from AttestedSettlementVerifier, fix stale iap/mark URLs, fix governance script check names to match actual CI output.
* test(contracts): add bridge integration test against supersim
  Exercises MARKBridgeAdapter against live SuperchainTokenBridge on two supersim forks. Verifies cross-chain token transfer and rate limit enforcement.
* test(contracts): add bridge adapter invariant fuzz tests
  Three invariants covering rate limiting: daily cap never exceeded, accumulator consistent with cap, zero address never holds operator role. 74 tests pass.
* fix(governance): sync check lists and fix ruleset condition
  Fix ruleset condition bug (canary/main now covered), sync apply-governance.sh and verify-governance.sh with live branch protection, fix frontend check name prefix in docs.
* chore(governance): document new ruleset structure
  Two focused rulesets: branch-protection (CodeQL alert gate) and tag-protection (v* tags). Replaces the broken develop ruleset.
* feat(token): rename RYLA display name to 'RYLA Credits'
  name() returns 'RYLA Credits', symbol stays 'RYLA'. Test and verification script updated.
* test
  Documents key roles and trust assumptions, attester key rotation procedure, break-glass procedure, production mode implications, and key storage recommendations for auditors and operators.
* fix(ci): use matrix language as CodeQL job name
  Produces consistent check name 'Analyze (javascript-typescript)' matching branch protection requirements.
* chore(config): harden staging profile and document environment setup
  Remove PRIVATE_KEY from staging.env, fix bridge destination to OP Sepolia, add key separation docs, fix env guard and drift guard for CI validation.
* feat(frontend): replace dev dashboard with protocol info page
  Protocol info page with pre-production status, contract descriptions, and resource links. Providers updated to optimism/optimismSepolia.
* chore(docs): cleanup and NatSpec improvements
  Fix README clone URL and naming, remove stale date from CONTRIBUTING.md, add eip712Domain NatSpec and no-pause design decision docs.
* fix(contracts): document setVerifier interface check limitation
  Add @dev comment explaining code.length check rejects EOAs but not non-conforming contracts.
* docs: add protocol philosophy to README
  Code is a rule. No DAO, no drama. Don't Trust, Verify.
* fix(ci): add working-directory override to pre-checkout branch enforcement steps
  Fixes pre-checkout branch check failing with 'No such file or directory' in staging and production workflows.
* fix(ops): enable post-deploy in rehearse-production-lock
  Enable MARK_RELEASE_RUN_POSTDEPLOY so activateProductionMode() is called during rehearsal.
* fix(ops): export deployed verifier address to env before PostDeployMARKSetup
  Fixes VerifierRequiredWhenProofEnabled during staging rehearsal.
* fix(ci): exclude Anvil default key from secrets drift guard
  Syncs Anvil key exclusion to dev.
* test
  THREAT_MODEL.md: trust boundaries, role compromise impact, external dependencies, invariants, and explicit out-of-scope items.
  KNOWN_ISSUES.md: six accepted design decisions with rationale — attested verifier as ZK placeholder, no-pause design, setVerifier interface check limitation, counter overflow analysis, timestamp epoch manipulation, and transitive dep alerts.
* fix(docs): correct two inaccurate invariants in THREAT_MODEL.md
  consumedIntents is set after proof validation, not before. Module balance invariant is per-operation, not absolute zero.
* fix(contracts): move consumedIntents assignment before external call (CEI)
  Follows CEI pattern — marks intent consumed before external verifier call. No behaviour change for current view verifier.
* chore(governance): set canary to 0 required approvals for solo maintainer
  Solo dev cannot self-approve. CI checks are the gate. Restore to 1 when second team member joins.
* docs(contracts): add NatSpec to settleMint and settleBurn
  Documents pre-approval requirement for settleBurn.
* fix(ops): wait for tx confirmation in staging rehearsal
  Add --slow to forge script broadcast so Foundry waits for each transaction receipt before the verify step runs.
* fix(governance): set all branches to 0 required approvals
  Solo maintainer cannot approve own PRs. CI gates are the enforcement mechanism. Removes MAIN_REVIEW_COUNT/DEV_REVIEW_COUNT vars, adds approval count verification to verify-governance.sh.
* fix(governance): restrict direct pushes to trade/maintainers team
  Restricts direct pushes on all branches to trade/maintainers team. Removes unused helper functions. verify-governance.sh now checks push restriction team slug.
* fix(deps): update drizzle-orm dependabot ignore rule to 0.38.4
  drizzle-orm@0.38.4 is transitive from @eth-optimism/super-cli. Updated ignore rule to match installed version. All four Dependabot alerts dismissed as tolerable risk.
* feat(contracts): add Groth16SettlementVerifier
  Adds Groth16SettlementVerifier implementing IUTXOSettlementVerifier via swappable IGroth16Verifier. 12 unit tests passing. AttestedSettlementVerifier remains active production verifier.
* feat(circuits): add UTXOSettlement circom circuit
  Adds UTXOSettlement circom circuit. Poseidon-based UTXO ownership proof. 602 constraints, 6 witness tests passing.
* feat(contracts): add MARKPool ZK UTXO pool domain
  Adds MARKPool shielded RYLA transfer pool. 88 unit tests passing.
* fix(contracts): rewrite MARKPool for MARK's 4-signal circuit
  Rewrites MARKPool from scratch for MARK's own UTXOSettlement circuit. UTXOVerifier.sol regenerated from MARK's own trusted setup. 84 unit tests passing.
* fix(circuits): add range constraints and isMint burn path
  Range constraints on recipient/chainId/settlementModule/amount. isMint burn path in MARKPool. Trusted setup rerun. 84 tests passing.
* feat(pool): add MARKPool ZK UTXO pool domain (#100)
* feat(pool): add MARKPool ZK UTXO pool domain
  Introduces the full pool domain for private RYLA transfers:
  Contracts:
  - MARKPool: ZK UTXO pool with Merkle tree, fee policy, bridge-out/in, withdraw binding, AccessManaged access control
  - MARKWithdrawAdapter: EIP-712 signature-based withdrawal adapter
  - RYLACreditLedger: ICreditLedger adapter bridging MARKPool to RYLA mint/burn; restricted to pool caller only (onlyPool)
  - PoolFeePolicy, PoolPublicInputs, PoolValidation: pool support libraries
  - MARKPoolVerifier: Groth16 verifier generated from MARKPool circuit (13 public signals, pot15 trusted setup)
  Interfaces: ICreditLedger, IVerifier, IPoolBridge, IPoolNullifier
  Crypto: MerkleTree (Poseidon, depth-20), ProofUtils, PoseidonT3
  Circuit:
  - circuits/mark/MARKPool.circom: MARK-native UTXO circuit (depth=20, 2-in/2-out, 13 public signals); renamed from prototype utxo.circom, domain constants documented as permanent, hardcoded fee policy removed
  - circuits/setup.mjs: trusted setup script (pot15)
  - circuits/test/MARKPool.test.mjs: 13 witness tests
  CI: circuits-ci.yml runs witness tests on every PR
  Tests: MARKPool.t.sol (22), MARKWithdrawAdapter.t.sol (9), RYLACreditLedger.t.sol (8)
* fix(pool): fix PoolErrors, domain separators, remove dead code
  - PoolErrors.sol: rewrite to match Pool.sol, PoolValidation.sol, and MerkleTree.sol — adds 25 missing errors (build was broken), removes 18 errors only used by the old MARKPool prototype
  - MARKPool.sol: rename domain separator Pool.WithdrawBinding.v1 to MARKPool.WithdrawBinding.v1 (permanent, must be set before deploy)
  - MARKWithdrawAdapter.sol: rename domain separator WithdrawAdapter.Intent.v1 to MARKWithdrawAdapter.Intent.v1
  - UTXOVerifier.sol: delete (built for old 4-signal circuit, wrong interface, superseded by MARKPoolVerifier.sol)
  - IUTXOVerifier.sol: delete (superseded by IVerifier.sol)
  - UTXOSettlement.circom: delete (superseded by MARKPool.circom)
  - Groth16SettlementVerifier.sol: update stale comment
  - KNOWN_ISSUES.md: add KI-7 (two-circuit architecture), KI-8 (pool domain access control model)
  - foundry.toml: via_ir = true for pool domain compilation
* fix(pool): immutable naming, deploy script, docs, invariants, arch guard
  - MARKPool, MARKWithdrawAdapter: rename immutables to SCREAMING_SNAKE_CASE (assetLedger->ASSET_LEDGER, proofPool->PROOF_POOL)
  - MARKPool: remove _assetLedger from constructor; add setAssetLedger() one-time restricted setter to break circular deploy dependency with RYLACreditLedger
  - DeployMARKPool.s.sol: full deployment script for pool domain (AccessManager, MARKPool, RYLACreditLedger, MARKWithdrawAdapter)
  - MARKPool.sol: add withdrawal flow NatSpec (burn-to-claim model)
  - ARCHITECTURE.md: add pool/withdraw domains, dependency rules, and withdrawal flow section
  - MARKPoolInvariants.t.sol: 3 invariants (nullifiers never unspent, withdraw bindings immutable, root queue only grows)
  - architecture-guard.sh: add pool->settlement/bridge and withdraw->settlement/bridge isolation rules
* fix(pool): fix deploy script role grant and ASSET_LEDGER null guard
  - DeployMARKPool.s.sol: grant POOL_ADMIN_ROLE to deployer during setup so setAssetLedger/setIntentSigner calls succeed when deployer != owner; revoke deployer role after setup completes
  - MARKPool._applyFee: revert InvalidAssetLedger if ASSET_LEDGER is not set and a non-zero fee is applied (prevents silent call to address(0))
* fix(ci): compile circuit before running witness tests
  circuits/build/ is gitignored so the WASM and witness_calculator.js are not in the repo. Add circom install and npm run build steps before npm test so CI compiles the circuit fresh on each run.
* fix(ci): create build dir before circom compile
* refactor(pool): pre-merge improvements
  - Rename immutables to SCREAMING_SNAKE_CASE: assetLedger->ASSET_LEDGER, proofPool->PROOF_POOL (MARKPool.sol, MARKWithdrawAdapter.sol)
  - MARKPool: remove _assetLedger from constructor, add setAssetLedger() one-time restricted setter to break circular deploy dependency with RYLACreditLedger
  - MARKPool: add withdrawal flow documentation to contract NatSpec
  - ARCHITECTURE.md: add pool/withdraw domains, dependency rules, and withdrawal flow explanation
  - DeployMARKPool.s.sol: deployment script for MARKPool, RYLACreditLedger, MARKWithdrawAdapter with AccessManager configuration
  - MARKPoolInvariants.t.sol: 3 invariants (nullifiers never unspent, withdraw bindings immutable, root queue only grows)
  - architecture-guard.sh: add pool and withdraw domain isolation rules
* chore(pool): update circuits CI, setup, and pool errors
  - circuits-ci.yml: updated to run MARKPool witness tests
  - circuits/package.json: build/test scripts point to MARKPool.circom
  - circuits/setup.mjs: updated for MARKPool.circom trusted setup
  - circuits/test/MARKPool.test.mjs: cleaned up test file
  - contracts/KNOWN_ISSUES.md: updated KI-7 for current two-circuit state
  - contracts/src/pool/errors/PoolErrors.sol: add missing blank line
* fix(pool): address CodeRabbit review findings
  - circuits-ci.yml: fix circom install permissions (use sudo mv to /usr/local/bin instead of direct write which fails on GH Actions)
  - PoolErrors.sol: add clarifying comment to FixedFeePolicy explaining it fires when minFee > 1 (not a fee-rate policy, a range guard)
  - MARKWithdrawAdapter.sol: document personal_sign intent on computeWithdrawIntentDigest (EIP-191 is intentional, not EIP-712)
  bridgeIn replay protection finding: already fixed in current code (processedBridgeMessages mapping + check at line 390) — stale finding.
* fix(pool): address second round CodeRabbit findings
  - setup.mjs: use crypto.randomBytes for ceremony entropy (Date.now is predictable), add mkdirSync for build/, fix EJS template loading to use readFileSync instead of dynamic import with assert (unsupported in Node 20/22/24 ESM)
  - circuits-ci.yml: pin circom to v2.2.3 instead of latest, add version verification step
  - KNOWN_ISSUES.md: fix misleading 'settlement-specific verifier' wording — MARKPoolVerifier is a shared pool verifier, not settlement-specific
  - MARKPool.sol: fix NatSpec EIP-712 reference to EIP-191 (personal_sign)
* feat(pool): add pool E2E test, fix RYLACreditLedger caller model
  RYLACreditLedger:
  - Separate credit (pool-only) and debit (adapter-only) callers
  - Add setAdapter() one-time setter to break circular deploy dependency (adapter constructor needs ledger, ledger needs adapter address)
  - Add AdapterAlreadySet error
  DeployMARKPool.s.sol:
  - Call ledger.setAdapter(adapter) after adapter deployment
  Tests:
  - RYLACreditLedger.t.sol: updated for new caller model, 11 tests
  - MARKWithdrawAdapter.t.sol: add setAdapter call in setUp
  - MARKPoolE2E.t.sol: full withdrawal flow E2E test (3 tests)
    - testFullWithdrawalFlow: mint RYLA -> transactWithWithdrawBinding -> withdrawWithSig -> verify RYLA burned, ETH received
    - testNullifierReplayRejected
    - testBindingMismatchRejected
  134/134 tests pass
* feat(pool): add ReleasePool.s.sol orchestrator and pool env vars
  - ReleasePool.s.sol: release orchestrator for pool stack following the same pattern as ReleaseMARK.s.sol — preflight checks, deploy via DeployMARKPool, post-deploy verification (wiring checks + RYLA roles), JSON artifact write
  - .env.example: add pool stack env vars (MARK_POOL_VERIFIER, MARK_POOL_OWNER, MARK_POOL_INTENT_SIGNER, release flags, artifact path, post-deploy verify addresses)
* fix(pool): security fixes and dead code removal
  RYLACreditLedger:
  - Add OWNER immutable (set to msg.sender in constructor)
  - Restrict setAdapter to OWNER to prevent front-running between deployment and the setAdapter call in the release script
  - Add testSetAdapterRevertsForNonOwner test
  - Add clarifying NatSpec to totalCreditsOutstanding explaining it tracks only flows through this ledger, not total RYLA supply
  MARKWithdrawAdapter:
  - Move ETH transfer before ASSET_LEDGER.debit — if ETH transfer fails, RYLA is no longer burned (was a loss-of-funds bug)
  MARKPool:
  - Remove dead _seedRoot function (defined but never called)
  - Add NatSpec to computePublicInputsWithWithdraw clarifying chainId vs dstChainId semantics
* fix(test): fix nullifier replay test to use fresh signatures
  testNullifierReplayRejected was reusing signatures computed for nonce N in the second withdrawWithSig call with nonce N+1, causing a NonceMismatch revert instead of exercising nullifier replay protection. Now recomputes the intent hash and signs with the updated nonce so the revert is caused by NullifierAlreadyClaimed as intended.
* fix(pool): guard totalCreditsOutstanding against underflow
* feat(pool): add pool release CI check and deploy script tests
  contracts-ci.yml:
  - Add pool release dry-run and execute smoke steps to the contracts-release-check job, reusing the Anvil instance and RYLA token deployed by the settlement release step
  - Assert pool release artifact schema (pool, ledger, adapter addresses)
  MARKPoolDeployScripts.t.sol:
  - testDeployMARKPoolWiresAllContracts: verifies all contract wiring (pool<->ledger, ledger<->adapter, RYLA roles)
  - testDeployMARKPoolSetsIntentSignerWhenProvided: verifies intent signer is configured when MARK_POOL_INTENT_SIGNER is set
  - testDeployMARKPoolRevertsWhenMissingTokenAdmin: verifies preflight check rejects deployer without RYLA admin role
  138/138 tests pass
* fix(pool): address final CodeRabbit findings
  - contracts-ci.yml: remove '|| true' from pool release dry-run step; use the deployed settlement module address as verifier (a real contract) so the preflight code.length check passes without masking failures
  - RYLACreditLedger.sol: fix NatSpec on totalCreditsOutstanding to accurately describe accounting scope — _totalBurned can exceed _totalMinted if RYLA is burned via other paths (e.g. settlement module)
* fix(ci): fix pool release CI failure and address CodeRabbit finding
  contracts-ci.yml:
  - Add --skip-simulation to pool release broadcast — PoseidonT3 (55,856 bytes) exceeds EIP-170 limit and cannot be deployed without refactoring to a linked library; --skip-simulation tests script orchestration only
  - Fix jq assertion to use regex validation instead of zero-address check, rejecting null values and validating hex address format
  KNOWN_ISSUES.md:
  - Add KI-8 documenting PoseidonT3 contract size issue and required fix before mainnet (deploy as standalone contract, call via interface)
* fix(ci): remove pool execute smoke, fix jq assertion, fix KI-7 wording
  contracts-ci.yml:
  - Remove pool release execute smoke step — MARKPool (24,841 bytes) and PoseidonT3 (55,856 bytes) exceed EIP-170 limit and cannot be broadcast to Anvil; pool deploy requires PoseidonT3 refactor (KI-8) first
  - Keep pool release dry-run only (validates script logic and preflight)
  - Remove the now-unused artifact assertion step
  KNOWN_ISSUES.md:
  - Fix KI-7: both pool and settlement systems use the same MARKPool circuit — remove implication of distinct circuit designs
* fix(pool): add code.length checks to RYLACreditLedger constructor and setAdapter
  Prevents EOAs from being set as TOKEN, POOL, or ADAPTER. Adds InvalidContract error. 3 new tests cover the EOA rejection cases. setUp uses vm.etch to give mock addresses contract bytecode.
* fix(contracts): harden settlement verifier flow and CI reliability
* fix(review): address open CI and pool verifier feedback
* refactor(pool): rename min fee guard error for clarity
* fix(pool,settlement): replace require strings and wrong errors with custom errors
  PoolFeePolicy:
  - Replace require(maxFeeBurnBps != 0, string) and require(feeBurnBps <= maxFeeBurnBps, string) with custom error FeePolicyInvalidBps() — consistent with codebase style, lower gas
  Groth16SettlementVerifier:
  - Replace ZeroAddress() with VerifierNotAContract() for verifierContract code.length check
  - Replace ZeroAddress() with SettlementModuleNotAContract() for settlementModule code.length check
  - ZeroAddress was semantically wrong for non-zero addresses that have no code
* ci: trigger fresh CI run
* docs(pool): correct KI-8 — MARKPool itself is over EIP-170 size limit
  Investigation: MARKPool is 24,960 bytes (over 24,576 limit) even without PoseidonT3 inlining. via_ir=true already prevents PoseidonT3 from being inlined. The fix requires splitting MARKPool into smaller contracts, not just extracting PoseidonT3 as a standalone contract. Both are required.
* fix(pool): reduce MARKPool below EIP-170 size limit (24200 < 24576 bytes)
  Size reductions (24961 -> 24200 bytes, -761 bytes):
  - Remove redundant verifierAddr.code.length check in _verifyAndConsume (already validated in setVerifier, cannot change after deployment)
  - Remove redundant tail != rootQueueTail guard in _insertCommitmentsValidated (always true after inserting 2 commitments)
  - Inline _requireCommitmentsValid wrapper (single-line delegation)
  - Inline _insertCommitments wrapper (only called from bridgeIn)
  - Remove computePublicInputs and computePublicInputsWithWithdraw public view functions from MARKPool — _buildPublicInputs now calls PoolPublicInputs.build directly; off-chain callers use PoolPublicInputs
  Bug fixes:
  - PoolValidation: move NullifierDuplicate check before the loop so duplicate nullifiers get the precise error, not NullifierUsed
  - MARKPool.pause(): document that unpause() does NOT auto-restore withdrawals (intentional asymmetry, requires explicit unpauseWithdrawals)
* fix: address CodeRabbit findings (circuits, Makefile, architecture-guard)
  circuits/test/MARKPool.test.mjs:
  - Remove unused buildMerklePath helper (tests use buildTwoLeafRoot)
  circuits/setup.mjs:
  - Add r1cs existence check before trusted setup with clear error message
  contracts/Makefile:
  - Restore test-core to exclude invariant tests (--no-match-path) so ci-fast remains fast as documented
  contracts/script/ci/architecture-guard.sh:
  - Tighten all four import regexes to handle optional leading whitespace and any number of ../ segments (prevents bypass via indented imports or deeper relative paths)
* fix: address remaining CodeRabbit findings
  contracts/src/pool/MARKPool.sol:
  - setVerifier: add code.length check (consistent with constructor)
  circuits/test/MARKPool.test.mjs:
  - expectFail: only treat constraint/assertion failures as PASS; rethrow other errors so regressions surface
  contracts/KNOWN_ISSUES.md:
  - KI-7: separate design capability from configuration state for settlement system wording
* fix(circuits): lowercase error message comparison in expectFail
* docs(deployment): add Groth16SettlementVerifier wiring step (Step 18)
  Documents the two post-deploy calls required to activate ZK-based settlement: setSettlementModule and setVerifierContract on Groth16SettlementVerifier, then setVerifier on MARKSettlementModule. AttestedSettlementVerifier remains the fallback until wiring is complete.
* fix(settlement): return false on malformed proof in Groth16SettlementVerifier (#101)
  abi.decode reverts on malformed/short proof bytes, which propagated through MARKSettlementModule as a raw error instead of VerificationFailed.
  Fix: check proof.length == 672 before decoding (fixed ABI encoding size: uint256[2]+uint256[2][2]+uint256[2]+uint256[13] = 64+128+64+416 = 672). Malformed proofs now return false cleanly.
  Tests: testVerifySettlementReturnsFalseForMalformedProof, testVerifySettlementReturnsFalseForEmptyProof
* fix(ci): exclude integration tests from test-core target (#102)
  test-core was running integration tests (which require supersim on port 9545) because --no-match-path on the command line overrides foundry.toml's no_match_path setting rather than adding to it. Use brace glob to exclude both invariant and integration tests.
* fix(test): remove unverifiable cross-chain assertion from integration test (#103)
  testBridgeToTransfersTokensCrossChain switched to fork B and checked the recipient balance, but Foundry fork tests cannot simulate supersim's async message relay — the contract simply doesn't exist on the other fork.
  Fix: assert only the source-chain burn (which is fully verifiable in a fork test). Add a NatSpec note explaining the relay limitation.
* docs(pool): correct KI-8 — PoseidonT3 inlined via via_ir, MARKPool deployable (#104)
* docs(pool): correct KI-8 — PoseidonT3 is inlined via via_ir, MARKPool is deployable
  via_ir=true causes the compiler to inline PoseidonT3 into MARKPool rather than deploying it as a linked library.
  MARKPool has no link references and is 24,298 bytes (278 bytes under EIP-170). KI-8 was based on an earlier state where MARKPool exceeded the limit. Updated KI-8 to reflect accurate current state and note the tight margin.
* refactor(crypto): use >>= 1 instead of /= 2 in MerkleTree insert
* security: harden pool domain before testnet (#105)
* security: harden pool domain before testnet
  - Add pool/withdraw/Groth16 contracts to slither-core scope
  - Document all slither exclusion rationale in Makefile
  - RYLACreditLedger: add Credit/Debit events, move before external calls (CEI)
  - MARKWithdrawAdapter: add test for recipient zero-check (existing check, missing test)
  - THREAT_MODEL.md: add pool stack overview, trust boundaries, role compromise impact, and 3 new invariants (nullifier replay, withdraw binding, debit approval)
* fix(ci): use per-contract slither exclusions instead of global
  CodeRabbit correctly noted that global exclusions could suppress actionable findings in newly added contracts. Refactored slither-core to apply only the relevant exclusions per contract. Also added arbitrary-send-erc20 to MARKSettlementModule and RYLACreditLedger (both use safeTransferFrom with prior approval — not arbitrary).
* fix(ci): add set -e to slither-core, fix preflight to use python3 -m slither
  Without set -e, a failing early slither invocation would be masked if the final command succeeds. Also align the preflight check with the actual invocation (python3 -m slither, not command -v slither).
* ci: fix 4 workflow issues pre-testnet (#106)
* ci: fix 4 workflow issues pre-testnet
  1. Sync _reusable-contracts-slither.yml with Makefile
     - Delegate to 'make slither-core' (single source of truth)
     - Now covers all 8 contracts with per-contract exclusions
     - Previously only scanned 4 settlement contracts with global exclusions
  2. Enable pool execute smoke in contracts-ci.yml
     - KI-8 resolved: via_ir inlines PoseidonT3, MARKPool is 24,298 bytes
     - Pool broadcast to Anvil now works; remove stale blocker comment
  3. Fix integration test readiness check
     - Wait on ports 9545/9546 (actual RPC ports) not 8420 (admin port)
     - Use nc loop consistent with anvil readiness pattern
  4. Pin foundry-rs/foundry-toolchain to v1.8.0 commit SHA
     - Floating @v1 could silently break on Foundry breaking changes
     - Pinned: c7450ba673e133f5ee30098b3b54f444d3a2ca2d (v1.8.0)
* fix(ci): remove foundry version input from reusable slither workflow
  The version input was passed as 'v1.8.0' to the action's 'version' input which expects a Foundry binary tag (e.g. 'stable', 'nightly'), not the action version. This caused foundryup to fail extracting the tar archive. Use the action's default Foundry version instead.
* fix(ci): revert pool execute smoke — Foundry rejects PoseidonT3 artifact size
  forge create/broadcast checks all library artifacts for EIP-170 compliance. PoseidonT3 is 55,856 bytes as a standalone artifact even though via_ir inlines it into MARKPool at compile time. The broadcast is blocked before deployment. Keep dry-run only. Update KI-8 with the precise diagnosis.
* fix(pool): resolve PoseidonT3 deployment blocker via external interface (#107)
  PoseidonT3 is a Solidity library with a public function — it gets deployed as a separate linked contract (55,856 bytes) which exceeds EIP-170 (24,576). This blocked all pool deployments.
  Fix: replace the library call with an external interface (IPoseidonT3). MerkleTree now stores the Poseidon contract address in the Tree struct and calls it via DELEGATECALL-free external call. MARKPool constructor accepts a _poseidon address parameter.
  Default deployment address: 0xB43122Ecb241DD50062641f089876679fd06599a
  This is Semaphore's PoseidonT3 (PSE/Ethereum Foundation), deployed at the same address on all EVM networks via CREATE2.
  Verified compatible with our implementation: hash([0,0]) and hash([1,2]) produce identical outputs.
  MARKPool now has zero link references and is fully self-contained. MARKPool size: 24,231 bytes (345 bytes margin under EIP-170).
  Tests: deployCode('PoseidonT3.sol:PoseidonT3') in test setUp bypasses EIP-170 (Foundry test runner does not enforce the limit).
* chore(circuits): remove stale UTXOSettlement artifacts (#108)
* chore(circuits): remove stale UTXOSettlement artifacts
  UTXOSettlement circuit is superseded by MARKPool.circom. Remove the stale test file and old verification key artifact. The utxo/ source and build/ artifacts are already gitignored.
* ci: trigger Release Gate Container for circuits-only PRs
  Add circuits/** to path filter so the required check runs and passes when only circuit files change (no contracts affected).
* ci: add circuits/** to push paths for consistency
* ci: remove path filter from release gate pull_request trigger
* ci: add circuits/** to CodeQL path filter to unblock circuits-only PRs
* fix: address codebase review findings (#109)
  Bug: RYLACreditLedger.debit() — move _totalBurned update before safeTransferFrom to follow CEI pattern. Previously the state update happened after the external call, creating a reentrancy window where _totalBurned was not yet incremented during the transfer callback.
  Docs: KNOWN_ISSUES.md KI-8 — update stale size figures and description. MARKPool is now 24,231 bytes (345 bytes margin). PoseidonT3 is no longer inlined via via_ir; MerkleTree calls it via IPoseidonT3 interface at 0xB43122... (Semaphore, same address on all EVM networks).
  Tests: add testConstructorRevertsOnZeroPoseidon and testConstructorRevertsOnEOAPoseidon to MARKPool.t.sol — the _poseidon constructor parameter added in PR #107 had no test coverage.
* ci: pin action-shellcheck to commit SHA (#110)
* ci: pin action-shellcheck to commit SHA
  ludeeus/action-shellcheck@2.0.0 was pinned by version tag only.
Tags are mutable — a compromised tag could point to malicious code. Pin to the immutable commit SHA (00cae50) for supply chain safety. * ci: trigger CodeQL for all .github/workflows/** changes * chore(deps): bump actions/dependency-review-action from 4 to 5 (#90) Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4 to 5. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump the frontend-minor-patch group across 1 directory with 21 updates (#91) Bumps the frontend-minor-patch group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [@tailwindcss/vite](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-vite) | `4.2.4` | `4.3.0` | | [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` | | [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.4` | `4.3.0` | | [baseline-browser-mapping](https://github.com/web-platform-dx/baseline-browser-mapping) | `2.10.27` | `2.10.29` | | [electron-to-chromium](https://github.com/Kilian/electron-to-chromium) | `1.5.352` | `1.5.353` | | [get-east-asian-width](https://github.com/sindresorhus/get-east-asian-width) | `1.5.0` | `1.6.0` | Updates `@tailwindcss/vite` from 4.2.4 to 4.3.0 - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-vite) 
Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](https://github.com/dcastil/tailwind-merge/compare/v3.5.0...v3.6.0)

Updates `tailwindcss` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/tailwindcss)

Updates `@tailwindcss/node` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/packages/@tailwindcss-node)

Updates `@tailwindcss/oxide-android-arm64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/android-arm64)

Updates `@tailwindcss/oxide-darwin-arm64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/darwin-arm64)

Updates `@tailwindcss/oxide-darwin-x64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/darwin-x64)

Updates `@tailwindcss/oxide-freebsd-x64` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/freebsd-x64)

Updates `@tailwindcss/oxide-linux-arm-gnueabihf` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm-gnueabihf)

Updates `@tailwindcss/oxide-linux-arm64-gnu` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm64-gnu)

Updates `@tailwindcss/oxide-linux-arm64-musl` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-arm64-musl)

Updates `@tailwindcss/oxide-linux-x64-gnu` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-x64-gnu)

Updates `@tailwindcss/oxide-linux-x64-musl` from 4.2.4 to 4.3.0
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.0/crates/node/npm/linux-x64-musl)

Updates `@tailwindcss/oxide-wasm32-wasi` from 4.2.4 to 4.3.0
- [Release not…
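Bumps the frontend-minor-patch group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @tailwindcss/vite | `4.2.4` | `4.3.0` |
| tailwind-merge | `3.5.0` | `3.6.0` |
| tailwindcss | `4.2.4` | `4.3.0` |
| baseline-browser-mapping | `2.10.27` | `2.10.29` |
| electron-to-chromium | `1.5.352` | `1.5.353` |
| get-east-asian-width | `1.5.0` | `1.6.0` |

Updates `@tailwindcss/vite` from 4.2.4 to 4.3.0

Release notes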
Sourced from @tailwindcss/vite's releases.
Changelog
Sourced from @tailwindcss/vite's changelog.
Commits
- `588bd73` 4.3.0 (#20023)
- `d194d4c` docs: fix various typos in comments and documentation (#19878)
- `db27049` fix(@tailwindcss/vite): include `@variant` in feature detection (#19966)
- `5a79990` Always resolve relative files, relative to the current .css file (#19965)
- `f3fdda2` fix(vite): avoid resolving JS plugins to browser CSS entries (#19949)

Updates `tailwind-merge` from 3.5.0 to 3.6.0

Release notes
Sourced from tailwind-merge's releases.
Commits
- `d54f7e5` v3.6.0
- `638871a` Update README to add info about Tailwind CSS v4.3 support
- `39fc7b5` Revert "v3.6.0"
- `bd8390f` v3.6.0
- `802877c` add v3.6.0 changelog
- `a35feda` Merge pull request #665 from dcastil/renovate/rollup-plugin-babel-7.x
- `940389c` Merge pull request #667 from dcastil/renovate/release-drafter-release-drafter...
- `005af6d` pin to specific version
- `5816ced` implement breaking changes
- `17041e1` Merge pull request #676 from dcastil/dependabot/npm_and_yarn/babel/plugin-tra...

Updates `tailwindcss` from 4.2.4 to 4.3.0

Release notes
Sourced from tailwindcss's releases.
Changelog
Sourced from tailwindcss's changelog.
Commits
- `588bd73` 4.3.0 (#20023)
- `59936c6` Add `tab-*` utilities (#20022)
- `90a2373` add `zoom-*` utilities (#20020)
- `2e1ccf7` Add `scrollbar-gutter-*` utilities (#20018)
- `754e751` Use non-existing example in tests (#20021)
- `12eb5ae` Cleanup noisy test output (#20015)
- `4255671` Improve snapshot tests (#20013)
- `8c77989` Ensure math operators are surrounded by whitespace in arbitrary values (#20011)
- `b4db3b9` Add scrollbar-width and scrollbar-color utilities (#19981)
- `08cad84` Support `--default(…)` in `--value(…)` and `--modifier(…)` to support fallbac...

Updates `@tailwindcss/node` from 4.2.4 to 4.3.0

Release notes
Sourced from @tailwindcss/node's releases.
Changelog
Sourced from @tailwindcss/node's changelog.
Commits
- `588bd73` 4.3.0 (#20023)
- `12eb5ae` Cleanup noisy test output (#20015)
- `4b5d6a5` Update enhanced-resolve 5.20.1 → 5.21.0 (minor) (#19998)
- `3a890c3` Bump dependencies (#19957)

Updates `@tailwindcss/oxide-android-arm64` from 4.2.4 to 4.3.0

Release notes
Sourced from @tailwindcss/oxide-android-arm64's releases.
Changelog
Sourced from @tailwindcss/oxide-android-arm64's changelog.
Commits
- `588bd73` 4.3.0 (#20023)

Updates `@tailwindcss/oxide-darwin-arm64` from 4.2.4 to 4.3.0

Release notes
Sourced from @tailwindcss/oxide-darwin-arm64's releases.
Changelog
Sourced from @tailwindcss/oxide-darwin-arm64's changelog.
Commits
- `588bd73` 4.3.0 (#20023)

Updates `@tailwindcss/oxide-darwin-x64` from 4.2.4 to 4.3.0

Release notes
Sourced from @tailwindcss/oxide-darwin-x64's releases.