From 37c44d5a8b3f6d70bece15aa7d0358d644cc54c3 Mon Sep 17 00:00:00 2001 From: Iko Date: Thu, 21 May 2026 01:56:49 +0700 Subject: [PATCH 1/8] config(coderabbit): reduce noise and focus on important files Make CodeRabbit less noisy while keeping it useful: Changes: - Disable high_level_summary (reduces comment length) - Skip PRs with 'style' or 'chore' in title - Focus path_filters on contracts and workflows only - Skip frontend/tooling files (Greptile handles those) Benefits: - Less noise in PR comments - Focuses on security-critical code (contracts) - Avoids rate limits on trivial changes - Complements local 'pnpm review' workflow Workflow: 1. Local: pnpm review (catches issues early) 2. GitHub: CodeRabbit (team visibility, contracts only) 3. GitHub: Greptile (deep analysis, all files) --- .coderabbit.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.coderabbit.yaml b/.coderabbit.yaml index 98b3082..6f073a3 100644 --- a/.coderabbit.yaml +++ b/.coderabbit.yaml @@ -5,15 +5,24 @@ early_access: false reviews: profile: 'chill' request_changes_workflow: false - high_level_summary: true + high_level_summary: false review_status: true collapse_walkthrough: true auto_review: enabled: true drafts: false + ignore_title_keywords: + - 'WIP' + - 'DO NOT REVIEW' + - 'style' + - 'chore' path_filters: - '!**/.nvmrc' - '!**/pnpm-lock.yaml' + - '!**/package-lock.json' + - '!**/pnpm-lock.yaml' + - 'contracts/src/**/*.sol' + - 'contracts/script/**/*.sol' - '.github/workflows/**' - '**/*.md' - '**/*.yml' From fb9a099d38c133a2d6482b1d6914b034737c4b71 Mon Sep 17 00:00:00 2001 
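Review bot: Adding `'chore'` and `'style'` to `ignore_title_keywords` switches review off for any PR whose title contains those substrings, which covers governance changes such as `chore: remove stale transfer scripts` later in this very series; a title prefix is not a proxy for risk, so those two entries do not belong in the skip list. The same hunk adds a second `'!**/pnpm-lock.yaml'` to `path_filters` while the existing entry two lines above is kept. Patch 7 of this series appears to revert both, so the intermediate state is only noise in history; squashing the two config patches would be cleaner. The list also still carries `'**/*.md'` and `'**/*.yml'`, so the description's "contracts and workflows only" overstates the narrowing.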
From: Iko Date: Thu, 21 May 2026 05:14:25 +0700 Subject: [PATCH 2/8] fix(config): replace hardcoded RPC URL with env var in staging.env Resolves CWE-798: the public OP Sepolia RPC endpoint was hardcoded. Replace with MARK_STAGING_RPC_URL env var, falling back to the public endpoint for local use. In CI, inject via GitHub secret. --- contracts/config/profiles/staging.env | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/contracts/config/profiles/staging.env b/contracts/config/profiles/staging.env index b2ef87c..fd489a1 100644 --- a/contracts/config/profiles/staging.env +++ b/contracts/config/profiles/staging.env @@ -12,8 +12,9 @@ # MARK_STAGING_DEPLOYER_PRIVATE_KEY GitHub secret. For local rehearsal # runs, export PRIVATE_KEY before sourcing this file. -# Use a private RPC endpoint (Alchemy/Infura/QuickNode) to avoid public rate limits. -RPC_URL=https://sepolia.optimism.io +# Set RPC_URL to a private endpoint (Alchemy/Infura/QuickNode) to avoid public rate limits. +# In CI this is injected from the MARK_STAGING_RPC_URL GitHub secret. +RPC_URL=${MARK_STAGING_RPC_URL:-https://sepolia.optimism.io} # Owner address (hardware wallet — address only, never the key). MARK_RYLA_OWNER=0x0000000000000000000000000000000000000000 From e5a5f79ec8a6859f2f1ee585bfbd5eb0dc79bbd9 Mon Sep 17 00:00:00 2001 
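Review bot: `RPC_URL=${MARK_STAGING_RPC_URL:-https://sepolia.optimism.io}` falls back silently, so a CI rehearsal where the secret is unset or misnamed would quietly run against the public rate-limited endpoint instead of failing; in the workflow step that sources this file, a guard such as `: "${MARK_STAGING_RPC_URL:?MARK_STAGING_RPC_URL secret is not set}"` before the `source` makes the misconfiguration fail fast while keeping the local fallback. The `${VAR:-default}` expansion only happens when the file is `source`d by a shell, as the comment above it describes; any consumer that parses it as a literal dotenv file would receive the unexpanded string as the URL, which is worth confirming does not exist. Since the private endpoints named in the comment embed an API key in the URL, the injected value is a credential: it should never be echoed (e.g. via `set -x` while sourcing), and a comment saying so next to the line, `# Treat RPC_URL as a secret: provider URLs carry the API key in the path.`, would stop a future reader from logging it.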
From: Iko Date: Thu, 21 May 2026 05:15:04 +0700 Subject: [PATCH 3/8] chore: remove stale transfer scripts and clean up gitignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove pretransfer-readiness.sh and posttransfer-bootstrap.sh — both were one-time org migration helpers with no remaining references in workflows or documentation. Remove .vscode exception rules from .gitignore — no longer needed. Update PRODUCTION_GOVERNANCE_CHECKLIST.md section 9 heading to remove the stale 'after transfer' wording. --- .github/PRODUCTION_GOVERNANCE_CHECKLIST.md | 2 +- .gitignore | 2 - scripts/github/posttransfer-bootstrap.sh | 27 -------- scripts/github/pretransfer-readiness.sh | 74 ---------------------- 4 files changed, 1 insertion(+), 104 deletions(-) delete mode 100755 scripts/github/posttransfer-bootstrap.sh delete mode 100755 scripts/github/pretransfer-readiness.sh diff --git a/.github/PRODUCTION_GOVERNANCE_CHECKLIST.md b/.github/PRODUCTION_GOVERNANCE_CHECKLIST.md index 98d7ca1..d31170a 100644 --- a/.github/PRODUCTION_GOVERNANCE_CHECKLIST.md +++ b/.github/PRODUCTION_GOVERNANCE_CHECKLIST.md @@ -135,7 +135,7 @@ What this script applies: - optional production required reviewers by user ID - optional direct-push restrictions via `*_PUSH_ALLOW_*` allowlists -## 9) Verify active protections after transfer +## 9) Verify active protections Run the verification script with a repo-admin token: diff --git a/.gitignore b/.gitignore index a7b5dcf..97cd791 100644 --- a/.gitignore +++ b/.gitignore @@ -21,8 +21,6 @@ dist-ssr supersim-logs/ # Editor directories and files -.vscode/* -!.vscode/extensions.json .idea .DS_Store *.suo diff --git a/scripts/github/posttransfer-bootstrap.sh b/scripts/github/posttransfer-bootstrap.sh deleted file mode 100755 index cc11b4d..0000000 --- a/scripts/github/posttransfer-bootstrap.sh +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -# Post-transfer bootstrap: -# 1) apply governance protections -# 2) verify protections are active -# -# Required env: -# GH_PAT= -# Optional: -# GH_REPO=owner/repo - -if [[ -z "${GH_PAT:-}" ]]; then - echo "GH_PAT is required" >&2 - exit 1 -fi - -ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)" -cd "$ROOT_DIR" - -echo "[posttransfer] applying governance protections" -./scripts/github/apply-governance.sh - -echo "[posttransfer] verifying governance protections" -./scripts/github/verify-governance.sh - -echo "[posttransfer] SUCCESS: governance baseline applied and verified" diff --git a/scripts/github/pretransfer-readiness.sh b/scripts/github/pretransfer-readiness.sh deleted file mode 100755 index ab6bce8..0000000 --- a/scripts/github/pretransfer-readiness.sh +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -# Pre-transfer readiness checks for org migration. -# Required env: -# GH_PAT= -# Optional: -# GH_REPO=owner/repo (inferred from origin) - -require_cmd() { command -v "$1" >/dev/null 2>&1 || { - echo "$1 is required" >&2 - exit 1 -}; } -require_cmd curl -require_cmd jq -require_cmd git - -if [[ -z "${GH_PAT:-}" ]]; then - echo "GH_PAT is required" >&2 - exit 1 -fi - -infer_repo_from_remote() { - local remote - remote="$(git remote get-url origin)" - if [[ "$remote" =~ ^git@github.com:([^/]+/[^/]+)(\.git)?$ ]]; then - echo "${BASH_REMATCH[1]}" - return - fi - if [[ "$remote" =~ ^https://github.com/([^/]+/[^/]+)(\.git)?$ ]]; then - echo "${BASH_REMATCH[1]}" - return - fi - echo "Could not infer GH_REPO from origin: $remote" >&2 - exit 1 -} - -GH_REPO="${GH_REPO:-$(infer_repo_from_remote)}" -owner="${GH_REPO%%/*}" -repo="${GH_REPO##*/}" -api="https://api.github.com/repos/${owner}/${repo}" -auth_headers=(-H "Authorization: Bearer ${GH_PAT}" -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28") - -echo "[pretransfer] repo=${GH_REPO}" - -# Basic repo access check -curl -sS "${auth_headers[@]}" "${api}" | jq -e '.full_name != null' >/dev/null - -echo "[pretransfer] checking required workflow files" -required_workflows=( - ".github/workflows/codeql.yml" - ".github/workflows/secrets-scan.yml" - ".github/workflows/governance-verify.yml" - ".github/workflows/contracts-release-gate-container.yml" -) -for wf in "${required_workflows[@]}"; do - if [[ ! -f "$wf" ]]; then - echo " FAIL: missing workflow file: $wf" >&2 - exit 1 - fi - echo " PASS: $wf" -done - -echo "[pretransfer] checking required repo secret names for post-transfer workflows" -secrets_json="$(curl -sS "${auth_headers[@]}" "${api}/actions/secrets")" -for s in GOVERNANCE_VERIFY_PAT; do - if jq -e --arg n "$s" '.secrets[]?.name | select(. 
== $n)' <<<"$secrets_json" >/dev/null; then - echo " PASS: secret exists: $s" - else - echo " WARN: secret missing (add after transfer if needed): $s" - fi -done - -echo "[pretransfer] done" From 4684af83a2a4c262782a48313c615581b7772d16 Mon Sep 17 00:00:00 2001 From: Iko Date: Thu, 21 May 2026 05:15:42 +0700 Subject: [PATCH 4/8] docs: add KI-9 for circuits transitive dependency vulnerabilities Document the elliptic, ws, and underscore vulnerabilities in circuits/ as accepted risks (local dev tooling only, no production exposure). Include a concrete resolution path: replace circomlibjs with poseidon-lite or @zk-kit/poseidon-cipher before mainnet promotion to eliminate the ethers@5 dependency chain entirely. --- docs/KNOWN_ISSUES.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/KNOWN_ISSUES.md b/docs/KNOWN_ISSUES.md index fbbccc1..b0f7e7d 100644 --- a/docs/KNOWN_ISSUES.md +++ b/docs/KNOWN_ISSUES.md 
@@ -100,3 +100,17 @@ This document lists known limitations and intentional design decisions that audi **Required before mainnet:** Monitor `MARKPool` size on every change. If the margin drops below ~100 bytes, extract logic (e.g. bridge-out, fee policy, or root management) into a separate contract. **Accepted for now because:** The pool domain is pre-production. The settlement layer (which does not use `MARKPool`) is unaffected and can proceed to testnet independently. + +--- + +## KI-9: Vulnerable transitive dependencies in circuits/ dev tooling + +**Scope:** `circuits/` — local trusted-setup and witness-test tooling only + +**Description:** `circomlibjs >= 0.1.0` depends on `ethers@5`, which pulls in `elliptic <= 6.6.1` (faulty ECDSA signatures, potential key exposure — GHSA-848j-6mx2-7j84) and `ws 8.0.0–8.20.0` (uninitialized memory disclosure — GHSA-58qx-3vcg-4xpx). No non-breaking fix is available: the only upstream resolution (`npm audit fix --force`) downgrades `circomlibjs` to `0.0.8`, which is incompatible with Node 22/24 and breaks `buildPoseidon`. + +**Impact:** None — `circuits/` is local developer tooling. It is never deployed, never handles user input, and never runs in CI with untrusted data. The `elliptic` key-exposure vector requires an attacker to obtain both a faulty and a correct signature for the same inputs, which is not possible in this context. + +**Accepted because:** No upstream fix is available without a breaking change. The packages are scoped to local trusted-setup (`setup.mjs`) and witness tests (`npm test`). Resolution is blocked on `circomlibjs` releasing a version that drops the `ethers@5` dependency. + +**Resolution path:** Replace `circomlibjs` with a lightweight Poseidon library that has no `ethers` dependency, such as `poseidon-lite` or `@zk-kit/poseidon-cipher`. Both provide `buildPoseidon`-equivalent functionality without pulling in `ethers@5`. 
Before switching, verify the Poseidon implementation produces identical field outputs to what `MARKPool.circom` expects — run the full witness test suite (`npm test` in `circuits/`) to confirm. Target this before mainnet promotion. From 079fbf28f3e5180e287aa9ef600369d6c33e85a5 Mon Sep 17 00:00:00 2001 From: Iko Date: Thu, 21 May 2026 05:16:14 +0700 Subject: [PATCH 5/8] fix(ci): add shfmt checksum verification in scripts-ci workflow Download shfmt to /tmp, verify SHA256 against the official checksum from sha256sums.txt before installing, preventing tampered binary execution if the release URL were compromised. Checksum: 1f57a384d59542f8fac5f503da1f3ea44242f46dff969569e80b524d64b71dbc Version: shfmt v3.10.0 linux/amd64 --- .github/workflows/scripts-ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scripts-ci.yml b/.github/workflows/scripts-ci.yml index 37b59b6..5e6c920 100644 --- a/.github/workflows/scripts-ci.yml +++ b/.github/workflows/scripts-ci.yml @@ -40,7 +40,9 @@ jobs: - name: Install shfmt run: | curl -sSL https://github.com/mvdan/sh/releases/download/v3.10.0/shfmt_v3.10.0_linux_amd64 \ - -o /usr/local/bin/shfmt && chmod +x /usr/local/bin/shfmt + -o /tmp/shfmt + echo '1f57a384d59542f8fac5f503da1f3ea44242f46dff969569e80b524d64b71dbc /tmp/shfmt' | sha256sum -c - + install -m 755 /tmp/shfmt /usr/local/bin/shfmt shfmt --version - name: Check shell formatting From 216d8b79292a13c50c4f3a34ecf016b967d3dbae Mon Sep 17 00:00:00 2001 From: Iko Date: Thu, 21 May 2026 06:06:31 +0700 Subject: [PATCH 6/8] fix(ci): correct BRANCHING.md path in governance policy validator The script was reading BRANCHING.md from the repo root but the file lives at docs/BRANCHING.md. This caused FileNotFoundError on every run of the governance-policy-guard workflow. --- scripts/ci/validate-governance-policy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
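Review bot: The version string appears twice in the URL and the checksum sits on a separate line with nothing tying them together, so a future bump that updates the URL but not the hash (or vice versa) fails in a confusing way, and nothing records where the hash came from. Hoisting both into step-level `env:` with a comment pointing at the release's `sha256sums.txt` keeps the pin self-describing. `curl -sSL` without `--fail` writes an HTML error page to `/tmp/shfmt` on a 404 or throttled response, which the checksum then reports as a mismatch rather than a download failure; `-f` makes the failure mode clear. The canonical `sha256sum -c` line format is hash, two spaces, path.
```yaml
- name: Install shfmt
  env:
    SHFMT_VERSION: 'v3.10.0'
    # Taken from the sha256sums.txt asset of the pinned release; bump both together.
    SHFMT_SHA256: '1f57a384d59542f8fac5f503da1f3ea44242f46dff969569e80b524d64b71dbc'
  run: |
    curl -fsSL "https://github.com/mvdan/sh/releases/download/${SHFMT_VERSION}/shfmt_${SHFMT_VERSION}_linux_amd64" \
      -o /tmp/shfmt
    echo "${SHFMT_SHA256}  /tmp/shfmt" | sha256sum -c -
    install -m 755 /tmp/shfmt /usr/local/bin/shfmt
    shfmt --version
```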
diff --git a/scripts/ci/validate-governance-policy.sh b/scripts/ci/validate-governance-policy.sh index 92cbee8..215f82d 100644 --- a/scripts/ci/validate-governance-policy.sh +++ b/scripts/ci/validate-governance-policy.sh @@ -10,7 +10,7 @@ import re import sys apply_governance = Path("scripts/github/apply-governance.sh").read_text() -branching = Path("BRANCHING.md").read_text() +branching = Path("docs/BRANCHING.md").read_text() checklist = Path(".github/PRODUCTION_GOVERNANCE_CHECKLIST.md").read_text() From ccfda2c9ae4ffbba4668518fa475f1f1f9c46f66 Mon Sep 17 00:00:00 2001 From: Iko Date: Thu, 21 May 2026 06:19:28 +0700 Subject: [PATCH 7/8] fix(config): correct CodeRabbit configuration - profile: chill -> assertive (matches guidelines) - request_changes_workflow: false -> true (blocks merge on findings) - high_level_summary: false -> true (useful PR context) - Remove 'style' and 'chore' from ignore_title_keywords (prevented review of security-relevant PRs with those prefixes) - Add contracts/test/**/*.sol to path_filters and path_instructions - Add circuits/**/*.circom to path_filters (was in instructions but never included in review scope) - Add filePatterns to knowledge_base.code_guidelines --- .coderabbit.yaml | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/.coderabbit.yaml b/.coderabbit.yaml index 6f073a3..0a48cf4 100644 --- a/.coderabbit.yaml +++ b/.coderabbit.yaml @@ -3,9 +3,9 @@ language: 'en-US' early_access: false reviews: - profile: 'chill' - request_changes_workflow: false - high_level_summary: false + profile: 'assertive' + request_changes_workflow: true + high_level_summary: true review_status: true collapse_walkthrough: true auto_review: 
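Review bot: `Path("docs/BRANCHING.md")` is still resolved against the process working directory, so the fix only holds when the script is invoked from the repository root; the enclosing script and the heredoc this Python lives in begin outside the hunk, and nothing visible here pins the cwd. Anchoring to the repo root — `cd "$(git rev-parse --show-toplevel)"` before the embedded Python starts, or deriving the three `Path`s from one root computed up front — removes that dependence for every caller. The description says the guard raised `FileNotFoundError` on every run, which implies the governance-policy-guard workflow was either not a required status check or its failures went unnoticed; either way it is worth confirming in branch protection that the job is required, otherwise the guard enforces nothing.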
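Review bot: `request_changes_workflow: true` together with `profile: 'assertive'` makes CodeRabbit's findings block merges, which is only meaningful if the review is also required in branch protection — and if it is, an LLM reviewer becomes a merge gate that a PR author can steer through the content it reads (commit messages, comments, string literals). Keep a human approval required independently of the bot's verdict rather than treating its request-changes as a substitute. A comment next to the setting would record the intent for the next person who flips it: `# Blocks merge on findings; human review in branch protection remains the authoritative gate.`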
@@ -14,15 +14,14 @@ reviews: ignore_title_keywords: - 'WIP' - 'DO NOT REVIEW' - - 'style' - - 'chore' path_filters: - '!**/.nvmrc' - '!**/pnpm-lock.yaml' - '!**/package-lock.json' - - '!**/pnpm-lock.yaml' - 'contracts/src/**/*.sol' - 'contracts/script/**/*.sol' + - 'contracts/test/**/*.sol' + - 'circuits/**/*.circom' - '.github/workflows/**' - '**/*.md' - '**/*.yml' @@ -34,14 +33,20 @@ reviews: Focus only on: security vulnerabilities, reentrancy, CEI violations, access control issues, integer overflow/underflow, and incorrect error handling. Skip style, naming, and minor readability suggestions. + - path: 'contracts/test/**/*.sol' + instructions: | + Focus only on: missing test cases for security-critical paths, incorrect + assertions that would pass on a broken implementation, and missing invariant + checks. Skip style suggestions. - path: 'circuits/**/*.circom' instructions: | Focus only on: constraint soundness, missing range checks, and signal assignment correctness. Skip style suggestions. - path: '.github/workflows/**' instructions: | - Focus only on: secret exposure, injection vulnerabilities, and - missing branch enforcement. Skip style suggestions. + Focus only on: secret exposure, injection vulnerabilities, unpinned action + versions, missing permissions scoping, and missing branch enforcement. + Skip style suggestions. - path: '**/*.md' instructions: | Focus on: broken links, incorrect commands, version mismatches, @@ -61,3 +66,7 @@ chat: knowledge_base: code_guidelines: enabled: true + filePatterns: + - 'docs/CONTRIBUTING.md' + - 'docs/ARCHITECTURE.md' + - 'contracts/ARCHITECTURE.md' From fd1ab483d965796e18dfcdbc5bfa7c492eff566f Mon Sep 17 00:00:00 2001 
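Review bot: The positive globs in `path_filters` now define the review scope, and two classes of security-relevant files fall outside it: the governance shell scripts under `scripts/github/` and `scripts/ci/` that other patches in this series touch, and `*.yaml` files — `'**/*.yml'` does not match `.coderabbit.yaml`, so a PR that relaxes this configuration is not reviewed by the tool it configures. If CodeRabbit's semantics are as this list assumes (positive patterns restrict, `!` patterns exclude), adding `- 'scripts/**/*.sh'` and `- '**/*.yaml'` closes both gaps. The `.github/workflows/**` instructions now name unpinned actions and permissions scoping; `pull_request_target` with a checkout of the PR head is the other common workflow injection pattern worth naming explicitly there.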
From: Iko Date: Thu, 21 May 2026 06:31:33 +0700 Subject: [PATCH 8/8] fix(config): skip CodeRabbit review on bot PRs and correct config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add ignore_authors for dependabot[bot] and github-actions[bot] — automated PRs do not benefit from AI code review. --- .coderabbit.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.coderabbit.yaml b/.coderabbit.yaml index 0a48cf4..4ca90b0 100644 --- a/.coderabbit.yaml +++ b/.coderabbit.yaml @@ -14,6 +14,9 @@ reviews: ignore_title_keywords: - 'WIP' - 'DO NOT REVIEW' + ignore_authors: + - 'dependabot[bot]' + - 'github-actions[bot]' path_filters: - '!**/.nvmrc' - '!**/pnpm-lock.yaml'
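Review bot: `ignore_authors` skips `dependabot[bot]`, but the one in-scope change Dependabot makes — action version bumps under `.github/workflows/**`, which `path_filters` includes — is exactly where review adds value (tag versus commit-SHA pins, new permissions, a changed upstream). Lockfiles are already excluded and `package.json` is not in the positive filters, so this entry only removes coverage that mattered; consider keeping `dependabot[bot]` reviewable and ignoring only `github-actions[bot]`. Note too that anything authored with `GITHUB_TOKEN` appears as `github-actions[bot]`, so a compromised or misconfigured workflow that opens PRs bypasses the bot review by construction; human approval for bot-authored PRs must remain required in branch protection.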