fix: security hardening and documentation improvements

.coderabbit.yaml

@@ -5,15 +5,24 @@ early_access: false
 reviews:
   profile: 'chill'
   request_changes_workflow: false
-  high_level_summary: true
+  high_level_summary: false
   review_status: true
   collapse_walkthrough: true
   auto_review:
     enabled: true
     drafts: false
+    ignore_title_keywords:
+      - 'WIP'
+      - 'DO NOT REVIEW'
+      - 'style'
+      - 'chore'
   path_filters:
     - '!**/.nvmrc'
     - '!**/pnpm-lock.yaml'
+    - '!**/package-lock.json'
+    - '!**/pnpm-lock.yaml'
+    - 'contracts/src/**/*.sol'
+    - 'contracts/script/**/*.sol'
     - '.github/workflows/**'
     - '**/*.md'
     - '**/*.yml'

.github/PRODUCTION_GOVERNANCE_CHECKLIST.md

@@ -135,7 +135,7 @@ What this script applies:
 - optional production required reviewers by user ID
 - optional direct-push restrictions via `*_PUSH_ALLOW_*` allowlists
 
-## 9) Verify active protections after transfer
+## 9) Verify active protections
 
 Run the verification script with a repo-admin token:
 

.github/workflows/scripts-ci.yml

@@ -40,7 +40,9 @@ jobs:
       - name: Install shfmt
         run: |
           curl -sSL https://github.com/mvdan/sh/releases/download/v3.10.0/shfmt_v3.10.0_linux_amd64 \
-            -o /usr/local/bin/shfmt && chmod +x /usr/local/bin/shfmt
+            -o /tmp/shfmt
+          echo '1f57a384d59542f8fac5f503da1f3ea44242f46dff969569e80b524d64b71dbc  /tmp/shfmt' | sha256sum -c -
+          install -m 755 /tmp/shfmt /usr/local/bin/shfmt
           shfmt --version
 
       - name: Check shell formatting

.gitignore

@@ -21,8 +21,6 @@ dist-ssr
 supersim-logs/
 
 # Editor directories and files
-.vscode/*
-!.vscode/extensions.json
 .idea
 .DS_Store
 *.suo

contracts/config/profiles/staging.env

@@ -12,8 +12,9 @@
 # MARK_STAGING_DEPLOYER_PRIVATE_KEY GitHub secret. For local rehearsal
 # runs, export PRIVATE_KEY before sourcing this file.
 
-# Use a private RPC endpoint (Alchemy/Infura/QuickNode) to avoid public rate limits.
-RPC_URL=https://sepolia.optimism.io
+# Set RPC_URL to a private endpoint (Alchemy/Infura/QuickNode) to avoid public rate limits.
+# In CI this is injected from the MARK_STAGING_RPC_URL GitHub secret.
+RPC_URL=${MARK_STAGING_RPC_URL:-https://sepolia.optimism.io}
 
 # Owner address (hardware wallet — address only, never the key).
 MARK_RYLA_OWNER=0x0000000000000000000000000000000000000000

docs/KNOWN_ISSUES.md

@@ -100,3 +100,17 @@ This document lists known limitations and intentional design decisions that audi
 **Required before mainnet:** Monitor `MARKPool` size on every change. If the margin drops below ~100 bytes, extract logic (e.g. bridge-out, fee policy, or root management) into a separate contract.
 
 **Accepted for now because:** The pool domain is pre-production. The settlement layer (which does not use `MARKPool`) is unaffected and can proceed to testnet independently.
+
+---
+
+## KI-9: Vulnerable transitive dependencies in circuits/ dev tooling
+
+**Scope:** `circuits/` — local trusted-setup and witness-test tooling only
+
+**Description:** `circomlibjs >= 0.1.0` depends on `ethers@5`, which pulls in `elliptic <= 6.6.1` (faulty ECDSA signatures, potential key exposure — GHSA-848j-6mx2-7j84) and `ws 8.0.0–8.20.0` (uninitialized memory disclosure — GHSA-58qx-3vcg-4xpx). No non-breaking fix is available: the only upstream resolution (`npm audit fix --force`) downgrades `circomlibjs` to `0.0.8`, which is incompatible with Node 22/24 and breaks `buildPoseidon`.
+
+**Impact:** None — `circuits/` is local developer tooling. It is never deployed, never handles user input, and never runs in CI with untrusted data. The `elliptic` key-exposure vector requires an attacker to obtain both a faulty and a correct signature for the same inputs, which is not possible in this context.
+
+**Accepted because:** No upstream fix is available without a breaking change. The packages are scoped to local trusted-setup (`setup.mjs`) and witness tests (`npm test`). Resolution is blocked on `circomlibjs` releasing a version that drops the `ethers@5` dependency.
+
+**Resolution path:** Replace `circomlibjs` with a lightweight Poseidon library that has no `ethers` dependency, such as `poseidon-lite` or `@zk-kit/poseidon-cipher`. Both provide `buildPoseidon`-equivalent functionality without pulling in `ethers@5`. Before switching, verify the Poseidon implementation produces identical field outputs to what `MARKPool.circom` expects — run the full witness test suite (`npm test` in `circuits/`) to confirm. Target this before mainnet promotion.