chore: promote dev to canary

.coderabbit.yaml

@@ -3,8 +3,8 @@ language: "en-US"
 early_access: false
 
 reviews:
-  profile: "chill"
-  request_changes_workflow: false
+  profile: "assertive"
+  request_changes_workflow: true
   high_level_summary: true
   review_status: true
   collapse_walkthrough: false

.github/CODEOWNERS

@@ -1,14 +1,45 @@
-# Global default owner
-* @iap
+# Format: <path> @owner
+# Paths are matched top-to-bottom; first match wins.
 
-# Protocol-critical scope
-/contracts/src/** @iap
-/contracts/script/** @iap
-/contracts/test/** @iap
-/contracts/RUNBOOK.md @iap
-/contracts/README.md @iap
+* @trade/maintainers
+
+# Contracts
+
+/contracts/src/** @trade/maintainers
+/contracts/test/** @trade/maintainers
+/contracts/script/** @trade/maintainers
+/contracts/foundry.toml @trade/maintainers
+/contracts/Makefile @trade/maintainers
+/contracts/RUNBOOK.md @trade/maintainers
+/contracts/README.md @trade/maintainers
 
 # CI and governance
-/.github/workflows/** @iap
-/.github/PRODUCTION_GOVERNANCE_CHECKLIST.md @iap
-/BRANCHING.md @iap
+
+/.github/workflows/** @trade/maintainers
+/.github/PRODUCTION_GOVERNANCE_CHECKLIST.md @trade/maintainers
+/.github/CODEOWNERS @trade/maintainers
+/BRANCHING.md @trade/maintainers
+/CONTRIBUTING.md @trade/maintainers
+
+# Frontend
+
+/src/** @trade/maintainers
+/index.html @trade/maintainers
+
+# Configuration and build
+
+/package.json @trade/maintainers
+/pnpm-lock.yaml @trade/maintainers
+/tsconfig*.json @trade/maintainers
+/vite.config.ts @trade/maintainers
+/eslint.config.js @trade/maintainers
+/.prettierrc.json @trade/maintainers
+/mprocs.yaml @trade/maintainers
+/remappings.txt @trade/maintainers
+
+# Documentation
+
+/README.md @trade/maintainers
+/DEPLOYMENT.md @trade/maintainers
+/TROUBLESHOOTING.md @trade/maintainers
+/LICENSE @trade/maintainers

.github/PRODUCTION_GOVERNANCE_CHECKLIST.md

@@ -12,12 +12,24 @@ GitHub path: `Settings -> Branches -> Add branch protection rule`
 - Enable `Dismiss stale pull request approvals when new commits are pushed`
 - Enable `Require status checks to pass before merging`
 - Add required checks:
+  - `Analyze (javascript-typescript)`
+  - `gitleaks / Gitleaks Scan`
+  - `Detect Secrets Drift`
+  - `Release Gate Container`
+  - `Dependency Review`
   - `Contracts Unit + Invariant`
   - `Contracts Release Check (Dry-Run + Execute Smoke)`
-  - `Slither Core Contracts`
-  - `Secrets Drift Guard`
+  - `Contracts Production Mode Smoke`
+  - `slither-core / Slither Core Contracts`
+  - `frontend-checks / Frontend Checks (Node 20)`
+  - `frontend-checks / Frontend Checks (Node 22)`
   - `Validate Release PR Checklist`
   - `Validate Release Evidence`
+- Optional additional checks (recommended but not globally required):
+  - `Contracts Unit + Invariant`
+  - `Contracts Env Guard`
+  - `Contracts Evidence Manifest`
+  - `Governance Policy Guard`
 - Governance policy PR rule:
   - If PR changes `scripts/github/apply-governance.sh`, `BRANCHING.md`, or this checklist, ensure `Validate Governance Policy Consistency` passes before merge.
 - Enable `Require branches to be up to date before merging`
@@ -34,10 +46,21 @@ GitHub path: `Settings -> Branches -> Add branch protection rule`
 - Enable `Dismiss stale pull request approvals when new commits are pushed`
 - Enable `Require status checks to pass before merging`
 - Add required checks:
+  - `Analyze (javascript-typescript)`
+  - `gitleaks / Gitleaks Scan`
+  - `Detect Secrets Drift`
+  - `Release Gate Container`
+  - `Dependency Review`
   - `Contracts Unit + Invariant`
   - `Contracts Release Check (Dry-Run + Execute Smoke)`
-  - `Slither Core Contracts`
-  - `Secrets Drift Guard`
+  - `Contracts Production Mode Smoke`
+  - `slither-core / Slither Core Contracts`
+  - `frontend-checks / Frontend Checks (Node 20)`
+  - `frontend-checks / Frontend Checks (Node 22)`
+- Optional additional checks (recommended but not globally required):
+  - `Contracts Unit + Invariant`
+  - `Contracts Env Guard`
+  - `Governance Policy Guard`
 - Governance policy PR rule:
   - If PR changes `scripts/github/apply-governance.sh`, `BRANCHING.md`, or this checklist, ensure `Validate Governance Policy Consistency` passes before merge.
 - Enable `Require branches to be up to date before merging`
@@ -50,10 +73,21 @@ GitHub path: `Settings -> Branches -> Add branch protection rule`
 - Enable `Require a pull request before merging`
 - Enable `Require status checks to pass before merging`
 - Add required checks:
+  - `Analyze (javascript-typescript)`
+  - `gitleaks / Gitleaks Scan`
+  - `Detect Secrets Drift`
+  - `Release Gate Container`
+  - `Dependency Review`
   - `Contracts Unit + Invariant`
   - `Contracts Release Check (Dry-Run + Execute Smoke)`
-  - `Slither Core Contracts`
-  - `Secrets Drift Guard`
+  - `Contracts Production Mode Smoke`
+  - `slither-core / Slither Core Contracts`
+  - `frontend-checks / Frontend Checks (Node 20)`
+  - `frontend-checks / Frontend Checks (Node 22)`
+- Optional additional checks (recommended but not globally required):
+  - `Contracts Unit + Invariant`
+  - `Contracts Env Guard`
+  - `Governance Policy Guard`
 - Governance policy PR rule:
   - If PR changes `scripts/github/apply-governance.sh`, `BRANCHING.md`, or this checklist, ensure `Validate Governance Policy Consistency` passes before merge.
 - Choose one model:
@@ -111,7 +145,7 @@ You can apply most settings via script:
 cd /path/to/mark
 export GH_PAT=<github_token_with_repo_admin_scope>
 # optional:
-# export GH_REPO=iap/mark
+# export GH_REPO=trade/mark
 # export MAIN_REVIEW_COUNT=2
 # export DEV_REVIEW_COUNT=1
 # export MAIN_PUSH_ALLOW_USERS=iap
@@ -129,3 +163,17 @@ What this script applies:
 - `production` environment creation
 - optional production required reviewers by user ID
 - optional direct-push restrictions via `*_PUSH_ALLOW_*` allowlists
+
+
+## 9) Verify active protections after transfer
+
+Run the verification script with a repo-admin token:
+
+```bash
+cd /path/to/mark
+export GH_PAT=<github_token_with_repo_admin_scope>
+# optional: export GH_REPO=your-org/mark
+./scripts/github/verify-governance.sh
+```
+
+Expected output: all three branches (`dev`, `canary`, `main`) report `PASS` and required checks include CodeQL (`Analyze (javascript-typescript)`), `gitleaks / Gitleaks Scan`, and `Dependency Review`.

.github/PULL_REQUEST_TEMPLATE/release.md

@@ -12,7 +12,13 @@ Use this template only for production candidate merges.
 
 - [ ] `Contracts Unit + Invariant` CI passed
 - [ ] `Contracts Release Check (Dry-Run + Execute Smoke)` CI passed
+- [ ] `Contracts Production Mode Smoke` CI passed
 - [ ] `Slither Core Contracts` CI passed
+- [ ] `Analyze (javascript-typescript)` CI passed
+- [ ] `Gitleaks Scan` CI passed
+- [ ] `Dependency Review` CI passed
+- [ ] `Frontend Checks (Node 20)` CI passed
+- [ ] `Frontend Checks (Node 22)` CI passed
 - [ ] `Contracts Mainnet Readiness` run from `main` branch
 - [ ] Readiness artifact uploaded and reviewed
 - [ ] Verify output reviewed (role/config expectations)
@@ -27,6 +33,16 @@ Evidence links/values:
 - [ ] Security reviewer approval
 - [ ] Deployment operator approval
 
+## Staging Go/No-Go (Pre-Mainnet)
+
+Reference: `contracts/STAGING_GO_NO_GO_CHECKLIST.md`
+
+- [ ] Staging rehearsal workflow succeeded (`contracts-staging-rehearsal.yml`)
+- [ ] Production-lock verify succeeded (`contracts-production-lock-verify.yml`)
+- [ ] Staging evidence artifacts reviewed (`mark-staging-release`, `mark-staging-rehearsal`, `mark-production-lock-verify`)
+- [ ] Freshness and lineage policy passed (`contracts-promotion-checklist.yml`)
+- [ ] Final Go/No-Go decision documented with links
+
 ## Deployment Inputs
 
 - RPC target:

.github/actions/setup-foundry/action.yml

@@ -0,0 +1,16 @@
+name: Setup Foundry
+
+description: Install pinned Foundry toolchain used by repository workflows.
+
+inputs:
+  foundry-version:
+    description: Foundry version (for example 1.5.0 or nightly-<commit>)
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Foundry
+      uses: foundry-rs/foundry-toolchain@v1
+      with:
+        version: ${{ inputs.foundry-version }}

.github/actions/setup-node-pnpm/action.yml

@@ -0,0 +1,28 @@
+name: Setup Node + pnpm
+
+description: Setup Node.js and activate a pinned pnpm version via corepack.
+
+inputs:
+  node-version:
+    description: Node.js version
+    required: true
+  pnpm-version:
+    description: pnpm version to activate via corepack
+    required: false
+    default: "9.0.2"
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v6
+      with:
+        node-version: ${{ inputs.node-version }}
+        package-manager-cache: false
+
+    - name: Setup pnpm (corepack)
+      shell: bash
+      run: |
+        corepack enable
+        corepack prepare pnpm@${{ inputs.pnpm-version }} --activate
+        pnpm --version

.github/dependabot.yml

@@ -2,12 +2,13 @@ version: 2
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
+    target-branch: "dev"
     schedule:
       interval: "weekly"
       day: "monday"
       time: "03:00"
       timezone: "UTC"
-    open-pull-requests-limit: 10
+    open-pull-requests-limit: 5
     labels:
       - "dependencies"
       - "ci"
@@ -16,19 +17,33 @@ updates:
 
   - package-ecosystem: "npm"
     directory: "/"
+    target-branch: "dev"
     schedule:
       interval: "weekly"
       day: "monday"
       time: "03:30"
       timezone: "UTC"
-    open-pull-requests-limit: 10
+    open-pull-requests-limit: 8
     labels:
       - "dependencies"
       - "frontend"
+      - "security"
+    allow:
+      - dependency-type: "direct"
+      - dependency-type: "indirect"
     groups:
       frontend-minor-patch:
         update-types:
           - "minor"
           - "patch"
     commit-message:
       prefix: "chore(deps)"
+    ignore:
+      # Transitive deps from @eth-optimism/super-cli (dev/deploy tool, not runtime).
+      # No upstream fix available — re-evaluate when super-cli bumps these packages.
+      - dependency-name: "@hono/node-server"
+        versions: ["<= 1.13.8"]
+      - dependency-name: "drizzle-orm"
+        versions: ["<= 0.38.1"]
+      - dependency-name: "@stablelib/ed25519"
+        versions: ["<= 1.0.3"]

.github/workflows/_reusable-contracts-slither.yml

@@ -0,0 +1,51 @@
+name: Reusable Contracts Slither
+
+on:
+  workflow_call:
+    inputs:
+      foundry_version:
+        description: Foundry version used for Slither compile path
+        required: false
+        default: "1.5.0"
+        type: string
+
+jobs:
+  slither-core:
+    name: Slither Core Contracts
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Setup Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+
+      - name: Install Slither
+        run: pip install slither-analyzer==0.11.5
+
+      - name: Setup Foundry
+        uses: ./.github/actions/setup-foundry
+        with:
+          foundry-version: ${{ inputs.foundry_version }}
+
+      - name: Run Slither on MARK core contracts
+        working-directory: contracts
+        run: |
+          for target in \
+            src/token/RYLA.sol \
+            src/bridge/MARKBridgeAdapter.sol \
+            src/settlement/MARKSettlementModule.sol \
+            src/settlement/verifier/AttestedSettlementVerifier.sol
+          do
+            slither "$target" \
+              --solc-remaps "@interop-lib/=lib/interop-lib/src/ @openzeppelin/=lib/createx/lib/openzeppelin-contracts/" \
+              --exclude-dependencies \
+              --exclude "naming-convention,timestamp,arbitrary-send-erc20,reentrancy-balance,reentrancy-benign" \
+              --filter-paths "lib|test|script|out|cache" \
+              --fail-medium
+          done

.github/workflows/_reusable-frontend-checks.yml

@@ -0,0 +1,48 @@
+name: Reusable Frontend Checks
+
+on:
+  workflow_call:
+    inputs:
+      node_versions:
+        description: JSON array of Node versions
+        required: false
+        default: '["20","22"]'
+        type: string
+      pnpm_version:
+        description: pnpm version used by corepack
+        required: false
+        default: "9.0.2"
+        type: string
+
+jobs:
+  frontend-checks:
+    name: Frontend Checks (Node ${{ matrix.node }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node: ${{ fromJSON(inputs.node_versions) }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Setup Node + pnpm
+        uses: ./.github/actions/setup-node-pnpm
+        with:
+          node-version: ${{ matrix.node }}
+          pnpm-version: ${{ inputs.pnpm_version }}
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Typecheck
+        run: pnpm -s typecheck
+
+      - name: Lint
+        run: pnpm -s lint
+
+      - name: Build frontend
+        run: pnpm -s build:frontend