Merge branch 'main' into new-observability

.github/workflows/ci.yaml

@@ -79,8 +79,8 @@ jobs:
     uses: ./.github/workflows/contracts-storage.yaml
     needs: [contracts-prettier]
 
-  contracts-npm-audit:
-    uses: ./.github/workflows/contracts-npm-audit.yaml
+  contracts-pnpm-audit:
+    uses: ./.github/workflows/contracts-pnpm-audit.yaml
     needs: [contracts-prettier]
 
   contracts-sast:

.github/workflows/contracts-npm-audit.yaml → .github/workflows/contracts-pnpm-audit.yaml

@@ -5,8 +5,8 @@ on:
   workflow_call:
 
 jobs:
-  npm-audit:
-    name: NPM Audit
+  pnpm-audit:
+    name: pnpm audit
     runs-on: ubuntu-latest
     if: ${{ !github.event.pull_request.draft }}
     steps:

.github/workflows/contracts-sast.yaml

@@ -41,8 +41,19 @@ jobs:
       - name: Install aderyn
         run: cargo install aderyn
 
+      - name: Make deps
+        run: cd contracts && make deps
+
+      # We need a normal npm install because pnpm hoists node_modules and creates symlinks.
+      # Aderyn performs local compilation calling solc directly. Solc requires the target of symlinks to be whitelisted
+      # in allowed-paths. Unfortunately, Aderyn doesn't support passing in allowed-paths, nor does it pick them up from
+      # Foundry config. I also wasn't able to mimic a standard node_modules layout with pnpm, after trying various
+      # hoisting and linking settings. So we bite the bullet and perform an ordinary npm install to make Aderyn happy.
+      - name: Force an ordinary npm install
+        run: cd contracts && rm -rf node_modules && npm install
+
       - name: Run aderyn
-        run: cd contracts && make deps && aderyn ./ -o report.json
+        run: aderyn ./ -o report.json
 
       - name: Check results
         run: cd contracts && ./tools/check_aderyn.sh

.github/workflows/lint-pr.yaml

@@ -0,0 +1,51 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+permissions:
+  pull-requests: read
+
+jobs:
+  main:
+    name: Validate PR follows Conventional Commits
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          ## A non-comprehensive list of scopes. Scope is not required, but strongly encouraged, as it brings
+          ## structure to changelogs.
+          ## Note: releases are committed with "chore(release): <version or [module@version]> ".
+          scopes: |
+            actors
+            bottomup
+            cli
+            contracts
+            core
+            deps
+            docker
+            ext
+            extras
+            infra
+            ipld
+            misc
+            node
+            relayer
+            release
+            repo
+            scripts
+            specs
+            topdown
+          requireScope: false
+          subjectPattern: ^(?![A-Z]).+$
+          subjectPatternError: |
+            The subject "{subject}" found in the pull request title "{title}"
+            didn't match the configured pattern. Please ensure that the subject
+            doesn't start with an uppercase character.

CHANGELOG.md

@@ -0,0 +1,42 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [axon-r01] - 2024-07-15
+
+### Introducing Axon
+
+Hello World! It's early days for IPC. We are starting to enact a proper versioning and changelog practices. The framework will evolve rapidly in the next quarters, and it'll do so in major architectural milestones. With high probability, backwards compatibility between these milestones will **not** be preserved, requiring a manual migration to upgrade from one to the next. To cite a few such expected milestones: IPC modularization, consensus pluggability, Wasm-based client kernel.
+
+We introduce the notion of "product generations" to represent the lifetime of IPC under each of these major architectural iterations. Product generations are named alphabetically A-Z (we certainly don't expect more than 26 generations...) We've kept the naming universe deliberately broad: entities/concepts found in biological, mathematical, or computing networks.
+
+The first product generation is called **_Axon_**!
+
+![image](https://github.com/user-attachments/assets/7f9ac874-acdd-49d2-a409-995c55f6bfd4)
+
+Find more background on these choices / implications here: https://github.com/consensus-shipyard/ipc/issues/1012.
+
+### Axon r01
+
+This is the baseline release of the IPC framework. A variation of this release is powering the networks of Fluence and Basin. Throughout the Axon generation, we do not expect to release crates and therefore we're staying away from adopting semver, resorting instead to simple sequential revision numbers. We're aiming to cut/tag revisions and publish changelogs on a weekly basis, with some flexibility to account for work in progress landing smoothly.
+
+Axon r01 supports these major features (not a comprehensive list):
+
+- CometBFT/Ignite-based consensus (currently on v0.37 but with plans to upgrade to [v0.38](https://github.com/consensus-shipyard/ipc/pull/1004) / v1).
+- Wasm- and IPLD-based Filecoin Virtual Machine as an execution layer, supporting custom built-in Wasm actors, custom syscalls, custom gas price lists, and more.
+- Ethereum-compatible runtime and JSON-RPC API (quasi-Dencun level, missing [MCOPY](https://github.com/filecoin-project/FIPs/discussions/1025) support).
+- Validator membership: federated (proof of authority) and collateral-driven (basis for proof of stake).
+- Configurable supply source for subnets: either inheriting the parent root coin, or adopting an ERC20-compatible token for circulating supply / gas.
+- L2 subnet creation, with L3+ behind a feature flag until we harden message propagation, response paths, and fault scenarios.
+- Asynchronous general message passing across the IPC hierarchy, with result and return data delivery back to the caller.
+- Cross-linked security: checkpointing on the parent via the relayer, and committing parent's finality in the subnet.
+- Ability to permission and restrict contract deployment in subnets.
+- Upgradability: framework actors can be upgraded through contract upgrades, and subnet hard forks can be run with the UpgradeScheduler.
+- Validator management through the parent network.
+- Automatic chain snapshots, with ability to bootstrap from them.
+- Compatibility with the BlockScount explorer and Ethereum wallets out of the box.
+- ... and a lot more.
+
+### Join the conversation!
+
+Come ask your questions or give us feedback in the `#ipc` channel on [Filecoin Slack](https://filecoin.io/slack).

cliff.toml

@@ -0,0 +1,89 @@
+# git-cliff ~ default configuration file
+# https://git-cliff.org/docs/configuration
+#
+# Lines starting with "#" are comments.
+# Configuration options are organized into tables and keys.
+# See documentation for more information on available options.
+
+[changelog]
+# template for the changelog footer
+header = """
+# Changelog\n
+All notable changes to this project will be documented in this file.\n
+"""
+# template for the changelog body
+# https://keats.github.io/tera/docs/#introduction
+body = """
+{% if version %}\
+    ## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }}
+{% else %}\
+    ## [unreleased]
+{% endif %}\
+{% for group, commits in commits | group_by(attribute="group") %}
+    ### {{ group | striptags | trim | upper_first }}
+    {% for commit in commits %}
+        - {% if commit.scope %}*({{ commit.scope }})* {% endif %}\
+            {% if commit.breaking %}[**breaking**] {% endif %}\
+            {{ commit.message | upper_first }}\
+    {% endfor %}
+{% endfor %}\n
+"""
+# template for the changelog footer
+footer = """
+<!-- generated by git-cliff -->
+"""
+# remove the leading and trailing s
+trim = true
+# postprocessors
+postprocessors = [
+  # { pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" }, # replace repository URL
+]
+
+[git]
+# parse the commits based on https://www.conventionalcommits.org
+conventional_commits = true
+# filter out the commits that are not conventional
+filter_unconventional = true
+# process each line of a commit as an individual commit
+split_commits = false
+# regex for preprocessing the commit messages
+commit_preprocessors = [
+  # Replace issue numbers
+  #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
+  # Check spelling of the commit with https://github.com/crate-ci/typos
+  # If the spelling is incorrect, it will be automatically fixed.
+  #{ pattern = '.*', replace_command = 'typos --write-changes -' },
+]
+# regex for parsing and grouping commits
+commit_parsers = [
+  { message = "^feat", group = "<!-- 0 -->🚀 Features" },
+  { message = "^fix", group = "<!-- 1 -->🐛 Bug Fixes" },
+  { message = "^doc", group = "<!-- 3 -->📚 Documentation" },
+  { message = "^perf", group = "<!-- 4 -->⚡ Performance" },
+  { message = "^refactor", group = "<!-- 2 -->🚜 Refactor" },
+  { message = "^style", group = "<!-- 5 -->🎨 Styling" },
+  { message = "^test", group = "<!-- 6 -->🧪 Testing" },
+  { message = "^chore\\(release\\): prepare for", skip = true },
+  { message = "^chore\\(deps.*\\)", skip = true },
+  { message = "^chore\\(pr\\)", skip = true },
+  { message = "^chore\\(pull\\)", skip = true },
+  { message = "^chore|^ci", group = "<!-- 7 -->⚙️ Miscellaneous Tasks" },
+  { body = ".*security", group = "<!-- 8 -->🛡️ Security" },
+  { message = "^revert", group = "<!-- 9 -->◀️ Revert" },
+]
+# protect breaking changes from being skipped due to matching a skipping commit_parser
+protect_breaking_commits = false
+# filter out the commits that are not matched by commit parsers
+filter_commits = false
+# regex for matching git tags
+# tag_pattern = "v[0-9].*"
+# regex for skipping tags
+# skip_tags = ""
+# regex for ignoring tags
+# ignore_tags = ""
+# sort the tags topologically
+topo_order = false
+# sort the commits inside sections by oldest/newest order
+sort_commits = "oldest"
+# limit the number of commits included in the changelog.
+# limit_commits = 42

contracts/foundry.toml

@@ -15,6 +15,7 @@ memory_limit =  2147483648 # 2GB
 remappings = [
     "murky/=lib/murky/src/",
 ]
+allow_paths = ["../node_modules"]
 
 [fuzz]
 runs = 512

contracts/tools/check_aderyn.sh

@@ -1,57 +1,61 @@
-#!/usr/bin/env bash
-set -eux
-set -o pipefail
+#!/bin/sh
+set -eu
 
 # Path to the report file
 REPORT_FILE="./report.json"
 
 # List of severities that make us fail
-SEVERITIES=(critical high medium)
-
-# List of vulnerability titles to ignore
-IGNORE_TITLES=("Centralization Risk for trusted owners")
-
-# Specific vulnerabilities to ignore with path and line number
-declare -A IGNORE_SPECIFIC
-IGNORE_SPECIFIC["src/lib/LibDiamond.sol:204:Unprotected initializer"]=1
-IGNORE_SPECIFIC["src/lib/LibDiamond.sol:203:Unprotected initializer"]=1
+SEVERITIES="critical high medium"
+
+# Function to check if a vulnerability title should be ignored
+ignore_title() {
+    case "$1" in
+        "Centralization Risk for trusted owners") return 0 ;;
+        # Add more titles to ignore here, one per line
+        *) return 1 ;;
+    esac
+}
 
-containsElement() {
-  local e match="$1"
-  shift
-  for e; do [[ "$e" == "$match" ]] && return 0; done
-  return 1
+# Function to check if a specific vulnerability should be ignored
+ignore_specific() {
+    case "$1" in
+        "src/lib/LibDiamond.sol:204:Unprotected initializer") return 0 ;;
+        "src/lib/LibDiamond.sol:203:Unprotected initializer") return 0 ;;
+        *) return 1 ;;
+    esac
 }
 
 # Read vulnerabilities from the report
-readVulnerabilities() {
-  level="$1"
-  jq -c --argjson ignoreTitles "$(printf '%s\n' "${IGNORE_TITLES[@]}" | jq -R . | jq -s .)" ".${level}_issues.issues[] | select(.title as \$title | .instances[].contract_path as \$path | .instances[].line_no as \$line | \$ignoreTitles | index(\$title) | not)" $REPORT_FILE
+read_vulnerabilities() {
+    level="$1"
+    jq -c ".${level}_issues.issues[]? // empty" "$REPORT_FILE"
 }
 
 # Main function to process the report
-processReport() {
-  local hasVulnerabilities=0
-
-  for level in ${SEVERITIES[@]}; do
-    while IFS= read -r vulnerability; do
-      title=$(echo "$vulnerability" | jq -r ".title")
-      path=$(echo "$vulnerability" | jq -r ".instances[].contract_path")
-      line=$(echo "$vulnerability" | jq -r ".instances[].line_no")
-      specificKey="${path}:${line}:${title}"
-
-      if [[ ${IGNORE_SPECIFIC[$specificKey]+_} ]]; then
-        echo "Ignoring specific vulnerability: $title at $path line $line"
-      else
-        echo "Found $level vulnerability: $title at $path line $line"
-        hasVulnerabilities=1
-      fi
-    done < <(readVulnerabilities "$level")
-  done
-
-  return $hasVulnerabilities
+process_report() {
+    has_vulnerabilities=0
+
+    for level in $SEVERITIES; do
+        read_vulnerabilities "$level" | while IFS= read -r vulnerability; do
+            title=$(printf '%s' "$vulnerability" | jq -r ".title")
+            path=$(printf '%s' "$vulnerability" | jq -r ".instances[].contract_path")
+            line=$(printf '%s' "$vulnerability" | jq -r ".instances[].line_no")
+            specific_key="${path}:${line}:${title}"
+
+            if ignore_specific "$specific_key"; then
+                printf "Ignoring specific vulnerability: %s at %s line %s\n" "$title" "$path" "$line"
+            elif ignore_title "$title"; then
+                printf "Ignoring vulnerability by title: %s at %s line %s\n" "$title" "$path" "$line"
+            else
+                printf "Found %s vulnerability: %s at %s line %s\n" "$level" "$title" "$path" "$line"
+                has_vulnerabilities=1
+            fi
+        done
+    done
+
+    return $has_vulnerabilities
 }
 
-# Process the report and exit with the code returned by processReport
-processReport
+# Process the report and exit with the code returned by process_report
+process_report
 exit $?

package.json

@@ -4,7 +4,8 @@
   "packageManager": "[email protected]",
   "pnpm": {
     "overrides": {
-      "axios@>=0.8.1 <0.28.0": ">=0.28.0"
+      "axios@>=0.8.1 <0.28.0": ">=0.28.0",
+      "ws": ">=8.17.1"
     }
   }
-}
+}