whitelist: add spotr.tv and dapp.spotr.tv

[cnpierrepapi]

Request

Add spotr.tv and dapp.spotr.tv to the whitelist.

About SPOTR

SPOTR is a cultural opinion market on Solana. Players deposit USDC, pick a side on cultural debate questions, and write a 140-character argument. An AI judge evaluates both sides and picks a winner. Winners split the pool proportional to their stake (pari-mutuel payouts).

Why flagged

We use a sponsor-pays-gas pattern where a backend wallet pays SOL transaction fees on behalf of users. The deposit itself is a standard SPL token transfer (createTransferInstruction) to a program-owned vault. Phantom/Blowfish flags the different fee payer as potentially malicious.

Details

• Landing site: https://spotr.tv
• Dapp: https://dapp.spotr.tv
• Solana Program: 4i5etYNKfu7zfYxCtWxPjxaD6KNmgvrr22CZqLTWv16u (mainnet, verifiable on Solscan)
• Program deploy tx: 4hvK5WnL7YbYQCkhxqfoPbcuvhNjKiw3DUM5RLRCEYQtM54pSDvuoFC7gddBhpThB8HWeancxTWjkY1trMuTivRV
• Transaction type: Standard SPL token transfer (USDC deposit to vault ATA)
• Source code: Private repository (available on request for review)

On-chain verification

The program can be verified on-chain at the Solscan link above. It has two instructions: Initialize (sets admin + USDC mint) and AdminWithdrawAll (admin claims vault). User deposits are standard SPL token transfers — they do not invoke the program.

Summary by CodeRabbit

• Chores
  • Updated domain allowlist to enable support for spotr.tv and dapp.spotr.tv.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3610ea77-dedc-4c22-8a65-68516d23dc17

📥 Commits

Reviewing files that changed from the base of the PR and between 44ec160 and 00e4a93.

📒 Files selected for processing (1)

• whitelist.yaml

✅ Files skipped from review due to trivial changes (1)

• whitelist.yaml

---

📝 Walkthrough

Walkthrough

whitelist.yaml is updated to expand the URL allowlist by adding spotr.tv and dapp.spotr.tv alongside the existing nftplus.io entry.

Changes

URL Allowlist Update

Layer / File(s)	Summary
Add spotr.tv domains to allowlist whitelist.yaml	The allowlist configuration adds spotr.tv and dapp.spotr.tv to the whitelisted domains.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main change: adding two specific domains (spotr.tv and dapp.spotr.tv) to the whitelist.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@whitelist.yaml`:
- Around line 34-35: The whitelist entry for domains spotr.tv and dapp.spotr.tv
references a non-existent GitHub repo
(https://github.com/cnpierrepapi/spotr-mvp); update the whitelist.yaml to
replace that URL with the correct repository URL (or add a new source_repo
field) that actually hosts the Spotr source code, and include a verifiable
reference (commit hash, tag or release) for the Solana program id
4i5etYNKfu7zfYxCtWxPjxaD6KNmgvrr22CZqLTWv16u so reviewers can inspect the code;
ensure the entry for the domains (spotr.tv, dapp.spotr.tv) and the Solana
program id remain unchanged but point to the corrected GitHub link.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8bfbcecc-58b2-4302-ac82-83893716d6dd

📥 Commits

Reviewing files that changed from the base of the PR and between 5030186 and 44ec160.

📒 Files selected for processing (1)

• whitelist.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify SPOTR domains and project authenticity

echo "=== Checking domain accessibility ==="
for domain in "spotr.tv" "dapp.spotr.tv"; do
  echo "Checking https://${domain}..."
  status=$(curl -s -o /dev/null -w "%{http_code}" -L "https://${domain}" --max-time 10)
  if [ "$status" -eq 200 ] || [ "$status" -eq 301 ] || [ "$status" -eq 302 ]; then
    echo "✓ ${domain} is accessible (HTTP ${status})"
  else
    echo "✗ ${domain} returned HTTP ${status} or failed"
  fi
done

echo ""
echo "=== Checking GitHub repository ==="
gh repo view cnpierrepapi/spotr-mvp --json name,description,createdAt,isPrivate,owner,url,stargazerCount || echo "✗ Repository not found or not accessible"

echo ""
echo "=== Checking Solana program existence ==="
echo "Note: Verifying program 4i5etYNKfu7zfYxCtWxPjxaD6KNmgvrr22CZqLTWv16u on Solana mainnet..."
curl -s -X POST -H "Content-Type: application/json" -d '{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "getAccountInfo",
  "params": [
    "4i5etYNKfu7zfYxCtWxPjxaD6KNmgvrr22CZqLTWv16u",
    {"encoding": "base64"}
  ]
}' https://api.mainnet-beta.solana.com | jq -r '.result // "✗ Program not found"' | head -5

Repository: phantom/blocklist

Length of output: 639

---

🏁 Script executed:

#!/bin/bash

echo "=== Verifying GitHub user and searching for alternatives ==="
# Check if user exists
curl -s "https://api.github.com/users/cnpierrepapi" | jq -r '.login // "User not found"'

echo ""
echo "=== Searching for SPOTR project on GitHub ==="
# Search for spotr-mvp repo
curl -s "https://api.github.com/search/repositories?q=spotr-mvp" | jq -r '.items[0:3] | .[] | "\(.full_name): \(.description) - \(.html_url)"'

echo ""
echo "=== Complete Solana program info ==="
# Get full account info for the program
curl -s -X POST -H "Content-Type: application/json" -d '{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "getAccountInfo",
  "params": [
    "4i5etYNKfu7zfYxCtWxPjxaD6KNmgvrr22CZqLTWv16u",
    {"encoding": "base64"}
  ]
}' https://api.mainnet-beta.solana.com | jq '.' | head -20

Repository: phantom/blocklist

Length of output: 650

---

Correct the GitHub repository link — the cited repository does not exist.

Domain accessibility is confirmed (both spotr.tv and dapp.spotr.tv return HTTP 200), and the Solana program 4i5etYNKfu7zfYxCtWxPjxaD6KNmgvrr22CZqLTWv16u is deployed on mainnet. However, the PR cites https://github.com/cnpierrepapi/spotr-mvp as source code verification, but this repository does not exist on GitHub. The GitHub user cnpierrepapi exists, but the spotr-mvp repository is not found.

Whitelisting domains is security-critical and requires verifying the underlying source code for red flags. Please provide the correct GitHub repository link so the code can be reviewed before approval.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@whitelist.yaml` around lines 34 - 35, The whitelist entry for domains
spotr.tv and dapp.spotr.tv references a non-existent GitHub repo
(https://github.com/cnpierrepapi/spotr-mvp); update the whitelist.yaml to
replace that URL with the correct repository URL (or add a new source_repo
field) that actually hosts the Spotr source code, and include a verifiable
reference (commit hash, tag or release) for the Solana program id
4i5etYNKfu7zfYxCtWxPjxaD6KNmgvrr22CZqLTWv16u so reviewers can inspect the code;
ensure the entry for the domains (spotr.tv, dapp.spotr.tv) and the Solana
program id remain unchanged but point to the corrected GitHub link.

[cnpierrepapi]

Repository is now public: https://github.com/cnpierrepapi/spotr-mvp

Solana program source code: programs/spotr/src/lib.rs

Verifiable references:

• Latest commit: 5685f62
• Program ID: 4i5etYNKfu7zfYxCtWxPjxaD6KNmgvrr22CZqLTWv16u (Solscan)
• Deploy tx: 4hvK5WnL7YbYQCkhxqfoPbcuvhNjKiw3DUM5RLRCEYQtM54pSDvuoFC7gddBhpThB8HWeancxTWjkY1trMuTivRV

The program has two instructions: Initialize (sets admin + USDC mint in Config PDA) and AdminWithdrawAll (admin claims vault). User deposits are standard SPL token transfers — they do not invoke the program. The sponsor-pays-gas pattern (different fee payer) is what triggers the Phantom warning.