trade · iap · Apr 26, 2026 · Apr 26, 2026 · Apr 26, 2026 · Apr 26, 2026
@@ -0,0 +1,20 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+language: "en-US"
+early_access: false
+
+reviews:
+  profile: "assertive"
+  request_changes_workflow: true
+  high_level_summary: true
+  review_status: true
+  collapse_walkthrough: false
+  auto_review:
+    enabled: true
+    drafts: false
+
+chat:
+  auto_reply: true
+
+knowledge_base:
+  code_guidelines:
+    enabled: true
@@ -0,0 +1,45 @@
+# Format: <path> @owner
+# Paths are matched top-to-bottom; first match wins.
+
+* @trade/maintainers
+
+# Contracts
+
+/contracts/src/** @trade/maintainers
+/contracts/test/** @trade/maintainers
+/contracts/script/** @trade/maintainers
+/contracts/foundry.toml @trade/maintainers
+/contracts/Makefile @trade/maintainers
+/contracts/RUNBOOK.md @trade/maintainers
+/contracts/README.md @trade/maintainers
+
+# CI and governance
+
+/.github/workflows/** @trade/maintainers
+/.github/PRODUCTION_GOVERNANCE_CHECKLIST.md @trade/maintainers
+/.github/CODEOWNERS @trade/maintainers
+/BRANCHING.md @trade/maintainers
+/CONTRIBUTING.md @trade/maintainers
+
+# Frontend
+
+/src/** @trade/maintainers
+/index.html @trade/maintainers
+
+# Configuration and build
+
+/package.json @trade/maintainers
+/pnpm-lock.yaml @trade/maintainers
+/tsconfig*.json @trade/maintainers
+/vite.config.ts @trade/maintainers
+/eslint.config.js @trade/maintainers
+/.prettierrc.json @trade/maintainers
+/mprocs.yaml @trade/maintainers
+/remappings.txt @trade/maintainers
+
+# Documentation
+
+/README.md @trade/maintainers
+/DEPLOYMENT.md @trade/maintainers
+/TROUBLESHOOTING.md @trade/maintainers
+/LICENSE @trade/maintainers
@@ -0,0 +1,179 @@
+# Production Governance Checklist (GitHub)
+
+Use this checklist to apply repository settings that enforce the `dev` -> `canary` -> `main` release process.
+
+## 1) Protect `main` branch
+
+GitHub path: `Settings -> Branches -> Add branch protection rule`
+
+- Branch name pattern: `main`
+- Enable `Require a pull request before merging`
+- Enable `Require approvals` and set minimum to `2` (or `1` if your team is small)
+- Enable `Dismiss stale pull request approvals when new commits are pushed`
+- Enable `Require status checks to pass before merging`
+- Add required checks:
+  - `Analyze (javascript-typescript)`
+  - `gitleaks / Gitleaks Scan`
+  - `Detect Secrets Drift`
+  - `Release Gate Container`
+  - `Dependency Review`
+  - `Contracts Unit + Invariant`
+  - `Contracts Release Check (Dry-Run + Execute Smoke)`
+  - `Contracts Production Mode Smoke`
+  - `slither-core / Slither Core Contracts`
+  - `frontend-checks / Frontend Checks (Node 20)`
+  - `frontend-checks / Frontend Checks (Node 22)`
+  - `Validate Release PR Checklist`
+  - `Validate Release Evidence`
+- Optional additional checks (recommended but not globally required):
+  - `Contracts Unit + Invariant`
+  - `Contracts Env Guard`
+  - `Contracts Evidence Manifest`
+  - `Governance Policy Guard`
+- Governance policy PR rule:
+  - If PR changes `scripts/github/apply-governance.sh`, `BRANCHING.md`, or this checklist, ensure `Validate Governance Policy Consistency` passes before merge.
+- Enable `Require branches to be up to date before merging`
+- Enable `Restrict who can push to matching branches` (maintainers only)
+- Enable `Do not allow bypassing the above settings`
+
+## 2) Protect `canary` branch
+
+GitHub path: `Settings -> Branches -> Add branch protection rule`
+
+- Branch name pattern: `canary`
+- Enable `Require a pull request before merging`
+- Enable `Require approvals` and set minimum to `1`
+- Enable `Dismiss stale pull request approvals when new commits are pushed`
+- Enable `Require status checks to pass before merging`
+- Add required checks:
+  - `Analyze (javascript-typescript)`
+  - `gitleaks / Gitleaks Scan`
+  - `Detect Secrets Drift`
+  - `Release Gate Container`
+  - `Dependency Review`
+  - `Contracts Unit + Invariant`
+  - `Contracts Release Check (Dry-Run + Execute Smoke)`
+  - `Contracts Production Mode Smoke`
+  - `slither-core / Slither Core Contracts`
+  - `frontend-checks / Frontend Checks (Node 20)`
+  - `frontend-checks / Frontend Checks (Node 22)`
+- Optional additional checks (recommended but not globally required):
+  - `Contracts Unit + Invariant`
+  - `Contracts Env Guard`
+  - `Governance Policy Guard`
+- Governance policy PR rule:
+  - If PR changes `scripts/github/apply-governance.sh`, `BRANCHING.md`, or this checklist, ensure `Validate Governance Policy Consistency` passes before merge.
+- Enable `Require branches to be up to date before merging`
+
+## 3) Protect `dev` branch
+
+GitHub path: `Settings -> Branches -> Add branch protection rule`
+
+- Branch name pattern: `dev`
+- Enable `Require a pull request before merging`
+- Enable `Require status checks to pass before merging`
+- Add required checks:
+  - `Analyze (javascript-typescript)`
+  - `gitleaks / Gitleaks Scan`
+  - `Detect Secrets Drift`
+  - `Release Gate Container`
+  - `Dependency Review`
+  - `Contracts Unit + Invariant`
+  - `Contracts Release Check (Dry-Run + Execute Smoke)`
+  - `Contracts Production Mode Smoke`
+  - `slither-core / Slither Core Contracts`
+  - `frontend-checks / Frontend Checks (Node 20)`
+  - `frontend-checks / Frontend Checks (Node 22)`
+- Optional additional checks (recommended but not globally required):
+  - `Contracts Unit + Invariant`
+  - `Contracts Env Guard`
+  - `Governance Policy Guard`
+- Governance policy PR rule:
+  - If PR changes `scripts/github/apply-governance.sh`, `BRANCHING.md`, or this checklist, ensure `Validate Governance Policy Consistency` passes before merge.
+- Choose one model:
+  - Strict model: also restrict direct push to maintainers only
+  - Fast model: allow maintainer direct push for emergency dev iteration
+
+## 4) Configure `production` environment
+
+GitHub path: `Settings -> Environments -> New environment`
+
+- Environment name: `production`
+- Enable required reviewers (at least `1`, recommended `2`)
+- Add secret:
+  - `MARK_DEPLOYER_PRIVATE_KEY`
+- Optional environment variables:
+  - `MARK_MAINNET_GATE_MODE=predeploy` (default input still controls mode)
+
+Notes:
+- `contracts-mainnet-readiness.yml` already binds to `environment: production`.
+- The workflow already enforces `main` branch execution.
+
+## 5) Restrict release tagging
+
+GitHub path: `Settings -> Rules -> Rulesets` (or tag protection in legacy settings)
+
+- Protect tag pattern: `v*`
+- Restrict create/update/delete tag permissions to maintainers/release managers.
+
+## 6) Validation run (one-time)
+
+1. Open a small PR to `dev` changing docs only.
+2. Confirm required checks run and pass.
+3. Merge PR to `dev`.
+4. Open PR `dev -> canary`; confirm staging rehearsal triggers automatically.
+5. Open PR `canary -> main`.
+6. Confirm required checks are enforced on `main`.
+7. Merge into `main`.
+8. Run workflow `Contracts Mainnet Readiness` from `main`.
+9. Confirm:
+   - workflow requests/uses `production` environment approvals
+   - run succeeds
+   - readiness artifact uploads
+
+## 7) Ongoing operational rule
+
+- No production deployment from `dev` or `canary`.
+- Production readiness + deployment sign-off only from `main`.
+- Any emergency `main` hotfix must be back-merged into `canary` and `dev` immediately after release.
+
+## 8) Optional automation (API)
+
+You can apply most settings via script:
+
+```bash
+cd /path/to/mark
+export GH_PAT=<github_token_with_repo_admin_scope>
+# optional:
+# export GH_REPO=trade/mark
+# export MAIN_REVIEW_COUNT=2
+# export DEV_REVIEW_COUNT=1
+# export MAIN_PUSH_ALLOW_USERS=iap
+# export MAIN_PUSH_ALLOW_TEAMS=release-managers
+# export CANARY_PUSH_ALLOW_USERS=iap
+# export DEV_PUSH_ALLOW_USERS=iap
+# export PRODUCTION_REVIEWER_IDS=12345,67890
+./scripts/github/apply-governance.sh
+```
+
+What this script applies:
+- `main` branch protection (PR + checks + stale review dismissal)
+- `canary` branch protection (PR + checks)
+- `dev` branch protection (PR + checks)
+- `production` environment creation
+- optional production required reviewers by user ID
+- optional direct-push restrictions via `*_PUSH_ALLOW_*` allowlists
+
+
+## 9) Verify active protections after transfer
+
+Run the verification script with a repo-admin token:
+
+```bash
+cd /path/to/mark
+export GH_PAT=<github_token_with_repo_admin_scope>
+# optional: export GH_REPO=your-org/mark
+./scripts/github/verify-governance.sh
+```
+
+Expected output: all three branches (`dev`, `canary`, `main`) report `PASS` and required checks include CodeQL (`Analyze (javascript-typescript)`), `gitleaks / Gitleaks Scan`, and `Dependency Review`.
@@ -0,0 +1,62 @@
+## Release PR (`canary` -> `main`)
+
+Use this template only for production candidate merges.
+
+## Release Scope
+
+- Release tag/version candidate:
+- Commit range / PR range:
+- Contracts affected:
+
+## Required Evidence
+
+- [ ] `Contracts Unit + Invariant` CI passed
+- [ ] `Contracts Release Check (Dry-Run + Execute Smoke)` CI passed
+- [ ] `Contracts Production Mode Smoke` CI passed
+- [ ] `Slither Core Contracts` CI passed
+- [ ] `Analyze (javascript-typescript)` CI passed
+- [ ] `Gitleaks Scan` CI passed
+- [ ] `Dependency Review` CI passed
+- [ ] `Frontend Checks (Node 20)` CI passed
+- [ ] `Frontend Checks (Node 22)` CI passed
+- [ ] `Contracts Mainnet Readiness` run from `main` branch
+- [ ] Readiness artifact uploaded and reviewed
+- [ ] Verify output reviewed (role/config expectations)
+
+Evidence links/values:
+- Mainnet readiness run URL:
+- Readiness artifact SHA256:
+
+## Security + Ops Sign-off
+
+- [ ] Protocol owner/admin signer approval
+- [ ] Security reviewer approval
+- [ ] Deployment operator approval
+
+## Staging Go/No-Go (Pre-Mainnet)
+
+Reference: `contracts/STAGING_GO_NO_GO_CHECKLIST.md`
+
+- [ ] Staging rehearsal workflow succeeded (`contracts-staging-rehearsal.yml`)
+- [ ] Production-lock verify succeeded (`contracts-production-lock-verify.yml`)
+- [ ] Staging evidence artifacts reviewed (`mark-staging-release`, `mark-staging-rehearsal`, `mark-production-lock-verify`)
+- [ ] Freshness and lineage policy passed (`contracts-promotion-checklist.yml`)
+- [ ] Final Go/No-Go decision documented with links
+
+## Deployment Inputs
+
+- RPC target:
+- Artifact path:
+- `MARK_GIT_COMMIT` value:
+- Environment used: `production`
+
+## Go / No-Go
+
+- [ ] Go
+- [ ] No-Go (reason)
+
+## Post-Merge Plan
+
+- [ ] Run/confirm deployment sequence in `contracts/RUNBOOK.md`
+- [ ] Tag release on `main`
+- [ ] Back-merge any hotfixes into `dev` (if applicable)
@@ -0,0 +1,16 @@
+name: Setup Foundry
+
+description: Install pinned Foundry toolchain used by repository workflows.
+
+inputs:
+  foundry-version:
+    description: Foundry version (for example 1.5.0 or nightly-<commit>)
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Foundry
+      uses: foundry-rs/foundry-toolchain@v1
+      with:
+        version: ${{ inputs.foundry-version }}
@@ -0,0 +1,28 @@
+name: Setup Node + pnpm
+
+description: Setup Node.js and activate a pinned pnpm version via corepack.
+
+inputs:
+  node-version:
+    description: Node.js version
+    required: true
+  pnpm-version:
+    description: pnpm version to activate via corepack
+    required: false
+    default: "9.0.2"
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Node.js
+      uses: actions/setup-node@v6
+      with:
+        node-version: ${{ inputs.node-version }}
+        package-manager-cache: false
+
+    - name: Setup pnpm (corepack)
+      shell: bash
+      run: |
+        corepack enable
+        corepack prepare pnpm@${{ inputs.pnpm-version }} --activate
+        pnpm --version