Skip to content

fix(ci): restore semgrep to ci-fast, add withdrawal binding tests#337

Merged
iap merged 9 commits into
devfrom
feature/ci-and-circuit-tests
Jun 23, 2026
Merged

fix(ci): restore semgrep to ci-fast, add withdrawal binding tests#337
iap merged 9 commits into
devfrom
feature/ci-and-circuit-tests

Conversation

@iap

@iap iap commented Jun 22, 2026
edited by greptile-apps Bot
Loading

Copy link
Copy Markdown
Contributor

Changes

  • Restore Semgrep scan with --severity ERROR filter to ci-fast task
  • Change circuits step from pnpm test to pnpm test:fast for faster iteration
  • Add RELAYER_MAX constant and withdrawal binding test cases in MARKPool.fast.mjs
  • Add happy path test for withdrawal (exercises inSecret0Upper constraint)
  • Add sad path test for tampered withdrawOwner (attack POC)

Tests

All 11 fast circuit tests passing:

  • valid 2-in 2-out transact
  • valid 2-in 2-out transact with withdrawal (new)
  • wrong withdrawOwner (tampered) (new)
  • fee constraints, nullifier constraints, merkle root constraints

Security

The withdrawal binding path was previously untested in fast suite. Added coverage to prevent regression on the inSecret0Upper constraint that binds withdrawOwner to inSecret[0].

View with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is enabled.

Greptile Summary

  • Restores Semgrep execution in the fast CI task with an ERROR filter.
  • Switches the circuits step in the fast CI path to pnpm test:fast.
  • Removes the old fast-test wrapper script.
  • Expands fast MARKPool withdrawal coverage for owner binding, non-zero upper secret bits, forged upper bits, withdrawal zero-value cases, and output commitment mismatch.

Confidence Score: 5/5

The changes are limited to CI task wiring and additional fast circuit coverage, with no reported code issues requiring changes.

The modified paths align with the PR description and the added tests exercise the withdrawal binding behavior without introducing review findings.

T-Rex T-Rex Logs

What T-Rex did

  • Observed the baseline ci-fast configuration in mise.toml, including a 180s timeout and the initial Semgrep and circuits test commands.
  • Observed the updated head ci-fast configuration in mise.toml with a 600s timeout and a stricter Semgrep invocation, plus the updated circuits test command for fast runs.
  • Recorded that the Semgrep task description was updated in mise.toml and that a dry-run of the ci-fast workflow failed with exit code 127 due to a missing mise.
  • Compared the before-state withdrawal-fast tests and the after-state tests, noting the toolchain blocker for runtime tests and the differing label enumerations.
  • Confirmed the repeated runtime-blocker condition in the after-state withdrawal-fast tests and the continued exit code of 1 for the commands.

View all artifacts

T-Rex Ran code and verified through T-Rex

Reviews (4): Last reviewed commit: "fix: restore full-repo semgrep scope and..." | Re-trigger Greptile

iap added 4 commits June 20, 2026 17:39
@iap
test: verify GPG signing and GH013
3363361
@iap
Merge branch 'dev' of github.com:trade/mark into dev
ea0a628
@iap
chore: remove accidentally committed empty = file
3760724
@iap
fix: circuit test, CI timeout, and stale file cleanup
28b94bd 
- Add missing inSecret0Upper input to MARKPool.fast.mjs happy-path test
- Increase ci-fast timeout to 1200s for cold Solidity compilation
- Move Semgrep to standalone task scoped to contracts/ and circuits/
- Remove orphaned circuits/scripts/test-fast.mjs
@iap iap requested a review from a team as a code owner June 22, 2026 23:14
@iap iap requested review from red-cream and removed request for a team June 22, 2026 23:14
@github-actions

github-actions Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@iap
fix(ci): restore semgrep to ci-fast, add withdrawal binding tests
5c76f2b 
- Restore Semgrep scan with --severity ERROR filter to ci-fast task
- Change circuits step from pnpm test to pnpm test:fast for faster iteration
- Add RELAYER_MAX constant and withdrawal binding test cases in MARKPool.fast.mjs
- Add happy path test for withdrawal (exercises inSecret0Upper constraint)
- Add sad path test for tampered withdrawOwner (attack POC)
greptile-apps[bot]
greptile-apps Bot reviewed Jun 22, 2026
View reviewed changes
Comment thread .mise.toml Outdated
Comment thread .mise.toml Outdated
Comment thread circuits/test/MARKPool.fast.mjs
Comment thread circuits/test/MARKPool.fast.mjs
iap and others added 2 commits June 22, 2026 23:31
@iap @codesmith-bot
fix: restore semgrep blocking flags and add forged-upper attack test
040bab3 
- ci-fast: add --error to semgrep so ERROR findings cause non-zero exit
- semgrep task: restore --config=auto --config=p/security-audit and --error
  (lost when the task was previously refactored)
- MARKPool.fast.mjs: add forged-upper owner-binding bypass test that
  computes inSecret0Upper = (secret - spoofedOwner) * RELAYER_MAX^-1 mod p
  and verifies the Num2Bits(93) range check rejects the out-of-range value

Co-authored-by: Codesmith <codesmith-bot@users.noreply.github.com>
@iap @codesmith-bot
test: add withdrawal happy path with non-zero inSecret0Upper
081cd0a 
Previous withdrawal test used secret=111n which is smaller than 2^160,
so inSecret0Upper was always 0n and the upper-bits term of the binding
constraint was never exercised. Add a second happy-path case using
secret = RELAYER_MAX + 42n (upper=1n, lower=42n) so a regression that
ignores inSecret0Upper or uses the wrong multiplier would be caught.

Co-authored-by: Codesmith <codesmith-bot@users.noreply.github.com>
greptile-apps[bot]
greptile-apps Bot reviewed Jun 22, 2026
View reviewed changes
Comment thread .mise.toml Outdated
@iap @codesmith-bot
fix: restore --config=auto to ci-fast semgrep invocation
21ed994 
The fast gate previously ran --config=auto alongside the MARK custom rules.
This was dropped when semgrep was re-added to ci-fast, narrowing the scan
to only project-specific rules and letting generic security findings through.

Co-authored-by: Codesmith <codesmith-bot@users.noreply.github.com>
greptile-apps[bot]
greptile-apps Bot reviewed Jun 22, 2026
View reviewed changes
Comment thread .mise.toml Outdated
Comment thread .mise.toml Outdated
Comment thread .mise.toml Outdated
@iap @codesmith-bot
fix: restore full-repo semgrep scope and port missing circuit tests t…
78a655b 
…o fast suite

- ci-fast/semgrep tasks: remove contracts/ circuits/ target restriction so
  frontend JS/TS is scanned again (matches historical no-target invocation;
  .semgrepignore handles build artifact exclusions)
- MARKPool.fast.mjs: port four security-relevant tests from the full suite
  that were missing from the fast gate:
  - withdraw amount non-zero but owner zero
  - withdraw amount non-zero but recipient zero
  - withdraw amount zero but owner non-zero
  - wrong output commitment

Co-authored-by: Codesmith <codesmith-bot@users.noreply.github.com>
@iap iap merged commit fb62822 into dev Jun 23, 2026
21 checks passed
@iap iap deleted the feature/ci-and-circuit-tests branch June 23, 2026 01:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@red-cream red-cream Awaiting requested review from red-cream red-cream is a code owner automatically assigned from trade/maintainers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@iap