This commit increments the version number to 1.0.0-alpha.13 in the package.json files for the main project, contracts package, and SDK package. The updates ensure consistency across the project and prepare for the next release cycle. No functional changes were made, focusing solely on version management.
This commit enhances the `CopyBlox` contract by consolidating validation checks for the `bloxAddress` into a dedicated `_validateBloxImplementation` function. It removes the `_cloneCount` state variable, utilizing the length of the `_clones` set to track the number of clones created. The clone creation process is streamlined, ensuring that all necessary validations are performed before cloning, and state changes are handled more efficiently. Additionally, the `getCloneCount` function now returns the length of the `_clones` set, aligning with the new implementation. These changes aim to improve code clarity and maintainability while ensuring robust validation.
This commit updates the version number to 1.0.0-alpha.13 in the package.json and package-lock.json files. It also upgrades several development dependencies, including @commitlint/cli, dotenv, hardhat, prettier-plugin-solidity, release-please, and viem to their latest versions. These updates ensure consistency across the project and prepare for the next release cycle, focusing on dependency management and version alignment.
…yBlox This commit modifies the environment configuration to streamline the deployment process for the CopyBlox contract. It updates the `env.example` file to reflect the new deployment flags and addresses, including the removal of deprecated contract addresses and the addition of `COPYBLOX_ADDRESS`. The migration scripts are also adjusted to focus solely on deploying the AccountBlox and CopyBlox contracts, enhancing clarity and maintainability. Additionally, new sanity tests for CopyBlox are introduced, ensuring robust verification of clone functionality and state management. These changes aim to improve the overall deployment workflow and testing coverage for the CopyBlox implementation.
…lity This commit enhances the deployment process by updating the `deploy:hardhat:foundation` script to point to the correct path for foundation libraries. It introduces a new script, `create-wallet-copyblox.js`, which allows users to interactively create a new wallet (clone) via CopyBlox, streamlining the wallet setup process. Additionally, it modifies the `package.json` to include the new wallet creation command. These changes aim to improve the deployment workflow and user experience when setting up wallets in the Bloxchain Protocol.
…tiple test and helper files This commit modifies the SPDX license identifiers in various Solidity test and helper files, changing them from MIT to MPL-2.0. This update ensures compliance with the new licensing requirements and maintains consistency across the codebase. The affected files include multiple fuzz tests, integration tests, and helper contracts, reflecting a comprehensive update to the licensing information.
This commit enhances the deployment scripts by adding error handling for missing environment variables in `create-wallet-copyblox.js`, ensuring the readline interface is closed properly. Additionally, it updates the logging in `deploy-example-copyblox.js` to clarify the initialization process and warns about the development configuration. The changes aim to improve user experience and maintain clarity during the deployment process. Furthermore, the path for foundation libraries in `deploy-foundation-libraries.js` is corrected to ensure proper functionality.
This commit improves the error handling and validation logic in the CopyBlox test scripts. It adds checks for the existence of ABI files and validates the local RPC URL for Ganache, ensuring that the tests are only run in appropriate environments. Additionally, it enhances the handling of broadcaster retrieval, providing clearer error messages when expectations are not met. These changes aim to improve the robustness and reliability of the testing framework.
…r reporting This commit modifies the dotenv configuration in the base test script to load environment variables quietly, reducing console noise during test execution. Additionally, it updates the error handling in the run-tests script to increment the count of failed suites when an unknown test suite is encountered. These changes aim to improve the clarity of test outputs and streamline the testing process for the CopyBlox framework.
📝 Walkthrough
This PR performs a major architectural refactor consolidating template contracts from multiple variants to AccountBlox and CopyBlox. Changes include: removing BareBlox, SecureBlox, RoleBlox, and MachineBlox contracts; updating CopyBlox with cloning and event-forwarding capabilities; rewriting the README with CLI-focused formatting; reorganizing deployment scripts and adding wallet creation tooling; refactoring 40+ Foundry tests to use AccountBlox instead of deprecated templates; updating ABIs and version to alpha.13.
| "@nomicfoundation/hardhat-ethers": "^4.0.4", | ||
| "dotenv": "^17.2.3", | ||
| "hardhat": "^3.1.5", | ||
| "dotenv": "^17.3.1", |
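Review bot: both dotenv entries in this hunk are caret ranges (`^17.2.3`, `^17.3.1`), so an install that ignores the lockfile can resolve a later 17.x than the one reviewed. Since the deployment scripts load their environment through dotenv, have CI and release jobs install with `npm ci` against the committed package-lock.json, and change the range only together with the lockfile.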
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Find repository structure
echo "=== Repository structure ==="
git ls-files | head -20
echo -e "\n=== Looking for dotenv config calls ==="
# Find all scripts that call require('dotenv').config()
rg -n "require\(['\"]dotenv['\"]\)\.config\(" --type=js --type=cjs -g "!node_modules/**" || echo "No matches found"
echo -e "\n=== Looking for import style dotenv calls ==="
rg -n "dotenv.*\.config\(" --type=js --type=cjs -g "!node_modules/**" || echo "No matches found"
echo -e "\n=== Checking for CI configuration files ==="
find . -maxdepth 2 -type f \( -name ".github" -o -name ".gitlab-ci.yml" -o -name ".circleci" -o -name "Jenkinsfile" -o -name ".travis.yml" -o -name ".drone.yml" \) 2>/dev/null | head -20
echo -e "\n=== Listing all .cjs and .js script files in root and common directories ==="
find . -maxdepth 3 -type f \( -name "*.cjs" -o -name "*.mjs" \) -not -path "*/node_modules/*" | head -20
```
Repository: PracticalParticle/Bloxchain-Protocol
Length of output: 1406
🏁 Script executed:
```bash
#!/bin/bash
echo "=== Searching for dotenv in all files without type restriction ==="
rg -n "dotenv" -g "!node_modules/**" | head -30
echo -e "\n=== Searching specifically in .cjs files for config calls ==="
rg "require.*dotenv|import.*dotenv" --glob "*.cjs" -g "!node_modules/**" -n
echo -e "\n=== Checking truffle-config.cjs ==="
head -50 truffle-config.cjs
echo -e "\n=== Checking migrations for dotenv ==="
grep -r "dotenv" migrations/ 2>/dev/null || echo "No dotenv found in migrations"
echo -e "\n=== Checking package.json for dotenv entry point ==="
grep -A 5 -B 5 "dotenv" package.json | head -20
```
Repository: PracticalParticle/Bloxchain-Protocol
Length of output: 6612
🏁 Script executed:
```bash
#!/bin/bash
echo "=== Checking GitHub Actions workflow ==="
cat .github/workflows/particle-ci.yml
echo -e "\n=== Checking if any logs are captured/parsed in CI ==="
grep -r "stdout\|stderr\|output" .github/workflows/ 2>/dev/null | head -20
```
Repository: PracticalParticle/Bloxchain-Protocol
Length of output: 2162
🌐 Web query:
dotenv 17.0.0 release notes changelog quiet default false
💡 Result:
dotenv v17.0.0 (released 2025‑06‑27) change notes:
- Changed (breaking / behavior): `quiet` now defaults to `false`, so dotenv prints an informational runtime log message by default (includes file + keys count), e.g. `[dotenv@17.0.0] injecting env (1) from .env`. You can suppress it with `config({ quiet: true })`. [1][2]
Sources: CHANGELOG.md for v17.0.0 [1], npm package docs for quiet (default + example output) [2].
Add quiet: true to all require('dotenv').config() calls to suppress dotenv 17.x log output.
dotenv 17.0.0 changed quiet to default to false, causing a [dotenv@17.x.x] injecting env (N) log to be emitted on every .config() call. While cosmetic for interactive scripts, this breaks any CI step or downstream tool parsing stdout.
The following files call require('dotenv').config() without { quiet: true } and should be updated:
- truffle-config.cjs:42
- migrations/2_deploy_guardian_contracts.cjs:2
- scripts/get-deployed-addresses.cjs:8
- scripts/sanity/utils/eip712-signing.cjs:3
- scripts/sanity/simple-vault/base-test.cjs:12
- scripts/sanity/simple-rwa20/base-test.cjs:12
- scripts/sanity/runtime-rbac/base-test.cjs:12
- scripts/sanity/guard-controller/base-test.cjs:55
- scripts/sanity/secure-ownable/base-test.cjs:12
- scripts/sanity-sdk/load-env.ts:12
- scripts/sanity-sdk/base/test-config.ts:14
Note: scripts/sanity/copy-blox/base-test.cjs:11 already uses { quiet: true } and scripts/sanity-sdk/run-all-tests.ts already filters the dotenv logs.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@package.json` at line 74, Multiple files call require('dotenv').config()
without the { quiet: true } option which causes noisy "[dotenv@17.x.x] injecting
env (N)" logs; update each invocation (e.g., the calls in truffle-config.cjs,
migrations/2_deploy_guardian_contracts.cjs, scripts/get-deployed-addresses.cjs,
scripts/sanity/utils/eip712-signing.cjs,
scripts/sanity/simple-vault/base-test.cjs,
scripts/sanity/simple-rwa20/base-test.cjs,
scripts/sanity/runtime-rbac/base-test.cjs,
scripts/sanity/guard-controller/base-test.cjs,
scripts/sanity/secure-ownable/base-test.cjs, scripts/sanity-sdk/load-env.ts, and
scripts/sanity-sdk/base/test-config.ts) to pass { quiet: true } to
require('dotenv').config() (or dotenv.config(...) in TypeScript files), leaving
any existing { quiet: true } calls unchanged and ensuring you import/require
dotenv the same way currently used in each file.
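A check for the finding above, as an added example that is not part of the PR or the project's code: it scans source text for dotenv `.config(...)` calls whose arguments lack `quiet: true`. The file names and contents in `SAMPLE_FILES` are constructed, and `findNoisyDotenvCalls` is a hypothetical helper name.

```javascript
// Added example (not project code): flag dotenv config() calls that omit quiet: true.
// Matches both require('dotenv').config( and an imported binding: dotenv.config(
const CONFIG_CALL = /(?:require\(\s*['"]dotenv['"]\s*\)|\bdotenv)\s*\.config\s*\(/g;

// Return the text between the "(" at openIdx and its matching ")".
// Nested calls such as path.resolve(...) inside the options are handled by depth counting.
function argumentText(source, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < source.length; i++) {
    if (source[i] === '(') depth++;
    else if (source[i] === ')' && --depth === 0) return source.slice(openIdx + 1, i);
  }
  return source.slice(openIdx + 1); // unbalanced input: treat the rest as arguments
}

// files: object mapping path -> file contents. Returns one finding per noisy call.
function findNoisyDotenvCalls(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    for (const m of source.matchAll(CONFIG_CALL)) {
      const open = m.index + m[0].length - 1; // index of the "(" that opens config(
      const args = argumentText(source, open);
      if (!/\bquiet\s*:\s*true\b/.test(args)) {
        const line = source.slice(0, m.index).split('\n').length; // 1-based line number
        findings.push({ path, line, call: m[0] + args + ')' });
      }
    }
  }
  return findings;
}

// Constructed sample inputs (hypothetical paths, not files from the repository).
const SAMPLE_FILES = {
  'scripts/sample-a.cjs': "const path = require('path');\nrequire('dotenv').config();\n",
  'scripts/sample-b.cjs':
    "require('dotenv').config({ path: path.resolve(__dirname, '.env'), quiet: true });\n",
  'scripts/sample-c.ts': "import dotenv from 'dotenv';\n\ndotenv.config({ path: envPath });\n",
};

for (const f of findNoisyDotenvCalls(SAMPLE_FILES)) {
  console.log(`${f.path}:${f.line}  ${f.call}  (missing quiet: true)`);
}
```

The scan is textual, so a commented-out call is reported as well; treat the output as a list to review rather than a verdict.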
| @@ -1,4 +1,4 @@ | |||
| // SPDX-License-Identifier: MIT | |||
| // SPDX-License-Identifier: MPL-2.0 | |||
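Review bot: the line-1 SPDX change from MIT to MPL-2.0 is a header-only edit that this PR repeats across many test and helper files, so a missed file is easy to overlook. Add a CI check that fails on any remaining `SPDX-License-Identifier: MIT` under test/, and confirm the repository's LICENSE file states the same terms as the new headers.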
🧩 Analysis chain
🌐 Web query:
MIT license vs MPL-2.0 license differences weak copyleft downstream implications test files
💡 Result:
MIT vs MPL‑2.0 (core differences)
1) Copyleft scope
- MIT: Permissive. You can redistribute modified/unmodified code under almost any terms (including closed source), as long as you keep the copyright + permission notice. [1]
- MPL‑2.0: Weak (file‑level) copyleft. Only “Covered Software” must remain under MPL when distributed; you can still combine it into a proprietary “Larger Work” in separate files. [2]
2) What you must give downstream (redistribution obligations)
- MIT (when you distribute): include the MIT notice (in “all copies or substantial portions”). No source-disclosure obligation. [1]
- MPL‑2.0 (when you distribute):
- If you distribute Covered Software in source form, it must be under MPL and you must tell recipients how to get the license. [2]
- If you distribute Covered Software in executable form, you must also make the corresponding Covered Software source available and tell recipients how to obtain it. [2]
- You may license the executable under different terms, but those terms can’t restrict recipients’ MPL rights to the Covered Software source. [2]
“Test files” and downstream implications (common scenarios)
Under MPL‑2.0, whether test files must be MPL depends on whether they become Covered Software / Modifications:
- You write brand‑new test files that do not contain MPL code
- Typically these are not “Modifications” (because they don’t contain Covered Software), so you can license them however you want, even if shipped in the same product/repo as an MPL component (a “Larger Work”). [2] (see definition of “Larger Work”)
- Your test file includes/copies MPL‑licensed code (even small snippets can matter)
- A new file in Source Code Form that contains any Covered Software is a “Modification” and therefore is Covered Software → that test file must be under MPL‑2.0 when distributed. [2]
- You modify existing MPL‑licensed test files
- The modified file is a Modification and remains Covered Software → you must distribute that file’s source under MPL‑2.0 when you distribute it (or any executable containing it). [2]
Practical “downstream” takeaway
- MIT component in your project: downstream users only need to keep the MIT notice; they can relicense/close everything else. [1]
- MPL component in your project: downstream users must be able to get the source of the MPL-covered files (including any MPL-covered test files), but they don’t automatically have a right to the source of your separate, non‑MPL files. [2][3]
If you tell me your exact layout (e.g., “tests import the MPL library but don’t copy code” vs “tests copy helper functions from MPL files”), I can classify each file type more concretely.
🏁 Script executed:
```bash
cat -n test/foundry/fuzz/ComprehensiveWhitelistSchemaFuzz.t.sol | head -180
```
Repository: PracticalParticle/Bloxchain-Protocol
Length of output: 9225
🏁 Script executed:
```bash
git ls-files | grep -E "(LICENSE|COPYING|README)" | head -5
```
Repository: PracticalParticle/Bloxchain-Protocol
Length of output: 188
🏁 Script executed:
```bash
cat README.md | head -50
```
Repository: PracticalParticle/Bloxchain-Protocol
Length of output: 2507
🏁 Script executed:
```bash
rg "SPDX-License-Identifier" --max-count=20 | head -30
```
Repository: PracticalParticle/Bloxchain-Protocol
Length of output: 2564
Implement actual test logic in all 8 test functions; do not leave them as comment-only stubs.
All test functions (testFuzz_AddressThisBypassIsIntentional, testFuzz_EmptyWhitelistDeniesExternalTargets, testFuzz_WhitelistRemovalPreventsExecution, testFuzz_UnregisteredSelectorBehavior, testFuzz_HandlerSelectorValidationPreventsBypass, testFuzz_ProtectedFunctionSchemaCannotBeModified, testFuzz_OperationTypeCleanupWorksCorrectly, testFuzz_DuplicateRoleCreationPrevented) contain only comments. These violate the coding guideline "Write fuzz tests for input validation and edge cases" and "Implement invariant tests asserting key properties."
Comments referencing tests in other files do not fulfill this file's purpose; either implement actual tests here (with assertions and state interactions) or remove placeholder functions. testFuzz_UnregisteredSelectorBehavior accepts fuzz inputs (target, unregisteredSelector, params) and guards with vm.assume but contains no assertions or contract interactions, making the fuzzer runs vacuous.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@test/foundry/fuzz/ComprehensiveWhitelistSchemaFuzz.t.sol` at line 1, Replace
the comment-only stubs in the eight tests with concrete fuzz assertions and
contract interactions: for testFuzz_AddressThisBypassIsIntentional call the
relevant contract methods from address(this) and assert the intended
bypass/permission behavior; for testFuzz_EmptyWhitelistDeniesExternalTargets
deploy or use an empty whitelist and assert external calls revert or are denied;
for testFuzz_WhitelistRemovalPreventsExecution add a target to the whitelist,
remove it, then assert subsequent executions revert or fail; for
testFuzz_UnregisteredSelectorBehavior (which currently uses vm.assume) actually
call the target with unregisteredSelector and params and assert it reverts or
returns the expected denial; for
testFuzz_HandlerSelectorValidationPreventsBypass validate that invalid handler
selectors are rejected and cannot be used to bypass checks; for
testFuzz_ProtectedFunctionSchemaCannotBeModified attempt schema changes to
protected functions and assert those calls revert or are no-ops; for
testFuzz_OperationTypeCleanupWorksCorrectly create operations, remove/cleanup
them and assert state is cleared as expected; and for
testFuzz_DuplicateRoleCreationPrevented attempt to create duplicate roles and
assert the contract reverts or prevents duplicates. Use the existing helper
functions and contracts referenced in the file, add concrete
vm.prank/vm.expectRevert assertions where appropriate, and replace
vm.assume-only tests with actual state changes and assert the expected outcomes.
| @@ -1,4 +1,4 @@ | |||
| // SPDX-License-Identifier: MIT | |||
| // SPDX-License-Identifier: MPL-2.0 | |||
Understand the downstream obligation introduced by the MIT → MPL-2.0 change.
MPL-2.0 is a "weak copyleft" licence: MPL-licensed material must remain open, but the MPL does not "infect" the rest of the project the way GPLv3 does. Concretely, any modifications to MPL-licensed source files must be made available under the same license — if you fix a bug in an MPL-licensed file, you cannot keep the fix proprietary; it must remain under the MPL.
The practical impact here:
- Code under BSD, ISC, MIT and public domain licenses can be absorbed into MPL-2.0 without needing to be kept separate, so the inbound relicensing of this file from MIT is legally clean.
- However, any downstream consumer who previously relied on the MIT permissiveness of this file (no copyleft obligation at all) will now face file-level copyleft obligations on modifications. Confirm this is intentional and consistent with the project's overall licensing strategy for test helpers.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@test/foundry/helpers/TestDefinitionContracts.sol` at line 1, The SPDX header
was changed from MIT to MPL-2.0 which introduces a file-level weak copyleft
obligation; confirm whether this relicensing is intentional for the test helpers
and either revert the SPDX identifier back to MIT in TestDefinitionContracts.sol
if you want to preserve permissive licensing, or if MPL-2.0 is intended, update
the project documentation and CONTRIBUTORS/LICENSING notes to state that
TestDefinitionContracts (and other test helpers) are under MPL-2.0 and that any
modifications to these files must be released under MPL-2.0; locate the SPDX
line in TestDefinitionContracts.sol and make the corresponding change (or add
the documentation change) accordingly.
| if (pending.length >= 2) { | ||
| uint256 toTxId = pending[pending.length - 1]; | ||
| vm.prank(owner); | ||
| EngineBlox.TxRecord[] memory history = secureBlox.getTransactionHistory(1, toTxId); | ||
|
|
||
| for (uint256 i = 0; i < history.length; i++) { | ||
| EngineBlox.TxStatus status = history[i].status; | ||
| if (toTxId > 1) { |
toTxId from pending[pending.length - 1] silently excludes all non-pending transactions with higher IDs.
Two compounding issues here:
- Wrong upper bound: `toTxId` is taken from the last element of the pending array. Any completed, cancelled, or failed transactions with IDs greater than the highest pending ID are never validated. E.g., if `pending = [2, 3]` and there are completed transactions `[4, 5, 6]`, `getTransactionHistory(1, 3)` misses them entirely, defeating the purpose of the invariant.
- Over-conservative outer guard: `pending.length >= 2` is stricter than the actual API requirement (`fromTxId < toTxId`, i.e., `toTxId > 1`). A single pending transaction with ID 5 would skip the entire check. The inner `if (toTxId > 1)` guard already covers the necessary condition.
Consider sourcing toTxId from a dedicated total-count or latest-transaction-id accessor, and replacing the outer pending.length >= 2 guard with just the inner toTxId > 1 check:
🔧 Suggested fix
- if (pending.length >= 2) {
- uint256 toTxId = pending[pending.length - 1];
- if (toTxId > 1) {
+ if (pending.length >= 1) {
+ uint256 toTxId = accountBlox.getTransactionCount(); // or equivalent latest-ID accessor
+ if (toTxId > 1) {
Also applies to: 77-79
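Review bot: the added `if (pending.length >= 1)` line still gates the history check on at least one pending transaction, which contradicts the recommendation in the same comment to rely only on `toTxId > 1`; a run with completed transactions and nothing pending would still skip the invariant. Drop the outer guard entirely, and confirm the accessor before applying, since `getTransactionCount()` is marked "or equivalent" and is not shown to exist on the contract.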
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@test/foundry/invariant/TransactionInvariants.t.sol` around lines 20 - 22, The
current invariant uses toTxId = pending[pending.length - 1] and an outer guard
pending.length >= 2 which ignores non-pending transactions with higher IDs and
is over-conservative; change the logic to source toTxId from the contract's
authoritative latest transaction id / total count accessor (instead of the last
pending element), remove the outer pending.length >= 2 guard and only keep the
inner check (toTxId > 1) before calling getTransactionHistory(fromTxId, toTxId),
and apply the same replacement for the duplicate block referenced at lines
77-79; keep references to pending and toTxId to locate the affected code.
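The coverage gap described in this review, as an added example that is not code from the PR: a toy ledger showing which transaction IDs the invariant inspects when `toTxId` comes from the pending list versus from the latest transaction ID. The status names, the dense 1-based IDs and the helper names are assumptions; the contract itself is not modeled.

```javascript
// Added example (not project code): which IDs does the invariant actually inspect?

// Mirrors the API requirement stated in the review: fromTxId < toTxId.
function getTransactionHistory(ledger, fromTxId, toTxId) {
  if (!(fromTxId < toTxId)) throw new RangeError('fromTxId must be < toTxId');
  return ledger.filter((tx) => tx.txId >= fromTxId && tx.txId <= toTxId);
}

function pendingIds(ledger) {
  return ledger.filter((tx) => tx.status === 'PENDING').map((tx) => tx.txId);
}

// Bound as in the reviewed hunk: last pending ID, guarded by pending.length >= 2.
function boundFromPending(ledger) {
  const pending = pendingIds(ledger);
  if (pending.length < 2) return null; // the whole check is skipped
  const toTxId = pending[pending.length - 1];
  return toTxId > 1 ? toTxId : null;
}

// Bound as the review recommends: latest transaction ID, guarded only by toTxId > 1.
function boundFromLatest(ledger) {
  const toTxId = ledger.length === 0 ? 0 : ledger[ledger.length - 1].txId;
  return toTxId > 1 ? toTxId : null;
}

// IDs the invariant never looks at under a given bound strategy.
function uncheckedIds(ledger, boundFn) {
  const toTxId = boundFn(ledger);
  const seen = new Set(
    toTxId === null ? [] : getTransactionHistory(ledger, 1, toTxId).map((tx) => tx.txId)
  );
  return ledger.map((tx) => tx.txId).filter((id) => !seen.has(id));
}

// Build a ledger with IDs 1..n from a list of statuses.
function ledgerFrom(statuses) {
  return statuses.map((status, i) => ({ txId: i + 1, status }));
}

// Constructed cases taken from the review text.
// CASE_A: pending = [2, 3], later transactions 4..6 are no longer pending.
const CASE_A = ledgerFrom(['COMPLETED', 'PENDING', 'PENDING', 'COMPLETED', 'CANCELLED', 'FAILED']);
// CASE_B: a single pending transaction with ID 5.
const CASE_B = ledgerFrom(['COMPLETED', 'COMPLETED', 'COMPLETED', 'COMPLETED', 'PENDING']);

for (const [name, ledger] of [['A', CASE_A], ['B', CASE_B]]) {
  console.log(`case ${name}: pending-bound misses`, uncheckedIds(ledger, boundFromPending),
    '| latest-bound misses', uncheckedIds(ledger, boundFromLatest));
}
```

With a single transaction in the ledger neither strategy can query the range, because the API rejects `fromTxId == toTxId`; that case needs its own assertion in the invariant.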
…ding This commit modifies the dotenv configuration across multiple scripts to load environment variables quietly, reducing console noise during execution. The changes are applied in deployment scripts, test scripts, and sanity checks, enhancing the clarity of outputs and improving the overall user experience during testing and deployment processes.
fix: update dotenv configuration for quieter environment variable loa…
Summary by CodeRabbit
Release Notes
New Features
npm run create-wallet.
Documentation
Refactor
Chores