feat(circle): Base mainnet gate PASSED + 7702 bootstrap fix + DEFER hardening #17
Merged
…pe sync DEFER hardening (#119/#120):
- circleReceiptVerifier: structured UnreconciledKind (event-absent/binding-sender/binding-paymaster/reverted/no-charge) + pulled===0 no-charge guard so net=0 is never silently reported as verified. useBatchPayment branches on kind.
- /api/log/payment: byte-size cap on actual parsed body (not just content-length header) to close chunked-transfer bypass; circleVerification typed via derived ClientReportedCircleVerification = Exclude<CircleVerificationStatus,'verified'>.
- tests: +kind/no-charge cases, +body-cap cases (119 passing).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- smoke-circle-crossswitch: SMOKE_CHAIN=base (Base mainnet USDC/Circle PM from SoT) with SMOKE_MAINNET_OK opt-in gate, on-chain paymaster code guard, and NEXT_PUBLIC_BASE_RPC_URL auto-pickup (public RPC rate-limit warning).
- Fix pristine-EOA 7702 bootstrap: explicitly owner.signAuthorization() and pass to estimate/sendUserOperation (viem/permissionless only stub-sign → bundler rejects "recovered signer != sender"). Legs reordered circle→pimlico→circle so the spike-proven viem path bootstraps delegation first.
- runbook: Base mainnet gate PASSED 2026-05-30 (3 leg, tx evidence); Base flag enable unblocked; Circle≈3-4x Pimlico gas cost observation recorded.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
DEFER hardening #121:
- circlePending.gcStalePreSubmit(olderThanMs, now, excludeKey): abandons stale pre-submit orphans (reserved/awaiting_signature/signed never advanced to submitting) that linger in the live set; excludeKey protects the in-flight attempt; submitting/terminal untouched (recovery info preserved). Wired (with pruneTerminal) into executeCirclePayment start as best-effort housekeeping (TERMINAL_RETENTION_MS=24h ≫ CONFIRMED_DEDUP_WINDOW). Neither helper had a caller before.
- HistoryRow: Circle verification badge (verified/client-reported/unreconciled) next to Circle gas, with tooltip; shows even when netUsdc is null. +6 i18n keys (ja/en parity).
- tests: gcStalePreSubmit (stale→abandoned, excludeKey/submitting/terminal guard, storage-unavailable) + HistoryRow badge cases.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adversarial review HIGH: gcStalePreSubmit reused the guard's PRE_SUBMIT_STALE_MS (3min), so a concurrent payment in another tab could abandon a legitimately-slow (>3min at the wallet popup) in-flight pre-submit from a DIFFERENT attempt/callHash, breaking it via a markSigned CAS failure (no double-spend — both pre-submit, never broadcast — but a UX break).

Fix: dedicated PRE_SUBMIT_GC_MS=1h for GC (capacity management; longer than any legitimate signing flow); the guard keeps 3min for same-callHash blocking decisions. +2 regression tests (slow different-callHash in-flight survives; >1h orphan collected).

Note: review MEDIUM (concurrent broadcast relies on EntryPoint nonce uniqueness) is the pre-existing, documented, prior-accepted design (circleSend ll.230-233), not a #121 regression. LOW was self-dismissed by the reviewer.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
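The threshold problem described in the two commit messages above, as an added sketch that is not the project's code: the record shape, the in-memory store and the names gcSketch and sampleStore are assumptions, while the status names and the 3min/1h values come from the commit text. It shows why garbage collection needs its own, longer threshold than the same-callHash guard.

```typescript
// Added sketch: record shape and in-memory store are assumptions, not project code.
type Status =
  | "reserved" | "awaiting_signature" | "signed" // pre-submit: nothing broadcast yet
  | "submitting" | "confirmed" | "abandoned";    // broadcast or terminal

interface PendingRecord { key: string; callHash: string; status: Status; updatedAt: number }

const MIN = 60 * 1000;
const PRE_SUBMIT_STALE_MS = 3 * MIN; // guard: same-callHash blocking decisions
const PRE_SUBMIT_GC_MS = 60 * MIN;   // GC: longer than any legitimate signing flow

const PRE_SUBMIT: ReadonlyArray<Status> = ["reserved", "awaiting_signature", "signed"];

// Marks stale pre-submit records as abandoned and returns their keys.
function gcSketch(
  records: PendingRecord[], olderThanMs: number, now: number, excludeKey?: string,
): string[] {
  const abandoned: string[] = [];
  for (const r of records) {
    if (r.key === excludeKey) continue;             // never touch the caller's own attempt
    if (!PRE_SUBMIT.includes(r.status)) continue;   // keep recovery info once broadcast
    if (now - r.updatedAt <= olderThanMs) continue; // still within the threshold
    r.status = "abandoned";
    abandoned.push(r.key);
  }
  return abandoned;
}

// Constructed store; ages are relative to `now`.
function sampleStore(now: number): PendingRecord[] {
  return [
    { key: "current", callHash: "0xaaa", status: "reserved", updatedAt: now - 4 * MIN },
    // Another tab, different callHash, user still at the wallet popup after 5 minutes.
    { key: "other-tab-slow", callHash: "0xbbb", status: "awaiting_signature", updatedAt: now - 5 * MIN },
    { key: "orphan", callHash: "0xccc", status: "signed", updatedAt: now - 120 * MIN },
    { key: "broadcast", callHash: "0xddd", status: "submitting", updatedAt: now - 120 * MIN },
    { key: "done", callHash: "0xeee", status: "confirmed", updatedAt: now - 120 * MIN },
  ];
}
```

Run with the guard's 3-minute value, the sketch abandons both "other-tab-slow" and "orphan"; with the 1-hour GC value only "orphan" is collected, and the submitting and confirmed records are untouched either way.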
Summary
Circle Paymaster Phase 1 passed its Base mainnet rollout gate, plus related hardening.

1. Base mainnet live gate passed (2026-05-30)
With SMOKE_CHAIN=base, all 3 legs (Circle → Pimlico → Circle) PASS. A pristine EOA bootstraps the 7702 delegation on leg1/circle (delegateBefore=null → delegateAfter=0xe6Cae83…), circle paymaster = mainnet 0x0578…700Ec, actual USDC collected ≪ permit cap (C4 fee consistency OK). → NEXT_PUBLIC_ENABLE_CIRCLE_PAYMASTER=1 may be enabled for Base only (other chains keep the flag OFF until their fees have been measured).

0x0578…700Ec, 0x527224…b0e5e, 0x8888…2402, 0x355306…1aaddd, 0x0578…700Ec, 0xb31b6f…73fc5e

2. smoke 7702 bootstrap fix (e7274bf)
viem/permissionless sends the 7702 authorization still stub-signed at the prepareUserOperation stage, so the bundler rejects it with recovered signer != sender. As proven in the spike, fixed to sign explicitly with owner.signAuthorization() and pass the result to estimate/send, and moved the Circle leg first to bootstrap the delegation. SMOKE_CHAIN=base support (SoT addresses, SMOKE_MAINNET_OK opt-in, paymaster code guard, dedicated RPC auto-pickup). Product code is unaffected (the Circle path assumes an already-delegated EOA).

3. DEFER hardening (e250958)
- circleReceiptVerifier: structured UnreconciledKind + pulled===0 no-charge guard (net=0 is not misreported as verified).
- /api/log/payment: cap on the actual body byte length (closes the content-length spoofing bypass) + circleVerification type-synced via Exclude<CircleVerificationStatus,'verified'>.

Test

📊 Note
Measured on Base, Circle gas collection ≈ 3-4x Pimlico (Circle 10% surcharge + Circle fee). The absolute amount is on the order of cents, but the fact that "preferring Circle is for reliability/official-support reasons and is not cost-optimal" is recorded in runbook/memory.
🤖 Generated with Claude Code
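The body-size cap described for /api/log/payment, as an added example that is not the project's code: it puts a header-only check beside a check on the bytes actually received. MAX_BODY_BYTES, the function names and the sample bodies are assumptions, since the page does not state the route's real limit or handler shape.

```typescript
// Added example: constructed limit, the route's real cap is not given on the page.
const MAX_BODY_BYTES = 1024;

type CapResult =
  | { ok: true; body: unknown }
  | { ok: false; status: 400 | 413 };

// Weak form: looks only at the client-supplied header. A chunked request
// carries no Content-Length, so it passes whatever its real size is.
function headerOnlyCap(contentLength: string | null): boolean {
  if (contentLength === null) return true;
  const declared = Number(contentLength);
  return Number.isFinite(declared) && declared <= MAX_BODY_BYTES;
}

// Hardened form: the header is only an early-reject hint; the decision is
// made on the UTF-8 byte length of the body that was actually received.
function cappedJson(contentLength: string | null, rawBody: string): CapResult {
  if (!headerOnlyCap(contentLength)) return { ok: false, status: 413 };
  const actualBytes = new TextEncoder().encode(rawBody).byteLength;
  if (actualBytes > MAX_BODY_BYTES) return { ok: false, status: 413 };
  try {
    return { ok: true, body: JSON.parse(rawBody) };
  } catch {
    return { ok: false, status: 400 };
  }
}

// Constructed sample bodies.
const smallBody = JSON.stringify({ txHash: "0xSAMPLE", circleVerification: "unreconciled" });
const oversizedAscii = JSON.stringify({ note: "a".repeat(4096) });
// 411 UTF-16 code units but 1211 UTF-8 bytes: string length undercounts bytes.
const oversizedMultibyte = JSON.stringify({ note: "あ".repeat(400) });
```

Measuring rawBody.length instead of the encoded byte length would let the multi-byte sample through, which is why the cap is taken on bytes.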