Add token image URI policy guard #113

Merged: punk6529 merged 2 commits into main from codex/metadata-uri-policy on Jun 11, 2026

@punk6529 punk6529 commented Jun 11, 2026

Contributor

Summary

  • add StreamMetadataRenderer helpers for the current content/script URI policy
  • reject unsafe required token image URI writes in StreamCore.updateImagesAndAttributes
  • update metadata docs, roadmap/run-state, changelog, and release/deployment artifacts for the ABI/bytecode change

Scope note

A first local version also enforced collection base URI and external animation library URL writes, but pushed StreamCore over EIP-170. This PR keeps the deployable slice: token image production enforcement plus reusable renderer helpers. Collection base URI and external library URL production enforcement remain queued follow-up work.

Validation

  • forge test --match-path test/StreamMetadataUriPolicy.t.sol -vvv
  • forge test --match-path test/StreamMetadataEscaping.t.sol -vvv
  • forge test --match-path test/StreamMetadataSizeLimits.t.sol -vvv
  • forge build --sizes --via-ir --skip test --skip script --force (StreamCore 24,508 bytes, 68 bytes headroom)
  • make release-checksums
  • make check
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1
  • targeted forge fmt --check on touched Solidity files
  • git diff --check

Refs #51

Summary by CodeRabbit

Release Notes

  • New Features

    • Token image URIs are now validated to ensure safe content. Only HTTPS, IPFS, and Arweave schemes are allowed. Empty URIs, script protocols, whitespace, and control characters are rejected.
  • Documentation

    • Updated metadata validation documentation to describe URI policy enforcement and safety requirements.
  • Tests

    • Added comprehensive test coverage for URI safety validation.
  • Chores

    • Updated release artifacts with integrity checksums.

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

coderabbitai Bot commented Jun 11, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f20676e8-56ec-44f9-9d3e-577e74136c29

📥 Commits

Reviewing files that changed from the base of the PR and between 419fb1d and 33aa482.

📒 Files selected for processing (24)
  • CHANGELOG.md
  • deployments/address-books/anvil-6529stream-v0.1.0-001-broadcast.json
  • deployments/address-books/anvil-6529stream-v0.1.0-001.json
  • deployments/examples/anvil-6529stream-v0.1.0-001-broadcast.json
  • deployments/examples/anvil-6529stream-v0.1.0-001.json
  • docs/adr/0006-metadata-freeze.md
  • docs/known-blockers.md
  • docs/metadata.md
  • docs/status.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • release-artifacts/latest/SHA256SUMS
  • release-artifacts/latest/abi-checksums.json
  • release-artifacts/latest/release-artifact-manifest.json
  • release-artifacts/latest/release-checksums.json
  • release-artifacts/latest/release-manifest.json
  • release-artifacts/latest/source-verification-inputs.json
  • smart-contracts/StreamCore.sol
  • smart-contracts/StreamMetadataRenderer.sol
  • test/README.md
  • test/StreamMetadataEscaping.t.sol
  • test/StreamMetadataFreeze.t.sol
  • test/StreamMetadataSizeLimits.t.sol
  • test/StreamMetadataUriPolicy.t.sol

Walkthrough

This PR implements URI safety validation for on-chain metadata token images. It adds public helper functions to StreamMetadataRenderer (isSafeContentUri and isSafeScriptUri) that validate HTTPS, IPFS, and Arweave URI schemes, integrates these checks into StreamCore's updateImagesAndAttributes method with a new UnsafeMetadataURI error, and updates all tests and deployment artifacts accordingly.

Changes

Metadata URI Safety Validation Feature

| Layer | File(s) | Summary |
| --- | --- | --- |
| URI Validation Helpers | smart-contracts/StreamMetadataRenderer.sol | isSafeContentUri validates HTTPS/IPFS/Arweave schemes with empty-URI flexibility; isSafeScriptUri validates HTTPS-only scripts; both reject whitespace/control characters. Private helpers detect disallowed whitespace/control chars, validate HTTPS host constraints, and perform byte-prefix matching for scheme detection. |
| StreamCore Integration | smart-contracts/StreamCore.sol | New UnsafeMetadataURI() custom error added; updateImagesAndAttributes calls isSafeContentUri on each image URI and reverts if unsafe; changeTokenData switched to _requireCollectionNotFrozen helper for consistent freeze validation. |
| URI Policy Test Suite | test/StreamMetadataUriPolicy.t.sol | New test contract validates helper predicates across HTTPS/IPFS/Arweave schemes and empty-URI handling; production integration tests confirm allowed URIs pass and unsafe URIs (empty, javascript:, whitespace-containing) trigger UnsafeMetadataURI revert. |
| Existing Test Adaptations | test/StreamMetadataEscaping.t.sol, test/StreamMetadataFreeze.t.sol, test/StreamMetadataSizeLimits.t.sol | Updated image URIs to IPFS-style format with expected escaping; StreamMetadataFreeze expects MetadataFrozen custom error instead of string revert; StreamMetadataSizeLimits uses new _ipfsUriWithSize helper to generate boundary-tested IPFS URIs. |
| Documentation and Status | CHANGELOG.md, docs/adr/0006-metadata-freeze.md, docs/known-blockers.md, docs/metadata.md, docs/status.md, test/README.md, ops/ROADMAP.md, ops/AUTONOMOUS_RUN.md | Documented URI safety policy helpers, production token image enforcement, regression test coverage, remaining render-safety work (base URI/external library URL production enforcement), and updated PR queue status. |
| Deployment and Release Artifacts | deployments/address-books/..., deployments/examples/..., release-artifacts/latest/SHA256SUMS, release-artifacts/latest/abi-checksums.json, release-artifacts/latest/release-{artifact-manifest,checksums,manifest}.json, release-artifacts/latest/source-verification-inputs.json | Updated SHA256 integrity hashes for deployment manifests, address-books, example inputs, and all release artifact checksums to reflect the bytecode/ABI changes in StreamCore and StreamMetadataRenderer. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • 6529-Collections/6529Stream#87: Modifies updateImagesAndAttributes validation pipeline for JSON escaping and unsafe raw attribute rejection; complements this PR's URI safety validation.
  • 6529-Collections/6529Stream#84: Introduces collection-freeze guards and _requireCollectionNotFrozen helper that this PR now relies on in both changeTokenData and updateImagesAndAttributes.
  • 6529-Collections/6529Stream#111: Adds max byte size limits to updateImagesAndAttributes; both PRs refine metadata mutation validation in the same method.

Poem

🐰 With whiskers twitching, schemes take flight,
https, ipfs, ar shining bright,
No whitespace slips past our guard—
Safe URIs make metadata hard!
Token images skip the JavaScript snare,
Rendered sweetly, with utmost care. 🎨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Add token image URI policy guard' directly and clearly describes the primary change: adding URI policy validation/enforcement for token image writes in StreamCore. It is concise, specific, and accurately reflects the main objective of the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.



@punk6529 punk6529 merged commit ae5fcee into main Jun 11, 2026
2 checks passed
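
The URI policy summarized in the thread above, as an added Solidity sketch that is not the 6529Stream source and was not part of this PR. Only `isSafeContentUri`, `isSafeScriptUri` and `UnsafeMetadataURI` are names from the page; the scheme prefixes (`https://`, `ipfs://`, `ar://`), the `allowEmpty` flag, the non-empty-host rule, the exact whitespace/control byte set and every other name and signature are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the 6529Stream StreamMetadataRenderer source.
// Assumed: scheme prefixes, the allowEmpty flag, the host rule, helper names.
library UriPolicySketch {
    error UnsafeMetadataURI(); // error name taken from the PR walkthrough

    // Assumed definition: space, C0 control bytes (< 0x20) and DEL are rejected.
    function hasWhitespaceOrControl(bytes memory u) internal pure returns (bool) {
        for (uint256 i = 0; i < u.length; i++) {
            uint8 c = uint8(u[i]);
            if (c <= 0x20 || c == 0x7f) return true;
        }
        return false;
    }

    // Case-sensitive byte-prefix match: "javascript:", "data:" or "HTTPS://" never match.
    function hasSchemePrefix(bytes memory u, bytes memory p) internal pure returns (bool) {
        if (u.length <= p.length) return false; // a bare scheme with nothing after it fails
        for (uint256 i = 0; i < p.length; i++) {
            if (u[i] != p[i]) return false;
        }
        return true;
    }

    // Assumed host rule: "https://" must be followed by a non-empty host.
    function isHttpsWithHost(bytes memory u) internal pure returns (bool) {
        return hasSchemePrefix(u, "https://") && uint8(u[8]) != 0x2f; // 0x2f is "/"
    }

    function isSafeContentUri(string memory uri, bool allowEmpty) internal pure returns (bool) {
        bytes memory u = bytes(uri);
        if (u.length == 0) return allowEmpty;
        if (hasWhitespaceOrControl(u)) return false;
        return isHttpsWithHost(u) || hasSchemePrefix(u, "ipfs://") || hasSchemePrefix(u, "ar://");
    }

    function isSafeScriptUri(string memory uri) internal pure returns (bool) {
        bytes memory u = bytes(uri);
        return !hasWhitespaceOrControl(u) && isHttpsWithHost(u);
    }

    // Write-path guard for required token images: empty is not allowed here.
    function requireSafeImages(string[] memory images) internal pure {
        for (uint256 i = 0; i < images.length; i++) {
            if (!isSafeContentUri(images[i], false)) revert UnsafeMetadataURI();
        }
    }
}
```

Because the check is an allowlist of prefixes rather than a denylist of script schemes, any scheme not listed is rejected without being named, and the per-byte scan runs before scheme matching so embedded whitespace or control bytes cannot hide behind a valid prefix.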