Add collection metadata URI policy guard

[punk6529]

Summary

• Enforce production URI policy for optional collection base URIs and external collection library URLs.
• Preserve empty optional collection URI fields while rejecting unsafe non-empty values with UnsafeMetadataURI().
• Replace several legacy StreamCore string reverts with custom errors to keep the added enforcement deployable under EIP-170 and improve selector-based assertions.
• Persist collection base URIs on full metadata updates and harden admin/minter/randomizer marker probes so invalid targets revert through typed custom errors.
• Address CodeRabbit outside-diff findings by rejecting first-time zero collection supply before arithmetic and rejecting dependency registry swaps to non-contract targets with InvalidDependencyRegistryContract().
• Track the now-tight StreamCore bytecode margin in issue Recover StreamCore bytecode headroom before further feature work #115, docs/status.md, and ops/ROADMAP.md.
• Refresh metadata docs, roadmap/run-state traceability, changelog, tests, and generated release/deployment artifacts.

Validation

• forge build --sizes --via-ir --skip test --skip script --force
• forge test --match-path test\StreamMetadataUriPolicy.t.sol -vvv
• forge test --match-path test\StreamMetadataFreeze.t.sol -vvv
• forge test --match-path test\StreamMetadataGolden.t.sol -vvv
• forge test --match-path test\StreamRandomizerLifecycle.t.sol -vvv
• forge test --match-path test\StreamInitialization.t.sol -vvv
• forge test --match-path test\StreamDependencyRegistry.t.sol -vvv
• make release-checksums
• make check
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1
• targeted forge fmt --check for touched Solidity/test files
• git diff --check

After the latest review follow-up, StreamCore is 24,545 runtime bytes, leaving 31 bytes of EIP-170 headroom. Follow-up issue #115 tracks recovering sustainable Core bytecode margin before further non-trivial Core feature work.

Refs #51

Summary by CodeRabbit

• New Features

  • Optional fields now reject unsafe collection base URIs and external library URLs; explicit initial zero-supply is rejected.

• Bug Fixes

  • Ambiguous revert messages replaced with typed custom errors for clearer failure signals; dependency-registry/address validation added.

• Documentation

  • Expanded metadata safety, URI policy, and render-safety guidance; updated roadmap/status/ADR notes.

• Tests

  • Added and extended tests for URI safety, empty-optional behavior, and typed-error revert cases.

• Chores

  • Regenerated release artifacts, checksums, and deployment manifests.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 89db44b6-01ab-4dce-81b0-650b67a07cff

📥 Commits

Reviewing files that changed from the base of the PR and between 6ffdc8a and 3c7a5a3.

📒 Files selected for processing (17)

• CHANGELOG.md
• deployments/address-books/anvil-6529stream-v0.1.0-001-broadcast.json
• deployments/address-books/anvil-6529stream-v0.1.0-001.json
• deployments/examples/anvil-6529stream-v0.1.0-001-broadcast.json
• deployments/examples/anvil-6529stream-v0.1.0-001.json
• docs/status.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/abi-checksums.json
• release-artifacts/latest/release-artifact-manifest.json
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• release-artifacts/latest/source-verification-inputs.json
• smart-contracts/StreamCore.sol
• test/StreamDependencyRegistry.t.sol
• test/StreamInitialization.t.sol

✅ Files skipped from review due to trivial changes (9)

• docs/status.md
• release-artifacts/latest/release-checksums.json
• deployments/address-books/anvil-6529stream-v0.1.0-001.json
• CHANGELOG.md
• release-artifacts/latest/release-manifest.json
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/source-verification-inputs.json
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md

🚧 Files skipped from review as they are similar to previous changes (6)

• release-artifacts/latest/release-artifact-manifest.json
• deployments/examples/anvil-6529stream-v0.1.0-001-broadcast.json
• deployments/address-books/anvil-6529stream-v0.1.0-001-broadcast.json
• release-artifacts/latest/abi-checksums.json
• deployments/examples/anvil-6529stream-v0.1.0-001.json
• smart-contracts/StreamCore.sol

---

📝 Walkthrough

Walkthrough

Contracts replace string reverts with typed custom errors, add collection/library/script URI safety checks via StreamMetadataRenderer helpers, update tests to assert error selectors, refresh docs/ops to record enforcement and size headroom, and regenerate deployment/release verification artifacts to reflect ABI/bytecode changes.

Changes

Collection URI Validation and Custom Error Enforcement

Layer / File(s)	Summary
StreamMetadataRenderer URI Safety Helpers smart-contracts/StreamMetadataRenderer.sol	Adds isSafeScriptUri(string memory uri, bool allowEmpty) and makes areSafeCollectionUris accept empty libraryUrl while enforcing safety when provided.
StreamCore Custom Errors and Validation Refactor smart-contracts/StreamCore.sol	Adds multiple typed custom errors and replaces string-based reverts across collection creation/updates, mint/burn, token-hash setting, contract updates, metadata-mutation gating, and centralizes mutable-collection checks with _requireExistingMutableCollection.
Tests: Typed-Error Assertions & URI Policy Coverage test/StreamMetadataFreeze.t.sol, test/StreamMetadataGolden.t.sol, test/StreamMetadataUriPolicy.t.sol, test/StreamDependencyRegistry.t.sol, test/StreamInitialization.t.sol, test/README.md	Tests switched to custom error selector assertions, add production-safety tests for unsafe collection base/library/script URIs, add EmptyMarker helper and string assertions, and add initial-zero-supply typed-error test.
Docs and Operations Updates CHANGELOG.md, docs/adr/0006-metadata-freeze.md, docs/known-blockers.md, docs/metadata.md, docs/status.md, ops/ROADMAP.md, ops/AUTONOMOUS_RUN.md	Documentation and runbook entries updated to reflect collection/library URI production enforcement, custom-error migration wording, remaining blockers, and StreamCore size/headroom tracking.
Release Artifacts and Checksums Regeneration deployments/address-books/*, deployments/examples/*, release-artifacts/latest/*, release-artifacts/latest/source-verification-inputs.json	Regenerated deployment manifests, ABI/bytecode checksum records, release manifests, SHA256SUMS, and source-verification inputs (including updated link-reference offsets) to reflect updated contract artifacts.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• Recover StreamCore bytecode headroom before further feature work #115: Discusses recovering StreamCore bytecode headroom after headroom-reducing changes; this PR records headroom impact and headroom-tracking items.

Possibly related PRs

• 6529-Collections/6529Stream#82: Overlaps on StreamCore metadata mutation paths and related logic.
• 6529-Collections/6529Stream#113: Prior work on renderer URI helpers and token-image URI guards extended by this PR.
• 6529-Collections/6529Stream#83: Related to setTokenHash and zero-hash/pending sentinel handling.

Poem

🐰 With custom errors now in place so clear,
URIs are checked and bad inputs veer,
Renderer lends a careful guiding paw,
Tests and docs update to match the law,
A rabbit nudges hashes—release is near!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'Add collection metadata URI policy guard' clearly summarizes the main change: implementing URI policy enforcement for collection metadata fields.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/metadata-collection-uri-policy

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[punk6529]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[punk6529]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

smart-contracts/StreamCore.sol (1)

473-493: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Persist _newCollectionBaseURI in the full-update branch.

_requireCollectionInfoLimits(...) validates _newCollectionBaseURI, but the _FULL_COLLECTION_UPDATE_INDEX path never writes it back to storage. That makes the "full" update silently keep the old base URI unless the caller makes a second _BASE_URI_UPDATE_INDEX call.

Suggested fix

             collectionInfo[_collectionID].collectionDescription = _newCollectionDescription;
             collectionInfo[_collectionID].collectionWebsite = _newCollectionWebsite;
             collectionInfo[_collectionID].collectionLicense = _newCollectionLicense;
+            collectionInfo[_collectionID].collectionBaseURI = _newCollectionBaseURI;
             collectionInfo[_collectionID].collectionLibrary = _newCollectionLibrary;
             collectionInfo[_collectionID].collectionDependencyScript =
             _newCollectionDependencyScript;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@smart-contracts/StreamCore.sol` around lines 473 - 493, The full-update
branch guarded by _FULL_COLLECTION_UPDATE_INDEX calls
_requireCollectionInfoLimits(...) including _newCollectionBaseURI but does not
persist it; update the branch to assign
collectionInfo[_collectionID].collectionBaseURI = _newCollectionBaseURI (next to
the other collectionInfo assignments) so the base URI is stored during a full
update, and ensure any related pinning or events used for base URI updates are
invoked if your contract expects them.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@smart-contracts/StreamCore.sol`:
- Around line 359-361: Your interface probes currently call
IRandomizer(_randomizerContract).isRandomizerContract() and
IStreamAdmins(_newContract).isAdminContract() /
IStreamMinter(_newContract).isMinterContract() directly, which can revert during
ABI decoding for EOAs, address(0) or non-conforming contracts; change each check
to first gate with _addr.code.length == 0 and then perform a low-level
staticcall to the interface selector (IYourInterface.yourCheck.selector), verify
success and that returndata.length >= 32 before abi.decode, and revert with the
existing typed errors (InvalidRandomizerContract, InvalidAdminContract,
InvalidMinterContract) when the code length is zero, the staticcall fails,
returndata is too short, or the decoded bool is false; update the checks around
IRandomizer.isRandomizerContract, IStreamAdmins.isAdminContract and
IStreamMinter.isMinterContract accordingly.

---

Outside diff comments:
In `@smart-contracts/StreamCore.sol`:
- Around line 473-493: The full-update branch guarded by
_FULL_COLLECTION_UPDATE_INDEX calls _requireCollectionInfoLimits(...) including
_newCollectionBaseURI but does not persist it; update the branch to assign
collectionInfo[_collectionID].collectionBaseURI = _newCollectionBaseURI (next to
the other collectionInfo assignments) so the base URI is stored during a full
update, and ensure any related pinning or events used for base URI updates are
invoked if your contract expects them.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b648b2f0-2a34-4ede-b974-8b4e48815b59

📥 Commits

Reviewing files that changed from the base of the PR and between ae5fcee and 279736a.

📒 Files selected for processing (23)

• CHANGELOG.md
• deployments/address-books/anvil-6529stream-v0.1.0-001-broadcast.json
• deployments/address-books/anvil-6529stream-v0.1.0-001.json
• deployments/examples/anvil-6529stream-v0.1.0-001-broadcast.json
• deployments/examples/anvil-6529stream-v0.1.0-001.json
• docs/adr/0006-metadata-freeze.md
• docs/known-blockers.md
• docs/metadata.md
• docs/status.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/abi-checksums.json
• release-artifacts/latest/release-artifact-manifest.json
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• release-artifacts/latest/source-verification-inputs.json
• smart-contracts/StreamCore.sol
• smart-contracts/StreamMetadataRenderer.sol
• test/README.md
• test/StreamMetadataFreeze.t.sol
• test/StreamMetadataGolden.t.sol
• test/StreamMetadataUriPolicy.t.sol

[punk6529]

Review response for CodeRabbit on latest head 857e1f9:

• Persisted collectionBaseURI during full collection metadata updates after validating it.
• Replaced high-level admin/minter/randomizer marker probes with a compact staticcall helper that returns false for EOAs and non-conforming contracts, preserving typed custom errors.
• Added regressions for full-update base URI persistence and invalid marker targets in test/StreamMetadataUriPolicy.t.sol.
• Regenerated release/deployment artifacts for the ABI/bytecode/checksum deltas.

Validation on the final local tree:

• forge test --match-path test\StreamMetadataUriPolicy.t.sol -vvv
• forge test --match-path test\StreamMetadataFreeze.t.sol -vvv
• forge test --match-path test\StreamMetadataGolden.t.sol -vvv
• forge test --match-path test\StreamRandomizerLifecycle.t.sol -vvv
• forge build --sizes --via-ir --skip test --skip script --force (StreamCore 24,515 bytes; 61 bytes EIP-170 headroom)
• make release-checksums
• make check
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1
• targeted forge fmt --check
• git diff --check (only the existing Windows line-ending warning for release-artifacts/latest/SHA256SUMS)

@coderabbitai review

[coderabbitai]

@punk6529 Thanks for the detailed response and the validation summary. The four addressed items look solid — in particular, fixing the silent collectionBaseURI drop on full-update and switching to a staticcall-based probe for contract-type guards are both meaningful correctness/robustness improvements.

One thing worth keeping an eye on: EIP-170 headroom has tightened from ~228 bytes (PR open) to ~61 bytes after this round of fixes (24,515 / 24,576 byte limit). That's still within bounds, but any future custom error, function, or non-trivial logic addition will need careful size budgeting or an offsetting optimization. You may want to track this as a near-term blocker in the roadmap.

Triggering a full incremental review of head 857e1f9 now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

smart-contracts/StreamCore.sol (2)

325-339: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Make zero-supply handling explicit.

_collectionTotalSupply == 0 bypasses the new guard and then underflows at Line 339, so this path reverts with Panic(0x11) instead of a contract-defined error. Reject zero up front, or mirror _finalizeCollectionSupply() if zero-supply collections are meant to be representable.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@smart-contracts/StreamCore.sol` around lines 325 - 339, The code allows
_collectionTotalSupply == 0 which bypasses the > _COLLECTION_TOKEN_RANGE guard
and later causes an underflow when computing reservedMaxTokensIndex; either
explicitly reject zero or mirror _finalizeCollectionSupply() behavior. Add an
explicit check for _collectionTotalSupply == 0 and revert with a clear error
(e.g., CollectionSupplyZero) before writing into collectionAdditionalData, or if
zero-supply collections are intended, apply the same initialization logic used
in _finalizeCollectionSupply() (adjust reservedMaxTokensIndex calculation and
setFinalSupplyTimeAfterMint handling) to avoid the underflow; locate the check
near where _collectionTotalSupply, _COLLECTION_TOKEN_RANGE,
collectionAdditionalData[_collectionID], reservedMinTokensIndex and
reservedMaxTokensIndex are set.

---

676-680: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate dependency-registry swaps too.

_opt == 3 is now the only contract-update branch that still accepts any address. Pointing it at address(0) or an EOA will make _pinCollectionDependency() fail later at Lines 687-699, which can block future collection create/update flows until an admin repairs the config. Add at least a code.length guard here, and preferably a typed registry probe if the interface exposes one.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@smart-contracts/StreamCore.sol` around lines 676 - 680, The branch handling
_opt == 3 assigns dependencyRegistry = IDependencyRegistry(_newContract) without
validating the address; add a check that _newContract.code.length > 0 and (if
available) call a lightweight registry probe (e.g., a view function on
IDependencyRegistry such as supportsInterface/registryVersion or a no-op getter)
before casting to IDependencyRegistry to ensure it's a contract that implements
the expected interface; keep the existing frozenCollectionCount guard and revert
with a clear error if validation fails so _pinCollectionDependency() cannot
later be broken by an EOA or address(0).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@smart-contracts/StreamCore.sol`:
- Around line 325-339: The code allows _collectionTotalSupply == 0 which
bypasses the > _COLLECTION_TOKEN_RANGE guard and later causes an underflow when
computing reservedMaxTokensIndex; either explicitly reject zero or mirror
_finalizeCollectionSupply() behavior. Add an explicit check for
_collectionTotalSupply == 0 and revert with a clear error (e.g.,
CollectionSupplyZero) before writing into collectionAdditionalData, or if
zero-supply collections are intended, apply the same initialization logic used
in _finalizeCollectionSupply() (adjust reservedMaxTokensIndex calculation and
setFinalSupplyTimeAfterMint handling) to avoid the underflow; locate the check
near where _collectionTotalSupply, _COLLECTION_TOKEN_RANGE,
collectionAdditionalData[_collectionID], reservedMinTokensIndex and
reservedMaxTokensIndex are set.
- Around line 676-680: The branch handling _opt == 3 assigns dependencyRegistry
= IDependencyRegistry(_newContract) without validating the address; add a check
that _newContract.code.length > 0 and (if available) call a lightweight registry
probe (e.g., a view function on IDependencyRegistry such as
supportsInterface/registryVersion or a no-op getter) before casting to
IDependencyRegistry to ensure it's a contract that implements the expected
interface; keep the existing frozenCollectionCount guard and revert with a clear
error if validation fails so _pinCollectionDependency() cannot later be broken
by an EOA or address(0).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dd45a52c-923d-4961-8510-cc5d3a3b70b5

📥 Commits

Reviewing files that changed from the base of the PR and between 279736a and 857e1f9.

📒 Files selected for processing (15)

• CHANGELOG.md
• deployments/address-books/anvil-6529stream-v0.1.0-001-broadcast.json
• deployments/address-books/anvil-6529stream-v0.1.0-001.json
• deployments/examples/anvil-6529stream-v0.1.0-001-broadcast.json
• deployments/examples/anvil-6529stream-v0.1.0-001.json
• ops/AUTONOMOUS_RUN.md
• release-artifacts/latest/SHA256SUMS
• release-artifacts/latest/abi-checksums.json
• release-artifacts/latest/release-artifact-manifest.json
• release-artifacts/latest/release-checksums.json
• release-artifacts/latest/release-manifest.json
• release-artifacts/latest/source-verification-inputs.json
• smart-contracts/StreamCore.sol
• smart-contracts/StreamMetadataRenderer.sol
• test/StreamMetadataUriPolicy.t.sol

✅ Files skipped from review due to trivial changes (6)

• release-artifacts/latest/release-artifact-manifest.json
• deployments/address-books/anvil-6529stream-v0.1.0-001.json
• deployments/examples/anvil-6529stream-v0.1.0-001-broadcast.json
• release-artifacts/latest/abi-checksums.json
• release-artifacts/latest/source-verification-inputs.json
• CHANGELOG.md

🚧 Files skipped from review as they are similar to previous changes (7)

• deployments/address-books/anvil-6529stream-v0.1.0-001-broadcast.json
• release-artifacts/latest/SHA256SUMS
• deployments/examples/anvil-6529stream-v0.1.0-001.json
• release-artifacts/latest/release-manifest.json
• smart-contracts/StreamMetadataRenderer.sol
• test/StreamMetadataUriPolicy.t.sol
• ops/AUTONOMOUS_RUN.md

[punk6529]

Follow-up on CodeRabbit's bytecode-headroom note, latest head 6ffdc8a:

• Created issue Recover StreamCore bytecode headroom before further feature work #115 to track recovering sustainable StreamCore bytecode margin.
• Updated ops/ROADMAP.md with the current 24,515-byte runtime size / 61-byte EIP-170 margin and the new P1-SIZE-001 queue item.
• Updated ops/AUTONOMOUS_RUN.md so the autonomous run state records why this follow-up exists.

Validation on the documentation-only follow-up:

• make release-checksums (no tracked release artifact drift from the ops-doc edits)
• make check
• git diff --check

@coderabbitai review

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh issue view 115 --repo 6529-Collections/6529Stream --json number,title,body,state,url

Length of output: 2126

---

---

@punk6529 The follow-up is well-structured. Issue #115 ("Recover StreamCore bytecode headroom before further feature work") is a thorough write-up — the acceptance criteria (agreed minimum margin documented in roadmap + docs/status.md, focused regressions for moved logic, release artifact regeneration if ABI/bytecode changes) and candidate approaches (library offloading, satellite contracts for future features, CI size-gate that fails before the hard EIP-170 limit) are exactly the right way to track this.

The three changes on this head are documentation-only and correctly scoped: roadmap gets the P1-SIZE-001 item and the 61-byte figure, run-state records the decision rationale, and no release artifact drift is expected. All looks good. Triggering the incremental review of 6ffdc8a now.

(ᐢ·ᴗ·ᐢ)

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[punk6529]

Follow-up on CodeRabbit outside-diff findings, latest head 3c7a5a3:

• Rejected first-time zero collection supply before reservedMaxTokensIndex arithmetic so this path now uses CollectionSupplyTooLarge() instead of arithmetic panic.
• Rejected dependency registry swaps to address(0) / EOAs with InvalidDependencyRegistryContract() before assigning dependencyRegistry.
• Added focused regressions in test/StreamInitialization.t.sol and test/StreamDependencyRegistry.t.sol.
• Regenerated release/deployment artifacts and updated CHANGELOG.md, docs/status.md, ops/ROADMAP.md, and ops/AUTONOMOUS_RUN.md.

Validation:

• forge test --match-path test\StreamInitialization.t.sol -vvv
• forge test --match-path test\StreamDependencyRegistry.t.sol -vvv
• forge build --sizes --via-ir --skip test --skip script --force (StreamCore 24,545 bytes / 31 bytes headroom)
• make release-checksums
• make check
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1
• targeted forge fmt --check
• git diff --check (only the known SHA256SUMS line-ending warning)

@coderabbitai review

[coderabbitai]

@punk6529 Both fixes are exactly right:

• Zero-supply guard: rejecting _collectionTotalSupply == 0 before the reservedMaxTokensIndex arithmetic avoids an arithmetic panic path entirely and keeps the error surface clean via CollectionSupplyTooLarge().
• Dependency registry guard: validating against address(0) and EOAs with InvalidDependencyRegistryContract() before the assignment closes an unguarded slot-write that the outside-diff pass flagged.

One thing to note: EIP-170 headroom has tightened further — from 61 bytes (head 857e1f9) down to 31 bytes (head 3c7a5a3), which makes the P1-SIZE-001 item in #115 increasingly urgent. At 31 bytes, a single added custom error or a modest logic addition can push past the limit. Worth keeping that at the top of the queue before any further non-trivial StreamCore work.

Triggering the incremental review of 3c7a5a3 now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.