Add drop authorization ADR

[punk6529]

Summary

• Add docs/adr/0001-drop-authorization.md as the accepted design gate before P0 auth rewrites.
• Capture the EIP-712 domain/schema, replay protection, recipient/payer policy, signer epoch/cancellation, signature validation, and ERC-1271/EIP-2098 support decisions.
• Link the ADR from the roadmap, ADR index, test traceability matrix, and autonomous run state.

Follow-up implementation issues

• Unblocks [P0-AUTH-001] Remove tx.origin from drop execution #18 (P0-AUTH-001: remove tx.origin from drop execution).
• Feeds [P0-AUTH-002] Replace drop authorization with replay-safe EIP-712 typed data #10 (P0-AUTH-002: replace drop authorization with replay-safe EIP-712 typed data).
• Unblocks [P0-AUTH-003] Implement ERC-1271 contract signer support #19 (P0-AUTH-003: implement ERC-1271 contract signer support).

Notes

• This PR is docs/design only.
• It intentionally does not change Solidity code, tests, CI, deployment scripts, or runtime behavior.
• The ADR is marked Accepted so the implementation PRs can proceed against a concrete design instead of re-deciding the authorization model mid-refactor.

Validation

• rg -n "^#|^##|^###" docs\adr\0001-drop-authorization.md docs\adr\README.md ops\ROADMAP.md ops\AUTONOMOUS_RUN.md
• rg -n "P0-AUTH-ADR|P0-AUTH-001|P0-AUTH-002|P0-AUTH-003|0001-drop-authorization" docs\adr\0001-drop-authorization.md docs\adr\README.md ops\ROADMAP.md ops\AUTONOMOUS_RUN.md
• git diff --check
• make check (17 tests passed; known compiler warnings remain)
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1 (17 tests passed; known compiler warnings remain)

Closes #17

Summary by CodeRabbit

• Documentation
  • Added an ADR formalizing a new drop authorization protocol: EIP-712-based signer authorization with ERC-1271 support, replay protection, cancellation/staleness rules, strict validation criteria, events, test plan and rollout guidance.
  • Updated ADR index, roadmap, and ops runbook to mark the decision accepted, link related issues, and record follow-up tasks, timelines, and status updates.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e3ea832d-21f1-4375-b96f-6216f1697b74

📥 Commits

Reviewing files that changed from the base of the PR and between 780a542 and a92b6c4.

📒 Files selected for processing (2)

• docs/adr/0001-drop-authorization.md
• ops/AUTONOMOUS_RUN.md

✅ Files skipped from review due to trivial changes (1)

• docs/adr/0001-drop-authorization.md

🚧 Files skipped from review as they are similar to previous changes (1)

• ops/AUTONOMOUS_RUN.md

---

📝 Walkthrough

Walkthrough

Adds ADR 0001 documenting EIP-712 drop authorization (typed drop intent, EOA/ERC-1271 support, replay/revocation, signer epochs) and updates ADR README, ROADMAP links, and AUTONOMOUS_RUN operational tracking to record acceptance and follow-up work.

Changes

Drop Authorization ADR

Layer / File(s)	Summary
ADR 0001 Drop Authorization specification docs/adr/0001-drop-authorization.md	Comprehensive ADR documenting the public-beta drop authorization design: EIP-712 domain and typed drop-intent fields (dropId derivation inputs, participants, tokenDataHash, pricing/auction timing, salt/nonce, deadline, signerEpoch); replay/cancellation and signer-epoch controls with storage-backed consumed/cancelled mappings; EOA and ERC-1271 signature rules (including EIP-2098/malleability policy); required events; alternatives considered; security scope; migration/rollout and P0 test plan; non-goals and accepted risks.
ADR index and ROADMAP links docs/adr/README.md, ops/ROADMAP.md	ADR README replaced by a tabular index marking 0001-drop-authorization.md as Accepted and linking issues; ROADMAP updated to link the drop authorization issue in protocol decisions, update Test Matrix issue links, and mark ADR 0001 as Accepted in the ADR index.
Operational state and tracking ops/AUTONOMOUS_RUN.md	AUTONOMOUS_RUN.md updated to set active branch codex/drop-authorization-adr, record last-merged PR, update PR queue/worklog statuses (mark PR #8 merged), add PR #20 open-work section with created follow-up issues and validation checklist, and extend the Decision Log with ADR-related entries.

Sequence Diagram

sequenceDiagram
  participant Caller
  participant StreamDrops
  participant ReplayState
  Caller->>StreamDrops: Submit signed DropIntent (dropId, deadline, signerEpoch, payload)
  StreamDrops->>StreamDrops: Verify EIP-712 signature (EOA or ERC-1271)
  StreamDrops->>StreamDrops: Validate domain, deadline, signerEpoch, and malleability rules
  StreamDrops->>ReplayState: Check dropId not consumed or cancelled
  StreamDrops->>ReplayState: Mark dropId consumed before external calls
  StreamDrops-->>Caller: Execute drop with signer-authorized parameters

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

• #18: ADR removes tx.origin and defines explicit recipient/executor fields required by P0-AUTH-001.
• #10: ADR specifies EIP-712, replay protection, and ERC-1271 behavior relevant to P0-AUTH-002.

Possibly related PRs

• 6529-Collections/6529Stream#16: Prior PR referenced by the AUTONOMOUS_RUN/ROADMAP updates and mentioned as the merged baseline for the ADR rollout.

Poem

A rabbit hops through EIP-712 fields,
I stamp each drop with signer-sealed yields,
No more tx.origin in sight,
Epochs guard each replayed night,
Replay-safe hops and indexed lights 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'Add drop authorization ADR' directly and clearly describes the primary change: adding architecture decision record 0001 for drop authorization design.
Linked Issues check	✅ Passed	The PR fully satisfies all objectives from linked issue #17: ADR 0001 created covering EIP-712 domain/schema, semantics for all specified fields, replay protection, signer controls, ERC-1271/EIP-2098 support, tx.origin removal, compatibility boundaries, and required documentation sections including alternatives, security, migration, test plan, non-goals, and risks.
Out of Scope Changes check	✅ Passed	All changes are in-scope: docs/adr/0001-drop-authorization.md (primary ADR addition), docs/adr/README.md (ADR index table update), ops/ROADMAP.md (ADR reference linking), and ops/AUTONOMOUS_RUN.md (documentation of PR status and review feedback), all directly supporting issue #17 acceptance criteria.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/drop-authorization-adr

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[punk6529]

@claude please review this drop authorization ADR before implementation starts. Please focus on whether the ADR gives a complete and safe design for EIP-712 schema/domain separation, tx.origin removal, storage-backed replay protection, signer epoch/cancellation, ERC-1271 contract signatures, EIP-2098 compact signatures, and whether it cleanly unblocks #18, #10, and #19. No Solidity changes are included in this PR.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/adr/0001-drop-authorization.md`:
- Around line 73-85: Clarify the relationship and purpose of the signed fields
`nonce` and `dropId` in the ADR: either state that `nonce` is used to derive
`dropId` (describe the derivation and include the algorithm/concatenation and
hashing step), or state that `nonce` is a per-signerEpoch sequence number that
provides ordering/uniqueness within an epoch (explain how validation uses
signerEpoch + nonce and how replay protection uses
`consumedDropIds`/`cancelledDropIds` vs per-epoch nonces), or remove/rename
`nonce` if it is redundant and leave only `dropId` as the globally unique
replay-protected identifier; reference the existing symbols `dropId`, `nonce`,
`signerEpoch`, `consumedDropIds`, and `cancelledDropIds` so readers can update
the replay/validation and signer compromise sections consistently.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 53db0ee2-6ff1-451a-ae9f-e05a88423324

📥 Commits

Reviewing files that changed from the base of the PR and between 60635f2 and 0c8d54a.

📒 Files selected for processing (4)

• docs/adr/0001-drop-authorization.md
• docs/adr/README.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

ops/AUTONOMOUS_RUN.md (1)

36-36: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update the "Last updated" timestamp to reflect the latest decision log entry.

The timestamp shows 2026-06-10 02:04 UTC, but the Decision Log at line 473 records an activity at 2026-06-10 02:18 UTC. The "Last updated" field should be at least 02:18 UTC or later to accurately reflect when this operational state was last modified.

🕐 Proposed fix

-| Last updated | `2026-06-10 02:04 UTC` |
+| Last updated | `2026-06-10 02:18 UTC` |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ops/AUTONOMOUS_RUN.md` at line 36, Update the "Last updated" timestamp value
`2026-06-10 02:04 UTC` in AUTONOMOUS_RUN.md to reflect the most recent Decision
Log entry (at `2026-06-10 02:18 UTC`); replace the old timestamp string with
`2026-06-10 02:18 UTC` or a later UTC timestamp so the "Last updated" field
accurately matches the Decision Log activity.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@ops/AUTONOMOUS_RUN.md`:
- Line 36: Update the "Last updated" timestamp value `2026-06-10 02:04 UTC` in
AUTONOMOUS_RUN.md to reflect the most recent Decision Log entry (at `2026-06-10
02:18 UTC`); replace the old timestamp string with `2026-06-10 02:18 UTC` or a
later UTC timestamp so the "Last updated" field accurately matches the Decision
Log activity.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 501d88a4-97ef-47de-872c-af8318db0d25

📥 Commits

Reviewing files that changed from the base of the PR and between 0c8d54a and e07c9a7.

📒 Files selected for processing (2)

• docs/adr/0001-drop-authorization.md
• ops/AUTONOMOUS_RUN.md

✅ Files skipped from review due to trivial changes (1)

• docs/adr/0001-drop-authorization.md

[punk6529]

Addressed Claude's three ADR review threads in 4d3e24c.

Resolution:

• Defined salt as signer/integrator entropy used in the signed payload and dropId derivation, not as an EIP-712 domain salt, with no separate contract storage.
• Defined nonce as a signer-allocated opaque unique value within signerEpoch, not an on-chain monotonic counter; no signerNonces storage is part of the P0 design.
• Updated dropId derivation to include (signer, signerEpoch, nonce, salt) and made dropId the stored replay/cancellation key.
• Required the contract to verify raw tokenData hashes against auth.tokenDataHash before storage/rendering/events, plus a matching required negative test.
• Split recipient semantics by sale mode: fixed-price uses it as the NFT receiver/stored execution address; auctions must use recipient == address(0) until ADR 0002 defines custody and settlement semantics, plus a matching required negative test.

Validation after the changes:

• Markdown heading scan passed.
• Traceability scan for tokenDataHash, tokenData, recipient, auction, nonce, salt, DROP_ID_TYPEHASH, and signerNonces passed.
• git diff --check passed.
• make check passed with 17 tests and known warnings.
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1 passed with 17 tests and known warnings.

[punk6529]

Addressed the CodeRabbit timestamp follow-up in 780a542fed6c4227d413722ae3b1f79ab746f919.

What changed:

• Updated ops/AUTONOMOUS_RUN.md Last updated to 2026-06-10 02:27 UTC.
• Added the matching PR Add drop authorization ADR #20 review-feedback note and decision-log row.

Validation:

• rg -n "Last updated|CodeRabbit timestamp|02:27|timestamp feedback" ops\AUTONOMOUS_RUN.md
• git diff --check
• make check passed: 17 tests, known existing warnings only.
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1 passed: 17 tests, known existing warnings only.

[punk6529]

Addressed the Claude quantity semantics thread (PRRT_kwDOM7REis6IV4bb) in a92b6c4f7c1d8b16817cd311b2bd22c5e061f4f5.

Resolution:

• Added a Decision rule that P0 signed drop authorizations must use quantity == 1.
• Made quantity != 1 an explicit validation rejection case.
• Added a required P0 test for quantity != 1.
• Added quantity to signed-field substitution coverage.
• Documented that batch minting / one authorization to many tokens requires a later ADR and EIP-712 version bump.

Validation:

• rg traceability for quantity, quantity != 1, and EIP-712 version-bump text passed.
• Markdown heading scan passed.
• git diff --check passed.
• make check passed: 17 tests, known existing warnings only.
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1 passed: 17 tests, known existing warnings only.

[punk6529]

@claude please re-review latest head a92b6c4f7c1d8b16817cd311b2bd22c5e061f4f5 after the quantity-semantics follow-up. All visible Claude threads are resolved, local validation passed, and CI run 27249243361 is green.