Add reproducible Foundry baseline

.editorconfig

@@ -0,0 +1,18 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 4
+trim_trailing_whitespace = true
+
+[Makefile]
+indent_style = tab
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.ps1]
+end_of_line = crlf

.gitattributes

@@ -0,0 +1,16 @@
+* text=auto
+
+.editorconfig text eol=lf
+.gitattributes text eol=lf
+.gitignore text eol=lf
+
+*.sol text eol=lf
+*.md text eol=lf
+*.toml text eol=lf
+*.txt text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf
+*.sh text eol=lf
+Makefile text eol=lf
+
+*.ps1 text eol=crlf

.github/workflows/ci.yml

@@ -0,0 +1,46 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  foundry:
+    name: Foundry smoke
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+        with:
+          persist-credentials: false
+
+      - name: Install Foundry
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d
+        with:
+          version: v1.7.1
+
+      - name: Build
+        shell: bash
+        run: |
+          set -o pipefail
+          mkdir -p ci-logs
+          forge build 2>&1 | tee ci-logs/forge-build.log
+
+      - name: Test
+        shell: bash
+        run: |
+          set -o pipefail
+          mkdir -p ci-logs
+          forge test -vvv 2>&1 | tee ci-logs/forge-test.log
+
+      - name: Upload Foundry logs
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: foundry-smoke-logs
+          path: ci-logs/
+          if-no-files-found: ignore
+          retention-days: 14

.gitignore

@@ -1,21 +1,27 @@
-# Ignore node_modules directory
+# Node / frontend artifacts
 node_modules/
 
-# Ignore log files
+# Logs
 logs/
 *.log
 
-# Ignore build directories
+# Build outputs
 dist/
 build/
+out/
+cache/
+broadcast/
 
-# Ignore environment variable files
+# Local environments and secrets
 .env
+.env.*
+!.env.example
+!.env.sample
+!.env.template
+.venv-tools/
 
-# Ignore IDE specific files
+# Editors and OS files
 .idea/
 .vscode/
-
-# Ignore OS generated files
 .DS_Store
 Thumbs.db

Makefile

@@ -0,0 +1,40 @@
+ifeq ($(OS),Windows_NT)
+ifdef MSYSTEM
+FOUNDRY_BIN := $(HOME)/.foundry/bin
+REPO_ROOT := $(shell pwd)
+PATH_SEPARATOR := :
+RM_RF := rm -rf out cache broadcast
+else
+FOUNDRY_BIN := $(USERPROFILE)/.foundry/bin
+REPO_ROOT := $(CURDIR)
+PATH_SEPARATOR := ;
+RM_RF := powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Recurse -Force out,cache,broadcast -ErrorAction SilentlyContinue"
+endif
+VENV_BIN := .venv-tools/Scripts
+else
+FOUNDRY_BIN := $(HOME)/.foundry/bin
+REPO_ROOT := $(CURDIR)
+PATH_SEPARATOR := :
+VENV_BIN := .venv-tools/bin
+RM_RF := rm -rf out cache broadcast
+endif
+PATH := $(FOUNDRY_BIN)$(PATH_SEPARATOR)$(REPO_ROOT)/$(VENV_BIN)$(PATH_SEPARATOR)$(PATH)
+
+.PHONY: check build test fmt-check slither clean
+
+check: build test
+
+build:
+	forge build
+
+test:
+	forge test -vvv
+
+fmt-check:
+	forge fmt --check smart-contracts
+
+slither:
+	slither . --foundry-compile-all
+
+clean:
+	$(RM_RF)

README.md

@@ -1,12 +1,84 @@
 # 6529Stream
 
-6529 stream consists of a set of smart contracts (NextGen-modified contracts) to allow the minting/auctioning of drops
+6529Stream is a set of Solidity smart contracts for 6529 NFT drops, including
+fixed-price minting, auction flows, curator rewards, metadata generation, and
+randomness adapters.
 
-It has a TDH signer to act as an admin
+## Status
 
-## Process
+This repository is pre-audit and not production-ready.
 
-1. TDH holders provide rep to drops
-2. If a Drop clears the hurdle for the network selected, it goes into a Pool
-3. Once the Drops is within a Pool, addresses that meet the requirements of the TDH signer contract can sign a minting transaction
-4. Once the TDH signer requirements are met anyone can mint the NFT to buy it or send it to an auction
+The current CI and local smoke checks prove only that the contracts compile and
+that the Foundry test command executes. They do not prove protocol correctness.
+Known P0 blockers and the execution roadmap are tracked in
+[`ops/ROADMAP.md`](ops/ROADMAP.md).
+
+## Drop Flow
+
+1. TDH holders provide reputation to drops.
+2. If a drop clears the selected network hurdle, it enters a pool.
+3. Once a drop is in a pool, addresses that meet TDH signer requirements can
+   sign a minting transaction.
+4. Once signer requirements are met, the NFT can be minted through fixed-price
+   purchase or sent to auction.
+
+## Quickstart
+
+Install Foundry `v1.7.1`, then run:
+
+```bash
+make check
+```
+
+The canonical smoke check runs:
+
+```bash
+forge build
+forge test -vvv
+```
+
+On Windows, install Python 3.8+ or the `py` launcher, then bootstrap and verify
+with:
+
+```powershell
+powershell -ExecutionPolicy Bypass -File scripts\bootstrap-windows.ps1
+powershell -ExecutionPolicy Bypass -File scripts\check.ps1
+```
+
+On Linux or EC2, bootstrap and verify with:
+
+```bash
+bash scripts/bootstrap-ec2.sh
+make check
+```
+
+## Tooling
+
+Tool versions and non-gating diagnostic commands are documented in
+[`docs/tooling.md`](docs/tooling.md).
+
+Current pinned versions:
+
+| Tool | Version |
+| --- | --- |
+| Foundry | `v1.7.1` |
+| Solidity compiler | `0.8.19` |
+| Slither | `0.11.5` |
+
+## Repository Layout
+
+| Path | Purpose |
+| --- | --- |
+| `smart-contracts/` | Solidity source |
+| `test/` | Foundry tests |
+| `script/` | Foundry scripts |
+| `docs/` | Project, security, ADR, and operational docs |
+| `ops/` | Roadmap and execution state |
+
+## Important Docs
+
+- [`ops/ROADMAP.md`](ops/ROADMAP.md)
+- [`ops/AUTONOMOUS_RUN.md`](ops/AUTONOMOUS_RUN.md)
+- [`docs/status.md`](docs/status.md)
+- [`docs/known-blockers.md`](docs/known-blockers.md)
+- [`docs/tooling.md`](docs/tooling.md)

docs/adr/README.md

@@ -0,0 +1,17 @@
+# Architecture Decision Records
+
+ADRs are required before unsafe P0 implementation work.
+
+Expected ADRs are tracked in `ops/ROADMAP.md`:
+
+- `0001-drop-authorization.md`
+- `0002-auction-custody.md`
+- `0003-payment-accounting.md`
+- `0004-admin-governance.md`
+- `0005-randomness.md`
+- `0006-metadata-freeze.md`
+- `0007-upgrade-redeployment.md`
+
+Each ADR should include problem, current behavior, intended behavior,
+alternatives, security impact, migration impact, test plan, rollout plan,
+non-goals, and accepted risks.

docs/known-blockers.md

@@ -0,0 +1,15 @@
+# Known Blockers
+
+This file summarizes the high-level blockers from `ops/ROADMAP.md` for
+contributors who start from the README.
+
+- Drop execution currently needs typed, replay-safe authorization.
+- `tx.origin` usage must be removed from drop execution.
+- Auction custody and settlement need an accepted state-machine model.
+- Push payments must move to pull-payment accounting before production use.
+- Randomizer request and callback validation need production hardening.
+- Slither high/medium findings need triage before audit readiness.
+- Meaningful unit, integration, regression, and invariant tests are missing.
+- Deployment scripts, manifests, and rehearsal runbooks are missing.
+
+Do not treat the current build/test smoke baseline as a security claim.

docs/status.md

@@ -0,0 +1,15 @@
+# Project Status
+
+6529Stream is pre-audit and not production-ready.
+
+The current Gate A smoke baseline proves:
+
+- Foundry is configured to compile `smart-contracts`.
+- `forge build` runs against Solidity `0.8.19`.
+- `forge test -vvv` executes, even though meaningful tests are not yet present.
+- CI can run the same build/test smoke commands and publish logs.
+
+The current baseline does not prove protocol correctness. Known blockers remain
+tracked in `ops/ROADMAP.md`, including authorization, auction custody,
+pull-payment accounting, randomizer hardening, static-analysis triage, and
+meaningful tests.

docs/tooling.md

@@ -0,0 +1,66 @@
+# Tooling
+
+6529Stream currently uses a pinned Foundry smoke baseline.
+
+## Versions
+
+| Tool | Version |
+| --- | --- |
+| Foundry | `v1.7.1` |
+| Solidity compiler | `0.8.19` |
+| Slither | `0.11.5` |
+| solc-select | `1.2.0` |
+
+## Local Checks
+
+Run the canonical Gate A smoke check:
+
+```bash
+make check
+```
+
+This runs:
+
+```bash
+forge build
+forge test -vvv
+```
+
+Windows contributors can run:
+
+```powershell
+powershell -ExecutionPolicy Bypass -File scripts\check.ps1
+```
+
+The Windows script prepends `%USERPROFILE%\.foundry\bin` to the current process
+`PATH` so a fresh shell can find `forge` after bootstrap.
+
+## Bootstrap
+
+Linux or EC2:
+
+```bash
+bash scripts/bootstrap-ec2.sh
+```
+
+Windows PowerShell:
+
+```powershell
+powershell -ExecutionPolicy Bypass -File scripts\bootstrap-windows.ps1
+```
+
+Windows bootstrap requires Python 3.8+ or the `py` launcher for the local
+Slither and `solc-select` tool environment. Foundry itself is downloaded from
+the pinned release asset and verified with SHA256 before extraction.
+
+## Non-Gating Diagnostics
+
+These commands are intentionally not part of `make check` yet:
+
+```bash
+make fmt-check
+make slither
+```
+
+Formatting and Slither have known baselines and should become gates only after
+the roadmap items for formatting triage and Slither baseline acceptance land.

foundry.toml

@@ -0,0 +1,17 @@
+[profile.default]
+src = "smart-contracts"
+test = "test"
+script = "script"
+out = "out"
+cache_path = "cache"
+libs = ["lib"]
+solc_version = "0.8.19"
+auto_detect_solc = false
+evm_version = "paris"
+optimizer = true
+optimizer_runs = 200
+
+[fmt]
+line_length = 100
+tab_width = 4
+bracket_spacing = true