Accept metadata and freeze ADR

[punk6529]

Summary

• Add ADR 0006 for metadata, dependency registry, freeze, ERC-4906, burn, and escaping policy.
• Mark the ADR accepted in the ADR index and roadmap, with issue [P1-META-ADR] Accept metadata, dependency, freeze, and burn design #45 as the design anchor.
• Link the P1 metadata implementation issue set ([P1-META-001] Implement metadata schema and golden-file tests #46-[P1-META-006] Add metadata escaping, size limits, and render-sandbox tests #51) and existing P0 dependency encoding issue [P0-META-001] Replace dependency-script packed concatenation with collision-safe encoding #9 across the roadmap, test matrix, Slither baseline, and autonomous run state.

Validation

• rg -n "^#|^##|^###" docs\adr\0006-metadata-freeze.md docs\adr\README.md ops\ROADMAP.md ops\SLITHER_BASELINE.md ops\AUTONOMOUS_RUN.md
• Traceability grep for [P1-META-ADR] Accept metadata, dependency, freeze, and burn design #45-[P1-META-006] Add metadata escaping, size limits, and render-sandbox tests #51, [P0-META-001] Replace dependency-script packed concatenation with collision-safe encoding #9, ERC-4906, 0x49064906, MetadataUpdate, BatchMetadataUpdate, dependency version events, freeze events, and burned-token callback events
• ASCII scan of touched docs
• git diff --check
• make check - 17 tests passed; existing Solidity warning baseline remains
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1 - 17 tests passed; existing Solidity warning baseline remains

Scope

Docs and roadmap only. This PR does not implement Solidity, tests, CI, deployment, or metadata renderer changes.

Summary by CodeRabbit

• Documentation

  • Accepted ADR 0006: formalizes schema-versioned NFT metadata with pending/final states, immutable freeze manifest, metadata encoding/escaping rules, ERC-4906 signaling, burn/supply semantics, required events/views, validation/golden-file guidance, rollout steps, and open follow-ups.
  • ADR index/README and roadmap updated to mark ADR accepted and sequence metadata/freeze work.

• Chores

  • Updated operational run state, PR queue, decision log, and security baseline notes to reflect metadata-freeze planning and next steps.

[claude]

⚠️ Code review skipped — your organization's overage spend limit has been reached.

Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.

Once credits are available, push a new commit or reopen this pull request to trigger a review.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 74f0bb67-8f4c-4fb1-9c79-712e27274a32

📥 Commits

Reviewing files that changed from the base of the PR and between 8058c20 and 4e8cab6.

📒 Files selected for processing (1)

• ops/AUTONOMOUS_RUN.md

---

📝 Walkthrough

Walkthrough

Adds ADR 0006 specifying metadata/freeze semantics (schema-versioned pending/final metadata, base64 on-chain JSON, freeze manifest pinning, dependency versioning, ERC-4906 policy, and burn semantics) and integrates it into ADR tracking, ROADMAP, AUTONOMOUS_RUN, and the Slither baseline.

Changes

ADR 0006 Metadata Freeze and Planning

Layer / File(s)	Summary
ADR 0006 Metadata Freeze Specification docs/adr/0006-metadata-freeze.md	Complete ADR specifying schema-versioned pending/final metadata, explicit randomness-driven pending rules, base64 on-chain JSON encoding, escaping/validation and size limits, freeze readiness and manifest immutability, pinned dependency/version hashes, ERC-4906 interface/event guidance, burned-token semantics, metadata authority rules, required views/events, implementation acceptance criteria, tests, and rollout checklist.
ADR README and ROADMAP integration docs/adr/README.md, ops/ROADMAP.md	Mark ADR 0006 as Accepted in ADR README; add P1-META-ADR to Gate B2, Protocol Decisions table, First Implementation Queue, metadata workstream checklist, Appendix B test-matrix updates, and ADR index links.
AUTONOMOUS_RUN worklog and decision log ops/AUTONOMOUS_RUN.md	Advance durable-run header, mark Randomness ADR merged, add/populate Metadata/freeze ADR worklog and validation checklist, and append decision-log entries for PR #52.
Security Baseline Alignment ops/SLITHER_BASELINE.md	Update Slither baseline encode-packed-collision entry to require typed dependency chunk encoding, versioned content hashes, and frozen dependency pinning per ADR 0006.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• [P1-META-001] Implement metadata schema and golden-file tests #46: ADR-0006 main issue defining the canonical metadata schema, pending/final semantics, on-chain/base64 JSON rules and freeze requirements.
• [P1-META-002] Implement collection freeze boundaries and immutable metadata state #47: Freeze enforcement, dependency immutability, and metadata update event work tied to ADR 0006 objectives.
• [P1-META-004] Implement ERC-4906 metadata update signaling #49: ERC-4906 implementation issue; ADR 0006 mandates interface/events for pre-freeze mutability.
• [P1-META-ADR] Accept metadata, dependency, freeze, and burn design #45: Operational acceptance and integration work that aligns with ADR 0006 rollout tracking.
• [P0-META-001] Replace dependency-script packed concatenation with collision-safe encoding #9: Encode-packed-collision concern resolved by ADR 0006's typed dependency chunk hashing and pinning requirements.

Possibly related PRs

• 6529-Collections/6529Stream#3: Related docs/control-plane work; similar ops/ROADMAP and AUTONOMOUS_RUN updates.
• 6529-Collections/6529Stream#44: Related ADR about randomness lifecycle referenced by ADR 0006.

Poem

🐰 I nibble specs and pin each hash,

Sealing tokens in a tidy stash,
Base64 whispers, codecs neat,
Freeze the manifest, none shall cheat—
Hooray! The metadata's fast asleep.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Accept metadata and freeze ADR' directly and clearly summarizes the main change: accepting ADR 0006 for metadata and freeze behavior, which is the primary purpose of this pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/metadata-freeze-adr

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[punk6529]

@claude please review this PR.

Focus areas:

• ADR 0006 should fully settle metadata pending/final behavior, freeze boundaries, dependency immutability, ERC-4906 signaling, burn semantics, and escaping/size-limit policy before P1 implementation begins.
• Please check that the roadmap, ADR index, Slither baseline, test matrix, and autonomous run state all link the correct issue set ([P0-META-001] Replace dependency-script packed concatenation with collision-safe encoding #9, [P1-META-ADR] Accept metadata, dependency, freeze, and burn design #45-[P1-META-006] Add metadata escaping, size limits, and render-sandbox tests #51).
• This is docs/roadmap only; no Solidity or test implementation is intended in this PR.

[punk6529]

@coderabbitai review

Please review the latest PR head 9948e251e98b58d1e3ea909d5d05712398a41c1a. The second commit only records PR #52 state in ops/AUTONOMOUS_RUN.md; CI is green and there are no review threads currently open.

[coderabbitai]

🧹 Nitpick comments (1)

docs/adr/0006-metadata-freeze.md (1)

473-548: 💤 Low value

Optional style polish for repeated sentence beginnings.

Lines 479-482 and 543-546 have successive sentences beginning with "Implement". While this is acceptable in checklists where parallel structure aids scanning, you could optionally vary the sentence openings if you want to polish the prose style. This is purely cosmetic and does not affect clarity or correctness.

Line 501: "very careful" could be strengthened to "rigorous" or "thorough" if you prefer more direct technical writing.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/adr/0006-metadata-freeze.md` around lines 473 - 548, The prose uses
repeated sentence openings ("Implement") in the Migration And Rollout and
Alternatives sections and uses "very careful" in one sentence; please vary
sentence starts in the checklist items under the "Migration And Rollout" and the
"Alternatives Considered" lists (e.g., replace some "Implement" entries with
verbs like "Add", "Enforce", "Introduce", or rephrase to passive constructions)
and change "very careful" to a stronger term such as "rigorous" or "thorough" in
the sentence discussing raw UTF-8 JSON data URIs to improve style while
preserving meaning.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/adr/0006-metadata-freeze.md`:
- Around line 473-548: The prose uses repeated sentence openings ("Implement")
in the Migration And Rollout and Alternatives sections and uses "very careful"
in one sentence; please vary sentence starts in the checklist items under the
"Migration And Rollout" and the "Alternatives Considered" lists (e.g., replace
some "Implement" entries with verbs like "Add", "Enforce", "Introduce", or
rephrase to passive constructions) and change "very careful" to a stronger term
such as "rigorous" or "thorough" in the sentence discussing raw UTF-8 JSON data
URIs to improve style while preserving meaning.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c93af1d1-9039-4514-a24c-002b4f4ee830

📥 Commits

Reviewing files that changed from the base of the PR and between dd98e91 and aa973c9.

📒 Files selected for processing (5)

• docs/adr/0006-metadata-freeze.md
• docs/adr/README.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• ops/SLITHER_BASELINE.md

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get the list of files changed in this PR
gh pr view 52 --repo 6529-Collections/6529Stream --json files --jq '.files[].path'

Length of output: 295

---

🏁 Script executed:

#!/bin/bash
# Read all the key docs files
cat docs/adr/0006-metadata-freeze.md

Length of output: 24183

---

🏁 Script executed:

#!/bin/bash
cat docs/adr/README.md

Length of output: 1310

---

🏁 Script executed:

#!/bin/bash
cat ops/ROADMAP.md

Length of output: 82055

---

🏁 Script executed:

#!/bin/bash
cat ops/SLITHER_BASELINE.md

Length of output: 15264

---

🏁 Script executed:

#!/bin/bash
cat ops/AUTONOMOUS_RUN.md

Length of output: 54222

---

---

@punk6529 — full review of head 9948e251e98b58d1e3ea909d5d05712398a41c1a below.

---

Scope verification ✅

All five changed files are documentation/ops only — docs/adr/0006-metadata-freeze.md, docs/adr/README.md, ops/ROADMAP.md, ops/SLITHER_BASELINE.md, ops/AUTONOMOUS_RUN.md. No Solidity, tests, CI, or deployment changes. The second commit (ops/AUTONOMOUS_RUN.md update only) is consistent with the stated scope.

---

Issue linkage audit ✅

Every cross-reference I checked is present and correct:

Location	Issues linked
ADR 0006 metadata table	Blocks #9, #46–#51; Issue #45
docs/adr/README.md	#45, Accepted
ROADMAP §3 decision table	#45, Gate B2, P0-META-001 (#9), P1-META-*
ROADMAP §7 P1 workstreams	#9, #45–#51 with full issue links
ROADMAP Appendix B test matrix	Burn (#45, #50, #40), dep encoding (#9, #48), ERC-4906 (#49), schema golden files (#46), escaping (#51), freeze (#47), dep immutability (#48), pending metadata (#45, #46, #40)
ROADMAP Appendix C ADR index	#45, blocks Gate B2, #9, P1-META-*
SLITHER_BASELINE encode-packed-collision	#9, "per ADR 0006"
AUTONOMOUS_RUN PR #52 worklog	#9, #45–#51

No missing links found.

---

ADR 0006 content review

✅ Settled decisions (all requested areas are addressed)

• Pending/final behavior: off-chain shape preserved; on-chain explicit pending/final states required; zero-hash-as-pending rejected; base64 on-chain JSON accepted. ✅
• Freeze boundaries: full manifest commit list defined; 11 post-freeze revert operations enumerated; break-glass governance paths noted. ✅
• Dependency immutability: versioned immutable records; new-version-on-update; frozen collections pin key/version/content hash/registry identity. ✅
• ERC-4906 signaling: supportsInterface(0x49064906), MetadataUpdate, BatchMetadataUpdate, emission triggers, non-triggers all specified. ✅
• Burn semantics: ERC-721 semantics; tokenURI reverts; burned excluded from live supply; minted-ever monotonic; archival intent documented. ✅
• Escaping/size-limit policy: per-context escaping policy listed for JSON, HTML, JS, URI, attributes, chunks; size-limit field enumeration present. ✅
• Events and views: 10+ concrete event signatures and 14+ view requirements enumerated. ✅

---

Gaps and ambiguities to resolve before P1 implementation begins

1 — Failed/stale randomness as a freeze blocker (P1-META-002 impact)

The freeze precondition says "all live minted tokens have terminal randomness state" but ADR 0005 defines three non-fulfilled terminal-like states: fulfilled, stale, and failed post-processing. The ADR is silent on whether a token stuck in failed or stale (but not burned) blocks freeze and what the required resolution path is. P1-META-002 implementers will need to know:

• Does failed-randomness state satisfy "terminal" for freeze purposes?
• If not, what resolves it — forced retry, burn, admin override?

Suggest adding one paragraph to the Freeze Model section, or creating a follow-up tracked under #47.

2 — Manifest hash algorithm and encoding unspecified (P1-META-002 impact)

Decision item 7 commits to a manifestHash but the ADR never specifies the algorithm (keccak256 over ABI-encoded fields? EIP-712 typed hash? Merkle root?) or the encoding. The CollectionFrozen event includes manifestHash and schemaVersion, but without an encoding spec two implementations will produce different hashes for the same collection state. Suggest explicitly delegating the algorithm choice to #47 or specifying it here.

3 — Burn + ERC-4906 event policy is under-specified

The ERC-4906 section says "Events should not be emitted merely because… burn happened unless the implementation intentionally documents that the token's JSON metadata changed as part of that operation." This covers the case where burn is incidental. It doesn't cover the distinct case where burn causes tokenURI to transition from returning valid JSON to reverting. Marketplaces and indexers using ERC-4906 to refresh state need to know whether MetadataUpdate(tokenId) fires on burn. The current text leaves this open. Suggest one explicit sentence: e.g., "Burn must not emit MetadataUpdate because tokenURI ceasing to exist is not a metadata content change; indexers should detect burn through the standard ERC-721 Transfer-to-zero event."

4 — Burned-token post-burn callback leaves two valid behaviors

"The implementation may instead mark the callback stale only if the final code and tests document that stricter behavior before merge."

This is intentional flexibility at design time, which is fine. But the conditional phrasing means #50 (P1-META-005) will need to make a binding choice before merge. Consider adding a note to the Open Follow-Ups section that "P1-META-005 must settle audit-record vs. stale-only callback behavior and document the choice before merge."

5 — Size limits fully deferred without an anchor

The Escaping, Validation, And Size Limits section lists all fields that need maximum sizes but provides no numbers or ballpark ranges. The implementation-required sizes will be invented from scratch under #51. In other ADRs (e.g., ADR 0001 for quantity), design-time constraints anchor the implementation. Consider adding at least a reference target (e.g., "sizes must keep tokenURI gas under X, total calldata under Y") or explicitly noting that upper-bound targets are delegated to #51.

6 — Generated HTML / animation_url not in frozen manifest commit list

The frozen manifest commits to "collection script chunk hashes and full script hash" but the on-chain schema includes animation_url from generated HTML. The HTML is the product of collection scripts + dependency scripts + token input — all of which are committed individually, but the decision to include the hash of the full rendered HTML (or to explicitly rely on the individual input hashes being sufficient) is not stated. Suggest one sentence clarifying whether the manifest includes an HTML output hash or whether the individual input hashes are the accepted proof.

7 — Gate B2 status not updated to "In Progress"

Gate B2 exit criteria require both the metadata/freeze ADR and the upgrade/redeployment ADR to be accepted. With ADR 0006 accepted and ADR 0007 still missing, Gate B2 should be "In Progress", not "Not Started". The ROADMAP currently still shows "Not Started" for Gate B2.

---

Minor

• Forward reference to "ADR 0007" in the Related ADRs field is fine as a placeholder.
• metadata_schema_version value format (semver string vs. integer) is unspecified — fine to defer, but could be noted.
• Dependency version format (sequential integer vs. content hash vs. semver) is unspecified — fine to defer to #48.

---

Summary

The ADR is substantive and ready to serve as the design anchor for P1 metadata work. All six requested topics are addressed, all issue links are present and correct, and the PR scope is clean. The items above are pre-implementation gaps — items 1, 2, and 3 in particular should be resolved (either in the ADR itself or as explicit tracking entries under #47, #49, and #50) before implementation begins to avoid divergent behavior.