
Bound remaining emergency withdrawals #62

Merged: punk6529 merged 3 commits into main from codex/bound-emergency-withdrawals on Jun 10, 2026

Conversation

@punk6529 punk6529 commented Jun 10, 2026

Contributor

Summary

Closes #31.
Refs #8.

This PR finishes the current emergency-withdrawal surface that still appeared under Slither's arbitrary-send-eth detector.

  • Adds explicit owed/surplus views to StreamMinter, with totalOwed() == 0 and emergencyWithdrawable() bounded to surplus.
  • Changes StreamMinter.emergencyWithdraw() to transfer only positive emergency-withdrawable surplus to the admin owner.
  • Treats the full NextGenRandomizerRNG adapter balance as randomness reserve until fuller request-level provider reserve lifecycle accounting lands.
  • Changes NextGenRandomizerRNG.emergencyWithdraw() to transfer no ETH and emit the legacy boundary event with zero emergency-withdrawable balance.
  • Removes a medium Slither strict-equality warning in StreamAuctions.emergencyWithdraw() by using the positive-surplus branch pattern.
  • Adds focused emergency-withdrawal regression tests for minter surplus, randomizer reserves, unauthorized calls, direct ETH, forced ETH, and post-request remaining reserve.
  • Updates ADR/status/roadmap/test/Slither traceability without claiming full protocol-wide ledger invariants are complete.

Validation

  • forge test --match-contract "Stream(EmergencyWithdraw|AuctionPayments)Test" -vvv passed with 21 tests.
  • make check passed with 116 tests.
  • powershell -NoProfile -ExecutionPolicy Bypass -File scripts\check.ps1 passed with 116 tests.
  • forge fmt --check test\StreamEmergencyWithdraw.t.sol passed.
  • git diff --check and git diff --cached --check passed.
  • Slither still exits -1 for the known baseline, but regenerated JSON reports ARBITRARY_SEND_ETH_COUNT=0 and updated branch counts of 632 total findings: 9 High, 29 Medium, 58 Low, 530 Informational, 6 Optimization.

Notes

NextGenRandomizerRNG is deliberately conservative in this PR: all adapter ETH is reserve and none is admin-withdrawable. Fuller request-level randomizer reserve lifecycle accounting remains open under the broader payment/randomizer workstream.

Summary by CodeRabbit

  • New Features
    • Added emergency-withdrawal accounting helpers and safer withdrawal semantics for randomizer and minter components
  • Bug Fixes
    • Bound emergency-withdraw flows to avoid zero-balance or unintended-drain scenarios
  • Tests
    • Added comprehensive emergency-withdrawal test suite covering forced-ETH and reserve-edge cases
  • Documentation
    • Updated ADRs, roadmap, status, known blockers, SLITHER baseline, and ops run notes to reflect scope and remaining work
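The surplus-only pattern the PR describes (a `totalOwed()` liability view, an `emergencyWithdrawable()` surplus view floored at zero, and an `emergencyWithdraw()` that transfers only a positive surplus and always emits the boundary event, with no strict-equality early return), written out as an added example. This is not code from the 6529 Stream contracts or from this PR: the contract and function names (`SurplusBoundedVault`, `ForceEth`, `credit`, `claim`), the `Withdraw(address,uint256,bool)` event shape and the choice to track liabilities with a running `_totalOwed` counter are assumptions. The `ForceEth` helper shows why the bound matters: `selfdestruct` (and coinbase rewards) can raise `address(this).balance` without ever touching `receive()`, so a withdrawal keyed on raw balance would sweep user liabilities along with the stray ETH, whereas one bounded to `balance - totalOwed()` sweeps only the untracked part.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not code from the 6529 Stream repository. Names are hypothetical.
/// Demonstrates the surplus-bounded emergency withdrawal shape described in PR #62.
contract SurplusBoundedVault {
    address public immutable admin;

    // ETH the contract owes to users (refundable bids, pending claims, ...).
    // Every booked inflow raises _totalOwed; every payout lowers it.
    mapping(address => uint256) public owed;
    uint256 private _totalOwed;

    // Boundary event: emitted on every emergencyWithdraw, even when amount == 0.
    event Withdraw(address indexed to, uint256 amount, bool status);

    error NotAdmin();
    error TransferFailed();

    constructor(address admin_) {
        admin = admin_;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    /// Book ETH that must stay reserved for `account` (a liability, not surplus).
    function credit(address account) external payable {
        owed[account] += msg.value;
        _totalOwed += msg.value;
    }

    /// Pay a liability out; effects before interaction (checks-effects-interactions).
    function claim() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        _totalOwed -= amount;
        (bool ok,) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }

    /// Total liabilities. The PR's StreamMinter stub returns 0 here because the
    /// minter holds nothing on users' behalf; a conservative adapter (the PR's
    /// NextGenRandomizerRNG) instead reports its whole balance as owed.
    function totalOwed() public view returns (uint256) {
        return _totalOwed;
    }

    /// Surplus = balance not backed by any liability, floored at zero.
    /// Forced ETH raises the balance without raising totalOwed, so it lands here.
    function emergencyWithdrawable() public view returns (uint256) {
        uint256 bal = address(this).balance;
        uint256 owedTotal = totalOwed();
        return bal > owedTotal ? bal - owedTotal : 0;
    }

    /// Positive-surplus branch: no `balance == 0` strict-equality early return
    /// (Slither's incorrect-equality), only the surplus ever moves, and the
    /// boundary event is emitted on every call so off-chain monitors see a record.
    function emergencyWithdraw() external onlyAdmin {
        uint256 amount = emergencyWithdrawable();
        if (amount > 0) {
            (bool ok,) = admin.call{value: amount}("");
            if (!ok) revert TransferFailed();
        }
        emit Withdraw(admin, amount, true);
    }

    // Plain transfers are accepted but not booked, so they also become surplus.
    receive() external payable {}
}

/// Test helper (assumed, like the PR's ForceEth): pushes ETH into `target`
/// without invoking its receive()/fallback. After Cancun (EIP-6780) selfdestruct
/// still forwards the full balance; only account deletion is restricted.
contract ForceEth {
    function force(address payable target) external payable {
        selfdestruct(target);
    }
}
```

Two checks a reviewer can run against any contract shaped like this: `emergencyWithdrawable() + totalOwed() == address(this).balance` must hold whenever the balance covers the liabilities, and calling `emergencyWithdraw()` twice in a row must move nothing on the second call while still emitting `Withdraw` with `amount == 0`. With `receive()` left open, direct ETH transfers are unbooked and therefore admin-withdrawable, which is exactly what a direct-ETH test has to pin down one way or the other; if that is not wanted, `receive()` should revert.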

@claude claude Bot left a comment


⚠️ Code review skipped — your organization's overage spend limit has been reached.

Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.

Once credits are available, push a new commit or reopen this pull request to trigger a review.

coderabbitai Bot commented Jun 10, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 141eb97a-8bb4-4d6a-9333-71e450f4d015

📥 Commits

Reviewing files that changed from the base of the PR and between 451eaa9 and 7774391.

📒 Files selected for processing (2)
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
✅ Files skipped from review due to trivial changes (2)
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md

📝 Walkthrough

This PR implements surplus-bounded emergency withdrawals across StreamMinter, NextGenRandomizerRNG, and AuctionContract, adds view helpers (totalOwed/totalRandomnessReserved/emergencyWithdrawable), introduces tests for forced-ETH and reserve protection, and updates ADRs, Slither baseline, roadmap, and autonomous-run docs.

Changes

Emergency Withdrawal Bounding

| Layer | File(s) | Summary |
|---|---|---|
| StreamMinter surplus-only emergency withdrawal | smart-contracts/StreamMinter.sol | totalOwed() returns 0 (stub); emergencyWithdrawable() computes surplus; emergencyWithdraw() transfers only surplus and emits standardized Withdraw event. |
| NextGenRandomizerRNG reserve-conservative emergency withdrawal | smart-contracts/RandomizerRNG.sol | Adds totalRandomnessReserved() / totalOwed() reporting adapter balance, emergencyWithdrawable() hardcoded to 0; emergencyWithdraw() emits Withdraw without transferring ETH. |
| AuctionContract emergency withdrawal guard pattern | smart-contracts/AuctionContract.sol | Guards admin transfer on balance > 0; always emits Withdraw(status=true) and removes early-return on zero balance. |
| Emergency withdrawal test coverage | test/StreamEmergencyWithdraw.t.sol, test/README.md | New Foundry suite validates forced-ETH, authorization, reserve protection, post-request accounting; adds helpers (ForceEth, MockArrngController) and documents target assertions. |
| ADR documentation of emergency withdrawal bounds | docs/adr/0002-auction-custody.md, docs/adr/0003-payment-accounting.md | ADRs updated to record StreamMinter surplus-only model, NextGenRandomizerRNG conservative reserve boundary, and remaining "fuller randomizer reserve lifecycle accounting" work. |
| Known blockers and status narrative refinement | docs/known-blockers.md, docs/status.md | Known blockers and status text revised to emphasize broader payment/accounting/invariant gaps and to add smoke baseline emergency-withdrawal coverage details. |
| Roadmap maturity and test matrix updates | ops/ROADMAP.md | P0 blocker list and verification metadata updated; test matrix rows for payment ledger totals, withdrawal behavior, emergency surplus, randomness reserve, and admin controls set to In Progress as appropriate. |
| Slither baseline and finding resolution | ops/SLITHER_BASELINE.md | Baseline timestamp and totals refreshed (new capture); arbitrary-send-eth rows updated to Fixed for affected contracts; locked-ether coverage expanded and unused-return entries consolidated. |
| Autonomous execution progression tracking | ops/AUTONOMOUS_RUN.md | Durable run-state advanced (branch/last-merged PR/timestamps); PR queue/worklog/Decision Log updated with PR #61 merge and Queue Item 21 candidate details. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I nudged the surplus, kept reserves in sight,
Forced ETH tested under moonlit night.
Guards hold fast, events sing true,
Randomness rests, and balances too. ✨

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Bound remaining emergency withdrawals' accurately and concisely summarizes the primary change: implementing bounds on emergency withdrawal functions to restrict them to surplus-only transfers. |
| Linked Issues check | ✅ Passed | The PR fully addresses all coding requirements from issue #31: implements surplus-only emergency withdrawals with exposed accounting helpers, updates multiple contracts, passes targeted tests, and updates related documentation. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to issue #31 objectives: emergency withdrawal bounds, accounting helpers, test coverage, and documentation updates related to payment and randomizer reserve accounting. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



Contributor Author

@claude please review this PR for contract security, accounting semantics, and test/doc traceability. Focus especially on the conservative NextGenRandomizerRNG all-balance-reserve model, StreamMinter zero-owed surplus model, the auction emergency-withdrawal strict-equality cleanup, and whether the Slither baseline/docs accurately distinguish current emergency-boundary fixes from broader shared-ledger/randomizer lifecycle work.

Contributor Author

@coderabbitai review Please review the latest head 451eaa955a30628f082a930ce1bac005960449cd. CI is green on run 27273309946, there are no visible review threads, and the branch-local Slither delta reports ARBITRARY_SEND_ETH_COUNT=0. Please surface any actionable contract, test, or documentation issues before merge.

coderabbitai Bot commented Jun 10, 2026


@punk6529 I’ll review the latest head 451eaa955a30628f082a930ce1bac005960449cd with focus on the contract security/accounting boundaries, emergency-withdrawal semantics, tests, and Slither/doc traceability before merge.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
ops/ROADMAP.md (1)

1875-1877: ⚡ Quick win

Clarify "current emergency-withdrawal surfaces" scope.

Line 1877 states that emergency surplus boundaries are "Passing for current emergency-withdrawal surfaces" and lists five contracts. The phrase "current surfaces" may be ambiguous—does it mean (a) all contracts with emergency withdrawal functions, or (b) only the subset addressed in this PR?

Consider clarifying whether other contracts in the codebase have emergency withdrawal functions that are explicitly excluded from this scope, or whether this represents complete coverage of all emergency withdrawal paths in the protocol.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ops/ROADMAP.md` around lines 1875 - 1877, The roadmap wording is ambiguous
about the scope of "current emergency-withdrawal surfaces"; update the sentence
in ROADMAP.md to explicitly state whether it covers all contracts with emergency
withdrawal functions or only the subset addressed by this PR, and enumerate the
included symbols (StreamDrops.emergencyWithdrawable(),
StreamCuratorsPool.emergencyWithdrawable(), StreamMinter, NextGenRandomizerRNG
and StreamAuction/StreamFixedPrice emergency withdrawal paths) and any known
exclusions; if full coverage is intended, replace "current surfaces" with "all
emergency-withdrawal surfaces in the protocol" and add a short parenthetical
list of excluded contracts (or a link to the tracking issue) so readers can
unambiguously tell which contracts were validated.
ops/AUTONOMOUS_RUN.md (1)

1710-1711: 💤 Low value

Clarify Slither JSON output interpretation.

Lines 1710-1711 claim: "regenerated branch-local counts are 632 total findings: 9 High, 29 Medium, 58 Low, 530 Informational, and 6 Optimization."

These counts exactly match the updated ops/SLITHER_BASELINE.md file (lines 26-31), which is good for consistency. However, the claim that "arbitrary-send-eth now reports zero current findings" should be verifiable from the Slither JSON output. Consider documenting how the ARBITRARY_SEND_ETH_COUNT=0 metric was extracted from the regenerated Slither run to make this claim auditable by future reviewers.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ops/AUTONOMOUS_RUN.md` around lines 1710 - 1711, Record the exact extraction
method from the Slither JSON that proves "arbitrary-send-eth now reports zero
current findings": update ops/AUTONOMOUS_RUN.md (near the regenerated counts) to
show the command or JSON query used to compute ARBITRARY_SEND_ETH_COUNT (e.g.,
the jq/grep/JSONPath expression run against the Slither output file) and state
the resulting value ARBITRARY_SEND_ETH_COUNT=0; reference the Slither output
filename and the metric name ARBITRARY_SEND_ETH_COUNT so future reviewers can
rerun the same query and verify the zero count, and ensure the updated
ops/SLITHER_BASELINE.md counts remain consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0be7924f-9bf8-42ee-9c54-cfe547214667

📥 Commits

Reviewing files that changed from the base of the PR and between 51db3fd and 451eaa9.

📒 Files selected for processing (13)
  • docs/adr/0002-auction-custody.md
  • docs/adr/0003-payment-accounting.md
  • docs/auction-custody.md
  • docs/known-blockers.md
  • docs/status.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • ops/SLITHER_BASELINE.md
  • smart-contracts/AuctionContract.sol
  • smart-contracts/RandomizerRNG.sol
  • smart-contracts/StreamMinter.sol
  • test/README.md
  • test/StreamEmergencyWithdraw.t.sol

Contributor Author

@claude please review the latest head 77743912aac975fe13ac2d622237a9d5b7ecd0ba. This follow-up only addresses CodeRabbit's documentation nitpicks: it clarifies the complete first-party emergency-withdrawal surface coverage and records the exact Slither JSON extraction used for ARBITRARY_SEND_ETH_COUNT=0.

Contributor Author

@coderabbitai review Please verify the latest head 77743912aac975fe13ac2d622237a9d5b7ecd0ba, which responds to your two nitpicks by clarifying emergency-withdrawal coverage in ops/ROADMAP.md and documenting the Slither JSON query for ARBITRARY_SEND_ETH_COUNT=0 in ops/AUTONOMOUS_RUN.md.

coderabbitai Bot commented Jun 10, 2026



🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get the diff introduced by the latest commit
git show 77743912aac975fe13ac2d622237a9d5b7ecd0ba -- ops/ROADMAP.md ops/AUTONOMOUS_RUN.md

Length of output: 7750

🏁 Script executed:

#!/bin/bash
# Reproduce the exact rg command cited in the ROADMAP change
rg -n "function emergencyWithdraw" smart-contracts/

Length of output: 1252

@punk6529 Both nitpicks are fully and accurately addressed at 77743912aac975fe13ac2d622237a9d5b7ecd0ba. Here is what I verified:

ops/ROADMAP.md — Emergency surplus boundary row

Reproducing the cited rg -n "function emergencyWithdraw" smart-contracts command confirms the inventory exactly:

| Contract file | emergencyWithdraw() | emergencyWithdrawable() |
|---|---|---|
| AuctionContract.sol (StreamAuctions) | ✅ Line 494 | ✅ Line 484 |
| StreamCuratorsPool.sol | ✅ Line 161 | ✅ Line 142 |
| StreamMinter.sol | ✅ Line 137 | ✅ Line 127 |
| RandomizerRNG.sol (NextGenRandomizerRNG) | ✅ Line 90 | ✅ Line 84 |
| StreamDrops.sol | ❌ none | ✅ Line 352 |

The updated row correctly names all four first-party emergencyWithdraw functions, correctly states StreamDrops has no emergencyWithdraw function (only the surplus view), and the claim "No first-party exclusions are known" is verified exhaustively by that search. The "full shared-ledger invariant coverage remains open" caveat is preserved.

ops/AUTONOMOUS_RUN.md — Slither JSON extraction

The added PowerShell snippet (Get-Content … | ConvertFrom-Json, then Where-Object { $_.check -eq "arbitrary-send-eth" } and .Count) is a correct and reproducible method for extracting the detector count from Slither's JSON output. The intermediate variable ($json) and file path ($env:TEMP\6529stream-slither-emergency.json) match the surrounding context.

No new issues introduced. The PR looks good to merge.

[approve]

Copy link
Copy Markdown
Contributor Author

Merge-readiness note for latest head 77743912aac975fe13ac2d622237a9d5b7ecd0ba:

  • GitHub Actions CI run 27274061799 completed successfully.
  • Claude was explicitly requested again in comment 4669833035; Claude review remains unavailable due to the org overage skip already recorded in review 4467324335.
  • CodeRabbit status is success and comment 4669840843 verifies both follow-up nitpick fixes, ending with [approve].
  • No review threads are open.
  • Local review-response validation: git diff --check, git diff --cached --check, and targeted snippet verification passed.
  • Prior full PR validation remains recorded in the PR body/state: focused emergency tests, broader Stream payment tests, make check, Windows scripts/check.ps1, formatting check for the new test, whitespace checks, and Slither delta evidence with ARBITRARY_SEND_ETH_COUNT=0.

Merging under the autonomous manager run protocol.

@punk6529 punk6529 merged commit 44a3ebb into main Jun 10, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues.

[P0-PAY-007] Bound emergency withdrawals by surplus

1 participant