Implement pause and emergency controls #64

Merged: punk6529 merged 2 commits into main from codex/pause-emergency-controls on Jun 10, 2026
@punk6529 punk6529 commented Jun 10, 2026

Contributor

Summary

Implements the accepted ADR 0004 pause and emergency-control model for the current P0 surfaces.

  • Adds shared pause-domain constants and StreamAdmins pause state, pause guardians, unpause admins, pause events, and explicit emergencyRecipient() routing.
  • Gates drop execution, direct minter paths, auction bids, auction settlement, mutable metadata operations, and randomizer request paths with domain-specific pauses.
  • Keeps user withdrawals unpaused by default and proves poster credits remain withdrawable while operational domains are paused.
  • Routes positive emergency surplus from StreamMinter, StreamAuctions, and StreamCuratorsPool to the explicit emergency recipient while preserving existing surplus-only accounting bounds.
  • Updates ADR/status/blocker/test/roadmap/autonomous-run docs and the Slither baseline delta.

Closes #35.
Refs #33.

Validation

  • forge test --match-contract "Stream(PauseControls|EmergencyWithdraw)Test" -vvv -> 16 passing tests.
  • forge test --match-contract "Stream(EmergencyWithdraw|AuctionPayments|CuratorsPool)Test" -vvv -> 33 passing tests.
  • make check -> 142 passing tests.
  • powershell -NoProfile -ExecutionPolicy Bypass -File scripts\check.ps1 -> 142 passing tests.
  • forge fmt --check smart-contracts\StreamPauseDomains.sol smart-contracts\IStreamAdmins.sol smart-contracts\StreamAdmins.sol smart-contracts\StreamDrops.sol smart-contracts\StreamMinter.sol smart-contracts\AuctionContract.sol smart-contracts\StreamCuratorsPool.sol smart-contracts\StreamCore.sol smart-contracts\RandomizerRNG.sol smart-contracts\RandomizerVRF.sol smart-contracts\RandomizerNXT.sol test\StreamPauseControls.t.sol test\StreamEmergencyWithdraw.t.sol test\StreamDropsCharacterization.t.sol test\StreamAuctionPayments.t.sol test\StreamCuratorsPool.t.sol
  • git diff --check
  • rg -n "^#|^##|^###" ops/ROADMAP.md ops/AUTONOMOUS_RUN.md ops/SLITHER_BASELINE.md docs/status.md docs/known-blockers.md docs/adr/0004-admin-governance.md test/README.md
  • slither . --config-file slither.config.json --foundry-compile-all --json <temp-file> remains non-gating and exits non-zero because accepted/open baseline findings remain; final JSON reports 676 total findings: 9 High, 29 Medium, 61 Low, 571 Informational, 6 Optimization. High/medium totals are unchanged and arbitrary-send-eth remains zero.

Summary by CodeRabbit

Release Notes

  • New Features
    • Added pause controls for critical operations (drop execution, minting, auctions, metadata updates, and randomness requests)
    • Implemented configurable emergency fund recipient for authorized withdrawals
    • Introduced pause guardian and unpause admin roles for improved governance separation

@claude claude Bot left a comment

⚠️ Code review skipped — your organization's overage spend limit has been reached.

Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.

Once credits are available, push a new commit or reopen this pull request to trigger a review.

Contributor Author

@claude please review the latest head for P0-ADMIN-002 pause/emergency controls. Please focus on pause-domain coverage, emergency-recipient routing, withdrawal non-pause policy, and whether any pause guard accidentally blocks unrelated user funds or randomness fulfillment paths.

coderabbitai Bot commented Jun 10, 2026


Caution

Review failed

Pull request was closed or merged during review

Walkthrough

This PR implements P0-ADMIN-002, adding domain-scoped pause controls and explicit emergency-recipient routing across the Stream protocol. It introduces pause-domain constants, authorization-aware pause/unpause state management in StreamAdmins, runtime pause guards on drop execution, minting, auction bidding/settlement, metadata mutation, and randomness request entrypoints, emergency-withdrawal recipient routing to StreamAdmins.emergencyRecipient(), comprehensive test coverage for pause behavior and signer-compromise recovery, and synchronizes governance, roadmap, and status documentation to reflect the implementation.

Changes

Pause and Emergency Control Implementation

| Layer / File(s) | Summary |
| --- | --- |
| Pause domain constants and admin interface: smart-contracts/StreamPauseDomains.sol, smart-contracts/IStreamAdmins.sol | New StreamPauseDomains library defines internal bytes32 constants for DROP_EXECUTION, MINT, AUCTION_BID, AUCTION_SETTLEMENT, METADATA_MUTATION, RANDOMNESS_REQUEST, and EMERGENCY domains. IStreamAdmins interface adds isPaused(bytes32 _domain) query and emergencyRecipient() accessor methods. |
| Admin state and pause authorization: smart-contracts/StreamAdmins.sol | StreamAdmins imports pause domains, adds public constant domain identifiers, state for pauseGuardians, unpauseAdmins, pausedDomains mapping, and emergencyRecipient address. Introduces PauseGuardianUpdated, UnpauseAdminUpdated, PauseUpdated, and EmergencyRecipientUpdated events. Adds owner-only registration functions for guardians/unpause admins, setPaused with role-aware authorization checks via _canPause/_canUnpause, updateEmergencyRecipient, and isPaused view accessor. |
| Drop execution pause guard: smart-contracts/StreamDrops.sol | Imports StreamPauseDomains and adds pause check in mintDrop that reverts with "Drop paused" when DROP_EXECUTION domain is paused. |
| Minting pause guards: smart-contracts/StreamMinter.sol | Imports StreamPauseDomains and pause-domain constants. Adds MINT domain checks in mint and mintAndAuction paths that revert with "Mint paused". Introduces EmergencyWithdrawal event and updates emergencyWithdraw to route ETH to adminsContract.emergencyRecipient() with new event emission. |
| Auction pause guards and emergency routing: smart-contracts/AuctionContract.sol | Imports StreamPauseDomains and adds AUCTION_BID check in participateToAuction and AUCTION_SETTLEMENT checks in claimAuction/claimNoBidAuctionToken. Introduces EmergencyWithdrawal event and updates emergencyWithdraw to use adminsContract.emergencyRecipient() with event emission. |
| Metadata mutation pause guard: smart-contracts/StreamCore.sol | Imports StreamPauseDomains and adds _requireMetadataMutationNotPaused() helper enforcing METADATA_MUTATION pause check. Guards eight metadata-changing functions (createCollection, setCollectionData, updateCollectionInfo, artistSignature, changeMetadataView, changeTokenData, updateImagesAndAttributes, freezeCollection). |
| Randomness pause guards: smart-contracts/RandomizerVRF.sol, smart-contracts/RandomizerRNG.sol, smart-contracts/RandomizerNXT.sol | Each randomizer implementation imports StreamPauseDomains and adds RANDOMNESS_REQUEST pause checks in requestRandomWords and calculateTokenHash paths, reverting with "Randomness paused". |
| Emergency withdrawal recipient routing: smart-contracts/StreamCuratorsPool.sol | Imports StreamPauseDomains, introduces EmergencyWithdrawal event, and updates emergencyWithdraw to route surplus ETH to adminsContract.emergencyRecipient() with event emission. |
| Pause behavior test suite: test/StreamPauseControls.t.sol | New comprehensive Foundry test file covering pause authorization rules (guardians can pause but not unpause), domain-specific paused behavior transitions across drop execution, minting, auction, metadata mutation, randomness, user credit withdrawal availability during operational pauses, and signer-compromise response flows. Includes supporting AuctionSetup struct, PauseMockArrngController mock, and deployment/pause-state helpers. |
| Existing test setup migrations: test/StreamAuctionPayments.t.sol, test/StreamCuratorsPool.t.sol, test/StreamEmergencyWithdraw.t.sol, test/StreamDropsCharacterization.t.sol | Emergency-withdraw test setups migrated from transferOwnership(PAYOUT) to updateEmergencyRecipient(PAYOUT). StreamDropsCharacterization helper updated to instantiate StreamAdmins locally instead of using constant address. |
| Test documentation: test/README.md | Adds P0-ADMIN-002 coverage documentation describing pause/unpause authorization rules, domain-specific paused behavior, credit-withdrawal exemption, explicit emergency recipient usage, surplus/reserve boundary preservation, and signer-compromise recovery flow validation. |
| Governance and status documentation: docs/adr/0004-admin-governance.md, docs/known-blockers.md, docs/status.md | ADR implementation status extended with P0-ADMIN-002 scope details. Known-blockers expanded to describe domain-scoped pause controls and explicit emergency-recipient routing. Status.md Gate A baseline refreshed with additional emergency-withdrawal and randomizer behavior enumeration. |
| Roadmap, autonomous-run, and verification synchronization: ops/ROADMAP.md, ops/AUTONOMOUS_RUN.md, ops/SLITHER_BASELINE.md | ROADMAP.md P0-ADMIN-002 section tightened to enumerate domain-scoped pause coverage, updated test matrix to mark pause controls/emergency controls as "Passing" with detailed notes. AUTONOMOUS_RUN.md PR queue advanced: Queue Item 22 merged in PR #63, Queue Item 23 recorded as PR #64 open with updated worklog. SLITHER_BASELINE.md metadata and delta narrative updated to reflect pause-control implementation progress. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly related PRs

  • 6529-Collections/6529Stream#56: Modifies StreamDrops.sol mintDrop execution path with EIP-712 DropAuthorization signature verification, directly overlapping with this PR's addition of DROP_EXECUTION pause-domain guard on the same function.
  • 6529-Collections/6529Stream#59: Introduces auction custody/settlement functionality that this PR extends by adding AUCTION_BID/AUCTION_SETTLEMENT pause gates and emergency-recipient routing to the same AuctionContract.sol settlement and claim flows.
  • 6529-Collections/6529Stream#62: Overlaps on emergency-withdrawal logic in AuctionContract.sol and StreamMinter.sol by modifying recipient/event handling and surplus/emergency-withdrawable accounting in the same methods.

🐰 A bunny hops through domains with a pause so grand,
Guardians guard while admins command,
Emergency funds know where they go,
To explicit recipients—let safety flow!
No more confusion, no more strife,
Protocol pauses make operations bright. 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Implement pause and emergency controls' clearly summarizes the main objective of the pull request, matching the primary implementation work described across all modified files. |
| Linked Issues check | ✅ Passed | The PR implements all core requirements from #35: domain-scoped pauses (drop, mint, auction bid/settlement, metadata, randomness), pause guardians and unpause admins, explicit emergencyRecipient() routing, emergency withdrawals bounded by surplus accounting, indexed events, and comprehensive test coverage with documentation updates. |
| Out of Scope Changes check | ✅ Passed | All code changes are directly aligned with P0-ADMIN-002 requirements. Documentation updates (ADR, roadmap, blockers, status, autonomous-run, Slither baseline) appropriately reflect the pause/emergency implementation status and validation progress. No unrelated refactoring or feature scope creep is present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

Comment @coderabbitai help to get the list of available commands and usage tips.
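
The control model described in the PR summary and walkthrough above, as an added sketch that is not code from the 6529Stream repository: a guardian can pause a domain but not unpause it, the credit withdrawal path carries no pause check, and emergency withdrawal sends only the balance above what users are owed to the explicit recipient. The contract names, the `MINT` domain value, the credit ledger, the owner always being allowed to pause and unpause, and the owner-only `emergencyWithdraw` are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added sketch, not 6529Stream code; names and the owner-may-always-act rule are assumptions.
contract PauseAdminsSketch {
    address public owner = msg.sender;
    address public emergencyRecipient;
    mapping(address => bool) public pauseGuardians;
    mapping(address => bool) public unpauseAdmins;
    mapping(bytes32 => bool) public isPaused; // getter: isPaused(bytes32 domain)
    event PauseUpdated(bytes32 indexed domain, bool paused, address indexed by);
    modifier onlyOwner() { require(msg.sender == owner, "Not owner"); _; }
    function setPauseGuardian(address a, bool on) external onlyOwner { pauseGuardians[a] = on; }
    function setUnpauseAdmin(address a, bool on) external onlyOwner { unpauseAdmins[a] = on; }
    function updateEmergencyRecipient(address r) external onlyOwner { emergencyRecipient = r; }
    // Asymmetric by design: a guardian key can stop a domain but never restart it.
    function setPaused(bytes32 domain, bool paused) external {
        bool roleOk = paused ? pauseGuardians[msg.sender] : unpauseAdmins[msg.sender];
        require(msg.sender == owner || roleOk, "Not authorized");
        isPaused[domain] = paused;
        emit PauseUpdated(domain, paused, msg.sender);
    }
}

contract GuardedVaultSketch {
    bytes32 public constant MINT = keccak256("MINT"); // constructed domain id
    PauseAdminsSketch public immutable admins;
    mapping(address => uint256) public credits;
    uint256 public totalCredits; // ETH owed to users, never emergency-withdrawable
    constructor(PauseAdminsSketch a) { admins = a; }
    function mint(address poster) external payable {
        require(!admins.isPaused(MINT), "Mint paused"); // domain-scoped guard
        credits[poster] += msg.value; // stand-in for real mint accounting
        totalCredits += msg.value;
    }
    function withdrawCredit() external { // no pause check: user funds stay reachable
        uint256 amount = credits[msg.sender];
        credits[msg.sender] = 0; // effects before the external call
        totalCredits -= amount;
        (bool ok,) = msg.sender.call{value: amount}("");
        require(ok, "Transfer failed");
    }
    function emergencyWithdraw() external {
        require(msg.sender == admins.owner(), "Not owner");
        address to = admins.emergencyRecipient();
        uint256 surplus = address(this).balance - totalCredits; // surplus-only bound
        require(to != address(0) && surplus > 0, "Nothing to route");
        (bool ok,) = to.call{value: surplus}("");
        require(ok, "Transfer failed");
    }
}
```

With `MINT` paused by a guardian, `mint` reverts while `withdrawCredit` still pays out, and the same guardian calling `setPaused(MINT, false)` reverts with "Not authorized".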

Contributor Author

@coderabbitai review latest head please. This PR implements P0-ADMIN-002 pause/emergency controls; please focus on unintended pause coverage gaps, surplus-only emergency withdrawal routing, and test/doc traceability.

coderabbitai Bot commented Jun 10, 2026


@punk6529 I’ll review the latest head with focus on:

  • Pause-domain coverage gaps and accidental over-broad guards
  • Surplus-only emergency withdrawal accounting and emergencyRecipient() routing
  • Ensuring withdrawals/user funds remain unpaused where intended
  • Randomness fulfillment paths not being blocked unintentionally
  • Test/doc traceability against P0-ADMIN-002 and ADR 0004
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Contributor Author

@claude please review latest head 055ffb6 as well. The only change since the earlier ping is the durable autonomous-run state entry for PR #64; the pause/emergency implementation remains as described.

Contributor Author

@coderabbitai review latest head 055ffb6 please. Only a durable state-file update was added after the initial review request; implementation scope is unchanged.

coderabbitai Bot commented Jun 10, 2026


@punk6529 Triggering a review of the latest head 055ffb6. I'll focus on:

  1. Pause-domain coverage — gaps, accidental over-broad guards, and any paths that should be unpaused but aren't
  2. Emergency-recipient routing — surplus-only accounting bounds in StreamMinter, StreamAuctions, and StreamCuratorsPool
  3. Withdrawal non-pause policy — ensuring user withdrawals and poster credits remain withdrawable while operational domains are paused
  4. Randomness fulfillment paths — confirming RandomizerRNG/RandomizerVRF/RandomizerNXT callbacks are not accidentally blocked
  5. Test/doc traceability — coverage against ADR 0004 and P0-ADMIN-002 requirements
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Contributor Author

Merge readiness note for the autonomous run:

  • Latest head: 055ffb63962de8b33f250e8d86ea2d933bc0bfb9.
  • GitHub CI run 27278804614 completed successfully.
  • No inline review threads are open.
  • Claude was explicitly requested and skipped due to the organization overage limit in review pullrequestreview-4468100654.
  • CodeRabbit was explicitly requested twice for latest-head review and updated the PR with release notes, but its aggregate status remains pending with no actionable review comments or threads visible after repeated polls.

Proceeding under the same stale-status maintainer decision used on recent CI-clean PRs in this autonomous run.

@punk6529 punk6529 merged commit 4e73435 into main Jun 10, 2026
1 of 2 checks passed
Development

Successfully merging this pull request may close these issues.

[P0-ADMIN-002] Define and implement pause and emergency controls
