Fix dependency script encoding hashes

docs/adr/0006-metadata-freeze.md

@@ -65,9 +65,12 @@ Current source references:
   possible after collections reference that dependency key.
 - `StreamCore.updateContracts(3, newContract)` can swap the dependency registry
   address for future reads.
-- `retrieveDependencyScript` concatenates dependency chunks through dynamic
-  string composition. Slither tracks this as
-  [P0-META-001](https://github.com/6529-Collections/6529Stream/issues/9).
+- `retrieveDependencyScript` renders dependency chunks with initialized
+  `string.concat`, and `retrieveDependencyScriptContentHash(tokenId)` exposes a
+  typed dependency content hash for the referenced dependency key. The hash is
+  segment-safe for the current registry content, but it is not a full freeze
+  manifest by itself because it does not pin registry identity, provenance, or
+  immutable version lifecycle.
 - `burn(collectionId, tokenId)` burns the ERC-721 token and increments
   `burnAmount[collectionId]`. After burn, `tokenURI(tokenId)` reverts through
   `_requireMinted`, while internal token mappings remain in storage.
@@ -332,10 +335,16 @@ Required model:
 - frozen collections resolve dependency output from the pinned immutable record
   or from a manifest snapshot
 
-`P0-META-001` owns the packed/dynamic composition fix. The implementation must
-avoid ambiguous dynamic concatenation when hashing or proving dependency
-content. Use `abi.encode`, length-prefixing, per-chunk hashes, or an equivalent
-typed format instead of ambiguous packed dynamic fields.
+`P0-META-001` owns the packed/dynamic composition fix and now provides typed
+per-chunk and full-content hashes. The accepted hash shape uses `abi.encode`,
+the dependency key, chunk count, chunk index, chunk byte length, and per-chunk
+content hash so two ambiguous chunk layouts that render the same JavaScript
+still produce distinct proof hashes.
+
+`P1-META-003` remains responsible for immutable dependency versions,
+provenance, registry identity, deprecation semantics, and freeze-manifest
+pinning. Release manifests must pair any dependency content hash with the
+registry contract identity and accepted dependency version record.
 
 ## ERC-4906 Event Policy
 
@@ -561,7 +570,9 @@ signal that metadata changed before freeze.
 
 ## Open Follow-Ups
 
-- Resolve [P0-META-001](https://github.com/6529-Collections/6529Stream/issues/9).
+- Keep the [P0-META-001](https://github.com/6529-Collections/6529Stream/issues/9)
+  typed dependency hash regression suite in place while later freeze-manifest
+  work builds on it.
 - Implement [P1-META-001](https://github.com/6529-Collections/6529Stream/issues/46).
 - Complete [P1-META-002](https://github.com/6529-Collections/6529Stream/issues/47).
 - Build [P1-META-003](https://github.com/6529-Collections/6529Stream/issues/48).

docs/known-blockers.md

@@ -52,15 +52,20 @@ contributors who start from the README.
   richer metadata state exposure, provider configuration runbooks, canonical
   core/coordinator lifecycle ownership, and full handling of weak helper
   randomness beyond disabling `RandomizerNXT` as a production randomizer.
+- Dependency script retrieval now has segment-safe typed chunk and content
+  hashes, so the former packed/dynamic chunk-boundary Slither finding is fixed.
+  Remaining metadata blockers include golden-file metadata tests, collection
+  freeze manifests, immutable dependency version records, registry identity
+  pinning, ERC-4906 signaling, burn semantics, escaping, and size limits.
 - Slither high/medium findings are captured in `ops/SLITHER_BASELINE.md` and
   need triage before audit readiness.
 - Auction custody, auction bid/outbid payment, auction settlement-credit,
   fixed-price pull-payment, curator reward-credit, StreamMinter
   emergency-surplus, randomizer request lifecycle, randomizer callback
   validation, deterministic randomizer retry, raw-output hash storage, and
   randomizer reserve-boundary regressions now exist, but broader payment,
-  metadata, deployment,
-  production-governance, and invariant tests are still missing.
+  metadata, dependency versioning/freeze, deployment, production-governance, and
+  invariant tests are still missing.
 - Deployment scripts, manifests, and rehearsal runbooks are missing.
 
 Do not treat the current build/test smoke baseline as a security claim.

docs/status.md

@@ -12,20 +12,25 @@ The current Gate A smoke baseline proves:
   fixed-price pull-payment credits, curator reward claim credits, and
   randomness lifecycle behavior. Current emergency-withdrawal target-state
   tests also cover explicit emergency recipients, `StreamMinter` surplus
-  withdrawal, and `NextGenRandomizerRNG` reserve boundaries.
+  withdrawal, `NextGenRandomizerRNG` reserve boundaries, and dependency-script
+  segment-safe content hashing.
 - Randomizer tests now cover request lifecycle views, callback validation,
   raw-output hash storage, failed post-processing state, bounded deterministic
   post-processing retry, and the conservative provider-migration policy that
   blocks lifecycle-aware provider replacement while collection requests are
   pending.
+- Metadata encoding tests now prove dependency chunk boundaries are included in
+  typed content hashes while preserving the existing rendered generative script
+  output.
 - CI can run the same build/test smoke commands and publish logs.
 
 The current tests are regression tripwires, not a correctness proof. Known
 blockers remain tracked in `ops/ROADMAP.md`, including broader pull-payment
 accounting and cross-contract invariants, fuller randomizer reserve lifecycle
 accounting, callback-after-burn policy, canonical randomizer lifecycle
-ownership, static-analysis triage, signer lifecycle operations, deployment
-discipline, and the broader P0/P1 test suite.
+ownership, remaining static-analysis triage, signer lifecycle operations,
+dependency version/freeze manifest work, deployment discipline, and the broader
+P0/P1 test suite.
 
 Contributor and security intake files exist so future work can be packaged and
 reviewed consistently, but they do not change the pre-audit status.

ops/AUTONOMOUS_RUN.md

@@ -33,11 +33,11 @@ tests, security hardening, deployment discipline, and release/audit readiness.
 | Field | Value |
 | --- | --- |
 | Remote | `https://github.com/6529-Collections/6529Stream.git` |
-| Active PR branch | `codex/randomizer-raw-output-hash` |
-| Last merged PR | `https://github.com/6529-Collections/6529Stream/pull/69` |
+| Active PR branch | `codex/dependency-script-safe-encoding` |
+| Last merged PR | `https://github.com/6529-Collections/6529Stream/pull/70` |
 | Roadmap file | `ops/ROADMAP.md` |
 | State file | `ops/AUTONOMOUS_RUN.md` |
-| Last updated | `2026-06-10 17:58 UTC` |
+| Last updated | `2026-06-10 18:27 UTC` |
 
 ## Packaging Notes
 
@@ -83,7 +83,8 @@ The queue will evolve as PRs merge and bot feedback arrives.
 | 26 | Block randomizer migration while requests are pending | Gate C | Implement P0-RAND-005 default ADR policy: lifecycle-aware pending counts, provider-migration guard, stale/fulfilled unblocking, tests, docs, and roadmap state updates | Merged in PR #67 |
 | 27 | Add failed randomness post-processing state | Gate C | Implement P0-RAND-004 failed-state path for deterministic post-processing reverts, with VRF/arRNG tests, docs, and roadmap state updates | Merged in PR #68 |
 | 28 | Add bounded randomness post-processing retry | Gate C | Implement P0-RAND-006 stored-seed manual retry for deterministic failed post-processing, with VRF/arRNG tests, docs, and roadmap state updates | Merged in PR #69 |
-| 29 | Store raw random output hashes | Gate C | Implement P0-RAND-007 raw-output hash storage policy, domain-separated seed derivation, event/view exposure, tests, docs, and roadmap state updates | Open in PR #70; CI green, CodeRabbit clean by review comment, aggregate status stale pending |
+| 29 | Store raw random output hashes | Gate C | Implement P0-RAND-007 raw-output hash storage policy, domain-separated seed derivation, event/view exposure, tests, docs, and roadmap state updates | Merged in PR #70 |
+| 30 | Fix dependency script packed encoding | Gate C/Gate D | Implement P0-META-001 typed dependency chunk/content hashes, preserve rendered-script compatibility, add metadata encoding tests, and update Slither/roadmap traceability | Open in PR #71; follow-up local validation complete, post-follow-up CI pending |
 
 ## Current PR Worklog
 
@@ -2401,9 +2402,7 @@ Outcome:
 
 ### PR #70: Store raw random output hashes (Queue Item 29)
 
-Status: PR #70 open and merge-ready by autonomous maintainer decision; CI is
-green, CodeRabbit's latest review comment is clean, and the aggregate CodeRabbit
-status remains stale pending as documented in prior PR cycles.
+Status: Merged.
 Branch: `codex/randomizer-raw-output-hash`.
 Pull request: `https://github.com/6529-Collections/6529Stream/pull/70`.
 Related issue:
@@ -2515,6 +2514,122 @@ Review requests:
   clean, and left only non-blocking maintainability notes. Its aggregate commit
   status remained stale pending despite the clean review evidence.
 
+Outcome:
+
+- Merged as PR #70 on `2026-06-10 18:02 UTC`.
+- Merge commit: `350667fff6472e938790f0c7db5895fc3c4ddee9`.
+- Latest head before merge: `f52cd8f3cf83a8c131bdbc233c4769a4ba72e3fb`.
+- Issue #43 closed completed.
+- GitHub CI passed on final head in run `27295440912`.
+- CodeRabbit final clean comment: `4672928268`.
+- Claude was not requested for this PR per user instruction; CodeRabbit was
+  sufficient.
+
+### PR #71: Fix dependency script packed encoding (Queue Item 30)
+
+Status: Open; CodeRabbit clean with non-blocking observations addressed in
+follow-up; local follow-up validation complete, post-follow-up CI pending.
+Branch: `codex/dependency-script-safe-encoding`.
+Pull request: `https://github.com/6529-Collections/6529Stream/pull/71`.
+Latest head before PR-state update: `457ca920cb55c9d4b75efcede714ccc1ef700a5b`.
+Related issue:
+
+- `https://github.com/6529-Collections/6529Stream/issues/9`
+
+Goal:
+
+- Complete `P0-META-001` by eliminating the remaining first-party Slither
+  `encode-packed-collision` row for dependency script composition.
+- Preserve the current rendered dependency script output for compatibility while
+  exposing typed, segment-safe chunk and content hashes for proof, indexing, and
+  future freeze manifests.
+- Keep full dependency versioning, registry identity pinning, provenance, and
+  freeze-manifest semantics in the later `P1-META-003` workstream.
+
+Candidate files:
+
+- `smart-contracts/DependencyRegistry.sol`
+- `smart-contracts/IDependencyRegistry.sol`
+- `smart-contracts/StreamCore.sol`
+- `test/StreamMetadataEncoding.t.sol`
+- `docs/adr/0006-metadata-freeze.md`
+- `docs/known-blockers.md`
+- `docs/status.md`
+- `test/README.md`
+- `ops/ROADMAP.md`
+- `ops/SLITHER_BASELINE.md`
+- `ops/AUTONOMOUS_RUN.md`
+
+Initial implementation notes:
+
+- `DependencyRegistry` now exposes
+  `getDependencyScriptChunkHash(bytes32,uint256)` and
+  `getDependencyScriptContentHash(bytes32)`.
+- Chunk hashes include `DEPENDENCY_SCRIPT_CHUNK_TYPEHASH`, chunk index,
+  `keccak256(bytes(chunk))`, and byte length.
+- Content hashes include `DEPENDENCY_SCRIPT_CONTENT_TYPEHASH`, dependency key,
+  chunk count, and a folded `abi.encode` hash of all typed chunk hashes.
+- `StreamCore.retrieveDependencyScript(uint256)` initializes its accumulator and
+  uses `string.concat` for rendering.
+- `StreamCore.retrieveDependencyScriptContentHash(uint256)` exposes the
+  referenced dependency content hash for minted tokens.
+- `test/StreamMetadataEncoding.t.sol` proves that chunks `["ab", "c"]` and
+  `["a", "bc"]` render the same script but produce distinct typed content
+  hashes, and that empty chunk hashes differ by index.
+
+Validation so far:
+
+- PR #70 merge checked locally by fast-forwarding `main` to
+  `350667fff6472e938790f0c7db5895fc3c4ddee9`.
+- Focused `forge test --match-contract StreamMetadataEncodingTest -vvv`
+  passed: 2 tests, 0 failed.
+- `forge fmt` ran on changed Solidity files.
+- Slither delta run returned the expected remaining baseline findings while
+  removing the target rows: `slither_exit=-1`, `total=685`, `high=8`,
+  `medium=28`, `low=63`, `informational=580`, `optimization=6`,
+  `encode-packed-collision=0`, and `uninitialized-local=10`.
+- `forge fmt --check smart-contracts\DependencyRegistry.sol
+  smart-contracts\IDependencyRegistry.sol smart-contracts\StreamCore.sol
+  test\StreamMetadataEncoding.t.sol` passed.
+- Focused `forge test --match-contract StreamMetadataEncodingTest -vvv`
+  passed: 2 tests, 0 failed.
+- `make check` passed: 173 tests, 0 failed.
+- `powershell -ExecutionPolicy Bypass -File scripts\check.ps1` passed:
+  173 tests, 0 failed.
+- `git diff --check` passed.
+- Markdown heading scan passed for the roadmap, Slither baseline, autonomous
+  run state, ADR 0006, status docs, known blockers, and test README.
+- Traceability grep passed for `P0-META-001`, `StreamMetadataEncoding`,
+  dependency typehashes, dependency hash views, Slither detector rows, PR #70
+  merge commit `350667fff6472e938790f0c7db5895fc3c4ddee9`, and CodeRabbit
+  final clean comment `4672928268`.
+- Final Slither confirmation returned
+  `{"slither_exit":-1,"total":685,"high":8,"medium":28,"low":63,"informational":580,"optimization":6,"encode_packed_collision":0,"uninitialized_local":10,"calls_loop":8}`.
+- GitHub CI passed on head `fd0b5b89d16fc0e42a839431fcae5e7edc3b399c`
+  in run `27297022773`.
+- CodeRabbit comment `4673171581` confirmed the PR is correct and well-scoped,
+  with only non-blocking observations.
+- Follow-up addressed the non-blocking NatSpec and zero-chunk test observations
+  by documenting the new public hash views and adding
+  `testEmptyDependencyContentHashIsDeterministic`.
+- Follow-up `forge fmt --check smart-contracts\DependencyRegistry.sol
+  smart-contracts\StreamCore.sol test\StreamMetadataEncoding.t.sol` passed.
+- Follow-up focused `forge test --match-contract StreamMetadataEncodingTest
+  -vvv` passed: 3 tests, 0 failed.
+- Follow-up `make check` passed: 174 tests, 0 failed.
+- Follow-up `powershell -ExecutionPolicy Bypass -File scripts\check.ps1`
+  passed: 174 tests, 0 failed.
+- Follow-up Slither confirmation remained unchanged:
+  `{"slither_exit":-1,"total":685,"high":8,"medium":28,"low":63,"informational":580,"optimization":6,"encode_packed_collision":0,"uninitialized_local":10,"calls_loop":8}`.
+
+Review requests:
+
+- CodeRabbit requested in issue comment `4673145958`.
+- CodeRabbit review comment `4673171581` reported the PR correct and
+  well-scoped; non-blocking observations were addressed in follow-up.
+- Claude is intentionally skipped per current user instruction; use CodeRabbit
+  unless risk or future user instruction changes.
+
 ## Decision Log
 
 | Time UTC | Decision | Rationale |
@@ -2722,6 +2837,13 @@ Review requests:
 | 2026-06-10 17:52 | Address CodeRabbit PR #70 review | Add lifecycle interface request views, arRNG provider raw-word fulfillment event, stale zero-hash coverage, monotonic log helpers, retry-event documentation, and a defense-in-depth seed guard comment |
 | 2026-06-10 17:56 | Validate CodeRabbit PR #70 review response | Focused lifecycle/retry suites, full `make check`, Windows wrapper, formatting, diff hygiene, traceability, heading scan, and Slither baseline comparison all pass with 171 tests and unchanged high/medium counts |
 | 2026-06-10 17:58 | Mark PR #70 merge-ready by review evidence | GitHub CI passed on head `f8d0470b665eee2b528f95c380719014be639295`, CodeRabbit comment `4672884249` verified the fixes and marked the PR clean, and the stale aggregate pending context is documented as non-blocking |
+| 2026-06-10 18:02 | Merge PR #70 | Raw-output hash storage merged as `350667fff6472e938790f0c7db5895fc3c4ddee9`; CI passed on final head `f52cd8f3cf83a8c131bdbc233c4769a4ba72e3fb`, CodeRabbit final clean comment `4672928268`, and issue #43 closed completed |
+| 2026-06-10 18:05 | Select Queue Item 30 | Next open P0 Slither blocker is `P0-META-001`, a focused dependency-script `encode-packed-collision` fix with clear tests and low coupling to later metadata/freeze work |
+| 2026-06-10 18:11 | Implement Queue Item 30 local draft | Added typed dependency chunk/content hashes, initialized `StreamCore` dependency script rendering, focused ambiguous-boundary tests, and Slither delta evidence showing `encode-packed-collision=0` |
+| 2026-06-10 18:18 | Validate Queue Item 30 locally | Focused metadata tests, full `make check`, Windows wrapper, formatting, whitespace, heading scan, traceability grep, and final Slither confirmation pass with 173 tests and `encode-packed-collision=0` |
+| 2026-06-10 18:20 | Open PR #71 | Dependency-script encoding hash fix published with full local validation evidence; CodeRabbit review will be requested on the PR-state head |
+| 2026-06-10 18:21 | Request CodeRabbit PR #71 review | CodeRabbit review requested in issue comment `4673145958`; Claude intentionally skipped per current user instruction |
+| 2026-06-10 18:27 | Address CodeRabbit PR #71 non-blocking observations | Added NatSpec for the new hash views, added zero-chunk dependency hash coverage, refreshed focused/full/Windows/Slither validation, and kept Slither counts unchanged |
 
 ## Resume Instructions