Prove vendored library provenance#76

Merged
punk6529 merged 2 commits into main from codex/prove-vendored-library-provenance on Jun 10, 2026
Conversation

punk6529 commented Jun 10, 2026

Contributor

Summary

  • add docs/vendored-libraries.md with OpenZeppelin tag URLs, upstream/local SHA-256s, and local delta notes for retained utility libraries
  • add StreamVendoredLibraries.t.sol coverage for Base64 golden/padding vectors and Math.mulDiv precision, rounding, overflow, and zero-denominator behavior
  • mark vendored incorrect-exp / divide-before-multiply Slither rows as documented false positives, refresh roadmap/status/test traceability, and correct the Strings.sol provenance header to v4.9.0

Closes #11.

Slither note

  • High/medium counts remain 4 High / 19 Medium.
  • Total findings move from 666 to 668 due to lower-impact/informational/optimization churn from the new provenance test/header surface.
  • Current vendored high/medium rows remain visible in Slither but are documented false positives rather than open remediation items.

Validation

  • forge fmt --check test\StreamVendoredLibraries.t.sol
  • forge test --match-path test\StreamVendoredLibraries.t.sol -vvv (5 tests, 0 failed)
  • make check (187 tests, 0 failed)
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1 (187 tests, 0 failed)
  • git diff --check
  • rg -n "^#|^##|^###" docs\vendored-libraries.md docs\known-blockers.md docs\status.md test\README.md ops\ROADMAP.md ops\SLITHER_BASELINE.md ops\AUTONOMOUS_RUN.md
  • Traceability grep for P0-LIB-001, StreamVendoredLibraries, docs/vendored-libraries.md, False Positive, incorrect-exp, divide-before-multiply, OpenZeppelin v4.7.0/v4.8.0/v4.9.0 tags, and the 668 total / 4 High and 19 Medium Slither status
  • Slither JSON summary: {"slither_exit":-1,"total":668,"high":4,"medium":19,"low":63,"informational":575,"optimization":7,"incorrect_exp":1,"divide_before_multiply":9,"unused_return":1}

Slither still exits nonzero because accepted test-only and documented false-positive rows remain visible, plus lower-impact findings are not yet a CI gate.

Summary by CodeRabbit

  • Tests

    • Added end-to-end tests validating vendored library behavior: Base64 golden vectors, Math.mulDiv full-precision/rounding/overflow/zero-denominator cases, and revert payload checks.
  • Documentation

    • Added vendored-libraries provenance doc with verification commands and manifest.
    • Updated status, known-blockers, Slither baseline, roadmap, and ops notes to reflect vendored-library disposition and test coverage.
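The provenance check the PR description and the CodeRabbit summary refer to (a manifest of upstream and local SHA-256 digests per vendored file, with a note explaining any local delta) can be expressed as a small verifier. The block below is an added example, not the project's docs/vendored-libraries.md or its PowerShell check script: it assumes a pipe-separated manifest row format of `path | upstream sha256 | local sha256 | delta note`, and every file body and hash in it is constructed for the demo. It hashes each listed file and sorts it into one of five verdicts, so that a file whose local hash is recorded but never explained, or one edited after the manifest was written, is surfaced rather than silently accepted.

```python
"""Check vendored library files against a provenance manifest.

Added example for the vendored-library provenance approach in this PR; it is not
the project's own docs/vendored-libraries.md or check script. The manifest
format, the file bodies and every hash below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the digest form the manifest records)."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> list:
    """Parse rows of the form: path | upstream_sha256 | local_sha256 | delta note.

    Equal upstream/local hashes declare the file unmodified; a non-empty note
    documents why the local hash is allowed to differ from upstream.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, upstream, local, note = (c.strip() for c in line.split("|", 3))
        rows.append({"path": path, "upstream": upstream, "local": local, "note": note})
    return rows


def classify(row: dict, actual: str) -> str:
    """Map an on-disk digest onto a provenance verdict."""
    if actual == row["upstream"]:
        return "unmodified"            # byte-identical to the pinned upstream tag
    if actual == row["local"] and row["note"]:
        return "documented-delta"      # differs from upstream, and the delta is explained
    if actual == row["local"]:
        return "undocumented-delta"    # hash recorded, but nobody wrote down why it differs
    return "drift"                     # matches neither recorded hash: investigate


def verify(manifest_text: str, root: str) -> dict:
    """Hash every manifest path under `root` and return path -> verdict."""
    verdicts = {}
    for row in parse_manifest(manifest_text):
        full = os.path.join(root, row["path"])
        if not os.path.isfile(full):
            verdicts[row["path"]] = "missing"
            continue
        with open(full, "rb") as fh:
            verdicts[row["path"]] = classify(row, sha256_hex(fh.read()))
    return verdicts


def run_demo() -> dict:
    """Build a constructed vendored tree plus its manifest, then verify it."""
    upstream = {  # constructed stand-ins for the pinned upstream tag's file bodies
        "Base64.sol": b"library Base64 { /* upstream */ }\n",
        "Strings.sol": b"library Strings { /* upstream */ }\n",
        "Math.sol": b"library Math { /* upstream */ }\n",
        "Address.sol": b"library Address { /* upstream */ }\n",
    }
    header = b"// Vendored from OpenZeppelin (constructed header)\n"
    on_disk = {  # what actually sits in the repository
        "Base64.sol": upstream["Base64.sol"],                    # untouched
        "Strings.sol": header + upstream["Strings.sol"],         # header only, recorded and explained
        "Math.sol": upstream["Math.sol"] + b"// local tweak\n",  # recorded hash, no explanation
        "Address.sol": upstream["Address.sol"] + b"// edited\n", # changed after the manifest was written
    }
    rows = [
        ("Base64.sol", sha256_hex(upstream["Base64.sol"]), sha256_hex(on_disk["Base64.sol"]), ""),
        ("Strings.sol", sha256_hex(upstream["Strings.sol"]), sha256_hex(on_disk["Strings.sol"]),
         "provenance header added, code unchanged"),
        ("Math.sol", sha256_hex(upstream["Math.sol"]), sha256_hex(on_disk["Math.sol"]), ""),
        ("Address.sol", sha256_hex(upstream["Address.sol"]), sha256_hex(upstream["Address.sol"]), ""),
        ("ECDSA.sol", "0" * 64, "0" * 64, "placeholder hash; file listed but never vendored"),
    ]
    manifest = "# path | upstream sha256 | local sha256 | delta note\n"
    manifest += "\n".join(" | ".join(r) for r in rows)
    with tempfile.TemporaryDirectory() as root:
        for name, body in on_disk.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return verify(manifest, root)


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{path:12s} {verdict}")
```

Only "unmodified" and "documented-delta" should be acceptable outcomes for a CI gate; "undocumented-delta" means the manifest was updated without a rationale, "drift" means the file changed after the manifest did, and "missing" means the manifest lists something the tree does not contain.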

@claude claude Bot left a comment


Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

coderabbitai Bot commented Jun 10, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 00788f69-c6a4-4029-865b-54c1b682f9da

📥 Commits

Reviewing files that changed from the base of the PR and between 20fceb6 and 715ab17.

📒 Files selected for processing (1)
  • test/StreamVendoredLibraries.t.sol
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/StreamVendoredLibraries.t.sol

📝 Walkthrough

Walkthrough

This PR documents vendored OpenZeppelin library provenance with SHA-256 manifests, adds focused regression tests for Base64 and Math behaviors, updates Slither high/medium rows to documented false positives, and records those changes in roadmap and autonomous-run documentation.

Changes

Vendored Library Provenance Documentation and Testing

Layer | File(s) | Summary
  • Vendored library manifest & verification | docs/vendored-libraries.md, smart-contracts/Strings.sol, test/README.md | Adds a manifest table with upstream source/version links, upstream/local SHA-256 hashes, Slither disposition notes for vendored files, and verification PowerShell commands; updates the Strings.sol header and test README references.
  • Regression tests for vendored libs | test/StreamVendoredLibraries.t.sol | Adds VendoredLibraryHarness and StreamVendoredLibrariesTest with tests for Base64 golden vectors and binary/padding cases, Math.mulDiv full-precision boundaries, mulDiv rounding-up semantics, and revert-case validation via staticcall payload hashing.
  • Slither baseline triage updates | ops/SLITHER_BASELINE.md, docs/known-blockers.md | Updates Slither capture metadata and High/Medium detector rows to mark incorrect-exp and divide-before-multiply as documented false positives with rationale referencing provenance and test evidence; clarifies that CI gating excludes low/informational/optimization findings.
  • Project status and roadmap | docs/status.md, ops/ROADMAP.md | Expands Gate A smoke baseline regression coverage items (including vendored-library provenance/behavior), updates Slither totals to 668 (4 High, 19 Medium), and adds an Appendix B row for vendored-library Slither findings.
  • Autonomous execution tracking | ops/AUTONOMOUS_RUN.md | Updates the last-updated timestamp, marks PR #75 merged, advances the PR queue to item 34 in progress, and appends the “Prove vendored library provenance” PR TBD section and Decision Log entries.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • 6529-Collections/6529Stream#3: Updates control-plane documentation (ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md) and verification-baseline tracking used here.
  • 6529-Collections/6529Stream#7: Prior Slither baseline/triage work that this PR extends with vendored-library false-positive handling and tests.

"🐰 Vendor proof at last we bring,
SHA-256 hashes in every thing,
Math and Base64 tested true,
False positives now belong to you,
P0-LIB evidence—hopped through!"

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
  • Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check | ✅ Passed | The title 'Prove vendored library provenance' directly reflects the main objective of the PR, which adds documentation, tests, and Slither disposition notes for vendored libraries.
  • Linked Issues check | ✅ Passed | All objectives from #11 are addressed: upstream source/version documented in vendored-libraries.md, checksums/provenance recorded, Slither findings marked as false positives with rationale, targeted regression tests added (Math.mulDiv and Base64), and make check passes.
  • Out of Scope Changes check | ✅ Passed | All changes directly support proving vendored library provenance: documentation, tests, Slither disposition updates, status/roadmap alignment, and the Strings.sol version bump. No unrelated changes detected.
  • Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor Author

@coderabbitai review

coderabbitai Bot commented Jun 10, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
test/StreamVendoredLibraries.t.sol (1)

77-80: ⚡ Quick win

Consider validating zero-denominator revert data format.

The overflow test (lines 71-75) validates the exact revert message format using keccak256, but the zero-denominator test only checks that revert data is non-empty. For consistency and stronger coverage, consider validating the zero-denominator revert format as well.

💡 Suggested enhancement
 (bool zeroDenominatorSuccess, bytes memory zeroDenominatorRevertData) =
     address(harness).staticcall(abi.encodeWithSelector(harness.mulDiv.selector, 1, 1, 0));
 zeroDenominatorSuccess.assertFalse("zero denominator mulDiv succeeded");
-(zeroDenominatorRevertData.length > 0).assertTrue("zero denominator revert data");
+keccak256(zeroDenominatorRevertData)
+    .assertEq(
+        keccak256(abi.encodeWithSignature("Error(string)", "Math: mulDiv zero denominator")),
+        "zero denominator revert data"
+    );
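Review bot: the `+` lines hard-code an `Error(string)` payload with the message "Math: mulDiv zero denominator" while the note below the hunk admits that string has not been verified, so as written the suggestion replaces a loose check with one that would fail against the vendored code. Before adopting it, confirm which path `mulDiv(1, 1, 0)` takes in the vendored Math.sol: if the zero case is caught by a `require` with a message, that exact string belongs in `abi.encodeWithSignature("Error(string)", ...)`; if instead it falls through to Solidity 0.8 checked division, a zero divisor reverts with `Panic(uint256)` code 0x12, and the expected bytes are `abi.encodeWithSelector(bytes4(keccak256("Panic(uint256)")), 0x12)`, not an `Error(string)` encoding at all. Either way, keep the suggestion's intent of hashing the full revert payload, as the overflow test already does, rather than only checking `length > 0`.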

Note: You'll need to verify the actual revert message used by Solidity for division by zero in Math.mulDiv.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/StreamVendoredLibraries.t.sol` around lines 77 - 80, The
zero-denominator test currently only checks that revert data is non-empty; make
it assert the exact revert payload like the overflow test: after calling
address(harness).staticcall(abi.encodeWithSelector(harness.mulDiv.selector, 1,
1, 0)) use zeroDenominatorRevertData to compare against the expected Solidity
revert encoding (e.g. keccak256(abi.encodeWithSignature("Error(string)",
"<actual division by zero message>")) wrapped via abi.encodeWithSelector or the
appropriate custom error selector if Math.mulDiv uses one); replace the loose
non-empty check with an assertion that keccak256(zeroDenominatorRevertData) ==
keccak256(expectedRevertBytes) so the test validates the exact revert format for
harness.mulDiv.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 81649ebd-612f-4bc5-9285-f42e47c4e8cb

📥 Commits

Reviewing files that changed from the base of the PR and between f042b14 and 20fceb6.

📒 Files selected for processing (9)
  • docs/known-blockers.md
  • docs/status.md
  • docs/vendored-libraries.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • ops/SLITHER_BASELINE.md
  • smart-contracts/Strings.sol
  • test/README.md
  • test/StreamVendoredLibraries.t.sol

@punk6529 punk6529 merged commit 4f1e69a into main Jun 10, 2026
2 checks passed

Development

Successfully merging this pull request may close these issues.

[P0-LIB-001] Prove vendored library provenance or replace retained libraries
