6529-Collections · punk6529 · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
@@ -65,8 +65,11 @@ contributors who start from the README.
   default locals explicitly and have targeted regressions for string counting,
   delegation status/gating, empty-script rendering, and minter return indexes.
 - Slither high/medium findings are captured in `ops/SLITHER_BASELINE.md`;
-  current high/medium findings are limited to vendored-library triage and
-  accepted test-only helper findings before audit readiness.
+  current high/medium rows are now fixed, documented as false positives for
+  retained OpenZeppelin utility libraries, or accepted as test-only helper
+  findings. Vendored-library provenance is tracked in
+  `docs/vendored-libraries.md`. Low, informational, and optimization findings
+  remain outside the current CI gate.
 - Auction custody, auction bid/outbid payment, auction settlement-credit,
   fixed-price pull-payment, curator reward-credit, StreamMinter
   emergency-surplus, randomizer request lifecycle, randomizer callback

@@ -13,9 +13,10 @@ The current Gate A smoke baseline proves:
   randomness lifecycle behavior. Current emergency-withdrawal target-state
   tests also cover explicit emergency recipients, `StreamMinter` surplus
   withdrawal, `NextGenRandomizerRNG` reserve boundaries, dependency-script
-  segment-safe content hashing, explicit local-initialization regressions, and
-  retained airdrop mint-accounting behavior after removal of dead
-  public/allowlist counters.
+  segment-safe content hashing, explicit local-initialization regressions,
+  vendored OpenZeppelin utility-library provenance/behavior regressions, and
+  retained airdrop mint-accounting behavior after removal of dead public/allowlist
+  counters.
 - Randomizer tests now cover request lifecycle views, callback validation,
   raw-output hash storage, failed post-processing state, bounded deterministic
   post-processing retry, and the conservative provider-migration policy that
@@ -32,12 +33,9 @@ The current tests are regression tripwires, not a correctness proof. Known
 blockers remain tracked in `ops/ROADMAP.md`, including broader pull-payment
 accounting and cross-contract invariants, fuller randomizer reserve lifecycle
 accounting, callback-after-burn policy, canonical randomizer lifecycle
-  ownership, remaining static-analysis triage beyond the now-fixed
-  `uninitialized-state` mint-accounting, first-party production
-  `uninitialized-local`, and `weak-prng` helper rows, signer lifecycle
-  operations,
-dependency version/freeze manifest work, deployment discipline, and the broader
-P0/P1 test suite.
+ownership, lower-impact static-analysis cleanup beyond the now-triaged
+high/medium baseline, signer lifecycle operations, dependency version/freeze
+manifest work, deployment discipline, and the broader P0/P1 test suite.
 
 Contributor and security intake files exist so future work can be packaged and
 reviewed consistently, but they do not change the pre-audit status.
@@ -0,0 +1,50 @@
+# Vendored Libraries
+
+This repository currently keeps a small set of OpenZeppelin utility libraries
+under `smart-contracts/` instead of importing them from a package manager.
+Vendored files are allowed only when their provenance, local deltas, and
+static-analysis disposition are recorded here.
+
+## Manifest
+
+| Local file | Upstream source | Upstream SHA-256 | Local SHA-256 | Local delta |
+| --- | --- | --- | --- | --- |
+| `smart-contracts/Base64.sol` | [OpenZeppelin Contracts v4.7.0 `contracts/utils/Base64.sol`](https://raw.githubusercontent.com/OpenZeppelin/openzeppelin-contracts/v4.7.0/contracts/utils/Base64.sol) | `9FBD7A4462F54BBB6B0BD03231738E5F081A092E9A8FD789FB4D1AECA3758AEC` | `3735F85C6E229E85144FBB306CD46F83BCD6965DF4705A97D06AA22F2AB8261E` | Local pragma is `^0.8.19` instead of upstream `^0.8.0`; encoding logic is unchanged. |
+| `smart-contracts/Math.sol` | [OpenZeppelin Contracts v4.8.0 `contracts/utils/math/Math.sol`](https://raw.githubusercontent.com/OpenZeppelin/openzeppelin-contracts/v4.8.0/contracts/utils/math/Math.sol) | `8059D642EC219D0B9B62FBC76912079529CF494CAC988ABE5E371F1168B29B0F` | `D684AE61F88D564DE2D0515BC6356D0972C3CF9421F185A862D30662B7E1AD21` | Local copy keeps equivalent arithmetic with formatting deltas, an added denominator-zero comment, an overflow revert string, and `1 << (result << 3)` instead of upstream `1 << (result * 8)`. The arithmetic result is unchanged; overflow revert data differs. |
+| `smart-contracts/SignedMath.sol` | [OpenZeppelin Contracts v4.8.0 `contracts/utils/math/SignedMath.sol`](https://raw.githubusercontent.com/OpenZeppelin/openzeppelin-contracts/v4.8.0/contracts/utils/math/SignedMath.sol) | `420A5A5D8D94611A04B39D6CF5F02492552ED4257EA82ABA3C765B1AD52F77F6` | `AEECC7E5AD0F981B63B486E2F296BB12439CA6C500FA1E62C7471AD7F72CA429` | Content matches upstream except local file ending. |
+| `smart-contracts/Strings.sol` | [OpenZeppelin Contracts v4.9.0 `contracts/utils/Strings.sol`](https://raw.githubusercontent.com/OpenZeppelin/openzeppelin-contracts/v4.9.0/contracts/utils/Strings.sol) | `CB2DF477077A5963AB50A52768CB74EC6F32177177A78611DDBBE2C07E2D36DE` | `FD2B96FEACEA647D67A888537B75C4673C4193F444FAAE892634E5FC11C922D2` | Local imports point at sibling files in `smart-contracts/`; code behavior is otherwise unchanged. |
+
+## Slither Disposition
+
+The current high/medium Slither findings against these libraries are treated as
+false positives for `P0-LIB-001`:
+
+- `incorrect-exp` in `Math.mulDiv(...)`: Solidity uses `^` for bitwise XOR, not
+  exponentiation. The expression `(3 * denominator) ^ 2` is the OpenZeppelin
+  modular-inverse seed used by the full-precision `mulDiv` algorithm.
+- `divide-before-multiply` in `Math.mulDiv(...)`: the flagged operations are
+  part of the OpenZeppelin 512-bit multiplication/division algorithm and are
+  not lossy reorderable payment or accounting arithmetic.
+- `divide-before-multiply` in `Base64.encode(...)`: the flagged length formula
+  intentionally computes `4 * ceil(data.length / 3)` for Base64 output sizing;
+  padding golden vectors cover the non-multiple-of-three cases.
+
+Regression coverage lives in `test/StreamVendoredLibraries.t.sol` and covers
+Base64 golden vectors, binary padding, `mulDiv` full-precision boundaries,
+rounding-up behavior, overflow, and zero-denominator reverts.
+
+## Verification Commands
+
+Use these commands when updating a vendored file:
+
+```powershell
+Get-FileHash smart-contracts\Base64.sol -Algorithm SHA256
+Get-FileHash smart-contracts\Math.sol -Algorithm SHA256
+Get-FileHash smart-contracts\SignedMath.sol -Algorithm SHA256
+Get-FileHash smart-contracts\Strings.sol -Algorithm SHA256
+forge test --match-path test\StreamVendoredLibraries.t.sol -vvv
+```
+
+When a vendored file changes, update this manifest, rerun the focused
+regressions, and refresh `ops/SLITHER_BASELINE.md` if static-analysis status or
+counts change.
@@ -37,7 +37,7 @@ tests, security hardening, deployment discipline, and release/audit readiness.
 | Last merged PR | `https://github.com/6529-Collections/6529Stream/pull/74` |
 | Roadmap file | `ops/ROADMAP.md` |
 | State file | `ops/AUTONOMOUS_RUN.md` |
-| Last updated | `2026-06-10 19:30 UTC` |
+| Last updated | `2026-06-10 20:01 UTC` |
 
 ## Packaging Notes
 
@@ -87,7 +87,8 @@ The queue will evolve as PRs merge and bot feedback arrives.
 | 30 | Fix dependency script packed encoding | Gate C/Gate D | Implement P0-META-001 typed dependency chunk/content hashes, preserve rendered-script compatibility, add metadata encoding tests, and update Slither/roadmap traceability | Merged in PR #71 |
 | 31 | Remove dead mint-accounting state | Gate C | Implement P0-CORE-001 by removing never-written public/allowlist mint counters, keeping retained airdrop-counter tests, and updating Slither/roadmap traceability | Merged in PR #72 |
 | 32 | Remove weak helper randomness | Gate C | Implement P0-RAND-008 by removing the concrete `XRandoms` helper from production source, preserving the `RandomizerNXT` legacy-only regression, and updating Slither/roadmap traceability | Merged in PR #74 |
-| 33 | Resolve first-party uninitialized locals | Gate C | Implement P0-INIT-001 by explicitly initializing remaining production locals, adding targeted regression tests, and updating Slither/roadmap traceability | Open in PR #75 |
+| 33 | Resolve first-party uninitialized locals | Gate C | Implement P0-INIT-001 by explicitly initializing remaining production locals, adding targeted regression tests, and updating Slither/roadmap traceability | Merged in PR #75 |
+| 34 | Prove vendored library provenance | Gate F | Complete P0-LIB-001 by documenting retained OpenZeppelin utility provenance, marking vendored Slither rows as false positives with proof, and adding focused Base64/Math regressions | In progress on `codex/prove-vendored-library-provenance` |
 
 ## Current PR Worklog
 
@@ -2798,7 +2799,7 @@ Outcome:
 
 ### PR #75: Resolve first-party uninitialized locals (Queue Item 33)
 
-Status: Open.
+Status: Merged.
 Branch: `codex/resolve-uninitialized-locals`.
 Pull request: `#75`.
 Related issue:
@@ -2866,6 +2867,84 @@ Validation so far:
 
 Review requests:
 
+- CodeRabbit finished successfully on final head `b28466f`.
+- Claude is intentionally skipped per current user instruction; use CodeRabbit
+  unless risk or future user instruction changes.
+
+Outcome:
+
+- Merged as PR #75 on `2026-06-10`.
+- GitHub CI run `27301659259` passed on the final head.
+- CodeRabbit status was green and both actionable review threads were marked
+  addressed.
+- Issue #15 closed completed.
+
+### PR TBD: Prove vendored library provenance (Queue Item 34)
+
+Status: Ready to open PR.
+Branch: `codex/prove-vendored-library-provenance`.
+Pull request: TBD.
+Related issue:
+
+- `https://github.com/6529-Collections/6529Stream/issues/11`
+
+Goal:
+
+- Complete `P0-LIB-001` by proving provenance for retained OpenZeppelin utility
+  files and resolving the remaining vendored high/medium Slither rows without
+  suppressing detectors.
+- Add focused regressions for the exact `Base64` and `Math.mulDiv` behavior
+  Slither flags.
+- Keep the current import layout stable; do not introduce package-manager churn
+  in the same PR.
+
+Candidate files:
+
+- `docs/vendored-libraries.md`
+- `smart-contracts/Strings.sol`
+- `test/StreamVendoredLibraries.t.sol`
+- `docs/known-blockers.md`
+- `docs/status.md`
+- `test/README.md`
+- `ops/ROADMAP.md`
+- `ops/SLITHER_BASELINE.md`
+- `ops/AUTONOMOUS_RUN.md`
+
+Implementation notes:
+
+- Added a vendored-library manifest with OpenZeppelin tag URLs, upstream
+  hashes, local hashes, and local delta notes.
+- Corrected the `Strings.sol` provenance header to the v4.9.0 OpenZeppelin
+  content it actually matches, while keeping local sibling imports.
+- Added focused Base64 golden-vector/padding tests and `Math.mulDiv`
+  precision, rounding, overflow, and zero-denominator tests.
+- Updated Slither baseline, roadmap, status, blockers, and test README
+  traceability so the vendored rows are documented false positives rather than
+  `Needs Issue`.
+
+Validation so far:
+
+- `forge fmt --check test\StreamVendoredLibraries.t.sol` passed.
+- Focused `forge test --match-path test\StreamVendoredLibraries.t.sol -vvv`
+  passed: 5 tests, 0 failed.
+- `make check` passed on the final local head: 187 tests, 0 failed.
+- `powershell -ExecutionPolicy Bypass -File scripts\check.ps1` passed on the
+  final local head: 187 tests, 0 failed.
+- `git diff --check` passed.
+- Markdown heading scan passed for the vendored-library doc, status docs, test
+  README, roadmap, Slither baseline, and autonomous run state.
+- Traceability grep passed for `P0-LIB-001`, `StreamVendoredLibraries`,
+  `docs/vendored-libraries.md`, `False Positive`, `incorrect-exp`,
+  `divide-before-multiply`, OpenZeppelin v4.7.0/v4.8.0/v4.9.0 tags, and the
+  `668 total` / `4 High and 19 Medium` Slither status.
+- Slither confirmation returned
+  `{"slither_exit":-1,"total":668,"high":4,"medium":19,"low":63,"informational":575,"optimization":7,"incorrect_exp":1,"divide_before_multiply":9,"unused_return":1}`.
+- The only current `unused-return` row remains the accepted test-only
+  `StreamDropsERC1271Test` tuple helper; the vendored-library test adds no
+  high/medium Slither rows.
+
+Review requests:
+
 - CodeRabbit will be requested after the PR is opened.
 - Claude is intentionally skipped per current user instruction; use CodeRabbit
   unless risk or future user instruction changes.
@@ -3099,6 +3178,10 @@ Review requests:
 | 2026-06-10 19:20 | Select Queue Item 33 | Next focused P0 Slither blocker is `P0-INIT-001`, because explicit local initialization can eliminate remaining first-party production `uninitialized-local` rows while preserving behavior |
 | 2026-06-10 19:25 | Implement Queue Item 33 local draft | Initialized remaining first-party production locals explicitly, added `StreamInitialization.t.sol`, and refreshed Slither/roadmap/status/test traceability; Slither now reports one accepted test-only `uninitialized-local` row, `total=666`, `high=4`, and `medium=19` |
 | 2026-06-10 19:30 | Finish local Queue Item 33 validation | Focused initialization tests, full `make check`, Windows wrapper, targeted formatting, whitespace, heading scan, traceability grep, and Slither confirmation all pass; Slither final JSON has `uninitialized_local=1` test-only, `total=666`, `high=4`, and `medium=19` |
+| 2026-06-10 19:46 | Merge PR #75 | First-party production uninitialized locals merged as `f042b14a43ed427fa57567d8d58a65ca2851e382`; issue #15 closed completed after CI and CodeRabbit were green |
+| 2026-06-10 19:48 | Select Queue Item 34 | The only remaining non-test high/medium Slither rows are vendored OpenZeppelin utility-library findings owned by `P0-LIB-001` |
+| 2026-06-10 19:55 | Implement Queue Item 34 local draft | Added vendored-library provenance docs, Base64/Math regressions, `Strings.sol` header correction, and Slither/roadmap/status/test traceability for false-positive disposition |
+| 2026-06-10 20:01 | Finish local Queue Item 34 validation | Focused vendored tests, full `make check`, Windows wrapper, formatting, whitespace, heading scan, traceability grep, and Slither confirmation all pass; high/medium Slither counts remain `4 High / 19 Medium` and vendored rows are documented false positives |
 
 ## Resume Instructions