Add dependency version immutability

[punk6529]

Summary

Implements the first P1-META-003 dependency-versioning slice for immutable dependency records and collection dependency pins.

• Converts dependency writes into immutable per-key version records with typed content hashes, provenance, creator, creation block/time, and deprecation state.
• Keeps latest-version helper views for existing callers while adding versioned registry views for scripts, chunks, content hashes, and record metadata.
• Pins each collection to dependency key/version/content hash/registry address at creation and explicit full metadata repins, so later registry versions or registry swaps do not silently alter existing collection output.
• Rejects nonzero unknown dependency keys while preserving bytes32(0) as the explicit no-dependency sentinel and reserving that key from real dependency writes.
• Includes the pinned dependency version/content hash/registry address in collection freeze manifests and exposes collectionDependencyVersionState plus DependencyVersionPinned for indexers/releases.
• Adds focused dependency registry, pinning, repinning, unknown-key, no-dependency, zero-key reservation, registry-swap, and frozen-output stability tests, and updates metadata/status/blocker docs plus roadmap/test traceability.
• Addresses CodeRabbit follow-up by centralizing dependency hash/rendering helper logic in test/helpers/TestHashingUtils.sol and updating the autonomous run timestamp.

Refs #48

Validation

• forge build
• forge test --match-contract StreamDependencyRegistryTest -vvv (10 passed)
• forge test --match-contract "StreamMetadata(Encoding|Freeze)Test" -vvv (10 passed)
• make check
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1
• forge fmt --check smart-contracts\DependencyRegistry.sol smart-contracts\IDependencyRegistry.sol smart-contracts\StreamCore.sol smart-contracts\IStreamCore.sol test\StreamDependencyRegistry.t.sol test\StreamMetadataEncoding.t.sol
• forge fmt --check test\helpers\TestHashingUtils.sol test\StreamDependencyRegistry.t.sol test\StreamMetadataEncoding.t.sol
• git diff --check
• rg -n "^#|^##|^###" ops\ROADMAP.md ops\AUTONOMOUS_RUN.md docs\metadata.md test\README.md
• Traceability grep for dependency pinning, registry address, zero-key/no-dependency, and 10-test validation coverage
• Duplicate-helper grep confirms dependency hash/rendering helpers now live only in test/helpers/TestHashingUtils.sol
• slither . --config-file slither.config.json --foundry-compile-all --json <temp-file> returned accepted nonzero exit with 718 total findings, high/medium unchanged at 4/19, and selected critical detectors still zero for arbitrary-send-eth, reentrancy-eth, weak-prng, encode-packed-collision, and uninitialized-state.

Summary by CodeRabbit

• New Features

  • Immutable, versioned dependency registry and per-collection dependency pinning; freeze manifests now include pinned dependency version/content to keep outputs stable until explicit repin.

• Behavior Changes

  • Creating new registry versions or swapping registries does not change outputs for pinned or frozen collections; explicit repinning triggers metadata update emissions.

• Documentation

  • Revised metadata spec, ERC-4906 guidance, roadmap, and known blockers; remaining work refocused to artifact packaging and migration runbooks.

• Tests

  • Added tests for version immutability, chunk-derived versioning, reserved no-dependency behavior, pinning/repinning, registry swaps, and freeze stability.

• Ops

  • Updated ops state, decision log, and roadmap to reflect merged work and next deliverables.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

Converts DependencyRegistry to immutable per-version dependency records with provenance and typed content hashes; extends registry and core interfaces; StreamCore pins collections to dependency (key, version, contentHash, registry) at create/update and uses pinned values for rendering and freeze-manifest hashing; tests, fixtures, docs, roadmap, and ops updated.

Changes

Dependency Version Immutability

Layer / File(s)	Summary
Documentation and ops updates docs/known-blockers.md, docs/metadata.md, docs/status.md, ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md, test/README.md	Clarifies freeze-manifest inclusion of pinned dependency version/content-hash and registry, rephrases future-work to artifact packaging and deployment migration runbooks, updates roadmap/test-matrix and autonomous-run state, and documents P1-META-003 test targets.
IDependencyRegistry & IStreamCore interfaces smart-contracts/IDependencyRegistry.sol, smart-contracts/IStreamCore.sol	Adds latest/versioned metadata query methods and version-scoped script accessors to IDependencyRegistry; adds collectionDependencyVersionState view to IStreamCore.
DependencyRegistry schema, events, and errors smart-contracts/DependencyRegistry.sol	Introduces per-version dependency records, typed errors (including DependencyKeyReserved, DependencyVersionMissing, DependencyChunkIndexOutOfBounds) and events (DependencyVersionCreated, DependencyVersionDeprecated), and migrates storage to nested per-version mappings with latest-version tracking.
DependencyRegistry operations and internals smart-contracts/DependencyRegistry.sol	Admin writes create immutable versions (addDependencyWithProvenance, index-update derives new version, deprecateDependencyVersion); read APIs gain latest/at-version variants with bounds-checking; internals compute/store typed chunk/content hashes and version metadata.
StreamCore constants, storage, and entry points smart-contracts/StreamCore.sol	Adds collection token-range/update constants, UnknownDependency error, per-collection pinned dependency registry/version/content-hash storage, DependencyVersionPinned event, and pins on createCollection and full updateCollectionInfo paths; minor token-range and setTokenHash checks adjusted.
StreamCore pinning, retrieval, and freeze integration smart-contracts/StreamCore.sol	Adds _pinCollectionDependency helper to resolve and persist pinned dependency tuple (key, version, contentHash, registry), uses pinned version/registry for dependency script assembly and retrieveDependencyScriptContentHash, and stores pinned values in freeze manifest hashing and integration state.
Tests, fixtures, and helpers test/StreamDependencyRegistry.t.sol, test/StreamMetadataEncoding.t.sol, test/helpers/StreamFixture.sol, test/helpers/TestHashingUtils.sol, test/README.md	Adds comprehensive tests for immutable versions, chunk-index-derived versions, deprecation, reserved zero-key behavior, collection pin/repin semantics, pinned-registry address behavior, frozen-output stability, event/log assertion helpers, hashing helpers and test double (ZeroKeyLatestRevertingRegistry), plus FULL_COLLECTION_UPDATE_INDEX and _pinCollectionDependency fixture helper; updates metadata encoding test to pin before assertions.

🎯 4 (Complex) | ⏱️ ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Deployer
  participant StreamCore
  participant DependencyRegistry
  participant FreezeManifest
  Deployer->>StreamCore: createCollection(..., dependencyKey)
  StreamCore->>DependencyRegistry: latestDependencyVersion(dependencyKey)
  DependencyRegistry-->>StreamCore: (version)
  StreamCore->>DependencyRegistry: getDependencyScriptContentHashAtVersion(dependencyKey, version)
  DependencyRegistry-->>StreamCore: (contentHash)
  StreamCore-->>Deployer: emit DependencyVersionPinned(collectionID, dependencyKey, version, contentHash, registry)
  Deployer->>StreamCore: updateCollectionInfo(..., dependencyKey) (repin)
  StreamCore->>DependencyRegistry: getDependencyScriptAtVersion(dependencyKey, pinnedVersion, index)
  StreamCore->>FreezeManifest: include pinned version/contentHash/registry in freeze manifest hash

Loading

Possibly related issues

• [P1-META-003] Add dependency registry versioning, immutability, and provenance #48: Matches this PR’s work on dependency registry versioning, immutability, provenance, and StreamCore per-collection dependency pinning.

Possibly related PRs

• 6529-Collections/6529Stream#84: Overlaps on freeze-manifest hashing and related StreamCore changes.
• 6529-Collections/6529Stream#71: Related dependency-script hashing/typehash work leveraged by the registry and StreamCore.
• 6529-Collections/6529Stream#6: Related StreamFixture setup used by new fixture helpers.

"🐰 I stamp each version with a hop and a grin,
New hashes nest tight where the old ones had been,
Frozen tokens keep secrets that never unspin,
Registries grow — but my garden stays still,
Hooray for pinned roots and immutable will!"

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add dependency version immutability' clearly and accurately summarizes the main change: implementing immutable versioned dependency records in the dependency registry system.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/dependency-version-immutability

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/StreamMetadataEncoding.t.sol (1)

121-140: ⚡ Quick win

Extract duplicated collection-pinning helper into a shared test utility.

_pinCollectionDependency here duplicates the same update payload used in test/StreamDependencyRegistry.t.sol. Moving this into test/helpers/StreamFixture.sol will reduce drift when collection-update fields/constants change.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/StreamMetadataEncoding.t.sol` around lines 121 - 140, The helper
_pinCollectionDependency duplicates the collection update payload used
elsewhere; extract its logic into a shared test utility (e.g., add a
public/internal helper function in StreamFixture with the same signature and
payload constants) and replace the local _pinCollectionDependency implementation
with calls to that shared helper; ensure the new helper exposes the same
parameters (DeployedStream memory deployed, bytes32 dependencyKey) and uses the
same updateCollectionInfo call and script payload so tests in
StreamMetadataEncoding.t.sol and StreamDependencyRegistry.t.sol both call the
single shared implementation.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@smart-contracts/StreamCore.sol`:
- Around line 545-555: The _pinCollectionDependency function currently accepts
bytes32(0) or unknown keys because
dependencyRegistry.latestDependencyVersion(...) can return 0 and
getDependencyScriptContentHashAtVersion(...,0) returns the empty-script hash;
add an explicit validation in _pinCollectionDependency to reject zero/unknown
dependency keys by checking that dependencyNameAndVersion != bytes32(0) and that
dependencyRegistry.latestDependencyVersion(dependencyNameAndVersion) != 0 (or
use a registry-provided exists check) and revert with a clear error (e.g.,
"UnknownDependency" or similar) before reading the content hash; reference the
functions dependencyRegistry.latestDependencyVersion and
dependencyRegistry.getDependencyScriptContentHashAtVersion as the locations to
validate against.

---

Nitpick comments:
In `@test/StreamMetadataEncoding.t.sol`:
- Around line 121-140: The helper _pinCollectionDependency duplicates the
collection update payload used elsewhere; extract its logic into a shared test
utility (e.g., add a public/internal helper function in StreamFixture with the
same signature and payload constants) and replace the local
_pinCollectionDependency implementation with calls to that shared helper; ensure
the new helper exposes the same parameters (DeployedStream memory deployed,
bytes32 dependencyKey) and uses the same updateCollectionInfo call and script
payload so tests in StreamMetadataEncoding.t.sol and
StreamDependencyRegistry.t.sol both call the single shared implementation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 98a5fdf6-709e-4ba4-a092-997f704125be

📥 Commits

Reviewing files that changed from the base of the PR and between 72779ca and e370d75.

📒 Files selected for processing (12)

• docs/known-blockers.md
• docs/metadata.md
• docs/status.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• smart-contracts/DependencyRegistry.sol
• smart-contracts/IDependencyRegistry.sol
• smart-contracts/IStreamCore.sol
• smart-contracts/StreamCore.sol
• test/README.md
• test/StreamDependencyRegistry.t.sol
• test/StreamMetadataEncoding.t.sol

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

smart-contracts/StreamCore.sol (1)

546-552: ⚠️ Potential issue | 🟠 Major

Fix bytes32(0) sentinel drift: reserve it in DependencyRegistry write paths (and/or force StreamCore to ignore 0-key versions).

• DependencyRegistry._createDependencyVersion accepts bytes32 _collectionDependencyName and creates versions by doing latestDependencyVersions[_collectionDependencyName] + 1 with no require(_collectionDependencyName != bytes32(0)), so real dependency versions can be created for bytes32(0).
• StreamCore._pinCollectionDependency only reverts on dependencyNameAndVersion != bytes32(0) && version == 0; when dependencyNameAndVersion == bytes32(0), it will still pin latestDependencyVersion(bytes32(0)) if non-zero—so the intended “no dependency” sentinel can change behavior if a 0-key entry is ever written.
• Add an explicit rejection for bytes32(0) in DependencyRegistry (e.g., in _createDependencyVersion / public add* entrypoints), and/or harden StreamCore._pinCollectionDependency to force version = 0 (and thus empty-script hash) whenever dependencyNameAndVersion == bytes32(0).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@smart-contracts/StreamCore.sol` around lines 546 - 552, Reject the bytes32(0)
sentinel on write in DependencyRegistry by adding a
require(_collectionDependencyName != bytes32(0)) in the creation/add entrypoints
(e.g., in _createDependencyVersion and any public add* functions that call it)
so no real versions can be recorded under the zero key, and also harden
StreamCore._pinCollectionDependency to treat dependencyNameAndVersion ==
bytes32(0) as “no dependency” by skipping the registry lookup and forcing
version = 0 (or returning early) instead of using
latestDependencyVersion(bytes32(0)); reference
DependencyRegistry._createDependencyVersion, latestDependencyVersions, and
StreamCore._pinCollectionDependency.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@smart-contracts/StreamCore.sol`:
- Around line 546-552: Reject the bytes32(0) sentinel on write in
DependencyRegistry by adding a require(_collectionDependencyName != bytes32(0))
in the creation/add entrypoints (e.g., in _createDependencyVersion and any
public add* functions that call it) so no real versions can be recorded under
the zero key, and also harden StreamCore._pinCollectionDependency to treat
dependencyNameAndVersion == bytes32(0) as “no dependency” by skipping the
registry lookup and forcing version = 0 (or returning early) instead of using
latestDependencyVersion(bytes32(0)); reference
DependencyRegistry._createDependencyVersion, latestDependencyVersions, and
StreamCore._pinCollectionDependency.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e9b07f50-c9ba-472b-88da-d4e5fa66e2f6

📥 Commits

Reviewing files that changed from the base of the PR and between e370d75 and 9cc8ac8.

📒 Files selected for processing (7)

• docs/metadata.md
• ops/AUTONOMOUS_RUN.md
• smart-contracts/StreamCore.sol
• test/README.md
• test/StreamDependencyRegistry.t.sol
• test/StreamMetadataEncoding.t.sol
• test/helpers/StreamFixture.sol

💤 Files with no reviewable changes (1)

• test/StreamMetadataEncoding.t.sol

✅ Files skipped from review due to trivial changes (1)

• test/README.md

🚧 Files skipped from review as they are similar to previous changes (2)

• docs/metadata.md
• ops/AUTONOMOUS_RUN.md

[punk6529]

@coderabbitai review

Latest head is 9cc8ac86a68a2fefe9b8d7cc6e604d97b4d25c33. CI is green, the prior actionable thread is resolved, and the review-fix validation evidence is in the PR body. Please re-check the latest head before merge.

[coderabbitai]

@punk6529 Acknowledged — CI green, prior thread resolved, and validation evidence noted. Triggering a fresh full review of the latest head (9cc8ac86a68a2fefe9b8d7cc6e604d97b4d25c33) now.

✅ Action performed

Full review finished.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@smart-contracts/StreamCore.sol`:
- Around line 546-559: _pinCollectionDependency currently pins only version and
content hash but not the registry address, so later reads may resolve against a
mutated dependencyRegistry and break immutability; modify
_pinCollectionDependency to also store the current dependencyRegistry address
into a new or existing mapping (e.g.,
collectionDependencyRegistries[_collectionID]) and emit it if appropriate, then
update all readers (collectionDependencyVersionState(),
retrieveDependencyScript(), retrieveDependencyScriptContentHash() and the code
blocks around the other affected regions noted) to read from that pinned
collectionDependencyRegistries[_collectionID] instead of the global
dependencyRegistry so all lookups use the exact same registry that produced the
pinned version/content-hash.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ccbdf53b-8921-4502-bf76-966790e6747c

📥 Commits

Reviewing files that changed from the base of the PR and between 72779ca and 9cc8ac8.

📒 Files selected for processing (13)

• docs/known-blockers.md
• docs/metadata.md
• docs/status.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• smart-contracts/DependencyRegistry.sol
• smart-contracts/IDependencyRegistry.sol
• smart-contracts/IStreamCore.sol
• smart-contracts/StreamCore.sol
• test/README.md
• test/StreamDependencyRegistry.t.sol
• test/StreamMetadataEncoding.t.sol
• test/helpers/StreamFixture.sol

[punk6529]

@coderabbitai review

Latest head is 08da0f7ccb81ec4cc9f117d0b19c134819d8b53f. This addresses the registry-address pinning thread by storing and using the pinned dependency registry address for state views, dependency script reads, DependencyVersionPinned, and freeze manifests.

Local validation evidence is in the PR body: dependency suite 10/10, adjacent metadata suites pass, full make check, Windows wrapper, formatting, whitespace, heading/traceability checks, and Slither high/medium unchanged at 4/19. Please re-check the latest head before merge.

[coderabbitai]

@punk6529 Acknowledged — validation evidence noted (dependency suite 10/10, adjacent metadata suites green, full make check, Windows wrapper, formatting/whitespace/heading/traceability checks, Slither high/medium unchanged at 4/19). Triggering a fresh full review of the latest head (08da0f7ccb81ec4cc9f117d0b19c134819d8b53f) now.

✅ Action performed

Full review finished.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/StreamDependencyRegistry.t.sol (1)

540-563: 💤 Low value

Consider extracting duplicated hash helpers to a shared test utility.

The _contentHash, _chunkHash, and _expectedGenerativeScript helper functions are duplicated between StreamDependencyRegistry.t.sol and StreamMetadataEncoding.t.sol. While acceptable for test independence, extracting these to a shared test utility contract would reduce duplication and ensure consistency if the hashing logic needs updates.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/StreamDependencyRegistry.t.sol` around lines 540 - 563, The helper
functions _contentHash, _chunkHash, and _expectedGenerativeScript are duplicated
across tests; extract them into a shared test utility contract (e.g.,
TestHashingUtils) and have both StreamDependencyRegistry.t.sol and
StreamMetadataEncoding.t.sol inherit or import that utility instead of
redefining the functions. Move the implementations of _contentHash and
_chunkHash (and _expectedGenerativeScript) into the new utility, keep the same
function signatures and DEPENDENCY_* TYPEHASH constants accessible (export or
replicate only in the utility if needed), remove the duplicated definitions from
both test files, and update the tests to call the shared functions (or inherit
the utility contract) so hashing logic stays centralized and consistent.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ops/AUTONOMOUS_RUN.md`:
- Line 40: The "Last updated" header entry is stale; update the timestamp string
in the AUTONOMOUS_RUN.md header line labeled "Last updated" to match the most
recent Decision Log entry (e.g., change `2026-06-11 02:17 UTC` to `2026-06-11
02:45 UTC`) so the file header is consistent with the timeline; ensure the exact
timestamp format and backticks are preserved.

---

Nitpick comments:
In `@test/StreamDependencyRegistry.t.sol`:
- Around line 540-563: The helper functions _contentHash, _chunkHash, and
_expectedGenerativeScript are duplicated across tests; extract them into a
shared test utility contract (e.g., TestHashingUtils) and have both
StreamDependencyRegistry.t.sol and StreamMetadataEncoding.t.sol inherit or
import that utility instead of redefining the functions. Move the
implementations of _contentHash and _chunkHash (and _expectedGenerativeScript)
into the new utility, keep the same function signatures and DEPENDENCY_*
TYPEHASH constants accessible (export or replicate only in the utility if
needed), remove the duplicated definitions from both test files, and update the
tests to call the shared functions (or inherit the utility contract) so hashing
logic stays centralized and consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fdf92927-ee23-45f4-b611-4265a1559e42

📥 Commits

Reviewing files that changed from the base of the PR and between 72779ca and 08da0f7.

📒 Files selected for processing (13)

• docs/known-blockers.md
• docs/metadata.md
• docs/status.md
• ops/AUTONOMOUS_RUN.md
• ops/ROADMAP.md
• smart-contracts/DependencyRegistry.sol
• smart-contracts/IDependencyRegistry.sol
• smart-contracts/IStreamCore.sol
• smart-contracts/StreamCore.sol
• test/README.md
• test/StreamDependencyRegistry.t.sol
• test/StreamMetadataEncoding.t.sol
• test/helpers/StreamFixture.sol

[punk6529]

@coderabbitai review

Latest head is 1ec5147f6a79d819cc2b3c373d670e3186d96713. This addresses the fresh follow-up by updating ops/AUTONOMOUS_RUN.md's Last updated timestamp to match the newest decision-log entry and moving the duplicated dependency hash/rendering helpers into test/helpers/TestHashingUtils.sol, with both affected tests inheriting the shared helper.

Validation passed locally after the follow-up:

• forge test --match-contract StreamDependencyRegistryTest -vvv (10 passed)
• forge test --match-contract "StreamMetadata(Encoding|Freeze)Test" -vvv (10 passed)
• make check
• powershell -ExecutionPolicy Bypass -File scripts\check.ps1
• forge fmt --check test\helpers\TestHashingUtils.sol test\StreamDependencyRegistry.t.sol test\StreamMetadataEncoding.t.sol
• git diff --check
• Duplicate-helper grep confirms the dependency hash/rendering helpers now live only in test/helpers/TestHashingUtils.sol.

[coderabbitai]

@punk6529 Acknowledged — validation evidence noted (dependency suite 10/10, StreamMetadata(Encoding|Freeze)Test 10/10, full make check, Windows wrapper, forge fmt --check on the new helper and both affected tests, git diff --check, and grep confirming the dependency hash/rendering helpers now live exclusively in test/helpers/TestHashingUtils.sol). Triggering a fresh full review of the latest head (1ec5147f6a79d819cc2b3c373d670e3186d96713) now.

✅ Action performed

Full review finished.

[punk6529]

@coderabbitai resume

Latest head remains 1ec5147f6a79d819cc2b3c373d670e3186d96713. The previous full-review command was acknowledged, but the aggregate CodeRabbit status is still pending and the summary comment still shows reviews paused. Please resume/review this latest head.

[punk6529]

Merging with CodeRabbit aggregate status treated as stale.

Current evidence before merge:

• Latest head: 1ec5147f6a79d819cc2b3c373d670e3186d96713
• GitHub Actions CI run 27320421786: completed successfully
• PR is mergeable
• All CodeRabbit review threads are resolved or outdated
• Latest CodeRabbit release notes/summary were refreshed on this head
• @coderabbitai review was acknowledged, and @coderabbitai resume was posted after the summary still showed paused review state
• The only remaining status is CodeRabbit: pending with no target URL, while no new actionable comments have appeared

Local validation for the final head is captured in the PR body, including full make check, Windows wrapper, focused dependency and metadata/freeze suites, formatting, whitespace, traceability grep, and Slither comparison with high/medium unchanged at 4/19.

[coderabbitai]

@punk6529 Acknowledged — resuming reviews now and triggering a fresh full review of 1ec5147f6a79d819cc2b3c373d670e3186d96713.

✅ Action performed

Reviews resumed.

---

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

@punk6529 Understood — the merge decision is well-supported: CI green on 1ec5147f6a79d819cc2b3c373d670e3186d96713, all CodeRabbit threads resolved or outdated, and comprehensive local validation captured in the PR body (full make check, Windows wrapper, dependency suite 10/10, StreamMetadata(Encoding|Freeze)Test 10/10, formatting/whitespace/traceability checks, Slither high/medium unchanged at 4/19). The stale CodeRabbit: pending status with no target URL is a known stuck-status condition that doesn't reflect any unresolved review concern. Resuming now to clear the paused state for subsequent PRs.

✅ Action performed

Reviews resumed.