Update release and migration notes + small docs changes

rkalis · rkalis · commit 8bf234eb0066 · 2026-02-19T10:51:43.000+01:00
diff --git a/website/docs/language/contracts.md b/website/docs/language/contracts.md
@@ -71,8 +71,8 @@ Function parameters are passed in the reversed order of their declaration. This
 
 In CashScript the types for the function arguments are **not** enforced automatically at the contract level. This can be especially relevant for types like `bool`, `bytesX` and other semantic bytes types. Instead this type information is only used by the SDK to check whether these arguments match the expected type during transaction building.
 
-:::caution
-The typings for the function arguments are only semantic, this means the length of bounded bytes types like `bytes20` are **not** contract enforced automatically. Instead add an explicit length check `require(item.length == 20)`.
+:::info
+The typings for function arguments are enforced by default for boolean values and bounded bytes types such as `bytes20` and `bytes32`.
 :::
 
 ## Statements
diff --git a/website/docs/releases/migration-notes.md b/website/docs/releases/migration-notes.md
@@ -52,6 +52,41 @@ require(bool(5) == true); // => true || compiles to 0x05 OP_0NOTEQUAL 0x01 OP_NU
 
 If you want to keep the old behaviour (without added opcodes), you can use the `unsafe_bool()` casting function instead.
 
+#### Function parameter type enforcement
+
+Function parameter types are now strictly enforced by default. Previously, no length checks were performed on bounded bytes types like `bytes20` and `bytes32` and no value checks were performed on boolean values. That meant that you could pass arguments to functions that were not of the correct type, which could lead to runtime vulnerabilities.
+
+We made this the new compiler default because it is more secure and more explicit. If you want to opt out of this behaviour, you can set the `enforceFunctionParameterTypes` option to `false` in the compiler options when compiling programatically, or use the `--skip-enforce-function-parameter-types` flag when using the CLI.
+
+Now, the compiler adds extra opcodes to the script to enforce the correct types. If you pass a byte string of an incorrect length to a function that expects e.g. a `bytes20`, the transaction will fail. If you pass in a numeric non-boolean value to a function that expects a `bool`, it will be converted to a boolean value using the `OP_0NOTEQUAL` opcode. If you pass in a non-numeric value to a function that expects a `bool`, the transaction will fail.
+
+We added no extra checks for `int` values, because any numeric operations on a non-numeric value will automatically fail the entire transaction.
+
+### CashScript SDK
+
+The `addressType` option on the `Contract` constructor has been renamed to `contractType`.
+
+```ts
+// Before: addressType option
+const contract = new Contract(artifact, constructorArgs, { addressType: 'p2sh32' });
+
+// After: contractType option
+const contract = new Contract(artifact, constructorArgs, { contractType: 'p2sh32' });
+```
+
+### Network Provider
+
+If you are using a custom network provider, you will need to update the code for the custom provider to implement the new `getUtxosForLockingBytecode()` method to be compatible with the new `NetworkProvider` interface.
+
+```ts
+  /**
+   * Retrieve all UTXOs (confirmed and unconfirmed) for a given locking bytecode.
+   * @param lockingBytecode The locking bytecode for which we wish to retrieve UTXOs.
+   * @returns List of UTXOs spendable by the provided locking bytecode.
+   */
+  getUtxosForLockingBytecode(lockingBytecode: Uint8Array | string): Promise<Utxo[]>;
+```
+
 ## v0.11 to v0.12
 
 There are several breaking changes to the SDK in this release.
diff --git a/website/docs/releases/release-notes.md b/website/docs/releases/release-notes.md
@@ -2,22 +2,29 @@
 title: Release Notes
 ---
 
-## v0.13.0-next.3
+## v0.13.0-next.4
 
 This release contains several breaking changes, please refer to the [migration notes](/docs/releases/migration-notes) for more information.
 
 #### cashc compiler
 - :sparkles: Add support for `do {} while ()` loops.
 - :sparkles: Add support for bitwise and arithmetic shift operators (`<<`, `>>`) and bitwise inversion (`~`).
 - :sparkles: Add `unsafe_bool()` and `unsafe_int()` casting for semantic-only casts.
+- :hammer_and_wrench: **BREAKING**: Function parameter types are now strictly enforced (bounded bytes and boolean values).
+- :hammer_and_wrench: Add compiler option to `cashc` (programmatic and CLI compilation) to allow for opting out of function parameter type enforcement.
 - :bug: **BREAKING**: Fix issue where `bool()` casting did not change the value of the argument.
 - :boom: **BREAKING**: Rename `bytes4(int)` and `bytes(int, 4)` to `toPaddedBytes(int, 4)`.
 - :boom: **BREAKING**: Rename `bytes4(bytes)` to `unsafe_bytes4(bytes)`.
-- :racehorse: Add optimisations for negated number comparisons.
+- :racehorse: Add optimisations for negated number comparisons and boolean comparisons.
 
 #### CashScript SDK
 
 - :sparkles: Add support for `do {} while ()` loops in debug tooling.
+- :sparkles: Add support for `p2s` contract type.
+- :sparkles: Add `lockingBytecode` property to `Contract` class.
+- :sparkles: Add `getUtxosForLockingBytecode()` method to `ElectrumNetworkProvider` class and `MockNetworkProvider` interface.
+- :hammer_and_wrench: **BREAKING**: Rename `addressType` option on `Contract` constructor to `contractType`.
+- :hammer_and_wrench: **BREAKING**: Remove undocumented `redeemScript` property from `Contract` class.
 - :hammer_and_wrench: Update default VM target to `BCH_2026_05`.
 - :hammer_and_wrench: Improve package size by tidying up dependencies.
 
diff --git a/website/docs/sdk/instantiation.md b/website/docs/sdk/instantiation.md
@@ -29,7 +29,7 @@ If compilation is done using the `cashc` CLI with the <span style={{ display: 'i
 
 The `NetworkProvider` option is used to manage network operations for the CashScript contract. By default, a mainnet `ElectrumNetworkProvider` is used, but the network providers can be configured. See the docs on [NetworkProvider](/docs/sdk/network-provider).
 
-The `contractType` option is used to choose between a `p2sh20`, `p2sh32` or `p2s` contract type for the CashScript contract. By default `p2sh32` is used because it has increased cryptographic security — but it is not yet supported by all wallets.
+The `contractType` option is used to choose between a `p2sh20`, `p2sh32` or `p2s` contract type for the CashScript contract. By default `p2sh32` is used because it has increased cryptographic security over `p2sh20` — but it is not yet supported by all wallets. `p2s` is a new contract type where the contract code is not hidden behind a hash. This has some benefits for public visibility of the contract code.
 
 :::caution
 p2sh32 was introduced because p2sh20 is cryptographically insecure for a large subset of smart contracts. For contracts holding large sums of BCH this provides an incentive to find a hash collision and hack the contract.
