chore: promote dev to canary for OP Sepolia staging

.github/dependabot.yml

@@ -44,6 +44,6 @@ updates:
       - dependency-name: "@hono/node-server"
         versions: ["<= 1.13.8"]
       - dependency-name: "drizzle-orm"
-        versions: ["<= 0.38.1"]
+        versions: ["<= 0.38.4"]
       - dependency-name: "@stablelib/ed25519"
         versions: ["<= 1.0.3"]

.github/workflows/_reusable-contracts-slither.yml

@@ -2,12 +2,6 @@ name: Reusable Contracts Slither
 
 on:
   workflow_call:
-    inputs:
-      foundry_version:
-        description: Foundry version used for Slither compile path
-        required: false
-        default: "1.5.0"
-        type: string
 
 jobs:
   slither-core:
@@ -29,23 +23,8 @@ jobs:
         run: pip install slither-analyzer==0.11.5
 
       - name: Setup Foundry
-        uses: ./.github/actions/setup-foundry
-        with:
-          foundry-version: ${{ inputs.foundry_version }}
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Run Slither on MARK core contracts
         working-directory: contracts
-        run: |
-          for target in \
-            src/token/RYLA.sol \
-            src/bridge/MARKBridgeAdapter.sol \
-            src/settlement/MARKSettlementModule.sol \
-            src/settlement/verifier/AttestedSettlementVerifier.sol
-          do
-            slither "$target" \
-              --solc-remaps "@interop-lib/=lib/interop-lib/src/ @openzeppelin/=lib/createx/lib/openzeppelin-contracts/" \
-              --exclude-dependencies \
-              --exclude "naming-convention,timestamp,arbitrary-send-erc20,reentrancy-balance,reentrancy-benign" \
-              --filter-paths "lib|test|script|out|cache" \
-              --fail-medium
-          done
+        run: make slither-core

.github/workflows/circuits-ci.yml

@@ -0,0 +1,43 @@
+name: Circuits CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - canary
+      - dev
+
+jobs:
+  circuits-test:
+    name: Circuits Witness Tests
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: circuits
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+
+      - name: Install circom
+        run: |
+          CIRCOM_VERSION="v2.2.3"
+          CIRCOM_URL="https://github.com/iden3/circom/releases/download/${CIRCOM_VERSION}/circom-linux-amd64"
+          curl -L "$CIRCOM_URL" -o circom
+          chmod +x circom
+          sudo mv circom /usr/local/bin/circom
+          circom --version
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run witness tests
+        run: npm test

.github/workflows/codeql.yml

@@ -3,12 +3,6 @@ name: CodeQL
 on:
   pull_request:
     branches: [main, canary, dev]
-    paths:
-      - "src/**"
-      - "contracts/**"
-      - "package.json"
-      - "pnpm-lock.yaml"
-      - ".github/workflows/codeql.yml"
   push:
     branches: [main, canary, dev]
     paths:

.github/workflows/contracts-ci.yml

@@ -30,7 +30,7 @@ jobs:
           submodules: recursive
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Enforce architecture boundaries
         run: make architecture-guard
@@ -66,7 +66,7 @@ jobs:
           submodules: recursive
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Start anvil
         run: anvil --host 127.0.0.1 --port 8545 > /tmp/anvil.log 2>&1 &
@@ -120,6 +120,28 @@ jobs:
             .gitCommit != null
           ' broadcast/mark-release-ci.json
 
+      - name: Run pool release orchestrator dry-run
+        run: |
+          TOKEN=$(jq -r '.token' broadcast/mark-release-ci.json)
+          POOL_VERIFIER=$(forge create src/pool/verifier/MARKPoolVerifier.sol:MARKPoolVerifier \
+            --rpc-url $RPC_URL \
+            --private-key $PRIVATE_KEY \
+            --broadcast \
+            --json | jq -r '.deployedTo')
+          if [ -z "$POOL_VERIFIER" ] || [ "$POOL_VERIFIER" = "null" ]; then
+            echo "failed to deploy MARKPoolVerifier for pool dry-run" >&2
+            exit 1
+          fi
+          MARK_RYLA_TOKEN="$TOKEN" \
+          MARK_POOL_VERIFIER="$POOL_VERIFIER" \
+          forge script script/ops/pool/ReleasePool.s.sol --rpc-url $RPC_URL -vv
+
+      # Pool execute smoke is omitted: Foundry's contract size check rejects the
+      # PoseidonT3 library artifact (55,856 bytes) during broadcast even though
+      # via_ir inlines it into MARKPool at compile time (MARKPool itself is 24,298
+      # bytes and deployable). The dry-run above validates the pool release script
+      # logic without triggering the size check. See KI-8 in KNOWN_ISSUES.md.
+
       - name: Print anvil logs on failure
         if: failure()
         run: tail -n 200 /tmp/anvil.log || true
@@ -140,7 +162,7 @@ jobs:
           submodules: recursive
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Run production mode smoke target
         run: make smoke-production-mode
@@ -184,14 +206,21 @@ jobs:
         working-directory: .
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Start supersim
         run: pnpm dev:supersim > /tmp/supersim.log 2>&1 &
         working-directory: .
 
       - name: Wait for supersim readiness
-        run: pnpm wait-port 8420
+        run: |
+          for _ in $(seq 1 30); do
+            if nc -z 127.0.0.1 9545 && nc -z 127.0.0.1 9546; then exit 0; fi
+            sleep 2
+          done
+          echo "supersim did not become ready on ports 9545/9546" >&2
+          tail -n 100 /tmp/supersim.log || true
+          exit 1
         working-directory: .
 
       - name: Run integration suite

.github/workflows/contracts-mainnet-readiness.yml

@@ -64,7 +64,7 @@ jobs:
         run: pip install slither-analyzer==0.11.5
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Run mainnet readiness gate
         working-directory: contracts

.github/workflows/contracts-production-lock-verify.yml

@@ -65,7 +65,7 @@ jobs:
           submodules: recursive
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Run production lock verification
         run: make verify-production-lock

.github/workflows/contracts-release-gate-container.yml

@@ -2,9 +2,6 @@ name: Contracts Release Gate (Containerized)
 
 on:
   pull_request:
-    paths:
-      - "contracts/**"
-      - ".github/workflows/contracts-release-gate-container.yml"
   workflow_dispatch:
     inputs:
       gate_mode:

.github/workflows/contracts-staging-rehearsal.yml

@@ -97,7 +97,7 @@ jobs:
           }
 
       - name: Setup Foundry
-        uses: foundry-rs/foundry-toolchain@v1
+        uses: foundry-rs/foundry-toolchain@c7450ba673e133f5ee30098b3b54f444d3a2ca2d  # v1.8.0
 
       - name: Run staging rehearsal (release + production lock verify)
         run: make rehearse-production-lock

.github/workflows/dependency-review.yml

@@ -22,7 +22,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Review dependency changes
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@v5
         with:
           fail-on-severity: high
           warn-only: false

.github/workflows/scripts-ci.yml

@@ -26,6 +26,6 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Run shellcheck
-        uses: ludeeus/action-shellcheck@2.0.0
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38  # v2.0.0
         with:
           scandir: "scripts contracts/script"

DEPLOYMENT.md

@@ -407,6 +407,32 @@ make verify-evidence-manifest
 make sign-evidence-manifest
 ```
 
+#### Step 18: Wire Groth16SettlementVerifier (if using ZK settlement)
+
+After deploying `Groth16SettlementVerifier`, two post-deploy calls are required
+before ZK-based settlement is active. `AttestedSettlementVerifier` remains the
+fallback until this is complete.
+
+```bash
+# 1. Bind the verifier to the settlement module (prevents cross-module replay)
+cast send $GROTH16_VERIFIER_ADDRESS \
+  "setSettlementModule(address)" $SETTLEMENT_MODULE_ADDRESS \
+  --rpc-url $MAINNET_RPC --private-key $DEPLOYER_KEY
+
+# 2. Set the MARKPoolVerifier contract
+cast send $GROTH16_VERIFIER_ADDRESS \
+  "setVerifierContract(address)" $MARK_POOL_VERIFIER_ADDRESS \
+  --rpc-url $MAINNET_RPC --private-key $DEPLOYER_KEY
+
+# 3. Wire into settlement module
+cast send $SETTLEMENT_MODULE_ADDRESS \
+  "setVerifier(address,bool)" $GROTH16_VERIFIER_ADDRESS true \
+  --rpc-url $MAINNET_RPC --private-key $DEPLOYER_KEY
+```
+
+See `contracts/RUNBOOK.md` → "Groth16 Direction Rollout" for the full
+migration sequence before enabling production mode.
+
 ---
 
 ## Verification & Monitoring

LICENSE

@@ -1,6 +1,6 @@
 (The MIT License)
 
-Copyright 2020-2025 Optimism
+Copyright 2026 Trade
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

circuits/.gitignore

@@ -0,0 +1,9 @@
+build/
+node_modules/
+*.zkey
+*.ptau
+witness.wtns
+
+# Prototype files (superseded by circuits/mark/MARKPool.circom)
+utxo/
+setup.js