fix: use solver-determined fee for BYOS fulfillments

.cargo/audit.toml

@@ -5,59 +5,23 @@
 [advisories]
 # Known vulnerabilities that are tracked in https://github.com/cowprotocol/services/issues/3338
 ignore = [
-    # alloy-dyn-abi - DoS vulnerability (RUSTSEC-2025-0073)
-    # Needs upgrade to 1.4.1+ (part of alloy migration)
-    "RUSTSEC-2025-0073",
+  # rsa - Marvin Attack timing sidechannel (RUSTSEC-2023-0071)
+  # No patch available yet (cryptography vulnerability)
+  "RUSTSEC-2023-0071",
 
-    # idna - Punycode label vulnerability (RUSTSEC-2024-0421)
-    # Needs upgrade to 1.0.0+ (transitive dependency)
-    "RUSTSEC-2024-0421",
+  # derivative - Unmaintained (RUSTSEC-2024-0388)
+  # Evaluate alternatives (tracked in #3338)
+  "RUSTSEC-2024-0388",
 
-    # protobuf - Uncontrolled recursion (RUSTSEC-2024-0437)
-    # Needs upgrade to 3.7.2+ (transitive dependency)
-    "RUSTSEC-2024-0437",
+  # instant - Unmaintained (RUSTSEC-2024-0384)
+  # Use web-time instead (tracked in #3338)
+  "RUSTSEC-2024-0384",
 
-    # rsa - Marvin Attack timing sidechannel (RUSTSEC-2023-0071)
-    # No patch available yet (cryptography vulnerability)
-    "RUSTSEC-2023-0071",
+  # paste - Unmaintained (RUSTSEC-2024-0436)
+  # Archived upstream (tracked in #3338)
+  "RUSTSEC-2024-0436",
 
-    # sqlx - Binary protocol overflow (RUSTSEC-2024-0363)
-    # Needs upgrade to 0.8.1+ (breaking changes, tracked in #3338)
-    "RUSTSEC-2024-0363",
-
-    # tracing-subscriber - ANSI escape injection (RUSTSEC-2025-0055)
-    # Needs upgrade to 0.3.20+ (minimal risk in current usage)
-    "RUSTSEC-2025-0055",
-
-    # atty - Unmaintained (RUSTSEC-2024-0375)
-    # Migrate to std::io::IsTerminal (tracked in #3338)
-    "RUSTSEC-2024-0375",
-
-    # atty - Unsound potential unaligned read (RUSTSEC-2021-0145)
-    # Will be removed when migrating to std::io::IsTerminal
-    "RUSTSEC-2021-0145",
-
-    # derivative - Unmaintained (RUSTSEC-2024-0388)
-    # Evaluate alternatives (tracked in #3338)
-    "RUSTSEC-2024-0388",
-
-    # adler - Unmaintained (RUSTSEC-2025-0056)
-    # Use adler2 instead (tracked in #3338)
-    "RUSTSEC-2025-0056",
-
-    # instant - Unmaintained (RUSTSEC-2024-0384)
-    # Use web-time instead (tracked in #3338)
-    "RUSTSEC-2024-0384",
-
-    # paste - Unmaintained (RUSTSEC-2024-0436)
-    # Archived upstream (tracked in #3338)
-    "RUSTSEC-2024-0436",
-
-    # proc-macro-error - Unmaintained (RUSTSEC-2024-0370)
-    # Transitive dependency (tracked in #3338)
-    "RUSTSEC-2024-0370",
-
-    # model crate - data race in Shared (RUSTSEC-2020-0140)
-    # Internal crate issue (tracked in #3338)
-    "RUSTSEC-2020-0140",
+  # model crate - data race in Shared (RUSTSEC-2020-0140)
+  # Internal crate issue (tracked in #3338)
+  "RUSTSEC-2020-0140",
 ]

.claude/commands/debug-order.md

@@ -0,0 +1,28 @@
+---
+description: Debug why a CoW Protocol order failed to match
+---
+
+Debug order: $ARGUMENTS
+
+Read and follow the instructions in ./docs/COW_ORDER_DEBUG_SKILL.md to investigate this order.
+
+Key steps:
+1. Parse the order UID and network from arguments (default: mainnet)
+2. **Start with the debug endpoint** — fetch the comprehensive debug report first:
+   ```bash
+   source .env.claude && curl -s -H "X-API-Key: $COW_DEBUG_API_KEY" "https://partners.cow.fi/$NETWORK/restricted/api/v1/debug/order/$ORDER_UID" | jq .
+   ```
+   This returns order details, lifecycle events, auction participation, proposed solutions, executions, trades, and settlement attempts — all in one call.
+3. Analyze the debug report — key event meanings:
+   - `ready` = order made it into an auction (was sent to solvers)
+   - `considered` = a solver included this order in a solution but that solution didn't win
+   - `executing` = order is in the winning solution, being submitted on-chain
+   - `traded` = order was settled on-chain
+   - `filtered` / `invalid` = order was excluded (check the `reason` field)
+4. Search Victoria Logs for additional context (filter reasons, error details, solver logs)
+   - For finding discarded solutions where the order UID appears in calldata, use regex: `.*ORDER_UID_WITHOUT_0X.*` plus `discarded`
+5. Use DB queries or API calls only if the debug report is missing info or you need deeper investigation
+6. Identify root cause and report findings with evidence
+7. If you haven't found anything go wild and try all SQL / log searches / codebase searches you can think of
+
+Always show your evidence (log lines, DB results, API responses) when presenting findings.

.clippy.toml

@@ -1,7 +1,6 @@
 disallowed-methods = [
-    { path = "web3::api::Net::version", reason = "Calling `eth().chain_id().await?.to_string()` is equivalent and is better supported." },
-    { path = "alloy::rpc::client::RpcClient::new_batch", reason = "There is no need to manually send batched requests because the alloy transport layer batches requests automatically under the hood." },
-    { path = "alloy::rpc::client::BatchRequest::new", reason = "There is no need to manually send batched requests because the alloy transport layer batches requests automatically under the hood." },
+  { path = "alloy::rpc::client::RpcClient::new_batch", reason = "There is no need to manually send batched requests because the alloy transport layer batches requests automatically under the hood." },
+  { path = "alloy::rpc::client::BatchRequest::new", reason = "There is no need to manually send batched requests because the alloy transport layer batches requests automatically under the hood." },
 ]
 await-holding-invalid-types = [
   "tracing::span::Entered",

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/devcontainers/base:bullseye
+FROM mcr.microsoft.com/devcontainers/base:bookworm
 
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     # Remove imagemagick due to https://security-tracker.debian.org/tracker/CVE-2019-10131

.devcontainer/devcontainer.json

@@ -16,7 +16,7 @@
         },
         "ghcr.io/devcontainers/features/rust:1": {},
 		"ghcr.io/devcontainers/features/git:1": {},
-		"ghcr.io/nlordell/features/foundry": {},
+		"ghcr.io/nlordell/features/foundry": { "version": "v1.7.1" },
 		"ghcr.io/devcontainers/features/docker-in-docker:2": {
             "dockerDashComposeVersion": "v2"
         },
@@ -33,6 +33,17 @@
         "seccomp=unconfined"
     ],
 
+    "containerEnv": {
+        "PGHOST": "localhost",
+        "PGPORT": "5432",
+        "PGUSER": "vscode",
+        "PGDATABASE": "vscode",
+        // Drop debug info from dev/test builds: the e2e test binary's debug info
+        // is large enough to get the linker OOM-killed on a stock setup.
+        "CARGO_PROFILE_DEV_DEBUG": "0",
+        "CARGO_PROFILE_TEST_DEBUG": "0"
+    },
+
     "customizations": {
         "vscode": {
             "settings": {
@@ -51,7 +62,10 @@
 
 	// Use 'postCreateCommand' to run commands after the container is created.
 	// "postCreateCommand": "rustc --version",
-	"postCreateCommand": "rustup toolchain install nightly && cargo install flamegraph",
+	"postCreateCommand": "rustup toolchain install nightly --component rustfmt && cargo install flamegraph && cargo install cargo-nextest --locked && cargo install just --locked && bash .devcontainer/setup-e2e.sh",
+
+	// (Re)start the local Postgres cluster on every container start.
+	"postStartCommand": "bash .devcontainer/start-postgres.sh",
 
 	// Set `remoteUser` to `root` to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
 	"remoteUser": "vscode"

.devcontainer/setup-e2e.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+#
+# Provisions the one thing the e2e test suite needs but the base image can't
+# provide out of the box:
+#
+#   * Postgres server – we run a native server (rather than the docker-compose
+#              one) so it survives container restarts and is up before any test
+#              runs, then apply the flyway migrations the harness expects to
+#              already exist.
+#
+# anvil/forge come from the foundry devcontainer feature; their prebuilt binaries
+# run directly on the bookworm base image (glibc >= 2.32), so nothing to do here.
+#
+# Runs as `postCreateCommand` (once, when the container is created).
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+
+# -----------------------------------------------------------------------------
+echo "==> postgres"
+# Install a server only if no cluster exists yet (fresh container). Reuse whatever
+# version is already present otherwise, so this is safe to re-run.
+if ! ls -d /etc/postgresql/*/main >/dev/null 2>&1; then
+    echo "    installing postgresql-16..."
+    sudo apt-get update -qq
+    sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq postgresql-16
+fi
+PG_VERSION="$(ls /etc/postgresql | sort -n | tail -1)"
+echo "    using cluster ${PG_VERSION}/main"
+
+# Start the cluster (shared with postStart so the two can't drift).
+bash "$REPO_ROOT/.devcontainer/start-postgres.sh"
+
+# Trust auth for local connections (development container only).
+HBA="/etc/postgresql/${PG_VERSION}/main/pg_hba.conf"
+sudo tee "$HBA" >/dev/null <<'EOF'
+local   all   all                  trust
+host    all   all   127.0.0.1/32   trust
+host    all   all   ::1/128        trust
+EOF
+sudo pg_ctlcluster "$PG_VERSION" main reload
+
+# The e2e harness connects with the bare url `postgresql://`, which resolves to a
+# role and database named after $PGUSER/$PGDATABASE (see containerEnv in
+# devcontainer.json and DatabasePoolConfig::test_default).
+psql -h 127.0.0.1 -U postgres -d postgres -tAc \
+    "SELECT 1 FROM pg_roles WHERE rolname='${PGUSER}'" | grep -q 1 \
+    || psql -h 127.0.0.1 -U postgres -d postgres -c \
+        "CREATE ROLE \"${PGUSER}\" LOGIN SUPERUSER;"
+psql -h 127.0.0.1 -U postgres -d postgres -tAc \
+    "SELECT 1 FROM pg_database WHERE datname='${PGDATABASE}'" | grep -q 1 \
+    || psql -h 127.0.0.1 -U postgres -d postgres -c \
+        "CREATE DATABASE \"${PGDATABASE}\" OWNER \"${PGUSER}\";"
+
+# Apply the migrations with the same flyway image the rest of the repo uses
+# (see docker-compose.yaml). Flyway tracks what it has already applied, so this is
+# incremental and idempotent: re-running only applies new migrations and fails
+# loudly if one is incompatible with the current schema. The native server runs
+# on the host network namespace, so `--network=host` lets flyway reach it on
+# 127.0.0.1:${PGPORT}.
+echo "    applying flyway migrations..."
+docker run --rm --network=host \
+    -v "$REPO_ROOT/database/sql:/flyway/sql:ro" \
+    -v "$REPO_ROOT/database/conf:/flyway/conf:ro" \
+    flyway/flyway:10.7.1 \
+    -url="jdbc:postgresql://127.0.0.1:${PGPORT}/${PGDATABASE}?user=${PGUSER}&password=" \
+    migrate
+
+echo "==> e2e environment ready (postgres)"

.devcontainer/start-postgres.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+# Starts the local Postgres cluster on every container start. There is no init
+# system in the container, so the cluster does not come up on its own after a
+# stop/start. Provisioning (install, role, db, migrations) is done once by
+# setup-e2e.sh; this only (re)starts what already exists.
+#
+# Runs as `postStartCommand`.
+set -euo pipefail
+
+PG_VERSION="$(ls /etc/postgresql | sort -n | tail -1)"
+
+# `start` errors if the cluster is already running, so only start it when it
+# isn't online; a genuine start failure then surfaces instead of being swallowed.
+if ! pg_lsclusters -h "$PG_VERSION" main | grep -q online; then
+    sudo pg_ctlcluster "$PG_VERSION" main start
+fi

.gemini/config.yaml

@@ -0,0 +1,5 @@
+code_review:
+  pull_request_opened:
+    summary: false
+    code_review: true
+    include_drafts: false

.gemini/styleguide.md

@@ -0,0 +1,15 @@
+# Code Review Style Guide: Stricter & Actionable Feedback Only
+
+## 1. Interaction & Noise Reduction
+* **No Positive Feedback:** Do not post comments that praise the code, highlight "good solutions," or confirm that a change is a "good improvement."
+* **Confirm Clean Reviews:** If no critical issues are found, post a single summary comment stating "No critical issues found" rather than staying silent.
+* **Severity Threshold:** Only surface findings that meet the "High" or "Critical" severity criteria. Treat "Medium" findings as "Low" and ignore them unless they represent a direct logic error.
+* **Focus on Changed Code:** Only comment on code that was actually modified in the PR. Do not flag issues in unchanged code or code that was simply moved/refactored without logic changes, unless the issue is a severe security vulnerability or critical bug.
+
+## 2. Technical Standards
+* **Actionability:** Every comment must include a clear, actionable suggestion for improvement. Do not leave "FYI" or informational comments.
+* **Edge Cases & Logic:** Focus exclusively on identifying missing edge cases, potential race conditions, or logic that deviates from the PR's stated goals.
+* **Security & Performance:** Prioritize findings related to resource leaks, unnecessary complexity, or potential security vulnerabilities.
+
+## 3. Formatting
+* **Conciseness:** Keep comments concise, direct and technical. Skip the introductory and concluding pleasantries.

.github/CODEOWNERS

@@ -1,2 +1,2 @@
 * @cowprotocol/backend
-
+.github/workflows/ @cowprotocol/devops @cowprotocol/backend

.github/codeql/codeql-config.yml

@@ -0,0 +1,4 @@
+name: "CoW Protocol CodeQL Config"
+
+paths-ignore:
+  - crates/e2e

.github/pull_request_template.md

@@ -4,8 +4,8 @@
 # Changes
 <!-- List of detailed changes (how the change is accomplished) -->
 
-- [ ] ...
-- [ ] ...
+* ...
+* ...
 
 ## How to test
 <!--- Include details of how to test your changes, including any pre-requisites. If no unit tests are included, please explain why and how to test manually
@@ -18,4 +18,4 @@
 ## Related Issues
 
 Fixes #
--->
+-->

.github/renovate.json5

@@ -0,0 +1,27 @@
+// This file follows JSON5 syntax, to make it
+// easier to maintain.
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  // Disable every built-in manager (npm, dockerfile, ...) except github-actions.
+  enabledManagers: ["github-actions"],
+  // PR titles use Conventional Commits: `deps(<action>): ...`
+  semanticCommits: "enabled",
+  semanticCommitType: "deps",
+  packageRules: [
+    // GitHub Actions updates: run weekly, skip releases newer than 2 weeks
+    // to avoid picking up freshly published versions that may be unstable or
+    // compromised, and pin to full commit SHAs (with the version as a
+    // trailing comment) rather than mutable tags.
+    // When both major and minor releases exist, propose only the latest bump
+    // (typically major) instead of a separate minor PR.
+    {
+      matchManagers: ["github-actions"],
+      schedule: ["on monday"],
+      minimumReleaseAge: "14 days",
+      pinDigests: true,
+      separateMajorMinor: false,
+      semanticCommitScope: "{{depName}}",
+      commitMessageTopic: "{{depName}}",
+    },
+  ],
+}

.github/workflows/add-to-project.yml

@@ -10,7 +10,7 @@ jobs:
     name: Add issue to project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+      - uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
         with:
           project-url: https://github.com/orgs/cowprotocol/projects/8
           github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}