chore: verify proxy and implementation contracts

[hmzakhalid]

Summary by CodeRabbit

• Chores

  • Updated deployed contract records with refreshed block numbers, addresses, many owner/admin and token references; consolidated network entries under sepolia and removed localhost defaults.

• Refactor

  • Deployment metadata now records proxy details (init data, initial owner, proxy & admin addresses, implementation) and persist proxyRecords consistently; deploy/upgrade flows updated and some return payloads now include implementationAddress.

• Bug Fixes

  • Verification and upgrade flows now detect and handle proxy deployments and proxy admins correctly.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
crisp	Skipped			Nov 13, 2025 8:44am
enclave-docs	Skipped			Nov 13, 2025 8:44am

[coderabbitai]

Walkthrough

Deployment, upgrade, and verification scripts were made proxy-aware: proxies are deployed with owner, proxy metadata (proxyRecords) is collected and persisted, upgrades merge/update proxyRecords, manifests updated to include proxy details, and verification now verifies proxy, proxy admin, then implementation.

Changes

Cohort / File(s)	Summary
Deployed manifests packages/enclave-contracts/deployed_contracts.json	Updated addresses/blockNumbers; many contracts now include nested proxyRecords; localhost removed; entries consolidated under sepolia and undefined updated.
Deploy-and-save scripts packages/enclave-contracts/scripts/deployAndSave/* packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts, packages/enclave-contracts/scripts/deployAndSave/ciphernodeRegistryOwnable.ts, packages/enclave-contracts/scripts/deployAndSave/enclave.ts	Proxy deployment uses owner (not signer); retrieves proxyAdminAddress; deployment metadata now persists proxyRecords ({initData, initialOwner, proxyAddress, proxyAdminAddress, implementationAddress}); upgrade flows merge/update proxyRecords instead of writing a top-level implementationAddress.
Upgrade scripts packages/enclave-contracts/scripts/upgrade/* packages/enclave-contracts/scripts/upgrade/bondingRegistry.ts, .../ciphernodeRegistryOwnable.ts, .../enclave.ts	Upgrade guards now check preDeployedArgs.proxyRecords.implementationAddress (proxy-aware) rather than a top-level implementationAddress, changing validation path for upgrades.
Utilities / Types packages/enclave-contracts/scripts/utils.ts	DeploymentArgs updated: removed `implementationAddress?: string
Verification tooling packages/enclave-contracts/scripts/verify.ts	Added proxy-aware verification: detect proxyRecords, verify TransparentUpgradeableProxy and ProxyAdmin (using proxyRecords constructor args), then verify implementation at implementationAddress (no constructor args); adjusted logs and error messaging.
Misc contract metadata packages/enclave-contracts/deployed_contracts.json (many entries: Enclave, CiphernodeRegistryOwnable, Mock*, EnclaveToken, EnclaveTicketToken, SlashingManager, BondingRegistry, etc.)	Updated constructor args, owners/admins, token references, blockNumbers/addresses and added proxyRecords where applicable to reflect proxied deployments.

Sequence Diagram(s)

sequenceDiagram
    participant CLI as Deploy/Verify CLI
    participant Proxy as TransparentUpgradeableProxy
    participant ProxyAdmin as ProxyAdmin
    participant Impl as Implementation
    participant Store as deployed_contracts.json

    CLI->>Proxy: deploy proxy (constructor arg: owner)
    Proxy-->>CLI: returns proxyAddress
    CLI->>ProxyAdmin: query admin for proxyAddress
    ProxyAdmin-->>CLI: returns proxyAdminAddress
    CLI->>Store: persist proxyRecords {initData, initialOwner, proxyAddress, proxyAdminAddress, implementationAddress}

    note right of CLI: Verification (proxy-aware)
    CLI->>Store: read proxyRecords → detect proxy
    CLI->>Proxy: verify TransparentUpgradeableProxy (constructor args from proxyRecords)
    CLI->>ProxyAdmin: verify ProxyAdmin (constructor args from proxyRecords)
    CLI->>Impl: verify implementation at implementationAddress (no constructor args)
    Impl-->>CLI: verification results

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Attention areas:
  • packages/enclave-contracts/scripts/verify.ts — proxy detection, verification target selection, and constructor-arg handling.
  • packages/enclave-contracts/scripts/deployAndSave/* — creation, merging, and persistence shape of proxyRecords.
  • packages/enclave-contracts/scripts/utils.ts — callers handling removal of implementationAddress and new proxyRecords field.
  • packages/enclave-contracts/deployed_contracts.json — validate addresses/blockNumbers and consistency with runtime behavior.

Possibly related PRs

• feat: deploy transparent proxy contracts [skip-line-limit] #987 — implements TransparentUpgradeableProxy migration and proxy metadata handling (proxy admin, implementation storage); strongly related.
• fix: contracts exports #732 — related changes to script exports/packaging that interact with deployment/verification scripts.
• Enclave contracts deployment Sepolia #400 — overlapping Sepolia deployment metadata updates for mock contracts in this manifest.

Suggested reviewers

• ryardley
• cedoor

Poem

🐰 I hop and write each proxy trace,
Owner passed to find its place.
Records nested, tidy, bright,
Verifications take their flight.
Tiny paws, deployments light ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: updating proxy and implementation contract verification logic across deployment scripts.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/verify-proxy-contracts

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 09928a5 and 4813127.

📒 Files selected for processing (9)

• packages/enclave-contracts/deployed_contracts.json (2 hunks)
• packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts (3 hunks)
• packages/enclave-contracts/scripts/deployAndSave/ciphernodeRegistryOwnable.ts (2 hunks)
• packages/enclave-contracts/scripts/deployAndSave/enclave.ts (3 hunks)
• packages/enclave-contracts/scripts/upgrade/bondingRegistry.ts (1 hunks)
• packages/enclave-contracts/scripts/upgrade/ciphernodeRegistryOwnable.ts (1 hunks)
• packages/enclave-contracts/scripts/upgrade/enclave.ts (1 hunks)
• packages/enclave-contracts/scripts/utils.ts (1 hunks)
• packages/enclave-contracts/scripts/verify.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• packages/enclave-contracts/scripts/utils.ts
• packages/enclave-contracts/scripts/upgrade/enclave.ts
• packages/enclave-contracts/scripts/upgrade/bondingRegistry.ts

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-09-19T11:16:53.825Z

Learnt from: cedoor
Repo: gnosisguild/enclave PR: 752
File: packages/enclave-contracts/contracts/Enclave.sol:15-17
Timestamp: 2025-09-19T11:16:53.825Z
Learning: The Enclave contract in the gnosisguild/enclave repository has not been deployed yet as of September 2025, so storage layout considerations for upgradeable contracts don't apply to current changes.

Applied to files:

• packages/enclave-contracts/scripts/upgrade/ciphernodeRegistryOwnable.ts
• packages/enclave-contracts/scripts/deployAndSave/enclave.ts
• packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts
• packages/enclave-contracts/deployed_contracts.json

📚 Learning: 2025-10-10T12:56:40.538Z

Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 830
File: templates/default/README.md:123-128
Timestamp: 2025-10-10T12:56:40.538Z
Learning: In the Enclave repository, the hard-coded Hardhat development private key `0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80` is acceptable in template README files and documentation for local testing/interaction purposes.

Applied to files:

• packages/enclave-contracts/deployed_contracts.json

🧬 Code graph analysis (3)

packages/enclave-contracts/scripts/deployAndSave/enclave.ts (2)

packages/enclave-contracts/scripts/proxy.ts (1)

• getProxyAdmin (22-35)

packages/enclave-contracts/scripts/utils.ts (1)

• storeDeploymentArgs (35-67)

packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts (2)

packages/enclave-contracts/scripts/proxy.ts (1)

• getProxyAdmin (22-35)

packages/enclave-contracts/scripts/utils.ts (1)

• storeDeploymentArgs (35-67)

packages/enclave-contracts/scripts/deployAndSave/ciphernodeRegistryOwnable.ts (2)

packages/enclave-contracts/scripts/proxy.ts (1)

• getProxyAdmin (22-35)

packages/enclave-contracts/scripts/utils.ts (1)

• storeDeploymentArgs (35-67)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: build_e3_support_dev
• GitHub Check: build_sdk
• GitHub Check: test_net
• GitHub Check: build_enclave_cli
• GitHub Check: integration_prebuild
• GitHub Check: test_contracts
• GitHub Check: rust_unit
• GitHub Check: rust_integration

🔇 Additional comments (10)

packages/enclave-contracts/scripts/upgrade/ciphernodeRegistryOwnable.ts (1)

34-34: LGTM!

The validation now correctly checks for proxy-based deployments using proxyRecords?.implementationAddress, aligning with the new proxy-aware deployment structure.

packages/enclave-contracts/scripts/deployAndSave/ciphernodeRegistryOwnable.ts (2)

94-94: LGTM!

Proxy deployment correctly uses owner as the initial admin, aligning with the proxy-based deployment pattern.

---

100-115: LGTM!

The proxyRecords structure correctly captures all proxy-related metadata (initData, initialOwner, proxyAddress, proxyAdminAddress, implementationAddress) needed for verification and future upgrades.

packages/enclave-contracts/scripts/deployAndSave/enclave.ts (2)

105-105: LGTM!

Proxy deployment correctly uses owner as the initial admin.

---

109-127: LGTM!

The proxyRecords structure correctly captures all proxy-related metadata needed for verification and future upgrades.

packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts (2)

118-118: LGTM!

Proxy deployment correctly uses owner as the initial admin.

---

122-143: LGTM!

The proxyRecords structure correctly captures all proxy-related metadata needed for verification and future upgrades.

packages/enclave-contracts/scripts/verify.ts (2)

148-172: LGTM!

The proxy detection and verification flow is well-structured:

1. Detects proxy deployments via proxyRecords?.implementationAddress
2. Verifies TransparentUpgradeableProxy with correct constructor args
3. Verifies ProxyAdmin with initialOwner
4. Falls through to verify the implementation separately

This enables complete verification of the proxy deployment chain.

---

184-196: LGTM!

The verification target selection correctly distinguishes between proxy and non-proxy deployments:

• For proxies: targets the implementation address without constructor args
• For non-proxies: targets the deployment address with constructor args

The logic and logging are clear and appropriate.

packages/enclave-contracts/deployed_contracts.json (1)

1-139: LGTM!

The deployment data correctly reflects the proxy-based deployment structure with proxyRecords for Enclave, CiphernodeRegistryOwnable, and BondingRegistry. The structure is consistent with the code changes in the deployment scripts.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts (1)

219-229: Data loss: proxyRecords replacement discards deployment metadata.

The upgrade function replaces the entire proxyRecords object with only implementationAddress, discarding initData, initialOwner, proxyAddress, and proxyAdminAddress from the initial deployment. This metadata loss could break verification workflows and make it difficult to track proxy configuration history.

Apply this diff to preserve existing proxy metadata:

   storeDeploymentArgs(
     {
       ...preDeployedArgs,
       proxyRecords: {
+        ...preDeployedArgs.proxyRecords,
         // initData, //TODO: Add init data if needed
         implementationAddress: newImplementationAddress,
       },
     },
     "BondingRegistry",
     chain,
   );

🧹 Nitpick comments (1)

packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts (1)

210-211: Track upgrade initialization data requirements.

The TODO comments indicate that upgrade initialization data handling is incomplete. While upgradeAndCall currently uses empty initData, future implementation changes might require initialization functions to be called during upgrades.

Would you like me to open an issue to track this requirement and ensure proper initialization data handling is implemented before any upgrades that require it?

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf8dd2c and 2173352.

📒 Files selected for processing (6)

• packages/enclave-contracts/deployed_contracts.json (2 hunks)
• packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts (4 hunks)
• packages/enclave-contracts/scripts/deployAndSave/ciphernodeRegistryOwnable.ts (3 hunks)
• packages/enclave-contracts/scripts/deployAndSave/enclave.ts (4 hunks)
• packages/enclave-contracts/scripts/utils.ts (1 hunks)
• packages/enclave-contracts/scripts/verify.ts (2 hunks)

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-09-19T11:16:53.825Z

Learnt from: cedoor
Repo: gnosisguild/enclave PR: 752
File: packages/enclave-contracts/contracts/Enclave.sol:15-17
Timestamp: 2025-09-19T11:16:53.825Z
Learning: The Enclave contract in the gnosisguild/enclave repository has not been deployed yet as of September 2025, so storage layout considerations for upgradeable contracts don't apply to current changes.

Applied to files:

• packages/enclave-contracts/scripts/deployAndSave/ciphernodeRegistryOwnable.ts
• packages/enclave-contracts/deployed_contracts.json
• packages/enclave-contracts/scripts/deployAndSave/enclave.ts

📚 Learning: 2025-10-10T12:56:40.538Z

Learnt from: 0xjei
Repo: gnosisguild/enclave PR: 830
File: templates/default/README.md:123-128
Timestamp: 2025-10-10T12:56:40.538Z
Learning: In the Enclave repository, the hard-coded Hardhat development private key `0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80` is acceptable in template README files and documentation for local testing/interaction purposes.

Applied to files:

• packages/enclave-contracts/deployed_contracts.json

🧬 Code graph analysis (3)

packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts (1)

packages/enclave-contracts/scripts/proxy.ts (1)

• getProxyAdmin (22-35)

packages/enclave-contracts/scripts/deployAndSave/ciphernodeRegistryOwnable.ts (2)

packages/enclave-contracts/scripts/proxy.ts (1)

• getProxyAdmin (22-35)

packages/enclave-contracts/scripts/utils.ts (1)

• storeDeploymentArgs (35-67)

packages/enclave-contracts/scripts/deployAndSave/enclave.ts (1)

packages/enclave-contracts/scripts/proxy.ts (1)

• getProxyAdmin (22-35)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: build_enclave_cli
• GitHub Check: integration_prebuild
• GitHub Check: test_net
• GitHub Check: rust_unit
• GitHub Check: test_contracts
• GitHub Check: rust_integration

🔇 Additional comments (4)

packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts (4)

18-29: LGTM: Required fields improve type safety.

Making all deployment parameters required aligns well with the validation logic below and prevents runtime errors from missing configuration.

---

118-118: LGTM: Correct admin parameter for transparent proxy.

Passing owner as the admin parameter ensures the ProxyAdmin contract is owned by the specified owner address rather than the deploying signer.

---

122-123: LGTM: ERC1967-compliant ProxyAdmin address retrieval.

Retrieving the ProxyAdmin address via the ERC1967 storage slot is the correct approach for transparent proxies.

---

137-143: LGTM: Comprehensive proxy metadata storage.

The new proxyRecords structure captures all essential proxy-related information, enabling proper verification and upgrade workflows.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

packages/enclave-contracts/scripts/deployAndSave/enclave.ts (1)

204-207: Duplicate: Keep proxyRecords intact during upgrades

This issue has already been flagged in a previous review comment on lines 205-207. The upgrade path overwrites proxyRecords with only the new implementationAddress, discarding critical metadata needed by verify.ts.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2173352 and 8ef20f4.

📒 Files selected for processing (6)

• packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts (3 hunks)
• packages/enclave-contracts/scripts/deployAndSave/ciphernodeRegistryOwnable.ts (2 hunks)
• packages/enclave-contracts/scripts/deployAndSave/enclave.ts (3 hunks)
• packages/enclave-contracts/scripts/upgrade/bondingRegistry.ts (1 hunks)
• packages/enclave-contracts/scripts/upgrade/ciphernodeRegistryOwnable.ts (1 hunks)
• packages/enclave-contracts/scripts/upgrade/enclave.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/enclave-contracts/scripts/deployAndSave/ciphernodeRegistryOwnable.ts

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-09-19T11:16:53.825Z

Learnt from: cedoor
Repo: gnosisguild/enclave PR: 752
File: packages/enclave-contracts/contracts/Enclave.sol:15-17
Timestamp: 2025-09-19T11:16:53.825Z
Learning: The Enclave contract in the gnosisguild/enclave repository has not been deployed yet as of September 2025, so storage layout considerations for upgradeable contracts don't apply to current changes.

Applied to files:

• packages/enclave-contracts/scripts/upgrade/enclave.ts
• packages/enclave-contracts/scripts/upgrade/ciphernodeRegistryOwnable.ts
• packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts
• packages/enclave-contracts/scripts/upgrade/bondingRegistry.ts
• packages/enclave-contracts/scripts/deployAndSave/enclave.ts

🧬 Code graph analysis (2)

packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts (1)

packages/enclave-contracts/scripts/proxy.ts (1)

• getProxyAdmin (22-35)

packages/enclave-contracts/scripts/deployAndSave/enclave.ts (1)

packages/enclave-contracts/scripts/proxy.ts (1)

• getProxyAdmin (22-35)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: integration_prebuild
• GitHub Check: build_sdk
• GitHub Check: test_contracts
• GitHub Check: test_net
• GitHub Check: build_enclave_cli
• GitHub Check: rust_integration
• GitHub Check: rust_unit

🔇 Additional comments (7)

packages/enclave-contracts/scripts/upgrade/bondingRegistry.ts (1)

29-33: LGTM!

The validation now correctly checks for proxy-based deployments using the new proxyRecords structure, aligning with the updated deployment metadata format.

packages/enclave-contracts/scripts/upgrade/enclave.ts (1)

29-33: LGTM!

The validation correctly enforces proxy-based deployment requirements using the new proxyRecords.implementationAddress field.

packages/enclave-contracts/scripts/upgrade/ciphernodeRegistryOwnable.ts (1)

34-38: LGTM!

The validation is consistent with other upgrade scripts and correctly enforces the proxy-based deployment requirement.

packages/enclave-contracts/scripts/deployAndSave/enclave.ts (2)

105-107: LGTM!

Correctly deploys the TransparentUpgradeableProxy with owner as the initial admin, which is the proper pattern for this proxy type.

---

109-127: LGTM!

The deployment correctly retrieves the proxy admin address and stores comprehensive proxy metadata including initData, initialOwner, proxyAddress, proxyAdminAddress, and implementationAddress. This provides all necessary information for future upgrades and verification.

packages/enclave-contracts/scripts/deployAndSave/bondingRegistry.ts (2)

118-120: LGTM!

Correctly deploys the TransparentUpgradeableProxy with owner as the initial admin parameter.

---

122-143: LGTM!

The deployment correctly retrieves the proxy admin address and stores comprehensive metadata in proxyRecords, ensuring all necessary information is available for verification and future upgrades.

[ctrlc03]

utACK