[FEAT] Add CI checks for cofhe-contracts (#53)

* [FEAT] Add CI checks: storage layout, contract size, solhint, slither, gas report

Add comprehensive CI pipeline for cofhe-contracts with 5 parallel jobs:

- Storage layout snapshot validation to catch breaking upgrade changes
- Contract size enforcement (24KB EVM limit)
- Solhint linting with project-specific rule overrides
- Slither static analysis (medium+ severity)
- Gas usage reporting uploaded as CI artifact

* [FIX] Fix Slither medium-severity findings in TaskManager

- Initialize `combined` variable explicitly (`bytes memory combined = ""`)
- Add slither-disable comments for false-positive unused-return on
  ECDSA.tryRecover tuple destructuring and getDecryptResultSafe forwarding
- Exclude low-severity false positives from Slither config (trusted
  contract calls in loops, reentrancy-events, missing-zero-check on
  intentionally-nullable signers, timestamp, events-maths)

* [TEST] Add storage variable to TaskManager (should fail storage-layout CI)

This commit intentionally adds a new storage variable to break the
storage layout snapshot check. Expected CI failure: storage-layout job.

* Revert "[TEST] Add storage variable to TaskManager (should fail storage-layout CI)"

This reverts commit 99c1957.

* [FIX] Use upgrade-compatibility check instead of strict snapshot equality

Replace exact JSON comparison with OZ's getStorageUpgradeReport which
understands UUPS upgrade rules: appending variables is safe, inserting
or reordering is breaking. Stores raw StorageLayout in snapshot for
direct use by the compatibility checker.

Author: roeezolantz

.github/workflows/checks.yml

@@ -0,0 +1,231 @@
+name: Checks
+
+on:
+  pull_request:
+    branches:
+      - master
+  push:
+    branches:
+      - master
+
+env:
+  WORKING_DIR: contracts/internal/host-chain
+  KEY: "0x0000000000000000000000000000000000000000000000000000000000000001"
+  KEY2: "0x0000000000000000000000000000000000000000000000000000000000000002"
+  AGGREGATOR_KEY: "0x0000000000000000000000000000000000000000000000000000000000000003"
+
+jobs:
+  lint-solhint:
+    name: Solhint Lint
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: contracts/internal/host-chain
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v2
+        with:
+          version: 9
+
+      - name: Get pnpm store directory
+        shell: bash
+        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
+      - name: Setup pnpm cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('contracts/internal/host-chain/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Run Solhint
+        run: pnpm lint:sol
+
+  storage-layout:
+    name: Storage Layout Check
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: contracts/internal/host-chain
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v2
+        with:
+          version: 9
+
+      - name: Get pnpm store directory
+        shell: bash
+        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
+      - name: Setup pnpm cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('contracts/internal/host-chain/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Compile contracts
+        run: pnpm compile
+
+      - name: Check storage layout
+        run: pnpm storage-layout:check
+
+  contract-size:
+    name: Contract Size Check
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: contracts/internal/host-chain
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v2
+        with:
+          version: 9
+
+      - name: Get pnpm store directory
+        shell: bash
+        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
+      - name: Setup pnpm cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('contracts/internal/host-chain/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Compile contracts
+        run: pnpm compile
+
+      - name: Check contract sizes
+        run: pnpm check:size
+
+  slither:
+    name: Slither Analysis
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: contracts/internal/host-chain
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v2
+        with:
+          version: 9
+
+      - name: Get pnpm store directory
+        shell: bash
+        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
+      - name: Setup pnpm cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('contracts/internal/host-chain/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Compile contracts
+        run: pnpm compile
+
+      - name: Run Slither
+        uses: crytic/slither-action@v0.4.0
+        with:
+          target: contracts/internal/host-chain
+          solc-version: "0.8.25"
+          slither-config: contracts/internal/host-chain/slither.config.json
+          fail-on: medium
+
+  gas-report:
+    name: Gas Report
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: contracts/internal/host-chain
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v2
+        with:
+          version: 9
+
+      - name: Get pnpm store directory
+        shell: bash
+        run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
+      - name: Setup pnpm cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('contracts/internal/host-chain/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Run tests with gas reporting
+        run: pnpm test
+        env:
+          REPORT_GAS: "true"
+          GAS_REPORT_FILE: gas-report.txt
+
+      - name: Upload gas report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: gas-report
+          path: contracts/internal/host-chain/gas-report.txt
+          retention-days: 30

contracts/internal/host-chain/.solhint.json

@@ -0,0 +1,13 @@
+{
+  "extends": "solhint:recommended",
+  "rules": {
+    "no-empty-blocks": "off",
+    "no-inline-assembly": "off",
+    "one-contract-per-file": "off",
+    "func-name-mixedcase": "off",
+    "const-name-snakecase": "off",
+    "compiler-version": ["error", ">=0.8.19"],
+    "func-visibility": ["warn", { "ignoreConstructors": true }],
+    "no-unused-import": "warn"
+  }
+}

contracts/internal/host-chain/.solhintignore

@@ -0,0 +1,3 @@
+node_modules/
+contracts/tests/
+contracts/detereministic-tm/

contracts/internal/host-chain/contracts/TaskManager.sol

@@ -101,7 +101,7 @@ library TMCommon {
         uint256[] memory inputs,
         FunctionId functionId
     ) internal pure returns (uint256) {
-        bytes memory combined;
+        bytes memory combined = "";
         bool isTriviallyEncrypted = (functionId == FunctionId.trivialEncrypt);
         for (uint8 i = 0; i < inputs.length; i++) {
             combined = bytes.concat(combined, uint256ToBytes32(inputs[i]));
@@ -240,7 +240,6 @@ contract TaskManager is ITaskManager, Initializable, UUPSUpgradeable, Ownable2St
     // When set to address(0), signature verification is skipped (debug mode)
     address public decryptResultSigner;
 
-
     modifier onlyAggregator() {
         if (!aggregators[msg.sender]) {
             revert OnlyAggregatorAllowed(msg.sender);
@@ -632,6 +631,7 @@ contract TaskManager is ITaskManager, Initializable, UUPSUpgradeable, Ownable2St
         }
 
         bytes32 messageHash = _computeDecryptResultHash(ctHash, result);
+        // slither-disable-next-line unused-return
         (address recovered, ECDSA.RecoverError err, ) = ECDSA.tryRecover(messageHash, signature);
 
         if (err != ECDSA.RecoverError.NoError || recovered == address(0)) {
@@ -681,6 +681,7 @@ contract TaskManager is ITaskManager, Initializable, UUPSUpgradeable, Ownable2St
         emit ProtocolNotification(ctHash, operation, errorMessage);
     }
 
+    // slither-disable-next-line unused-return
     function getDecryptResultSafe(uint256 ctHash) external view returns (uint256, bool) {
         return plaintextsStorage.getResult(ctHash);
     }

contracts/internal/host-chain/hardhat.config.ts

@@ -129,6 +129,11 @@ const config: HardhatUserConfig = {
     outDir: "types",
     target: "ethers-v6",
   },
+  gasReporter: {
+    enabled: process.env.REPORT_GAS === "true",
+    outputFile: process.env.GAS_REPORT_FILE || undefined,
+    noColors: !!process.env.GAS_REPORT_FILE,
+  },
 };
 
 export default config;

contracts/internal/host-chain/package.json

@@ -13,7 +13,11 @@
     "task:deploy": "hardhat deploy",
     "deploy:deterministicTM": "hardhat compile && hardhat task:deployDeterministicTM",
     "task:upgradeTM": "hardhat task:upgradeTM",
-    "deploy:sepolia": "hardhat deploy --network sepolia"
+    "deploy:sepolia": "hardhat deploy --network sepolia",
+    "storage-layout:generate": "hardhat task:storage-layout --network hardhat",
+    "storage-layout:check": "hardhat task:storage-layout --network hardhat --check",
+    "check:size": "hardhat task:check-contract-size --network hardhat",
+    "lint:sol": "solhint 'contracts/**/*.sol'"
   },
   "author": "Fhenix",
   "license": "MIT",
@@ -49,6 +53,7 @@
     "hardhat": "^2.28.0",
     "hardhat-deploy": "^0.11.45",
     "hardhat-gas-reporter": "^1.0.10",
+    "solhint": "^5.0.0",
     "mocha": "^10.8.2",
     "rimraf": "^5.0.10",
     "solidity-coverage": "^0.8.17",