Closed
17 commits
11 changes: 11 additions & 0 deletions .github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,11 @@
blank_issues_enabled: false
contact_links:
- name: Security reports
url: mailto:security@aethelred.io
about: Report vulnerabilities privately. Do not use public issues.
- name: Documentation
url: https://docs.aethelred.io
about: Start with the docs, guides, and runbooks.
- name: Community support
url: https://discord.gg/aethelred
about: Ask questions and get routed to the right maintainer or repo.
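Review bot: the `Security reports` contact link (`url: mailto:security@aethelred.io`) is the only private channel this file offers, and with `blank_issues_enabled: false` the free-form issue button is hidden, so a reporter who starts from the repository's Security tab rather than the New Issue page never sees it. Consider enabling GitHub's private vulnerability reporting for the repository, or adding a `SECURITY.md` that points at the same mailbox, so both entry points route to the same private inbox and nothing falls back to a public issue.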
2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/feature_request.md
@@ -36,4 +36,4 @@ assignees: ''

---

> For major protocol changes, please open an [Aethelred Improvement Proposal](https://github.com/aethelred/AIPs) instead.
> For major protocol changes, please open an [Aethelred Improvement Proposal](https://github.com/aethelred-foundation/AIPs) instead.
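Review bot: the organisation rename to `aethelred-foundation/AIPs` is consistent with the `reviewers` rename in `.github/dependabot.yml` in this same PR, but only this one template is touched here; worth a quick grep of the rest of `.github/` (the bug template and any CODEOWNERS file, if present) for the old `aethelred/` prefix so the old links do not survive in one place and 404 while the others work.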
28 changes: 28 additions & 0 deletions .github/README.md
@@ -0,0 +1,28 @@
# GitHub Configuration

This directory contains the repository-wide GitHub configuration for Aethelred.

## What Lives Here

- `workflows/`: CI, security, release, deployment, SDK, docs, and launch gates
- `ISSUE_TEMPLATE/`: issue intake templates for bugs and feature requests
- `PULL_REQUEST_TEMPLATE.md`: pull request checklist and contributor expectations
- `branch-protection/`: required check definitions used to keep launch branches honest
- `dependabot.yml`: dependency update policy

## Operating Rules

- Treat workflow changes as production-affecting changes.
- Keep required gates aligned with `docs/operations/GATE_INVENTORY.md`.
- Do not merge workflow or branch-protection changes without corresponding evidence.
- Release and launch changes must follow `docs/operations/FREEZE_POLICY.md`.

## Maintainers

Primary owners for this directory are Release Engineering, Security, and Core Protocol.

## Related Docs

- `docs/operations/GATE_INVENTORY.md`
- `docs/operations/FREEZE_POLICY.md`
- `docs/VALIDATOR_RUNBOOK.md`
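Review bot: the `Operating Rules` section requires required gates to stay aligned with `docs/operations/GATE_INVENTORY.md`, yet this PR adds three new gates (`Load Test Required Gate`, `Fuzzing Required Gate`, `dApps Required Gate`) to `.github/branch-protection/required-checks.json` with no visible change to that inventory, so the rule is violated by the change that introduces it; either include the inventory update in this PR or say in the description where it lands. Minor: the `branch-protection/` bullet describes the JSON as "required check definitions" but not what consumes it (a settings-sync workflow or a manual copy into branch protection settings); one sentence on that would tell a reader whether editing the file is sufficient on its own.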
30 changes: 17 additions & 13 deletions .github/branch-protection/required-checks.json
@@ -1,40 +1,44 @@
{
"default": [
"Core Required Gate",
"Contracts Required Gate",
"Rust Required Gate",
"Security Required Gate",
"Sandbox Required Gate",
"Docker Required Gate"
"Docker Required Gate",
"Load Test Required Gate",
"Fuzzing Required Gate",
"dApps Required Gate"
],
"main": [
"Audit Signoff Required Gate",
"Core Required Gate",
"Contracts Required Gate",
"Rust Required Gate",
"Security Required Gate",
"Sandbox Required Gate",
"Load Test Required Gate",
"Docker Required Gate",
"E2E Required Gate"
"Load Test Required Gate",
"Fuzzing Required Gate",
"E2E Required Gate",
"dApps Required Gate"
],
"develop": [
"Core Required Gate",
"Contracts Required Gate",
"Rust Required Gate",
"Security Required Gate",
"Sandbox Required Gate",
"Docker Required Gate"
"Docker Required Gate",
"Load Test Required Gate",
"Fuzzing Required Gate",
"dApps Required Gate"
],
"release/*": [
"Audit Signoff Required Gate",
"Core Required Gate",
"Contracts Required Gate",
"Rust Required Gate",
"Security Required Gate",
"Sandbox Required Gate",
"Load Test Required Gate",
"Docker Required Gate",
"E2E Required Gate"
"Load Test Required Gate",
"Fuzzing Required Gate",
"E2E Required Gate",
"dApps Required Gate"
]
}
}
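Review bot: `dApps Required Gate` is now required on every pattern including `default`, but the job that produces that status lives in `.github/workflows/dapps-ci.yml`, whose `pull_request` trigger is filtered to `paths: dApps/**` and the workflow file itself; on a pull request that touches nothing under `dApps/` the check never reports, and a required check that never reports leaves the PR unmergeable. Either drop the `paths:` filter on `pull_request`, or add a companion workflow with the inverse `paths-ignore` whose job carries the same `name: dApps Required Gate` and simply succeeds. The same question applies to `Load Test Required Gate` and `Fuzzing Required Gate` if their workflows are path- or schedule-triggered (not shown in this diff). Minor: `default` and `develop` are now identical lists, as are `main` and `release/*`; worth a note that they are meant to stay in lockstep so they do not drift apart again.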
8 changes: 4 additions & 4 deletions .github/dependabot.yml
@@ -10,7 +10,7 @@ updates:
interval: "weekly"
day: "monday"
reviewers:
- "aethelred/core-team"
- "aethelred-foundation/core-team"
labels:
- "dependencies"
- "go"
@@ -61,12 +61,12 @@ updates:

# Solidity contracts (npm)
- package-ecosystem: "npm"
directory: "/contracts/ethereum"
directory: "/contracts"
schedule:
interval: "weekly"
day: "tuesday"
reviewers:
- "aethelred/contracts-team"
- "aethelred-foundation/contracts-team"
labels:
- "dependencies"
- "solidity"
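Review bot: `directory: "/contracts"` matches the new `working-directory: contracts` in `contracts-ci.yml`, which is the consistency that matters; do confirm a `package.json` and lockfile now sit directly under `/contracts`, because Dependabot does not fail CI when a manifest path stops resolving, it only logs the error on the Dependabot tab and quietly stops opening updates. Also, the comment says `Solidity contracts (npm)` but `contracts-ci.yml` builds with `foundry-rs/foundry-toolchain@v1`; the `npm` ecosystem only tracks JS tooling in that directory, so Foundry libraries vendored as git submodules would need a separate `package-ecosystem: "gitsubmodule"` entry to get update PRs.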
@@ -77,7 +77,7 @@ updates:

# VSCode extension
- package-ecosystem: "npm"
directory: "/vscode-extension"
directory: "/tools/vscode-aethelred"
schedule:
interval: "weekly"
day: "tuesday"
4 changes: 2 additions & 2 deletions .github/workflows/contracts-ci.yml
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
defaults:
run:
working-directory: contracts/ethereum
working-directory: contracts
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
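Review bot: only `working-directory` is changed here, but the `actions/setup-node@v4` step just below the shown context is the one that usually carries a `cache-dependency-path`; if that still reads `contracts/ethereum/package-lock.json` the step will fail to find the lockfile (or silently cache-miss every run) even though the job directory was moved. Please check that the path in that `with:` block was updated to `contracts/package-lock.json` in the same commit.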
@@ -37,7 +37,7 @@ jobs:
runs-on: ubuntu-latest
defaults:
run:
working-directory: contracts/ethereum
working-directory: contracts
steps:
- uses: actions/checkout@v4
- uses: foundry-rs/foundry-toolchain@v1
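Review bot: `foundry-rs/foundry-toolchain@v1` with no `version:` input installs the current nightly, so the toolchain under this contract test job changes from run to run and a gate that passed yesterday can fail today without any change to the repo. Since this job feeds a required gate, pin the toolchain (`with: version: <release tag>`) for the same reproducibility reason the actions themselves are pinned to a tag.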
209 changes: 209 additions & 0 deletions .github/workflows/dapps-ci.yml
@@ -0,0 +1,209 @@
name: dApps CI

on:
push:
branches: [main, develop, release/**]
paths:
- 'dApps/**'
- '.github/workflows/dapps-ci.yml'
pull_request:
branches: [main, develop, release/**]
paths:
- 'dApps/**'
- '.github/workflows/dapps-ci.yml'
workflow_dispatch:

jobs:
# ---------------------------------------------------------------------------
# ZeroID Backend
# ---------------------------------------------------------------------------
zeroid-backend:
name: ZeroID Backend
runs-on: ubuntu-latest
defaults:
run:
working-directory: dApps/zeroid/backend
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
cache: "npm"
cache-dependency-path: dApps/zeroid/backend/package-lock.json
- name: Install dependencies
run: npm ci --no-fund
- name: Security audit
run: npm audit --audit-level=high
- name: Lint
run: npm run lint
- name: Type-check
run: npx tsc --noEmit
- name: Run tests
run: npm test -- --forceExit --ci
- name: Build
run: npm run build

# ---------------------------------------------------------------------------
# ZeroID Frontend
# ---------------------------------------------------------------------------
zeroid-frontend:
Comment on lines +21 to +49

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 2 months ago

In general, fix this by explicitly declaring permissions: for the workflow (or each job) so that the GITHUB_TOKEN has only the scopes actually required. For this CI workflow, all jobs just check out code and run Node commands; they do not create releases, modify issues, or push code, so contents: read is sufficient.

The simplest, non‑behavior‑changing fix is to add a single root‑level permissions: block that applies to all jobs. This should be placed near the top of .github/workflows/dapps-ci.yml, after the name: and on: definitions, and before jobs:. Set it to:

permissions:
  contents: read

No additional methods, imports, or definitions are needed, and no job steps need to change. This explicitly documents and enforces read‑only repository access for all jobs using GITHUB_TOKEN.

Suggested changeset 1
.github/workflows/dapps-ci.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dapps-ci.yml b/.github/workflows/dapps-ci.yml
--- a/.github/workflows/dapps-ci.yml
+++ b/.github/workflows/dapps-ci.yml
@@ -13,6 +13,9 @@
       - '.github/workflows/dapps-ci.yml'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   # ---------------------------------------------------------------------------
   # ZeroID Backend
EOF
@@ -13,6 +13,9 @@
- '.github/workflows/dapps-ci.yml'
workflow_dispatch:

permissions:
contents: read

jobs:
# ---------------------------------------------------------------------------
# ZeroID Backend
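Review bot: this autofix places `permissions:` after `workflow_dispatch:` and before `jobs:`, while the three later suggestions on the same file put it between `name:` and `on:`; both are valid top-level positions with identical effect, so apply one of them once rather than accepting several overlapping patches against the same lines (which is why these have gone "outdated"). A root block of `contents: read` is inherited by `dapps-required-gate` as well, and that job never checks out code; `permissions: {}` on that job, as the final alert's `{}` starting point hints, is the tighter setting.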
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
name: ZeroID Frontend
runs-on: ubuntu-latest
defaults:
run:
working-directory: dApps/zeroid
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
cache: "npm"
cache-dependency-path: dApps/zeroid/package-lock.json
- name: Install dependencies
run: npm ci --no-fund
- name: Lint
run: npm run lint
- name: Type-check
run: npm run type-check
- name: Format check
run: npm run format:check
- name: Run tests with coverage
run: npm run test:ci
- name: Build
run: npm run build

# ---------------------------------------------------------------------------
# Cruzible
# ---------------------------------------------------------------------------
cruzible:
Comment on lines +50 to +78

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 2 months ago

In general, the fix is to add an explicit permissions block that grants only the minimal scopes required by the jobs, preferably at the workflow root so it applies to all jobs. For typical CI that just checks out code and runs tests/builds, contents: read is sufficient; no write permissions are needed.

The best fix here is to add a top-level permissions block after the on: section, setting contents: read. This will apply to all jobs (zeroid-backend, zeroid-frontend, cruzible, noblepay, and dapps-required-gate) because none of them currently define their own permissions. This change does not alter existing functionality since the jobs only read the repository. Concretely, in .github/workflows/dapps-ci.yml, insert:

permissions:
  contents: read

between the on: block (ending at line 15) and the jobs: key (line 16). No additional methods, imports, or definitions are needed.

Suggested changeset 1
.github/workflows/dapps-ci.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dapps-ci.yml b/.github/workflows/dapps-ci.yml
--- a/.github/workflows/dapps-ci.yml
+++ b/.github/workflows/dapps-ci.yml
@@ -13,6 +13,9 @@
       - '.github/workflows/dapps-ci.yml'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   # ---------------------------------------------------------------------------
   # ZeroID Backend
EOF
@@ -13,6 +13,9 @@
- '.github/workflows/dapps-ci.yml'
workflow_dispatch:

permissions:
contents: read

jobs:
# ---------------------------------------------------------------------------
# ZeroID Backend
name: Cruzible
runs-on: ubuntu-latest
defaults:
run:
working-directory: dApps/cruzible
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
cache: "npm"
cache-dependency-path: dApps/cruzible/package-lock.json
- name: Install dependencies
run: npm ci --no-fund
- name: Validate (type-check + lint + format + test)
run: npm run validate
- name: Build
run: npm run build

# ---------------------------------------------------------------------------
# NoblePay
# ---------------------------------------------------------------------------
noblepay:
Comment on lines +79 to +101

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 2 months ago

In general, the fix is to add an explicit permissions: block that grants only the minimal required scopes to the GITHUB_TOKEN. Since all jobs in this workflow only need to read the repository contents (checkout, install, lint, test, build) and do not push, create releases, or modify issues/PRs, the least-privilege practical setting is contents: read.

The best way to fix this without changing functionality is to add a single permissions: block at the root of the workflow (top level, alongside name: and on:). This block will apply to all jobs (zeroid-backend, zeroid-frontend, cruzible, noblepay, and any others in the omitted section) that don’t declare their own permissions. We don’t need any imports or extra methods; this is a pure YAML configuration change.

Concretely:

  • Edit .github/workflows/dapps-ci.yml.

  • After the name: dApps CI line (line 1) and before the on: block (line 3), insert:

    permissions:
      contents: read

This explicitly restricts the GITHUB_TOKEN to read-only access to repository contents for all jobs, satisfying CodeQL’s recommendation and GitHub’s least-privilege guidance.

Suggested changeset 1
.github/workflows/dapps-ci.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dapps-ci.yml b/.github/workflows/dapps-ci.yml
--- a/.github/workflows/dapps-ci.yml
+++ b/.github/workflows/dapps-ci.yml
@@ -1,5 +1,8 @@
 name: dApps CI
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main, develop, release/**]
EOF
@@ -1,5 +1,8 @@
name: dApps CI

permissions:
contents: read

on:
push:
branches: [main, develop, release/**]
name: NoblePay
runs-on: ubuntu-latest
defaults:
run:
working-directory: dApps/noblepay
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
cache: "npm"
cache-dependency-path: dApps/noblepay/package-lock.json
- name: Install dependencies
run: npm ci --no-fund
- name: Validate all components
run: npm run validate
- name: Build
run: npm run build

# ---------------------------------------------------------------------------
# Shiora
# ---------------------------------------------------------------------------
shiora:
name: Shiora
runs-on: ubuntu-latest
defaults:
run:
working-directory: dApps/shiora
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
cache: "npm"
cache-dependency-path: dApps/shiora/package-lock.json
- name: Install dependencies
run: npm ci --no-fund
- name: Lint
run: npm run lint
- name: Type-check
run: npm run type-check
- name: Format check
run: npm run format:check
- name: Run tests with coverage
run: npm run test -- --coverage --ci
- name: Build
run: npm run build

# ---------------------------------------------------------------------------
# TerraQura
# ---------------------------------------------------------------------------
terraqura:
name: TerraQura
runs-on: ubuntu-latest
defaults:
run:
working-directory: dApps/terraqura
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
- name: Install pnpm
run: corepack enable && corepack prepare pnpm@9 --activate
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Lint
run: pnpm lint
- name: Type-check
run: pnpm typecheck
- name: Run tests
run: pnpm test
- name: Build
run: pnpm build

# ---------------------------------------------------------------------------
# Required gate — all dApps must pass before merge
# ---------------------------------------------------------------------------
dapps-required-gate:
Comment on lines +102 to +180

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 2 months ago

In general, fix this by adding an explicit permissions: block that requests only the minimal scopes required. Since this workflow just checks out code and runs Node commands, it only needs read access to repository contents (and possibly packages, which are covered by contents: read for the code itself). The cleanest way, without changing existing behavior, is to define a top-level permissions: block on the workflow so all jobs inherit restricted permissions by default.

Specifically, edit .github/workflows/dapps-ci.yml near the top of the file, after the name: dApps CI line and before the on: block, and add:

permissions:
  contents: read

This sets the default GITHUB_TOKEN permissions for all jobs (including noblepay) to read-only repository contents, which is sufficient for actions/checkout and any standard read-only operations. No additional imports, methods, or definitions are needed, and no per-job permissions are required given the current steps.

Suggested changeset 1
.github/workflows/dapps-ci.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dapps-ci.yml b/.github/workflows/dapps-ci.yml
--- a/.github/workflows/dapps-ci.yml
+++ b/.github/workflows/dapps-ci.yml
@@ -1,5 +1,8 @@
 name: dApps CI
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main, develop, release/**]
EOF
@@ -1,5 +1,8 @@
name: dApps CI

permissions:
contents: read

on:
push:
branches: [main, develop, release/**]
name: dApps Required Gate
runs-on: ubuntu-latest
needs:
- zeroid-backend
- zeroid-frontend
- cruzible
- noblepay
- shiora
- terraqura
if: always()
steps:
- name: Check all jobs passed
run: |
if [[ "${{ needs.zeroid-backend.result }}" != "success" ]] ||
[[ "${{ needs.zeroid-frontend.result }}" != "success" ]] ||
[[ "${{ needs.cruzible.result }}" != "success" ]] ||
[[ "${{ needs.noblepay.result }}" != "success" ]] ||
[[ "${{ needs.shiora.result }}" != "success" ]] ||
[[ "${{ needs.terraqura.result }}" != "success" ]]; then
echo "One or more dApps CI jobs failed:"
echo " zeroid-backend: ${{ needs.zeroid-backend.result }}"
echo " zeroid-frontend: ${{ needs.zeroid-frontend.result }}"
echo " cruzible: ${{ needs.cruzible.result }}"
echo " noblepay: ${{ needs.noblepay.result }}"
echo " shiora: ${{ needs.shiora.result }}"
echo " terraqura: ${{ needs.terraqura.result }}"
exit 1
fi
echo "All dApps CI gates passed."
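Review bot: `npm audit --audit-level=high` runs only in `zeroid-backend`; `zeroid-frontend`, `cruzible`, `noblepay`, `shiora` and `terraqura` all install dependencies but never audit them, so a high-severity advisory in any of those five trees passes the required gate. Add the same step to each npm job and `pnpm audit --audit-level high` to `terraqura`, or state why the backend is the only surface that needs it. Two smaller points in the same hunk: `corepack prepare pnpm@9 --activate` floats on the 9.x line, so pin an exact version (or rely on the `packageManager` field in `dApps/terraqura/package.json`) to keep the gate reproducible; and the file has no `permissions:` block (CodeQL flags this five times), so add `permissions: contents: read` at the root and `permissions: {}` on `dapps-required-gate`, which has no checkout step and only echoes `needs.*.result`. The gate logic itself is sound: `if: always()` plus `!= "success"` correctly fails on `skipped` and `cancelled`, and the interpolated `needs.*.result` values are fixed strings, not user input.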
Comment on lines +181 to +209

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 2 months ago

In general, the fix is to add an explicit permissions: block to the workflow (at the root level or per-job) that grants only the minimal required permissions. For this CI workflow, all jobs only check out code, install dependencies, run audits/lint/tests/builds, and perform a logical gate; they do not need to write to the repo or to pull requests. The standard minimal setting for such workflows is permissions: contents: read, which is equivalent to the read-only default.

The single best fix with no functional change is to add a root-level permissions: block (applies to all jobs) right after the name: dApps CI line. This will ensure every job’s GITHUB_TOKEN is limited to read-only repository contents (sufficient for actions/checkout@v4 if needed) while not enabling any write scopes. No other lines or behavior need to change, and no imports or extra methods are required since this is a YAML configuration change only.

Concretely: edit .github/workflows/dapps-ci.yml to insert:

permissions:
  contents: read

between line 1 (name: dApps CI) and line 3 (on:). This documents the intended permissions and prevents the workflow from accidentally gaining broader permissions if repository/organization defaults change in the future.

Suggested changeset 1
.github/workflows/dapps-ci.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dapps-ci.yml b/.github/workflows/dapps-ci.yml
--- a/.github/workflows/dapps-ci.yml
+++ b/.github/workflows/dapps-ci.yml
@@ -1,5 +1,8 @@
 name: dApps CI
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main, develop, release/**]
EOF
@@ -1,5 +1,8 @@
name: dApps CI

permissions:
contents: read

on:
push:
branches: [main, develop, release/**]
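Review bot: the alert for this region names `{}` as the minimal starting point, but the patch still grants `contents: read` at the root only; since `dapps-required-gate` has no checkout step and its single `run:` only inspects `needs.*.result`, add a job-level `permissions: {}` on that job in addition to the root block (job-level `permissions` replaces the workflow-level value), so the token issued to the gate job carries no scopes at all. The four other jobs do need `contents: read` for `actions/checkout@v4`, so the root block is right for them.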