Merge remote-tracking branch 'origin/main' into dango

Author: Rhaki

.changeset/config.json

@@ -10,7 +10,6 @@
       "@hyperlane-xyz/cli",
       "@hyperlane-xyz/cosmos-sdk",
       "@hyperlane-xyz/cosmos-types",
-      "@hyperlane-xyz/eslint-config",
       "@hyperlane-xyz/github-proxy",
       "@hyperlane-xyz/helloworld",
       "@hyperlane-xyz/http-registry-server",

.claude/skills/verify-warp-contracts/SKILL.md

@@ -398,6 +398,117 @@ hyperlane warp check \
 
 **NOTE**: Warp check may show provider errors for newly added chains - this is expected.
 
+### Step 8b: Test transferRemote on Fork
+
+After verifying configuration with `warp check`, test that an actual token transfer works on the forked chains. This catches issues that config checks miss: broken `transferRemote` calldata, token accounting bugs (lock/mint/burn/unlock), and message dispatch failures.
+
+#### 8b.1 Pick an Origin → Destination Pair
+
+Choose one origin → destination pair from the warp route. Prefer a pair where both chains have transactions (i.e., both were modified), so you're testing the freshly configured path.
+
+#### 8b.2 Bypass ISM on Destination (Required for Self-Relay)
+
+Forked mainnet chains have real multisig ISMs that require validator signatures. Since there are no validators on anvil forks, you must set a permissive ISM on the destination so self-relay can deliver the message.
+
+```bash
+# 1. Get the mailbox address for the destination chain from the forked registry
+DEST_MAILBOX=$(cast call <warp-router-address> "mailbox()(address)" --rpc-url http://localhost:<DEST-PORT>)
+
+# 2. Get the mailbox owner
+MAILBOX_OWNER=$(cast call $DEST_MAILBOX "owner()(address)" --rpc-url http://localhost:<DEST-PORT>)
+
+# 3. Get the current default ISM (to restore later if needed)
+OLD_ISM=$(cast call $DEST_MAILBOX "defaultIsm()(address)" --rpc-url http://localhost:<DEST-PORT>)
+
+# 4. Deploy Hyperlane's TestIsm.
+# TestIsm returns Types.NULL from moduleType() and true from verify(bytes,bytes),
+# so `hyperlane warp send --relay` uses null metadata instead of trying to derive
+# multisig/routing metadata on the fork.
+TEST_DEPLOYER_KEY="0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"
+# Ensure Foundry dependencies are materialized in fresh worktrees/checkouts.
+pnpm -C solidity deps:soldeer
+TEST_ISM_ADDRESS=$(forge create \
+  --root solidity \
+  --broadcast \
+  --rpc-url http://localhost:<DEST-PORT> \
+  --private-key $TEST_DEPLOYER_KEY \
+  contracts/test/TestIsm.sol:TestIsm \
+  | awk '/Deployed to:/ {print $3}')
+
+# Confirm the fork bypass ISM has the expected Hyperlane behavior:
+# moduleType() == 6 (Types.NULL) and verify(...) == true.
+cast call $TEST_ISM_ADDRESS "moduleType()(uint8)" --rpc-url http://localhost:<DEST-PORT>
+cast call $TEST_ISM_ADDRESS "verify(bytes,bytes)(bool)" 0x 0x --rpc-url http://localhost:<DEST-PORT>
+
+# 5. Impersonate mailbox owner and set the permissive ISM
+cast rpc anvil_impersonateAccount $MAILBOX_OWNER --rpc-url http://localhost:<DEST-PORT>
+BALANCE="0x56BC75E2D63100000"
+cast rpc anvil_setBalance $MAILBOX_OWNER $BALANCE --rpc-url http://localhost:<DEST-PORT>
+cast send $DEST_MAILBOX "setDefaultIsm(address)" $TEST_ISM_ADDRESS --from $MAILBOX_OWNER --rpc-url http://localhost:<DEST-PORT> --unlocked
+cast rpc anvil_stopImpersonatingAccount $MAILBOX_OWNER --rpc-url http://localhost:<DEST-PORT>
+```
+
+**NOTE**: If the warp router has a custom ISM set (not using the mailbox default), you'll need to impersonate the router owner and call `setInterchainSecurityModule(address)` on the router instead.
+
+#### 8b.3 Fund the Test Sender
+
+```bash
+# Generate a test private key (or use a well-known anvil key)
+TEST_KEY="0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"
+TEST_SENDER="0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266"  # Anvil account 0
+
+# Fund with native gas on origin
+cast rpc anvil_setBalance $TEST_SENDER "0x56BC75E2D63100000" --rpc-url http://localhost:<ORIGIN-PORT>
+
+# For collateral/ERC20 routes: mint or transfer tokens to the test sender
+# Option A: If the token has a mint function (e.g., test tokens)
+# cast send <token-address> "mint(address,uint256)" $TEST_SENDER 1000000000000000000 ...
+
+# Option B: Impersonate a whale holder and transfer
+# Find a top holder from the fork state, impersonate, and transfer
+# cast rpc anvil_impersonateAccount <whale> --rpc-url http://localhost:<ORIGIN-PORT>
+# cast send <token-address> "transfer(address,uint256)" $TEST_SENDER <amount> --from <whale> --rpc-url http://localhost:<ORIGIN-PORT> --unlocked
+
+# Option C: For native token routes, setBalance is sufficient (already done above)
+
+# Also fund on destination for self-relay gas
+cast rpc anvil_setBalance $TEST_SENDER "0x56BC75E2D63100000" --rpc-url http://localhost:<DEST-PORT>
+```
+
+#### 8b.4 Run the Transfer
+
+```bash
+HYP_KEY=$TEST_KEY \
+hyperlane warp send \
+  --registry <YOUR-ACTUAL-forked-registry-url-from-step-4> \
+  --warp-route-id <warp-route-id> \
+  --origin <origin-chain> \
+  --destination <destination-chain> \
+  --amount 1 \
+  --relay \
+  --skip-validation \
+  --yes
+```
+
+**Key flags:**
+
+- `--relay` — Self-relay the message (no real relayer on forks)
+- `--skip-validation` — Skip balance/collateral checks that may fail on forks
+- `--amount 1` — Use smallest practical amount (1 wei or 1 unit)
+
+#### 8b.5 Verify Result
+
+- **Success**: The CLI should log `Transfer was self-relayed!` and show the message ID
+- **Failure**: Check the error output. Common issues:
+  - `Ownable: caller is not the owner` on ISM bypass → wrong mailbox owner or router has custom ISM
+  - `insufficient funds` → test sender not funded with tokens (for collateral routes)
+  - `message already delivered` → ISM bypass not working, retry with router-level ISM override
+  - Timeout waiting for delivery → self-relay failed, check ISM was properly set
+
+**Capture output** to `/tmp/warp-transfer-test.log` for the final report.
+
+**NOTE**: This step is optional but strongly recommended. If it fails due to ISM complexity (e.g., routing ISMs, aggregation ISMs), document the failure and move on — the config check in Step 8 still validates the deployment.
+
 ### Step 9: Interpret Results
 
 Analyze the warp check output carefully:
@@ -516,6 +627,14 @@ Create a comprehensive markdown report with the following sections:
 
 [List of chains not modified and their expected violations]
 
+## Transfer Test Results
+
+- **Origin → Destination**: <chain-a> → <chain-b>
+- **Amount**: <amount>
+- **Result**: ✅ Success / ❌ Failed (reason)
+- **Message ID**: <id> (if successful)
+- **ISM Bypass**: Yes (TestIsm deployed at <address> set on destination mailbox)
+
 ## Decoded Transactions (Heimdall Output)
 
 ```json

.claude/skills/warp-route-check/skill.md

@@ -1,4 +1,5 @@
 typescript/sdk/src/cw-types/*.types.ts linguist-generated=true
+typescript/svm-sdk/src/hyperlane/program-bytes.ts linguist-generated=true binary
 rust/main/chains/hyperlane-ethereum/abis/*.abi.json linguist-generated=true
 solidity/contracts/interfaces/avs/*.sol linguist-vendored=true
 solidity/contracts/avs/ECDSA*.sol linguist-vendored=true

.gitattributes

@@ -40,5 +40,5 @@ typescript/rebalancer-sim @Mo-Hussain @nambrot @paulbalaji
 typescript/relayer @Mo-Hussain @yorhodes @paulbalaji
 
 ## Shared Tooling
-typescript/eslint-config @xeno097 @paulbalaji
+oxlint.json @xeno097 @paulbalaji
 typescript/tsconfig @xeno097 @paulbalaji

.github/CODEOWNERS

@@ -77,7 +77,7 @@ jobs:
           PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          prompt: "Use agent teams to run /claude-review, then use /inline-pr-comments to post findings as a consolidated PR review with inline comments"
+          prompt: 'Use agent teams to run /claude-review, then use /inline-pr-comments to post findings as a consolidated PR review with inline comments'
           track_progress: true
           use_sticky_comment: false
           claude_args: |
@@ -132,7 +132,7 @@ jobs:
           PR_NUMBER: ${{ github.event.issue.number }}
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          prompt: "Use agent teams to run /claude-security-review, then use /inline-pr-comments to post findings as a consolidated PR review with inline comments"
+          prompt: 'Use agent teams to run /claude-security-review, then use /inline-pr-comments to post findings as a consolidated PR review with inline comments'
           track_progress: true
           use_sticky_comment: false
           claude_args: |
@@ -200,7 +200,7 @@ jobs:
           PR_NUMBER: ${{ github.event.issue.number }}
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          prompt: "Use agent teams to run /claude-tob-review, then use /inline-pr-comments to post findings as a consolidated PR review with inline comments"
+          prompt: 'Use agent teams to run /claude-tob-review, then use /inline-pr-comments to post findings as a consolidated PR review with inline comments'
           track_progress: true
           use_sticky_comment: false
           claude_args: |
@@ -271,7 +271,7 @@ jobs:
           PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-          prompt: "When you have specific code feedback on changed lines, use /inline-pr-comments to deliver it as a consolidated GitHub review with inline comments."
+          prompt: 'When you have specific code feedback on changed lines, use /inline-pr-comments to deliver it as a consolidated GitHub review with inline comments.'
           track_progress: true
           use_sticky_comment: false
-          claude_args: "--model ${{ env.CLAUDE_SONNET_MODEL }}"
+          claude_args: '--model ${{ env.CLAUDE_SONNET_MODEL }}'

.github/workflows/claude-code-review.yml

@@ -40,7 +40,7 @@ jobs:
             hyperlane-agent
             hyperlane-monorepo
             hyperlane-node-services
-          image-tags: "pr-*"
+          image-tags: 'pr-*'
           tag-selection: tagged
           cut-off: 1w
           keep-n-most-recent: 5

.github/workflows/ghcr-cleanup.yml

@@ -128,7 +128,7 @@ jobs:
           |-------|-----|
           | hyperlane-node-services | \`${TAG_SHA_DATE}\` |
 
-          **Services included:** rebalancer, warp-monitor, ccip-server, keyfunder, relayer
+          **Services included:** rebalancer, warp-monitor, ccip-server, keyfunder, relayer, fee-quoting
 
           **Full image path:**
           \`\`\`

.github/workflows/node-services-docker.yml

@@ -10,7 +10,6 @@ on:
       - 'typescript/**'
       - '!typescript/infra/**'
       - '!typescript/ccip-server/**'
-      - '!typescript/eslint-config/**'
       - '!typescript/github-proxy/**'
       - '!typescript/http-registry-server/**'
       - '!typescript/tsconfig/**'
@@ -31,6 +30,11 @@ on:
           - alpha
           - rc
           - preview
+      include_zksync:
+        description: 'Include ZKSync build artifacts (adds ~6min)'
+        required: false
+        default: false
+        type: boolean
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
@@ -255,6 +259,19 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
+      # Need to install foundry for the build step. `hardhat-foundry` expects foundry to be installed.
+      - name: Setup Foundry
+        uses: ./.github/actions/setup-foundry
+
+      # Build BEFORE snapshot versioning so turbo cache hits are preserved.
+      # Snapshot versioning rewrites every package.json, which invalidates turbo hashes.
+      - name: Build packages
+        run: pnpm run build
+
+      - name: Build ZKSync artifacts
+        if: inputs.include_zksync
+        run: pnpm run build:zk
+
       - name: Create snapshot versions
         run: pnpm exec changeset version --snapshot ${{ inputs.snapshot_tag }}
 
@@ -264,13 +281,6 @@ jobs:
           SNAPSHOT_VERSION=$(node -p "require('./typescript/sdk/package.json').version")
           echo "snapshot=$SNAPSHOT_VERSION" >> $GITHUB_OUTPUT
 
-      # Need to install foundry for the build step. `hardhat-foundry` expects foundry to be installed.
-      - name: Setup Foundry
-        uses: ./.github/actions/setup-foundry
-
-      - name: Build packages
-        run: pnpm run build && pnpm run build:zk
-
       - name: Publish beta packages
         run: pnpm exec changeset publish --tag ${{ inputs.snapshot_tag }} --no-git-tag
         env:
@@ -289,3 +299,31 @@ jobs:
           echo "npm install @hyperlane-xyz/sdk@${{ inputs.snapshot_tag }}" >> $GITHUB_STEP_SUMMARY
           echo "npm install @hyperlane-xyz/cli@${{ inputs.snapshot_tag }}" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
+
+  notify-publish-failure:
+    if: >-
+      always() && (
+        needs.publish-release.result == 'failure' ||
+        needs.check-latest-published.result == 'failure' ||
+        needs.cli-install-cross-platform-release-test.result == 'failure'
+      )
+    needs:
+      [
+        check-latest-published,
+        cli-install-cross-platform-release-test,
+        publish-release,
+      ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Notify Slack on publish failure
+        uses: slackapi/slack-github-action@v3
+        with:
+          webhook: ${{ secrets.SLACK_INCIDENTS_WEBHOOK }}
+          webhook-type: incoming-webhook
+          payload: |
+            text: ":red-siren: NPM package publish failed — see workflow run for details"
+            blocks:
+              - type: "section"
+                text:
+                  type: "mrkdwn"
+                  text: ":red-siren: *NPM package publish failed*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View workflow run #${{ github.run_number }}>"

.github/workflows/release.yml

@@ -191,7 +191,7 @@ jobs:
           git config user.name "${{ steps.generate-token.outputs.app-slug }}[bot]"
           git config user.email "${BOT_USER_ID}+${{ steps.generate-token.outputs.app-slug }}[bot]@users.noreply.github.com"
 
-          BRANCH_NAME="release-agents-v${NEW_VERSION}"
+          BRANCH_NAME="release-agents"
 
           # Create branch from current HEAD (which is main)
           git checkout -B "$BRANCH_NAME"