ci.yml

name: ci

# Every push / PR runs the full gate.  Jobs are designed to fail fast and to
# surface the exact invariant that broke (no "see logs" black boxes).
#
# Toolchain is pinned by `flake.nix` + `scripts/bootstrap.sh` — neither CI nor
# contributors install Solana/Anchor/circom/snarkjs/wasm-pack globally.  The
# first job (`toolchain`) provisions `.toolchain/` into the cache and every
# downstream job restores it.

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read

env:
  SOLANA_VERSION: 1.18.22
  ANCHOR_VERSION: 0.30.1
  RUST_VERSION: 1.79.0
  # solid-prover lives in its own workspace and pins a NEWER toolchain
  # (1.85) than the rest of the repo (1.79).  Reason: ark-circom 0.5
  # transitively pulls modern crates whose Cargo.toml manifests use
  # `edition = "2024"`, which cargo < 1.84 cannot parse at all.
  # solid-prover is a host-only tool with no Solana platform-tools
  # constraint so the bump is safe.  See
  # `tools/solid-prover/rust-toolchain.toml` for the full rationale.
  RUST_VERSION_PROVER: 1.85.0
  NODE_VERSION: 18
  CIRCOM_VERSION: 2.1.9
  SNARKJS_VERSION: 0.7.5
  WASM_PACK_VERSION: 0.13.1

jobs:
  # ───────────────────────── 0. TOOLCHAIN ─────────────────────────
  # Warm, cached toolchain.  Every other job depends on it.
  toolchain:
    name: toolchain (bootstrap)
    runs-on: ubuntu-latest
    outputs:
      cache-key: ${{ steps.key.outputs.value }}
    steps:
      - uses: actions/checkout@v4

      - id: key
        run: |
          echo "value=toolchain-${{ runner.os }}-${{ hashFiles('scripts/bootstrap.sh', 'flake.nix') }}" >> "$GITHUB_OUTPUT"

      - name: Cache .toolchain
        id: cache-toolchain
        uses: actions/cache@v4
        with:
          path: |
            .toolchain
            ~/.cargo/bin
            ~/.cargo/registry
          key: ${{ steps.key.outputs.value }}

      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}
          components: rustfmt, clippy
          target: wasm32-unknown-unknown

      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}

      - name: Bootstrap toolchain
        if: steps.cache-toolchain.outputs.cache-hit != 'true'
        run: bash scripts/bootstrap.sh

      - name: Verify pinned versions
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          solana --version
          anchor --version
          circom --version
          npx snarkjs --version || true
          wasm-pack --version

  # ───────────────────────── 1. FORMAT + CLIPPY ─────────────────────────
  fmt-clippy:
    name: fmt + clippy
    needs: toolchain
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}
          components: rustfmt, clippy
      - name: cargo fmt (root workspace)
        run: cargo fmt --all -- --check
      - name: cargo clippy (root workspace, non-BPF libs)
        # Only lint the non-program crates here; programs are BPF-only and
        # are linted by `anchor build` with proper cfg gating.
        run: cargo clippy -p solid-core -p solid-light -- -D warnings
      - name: cargo clippy (Anchor programs, host-target lint gate)
        # SOLID-SEC-A5 (2026-05-28): forbid production-code panic surfaces.
        #
        # Each program crate carries a crate-root
        #   #![deny(clippy::unwrap_used, clippy::expect_used, clippy::panic)]
        # that turns any future re-introduction of `.unwrap()` / `.expect()` /
        # `panic!()` outside `#[cfg(test)]` into a hard build error.  The deny
        # is attached at the source so it cannot be silently dropped by edits
        # to this workflow; this step exists to surface the failure in CI
        # rather than only at `anchor build` time.
        #
        # `--lib` keeps clippy on the host target — clippy is a syntactic /
        # MIR-level analysis, so the BPF target is not required for the lint
        # gate.  BPF-specific issues are still caught by the `anchor` job.
        # Test modules carry `#[allow(clippy::unwrap_used, clippy::expect_used,
        # clippy::panic)]` at the source so assertion-style unwraps inside
        # `#[cfg(test)] mod tests { ... }` remain idiomatic.
        run: cargo clippy --lib -p zk-verifier -p issuer-registry -p schema-registry -- -D warnings
      # solid-prover fmt/clippy moved to the `prover` job below, since
      # that workspace pins a different toolchain (1.85 vs 1.79 here).
      # Keeping them in this job would require installing two toolchains
      # in one runner; cleaner to keep each workspace's gates with its
      # own toolchain install.

  # ───────────────────────── 2. RUST LIBRARY TESTS ─────────────────────────
  rust:
    name: rust (solid-core + solid-light)
    needs: toolchain
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - name: Restore cargo caches
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            target
          key: cargo-${{ runner.os }}-${{ hashFiles('Cargo.lock') }}
      - name: Lockfile is v3 (Anchor requirement)
        run: head -5 Cargo.lock | grep -qE '^version = 3($|[[:space:]])'
      - name: Build + test (solid-core, solid-light)
        run: cargo test -p solid-core -p solid-light --no-fail-fast
      - name: Unit tests for zk-verifier host code
        # `zk-verifier` tests that don't need the BPF target (VkBuf parser
        # tests, negate_g1_point, etc.).  BPF build is covered by the
        # `anchor` job.
        run: cargo test -p zk-verifier --lib --no-fail-fast

  # ───────────────────────── 3. PROVER (separate workspace, separate toolchain) ─────────────────────────
  # solid-prover pins rust 1.85 (not 1.79) because its dep closure pulls
  # crates whose manifests declare `edition = "2024"`, unparseable by
  # cargo < 1.84.  See `tools/solid-prover/rust-toolchain.toml` for the
  # full rationale.  This job installs 1.85 and runs fmt + clippy +
  # tests for that workspace only.
  prover:
    name: prover (tools/solid-prover, rust 1.85)
    needs: toolchain
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION_PROVER }}
          components: rustfmt, clippy
      - name: Cache prover target
        uses: actions/cache@v4
        with:
          path: tools/solid-prover/target
          key: prover-${{ runner.os }}-${{ hashFiles('tools/solid-prover/Cargo.lock') }}
      - name: cargo fmt (solid-prover)
        working-directory: tools/solid-prover
        run: cargo fmt --all -- --check
      - name: cargo clippy (solid-prover)
        working-directory: tools/solid-prover
        run: cargo clippy --all-targets -- -D warnings
      - name: Build + test prover
        working-directory: tools/solid-prover
        run: cargo test --no-fail-fast

  # ───────────────────────── 4. ANCHOR BPF BUILD ─────────────────────────
  anchor:
    name: anchor build (BPF)
    needs: toolchain
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: |
            .toolchain
            ~/.cargo/bin
            ~/.cargo/registry
          key: ${{ needs.toolchain.outputs.cache-key }}
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}
      - name: Build all three programs
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          anchor build --no-idl
      - name: Emit IDLs (sanity — they must parse)
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          anchor idl build -p zk_verifier > /dev/null
          anchor idl build -p issuer_registry > /dev/null
          anchor idl build -p schema_registry > /dev/null

  # ───────────────────────── 5. WASM BRIDGE ─────────────────────────
  # Canonical bridge lives in `wasm/` (crate `solid-wasm`), not in
  # `crates/solid-core` (which stays BPF-compatible and exposes zero
  # `#[wasm_bindgen]` symbols).  Output is written into the consumer
  # package (`ts-sdk/packages/core/wasm/`) so the TS SDK can resolve
  # it via a relative import — one source of truth per artifact
  # (ADR-0002 / SOLID-SEC-028).
  wasm:
    name: wasm (solid-wasm → ts-sdk/packages/core/wasm)
    needs: toolchain
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}
          target: wasm32-unknown-unknown
      - uses: actions/cache@v4
        with:
          path: |
            .toolchain
            ~/.cargo/bin
            ~/.cargo/registry
          key: ${{ needs.toolchain.outputs.cache-key }}
      - name: Build wasm bridge
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          wasm-pack build wasm/ --target nodejs \
            --out-dir ../ts-sdk/packages/core/wasm --release
      - name: Verify expected artifacts
        run: |
          test -f ts-sdk/packages/core/wasm/solid_wasm.js
          test -f ts-sdk/packages/core/wasm/solid_wasm_bg.wasm
          test -f ts-sdk/packages/core/wasm/solid_wasm.d.ts
          test -f ts-sdk/packages/core/wasm/package.json

  # ───────────────────────── 5b. WASM BRIDGE SMOKE TEST ─────────────────────────
  # End-to-end check that the SDK's pinned import path actually
  # reaches into the just-built wasm artifact and that a real Poseidon
  # call returns a non-zero digest. Hard gates SOLID-SEC-009: a broken
  # SDK build would have produced an empty `pkg` dir before; now it
  # fails here instead of at a downstream consumer.
  wasm_bridge_smoke:
    name: wasm bridge smoke (SDK pinned path reaches real artifact)
    needs: [toolchain, wasm]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}
          target: wasm32-unknown-unknown
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: npm
          cache-dependency-path: ts-sdk/package-lock.json
      - uses: actions/cache@v4
        with:
          path: |
            .toolchain
            ~/.cargo/bin
            ~/.cargo/registry
          key: ${{ needs.toolchain.outputs.cache-key }}
      - name: Build wasm bridge
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          wasm-pack build wasm/ --target nodejs \
            --out-dir ../ts-sdk/packages/core/wasm --release
      - name: Install workspace deps + build core
        working-directory: ts-sdk
        run: |
          npm ci
          npm run build --workspace=@solid-protocol/core
      - name: Smoke-test the SDK pinned import path
        working-directory: ts-sdk/packages/core
        run: node ../../../scripts/wasm_bridge_smoke.mjs

  # ───────────────────────── 6. CIRCUITS (compile only) ─────────────────────────
  circuits:
    name: circuits (circom compile)
    needs: toolchain
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: |
            .toolchain
            ~/.cargo/bin
            ~/.cargo/registry
          key: ${{ needs.toolchain.outputs.cache-key }}
      - name: Compile every .circom file
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          mkdir -p target/circuits
          for f in circuits/*.circom; do
            echo "→ compiling $f"
            circom "$f" --r1cs --sym -o target/circuits \
              -l node_modules -l circuits/lib || exit 1
          done
      - name: Upload R1CS artifacts
        uses: actions/upload-artifact@v4
        with:
          name: r1cs
          path: target/circuits/

  # ───────────────────────── 6b. CIRCUIT WITNESS TESTS ─────────────────────────
  # Regression gates for SOLID-SEC-001 (query-index range checks) and
  # SOLID-SEC-029 (IdentityAnchor enable gate).  The tests drive
  # isolated templates under `circuits/test/templates/` via
  # circom_tester; this is a strictly stronger signal than "the
  # main circuit compiles" because the assertions fire on out-of-
  # range or bit-violating witnesses.  When Phase 2 lands the
  # SEC-004 / SEC-008 circuit revision, the harness here is what
  # guards the added constraints.
  circuit_witness_tests:
    name: circuit witness tests (SEC-001, SEC-029 regression gates)
    needs: toolchain
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
      - uses: actions/cache@v4
        with:
          path: |
            .toolchain
            ~/.cargo/bin
            ~/.cargo/registry
          key: ${{ needs.toolchain.outputs.cache-key }}
      - name: Install circuits/ npm deps
        working-directory: circuits
        run: npm install
      - name: Run mocha witness tests
        working-directory: circuits
        run: |
          export PATH="$PWD/../.toolchain/bin:$PATH"
          npm test

  # ───────────────────────── 7. SDK (TypeScript) ─────────────────────────
  sdk:
    name: sdk (TypeScript build + unit tests)
    needs: [toolchain, wasm]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: npm
          cache-dependency-path: ts-sdk/package-lock.json
      # We need the wasm artifact from the `wasm` job.  Rebuild it here (fast,
      # since the cargo registry is warm) to keep this job self-contained.
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}
          target: wasm32-unknown-unknown
      - uses: actions/cache@v4
        with:
          path: |
            .toolchain
            ~/.cargo/bin
            ~/.cargo/registry
          key: ${{ needs.toolchain.outputs.cache-key }}
      - name: Rebuild wasm (nodejs target)
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          wasm-pack build wasm/ --target nodejs \
            --out-dir ../ts-sdk/packages/core/wasm --release
      - name: Install workspace deps
        working-directory: ts-sdk
        run: npm ci
      - name: Build all packages
        working-directory: ts-sdk
        run: npm run build
      - name: Run SDK tests
        working-directory: ts-sdk
        run: npm test --workspaces --if-present

  # ───────────────────────── 8. CROSS-LANGUAGE VECTORS ─────────────────────────
  # The single most important invariant in the whole repo: Rust and
  # TypeScript MUST agree bit-for-bit on the commitment + nullifier.  Any
  # divergence (e.g. Poseidon constant drift, endianness regression)
  # reports here, not in prod.
  cross_language_vectors:
    name: cross-language vectors (Rust ↔ TS)
    needs: [rust, sdk]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}
          target: wasm32-unknown-unknown
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: npm
          cache-dependency-path: ts-sdk/package-lock.json
      - uses: actions/cache@v4
        with:
          path: |
            .toolchain
            ~/.cargo/bin
            ~/.cargo/registry
          key: ${{ needs.toolchain.outputs.cache-key }}
      - name: Regenerate Rust-side vectors
        run: cargo run -p solid-core --example gen_vectors -- tests/vectors/commitment_and_nullifier.json
      - name: Vectors unchanged (Rust is the source of truth)
        run: git diff --exit-code -- tests/vectors/commitment_and_nullifier.json
      # Phase 3.4: regenerate the circuit-side vectors (BJJ keys,
      # Poseidon-derived credPriv with bit-253 regression cases,
      # 254-bit-safe Fp ordering ground truth) and assert no drift.
      # Rust is the source of truth here too; any divergence between
      # `solid_core::babyjubjub` / `poseidon` and the committed
      # fixture is a HARD failure that blocks the build.
      - name: Regenerate circuit vectors (Rust -> circuit fixture)
        run: cargo run --release -p solid-core --example gen_circuit_vectors
      - name: Circuit vectors unchanged
        run: git diff --exit-code -- circuits/test/fixtures/circuit_vectors.json
      - name: Build wasm + SDK
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          wasm-pack build wasm/ --target nodejs \
            --out-dir ../ts-sdk/packages/core/wasm --release
          cd ts-sdk && npm ci && npm run build
      - name: Run TS-side vector check
        working-directory: ts-sdk
        run: npx ts-node --project ../tsconfig.json ../tests/vectors/check_vectors.ts
      # Phase 3.4: drive the circuit mocha suite on the freshly
      # regenerated fixture.  This closes the SDK<->circuit byte-
      # identity contract: lt_bn254 + babypbk254 + identity_anchor
      # all witness-calc against Rust ground truth, plus a triple
      # witness against circomlibjs Poseidon.
      - name: Install circuits npm deps
        working-directory: circuits
        run: npm ci
      - name: Run circuit mocha suite
        working-directory: circuits
        run: |
          export PATH="$PWD/../.toolchain/bin:$PATH"
          npm test

  # ───────────────────────── 9. PROGRAM-ID CONSISTENCY ─────────────────────────
  # Hard gate on the drift that previously blocked a devnet deploy:
  # Anchor.toml ↔ `declare_id!` ↔ `cpi_helpers.rs` consts ↔
  # `deployments/*.json` ↔ allowlisted ts-sdk owner files must all agree.
  # Now also includes SOLID-SEC-081 (NF-05): the gate's TS-side coverage,
  # plus its own regression suite (`scripts/test_check_program_ids.py`)
  # that asserts the gate itself fires on planted-drift fixtures.
  program_id_consistency:
    name: program-id consistency
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Run check_program_ids.py against the live tree
        run: python3 scripts/check_program_ids.py
      - name: Run check_program_ids regression suite (SOLID-SEC-081)
        run: python3 scripts/test_check_program_ids.py

  # ───────────────────────── 10. E2E LOCALNET ─────────────────────────
  # The SOLID-SEC-011 regression gate that Phase 1 deferred to
  # Phase 2.  Runs the full E2E pipeline against
  # `solana-test-validator` in the background:
  #
  #   anchor deploy
  #   initialize.ts    (register schema, bindings, VK upload)
  #   bootstrap_issuer.ts   (governance mint + DAO approval)
  #   issue.ts         (credential issuance)
  #   prove.ts         (Groth16 proof + on-chain verify + replay reject)
  #
  # Any step failing fails the job.  On green, we have evidence that
  # a stranger can run the pipeline from a clean checkout.
  #
  # Note: uses the single-party TESTNET zkey produced by
  # `circuits/scripts/setup.js` (SOLID-SEC-012 multi-party ceremony
  # is a Phase 3 deliverable).
  e2e_localnet:
    name: e2e localnet (SEC-011 regression gate)
    needs: [toolchain, anchor, wasm, circuits]
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4
      - uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}
          target: wasm32-unknown-unknown
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: npm
      - uses: actions/cache@v4
        with:
          path: |
            .toolchain
            ~/.cargo/bin
            ~/.cargo/registry
          key: ${{ needs.toolchain.outputs.cache-key }}
      - name: Install root workspace deps
        run: npm install
      - name: Install ts-sdk workspace deps
        working-directory: ts-sdk
        run: npm ci
      - name: Build wasm bridge
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          wasm-pack build wasm/ --target nodejs \
            --out-dir ../ts-sdk/packages/core/wasm --release
      - name: Build ts-sdk packages
        working-directory: ts-sdk
        run: npm run build
      - name: Compile circuits and run trusted setup (TESTNET)
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          cd circuits
          npm install
          npm run compile
          node scripts/setup.js
      - name: Anchor build
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          anchor build --no-idl
          anchor idl build -p zk_verifier > target/idl/zk_verifier.json
          anchor idl build -p issuer_registry > target/idl/issuer_registry.json
          anchor idl build -p schema_registry > target/idl/schema_registry.json
      - name: Start test validator (background)
        run: |
          export PATH="$PWD/.toolchain/bin:$PATH"
          solana-test-validator \
            --reset --quiet \
            --bpf-program DcyezhHYGwFTZCeb3BMJbQHFh7EyQMx8WCrKDNLbarb target/deploy/zk_verifier.so \
            --bpf-program 5fxhJ1uKBtsVGq17xuVDapcTALZprNVU8Ar9mFHVijMx target/deploy/issuer_registry.so \
            --bpf-program 4ZCrxVBKpko7xUSrLq7zZzd87xGEKFSxFm3JG6j3CmF1 target/deploy/schema_registry.so \
            >/tmp/validator.log 2>&1 &
          echo $! > /tmp/validator.pid
          # Wait for RPC readiness
          for i in $(seq 1 60); do
            if solana --url http://127.0.0.1:8899 cluster-version >/dev/null 2>&1; then
              echo "validator ready"; break
            fi
            sleep 1
          done
          solana config set --url http://127.0.0.1:8899
          solana airdrop 100 || true
      - name: Run E2E pipeline (full)
        env:
          SOLID_RPC_URL: http://127.0.0.1:8899
          SOLID_VOTING_PERIOD_SECONDS: '120'
        run: |
          # The full sequence: init-onchain -> backfill-issuer-tree ->
          # bootstrap-schema-tree -> bootstrap-issuer -> issue -> prove.
          # `prove` exercises the SOLID-SEC-054 / B13 Option 2 buffer-
          # account flow + the on-chain Groth16 verify.  Green tail must
          # include `verified: true` followed by `ok (replay rejected by
          # nullifier PDA init constraint)`.  This is the load-bearing
          # SOLID-SEC-011 regression gate.
          npm run e2e
      - name: SOLID-SEC-046 CU regression gate
        env:
          SOLID_RPC_URL: http://127.0.0.1:8899
        run: |
          # Re-measure on-chain CU consumption per ix from the just-run
          # e2e and compare against pinned baselines.  Fails the build
          # on `consumed > baseline * 1.10`.  Baselines + tx hashes:
          # `tests/cu_baselines.json` + `docs/CU_BUDGET.md`.
          python3 scripts/measure_cu.py
      - name: Dump validator log on failure
        if: failure()
        run: tail -n 400 /tmp/validator.log || true
      - name: Stop test validator
        if: always()
        run: |
          if [ -f /tmp/validator.pid ]; then
            kill "$(cat /tmp/validator.pid)" || true
          fi