Project import generated by Copybara.

GitOrigin-RevId: f7d7c8b7212cb30fb543784d0f00127b4e370571

Author: Copybara Bot

.github/workflows/test.yml

@@ -238,6 +238,7 @@ jobs:
       - name: Run Clippy
         run: |
           cargo hack clippy \
+            --locked \
             --workspace --all-targets \
             --feature-powerset \
             --exclude-features bb_rs,bb_utxo

.gitignore

@@ -29,5 +29,4 @@ temp_fixtures
 # Claude Code completion markers
 .done
 
-# Symlink to GENERATED_AI_GUIDANCE.md (canonical file)
-CLAUDE.md
+PLAN.md

Cargo.lock

@@ -271,13 +271,13 @@ once_cell = "1.19.0"
 parking_lot = "0.12.1"
 phonenumber = "0.3"
 pretty-hex = "0.3.0"
-proptest = "1.6.0"
+proptest = "1.11.0"
 proc-macro2 = "1.0"
 quote = "1.0"
 quickcheck = "1.0.3"
 rand = "0.8.5"
 rand_chacha = "0.3.1"
-rand_xorshift = "0.3"
+rand_xorshift = "0.4"
 reqwest = { version = "0.12", features = ["json", "multipart"] }
 rlp = "0.6.1"
 rocksdb = "0.21"

Cargo.toml

@@ -363,6 +363,7 @@ cargo hakari manage-deps --yes
 ```
 
 The `Rust / Hakari Check` GitHub workflow enforces that the crate stays synchronized; if it fails, re-run the commands above and commit the resulting changes.
+The main `Test` workflow also verifies `Cargo.lock` during its clippy run by adding `--locked` to `cargo hack clippy`; if that check reports that the lockfile needs updates, regenerate and commit `Cargo.lock` before retrying CI.
 
 ## Contributing
 

README.md

@@ -15,10 +15,15 @@ echo "📋 Checking generated types ..."
 
 # Type-check only the generated TypeScript types using the custom tsconfig
 cd "${workspace_root}/app/packages/payy"
+
+# Keep this aligned with the app TypeScript toolchain (see app/yarn.lock).
+TS_RS_TS_VERSION="5.9.3"
+echo "Using TypeScript ${TS_RS_TS_VERSION} for generated-bindings type checking."
+
 # Note: this expects at least one top-level `src/ts-rs-bindings/*.ts` file.
 # If we adopt namespaced exports via `#[ts(export_to = ".../")]`, revisit this
 # check and `src/ts-rs-bindings/tsconfig.tsrs.json` include patterns.
-if ls src/ts-rs-bindings/*.ts && npx tsc --project src/ts-rs-bindings/tsconfig.tsrs.json; then
+if ls src/ts-rs-bindings/*.ts && npx --yes --package typescript@${TS_RS_TS_VERSION} tsc --project src/ts-rs-bindings/tsconfig.tsrs.json; then
   echo "✅ TypeScript type check passed for generated bindings."
 else
   echo "❌ TypeScript type check failed for generated bindings!"

app/packages/payy/scripts/export-ts-types.sh

@@ -1,4 +1,6 @@
 # Build aggregator CLI binary
+ARG DEBIAN_TESTING_SNAPSHOT=20260404T140000Z
+
 FROM rust:1-bookworm AS workspace
 
 ARG SCCACHE_GCS_BUCKET
@@ -75,6 +77,8 @@ RUN mkdir -p /build/bin && \
 # Runtime image with barretenberg CLI installed
 FROM debian:bookworm-slim as runtime
 
+ARG DEBIAN_TESTING_SNAPSHOT
+
 ENV ROOT_DIR /polybase
 WORKDIR $ROOT_DIR
 
@@ -93,12 +97,13 @@ RUN wget https://storage.googleapis.com/payy-public-fixtures/bb/v3.0.0-manual.20
     mv bb /usr/local/bin/bb && \
     rm barretenberg.tar.gz
 
-# Fetch modern libc/libstdc++ plus jq which bb expects
-RUN echo 'deb http://deb.debian.org/debian testing main' \
-    >  /etc/apt/sources.list.d/testing.list         && \
-    echo 'APT::Default-Release "stable";'               \
-    >  /etc/apt/apt.conf.d/99defaultrelease         && \
-    apt-get update                                      && \
+# Freeze Debian testing to a known-good snapshot so upstream testing changes
+# do not break image builds.
+RUN echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/${DEBIAN_TESTING_SNAPSHOT} testing main" \
+    > /etc/apt/sources.list.d/testing.list && \
+    echo 'APT::Default-Release "stable";' \
+    > /etc/apt/apt.conf.d/99defaultrelease && \
+    apt-get update && \
     DEBIAN_FRONTEND=noninteractive \
     apt-get install -y -t testing libc6 libstdc++6 jq
 

docker/Dockerfile.aggregator

@@ -1,4 +1,6 @@
 # Build binary
+ARG DEBIAN_TESTING_SNAPSHOT=20260404T140000Z
+
 FROM rust:1-bookworm AS workspace
 
 ARG SCCACHE_GCS_BUCKET
@@ -37,6 +39,8 @@ WORKDIR /build
 
 FROM workspace AS tester
 
+ARG DEBIAN_TESTING_SNAPSHOT
+
 SHELL ["/bin/bash", "--login", "-c"]
 
 RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash
@@ -53,15 +57,14 @@ RUN wget https://storage.googleapis.com/payy-public-fixtures/bb/v3.0.0-manual.20
     mv bb /usr/local/bin/bb && \
     rm barretenberg.tar.gz
 
-# bb requires a recent glibcxx version
-# Enable backports and pull libstdc++ 13.x (exports GLIBCXX_3.4.31)
-# also installs jq, some bb commands require jq
-RUN echo 'deb http://deb.debian.org/debian testing main' \
-    >  /etc/apt/sources.list.d/testing.list         && \
-    echo 'APT::Default-Release "stable";'               \
-    >  /etc/apt/apt.conf.d/99defaultrelease         && \
-    apt-get update                                      && \
-    # pull only the two runtime libs from testing
+# bb requires a recent glibcxx version.
+# Freeze Debian testing to a known-good snapshot so upstream testing changes
+# do not break image builds.
+RUN echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/${DEBIAN_TESTING_SNAPSHOT} testing main" \
+    > /etc/apt/sources.list.d/testing.list && \
+    echo 'APT::Default-Release "stable";' \
+    > /etc/apt/apt.conf.d/99defaultrelease && \
+    apt-get update && \
     DEBIAN_FRONTEND=noninteractive \
     apt-get install -y -t testing libc6 libstdc++6 jq
 
@@ -140,6 +143,8 @@ RUN cp /build/target/$([ "$RELEASE" = "1" ] && echo "release" || echo "debug")/b
 # Runtime stage dedicated to barretenberg-api-server
 FROM debian:bookworm-slim as runtime
 
+ARG DEBIAN_TESTING_SNAPSHOT
+
 ENV ROOT_DIR /polybase
 WORKDIR $ROOT_DIR
 
@@ -158,14 +163,12 @@ RUN wget https://storage.googleapis.com/payy-public-fixtures/bb/v3.0.0-manual.20
     mv bb /usr/local/bin/bb && \
     rm barretenberg.tar.gz
 
-# Enable backports and pull libstdc++ 13.x (exports GLIBCXX_3.4.31)
-# also installs jq, some bb commands require jq
-RUN echo 'deb http://deb.debian.org/debian testing main' \
-    >  /etc/apt/sources.list.d/testing.list         && \
-    echo 'APT::Default-Release "stable";'               \
-    >  /etc/apt/apt.conf.d/99defaultrelease         && \
-    apt-get update                                      && \
-    # pull only the two runtime libs from testing
+# Freeze Debian testing to the same snapshot used in the tester stage.
+RUN echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/${DEBIAN_TESTING_SNAPSHOT} testing main" \
+    > /etc/apt/sources.list.d/testing.list && \
+    echo 'APT::Default-Release "stable";' \
+    > /etc/apt/apt.conf.d/99defaultrelease && \
+    apt-get update && \
     DEBIAN_FRONTEND=noninteractive \
     apt-get install -y -t testing libc6 libstdc++6 jq
 

docker/Dockerfile.barretenberg-api-server

@@ -1,3 +1,5 @@
+ARG DEBIAN_TESTING_SNAPSHOT=20260404T140000Z
+
 FROM rust:1-bookworm AS builder
 ARG RUST_GIT_FETCH_CLI
 ARG SCCACHE_GCS_BUCKET
@@ -55,6 +57,8 @@ RUN if [ -f /gcs_key.json ]; then \
 
 FROM debian:bookworm-slim
 
+ARG DEBIAN_TESTING_SNAPSHOT
+
 #Add custom user
 RUN adduser --disabled-password --gecos "" --uid 1001 polybase
 
@@ -67,14 +71,13 @@ RUN wget https://storage.googleapis.com/payy-public-fixtures/bb/v3.0.0-manual.20
     mv bb /usr/local/bin/bb && \
     rm barretenberg.tar.gz
 
-# Enable backports and pull libstdc++ 13.x (exports GLIBCXX_3.4.31)
-# also installs jq, some bb commands require jq
-RUN echo 'deb http://deb.debian.org/debian testing main' \
-    >  /etc/apt/sources.list.d/testing.list         && \
-    echo 'APT::Default-Release "stable";'               \
-    >  /etc/apt/apt.conf.d/99defaultrelease         && \
-    apt-get update                                      && \
-    # pull only the two runtime libs from testing
+# Freeze Debian testing to a known-good snapshot so upstream testing changes
+# do not break image builds.
+RUN echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/${DEBIAN_TESTING_SNAPSHOT} testing main" \
+    > /etc/apt/sources.list.d/testing.list && \
+    echo 'APT::Default-Release "stable";' \
+    > /etc/apt/apt.conf.d/99defaultrelease && \
+    apt-get update && \
     DEBIAN_FRONTEND=noninteractive \
     apt-get install -y -t testing libc6 libstdc++6 jq
 

docker/Dockerfile.guild

@@ -1,3 +1,5 @@
+ARG DEBIAN_TESTING_SNAPSHOT=20260404T140000Z
+
 FROM rust:1-bookworm AS builder
 ARG RUST_GIT_FETCH_CLI
 ARG SCCACHE_GCS_BUCKET
@@ -50,6 +52,8 @@ RUN if [ -f /gcs_key.json ]; then \
 
 FROM debian:bookworm-slim
 
+ARG DEBIAN_TESTING_SNAPSHOT
+
 RUN apt-get update && apt-get install -y openssl ca-certificates libpq-dev postgresql wget tar curl
 
 # Download and install barretenberg
@@ -59,14 +63,13 @@ RUN wget https://storage.googleapis.com/payy-public-fixtures/bb/v3.0.0-manual.20
     mv bb /usr/local/bin/bb && \
     rm barretenberg.tar.gz
 
-# Enable backports and pull libstdc++ 13.x (exports GLIBCXX_3.4.31)
-# also installs jq, some bb commands require jq
-RUN echo 'deb http://deb.debian.org/debian testing main' \
-    >  /etc/apt/sources.list.d/testing.list         && \
-    echo 'APT::Default-Release "stable";'               \
-    >  /etc/apt/apt.conf.d/99defaultrelease         && \
-    apt-get update                                      && \
-    # pull only the two runtime libs from testing
+# Freeze Debian testing to a known-good snapshot so upstream testing changes
+# do not break image builds.
+RUN echo "deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/${DEBIAN_TESTING_SNAPSHOT} testing main" \
+    > /etc/apt/sources.list.d/testing.list && \
+    echo 'APT::Default-Release "stable";' \
+    > /etc/apt/apt.conf.d/99defaultrelease && \
+    apt-get update && \
     DEBIAN_FRONTEND=noninteractive \
     apt-get install -y -t testing libc6 libstdc++6 jq
 
@@ -87,4 +90,4 @@ ENV NODE_URL=http://localhost:8091/v0
 ENV BURN_EVM_ADDR=0x9A4ebe49A963D3BC5f16639A0ABFF093CA0b040D
 ENV BATCH=10
 
-CMD merge-cli merge-ramps --batch ${BATCH} --burn-evm-address ${BURN_EVM_ADDR}
+CMD ["sh", "-c", "exec merge-cli merge-ramps --batch ${BATCH} --burn-evm-address ${BURN_EVM_ADDR}"]