mirror of
https://github.com/selfxyz/self.git
synced 2026-04-27 03:01:15 -04:00
* test: ofac updating tests
* feat: add registry deployment info
* chore: add gitignore for generated files
* feat: add kyc documents to upgrade scripts
* docs: update upgrade script readme for kyc
* feat: IdentityRegistryKyc v1.1.0 deployed on Celo-sepolia

  Add TEE-attested OFAC root updates via updateOfacRootsWithProof

  - Implementation: 0x530eEA7E5b286108926B05510491560c4bAE018e
  - Adds updateOfacRootsWithProof() for ZK-verified OFAC root updates
  - New errors: InvalidRootsHash, InvalidRootsCount
  - New event: OfacRootsUpdatedWithProof
* feat: add OFAC rolling root window to all 4 registries

  Add previousRoot storage variables to all identity registries so that checkOfacRoots accepts both the current and previous root for each OFAC tree. This prevents verification failures for users mid-proof when roots are updated on-chain between proof generation and on-chain verification.

  - Passport: 3 prev roots (passportNo, nameAndDob, nameAndYob)
  - KYC, ID Card, Aadhaar: 2 prev roots each (nameAndDob, nameAndYob)
  - KYC updateOfacRootsWithProof also rotates previous roots
  - Added getPrev* getter functions on all registries
  - Storage appended at end of each storage contract (UUPS-safe)
  - 17 new tests covering all registries (window=1 acceptance/rejection)
* feat: deploy IdentityRegistryKyc v1.2.0 to Celo Sepolia

  Add rolling OFAC root window: store previous roots alongside current, accept either in checkOfacRoots for graceful mid-verification transitions.

  New impl: 0x6E2889Bc9baa6F53bDdf4843675155811F0AAAEd
  Proxy: 0x90e907E4AaB6e9bcFB94997Af4A097e8CAadBdf3

  Pending Safe multisig execution for proxy upgrade.
* feat: add TEE-attested OFAC root updates to Aadhaar, IdCard, and Passport registries

  Extend updateOfacRootsWithProof() to the remaining 3 identity registries, matching the pattern already deployed on the KYC registry (v1.1.0).

  - Add GCP JWT verifier, PCR0Manager, TEE address, and root CA pubkey hash storage to each registry
  - Add initializeOfacProof() reinitializer for upgrade path
  - Add onlyTEE modifier and updateOfacRootsWithProof() with Groth16 proof verification, TEE attestation validation, timestamp checks, and global roots hash commitment verification
  - Rolling window behavior preserved: previous roots saved before overwrite
  - Admin functions for updating TEE infrastructure (SECURITY_ROLE gated)
  - Bumps all 3 registries to v1.3.0
* refactor: simplify updateOfacRootsWithProof to use per-registry roots hash as nonce
* fix: address CodeRabbit review comments on OFAC proof upgrade

  - Add onlyProxy + onlyRole(DEFAULT_ADMIN_ROLE) guard to initializeOfacProof() on Passport, Aadhaar, and IdCard registries to prevent front-running during the window between upgradeToAndCall and the separate initializer call
  - Fix checkOfacRoots() across all 4 registries to use atomic snapshot comparison instead of per-root matching — prevents accepting Frankenstein pairs like (new DOB root, old YOB root) that were never attested together
  - Add IdentityRegistryKycImplV1 to PoseidonT3 linking branch in prepare.ts so upgrade:prepare works correctly for KYC
  - Add prev* slot assertions and mixed-pair rejection test to ofacUpgradePath.test.ts

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* feat: add view getters, fix initializeOfacProof guard, add upgrade scripts

  - Add getGcpJwtVerifier() and getPcr0Manager() getters to KYC and Aadhaar
  - Fix initializeOfacProof guard: SECURITY_ROLE instead of DEFAULT_ADMIN_ROLE (DEFAULT_ADMIN_ROLE is never granted in governance setup)
  - Add Ignition upgrade scripts for KYC and Aadhaar registries
  - Comment out registry deploy in deployKycRegistry (verifier-only redeploy)
  - Update deployed_addresses.json with sepolia upgrade artifacts
  - Bump KYC to v1.2.1, Aadhaar to v1.3.1

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: addresses and error selectors
* style: format registry contracts and upgrade scripts

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: formatting
* fix: error selectors
* fix: error selectors
* fix: error selectors

---------

Co-authored-by: Evi Nova <tranquil_flow@protonmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
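
The difference between per-root matching and the atomic snapshot comparison named in the CodeRabbit fix above, as an added Solidity sketch that is not code from this repository. The contract name, the `RootSnapshot` struct, `updateRoots`, `checkPerRoot` and the zero-root guard are assumptions made for illustration, and access control is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustration only. Every name except checkOfacRoots is hypothetical.
contract OfacRootWindowSketch {
    // One snapshot = the roots that were published together in one update.
    struct RootSnapshot {
        uint256 nameAndDob;
        uint256 nameAndYob;
    }

    RootSnapshot private current;
    RootSnapshot private previous; // rolling window of 1

    // Role and TEE checks are omitted from this sketch.
    function updateRoots(uint256 dobRoot, uint256 yobRoot) external {
        previous = current; // save the old snapshot before overwriting
        current = RootSnapshot(dobRoot, yobRoot);
    }

    // "Before" behaviour: each root is matched on its own, so the pair
    // (new DOB root, old YOB root) passes although the two roots were
    // never published together.
    function checkPerRoot(uint256 dobRoot, uint256 yobRoot) public view returns (bool) {
        bool dobOk = dobRoot == current.nameAndDob || dobRoot == previous.nameAndDob;
        bool yobOk = yobRoot == current.nameAndYob || yobRoot == previous.nameAndYob;
        return dobOk && yobOk;
    }

    // Atomic comparison: the submitted pair must equal the whole current
    // snapshot or the whole previous snapshot.
    function checkOfacRoots(uint256 dobRoot, uint256 yobRoot) public view returns (bool) {
        // Assumption of this sketch: a zero root is never valid, so an
        // unset snapshot (0, 0) cannot be matched before the first update.
        if (dobRoot == 0 || yobRoot == 0) return false;
        return _matches(current, dobRoot, yobRoot) || _matches(previous, dobRoot, yobRoot);
    }

    function _matches(
        RootSnapshot storage s,
        uint256 dobRoot,
        uint256 yobRoot
    ) private view returns (bool) {
        return s.nameAndDob == dobRoot && s.nameAndYob == yobRoot;
    }
}
```

After `updateRoots(1, 2)` followed by `updateRoots(3, 4)`, `checkPerRoot(3, 2)` returns true while `checkOfacRoots(3, 2)` returns false; both accept `(1, 2)` and `(3, 4)`.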