PR: #36 feat(contracts): Foundry workspace + CharonLiquidator skeleton
Problem: .gitmodules registers contracts/lib/forge-std with a branch line tracking the HEAD of foundry-rs/forge-std rather than documenting a pinned commit SHA. A plain git submodule update --init checks out the gitlink recorded in this repo's tree, but the branch line invites git submodule update --remote (common in CI jobs and bump scripts), which checks out whatever is at the tip of that branch at that moment, and nothing in the repo records which forge-std commit was actually tested.
Impact: Builds are not reproducible across machines and CI runs. A breaking change in forge-std (changed helper signatures, new dependencies, removed cheatcodes) silently breaks the test suite without any change to this repo's commit graph. Supply-chain hygiene issue: an attacker who compromises forge-std (or a maintainer account) could push a malicious commit that is pulled automatically.
Fix: Pin the submodule to the specific commit SHA that was tested (check out that commit or tag inside the submodule first if its working tree is not already on it):
cd contracts/lib/forge-std
git rev-parse HEAD # capture the SHA that was tested
cd ../..
git add lib/forge-std
git commit -m "chore(contracts): pin forge-std to <SHA>"
The pin is the gitlink committed in this repo's tree; .gitmodules has no field for a SHA, so do not try to add one there. Either delete the branch line from the .gitmodules entry or document the tag the pinned SHA corresponds to, and keep CI on plain git submodule update --init (never --remote, which is the command that consults the branch line and would float again).
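The floating-versus-pinned behaviour described above, reproduced end to end as an added example (this is review illustration, not code from PR #36 or from forge-std): two throwaway local repositories stand in for foundry-rs/forge-std and this repo's contracts/ workspace, every path and SHA is generated at run time, and the script assumes only that git 2.31 or newer is on PATH. It shows that a plain update --init honours the committed gitlink, that --remote follows the branch line, how to commit a tested SHA as the pin, and a verify_pin check suitable for CI.

```shell
#!/bin/sh
# Added example, not the PR's own code. Two throwaway repos: "forge-std" stands in
# for foundry-rs/forge-std (upstream) and "contracts" for this repo's workspace.
# Assumes git >= 2.31 on PATH. All paths and SHAs are generated at run time.
set -eu

export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
# Local-path clones use the "file" transport, which git >= 2.38.1 refuses by default.
export GIT_CONFIG_COUNT=2 \
       GIT_CONFIG_KEY_0=protocol.file.allow GIT_CONFIG_VALUE_0=always \
       GIT_CONFIG_KEY_1=init.defaultBranch  GIT_CONFIG_VALUE_1=main

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gitlink_sha <superproject> <path>: the commit the superproject's own tree records
# for the submodule. This gitlink, not .gitmodules, is the pin.
gitlink_sha() {
    git -C "$1" ls-tree HEAD "$2" | awk '$2 == "commit" { print $3 }'
}

# checked_out_sha <superproject> <path>: what is actually on disk in the submodule.
checked_out_sha() {
    git -C "$1/$2" rev-parse HEAD
}

# has_branch_line <.gitmodules>: exit 0 if any submodule entry carries "branch = ...".
has_branch_line() {
    git config -f "$1" --get-regexp '^submodule\..*\.branch$' >/dev/null
}

# verify_pin <superproject> <path> <expected sha>: the CI check. Fails if the recorded
# gitlink is not the reviewed SHA, or if the checkout has drifted from it
# ("git submodule status" marks drift with a leading "+" instead of a space).
verify_pin() {
    [ "$(gitlink_sha "$1" "$2")" = "$3" ] || return 1
    git -C "$1" submodule status -- "$2" | grep -q '^ '
}

run_demo() {
    UP="$WORK/forge-std"                      # stand-in for foundry-rs/forge-std
    git init -q "$UP"
    UP_BRANCH=$(git -C "$UP" symbolic-ref --short HEAD)
    printf 'v1\n' >"$UP/Test.sol"              # constructed placeholder content
    git -C "$UP" add -A && git -C "$UP" commit -qm 'v1'
    V1=$(git -C "$UP" rev-parse HEAD)

    SUPER="$WORK/contracts"                   # stand-in for this repo's contracts/
    git init -q "$SUPER"
    git -C "$SUPER" commit -q --allow-empty -m 'init'
    # -b writes "branch = <name>" into .gitmodules: the situation the review flags.
    git -C "$SUPER" submodule --quiet add -b "$UP_BRANCH" "$UP" lib/forge-std
    git -C "$SUPER" commit -qm 'add forge-std submodule'

    # Upstream moves on (breaking change); nothing in SUPER's history changed.
    printf 'v2 breaking\n' >"$UP/Test.sol"
    git -C "$UP" commit -qam 'v2'
    V2=$(git -C "$UP" rev-parse HEAD)

    # A fresh CI checkout of SUPER.
    CI="$WORK/ci"
    git clone -q "$SUPER" "$CI"
    git -C "$CI" submodule --quiet update --init
    PLAIN_SHA=$(checked_out_sha "$CI" lib/forge-std)     # honours the gitlink: V1
    git -C "$CI" submodule --quiet update --remote
    REMOTE_SHA=$(checked_out_sha "$CI" lib/forge-std)    # follows the branch line: V2

    # The fix: after testing V2, commit it as the gitlink and drop the branch line.
    git -C "$CI/lib/forge-std" checkout -q "$V2"
    git -C "$CI" submodule set-branch --default lib/forge-std
    git -C "$CI" add .gitmodules lib/forge-std
    git -C "$CI" commit -qm "chore(contracts): pin forge-std to $V2"

    # Upstream moves again (stand-in for a malicious push). A fresh clone of the
    # pinned repo with a plain update --init must stay on V2.
    printf 'v3 malicious\n' >"$UP/Test.sol"
    git -C "$UP" commit -qam 'v3'
    V3=$(git -C "$UP" rev-parse HEAD)
    CI2="$WORK/ci2"
    git clone -q "$CI" "$CI2"
    git -C "$CI2" submodule --quiet update --init
    PINNED_SHA=$(checked_out_sha "$CI2" lib/forge-std)   # V2, not V3
}

run_demo
printf 'update --init on the original repo : %s (gitlink V1 = %s)\n' "$PLAIN_SHA" "$V1"
printf 'update --remote on the same clone   : %s (branch tip V2 = %s)\n' "$REMOTE_SHA" "$V2"
printf 'update --init after pinning         : %s (V3 upstream = %s)\n' "$PINNED_SHA" "$V3"
printf 'verify_pin on the pinned clone      : '
verify_pin "$CI2" lib/forge-std "$V2" && printf 'ok\n'
```

Two points the run makes explicit: removing the branch line does not neutralise --remote (without a branch it falls back to the remote's HEAD), so the guard that matters is keeping CI on plain update --init plus a verify_pin-style check against the reviewed SHA; and pinning protects against an upstream push only from the moment the tested gitlink is committed, which is why the review asks for that commit now.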