Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/evm-contracts.yml:
- Around line 5-11: The workflow path filters only include "contracts/evm/**"
and the workflow file itself; update both the "paths" and "pull_request.paths"
arrays in evm-contracts.yml to also match repo-root dependency inputs used when
installing deps (e.g. package.json, package-lock.json, yarn.lock,
pnpm-lock.yaml, pnpm-workspace.yaml, and any monorepo/tooling manifests like
turbo.json or workspace config) so changes to those files will trigger the job;
modify the same filters referenced in the diff and the dependency-install
section (the block around the install step currently at lines 45-47) so both
push and PR triggers include those root files.

In @.github/workflows/stellar-contracts.yml:
- Around line 55-60: The workflow is downloading and extracting the Stellar CLI
without any integrity checks; update the run step that fetches
/tmp/stellar-cli.tar.gz to compute and record a SHA256 hash immediately after
download (e.g., compute sha256sum of /tmp/stellar-cli.tar.gz and write it to the
job log and an artifact) and make the job optionally verify against a pinned
value supplied via an input or env var (e.g., STELLAR_CLI_SHA256) so CI fails if
a known-good hash is provided and doesn't match; if no pinned checksum is
available, at minimum persist the computed hash for auditing and add a TODO note
to switch to official checksums/GPG signatures once Stellar publishes them.

In `@contracts/evm/src/Verifier.sol`:
- Around line 776-778: The staticcall to the precompile (address(0x08)) decodes
result unconditionally which can revert if the call failed or returned empty
data; change the logic in the function around the (bool success, bytes memory
result) = address(0x08).staticcall(input) so that you first check success (and
optionally result.length > 0) and only call abi.decode(result, (bool)) when
success is true, returning false (or the appropriate fallback) otherwise; update
any return to use the safely decoded value (e.g., decodedResult) only after the
success check.

---

Outside diff comments:
In `@contracts/evm/src/Verifier.sol`:
- Around line 233-240: The exp function currently replaces base with base*base
in a doubling loop and returns base, which computes only powers of two; fix it
to perform proper exponentiation by squaring: unwrap the exponent into a local
uint256 (e.g., uint256 e = Fr.unwrap(exponent)), initialize an accumulator
result = Fr.wrap(1), then while e > 0 if e & 1 == 1 multiply result by base,
then square base (base = base * base) and shift e >>= 1; finally return result;
update references to Fr.unwrap/Fr.wrap and the function exp signature
accordingly.

---

Nitpick comments:
In @.github/workflows/evm-contracts.yml:
- Around line 26-31: The workflow uses mutable action tags (e.g.,
actions/checkout@v4 and foundry-rs/foundry-toolchain@v1) which should be
replaced with immutable commit SHAs; update each `uses:` entry for the four
actions mentioned (the ones currently using `@v4/`@v1 tags) to reference their
corresponding full commit SHA instead of the tag, ensuring you fetch the exact
commit SHAs from the upstream repos and replace the `uses:` values consistently
so the workflow is pinned to immutable versions.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/stellar-contracts.yml:
- Around line 58-61: The shell commands mkdir -p, tar -xzf, chmod, and echo in
the install block use unquoted variables which can trigger
word-splitting/globbing (SC2086); update those commands to quote
environment-variable expansions such as "$HOME/.local/bin", the tar archive path
"/tmp/stellar-cli.tar.gz" (and the -C target "$HOME/.local/bin"), and the
GITHUB_PATH destination "$GITHUB_PATH" so each command (mkdir -p
"$HOME/.local/bin", tar -xzf "/tmp/stellar-cli.tar.gz" -C "$HOME/.local/bin"
stellar, chmod +x "$HOME/.local/bin"/stellar, echo "$HOME/.local/bin" >>
"$GITHUB_PATH") safely handles paths with spaces or special characters.

In `@scripts/build_circuits.sh`:
- Around line 123-126: Add an explicit check that the provided path exists and
is a directory before attempting to cd; e.g., before setting TARGET_PATH use a
test like if [ ! -e "$1" ] || [ ! -d "$1" ] then print a clear error (to stderr)
and call usage (or exit), then proceed with TARGET_PATH="$(cd "$1" && pwd)";
reference the existing usage function and the TARGET_PATH/PROVE variables when
making the change.

---

Duplicate comments:
In @.github/workflows/stellar-contracts.yml:
- Around line 6-12: The workflow trigger lists under the push and pull_request
"paths" blocks only include "contracts/stellar/**" and miss other inputs; update
both paths arrays (the push.paths and pull_request.paths entries) to also
include "scripts/build_circuits.sh" and "proof_circuits/deposits" so changes to
the build script and proof circuit sources will trigger the CI run alongside
changes to "contracts/stellar/**".