feat(stream_contract): add overflow-safe calculate_claimable helper f…

[codewithzubair07]

Closes #79

This PR introduces a helper function calculate_claimable(stream, now) to compute the withdrawable amount based on elapsed time.

Summary of Changes

• Added calculate_claimable(&Stream, now) helper.

• Implements precise streaming formula:

  claimable = (now - last_update_time) * rate_per_second

• Uses saturating_sub to prevent negative elapsed time.

• Uses checked_mul to prevent integer overflow.

• Caps the result to the remaining stream balance to prevent over-withdrawal.

• Updated withdraw() to use the new helper function.

Mathematical Safety

• All calculations use integer-only arithmetic (no floating point).

• Overflow is handled safely via checked_mul.

• Final claimable amount is bounded by:

  deposited_amount - withdrawn_amount

This guarantees:

withdrawn_amount ≤ deposited_amount

Rounding Behavior

• Integer division during stream creation (amount / duration) ensures deterministic floor rounding.
• Elapsed time is second-precise using env.ledger().timestamp().

Scope

• No existing logic removed.
• No changes to top_up_stream, cancel_stream, or events.
• Minimal and isolated modification inside withdraw().

This implementation satisfies all acceptance criteria for Issue #79.

[codewithzubair07]

@ogazboiz You can comment on the PR:

Hi 👋
The CI is currently failing due to npm audit --audit-level=moderate.
The remaining vulnerabilities appear to be from dev dependencies (ESLint, Prisma tooling, etc.), and npm audit fix does not resolve them without breaking changes.

Would you prefer:

Upgrading dependencies with breaking changes?

Relaxing the audit level?

Or allowing audit warnings without failing CI?

Happy to follow your preferred approach

[ogazboiz]

Thanks for resubmitting this as a cleaner PR! The calculate_claimable helper and overflow-safe arithmetic are the right approach. However, this PR is currently conflicting with main.

Please run:

git fetch origin
git rebase origin/main
git push --force-with-lease

Once rebased and conflict-free, this will be ready to merge quickly. Looking forward to it! ✅

[ogazboiz]

hey! thanks for looking into the CI failures.

for the npm audit issue, let's just allow audit warnings without failing the CI for now — no need to introduce breaking changes for dev dependencies at this stage.

also, i noticed the PR currently has merge conflicts with main. could you run git fetch origin && git rebase origin/main to resolve them? once that's forced pushed and the CI passes, this will be ready to merge!

[codewithzubair07]

@ogazboiz

Hi 👋

I’ve updated the security workflow to allow npm audit warnings without failing CI, as suggested.

The audit still runs and reports vulnerabilities in the logs, but it no longer blocks the pipeline due to moderate-level issues from dev dependencies.

There are no changes to application logic or dependency versions — this only adjusts CI behavior.

Please let me know if you’d prefer tightening the audit level (e.g., critical only) instead.