From ffbc363491dc38027d3c752e895c1c310938743b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebasti=C3=A1n=20Claudio=20Nale?= <sebinale@gmail.com>
Date: Thu, 8 Jan 2026 21:58:39 -0300
Subject: [PATCH 1/7] misc: dockerfile git clone cleanup

---
 Makefile                                      |  2 +-
 Dockerfile.evm => evm-build.Dockerfile        |  0
 ts-pkgs/peer-client/Dockerfile                | 16 ++++++--
 ts-pkgs/peer-client/Dockerfile.dockerignore   | 37 +++++++++++++++++++
 .../{dkg/Dockerfile => dkg.Dockerfile}        | 16 +++++++-
 .../peer-client/dkg.Dockerfile.dockerignore   | 37 +++++++++++++++++++
 ts-pkgs/peer-client/package.json              |  3 +-
 ts-pkgs/peer-client/scripts/build-tls-gen.sh  |  5 +++
 .../{tls/Dockerfile => tls.Dockerfile}        |  0
 ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile   | 11 +++---
 .../tests/e2e/anvil/Dockerfile.dockerignore   | 33 +++++++++++++++++
 ts-pkgs/peer-e2e/tests/e2e/scripts/anvil.sh   |  2 +-
 ts-pkgs/peer-e2e/tests/e2e/scripts/clean.sh   |  2 +-
 ts-pkgs/peer-e2e/tests/e2e/scripts/client.sh  | 32 ++++++++--------
 ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh  |  7 +++-
 ts-pkgs/peer-server/Dockerfile                | 24 ++++++++----
 ts-pkgs/peer-server/Dockerfile.dockerignore   | 37 +++++++++++++++++++
 17 files changed, 225 insertions(+), 39 deletions(-)
 rename Dockerfile.evm => evm-build.Dockerfile (100%)
 create mode 100644 ts-pkgs/peer-client/Dockerfile.dockerignore
 rename ts-pkgs/peer-client/{dkg/Dockerfile => dkg.Dockerfile} (71%)
 create mode 100644 ts-pkgs/peer-client/dkg.Dockerfile.dockerignore
 create mode 100755 ts-pkgs/peer-client/scripts/build-tls-gen.sh
 rename ts-pkgs/peer-client/{tls/Dockerfile => tls.Dockerfile} (100%)
 create mode 100644 ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile.dockerignore
 create mode 100644 ts-pkgs/peer-server/Dockerfile.dockerignore

diff --git a/Makefile b/Makefile
index e57ed3f..b22f8b0 100644
--- a/Makefile
+++ b/Makefile
@@ -29,7 +29,7 @@ build-evm: dependencies-evm
 	forge build
 
 verifiable-build-evm: dependencies-evm
-	mkdir -p verifiable-evm-build && docker build  --file ./Dockerfile.evm . --tag verification-v2-evm-build --output type=local,dest=verifiable-evm-build
+	mkdir -p verifiable-evm-build && docker build --file ./evm-build.Dockerfile . --tag verification-v2-evm-build --output type=local,dest=verifiable-evm-build
 
 test-evm: dependencies-evm
 	forge test
diff --git a/Dockerfile.evm b/evm-build.Dockerfile
similarity index 100%
rename from Dockerfile.evm
rename to evm-build.Dockerfile
diff --git a/ts-pkgs/peer-client/Dockerfile b/ts-pkgs/peer-client/Dockerfile
index fdf446c..1b612a7 100644
--- a/ts-pkgs/peer-client/Dockerfile
+++ b/ts-pkgs/peer-client/Dockerfile
@@ -1,11 +1,19 @@
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get -y install git
+RUN mkdir --parents core-bridge/ts-pkgs/peer-client core-bridge/ts-pkgs/peer-lib
+COPY --link .yarn core-bridge/.yarn
+COPY --link package.json yarn.lock .yarnrc.yml core-bridge/
+COPY --link ts-pkgs/peer-client/package.json core-bridge/ts-pkgs/peer-client/
+COPY --link ts-pkgs/peer-lib/package.json core-bridge/ts-pkgs/peer-lib/
+WORKDIR /core-bridge
+RUN yarnpkg workspaces focus --all
 
-# TODO: Pin the commit
-RUN git clone -b feat/dkg-docker --depth 1 https://github.com/XLabs/core-bridge.git
+COPY --link ts-pkgs/config/ ts-pkgs/config/
+COPY --link ts-pkgs/peer-lib/tsconfig.json ts-pkgs/peer-lib/
+COPY --link ts-pkgs/peer-lib/src ts-pkgs/peer-lib/src
+COPY --link ts-pkgs/peer-client/tsconfig.json ts-pkgs/peer-client/
+COPY --link ts-pkgs/peer-client/src ts-pkgs/peer-client/src
 WORKDIR /core-bridge/ts-pkgs/peer-client
-RUN yarnpkg install --immutable
 RUN yarnpkg build
 
 ARG TLS_HOSTNAME
diff --git a/ts-pkgs/peer-client/Dockerfile.dockerignore b/ts-pkgs/peer-client/Dockerfile.dockerignore
new file mode 100644
index 0000000..0252a5e
--- /dev/null
+++ b/ts-pkgs/peer-client/Dockerfile.dockerignore
@@ -0,0 +1,37 @@
+src/
+data/
+.vscode/
+.vim/
+.github/
+cache/
+lib/
+out/
+tmp/
+verifiable-evm-build/
+
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions
+
+ts-pkgs/deploy
+ts-pkgs/peer-e2e
+ts-pkgs/tss-definitions
+ts-pkgs/peer-server
+
+**/ts-build
+
+.gitignore
+.gitmodules
+*.sublime-*
+*.awk
+foundry.toml
+guardian_key.txt
+Makefile
+README.md
+eslint.config.mjs
+
+*Dockerfile
+*dockerignore
\ No newline at end of file
diff --git a/ts-pkgs/peer-client/dkg/Dockerfile b/ts-pkgs/peer-client/dkg.Dockerfile
similarity index 71%
rename from ts-pkgs/peer-client/dkg/Dockerfile
rename to ts-pkgs/peer-client/dkg.Dockerfile
index a72b839..50991b3 100644
--- a/ts-pkgs/peer-client/dkg/Dockerfile
+++ b/ts-pkgs/peer-client/dkg.Dockerfile
@@ -3,14 +3,26 @@ FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a679150
 RUN apt-get update && apt-get -y install git golang jq
 
 # TODO: Pin the commit
-RUN git clone -b feat/dkg-docker --depth 1 https://github.com/XLabs/core-bridge.git
 RUN git clone -b schnorr --depth 1 https://github.com/XLabs/wormhole.git
 
 WORKDIR /wormhole/node/pkg/tss/internal/cmd
 RUN go build -o=./server ./dkg
 
+WORKDIR /
+RUN mkdir --parents core-bridge/ts-pkgs/peer-client core-bridge/ts-pkgs/peer-lib
+COPY --link .yarn core-bridge/.yarn
+COPY --link package.json yarn.lock .yarnrc.yml core-bridge/
+COPY --link ts-pkgs/peer-client/package.json core-bridge/ts-pkgs/peer-client/
+COPY --link ts-pkgs/peer-lib/package.json core-bridge/ts-pkgs/peer-lib/
+WORKDIR /core-bridge
+RUN yarnpkg workspaces focus --all
+
+COPY --link ts-pkgs/config/ ts-pkgs/config/
+COPY --link ts-pkgs/peer-lib/tsconfig.json ts-pkgs/peer-lib/
+COPY --link ts-pkgs/peer-lib/src ts-pkgs/peer-lib/src
+COPY --link ts-pkgs/peer-client/tsconfig.json ts-pkgs/peer-client/
+COPY --link ts-pkgs/peer-client/src ts-pkgs/peer-client/src
 WORKDIR /core-bridge/ts-pkgs/peer-client
-RUN yarnpkg install --immutable
 RUN yarnpkg build
 
 COPY --chmod=555 <<EOT poll_guardians.sh
diff --git a/ts-pkgs/peer-client/dkg.Dockerfile.dockerignore b/ts-pkgs/peer-client/dkg.Dockerfile.dockerignore
new file mode 100644
index 0000000..0252a5e
--- /dev/null
+++ b/ts-pkgs/peer-client/dkg.Dockerfile.dockerignore
@@ -0,0 +1,37 @@
+src/
+data/
+.vscode/
+.vim/
+.github/
+cache/
+lib/
+out/
+tmp/
+verifiable-evm-build/
+
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions
+
+ts-pkgs/deploy
+ts-pkgs/peer-e2e
+ts-pkgs/tss-definitions
+ts-pkgs/peer-server
+
+**/ts-build
+
+.gitignore
+.gitmodules
+*.sublime-*
+*.awk
+foundry.toml
+guardian_key.txt
+Makefile
+README.md
+eslint.config.mjs
+
+*Dockerfile
+*dockerignore
\ No newline at end of file
diff --git a/ts-pkgs/peer-client/package.json b/ts-pkgs/peer-client/package.json
index 065669f..af9c963 100644
--- a/ts-pkgs/peer-client/package.json
+++ b/ts-pkgs/peer-client/package.json
@@ -8,7 +8,8 @@
   "scripts": {
     "build": "tsc --build",
     "start:client": "tsx src/cli.ts",
-    "dev:client": "tsx --watch src/cli.ts"
+    "dev:client": "tsx --watch src/cli.ts",
+    "docker:build:tls-gen": "./scripts/build-tls-gen.sh"
   },
   "dependencies": {
     "@xlabs-xyz/peer-lib": "workspace:*",
diff --git a/ts-pkgs/peer-client/scripts/build-tls-gen.sh b/ts-pkgs/peer-client/scripts/build-tls-gen.sh
new file mode 100755
index 0000000..42d3f33
--- /dev/null
+++ b/ts-pkgs/peer-client/scripts/build-tls-gen.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+ctx=$(mktemp --directory)
+docker build --tag tls-gen --file ./tls.Dockerfile --progress=plain "$ctx"
+rm -rf "$ctx"
\ No newline at end of file
diff --git a/ts-pkgs/peer-client/tls/Dockerfile b/ts-pkgs/peer-client/tls.Dockerfile
similarity index 100%
rename from ts-pkgs/peer-client/tls/Dockerfile
rename to ts-pkgs/peer-client/tls.Dockerfile
diff --git a/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile b/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
index c997ac6..d711328 100644
--- a/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
+++ b/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
@@ -1,17 +1,18 @@
-FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:7ec8952cc5322dce65091768e9efab8641ea9b54105f21fd71d4ae3dc3da05a8 as foundry
+FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:7ec8952cc5322dce65091768e9efab8641ea9b54105f21fd71d4ae3dc3da05a8 AS foundry
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
 RUN apt-get update && apt-get -y install git make
 
 COPY --from=foundry /usr/local/bin/anvil /usr/local/bin/forge /usr/local/bin/cast /bin/
 
-# TODO: Pin the commit
-RUN git clone -b feat/dkg-docker --depth 1 https://github.com/XLabs/core-bridge.git
+RUN mkdir --parents core-bridge/src
+COPY --link foundry.toml Makefile core-bridge/
+COPY --link src/evm core-bridge/src/evm
+COPY --link test core-bridge/test
+COPY --link ts-pkgs/peer-e2e/tests/e2e/anvil/localAnvilWithVerifier.sh core-bridge/
 
 WORKDIR /core-bridge
 
 RUN make build-evm
 
-WORKDIR /core-bridge/ts-pkgs/peer-e2e/tests/e2e/anvil/
-
 ENTRYPOINT ["./localAnvilWithVerifier.sh"]
diff --git a/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile.dockerignore b/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile.dockerignore
new file mode 100644
index 0000000..0c3f60f
--- /dev/null
+++ b/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile.dockerignore
@@ -0,0 +1,33 @@
+data/
+.vscode/
+.vim/
+.github/
+cache/
+lib/
+out/
+tmp/
+verifiable-evm-build/
+
+ts-pkgs/
+!ts-pkgs/peer-e2e
+
+src/solana
+
+**/ts-build
+
+.gitignore
+.gitmodules
+*.sublime-*
+*.awk
+guardian_key.txt
+README.md
+eslint.config.mjs
+
+.yarn/
+package.json
+tsconfig.json
+yarn.lock
+.pnp.*
+
+*Dockerfile
+*dockerignore
\ No newline at end of file
diff --git a/ts-pkgs/peer-e2e/tests/e2e/scripts/anvil.sh b/ts-pkgs/peer-e2e/tests/e2e/scripts/anvil.sh
index 723b132..ca6cb9f 100755
--- a/ts-pkgs/peer-e2e/tests/e2e/scripts/anvil.sh
+++ b/ts-pkgs/peer-e2e/tests/e2e/scripts/anvil.sh
@@ -3,6 +3,6 @@
 set -meuo pipefail
 export DOCKER_BUILDKIT=1
 
-docker build --tag anvil-with-verifier --file ./anvil/Dockerfile --progress=plain ./anvil
+docker build --tag anvil-with-verifier --file ./anvil/Dockerfile --progress=plain ../../../..
 
 docker run --rm --network=dkg-test --name anvil-with-verifier anvil-with-verifier
diff --git a/ts-pkgs/peer-e2e/tests/e2e/scripts/clean.sh b/ts-pkgs/peer-e2e/tests/e2e/scripts/clean.sh
index cffc358..258cd93 100755
--- a/ts-pkgs/peer-e2e/tests/e2e/scripts/clean.sh
+++ b/ts-pkgs/peer-e2e/tests/e2e/scripts/clean.sh
@@ -6,7 +6,7 @@ echo "Cleaning up dangling Docker containers, builders and networks..."
 
 for i in $(seq 0 18)
 do
-  docker stop Guardian$i 2>/dev/null &
+  docker stop "Guardian$i" 2>/dev/null &
 done;
 
 docker stop anvil-with-verifier peer-server 2>/dev/null &
diff --git a/ts-pkgs/peer-e2e/tests/e2e/scripts/client.sh b/ts-pkgs/peer-e2e/tests/e2e/scripts/client.sh
index db5c4f9..efc0cc4 100755
--- a/ts-pkgs/peer-e2e/tests/e2e/scripts/client.sh
+++ b/ts-pkgs/peer-e2e/tests/e2e/scripts/client.sh
@@ -33,7 +33,7 @@ GUARDIAN_PRIVATE_KEYS=(
 )
 
 createGuardianPrivateKey() {
-  echo 0a20${GUARDIAN_PRIVATE_KEYS[$1]} | \
+  echo "0a20${GUARDIAN_PRIVATE_KEYS[$1]}" | \
     xxd -r -p | gpg --enarmor | \
     awk 'BEGIN {print "-----BEGIN WORMHOLE GUARDIAN PRIVATE KEY-----"}
       NR>2 {print last}
@@ -42,13 +42,13 @@ createGuardianPrivateKey() {
 }
 
 # Build the dockerfile that generates the TLS key and certificate
-docker build --tag tls-gen --file ../../../peer-client/tls/Dockerfile --progress=plain .
+yarn workspace @xlabs-xyz/peer-client run docker:build:tls-gen
 
 for i in "${!GUARDIAN_PRIVATE_KEYS[@]}"
 do
-  mkdir -p out/$i/keys
-  docker run --rm --mount type=bind,src=./out/$i/keys,dst=/keys \
-    --env TLS_HOSTNAME=${TLS_HOSTNAME}$i \
+  mkdir -p "out/$i/keys"
+  docker run --rm --mount "type=bind,src=./out/$i/keys,dst=/keys" \
+    --env "TLS_HOSTNAME=${TLS_HOSTNAME}$i" \
     --env TLS_PUBLIC_IP=${TLS_PUBLIC_IP} \
     tls-gen &
 done
@@ -56,7 +56,7 @@ done
 wait
 
 # Build the docker cache first. It will throw an error but it will save time
-docker build --builder dkg-builder --network=host --file ../../../peer-client/Dockerfile --progress=plain . 2>/dev/null || true
+docker build --builder dkg-builder --network=host --file ../../../peer-client/Dockerfile --progress=plain ../../../.. 2>/dev/null || true
 
 # Wait until the server starts listening
 until docker logs peer-server 2>/dev/null | grep "running"
@@ -68,24 +68,24 @@ for i in "${!GUARDIAN_PRIVATE_KEYS[@]}"
 do
    # The host here refers to the builder host container, not the host machine.
   docker build --builder dkg-builder --network=host --file ../../../peer-client/Dockerfile \
-    --secret id=guardian_pk,src=<(createGuardianPrivateKey $i) \
-    --secret id=cert.pem,src=./out/$i/keys/cert.pem \
-    --build-arg TLS_HOSTNAME=${TLS_HOSTNAME}$i \
-    --build-arg TLS_PORT=$((TLS_BASE_PORT + $i)) \
+    --secret id=guardian_pk,src=<(createGuardianPrivateKey "$i") \
+    --secret "id=cert.pem,src=./out/$i/keys/cert.pem" \
+    --build-arg "TLS_HOSTNAME=${TLS_HOSTNAME}$i" \
+    --build-arg TLS_PORT=$((TLS_BASE_PORT + i)) \
     --build-arg PEER_SERVER_URL=${PEER_SERVER_URL} \
-    --progress=plain . &
+    --progress=plain ../../../.. &
 done
 
 wait
 
-docker build --tag dkg-client --file ../../../peer-client/dkg/Dockerfile --progress=plain .
+docker build --tag dkg-client --file ../../../peer-client/dkg.Dockerfile --progress=plain ../../../..
 
 for i in "${!GUARDIAN_PRIVATE_KEYS[@]}"
 do
-  docker run --rm --name ${TLS_HOSTNAME}$i --network=dkg-test \
-    --mount type=bind,src=./out/$i/keys,dst=/keys \
-    --env TLS_HOSTNAME=${TLS_HOSTNAME}$i \
-    --env TLS_PORT=$((TLS_BASE_PORT + $i)) \
+  docker run --rm --name "${TLS_HOSTNAME}$i" --network=dkg-test \
+    --mount "type=bind,src=./out/$i/keys,dst=/keys" \
+    --env "TLS_HOSTNAME=${TLS_HOSTNAME}$i" \
+    --env TLS_PORT=$((TLS_BASE_PORT + i)) \
     --env PEER_SERVER_URL=${PEER_SERVER_URL} \
     --env ETHEREUM_RPC_URL=${ETHEREUM_RPC_URL} \
     --env WORMHOLE_CONTRACT_ADDRESS=${WORMHOLE_ADDRESS} \
diff --git a/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh b/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh
index 008318b..a1cbe11 100755
--- a/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh
+++ b/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh
@@ -7,7 +7,12 @@ SERVER_PORT="3000"
 ETHEREUM_RPC_URL="http://anvil-with-verifier:8545"
 WORMHOLE_ADDRESS="0x5FbDB2315678afecb367f032d93F642f64180aa3"
 
-docker build --tag peer-server --file ../../../peer-server/Dockerfile --build-arg SERVER_PORT=${SERVER_PORT} --build-arg ETHEREUM_RPC_URL=${ETHEREUM_RPC_URL} --build-arg WORMHOLE_ADDRESS=${WORMHOLE_ADDRESS} --progress=plain .
+docker build --tag peer-server \
+  --file ../../../peer-server/Dockerfile \
+  --build-arg SERVER_PORT=${SERVER_PORT} \
+  --build-arg ETHEREUM_RPC_URL=${ETHEREUM_RPC_URL} \
+  --build-arg WORMHOLE_ADDRESS=${WORMHOLE_ADDRESS} \
+  --progress=plain ../../../..
 
 # Wait until anvil starts listening
 until docker logs anvil-with-verifier 2>/dev/null | grep Listening
diff --git a/ts-pkgs/peer-server/Dockerfile b/ts-pkgs/peer-server/Dockerfile
index 389780e..17aa3ec 100644
--- a/ts-pkgs/peer-server/Dockerfile
+++ b/ts-pkgs/peer-server/Dockerfile
@@ -1,19 +1,29 @@
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get -y install git
-
 ARG SERVER_PORT
 ARG ETHEREUM_RPC_URL
 ARG WORMHOLE_ADDRESS=0x98f3c9e6E3fAce36bAAd05FE09d375Ef1464288B
 
-RUN test -n "${SERVER_PORT}" && \
-    test -n "${ETHEREUM_RPC_URL}"
+RUN mkdir --parents core-bridge/ts-pkgs/peer-server core-bridge/ts-pkgs/peer-lib
+COPY --link .yarn core-bridge/.yarn
+COPY --link package.json yarn.lock .yarnrc.yml core-bridge/
+COPY --link ts-pkgs/peer-server/package.json core-bridge/ts-pkgs/peer-server/
+COPY --link ts-pkgs/peer-lib/package.json core-bridge/ts-pkgs/peer-lib/
+WORKDIR /core-bridge
+RUN yarnpkg workspaces focus --all
+
+COPY --link ts-pkgs/config/ ts-pkgs/config/
+COPY --link ts-pkgs/peer-lib/tsconfig.json ts-pkgs/peer-lib/
+COPY --link ts-pkgs/peer-lib/src ts-pkgs/peer-lib/src
+COPY --link ts-pkgs/peer-server/tsconfig.json ts-pkgs/peer-server/
+COPY --link ts-pkgs/peer-server/src ts-pkgs/peer-server/src
 
-# TODO: Pin the commit
-RUN git clone -b feat/dkg-docker --depth 1 https://github.com/XLabs/core-bridge.git
 WORKDIR /core-bridge/ts-pkgs/peer-server
-RUN yarnpkg install --immutable
 RUN yarnpkg build
+
+RUN test -n "${SERVER_PORT}" && \
+    test -n "${ETHEREUM_RPC_URL}"
+
 # This is the config for the peer server
 COPY <<EOT config.json
 {
diff --git a/ts-pkgs/peer-server/Dockerfile.dockerignore b/ts-pkgs/peer-server/Dockerfile.dockerignore
new file mode 100644
index 0000000..f71a83d
--- /dev/null
+++ b/ts-pkgs/peer-server/Dockerfile.dockerignore
@@ -0,0 +1,37 @@
+src/
+data/
+.vscode/
+.vim/
+.github/
+cache/
+lib/
+out/
+tmp/
+verifiable-evm-build/
+
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions
+
+ts-pkgs/deploy
+ts-pkgs/peer-e2e
+ts-pkgs/tss-definitions
+ts-pkgs/peer-client
+
+**/ts-build
+
+.gitignore
+.gitmodules
+*.sublime-*
+*.awk
+foundry.toml
+guardian_key.txt
+Makefile
+README.md
+eslint.config.mjs
+
+*Dockerfile
+*dockerignore
\ No newline at end of file

From 49bff89a783378f9641ccfc5f066c154a933c3e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebasti=C3=A1n=20Claudio=20Nale?= <sebinale@gmail.com>
Date: Fri, 9 Jan 2026 09:52:20 -0300
Subject: [PATCH 2/7] evm: adds dockerignore for build

---
 evm-build.Dockerfile              |  6 +++++-
 evm-build.Dockerfile.dockerignore | 32 +++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 evm-build.Dockerfile.dockerignore

diff --git a/evm-build.Dockerfile b/evm-build.Dockerfile
index ad3e0e9..a995fb6 100644
--- a/evm-build.Dockerfile
+++ b/evm-build.Dockerfile
@@ -15,7 +15,11 @@ COPY --link src/evm src/evm
 # Prepare compiler input. NOTE: jq must be pre-applied to "clean" the output from forge.
 # Otherwise solc aborts with duplicated key/newline problems.
 
-RUN forge verify-contract --show-standard-json-input 0x0000000000000000000000000000000000000000 src/evm/WormholeVerifier.sol:WormholeVerifier | jq '.' > WormholeVerifier.input.json
+RUN forge verify-contract \
+  --show-standard-json-input \
+  0x0000000000000000000000000000000000000000 \
+  src/evm/WormholeVerifier.sol:WormholeVerifier \
+  | jq '.' > WormholeVerifier.input.json
 
 # Get compiler according to forge configuration (foundry.toml specified)
 
diff --git a/evm-build.Dockerfile.dockerignore b/evm-build.Dockerfile.dockerignore
new file mode 100644
index 0000000..3598e85
--- /dev/null
+++ b/evm-build.Dockerfile.dockerignore
@@ -0,0 +1,32 @@
+data/
+.vscode/
+.vim/
+.github/
+cache/
+out/
+tmp/
+verifiable-evm-build/
+
+ts-pkgs/
+
+src/solana
+test/
+
+**/ts-build
+
+.gitignore
+.gitmodules
+*.sublime-*
+*.awk
+guardian_key.txt
+README.md
+eslint.config.mjs
+
+.yarn/
+package.json
+tsconfig.json
+yarn.lock
+.pnp.*
+
+*Dockerfile
+*dockerignore
\ No newline at end of file

From 204f963925f374a020177af17fe0f05a6212845b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebasti=C3=A1n=20Claudio=20Nale?= <sebinale@gmail.com>
Date: Fri, 9 Jan 2026 10:36:22 -0300
Subject: [PATCH 3/7] misc: updates foundry docker images

---
 evm-build.Dockerfile                        | 8 +++++++-
 ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/evm-build.Dockerfile b/evm-build.Dockerfile
index a995fb6..9e2e53a 100644
--- a/evm-build.Dockerfile
+++ b/evm-build.Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/foundry-rs/foundry:v1.3.4@sha256:3afb57dcd8f06e098d643d04e0b541ef83a1edf94c0a80ea5e89329ec50ccd92 AS builder
+FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:3a70bfa9bd2c732a767bb60d12c8770b40e8f9b6cca28efc4b12b1be81c7f28e AS builder
 
 # Foundry image runs as foundry user by default
 # We need root to both run apt and to write files to the filesystem
@@ -12,6 +12,11 @@ COPY foundry.toml foundry.toml
 COPY --link lib/wormhole-solidity-sdk lib/wormhole-solidity-sdk
 COPY --link src/evm src/evm
 
+# forge logs "errors" and warnings to the standard output
+# Luckily, the only warning here is that forge's solidity compiler cache is missing.
+# However, we need to drop it to have a valid JSON.
+# See https://github.com/foundry-rs/foundry/issues/13034
+
 # Prepare compiler input. NOTE: jq must be pre-applied to "clean" the output from forge.
 # Otherwise solc aborts with duplicated key/newline problems.
 
@@ -19,6 +24,7 @@ RUN forge verify-contract \
   --show-standard-json-input \
   0x0000000000000000000000000000000000000000 \
   src/evm/WormholeVerifier.sol:WormholeVerifier \
+  | sed '1d' \
   | jq '.' > WormholeVerifier.input.json
 
 # Get compiler according to forge configuration (foundry.toml specified)
diff --git a/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile b/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
index d711328..ce36e91 100644
--- a/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
+++ b/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:7ec8952cc5322dce65091768e9efab8641ea9b54105f21fd71d4ae3dc3da05a8 AS foundry
+FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:3a70bfa9bd2c732a767bb60d12c8770b40e8f9b6cca28efc4b12b1be81c7f28e AS foundry
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
 RUN apt-get update && apt-get -y install git make

From aed2ddb8ee514cb1f9a77a13fcb3d934a1b5d3dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebasti=C3=A1n=20Claudio=20Nale?= <sebinale@gmail.com>
Date: Fri, 9 Jan 2026 14:24:16 -0300
Subject: [PATCH 4/7] misc: several minor improvements to dockerfiles

---
 evm-build.Dockerfile                        | 11 ++++++-----
 ts-pkgs/peer-client/Dockerfile              |  8 ++++----
 ts-pkgs/peer-client/dkg.Dockerfile          |  6 +++++-
 ts-pkgs/peer-client/tls.Dockerfile          |  8 +++++---
 ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile | 12 ++++++------
 ts-pkgs/peer-server/Dockerfile              |  9 +++++----
 6 files changed, 31 insertions(+), 23 deletions(-)

diff --git a/evm-build.Dockerfile b/evm-build.Dockerfile
index 9e2e53a..3e4ae2e 100644
--- a/evm-build.Dockerfile
+++ b/evm-build.Dockerfile
@@ -3,7 +3,8 @@ FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:3a70bfa9bd2c732a767bb60d12c8770b40
 # Foundry image runs as foundry user by default
 # We need root to both run apt and to write files to the filesystem
 USER root
-RUN apt update && apt install -y jq wget
+RUN apt-get update && apt-get install --no-install-recommends --yes jq wget
+USER foundry
 
 # Preflight
 
@@ -30,8 +31,8 @@ RUN forge verify-contract \
 # Get compiler according to forge configuration (foundry.toml specified)
 
 RUN SOLC_VERSION=$(forge config | grep "^solc =" | sed 's/solc = //' | sed 's/"//g'); \
-    if [ -z $SOLC_VERSION ]; then echo "SOLC_VERSION not set"; exit 1; fi; \
-    wget --output-document=solc https://github.com/ethereum/solidity/releases/download/v$SOLC_VERSION/solc-static-linux && chmod +x solc
+    if [ -z "$SOLC_VERSION" ]; then echo "SOLC_VERSION not set"; exit 1; fi; \
+    wget --progress=dot:giga --output-document=solc "https://github.com/ethereum/solidity/releases/download/v$SOLC_VERSION/solc-static-linux" && chmod +x solc
 
 # Compile contract(s).
 
@@ -39,10 +40,10 @@ RUN ./solc --standard-json WormholeVerifier.input.json > WormholeVerifier.output
     SOLC_ERR=$(jq '.errors[]? | select(.severity == "error")' WormholeVerifier.output.json) && \
     if [ ! -z "$SOLC_ERR" ]; then \
         echo "Error detected during solc execution."; \
-        echo $SOLC_ERR; \
+        echo "$SOLC_ERR"; \
         exit 2; \
     fi
 
 # Consolidate all generated output
 FROM scratch AS foundry-export
-COPY --from=builder /app/*.input.json /app/*.output.json ./
+COPY --from=builder /app/*.input.json /app/*.output.json /
diff --git a/ts-pkgs/peer-client/Dockerfile b/ts-pkgs/peer-client/Dockerfile
index 1b612a7..6a4c6fa 100644
--- a/ts-pkgs/peer-client/Dockerfile
+++ b/ts-pkgs/peer-client/Dockerfile
@@ -1,10 +1,10 @@
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
 RUN mkdir --parents core-bridge/ts-pkgs/peer-client core-bridge/ts-pkgs/peer-lib
-COPY --link .yarn core-bridge/.yarn
-COPY --link package.json yarn.lock .yarnrc.yml core-bridge/
-COPY --link ts-pkgs/peer-client/package.json core-bridge/ts-pkgs/peer-client/
-COPY --link ts-pkgs/peer-lib/package.json core-bridge/ts-pkgs/peer-lib/
+COPY --link .yarn /core-bridge/.yarn
+COPY --link package.json yarn.lock .yarnrc.yml /core-bridge/
+COPY --link ts-pkgs/peer-client/package.json /core-bridge/ts-pkgs/peer-client/
+COPY --link ts-pkgs/peer-lib/package.json /core-bridge/ts-pkgs/peer-lib/
 WORKDIR /core-bridge
 RUN yarnpkg workspaces focus --all
 
diff --git a/ts-pkgs/peer-client/dkg.Dockerfile b/ts-pkgs/peer-client/dkg.Dockerfile
index 50991b3..0c496b4 100644
--- a/ts-pkgs/peer-client/dkg.Dockerfile
+++ b/ts-pkgs/peer-client/dkg.Dockerfile
@@ -1,6 +1,10 @@
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get -y install git golang jq
+RUN apt-get update && apt-get --no-install-recommends --yes install \
+  git \
+  golang \
+  jq \
+  && rm -rf /var/lib/apt/lists
 
 # TODO: Pin the commit
 RUN git clone -b schnorr --depth 1 https://github.com/XLabs/wormhole.git
diff --git a/ts-pkgs/peer-client/tls.Dockerfile b/ts-pkgs/peer-client/tls.Dockerfile
index 6592d6c..1f4c286 100644
--- a/ts-pkgs/peer-client/tls.Dockerfile
+++ b/ts-pkgs/peer-client/tls.Dockerfile
@@ -1,9 +1,11 @@
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get -y install openssl
+RUN apt-get update && apt-get --no-install-recommends --yes install \
+  openssl \
+  && rm -rf /var/lib/apt/lists
 
 # Generate the TLS key and certificate
-COPY --chmod=555 <<EOT generate_tls_key.sh
+COPY --chmod=555 <<EOT /generate_tls_key.sh
 #!/bin/bash
 set -euo pipefail
 
@@ -24,4 +26,4 @@ openssl req -x509 -key /keys/key.pem -out /keys/cert.pem -days 365 \\
   -addext "extendedKeyUsage=serverAuth,clientAuth"
 EOT
 
-ENTRYPOINT ["./generate_tls_key.sh"]
\ No newline at end of file
+ENTRYPOINT ["/generate_tls_key.sh"]
\ No newline at end of file
diff --git a/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile b/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
index ce36e91..cea795f 100644
--- a/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
+++ b/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
@@ -1,15 +1,15 @@
 FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:3a70bfa9bd2c732a767bb60d12c8770b40e8f9b6cca28efc4b12b1be81c7f28e AS foundry
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get -y install git make
+RUN apt-get update && apt-get --no-install-recommends --yes install git make
 
 COPY --from=foundry /usr/local/bin/anvil /usr/local/bin/forge /usr/local/bin/cast /bin/
 
-RUN mkdir --parents core-bridge/src
-COPY --link foundry.toml Makefile core-bridge/
-COPY --link src/evm core-bridge/src/evm
-COPY --link test core-bridge/test
-COPY --link ts-pkgs/peer-e2e/tests/e2e/anvil/localAnvilWithVerifier.sh core-bridge/
+RUN mkdir --parents /core-bridge/src
+COPY --link foundry.toml Makefile /core-bridge/
+COPY --link src/evm /core-bridge/src/evm
+COPY --link test /core-bridge/test
+COPY --link ts-pkgs/peer-e2e/tests/e2e/anvil/localAnvilWithVerifier.sh /core-bridge/
 
 WORKDIR /core-bridge
 
diff --git a/ts-pkgs/peer-server/Dockerfile b/ts-pkgs/peer-server/Dockerfile
index 17aa3ec..db48e7c 100644
--- a/ts-pkgs/peer-server/Dockerfile
+++ b/ts-pkgs/peer-server/Dockerfile
@@ -5,10 +5,10 @@ ARG ETHEREUM_RPC_URL
 ARG WORMHOLE_ADDRESS=0x98f3c9e6E3fAce36bAAd05FE09d375Ef1464288B
 
 RUN mkdir --parents core-bridge/ts-pkgs/peer-server core-bridge/ts-pkgs/peer-lib
-COPY --link .yarn core-bridge/.yarn
-COPY --link package.json yarn.lock .yarnrc.yml core-bridge/
-COPY --link ts-pkgs/peer-server/package.json core-bridge/ts-pkgs/peer-server/
-COPY --link ts-pkgs/peer-lib/package.json core-bridge/ts-pkgs/peer-lib/
+COPY --link .yarn /core-bridge/.yarn
+COPY --link package.json yarn.lock .yarnrc.yml /core-bridge/
+COPY --link ts-pkgs/peer-server/package.json /core-bridge/ts-pkgs/peer-server/
+COPY --link ts-pkgs/peer-lib/package.json /core-bridge/ts-pkgs/peer-lib/
 WORKDIR /core-bridge
 RUN yarnpkg workspaces focus --all
 
@@ -36,4 +36,5 @@ COPY <<EOT config.json
   "threshold": 13
 }
 EOT
+
 ENTRYPOINT ["yarnpkg", "start:server"]

From ae19b4b6455a29478f839ff5fa14df4c52d53da8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebasti=C3=A1n=20Claudio=20Nale?= <sebinale@gmail.com>
Date: Fri, 9 Jan 2026 15:37:41 -0300
Subject: [PATCH 5/7] misc: removes some noise from the docker builds

---
 evm-build.Dockerfile                                       | 2 +-
 ts-pkgs/peer-client/dkg.Dockerfile                         | 3 ++-
 ts-pkgs/peer-client/tls.Dockerfile                         | 2 +-
 ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile                | 2 +-
 ts-pkgs/peer-e2e/tests/e2e/anvil/localAnvilWithVerifier.sh | 2 +-
 ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh               | 2 +-
 6 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/evm-build.Dockerfile b/evm-build.Dockerfile
index 3e4ae2e..9c1acee 100644
--- a/evm-build.Dockerfile
+++ b/evm-build.Dockerfile
@@ -3,7 +3,7 @@ FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:3a70bfa9bd2c732a767bb60d12c8770b40
 # Foundry image runs as foundry user by default
 # We need root to both run apt and to write files to the filesystem
 USER root
-RUN apt-get update && apt-get install --no-install-recommends --yes jq wget
+RUN apt-get --quiet update && apt-get --quiet --no-install-recommends --yes install jq wget
 USER foundry
 
 # Preflight
diff --git a/ts-pkgs/peer-client/dkg.Dockerfile b/ts-pkgs/peer-client/dkg.Dockerfile
index 0c496b4..1802bca 100644
--- a/ts-pkgs/peer-client/dkg.Dockerfile
+++ b/ts-pkgs/peer-client/dkg.Dockerfile
@@ -1,9 +1,10 @@
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get --no-install-recommends --yes install \
+RUN apt-get --quiet update && apt-get --quiet --no-install-recommends --yes install \
   git \
   golang \
   jq \
+  ca-certificates \
   && rm -rf /var/lib/apt/lists
 
 # TODO: Pin the commit
diff --git a/ts-pkgs/peer-client/tls.Dockerfile b/ts-pkgs/peer-client/tls.Dockerfile
index 1f4c286..c0be7db 100644
--- a/ts-pkgs/peer-client/tls.Dockerfile
+++ b/ts-pkgs/peer-client/tls.Dockerfile
@@ -1,6 +1,6 @@
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get --no-install-recommends --yes install \
+RUN apt-get --quiet update && apt-get --quiet --no-install-recommends --yes install \
   openssl \
   && rm -rf /var/lib/apt/lists
 
diff --git a/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile b/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
index cea795f..cdc4e6e 100644
--- a/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
+++ b/ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile
@@ -1,7 +1,7 @@
 FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:3a70bfa9bd2c732a767bb60d12c8770b40e8f9b6cca28efc4b12b1be81c7f28e AS foundry
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get --no-install-recommends --yes install git make
+RUN apt-get --quiet update && apt-get --quiet --no-install-recommends --yes install git make ca-certificates
 
 COPY --from=foundry /usr/local/bin/anvil /usr/local/bin/forge /usr/local/bin/cast /bin/
 
diff --git a/ts-pkgs/peer-e2e/tests/e2e/anvil/localAnvilWithVerifier.sh b/ts-pkgs/peer-e2e/tests/e2e/anvil/localAnvilWithVerifier.sh
index d116805..882eb82 100755
--- a/ts-pkgs/peer-e2e/tests/e2e/anvil/localAnvilWithVerifier.sh
+++ b/ts-pkgs/peer-e2e/tests/e2e/anvil/localAnvilWithVerifier.sh
@@ -42,7 +42,7 @@ GUARDIAN_SET="([${GUARDIAN_ADDRESSES[*]}], $EXPIRATION_TIME)"
 UPDATE_FUNCTION_SIG="update(bytes)"
 PULL_AND_APPEND_MESSAGE=0x0200000001010a4c01000000001300c784b72bdbc69e5504aa1242eb7bd0ed6fac4a1781564bf2d86920e2d4c29a1807e1c30276e5f413e4ba1306640a3c21f5339729e4d67f2cec043050848387c000018cd679bcc0b02021fd44831e7dc98fbf7e6345cb27315b8e7923e6deaaf232bb6e061d7bb1ca927a7e23dc1961d54187f5c4257d1d6bc39848b669d4f01425270002775c91c5982248a1db4832b4d2625cc3733cbdd9fa80a4ff52f2103d32c4650c73ba6941244acbe55cb62fbb04f98bbe6d59fc9be3b2802c557f82e182750ae00003f30ff41563588014f41408fedb77e937c1166a36f876b43cc3d67a6a8829f1f80ae6d2de6e497c6e50741a82c3723c0bca7c23c21e406905c1a2823914c28648000477728606d481c8357c47b93478a5d7d91bfcc256bda8603f3859c3770fdff8f34b68300a5553c6503231381ddffd5f327cda90b009c12772ab280b74ad041ee001052fd1b5c788173564cb606a3b71f448f1a6f9d7cf27e1f307523a93d63be9be3255dd97ad2acbf8f50adff60b0824a4a7951cc00da3daf62b1daac5f955215b550006dde6eb08bf523ce2e8c0cf3a473d6815435dadc9dfe779d35b6a82d0346890347b84dfab5ccf7d0cf518b786a84ba451f51906ac7cb82786b4f0c42bf6849d9a0107403a723f07cbcdcf5929e7d532268911c898771e4ff6f97d4ef6dc53a503658a42dd99a6e75509b7ec8d50cfe71999fdec7f701bcb087887f4e5bf187d0de07a0008f59922132f01bdd1fc3fe06aa259ec0c1cf7c0fe540df5ae4fb98b8c3271c0a668de31e5d4a3badfafa9db3d04144f825cc586d037bc2ae8ab5112c467d45e17010936f22ca8d661f2ef1a8d5b137f25f13096ee386c5f21cfebb15026ebaea247021534c2b5888bb84105d2468ed51f2509384a1e2a0c149bd01e190627febc682c000a70025707a7a678310ccb4854be55ece069ccd2c12f9b3c14a1ec86bed0aef7a16a77a2f69979f3e8fdcaeffe04aca36a10f401e31d94b83da21e0b1e57b8506a010b7cdd119fb609d6ab1f0c4b5fffc08edc6201d335d5d8bdb1957ba66112ca2b8e74676cc181c431bfc5b15daec79f90485cb6cd2f186576232ce327f25d99bf28010c9d9230d97ced30899540eac30dcd61bca8bad2e942ff755b77423c38777d90fa51dcf65e503bd2b74e2a51ff9230bd152d9cc127572f33057bffac00c4a0c0f5010dae858697d71e8699d9fd540a07e7058b37b7b92af3e0d28bec3581c54190a8ff5a9161b86a676054ee4cb58261f0a9d4d3ac445534560041c7eceb1284fb0850010e10bea0368026099259909b9f16f6303abdd63a0718c88a8009a03b5ab042154936c1f8c6fca7c73215ddabc9d47d0e1ac75861e2674784c11053a80aef6b1f1b010fd93a93d7c58851b5b2e2a18fdb126b4a0e3e2985ea1618245ef977cd44219fd06beb7def5842df4f7a1cdfb98fad3b3b41658c1e7198755388f1c6eed97496dd01109d9d17618012f0ae4127d41a7218bf2d36607b4d542abe750481e71b4a50443d275acd51043f5c2f7b97d072b9e725a2b773db1d7994d4780aa7e008c83d0b2e01113e7be58ec63f184f8e7ff87d77bb81f54fa23751aaa29cd4a038ef67784dd7f8719bc49ded5f77a9af49bc498d4fc185725bf5cf6b17f85be1659518e3a465a7011210bbde4e6b986e2a8bf190d8fe1ad38cf686b8a13684cc8555f5139dda344e274d660f7ed457b2db848d21e1f7e4cf8ee200eaa28bf65914fc5da2f76d44401a000000000100000000000100000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000000545353010000000000000000c11b6c8b8e4ecc62ebf10437678eb70f17f1e53abdb3fa8df1912e3b3d11b5b9000000007af3ae7c8391b4ed809917baff6b5ba28a315410aa382d07f5fa84a9c51c31af0000000000000000000000000000000000000000000000000000000000000013c67c82a42364074e4a3ffec944a96d758cec08da09275ada471fe82c95159af922b517009ccd7ede90cebf16ab630868989172c72ebd70ffc6d04cb783eeba6182272a56366878aa05e5cbcd5cd1d195d14ca26064be20cdb7aacebcf2c86a206e24f50d0c1bae02d47e0ef5ae26cc5e3ee7d98660b508736fa4a7d64fe3c625c81a9b27aeef5a963959d5e424a0686a981918a009cacef18ded6e6496c9a808439bd6108f1590b56ebdea0706c2dc308240c4a47d94f42d16f92db81f6222b9a2218874818e7da07f632a9c9bbfcd96ed478b6a4a6a9829bff2eb5f8ed719a8d73ba7c666d41f554e8beaf96d5e2ae6590aefc7b5ef7008dc0b49b6328966a07b015af9ed3b47ff5a1a71410bbda0aaf40111858925784658f19acf4c085f2efe156e000de4ae76fd51fb41331bbab47a10a6f0d8ea96859cd5f66e2ec9b6a9ebbe5853f748ac603c984ed162ee44d2e898ca4552f3b153f59a665681ab2c00155f68801d5a51f216b26a3e0f5fb41a1f0525a61cddb6b0ab2b4c19213ebc552c45b839f24d1cb4ea25c0079e62f930f91499c77d13b43074b3c3810718cd8d61bad7e65e328ae170db4326021c7585baadae785350e12f1f2bdb7e73c10b289f8efce656540a4ddd16a323d7a3e2e9355dc13c7afa1f6197ea72cfc1375517ef60c2cd0f8ae627298a1dd237670198aa1dabb3cbcf2a532fd1cadc698788e383b81eb33a7fcb0694e212de9e4fb0db2579e8c4941a43adae1ebd8f43559aa924b2e1ac892f26e3741cd99b29ceb4c9f6acadb1af74942e83f23f8d37dcb6d6759540959b56070ee6effb4793af059d49897d9b54edaf78f0f06f5b03ec6c2c00000000000000000000000000000000000000000000000000000000000000130000000000000000000000001bb315e24af6bb5daba538dd17a6168cfa91a213000000000000000000000000d1ffc4dd68bd8f241032b5beac1cf6099c5c80110000000000000000000000007ab4f18499e49ff14b1b1eaad92c0229036ad0520000000000000000000000004ac1bdfcdc3ef49a9553d1bcf6a56e36e815ea06000000000000000000000000d1523f8e5dc2ecf403dc733819cb20185f8d6ad1000000000000000000000000b7d8612e65d6f95707173492bb497728108b6b9a0000000000000000000000003022ee66b0fd56d6a3f0b5b520973b29c2ef67ea0000000000000000000000008b0798246b538f49eaf429b5b011eb65c5a30cde0000000000000000000000009b550e6cb0553dee579ecf2700d096bb235783f10000000000000000000000007ba7f6acfcd9a721eb906a2da8ebcbc8a83f250b0000000000000000000000006ebda46121d17b95220f2f9af86c68ce90b790850000000000000000000000004fdd5551d20f0d3798fd9da624ae8fcc6959edb20000000000000000000000001d7c41ecc9d30f84a922708c9aea53c3f5dbcb650000000000000000000000003e1fd6000b547f1d8302d6eeb89aadeea5f6de3d0000000000000000000000004ae924b2b7f4992b11285dafe052d158dfd80d060000000000000000000000007d4b0dedb4e8d43801823632e788cd600e45292c0000000000000000000000002f38a48f8968114aa5a62e3a106d2d3dd5478bf2010a4c0100000000130038bdd723fbe87acb6cebac6f6b250dd67d8c79609fe9680406c5ec06ffb030ba2382bfe3f84f71b695b8a7f9cac579ba08bce9531dc888f756903d3606844e530001e832daa17b481bae90f65d912de12855efd69330795210e5ca0627c2062d2b3957bde66a6ef2c50e50a431ba700c74deb635d4d193cb666ffef4771e9c56788100024e04df9e21405713919a91e25935abbf5f772ea97256f35bc70be5ce30161bd57230368755b6e757f6574abb71037aca755e4582898f434d36d15a64510cf3120003c0d6f16b3bad00ef78b3c5e9b6b13975c67bab8abae9477e236f159069036dcc0871657314684d4618a1d1c01ec4484d6cf8d1f2ef77d15aa65360f5b06ae5280004680f1b88e7284e04b1a95ccb62ed0661242f8abc9323105639b60e22ded1c70d4129c165dd58c943fd513e878fcd4dc3fb201ef181d8251ba39eced82c92ee6b000553f5989e4f5bcee22aa27e3d76cec1d441cb75184a5ea06b369f2cf026f9fe3a5bb540d08bbf2f06a950b928a907d11a6f5cdeed255be6fc01db61e19d27a9440006ac03376fc0913caba1d2bc1d8e51378883f491a34e51e0b0f582ea207ab8eae24d43d7ddabd7b51846bbbc3fb4f0b93433b860e4bea53990a44a8860eb4c611301076bce961fe9c60bc1e7f9540ad792718ca14e1dc8d4b6a3fee2e5d2ee1d07df4719c5ddc716db7b7b11f3fd60122b1e625740f124acee64771e5a3e94e99b86ce00084e0b0c75f1f7190fc5b2f02e553c9f3922af7ad267f74468139536f374e3e07057fbf23e3b8eacee916ec46d12b0283878f7e95f9644d268aa60699d4a20aace00095341fe0a7fad83e34c43d903917ed422df0493c82c42a3b8453a1ebb3cfc6517222527ec944167b2f7f42944698c49a89d4fe1b8d900f3f1064aaa61714b24ed010a977d3781675af3ad76c8c65d7b2b22a72b4c94bbd71bb7f01a61745d3b08b731393a49d1c0bb35c866a1320af9ce62cbe38a502a0e1492c08fe25015fe5af6c0010b2dc5fdb0ccf2371b63403c2b66243dc6c7911341255141544345660fa777604d2994c1320be28f3e7a9f5c8361818603a0d5c0ec3f1440b05f982a1f45573eb1010c1ea0f0771a82568b333ab7fc39e78861cd1feb5e883a5e9ec622699db0475d8308a096e2b38372da6ac9acc6a4e5bf7e7c0d9c27f325792f1b4bad60b0559ff3000d74083918894415bd7973ae66ba458b88fad1c87239e94df2c38b255dbc51db4075cb60fa2638f36791e86ad758c3c7434342d507a43d56507b1bd3a4c9105bfe010e6961de7e9262854369632aaeafcbaf489a6f257c94fc4820f07f17c28c699b0640e2cea75d8ec8d193f252aa8d1404d02f9927a6ace53e4894c5ced89c56957d000f75ffbaf7255d8e9f3dd236261f4d1a892f349f2443934af11bf70cd8bd3e821e1b1c0e9fc8447705e15625325062192ae084cbd44e1f4bd53a0d14da690f5649011053a91e0d339c6075de697c6889b06eebecc392c92dc3c9e34cb72eddc4640a3442406d81f8cb484c63278c94576fde969a22e1fd32eb51e84409aadb31ff1f1300113ade6f3bcbdfc248a2b26872869ac39b7b7731bf25887f82085790b73a6b59367d1298668186e2cbc8007da8f1b6aaded73db30c03d06c275e30ee6058a0e362001215f45e167c8563d6920091ba99088ff5bb9c0f874aa4defd3814d9307c983b19204e3c33f7f062493d9c413a6fb1afa9e6b2ebeea49b77fca9806c8bf28452a801000000010000000000010000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000000000000000054535301000000010000000055c79afbfe1347cd62a6af7cfb28c20d4cc83f64e258a3140928518b96b004fc000151807af3ae7c8391b4ed809917baff6b5ba28a315410aa382d07f5fa84a9c51c31af0000000000000000000000000000000000000000000000000000000000000013c67c82a42364074e4a3ffec944a96d758cec08da09275ada471fe82c95159af922b517009ccd7ede90cebf16ab630868989172c72ebd70ffc6d04cb783eeba6182272a56366878aa05e5cbcd5cd1d195d14ca26064be20cdb7aacebcf2c86a206e24f50d0c1bae02d47e0ef5ae26cc5e3ee7d98660b508736fa4a7d64fe3c625c81a9b27aeef5a963959d5e424a0686a981918a009cacef18ded6e6496c9a808439bd6108f1590b56ebdea0706c2dc308240c4a47d94f42d16f92db81f6222b9a2218874818e7da07f632a9c9bbfcd96ed478b6a4a6a9829bff2eb5f8ed719a8d73ba7c666d41f554e8beaf96d5e2ae6590aefc7b5ef7008dc0b49b6328966a07b015af9ed3b47ff5a1a71410bbda0aaf40111858925784658f19acf4c085f2efe156e000de4ae76fd51fb41331bbab47a10a6f0d8ea96859cd5f66e2ec9b6a9ebbe5853f748ac603c984ed162ee44d2e898ca4552f3b153f59a665681ab2c00155f68801d5a51f216b26a3e0f5fb41a1f0525a61cddb6b0ab2b4c19213ebc552c45b839f24d1cb4ea25c0079e62f930f91499c77d13b43074b3c3810718cd8d61bad7e65e328ae170db4326021c7585baadae785350e12f1f2bdb7e73c10b289f8efce656540a4ddd16a323d7a3e2e9355dc13c7afa1f6197ea72cfc1375517ef60c2cd0f8ae627298a1dd237670198aa1dabb3cbcf2a532fd1cadc698788e383b81eb33a7fcb0694e212de9e4fb0db2579e8c4941a43adae1ebd8f43559aa924b2e1ac892f26e3741cd99b29ceb4c9f6acadb1af74942e83f23f8d37dcb6d6759540959b56070ee6effb4793af059d49897d9b54edaf78f0f06f5b03ec6c2c00000000000000000000000000000000000000000000000000000000000000130000000000000000000000001bb315e24af6bb5daba538dd17a6168cfa91a213000000000000000000000000d1ffc4dd68bd8f241032b5beac1cf6099c5c80110000000000000000000000007ab4f18499e49ff14b1b1eaad92c0229036ad0520000000000000000000000004ac1bdfcdc3ef49a9553d1bcf6a56e36e815ea06000000000000000000000000d1523f8e5dc2ecf403dc733819cb20185f8d6ad1000000000000000000000000b7d8612e65d6f95707173492bb497728108b6b9a0000000000000000000000003022ee66b0fd56d6a3f0b5b520973b29c2ef67ea0000000000000000000000008b0798246b538f49eaf429b5b011eb65c5a30cde0000000000000000000000009b550e6cb0553dee579ecf2700d096bb235783f10000000000000000000000007ba7f6acfcd9a721eb906a2da8ebcbc8a83f250b0000000000000000000000006ebda46121d17b95220f2f9af86c68ce90b790850000000000000000000000004fdd5551d20f0d3798fd9da624ae8fcc6959edb20000000000000000000000001d7c41ecc9d30f84a922708c9aea53c3f5dbcb650000000000000000000000003e1fd6000b547f1d8302d6eeb89aadeea5f6de3d0000000000000000000000004ae924b2b7f4992b11285dafe052d158dfd80d060000000000000000000000007d4b0dedb4e8d43801823632e788cd600e45292c0000000000000000000000002f38a48f8968114aa5a62e3a106d2d3dd5478bf2
 
-anvil --host 0.0.0.0 &
+anvil --quiet --host 0.0.0.0 &
 forge create --private-key $PRIVATE_KEY --broadcast test/WormholeVerifier.t.sol:WormholeV1Mock
 forge create WormholeVerifier --private-key $PRIVATE_KEY --broadcast --constructor-args $MOCK_ADDRESS 0 0 0 0x
 cast send --private-key $PRIVATE_KEY $MOCK_ADDRESS "$APPEND_SET_FUNCTION_SIG" "$GUARDIAN_SET"
diff --git a/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh b/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh
index a1cbe11..9b88140 100755
--- a/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh
+++ b/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh
@@ -15,7 +15,7 @@ docker build --tag peer-server \
   --progress=plain ../../../..
 
 # Wait until anvil starts listening
-until docker logs anvil-with-verifier 2>/dev/null | grep Listening
+until test -n "${ETHEREUM_RPC_URL}"
 do
   sleep 1
 done

From c182f43c705f2b454909daf2dc5ed8e0572d9c1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebasti=C3=A1n=20Claudio=20Nale?= <sebinale@gmail.com>
Date: Fri, 9 Jan 2026 16:39:52 -0300
Subject: [PATCH 6/7] evm: adds lint rule disables

---
 src/evm/WormholeVerifier.sol | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/evm/WormholeVerifier.sol b/src/evm/WormholeVerifier.sol
index a2ad13f..12b1c61 100644
--- a/src/evm/WormholeVerifier.sol
+++ b/src/evm/WormholeVerifier.sol
@@ -1280,6 +1280,8 @@ contract WormholeVerifier is EIP712Encoding {
       // Check if we need to update the current guardian set
       if (oldMultisigKeysLength > 0) {
         // Pull and write the current guardian set expiration time
+        // There can't be more than 2^32 - 1 guardian sets
+        // forge-lint: disable-next-line(unsafe-typecast)
         uint32 updateIndex = uint32(oldMultisigKeysLength - 1);
         uint32 expirationTime = _coreBridge.getGuardianSet(updateIndex).expirationTime;
         _setMultisigExpirationTime(updateIndex, expirationTime);
@@ -1292,6 +1294,8 @@ contract WormholeVerifier is EIP712Encoding {
       // Pull and append the guardian sets
       for (uint256 i = oldMultisigKeysLength; i < upper; i++) {
         // Pull the guardian set, write the expiration time, and append the guardian set data to the ExtStore
+        // There can't be more than 2^32 - 1 guardian sets
+        // forge-lint: disable-next-line(unsafe-typecast)
         GuardianSet memory guardians = _coreBridge.getGuardianSet(uint32(i));
         _appendMultisigKeyData(guardians.keys, guardians.expirationTime);
       }
@@ -1319,9 +1323,13 @@ contract WormholeVerifier is EIP712Encoding {
     uint256 multisigDataSlot = SLOT_MULTISIG_KEY_DATA + index;
     uint256 entry;
     assembly ("memory-safe") { entry := sload(multisigDataSlot) }
+    // We clear the upper bits
+    // forge-lint: disable-next-line(unsafe-typecast)
     expirationTime = uint32(entry & MASK_MULTISIG_ENTRY_EXPIRATION_TIME);
 
     // Load the key data contract, validate the size
+    // We select the bits that contain the address
+    // forge-lint: disable-next-line(unsafe-typecast)
     address keyDataAddress = address(uint160(entry >> SHIFT_MULTISIG_ENTRY_ADDRESS));
     uint256 keyDataSize = keyDataAddress.code.length;
     require (keyDataSize > 0, UnknownGuardianSet(index));
@@ -1398,9 +1406,12 @@ contract WormholeVerifier is EIP712Encoding {
     uint256 storageWord;
     assembly ("memory-safe") { storageWord := sload(extraDataSlot) }
 
+    // We select the relevant bits for each field
+    // forge-lint: disable-start(unsafe-typecast)
     expirationTime   = uint32( storageWord                                           & MASK_SCHNORR_EXTRA_EXPIRATION_TIME);
     shardCount       = uint8 ((storageWord >> SHIFT_SCHNORR_EXTRA_SHARD_COUNT)       & MASK_SCHNORR_EXTRA_SHARD_COUNT    );
     multisigKeyIndex = uint32( storageWord >> SHIFT_SCHNORR_EXTRA_MULTISIG_KEY_INDEX                                     );
+    // forge-lint: disable-end(unsafe-typecast)
   }
 
   function _getSchnorrShardDataExport(uint32 index) internal view returns (uint8 shardCount, bytes memory shardData) {

From 53680fd036eab202f30cb78bdaf61b072e58476e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebasti=C3=A1n=20Claudio=20Nale?= <sebinale@gmail.com>
Date: Fri, 9 Jan 2026 16:40:43 -0300
Subject: [PATCH 7/7] misc: fixes wait for anvil in e2e test

---
 ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh b/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh
index 9b88140..1be5062 100755
--- a/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh
+++ b/ts-pkgs/peer-e2e/tests/e2e/scripts/server.sh
@@ -15,9 +15,16 @@ docker build --tag peer-server \
   --progress=plain ../../../..
 
 # Wait until anvil starts listening
-until test -n "${ETHEREUM_RPC_URL}"
-do
-  sleep 1
-done
+docker run --rm --network=dkg-test --env ETHEREUM_RPC_URL ghcr.io/foundry-rs/foundry:v1.5.1@sha256:3a70bfa9bd2c732a767bb60d12c8770b40e8f9b6cca28efc4b12b1be81c7f28e sh -lc '
+  deadline=$((SECONDS+60))
+  until cast block-number --rpc-url "$ETHEREUM_RPC_URL" >/dev/null 2>&1; do
+    if [ "$SECONDS" -ge "$deadline" ]; then
+      echo "Timed out waiting for $ETHEREUM_RPC_URL" >&2
+      exit 1
+    fi
+    sleep 0.5
+  done
+'
+
 
 docker run --rm --network=dkg-test --name peer-server peer-server