misc: dockerfile git clone cleanup

Makefile

@@ -29,7 +29,7 @@ build-evm: dependencies-evm
 	forge build
 
 verifiable-build-evm: dependencies-evm
-	mkdir -p verifiable-evm-build && docker build  --file ./Dockerfile.evm . --tag verification-v2-evm-build --output type=local,dest=verifiable-evm-build
+	mkdir -p verifiable-evm-build && docker build --file ./evm-build.Dockerfile . --tag verification-v2-evm-build --output type=local,dest=verifiable-evm-build
 
 test-evm: dependencies-evm
 	forge test

evm-build.Dockerfile

@@ -0,0 +1,49 @@
+FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:3a70bfa9bd2c732a767bb60d12c8770b40e8f9b6cca28efc4b12b1be81c7f28e AS builder
+
+# Foundry image runs as foundry user by default
+# We need root to both run apt and to write files to the filesystem
+USER root
+RUN apt-get --quiet update && apt-get --quiet --no-install-recommends --yes install jq wget
+USER foundry
+
+# Preflight
+
+WORKDIR /app
+COPY foundry.toml foundry.toml
+COPY --link lib/wormhole-solidity-sdk lib/wormhole-solidity-sdk
+COPY --link src/evm src/evm
+
+# forge logs "errors" and warnings to the standard output
+# Luckily, the only warning here is that forge's solidity compiler cache is missing.
+# However, we need to drop it to have a valid JSON.
+# See https://github.com/foundry-rs/foundry/issues/13034
+
+# Prepare compiler input. NOTE: jq must be pre-applied to "clean" the output from forge.
+# Otherwise solc aborts with duplicated key/newline problems.
+
+RUN forge verify-contract \
+  --show-standard-json-input \
+  0x0000000000000000000000000000000000000000 \
+  src/evm/WormholeVerifier.sol:WormholeVerifier \
+  | sed '1d' \
+  | jq '.' > WormholeVerifier.input.json
+
+# Get compiler according to forge configuration (foundry.toml specified)
+
+RUN SOLC_VERSION=$(forge config | grep "^solc =" | sed 's/solc = //' | sed 's/"//g'); \
+    if [ -z "$SOLC_VERSION" ]; then echo "SOLC_VERSION not set"; exit 1; fi; \
+    wget --progress=dot:giga --output-document=solc "https://github.com/ethereum/solidity/releases/download/v$SOLC_VERSION/solc-static-linux" && chmod +x solc
+
+# Compile contract(s).
+
+RUN ./solc --standard-json WormholeVerifier.input.json > WormholeVerifier.output.json && \
+    SOLC_ERR=$(jq '.errors[]? | select(.severity == "error")' WormholeVerifier.output.json) && \
+    if [ ! -z "$SOLC_ERR" ]; then \
+        echo "Error detected during solc execution."; \
+        echo "$SOLC_ERR"; \
+        exit 2; \
+    fi
+
+# Consolidate all generated output
+FROM scratch AS foundry-export
+COPY --from=builder /app/*.input.json /app/*.output.json /

evm-build.Dockerfile.dockerignore

@@ -0,0 +1,32 @@
+data/
+.vscode/
+.vim/
+.github/
+cache/
+out/
+tmp/
+verifiable-evm-build/
+
+ts-pkgs/
+
+src/solana
+test/
+
+**/ts-build
+
+.gitignore
+.gitmodules
+*.sublime-*
+*.awk
+guardian_key.txt
+README.md
+eslint.config.mjs
+
+.yarn/
+package.json
+tsconfig.json
+yarn.lock
+.pnp.*
+
+*Dockerfile
+*dockerignore

src/evm/WormholeVerifier.sol

@@ -1280,6 +1280,8 @@ contract WormholeVerifier is EIP712Encoding {
       // Check if we need to update the current guardian set
       if (oldMultisigKeysLength > 0) {
         // Pull and write the current guardian set expiration time
+        // There can't be more than 2^32 - 1 guardian sets
+        // forge-lint: disable-next-line(unsafe-typecast)
         uint32 updateIndex = uint32(oldMultisigKeysLength - 1);
         uint32 expirationTime = _coreBridge.getGuardianSet(updateIndex).expirationTime;
         _setMultisigExpirationTime(updateIndex, expirationTime);
@@ -1292,6 +1294,8 @@ contract WormholeVerifier is EIP712Encoding {
       // Pull and append the guardian sets
       for (uint256 i = oldMultisigKeysLength; i < upper; i++) {
         // Pull the guardian set, write the expiration time, and append the guardian set data to the ExtStore
+        // There can't be more than 2^32 - 1 guardian sets
+        // forge-lint: disable-next-line(unsafe-typecast)
         GuardianSet memory guardians = _coreBridge.getGuardianSet(uint32(i));
         _appendMultisigKeyData(guardians.keys, guardians.expirationTime);
       }
@@ -1319,9 +1323,13 @@ contract WormholeVerifier is EIP712Encoding {
     uint256 multisigDataSlot = SLOT_MULTISIG_KEY_DATA + index;
     uint256 entry;
     assembly ("memory-safe") { entry := sload(multisigDataSlot) }
+    // We clear the upper bits
+    // forge-lint: disable-next-line(unsafe-typecast)
     expirationTime = uint32(entry & MASK_MULTISIG_ENTRY_EXPIRATION_TIME);
 
     // Load the key data contract, validate the size
+    // We select the bits that contain the address
+    // forge-lint: disable-next-line(unsafe-typecast)
     address keyDataAddress = address(uint160(entry >> SHIFT_MULTISIG_ENTRY_ADDRESS));
     uint256 keyDataSize = keyDataAddress.code.length;
     require (keyDataSize > 0, UnknownGuardianSet(index));
@@ -1398,9 +1406,12 @@ contract WormholeVerifier is EIP712Encoding {
     uint256 storageWord;
     assembly ("memory-safe") { storageWord := sload(extraDataSlot) }
 
+    // We select the relevant bits for each field
+    // forge-lint: disable-start(unsafe-typecast)
     expirationTime   = uint32( storageWord                                           & MASK_SCHNORR_EXTRA_EXPIRATION_TIME);
     shardCount       = uint8 ((storageWord >> SHIFT_SCHNORR_EXTRA_SHARD_COUNT)       & MASK_SCHNORR_EXTRA_SHARD_COUNT    );
     multisigKeyIndex = uint32( storageWord >> SHIFT_SCHNORR_EXTRA_MULTISIG_KEY_INDEX                                     );
+    // forge-lint: disable-end(unsafe-typecast)
   }
 
   function _getSchnorrShardDataExport(uint32 index) internal view returns (uint8 shardCount, bytes memory shardData) {

ts-pkgs/peer-client/Dockerfile

@@ -1,11 +1,19 @@
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get -y install git
+RUN mkdir --parents core-bridge/ts-pkgs/peer-client core-bridge/ts-pkgs/peer-lib
+COPY --link .yarn /core-bridge/.yarn
+COPY --link package.json yarn.lock .yarnrc.yml /core-bridge/
+COPY --link ts-pkgs/peer-client/package.json /core-bridge/ts-pkgs/peer-client/
+COPY --link ts-pkgs/peer-lib/package.json /core-bridge/ts-pkgs/peer-lib/
+WORKDIR /core-bridge
+RUN yarnpkg workspaces focus --all
 
-# TODO: Pin the commit
-RUN git clone -b feat/dkg-docker --depth 1 https://github.com/XLabs/core-bridge.git
+COPY --link ts-pkgs/config/ ts-pkgs/config/
+COPY --link ts-pkgs/peer-lib/tsconfig.json ts-pkgs/peer-lib/
+COPY --link ts-pkgs/peer-lib/src ts-pkgs/peer-lib/src
+COPY --link ts-pkgs/peer-client/tsconfig.json ts-pkgs/peer-client/
+COPY --link ts-pkgs/peer-client/src ts-pkgs/peer-client/src
 WORKDIR /core-bridge/ts-pkgs/peer-client
-RUN yarnpkg install --immutable
 RUN yarnpkg build
 
 ARG TLS_HOSTNAME

ts-pkgs/peer-client/Dockerfile.dockerignore

@@ -0,0 +1,37 @@
+src/
+data/
+.vscode/
+.vim/
+.github/
+cache/
+lib/
+out/
+tmp/
+verifiable-evm-build/
+
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions
+
+ts-pkgs/deploy
+ts-pkgs/peer-e2e
+ts-pkgs/tss-definitions
+ts-pkgs/peer-server
+
+**/ts-build
+
+.gitignore
+.gitmodules
+*.sublime-*
+*.awk
+foundry.toml
+guardian_key.txt
+Makefile
+README.md
+eslint.config.mjs
+
+*Dockerfile
+*dockerignore

ts-pkgs/peer-client/dkg/Dockerfile → ts-pkgs/peer-client/dkg.Dockerfile

@@ -1,16 +1,33 @@
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get -y install git golang jq
+RUN apt-get --quiet update && apt-get --quiet --no-install-recommends --yes install \
+  git \
+  golang \
+  jq \
+  ca-certificates \
+  && rm -rf /var/lib/apt/lists
 
 # TODO: Pin the commit
-RUN git clone -b feat/dkg-docker --depth 1 https://github.com/XLabs/core-bridge.git
 RUN git clone -b schnorr --depth 1 https://github.com/XLabs/wormhole.git
 
 WORKDIR /wormhole/node/pkg/tss/internal/cmd
 RUN go build -o=./server ./dkg
 
+WORKDIR /
+RUN mkdir --parents core-bridge/ts-pkgs/peer-client core-bridge/ts-pkgs/peer-lib
+COPY --link .yarn core-bridge/.yarn
+COPY --link package.json yarn.lock .yarnrc.yml core-bridge/
+COPY --link ts-pkgs/peer-client/package.json core-bridge/ts-pkgs/peer-client/
+COPY --link ts-pkgs/peer-lib/package.json core-bridge/ts-pkgs/peer-lib/
+WORKDIR /core-bridge
+RUN yarnpkg workspaces focus --all
+
+COPY --link ts-pkgs/config/ ts-pkgs/config/
+COPY --link ts-pkgs/peer-lib/tsconfig.json ts-pkgs/peer-lib/
+COPY --link ts-pkgs/peer-lib/src ts-pkgs/peer-lib/src
+COPY --link ts-pkgs/peer-client/tsconfig.json ts-pkgs/peer-client/
+COPY --link ts-pkgs/peer-client/src ts-pkgs/peer-client/src
 WORKDIR /core-bridge/ts-pkgs/peer-client
-RUN yarnpkg install --immutable
 RUN yarnpkg build
 
 COPY --chmod=555 <<EOT poll_guardians.sh

ts-pkgs/peer-client/dkg.Dockerfile.dockerignore

@@ -0,0 +1,37 @@
+src/
+data/
+.vscode/
+.vim/
+.github/
+cache/
+lib/
+out/
+tmp/
+verifiable-evm-build/
+
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions
+
+ts-pkgs/deploy
+ts-pkgs/peer-e2e
+ts-pkgs/tss-definitions
+ts-pkgs/peer-server
+
+**/ts-build
+
+.gitignore
+.gitmodules
+*.sublime-*
+*.awk
+foundry.toml
+guardian_key.txt
+Makefile
+README.md
+eslint.config.mjs
+
+*Dockerfile
+*dockerignore

ts-pkgs/peer-client/package.json

@@ -8,7 +8,8 @@
   "scripts": {
     "build": "tsc --build",
     "start:client": "tsx src/cli.ts",
-    "dev:client": "tsx --watch src/cli.ts"
+    "dev:client": "tsx --watch src/cli.ts",
+    "docker:build:tls-gen": "./scripts/build-tls-gen.sh"
   },
   "dependencies": {
     "@xlabs-xyz/peer-lib": "workspace:*",

ts-pkgs/peer-client/scripts/build-tls-gen.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+ctx=$(mktemp --directory)
+docker build --tag tls-gen --file ./tls.Dockerfile --progress=plain "$ctx"
+rm -rf "$ctx"

ts-pkgs/peer-client/tls/Dockerfile → ts-pkgs/peer-client/tls.Dockerfile

@@ -1,9 +1,11 @@
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get -y install openssl
+RUN apt-get --quiet update && apt-get --quiet --no-install-recommends --yes install \
+  openssl \
+  && rm -rf /var/lib/apt/lists
 
 # Generate the TLS key and certificate
-COPY --chmod=555 <<EOT generate_tls_key.sh
+COPY --chmod=555 <<EOT /generate_tls_key.sh
 #!/bin/bash
 set -euo pipefail
 
@@ -24,4 +26,4 @@ openssl req -x509 -key /keys/key.pem -out /keys/cert.pem -days 365 \\
   -addext "extendedKeyUsage=serverAuth,clientAuth"
 EOT
 
-ENTRYPOINT ["./generate_tls_key.sh"]
+ENTRYPOINT ["/generate_tls_key.sh"]

ts-pkgs/peer-e2e/tests/e2e/anvil/Dockerfile

@@ -1,17 +1,18 @@
-FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:7ec8952cc5322dce65091768e9efab8641ea9b54105f21fd71d4ae3dc3da05a8 as foundry
+FROM ghcr.io/foundry-rs/foundry:v1.5.1@sha256:3a70bfa9bd2c732a767bb60d12c8770b40e8f9b6cca28efc4b12b1be81c7f28e AS foundry
 FROM node:22.21-trixie-slim@sha256:1ddaeddded05b2edeaf35fac720a18019e1044a6791509c8670c53c2308301bb
 
-RUN apt-get update && apt-get -y install git make
+RUN apt-get --quiet update && apt-get --quiet --no-install-recommends --yes install git make ca-certificates
 
 COPY --from=foundry /usr/local/bin/anvil /usr/local/bin/forge /usr/local/bin/cast /bin/
 
-# TODO: Pin the commit
-RUN git clone -b feat/dkg-docker --depth 1 https://github.com/XLabs/core-bridge.git
+RUN mkdir --parents /core-bridge/src
+COPY --link foundry.toml Makefile /core-bridge/
+COPY --link src/evm /core-bridge/src/evm
+COPY --link test /core-bridge/test
+COPY --link ts-pkgs/peer-e2e/tests/e2e/anvil/localAnvilWithVerifier.sh /core-bridge/
 
 WORKDIR /core-bridge
 
 RUN make build-evm
 
-WORKDIR /core-bridge/ts-pkgs/peer-e2e/tests/e2e/anvil/
-
 ENTRYPOINT ["./localAnvilWithVerifier.sh"]