Merge branch 'next'

Author: GTC6244

.github/workflows/deploy-staging.yml

@@ -175,6 +175,7 @@ jobs:
           DEPLOY_PATHS=(
             lit-actions/
             lit-api-server/
+            lit-billing-core/
             lit-core/
             otel-collector/
             Dockerfile.lit-actions

.github/workflows/k6-client-check.yml

@@ -45,7 +45,7 @@ jobs:
 
       - name: Generate OpenAPI spec from sources
         working-directory: lit-api-server
-        run: cargo run --bin openapi_spec > "${{ runner.temp }}/openapi-from-source.json"
+        run: cargo run --locked --bin openapi_spec > "${{ runner.temp }}/openapi-from-source.json"
 
       - name: Generate k6 client from spec
         run: |

.github/workflows/manual_contract-upgrade-prod-1-propose.yml

@@ -69,7 +69,7 @@ jobs:
 
       - name: Build contract deployer
         working-directory: lit-api-server/blockchain/rust_generator_and_deployer
-        run: cargo build --bin contract_deployer
+        run: cargo build --locked --bin contract_deployer
 
       - name: Deploy facets and generate proposal
         working-directory: lit-api-server/blockchain/lit_node_express

.github/workflows/manual_contract-upgrade.yml

@@ -74,7 +74,7 @@ jobs:
 
       - name: Build contract deployer
         working-directory: lit-api-server/blockchain/rust_generator_and_deployer
-        run: cargo build --bin contract_deployer
+        run: cargo build --locked --bin contract_deployer
 
       - name: Upgrade diamond facets
         working-directory: lit-api-server/blockchain/lit_node_express

.github/workflows/manual_phala-envs-update-prod.yml

@@ -1,104 +0,0 @@
-# Push sealed environment variables to a specific Phala CVM and start it (PROD).
-#
-# Prod-flavored sibling of manual_phala-envs-update.yml. Used during CVM
-# migrations (e.g. prod6 → prod2) to bootstrap a freshly-provisioned chipotle-prod
-# replica with the same live env vars CI would normally push during the
-# tag-triggered deploy-prod-* flow.
-#
-# Differences from the next/staging variant:
-#   - Stripe LIVE keys (STRIPE_SECRET_KEY / STRIPE_PUBLISHABLE_KEY), not sandbox
-#   - Defaults: CERTBOT_DOMAIN=api.chipotle.litprotocol.com, GCP_PROJECT_ID=chipotle-prod
-#
-# Env block mirrors deploy-prod-1-propose.yml:341-372 (encryptEnvVars step).
-#
-# Required secrets:
-#   PHALA_CLOUD_API_KEY            - Phala Cloud API key
-#   PHALA_DSTACKAPP_PRIVATE_KEY    - DstackApp owner key (unused for prod Safe-owned app,
-#                                     kept for parity with `phala envs update` CLI args)
-#   BASE_CHAIN_RPC                 - Base mainnet RPC URL
-#   GCP_SERVICE_ACCOUNT_JSON       - GCP service account key
-#   STRIPE_SECRET_KEY              - Stripe LIVE secret key
-#   STRIPE_PUBLISHABLE_KEY         - Stripe LIVE publishable key
-#   CERTBOT_AWS_ACCESS_KEY_ID      - Route 53 IAM access key
-#   CERTBOT_AWS_SECRET_ACCESS_KEY  - Route 53 IAM secret key
-#   CERTBOT_AWS_ROLE_ARN           - IAM role ARN for STS assumption
-#
-# Required vars:
-#   CERTBOT_AWS_REGION             - AWS region for STS endpoint
-
-name: Phala Envs Update + Start (Prod, manual)
-
-permissions:
-  contents: read
-
-on:
-  workflow_dispatch:
-    inputs:
-      cvm_id:
-        description: "Target CVM (UUID, app_id, instance_id, or name) — e.g. cvm_qwrMBqKl"
-        required: true
-        type: string
-      certbot_domain:
-        description: "CERTBOT_DOMAIN for dstack-ingress. Leave blank to skip ingress cert acquisition."
-        required: false
-        type: string
-        default: "api.chipotle.litprotocol.com"
-      gcp_project_id:
-        description: "GCP_PROJECT_ID for otel-collector"
-        required: false
-        type: string
-        default: "chipotle-prod"
-      start:
-        description: "Start the CVM after pushing envs"
-        required: false
-        type: boolean
-        default: true
-
-jobs:
-  envs-update:
-    runs-on: self-hosted
-    steps:
-      - uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-
-      - name: Install Phala CLI
-        run: npm install -g phala
-
-      - name: Push sealed envs to CVM
-        env:
-          PHALA_CLOUD_API_KEY: ${{ secrets.PHALA_CLOUD_API_KEY }}
-          PRIVATE_KEY: ${{ secrets.PHALA_DSTACKAPP_PRIVATE_KEY }}
-          ETH_RPC_URL: ${{ secrets.BASE_CHAIN_RPC }}
-          BASE_CHAIN_RPC: ${{ secrets.BASE_CHAIN_RPC }}
-          STRIPE_SECRET_KEY: ${{ secrets.STRIPE_SECRET_KEY }}
-          STRIPE_PUBLISHABLE_KEY: ${{ secrets.STRIPE_PUBLISHABLE_KEY }}
-          GCP_SERVICE_ACCOUNT_JSON: ${{ secrets.GCP_SERVICE_ACCOUNT_JSON }}
-          CERTBOT_AWS_ACCESS_KEY_ID: ${{ secrets.CERTBOT_AWS_ACCESS_KEY_ID }}
-          CERTBOT_AWS_SECRET_ACCESS_KEY: ${{ secrets.CERTBOT_AWS_SECRET_ACCESS_KEY }}
-          CERTBOT_AWS_ROLE_ARN: ${{ secrets.CERTBOT_AWS_ROLE_ARN }}
-        run: |
-          phala envs update "${{ inputs.cvm_id }}" \
-            -e "STRIPE_SECRET_KEY=$STRIPE_SECRET_KEY" \
-            -e "STRIPE_PUBLISHABLE_KEY=$STRIPE_PUBLISHABLE_KEY" \
-            -e "GCP_SERVICE_ACCOUNT_JSON=$GCP_SERVICE_ACCOUNT_JSON" \
-            -e "GCP_PROJECT_ID=${{ inputs.gcp_project_id }}" \
-            -e "BASE_CHAIN_RPC=$BASE_CHAIN_RPC" \
-            -e "CERTBOT_DOMAIN=${{ inputs.certbot_domain }}" \
-            -e "CERTBOT_AWS_ACCESS_KEY_ID=$CERTBOT_AWS_ACCESS_KEY_ID" \
-            -e "CERTBOT_AWS_SECRET_ACCESS_KEY=$CERTBOT_AWS_SECRET_ACCESS_KEY" \
-            -e "CERTBOT_AWS_ROLE_ARN=$CERTBOT_AWS_ROLE_ARN" \
-            -e "CERTBOT_AWS_REGION=${{ vars.CERTBOT_AWS_REGION }}"
-
-      - name: Start CVM
-        if: inputs.start
-        env:
-          PHALA_CLOUD_API_KEY: ${{ secrets.PHALA_CLOUD_API_KEY }}
-        run: |
-          phala cvms start "${{ inputs.cvm_id }}"
-
-      - name: Show CVM status
-        env:
-          PHALA_CLOUD_API_KEY: ${{ secrets.PHALA_CLOUD_API_KEY }}
-        run: |
-          phala cvms get "${{ inputs.cvm_id }}"

.github/workflows/phala-simulator.yml

@@ -149,7 +149,7 @@ jobs:
           }
 
           # Run the Rust unit tests against the simulator socket.
-          (cd lit-api-server && DSTACK_SOCKET="$SIM_SOCK" cargo test --features dstack -- dstack::v1::dstack::tests --nocapture)
+          (cd lit-api-server && DSTACK_SOCKET="$SIM_SOCK" cargo test --locked --features dstack -- dstack::v1::dstack::tests --nocapture)
           STATUS=$?
 
           # Teardown.
@@ -159,7 +159,7 @@ jobs:
           exit "$STATUS"
 
       - name: Build lit-api-server
-        run: cargo build --manifest-path=lit-api-server/Cargo.toml --features dstack --bin lit-api-server
+        run: cargo build --locked --manifest-path=lit-api-server/Cargo.toml --features dstack --bin lit-api-server
 
       # ── 3. dstack-verifier end-to-end attestation pipeline ─────────────────
       # Start simulator, start lit-api-server (attestation-only; fetches from simulator),

.github/workflows/rust-ci.yml

@@ -29,6 +29,7 @@ jobs:
           - lit-core
           - lit-api-server
           - lit-api-server/blockchain/rust_generator_and_deployer
+          - lit-billing-core
 
     steps:
       - uses: actions/checkout@v4
@@ -74,12 +75,29 @@ jobs:
 
       - name: clippy
         working-directory: ${{ matrix.crate }}
-        run: cargo clippy --all-features -- -D warnings
+        run: cargo clippy --locked --all-features -- -D warnings
 
       - name: build
         working-directory: ${{ matrix.crate }}
-        run: cargo build --all-features
+        run: cargo build --locked --all-features
 
       - name: test
         working-directory: ${{ matrix.crate }}
-        run: cargo test --all-features
+        run: cargo test --locked --all-features
+
+      # Supply-chain check: cargo-deny covers the RustSec advisory DB (same
+      # source as cargo-audit) plus a git-source allowlist. Installed once per
+      # matrix job via taiki-e/install-action, which uses prebuilt binaries.
+      # The pre-existing advisory backlog lives in deny.toml's [advisories.ignore]
+      # block; new RUSTSEC IDs fail CI by default.
+      - uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-deny
+
+      - name: deny
+        working-directory: ${{ matrix.crate }}
+        # -W advisory-not-detected / unmatched-source: the deny.toml ignore +
+        # allow-git lists are the union across all four workspaces, so each
+        # individual workspace sees entries that don't apply — downgrade those
+        # lints to warnings so they don't fail the build.
+        run: cargo deny check --config ${{ github.workspace }}/deny.toml -W advisory-not-detected -W unmatched-source advisories sources

.github/workflows/wait-for-api-restart.yml

@@ -118,15 +118,24 @@ jobs:
           # The API's commit_version is produced by git_version!() which runs
           # git describe --always at compile time. Reproduce the same output
           # here so we can compare directly.
+          #
+          # Note: git describe abbreviates the SHA using core.abbrev=auto
+          # (default since Git 2.11), which picks length based on the local
+          # repo's object count. The builder container and this runner can
+          # differ by a character (e.g. g615bf66 vs g615bf664), so we accept
+          # any pair where one side is a prefix of the other — the shorter
+          # SHA is always a prefix of the longer one.
           EXPECTED_VERSION=$(git describe --always "${{ inputs.expected_sha }}")
 
           echo "Polling $VERSION_URL for commit_version == $EXPECTED_VERSION (timeout: ${TIMEOUT}s)..."
           deadline=$(( $(date +%s) + TIMEOUT ))
 
           while true; do
             CURRENT_VERSION=$(curl -sf "$VERSION_URL" 2>/dev/null | jq -r '.commit_version // empty' 2>/dev/null || true)
-            if [ "$CURRENT_VERSION" = "$EXPECTED_VERSION" ]; then
-              echo "Version matched: $CURRENT_VERSION"
+            case "$EXPECTED_VERSION" in "$CURRENT_VERSION"*) PREFIX_MATCH=1 ;; *) PREFIX_MATCH=0 ;; esac
+            case "$CURRENT_VERSION" in "$EXPECTED_VERSION"*) REVERSE_MATCH=1 ;; *) REVERSE_MATCH=0 ;; esac
+            if [ -n "$CURRENT_VERSION" ] && { [ "$PREFIX_MATCH" = 1 ] || [ "$REVERSE_MATCH" = 1 ]; }; then
+              echo "Version matched: $CURRENT_VERSION (expected: $EXPECTED_VERSION)"
               break
             fi
             if [ "$(date +%s)" -ge "$deadline" ]; then

deny.toml

@@ -0,0 +1,91 @@
+# cargo-deny configuration.
+#
+# Scope: advisory + source-allowlist checks only. License and ban checks are
+# intentionally not enabled here so this config does not block builds on
+# unrelated policy decisions — tighten later if/when we want that coverage.
+#
+# Run locally:    cargo deny check --config <repo-root>/deny.toml advisories sources
+# CI invocation:  see .github/workflows/rust-ci.yml
+
+[graph]
+all-features = true
+
+[advisories]
+# RustSec advisory database. Vulnerabilities still fail the build by default;
+# yanked crates warn (the lockfile can lag a yank by hours).
+db-urls = ["https://github.com/rustsec/advisory-db"]
+yanked = "warn"
+
+# Pre-existing advisory backlog captured on 2026-05-19 across all four cargo
+# workspaces (lit-actions, lit-core, lit-api-server, rust_generator_and_deployer).
+# Every entry here should be triaged and either resolved (cargo update / dep
+# bump) or kept with explicit justification. Advisories published AFTER this
+# snapshot will NOT be in this list, so they will fail CI — that is the point.
+#
+# History:
+# - 2026-05-19: initial snapshot, 34 advisories.
+# - 2026-05-19: lockfile bumps via `cargo update -p` cleared RUSTSEC-2026-{0007,
+#   0037,0067,0068} (bytes / quinn-proto / tar / tar) across all workspaces,
+#   and RUSTSEC-2026-0009 (time) in lit-core and lit-api-server. Picked up
+#   RUSTSEC-2024-0388 (derivative unmaintained, transitive via ark-ff). The
+#   time bump in lit-actions had to be reverted because `time --precise 0.3.47`
+#   cascaded serde to 1.0.228, which broke compilation of `swc_config 0.1.15`
+#   and `swc_common 0.37.5` (transitives via deno_ast → deno_runtime — they
+#   re-export the removed `serde::__private` module). Real fix is bumping
+#   deno_runtime; until then time stays at 0.3.44 in lit-actions and
+#   RUSTSEC-2026-0009 stays in the ignore list. Net: 31 active.
+#
+# Suggested triage order: vulnerabilities > unsound > unmaintained.
+ignore = [
+    # ── vulnerabilities ───────────────────────────────────────────────────────
+    { id = "RUSTSEC-2023-0071", reason = "Marvin Attack timing sidechannel in rsa — transitive via ethers; no upstream fix" },
+    { id = "RUSTSEC-2025-0009", reason = "AES panic on overflow check — transitive; pre-existing" },
+    { id = "RUSTSEC-2026-0009", reason = "time DoS via stack exhaustion — still present in lit-actions (time 0.3.47 cascades serde 1.0.228 which breaks swc_config/swc_common from deno chain); cleared in lit-core and lit-api-server" },
+    { id = "RUSTSEC-2026-0049", reason = "rustls-webpki CRL distribution-point matching — pinned by rustls 0.21 via ethers chain" },
+    { id = "RUSTSEC-2026-0098", reason = "rustls-webpki URI name constraints — pinned by rustls 0.21 via ethers chain" },
+    { id = "RUSTSEC-2026-0099", reason = "rustls-webpki wildcard name constraints — pinned by rustls 0.21 via ethers chain" },
+    { id = "RUSTSEC-2026-0104", reason = "rustls-webpki CRL parsing panic — pinned by rustls 0.21 via ethers chain" },
+    { id = "RUSTSEC-2026-0118", reason = "hickory NSEC3 unbounded loop — no upstream fix yet" },
+    { id = "RUSTSEC-2026-0119", reason = "hickory DNS O(n^2) name compression — pinned by deno_runtime chain" },
+
+    # ── unsound ───────────────────────────────────────────────────────────────
+    { id = "RUSTSEC-2019-0036", reason = "failure type confusion — transitive; pre-existing" },
+    { id = "RUSTSEC-2021-0145", reason = "atty unaligned read — transitive; pre-existing" },
+    { id = "RUSTSEC-2026-0012", reason = "keccak ARMv8 asm backend — only triggers with opt-in feature; pre-existing" },
+    { id = "RUSTSEC-2026-0097", reason = "rand custom logger unsound — pre-existing" },
+
+    # ── unmaintained ──────────────────────────────────────────────────────────
+    { id = "RUSTSEC-2020-0036", reason = "failure deprecated — transitive; pre-existing" },
+    { id = "RUSTSEC-2024-0370", reason = "proc-macro-error unmaintained — pre-existing" },
+    { id = "RUSTSEC-2024-0375", reason = "atty unmaintained — pre-existing" },
+    { id = "RUSTSEC-2024-0384", reason = "instant unmaintained — pre-existing" },
+    { id = "RUSTSEC-2024-0388", reason = "derivative unmaintained — transitive via ark-ff; surfaced after bytes/quinn/tar bumps refreshed the lockfile" },
+    { id = "RUSTSEC-2024-0436", reason = "paste unmaintained — pre-existing" },
+    { id = "RUSTSEC-2025-0010", reason = "ring <0.17 unmaintained — pre-existing" },
+    { id = "RUSTSEC-2025-0052", reason = "async-std discontinued — pre-existing" },
+    { id = "RUSTSEC-2025-0056", reason = "adler unmaintained, use adler2 — pre-existing" },
+    { id = "RUSTSEC-2025-0057", reason = "fxhash unmaintained — pre-existing" },
+    { id = "RUSTSEC-2025-0075", reason = "unic-char-range unmaintained — pre-existing" },
+    { id = "RUSTSEC-2025-0080", reason = "unic-common unmaintained — pre-existing" },
+    { id = "RUSTSEC-2025-0081", reason = "unic-char-property unmaintained — pre-existing" },
+    { id = "RUSTSEC-2025-0098", reason = "unic-ucd-version unmaintained — pre-existing" },
+    { id = "RUSTSEC-2025-0100", reason = "unic-ucd-ident unmaintained — pre-existing" },
+    { id = "RUSTSEC-2025-0134", reason = "rustls-pemfile unmaintained — pre-existing" },
+    { id = "RUSTSEC-2025-0141", reason = "bincode unmaintained — pre-existing" },
+    { id = "RUSTSEC-2026-0105", reason = "core2 unmaintained, all versions yanked — pre-existing" },
+]
+
+[sources]
+# Block any non-crates.io registry and any git dep not on the explicit allow
+# list below. New git deps must be added here, which forces a review.
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = [
+    "https://github.com/LIT-Protocol/bulletproofs",
+    "https://github.com/Lit-Protocol/deno_core",
+    "https://github.com/LIT-Protocol/env_logger",
+    "https://github.com/LIT-Protocol/rust-ipfs-api",
+    "https://github.com/LIT-Protocol/zerossl",
+    "https://github.com/integer32llc/libffi-rs",
+]

docs/docs.json

@@ -93,7 +93,8 @@
   "footer": {
     "socials": {
       "x": "https://twitter.com/litprotocol",
-      "discord": "https://litgateway.com/discord"
+      "discord": "https://litgateway.com/discord",
+      "github": "https://github.com/LIT-Protocol/chipotle"
     }
   }
 }