Feat/retrieve OFAC trees from api

[remicolin]

Summary by CodeRabbit

• New Features

  • Added support for fetching and storing OFAC-related data in the protocol store for both passport and ID card sections, enabling dynamic retrieval of sanction lists for identity verification.
  • Introduced a script to update OFAC root hashes in Ethereum-based identity registries.
  • Added a utility to fetch OFAC data trees from remote endpoints based on environment and document type.

• Bug Fixes

  • Updated logic and comments to generalize document nullification checks, replacing passport-specific checks with document-wide checks.

• Refactor

  • Centralized OFAC data sourcing to runtime state, removing reliance on static JSON imports.
  • Updated function and variable names for improved clarity and generalization.

• Chores

  • Removed unused scripts, data files, and documentation related to OFAC data processing.
  • Updated test data import paths to use local fixtures.
  • Adjusted package configuration and deployment scripts for improved maintainability.
  • Updated .gitignore to exclude .yarnrc.yml file.

[coderabbitai]

Walkthrough

This update refactors OFAC (Office of Foreign Assets Control) sanction list handling across the stack. It removes static OFAC data and processing scripts from the repository, shifts SMT (Sparse Merkle Tree) data sourcing to runtime store fetches, generalizes nullification checks for multiple document types, and introduces a new script for updating OFAC roots in registry contracts. Test and deployment scripts are updated accordingly.

Changes

File(s) / Path(s)	Change Summary
.gitignore	Added .yarnrc.yml to ignore list.
app/src/screens/misc/SplashScreen.tsx app/src/utils/proving/provingMachine.ts	Updated comments and imports to use isDocumentNullified instead of isPassportNullified.
app/src/stores/protocolStore.ts	Added runtime fetching and state management for OFAC SMTs for both passport and ID card; extended fetch methods and error handling.
app/src/utils/ofac.ts	Added utility to fetch OFAC SMT data remotely for passport and ID card variants with error handling.
app/src/utils/proving/provingInputs.ts	Removed static SMT imports and helper; now sources SMTs dynamically from store; error if SMTs missing.
app/src/utils/proving/validateDocument.ts	Renamed and generalized nullification check to isDocumentNullified; switched to new API endpoint and attestation logic.
circuits/tests/disclose/vc_and_disclose.test.ts circuits/tests/disclose/vc_and_disclose_id.test.ts circuits/tests/ofac/ofac.test.ts	Changed SMT JSON imports from package to local relative paths.
common/ofacdata/ReadMe.md common/ofacdata/inputs/eth_addresses.json common/ofacdata/original/dataspec.txt common/ofacdata/scripts/ofac.ipynb	Removed OFAC data documentation, processing scripts, and static data files.
common/package.json	Bumped version to 0.0.6; removed OFAC SMT JSONs from exports.
contracts/ignition/deployments/staging/deployed_addresses.json	Renamed "IdentityRegistryIdCard" key to "IdentityRegistry" for ID card registry.
contracts/ignition/modules/scripts/updateRegistryOfacRoot.ts	Deleted Ignition deployment module for updating OFAC roots.
contracts/package.json	Changed update:ofacroot script to run new TypeScript script directly, defaulting to "alfajores" network.
contracts/scripts/updateRegistryOfacRoot.ts	Added a new script to update OFAC roots in passport and ID card registries, with improved logging and error handling.
contracts/test/utils/generateProof.ts	Added ID card variant SMTs to test utility return object.

Sequence Diagram(s)

sequenceDiagram
    participant App
    participant ProtocolStore
    participant OFAC_API
    participant RegistryContract

    App->>ProtocolStore: fetch_all(environment, ski)
    ProtocolStore->>OFAC_API: fetch_ofac_trees(environment)
    OFAC_API-->>ProtocolStore: Return OFAC SMTs
    ProtocolStore-->>App: Store OFAC SMTs in state
    App->>ProtocolStore: Retrieve OFAC SMTs for proving
    App->>RegistryContract: isDocumentNullified(passportData)
    RegistryContract-->>App: Nullification status

Loading

sequenceDiagram
    participant Script
    participant Blockchain
    participant PassportRegistry
    participant IdCardRegistry

    Script->>Blockchain: Connect via RPC/PrivateKey
    Script->>PassportRegistry: updateOfacRoot(rootType, newRoot)
    PassportRegistry-->>Script: Transaction receipt
    Script->>IdCardRegistry: updateOfacRoot(rootType, newRoot)
    IdCardRegistry-->>Script: Transaction receipt
    Script-->>Script: Log success/failure

Loading

Possibly related PRs

• App/eu id updates #638: Refactored proving logic and SMT data sourcing for multi-document support, closely related to this PR's runtime SMT handling and nullification checks.
• update the smart contracts scripts #684: Updated deployed contract address keys and registry update scripts, directly intersecting with this PR's registry script and deployment key changes.

Poem

OFAC roots now fetched on the fly,
Old scripts and static files say goodbye.
Registries updated, contracts anew,
Nullifiers check more than just a few.
SMTs at runtime, tests in the clear—
Sanctions compliance, smarter this year!
🚀✨

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 14

🧹 Nitpick comments (5)

.gitignore (1)

12-12: Consider ignoring Yarn PnP artifacts as well

Good call adding .yarnrc.yml.
If the team ever switches Yarn to Plug-n-Play resolution (quite common with Yarn ≥2), the repo will also generate .pnp.cjs / .pnp.mjs files at the project root. They’re machine-generated and should stay untracked.

Suggested follow-up diff:

 .yarnrc.yml
+.pnp.*

common/src/constants/constants.ts (1)

570-586: Reduce duplication when declaring new OFAC URLs

Six nearly-identical lines hard-code prod/staging variants.
Consider a helper to avoid drift:

-export const OFAC_PASSPORT_NO_NATIONALITY_SMT_URL = `${TREE_URL}/ofac/passport-no-nationality`;
-export const OFAC_PASSPORT_NO_NATIONALITY_SMT_URL_STAGING = `${TREE_URL_STAGING}/ofac/passport-no-nationality`;
+# const builder
+const ofacUrl = (suffix: string, staging = false) =>
+  `${staging ? TREE_URL_STAGING : TREE_URL}/ofac/${suffix}`;
+
+export const OFAC_PASSPORT_NO_NATIONALITY_SMT_URL          = ofacUrl('passport-no-nationality');
+export const OFAC_PASSPORT_NO_NATIONALITY_SMT_URL_STAGING  = ofacUrl('passport-no-nationality', true);

This trims repetition, keeps prod/staging in sync, and eases future additions.

app/src/utils/proving/validateDocument.ts (1)

148-154: Fix formatting issues flagged by linter

The static analysis tool flagged several formatting issues with indentation and spacing that should be addressed for consistency.

-  const response = await fetch(`${baseUrl}/is-nullifier-onchain-with-attestation-id`, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-    },
-    body: JSON.stringify({ nullifier: nullifierHex , attestation_id: attestationId}),
-  });
+  const response = await fetch(
+    `${baseUrl}/is-nullifier-onchain-with-attestation-id`,
+    {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({ nullifier: nullifierHex, attestation_id: attestationId }),
+    },
+  );

app/src/utils/proving/provingInputs.ts (1)

77-90: Consider performance implications of runtime SMT initialization

Creating and importing SMTs on every function call could be expensive. Consider caching initialized SMTs or moving initialization to a higher level.

// Consider adding memoization or caching at the store level
const getInitializedOfacTrees = useMemo(() => {
  if (!ofac_trees) return null;
  
  const trees = {
    nameAndDob: new SMT(poseidon2, true),
    nameAndYob: new SMT(poseidon2, true),
    passportNoAndNationality: document === 'passport' ? new SMT(poseidon2, true) : null,
  };
  
  trees.nameAndDob.import(ofac_trees.nameAndDob);
  trees.nameAndYob.import(ofac_trees.nameAndYob);
  if (trees.passportNoAndNationality && ofac_trees.passportNoAndNationality) {
    trees.passportNoAndNationality.import(ofac_trees.passportNoAndNationality);
  }
  
  return trees;
}, [ofac_trees, document]);

app/src/stores/protocolStore.ts (1)

229-236: Add timeout and retry logic for network requests

The fetch operations lack timeout protection and retry logic, which could lead to hanging requests in poor network conditions.

const fetchTree = async (url: string, retries = 3, timeout = 10000) => {
  const fetchWithTimeout = async (fetchUrl: string, options: RequestInit = {}) => {
    const controller = new AbortController();
    const timeoutId = setTimeout(() => controller.abort(), timeout);
    
    try {
      const response = await fetch(fetchUrl, {
        ...options,
        signal: controller.signal,
      });
      clearTimeout(timeoutId);
      return response;
    } catch (error) {
      clearTimeout(timeoutId);
      throw error;
    }
  };

  for (let i = 0; i < retries; i++) {
    try {
      const res = await fetchWithTimeout(url);
      if (!res.ok) {
        throw new Error(`HTTP error fetching ${url}! status: ${res.status}`);
      }
      const responseData = await res.json();
      if (responseData.status !== 'success' || !responseData.data) {
        throw new Error(
          `Failed to fetch tree from ${url}: ${
            responseData.message || 'Invalid response format'
          }`,
        );
      }
      return responseData.data;
    } catch (error) {
      if (i === retries - 1) throw error;
      await new Promise(resolve => setTimeout(resolve, 1000 * (i + 1)));
    }
  }
};

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2494a43 and b7d1c6c.

⛔ Files ignored due to path filters (4)

• app/ios/Podfile.lock is excluded by !**/*.lock
• common/ofacdata/original/add.csv is excluded by !**/*.csv
• common/ofacdata/original/sdn.csv is excluded by !**/*.csv
• common/ofacdata/scripts/cleaned_sdn.csv is excluded by !**/*.csv

📒 Files selected for processing (20)

• .gitignore (1 hunks)
• app/src/screens/misc/SplashScreen.tsx (1 hunks)
• app/src/stores/protocolStore.ts (9 hunks)
• app/src/utils/proving/provingInputs.ts (2 hunks)
• app/src/utils/proving/provingMachine.ts (2 hunks)
• app/src/utils/proving/validateDocument.ts (2 hunks)
• circuits/tests/disclose/vc_and_disclose.test.ts (1 hunks)
• circuits/tests/disclose/vc_and_disclose_id.test.ts (1 hunks)
• circuits/tests/ofac/ofac.test.ts (1 hunks)
• common/ofacdata/ReadMe.md (0 hunks)
• common/ofacdata/inputs/eth_addresses.json (0 hunks)
• common/ofacdata/original/dataspec.txt (0 hunks)
• common/ofacdata/scripts/ofac.ipynb (0 hunks)
• common/package.json (1 hunks)
• common/src/constants/constants.ts (1 hunks)
• contracts/ignition/deployments/staging/deployed_addresses.json (1 hunks)
• contracts/ignition/modules/scripts/updateRegistryOfacRoot.ts (0 hunks)
• contracts/package.json (1 hunks)
• contracts/scripts/updateRegistryOfacRoot.ts (1 hunks)
• contracts/test/utils/generateProof.ts (1 hunks)

💤 Files with no reviewable changes (5)

• common/ofacdata/inputs/eth_addresses.json
• contracts/ignition/modules/scripts/updateRegistryOfacRoot.ts
• common/ofacdata/ReadMe.md
• common/ofacdata/original/dataspec.txt
• common/ofacdata/scripts/ofac.ipynb

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{test,spec}.{ts,js,tsx,jsx}

Instructions used from:

Sources:
⚙️ CodeRabbit Configuration File

app/src/**/*.{ts,tsx,js,jsx}

Instructions used from:

Sources:
⚙️ CodeRabbit Configuration File

🧬 Code Graph Analysis (5)

app/src/utils/proving/provingMachine.ts (1)

app/src/utils/proving/validateDocument.ts (1)

• isDocumentNullified (138-158)

app/src/utils/proving/provingInputs.ts (1)

app/src/stores/protocolStore.ts (1)

• useProtocolStore (76-457)

app/src/utils/proving/validateDocument.ts (3)

common/index.ts (2)

• PassportData (36-36)
• generateNullifier (56-56)

common/src/utils/types.ts (1)

• PassportData (4-19)

common/src/constants/constants.ts (2)

• API_URL (11-11)
• API_URL_STAGING (14-14)

app/src/stores/protocolStore.ts (1)

common/src/constants/constants.ts (2)

• TREE_URL (12-12)
• TREE_URL_STAGING (13-13)

contracts/scripts/updateRegistryOfacRoot.ts (2)

common/src/constants/constants.ts (1)

• RPC_URL (32-32)

contracts/scripts/constants.ts (5)

• getSavedRepo (35-38)
• getDeployedAddresses (40-43)
• log (68-74)
• getContractAbi (44-47)
• getContractAddress (49-54)

🪛 GitHub Check: lint

app/src/utils/proving/validateDocument.ts

[warning] 152-152:
Insert ··

---

[warning] 151-151:
Insert ··

---

[warning] 150-150:
Insert ··

---

[warning] 149-149:
Replace ···· with ······

---

[warning] 148-148:
Replace ``${baseUrl}/is-nullifier-onchain-with-attestation-id, with `⏎····`${baseUrl}/is-nullifier-onchain-with-attestation-id`,⏎···`

---

[warning] 146-146:
Delete ⏎···

app/src/stores/protocolStore.ts

[failure] 27-27:
'OFAC_NAME_AND_YOB_SMT_URL_STAGING_ID' is defined but never used

---

[failure] 26-26:
'OFAC_NAME_AND_YOB_SMT_URL_ID' is defined but never used

---

[failure] 25-25:
'OFAC_NAME_AND_DOB_SMT_URL_STAGING_ID' is defined but never used

---

[failure] 24-24:
'OFAC_NAME_AND_DOB_SMT_URL_ID' is defined but never used

---

[failure] 23-23:
'OFAC_NAME_AND_YOB_SMT_URL_STAGING' is defined but never used

---

[failure] 22-22:
'OFAC_NAME_AND_YOB_SMT_URL' is defined but never used

---

[failure] 21-21:
'OFAC_NAME_AND_DOB_SMT_URL_STAGING' is defined but never used

---

[failure] 20-20:
'OFAC_NAME_AND_DOB_SMT_URL' is defined but never used

---

[failure] 19-19:
'OFAC_PASSPORT_NO_NATIONALITY_SMT_URL_STAGING' is defined but never used

---

[failure] 18-18:
'OFAC_PASSPORT_NO_NATIONALITY_SMT_URL' is defined but never used

---

[warning] 41-41:
Replace ·passportNoAndNationality:·any;·nameAndDob:·any;·nameAndYob:·any; with ⏎······passportNoAndNationality:·any;⏎······nameAndDob:·any;⏎······nameAndYob:·any;⏎···

---

[warning] 61-61:
Replace ·passportNoAndNationality:·any;·nameAndDob:·any;·nameAndYob:·any; with ⏎······passportNoAndNationality:·any;⏎······nameAndDob:·any;⏎······nameAndYob:·any;⏎···

🪛 GitHub Actions: App CI

app/src/stores/protocolStore.ts

[warning] 3-3: ESLint warning: Run autofix to sort these imports! (simple-import-sort/imports)

---

[error] 18-18: ESLint error: 'OFAC_PASSPORT_NO_NATIONALITY_SMT_URL' is defined but never used (@typescript-eslint/no-unused-vars)

🔇 Additional comments (9)

app/src/screens/misc/SplashScreen.tsx (1)

95-99: Comment wording looks good

Only a comment change; no action required.

circuits/tests/disclose/vc_and_disclose_id.test.ts (1)

14-15: Relative JSON paths LGTM – double-check test runner cwd

Switching to ../consts/ofac/... is fine, just ensure ts-mocha is invoked from circuits/tests (default) so the paths resolve on CI.

contracts/ignition/deployments/staging/deployed_addresses.json (1)

8-8: Two IdentityRegistry keys may be ambiguous

Now we have
• DeployRegistryModule#IdentityRegistry (passport)
• DeployIdCardRegistryModule#IdentityRegistry (ID card)

If tooling parses on the suffix #IdentityRegistry, the second entry may shadow the first. Verify downstream scripts (e.g. updateRegistryOfacRoot.ts) explicitly look up the full key string.

circuits/tests/disclose/vc_and_disclose.test.ts (1)

9-11: Import path migration looks good and aligns with the broader OFAC data handling refactor.

The change from package-scoped imports to relative local paths is consistent with the migration from static JSON files to dynamic API fetching described in the PR objectives. The modern ES module syntax with { type: 'json' } is correctly used for JSON imports.

contracts/test/utils/generateProof.ts (2)

435-436: ID card SMT imports follow consistent patterns.

The addition of ID card-specific SMTs (nameAndDobSMT_ID.json and nameAndYobSMT_ID.json) extends the existing OFAC data structure to support multiple document types. The naming convention with the _ID suffix clearly distinguishes these from passport variants.

---

442-443: SMT return object properly extended for ID card support.

The new SMTs are correctly added to the return object, maintaining consistency with the existing structure and enabling ID card document verification alongside passport verification.

app/src/utils/proving/provingMachine.ts (2)

45-45: Function import renamed to support multiple document types.

The change from isPassportNullified to isDocumentNullified aligns with the broader generalization to support multiple document types (passport and ID cards). This is a logical improvement in naming.

---

693-693: Audit generalized nullifier check in isDocumentNullified

The original isPassportNullified function no longer exists—its behavior has been folded into the new isDocumentNullified. Please manually verify that this generalization preserves all security guarantees:

• generateNullifier(passportData) still produces the exact same nullifier value for passports.
• The attestationId mapping (0x...0001 for documentCategory === 'passport', 0x...0002 otherwise) aligns with the on-chain contract’s expected IDs.
• The HTTP endpoint (/is-nullifier-onchain-with-attestation-id) and JSON payload structure remain unchanged from the previous implementation.

circuits/tests/ofac/ofac.test.ts (1)

7-12: Comprehensive OFAC SMT import path migration maintains test coverage.

The migration from package-scoped imports to relative local paths is consistent with the broader refactor. The imports cover both passport and ID card variants of OFAC SMT data, ensuring comprehensive test coverage for multiple document types. The modern ES module JSON import syntax is correctly applied.

[coderabbitai]

⚠️ Potential issue

Breaking change warrants at least a minor version bump

Removing previously-exported OFAC JSON files is a breaking change for any consumer that still imports them. Jumping from 0.0.5 → 0.0.6 (patch) violates semantic-versioning rules; either bump minor or major and call this out in the changelog.

🤖 Prompt for AI Agents

In common/package.json at line 3, the version is currently set to 0.0.6, which
is a patch version. Since removing previously-exported OFAC JSON files is a
breaking change, update the version to at least 0.1.0 (minor) or 1.0.0 (major)
to comply with semantic versioning. Also, update the changelog to clearly
indicate this breaking change.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Script migration from Hardhat Ignition to direct execution - verify network configuration.

The change from Hardhat Ignition deployment to direct tsx execution simplifies the OFAC root update process. However, the network default has changed from localhost to alfajores. Please ensure:

1. The new script scripts/updateRegistryOfacRoot.ts exists and functions correctly
2. The alfajores network default is intentional for production usage
3. Proper error handling and authentication are in place for network operations

---

🏁 Script executed:

#!/bin/bash
# Description: Verify the new OFAC root update script exists and check its implementation

# Check if the new script exists
if [ -f "scripts/updateRegistryOfacRoot.ts" ]; then
  echo "✓ New script exists"
  # Show the script structure
  head -20 scripts/updateRegistryOfacRoot.ts
else
  echo "✗ New script missing"
fi

# Check if the old Ignition script was removed
if [ -f "ignition/modules/scripts/updateRegistryOfacRoot.ts" ]; then
  echo "⚠ Old Ignition script still exists"
else
  echo "✓ Old Ignition script removed"
fi

Length of output: 230

---

Missing scripts/updateRegistryOfacRoot.ts – npm script will fail

The update:ofacroot entry in contracts/package.json (line 68) now points to scripts/updateRegistryOfacRoot.ts, but that file isn’t in the repo—even the old Ignition version was removed. Please:

• Add the new scripts/updateRegistryOfacRoot.ts file (or place it under the correct path)
• OR update the package.json script to reference the actual file location
• Ensure the TS script includes proper error handling and network/auth validation

Without this, running npm run update:ofacroot will error out.

🤖 Prompt for AI Agents

In contracts/package.json at line 68, the npm script "update:ofacroot"
references a missing file scripts/updateRegistryOfacRoot.ts, causing the script
to fail. To fix this, either add the missing TypeScript file at the specified
path or update the script to point to the correct existing file location.
Additionally, ensure the TypeScript script includes proper error handling and
validates network and authentication parameters to prevent runtime issues.

[coderabbitai]

🛠️ Refactor suggestion

Consider using constants for attestation IDs to improve maintainability

Hard-coded hex values reduce readability and maintainability. Since PASSPORT_ATTESTATION_ID and ID_CARD_ATTESTATION_ID are already imported, use them consistently.

-  const attestationId =
-    passportData.documentCategory === 'passport'
-      ? '0x0000000000000000000000000000000000000000000000000000000000000001'
-      : '0x0000000000000000000000000000000000000000000000000000000000000002';
+  const attestationId =
+    passportData.documentCategory === 'passport'
+      ? PASSPORT_ATTESTATION_ID
+      : ID_CARD_ATTESTATION_ID;

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const attestationId =
	passportData.documentCategory === 'passport'
	? '0x0000000000000000000000000000000000000000000000000000000000000001'
	: '0x0000000000000000000000000000000000000000000000000000000000000002';
	const attestationId =
	passportData.documentCategory === 'passport'
	? PASSPORT_ATTESTATION_ID
	: ID_CARD_ATTESTATION_ID;

🤖 Prompt for AI Agents

In app/src/utils/proving/validateDocument.ts around lines 141 to 144, replace
the hard-coded hex strings for attestationId with the imported constants
PASSPORT_ATTESTATION_ID and ID_CARD_ATTESTATION_ID. This improves readability
and maintainability by using named constants instead of literal values.

[coderabbitai]

🛠️ Refactor suggestion

Add comprehensive error handling for network requests

The function lacks proper error handling for network failures, malformed responses, or API errors. This could lead to unhandled promise rejections.

 export async function isDocumentNullified(passportData: PassportData) {
+  try {
     const nullifier = generateNullifier(passportData);
     const nullifierHex = `0x${BigInt(nullifier).toString(16)}`;
     const attestationId =
       passportData.documentCategory === 'passport'
         ? PASSPORT_ATTESTATION_ID
         : ID_CARD_ATTESTATION_ID;
     console.log('checking for nullifier', nullifierHex, attestationId);
     const baseUrl =
       passportData.mock === false ? API_URL : API_URL_STAGING;
     const response = await fetch(
       `${baseUrl}/is-nullifier-onchain-with-attestation-id`,
       {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
         },
         body: JSON.stringify({ nullifier: nullifierHex, attestation_id: attestationId }),
       },
     );
+    
+    if (!response.ok) {
+      throw new Error(`HTTP error! status: ${response.status}`);
+    }
+    
     const data = await response.json();
     console.log('isDocumentNullified', data);
     return data.data;
+  } catch (error) {
+    console.error('Failed to check document nullification:', error);
+    throw error; // Re-throw to let caller handle
+  }
 }

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools

🪛 GitHub Check: lint

[warning] 152-152:
Insert ··

---

[warning] 151-151:
Insert ··

---

[warning] 150-150:
Insert ··

---

[warning] 149-149:
Replace ···· with ······

---

[warning] 148-148:
Replace ``${baseUrl}/is-nullifier-onchain-with-attestation-id, with `⏎····`${baseUrl}/is-nullifier-onchain-with-attestation-id`,⏎···`

---

[warning] 146-146:
Delete ⏎···

🤖 Prompt for AI Agents

In app/src/utils/proving/validateDocument.ts around lines 138 to 158, the
isDocumentNullified function does not handle errors from the fetch call or JSON
parsing, which can cause unhandled promise rejections. Wrap the fetch and
response processing in a try-catch block to catch network errors and JSON
parsing issues. In the catch block, log the error and return a safe fallback
value or propagate the error appropriately to ensure the function handles
failures gracefully.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Validate URL selection logic for security

The URL selection based on the mock flag could be vulnerable to manipulation if the mock property can be controlled by untrusted input. Consider validating the environment context.

---

🏁 Script executed:

#!/bin/bash
# Check if mock flag is validated or sanitized elsewhere in the codebase
rg -A 5 -B 5 "mock.*=" --type ts

Length of output: 157081

---

🏁 Script executed:

#!/bin/bash
set -e
# Locate PassportData type or interface definitions
rg -n "type PassportData" --type ts
rg -n "interface PassportData" --type ts

Length of output: 308

---

🏁 Script executed:

#!/bin/bash
set -e
# Show the function signature and context where passportData is used
sed -n '1,50p' app/src/utils/proving/validateDocument.ts
echo "..."
sed -n '100,160p' app/src/utils/proving/validateDocument.ts

Length of output: 4091

---

Ensure baseUrl selection isn’t user-controlled

Relying on passportData.mock—which can trace back to user-supplied or deep-link inputs—to pick between production (API_URL) and staging (API_URL_STAGING) can be manipulated. Instead, derive your environment at build/runtime (e.g. __DEV__, NODE_ENV, or a secure feature flag) and ignore any mock value coming from untrusted sources.

• File: app/src/utils/proving/validateDocument.ts
Lines 145–149

// ❌ Do not trust passportData.mock for URLs
const baseUrl =
  passportData.mock === false ? API_URL : API_URL_STAGING;

Recommendations:

• Use a compile-time or process-level environment variable to choose the URL:

  const baseUrl = __DEV__ 
    ? API_URL_STAGING 
    : API_URL;

• If you still need a “mock” mode, guard it behind a secure flag or only allow it in tests/development builds.
• Strip out or ignore any mock property on passportData when running in production.

🧰 Tools

🪛 GitHub Check: lint

[warning] 148-148:
Replace ``${baseUrl}/is-nullifier-onchain-with-attestation-id, with `⏎····`${baseUrl}/is-nullifier-onchain-with-attestation-id`,⏎···`

---

[warning] 146-146:
Delete ⏎···

🤖 Prompt for AI Agents

In app/src/utils/proving/validateDocument.ts around lines 146 to 148, the
baseUrl is currently chosen based on passportData.mock, which can be manipulated
by user input. To fix this, replace the baseUrl assignment to use a secure
environment variable or compile-time flag like __DEV__ or NODE_ENV instead of
passportData.mock. For example, set baseUrl to API_URL_STAGING if __DEV__ is
true, otherwise API_URL. Remove any reliance on passportData.mock for URL
selection and ensure mock mode is only enabled via secure flags or in
development/test environments.

[coderabbitai]

🛠️ Refactor suggestion

Add validation for critical registry addresses

The script should validate that the registry addresses are valid Ethereum addresses before attempting to create contract instances.

   if (!registryAddress || !registryIdCardAddress) {
     throw new Error("❌ Registry addresses not found in deployed_addresses.json");
   }
+  
+  // Validate addresses are valid Ethereum addresses
+  if (!ethers.isAddress(registryAddress) || !ethers.isAddress(registryIdCardAddress)) {
+    throw new Error("❌ Invalid registry addresses found in deployed_addresses.json");
+  }

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In contracts/scripts/updateRegistryOfacRoot.ts around lines 51 to 53, the code
checks for the presence of registry addresses but does not validate if they are
valid Ethereum addresses. Add validation logic to verify that both
registryAddress and registryIdCardAddress conform to the Ethereum address format
before proceeding. If either address is invalid, throw an error to prevent
creating contract instances with invalid addresses.

[coderabbitai]

🛠️ Refactor suggestion

Add transaction receipt validation

The script waits for transaction confirmation but doesn't validate the transaction success status, which could lead to false positives.

       try {
         totalUpdates++;
         const tx = await deployedRegistryInstance.updatePassportNoOfacRoot(passportNo_smt_root);
         const receipt = await tx.wait();
+        if (receipt.status !== 1) {
+          throw new Error(`Transaction failed with status: ${receipt.status}`);
+        }
         log.success(`PassportNo OFAC root updated (tx: ${receipt.hash})`);
         successfulUpdates++;
       } catch (error) {
         log.error(`Failed to update PassportNo OFAC root: ${error}`);
       }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const tx = await deployedRegistryInstance.updatePassportNoOfacRoot(passportNo_smt_root);
	const receipt = await tx.wait();
	log.success(`PassportNo OFAC root updated (tx: ${receipt.hash})`);
	successfulUpdates++;
	} catch (error) {
	log.error(`Failed to update PassportNo OFAC root: ${error}`);
	}
	const tx = await deployedRegistryInstance.updatePassportNoOfacRoot(passportNo_smt_root);
	const receipt = await tx.wait();
	if (receipt.status !== 1) {
	throw new Error(`Transaction failed with status: ${receipt.status}`);
	}
	log.success(`PassportNo OFAC root updated (tx: ${receipt.hash})`);
	successfulUpdates++;
	} catch (error) {
	log.error(`Failed to update PassportNo OFAC root: ${error}`);
	}

🤖 Prompt for AI Agents

In contracts/scripts/updateRegistryOfacRoot.ts around lines 74 to 80, the code
waits for the transaction receipt but does not check if the transaction was
successful. To fix this, after awaiting tx.wait(), check the receipt's status
property to confirm the transaction succeeded (status === 1). Only log success
and increment successfulUpdates if the transaction was successful; otherwise,
log an error indicating the transaction failed.

[coderabbitai]

🛠️ Refactor suggestion

Improve type safety for OFAC trees structure

The any type reduces type safety. Consider defining a proper interface for the OFAC trees structure.

interface OfacTrees {
  passportNoAndNationality: any; // Consider defining specific tree structure
  nameAndDob: any;
  nameAndYob: any;
}

// Then update the interface
interface ProtocolState {
  passport: {
    // ... other properties
    ofac_trees: OfacTrees | null;
    // ... methods
  };
  id_card: {
    // ... other properties  
    ofac_trees: OfacTrees | null;
    // ... methods
  };
}

Also applies to: 61-61

🧰 Tools

🪛 GitHub Check: lint

[warning] 41-41:
Replace ·passportNoAndNationality:·any;·nameAndDob:·any;·nameAndYob:·any; with ⏎······passportNoAndNationality:·any;⏎······nameAndDob:·any;⏎······nameAndYob:·any;⏎···

🤖 Prompt for AI Agents

In app/src/stores/protocolStore.ts at lines 41 and 61, the ofac_trees property
uses the any type, which reduces type safety. Define a specific interface, e.g.,
OfacTrees, with properly typed properties for passportNoAndNationality,
nameAndDob, and nameAndYob instead of any. Then update the ProtocolState
interface to use this new OfacTrees interface for the ofac_trees properties in
both passport and id_card sections.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (3)

app/src/utils/ofac.ts (3)

5-5: Consider using a union type with const assertions for better type safety.

While the current type definition works, using const assertions would provide better IntelliSense and prevent typos.

-export type OfacVariant = 'passport' | 'id_card';
+export const OFAC_VARIANTS = ['passport', 'id_card'] as const;
+export type OfacVariant = typeof OFAC_VARIANTS[number];

---

46-57: Consider adding logging for performance monitoring.

For a mobile app, it's important to monitor network performance, especially when fetching large datasets like OFAC trees.

   // For ID cards, we intentionally skip fetching the (large) passport-number-tree.
   if (variant === 'id_card') {
+    console.log('[OFAC] Fetching ID card variant trees (skipping passport-number tree)');
+    const startTime = Date.now();
     const [nameDobData, nameYobData] = await Promise.all([
       fetchTree(nameDobUrl),
       fetchTree(nameYobUrl),
     ]);
+    console.log(`[OFAC] ID card trees fetched in ${Date.now() - startTime}ms`);

     return {
       passportNoAndNationality: null,
       nameAndDob: nameDobData,
       nameAndYob: nameYobData,
     };
   }

---

59-71: Add similar logging for passport variant and consider retry logic.

For production mobile apps, network requests should be resilient to temporary failures.

   // Passport variant → fetch all three.
+  console.log('[OFAC] Fetching passport variant trees (all three trees)');
+  const startTime = Date.now();
   const [ppNoNatData, nameDobData, nameYobData] = await Promise.all([
     fetchTree(ppNoNatUrl),
     fetchTree(nameDobUrl),
     fetchTree(nameYobUrl),
   ]);
+  console.log(`[OFAC] Passport trees fetched in ${Date.now() - startTime}ms`);

   return {
     passportNoAndNationality: ppNoNatData,
     nameAndDob: nameDobData,
     nameAndYob: nameYobData,
   };

Additionally, consider implementing exponential backoff retry logic for network resilience:

const fetchTreeWithRetry = async (url: string, maxRetries = 3): Promise<OfacTreeData> => {
  for (let attempt = 1; attempt <= maxRetries; attempt++) {
    try {
      return await fetchTree(url);
    } catch (error) {
      if (attempt === maxRetries) throw error;
      const delay = Math.pow(2, attempt - 1) * 1000; // Exponential backoff
      await new Promise(resolve => setTimeout(resolve, delay));
    }
  }
  throw new Error('Max retries exceeded');
};

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 83abd64 and 86518b5.

📒 Files selected for processing (2)

• app/src/stores/protocolStore.ts (9 hunks)
• app/src/utils/ofac.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• app/src/stores/protocolStore.ts

🧰 Additional context used

📓 Path-based instructions (1)

app/src/**/*.{ts,tsx,js,jsx}

Instructions used from:

Sources:
⚙️ CodeRabbit Configuration File

🧬 Code Graph Analysis (1)

app/src/utils/ofac.ts (1)

common/src/constants/constants.ts (2)

• TREE_URL (12-12)
• TREE_URL_STAGING (13-13)

⏰ Context from checks skipped due to timeout of 300000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: run_circuit_tests

🔇 Additional comments (3)

app/src/utils/ofac.ts (3)

1-1: SPDX license header is properly included.

Good practice to include the license header at the top of the file for legal compliance.

---

3-3: Import statement looks correct.

The import from @selfxyz/common aligns with the relevant code snippets showing these constants are defined there.

---

37-43: ✅ OFAC endpoint URLs validated

All five endpoints (passport-no-nationality, name-dob, name-yob, and their -id variants) returned HTTP 200 with the expected data and status keys. The URL patterns in app/src/utils/ofac.ts match the live API.

No changes needed here.

[coderabbitai]

🛠️ Refactor suggestion

Replace any types with proper TypeScript interfaces for better type safety.

Using any defeats the purpose of TypeScript and can lead to runtime errors. The OFAC tree data should have a predictable structure.

+// Define the structure of OFAC tree data
+interface OfacTreeData {
+  // Add specific properties based on the actual tree structure
+  // This should match the response.data structure from the API
+  root?: string;
+  leaves?: any[]; // or more specific array type
+  // Add other expected properties
+}
+
 export interface OfacTrees {
-  passportNoAndNationality: any;
-  nameAndDob: any;
-  nameAndYob: any;
+  passportNoAndNationality: OfacTreeData | null;
+  nameAndDob: OfacTreeData;
+  nameAndYob: OfacTreeData;
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	export interface OfacTrees {
	passportNoAndNationality: any;
	nameAndDob: any;
	nameAndYob: any;
	}
	// Define the structure of OFAC tree data
	interface OfacTreeData {
	// Add specific properties based on the actual tree structure
	// This should match the response.data structure from the API
	root?: string;
	leaves?: any[]; // or more specific array type
	// Add other expected properties
	}
	export interface OfacTrees {
	passportNoAndNationality: OfacTreeData | null;
	nameAndDob: OfacTreeData;
	nameAndYob: OfacTreeData;
	}

🤖 Prompt for AI Agents

In app/src/utils/ofac.ts between lines 7 and 11, the OfacTrees interface uses
'any' types which reduces type safety. Define and replace 'any' with specific
TypeScript interfaces that describe the expected structure of
passportNoAndNationality, nameAndDob, and nameAndYob properties to ensure proper
type checking and prevent runtime errors.

[coderabbitai]

🛠️ Refactor suggestion

Add input validation and improve type safety for environment parameter.

The environment parameter should be validated and typed more strictly to prevent runtime errors.

+const ENVIRONMENTS = ['prod', 'stg'] as const;
+type Environment = typeof ENVIRONMENTS[number];
+
 export const fetchOfacTrees = async (
-  environment: 'prod' | 'stg',
+  environment: Environment,
   variant: OfacVariant = 'passport',
 ): Promise<OfacTrees> => {
+  if (!ENVIRONMENTS.includes(environment)) {
+    throw new Error(`Invalid environment: ${environment}. Must be one of: ${ENVIRONMENTS.join(', ')}`);
+  }
+  
   const baseUrl = environment === 'prod' ? TREE_URL : TREE_URL_STAGING;

🤖 Prompt for AI Agents

In app/src/utils/ofac.ts around lines 31 to 44, the environment parameter is
currently typed as a union of string literals but lacks runtime validation. Add
a validation step at the start of the fetchOfacTrees function to check if the
environment value is either 'prod' or 'stg'. If it is invalid, throw an error or
handle it appropriately. This ensures type safety and prevents runtime errors
from invalid inputs.

[coderabbitai]

🛠️ Refactor suggestion

Add timeout and improve error handling for network requests.

The fetch request lacks timeout handling which could cause the app to hang on slow networks, especially important for mobile applications.

-const fetchTree = async (url: string): Promise<any> => {
+const fetchTree = async (url: string): Promise<OfacTreeData> => {
-  const res = await fetch(url);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), 30000); // 30 second timeout
+  
+  try {
+    const res = await fetch(url, {
+      signal: controller.signal,
+      headers: {
+        'Accept': 'application/json',
+        'Content-Type': 'application/json',
+      },
+    });
+    clearTimeout(timeoutId);
+    
     if (!res.ok) {
       throw new Error(`HTTP error fetching ${url}! status: ${res.status}`);
     }
     const responseData = await res.json();
     if (responseData.status !== 'success' || !responseData.data) {
       throw new Error(
         `Failed to fetch tree from ${url}: ${
           responseData.message || 'Invalid response format'
         }`,
       );
     }
     return responseData.data;
+  } catch (error) {
+    clearTimeout(timeoutId);
+    if (error.name === 'AbortError') {
+      throw new Error(`Request timeout fetching ${url}`);
+    }
+    throw error;
+  }
 };

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const fetchTree = async (url: string): Promise<any> => {
	const res = await fetch(url);
	if (!res.ok) {
	throw new Error(`HTTP error fetching ${url}! status: ${res.status}`);
	}
	const responseData = await res.json();
	if (responseData.status !== 'success' || !responseData.data) {
	throw new Error(
	`Failed to fetch tree from ${url}: ${
	responseData.message || 'Invalid response format'
	}`,
	);
	}
	return responseData.data;
	};
	const fetchTree = async (url: string): Promise<OfacTreeData> => {
	const controller = new AbortController();
	const timeoutId = setTimeout(() => controller.abort(), 30000); // 30 second timeout
	try {
	const res = await fetch(url, {
	signal: controller.signal,
	headers: {
	'Accept': 'application/json',
	'Content-Type': 'application/json',
	},
	});
	clearTimeout(timeoutId);
	if (!res.ok) {
	throw new Error(`HTTP error fetching ${url}! status: ${res.status}`);
	}
	const responseData = await res.json();
	if (responseData.status !== 'success' || !responseData.data) {
	throw new Error(
	`Failed to fetch tree from ${url}: ${
	responseData.message || 'Invalid response format'
	}`,
	);
	}
	return responseData.data;
	} catch (error) {
	clearTimeout(timeoutId);
	if ((error as any).name === 'AbortError') {
	throw new Error(`Request timeout fetching ${url}`);
	}
	throw error;
	}
	};

🤖 Prompt for AI Agents

In app/src/utils/ofac.ts between lines 14 and 28, the fetchTree function lacks
timeout handling for the fetch request, which can cause the app to hang on slow
networks. To fix this, implement a timeout mechanism using AbortController to
abort the fetch if it exceeds a specified duration. Additionally, enhance error
handling by catching fetch errors and throwing descriptive error messages that
include timeout or network failure details.