migrate contract e2e

[open-junius]

Description

Migrate contract e2e to new framework.

Related Issue(s)

• Closes #[issue number]

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Other (please describe):

Breaking Change

If this PR introduces a breaking change, please provide a detailed description of the impact and the migration path for existing applications.

Checklist

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have run ./scripts/fix_rust.sh to ensure my code is formatted and linted correctly
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

Screenshots (if applicable)

Please include any relevant screenshots or GIFs that demonstrate the changes made.

Additional Notes

Please provide any additional information or context that may be helpful for reviewers.

[github-actions]

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

BASELINE scrutiny: open-junius has repo write permission, substantial prior subtensor history, no Gittensor allowlist hit, and the branch targets devnet-ready.

Static review found no PR modifications under .github/ai-review/* or .github/copilot-instructions.md, and no runtime/on-chain code changes. The blocking issue is in the TypeScript e2e supply-chain configuration used by CI.

Findings

Sev	File	Finding
HIGH	ts-tests/pnpm-workspace.yaml:22	Do not disable exotic subdependency blocking for CI installs	inline

Conclusion

This PR is legitimate test-framework migration work, but it weakens pnpm’s transitive dependency guard in a way that exposes CI installs to git/http subdependency sources. Keep exotic subdependencies blocked and make the toml override resolve through the registry lockfile instead.

---

🔍 AI Review — Auditor (domain review)

VERDICT: 👎

LIKELY gittensor: open-junius has write permission and substantial recent subtensor activity, but is not present in the trusted allowlists.

The Auditor proposed a replacement PR description, but the current body is non-trivial; not overwriting. Maintainers: ask the Auditor to regenerate if you want it.

Static review only. I did not run the Moonwall suite because this workspace has no pnpm binary installed; git diff --check passes.

No spec_version bump is required: the only pallets/ change is whitespace in pallets/subtensor/src/staking/order_swap.rs, with no runtime behavior change.

Findings

Sev	File	Finding
MEDIUM	contract-tests/test/crowdloan.precompile.test.ts:81	Migrate the full crowdloan precompile lifecycle coverage	inline
MEDIUM	contract-tests/test/leasing.precompile.test.ts:87	Migrate the leasing finalize and termination coverage	inline
LOW	ts-tests/pnpm-workspace.yaml:32	Resolve allowBuilds placeholders	inline

Prior-comment reconciliation

• ce46d732: not addressed — Partially migrated, but the new Moonwall suite still does not cover the deleted crowdloan contribute, withdraw, refund, dissolve, and Substrate-created crowdloan paths.
• b7ff5444: not addressed — Partially migrated, but the new Moonwall suite still stops at lease-crowdloan creation and does not cover contribution, finalize, lease lookup/share assertions, expiry, or termination.
• 489d72e9: not addressed — The literal allowBuilds placeholder values are still present in ts-tests/pnpm-workspace.yaml; carried forward as the current low-severity finding.

Conclusion

Blocking because the PR still deletes legacy crowdloan and leasing precompile E2E coverage without migrating the full lifecycle checks into Moonwall. The transfer and wrapper smoke migration is useful, but the coverage loss should be restored before merge.

---

📜 Previous run (superseded)

Sev	File	Finding	Status
MEDIUM	contract-tests/test/crowdloan.precompile.test.ts:1	Migrate the deleted crowdloan precompile coverage	➡️ Carried forward to current findings Partially migrated, but the new Moonwall suite still does not cover the deleted crowdloan contribute, withdraw, refund, dissolve, and Substrate-created crowdloan paths.
MEDIUM	contract-tests/test/leasing.precompile.test.ts:1	Migrate the deleted leasing precompile coverage	➡️ Carried forward to current findings Partially migrated, but the new Moonwall suite still stops at lease-crowdloan creation and does not cover contribution, finalize, lease lookup/share assertions, expiry, or termination.
LOW	ts-tests/pnpm-workspace.yaml:32	Resolve allowBuilds placeholders	➡️ Carried forward to current findings The literal allowBuilds placeholder values are still present in ts-tests/pnpm-workspace.yaml; carried forward as the current low-severity finding.

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[MEDIUM] Wire the new EVM suite into CI

This registers a new zombienet_evm Moonwall suite, but .github/workflows/typescript-e2e.yml still only runs dev, zombienet_shield, zombienet_staking, zombienet_coldkey_swap, and zombienet_subnets. As written, the migrated EVM test can go stale because PR CI never invokes pnpm moonwall test zombienet_evm.

Add zombienet_evm to the run-e2e-tests matrix, likely against the release binary unless there is a specific fast-runtime reason.

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👎

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[LOW] Resolve allowBuilds placeholders

The new allowBuilds map still contains generated placeholder strings instead of explicit boolean decisions. pnpm 10.26+ defines this field as a map that explicitly allows (true) or disallows (false) dependency build scripts, so leaving set this to true or false here keeps the new policy unresolved and can cause install-time warnings or stricter future failures. (newreleases.io)

Suggested change

	allowBuilds:
	'@biomejs/biome': set this to true or false
	'@parcel/watcher': set this to true or false
	cpu-features: set this to true or false
	esbuild: set this to true or false
	msgpackr-extract: set this to true or false
	protobufjs: set this to true or false
	sqlite3: set this to true or false
	ssh2: set this to true or false
	allowBuilds:
	'@biomejs/biome': true
	'@parcel/watcher': true
	cpu-features: true
	esbuild: true
	msgpackr-extract: true
	protobufjs: true
	sqlite3: true
	ssh2: true

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[LOW] Resolve allowBuilds placeholders

This allowBuilds block still contains generated placeholder values instead of concrete booleans. Since the same packages are already listed under onlyBuiltDependencies, leaving these placeholder strings makes the workspace policy ambiguous and can confuse future pnpm maintenance. Either remove the unfinished block or replace each entry with intentional true/false values.

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[LOW] Resolve allowBuilds placeholders

The allowBuilds entries are still literal placeholder strings (set this to true or false). Resolve this before merge by either replacing them with explicit boolean policy values or removing the block if onlyBuiltDependencies above is the intended source of truth. Leaving generated placeholders makes the install policy ambiguous and can confuse future pnpm approve-builds or dependency review work.

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

[github-actions]

🔄 AI review updated — Skeptic: SAFE

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[HIGH] Restore sender staking rate-limit validation

transfer_staked_alpha(..., validate_sender: true, ...) is the path pallets/limit-orders uses when collecting staked alpha from sell-order signers, and that call site explicitly relies on validate_sender to check the user's rate limit. The trait contract also says this flag must reject a sender that already staked in the current block. This hunk removes the only sender-side stake-operation-limit check and leaves only ensure_available_to_unstake, so a signer can stake and then transfer that same-block stake into order matching, bypassing the intended anti-same-block staking guard. Restore an equivalent rate-limit check before the availability check; the removed helper name may need to be reintroduced or replaced with the current rate-limit API.

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[HIGH] Restore sender staking rate-limit validation

collect_assets in pallets/limit-orders calls this with validate_sender: true and documents that this path should check the seller's staking rate limit before pulling staked alpha into the pallet intermediary. The current implementation now validates hotkey existence, minimum amount, and locks, but no longer rejects a sender that is still inside the staking operation limit window before debiting stake. That lets repeated sell-side batch executions bypass the economic throttling that ordinary stake movement is supposed to enforce. Restore the sender-side staking rate-limit check before ensure_available_to_unstake.

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[LOW] Resolve allowBuilds placeholders

These entries are still the literal placeholder strings from pnpm approve-builds. Please replace each value with an explicit boolean policy, or remove the allowBuilds block if onlyBuiltDependencies is the intended policy source. Leaving placeholders makes the workspace build policy ambiguous and carries forward the prior review finding.

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[LOW] Resolve allowBuilds placeholders

These literal placeholder strings are still committed under allowBuilds. pnpm expects concrete boolean approvals here; leaving set this to true or false makes the build-script policy ambiguous and can break strict install/config validation. Since these packages are already listed in onlyBuiltDependencies, set the corresponding approvals explicitly.

Suggested change

	'@biomejs/biome': set this to true or false
	'@parcel/watcher': set this to true or false
	cpu-features: set this to true or false
	esbuild: set this to true or false
	msgpackr-extract: set this to true or false
	protobufjs: set this to true or false
	sqlite3: set this to true or false
	ssh2: set this to true or false
	'@biomejs/biome': true
	'@parcel/watcher': true
	cpu-features: true
	esbuild: true
	msgpackr-extract: true
	protobufjs: true
	sqlite3: true
	ssh2: true

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[LOW] Resolve allowBuilds placeholders

The allowBuilds entries are still literal placeholder strings. This leaves the pnpm build-script policy ambiguous and may be rejected or misread by tooling expecting booleans. Replace these with explicit true/false decisions, or delete the redundant block if onlyBuiltDependencies is the intended policy source.

Suggested change

	'@biomejs/biome': set this to true or false
	'@parcel/watcher': set this to true or false
	cpu-features: set this to true or false
	esbuild: set this to true or false
	msgpackr-extract: set this to true or false
	protobufjs: set this to true or false
	sqlite3: set this to true or false
	ssh2: set this to true or false
	'@biomejs/biome': true
	'@parcel/watcher': true
	cpu-features: true
	esbuild: true
	msgpackr-extract: true
	protobufjs: true
	sqlite3: true
	ssh2: true

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[MEDIUM] Migrate the deleted crowdloan precompile coverage

This deletes the direct crowdloan precompile smoke tests, but the new zombienet_evm suite only ports the EVM/Substrate transfer coverage. The remaining wrapper tests do not cover the same direct precompile flows: create/contribute/withdraw/refund/dissolve and contributing to a substrate-created crowdloan. Keep this file until equivalent Moonwall tests land, or add the migrated crowdloan cases in ts-tests/suites/zombienet_evm.

[github-actions]

[MEDIUM] Migrate the deleted leasing precompile coverage

This removes the only direct leasing precompile E2E that creates a lease crowdloan, finalizes it, reads lease fields, checks contributor shares, terminates the lease, and verifies ownership handoff. The new Moonwall suite does not replace those assertions. Keep this test in contract-tests or migrate the same leasing flow into ts-tests/suites/zombienet_evm before dropping it.

[github-actions]

[LOW] Resolve allowBuilds placeholders

These generated placeholder values are still literal strings. Resolve them to real policy values, or remove this block if onlyBuiltDependencies above is the intended pnpm build-script allowlist.

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👎

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[MEDIUM] Migrate the full crowdloan precompile lifecycle coverage

The new Moonwall wrapper suite adds getCrowdloan, getContribution, and createCrowdloan smoke checks, but it still does not migrate the deleted crowdloan lifecycle assertions here: contribute, withdraw, refund after expiry, dissolve, and contribute/withdraw against a crowdloan created on the Substrate side. Those paths are the behavioral coverage for the crowdloan precompile, so deleting this file without equivalent Moonwall tests is a real regression. Please add Moonwall tests that exercise the same precompile calls and balance/storage assertions before removing the legacy suite.

[github-actions]

[MEDIUM] Migrate the leasing finalize and termination coverage

The replacement createLeaseCrowdloan Moonwall test stops after the crowdloan id increments. The deleted suite continued through contribution, block advancement, finalize, getLease, getLeaseIdForSubnet, contributor-share checks, lease expiry, terminateLease, and owner assertions. That is the meaningful leasing precompile behavior; without an equivalent migrated test, this PR drops end-to-end coverage for successful lease creation and cleanup.

[github-actions]

[LOW] Resolve allowBuilds placeholders

These literal placeholder strings are still present in the committed workspace config. Replace them with actual booleans so the package-manager config is deterministic and schema-valid.

Suggested change

	'@biomejs/biome': set this to true or false
	'@parcel/watcher': set this to true or false
	cpu-features: set this to true or false
	esbuild: set this to true or false
	msgpackr-extract: set this to true or false
	protobufjs: set this to true or false
	sqlite3: set this to true or false
	ssh2: set this to true or false
	'@biomejs/biome': true
	'@parcel/watcher': true
	cpu-features: true
	esbuild: true
	msgpackr-extract: true
	protobufjs: true
	sqlite3: true
	ssh2: true

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👎

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[HIGH] Do not disable exotic subdependency blocking for CI installs

Setting blockExoticSubdeps: false globally turns off pnpm’s guard against transitive git/HTTP/file-style dependency sources for the whole ts-tests workspace. That makes this and future pnpm install --frozen-lockfile runs on CI accept exotic subdependencies instead of failing closed. The current lockfile still resolves toml through https://codeload.github.com/pepoviola/toml-node/..., so the added registry override is not actually eliminating the git-hosted source; it is only unblocking it. Keep the guard enabled and regenerate/update the lockfile so toml resolves from the npm registry before adding the new e2e job to CI.

Suggested change

	# @zombienet/utils pulls toml from a git repo; allow that in subdependencies.
	blockExoticSubdeps: false
	pnpm:
	overrides:
	toml: ^3.0.0
	# Keep transitive git/http dependencies blocked; make the toml override resolve through the registry lockfile instead.
	blockExoticSubdeps: true
	pnpm:
	overrides:
	toml: ^3.0.0

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE