. #34630

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Add Bitcoin Core configuration files (bitcoin.conf.local, settings.json)
- Add RPC authentication files (.cookie, .rpcauth)
- Add wallet journal and lock files (wallet.dat-journal, .walletlock)
- Add process ID and lock files (bitcoind.pid, .lock)
- Add explicit Tor/I2P private key patterns
- Add hardware wallet socket patterns (*.sock, *.socket)
- Add additional seed phrase patterns (*.words, recovery_phrase.txt)
- Add encrypted backup patterns (*.gpg, *.enc, *.aes)
- Add network-specific test wallet patterns
- Add data directory patterns for all networks (testnet3, testnet4, signet)
- Improve comments for better documentation
- Add reference to doc/files.md

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Use wildcard pattern bitcoin.conf.* to catch all variants
- Remove leading slashes from data directory patterns to match in subdirs
- This ensures better coverage for test, data, and nested directories

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Replace unsafe shell command with GitHub Script action to prevent
command injection attacks through unsanitized context variables

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Added detailed security guidance for GitHub Actions workflows including:
- Command injection prevention
- Input validation
- Secure secrets management
- Dependency pinning
- Security checklist

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Adds Bitcoin Core-specific privacy patterns to prevent accidental commit
of sensitive runtime data, credentials, and cryptographic material.

## Changes

### Critical Protection
- **Wallet journals**: `wallet.dat-journal`, `*.wallet-journal` - SQLite
rollback journals must be protected equally to wallet.dat
- **Seed phrases**: `*.words`, `recovery_phrase.txt`,
`backup_phrase.txt` - comprehensive mnemonic protection
- **RPC authentication**: `.cookie`, `.rpcauth`, `rpcauth.txt` - session
tokens and credential files
- **Network privacy keys**: `onion_v3_private_key`, `i2p_private_key` -
explicit Tor/I2P identity protection

### Configuration & Runtime
- **Config variants**: `bitcoin.conf.*` - wildcard pattern catches
local/dev/backup variations
- **Process files**: `bitcoind.pid`, `bitcoin-qt.pid`, `.lock`,
`.walletlock`
- **Settings**: `settings.json.bak`, `guisettings.ini.bak`

### Hardware Wallet & External Signers
- **Communication channels**: `*.sock`, `*.socket`, `.trezor*`,
`.ledger*`
- **Directories**: `hwi/`, `signer/`

### Test Networks & Data
- **Wallet files**: `testnet3_wallet.dat`, `testnet4_wallet.dat`,
`signet_wallet.dat`
- **Data directories**: `testnet3/`, `testnet4/`, `signet/`, `regtest/`
- removed leading slashes to match in subdirectories
- **Blockchain data**: `blocks/`, `chainstate/`, `indexes/`, `wallets/`
- pattern optimization for nested paths

### Encrypted Backups
- **Archive formats**: `*.backup.gpg`, `*.backup.enc`, `*.backup.aes`,
`*.wallet.zip`
- Rationale: Encryption may be broken; keep offline

### Pattern Improvements
- `bitcoin.conf.local` → `bitcoin.conf.*` for broader coverage
- `/blocks/` → `blocks/` to match anywhere in repository tree
- Added BDB legacy wallet support: `database/`, `db.log`

## Documentation
Added inline references to `doc/files.md` and critical warnings for seed
phrase patterns.

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

- Use environment variables for input validation to prevent injection
- Pin Trivy action to specific version instead of mutable tag

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Use environment variables in github-script for input values
- Use context object properties instead of direct interpolation
- Ensure all examples consistently follow secure patterns

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Changed from @v2 to @v4 to align with actual usage in the repository

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Command injection vulnerability in GitHub Actions workflow from
unsanitized `${{ github.repository }}` interpolation in shell command.
Shell context allows malicious repository names to execute arbitrary
commands.

## Changes

### Workflow Security Fix
Replaced shell-based `gh` CLI with `actions/github-script` API calls:

**Before:**
```yaml
- run: |
    gh issue --repo ${{ github.repository }} \
      create --title "Issue title" --body "Issue body"
```

**After:**
```yaml
- name: Create issue using GitHub Script
  uses: actions/github-script@v7
  with:
    script: |
      await github.rest.issues.create({
        owner: context.repo.owner,
        repo: context.repo.repo,
        title: 'Issue title',
        body: 'Issue body'
      });
```

Eliminates shell execution path entirely. Values passed as structured
data, not string interpolation.

### Documentation
Added "GitHub Actions Security" section (263 lines) to
`SECURITY_PRACTICES.md`:

- **Command injection prevention** - vulnerable patterns, two secure
approaches (GitHub Script, environment variables)
- **Input validation** - environment variable usage in shell and
JavaScript contexts
- **Secrets management** - safe patterns, common pitfalls
- **Workflow permissions** - least privilege configuration
- **Dependency pinning** - specific versions vs mutable tags
- **Security checklist** - pre-merge verification steps

All examples validated for consistency with documented patterns.

## Files Changed
- `.github/workflows/open-issue.yml` - new secure workflow (27 lines)
- `SECURITY_PRACTICES.md` - security guidance (+263 lines)

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Strengthens repository security posture by expanding .gitignore coverage
and documenting safe development practices for contributors working with
a security-critical cryptocurrency project.

## Changes

### .gitignore (+60 lines)
- CMake build artifacts (CMakeCache.txt, CMakeFiles/,
compile_commands.json)
- IDE patterns: JetBrains, VSCode, Vim, Emacs
- OS-specific files (.DS_Store, Thumbs.db, .Spotlight-V100)
- GitHub Codespaces configuration

### README.md (+29 lines)
New "Security and Safe Development Practices" section:
- Key security reminders (never commit keys/wallets, use env vars,
report privately)
- Safe Git practices (review before commit, focused commits, GPG
signing)
- Cross-references to SECURITY.md and SECURITY_PRACTICES.md

### SECURITY.md (+91 lines, 21→109 lines)
Expanded from basic reporting info to comprehensive security policy:
- Detailed vulnerability submission guidelines (what to include,
response process)
- Security best practices for contributors (before/during development)
- Authentication and secrets management guidance
- Security-related files inventory
- Additional resources and contact information

All documentation changes reference the existing SECURITY_PRACTICES.md
for detailed Maven/GitHub Packages authentication and deployment
guidance.

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Signed-off-by: Yaketh <193178375+Kushmanmb@users.noreply.github.com>

Implements WebAssembly module for Bitcoin PDF utilities and React
frontend with defense-in-depth security measures.

## WASM Module (`pdf-utils/wasm/`)

- Rust-based WASM with input validation (hex format, length limits,
injection prevention)
- Automated build script with prerequisite checks, build verification,
and artifact sanitization
- Release profile: LTO enabled, panic=abort, optimized for size

```rust
fn validate_transaction_id(transaction_id: &str) -> Result<(), &'static str> {
    if transaction_id.is_empty() { return Err("Transaction ID cannot be empty"); }
    if transaction_id.len() > 64 { return Err("Transaction ID too long"); }
    if !transaction_id.chars().all(|c| c.is_ascii_hexdigit()) {
        return Err("Transaction ID must contain only hexadecimal characters");
    }
    Ok(())
}
```

## Frontend (`app/`)

- React 18.3.1 + Vite with CSP and security headers (X-Frame-Options:
DENY, X-Content-Type-Options: nosniff)
- Production builds strip console.log/debugger, disable source maps
- ESLint rules: no-eval, no-implied-eval, no-new-func, no-script-url
- Frontend input validation mirrors WASM validation

## Security Measures

- Multi-layer input validation (WASM + frontend)
- CSP with documented `wasm-unsafe-eval` requirement
- No credentials in source, comprehensive .gitignore for artifacts
- Dependencies pinned and vulnerability-scanned

## Build Commands

```bash
# WASM
cd pdf-utils/wasm && ./generate_wasm.sh

# Frontend  
cd app && yarn install && yarn dev
```

Documentation: BUILD_WASM_AND_FRONTEND.md,
WASM_FRONTEND_IMPLEMENTATION.md, IMPLEMENTATION_GUIDE.md

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

- Change SSH key generation from ed25519 to ed25519-sk for enhanced security
- Add comprehensive hardware security key benefits and supported devices
- Update email to kushmanmb@gmx.com as specified
- Include fallback guidance for standard ed25519 keys
- Enhance security measures with detailed best practices

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Updates SSH key management documentation to prioritize FIDO2/U2F
hardware security keys over software-based keys.

## Changes

- **Primary recommendation**: `ssh-keygen -t ed25519-sk`
(hardware-backed) instead of `ed25519` (software)
- **Security properties**: Documents phishing resistance, tamper-proof
storage, and required physical presence
- **Device support**: Lists compatible FIDO2/U2F devices (YubiKey,
Titan, SoloKeys)
- **Fallback guidance**: Retains standard ed25519 instructions when
hardware unavailable
- **Enhanced measures**: 20-char passphrases, annual rotation, key
separation by purpose

## Example

```bash
# Hardware security key (recommended)
ssh-keygen -t ed25519-sk -C "kushmanmb@gmx.com"
ssh-add ~/.ssh/id_ed25519_sk

# Standard key (fallback)
ssh-keygen -t ed25519 -C "kushmanmb@gmx.com"
```

Hardware keys provide defense against credential phishing and
malware-based key extraction by keeping private keys in tamper-proof
secure elements.

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Signed-off-by: Yaketh <193178375+Kushmanmb@users.noreply.github.com>

Updates documentation to recommend hardware security keys (ed25519-sk)
over software-only keys (ed25519) for SSH authentication.

## Changes

- **Key type**: `ed25519` → `ed25519-sk` (requires FIDO/U2F hardware
device)
- **File paths**: `id_ed25519` → `id_ed25519_sk` throughout examples
- **Email**: Updated to `mattbrace92@gmail.com`
- **Documentation**: Added hardware key requirements and security
benefits

## Before/After

```bash
# Before
ssh-keygen -t ed25519 -C "your_email@example.com"
ssh-add ~/.ssh/id_ed25519

# After
ssh-keygen -t ed25519-sk -C "mattbrace92@gmail.com"
ssh-add ~/.ssh/id_ed25519_sk
```

Hardware-backed keys prevent private key exfiltration by storing keys in
tamper-resistant hardware (YubiKey, SoloKey, etc.) and require physical
device presence for operations.

**File**: `SECURITY_PRACTICES.md` (SSH Key Management section)

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Enhanced .gitignore with comprehensive self-hosted runner privacy entries
- Created self-hosted runner configuration workflow with cross-platform support
- Added comprehensive self-hosted runner setup guide
- Integrated kushmanmb.eth ENS domain into Etherscan API workflow
- Created ENS configuration documentation
- Updated README with ENS and security documentation references

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Created quick start guide for ENS and self-hosted runner usage
- Enhanced data/etherscan README with detailed usage instructions
- Added examples for querying and parsing Etherscan API data

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Created detailed implementation summary document
- Documented all changes, security validations, and usage instructions
- Validated all workflows for syntax and security
- Confirmed cross-platform compatibility
- Ready for final review

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Added validation check that fails with clear error if zero address is used
- Enhanced documentation with configuration requirements
- Updated ENS_CONFIGURATION.md with detailed setup steps
- Updated QUICKSTART guide with required configuration warning
- Workflow now prevents accidental use of placeholder address

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Enhanced summary job to format results with emojis
- Added status check for overall workflow result
- Handles skipped, success, failure, and cancelled states properly
- Summary now shows meaningful messages for each state

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Implements self-hosted runner support with cross-platform privacy
protection and integrates kushmanmb.eth ENS domain for blockchain data
queries via Etherscan API v2.

## Changes

### Self-Hosted Runner Infrastructure
- **Workflow validation**
(`.github/workflows/self-hosted-runner-setup.yml`): Cross-platform
runner health checks with security validation and automated workspace
cleanup
- **Platform coverage**: Linux (systemd), macOS (launchd), Windows
(Service) with platform-specific isolation and credential sanitization

### Privacy Hardening
- **`.gitignore` expansion**: 150+ patterns covering runner credentials
(`_work/`, `.credentials`, `runner-*-token.txt`), cloud provider
metadata (AWS/Azure/GCP), and container orchestration artifacts
- **Scope**: Runner working directories, registration tokens, VPN
configs, telemetry data, cloud credentials

### kushmanmb.eth Integration  
- **Etherscan API v2 workflow**
(`.github/workflows/etherscan-apiv2.yml`): ENS resolution with
configurable endpoints (account, transaction, contract, ens_resolve)
- **Configuration validation**: Fails fast on placeholder address with
actionable error messages
- **Scheduled collection**: Daily runs at 00:00 UTC with timestamped
archiving to `data/etherscan/`

Example usage:
```yaml
# Trigger with ENS name and endpoint selection
inputs:
  ens_name: "kushmanmb.eth"
  api_endpoint: "ens_resolve"  # Uses eth_call via Etherscan proxy
```

Implementation follows the specified eth_call pattern:
```bash
curl "https://api.etherscan.io/v2/api?chainid=1&module=proxy&action=eth_call&to=0xAEEF46DB4855E25702F8237E8f403FddcaF931C0&data=0x70a08231000000000000000000000000e16359506c028e51f16be38986ec5746251e9724&tag=latest&apikey=${ETHERSCAN_API_KEY}"
```

### Documentation
- `SELF_HOSTED_RUNNER_SETUP.md`: Installation, configuration,
maintenance across platforms
- `ENS_CONFIGURATION.md`: kushmanmb.eth setup, resolution methods,
privacy considerations
- `QUICKSTART_KUSHMANMB_ETH.md`: Prerequisites, workflow execution,
common use cases

## Configuration Required

Before use:
1. Update `KUSHMANMB_ADDRESS` in workflow (resolves from kushmanmb.eth)
2. Add `ETHERSCAN_API_KEY` to repository secrets
3. For self-hosted runners: Configure with labels `[self-hosted, OS,
ARCH, secure]`

## Security

- No hardcoded credentials; all secrets via GitHub Secrets
- Credential persistence disabled in checkouts (`persist-credentials:
false`)
- Runner artifacts protected via comprehensive gitignore patterns
- Placeholder address validation prevents misconfiguration

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Implements a zero-knowledge proof library for verifying substring claims
in PDF documents at specific byte offsets.

## Changes

**New library: `zkpdf_lib/`**

- **Core API**
- `PDFCircuitInput` struct with `pdf_bytes`, `page_number`, `offset`,
`substring` fields
- `verify_pdf_claim(input: PDFCircuitInput) ->
Result<PDFVerificationProof, PDFVerificationError>`
  - `PDFVerificationProof` with verification status and metadata

- **Security validations**
  - Bounds checking on offsets and substring lengths
  - Overflow prevention in offset arithmetic
  - Resource limits (max page number: 10,000)
  - Input sanitization for empty data/substrings

- **Testing**
  - 10 unit tests covering success/error paths
  - 4 integration tests matching usage patterns
  - 1 doc test

## Usage

```rust
use zkpdf_lib::{verify_pdf_claim, PDFCircuitInput};

let input = PDFCircuitInput {
    pdf_bytes: pdf_data,
    page_number: 0,
    offset: 100,
    substring: "Important Document".to_string(),
};

let result = verify_pdf_claim(input)?;
assert!(result.verified);
```

## Dependencies

- `serde 1.0` with derive feature for serialization
- `thiserror 1.0` for error handling
- No known CVEs in dependency tree

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Create fetch-erc20-events.js to fetch ERC20 token transfers from Etherscan API
- Add comprehensive error handling for HTTP failures, API errors, and empty results
- Use environment variables for API key (ETHERSCAN_API_KEY)
- Print formatted transaction details (hash, block, from, to, value, symbol)
- Add test script to verify formatting functions
- Update README.md with usage documentation

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Address code review feedback - all example addresses now have 40 hex characters

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Document various output scenarios including successful fetches and error handling

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Add comment clarifying 100 transaction limit is per page
- Document test timestamp as intentional test data

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Adds a Node.js script to query and display ERC20 token transfers from
Etherscan's `tokentx` endpoint.

## Implementation

**Script** (`contrib/devtools/fetch-erc20-events.js`)
- Queries Etherscan API for token transfers by address
- Formats token values using decimals from response
- Outputs: tx hash, block number, from/to addresses, value, token
symbol/name, timestamp
- Validates Ethereum address format (0x + 40 hex chars)
- HTTP error handling: 401/429/network failures with contextual messages
- API error handling: empty results, malformed JSON, error responses

**Configuration**
- `ETHERSCAN_API_KEY` (required): API authentication
- `ADDRESS` (optional): Alternative to CLI argument

**Example**
```bash
ETHERSCAN_API_KEY=ABC123 node contrib/devtools/fetch-erc20-events.js 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0
```

Output per transaction:
```
────────────────────────────────────────────────────────────────────────────────
Transaction Hash: 0xabc123...
Block Number:     15234567
From:             0x1234...5678
To:               0xabcd...ef12
Value:            1000.000000000000000000
Token Symbol:     USDT
```

## Testing

Test suite (`test-erc20-events.js`) verifies token value formatting
across various decimal places and transaction output structure.

## Security

- No hardcoded credentials
- HTTPS only
- Zero external dependencies (Node.js built-ins)
- Input sanitization via regex validation

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `api.etherscan.io`
> - Triggering command:
`/home/REDACTED/work/_temp/ghcca-node/node/bin/node node
fetch-erc20-events.js 0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb0` (dns
block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/kushmanmb-org/bitcoin/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT ORIGINAL PROMPT -->



<details>

<summary>Original prompt</summary>

> Add a JavaScript script that fetches ERC20 token transfer events from
the Etherscan API, processes the result, and prints details (hash,
block, from, to, value, token symbol) for each transaction. The script
should handle errors appropriately, including HTTP response failures and
empty or error results from the API. All sensitive data, like the API
key, must be accessed from environment variables. Example output for
each event should include transaction hash, block number, sender and
recipient addresses, token value, and symbol, each clearly labeled.


</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Adds `contrib/devtools/check-gem-version.sh` to verify Ruby gem
availability and version in build environments.

**Implementation:**
- Checks for `gem` command presence with error handling
- Outputs current gem version via `gem --version`
- Follows existing devtools script conventions

```bash
$ contrib/devtools/check-gem-version.sh
Checking gem version...
3.4.20
```

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

All workflows now support self-hosted runners and display kushmanmb.eth
ownership. Changes are backward compatible - GitHub-hosted runners
remain the default.

## Changes

**Ownership Banner (9 workflows)**
- Added standardized header identifying repository owner
(kushmanmb.eth), creator (Kushman MB), and ENS identifiers
- Provides verifiable on-chain identity attribution

**Self-Hosted Runner Support (24+ jobs)**
- Conditional runner selection via `USE_SELF_HOSTED` repository variable
- Pattern: `runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted'
|| 'ubuntu-latest' }}`
- Zero configuration required - falls back to GitHub-hosted by default

**Repository Configuration**
- Updated `ci.yml`: `REPO_USE_CIRRUS_RUNNERS: 'kushmanmb-org/bitcoin'`
- Added `REPO_USE_SELF_HOSTED: 'true'` environment variable

## Example

Before:
```yaml
jobs:
  my-job:
    runs-on: ubuntu-latest
```

After:
```yaml
# ═══════════════════════════════════════════════════════════════════
# GLOBAL OWNERSHIP & CREATOR STATUS
# ═══════════════════════════════════════════════════════════════════
# Repository Owner: kushmanmb.eth (Ethereum Name Service)
# Creator: Kushman MB
# ENS Identifiers:
#   - Primary: kushmanmb.eth (Ethereum Mainnet)
#   - Base Network: Kushmanmb.base.eth
# ═══════════════════════════════════════════════════════════════════

jobs:
  my-job:
    runs-on: ${{ vars.USE_SELF_HOSTED == 'true' && 'self-hosted' || 'ubuntu-latest' }}
```

## Activation

Set repository variable `USE_SELF_HOSTED=true` to enable self-hosted
runners. No variable = GitHub-hosted runners (current behavior).

## Files Modified

- `.github/workflows/*.yml` (9 files)
- Documentation: `WORKFLOW_UPDATES.md`, `WORKFLOW_CHANGES_SUMMARY.md`,
`IMPLEMENTATION_COMPLETE.md`

**Stats**: +516 lines, -17 lines across 11 files

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

  - Announced at: 2026-02-15-14-42-31
  - Type: ownership
  - ENS: Kushmanmb.base.eth, kushmanmb.eth
  - Workflow run: 22037540998

  This commit contains a timestamped announcement of Bitcoin
  ownership associated with the specified ENS names.
  No private keys or sensitive data are included.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

  - Announced at: 2026-02-15-14-50-42
  - Type: ownership
  - ENS: Kushmanmb.base.eth, kushmanmb.eth
  - Workflow run: 22037657996

  This commit contains a timestamped announcement of Bitcoin
  ownership associated with the specified ENS names.
  No private keys or sensitive data are included.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

The Etherscan API workflow required manual configuration of a hardcoded
Ethereum address for the kushmanmb.eth ENS name. This introduced
friction and prevented automatic updates when ENS records changed.

## Changes

**Workflow (`.github/workflows/etherscan-apiv2.yml`)**
- Added automatic ENS resolution using Etherscan's ENS lookup API
(`module=ens&action=getaddress`)
- Replaced hardcoded `KUSHMANMB_ADDRESS` placeholder with dynamic
`RESOLVED_ADDRESS` and `TARGET_ADDRESS` variables
- Implemented proper error handling for API failures, network issues,
and invalid responses
- API key validation moved from workflow conditional to script-level
check (fixes GitHub Actions secret handling)
- Added `resolved_address` field to output JSON metadata

**Documentation**
- Removed manual configuration instructions from ENS_CONFIGURATION.md,
QUICKSTART_KUSHMANMB_ETH.md
- Updated IMPLEMENTATION_KUSHMANMB_ETH.md to reflect automated
resolution

## Example

```bash
# Before: Required editing workflow file with resolved address
KUSHMANMB_ADDRESS="0x0000000000000000000000000000000000000000"  # Manual update needed

# After: Automatic resolution at runtime
ENS_LOOKUP_URL="https://api.etherscan.io/api?module=ens&action=getaddress&name=${ENS_NAME}&apikey=${API_KEY}"
RESOLVED_ADDRESS=$(curl -s "${ENS_LOOKUP_URL}" | jq -r '.result // empty')
TARGET_ADDRESS="${RESOLVED_ADDRESS}"  # Used for all API calls
```

The workflow now requires only an Etherscan API key in secrets and
automatically tracks ENS record changes.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `api.ensideas.com`
>   - Triggering command: `/usr/bin/curl curl -s REDACTED` (dns block)
> - `etherscan.io`
>   - Triggering command: `/usr/bin/curl curl -s REDACTED` (dns block)
> - `metadata.ens.domains`
>   - Triggering command: `/usr/bin/curl curl -s REDACTED` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/kushmanmb-org/bitcoin/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

- Update fetch-erc20-events.js to use V2 API endpoint (/v2/api) and add chainid parameter
- Update etherscan-apiv2.yml workflow to use V2 API for all endpoints consistently
- Update documentation (ENS_CONFIGURATION.md, IMPLEMENTATION_KUSHMANMB_ETH.md) with V2 examples
- All API calls now include chainid=1 for Ethereum mainnet
- Update User-Agent to v2.0

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Adds `yaketh.eth` as an ENS identifier alongside existing
`kushmanmb.eth` and `Kushmanmb.base.eth` entries. Creates ownership
attestation in private key handling documentation.

## Changes

- **Workflow files (9)**: Added `yaketh.eth` to ENS Identifiers sections
in all GitHub Actions workflows
- **Ownership announcements**: Updated `/data/ownership/` documents to
include `yaketh.eth`
- **Private data handling**: Added "Repository Ownership & Creator
Badge" section to `wiki/Private-Data-Handling.md` documenting:
  - Repository owner: `kushmanmb.eth`
  - Creator: `kushmanmb`
- All ENS identifiers: `kushmanmb.eth`, `Kushmanmb.base.eth`,
`yaketh.eth`
- Ownership verification methods (timestamped announcements, GitHub
Actions signatures, ENS associations)
- Explicit security notice that private keys for these identifiers are
never stored in repository

## Example

```yaml
# ENS Identifiers:
#   - Primary: kushmanmb.eth (Ethereum Mainnet)
#   - Base Network: Kushmanmb.base.eth
#   - yaketh.eth
```

All changes maintain existing capitalization conventions
(`Kushmanmb.base.eth` with capital K per repository standard).

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

  - Announced at: 2026-02-15-18-36-57
  - Type: ownership
  - ENS: Kushmanmb.base.eth, kushmanmb.eth
  - Workflow run: 22040941797

  This commit contains a timestamped announcement of Bitcoin
  ownership associated with the specified ENS names.
  No private keys or sensitive data are included.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Implements authenticated requests to Coinbase Developer Platform API for
querying EVM blockchain data (token balances, transactions, blocks)
across multiple networks including base-sepolia.

## Implementation

**Core client** (`contrib/devtools/fetch-cdp-api.js`)
- JWT token generation with ES256 signing algorithm
- Automatic base64 decoding of PEM-encoded private keys
- 2-minute token expiration with random nonce
- Environment variable and CLI argument support

**Credentials**: `KEY_ID` (UUID), `KEY_SECRET` (base64 PEM key)  
**Request config**: `REQUEST_METHOD` (default: GET), `REQUEST_PATH`,
`REQUEST_HOST` (default: api.cdp.coinbase.com)

## Usage

```bash
export KEY_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
export KEY_SECRET="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=="
export REQUEST_PATH="/platform/v2/evm/token-balances/base-sepolia/0x8fddcc0c5c993a1968b46787919cc34577d6dc5c"
node contrib/devtools/fetch-cdp-api.js
```

Alternative with CLI args:
```bash
node contrib/devtools/fetch-cdp-api.js \
  --key-id "..." --key-secret "..." \
  --path "/platform/v2/evm/token-balances/base-sepolia/0x..."
```

## Files

- `fetch-cdp-api.js` - Main implementation (390 lines)
- `fetch-cdp-api.sh` - Shell wrapper with validation
- `test-cdp-api.js` - Test suite (12 tests)
- `demo-cdp-api.sh` - Usage examples
- Documentation: `CDP_API_README.md`, `CDP_API_QUICKSTART.md`,
`CDP_API_IMPLEMENTATION.md`

## Security

- Credentials never logged (KEY_ID truncated in output)
- Environment variable-only credential management
- Input validation on all parameters
- No hardcoded secrets

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Sets the global Git user email to `kushmanmb.bitcoin@github.com` for all
commits in this development environment.

## Configuration Applied

- **Command executed**: `git config --global user.email
"kushmanmb.bitcoin@github.com"`
- **Scope**: Global (affects all repositories unless overridden locally)
- **Storage**: `~/.gitconfig`

All subsequent commits will be attributed to this email address by
default.

<!-- START COPILOT ORIGINAL PROMPT -->



<details>

<summary>Original prompt</summary>

> Configure Git globally to use the email address
'kushmanmb.bitcoin@github.com'. This ensures that all commits made using
Git will be associated with this email unless specifically overridden
for particular repositories. The change should be made on the user's
local development environment by running the following command:
> 
>     git config --global user.email "kushmanmb.bitcoin@github.com"
> 
> No code changes are needed in the repository; this is an
environment/configuration instruction.


</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

*This pull request was created from Copilot chat.*
>

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

  - Announced at: 2026-02-16-02-31-05
  - Type: ownership
  - ENS: Kushmanmb.base.eth, kushmanmb.eth
  - Workflow run: 22048128366

  This commit contains a timestamped announcement of Bitcoin
  ownership associated with the specified ENS names.
  No private keys or sensitive data are included.

## User Profile Form Implementation Plan

- [ ] Analyze existing website structure and styling
- [ ] Create user profile form HTML page
- [ ] Implement form validation in JavaScript
- [ ] Add CSS styling to match existing site design
- [ ] Add security features (CSP, input validation, XSS protection)
- [ ] Update navigation to include profile page link
- [ ] Test form functionality
- [ ] Run code review
- [ ] Run security scanning (CodeQL)

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

## Summary

Security audit identified command injection vulnerabilities (CWE-78) in
GitHub Actions workflows caused by direct interpolation of GitHub
context variables into shell commands.

## Changes

### Workflow Security Fixes

**bitcoin-ownership-announcement.yml**
- Move `github.event.inputs.announcement_type`, `github.run_id`,
`github.ref_name` from direct interpolation to env block

**etherscan-apiv2.yml**
- Move `github.event.inputs.{ens_name,api_endpoint}`,
`github.{repository,ref_name,run_id}`, and secrets to env block
- Fix variable reference inconsistencies (`ENS_NAME` → `ENS_NAME_INPUT`)

### Example

Before (vulnerable):
```yaml
- run: |
    endpoint="${{ github.event.inputs.api_endpoint }}"
    git push origin ${{ github.ref_name }}
```

After (secure):
```yaml
- env:
    API_ENDPOINT: ${{ github.event.inputs.api_endpoint }}
    REF_NAME: ${{ github.ref_name }}
  run: |
    endpoint="${API_ENDPOINT}"
    git push origin "${REF_NAME}"
```

### Documentation

**SECURITY_AUDIT.md**
- Blockchain code audit findings: no critical vulnerabilities in
consensus-critical code
- Workflow security issues and remediation
- Security strengths: secure allocators, bounds checking, cryptographic
implementations
- Recommendations for ongoing security practices

## Blockchain Code Assessment

Core implementation verified secure:
- Memory safety with `secure_allocator<unsigned char>` for private keys
- Proper bounds validation on buffer operations
- secp256k1 library for ECDSA
- Multi-level transaction validation
- Script execution limits enforced
- Integer overflow protections in place

CodeQL: 0 alerts

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

  - Announced at: 2026-02-16-03-20-13
  - Type: ownership
  - ENS: Kushmanmb.base.eth, kushmanmb.eth
  - Workflow run: 22048968481

  This commit contains a timestamped announcement of Bitcoin
  ownership associated with the specified ENS names.
  No private keys or sensitive data are included.

## Git pow documentation verification

- [x] Explore repository structure and locate relevant files
- [x] Identify existing documentation for Git workflow
- [x] Identify existing documentation for pow (proof of work)
- [x] Review pow source code (pow.h, pow.cpp)
- [x] Create comprehensive pow design documentation
- [x] Verify Git workflow documentation accuracy
- [x] Add cross-references between related documentation
- [x] Review and validate all changes
- [ ] Run code review
- [ ] Run security checks

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Implements proxy contract verification on Base network (chainid=8453)
per the provided API specification.

## Changes

**Multi-chain support**
- Added `chain_id` input parameter (`1` for Ethereum, `8453` for Base)
- Routes requests to `api.basescan.org` for Base, `api.etherscan.io` for
Ethereum
- ENS resolution skipped for non-mainnet chains

**Proxy verification endpoint**
- New `verify_proxy` endpoint with POST method
- Added `contract_address` and `implementation_address` inputs
- Implements `module=contract&action=verifyproxycontract` API call

**Example usage:**
```yaml
# Workflow inputs
api_endpoint: verify_proxy
chain_id: '8453'
contract_address: '0x4200000000000000000000000000000000000006'
implementation_address: '0x1F39De4e1fA3a5aa77202C14033AE37C49B0e337'
```

Generates:
```bash
curl -X POST 'https://api.basescan.org/api?module=contract&action=verifyproxycontract&address=0x4200000000000000000000000000000000000006&expectedimplementation=0x1F39De4e1fA3a5aa77202C14033AE37C49B0e337&apikey=...'
```

Existing endpoints (`account`, `transaction`, `contract`, `ens_resolve`)
unchanged.

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

Implement Node.js script to make eth_call requests to Ethereum smart
contracts via Etherscan API v2 proxy endpoint. This tool replicates
the curl command functionality from the problem statement.

- Add fetch-etherscan-eth-call.js: Main client script
- Add test-etherscan-eth-call.js: Comprehensive test suite
- Add demo-etherscan-eth-call.sh: Demo/example script
- Update contrib/devtools/README.md with documentation

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Create user-friendly quick start guide with common use cases,
troubleshooting tips, and practical examples for the Etherscan
eth_call API tool.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Added eth_blockNumber option to workflow api_endpoint choices
- Implemented proxy/eth_blockNumber handler that doesn't require address
- Updated logic to skip address resolution for eth_blockNumber
- Added proper output messages for eth_blockNumber endpoint
- Updated documentation with example curl command from problem statement

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Implements support for fetching current block number via Etherscan API
v2 proxy module:

```bash
curl "https://api.etherscan.io/v2/api?chainid=1&module=proxy&action=eth_blockNumber&apikey=<key>"
```

## Changes

**Workflow** (`.github/workflows/etherscan-apiv2.yml`):
- Added `eth_blockNumber` to `api_endpoint` input choices
- Skip address resolution for this endpoint (no address required)
- Case handler: `module=proxy`, `action=eth_blockNumber`, no params
- Updated conditional logic for output messages and summary

**Documentation** (`QUICKSTART_KUSHMANMB_ETH.md`):
- Added endpoint to usage list
- Example showing curl command format for both Ethereum mainnet and Base
network

## Implementation

The endpoint bypasses ENS/address resolution since block number queries
don't require an address:

```bash
if [ "${ENDPOINT}" = "eth_blockNumber" ]; then
  TARGET_ADDRESS=""
  # ... 
  MODULE="proxy"
  ACTION="eth_blockNumber"
  PARAMS=""
fi
```

Supports both Ethereum mainnet (chain ID 1) and Base network (chain ID
8453).

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

## Implementation Plan: createCDPEmbeddedWalletConnector

### Understanding
The task is to implement a `createCDPEmbeddedWalletConnector` function
for the bitcoin-onchain-app that will enable CDP (Coinbase Developer
Platform) Embedded Wallet integration with the existing OnchainKit
setup.

### Current State
- [x] Analyzed existing bitcoin-onchain-app structure
- [x] Reviewed OnchainKit provider setup in rootProvider.tsx
- [x] Identified dependencies: @coinbase/onchainkit, wagmi, viem
- [x] Understood current wallet implementation (using OnchainKit
defaults)

### Implementation Tasks
- [x] Create a utility file for CDP Embedded Wallet connector
configuration
- [x] Implement `createCDPEmbeddedWalletConnector` function with proper
wagmi connector setup
- [x] Update rootProvider.tsx to use the custom wagmi configuration
- [x] Add comprehensive documentation for the new connector function
- [ ] Add TypeScript type tests
- [ ] Test the implementation with local dev server
- [ ] Run linting
- [ ] Run code review
- [ ] Run security checks

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Implements Node.js CLI for making `eth_call` requests to Ethereum smart
contracts via Etherscan API v2 proxy endpoint.

## Implementation

- **`fetch-etherscan-eth-call.js`** - HTTPS client for Etherscan v2
`eth_call` endpoint with address/hex validation
- **`test-etherscan-eth-call.js`** - Unit tests covering validation,
result parsing, and API calls (14 tests)
- **`demo-etherscan-eth-call.sh`** - Usage examples

## Features

- Detects and formats common ERC20 function signatures (balanceOf,
decimals, totalSupply, etc.)
- Dual input: CLI args or env vars (`--to`/`TO_ADDRESS`,
`--data`/`CALL_DATA`, `--tag`/`TAG`)
- Auto-normalizes hex data (adds `0x` prefix if missing)

## Usage

```bash
ETHERSCAN_API_KEY=key node contrib/devtools/fetch-etherscan-eth-call.js \
  --to 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48 \
  --data 0x313ce567  # decimals()
```

Output includes raw hex result, parsed value for known functions, and
full JSON response.

## Documentation

- `contrib/devtools/README.md` - Tool reference
- `ETHERSCAN_ETH_CALL_IMPLEMENTATION.md` - Technical details and
function signatures
- `ETHERSCAN_ETH_CALL_QUICKSTART.md` - Common use cases and
troubleshooting

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Updates the resolver contract address for token transfer consolidation
from `0xAEEF46DB4855E25702F8237E8f403FddcaF931C0` to the new
implementation at `0x6fb9e80dDd0f5DC99D7cB38b07e8b298A57bF253`.

## Changes

- **`.github/workflows/etherscan-apiv2.yml`**: Updated
`RESOLVER_CONTRACT` to new implementation address
- **Documentation**: Updated curl examples in `ENS_CONFIGURATION.md` and
`QUICKSTART_KUSHMANMB_ETH.md`

## Impact

The `ens_resolve` endpoint now queries the new implementation when
performing token transfer operations:

```bash
curl "https://api.etherscan.io/v2/api?chainid=1&module=proxy&action=eth_call&to=0x6fb9e80dDd0f5DC99D7cB38b07e8b298A57bF253&data=0x70a08231000000000000000000000000e16359506c028e51f16be38986ec5746251e9724&tag=latest&apikey=<KEY>"
```

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Implements `npm create onchain-agent@latest` for scaffolding AI-powered
blockchain agent projects.

## Implementation

**CLI Package** (`/create-onchain-agent`)
- Interactive prompts (project name, API key, usage data)
- Project validation: lowercase alphanumeric + hyphens only
- Recursive template copying with `.env` generation
- Auto-installs dependencies post-scaffold
- Dependencies: prompts, chalk, ora

**Template** (Next.js 15 + React 19 + TypeScript)
- Agent interface component with chat UI and message history
- Wallet connection via Wagmi v2 + Coinbase Smart Wallet
- OnchainKit integration with Base/Base Sepolia chains pre-configured
- Provider setup: `rootProvider.tsx` wraps Wagmi, React Query,
OnchainKit
- ESLint config uses Next.js built-in (no extra deps)

**Generated Project Structure**
```
my-agent/
├── app/
│   ├── components/
│   │   ├── AgentInterface.tsx      # Chat UI, message state
│   │   └── ConnectButton.tsx       # Wallet connection
│   ├── rootProvider.tsx            # Wagmi + OnchainKit providers
│   └── walletConnectors.ts         # Chain/connector config
├── .env                            # Generated with user inputs
└── package.json                    # Next 15.3.9+, React 19
```

**Security**
- Input validation prevents injection (regex + path.join for all fs ops)
- No command injection (npm install in controlled directory only)
- `.env` excluded from git, API keys never logged

**Documentation**
- `CREATE_ONCHAIN_AGENT_GUIDE.md`: Setup, configuration, deployment
- `USAGE_EXAMPLE.md`: Common agent patterns (trading, NFT, DeFi)
- Updated root README with tool reference

## Usage

```bash
npm create onchain-agent@latest
# Prompts for: name, API key (optional), telemetry
# Creates: Complete Next.js app with agent UI + wallet
# Auto-runs: npm install
```

Template includes placeholder agent logic in `AgentInterface.tsx` for
developers to implement custom behavior (smart contract calls,
blockchain queries, etc.).

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Created .github/rulesets/ directory with JSON configuration files
- Added master-branch-protection.json with PR requirements and status checks
- Added release-branch-protection.json for release/* branches
- Added development-branches.json for feature/fix/docs branches
- Added release-tags-protection.json for version tag protection
- Created comprehensive README.md with usage instructions
- Added apply-rulesets.sh script for easy ruleset management

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Created IMPLEMENTATION_NOTES.md explaining rule types
- Documented differences between RULESETS.md specifications and API implementation
- Clarified bypass actors configuration
- Added validation and testing recommendations

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Remove unused filename variable
- Add -r flag to read command to properly handle backslashes

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Created QUICKSTART.md with step-by-step instructions
- Included testing procedures and troubleshooting
- Added common commands reference

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Implements GitHub repository rulesets as version-controlled JSON
configurations with API deployment tooling.

## Changes

**Ruleset Configurations** (`.github/rulesets/`)
- `master-branch-protection.json` - Enforces PR approval, code owner
review, required status checks (ci, lint, CodeQL, secret scanning),
blocks force push/deletion
- `release-branch-protection.json` - Enforces PR approval, blocks force
push/deletion
- `release-tags-protection.json` - Restricts tag
creation/deletion/modification to repository admins
- `development-branches.json` - Minimal restrictions for `feature/*`,
`fix/*`, `docs/*` branches

**Tooling**
- `apply-rulesets.sh` - CLI tool for creating, listing, and verifying
rulesets via GitHub API
- Requires `gh` CLI and `jq`, validates JSON, provides rollback
capability

**Documentation**
- `README.md` - API usage, manual application, troubleshooting
- `QUICKSTART.md` - 3-step deployment guide
- `IMPLEMENTATION_NOTES.md` - Rule type mappings, bypass actor
configuration

## Usage

```bash
# Deploy all rulesets
.github/rulesets/apply-rulesets.sh --create

# Verify active
.github/rulesets/apply-rulesets.sh --verify
```

## Technical Notes

Rulesets use GitHub's API actor_id `5` (RepositoryRole) for admin
bypass. Status check contexts match existing workflow job names. Tag
protection uses `creation`/`deletion`/`update` rule types to restrict
operations rather than GPG signature enforcement (not available in
Rulesets API).

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `https://api.github.com/graphql`
>   - Triggering command: `/usr/bin/gh gh auth status` (http block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/kushmanmb-org/bitcoin/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Creates a minimal starter project demonstrating CDP SDK setup with
TypeScript, following the specified initialization pattern.

## Changes

- **cdp-sdk-example/** - New directory with npm package configured as ES
module
- `main.ts` - TypeScript entry point with environment validation and
usage guidance
  - `.env` - Credential template (gitignored)
  - `package.json` - ES module configuration with `npm start` script
  - `README.md` - Setup instructions and CDP API integration references
  - `.gitignore` - Protects node_modules and environment files

## Structure

```typescript
// main.ts
import { config } from 'dotenv';
config();

async function main() {
  console.log('CDP_API_KEY_NAME:', process.env.CDP_API_KEY_NAME ? '✓ Set' : '✗ Not set');
  // ... usage instructions
}
```

Package configured with `type: "module"` for native ES module support.
Environment file properly excluded from version control via existing
repository `.gitignore` rules.

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

- Create 5 validator actions: code quality, security, dependencies, commit messages, secure environment
- Add 4 comprehensive workflows: automated validators, test suite, lint and build, runner health check
- Add KEY_MANAGEMENT_GUIDE.md with comprehensive secrets and key rotation procedures
- All workflows support self-hosted runners via USE_SELF_HOSTED variable
- Implement security best practices for CI/CD pipelines

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Create detailed README for workflows and validators
- Update DOCUMENTATION_INDEX with new automation sections
- Document all validators, workflows, and their usage
- Add troubleshooting guides and best practices

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Add workflow-level and job-level permissions blocks
- Follow principle of least privilege (contents: read)
- Resolves all CodeQL security alerts
- Ensures GITHUB_TOKEN has minimal required permissions

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Create AUTOMATED_VALIDATORS_IMPLEMENTATION.md
- Document all implementations, features, and usage
- Include testing results and security enhancements
- Provide maintenance guidelines and future enhancements

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Implements automated validation pipeline with self-hosted runner support
and comprehensive key management for CI/CD security.

## Validator Actions

- **validate-code-quality**: clang-format, whitespace, tabs, file
permissions
- **validate-security**: hardcoded secrets, unsafe C functions, SQL
injection patterns, dependency vulnerabilities
- **validate-dependencies**: npm audit, safety (Python), Maven analysis
- **validate-commit-messages**: conventional commit enforcement
- **setup-secure-environment**: GPG/SSH config, secure temp dirs, secret
detection

## Workflows

**automated-validators.yml**: Runs all validators on push/PR with
artifact uploads
**test-suite.yml**: Unit (C++/Python), lint (flake8/pylint/shellcheck),
functional tests
**lint-and-build.yml**: Multi-language linting + CMake builds with
ccache
**runner-health-check.yml**: Scheduled infrastructure monitoring (6h
interval)

All workflows support `USE_SELF_HOSTED` variable for runtime runner
selection with GitHub-hosted fallback.

## Key Management

**KEY_MANAGEMENT_GUIDE.md** documents:
- Rotation schedules (90d prod, 180d staging, 365d SSH/GPG)
- Encrypted secrets via GPG/Age
- Emergency procedures
- Audit compliance

## Security

Added explicit `permissions: contents: read` to all workflows (resolves
19 CodeQL alerts). Implements least-privilege GITHUB_TOKEN access.

## Usage

```yaml
# Enable in repo variables
USE_SELF_HOSTED: true

# Use validators in any workflow
- uses: ./.github/actions/validate-security
  with:
    check-secrets: 'true'
    check-dependencies: 'true'
```

Documentation: `.github/workflows/README.md`,
`AUTOMATED_VALIDATORS_IMPLEMENTATION.md`

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Add rpctoken.py utility for token generation
- Implement Bearer token validation in httprpc.cpp
- Add -rpctoken configuration parameter support
- Add functional test for token authentication
- Update documentation for token authentication

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Add spaces after comment slashes per style guide
- Fix dictionary literal spacing in rpctoken.py per PEP 8

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Use more robust path construction in test
- Add proper subprocess error handling with communicate()
- Rename odict to credentials_dict for clarity

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Use JSON output format for parsing token generation results
- Clarify help text for optional token parameter
- Add explicit rpctoken= prefix in config file writes

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Add detailed Bearer token authentication guide (doc/bearer-token-auth.md)
- Add Python example script demonstrating token usage
- Include configuration examples and security best practices
- Document troubleshooting and comparison with Basic auth

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Implements automated deployment of GitLab agent for Kubernetes cluster
integration using Helm.

## Changes

**New deployment structure:**
- `deployment/gitlab-agent/install.sh` - Automated Helm installation
with configurable parameters
- `deployment/gitlab-agent/uninstall.sh` - Cleanup script with timeout
handling
- `deployment/gitlab-agent/README.md` - Setup and configuration
documentation
- `deployment/gitlab-agent/.env.example` - Environment variable template

**Key implementation details:**
- Agent token via `GITLAB_AGENT_TOKEN` environment variable (no
hardcoded credentials)
- Configurable via env vars: agent name, namespace, KAS address
- Defaults: agent `kushbot801`, namespace `gitlab-agent-kushbot801`, KAS
`wss://kas.gitlab.com`
- Script validation ensures token is set before execution

## Usage

```bash
export GITLAB_AGENT_TOKEN='<your-token>'
./deployment/gitlab-agent/install.sh
```

All configuration overridable via environment variables
(`GITLAB_AGENT_NAME`, `GITLAB_AGENT_NAMESPACE`, `GITLAB_KAS_ADDRESS`).

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

Bitcoin Core RPC authentication was limited to Basic auth
(username:password). This adds Bearer token support for modern API
integrations and stateless authentication flows.

## Implementation

**Core Changes**
- `src/httprpc.cpp`: Added `CheckTokenAuthorized()` with
timing-resistant token validation via HMAC-SHA256
- `src/httprpc.cpp`: Extended `RPCAuthorized()` to handle
`Authorization: Bearer <token>` headers alongside existing Basic auth
- `src/init.cpp`: Added `-rpctoken=<username>:<salt>$<hash>`
configuration parameter

**Tooling**
- `share/rpcauth/rpctoken.py`: Token generation utility matching
`rpcauth.py` interface
- `test/functional/rpc_token_auth.py`: Functional test coverage for
token authentication flows

**Documentation**
- `doc/bearer-token-auth.md`: Usage guide with curl/Python/JavaScript
examples
- `share/rpcauth/bearer_token_example.py`: Reference implementation

## Usage

Generate a token:
```bash
$ python3 share/rpcauth/rpctoken.py apiuser
String to be appended to bitcoin.conf:
rpctoken=apiuser:14371a7b6bd55af41895ed5fedb7f745$c77cc...
Your token:
nB06tMrfJzrc3F7nLmNROGnhpADD4C83h2sTaSNi1lw
```

Use with curl:
```bash
curl -H "Authorization: Bearer nB06tMrfJzrc3F7nLmNROGnhpADD4C83h2sTaSNi1lw" \
     -d '{"method":"getblockcount"}' http://localhost:8332/
```

## Technical Notes

- Reuses existing `g_rpcauth` pattern with separate `g_rpctoken` storage
- Compatible with `-rpcwhitelist` for per-user method restrictions
- Zero breaking changes - Basic auth continues to work
- CodeQL clean (0 alerts)

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Integrates GitGuardian to automatically detect hardcoded secrets, API
keys, and credentials in commits.

## Changes

- **Workflow** (`.github/workflows/gitguardian.yml`)
  - Scans on PR, push, and daily schedule (2 AM UTC)
  - Uses pinned version `v1.33.0` for stability
- Integrates with GitHub Security tab via `security-events: write`
permission

- **Documentation** (`GITGUARDIAN_SETUP.md`)
  - Setup instructions for `GITGUARDIAN_API_KEY` secret configuration
  - Remediation guide for detected secrets
  - Troubleshooting common issues

## Setup Required

Repository admin must add `GITGUARDIAN_API_KEY` secret. Workflow shows
"action required" status until configured. See `GITGUARDIAN_SETUP.md`
for details.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> -
`https://api.github.com/repos/GitGuardian/ggshield-action/releases/latest`
>   - Triggering command: `/usr/bin/curl curl -s REDACTED` (http block)
> - `https://api.github.com/repos/GitGuardian/ggshield-action/tags`
>   - Triggering command: `/usr/bin/curl curl -sL REDACTED` (http block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/kushmanmb-org/bitcoin/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

## GitHub Attestation Verification for kushmanmb.base.eth

### Completed
- [x] Add attestation generation to build artifacts in
lint-and-build.yml workflow
- [x] Update workflow permissions to include id-token and attestations
write
- [x] Add attestation step for bitcoind, bitcoin-cli, and bitcoin-tx
binaries
- [x] Create verification workflow (verify-attestation.yml) to verify
attestations
- [x] Create standalone verification script
(contrib/verify-attestation.sh)
- [x] Create comprehensive attestation documentation
(ATTESTATION_VERIFICATION.md)
- [x] Update README.md with attestation information
- [x] Update DOCUMENTATION_INDEX.md to include attestation docs

### Remaining
- [ ] Test the attestation generation and verification process
- [ ] Run code review
- [ ] Run security scan

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Adds web3 library as a project dependency.

## Changes
- Created `requirements.txt` with `web3==7.14.1`

Install with:
```bash
pip install -r requirements.txt
```

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

- Add fetch-withdrawal-credentials.js: Query and decode Ethereum validator withdrawal credentials
- Add test-withdrawal-credentials.js: Comprehensive test suite with 9 test cases
- Add demo-withdrawal-credentials.sh: Interactive demo script
- Add WITHDRAWAL_CREDENTIALS_README.md: Detailed documentation
- Update contrib/devtools/README.md: Document new tool

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Adds tooling to query and decode Ethereum 2.0 validator withdrawal
credentials via Beacon Chain API or offline analysis.

## Implementation

- **`fetch-withdrawal-credentials.js`**: Query validators by
index/pubkey or decode credentials hex directly
- Distinguishes 0x00 (BLS, requires upgrade) from 0x01 (execution
address, withdrawal-ready)
  - Extracts and validates execution addresses from 0x01 type
  - Integrates with Beacon Chain API (beaconcha.in default)

- **`test-withdrawal-credentials.js`**: Test suite covering both
credential types, validation, and error cases

- **`demo-withdrawal-credentials.sh`**: Usage demonstrations

- **Documentation**: `WITHDRAWAL_CREDENTIALS_README.md` and updated
`contrib/devtools/README.md`

## Usage

```bash
# Decode offline
node contrib/devtools/fetch-withdrawal-credentials.js \
  --decode 0x010000000000000000000000e16359506c028e51f16be38986ec5746251e9724

# Query live validator
node contrib/devtools/fetch-withdrawal-credentials.js --index 12345
```

Output identifies credential type, extracts execution address (0x01),
and flags legacy credentials needing upgrade (0x00).

Follows existing patterns from `fetch-etherscan-eth-call.js` and related
Ethereum integration tools.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `ethereum.org`
> - Triggering command:
`/home/REDACTED/work/_temp/ghcca-node/node/bin/node
/home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps
/home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js`
(dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/kushmanmb-org/bitcoin/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Implements comprehensive verification for the Ethereum withdrawal
credentials decoder (CBSC: Credentials Beacon Signature Check).

## Changes

**Automated verification script** (`verify-cbsc.sh`)
- Runs 25+ validation tests covering credential decoding, format
validation, error handling, and documentation
- Tests both 0x00 (BLS) and 0x01 (execution address) credential types
- Validates address extraction and padding verification
- All tests currently passing (100%)

**Verification documentation** (`CBSC_VERIFICATION.md`)
- Complete verification checklist for credential format, Beacon Chain
data, and BLS signatures
- Security best practices and troubleshooting guide
- References to EIP-4895 and EIP-7044 specifications

**Usage:**
```bash
bash contrib/devtools/verify-cbsc.sh
```

Output confirms all withdrawal credentials components (format
validation, address extraction, error handling) are working correctly.

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

- Fix command injection in ci.yml arithmetic expression
- Fix secret exposure in etherscan-apiv2.yml API calls
- Update SECURITY_AUDIT.md with new findings

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Security audit identified two vulnerabilities in GitHub Actions
workflows: direct GitHub context interpolation enabling command
injection, and secrets exposed in curl URLs.

## Changes

**Command injection in CI workflow**
- `.github/workflows/ci.yml`: Isolated
`github.event.pull_request.commits` through env block before shell
arithmetic
```yaml
# Before: vulnerable to injection
run: echo "FETCH_DEPTH=$((${{ github.event.pull_request.commits }} + 2))" >> "$GITHUB_ENV"

# After: sanitized through environment variable
env:
  PR_COMMITS: ${{ github.event.pull_request.commits }}
run: echo "FETCH_DEPTH=$(($PR_COMMITS + 2))" >> "$GITHUB_ENV"
```

**Secret exposure in API calls**
- `.github/workflows/etherscan-apiv2.yml`: Changed curl to use env
variable instead of direct secret interpolation
```yaml
# Before: exposes secret in process listing
curl -s "${api_url}&apikey=${{ secrets.ETHERSCAN_API_KEY }}"

# After: uses existing env variable
curl -s "${api_url}&apikey=${ETHERSCAN_API_KEY}"
```

**Documentation**
- `SECURITY_AUDIT.md`: Added findings for 2026-02-19 audit

## Validation
- CodeQL: 0 alerts
- Comprehensive scan: no hardcoded secrets, SQL injection, or path
traversal vulnerabilities found

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

The problem statement requested executing `git stash apply`, but no
stash entries exist in the repository.

## Investigation Results

- Repository has no stash entries (`git stash list` empty)
- No unreferenced stash objects found via `git fsck`
- Remote repository contains no stash references
- Command correctly returns: "No stash entries found"

## Status

No changes required. The repository is in a clean state with no stashed
changes to apply. If specific code changes were intended to be stashed
and applied, please provide the stash reference or the expected changes.

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Created src/common/app_constants.h for shared application constants
- Removed duplicate CONTINUE_EXECUTION definitions from bitcoin-cli.cpp, bitcoin-tx.cpp, and bitcoin-util.cpp
- All three files now include the shared header for this constant
- Reduces code duplication and improves maintainability

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

- Added app_error namespace to app_constants.h with common error messages
- Replaced duplicate error messages in bitcoin-cli.cpp, bitcoin-tx.cpp, bitcoin-util.cpp, and bitcoin-wallet.cpp
- Eliminated 8 duplicate string literals across 4 files
- Improves consistency and maintainability of error messages

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Address code review feedback:
- Changed static constexpr to inline constexpr for CONTINUE_EXECUTION
- Changed namespace-scope constexpr to inline constexpr for error messages
- Prevents ODR violations and code bloat from multiple instances per translation unit
- Follows C++17 best practices for header-only constants

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Audit identified duplicate constants and error message strings across
command-line tools (bitcoin-cli, bitcoin-tx, bitcoin-util,
bitcoin-wallet).

## Changes

- **Created `src/common/app_constants.h`** with shared constants using
`inline constexpr` for C++17 ODR compliance
  - `CONTINUE_EXECUTION` constant (was duplicated in 3 files)
- `app_error` namespace with 3 common error messages (duplicated across
4 files)

- **Updated 4 command-line tools** to use shared constants instead of
local duplicates

## Example

Before:
```cpp
// bitcoin-cli.cpp
static const int CONTINUE_EXECUTION=-1;
tfm::format(std::cerr, "Error parsing command line arguments: %s\n", error);

// bitcoin-tx.cpp  
static const int CONTINUE_EXECUTION=-1;
tfm::format(std::cerr, "Error parsing command line arguments: %s\n", error);
```

After:
```cpp
// common/app_constants.h
inline constexpr int CONTINUE_EXECUTION = -1;
namespace app_error {
    inline constexpr const char* COMMAND_LINE_PARSE_ERROR = "Error parsing command line arguments: %s\n";
}

// bitcoin-cli.cpp, bitcoin-tx.cpp, etc.
tfm::format(std::cerr, app_error::COMMAND_LINE_PARSE_ERROR, error);
```

Eliminates 11 duplicate literals. Uses `inline constexpr` to prevent
multiple definition issues across translation units.

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Resolved linting errors identified during codebase audit: unused scope
declarations, PEP 8 violations, shell script safety issues, and unused
variables.

### Python
- Removed unnecessary `nonlocal`/`global` declarations (F824) - list
mutation doesn't require scope declaration
- Fixed PEP 8 violations in `.github/configs/`: whitespace, line length,
blank lines

### Shell Scripts
- Added `-r` flag to `read` commands in `contrib/devtools/check-deps.sh`
to prevent backslash mangling
- Removed unused `YELLOW` variable in `contrib/devtools/verify-cbsc.sh`

### JavaScript
- Suppressed eslint warning for `setWasmModule` state reserved for
future WASM integration

### Dependencies
- Updated Vite (5.2.0 → 7.3.1) and Vitest (1.4.0 → 4.0.18)
- Production dependencies: 0 vulnerabilities
- Dev dependencies: 10 known ESLint-related vulnerabilities documented
in `app/SECURITY_NOTES.md` (ReDoS in linting tools, no runtime impact)

<!-- START COPILOT CODING AGENT TIPS -->
---

🔒 GitHub Advanced Security automatically protects Copilot coding agent
pull requests. You can protect all pull requests by enabling Advanced
Security for your repositories. [Learn more about Advanced
Security.](https://gh.io/cca-advanced-security)

Adds `./start.sh` as single-command entrypoint to build and run the
application.

## Implementation

- **Prerequisites validation**: Checks Node.js, npm/yarn, Rust,
wasm-pack with version reporting
- **WASM build**: Invokes `pdf-utils/wasm/generate_wasm.sh` if toolchain
available, degrades gracefully if not
- **Dependency management**: Prefers yarn over npm, installs frontend
deps automatically
- **Dev server**: Launches Vite on localhost:3000

## Technical Details

- Uses `set -euo pipefail` for fail-fast execution
- Color-coded log levels (INFO/WARN/ERROR/STEP) for output clarity
- Resolves script directory dynamically for path independence
- Shellcheck compliant (SC2155 addressed via separate declare/assign)

## Usage

```bash
./start.sh
# Validates prerequisites → builds WASM → installs deps → starts dev server
```

Script auto-detects missing tools and provides installation guidance
rather than failing silently.

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

## Security Enhancement Plan: Prevent Data Leaks

### Current State Analysis
- ✅ GitGuardian workflow configured for secret scanning
- ✅ Comprehensive .gitignore covering sensitive files
- ✅ CodeQL analysis for security vulnerabilities
- ✅ Proper secrets management in GitHub workflows

### Enhancement Plan

- [ ] Add pre-commit hooks to prevent accidental secret commits
- [ ] Create security configuration file for consistent scanning
- [ ] Add workflow step to mask sensitive outputs
- [ ] Document security best practices for contributors
- [ ] Add secret detection rules to CI/CD pipeline
- [ ] Create automated security audit script
- [ ] Add security checklist for PRs
- [ ] Configure Dependabot for security updates
- [ ] Add SECURITY_AUDIT_CHECKLIST.md
- [ ] Enhance workflow output sanitization

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Existing ruleset configurations require exact status check name matches
that may not align with actual workflow outputs. This adds verification
tooling and a simplified alternative.

## Added Files

**Configurations:**
- `master-branch-protection-simple.json` - Ruleset without status check
dependencies, applies immediately while full version is verified

**Tooling:**
- `verify-status-checks.sh` - Extracts actual status check names from
PRs and workflows for validation
- `STATUS_CHECK_NOTES.md` - Documents status check context naming and
common mismatches

**Documentation:**
- `APPLICATION_GUIDE.md` - Prerequisites, authentication, and
application procedures with both simplified and full paths
- `RULESETS_IMPLEMENTATION_COMPLETE.md` - Implementation summary with
quick start

**Updates:**
- `README.md` - Quick links section

## Usage

Simplified approach (recommended initial setup):
```bash
gh auth login
gh api --method POST \
  -H "Accept: application/vnd.github+json" \
  repos/kushmanmb-org/bitcoin/rulesets \
  --input .github/rulesets/master-branch-protection-simple.json
```

Verification of status checks for full version:
```bash
.github/rulesets/verify-status-checks.sh
# Review output, update master-branch-protection.json with actual context names
```

## Key Differences

**Simplified ruleset:**
- Requires PR approval + code owner review
- Blocks force pushes and deletions
- No status check dependencies

**Full ruleset:**
- Adds status check requirements (CI, lint, CodeQL, secret scanning)
- Requires exact context name matches from workflows

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `https://api.github.com/graphql`
>   - Triggering command: `/usr/bin/gh gh auth status` (http block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/kushmanmb-org/bitcoin/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Bumps the npm_and_yarn group with 1 update in the /bitcoin-onchain-app directory: [hono](https://github.com/honojs/hono).


Updates `hono` from 4.11.9 to 4.12.0
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](https://github.com/honojs/hono/compare/v4.11.9...v4.12.0)

---
updated-dependencies:
- dependency-name: hono
  dependency-version: 4.12.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps the npm_and_yarn group with 1 update in the /bitcoin-onchain-app
directory: [hono](https://github.com/honojs/hono).

Updates `hono` from 4.11.9 to 4.12.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/honojs/hono/releases">hono's
releases</a>.</em></p>
<blockquote>
<h2>v4.12.0</h2>
<h1>Release Notes</h1>
<p>Hono v4.12.0 is now available!</p>
<p>This release includes new features for the Hono client, middleware
improvements, adapter enhancements, and significant performance
improvements to the router and context.</p>
<h2><code>$path</code> for Hono Client</h2>
<p>The Hono client now has a <code>$path()</code> method that returns
the path string instead of a full URL. This is useful when you need just
the path portion for routing or key-based operations:</p>
<pre lang="ts"><code>const client = hc&lt;typeof
app&gt;('http://localhost:8787')
<p>// Get the path string
const path = client.api.posts.$path()
// =&gt; '/api/posts'</p>
<p>// With path parameters
const postPath = client.api.posts[':id'].$path({
param: { id: '123' },
})
// =&gt; '/api/posts/123'</p>
<p>// With query parameters
const searchPath = client.api.posts.$path({
query: { filter: 'test' },
})
// =&gt; '/api/posts?filter=test'
</code></pre></p>
<p>Unlike <code>$url()</code> which returns a <code>URL</code> object,
<code>$path()</code> returns a plain path string, making it convenient
for use with routers or as cache keys.</p>
<p>Thanks <a
href="https://github.com/ShaMan123"><code>@​ShaMan123</code></a>!</p>
<h2><code>ApplyGlobalResponse</code> Type Helper for RPC Client</h2>
<p>The new <code>ApplyGlobalResponse</code> type helper allows you to
add global error response types to all routes in the RPC client. This is
useful for typing common error responses from <code>app.onError()</code>
or global middlewares:</p>
<pre lang="ts"><code>const app = new Hono()
  .get('/api/users', (c) =&gt; c.json({ users: ['alice', 'bob'] }, 200))
  .onError((err, c) =&gt; c.json({ error: err.message }, 500))
<p>type AppWithErrors = ApplyGlobalResponse&lt;
typeof app,
{
401: { json: { error: string; message: string } }
500: { json: { error: string; message: string } }
}
&lt;/tr&gt;&lt;/table&gt;
</code></pre></p>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/honojs/hono/commit/d2ed2e9c966d82e2369bd74bdae4acd4e8f57807"><code>d2ed2e9</code></a>
4.12.0</li>
<li><a
href="https://github.com/honojs/hono/commit/01e78adc637de2bc4ae532cf4a80bf7863652f8e"><code>01e78ad</code></a>
Merge pull request <a
href="https://redirect.github.com/honojs/hono/issues/4735">#4735</a>
from honojs/next</li>
<li><a
href="https://github.com/honojs/hono/commit/a340a25fc6065f41328a20068c495f8a32410401"><code>a340a25</code></a>
perf(context): use <code>createResponseInstance</code> for new Response
(<a
href="https://redirect.github.com/honojs/hono/issues/4733">#4733</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/bd26c3129f8e159864d3f96522f44e900516e847"><code>bd26c31</code></a>
perf(trie-router): improve performance (1.5x ~ 2.0x) (<a
href="https://redirect.github.com/honojs/hono/issues/4724">#4724</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/b85c1e032864322c581f4d04652d37ef59130eee"><code>b85c1e0</code></a>
feat(types): Add exports field to ExecutionContext (<a
href="https://redirect.github.com/honojs/hono/issues/4719">#4719</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/02346c6d945a10c98f54ae51622e8c7afbe3bad4"><code>02346c6</code></a>
feat(language): add progressive locale code truncation to
normalizeLanguage (...</li>
<li><a
href="https://github.com/honojs/hono/commit/7438ab93553ce61773e2a74376972777602f08ff"><code>7438ab9</code></a>
perf(context): add fast path to c.json() matching c.text() optimization
(<a
href="https://redirect.github.com/honojs/hono/issues/4707">#4707</a>)</li>
<li><a
href="https://github.com/honojs/hono/commit/034223f1bf8db3c98e4bf2d11d597c94362729d7"><code>034223f</code></a>
feat(trailing-slash): add <code>alwaysRedirect</code> option to support
wildcard routes ...</li>
<li><a
href="https://github.com/honojs/hono/commit/16321afd47e1bf8f48d06d9d8a2eae6b607c73ef"><code>16321af</code></a>
feat(adapter): add getConnInfo for AWS Lambda, Cloudflare Pages, and
Netlify ...</li>
<li><a
href="https://github.com/honojs/hono/commit/bf37828d6df56618bb90649c65c1c4deb2f9bcd6"><code>bf37828</code></a>
feat(basic-auth): add context key and callback options (<a
href="https://redirect.github.com/honojs/hono/issues/4645">#4645</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/honojs/hono/compare/v4.11.9...v4.12.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=hono&package-manager=npm_and_yarn&previous-version=4.11.9&new-version=4.12.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/kushmanmb-org/bitcoin/network/alerts).

</details>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>

Repository has comprehensive ruleset configurations and policy
documentation but lacks validation automation.

## Changes

### New GitHub Actions Workflow

**`.github/workflows/apply-rulesets.yml`**
- Validates JSON syntax of all ruleset configurations (master, release,
development branches, tags)
- Verifies required rulesets are defined with active enforcement
- Checks policy documentation completeness (POLICY.md, RULESETS.md,
SECURITY.md, CONTRIBUTING.md)
- Generates summary reports with configuration details
- Triggers on changes to `.github/rulesets/*.json` or policy documents
- Supports manual dispatch with actions: `verify`, `apply`, `list`

**Two jobs:**
1. `verify-rulesets` - Validates configurations, lists active rulesets,
provides application instructions
2. `policy-check` - Verifies documentation, validates CODEOWNERS if
present

### Documentation Update

**`.github/rulesets/README.md`**
- Added "Automated Workflow" section with trigger instructions and
result viewing

## Workflow Triggers

```yaml
on:
  push:
    branches: [master]
    paths: ['.github/rulesets/*.json', 'RULESETS.md', 'POLICY.md']
  pull_request:
    branches: [master]
    paths: ['.github/rulesets/*.json', 'RULESETS.md', 'POLICY.md']
  workflow_dispatch:
    inputs:
      action: [verify, apply, list]
```

Manual trigger via CLI:
```bash
gh workflow run apply-rulesets.yml -f action=verify
```

The workflow validates but does not apply rulesets (requires admin
permissions). It provides clear instructions for manual application via
`apply-rulesets.sh` script or GitHub API.

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

CI builds were failing because CMake enabled IPC support by default,
requiring Cap'n Proto library which wasn't installed in the runner
environment.

## Changes

- Added `-DENABLE_IPC=OFF` to CMake configuration in
`lint-and-build.yml` and `test-suite.yml`

This aligns CI configuration with other platform-specific builds
(Windows, i686) that already disable IPC when dependencies are
unavailable.

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/kushmanmb-org/bitcoin/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.