
chore: sync main into audit-q1-2026#7835

Closed
larryob wants to merge 19 commits into audit-q1-2026 from sync-main-to-audit-q1-2026

Conversation

@larryob
Contributor

@larryob larryob commented Jan 20, 2026

Syncs latest main branch changes into audit-q1-2026.

tkporter and others added 19 commits January 16, 2026 02:04
@changeset-bot

changeset-bot bot commented Jan 20, 2026

🦋 Changeset detected

Latest commit: 4c2292c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 21 packages
Name Type
@hyperlane-xyz/aleo-sdk Minor
@hyperlane-xyz/cli Minor
@hyperlane-xyz/warp-monitor Patch
@hyperlane-xyz/rebalancer Patch
@hyperlane-xyz/infra Minor
@hyperlane-xyz/ccip-server Minor
@hyperlane-xyz/cosmos-sdk Minor
@hyperlane-xyz/utils Minor
@hyperlane-xyz/sdk Minor
@hyperlane-xyz/deploy-sdk Minor
@hyperlane-xyz/provider-sdk Minor
@hyperlane-xyz/radix-sdk Minor
@hyperlane-xyz/metrics Minor
@hyperlane-xyz/widgets Minor
@hyperlane-xyz/helloworld Minor
@hyperlane-xyz/http-registry-server Minor
@hyperlane-xyz/starknet-core Minor
@hyperlane-xyz/cosmos-types Minor
@hyperlane-xyz/eslint-config Minor
@hyperlane-xyz/github-proxy Minor
@hyperlane-xyz/tsconfig Minor


@claude
Contributor

claude bot commented Jan 20, 2026

Claude finished @larryob's task in 2m 8s

Security Analysis Complete

Analyzing PR for Trail of Bits security patterns and Hyperlane-specific concerns...

  • Gather context on changed files
  • Analyze Rust agent changes for security issues
  • Review TypeScript SDK changes (hook modules, warp routes, ICA verification)
  • Review AltVM SDK hook implementations (Aleo, Cosmos, Radix)
  • Check for Hyperlane-specific security concerns
  • Provide security summary with findings

Security Analysis Summary

This PR syncs main branch changes into the audit-q1-2026 branch. No Solidity contract files were changed. The changes are focused on Rust agents, TypeScript SDK/CLI, and AltVM hook implementations.

Findings

🟢 LOW - Rust: Nonce Boundary Update After Finalization (Good Pattern)

Location: rust/main/lander/src/adapter/chains/ethereum/adapter.rs:793-799

The new post_finalized() method updates nonce boundaries when transactions are finalized:

async fn post_finalized(&self) -> Result<(), LanderError> {
    self.nonce_manager
        .nonce_updater
        .update_boundaries()
        .await
        .map_err(Into::into)
}

Assessment: This is a positive security change. It ensures the nonce manager stays in sync with on-chain state after finalization, reducing the risk of nonce-related transaction failures or stuck messages.


🟢 LOW - Rust: Memory Optimization with Arc (Good Pattern)

Location: rust/main/agents/relayer/src/settings/mod.rs, db_loader.rs, metadata/base.rs

Changed metric_app_contexts: Vec<(MatchingList, String)> to Arc<Vec<(MatchingList, String)>>.

Assessment: Reduces memory allocation by sharing the app contexts across multiple components. No security concern - this is an optimization.


🟢 LOW - Rust: Aleo Protocol Added to Lander Submitter

Location: rust/main/hyperlane-base/src/settings/parser/mod.rs:297

None => match connection.protocol() {
    HyperlaneDomainProtocol::Ethereum
    | HyperlaneDomainProtocol::Aleo  // New
    | HyperlaneDomainProtocol::Radix
    | HyperlaneDomainProtocol::Sealevel => SubmitterType::Lander,

Assessment: Expands protocol support. No security concern.


🟡 INFORMATIONAL - TypeScript: New ICA Owner Verification Feature

Location: typescript/cli/src/check/warp.ts:105-197

New runWarpIcaOwnerCheck() function verifies that destination chain owners match expected ICA addresses derived from the origin chain owner.

Assessment: This is a good security feature - it helps ensure warp routes have proper ICA ownership configuration. The implementation correctly:

  • Validates origin chain has an owner configured
  • Filters to only EVM chains (ICA is EVM-specific)
  • Uses the InterchainAccount SDK to derive expected addresses
  • Properly reports mismatches

🟡 INFORMATIONAL - TypeScript: Deferred Signer Initialization

Location: typescript/cli/src/context/context.ts:310-353

New ensureEvmSignersForChains() function allows lazy signer attachment for commands with interactive chain selection.

Assessment: The implementation correctly:

  • Filters to only EVM chains
  • Checks if signers already exist before creating new ones
  • Uses the existing MultiProtocolSignerManager infrastructure
  • Properly handles ZkSync chains and strategy-based keys

No security issues identified.


🟡 INFORMATIONAL - TypeScript: Hook Artifact API Refactoring

Location: typescript/deploy-sdk/src/hook/, typescript/aleo-sdk/src/hook/, typescript/cosmos-sdk/src/hook/

Major refactoring of hook deployment to use an Artifact-based API:

  • Removed AltVMHookModule and AltVMHookReader
  • Added HookWriter and HookReader with artifact manager pattern
  • Protocol-specific implementations for Aleo and Cosmos

Assessment: The refactoring maintains the same security properties:

  • IGP hooks support owner and gas config updates
  • MerkleTree hooks remain immutable
  • Proper type checking for hook types
  • Gas config validation for remote domains

🟡 INFORMATIONAL - TypeScript: mapAllSettled Helper

Location: typescript/utils/src/async.ts:189-287

New helper function for processing items with Promise.allSettled semantics.

Assessment: The implementation:

  • Properly converts non-Error rejections to Error objects
  • Returns typed Maps for fulfilled/rejected results
  • Has comprehensive test coverage

This is a utility improvement with no security implications.


Hyperlane-Specific Security Checklist

Concern Status Notes
Reentrancy in handle() callbacks N/A No Solidity changes
Access control on privileged functions IGP hook updates require current owner
Merkle proof verification N/A No changes to verification logic
Domain ID validation ChainLookup validates domains in SDK
ISM threshold/validator security N/A No ISM changes
Warp route collateral accounting N/A No warp route contract changes
Message processing idempotency N/A No changes to process() logic

Invariant Suggestions

Since no Solidity contracts were modified, no new invariant tests are needed. However, the TypeScript SDK changes add good validation:

  1. ICA Owner Invariant: warp check --ica verifies that destination owners match expected ICA addresses
  2. Hook Type Immutability: shouldDeployNewHook() correctly identifies when a new hook must be deployed vs updated

Summary

Severity: No security vulnerabilities found

This PR primarily contains:

  1. Rust agent improvements - nonce management, memory optimization
  2. TypeScript SDK refactoring - hook artifact API, ICA verification
  3. AltVM SDK extensions - Aleo and Cosmos hook implementations

All changes follow established patterns and maintain security properties. The ICA owner verification feature is a positive addition for security.
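The mapAllSettled semantics described in the review above (no short-circuit on failure, non-Error rejections wrapped in Error, typed Maps for fulfilled and rejected results), as an added illustration that is not the @hyperlane-xyz/utils implementation; the signature, the Map-keyed-by-item return shape and the sample chain lookups are assumptions:

```typescript
// Added example, not the project's code: a minimal re-implementation of the
// mapAllSettled behaviour described in the review. Signature and return shape
// are assumptions for illustration.
type SettledMaps<K, V> = {
  fulfilled: Map<K, V>;
  rejected: Map<K, Error>;
};

// Wrap any non-Error rejection reason (string, plain object) in an Error so
// callers always receive an Error with a stack and a message to log.
function toError(reason: unknown): Error {
  if (reason instanceof Error) return reason;
  return new Error(typeof reason === 'string' ? reason : JSON.stringify(reason));
}

// Runs `fn` over every item with Promise.allSettled semantics: one failing
// item never prevents the others from completing, and the caller gets both
// outcome sets keyed by the original item.
async function mapAllSettled<K, V>(
  items: readonly K[],
  fn: (item: K) => Promise<V>,
): Promise<SettledMaps<K, V>> {
  const results = await Promise.allSettled(items.map((item) => fn(item)));
  const fulfilled = new Map<K, V>();
  const rejected = new Map<K, Error>();
  results.forEach((result, i) => {
    const key = items[i];
    if (result.status === 'fulfilled') {
      fulfilled.set(key, result.value);
    } else {
      rejected.set(key, toError(result.reason));
    }
  });
  return { fulfilled, rejected };
}

// Constructed sample (hypothetical chain names): one lookup rejects with a
// plain string, one with a thrown Error, one succeeds.
async function demo(): Promise<SettledMaps<string, number>> {
  const chains = ['ethereum', 'arbitrum', 'optimism'];
  return mapAllSettled(chains, async (chain) => {
    if (chain === 'arbitrum') throw 'rpc timeout'; // non-Error rejection
    if (chain === 'optimism') throw new Error('owner mismatch');
    return chain.length;
  });
}
```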

@hyper-gonk
Contributor

hyper-gonk bot commented Jan 20, 2026

🐳 Monorepo Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-monorepo:pr-7835
gcr.io/abacus-labs-dev/hyperlane-monorepo:4c2292c-20260120-151120

@hyper-gonk
Contributor

hyper-gonk bot commented Jan 20, 2026

♻️ Rebalancer Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-rebalancer:pr-7835
gcr.io/abacus-labs-dev/hyperlane-rebalancer:4c2292c-20260120-151128

@hyper-gonk
Contributor

hyper-gonk bot commented Jan 20, 2026

🕵️ Warp Monitor Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-warp-monitor:pr-7835
gcr.io/abacus-labs-dev/hyperlane-warp-monitor:4c2292c-20260120-151126

@hyper-gonk
Contributor

hyper-gonk bot commented Jan 20, 2026

🦀 Rust Agent Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-agent:pr-7835
gcr.io/abacus-labs-dev/hyperlane-agent:4c2292c-20260120-151118

@hyper-gonk
Contributor

hyper-gonk bot commented Jan 20, 2026

🔍 CCIP Server Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-offchain-lookup-server:pr-7835
gcr.io/abacus-labs-dev/hyperlane-offchain-lookup-server:4c2292c-20260120-151130

@larryob
Contributor Author

larryob commented Jan 20, 2026

Cherry picked #7808 instead in #7668

@larryob larryob closed this Jan 20, 2026
@github-project-automation github-project-automation bot moved this from In Review to Done in Hyperlane Tasks Jan 20, 2026
@codecov

codecov bot commented Jan 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.02%. Comparing base (d14275f) to head (4c2292c).
⚠️ Report is 1 commits behind head on audit-q1-2026.

Additional details and impacted files
@@              Coverage Diff               @@
##           audit-q1-2026    #7835   +/-   ##
==============================================
  Coverage          77.02%   77.02%           
==============================================
  Files                117      117           
  Lines               2651     2651           
  Branches             244      244           
==============================================
  Hits                2042     2042           
  Misses               593      593           
  Partials              16       16           
Components Coverage Δ
core 87.80% <ø> (ø)
hooks 71.86% <ø> (ø)
isms 81.10% <ø> (ø)
token 86.67% <ø> (ø)
middlewares 84.98% <ø> (ø)