feat(infra): restrict keyfunder sweeping to allowlist of chains

[paulbalaji]

Summary

• Added CHAINS_TO_SWEEP allowlist to limit which chains the keyfunder sweeps excess funds from
• Only sweeps: arbitrum, avalanche, base, blast, bsc, celo, ethereum, fraxtal, hyperevm, ink, linea, lisk, mitosis, optimism, polygon, soneium, superseed, unichain

Test plan

• Deploy keyfunder with updated image
• Verify sweeping only occurs on allowlisted chains

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores

  • Service configuration version updated.

• New Features

  • Fund sweeping mechanism now includes chain-level validation through an allowlist. Sweeping operations are restricted to pre-designated chains, preventing transfers on unapproved networks. Operations on non-approved chains are skipped with debug logging for visibility. This enhancement provides improved control and safety for fund management operations.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[hyper-gonk]

🐳 Monorepo Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-monorepo:pr-7914
gcr.io/abacus-labs-dev/hyperlane-monorepo:19ce70d-20260127-185509

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates the keyFunder Docker service tag to a newer version and adds a chain allowlist guard to the funding script that prevents sweeping excess funds on chains not explicitly listed in the CHAINS_TO_SWEEP allowlist.

Changes

Cohort / File(s)	Summary
Docker Configuration typescript/infra/config/docker.ts	Updated mainnetDockerTags.keyFunder version from 'a52b9e6-20260122-173924' to 'f7e18fc-20260127-184855'
Funding Script Allowlist typescript/infra/scripts/funding/fund-keys-from-deployer.ts	Introduced CHAINS_TO_SWEEP allowlist constant; added guard in attemptToSweepExcessFunds to skip sweeping and log debug message for chains not in the allowlist

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• refactor(infra): centralize Docker image/tag configuration #7705: Updates to mainnetDockerTags configuration in the same docker.ts file
• feat: support rebalancer key in key funder cron job #7052: Previous modifications to fund-keys-from-deployer.ts funding logic and structure
• feat(keyfunder): automate deployer sweeps #7211: Controls sweep execution flow through chain-specific guards in attemptToSweepExcessFunds

Suggested reviewers

• Mo-Hussain
• antigremlin

Poem

🧅 Like layers in an onion, chains need their allowlist,
No sweeping where it's not welcome—keeps things simple, not hostile,
A version bump here, a guard there,
Infrastructure gets a little more care. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description covers the main change and test plan but is missing the structured template sections like 'Drive-by changes', 'Related issues', 'Backward compatibility', and 'Testing' headers.	Restructure the description to match the repository template, including all required sections like Backward compatibility implications and Testing methodology in the proper format.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: restricting keyfunder sweeping to an allowlist of chains, which aligns with the code changes introducing CHAINS_TO_SWEEP.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch paul/restrict-sweep-chains

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.02%. Comparing base (974534b) to head (19ce70d).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7914   +/-   ##
=======================================
  Coverage   77.02%   77.02%           
=======================================
  Files         117      117           
  Lines        2651     2651           
  Branches      244      244           
=======================================
  Hits         2042     2042           
  Misses        593      593           
  Partials       16       16           

Components	Coverage Δ
core	87.80% <ø> (ø)
hooks	71.86% <ø> (ø)
isms	81.10% <ø> (ø)
token	86.67% <ø> (ø)
middlewares	84.98% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.