[RELEASE] Merge develop into master#3150

Merged: drewstone merged 18 commits into master from release/merge-develop-2026-03-20 on Mar 21, 2026

Conversation

@drewstone
Contributor

Syncs master with develop. All conflicts resolved preferring develop (source of truth).

Key changes: shielded payments, EVM migration, code splitting, encrypted credit keys, wallet-switch safety, dependabot bumps.

Verification: tangle-cloud typecheck pass, lint pass, 52/52 tests pass. Zero conflict markers.

drewstone and others added 16 commits March 3, 2026 13:12
Co-authored-by: vutuanlinh2k2 <69841784+vutuanlinh2k2@users.noreply.github.com>
Co-authored-by: vutuanlinh2k2 <vutuanlinh2002@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@drewstone drewstone requested a review from AtelyPham as a code owner March 21, 2026 01:37
@netlify

netlify Bot commented Mar 21, 2026

Deploy Preview for tangle-dapp ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | ba5c65c |
| 🔍 Latest deploy log | https://app.netlify.com/projects/tangle-dapp/deploys/69bdfe612221ed000855b90b |
| 😎 Deploy Preview | https://deploy-preview-3150--tangle-dapp.netlify.app |

@netlify

netlify Bot commented Mar 21, 2026

Deploy Preview for tangle-leaderboard ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | ba5c65c |
| 🔍 Latest deploy log | https://app.netlify.com/projects/tangle-leaderboard/deploys/69bdfe614b99310008e32aa3 |
| 😎 Deploy Preview | https://deploy-preview-3150--tangle-leaderboard.netlify.app |

@netlify

netlify Bot commented Mar 21, 2026

Deploy Preview for tangle-cloud ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | ba5c65c |
| 🔍 Latest deploy log | https://app.netlify.com/projects/tangle-cloud/deploys/69bdfe61fa15b200083bade6 |
| 😎 Deploy Preview | https://deploy-preview-3150--tangle-cloud.netlify.app |

@claude

claude Bot commented Mar 21, 2026

Claude encountered an error.

I'll analyze this and get back to you.

@drewstone
Contributor Author

drewstone commented Mar 21, 2026

❌ PR Review #3 w/ codex, claude

| Field | Value |
|---|---|
| Recommendation | Needs Work |
| Findings | 6 total — 🔴 2 high, 🟠 2 medium, 🟡 2 low |
| Ensemble | 2 reviewers × 4 tracks |
| Files reviewed | 135 files changed |
| Validator | claude |
| Provenance | individual reviewer outputs |

🔴 HIGH (2)

  • Shielded note private keys stored unencrypted in IndexedDB (`apps/tangle-cloud/src/utils/payments/indexedDbNoteStorage.ts:32`)

    NoteData contains privateKey and blinding fields (shielded.ts:10-11). ShieldedProvider serializes these via JSON.stringify (line 37-38) and stores them in IndexedDB via IndexedDbNoteStorage.save() with zero encryption. Credit keys are encrypted before storage, but notes are not — inconsistent security posture. Any same-origin JavaScript (XSS, malicious extension) can read all note private keys from IndexedDB. This finding has persisted across 3 reviews without being addressed.

  • Contract addresses default to empty string when env vars missing (`apps/tangle-cloud/src/constants/payments.ts:2`)

    SHIELDED_GATEWAY_ADDRESS, SHIELDED_CREDITS_ADDRESS, and WRAPPED_TOKEN_ADDRESS all fall back to '' when their VITE_ env vars are unset. Empty strings passed as contract addresses to viem/wagmi will cause opaque runtime errors at transaction time rather than a clear failure at startup. The enabled: Boolean(SHIELDED_CREDITS_ADDRESS) guard in hooks like useDomainSeparator (line 12) prevents reads, but this is fragile and not applied consistently across all consumers. Persisted across 3 reviews.

🟠 MEDIUM (2)

  • Payment contract addresses not resolved per-network (`apps/tangle-cloud/src/constants/payments.ts:1`)

    Core staking contracts use getContractsByChainId(chainId) for per-network resolution. Payment contracts use global env vars that don't change when the user switches networks. If a user switches chains, payment operations will target the wrong contracts. Persisted across 3 reviews.

  • Payment env vars missing from .env.example (`.env.example:1`)

    The three VITE_SHIELDED_* and VITE_WRAPPED_TOKEN_ADDRESS env vars required by the payments feature are not documented in .env.example. New developers and CI pipelines will have no indication these are required, leading to the empty-string fallback. Persisted across 3 reviews.

🟡 LOW (2)

  • Read-then-delete uses two separate IndexedDB transactions (`apps/tangle-cloud/src/utils/payments/indexedDbCreditStorage.ts:114`)

    deleteCreditKeys performs an ownership check in a readonly transaction, then deletes in a separate readwrite transaction. In a multi-tab scenario, a race exists where the record could be modified between the two transactions. Impact is minimal but the fix is trivial — use a single readwrite transaction for both operations. Persisted across 3 reviews.

  • Decryption errors silently swallowed in credit key loading (`apps/tangle-cloud/src/utils/payments/indexedDbCreditStorage.ts:88`)

    loadCreditKeysForAddress catches all decryption errors and marks the key as isLocked=true without distinguishing between wrong-password, corrupted data, and system errors. Makes debugging key corruption impossible. Persisted across 3 reviews.


🎯 What would get this approved

  • MUST: Encrypt note private keys before IndexedDB storage in indexedDbNoteStorage.ts, matching the encryption pattern already used by indexedDbCreditStorage.ts. ~15 LOC: accept an encryption key param in save(), call encryptData() on each serialized note before store.put(). Mirror in load() with decryptData().
  • MUST: Add the 3 missing env vars (VITE_SHIELDED_GATEWAY_ADDRESS, VITE_SHIELDED_CREDITS_ADDRESS, VITE_WRAPPED_TOKEN_ADDRESS) to .env.example with empty defaults and comments. ~6 LOC.
  • SHOULD: Add a startup-time or import-time assertion in payments.ts that throws if any of the 3 contract addresses resolve to empty string, so misconfigured deployments fail loudly. ~5 LOC.
  • SHOULD: Make payment contract addresses chain-aware (resolve via chainId like the rest of the dApp) or document why single-network is intentional for this feature. If intentional, add a comment in payments.ts explaining the constraint.

pr-reviewer v0.5.0 · review #3 · 2026-03-21T02:18:07.828349+00:00
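An added example (not code from the tangle-dapp project) of the fail-fast address check and chain-keyed lookup the review above asks for: the three `VITE_` variable names come from the comment, while `PaymentContracts`, `resolvePaymentContracts`, `getPaymentContractsByChainId` and the sample addresses are assumptions.

```typescript
// Added example, not code from the tangle-dapp repository. The env var names
// come from the review above; the registry/helper names are assumptions.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
type PaymentEnv = Record<string, string | undefined>;

interface PaymentContracts {
  shieldedGateway: string;
  shieldedCredits: string;
  wrappedToken: string;
}

// Reject '' (the current fallback) and malformed values; the error names the
// variable, never its value, so it is safe to surface in logs.
function requireAddress(env: PaymentEnv, name: string): string {
  const value = (env[name] ?? '').trim();
  if (value === '') throw new Error(`Missing required env var ${name}`);
  if (!ADDRESS_RE.test(value)) {
    throw new Error(`Env var ${name} is not a 20-byte hex address`);
  }
  return value;
}

// Import-time assertion for payments.ts: all three resolve or the module throws,
// so no consumer can ever receive an empty-string contract address.
function resolvePaymentContracts(env: PaymentEnv): PaymentContracts {
  return {
    shieldedGateway: requireAddress(env, 'VITE_SHIELDED_GATEWAY_ADDRESS'),
    shieldedCredits: requireAddress(env, 'VITE_SHIELDED_CREDITS_ADDRESS'),
    wrappedToken: requireAddress(env, 'VITE_WRAPPED_TOKEN_ADDRESS'),
  };
}

// Chain-aware lookup (assumed shape, mirroring getContractsByChainId): a wallet
// switch to an unconfigured chain fails loudly instead of targeting another one.
function getPaymentContractsByChainId(
  registry: Record<number, PaymentContracts>,
  chainId: number,
): PaymentContracts {
  const contracts = registry[chainId];
  if (!contracts) throw new Error(`No payment contracts for chain ${chainId}`);
  return contracts;
}

// Constructed sample environment so the block runs stand-alone.
const sampleEnv: PaymentEnv = {
  VITE_SHIELDED_GATEWAY_ADDRESS: '0x' + '11'.repeat(20),
  VITE_SHIELDED_CREDITS_ADDRESS: '0x' + '22'.repeat(20),
  VITE_WRAPPED_TOKEN_ADDRESS: '0x' + '33'.repeat(20),
};
```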

@drewstone drewstone merged commit 96c3553 into master Mar 21, 2026
20 checks passed
@drewstone drewstone deleted the release/merge-develop-2026-03-20 branch March 21, 2026 03:39