Skip to content

feat(audit): merge audit trail and fixes#130

Open
Meyanis95 wants to merge 28 commits into
masterfrom
feat/audit
Open

feat(audit): merge audit trail and fixes#130
Meyanis95 wants to merge 28 commits into
masterfrom
feat/audit

Conversation

@Meyanis95

@Meyanis95 Meyanis95 commented Apr 6, 2026

Copy link
Copy Markdown
Collaborator

Opening this branch to follow the informal audit of the map, the goal is to make the map both sound and complete.

Audit needs to make sure that:

  • All the mechanisms used in /vendors and /approches are patterns
  • Ensure I2U protection in approaches and all the corresponding patterns are listed
  • All the lines written in the map have been checked, and open questions have been raised in the audit doc. (i.e., if we're not sure about a specific notion/construction)

Process

Claim-and-reveal workflow on QA-AUDIT.md: claim a batch of pending files (commit + push), review on this branch, fix small issues inline, raise GitHub issues for big ones. See "How the audit works" in the doc.

scripts/audit-sync.js keeps the tracker in sync with the content list on master; CI checks it on every push to this branch.

Before merge

  • Delete scripts/audit-sync.js and .github/workflows/audit-check.yml (audit scaffolding only)
  • Add a chore: CHANGELOG entry for the audit

Summary by CodeRabbit

  • Documentation

    • Updated many use cases, approaches, patterns, vendors, and jurisdictions to a ready state with refreshed review dates.
    • Reworked jurisdiction cards and templates into clearer “At a Glance,” “What to Watch,” and “See also” sections, and refreshed terminology for consistency.
    • Added a Q2 2026 QA audit tracker and progress summary; removed the “Weekly Summaries” section and related content.
  • Chores & Quality

    • Removed the weekly-summary automation and the dormant weekly-updates artifacts.
    • Improved validation expectations and documentation templates; adjusted schemas for domain options and vendor maturity.
    • Updated review automation rules to better align with the new card section requirements.

@coderabbitai

coderabbitai Bot commented Apr 6, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Q2 2026 audit pass across repository docs and validation config. It adds a QA audit tracker, updates validation and template rules, rewrites jurisdiction cards into a shorter developer-oriented format, corrects approach and pattern content, and promotes use-case and vendor documents to ready.

Changes

Q2 2026 IPTF Map Content Audit

Layer / File(s) Summary
QA-AUDIT.md and changelog
QA-AUDIT.md, CHANGELOG.md
Adds the audit tracker, workflow rules, status tables, structural checks, and open questions. Adds changelog entries for the audit pass and weekly-update removal.
Weekly-update cleanup, schema, and validation
CONTRIBUTING.md, .coderabbit.yaml, scripts/schemas/vendor.json, scripts/schemas/use-case.json, scripts/validate-patterns.js, use-cases/_template.md
Removes weekly-summary docs, stops excluding weekly-updates/** from auto-review, makes vendor CROPS evaluation optional, updates jurisdiction section requirements, expands vendor maturity enum, updates use-case domain schema, revises validation constants, and adds status to the use-case template.
Jurisdiction template and cards
jurisdictions/_template.md, jurisdictions/cn-crypto-ban.md, jurisdictions/de-eWpG.md, jurisdictions/eu-MiCA.md, jurisdictions/eu-data-protection.md, jurisdictions/hk-crypto-licensing.md, jurisdictions/int-banking-secrecy.md, jurisdictions/us-SEC.md
Rewrites the jurisdiction template and all jurisdiction cards into the shorter developer-oriented format with updated metadata, condensed sections, and removed compliance-playbook sections.
Approach document corrections
approaches/approach-dvp-atomic-settlement.md, approaches/approach-private-bonds.md, approaches/approach-private-broadcasting.md, approaches/approach-private-derivatives.md, approaches/approach-private-identity.md, approaches/approach-private-money-market-funds.md, approaches/approach-private-payments.md, approaches/approach-private-trade-settlement.md, approaches/approach-white-label-deployment.md, approaches/approach-civic-participation.md
Applies factual corrections and formatting updates across the approach set, including HTLC ordering, co-SNARK trust assumptions, SUAVE archiving, ERC-7683 naming, TACEO OPRF wording, SEC Rule 2a-7 text, and removal of bold emphasis in recommendation text.
Pattern document corrections and deletion
patterns/pattern-zk-wrappers.md, patterns/pattern-social-recovery.md, patterns/pattern-origin-locked-confidential-ledger.md, patterns/pattern-focil-eip7805.md, patterns/pattern-l2-privacy-evaluation.md (deleted), patterns/pattern-erc3643-rwa.md, patterns/pattern-cross-chain-privacy-bridge.md, patterns/pattern-shielding.md, patterns/pattern-dvp-erc7573.md, patterns/pattern-privacy-l2s.md, patterns/pattern-*
Deletes pattern-l2-privacy-evaluation. Rewrites zk-wrappers, social-recovery, origin-locked-confidential-ledger, and FOCIL protocol text; removes ERC-8056 and EIP-7573 references where applicable; updates many pattern cards to ready status with date and wording corrections.
Use-case and vendor status normalization
use-cases/*, vendors/*, rfps/rfp-benchmark-dashboard.md
Promotes use-case documents to ready with minor factual and cross-link updates, normalizes vendor pages to ready with linked pattern references and simplified headings, and removes the L2 privacy evaluation reference from the RFP dashboard.

Estimated code review effort: 5 (Critical) | ~120 minutes

Possibly related PRs

Suggested reviewers: oskarth

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description doesn’t follow the required template; it omits the 'What are you adding?' section and the checklist items. Add the template headings, choose one 'What are you adding?' option, provide a brief description, and complete the three checklist items.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the PR’s audit-focused fixes and scaffolding cleanup, and is specific enough for history scanning.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/audit

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@oskarth

oskarth commented Apr 20, 2026

Copy link
Copy Markdown
Collaborator

LMK when ready for review

@oskarth

oskarth commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator

@Meyanis95 how can we get this to be ready for review and mergeable? Would be good if we can get it reviewed and merged before EOW. Right now it is WIP draft.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{"name":"HttpError","status":500,"request":{"method":"PATCH","url":"https://api.github.com/repos/ethereum/iptf-map/issues/comments/4194235477","headers":{"accept":"application/vnd.github.v3+json","user-agent":"octokit.js/0.0.0-development octokit-core.js/7.0.6 Node.js/24","content-type":"application/json; charset=utf-8"},"body":{"body":"<!-- This is an auto-generated comment: summarize by coderabbit.ai -->\n<!-- review_stack_entry_start -->\n\n[![Review Change Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/ethereum/iptf-map/pull/130?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)\n\n<!-- review_stack_entry_end -->\n<!-- This is an auto-generated comment: review in progress by coderabbit.ai -->\n\n> [!NOTE]\n> Currently processing new changes in this PR. This may take a few minutes, please wait...\n> \n> <details>\n> <summary>⚙️ Run configuration</summary>\n> \n> **Configuration used**: Path: .coderabbit.yaml\n> \n> **Review profile**: ASSERTIVE\n> \n> **Plan**: Pro\n> \n> **Run ID**: `e134f955-3b2a-4b4d-9267-64f91edc7195`\n> \n> </details>\n> \n> <details>\n> <summary>📥 Commits</summary>\n> \n> Reviewing files that changed from the base of the PR and between 538a46b2a9fa087986e1d7ee83c629687f5bd7b2 and 40b86f24d9d0f05b5a71de2dd1df695c6373650d.\n> \n> </details>\n> \n> <details>\n> <summary>⛔ Files ignored due to path filters (2)</summary>\n> \n> * `weekly-updates/2026-01-16.md` is excluded by `!weekly-updates/**`\n> * `weekly-updates/README.md` is excluded by `!weekly-updates/**`\n> \n> </details>\n> \n> <details>\n> <summary>📒 Files selected for processing (147)</summary>\n> \n> * `.coderabbit.yaml`\n> * `.github/workflows/audit-check.yml`\n> * `CHANGELOG.md`\n> * `CONTRIBUTING.md`\n> * `QA-AUDIT.md`\n> * `approaches/approach-civic-participation.md`\n> * `approaches/approach-dvp-atomic-settlement.md`\n> * `approaches/approach-private-bonds.md`\n> * `approaches/approach-private-broadcasting.md`\n> * `approaches/approach-private-derivatives.md`\n> * `approaches/approach-private-identity.md`\n> * `approaches/approach-private-money-market-funds.md`\n> * `approaches/approach-private-payments.md`\n> * `approaches/approach-private-trade-settlement.md`\n> * `approaches/approach-white-label-deployment.md`\n> * `jurisdictions/_template.md`\n> * `jurisdictions/cn-crypto-ban.md`\n> * `jurisdictions/de-eWpG.md`\n> * `jurisdictions/eu-MiCA.md`\n> * `jurisdictions/eu-data-protection.md`\n> * `jurisdictions/hk-crypto-licensing.md`\n> * `jurisdictions/int-banking-secrecy.md`\n> * `jurisdictions/us-SEC.md`\n> * `patterns/pattern-blob-anchored-state-with-dispute.md`\n> * `patterns/pattern-co-snark.md`\n> * `patterns/pattern-commit-and-prove.md`\n> * `patterns/pattern-compliance-monitoring.md`\n> * `patterns/pattern-cross-chain-privacy-bridge.md`\n> * `patterns/pattern-crypto-registry-bridge-ewpg-eas.md`\n> * `patterns/pattern-dvp-erc7573.md`\n> * `patterns/pattern-eil.md`\n> * `patterns/pattern-erc3643-rwa.md`\n> * `patterns/pattern-focil-eip7805.md`\n> * `patterns/pattern-forced-withdrawal.md`\n> * `patterns/pattern-forward-secure-pseudorandom-tree.md`\n> * `patterns/pattern-forward-secure-signatures.md`\n> * `patterns/pattern-hybrid-public-private-modes.md`\n> * `patterns/pattern-icma-bdt-data-model.md`\n> * `patterns/pattern-immutable-guarantees.md`\n> * `patterns/pattern-l2-encrypted-offchain-audit.md`\n> * `patterns/pattern-l2-privacy-evaluation.md`\n> * `patterns/pattern-lean-ethereum.md`\n> * `patterns/pattern-mesh-store-forward-submission.md`\n> * `patterns/pattern-mixnet-anonymity.md`\n> * `patterns/pattern-modular-privacy-stack.md`\n> * `patterns/pattern-mpc-custody.md`\n> * `patterns/pattern-native-account-abstraction.md`\n> * `patterns/pattern-network-anonymity.md`\n> * `patterns/pattern-noir-private-contracts.md`\n> * `patterns/pattern-oif.md`\n> * `patterns/pattern-onion-routing.md`\n> * `patterns/pattern-origin-locked-confidential-ledger.md`\n> * `patterns/pattern-permissioned-ledger-interoperability.md`\n> * `patterns/pattern-permissionless-spend-auth.md`\n> * `patterns/pattern-plasma-stateless-privacy.md`\n> * `patterns/pattern-pretrade-privacy-encryption.md`\n> * `patterns/pattern-privacy-l2s.md`\n> * `patterns/pattern-private-information-retrieval.md`\n> * `patterns/pattern-private-iso20022.md`\n> * `patterns/pattern-private-mtp-auth.md`\n> * `patterns/pattern-private-pvp-stablecoins-erc7573.md`\n> * `patterns/pattern-private-set-intersection-circuit.md`\n> * `patterns/pattern-private-set-intersection-dh.md`\n> * `patterns/pattern-private-set-intersection-fhe.md`\n> * `patterns/pattern-private-set-intersection-oprf.md`\n> * `patterns/pattern-private-shared-state-cosnark.md`\n> * `patterns/pattern-private-shared-state-fhe.md`\n> * `patterns/pattern-private-shared-state-tee.md`\n> * `patterns/pattern-private-stablecoin-shielded-payments.md`\n> * `patterns/pattern-private-transaction-broadcasting.md`\n> * `patterns/pattern-private-vaults.md`\n> * `patterns/pattern-proof-of-innocence.md`\n> * `patterns/pattern-recipient-derived-receive-addresses.md`\n> * `patterns/pattern-regulatory-disclosure-keys-proofs.md`\n> * `patterns/pattern-relay-mediated-proving.md`\n> * `patterns/pattern-safe-proof-delegation.md`\n> * `patterns/pattern-shielding.md`\n> * `patterns/pattern-social-recovery.md`\n> * `patterns/pattern-stealth-addresses.md`\n> * `patterns/pattern-tee-based-privacy.md`\n> * `patterns/pattern-tee-key-manager.md`\n> * `patterns/pattern-tee-network-anonymity.md`\n> * `patterns/pattern-tee-zk-settlement.md`\n> * `patterns/pattern-threshold-encrypted-mempool.md`\n> * `patterns/pattern-tls-payment-bridge.md`\n> * `patterns/pattern-user-controlled-viewing-keys.md`\n> * `patterns/pattern-verifiable-attestation.md`\n> * `patterns/pattern-voprf-nullifiers.md`\n> * `patterns/pattern-zk-kyc-ml-id-erc734-735.md`\n> * `patterns/pattern-zk-promises.md`\n> * `patterns/pattern-zk-proof-systems.md`\n> * `patterns/pattern-zk-tls.md`\n> * `patterns/pattern-zk-wrappers.md`\n> * `rfps/rfp-benchmark-dashboard.md`\n> * `scripts/audit-sync.js`\n> * `scripts/schemas/use-case.json`\n> * `scripts/schemas/vendor.json`\n> * `scripts/validate-patterns.js`\n> * `scripts/weekly-summary.sh`\n> * `use-cases/_template.md`\n> * `use-cases/private-bonds.md`\n> * `use-cases/private-commodities.md`\n> * `use-cases/private-corporate-bonds.md`\n> * `use-cases/private-derivatives.md`\n> * `use-cases/private-fx.md`\n> * `use-cases/private-government-debt.md`\n> * `use-cases/private-identity.md`\n> * `use-cases/private-messaging.md`\n> * `use-cases/private-money-market-funds.md`\n> * `use-cases/private-oracles.md`\n> * `use-cases/private-payments.md`\n> * `use-cases/private-procurement.md`\n> * `use-cases/private-read.md`\n> * `use-cases/private-registry.md`\n> * `use-cases/private-repo.md`\n> * `use-cases/private-rwa-tokenization.md`\n> * `use-cases/private-stablecoins.md`\n> * `use-cases/private-stocks.md`\n> * `use-cases/private-supply-chain.md`\n> * `use-cases/private-treasuries.md`\n> * `use-cases/resilient-civic-participation.md`\n> * `use-cases/resilient-disbursement-rails.md`\n> * `use-cases/resilient-identity-continuity.md`\n> * `vendors/_template.md`\n> * `vendors/aztec.md`\n> * `vendors/chainlink-ace.md`\n> * `vendors/curvy.md`\n> * `vendors/ey.md`\n> * `vendors/fairblock.md`\n> * `vendors/fhenix.md`\n> * `vendors/fireblocks.md`\n> * `vendors/flashbots.md`\n> * `vendors/hinkal.md`\n> * `vendors/iexec.md`\n> * `vendors/miden.md`\n> * `vendors/paladin.md`\n> * `vendors/peer.md`\n> * `vendors/privacypools.md`\n> * `vendors/railgun.md`\n> * `vendors/renegade.md`\n> * `vendors/shutter.md`\n> * `vendors/soda-labs.md`\n> * `vendors/space-and-time.md`\n> * `vendors/taceo-merces.md`\n> * `vendors/tx-shield.md`\n> * `vendors/zama.md`\n> * `vendors/zksync.md`\n> \n> </details>\n> \n> ```ascii\n>  _____________________________________________________________________________________________________________\n> < Hello, it's me. I was wondering if after all these reviews you'd like to meet...to celebrate bug-free code. >\n>  -------------------------------------------------------------------------------------------------------------\n>   \\\n>    \\   \\\n>         \\ /\\\n>         ( )\n>       .( o ).\n> ```\n\n<!-- end of auto-generated comment: review in progress by coderabbit.ai -->\n\n<!-- oss_config_warning_start -->\n\n> [!WARNING]\n> Ignoring CodeRabbit configuration file changes. For security, only the configuration from the base branch is applied for open source repositories.\n\n<!-- oss_config_warning_end -->\n<!-- finishing_touch_checkbox_start -->\n\n<details>\n<summary>✨ Finishing Touches</summary>\n\n<details>\n<summary>📝 Generate docstrings</summary>\n\n- [ ] <!-- {\"checkboxId\": \"7962f53c-55bc-4827-bfbf-6a18da830691\"} --> Create stacked PR\n- [ ] <!-- {\"checkboxId\": \"3e1879ae-f29b-4d0d-8e06-d12b7ba33d98\"} --> Commit on current branch\n\n</details>\n<details>\n<summary>🧪 Generate unit tests (beta)</summary>\n\n- [ ] <!-- {\"checkboxId\": \"f47ac10b-58cc-4372-a567-0e02b2c3d479\", \"radioGroupId\": \"utg-output-choice-group-unknown_comment_id\"} -->   Create PR with unit tests\n- [ ] <!-- {\"checkboxId\": \"6ba7b810-9dad-11d1-80b4-00c04fd430c8\", \"radioGroupId\": \"utg-output-choice-group-unknown_comment_id\"} -->   Commit unit tests in branch `feat/audit`\n\n</details>\n\n</details>\n\n<!-- finishing_touch_checkbox_end -->\n<!-- tips_start -->\n\n---\n\nThanks for using [CodeRabbit](https://coderabbit.ai?utm_source=oss&utm_medium=github&utm_campaign=ethereum/iptf-map&utm_content=130)! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.\n\n<details>\n<summary>❤️ Share</summary>\n\n- [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai)\n- [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai)\n- [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai)\n- [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code)\n\n</details>\n\n\n<sub>Comment `@coderabbitai help` to get the list of available commands.</sub>\n\n<!-- tips_end -->"},"request":{"retryCount":3,"signal":{},"retries":3,"retryAfter":16}}}

@Meyanis95

Copy link
Copy Markdown
Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@Meyanis95

Copy link
Copy Markdown
Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@Meyanis95

Copy link
Copy Markdown
Collaborator Author

@coderabbitai help

@ethereum ethereum deleted a comment from coderabbitai Bot Jun 29, 2026
@Meyanis95

Copy link
Copy Markdown
Collaborator Author

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Full review finished.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 27

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (18)
vendors/fhenix.md (2)

14-20: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use relative paths for internal pattern links.

The pattern links use absolute GitHub URLs (https://github.com/ethereum/iptf-map/blob/master/patterns/...). Relative paths (../patterns/pattern-...) are preferred for internal cross-references — they work locally, in forks, and don't hardcode branch names.

- [Selective disclosure (viewing keys + ZK proofs)](../patterns/pattern-regulatory-disclosure-keys-proofs.md)
+ [Selective disclosure (viewing keys + ZK proofs)](../patterns/pattern-regulatory-disclosure-keys-proofs.md)

(Apply to all pattern links in this file.)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/fhenix.md` around lines 14 - 20, The internal pattern references in
the Fhenix markdown use hardcoded GitHub blob URLs, which should be changed to
relative links. Update all pattern links in this section to use relative paths
to the corresponding files under patterns so the references work in forks and
local previews without depending on a specific branch. Keep the link targets
consistent across every occurrence in this file and use the existing pattern
filenames as the source of truth.

1-63: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Add a CROPS profile section. This vendor card is missing the required ## CROPS profile table for CR, OS, Privacy, Security, and Context; add it to match the vendor template and scoring rules.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/fhenix.md` around lines 1 - 63, The Fhenix vendor card is missing the
required CROPS profile section. Add a "## CROPS profile" table in this document
with rows for CR, OS, Privacy, Security, and Context, matching the existing
vendor template and scoring format used by other vendor profiles. Use the
current content in the vendor card to populate the scores and short
justifications, and place the new section in the standard position alongside the
other top-level vendor metadata sections.

Source: Path instructions

vendors/fireblocks.md (1)

1-61: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Add the missing ## CROPS profile section. This vendor card still needs the required product-level CROPS table to match vendors/_template.md.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/fireblocks.md` around lines 1 - 61, The Fireblocks vendor card is
missing the required product-level CROPS profile section from the vendor
template. Add a new “## CROPS profile” section in this document, using the same
structure and fields as vendors/_template.md, and place it in a sensible spot
alongside the other top-level sections such as “What it is” and “Fits with
patterns.” Ensure the new section is complete and consistent with the existing
Fireblocks content.

Source: Path instructions

vendors/fairblock.md (1)

1-88: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Add the ## CROPS profile section. vendors/fairblock.md currently ends at Links and is missing the required CROPS table with Product | CR | OS | Privacy | Security | Context.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/fairblock.md` around lines 1 - 88, The Fairblock vendor doc is
missing the required CROPS profile section at the end of the file. Add a new “##
CROPS profile” section after the Links content in vendors/fairblock.md, and
include the required table with the columns Product, CR, OS, Privacy, Security,
and Context, using the existing Fairblock/FairyRing details from the document.

Source: Path instructions

vendors/flashbots.md (1)

45-65: 🔒 Security & Privacy | 🔴 Critical | 🏗️ Heavy lift

Critical: Missing required CROPS profile section.

Per the vendor template and vendors/README.md, vendor cards MUST include a ## CROPS profile section with a table evaluating CR, OS, Privacy, Security, and Context for each product. This card has no CROPS profile and cannot be marked ready without it.

Additionally, soften promotional phrasing in Strengths:

  • "significant adoption" → "substantial adoption" or "notable adoption"
  • "strong relationship" → "established integration" or "close collaboration"
  • "next-generation infrastructure" → "new infrastructure" or remove
📝 Proposed CROPS profile addition (verify values before using)
## CROPS profile

| Product | CR | OS | Privacy | Security | Context |
|---------|----|----|---------|----------|---------|
| Flashbots Auction | medium | yes | none | medium | i2i |
| SUAVE/BuilderNet | medium | partial | partial | medium | i2u |

- **CR**: Medium (user can choose builders, but builder set is centralized)
- **OS**: Yes for Auction (open APIs), partial for SUAVE (under development)
- **Privacy**: None for Auction (transactions visible after inclusion); partial for SUAVE (intent privacy until execution)
- **Security**: Medium (established operational security, but trust in builders)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/flashbots.md` around lines 45 - 65, Add the missing required ## CROPS
profile section to the Flashbots vendor card, using the vendor template in
vendors/README.md and the existing Strengths/Risks structure as a guide; include
a table for each product with CR, OS, Privacy, Security, and Context, and ensure
the card is not marked ready until this section exists. While editing the same
card, tone down the promotional language in the Strengths bullets referenced by
the Flashbots section so terms like “significant adoption,” “strong
relationship,” and “next-generation infrastructure” are replaced with more
neutral wording, keeping the content aligned with the template.

Source: Path instructions

vendors/paladin.md (2)

1-112: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Missing required ## Privacy domains section.

Per vendors/_template.md, the required section headings include "Privacy domains". The file mentions privacy domains in passing (line 17) but does not have a dedicated ## Privacy domains section. Add this section before ## Enterprise demand and use cases.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/paladin.md` around lines 1 - 112, The vendor page is missing the
required dedicated Privacy domains section. Add a new “## Privacy domains”
section in paladin.md before “## Enterprise demand and use cases,” and move or
summarize the existing mentions of Zeto, Noto, and Pente there so the document
matches the required headings from vendors/_template.md.

1-112: 🗄️ Data Integrity & Integration | 🔴 Critical | 🏗️ Heavy lift

Missing required ## CROPS profile section.

Per vendors/_template.md and path instructions, vendor cards MUST include a ## CROPS profile section with a table evaluating CR, OS, Privacy, Security, and Context. This file is missing the section entirely and cannot be ready without it.

📋 Required addition
## CROPS profile

| Product | CR | OS | Privacy | Security | Context |
|---------|----|----|---------|----------|---------|
| Paladin | ... | ... | ... | ... | ... |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/paladin.md` around lines 1 - 112, The Paladin vendor card is missing
the required CROPS profile section, so add a new “## CROPS profile” section in
the Paladin markdown and include the evaluation table for CR, OS, Privacy,
Security, and Context. Place it alongside the existing sections in this vendor
doc so the card can be marked ready; use the current content in
vendors/paladin.md to fill the row for the Paladin entry.
vendors/peer.md (2)

1-67: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Missing required ## Privacy domains section.

Per vendors/_template.md, vendor cards must include a ## Privacy domains section. This file lacks it. Add between ## Architecture and ## Enterprise demand and use cases.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/peer.md` around lines 1 - 67, Add the missing required Privacy
domains section in the Peer vendor card, using the same style as the existing
sections. Place the new ## Privacy domains heading between the Architecture and
Enterprise demand and use cases sections in vendors/peer.md, and ensure it
summarizes the relevant privacy domains for Peer consistently with the rest of
the document.

1-67: 🗄️ Data Integrity & Integration | 🔴 Critical | ⚡ Quick win

CROPS profile table was removed—this is required.

The path instructions and vendors/_template.md require vendor cards to include a ## CROPS profile section with a CROPS evaluation table. This file previously had one (per change description) and it was removed in this PR. Restore it before marking ready.

📋 Required restoration
## CROPS profile

| Product | CR | OS | Privacy | Security | Context |
|---------|----|----|---------|----------|---------|
| Peer    | ... | ... | ... | ... | ... |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/peer.md` around lines 1 - 67, Restore the missing CROPS profile
section in the Peer vendor card, since `vendors/_template.md` and the vendor
path rules require it before the file can stay ready. Add back the `## CROPS
profile` heading and the CROPS evaluation table in the `Peer` document, keeping
the existing vendor summary intact and making sure the section appears with the
rest of the card content.
vendors/soda-labs.md (3)

41-41: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix typo: "Cirtcuit" → "Circuit".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/soda-labs.md` at line 41, The typo in the Soda Labs description
should be corrected in the Garbled Circuit + ZK phrase. Update the text in the
affected markdown entry so the term is spelled “Circuit” instead of “Cirtcuit,”
keeping the rest of the sentence unchanged.

32-32: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix typo: "posession" → "possession".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/soda-labs.md` at line 32, Fix the typo in the Soda Labs documentation
text by updating the misspelled word in the sentence about Evaluators and
garbled circuits; specifically, correct the wording in the markdown content that
contains “posession” so it reads “possession” while keeping the rest of the
paragraph unchanged.

59-59: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Replace superlative with neutral phrasing.

"lowest latency" is promotional. Use "lower latency" or specify the comparative basis factually.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/soda-labs.md` at line 59, The wording in the Soda Labs description
uses a promotional superlative (“lowest latency”); update the affected sentence
in the markdown copy to neutral, factual phrasing such as “lower latency” or a
clearly qualified comparison, keeping the rest of the text unchanged.
vendors/tx-shield.md (1)

6-136: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Flag marketing language and verify CROPS profile.

The vendor card contains promotional phrasing that violates the neutral tone requirement per vendors/README.md:

  • Line 57: "high performance" → consider "MPC-based payment layer with threshold key control"
  • Line 82: "Ideal for" → consider "Suited for" or remove
  • Line 105: "delivers institutional-grade" → consider "provides"
  • Line 106: "enables privacy-preserving" → consider "supports"

Also verify:

  • ## CROPS profile table exists per vendors/_template.md.
  • Word count is under 1800 (warn if >1000).
  • Ethereum alignment: TX-SHIELD mentions "on-chain" settlement but specify which chain(s).
#!/bin/bash
# Check for CROPS profile section
rg -n -A 10 "## CROPS profile" vendors/tx-shield.md
# Check word count
wc -w vendors/tx-shield.md
# Check Ethereum mentions
rg -n -i "ethereum|evm|eip|erc" vendors/tx-shield.md
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/tx-shield.md` around lines 6 - 136, The vendor card in tx-shield.md
uses promotional wording that should be replaced with neutral descriptions,
especially in the Architectural, Enterprise demand, and Strengths sections;
update phrases like “high performance,” “Ideal for,” “delivers
institutional-grade,” and “enables privacy-preserving” in the relevant
TX-SHIELD, OpenTMP LLM, and Collab-Key descriptions. Also verify that a ## CROPS
profile section/table exists per the vendor template, confirm the document stays
within the word-count guidance, and clarify the Ethereum/alignment claim by
naming the specific chain(s) for the on-chain settlement mention.

Source: Path instructions

vendors/zksync.md (1)

50-53: 📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Remove superlatives and fix typo.

  • "Comprehensive enterprise features" → remove superlative, state features factually.
  • "Efficient ZK Proving" → quantify or remove vague praise.
  • "accross" → "across"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/zksync.md` around lines 50 - 53, Revise the bullet list in the vendor
description to use factual, non-promotional wording: remove the superlative from
the enterprise features line, replace the vague “Efficient ZK Proving” phrasing
with a neutral concrete description or drop it, and correct the typo in the
interoperability bullet from “accross” to “across”; update the text where these
bullets appear in the markdown content.

Source: Path instructions

approaches/approach-white-label-deployment.md (1)

1-261: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Trim this approach card to under 2000 words. approaches/approach-white-label-deployment.md is 2651 words, which exceeds the approach-card warning threshold.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@approaches/approach-white-label-deployment.md` around lines 1 - 261, The
approach card is over the 2000-word limit and needs to be shortened without
losing the core decision guidance. Trim repetitive detail in the long narrative
sections of approach-white-label-deployment.md, especially the repeated
trust/threat/implementation prose under Vendor-Managed Deployment,
Institution-Controlled Deployment, and the Legal & risk/Technical perspective
sections, while preserving the summary, comparison table, and recommendation.
Keep the unique identifying section headers intact so the card remains easy to
scan.
approaches/approach-private-identity.md (1)

300-304: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Avoid marketing language: "only."

Per house style (IPTF.Marketing), avoid "only" as marketing language. The claim that Issuer-Independent OPRF is "the only category designed to survive single-issuer failure" is a strong uniqueness claim that should be verified or softened to neutral, factual terms.

- but is the only category designed to survive single-issuer failure
+ but is the category most explicitly designed to survive single-issuer failure
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@approaches/approach-private-identity.md` around lines 300 - 304, Update the
wording in the “Technical perspective” section to remove the uniqueness claim
around Issuer-Independent OPRF; in the sentence in the approach-private-identity
discussion that currently says it is “the only category designed to survive
single-issuer failure,” rewrite it in neutral factual terms or qualify it as one
option rather than the sole one. Keep the rest of the comparison intact and
preserve the technical positioning of Issuer-Independent OPRF, Registry
Membership, Document ZK, TLS Transcript Proofs, On-Chain Attestation, and POD2.

Source: Linters/SAST tools

approaches/approach-private-trade-settlement.md (1)

1-35: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Set use_case to private-trade-settlement.
The frontmatter currently points this approach card at private-bonds, which breaks the required use-case cross-reference for this file.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@approaches/approach-private-trade-settlement.md` around lines 1 - 35, Update
the frontmatter in approach-private-trade-settlement so the use_case matches the
document’s own topic; replace the current private-bonds value with
private-trade-settlement. Keep the rest of the metadata unchanged, and verify
the related_use_cases and other approach fields still align with the Private
Trade Settlement card.
vendors/_template.md (1)

42-43: 📐 Maintainability & Code Quality | 🟠 Major | ⚖️ Poor tradeoff

Restore the CROPS profile section.

The template removes the mandatory ## CROPS profile table, but path instructions require vendor cards to include this evaluation. Per vendors/README.md and CONTRIBUTING.md § CROPS Evaluation, CROPS is assessed per product with columns Product | CR | OS | Privacy | Security | Context. Removing it from the template will cause new vendor cards to omit required scoring.

If the project is intentionally dropping CROPS from vendors, update the path instructions first; otherwise restore the section in the template.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/_template.md` around lines 42 - 43, The vendor card template is
missing the required CROPS profile section, so restore the `## CROPS profile`
table in the template used for new vendor cards. Update the markdown in the
template so it includes the full evaluation columns for Product, CR, OS,
Privacy, Security, and Context, matching the guidance referenced by the template
and the contributing rules. If CROPS is being removed intentionally, update the
path instructions first; otherwise keep the section in place for consistency
with vendor card requirements.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/audit-check.yml:
- Around line 17-29: The checkout step in the audit workflow is keeping
repository credentials available longer than needed. Update the existing
actions/checkout step in the audit-check job to disable persisted credentials,
and add a top-level permissions block that limits the job to contents: read.
Keep the rest of the job, including the Fetch master and scripts/audit-sync.js
steps, unchanged.

In `@approaches/approach-dvp-atomic-settlement.md`:
- Around line 198-210: Update the Default recommendation in the atomic
settlement approach to avoid implying ERC-3643 is production-ready; in the
section describing Escrow with Dual Approval, explicitly qualify the reference
to ERC-3643 by noting it is Draft or only applicable where available. Keep the
wording aligned with the existing terminology in the document so the Default,
Decision factors, and Hybrid guidance remain consistent.
- Around line 40-52: The standard-status wording in the atomic-settlement
approach is inaccurate because ERC-6123 is Draft but ERC-3643 is Final. Update
the requirements text to reflect the correct status for both standards, and keep
the reference to ERC-6123 and ERC-3643 in the same section so the status
statement is clear and consistent.

In `@approaches/approach-private-identity.md`:
- Line 256: Update the TACEO:OPRF status text in approach-private-identity.md so
it no longer says “currently in public beta”; replace it with the correct
production/live status in the “How it works” section where TACEO operates the
threshold OPRF network, keeping the rest of the enrollment flow unchanged.
- Around line 314-320: The phrase in the decision factors list should use the
hyphenated form “on-chain” to match the rest of the document’s terminology.
Update the wording in the sentence under the TLS Transcript Proofs bullet so it
reads “brought on-chain” while leaving the rest of the guidance unchanged; use
the surrounding “Decision factors” section and the “TLS Transcript Proofs”
bullet to locate it.

In `@CHANGELOG.md`:
- Line 7: Update the CHANGELOG entry in CHANGELOG.md so it includes a markdown
link to the changed file as required by the path instructions. Keep the existing
chore/PR reference, and add a link to the relevant markdown file reference
within the same entry so the changelog item satisfies the file-link rule.

In `@jurisdictions/_template.md`:
- Around line 12-27: The jurisdiction template in the markdown card structure is
missing the required Actionable Best Practices section and its subsections, so
either restore those subsections in the template or update the path instructions
that govern jurisdiction cards to no longer require them. Use the template’s
existing headings like At a Glance, What to Watch, and See also to locate the
restructuring, and make the guidance consistent with whichever format is
intended.

In `@jurisdictions/int-banking-secrecy.md`:
- Around line 15-30: The jurisdiction card content is out of the required
template because it is missing the mandatory `## Actionable Best Practices`
section and the six required subsections. Update the
`jurisdictions/int-banking-secrecy.md` card structure to match the standard
jurisdiction-card contract by adding `## Actionable Best Practices` with
Payments, Trading, Funds & Assets, Custody, Identity & Compliance, and Data &
Oracles, while keeping the existing banking-secrecy guidance under the
appropriate headings.

In `@jurisdictions/us-SEC.md`:
- Around line 30-31: The reference label for the SEC document is overstated,
since the linked PDF is a public submission to the SEC rather than an
SEC-authored proposal. Update the markdown entry in us-SEC.md to use a neutral,
accurate title for that citation, keeping the White House Digital Assets Report
entry unchanged and adjusting only the second bullet so the label matches the
document’s true origin.
- Around line 17-31: The jurisdiction card content is using the old “At a Glance
/ What to Watch / See also” layout and no longer matches the required template.
Update the `jurisdictions/us-SEC.md` card to follow the standard
jurisdiction-card structure used by the other rewritten cards: keep the overview
concise, add `## Actionable Best Practices`, and include the six required
subsections for Payments, Trading, Funds & Assets, Custody, Identity &
Compliance, and Data & Oracles so it conforms to `jurisdictions/**/*.md`.

In `@patterns/pattern-cross-chain-privacy-bridge.md`:
- Line 101: In the deployment topologies list, the privacy-to-privacy
description uses marketing language with “maximum privacy”; rephrase that part
in pattern-cross-chain-privacy-bridge.md using neutral wording such as “privacy
on both sender and receiver ends” or “end-to-end shielding,” while keeping the
rest of the topology descriptions unchanged.

In `@patterns/pattern-lean-ethereum.md`:
- Line 61: Update the client-team count wording in the lean Ethereum pattern so
it only refers to consensus clients, not all clients. Replace the unsupported
“eight independent client teams” claim with a source-backed statement that names
or counts the consensus-layer teams, and adjust the surrounding phrasing in the
relevant markdown section to avoid including execution clients like Besu and
Erigon.

In `@patterns/pattern-recipient-derived-receive-addresses.md`:
- Around line 3-6: The frontmatter for
pattern-recipient-derived-receive-addresses is missing the required type field.
Update the document’s frontmatter to include type with the correct
classification, using type: standard unless this pattern should be meta, and
keep the existing frontmatter keys like status, maturity, layer, and
last_reviewed intact.

In `@scripts/audit-sync.js`:
- Around line 108-130: `check()` and `buildRows()` need to enforce exactly one
active row per master file before syncing. Update the validation in `check()` so
it rejects duplicate entries for the same file and flags any row whose file
still exists in `masterFiles(section.dir)` if its status is `deprecated`. Then
make `buildRows()` avoid silently collapsing duplicates via the `byFile` Map,
and ensure `--sync` only proceeds after these constraints are satisfied so each
master file has one live row.

In `@scripts/validate-patterns.js`:
- Around line 133-141: The jurisdiction validation in validate-patterns.js is
now too permissive because REQUIRED_JURISDICTION_SECTIONS no longer enforces the
documented card contract. Update the jurisdiction checks so
jurisdictions/**/*.md still require ## Actionable Best Practices and all
mandated subsections (Payments, Trading, Funds & Assets, Custody, Identity &
Compliance, and Data & Oracles), and make sure the logic tied to
RECOMMENDED_JURISDICTION_SECTIONS does not replace the required validation in
the jurisdiction card path.

In `@use-cases/resilient-civic-participation.md`:
- Around line 2-5: The frontmatter in the resilient civic participation use case
uses a shortened domain label; update the primary_domain value to the full
governance domain name while leaving secondary_domain unchanged. Locate the
frontmatter fields in the markdown file and ensure the existing title/status
entries stay intact, with primary_domain set to Civic Coordination & Governance.

In `@use-cases/resilient-identity-continuity.md`:
- Around line 2-4: The frontmatter for the Resilient Identity Continuity
use-case is missing the required secondary_domain field, so the file no longer
matches the use-case template. Update the markdown frontmatter in
resilient-identity-continuity.md to include secondary_domain alongside title,
status, and primary_domain, using the same naming pattern as the template in
_template.md.

In `@vendors/fhenix.md`:
- Around line 11-12: The vendor description in the Fhenix markdown is too
promotional and should be rewritten in a neutral, factual tone. Update the copy
in the Fhenix card to remove marketing qualifiers like “fast” and “easy,” and
keep the wording focused on what CoFHE is and does; use the existing description
text to identify the affected sentence and replace it with a concise, objective
summary.

In `@vendors/flashbots.md`:
- Around line 25-44: The Flashbots vendor card is missing the template-mandated
“Privacy domains” section, so update the markdown structure in the Flashbots
content to include that heading alongside the existing Architecture, Enterprise
demand and use cases, and Technical details sections. Keep the current facts,
but add a dedicated “Privacy domains” section in the same style as the other
headings so the vendor-card format is complete.

In `@vendors/hinkal.md`:
- Around line 13-18: The Hinkal vendor card is missing the required CROPS
profile section from the template. Add a new “## CROPS profile” section in this
document and include the per-product CROPS table alongside the existing sections
like “## Fits with patterns” so the card matches the standard vendor-card
structure.

In `@vendors/iexec.md`:
- Line 3: The iExec vendor template is missing the required CROPS profile
section, so add the mandatory “## CROPS profile” table to the markdown alongside
the existing template sections. Update vendors/iexec.md to include the full
CROPS entry in the same style as the other vendor docs, using the document’s
existing section structure so it remains consistent and discoverable.

In `@vendors/privacypools.md`:
- Around line 14-19: The privacypools vendor doc is missing the mandatory CROPS
profile section. Update the `vendors/privacypools.md` content by adding a `##
CROPS profile` section with the required table, and keep the existing pattern
links unchanged since they already resolve correctly. Use the existing document
structure in `privacypools.md` to place the new section in the appropriate spot.

In `@vendors/railgun.md`:
- Around line 14-19: Add the missing CROPS profile section to railgun.md using
the vendor template structure, placing the required CROPS table in the
appropriate spot near the existing top-level sections. Keep the surrounding
sections like Fits with patterns intact, and ensure the new section follows the
same heading and table conventions used by other vendor docs so the document
matches the expected template.

In `@vendors/renegade.md`:
- Around line 14-18: The vendor card is missing the required CROPS profile
section, so update the markdown in renegade.md to add a `## CROPS profile` block
that matches the standard vendor template. Use the existing pattern links under
`## Fits with patterns` as context, and ensure the new section includes the
CROPS table content in the expected format so the card conforms to the template.

In `@vendors/taceo-merces.md`:
- Around line 1-3: The TACEO Merces vendor card is missing the required CROPS
profile content and the Ethereum-alignment note is incomplete. Update the
markdown in the vendor document to add the ## CROPS profile section with the
Product | CR | OS | Privacy | Security | Context table, and revise the existing
note so it explicitly states the Ethereum-alignment basis rather than mentioning
only Base and Arc testnets. Refer to the existing heading structure in the
document so the new section is placed consistently.

In `@vendors/zksync.md`:
- Around line 28-29: Fix the typo and grammar in the architecture description
for the ZKsync Gateway sentence: update the misspelled “setllement” to
“settlement” and rewrite the clause around “who ZK commit blocks” to use correct
subject-verb agreement and phrasing. Adjust the text in the ZKsync section so it
reads naturally, using the existing description sentence as the reference point.
- Line 10: The vendor description in the ZKsync card uses promotional
superlative phrasing, so rewrite the copy in vendors/zksync.md to be neutral and
factual. Replace the marketing language in the Prividium description with an
objective summary of its capabilities, while keeping the core references to
ZKsync, enterprise solutions, real-world asset tokenization, private capital
markets, institutional financial infrastructure, and selective disclosure.

---

Outside diff comments:
In `@approaches/approach-private-identity.md`:
- Around line 300-304: Update the wording in the “Technical perspective” section
to remove the uniqueness claim around Issuer-Independent OPRF; in the sentence
in the approach-private-identity discussion that currently says it is “the only
category designed to survive single-issuer failure,” rewrite it in neutral
factual terms or qualify it as one option rather than the sole one. Keep the
rest of the comparison intact and preserve the technical positioning of
Issuer-Independent OPRF, Registry Membership, Document ZK, TLS Transcript
Proofs, On-Chain Attestation, and POD2.

In `@approaches/approach-private-trade-settlement.md`:
- Around line 1-35: Update the frontmatter in approach-private-trade-settlement
so the use_case matches the document’s own topic; replace the current
private-bonds value with private-trade-settlement. Keep the rest of the metadata
unchanged, and verify the related_use_cases and other approach fields still
align with the Private Trade Settlement card.

In `@approaches/approach-white-label-deployment.md`:
- Around line 1-261: The approach card is over the 2000-word limit and needs to
be shortened without losing the core decision guidance. Trim repetitive detail
in the long narrative sections of approach-white-label-deployment.md, especially
the repeated trust/threat/implementation prose under Vendor-Managed Deployment,
Institution-Controlled Deployment, and the Legal & risk/Technical perspective
sections, while preserving the summary, comparison table, and recommendation.
Keep the unique identifying section headers intact so the card remains easy to
scan.

In `@vendors/_template.md`:
- Around line 42-43: The vendor card template is missing the required CROPS
profile section, so restore the `## CROPS profile` table in the template used
for new vendor cards. Update the markdown in the template so it includes the
full evaluation columns for Product, CR, OS, Privacy, Security, and Context,
matching the guidance referenced by the template and the contributing rules. If
CROPS is being removed intentionally, update the path instructions first;
otherwise keep the section in place for consistency with vendor card
requirements.

In `@vendors/fairblock.md`:
- Around line 1-88: The Fairblock vendor doc is missing the required CROPS
profile section at the end of the file. Add a new “## CROPS profile” section
after the Links content in vendors/fairblock.md, and include the required table
with the columns Product, CR, OS, Privacy, Security, and Context, using the
existing Fairblock/FairyRing details from the document.

In `@vendors/fhenix.md`:
- Around line 14-20: The internal pattern references in the Fhenix markdown use
hardcoded GitHub blob URLs, which should be changed to relative links. Update
all pattern links in this section to use relative paths to the corresponding
files under patterns so the references work in forks and local previews without
depending on a specific branch. Keep the link targets consistent across every
occurrence in this file and use the existing pattern filenames as the source of
truth.
- Around line 1-63: The Fhenix vendor card is missing the required CROPS profile
section. Add a "## CROPS profile" table in this document with rows for CR, OS,
Privacy, Security, and Context, matching the existing vendor template and
scoring format used by other vendor profiles. Use the current content in the
vendor card to populate the scores and short justifications, and place the new
section in the standard position alongside the other top-level vendor metadata
sections.

In `@vendors/fireblocks.md`:
- Around line 1-61: The Fireblocks vendor card is missing the required
product-level CROPS profile section from the vendor template. Add a new “##
CROPS profile” section in this document, using the same structure and fields as
vendors/_template.md, and place it in a sensible spot alongside the other
top-level sections such as “What it is” and “Fits with patterns.” Ensure the new
section is complete and consistent with the existing Fireblocks content.

In `@vendors/flashbots.md`:
- Around line 45-65: Add the missing required ## CROPS profile section to the
Flashbots vendor card, using the vendor template in vendors/README.md and the
existing Strengths/Risks structure as a guide; include a table for each product
with CR, OS, Privacy, Security, and Context, and ensure the card is not marked
ready until this section exists. While editing the same card, tone down the
promotional language in the Strengths bullets referenced by the Flashbots
section so terms like “significant adoption,” “strong relationship,” and
“next-generation infrastructure” are replaced with more neutral wording, keeping
the content aligned with the template.

In `@vendors/paladin.md`:
- Around line 1-112: The vendor page is missing the required dedicated Privacy
domains section. Add a new “## Privacy domains” section in paladin.md before “##
Enterprise demand and use cases,” and move or summarize the existing mentions of
Zeto, Noto, and Pente there so the document matches the required headings from
vendors/_template.md.
- Around line 1-112: The Paladin vendor card is missing the required CROPS
profile section, so add a new “## CROPS profile” section in the Paladin markdown
and include the evaluation table for CR, OS, Privacy, Security, and Context.
Place it alongside the existing sections in this vendor doc so the card can be
marked ready; use the current content in vendors/paladin.md to fill the row for
the Paladin entry.

In `@vendors/peer.md`:
- Around line 1-67: Add the missing required Privacy domains section in the Peer
vendor card, using the same style as the existing sections. Place the new ##
Privacy domains heading between the Architecture and Enterprise demand and use
cases sections in vendors/peer.md, and ensure it summarizes the relevant privacy
domains for Peer consistently with the rest of the document.
- Around line 1-67: Restore the missing CROPS profile section in the Peer vendor
card, since `vendors/_template.md` and the vendor path rules require it before
the file can stay ready. Add back the `## CROPS profile` heading and the CROPS
evaluation table in the `Peer` document, keeping the existing vendor summary
intact and making sure the section appears with the rest of the card content.

In `@vendors/soda-labs.md`:
- Line 41: The typo in the Soda Labs description should be corrected in the
Garbled Circuit + ZK phrase. Update the text in the affected markdown entry so
the term is spelled “Circuit” instead of “Cirtcuit,” keeping the rest of the
sentence unchanged.
- Line 32: Fix the typo in the Soda Labs documentation text by updating the
misspelled word in the sentence about Evaluators and garbled circuits;
specifically, correct the wording in the markdown content that contains
“posession” so it reads “possession” while keeping the rest of the paragraph
unchanged.
- Line 59: The wording in the Soda Labs description uses a promotional
superlative (“lowest latency”); update the affected sentence in the markdown
copy to neutral, factual phrasing such as “lower latency” or a clearly qualified
comparison, keeping the rest of the text unchanged.

In `@vendors/tx-shield.md`:
- Around line 6-136: The vendor card in tx-shield.md uses promotional wording
that should be replaced with neutral descriptions, especially in the
Architectural, Enterprise demand, and Strengths sections; update phrases like
“high performance,” “Ideal for,” “delivers institutional-grade,” and “enables
privacy-preserving” in the relevant TX-SHIELD, OpenTMP LLM, and Collab-Key
descriptions. Also verify that a ## CROPS profile section/table exists per the
vendor template, confirm the document stays within the word-count guidance, and
clarify the Ethereum/alignment claim by naming the specific chain(s) for the
on-chain settlement mention.

In `@vendors/zksync.md`:
- Around line 50-53: Revise the bullet list in the vendor description to use
factual, non-promotional wording: remove the superlative from the enterprise
features line, replace the vague “Efficient ZK Proving” phrasing with a neutral
concrete description or drop it, and correct the typo in the interoperability
bullet from “accross” to “across”; update the text where these bullets appear in
the markdown content.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4394ae21-8d62-4e97-8b82-9eb32afcbb8b

📥 Commits

Reviewing files that changed from the base of the PR and between 538a46b and 40b86f2.

⛔ Files ignored due to path filters (2)
  • weekly-updates/2026-01-16.md is excluded by !weekly-updates/**
  • weekly-updates/README.md is excluded by !weekly-updates/**
📒 Files selected for processing (147)
  • .coderabbit.yaml
  • .github/workflows/audit-check.yml
  • CHANGELOG.md
  • CONTRIBUTING.md
  • QA-AUDIT.md
  • approaches/approach-civic-participation.md
  • approaches/approach-dvp-atomic-settlement.md
  • approaches/approach-private-bonds.md
  • approaches/approach-private-broadcasting.md
  • approaches/approach-private-derivatives.md
  • approaches/approach-private-identity.md
  • approaches/approach-private-money-market-funds.md
  • approaches/approach-private-payments.md
  • approaches/approach-private-trade-settlement.md
  • approaches/approach-white-label-deployment.md
  • jurisdictions/_template.md
  • jurisdictions/cn-crypto-ban.md
  • jurisdictions/de-eWpG.md
  • jurisdictions/eu-MiCA.md
  • jurisdictions/eu-data-protection.md
  • jurisdictions/hk-crypto-licensing.md
  • jurisdictions/int-banking-secrecy.md
  • jurisdictions/us-SEC.md
  • patterns/pattern-blob-anchored-state-with-dispute.md
  • patterns/pattern-co-snark.md
  • patterns/pattern-commit-and-prove.md
  • patterns/pattern-compliance-monitoring.md
  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-crypto-registry-bridge-ewpg-eas.md
  • patterns/pattern-dvp-erc7573.md
  • patterns/pattern-eil.md
  • patterns/pattern-erc3643-rwa.md
  • patterns/pattern-focil-eip7805.md
  • patterns/pattern-forced-withdrawal.md
  • patterns/pattern-forward-secure-pseudorandom-tree.md
  • patterns/pattern-forward-secure-signatures.md
  • patterns/pattern-hybrid-public-private-modes.md
  • patterns/pattern-icma-bdt-data-model.md
  • patterns/pattern-immutable-guarantees.md
  • patterns/pattern-l2-encrypted-offchain-audit.md
  • patterns/pattern-l2-privacy-evaluation.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-mesh-store-forward-submission.md
  • patterns/pattern-mixnet-anonymity.md
  • patterns/pattern-modular-privacy-stack.md
  • patterns/pattern-mpc-custody.md
  • patterns/pattern-native-account-abstraction.md
  • patterns/pattern-network-anonymity.md
  • patterns/pattern-noir-private-contracts.md
  • patterns/pattern-oif.md
  • patterns/pattern-onion-routing.md
  • patterns/pattern-origin-locked-confidential-ledger.md
  • patterns/pattern-permissioned-ledger-interoperability.md
  • patterns/pattern-permissionless-spend-auth.md
  • patterns/pattern-plasma-stateless-privacy.md
  • patterns/pattern-pretrade-privacy-encryption.md
  • patterns/pattern-privacy-l2s.md
  • patterns/pattern-private-information-retrieval.md
  • patterns/pattern-private-iso20022.md
  • patterns/pattern-private-mtp-auth.md
  • patterns/pattern-private-pvp-stablecoins-erc7573.md
  • patterns/pattern-private-set-intersection-circuit.md
  • patterns/pattern-private-set-intersection-dh.md
  • patterns/pattern-private-set-intersection-fhe.md
  • patterns/pattern-private-set-intersection-oprf.md
  • patterns/pattern-private-shared-state-cosnark.md
  • patterns/pattern-private-shared-state-fhe.md
  • patterns/pattern-private-shared-state-tee.md
  • patterns/pattern-private-stablecoin-shielded-payments.md
  • patterns/pattern-private-transaction-broadcasting.md
  • patterns/pattern-private-vaults.md
  • patterns/pattern-proof-of-innocence.md
  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-regulatory-disclosure-keys-proofs.md
  • patterns/pattern-relay-mediated-proving.md
  • patterns/pattern-safe-proof-delegation.md
  • patterns/pattern-shielding.md
  • patterns/pattern-social-recovery.md
  • patterns/pattern-stealth-addresses.md
  • patterns/pattern-tee-based-privacy.md
  • patterns/pattern-tee-key-manager.md
  • patterns/pattern-tee-network-anonymity.md
  • patterns/pattern-tee-zk-settlement.md
  • patterns/pattern-threshold-encrypted-mempool.md
  • patterns/pattern-tls-payment-bridge.md
  • patterns/pattern-user-controlled-viewing-keys.md
  • patterns/pattern-verifiable-attestation.md
  • patterns/pattern-voprf-nullifiers.md
  • patterns/pattern-zk-kyc-ml-id-erc734-735.md
  • patterns/pattern-zk-promises.md
  • patterns/pattern-zk-proof-systems.md
  • patterns/pattern-zk-tls.md
  • patterns/pattern-zk-wrappers.md
  • rfps/rfp-benchmark-dashboard.md
  • scripts/audit-sync.js
  • scripts/schemas/use-case.json
  • scripts/schemas/vendor.json
  • scripts/validate-patterns.js
  • scripts/weekly-summary.sh
  • use-cases/_template.md
  • use-cases/private-bonds.md
  • use-cases/private-commodities.md
  • use-cases/private-corporate-bonds.md
  • use-cases/private-derivatives.md
  • use-cases/private-fx.md
  • use-cases/private-government-debt.md
  • use-cases/private-identity.md
  • use-cases/private-messaging.md
  • use-cases/private-money-market-funds.md
  • use-cases/private-oracles.md
  • use-cases/private-payments.md
  • use-cases/private-procurement.md
  • use-cases/private-read.md
  • use-cases/private-registry.md
  • use-cases/private-repo.md
  • use-cases/private-rwa-tokenization.md
  • use-cases/private-stablecoins.md
  • use-cases/private-stocks.md
  • use-cases/private-supply-chain.md
  • use-cases/private-treasuries.md
  • use-cases/resilient-civic-participation.md
  • use-cases/resilient-disbursement-rails.md
  • use-cases/resilient-identity-continuity.md
  • vendors/_template.md
  • vendors/aztec.md
  • vendors/chainlink-ace.md
  • vendors/curvy.md
  • vendors/ey.md
  • vendors/fairblock.md
  • vendors/fhenix.md
  • vendors/fireblocks.md
  • vendors/flashbots.md
  • vendors/hinkal.md
  • vendors/iexec.md
  • vendors/miden.md
  • vendors/paladin.md
  • vendors/peer.md
  • vendors/privacypools.md
  • vendors/railgun.md
  • vendors/renegade.md
  • vendors/shutter.md
  • vendors/soda-labs.md
  • vendors/space-and-time.md
  • vendors/taceo-merces.md
  • vendors/tx-shield.md
  • vendors/zama.md
  • vendors/zksync.md
💤 Files with no reviewable changes (4)
  • patterns/pattern-l2-privacy-evaluation.md
  • .coderabbit.yaml
  • CONTRIBUTING.md
  • scripts/weekly-summary.sh

Comment thread .github/workflows/audit-check.yml Outdated
Comment thread approaches/approach-dvp-atomic-settlement.md Outdated
Comment thread approaches/approach-dvp-atomic-settlement.md
Comment thread approaches/approach-private-identity.md Outdated
Comment thread approaches/approach-private-identity.md
Comment thread vendors/railgun.md
Comment thread vendors/renegade.md
Comment thread vendors/taceo-merces.md
Comment thread vendors/zksync.md
Comment thread vendors/zksync.md
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Meyanis95

Meyanis95 commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator Author

CodeRabbit review — triage & fixes

Pushed 62aeb95 addressing this review. Full triage of the 27 inline comments:

✅ Fixed (62aeb95)

  • approach-dvp-atomic-settlement.md — ERC-3643 is Final, ERC-6123 Draft (was "both still Draft"); cleared a Vale only.
  • approach-private-identity.md — TACEO:OPRF "public beta" → "live in production"; "on chain" → "on-chain".
  • pattern-lean-ethereum.md — "Eight independent client teams" → "Multiple … as of mid-2026". These are lean-consensus clients (not mainnet execution/consensus clients); leanroadmap.org lists ~9 and is evolving with no fixed total, so a hard number would go stale.
  • pattern-cross-chain-privacy-bridge.md — "maximum privacy" → "privacy on both sender and receiver ends".
  • pattern-recipient-derived-receive-addresses.md — added type: standard.
  • jurisdictions/us-SEC.md — relabeled the 2nd reference: it is a public submission to the SEC's Crypto Task Force, not an SEC-authored proposal.
  • Governance domain → canonical Civic Coordination & Governance (schema enum + resilient-civic-participation.md + private-identity.md).

🔧 Config reconciled (62aeb95)

  • .coderabbit.yaml — jurisdiction instructions now match the current At a Glance / What to Watch / See also structure; vendor ## CROPS profile relaxed from required → optional.
  • vendors/_template.md — reverted to master (keeps ## CROPS profile documented).
  • ⚠️ For OSS repos CodeRabbit applies config from the base branch, so these .coderabbit.yaml changes only take full effect once this PR merges. Expect the vendor-CROPS flags to persist on re-review until then.

⏸️ Deferred — vendor cards (out of scope this round, tracked in QA-AUDIT.md)

CROPS profile (hinkal, iexec, privacypools, railgun, renegade, taceo-merces), marketing language (fhenix, zksync), zksync typo, flashbots ## Privacy domains. CROPS evaluation is not enforced at the vendors' level, so these are not blocking.

🚫 Won't fix (rationale)

  • Jurisdiction "Actionable Best Practices" structure (template, int-banking-secrecy, us-SEC, validate-patterns.js): the cards were intentionally reshaped to a short developer-orientation format; the validator and .coderabbit.yaml now match.
  • ERC-3643 "(Draft)" note: superseded — ERC-3643 is Final.
  • secondary_domain on resilient-identity-continuity: schema now allows it to be optional/null.
  • CHANGELOG file link: the entry removes files that no longer exist — nothing to link.
  • audit-check.yml / audit-sync.js (persist-credentials, dedup): audit scaffolding, removed before merge.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
QA-AUDIT.md (1)

177-191: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Update the approach-private-identity.md tracker note
QA-AUDIT.md:186 still says TACEO OPRF was corrected from 13-node production to public beta, but the current file says live in production and maturity: production. Align the row with the current wording.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@QA-AUDIT.md` around lines 177 - 191, Update the tracker note for
approach-private-identity.md in QA-AUDIT so it matches the current wording in
the source document. The row currently references the old TACEO OPRF phrasing;
revise the notes to reflect “live in production” and “maturity: production”
instead of “13-node production” to “public beta,” keeping the rest of the review
status entry unchanged.
scripts/schemas/use-case.json (1)

27-33: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Keep secondary_domain aligned with the published use-case template.

This schema now permits secondary_domain: null and describes the field as optional, but the current use-cases/_template.md contract still lists secondary_domain as required. Because scripts/validate-patterns.js compiles this schema directly, CI will start accepting frontmatter that no longer matches the documented template.

If optionality is intentional, update the template/readme in the same PR; otherwise keep this field non-nullable here.

Suggested fix
     "secondary_domain": {
       "oneOf": [
         { "type": "string" },
-        { "type": "array", "items": { "type": "string" } },
-        { "type": "null" }
+        { "type": "array", "items": { "type": "string" } }
       ],
-      "description": "Secondary business domain(s); optional"
+      "description": "Secondary business domain(s)"
     },
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/schemas/use-case.json` around lines 27 - 33, The `secondary_domain`
field in the `use-case.json` schema is now out of sync with the published
template contract. Either make the schema match `use-cases/_template.md` by
removing the `null`/optional allowance, or, if optionality is intended, update
the template and any README/docs in the same change so
`scripts/validate-patterns.js` and the documented frontmatter rules stay
aligned. Use the `secondary_domain` schema block and the
`use-cases/_template.md` contract as the source of truth when making the fix.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@QA-AUDIT.md`:
- Around line 177-191: Update the tracker note for approach-private-identity.md
in QA-AUDIT so it matches the current wording in the source document. The row
currently references the old TACEO OPRF phrasing; revise the notes to reflect
“live in production” and “maturity: production” instead of “13-node production”
to “public beta,” keeping the rest of the review status entry unchanged.

In `@scripts/schemas/use-case.json`:
- Around line 27-33: The `secondary_domain` field in the `use-case.json` schema
is now out of sync with the published template contract. Either make the schema
match `use-cases/_template.md` by removing the `null`/optional allowance, or, if
optionality is intended, update the template and any README/docs in the same
change so `scripts/validate-patterns.js` and the documented frontmatter rules
stay aligned. Use the `secondary_domain` schema block and the
`use-cases/_template.md` contract as the source of truth when making the fix.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b013a35d-32ca-4d3b-a096-becd5d5c4332

📥 Commits

Reviewing files that changed from the base of the PR and between 40b86f2 and 62aeb95.

📒 Files selected for processing (11)
  • .coderabbit.yaml
  • QA-AUDIT.md
  • approaches/approach-dvp-atomic-settlement.md
  • approaches/approach-private-identity.md
  • jurisdictions/us-SEC.md
  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-recipient-derived-receive-addresses.md
  • scripts/schemas/use-case.json
  • use-cases/private-identity.md
  • use-cases/resilient-civic-participation.md
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: Validate Documentation Patterns
🧰 Additional context used
📓 Path-based instructions (4)
use-cases/**/*.md

⚙️ CodeRabbit configuration file

use-cases/**/*.md: This is a use case card.

Structure & frontmatter: Validate against the template at use-cases/_template.md.
Rules and scope are in use-cases/README.md.

Check that primary_domain matches one of the domains listed in domains/README.md.
Use cases should stay on a single page — flag if the content is excessively long or duplicates linked docs.

Warn if section ## 2) Additional Business Context contains anything that looks like confidential
information (specific organization names, pilot scopes, committed volumes) — these belong in context/ files.

Files:

  • use-cases/resilient-civic-participation.md
  • use-cases/private-identity.md
patterns/pattern-*.md

⚙️ CodeRabbit configuration file

patterns/pattern-*.md: This is a pattern card.

Structure & frontmatter: Validate against the template at patterns/_template.md.
File naming rules are in patterns/README.md. Filename must start with pattern- in kebab-case.
Pattern names must be vendor-neutral (no vendor-specific names like aztec, nightfall, railgun, etc.).

CROPS alignment (CRITICAL):
crops_profile with all four fields (cr, os, privacy, security) is required — CI will reject patterns missing it.
Exception: meta/evaluation patterns that do not implement privacy directly may set crops_profile: "n/a" — flag if this is used on a pattern that clearly does implement a privacy primitive.
Valid enum values are defined in CONTRIBUTING.md § CROPS Evaluation and enforced by the JSON schema at scripts/schemas/pattern.json.

Your job is to review CROPS scores for plausibility, which CI cannot check:

  • A pattern requiring a centralized operator should not claim cr: high.
  • If the pattern involves I2U context, check that the CR score accounts for user escape paths per the CR rubric in CONTRIBUTING.md.
  • A pattern using proprietary components should not claim os: yes.
  • A pattern where the operator sees all user operations should not claim privacy: full.

Word limits: warn > 800, error > 1500.
Tone: factual and neutral per house style. No marketing language.

Files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
jurisdictions/**/*.md

⚙️ CodeRabbit configuration file

jurisdictions/**/*.md: This is a jurisdiction card.

Structure & frontmatter: Validate against the template at jurisdictions/_template.md.
All required subsections under ## Actionable Best Practices must be present
(Payments, Trading, Funds & Assets, Custody, Identity & Compliance, Data & Oracles).

Files:

  • jurisdictions/us-SEC.md
approaches/**/*.md

⚙️ CodeRabbit configuration file

approaches/**/*.md: This is an approach card.

Structure: Validate against the template at approaches/_template.md.
File naming and conventions are in approaches/README.md. Filename must start with approach- in kebab-case.

Approach cards MUST link to both the use case they address and the patterns they combine.
Flag if no pattern or use case cross-references are present.

Word limits: warn > 2000, error > 3000.

Files:

  • approaches/approach-private-identity.md
  • approaches/approach-dvp-atomic-settlement.md
🧠 Learnings (18)
📚 Learning: 2026-04-14T08:10:15.334Z
Learnt from: rymnc
Repo: ethereum/iptf-map PR: 145
File: use-cases/resilient-identity-continuity.md:26-26
Timestamp: 2026-04-14T08:10:15.334Z
Learning: In ethereum/iptf-map’s `use-cases/` markdown files, the `## 3) Actors` section may use a single-line inline `·`-separated actor list (e.g., `Actor A · Actor B · Actor C`) instead of a bulleted list. If the formatting matches `use-cases/_template.md`, do not flag it as non-compliant.

Applied to files:

  • use-cases/resilient-civic-participation.md
  • use-cases/private-identity.md
📚 Learning: 2026-03-18T09:21:53.725Z
Learnt from: rymnc
Repo: ethereum/iptf-map PR: 116
File: patterns/pattern-private-set-intersection-dh.md:38-40
Timestamp: 2026-03-18T09:21:53.725Z
Learning: In the ethereum/iptf-map repository, pattern documentation should keep the Protocol section high-level and concise. Do not include granular implementation steps (e.g., explicit point-validation sub-steps). If such concerns must be mentioned, use lightweight callouts in a separate Security Notes or Caveats section. Apply this guideline to all pattern docs under the patterns directory.

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-03-20T05:29:08.871Z
Learnt from: rymnc
Repo: ethereum/iptf-map PR: 120
File: patterns/pattern-private-set-intersection-circuit.md:19-23
Timestamp: 2026-03-20T05:29:08.871Z
Learning: When reviewing Ethereum iPTF-Map pattern documentation, distinguish clearly between **censorship** and **liveness**: treat censorship as the operator blocking user inputs from being processed (this impacts CR score), while treat liveness as the operator withholding outputs after protocol participation (this does not directly affect CR score). For garbled-circuit PSI patterns specifically, if the **garbler withholds the output decoding table**, classify this as a **liveness** concern—not censorship—and therefore **do not** flag it as a “CR justification gap.”

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-04T14:49:47.740Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-lean-ethereum.md:4-4
Timestamp: 2026-05-04T14:49:47.740Z
Learning: In ethereum/iptf-map, pattern card markdown files under `patterns/` use v2 front-matter for the `maturity` field. When reviewing these files, treat `maturity` as a v2 enum and only consider it valid if it is one of: `research`, `concept`, `testnet`, or `production`. Do not flag `research` as invalid.

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-04T14:50:03.967Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-privacy-l2s.md:4-4
Timestamp: 2026-05-04T14:50:03.967Z
Learning: In ethereum/iptf-map pattern cards using schema v2 (introduced in PR `#152`), validate the `maturity` field against the v2 enum values only: `research | concept | testnet | production`. The v1 enum (`PoC | pilot | prod`) is no longer applicable to v2-migrated pattern cards. When reviewing v2 pattern files, do not flag `production` as non-canonical (it is a valid v2 value).

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-04T14:50:03.935Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-mixnet-anonymity.md:4-4
Timestamp: 2026-05-04T14:50:03.935Z
Learning: In this repo’s pattern files under `patterns/`, the IPtF map schema maturity enum must use the v2 values only: `research | concept | testnet | production`. The legacy v1 values `PoC | pilot | prod` are invalid after the v2 schema migration (PR `#152`). Therefore, when reviewing `patterns/**/*.md`, do not flag `testnet` or `production` as invalid maturity values; instead, flag any remaining usage of the old v1 enum values (`PoC`, `pilot`, `prod`) as incorrect.

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-04T14:50:06.756Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-compliance-monitoring.md:4-4
Timestamp: 2026-05-04T14:50:06.756Z
Learning: In ethereum/iptf-map, for v2 pattern cards under the `patterns/` directory, validate the `maturity` field against the v2 enum only: `research | concept | testnet | production`. Do not treat `testnet` or `production` as invalid maturity values for v2 pattern cards (the v1 enum `PoC | pilot | prod` is obsolete for content migrated to v2).

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-04T14:50:06.734Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-private-contract-dsl.md:4-4
Timestamp: 2026-05-04T14:50:06.734Z
Learning: For ethereum/iptf-map v2 pattern cards in the `patterns/` directory, validate the `maturity` field against the v2 enum defined in `scripts/schemas/pattern.json`: `research`, `concept`, `testnet`, `production`. Do NOT flag `maturity: production` as non-standard in v2 pattern files. Conversely, do not accept the v1 enum values (`PoC`, `pilot`, `prod`) for v2 pattern cards.

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-04T19:17:00.734Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 155
File: patterns/pattern-private-stablecoin-shielded-payments.md:38-43
Timestamp: 2026-05-04T19:17:00.734Z
Learning: In this repo’s IPtF map pattern Markdown files, the v2 frontmatter key `visibility:` is part of the approved schema (defined by `patterns/_template.md`). It encodes the four-slot visibility matrix (counterparty, chain, regulator, public) for transaction-level pattern cards. Do not flag `visibility` as an unknown/ad-hoc/non-schema frontmatter key in `patterns/**/*.md`; only treat it as an issue if it violates the expected schema/format.

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-14T23:07:51.781Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 166
File: patterns/pattern-immutable-guarantees.md:47-110
Timestamp: 2026-05-14T23:07:51.781Z
Learning: When reviewing ethereum/iptf-map “pattern card” Markdown documents, treat the word-count threshold of >800 words as advisory only. Do not raise it as a blocking issue unless the document exceeds the error threshold of >1500 words. In particular, word counts in the 800–1500 range should not be flagged for remediation of the body content.

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-15T20:51:34.203Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 168
File: patterns/pattern-private-information-retrieval.md:36-36
Timestamp: 2026-05-15T20:51:34.203Z
Learning: When reviewing pattern card Markdown files under `patterns/`, do not flag acronyms/abbreviations as “unexpanded” if they are defined in the project’s `Glossary` (e.g., `HNDL` = “Harvest Now, Decrypt Later”). Inline expansion is not required for terms covered by the Glossary.

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-03-19T10:42:48.438Z
Learnt from: rymnc
Repo: ethereum/iptf-map PR: 120
File: patterns/pattern-private-set-intersection-circuit.md:5-7
Timestamp: 2026-03-19T10:42:48.438Z
Learning: In ethereum/iptf-map, when reviewing documentation files in the `patterns/` directory (e.g., `patterns/*.md`), do not flag frontmatter fields `layer`, `privacy_goal`, or `assumptions` as invalid/non-schema fields. These fields are explicitly defined as valid properties in `scripts/schemas/pattern.json` with the expected types/constraints: `layer` (enum: L1, L2, offchain, hybrid), `privacy_goal` (string, maxLength 200), and `assumptions` (string or array of strings).

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-04T14:49:53.905Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-co-snark.md:4-4
Timestamp: 2026-05-04T14:49:53.905Z
Learning: In ethereum/iptf-map, for pattern markdown files under `patterns/` that use the v2 schema (introduced in PR `#152`), the `maturity` field must be one of: `research | concept | testnet | production`. Do not flag `testnet` or `production` as invalid in these v2-migrated pattern cards, and treat the old v1 values (`PoC | pilot | prod`) as not valid for v2 patterns.

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-04T14:49:53.905Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-co-snark.md:4-4
Timestamp: 2026-05-04T14:49:53.905Z
Learning: When reviewing `patterns/*.md` in the `ethereum/iptf-map` repository that have been migrated to schema v2, interpret and validate the `maturity` field using the v2 enum values: `research | concept | testnet | production` (and do not accept legacy values `PoC | pilot | prod`). Also verify that `maturity` describes the repository’s Ethereum integration readiness (e.g., readiness of the native Ethereum execution-client integration represented in the repo), not the general real-world production readiness of the underlying technology.

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-04T14:50:02.790Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-icma-bdt-data-model.md:4-4
Timestamp: 2026-05-04T14:50:02.790Z
Learning: When reviewing `maturity` fields in v2 pattern-card files under `patterns/` (v2 schema introduced in PR `#152` for `ethereum/iptf-map`), use the v2 enum values only: `research | concept | testnet | production`. Do not flag `production` as non-conformant in v2 pattern files, and do not recommend replacing `production` with the v1 value `prod` (v1 enum `PoC | pilot | prod` is obsolete for v2).

Applied to files:

  • patterns/pattern-recipient-derived-receive-addresses.md
  • patterns/pattern-lean-ethereum.md
  • patterns/pattern-cross-chain-privacy-bridge.md
📚 Learning: 2026-05-06T13:50:53.704Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 160
File: approaches/approach-private-trade-settlement.md:42-62
Timestamp: 2026-05-06T13:50:53.704Z
Learning: For approach Markdown cards using the v2 schema in the ethereum/iptf-map repo, treat the use_case frontmatter slug as the canonical cross-reference to the addressed use case. Do not enforce an in-body markdown link to the use case on v2 approach cards. The in-body link requirement is a v1 convention and should not be applied to v2 cards; this distinction is tracked separately. This pattern applies to all approach Markdown files under approaches/ (e.g., approaches/**/*.md). For the file approaches/approach-private-trade-settlement.md specifically, ensure it adheres to the v2 rule by using the frontmatter use_case reference and omit enforcing in-body use-case links.

Applied to files:

  • approaches/approach-private-identity.md
  • approaches/approach-dvp-atomic-settlement.md
📚 Learning: 2026-05-06T13:50:59.931Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 160
File: approaches/approach-private-money-market-funds.md:1-24
Timestamp: 2026-05-06T13:50:59.931Z
Learning: In iptf-map v2 approach cards, iptf_pocs is for IPTF-internal research prototypes tied to a specific sub-approach, while open_source_implementations is for third-party production-viability signals. Do not flag a missing iptf_pocs block unless an IPTF-internal prototype actually exists for that approach; a sub-approach with maturity: prototyped does not imply an IPTF PoC exists. Reviewers should: (1) verify whether an IPTF-internal prototype exists for the sub-approach in question; (2) if yes, ensure an iptf_pocs block is present and accurately describes it; (3) if no internal prototype exists, do not require an iptf_pocs block. This guideline applies to all approach markdown files under approaches/ in this repository (ethereum/iptf-map).

Applied to files:

  • approaches/approach-private-identity.md
  • approaches/approach-dvp-atomic-settlement.md
📚 Learning: 2026-05-06T13:50:58.986Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 160
File: approaches/approach-private-broadcasting.md:1-26
Timestamp: 2026-05-06T13:50:58.986Z
Learning: Follow the v2 schema for approach cards in approaches/**/*.md. iptf_pocs is strictly for IPTF-internal research prototypes with a matching sub_approach entry; open_source_implementations covers third-party production-viability signals. Do not flag missing iptf_pocs when there is no IPTF-internal prototype for the approach card; the field is optional and must not be fabricated.

Applied to files:

  • approaches/approach-private-identity.md
  • approaches/approach-dvp-atomic-settlement.md
🪛 GitHub Check: vale
patterns/pattern-cross-chain-privacy-bridge.md

[warning] 101-101: [vale] patterns/pattern-cross-chain-privacy-bridge.md#L101
[IPTF.Marketing] Avoid marketing language: 'first'. Use neutral, factual terms.

QA-AUDIT.md

[warning] 60-60: [vale] QA-AUDIT.md#L60
[IPTF.Marketing] Avoid marketing language: 'only'. Use neutral, factual terms.


[warning] 62-62: [vale] QA-AUDIT.md#L62
[IPTF.Terminology] Use 'DvP' instead of 'dvp' for consistency with GLOSSARY.md.


[warning] 62-62: [vale] QA-AUDIT.md#L62
[IPTF.Marketing] Avoid marketing language: 'only'. Use neutral, factual terms.


[warning] 65-65: [vale] QA-AUDIT.md#L65
[IPTF.Marketing] Avoid marketing language: 'only'. Use neutral, factual terms.

🔇 Additional comments (33)
QA-AUDIT.md (10)

1-41: LGTM!


44-55: LGTM!


58-73: LGTM!


74-148: LGTM!


149-176: LGTM!


192-204: LGTM!


205-216: LGTM!


217-247: LGTM!


248-263: LGTM!


264-277: LGTM!

patterns/pattern-lean-ethereum.md (3)

3-7: LGTM!


52-52: LGTM!


61-61: LGTM! The previously flagged "eight independent client teams" claim has been replaced with appropriately vague "Multiple independent client teams" wording, avoiding the execution-vs-consensus client overcount issue.

patterns/pattern-cross-chain-privacy-bridge.md (3)

3-7: LGTM!


101-101: LGTM! The previously flagged "maximum privacy" marketing language has been corrected to neutral phrasing. The vale warning for "first" is a false positive — it is used sequentially ("first…then"), not promotionally.


112-114: LGTM!

patterns/pattern-recipient-derived-receive-addresses.md (2)

3-7: LGTM! The previously flagged missing type frontmatter field has been added with type: standard.


56-63: LGTM!

Also applies to: 80-83

use-cases/private-identity.md (2)

2-5: LGTM!


19-19: LGTM! The revised "18M+ verified humans" figure is more precise than the prior "25M+ registrations" claim, correctly distinguishing verified unique humans from raw registrations.

use-cases/resilient-civic-participation.md (1)

2-5: LGTM! The previously flagged shortened primary_domain has been corrected to the full canonical Civic Coordination & Governance.

approaches/approach-dvp-atomic-settlement.md (6)

47-47: LGTM! The standard-status wording is now accurate: ERC-6123 as Draft and ERC-3643 as Final.


59-90: LGTM! The HTLC section correctly inverts the timeout ordering to T2 > T1, explicitly calls out the free-option problem, and properly scopes HTLC to cross-chain use. CROPS metadata and narrative are consistent.


125-134: LGTM! Adding pattern-shielding to uses_patterns aligns with the privacy recommendations in this approach. Verify it appears in the card's primary_patterns or supporting_patterns front-matter list.


167-181: LGTM! Comparison table aligns with revised HTLC CROPS and privacy/trust descriptions.


182-195: LGTM! Persona perspectives correctly restate single-network atomicity, scope HTLC to cross-chain, and accurately note that privacy requires shielded pools beyond the atomicity mechanism itself.


196-210: LGTM! The Default recommendation correctly shifts to Escrow with Dual Approval. Decision factors properly route Oracle to event-driven triggers and HTLC to cross-chain cases. The hybrid guidance correctly emphasizes shielded-pool privacy and timed unilateral refund fallback.

approaches/approach-private-identity.md (5)

3-4: LGTM! Status correctly promoted to ready with updated last_reviewed date.


244-280: LGTM! TACEO status correctly updated to "live in production." Sub-approach YAML block is complete with all required v2 fields. CROPS profile is plausible for issuer-independent threshold OPRF with social recovery exit paths.


300-300: LGTM! Formatting change removes bold emphasis from approach names while preserving factual tone.


314-320: LGTM! "on-chain" hyphenation is correctly applied.

Note: Lines 318–320 have three successive sentences beginning with "If". Consider varying the structure for readability, though this is not blocking.


322-325: LGTM! Hybrid guidance appropriately layers approaches and correctly frames coercion-resistance as an open research item.

scripts/schemas/use-case.json (1)

13-25: 🗄️ Data Integrity & Integration

No change needed The primary_domain enum matches the list in domains/README.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Meyanis95

Copy link
Copy Markdown
Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Meyanis95 Meyanis95 changed the title audit [WIP] feat(audit): merge audit trail and fixes Jun 29, 2026
@Meyanis95 Meyanis95 requested review from mojalil, oskarth and rymnc June 29, 2026 19:00
Comment thread approaches/approach-private-bonds.md Outdated

@rymnc rymnc left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

generally looks good, can you get rid of emdashes please :)

@oskarth

oskarth commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Humanizer/style pass notes:

  • Remove PR-added em dashes. The main clusters are in QA-AUDIT.md, jurisdictions/*, approaches/approach-dvp-atomic-settlement.md, and patterns/pattern-cross-chain-privacy-bridge.md.
  • Reduce arrow notation in prose/table notes. status→ready, EIP→ERC, etc. is compact, but repeated across the audit tracker it starts to read mechanical. Use "to" or "renamed from X to Y" where space allows.
  • Remove emphasis bolding inside body prose where it is not structural. Keep table/status formatting, but jurisdiction prose like **banned since 2021**, **permissive but licensed**, and **not absolute** can be plain text.
  • Replace the repeated jurisdiction disclaimer High-level orientation for developers — not legal advice. with something shorter like Developer orientation. Not legal advice.
  • Avoid the repeated Posture: ... ending in jurisdiction cards. Work it into the sentence instead, e.g. Hong Kong is permissive by comparison, but access depends on licensing.
  • Break up the longest legal-review paragraphs in the approaches. A few read like stitched-together policy memos, especially approach-private-identity.md, approach-white-label-deployment.md, and approach-dvp-atomic-settlement.md.
  • Replace single source of truth in QA-AUDIT.md with a plainer line like Use this tracker to avoid duplicate reviews.

Otherwise LGTM to me.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
vendors/shutter.md (2)

7-60: 📐 Maintainability & Code Quality | 🟠 Major | 🏗️ Heavy lift

Add the required ## CROPS profile table.

This vendor card is missing the per-product CROPS evaluation required by the template, so CR / OS / Privacy / Security / Context cannot be audited here. Per the vendor template requirements in vendors/_template.md.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/shutter.md` around lines 7 - 60, The Shutter Network vendor card is
missing the required CROPS profile section, so add the per-product evaluation
table in this document using the same structure as other vendor cards. Update
the content around the existing Shutter overview sections to include a clear “##
CROPS profile” heading with the CR, OS, Privacy, Security, and Context
assessments so it matches the vendor template requirements in
vendors/_template.md.

Source: Path instructions


11-17: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Keep Fits with patterns names-only and tone factual.

../approaches/approach-private-broadcasting.md is an approach, not a pattern, and the section should not use markdown links. The rest of the card also reads promotional (prevents MEV extraction, Proven solution, Effective MEV prevention) and should be rewritten as neutral facts. Per the vendor template and house style in vendors/_template.md and vendors/README.md.

Also applies to: 30-33, 41-46

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@vendors/shutter.md` around lines 11 - 17, The vendor card text in the Shutter
entry is too promotional and the “Fits with patterns” section uses markdown
links and includes an approach, not just pattern names. Rewrite the Shutter
description in neutral, factual language, remove promotional phrasing, and
change “Fits with patterns” to names-only entries that list only valid pattern
names without links. Use the Shutter card content plus the vendor template and
README guidance to align wording and section style, especially around the
patterns list.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@QA-AUDIT.md`:
- Line 68: The vendor CROPS guidance is inconsistent between the audit note and
the repository rule, so future checks may treat a required vendor-card section
as optional. Update the repo instruction in .coderabbit.yaml or revise the
QA-AUDIT.md note so they match, and make sure the vendor-card guidance for CROPS
aligns with the current policy around the CROPS profile section and its table
requirement.

---

Outside diff comments:
In `@vendors/shutter.md`:
- Around line 7-60: The Shutter Network vendor card is missing the required
CROPS profile section, so add the per-product evaluation table in this document
using the same structure as other vendor cards. Update the content around the
existing Shutter overview sections to include a clear “## CROPS profile” heading
with the CR, OS, Privacy, Security, and Context assessments so it matches the
vendor template requirements in vendors/_template.md.
- Around line 11-17: The vendor card text in the Shutter entry is too
promotional and the “Fits with patterns” section uses markdown links and
includes an approach, not just pattern names. Rewrite the Shutter description in
neutral, factual language, remove promotional phrasing, and change “Fits with
patterns” to names-only entries that list only valid pattern names without
links. Use the Shutter card content plus the vendor template and README guidance
to align wording and section style, especially around the patterns list.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b2e820d4-f98c-40eb-8b26-aee7cd5e4ce9

📥 Commits

Reviewing files that changed from the base of the PR and between e1d0b07 and 44ad3fa.

📒 Files selected for processing (21)
  • QA-AUDIT.md
  • approaches/approach-dvp-atomic-settlement.md
  • approaches/approach-private-bonds.md
  • approaches/approach-private-identity.md
  • approaches/approach-private-payments.md
  • approaches/approach-white-label-deployment.md
  • jurisdictions/_template.md
  • jurisdictions/cn-crypto-ban.md
  • jurisdictions/de-eWpG.md
  • jurisdictions/eu-MiCA.md
  • jurisdictions/eu-data-protection.md
  • jurisdictions/hk-crypto-licensing.md
  • jurisdictions/int-banking-secrecy.md
  • jurisdictions/us-SEC.md
  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
  • use-cases/private-rwa-tokenization.md
  • use-cases/resilient-disbursement-rails.md
  • use-cases/resilient-identity-continuity.md
  • vendors/flashbots.md
  • vendors/shutter.md
📜 Review details
⏰ Context from checks skipped due to timeout. (1)
  • GitHub Check: Validate Documentation Patterns
🧰 Additional context used
📓 Path-based instructions (5)
approaches/**/*.md

⚙️ CodeRabbit configuration file

approaches/**/*.md: This is an approach card.

Structure: Validate against the template at approaches/_template.md.
File naming and conventions are in approaches/README.md. Filename must start with approach- in kebab-case.

Approach cards MUST link to both the use case they address and the patterns they combine.
Flag if no pattern or use case cross-references are present.

Word limits: warn > 2000, error > 3000.

Files:

  • approaches/approach-private-payments.md
  • approaches/approach-private-bonds.md
  • approaches/approach-private-identity.md
  • approaches/approach-white-label-deployment.md
  • approaches/approach-dvp-atomic-settlement.md
jurisdictions/**/*.md

⚙️ CodeRabbit configuration file

jurisdictions/**/*.md: This is a jurisdiction card.

Structure & frontmatter: Validate against the template at jurisdictions/_template.md.
All required subsections under ## Actionable Best Practices must be present
(Payments, Trading, Funds & Assets, Custody, Identity & Compliance, Data & Oracles).

Files:

  • jurisdictions/eu-MiCA.md
  • jurisdictions/_template.md
  • jurisdictions/cn-crypto-ban.md
  • jurisdictions/us-SEC.md
  • jurisdictions/de-eWpG.md
  • jurisdictions/int-banking-secrecy.md
  • jurisdictions/hk-crypto-licensing.md
  • jurisdictions/eu-data-protection.md
use-cases/**/*.md

⚙️ CodeRabbit configuration file

use-cases/**/*.md: This is a use case card.

Structure & frontmatter: Validate against the template at use-cases/_template.md.
Rules and scope are in use-cases/README.md.

Check that primary_domain matches one of the domains listed in domains/README.md.
Use cases should stay on a single page — flag if the content is excessively long or duplicates linked docs.

Warn if section ## 2) Additional Business Context contains anything that looks like confidential
information (specific organization names, pilot scopes, committed volumes) — these belong in context/ files.

Files:

  • use-cases/private-rwa-tokenization.md
  • use-cases/resilient-identity-continuity.md
  • use-cases/resilient-disbursement-rails.md
patterns/pattern-*.md

⚙️ CodeRabbit configuration file

patterns/pattern-*.md: This is a pattern card.

Structure & frontmatter: Validate against the template at patterns/_template.md.
File naming rules are in patterns/README.md. Filename must start with pattern- in kebab-case.
Pattern names must be vendor-neutral (no vendor-specific names like aztec, nightfall, railgun, etc.).

CROPS alignment (CRITICAL):
crops_profile with all four fields (cr, os, privacy, security) is required — CI will reject patterns missing it.
Exception: meta/evaluation patterns that do not implement privacy directly may set crops_profile: "n/a" — flag if this is used on a pattern that clearly does implement a privacy primitive.
Valid enum values are defined in CONTRIBUTING.md § CROPS Evaluation and enforced by the JSON schema at scripts/schemas/pattern.json.

Your job is to review CROPS scores for plausibility, which CI cannot check:

  • A pattern requiring a centralized operator should not claim cr: high.
  • If the pattern involves I2U context, check that the CR score accounts for user escape paths per the CR rubric in CONTRIBUTING.md.
  • A pattern using proprietary components should not claim os: yes.
  • A pattern where the operator sees all user operations should not claim privacy: full.

Word limits: warn > 800, error > 1500.
Tone: factual and neutral per house style. No marketing language.

Files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
vendors/**/*.md

⚙️ CodeRabbit configuration file

vendors/**/*.md: This is a vendor card.

Structure & frontmatter: Validate against the template at vendors/_template.md.

Ethereum alignment (CRITICAL):
Per vendors/README.md, IPTF only lists vendors whose products are Ethereum-aligned.
Check that the product is built for or deployed on Ethereum mainnet or production L2s,
or is a multichain solution that benefits the Ethereum ecosystem (supports EIPs/ERCs,
advances shared privacy patterns, or brings institutional adoption to Ethereum).
Flag products that primarily serve non-Ethereum L1s without meaningful Ethereum integration.

CROPS evaluation (CRITICAL):
Vendor cards MUST include a ## CROPS profile section with a table evaluating each product.
Table columns: Product | CR | OS | Privacy | Security | Context.
Validate scores against the rubrics in CONTRIBUTING.md § CROPS Evaluation.
CROPS is assessed per product, not per vendor — a single vendor may have products with different profiles.
For vendors, the Security score should also consider: audit status, upgrade key controls, admin key scope, incident history, and bug bounty program.

Tone (CRITICAL): Must be neutral and factual per vendors/README.md house style.
Vendor cards describe capabilities objectively — they do not endorse products.
Flag any promotional language, superlatives, or marketing copy.

Word limits: warn > 1000, error > 1800.

Files:

  • vendors/flashbots.md
  • vendors/shutter.md
🧠 Learnings (21)
📚 Learning: 2026-05-06T13:50:53.704Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 160
File: approaches/approach-private-trade-settlement.md:42-62
Timestamp: 2026-05-06T13:50:53.704Z
Learning: For approach Markdown cards using the v2 schema in the ethereum/iptf-map repo, treat the use_case frontmatter slug as the canonical cross-reference to the addressed use case. Do not enforce an in-body markdown link to the use case on v2 approach cards. The in-body link requirement is a v1 convention and should not be applied to v2 cards; this distinction is tracked separately. This pattern applies to all approach Markdown files under approaches/ (e.g., approaches/**/*.md). For the file approaches/approach-private-trade-settlement.md specifically, ensure it adheres to the v2 rule by using the frontmatter use_case reference and omit enforcing in-body use-case links.

Applied to files:

  • approaches/approach-private-payments.md
  • approaches/approach-private-bonds.md
  • approaches/approach-private-identity.md
  • approaches/approach-white-label-deployment.md
  • approaches/approach-dvp-atomic-settlement.md
📚 Learning: 2026-05-06T13:50:59.931Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 160
File: approaches/approach-private-money-market-funds.md:1-24
Timestamp: 2026-05-06T13:50:59.931Z
Learning: In iptf-map v2 approach cards, iptf_pocs is for IPTF-internal research prototypes tied to a specific sub-approach, while open_source_implementations is for third-party production-viability signals. Do not flag a missing iptf_pocs block unless an IPTF-internal prototype actually exists for that approach; a sub-approach with maturity: prototyped does not imply an IPTF PoC exists. Reviewers should: (1) verify whether an IPTF-internal prototype exists for the sub-approach in question; (2) if yes, ensure an iptf_pocs block is present and accurately describes it; (3) if no internal prototype exists, do not require an iptf_pocs block. This guideline applies to all approach markdown files under approaches/ in this repository (ethereum/iptf-map).

Applied to files:

  • approaches/approach-private-payments.md
  • approaches/approach-private-bonds.md
  • approaches/approach-private-identity.md
  • approaches/approach-white-label-deployment.md
  • approaches/approach-dvp-atomic-settlement.md
📚 Learning: 2026-05-06T13:50:58.986Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 160
File: approaches/approach-private-broadcasting.md:1-26
Timestamp: 2026-05-06T13:50:58.986Z
Learning: Follow the v2 schema for approach cards in approaches/**/*.md. iptf_pocs is strictly for IPTF-internal research prototypes with a matching sub_approach entry; open_source_implementations covers third-party production-viability signals. Do not flag missing iptf_pocs when there is no IPTF-internal prototype for the approach card; the field is optional and must not be fabricated.

Applied to files:

  • approaches/approach-private-payments.md
  • approaches/approach-private-bonds.md
  • approaches/approach-private-identity.md
  • approaches/approach-white-label-deployment.md
  • approaches/approach-dvp-atomic-settlement.md
📚 Learning: 2026-06-29T17:36:52.262Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 130
File: jurisdictions/_template.md:12-27
Timestamp: 2026-06-29T17:36:52.262Z
Learning: In ethereum/iptf-map, jurisdiction card markdown files under `jurisdictions/**/*.md` should use the shorter developer-oriented template. They should include `## At a Glance` and may include `## What to Watch` plus `## See also`; do not require or enforce the legacy `## Actionable Best Practices` subsections that were removed in favor of `jurisdictions/_template.md`.

Applied to files:

  • jurisdictions/eu-MiCA.md
  • jurisdictions/_template.md
  • jurisdictions/cn-crypto-ban.md
  • jurisdictions/us-SEC.md
  • jurisdictions/de-eWpG.md
  • jurisdictions/int-banking-secrecy.md
  • jurisdictions/hk-crypto-licensing.md
  • jurisdictions/eu-data-protection.md
📚 Learning: 2026-06-29T17:37:02.314Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 130
File: jurisdictions/int-banking-secrecy.md:15-30
Timestamp: 2026-06-29T17:37:02.314Z
Learning: For markdown files under `jurisdictions/**/*.md`, use the required developer-oriented documentation structure: include the section `## At a Glance`. Also include `## What to Watch` and `## See also` (recommended). Do not require `## Actionable Best Practices` or its six subsections—these should be omitted unless already present for a specific reason.

Applied to files:

  • jurisdictions/eu-MiCA.md
  • jurisdictions/_template.md
  • jurisdictions/cn-crypto-ban.md
  • jurisdictions/us-SEC.md
  • jurisdictions/de-eWpG.md
  • jurisdictions/int-banking-secrecy.md
  • jurisdictions/hk-crypto-licensing.md
  • jurisdictions/eu-data-protection.md
📚 Learning: 2026-06-29T17:37:30.625Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 130
File: jurisdictions/us-SEC.md:0-0
Timestamp: 2026-06-29T17:37:30.625Z
Learning: In `ethereum/iptf-map`, jurisdiction card markdown files under `jurisdictions/**/*.md` must use the newer concise developer-oriented section format: require a `## At a Glance` section, strongly recommend including `## What to Watch` and `## See also`, and stop requiring/reminding the legacy `## Actionable Best Practices` section with its six subsections.

Applied to files:

  • jurisdictions/eu-MiCA.md
  • jurisdictions/_template.md
  • jurisdictions/cn-crypto-ban.md
  • jurisdictions/us-SEC.md
  • jurisdictions/de-eWpG.md
  • jurisdictions/int-banking-secrecy.md
  • jurisdictions/hk-crypto-licensing.md
  • jurisdictions/eu-data-protection.md
📚 Learning: 2026-04-14T08:10:15.334Z
Learnt from: rymnc
Repo: ethereum/iptf-map PR: 145
File: use-cases/resilient-identity-continuity.md:26-26
Timestamp: 2026-04-14T08:10:15.334Z
Learning: In ethereum/iptf-map’s `use-cases/` markdown files, the `## 3) Actors` section may use a single-line inline `·`-separated actor list (e.g., `Actor A · Actor B · Actor C`) instead of a bulleted list. If the formatting matches `use-cases/_template.md`, do not flag it as non-compliant.

Applied to files:

  • use-cases/private-rwa-tokenization.md
  • use-cases/resilient-identity-continuity.md
  • use-cases/resilient-disbursement-rails.md
📚 Learning: 2026-03-18T09:21:53.725Z
Learnt from: rymnc
Repo: ethereum/iptf-map PR: 116
File: patterns/pattern-private-set-intersection-dh.md:38-40
Timestamp: 2026-03-18T09:21:53.725Z
Learning: In the ethereum/iptf-map repository, pattern documentation should keep the Protocol section high-level and concise. Do not include granular implementation steps (e.g., explicit point-validation sub-steps). If such concerns must be mentioned, use lightweight callouts in a separate Security Notes or Caveats section. Apply this guideline to all pattern docs under the patterns directory.

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-03-20T05:29:08.871Z
Learnt from: rymnc
Repo: ethereum/iptf-map PR: 120
File: patterns/pattern-private-set-intersection-circuit.md:19-23
Timestamp: 2026-03-20T05:29:08.871Z
Learning: When reviewing Ethereum iPTF-Map pattern documentation, distinguish clearly between **censorship** and **liveness**: treat censorship as the operator blocking user inputs from being processed (this impacts CR score), while treat liveness as the operator withholding outputs after protocol participation (this does not directly affect CR score). For garbled-circuit PSI patterns specifically, if the **garbler withholds the output decoding table**, classify this as a **liveness** concern—not censorship—and therefore **do not** flag it as a “CR justification gap.”

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-05-04T14:49:47.740Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-lean-ethereum.md:4-4
Timestamp: 2026-05-04T14:49:47.740Z
Learning: In ethereum/iptf-map, pattern card markdown files under `patterns/` use v2 front-matter for the `maturity` field. When reviewing these files, treat `maturity` as a v2 enum and only consider it valid if it is one of: `research`, `concept`, `testnet`, or `production`. Do not flag `research` as invalid.

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-05-04T14:50:03.967Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-privacy-l2s.md:4-4
Timestamp: 2026-05-04T14:50:03.967Z
Learning: In ethereum/iptf-map pattern cards using schema v2 (introduced in PR `#152`), validate the `maturity` field against the v2 enum values only: `research | concept | testnet | production`. The v1 enum (`PoC | pilot | prod`) is no longer applicable to v2-migrated pattern cards. When reviewing v2 pattern files, do not flag `production` as non-canonical (it is a valid v2 value).

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-05-04T14:50:03.935Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-mixnet-anonymity.md:4-4
Timestamp: 2026-05-04T14:50:03.935Z
Learning: In this repo’s pattern files under `patterns/`, the IPtF map schema maturity enum must use the v2 values only: `research | concept | testnet | production`. The legacy v1 values `PoC | pilot | prod` are invalid after the v2 schema migration (PR `#152`). Therefore, when reviewing `patterns/**/*.md`, do not flag `testnet` or `production` as invalid maturity values; instead, flag any remaining usage of the old v1 enum values (`PoC`, `pilot`, `prod`) as incorrect.

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-05-04T14:50:06.756Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-compliance-monitoring.md:4-4
Timestamp: 2026-05-04T14:50:06.756Z
Learning: In ethereum/iptf-map, for v2 pattern cards under the `patterns/` directory, validate the `maturity` field against the v2 enum only: `research | concept | testnet | production`. Do not treat `testnet` or `production` as invalid maturity values for v2 pattern cards (the v1 enum `PoC | pilot | prod` is obsolete for content migrated to v2).

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-05-04T14:50:06.734Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-private-contract-dsl.md:4-4
Timestamp: 2026-05-04T14:50:06.734Z
Learning: For ethereum/iptf-map v2 pattern cards in the `patterns/` directory, validate the `maturity` field against the v2 enum defined in `scripts/schemas/pattern.json`: `research`, `concept`, `testnet`, `production`. Do NOT flag `maturity: production` as non-standard in v2 pattern files. Conversely, do not accept the v1 enum values (`PoC`, `pilot`, `prod`) for v2 pattern cards.

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-05-04T19:17:00.734Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 155
File: patterns/pattern-private-stablecoin-shielded-payments.md:38-43
Timestamp: 2026-05-04T19:17:00.734Z
Learning: In this repo’s IPtF map pattern Markdown files, the v2 frontmatter key `visibility:` is part of the approved schema (defined by `patterns/_template.md`). It encodes the four-slot visibility matrix (counterparty, chain, regulator, public) for transaction-level pattern cards. Do not flag `visibility` as an unknown/ad-hoc/non-schema frontmatter key in `patterns/**/*.md`; only treat it as an issue if it violates the expected schema/format.

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-05-14T23:07:51.781Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 166
File: patterns/pattern-immutable-guarantees.md:47-110
Timestamp: 2026-05-14T23:07:51.781Z
Learning: When reviewing ethereum/iptf-map “pattern card” Markdown documents, treat the word-count threshold of >800 words as advisory only. Do not raise it as a blocking issue unless the document exceeds the error threshold of >1500 words. In particular, word counts in the 800–1500 range should not be flagged for remediation of the body content.

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-05-15T20:51:34.203Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 168
File: patterns/pattern-private-information-retrieval.md:36-36
Timestamp: 2026-05-15T20:51:34.203Z
Learning: When reviewing pattern card Markdown files under `patterns/`, do not flag acronyms/abbreviations as “unexpanded” if they are defined in the project’s `Glossary` (e.g., `HNDL` = “Harvest Now, Decrypt Later”). Inline expansion is not required for terms covered by the Glossary.

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-03-19T10:42:48.438Z
Learnt from: rymnc
Repo: ethereum/iptf-map PR: 120
File: patterns/pattern-private-set-intersection-circuit.md:5-7
Timestamp: 2026-03-19T10:42:48.438Z
Learning: In ethereum/iptf-map, when reviewing documentation files in the `patterns/` directory (e.g., `patterns/*.md`), do not flag frontmatter fields `layer`, `privacy_goal`, or `assumptions` as invalid/non-schema fields. These fields are explicitly defined as valid properties in `scripts/schemas/pattern.json` with the expected types/constraints: `layer` (enum: L1, L2, offchain, hybrid), `privacy_goal` (string, maxLength 200), and `assumptions` (string or array of strings).

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-05-04T14:49:53.905Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-co-snark.md:4-4
Timestamp: 2026-05-04T14:49:53.905Z
Learning: In ethereum/iptf-map, for pattern markdown files under `patterns/` that use the v2 schema (introduced in PR `#152`), the `maturity` field must be one of: `research | concept | testnet | production`. Do not flag `testnet` or `production` as invalid in these v2-migrated pattern cards, and treat the old v1 values (`PoC | pilot | prod`) as not valid for v2 patterns.

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-05-04T14:49:53.905Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-co-snark.md:4-4
Timestamp: 2026-05-04T14:49:53.905Z
Learning: When reviewing `patterns/*.md` in the `ethereum/iptf-map` repository that have been migrated to schema v2, interpret and validate the `maturity` field using the v2 enum values: `research | concept | testnet | production` (and do not accept legacy values `PoC | pilot | prod`). Also verify that `maturity` describes the repository’s Ethereum integration readiness (e.g., readiness of the native Ethereum execution-client integration represented in the repo), not the general real-world production readiness of the underlying technology.

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
📚 Learning: 2026-05-04T14:50:02.790Z
Learnt from: Meyanis95
Repo: ethereum/iptf-map PR: 154
File: patterns/pattern-icma-bdt-data-model.md:4-4
Timestamp: 2026-05-04T14:50:02.790Z
Learning: When reviewing `maturity` fields in v2 pattern-card files under `patterns/` (v2 schema introduced in PR `#152` for `ethereum/iptf-map`), use the v2 enum values only: `research | concept | testnet | production`. Do not flag `production` as non-conformant in v2 pattern files, and do not recommend replacing `production` with the v1 value `prod` (v1 enum `PoC | pilot | prod` is obsolete for v2).

Applied to files:

  • patterns/pattern-cross-chain-privacy-bridge.md
  • patterns/pattern-zk-wrappers.md
🪛 GitHub Check: vale
patterns/pattern-cross-chain-privacy-bridge.md

[warning] 101-101: [vale] patterns/pattern-cross-chain-privacy-bridge.md#L101
[IPTF.Marketing] Avoid marketing language: 'first'. Use neutral, factual terms.

approaches/approach-private-identity.md

[warning] 310-310: [vale] approaches/approach-private-identity.md#L310
[IPTF.Marketing] Avoid marketing language: 'only'. Use neutral, factual terms.

QA-AUDIT.md

[warning] 58-58: [vale] QA-AUDIT.md#L58
[IPTF.Marketing] Avoid marketing language: 'only'. Use neutral, factual terms.


[warning] 60-60: [vale] QA-AUDIT.md#L60
[IPTF.Terminology] Use 'DvP' instead of 'dvp' for consistency with GLOSSARY.md.


[warning] 60-60: [vale] QA-AUDIT.md#L60
[IPTF.Marketing] Avoid marketing language: 'only'. Use neutral, factual terms.


[warning] 63-63: [vale] QA-AUDIT.md#L63
[IPTF.Marketing] Avoid marketing language: 'only'. Use neutral, factual terms.


[warning] 83-83: [vale] QA-AUDIT.md#L83
[IPTF.Terminology] Use 'eWpG' instead of 'ewpg' for consistency with GLOSSARY.md.


[warning] 84-84: [vale] QA-AUDIT.md#L84
[IPTF.Terminology] Use 'DvP' instead of 'dvp' for consistency with GLOSSARY.md.


[warning] 84-84: [vale] QA-AUDIT.md#L84
[IPTF.Terminology] Use 'ERC-7573' instead of 'erc7573' for consistency with GLOSSARY.md.


[warning] 86-86: [vale] QA-AUDIT.md#L86
[IPTF.Terminology] Use 'ERC-3643' instead of 'erc3643' for consistency with GLOSSARY.md.


[warning] 115-115: [vale] QA-AUDIT.md#L115
[IPTF.Terminology] Use 'PvP' instead of 'pvp' for consistency with GLOSSARY.md.


[warning] 115-115: [vale] QA-AUDIT.md#L115
[IPTF.Terminology] Use 'ERC-7573' instead of 'erc7573' for consistency with GLOSSARY.md.


[warning] 145-145: [vale] QA-AUDIT.md#L145
[IPTF.Terminology] Use 'zero-knowledge proof' instead of 'zk-proof' for consistency with GLOSSARY.md.


[warning] 182-182: [vale] QA-AUDIT.md#L182
[IPTF.Terminology] Use 'DvP' instead of 'dvp' for consistency with GLOSSARY.md.


[warning] 254-254: [vale] QA-AUDIT.md#L254
[IPTF.Terminology] Use 'ERC-3643' instead of 'ERC3643' for consistency with GLOSSARY.md.


[warning] 259-259: [vale] QA-AUDIT.md#L259
[IPTF.Marketing] Avoid marketing language: 'only'. Use neutral, factual terms.


[warning] 276-276: [vale] QA-AUDIT.md#L276
[IPTF.Terminology] Use 'DvP' instead of 'dvp' for consistency with GLOSSARY.md.


[warning] 276-276: [vale] QA-AUDIT.md#L276
[IPTF.Terminology] Use 'DvP' instead of 'dvp' for consistency with GLOSSARY.md.

🪛 LanguageTool
jurisdictions/eu-data-protection.md

[grammar] ~19-~19: Ensure spelling is correct
Context: ...erasure rights and the anonymisation-vs-pseudonymisation line are being actively clarified by th...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

approaches/approach-white-label-deployment.md

[style] ~247-~247: ‘under stress’ might be wordy. Consider a shorter alternative.
Context: ...olution timelines the regulator expects under stress. ## Recommendation ### Default For i...

(EN_WORDINESS_PREMIUM_UNDER_STRESS)

QA-AUDIT.md

[grammar] ~182-~182: Ensure spelling is correct
Context: ...ved + 6123/3643 made optional; FINOS to chatch HTLC repo; added pattern-shielding (inc...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)


[grammar] ~270-~270: Ensure spelling is correct
Context: ...on` applied consistently? It sits on an offchain pattern with no mainnet usage (mesh) an...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)


[grammar] ~273-~273: Ensure spelling is correct
Context: ... use-cases but is a Vercel preview URL (linkrot risk). Repoint to a stable/canonical UR...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

approaches/approach-dvp-atomic-settlement.md

[grammar] ~204-~204: Ensure spelling is correct
Context: ...dit access to its evidence trail. HTLC, where used for a cross-chain leg, has a deter...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)


[grammar] ~204-~204: Use a hyphen to join words.
Context: ...precisely, but it publishes the trade on chain; whether that documentation and di...

(QB_NEW_EN_HYPHEN)

🔇 Additional comments (20)
approaches/approach-private-payments.md (1)

357-357: LGTM!

jurisdictions/eu-MiCA.md (1)

15-20: LGTM!

jurisdictions/_template.md (1)

12-19: LGTM!

use-cases/private-rwa-tokenization.md (1)

17-18: LGTM!

vendors/shutter.md (1)

11-11: Verify the Ethereum-aligned vendor scope.

The card only documents a Gnosis Chain deployment, with Ethereum support still framed as planned. If this is meant to stay in vendors/, add the Ethereum-mainnet / production-L2 deployment or the explicit Ethereum-ecosystem benefit that makes it eligible. Per the vendor scope rules in vendors/README.md.

Also applies to: 36-37

Source: Path instructions

approaches/approach-white-label-deployment.md (1)

243-247: LGTM!

patterns/pattern-zk-wrappers.md (1)

37-37: LGTM!

jurisdictions/cn-crypto-ban.md (1)

15-19: LGTM!

use-cases/resilient-identity-continuity.md (1)

88-88: LGTM!

jurisdictions/us-SEC.md (1)

17-27: 📐 Maintainability & Code Quality

Verify the legal claims in this summary block.

The GENIUS Act, staking, and generic-listing statements are time-sensitive regulatory facts; please confirm them against current primary sources before merging.

use-cases/resilient-disbursement-rails.md (1)

91-91: LGTM!

Also applies to: 107-107

jurisdictions/de-eWpG.md (1)

14-18: LGTM!

approaches/approach-dvp-atomic-settlement.md (1)

40-52: LGTM!

Also applies to: 57-89, 94-180, 186-232

jurisdictions/int-banking-secrecy.md (1)

15-20: LGTM!

patterns/pattern-cross-chain-privacy-bridge.md (1)

101-101: LGTM!

approaches/approach-private-bonds.md (1)

233-237: 🎯 Functional Correctness

Verify the external support claims behind this default.

The recommendation leans on the Railgun volume figure, Paladin coverage, and PoC results across the IPTF implementations. Please confirm those facts still hold or add a source before keeping UTXO Shielded Notes as the default.

vendors/flashbots.md (1)

7-65: 📐 Maintainability & Code Quality | 🏗️ Heavy lift

Add the required ## CROPS profile table.

The vendor template requires product-level CROPS scores, and this rewrite does not include the table. Please add rows for Flashbots Auction and SUAVE before merging.

Source: Path instructions

jurisdictions/hk-crypto-licensing.md (1)

15-20: 📐 Maintainability & Code Quality | ⚡ Quick win

Use neutral wording for the regime summary.

“progressive regime” and “APAC institutional crypto hub” read as promotional; describe the licensing path and scope factually instead.

Source: Path instructions

approaches/approach-private-identity.md (1)

308-312: LGTM!

Also applies to: 318-324

jurisdictions/eu-data-protection.md (1)

15-26: LGTM!

Comment thread QA-AUDIT.md
@Meyanis95

Copy link
Copy Markdown
Collaborator Author

@rymnc @oskarth thanks for the comments. Should be ready for re-review.

@Meyanis95 Meyanis95 requested a review from rymnc July 1, 2026 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants