chore: sync from monorepo @35cafa4

[WomB0ComB0]

Automated sync from resq-software/resQ@35cafa4.

Review before merging — direct pushes to standalone repos are preserved.

Summary by CodeRabbit

• New Features

  • Added permit validation helper to check permit expiration status.

• Bug Fixes

  • Fixed syntax errors in error handling and validation logic.
  • Updated default access policy behavior for consistency.

• Tests

  • Cleaned up and refactored test files for improved maintainability.

• Chores

  • Removed obsolete security scanner configurations.
  • Simplified compiler lint attributes.
  • Reformatted code for consistency.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR performs workspace-wide cleanup and refactoring: removes OSV-Scanner vulnerability ignore configurations and gitignore entries, fixes syntax errors in error enums, refactors instruction handlers to use single-line require macros, adds an explicit AccessPolicy Default implementation and a Permit::is_active() helper, simplifies crate-level allow attributes, replaces .contains() range checks with direct comparisons, and condenses test code formatting without functional logic changes.

Changes

Security & Workspace Configuration Cleanup

Layer / File(s)	Summary
Gitignore .gitignore	Removed entries for target/, .anchor/, node_modules/, test-ledger/, \*.so, and .DS_Store.
OSV-Scanner Configuration osv-scanner.toml, vendor/solana-program-test/osv-scanner.toml	Deleted OSV-Scanner configuration files entirely, including all [[IgnoredVulns]] blocks and advisories.

resq-airspace Refactoring & Fixes

Layer / File(s)	Summary
Syntax Fixes resq-airspace/src/error.rs	Removed stray line-number artifacts in AirspaceError enum, restoring valid Rust syntax.
Default Implementation resq-airspace/src/state/airspace_account.rs	Replaced derived Default on AccessPolicy with explicit impl Default returning AccessPolicy::Open.
Helper Method resq-airspace/src/state/permit.rs	Added Permit::is_active(now: i64) -> bool to check permit validity against expiry timestamp.
Module Organization resq-airspace/src/state/mod.rs	Repositioned pub mod permit; relative to pub mod airspace_account;.
Instruction Handler Cleanup resq-airspace/src/instructions/grant_permit.rs, resq-airspace/src/instructions/update_treasury.rs, resq-airspace/src/instructions/initialize_property.rs	Reformatted multi-line require! macros to single-line calls; removed #[allow(clippy::too_many_arguments)] attribute; updated vertex_count validation from .contains() to direct comparisons.
Instruction Signature Refactoring resq-airspace/src/instructions/record_crossing.rs, resq-airspace/src/instructions/update_policy.rs	Reformatted parameter lists and range validations into multi-line layouts; adjusted coordinate validation from .contains() to explicit boolean expressions.
Crate Entrypoint resq-airspace/src/lib.rs	Reformatted transfer_ownership function signature to multi-line parameter layout; simplified crate-level allow attributes.
Test Cleanup resq-airspace/tests/host_init_regression.rs, resq-airspace/tests/integration.rs	Removed file-level #![allow(...)] lint suppressions; reorganized imports; inlined instruction/account construction; refactored record-crossing tests to reuse setup_open_airspace() helper; updated initialize_property_ix(...) calls to async/await.

resq-delivery Refactoring & Fixes

Layer / File(s)	Summary
Syntax Fixes resq-delivery/src/error.rs	Properly closed DeliveryError enum after TimestampInFuture variant with correct #[msg(...)] annotation.
Range Validation resq-delivery/src/instructions/record_delivery.rs	Replaced .contains() calls on range objects with direct inclusive comparisons (>= and <=) for latitude and longitude validation.
Crate-Level Attributes resq-delivery/src/lib.rs	Simplified crate-level #![allow(...)] to only #![allow(unexpected_cfgs)], removing previous clippy suppressions.
State & Module Organization resq-delivery/src/state/delivery_record.rs, resq-delivery/src/state/mod.rs, resq-delivery/src/instructions/mod.rs	Corrected closing braces in impl DeliveryRecord; repositioned module declarations.
Test Cleanup resq-delivery/tests/integration.rs	Removed file-level lint attributes; reorganized imports; condensed assertions and deserialization logic into single-line expressions without changing behavior.

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Whiskers twitching, code so clean,
Guardians of safety, now unseen—
Single lines where many stood,
Defaults explicit, ranges good.
Permit helpers now in place,
A cleaner, brighter codebase!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: sync from monorepo @35cafa4' clearly and concisely summarizes the main change—an automated synchronization from the monorepo at a specific commit hash. It is directly related to the changeset, which consists entirely of formatting, refactoring, and configuration updates synchronized from the upstream monorepo.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sync/monorepo-35cafa4

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces several regressions and maintenance issues. Key concerns include the removal of the .gitignore and osv-scanner.toml files, and the downgrade of the rand crate which re-exposes a known security vulnerability (RUSTSEC-2026-0097). Furthermore, removing Clippy allow attributes for functions with many arguments will likely break CI builds, and the change from idiomatic range checks to explicit comparisons is a step backward in code quality.

I am having trouble creating individual review comments. Click here to see my feedback.

Cargo.lock (155)

Downgrading rand from 0.8.6 to 0.8.5 (and 0.9.3 to 0.9.2 elsewhere in this file) appears to be a security regression. The osv-scanner.toml file being removed in this PR explicitly identifies 0.8.6 and 0.9.3 as the minimum fixed versions for an unsoundness issue (RUSTSEC-2026-0097). Reverting to older versions may re-expose the project to this vulnerability.

.gitignore (1-6)

The removal of the .gitignore file is a regression in repository maintenance. Without this file, build artifacts (target/), dependency directories (node_modules/), and OS-specific files (.DS_Store) will be tracked by Git, leading to cluttered commits and potential inclusion of large binaries in the repository history.

osv-scanner.toml (1-58)

The removal of osv-scanner.toml deletes the documented security context and rationales for ignoring specific vulnerabilities. This reduces the visibility of the project's security posture and may cause automated security scans to fail or become unmonitored without clear justification for existing issues.

resq-airspace/src/instructions/initialize_property.rs (55)

The handler function takes 9 arguments, which exceeds the default Clippy limit of 7. Removing this allow attribute, especially alongside the removal of the crate-level allow in lib.rs, will cause Clippy linting to fail in CI.

#[allow(clippy::too_many_arguments)]
pub fn handler(

resq-airspace/src/lib.rs (1)

Removing crate-level allow attributes for clippy::too_many_arguments and clippy::diverging_sub_expression is likely to break the build during linting. The project contains functions with more than 7 arguments (e.g., initialize_property::handler) and uses unreachable!() (e.g., in record_crossing::handler), both of which will trigger these lints.

#![allow(
    unexpected_cfgs,
    clippy::too_many_arguments,
    clippy::diverging_sub_expression
)]

resq-airspace/src/instructions/initialize_property.rs (69)

The change from (1..=8).contains(&vertex_count) to explicit comparison is less idiomatic in Rust. Using range methods is generally preferred for readability and clarity.

        (1..=8).contains(&vertex_count),

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

resq-delivery/tests/integration.rs (1)

266-330: ⚡ Quick win

Add exact-boundary cases for the inclusive GPS checks.

These tests only exercise out-of-range values. Since the handler change is specifically about inclusive bounds, add cases for ±900_000_000 latitude and ±1_800_000_000 longitude so a future >/< regression gets caught.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@resq-delivery/tests/integration.rs` around lines 266 - 330, Add
exact-boundary tests for the inclusive GPS checks: create additional test cases
(or extend test_rejects_latitude_out_of_range and
test_rejects_longitude_out_of_range) that call create_record_ix with latitude =
900_000_000 and latitude = -900_000_000, and longitude = 1_800_000_000 and
longitude = -1_800_000_000 (use the same delivery_pda/delivered_at, funding
transfer, and tx signing flow as the existing tests), then call
banks_client.process_transaction(tx).await and assert the transaction succeeds
(i.e., no unwrap_err) to ensure the handler accepts the inclusive bounds rather
than rejecting them.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@resq-airspace/src/instructions/record_crossing.rs`:
- Line 126: The permit validity check currently uses clock.unix_timestamp
(require!(permit.is_active(clock.unix_timestamp), ...)) which validates at
processing time and can reject delayed submissions; change the check to use the
recorded crossing time (crossed_at) instead (i.e., call
permit.is_active(crossed_at)) so permits are validated at crossing time; update
the require! invocation accordingly and ensure crossed_at is passed/available in
the same scope where permit.is_active is called.

In `@resq-delivery/tests/integration.rs`:
- Around line 382-384: The current assertion is too broad; tighten it to verify
the specific "account already in use" error by checking the error debug string
for the concrete variant name instead of the generic "InstructionError"
fallback. Replace the assert that checks for "InstructionError" with one that
asserts format!("{:?}", err) contains either "already in use" or the specific
variant string "AccountInUse" (or "AccountAlreadyInitialized" if that's the
variant used in this codebase) so the test proves the duplicate-delivery path
rather than any InstructionError.

---

Nitpick comments:
In `@resq-delivery/tests/integration.rs`:
- Around line 266-330: Add exact-boundary tests for the inclusive GPS checks:
create additional test cases (or extend test_rejects_latitude_out_of_range and
test_rejects_longitude_out_of_range) that call create_record_ix with latitude =
900_000_000 and latitude = -900_000_000, and longitude = 1_800_000_000 and
longitude = -1_800_000_000 (use the same delivery_pda/delivered_at, funding
transfer, and tx signing flow as the existing tests), then call
banks_client.process_transaction(tx).await and assert the transaction succeeds
(i.e., no unwrap_err) to ensure the handler accepts the inclusive bounds rather
than rejecting them.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4ecab411-7c28-4cac-9838-4dcc9c0349af

📥 Commits

Reviewing files that changed from the base of the PR and between 2ce6f0e and a5ead01.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (22)

• .gitignore
• osv-scanner.toml
• resq-airspace/src/error.rs
• resq-airspace/src/instructions/grant_permit.rs
• resq-airspace/src/instructions/initialize_property.rs
• resq-airspace/src/instructions/record_crossing.rs
• resq-airspace/src/instructions/update_policy.rs
• resq-airspace/src/instructions/update_treasury.rs
• resq-airspace/src/lib.rs
• resq-airspace/src/state/airspace_account.rs
• resq-airspace/src/state/mod.rs
• resq-airspace/src/state/permit.rs
• resq-airspace/tests/host_init_regression.rs
• resq-airspace/tests/integration.rs
• resq-delivery/src/error.rs
• resq-delivery/src/instructions/mod.rs
• resq-delivery/src/instructions/record_delivery.rs
• resq-delivery/src/lib.rs
• resq-delivery/src/state/delivery_record.rs
• resq-delivery/src/state/mod.rs
• resq-delivery/tests/integration.rs
• vendor/solana-program-test/osv-scanner.toml

💤 Files with no reviewable changes (3)

• vendor/solana-program-test/osv-scanner.toml
• osv-scanner.toml
• .gitignore

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate permit at crossing time, not processing time.

Line 126 checks permit activity against clock.unix_timestamp, but Lines 88-93 explicitly allow delayed submissions using crossed_at. A permit that was valid at crossing time can be wrongly rejected if it expires before processing.

Suggested fix

-            require!(permit.is_active(clock.unix_timestamp), AirspaceError::PermitExpired);
+            require!(permit.is_active(crossed_at), AirspaceError::PermitExpired);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	require!(permit.is_active(clock.unix_timestamp), AirspaceError::PermitExpired);
	require!(permit.is_active(crossed_at), AirspaceError::PermitExpired);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@resq-airspace/src/instructions/record_crossing.rs` at line 126, The permit
validity check currently uses clock.unix_timestamp
(require!(permit.is_active(clock.unix_timestamp), ...)) which validates at
processing time and can reject delayed submissions; change the check to use the
recorded crossing time (crossed_at) instead (i.e., call
permit.is_active(crossed_at)) so permits are validated at crossing time; update
the require! invocation accordingly and ensure crossed_at is passed/available in
the same scope where permit.is_active is called.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Tighten the duplicate-delivery assertion.

The InstructionError fallback is broad enough to hide unrelated failures, so this test can pass without proving the account-already-in-use path.

Suggested tightening

-    assert!(format!("{:?}", err).contains("already in use") || format!("{:?}", err).contains("InstructionError"));
+    let err_str = format!("{:?}", err);
+    assert!(
+        err_str.contains("already in use"),
+        "unexpected duplicate-delivery error: {err_str}",
+    );

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	let err = banks_client.process_transaction(tx2).await.unwrap_err();
	// Anchor initialization failure
	assert!(
	format!("{:?}", err).contains("already in use")
	|| format!("{:?}", err).contains("InstructionError")
	);
	assert!(format!("{:?}", err).contains("already in use") || format!("{:?}", err).contains("InstructionError"));
	let err = banks_client.process_transaction(tx2).await.unwrap_err();
	// Anchor initialization failure
	let err_str = format!("{:?}", err);
	assert!(
	err_str.contains("already in use"),
	"unexpected duplicate-delivery error: {err_str}",
	);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@resq-delivery/tests/integration.rs` around lines 382 - 384, The current
assertion is too broad; tighten it to verify the specific "account already in
use" error by checking the error debug string for the concrete variant name
instead of the generic "InstructionError" fallback. Replace the assert that
checks for "InstructionError" with one that asserts format!("{:?}", err)
contains either "already in use" or the specific variant string "AccountInUse"
(or "AccountAlreadyInitialized" if that's the variant used in this codebase) so
the test proves the duplicate-delivery path rather than any InstructionError.