feat(protocol-contracts): add task:acceptOwnership on Safe (#1290)

* feat(protocol-contracts): add task:acceptOwnership on Safe

* revert(protocol-contracts): unwanted deployer wallet changes

* chore(protocol-contracts): remove governance_deployer from required config

* chore(protocol-contracts): minor naming changes

Author: enitrat

protocol-contracts/deployment-cli/.env.example

@@ -5,7 +5,7 @@
 # ================================================
 # Wallet Configuration
 # ================================================
-# Private keys for protocol deployment and contract deployment
+# Private keys for protocol deployment and governance contracts deployment
 PROTOCOL_DEPLOYER_PRIVATE_KEY=0x...
 DEPLOYER_PRIVATE_KEY=0x...
 

protocol-contracts/deployment-cli/deployment-state/deployment-config.yaml

@@ -27,12 +27,12 @@ networks:
       layerzero_config: "layerzero.config.testnet.ts"  # LayerZero config file for this environment
 
 wallets:
-  governance_deployer:
-    description: "Governance deployer (deploys Aragon DAO, only exists during Phase 1)"
-    private_key_env: "GOVERNANCE_DEPLOYER_PRIVATE_KEY"
   protocol_deployer:
     description: "Protocol deployer (owns governance until DAO takes over)"
     private_key_env: "PROTOCOL_DEPLOYER_PRIVATE_KEY"
+  deployer:
+    description: "Deployer for gateway and host contracts"
+    private_key_env: "DEPLOYER_PRIVATE_KEY"
 
 operators:
   - name: "Operator 1"

protocol-contracts/deployment-cli/src/config/schema.ts

@@ -214,8 +214,8 @@ export const DeploymentConfigSchema = z.object({
             "At least one network environment must be defined",
         ),
     wallets: z.object({
-        governance_deployer: WalletSchema,
         protocol_deployer: WalletSchema,
+        deployer: WalletSchema,
     }),
     operators: z.array(OperatorSchema).min(1),
     protocol: ProtocolSchema,

protocol-contracts/deployment-cli/src/steps/step-02-safe.ts

@@ -18,33 +18,36 @@ export class Step02Safe extends BaseStep {
         ctx: DeploymentContext,
     ): Promise<StepExecutionResult> {
         const gateway = ctx.networks.getGateway();
-        const deployerPk = ctx.env.resolveWalletPrivateKey("protocol_deployer");
+        const protocolDeployerPk =
+            ctx.env.resolveWalletPrivateKey("protocol_deployer");
         const projectRoot = resolveProjectRoot();
         const reader = new TaskOutputReader(projectRoot);
 
         const baseEnv = ctx.env.buildTaskEnv({
-            PRIVATE_KEY: deployerPk,
+            PRIVATE_KEY: protocolDeployerPk,
             RPC_URL_ZAMA_GATEWAY_TESTNET: gateway.rpcUrl,
         });
 
         // Check if Safe is already deployed
         const taskOutput = new TaskOutputReader(projectRoot);
-        let safeAddress: string | undefined;
+        let safeProxyAddress: string | undefined;
         try {
-            safeAddress = taskOutput.readHardhatDeployment(
+            safeProxyAddress = taskOutput.readHardhatDeployment(
                 this.pkgName,
                 gateway.name,
                 "SafeL2Proxy",
             );
         } catch (_error) {
-            safeAddress = undefined;
+            safeProxyAddress = undefined;
         }
 
-        if (safeAddress) {
+        if (safeProxyAddress) {
             ctx.logger.info(
                 "Safe artifact found, reading existing deployment...",
             );
-            ctx.logger.success(`Using existing Safe proxy at ${safeAddress}`);
+            ctx.logger.success(
+                `Using existing Safe proxy at ${safeProxyAddress}`,
+            );
         } else {
             // Compile before deploying
             ctx.logger.info("Compiling Safe contracts...");
@@ -64,16 +67,22 @@ export class Step02Safe extends BaseStep {
                 env: baseEnv,
             });
 
-            safeAddress = reader.readHardhatDeployment(
+            safeProxyAddress = reader.readHardhatDeployment(
                 this.pkgName,
                 gateway.name,
                 "SafeL2Proxy",
             );
-            ctx.logger.success(`Deployed Safe proxy at ${safeAddress}`);
+            ctx.logger.success(`Deployed Safe proxy at ${safeProxyAddress}`);
         }
-
+        const safeAddress = reader.readHardhatDeployment(
+            this.pkgName,
+            gateway.name,
+            "SafeL2",
+        );
+        ctx.env.recordAddress("SAFE_ADDRESS", safeAddress, this.id);
         return {
             addresses: {
+                SAFE_PROXY_ADDRESS: safeProxyAddress,
                 SAFE_ADDRESS: safeAddress,
             },
             notes: [
@@ -85,14 +94,13 @@ export class Step02Safe extends BaseStep {
 
     protected async verifyDeployments(
         ctx: DeploymentContext,
-        result: StepExecutionResult,
+        _result: StepExecutionResult,
     ): Promise<void> {
         const gateway = ctx.networks.getGateway();
-        const deployerPk = ctx.env.resolveWalletPrivateKey("protocol_deployer");
-        const safeAddress = result.addresses?.SAFE_ADDRESS;
-
+        const protocolDeployerPk =
+            ctx.env.resolveWalletPrivateKey("protocol_deployer");
         const baseEnv = ctx.env.buildTaskEnv({
-            PRIVATE_KEY: deployerPk,
+            PRIVATE_KEY: protocolDeployerPk,
             RPC_URL_ZAMA_GATEWAY_TESTNET: gateway.rpcUrl,
         });
 
@@ -109,6 +117,9 @@ export class Step02Safe extends BaseStep {
             ctx.logger.warn(
                 "Safe verification failed (this may be acceptable if already verified)",
             );
+            ctx.logger.error(
+                _error instanceof Error ? _error.message : String(_error),
+            );
         }
 
         // AdminModule verification is performed in Step 03 after it is deployed with the correct ADMIN_ACCOUNT (receiver)

protocol-contracts/deployment-cli/src/steps/step-03-layerzero.ts

@@ -22,7 +22,7 @@ export class Step03LayerzeroLink extends BaseStep {
 
     protected async validate(ctx: DeploymentContext): Promise<void> {
         const dao = ctx.env.getAddress("DAO_ADDRESS");
-        const safe = ctx.env.getAddress("SAFE_ADDRESS");
+        const safe = ctx.env.getAddress("SAFE_PROXY_ADDRESS");
 
         if (!dao) {
             throw new ValidationError(
@@ -43,9 +43,9 @@ export class Step03LayerzeroLink extends BaseStep {
         const gatewayNetwork = ctx.networks.getGateway();
         const protocolPk = ctx.env.resolveWalletPrivateKey("protocol_deployer");
         const daoAddress = ctx.env.getAddress("DAO_ADDRESS");
-        const safeAddress = ctx.env.getAddress("SAFE_ADDRESS");
+        const safeProxyAddress = ctx.env.getAddress("SAFE_PROXY_ADDRESS");
 
-        if (!daoAddress || !safeAddress) {
+        if (!daoAddress || !safeProxyAddress) {
             throw new ValidationError(
                 "DAO and Safe addresses are required before executing Step 3.",
             );
@@ -56,7 +56,7 @@ export class Step03LayerzeroLink extends BaseStep {
             SEPOLIA_RPC_URL: ethereumNetwork.rpcUrl,
             RPC_URL_ZAMA_GATEWAY_TESTNET: gatewayNetwork.rpcUrl,
             DAO_ADDRESS: daoAddress,
-            SAFE_ADDRESS: safeAddress,
+            SAFE_PROXY_ADDRESS: safeProxyAddress,
             ETHERSCAN_API: ethereumNetwork.explorerApiKey,
             BLOCKSCOUT_API: gatewayNetwork.blockscoutApiUrl,
         });
@@ -124,7 +124,7 @@ export class Step03LayerzeroLink extends BaseStep {
             PRIVATE_KEY: protocolPk,
             RPC_URL_ZAMA_GATEWAY_TESTNET: gatewayNetwork.rpcUrl,
             ADMIN_ADDRESS: receiverAddress,
-            SAFE_ADDRESS: safeAddress,
+            SAFE_PROXY_ADDRESS: safeProxyAddress,
         });
         await ctx.hardhat.runTask({
             pkg: "protocol-contracts/safe",
@@ -205,7 +205,7 @@ export class Step03LayerzeroLink extends BaseStep {
             `Transferring GovernanceOAppSender ownership to DAO (${daoAddress}) and...`,
         );
         ctx.logger.info(
-            `Transferring GovernanceOAppReceiver ownership to Safe (${safeAddress})...`,
+            `Transferring GovernanceOAppReceiver ownership to Safe (${safeProxyAddress})...`,
         );
         await ctx.hardhat.runTask({
             pkg: this.pkgName,
@@ -236,14 +236,14 @@ export class Step03LayerzeroLink extends BaseStep {
         const networkEnvironment = ctx.networks.getSelectedEnvironment();
         const protocolPk = ctx.env.resolveWalletPrivateKey("protocol_deployer");
         const daoAddress = ctx.env.getAddress("DAO_ADDRESS");
-        const safeAddress = ctx.env.getAddress("SAFE_ADDRESS");
+        const safeProxyAddress = ctx.env.getAddress("SAFE_PROXY_ADDRESS");
 
         const baseEnv = ctx.env.buildTaskEnv({
             PRIVATE_KEY: protocolPk,
             SEPOLIA_RPC_URL: ethereumNetwork.rpcUrl,
             RPC_URL_ZAMA_GATEWAY_TESTNET: gatewayNetwork.rpcUrl,
             DAO_ADDRESS: daoAddress,
-            SAFE_ADDRESS: safeAddress,
+            SAFE_PROXY_ADDRESS: safeProxyAddress,
             ETHERSCAN_API: ethereumNetwork.explorerApiKey,
             BLOCKSCOUT_API: gatewayNetwork.blockscoutApiUrl,
         });

protocol-contracts/deployment-cli/src/steps/step-04-token.ts

@@ -29,8 +29,8 @@ export class Step04TokenDeployment extends BaseStep {
         if (!receiver) {
             throw new ValidationError("DAO address is required before Step 4.");
         }
-        const safeAddress = ctx.env.getAddress("SAFE_ADDRESS");
-        if (!safeAddress) {
+        const safeProxyAddress = ctx.env.getAddress("SAFE_PROXY_ADDRESS");
+        if (!safeProxyAddress) {
             throw new ValidationError(
                 "Safe address is required before Step 4.",
             );
@@ -44,9 +44,9 @@ export class Step04TokenDeployment extends BaseStep {
         const gateway = ctx.networks.getGateway();
         const protocolPk = ctx.env.resolveWalletPrivateKey("protocol_deployer");
         const daoAddress = ctx.env.getAddress("DAO_ADDRESS");
-        const safeAddress = ctx.env.getAddress("SAFE_ADDRESS");
+        const safeProxyAddress = ctx.env.getAddress("SAFE_PROXY_ADDRESS");
 
-        if (!daoAddress || !safeAddress) {
+        if (!daoAddress || !safeProxyAddress) {
             throw new ValidationError(
                 "Required prerequisite addresses missing before token deployment.",
             );
@@ -59,7 +59,7 @@ export class Step04TokenDeployment extends BaseStep {
             SEPOLIA_RPC_URL: ethereum.rpcUrl,
             RPC_URL_ZAMA_GATEWAY_TESTNET: gateway.rpcUrl,
             DAO_ADDRESS: daoAddress,
-            SAFE_ADDRESS: safeAddress,
+            SAFE_PROXY_ADDRESS: safeProxyAddress,
             NUM_INITIAL_RECEIVERS: recipients.length.toString(),
         };
 
@@ -132,7 +132,7 @@ export class Step04TokenDeployment extends BaseStep {
                 task: "zama:oft:setDelegate",
                 args: [
                     "--address",
-                    safeAddress,
+                    safeProxyAddress,
                     "--from-deployment",
                     "true",
                     "--network",
@@ -143,7 +143,7 @@ export class Step04TokenDeployment extends BaseStep {
                 task: "zama:oft:transferOwnership",
                 args: [
                     "--address",
-                    safeAddress,
+                    safeProxyAddress,
                     "--from-deployment",
                     "true",
                     "--network",
@@ -175,15 +175,13 @@ export class Step04TokenDeployment extends BaseStep {
         const gateway = ctx.networks.getGateway();
         const protocolPk = ctx.env.resolveWalletPrivateKey("protocol_deployer");
         const daoAddress = ctx.env.getAddress("DAO_ADDRESS");
-        const safeAddress = ctx.env.getAddress("SAFE_ADDRESS");
 
         const baseEnv = ctx.env.buildTaskEnv({
             PRIVATE_KEY: protocolPk,
             INITIAL_ADMIN: ctx.config.wallets.protocol_deployer.address,
             SEPOLIA_RPC_URL: ethereum.rpcUrl,
             RPC_URL_ZAMA_GATEWAY_TESTNET: gateway.rpcUrl,
             DAO_ADDRESS: daoAddress,
-            SAFE_ADDRESS: safeAddress,
             ETHERSCAN_API: ethereum.explorerApiKey,
             BLOCKSCOUT_API: gateway.blockscoutApiUrl,
         });

protocol-contracts/deployment-cli/src/steps/step-06-gateway-contracts.ts

@@ -34,7 +34,7 @@ export class Step06GatewayContracts extends BaseStep {
         ctx: DeploymentContext,
     ): Promise<StepExecutionResult> {
         const gateway = ctx.networks.getGateway();
-        const deployerPk = ctx.env.resolveWalletPrivateKey("protocol_deployer");
+        const deployerPk = ctx.env.resolveWalletPrivateKey("deployer");
 
         // Build environment variables from config
         const baseEnvVars: Record<string, string> = {
@@ -187,7 +187,7 @@ export class Step06GatewayContracts extends BaseStep {
 
     protected async verifyDeployments(ctx: DeploymentContext): Promise<void> {
         const gateway = ctx.networks.getGateway();
-        const deployerPk = ctx.env.resolveWalletPrivateKey("protocol_deployer");
+        const deployerPk = ctx.env.resolveWalletPrivateKey("deployer");
 
         const baseEnvVars: Record<string, string> = {
             DEPLOYER_PRIVATE_KEY: deployerPk,

protocol-contracts/deployment-cli/src/steps/step-07-host-contracts.ts

@@ -22,7 +22,7 @@ export class Step07HostContracts extends BaseStep {
     ): Promise<StepExecutionResult> {
         const ethereum = ctx.networks.getEthereum();
         const gateway = ctx.networks.getGateway();
-        const deployerPk = ctx.env.resolveWalletPrivateKey("protocol_deployer");
+        const deployerPk = ctx.env.resolveWalletPrivateKey("deployer");
 
         const gatewayProvider = new ethers.JsonRpcProvider(gateway.rpcUrl);
         const gatewayNetwork = await gatewayProvider.getNetwork();
@@ -133,7 +133,7 @@ export class Step07HostContracts extends BaseStep {
     protected async verifyDeployments(ctx: DeploymentContext): Promise<void> {
         const ethereum = ctx.networks.getEthereum();
         const gateway = ctx.networks.getGateway();
-        const deployerPk = ctx.env.resolveWalletPrivateKey("protocol_deployer");
+        const deployerPk = ctx.env.resolveWalletPrivateKey("deployer");
 
         const gatewayProvider = new ethers.JsonRpcProvider(gateway.rpcUrl);
         const gatewayNetwork = await gatewayProvider.getNetwork();