contracts/L2/scripts/deploy_l2.ts (1)

14-16: RPC defaults updated to v0_8 are appropriate; consider tightening devnet URL and adding a chain sanity check.

• Good update to v0_8 endpoints for sepolia/mainnet.
• Optional: Devnet often expects the /rpc path; using it avoids 404s on some builds.
• Optional: Log chainId early to fail fast if a wrong RPC is supplied.

Apply this minimal tweak if you want the devnet default to be explicit:

 const DEFAULT_RPC_URLS = {
-    sepolia: "https://starknet-sepolia.public.blastapi.io/rpc/v0_8",
-    mainnet: "https://starknet-mainnet.public.blastapi.io/rpc/v0_8", 
-    devnet: "http://127.0.0.1:5050"
+    sepolia: "https://starknet-sepolia.public.blastapi.io/rpc/v0_8",
+    mainnet: "https://starknet-mainnet.public.blastapi.io/rpc/v0_8",
+    devnet: "http://127.0.0.1:5050/rpc"
 };

If you decide to add a chain sanity check (outside this hunk), you can do:

// After constructing provider
const { chainId } = await provider.getChainId();
console.log(`Connected to chainId: ${chainId}`);

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

contracts/L2/README.md (2)

62-63: RPC bump to v0_8 looks good, but .env example still shows v0_7 — please align.

Default RPC URLs are now v0_8. The “Environment Setup” example earlier still uses /v0_7, which can mislead deployers.

Update the .env snippet to v0_8 (illustrative snippet):

# Starknet Configuration
STARKNET_PRIVATE_KEY=your_private_key_here
STARKNET_ACCOUNT_ADDRESS=your_account_address_here
STARKNET_RPC_URL=https://starknet-sepolia.public.blastapi.io/rpc/v0_8

---

71-77: Verified consistency of deployed addresses – All four contract addresses in contracts/L2/README.md match those in contracts/L2/scripts/deployments-sepolia.json, so there’s no drift at the moment.

You may still want to automate or simplify this section to prevent future mismatches:

• Option 1: Generate the markdown table (or list) directly from deployments-sepolia.json in CI (e.g. via a small script) so it’s always up to date.
• Option 2: Link to the JSON file and include only a brief summary in the README (for example, “See the full list of deployed addresses in deployments-sepolia.json”).

contracts/L2/abi/ProofRegistry.abi.json (1)

21-77: Confirm external mutator access policy for register_deposit_proof.

ABI alone doesn’t convey authorization. If anyone can call and write the same commitment twice, ensure idempotency and proper revert on conflicts. If restricted, please confirm the guard (e.g., proof submitter allowlist).

contracts/L2/abi/L2Oracle.abi.json (1)

35-79: Please confirm only-owner enforcement on setters.

Given set_total_tvl and set_relayer are external, verify the implementation enforces onlyOwner (or equivalent) and emits the corresponding events consistently.

contracts/L2/abi/xZBERC20.abi.json (1)

118-121: AccessControl and ERC20 mixins present — verify mint/burn gating matches bridge design.

Please confirm:

• mint is restricted to the bridge (or a dedicated MINTER_ROLE),
• burn is restricted appropriately (caller’s own balance vs. bridge-controlled burn-from),
• set_bridge_address is owner- or admin-only.

Also applies to: 355-549

contracts/L2/scripts/deployments-sepolia.json (1)

1-33: Consider adding metadata for reproducibility and CI drift checks.

Optional enhancements:

• Add compilerVersion and cairo/oz component versions used,
• Add abiSaved: true and abiCommit hash to tie ABIs to deployments,
• Add a simple schemaVersion field.

contracts/L2/scripts/deploy_l2.ts (7)

19-21: Make state/config file paths deterministic regardless of cwd.

getConfigFilename/getDeploymentsFilename return relative scripts/*.json, which depends on process cwd. Running the CLI from repo root will write to ./scripts instead of contracts/L2/scripts.

-const getConfigFilename = (network: string) => `scripts/.deploy-config-${network}.json`;
-const getDeploymentsFilename = (network: string) => `scripts/deployments-${network}.json`;
+const getConfigFilename = (network: string) =>
+  path.join(__dirname, `.deploy-config-${network}.json`);
+const getDeploymentsFilename = (network: string) =>
+  path.join(__dirname, `deployments-${network}.json`);

save/load functions already ensure directories; this change makes outputs consistently land under contracts/L2/scripts/.

Also applies to: 153-170, 190-199

---

283-285: Use utf8 when reading JSON files.

toString("ascii") risks mangling non-ASCII characters. utf8 is standard and safer for JSON.

-const sierraContract = json.parse(fs.readFileSync(sierraPath).toString("ascii"));
-const casmContract = json.parse(fs.readFileSync(casmPath).toString("ascii"));
+const sierraContract = json.parse(fs.readFileSync(sierraPath, "utf8"));
+const casmContract = json.parse(fs.readFileSync(casmPath, "utf8"));

---

301-317: Broaden "already declared" handling to be more robust.

Relying on error.message string matching is brittle. starknet.js can surface provider error structures with different wording.

• Check for error.code/classAlreadyDeclared-like markers if present (e.g., error.response?.data?.error?.code).
• As a fallback, if declare fails, query getClassByHash to confirm existence and proceed.

If you want, I can draft a helper normalizeStarknetError(e) to centralize this.

---

531-541: Optional: reuse the existing provider via account.provider.

You don’t need to instantiate an extra RpcProvider in declareAndDeploy; account.provider implements getClassAt.

-const rpc = new RpcProvider({ nodeUrl: config.starknetRpcUrl! });
-const { abi } = await rpc.getClassAt(address);
+// Reuse the existing provider
+const { abi } = await (account as any).provider.getClassAt(address);

If you prefer type safety, type the provider as ProviderInterface.

---

500-527: Post-deploy relationship setup — LGTM with a minor improvement.

execute + wait is correct. Consider also logging the transaction hash to aid debugging and explorers.

- spinner.info("Bridge address set in xZBERC20 contract");
+ spinner.info(`Bridge address set in xZBERC20 contract (tx: ${response.transaction_hash})`);

---

590-602: Interactive flows are fine; consider a non-interactive mode for CI.

You already support --no-config. A future enhancement is to accept all config via env/flags to run headless in CI, skipping ask() prompts.

If useful, I can add a --ci flag that forces defaults/envs and errors out if required values are missing instead of prompting.

Also applies to: 607-627, 632-643

---

581-585: Tiny UX nit: use path.resolve for displayed filenames.

Printing absolute paths reduces confusion about where files were written if cwd varies.

- console.log(`💾 Deployment state saved to: ${deploymentsFilename}`);
- console.log(`⚙️  Configuration saved to: ${configFilename}\n`);
+ console.log(`💾 Deployment state saved to: ${path.resolve(deploymentsFilename)}`);
+ console.log(`⚙️  Configuration saved to: ${path.resolve(configFilename)}\n`);

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.