Op tooling for pre-jovian (v4) & jovian (v5).

[Mc01]

Description

Adds op-deployer v4 tooling for the pre-Jovian upgrade (v4.1.0) and v5 tooling for the Jovian upgrade (v5.0.0/U17), reorganizes the existing op-deployer scripts into versioned subdirectories, and introduces the x-ray web dashboard for inspecting OP Stack contract versions, implementations, and state across networks. Previously, all op-deployer scripts lived flat under op-deployer/; they are now organized as op-deployer/v3/, op-deployer/v4/, and op-deployer/v5/.

The v4 scripts target chaos, sepolia, and mainnet networks (replacing the deprecated alfajores/baklava testnets), introduce new bootstrap flags (--superchain-proxy-admin, --challenger), use MIPS v7, and simplify the upgrade pipeline by removing the bootstrap-validator.sh step.

The v5 scripts build on v4 with updated prestate hash (0x03caa187...), MIPS v8, the renamed --l1-proxy-admin-owner flag, and optional contract verification support via VERIFIER_API_KEY env var (--verify --verifier-api-key). The upgrade config interface is identical to v4 (both delegate to the v2.0.0 UpgradeOPChainInput struct).

Also adds new Safe multisig scripts for DisputeGameFactory pruning, AnchorStateRegistry retirement, SystemConfig ownership transfer, and CeloSuperchainConfig deployment/upgrade — all following the getTransactionHash() / execTransaction() two-step pattern.

Other changes

• exec/exec-v2v3.sh: Now accepts a version argument (v2 or v3) instead of running both upgrades in sequence
• exec/exec-jovian-sepolia.sh: New — Executes OPCM upgrade transactions on Celo Sepolia through the Jovian-era Safe multisig chain (2-of-2: cLabs + Council, no Grand Child). Accepts version argument (v4, v5, or succinct-v2) with hardcoded nonces, target addresses, and signatures per version.
• x-ray/: New — Vercel-hosted web dashboard for inspecting OP Stack contract state across networks. Shows proxy/implementation addresses, version strings, ownership, dispute game details (type 1 PermissionedGame + type 42 OPSuccinctGame), and cross-reference validation. Includes light/dark mode, side navigation, and unified chain-pointer property display.
• fork/fork_l1.sh: Removed Holesky network support (only mainnet and sepolia remain); supports RPC_URL directly with ALCHEMY_API_KEY as optional fallback
• fork/mock-sepolia.sh: New — Prepares forked testnet environment for Jovian upgrade testing. Fixes SuperchainConfig proxy admin slot, transfers ownership of ProxyAdmin/SystemConfig/DisputeGameFactory/DelayedWETH/ProtocolVersions to the network's deployed Safe via impersonation. Supports sepolia and chaos networks.
• op-deployer/v3/bootstrap.sh: Replaced alfajores/baklava network configs with sepolia; updated config file paths from ./op-deployer/ to ./ to reflect the new directory structure
• op-deployer/v3/bootstrap-validator.sh, upgrade.sh, run_upgrade.sh: Updated internal paths from ./op-deployer/ to ./
• op-deployer/v4/ and op-deployer/v5/: Added chaos network support (multisig address, proxy addresses, upgradeSuperchainConfig=true)
• op-deployer/v5/bootstrap.sh: Fixed unquoted $VERIFIER_API_KEY in the empty-check ([ -z "$VERIFIER_API_KEY" ]) and in the --verifier-api-key argument to prevent incorrect branch evaluation when the variable is empty
• impls/DeployMIPS.sol: Renamed to DeployMIPS.s.sol (correct Foundry script naming convention)
• impls/DeployCeloConfigImpl.s.sol: New — Deploys CeloSuperchainConfig implementation using deterministic deployment (DeployUtils.createDeterministic)
• impls/SafeSetCeloConfig.s.sol: New — Upgrades CeloSuperchainConfig proxy to a new implementation via Safe multisig + ProxyAdmin
• scripts/MigrateOwnershipToSafe.s.sol: New — Foundry script that migrates OP Stack L1 contract ownership from an EOA to a Gnosis Safe. Performs ProxyAdmin, SystemConfig, DisputeGameFactory ownership transfers + SuperchainConfig proxy admin migration in a single broadcast. Currently supports chaos network.
• scripts/migrate-ownership-to-safe.sh: New — Shell wrapper for the migration script with env var validation; shebang corrected to #!/usr/bin/env bash to support bash-specific features (local, indirect expansion, set -o pipefail)
• scripts/SafePruneGamesFromStorage.s.sol: New — Safe multisig script to prune games from DisputeGameFactory storage. Deploys DisputeGameFactoryPrunner via CREATE2, performs upgradeAndCall to prune, then restores original impl. Includes MAX_PRUNE=500 limit. SIG defaults to empty bytes so MissingSignatures() guard fires correctly when no signature is provided.
• scripts/SafeResetAnchorGame.s.sol: New — Safe multisig version of ResetAnchorGame for resetting anchor state via Safe transaction. SIG defaults to empty bytes.
• scripts/SafeRetireASR.s.sol: New — Retires the AnchorStateRegistry via Safe transaction by writing retirementTimestamp into packed storage slot 6, preserving respectedGameType. SIG defaults to empty bytes.
• scripts/SafeSystemConfigOwner.s.sol: New — Transfers SystemConfig ownership via Safe transaction (transferOwnership call, with pre/post verification). SIG defaults to empty bytes.
• verify/verify-versions.sh: New — Comprehensive OP Stack contract diagnostic tool. Shows proxy/implementation addresses, version strings, ownership, dispute game implementations, and a color-coded upgrade status matrix (v3/Isthmus → v4.1.0/pre-Jovian → v5.0.0/Jovian). Supports sepolia, chaos, and mainnet.
• safe/: Removed safe/ directory entirely (queue-safe.sh + README) — no longer needed

Tested

These are shell scripts, Foundry scripts, and documentation changes — no unit tests apply. The scripts have been validated structurally (correct env var checks, proper network/version case statements, valid contract addresses). The Jovian upgrade has been executed on the Chaos testnet using the v5 scripts with mock-sepolia.sh for environment preparation. The x-ray dashboard has been deployed to Vercel and verified against all three networks (sepolia, chaos, mainnet).

Backwards compatibility

Not backwards compatible for consumers of the flat op-deployer/ script paths — scripts have moved from op-deployer/bootstrap.sh to op-deployer/v3/bootstrap.sh (and similarly for other v3 scripts). The safe/ directory has been removed entirely. exec-v2v3.sh now requires a version argument (v2 or v3) — previously it ran both in sequence. Internal paths within scripts have been updated accordingly, so running scripts from within their version directories works correctly.

Documentation

• packages/op-tooling/README.md — Updated op-deployer entry to reference versioned subdirectories; removed safe/ entry; added x-ray entry
• packages/op-tooling/op-deployer/README.md — Rewritten as high-level overview with version table linking to v3, v4, and v5; added chaos network to v4/v5 rows
• packages/op-tooling/op-deployer/v3/README.md — New: Detailed docs for v2.0.0/v3.0.0 upgrade scripts
• packages/op-tooling/op-deployer/v4/README.md — New: Detailed docs for v4.1.0 upgrade scripts, including comparison table vs v3; documents chaos network
• packages/op-tooling/op-deployer/v5/README.md — New: Detailed docs for v5.0.0 upgrade scripts, including comparison table vs v4, verification support; documents chaos network
• packages/op-tooling/fork/README.md — Updated: removed Holesky, documented RPC_URL support, replaced Alfajores with Celo Sepolia; added mock-sepolia.sh documentation
• packages/op-tooling/exec/README.md — Updated: added exec-jovian-sepolia.sh and exec-succinct.sh documentation; updated exec-v2v3.sh docs to reflect version argument; added Succinct execution flow
• packages/op-tooling/impls/README.md — Updated: fixed DeployMIPS.sol → DeployMIPS.s.sol heading; added DeployCeloConfigImpl.s.sol and SafeSetCeloConfig.s.sol documentation
• packages/op-tooling/verify/README.md — Updated: replaced Baklava/Alfajores references with Sepolia; added verify-versions.sh documentation
• packages/op-tooling/scripts/README.md — Updated: added MigrateOwnershipToSafe.s.sol, migrate-ownership-to-safe.sh, SafePruneGamesFromStorage.s.sol, SafeResetAnchorGame.s.sol, SafeRetireASR.s.sol, and SafeSystemConfigOwner.s.sol documentation
• packages/op-tooling/safe/README.md — Removed (directory deleted)

[Mc01]

@copilot please review 🙏

[Copilot]

@copilot please review 🙏

Here's the review of the PR changes. Overall the work is well-structured and the upgrade pipeline is sound. A few observations:

Bug / Correctness

1. scripts/SafeResetAnchorGame.s.sol — stale comment (line 135): The inline comment reads "swap to StorageSetter and set slot 3 to new anchor game", but ANCHOR_GAME_SLOT = 2 and the header comment on lines 25-26 explicitly says v3.5.0 puts anchorGame at slot 2. The comment should say "slot 2".

2. scripts/SafePruneGamesFromStorage.s.sol — MissingSignatures() is dead code: vm.envOr("SIG", bytes(hex"00")) returns a 1-byte 0x00 when SIG is absent, so config.signatures.length is 1, never 0. The same pattern appears in SafeRetireASR, SafeResetAnchorGame, and SafeSetCeloConfig. The guard should be config.signatures.length <= 1 (or check against the sentinel) to actually catch the "no sig" case before execTransaction reverts inside Safe.

Consistency / Naming

3. exec-jovian-sepolia.sh vs exec-jovian.sh — version token mismatch: Sepolia uses succinct-v2; mainnet uses succ-v2. The README documents each script correctly, but users context-switching between the two may be confused. Worth aligning on one name.

4. verify/verify-versions.sh Chaos addresses differ from all other files: SYSTEM_CONFIG_PROXY is 0x624c… here vs 0x6baf… everywhere else (config.js, v4/bootstrap.sh, mock-sepolia.sh). If this is an intentional "old deployment" snapshot for diagnostic reference that's fine — a comment explaining the discrepancy would help.

Minor

5. impls/SafeSetCeloConfig.s.sol — no post-exec verification: All peer scripts (SafeRetireASR, SafeResetAnchorGame, SafeSystemConfigOwner) verify state after execTransaction. SafeSetCeloConfig logs the tx but doesn't confirm the new implementation is in place.

6. MigrateOwnershipToSafe.s.sol line 229 — comment says // 6. EIP-1967 admin verification but that's the 7th check in _preflight. Minor numbering drift.

CI is green on the branch. Happy to fix any of these if you'd like — just let me know which ones to address.

[Copilot]

Pull request overview

This PR expands and reorganizes packages/op-tooling to support OP Stack upgrades across multiple eras (pre-Jovian v4.1.0 and Jovian v5.0.0), adds several Safe-multisig Foundry scripts for maintenance/ownership operations, and introduces a new static “x-ray” web dashboard for inspecting deployed contract state across networks.

Changes:

• Reorganize op-deployer scripts into versioned directories (v3/, v4/, v5/) and add new v4/v5 bootstrap + upgrade pipelines.
• Add new exec flows for Jovian upgrades (mainnet + sepolia), plus a base-fee proposal execution script and additional encrypted signer bundles.
• Add new Safe-based Foundry scripts (ownership migration, ASR retirement/reset, DGF pruning) and a static x-ray dashboard deployed via Vercel.

Reviewed changes

Copilot reviewed 47 out of 53 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
secrets/.env.signers.v5.enc	Adds encrypted signer bundle for v5 execution flows.
secrets/.env.signers.v4.enc	Adds encrypted signer bundle for v4 execution flows.
secrets/.env.signers.succinct200.enc	Adds encrypted signer bundle for succinct-v2 (Jovian) execution flows.
secrets/.env.signers.basefee.enc	Adds encrypted signer bundle for basefee proposal execution.
scripts/key_placer.sh	Adds new signer bundles to decrypt/encrypt workflow.
packages/op-tooling/x-ray/vercel.json	Vercel SPA routing + JS headers for the new dashboard.
packages/op-tooling/x-ray/README.md	Documents running/deploying the x-ray dashboard.
packages/op-tooling/x-ray/.gitignore	Ignores Vercel metadata directory.
packages/op-tooling/verify/README.md	Updates verification docs and adds verify-versions.sh documentation.
packages/op-tooling/scripts/SafeSystemConfigOwner.s.sol	New Safe tx script to transfer SystemConfig ownership.
packages/op-tooling/scripts/SafeRetireASR.s.sol	New Safe tx script to retire ASR by writing packed storage slot.
packages/op-tooling/scripts/SafeResetAnchorGame.s.sol	New Safe tx script to override ASR anchorGame slot via temporary impl.
packages/op-tooling/scripts/SafePruneGamesFromStorage.s.sol	New Safe tx script to prune DGF games using temporary prunner impl.
packages/op-tooling/scripts/README.md	Documents new scripts and expands usage guidance.
packages/op-tooling/scripts/MigrateOwnershipToSafe.s.sol	New Foundry script for migrating multiple contract ownerships to a Safe.
packages/op-tooling/scripts/migrate-ownership-to-safe.sh	Wrapper script to run the ownership migration with network presets.
packages/op-tooling/safe/README.md	Removes deprecated Safe Gateway queue docs.
packages/op-tooling/safe/queue-safe.sh	Removes deprecated Safe Gateway queue script.
packages/op-tooling/README.md	Updates top-level op-tooling index (adds x-ray, updates op-deployer paths).
packages/op-tooling/op-deployer/v5/upgrade.sh	New v5 upgrade driver script (op-deployer upgrade v5.0.0).
packages/op-tooling/op-deployer/v5/run_upgrade.sh	New v5 orchestrator script (bootstrap → upgrade).
packages/op-tooling/op-deployer/v5/README.md	Documents v5 workflow, config, and network parameters.
packages/op-tooling/op-deployer/v5/bootstrap.sh	New v5 bootstrap script with optional verifier support and new flags.
packages/op-tooling/op-deployer/v4/upgrade.sh	New v4 upgrade driver script (op-deployer upgrade v4.1.0).
packages/op-tooling/op-deployer/v4/run_upgrade.sh	New v4 orchestrator script (bootstrap → upgrade).
packages/op-tooling/op-deployer/v4/README.md	Documents v4 workflow, config, and differences from v3.
packages/op-tooling/op-deployer/v4/bootstrap.sh	New v4 bootstrap script using updated flags and networks.
packages/op-tooling/op-deployer/v3/upgrade.sh	Updates v3 config paths to match new directory layout.
packages/op-tooling/op-deployer/v3/run_upgrade.sh	Updates v3 runner to call scripts from version directory.
packages/op-tooling/op-deployer/v3/README.md	Adds versioned v3 documentation.
packages/op-tooling/op-deployer/v3/bootstrap.sh	Replaces deprecated testnets with sepolia and updates paths.
packages/op-tooling/op-deployer/v3/bootstrap-validator.sh	Updates v3 validator bootstrap paths.
packages/op-tooling/op-deployer/README.md	Rewrites op-deployer docs as a version index + quick start.
packages/op-tooling/impls/SafeSetCeloConfig.s.sol	New Safe tx script to upgrade CeloSuperchainConfig proxy via ProxyAdmin.
packages/op-tooling/impls/README.md	Updates docs for renamed/new impl scripts.
packages/op-tooling/impls/DeployMIPS.s.sol	Adds/renames Foundry script for deterministic MIPS deployment.
packages/op-tooling/impls/DeployCeloConfigImpl.s.sol	New deterministic deployment script for CeloSuperchainConfig impl.
packages/op-tooling/fork/README.md	Updates fork docs: removes Holesky and adds mock-sepolia workflow.
packages/op-tooling/fork/mock-sepolia.sh	New script to prep sepolia/chaos forks (admin slot fix + ownership transfers).
packages/op-tooling/fork/mock-mainnet.sh	Adds ordering validation and fixes minor text.
packages/op-tooling/fork/fork_l1.sh	Removes Holesky fork option.
packages/op-tooling/exec/README.md	Documents new Jovian execution flows + updated signer file requirements.
packages/op-tooling/exec/exec-v2v3.sh	Adds required version argument (v2 or v3) instead of running both.
packages/op-tooling/exec/exec-mocked.sh	Extends mocked exec to support v4/v5/succ-v2 and validates signer ordering.
packages/op-tooling/exec/exec-jovian.sh	New mainnet Jovian execution script loading signatures from decoded signer files.
packages/op-tooling/exec/exec-jovian-sepolia.sh	New sepolia Jovian execution script with hardcoded signatures/nonces.
packages/op-tooling/exec/exec-basefee.sh	New direct cLabs Safe execution for base fee update proposal.

Comments suppressed due to low confidence (1)

packages/op-tooling/impls/README.md:42

• The README section was updated to DeployMIPS.s.sol, but the example commands still invoke forge script DeployMIPS.sol. Update the examples to use the renamed script filename so the docs are runnable.

**Example Execution:**

```bash
# Using existing oracle
PREIMAGE_ORACLE="0x..." forge script DeployMIPS.sol --root $PATH_TO_OP_REPO/packages/contracts-bedrock --broadcast --private-key $PK --rpc-url $RPC

# Deploying new oracle with MIPS
MIN_PROPOSAL_SIZE=1000 CHALLENGE_PERIOD=3600 forge script DeployMIPS.sol --root $PATH_TO_OP_REPO/packages/contracts-bedrock --broadcast --private-key $PK --rpc-url $RPC

</details>



---

💡 <a href="/celo-org/celo-monorepo/new/master?filename=.github/instructions/*.instructions.md" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Add Copilot custom instructions</a> for smarter, more guided reviews. <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot" class="Link--inTextBlock" target="_blank" rel="noopener noreferrer">Learn how to get started</a>.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 33eae327df

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Preserve bigint precision when formatting uint values

formatValue converts uint256/uint64 results with Number(value), but RPC reads return bigint and any value above 2^53-1 is rounded in JavaScript numbers. That causes the dashboard to show incorrect numeric state (notably fields like protocol version integers) and can mislead upgrade verification. Format these values from bigint/string directly instead of coercing through Number.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Correct truncated AnchorStateRegistry impl address

The mainnet initial entry for AnchorStateRegistry is a truncated hex literal (0x...c2d3f2), not a full 20-byte address, so implLookup can never match that implementation and will omit/misclassify its version tag. This is an accuracy regression in the dashboard’s version mapping and appears to be a typo (the full address is used elsewhere in-repo).

Useful? React with 👍 / 👎.