chore: supply chain update - 1

.github/CODEOWNERS

@@ -0,0 +1,34 @@
+# CODEOWNERS for autonolas-subgraph-studio
+#
+# This file routes review of security- and supply-chain-sensitive files to
+# the security reviewer(s). Enforcement requires "Require review from Code
+# Owners" in branch protection settings — until that is enabled this file
+# is advisory and only nudges GitHub's PR review-request UI.
+#
+# Owner is an individual until a security team exists; switch to a team
+# handle (e.g., @valory-xyz/<team>) once one is created. Path scope below
+# covers only files that exist today; the next supply-chain PR will add
+# lines for `.supply-chain/`, scripts/, and governance docs as they land.
+
+# Default owner: any unowned path falls back here.
+*                                @Tanya-atatakai
+
+# Workflows, actions config, repository-level GitHub config.
+/.github/                        @Tanya-atatakai
+
+# Top-level package metadata + lockfile.
+/package.json                    @Tanya-atatakai
+/yarn.lock                       @Tanya-atatakai
+
+# Disclosure policy.
+/SECURITY.md                     @Tanya-atatakai
+
+# AI / contributor onboarding context — changes here shape future agent behavior.
+/CLAUDE.md                       @Tanya-atatakai
+
+# Per-subgraph package metadata + lockfiles. Picks up flat (subgraphs/<name>/)
+# and nested (subgraphs/predict/predict-omen/, subgraphs/babydegen/babydegen-optimism/) layouts.
+/subgraphs/*/package.json        @Tanya-atatakai
+/subgraphs/*/yarn.lock           @Tanya-atatakai
+/subgraphs/*/*/package.json      @Tanya-atatakai
+/subgraphs/*/*/yarn.lock         @Tanya-atatakai

.github/workflows/deploy-subgraph.yaml

@@ -23,24 +23,34 @@ on:
         type: string
         default: "subgraph.yaml"
 
+permissions:
+  contents: read
+
 jobs:
   plan:
     runs-on: ubuntu-latest
     steps:
       - name: Display deployment plan
+        env:
+          INPUT_FOLDER: ${{ inputs.folder }}
+          INPUT_NAME: ${{ inputs.name }}
+          INPUT_VERSION: ${{ inputs.version }}
+          INPUT_MANIFEST: ${{ inputs.manifest }}
         run: |
-          echo "## 📋 Deployment Plan" >> $GITHUB_STEP_SUMMARY
-          echo "- Subgraph folder: \`${{ inputs.folder }}\`" >> $GITHUB_STEP_SUMMARY
-          echo "- Subgraph name: \`${{ inputs.name }}\`" >> $GITHUB_STEP_SUMMARY
-          echo "- Version: \`${{ inputs.version }}\`" >> $GITHUB_STEP_SUMMARY
-          echo "- Manifest: \`${{ inputs.manifest }}\`" >> $GITHUB_STEP_SUMMARY
+          {
+            echo "## 📋 Deployment Plan"
+            echo "- Subgraph folder: \`$INPUT_FOLDER\`"
+            echo "- Subgraph name: \`$INPUT_NAME\`"
+            echo "- Version: \`$INPUT_VERSION\`"
+            echo "- Manifest: \`$INPUT_MANIFEST\`"
+          } >> "$GITHUB_STEP_SUMMARY"
 
   validate-inputs:
     needs: plan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Validate deployment branch
         run: |
@@ -53,16 +63,50 @@ jobs:
           echo "✅ Branch validation passed: deploying from main branch"
 
       - name: Validate version format
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
         run: |
-          if [[ ! "${{ inputs.version }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          if [[ ! "$INPUT_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
             echo "❌ Error: Version must follow format vX.Y.Z (e.g., v0.1.2)"
             exit 1
           fi
-          echo "✅ Version format is valid: ${{ inputs.version }}"
+          echo "✅ Version format is valid: $INPUT_VERSION"
+
+      - name: Validate folder format
+        env:
+          INPUT_FOLDER: ${{ inputs.folder }}
+        run: |
+          if [[ ! "$INPUT_FOLDER" =~ ^[a-z0-9][a-z0-9_-]*(/[a-z0-9][a-z0-9_-]*)?$ ]]; then
+            echo "❌ Error: folder must be alphanumeric with dashes/underscores, optionally one nested level (e.g., 'liquidity', 'predict/predict-omen')"
+            exit 1
+          fi
+          echo "✅ Folder format is valid: $INPUT_FOLDER"
+
+      - name: Validate subgraph name format
+        env:
+          INPUT_NAME: ${{ inputs.name }}
+        run: |
+          if [[ ! "$INPUT_NAME" =~ ^[a-z0-9][a-z0-9_-]+$ ]]; then
+            echo "❌ Error: name must match The Graph's slug pattern (lowercase alphanumeric, dashes, underscores)"
+            exit 1
+          fi
+          echo "✅ Name format is valid: $INPUT_NAME"
+
+      - name: Validate manifest filename
+        env:
+          INPUT_MANIFEST: ${{ inputs.manifest }}
+        run: |
+          if [[ ! "$INPUT_MANIFEST" =~ ^subgraph(\.[a-z0-9_-]+)?\.yaml$ ]]; then
+            echo "❌ Error: manifest must match subgraph[.network].yaml (e.g., subgraph.yaml, subgraph.gnosis.yaml)"
+            exit 1
+          fi
+          echo "✅ Manifest filename is valid: $INPUT_MANIFEST"
 
       - name: Validate subgraph folder exists
+        env:
+          INPUT_FOLDER: ${{ inputs.folder }}
         run: |
-          SUBGRAPH_PATH="subgraphs/${{ inputs.folder }}"
+          SUBGRAPH_PATH="subgraphs/$INPUT_FOLDER"
 
           if [ ! -d "$SUBGRAPH_PATH" ]; then
             echo "❌ Error: Subgraph folder '$SUBGRAPH_PATH' does not exist!"
@@ -74,14 +118,17 @@ jobs:
           echo "✅ Subgraph folder found: $SUBGRAPH_PATH"
 
       - name: Validate manifest file exists
+        env:
+          INPUT_FOLDER: ${{ inputs.folder }}
+          INPUT_MANIFEST: ${{ inputs.manifest }}
         run: |
-          MANIFEST_PATH="subgraphs/${{ inputs.folder }}/${{ inputs.manifest }}"
+          MANIFEST_PATH="subgraphs/$INPUT_FOLDER/$INPUT_MANIFEST"
 
           if [ ! -f "$MANIFEST_PATH" ]; then
             echo "❌ Error: Manifest file '$MANIFEST_PATH' does not exist!"
             echo ""
-            echo "Available files in subgraphs/${{ inputs.folder }}:"
-            ls -1 subgraphs/${{ inputs.folder }}/ | grep subgraph
+            echo "Available files in subgraphs/$INPUT_FOLDER:"
+            ls -1 "subgraphs/$INPUT_FOLDER/" | grep subgraph
             exit 1
           fi
           echo "✅ Manifest file found: $MANIFEST_PATH"
@@ -91,10 +138,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
           node-version: "24"
           cache: "yarn"
@@ -105,29 +152,44 @@ jobs:
 
       - name: Authenticate
         working-directory: subgraphs/${{ inputs.folder }}
-        run: yarn graph auth ${{ secrets.SUBGRAPH_STUDIO_KEY }}
+        env:
+          STUDIO_KEY: ${{ secrets.SUBGRAPH_STUDIO_KEY }}
+        run: yarn graph auth "$STUDIO_KEY"
 
       - name: Generate code
         working-directory: subgraphs/${{ inputs.folder }}
-        run: yarn graph codegen ${{ inputs.manifest }}
+        env:
+          INPUT_MANIFEST: ${{ inputs.manifest }}
+        run: yarn graph codegen "$INPUT_MANIFEST"
 
       - name: Build subgraph
         working-directory: subgraphs/${{ inputs.folder }}
-        run: yarn graph build ${{ inputs.manifest }}
+        env:
+          INPUT_MANIFEST: ${{ inputs.manifest }}
+        run: yarn graph build "$INPUT_MANIFEST"
 
       - name: Deploy subgraph
         working-directory: subgraphs/${{ inputs.folder }}
+        env:
+          INPUT_NAME: ${{ inputs.name }}
+          INPUT_MANIFEST: ${{ inputs.manifest }}
+          INPUT_VERSION: ${{ inputs.version }}
         run: |
           yarn graph deploy \
-            ${{ inputs.name }} \
-            ${{ inputs.manifest }} \
-            -l ${{ inputs.version }}
+            "$INPUT_NAME" \
+            "$INPUT_MANIFEST" \
+            -l "$INPUT_VERSION"
 
       - name: Deployment summary
         if: success()
+        env:
+          INPUT_FOLDER: ${{ inputs.folder }}
+          INPUT_NAME: ${{ inputs.name }}
+          INPUT_VERSION: ${{ inputs.version }}
+          INPUT_MANIFEST: ${{ inputs.manifest }}
         run: |
           echo "✅ Subgraph deployed successfully"
-          echo "- Subgraph folder: ${{ inputs.folder }}"
-          echo "- Subgraph name: ${{ inputs.name }}"
-          echo "- Version: ${{ inputs.version }}"
-          echo "- Manifest: ${{ inputs.manifest }}"
+          echo "- Subgraph folder: $INPUT_FOLDER"
+          echo "- Subgraph name: $INPUT_NAME"
+          echo "- Version: $INPUT_VERSION"
+          echo "- Manifest: $INPUT_MANIFEST"

.github/workflows/test.yaml

@@ -5,6 +5,9 @@ on:
   push:
     branches: [main]
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -55,15 +58,15 @@ jobs:
 
     name: test / ${{ matrix.subgraph }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e  # v6.4.0
         with:
-          node-version: "20"
+          node-version: "24"
 
       - name: Install dependencies
         working-directory: ${{ matrix.path }}
-        run: yarn install --frozen-lockfile || yarn install
+        run: yarn install --frozen-lockfile
 
       - name: Generate manifests
         if: matrix.generate

.gitignore

@@ -15,4 +15,14 @@ generated-l2/
 
 .yarn
 
-.DS_Store
+.DS_Store
+
+/.plans
+
+# This repo uses yarn classic; reject lockfiles from other package managers
+package-lock.json
+pnpm-lock.yaml
+bun.lockb
+
+# Local supply-chain audit baselines (Tier 0 / pre-PR recon output)
+/audit

CLAUDE.md

@@ -8,17 +8,18 @@ Monorepo of [The Graph](https://thegraph.com/) subgraphs for the Autonolas/Olas
 abis/                          # Shared ABI files (referenced by all subgraphs)
 scripts/
   generate-manifests.js        # Generates network manifests from templates
+  pol-aggregation.js           # Cross-chain POL + protocol fees report (queries all liquidity subgraphs + Solana RPC)
 shared/
   constants.ts                 # Shared constants across subgraphs
 subgraphs/
   babydegen/                   # Baby Degen agent portfolio tracking (Optimism)
   governance/                  # Governance tracking
   legacy-mech-fees/            # Legacy mech fee indexing
   liquidity/                   # Protocol Owned Liquidity — Ethereum mainnet (OLAS-ETH + bridged L2 LP tokens)
-  liquidity-l2/                # Protocol Owned Liquidity — L2 Balancer pools (6 networks, template pattern)
-  new-mech-fees/               # Multi-network mech fees (Gnosis, Base, Polygon, Optimism)
-  predict/                     # Prediction markets (Omen on Gnosis, Polymarket)
-  service-registry/            # Service registry (7 networks, template pattern)
+  liquidity-l2/                # Protocol Owned Liquidity — L2 pools (6 networks; template pattern with manual overrides for Base dual-pool and Celo Ubeswap)
+  new-mech-fees/               # Multi-network mech fees (Gnosis, Base, Polygon, Optimism, Arbitrum, Celo, Ethereum — 7 networks)
+  predict/                     # Prediction markets (Omen on Gnosis, Polymarket on Polygon)
+  service-registry/            # Service registry (8 networks; hybrid: hand-crafted mainnet manifest + L2 template)
   staking/                     # Staking contracts (7 networks, template pattern)
   tokenomics-eth/              # Tokenomics L1 (Ethereum mainnet, standalone)
   tokenomics-l2/               # Tokenomics L2 (6 networks, template pattern)
@@ -33,9 +34,10 @@ subgraphs/
 
 ## Multi-Network Patterns
 
-1. **Template Pattern** (staking, service-registry, tokenomics-l2, liquidity-l2): `subgraph.template.yaml` + `networks.json` + `generate-manifests.js`
-2. **Per-Network Manifests** (new-mech-fees): shared `src/` with `subgraph.<network>.yaml` per network
-3. **Single Network** (babydegen, governance, liquidity, legacy-mech-fees, tokenomics-eth): standalone `subgraph.yaml`
+1. **Template Pattern** (staking, tokenomics-l2, liquidity-l2): `subgraph.template.yaml` + `networks.json` + `generate-manifests.js`. `liquidity-l2` additionally maintains hand-crafted manifests for Base (dual pool) and Celo (Ubeswap, not Balancer).
+2. **Per-Network Manifests** (new-mech-fees): shared `src/` with `subgraph.<network>.yaml` per network; mappings dispatch on `dataSource.network()`.
+3. **Hybrid** (service-registry): `subgraph.mainnet.yaml` (1-param `CreateService` ABI) alongside template-generated L2 manifests (2-param `CreateService` + `configHash`); separate `mapping.ts` / `mapping-eth.ts` share `utils.ts`.
+4. **Single Network** (babydegen, governance, liquidity, legacy-mech-fees, tokenomics-eth, predict-omen, predict-polymarket): standalone `subgraph.yaml`.
 
 ## Development Workflow
 
@@ -49,12 +51,12 @@ yarn build                             # Build subgraph (compiles to WASM)
 yarn test                              # Run Matchstick tests
 ```
 
-CI runs on every PR via `.github/workflows/test.yaml` — tests subgraphs with Matchstick tests (liquidity, liquidity-l2, staking, tokenomics-eth) and build-checks all others. Deployment is handled via `.github/workflows/deploy-subgraph.yaml` (manual dispatch from main).
+CI runs on every PR via `.github/workflows/test.yaml` — a matrix over all 12 subgraph targets runs `yarn graph codegen` followed by `yarn graph test` (Matchstick) for each. Template subgraphs run `yarn generate-manifests` first; per-network subgraphs symlink a representative manifest (`subgraph.gnosis.yaml`) before testing. Deployment is handled via `.github/workflows/deploy-subgraph.yaml` (manual dispatch from main).
 
 ## Conventions
 
 - Entity IDs: typically address-based (e.g., safe address, `<address>-<tokenId>`, `<address>-<dayTimestamp>`)
-- All financial fields use `BigInt` (no BigDecimal)
+- Financial fields use `BigInt` by default. Exception: `new-mech-fees` uses `BigDecimal` for USD-denominated fields (rationale in [`docs/TOKEN-PAYMENT-POOLS.md`](docs/TOKEN-PAYMENT-POOLS.md)).
 - UTC midnight timestamps for daily entities: `timestamp / 86400 * 86400`
 - Shared ABIs live in root `abis/` directory
 - Each subgraph has its own `schema.graphql`, `subgraph.yaml`, `src/`, and optional `tests/`

CONTRIBUTING.md

@@ -25,7 +25,7 @@ For repository structure, development setup, multi-network patterns, and how to
 
 ## Code of Conduct
 
-This project adheres to the [Contributor Covenant](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) Code of Conduct. By participating, you are expected to uphold this code. Please report unacceptable behavior to **security@valory.xyz**.
+This project adheres to the [Contributor Covenant](https://www.contributor-covenant.org/version/2/1/code_of_conduct/) Code of Conduct. By participating, you are expected to uphold this code. Please report unacceptable behavior to **info@valory.xyz**.
 
 ---
 
@@ -47,7 +47,7 @@ This project adheres to the [Contributor Covenant](https://www.contributor-coven
 
 **Do not** open public GitHub issues for security vulnerabilities. Instead:
 
-- Email **security@valory.xyz** with a detailed report.
+- Email **info@valory.xyz** with a detailed report.
 - Include the affected subgraph, potential impact, and steps to reproduce.
 
 We aim to acknowledge receipt within 72 hours.
@@ -107,6 +107,6 @@ This project is licensed under the **Apache License 2.0**. See `LICENSE`.
 ## Contact
 
 - General questions: **info@valory.xyz**
-- Security: **security@valory.xyz**
+- Security: **info@valory.xyz**
 
 Thank you for contributing!

SECURITY.md

@@ -0,0 +1,43 @@
+# Security Policy
+
+This repository hosts subgraphs that are deployed to The Graph Studio and consumed by Olas dashboards, frontends, and analytics across the wider Autonolas ecosystem. A vulnerability in code shipped from this repo can affect every downstream consumer of an Olas subgraph endpoint.
+
+## Reporting a Vulnerability
+
+**Do not open a public GitHub issue for a security vulnerability.**
+
+Instead, email **info@valory.xyz** with:
+
+- The affected subgraph (e.g., `subgraphs/tokenomics-eth`).
+- The affected network (e.g., Ethereum mainnet, Gnosis).
+- A clear description of the vulnerability and its potential impact.
+- Steps to reproduce, ideally including the relevant transaction hash, block number, or entity ID.
+- Any proof-of-concept exploit you have, kept private.
+
+We aim to acknowledge receipt within **72 hours** and work with you on triage, fix, and disclosure timelines.
+
+## Scope
+
+In scope:
+
+- Mapping logic that produces incorrect indexed data or could be tricked into doing so.
+- Build / deployment workflows ([`.github/workflows/`](.github/workflows/)) that could exfiltrate secrets or publish unauthorized subgraph versions.
+- Dependency-chain compromises in `@graphprotocol/graph-cli`, `@graphprotocol/graph-ts`, `matchstick-as`, or any transitive dep that runs at install or build time.
+- Misconfiguration of contract addresses, start blocks, or ABIs that could cause indexing of attacker-controlled data.
+- Leakage of `SUBGRAPH_STUDIO_KEY` or any other deploy-auth credential.
+
+Out of scope:
+
+- Vulnerabilities in The Graph's hosted service itself (Subgraph Studio, Hosted Service, or Decentralized Network) — please report those to The Graph directly.
+- Vulnerabilities in upstream smart contracts (`Tokenomics`, `Depository`, `ServiceRegistry`, etc.) — these are tracked in their respective repositories.
+- Vulnerabilities in third-party dashboards or frontends that consume our subgraphs.
+- Best-practice or defense-in-depth suggestions that do not correspond to a concrete attack scenario.
+- Theoretical issues with no practical impact on indexed data, build artifacts, or deploy authentication.
+
+## Supported Versions
+
+Subgraph deployments are versioned per subgraph through The Graph Studio. Security fixes are applied on top of the currently-deployed version of each subgraph and re-published. We do not maintain backports for older deployed versions.
+
+## Acknowledgements
+
+We're grateful for responsible disclosure. Reporters who follow this policy will be credited in the relevant fix's release notes (with permission), unless they prefer to remain anonymous.