chore: mainnet deployment

deployment/mainnet/README.md

@@ -0,0 +1,56 @@
+This document is a guide for reviewers to inspect deployment information.
+The main function is to ensure the deployment is correct.
+
+## Requirements
+Install and configure necessary software.
+
+* Compile or download ckb-cli
+https://github.com/nervosnetwork/ckb-cli  Use version: 1.15.0 or above
+
+* Configure ckb-cli
+Before signing, please configure ckb-cli to use the correct mainnet. You can use the following commands:
+ ```
+ $ ckb-cli
+ CKB > config --url https://mainnet.ckb.dev
+ info[  ckb-cli version ]: 1.15.0 (8c892a5 2025-06-06)
+ [              url ]: https://mainnet.ckb.dev (network: Mainnet, #17314192
+ ```
+This step is very important, otherwise subsequent signing will fail. This setting takes effect immediately, no need to sync blocks or wait.
+
+* Install [jq](https://jqlang.org/)
+
+
+## How to upgrade
+It is locked by 3-of-5 multisig with following people:
+
+| # | Contact Information | CKB Address |
+|---|-------|-------------|
+| 1 | [email protected] | ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsqw8jqfpfe9lwsvs74j3a27aalhqshrslps8hlplq |
+| 2 | [email protected] | ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsq2u7q5rqr3nam68g2wfel9365l855m7fcg58j52a |
+| 3 | [email protected] | ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsq2hvk2yvt998w799ra8t73gunvrjrlw4agv2t7np |
+| 4 | [email protected] | ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsqt4q36wdxa34k89g5snyw694jy0nxht8yshfyw55 |
+| 5 | [email protected] | ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsq0jyvhms76lphfm56dmd2s06k9yxwkxy4gqzah69 |
+
+Any one can reach these people by contact information to verify the CKB address. The contact information can be:
+
+- email
+- GitHub account
+- X (Twitter) account
+- Discord account
+- Well-known nickname in the CKB community
+
+
+## Process
+
+Reviewers should inspect `info.json` to ensure it contains the correct configuration. There are 3 key aspects to verify:
+
+1. The cell data contains the correct binary generated by a reproducible build.
+2. The corresponding lock script uses multisig with the correct arguments. This is the most critical aspect.
+   - check address of reviewer is correct
+   - check configuration of multisig is correct (e.g. m-of-n)
+   - check code_hash and hash_type is correct
+
+3. The corresponding type script uses Type ID.
+
+To simplify these verification steps, a [bash script](./verify.sh) is provided. Reviewers can follow the steps described in the script to verify the configuration above.
+

deployment/mainnet/deployment.toml

@@ -0,0 +1,17 @@
+[[cells]]
+name = "quantum-resistant-lock-script"
+enable_type_id = true
+location = { file = "../../build/release/c-sphincs-all-in-one-lock" }
+
+
+# This is the lock script in output. Check it very carefully.
+# 1. [email protected]       ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsqw8jqfpfe9lwsvs74j3a27aalhqshrslps8hlplq
+# 2. [email protected]    ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsq2u7q5rqr3nam68g2wfel9365l855m7fcg58j52a
+# 3. [email protected]   ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsq2hvk2yvt998w799ra8t73gunvrjrlw4agv2t7np
+# 4. [email protected]      ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsqt4q36wdxa34k89g5snyw694jy0nxht8yshfyw55
+# 5. [email protected] ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsq0jyvhms76lphfm56dmd2s06k9yxwkxy4gqzah69
+
+[lock]
+code_hash = "0x5c5069eb0857efc65e1bca0c07df34c31663b3622fd3876c876320fc9634e2a8"
+args = "0xb9f04d55adb7b0fa0b56a752c72f201003115907"
+hash_type = "type"

deployment/mainnet/step-1-gen-tx.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+ckb-cli deploy gen-txs \
+    --deployment-config ./deployment.toml \
+    --migration-dir ./migrations \
+    --fee-rate 2000 \
+    --from-address ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsqw9zyl653xlmzkkwmkguk0sqxkalkyat8suxxefv \
+    --info-file info.json

deployment/mainnet/step-2-sign.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+ckb-cli deploy sign-txs \
+    --from-account ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsqw9zyl653xlmzkkwmkguk0sqxkalkyat8suxxefv \
+    --add-signatures \
+    --info-file info.json

deployment/mainnet/step-3-apply.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+ckb-cli deploy apply-txs --migration-dir ./migrations --info-file info.json

deployment/mainnet/verify.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+
+## step 1: verify binary
+function verify_binary() {
+    get_expected_hash() {
+        grep "build/release/c-sphincs-all-in-one-lock$" ../../checksums.txt | awk '{print $1}'
+    }
+
+    expected_hash=$(get_expected_hash)
+
+    actual_hash=$(jq -r '.cell_tx.outputs_data[0]' info.json | xxd -r -p | shasum -a 256 | awk '{print $1}')
+
+    if [ "$expected_hash" != "$actual_hash" ]; then
+        echo "✗ Binary verification failed!"
+        exit 1
+    fi
+    echo "✓ Binary verification passed!"
+}
+
+verify_binary
+
+
+## step 2: verify lock script
+
+function verify_lock_script() {
+    code_hash=$(jq -r '.cell_tx.outputs[0].lock.code_hash' info.json)
+    hash_type=$(jq -r '.cell_tx.outputs[0].lock.hash_type' info.json)
+    args=$(jq -r '.cell_tx.outputs[0].lock.args' info.json)
+
+    # https://github.com/nervosnetwork/rfcs/blob/master/rfcs/0024-ckb-genesis-script-list/0024-ckb-genesis-script-list.md#secp256k1multisig
+    expected_code_hash="0x5c5069eb0857efc65e1bca0c07df34c31663b3622fd3876c876320fc9634e2a8"
+    expected_hash_type="type"
+
+    if [ "$code_hash" != "$expected_code_hash" ]; then
+        echo "✗ code_hash verification failed!"
+        exit 1
+    fi
+
+    if [ "$hash_type" != "$expected_hash_type" ]; then
+        echo "✗ hash_type verification failed!"
+        exit 1
+    fi
+    echo "✓ Lock script verification passed!"
+
+    multisig_output=$(ckb-cli tx build-multisig-address \
+    --sighash-address ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsqw8jqfpfe9lwsvs74j3a27aalhqshrslps8hlplq \
+    --sighash-address ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsq2u7q5rqr3nam68g2wfel9365l855m7fcg58j52a \
+    --sighash-address ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsq2hvk2yvt998w799ra8t73gunvrjrlw4agv2t7np \
+    --sighash-address ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsqt4q36wdxa34k89g5snyw694jy0nxht8yshfyw55 \
+    --sighash-address ckb1qzda0cr08m85hc8jlnfp3zer7xulejywt49kt2rr0vthywaa50xwsq0jyvhms76lphfm56dmd2s06k9yxwkxy4gqzah69 \
+    --threshold 3 \
+    --require-first-n 0 \
+    --multisig-code-hash legacy)
+
+    expected_args=$(echo "$multisig_output" | grep "lock-arg:" | awk '{print $2}')
+
+    if [ "$args" != "$expected_args" ]; then
+        echo "✗ Lock args verification failed!"
+        echo "  Expected: $expected_args"
+        echo "  Actual:   $args"
+        exit 1
+    fi
+    echo "✓ Lock args verification passed!"
+}
+
+verify_lock_script
+
+## step 3: verify type script
+function verify_type_script() {
+    code_hash=$(jq -r '.cell_tx.outputs[0].type.code_hash' info.json)
+    hash_type=$(jq -r '.cell_tx.outputs[0].type.hash_type' info.json)
+    args=$(jq -r '.cell_tx.outputs[0].type.args' info.json)
+
+    # https://github.com/nervosnetwork/rfcs/blob/4b502ffcb02fc7019e0dd4b5f866b5f09819cfbe/rfcs/0024-ckb-genesis-script-list/0024-ckb-genesis-script-list.md#type-id
+    expected_code_hash="0x00000000000000000000000000000000000000000000000000545950455f4944"
+    expected_hash_type="type"
+
+    if [ "$code_hash" != "$expected_code_hash" ]; then
+        echo "✗ type script code_hash verification failed!"
+        exit 1
+    fi
+
+    if [ "$hash_type" != "$expected_hash_type" ]; then
+        echo "✗ type script hash_type verification failed!"
+        exit 1
+    fi
+
+    echo "✓ Type script verification passed!"
+}
+
+verify_type_script