circlefin · circle-github-action-bot · May 2, 2026
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -24,4 +24,13 @@ ignore = [
     # to 0.9+ requires a major-version API migration and transitive deps (yamux, libp2p)
     # still require rand 0.8.x
     "RUSTSEC-2026-0097",
+
+    # hickory-proto 0.25.2 - NSEC3 closest-encloser proof unbounded loop; no fixed version
+    # available yet. Transitive dependency via reth-dns-discovery (reth v1.11.3) and
+    # libp2p-mdns (libp2p 0.56.0) — cannot be updated without bumping reth/libp2p.
+    "RUSTSEC-2026-0118",
+    # hickory-proto 0.25.2 - O(n²) name compression CPU exhaustion; fix requires >=0.26.1.
+    # Transitive dependency via reth-dns-discovery (reth v1.11.3) and libp2p-mdns
+    # (libp2p 0.56.0) — both pin hickory-proto to 0.25.x; cannot update without bumping reth.
+    "RUSTSEC-2026-0119",
 ]
diff --git a/.github/workflows/label-external-prs.yml b/.github/workflows/label-external-prs.yml
@@ -9,14 +9,13 @@ on:
     branches: [main]
 
 permissions:
-  issues: write
+  pull-requests: write
 
 concurrency:
   group: label-external-pr-${{ github.event.pull_request.number }}
   cancel-in-progress: false
-  # cancel-in-progress: false is correct — label ops are idempotent but partial
-  # cancellation could leave a PR unlabeled. Two simultaneous merges both hit
-  # `gh label create --force`; one wins, the other is a no-op.
+  # Partial cancellation could leave a PR unlabeled; label application is
+  # idempotent so letting both runs finish is safe.
 
 jobs:
   label:
@@ -31,16 +30,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - name: Ensure label exists and apply
+      - name: Apply pending-import label
         env:
           GH_TOKEN: ${{ github.token }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           REPO: ${{ github.repository }}
         run: |
           set -euo pipefail
-          gh label create pending-import \
-            --repo "${REPO}" \
-            --color ededed \
-            --description "Merged PR awaiting reverse-sync to upstream" \
-            --force
           gh pr edit "${PR_NUMBER}" --repo "${REPO}" --add-label pending-import
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -101,6 +101,7 @@ config             = { version = "0.14", features = ["toml"], default-features =
 # get the wrong path, update this when the workflow has been updated
 #
 # See: https://github.com/eira-fransham/crunchy/issues/13
+criterion = "0.7"
 crunchy = "=0.2.2"
 csv = "1.4"
 deranged = "0.5.5"
@@ -223,6 +224,7 @@ serde = { version = "1.0", default-features = false }
 serde_json = { version = "1.0", default-features = false, features = ["alloc"] }
 serde_with = { version = "3", default-features = false, features = ["macros"] }
 serial_test = "3"
+sha2 = "0.10.9"
 sha3 = "0.10.5"
 signature          = "2.2.0"
 # Security fix for RUSTSEC-2025-0047

diff --git a/assets/devnet/genesis.config.ts b/assets/devnet/genesis.config.ts
@@ -68,7 +68,6 @@ const build = async () => {
       owner: creator.nextAccount('ProtocolConfig.owner', adminPrefund),
       controller: creator.nextAccount('ProtocolConfig.controller', adminPrefund),
       pauser: creator.nextAccount('ProtocolConfig.pauser', adminPrefund),
-      beneficiary: creator.nextAccount('ProtocolConfig.beneficiary'),
       feeParams: {
         alpha: 20n,
         kRate: 25n,