[V2-199] feat: verify OutputFilled via routemesh RPC before Polymer proof request (V2-199)

[reednaa]

Summary

• Gate POST /polymer with a pre-flight RPC lookup against routemesh (https://lb.routeme.sh/rpc/<chainId>/<key>) that confirms the targeted (block, logIndex) actually emitted an OutputFilled event before any Polymer proof request goes out.
• Mismatches → HTTP 400 with {"error": "log is not an OutputFilled event"} and zero outbound calls to api.polymer.zone.
• RPC unreachable (401, timeout, etc.) → log a warning and fall through to the existing Polymer flow. Verification is best-effort, never a hard gate on infra blips.
• Skip the check on the status-polling path (when the caller already supplies a polymerIndex).

Linear: V2-199

Implementation notes

• New helper src/lib/libraries/outputFilledVerify.ts wraps viem's createPublicClient + getLogs with fromBlock === toBlock and the typed OutputFilled event from COIN_FILLER_ABI. Topic0 filter happens RPC-side; helper just checks logs.some(l => Number(l.logIndex) === globalLogIndex).
• No viem chain object passed to the client — keeps us from maintaining a chain map for every chain Polymer supports.
• Reuses COIN_FILLER_ABI from src/lib/abi/outputsettler.ts; no event redeclaration.
• New env var PRIVATE_ROUTEMESH_API_KEY added to .env.example. Needs to be set on Cloudflare Workers via wrangler secret put PRIVATE_ROUTEMESH_API_KEY before deploy.

Test plan

• Set PRIVATE_ROUTEMESH_API_KEY locally and bun run dev.
• Happy path: trigger a real fill via the UI; endpoint behaves as before, one extra getLogs round-trip visible.
• Mismatch path: curl POST /polymer with (chainId, blockNumber, logIndex) pointing to a non-OutputFilled log (e.g. an ERC20 Transfer). Expect 400 + no request to api.polymer.zone.
• RPC-down path: set PRIVATE_ROUTEMESH_API_KEY=invalid, re-trigger a fill. Expect a console warning and the Polymer flow to still complete.
• Polling skip: hit the endpoint with a valid polymerIndex + arbitrary globalLogIndex. Expect zero outbound requests to lb.routeme.sh.
• wrangler secret put PRIVATE_ROUTEMESH_API_KEY on prod before merging.

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added automatic verification of output logs to validate they correspond to the expected blockchain event.

• Chores

  • New API key environment variable required for log verification configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces log verification for OutputFilled events. A new utility queries Routemesh RPC endpoints to validate that logs at specific block/log indices match expected OutputFilled event signatures, integrating a mismatch rejection into the polymer POST handler, with supporting environment variable configuration.

Changes

OutputFilled Log Verification

Layer / File(s)	Summary
OutputFilled verification utility src/lib/libraries/outputFilledVerify.ts	OutputFilledVerification type constrains return values to "match", "mismatch", or "unknown". The verifyOutputFilledLog function queries OutputFilled logs from Routemesh for a chainId and blockNumber, compares logIndex against globalLogIndex, and handles RPC errors with console warnings.
Environment configuration .env.example	PRIVATE_ROUTEMESH_API_KEY environment variable added to document the required Routemesh API credential.
POST handler verification integration src/routes/polymer/+server.ts	Import of verifyOutputFilledLog and a new verification checkpoint in the POST handler that checks the OutputFilled log and returns HTTP 400 if verification returns "mismatch".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A log to check, events aligned,
Routemesh queries, truth to find,
Mismatches caught with warnings bright,
Polymer flows now verified right! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main feature: adding OutputFilled verification via Routemesh RPC before Polymer proof requests.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch worktree-v2-199-polymer-outputfilled-verify

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/routes/polymer/`+server.ts:
- Around line 31-35: The code directly calls BigInt(srcBlockNumber) (and
Number(srcChainId)/Number(globalLogIndex)) on untrusted JSON before calling
verifyOutputFilledLog, which can throw and return a 500; validate and sanitize
these numeric inputs first (e.g., check typeof/value, ensure srcBlockNumber
matches /^\d+$/ before BigInt conversion, and that srcChainId/globalLogIndex are
finite numbers), or move the coercion inside a try/catch around the parsing and
return a 400/validation error on failure; update the call site that invokes
verifyOutputFilledLog to pass only validated/converted values (references:
srcBlockNumber, srcChainId, globalLogIndex, verifyOutputFilledLog).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 095eb4b0-877c-4e90-8963-e288c47e42df

📥 Commits

Reviewing files that changed from the base of the PR and between 6b76278 and 2de90bf.

📒 Files selected for processing (3)

• .env.example
• src/lib/libraries/outputFilledVerify.ts
• src/routes/polymer/+server.ts

[github-actions]

🚀 Preview deployed!

Worker: lintent-pr-53
URL: https://lintent-pr-53.li-fi374.workers.dev