Proposal to elect new release rc--2025-05-30_03-21

Hello there!

We are happy to announce that voting is now open for a new GuestOS release.
The NNS proposal is here: IC NNS Proposal 136789.

Here is a summary of the changes since the last GuestOS release:

Release Notes for release-2025-05-30_03-21-base (ed3650da85f390130dedf55806da9337d796b799)

This release is based on changes since release-2025-05-23_03-21-base (16825c5cbff83a51983d849b60c9d26b3268bbb6).

Please note that some commits may be excluded from this release if they’re not relevant, or not modifying the GuestOS image. Additionally, descriptions of some changes might have been slightly modified to fit the release notes format.

To see a full list of commits added since last release, compare the revisions on GitHub.

Features:

  • 241fe2bb8 Consensus,Interface(orchestrator): Include latest CUP time in orchestrator’s dashboard (#5328)
  • 398efca66 Execution,Interface: Implement snapshot data upload (#4837)
  • ea88bf355 Execution,Interface: system API ic0.root_key_{size, copy} (#4470)
  • a8289b351 Interface,Message Routing: Canister renaming in the state manager (#5273)
  • 4a7a911a8 Interface,Message Routing: Shuffle streams in XNet payload builder (#5300)
  • 06bdd95d1 Interface,Node(node): Add a new option in config.ini to enable Trusted Execution Environment (#5333)

Bugfixes:

  • d12013bb2 Execution,Interface: do not include See documentation without doc link (#5285)
  • 790a466b0 Execution,Interface: use saturating arithmetics for validating module chunk upload (#5287)
  • b9c23dd08 Interface,Node: Fix hostname validation and remove guest- prefix in bootstrap.rs (#5330)

Chores:

  • 17c6b29e6 Consensus,Interface(networking): add canister_http_payload_size histogram metric (#5192)
  • 7b4e27b3a Consensus,Interface: bump ic-agent to v0.40.1 (#5162)
  • 7e2c79b15 Execution,Interface: Remove compute and memory allocation from InstallCodeArgs (#5190)
  • b8cc778f5 Interface: deprecate some redundant Haskell tests (#5314)
  • def34c889 Interface: use ic-gateway in PocketIC (#5298)
  • 2cc5b2479 Interface(ICRC_Ledger): Use test_strategy instead of proptest macro for ICRC1 ledger suite tests (#5039)
  • 0c1e945dc Interface,Message Routing: Remove defrag_canisters_map step (#5313)
  • 831f9bce4 Owners(IDX): Extract artifact upload from build (#5274)

Refactoring:

  • b898b3ba0 Consensus,Interface(replay): Remove dependency to canister_client in ic-replay (#5240)
  • 01a663320 Consensus,Interface: Move DkgPayloadBuidler error types into ic-types (#4960)
  • 2e5678e0e Interface,Node: Pass GuestOS config as a rust struct and consolidate test bootstrapping (#5294)
  • a87bc0bc0 Interface,Node: Add new generate-guestos-vm-config feature to ic-os config tool which replaces generate-guestos-config.sh (#5264)
  • 93bd45938 Interface,Node: Replace usages of the build-bootstrap-config-image.sh script with a new Rust-based implementation for generating bootstrap configuration images (#5248)
  • 6482c5b5c Interface,Node: Use Paths in metrics_tool instead of Strings (#5265)
  • 697e96bfc Node: Remove build-bootstrap-config-image.sh script which has been migrated to config::guest_vm_config (#5349)

Tests:


Full list of changes (including the ones that are not relevant to GuestOS) can be found on GitHub.

IC-OS Verification

To build and verify the IC-OS GuestOS disk image, after installing curl if necessary (sudo apt install curl), run:

# From https://github.com/dfinity/ic#verifying-releases
curl -fsSL https://raw.githubusercontent.com/dfinity/ic/master/ci/tools/repro-check | python3 - -c ed3650da85f390130dedf55806da9337d796b799 --guestos

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

While not required for this NNS proposal, as we are only electing a new GuestOS version here, you have the option to verify the build reproducibility of the HostOS by passing --hostos to the script above instead of --guestos, or the SetupOS by passing --setupos.


Hello there!

We are happy to announce that voting is now open for a new HostOS release.
The NNS proposal is here: IC NNS Proposal 136790.

Here is a summary of the changes since the last HostOS release:

Release Notes for release-2025-05-30_03-21-base (ed3650da85f390130dedf55806da9337d796b799)

This release is based on changes since release-2025-05-23_03-21-base (16825c5cbff83a51983d849b60c9d26b3268bbb6).

Please note that some commits may be excluded from this release if they’re not relevant, or not modifying the HostOS image. Additionally, descriptions of some changes might have been slightly modified to fit the release notes format.

To see a full list of commits added since last release, compare the revisions on GitHub.

Features:

  • 398efca66 Execution,Interface: Implement snapshot data upload (#4837)
  • 06bdd95d1 Interface,Node(node): Add a new option in config.ini to enable Trusted Execution Environment (#5333)
  • 18af55a8f Node: guestos-recovery-upgrader service (#4993)

Bugfixes:

  • b9c23dd08 Interface,Node: Fix hostname validation and remove guest- prefix in bootstrap.rs (#5330)

Chores:

  • 7b4e27b3a Consensus,Interface: bump ic-agent to v0.40.1 (#5162)
  • 7e2c79b15 Execution,Interface: Remove compute and memory allocation from InstallCodeArgs (#5190)
  • 831f9bce4 Owners(IDX): Extract artifact upload from build (#5274)

Refactoring:

  • 01a663320 Consensus,Interface: Move DkgPayloadBuidler error types into ic-types (#4960)
  • 2e5678e0e Interface,Node: Pass GuestOS config as a rust struct and consolidate test bootstrapping (#5294)
  • a87bc0bc0 Interface,Node: Add new generate-guestos-vm-config feature to ic-os config tool which replaces generate-guestos-config.sh (#5264)
  • 93bd45938 Interface,Node: Replace usages of the build-bootstrap-config-image.sh script with a new Rust-based implementation for generating bootstrap configuration images (#5248)
  • 697e96bfc Node: Remove build-bootstrap-config-image.sh script which has been migrated to config::guest_vm_config (#5349)

Tests:


Full list of changes (including the ones that are not relevant to HostOS) can be found on GitHub.

IC-OS Verification

To build and verify the IC-OS HostOS disk image, after installing curl if necessary (sudo apt install curl), run:

# From https://github.com/dfinity/ic#verifying-releases
curl -fsSL https://raw.githubusercontent.com/dfinity/ic/master/ci/tools/repro-check | python3 - -c ed3650da85f390130dedf55806da9337d796b799 --hostos

The two SHA256 sums printed above from a) the downloaded CDN image and b) the locally built image, must be identical, and must match the SHA256 from the payload of the NNS proposal.

While not required for this NNS proposal, as we are only electing a new HostOS version here, you have the option to verify the build reproducibility of the GuestOS by passing --guestos to the script above instead of --hostos, or the SetupOS by passing --setupos.

Proposal 136789 & 136790 - Hamish | CodeGov

Vote: Adopt
Reason: I have successfully run the build script and in my opinion all the commits listed look fine and match their descriptions.

Features:

  • 241fe2bb8 Consensus,Interface(orchestrator): Include latest CUP time in orchestrator’s dashboard (#5328)
    Review: Looks fine + matches description
    Notes: Adds the CUP timestamp to the orchestrator dashboard. The CUP timestamp is needed in order for a recovery CUP to be submitted, so exposing the timestamp on the dashboard makes this process easier.

  • 398efca66 Execution,Interface: Implement snapshot data upload (#4837)
    Review: Looks fine + matches description
    Notes: Implements Ic00Method::UploadCanisterSnapshotMetadata and Ic00Method::UploadCanisterSnapshotData which between them give the ability to upload a local canister snapshot to the IC in chunks.

  • ea88bf355 Execution,Interface: system API ic0.root_key_{size, copy} (#4470)
    Review: Looks fine + matches description
    Notes: Implements ic0::root_key_size and ic0::root_key_copy which between them give canisters the ability to fetch the IC root key (only when in a replicated context).

  • a8289b351 Interface,Message Routing: Canister renaming in the state manager (#5273)
    Review: Looks fine + matches description
    Notes: This commit implements move_canister_directory which copies a canister’s data from being stored under one Id to another. This is currently unused and forms part of the larger feature to migrate canisters to new Ids.

  • 4a7a911a8 Interface,Message Routing: Shuffle streams in XNet payload builder (#5300)
    Review: Looks fine + matches description
    Notes: When building XNet payloads, the subnets are iterated until the byte limit is reached. Previously the subnets would simply be rotated from a random starting point, but this PR changes the sorting to be completely random, providing better fairness.

  • 06bdd95d1 Interface,Node(node): Add a new option in config.ini to enable Trusted Execution Environment (#5333)
    Review: Looks fine + matches description
    Notes: Adds the enable_trusted_execution_environment flag to the node config settings. When this flag is enabled the check-hardware.sh script will verify that the node is a Gen2 node.

  • 18af55a8f Node: guestos-recovery-upgrader service (#4993)
    Review: Looks fine + matches description
    Notes: Introduces the guestos-recovery-upgrader service which can be used to trigger a GuestOS upgrade to a specified image version.

Bugfixes:

  • d12013bb2 Execution,Interface: do not include See documentation without doc link (#5285)
    Review: Looks fine + matches description
    Notes: Updates the Display implementation for ErrorHelp to only say See documentation: if a doc link has been provided.

  • 790a466b0 Execution,Interface: use saturating arithmetics for validating module chunk upload (#5287)
    Review: Looks fine + matches description
    Notes: Simply switches an addition to use saturating_add(..) for safety.

  • b9c23dd08 Interface,Node: Fix hostname validation and remove guest- prefix in bootstrap.rs (#5330)
    Review: Looks fine + matches description
    Notes: Fixes BootstrapOptions::validate_hostname by restricting the inputs to 63 characters and allowing digits as the first character.

Chores:

  • 17c6b29e6 Consensus,Interface(networking): add canister_http_payload_size histogram metric (#5192)
    Review: Looks fine + matches description
    Notes: Adds canister_http_payload_bytes_delivered to the HTTP outcalls metrics to track the sizes of canister HTTP payloads.

  • 7b4e27b3a Consensus,Interface: bump ic-agent to v0.40.1 (#5162)
    Review: Looks fine + matches description
    Notes: Bumps ic-agent from 0.39.2 to 0.40.1 plus bumps a few other dependencies, then makes minor adjustments to work with these new versions.

  • 7e2c79b15 Execution,Interface: Remove compute and memory allocation from InstallCodeArgs (#5190)
    Review: Looks fine + matches description
    Notes: Removes compute_allocation and memory_allocation from InstallCodeArgs. These fields were deprecated in last week’s release.

  • b8cc778f5 Interface: deprecate some redundant Haskell tests (#5314)
    Review: Looks fine + matches description
    Notes: Removes some tests which were written in Haskell; some of them already had Rust counterparts, and one was migrated to Rust.

  • def34c889 Interface: use ic-gateway in PocketIC (#5298)
    Review: Looks fine + matches description
    Notes: Bumps the ic-bn-lib and ic-gateway git dependencies to later commits, then updates PocketIC to use these new library versions, allowing lots of custom code to be removed.

  • 2cc5b2479 Interface(ICRC_Ledger): Use test_strategy instead of proptest macro for ICRC1 ledger suite tests (#5039)
    Review: Looks fine + matches description
    Notes: No change to any logic, simply switches some ledger tests from using the proptest! macro notation to instead using the #[test_strategy::proptest] attribute; this allows rustfmt to format all the code.

  • 0c1e945dc Interface,Message Routing: Remove defrag_canisters_map step (#5313)
    Review: Looks fine + matches description
    Notes: Removes the defrag_canisters_map step from checkpointing since it is functionally a no-op and now causes a performance degradation with the new asynchronous checkpointing in place.

  • 831f9bce4 Owners(IDX): Extract artifact upload from build (#5274)
    Review: Looks fine + matches description
    Notes: Extracts upload-artifacts into its own workflow step so that it isn’t required to run for each Bazel build

Refactoring:

  • b898b3ba0 Consensus,Interface(replay): Remove dependency to canister_client in ic-replay (#5240)
    Review: Looks fine + matches description
    Notes: Removes the unmaintained ic-canister-client dependency from ic-replay and switches over to using ic-agent.

  • 01a663320 Consensus,Interface: Move DkgPayloadBuidler error types into ic-types (#4960)
    Review: Looks fine + matches description
    Notes: Moves the various Dkg payload builder and payload validator error types to the ic-types package.

  • 2e5678e0e Interface,Node: Pass GuestOS config as a rust struct and consolidate test bootstrapping (#5294)
    Review: Looks fine + matches description
    Notes: Updates BootstrapOptions::guestos_config to contain the GuestOS config as a normal Rust struct rather than being the path to the config file, and also updates the test driver to set up the bootstrap options in a consistent manner.

  • a87bc0bc0 Interface,Node: Add new generate-guestos-vm-config feature to ic-os config tool which replaces generate-guestos-config.sh (#5264)
    Review: Looks fine + matches description
    Notes: Implements generate_guest_vm_config in Rust within the config tool, then uses that in place of the old generate-guestos-config.sh script. This provides type safety and makes it easier to read/maintain.

  • 93bd45938 Interface,Node: Replace usages of the build-bootstrap-config-image.sh script with a new Rust-based implementation for generating bootstrap configuration images (#5248)
    Review: Looks fine + matches description
    Notes: Implements build_bootstrap_config_image in Rust within the config tool then uses it in place of the build-bootstrap-config-image.sh script. This provides type safety and makes it easier to read/maintain.

  • 6482c5b5c Interface,Node: Use Paths in metrics_tool instead of Strings (#5265)
    Review: Looks fine + matches description
    Notes: Updates a few variables within the metrics tool to be of type PathBuf rather than String, allowing a few type conversions to be removed.

  • 697e96bfc Node: Remove build-bootstrap-config-image.sh script which has been migrated to config::guest_vm_config (#5349)
    Review: Looks fine + matches description
    Notes: Removes the build-bootstrap-config-image.sh script and updates documentation to point to the new Rust implementation.

Tests:

  • 04c2565fa Interface,Node: Enable golden tests for #5264 (#5291)
    Review: Looks fine + matches description
    Notes: Enables the test_generate_vm_config_qemu and test_generate_vm_config_kvm tests.

About CodeGov

CodeGov has a team of developers who review and vote independently on the following proposal topics: IC-OS Version Election, Protocol Canister Management, Subnet Management, Node Admin, and Participant Management. The CodeGov NNS known neuron is configured to follow our reviewers on these technical topics. We also have a group of Followees who vote independently on the Governance and the SNS & Neuron’s Fund topics. We strive to be a credible and reliable Followee option that votes on every proposal and every proposal topic in the NNS. We also support decentralization of SNS projects such as WaterNeuron, KongSwap, and Alice with a known neuron and credible Followees.

Learn more about CodeGov and its mission at codegov.org.
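
The hostname fix reviewed above (b9c23dd08) is described as a 63-character limit with digits allowed as the first character, checked without a regex. The following is an added example, not code from the dfinity/ic repository: `check_hostname`, `HostnameError` and the exact character set (ASCII letters, digits and `-`, no hyphen at either end) are assumptions made for illustration, and the sample inputs are constructed.

```rust
// Added illustration; not code from the dfinity/ic repository.
// Assumed rule set (the page only states the 63-character limit and that a
// leading digit is allowed): ASCII letters, digits and '-', no hyphen at
// either end, at least one character.

/// Upper bound on the hostname length, as described in the review notes.
pub const MAX_HOSTNAME_LEN: usize = 63;

#[derive(Debug, PartialEq, Eq)]
pub enum HostnameError {
    Empty,
    TooLong { len: usize },
    InvalidChar { index: usize, ch: char },
    EdgeHyphen,
}

/// Validates a single hostname with explicit checks instead of a regex.
pub fn check_hostname(name: &str) -> Result<(), HostnameError> {
    if name.is_empty() {
        return Err(HostnameError::Empty);
    }
    // `len()` counts bytes; for input that passes the ASCII allow-list below
    // this is the same as the number of characters.
    if name.len() > MAX_HOSTNAME_LEN {
        return Err(HostnameError::TooLong { len: name.len() });
    }
    // Allow-list: anything outside [A-Za-z0-9-] is rejected, which also
    // excludes whitespace, newlines, dots and underscores.
    if let Some((index, ch)) = name
        .char_indices()
        .find(|(_, c)| !(c.is_ascii_alphanumeric() || *c == '-'))
    {
        return Err(HostnameError::InvalidChar { index, ch });
    }
    if name.starts_with('-') || name.ends_with('-') {
        return Err(HostnameError::EdgeHyphen);
    }
    Ok(())
}

/// Runs the check over constructed sample inputs and returns (input, verdict).
pub fn check_samples() -> Vec<(String, Result<(), HostnameError>)> {
    let samples = vec![
        "node-01".to_string(),
        "0a1b2c-host".to_string(), // leading digit: accepted
        "a".repeat(63),            // exactly at the limit: accepted
        "a".repeat(64),            // one over the limit: rejected
        "-leading".to_string(),
        "bad_name".to_string(),
        "host name".to_string(),
        String::new(),
    ];
    samples
        .into_iter()
        .map(|s| {
            let verdict = check_hostname(&s);
            (s, verdict)
        })
        .collect()
}

fn main() {
    for (name, verdict) in check_samples() {
        println!("{:?} -> {:?}", name, verdict);
    }
}
```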


Proposal 136789 - Ipsita | ZenithCode

Summary

  1. Vote: Adopt
  2. Hash: All the hashes match
  3. Reason to Adopt: The release notes match the commits and the code changes.

Commits

Features:

  • 241fe2bb8 Consensus,Interface(orchestrator): Include latest CUP time in orchestrator’s dashboard (#5328)
    Notes: This commit causes the get_local_cup_info function to include the CUP’s consensus times that are fetched from cup.content.block.get_value().context.time and encoded as a UNIX timestamp with the readable string.
    Review: Code changes look good and match release notes.

  • 398efca66 Execution,Interface: Implement snapshot data upload (#4837)
    Notes: Adds upload_canister_snapshot_metadata and upload_canister_snapshot_data endpoints to support creating and populating canister snapshots with binary data, using a feature flag and a safely gated ErrorCode enum variant.
    Review: Code changes look good and match release notes.

  • ea88bf355 Execution,Interface: system API ic0.root_key_{size, copy} (#4470)
    Notes: This commit introduces the ic0.root_key_size and ic0.root_key_copy system API calls to allow canisters to securely fetch the IC root public key during replicated execution.
    Review: Code changes look good and match release notes.

  • a8289b351 Interface,Message Routing: Canister renaming in the state manager (#5273)
    Notes: Adds a RenameCanister variant to UnflushedCheckpointOp and includes logic in TipHandler to move canister directories when flushing the state.
    Review: Code changes look good and match release notes.

  • 4a7a911a8 Interface,Message Routing: Shuffle streams in XNet payload builder (#5300)
    Notes: Replaces rotate_left with a true random_shuffle of stream positions using a new random_shuffle method to ensure fairer selection of streams during XNet payload building.
    Review: Code changes look good and match release notes.

  • 06bdd95d1 Interface,Node(node): Add a new option in config.ini to enable Trusted Execution Environment (#5333)
    Notes: Adds TEE support via enable_trusted_execution_environment config with checks, Rust parsing, and deployment script updates.
    Review: Code changes look good and match release notes.

Bugfixes:

  • d12013bb2 Execution,Interface: do not include See documentation without doc link (#5285)
    Notes: This commit updates ErrorHelp::UserError in errors.rs to check if the doc_link is non-empty before appending “See documentation” to the suggestion.
    Review: Code changes look good and match release notes.

  • 790a466b0 Execution,Interface: use saturating arithmetics for validating module chunk upload (#5287)
    Notes: This commit uses saturating_add instead of regular addition in ModuleStorage::write to safely compute the end offset to prevent integer overflow during module chunk upload validation.
    Review: Code changes look good and match release notes.

  • b9c23dd08 Interface,Node: Fix hostname validation and remove guest- prefix in bootstrap.rs (#5330)
    Notes: Enhances hostname validation by enforcing length and character rules without regex, removes the guest- prefix in bootstrap hostname assignment, and updates tests to reflect these changes.
    Review: Code changes look good and match release notes.

Chores:

  • 17c6b29e6 Consensus,Interface(networking): add canister_http_payload_size histogram metric (#5192)
    Notes: Adds a new histogram metric canister_http_payload_bytes_delivered in FinalizerMetrics to track HTTP payload sizes, updating BatchStats and CanisterHttpBatchStats to record payload byte counts.
    Review: Code changes look good and match release notes.

  • 7b4e27b3a Consensus,Interface: bump ic-agent to v0.40.1 (#5162)
    Notes: This commit updates the ic-agent dependency to version v0.40.1 to incorporate the latest fixes and features.
    Review: Code changes look good and match release notes.

  • 7e2c79b15 Execution,Interface: Remove compute and memory allocation from InstallCodeArgs (#5190)
    Notes: This commit removes the deprecated compute_allocation and memory_allocation fields from InstallCodeArgs and related code, updating displays and tests to reflect their removal.
    Review: Code changes look good and match release notes.

  • b8cc778f5 Interface: deprecate some redundant Haskell tests (#5314)
    Notes: Removes redundant Haskell tests for canister creation with specified_id and cycle minting, as these are now covered by Rust tests.
    Review: Code changes look good and match release notes.

  • def34c889 Interface: use ic-gateway in PocketIC (#5298)
    Notes: The commit replaces the custom ic-http-gateway wrapper with the ic-gateway in PocketIC and updates dependencies by bumping ic-gateway and ic-bn-lib to their latest master versions.
    Review: Code changes look good and match release notes.

  • 2cc5b2479 Interface(ICRC_Ledger): Use test_strategy instead of proptest macro for ICRC1 ledger suite tests (#5039)
    Notes: Replaces the proptest! macro with test_strategy annotations in the ICRC1 ledger tests to enable rustfmt formatting, and adds the test-strategy crate (v0.4.0) as a dependency across relevant build files.
    Review: Code changes look good and match release notes.

  • 0c1e945dc Interface,Message Routing: Remove defrag_canisters_map step (#5313)
    Notes: The commit removes the costly but functionally unnecessary defrag_canisters_map step from create_checkpoint_and_switch to improve checkpointing performance by eliminating up to 40% overhead.
    Review: Code changes look good and match release notes.

  • 831f9bce4 Owners(IDX): Extract artifact upload from build (#5274)
    Notes: This commit separates the artifact upload into its own step that runs after the build, making it easier to manage AWS credentials and keeping build and upload processes separate.
    Review: Code changes look good and match release notes.

Refactoring:

  • b898b3ba0 Consensus,Interface(replay): Remove dependency to canister_client in ic-replay (#5240)
    Notes: This commit replaces the deprecated canister_client with ic-agent for ingress message handling in ic-replay, updating dependencies and removing unused canister_client references in related tests.
    Review: Code changes look good and match release notes.

  • 01a663320 Consensus,Interface: Move DkgPayloadBuidler error types into ic-types (#4960)
    Notes: This commit moves and renames DkgPayloadBuilder error types from ic-consensus-dkg to ic-types with a Dkg prefix, enabling their use in ic-interfaces to support defining the DkgPayloadBuilder trait.
    Review: Code changes look good and match release notes.

  • 2e5678e0e Interface,Node: Pass GuestOS config as a rust struct and consolidate test bootstrapping (#5294)
    Notes: Refactors GuestOS config handling by passing it as a Rust struct instead of JSON, consolidating test bootstrapping to consistently set BootstrapOptions and GenerateTestnetConfigArgs fields, and removing deprecated file-path usage.
    Review: Code changes look good and match release notes.

  • a87bc0bc0 Interface,Node: Add new generate-guestos-vm-config feature to ic-os config tool which replaces generate-guestos-config.sh (#5264)
    Notes: Replaces shell scripts with a faster, type-safe Rust tool using Jinja-like templates to generate guest OS VM configs, adding tests and eliminating temporary config files by managing configs directly as Rust structs.
    Review: Code changes look good and match release notes.

  • 93bd45938 Interface,Node: Replace usages of the build-bootstrap-config-image.sh script with a new Rust-based implementation for generating bootstrap configuration images (#5248)
    Notes: This commit replaces the build-bootstrap-config-image.sh shell script with a new Rust module guestos_bootstrap_image that generates bootstrap config images with type safety and test coverage.
    Review: Code changes look good and match release notes.

  • 6482c5b5c Interface,Node: Use Paths in metrics_tool instead of Strings (#5265)
    Notes: Refactors metrics_tool to use PathBuf instead of String for file paths to enhance type safety and Rust usage.
    Review: Code changes look good and match release notes.

  • 697e96bfc Node: Remove build-bootstrap-config-image.sh script which has been migrated to config::guest_vm_config (#5349)
    Notes: This commit removes the build-bootstrap-config-image.sh script, which has been migrated to the config::guest_vm_config Rust module.
    Review: Code changes look good and match release notes.

Tests:

  • 04c2565fa Interface,Node: Enable golden tests for #5264 (#5291)
    Notes: This commit adds two new XML golden files for KVM and QEMU VM configurations to enable consistent golden tests for issue #5264
    Review: Code changes look good and match release notes.
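
The saturating-arithmetic fix reviewed above (790a466b0) concerns the end offset computed when validating a chunk write. The following is an added example, not code from the dfinity/ic repository: `ChunkStore`, `WriteError` and the method names are hypothetical, and the inputs are constructed. It shows why a bounds check built on a wrapping sum accepts an offset near `usize::MAX`, while the saturating sum rejects it.

```rust
// Added illustration; not code from the dfinity/ic repository.
// `ChunkStore`, `WriteError` and all method names are hypothetical.

#[derive(Debug, PartialEq, Eq)]
pub enum WriteError {
    OutOfBounds { offset: usize, len: usize, capacity: usize },
}

/// Fixed-size buffer that receives a module in caller-positioned chunks.
pub struct ChunkStore {
    bytes: Vec<u8>,
}

impl ChunkStore {
    pub fn new(capacity: usize) -> Self {
        Self { bytes: vec![0; capacity] }
    }

    /// The bounds check as it behaves when `offset + len` wraps around.
    /// Plain `+` on integers panics in builds with overflow checks enabled
    /// and wraps otherwise; `wrapping_add` models the wrapping case explicitly.
    pub fn wrapping_check_accepts(&self, offset: usize, len: usize) -> bool {
        offset.wrapping_add(len) <= self.bytes.len()
    }

    /// The same check with a saturating sum: an overflowing end offset is
    /// clamped to `usize::MAX`, which can never be within the buffer here.
    pub fn saturating_check_accepts(&self, offset: usize, len: usize) -> bool {
        offset.saturating_add(len) <= self.bytes.len()
    }

    /// Writes `chunk` at `offset` after validating the end offset.
    pub fn write(&mut self, offset: usize, chunk: &[u8]) -> Result<(), WriteError> {
        let end = offset.saturating_add(chunk.len());
        if end > self.bytes.len() {
            return Err(WriteError::OutOfBounds {
                offset,
                len: chunk.len(),
                capacity: self.bytes.len(),
            });
        }
        // Safe to slice: offset <= end <= capacity was established above.
        self.bytes[offset..end].copy_from_slice(chunk);
        Ok(())
    }

    pub fn as_slice(&self) -> &[u8] {
        &self.bytes
    }
}

fn main() {
    let mut store = ChunkStore::new(8);
    let chunk = [1u8, 2, 3, 4];
    let huge = usize::MAX - 1; // constructed offset whose end offset overflows

    println!("in-range write: {:?}", store.write(4, &chunk));
    println!("wrapping check accepts huge offset: {}",
             store.wrapping_check_accepts(huge, chunk.len()));
    println!("saturating check accepts huge offset: {}",
             store.saturating_check_accepts(huge, chunk.len()));
    println!("write at huge offset: {:?}", store.write(huge, &chunk));
}
```

With the wrapping check, the huge offset passes validation and the failure only surfaces later as a slice-index panic; with the saturating check it is returned as an ordinary error.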

Proposal 136790 - Ipsita | ZenithCode

Summary

  1. Vote: Adopt
  2. Hash: All the hashes match
  3. Reason to Adopt: The release notes match the commits and the code changes.

Commits

Features:

  • 398efca66 Execution,Interface: Implement snapshot data upload (#4837)
    Notes: Adds upload_canister_snapshot_metadata and upload_canister_snapshot_data endpoints to support creating and populating canister snapshots with binary data by using a feature flag and a safely gated ErrorCode enum variant.
    Review: Code changes look good and match release notes.

  • 06bdd95d1 Interface,Node(node): Add a new option in config.ini to enable Trusted Execution Environment (#5333)
    Notes: Adds TEE support via enable_trusted_execution_environment config with checks, Rust parsing, and deployment script updates.
    Review: Code changes look good and match release notes.

  • 18af55a8f Node: guestos-recovery-upgrader service (#4993)
    Notes: This commit adds the guestos-recovery-upgrader from the GRUB boot menu (15s timeout) to upgrade GuestOS during NNS recovery by downloading and installing the specified version via boot parameters (recovery=1 version=ABC hash=XYZ).
    Review: Code changes look good and match release notes.

Bugfixes:

  • b9c23dd08 Interface,Node: Fix hostname validation and remove guest- prefix in bootstrap.rs (#5330)
    Notes: Enhances hostname validation by enforcing length and character rules without regex, removes the guest- prefix in bootstrap hostname assignment, and updates tests to reflect these changes.
    Review: Code changes look good and match release notes.

Chores:

  • 7b4e27b3a Consensus,Interface: bump ic-agent to v0.40.1 (#5162)
    Notes: This commit bumps the ic-agent dependency to v0.40.1 to bring in the latest bug fixes and new features.
    Review: Code changes look good and match release notes.

  • 7e2c79b15 Execution,Interface: Remove compute and memory allocation from InstallCodeArgs (#5190)
    Notes: This commit removes the outdated compute_allocation and memory_allocation fields from InstallCodeArgs and associated code, and updates display and tests to demonstrate removal.
    Review: Code changes look good and match release notes.

  • 831f9bce4 Owners(IDX): Extract artifact upload from build (#5274)
    Notes: This commit extracts the artifact upload step, so that it executes after the build step which makes it easier to manage AWS credentials, and keeps the build process separate from the uploading of the artifact.
    Review: Code changes look good and match release notes.

Refactoring:

  • 01a663320 Consensus,Interface: Move DkgPayloadBuidler error types into ic-types (#4960)
    Notes: This commit moves and renames DkgPayloadBuilder error types from ic-consensus-dkg to ic-types with a Dkg prefix, enabling their use in ic-interfaces to support defining the DkgPayloadBuilder trait.
    Review: Code changes look good and match release notes.

  • 2e5678e0e Interface,Node: Pass GuestOS config as a rust struct and consolidate test bootstrapping (#5294)
    Notes: Refactors GuestOS config handling by passing it as a Rust struct instead of JSON, consolidating test bootstrapping to consistently set BootstrapOptions and GenerateTestnetConfigArgs fields, and removing deprecated file-path usage.
    Review: Code changes look good and match release notes.

  • a87bc0bc0 Interface,Node: Add new generate-guestos-vm-config feature to ic-os config tool which replaces generate-guestos-config.sh (#5264)
    Notes: Replaces shell scripts with a faster, type-safe Rust tool using Jinja-like templates to generate guest OS VM configs, adding tests and eliminating temporary config files by managing configs directly as Rust structs.
    Review: Code changes look good and match release notes.

  • 93bd45938 Interface,Node: Replace usages of the build-bootstrap-config-image.sh script with a new Rust-based implementation for generating bootstrap configuration images (#5248)
    Notes: This commit replaces the build-bootstrap-config-image.sh shell script with a new Rust module guestos_bootstrap_image that generates bootstrap config images with type safety and test coverage.
    Review: Code changes look good and match release notes.

  • 697e96bfc Node: Remove build-bootstrap-config-image.sh script which has been migrated to config::guest_vm_config (#5349)
    Notes: This commit removes the build-bootstrap-config-image.sh script, which has been migrated to the config::guest_vm_config Rust module.
    Review: Code changes look good and match release notes.

Tests:

  • 04c2565fa Interface,Node: Enable golden tests for #5264 (#5291)
    Notes: This commit adds two new XML golden files for KVM and QEMU VM configurations to enable consistent golden tests for issue #5264
    Review: Code changes look good and match release notes.

Proposal: 136789 - Manvick | ZenithCode

Summary:

  1. Build Hash: The build hash matches
  2. Summary: The release notes match the code changes
  3. Vote: Adopt

Commits

Features:

  • 241fe2bb8 Consensus,Interface(orchestrator): Include latest CUP time in orchestrator’s dashboard (#5328)
    Review: Matches description + changes are appropriate
    Notes: This commit adds consensus time metadata to the orchestrator dashboard, improving visibility into CUPs for stalled subnet recoveries by including CUP timestamp alongside existing height and hash information.

  • 398efca66 Execution,Interface: Implement snapshot data upload (#4837)
    Review: Matches description + changes are appropriate
    Notes: This commit enhances the orchestrator dashboard by displaying the consensus timestamp of the latest CUP, aiding recovery workflows by making critical CUP metadata like height, signature, hash, and time readily accessible.

  • ea88bf355 Execution,Interface: system API ic0.root_key_{size, copy} (#4470)
    Review: Matches description + changes are appropriate
    Notes: This commit introduces two new system API calls ic0.root_key_size and ic0.root_key_copy—allowing canisters to securely retrieve the IC root public key only during replicated execution contexts.

  • a8289b351 Interface,Message Routing: Canister renaming in the state manager (#5273)
    Review: Matches description + changes are appropriate
    Notes: This commit adds support for renaming canisters within the state manager by introducing filesystem-level directory moves and tracking via unflushed checkpoint operations, laying groundwork for upcoming canister migration functionality.

  • 4a7a911a8 Interface,Message Routing: Shuffle streams in XNet payload builder (#5300)
    Review: Matches description + changes are appropriate
    Notes: This commit replaces deterministic rotation with random shuffling of streams in the XNet payload builder to enhance fairness in stream selection under byte limits.

  • 06bdd95d1 Interface,Node(node): Add a new option in config.ini to enable Trusted Execution Environment (#5333)
    Review: Matches description + changes are appropriate
    Notes: This commit introduces a configuration option to enable Trusted Execution Environment (TEE), enforces Gen2 hardware validation, and integrates support across deployment scripts, config parsing, and testnet generation logic.

Bugfixes:

  • d12013bb2 Execution,Interface: do not include See documentation without doc link (#5285)
    Review: Matches description + changes are appropriate
    Notes: This commit corrects user error messages by omitting the “See documentation” text when no documentation link is provided, ensuring clearer and more professional output.

  • 790a466b0 Execution,Interface: use saturating arithmetics for validating module chunk upload (#5287)
    Review: Matches description + changes are appropriate
    Notes: This commit applies saturating addition when calculating buffer end offset during module chunk uploads, preventing potential overflows and improving robustness in boundary validation logic.

  • b9c23dd08 Interface,Node: Fix hostname validation and remove guest- prefix in bootstrap.rs (#5330)
    Review: Matches description + changes are appropriate
    Notes: This commit fixes hostname validation by correctly allowing digit-starting hostnames, enforcing a 63-byte limit, and removes the unnecessary guest- prefix in bootstrap configuration.

Chores:

  • 17c6b29e6 Consensus,Interface(networking): add canister_http_payload_size histogram metric (#5192)
    Review: Matches description + changes are appropriate
    Notes: This commit introduces a canister_http_payload_size histogram metric to improve observability of HTTP payload sizes in executed blocks, enabling more detailed performance analysis and system tuning.

  • 7b4e27b3a Consensus,Interface: bump ic-agent to v0.40.1 (#5162)
    Review: Matches description + changes are appropriate
    Notes: This commit updates the ic-agent dependency to version 0.40.1, alongside related dependency bumps and lockfile adjustments, ensuring compatibility and incorporating upstream improvements from the latest agent release.

  • 7e2c79b15 Execution,Interface: Remove compute and memory allocation from InstallCodeArgs (#5190)
    Review: Matches description + changes are appropriate
    Notes: This commit removes the deprecated compute_allocation and memory_allocation fields from InstallCodeArgs and related structures. The change cleans up unused optional fields across code, tests, and documentation, simplifying canister installation logic.

  • b8cc778f5 Interface: deprecate some redundant Haskell tests (#5314)
    Review: Matches description + changes are appropriate
    Notes: This commit deprecates redundant Haskell tests related to canister creation and cycle minting, removing overlaps with Rust tests to simplify refactoring and reduce test maintenance burden across multiple test files.

  • def34c889 Interface: use ic-gateway in PocketIC (#5298)
    Review: Matches description + changes are appropriate
    Notes: This commit switches PocketIC to use ic-gateway, removes the custom wrapper, updates dependencies, and deletes redundant code to streamline HTTP gateway integration.

  • 2cc5b2479 Interface(ICRC_Ledger): Use test_strategy instead of proptest macro for ICRC1 ledger suite tests (#5039)
    Review: Matches description + changes are appropriate
    Notes: This commit replaces the use of the proptest! macro with #[test_strategy::proptest] annotations in ICRC-1 ledger suite tests, enabling rustfmt compatibility.

  • 0c1e945dc Interface,Message Routing: Remove defrag_canisters_map step (#5313)
    Review: Matches description + changes are appropriate
    Notes: This commit removes the defrag_canisters_map step from the checkpointing process, as it no longer provides performance benefits and adds unnecessary overhead.

  • 831f9bce4 Owners(IDX): Extract artifact upload from build (#5274)
    Review: Matches description + changes are appropriate
    Notes: This commit extracts artifact upload logic from the Bazel build process into a separate executable rule, allowing it to be triggered via bazel run. This separation of build and release responsibilities removes the need to configure AWS credentials during the build phase and improves CI flexibility and security.

Refactoring:

  • b898b3ba0 Consensus,Interface(replay): Remove dependency to canister_client in ic-replay (#5240)
    Review: Matches description + changes are appropriate
    Notes: This commit removes the deprecated canister_client crate from ic-replay and replaces it with ic-agent, simplifying dependencies and improving maintainability.

  • 01a663320 Consensus,Interface: Move DkgPayloadBuidler error types into ic-types (#4960)
    Review: Matches description + changes are appropriate
    Notes: This commit relocates DKG error types to ic-types, enabling cross-crate access for trait definitions and improving modularity and clarity with renamed types.

  • 2e5678e0e Interface,Node: Pass GuestOS config as a rust struct and consolidate test bootstrapping (#5294)
    Review: Matches description + changes are appropriate
    Notes: This commit refactors GuestOS configuration handling by replacing JSON file passing with Rust struct usage and consolidating test bootstrap logic for consistency and clarity.

  • a87bc0bc0 Interface,Node: Add new generate-guestos-vm-config feature to ic-os config tool which replaces generate-guestos-config.sh (#5264)
    Review: Matches description + changes are appropriate
    Notes: This commit replaces shell scripts with a Rust-based GuestOS config generator using templates, improving performance, maintainability, testability, and enabling feature-based behavior customization.

  • 93bd45938 Interface,Node: Replace usages of the build-bootstrap-config-image.sh script with a new Rust-based implementation for generating bootstrap configuration images (#5248)
    Review: Matches description + changes are appropriate
    Notes: This commit replaces a shell script with a Rust-based bootstrap config image builder, improving safety, testability, modularity, and enabling feature-flag-driven test customization.

  • 6482c5b5c Interface,Node: Use Paths in metrics_tool instead of Strings (#5265)
    Review: Matches description + changes are appropriate
    Notes: This commit replaces String with PathBuf in metrics_tool, improving type safety, path handling robustness, and aligning with idiomatic Rust filesystem APIs.

  • 697e96bfc Node: Remove build-bootstrap-config-image.sh script which has been migrated to config::guest_vm_config (#5349)
    Review: Matches description + changes are appropriate
    Notes: This commit removes the obsolete build-bootstrap-config-image.sh script, completing its migration to Rust via config::guestos_bootstrap_image, simplifying config image generation.

Tests:

  • 04c2565fa Interface,Node: Enable golden tests for #5264 (#5291)
    Review: Matches description + changes are appropriate
    Notes: This commit enables golden tests for VM XML generation by checking in expected outputs for KVM and QEMU, improving regression safety and configuration verification.

Proposal: 136790 - Manvick | ZenithCode

Summary:

  1. Build Hash: The build hash matches
  2. Summary: The release notes match the code changes
  3. Vote: Adopt

Commits

Features:

  • 398efca66 Execution,Interface: Implement snapshot data upload (#4837)
    Review: Matches description + changes are appropriate
    Notes: This commit enhances the orchestrator dashboard by displaying the consensus timestamp of the latest CUP, aiding recovery workflows by making critical CUP metadata like height, signature, hash, and time readily accessible.

  • 06bdd95d1 Interface,Node(node): Add a new option in config.ini to enable Trusted Execution Environment (#5333)
    Review: Matches description + changes are appropriate
    Notes: This commit introduces a configuration option to enable Trusted Execution Environment (TEE), enforces Gen2 hardware validation, and integrates support across deployment scripts, config parsing, and testnet generation logic.

  • 18af55a8f Node: guestos-recovery-upgrader service (#4993)
    Review: Matches description + changes are appropriate
    Notes: This commit introduces the guestos-recovery-upgrader service, enabling manual GuestOS upgrades via GRUB parameters during NNS recovery scenarios, with support scripts, GRUB boot integration, and service lifecycle management.

Bugfixes:

  • b9c23dd08 Interface,Node: Fix hostname validation and remove guest- prefix in bootstrap.rs (#5330)
    Review: Matches description + changes are appropriate
    Notes: This commit fixes hostname validation by correctly allowing digit-starting hostnames, enforcing a 63-byte limit, and removes the unnecessary guest- prefix in bootstrap configuration.

Chores:

  • 7b4e27b3a Consensus,Interface: bump ic-agent to v0.40.1 (#5162)
    Review: Matches description + changes are appropriate
    Notes: This commit updates the ic-agent dependency to version 0.40.1, alongside related dependency bumps and lockfile adjustments, ensuring compatibility and incorporating upstream improvements from the latest agent release.

  • 7e2c79b15 Execution,Interface: Remove compute and memory allocation from InstallCodeArgs (#5190)
    Review: Matches description + changes are appropriate
    Notes: This commit removes the deprecated compute_allocation and memory_allocation fields from InstallCodeArgs and related structures. The change cleans up unused optional fields across code, tests, and documentation, simplifying canister installation logic.

  • 831f9bce4 Owners(IDX): Extract artifact upload from build (#5274)
    Review: Matches description + changes are appropriate
    Notes: This commit extracts artifact upload logic from the Bazel build process into a separate executable rule, allowing it to be triggered via bazel run. This separation of build and release responsibilities removes the need to configure AWS credentials during the build phase and improves CI flexibility and security.

Refactoring:

  • 01a663320 Consensus,Interface: Move DkgPayloadBuidler error types into ic-types (#4960)
    Review: Matches description + changes are appropriate
    Notes: This commit relocates DKG error types to ic-types, enabling cross-crate access for trait definitions and improving modularity and clarity with renamed types.

  • 2e5678e0e Interface,Node: Pass GuestOS config as a rust struct and consolidate test bootstrapping (#5294)
    Review: Matches description + changes are appropriate
    Notes: This commit refactors GuestOS configuration handling by replacing JSON file passing with Rust struct usage and consolidating test bootstrap logic for consistency and clarity.

  • a87bc0bc0 Interface,Node: Add new generate-guestos-vm-config feature to ic-os config tool which replaces generate-guestos-config.sh (#5264)
    Review: Matches description + changes are appropriate
    Notes: This commit replaces shell scripts with a Rust-based GuestOS config generator using templates, improving performance, maintainability, testability, and enabling feature-based behavior customization.

  • 93bd45938 Interface,Node: Replace usages of the build-bootstrap-config-image.sh script with a new Rust-based implementation for generating bootstrap configuration images (#5248)
    Review: Matches description + changes are appropriate
    Notes: This commit replaces a shell script with a Rust-based bootstrap config image builder, improving safety, testability, modularity, and enabling feature-flag-driven test customization.

  • 697e96bfc Node: Remove build-bootstrap-config-image.sh script which has been migrated to config::guest_vm_config (#5349)
    Review: Matches description + changes are appropriate
    Notes: This commit removes the obsolete build-bootstrap-config-image.sh script, completing its migration to Rust via config::guestos_bootstrap_image, simplifying config image generation.

Tests:

  • 04c2565fa Interface,Node: Enable golden tests for #5264 (#5291)
    Review: Matches description + changes are appropriate
    Notes: This commit enables golden tests for VM XML generation by checking in expected outputs for KVM and QEMU, improving regression safety and configuration verification.

Proposal 136789 & 136790 | Yuvika - Zenith Code

Summary

  1. Vote: Adopt
  2. Hash: Hashes match
  3. Reasons to adopt: Builds fine + hashes match + release notes match the commits.

Commits

Features:

  • 241fe2bb8
    Summary: Include latest CUP time in orchestrator’s dashboard.
    Notes: Add a recovery CUP timestamp to the dashboard for subnets that are stalled at CUP height. Height, State Hash and Time of the recovery CUP to be submitted are needed.
    Review: The description matches the code changes.
  • 398efca66
    Summary: Implement snapshot data upload.
    Notes: Implement management canister endpoints upload_canister_snapshot_metadata and upload_canister_snapshot_data. The methods can be used for loading canister snapshots with the feature flag enabled. The ErrorCode enum was also added.
    Review: The description matches the code changes.
  • ea88bf355
    Summary: system API ic0.root_key_{size, copy}.
    Notes: Implement new system API’s ic0.root_key_size and ic0.root_key_copy for fetching the public key of the IC root key.
    Review: The description matches the code changes.
  • a8289b351
    Summary: Canister renaming in the state manager.
    Notes: Add move_canister_directory to copy data. This is part of the canister migration feature and will be enabled as part of a future PR.
    Review: The description matches the code changes.
  • 4a7a911a8
    Summary: Shuffle streams in XNet payload builder.
    Notes: Random shuffle stream positions by replacing rotate_left with random_shuffle, so all slices have equal chances to be picked if byte_limit is exceeded to provide better fairness during XNet payload building.
    Review: The description matches the code changes.
  • 06bdd95d1
    Summary: Add a new option in config.ini to enable Trusted Execution Environment.
    Notes: Gen2 HW verification, add support for new config in baremetal deploy script and testnet configs, and introduce a config option to enable Trusted Execution Environment (TEE).
    Review: The description matches the code changes.
  • 18af55a8f
    Summary: guestos-recovery-upgrader service.
    Notes: Add guestos-recovery-upgrader service, which can be used during an NNS recovery. It can perform a manual Guest OS upgrade for the specified Guest OS version.
    Review: The description matches the code changes.

Bugfixes:

  • d12013bb2
    Summary: do not include See documentation without doc link.
    Notes: Fix ErrorHelp::UserError to ensure all See documentation errors contain links to the necessary documentation.
    Review: The description matches the code changes.
  • 790a466b0
    Summary: use saturating arithmetics for validating module chunk upload.
    Notes: Replace + with saturating_add() for caution to validate module chunk upload.
    Review: The description matches the code changes.
  • b9c23dd08
    Summary: Fix hostname validation and remove guest- prefix in bootstrap.rs.
    Notes: Fix hostname validation by updating the verification logic to allow digits as first characters since the standard allows it, and the hostname should be less than 63 bytes. Also removes the guest- prefix in bootstrap.rs.
    Review: The description matches the code changes.

Chores:

  • 17c6b29e6
    Summary: add canister_http_payload_size histogram metric.
    Notes: Add canister_http_payload_size, a histogram metric that will monitor the HTTP payload values.
    Review: The description matches the code changes.
  • 7b4e27b3a
    Summary: bump ic-agent to v0.40.1.
    Notes: Upgrade ic-agent to 0.40.1 from 0.39.2 along with some other dependencies and small changes to ensure compatibility with this new version.
    Review: The description matches the code changes.
  • 7e2c79b15
    Summary: Remove compute and memory allocation from InstallCodeArgs.
    Notes: Remove the deprecated compute_allocation and memory_allocation fields from InstallCodeArgs (and InstallCodeArgsV2). They are being removed since the fields are not used according to internal metrics and are optional.
    Review: The description matches the code changes.
  • b8cc778f5
    Summary: deprecate some redundant Haskell tests.
    Notes: Deprecate some Haskell tests since they were ported to Rust.
    Review: The description matches the code changes.
  • def34c889
    Summary: use ic-gateway in PocketIC.
    Notes: Use ic-gateway in PocketIC instead of a custom wrapper around ic-http-gateway and upgrade ic-gateway and ic-bn-lib versions.
    Review: The description matches the code changes.
  • 2cc5b2479
    Summary: Use test_strategy instead of proptest macro for ICRC1 ledger suite tests.
    Notes: Replace proptest! macro with #[test_strategy::proptest] annotations in the ICRC1 ledger suite tests. This change enables rustfmt to format the code.
    Review: The description matches the code changes.
  • 0c1e945dc
    Summary: Remove defrag_canisters_map step.
    Notes: Remove defrag_canisters_map step without replacement since it is functionally a no-op and causes performance degradation with asynchronous checkpointing.
    Review: The description matches the code changes.
  • 831f9bce4
    Summary: Extract artifact upload from build.
    Notes: Move upload_artifact into a separate executable rule which can be run after the Bazel build. The AWS credentials don’t have to be set in the build due to the uncoupling of the build & release steps.
    Review: The description matches the code changes.

Refactoring:

  • b898b3ba0
    Summary: Remove dependency to canister_client in ic-replay.
    Notes: Replace unmaintained packages in ic-replay such as canister_client with ic-agent.
    Review: The description matches the code changes.
  • 01a663320
    Summary: Move DkgPayloadBuidler error types into ic-types.
    Notes: Rename some of the types by prefixing them with Dkg to avoid confusion. Additionally, move the error types from ic-consensus-dkg crate into the ic-types crate.
    Review: The description matches the code changes.
  • 2e5678e0e
    Summary: Pass GuestOS config as a rust struct and consolidate test bootstrapping.
    Notes: Update GuestOS config as a Rust struct instead of a JSON string in BootstrapOptions::guestos_config and consolidate logic in bootstrap.rs.
    Review: The description matches the code changes.
  • a87bc0bc0
    Summary: Add new generate-guestos-vm-config feature to ic-os config tool which replaces generate-guestos-config.sh.
    Notes: Add a typesafe implementation generate_guest_vm_config of generate-guestos-config.sh and dev-generate-guestos-config.sh in Rust for better maintainability and performance. Tests were also added for the same. Replace the old generate-guestos-config.sh with generate-guestos-vm-config.
    Review: The description matches the code changes.
  • 93bd45938
    Summary: Replace usages of the build-bootstrap-config-image.sh script with a new Rust-based implementation for generating bootstrap configuration images.
    Notes: Replace build-bootstrap-config-image.sh with guestos_bootstrap_image.rs for a typesafe implementation in Rust. This improves testability and security.
    Review: The description matches the code changes.
  • 6482c5b5c
    Summary: Use Paths in metrics_tool instead of Strings.
    Notes: Update the type of a few variables from String to PathBuf and remove the associated explicit type conversions.
    Review: The description matches the code changes.
  • 697e96bfc
    Summary: Remove build-bootstrap-config-image.sh script which has been migrated to config::guest_vm_config.
    Notes: Remove the build-bootstrap-config-image.sh script as it has been migrated to Rust via config::guestos_bootstrap_image.
    Review: The description matches the code changes.

Tests:

  • 04c2565fa
    Summary: Enable golden tests for #5264.
    Notes: Enable golden tests to compare expected outputs for testing as they were not submitted as part of #5264 since the golden files messed up the git history.
    Review: The description matches the code changes.

proposals - [136789, 136790] Cyberowl | CodeGov

Proposals:

136789
136790

Vote: [ADOPT, ADOPT]

Reason & Feedback:

I successfully built and verified the hash for Guest and HostOS. All the commit descriptions match their code changes.

Checks:

Hash Match: [PASS, PASS]
2 Urls: [PASS, PASS]
Proposer Check: [PASS, PASS]

Overall Summary:

Removed duplicates from proposal/136790.
The create_snapshot_from_metadata endpoint initializes a new zeroed snapshot (heap, stable memory, and Wasm module) based on validated metadata (UploadCanisterSnapshotMetadataArgs and ValidatedSnapshotMetadata), reserves and charges for its full memory size upfront, returns a SnapshotId, and optionally replaces an existing snapshot. The write_snapshot_data endpoint then streams binary chunks (UploadCanisterSnapshotDataArgs and CanisterSnapshotDataOffset) into the reserved spaces or the Wasm chunk store, charging cycles/instructions as each chunk is written. In addition, subnet ordering has been improved by replacing the previous “pick‐a‐first‐subnet + rotate” logic with a true Fisher–Yates shuffle (via random_shuffle). Finally, all legacy shell‐based GuestOS configuration scripts have been removed and replaced by a new Rust‐based ic_os/config tool—complete with its own guestos.xml.template under rs/ic_os/config/templates, accompanying tests, and metrics support.

Commits Summary

proposal/136789

241fe2bb8
Updates get_local_cup_info to include the CUP’s timestamp (in nanoseconds and human-readable form) in the dashboard output alongside the existing height, signed status, and state hash.

398efca66
Adds creating snapshots from uploaded metadata and writing snapshot data in chunks, introducing new types and arguments (e.g., UploadCanisterSnapshotMetadataArgs, UploadCanisterSnapshotDataArgs, ValidatedSnapshotMetadata, CanisterSnapshotDataOffset) to validate, reserve memory, and charge cycles/instructions appropriately. At the same time, existing snapshot read, delete, and load methods are refactored to use centralized helpers (get_snapshot/get_snapshot_mut) that enforce snapshot ownership checks and handle new snapshot “source” distinctions.

ea88bf355
ic0.root_key_size and ic0.root_key_copy allow canisters to query and copy the IC root key. It updates the Wasm linker, SystemApi trait, and sandbox‐safe system state to implement these calls. Adds end‐to‐end tests in both the embedders and execution environment to verify that canisters on NNS and non‐NNS subnets can read the root key.

a8289b351
UnflushedCheckpointOp::RenameCanister(old_id, new_id) so that whenever a canister’s ID changes in memory, the change is recorded and later replayed on disk. Adds a move_canister_directory method in state_layout::TipHandler (invoked from flush_unflushed_checkpoint_ops) which performs an actual std::fs::rename(src_path, dst_path) to atomically move the on‐disk directory from the old canister ID to the new one.

4a7a911a8
Previously, it picked a random “first” subnet and then did a rotate_left(first_subnet) on the Vec<(SubnetId, ExpectedIndices)>. In the new version, that has been replaced with a full Fisher–Yates–style shuffle via a new random_shuffle helper.

06bdd95d1
Adds enable_trusted_execution_environment across the OS setup and config toolchain and uses it to gate a hardware check for SEV-SNP support. In the shell script (check-hardware.sh), it sources the main config, then if trusted execution is enabled, verifies that the machine is Gen2 or aborts.

d12013bb2
Fix err ErrorHelp::UserError.

790a466b0
Prevents offset + buf.len() from overflowing (it “saturates” to usize::MAX on overflow), rather than panicking.

b9c23dd08
The validate_hostname function was rewritten to replace the regex with manual ASCII checks that enforce a maximum length of 63 bytes and allow hostnames to start with a digit.

17c6b29e6
Added tracking and metrics for the size of canister‐HTTP payloads, storing payload_bytes in BatchStats, registering a new canister_http_payload_bytes_delivered histogram in FinalizerMetrics.

7b4e27b3a
cc was raised from 1.1.37 to 1.2.22, dfx-core from 0.1.3 to 0.1.4, ic-agent to 0.40.1, ic-utils and ic-transport-types to 0.40.1, ic-http-gateway to 0.3.0, and ring to 0.17.14.
cc_rs.patch refactors the build logic by introducing a clang_target variable.

7e2c79b15
Removes the optional compute_allocation and memory_allocation parameters from all InstallCodeArgs/InstallCodeArgsV2 constructors, their type definitions, the InstallCodeContext conversion logic, and every test or helper that passed None, None.

b8cc778f5
In the Haskell Spec.hs, the entire "NNS canisters" test‐case is removed and replaced with a version that calls ic_create without a hard‐coded ID. The old group_03 NNS‐specific tests are deleted.

def34c889
Updates the ic-bn-lib and ic-gateway dependencies to new git revisions across all Cargo. Removes the ic-http-gateway dependency, and adds uuid to the pocket_ic_server. It also refactors pocket_ic_server to use ic-gateway’s setup_router for handling /_/dashboard and /_/topology routes.

2cc5b2479
Adds the test‐strategy crate as a development dependency across various ICRC1 and token modules and refactors existing property‐based tests by replacing proptest! macros with #[test_strategy::proptest] annotations.

0c1e945dc
Remove defrag_canisters_map step from create_checkpoint_and_switch.

831f9bce4
Extends the bazel-test-all GitHub Action by adding a new upload-artifacts input and a conditional “Upload to S3” step that writes AWS credentials and runs bazel run //:upload-artifacts when upload-artifacts is true and release-build is enabled.

b898b3ba0
Removed all uses of the deprecated ic-canister-client crate and replaced them with the newer ic-agent, refactoring make_signed_ingress to use Agent::builder().update().expire_at().sign() instead of prepare_update.

01a663320
Replaced every use of the legacy dkg::Summary type with the new DkgSummary across the artifact pool and consensus code.

2e5678e0e
The generate_testnet_config and related code were refactored to return a GuestOSConfig struct instead of writing it to a temporary JSON file, and all callers were updated to pass around the GuestOSConfig object directly.

a87bc0bc0
Removes the legacy shell-based GuestOS config scripts and replaces them with a new Rust-based ic_os/config tool, moving the guestos.xml.template into rs/ic_os/config/templates and introducing associated tests and metrics.

93bd45938
All references to the old build-bootstrap-config-image.sh script have been removed. In its place, a new Rust‐based guestos_bootstrap_image library has been introduced—complete with config_lib_dev and config_lib_test targets, a dev feature, and updated dev‐tooling.

6482c5b5c
Refactored to use PathBuf instead of raw String/&str for file paths, including updating its constructor, methods, and associated tests.

697e96bfc
All of the old Bash logic for assembling and formatting the GuestOS bootstrap image (build-bootstrap-config-image.sh) has been removed.

04c2565fa
Two new “golden” XML templates for QEMU and KVM VM configs have been checked in under rs/ic_os/config/golden/, and the guest_vm_config.rs tests have been updated to automatically generate and compare the rendered XML against those golden files using the goldenfile crate.

proposal/136790

18af55a8f
Two new systemd units and scripts introduce a “guestos‐recovery‐upgrader” mode: if the kernel command line includes recovery=1, the guestos-recovery-upgrader.service runs a shell script that locates the inactive GuestOS partition, downloads the specified update image (verifying its SHA-256 hash), writes the new boot and root images, wipes the var partition, and flips GRUB’s boot_alternative so the next boot uses the newly installed GuestOS. The GRUB configuration now presents a 15-second recovery menu timeout, allowing manual entry of version and hash parameters to trigger the upgrade path before a normal boot.

About CodeGov

CodeGov has a team of developers who review and vote independently on the following proposal topics: IC-OS Version Election, Protocol Canister Management, Subnet Management, Node Admin, and Participant Management. The CodeGov NNS known neuron is configured to follow our reviewers on these technical topics. We also have a group of Followees who vote independently on the Governance and the SNS & Neuron’s Fund topics. We strive to be a credible and reliable Followee option that votes on every proposal and every proposal topic in the NNS. We also support decentralization of SNS projects such as WaterNeuron, KongSwap, and Alice with a known neuron and credible Followees.

Learn more about CodeGov and its mission at codegov.org.
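
The bounds check behind 790a466b0 (offset + buf.len() replaced by saturating_add), as an added example that is not part of the post above and not code from the IC repository; all function and type names are hypothetical. An unchecked addition panics when overflow checks are on and wraps when they are off, so the wrapping variant models the second case.

```rust
// Added example: hypothetical names, not code from the IC repository.

#[derive(Debug, PartialEq)]
pub enum ChunkError {
    /// The write would end past the reserved region.
    OutOfBounds { end: usize, size: usize },
}

/// Models an unchecked `offset + len` in a build without overflow checks:
/// the sum wraps, so a huge offset produces a small `end` that looks valid.
pub fn validate_wrapping(offset: usize, len: usize, size: usize) -> Result<(), ChunkError> {
    let end = offset.wrapping_add(len);
    if end > size {
        return Err(ChunkError::OutOfBounds { end, size });
    }
    Ok(())
}

/// Same check with saturating arithmetic: on overflow `end` becomes
/// usize::MAX, which is larger than any real region and is rejected.
pub fn validate_saturating(offset: usize, len: usize, size: usize) -> Result<(), ChunkError> {
    let end = offset.saturating_add(len);
    if end > size {
        return Err(ChunkError::OutOfBounds { end, size });
    }
    Ok(())
}

/// Copies `chunk` into `dst` at `offset` only after the saturating check.
pub fn write_chunk(dst: &mut [u8], offset: usize, chunk: &[u8]) -> Result<(), ChunkError> {
    validate_saturating(offset, chunk.len(), dst.len())?;
    // The check proved offset + chunk.len() <= dst.len(), so this cannot overflow.
    dst[offset..offset + chunk.len()].copy_from_slice(chunk);
    Ok(())
}

fn main() {
    // Constructed inputs: a 16-byte region and a caller-supplied offset near usize::MAX.
    let size = 16;
    let offset = usize::MAX - 1;
    println!("wrapping:   {:?}", validate_wrapping(offset, 4, size));
    println!("saturating: {:?}", validate_saturating(offset, 4, size));

    let mut region = [0u8; 8];
    println!("in range:   {:?}", write_chunk(&mut region, 6, &[0xAA, 0xBB]));
    println!("past end:   {:?}", write_chunk(&mut region, 7, &[0xAA, 0xBB]));
}
```

checked_add would reject the same input with an explicit overflow error instead of relying on the comparison against the region size.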

Proposals 136789 & 136790 | Tim - CodeGov

Vote: Adopt

Reason: Build is successful, hashes match, commits match descriptions and the reasoning behind the changes is sound. I’ve reviewed commits for Consensus and Interface as detailed below.

Review

Features:

[241fe2bb8]
Adapts OrchestratorDashboard::get_local_cup_info method to include the timestamp of the latest recovery catch-up package in the orchestrator dashboard.

[a8289b351]
Adds a new method rename_canister to UnflushedCheckpointOps. This stores the change for later enactment via the tip handler through another new method move_canister_directory.

[4a7a911a8]
Replaces choose_random_subnet with a new method random_shuffle in XNetPayloadBuilderImpl and uses this to shuffle streams rather than just rotating them when building XNet payloads.

[06bdd95d1]
Adds boolean field enable_trusted_execution_environment to type ICOSSettings. Adds logic to setupos-scripts/check-hardware.sh to verify that Gen2 hardware is being used before accepting this setting.

[7e2c79b15]
Removes fields compute_allocation and memory_allocation from InstallCodeArgs and InstallCodeArgsV2 types, as per description.

Bugfixes:

[b9c23dd08]
Removes “guest-” from the start of the hostname in GuestOS image bootstrapping and adds logic to check the hostname format and length.

Chores:

[17c6b29e6]
Adds canister_http_payload_bytes_delivered metric as a histogram to show the total number of bytes in the payload of a canister http outcall.

[7b4e27b3a]
Version update for ic-agent and various other crates.

[b8cc778f5]
Removes various redundant Haskell tests, as per description.

[def34c889]
Switches from using ic-http-gateway (via crates.io and custom wrapping code) to using ic-gateway (via repo) in PocketIC. Updates revision versions for ic-gateway and ic-bn-lib.

[2cc5b2479]
Uses test-strategy for ICRC1 ledger suite property tests and adapts code formatting as outlined in the linked crate page.

[0c1e945dc]
Removes the step in the StateManagerImpl::create_checkpoint_and_switch method in which the memory map of a subnet’s canisters is defragmented during checkpointing, originally introduced in commit a438bb7, as the intended performance improvements from this step did not come to fruition.

Refactoring:

[b898b3ba0]
Shifts dependencies from ic_canister_client to ic_agent, adds PrincipalSender type to replace ic_canister_client::Sender and modifies code accordingly.

[01a663320]
Moves error types PayloadCreationError, InvalidDkgPayloadReason and DkgPayloadValidationFailure from ic-consensus-dkg to the ic-types crate and moves PayloadValidationError from ic-consensus-dkg to ic-interfaces. Renames some types by adding Dkg prefix.

[2e5678e0e]
Uses GuestOSConfig type (as a Rust struct) for the GuestOS config object in place of PathBuf.

[a87bc0bc0]
Deletes generate-guestos-config.sh and dev-generate-guestos-config.sh, replacing both with equivalent logic in new file rs/ic_os/config/src/guest_vm_config.rs.

[93bd45938]
Adds a new file rs/ic_os/config/src/guestos_bootstrap_image.rs, intended to replace the logic of build-bootstrap-config-image.sh.

[6482c5b5c]
Changes the type for MetricsWriter::file_path and MetricToolArgs::metrics_filename from String to PathBuf + associated code and test changes.

Tests:

[04c2565fa]
Adds golden tests for changes in a87bc0bc0 above.

About CodeGov

CodeGov has a team of developers who review and vote independently on the following proposal topics: IC-OS Version Election, Protocol Canister Management, Subnet Management, API Boundary Node Management, Node Admin, and Participant Management. The CodeGov NNS known neuron is configured to follow our reviewers on these technical topics. We also have a group of Followees who vote independently on the Governance and the SNS & Neurons’ Fund topics. We strive to be a credible and reliable Followee option that votes on every proposal and every proposal topic in the NNS. We also support decentralisation of SNS projects such as WaterNeuron, KongSwap, and Alice with a known neuron and credible Followees.

Learn more about CodeGov and its mission at codegov.org.
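
The hostname rules the reviews in this thread describe for b9c23dd08 (manual ASCII checks, a 63-byte limit, a leading digit allowed), as an added example that is not part of the post above and not the project's validate_hostname. It assumes single-label RFC 1123 rules; the function and error names are hypothetical.

```rust
// Added example: hypothetical names, assumes single-label RFC 1123 rules.

#[derive(Debug, PartialEq)]
pub enum HostnameError {
    Empty,
    /// Length in bytes, not characters.
    TooLong(usize),
    /// First or last byte is a hyphen.
    BadEdge,
    /// A byte outside [A-Za-z0-9-].
    BadByte(u8),
}

pub const MAX_LABEL_BYTES: usize = 63;

/// Validates one hostname label byte by byte, without a regex.
pub fn validate_hostname_label(name: &str) -> Result<(), HostnameError> {
    let bytes = name.as_bytes();
    if bytes.is_empty() {
        return Err(HostnameError::Empty);
    }
    // The limit applies to the encoded length, so multi-byte input
    // cannot slip under it by having fewer characters than bytes.
    if bytes.len() > MAX_LABEL_BYTES {
        return Err(HostnameError::TooLong(bytes.len()));
    }
    // Digits are accepted in every position, including the first.
    if let Some(b) = bytes
        .iter()
        .copied()
        .find(|b| !(b.is_ascii_alphanumeric() || *b == b'-'))
    {
        return Err(HostnameError::BadByte(b));
    }
    if bytes[0] == b'-' || bytes[bytes.len() - 1] == b'-' {
        return Err(HostnameError::BadEdge);
    }
    Ok(())
}

fn main() {
    // Constructed sample names.
    let long = "a".repeat(64);
    let samples = ["0node-1", "node_1", "-node", "nod\u{e9}", long.as_str()];
    for s in samples {
        println!("{:?} -> {:?}", s, validate_hostname_label(s));
    }
}
```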