Skip to content

Commit dcfc4ab

Browse files
QSchlegelclaude
andcommitted
docs(roadmap): July status snapshot — Mesh 2.0 cutover blocked upstream, hardening progress
Mesh core 2.0 still isn't published (npm latest 1.9.1), so the runtime cutover can't start; readiness on our side is documented instead. Records production-hardening state (Node-22 fix on main, ProposalTally still unapplied, RLS fix in #332, gitlink fix in #333) and the systemic dependabot smoke failure as a CI watch item. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1 parent f42bacb commit dcfc4ab

1 file changed

Lines changed: 11 additions & 0 deletions

File tree

ROADMAP.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -100,6 +100,17 @@ Mid-month snapshot. Last updated 2026-06-17.
100100
| Wallet V2 — on-chain registration and discovery — design the on-chain registration record + discovery index, define the data model, prototype lookup by signer/policy | #33 |
101101
| CI/maintenance baseline — keep smoke + unit/tRPC suites green on Node 22, dependency/security updates | |
102102

103+
### Progress
104+
105+
Early-month snapshot. Last updated 2026-07-06.
106+
107+
| Task | Status | Evidence |
108+
|------|--------|----------|
109+
| Mesh 2.0 runtime cutover | **Blocked upstream** | No 2.0 of `@meshsdk/core`/`core-cst`/`core-csl` exists on npm (latest = 1.9.1, published 2026-06-01; MeshJS/mesh's latest release is 1.9.0). Only `@meshsdk/react` has a 2.0 (2.0.0-beta.2), already in use. Readiness on our side is verified: all wallet ops funnel through the `useMeshWallet`/`useActiveWallet` bridge ([#278](https://github.com/MeshJS/multisig/pull/278)) and byte-preserving witness merge is implemented + regression-tested (`src/__tests__/mergeSignerWitnesses.test.ts`). When core 2.0 ships, the cutover is a single-layer change: bump `@meshsdk/*`, re-source the bridge wallet, fix the 2.0 deltas (`signData` arg order, `signTx(tx, partialSign)`, `getUtxos(): string[]`, removed `getDRep`/`getAssets`/`getLovelace`), drop the ESLint guardrail. Watch item: check npm for `@meshsdk/core` 2.x |
110+
| Production hardening follow-through | In progress | Node-22 deploy-migrations fix confirmed on `main` (via [#321](https://github.com/MeshJS/multisig/pull/321)) ✅. `ProposalTally` migration still **unapplied in production** — the June 17 deploy run (pre-fix) failed and nothing has re-triggered it; needs a manual "Deploy Database Migrations" dispatch on `main` (governance tallies error until then). RLS advisory reviewed → [#332](https://github.com/MeshJS/multisig/pull/332) enables RLS + deny-all policies on the 7 flagged tables plus `ProposalTally` and the notification-center tables. Supabase also warns the Postgres version has pending security patches (dashboard upgrade). Stray committed worktree gitlink breaking CI submodule cleanup fixed in [#333](https://github.com/MeshJS/multisig/pull/333) |
111+
| FROST research kickoff (#220) | Not started | |
112+
| CI/maintenance baseline | Watch item | `multisig-v1-smoke` fails on **every dependabot PR** — dependabot-triggered runs don't receive repo Actions secrets (`CI_BLOCKFROST_PREPROD_API_KEY` is empty), and this job lacks the skip-when-secrets-missing guard the other smoke job has. Dependabot CI is red for systemic reasons, not because of the version bumps |
113+
103114
---
104115

105116
## Month 4 — August 2026

0 commit comments

Comments
 (0)