Bump npm_and_yarn dependencies in /dsm_client/new_frontend

[cryptskii]

This pull request introduces several improvements and updates across the codebase, focusing on dependency upgrades, workflow enhancements, repository metadata corrections, and minor code refactoring. The most significant changes are grouped below:

Dependency and Library Upgrades:

• Upgraded several Rust crate dependencies in dsm_client/deterministic_state_machine/dsm/Cargo.toml, including prost (0.13→0.14), blake3 (1.5.0→1.8.4), rand (0.8.5→0.10.0), jni (0.21→0.22), and derive_more (1.0.0→2.1.1), among others. These upgrades help keep the project current, improve compatibility, and may include security or performance improvements. [1] [2] [3] [4] [5]

• Refactored code to use the updated rand crate API, replacing deprecated RngCore and thread_rng() usage with the new Rng trait and associated methods throughout the Rust codebase (e.g., in timing_analysis.rs and genesis.rs). [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13]

GitHub Actions Workflow Improvements:

• Added a new nightly security audit workflow (.github/workflows/nightly-security-audit.yml) that runs cargo audit on a schedule to proactively detect security vulnerabilities in Rust dependencies.

• Introduced a stale issue and PR management workflow (.github/workflows/stale.yml) to automatically mark and close inactive issues and pull requests, improving repository hygiene.

• Updated existing CI workflows to use newer versions of actions: codecov-action upgraded from v5 to v6 and upload-artifact from v4 to v7, ensuring continued support and bug fixes. [1] [2] [3]

Repository Metadata and Documentation:

• Updated repository URLs in Cargo.toml files and Dockerfile labels to the new canonical GitHub organization/repository (deterministicstatemachine/dsm) for consistency and accuracy. [1] [2] [3]

• Updated a documentation link in the Android app to point to the new architecture guide location.

Other Codebase Changes:

• Removed the unused Android NFC write activity layout file (activity_nfc_write.xml).

• Minor clarification in a code comment regarding the format of a domain separator in the bilateral transaction manager.

[Copilot]

Pull request overview

This PR updates dependency versions across Rust and the React frontend, adapts code to updated RNG / library APIs, and adds/updates GitHub automation and repo metadata links.

Changes:

• Bump Rust crate versions (e.g., prost/blake3/rand/jni/toml/rcgen) and adjust RNG usage across core/SDK/tools/storage-node.
• Bump frontend devDependencies (webpack/jest/buf tooling) and refactor a few hooks/components for simpler state handling and D-pad navigation.
• Add new GitHub workflows (nightly cargo audit, stale bot) and update CI action versions; refresh repository URLs/docs links; remove unused NFC UI assets/bridge code.

Reviewed changes

Copilot reviewed 60 out of 62 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
tools/vertical_validation/src/property_tests.rs	Switch deterministic RNG usage and rand API in property tests.
tools/vertical_validation/Cargo.toml	Bump prost/blake3/rand; replace rand_chacha with chacha20.
tools/vector_runner/Cargo.toml	Bump prost to 0.14.
tools/vector_builder/Cargo.toml	Bump prost to 0.14.
dsm_storage_node/tests/object_store.rs	Update rand API usage in integration tests.
dsm_storage_node/src/chaos_testing.rs	Make random sizing logic safer against underflow/zero span.
dsm_storage_node/src/api/genesis.rs	Update OS entropy generation to new rand API.
dsm_storage_node/src/api/device_api.rs	Simplify auth token generation to rand::random().
dsm_storage_node/Cargo.toml	Bump server/crypto/config/protobuf deps (axum-server/blake3/rand/toml/prost/etc).
dsm_client/frontend/src/hooks/useIntroGate.ts	Simplify intro gate hook to a pure boolean expression.
dsm_client/frontend/src/hooks/useDpadNav.ts	Refactor focus clamping + onSelect ref handling.
dsm_client/frontend/src/components/screens/EnhancedWalletScreen.tsx	Update BitcoinTapTab import path.
dsm_client/frontend/src/components/screens/DevDeTfiLaunchScreen.tsx	Replace memoized action list with index-based onSelect callback.
dsm_client/frontend/src/components/screens/BleTestScreen.tsx	Replace memoized action list with index-based onSelect callback.
dsm_client/frontend/src/components/screens/BitcoinTapTab.tsx	Remove re-export shim (file deleted).
dsm_client/frontend/src/components/screens/tests/BitcoinTapTab.disabled.test.tsx	Update import path for BitcoinTapTab.
dsm_client/frontend/src/components/qr/GenesisQrPanel.tsx	Memoize QR encoding and switch QR generation to promise-based flow.
dsm_client/frontend/src/components/lock/StateboyComboInput.tsx	Update onComplete ref in an effect to avoid render-time mutation.
dsm_client/frontend/src/components/DiagnosticsOverlay.tsx	Rename internal render helpers to avoid component-like capitalization.
dsm_client/frontend/src/components/common/LoadingSpinner.tsx	Make dot animation deterministic via event tick + external tick.
dsm_client/frontend/package.json	Bump frontend devDependencies (buf, webpack, jest env, etc).
dsm_client/frontend/package-lock.json	Lockfile updates for bumped frontend devDependencies.
dsm_client/deterministic_state_machine/dsm/tests/dsm_end_to_end_test.rs	Re-enable a previously ignored random-walk test (comment updated).
dsm_client/deterministic_state_machine/dsm/src/utils/mod.rs	Update utility OS RNG usage via new rand API.
dsm_client/deterministic_state_machine/dsm/src/crypto/sphincs.rs	Update keygen entropy source to new rand API.
dsm_client/deterministic_state_machine/dsm/src/crypto/rng.rs	Refactor deterministic RNG + OS RNG fallback code to new rand API.
dsm_client/deterministic_state_machine/dsm/src/crypto/pedersen.rs	Update RNG trait bounds and tests to new rand API.
dsm_client/deterministic_state_machine/dsm/src/crypto/kyber.rs	Switch Kyber RNG imports to compatible rand_core/rand_chacha versions.
dsm_client/deterministic_state_machine/dsm/src/core/state_machine/bilateral.rs	Update entropy generation to new RNG trait usage.
dsm_client/deterministic_state_machine/dsm/src/core/identity/genesis.rs	Update RNG trait usage for helper functions.
dsm_client/deterministic_state_machine/dsm/src/core/bilateral_transaction_manager.rs	Clarify domain-tag comment for commitment signing.
dsm_client/deterministic_state_machine/dsm/Dockerfile	Update OCI source label to new GitHub repo URL.
dsm_client/deterministic_state_machine/dsm/Cargo.toml	Bump core crate deps and introduce chacha20/rand_core06 alignment deps.
dsm_client/deterministic_state_machine/dsm/benches/timing_analysis.rs	Update bench randomness to new rand API.
dsm_client/deterministic_state_machine/dsm_sdk/tests/tls_transport_sdk_test.rs	Update rcgen API usage for cert/key DER extraction.
dsm_client/deterministic_state_machine/dsm_sdk/tests/offline_real_protocol_ble_mock.rs	Switch OS RNG imports to rand_core06.
dsm_client/deterministic_state_machine/dsm_sdk/tests/live_e2e.rs	Switch OS RNG imports to rand_core06.
dsm_client/deterministic_state_machine/dsm_sdk/tests/e2e_token_create_lifecycle.rs	Switch OS RNG imports to rand_core06.
dsm_client/deterministic_state_machine/dsm_sdk/tests/e2e_online_transfer.rs	Switch OS RNG imports to rand_core06.
dsm_client/deterministic_state_machine/dsm_sdk/tests/e2e_faucet_contact_transfer.rs	Switch OS RNG imports to rand_core06.
dsm_client/deterministic_state_machine/dsm_sdk/tests/bilateral_event_guarantee.rs	Switch OS RNG imports to rand_core06.
dsm_client/deterministic_state_machine/dsm_sdk/src/security/wal_transaction_queue.rs	Switch nonce RNG to rand_core06::OsRng.
dsm_client/deterministic_state_machine/dsm_sdk/src/security/offline_security.rs	Switch OS RNG imports to rand_core06.
dsm_client/deterministic_state_machine/dsm_sdk/src/sdk/wallet_sdk.rs	Clarify proof_data comment / sequencing.
dsm_client/deterministic_state_machine/dsm_sdk/src/sdk/recovery_sdk.rs	Switch mnemonic entropy RNG to rand_core06::OsRng.
dsm_client/deterministic_state_machine/dsm_sdk/src/sdk/bluetooth_transport.rs	Switch OS RNG imports to rand_core06.
dsm_client/deterministic_state_machine/dsm_sdk/src/sdk/bitcoin_tap_sdk.rs	Switch OS RNG imports to rand_core06.
dsm_client/deterministic_state_machine/dsm_sdk/src/sdk/b0x_sdk.rs	Switch OS RNG imports to rand_core06.
dsm_client/deterministic_state_machine/dsm_sdk/src/jni/unified_protobuf_bridge.rs	Remove JNI NFC password helper (function deleted).
dsm_client/deterministic_state_machine/dsm_sdk/src/handlers/storage_routes.rs	Clarify signing-bytes preimage comment.
dsm_client/deterministic_state_machine/dsm_sdk/src/handlers/bitcoin_invoke_routes.rs	Switch mnemonic entropy RNG to rand_core06::OsRng.
dsm_client/deterministic_state_machine/dsm_sdk/src/crypto_performance.rs	Update deterministic RNG imports and rand API usage in tests.
dsm_client/deterministic_state_machine/dsm_sdk/src/bluetooth/bilateral_ble_handler.rs	Clarify bilateral signature domain-tag comment.
dsm_client/deterministic_state_machine/dsm_sdk/examples/submit_to_recipient.rs	Switch OS RNG imports to rand_core06.
dsm_client/deterministic_state_machine/dsm_sdk/Cargo.toml	Bump deps (prost/blake3/jni/toml/rand/rcgen/hostname) and add chacha20/rand_core06 alignment deps.
dsm_client/deterministic_state_machine/Cargo.toml	Update workspace repository URL.
dsm_client/android/app/src/main/res/layout/activity_nfc_write.xml	Remove unused NFC write activity layout (file deleted).
dsm_client/android/app/src/main/java/com/dsm/wallet/ui/MainActivity.kt	Update architecture guide URL.
Cargo.lock	Lockfile updates for bumped Rust dependencies.
.github/workflows/stale.yml	Add stale issue/PR management workflow.
.github/workflows/nightly-security-audit.yml	Add nightly cargo audit workflow.
.github/workflows/ci.yml	Bump Codecov and upload-artifact action versions.

Files not reviewed (1)

• dsm_client/frontend/package-lock.json: Language not supported

Comments suppressed due to low confidence (2)

dsm_client/deterministic_state_machine/dsm/src/core/state_machine/bilateral.rs:262

• rng.next_u64() / rng.fill_bytes(...) assume an infallible RngCore-style API, but SecureRng now implements TryRng/TryCryptoRng (fallible methods). This will fail to compile unless you switch to try_next_u64 / try_fill_bytes (and handle/unwrap) or change SecureRng to implement the infallible RNG traits expected here.

        use rand::Rng;
        let mut rng = crate::crypto::rng::SecureRng;
        let seed = rng.next_u64();
        entropy.extend_from_slice(&seed.to_le_bytes());

        // Add random bytes
        let mut random_bytes = [0u8; 32];
        rng.fill_bytes(&mut random_bytes);
        entropy.extend_from_slice(&random_bytes);

dsm_client/deterministic_state_machine/dsm/src/crypto/pedersen.rs:208

• commit_with_rng now requires R: Rng + CryptoRng, but this module’s own commit() passes crate::crypto::rng::SecureRng, which currently implements TryRng/TryCryptoRng (not rand::CryptoRng). This will break compilation unless SecureRng is updated to implement the rand traits, or the Pedersen APIs are updated to accept the new RNG abstraction.

    pub fn commit_with_rng<R: Rng + CryptoRng>(
        params: &PedersenParams,
        value: &[u8],
        rng: &mut R,
    ) -> DsmResult<(Self, BigUint)> {

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

There’s a duplicated/misaligned comment line (// Advance on DSM activity events ...) which looks like an accidental leftover and hurts readability. Consider removing the extra line or fixing indentation so the comment only appears once.

[Copilot]

SecureRng is described as a RngCore + CryptoRng wrapper, but the implementation below only provides rand_core::TryRng / TryCryptoRng. That breaks code expecting next_u64()/fill_bytes() and any APIs that bound on rand::CryptoRng. Either implement the expected rand_core::RngCore + rand::CryptoRng traits, or update call sites and bounds to consistently use the try_* API.

Suggested change

	impl rand_core::RngCore for SecureRng {
	fn next_u32(&mut self) -> u32 {
	let mut buf = [0u8; 4];
	self.fill_bytes(&mut buf);
	u32::from_le_bytes(buf)
	}
	fn next_u64(&mut self) -> u64 {
	let mut buf = [0u8; 8];
	self.fill_bytes(&mut buf);
	u64::from_le_bytes(buf)
	}
	fn fill_bytes(&mut self, dest: &mut [u8]) {
	let bytes = random_bytes(dest.len());
	dest.copy_from_slice(&bytes);
	}
	}
	impl rand::CryptoRng for SecureRng {}

[Copilot]

random_bytes() returns an all-zero buffer if the OS RNG fails. Returning predictable bytes from a crypto RNG helper can silently compromise nonces/keys; prefer propagating the error (Result) or hard-failing rather than falling back to zero entropy.

[Copilot]

On OS RNG failure this helper logs and returns an all-zero buffer, but it is documented as producing cryptographically secure randomness. Returning predictable bytes here can silently compromise callers; prefer returning Result (and propagating), or hard-failing instead of falling back to zero entropy.

[Copilot]

When genesisHashBase32 changes, a new QR generation is kicked off but qrPngUrl is not cleared first, so the previous QR image can remain visible until the new toDataURL() promise resolves. Consider resetting qrPngUrl/error state at the start of this effect whenever encodedQr.data changes.

[Copilot]

Dependency bumps here include packages that require Node >=20.x (some >=20.9.0), but this repo still declares engines.node as >=18. This mismatch can cause local installs/builds to fail or behave inconsistently; consider raising the declared Node engine requirement (and updating docs) or pinning to Node-18-compatible versions.