
Harden share-token TTL and archival runbook#445

Draft
carrion256 wants to merge 2 commits into audit/share-token-admin-immutable from audit/share-token-ttl-and-archival

Conversation


@carrion256 carrion256 commented May 18, 2026

Collaborator

Summary

Fixes/triages the share-token TTL and archival follow-up findings:

  • A-096 / Nexus 1423b989-f1cf-4827-bc37-6d76d00018f8 — document the Soroban archival restore story for the share token.
  • A-098 / Nexus 8e84564c-0b32-40b9-8bc8-227b2ca23395 — refresh instance TTL from all SEP-41 read-only methods.
  • A-100 / Nexus 1122e421-af18-43d0-9062-bb44dbe948cc — document/prove why admin extend_ttl remains instance-only while holder balances/allowances keep per-entry semantics.

This is stacked on the consolidated share-token PR branch audit/share-token-admin-immutable.

Changes

  • Add extend_instance_ttl(e) to SEP-41 read-only methods: total_supply, balance, allowance, decimals, name, symbol.
  • Add README runbook language for proactive share-token TTL maintenance and archived-instance recovery: restore via Stellar/Soroban archival restore first, then call extend_ttl from the configured admin.
  • Record A-100 as an intentional design boundary rather than adding an unbounded holder/allowance index:
    • upstream stellar-tokens refreshes touched persistent holder balances on balance reads/writes;
    • allowances are temporary storage entries bounded by the caller-selected live_until_ledger.
  • Add regression coverage for the read-only TTL surface and the admin extend_ttl balance/allowance semantics.

Verification

  • RUSTUP_TOOLCHAIN=1.89.0 cargo fmt --all --check
  • RUSTUP_TOOLCHAIN=1.89.0 CARGO_TARGET_DIR=/data/tmp/contracts-share-token-ttl-archival/target cargo test -p templar-soroban-share-token read_only_entrypoints_cover_share_token_ttl_maintenance_surface -- --nocapture
  • RUSTUP_TOOLCHAIN=1.89.0 CARGO_TARGET_DIR=/data/tmp/contracts-share-token-ttl-archival/target cargo test -p templar-soroban-share-token admin_extend_ttl_preserves_holder_balances_and_allowance_expiry_semantics -- --nocapture
  • RUSTUP_TOOLCHAIN=1.89.0 CARGO_TARGET_DIR=/data/tmp/contracts-share-token-ttl-archival/target cargo test -p templar-soroban-share-token -- --nocapture — 22 passed
  • git diff --check
  • Post-commit Soroban size-budget-check — passed at 93961 bytes

Tracker

Updated local tracker rows and cluster notes:

  • contracts-audit-findings-index.md
  • contracts-audit-clusters/storage-versioning-ttl.audit.md
  • contracts-audit-clusters/share-token-admin.audit.md

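To make the A-100 boundary described in the Changes list concrete, here is an added, dependency-free Rust model of the Soroban TTL rules the PR relies on (instance refreshed by every read-only method and by the admin keeper; persistent holder balances refreshed only when touched; temporary allowances bounded by the caller-selected live_until_ledger). This is illustrative code, not the share-token contract or stellar-tokens; THRESHOLD, EXTEND_TO, ShareTokenModel and its method names are assumptions.

```rust
use std::collections::HashMap;

// Soroban extend_ttl rule: refresh only when remaining TTL <= threshold, to exactly extend_to.
#[derive(Clone, Copy, Debug, Default)]
pub struct Entry { pub live_until: u32 }

impl Entry {
    pub fn extend_ttl(&mut self, ledger: u32, threshold: u32, extend_to: u32) {
        if self.live_until.saturating_sub(ledger) <= threshold {
            self.live_until = ledger + extend_to;
        }
    }
}
// Assumed keeper constants (illustrative, not the contract's real values).
pub const THRESHOLD: u32 = 100;
pub const EXTEND_TO: u32 = 1_000;

#[derive(Default)]
pub struct ShareTokenModel {
    pub instance: Entry,                                                  // instance storage
    pub balances: HashMap<&'static str, (i128, Entry)>,                   // persistent entries
    pub allowances: HashMap<(&'static str, &'static str), (i128, Entry)>, // temporary entries
}
impl ShareTokenModel {
    pub fn deploy(ledger: u32) -> Self { let mut m = Self::default(); m.extend_instance_ttl(ledger); m }
    fn extend_instance_ttl(&mut self, ledger: u32) { self.instance.extend_ttl(ledger, THRESHOLD, EXTEND_TO); }
    // Admin keeper path (A-100 boundary): refreshes the instance only, never holder entries.
    pub fn admin_extend_ttl(&mut self, ledger: u32) { self.extend_instance_ttl(ledger); }
    pub fn mint(&mut self, ledger: u32, to: &'static str, amount: i128) {
        self.extend_instance_ttl(ledger);
        self.balances.entry(to).or_insert((0, Entry { live_until: ledger + EXTEND_TO })).0 += amount;
    }
    // Read-only balance: refreshes the instance (this PR) and, as upstream stellar-tokens does,
    // the touched holder's persistent entry. None means the entry is archived (restore first).
    pub fn balance(&mut self, ledger: u32, who: &'static str) -> Option<i128> {
        self.extend_instance_ttl(ledger);
        let (amt, e) = self.balances.get_mut(who)?;
        if ledger > e.live_until { return None; }
        e.extend_ttl(ledger, THRESHOLD, EXTEND_TO);
        Some(*amt)
    }
    pub fn approve(&mut self, ledger: u32, o: &'static str, s: &'static str, amt: i128, live_until: u32) {
        self.extend_instance_ttl(ledger);
        self.allowances.insert((o, s), (amt, Entry { live_until }));
    }
    // Read-only allowance: instance refreshed; the temporary entry stays bounded by live_until_ledger
    // and reads as 0 once expired. The keeper never extends it.
    pub fn allowance(&mut self, ledger: u32, o: &'static str, s: &'static str) -> i128 {
        self.extend_instance_ttl(ledger);
        match self.allowances.get(&(o, s)) { Some((a, e)) if ledger <= e.live_until => *a, _ => 0 }
    }
}
```

The model shows why a keeper that only calls the admin extend_ttl keeps the contract reachable but cannot rescue an untouched holder's archived balance, which is exactly the archival-restore step the runbook documents.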


coderabbitai Bot commented May 18, 2026

Contributor


Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7cec756e-d0d5-47d1-8350-9809fbdde64f

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

This PR introduces time-to-live (TTL) management for the Soroban share-token contract. Read-only token methods now extend the contract instance TTL before returning values. An admin-only extend_ttl entrypoint enables proactive TTL maintenance. Tests verify correct behavior and allowance expiry semantics.

Changes

Share-Token TTL Extension and Allowance Expiry

  • TTL and archival recovery documentation (contract/vault/soroban/README.md): New section explains how share-token instance TTL is refreshed across public entrypoints, the admin extend_ttl keeper path and archival restore prerequisite, and TTL behavior for per-holder balances (refreshed only when touched) and allowances (bounded by live_until_ledger, not extended by keeper).
  • TTL extension in read-only token methods (contract/vault/soroban/share-token/src/lib.rs): extend_instance_ttl(e) calls are inserted in total_supply, balance, allowance, decimals, name, and symbol methods before delegating to underlying Base implementations.
  • TTL and allowance expiry test coverage (contract/vault/soroban/share-token/src/tests.rs): Two new tests verify read-only token surfaces return correct values after minting and approving, and verify admin extend_ttl behavior preserves balances while respecting allowance expiry when ledger time advances.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • royalf00l
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 45.45%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title 'Harden share-token TTL and archival runbook' directly reflects the main changes: adding TTL maintenance capabilities and archival recovery documentation for the share-token contract.
  • Description check: ✅ Passed. The description is comprehensive and clearly related to the changeset, detailing the audit findings addressed, specific code changes made, testing performed, and tracking updates.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • LINEAR integration encountered authorization issues. Please disconnect and reconnect the integration in the CodeRabbit UI.

Comment @coderabbitai help to get the list of available commands and usage tips.

@carrion256 carrion256 force-pushed the audit/share-token-admin-immutable branch from 3c5d098 to f8dedf6 Compare May 18, 2026 14:43
@carrion256 carrion256 force-pushed the audit/share-token-ttl-and-archival branch from e189e24 to 396f310 Compare May 18, 2026 14:43
@carrion256

Collaborator Author

@coderabbitai review


coderabbitai Bot commented May 18, 2026

Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@carrion256

Collaborator Author

@coderabbitai review


coderabbitai Bot commented May 18, 2026

Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@contract/vault/soroban/share-token/src/tests.rs`:
- Around line 470-525: The test
read_only_entrypoints_cover_share_token_ttl_maintenance_surface currently only
asserts token values and must also verify TTL movement: read and store the
contract instance TTL for token before calling the read-only entrypoint(s) (use
env to query the instance TTL), invoke the read-only extend_instance_ttl
entrypoint via env.invoke_contract (Symbol::new(&env, "extend_instance_ttl") or
the specific read-only method you want to exercise), then read the instance TTL
again and assert it has advanced/been refreshed; update the test to perform this
before/after TTL assertion using the existing token variable and the test
function read_only_entrypoints_cover_share_token_ttl_maintenance_surface.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 44083f83-a1fa-4e04-b033-e728e8dbc679

📥 Commits

Reviewing files that changed from the base of the PR and between f8dedf6 and 396f310.

📒 Files selected for processing (3)
  • contract/vault/soroban/README.md
  • contract/vault/soroban/share-token/src/lib.rs
  • contract/vault/soroban/share-token/src/tests.rs

Comment on lines +470 to +525
#[test]
fn read_only_entrypoints_cover_share_token_ttl_maintenance_surface() {
let (env, _admin, vault, token) = setup();
let user = Address::generate(&env);
let spender = Address::generate(&env);

env.as_contract(&vault, || {
VaultCaller::mint(env.clone(), token.clone(), user.clone(), 1000);
VaultCaller::approve(
env.clone(),
token.clone(),
user.clone(),
spender.clone(),
250,
300,
);
});

let supply: i128 = env.invoke_contract(
&token,
&soroban_sdk::Symbol::new(&env, "total_supply"),
().into_val(&env),
);
let balance: i128 = env.invoke_contract(
&token,
&soroban_sdk::Symbol::new(&env, "balance"),
(&user,).into_val(&env),
);
let allowance: i128 = env.invoke_contract(
&token,
&soroban_sdk::Symbol::new(&env, "allowance"),
(&user, &spender).into_val(&env),
);
let name: String = env.invoke_contract(
&token,
&soroban_sdk::Symbol::new(&env, "name"),
().into_val(&env),
);
let symbol: String = env.invoke_contract(
&token,
&soroban_sdk::Symbol::new(&env, "symbol"),
().into_val(&env),
);
let decimals: u32 = env.invoke_contract(
&token,
&soroban_sdk::Symbol::new(&env, "decimals"),
().into_val(&env),
);

assert_eq!(supply, 1000);
assert_eq!(balance, 1000);
assert_eq!(allowance, 250);
assert_eq!(name, String::from_str(&env, "Templar Share"));
assert_eq!(symbol, String::from_str(&env, "tvSHARE"));
assert_eq!(decimals, 7);
}
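Review bot: the approve call hard-codes a live_until_ledger of 300 (the last argument in `VaultCaller::approve(..., 250, 300)`) while nothing in the test pins the ledger sequence first, so whether that allowance is live when `allowance` is read depends on whatever sequence `setup()` leaves behind. Set the ledger sequence explicitly at the start of the test and keep the value in a local, so the approve is deterministic and a later before/after instance-TTL assertion has a known baseline to compare against.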


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

TTL regression test is value-only and does not prove TTL refresh.

On Line 471, this test name states TTL maintenance coverage, but it only asserts token values. It would still pass even if the read-only extend_instance_ttl calls were removed. Please add an assertion that verifies observable instance-TTL movement before/after at least one of these read-only calls.


@carrion256 carrion256 force-pushed the audit/share-token-admin-immutable branch from 467fdf8 to 8470b7f Compare May 19, 2026 08:28
…xus 1423b989-f1cf-4827-bc37-6d76d00018f8 Nexus 8e84564c-0b32-40b9-8bc8-227b2ca23395 Nexus 1122e421-af18-43d0-9062-bb44dbe948cc)

Trace: e189e24
@carrion256 carrion256 force-pushed the audit/share-token-ttl-and-archival branch from 396f310 to 8b96576 Compare May 19, 2026 08:36