
added laso and some helpers to improve xp #470

Merged

metapileks merged 3 commits into develop from laso-plus-helpers on Jun 29, 2026

Conversation

@metanallok

Contributor

Awaiting confirmation from Laso, but otherwise the primary pieces are here.

  • Need to write approval script for Laso, expect it to approve fixed amount for a few addresses then pro-rata for the rest. We could experiment with pro-rata time based accumulator or something, but that's offchain.

@github-actions

github-actions Bot commented Jun 29, 2026

Contributor

Repository Guard

  • Cargo.lock: pass
  • yarn.lock (root): pass
  • yarn.lock (sdk): pass
  • Repo guard: pass

Repository Guard

Cargo dependency pinning

  • Status: pass
  • Every programs/*/Cargo.toml dep uses =x.y.z, a path = .. workspace ref, or a git dep with a 40-char rev.

Cross-program Anchor/Solana version consistency

  • Status: pass
  • anchor-lang and anchor-spl are pinned to the version declared in repo-guard.toml across every program.

solana-program crate pin

  • Status: pass
  • Every solana-program = "=X" declaration is =1.17.14 (locked to match Cargo.lock).

Anchor.toml solana_version

  • Status: pass
  • Anchor.toml declares solana_version = "1.17.34" (local-dev install for anchor test).

Crate minimum age

  • Status: pass
  • All Cargo deps changed by this PR are at least 14 days old on crates.io.

Yarn package.json pinning

  • Status: pass
  • All package.json deps use exact versions (no ^, ~, ranges).

npm minimum age

  • Status: pass
  • All npm deps changed by this PR are at least 14 days old.

Workflow toolchain consistency

  • Status: pass
  • Every workflow declares anchor-version: 0.29.0.
  • Per-file solana-cli-version values match [toolchain.workflow_solana_cli] in repo-guard.toml.

GitHub Action SHA pinning

  • Status: pass
  • Every third-party action is pinned to a SHA in [actions.sha_allowlist].

Sensitive program / config changes

  • Status: warn
  • Review hint only (CODEOWNERS is the merge gate). Lines below match heuristics for security-sensitive changes:
  • scripts/v0.7/laso/constants.ts:8 Hardcoded Solana address literal -> + "82MdwSmh7JEK9cywZusE27m8zwbhmkR9Bs38jQoAwwCc",
  • scripts/v0.7/laso/constants.ts:12 Hardcoded Solana address literal -> + new PublicKey("4XMTsBivE5V73ScmuChGVLS6oF8MFb2P3fvR3gt9So9J"),
  • scripts/v0.7/laso/constants.ts:16 Hardcoded Solana address literal -> + "11111111111111111111111111111111", // Placeholder for no performance package
  • scripts/v0.7/laso/constants.ts:26 Hardcoded Solana address literal -> + "91PL1BRM2jGbt6jxv56hhkAFbvsHMHLirMXDQCQcvY92",

Overall status: pass

Lockfile freshness (Cargo.lock + yarn.lock) is checked by the workflow directly and cannot be bypassed. The sensitive-diff section is a review hint - CODEOWNERS handles the actual merge gate.
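The pinning and version-consistency rules the Repository Guard report lists above (exact `=x.y.z` versions, `path` deps, git deps with a full 40-char rev, and anchor-lang / anchor-spl / solana-program pinned to one declared version) as a small stand-alone checker. This is an added example, not the repository's own repo-guard tool: the expected versions in `EXPECTED`, the two sample Cargo.toml texts, and the narrow TOML subset the parser understands (string values and one-line inline tables under `[dependencies]`-style sections) are assumptions made for the example.

```python
"""Cargo dependency pinning and version-consistency checks.

Added example modelled on the Repository Guard report; not the project's own
repo-guard code. The parser covers only the Cargo.toml subset these checks
need: `name = "ver"` and one-line `name = { ... }` inline tables.
"""
import re

# Expected pins; constructed stand-ins for what repo-guard.toml would declare.
EXPECTED = {"anchor-lang": "=0.29.0", "anchor-spl": "=0.29.0", "solana-program": "=1.17.14"}

EXACT_VERSION = re.compile(r"^=\d+\.\d+\.\d+$")          # =x.y.z, nothing else
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")                 # 40-char git rev
INLINE_KV = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\[[^\]]*\]))')
DEP_SECTIONS = ("dependencies", "dev-dependencies", "build-dependencies")


def parse_deps(cargo_toml: str) -> dict:
    """Return {name: spec}; spec is a str for `name = "..."` or a dict for
    `name = { key = "...", ... }`. Comments and non-dependency sections are skipped."""
    deps, section = {}, None
    for raw in cargo_toml.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
            continue
        if section not in DEP_SECTIONS:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("{"):
            deps[key] = {k: (v or lst) for k, v, lst in INLINE_KV.findall(value)}
        else:
            deps[key] = value.strip('"')
    return deps


def check_dependency_pinning(deps: dict) -> list:
    """One message per dep that is not an exact version, a path dep, or a git dep
    with a full 40-char rev (the rule the guard report states)."""
    problems = []
    for name, spec in deps.items():
        if isinstance(spec, str):
            if not EXACT_VERSION.match(spec):
                problems.append(f"{name}: version {spec!r} is not pinned with =x.y.z")
        elif "path" in spec:
            continue                                     # workspace-local crate
        elif "git" in spec:
            if not FULL_SHA.match(spec.get("rev", "")):
                problems.append(f"{name}: git dependency needs a 40-char rev, not a branch/tag")
        elif not EXACT_VERSION.match(spec.get("version", "")):
            problems.append(f"{name}: version {spec.get('version')!r} is not pinned with =x.y.z")
    return problems


def check_version_consistency(deps: dict, expected: dict = EXPECTED) -> list:
    """Deps named in `expected` must carry exactly the declared version string."""
    problems = []
    for name, want in expected.items():
        spec = deps.get(name)
        if spec is None:
            continue                                     # program does not use it
        got = spec if isinstance(spec, str) else spec.get("version", "")
        if got != want:
            problems.append(f"{name}: {got!r} does not match expected {want!r}")
    return problems


def guard(cargo_toml: str) -> dict:
    """Run both checks over one Cargo.toml text; empty lists mean pass."""
    deps = parse_deps(cargo_toml)
    return {"pinning": check_dependency_pinning(deps),
            "consistency": check_version_consistency(deps)}


# Constructed sample manifests (not from the repository).
GOOD = """
[package]
name = "example-program"   # constructed sample

[dependencies]
anchor-lang = "=0.29.0"
anchor-spl = { version = "=0.29.0", features = ["metadata"] }
solana-program = "=1.17.14"
shared = { path = "../shared" }
vendored = { git = "https://example.invalid/org/repo", rev = "0123456789abcdef0123456789abcdef01234567" }
"""

BAD = """
[dependencies]
anchor-lang = "0.29.0"
anchor-spl = { version = "^0.29" }
solana-program = "=1.17.34"
vendored = { git = "https://example.invalid/org/repo", branch = "main" }
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        result = guard(text)
        print(f"{label}: {'fail' if any(result.values()) else 'pass'}")
        for kind, problems in result.items():
            for problem in problems:
                print(f"  [{kind}] {problem}")
```

`BAD` shows why the two checks are kept separate: `solana-program = "=1.17.34"` is correctly pinned but still fails consistency, while `anchor-lang = "0.29.0"` fails both because a caret-free but unprefixed version still allows Cargo to resolve a newer semver-compatible release.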

@socket-security

socket-security Bot commented Jun 29, 2026


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                                     Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/@ledgerhq/hw-transport-node-hid@6.33.4  100                    100            95       100          100
Added  npm/@ledgerhq/hw-app-solana@7.10.4          97                     100            100      100          100


@socket-security

socket-security Bot commented Jun 29, 2026


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: Medium
Alert: Deprecated by its maintainer: npm prebuild-install

Reason: No longer maintained. Please contact the author of the relevant native addon; alternatives are available.

From: npm/@ledgerhq/hw-transport-node-hid@6.33.4 -> npm/prebuild-install@7.1.3


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prebuild-install@7.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@metapileks metapileks requested a review from pileks June 29, 2026 15:39

@metapileks metapileks left a comment

Collaborator


LGTM

Nit: We have this repeating pattern of simulating then sending off the tx with simulation units + 20%. Maybe we can refactor that too.

@metanallok

Contributor Author

Updating the ledger stuff beyond this package version is only 3 days old, so would rather not. But can resolve in short order. I agree on the common features / libs since we've been using it a lot now, there's a question if it belongs in the SDK in my mind given the fact that we need it for scripts and likely just want coverage on many functions.

We'll see how it goes but since I've been using it a lot I think I've got some ideas.

@metapileks metapileks removed the request for review from pileks June 29, 2026 18:20
@metapileks

metapileks commented Jun 29, 2026

Collaborator

Updating the ledger stuff beyond this package version is only 3 days old, so would rather not. But can resolve in short order. I agree on the common features / libs since we've been using it a lot now, there's a question if it belongs in the SDK in my mind given the fact that we need it for scripts and likely just want coverage on many functions.

We'll see how it goes but since I've been using it a lot I think I've got some ideas.

My hesitance with adding it to the SDK as some form of helper collection is that we're then implying it inside our SDK's semver. And these are things that teams usually ship for themselves. But we can get you set up with a separate collection of scripts if you want these. 😄

@metanallok metanallok marked this pull request as ready for review June 29, 2026 20:04
@metapileks metapileks merged commit 50041c1 into develop Jun 29, 2026
4 checks passed

2 participants