feat(ev-deployer): part 3 - add Permit2 contract support

.claude/skills/contracts.md

@@ -1,5 +1,5 @@
 ---
-description: This skill should be used when the user asks about "ev-reth contracts", "FeeVault", "AdminProxy", "fee bridging to Celestia", "Hyperlane integration", "Foundry deployment scripts", "genesis allocations", or wants to understand how base fees are redirected and bridged.
+description: This skill should be used when the user asks about "ev-reth contracts", "FeeVault", "AdminProxy", "fee distribution", "Foundry deployment scripts", "genesis allocations", or wants to understand how base fees are redirected and distributed.
 ---
 
 # Contracts Onboarding
@@ -9,13 +9,13 @@ description: This skill should be used when the user asks about "ev-reth contrac
 The contracts live in `contracts/` and use Foundry for development. There are two main contracts:
 
 1. **AdminProxy** (`src/AdminProxy.sol`) - Bootstrap contract for admin addresses at genesis
-2. **FeeVault** (`src/FeeVault.sol`) - Collects base fees, bridges to Celestia via Hyperlane (cross-chain messaging protocol)
+2. **FeeVault** (`src/FeeVault.sol`) - Collects base fees and distributes them between configured recipients
 
 ## Key Files
 
 ### Contract Sources
 - `contracts/src/AdminProxy.sol` - Transparent proxy pattern for admin control
-- `contracts/src/FeeVault.sol` - Fee collection and bridging logic
+- `contracts/src/FeeVault.sol` - Fee collection and distribution logic
 
 ### Deployment Scripts
 - `contracts/script/DeployFeeVault.s.sol` - FeeVault deployment with CREATE2
@@ -34,7 +34,7 @@ The AdminProxy contract provides a bootstrap mechanism for setting admin address
 ### FeeVault
 The FeeVault serves as the destination for redirected base fees (instead of burning them). Key responsibilities:
 - Receive base fees from block production
-- Bridge accumulated fees to Celestia via Hyperlane
+- Distribute accumulated fees between configured recipients
 - Manage withdrawal permissions
 
 ## Connection to Rust Code

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "contracts/lib/forge-std"]
 	path = contracts/lib/forge-std
 	url = https://github.com/foundry-rs/forge-std
+[submodule "contracts/lib/permit2"]
+	path = contracts/lib/permit2
+	url = https://github.com/Uniswap/permit2

bin/ev-deployer/README.md

@@ -14,15 +14,6 @@ The binary is output to `target/release/ev-deployer`.
 
 EV Deployer uses a TOML config file to define what contracts to include and how to configure them. See [`examples/devnet.toml`](examples/devnet.toml) for a complete example.
 
-```toml
-[chain]
-chain_id = 1234
-
-[contracts.admin_proxy]
-address = "0x000000000000000000000000000000000000Ad00"
-owner = "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266"
-```
-
 ### Config reference
 
 #### `[chain]`
@@ -38,6 +29,12 @@ owner = "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266"
 | `address` | address | Address to deploy at      |
 | `owner`   | address | Owner (must not be zero)  |
 
+#### `[contracts.permit2]`
+
+| Field     | Type    | Description                                              |
+|-----------|---------|----------------------------------------------------------|
+| `address` | address | Address to deploy at (canonical: `0x000000000022D473...`) |
+
 ## Usage
 
 ### Generate a starter config
@@ -88,7 +85,8 @@ Output:
 
 ```json
 {
-  "admin_proxy": "0x000000000000000000000000000000000000Ad00"
+  "admin_proxy": "0x000000000000000000000000000000000000Ad00",
+  "permit2": "0x000000000022D473030F116dDEE9F6B43aC78BA3"
 }
 ```
 
@@ -100,9 +98,10 @@ ev-deployer compute-address --config deploy.toml --contract admin_proxy
 
 ## Contracts
 
-| Contract       | Description                                         |
-|----------------|-----------------------------------------------------|
-| `admin_proxy`  | Proxy contract with owner-based access control      |
+| Contract      | Description                                        |
+|---------------|----------------------------------------------------|
+| `admin_proxy` | Proxy contract with owner-based access control     |
+| `permit2`     | Uniswap canonical token approval manager           |
 
 Runtime bytecodes are embedded in the binary — no external toolchain is needed at deploy time.
 

bin/ev-deployer/examples/devnet.toml

@@ -4,3 +4,8 @@ chain_id = 1234
 [contracts.admin_proxy]
 address = "0x000000000000000000000000000000000000Ad00"
 owner = "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266"
+
+[contracts.permit2]
+# Canonical Uniswap Permit2 address (same on all chains via CREATE2).
+# Using it here so frontends, SDKs and routers work out of the box.
+address = "0x000000000022D473030F116dDEE9F6B43aC78BA3"

bin/ev-deployer/src/config.rs

@@ -28,6 +28,8 @@ pub(crate) struct ChainConfig {
 pub(crate) struct ContractsConfig {
     /// `AdminProxy` contract config (optional).
     pub admin_proxy: Option<AdminProxyConfig>,
+    /// `Permit2` contract config (optional).
+    pub permit2: Option<Permit2Config>,
 }
 
 /// `AdminProxy` configuration.
@@ -39,6 +41,13 @@ pub(crate) struct AdminProxyConfig {
     pub owner: Address,
 }
 
+/// `Permit2` configuration (Uniswap token approval manager).
+#[derive(Debug, Deserialize)]
+pub(crate) struct Permit2Config {
+    /// Address to deploy at.
+    pub address: Address,
+}
+
 impl DeployConfig {
     /// Load and validate config from a TOML file.
     pub(crate) fn load(path: &Path) -> eyre::Result<Self> {

bin/ev-deployer/src/contracts/immutables.rs

@@ -0,0 +1,76 @@
+//! Bytecode patching for Solidity immutable variables.
+//!
+//! Solidity `immutable` values are embedded in the **runtime bytecode** by the
+//! compiler, not in storage.  When compiling with placeholder values (e.g.
+//! `address(0)`, `uint32(0)`), the compiler leaves zero-filled regions at known
+//! byte offsets.  This module replaces those regions with the actual values from
+//! the deploy config at genesis-generation time.
+
+use alloy_primitives::{B256, U256};
+
+/// A single immutable reference inside a bytecode blob.
+#[derive(Debug, Clone, Copy)]
+pub(crate) struct ImmutableRef {
+    /// Byte offset into the **runtime** bytecode.
+    pub start: usize,
+    /// Number of bytes (always 32 for EVM words).
+    pub length: usize,
+}
+
+/// Patch a mutable bytecode slice, writing `value` at every listed offset.
+///
+/// # Panics
+///
+/// Panics if any reference extends past the end of `bytecode`.
+pub(crate) fn patch_bytes(bytecode: &mut [u8], refs: &[ImmutableRef], value: &[u8; 32]) {
+    for r in refs {
+        assert!(
+            r.start + r.length <= bytecode.len(),
+            "immutable ref out of bounds: start={} length={} bytecode_len={}",
+            r.start,
+            r.length,
+            bytecode.len()
+        );
+        bytecode[r.start..r.start + r.length].copy_from_slice(value);
+    }
+}
+
+/// Convenience: patch with an ABI-encoded `uint256`.
+pub(crate) fn patch_u256(bytecode: &mut [u8], refs: &[ImmutableRef], val: U256) {
+    let word = B256::from(val);
+    patch_bytes(bytecode, refs, &word.0);
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn patch_single_ref() {
+        let mut bytecode = vec![0u8; 64];
+        let refs = [ImmutableRef {
+            start: 10,
+            length: 32,
+        }];
+        let value = B256::from(U256::from(42u64));
+        patch_bytes(&mut bytecode, &refs, &value.0);
+
+        assert_eq!(bytecode[41], 42);
+        // bytes before are untouched
+        assert_eq!(bytecode[9], 0);
+        // bytes after are untouched
+        assert_eq!(bytecode[42], 0);
+    }
+
+    #[test]
+    #[should_panic(expected = "immutable ref out of bounds")]
+    fn patch_out_of_bounds_panics() {
+        let mut bytecode = vec![0u8; 16];
+        let refs = [ImmutableRef {
+            start: 0,
+            length: 32,
+        }];
+        let value = [0u8; 32];
+        patch_bytes(&mut bytecode, &refs, &value);
+    }
+}

bin/ev-deployer/src/contracts/mod.rs

@@ -1,6 +1,8 @@
 //! Contract bytecode and storage encoding.
 
 pub(crate) mod admin_proxy;
+pub(crate) mod immutables;
+pub(crate) mod permit2;
 
 use alloy_primitives::{Address, Bytes, B256};
 use std::collections::BTreeMap;

bin/ev-deployer/src/genesis.rs

@@ -17,6 +17,11 @@ pub(crate) fn build_alloc(config: &DeployConfig) -> Value {
         insert_contract(&mut alloc, &contract);
     }
 
+    if let Some(ref p2_config) = config.contracts.permit2 {
+        let contract = contracts::permit2::build(p2_config, config.chain.chain_id);
+        insert_contract(&mut alloc, &contract);
+    }
+
     Value::Object(alloc)
 }
 
@@ -102,6 +107,7 @@ mod tests {
                     address: address!("000000000000000000000000000000000000ad00"),
                     owner: address!("f39Fd6e51aad88F6F4ce6aB8827279cffFb92266"),
                 }),
+                permit2: None,
             },
         }
     }

bin/ev-deployer/src/init_template.toml

@@ -14,3 +14,7 @@ chain_id = 0
 # [contracts.admin_proxy]
 # address = "0x000000000000000000000000000000000000Ad00"
 # owner = "0x..."
+
+# Permit2: Uniswap canonical token approval manager.
+# [contracts.permit2]
+# address = "0x000000000022D473030F116dDEE9F6B43aC78BA3"

bin/ev-deployer/src/main.rs

@@ -119,6 +119,12 @@ fn main() -> eyre::Result<()> {
                     .as_ref()
                     .map(|c| c.address)
                     .ok_or_else(|| eyre::eyre!("admin_proxy not configured"))?,
+                "permit2" => cfg
+                    .contracts
+                    .permit2
+                    .as_ref()
+                    .map(|c| c.address)
+                    .ok_or_else(|| eyre::eyre!("permit2 not configured"))?,
                 other => eyre::bail!("unknown contract: {other}"),
             };
 

bin/ev-deployer/src/output.rs

@@ -14,5 +14,12 @@ pub(crate) fn build_manifest(config: &DeployConfig) -> Value {
         );
     }
 
+    if let Some(ref p2) = config.contracts.permit2 {
+        manifest.insert(
+            "permit2".to_string(),
+            Value::String(format!("{}", p2.address)),
+        );
+    }
+
     Value::Object(manifest)
 }

bin/ev-deployer/tests/e2e_genesis.sh

@@ -77,10 +77,12 @@ echo "=== Generating genesis with ev-deployer ==="
 echo "Genesis written to $GENESIS"
 
 # Quick sanity: address should be in the alloc
-grep -q "000000000000000000000000000000000000Ad00" "$GENESIS" \
+grep -qi "000000000000000000000000000000000000Ad00" "$GENESIS" \
     || fail "AdminProxy address not found in genesis"
+grep -qi "000000000022D473030F116dDEE9F6B43aC78BA3" "$GENESIS" \
+    || fail "Permit2 address not found in genesis"
 
-pass "genesis contains AdminProxy address"
+pass "genesis contains all contract addresses"
 
 # ── Step 3: Start ev-reth ────────────────────────────────
 
@@ -125,6 +127,26 @@ expected_owner_slot="0x000000000000000000000000f39fd6e51aad88f6f4ce6ab8827279cff
     || fail "AdminProxy slot 0 (owner) mismatch: got $admin_slot0, expected $expected_owner_slot"
 pass "AdminProxy owner slot 0 = $ADMIN_OWNER"
 
+# ── Step 5: Verify Permit2 ──────────────────────────────
+
+PERMIT2="0x000000000022D473030F116dDEE9F6B43aC78BA3"
+
+echo "=== Verifying Permit2 at $PERMIT2 ==="
+
+# Check code is present
+p2_code=$(rpc_call "eth_getCode" "[\"$PERMIT2\", \"latest\"]")
+[[ "$p2_code" != "0x" && "$p2_code" != "0x0" && ${#p2_code} -gt 10 ]] \
+    || fail "Permit2 has no bytecode (got: $p2_code)"
+pass "Permit2 has bytecode (${#p2_code} hex chars)"
+
+# Call DOMAIN_SEPARATOR() — selector 0x3644e515
+# Should return the cached domain separator matching chain_id=1234 and the contract address
+p2_domain_sep=$(rpc_call "eth_call" "[{\"to\":\"$PERMIT2\",\"data\":\"0x3644e515\"}, \"latest\"]")
+expected_domain_sep="0x6cda538cafce36292a6ef27740629597f85f6716f5694d26d5c59fc1d07cfd95"
+[[ "$(echo "$p2_domain_sep" | tr '[:upper:]' '[:lower:]')" == "$(echo "$expected_domain_sep" | tr '[:upper:]' '[:lower:]')" ]] \
+    || fail "Permit2 DOMAIN_SEPARATOR() mismatch: got $p2_domain_sep, expected $expected_domain_sep"
+pass "Permit2 DOMAIN_SEPARATOR() correct for chain_id=1234"
+
 # ── Done ─────────────────────────────────────────────────
 
 echo ""