Upgrade from v0.15.0 to v1.4.1

.env.sample

@@ -4,10 +4,20 @@ AMQP_EXCHANGE=safe-transaction-service-events
 AMQP_QUEUE=safe-events-service
 ADMIN_EMAIL=admin@safe
 ADMIN_PASSWORD=password
+ADMIN_COOKIE_SECRET=change-me-in-production
+ADMIN_SESSION_SECRET=change-me-in-production
 WEBHOOKS_CACHE_TTL=300000
 NODE_ENV=dev
 SSE_AUTH_TOKEN=aW5mcmFAc2FmZS5nbG9iYWw6YWJjMTIz
 DATABASE_SSL_ENABLED=false
 ADMIN_WEBHOOK_AUTH=super-secret-token
 # DATABASE_CA_PATH=/path/of/db/certificate
-# URL_BASE_PATH=/test  # Set a globlal url path
+# URL_BASE_PATH=/test  # Set a global url path
+# HTTP_TIMEOUT=5000  # Webhook HTTP client timeout in milliseconds (default: 5000)
+# HTTP_MAX_RETRIES=2  # Max retry attempts for transient errors/5xx responses (default: 2)
+# DB_HEALTH_CHECK_TIMEOUT=5000  # Database health check timeout in milliseconds (default: 5000)
+# AMQP_PREFETCH_MESSAGES=100  # RabbitMQ prefetch message count (default: 10)
+# WEBHOOK_AUTO_DISABLE=false  # Auto-disable webhooks exceeding the failure threshold (default: false)
+# WEBHOOK_FAILURE_THRESHOLD=90  # Failure rate percentage to trigger auto-disable (default: 90)
+# WEBHOOK_HEALTH_MINUTES_WINDOW=60  # Rolling window in minutes for webhook health stats (default: 60)
+# LOG_LEVEL=log  # Logging level: verbose, debug, log, warn, error, fatal (default: log)

.github/CODEOWNERS

@@ -1,3 +1,3 @@
 # These owners will be the default owners for everything in
 # the repo. Unless a later match takes precedence.
-* @safe-global/mainframe
+* @safe-global/platform

.github/workflows/ci.yml

@@ -7,30 +7,44 @@ on:
   release:
     types: [released]
 
+permissions: {}
+
 jobs:
   format:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '22.x'
-          cache: 'npm'
-      - run: npm i
-      - run: npm run format
+          node-version: '24.x'
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
+        env:
+          HUSKY: 0
+      - run: pnpm run format
 
   lint:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '22.x'
-          cache: 'npm'
-      - run: npm i
-      - run: npm run lint
+          node-version: '24.x'
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
+        env:
+          HUSKY: 0
+      - run: pnpm run lint
 
   db-migrations:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     services:
       postgres:
@@ -48,18 +62,23 @@ jobs:
           - 5433:5432
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '22.x'
-          cache: 'npm'
-      - run: npm i
+          node-version: '24.x'
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
+        env:
+          HUSKY: 0
       - run: cp .env.sample .env
-      - run: npm run build
+      - run: pnpm run build
       - run: bash ./scripts/db_run_migrations.sh
       - run: bash ./scripts/db_check_migrations.sh
 
   tests:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     services:
       postgres:
@@ -90,52 +109,59 @@ jobs:
       matrix:
         task: ['test:cov', 'test:e2e:cov']
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: '22.x'
-          cache: 'npm'
-      - run: npm i
+          node-version: '24.x'
+          cache: 'pnpm'
+      - run: pnpm install --frozen-lockfile
+        env:
+          HUSKY: 0
       - run: cp .env.sample .env
-      - run: npm run build
-      - run: npm run ${{matrix.task}}
+      - run: pnpm run build
+      - run: pnpm run ${{matrix.task}}
       - name: Coveralls Parallel
-        uses: coverallsapp/github-action@v2.3.6
+        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           flag-name: run-${{ matrix.task }}
           parallel: true
 
   tests-finish:
+    permissions:
+      contents: read
     needs: tests
     runs-on: ubuntu-latest
     steps:
       - name: Coveralls Finished
-        uses: coverallsapp/github-action@v2.3.6
+        uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           parallel-finished: true
 
   docker-publish:
+    permissions:
+      contents: read
     if: github.ref == 'refs/heads/main' || (github.event_name == 'release' && github.event.action == 'released')
     needs:
       - format
       - lint
       - tests
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.6.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
         with:
           platforms: arm64
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/login-action@v3
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Deploy main
         if: github.ref == 'refs/heads/main'
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           platforms: linux/amd64,linux/arm64
           push: true
@@ -144,7 +170,7 @@ jobs:
           cache-to: type=gha,mode=max
       - name: Deploy Tag
         if: (github.event_name == 'release' && github.event.action == 'released')
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           platforms: linux/amd64,linux/arm64
           push: true
@@ -155,11 +181,13 @@ jobs:
           cache-to: type=gha,mode=max
 
   autodeploy:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     needs: [docker-publish]
     if: github.ref == 'refs/heads/main'
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: Deploy Staging
       if: github.ref == 'refs/heads/main'
       run: bash scripts/autodeploy.sh

.github/workflows/cla.yml

@@ -5,14 +5,18 @@ on:
   pull_request_target:
     types: [opened, closed, synchronize]
 
+permissions: {}
+
 jobs:
   CLAAssistant:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: 'CLA Assistant'
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
         # Beta Release
-        uses: contributor-assistant/github-action@v2.6.1
+        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # the below token should have repo scope and must be manually added by you in the repository's secret

.npmrc

@@ -0,0 +1,5 @@
+# adminjs creates a virtual Babel entry file at the project root to resolve its
+# .babelrc.json at runtime. pnpm strict hoisting prevents Babel from finding
+# adminjs's own babel plugins from that path, so we hoist them to root node_modules.
+public-hoist-pattern[]=@babel/plugin-syntax-import-assertions
+public-hoist-pattern[]=@babel/plugin-syntax-import-attributes

.vscode/launch.json

@@ -8,22 +8,16 @@
       "type": "node",
       "request": "launch",
       "name": "Launch Program",
-      "skipFiles": [
-        "<node_internals>/**"
-      ],
+      "skipFiles": ["<node_internals>/**"],
       "program": "${workspaceFolder}/src/main.ts",
       "preLaunchTask": "tsc: build - tsconfig.json",
-      "outFiles": [
-        "${workspaceFolder}/dist/**/*.js"
-      ]
+      "outFiles": ["${workspaceFolder}/dist/**/*.js"]
     },
     {
       "type": "node",
       "request": "launch",
       "name": "Debug tests",
-      "skipFiles": [
-        "<node_internals>/**"
-      ],
+      "skipFiles": ["<node_internals>/**"],
       "runtimeArgs": [
         "--inspect-brk",
         "${workspaceRoot}/node_modules/.bin/jest",
@@ -37,9 +31,7 @@
       "type": "node",
       "request": "launch",
       "name": "Debug current test file",
-      "skipFiles": [
-        "<node_internals>/**"
-      ],
+      "skipFiles": ["<node_internals>/**"],
       "runtimeArgs": [
         "--inspect-brk",
         "${workspaceRoot}/node_modules/.bin/jest",
@@ -54,9 +46,7 @@
       "type": "node",
       "request": "launch",
       "name": "Debug current E2E test file",
-      "skipFiles": [
-        "<node_internals>/**"
-      ],
+      "skipFiles": ["<node_internals>/**"],
       "runtimeArgs": [
         "--inspect-brk",
         "${workspaceRoot}/node_modules/.bin/jest",
@@ -68,4 +58,4 @@
       "console": "integratedTerminal"
     }
   ]
-}
+}

CONTRIBUTING.md

@@ -0,0 +1,30 @@
+# Contributing
+
+Thanks for your interest in contributing to this repository.
+
+## Licensing and CLA
+
+This repository contains code under two licensing regimes, split by a cut-over
+date:
+
+- Up to and including February 16, 2026:
+  Copyright (c) Safe Ecosystem Foundation, licensed under the MIT License.
+- From February 17, 2026 onward:
+  Copyright (c) Safe Labs GmbH, licensed under the Functional Source License
+  v1.1 (MIT Future License).
+
+By submitting a pull request, you agree that your contribution will be licensed
+under the regime applicable at the time your pull request is merged.
+
+For contributions merged on or after February 17, 2026, acceptance of the Safe
+Labs Contributor License Agreement (CLA) is required and enforced via CI.
+
+For details, see:
+- `LICENSE`
+- `NOTICE`
+
+## Process
+
+- Open an issue or pull request with a clear description of your change.
+- Keep pull requests focused and minimal.
+- Follow the guidance in `README.md`.