Fix verified issues across 8 skills from multi-agent audit (#4)

- certified-variables: Add missing Cargo.toml headers, HTTP cert API warning
- https-outcalls: Fix Motoko Blob API (fromArray/toArray/empty), Rust import path
- icrc-ledger: Add transient keyword, pin wasm/candid URLs
- internet-identity: Remove invalid .unwrap() on StableCell::set()
- multi-canister: Fix nested RefCell panic, ic-cdk 0.18 type names
- sns-launch: Fix quill→dfx CLI commands, token math
- vetkd: Fix git URL, version 0.6.0, determinism test claim
- wallet: Fix ic-cdk 0.18 type names and call signatures

Author: JoshDFN

public/llms-full.txt

@@ -377,6 +377,14 @@ CLIENT VERIFICATION:
 **Cargo.toml:**
 
 ```toml
+[package]
+name = "certified_vars_backend"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+crate-type = ["cdylib"]
+
 [dependencies]
 candid = "0.10"
 ic-cdk = "0.18"
@@ -496,12 +504,22 @@ For canisters serving HTTP responses directly (not through the asset canister),
 **Additional Cargo.toml dependency:**
 
 ```toml
+[package]
+name = "http_certified_backend"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+crate-type = ["cdylib"]
+
 [dependencies]
 ic-http-certification = "2.6"
 ```
 
 **Certifying HTTP responses:**
 
+> **Note:** The HTTP certification API is evolving rapidly. Verify these examples against the latest [ic-http-certification docs](https://docs.rs/ic-http-certification) before use.
+
 ```rust
 use ic_http_certification::{
     HttpCertification, HttpCertificationTree, HttpCertificationTreeEntry,
@@ -2431,7 +2449,6 @@ import Blob "mo:core/Blob";
 import Nat64 "mo:core/Nat64";
 import Text "mo:core/Text";
 import Runtime "mo:core/Runtime";
-import Iter "mo:core/Iter";
 
 persistent actor {
 
@@ -2502,7 +2519,7 @@ persistent actor {
       method = #get;
       transform = ?{
         function = transform;
-        context = Blob.fromIter(Iter.empty());
+        context = Blob.empty();
       };
     };
 
@@ -2511,7 +2528,7 @@ persistent actor {
     let response = await (with cycles = 200_000_000) ic.http_request(request);
 
     // Decode the response body
-    let bodyBlob = Blob.fromIter(Iter.fromArray(response.body));
+    let bodyBlob = Blob.fromArray(response.body);
     let body = Text.decodeUtf8(bodyBlob);
     switch (body) {
       case (?text) { text };
@@ -2523,7 +2540,7 @@ persistent actor {
   public func postData(jsonPayload : Text) : async Text {
     let url = "https://httpbin.org/post";
 
-    let bodyBytes = Iter.toArray(Blob.values(Text.encodeUtf8(jsonPayload)));
+    let bodyBytes = Blob.toArray(Text.encodeUtf8(jsonPayload));
 
     let request : HttpRequestArgs = {
       url = url;
@@ -2538,14 +2555,14 @@ persistent actor {
       method = #post;
       transform = ?{
         function = transform;
-        context = Blob.fromIter(Iter.empty());
+        context = Blob.empty();
       };
     };
 
     // POST may cost more due to request body size
     let response = await (with cycles = 300_000_000) ic.http_request(request);
 
-    let bodyBlob = Blob.fromIter(Iter.fromArray(response.body));
+    let bodyBlob = Blob.fromArray(response.body);
     let body = Text.decodeUtf8(bodyBlob);
     switch (body) {
       case (?text) { text };
@@ -2575,7 +2592,7 @@ serde_json = "1"
 ```
 
 ```rust
-use ic_cdk::management_canister::http_request::{
+use ic_cdk::api::management_canister::http_request::{
     http_request, CanisterHttpRequestArgument, HttpHeader, HttpMethod, HttpResponse,
     TransformArgs, TransformContext, TransformFunc,
 };
@@ -2973,7 +2990,7 @@ persistent actor {
   };
 
   // Remote ledger actor reference (ICP ledger shown; swap canister ID for other tokens)
-  let icpLedger = actor ("ryjl3-tyaaa-aaaaa-aaaba-cai") : actor {
+  transient let icpLedger = actor ("ryjl3-tyaaa-aaaaa-aaaba-cai") : actor {
     icrc1_balance_of : shared query (Account) -> async Nat;
     icrc1_transfer : shared (TransferArg) -> async { #Ok : Nat; #Err : TransferError };
     icrc2_approve : shared (ApproveArg) -> async { #Ok : Nat; #Err : ApproveError };
@@ -3214,13 +3231,15 @@ async fn transfer_from(from: Principal, to: Principal, amount: Nat) -> Result<Na
 
 Add to `icp.json`:
 
+Pin the release hash before deploying: get the latest hash from https://dashboard.internetcomputer.org/releases, then substitute it for `<RELEASE_HASH>` in both URLs below.
+
 ```json
 {
   "canisters": {
     "icrc1_ledger": {
       "type": "custom",
-      "candid": "https://raw.githubusercontent.com/dfinity/ic/master/rs/ledger_suite/icrc1/ledger/ledger.did",
-      "wasm": "https://download.dfinity.systems/ic/master/canisters/ic-icrc1-ledger.wasm.gz",
+      "candid": "https://raw.githubusercontent.com/dfinity/ic/<RELEASE_HASH>/rs/ledger_suite/icrc1/ledger/ledger.did",
+      "wasm": "https://download.dfinity.systems/ic/<RELEASE_HASH>/canisters/ic-icrc1-ledger.wasm.gz",
       "init_arg_file": "icrc1_ledger_init.args"
     }
   }
@@ -3628,7 +3647,7 @@ fn init_owner() -> String {
         let mut cell = owner.borrow_mut();
         match cell.get() {
             None => {
-                cell.set(Some(caller)).unwrap();
+                cell.set(Some(caller));
                 format!("Owner set to {}", caller)
             }
             Some(_) => "Owner already initialized".to_string(),
@@ -4177,19 +4196,17 @@ fn register(username: String) -> Result<UserProfile, String> {
 
     let key = principal_to_key(&caller);
     USERS.with(|users| {
-        let users = users.borrow();
-        if users.contains_key(&key) {
+        if users.borrow().contains_key(&key) {
             return Err("Already exists".to_string());
         }
-        drop(users);
 
         let profile = UserProfile {
             id: caller,
             username,
             created: ic_cdk::api::time() as i64,
         };
         let bytes = serialize_profile(&profile);
-        USERS.with(|u| u.borrow_mut().insert(key, bytes));
+        users.borrow_mut().insert(key, bytes);
         Ok(profile)
     })
 }
@@ -4493,9 +4510,9 @@ persistent actor Self {
 
 ```rust
 use candid::{CandidType, Deserialize, Principal, encode_one};
-use ic_cdk::management_canister::main::{
+use ic_cdk::management_canister::{
     create_canister, install_code,
-    CreateCanisterArgument, InstallCodeArgument, CanisterInstallMode, CanisterSettings,
+    CreateCanisterArgs, InstallCodeArgs, CanisterInstallMode, CanisterSettings,
 };
 use ic_cdk::update;
 use ic_stable_structures::memory_manager::{MemoryId, MemoryManager, VirtualMemory};
@@ -4522,7 +4539,7 @@ async fn create_child_canister(wasm_module: Vec<u8>) -> Principal {
     assert_ne!(caller, Principal::anonymous(), "Auth required");
 
     // Create canister
-    let create_args = CreateCanisterArgument {
+    let create_args = CreateCanisterArgs {
         settings: Some(CanisterSettings {
             controllers: Some(vec![ic_cdk::id(), caller]),
             compute_allocation: None,
@@ -4535,21 +4552,21 @@ async fn create_child_canister(wasm_module: Vec<u8>) -> Principal {
     };
 
     // Attach 1T cycles for the new canister
-    let (create_result,) = create_canister(create_args, 1_000_000_000_000u128)
+    let create_result = create_canister(&create_args, 1_000_000_000_000u128)
         .await
         .expect("Failed to create canister");
 
     let canister_id = create_result.canister_id;
 
     // Install code
-    let install_args = InstallCodeArgument {
+    let install_args = InstallCodeArgs {
         mode: CanisterInstallMode::Install,
         canister_id,
         wasm_module,
         arg: encode_one(&caller).unwrap(), // Pass owner as init arg
     };
 
-    install_code(install_args)
+    install_code(&install_args)
         .await
         .expect("Failed to install code");
 
@@ -4725,7 +4742,7 @@ dependencies: [icrc-ledger, multi-canister]
 ---
 
 # SNS DAO Launch
-> version: 1.8.0 | requires: [icp-cli >= 0.1.0, quill CLI, NNS neuron with stake]
+> version: 1.8.0 | requires: [icp-cli >= 0.1.0, dfx sns extension, NNS neuron with stake]
 
 ## What This Is
 
@@ -4734,7 +4751,7 @@ Service Nervous System (SNS) is the DAO framework for decentralizing individual
 ## Prerequisites
 
 - `icp-cli` >= 0.1.0 (`brew install dfinity/tap/icp-cli`)
-- `quill` CLI for proposal submission (`quill sns make-proposal` is the recommended approach)
+- `dfx` with the sns extension (`dfx extension install sns`) for prepare-canisters, validate, and propose
 - An NNS neuron with sufficient stake to submit proposals (mainnet)
 - Dapp canisters already deployed and working on mainnet
 - `sns_init.yaml` configuration file with all parameters defined
@@ -4891,7 +4908,7 @@ Swap:
 ```
 Stage 1:  Developer defines parameters in sns_init.yaml
 Stage 2:  Developer adds NNS Root as co-controller of dapp canisters
-Stage 3:  Developer submits NNS proposal using `quill sns make-proposal`
+Stage 3:  Developer submits NNS proposal using `dfx sns propose`
 Stage 4:  NNS community votes on the proposal
 Stage 5:  (If adopted) SNS-W deploys uninitialized SNS canisters
 Stage 6:  SNS Root becomes sole controller of dapp canisters
@@ -5058,17 +5075,17 @@ icp deploy my_frontend
 
 ```bash
 # Step 1: Add NNS Root as co-controller of each dapp canister
-# Use quill to add NNS Root as co-controller:
-quill sns prepare-canisters add-nns-root BACKEND_CANISTER_ID --network ic
-quill sns prepare-canisters add-nns-root FRONTEND_CANISTER_ID --network ic
+# Requires dfx sns extension: `dfx extension install sns`
+dfx sns prepare-canisters add-nns-root BACKEND_CANISTER_ID --network ic
+dfx sns prepare-canisters add-nns-root FRONTEND_CANISTER_ID --network ic
 
 # Step 2: Validate your config locally before submitting
-sns-cli validate --init-config-file sns_init.yaml
+dfx sns init-config-file validate
 # Or review the rendered proposal by inspecting the yaml output carefully.
 # You can also test the full flow on a local replica first (see Local Testing above).
 
 # Step 3: Submit the proposal (THIS IS IRREVERSIBLE — double-check your config)
-quill sns make-proposal --network ic --neuron-id NEURON_ID sns_init.yaml
+dfx sns propose --network ic --neuron $NEURON_ID sns_init.yaml
 ```
 
 ## Verify It Works
@@ -5622,9 +5639,9 @@ serde_bytes = "0.11"
 
 # Option A: Use the high-level ic-vetkeys library (if available on crates.io)
 # ⚠ Verify this crate exists before adding. If not published, use a git dependency:
-# ic-vetkeys = { git = "https://github.com/dfinity/examples", branch = "master" }
+# ic-vetkeys = { git = "https://github.com/dfinity/ic-vetkeys" }
 # Or use Option B (raw canister calls) which has no extra dependency.
-ic-vetkeys = "0.1"
+ic-vetkeys = "0.6.0"
 
 # Option B: Call management canister directly (lower level, always works)
 # No extra dependency -- use ic_cdk::api::call::call_with_payment128
@@ -5918,9 +5935,10 @@ icp canister call backend getPublicKey '()'
 icp canister call backend deriveKey '(blob "\00\01...")'
 # Expected: (blob "\12\34\56...")  -- encrypted key material
 
-# 3. Verify determinism: same inputs produce same output
-# Call deriveKey twice with identical transport key
-# Expected: identical encrypted_key blobs both times
+# 3. Note: vetkd_derive_key uses randomized encryption — the encrypted blobs DIFFER each call.
+# The underlying derived key is deterministic (same canister/context/input always produces the same key),
+# but the encrypted_key blob varies because a fresh random nonce is used each time.
+# To verify the underlying key is correct, decrypt both blobs with the transport secret and confirm they match.
 
 # 4. Verify isolation: different callers get different keys
 icp identity new test-user-1 --storage-mode=plaintext
@@ -6139,8 +6157,8 @@ use candid::{CandidType, Deserialize, Nat, Principal};
 use ic_cdk::update;
 use ic_cdk::management_canister::{
     create_canister, canister_status, deposit_cycles, stop_canister, delete_canister,
-    CreateCanisterArgument, CanisterIdRecord,
-    CanisterSettings, CanisterStatusResponse,
+    CreateCanisterArgs, CanisterStatusArgs, DepositCyclesArgs, StopCanisterArgs, DeleteCanisterArgs,
+    CanisterSettings, CanisterStatusResult,
 };
 
 #[update]
@@ -6157,40 +6175,39 @@ async fn create_new_canister() -> Principal {
         wasm_memory_limit: None,
     };
 
-    let arg = CreateCanisterArgument {
+    let arg = CreateCanisterArgs {
         settings: Some(settings),
     };
 
     // Send 1T cycles with the create call
-    let (result,) = create_canister(arg, 1_000_000_000_000u128)
+    let result = create_canister(&arg, 1_000_000_000_000u128)
         .await
         .expect("Failed to create canister");
 
     result.canister_id
 }
 
 #[update]
-async fn check_status(canister_id: Principal) -> CanisterStatusResponse {
-    let (status,) = canister_status(CanisterIdRecord { canister_id })
+async fn check_status(canister_id: Principal) -> CanisterStatusResult {
+    canister_status(&CanisterStatusArgs { canister_id })
         .await
-        .expect("Failed to get canister status");
-    status
+        .expect("Failed to get canister status")
 }
 
 #[update]
 async fn top_up(canister_id: Principal, amount: u128) {
-    deposit_cycles(CanisterIdRecord { canister_id }, amount)
+    deposit_cycles(&DepositCyclesArgs { canister_id }, amount)
         .await
         .expect("Failed to deposit cycles");
 }
 
 #[update]
 async fn stop_and_delete(canister_id: Principal) {
-    stop_canister(CanisterIdRecord { canister_id })
+    stop_canister(&StopCanisterArgs { canister_id })
         .await
         .expect("Failed to stop canister");
 
-    delete_canister(CanisterIdRecord { canister_id })
+    delete_canister(&DeleteCanisterArgs { canister_id })
         .await
         .expect("Failed to delete canister");
 }

skills/certified-variables/SKILL.md

@@ -78,6 +78,14 @@ CLIENT VERIFICATION:
 **Cargo.toml:**
 
 ```toml
+[package]
+name = "certified_vars_backend"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+crate-type = ["cdylib"]
+
 [dependencies]
 candid = "0.10"
 ic-cdk = "0.18"
@@ -197,12 +205,22 @@ For canisters serving HTTP responses directly (not through the asset canister),
 **Additional Cargo.toml dependency:**
 
 ```toml
+[package]
+name = "http_certified_backend"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+crate-type = ["cdylib"]
+
 [dependencies]
 ic-http-certification = "2.6"
 ```
 
 **Certifying HTTP responses:**
 
+> **Note:** The HTTP certification API is evolving rapidly. Verify these examples against the latest [ic-http-certification docs](https://docs.rs/ic-http-certification) before use.
+
 ```rust
 use ic_http_certification::{
     HttpCertification, HttpCertificationTree, HttpCertificationTreeEntry,