feat: move watchdog to atomic on-chain rescue v1 (breaking)

[felipecsl]

Summary

• replace repay-based watchdog flow with atomic on-chain rescue submission
• add Foundry Solidity package with AaveAtomicRescueV1, deploy script, and contract tests
• migrate watchdog config/schema/UI to rescue-specific fields (breaking)
• update docs and ops runbook for rescue v1

Breaking changes

• watchdog config shape changed: removes repay-specific fields and adds rescue fields (minResultingHF, maxTopUpWbtc, deadlineSeconds, rescueContract)
• server watchdog behavior now uses WBTC top-up rescue path only

Validation

• yarn lint
• yarn format
• yarn typecheck
• yarn test
• yarn test:contracts (not executable in this environment: forge missing)

[Copilot]

Pull request overview

This PR replaces the multi-transaction repay-based watchdog flow with an atomic on-chain rescue system (v1). The watchdog now computes a WBTC collateral top-up amount off-chain and submits a single rescue(...) transaction to a dedicated Solidity contract that atomically supplies collateral and verifies the resulting health factor.

Changes:

• Added AaveAtomicRescueV1 Solidity contract with Foundry tests and deploy script for atomic WBTC collateral top-up rescue
• Migrated watchdog config, schema, UI, and server logic from repay-specific fields (maxRepayUsd) to rescue-specific fields (minResultingHF, maxTopUpWbtc, deadlineSeconds, rescueContract)
• Updated documentation, ops runbook, CI pipeline, and tests to reflect the new rescue v1 behavior

Reviewed changes

Copilot reviewed 27 out of 30 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
packages/rescue-contract/src/AaveAtomicRescueV1.sol	New Solidity contract for atomic Aave rescue via collateral supply
packages/rescue-contract/test/AaveAtomicRescueV1.t.sol	Foundry unit tests for rescue contract
packages/rescue-contract/script/DeployAaveAtomicRescueV1.s.sol	Foundry deploy script
packages/rescue-contract/foundry.toml	Foundry project config
packages/rescue-contract/foundry.lock	Foundry dependency lock
packages/rescue-contract/README.md	Package documentation
packages/rescue-contract/lib/forge-std	forge-std submodule
packages/server/src/watchdog.ts	Replaced repay logic with atomic rescue planner/submitter
packages/server/src/storage.ts	Added env overrides for new watchdog fields
packages/server/src/runtime.ts	Added validation and formatting for new fields
packages/server/src/monitor.ts	Removed walletStablecoinBalances from evaluate call
packages/server/src/index.ts	Updated Zod schema for new watchdog fields
packages/server/test/watchdog.test.ts	Rewrote tests for rescue flow
packages/server/test/storage.test.ts	Updated tests for new config fields
packages/server/test/runtime.test.ts	Updated tests for new validation and formatting
packages/aave-core/src/types.ts	Added new watchdog config type fields
packages/aave-core/src/metrics.ts	Removed computeRepaymentAmount
packages/aave-core/src/index.ts	Removed export of computeRepaymentAmount
packages/aave-core/src/constants.ts	Updated default watchdog config values
src/components/ServerSettings.tsx	Added UI controls for new rescue config fields
docs/watchdog-user-manual.md	Rewrote for rescue v1
docs/rescue-v1-ops.md	New ops runbook
plans/rescue-v1.md	Design plan document
CLAUDE.md	Updated agent instructions
README.md	Updated project docs
package.json	Added test:contracts and deploy scripts
.github/workflows/ci.yml	Added Foundry setup and contract tests
.gitmodules	Added forge-std submodule
.gitignore	Added Foundry build artifacts

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

_forceApprove approves only the exact amount needed for the current rescue. If there's any token dust left after pool.supply (e.g., due to rounding), a stale non-zero approval will remain for the Aave pool. More importantly, approving only the exact amount means every rescue call will re-approve. Consider approving type(uint256).max once (as is common for Aave interactions) or explicitly resetting to 0 after the supply call to avoid dangling approvals.

Suggested change

	bool ok = IERC20(asset).approve(spender, amount);
	bool ok = IERC20(asset).approve(spender, type(uint256).max);

[Copilot]

value.toFixed(18) can produce unexpected results for values like 1.85 due to floating-point representation. For example, (1.85).toFixed(18) yields "1.849999999999999956", which when parsed to 18 decimal wad will be slightly less than the intended 1.85e18. This could cause the projectedHFWad < minHFWad comparison to produce incorrect results (e.g., treating a HF of exactly 1.85 as below the minimum). Consider using a string-based approach or rounding to fewer significant decimals (e.g., value.toFixed(4)) before parsing.

Suggested change

	return parseUnits(value.toFixed(18), 18);
	// Round to 4 decimal places to avoid floating-point artifacts like 1.849999999999999956
	return parseUnits(value.toFixed(4), 18);

[Copilot]

The new env overrides for WATCHDOG_MIN_RESULTING_HF and WATCHDOG_MAX_TOP_UP_WBTC are added, but WATCHDOG_DEADLINE_SECONDS and WATCHDOG_RESCUE_CONTRACT (referenced as rescueContract in the config) are not present as env overrides, while the docs in CLAUDE.md only mention the two added here. Consider whether deadlineSeconds and rescueContract should also have env overrides for consistency, or document why they are intentionally excluded.

Suggested change

	if (maxTopUpWbtc !== undefined) watchdog.maxTopUpWbtc = maxTopUpWbtc;
	if (maxTopUpWbtc !== undefined) watchdog.maxTopUpWbtc = maxTopUpWbtc;
	const deadlineSecondsRaw = process.env['WATCHDOG_DEADLINE_SECONDS'];
	if (deadlineSecondsRaw) {
	const parsedDeadline = Number(deadlineSecondsRaw.trim());
	if (Number.isFinite(parsedDeadline) && parsedDeadline > 0) {
	// eslint-disable-next-line @typescript-eslint/no-explicit-any
	(watchdog as any).deadlineSeconds = parsedDeadline;
	}
	}
	const rescueContractEnv = process.env['WATCHDOG_RESCUE_CONTRACT'];
	if (rescueContractEnv && rescueContractEnv.trim()) {
	// eslint-disable-next-line @typescript-eslint/no-explicit-any
	(watchdog as any).rescueContract = rescueContractEnv.trim();
	}

[Copilot]

The comment on line 352 states "HF is linear in amount" to justify the two-point interpolation. However, HF as a function of added collateral amount is not strictly linear — it depends on the weighted average liquidation threshold, which changes as new collateral is added (the new asset's LT may differ from the existing weighted LT). The linear approximation works reasonably well for small amounts relative to total collateral, but the comment should note this is an approximation, not an exact relationship.

[Copilot]

totalBorrowedUsd is set to 1_600 (with underscore separator = 1600) but borrowed.amount and borrowed.usdValue on lines 34 and 36 are set to 1600 (no underscore). These values match, but note that the HF for this loan would be (3200 * 0.75) / 1600 = 1.5, which is below the default triggerHF of 1.65. This is intentional for triggering the watchdog in tests, but worth confirming the test fixture produces the expected HF. The fixture is consistent.

[Copilot]

The MockPool.supply always adds a fixed 0.2e18 to healthFactor regardless of the amount supplied. This means test_preview_increases_with_amount (line 233) passes only because previewResultingHF is a pure calculation that doesn't call supply, but the actual rescue execution path cannot meaningfully test that different amounts produce different HF outcomes. Consider making the mock's HF increase proportional to amount for more realistic coverage of the rescue path.

Suggested change

	data.healthFactor += 0.2e18;
	// Make health factor change proportional to the supplied amount for more realistic testing
	data.healthFactor += amount / 100;