From 0d500343ed48c0ec73d9d7b1e3419306a3cab0b7 Mon Sep 17 00:00:00 2001
From: Ed Hennis <ed@ripple.com>
Date: Thu, 4 Sep 2025 14:08:54 -0400
Subject: [PATCH 1/4] New invariant privilege "mayDeleteMPT", used by
 VauleDeposit & Clawback

---
 include/xrpl/protocol/detail/transactions.macro | 4 ++--
 src/xrpld/app/tx/detail/InvariantCheck.cpp      | 9 +++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/include/xrpl/protocol/detail/transactions.macro b/include/xrpl/protocol/detail/transactions.macro
index f9f74d2492..09e1c183b2 100644
--- a/include/xrpl/protocol/detail/transactions.macro
+++ b/include/xrpl/protocol/detail/transactions.macro
@@ -844,7 +844,7 @@ TRANSACTION(ttVAULT_DEPOSIT, 68, VaultDeposit,
 #endif
 TRANSACTION(ttVAULT_WITHDRAW, 69, VaultWithdraw,
     Delegation::delegatable,
-    noPriv,
+    mayDeleteMPT,
     ({
     {sfVaultID, soeREQUIRED},
     {sfAmount, soeREQUIRED, soeMPTSupported},
@@ -858,7 +858,7 @@ TRANSACTION(ttVAULT_WITHDRAW, 69, VaultWithdraw,
 #endif
 TRANSACTION(ttVAULT_CLAWBACK, 70, VaultClawback,
     Delegation::delegatable,
-    noPriv,
+    mayDeleteMPT,
     ({
     {sfVaultID, soeREQUIRED},
     {sfHolder, soeREQUIRED},
diff --git a/src/xrpld/app/tx/detail/InvariantCheck.cpp b/src/xrpld/app/tx/detail/InvariantCheck.cpp
index 201419e149..1a2b69c579 100644
--- a/src/xrpld/app/tx/detail/InvariantCheck.cpp
+++ b/src/xrpld/app/tx/detail/InvariantCheck.cpp
@@ -76,6 +76,8 @@ enum Privilege {
                                 // object (except by issuer)
     mayAuthorizeMPT = 0x0200,   // The transaction MAY create or delete an MPT
                                 // object (except by issuer)
+    mayDeleteMPT =
+        0x0400,  // The transaction MAY delete an MPT object. May not create.
 };
 constexpr Privilege
 operator|(Privilege lhs, Privilege rhs)
@@ -1554,10 +1556,9 @@ ValidMPTIssuance::finalize(
             return true;
         }
 
-        if ((tx.getTxnType() == ttVAULT_CLAWBACK ||
-             tx.getTxnType() == ttVAULT_WITHDRAW) &&
-            mptokensDeleted_ == 1 && mptokensCreated_ == 0 &&
-            mptIssuancesCreated_ == 0 && mptIssuancesDeleted_ == 0)
+        if (hasPrivilege(tx, mayDeleteMPT) && mptokensDeleted_ == 1 &&
+            mptokensCreated_ == 0 && mptIssuancesCreated_ == 0 &&
+            mptIssuancesDeleted_ == 0)
             return true;
     }
 

From 3865dde0b89a778b3bd7d0ebf6c368bbd83ce6c6 Mon Sep 17 00:00:00 2001
From: Ayaz Salikhov <mathbunnyru@users.noreply.github.com>
Date: Thu, 4 Sep 2025 20:26:57 +0100
Subject: [PATCH 2/4] fix: Add missing info to notify-clio workflow (#5761)

* Add missing info to notify-clio workflow, as conan_ref
---
 .github/workflows/notify-clio.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/notify-clio.yml b/.github/workflows/notify-clio.yml
index f7e10de7af..b0e5f35787 100644
--- a/.github/workflows/notify-clio.yml
+++ b/.github/workflows/notify-clio.yml
@@ -50,6 +50,10 @@ jobs:
           echo "channel=pr_${{ github.event.pull_request.number }}" >> "${GITHUB_OUTPUT}"
           echo 'Extracting version.'
           echo "version=$(cat src/libxrpl/protocol/BuildInfo.cpp | grep "versionString =" | awk -F '"' '{print $2}')" >> "${GITHUB_OUTPUT}"
+      - name: Calculate conan reference
+        id: conan_ref
+        run: |
+          echo "conan_ref=${{ steps.generate.outputs.version }}@${{ steps.generate.outputs.user }}/@${{ steps.generate.outputs.channel }}" >> "${GITHUB_OUTPUT}"
       - name: Add Conan remote
         run: |
           echo "Adding Conan remote '${{ inputs.conan_remote_name }}' at ${{ inputs.conan_remote_url }}."
@@ -61,10 +65,9 @@ jobs:
       - name: Upload package
         run: |
           conan export --user=${{ steps.generate.outputs.user }} --channel=${{ steps.generate.outputs.channel }} .
-          conan upload --confirm --check --remote=${{ inputs.conan_remote_name }} xrpl/${{ steps.generate.outputs.version }}@${{ steps.generate.outputs.user }}/${{ steps.generate.outputs.channel }}
+          conan upload --confirm --check --remote=${{ inputs.conan_remote_name }} xrpl/${{ steps.conan_ref.outputs.conan_ref }}
     outputs:
-      channel: ${{ steps.generate.outputs.channel }}
-      version: ${{ steps.generate.outputs.version }}
+      conan_ref: ${{ steps.conan_ref.outputs.conan_ref }}
 
   notify:
     needs: upload
@@ -76,5 +79,5 @@ jobs:
         run: |
           gh api --method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
           /repos/xrplf/clio/dispatches -f "event_type=check_libxrpl" \
-          -F "client_payload[version]=${{ needs.upload.outputs.version }}@${{ needs.upload.outputs.user }}/${{ needs.upload.outputs.channel }}" \
-          -F "client_payload[pr]=${{ github.event.pull_request.number }}"
+          -F "client_payload[conan_ref]=${{ needs.upload.outputs.conan_ref }}" \
+          -F "client_payload[pr_url]=${{ github.event.pull_request.html_url }}"

From 7a78449f6d319e21d5ce09a41d9611cc12a54b2f Mon Sep 17 00:00:00 2001
From: Ed Hennis <ed@ripple.com>
Date: Thu, 4 Sep 2025 15:53:04 -0400
Subject: [PATCH 3/4] Fix minor review feedback from @Bronek

- Clean up assert, log, and comments
---
 src/xrpld/app/tx/detail/Transactor.cpp | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/xrpld/app/tx/detail/Transactor.cpp b/src/xrpld/app/tx/detail/Transactor.cpp
index 14faffd048..6da22de9fb 100644
--- a/src/xrpld/app/tx/detail/Transactor.cpp
+++ b/src/xrpld/app/tx/detail/Transactor.cpp
@@ -685,15 +685,12 @@ Transactor::checkSign(
     }
 
     // Check Single Sign
-    // This ternary is only needed to handle `simulate`
     XRPL_ASSERT(
-        !pkSigner.empty(),
-        "ripple::Transactor::checkSingleSign : non-empty signer or simulation");
+        !pkSigner.empty(), "ripple::Transactor::checkSign : non-empty signer");
 
     if (!publicKeyType(makeSlice(pkSigner)))
     {
-        JLOG(ctx.j.trace())
-            << "checkSingleSign: signing public key type is unknown";
+        JLOG(ctx.j.trace()) << "checkSign: signing public key type is unknown";
         return tefBAD_AUTH;  // FIXME: should be better error!
     }
 
@@ -823,7 +820,6 @@ Transactor::checkSingleSign(
     return tesSUCCESS;
 }
 
-// TODO generalize
 NotTEC
 Transactor::checkMultiSign(
     PreclaimContext const& ctx,

From b0f4174e4790a96de39bd05c19807627b39d2cd8 Mon Sep 17 00:00:00 2001
From: Ayaz Salikhov <mathbunnyru@users.noreply.github.com>
Date: Thu, 4 Sep 2025 21:30:54 +0100
Subject: [PATCH 4/4] chore: Use tooling provided by pre-commit (#5753)

---
 .github/workflows/check-format.yml | 35 +----------------
 .pre-commit-config.yaml            | 60 +++++++++---------------------
 2 files changed, 19 insertions(+), 76 deletions(-)

diff --git a/.github/workflows/check-format.yml b/.github/workflows/check-format.yml
index 359e3e634b..c63589017d 100644
--- a/.github/workflows/check-format.yml
+++ b/.github/workflows/check-format.yml
@@ -17,41 +17,10 @@ jobs:
     runs-on: ubuntu-latest
     container: ghcr.io/xrplf/ci/tools-rippled-pre-commit
     steps:
-      # The $GITHUB_WORKSPACE and ${{ github.workspace }} might not point to the
-      # same directory for jobs running in containers. The actions/checkout step
-      # is *supposed* to checkout into $GITHUB_WORKSPACE and then add it to
-      # safe.directory (see instructions at https://github.com/actions/checkout)
-      # but that is apparently not happening for some container images. We
-      # therefore preemptively add both directories to safe.directory. See also
-      # https://github.com/actions/runner/issues/2058 for more details.
-      - name: Configure git safe.directory
-        run: |
-          git config --global --add safe.directory $GITHUB_WORKSPACE
-          git config --global --add safe.directory ${{ github.workspace }}
       - name: Checkout repository
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
-      - name: Check configuration
-        run: |
-          echo 'Checking path.'
-          echo ${PATH} | tr ':' '\n'
-
-          echo 'Checking environment variables.'
-          env | sort
-
-          echo 'Checking pre-commit version.'
-          pre-commit --version
-
-          echo 'Checking clang-format version.'
-          clang-format --version
-
-          echo 'Checking NPM version.'
-          npm --version
-
-          echo 'Checking Node.js version.'
-          node --version
-
-          echo 'Checking prettier version.'
-          prettier --version
+      - name: Prepare runner
+        uses: XRPLF/actions/.github/actions/prepare-runner@638e0dc11ea230f91bd26622fb542116bb5254d5
       - name: Format code
         run: pre-commit run --show-diff-on-failure --color=always --all-files
       - name: Check for differences
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 223c324a8c..85568a8b2e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,18 +1,5 @@
 # To run pre-commit hooks, first install pre-commit:
 # - `pip install pre-commit==${PRE_COMMIT_VERSION}`
-# - `pip install pre-commit-hooks==${PRE_COMMIT_HOOKS_VERSION}`
-#
-# Depending on your system, you can use `brew install` or `apt install` as well
-# for installing the pre-commit package, but `pip` is needed to install the
-# hooks; you can also use `pipx` if you prefer.
-# Next, install the required formatters:
-# - `pip install clang-format==${CLANG_VERSION}`
-# - `npm install prettier@${PRETTIER_VERSION}`
-#
-# See https://github.com/XRPLF/ci/blob/main/.github/workflows/tools-rippled.yml
-# for the versions used in the CI pipeline. You will need to have the exact same
-# versions of the tools installed on your system to produce the same results as
-# the pipeline.
 #
 # Then, run the following command to install the git hook scripts:
 # - `pre-commit install`
@@ -20,42 +7,29 @@
 # - `pre-commit run --all-files`
 # To manually run a specific hook, use:
 # - `pre-commit run <hook_id> --all-files`
-# To run the hooks against only the files changed in the current commit, use:
+# To run the hooks against only the staged files, use:
 # - `pre-commit run`
 repos:
-  - repo: local
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: mixed-line-ending
+      - id: check-merge-conflict
+        args: [--assume-in-merge]
+
+  - repo: https://github.com/pre-commit/mirrors-clang-format
+    rev: 7d85583be209cb547946c82fbe51f4bc5dd1d017 # frozen: v18.1.8
     hooks:
       - id: clang-format
-        name: clang-format
-        language: system
-        entry: clang-format -i
-        files: '\.(cpp|hpp|h|ipp|proto)$'
-      - id: trailing-whitespace
-        name: trailing-whitespace
-        entry: trailing-whitespace-fixer
-        language: system
-        types: [text]
-      - id: end-of-file
-        name: end-of-file
-        entry: end-of-file-fixer
-        language: system
-        types: [text]
-      - id: mixed-line-ending
-        name: mixed-line-ending
-        entry: mixed-line-ending
-        language: system
-        types: [text]
-      - id: check-merge-conflict
-        name: check-merge-conflict
-        entry: check-merge-conflict --assume-in-merge
-        language: system
-        types: [text]
-  - repo: local
+        args: [--style=file]
+        "types_or": [c++, c, proto]
+
+  - repo: https://github.com/rbubley/mirrors-prettier
+    rev: 5ba47274f9b181bce26a5150a725577f3c336011 # frozen: v3.6.2
     hooks:
       - id: prettier
-        name: prettier
-        language: system
-        entry: prettier --ignore-unknown --write
 
 exclude: |
   (?x)^(