Re-export vault registry: add DeBlock steakusdc OAVs + global refresh

[ajag408]

Summary by CodeRabbit

• Chores
  • Version bumped to 1.2.6 (patch release)

Re-exports vault-registry.json from production GET /v1/shield/registry (last export was 2026-03-23, now 2026-06-18). This picks up two DeBlock allocator vaults (OAVs) on the base-usdc-steakusdc yield that were deployed 2026-06-08, plus other vaults onboarded across all clients since the last export.

New DeBlock OAVs now whitelisted:

• 0x3090DA9cA38f8412BC7d3542406af866F9EBE962 (feeConfig 8fb60a73)
• 0x570Ad4ba8DBE4197a34E6d0edcf01b17C7EDa28B (feeConfig cb8476e9)

Why

DeBlock withdraws routed through these two OAVs were failing Shield validation with "Vault address not whitelisted" in production (MONITOR mode, Betterstack). The OAVs are LIVE in the DB but were added after the last registry export, so the embedded registry didn't know about them. This is the same OAV-churn failure class as the Apr 29 Trust campaign incident — the static registry goes stale whenever a new allocator vault is deployed on an already-enabled yield.

Changes

• src/validators/evm/erc4626/vault-registry.json — re-exported (1,516 → 1,607 vaults)
• Re-applied the BSC/WBNB isWethVault: true patch post-export (export doesn't set it correctly for WBNB-input vaults on chainId 56)
• Version bump 1.2.5 → 1.2.6

Verification

• Confirmed both OAVs absent from the old registry, present in the new export under the steakusdc yield's allocatorVaults
• Diff is additive — no yields removed (verified via comm on sorted yieldId sets); the only non-addition is a reordering within one yield's allocatorVaults array
• WBNB patch re-applied and verified (BSC/WBNB vaults flagged isWethVault: true)
• pnpm test vault-registry passes

Follow-up

• After merge + npm publish: bump @yieldxyz/shield to 1.2.6 in apps/api + apps/yield-api in the monorepo, deploy, and confirm the DeBlock "Vault address not whitelisted" false positives stop in Betterstack
• Systemic fix tracked separately: Phase 1 runtime injection via ValidationContext.feeConfiguration, so the embedded registry is no longer the single source of OAV staleness

[coderabbitai]

📝 Walkthrough

Walkthrough

The version field in package.json is incremented from 1.2.5 to 1.2.6. No other files or fields are modified.

Changes

Version Bump

Layer / File(s)	Summary
Package version update package.json	Version field changed from 1.2.5 to 1.2.6.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minutes

Possibly related PRs

• stakekit/shield#18: Also a standalone package.json version bump (1.2.3 → 1.2.4) with no other code changes.

Suggested reviewers

• jdomingos
• auralshin
• aditya172926
• Philippoes

Poem

A tiny hop, a version nudge,
From five to six without a grudge,
🐇 One field changed, the rest stands still,
A patch release — what a thrill!
The shield grows stronger, line by line!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title states 'Re-export vault registry: add DeBlock steakusdc OAVs + global refresh', but the actual change in the raw summary shows only a package.json version bump from 1.2.5 to 1.2.6 with no modifications to vault registry files.	The title should accurately reflect the actual changes present in this commit. If this PR only bumps the package version, use a more descriptive title like 'Bump package version to 1.2.6' or verify the vault registry file changes are missing.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch registry-reexport-deblock-oavs

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 3: Update the version field in package.json from "1.2.6" to "1.2.7" to
align with the PR objectives which explicitly require a version bump from 1.2.6
to 1.2.7. This ensures the package version matches what consuming packages will
expect when they update their dependency on `@yieldxyz/shield` to 1.2.7 in
follow-up work.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e0e88b8d-c446-4f58-a1d6-5a1b4690f834

📥 Commits

Reviewing files that changed from the base of the PR and between 5ac0c8b and 537e293.

📒 Files selected for processing (2)

• package.json
• src/validators/evm/erc4626/vault-registry.json