dtaghavi/skunk-net-e2e
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e7ea5e193c98e36c47c88c453c2fc72eae390b72
skunk-net-e2e/OPP-COHESIVE-DESIGN.md
Daniel Taghavi 16d5eb3a86 Add local instaswap E2E workspace harness
2026-04-03 17:17:40 -04:00

378 lines
13 KiB
Markdown
Raw Blame History

# Cohesive OPP Design
## Problem
The current repos already show the shape of the system, but not a single transport model that works cleanly for all four directions:
- `wire-ethereum` has a real outbound OPP sender and a partially implemented inbound verifier.
- `capital-staking` has several concrete business flows and several OPP placeholders.
- `wire-sysio` has protobuf ABI support and chain identity types, but no shared OPP depot/runtime in this checkout.
The main failure mode in the current shape is coupling unrelated traffic through global epoch state. That is the wrong abstraction for instant swaps and for the broader outpost/depot model.
The correct abstraction is:
- four independent directed OPP routes:
- `Ethereum -> Wire`
- `Wire -> Ethereum`
- `Solana -> Wire`
- `Wire -> Solana`
- optional sub-lanes inside each route so BAR traffic cannot stall Depositor traffic
- consensus on matching submissions of the same batch data
- request/response correlation by payload ID, not by shared epoch numbering across directions
## Design Goals
- No global OPP epoch across chains or directions.
- Ordering is only required inside a single directed stream.
- Batching exists for operator consensus and gas/tx sizing, not as a business rule.
- Multiple batch operators can submit the same batch independently; the depot accepts the batch once matching weight reaches threshold.
- Reverse-direction flows are independent streams. A `Wire -> Solana` completion is not transport-coupled to the `Solana -> Wire` request batch that caused it.
- Payloads are canonical protobuf messages, even if some origin repos still need a temporary translator while migrating.
- Delivery is idempotent and replay-safe.
## Route And Stream Model
There are four mandatory top-level OPP routes:
| Route | Meaning |
| --- | --- |
| `Ethereum -> Wire` | Ethereum outposts mirror facts into Wire |
| `Wire -> Ethereum` | Wire depot sends commands or acknowledgements to Ethereum outposts |
| `Solana -> Wire` | Solana outposts mirror facts into Wire |
| `Wire -> Solana` | Wire depot sends commands or acknowledgements to Solana outposts |
Each route may contain one or more logical lanes. Lanes are required because the current business surfaces already split into different domains:
- `depositor`
- `pretoken`
- `bar`
- `admin`
The minimum stream identity must therefore be:
```text
stream_key = (
from_chain,
to_chain,
origin_system,
destination_system,
lane
)
```
Where:
- `from_chain` and `to_chain` use `chain_kind_t`
- `origin_system` is the origin contract/program/depot identifier
- `destination_system` is the destination contract/program/depot identifier
- `lane` is a stable logical channel inside the route
This keeps the four chain directions independent while still allowing multiple application lanes per directed pair.
## Transport Units
The transport has three layers:
1. `Assertion`
2. `Message`
3. `Batch`
Definitions:
- An `Assertion` is one business fact or command.
- A `Message` is a deterministic ordered set of assertions derived from one origin transaction or one origin-side decision.
- A `Batch` is a transport seal over a contiguous message range in one stream.
Important rule:
- `Batch` replaces the old global `epoch` concept.
- Batch numbering is per `stream_key`.
- Batches can be sealed by time, size, or explicit flush.
- Failing to deliver batch `N` on one stream must not stall batch creation or delivery on any other stream.
## Protobuf Canonical Format
The canonical transport format should be defined once and shared by all three repos. The simplest shape that fits the current codebase is:
```proto
syntax = "proto3";
package wire.opp.v1;
message StreamKey {
uint32 from_chain = 1;
uint32 to_chain = 2;
bytes origin_system = 3;
bytes destination_system = 4;
uint32 lane = 5;
}
message Assertion {
uint32 assertion_type = 1;
bytes payload = 2;
}
message Uint256 {
bytes be_bytes = 1;
}
message MessageHeader {
StreamKey stream = 1;
uint64 sequence = 2;
bytes previous_message_hash = 3;
uint64 source_timestamp_ms = 4;
bytes source_event_id = 5;
bytes payload_hash = 6;
}
message Message {
MessageHeader header = 1;
repeated Assertion assertions = 2;
}
message BatchHeader {
StreamKey stream = 1;
uint64 batch_number = 2;
bytes previous_batch_hash = 3;
uint64 first_sequence = 4;
uint64 last_sequence = 5;
uint64 sealed_at_ms = 6;
bytes merkle_root = 7;
}
message Batch {
BatchHeader header = 1;
repeated Assertion summary_assertions = 2;
}
message BatchSubmission {
BatchHeader header = 1;
bytes batch_hash = 2;
bytes operator_id = 3;
bytes signature = 4;
}
```
Notes:
- `assertion_type` stays numeric because the current Ethereum code and manager wiring already depend on a numeric registry.
- `payload` becomes a protobuf-encoded business message specific to that assertion type.
- `source_event_id` is the deterministic origin reference used for replay protection and migration from legacy encoders.
- Protobuf has no native `uint256`, so business payload schemas should use a canonical `Uint256` wrapper. The wrapper should be encoded as exactly 32 unsigned big-endian bytes.
## Consensus Model
Consensus happens at the destination depot or endpoint, not at the sender.
For each `(stream_key, batch_number)` the destination keeps:
- every operator submission keyed by `(operator_id, batch_hash)`
- cumulative weight per `batch_hash`
- a single accepted `batch_hash` once threshold is met
Rules:
- A batch is accepted when matching submission weight reaches threshold.
- Conflicting submissions for the same `(stream_key, batch_number)` are retained as evidence.
- Acceptance is per stream only. No other stream is affected.
- Operators may submit late. Late submission is a liveness concern, not a protocol deadlock.
This is the core point the current design needs: consensus is "multiple operators submitted the same batch digest", not "the whole system advanced the next epoch".
## Delivery Model
Once a batch is accepted, any operator may deliver messages from that batch with Merkle proofs.
Execution state is per stream:
- `next_sequence`
- `last_applied_message_hash`
- `next_batch_number`
- optionally one currently accepted batch being drained
The simplest execution rule is:
- delivery chunks must be contiguous within the accepted batch
- the first delivered sequence must equal `next_sequence`
- successful execution increments `next_sequence`
That preserves deterministic ordering while still allowing large batches to be split across multiple destination transactions.
If arbitrary subset delivery is needed later, a per-batch bitmap can be added. It is not required for the first correct implementation.
## Request/Response Correlation
Transport ordering and business correlation are separate concerns.
Any payload that expects a reverse-direction response must include:
- `request_id`
- `origin_message_id` or `source_event_id`
Examples:
- `Solana -> Wire` withdraw request carries `request_id`
- `Wire -> Solana` withdraw completion references the same `request_id`
- `Ethereum -> Wire` unbond request carries `request_id`
- `Wire -> Ethereum` unbond completion or slash references the same `request_id`
This removes the false dependency on shared epoch numbers between opposite directions.
## Current Repo Surfaces Mapped To The Model
### Ethereum -> Wire
Current origin surfaces already emitting OPP payloads:
- `wire-ethereum/contracts/outpost/Depositor.sol`
- `3001` stake
- `3002` unstake
- `3004` liq pretoken purchase
- `3006` yield pretoken purchase
- `wire-ethereum/contracts/outpost/Pretoken.sol`
- `3005` pretoken purchase
- `wire-ethereum/contracts/outpost/BAR.sol`
- `2001` bonded actor
- `2002` unbonded actor
- `2003` bond slashed
Design meaning:
- This route is a facts-to-Wire route.
- Messages represent Ethereum-local state transitions that Wire mirrors.
- The sender can continue producing batches even if a prior batch has not yet been submitted to Wire.
### Wire -> Ethereum
Current transport surface exists in `wire-ethereum/contracts/outpost/OPPInbound.sol`, but it is still globally sequential and not yet attached to real business handlers.
Design meaning:
- This route is a commands/acknowledgements route.
- It needs a real endpoint contract per lane, or one endpoint with per-type handlers.
- State must move from one global queue to per-stream state keyed by `stream_key`.
Immediate commands that fit this route:
- approvals or rejections for cross-chain requests
- BAR role outcomes if Wire is authoritative
- settlement callbacks for future instant swap flows
### Solana -> Wire
Current business surfaces that should emit outbound OPP requests or facts:
- `capital-staking/.../wire_syndication/syndicate_liqsol.rs`
- stake mirror
- `capital-staking/.../wire_syndication/desyndicate_liqsol.rs`
- post-launch withdraw request to Wire is currently a TODO
- `capital-staking/.../wire_pretokens/purchase_pretoken.rs`
- pretoken purchase mirror
- `capital-staking/.../wire_pretokens/purchase_pretokens_from_yield.rs`
- yield purchase mirror
- `capital-staking/.../bar/bond_ops.rs`
- bond request
- unbond request
Design meaning:
- This route is the Solana mirror/request route.
- Solana should emit canonical protobuf messages, or a deterministic translator must derive them from Solana instruction data until native protobuf encoding exists.
### Wire -> Solana
Current destination-side business surfaces already exist:
- `capital-staking/.../wire_config/admin_instructions.rs`
- `complete_withdraw_handler`
- `capital-staking/.../bar/admin_instructions.rs`
- `complete_unbond_role_handler`
- `slash_bond_handler`
- `admin_force_unbond_role_handler`
Design meaning:
- This route is a commands/acknowledgements route.
- These handlers should stop being human-admin-only settlement paths.
- They should become callable by an OPP authority PDA or gateway that verifies accepted Wire batches and enforces idempotency.
## Authority And Idempotency Rules
Every destination endpoint needs the same guarantees:
- only accepted OPP deliveries can execute privileged effects
- the same `request_id` cannot execute twice
- the same `(stream_key, sequence)` cannot execute twice
Practical requirements by repo:
- Ethereum:
- replace global inbound state in `OPPInbound.sol` with per-stream state
- register real assertion handlers for business routes
- Solana:
- add an OPP authority PDA or gateway instruction layer
- move current admin settlement handlers behind that authority
- Wire:
- implement an actual depot contract or plugin state machine for stream state, operator submissions, accepted batches, and handler dispatch
## Migration Strategy
The clean migration path is:
1. Define the shared protobuf schema in one place and vendor it into all repos.
2. Keep the current numeric assertion type registry.
3. Canonicalize every observed origin event into the shared protobuf `Message`.
4. Run consensus on protobuf `Batch` hashes.
5. Dispatch protobuf payloads at the destination.
This allows migration even if some origin contracts still emit legacy byte payloads for a short time, because the operator canonicalization step can deterministically translate them into the protobuf form used for batch hashing and destination execution.
## Immediate Implementation Plan
### Phase 1: Shared Schema
- Add `wire.opp.v1` protobuf definitions to the shared contract/protocol area.
- Add a registry document mapping numeric `assertion_type` values to protobuf payload messages.
### Phase 2: Wire Depot
- Implement per-stream tables:
- `stream_state`
- `batch_submission`
- `accepted_batch`
- `executed_message`
- Implement threshold matching on `(stream_key, batch_number, batch_hash)`.
- Implement contiguous chunk delivery with Merkle proof validation.
### Phase 3: Ethereum Endpoint
- Refactor inbound state from one global queue to `mapping(stream_hash => StreamState)`.
- Keep the sender-side forward progress behavior already added in `OPP.sol`.
- Add real business handlers for `Wire -> Ethereum`.
### Phase 4: Solana Endpoint
- Add an OPP gateway account model and authority PDA.
- Convert current admin settlement instructions into OPP-executable handlers.
- Emit outbound request/fact messages for the existing TODO sites.
### Phase 5: End-To-End Instant Swap Tests
Build the first full-path tests around request/response pairs that prove route independence:
- `Solana -> Wire` withdraw request followed by `Wire -> Solana` completion
- `Ethereum -> Wire` BAR unbond request followed by `Wire -> Ethereum` completion or slash
- one route deliberately delayed while another route continues progressing
## Non-Goals
- No global epoch shared across all routes.
- No requirement that opposite directions share batch numbers.
- No requirement that batch sealing blocks new origin-side messages.
- No special transport rule for instant swaps beyond per-stream ordering and request/response correlation.
## Decision
The system should be built as independent directed OPP streams with per-stream batching and per-stream operator consensus. "Epoch" becomes a local batching mechanism, not a system-wide gating primitive. Reverse-direction actions are correlated by payload IDs, not by transport epoch state.
Reference in New Issue View Git Blame Copy Permalink