feat(dpp): shielded state transitions and Orchard bundle types (Medusa) #3177
QuantumExplorer merged 35 commits into v3.1-dev
Add the DPP layer for the shielded credit pool:
- Five new state transition types: Shield (15), ShieldedTransfer (16), Unshield (17), ShieldFromAssetLock (18), ShieldedWithdrawal (19)
- Orchard bundle builder (shielded/builder.rs) with platform sighash
- Bundle serialization (SerializedAction) and deserialization
- 12 new consensus errors (basic + state) for shielded validation
- PlatformAddress Orchard payment address support
- Platform version fields for shielded serialization and validation
- Workspace profile optimizations for ZK crypto crates
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…dent packages
Adds compilation stubs across rs-drive, rs-drive-abci, wasm-dpp, wasm-dpp2, and rs-sdk-ffi for the new shielded state transition variants (Shield, ShieldedTransfer, Unshield, ShieldFromAssetLock, ShieldedWithdrawal) and updated grovedb API (sinsemilla_hash_calls, Option<KeyInfo>, new TreeType variants, GroveDBProof::V1). These will be replaced with real implementations when each package is split out from feat/zk.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
✅ DashSDKFFI.xcframework built for this PR.
SwiftPM (host the zip at a stable URL, then use):
.binaryTarget(
    name: "DashSDKFFI",
    url: "https://your.cdn.example/DashSDKFFI.xcframework.zip",
    checksum: "467d4c9448d761195008f957e317cee65e7a7f53d75eaeeb1edf9c471aff09e8"
)
Xcode manual integration:
QuantumExplorer left a comment
Need some changes so far
- OrchardAddress: wrap PaymentAddress directly instead of raw bytes
- serialize_authorized_bundle: return SerializedBundle struct instead of tuple
- Add From<&OrchardAddress> for PaymentAddress (infallible since wrapper)
- Fix version comments in v7.rs (add reason for create_initial_state_structure,
  remove stale //changed comments)
- Add comment explaining drive change in v12.rs
- List new Element variants in rs-sdk-ffi path_elements.rs (CommitmentTree,
  MmrTree, BulkAppendTree, DenseAppendOnlyFixedSizeTree)
- Add shielded consensus errors properly in wasm-dpp:
  - State: InvalidAnchor, NullifierAlreadySpent, InvalidShieldedProof,
    InsufficientPoolNotes, InsufficientShieldedFee
  - Basic: ShieldedNoActions, ShieldedTooManyActions, ShieldedEmptyProof,
    ShieldedZeroAnchor, ShieldedInvalidValueBalance, UnshieldAmountZero,
    UnshieldValueBalanceBelowAmount
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…c Merkle root
The anchor in shielded state transitions is specifically the Sinsemilla root of the depth-32 Orchard note commitment tree (over cmx values), not the GroveDB commitment tree state root which also includes the BulkAppendTree.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
QuantumExplorer left a comment
Needs more fixes
…nature property paths
- Improve flags field documentation on all 5 shielded transitions to explain the Orchard bundle bit layout (bit 0 = spends_enabled, bit 1 = outputs_enabled) with per-transition usage context.
- Change ShieldFromAssetLockTransitionV0.value_balance from i64 to u64 since value can only flow one direction (into the pool). Adds validation that value_balance > 0 and <= i64::MAX. Updates builder to negate the Orchard bundle's negative i64 value_balance.
- Add signature_property_paths and binary_property_paths returning SIGNATURE for ShieldFromAssetLockTransition (both v0 and enum wrapper) with a new fields.rs module. This transition is the only shielded transition with an ECDSA signature field.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Orchard bundle flags are deterministic per transition type:
- Shield/ShieldFromAssetLock: always 0x02 (outputs_enabled only)
- Transfer/Unshield/Withdrawal: always 0x03 (both enabled)
No need to store or pass them through. The flags are still extracted from the bundle in SerializedBundle for internal use but are no longer part of the on-chain state transition representation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Allow too_many_arguments on 6 builder functions
- Replace clone-to-slice with std::slice::from_ref for SpendAuthorizingKey
- Fix doc_lazy_continuation in SerializedAction docs
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Shorter, clearer name for the feature gate that enables OrchardAddress, the shielded transaction builder, and grovedb-commitment-tree dependency.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Flags are deterministic per transition type, same as the transition structs themselves.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…Lock
The fee is implicitly the difference between the asset lock value and value_balance, so no separate fee multiplier is needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ransitions
Remove StateTransitionHasUserFeeIncrease from shielded transitions that don't support fee adjustment (ShieldedTransfer, Unshield, ShieldedWithdrawal, ShieldFromAssetLock) and move it to the new trait for Shield transition.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Split the monolithic builder/mod.rs (639 lines) into individual files per builder function, keeping shared types and internal helpers in mod.rs. Added 9 tests covering error paths and happy paths for all 5 builders.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…o amount, add fee cap
- Introduce OrchardProver trait abstracting over Halo 2 proving key access, following the same pattern as Signer
- Change ShieldTransitionV0.value_balance (i64) to amount (u64) since shield can only flow credits into the pool
- Add 1000x minimum fee cap check in shielded transfer builder
- Use letter generics <P: OrchardProver> across all builder functions
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix import ordering in shield.rs tests (dpp formatting)
- Handle Option<KeyInfo> in credit_pools test assertions (drive)
- Add create_initial_state_structure v3 stub delegating to v2 (drive-abci)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…etLock
The asset lock can only be consumed once, making it the natural deduplication key — consistent with IdentityTopUp.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ldedWithdrawal
The `amount` is fully derivable from `value_balance - fee` where fee is deterministic. Removing it simplifies the structs, eliminates redundant validation checks, and reduces the sighash extra_data to just the output address/script. The amount is already cryptographically bound through value_balance in the bundle commitment.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…shield and ShieldedWithdrawal
Rename `value_balance: i64` to `unshielding_amount: u64` since these transitions always have positive outflow. Simplifies validation (== 0 instead of <= 0) and makes the type match semantics. Also adds TODO comments on `calculate_min_required_fee` returning 0 for shielded types, and replaces todo!() panics in path_elements display with simple strings.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove user_fee_increase field (fee is implicit from asset lock value)
- Add proof to binary_property_paths alongside signature
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Orchard value balances are signed i64, so amounts must not exceed i64::MAX when represented as u64.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…tion
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The upstream grovedb Display impl now includes `0x` prefixes on hex bytes and prints the `add_parent_tree_on_subquery` field.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…t OrchardAddress
- Move serde_bytes_64 from shielded/mod.rs to serialization/serde_bytes_64.rs with hex encoding for human-readable formats (JSON)
- Extract OrchardAddress into its own address_funds/orchard_address.rs module, gated once with #[cfg(feature = "shielded-tx")] at the module level
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…helpers
Change `validate_actions_count`, `validate_proof_not_empty`, and `validate_anchor_not_zero` to return `SimpleConsensusValidationResult` directly instead of `Option<SimpleConsensusValidationResult>`. Update all 5 call sites to use `if !result.is_valid()` pattern.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ove serde(skip)
Add serde derives to StoredAssetLockInfo, AssetLockValue, and AssetLockValueV0 so the VerifiedAssetLockConsumed variant no longer needs to be skipped during serialization.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Split from #3076 — this PR contains the DPP layer of the shielded credit pool (Medusa) feature:
- rs-platform-version for shielded operations in Drive, Drive-ABCI, and DPP
- 7ecb8465 which adds commitment tree support (sinsemilla_hash_calls, new TreeType variants, Option<KeyInfo>)
Dependent packages (rs-drive, rs-drive-abci, wasm-dpp, wasm-dpp2, rs-sdk-ffi) include todo!() stubs so the workspace compiles. These will be replaced with real implementations in subsequent split PRs.
Packages Changed
- rs-dpp
- rs-platform-version
- rs-drive
- rs-drive-abci
- wasm-dpp / wasm-dpp2
- rs-sdk-ffi
Test plan
- cargo check --workspace passes (verified locally)
- cargo test -p dpp passes
🤖 Generated with Claude Code
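Added example, not code from this PR or from rs-dpp: a sketch of two rules the commit messages describe, flags fixed per transition type (0x02 or 0x03) and u64 amounts bounded by i64::MAX, with the builder negating the bundle's negative value_balance. All type and function names here are hypothetical; the transition type ids and flag bits are the ones stated in the commits.

```rust
// Added example; every name here is hypothetical, not the rs-dpp API.

/// The five shielded transition types with the type ids listed in the PR.
#[derive(Clone, Copy, Debug, PartialEq)]
enum ShieldedKind {
    Shield = 15,
    ShieldedTransfer = 16,
    Unshield = 17,
    ShieldFromAssetLock = 18,
    ShieldedWithdrawal = 19,
}

const SPENDS_ENABLED: u8 = 0b01; // bit 0
const OUTPUTS_ENABLED: u8 = 0b10; // bit 1

/// Flags are derived from the transition type, never read from the wire.
fn expected_flags(kind: ShieldedKind) -> u8 {
    match kind {
        ShieldedKind::Shield | ShieldedKind::ShieldFromAssetLock => OUTPUTS_ENABLED,
        _ => SPENDS_ENABLED | OUTPUTS_ENABLED,
    }
}

#[derive(Debug, PartialEq)]
enum AmountError { Zero, ExceedsI64Max, WrongDirection }

/// A u64 amount must be non-zero and representable as an Orchard i64 balance.
fn validate_amount(amount: u64) -> Result<u64, AmountError> {
    match amount {
        0 => Err(AmountError::Zero),
        a if a > i64::MAX as u64 => Err(AmountError::ExceedsI64Max),
        a => Ok(a),
    }
}

/// Shield direction: the bundle's value_balance is negative (value enters the
/// pool), so the on-chain u64 is its negation. unsigned_abs avoids the
/// overflow that `-value_balance` would hit at i64::MIN.
fn inflow_from_bundle(value_balance: i64) -> Result<u64, AmountError> {
    if value_balance > 0 {
        return Err(AmountError::WrongDirection);
    }
    validate_amount(value_balance.unsigned_abs())
}

fn main() {
    println!("{:?}", inflow_from_bundle(-1_000));
    println!("{:#04x}", expected_flags(ShieldedKind::Unshield));
}
```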