feat(primitives): enshrine is_payment_v2#3844
Open
0xrusowsky wants to merge 42 commits intotanishk/tip-1034-implfrom
Open
feat(primitives): enshrine is_payment_v2#38440xrusowsky wants to merge 42 commits intotanishk/tip-1034-implfrom
is_payment_v2#38440xrusowsky wants to merge 42 commits intotanishk/tip-1034-implfrom
Conversation
Automated nightly update of reth dependencies from `paradigmxyz/reth` main branch. ## Upstream reth changes [`38c627c...8328732`](paradigmxyz/reth@38c627c...8328732) 🔗 Amp thread: https://ampcode.com/threads/T-019df89b-7bd5-7546-abc8-f81cb9bbbab9 - **Engine** - Add shared block accessor to `EthBuiltPayload`, expose built payload block access list, and require built payload conversion ([#23862](paradigmxyz/reth#23862), [#23860](paradigmxyz/reth#23860), [#23928](paradigmxyz/reth#23928)) - Spawn deferred trie work for directly inserted payloads and skip already-known executed blocks ([#23935](paradigmxyz/reth#23935), [#23987](paradigmxyz/reth#23987)) - Acknowledge `save_blocks` before prune ([#23904](paradigmxyz/reth#23904)) - Increase state root task timeout to 4s ([#23949](paradigmxyz/reth#23949)) - **Storage / BAL** - Add in-memory BAL retention and BAL notification stream ([#23873](paradigmxyz/reth#23873), [#23918](paradigmxyz/reth#23918)) - Add BAL validation in post-execution ([#23496](paradigmxyz/reth#23496)) - **Networking** - Add capability message id helpers in `eth-wire` ([#23908](paradigmxyz/reth#23908)) - Validate EIP-1459 hash labels before caching entries ([#22582](paradigmxyz/reth#22582)) - **RPC** - Fill `maxUsedGas` in `simulate` results ([#23983](paradigmxyz/reth#23983)) - **Debug Client** - Pass execution data from providers ([#23969](paradigmxyz/reth#23969)) - **Perf / Tooling** - Skip recomputing receipts root in `generate-big-blocks` ([#23930](paradigmxyz/reth#23930)) - **Chore** - Fix nightly clippy warnings ([#23923](paradigmxyz/reth#23923)) ## Migrations 🔗 Amp thread: https://ampcode.com/threads/T-019df89b-9c72-705e-9e62-ef9d142f32be - Bumped `reth` git dependency revision from `38c627c` to `8328732` for all `reth-*` crates in `Cargo.toml`. - Updated `FullConsensus::validate_block_post_execution` to accept a new `block_access_list_hash: Option<B256>` parameter (forwarded to inner consensus); test call site updated accordingly. - Migrated `DebugNode` impl from `rpc_to_primitive_block` → `rpc_to_execution_data`, now returning a `TempoExecutionData` wrapping an `Arc<SealedBlock>` plus `validator_set: None` to match the new trait signature. - Replaced `either::Either::Left(Arc::new(...))` wrappers for `hashed_state` and `trie_updates` in `BuiltPayloadExecutedBlock` with plain `Arc::new(...)`, since the upstream fields are no longer `Either`-typed. - Dropped the now-unused `either` dependency from `crates/payload/builder/Cargo.toml` and its import. [GitHub Workflow](https://github.com/tempoxyz/tempo/actions/runs/25383044680) --------- Co-authored-by: klkvr <klkvrr@gmail.com>
Removes the `--consensus.fee-recipient` CLI argument. Fee recipients are now expected to be configured via the V2 smart contract only. The `suggested_fee_recipient` argument was removed from `TempoPayloadAttributes` because it is never used. The fee recipient plumbing is not connected to the subblocks smart contract. For the time being, all fee recipients will be set to `Address::ZERO` until the subblocks mechanism is reworked (currently disabled on mainnet).
Adds TIP-1033: a minimal two-hop fallback for FeeAMM swaps when there's no direct liquidity between userToken and validatorToken. Single path only: `userToken → userToken.quoteToken() → validatorToken`. Both hops at standard M rate (0.997), validator gets M² ≈ 0.994009. Key design points: - Reserve liquidity in both pools during pre-tx (extends T1C+ reservation) - Store intermediate token in transient storage for post-tx - Block `completeQuoteTokenUpdate` on the fee token during two-hop txs to prevent routing inconsistency Design-only TIP, no implementation. Co-Authored-By: Daniel Robinson <1187252+danrobinson@users.noreply.github.com> Prompted by: dan --------- Co-authored-by: Daniel Robinson <1187252+danrobinson@users.noreply.github.com> Co-authored-by: 0xrusowsky <90208954+0xrusowsky@users.noreply.github.com> Co-authored-by: 0xrusowsky <0xrusowsky@proton.me> Co-authored-by: Jennifer <jenpaff0@gmail.com> Co-authored-by: Centaur AI <ai@centaur.local>
Follow-up to #3817 — the CLI arg was removed from the binary, so drop it from the localnet helper script as well. Co-authored-by: Centaur AI <ai@centaur.local>
Follower nodes should also do verify and drive sync through CL FCU. `--follow && --follow.experimental.certify=true` spins up a lightweight consensus engine to drive fcu to the EL * On startup, if there's snapshotted marshal state, the identity scheme picks up where the snapshot left off. Otherwise bootstraps itself from the upstream provider * The driver ensures identity schemes are updated exclusively through parsed boundary blocks * The same archive is used for finalizations and finalizations-by-height, meaning validator snapshots can be used for follower nodes. And the `consensus_` rpcs are available to follower nodes ## Migration * `follow.experimental.certify=false` by default. `--follow` preserves existing behavior (unsafe) * Our url that external users use with `--follow` need to first be updated to serve consensus rpcs. Once snapshots also include this consensus state we can flip this to be the default ## E2E Tests * Follower can bootstrap itself from either a validator or another follower. First identity scheme is trusted * If a snapshotted/archive state is used, the follower continues with the last finalized height --------- Co-authored-by: Richard Janis Goldschmidt <github@aberrat.io>
* Remove migration logic * Remove syncing_players metric which is always zero * Remove `syncers` from State and hide wire format within Read/Write impls
Adds TIP-1026: a `logoURI` string field (256-byte cap) to TIP-20 tokens, admin-mutable via `setLogoURI`. Lets wallets/explorers read token icons on-chain without the off-chain token list. Co-Authored-By: Daniel Robinson <1187252+danrobinson@users.noreply.github.com> Prompted by: dan --------- Co-authored-by: Daniel Robinson <1187252+danrobinson@users.noreply.github.com> Co-authored-by: Federico Gimenez <fgimenez@users.noreply.github.com> Co-authored-by: 0xKitsune <77890308+0xKitsune@users.noreply.github.com> Co-authored-by: Jennifer <jenpaff0@gmail.com>
…3819) Considers consensus context when constructing a payload ID. Because reth is caching payloads by their IDs, ignoring consensus context would mean that the execution layer might return a payload with the wrong context, which would subsequently be ignored. PR #3751 proactively cancels ongoing payload builds when a view is cancelled. However, there is still a race between a new build request and cancellation of the old one, which can lead to conflicts.
Tempo now enables `suppress_persistence_during_build` in its engine defaults so payload construction defers persistence I/O by default.
Schedule T4 hardfork activation on both networks: | Network | Date | Time | Unix | |---|---|---|---| | Moderato (testnet) | Thu May 14, 2026 | 16:00 CEST / 14:00 UTC | `1778767200` | | Presto (mainnet) | Mon May 18, 2026 | 16:00 CEST / 14:00 UTC | `1779112800` | **Changes:** - `constants.rs`: add `MODERATO_T4_TIMESTAMP` and `MAINNET_T4_TIMESTAMP` - `hardfork.rs`: wire T4 into `moderato_activation_timestamp()` and `mainnet_activation_timestamp()` - `moderato.json` / `presto.json`: add `t4Time` to genesis configs - `spec.rs`: update chainspec tests for T4 activation All 23 `tempo-chainspec` tests pass. --------- Co-authored-by: Centaur AI <ai@centaur.local> Co-authored-by: Jennifer <jenpaff0@gmail.com>
…_transfer_from (#3827) Clarifies in the Initial List table that StablecoinDEX switches from `transfer_from` to `system_transfer_from` as part of TIP-1035. --------- Co-authored-by: Centaur AI <ai@centaur.local> Co-authored-by: klkvr <klkvrr@gmail.com>
Switches replay benchmark token plumbing to `DEREK_BENCH_REPLAY_TOKEN`, including the reusable workflow secret and txgen install auth. This isolates replay from the shared `DEREK_PAT` secret that returned bad credentials. Validated with `git diff --check` and `bash -n .github/scripts/bench-tempo-replay.sh`.
### Summary - Switch the bench dispatch and e2e workflows to use `DEREK_BENCH_REPLAY_TOKEN` for PR lookup, comment reactions, status updates, and `txgen` checkout. - Pass the replay token through the reusable workflow instead of the older `DEREK_PAT` secret so bench comment handling no longer depends on the broken shared PAT. ### Testing - Not run (not requested) - Verified the workflow diff and updated secret wiring across `bench.yml` and `bench-e2e.yml`
Adds a new metric `consensus_engine_executor_finalized_blocks_proposed_by_self`, which is counting how many finalized blocks were proposed by this node (and subsequently processed).
Unpins the specs workflow from the temporary no-OP Foundry SHA and checks out Foundry master again. Forge is now built with `--no-default-features`, matching the supported OP-disabled lane from foundry-rs/foundry#14612. The patch script now resolves Foundry metadata with the same no-default feature set so OP-only dependencies do not enter the patched lockfile before the build. Validation: - `bash -n scripts/foundry-patch.sh` - `shellcheck scripts/foundry-patch.sh` - `ruby -e 'require "yaml"; YAML.load_file(".github/workflows/specs.yml")'` - fresh-worktree patch against Foundry master, then `cargo +1.94 tree -p forge --no-default-features` with no `op-*` / `alloy-op-*` matches
Adds per-run metrics label files for `tempo.nu` benchmark executions instead of writing a shared `/tmp/bench-metrics-labels.json` path. The benchmark proxy now receives the run-specific labels file, which avoids collisions and the permission failure seen in the e2e bench job. Testing: - `git diff --check` - `nu --ide-check 5 tempo.nu`
) similar to #3766 but for `GetBlockBodies`
…reproducible build (#3804) Adds SLSA build provenance, SBOM generation + attestation, a bare-binary checksum, `--locked` builds, and the foundation for byte-deterministic reproducible builds — letting downstream consumers verify each release artifact's origin, contents, and integrity, and letting independent rebuilders confirm a published binary corresponds bit-for-bit to its source. ### Supply-chain attestations - add anchore/sbom-action to generate SPDX-JSON per archive - add actions/attest in SBOM mode binding the SBOM to archive + binary digests - add actions/attest in provenance mode (SLSA v1) for archive + binary - grant id-token/attestations write perms on the build-release job - record both archive and bare-binary sha256 (`.tar.gz.sha256` + `.sha256`) - pass `--locked` to `cargo build` to lock the dep graph - README: replace the prior multi-step recipe with two independent paths under the Security section — Path A (`sha256sum -c` + `gpg --verify`, offline / no GitHub auth) or Path B (`gh attestation verify` against the SLSA provenance). Either path proves the archive came from the tagged commit, signed by tempoxyz. SBOM verification is dropped from the operator recipe. - `tempoup`: verifies the archive checksum, GPG signature, and SLSA build provenance (via `gh attestation verify`) on every install. Hard-fails by default if `gpg` or `gh` are missing, or if `gh` is not authenticated; pass `--unsafe-skip-verify` to downgrade those (tool-availability) failures to warnings. Cryptographic failures (bad signature, bad attestation) still abort regardless of the flag. Error messages distinguish "gh not found" from "gh not authenticated" so the remediation is actionable. SBOM attestation verification dropped (operators don't consume it). ### Reproducible build (x86_64-unknown-linux-gnu) - `Dockerfile.reproducible`: hermetic build environment pinned to a specific `rust:1.93.0-bookworm` digest, with `/etc/apt/sources.list` repointed at `snapshot.debian.org` so apt-installed deps (libjemalloc, mold, libclang) can't drift between an in-CI build and a later rebuild. RUSTFLAGS strip every known source of non-determinism (`SOURCE_DATE_EPOCH`, `--remap-path-prefix`, `--build-id=none`, `symbol-mangling-version=v0`, `metadata=`). - `Cargo.toml`: new `[profile.reproducible]` inheriting `release` with `panic = "abort"`, `strip = "none"`, `debug = "none"`, `codegen-units = 1`, `incremental = false`. Diverges from `maxperf` only in the bits required for byte-determinism — `panic = "abort"` is the deliberate choice for this profile because it eliminates unwinding tables and the associated codegen paths, the most reliable source of byte drift between toolchain versions. The user-shipped binary still uses `maxperf` (with `panic = "unwind"`) so production backtraces are unchanged. - `scripts/reproducible-build.sh`: single shared docker-build wrapper. Both the in-CI workflow and any external rebuilder run the literal same command so the comparison can never silently diverge through someone editing one site and forgetting the other. - `.github/workflows/reproducible-build.yml`: standalone workflow with two triggers — `push` to `main` (continuous reproducibility canary on every merged PR) and `workflow_dispatch` with a `ref` input (manual builds for ad-hoc verification by independent rebuilders). Unsigned hash, 7-day artifact retention. 3-attempt retry on the docker step to absorb the dominant transient failure mode (snapshot.debian.org throttling). Concurrency is set so back-to-back merges to `main` cancel earlier in-progress canary runs. Locally verified that the recipe produces byte-identical hashes (`92b754ce…`) on Mac/OrbStack/Rosetta and on Ubuntu 24.04 native. **TODO (after tested with an independent rebuilder against this manual workflow):** - add a `workflow_call` trigger to `reproducible-build.yml` plus a GPG-sign step gated on a `sign` input - add a `build-reproducible` job in `release.yml` that calls it (`uses: ./.github/workflows/reproducible-build.yml`, `sign: true`) - so each tagged release ships a signed `.reproducible.sha256` sidecar attached automatically via the existing `gh release create … artifacts/**/*` glob - extend the README's Security-section recipe with a step 7 that `gpg --verify`s the sidecar and confirms an independent rebuild from source matches it --------- Co-authored-by: Amp <amp@ampcode.com>
Co-authored-by: Jennifer <jenpaff0@gmail.com>
0xrusowsky
requested review from
0xKitsune,
dankrad,
danrobinson,
fgimenez,
klkvr,
legion2002 and
mattsse
as code owners
Contributor
✅ Changelog found on PR. |
Recognized `approve` as a TIP-20 payment selector.
Contributor
📊 Tempo Precompiles CoverageprecompilesCoverage: 5622/8213 lines (68.45%) File details
contractsCoverage: 1/296 lines (0.34%) File details
Total: 5623/8509 lines (66.08%) |
0xrusowsky
requested review from
SuperFluffy,
Zygimantass,
hamdiallam and
joshieDo
as code owners
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
this PR enshrines
is_payment_v2into the protocol, as per TIP-1045