20 Commits

Author SHA1 Message Date
bristinWild
210e2f4ad7 fix(demo): align spel CLI args to IDL; remove b58_to_hex conversion 2026-07-02 01:25:13 +05:30
bristinWild
aee5372f2a fix(lp-0013): address review feedback — docs alignment and missing rotation test
- Add integration test `token_rotate_authority_then_new_authority_can_mint`:
  create with self-authority, rotate to external key, verify new authority
  mints as rest account, verify old authority is rejected (RFP-001 end-to-end)
- Fix README error table: 'must sign' -> 'must authorize' (matches mint.rs:36)
- Fix guest doc comments for mint/set_authority to describe the 0-or-1
  external authority model correctly
- Fix example scripts: new-fungible-definition-with-authority -> new-fungible-definition,
  --initial-supply -> --total-supply (align to token-idl.json and demo-full-flow.sh)
2026-07-02 01:20:33 +05:30
bristinWild
686a7d066a fix(token): owner-guard set_authority; align demo script to token IDL
Second review round on PR #125 (LP-0013):

- set_authority now rejects foreign-owned definitions. It takes the
  ProgramContext and asserts definition_account.program_owner ==
  self_program_id, matching mint and initialize_account. Without this a
  foreign-owned account with token-shaped data could have its authority
  field rewritten. Added test_set_authority_rejects_foreign_owned_definition.

- demo-full-flow.sh now calls instruction and flag names that exist in
  the regenerated token IDL: new-fungible-definition (was the nonexistent
  new-fungible-definition-with-authority), --total-supply (was
  --initial-supply), and drops --authority-account for the self-authority
  mint/set-authority path (the rest account is --authority-accounts and is
  empty when the definition is its own authority).

- Stripped a trailing-space lint nit in docs/LP-0013-README.md.
2026-07-02 01:20:32 +05:30
bristinWild
160ff8ee4a fix(token): support external mint authority; intentional metadata supply; demo path resolver
Addresses review on PR #125 (LP-0013):

#1 authority transfer now hands control to the new signer. mint and
set_authority take a trailing authority_accounts (Vec<AccountWithMetadata>):
empty preserves the original self/PDA-authority behavior (AMM unchanged),
one entry lets an external/rotated authority actually mint or rotate again.
Tests: rotated_authority_can_mint, rotated_authority_old_key_cannot_mint.

#2 metadata-backed fungibles take a real mint_authority instead of a
hardcoded Authority::renounced(), matching the plain-fungible supply model.
Test: test_metadata_fungible_with_authority_is_mintable.

#3 demo-full-flow.sh resolves TOKEN_BIN from the README-documented
cargo risczero build output, falling back to the workspace build, with an
explicit TOKEN_BIN override still respected.

Regenerated token-idl.json for the new trailing authority_accounts.
2026-07-02 01:20:32 +05:30
bristinWild
83df2037ef refactor(authority): embed Authority type in TokenDefinition; fix AMM LP minting
Addresses @0x-r4bbit's review:

- lez-authority now provides an Authority(Option<[u8;32]>) newtype and an
  Ownable trait (require_owner / transfer_ownership / renounce_ownership);
  programs embed the authority slot in their account type instead of calling
  a wrapper. Replaces the old AuthoritySlot.
- TokenDefinition::Fungible embeds authority: Authority; TokenDefinition
  implements Ownable.
- Fold mint authority into NewFungibleDefinition { mint_authority: Option<AccountId> };
  remove the separate NewFungibleDefinitionWithAuthority instruction.
- mint/set_authority authorize against the definition account itself (its id
  must match the stored authority and be authorized in the tx), restoring the
  2-account mint shape and supporting PDA authorities.
- Fix AMM: the pool-definition PDA is now the LP token's mint authority, so the
  AMM mints LP at creation and on add-liquidity (was permanently revoked).
- Instruction params use AccountId; remove LP-0013-specific comments.
- Regenerate token/amm/ata/stablecoin IDLs.

Tests: lez-authority 8, token unit 56, token/amm/stablecoin/ata integration all
green under RISC0_DEV_MODE=1; fmt + clippy clean.
2026-07-02 01:18:39 +05:30
bristinWild
c2a7d753d7 fix: address Copilot review round 2
- set_authority rejects all-zero new_authority on rotation (matches creation guard)
- SetAuthority/Mint doc comments now list the required authority signer account
- README: add --authority-account to mint/set-authority CLI examples,
  correct error-code table to actual panic strings, make program ID build-dependent
2026-07-02 01:17:06 +05:30
bristinWild
1c41d19a51 feat: reject all-zero mint authority; restore 7-step demo-full-flow.sh
- new_fungible_definition_with_authority rejects all-zero mint_authority (RFP-001 reliability)
- add test_new_fungible_definition_with_authority_rejects_zero_authority
- restore demo-full-flow.sh (had been overwritten with example content); now
  uses the correct account parsing, base58->hex authority, and --authority-account flag
- commit updated Cargo.lock files for the lez-authority dependency
2026-07-02 01:16:49 +05:30
bristinWild
175c9d256c refactor: gate mint/set_authority via lez-authority with explicit signer account 2026-07-02 01:15:03 +05:30
bristinWild
029f617737 style: fix rustfmt trailing newline and replace unwrap with expect for clippy 2026-07-02 01:11:53 +05:30
bristinWild
b561f91db2 fix: enforce mint authority key validation in mint and set_authority
- mint.rs: validate caller account_id matches stored mint_authority key
- set_authority.rs: validate caller matches mint_authority before rotation/revoke
- tests.rs: align AUTHORITY constant and fixtures to match account_id [15; 32]
- demo-full-flow.sh: fix --public flag, remove || true from spel commands,
  update test count to 60
2026-07-02 01:11:53 +05:30
bristinWild
cc70332293 fix: add mint_authority to amm and fix nightly fmt 2026-07-02 01:11:53 +05:30
bristinWild
a8863ab7ea feat(LP-0013): add mint authority model to token program
- Add lez-authority crate: agnostic AuthoritySlot library (RFP-001)
- Add mint_authority field to TokenDefinition::Fungible
- Add NewFungibleDefinitionWithAuthority instruction
- Add SetAuthority instruction (rotation + permanent revocation)
- Update Mint to enforce authority guard
- Wire new instructions into guest binary
- Add 8 authority unit tests (53 total passing)
- Add LP-0013 README, IDL, demo script, and example scripts
2026-07-02 01:11:53 +05:30
r4bbit
0a120bd42c docs: add a testnet run book to show how to deploy and use the programs 2026-06-30 15:13:47 +02:00
r4bbit
091ea5a5d0 chore: update to LEZ v0.2.0-rc6
Bump the LEZ dependency from the `lez-core-v0.2.0` tag to `v0.2.0-rc6` across
the workspace and all guest manifests (still resolving via the renamed
`lee_core`/`lee` packages), and regenerate the lockfiles to match.

rc6 moved the clock program out of `nssa` into a separate system-programs crate
(gated behind the guest-building `artifacts` feature), so adapt the tests:

- Import `ClockAccountData` and `CLOCK_01_PROGRAM_ACCOUNT_ID` from `clock_core`
  instead of `nssa`, and build clock data via `ClockAccountData::to_bytes()`
  rather than hand-encoding the Borsh layout.
- `V03State::new()` no longer auto-creates the clock account, so AMM tests seed
  the canonical 1-block clock explicitly before ops that read it.
- `advance_clock` now writes the clock account directly via
  `force_insert_account` (the clock can no longer be ticked with a real
  transaction), matching how upstream rc6 state-machine tests seed accounts.
- Add the `clock_core` dependency to integration_tests/benchmark.
2026-06-30 15:13:47 +02:00
r4bbit
c42d4b6c07 refactor: migrate programs to LEZ lez-core-v0.2.0
Bump the LEZ dependency from the `v0.2.0-rc3` tags to the released
`lez-core-v0.2.0` tag across the workspace and all guest manifests. The crate
was renamed upstream, so `nssa_core`/`nssa` now resolve via the `lee_core`/`lee`
packages, and spel-framework points at the `refactor/lez-v020-compat` fork
branch for compatibility.

Adapt the integration tests to the new API surface:

- `NssaError` is now `LeeError` (error variants unchanged).
- Account inputs move from numeric mask vectors (`vec![2, 0, 0]`) to typed
  `InputAccountIdentity` values (e.g. `PrivateUnauthorized { epk, view_tag,
  npk, ssk, identifier }`).
- `ViewingPublicKey::from_scalar` → `from_seed(d, z)`; `AccountId::from(&npk)`
  → `AccountId::for_regular_private_account(&npk, 0)`; ephemeral-key/shared-
  secret setup → `SharedSecretKey::encapsulate_deterministic(...)` with the
  circuit filling the EPK.

Regenerate all guest Cargo.lock files and the workspace lockfile to match.
2026-06-30 15:13:47 +02:00
Ricardo Guilherme Schmidt
497e13db85 build(guest): strip release symbols
Configure guest release profiles with debug = 0 and strip = "symbols" so deployed RISC Zero artifacts use stripped binaries.

Document that release-profile ImageIDs are canonical for testnet and mainnet deployments and dependent values must be refreshed.
2026-06-28 20:57:02 -03:00
Ricardo Guilherme Schmidt
255f87f38f fix(idl): align LEZ account metadata
Mark unconditional signer, init, and mutable accounts in guest entrypoints.

Regenerate IDL artifacts for token, ATA, stablecoin, TWAP oracle, and AMM.
2026-06-28 15:24:29 +02:00
r4bbit
e4447617f6 chore: pin ruint dep 2026-06-26 14:33:47 -03:00
r4bbit
fe9d919299 feat(twap-oracle): implement CreatePriceObservations instruction
Adds the CreatePriceObservations instruction to the TWAP oracle program.
The instruction initialises a PriceObservations PDA for a given price
source account and time window, writing the initial tick and timestamp
as the first entry.

Key design decisions:

- Per-window accounts: each (price_source, window_duration) pair maps to
  a distinct PriceObservations PDA. The window duration is baked into the
  PDA seed so a single price source can support multiple TWAP windows
  (24h, 7d, 30d) at independent sampling rates without sharing a buffer.

- window_duration not stored on struct: it is implicit in the PDA address.
  Any reader that located the account already knows the window duration
  used to derive it. Storing it would be redundant.

- Authorization is implicit: the PriceObservations PDA is derived from
  the price source account ID, so is_authorized = true on the price source
  proves the caller controls it without a redundant authority field.

- Impersonation is prevented by the PDA check: passing a controlled price
  source with a victim's observations account ID fails immediately because
  the computed PDA (from the attacker's source) does not match.

Closes #126
2026-06-09 13:23:46 +02:00
r4bbit
3622016e6c refactor: move programs into programs and UIs into apps
This refactors the repository structure as it has grown over time.
2026-05-26 14:05:52 +02:00