refactor: drop operator staking stack for permissionless settlement#10
Open
grimnote wants to merge 4 commits into
Open
refactor: drop operator staking stack for permissionless settlement#10grimnote wants to merge 4 commits into
grimnote wants to merge 4 commits into
Conversation
Delete the on-chain `orchestration` package (OperatorRegistry, OperatorSlashingManager, FeeManager, TaskExecutor, CCTPHandler, TaskLib, CCTPMessageLib + interfaces/mocks/tests/scripts). `CCTPV2EscrowReceiver.settle()` already verifies Circle's CCTP attestation and is permissionless, so the operator stack was an access gate over an already-safe action — not a security layer. Escrow and recourse had no compile/deploy dependency on orchestration. - Relocate CCTPV2Forwarder (+ interface + test) into packages/escrow/contracts/receivers/ - Update CI matrices (ci/coverage/slither/aderyn), aderyn.toml, run-slither.sh, root package.json scripts, README, docs/IMPLEMENTATION-STATUS.md, ICore comment - Add ADR 0001 and the redesign checklist The off-chain operator service and SDK bridge rewire to settle() are a follow-up (PR 2); they bind contracts by ABI/address so still build and run against existing deployments. forge test: escrow 145 passed, recourse 284 passed, shared builds — all green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Remove TODO-LIGHTWEIGHT-REDESIGN.md and docs/adr/0001-drop-operator-staking.md and the references to the ADR in docs/IMPLEMENTATION-STATUS.md. The §8 status text (permissionless settlement) is retained. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Review of PR #10 found the teardown left orchestration references behind: - LICENSE, NOTICE, CONTRIBUTING.md, SECURITY.md, RELEASES.md: drop the deleted packages/orchestration from the core-protocol / scope lists (kept historical deployment-date narrative in RELEASES). - .github/CODEOWNERS: remove the dangling /packages/orchestration/ owner rule. - .github/pull_request_template.md: remove the orchestration affected-package box. - packages/escrow/README.md: remove the (now-wrong) 'moved to orchestration' note and the dead Related Repositories link — the forwarder lives here now. Also align the relocated forwarder with its escrow siblings: - CCTPV2Forwarder.sol + ICCTPV2Forwarder.sol: pragma ^0.8.24 -> ^0.8.25. - CCTPV2Forwarder.t.sol: SPDX MIT -> FSL-1.1-ALv2. escrow: forge test 145 passed. prettier clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
grimnote
added a commit
that referenced
this pull request
Jun 27, 2026
From the PR #10 review (cross-checked against this branch): - offchain/README: remove the dead @reineira-os/orchestration related-repo link (the receiver lives in @reineira-os/escrow now). - sdk: remove the stale governanceToken field/address (the GOV staking token of the deleted OperatorRegistry); unused by any SDK module. sdk: tsup build + 78 vitest passed. prettier clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Align the relocated forwarder test with its contract/interface (^0.8.25) and the escrow package solc — completes the pragma alignment from the relocation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Collapse cross-chain settlement to one permissionless, trustless environment by deleting the on-chain operator staking stack. This is the first of two PRs (on-chain teardown now; off-chain client adaptation follows).
Why
CCTPV2EscrowReceiver.settle(message, attestation)(and its confidential twin) is alreadyexternal+ permissionless, and it verifies Circle's CCTP attestation on-chain. The settlement outcome is fully determined by(message, attestation), so the operator stack —OperatorRegistry(GOV staking, claim windows),OperatorSlashingManager(optimistic-dispute slashing),FeeManager(zero fees),TaskExecutor(thecanExecuteTaskgate),CCTPHandler— was an access gate over an action that is already safe for anyone to perform. It added no settlement safety. A component audit confirmedescrowandrecoursehave no compile- or deploy-time dependency onorchestration.Full rationale:
docs/adr/0001-drop-operator-staking.md.Changes
orchestrationpackage —OperatorRegistry,OperatorSlashingManager,FeeManager,TaskExecutor,CCTPHandler,TaskLib,CCTPMessageLib+ their interfaces, mocks, tests, and deploy/upgrade scripts.CCTPV2Forwarder(the independent, permissionless non-FHE forwarder) + its interface and test intopackages/escrow/contracts/receivers/.ci.yml,coverage.yml,slither.yml,aderyn.ymlmatrices,aderyn.toml,scripts/run-slither.sh, rootpackage.jsonscripts,README.md,docs/IMPLEMENTATION-STATUS.md, anICoredoc comment.TODO-LIGHTWEIGHT-REDESIGN.md(the two-PR checklist).55 files changed, +203 / −4,008(≈1,400 LOC of contracts + their tests/mocks removed).Trust model after
settle().settle()if it's down). The relayer affects speed, never safety.Verification
forge testescrow: 145 passed / 0 failed (includes the relocatedCCTPV2Forwarder.t.sol, 13 tests).forge testrecourse: 284 passed / 0 failed.sharedbuilds clean (no test fns).md/json/sol.Out of scope (follow-up PR 2)
The off-chain operator service rewrite and SDK
bridgerewire to callsettle()directly are deferred. They bind contracts by ABI/address (not import), so they still build and run against existing deployments — nothing here breaks them. Tracked inTODO-LIGHTWEIGHT-REDESIGN.md.Accepted trade-off
With operator staking gone and no restaking backstop yet, recourse claims cap at LP pool liquidity (truncate above it). This is a deliberate simplicity trade, documented in the ADR. EigenLayer restaking as a deep backstop is a future, opt-in scale dial.
🤖 Generated with Claude Code