refactor: drop operator staking stack for permissionless settlement #10

Open: grimnote wants to merge 4 commits into main from redesign/drop-operator-staking

@grimnote

What

Collapse cross-chain settlement to one permissionless, trustless environment by deleting the on-chain operator staking stack. This is the first of two PRs (on-chain teardown now; off-chain client adaptation follows).

Why

CCTPV2EscrowReceiver.settle(message, attestation) (and its confidential twin) is already external + permissionless, and it verifies Circle's CCTP attestation on-chain. The settlement outcome is fully determined by (message, attestation), so the operator stack — OperatorRegistry (GOV staking, claim windows), OperatorSlashingManager (optimistic-dispute slashing), FeeManager (zero fees), TaskExecutor (the canExecuteTask gate), CCTPHandler — was an access gate over an action that is already safe for anyone to perform. It added no settlement safety. A component audit confirmed escrow and recourse have no compile- or deploy-time dependency on orchestration.

Full rationale: docs/adr/0001-drop-operator-staking.md.

Changes

  • Delete the orchestration package: OperatorRegistry, OperatorSlashingManager, FeeManager, TaskExecutor, CCTPHandler, TaskLib, CCTPMessageLib + their interfaces, mocks, tests, and deploy/upgrade scripts.
  • Relocate CCTPV2Forwarder (the independent, permissionless non-FHE forwarder) + its interface and test into packages/escrow/contracts/receivers/.
  • Update CI/config: ci.yml, coverage.yml, slither.yml, aderyn.yml matrices, aderyn.toml, scripts/run-slither.sh, root package.json scripts, README.md, docs/IMPLEMENTATION-STATUS.md, an ICore doc comment.
  • Add ADR 0001 and TODO-LIGHTWEIGHT-REDESIGN.md (the two-PR checklist).

55 files changed, +203 / −4,008 (≈1,400 LOC of contracts + their tests/mocks removed).

Trust model after

  • Settlement safety = Circle CCTP attestation, verified on-chain in settle().
  • Liveness = a thin relayer bot, with a permissionless backstop (anyone can call settle() if it's down). The relayer affects speed, never safety.
  • Recourse capital = LP liquidity + premiums.

Verification

  • forge test escrow: 145 passed / 0 failed (includes the relocated CCTPV2Forwarder.t.sol, 13 tests).
  • forge test recourse: 284 passed / 0 failed.
  • shared builds clean (no test fns).
  • Prettier-clean on all touched md/json/sol.

Out of scope (follow-up PR 2)

The off-chain operator service rewrite and SDK bridge rewire to call settle() directly are deferred. They bind contracts by ABI/address (not import), so they still build and run against existing deployments — nothing here breaks them. Tracked in TODO-LIGHTWEIGHT-REDESIGN.md.

Accepted trade-off

With operator staking gone and no restaking backstop yet, recourse claims cap at LP pool liquidity (truncate above it). This is a deliberate simplicity trade, documented in the ADR. EigenLayer restaking as a deep backstop is a future, opt-in scale dial.

🤖 Generated with Claude Code
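
A minimal model of the trust argument in the PR description, added here as an illustration and not code from this repository: the outcome of settle() depends only on (message, attestation), never on the caller. The HMAC key standing in for Circle's attester signatures, the `recipient:amount` message layout, the replay guard and all names are assumptions of the example.

```python
import hashlib
import hmac

# Constructed stand-in for Circle's attester key. Real CCTP attestations are
# attester signatures over the message hash; HMAC keeps this model stdlib-only.
ATTESTER_KEY = b"constructed-demo-key"


def attest(message: bytes) -> bytes:
    """Attester side (off-chain): authenticate the exact message bytes."""
    return hmac.new(ATTESTER_KEY, message, hashlib.sha256).digest()


class EscrowReceiverModel:
    """Hypothetical model of a permissionless settle(message, attestation)."""

    def __init__(self):
        self.balances = {}    # recipient -> settled amount
        self.settled = set()  # digests already settled (assumed replay guard)

    def settle(self, caller: str, message: bytes, attestation: bytes) -> bool:
        # `caller` is deliberately never read: there is no operator gate.
        if not hmac.compare_digest(attest(message), attestation):
            return False  # attestation does not cover these exact bytes
        digest = hashlib.sha256(message).digest()
        if digest in self.settled:
            return False  # each attested message settles at most once
        self.settled.add(digest)
        # Recipient and amount come from the attested bytes, not the caller.
        recipient, amount = message.decode().split(":")
        self.balances[recipient] = self.balances.get(recipient, 0) + int(amount)
        return True


def outcome_for(caller: str, message: bytes, attestation: bytes):
    """Settle on a fresh model and return (accepted, resulting balances)."""
    model = EscrowReceiverModel()
    return model.settle(caller, message, attestation), model.balances
```

In this model the relayer and an arbitrary caller produce identical state, while a message that differs from the attested bytes, or a second submission of the same message, is rejected.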

Delete the on-chain `orchestration` package (OperatorRegistry,
OperatorSlashingManager, FeeManager, TaskExecutor, CCTPHandler, TaskLib,
CCTPMessageLib + interfaces/mocks/tests/scripts). `CCTPV2EscrowReceiver.settle()`
already verifies Circle's CCTP attestation and is permissionless, so the operator
stack was an access gate over an already-safe action — not a security layer.
Escrow and recourse had no compile/deploy dependency on orchestration.

- Relocate CCTPV2Forwarder (+ interface + test) into packages/escrow/contracts/receivers/
- Update CI matrices (ci/coverage/slither/aderyn), aderyn.toml, run-slither.sh,
  root package.json scripts, README, docs/IMPLEMENTATION-STATUS.md, ICore comment
- Add ADR 0001 and the redesign checklist

The off-chain operator service and SDK bridge rewire to settle() are a follow-up
(PR 2); they bind contracts by ABI/address so still build and run against existing
deployments.

forge test: escrow 145 passed, recourse 284 passed, shared builds — all green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Remove TODO-LIGHTWEIGHT-REDESIGN.md and docs/adr/0001-drop-operator-staking.md
and the references to the ADR in docs/IMPLEMENTATION-STATUS.md. The §8 status
text (permissionless settlement) is retained.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Review of PR #10 found the teardown left orchestration references behind:
- LICENSE, NOTICE, CONTRIBUTING.md, SECURITY.md, RELEASES.md: drop the deleted
  packages/orchestration from the core-protocol / scope lists (kept historical
  deployment-date narrative in RELEASES).
- .github/CODEOWNERS: remove the dangling /packages/orchestration/ owner rule.
- .github/pull_request_template.md: remove the orchestration affected-package box.
- packages/escrow/README.md: remove the (now-wrong) 'moved to orchestration' note
  and the dead Related Repositories link — the forwarder lives here now.

Also align the relocated forwarder with its escrow siblings:
- CCTPV2Forwarder.sol + ICCTPV2Forwarder.sol: pragma ^0.8.24 -> ^0.8.25.
- CCTPV2Forwarder.t.sol: SPDX MIT -> FSL-1.1-ALv2.

escrow: forge test 145 passed. prettier clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

grimnote added a commit that referenced this pull request Jun 27, 2026

From the PR #10 review (cross-checked against this branch):
- offchain/README: remove the dead @reineira-os/orchestration related-repo link
  (the receiver lives in @reineira-os/escrow now).
- sdk: remove the stale governanceToken field/address (the GOV staking token of
  the deleted OperatorRegistry); unused by any SDK module.

sdk: tsup build + 78 vitest passed. prettier clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Align the relocated forwarder test with its contract/interface (^0.8.25) and the
escrow package solc — completes the pragma alignment from the relocation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>