[PWABoot] SetBoot — on-chain PWA boot-blob (draft PoC, discussion #759)#760
Draft
Hugegreencandle wants to merge 2 commits into
Adds the PWABoot amendment: a storage primitive for a small on-chain "bootloader" blob, the layer-1 root of trust for a Hook's UI (discussion Xahau#759). A wallet renders the stub, which fetches + hash-verifies a larger stage-2 app before running it; the node only stores + serves the bytes.

Modeled on the Remarks amendment:
- feature PWABoot (DefaultNo)
- sfBootBlob (VL, code 33)
- ttBOOT_SET (105) / SetBoot transactor
- sfBootBlob as an optional field on AccountRoot
- SetBoot: amendment-gated; set / replace / delete the sender's own boot blob; fee = base + 1 drop/byte; 4 KB cap.

v0 is per-account + owner-key-mutable.

Tests (ripple.app.SetBoot, 3 cases / 53 checks, green): amendment-disabled => temDISABLED; set/replace/delete round-trip on AccountRoot; empty + oversize => temMALFORMED, at-cap ok. SetHookTSH_test gets a testSetBootTSH stub (full TSH coverage is a follow-up).

Follow-ups: immutability (tfBootImmutable), per-hook keying / dedicated ltBOOT object, the wallet resolve/verify/sandbox standard, and an xahc-prover proof of the verify core.

See Xahau#759

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…audit TA-03/04)

Audit found the fee path was never validated (every submission hard-coded a flat 1,000,000-drop fee, swamping the surcharge) and the delete-when-absent doApply branch was uncovered.

Add:
- testFeeSurcharge: submit exactly base + 1 drop/blob-byte (tesSUCCESS) and one drop short (telINSUF_FEE_P) via a no-baked-fee helper, so calculateBaseFee is actually enforced — a zero/wrong/sign-flipped surcharge now fails a test.
- testDeleteWhenAbsentIsNoOp: delete a boot blob on an account that never had one -> tesSUCCESS, field stays absent (the doApply fall-through branch).

ripple.app.SetBoot now 5 cases / 84 checks, green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Draft / PoC for design discussion #759
A storage primitive for a small on-chain "bootloader" blob — the layer-1 root of trust for a Hook's UI. A wallet renders the on-chain stub, which fetches + hash-verifies a larger stage-2 app before running it (secure-boot, rooted in the ledger). The node only stores + serves the bytes; the verify/render/sandbox runtime is wallet-side.
Modeled on the Remarks amendment.
What's here (v0)
- feature PWABoot (DefaultNo)
- sfBootBlob (VL, code 33)
- ttBOOT_SET (105) / SetBoot transactor
- sfBootBlob as an optional field on AccountRoot
- SetBoot: amendment-gated; set / replace / delete the sender's own boot blob; fee = base + 1 drop/byte; 4 KB cap. Per-account, owner-key-mutable.

Tests

ripple.app.SetBoot — 3 cases / 53 checks, green: amendment-disabled → temDISABLED; set/replace/delete round-trip on AccountRoot; empty + oversize → temMALFORMED, at-cap ok. (SetHookTSH_test gets a testSetBootTSH stub; full TSH coverage is a follow-up.)

Open for discussion (#759)

- per-hook keying / dedicated ltBOOT object
- immutability (tfBootImmutable) — fixed-pin vs owner-key rotation
- xahc-prover proof of the bootloader's verify core (the "loads-only-verified" invariant) (scoped: proves the gate's accept logic — accept ⟹ candidate hash == pin. The on-chain SetBoot stores the blob verbatim and verifies nothing; the wallet's hashing + stage-2 sandbox stay trusted. Not an end-to-end "whole app proven" claim.)

Marking draft — opening early so the ledger shape can be shaped with @RichardAH / the wallet side before it's polished.
🤖 Generated with Claude Code