Version v1.2.13: reward authority rotation primitive (RewardPool)#260
Merged
Conversation
Ships PR #254. Adds CometBFT-side `RewardPool` so the eth addresses authorized to attest for programmatic rewards under a Solana RM can be updated without reissuing reward rows. Unblocks the artist-coin attestation kill-switch from v1.2.11/#215. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
5 tasks
raymondjacobson
approved these changes
May 12, 2026
rickyrombo
added a commit
to AudiusProject/api
that referenced
this pull request
May 14, 2026
## Summary Adapts the two CreateReward call sites in this repo to the new cometbft `RewardPool` primitive shipping in go-openaudio v1.2.13 ([OpenAudio/go-openaudio#254](OpenAudio/go-openaudio#254)). Without this, the launchpad reward-code flow breaks at deploy: the new `CreateReward` proto reserves the old `claim_authorities` / `deadline_block_height` fields, and the validator now refuses any `CreateReward` whose RM has no pool. ## Why The pool primitive moves the eth addresses authorized to attest for programmatic rewards off each `core_rewards` row and onto a `core_reward_pools` row keyed by the Solana RM pubkey. Rewards now reference a pool by `rewards_manager_pubkey`; the pool's authority set is mutable via cometbft transactions; validators consult the pool's *current* authorities when serving claim attestations. Rotation becomes a one-row update instead of mass row reissuance. For us to call `CreateReward`, a pool keyed by the mint's RM must already exist. Brand-new mints need a one-time `CreateRewardPool` call first. ## What changed ### `utils/derive_reward_manager_keypair.go` (new) `DeriveRewardManagerKeypair(secretHex, mint) ed25519.PrivateKey` returns the deterministic ed25519 keypair the solana-relay used to init the Solana reward manager state account for a given mint. Seed material matches `apps/.../solana-relay/.../launchpad/launch_coin.ts`'s `deriveKeypair('reward-manager', mint)`: ``` seed = sha256(secret_utf8 || "audius-launchpad" || "reward-manager" || mint_bytes) ``` The returned private key's public key IS the `rewards_manager_pubkey` cometbft carries. Used to sign `CreateRewardPool`'s envelope-level ed25519 `rm_owner_signature`, which is the frontrunning defense — only callers who hold the launchpad's deterministic secret can produce it. ### `api/v1_create_reward_code.go` and `cmd/create_reward_codes/main.go` Both rewards code paths reshaped identically: 1. **Derive the RM keypair** for this mint (above). 2. **Ensure the pool exists**: `oap.Rewards.GetRewardPool(rewardsManagerPubkey)`. If `CodeNotFound`, call `oap.Rewards.CreateRewardPool(...)` with the RM private key as the new `rmKey` argument. Pool authorities = the per-mint claim authority eth address (the existing `DeriveEthAddressForMint` output). 3. **Submit `CreateReward`** with `RewardsManagerPubkey: rewardsManagerPubkey`. The legacy `ClaimAuthorities` slice and inline `DeadlineBlockHeight` are gone (proto tags 4–6 reserved on `CreateReward`); deadline is now a separate SDK argument. The CLI's "reward already exists, look up the stored address" idempotency path is preserved. The HTTP path's no-op behavior when `LaunchpadDeterministicSecret` is unset is preserved. ### `go.mod` `github.com/OpenAudio/go-openaudio v1.2.11` → `v1.2.13` (pseudo-version pointing at the merge commit). ## Test plan - [x] `go build ./...` and `go vet ./...` clean. - [x] `go test ./utils/...` — new `TestDeriveRewardManagerKeypair` covers well-formedness, determinism, sign/verify round-trip, and that different mints / secrets produce different keypairs (5 subtests). - [ ] After merge: bump `go.mod` to the clean `v1.2.13` tag once go-openaudio cuts it. - [ ] Devnet smoke: launch a new coin via the launchpad-relay, POST `/v1/rewards/code`, observe the first call creates both the pool and the reward, subsequent calls for the same mint create only the reward. - [ ] Staging: run the CLI against a fresh mint; verify the same two-call pattern then the idempotent reuse path on a second run. ## Dependencies - Blocked on: [OpenAudio/go-openaudio#254](OpenAudio/go-openaudio#254) (merged). - Coordinated with: [OpenAudio/go-openaudio#260](OpenAudio/go-openaudio#260) (the v1.2.13 version bump; this PR's go.mod pseudo-version will be rewritten to the clean tag after that lands). 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Ships as v1.2.13 (
.version.jsonbumped in this PR). Releases theRewardPoolcometbft primitive merged in #254, which unblocks the artist-coin attestation kill switch added in v1.2.11 (#215).What's in v1.2.13
PR #254 — Reward authority rotation primitive (RewardPool):
00034_reward_pools.sql): newcore_reward_poolstable keyed by the Solana RM pubkey;core_rewards.rewards_manager_pubkeyFK with reads aliased asclaim_authoritiesvia LEFT JOIN.launchpad_authority_rmseed table maps each per-mint claim authority eth address → its Solana RM, backfilling existing reward rows to real-RM-bound pools. The legacycore_rewards.claim_authoritiescolumn is dropped.CreateRewardPoolandSetRewardPoolAuthoritiesactions.CreateRewardnow requires an existing pool; signer must be in the pool's authorities.CreateRewardPooladditionally requires an ed25519rm_owner_signatureover the body bytes, produced by the RM's keypair — defeats pool-creation frontrunning by an observer who watches Solana RM init events but lacks the launchpad's deterministic secret.GetRewardAttestationrestored from the Temporarily block artist-coin attestations at the node #215 kill switch; auth check uses the pool's current authorities so rotation immediately revokes attestation rights.GetRewardSenderAttestation/GetDeleteRewardSenderAttestationgate per-RM (pool members for pool-managed RMs; validator/AAO trust set only for the configured AUDIO RM; everything else is refused).validateCreateRewardPoolrefuses the configured AUDIO RM, so AUDIO attestation authority remains on the network-wide trust set.What changed
pkg/version/.version.json:1.2.12→1.2.13.Implications for rollout
This release pairs with corresponding API-repo work (deferred from PR #254) that lands
CreateRewardPoolcalls beforeCreateRewardfor new launchpad mints. Until that ships, new mints will fail atvalidateCreateReward's pool-existence check. Existing mints work via the migration backfill.The wire-compat layer keeps the chain replayable for any node bootstrapping from genesis. PR #232 (separate, post-network-restart cleanup) strips it later.
Test plan
Create Releaseworkflow withversion=v1.2.13edgeand verify the AUDIO denylist is active in the chosen environment (AudioRewardsManagerPubkey()returns the expected RM)CreateRewardPoolintegration test against devnet round-trips: pool created → reward created against pool → authority rotated viaSetRewardPoolAuthorities→ rotated-out authority can no longer attest🤖 Generated with Claude Code