This document defines the shared trust/source contract used by core, CLI, and desktop output.
packages/core/src/lib/trust/sources.tspackages/core/src/lib/trust/types.tspackages/core/src/lib/verify/index.ts
Use constants from VERIFICATION_SOURCE_IDS and GENERATION_SOURCE_IDS instead of hardcoded strings.
Why:
- Shared IDs keep CLI/UI/tests aligned.
- Refactors remain compile-safe when IDs evolve.
Always construct context via createVerificationSourceContext(...).
This enforces defaults from DEFAULT_VERIFICATION_SOURCE_CONTEXT and avoids field drift at call sites.
Consensus trust for consensus-proof is derived from:
hasConsensusProofconsensusVerifiedconsensusMode(beacon,opstack,linea)
Rules:
hasConsensusProof=false:- source status:
disabled - trust:
rpc-sourced - summary/detail explain proof omission and fallback trust
- source status:
hasConsensusProof=true,consensusVerified=false:- source status:
enabled - trust:
rpc-sourced - summary/detail explain included-but-not-upgraded proof
- source status:
hasConsensusProof=true,consensusVerified=true:- source status:
enabled - trust:
- beacon ->
consensus-verified-beacon - opstack ->
consensus-verified-opstack - linea ->
consensus-verified-linea
- beacon ->
- source status:
For OP Stack and Linea, summary/detail must preserve the non-equivalence boundary to Beacon light-client finality.
Desktop UI rule:
Chain state is finalizedmust consume the coreconsensusTrustDecisionReason.- Even when
consensusVerification.valid === true, any non-null trust decision reason (for examplestate-root-mismatch-policy-prooforblock-number-mismatch-policy-proof) must downgrade the safety check fromcheckto warning/error according toisWarningConsensusTrustDecisionReason(...).
decoded-calldata trust is derived from decodedCalldataVerification:
self-verified-> trustself-verifiedpartial-> trustapi-sourcedwith partial-verification wordingmismatch-> trustapi-sourcedwith explicit mismatch wordingapi-onlyor omitted -> trustapi-sourced
simulation trust is derived from witness + replay outcomes:
- no simulation artifact -> source disabled
- simulation without witness -> trust
rpc-sourced - simulation + witness, but witness verification fails -> trust
rpc-sourced - simulation + witness verified, replay not run/failed/mismatch -> trust
rpc-sourced - simulation + witness verified, replay executes and matches, and structural simulation verification passes -> trust remains
rpc-sourceduntil replay world-state accounts are fully state-root proven
Notes:
- In witness-only packages, replay-complete inputs are attached so simulation effects can be re-derived locally during verification; packaged simulation effects are retained for replay/effect comparison.
simulationWitness.simulationDigestmust always be computed from the exact packaged simulation payload (including witness-only stripped projections).- Desktop
Simulation outcomemust not return a success/check state for witness-only packages unless both witness verification and replay verification succeed. - Witness-only replay requires complete replay inputs: world-state accounts and pinned block environment (timestamp/gas/basefee/beneficiary, plus optional prevrandao/difficulty). If block context is missing, replay must fail closed.
- Replay currently supports
operation=0(CALL) only. Foroperation=1(DELEGATECALL), generator must keep packaged simulation effects and export cannot be labeledfully-verifiable. - Log equality checks apply when packaged logs are present; witness-only replay still enforces success/return-data/gas policy checks.
- Replay success currently proves deterministic consistency against provided
witness inputs, not full cryptographic completeness for all replay world-state
accounts. Do not label simulation as
proof-verifiedunder this model.
When changing this contract, update and run:
packages/core/src/lib/trust/__tests__/sources.test.tspackages/core/src/lib/verify/__tests__/report.test.tspackages/cli/src/cli.output.test.ts(if output wording or IDs change)