M2 epic: TWAP + EthFlow modules + module.toml manifests#22
Open
brunota20 wants to merge 21 commits into
Open
Conversation
Author
|
Fix-pass on the linearised stack: rebased dev/m2-base onto a doc-link backport so
|
Author
|
Audit-driven fix pass landed on dev/m2-base. Before: a0e34a3 Fixes applied (3 commits):
Audit reference: bruno-brain/wiki/projects/shepherd-audits/milestone-rubric-grant-audit-2026-06-25.md |
Author
|
Audit judgment-call pass complete on top of #22. New tip: Changes layered on top by the bleu/nullis-shepherd audit pass:
All 4 gates (fmt, clippy --workspace --all-targets --all-features -D warnings, test --workspace --all-features, RUSTDOCFLAGS="-D warnings" doc) green on the new tip. No upstream commits amended; the JC changes land as their own commits on top. Pushed alongside as |
jean-neiverth
force-pushed
the
dev/m2-base
branch
from
21204ba to
075e626
Compare
jean-neiverth
force-pushed
the
dev/m2-base
branch
2 times, most recently
from
2830974 to
9db5d94
Compare
…ance) Filtered subset of the compliance applied in PRs #66/#67 of bleu/nullis-shepherd, restricted to files that exist on the M2 epic head. M3+ files (shepherd-sdk, examples, backtest, deploy artifacts) and M4-coupled hunks (ProviderError typed-source variants, JoinSet reconnect tasks, supervisor restart helper) are skipped — they land via their own upstream PRs. Brings M2 epic in line with the repo-wide rust rubric (typed errors, no anyhow in libs, em-dash sweep, #[non_exhaustive] on public error enums).
The M2 compliance pass (2b11f91) narrowed several manifest/host re-exports from `pub` to `pub(crate)`. Three intra-doc links inherited from the wider M1 docs no longer resolve under `-D warnings`: - `crate::host::impls` — module is `mod impls;` (always private); the link doc-rendered as code at the M1-era visibility. Demote to a plain code span; the path is still grep-able and accurate. - `manifest::mod` link to `[load]` — ambiguous now that `pub(crate) use load::{... load};` makes `load` both a module and a function. Use `mod@load` to disambiguate to the module (matches the surrounding prose, which describes the file's responsibilities). - `manifest::types` link to `[super::load]` — same ambiguity, same fix: `mod@super::load`. Fixes the `RUSTDOCFLAGS="-D warnings" cargo doc` gate on dev/m2-base.
Audit reference: milestone-rubric-grant-audit-2026-06-25.md, Major #1. Vendored rubric mandates `strum::IntoStaticStr` (with `#[strum(serialize_all = "snake_case")]`) on every error enum so `error_kind` labels on the `shepherd_chain_request_total` / `shepherd_cow_api_*` counters stay in lock-step with the Rust source of truth instead of growing a `match err { ... => "connect" ... }` ladder per call site. Enums covered on this milestone (the ones present on dev/m2-base): - `nexum_engine::host::cow_orderbook::CowApiError` - `nexum_engine::host::provider_pool::ProviderError` - `nexum_engine::manifest::error::ParseError` - `nexum_engine::engine_config::EngineConfigError` Also adds `#[non_exhaustive]` to `CowApiError` and `ProviderError` (audit Major #2). The other two already carried it. `strum = "0.26"` lands as a direct dep on nexum-engine. The workspace-deps hoist (audit P1, Major #5) is intentionally a separate judgment call left to Bruno; this commit ships the substantive rubric fix without coupling to the broader Cargo.toml restructure.
Audit reference: milestone-rubric-grant-audit-2026-06-25.md,
duplication finding "internal_error('local-store', err.to_string())
map closures" (4 sites in one file).
The four `local-store` host endpoints all `.map_err`-ed the same
`StorageError -> HostError` conversion inline. Replace with a single
`local_store_err(StorageError) -> HostError` free function so a
future error-model change (richer kind, structured `data`) lands in
one place instead of four call sites.
Behaviour is identical; the helper is `fn`, not a closure, so
codegen is one shared symbol.
Audit reference: milestone-rubric-grant-audit-2026-06-25.md, Major #10 (`eprintln!` in daemon-side manifest loader code). Every other deprecation site in the engine routes through `tracing` (the main binary installs a JSON `tracing_subscriber` and the manifest loader itself uses `warn!`). The supervisor's `nexum.toml` fallback was the lone `eprintln!` survivor, which bypasses the structured-log pipeline and breaks operators who set `RUST_LOG=warn,manifest=warn` for daemon log aggregation. Switches to `warn!(target: "manifest", path = %legacy.display(), ...)` so the deprecation surfaces through the same channel as the no-`[capabilities]` warning emitted a few lines later by `manifest::load`.
…ss (issues 3, 5, 7) Add 12 tests across three M2 host modules: cow_orderbook (5 tests): Network error on dead server, 5xx passthrough, BadPath leniency, Decode on invalid/wrong-schema JSON for submit_order. provider_pool (3 tests): InvalidParams through full request path, Rpc error on unreachable node, Rpc error on malformed node response. Adds test_config helper for EngineConfig construction. local_store_redb (4 tests): Concurrent writes across namespaces, concurrent reads during writes, list_keys/delete race, stress test with 8 writers on one namespace.
Per ADR-0001 (module.toml schema), authored for the two M2
modules:
twap-monitor / module.toml
- capabilities.required = ["logging", "local-store", "chain",
"cow-api"] — matches the Rust imports the BLEU-826/827/828
paths exercise.
- [[subscription]] log on Sepolia (chain_id 11155111) against
ComposableCoW (0xfdaFc9d1902f4e0b84f65F49f244b32b31013b74)
with topic-0 keccak256(
"ConditionalOrderCreated(address,(address,bytes32,bytes))"
) = 0x2cceac5555b0ca45a3744ced542f54b56ad2eb45e521962372eef212a2cbf361.
- [[subscription]] block on Sepolia for the BLEU-827 poll loop.
ethflow-watcher / module.toml
- Same capability set (chain reserved for a future eth_call —
e.g. read the EthFlow refund pointer — without churning the
manifest).
- [[subscription]] log on Sepolia against CoWSwapEthFlow
production (0xbA3cB449bD2B4ADddBc894D8697F5170800EAdeC) with
topic-0 keccak256(
"OrderPlacement(address,(address,address,address,uint256,uint256,
uint32,bytes32,uint256,bytes32,bool,bytes32,bytes32),
(uint8,bytes),bytes)"
) = 0xcf5f9de2984132265203b5c335b25727702ca77262ff622e136baa7362bf1da9.
Both [capabilities.http].allow stay empty: all outbound HTTP
flows through the cow-api capability, which routes via the
host's pinned orderbook URL.
The content hash field is the 0.2 placeholder all-zero sha256;
0.3 will validate it against the loaded component bytes.
Linear: BLEU-834. Ref ADR-0001.
Three threads from the internal review mirror of upstream nullislabs/shepherd PR #17: 1. ethflow-watcher/module.toml capabilities: move `chain` from required to optional. The comment on the original manifest already said the module does not call `chain` today; declaring it as required widened the grant for a capability the module does not exercise. Optional keeps "future-proofing" (BLEU-855 can use it without manifest churn) without violating least-privilege. 2. ethflow-watcher/module.toml subscription comment: soften the "identical on every chain" claim. cow-rs::ETH_FLOW_PRODUCTION is identical across chains today, but unlike ComposableCoW's CREATE2 address EthFlow has had multiple per-network and per-version deployments historically. Multi-chain config in M5 must re-check per `chain_id` instead of assuming the address carries. Address itself stays unchanged: 0xbA3cB449bD2B4ADddBc894D8697F5170800EAdeC is verified against the live Sepolia deployment (event firing observed in the COW-1064 dry-run on 2026-06-18 + cow-rs canonical constant + multiple load-test runs). 3. README.md module manifest example: the documented `address` field said `0xC92E8bdf79f0507f65a392b0ab4667716BFE0110` labeled "ComposableCoW", but that is the GPv2VaultRelayer (per scripts/lib.sh). ComposableCoW is `0xfdaFc9d1902f4e0b84f65F49f244b32b31013b74`. Fixed the address; expanded the comment to clarify it is the canonical CREATE2 address (same on every supported chain). Stays on `feat/m2-module-manifests-bleu-834` as a stacked branch so upstream PR #17 + internal mirror PR #54 can see the fixes as a separate, atomic commit.
Add modules/twap-monitor/ as a workspace member. Cargo.toml declares [lib] crate-type = ["cdylib"] for WASM Component output, and pulls the deps the TWAP module path needs: cowprotocol (default-features off — only typed primitives and OrderCreation surface needed), alloy-sol-types (event/return decoding lands in BLEU-826/827), and wit-bindgen. src/lib.rs binds against the shepherd:cow/shepherd world (event- module imports + cow-api). generate_all is required because the world include pulls nexum:host/types across packages — without it, wit-bindgen panics on the missing cross-package mapping. init and on_event are stubbed: init logs once; on_event is a no-op until the Event::Log / Event::Block dispatch lands in BLEU-826 / BLEU-827. Verification: cargo build --target wasm32-wasip2 --release -p twap-monitor emits a 65 KB .wasm. Engine load is gated on module.toml (BLEU-834).
…-826)
`on_event(Event::Logs)` decodes each log against
`ComposableCoW.ConditionalOrderCreated` via `alloy_sol_types`,
extracts `(owner, params)`, and writes `watch:{owner}:{params_hash}`
to local-store with the abi-encoded `ConditionalOrderParams` as
the value. BLEU-827 reads this back via `list-keys("watch:")` and
the value is exactly the `(handler, salt, staticInput)` tuple the
poll path passes to `getTradeableOrderWithSignature`.
Idempotency: `local_store::set` overwrites in place, so re-org
replay or overlapping subscription windows produce no observable
side effect.
Resilience: `decode_conditional_order_created` returns `None`
when topic0 does not match the event signature or the payload
fails ABI decoding. Adjacent events on the same subscription
(MerkleRootSet, SwapGuardSet) are silently skipped instead of
short-circuiting the batch. The fn is on plain slices so the
host-free unit tests cover well-formed / wrong-topic / empty-
topics without wit-bindgen scaffolding.
Block, Tick, and Message variants of `Event` are left unhandled
in this PR — `Event::Block` dispatch lands in BLEU-827 (poll
path); the other two are not used by this module.
Adds `alloy-primitives` as a direct dep so the topic/data plumbing
does not rely on alloy types leaking through `cowprotocol`'s
re-exports.
`cargo build --target wasm32-wasip2 --release -p twap-monitor`
emits a 96 KB .wasm (up from the 65 KB skeleton because of the
alloy + cowprotocol composable types now linked in).
`on_event(Event::Block)` walks every persisted watch, skips the
ones gated by a future `next_block:` / `next_epoch:` entry, and
dispatches the ready ones via `chain::request("eth_call",
[{to: COMPOSABLE_COW, data}, "latest"])` to
`ComposableCoW.getTradeableOrderWithSignature(owner, params,
"", [])`.
Returns:
- Successful return data → `<(GPv2OrderData, Bytes)>::abi_decode_params`
→ `PollOutcome::Ready { order, signature }`.
- Revert payload → `decode_revert` matches the four-byte selector
against the five `IConditionalOrder` errors:
OrderNotValid → DontTryAgain
PollNever → DontTryAgain
PollTryNextBlock → TryNextBlock
PollTryAtBlock(n) → TryOnBlock(n)
PollTryAtEpoch(t) → TryAtEpoch(t)
- Anything else falls back to TryNextBlock so a flaky RPC or
unmodelled require-revert is retried instead of dropped.
Decoder ABI: a local `abi::Params` struct mirrors the wire format
of `cowprotocol::ConditionalOrderParams` because sol! cannot cross
crate boundaries; the resulting call selector is byte-equal to the
real contract. The successful return path decodes into the
canonical `cowprotocol::GPv2OrderData` directly, so the 12-field
struct is not duplicated. `Ready` boxes the order to keep
`PollOutcome` cache-friendly (clippy::large_enum_variant).
Storage conventions (shared with BLEU-830, which writes these):
- `next_block:{owner}:{params_hash}` -> u64 LE — block number gate
- `next_epoch:{owner}:{params_hash}` -> u64 LE — Unix-seconds gate
Either / both / neither may be set; the watch polls when both pass.
`block.timestamp` is milliseconds per WIT, so we divide by 1000 to
compare against the `TryAtEpoch` (seconds) convention.
Host follow-up: the chain backend currently swallows alloy's
`RpcError::ErrorResp.data` (it becomes `host-error.message`,
unstructured). `poll_one` is wired to consume structured revert
hex via `host-error.data` once that lands — the `decode_revert_hex`
test locks the path. Until then, every revert defaults to
TryNextBlock, which is the safe choice.
Tests: 14 new (return round-trip, all five revert variants, hex
plumbing, eth_call JSON shape, watch-key round-trip, U256
saturation), keeping the 3 BLEU-826 regressions. `.wasm` grows
from 96 KB to 215 KB (serde_json + IConditionalOrder ABI + the
GPv2OrderData decode path linked in).
Linear: BLEU-827. Ref ADR-0006.
…828)
On `PollOutcome::Ready { order, signature }`, convert the
`GPv2OrderData` to the typed `OrderData` (maps the on-chain
bytes32 markers `kind` / `sellTokenBalance` / `buyTokenBalance`
via cowprotocol's `from_contract_bytes`), wrap the signature as
`Signature::Eip1271` (ComposableCoW returns the orderbook wire
form: raw verifier bytes, the orderbook re-prepends `from`
before settlement), and feed everything through
`OrderCreation::from_signed_order_data`. The body is then
serde-encoded and pushed to `cow_api::submit_order(chain_id,
body)`.
On success, persist `submitted:{uid}` in local-store as an
empty marker — presence of the key is the receipt; BLEU-830
may later attach metadata but the bare flag is enough to
suppress double submits.
Scope notes (deliberately deferred):
- `app_data` is hard-coded to `EMPTY_APP_DATA_JSON`.
Conditional orders that pin a real document on IPFS get
rejected by `from_signed_order_data` (digest mismatch) and
skipped with a Warn log instead of submitting a corrupt body.
Resolving the document is its own concern.
- Submission errors are logged. BLEU-829 wires
`OrderPostError::retry_hint` into this site so the backoff /
drop decision is data-driven.
- `from` is set to the watch owner (the address that emitted
`ConditionalOrderCreated`). The orderbook prepends this to
the EIP-1271 blob during settlement.
Tests: 7 new (gpv2_to_order_data marker mapping incl. zero-
receiver normalisation, unknown kind / balance marker
rejection; build_order_creation happy path with serde round-
trip; rejection of non-empty app_data and `from = ZERO`).
Total 24 host tests. `.wasm` 273 KB (was 215 KB; serde for
OrderCreation, the OrderData/Signature/SigningScheme modules,
and serde_with's runtime ride along).
Linear: BLEU-828. Ref ADR-0006 (modules build orders
themselves).
After \`cow_api::submit_order\` returns Err, decode the orderbook's
typed \`ApiError\` JSON from \`host-error.data\` and dispatch on
\`OrderPostErrorKind::is_retriable()\`:
- retriable (InsufficientFee, TooManyLimitOrders,
PriceExceedsMarketPrice) -> RetryAction::TryNextBlock — leave
the watch in place so the next block re-attempts.
- permanent (InvalidSignature, WrongOwner, DuplicateOrder,
UnsupportedToken, InvalidAppData, ...) -> RetryAction::Drop —
delete watch:{owner}:{params_hash} and any stale next_block /
next_epoch entries the lifecycle layer may have written.
- typed payload missing or unparseable -> TryNextBlock (safe
default: a flaky orderbook should not poison a still-valid
watch).
A \`RetryAction::Backoff { seconds }\` variant is defined for the
BLEU-829 contract but has no producer: cowprotocol's surface today
is bool-only (no server-supplied delay). The variant is kept so the
dispatcher can grow into it once a hint shows up (e.g. server
\`Retry-After\` header or a richer typed error).
## Host follow-up
\`cow_api::submit_order\` in nullislabs/shepherd PR #8 stuffs the
formatted error string into \`host-error.message\` with \`data: None\`
and \`code: 0\`. \`try_decode_api_error\` reads from \`host-error.data\`
already, so once the host forwards the upstream JSON the dispatch
becomes data-driven without further module changes. Test
\`classify_missing_data_defaults_to_try_next_block\` documents the
current fallback; the four other classify tests lock the
intended semantics for when the host catches up.
Tests: 5 new (retriable / permanent / unknown / missing-data /
malformed-data). Total 29 host tests. \`.wasm\` 298 KB (was 273 KB;
adds the typed ApiError decode + the small dispatcher).
Note: this branch also picks up the dev/m2-base bump to
bleu/cow-rs main (\`57f5f55\`), which lands BLEU-822
(\`OrderPostErrorKind\`) + BLEU-823 — both now visible through the
\`cowprotocol\` re-exports.
Linear: BLEU-829.
After poll_one, the non-Ready arms now reach a typed lifecycle
step instead of dead-ending in the log:
- TryNextBlock -> NoOp — re-poll next block
- TryOnBlock(n) -> SetNextBlock(n) -> persist next_block:{...}
- TryAtEpoch(t) -> SetNextEpoch(t) -> persist next_epoch:{...}
- DontTryAgain -> DropWatch -> delete watch:{...} +
best-effort delete of the
stale next_block: /
next_epoch: gates
The decision is split out as a pure `outcome_to_update` returning
a `WatchUpdate` enum, with the impure `apply_watch_update`
performing the local-store writes. That partition lets the four
host-free tests assert the mapping exhaustively without
wit-bindgen scaffolding.
`Ready` is deliberately mapped to `NoOp` here as a safety net —
poll_all_watches routes Ready to submit_ready, which owns the
post-submit book-keeping (submitted: marker + retry / drop). If
a future refactor accidentally pipes Ready through the lifecycle
path, the watch must NOT be erased.
Wire-format conventions (u64 LE bytes, key shape watch:{owner}:
{params_hash} and parallel next_block: / next_epoch:) stay the
same as BLEU-827; no consumer changes required.
Tests: 5 new (Ready, TryNextBlock, TryOnBlock, TryAtEpoch,
DontTryAgain). Total 34 host tests.
Linear: BLEU-830.
Mirror of the twap-monitor skeleton (BLEU-825) for the EthFlow path. Adds modules/ethflow-watcher/ as a workspace member, with [lib] crate-type = ["cdylib"] for WASM Component output, and the same dep set (cowprotocol no-default-features, alloy-primitives, alloy-sol-types, wit-bindgen) pre-pulled so BLEU-832 (event decode) and BLEU-833 (EIP-1271 submit + retry) can layer in without churning Cargo.toml. src/lib.rs binds against shepherd:cow/shepherd, init logs once, on_event logs Event::Logs as a placeholder until BLEU-832 decodes the CoWSwapEthFlow OrderPlacement payload. cargo build --target wasm32-wasip2 --release -p ethflow-watcher emits a 67 KB .wasm (within ~3 KB of twap-monitor's skeleton — identical world + deps, identical link footprint). Engine load is gated on module.toml (BLEU-834).
\`on_event(Event::Logs)\` matches each log against
\`CoWSwapOnchainOrders.OrderPlacement\` and keeps the four
fields BLEU-833's submission path will consume:
(sender, order, signature, data)
where \`order\` is the 12-field \`GPv2OrderData\` the
settlement contract verifies, and \`signature\` is the typed
\`OnchainSignature { scheme, data }\` pair (EIP-1271 or
PreSign).
Guardrails: \`decode_order_placement\` rejects the log when
the contract address is not one of the canonical EthFlow
deployments (production or staging — both share the same
address on every chain). topic0 must match the event
signature hash and the body must round-trip through
\`SolEvent::decode_raw_log\`. The decoder is on plain slices so
the seven host-free tests cover the happy path, the alternate
staging address, an unrelated contract, a wrong topic, a
truncated address, a truncated body, and an empty topic list.
\`DecodedPlacement\` boxes \`GPv2OrderData\` (~300 bytes); the
struct is kept private and \`#[allow(dead_code)]\` until
BLEU-833 wires the submit path.
\`cargo build --target wasm32-wasip2 --release -p
ethflow-watcher\` -> 96 KB .wasm (was 67 KB skeleton; the
\`CoWSwapOnchainOrders\` ABI + GPv2OrderData decode pull in
~30 KB of alloy sol-types runtime).
Linear: BLEU-832. Ref ADR-0006.
…(BLEU-833)
\`on_event(Event::Logs)\` now ends in a complete pipeline:
1. \`decode_order_placement\` (BLEU-832) lifts the log to a
\`DecodedPlacement\` carrying the contract, sender, order,
onchain signature and refund pointer.
2. \`build_eth_flow_creation\` translates that into a typed
\`(OrderCreation, OrderUid)\`:
- \`gpv2_to_order_data\` maps the on-chain \`bytes32\` markers
to the typed \`OrderKind\` / balance enums; same logic as
the TWAP module, kept inline because the two crates are
independent.
- \`to_signature\` lifts \`OnchainSignature\` into
\`Signature::Eip1271(bytes)\` or \`Signature::PreSign\`.
The hidden \`__Invalid\` sol! variant is surfaced as
\`Option::None\` so a malformed event skips the placement
instead of panicking.
- \`OrderData::uid(domain, contract)\` computes the canonical
56-byte order UID locally; the orderbook returns the same
value from POST /api/v1/orders and a Warn fires if they
drift (domain or owner divergence).
- \`from\` = EthFlow contract (the EIP-1271 verifier), NOT
the user's \`sender\` — matches the on-chain signing scheme.
- \`app_data\` is fixed to \`EMPTY_APP_DATA_JSON\` for now;
placements pinning a real IPFS document are rejected by
\`from_signed_order_data\` (digest mismatch) and skipped.
3. Serialise + \`cow_api::submit_order(chain_id, body)\`.
4. Persist the outcome:
- success -> \`submitted:{uid}\`
- retriable -> \`backoff:{uid}\` (same OrderPostError
classification path as
BLEU-829)
- permanent -> \`dropped:{uid}\`
\`apply_submit_retry\` mirrors BLEU-829's
\`classify_submit_error\` — when the host forwards the orderbook
JSON via \`host-error.data\`, the dispatch is data-driven;
absent data, the safe default is \`backoff:\` (retry next event)
rather than \`dropped:\`.
The \`Backoff { seconds }\` variant of \`RetryAction\` is parked:
cowprotocol's surface today is bool-only, so until a server
hint shows up (Retry-After or a typed delay) the variant
remains intentionally producer-less.
Tests: 10 host tests covering BLEU-832 (2 decode regressions)
and BLEU-833 (5 order-build edges + 3 error-classification
arms). \`.wasm\` 268 KB (was 96 KB; the OrderCreation +
serde_json + DomainSeparator + OrderUid surface get linked
in). Same scope-knot on app-data resolution as the TWAP
module; same host follow-up on \`host-error.data\` forwarding.
Linear: BLEU-833. Ref ADR-0006.
\`submit_placement\` now checks for a prior terminal marker before
calling \`cow_api::submit_order\`. Re-delivered \`OrderPlacement\`
logs (engine restart with replay, host reconnect, indexer
back-fill) would otherwise re-submit the same body, the orderbook
would reject \`DuplicateOrder\` (permanent), and the module would
end up with BOTH \`submitted:{uid}\` AND \`dropped:{uid}\` written
for the same key.
The guard is a typed `prior_outcome(uid_hex)` lookup:
- \`Submitted\` -> skip (the most common re-delivery cause)
- \`Dropped\` -> skip (orderbook permanently rejected previously)
- \`Backoff\` -> proceed: a transient failure deserves a fresh
attempt on re-delivery; the new outcome
overrides.
- \`None\` -> proceed: a clean first try.
On a successful submit, any previous \`backoff:\` marker is also
cleared so the local store carries at most one outcome flag per
UID at rest. Same cleanup happens on a permanent drop in
\`apply_submit_retry\`.
Linear: BLEU-833 (fix on the same PR — review identified the
re-delivery gap).
Update twap-monitor and ethflow-watcher Cargo.toml to use workspace dep versions (alloy-primitives 1.6, alloy-sol-types 1.6, wit-bindgen 0.58) and apply cargo fmt to the cherry-picked module source.
jean-neiverth
force-pushed
the
dev/m2-base
branch
from
9db5d94 to
7a68e38
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
M2 epic — consolidated for review
This PR aggregates the M2 deliverable on top of the M1 consolidated branch (
dev/m1-prs). M2 ships two production-shaped modules that consume the M1 host surface end-to-end, plus engine hardening and additional test coverage.Modules
modules/twap-monitor/— indexesComposableCoW.ConditionalOrderCreatedevents into local-store, polls watches viaeth_callagainstgetTradeableOrderWithSignature, decodesPollOutcomefrom the return/revert data, buildsOrderCreationwith EIP-1271 signatures, submits via cow-api, and appliesOrderPostError::retry_hint()for typed retry classification (TryNextBlock/TryAtEpoch/DontTryAgain/Drop).modules/ethflow-watcher/— decodesCoWSwapEthFlow.OrderPlacementlogs, lifts the embeddedGPv2OrderDatainto anOrderCreationwithSignature::Eip1271(orPreSignfor non-EthFlow chains), submits via cow-api, applies the same retry classification, and persistssubmitted:{uid}/dropped:{uid}/backoff:{uid}keys for re-delivery idempotency.Both modules ship with
module.tomlmanifests declaring capability requirements and subscription filters.Engine hardening (on top of M1)
strum::IntoStaticStrderived on all error enums for structured-log metric labelspub(crate)visibility sweep#[from]on error variants, unused dep silencing)local_store_errhelper extracted to centraliseStorageError→HostErrormappingtracing::warn!for nexum.toml deprecation (waseprintln!)cowprotocolpatch bumped tobleu/cow-rsrev57f5f55(BLEU-822OrderPostErrorKind+retry_hint(), BLEU-823OrderBookApi::with_base_url)Test coverage
PollOutcomelifecycle,OrderCreationbuilder, retry classification, watch-key parsingOrderCreationbuilder (EIP-1271 + PreSign), retry classification, unsupported-chain rejection, non-empty app_data rejectionTotal: 98 tests passing.
cow-rs dependency
Patches
cowprotocoltobleu/cow-rsmain (rev57f5f55). The fork carries:OrderPostErrorKind+retry_hint()onApiErrorOrderBookApi::with_base_url(chain, base_url)Drop the patch once
cowprotocol >= 1.0.0-alpha.4ships upstream. Tracked as ADR-0007 + ADR-0004.Validation