hypercall_state_commitment/

leaves.rs

use serde::{Deserialize, Serialize};

/// Fixed-point scale: 1e8 (same as engine contract units).
/// All monetary values in leaves are stored as i128 scaled by 1e8.
/// Example: $95,000.50 = 9_500_050_000_000i128
pub const PRICE_SCALE: i128 = 100_000_000;

/// Account metadata leaf.
/// Key: keccak256(address || "account")
///
/// `cash` is the ledger balance scaled by 1e8 (from `Decimal`).
/// `margin_mode`: 0 = Standard, 1 = Portfolio.
/// `liquidation_state`: 0 = Healthy, 1 = PreLiquidation, 2 = InLiquidation, 3 = Liquidated.
#[derive(
    Debug, Clone, Serialize, Deserialize, PartialEq, borsh::BorshSerialize, borsh::BorshDeserialize,
)]
pub struct AccountLeaf {
    /// Ledger cash balance, scaled 1e8. Preserves full `Decimal` precision.
    pub cash: i128,
    pub nonce: u64,
    pub margin_mode: u8,
    pub liquidation_state: u8,
}

/// Option position leaf.
/// Key: keccak256(address || "pos" || symbol)
///
/// Both fields scaled 1e8, matching engine's `Decimal` via `to_contract_units()`.
#[derive(
    Debug, Clone, Serialize, Deserialize, PartialEq, borsh::BorshSerialize, borsh::BorshDeserialize,
)]
pub struct OptionPositionLeaf {
    /// Signed quantity scaled 1e8. Positive = long, negative = short.
    pub quantity: i128,
    /// Average entry price scaled 1e8.
    pub entry_price: i128,
}

/// Open order leaf.
/// Key: keccak256(address || "order" || order_id_be_bytes)
///
/// All prices/sizes scaled 1e8.
#[derive(
    Debug, Clone, Serialize, Deserialize, PartialEq, borsh::BorshSerialize, borsh::BorshDeserialize,
)]
pub struct OrderLeaf {
    /// Order ID.
    pub order_id: u64,
    /// Instrument symbol (variable length, borsh length-prefixed).
    pub symbol: String,
    /// 0 = Buy, 1 = Sell.
    pub side: u8,
    /// Limit price scaled 1e8.
    pub price: i128,
    /// Remaining size scaled 1e8.
    pub remaining_size: i128,
    /// Original size scaled 1e8.
    pub original_size: i128,
    /// Client-assigned ID (optional).
    pub client_id: Option<String>,
    /// Whether MMP is enabled for this order.
    pub mmp_enabled: bool,
}

/// Perp position leaf.
/// Key: keccak256(address || "perp" || coin)
///
/// Stored as i128 scaled 1e8 to avoid f64 non-determinism in commitments.
/// Conversion from engine's `f64`: `(size * 1e8) as i128`.
#[derive(
    Debug, Clone, Serialize, Deserialize, PartialEq, borsh::BorshSerialize, borsh::BorshDeserialize,
)]
pub struct PerpPositionLeaf {
    /// Signed size scaled 1e8. Positive = long, negative = short.
    pub size: i128,
    /// Entry price scaled 1e8.
    pub entry_price: i128,
}

/// MMP config leaf.
/// Key: keccak256(address || "mmp" || currency)
///
/// Limits stored as i128 scaled 1e8 (from engine's `f64`).
#[derive(
    Debug, Clone, Serialize, Deserialize, PartialEq, borsh::BorshSerialize, borsh::BorshDeserialize,
)]
pub struct MmpConfigLeaf {
    pub enabled: bool,
    pub interval_ms: i64,
    pub frozen_time_ms: i64,
    /// Quantity limit scaled 1e8. None = no limit.
    pub qty_limit: Option<i128>,
    /// Delta limit scaled 1e8. None = no limit.
    pub delta_limit: Option<i128>,
    /// Vega limit scaled 1e8. None = no limit.
    pub vega_limit: Option<i128>,
}

/// Instrument metadata leaf (global).
/// Key: keccak256("instrument" || symbol)
///
/// Strike scaled 1e8.
#[derive(
    Debug, Clone, Serialize, Deserialize, PartialEq, borsh::BorshSerialize, borsh::BorshDeserialize,
)]
pub struct InstrumentLeaf {
    pub expired: bool,
    /// 0 = OrderbookOnly, 1 = RfqOnly, 2 = Both
    pub trading_mode: u8,
    pub expiry: u64,
    /// Strike price scaled 1e8.
    pub strike: i128,
    /// 0 = Call, 1 = Put
    pub option_type: u8,
}

/// Oracle anchor leaf (global).
/// Key: keccak256("oracle" || underlying)
///
/// Spot price scaled 1e8 (from engine's `Decimal`).
/// IV surface is too large to store inline -- we commit its hash only.
#[derive(
    Debug, Clone, Serialize, Deserialize, PartialEq, borsh::BorshSerialize, borsh::BorshDeserialize,
)]
pub struct OracleLeaf {
    /// Spot price scaled 1e8.
    pub spot_price: i128,
    /// keccak256 hash of the serialized VolatilitySurface.
    pub iv_surface_hash: [u8; 32],
}

/// Global counters leaf (singleton).
/// Key: keccak256("global")
#[derive(
    Debug, Clone, Serialize, Deserialize, PartialEq, borsh::BorshSerialize, borsh::BorshDeserialize,
)]
pub struct GlobalLeaf {
    pub next_order_id: u64,
    pub next_trade_id: u64,
    pub command_chain_root: [u8; 32],
    pub command_chain_seq: u64,
}

/// Risk leaf (separate JMT).
/// Key: keccak256(address)
///
/// All monetary fields scaled 1e8 to preserve sub-cent precision from
/// the engine's `Decimal`/`f64` risk computations.
#[derive(
    Debug, Clone, Serialize, Deserialize, PartialEq, borsh::BorshSerialize, borsh::BorshDeserialize,
)]
pub struct RiskLeaf {
    /// Equity = cash + option UPNL + perp UPNL, scaled 1e8.
    pub equity: i128,
    /// Initial margin required, scaled 1e8.
    pub initial_margin: i128,
    /// Maintenance margin required, scaled 1e8.
    pub maintenance_margin: i128,
    /// SPAN scanning risk, scaled 1e8.
    pub scanning_risk: i128,
    /// Incremented on every risk recomputation for this account.
    pub health_nonce: u64,
}

/// Serialize a leaf to bytes using borsh for deterministic encoding.
pub fn leaf_to_bytes<T: borsh::BorshSerialize>(leaf: &T) -> Vec<u8> {
    borsh::to_vec(leaf).expect("borsh serialization should not fail for fixed-size types")
}

/// Deserialize a leaf from borsh bytes.
pub fn leaf_from_bytes<T: borsh::BorshDeserialize>(bytes: &[u8]) -> Result<T, std::io::Error> {
    borsh::from_slice(bytes)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn account_leaf_round_trip() {
        let leaf = AccountLeaf {
            cash: 1_000_000 * PRICE_SCALE,
            nonce: 42,
            margin_mode: 1,
            liquidation_state: 0,
        };
        let bytes = leaf_to_bytes(&leaf);
        let decoded: AccountLeaf = leaf_from_bytes(&bytes).unwrap();
        assert_eq!(leaf, decoded);
    }

    #[test]
    fn risk_leaf_round_trip() {
        let leaf = RiskLeaf {
            equity: 500_000 * PRICE_SCALE,
            initial_margin: 200_000 * PRICE_SCALE,
            maintenance_margin: 100_000 * PRICE_SCALE,
            scanning_risk: 150_000 * PRICE_SCALE,
            health_nonce: 7,
        };
        let bytes = leaf_to_bytes(&leaf);
        let decoded: RiskLeaf = leaf_from_bytes(&bytes).unwrap();
        assert_eq!(leaf, decoded);
    }

    #[test]
    fn global_leaf_round_trip() {
        let leaf = GlobalLeaf {
            next_order_id: 12345,
            next_trade_id: 6789,
            command_chain_root: [0xAB; 32],
            command_chain_seq: 100,
        };
        let bytes = leaf_to_bytes(&leaf);
        let decoded: GlobalLeaf = leaf_from_bytes(&bytes).unwrap();
        assert_eq!(leaf, decoded);
    }

    #[test]
    fn borsh_encoding_is_deterministic() {
        let leaf = OptionPositionLeaf {
            quantity: 100_000_000,
            entry_price: 9500000,
        };
        let a = leaf_to_bytes(&leaf);
        let b = leaf_to_bytes(&leaf);
        assert_eq!(a, b);
    }

    #[test]
    fn perp_leaf_i128_preserves_precision() {
        let leaf = PerpPositionLeaf {
            size: 1_234_567_89,             // 0.12345679 BTC in 1e8
            entry_price: 95_000_50_000_000, // $95,000.50 in 1e8
        };
        let bytes = leaf_to_bytes(&leaf);
        let decoded: PerpPositionLeaf = leaf_from_bytes(&bytes).unwrap();
        assert_eq!(leaf, decoded);
    }

    #[test]
    fn mmp_limits_i128_preserves_fractional() {
        let leaf = MmpConfigLeaf {
            enabled: true,
            interval_ms: 1000,
            frozen_time_ms: 5000,
            qty_limit: Some(1_50_000_000), // 1.5 in 1e8
            delta_limit: Some(50_000_000), // 0.5 in 1e8
            vega_limit: Some(25_000_000),  // 0.25 in 1e8
        };
        let bytes = leaf_to_bytes(&leaf);
        let decoded: MmpConfigLeaf = leaf_from_bytes(&bytes).unwrap();
        assert_eq!(leaf, decoded);
    }
}

// ============================================================
// Kani formal verification harnesses
// ============================================================

#[cfg(kani)]
mod kani_proofs {
    use super::*;

    /// Prove: AccountLeaf serialization round-trips for ALL possible values.
    #[kani::proof]
    fn fast_account_leaf_round_trip_all() {
        let leaf = AccountLeaf {
            cash: kani::any(),
            nonce: kani::any(),
            margin_mode: kani::any(),
            liquidation_state: kani::any(),
        };
        let bytes = leaf_to_bytes(&leaf);
        let decoded: AccountLeaf = leaf_from_bytes(&bytes).unwrap();
        assert_eq!(leaf.cash, decoded.cash);
        assert_eq!(leaf.nonce, decoded.nonce);
        assert_eq!(leaf.margin_mode, decoded.margin_mode);
        assert_eq!(leaf.liquidation_state, decoded.liquidation_state);
    }

    /// Prove: OptionPositionLeaf serialization round-trips for ALL possible values.
    #[kani::proof]
    fn fast_option_position_leaf_round_trip_all() {
        let leaf = OptionPositionLeaf {
            quantity: kani::any(),
            entry_price: kani::any(),
        };
        let bytes = leaf_to_bytes(&leaf);
        let decoded: OptionPositionLeaf = leaf_from_bytes(&bytes).unwrap();
        assert_eq!(leaf.quantity, decoded.quantity);
        assert_eq!(leaf.entry_price, decoded.entry_price);
    }

    /// Prove: PerpPositionLeaf serialization round-trips for ALL possible values.
    #[kani::proof]
    fn fast_perp_position_leaf_round_trip_all() {
        let leaf = PerpPositionLeaf {
            size: kani::any(),
            entry_price: kani::any(),
        };
        let bytes = leaf_to_bytes(&leaf);
        let decoded: PerpPositionLeaf = leaf_from_bytes(&bytes).unwrap();
        assert_eq!(leaf.size, decoded.size);
        assert_eq!(leaf.entry_price, decoded.entry_price);
    }

    /// Prove: RiskLeaf serialization round-trips for ALL possible values.
    #[kani::proof]
    fn fast_risk_leaf_round_trip_all() {
        let leaf = RiskLeaf {
            equity: kani::any(),
            initial_margin: kani::any(),
            maintenance_margin: kani::any(),
            scanning_risk: kani::any(),
            health_nonce: kani::any(),
        };
        let bytes = leaf_to_bytes(&leaf);
        let decoded: RiskLeaf = leaf_from_bytes(&bytes).unwrap();
        assert_eq!(leaf.equity, decoded.equity);
        assert_eq!(leaf.initial_margin, decoded.initial_margin);
        assert_eq!(leaf.maintenance_margin, decoded.maintenance_margin);
        assert_eq!(leaf.scanning_risk, decoded.scanning_risk);
        assert_eq!(leaf.health_nonce, decoded.health_nonce);
    }

    /// Prove: GlobalLeaf serialization round-trips for ALL possible values
    /// (excluding command_chain_root which is fixed-size [u8;32]).
    #[kani::proof]
    fn fast_global_leaf_round_trip_all() {
        let leaf = GlobalLeaf {
            next_order_id: kani::any(),
            next_trade_id: kani::any(),
            command_chain_root: kani::any(),
            command_chain_seq: kani::any(),
        };
        let bytes = leaf_to_bytes(&leaf);
        let decoded: GlobalLeaf = leaf_from_bytes(&bytes).unwrap();
        assert_eq!(leaf.next_order_id, decoded.next_order_id);
        assert_eq!(leaf.next_trade_id, decoded.next_trade_id);
        assert_eq!(leaf.command_chain_root, decoded.command_chain_root);
        assert_eq!(leaf.command_chain_seq, decoded.command_chain_seq);
    }

    /// Prove: leaf_to_bytes never panics for any AccountLeaf.
    #[kani::proof]
    fn fast_account_leaf_serialize_no_panic() {
        let leaf = AccountLeaf {
            cash: kani::any(),
            nonce: kani::any(),
            margin_mode: kani::any(),
            liquidation_state: kani::any(),
        };
        let _ = leaf_to_bytes(&leaf);
    }

    /// Prove: borsh encoding is deterministic -- same input always produces same output.
    #[kani::proof]
    fn fast_borsh_deterministic() {
        let quantity: i128 = kani::any();
        let entry_price: i128 = kani::any();
        let leaf = OptionPositionLeaf {
            quantity,
            entry_price,
        };
        let a = leaf_to_bytes(&leaf);
        let b = leaf_to_bytes(&leaf);
        assert_eq!(a, b);
    }
}