[Dijkstra] CIP-159-05: Update UTxO for direct deposits and balance intervals (#1117)#1160
Open
williamdemeo wants to merge 2 commits intomasterfrom
Open
[Dijkstra] CIP-159-05: Update UTxO for direct deposits and balance intervals (#1117)#1160williamdemeo wants to merge 2 commits intomasterfrom
williamdemeo wants to merge 2 commits intomasterfrom
Conversation
9 tasks
williamdemeo
force-pushed
the
1117-cip-159-05-update-utxo-for-dir-deps-bal-intervals
branch
from
3dc0948 to
37f2bf6
Compare
11 tasks
This was referenced Apr 14, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the Dijkstra UTxO and Ledger specifications to incorporate CIP-159 direct deposits into preservation-of-value and to add phase-1 validation for account balance interval assertions, threading pre-batch account balances through the relevant environments.
Changes:
- Extend
UTxOEnv,SubUTxOEnv, andSubLedgerEnvwithaccountBalances : Rewardsplus aHasAccountBalancesaccessor. - Update the preservation-of-value accounting by adding direct deposits to
producedTx. - Add new UTXO/SUBUTXO premises enforcing (1) direct deposit target registration and (2) phase-1
InBalanceIntervalchecks against pre-batch balances, and propagate the new env field through computational/constructor plumbing.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
src/Ledger/Dijkstra/Specification/Utxo.lagda.md |
Adds accountBalances to UTxO environments, includes direct deposits in producedTx, and adds new UTXO/SUBUTXO premises for CIP-159 registration + balance interval validation. |
src/Ledger/Dijkstra/Specification/Utxo/Properties/Computational.lagda.md |
Updates the computational proof plumbing to account for the expanded UTXO premise tuple. |
src/Ledger/Dijkstra/Specification/Ledger.lagda.md |
Extends SubLedgerEnv with accountBalances and wires pre-batch balances into SUBLEDGER/LEDGER premises where environments are constructed. |
src/Ledger/Dijkstra/Specification/Ledger/Properties/Computational.lagda.md |
Threads pre-batch balances through computational environment constructors for SUBLEDGER/LEDGER. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
carlostome
reviewed
Apr 20, 2026
williamdemeo
force-pushed
the
1117-cip-159-05-update-utxo-for-dir-deps-bal-intervals
branch
2 times, most recently
from
33b565b to
0c5d520
Compare
…nce intervals (#1117) CIP-159 changes the transaction balancing rules and introduces Phase-1 balance interval validation. This commit updates the UTxO transition system accordingly. `Utxo.lagda.md`: + Add accountBalances : Rewards field to UTxOEnv and SubUTxOEnv for pre-batch account balance lookups; + Add HasAccountBalances type class and instances; + Update producedTx to include direct deposit amounts on the produced side of the preservation-of-value equation; + Add direct deposit registration premise to UTXO and SUBUTXO (`dom DirectDepositsOf ⊆ dom AccountBalancesOf`); + Add balance interval validation premise to UTXO and SUBUTXO (∀ (c,interval) ∈ BalanceIntervalsOf, InBalanceInterval using pre-batch account balances). `Utxo/Properties/Computational.lagda.md`: + Update Computational-UTXO for new premise tuple arity (19+h → 21+h) `Ledger.lagda.md`: + Add accountBalances field to SubLedgerEnv; + Populate accountBalances in SUBLEDGER-V, SUBLEDGER-I, LEDGER-V, LEDGER-I using RewardsOf certState₀ (pre-batch balances).
williamdemeo
force-pushed
the
1117-cip-159-05-update-utxo-for-dir-deps-bal-intervals
branch
from
0c5d520 to
389d947
Compare
Added check: if a balance interval constraint is specified for a credential, then that credential belongs to the domain of `AccountBalancesOf Γ`; see Carlos' comment: #1160 (comment)
carlostome
reviewed
Apr 24, 2026
Collaborator
carlostome
left a comment
carlostome
left a comment
There was a problem hiding this comment.
Nice work, LGTM!
I left a minor comment about spliting a precondition to make imho it somewhat more readable.
Comment on lines
+476
to
+477
| ∙ ∀[ (c , interval) ∈ BalanceIntervalsOf txSub ˢ ] | ||
| c ∈ dom (AccountBalancesOf Γ ˢ) × InBalanceInterval (maybe id 0 (lookupᵐ? (AccountBalancesOf Γ) c)) interval |
Collaborator
There was a problem hiding this comment.
In hindsight, maybe it'd be clearer (given the other precondition above) to add a separate precondition:
∙ dom (BalanceIntervalsOf txSub) ⊆ dom (AccountBalancesOf Γ)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR closes Issue #1117.
This PR updates the Dijkstra UTxO transition system for CIP-159 direct deposits and balance interval validation, as specified by CIP-159.
Changes
src/Ledger/Dijkstra/Specification/Utxo.lagda.md:Extended
UTxOEnvandSubUTxOEnv. NewaccountBalances : Rewardsfield carrying the pre-batch account balances. Accompanied by aHasAccountBalancestype class and instances for both environment types.Updated
producedTx. Addsinject (getCoin (DirectDepositsOf tx))to the produced side of the preservation-of-value equation. Direct deposits are value flowing from the transaction into account addresses.New
UTXOpremises.dom (DirectDepositsOf txTop) ⊆ dom (AccountBalancesOf Γ)— direct deposit targets must be registered accounts.∀[ (c , interval) ∈ BalanceIntervalsOf txTop ˢ ] InBalanceInterval (maybe 0 id (lookupᵐ? (AccountBalancesOf Γ) c)) interval— Phase-1 balance interval validation against pre-batch balances.New
SUBUTXOpremises. Same two premises as UTXO, applied per-sub-transaction.src/Ledger/Dijkstra/Specification/Utxo/Properties/Computational.lagda.md:Updated
Computational-UTXO. Premise tuple grows from 19+h to 21+h. BothcomputeProofbranches and bothcompletenessbranches updated.Computational-SUBUTXO. Uses the full tuplepwithout destructuring, so it adapts automatically viagenPremises.src/Ledger/Dijkstra/Specification/Ledger.lagda.md:Extended
SubLedgerEnv. NewaccountBalances : Rewardsfield, withHasAccountBalancesinstance.Populated
accountBalancesat all construction sites.SUBLEDGER-V,SUBLEDGER-I,LEDGER-V, andLEDGER-Iall passRewardsOf certState₀as the pre-batch account balances.Design Notes
Pre-batch account balances. Both
UTxOEnv.accountBalancesandSubUTxOEnv.accountBalancescarry the same pre-batch snapshot (RewardsOf certState₀); this is consistent with CIP-159's design for local determinism: balance interval assertions are checked against the state before any sub-transaction in the batch modifies it, just as spending inputs are resolved againstutxo₀.maybe id 0 (lookupᵐ? ...)for balance interval lookup. For unregistered credentials, the lookup returnsnothingandmaybegives 0. An unregistered credential with effective balance 0 may legitimately satisfy⟦0, ub ⦆intervals; the separate registration premise (dom DirectDepositsOf ⊆ dom AccountBalancesOf) ensures deposit targets are known, but balance intervals don't require registration.Per-transaction, not batch-wide. Balance interval assertions are checked per-(sub)transaction, analogous to slot validity intervals; no batch-level aggregation of balance intervals is performed.
Direct deposit registration per-transaction. Each (sub)transaction independently verifies that its direct deposit targets are registered, rather than checking batch-wide via
allDirectDeposits.Ledger plumbing. The
accountBalancesfield is populated immediately in this PR rather than deferred to [Dijkstra] CIP-159-10: Update LEDGER rule to integrate direct deposits and thread account balances #1122; keeps the code typecheckable and avoids using placeholders.UTXOSunchanged. The DijkstraUTXOSrule is a trivial⊤ → ⊤transition checking only phase-2 script evaluation; no CIP-159 changes needed.Acceptance criteria
producedTxincludes direct deposit amountsUTXOruleSUBUTXOruleInBalanceIntervalpredicate used correctlyUTxOEnvandSubUTxOEnvextended withaccountBalancesHasAccountBalancestype class and instances definedUTXOSconfirmed: no changes neededaccountBalancespopulated in Ledger construction sites--safeChecklist
CHANGELOG.md