shell-chain v0.23.0 — 32-byte BLAKE3 Address & PQ Precompile Suite

What's New

🔑 32-Byte BLAKE3 Address Type

Shell addresses are now 32 bytes, derived as BLAKE3(algo_id || public_key). This gives post-quantum addresses a distinct, non-truncatable identity — PQ public keys (Dilithium3, ML-DSA-65) produce addresses with non-zero upper 12 bytes that can never collide with legacy 20-byte EVM addresses.

🔐 6-Precompile PQ Suite

Six new EVM precompiles for post-quantum cryptography:

Address	Name	Function
0x0b	verify_dilithium3	Dilithium3 single-signature verify
0x0c	verify_dilithium3_batch	Dilithium3 batch verify
0x0d	blake3_256	BLAKE3-256 hash
0x0e	blake3_512	BLAKE3-512 (512-bit output)
0x0f	verify_mldsa65	ML-DSA-65 single verify
0x10	verify_mldsa65_batch	ML-DSA-65 batch verify

🔄 PQTx sig_type Field

PQTransaction now carries an explicit sig_type byte (0 = Dilithium3, 1 = ML-DSA-65). Signing hash preimage includes sig_type to prevent cross-algorithm replay attacks.

🗺️ EVM/PQ Address Bridge

• ShellStateDb carries a pq_hints map to recover full 32-byte PQ addresses from the 20-byte EVM truncation
• TxExecutionResult propagates pq_addr_map so commit_evm_state writes nonce/balance to the correct 32-byte slot
• system_contracts::decode_address now reads full 32-byte ABI words (was 20-byte)

Breaking Changes

• Address / ShellAddress is now 32 bytes everywhere — update any Address::from([u8; 20]) calls to [u8; 32]
• Transaction::signing_hash(sig_type) replaces keccak256/RLP signing — ensure wallets and test fixtures use BLAKE3 preimage
• EVM receiver addresses with non-zero upper 12 bytes (PQ addresses) are not round-trippable through the EVM layer without pq_hints

Full Changelog

v0.22.2...v0.23.0

shell-chain v0.22.2 — STARK drain-frontier fix

What's Changed

STARK Prover Fixes

• Fix STARK drain-reseed infinite loop — added stark_drain_frontier shared AtomicU64 between the event loop seeder and prover service; the seeder now clamps scan_start to the drain floor, permanently breaking the drain↔reseed loop that caused frontier_lag to spike on sparse-witness blocks
• Strict L1 min-entry threshold — pop_contiguous_with_min_entries enforces entry count before popping; stall diagnostics added for gap detection
• Witness pruner STARK guard — prevents pruning witnesses that haven't been proved yet
• Gap drain confirmation — transient backlog gaps require 2 consecutive 60s observations before draining (prevents irreversible task loss on transient gaps)

L2 Aggregation Scaffolding

• Canonical L1 input index (l2i/), durable job store (l2j/), scheduler with gap detection
• L2StarkMode config enum: Disabled / Scaffold / Active
• CLI --l2-stark-mode flag; observability metrics

Correctness & Safety

• Canonical SigBatchEntry reconstruction helper in stark_sources.rs
• Proof↔source binding validation on gossip receipt and block production
• Prefer widest same-start proof for settlement ordering

Full Changelog: https://github.com/ShellDAO/shell-chain/blob/main/CHANGELOG.md

shell-chain v0.22.0

shell-chain v0.22.0 — Stability, STARK hardening, and ops maturity

Added

• Durable STARK settled-source index (ss/ key prefix): settled (layer, source_hash) pairs are now written to persistent storage on every settlement. Node restart loads from the index in O(prefix-scan) instead of scanning all blocks; first-run backfills the index automatically from chain history.
• O(3) compression_layer_for_source lookup: replaced O(n-settled) linear scan with a constant-cost check across layers 1–3, eliminating the performance cliff as the settled set grows.
• Proof input decode in RPC: system_tx_to_rpc now decodes StarkReward transaction payloads into a structured decodedInput JSON field (block range, layer, entry count, compression sizes, settlement tx hash).
• Settlement liveness metrics: added Prometheus counters/gauges shell_stark_settlements_accepted_total, shell_stark_settlements_rejected_total, and shell_stark_frontier_lag.
• SettledSourceIndex re-exported from shell-storage for use by downstream tooling and tests.
• Restart-recovery tests: stark_settled_index_survives_simulated_restart and import_invalid_stark_settlement_does_not_poison_settled_index.

Changed

• Settlement validation now increments stark_settlements_rejected on any ordering/layer/frontier rejection, enabling ops monitoring of invalid proof traffic.
• rebuild_settled_stark_sources_from_chain() uses the persistent index as a fast path; falls back to chain scan only when index is absent (upgrade path).

---

Upgrade path: Existing nodes upgrading from v0.21.x will automatically backfill the ss/ index on first start — no manual migration needed.

shell-chain v0.21.1

Fixed

• Harden STARK settlement/reward handling so proof payloads are carried by canonical StarkReward system transactions and imported blocks materialize proof pointers consistently.
• Preserve legacy block RLP compatibility for pre-system_transactions blocks with non-empty proposer seals.
• Prevent STARK prover backlog stalls on long low-entry L1 ranges at the configured max-source window.
• Align node tests with current system reward receipts, continuous STARK frontier ranges, and 2s testnet block cadence.

shell-chain v0.21.0

Highlights

• Breaking: Shell Chain is now pq1-only for user-facing addresses; legacy 0x address input paths are removed.
• Added BFT finality and fork protection, including commit certificate sidecars, finalized block tags, finality proof/info RPC, and finality metrics.
• Added STARK aggregate proof amendment infrastructure and shell_getProofAmendment.
• Reworked faucet flow around PQ signing and pq1-only requests.
• Promoted ML-DSA-65 and SK-only keystore compatibility work from testnet hardening into the release train.

Validation

PR #33 passed Check & Lint, Test, and Supply Chain Security.

v0.19.0 — AA Phase 2: Contract Paymaster, Session Keys, Guardian Recovery

What's New in v0.19.0

⚠️ Breaking change: AaBundle RLP wire format grows from 3 to 5 fields. All v0.18.x nodes will reject v0.19.0 bundles. Coordinate network upgrades before deploying.

---

Added

• AA Phase 2 wire format (crates/core): AaBundle extended with paymaster_context: Option<Bytes> (contract paymaster) and session_auth: Option<SessionAuth> (session key delegation). SessionAuth carries session_pubkey, session_algo, optional target, value_cap, expiry_block, root_signature, and session_signature. RLP encodes as a 5-field list. See docs/AA_PHASE2_SPEC.md.

• AA Phase 2 contract paymaster (crates/evm): validatePaymasterOp ABI call dispatched when paymaster_context is present. Call runs in a world-state snapshot (mutations discarded). Gas cap 50k.

• AA Phase 2 session keys (crates/evm): Session-key-signed AA bundles validated via two-step PQ verification — root key authorizes session key via session_auth_hash, then session key signs the tx. Enforces: expiry block, value cap (Σ inner call values), optional target restriction.

• AA Phase 2 guardian recovery (crates/evm, crates/storage): AccountManager gains 4 new entry points: setGuardians, submitRecovery, executeRecovery, cancelRecovery. k-of-n threshold, max 5 guardians, 100-block minimum timelock.

• I4: ProofWindowManager wired into node (crates/node): Node now calls advance() on every block import and gc() every 100 blocks.

Fixed

• Double PQ signature verification (crates/evm): Redundant second verify_paymaster_signature() call removed. PQ sig verification now performed exactly once per path.

Changed

• Default idle block skip: --max-idle-interval now defaults to 60 seconds (was 0). Pass --max-idle-interval 0 to restore legacy every-tick behavior.

---

Full changelog: https://github.com/ShellDAO/shell-chain/blob/main/CHANGELOG.md
SDK: shell-sdk v0.5.0

v0.18.0 — Native AA Phase 1 + Operations Hardening

What's New

Native AA Phase 1: Batch Transactions

• New tx_type = 0x7E AA bundle — Vec<InnerCall> with atomic execution under a single PQ signature
• batch_signing_hash domain-separated from legacy tx hash (no cross-type replay)
• shell_estimateBatch RPC, full mempool AA validation, per-bundle receipt with inner_results
• MAX_INNER_CALLS = 16

Native AA Phase 1: Sponsored Gas

• Optional paymaster + paymaster_signature fields in AaBundle
• shell_getPaymasterPolicy + shell_isSponsored RPCs
• Fully backward-compatible — all AA fields optional, legacy txs unchanged

OPS-1: Storage Profile Rollout

• archive / full / light profiles via CLI flag + config
• shell_getStorageProfile RPC returns current profile and retention parameters
• docs/storage-profiles.md

OPS-2: Witness Endpoint Hardening

• shell_getWitness returns full Merkle proof on archive/full nodes
• New shell_verifyWitnessRoot RPC for light-client verification

OPS-3: Observability

• Prometheus rpc_request_duration_seconds histogram per-method
• /healthz and /readyz Kubernetes probes
• docs/observability.md (Grafana dashboard JSON + K8s probe config)

OPS-4: RPC Stability

• Unified error code table in crates/rpc/src/error.rs
• All -32xxx magic literals replaced with named constructors
• docs/rpc-reference.md — full reference for all namespaces

Tests

• 1364 library unit tests passing
• 9 AA batch + 6 AA sponsored gas e2e tests

v0.17.0 — Security & Efficiency Hardening

shell-chain v0.17.0

This official ShellDAO release includes the v0.17.0 Security & Efficiency Hardening baseline plus the merged sdk/wallet compatibility follow-up from PR #24.

Highlights:

• hardened RPC defaults, gas caps, error handling, keystore permissions, and tx broadcast backpressure
• storage profile support for archive/full/light nodes and historical body sync
• SignedTransaction JSON compatibility guard for legacy sender_pubkey payloads
• Dilithium3 compatibility fallback for shell-sdk's current ML-DSA-65-produced signatures
• RPC contract alignment for shell_getNodeInfo, shell_getWitness, and transaction history totals
• regression coverage for crypto, RPC, and receipt-visible e2e flows

v0.16.0 — M14: Storage Profile Node Classification

What's New

Added

• --storage-profile <archive|full|light> — single flag replaces --body-retention / --witness-retention as the primary storage UX.

  Profile	TX bodies	PQ witnesses	State roots	~Daily write
  archive	forever	forever	forever	~12.8 GB/day
  full (default)	forever	128 blocks	forever	~1.5 GB/day
  light	4096 blocks (~2.3 h)	64 blocks	4096 blocks	~1 GB fixed

• StorageProfile enum with to_pruning_config() / from_pruning_config() / impl FromStr.

• StorageCapability P2P message — nodes advertise data-retention level on connect and startup.

• BodyRequest / BodyResponse P2P messages for historical body back-fill (128-block batches).

• HistoricalBodySync — automatic body back-fill on profile upgrade (e.g. light → full).

• NetworkTopic enum + NetworkMessage::topic() for safe libp2p message routing.

• ChainStore::has_body() and ChainStore::put_body_only() for selective body restore.

• Node::oldest_available_body_block() binary-search helper.

• Docker compose updated: node1=archive, node2/node3=full.

• New docs: BLOCK_PRUNING_AND_COMPRESSION.md storage profiles section.

Changed

• --body-retention / --witness-retention are now Option<u64> overrides; profile defaults apply when omitted.
• proof_replacement_grace is now profile-driven (0 for full/light, u64::MAX for archive).
• Node startup banner now shows active profile name and actual retention values.
• --pruning 0 (default) defers keep_recent to the profile default (light auto-sets 4096).

Bug Fixes

• Fixed BodyResponse hash validation before storage (prevent malicious peer disk writes).
• Fixed sync stall when all batch hashes mismatch — first_gap tracking re-requests from first missing block.
• Fixed from_pruning_config() Full detection.
• Fixed banner profile classification to use from_pruning_config() consistently.
• BodyRequest handler warns about broadcast amplification (unicast API tracked as TODO).

Full Changelog

https://github.com/ShellDAO/shell-chain/blob/main/CHANGELOG.md

v0.15.0 — wPoA+STARK Signature Aggregation

What's New

wPoA + STARK Signature Aggregation System

This release ships the full weighted Proof-of-Authority (wPoA) + STARK signature aggregation system, transforming per-transaction Dilithium3 post-quantum signatures into compressed Winterfell STARK proofs.

---

Highlights

🔒 Core data types

• PubkeyMode enum — Embedded (first tx) vs Reference (registered addr)
• StrippedTransaction, TxWitness, WitnessBundle, witness_root in BlockHeader
• Per-CF Zstd compression for chain/receipts column families

⚡ STARK circuit

• Dilithium3-verify STARK circuit (hash-chain accumulator AIR) via Winterfell
• Block-level STARK proof integration + sig_aggregate_proof in block header
• L2 recursive verifier AIR scaffold

🌐 Network profiles

• NetworkType enum (Dev / Testnet / Mainnet) with per-network STARK defaults
• --network CLI flag + genesis templates

🔄 Async proof lifecycle

• Background ProverService — never blocks block production
• ProofBacklog with watermark, ProofAmendment P2P gossip
• Block state machine: Sealed → Proven → Stripped

⚖️ wPoA rotation

• Weighted proposer rotation + dedicated Prover NodeRole
• Prover activation on idle slots, standalone prover node lifecycle

🛡️ Anti-fraud

• Equivocation propagation, proof validity challenge, rate limiting
• Prover registry + anti-Sybil, enhanced peer scoring

📊 Metrics

• Prometheus metrics: shell_stark_proofs_total, proof latency, backlog depth, amendments broadcast

---

Benchmark Results

Batch	STARK proof	Raw Dilithium3	Compression
5 txs	3.7 KB	25.7 KB	7.1×
10 txs	12.7 KB	52.7 KB	~4.0×

6-hour soak test: 3.4M proofs, 0 failures, 157 proofs/sec

---

Full Changelog

• PR #18: feat(wpoa+stark): wPoA consensus + STARK sig-aggregation proof system
• PR #19: chore: bump version to 0.15.0