@rootzero/contracts 0.2.0 → 0.4.0

package/commands/Withdraw.sol

@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandContext, CommandBase, State } from "./Base.sol";
+import { Cursors, Cur, Schemas } from "../Cursors.sol";
+using Cursors for Cur;
+
+string constant NAME = "withdraw";
+
+/// @title Withdraw
+/// @notice Command that delivers BALANCE state blocks to an external destination.
+/// Use `withdraw` for assets being sent outside the protocol (e.g. ERC-20 transfers, ETH sends).
+/// For internal balance credits, use `creditAccount` instead.
+abstract contract Withdraw is CommandBase {
+    uint internal immutable withdrawId = commandId(NAME);
+
+    constructor() {
+        emit Command(host, NAME, Schemas.Recipient, withdrawId, State.Balances, State.Empty);
+    }
+
+    /// @notice Override to send funds to `account`.
+    /// Called once per BALANCE block in state.
+    /// @param account Destination account identifier (resolved from RECIPIENT block or caller).
+    /// @param asset Asset identifier.
+    /// @param meta Asset metadata slot.
+    /// @param amount Amount to deliver.
+    function withdraw(bytes32 account, bytes32 asset, bytes32 meta, uint amount) internal virtual;
+
+    function withdraw(
+        CommandContext calldata c
+    ) external payable onlyCommand(withdrawId, c.target) returns (bytes memory) {
+        (Cur memory state, , ) = cursor(c.state, 1);
+        Cur memory request = cursor(c.request);
+        bytes32 to = request.recipientAfter(c.account);
+
+        while (state.i < state.bound) {
+            (bytes32 asset, bytes32 meta, uint amount) = state.unpackBalance();
+            withdraw(to, asset, meta, amount);
+        }
+
+        state.complete();
+        return "";
+    }
+}
+
+
+
+
+

package/commands/admin/Allocate.sol

@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, State } from "../Base.sol";
+import { Cursors, Cur, Schemas } from "../../Cursors.sol";
+using Cursors for Cur;
+
+string constant NAME = "allocate";
+
+/// @title Allocate
+/// @notice Admin command that applies cross-host allocation entries via a virtual hook.
+/// Each ALLOCATION block in the request calls `allocate`. Only callable by the admin account.
+abstract contract Allocate is CommandBase {
+    uint internal immutable allocateId = commandId(NAME);
+
+    constructor() {
+        emit Command(host, NAME, Schemas.Allocation, allocateId, State.Empty, State.Empty);
+    }
+
+    /// @dev Override to apply a single allocation entry.
+    /// Called once per ALLOCATION block in the request.
+    function allocate(uint host, bytes32 asset, bytes32 meta, uint amount) internal virtual;
+
+    function allocate(CommandContext calldata c) external payable onlyAdmin(c.account) onlyCommand(allocateId, c.target) returns (bytes memory) {
+        (Cur memory request, , ) = cursor(c.request, 1);
+
+        while (request.i < request.bound) {
+            (uint host, bytes32 asset, bytes32 meta, uint amount) = request.unpackAllocation();
+            allocate(host, asset, meta, amount);
+        }
+
+        request.complete();
+        return "";
+    }
+}
+
+
+
+
+

package/commands/admin/AllowAssets.sol

@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, State } from "../Base.sol";
+import { Cursors, Cur, Schemas } from "../../Cursors.sol";
+using Cursors for Cur;
+
+string constant NAME = "allowAssets";
+
+/// @title AllowAssets
+/// @notice Admin command that permits a list of (asset, meta) pairs via a virtual hook.
+/// Each ASSET block in the request calls `allowAsset`. Only callable by the admin account.
+abstract contract AllowAssets is CommandBase {
+    uint internal immutable allowAssetsId = commandId(NAME);
+
+    constructor() {
+        emit Command(host, NAME, Schemas.Asset, allowAssetsId, State.Empty, State.Empty);
+    }
+
+    /// @dev Override to allow a single asset/meta pair.
+    /// Called once per ASSET block in the request.
+    function allowAsset(bytes32 asset, bytes32 meta) internal virtual returns (bool);
+
+    function allowAssets(
+        CommandContext calldata c
+    ) external payable onlyAdmin(c.account) onlyCommand(allowAssetsId, c.target) returns (bytes memory) {
+        (Cur memory request, , ) = cursor(c.request, 1);
+
+        while (request.i < request.bound) {
+            (bytes32 asset, bytes32 meta) = request.unpackAsset();
+            allowAsset(asset, meta);
+        }
+
+        request.complete();
+        return "";
+    }
+}
+
+
+
+
+

package/commands/admin/Authorize.sol

@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, State } from "../Base.sol";
+import { Cursors, Cur, Schemas } from "../../Cursors.sol";
+using Cursors for Cur;
+
+string constant NAME = "authorize";
+
+/// @title Authorize
+/// @notice Admin command that grants authorization to a list of node IDs.
+/// Each NODE block in the request is authorized on the host.
+/// Only callable by the admin account.
+abstract contract Authorize is CommandBase {
+    uint internal immutable authorizeId = commandId(NAME);
+
+    constructor() {
+        emit Command(host, NAME, Schemas.Node, authorizeId, State.Empty, State.Empty);
+    }
+
+    function authorize(
+        CommandContext calldata c
+    ) external payable onlyAdmin(c.account) onlyCommand(authorizeId, c.target) returns (bytes memory) {
+        (Cur memory request, , ) = cursor(c.request, 1);
+
+        while (request.i < request.bound) {
+            uint node = request.unpackNode();
+            access(node, true);
+        }
+
+        request.complete();
+        return "";
+    }
+}
+
+
+
+

package/commands/admin/DenyAssets.sol

@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, State } from "../Base.sol";
+import { Cursors, Cur, Schemas } from "../../Cursors.sol";
+using Cursors for Cur;
+
+string constant NAME = "denyAssets";
+
+/// @title DenyAssets
+/// @notice Admin command that blocks a list of (asset, meta) pairs via a virtual hook.
+/// Each ASSET block in the request calls `denyAsset`. Only callable by the admin account.
+abstract contract DenyAssets is CommandBase {
+    uint internal immutable denyAssetsId = commandId(NAME);
+
+    constructor() {
+        emit Command(host, NAME, Schemas.Asset, denyAssetsId, State.Empty, State.Empty);
+    }
+
+    /// @dev Override to deny a single asset/meta pair.
+    /// Called once per ASSET block in the request.
+    function denyAsset(bytes32 asset, bytes32 meta) internal virtual returns (bool);
+
+    function denyAssets(
+        CommandContext calldata c
+    ) external payable onlyAdmin(c.account) onlyCommand(denyAssetsId, c.target) returns (bytes memory) {
+        (Cur memory request, , ) = cursor(c.request, 1);
+
+        while (request.i < request.bound) {
+            (bytes32 asset, bytes32 meta) = request.unpackAsset();
+            denyAsset(asset, meta);
+        }
+
+        request.complete();
+        return "";
+    }
+}
+
+
+
+
+

package/commands/admin/Destroy.sol

@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, State } from "../Base.sol";
+import { Cursors, Cur } from "../../Cursors.sol";
+
+string constant NAME = "destroy";
+
+using Cursors for Cur;
+
+/// @title Destroy
+/// @notice Admin command that runs host teardown logic via a virtual hook.
+/// The full request is passed to `destroy` as a cursor. Only callable by the admin account.
+abstract contract Destroy is CommandBase {
+    uint internal immutable destroyId = commandId(NAME);
+
+    constructor(string memory input) {
+        emit Command(host, NAME, input, destroyId, State.Empty, State.Empty);
+    }
+
+    /// @notice Override to run host teardown or destruction logic.
+    /// @param input Cursor over the full request byte stream.
+    function destroy(Cur memory input) internal virtual;
+
+    function destroy(
+        CommandContext calldata c
+    ) external payable onlyAdmin(c.account) onlyCommand(destroyId, c.target) returns (bytes memory) {
+        Cur memory input = cursor(c.request);
+        destroy(input);
+        return "";
+    }
+}
+
+
+
+
+
+

package/commands/admin/Init.sol

@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, State } from "../Base.sol";
+import { Cursors, Cur } from "../../Cursors.sol";
+
+string constant NAME = "init";
+
+using Cursors for Cur;
+
+/// @title Init
+/// @notice Admin command that runs host initialization logic via a virtual hook.
+/// The full request is passed to `init` as a cursor. Only callable by the admin account.
+abstract contract Init is CommandBase {
+    uint internal immutable initId = commandId(NAME);
+
+    constructor(string memory input) {
+        emit Command(host, NAME, input, initId, State.Empty, State.Empty);
+    }
+
+    /// @notice Override to run host initialization logic.
+    /// @param input Cursor over the full request byte stream.
+    function init(Cur memory input) internal virtual;
+
+    function init(
+        CommandContext calldata c
+    ) external payable onlyAdmin(c.account) onlyCommand(initId, c.target) returns (bytes memory) {
+        Cur memory input = cursor(c.request);
+        init(input);
+        return "";
+    }
+}
+
+
+
+
+
+

package/commands/admin/Relocate.sol

@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, State } from "../Base.sol";
+import { Cursors, Cur, Schemas } from "../../Cursors.sol";
+using Cursors for Cur;
+
+string constant NAME = "relocate";
+
+/// @title Relocate
+/// @notice Admin command that forwards native value (ETH) to one or more destination hosts.
+/// Each FUNDING block in the request specifies a target host node ID and an amount to forward.
+/// Only callable by the admin account.
+abstract contract Relocate is CommandBase {
+    uint internal immutable relocateId = commandId(NAME);
+
+    constructor() {
+        emit Command(host, NAME, Schemas.Funding, relocateId, State.Empty, State.Empty);
+    }
+
+    function relocate(
+        CommandContext calldata c
+    ) external payable onlyAdmin(c.account) onlyCommand(relocateId, c.target) returns (bytes memory) {
+        (Cur memory request, , ) = cursor(c.request, 1);
+
+        while (request.i < request.bound) {
+            (uint host, uint amount) = request.unpackFunding();
+            callTo(host, amount, "");
+        }
+
+        request.complete();
+        return "";
+    }
+}
+
+
+
+
+

package/commands/admin/Unauthorize.sol

@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { CommandBase, CommandContext, State } from "../Base.sol";
+import { Cursors, Cur, Schemas } from "../../Cursors.sol";
+using Cursors for Cur;
+
+string constant NAME = "unauthorize";
+
+/// @title Unauthorize
+/// @notice Admin command that revokes authorization from a list of node IDs.
+/// Each NODE block in the request is deauthorized on the host.
+/// Only callable by the admin account.
+abstract contract Unauthorize is CommandBase {
+    uint internal immutable unauthorizeId = commandId(NAME);
+
+    constructor() {
+        emit Command(host, NAME, Schemas.Node, unauthorizeId, State.Empty, State.Empty);
+    }
+
+    function unauthorize(
+        CommandContext calldata c
+    ) external payable onlyAdmin(c.account) onlyCommand(unauthorizeId, c.target) returns (bytes memory) {
+        (Cur memory request, , ) = cursor(c.request, 1);
+
+        while (request.i < request.bound) {
+            uint node = request.unpackNode();
+            access(node, false);
+        }
+
+        request.complete();
+        return "";
+    }
+}
+
+
+
+

package/core/Access.sol

@@ -0,0 +1,79 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { AccessEvent } from "../events/Access.sol";
+import { Accounts } from "../utils/Accounts.sol";
+import { Ids } from "../utils/Ids.sol";
+import { addrOr } from "../utils/Utils.sol";
+
+/// @title AccessControl
+/// @notice Host access control layer.
+/// Tracks an immutable trusted commander, the host's own node ID, and a
+/// mapping of externally authorized node IDs. Inbound trust is host-based:
+/// authorized hosts, the commander, and this contract itself may interact
+/// with the host through the guarded command and peer entrypoints.
+abstract contract AccessControl is AccessEvent {
+    /// @dev Trusted commander address. All calls from this address are implicitly trusted.
+    /// Defaults to `address(this)` when no external commander is provided.
+    address internal immutable commander;
+    /// @dev Admin account ID derived from the commander address at construction time.
+    bytes32 internal immutable adminAccount;
+    /// @dev This host's node ID, set to `Ids.toHost(address(this))` at construction.
+    uint public immutable host;
+
+    /// @dev Mapping from node ID to authorization status.
+    /// Authorised nodes may interact with the host as trusted callers or call targets.
+    mapping(uint => bool) internal authorized;
+
+    /// @dev Thrown when `ensureTrusted` is called with a node that is not authorized.
+    error UnauthorizedNode(uint node);
+    /// @dev Thrown when `enforceCaller` is called by an address that is not trusted.
+    error UnauthorizedCaller(address addr);
+
+    constructor(address cmdr) {
+        commander = addrOr(cmdr, address(this));
+        adminAccount = Accounts.toAdmin(commander);
+        host = Ids.toHost(address(this));
+    }
+
+    /// @notice Grant or revoke authorization for a node.
+    /// Inbound authentication is host-based: the node ID used here should be a host ID.
+    /// @param node Node ID to authorize or deauthorize.
+    /// @param allow True to grant authorization, false to revoke it.
+    function access(uint node, bool allow) internal {
+        authorized[node] = allow;
+        emit Access(host, node, allow);
+    }
+
+    /// @notice Return true if `caller` is an implicitly trusted address.
+    /// Trusted callers: the commander, this contract itself, or any address
+    /// whose host ID has been explicitly authorized.
+    /// @param caller Address to check.
+    function isTrusted(address caller) internal view returns (bool) {
+        return caller == commander || caller == address(this) || authorized[Ids.toHost(caller)];
+    }
+
+    /// @notice Assert that `caller` is trusted and return it.
+    /// Used by command and peer modifiers to gate execution to authorized senders.
+    /// @param caller Address to validate.
+    /// @return The same `caller` value if trusted.
+    function enforceCaller(address caller) internal view returns (address) {
+        if (caller == address(0) || !isTrusted(caller)) {
+            revert UnauthorizedCaller(caller);
+        }
+        return caller;
+    }
+
+    /// @notice Assert that `node` is in the authorized set and return it.
+    /// Used for outbound trust checks before calling another node.
+    /// Accepts any authorized node ID (host or command).
+    /// Inbound caller authentication is host-only via `enforceCaller(msg.sender)`.
+    /// @param node Node ID to validate.
+    /// @return The same `node` value if authorized.
+    function ensureTrusted(uint node) internal view returns (uint) {
+        if (node == 0 || !authorized[node]) {
+            revert UnauthorizedNode(node);
+        }
+        return node;
+    }
+}

package/core/Balances.sol

@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import {BalanceEvent} from "../events/Balance.sol";
+
+/// @dev Thrown when a debit would reduce a balance below zero.
+error InsufficientFunds();
+
+/// @title Balances
+/// @notice On-chain ledger for per-account, per-asset token balances.
+/// Balances are keyed by `(account, assetKey)` where `assetKey` is the
+/// value returned by `Assets.key(asset, meta)`.
+abstract contract Balances is BalanceEvent {
+    /// @dev account -> assetKey -> balance (in the asset's native units).
+    mapping(bytes32 account => mapping(bytes32 assetKey => uint amount)) internal balances;
+
+    /// @notice Deduct `amount` from an account balance and return the new balance.
+    /// Reverts with `InsufficientFunds` if the current balance is less than `amount`.
+    /// @param account Account identifier.
+    /// @param assetKey Storage key for the (asset, meta) pair.
+    /// @param amount Amount to deduct.
+    /// @return balance New balance after the debit.
+    function debitFrom(bytes32 account, bytes32 assetKey, uint amount) internal returns (uint balance) {
+        balance = balances[account][assetKey];
+        if (balance < amount) revert InsufficientFunds();
+        unchecked {
+            balance -= amount;
+        }
+        balances[account][assetKey] = balance;
+    }
+
+    /// @notice Add `amount` to an account balance and return the new balance.
+    /// @param account Account identifier.
+    /// @param assetKey Storage key for the (asset, meta) pair.
+    /// @param amount Amount to credit.
+    /// @return balance New balance after the credit.
+    function creditTo(bytes32 account, bytes32 assetKey, uint amount) internal returns (uint balance) {
+        balance = balances[account][assetKey] += amount;
+    }
+}

package/core/Host.sol

@@ -0,0 +1,44 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { AccessControl } from "./Access.sol";
+import { Authorize } from "../commands/admin/Authorize.sol";
+import { Unauthorize } from "../commands/admin/Unauthorize.sol";
+import { Relocate } from "../commands/admin/Relocate.sol";
+import { HostAnnouncedEvent } from "../events/HostAnnounced.sol";
+import { IHostDiscovery } from "../interfaces/IHostDiscovery.sol";
+import { Ids } from "../utils/Ids.sol";
+
+/// @notice Mixin that allows a contract to act as a host discovery registry.
+/// Hosts call `announceHost` on a discovery contract to register themselves.
+abstract contract HostDiscovery is HostAnnouncedEvent, IHostDiscovery {
+    /// @notice Announce this host to the discovery registry.
+    /// Validates that `id` matches `msg.sender` before emitting.
+    /// @param id Host node ID (must equal `Ids.toHost(msg.sender)`).
+    /// @param blocknum Block number at which the host was deployed.
+    /// @param version Protocol version the host implements.
+    /// @param namespace Human-readable namespace string for the host.
+    function announceHost(uint id, uint blocknum, uint16 version, string calldata namespace) external {
+        emit HostAnnounced(Ids.host(id, msg.sender), blocknum, version, namespace);
+    }
+}
+
+/// @title Host
+/// @notice Abstract base contract for rootzero host implementations.
+/// Inherits admin command support (authorize, unauthorize, relocate) and
+/// optionally announces itself to a discovery contract at deployment.
+/// Accepts native ETH payments via the `receive` function.
+abstract contract Host is Authorize, Unauthorize, Relocate {
+    /// @param cmdr Commander address; passed to `AccessControl`.
+    ///        If `cmdr` is a deployed contract, the host calls `announceHost`
+    ///        on it during construction to register with the discovery registry.
+    /// @param version Protocol version number to publish in the announcement.
+    /// @param namespace Human-readable namespace string for the host.
+    constructor(address cmdr, uint16 version, string memory namespace) AccessControl(cmdr) {
+        if (cmdr == address(0) || cmdr == address(this) || cmdr.code.length == 0) return;
+        IHostDiscovery(cmdr).announceHost(host, block.number, version, namespace);
+    }
+
+    /// @notice Accept native ETH transfers (e.g. from command value flows).
+    receive() external payable {}
+}

package/core/Operation.sol

@@ -0,0 +1,69 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { AccessControl } from "./Access.sol";
+import { Assets } from "../utils/Assets.sol";
+import { Ids } from "../utils/Ids.sol";
+import { Cur, Cursors } from "../Cursors.sol";
+
+using Cursors for Cur;
+
+/// @dev Emitted when a trusted inter-node call fails.
+/// @param addr Contract address that was called.
+/// @param node Node ID of the callee.
+/// @param selector 4-byte selector of the called function.
+/// @param err Revert data returned by the failed call.
+error FailedCall(address addr, uint node, bytes4 selector, bytes err);
+
+/// @title OperationBase
+/// @notice Shared base for command and peer contracts.
+/// Provides convenience wrappers for cursor construction, quotient validation,
+/// and trusted inter-node calls. Inherits access control from `AccessControl`.
+abstract contract OperationBase is AccessControl {
+    /// @dev Asset ID for the native chain value (ETH), bound to the current chain at deployment.
+    bytes32 public immutable valueAsset = Assets.toValue();
+
+    /// @notice Open a cursor over a calldata block stream.
+    /// @param source Calldata slice to parse.
+    /// @return cur Cursor positioned at the beginning of `source`.
+    function cursor(bytes calldata source) internal pure returns (Cur memory cur) {
+        return Cursors.open(source);
+    }
+
+    /// @notice Open a cursor and prime it for a grouped iteration pass in one call.
+    /// Equivalent to `open(source)` followed by `primeRun(group)`.
+    /// @param source Calldata slice to parse.
+    /// @param group Expected block group size (e.g. 1 for single, 2 for paired).
+    /// @return cur Cursor with `bound` set to the end of the first run.
+    /// @return count Total number of blocks in the run (a multiple of `group`).
+    /// @return quotient Number of groups in the run (`count / group`).
+    function cursor(bytes calldata source, uint group) internal pure returns (Cur memory cur, uint count, uint quotient) {
+        cur = Cursors.open(source);
+        (, count, quotient) = cur.primeRun(group);
+    }
+
+    /// @notice Assert that two normalized group quotients are equal.
+    /// Reverts with `Cursors.BadRatio` when `lq != rq`.
+    /// @param lq Left-hand quotient.
+    /// @param rq Right-hand quotient.
+    function checkQuotient(uint lq, uint rq) internal pure {
+        if (lq != rq) revert Cursors.BadRatio();
+    }
+
+    /// @notice Make a trusted call to another node in the network.
+    /// Looks up the node's contract address via `ensureTrusted` + `Ids.nodeAddr`,
+    /// then issues a low-level call forwarding `value` ETH and `data`.
+    /// Reverts with `FailedCall` if the call is unsuccessful.
+    /// @param node Node ID of the callee (must be in the authorized set).
+    /// @param value Native value to forward in wei.
+    /// @param data Encoded calldata to send.
+    /// @return out Return data from the successful call.
+    function callTo(uint node, uint value, bytes memory data) internal returns (bytes memory out) {
+        bool success;
+        address addr = Ids.nodeAddr(ensureTrusted(node));
+        (success, out) = payable(addr).call{value: value}(data);
+        if (!success) {
+            revert FailedCall(addr, node, bytes4(data), out);
+        }
+    }
+}

package/core/Validator.sol

@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: GPL-3.0-only
+pragma solidity ^0.8.33;
+
+import { ECDSA } from "../utils/ECDSA.sol";
+
+/// @title Validator
+/// @notice ECDSA proof verification with nonce-based replay protection.
+/// Proofs use the layout `[bytes20 signer][bytes65 sig]` (85 bytes total).
+/// Each (signer, nonce) pair may only be used once; subsequent uses revert.
+abstract contract Validator {
+    using ECDSA for bytes32;
+
+    /// @dev Thrown when the proof is not exactly 85 bytes.
+    error InvalidProof();
+    /// @dev Thrown when the recovered signer does not match the claimed signer in the proof.
+    error InvalidSigner();
+    /// @dev Thrown when the (signer, nonce) pair has already been used.
+    error InvalidNonce();
+
+    /// @dev signer address → nonce key → use count (0 = unused, 1+ = used).
+    mapping(address account => mapping(uint192 key => uint64)) internal nonces;
+
+    /// @dev Recover the signer from an Ethereum signed message hash and signature.
+    function recover(bytes32 hash, bytes calldata sig) private pure returns (address) {
+        return hash.toEthSignedMessageHash().tryRecoverCalldata(sig);
+    }
+
+    /// @notice Verify an 85-byte proof against a message hash and nonce.
+    /// Proof layout: `[bytes20 signer][bytes65 sig]`.
+    /// Increments the (signer, nonce) counter to prevent replay.
+    /// @param hash Message hash that was signed.
+    /// @param nonce 192-bit nonce key (typically derived from a deadline or sequence number).
+    /// @param proof 85-byte proof: 20-byte signer address followed by a 65-byte ECDSA signature.
+    /// @return Verified signer address.
+    function verify(bytes32 hash, uint192 nonce, bytes calldata proof) internal returns (address) {
+        if (proof.length != 85) revert InvalidProof();
+
+        address account = address(bytes20(proof[0:20]));
+        address signer = recover(hash, proof[20:]);
+
+        if (account == address(0) || signer != account) revert InvalidSigner();
+        if (nonces[account][nonce]++ != 0) revert InvalidNonce();
+
+        return account;
+    }
+}