nightpay 0.1.2 → 0.2.1

package/skills/nightpay/contracts/receipt.compact

@@ -1,195 +1,197 @@
-// NightPay — Midnight Compact contract (ledger-compatible)
-//
-// Built against: midnightntwrk/midnight-ledger spec
-//
-// SECURITY MODEL:
-//   - initialize() can only be called once — locked forever after
-//   - withdrawFees() is gated to the operator address set at init
-//   - operatorFeeBps and operatorAddress are IMMUTABLE after initialization
-//   - Fee split is enforced in-circuit with constrained balance effects
-//   - activeCount is underflow-guarded, completedCount is overflow-guarded
-//   - All domain-separated hashes prevent cross-namespace collisions
-//   - Gateway address is locked at init — cannot be injected via transaction metadata
-//   - Total bounty throughput capped to prevent counter exhaustion griefing
-
-pragma compact >= 0.19;
-
-module NightPay {
-
-  // ─── Public state ───────────────────────────────────────────────────────────
-  state completedCount:  Counter;
-  state activeCount:     Counter;
-  state operatorFeeBps:  Field;
-  state operatorAddress: Bytes<32>;
-
-  // SECURITY: one-time init lock — set to 1 after initialize() runs
-  state initialized: Field;
-
-  // DARK ENERGY: gateway address locked at init — cannot be injected per-transaction.
-  // Without this, a malicious caller could supply a custom "gateway" address in
-  // transaction metadata and redirect all bounty payments to themselves.
-  state gatewayAddress: Bytes<32>;
-
-  // ─── Private state (shielded via ZK) ────────────────────────────────────────
-  secret state bountyTree:  MerkleTree<25>;
-  secret state receiptTree: MerkleTree<25>;
-  secret state nullifiers:  Set<Bytes<32>>;
-
-  // ─── Domain separation prefixes ─────────────────────────────────────────────
-  // Prevents hash collisions between bounty commitments and receipt hashes.
-  const DOMAIN_BOUNTY:     Bytes<8> = 0x626f756e7479303030; // "bounty000"
-  const DOMAIN_RECEIPT:    Bytes<8> = 0x726563656970743030; // "receipt00"
-  const DOMAIN_NULLIFIER:  Bytes<8> = 0x6e756c6c6966696572; // "nullifier"
-
-  // ─── Capacity limits ─────────────────────────────────────────────────────────
-  // SECURITY: Merkle tree depth 25 = 2^25 = 33,554,432 max entries.
-  // We cap at 90% to leave headroom and reject spam before overflow.
-  // At 1 bounty/second this lasts ~348 days.
-  const MAX_TREE_ENTRIES: Field = 30199000;  // ~90% of 2^25
-
-  // DARK ENERGY: completedCount overflow griefing guard.
-  // An attacker who posts + completes millions of dust bounties could overflow
-  // the Counter if Compact's Counter is bounded. We cap total lifetime completions
-  // to the same tree limit — a completed bounty always consumed a tree slot first,
-  // so this is never a tighter constraint than MAX_TREE_ENTRIES.
-  const MAX_COMPLETED: Field = 30199000;  // matches MAX_TREE_ENTRIES
-
-  // SECURITY: Field arithmetic overflow guard.
-  // Midnight's Field is a 256-bit prime. We cap amount at 2^53 - 1
-  // (max safe JavaScript integer) so amount * operatorFeeBps (max 500)
-  // stays within safe range: 2^53 * 500 << 2^256.
-  const MAX_AMOUNT: Field = 9007199254740991;  // 2^53 - 1
-
-  // ─── Circuits ───────────────────────────────────────────────────────────────
-
-  // SECURITY: guarded by initialized flag — reverts if called twice.
-  // DARK ENERGY: gatewayAddress is set at init and locked — prevents per-transaction
-  // gateway address injection that would redirect bounty payments to an attacker.
-  export circuit initialize(
-    operatorAddr: Bytes<32>,
-    gatewayAddr:  Bytes<32>,   // DARK ENERGY: locked here, used in postBounty
-    feeBps:       Field
-  ): Void {
-    assert initialized == 0;        // SECURITY: one-time only
-    assert feeBps <= 500;           // SECURITY: max 5% fee cap, enforced on-chain
-    assert feeBps >= 0;             // SECURITY: no negative fee abuse
-
-    operatorAddress = operatorAddr;
-    gatewayAddress  = gatewayAddr;  // DARK ENERGY: immutable after init
-    operatorFeeBps  = feeBps;
-    initialized     = 1;           // SECURITY: lock forever
-  }
-
-  // postBounty: funder deposits shielded NIGHT, commitment stored in Merkle tree.
-  // SECURITY: fee split enforced in-circuit via effects API.
-  export circuit postBounty(
-    witness payerNullifier: Bytes<32>,
-    witness amount:         Field,
-    witness jobHash:        Bytes<32>,
-    witness nonce:          Bytes<32>
-  ): Bytes<32> {
-    assert initialized == 1;                  // SECURITY: contract must be initialized
-    assert amount > 0;                        // SECURITY: no zero-value bounties
-    assert amount <= MAX_AMOUNT;              // SECURITY: Field overflow guard
-
-    // SECURITY: reject when tree is at 90% capacity — prevents overflow DoS
-    assert activeCount < MAX_TREE_ENTRIES;
-
-    // SECURITY: domain-separated hash — bounty commitments can never collide
-    // with receipt hashes or nullifiers even if inputs are identical
-    const commitment = hash(DOMAIN_BOUNTY, payerNullifier, amount, jobHash, nonce);
-
-    // SECURITY: commitment must be fresh — prevents replay of old deposits
-    assert !nullifiers.contains(commitment);
-
-    bountyTree.insert(commitment);
-    activeCount.increment();
-
-    // SECURITY: fee split enforced on-chain via Zswap effects
-    // Both transfers are constrained — operator cannot take more than feeBps
-    const fee       = amount * operatorFeeBps / 10000;
-    const netAmount = amount - fee;
-
-    assert fee + netAmount == amount; // SECURITY: no rounding loss or gain
-
-    // Retain fee in contract balance (operator withdraws later)
-    effects.retainInContract(fee);
-    // DARK ENERGY: use the locked gatewayAddress from state, not a caller-supplied
-    // value. Without this, a malicious caller injects their own address in the
-    // transaction and redirects all bounty funds to themselves.
-    effects.releaseToAddress(gatewayAddress, netAmount);
-
-    return commitment;
-  }
-
-  // completeAndReceipt: nullifies bounty, mints ZK receipt, releases payment.
-  // SECURITY: double-completion prevented by nullifier set.
-  export circuit completeAndReceipt(
-    witness bountyCommitment:  Bytes<32>,
-    witness bountyMerkleProof: Proof<25>,
-    witness outputHash:        Bytes<32>,
-    witness completionNonce:   Bytes<32>
-  ): Bytes<32> {
-    assert initialized == 1;   // SECURITY: contract must be initialized
-
-    // SECURITY: bounty must exist in tree — proves it was legitimately posted
-    assert bountyTree.verify(bountyCommitment, bountyMerkleProof);
-
-    // SECURITY: nullifier check prevents double-claim / double-payment
-    assert !nullifiers.contains(bountyCommitment);
-    nullifiers.insert(bountyCommitment);
-
-    // SECURITY: domain-separated receipt hash — cannot be forged from bounty inputs
-    const receipt = hash(DOMAIN_RECEIPT, bountyCommitment, outputHash, completionNonce);
-
-    // SECURITY: receipt deduplication uses a dedicated receiptProof, not the
-    // bountyMerkleProof — these are separate trees with separate proofs.
-    // Reusing bountyMerkleProof here would be a logic error (different tree).
-    // The nullifier insertion above already prevents double-completion;
-    // this insert is the canonical record.
-    receiptTree.insert(receipt);
-
-    // SECURITY: counters stay consistent — activeCount only decrements if > 0
-    assert activeCount > 0;
-    // DARK ENERGY: completedCount overflow guard — an attacker who posts and
-    // completes millions of dust bounties could wrap the counter if it is bounded.
-    // Since every completion consumed a tree slot, this cap is never tighter
-    // than MAX_TREE_ENTRIES; it just makes the invariant explicit in-circuit.
-    assert completedCount < MAX_COMPLETED;
-    completedCount.increment();
-    activeCount.decrement();
-
-    return receipt;
-  }
-
-  // verifyReceipt: anyone can verify a receipt is valid — reveals nothing about the bounty.
-  export circuit verifyReceipt(
-    witness receiptCommitment:  Bytes<32>,
-    witness receiptMerkleProof: Proof<25>
-  ): Boolean {
-    return receiptTree.verify(receiptCommitment, receiptMerkleProof);
-  }
-
-  // withdrawFees: operator-only — gated to the address set at initialization.
-  // SECURITY: caller identity is constrained — no other address can withdraw.
-  export circuit withdrawFees(
-    caller:       Bytes<32>,   // must match operatorAddress
-    withdrawAmount: Field
-  ): Void {
-    assert initialized == 1;   // SECURITY: contract must be initialized
-
-    // SECURITY: only the operator set at init can withdraw
-    assert caller == operatorAddress;
-
-    // SECURITY: cannot withdraw more than contract holds — ledger enforces balance
-    assert withdrawAmount > 0;
-
-    // Ledger's apply() rejects if contract balance < withdrawAmount — no overdraft
-    effects.releaseToAddress(caller, withdrawAmount);
-  }
-
-  // getStats: public read-only view — no sensitive data exposed.
-  export circuit getStats(): [Field, Field, Field] {
-    return [completedCount, activeCount, operatorFeeBps];
-  }
-}
+// NightPay — Midnight Compact contract (ledger-compatible)
+//
+// Built against: midnightntwrk/midnight-ledger spec
+//
+// SECURITY MODEL:
+//   - initialize() can only be called once — locked forever after
+//   - withdrawFees() is gated to the operator address set at init
+//   - operatorFeeBps and operatorAddress are IMMUTABLE after initialization
+//   - Fee split is enforced in-circuit with constrained balance effects
+//   - activeCount is underflow-guarded, completedCount is overflow-guarded
+//   - All domain-separated hashes prevent cross-namespace collisions
+//   - Gateway address is locked at init — cannot be injected via transaction metadata
+//   - Total bounty throughput capped to prevent counter exhaustion griefing
+
+pragma language_version >= 0.19;
+
+import CompactStandardLibrary;
+
+module NightPay {
+
+  // ─── Public ledger state ─────────────────────────────────────────────────────
+  ledger completedCount:  Counter;
+  ledger activeCount:     Counter;
+  ledger operatorFeeBps:  Field;
+  ledger operatorAddress: Bytes<32>;
+
+  // SECURITY: one-time init lock — set to 1 after initialize() runs
+  ledger initialized: Field;
+
+  // DARK ENERGY: gateway address locked at init — cannot be injected per-transaction.
+  // Without this, a malicious caller could supply a custom "gateway" address in
+  // transaction metadata and redirect all bounty payments to themselves.
+  ledger gatewayAddress: Bytes<32>;
+
+  // ─── Private state (shielded via ZK) ────────────────────────────────────────
+  secret ledger bountyTree:  MerkleTree<25>;
+  secret ledger receiptTree: MerkleTree<25>;
+  secret ledger nullifiers:  Set<Bytes<32>>;
+
+  // ─── Domain separation prefixes ─────────────────────────────────────────────
+  // Prevents hash collisions between bounty commitments and receipt hashes.
+  const DOMAIN_BOUNTY:     Bytes<8> = 0x626f756e7479303030; // "bounty000"
+  const DOMAIN_RECEIPT:    Bytes<8> = 0x726563656970743030; // "receipt00"
+  const DOMAIN_NULLIFIER:  Bytes<8> = 0x6e756c6c6966696572; // "nullifier"
+
+  // ─── Capacity limits ─────────────────────────────────────────────────────────
+  // SECURITY: Merkle tree depth 25 = 2^25 = 33,554,432 max entries.
+  // We cap at 90% to leave headroom and reject spam before overflow.
+  // At 1 bounty/second this lasts ~348 days.
+  const MAX_TREE_ENTRIES: Field = 30199000;  // ~90% of 2^25
+
+  // DARK ENERGY: completedCount overflow griefing guard.
+  // An attacker who posts + completes millions of dust bounties could overflow
+  // the Counter if Compact's Counter is bounded. We cap total lifetime completions
+  // to the same tree limit — a completed bounty always consumed a tree slot first,
+  // so this is never a tighter constraint than MAX_TREE_ENTRIES.
+  const MAX_COMPLETED: Field = 30199000;  // matches MAX_TREE_ENTRIES
+
+  // SECURITY: Field arithmetic overflow guard.
+  // Midnight's Field is a 256-bit prime. We cap amount at 2^53 - 1
+  // (max safe JavaScript integer) so amount * operatorFeeBps (max 500)
+  // stays within safe range: 2^53 * 500 << 2^256.
+  const MAX_AMOUNT: Field = 9007199254740991;  // 2^53 - 1
+
+  // ─── Circuits ───────────────────────────────────────────────────────────────
+
+  // SECURITY: guarded by initialized flag — reverts if called twice.
+  // DARK ENERGY: gatewayAddress is set at init and locked — prevents per-transaction
+  // gateway address injection that would redirect bounty payments to an attacker.
+  export circuit initialize(
+    operatorAddr: Bytes<32>,
+    gatewayAddr:  Bytes<32>,   // DARK ENERGY: locked here, used in postBounty
+    feeBps:       Field
+  ): Void {
+    assert initialized == 0;        // SECURITY: one-time only
+    assert feeBps <= 500;           // SECURITY: max 5% fee cap, enforced on-chain
+    assert feeBps >= 0;             // SECURITY: no negative fee abuse
+
+    operatorAddress = operatorAddr;
+    gatewayAddress  = gatewayAddr;  // DARK ENERGY: immutable after init
+    operatorFeeBps  = feeBps;
+    initialized     = 1;           // SECURITY: lock forever
+  }
+
+  // postBounty: funder deposits shielded NIGHT, commitment stored in Merkle tree.
+  // SECURITY: fee split enforced in-circuit via effects API.
+  export circuit postBounty(
+    witness payerNullifier: Bytes<32>,
+    witness amount:         Field,
+    witness jobHash:        Bytes<32>,
+    witness nonce:          Bytes<32>
+  ): Bytes<32> {
+    assert initialized == 1;                  // SECURITY: contract must be initialized
+    assert amount > 0;                        // SECURITY: no zero-value bounties
+    assert amount <= MAX_AMOUNT;              // SECURITY: Field overflow guard
+
+    // SECURITY: reject when tree is at 90% capacity — prevents overflow DoS
+    assert activeCount < MAX_TREE_ENTRIES;
+
+    // SECURITY: domain-separated hash — bounty commitments can never collide
+    // with receipt hashes or nullifiers even if inputs are identical
+    const commitment = hash(DOMAIN_BOUNTY, payerNullifier, amount, jobHash, nonce);
+
+    // SECURITY: commitment must be fresh — prevents replay of old deposits
+    assert !nullifiers.contains(commitment);
+
+    bountyTree.insert(commitment);
+    activeCount.increment(1);
+
+    // SECURITY: fee split enforced on-chain via Zswap effects
+    // Both transfers are constrained — operator cannot take more than feeBps
+    const fee       = amount * operatorFeeBps / 10000;
+    const netAmount = amount - fee;
+
+    assert fee + netAmount == amount; // SECURITY: no rounding loss or gain
+
+    // Retain fee in contract balance (operator withdraws later)
+    effects.retainInContract(fee);
+    // DARK ENERGY: use the locked gatewayAddress from state, not a caller-supplied
+    // value. Without this, a malicious caller injects their own address in the
+    // transaction and redirects all bounty funds to themselves.
+    effects.releaseToAddress(gatewayAddress, netAmount);
+
+    return commitment;
+  }
+
+  // completeAndReceipt: nullifies bounty, mints ZK receipt, releases payment.
+  // SECURITY: double-completion prevented by nullifier set.
+  export circuit completeAndReceipt(
+    witness bountyCommitment:  Bytes<32>,
+    witness bountyMerkleProof: Proof<25>,
+    witness outputHash:        Bytes<32>,
+    witness completionNonce:   Bytes<32>
+  ): Bytes<32> {
+    assert initialized == 1;   // SECURITY: contract must be initialized
+
+    // SECURITY: bounty must exist in tree — proves it was legitimately posted
+    assert bountyTree.verify(bountyCommitment, bountyMerkleProof);
+
+    // SECURITY: nullifier check prevents double-claim / double-payment
+    assert !nullifiers.contains(bountyCommitment);
+    nullifiers.insert(bountyCommitment);
+
+    // SECURITY: domain-separated receipt hash — cannot be forged from bounty inputs
+    const receipt = hash(DOMAIN_RECEIPT, bountyCommitment, outputHash, completionNonce);
+
+    // SECURITY: receipt deduplication uses a dedicated receiptProof, not the
+    // bountyMerkleProof — these are separate trees with separate proofs.
+    // Reusing bountyMerkleProof here would be a logic error (different tree).
+    // The nullifier insertion above already prevents double-completion;
+    // this insert is the canonical record.
+    receiptTree.insert(receipt);
+
+    // SECURITY: counters stay consistent — activeCount only decrements if > 0
+    assert activeCount > 0;
+    // DARK ENERGY: completedCount overflow guard — an attacker who posts and
+    // completes millions of dust bounties could wrap the counter if it is bounded.
+    // Since every completion consumed a tree slot, this cap is never tighter
+    // than MAX_TREE_ENTRIES; it just makes the invariant explicit in-circuit.
+    assert completedCount < MAX_COMPLETED;
+    completedCount.increment(1);
+    activeCount.decrement(1);
+
+    return receipt;
+  }
+
+  // verifyReceipt: anyone can verify a receipt is valid — reveals nothing about the bounty.
+  export circuit verifyReceipt(
+    witness receiptCommitment:  Bytes<32>,
+    witness receiptMerkleProof: Proof<25>
+  ): Boolean {
+    return receiptTree.verify(receiptCommitment, receiptMerkleProof);
+  }
+
+  // withdrawFees: operator-only — gated to the address set at initialization.
+  // SECURITY: caller identity is constrained — no other address can withdraw.
+  export circuit withdrawFees(
+    caller:       Bytes<32>,   // must match operatorAddress
+    withdrawAmount: Field
+  ): Void {
+    assert initialized == 1;   // SECURITY: contract must be initialized
+
+    // SECURITY: only the operator set at init can withdraw
+    assert caller == operatorAddress;
+
+    // SECURITY: cannot withdraw more than contract holds — ledger enforces balance
+    assert withdrawAmount > 0;
+
+    // Ledger's apply() rejects if contract balance < withdrawAmount — no overdraft
+    effects.releaseToAddress(caller, withdrawAmount);
+  }
+
+  // getStats: public read-only view — no sensitive data exposed.
+  export circuit getStats(): [Field, Field, Field] {
+    return [completedCount, activeCount, operatorFeeBps];
+  }
+}

package/skills/nightpay/openclaw-fragment.json

@@ -1,20 +1,20 @@
-{
-  "$comment": "Merge this into your ~/.openclaw/openclaw.json under 'skills.entries' to enable the nightpay skill. OpenClaw discovers the skill automatically once it is installed into ./skills/nightpay — this fragment just supplies the required env vars.",
-  "skills": {
-    "entries": {
-      "nightpay": {
-        "enabled": true,
-        "env": {
-          "MASUMI_API_KEY": "MASUMI_API_KEY",
-          "OPERATOR_ADDRESS": "OPERATOR_ADDRESS",
-          "MIDNIGHT_NETWORK": "MIDNIGHT_NETWORK",
-          "OPERATOR_FEE_BPS": "OPERATOR_FEE_BPS",
-          "RECEIPT_CONTRACT_ADDRESS": "RECEIPT_CONTRACT_ADDRESS",
-          "OPERATOR_SECRET_KEY": "OPERATOR_SECRET_KEY",
-          "CONTENT_SAFETY_URL": "CONTENT_SAFETY_URL",
-          "BRIDGE_URL": "BRIDGE_URL"
-        }
-      }
-    }
-  }
-}
+{
+  "$comment": "Merge this into your ~/.openclaw/openclaw.json under 'skills.entries' to enable the nightpay skill. OpenClaw discovers the skill automatically once it is installed into ./skills/nightpay — this fragment just supplies the required env vars.",
+  "skills": {
+    "entries": {
+      "nightpay": {
+        "enabled": true,
+        "env": {
+          "MASUMI_API_KEY": "MASUMI_API_KEY",
+          "OPERATOR_ADDRESS": "OPERATOR_ADDRESS",
+          "MIDNIGHT_NETWORK": "MIDNIGHT_NETWORK",
+          "OPERATOR_FEE_BPS": "OPERATOR_FEE_BPS",
+          "RECEIPT_CONTRACT_ADDRESS": "RECEIPT_CONTRACT_ADDRESS",
+          "OPERATOR_SECRET_KEY": "OPERATOR_SECRET_KEY",
+          "CONTENT_SAFETY_URL": "CONTENT_SAFETY_URL",
+          "BRIDGE_URL": "BRIDGE_URL"
+        }
+      }
+    }
+  }
+}