Add UTXOW preconditions

carlostome · carlostome · commit ee7c2004702d · 2026-01-12T17:16:33.000+01:00
diff --git a/src/Ledger/Dijkstra/Specification/Ledger.lagda.md b/src/Ledger/Dijkstra/Specification/Ledger.lagda.md
@@ -1,4 +1,4 @@
----
+--
 source_branch: master
 source_path: src/Ledger/Dijkstra/Specification/Ledger.lagda
 ---
@@ -46,7 +46,10 @@ record SubLedgerEnv : Type where
     pparams     : PParams
     enactState  : EnactState
     treasury    : Treasury
-    isValid     : Bool
+    utxo₀            : UTxO
+    isTopLevelValid  : Bool
+    globalScripts    : ℙ Script
+    globalData       : DataHash ⇀ Datum
 
 record LedgerEnv : Type where
   field
@@ -172,6 +175,7 @@ private variable
   Γ                     : LedgerEnv
   s s' s''              : LState
   utxoState utxoState'  : UTxOState
+  utxo₀                 : UTxO
   govState govState'    : GovState
   certState certState'  : CertState
   stx                   : SubLevelTx
@@ -181,33 +185,36 @@ private variable
   enactState            : EnactState
   treasury              : Treasury
   isTopLevelValid       : Bool
+  globalScripts         : ℙ Script
+  globalData            : DataHash ⇀ Datum
 ```
 -->
 
 ```agda
 data _⊢_⇀⦇_,SUBLEDGER⦈_ : SubLedgerEnv → LState → SubLevelTx → LState → Type where
   SUBLEDGER-V :
-    let  txb = stx .txBody
+    let txb = stx .txBody
+
 ```
 <!--
 ```agda
-         open TxBody txb
+        open TxBody txb
 ```
 -->
 ```agda
     in
       ∙ isTopLevelValid ≡ true
-      ∙ ⟦ slot , pp , treasury ⟧  ⊢ utxoState ⇀⦇ stx ,SUBUTXOW⦈ utxoState'
+      ∙ ⟦ slot , pp , treasury , utxo₀ , isTopLevelValid , globalScripts , globalData ⟧  ⊢ utxoState ⇀⦇ stx ,SUBUTXOW⦈ utxoState'
       ∙ ⟦ epoch slot , pp , txGovVotes , txWithdrawals , allColdCreds govState enactState ⟧ ⊢ certState ⇀⦇ txCerts ,CERTS⦈ certState'
       ∙ ⟦ txId , epoch slot , pp , ppolicy , enactState , certState' , dom (RewardsOf certState) ⟧ ⊢ {- rmOrphanDRepVotes certState' -} govState ⇀⦇ txgov txb ,GOVS⦈ govState'
       ────────────────────────────────
-      ⟦ slot , ppolicy , pp , enactState , treasury , isTopLevelValid ⟧ ⊢ ⟦ utxoState , govState , certState ⟧ ⇀⦇ stx ,SUBLEDGER⦈ ⟦ utxoState' , govState' , certState' ⟧
+      ⟦ slot , ppolicy , pp , enactState , treasury , utxo₀ , isTopLevelValid , globalScripts , globalData ⟧ ⊢ ⟦ utxoState , govState , certState ⟧ ⇀⦇ stx ,SUBLEDGER⦈ ⟦ utxoState' , govState' , certState' ⟧
 
   SUBLEDGER-I :
       ∙ isTopLevelValid ≡ false
-      ∙ ⟦ slot , pp , treasury ⟧ ⊢ utxoState ⇀⦇ stx ,SUBUTXOW⦈ utxoState
+      ∙ ⟦ slot , pp , treasury , utxo₀ , isTopLevelValid , globalScripts , globalData ⟧ ⊢ utxoState ⇀⦇ stx ,SUBUTXOW⦈ utxoState
       ────────────────────────────────
-      ⟦ slot , ppolicy , pp , enactState , treasury , isTopLevelValid ⟧ ⊢ ⟦ utxoState , govState , certState ⟧ ⇀⦇ stx ,SUBLEDGER⦈ ⟦ utxoState , govState , certState ⟧
+      ⟦ slot , ppolicy , pp , enactState , treasury , utxo₀ , isTopLevelValid , globalScripts , globalData ⟧ ⊢ ⟦ utxoState , govState , certState ⟧ ⇀⦇ stx ,SUBLEDGER⦈ ⟦ utxoState , govState , certState ⟧
 
 _⊢_⇀⦇_,SUBLEDGERS⦈_ : SubLedgerEnv → LState → List SubLevelTx → LState → Type
 _⊢_⇀⦇_,SUBLEDGERS⦈_ = ReflexiveTransitiveClosure {sts = _⊢_⇀⦇_,SUBLEDGER⦈_}
@@ -227,6 +234,14 @@ private variable
 data _⊢_⇀⦇_,LEDGER⦈_ : LedgerEnv → LState → TopLevelTx → LState → Type where
   LEDGER-V :
     let  txb = tx .txBody
+
+         utxo₀ = UTxOOf utxoState
+
+         globalScripts : ℙ Script
+         globalScripts = ∅ -- TODO
+
+         globalData : DataHash ⇀ Datum
+         globalData = ∅ -- TODO
 ```
 <!--
 ```agda
@@ -236,15 +251,23 @@ data _⊢_⇀⦇_,LEDGER⦈_ : LedgerEnv → LState → TopLevelTx → LState 
 ```agda
     in
       ∙ isValid tx ≡ true
-      ∙ ⟦ slot , ppolicy , pp , enactState , treasury , isValid tx ⟧ ⊢ ⟦ utxoState , govState , certState ⟧ ⇀⦇ txSubTransactions ,SUBLEDGERS⦈ ⟦ utxoState' , govState' , certState' ⟧
-      ∙ ⟦ slot , pp , treasury ⟧  ⊢ utxoState' ⇀⦇ tx ,UTXOW⦈ utxoState''
+      ∙ ⟦ slot , ppolicy , pp , enactState , treasury , utxo₀ , isValid tx , globalScripts , globalData ⟧ ⊢ ⟦ utxoState , govState , certState ⟧ ⇀⦇ txSubTransactions ,SUBLEDGERS⦈ ⟦ utxoState' , govState' , certState' ⟧
+      ∙ ⟦ slot , pp , treasury , utxo₀ , isValid tx , globalScripts , globalData ⟧  ⊢ utxoState' ⇀⦇ tx ,UTXOW⦈ utxoState''
       ∙ ⟦ epoch slot , pp , txGovVotes , txWithdrawals , allColdCreds govState enactState ⟧ ⊢ certState' ⇀⦇ txCerts ,CERTS⦈ certState''
       ∙ ⟦ txId , epoch slot , pp , ppolicy , enactState , certState' , dom (RewardsOf certState) ⟧ ⊢ {- rmOrphanDRepVotes certState' -} govState ⇀⦇ txgov txb ,GOVS⦈ govState'
       ────────────────────────────────
       ⟦ slot , ppolicy , pp , enactState , treasury ⟧ ⊢ ⟦ utxoState , govState , certState ⟧ ⇀⦇ tx ,LEDGER⦈ ⟦ utxoState'' , govState'' , certState'' ⟧
 
   LEDGER-I :
     let  txb = tx .txBody
+
+         utxo₀ = UTxOOf utxoState
+
+         globalScripts : ℙ Script
+         globalScripts = ∅ -- TODO
+
+         globalData : DataHash ⇀ Datum
+         globalData = ∅ -- TODO
 ```
 <!--
 ```agda
@@ -254,8 +277,8 @@ data _⊢_⇀⦇_,LEDGER⦈_ : LedgerEnv → LState → TopLevelTx → LState 
 ```agda
     in
       ∙ isValid tx ≡ false
-      ∙ ⟦ slot , ppolicy , pp , enactState , treasury , isValid tx ⟧ ⊢ ⟦ utxoState , govState , certState ⟧ ⇀⦇ txSubTransactions  ,SUBLEDGERS⦈ ⟦ utxoState , govState , certState ⟧
-      ∙ ⟦ slot , pp , treasury ⟧ ⊢ utxoState ⇀⦇ tx ,UTXOW⦈ utxoState'
+      ∙ ⟦ slot , ppolicy , pp , enactState , treasury , utxo₀ , isValid tx , globalScripts , globalData ⟧ ⊢ ⟦ utxoState , govState , certState ⟧ ⇀⦇ txSubTransactions  ,SUBLEDGERS⦈ ⟦ utxoState , govState , certState ⟧
+      ∙ ⟦ slot , pp , treasury , utxo₀ , isValid tx , globalScripts , globalData ⟧ ⊢ utxoState ⇀⦇ tx ,UTXOW⦈ utxoState'
       ────────────────────────────────
       ⟦ slot , ppolicy , pp , enactState , treasury ⟧ ⊢ ⟦ utxoState , govState , certState ⟧ ⇀⦇ tx ,LEDGER⦈ ⟦ utxoState' , govState , certState ⟧
 ```
diff --git a/src/Ledger/Dijkstra/Specification/Script/Validation.lagda.md b/src/Ledger/Dijkstra/Specification/Script/Validation.lagda.md
@@ -156,12 +156,12 @@ credsNeededMinusCollateral txb = a ∪ b ∪ c ∪ d ∪ e
   e = mapPartial (λ p → if PolicyOf p then (λ {sh} → just (Propose  p , ScriptObj sh)) else nothing)
                  (fromList (GovProposalsOf txb))
 
-credsNeeded : (ℓ : TxLevel) → UTxO → (TxBody ℓ) → ℙ (ScriptPurpose × Credential)
-credsNeeded TxLevelTop utxo txb = credsNeededMinusCollateral txb
+credsNeeded : {ℓ : TxLevel} → UTxO → (TxBody ℓ) → ℙ (ScriptPurpose × Credential)
+credsNeeded {TxLevelTop} utxo txb = credsNeededMinusCollateral txb
   ∪ mapˢ (λ (i , o) → (Spend  i , payCred (proj₁ o))) ((utxo ∣ (txIns ∪ collateralInputs)) ˢ)
   where open TxBody txb
 
-credsNeeded TxLevelSub utxo txb = credsNeededMinusCollateral txb
+credsNeeded {TxLevelSub} utxo txb = credsNeededMinusCollateral txb
   ∪ mapˢ (λ (i , o) → (Spend  i , payCred (proj₁ o))) ((utxo ∣ txIns) ˢ)
   where open TxBody txb
 
diff --git a/src/Ledger/Dijkstra/Specification/Transaction.lagda.md b/src/Ledger/Dijkstra/Specification/Transaction.lagda.md
@@ -404,6 +404,9 @@ This section collects some unimportant but useful helper and accessor functions.
   txinsScript : ℙ TxIn → UTxO → ℙ TxIn
   txinsScript txins utxo = txins ∩ dom (proj₁ (scriptOuts utxo))
 
+  txOutToScript : TxOut → Maybe Script
+  txOutToScript (_ , _ , _ , s) = s
+
   refScripts : Tx txLevel → UTxO → List Script
   refScripts tx utxo =
     mapMaybe (proj₂ ∘ proj₂ ∘ proj₂) $ setToList (range (utxo ∣ (txIns ∪ refInputs)))
@@ -414,26 +417,9 @@ This section collects some unimportant but useful helper and accessor functions.
     where open Tx; open TxWitnesses
 
   lookupScriptHash : ScriptHash → Tx txLevel → UTxO → Maybe Script
-  lookupScriptHash sh tx utxo =
-    if sh ∈ mapˢ proj₁ (m ˢ) then
-      just (lookupᵐ m sh)
-    else
-      nothing
-    where m = setToMap (mapˢ < hash , id > (txscripts tx utxo))
-
-  getSubTxScripts : SubLevelTx → ℙ (TxId × ScriptHash)
-  getSubTxScripts subtx = mapˢ (λ hash → (TxIdOf subtx , hash)) (ScriptHashes subtx)
-    where
-    ScriptHashes : Tx TxLevelSub → ℙ ScriptHash
-    ScriptHashes tx =                                   -- `txRequiredTopLevelGuards`
-      mapPartial (isScriptObj ∘ proj₁)                  -- has key creds too, but only
-        (TxBody.txRequiredTopLevelGuards (TxBodyOf tx)) -- `ScriptObj hash` contributes
-                                                        -- a phase-2 script hash.
-
-  getTxScripts : {ℓ : TxLevel} → Tx ℓ → ℙ (TxId × ScriptHash)
-  getTxScripts {TxLevelSub} = getSubTxScripts
-  getTxScripts {TxLevelTop} =
-    concatMapˢ getSubTxScripts ∘ fromList ∘ TxBody.txSubTransactions ∘ TxBodyOf
+  lookupScriptHash sh tx utxo = lookupHash sh (txscripts tx utxo)
+
+  -- TODO: implement the actual evolving `utxoRefView` (issue #1006)
 ```
 
 CIP-0118 models "required top-level guards" as a list of requirements coming
diff --git a/src/Ledger/Dijkstra/Specification/Utxo.lagda.md b/src/Ledger/Dijkstra/Specification/Utxo.lagda.md
@@ -38,9 +38,13 @@ open import Ledger.Dijkstra.Specification.Script.Validation txs abs
 ```agda
 record UTxOEnv : Type where
   field
-    slot      : Slot
-    pparams   : PParams
-    treasury  : Treasury
+    slot             : Slot
+    pparams          : PParams
+    treasury         : Treasury
+    utxo₀            : UTxO
+    isTopLevelValid  : Bool
+    globalRefInputsScripts : ℙ Script
+    globalData             : DataHash ⇀ Datum
 
 record UTxOState : Type where
   field
@@ -56,6 +60,9 @@ instance
   unquoteDecl HasCast-UTxOEnv HasCast-UTxOState = derive-HasCast
     ( (quote UTxOEnv   , HasCast-UTxOEnv  ) ∷
     [ (quote UTxOState , HasCast-UTxOState) ])
+
+  HasUTxO-UTxOState : HasUTxO UTxOState
+  HasUTxO-UTxOState .HasUTxO.UTxOOf = UTxOState.utxo
 ```
 -->
 
diff --git a/src/Ledger/Dijkstra/Specification/Utxow.lagda.md b/src/Ledger/Dijkstra/Specification/Utxow.lagda.md
@@ -3,12 +3,7 @@ source_branch: master
 source_path: src/Ledger/Dijkstra/Specification/Utxow.lagda.md
 ---
 
-# UTxOW (Dijkstra skeleton)
-
-This is a **minimal skeleton** of the Dijkstra-era witnessing layer.
-
-It currently acts as a wrapper around `UTXO`, mirroring Conway's shape, but without
-committing to full witnessing checks yet.
+# UTxOW
 
 <!--
 ```agda
@@ -24,30 +19,133 @@ module Ledger.Dijkstra.Specification.Utxow
   where
 
 open import Ledger.Dijkstra.Specification.Utxo txs abs
+open import Ledger.Dijkstra.Specification.Script.Validation txs abs
 
 private variable
+  ℓ : TxLevel
   Γ  : UTxOEnv
   s s' : UTxOState
   tx : TopLevelTx
   stx : SubLevelTx
 ```
 -->
 
+```agda
+languages : Tx ℓ → UTxO → ℙ Language
+languages tx utxo = ∅ -- TODO
+
+allowedLanguages : Tx ℓ → UTxO → ℙ Language
+allowedLanguages tx utxo = ∅ -- TODO
+```
+
 ```agda
 data _⊢_⇀⦇_,SUBUTXOW⦈_ : UTxOEnv → UTxOState → SubLevelTx → UTxOState → Type where
 
   SUBUTXOW :
+    let
+         open Tx tx
+         open TxBody txBody
+         open TxWitnesses txWitnesses
+         open UTxOEnv
+
+         utxo₀               = Γ .utxo₀
+         utxo                = s .UTxOState.utxo
+
+         witsKeyHashes       : ℙ KeyHash
+         witsKeyHashes       = mapˢ hash (dom vKeySigs)
+
+         allScripts : ℙ Script
+         allScripts =
+           ( scripts                             -- (1) scripts from witnesses
+             ∪ mapPartial txOutToScript
+                 ( range (utxo₀ ∣ txIns)         -- (2) scripts from transaction inputs
+                   ∪ range (utxo ∣ refInputs)    -- (3) scripts from reference inputs
+                 )
+             ∪ Γ .globalRefInputsScripts         -- (4) scripts from global reference inputs
+           )
+
+         p1Scripts : ℙ P1Script
+         p1Scripts = mapPartial toP1Script allScripts
+
+         p2Scripts : ℙ P2Script
+         p2Scripts = mapPartial toP2Script allScripts
+
+         neededScriptHashes  : ℙ ScriptHash
+         neededScriptHashes  = mapPartial (isScriptObj  ∘ proj₂) (credsNeeded utxo₀ txBody)
+
+         neededVKeyHashes : ℙ KeyHash
+         neededVKeyHashes = mapPartial (isKeyHashObj ∘ proj₂) (credsNeeded utxo₀ txBody)
+
+         neededDataHashes : ℙ DataHash
+         neededDataHashes = mapPartial (λ txOut@(a , _ , d , _) → do sh ← isScriptObj (payCred a)
+                                                                     _  ← lookupHash sh p2Scripts
+                                                                     d >>= isInj₂)
+                                       (range (utxo₀ ∣ txIns))
+
+    in
+    ∙  ∀[ (vk , σ) ∈ vKeySigs ] isSigned vk (txidBytes txId) σ
+    ∙  ∀[ s ∈ p1Scripts ] (hash s ∈ neededScriptHashes → validP1Script witsKeyHashes txVldt s)
+    ∙  neededVKeyHashes ⊆ witsKeyHashes
+    ∙  neededScriptHashes ⊆ mapˢ hash allScripts
+    ∙  neededDataHashes ⊆ dom (Γ .globalData)
+    ∙  languages tx utxo ⊆ allowedLanguages tx utxo
+    ∙  txADhash ≡ map hash txAuxData
     ∙ Γ ⊢ s ⇀⦇ stx ,SUBUTXO⦈ s'
       ────────────────────────────────
       Γ ⊢ s ⇀⦇ stx ,SUBUTXOW⦈ s'
 
 data _⊢_⇀⦇_,UTXOW⦈_ : UTxOEnv → UTxOState → TopLevelTx → UTxOState → Type where
 
   UTXOW :
-    ∙ Γ ⊢ s ⇀⦇ tx ,UTXO⦈ s'
+    let
+         open Tx tx
+         open TxBody txBody
+         open TxWitnesses txWitnesses
+         open UTxOEnv
+
+         utxo₀               = Γ .utxo₀
+         utxo                = s .UTxOState.utxo
+
+         witsKeyHashes       : ℙ KeyHash
+         witsKeyHashes       = mapˢ hash (dom vKeySigs)
+
+         allScripts : ℙ Script
+         allScripts =
+           ( scripts                             -- (1) scripts from witnesses
+             ∪ mapPartial txOutToScript
+                 ( range (utxo₀ ∣ txIns)         -- (2) scripts from transaction inputs
+                   ∪ range (utxo ∣ refInputs)    -- (3) scripts from reference inputs
+                 )
+             ∪ Γ .globalRefInputsScripts         -- (4) scripts from global reference inputs
+           )
+
+         p1Scripts : ℙ P1Script
+         p1Scripts = mapPartial toP1Script allScripts
+
+         p2Scripts : ℙ P2Script
+         p2Scripts = mapPartial toP2Script allScripts
+
+         neededScriptHashes  : ℙ ScriptHash
+         neededScriptHashes  = mapPartial (isScriptObj  ∘ proj₂) (credsNeeded utxo₀ txBody)
+
+         neededVKeyHashes : ℙ KeyHash
+         neededVKeyHashes = mapPartial (isKeyHashObj ∘ proj₂) (credsNeeded utxo₀ txBody)
+
+         neededDataHashes : ℙ DataHash
+         neededDataHashes = mapPartial (λ txOut@(a , _ , d , _) → do sh ← isScriptObj (payCred a)
+                                                                     _  ← lookupHash sh p2Scripts
+                                                                     d >>= isInj₂)
+                                       (range (utxo₀ ∣ txIns))
+
+    in
+    ∙  ∀[ (vk , σ) ∈ vKeySigs ] isSigned vk (txidBytes txId) σ
+    ∙  ∀[ s ∈ p1Scripts ] (hash s ∈ neededScriptHashes → validP1Script witsKeyHashes txVldt s)
+    ∙  neededVKeyHashes ⊆ witsKeyHashes
+    ∙  neededScriptHashes ⊆ mapˢ hash allScripts
+    ∙  neededDataHashes ⊆ dom (Γ .globalData)
+    ∙  languages tx utxo ⊆ allowedLanguages tx utxo
+    ∙  txADhash ≡ map hash txAuxData
+    ∙  Γ ⊢ s ⇀⦇ tx ,UTXO⦈ s'
       ────────────────────────────────
       Γ ⊢ s ⇀⦇ tx ,UTXOW⦈ s'
 ```
-
-This file intentionally contains **no** additional premises yet.  As Dijkstra witnessing
-evolves, this is where signature / script / datum / language constraints can be added.
diff --git a/src/Ledger/Prelude.lagda.md b/src/Ledger/Prelude.lagda.md
@@ -86,4 +86,8 @@ module Filter where
   filter : ∀ {a} {p} {A : Type a} → (P : Pred A p) → ⦃ P ⁇¹ ⦄ → List A → List A
   filter P = Data.List.filter ¿ P ¿¹
 
+lookupHash : ∀ {T H : Type} ⦃ _ : DecEq H ⦄ ⦃ _ : Hashable T H ⦄ → H → ℙ T → Maybe T
+lookupHash h s =
+  if h ∈ mapˢ proj₁ (m ˢ) then just (lookupᵐ m h) else nothing
+  where m = setToMap (mapˢ < hash , id > s)
 ```
