docs: ETCM-12356 selection pallet and inherents documentation (#1055)

Author: AmbientTea

toolkit/committee-selection/authority-selection-inherents/src/lib.rs

@@ -1,4 +1,41 @@
-//! This crate provides inherents for authority selection.
+//! # Partner Chain Committee Selection
+//!
+//! Inherent data provider and selection logic for Partner Chain committee selection.
+//!
+//! ## Overview
+//!
+//! This crate provides an IDP and all types necessary for a Partner Chain to select
+//! block producer committees using data sourced from Cardano smart contracts.
+//!
+//! ## Usage
+//!
+//! ### Prerequisites
+//!
+//! This crate is intended to work with `pallet_session_validator_management`. See
+//! the pallet's documentation for instructions how to add it to you runtime. Your
+//! pallet should be configured with [CommitteeMember] as its `CommitteeMember`,
+//! using the `CrossChainPublic` and `SessionKeys` defined described in the pallet's
+//! documentation.
+//!
+//! Additionally [AriadneInherentDataProvider] needs access to a data source
+//! implementing [AuthoritySelectionDataSource]. A Db-Sync-based implementation is
+//! provided by the `partner_chains_db_sync_data_sources` crate.
+//!
+//! ### Adding to the node
+//!
+//! #### Implementing runtime API
+//!
+//! Implement the [SessionValidatorManagementApi] for your runtime. Each API method has
+//! a corresponding method in the pallet that should be used for that purpose. Refer to
+//! the demo runtime for an example.
+//!
+//! #### Add the inherent data provider
+//!
+//! Wire the [AriadneInherentDataProvider] into your inherent data provider stack. The same
+//! constructor [AriadneInherentDataProvider::new] should be used for both proposing and
+//! validating blocks. Refer to the demo node implementation for an example of how to wire
+//! it correctly into a node.
+//!
 #![cfg_attr(not(feature = "std"), no_std)]
 #![deny(missing_docs)]
 

toolkit/committee-selection/pallet/Cargo.toml

@@ -34,6 +34,7 @@ frame-benchmarking = { workspace = true, optional = true }
 [dev-dependencies]
 sp-io = { workspace = true }
 pallet-balances = { workspace = true }
+sp-runtime = { workspace = true, default-features = true }
 
 [features]
 default = ["std"]

toolkit/committee-selection/pallet/src/lib.rs

@@ -1,19 +1,245 @@
-//!  Pallet for setting the Partner Chain validators using inherent data
+//! Pallet for setting the Partner Chain validators using inherent data
 //!
-//! *Important*: It is recommended that when `pallet_session` is wired into the runtime, its
-//! extrinsics are hidden, using `exclude_parts` like so:
-//! ```rust,ignore
+//! # Purpose of the pallet
+//!
+//! This pallet provides a mechanism to rotate Partner Chain's block producing committees
+//! based on candidate registrations and chain configuration sourced from Cardano. It works
+//! by integrating with `pallet_session` as a [SessionManager] and [ShouldEndSession] to provide it
+//! with committee information and to rotate sessions. In addition to managing the sessions,
+//! the pallet automatically registers session keys of all active block producers, alleviating
+//! the need for manual key registration, and ensures that all necessary chain-local accounts
+//! exist.
+//!
+//! # Committee selection overview
+//!
+//! Committees are selected for sessions corresponding roughly to Partner Chain epochs, whose
+//! duration is configurable for each Partner Chain. Due to the way session rotation works in
+//! `pallet_session`, these sessions are delayed by *2 blocks* relative to their respective
+//! epoch.
+//!
+//! Committees are selected based on the following inputs sourced from Cardano:
+//! - `Registered candidates`:
+//!   Cardano SPOs who have registered themselves as willing to participate as block producers.
+//!   These candidates need to control an ADA stake pool to be eligible for selection to a
+//!   committee, and their chance at securing a seat is proportional to their pool's size.
+//!   This candidate group corresponds to a typical "trustless" Proof of Stake block producers.
+//! - `Permissioned candidates`:
+//!   A list of trusted block producers that do not need to register themselves or control any
+//!   ADA stake on Cardano to be eligible for a Partner Chain committee.
+//!   This candidate group serves a special role as trusted block producers during initial phase
+//!   of a Partner Chain's lifetime (when there may not be enough registered candidates to ensure
+//!   proper security and decentralization of the network), and are intended to be phased out as
+//!   the number of trustless participants grows.
+//! - `D-Parameter`:
+//!   A pair of two values `R` and `P`, controlling the number of committee seats alloted for
+//!   registered and permissioned candidates respectively, which means that a committee has R+P
+//!   seats overall. This parameter gives the Partner Chain the ability to bootstrap itself using
+//!   an initial pool of permissioned candidates running trusted nodes, and then gradually shift
+//!   to registered (trustless) candidates when proper decentralization is achieved
+//! - `randomness seed`:
+//!   All randomness when selecting the committee is seeded from data sourced from Cardano so that
+//!   it is tamper-proof and agreed upon by all nodes.
+//!
+//! The permissioned candidate list and the D-Parameter are controlled by the Partner Chain's
+//! governance authority and are crucial in ensuring the chain's security in initial phases of
+//! its existence
+//!
+//! # Observability parameters
+//!
+//! All input data used when selecting a committee of a Partner Chain is sourced from Cardano.
+//! To correctly identify it, each node needs access to the current values of:
+//! - `the registration validator address`, at which all registration UTXOs are located
+//! - `the D-Parameter minting policy`, whose tokens mark the UTXO containing D-Parameter value
+//! - `the permissioned candidate minting policy`, whose tokens mark the UTXO containing the
+//!   permissioned candidate list
+//!
+//! These values are stored in the pallet storage, ensuring that they're available for all nodes
+//! to use and agreed upon through the consensus mechanism, and can be updated using a governance
+//! level extrinsic [set_main_chain_scripts].
+//!
+//! # Usage
+//!
+//! ## Prerequisites
+//!
+//! This pallet's operation requires the appropriate inherent data provider and data source
+//! be present in the node. As this pallet is crucial for the operation of the chain itself,
+//! these must be present before at the chain start or before the pallet is migrated to, to
+//! avoid down time. See documentation of `sp_session_validator_management` for information
+//! on how to add the IDP to your node. A Db-Sync-based data source implementation is provided
+//! by the `partner_chains_db_sync_data_sources` crate.
+//!
+//! Aside from the node components, the pallet requires the Partner Chain smart contracts to
+//! have been initialized on Cardano and that at least one candidate - either a registered or
+//! permissioned one - exists. See `docs/user-guides/governance/governance.md` and
+//! `docs/user-guides/chain-builder.md` for more information about governance and how to set
+//! up the Partner Chain on Cardano.
+//!
+//! ## Adding into the runtime
+//!
+//! ### Defining key types
+//!
+//! As with a stock Substrate chain, a Partner Chain needs to define its session keys. What
+//! these keys are depends on the consensus mechanisms used by the chain. For a Partner Chain
+//! using Aura as its consensus with a Grandpa finality gadget, the session keys can be defined
+//! as following:
+//!
+//! ```rust, ignore
+//! sp_runtime::impl_opaque_keys! {
+//! 	#[derive(MaxEncodedLen, PartialOrd, Ord)]
+//! 	pub struct SessionKeys {
+//! 		pub aura: Aura
+//! 		pub grandpa: Grandpa,
+//! 	}
+//! }
+//! ```
+//!
+//! In addition to the session keys, the runtime needs to define an ECDSA key type to represent
+//! the `cross-chain key`:
+//! ```rust
+//! pub mod cross_chain_app {
+//!     use sp_runtime::KeyTypeId;
+//!     use sp_runtime::app_crypto::{ app_crypto, ecdsa };
+//!     pub const CROSS_CHAIN: KeyTypeId = KeyTypeId(*b"crch");
+//! 	app_crypto!(ecdsa, CROSS_CHAIN);
+//! }
+//! pub type CrossChainPublic = cross_chain_app::Public;
+//! ```
+//!
+//! This key serves as the identity of a Partner Chain user across all chains in the ecosystem.
+//!
+//! ### Adding the pallet
+//!
+//! The pallet should be added to the runtime _before_ `pallet_session`, but after the consensus
+//! pallets used by the chain:
+//!
+//! ```rust, ignore
 //! construct_runtime!(
 //! 	pub struct Runtime {
 //! 		System: frame_system,
+//! 		Timestamp: pallet_timestamp,
+//! 		Aura: pallet_aura,
+//! 		Grandpa: pallet_grandpa,
+//! 		Sidechain: pallet_sidechain,
 //! 		SessionCommitteeManagement: pallet_session_validator_management,
-//!         // ..other pallets
 //! 		Session: pallet_session exclude_parts { Call },
+//!         // ... other pallets
+//! 	}
+//! );
+//! ```
+//!
+//! *Important*:
+//! It is recommended that when `pallet_session` is wired into the runtime, its extrinsics are
+//! hidden, using `exclude_parts` like in the example above. This ensures that chain users can't
+//! manually register their keys in the pallet and so the registrations done on Cardano remain
+//! the sole source of truth about key ownership. Proper operation in presence of manually set
+//! user keys is not guaranteed by the toolkit and its behavior is left unspecified.
+//!
+//! ### Configuring the pallet
+//!
+//! Configuring the pallet is straightforward and mostly consists of passing to it types already
+//! defined by other crates and in previous steps:
+//!
+//! ```rust, ignore
+//! impl pallet_session_validator_management::Config for Runtime {
+//! 	type MaxValidators = MaxValidators;
+//! 	type AuthorityId = CrossChainPublic;
+//! 	type AuthorityKeys = SessionKeys;
+//! 	type AuthoritySelectionInputs = authority_selection_inherents::AuthoritySelectionInputs;
+//! 	type ScEpochNumber = sidechain_domain::ScEpochNumber;
+//! 	type WeightInfo = pallet_session_validator_management::weights::SubstrateWeight<Runtime>;
+//! 	type CommitteeMember = authority_selection_inherents::CommitteeMember<CrossChainPublic, SessionKeys>;
+//! 	type MainChainScriptsOrigin = EnsureRoot<Self::AccountId>;
+//!
+//! 	fn select_authorities(
+//! 		input: AuthoritySelectionInputs,
+//! 		sidechain_epoch: ScEpochNumber,
+//! 	) -> Option<BoundedVec<Self::CommitteeMember, Self::MaxValidators>> {
+//! 		authority_selection_inherents::select_authorities::<CrossChainPublic, SessionKeys, MaxValidators>(
+//! 			Sidechain::genesis_utxo(),
+//! 			input,
+//! 			sidechain_epoch,
+//! 		)
+//! 	}
+//!
+//! 	fn current_epoch_number() -> ScEpochNumber {
+//! 		Sidechain::current_epoch_number()
+//! 	}
+//! }
+//! ```
+//!
+//! One value that needs to be decided upon by the chain builder is `MaxValidators` which dictates
+//! the maximum size of a committee. This value should be higher than the P + R of the D-Parameter
+//! used and should be adjusted accordingly before any D-Parameter changes that would exceed the
+//! previous value. In case a committee selected is bigger than `MaxValidators`, it will be truncated,
+//! potentially leading to a skewed seat allocation and threatening the security of the consensus.
+//!
+//! ## Genesis configuration
+//!
+//! Genesis config can be created programmatically:
+//!
+//! ```rust,ignore
+//! GenesisConfig {
+//! 	initial_authorities: vec![
+//!        CommitteeMember::permissioned(cross_chain_pubkey_1, session_keys_1),
+//!     ],
+//! 	main_chain_scripts: MainChainScripts::read_from_env()?,
+//! }
+//! ```
+//!
+//! However, it is more typical for production chains to define their specs using Json. In that case
+//! an example configuration could look like this:
+//!
+//! ```json
+//! {
+//!   "initialAuthorities": [
+//!     {
+//!       "Permissioned": {
+//!         "id": "KW39r9CJjAVzmkf9zQ4YDb2hqfAVGdRqn53eRqyruqpxAP5YL",
+//!         "keys": {
+//!           "aura": "5GrwvaEF5zXb26Fz9rcQpDWS57CtERHpNehXCPcNoHGKutQY",
+//!           "grandpa": "5FA9nQDVg267DEd8m1ZypXLBnvN7SFxYwV7ndqSYGiN9TTpu"
+//!         }
+//!       }
 //!     }
-//! };
+//!   ],
+//!   "mainChainScripts": {
+//!     "committee_candidate_address": "addr_test1wrp8p2c5h7encl55gv26d5fpz9r99jxjcm0rxgny3993dxs2xy42p",
+//!     "d_parameter_policy_id": "0x434dc797fd036b0b654c005551ec08f39d25fa7f0eecdf4b170d46cf",
+//!     "permissioned_candidates_policy_id": "0xe1ce5d1b8b3e93a7493ecc11556790f915aabbc44a56b0b5145770b2"
+//!   }
+//! }
 //! ```
-//! This ensures that chain users can't manually register their keys in the pallet and so the
-//! registrations done on Cardano remain the sole source of truth about key ownership.
+//!
+//! *Important*:
+//! Notice, that since the pallet's operation is necessary for block production, all main chain script
+//! values and at least one initial authority (block producer) must be provided by the genesis config.
+//!
+//!
+//! ## Updating pallet configuration
+//!
+//! ### MaxValidators
+//!
+//! The maximum number of committee seats. As this value is not typically expected to change, it is
+//! configured as part of the pallet's [Config]. This means that it can only be updated as part of a
+//! runtime upgrade. The chain builder should release a new runtime version with this value updated
+//! and the Partner Chain's governance mechanism should be used to apply it using [set_code].
+//!
+//! ### Main chain scripts
+//!
+//! The main chain scripts can change over time as the Partner Chain migrates to new versions of the
+//! Partner Chain smart contracts, either due to bug fixes or new features being released. This is
+//! necessary, because the script addresses are derived by hashing their Plutus code and are affected
+//! by any change made to it.
+//!
+//! The scripts are updated by invoking the [set_main_chain_scripts] extrinsic using the Partner Chain's
+//! governance mechanism.
+//!
+//! *Important*: Setting incorrect main chain script values will result in stalling block production
+//!              indefinitely, requiring a network-wide roll-back. As such, main chain scripts update
+//!              should be carried out with special care.
+//!
+//! [SessionManager]: pallet_session::SessionManager
+//! [set_code]: frame_system::Pallet::set_code
 
 #![cfg_attr(not(feature = "std"), no_std)]
 #![allow(clippy::type_complexity)]
@@ -223,11 +449,6 @@ pub mod pallet {
 	#[pallet::hooks]
 	impl<T: Config> Hooks<BlockNumberFor<T>> for Pallet<T> {
 		// Only reason for this hook is to set the genesis committee as the committee for first block's epoch.
-		// If it wouldn't be set, the should_end_session() function would return true at the 2nd block,
-		// thus denying handover phase to genesis committee, which would break the chain. With this hook,
-		// should_end_session() returns true at 1st block and changes committee to the same one, thus allowing
-		// handover phase to happen. After having proper chain initialization procedure this probably won't be needed anymore.
-		// Note: If chain is started during handover phase, it will wait until new epoch to produce the first block.
 		fn on_initialize(block_nr: BlockNumberFor<T>) -> Weight {
 			if block_nr.is_one() {
 				CurrentCommittee::<T>::mutate(|committee| {
@@ -270,7 +491,6 @@ pub mod pallet {
 			}
 		}
 
-		// TODO make this call run by every full node, so it can be relied upon for ensuring that the block is correct
 		fn check_inherent(call: &Self::Call, data: &InherentData) -> Result<(), Self::Error> {
 			let (validators_param, for_epoch_number_param, call_selection_inputs_hash) = match call
 			{

toolkit/committee-selection/primitives/src/lib.rs

@@ -1,4 +1,7 @@
-//! Primitives for `committee-selection`.
+//! # Primitives for Partner Chain committee selection.
+//!
+//! This crate implements shared types and traits used to implement Partner Chain committee rotation.
+
 #![cfg_attr(not(feature = "std"), no_std)]
 #![deny(missing_docs)]