Direct-Spend Private-Lineage Transcript v1 (DSLTv1)¶
Status: frozen design output for TKT-P4-09B (#207), refining CEv1 (#206).
Purpose: freeze hidden transcript components and exact subcommit constructions for CEv1 slots:
- lineage_commit32
- state_commit32
- recovery_tx_binding_commit32
This is a binding design, not on-chain identity storage.
1) CEv1 refinement boundary¶
DSLTv1 is constrained by CEv1:
- envelope bytes/layout remain as frozen in CEv1 (#206)
- hash_policy_id=0x01 (HASH256)
- domain_policy_id=0x01 (fixed CEv1 domain tags)
DSLTv1 freezes hidden transcript width/encoding and preimage order for the three CEv1 subcommit slots.
2) Canonical transcript fields (width + encoding freeze)¶
| Field | Width | Encoding | Rule |
|---|---|---|---|
| lineage_id | 32 bytes | raw bytes32 | opaque lineage handle bytes; not plaintext identity text |
| lineage_blind | 32 bytes | raw bytes32 | secret blinding material |
| state_ref | 32 bytes | raw bytes32 | opaque state reference handle |
| recovery_handle | 32 bytes | raw bytes32 | recovery linkage handle |
| tx_binding_digest | 32 bytes | raw bytes32 | tx-context digest under CEv1 hash policy |
Reject rules:
- any field with non-32-byte width MUST reject
- hex helpers MUST reject malformed or non-even-width input
- UTF-8 string serialization is forbidden for transcript fields
3) Domain tags and preimage framing¶
DSLTv1 uses CEv1 domain tags:
- DSCE1:lineage_commit:v1
- DSCE1:state_commit:v1
- DSCE1:recovery_tx_binding_commit:v1
Preimage framing is strict:
domain_ascii || 0x00 || field_1 || field_2 || ...
Where:
- domain_ascii is the ASCII bytes of the tag exactly as listed above
- the separator byte 0x00 is mandatory exactly once after the domain bytes
- fields are fixed-width bytes32 in the frozen order
Hash function:
H32(x) = HASH256(x) (CEv1 hash_policy_id=0x01)
4) Exact subcommit constructions (CEv1 slots)¶
4.1 lineage_commit32¶
lineage_commit32 = H32("DSCE1:lineage_commit:v1" || 0x00 || lineage_id || lineage_blind)
Frozen field order:
- domain bytes
- 0x00
- lineage_id
- lineage_blind
4.2 state_commit32¶
state_commit32 = H32("DSCE1:state_commit:v1" || 0x00 || lineage_commit32 || state_ref || tx_binding_digest)
Frozen field order:
- domain bytes
- 0x00
- lineage_commit32
- state_ref
- tx_binding_digest
4.3 recovery_tx_binding_commit32¶
recovery_tx_binding_commit32 = H32("DSCE1:recovery_tx_binding_commit:v1" || 0x00 || lineage_commit32 || recovery_handle || tx_binding_digest)
Frozen field order:
- domain bytes
- 0x00
- lineage_commit32
- recovery_handle
- tx_binding_digest
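The width checks, hex helper rules, preimage framing and the three subcommit constructions of sections 2 to 4, as an added Python example (not the project's own code). It assumes HASH256 under hash_policy_id=0x01 is double SHA-256; the function and constant names are illustrative.

```python
import hashlib

# Added example, not the project's own code. Assumption: HASH256 under CEv1
# hash_policy_id=0x01 is modelled as double SHA-256; change h32() if CEv1
# defines it otherwise. Tags and framing follow DSLTv1 sections 3 and 4.
DOMAIN_LINEAGE = b"DSCE1:lineage_commit:v1"
DOMAIN_STATE = b"DSCE1:state_commit:v1"
DOMAIN_RECOVERY = b"DSCE1:recovery_tx_binding_commit:v1"
SEPARATOR = b"\x00"  # mandatory exactly once after the domain bytes

def h32(data: bytes) -> bytes:
    # H32(x) = HASH256(x); double SHA-256 is the assumption stated above
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def bytes32(field: bytes, name: str) -> bytes:
    # width freeze: a transcript field that is not exactly 32 raw bytes MUST reject
    if not isinstance(field, (bytes, bytearray)) or len(field) != 32:
        raise ValueError(f"{name}: expected 32 raw bytes, got {len(field)}")
    return bytes(field)

def hex32(text: str, name: str) -> bytes:
    # hex helper: reject odd width or non-hex characters, then enforce the width
    if len(text) % 2 or any(c not in "0123456789abcdefABCDEF" for c in text):
        raise ValueError(f"{name}: malformed hex input")
    return bytes32(bytes.fromhex(text), name)

def frame(domain: bytes, *fields: bytes) -> bytes:
    # strict framing: domain_ascii || 0x00 || field_1 || field_2 || ...
    return domain + SEPARATOR + b"".join(fields)

def lineage_commit32(lineage_id: bytes, lineage_blind: bytes) -> bytes:
    return h32(frame(DOMAIN_LINEAGE, bytes32(lineage_id, "lineage_id"),
                     bytes32(lineage_blind, "lineage_blind")))

def state_commit32(lineage_commit: bytes, state_ref: bytes, tx_digest: bytes) -> bytes:
    return h32(frame(DOMAIN_STATE, bytes32(lineage_commit, "lineage_commit32"),
                     bytes32(state_ref, "state_ref"),
                     bytes32(tx_digest, "tx_binding_digest")))

def recovery_tx_binding_commit32(lineage_commit: bytes, recovery_handle: bytes,
                                 tx_digest: bytes) -> bytes:
    return h32(frame(DOMAIN_RECOVERY, bytes32(lineage_commit, "lineage_commit32"),
                     bytes32(recovery_handle, "recovery_handle"),
                     bytes32(tx_digest, "tx_binding_digest")))
```

Because tx_binding_digest sits in both the state and recovery preimages, changing it alone changes both commitments, which is the detached-recovery check of section 6.4.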
5) Strict placement-refinement table¶
Placement values are:
- Required
- Forbidden
- Optional (profile-gated)
| Component | Wallet-local only | Encrypted payload only | Public commitment input | Duplicated by design | Notes |
|---|---|---|---|---|---|
| lineage_id | Required | Optional (profile-gated) | Required | No | optional payload duplication remains allowed but not required |
| lineage_blind | Required | Forbidden | Required | No | secret blinding input |
| state_ref | Required | Optional (profile-gated) | Required | No | optional payload duplication remains allowed but not required |
| recovery_handle | Required | Required | Required | Yes | dual placement is intentional for recovery continuity |
| tx_binding_digest | Required (derived locally) | Forbidden | Required | No | recomputable digest; payload copy is forbidden |
| lineage_commit32 | Forbidden | Forbidden | Required | No | CEv1 commitment slot |
| state_commit32 | Forbidden | Forbidden | Required | No | CEv1 commitment slot |
| recovery_tx_binding_commit32 | Forbidden | Forbidden | Required | No | CEv1 commitment slot |
Compatibility note:
- CEv1 allows optional payload copies for selected hidden components.
- DSLTv1 keeps those copies profile-gated and non-authoritative; commitment inputs remain the authority surface.
6) Transcript invariants¶
6.1 Stable across lineage continuation¶
- lineage_id remains stable across lineage continuation within the same private lineage authority domain.
- lineage_blind remains stable for a given lineage authority epoch in DSLTv1.
6.2 May rotate¶
- state_ref MAY rotate on each valid transition.
- recovery_handle MAY rotate at wallet policy boundaries (key rotation or recovery-policy update).
- tx_binding_digest SHOULD rotate per transaction context.
6.3 Recovery binding¶
recovery_tx_binding_commit32 MUST bind recovery_handle and tx_binding_digest under the same lineage anchor (lineage_commit32).
6.4 Transaction-semantics binding¶
tx_binding_digest MUST be present in both the state_commit32 and the recovery_tx_binding_commit32 preimages to prevent detached recovery semantics.
6.5 Migration survivability¶
The following must survive future locking-script / proofblob32 / protocol-state-cell evolution:
- lineage_commit32 as lineage authority anchor
- state_commit32 as state-authority bridge
- recovery_tx_binding_commit32 as tx-bound recovery continuity anchor
No future migration may reinterpret these as plaintext identity storage.
7) Merged-slot stress test: recovery_tx_binding_commit32¶
7.1 Why keep recovery and tx binding merged (now)¶
- Keeps CEv1 within the fixed 128-byte layout without reopening #206.
- Forces recovery semantics to stay transaction-bound, preventing detached recovery references.
- Simplifies review by having one recovery-facing commitment slot at this stage.
7.2 What is lost by separating them¶
- Would require either:
- reopening CEv1 layout allocation, or
- reducing existing control/reserved surfaces and increasing migration risk.
- Introduces immediate complexity in wallet/recovery semantics before migration mapping is complete.
7.3 What is gained by keeping them merged¶
- Strong atomic binding of recovery + tx semantics.
- Smaller near-term semantic surface for the #209 authority migration.
- Clear handoff to #208 for future split evaluation at the script/state-cell layer if needed.
7.4 Would later migration be cleaner with separate commitments?¶
Possibly, for some covenant/state-cell designs. But the DSLTv1 conclusion is:
- keep merged slot in CEv1 now
- defer any separation to the later migration layer design (#208), where locking-script/proofblob32/state-cell enforcement tradeoffs are fully mapped
Decision: merged recovery_tx_binding_commit32 remains justified for CEv1/DSLTv1.
8) Anti-repackaging guard¶
DSLTv1 MUST NOT merely rename or relocate the same public shell linkage under new commitment labels.
Concretely:
- no direct dependency on public category32 bytes as lineage identity preimage
- no textual/public-shell identifier copies in transcript fields
- no design that turns CE commitments into public identity aliases
If a candidate transcript design can be substituted with the same public-shell linkage and preserve behavior, it fails this guard.
9) #208 compact migration matrix (implementation handoff)¶
| Field/subcommit | Authoritative today? | Checked by wallet? | Checked by recovery? | Enforced later by covenant? | Enforced later by proofblob32/state cell? | Notes/blockers |
|---|---|---|---|---|---|---|
| lineage_commit32 | Yes | Yes | Indirectly (via candidate/payload validation flow) | Planned selector/binding role | Planned authoritative lineage anchor | Must remain independent from public category32 semantics |
| state_commit32 | Yes | Yes | Indirectly (consistency checks) | Planned transition-binding role | Planned authoritative state continuity anchor | Includes tx_binding_digest intentionally to prevent detached state semantics |
| recovery_tx_binding_commit32 | Yes | Yes (construction/validation surface) | Yes (recovery-handle + tx-bound linkage) | Candidate split/elevation point if later covenant policy needs separate checks | Candidate split/elevation point for later state-cell policy | Merged slot retained now; re-evaluate split only at later enforcement design layer |
| lineage_id (hidden component) | Via lineage_commit32 | Yes | Optional profile-gated payload visibility | No direct plaintext enforcement | No direct plaintext enforcement | Hidden input only; never authoritative as plaintext |
| lineage_blind (hidden component) | Via lineage_commit32 | Yes | No | No direct plaintext enforcement | No direct plaintext enforcement | Secret input; disclosure forbidden |
| state_ref (hidden component) | Via state_commit32 | Yes | Optional profile-gated payload visibility | Planned via commitment check path | Planned via state-cell continuity check path | Rotatable; commitment remains authority |
| recovery_handle (hidden component) | Via recovery_tx_binding_commit32 | Yes | Yes | Potential future covenant-visible selector input (commitment-bound) | Potential future state-cell/payload coherence anchor | Duplicated by design in payload + commitment input |
| tx_binding_digest (hidden component) | Via state_commit32 + recovery_tx_binding_commit32 | Yes | Yes (when validating tx-bound recovery semantics) | Planned tx-semantic binding hook | Planned tx-context consistency hook | Appears in both subcommits intentionally and remains required |
Current-vs-later enforcement boundary:
- Current phase authority: commitment model (lineage_commit32, state_commit32, recovery_tx_binding_commit32) with wallet/recovery semantic checks.
- Later enforcement path: elevate selected checks into covenant and proofblob32/state-cell layers without resetting lineage semantics.
- Implementation blocker for #209: none at the semantic-boundary level; proceed with the authority migration refactor using this matrix as the contract.