Skip to content

Enforce issuer authorized share ceiling#243

Closed
HardlyDifficult wants to merge 14 commits into
codex/ocf-reference-integrityfrom
codex/ocf-issuer-aggregate-share-ceiling
Closed

Enforce issuer authorized share ceiling#243
HardlyDifficult wants to merge 14 commits into
codex/ocf-reference-integrityfrom
codex/ocf-issuer-aggregate-share-ceiling

Conversation

@HardlyDifficult

@HardlyDifficult HardlyDifficult commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

Stacked on #241.

This adds a final-state cap-table invariant: when the issuer has a finite authorized-share limit, the sum of effective stock-class authorized shares cannot exceed it.

The effective issuer limit is:

  • latest IssuerAuthorizedSharesAdjustment.new_shares_authorized, when present;
  • otherwise Issuer.initial_shares_authorized, when finite;
  • otherwise uncapped when issuer authorization is missing or unlimited.

The effective stock-class total is the sum of each stock class's current authorization, using the latest StockClassAuthorizedSharesAdjustment.new_shares_authorized when present, otherwise StockClass.initial_shares_authorized. If any stock class is unlimited, a finite issuer cap rejects the final cap table.

The check runs once after deletes, edits, issuer edit, and creates have all been processed, so a single batch can correct the issuer max and add/raise stock-class authorization together while still rejecting invalid final state.

OCF documentation

Tests

Added TestIssuerAuthorizedShares coverage for:

  • stock-class create exceeding issuer initial authorization;
  • same-batch issuer authorization increase plus stock-class creation;
  • issuer authorization adjustment dropping below existing stock-class authorization;
  • issuer edit dropping below existing stock-class authorization;
  • stock-class authorization adjustment exceeding issuer authorization;
  • deleting an issuer authorization adjustment that would invalidate stock classes;
  • finite issuer rejecting an unlimited stock class.

Also updated the default test issuer authorization to a valid high ceiling and made the existing unlimited-stock-class issuance test explicitly use an uncapped issuer.

Validation

  • NODE_PATH=/Users/fairnick/Documents/code/fairmint/open-captable-protocol-daml/node_modules PATH="/Users/fairnick/Documents/code/fairmint/open-captable-protocol-daml/node_modules/.bin:$HOME/.dpm/bin:$PATH" npm run build
  • From Test/: JAVA_HOME=/opt/homebrew/opt/openjdk@17 PATH="/opt/homebrew/opt/openjdk@17/bin:$HOME/.dpm/bin:$PATH" dpm test --show-coverage --color --coverage-ignore-choice 'splice-amulet:.*'

Note

Medium Risk
Changes cap-table mutation rules for authorized shares across issuer edits, adjustments, and stock classes; incorrect logic could block valid updates or allow invalid totals, but behavior is covered by new Daml script tests.

Overview
When the issuer has a finite authorized-share limit, UpdateCapTable now rejects the final cap table if the sum of each stock class’s effective authorization exceeds that limit. Effective issuer cap uses the latest IssuerAuthorizedSharesAdjustment when present, otherwise finite Issuer.initial_shares_authorized; missing or unlimited issuer authorization stays uncapped. Stock-class totals use each class’s latest adjustment or initial authorization, and any unlimited class fails against a finite issuer cap.

The check runs once at the end of a batch (after deletes, edits, issuer edit, and creates), so a single update can raise the issuer ceiling and add or increase classes in the same transaction while still blocking invalid end state.

OpenCapTable-v34 is bumped to 0.0.4 with updated DAR artifacts. Tests add TestIssuerAuthorizedShares for create/edit/adjustment/delete edge cases; default setup uses a high issuer ceiling and defaultIssuerWithAuthorizedShares for targeted limits. The unlimited stock-class issuance test explicitly sets an uncapped issuer.

Reviewed by Cursor Bugbot for commit 84cce5c. Bugbot is set up for automated code reviews on this repo. Configure here.

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 55 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b858afad-4f81-417f-a5d7-1955a2c23369

📥 Commits

Reviewing files that changed from the base of the PR and between 4e07ce3 and 84cce5c.

⛔ Files ignored due to path filters (1)
  • dars/dars.lock is excluded by !**/*.lock
📒 Files selected for processing (9)
  • OpenCapTable-v34/daml.yaml
  • Test/daml.yaml
  • Test/daml/OpenCapTable/Setup.daml
  • Test/daml/OpenCapTable/TestHelpers.daml
  • Test/daml/OpenCapTable/TestIssuerAuthorizedShares.daml
  • Test/daml/OpenCapTable/TestStockClassAuthorizedShares.daml
  • dars/OpenCapTable-v34/0.0.2/OpenCapTable-v34.dar
  • dars/OpenCapTable-v34/0.0.4/OpenCapTable-v34.dar
  • scripts/codegen/templates/CapTable.daml.template
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/ocf-issuer-aggregate-share-ceiling

Comment @coderabbitai help to get the list of available commands.

@HardlyDifficult HardlyDifficult marked this pull request as ready for review July 8, 2026 23:48
@HardlyDifficult HardlyDifficult requested a review from Copilot July 8, 2026 23:48

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a final-state cap-table invariant ensuring that when an issuer has a finite authorized-share ceiling, the sum of effective stock-class authorized shares cannot exceed it (and any unlimited stock class is rejected under a finite issuer cap). This integrates into the UpdateCapTable batch flow so the invariant is evaluated once after deletes/edits/issuer edit/creates have all been applied.

Changes:

  • Implement issuer-vs-stock-class authorized share ceiling validation in the generated CapTable logic (final-state check in UpdateCapTable).
  • Add a dedicated TestIssuerAuthorizedShares test module covering issuer/stock-class authorization interactions and edge cases (including unlimited stock classes under finite issuer caps).
  • Adjust test fixtures to use a higher default issuer authorization and make the “unlimited stock class issuance” test explicitly use an uncapped issuer.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
Test/daml/OpenCapTable/TestStockClassAuthorizedShares.daml Makes the unlimited-stock-class issuance test explicitly operate under an uncapped issuer by editing issuer authorization to None.
Test/daml/OpenCapTable/TestIssuerAuthorizedShares.daml Adds new test coverage for issuer authorized-share ceiling enforcement across creates/edits/deletes/adjustments.
Test/daml/OpenCapTable/TestHelpers.daml Introduces defaultIssuerWithAuthorizedShares to reduce issuer-edit boilerplate in tests.
Test/daml/OpenCapTable/Setup.daml Raises the default test issuer authorization ceiling to avoid unrelated failures from the new invariant.
scripts/codegen/templates/CapTable.daml.template Adds issuer authorized-share limit computation, stock-class authorization total computation, and final-state invariant validation in UpdateCapTable.
dars/OpenCapTable-v34/0.0.2/OpenCapTable-v34.dar Updates the compiled DAR artifact to include the new invariant and related changes.
dars/dars.lock Updates locked DAR hash/size metadata to match the regenerated artifact.

Comment on lines +244 to +247
(\totalOpt stockClassCid -> do
stockClass <- fetch stockClassCid
stockClassLimitOpt <- currentStockClassAuthorizedLimit maps stockClass.stock_class_data.id None None None
pure (addOptionalAuthorizedShares totalOpt stockClassLimitOpt))

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 14f3e5b5c6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

validateIssuerAuthorizedShares : CapTableMaps -> ContractId Issuer -> Update ()
validateIssuerAuthorizedShares maps issuerCid = do
issuerLimitOpt <- currentIssuerAuthorizedLimit maps issuerCid
stockClassTotalOpt <- currentStockClassAuthorizedTotal maps

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Short-circuit uncapped issuer validation

When the issuer has no finite cap (None/enum initial shares and no issuer adjustment), this still fetches every stock class and, for each one, scans all stock-class authorization adjustments before the None -> pure () branch returns. On large uncapped cap tables, unrelated updates pay O(stock classes × adjustments) ledger reads and can hit transaction limits even though there is no issuer ceiling to enforce; compute currentStockClassAuthorizedTotal only inside the Some issuerLimit branch.

Useful? React with 👍 / 👎.

foldlA
(\totalOpt stockClassCid -> do
stockClass <- fetch stockClassCid
stockClassLimitOpt <- currentStockClassAuthorizedLimit maps stockClass.stock_class_data.id None None None

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Avoid rescanning adjustments per stock class

When the issuer has a finite cap, every UpdateCapTable folds over all stock classes and this call scans all stock-class authorization adjustments again for each class. A cap table with N stock classes and M authorization adjustments therefore performs O(N×M) contract fetches even for an unrelated update, which can make otherwise valid transactions exceed ledger limits; build the latest adjustment per class in one pass and sum from that index instead.

Useful? React with 👍 / 👎.

Comment on lines +262 to +263
None ->
assertMsg "Issuer authorized shares exceeded: stock class authorization is unlimited but issuer authorization is finite" False

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Don't reject NOT_APPLICABLE as unlimited

For a finite issuer, this branch rejects any stock class whose effective authorization is None, but authorizedSharesLimit returns None for both OcfAuthorizedSharesUnlimited and OcfAuthorizedSharesNotApplicable. That means a valid OCF stock class using NOT_APPLICABLE is treated as if it authorizes unlimited shares and blocks all future updates under a finite issuer cap; distinguish the enum variants so only UNLIMITED triggers this failure.

Useful? React with 👍 / 👎.

@HardlyDifficult HardlyDifficult changed the base branch from codex/ocf-issuer-adjustment-reference-integrity to codex/ocf-reference-integrity July 9, 2026 00:22
@HardlyDifficult

Copy link
Copy Markdown
Collaborator Author

Retargeted this non-reference aggregate-ceiling PR onto #251 so it stays stacked above the consolidated reference-integrity branch after the old reference-check stack was closed.

@HardlyDifficult

Copy link
Copy Markdown
Collaborator Author

Superseded by the combined authorized-share ceiling PR: #238.\n\nI folded this issuer aggregate ceiling work into #238 because both PRs enforce the same OCF authorized-share ceiling requirement. While consolidating, I also incorporated the review feedback from this PR: issuer validation now short-circuits when uncapped, stock-class authorized adjustments are indexed once for aggregate validation, already-fetched stock-class data is reused through the final-state path, and NOT_APPLICABLE is distinguished from UNLIMITED under a finite issuer cap. The combined PR includes the issuer-level tests from this PR plus an explicit NOT_APPLICABLE regression test.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants