Skip to content

[SO-275] Bridge M0+M1 Foundation: Messaging Contracts, Locker, Signer & Relayer#276

Open
ewitulsk wants to merge 15 commits into
stagingfrom
ewitulsk/sui-bridge
Open

[SO-275] Bridge M0+M1 Foundation: Messaging Contracts, Locker, Signer & Relayer#276
ewitulsk wants to merge 15 commits into
stagingfrom
ewitulsk/sui-bridge

Conversation

@ewitulsk

@ewitulsk ewitulsk commented Jul 2, 2026

Copy link
Copy Markdown
Owner

SO-275 · Epic SO-274

M0+M1 foundation of the cross-chain messaging layer + lock-and-mint bridge (HyperEVM ⇄ Sui testnets, per bridge-spec.md v0.2). Deployed to both testnets 2026-06-29.

  • Layer 1 — messaging: Sui Move Outbox/Inbox with hot-potato delivery (consume(&UID)), chain/group-key registries with rotation, envelope/message/chain_id codecs; Solidity/Foundry equivalents with callback delivery. Both sides agree on the canonical encoding + keccak256 digest and the (family << 27) | chain_id internal-id scheme.
  • Layer 2 — Locker: Sui Locker (escrow/mint, peers, decimals normalization) + Solidity TransferPayload codec.
  • Off-chain (Rust): bridge-types + bridge-signer crates; bridge-signer-service (1-of-1 signer, architected for k-of-n); bridge-relayer (Sui→EVM watcher + submitter).
  • Docs: bridge-spec.md, bridge_tickets/ (01–10 remaining-work breakdown), contract READMEs, DEPLOYMENTS.md.

Notes

  • .env (testnet deployer key), Move build/ artifacts, Foundry out//lib/, and .design-sync/.cache are all gitignored and excluded from the diff. Added a .gitignore to sui-locker/ mirroring the sibling sui/ package so its build/ isn't committed.
  • Also bundles unrelated frontend/.design-sync/ tooling that was sitting on this branch.
  • Remaining bridge work (RPC source verifier, domain separator, Nautilus enclave, Seal provisioning, threshold/DKG, lifecycle hardening) is tracked under epic SO-274 via bridge_tickets/.

🤖 Generated with Claude Code

… & relayer

Cross-chain messaging layer + lock-and-mint bridge between HyperEVM and Sui
testnets (bridge-spec.md v0.2), deployed to both testnets 2026-06-29.

- Layer 1 messaging: Sui Move Outbox/Inbox (hot-potato consume(&UID)),
  chain/group-key registries, envelope/message/chain_id codecs; Solidity/Foundry
  equivalents with callback delivery.
- Layer 2: Sui Locker (escrow/mint, peers, decimals normalization) + Solidity
  TransferPayload codec.
- Rust: bridge-types + bridge-signer crates; bridge-signer-service (1-of-1);
  bridge-relayer (Sui->EVM).
- Docs: bridge-spec.md, bridge_tickets/ (01-10 remaining work), contract READMEs,
  DEPLOYMENTS.md.
- Also includes unrelated frontend .design-sync tooling that was on the branch.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@vercel

vercel Bot commented Jul 2, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
sui-options Ready Ready Preview, Comment Jul 8, 2026 12:19am

Request Review

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ay, async signing + live M2 round trip

Completes the M1 gaps and M2 across Move / Solidity / Rust, deployed to Sui +
HyperEVM testnet with a live HyperEVM→Sui→HyperEVM round trip.

- Domain-separated digest (DOMAIN_SEP) in all three impls; both chains redeployed.
- RpcVerifier (§5.4): all-provider-quorum EVM/Sui commitment-at-finality probes;
  bounded eth_getLogs lookback window (public RPCs cap the block range).
- EVM Locker + WrappedToken (escrow/mint, NTT decimals scaling, rate-limit queue).
- Sui Locker rate-limit overflow queue + permissionless claim (parity with EVM).
- EVM→Sui relay: Move BCS from_bcs / Rust to_move_bcs, EvmSourceWatcher, generic
  type-derived SuiDestSubmitter, family router; tx-failed alert_id.
- Async signing API: POST /sign_requests + poll-by-hash, idempotent sessions,
  verify-before-admit, per-IP rate limit.
- Live: both group signatures verified on the real Inboxes; relayer binary Sui
  write path validated on testnet. Addresses in DEPLOYMENTS.md.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…oning, DKG, hardening)

Expand the M3/M4 tickets into concrete implementation plans — phased sub-tasks,
technical specifics (in-enclave TLS transport, per-node seal_approve binding,
FROST/GG20 selection criteria, governance/finality/audit), exit criteria, and the
findings from the live relayer run (bounded eth_getLogs lookback, public-RPC rate
limits, demo-key retirement, Sui is_delivered follow-up).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ging scaffold (ticket 07)

- .github/workflows/bridge-enclave.yml: build the enclave EIF on a free
  public-repo arm64 runner (ubuntu-24.04-arm), PCR0 drift gate, manual-only ECR
  deploy. Cleanly separated: own concurrency + name, path-filtered to the enclave
  crates only, own ECR repo, does not touch move-ci / _deploy.yml.
- rust-backend/bridge-enclave/: Dockerfile (signer app image, --locked), README,
  .dockerignore, PCR0 placeholder. Scaffold — the nautilus vsock/attestation
  wrapper and reproducible-build hardening are ticket-07 phases still TODO.
- Detail ticket 07: c7g.large (Graviton, 2-vCPU floor) sizing + why, isolated
  infra-bridge terraform root (avoids the main infra drift landmine), arm64 CI.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…hase 3)

sui-bridge-contracts/enclave/ (package bridge_enclave), adapted from nautilus
enclave.move (Apache-2.0); attestation verification is native in the Sui
framework (sui::nitro_attestation).

- enclave::enclave — EnclaveConfig<T> (governance Cap-gated PCRs + version),
  register_enclave -> per-node Enclave<T> holding the attested ephemeral pubkey,
  verify_signature for enclave-signed intents.
- enclave::signer — BRIDGE_SIGNER witness + init minting the governance Cap.
- Bridge additions: update_enclave_pk re-registers a fresh key into the SAME
  Enclave object (stable id, so the ticket-08 Seal share binding survives a
  restart, §6.4); owner-gated; register/update events (ticket-10 alerting);
  version-gated destroy_old_enclave.
- 7 Move tests for the registry/cap/owner/version logic. The attestation path
  (needs a real NitroAttestationDocument + hardware) is integration-only.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
… .mv files committed in a05139a)

The new enclave package lacked a .gitignore; add one matching the other Move
packages and untrack build/.
Capture the structural decisions from review discussion:
- vendor the nautilus subtree into this monorepo (pinned commit + FORK_DELTA.md),
  not a separate fork repo (keeps one PR/audit surface; signer is a workspace crate)
- clone-to-validate-then-vendor bring-up sequence (stock example on the box first)
- embed the signer as a lib via path dep, not 'move into the app slot'
- keep the enclave build a separate Cargo project (own Cargo.lock) for PCR
  reproducibility, not a main-workspace member

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…large Nitro host (ticket 07 Phase 5)

New Terraform root rust-backend/infra-bridge/ (own local state, separate from the
main infra root + its drift landmine). Reuses the main VPC/subnet by data lookup.

- aws_instance.enclave: c7g.large, AL2023 arm64, enclave_options enabled, IMDSv2,
  gp3 30GB; user_data installs nitro-cli + docker + allocator (1 vCPU / 1536 MiB),
  SSM-managed (no SSH). Host comes up enclave-ready (no EIF until Phase 1).
- ecr.enclave: standalone immutable repo (push target for bridge-enclave.yml),
  kept out of the main ecr.tf for_each drift.
- IAM role/profile (SSM + scoped ECR pull), SG (egress all; ingress 3000 opt-in).
- terraform fmt + init + validate all pass; apply needs AWS creds (user runs it).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
ewitulsk and others added 2 commits July 3, 2026 16:38
- make install (install-tools) installs both nitro-cli AND vsock-proxy;
  only nitro-cli was built, so install died on the missing binary
- nitro-cli itself compiles clean on the hosted arm64 runner (the Phase 2
  smoke-test question is answered)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- options-gh-actions-deploy's push perms are a hard allowlist of the
  options/* service repos; the enclave repo wasn't on it (push would 403)
- separate named inline policy from the isolated infra-bridge root, scoped
  to just options-bridge-signer-enclave; applied
- main root manages standalone aws_iam_role_policy resources, so no drift

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…efix)

- make install lands in ./build/install, not /usr/bin — nitro-cli was
  "command not found" after a successful install
- source the upstream env.sh (PATH + NITRO_CLI_BLOBS) in both steps that
  run nitro-cli

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- rpm/deb installs create the log dir; the from-source local-prefix
  install doesn't, and nitro-cli exits E19 when it can't open its log

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- main DEPLOY_ROLE_ARN's OIDC trust only covers refs/heads/{staging,main};
  dispatch from the bridge branch failed sts:AssumeRoleWithWebIdentity
- new options-bridge-gh-deploy role in the isolated root (trusts bridge
  branch + staging + main), carries the scoped ECR push policy — moved off
  options-gh-actions-deploy, which is back to its pre-existing state
- workflow now assumes vars.BRIDGE_DEPLOY_ROLE_ARN (repo var set); applied

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- BRIDGE_CONTEXT.md: full state of ticket 07 after the 2026-07-03 session —
  live Nitro host, working CI deploy, stock-nautilus validation PASSED with
  on-chain attestation verification (all object ids/txs/gotchas recorded)
- enclave Move.lock + Published.toml: bridge_enclave published to testnet at
  0xeda4ddd0…, validated via a real register_enclave against live hardware

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant