Skip to content

Draft CIP-XXX: CC Locking Module - Phase 2 Primitive#2

Draft
Ian-avro wants to merge 4 commits into
mainfrom
avro/cc-locking-module-phase2
Draft

Draft CIP-XXX: CC Locking Module - Phase 2 Primitive#2
Ian-avro wants to merge 4 commits into
mainfrom
avro/cc-locking-module-phase2

Conversation

@Ian-avro
Copy link
Copy Markdown

@Ian-avro Ian-avro commented May 22, 2026

Summary

Initial Standards Track draft of the on-chain CC locking primitive required to satisfy Phase 2 enforcement of CIP-0105 (SV Locking) and CIP-0116 (Featured App Locking), plus the atomic form of the Lock Substitution provision from the SV Locking Operational Guidelines.

  • Specifies what the network must compute / enforce / expose to support continuous, on-chain tier evaluation; thresholds and reward formulas stay in the Tokenomics CIPs.
  • Covers the two-state token model, ActiveLockContext / VestingLockContext lifecycle, beneficiary attribution, alternative authorization sets for unlock / withdraw / substitution, atomic Lock Substitution (replacing the Phase 1 24-hour add-then-swap window), and the event surface needed for indexers, dashboards, and underlock / restoration enforcement.
  • Path A (Amulet root state) and Path D (sibling template) from the working-group requirements doc are summarized in section 6.5 as illustrative implementations of section 4; the final path selection is deferred to Splice contributor engineers and remains open to further engineering input.
  • Open discussion points from the working group (atomic-withdraw-in-substitute, indexer load, Foundation tooling cadence, beneficiary-type storage, rewards split, traffic/metadata) are carried forward in section 10.

Authors: Luke Farrell (Cashen), Ian Hensel (Avro) w/ Community Working Group. CIP number is a placeholder; CIP editors assign the real number at acceptance.

Test plan

  • Working-group review of section 4 (requirements) for fidelity with Section A of the requirements doc
  • Splice engineering review of section 6.5 candidate paths and section 8 reference-implementation requirements
  • Confirm references and inter-CIP links resolve once a real CIP number is assigned
  • Add Discussions-To header once the cip-discuss thread is opened

@Ian-avro
Draft CIP-XXX: CC Locking Module - Phase 2 Primitive
e50dd4d 
Initial Standards Track draft of the on-chain CC locking primitive
required to satisfy Phase 2 enforcement of CIP-0105 and CIP-0116, and
the Lock Substitution provision of the SV Locking Operational
Guidelines.

Specifies the network primitive's compute / enforce / expose
requirements: two-state token model, ActiveLockContext /
VestingLockContext lifecycle, beneficiary attribution and aggregation,
alternative authorization sets for unlock / withdraw / substitution,
atomic Lock Substitution (replacing the Phase 1 24-hour add-then-swap
window), and the event surface for indexers, dashboards, and
underlock / restoration enforcement.

Summarizes Path A (Amulet root state) and Path D (sibling template)
from the working-group requirements document as illustrative
implementation paths; final path selection is deferred to Splice
contributor engineers and remains open to further engineering input.

Authors: Luke Farrell (Cashen), Ian Hensel (Avro) w/ Community
Working Group.
@cashenLuke
Copy link
Copy Markdown

cashenLuke commented May 26, 2026

I did a review of Test plan bullet 1.
Coverage is complete, no missing requirements. Every requirement A.1.1 through A.6.3 in the requirements doc maps cleanly to a corresponding requirement in CIP Section 4

Ian-avro
Ian-avro commented May 26, 2026
View reviewed changes
Comment thread cip-XXX-CC-Locking-Module/cip-XXX-CC-Locking-Module.md
Ian-avro
Ian-avro commented May 26, 2026
View reviewed changes
Comment thread cip-XXX-CC-Locking-Module/cip-XXX-CC-Locking-Module.md
- **Lock creation is unilateral (§4.4.5).** A holder can create an `ActiveLockContext` against any beneficiary they choose, contributing to that beneficiary's aggregate. Beneficiaries that do not wish to receive locks from arbitrary holders should consider this when defining substitution and withdraw authorization arrangements with counterparties (the operational, not protocol, layer).
- **Underlock event timing (§4.5.3).** The event fires at the round in which the threshold is crossed. Foundation tooling that triggers penalties at the round level needs to accept this cadence; tooling that batches events on a slower cadence may delay enforcement actions defined in CIP-0105 §6.

## 10. Open discussion points
Copy link
Copy Markdown
Author

@Ian-avro Ian-avro May 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 - implementation specific
2 - Leave to tech choice, implementation question
3 - can strike
4 - leave too tech choice
5 - state, assert that rewards can be emitted in locked state.
6 - leave too tech choice

Ian-avro
Ian-avro commented May 26, 2026
View reviewed changes
Comment thread cip-XXX-CC-Locking-Module/cip-XXX-CC-Locking-Module.md Outdated

The shape of the token-layer state is the point of divergence between the candidate paths (see §6).

### 4.8 Reward attribution (work in progress)
Copy link
Copy Markdown
Author

@Ian-avro Ian-avro May 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

per Wayne

Include ability to allocate earned coupons to multiple beneficiaries and also to allocate minting actions into locked and liquid states

I need to verify the language here, remove the WIP status

Ian-avro added 3 commits May 26, 2026 09:55
@Ian-avro
Address Luke's review: S3 source docs, 4.3.2 wording, 6.5 ref
ea1fcf3 
- Move Source documents out of section 3 (already covered by section 11
  References); add a one-line pointer instead.
- Rework section 4.3.2 to state that beneficiary-type storage is left
  to the implementation, rather than flagging it as an open
  working-group question with a section 10 cross-reference.
- Update section 6.5 cross-reference to the requirements doc from
  section 3 to section 11.
@Ian-avro
Drop section 10 item on beneficiary-type storage
ea29f54 
Now that section 4.3.2 frames beneficiary-type storage as
implementation discretion, the matching entry in section 10 (open
discussion points) is redundant. Remove it and renumber the remaining
items.
@Ian-avro
Drop WIP from section 4.8 and assert reward-allocation behaviors
cedae90 
The underlying reward-allocation logic already exists in Canton Coin's
minting and distribution machinery. Section 4.8 now states what the
primitive supports rather than flagging open questions:

  - Allocation across multiple beneficiaries (split policy at the
    application layer; primitive surfaces attribution data).
  - Allocation of minting actions into Locked and Liquid states in
    configured proportions.
@vaziliaz
Copy link
Copy Markdown

vaziliaz commented May 26, 2026

Thanks @Ian-avro, @waynecollier-da, @ericmann, @ali-abrar, @cardenaso11, @cashenLuke and everyone who pushed this forward. Helix supports the direction of the draft and the post-call updates to Section 4.8.

Two points I would like to make explicit before this moves from draft PR to CIP Discuss / formal CIP PR:

  1. Attribution: please include Zandanbal Arslankhuyag / @vaziliaz, Helix Labs in the working-group / contributor credit. Helix's prior PR work in feat: CIP-0105 Phase 2 — Locking Declarations and Delegated Locking (Capabilities #1 + #4) canton-network/splice#4848 is part of the input set for this primitive, alongside Avro's feat: CIP-0105 Phase 2 — lock-derived SV weight evaluation (Capability #3) canton-network/splice#4898 and the working-group requirements document.

  2. Requirements / conformance: Helix is aligned with Obsidian owning implementation. Helix can contribute requirements validation and reference-consumer checks around A.4, A.6, and A.7:

  • canonical aggregate lifetime SV rewards denominator for tier evaluation;
  • observable reward / coupon attribution per beneficiary, including multi-beneficiary allocation;
  • observable locked/liquid reward mint routing, with amount, state, beneficiary, and round/time fields;
  • milestone or escrowed reward denominator timing;
  • historical aggregate lock and reward reads sufficient for dashboards and explorers.

Acceptance criterion: given the same lock contexts, reward/coupon stream, and round cutoff, independent dashboards should compute the same beneficiary attribution, locked/liquid split, lifetime-rewards denominator, and tier inputs without private spreadsheets or Foundation-only joins.

This keeps application/commercial deal logic above the primitive while making the network facts testable from public state.

@cashenLuke
Copy link
Copy Markdown

cashenLuke commented May 26, 2026

@vaziliaz seems your message here and my post to cip-discuss crossed paths - CIP-TBD has been posted and is live on forum.

  1. incorporated all primary contributors, so this is aligned.
  2. These are implementation details (who does what, along with existing PRs) , which are best to follow the CIP requirements vote + passage

Thank you everyone for your input to get a very strong collaborative document that should shorten the timeline to get
this into production

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Ian-avro @cashenLuke @vaziliaz