docs: describe the on-device prepare-and-sign flow#358
Socket: No dependency changes detected in pull request. Learn more about Socket for GitHub.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2ffda58cb6
The five gas fields are zeroed and the paymaster fields (`paymaster`,
`paymasterData`, `paymasterVerificationGasLimit`, `paymasterPostOpGasLimit`)
are **absent** from the response, not present-with-zero values. Bedrock
detects absent fields via `Option<…>` in Rust and skips
Align no-paymaster response schema with V2 parser
This states that bundler-sponsored responses have zeroed gas and absent paymaster fields, but the SDK’s V2 parser (PmSponsorUserOperationResponse) currently requires paymasterVerificationGasLimit and paymasterPostOpGasLimit and tests expect them present (often as 0x0). If an endpoint is implemented from this doc, Bedrock will fail to deserialize the sponsorship response and transaction execution will stop with a JSON/RPC error.
- returns `-32602 "sponsorship declined"` with the structured payload above.

Bedrock never retries on transport errors or `-32603` (internal server
error) — those surface as errors to the user. The decline payload is the
only branch that triggers the self-sponsored retry.
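Review bot: `-32602` is the JSON-RPC 2.0 reserved code for "Invalid params", so the line `returns -32602 "sponsorship declined"` makes a server-side policy decision indistinguishable by code alone from a malformed request. Since the closing paragraph says the decline payload is the only branch that triggers the self-sponsored retry, the doc should state explicitly that the retry keys on the structured payload rather than on the code, and that a `-32602` arriving without that payload is surfaced to the user the same way as `-32603`; otherwise an integrator reading only the error code could retry on what is actually a client-side bug.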
Remove unsupported automatic decline-retry claim
The document says -32602 decline payloads trigger a self-sponsored retry, but current V2 execution does not implement that branch: RPC errors are surfaced as RpcResponseError and sign_and_execute_v2 returns immediately on pm_sponsorUserOperation failure. As written, this promises behavior Bedrock does not perform and can mislead integrators and auditors about failure handling.
Add docs/architecture/transactions/prepare_sign_tx.md — a public-facing description of how Bedrock turns a user intent into a signed ERC-4337 UserOperation, intended for external auditors of the wallet's self-custody guarantees.

Sections:

- Trust model: calldata is constructed locally; the user signs only payloads the device can independently verify.
- What this design replaces: a sequenceDiagram of the legacy prepare/send flow where the server encoded calldata and the device signed an opaque hash — the two trust gaps that motivated the redesign.
- High-level flow: build callData → wrap in Safe execTransaction → compute userOpHash → sponsor → sign → submit → poll.
- Sponsored path and decline → self-sponsored retry, each with a sequenceDiagram and the JSON-RPC wire shapes.
- Sponsorship decline payload contract: required token / paymasterAddress fields, optional advisory cost fields the wallet tolerates as absent.
- Per-step details and observable error categories.
- Versioning and compatibility: path-versioned endpoint, the non-breaking / breaking change distinction, and how Bedrock's FFI versioning decouples consumers from server version changes.

The file is intended to be kept up to date as the on-device flow evolves; it documents the wire contract, not internal infrastructure.
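The wire contract the PR describes (absent-vs-zero paymaster fields on the no-paymaster path, a `-32602` decline carrying a structured payload with required `token` / `paymasterAddress` and optional advisory cost fields, and the rule that only the decline branch leads to a self-sponsored retry) is the kind of thing an auditor wants to see as executable checks. The following is an added illustrative parser in Python, not Bedrock's code (Bedrock is Rust) and not the project's API. It assumes the decline payload travels in the JSON-RPC `error.data` member, uses the five ERC-4337 v0.7 gas field names, and invents the advisory field names `estimatedCost` and `estimatedCostUsd`, which the PR does not specify. All sample messages are constructed inline.

```python
"""Illustrative parser for a pm_sponsorUserOperation response (added example,
not Bedrock's code).  Assumptions: the decline payload rides in error.data;
advisory cost field names are invented for the example."""
import json
from dataclasses import dataclass
from typing import Optional

# ERC-4337 v0.7 gas fields, carried as 0x-prefixed hex strings on the wire.
GAS_FIELDS = ("callGasLimit", "verificationGasLimit", "preVerificationGas",
              "maxFeePerGas", "maxPriorityFeePerGas")
PAYMASTER_GAS_FIELDS = ("paymasterVerificationGasLimit", "paymasterPostOpGasLimit")
REQUIRED_DECLINE_FIELDS = ("token", "paymasterAddress")
# Assumed names: the PR only says these are optional and advisory.
ADVISORY_DECLINE_FIELDS = ("estimatedCost", "estimatedCostUsd")


class SponsorshipDeclined(Exception):
    """-32602 decline with a structured payload; args[0] is the parsed payload."""


class RpcError(Exception):
    """Any other JSON-RPC error (e.g. -32603); surfaced, never retried."""


@dataclass
class Sponsorship:
    gas: dict
    paymaster: Optional[dict]  # None on the no-paymaster (bundler-sponsored) path


def hex_to_int(value) -> int:
    if not isinstance(value, str) or not value.startswith("0x"):
        raise ValueError(f"expected 0x-prefixed hex string, got {value!r}")
    return int(value, 16)


def parse_decline(data: dict) -> dict:
    missing = [k for k in REQUIRED_DECLINE_FIELDS if k not in data]
    if missing:
        raise ValueError(f"decline payload missing required fields: {missing}")
    return {
        "token": data["token"],
        "paymasterAddress": data["paymasterAddress"],
        # Advisory fields are tolerated as absent: keep only what was sent.
        "advisory": {k: data[k] for k in ADVISORY_DECLINE_FIELDS if k in data},
    }


def parse_sponsor_response(raw: str) -> Sponsorship:
    msg = json.loads(raw)
    if "error" in msg:
        err = msg["error"]
        # Retry keys on the structured payload, not on the code alone.
        if err.get("code") == -32602 and isinstance(err.get("data"), dict):
            raise SponsorshipDeclined(parse_decline(err["data"]))
        raise RpcError(err.get("code"), err.get("message"))
    result = msg["result"]
    gas = {k: hex_to_int(result[k]) for k in GAS_FIELDS}
    if "paymaster" not in result:
        # No-paymaster path: absence means "no paymaster".  A present 0x0 for
        # the paymaster gas limits is tolerated; a non-zero value is a bug.
        for k in PAYMASTER_GAS_FIELDS:
            if k in result and hex_to_int(result[k]) != 0:
                raise ValueError(f"{k} is non-zero but no paymaster was given")
        return Sponsorship(gas, None)
    needed = ("paymasterData",) + PAYMASTER_GAS_FIELDS
    missing = [k for k in needed if k not in result]
    if missing:
        raise ValueError(f"paymaster present but fields missing: {missing}")
    paymaster = {
        "paymaster": result["paymaster"],
        "paymasterData": result["paymasterData"],
        **{k: hex_to_int(result[k]) for k in PAYMASTER_GAS_FIELDS},
    }
    return Sponsorship(gas, paymaster)


def next_step(raw: str) -> str:
    """Map one response to the branch the caller should take."""
    try:
        s = parse_sponsor_response(raw)
    except SponsorshipDeclined:
        return "retry_self_sponsored"
    except RpcError:
        return "surface_error"
    return "sign_paymaster_sponsored" if s.paymaster else "sign_no_paymaster"


# Constructed sample messages (not captured from any real service).
SPONSORED = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {
    "callGasLimit": "0x186a0", "verificationGasLimit": "0x30d40",
    "preVerificationGas": "0xc350", "maxFeePerGas": "0x3b9aca00",
    "maxPriorityFeePerGas": "0x3b9aca00",
    "paymaster": "0x" + "11" * 20, "paymasterData": "0xdeadbeef",
    "paymasterVerificationGasLimit": "0x7530", "paymasterPostOpGasLimit": "0x1388"}})
NO_PAYMASTER = json.dumps({"jsonrpc": "2.0", "id": 2,
                           "result": {k: "0x0" for k in GAS_FIELDS}})
DECLINED = json.dumps({"jsonrpc": "2.0", "id": 3, "error": {
    "code": -32602, "message": "sponsorship declined",
    "data": {"token": "0x" + "22" * 20, "paymasterAddress": "0x" + "33" * 20}}})
INTERNAL = json.dumps({"jsonrpc": "2.0", "id": 4, "error": {
    "code": -32603, "message": "internal server error"}})

if __name__ == "__main__":
    for raw in (SPONSORED, NO_PAYMASTER, DECLINED, INTERNAL):
        print(next_step(raw))
```

The no-paymaster branch deliberately accepts `paymasterVerificationGasLimit` / `paymasterPostOpGasLimit` when they arrive as `0x0`, which is the shape the Codex comment above says the current V2 parser expects, while still treating the documented absent-field form as valid; a doc that fixes the contract either way should make a parser like this reject the other form rather than silently accept both.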