Merge pull request #7540 from PeterChen13579/mergeDevelop

Merge latest develop into Confidential MPT

.clang-tidy

@@ -153,8 +153,8 @@ Checks: "-*,
   readability-use-std-min-max
   "
 # ---
-# readability-inconsistent-declaration-parameter-name, # in this codebase this check will break a lot of arg names
-# readability-static-accessed-through-instance,        # this check is probably unnecessary. it makes the code less readable
+# readability-inconsistent-declaration-parameter-name, # In this codebase this check will break a lot of arg names
+# readability-static-accessed-through-instance,        # this check is probably unnecessary. It makes the code less readable
 # ---
 
 CheckOptions:

.gersemi/definitions.cmake

@@ -11,9 +11,6 @@ endfunction()
 function(create_symbolic_link target link)
 endfunction()
 
-function(xrpl_add_test name)
-endfunction()
-
 macro(exclude_from_default target_)
 endmacro()
 

.github/actions/build-deps/action.yml

@@ -35,9 +35,8 @@ runs:
         LOG_VERBOSITY: ${{ inputs.log_verbosity }}
         SANITIZERS: ${{ inputs.sanitizers }}
       run: |
-        echo 'Installing dependencies.'
         conan install \
-            --profile ci \
+            --profile:all ci \
             --build="${BUILD_OPTION}" \
             --options:host='&:tests=True' \
             --options:host='&:xrpld=True' \

.github/actions/set-compiler-env/action.yml

@@ -0,0 +1,34 @@
+name: Set compiler environment
+description: "Set CC and CXX environment variables for the given compiler."
+
+inputs:
+  compiler:
+    description: 'The compiler to use ("gcc" or "clang").'
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Set CC and CXX for gcc
+      if: ${{ inputs.compiler == 'gcc' }}
+      shell: bash
+      run: |
+        echo "CC=gcc" >>"${GITHUB_ENV}"
+        echo "CXX=g++" >>"${GITHUB_ENV}"
+
+    - name: Set CC and CXX for clang
+      if: ${{ inputs.compiler == 'clang' }}
+      shell: bash
+      run: |
+        echo "CC=clang" >>"${GITHUB_ENV}"
+        echo "CXX=clang++" >>"${GITHUB_ENV}"
+
+    - name: Fail on unknown compiler
+      if: ${{ inputs.compiler != 'gcc' && inputs.compiler != 'clang' }}
+      shell: bash
+      env:
+        COMPILER: ${{ inputs.compiler }}
+      run: |
+        echo "Unknown compiler: $COMPILER" >&2
+        exit 1

.github/actions/setup-conan/action.yml

@@ -15,32 +15,35 @@ runs:
   using: composite
 
   steps:
-    - name: Set up Conan configuration
+    - name: Apply custom configuration to global.conf
       shell: bash
       run: |
-        echo 'Installing configuration.'
         cat conan/global.conf ${{ runner.os == 'Linux' && '>>' || '>' }} $(conan config home)/global.conf
 
-        echo 'Conan configuration:'
-        conan config show '*'
-
-    - name: Set up Conan profile
+    - name: Show global configuration
+      shell: bash
+      run: |
+        conan config show '*'
+
+    - name: Install profiles
       shell: bash
       run: |
-        echo 'Installing profile.'
         conan config install conan/profiles/ -tf $(conan config home)/profiles/
 
-        echo 'Conan profile:'
+    - name: Show CI profile
+      shell: bash
+      run: |
         conan profile show --profile ci
 
-    - name: Set up Conan remote
+    - name: Add a remote
       shell: bash
       env:
         REMOTE_NAME: ${{ inputs.remote_name }}
         REMOTE_URL: ${{ inputs.remote_url }}
       run: |
-        echo "Adding Conan remote '${REMOTE_NAME}' at '${REMOTE_URL}'."
         conan remote add --index 0 --force "${REMOTE_NAME}" "${REMOTE_URL}"
 
-        echo 'Listing Conan remotes.'
+    - name: List remotes
+      shell: bash
+      run: |
         conan remote list

.github/dependabot.yml

@@ -1,40 +1,12 @@
 version: 2
 updates:
   - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: weekly
-      day: monday
-      time: "04:00"
-      timezone: Etc/GMT
-    commit-message:
-      prefix: "ci: [DEPENDABOT] "
-    target-branch: develop
-
-  - package-ecosystem: github-actions
-    directory: .github/actions/build-deps/
-    schedule:
-      interval: weekly
-      day: monday
-      time: "04:00"
-      timezone: Etc/GMT
-    commit-message:
-      prefix: "ci: [DEPENDABOT] "
-    target-branch: develop
-
-  - package-ecosystem: github-actions
-    directory: .github/actions/generate-version/
-    schedule:
-      interval: weekly
-      day: monday
-      time: "04:00"
-      timezone: Etc/GMT
-    commit-message:
-      prefix: "ci: [DEPENDABOT] "
-    target-branch: develop
-
-  - package-ecosystem: github-actions
-    directory: .github/actions/setup-conan/
+    directories:
+      - /
+      - .github/actions/build-deps/
+      - .github/actions/generate-version/
+      - .github/actions/set-compiler-env/
+      - .github/actions/setup-conan/
     schedule:
       interval: weekly
       day: monday

.github/scripts/levelization/results/ordering.txt

@@ -1,6 +1,8 @@
 libxrpl.basics > xrpl.basics
 libxrpl.conditions > xrpl.basics
 libxrpl.conditions > xrpl.conditions
+libxrpl.config > xrpl.basics
+libxrpl.config > xrpl.config
 libxrpl.core > xrpl.basics
 libxrpl.core > xrpl.core
 libxrpl.core > xrpl.json
@@ -17,6 +19,7 @@ libxrpl.ledger > xrpl.shamap
 libxrpl.net > xrpl.basics
 libxrpl.net > xrpl.net
 libxrpl.nodestore > xrpl.basics
+libxrpl.nodestore > xrpl.config
 libxrpl.nodestore > xrpl.json
 libxrpl.nodestore > xrpl.nodestore
 libxrpl.nodestore > xrpl.protocol
@@ -24,6 +27,7 @@ libxrpl.protocol > xrpl.basics
 libxrpl.protocol > xrpl.json
 libxrpl.protocol > xrpl.protocol
 libxrpl.rdb > xrpl.basics
+libxrpl.rdb > xrpl.config
 libxrpl.rdb > xrpl.core
 libxrpl.rdb > xrpl.rdb
 libxrpl.resource > xrpl.basics
@@ -31,6 +35,7 @@ libxrpl.resource > xrpl.json
 libxrpl.resource > xrpl.protocol
 libxrpl.resource > xrpl.resource
 libxrpl.server > xrpl.basics
+libxrpl.server > xrpl.config
 libxrpl.server > xrpl.core
 libxrpl.server > xrpl.json
 libxrpl.server > xrpl.protocol
@@ -52,6 +57,7 @@ libxrpl.tx > xrpl.tx
 test.app > test.jtx
 test.app > test.unit_test
 test.app > xrpl.basics
+test.app > xrpl.config
 test.app > xrpl.core
 test.app > xrpld.app
 test.app > xrpld.consensus
@@ -90,6 +96,7 @@ test.consensus > xrpl.tx
 test.core > test.jtx
 test.core > test.unit_test
 test.core > xrpl.basics
+test.core > xrpl.config
 test.core > xrpl.core
 test.core > xrpld.core
 test.core > xrpl.json
@@ -104,6 +111,7 @@ test.csf > xrpl.protocol
 test.json > test.jtx
 test.json > xrpl.json
 test.jtx > xrpl.basics
+test.jtx > xrpl.config
 test.jtx > xrpl.core
 test.jtx > xrpld.app
 test.jtx > xrpld.core
@@ -126,6 +134,7 @@ test.ledger > xrpl.protocol
 test.nodestore > test.jtx
 test.nodestore > test.unit_test
 test.nodestore > xrpl.basics
+test.nodestore > xrpl.config
 test.nodestore > xrpld.core
 test.nodestore > xrpl.nodestore
 test.nodestore > xrpl.protocol
@@ -133,6 +142,7 @@ test.nodestore > xrpl.rdb
 test.overlay > test.jtx
 test.overlay > test.unit_test
 test.overlay > xrpl.basics
+test.overlay > xrpl.config
 test.overlay > xrpld.app
 test.overlay > xrpld.core
 test.overlay > xrpld.overlay
@@ -159,6 +169,7 @@ test.resource > xrpl.basics
 test.resource > xrpl.resource
 test.rpc > test.jtx
 test.rpc > xrpl.basics
+test.rpc > xrpl.config
 test.rpc > xrpl.core
 test.rpc > xrpld.app
 test.rpc > xrpld.core
@@ -173,6 +184,7 @@ test.rpc > xrpl.tx
 test.server > test.jtx
 test.server > test.unit_test
 test.server > xrpl.basics
+test.server > xrpl.config
 test.server > xrpld.app
 test.server > xrpld.core
 test.server > xrpl.json
@@ -180,6 +192,7 @@ test.server > xrpl.protocol
 test.server > xrpl.server
 test.shamap > test.unit_test
 test.shamap > xrpl.basics
+test.shamap > xrpl.config
 test.shamap > xrpl.nodestore
 test.shamap > xrpl.protocol
 test.shamap > xrpl.shamap
@@ -188,6 +201,7 @@ test.toplevel > xrpl.json
 test.unit_test > xrpl.basics
 test.unit_test > xrpl.protocol
 tests.libxrpl > xrpl.basics
+tests.libxrpl > xrpl.config
 tests.libxrpl > xrpl.core
 tests.libxrpl > xrpl.json
 tests.libxrpl > xrpl.ledger
@@ -200,6 +214,7 @@ tests.libxrpl > xrpl.shamap
 tests.libxrpl > xrpl.tx
 xrpl.conditions > xrpl.basics
 xrpl.conditions > xrpl.protocol
+xrpl.config > xrpl.basics
 xrpl.core > xrpl.basics
 xrpl.core > xrpl.json
 xrpl.core > xrpl.protocol
@@ -210,6 +225,7 @@ xrpl.ledger > xrpl.server
 xrpl.ledger > xrpl.shamap
 xrpl.net > xrpl.basics
 xrpl.nodestore > xrpl.basics
+xrpl.nodestore > xrpl.config
 xrpl.nodestore > xrpl.protocol
 xrpl.protocol > xrpl.basics
 xrpl.protocol > xrpl.json
@@ -237,6 +253,7 @@ xrpl.tx > xrpl.ledger
 xrpl.tx > xrpl.protocol
 xrpld.app > test.unit_test
 xrpld.app > xrpl.basics
+xrpld.app > xrpl.config
 xrpld.app > xrpl.core
 xrpld.app > xrpld.consensus
 xrpld.app > xrpld.core
@@ -255,11 +272,13 @@ xrpld.consensus > xrpl.json
 xrpld.consensus > xrpl.ledger
 xrpld.consensus > xrpl.protocol
 xrpld.core > xrpl.basics
+xrpld.core > xrpl.config
 xrpld.core > xrpl.core
 xrpld.core > xrpl.net
 xrpld.core > xrpl.protocol
 xrpld.core > xrpl.rdb
 xrpld.overlay > xrpl.basics
+xrpld.overlay > xrpl.config
 xrpld.overlay > xrpl.core
 xrpld.overlay > xrpld.consensus
 xrpld.overlay > xrpld.core
@@ -272,15 +291,18 @@ xrpld.overlay > xrpl.server
 xrpld.overlay > xrpl.shamap
 xrpld.overlay > xrpl.tx
 xrpld.peerfinder > xrpl.basics
+xrpld.peerfinder > xrpl.config
 xrpld.peerfinder > xrpld.core
 xrpld.peerfinder > xrpl.protocol
 xrpld.peerfinder > xrpl.rdb
 xrpld.perflog > xrpl.basics
+xrpld.perflog > xrpl.config
 xrpld.perflog > xrpl.core
 xrpld.perflog > xrpld.rpc
 xrpld.perflog > xrpl.json
 xrpld.perflog > xrpl.protocol
 xrpld.rpc > xrpl.basics
+xrpld.rpc > xrpl.config
 xrpld.rpc > xrpl.core
 xrpld.rpc > xrpld.core
 xrpld.rpc > xrpl.json

.github/scripts/rename/cmake.sh

@@ -43,9 +43,6 @@ pushd "${DIRECTORY}"
 # Rename the files.
 find cmake -type f -name 'Rippled*.cmake' -exec bash -c 'mv "${1}" "${1/Rippled/Xrpl}"' - {} \;
 find cmake -type f -name 'Ripple*.cmake' -exec bash -c 'mv "${1}" "${1/Ripple/Xrpl}"' - {} \;
-if [ -e cmake/xrpl_add_test.cmake ]; then
-    mv cmake/xrpl_add_test.cmake cmake/XrplAddTest.cmake
-fi
 if [ -e include/xrpl/proto/ripple.proto ]; then
     mv include/xrpl/proto/ripple.proto include/xrpl/proto/xrpl.proto
 fi
@@ -60,7 +57,6 @@ find cmake -type f -name '*.cmake' | while read -r FILE; do
 done
 ${SED_COMMAND} -i -E 's/Rippled?/Xrpl/g' CMakeLists.txt
 ${SED_COMMAND} -i 's/ripple/xrpl/g' CMakeLists.txt
-${SED_COMMAND} -i 's/include(xrpl_add_test)/include(XrplAddTest)/' src/tests/libxrpl/CMakeLists.txt
 ${SED_COMMAND} -i 's/ripple.pb.h/xrpl.pb.h/' include/xrpl/protocol/messages.h
 ${SED_COMMAND} -i 's/ripple.pb.h/xrpl.pb.h/' BUILD.md
 ${SED_COMMAND} -i 's/ripple.pb.h/xrpl.pb.h/' BUILD.md

.github/scripts/strategy-matrix/generate.py

@@ -1,384 +1,324 @@
 #!/usr/bin/env python3
 import argparse
+import dataclasses
 import itertools
 import json
-from dataclasses import dataclass
 from pathlib import Path
 
 THIS_DIR = Path(__file__).parent.resolve()
 
+_BASE_CMAKE_ARGS = ["-Dtests=ON", "-Dwerr=ON", "-Dxrpld=ON", "-Dwextra=ON"]
 
-@dataclass
-class Config:
-    architecture: list[dict]
-    os: list[dict]
-    build_type: list[str]
-    cmake_args: list[str]
+# Maps sanitizer names (as used in cmake) to short config-name suffixes.
+_SANITIZER_SUFFIX: dict[str, str] = {
+    "address": "asan",
+    "undefinedbehavior": "ubsan",
+    "thread": "tsan",
+}
 
 
-"""
-Generate a strategy matrix for GitHub Actions CI.
-
-On each PR commit we will build a selection of Debian, RHEL, Ubuntu, MacOS, and
-Windows configurations, while upon merge into the develop or release branches,
-we will build all configurations, and test most of them.
-
-We will further set additional CMake arguments as follows:
-- All builds will have the `tests`, `werr`, and `xrpld` options.
-- All builds will have the `wextra` option except for GCC 12 and Clang 16.
-- All release builds will have the `assert` option.
-- Certain Debian Bookworm configurations will change the reference fee, enable
-  codecov, and enable voidstar in PRs.
-"""
+def get_cmake_args(build_type: str, extra_args: str) -> str:
+    """Get the full list of CMake arguments for a config."""
+    args = _BASE_CMAKE_ARGS.copy()
+    if build_type == "Release":
+        args.append("-Dassert=ON")
+    if extra_args:
+        args.extend(extra_args.split())
+    return " ".join(args)
 
 
-def build_config_name(os_entry: dict[str, str], platform: str, build_type: str) -> str:
-    parts = [os_entry["distro_name"]]
-    for key in ("distro_version", "compiler_name", "compiler_version"):
-        if value := os_entry[key]:
-            parts.append(value)
-    parts.append("arm64" if "arm64" in platform else "amd64")
-    parts.append(build_type.lower())
-    return "-".join(parts)
+def runs_on_event(exclude_event_types: list[str], event: str | None) -> bool:
+    """Whether a config should run for the current event.
 
-
-def generate_packaging_matrix(config: Config) -> list[dict]:
-    """Emit one entry per os entry with `package: true`. Architecture is
-    hardcoded to linux/amd64 here (and the runner is hardcoded at the
-    workflow level) until arm64 packaging is ready.
+    'exclude_event_types' is a list of GitHub event names (e.g.
+    ["pull_request"]) on which the config should NOT run; an empty list means
+    the config runs on every event. When no event is given (event is None), no
+    filtering is applied.
     """
-    return [
-        {
-            "artifact_name": f"xrpld-{build_config_name(os, 'linux/amd64', 'Release')}",
-            "os": os,
-        }
-        for os in config.os
-        if os.get("package", False)
-    ]
+    if event is None:
+        return True
+    return event not in exclude_event_types
 
 
-def generate_strategy_matrix(all: bool, config: Config) -> list[dict]:
-    configurations = []
-    for architecture, os, build_type, cmake_args in itertools.product(
-        config.architecture, config.os, config.build_type, config.cmake_args
-    ):
-        # The default CMake target is 'all' for Linux and MacOS and 'install'
-        # for Windows, but it can get overridden for certain configurations.
-        cmake_target = "install" if os["distro_name"] == "windows" else "all"
+# ---------------------------------------------------------------------------
+# Input types — shapes of the JSON config files
+# ---------------------------------------------------------------------------
 
-        # We build and test all configurations by default, except for Windows in
-        # Debug, because it is too slow, as well as when code coverage is
-        # enabled as that mode already runs the tests.
-        build_only = False
-        if os["distro_name"] == "windows" and build_type == "Debug":
-            build_only = True
 
-        # Only generate a subset of configurations in PRs.
-        if not all:
-            # Debian:
-            # - Bookworm using GCC 13: Debug on linux/amd64, set the reference
-            #   fee to 500 and enable code coverage (which will be done below).
-            # - Bookworm using GCC 15: Debug on linux/amd64, enable Address and
-            #   UB sanitizers (which will be done below).
-            # - Bookworm using Clang 16: Debug on linux/amd64, enable voidstar.
-            # - Bookworm using Clang 17: Release on linux/amd64, set the
-            #   reference fee to 1000.
-            # - Bookworm using Clang 20: Debug on linux/amd64, enable Address
-            #   and UB sanitizers (which will be done below).
-            if os["distro_name"] == "debian":
-                skip = True
-                if os["distro_version"] == "bookworm":
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-13"
-                        and build_type == "Debug"
-                        and architecture["platform"] == "linux/amd64"
-                    ):
-                        cmake_args = f"-DUNIT_TEST_REFERENCE_FEE=500 {cmake_args}"
-                        skip = False
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-15"
-                        and build_type == "Release"
-                        and architecture["platform"] == "linux/amd64"
-                    ):
-                        skip = False
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-16"
-                        and build_type == "Debug"
-                        and architecture["platform"] == "linux/amd64"
-                    ):
-                        cmake_args = f"-Dvoidstar=ON {cmake_args}"
-                        skip = False
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-17"
-                        and build_type == "Release"
-                        and architecture["platform"] == "linux/amd64"
-                    ):
-                        cmake_args = f"-DUNIT_TEST_REFERENCE_FEE=1000 {cmake_args}"
-                        skip = False
-                elif os["distro_version"] == "trixie":
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-22"
-                        and build_type == "Debug"
-                        and architecture["platform"] == "linux/amd64"
-                    ):
-                        skip = False
-                if skip:
-                    continue
+@dataclasses.dataclass
+class LinuxConfig:
+    """One entry in linux.json's 'configs' or 'package_configs' arrays."""
 
-            # RHEL:
-            # - 9 using GCC 12: Debug and Release on linux/amd64
-            #   (Release is required for RPM packaging).
-            # - 10 using Clang: Release on linux/amd64.
-            if os["distro_name"] == "rhel":
-                skip = True
-                if os["distro_version"] == "9":
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-12"
-                        and build_type in ["Debug", "Release"]
-                        and architecture["platform"] == "linux/amd64"
-                    ):
-                        skip = False
-                elif os["distro_version"] == "10":
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-any"
-                        and build_type == "Release"
-                        and architecture["platform"] == "linux/amd64"
-                    ):
-                        skip = False
-                if skip:
-                    continue
+    compiler: list[str]
+    build_type: list[str]
+    arch: list[str]
+    sanitizers: list[str] = dataclasses.field(default_factory=list)
+    suffix: str = ""
+    extra_cmake_args: str = ""
+    image: str = ""  # only used by package_configs entries
+    # List of GitHub event names (e.g. "pull_request") on which this config
+    # should NOT run. Empty means it runs on every event.
+    exclude_event_types: list[str] = dataclasses.field(default_factory=list)
 
-            # Ubuntu:
-            # - Jammy using GCC 12: Debug on linux/arm64, Release on
-            #   linux/amd64 (Release is required for DEB packaging).
-            # - Noble using GCC 14: Release on linux/amd64.
-            # - Noble using Clang 18: Debug on linux/amd64.
-            # - Noble using Clang 19: Release on linux/arm64.
-            if os["distro_name"] == "ubuntu":
-                skip = True
-                if os["distro_version"] == "jammy":
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-12"
-                        and build_type == "Debug"
-                        and architecture["platform"] == "linux/arm64"
-                    ):
-                        skip = False
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-12"
-                        and build_type == "Release"
-                        and architecture["platform"] == "linux/amd64"
-                    ):
-                        skip = False
-                elif os["distro_version"] == "noble":
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-14"
-                        and build_type == "Release"
-                        and architecture["platform"] == "linux/amd64"
-                    ):
-                        skip = False
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-18"
-                        and build_type == "Debug"
-                        and architecture["platform"] == "linux/amd64"
-                    ):
-                        skip = False
-                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-19"
-                        and build_type == "Release"
-                        and architecture["platform"] == "linux/arm64"
-                    ):
-                        skip = False
-                if skip:
-                    continue
 
-            # MacOS:
-            # - Debug on macos/arm64.
-            if os["distro_name"] == "macos" and not (
-                build_type == "Debug" and architecture["platform"] == "macos/arm64"
-            ):
+@dataclasses.dataclass
+class LinuxFile:
+    """Shape of linux.json."""
+
+    image_tag: str
+    configs: dict[str, list[LinuxConfig]]  # distro → configs
+    package_configs: dict[str, list[LinuxConfig]]  # distro → packaging configs
+
+    @classmethod
+    def load(cls, path: Path) -> "LinuxFile":
+        data = json.loads(path.read_text())
+
+        def parse(section: dict) -> dict[str, list[LinuxConfig]]:
+            return {
+                distro: [LinuxConfig(**c) for c in cfgs]
+                for distro, cfgs in section.items()
+            }
+
+        return cls(
+            image_tag=data["image_tag"],
+            configs=parse(data["configs"]),
+            package_configs=parse(data.get("package_configs", {})),
+        )
+
+
+@dataclasses.dataclass
+class PlatformConfig:
+    """One entry in macos.json's or windows.json's 'configs' array."""
+
+    build_type: list[str]
+    build_only: bool = False  # if true, skip tests (e.g. macos/Windows Debug)
+    extra_cmake_args: str = ""
+    # List of GitHub event names (e.g. "pull_request") on which this config
+    # should NOT run. Empty means it runs on every event.
+    exclude_event_types: list[str] = dataclasses.field(default_factory=list)
+
+    def __post_init__(self) -> None:
+        if isinstance(self.build_type, str):
+            self.build_type = [self.build_type]
+
+
+@dataclasses.dataclass
+class PlatformFile:
+    """Shape of macos.json and windows.json."""
+
+    platform: str  # e.g. "macos/arm64" or "windows/amd64"
+    runner: list[str]  # GitHub Actions runner labels
+    configs: list[PlatformConfig]
+
+    @classmethod
+    def load(cls, path: Path) -> "PlatformFile":
+        data = json.loads(path.read_text())
+        return cls(
+            platform=data["platform"],
+            runner=data["runner"],
+            configs=[PlatformConfig(**c) for c in data["configs"]],
+        )
+
+
+# ---------------------------------------------------------------------------
+# Output types — shapes of the generated GitHub Actions matrix entries
+# ---------------------------------------------------------------------------
+
+
+@dataclasses.dataclass
+class Architecture:
+    platform: str
+    runner: list[str]
+
+
+@dataclasses.dataclass
+class MatrixEntry:
+    """One entry in the generated build/test strategy matrix."""
+
+    config_name: str
+    cmake_args: str
+    cmake_target: str
+    build_only: bool
+    build_type: str
+    architecture: Architecture
+    sanitizers: str
+    image: str = ""  # container image; empty for macOS/Windows (runs natively)
+    compiler: str = ""  # compiler name ("gcc" or "clang"); empty for macOS/Windows
+
+
+@dataclasses.dataclass
+class PackagingEntry:
+    """One entry in the generated packaging strategy matrix."""
+
+    artifact_name: str
+    image: str
+    distro: str  # e.g. "debian" or "rhel"; drives package-format-specific steps
+
+
+# ---------------------------------------------------------------------------
+# Matrix expansion
+# ---------------------------------------------------------------------------
+
+_ARCHS: dict[str, Architecture] = {
+    "amd64": Architecture(
+        platform="linux/amd64", runner=["self-hosted", "Linux", "X64", "heavy"]
+    ),
+    "arm64": Architecture(
+        platform="linux/arm64",
+        runner=["self-hosted", "Linux", "ARM64", "heavy-arm64"],
+    ),
+}
+
+
+def expand_linux_matrix(
+    linux: LinuxFile, event: str | None = None
+) -> list[MatrixEntry]:
+    """Expand a LinuxFile into a flat list of matrix entries.
+
+    Each config entry is expanded over the cross-product of its
+    compiler, build_type, sanitizers, and architecture lists. Configs that
+    exclude the current event are skipped.
+    """
+    entries: list[MatrixEntry] = []
+
+    for distro, configs in linux.configs.items():
+        for cfg in configs:
+            if not runs_on_event(cfg.exclude_event_types, event):
                 continue
+            # An empty sanitizers list means "one entry with no sanitizer".
+            effective_sanitizers = cfg.sanitizers or [""]
+            effective_archs = {arch: _ARCHS[arch] for arch in cfg.arch}
 
-            # Windows:
-            # - Release on windows/amd64.
-            if os["distro_name"] == "windows" and not (
-                build_type == "Release" and architecture["platform"] == "windows/amd64"
+            for compiler, build_type, sanitizer, (arch, arch_info) in itertools.product(
+                cfg.compiler,
+                cfg.build_type,
+                effective_sanitizers,
+                effective_archs.items(),
             ):
-                continue
+                name = f"{distro}-{compiler}-{build_type.lower()}-{arch}"
+                suffix_parts = [
+                    s for s in [cfg.suffix, _SANITIZER_SUFFIX.get(sanitizer, "")] if s
+                ]
+                if suffix_parts:
+                    name += "-" + "-".join(suffix_parts)
 
-        # Additional CMake arguments.
-        cmake_args = f"{cmake_args} -Dtests=ON -Dwerr=ON -Dxrpld=ON"
-        if not f"{os['compiler_name']}-{os['compiler_version']}" in [
-            "gcc-12",
-            "clang-16",
-        ]:
-            cmake_args = f"{cmake_args} -Dwextra=ON"
-        if build_type == "Release":
-            cmake_args = f"{cmake_args} -Dassert=ON"
-
-        # We skip all RHEL on arm64 due to a build failure that needs further
-        # investigation.
-        if os["distro_name"] == "rhel" and architecture["platform"] == "linux/arm64":
-            continue
-
-        # We skip all clang 20+ on arm64 due to Boost build error.
-        if (
-            os["compiler_name"] == "clang"
-            and os["compiler_version"].isdigit()
-            and int(os["compiler_version"]) >= 20
-            and architecture["platform"] == "linux/arm64"
-        ):
-            continue
-
-        # Enable code coverage for Debian Bookworm using GCC 13 in Debug on
-        # linux/amd64.
-        if (
-            f"{os['distro_name']}-{os['distro_version']}" == "debian-bookworm"
-            and f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-13"
-            and build_type == "Debug"
-            and architecture["platform"] == "linux/amd64"
-        ):
-            cmake_args = f"{cmake_args} -Dcoverage=ON -Dcoverage_format=xml -DCODE_COVERAGE_VERBOSE=ON -DCMAKE_C_FLAGS=-O0 -DCMAKE_CXX_FLAGS=-O0"
-
-        # Enable unity build for Ubuntu Jammy using GCC 12 in Debug on
-        # linux/amd64.
-        if (
-            f"{os['distro_name']}-{os['distro_version']}" == "ubuntu-jammy"
-            and f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-12"
-            and build_type == "Debug"
-            and architecture["platform"] == "linux/amd64"
-        ):
-            cmake_args = f"{cmake_args} -Dunity=ON"
-
-        # Generate a unique name for the configuration, e.g. macos-arm64-debug
-        # or debian-bookworm-gcc-12-amd64-release.
-        config_name = build_config_name(os, architecture["platform"], build_type)
-        if "-Dcoverage=ON" in cmake_args:
-            config_name += "-coverage"
-        if "-Dunity=ON" in cmake_args:
-            config_name += "-unity"
-
-        # Add the configuration to the list, with the most unique fields first,
-        # so that they are easier to identify in the GitHub Actions UI, as long
-        # names get truncated.
-        # Add Address and UB sanitizers as separate configurations for specific
-        # bookworm distros. Thread sanitizer is currently disabled (see below).
-        # GCC-Asan xrpld-embedded tests are failing because of https://github.com/google/sanitizers/issues/856
-        if (
-            os["distro_version"] == "bookworm"
-            and f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-15"
-        ) or (
-            os["distro_version"] == "trixie"
-            and f"{os['compiler_name']}-{os['compiler_version']}" == "clang-22"
-        ):
-            # Add ASAN and UBSAN configurations for both gcc-15 and clang-22
-            configurations.append(
-                {
-                    "config_name": config_name + "-asan",
-                    "cmake_args": cmake_args,
-                    "cmake_target": cmake_target,
-                    "build_only": build_only,
-                    "build_type": build_type,
-                    "os": os,
-                    "architecture": architecture,
-                    "sanitizers": "address",
-                }
-            )
-            configurations.append(
-                {
-                    "config_name": config_name + "-ubsan",
-                    "cmake_args": cmake_args,
-                    "cmake_target": cmake_target,
-                    "build_only": build_only,
-                    "build_type": build_type,
-                    "os": os,
-                    "architecture": architecture,
-                    "sanitizers": "undefinedbehavior",
-                }
-            )
-            # TSAN is deactivated due to seg faults with latest compilers.
-            activate_tsan = False
-            if activate_tsan:
-                configurations.append(
-                    {
-                        "config_name": config_name + "-tsan-ubsan",
-                        "cmake_args": cmake_args,
-                        "cmake_target": cmake_target,
-                        "build_only": build_only,
-                        "build_type": build_type,
-                        "os": os,
-                        "architecture": architecture,
-                        "sanitizers": "thread,undefinedbehavior",
-                    }
+                entries.append(
+                    MatrixEntry(
+                        config_name=name,
+                        image=f"ghcr.io/xrplf/xrpld/nix-{distro}:{linux.image_tag}",
+                        cmake_args=get_cmake_args(build_type, cfg.extra_cmake_args),
+                        cmake_target="all",
+                        build_only=False,
+                        build_type=build_type,
+                        architecture=arch_info,
+                        sanitizers=sanitizer,
+                        compiler=compiler,
+                    )
+                )
+
+    return entries
+
+
+def expand_linux_packaging(linux: LinuxFile) -> list[PackagingEntry]:
+    """Generate the packaging matrix from a LinuxFile's package_configs section.
+
+    Packaging uses vanilla distro images (debian:bookworm, ubi9, …) instead of
+    the nix-based build images, because deb/rpm tooling (debhelper, rpm-build)
+    is taken from the distro's archive rather than from nixpkgs. Each config
+    entry carries its own 'image'.
+    """
+    entries = []
+    for distro, configs in linux.package_configs.items():
+        for cfg in configs:
+            for compiler, build_type in itertools.product(cfg.compiler, cfg.build_type):
+                entries.append(
+                    PackagingEntry(
+                        artifact_name=f"xrpld-{distro}-{compiler}-{build_type.lower()}-amd64",
+                        image=cfg.image,
+                        distro=distro,
+                    )
+                )
+
+    return entries
+
+
+def expand_platform_matrix(
+    pf: PlatformFile, event: str | None = None
+) -> list[MatrixEntry]:
+    """Expand a PlatformFile (macOS or Windows) into matrix entries.
+
+    Configs that exclude the current event are skipped.
+    """
+    platform_name, arch = pf.platform.split("/")
+    is_windows = platform_name == "windows"
+
+    entries: list[MatrixEntry] = []
+    for cfg in pf.configs:
+        if not runs_on_event(cfg.exclude_event_types, event):
+            continue
+        for build_type in cfg.build_type:
+            entries.append(
+                MatrixEntry(
+                    config_name=f"{platform_name}-{arch}-{build_type.lower()}",
+                    cmake_args=get_cmake_args(build_type, cfg.extra_cmake_args),
+                    cmake_target="install" if is_windows else "all",
+                    build_only=cfg.build_only,
+                    build_type=build_type,
+                    architecture=Architecture(platform=pf.platform, runner=pf.runner),
+                    sanitizers="",
                 )
-        else:
-            configurations.append(
-                {
-                    "config_name": config_name,
-                    "cmake_args": cmake_args,
-                    "cmake_target": cmake_target,
-                    "build_only": build_only,
-                    "build_type": build_type,
-                    "os": os,
-                    "architecture": architecture,
-                    "sanitizers": "",
-                }
             )
-
-    return configurations
+    return entries
 
 
-def read_config(file: Path) -> Config:
-    config = json.loads(file.read_text())
-    if (
-        config["architecture"] is None
-        or config["os"] is None
-        or config["build_type"] is None
-        or config["cmake_args"] is None
-    ):
-        raise Exception("Invalid configuration file.")
-
-    return Config(**config)
+# ---------------------------------------------------------------------------
+# Entry point
+# ---------------------------------------------------------------------------
 
 
 if __name__ == "__main__":
-    parser = argparse.ArgumentParser()
-    parser.add_argument(
-        "-a",
-        "--all",
-        help="Set to generate all configurations (generally used when merging a PR) or leave unset to generate a subset of configurations (generally used when committing to a PR).",
-        action="store_true",
+    parser = argparse.ArgumentParser(
+        description="Generate a CI strategy matrix for all platforms or a specific one."
     )
     parser.add_argument(
         "-c",
         "--config",
-        help="Path to the JSON file containing the strategy matrix configurations.",
-        required=False,
-        type=Path,
+        help="Platform to generate for ('linux', 'macos', or 'windows'). Defaults to all platforms.",
+        choices=["linux", "macos", "windows"],
+        default=None,
     )
     parser.add_argument(
         "-p",
         "--packaging",
-        help="Emit the packaging matrix (derived from the 'package' field on os entries) instead of the build/test matrix.",
+        help="Emit the Linux packaging matrix instead of the build/test matrix.",
         action="store_true",
     )
+    parser.add_argument(
+        "-e",
+        "--event",
+        help="The GitHub event name that triggered the workflow (e.g. 'push', "
+        "'pull_request'). Configs are filtered by their 'event_type'. If "
+        "omitted, no filtering is applied.",
+        default=None,
+    )
     args = parser.parse_args()
 
-    matrix = []
-    if args.packaging:
-        config_path = args.config if args.config else THIS_DIR / "linux.json"
-        matrix += generate_packaging_matrix(read_config(config_path))
-    elif args.config is None or args.config == "":
-        matrix += generate_strategy_matrix(
-            args.all, read_config(THIS_DIR / "linux.json")
-        )
-        matrix += generate_strategy_matrix(
-            args.all, read_config(THIS_DIR / "macos.json")
-        )
-        matrix += generate_strategy_matrix(
-            args.all, read_config(THIS_DIR / "windows.json")
-        )
-    else:
-        matrix += generate_strategy_matrix(args.all, read_config(args.config))
+    matrix: list[MatrixEntry] | list[PackagingEntry] = []
 
-    # Generate the strategy matrix.
-    print(f"matrix={json.dumps({'include': matrix})}")
+    if args.packaging:
+        matrix = expand_linux_packaging(LinuxFile.load(THIS_DIR / "linux.json"))
+    else:
+        if args.config in ("linux", None):
+            matrix += expand_linux_matrix(
+                LinuxFile.load(THIS_DIR / "linux.json"), args.event
+            )
+        if args.config in ("macos", None):
+            matrix += expand_platform_matrix(
+                PlatformFile.load(THIS_DIR / "macos.json"), args.event
+            )
+        if args.config in ("windows", None):
+            matrix += expand_platform_matrix(
+                PlatformFile.load(THIS_DIR / "windows.json"), args.event
+            )
+
+    print(f"matrix={json.dumps({'include': [dataclasses.asdict(e) for e in matrix]})}")

.github/scripts/strategy-matrix/linux.json

@@ -1,221 +1,84 @@
 {
-  "architecture": [
-    {
-      "platform": "linux/amd64",
-      "runner": ["self-hosted", "Linux", "X64", "heavy"]
-    },
-    {
-      "platform": "linux/arm64",
-      "runner": ["self-hosted", "Linux", "ARM64", "heavy-arm64"]
-    }
-  ],
-  "os": [
-    {
-      "distro_name": "debian",
-      "distro_version": "bookworm",
-      "compiler_name": "gcc",
-      "compiler_version": "12",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "bookworm",
-      "compiler_name": "gcc",
-      "compiler_version": "13",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "bookworm",
-      "compiler_name": "gcc",
-      "compiler_version": "14",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "bookworm",
-      "compiler_name": "gcc",
-      "compiler_version": "15",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "bookworm",
-      "compiler_name": "clang",
-      "compiler_version": "16",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "bookworm",
-      "compiler_name": "clang",
-      "compiler_version": "17",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "bookworm",
-      "compiler_name": "clang",
-      "compiler_version": "18",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "bookworm",
-      "compiler_name": "clang",
-      "compiler_version": "19",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "bookworm",
-      "compiler_name": "clang",
-      "compiler_version": "20",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "trixie",
-      "compiler_name": "gcc",
-      "compiler_version": "14",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "trixie",
-      "compiler_name": "gcc",
-      "compiler_version": "15",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "trixie",
-      "compiler_name": "clang",
-      "compiler_version": "20",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "trixie",
-      "compiler_name": "clang",
-      "compiler_version": "21",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "debian",
-      "distro_version": "trixie",
-      "compiler_name": "clang",
-      "compiler_version": "22",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "rhel",
-      "distro_version": "8",
-      "compiler_name": "gcc",
-      "compiler_version": "14",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "rhel",
-      "distro_version": "8",
-      "compiler_name": "clang",
-      "compiler_version": "any",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "rhel",
-      "distro_version": "9",
-      "compiler_name": "gcc",
-      "compiler_version": "12",
-      "image_sha": "4c086b9",
-      "package": true
-    },
-    {
-      "distro_name": "rhel",
-      "distro_version": "9",
-      "compiler_name": "gcc",
-      "compiler_version": "13",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "rhel",
-      "distro_version": "9",
-      "compiler_name": "gcc",
-      "compiler_version": "14",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "rhel",
-      "distro_version": "9",
-      "compiler_name": "clang",
-      "compiler_version": "any",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "rhel",
-      "distro_version": "10",
-      "compiler_name": "gcc",
-      "compiler_version": "14",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "rhel",
-      "distro_version": "10",
-      "compiler_name": "clang",
-      "compiler_version": "any",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "ubuntu",
-      "distro_version": "jammy",
-      "compiler_name": "gcc",
-      "compiler_version": "12",
-      "image_sha": "4c086b9",
-      "package": true
-    },
-    {
-      "distro_name": "ubuntu",
-      "distro_version": "noble",
-      "compiler_name": "gcc",
-      "compiler_version": "13",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "ubuntu",
-      "distro_version": "noble",
-      "compiler_name": "gcc",
-      "compiler_version": "14",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "ubuntu",
-      "distro_version": "noble",
-      "compiler_name": "clang",
-      "compiler_version": "16",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "ubuntu",
-      "distro_version": "noble",
-      "compiler_name": "clang",
-      "compiler_version": "17",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "ubuntu",
-      "distro_version": "noble",
-      "compiler_name": "clang",
-      "compiler_version": "18",
-      "image_sha": "4c086b9"
-    },
-    {
-      "distro_name": "ubuntu",
-      "distro_version": "noble",
-      "compiler_name": "clang",
-      "compiler_version": "19",
-      "image_sha": "4c086b9"
-    }
-  ],
-  "build_type": ["Debug", "Release"],
-  "cmake_args": [""]
+  "image_tag": "sha-63ffdc3",
+  "configs": {
+    "ubuntu": [
+      {
+        "compiler": ["gcc", "clang"],
+        "build_type": ["Debug", "Release"],
+        "arch": ["amd64", "arm64"]
+      },
+
+      {
+        "compiler": ["gcc", "clang"],
+        "build_type": ["Debug", "Release"],
+        "arch": ["amd64"],
+        "sanitizers": ["address", "undefinedbehavior"]
+      },
+
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Debug"],
+        "arch": ["amd64"],
+        "suffix": "coverage",
+        "extra_cmake_args": "-DUNIT_TEST_REFERENCE_FEE=500 -Dcoverage=ON -Dcoverage_format=xml -DCODE_COVERAGE_VERBOSE=ON -DCMAKE_C_FLAGS=-O0 -DCMAKE_CXX_FLAGS=-O0"
+      },
+      {
+        "compiler": ["clang"],
+        "build_type": ["Debug"],
+        "arch": ["amd64"],
+        "suffix": "voidstar",
+        "extra_cmake_args": "-Dvoidstar=ON"
+      },
+      {
+        "compiler": ["clang"],
+        "build_type": ["Release"],
+        "arch": ["amd64"],
+        "suffix": "reffee",
+        "extra_cmake_args": "-DUNIT_TEST_REFERENCE_FEE=1000"
+      },
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Debug"],
+        "arch": ["amd64"],
+        "suffix": "unity",
+        "extra_cmake_args": "-Dunity=ON",
+        "exclude_event_types": ["pull_request"]
+      }
+    ],
+
+    "debian": [
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Release"],
+        "arch": ["amd64"]
+      }
+    ],
+
+    "rhel": [
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Release"],
+        "arch": ["amd64"]
+      }
+    ]
+  },
+  "package_configs": {
+    "debian": [
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Release"],
+        "arch": ["amd64"],
+        "image": "ghcr.io/xrplf/xrpld/packaging-debian:sha-63ffdc3"
+      }
+    ],
+
+    "rhel": [
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Release"],
+        "arch": ["amd64"],
+        "image": "ghcr.io/xrplf/xrpld/packaging-rhel:sha-63ffdc3"
+      }
+    ]
+  }
 }

.github/scripts/strategy-matrix/macos.json

@@ -1,19 +1,16 @@
 {
-  "architecture": [
+  "platform": "macos/arm64",
+  "runner": ["self-hosted", "macOS", "ARM64", "mac-runner-m1"],
+  "configs": [
     {
-      "platform": "macos/arm64",
-      "runner": ["self-hosted", "macOS", "ARM64", "mac-runner-m1"]
-    }
-  ],
-  "os": [
+      "build_type": "Release",
+      "extra_cmake_args": "-DCMAKE_POLICY_VERSION_MINIMUM=3.5"
+    },
     {
-      "distro_name": "macos",
-      "distro_version": "",
-      "compiler_name": "",
-      "compiler_version": "",
-      "image_sha": ""
+      "build_type": "Debug",
+      "extra_cmake_args": "-DCMAKE_POLICY_VERSION_MINIMUM=3.5",
+      "build_only": true,
+      "exclude_event_types": ["pull_request"]
     }
-  ],
-  "build_type": ["Debug", "Release"],
-  "cmake_args": ["-DCMAKE_POLICY_VERSION_MINIMUM=3.5"]
+  ]
 }

.github/scripts/strategy-matrix/windows.json

@@ -1,19 +1,12 @@
 {
-  "architecture": [
+  "platform": "windows/amd64",
+  "runner": ["self-hosted", "Windows", "devbox"],
+  "configs": [
+    { "build_type": "Release" },
     {
-      "platform": "windows/amd64",
-      "runner": ["self-hosted", "Windows", "devbox"]
+      "build_type": "Debug",
+      "build_only": true,
+      "exclude_event_types": ["pull_request"]
     }
-  ],
-  "os": [
-    {
-      "distro_name": "windows",
-      "distro_version": "",
-      "compiler_name": "",
-      "compiler_version": "",
-      "image_sha": ""
-    }
-  ],
-  "build_type": ["Debug", "Release"],
-  "cmake_args": [""]
+  ]
 }

.github/workflows/build-nix-image.yml

@@ -1,109 +0,0 @@
-name: Build Nix Docker image
-
-on:
-  push:
-    branches:
-      - develop
-    paths:
-      - ".github/workflows/build-nix-image.yml"
-      - ".github/workflows/reusable-build-docker-image.yml"
-      - "docker/**"
-      - "flake.nix"
-      - "flake.lock"
-      - "nix/**"
-  pull_request:
-    paths:
-      - ".github/workflows/build-nix-image.yml"
-      - ".github/workflows/reusable-build-docker-image.yml"
-      - "docker/**"
-      - "flake.nix"
-      - "flake.lock"
-      - "nix/**"
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  build:
-    name: Build ${{ matrix.distro.name }} (${{ matrix.target.platform }})
-    permissions:
-      contents: read
-      packages: write
-    strategy:
-      fail-fast: false
-      matrix:
-        # The base images are the oldest supported version of each distro
-        # that we want to build images for.
-        distro:
-          - name: nixos
-            base_image: nixos/nix:latest
-          - name: ubuntu
-            base_image: ubuntu:20.04
-          - name: rhel
-            base_image: registry.access.redhat.com/ubi9/ubi:latest
-          - name: debian
-            base_image: debian:bookworm
-        target:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-    uses: ./.github/workflows/reusable-build-docker-image.yml
-    with:
-      image_name: ghcr.io/xrplf/xrpld/nix-${{ matrix.distro.name }}
-      dockerfile: docker/nix.Dockerfile
-      base_image: ${{ matrix.distro.base_image }}
-      platform: ${{ matrix.target.platform }}
-      runner: ${{ matrix.target.runner }}
-      push: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}
-
-  merge:
-    name: Merge ${{ matrix.distro }} manifest
-    needs: build
-    if: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    strategy:
-      fail-fast: false
-      matrix:
-        distro: [nixos, ubuntu, rhel, debian]
-    env:
-      IMAGE_NAME: ghcr.io/xrplf/xrpld/nix-${{ matrix.distro }}
-
-    steps:
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
-
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
-        with:
-          images: ${{ env.IMAGE_NAME }}
-          tags: |
-            type=sha,prefix=sha-,format=short
-            type=raw,value=latest
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create multi-arch manifests
-        run: |
-          for tag in $(jq -cr '.tags[]' <<<"$DOCKER_METADATA_OUTPUT_JSON"); do
-              docker buildx imagetools create -t "$tag" "${tag}-amd64" "${tag}-arm64"
-          done
-
-      - name: Inspect image
-        run: |
-          docker buildx imagetools inspect "${IMAGE_NAME}:${{ steps.meta.outputs.version }}"

.github/workflows/build-nix-images.yml

@@ -0,0 +1,54 @@
+name: Build Nix Docker images
+
+on:
+  push:
+    branches:
+      - develop
+    paths:
+      - ".github/workflows/build-nix-images.yml"
+      - "flake.nix"
+      - "flake.lock"
+      - "nix/**"
+  pull_request:
+    paths:
+      - ".github/workflows/build-nix-images.yml"
+      - "flake.nix"
+      - "flake.lock"
+      - "nix/**"
+  workflow_dispatch:
+
+concurrency:
+  # Read `on-trigger.yml` for the rationale behind this concurrency group name.
+  group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.ref == 'refs/heads/develop' && github.sha || github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build-merge:
+    name: Build and push nix-${{ matrix.distro.name }}
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        # The base images are the oldest supported version of each distro
+        # that we want to build images for.
+        distro:
+          - name: nixos
+            base_image: nixos/nix:latest
+          - name: ubuntu
+            base_image: ubuntu:20.04
+          - name: debian
+            base_image: debian:bookworm
+          - name: rhel
+            base_image: registry.access.redhat.com/ubi9/ubi:latest
+    uses: XRPLF/actions/.github/workflows/build-multiarch-image.yml@c1b480188519e0cad040e6aa70db1cbc5a797e07
+    with:
+      image_name: ghcr.io/xrplf/xrpld/nix-${{ matrix.distro.name }}
+      dockerfile: nix/docker/Dockerfile
+      base_image: ${{ matrix.distro.base_image }}
+      push: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}

.github/workflows/build-packaging-images.yml

@@ -0,0 +1,46 @@
+name: Build packaging Docker images
+
+on:
+  push:
+    branches:
+      - develop
+    paths:
+      - ".github/workflows/build-packaging-images.yml"
+      - "package/Dockerfile"
+      - "package/install-packaging-tools.sh"
+  pull_request:
+    paths:
+      - ".github/workflows/build-packaging-images.yml"
+      - "package/Dockerfile"
+      - "package/install-packaging-tools.sh"
+  workflow_dispatch:
+
+concurrency:
+  # Read `on-trigger.yml` for the rationale behind this concurrency group name.
+  group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.ref == 'refs/heads/develop' && github.sha || github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build-merge:
+    name: Build and push packaging-${{ matrix.distro.name }}
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        distro:
+          - name: debian
+            base_image: debian:bookworm
+          - name: rhel
+            base_image: registry.access.redhat.com/ubi9/ubi:latest
+    uses: XRPLF/actions/.github/workflows/build-multiarch-image.yml@c1b480188519e0cad040e6aa70db1cbc5a797e07
+    with:
+      image_name: ghcr.io/xrplf/xrpld/packaging-${{ matrix.distro.name }}
+      dockerfile: package/Dockerfile
+      base_image: ${{ matrix.distro.base_image }}
+      push: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}

.github/workflows/check-pr-description.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Write PR body to file
         env:

.github/workflows/conflicting-pr.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check if PRs are dirty
-        uses: eps1lon/actions-label-merge-conflict@1df065ebe6e3310545d4f4c4e862e43bdca146f0 # v3.0.3
+        uses: eps1lon/actions-label-merge-conflict@0273be72a0bbd58fcd71d0d6c02c209b50d1e5e1 # v3.1.0
         with:
           dirtyLabel: "PR: has conflicts"
           repoToken: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/on-pr.yml

@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Determine changed files
         # This step checks whether any files have changed that should
         # cause the next jobs to run. We do it this way rather than

.github/workflows/on-tag.yml

@@ -33,7 +33,6 @@ jobs:
     with:
       ccache_enabled: false
       os: ${{ matrix.os }}
-      strategy_matrix: minimal
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 

.github/workflows/on-trigger.yml

@@ -88,7 +88,6 @@ jobs:
       # not identical to a regular compilation.
       ccache_enabled: ${{ github.repository_owner == 'XRPLF' && !startsWith(github.ref, 'refs/heads/release') }}
       os: ${{ matrix.os }}
-      strategy_matrix: ${{ github.event_name == 'schedule' && 'all' || 'minimal' }}
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 

.github/workflows/pre-commit.yml

@@ -14,7 +14,7 @@ on:
 jobs:
   # Call the workflow in the XRPLF/actions repo that runs the pre-commit hooks.
   run-hooks:
-    uses: XRPLF/actions/.github/workflows/pre-commit.yml@cba1f0891650baf1a9c88624dc2d72573be2eb81
+    uses: XRPLF/actions/.github/workflows/pre-commit.yml@312aaab296060ff89d7f798dcab59f019bea6e02
     with:
       runs_on: ubuntu-latest
       container: '{ "image": "ghcr.io/xrplf/ci/tools-rippled-pre-commit:sha-41ec7c1" }'

.github/workflows/publish-docs.yml

@@ -41,13 +41,13 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
-    container: ghcr.io/xrplf/ci/tools-rippled-documentation:sha-a8c7be1
+    container: ghcr.io/xrplf/xrpld/nix-ubuntu:sha-63ffdc3
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Prepare runner
-        uses: XRPLF/actions/prepare-runner@90f11ee655d1687824fb8793db770477d52afbab
+        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
         with:
           enable_ccache: false
 
@@ -57,19 +57,11 @@ jobs:
         with:
           subtract: ${{ env.NPROC_SUBTRACT }}
 
-      - name: Check configuration
-        run: |
-          echo 'Checking path.'
-          echo ${PATH} | tr ':' '\n'
+      - name: Print build environment
+        uses: XRPLF/actions/print-build-env@59dec886e4afb05a1724443af08baccbc045b574
 
-          echo 'Checking environment variables.'
-          env | sort
-
-          echo 'Checking CMake version.'
-          cmake --version
-
-          echo 'Checking Doxygen version.'
-          doxygen --version
+      - name: Check Doxygen version
+        run: doxygen --version
 
       - name: Build documentation
         env:

.github/workflows/reusable-build-docker-image.yml

@@ -1,89 +0,0 @@
-# Build a single-platform Docker image. On push, the image is pushed to
-# GHCR with arch-suffixed tags (e.g. `:latest-amd64`, `:sha-abc-amd64`)
-# so the calling workflow can stitch per-arch builds into a multi-arch
-# manifest without needing to pass digests around.
-name: Reusable build Docker image (single platform)
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        description: "Full image name without tag (e.g. 'ghcr.io/xrplf/xrpld/nix-ubuntu')"
-        required: true
-        type: string
-      dockerfile:
-        description: "Path to the Dockerfile, relative to the repository root"
-        required: true
-        type: string
-      base_image:
-        description: "Value passed to the Dockerfile as the BASE_IMAGE build arg"
-        required: true
-        type: string
-      platform:
-        description: "Docker platform string, e.g. linux/amd64"
-        required: true
-        type: string
-      runner:
-        description: "GitHub Actions runner label to build on"
-        required: true
-        type: string
-      push:
-        description: "Whether to push the image to GHCR"
-        required: true
-        type: boolean
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  build:
-    name: Build (${{ inputs.platform }})
-    runs-on: ${{ inputs.runner }}
-    permissions:
-      contents: read
-      packages: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Determine arch
-        id: vars
-        env:
-          PLATFORM: ${{ inputs.platform }}
-        run: |
-          echo "arch=${PLATFORM##*/}" >>$GITHUB_OUTPUT
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
-
-      - name: Login to GitHub Container Registry
-        if: inputs.push
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
-        with:
-          images: ${{ inputs.image_name }}
-          tags: |
-            type=sha,prefix=sha-,format=short
-            type=raw,value=latest
-          flavor: |
-            suffix=-${{ steps.vars.outputs.arch }},onlatest=true
-
-      - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
-        with:
-          context: .
-          file: ${{ inputs.dockerfile }}
-          platforms: ${{ inputs.platform }}
-          push: ${{ inputs.push }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: BASE_IMAGE=${{ inputs.base_image }}

.github/workflows/reusable-build-test-config.yml

@@ -57,6 +57,12 @@ on:
         type: string
         default: ""
 
+      compiler:
+        description: 'The compiler to use ("gcc" or "clang"). Leave empty for macOS/Windows (uses system default).'
+        required: false
+        type: string
+        default: ""
+
     secrets:
       CODECOV_TOKEN:
         description: "The Codecov token to use for uploading coverage reports."
@@ -76,7 +82,7 @@ jobs:
     name: ${{ inputs.config_name }}
     runs-on: ${{ fromJSON(inputs.runs_on) }}
     container: ${{ inputs.image != '' && inputs.image || null }}
-    timeout-minutes: ${{ inputs.sanitizers != '' && 360 || 60 }}
+    timeout-minutes: ${{ inputs.sanitizers != '' && 360 || 90 }}
     env:
       # Use a namespace to keep the objects separate for each configuration.
       CCACHE_NAMESPACE: ${{ inputs.config_name }}
@@ -104,10 +110,10 @@ jobs:
         uses: XRPLF/actions/cleanup-workspace@c7d9ce5ebb03c752a354889ecd870cadfc2b1cd4
 
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Prepare runner
-        uses: XRPLF/actions/prepare-runner@90f11ee655d1687824fb8793db770477d52afbab
+        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
         with:
           enable_ccache: ${{ inputs.ccache_enabled }}
 
@@ -124,6 +130,12 @@ jobs:
         with:
           subtract: ${{ inputs.nproc_subtract }}
 
+      - name: Set compiler environment (Linux)
+        if: ${{ runner.os == 'Linux' }}
+        uses: ./.github/actions/set-compiler-env
+        with:
+          compiler: ${{ inputs.compiler }}
+
       - name: Setup Conan
         env:
           SANITIZERS: ${{ inputs.sanitizers }}
@@ -191,6 +203,21 @@ jobs:
               --parallel "${BUILD_NPROC}" \
               --target "${CMAKE_TARGET}"
 
+      # This step is needed to allow running in non-Nix environments
+      - name: Patch binary to use default loader and remove rpath (Linux)
+        if: ${{ runner.os == 'Linux' && env.SANITIZERS_ENABLED == 'false' }}
+        run: |
+          loader="$(/tmp/loader-path.sh)"
+          patchelf --set-interpreter "${loader}" --remove-rpath "${{ env.BUILD_DIR }}/xrpld"
+
+      # We're only running aarch64 Linux builds in Ubuntu-based images, so this is kept simple
+      - name: Install libatomic (Linux aarch64)
+        if: ${{ runner.os == 'Linux' && runner.arch == 'ARM64' }}
+        run: |
+          apt update --yes
+          apt install -y --no-install-recommends \
+              libatomic1
+
       - name: Show ccache statistics
         if: ${{ inputs.ccache_enabled }}
         run: |
@@ -209,6 +236,15 @@ jobs:
           retention-days: 3
           if-no-files-found: error
 
+      - name: Upload the test binary (Linux)
+        if: ${{ github.event.repository.visibility == 'public' && runner.os == 'Linux' }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: xrpl_tests-${{ inputs.config_name }}
+          path: ${{ env.BUILD_DIR }}/xrpl_tests
+          retention-days: 3
+          if-no-files-found: error
+
       - name: Export server definitions
         if: ${{ runner.os != 'Windows' && !inputs.build_only && env.VOIDSTAR_ENABLED != 'true' }}
         working-directory: ${{ env.BUILD_DIR }}
@@ -217,7 +253,7 @@ jobs:
           ./xrpld --definitions | python3 -m json.tool >server_definitions.json
 
       - name: Upload server definitions
-        if: ${{ github.event.repository.visibility == 'public' && inputs.config_name == 'debian-bookworm-gcc-13-amd64-release' }}
+        if: ${{ github.event.repository.visibility == 'public' && inputs.config_name == 'debian-gcc-release-amd64' }}
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: server-definitions
@@ -259,16 +295,8 @@ jobs:
 
       - name: Run the separate tests
         if: ${{ !inputs.build_only }}
-        working-directory: ${{ env.BUILD_DIR }}
-        # Windows locks some of the build files while running tests, and parallel jobs can collide
-        env:
-          BUILD_TYPE: ${{ inputs.build_type }}
-          PARALLELISM: ${{ runner.os == 'Windows' && '1' || steps.nproc.outputs.nproc }}
-        run: |
-          ctest \
-              --output-on-failure \
-              -C "${BUILD_TYPE}" \
-              -j "${PARALLELISM}"
+        working-directory: ${{ runner.os == 'Windows' && format('{0}/{1}', env.BUILD_DIR, inputs.build_type) || env.BUILD_DIR }}
+        run: ./xrpl_tests
 
       - name: Run the embedded tests
         if: ${{ !inputs.build_only }}
@@ -279,7 +307,25 @@ jobs:
           set -o pipefail
           # Coverage builds are slower due to instrumentation; use fewer parallel jobs to avoid flakiness
           [ "$COVERAGE_ENABLED" = "true" ] && BUILD_NPROC=$((BUILD_NPROC - 2))
-          ./xrpld --unittest --unittest-jobs "${BUILD_NPROC}" 2>&1 | tee unittest.log
+
+          # The resolver/preload workaround is only correct for the ASan build:
+          # a regular build doesn't hit the __dn_expand interceptor bug, and must
+          # NOT have libasan injected. So only preload when xrpld is ASan-built.
+          #
+          # libresolv hosts getaddrinfo's resolver helpers (dn_expand, res_*). Under ASan
+          # these are intercepted via dlsym(RTLD_NEXT, ...), which yields a NULL pointer
+          # and crashes DNS resolution if libresolv isn't loaded. Linking it guarantees
+          # the symbols are present; it's a harmless no-op on glibc >= 2.34 (merged into
+          # libc) and is what the compiler driver already does for sanitizer builds.
+          #   https://github.com/llvm/llvm-project/issues/59007
+          #   https://github.com/google/sanitizers/issues/1592
+          if ldd ./xrpld | grep -q libasan; then
+              PRELOAD="$(gcc -print-file-name=libasan.so):/usr/lib/x86_64-linux-gnu/libresolv.so.2"
+          else
+              PRELOAD=""
+          fi
+
+          LD_PRELOAD="$PRELOAD" ./xrpld --unittest --unittest-jobs "${BUILD_NPROC}" 2>&1 | tee unittest.log
 
       - name: Show test failure summary
         if: ${{ failure() && !inputs.build_only }}
@@ -324,7 +370,7 @@ jobs:
 
       - name: Upload coverage report
         if: ${{ github.repository == 'XRPLF/rippled' && !inputs.build_only && env.COVERAGE_ENABLED == 'true' }}
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
         with:
           disable_search: true
           disable_telem: true

.github/workflows/reusable-build-test.yml

@@ -19,13 +19,6 @@ on:
         required: true
         type: string
 
-      strategy_matrix:
-        # TODO: Support additional strategies, e.g. "ubuntu" for generating all Ubuntu configurations.
-        description: 'The strategy matrix to use for generating the configurations ("minimal", "all").'
-        required: false
-        type: string
-        default: "minimal"
-
     secrets:
       CODECOV_TOKEN:
         description: "The Codecov token to use for uploading coverage reports."
@@ -37,7 +30,6 @@ jobs:
     uses: ./.github/workflows/reusable-strategy-matrix.yml
     with:
       os: ${{ inputs.os }}
-      strategy_matrix: ${{ inputs.strategy_matrix }}
 
   # Build and test the binary for each configuration.
   build-test-config:
@@ -47,7 +39,6 @@ jobs:
     strategy:
       fail-fast: ${{ github.event_name == 'merge_group' }}
       matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
-      max-parallel: 10
     with:
       build_only: ${{ matrix.build_only }}
       build_type: ${{ matrix.build_type }}
@@ -55,8 +46,9 @@ jobs:
       cmake_args: ${{ matrix.cmake_args }}
       cmake_target: ${{ matrix.cmake_target }}
       runs_on: ${{ toJSON(matrix.architecture.runner) }}
-      image: ${{ contains(matrix.architecture.platform, 'linux') && format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}-sha-{4}', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version, matrix.os.image_sha) || '' }}
+      image: ${{ matrix.image || '' }}
       config_name: ${{ matrix.config_name }}
       sanitizers: ${{ matrix.sanitizers }}
+      compiler: ${{ matrix.compiler || '' }}
     secrets:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/reusable-check-levelization.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Check levelization
         run: python .github/scripts/levelization/generate.py
       - name: Check for differences

.github/workflows/reusable-check-rename.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Check definitions
         run: .github/scripts/rename/definitions.sh .
       - name: Check copyright notices

.github/workflows/reusable-clang-tidy.yml

@@ -29,23 +29,23 @@ jobs:
     if: ${{ inputs.check_only_changed }}
     permissions:
       contents: read
-    uses: XRPLF/actions/.github/workflows/determine-tidy-files.yml@224f3c48d3014d082a1129237b8291ff0b0a331f
+    uses: XRPLF/actions/.github/workflows/determine-tidy-files.yml@312aaab296060ff89d7f798dcab59f019bea6e02
 
   run-clang-tidy:
     name: Run clang tidy
     needs: [determine-files]
     if: ${{ always() && !cancelled() && (!inputs.check_only_changed || needs.determine-files.outputs.cpp_changed_files != '' || needs.determine-files.outputs.clang_tidy_config_changed == 'true') }}
     runs-on: ["self-hosted", "Linux", "X64", "heavy"]
-    container: "ghcr.io/xrplf/ci/debian-trixie:clang-21-sha-53033a2"
+    container: "ghcr.io/xrplf/xrpld/nix-debian:sha-63ffdc3"
     permissions:
       contents: read
       issues: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Prepare runner
-        uses: XRPLF/actions/prepare-runner@90f11ee655d1687824fb8793db770477d52afbab
+        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
         with:
           enable_ccache: false
 
@@ -56,6 +56,11 @@ jobs:
         uses: XRPLF/actions/get-nproc@cf0433aa74563aead044a1e395610c96d65a37cf
         id: nproc
 
+      - name: Set compiler environment
+        uses: ./.github/actions/set-compiler-env
+        with:
+          compiler: clang
+
       - name: Setup Conan
         uses: ./.github/actions/setup-conan
 

.github/workflows/reusable-package.yml

@@ -1,8 +1,7 @@
 # Build Linux packages (DEB and RPM) from pre-built binary artifacts.
-# Discovers which configurations to package from linux.json (os entries
-# with "package": true) and fans out one job per entry. Today only
-# linux/amd64 is emitted; the architecture is hardcoded both here
-# (runner) and in generate.py.
+# Discovers which configurations to package from linux.json (configs in
+# "package_configs") and fans out one job per distro. Only linux/amd64 is
+# supported; the runner is hardcoded in the job below.
 name: Package
 
 on:
@@ -28,18 +27,17 @@ jobs:
       matrix: ${{ steps.generate.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: 3.13
+          python-version: "3.13"
 
       - name: Generate packaging matrix
         id: generate
         working-directory: .github/scripts/strategy-matrix
-        run: |
-          ./generate.py --packaging --config=linux.json >>"${GITHUB_OUTPUT}"
+        run: ./generate.py --packaging >>"${GITHUB_OUTPUT}"
 
   generate-version:
     runs-on: ubuntu-latest
@@ -47,7 +45,7 @@ jobs:
       version: ${{ steps.version.outputs.version }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           sparse-checkout: |
             .github/actions/generate-version
@@ -66,12 +64,12 @@ jobs:
     permissions:
       contents: read
     runs-on: ["self-hosted", "Linux", "X64", "heavy"]
-    container: ${{ format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}-sha-{4}', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version, matrix.os.image_sha) }}
+    container: ${{ matrix.image }}
     timeout-minutes: 30
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Download pre-built binary
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1

.github/workflows/reusable-strategy-matrix.yml

@@ -4,15 +4,9 @@ on:
   workflow_call:
     inputs:
       os:
-        description: 'The operating system to use for the build ("linux", "macos", "windows").'
+        description: 'The operating system to use for the build ("linux", "macos", "windows", or empty for all).'
         required: false
         type: string
-      strategy_matrix:
-        # TODO: Support additional strategies, e.g. "ubuntu" for generating all Ubuntu configurations.
-        description: 'The strategy matrix to use for generating the configurations ("minimal", "all").'
-        required: false
-        type: string
-        default: "minimal"
     outputs:
       matrix:
         description: "The generated strategy matrix."
@@ -29,17 +23,17 @@ jobs:
       matrix: ${{ steps.generate.outputs.matrix }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Set up Python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: 3.13
+          python-version: "3.13"
 
       - name: Generate strategy matrix
         working-directory: .github/scripts/strategy-matrix
         id: generate
         env:
-          GENERATE_CONFIG: ${{ inputs.os != '' && format('--config={0}.json', inputs.os) || '' }}
-          GENERATE_OPTION: ${{ inputs.strategy_matrix == 'all' && '--all' || '' }}
-        run: ./generate.py ${GENERATE_OPTION} ${GENERATE_CONFIG} >>"${GITHUB_OUTPUT}"
+          GENERATE_CONFIG: ${{ inputs.os != '' && format('--config={0}', inputs.os) || '' }}
+          GENERATE_EVENT: ${{ github.event_name }}
+        run: ./generate.py ${GENERATE_CONFIG} --event="${GENERATE_EVENT}" >>"${GITHUB_OUTPUT}"

.github/workflows/reusable-upload-recipe.yml

@@ -40,10 +40,10 @@ defaults:
 jobs:
   upload:
     runs-on: ubuntu-latest
-    container: ghcr.io/xrplf/ci/ubuntu-noble:gcc-13-sha-5dd7158
+    container: ghcr.io/xrplf/xrpld/nix-ubuntu:sha-63ffdc3
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Generate build version number
         id: version

.github/workflows/upload-conan-deps.yml

@@ -30,6 +30,7 @@ on:
       - ".github/scripts/strategy-matrix/**"
       - conanfile.py
       - conan.lock
+      - conan/profiles/**
 
 env:
   CONAN_REMOTE_NAME: xrplf
@@ -48,8 +49,6 @@ jobs:
   # Generate the strategy matrix to be used by the following job.
   generate-matrix:
     uses: ./.github/workflows/reusable-strategy-matrix.yml
-    with:
-      strategy_matrix: ${{ github.event_name == 'pull_request' && 'minimal' || 'all' }}
 
   # Build and upload the dependencies for each configuration.
   run-upload-conan-deps:
@@ -58,19 +57,18 @@ jobs:
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
-      max-parallel: 10
     runs-on: ${{ matrix.architecture.runner }}
-    container: ${{ contains(matrix.architecture.platform, 'linux') && format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}-sha-{4}', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version, matrix.os.image_sha) || null }}
+    container: ${{ matrix.image || null }}
     steps:
       - name: Cleanup workspace (macOS and Windows)
         if: ${{ runner.os == 'macOS' || runner.os == 'Windows' }}
         uses: XRPLF/actions/cleanup-workspace@c7d9ce5ebb03c752a354889ecd870cadfc2b1cd4
 
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Prepare runner
-        uses: XRPLF/actions/prepare-runner@90f11ee655d1687824fb8793db770477d52afbab
+        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
         with:
           enable_ccache: false
 
@@ -83,6 +81,12 @@ jobs:
         with:
           subtract: ${{ env.NPROC_SUBTRACT }}
 
+      - name: Set compiler environment (Linux)
+        if: ${{ runner.os == 'Linux' }}
+        uses: ./.github/actions/set-compiler-env
+        with:
+          compiler: ${{ matrix.compiler }}
+
       - name: Setup Conan
         env:
           SANITIZERS: ${{ matrix.sanitizers }}

BUILD.md

@@ -45,14 +45,14 @@ found here](./docs/build/environment.md).
     It is possible to build with Conan 1.60+, but the instructions are
     significantly different, which is why we are not recommending it.
 
-`xrpld` is written in the C++20 dialect and includes the `<concepts>` header.
-The [minimum compiler versions][2] required are:
+`xrpld` is written in the C++23 dialect and includes the `<concepts>` header.
+The [tested compiler versions][2] are:
 
 | Compiler    | Version   |
 | ----------- | --------- |
-| GCC         | 12        |
-| Clang       | 16        |
-| Apple Clang | 16        |
+| GCC         | 15        |
+| Clang       | 22        |
+| Apple Clang | 17        |
 | MSVC        | 19.44[^3] |
 
 ### Linux
@@ -232,11 +232,11 @@ name and then creating a new `default` profile for a different compiler.
 #### Select language
 
 The default profile created by Conan will typically select different C++ dialect
-than C++20 used by this project. You should set `20` in the profile line
+than C++23 used by this project. You should set `23` in the profile line
 starting with `compiler.cppstd=`. For example:
 
 ```bash
-sed -i.bak -e 's|^compiler\.cppstd=.*$|compiler.cppstd=20|' $(conan config home)/profiles/default
+sed -i.bak -e 's|^compiler\.cppstd=.*$|compiler.cppstd=23|' $(conan config home)/profiles/default
 ```
 
 #### Select standard library in Linux

CMakeLists.txt

@@ -15,7 +15,7 @@ list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake")
 
 project(xrpl)
 set(CMAKE_CXX_EXTENSIONS OFF)
-set(CMAKE_CXX_STANDARD 20)
+set(CMAKE_CXX_STANDARD 23)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
 set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
 
@@ -88,6 +88,7 @@ find_package(ed25519 REQUIRED)
 find_package(gRPC REQUIRED)
 find_package(LibArchive REQUIRED)
 find_package(lz4 REQUIRED)
+find_package(mpt-crypto REQUIRED)
 find_package(nudb REQUIRED)
 find_package(OpenSSL REQUIRED)
 find_package(secp256k1 REQUIRED)
@@ -100,6 +101,7 @@ target_link_libraries(
     INTERFACE
         ed25519::ed25519
         lz4::lz4
+        mpt-crypto::mpt-crypto
         OpenSSL::Crypto
         OpenSSL::SSL
         secp256k1::secp256k1

cmake/XrplAddTest.cmake

@@ -1,22 +0,0 @@
-include(isolate_headers)
-
-function(xrpl_add_test name)
-    set(target ${PROJECT_NAME}.test.${name})
-
-    file(
-        GLOB_RECURSE sources
-        CONFIGURE_DEPENDS
-        "${CMAKE_CURRENT_SOURCE_DIR}/${name}/*.cpp"
-        "${CMAKE_CURRENT_SOURCE_DIR}/${name}.cpp"
-    )
-    add_executable(${target} ${ARGN} ${sources})
-
-    isolate_headers(
-        ${target}
-        "${CMAKE_SOURCE_DIR}"
-        "${CMAKE_SOURCE_DIR}/tests/${name}"
-        PRIVATE
-    )
-
-    add_test(NAME ${target} COMMAND ${target})
-endfunction()

cmake/XrplCompiler.cmake

@@ -145,13 +145,39 @@ else()
         INTERFACE
             -rdynamic
             $<$<BOOL:${is_linux}>:-Wl,-z,relro,-z,now,--build-id>
-            # link to static libc/c++ iff: * static option set and * NOT APPLE (AppleClang does not support static
-            # libc/c++) and * NOT SANITIZERS (sanitizers typically don't work with static libc/c++)
-            $<$<AND:$<BOOL:${static}>,$<NOT:$<BOOL:${APPLE}>>,$<NOT:$<BOOL:${SANITIZERS_ENABLED}>>>:
+            # link to static libc/c++ if:
+            # * static option set and
+            # * NOT APPLE (AppleClang does not support static libc/c++)
+            $<$<AND:$<BOOL:${static}>,$<NOT:$<BOOL:${APPLE}>>>:
             -static-libstdc++
             -static-libgcc
             >
     )
+
+    # Keep -stdlib=libstdc++ off the compile commands, but preserve it for linking.
+    #
+    # Conan turns `compiler.libcxx=libstdc++` into `-stdlib=libstdc++` and puts it in
+    # CMAKE_CXX_FLAGS, which CMake passes to BOTH compile and link steps. On a normal Clang
+    # the compile step consumes it while choosing the C++ stdlib include paths. The Nixpkgs
+    # Clang wrapper supplies those paths itself (via -nostdinc++), so at compile time the
+    # flag is unused -> Clang errors under our -Werror. At link time the flag IS consumed
+    # (it selects the C++ runtime), so we move it there instead of dropping it entirely.
+    get_filename_component(_cxx_real "${CMAKE_CXX_COMPILER}" REALPATH)
+    if(
+        _cxx_real MATCHES "^/nix/store/"
+        AND is_linux
+        AND is_clang
+        AND CMAKE_CXX_FLAGS MATCHES "stdlib=libstdc"
+    )
+        string(
+            REPLACE "-stdlib=libstdc++"
+            ""
+            CMAKE_CXX_FLAGS
+            "${CMAKE_CXX_FLAGS}"
+        )
+        string(STRIP "${CMAKE_CXX_FLAGS}" CMAKE_CXX_FLAGS)
+        add_link_options($<$<LINK_LANGUAGE:CXX>:-stdlib=libstdc++>)
+    endif()
 endif()
 
 # Antithesis instrumentation will only be built and deployed using machines running Linux.

cmake/XrplCore.cmake

@@ -94,6 +94,9 @@ add_module(xrpl basics)
 target_link_libraries(xrpl.libxrpl.basics PUBLIC xrpl.libxrpl.beast)
 
 # Level 03
+add_module(xrpl config)
+target_link_libraries(xrpl.libxrpl.config PUBLIC xrpl.libxrpl.basics)
+
 add_module(xrpl json)
 target_link_libraries(xrpl.libxrpl.json PUBLIC xrpl.libxrpl.basics)
 
@@ -120,6 +123,7 @@ target_link_libraries(
     xrpl.libxrpl.core
     PUBLIC
         xrpl.libxrpl.basics
+        xrpl.libxrpl.config
         xrpl.libxrpl.json
         xrpl.libxrpl.protocol
         xrpl.libxrpl.protocol_autogen
@@ -143,7 +147,11 @@ target_link_libraries(
 add_module(xrpl nodestore)
 target_link_libraries(
     xrpl.libxrpl.nodestore
-    PUBLIC xrpl.libxrpl.basics xrpl.libxrpl.json xrpl.libxrpl.protocol
+    PUBLIC
+        xrpl.libxrpl.basics
+        xrpl.libxrpl.config
+        xrpl.libxrpl.json
+        xrpl.libxrpl.protocol
 )
 
 add_module(xrpl shamap)
@@ -159,13 +167,14 @@ target_link_libraries(
 add_module(xrpl rdb)
 target_link_libraries(
     xrpl.libxrpl.rdb
-    PUBLIC xrpl.libxrpl.basics xrpl.libxrpl.core
+    PUBLIC xrpl.libxrpl.basics xrpl.libxrpl.config xrpl.libxrpl.core
 )
 
 add_module(xrpl server)
 target_link_libraries(
     xrpl.libxrpl.server
     PUBLIC
+        xrpl.libxrpl.config
         xrpl.libxrpl.protocol
         xrpl.libxrpl.core
         xrpl.libxrpl.rdb
@@ -210,6 +219,7 @@ target_link_modules(
     basics
     beast
     conditions
+    config
     core
     crypto
     git

cmake/XrplCov.cmake

@@ -47,7 +47,7 @@ setup_target_for_coverage_gcovr(
         "include/xrpl/beast/test"
         "include/xrpl/beast/unit_test"
         "${CMAKE_BINARY_DIR}/pb-xrpl.libpb"
-    DEPENDENCIES xrpld xrpl.tests
+    DEPENDENCIES xrpld xrpl_tests
 )
 
 add_code_coverage_to_target(opts INTERFACE)

cmake/scripts/codegen/templates/LedgerEntry.h.mako

@@ -33,7 +33,7 @@ public:
      * @brief Construct a ${name} ledger entry wrapper from an existing SLE object.
      * @throws std::runtime_error if the ledger entry type doesn't match.
      */
-    explicit ${name}(std::shared_ptr<SLE const> sle)
+    explicit ${name}(SLE::const_pointer sle)
         : LedgerEntryBase(std::move(sle))
     {
         // Verify ledger entry type
@@ -168,7 +168,7 @@ ${field['typeData']['setter_type']} ${field['paramName']}${',' if i < len(requir
      * @param sle The existing ledger entry to copy from.
      * @throws std::runtime_error if the ledger entry type doesn't match.
      */
-    ${name}Builder(std::shared_ptr<SLE const> sle)
+    ${name}Builder(SLE::const_pointer sle)
     {
         if (sle->at(sfLedgerEntryType) != ${tag})
         {

conan.lock

@@ -1,9 +1,9 @@
 {
     "version": "0.5",
     "requires": [
-        "zlib/1.3.2#1cb806da49011867778ffb6ac7190fcb%1777558780.503",
+        "zlib/1.3.2#1cb806da49011867778ffb6ac7190fcb%1778091116.056",
         "xxhash/0.8.3#681d36a0a6111fc56e5e45ea182c19cc%1765850149.987",
-        "sqlite3/3.53.0#324ada52333108388a9a6108bfa96734%1776096494.149",
+        "sqlite3/3.53.0#324ada52333108388a9a6108bfa96734%1778091117.311",
         "soci/4.0.3#fe32b9ad5eb47e79ab9e45a68f363945%1774450067.231",
         "snappy/1.1.10#968fef506ff261592ec30c574d4a7809%1765850147.878",
         "secp256k1/0.7.1#481881709eb0bdd0185a12b912bbe8ad%1770910500.329",
@@ -12,10 +12,11 @@
         "protobuf/6.33.5#d96d52ba5baaaa532f47bda866ad87a5%1774467363.12",
         "openssl/3.6.2#4789bbf131b77d0515d15e094c8f697f%1778071755.506",
         "nudb/2.0.9#11149c73f8f2baff9a0198fe25971fc7%1775040983.408",
+        "mpt-crypto/0.3.0-rc4#67142060d3e9b33cf49b980b1bfba40a%1781115459.717",
         "lz4/1.10.0#59fc63cac7f10fbe8e05c7e62c2f3504%1765850143.914",
         "libiconv/1.17#1e65319e945f2d31941a9d28cc13c058%1765842973.492",
         "libbacktrace/cci.20210118#a7691bfccd8caaf66309df196790a5a1%1765842973.03",
-        "libarchive/3.8.7#c446109bd1f1d8ba7936c94189bc50e6%1776147552.838",
+        "libarchive/3.8.7#c446109bd1f1d8ba7936c94189bc50e6%1778091117.848",
         "jemalloc/5.3.1#1fc58d55316041f10fbc1e8a2eae632a%1776700028.228",
         "gtest/1.17.0#5224b3b3ff3b4ce1133cbdd27d53ee7d%1768312129.152",
         "grpc/1.78.1#b1a9e74b145cc471bed4dc64dc6eb2c1%1774467387.342",
@@ -23,11 +24,11 @@
         "date/3.0.4#862e11e80030356b53c2c38599ceb32b%1765850143.772",
         "c-ares/1.34.6#545240bb1c40e2cacd4362d6b8967650%1774439234.681",
         "bzip2/1.0.8#c470882369c2d95c5c77e970c0c7e321%1765850143.837",
-        "boost/1.91.0#ea540ca2133d831b560036aa24dece3c%1778050991.9",
+        "boost/1.91.0#ea540ca2133d831b560036aa24dece3c%1778091165.282",
         "abseil/20250127.0#bb0baf1f362bc4a725a24eddd419b8f7%1774365460.196"
     ],
     "build_requires": [
-        "zlib/1.3.2#1cb806da49011867778ffb6ac7190fcb%1777558780.503",
+        "zlib/1.3.2#1cb806da49011867778ffb6ac7190fcb%1778091116.056",
         "strawberryperl/5.32.1.1#8d114504d172cfea8ea1662d09b6333e%1774447376.964",
         "protobuf/6.33.5#d96d52ba5baaaa532f47bda866ad87a5%1774467363.12",
         "nasm/2.16.01#31e26f2ee3c4346ecd347911bd126904%1765850144.707",

conan/lockfile/linux.profile

@@ -2,7 +2,7 @@
 arch=x86_64
 build_type=Release
 compiler=gcc
-compiler.cppstd=20
+compiler.cppstd=23
 compiler.libcxx=libstdc++11
 compiler.version=13
 os=Linux

conan/lockfile/macos.profile

@@ -2,7 +2,7 @@
 arch=armv8
 build_type=Release
 compiler=apple-clang
-compiler.cppstd=20
+compiler.cppstd=23
 compiler.libcxx=libc++
 compiler.version=17.0
 os=Macos

conan/lockfile/windows.profile

@@ -2,7 +2,7 @@
 arch=x86_64
 build_type=Release
 compiler=msvc
-compiler.cppstd=20
+compiler.cppstd=23
 compiler.runtime=dynamic
 compiler.runtime_type=Release
 compiler.version=194

conan/profiles/ci

@@ -1 +1,8 @@
+{% set os = detect_api.detect_os() %}
 include(sanitizers)
+
+[conf]
+{% if os == "Linux" %}
+user.package:libc_version=2.31
+tools.info.package_id:confs+=["user.package:libc_version"]
+{% endif %}

conan/profiles/default

@@ -12,7 +12,7 @@ arch={{ arch }}
 build_type=Debug
 compiler={{compiler}}
 compiler.version={{ compiler_version }}
-compiler.cppstd=20
+compiler.cppstd=23
 {% if os == "Windows" %}
 compiler.runtime=static
 {% else %}

conan/profiles/sanitizers

@@ -52,52 +52,50 @@ include(default)
 {% endif %}
 
 {# Frame pointer required for meaningful stack traces; -O1 for reasonable performance #}
-{% set compile_flags = ["-fno-omit-frame-pointer", "-O1"] %}
+{% set sanitizer_compiler_flags = ["-fno-omit-frame-pointer", "-O1"] %}
 
 {% if compiler == "gcc" %}
     {# Suppress false positive warnings with GCC #}
-    {% set _ = compile_flags.append("-Wno-stringop-overflow") %}
+    {% set _ = sanitizer_compiler_flags.append("-Wno-stringop-overflow") %}
 
     {% set relocation_flags = [] %}
 
     {% if arch == "x86_64" and enable_asan %}
         {# Large code model prevents relocation errors in instrumented ASAN binaries #}
-        {% set _ = compile_flags.append("-mcmodel=large") %}
+        {% set _ = sanitizer_compiler_flags.append("-mcmodel=large") %}
         {% set _ = relocation_flags.append("-mcmodel=large") %}
     {% elif enable_tsan %}
         {# GCC doesn't support atomic_thread_fence with TSAN; suppress warnings #}
-        {% set _ = compile_flags.append("-Wno-tsan") %}
+        {% set _ = sanitizer_compiler_flags.append("-Wno-tsan") %}
         {% if arch == "x86_64" %}
             {# Medium code model for TSAN; large is incompatible #}
-            {% set _ = compile_flags.append("-mcmodel=medium") %}
+            {% set _ = sanitizer_compiler_flags.append("-mcmodel=medium") %}
             {% set _ = relocation_flags.append("-mcmodel=medium") %}
         {% endif %}
     {% endif %}
 
     {% set fsanitize = "-fsanitize=" ~ ",".join(sanitizer_types) %}
-    {% set _ = compile_flags.append(fsanitize) %}
+    {% set _ = sanitizer_compiler_flags.append(fsanitize) %}
     {% set _ = relocation_flags.append(fsanitize) %}
 
-    {% set sanitizer_compiler_flags = " ".join(compile_flags) %}
-    {% set sanitizer_linker_flags = " ".join(relocation_flags) %}
+    {% set sanitizer_linker_flags = relocation_flags %}
 {% elif compiler == "clang" or compiler == "apple-clang" %}
     {% set fsanitize = "-fsanitize=" ~ ",".join(sanitizer_types) %}
-    {% set _ = compile_flags.append(fsanitize) %}
+    {% set _ = sanitizer_compiler_flags.append(fsanitize) %}
 
-    {% set sanitizer_compiler_flags = " ".join(compile_flags) %}
-    {% set sanitizer_linker_flags = fsanitize %}
+    {% set sanitizer_linker_flags = [fsanitize] %}
 {% endif %}
 
 [conf]
 tools.build:defines+={{defines}}
-tools.build:cxxflags+=['{{sanitizer_compiler_flags}}']
-tools.build:sharedlinkflags+=['{{sanitizer_linker_flags}}']
-tools.build:exelinkflags+=['{{sanitizer_linker_flags}}']
+tools.build:cxxflags+={{sanitizer_compiler_flags}}
+tools.build:sharedlinkflags+={{sanitizer_linker_flags}}
+tools.build:exelinkflags+={{sanitizer_linker_flags}}
 
 tools.info.package_id:confs+=["tools.build:cxxflags", "tools.build:exelinkflags", "tools.build:sharedlinkflags", "tools.build:defines"]
 
 # &: means "apply only to the consumer/root package"
-&:tools.cmake.cmaketoolchain:extra_variables={"SANITIZERS": "{{sanitizers}}", "SANITIZERS_COMPILER_FLAGS": "{{sanitizer_compiler_flags}}", "SANITIZERS_LINKER_FLAGS": "{{sanitizer_linker_flags}}"}
+&:tools.cmake.cmaketoolchain:extra_variables={"SANITIZERS": "{{sanitizers}}", "SANITIZERS_COMPILER_FLAGS": "{{sanitizer_compiler_flags | join(' ')}}", "SANITIZERS_LINKER_FLAGS": "{{sanitizer_linker_flags | join(' ')}}"}
 
 [options]
 {% if enable_asan %}

conanfile.py

@@ -30,6 +30,7 @@ class Xrpl(ConanFile):
         "ed25519/2015.03",
         "grpc/1.78.1",
         "libarchive/3.8.7",
+        "mpt-crypto/0.3.0-rc4",
         "nudb/2.0.9",
         "openssl/3.6.2",
         "secp256k1/0.7.1",
@@ -208,6 +209,7 @@ class Xrpl(ConanFile):
             "grpc::grpc++",
             "libarchive::libarchive",
             "lz4::lz4",
+            "mpt-crypto::mpt-crypto",
             "nudb::nudb",
             "openssl::crypto",
             "protobuf::libprotobuf",

cspell.config.yaml

@@ -50,6 +50,7 @@ words:
   - AMMXRP
   - amt
   - amts
+  - archs
   - asnode
   - asynchrony
   - attestation
@@ -59,6 +60,7 @@ words:
   - autobridging
   - bimap
   - bindir
+  - blindings
   - bookdir
   - Bougalis
   - Britto
@@ -83,6 +85,7 @@ words:
   - coro
   - coros
   - cowid
+  - cpack
   - cryptocondition
   - cryptoconditional
   - cryptoconditions
@@ -93,6 +96,7 @@ words:
   - daria
   - dcmake
   - dearmor
+  - decryptor
   - dedented
   - deleteme
   - demultiplexer
@@ -104,6 +108,7 @@ words:
   - distro
   - doxyfile
   - dxrpl
+  - elgamal
   - enabled
   - enablerepo
   - endmacro
@@ -116,6 +121,7 @@ words:
   - fmtdur
   - fsanitize
   - funclets
+  - Gamal
   - gcov
   - gcovr
   - ghead
@@ -134,6 +140,7 @@ words:
   - iou
   - ious
   - isrdc
+  - isystem
   - itype
   - jemalloc
   - jlog
@@ -212,6 +219,7 @@ words:
   - partitioner
   - paychan
   - paychans
+  - Pedersen
   - permdex
   - perminute
   - permissioned
@@ -230,9 +238,13 @@ words:
   - pyenv
   - pyparsing
   - qalloc
+  - qbsprofile
   - queuable
   - Raphson
+  - rcflags
   - replayer
+  - rerandomization
+  - rerandomized
   - rerere
   - retriable
   - RIPD
@@ -249,6 +261,7 @@ words:
   - sahyadri
   - Satoshi
   - scons
+  - Schnorr
   - secp
   - sendq
   - seqit
@@ -279,6 +292,7 @@ words:
   - stvar
   - stvector
   - stxchainattestations
+  - summands
   - superpeer
   - superpeers
   - takergets

docker/check-sanitizers.sh

@@ -1,48 +0,0 @@
-#!/bin/bash
-
-# Sanity-check that the sanitizer runtimes shipped with g++/clang++ work
-# end-to-end against the system loader: compile each example with both
-# compilers, run it, and confirm the expected diagnostic is emitted.
-
-set -eo pipefail
-
-cpp_files_dir="${1:?usage: $0 <cpp_files_dir>}"
-
-case "$(uname -m)" in
-    x86_64) loader=/lib64/ld-linux-x86-64.so.2 ;;
-    aarch64) loader=/lib/ld-linux-aarch64.so.1 ;;
-    *)
-        echo "Unsupported arch: $(uname -m)" >&2
-        exit 1
-        ;;
-esac
-
-declare -A sanitize=(
-    [asan]="-fsanitize=address"
-    [tsan]="-fsanitize=thread"
-    [ubsan]="-fsanitize=undefined"
-)
-declare -A expect=(
-    [asan]="heap-use-after-free"
-    [tsan]="data race"
-    [ubsan]="signed integer overflow"
-)
-
-for compiler in g++ clang++; do
-    for name in asan tsan ubsan; do
-        bin="/tmp/${name}-${compiler}"
-        echo "=== Build ${name} with ${compiler} ==="
-        "$compiler" -std=c++20 -O1 -g ${sanitize[$name]} \
-            -Wl,--dynamic-linker=$loader \
-            "${cpp_files_dir}/${name}.cpp" -o "$bin"
-        echo "=== Run ${name}-${compiler} ==="
-        output=$("$bin" 2>&1) || true
-        echo "$output"
-        echo "$output" | grep -q "${expect[$name]}" ||
-            {
-                echo "expected '${expect[$name]}' from $bin"
-                exit 1
-            }
-        rm -f "$bin"
-    done
-done

docker/nix.Dockerfile

@@ -1,95 +0,0 @@
-ARG BASE_IMAGE=nixos/nix:latest
-
-# Nix builder
-FROM nixos/nix:latest AS builder-source
-
-RUN mkdir -p ~/.config/nix && \
-    echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
-
-# Copy our source and setup our working dir.
-COPY nix/ci-env.nix /tmp/build/nix/ci-env.nix
-COPY nix/packages.nix /tmp/build/nix/packages.nix
-COPY nix/utils.nix /tmp/build/nix/utils.nix
-COPY flake.nix /tmp/build/
-COPY flake.lock /tmp/build/
-WORKDIR /tmp/build
-
-FROM builder-source AS builder
-
-# Build our Nix CI environment (all build tools in a single store path)
-RUN nix \
-    --option filter-syscalls false \
-    build
-
-# Copy the Nix store closure into a directory. The Nix store closure is the
-# entire set of Nix store values that we need for our build.
-RUN mkdir /tmp/nix-store-closure && \
-    cp -R $(nix-store -qR result/) /tmp/nix-store-closure
-
-# Final image
-FROM ${BASE_IMAGE}
-
-# bash is not located at /bin/bash in nixos/nix, so we need to create a symlink to it.
-RUN if [ -d /nix ]; then \
-        ln -s /root/.nix-profile/bin/bash /bin/bash; \
-    fi
-
-# Use Bash as the default shell for RUN commands, using the options
-# `set -o errexit -o pipefail`, and as the entrypoint.
-SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
-ENTRYPOINT ["/bin/bash"]
-
-# Copy /nix/store and the env symlink tree
-COPY --from=builder /tmp/nix-store-closure /nix/store
-COPY --from=builder /tmp/build/result /nix/ci-env
-
-ENV PATH="/nix/ci-env/bin:$PATH"
-
-# Externally-built dynamically-linked ELF binaries hard-code the loader path
-# (e.g. /lib64/ld-linux-x86-64.so.2) in their PT_INTERP header. Copy the
-# loader from the Nix store to that path when the base image doesn't already
-# provide one (i.e. on nixos/nix).
-RUN <<EOF
-case "$(uname -m)" in
-    x86_64)  target=/lib64/ld-linux-x86-64.so.2 ;;
-    aarch64) target=/lib/ld-linux-aarch64.so.1 ;;
-    *) echo "Unsupported arch: $(uname -m)" >&2; exit 1 ;;
-esac
-if [ ! -e "$target" ]; then
-    # Use the loader from the same glibc that gcc links libc against, so
-    # ld-linux and libc/libpthread share GLIBC_PRIVATE symbols at runtime.
-    src="$(dirname "$(gcc -print-file-name=libc.so.6)")/$(basename "$target")"
-    [ -e "$src" ] || { echo "ld-linux not found at $src" >&2; exit 1; }
-    mkdir -p "$(dirname "$target")"
-    cp "$src" "$target"
-fi
-EOF
-
-RUN <<EOF
-ccache --version
-clang --version
-clang++ --version
-clang-format --version
-cmake --version
-conan --version
-g++ --version
-gcc --version
-gcovr --version
-git --version
-make --version
-mold --version
-ninja --version
-perl --version
-pkg-config --version
-pre-commit --version
-python3 --version
-run-clang-tidy --help
-vim --version
-EOF
-
-# Sanity-check that the sanitizer runtimes shipped with g++/clang++ work
-# end-to-end against the system loader.
-COPY docker/cpp_files/ /tmp/cpp_files/
-COPY docker/check-sanitizers.sh /tmp/check-sanitizers.sh
-
-RUN grep -qi ubuntu /etc/os-release 2>/dev/null && /tmp/check-sanitizers.sh /tmp/cpp_files || true

flake.lock

@@ -2,17 +2,18 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1777954456,
-        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
+        "lastModified": 1781173989,
+        "narHash": "sha256-fnzKKPvS+oieI/pTzotA5tkoM47EB1NpaBcgk4R97hE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
+        "rev": "8c91a71d13451abc40eb9dae8910f972f979852f",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable",
-        "type": "indirect"
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "nixpkgs-custom-glibc": {

flake.nix

@@ -1,7 +1,7 @@
 {
   description = "Nix related things for xrpld";
   inputs = {
-    nixpkgs.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     # nixpkgs snapshot (2020-06-30) that shipped glibc 2.31 as the primary
     # version — matches the system libc on Ubuntu 20.04 LTS. Imported
     # manually (flake = false) because this revision predates nixpkgs'

include/xrpl/basics/Expected.h

@@ -1,248 +0,0 @@
-#pragma once
-
-#include <xrpl/basics/contract.h>
-
-#include <boost/outcome.hpp>
-
-#include <stdexcept>
-
-namespace xrpl {
-
-/** Expected is an approximation of std::expected (hoped for in C++23)
-
-    See: http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2021/p0323r10.html
-
-    The implementation is entirely based on boost::outcome_v2::result.
-*/
-
-// Exception thrown by an invalid access to Expected.
-struct BadExpectedAccess : public std::runtime_error
-{
-    BadExpectedAccess() : runtime_error("bad expected access")
-    {
-    }
-};
-
-namespace detail {
-
-// Custom policy for Expected.  Always throw on an invalid access.
-struct ThrowPolicy : public boost::outcome_v2::policy::base
-{
-    template <class Impl>
-    static constexpr void
-    // NOLINTNEXTLINE(readability-identifier-naming)
-    wide_value_check(Impl&& self)
-    {
-        if (!base::_has_value(std::forward<Impl>(self)))
-            Throw<BadExpectedAccess>();
-    }
-
-    template <class Impl>
-    static constexpr void
-    // NOLINTNEXTLINE(readability-identifier-naming)
-    wide_error_check(Impl&& self)
-    {
-        if (!base::_has_error(std::forward<Impl>(self)))
-            Throw<BadExpectedAccess>();
-    }
-
-    template <class Impl>
-    static constexpr void
-    // NOLINTNEXTLINE(readability-identifier-naming)
-    wide_exception_check(Impl&& self)
-    {
-        if (!base::_has_exception(std::forward<Impl>(self)))
-            Throw<BadExpectedAccess>();
-    }
-};
-
-}  // namespace detail
-
-// Definition of Unexpected, which is used to construct the unexpected
-// return type of an Expected.
-template <class E>
-class Unexpected
-{
-public:
-    static_assert(!std::is_same_v<E, void>, "E must not be void");
-
-    Unexpected() = delete;
-
-    constexpr explicit Unexpected(E const& e) : val_(e)
-    {
-    }
-
-    constexpr explicit Unexpected(E&& e) : val_(std::move(e))
-    {
-    }
-
-    [[nodiscard]] constexpr E const&
-    value() const&
-    {
-        return val_;
-    }
-
-    constexpr E&
-    value() &
-    {
-        return val_;
-    }
-
-    constexpr E&&
-    value() &&
-    {
-        return std::move(val_);
-    }
-
-    [[nodiscard]] constexpr E const&&
-    value() const&&
-    {
-        return std::move(val_);
-    }
-
-private:
-    E val_;
-};
-
-// Unexpected deduction guide that converts array to const*.
-template <typename E, std::size_t N>
-Unexpected(E (&)[N]) -> Unexpected<E const*>;
-
-// Definition of Expected.  All of the machinery comes from boost::result.
-template <class T, class E>
-class [[nodiscard]] Expected : private boost::outcome_v2::result<T, E, detail::ThrowPolicy>
-{
-    using Base = boost::outcome_v2::result<T, E, detail::ThrowPolicy>;
-
-public:
-    template <typename U>
-        requires std::convertible_to<U, T>
-    constexpr Expected(U&& r) : Base(boost::outcome_v2::in_place_type_t<T>{}, std::forward<U>(r))
-    {
-    }
-
-    template <typename U>
-        requires std::convertible_to<U, E> && (!std::is_reference_v<U>)
-    constexpr Expected(Unexpected<U> e)
-        : Base(boost::outcome_v2::in_place_type_t<E>{}, std::move(e.value()))
-    {
-    }
-
-    [[nodiscard]] constexpr bool
-    // NOLINTNEXTLINE(readability-identifier-naming)
-    has_value() const
-    {
-        return Base::has_value();
-    }
-
-    [[nodiscard]] constexpr T const&
-    value() const
-    {
-        return Base::value();
-    }
-
-    constexpr T&
-    value()
-    {
-        return Base::value();
-    }
-
-    [[nodiscard]] constexpr E const&
-    error() const&
-    {
-        return Base::error();
-    }
-
-    [[nodiscard]] constexpr E&
-    error() &
-    {
-        return Base::error();
-    }
-
-    [[nodiscard]] constexpr E&&
-    error() &&
-    {
-        return std::move(Base::error());
-    }
-
-    constexpr explicit
-    operator bool() const
-    {
-        return has_value();
-    }
-
-    // Add operator* and operator-> so the Expected API looks a bit more like
-    // what std::expected is likely to look like.  See:
-    // http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2021/p0323r10.html
-    [[nodiscard]] constexpr T&
-    operator*()
-    {
-        return this->value();
-    }
-
-    [[nodiscard]] constexpr T const&
-    operator*() const
-    {
-        return this->value();
-    }
-
-    [[nodiscard]] constexpr T*
-    operator->()
-    {
-        return &this->value();
-    }
-
-    [[nodiscard]] constexpr T const*
-    operator->() const
-    {
-        return &this->value();
-    }
-};
-
-// Specialization of Expected<void, E>.  Allows returning either success
-// (without a value) or the reason for the failure.
-template <class E>
-class [[nodiscard]]
-Expected<void, E> : private boost::outcome_v2::result<void, E, detail::ThrowPolicy>
-{
-    using Base = boost::outcome_v2::result<void, E, detail::ThrowPolicy>;
-
-public:
-    // The default constructor makes a successful Expected<void, E>.
-    // This aligns with std::expected behavior proposed in P0323R10.
-    constexpr Expected() : Base(boost::outcome_v2::success())
-    {
-    }
-
-    template <typename U>
-        requires std::convertible_to<U, E> && (!std::is_reference_v<U>)
-    constexpr Expected(Unexpected<U> e) : Base(E(std::move(e.value())))
-    {
-    }
-
-    [[nodiscard]] constexpr E const&
-    error() const&
-    {
-        return Base::error();
-    }
-
-    [[nodiscard]] constexpr E&
-    error() &
-    {
-        return Base::error();
-    }
-
-    [[nodiscard]] constexpr E&&
-    error() &&
-    {
-        return std::move(Base::error());
-    }
-
-    constexpr explicit
-    operator bool() const
-    {
-        return Base::has_value();
-    }
-};
-
-}  // namespace xrpl

include/xrpl/basics/Number.h

@@ -408,33 +408,40 @@ public:
     }
 
     friend constexpr bool
-    operator<(Number const& x, Number const& y) noexcept
+    operator<(Number const& l, Number const& r) noexcept
     {
+        bool const lneg = l.negative_;
+        bool const rneg = r.negative_;
+
         // If the two amounts have different signs (zero is treated as positive)
         // then the comparison is true iff the left is negative.
-        bool const lneg = x.negative_;
-        bool const rneg = y.negative_;
-
         if (lneg != rneg)
             return lneg;
 
-        // Both have same sign and the left is zero: the right must be
-        // greater than 0.
-        if (x.mantissa_ == 0)
-            return y.mantissa_ > 0;
+        // Both have same sign and the left is zero: both must be non-negative.
+        // If the right is greater than 0, then it is larger, so the comparison is true.
+        if (l.mantissa_ == 0)
+            return r.mantissa_ > 0;
 
-        // Both have same sign, the right is zero and the left is non-zero.
-        if (y.mantissa_ == 0)
+        // Both have same sign, the right is zero and the left is non-zero, so the left must be
+        // positive, and thus is larger, so the comparison is false.
+        if (r.mantissa_ == 0)
             return false;
 
         // Both have the same sign, compare by exponents:
-        if (x.exponent_ > y.exponent_)
+        if (l.exponent_ > r.exponent_)
             return lneg;
-        if (x.exponent_ < y.exponent_)
+        if (l.exponent_ < r.exponent_)
             return !lneg;
 
-        // If equal exponents, compare mantissas
-        return x.mantissa_ < y.mantissa_;
+        // If equal signs and exponents, compare mantissas.
+        if (lneg)
+        {
+            // If negative, the operator is reversed.
+            return l.mantissa_ > r.mantissa_;
+        }
+
+        return l.mantissa_ < r.mantissa_;
     }
 
     /** Return the sign of the amount */

include/xrpl/basics/StringUtilities.h

@@ -11,6 +11,7 @@
 #include <cstdint>
 #include <optional>
 #include <string>
+#include <string_view>
 #include <type_traits>
 
 namespace xrpl {
@@ -95,13 +96,7 @@ strUnHex(std::size_t strSize, Iterator begin, Iterator end)
 }
 
 inline std::optional<Blob>
-strUnHex(std::string const& strSrc)
-{
-    return strUnHex(strSrc.size(), strSrc.cbegin(), strSrc.cend());
-}
-
-inline std::optional<Blob>
-strViewUnHex(std::string_view strSrc)
+strUnHex(std::string_view strSrc)
 {
     return strUnHex(strSrc.size(), strSrc.cbegin(), strSrc.cend());
 }

include/xrpl/basics/TaggedCache.h

@@ -157,7 +157,7 @@ public:
     /** Fetch an item from the cache.
         If the digest was not found, Handler
         will be called with this signature:
-            std::shared_ptr<SLE const>(void)
+            SLE::const_pointer(void)
     */
     template <class Handler>
     SharedPointerType

include/xrpl/basics/base64.h

@@ -36,6 +36,7 @@
 
 #include <cstdint>
 #include <string>
+#include <string_view>
 
 namespace xrpl {
 
@@ -43,7 +44,7 @@ std::string
 base64Encode(std::uint8_t const* data, std::size_t len);
 
 inline std::string
-base64Encode(std::string const& s)
+base64Encode(std::string_view s)
 {
     return base64Encode(reinterpret_cast<std::uint8_t const*>(s.data()), s.size());
 }

include/xrpl/basics/base_uint.h

@@ -5,7 +5,6 @@
 
 #pragma once
 
-#include <xrpl/basics/Expected.h>
 #include <xrpl/basics/Slice.h>
 #include <xrpl/basics/contract.h>
 #include <xrpl/basics/hardened_hash.h>
@@ -20,6 +19,7 @@
 #include <algorithm>
 #include <array>
 #include <cstring>
+#include <expected>
 #include <type_traits>
 
 namespace xrpl {
@@ -177,7 +177,7 @@ private:
         BadChar,
     };
 
-    constexpr Expected<decltype(data_), ParseResult>
+    constexpr std::expected<decltype(data_), ParseResult>
     parseFromStringView(std::string_view sv) noexcept
     {
         // Local lambda that converts a single hex char to four bits and
@@ -216,7 +216,7 @@ private:
         }
 
         if (sv.size() != size() * 2)
-            return Unexpected(ParseResult::BadLength);
+            return std::unexpected(ParseResult::BadLength);
 
         std::size_t i = 0u;
         auto in = sv.begin();
@@ -227,7 +227,7 @@ private:
             {
                 if (auto const result = hexCharToUInt(*in++, shift, accum);
                     result != ParseResult::Okay)
-                    return Unexpected(result);
+                    return std::unexpected(result);
             }
             ret[i++] = accum;
         }

include/xrpl/basics/join.h

@@ -1,12 +1,13 @@
 #pragma once
 
 #include <string>
+#include <string_view>
 
 namespace xrpl {
 
 template <class Stream, class Iter>
 Stream&
-join(Stream& s, Iter iter, Iter end, std::string const& delimiter)
+join(Stream& s, Iter iter, Iter end, std::string_view delimiter)
 {
     if (iter == end)
         return s;

include/xrpl/beast/hash/xxhasher.h

@@ -7,8 +7,11 @@
 #include <array>
 #include <cstddef>
 #include <cstdint>
+#include <cstring>
+#include <new>
 #include <optional>
 #include <span>
+#include <type_traits>
 
 namespace beast {
 

include/xrpl/beast/insight/Counter.h

@@ -3,6 +3,7 @@
 #include <xrpl/beast/insight/CounterImpl.h>
 
 #include <memory>
+#include <utility>
 
 namespace beast::insight {
 
@@ -29,7 +30,7 @@ public:
         factory function in the Collector interface.
         @see Collector.
     */
-    explicit Counter(std::shared_ptr<CounterImpl> const& impl) : impl_(impl)
+    explicit Counter(std::shared_ptr<CounterImpl> impl) : impl_(std::move(impl))
     {
     }
 

include/xrpl/beast/insight/Event.h

@@ -4,6 +4,7 @@
 
 #include <chrono>
 #include <memory>
+#include <utility>
 
 namespace beast::insight {
 
@@ -31,7 +32,7 @@ public:
         factory function in the Collector interface.
         @see Collector.
     */
-    explicit Event(std::shared_ptr<EventImpl> const& impl) : impl_(impl)
+    explicit Event(std::shared_ptr<EventImpl> impl) : impl_(std::move(impl))
     {
     }
 

include/xrpl/beast/insight/Gauge.h

@@ -3,6 +3,7 @@
 #include <xrpl/beast/insight/GaugeImpl.h>
 
 #include <memory>
+#include <utility>
 
 namespace beast::insight {
 
@@ -31,7 +32,7 @@ public:
         factory function in the Collector interface.
         @see Collector.
     */
-    explicit Gauge(std::shared_ptr<GaugeImpl> const& impl) : impl_(impl)
+    explicit Gauge(std::shared_ptr<GaugeImpl> impl) : impl_(std::move(impl))
     {
     }
 

include/xrpl/beast/insight/Hook.h

@@ -3,6 +3,7 @@
 #include <xrpl/beast/insight/HookImpl.h>
 
 #include <memory>
+#include <utility>
 
 namespace beast::insight {
 
@@ -20,7 +21,7 @@ public:
         factory function in the Collector interface.
         @see Collector.
     */
-    explicit Hook(std::shared_ptr<HookImpl> const& impl) : impl_(impl)
+    explicit Hook(std::shared_ptr<HookImpl> impl) : impl_(std::move(impl))
     {
     }
 

include/xrpl/beast/insight/Meter.h

@@ -3,6 +3,7 @@
 #include <xrpl/beast/insight/MeterImpl.h>
 
 #include <memory>
+#include <utility>
 
 namespace beast::insight {
 
@@ -28,7 +29,7 @@ public:
         factory function in the Collector interface.
         @see Collector.
     */
-    explicit Meter(std::shared_ptr<MeterImpl> const& impl) : impl_(impl)
+    explicit Meter(std::shared_ptr<MeterImpl> impl) : impl_(std::move(impl))
     {
     }
 

include/xrpl/beast/unit_test/match.h

@@ -41,7 +41,7 @@ private:
 
 public:
     template <class = void>
-    explicit Selector(ModeT mode, std::string const& pattern = "");
+    explicit Selector(ModeT mode, std::string pattern = "");
 
     template <class = void>
     bool
@@ -51,9 +51,9 @@ public:
 //------------------------------------------------------------------------------
 
 template <class>
-Selector::Selector(ModeT mode, std::string const& pattern) : mode_(mode), pat_(pattern)
+Selector::Selector(ModeT mode, std::string pattern) : mode_(mode), pat_(std::move(pattern))
 {
-    if (mode_ == ModeT::Automatch && pattern.empty())
+    if (mode_ == ModeT::Automatch && pat_.empty())
         mode_ = ModeT::All;
 }
 

include/xrpl/beast/utility/instrumentation.h

@@ -11,6 +11,8 @@
 // Macros below are copied from antithesis_sdk.h and slightly simplified
 // The duplication is because Visual Studio 2019 cannot compile that header
 // even with the option -Zc:__cplusplus added.
+// NOTE: cond must not contain bare commas outside () or []. Commas inside {}
+// are not protected by the preprocessor and would be parsed as extra arguments.
 #define ALWAYS(cond, message, ...) assert((message) && (cond))
 #define ALWAYS_OR_UNREACHABLE(cond, message) assert((message) && (cond))
 #define SOMETIMES(cond, message, ...)
@@ -22,6 +24,8 @@
 #define XRPL_ASSERT_PARTS(cond, function, description, ...) \
     XRPL_ASSERT(cond, function " : " description)
 
+#define XRPL_ASSERT_IF(guard, cond, message) XRPL_ASSERT(!(guard) || (cond), message)
+
 // How to use the instrumentation macros:
 //
 // * XRPL_ASSERT if cond must be true but the line might not be reached during
@@ -29,6 +33,14 @@
 // * XRPL_ASSERT_PARTS is for convenience, and works like XRPL_ASSERT, but
 //   splits the message param into "function" and "description", then joins
 //   them with " : " before passing to XRPL_ASSERT.
+// * XRPL_ASSERT_IF(guard, cond, message) asserts the implication
+//   `guard => cond`: it can only fail when guard is true (e.g. an amendment
+//   is enabled) and cond is false. Unlike `if (guard) XRPL_ASSERT(...)`, the
+//   assertion site is always evaluated, so the fuzzer registers it
+//   unconditionally; cond itself is short-circuited and only evaluated when
+//   guard is true. NOTE: do not rely on side effects in guard — in release
+//   builds the assertion body is stripped, and the compiler may optimize away
+//   a side-effect-free guard entirely.
 // * ALWAYS if cond must be true _and_ the line must be reached during fuzzing.
 //   Same like `assert` in normal use.
 // * REACHABLE if the line must be reached during fuzzing

include/xrpl/config/Constants.h

@@ -0,0 +1,180 @@
+#pragma once
+
+namespace xrpl {
+
+struct Sections
+{
+    static constexpr auto kAmendments = "amendments";
+    static constexpr auto kAmendmentMajorityTime = "amendment_majority_time";
+    static constexpr auto kBetaRpcApi = "beta_rpc_api";
+    static constexpr auto kClusterNodes = "cluster_nodes";
+    static constexpr auto kCompression = "compression";
+    static constexpr auto kCrawl = "crawl";
+    static constexpr auto kDatabasePath = "database_path";
+    static constexpr auto kDebugLogfile = "debug_logfile";
+    static constexpr auto kElbSupport = "elb_support";
+    static constexpr auto kFeatures = "features";
+    static constexpr auto kFeeDefault = "fee_default";
+    static constexpr auto kFetchDepth = "fetch_depth";
+    static constexpr auto kHashrouter = "hashrouter";
+    static constexpr auto kImportNodeDatabase = "import_db";
+    static constexpr auto kInsight = "insight";
+    static constexpr auto kIoWorkers = "io_workers";
+    static constexpr auto kIps = "ips";
+    static constexpr auto kIpsFixed = "ips_fixed";
+    static constexpr auto kLedgerHistory = "ledger_history";
+    static constexpr auto kLedgerReplay = "ledger_replay";
+    static constexpr auto kLedgerTxTables = "ledger_tx_tables";
+    static constexpr auto kMaxTransactions = "max_transactions";
+    static constexpr auto kNetworkId = "network_id";
+    static constexpr auto kNetworkQuorum = "network_quorum";
+    static constexpr auto kNodeDatabase = "node_db";
+    static constexpr auto kNodeSeed = "node_seed";
+    static constexpr auto kNodeSize = "node_size";
+    static constexpr auto kOverlay = "overlay";
+    static constexpr auto kPathSearch = "path_search";
+    static constexpr auto kPathSearchFast = "path_search_fast";
+    static constexpr auto kPathSearchMax = "path_search_max";
+    static constexpr auto kPathSearchOld = "path_search_old";
+    static constexpr auto kPeerPrivate = "peer_private";
+    static constexpr auto kPeersInMax = "peers_in_max";
+    static constexpr auto kPeersMax = "peers_max";
+    static constexpr auto kPeersOutMax = "peers_out_max";
+    static constexpr auto kPerf = "perf";
+    static constexpr auto kPortGrpc = "port_grpc";
+    static constexpr auto kPortPeer = "port_peer";
+    static constexpr auto kPortRpc = "port_rpc";
+    static constexpr auto kPortWs = "port_ws";
+    static constexpr auto kPortWssAdmin = "port_wss_admin";
+    static constexpr auto kPrefetchWorkers = "prefetch_workers";
+    static constexpr auto kReduceRelay = "reduce_relay";
+    static constexpr auto kRelationalDb = "relational_db";
+    static constexpr auto kRelayProposals = "relay_proposals";
+    static constexpr auto kRelayValidations = "relay_validations";
+    static constexpr auto kRpcStartup = "rpc_startup";
+    static constexpr auto kServer = "server";
+    static constexpr auto kServerDomain = "server_domain";
+    static constexpr auto kSigningSupport = "signing_support";
+    static constexpr auto kSntp = "sntp_servers";
+    static constexpr auto kSqdb = "sqdb";
+    static constexpr auto kSqlite = "sqlite";
+    static constexpr auto kSslVerify = "ssl_verify";
+    static constexpr auto kSslVerifyDir = "ssl_verify_dir";
+    static constexpr auto kSslVerifyFile = "ssl_verify_file";
+    static constexpr auto kSweepInterval = "sweep_interval";
+    static constexpr auto kTransactionQueue = "transaction_queue";
+    static constexpr auto kValidationSeed = "validation_seed";
+    static constexpr auto kValidatorKeys = "validator_keys";
+    static constexpr auto kValidatorKeyRevocation = "validator_key_revocation";
+    static constexpr auto kValidatorListKeys = "validator_list_keys";
+    static constexpr auto kValidatorListSites = "validator_list_sites";
+    static constexpr auto kValidatorListThreshold = "validator_list_threshold";
+    static constexpr auto kValidatorToken = "validator_token";
+    static constexpr auto kValidators = "validators";
+    static constexpr auto kValidatorsFile = "validators_file";
+    static constexpr auto kVetoAmendments = "veto_amendments";
+    static constexpr auto kVl = "vl";
+    static constexpr auto kVoting = "voting";
+    static constexpr auto kWorkers = "workers";
+};
+
+struct Keys
+{
+    static constexpr auto kAccountReserve = "account_reserve";
+    static constexpr auto kAddress = "address";
+    static constexpr auto kAdmin = "admin";
+    static constexpr auto kAdminPassword = "admin_password";
+    static constexpr auto kAdminUser = "admin_user";
+    static constexpr auto kAdvisoryDelete = "advisory_delete";
+    static constexpr auto kAgeThresholdSeconds = "age_threshold_seconds";
+    static constexpr auto kBackOff = "backOff";
+    static constexpr auto kBackOffMilliseconds = "back_off_milliseconds";
+    static constexpr auto kBackend = "backend";
+    static constexpr auto kBbtOptions = "bbt_options";
+    static constexpr auto kBgThreads = "bg_threads";
+    static constexpr auto kBlockSize = "block_size";
+    static constexpr auto kCacheAge = "cache_age";
+    static constexpr auto kCacheMb = "cache_mb";
+    static constexpr auto kCacheSize = "cache_size";
+    static constexpr auto kClientMaxWindowBits = "client_max_window_bits";
+    static constexpr auto kClientNoContextTakeover = "client_no_context_takeover";
+    static constexpr auto kCompressLevel = "compress_level";
+    static constexpr auto kCounts = "counts";
+    static constexpr auto kDeleteBatch = "delete_batch";
+    static constexpr auto kEarliestSeq = "earliest_seq";
+    static constexpr auto kFastLoad = "fast_load";
+    static constexpr auto kFileSizeMb = "file_size_mb";
+    static constexpr auto kFileSizeMult = "file_size_mult";
+    static constexpr auto kFilterBits = "filter_bits";
+    static constexpr auto kFilterFull = "filter_full";
+    static constexpr auto kHardSet = "hard_set";
+    static constexpr auto kHighThreads = "high_threads";
+    static constexpr auto kHoldTime = "hold_time";
+    static constexpr auto kIp = "ip";
+    static constexpr auto kJournalMode = "journal_mode";
+    static constexpr auto kJournalSizeLimit = "journal_size_limit";
+    static constexpr auto kLedgersInQueue = "ledgers_in_queue";
+    static constexpr auto kLimit = "limit";
+    static constexpr auto kLogInterval = "log_interval";
+    static constexpr auto kMaxDivergedTime = "max_diverged_time";
+    static constexpr auto kMaxLedgerCountsToStore = "max_ledger_counts_to_store";
+    static constexpr auto kMaxUnknownTime = "max_unknown_time";
+    static constexpr auto kMaximumTxnInLedger = "maximum_txn_in_ledger";
+    static constexpr auto kMaximumTxnPerAccount = "maximum_txn_per_account";
+    static constexpr auto kMemoryLevel = "memory_level";
+    static constexpr auto kMinLedgersToComputeSizeLimit = "min_ledgers_to_compute_size_limit";
+    static constexpr auto kMinimumEscalationMultiplier = "minimum_escalation_multiplier";
+    static constexpr auto kMinimumLastLedgerBuffer = "minimum_last_ledger_buffer";
+    static constexpr auto kMinimumQueueSize = "minimum_queue_size";
+    static constexpr auto kMinimumTxnInLedger = "minimum_txn_in_ledger";
+    static constexpr auto kMinimumTxnInLedgerStandalone = "minimum_txn_in_ledger_standalone";
+    static constexpr auto kNormalConsensusIncreasePercent = "normal_consensus_increase_percent";
+    static constexpr auto kNudbBlockSize = "nudb_block_size";
+    static constexpr auto kOnlineDelete = "online_delete";
+    static constexpr auto kOpenFiles = "open_files";
+    static constexpr auto kOptions = "options";
+    static constexpr auto kOverlay = "overlay";
+    static constexpr auto kOwnerReserve = "owner_reserve";
+    static constexpr auto kPageSize = "page_size";
+    static constexpr auto kPassword = "password";
+    static constexpr auto kPath = "path";
+    static constexpr auto kPermessageDeflate = "permessage_deflate";
+    static constexpr auto kPort = "port";
+    static constexpr auto kPrefix = "prefix";
+    static constexpr auto kProtocol = "protocol";
+    static constexpr auto kRecoveryWaitSeconds = "recovery_wait_seconds";
+    static constexpr auto kReferenceFee = "reference_fee";
+    static constexpr auto kRelayTime = "relay_time";
+    static constexpr auto kRetrySequencePercent = "retry_sequence_percent";
+    static constexpr auto kRqBundle = "rq_bundle";
+    static constexpr auto kSafetyLevel = "safety_level";
+    static constexpr auto kSecureGateway = "secure_gateway";
+    static constexpr auto kSendQueueLimit = "send_queue_limit";
+    static constexpr auto kServer = "server";
+    static constexpr auto kServerMaxWindowBits = "server_max_window_bits";
+    static constexpr auto kServerNoContextTakeover = "server_no_context_takeover";
+    static constexpr auto kSlowConsensusDecreasePercent = "slow_consensus_decrease_percent";
+    static constexpr auto kSslCert = "ssl_cert";
+    static constexpr auto kSslCertChain = "ssl_cert_chain";
+    static constexpr auto kSslChain = "ssl_chain";
+    static constexpr auto kSslCiphers = "ssl_ciphers";
+    static constexpr auto kSslClientCa = "ssl_client_ca";
+    static constexpr auto kSslKey = "ssl_key";
+    static constexpr auto kSynchronous = "synchronous";
+    static constexpr auto kTargetTxnInLedger = "target_txn_in_ledger";
+    static constexpr auto kTempStore = "temp_store";
+    static constexpr auto kTxEnable = "tx_enable";
+    static constexpr auto kTxMetrics = "tx_metrics";
+    static constexpr auto kTxMinPeers = "tx_min_peers";
+    static constexpr auto kTxRelayPercentage = "tx_relay_percentage";
+    static constexpr auto kType = "type";
+    static constexpr auto kUniversalCompaction = "universal_compaction";
+    static constexpr auto kUnl = "unl";
+    static constexpr auto kUseTxTables = "use_tx_tables";
+    static constexpr auto kUser = "user";
+    static constexpr auto kVpBaseSquelchEnable = "vp_base_squelch_enable";
+    static constexpr auto kVpBaseSquelchMaxSelectedPeers = "vp_base_squelch_max_selected_peers";
+    static constexpr auto kVpEnable = "vp_enable";
+};
+
+}  // namespace xrpl

include/xrpl/core/PerfLog.h

@@ -1,6 +1,5 @@
 #pragma once
 
-#include <xrpl/basics/BasicConfig.h>
 #include <xrpl/core/JobTypes.h>
 #include <xrpl/json/json_value.h>
 
@@ -18,6 +17,7 @@ class Journal;
 
 namespace xrpl {
 class Application;
+class Section;
 namespace perf {
 
 /**

include/xrpl/crypto/RFC1751.h

@@ -1,6 +1,7 @@
 #pragma once
 
 #include <string>
+#include <string_view>
 #include <vector>
 
 namespace xrpl {
@@ -34,7 +35,7 @@ private:
     static void
     standard(std::string& strWord);
     static int
-    wsrch(std::string const& strWord, int iMin, int iMax);
+    wsrch(std::string_view strWord, int iMin, int iMax);
     static int
     etob(std::string& strData, std::vector<std::string> vsHuman);
 

include/xrpl/ledger/ApplyView.h

@@ -123,7 +123,7 @@ private:
         bool preserveOrder,
         Keylet const& directory,
         uint256 const& key,
-        std::function<void(std::shared_ptr<SLE> const&)> const& describe);
+        std::function<void(SLE::ref)> const& describe);
 
 public:
     ApplyView() = default;
@@ -153,7 +153,7 @@ public:
 
         @return `nullptr` if the key is not present
     */
-    virtual std::shared_ptr<SLE>
+    virtual SLE::pointer
     peek(Keylet const& k) = 0;
 
     /** Remove a peeked SLE.
@@ -168,7 +168,7 @@ public:
             The key is no longer associated with the SLE.
     */
     virtual void
-    erase(std::shared_ptr<SLE> const& sle) = 0;
+    erase(SLE::ref sle) = 0;
 
     /** Insert a new state SLE
 
@@ -189,7 +189,7 @@ public:
         @note The key is taken from the SLE
     */
     virtual void
-    insert(std::shared_ptr<SLE> const& sle) = 0;
+    insert(SLE::ref sle) = 0;
 
     /** Indicate changes to a peeked SLE
 
@@ -208,7 +208,7 @@ public:
     */
     /** @{ */
     virtual void
-    update(std::shared_ptr<SLE> const& sle) = 0;
+    update(SLE::ref sle) = 0;
 
     //--------------------------------------------------------------------------
 
@@ -301,7 +301,7 @@ public:
     dirAppend(
         Keylet const& directory,
         Keylet const& key,
-        std::function<void(std::shared_ptr<SLE> const&)> const& describe)
+        std::function<void(SLE::ref)> const& describe)
     {
         if (key.type != ltOFFER)
         {
@@ -340,7 +340,7 @@ public:
     dirInsert(
         Keylet const& directory,
         uint256 const& key,
-        std::function<void(std::shared_ptr<SLE> const&)> const& describe)
+        std::function<void(SLE::ref)> const& describe)
     {
         return dirAdd(false, directory, key, describe);
     }
@@ -349,7 +349,7 @@ public:
     dirInsert(
         Keylet const& directory,
         Keylet const& key,
-        std::function<void(std::shared_ptr<SLE> const&)> const& describe)
+        std::function<void(SLE::ref)> const& describe)
     {
         return dirAdd(false, directory, key.key, describe);
     }
@@ -411,7 +411,7 @@ createRoot(
     ApplyView& view,
     Keylet const& directory,
     uint256 const& key,
-    std::function<void(std::shared_ptr<SLE> const&)> const& describe);
+    std::function<void(SLE::ref)> const& describe);
 
 auto
 findPreviousPage(ApplyView& view, Keylet const& directory, SLE::ref start);
@@ -434,7 +434,7 @@ insertPage(
     SLE::ref next,
     uint256 const& key,
     Keylet const& directory,
-    std::function<void(std::shared_ptr<SLE> const&)> const& describe);
+    std::function<void(SLE::ref)> const& describe);
 
 }  // namespace directory
 }  // namespace xrpl

include/xrpl/ledger/ApplyViewImpl.h

@@ -67,8 +67,8 @@ public:
         std::function<void(
             uint256 const& key,
             bool isDelete,
-            std::shared_ptr<SLE const> const& before,
-            std::shared_ptr<SLE const> const& after)> const& func);
+            SLE::const_ref before,
+            SLE::const_ref after)> const& func);
 
 private:
     std::optional<STAmount> deliver_;

include/xrpl/ledger/BookDirs.h

@@ -11,13 +11,13 @@ private:
     uint256 const root_;
     uint256 const nextQuality_;
     uint256 const key_;
-    std::shared_ptr<SLE const> sle_ = nullptr;
+    SLE::const_pointer sle_ = nullptr;
     unsigned int entry_ = 0;
     uint256 index_;
 
 public:
     class const_iterator;  // NOLINT(readability-identifier-naming)
-    using value_type = std::shared_ptr<SLE const>;
+    using value_type = SLE::const_pointer;
 
     BookDirs(ReadView const&, Book const&);
 
@@ -76,7 +76,7 @@ private:
     uint256 nextQuality_;
     uint256 key_;
     uint256 curKey_;
-    std::shared_ptr<SLE const> sle_;
+    SLE::const_pointer sle_;
     unsigned int entry_ = 0;
     uint256 index_;
     std::optional<value_type> mutable cache_;

include/xrpl/ledger/CachedView.h

@@ -36,7 +36,7 @@ public:
     bool
     exists(Keylet const& k) const override;
 
-    std::shared_ptr<SLE const>
+    SLE::const_pointer
     read(Keylet const& k) const override;
 
     bool

include/xrpl/ledger/CanonicalTXSet.h

@@ -93,7 +93,7 @@ public:
     }
 
     void
-    insert(std::shared_ptr<STTx const> const& txn);
+    insert(std::shared_ptr<STTx const> txn);
 
     // Pops the next transaction on account that follows seqProx in the
     // sort order.  Normally called when a transaction is successfully

include/xrpl/ledger/Dir.h

@@ -22,12 +22,12 @@ class Dir
 private:
     ReadView const* view_ = nullptr;
     Keylet root_;
-    std::shared_ptr<SLE const> sle_;
+    SLE::const_pointer sle_;
     STVector256 const* indexes_ = nullptr;
 
 public:
     class ConstIterator;
-    using value_type = std::shared_ptr<SLE const>;
+    using value_type = SLE::const_pointer;
 
     Dir(ReadView const&, Keylet const&);
 
@@ -102,7 +102,7 @@ private:
     Keylet page_;
     uint256 index_;
     std::optional<value_type> mutable cache_;
-    std::shared_ptr<SLE const> sle_;
+    SLE::const_pointer sle_;
     STVector256 const* indexes_ = nullptr;
     std::vector<uint256>::const_iterator it_;
 };

include/xrpl/ledger/Ledger.h

@@ -166,7 +166,7 @@ public:
     std::optional<uint256>
     succ(uint256 const& key, std::optional<uint256> const& last = std::nullopt) const override;
 
-    std::shared_ptr<SLE const>
+    SLE::const_pointer
     read(Keylet const& k) const override;
 
     std::unique_ptr<SlesType::iter_base>
@@ -202,16 +202,16 @@ public:
     //
 
     void
-    rawErase(std::shared_ptr<SLE> const& sle) override;
+    rawErase(SLE::ref sle) override;
 
     void
-    rawInsert(std::shared_ptr<SLE> const& sle) override;
+    rawInsert(SLE::ref sle) override;
 
     void
     rawErase(uint256 const& key);
 
     void
-    rawReplace(std::shared_ptr<SLE> const& sle) override;
+    rawReplace(SLE::ref sle) override;
 
     void
     rawDestroyXRP(XRPAmount const& fee) override
@@ -361,7 +361,7 @@ public:
     bool
     isVotingLedger() const;
 
-    std::shared_ptr<SLE>
+    SLE::pointer
     peek(Keylet const& k) const;
 
 private:

include/xrpl/ledger/OpenView.h

@@ -197,7 +197,7 @@ public:
     std::optional<key_type>
     succ(key_type const& key, std::optional<key_type> const& last = std::nullopt) const override;
 
-    std::shared_ptr<SLE const>
+    SLE::const_pointer
     read(Keylet const& k) const override;
 
     std::unique_ptr<SlesType::iter_base>
@@ -224,13 +224,13 @@ public:
     // RawView
 
     void
-    rawErase(std::shared_ptr<SLE> const& sle) override;
+    rawErase(SLE::ref sle) override;
 
     void
-    rawInsert(std::shared_ptr<SLE> const& sle) override;
+    rawInsert(SLE::ref sle) override;
 
     void
-    rawReplace(std::shared_ptr<SLE> const& sle) override;
+    rawReplace(SLE::ref sle) override;
 
     void
     rawDestroyXRP(XRPAmount const& fee) override;

include/xrpl/ledger/RawView.h

@@ -25,7 +25,7 @@ public:
         can calculate metadata.
     */
     virtual void
-    rawErase(std::shared_ptr<SLE> const& sle) = 0;
+    rawErase(SLE::ref sle) = 0;
 
     /** Unconditionally insert a state item.
 
@@ -39,7 +39,7 @@ public:
         @note The key is taken from the SLE
     */
     virtual void
-    rawInsert(std::shared_ptr<SLE> const& sle) = 0;
+    rawInsert(SLE::ref sle) = 0;
 
     /** Unconditionally replace a state item.
 
@@ -54,7 +54,7 @@ public:
         @note The key is taken from the SLE
     */
     virtual void
-    rawReplace(std::shared_ptr<SLE> const& sle) = 0;
+    rawReplace(SLE::ref sle) = 0;
 
     /** Destroy XRP.
 

include/xrpl/ledger/ReadView.h

@@ -34,9 +34,9 @@ public:
 
     using key_type = uint256;
 
-    using mapped_type = std::shared_ptr<SLE const>;
+    using mapped_type = SLE::const_pointer;
 
-    struct SlesType : detail::ReadViewFwdRange<std::shared_ptr<SLE const>>
+    struct SlesType : detail::ReadViewFwdRange<SLE::const_pointer>
     {
         explicit SlesType(ReadView const& view);
         [[nodiscard]] Iterator
@@ -143,7 +143,7 @@ public:
         @return `nullptr` if the key is not present or
                 if the type does not match.
     */
-    [[nodiscard]] virtual std::shared_ptr<SLE const>
+    [[nodiscard]] virtual SLE::const_pointer
     read(Keylet const& k) const = 0;
 
     // Accounts in a payment are not allowed to use assets acquired during that

include/xrpl/ledger/View.h

@@ -12,7 +12,6 @@
 #include <cstdint>
 #include <functional>
 #include <map>
-#include <memory>
 #include <optional>
 #include <set>
 #include <utility>
@@ -135,7 +134,7 @@ areCompatible(
 dirLink(
     ApplyView& view,
     AccountID const& owner,
-    std::shared_ptr<SLE>& object,
+    SLE::pointer& object,
     SF_UINT64 const& node = sfOwnerNode);
 
 /** Checks that can withdraw funds from an object to itself or a destination.
@@ -215,8 +214,8 @@ doWithdraw(
  * (if should not be skipped) and if the entry should be skipped. The status
  * is always tesSUCCESS if the entry should be skipped.
  */
-using EntryDeleter = std::function<
-    std::pair<TER, SkipEntry>(LedgerEntryType, uint256 const&, std::shared_ptr<SLE>&)>;
+using EntryDeleter =
+    std::function<std::pair<TER, SkipEntry>(LedgerEntryType, uint256 const&, SLE::pointer&)>;
 /** Cleanup owner directory entries on account delete.
  * Used for a regular and AMM accounts deletion. The caller
  * has to provide the deleter function, which handles details of

include/xrpl/ledger/detail/ApplyStateTable.h

@@ -8,8 +8,6 @@
 #include <xrpl/protocol/TxMeta.h>
 #include <xrpl/protocol/XRPAmount.h>
 
-#include <memory>
-
 namespace xrpl::detail {
 
 // Helper class that buffers modifications
@@ -26,7 +24,7 @@ private:
         Modify,
     };
 
-    using items_t = std::map<key_type, std::pair<Action, std::shared_ptr<SLE>>>;
+    using items_t = std::map<key_type, std::pair<Action, SLE::pointer>>;
 
     items_t items_;
     XRPAmount dropsDestroyed_{0};
@@ -60,10 +58,10 @@ public:
     [[nodiscard]] std::optional<key_type>
     succ(ReadView const& base, key_type const& key, std::optional<key_type> const& last) const;
 
-    [[nodiscard]] std::shared_ptr<SLE const>
+    [[nodiscard]] SLE::const_pointer
     read(ReadView const& base, Keylet const& k) const;
 
-    std::shared_ptr<SLE>
+    SLE::pointer
     peek(ReadView const& base, Keylet const& k);
 
     [[nodiscard]] std::size_t
@@ -75,23 +73,23 @@ public:
         std::function<void(
             uint256 const& key,
             bool isDelete,
-            std::shared_ptr<SLE const> const& before,
-            std::shared_ptr<SLE const> const& after)> const& func) const;
+            SLE::const_ref before,
+            SLE::const_ref after)> const& func) const;
 
     void
-    erase(ReadView const& base, std::shared_ptr<SLE> const& sle);
+    erase(ReadView const& base, SLE::ref sle);
 
     void
-    rawErase(ReadView const& base, std::shared_ptr<SLE> const& sle);
+    rawErase(ReadView const& base, SLE::ref sle);
 
     void
-    insert(ReadView const& base, std::shared_ptr<SLE> const& sle);
+    insert(ReadView const& base, SLE::ref sle);
 
     void
-    update(ReadView const& base, std::shared_ptr<SLE> const& sle);
+    update(ReadView const& base, SLE::ref sle);
 
     void
-    replace(ReadView const& base, std::shared_ptr<SLE> const& sle);
+    replace(ReadView const& base, SLE::ref sle);
 
     void
     destroyXRP(XRPAmount const& fee);
@@ -104,12 +102,12 @@ public:
     }
 
 private:
-    using Mods = hash_map<key_type, std::shared_ptr<SLE>>;
+    using Mods = hash_map<key_type, SLE::pointer>;
 
     static void
-    threadItem(TxMeta& meta, std::shared_ptr<SLE> const& to);
+    threadItem(TxMeta& meta, SLE::ref to);
 
-    std::shared_ptr<SLE>
+    SLE::pointer
     getForMod(ReadView const& base, key_type const& key, Mods& mods, beast::Journal j);
 
     void
@@ -119,7 +117,7 @@ private:
     threadOwners(
         ReadView const& base,
         TxMeta& meta,
-        std::shared_ptr<SLE const> const& sle,
+        SLE::const_ref sle,
         Mods& mods,
         beast::Journal j);
 };

include/xrpl/ledger/detail/ApplyViewBase.h

@@ -40,7 +40,7 @@ public:
     [[nodiscard]] std::optional<key_type>
     succ(key_type const& key, std::optional<key_type> const& last = std::nullopt) const override;
 
-    [[nodiscard]] std::shared_ptr<SLE const>
+    [[nodiscard]] SLE::const_pointer
     read(Keylet const& k) const override;
 
     [[nodiscard]] std::unique_ptr<SlesType::iter_base>
@@ -69,28 +69,28 @@ public:
     [[nodiscard]] ApplyFlags
     flags() const override;
 
-    std::shared_ptr<SLE>
+    SLE::pointer
     peek(Keylet const& k) override;
 
     void
-    erase(std::shared_ptr<SLE> const& sle) override;
+    erase(SLE::ref sle) override;
 
     void
-    insert(std::shared_ptr<SLE> const& sle) override;
+    insert(SLE::ref sle) override;
 
     void
-    update(std::shared_ptr<SLE> const& sle) override;
+    update(SLE::ref sle) override;
 
     // RawView
 
     void
-    rawErase(std::shared_ptr<SLE> const& sle) override;
+    rawErase(SLE::ref sle) override;
 
     void
-    rawInsert(std::shared_ptr<SLE> const& sle) override;
+    rawInsert(SLE::ref sle) override;
 
     void
-    rawReplace(std::shared_ptr<SLE> const& sle) override;
+    rawReplace(SLE::ref sle) override;
 
     void
     rawDestroyXRP(XRPAmount const& feeDrops) override;

include/xrpl/ledger/detail/RawStateTable.h

@@ -49,15 +49,15 @@ public:
     succ(ReadView const& base, key_type const& key, std::optional<key_type> const& last) const;
 
     void
-    erase(std::shared_ptr<SLE> const& sle);
+    erase(SLE::ref sle);
 
     void
-    insert(std::shared_ptr<SLE> const& sle);
+    insert(SLE::ref sle);
 
     void
-    replace(std::shared_ptr<SLE> const& sle);
+    replace(SLE::ref sle);
 
-    [[nodiscard]] std::shared_ptr<SLE const>
+    [[nodiscard]] SLE::const_pointer
     read(ReadView const& base, Keylet const& k) const;
 
     void
@@ -84,10 +84,10 @@ private:
     struct SleAction
     {
         Action action;
-        std::shared_ptr<SLE> sle;
+        SLE::pointer sle;
 
         // Constructor needed for emplacement in std::map
-        SleAction(Action action, std::shared_ptr<SLE> const& sle) : action(action), sle(sle)
+        SleAction(Action action, SLE::pointer sle) : action(action), sle(std::move(sle))
         {
         }
     };

include/xrpl/ledger/helpers/AMMHelpers.h

@@ -1,6 +1,5 @@
 #pragma once
 
-#include <xrpl/basics/Expected.h>
 #include <xrpl/basics/Log.h>
 #include <xrpl/basics/Number.h>
 #include <xrpl/beast/utility/Journal.h>
@@ -18,6 +17,8 @@
 #include <xrpl/protocol/STAmount.h>
 #include <xrpl/protocol/STLedgerEntry.h>
 
+#include <expected>
+
 namespace xrpl {
 
 namespace detail {
@@ -741,7 +742,7 @@ ammPoolHolds(
  * provided then they are used as the AMM token pair issues.
  * Otherwise the missing issues are fetched from ammSle.
  */
-Expected<std::tuple<STAmount, STAmount, STAmount>, TER>
+std::expected<std::tuple<STAmount, STAmount, STAmount>, TER>
 ammHolds(
     ReadView const& view,
     SLE const& ammSle,
@@ -792,7 +793,7 @@ deleteAMMAccount(Sandbox& view, Asset const& asset, Asset const& asset2, beast::
 void
 initializeFeeAuctionVote(
     ApplyView& view,
-    std::shared_ptr<SLE>& ammSle,
+    SLE::pointer& ammSle,
     AccountID const& account,
     Asset const& lptAsset,
     std::uint16_t tfee);
@@ -801,18 +802,18 @@ initializeFeeAuctionVote(
  * otherwise. Return tecINTERNAL if encountered an unexpected condition,
  * for instance Liquidity Provider has more than one LPToken trustline.
  */
-Expected<bool, TER>
+std::expected<bool, TER>
 isOnlyLiquidityProvider(ReadView const& view, Issue const& ammIssue, AccountID const& lpAccount);
 
 /** Due to rounding, the LPTokenBalance of the last LP might
  * not match the LP's trustline balance. If it's within the tolerance,
  * update LPTokenBalance to match the LP's trustline balance.
  */
-Expected<bool, TER>
+std::expected<bool, TER>
 verifyAndAdjustLPTokenBalance(
     Sandbox& sb,
     STAmount const& lpTokens,
-    std::shared_ptr<SLE>& ammSle,
+    SLE::pointer& ammSle,
     AccountID const& account);
 
 }  // namespace xrpl

include/xrpl/ledger/helpers/AccountRootHelpers.h

@@ -1,6 +1,5 @@
 #pragma once
 
-#include <xrpl/basics/Expected.h>
 #include <xrpl/beast/utility/Journal.h>
 #include <xrpl/ledger/ApplyView.h>
 #include <xrpl/ledger/ReadView.h>
@@ -9,7 +8,7 @@
 #include <xrpl/protocol/STLedgerEntry.h>
 #include <xrpl/protocol/TER.h>
 
-#include <memory>
+#include <expected>
 #include <set>
 #include <vector>
 
@@ -36,11 +35,7 @@ xrpLiquid(ReadView const& view, AccountID const& id, std::int32_t ownerCountAdj,
 
 /** Adjust the owner count up or down. */
 void
-adjustOwnerCount(
-    ApplyView& view,
-    std::shared_ptr<SLE> const& sle,
-    std::int32_t amount,
-    beast::Journal j);
+adjustOwnerCount(ApplyView& view, SLE::ref sle, std::int32_t amount, beast::Journal j);
 
 /** Returns IOU issuer transfer fee as Rate. Rate specifies
  * the fee as fractions of 1 billion. For example, 1% transfer rate
@@ -76,9 +71,7 @@ getPseudoAccountFields();
     - null pointer
 */
 [[nodiscard]] bool
-isPseudoAccount(
-    std::shared_ptr<SLE const> sleAcct,
-    std::set<SField const*> const& pseudoFieldFilter = {});
+isPseudoAccount(SLE::const_pointer sleAcct, std::set<SField const*> const& pseudoFieldFilter = {});
 
 /** Convenience overload that reads the account from the view. */
 [[nodiscard]] inline bool
@@ -98,7 +91,7 @@ isPseudoAccount(
  * before using a field. The amendment check is **not** performed in
  * createPseudoAccount.
  */
-[[nodiscard]] Expected<std::shared_ptr<SLE>, TER>
+[[nodiscard]] std::expected<SLE::pointer, TER>
 createPseudoAccount(ApplyView& view, uint256 const& pseudoOwnerKey, SField const& ownerField);
 
 /** Checks the destination and tag.

include/xrpl/ledger/helpers/CredentialHelpers.h

@@ -23,7 +23,7 @@ checkExpired(SLE const& sleCredential, NetClock::time_point const& closed);
 
 // Actually remove a credentials object from the ledger
 [[nodiscard]] TER
-deleteSLE(ApplyView& view, std::shared_ptr<SLE> const& sleCredential, beast::Journal j);
+deleteSLE(ApplyView& view, SLE::ref sleCredential, beast::Journal j);
 
 // Amendment and parameters checks for sfCredentialIDs field
 NotTEC
@@ -63,6 +63,20 @@ checkArray(STArray const& credentials, unsigned maxSize, beast::Journal j);
 TER
 verifyValidDomain(ApplyView& view, AccountID const& account, uint256 domainID, beast::Journal j);
 
+// Check DepositPreauth authorization
+TER
+checkDepositPreauth(
+    STTx const& tx,
+    ReadView const& view,
+    AccountID const& src,
+    AccountID const& dst,
+    std::shared_ptr<SLE const> const& sleDst,
+    beast::Journal j);
+
+// Remove expired credentials
+TER
+cleanupExpiredCredentials(STTx const& tx, ApplyView& view, beast::Journal j);
+
 // Check expired credentials and for existing DepositPreauth ledger object
 TER
 verifyDepositPreauth(
@@ -70,7 +84,7 @@ verifyDepositPreauth(
     ApplyView& view,
     AccountID const& src,
     AccountID const& dst,
-    std::shared_ptr<SLE const> const& sleDst,
+    SLE::const_ref sleDst,
     beast::Journal j);
 
 }  // namespace xrpl

include/xrpl/ledger/helpers/DelegateHelpers.h

@@ -15,7 +15,7 @@ namespace xrpl {
  * if not.
  */
 NotTEC
-checkTxPermission(std::shared_ptr<SLE const> const& delegate, STTx const& tx);
+checkTxPermission(SLE::const_ref delegate, STTx const& tx);
 
 /**
  * Load the granular permissions granted to the delegate account for the
@@ -28,7 +28,7 @@ checkTxPermission(std::shared_ptr<SLE const> const& delegate, STTx const& tx);
  */
 void
 loadGranularPermission(
-    std::shared_ptr<SLE const> const& delegate,
+    SLE::const_ref delegate,
     TxType const& type,
     std::unordered_set<GranularPermissionType>& granularPermissions);
 

include/xrpl/ledger/helpers/DirectoryHelpers.h

@@ -115,7 +115,7 @@ bool
 cdirFirst(
     ReadView const& view,
     uint256 const& root,
-    std::shared_ptr<SLE const>& page,
+    SLE::const_pointer& page,
     unsigned int& index,
     uint256& entry);
 
@@ -123,7 +123,7 @@ bool
 dirFirst(
     ApplyView& view,
     uint256 const& root,
-    std::shared_ptr<SLE>& page,
+    SLE::pointer& page,
     unsigned int& index,
     uint256& entry);
 /** @} */
@@ -147,7 +147,7 @@ bool
 cdirNext(
     ReadView const& view,
     uint256 const& root,
-    std::shared_ptr<SLE const>& page,
+    SLE::const_pointer& page,
     unsigned int& index,
     uint256& entry);
 
@@ -155,17 +155,14 @@ bool
 dirNext(
     ApplyView& view,
     uint256 const& root,
-    std::shared_ptr<SLE>& page,
+    SLE::pointer& page,
     unsigned int& index,
     uint256& entry);
 /** @} */
 
 /** Iterate all items in the given directory. */
 void
-forEachItem(
-    ReadView const& view,
-    Keylet const& root,
-    std::function<void(std::shared_ptr<SLE const> const&)> const& f);
+forEachItem(ReadView const& view, Keylet const& root, std::function<void(SLE::const_ref)> const& f);
 
 /** Iterate all items after an item in the given directory.
     @param after The key of the item to start after
@@ -180,14 +177,11 @@ forEachItemAfter(
     uint256 const& after,
     std::uint64_t const hint,
     unsigned int limit,
-    std::function<bool(std::shared_ptr<SLE const> const&)> const& f);
+    std::function<bool(SLE::const_ref)> const& f);
 
 /** Iterate all items in an account's owner directory. */
 inline void
-forEachItem(
-    ReadView const& view,
-    AccountID const& id,
-    std::function<void(std::shared_ptr<SLE const> const&)> const& f)
+forEachItem(ReadView const& view, AccountID const& id, std::function<void(SLE::const_ref)> const& f)
 {
     forEachItem(view, keylet::ownerDir(id), f);
 }
@@ -205,7 +199,7 @@ forEachItemAfter(
     uint256 const& after,
     std::uint64_t const hint,
     unsigned int limit,
-    std::function<bool(std::shared_ptr<SLE const> const&)> const& f)
+    std::function<bool(SLE::const_ref)> const& f)
 {
     return forEachItemAfter(view, keylet::ownerDir(id), after, hint, limit, f);
 }

include/xrpl/ledger/helpers/EscrowHelpers.h

@@ -18,7 +18,7 @@ TER
 escrowUnlockApplyHelper(
     ApplyView& view,
     Rate lockedRate,
-    std::shared_ptr<SLE> const& sleDest,
+    SLE::ref sleDest,
     STAmount const& xrpBalance,
     STAmount const& amount,
     AccountID const& issuer,
@@ -32,7 +32,7 @@ inline TER
 escrowUnlockApplyHelper<Issue>(
     ApplyView& view,
     Rate lockedRate,
-    std::shared_ptr<SLE> const& sleDest,
+    SLE::ref sleDest,
     STAmount const& xrpBalance,
     STAmount const& amount,
     AccountID const& issuer,
@@ -162,7 +162,7 @@ inline TER
 escrowUnlockApplyHelper<MPTIssue>(
     ApplyView& view,
     Rate lockedRate,
-    std::shared_ptr<SLE> const& sleDest,
+    SLE::ref sleDest,
     STAmount const& xrpBalance,
     STAmount const& amount,
     AccountID const& issuer,

include/xrpl/ledger/helpers/LendingHelpers.h

@@ -4,6 +4,7 @@
 #include <xrpl/protocol/Rules.h>
 #include <xrpl/protocol/st.h>
 
+#include <expected>
 #include <string_view>
 
 namespace xrpl {
@@ -397,7 +398,7 @@ struct LoanStateDeltas
     nonNegative();
 };
 
-Expected<std::pair<LoanPaymentParts, LoanProperties>, TER>
+std::expected<std::pair<LoanPaymentParts, LoanProperties>, TER>
 tryOverpayment(
     Rules const& rules,
     Asset const& asset,
@@ -523,7 +524,7 @@ isRounded(Asset const& asset, Number const& value, std::int32_t scale);
 // potential extra work at the end.
 enum class LoanPaymentType { Regular = 0, Late, Full, Overpayment };
 
-Expected<LoanPaymentParts, TER>
+std::expected<LoanPaymentParts, TER>
 loanMakePayment(
     Asset const& asset,
     ApplyView& view,

include/xrpl/ledger/helpers/NFTokenHelpers.h

@@ -28,10 +28,9 @@ findToken(ReadView const& view, AccountID const& owner, uint256 const& nftokenID
 struct TokenAndPage
 {
     STObject token;
-    std::shared_ptr<SLE> page;
+    SLE::pointer page;
 
-    TokenAndPage(STObject token, std::shared_ptr<SLE> page)
-        : token(std::move(token)), page(std::move(page))
+    TokenAndPage(STObject token, SLE::pointer page) : token(std::move(token)), page(std::move(page))
     {
     }
 };
@@ -47,11 +46,7 @@ TER
 removeToken(ApplyView& view, AccountID const& owner, uint256 const& nftokenID);
 
 TER
-removeToken(
-    ApplyView& view,
-    AccountID const& owner,
-    uint256 const& nftokenID,
-    std::shared_ptr<SLE> const& page);
+removeToken(ApplyView& view, AccountID const& owner, uint256 const& nftokenID, SLE::ref page);
 
 /** Deletes the given token offer.
 
@@ -63,7 +58,7 @@ removeToken(
     The offer also consumes one incremental reserve.
  */
 bool
-deleteTokenOffer(ApplyView& view, std::shared_ptr<SLE> const& offer);
+deleteTokenOffer(ApplyView& view, SLE::ref offer);
 
 /** Repairs the links in an NFTokenPage directory.
 

include/xrpl/ledger/helpers/OfferHelpers.h

@@ -5,8 +5,6 @@
 #include <xrpl/protocol/STLedgerEntry.h>
 #include <xrpl/protocol/TER.h>
 
-#include <memory>
-
 namespace xrpl {
 
 /** Delete an offer.
@@ -23,6 +21,6 @@ namespace xrpl {
 */
 // [[nodiscard]] // nodiscard commented out so Flow, BookTip and others compile.
 TER
-offerDelete(ApplyView& view, std::shared_ptr<SLE> const& sle, beast::Journal j);
+offerDelete(ApplyView& view, SLE::ref sle, beast::Journal j);
 
 }  // namespace xrpl

include/xrpl/ledger/helpers/PaymentChannelHelpers.h

@@ -8,10 +8,6 @@
 namespace xrpl {
 
 TER
-closeChannel(
-    std::shared_ptr<SLE> const& slep,
-    ApplyView& view,
-    uint256 const& key,
-    beast::Journal j);
+closeChannel(SLE::ref slep, ApplyView& view, uint256 const& key, beast::Journal j);
 
 }  // namespace xrpl

include/xrpl/ledger/helpers/RippleStateHelpers.h

@@ -154,7 +154,7 @@ trustCreate(
 [[nodiscard]] TER
 trustDelete(
     ApplyView& view,
-    std::shared_ptr<SLE> const& sleRippleState,
+    SLE::ref sleRippleState,
     AccountID const& uLowAccountID,
     AccountID const& uHighAccountID,
     beast::Journal j);
@@ -248,7 +248,7 @@ removeEmptyHolding(
 [[nodiscard]] TER
 deleteAMMTrustLine(
     ApplyView& view,
-    std::shared_ptr<SLE> sleState,
+    SLE::pointer sleState,
     std::optional<AccountID> const& ammAccountID,
     beast::Journal j);
 
@@ -258,7 +258,7 @@ deleteAMMTrustLine(
 [[nodiscard]] TER
 deleteAMMMPToken(
     ApplyView& view,
-    std::shared_ptr<SLE> sleMPT,
+    SLE::pointer sleMPT,
     AccountID const& ammAccountID,
     beast::Journal j);
 

include/xrpl/ledger/helpers/VaultHelpers.h

@@ -5,7 +5,6 @@
 #include <xrpl/protocol/STAmount.h>
 #include <xrpl/protocol/STLedgerEntry.h>
 
-#include <memory>
 #include <optional>
 
 namespace xrpl {
@@ -21,10 +20,7 @@ namespace xrpl {
     @return The number of shares, or nullopt on error.
 */
 [[nodiscard]] std::optional<STAmount>
-assetsToSharesDeposit(
-    std::shared_ptr<SLE const> const& vault,
-    std::shared_ptr<SLE const> const& issuance,
-    STAmount const& assets);
+assetsToSharesDeposit(SLE::const_ref vault, SLE::const_ref issuance, STAmount const& assets);
 
 /** From the perspective of a vault, return the number of assets to take from
     depositor when they receive a fixed amount of shares. Note, since shares are
@@ -37,10 +33,7 @@ assetsToSharesDeposit(
     @return The number of assets, or nullopt on error.
 */
 [[nodiscard]] std::optional<STAmount>
-sharesToAssetsDeposit(
-    std::shared_ptr<SLE const> const& vault,
-    std::shared_ptr<SLE const> const& issuance,
-    STAmount const& shares);
+sharesToAssetsDeposit(SLE::const_ref vault, SLE::const_ref issuance, STAmount const& shares);
 
 /** Controls whether to truncate shares instead of rounding. */
 enum class TruncateShares : bool { No = false, Yes = true };
@@ -69,8 +62,8 @@ enum class WaiveUnrealizedLoss : bool { No = false, Yes = true };
 */
 [[nodiscard]] std::optional<STAmount>
 assetsToSharesWithdraw(
-    std::shared_ptr<SLE const> const& vault,
-    std::shared_ptr<SLE const> const& issuance,
+    SLE::const_ref vault,
+    SLE::const_ref issuance,
     STAmount const& assets,
     TruncateShares truncate = TruncateShares::No,
     WaiveUnrealizedLoss waive = WaiveUnrealizedLoss::No);
@@ -89,8 +82,8 @@ assetsToSharesWithdraw(
 */
 [[nodiscard]] std::optional<STAmount>
 sharesToAssetsWithdraw(
-    std::shared_ptr<SLE const> const& vault,
-    std::shared_ptr<SLE const> const& issuance,
+    SLE::const_ref vault,
+    SLE::const_ref issuance,
     STAmount const& shares,
     WaiveUnrealizedLoss waive = WaiveUnrealizedLoss::No);
 
@@ -104,9 +97,6 @@ sharesToAssetsWithdraw(
                     both the share MPTID and the outstanding-amount total.
 */
 [[nodiscard]] bool
-isSoleShareholder(
-    ReadView const& view,
-    AccountID const& account,
-    std::shared_ptr<SLE const> const& issuance);
+isSoleShareholder(ReadView const& view, AccountID const& account, SLE::const_ref issuance);
 
 }  // namespace xrpl

include/xrpl/net/HTTPClient.h

@@ -53,7 +53,7 @@ public:
             boost::system::error_code const& ecResult,
             int iStatus,
             std::string const& strData)> complete,
-        beast::Journal& j);
+        beast::Journal const& j);
 
     static void
     get(bool bSSL,
@@ -67,7 +67,7 @@ public:
             boost::system::error_code const& ecResult,
             int iStatus,
             std::string const& strData)> complete,
-        beast::Journal& j);
+        beast::Journal const& j);
 
     static void
     request(
@@ -82,7 +82,7 @@ public:
             boost::system::error_code const& ecResult,
             int iStatus,
             std::string const& strData)> complete,
-        beast::Journal& j);
+        beast::Journal const& j);
 };
 
 }  // namespace xrpl

include/xrpl/nodestore/Database.h

@@ -1,6 +1,5 @@
 #pragma once
 
-#include <xrpl/basics/BasicConfig.h>
 #include <xrpl/basics/Log.h>
 #include <xrpl/basics/TaggedCache.ipp>
 #include <xrpl/nodestore/Backend.h>
@@ -10,6 +9,10 @@
 
 #include <condition_variable>
 
+namespace xrpl {
+class Section;
+}  // namespace xrpl
+
 namespace xrpl::NodeStore {
 
 /** Persistency layer for NodeObject

include/xrpl/nodestore/Factory.h

@@ -1,12 +1,15 @@
 #pragma once
 
-#include <xrpl/basics/BasicConfig.h>
 #include <xrpl/beast/utility/Journal.h>
 #include <xrpl/nodestore/Backend.h>
 #include <xrpl/nodestore/Scheduler.h>
 
 #include <nudb/store.hpp>
 
+namespace xrpl {
+class Section;
+}  // namespace xrpl
+
 namespace xrpl::NodeStore {
 
 /** Base class for backend factories. */