Restore serializer, add node check

Merge branch 'develop' into bthomee/node_depth
refactor: Use dispatch instead of post (#7438 )
2026-06-24 02:56:56 +00:00 · 2026-06-23 13:24:31 -04:00 · 2026-06-23 10:54:00 -04:00 · 2026-06-22 22:35:28 +00:00 · 2026-06-22 18:44:42 +00:00 · 2026-06-22 18:42:57 +00:00
165 changed files with 5094 additions and 3507 deletions
--- a/.clang-tidy
+++ b/.clang-tidy
@@ -153,6 +153,7 @@ Checks: "-*,
  readability-use-std-min-max
  "
 # ---
+# bugprone-narrowing-conversions,                      # this will break a lot of code but we should enable it in the future because it can eliminate a lot of bugs
 # readability-inconsistent-declaration-parameter-name, # In this codebase this check will break a lot of arg names
 # readability-static-accessed-through-instance,        # this check is probably unnecessary. It makes the code less readable
 # ---
--- a/.github/scripts/levelization/results/ordering.txt
+++ b/.github/scripts/levelization/results/ordering.txt
@@ -14,7 +14,6 @@ libxrpl.ledger > xrpl.json
 libxrpl.ledger > xrpl.ledger
 libxrpl.ledger > xrpl.nodestore
 libxrpl.ledger > xrpl.protocol
-libxrpl.ledger > xrpl.server
 libxrpl.ledger > xrpl.shamap
 libxrpl.net > xrpl.basics
 libxrpl.net > xrpl.net
@@ -221,7 +220,6 @@ xrpl.core > xrpl.protocol
 xrpl.json > xrpl.basics
 xrpl.ledger > xrpl.basics
 xrpl.ledger > xrpl.protocol
-xrpl.ledger > xrpl.server
 xrpl.ledger > xrpl.shamap
 xrpl.net > xrpl.basics
 xrpl.nodestore > xrpl.basics
--- a/.github/scripts/strategy-matrix/generate.py
+++ b/.github/scripts/strategy-matrix/generate.py
@@ -20,8 +20,6 @@ _SANITIZER_SUFFIX: dict[str, str] = {
 def get_cmake_args(build_type: str, extra_args: str) -> str:
    """Get the full list of CMake arguments for a config."""
    args = _BASE_CMAKE_ARGS.copy()
-    if build_type == "Release":
-        args.append("-Dassert=ON")
    if extra_args:
        args.extend(extra_args.split())
    return " ".join(args)
--- a/.github/scripts/strategy-matrix/linux.json
+++ b/.github/scripts/strategy-matrix/linux.json
@@ -1,5 +1,5 @@
 {
-  "image_tag": "sha-63ffdc3",
+  "image_tag": "sha-fe4c8ae",
  "configs": {
    "ubuntu": [
      {
@@ -10,7 +10,7 @@

      {
        "compiler": ["gcc", "clang"],
-        "build_type": ["Debug"],
+        "build_type": ["Debug", "Release"],
        "arch": ["amd64"],
        "sanitizers": ["address", "undefinedbehavior"]
      },
@@ -68,7 +68,7 @@
        "compiler": ["gcc"],
        "build_type": ["Release"],
        "arch": ["amd64"],
-        "image": "ghcr.io/xrplf/xrpld/packaging-debian:sha-63ffdc3"
+        "image": "ghcr.io/xrplf/xrpld/packaging-debian:sha-577d745"
      }
    ],

@@ -77,7 +77,7 @@
        "compiler": ["gcc"],
        "build_type": ["Release"],
        "arch": ["amd64"],
-        "image": "ghcr.io/xrplf/xrpld/packaging-rhel:sha-63ffdc3"
+        "image": "ghcr.io/xrplf/xrpld/packaging-rhel:sha-577d745"
      }
    ]
  }
--- a/.github/workflows/build-nix-images.yml
+++ b/.github/workflows/build-nix-images.yml
@@ -9,12 +9,20 @@ on:
      - "flake.nix"
      - "flake.lock"
      - "nix/**"
+      - "!nix/docker/README.md"
+      - "!nix/devshell.nix"
+      - "bin/check-tools.sh"
+      - "bin/install-sanitizer-libs.sh"
  pull_request:
    paths:
      - ".github/workflows/build-nix-images.yml"
      - "flake.nix"
      - "flake.lock"
      - "nix/**"
+      - "!nix/docker/README.md"
+      - "!nix/devshell.nix"
+      - "bin/check-tools.sh"
+      - "bin/install-sanitizer-libs.sh"
  workflow_dispatch:

 concurrency:
@@ -46,9 +54,9 @@ jobs:
            base_image: debian:bookworm
          - name: rhel
            base_image: registry.access.redhat.com/ubi9/ubi:latest
-    uses: XRPLF/actions/.github/workflows/build-multiarch-image.yml@c1b480188519e0cad040e6aa70db1cbc5a797e07
+    uses: XRPLF/actions/.github/workflows/build-multiarch-image.yml@ee03d31bcc4501d7599dc1b1ecd7a34af582ad1c
    with:
-      image_name: ghcr.io/xrplf/xrpld/nix-${{ matrix.distro.name }}
+      image_name: xrpld/nix-${{ matrix.distro.name }}
      dockerfile: nix/docker/Dockerfile
      base_image: ${{ matrix.distro.base_image }}
-      push: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}
+      push: ${{ github.event_name == 'push' }}
--- a/.github/workflows/build-packaging-images.yml
+++ b/.github/workflows/build-packaging-images.yml
@@ -38,9 +38,9 @@ jobs:
            base_image: debian:bookworm
          - name: rhel
            base_image: registry.access.redhat.com/ubi9/ubi:latest
-    uses: XRPLF/actions/.github/workflows/build-multiarch-image.yml@c1b480188519e0cad040e6aa70db1cbc5a797e07
+    uses: XRPLF/actions/.github/workflows/build-multiarch-image.yml@ee03d31bcc4501d7599dc1b1ecd7a34af582ad1c
    with:
-      image_name: ghcr.io/xrplf/xrpld/packaging-${{ matrix.distro.name }}
+      image_name: xrpld/packaging-${{ matrix.distro.name }}
      dockerfile: package/Dockerfile
      base_image: ${{ matrix.distro.base_image }}
-      push: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}
+      push: ${{ github.event_name == 'push' }}
--- a/.github/workflows/check-pr-description.yml
+++ b/.github/workflows/check-pr-description.yml
@@ -23,7 +23,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Write PR body to file
        env:
--- a/.github/workflows/on-pr.yml
+++ b/.github/workflows/on-pr.yml
@@ -33,7 +33,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      - name: Determine changed files
        # This step checks whether any files have changed that should
        # cause the next jobs to run. We do it this way rather than
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -14,7 +14,7 @@ on:
 jobs:
  # Call the workflow in the XRPLF/actions repo that runs the pre-commit hooks.
  run-hooks:
-    uses: XRPLF/actions/.github/workflows/pre-commit.yml@312aaab296060ff89d7f798dcab59f019bea6e02
+    uses: XRPLF/actions/.github/workflows/pre-commit.yml@e06d4138c9ec8dceeb7c818645faa38087ea9e3d
    with:
      runs_on: ubuntu-latest
      container: '{ "image": "ghcr.io/xrplf/ci/tools-rippled-pre-commit:sha-41ec7c1" }'
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -41,10 +41,10 @@ env:
 jobs:
  build:
    runs-on: ubuntu-latest
-    container: ghcr.io/xrplf/xrpld/nix-ubuntu:sha-63ffdc3
+    container: ghcr.io/xrplf/xrpld/nix-ubuntu:sha-fe4c8ae
    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Prepare runner
        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
--- a/.github/workflows/reusable-build-test-config.yml
+++ b/.github/workflows/reusable-build-test-config.yml
@@ -110,7 +110,7 @@ jobs:
        uses: XRPLF/actions/cleanup-workspace@c7d9ce5ebb03c752a354889ecd870cadfc2b1cd4

      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Prepare runner
        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
@@ -121,6 +121,11 @@ jobs:
        if: ${{ inputs.ccache_enabled && runner.debug == '1' }}
        run: echo "CCACHE_LOGFILE=${{ runner.temp }}/ccache.log" >>"${GITHUB_ENV}"

+      - name: Check tools
+        env:
+          CHECK_TOOLS_SKIP_CLONE: "1"
+        run: ./bin/check-tools.sh
+
      - name: Print build environment
        uses: XRPLF/actions/print-build-env@59dec886e4afb05a1724443af08baccbc045b574

@@ -164,6 +169,27 @@ jobs:
              ${CMAKE_ARGS} \
              ..

+      # Export the sanitizer options before any instrumented binary runs. The
+      # protocol code-gen and build steps below invoke instrumented dependency
+      # tools (protoc, grpc), so setting UBSAN_OPTIONS here lets the UBSan
+      # suppression list silence their diagnostics too, not just at test time.
+      # GITHUB_WORKSPACE (not the github.workspace context) is used so the path
+      # resolves correctly inside the container job.
+      - name: Set sanitizer options
+        if: ${{ !inputs.build_only && env.SANITIZERS_ENABLED == 'true' }}
+        env:
+          CONFIG_NAME: ${{ inputs.config_name }}
+        run: |
+          SUPP="${GITHUB_WORKSPACE}/sanitizers/suppressions"
+          ASAN_OPTS="include=${SUPP}/runtime-asan-options.txt:suppressions=${SUPP}/asan.supp"
+          if [[ "${CONFIG_NAME}" == *gcc* ]]; then
+              ASAN_OPTS="${ASAN_OPTS}:alloc_dealloc_mismatch=0"
+          fi
+          echo "ASAN_OPTIONS=${ASAN_OPTS}" >>${GITHUB_ENV}
+          echo "TSAN_OPTIONS=include=${SUPP}/runtime-tsan-options.txt:suppressions=${SUPP}/tsan.supp" >>${GITHUB_ENV}
+          echo "UBSAN_OPTIONS=include=${SUPP}/runtime-ubsan-options.txt:suppressions=${SUPP}/ubsan.supp" >>${GITHUB_ENV}
+          echo "LSAN_OPTIONS=include=${SUPP}/runtime-lsan-options.txt:suppressions=${SUPP}/lsan.supp" >>${GITHUB_ENV}
+
      - name: Check protocol autogen files are up-to-date
        working-directory: ${{ env.BUILD_DIR }}
        env:
@@ -279,20 +305,6 @@ jobs:
        run: |
          ./xrpld --version | grep libvoidstar

-      - name: Set sanitizer options
-        if: ${{ !inputs.build_only && env.SANITIZERS_ENABLED == 'true' }}
-        env:
-          CONFIG_NAME: ${{ inputs.config_name }}
-        run: |
-          ASAN_OPTS="include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-asan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/asan.supp"
-          if [[ "${CONFIG_NAME}" == *gcc* ]]; then
-              ASAN_OPTS="${ASAN_OPTS}:alloc_dealloc_mismatch=0"
-          fi
-          echo "ASAN_OPTIONS=${ASAN_OPTS}" >>${GITHUB_ENV}
-          echo "TSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-tsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/tsan.supp" >>${GITHUB_ENV}
-          echo "UBSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-ubsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/ubsan.supp" >>${GITHUB_ENV}
-          echo "LSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-lsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/lsan.supp" >>${GITHUB_ENV}
-
      - name: Run the separate tests
        if: ${{ !inputs.build_only }}
        working-directory: ${{ runner.os == 'Windows' && format('{0}/{1}', env.BUILD_DIR, inputs.build_type) || env.BUILD_DIR }}
--- a/.github/workflows/reusable-check-levelization.yml
+++ b/.github/workflows/reusable-check-levelization.yml
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      - name: Check levelization
        run: python .github/scripts/levelization/generate.py
      - name: Check for differences
--- a/.github/workflows/reusable-check-rename.yml
+++ b/.github/workflows/reusable-check-rename.yml
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      - name: Check definitions
        run: .github/scripts/rename/definitions.sh .
      - name: Check copyright notices
--- a/.github/workflows/reusable-clang-tidy.yml
+++ b/.github/workflows/reusable-clang-tidy.yml
@@ -20,29 +20,32 @@ env:
  BUILD_DIR: build
  BUILD_TYPE: Debug # Debug so that ASSERTS and such participate in clang-tidy check

-  OUTPUT_FILE: clang-tidy-output.txt
-  DIFF_FILE: clang-tidy-git-diff.txt
-  ISSUE_FILE: clang-tidy-issue.md
+  OUTPUT_FILE: /tmp/clang-tidy-output.txt
+  FILTERED_OUTPUT_FILE: /tmp/clang-tidy-filtered-output.txt
+  DIFF_FILE: /tmp/clang-tidy-git-diff.txt
+  ISSUE_FILE: /tmp/clang-tidy-issue.md
+
+  COMPILER: clang

 jobs:
  determine-files:
    if: ${{ inputs.check_only_changed }}
    permissions:
      contents: read
-    uses: XRPLF/actions/.github/workflows/determine-tidy-files.yml@312aaab296060ff89d7f798dcab59f019bea6e02
+    uses: XRPLF/actions/.github/workflows/determine-tidy-files.yml@c7045074aafe9fb92fa537aa4446f81fbfc17e8b

  run-clang-tidy:
    name: Run clang tidy
    needs: [determine-files]
    if: ${{ always() && !cancelled() && (!inputs.check_only_changed || needs.determine-files.outputs.cpp_changed_files != '' || needs.determine-files.outputs.clang_tidy_config_changed == 'true') }}
    runs-on: ["self-hosted", "Linux", "X64", "heavy"]
-    container: "ghcr.io/xrplf/xrpld/nix-debian:sha-63ffdc3"
+    container: "ghcr.io/xrplf/xrpld/nix-debian:sha-fe4c8ae"
    permissions:
      contents: read
      issues: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Prepare runner
        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
@@ -59,7 +62,7 @@ jobs:
      - name: Set compiler environment
        uses: ./.github/actions/set-compiler-env
        with:
-          compiler: clang
+          compiler: ${{ env.COMPILER }}

      - name: Setup Conan
        uses: ./.github/actions/setup-conan
@@ -150,21 +153,21 @@ jobs:
        run: |
          if [ -f "${OUTPUT_FILE}" ]; then
              # Extract lines containing 'error:', 'warning:', or 'note:'
-              grep -E '(error:|warning:|note:)' "${OUTPUT_FILE}" >filtered-output.txt || true
+              grep -E '(error:|warning:|note:)' "${OUTPUT_FILE}" >"${FILTERED_OUTPUT_FILE}" || true

              # If filtered output is empty, use original (might be a different error format)
-              if [ ! -s filtered-output.txt ]; then
-                  cp "${OUTPUT_FILE}" filtered-output.txt
+              if [ ! -s "${FILTERED_OUTPUT_FILE}" ]; then
+                  cp "${OUTPUT_FILE}" "${FILTERED_OUTPUT_FILE}"
              fi

              # Truncate if too large
-              head -c 60000 filtered-output.txt >>"${ISSUE_FILE}"
-              if [ "$(wc -c <filtered-output.txt)" -gt 60000 ]; then
+              head -c 60000 "${FILTERED_OUTPUT_FILE}" >>"${ISSUE_FILE}"
+              if [ "$(wc -c <"${FILTERED_OUTPUT_FILE}")" -gt 60000 ]; then
                  echo "" >>"${ISSUE_FILE}"
                  echo "... (output truncated, see artifacts for full output)" >>"${ISSUE_FILE}"
              fi

-              rm filtered-output.txt
+              rm "${FILTERED_OUTPUT_FILE}"
          else
              echo "No output file found" >>"${ISSUE_FILE}"
          fi
--- a/.github/workflows/reusable-package.yml
+++ b/.github/workflows/reusable-package.yml
@@ -27,7 +27,7 @@ jobs:
      matrix: ${{ steps.generate.outputs.matrix }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -45,7 +45,7 @@ jobs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          sparse-checkout: |
            .github/actions/generate-version
@@ -69,7 +69,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Download pre-built binary
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
--- a/.github/workflows/reusable-strategy-matrix.yml
+++ b/.github/workflows/reusable-strategy-matrix.yml
@@ -23,7 +23,7 @@ jobs:
      matrix: ${{ steps.generate.outputs.matrix }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
--- a/.github/workflows/reusable-upload-recipe.yml
+++ b/.github/workflows/reusable-upload-recipe.yml
@@ -40,10 +40,10 @@ defaults:
 jobs:
  upload:
    runs-on: ubuntu-latest
-    container: ghcr.io/xrplf/xrpld/nix-ubuntu:sha-63ffdc3
+    container: ghcr.io/xrplf/xrpld/nix-ubuntu:sha-fe4c8ae
    steps:
      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Generate build version number
        id: version
--- a/.github/workflows/upload-conan-deps.yml
+++ b/.github/workflows/upload-conan-deps.yml
@@ -65,7 +65,7 @@ jobs:
        uses: XRPLF/actions/cleanup-workspace@c7d9ce5ebb03c752a354889ecd870cadfc2b1cd4

      - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Prepare runner
        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
--- a/BUILD.md
+++ b/BUILD.md
@@ -1,26 +1,57 @@
-| :warning: **WARNING** :warning:                                                                                                                                                                                                |
-| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| These instructions assume you have a C++ development environment ready with Git, Python, Conan, CMake, and a C++ compiler. For help setting one up on Linux, macOS, or Windows, [see this guide](./docs/build/environment.md). |
+| :warning: **WARNING** :warning:                                                                                                                                                                                                                                                                                                                                                                                                                                               |
+| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| These instructions assume you have a C++ development environment ready with Git, Python, Conan, CMake, and a C++ compiler. For help setting one up on Linux, macOS, or Windows, [see this guide](./docs/build/environment.md).<br><br>These instructions also assume a basic familiarity with Conan and CMake. If you are unfamiliar with Conan, you can read our [crash course](./docs/build/conan.md) or the official [Getting Started][conan-getting-started] walkthrough. |

-> These instructions also assume a basic familiarity with Conan and CMake.
-> If you are unfamiliar with Conan, you can read our
-> [crash course](./docs/build/conan.md) or the official [Getting Started][3]
-> walkthrough.
+## Minimum Requirements

-## Branches
+See [System Requirements](https://xrpl.org/system-requirements.html).

-For a stable release, choose the `master` branch or one of the [tagged
-releases](https://github.com/XRPLF/rippled/releases).
+Building xrpld generally requires Git, Python, Conan, CMake, and a C++
+compiler.
+
+- [Python](https://www.python.org/downloads/)
+- [Conan](https://conan.io/downloads.html)
+- [CMake](https://cmake.org/download/)
+
+You can verify that the required tools are installed and runnable with:

 ```bash
-git checkout master
+./bin/check-tools.sh
 ```

-For the latest release candidate, choose the `release` branch.
+`xrpld` is written in the C++23 dialect. The [tested compiler versions][cpp23-support] are:

-```bash
-git checkout release
-```
+| Compiler    | Version         |
+| ----------- | --------------- |
+| GCC         | 15.2            |
+| Clang       | 22              |
+| Apple Clang | 17              |
+| MSVC        | 19.44[^windows] |
+
+## Operating Systems
+
+Please see the [environment setup guide](./docs/build/environment.md) for detailed instructions for all platforms.
+
+### Linux
+
+The Ubuntu Linux distribution has received the highest level of quality
+assurance, testing, and support. We also support Red Hat and use Debian
+internally.
+Our Linux CI tooling is distro-independent and uses a Nix-based environment, so it should be possible to build on other Linux distributions as well, although we have not tested them.
+
+### macOS
+
+Many `xrpld` engineers use macOS for development.
+
+### Windows
+
+Windows is used by some engineers for development only.
+
+[^windows]: Windows is not recommended for production use.
+
+## Steps
+
+### Branches

 For the latest set of untested features, or to contribute, choose the `develop`
 branch.
@@ -29,55 +60,15 @@ branch.
 git checkout develop
 ```

-## Minimum Requirements
+For a release candidate, choose the relevant release branch, e.g.
+`release/3.2.x`.

-See [System Requirements](https://xrpl.org/system-requirements.html).
+```bash
+git checkout release/3.2.x
+```

-Building xrpld generally requires git, Python, Conan, CMake, and a C++
-compiler. Some guidance on setting up such a [C++ development environment can be
-found here](./docs/build/environment.md).
-
- [Python 3.11](https://www.python.org/downloads/), or higher
- [Conan 2.17](https://conan.io/downloads.html)[^1], or higher
- [CMake 3.22](https://cmake.org/download/), or higher
-
-[^1]:
-    It is possible to build with Conan 1.60+, but the instructions are
-    significantly different, which is why we are not recommending it.
-
-`xrpld` is written in the C++23 dialect and includes the `<concepts>` header.
-The [tested compiler versions][2] are:
-
-| Compiler    | Version   |
-| ----------- | --------- |
-| GCC         | 15        |
-| Clang       | 22        |
-| Apple Clang | 17        |
-| MSVC        | 19.44[^3] |
-
-### Linux
-
-The Ubuntu Linux distribution has received the highest level of quality
-assurance, testing, and support. We also support Red Hat and use Debian
-internally.
-
-Here are [sample instructions for setting up a C++ development environment on
-Linux](./docs/build/environment.md#linux).
-
-### Mac
-
-Many xrpld engineers use macOS for development.
-
-Here are [sample instructions for setting up a C++ development environment on
-macOS](./docs/build/environment.md#macos).
-
-### Windows
-
-Windows is used by some engineers for development only.
-
-[^3]: Windows is not recommended for production use.
-
-## Steps
+For a stable release, choose one of the [tagged
+releases](https://github.com/XRPLF/rippled/releases).

 ### Set Up Conan

@@ -86,18 +77,11 @@ Conan, CMake, and a C++ compiler, you may need to set up your Conan profile.

 These instructions assume a basic familiarity with Conan and CMake. If you are
 unfamiliar with Conan, then please read [this crash course](./docs/build/conan.md) or the official
-[Getting Started][3] walkthrough.
+[Getting Started][conan-getting-started] walkthrough.

-#### Conan lockfile
+#### Profiles

-To achieve reproducible dependencies, we use a [Conan lockfile](https://docs.conan.io/2/tutorial/versioning/lockfiles.html),
-which has to be updated every time dependencies change.
-
-Please see the [instructions on how to regenerate the lockfile](conan/lockfile/README.md).
-
-#### Default profile
-
-We recommend that you import the provided `conan/profiles/default` profile:
+We recommend that you install our Conan profiles:

 ```bash
 conan config install conan/profiles/ -tf $(conan config home)/profiles/
@@ -109,222 +93,15 @@ You can check your Conan profile by running:
 conan profile show
 ```

-#### Custom profile
+If the default profile is not suitable for your environment, you can create a custom profile and pass it to Conan.
+More information on customizing Conan can be found in the [Advanced Conan configuration](./docs/build/advanced_conan.md).

-If the default profile does not work for you and you do not yet have a Conan
-profile, you can create one by running:
+#### Add xrplf remote
+
+Run the following command to add the `xrplf` remote, which hosts some of our dependencies:

 ```bash
-conan profile detect
-```
-
-You may need to make changes to the profile to suit your environment. You can
-refer to the provided `conan/profiles/default` profile for inspiration, and you
-may also need to apply the required [tweaks](#conan-profile-tweaks) to this
-default profile.
-
-### Patched recipes
-
-Occasionally, we need patched recipes or recipes not present in Conan Center.
-We maintain a fork of the Conan Center Index
-[here](https://github.com/XRPLF/conan-center-index/) containing the modified and newly added recipes.
-
-To ensure our patched recipes are used, you must add our Conan remote at a
-higher index than the default Conan Center remote, so it is consulted first. You
-can do this by running:
-
-```bash
-conan remote add --index 0 xrplf https://conan.ripplex.io
-```
-
-Alternatively, you can pull our recipes from the repository and export them locally:
-
-```bash
-# Define which recipes to export.
-recipes=('abseil' 'ed25519' 'mpt-crypto' 'openssl' 'secp256k1' 'snappy' 'soci' 'wasm-xrplf' 'wasmi')
-
-# Selectively check out the recipes from our CCI fork.
-cd external
-mkdir -p conan-center-index
-cd conan-center-index
-git init
-git remote add origin git@github.com:XRPLF/conan-center-index.git
-git sparse-checkout init
-for recipe in "${recipes[@]}"; do
-    echo "Checking out recipe '${recipe}'..."
-    git sparse-checkout add recipes/${recipe}
-done
-git fetch origin master
-git checkout master
-
-./export_all.sh
-cd ../../
-```
-
-In the case we switch to a newer version of a dependency that still requires a
-patch or add a new dependency, it will be necessary for you to pull in the changes and re-export the
-updated dependencies with the newer version. However, if we switch to a newer
-version that no longer requires a patch, no action is required on your part, as
-the new recipe will be automatically pulled from the official Conan Center.
-
-> [!NOTE]
-> You might need to add `--lockfile=""` to your `conan install` command
-> to avoid automatic use of the existing `conan.lock` file when you run
-> `conan export` manually on your machine
->
-> This is not recommended though, as you might end up using different revisions of recipes.
-
-### Conan profile tweaks
-
-#### Missing compiler version
-
-If you see an error similar to the following after running `conan profile show`:
-
-```text
-ERROR: Invalid setting '17' is not a valid 'settings.compiler.version' value.
-Possible values are ['5.0', '5.1', '6.0', '6.1', '7.0', '7.3', '8.0', '8.1',
-'9.0', '9.1', '10.0', '11.0', '12.0', '13', '13.0', '13.1', '14', '14.0', '15',
-'15.0', '16', '16.0']
-Read "http://docs.conan.io/2/knowledge/faq.html#error-invalid-setting"
-```
-
-you need to add your compiler to the list of compiler versions in
-`$(conan config home)/settings_user.yml`, by adding the required version number(s)
-to the `version` array specific for your compiler. For example:
-
-```yaml
-compiler:
-  apple-clang:
-    version: ["17.0"]
-```
-
-#### Multiple compilers
-
-If you have multiple compilers installed, make sure to select the one to use in
-your default Conan configuration **before** running `conan profile detect`, by
-setting the `CC` and `CXX` environment variables.
-
-For example, if you are running MacOS and have [homebrew
-LLVM@18](https://formulae.brew.sh/formula/llvm@18), and want to use it as a
-compiler in the new Conan profile:
-
-```bash
-export CC=$(brew --prefix llvm@18)/bin/clang
-export CXX=$(brew --prefix llvm@18)/bin/clang++
-conan profile detect
-```
-
-You should also explicitly set the path to the compiler in the profile file,
-which helps to avoid errors when `CC` and/or `CXX` are set and disagree with the
-selected Conan profile. For example:
-
-```text
-[conf]
-tools.build:compiler_executables={'c':'/usr/bin/gcc','cpp':'/usr/bin/g++'}
-```
-
-#### Multiple profiles
-
-You can manage multiple Conan profiles in the directory
-`$(conan config home)/profiles`, for example renaming `default` to a different
-name and then creating a new `default` profile for a different compiler.
-
-#### Select language
-
-The default profile created by Conan will typically select different C++ dialect
-than C++23 used by this project. You should set `23` in the profile line
-starting with `compiler.cppstd=`. For example:
-
-```bash
-sed -i.bak -e 's|^compiler\.cppstd=.*$|compiler.cppstd=23|' $(conan config home)/profiles/default
-```
-
-#### Select standard library in Linux
-
-**Linux** developers will commonly have a default Conan [profile][] that
-compiles with GCC and links with libstdc++. If you are linking with libstdc++
-(see profile setting `compiler.libcxx`), then you will need to choose the
-`libstdc++11` ABI:
-
-```bash
-sed -i.bak -e 's|^compiler\.libcxx=.*$|compiler.libcxx=libstdc++11|' $(conan config home)/profiles/default
-```
-
-#### Select architecture and runtime in Windows
-
-**Windows** developers may need to use the x64 native build tools. An easy way
-to do that is to run the shortcut "x64 Native Tools Command Prompt" for the
-version of Visual Studio that you have installed.
-
-Windows developers must also build `xrpld` and its dependencies for the x64
-architecture:
-
-```bash
-sed -i.bak -e 's|^arch=.*$|arch=x86_64|' $(conan config home)/profiles/default
-```
-
-**Windows** developers also must select static runtime:
-
-```bash
-sed -i.bak -e 's|^compiler\.runtime=.*$|compiler.runtime=static|' $(conan config home)/profiles/default
-```
-
-#### Clang workaround for grpc
-
-If your compiler is clang, version 19 or later, or apple-clang, version 17 or
-later, you may encounter a compilation error while building the `grpc`
-dependency:
-
-```text
-In file included from .../lib/promise/try_seq.h:26:
-.../lib/promise/detail/basic_seq.h:499:38: error: a template argument list is expected after a name prefixed by the template keyword [-Wmissing-template-arg-list-after-template-kw]
-  499 |                     Traits::template CallSeqFactory(f_, *cur_, std::move(arg)));
-      |                                      ^
-```
-
-The workaround for this error is to add two lines to profile:
-
-```text
-[conf]
-tools.build:cxxflags=['-Wno-missing-template-arg-list-after-template-kw']
-```
-
-#### Workaround for gcc 12
-
-If your compiler is gcc, version 12, and you have enabled `werr` option, you may
-encounter a compilation error such as:
-
-```text
-/usr/include/c++/12/bits/char_traits.h:435:56: error: 'void* __builtin_memcpy(void*, const void*, long unsigned int)' accessing 9223372036854775810 or more bytes at offsets [2, 9223372036854775807] and 1 may overlap up to 9223372036854775813 bytes at offset -3 [-Werror=restrict]
-  435 |         return static_cast<char_type*>(__builtin_memcpy(__s1, __s2, __n));
-      |                                        ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
-cc1plus: all warnings being treated as errors
-```
-
-The workaround for this error is to add two lines to your profile:
-
-```text
-[conf]
-tools.build:cxxflags=['-Wno-restrict']
-```
-
-#### Workaround for clang 16
-
-If your compiler is clang, version 16, you may encounter compilation error such
-as:
-
-```text
-In file included from .../boost/beast/websocket/stream.hpp:2857:
-.../boost/beast/websocket/impl/read.hpp:695:17: error: call to 'async_teardown' is ambiguous
-                async_teardown(impl.role, impl.stream(),
-                ^~~~~~~~~~~~~~
-```
-
-The workaround for this error is to add two lines to your profile:
-
-```text
-[conf]
-tools.build:cxxflags=['-DBOOST_ASIO_DISABLE_CONCEPTS']
+conan remote add --index 0 --force xrplf https://conan.ripplex.io
 ```

 ### Set Up Ccache
@@ -333,14 +110,7 @@ To speed up repeated compilations, we recommend that you install
 [ccache](https://ccache.dev), a tool that wraps your compiler so that it can
 cache build objects locally.

-#### Linux
-
-You can install it using the package manager, e.g. `sudo apt install ccache`
-(Ubuntu) or `sudo dnf install ccache` (RHEL).
-
-#### macOS
-
-You can install it using Homebrew, i.e. `brew install ccache`.
+On Linux and macOS, `ccache` is included in the [Nix development shell](./docs/build/nix.md).

 #### Windows

@@ -549,7 +319,7 @@ See [Sanitizers docs](./docs/build/sanitizers.md) for more details.

 | Option     | Default Value | Description                                                    |
 | ---------- | ------------- | -------------------------------------------------------------- |
-| `assert`   | OFF           | Enable assertions.                                             |
+| `assert`   | OFF           | Force enabling assertions.                                     |
 | `coverage` | OFF           | Prepare the coverage report.                                   |
 | `tests`    | OFF           | Build tests.                                                   |
 | `unity`    | OFF           | Configure a unity build.                                       |
@@ -557,7 +327,7 @@ See [Sanitizers docs](./docs/build/sanitizers.md) for more details.
 | `werr`     | OFF           | Treat compilation warnings as errors                           |
 | `wextra`   | OFF           | Enable additional compilation warnings                         |

-[Unity builds][5] may be faster for the first build (at the cost of much more
+[Unity builds][unity-build] may be faster for the first build (at the cost of much more
 memory) since they concatenate sources into fewer translation units. Non-unity
 builds may be faster for incremental builds, and can be helpful for detecting
 `#include` omissions.
@@ -583,14 +353,14 @@ After any updates or changes to dependencies, you may need to do the following:
   conan remove '*'
   ```

-3. Re-run [conan export](#patched-recipes) if needed.
-4. [Regenerate lockfile](#conan-lockfile).
+3. Re-run [conan export](./docs/build/advanced_conan.md#patched-recipes) if needed.
+4. [Regenerate lockfile](./docs/build/advanced_conan.md#conan-lockfile).
 5. Re-run [conan install](#build-and-test).

 #### ERROR: Package not resolved

 If you're seeing an error like `ERROR: Package 'snappy/1.1.10' not resolved: Unable to find 'snappy/1.1.10#968fef506ff261592ec30c574d4a7809%1756234314.246' in remotes.`,
-please add `xrplf` remote or re-run `conan export` for [patched recipes](#patched-recipes).
+please [add `xrplf` remote](#add-xrplf-remote) or re-run `conan export` for [patched recipes](./docs/build/advanced_conan.md#patched-recipes).

 ### `protobuf/port_def.inc` file not found

@@ -610,28 +380,9 @@ For example, if you want to build Debug:
 1. For conan install, pass `--settings build_type=Debug`
 2. For cmake, pass `-DCMAKE_BUILD_TYPE=Debug`

-## Add a Dependency
-
-If you want to experiment with a new package, follow these steps:
-
-1. Search for the package on [Conan Center](https://conan.io/center/).
-2. Modify [`conanfile.py`](./conanfile.py):
-   - Add a version of the package to the `requires` property.
-   - Change any default options for the package by adding them to the
-     `default_options` property (with syntax `'$package:$option': $value`).
-3. Modify [`CMakeLists.txt`](./CMakeLists.txt):
-   - Add a call to `find_package($package REQUIRED)`.
-   - Link a library from the package to the target `xrpl_libs`
-     (search for the existing call to `target_link_libraries(xrpl_libs INTERFACE ...)`).
-4. Start coding! Don't forget to include whatever headers you need from the package.
-
-[1]: https://github.com/conan-io/conan-center-index/issues/13168
-[2]: https://en.cppreference.com/w/cpp/compiler_support/20
-[3]: https://docs.conan.io/en/latest/getting_started.html
-[5]: https://en.wikipedia.org/wiki/Unity_build
-[6]: https://github.com/boostorg/beast/issues/2648
-[7]: https://github.com/boostorg/beast/issues/2661
+[cpp23-support]: https://en.cppreference.com/w/cpp/compiler_support/23
+[conan-getting-started]: https://docs.conan.io/en/latest/getting_started.html
+[unity-build]: https://en.wikipedia.org/wiki/Unity_build
 [gcovr]: https://gcovr.com/en/stable/getting-started.html
 [python-pip]: https://packaging.python.org/en/latest/guides/installing-using-pip-and-virtual-environments/
 [build_type]: https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html
-[profile]: https://docs.conan.io/en/latest/reference/profiles.html
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -14,9 +14,9 @@ The following branches exist in the main project repository:

 - `develop`: The latest set of unreleased features, and the most common
  starting point for contributions.
- `release`: The latest beta release or release candidate.
- `master`: The latest stable release.
- `gh-pages`: The documentation for this project, built by Doxygen.
+- `release/*` (e.g. `release/3.2.x`): Release branches, one per release line,
+  holding the latest release candidate, or stable release for that line.
+  Stable releases are published as [tagged releases](https://github.com/XRPLF/rippled/releases).

 The tip of each branch must be signed. In order for GitHub to sign a
 squashed commit that it builds from your pull request, GitHub must know
@@ -130,11 +130,9 @@ tl;dr
 ## Pull requests

 In general, pull requests use `develop` as the base branch.
-The exceptions are

- Fixes and improvements to a release candidate use `release` as the
-  base.
- Hotfixes use `master` as the base.
+The exceptions are fixes, improvements, and hotfixes for an existing release,
+which use that release's branch (e.g. `release/3.2.x`) as the base.

 If your changes are not quite ready, but you want to make it easily available
 for preliminary examination or review, you can create a "Draft" pull request.
@@ -216,7 +214,7 @@ coherent rather than a set of _thou shalt not_ commandments.

 ## Formatting

-All code must conform to `clang-format` version 21,
+All code must conform to `clang-format` version 22,
 according to the settings in [`.clang-format`](./.clang-format),
 unless the result would be unreasonably difficult to read or maintain.
 To demarcate lines that should be left as-is, surround them with comments like
@@ -261,7 +259,7 @@ This ensures that configuration changes don't introduce new warnings across the

 ### Installing clang-tidy

-See the [environment setup guide](./docs/build/environment.md#clang-tidy) for platform-specific installation instructions.
+See the [environment setup guide](./docs/build/environment.md#clang-tidy) for how to get clang-tidy.

 ### Running clang-tidy locally

--- a/bin/check-tools.sh
+++ b/bin/check-tools.sh
@@ -0,0 +1,158 @@
+#!/usr/bin/env bash
+#
+# check-tools.sh — verify the xrpld development tooling is present and runnable.
+#
+# Works on Linux, macOS, and Windows (Git Bash / MSYS). For every expected tool
+# it runs a version probe, collecting anything that is missing or fails to run,
+# and prints a summary at the end (exiting non-zero if anything is missing).
+#
+# The tool set is platform-aware:
+#   - Linux:   the full Nix CI environment (see nix/packages.nix, nix/ci-env.nix),
+#              with GCC, Clang and the sanitizer/coverage tooling. This script is
+#              run during the Nix Docker image build (nix/docker/Dockerfile), so
+#              the Linux list is kept in sync with that environment.
+#   - macOS:   the same tooling, minus GCC/g++/gcov/mold
+#   - Windows: the core build tools only (CMake, Conan, Git, Python).
+#              MSVC is expected to be provided separately and is not checked here.
+#
+# Some tools (clang-format, doxygen, gcovr, gh, git-cliff, gpg, pre-commit,
+# run-clang-tidy) are present in our Linux CI images and in local development
+# setups, but not in the macOS CI environment. They are checked everywhere
+# except when running in CI on macOS.
+#
+# Environment variables:
+#   CI                      if set, skip the tools above when on macOS.
+#   CHECK_TOOLS_SKIP_CLONE  if set, skip the git-over-HTTPS connectivity check.
+
+set -uo pipefail
+
+missing=()
+checked=0
+
+# check <name> [probe-command...]
+# Runs the probe (default: "<name> --version") quietly. Records <name> as
+# missing if the command is not found or exits non-zero.
+check() {
+    local name="$1"
+    shift
+    local -a probe=("$@")
+    if [ "${#probe[@]}" -eq 0 ]; then
+        probe=("${name}" --version)
+    fi
+
+    echo "Checking ${name}..."
+    checked=$((checked + 1))
+    if "${probe[@]}" | head -n 1; then
+        printf '  [ ok ] %s\n' "${name}"
+    else
+        printf '  [MISS] %s\n' "${name}"
+        missing+=("${name}")
+    fi
+}
+
+case "$(uname -s)" in
+    Linux*) os=linux ;;
+    Darwin*) os=macos ;;
+    MINGW* | MSYS* | CYGWIN*) os=windows ;;
+    *)
+        echo "Unknown OS: $(uname -s)" >&2
+        exit 1
+        ;;
+esac
+
+echo "Detected OS: ${os} ($(uname -s) $(uname -m))"
+echo
+echo "Core build tools:"
+check cmake
+check conan
+check git
+if [ "${os}" = "windows" ]; then
+    check python python --version
+else
+    check python3
+fi
+
+# The full development toolchain. Available from Nix on Linux and macOS; on
+# Windows these are typically not installed, so they are skipped.
+if [ "${os}" = "linux" ] || [ "${os}" = "macos" ]; then
+    echo
+    echo "Development tooling:"
+    check ccache
+    check clang
+    check clang++
+    check ClangBuildAnalyzer
+    check curl
+    check file
+    check less
+    check make
+    check netstat which netstat
+    check ninja
+    check perl
+    check pkg-config
+    check vim
+
+    # These tools are present in our Linux CI images and in local development
+    # setups, but not in the macOS CI environment. So check them everywhere
+    # except when running in CI on macOS.
+    if [ "${os}" = "linux" ] || [ -z "${CI:-}" ]; then
+        check clang-format
+        check doxygen
+        check gcovr
+        check gh
+        check git-cliff
+        check gpg
+        # pre-commit, or its alternative implementation prek
+        check pre-commit sh -c 'pre-commit --version || prek --version'
+        check run-clang-tidy run-clang-tidy --help
+    fi
+fi
+
+# GCC is the default compiler on Linux. macOS uses the system Apple Clang
+# instead, so GCC/g++/gcov are not expected there.
+if [ "${os}" = "linux" ]; then
+    echo
+    echo "GCC toolchain:"
+    check gcc
+    check g++
+    check gcov
+
+    echo
+    echo "Mold:"
+    check mold
+fi
+
+if [ "${os}" = "windows" ]; then
+    echo
+    echo "Note: on Windows the C++ compiler is MSVC, which is provided"
+    echo "      separately (e.g. via Visual Studio) and is not checked here."
+fi
+
+# A simple test to verify that git can clone a repository over HTTPS
+# (i.e. the CA bundle is wired up). Clone to a temp dir and clean up.
+if [ -n "${CHECK_TOOLS_SKIP_CLONE:-}" ]; then
+    echo
+    echo "Skipping git-over-HTTPS check (CHECK_TOOLS_SKIP_CLONE is set)."
+else
+    echo
+    echo "Connectivity check:"
+    checked=$((checked + 1))
+    tmp_clone="$(mktemp -d)"
+    if git clone --depth 1 https://github.com/XRPLF/actions.git "${tmp_clone}/actions" >/dev/null 2>&1; then
+        printf '  [ ok ] git clone over HTTPS\n'
+    else
+        printf '  [MISS] git clone over HTTPS\n'
+        missing+=("git-https-clone")
+    fi
+    rm -rf "${tmp_clone}"
+fi
+
+echo
+if [ "${#missing[@]}" -eq 0 ]; then
+    echo "All ${checked} checked tools are present and runnable."
+else
+    echo "Missing or non-functional tools (${#missing[@]} of ${checked}):" >&2
+    for tool in "${missing[@]}"; do
+        echo "  - ${tool}" >&2
+    done
+    exit 1
+fi
--- a/nix/docker/install-sanitizer-libs.sh
+++ b/nix/docker/install-sanitizer-libs.sh
--- a/cspell.config.yaml
+++ b/cspell.config.yaml
@@ -109,6 +109,7 @@ words:
  - enabled
  - enablerepo
  - endmacro
+  - envrc
  - exceptioned
  - EXPECT_STREQ
  - Falco
@@ -233,8 +234,10 @@ words:
  - pyenv
  - pyparsing
  - qalloc
+  - qbsprofile
  - queuable
  - Raphson
+  - rcflags
  - replayer
  - rerere
  - retriable
--- a/docs/build/advanced_conan.md
+++ b/docs/build/advanced_conan.md
@@ -0,0 +1,193 @@
+# Advanced Conan configuration
+
+This document provides advanced instructions for setting up and configuring Conan for `xrpld` development: custom profiles, the lockfile, patched recipes, and profile tweaks.
+
+## Custom profile
+
+If the default profile does not work for you and you do not yet have a Conan
+profile, you can create one by running:
+
+```bash
+conan profile detect
+```
+
+You may need to make changes to the profile to suit your environment. You can
+refer to the provided `conan/profiles/default` profile for inspiration, and you
+may also need to apply the required [tweaks](#conan-profile-tweaks) to this
+default profile.
+
+## Conan lockfile
+
+To achieve reproducible dependencies, we use a [Conan lockfile](https://docs.conan.io/2/tutorial/versioning/lockfiles.html),
+which has to be updated every time dependencies change.
+
+Please see the [instructions on how to regenerate the lockfile](../../conan/lockfile/README.md).
+
+## Patched recipes
+
+Occasionally, we need patched recipes or recipes not present in Conan Center.
+We maintain a fork of the Conan Center Index
+[here](https://github.com/XRPLF/conan-center-index/) containing the modified and newly added recipes.
+
+To ensure our patched recipes are used, you must add our Conan remote at a
+higher index than the default Conan Center remote, so it is consulted first. You
+can do this by running:
+
+```bash
+conan remote add --index 0 --force xrplf https://conan.ripplex.io
+```
+
+Alternatively, you can pull our recipes from the repository and export them locally:
+
+```bash
+# Define which recipes to export.
+recipes=('abseil' 'ed25519' 'mpt-crypto' 'openssl' 'secp256k1' 'snappy' 'soci' 'wasm-xrplf' 'wasmi')
+
+# Selectively check out the recipes from our CCI fork.
+cd external
+mkdir -p conan-center-index
+cd conan-center-index
+git init
+git remote add origin git@github.com:XRPLF/conan-center-index.git
+git sparse-checkout init
+for recipe in "${recipes[@]}"; do
+    echo "Checking out recipe '${recipe}'..."
+    git sparse-checkout add recipes/${recipe}
+done
+git fetch origin master
+git checkout master
+
+./export_all.sh
+cd ../../
+```
+
+In the case we switch to a newer version of a dependency that still requires a
+patch or add a new dependency, it will be necessary for you to pull in the changes and re-export the
+updated dependencies with the newer version. However, if we switch to a newer
+version that no longer requires a patch, no action is required on your part, as
+the new recipe will be automatically pulled from the official Conan Center.
+
+> [!NOTE]
+> You might need to add `--lockfile=""` to your `conan install` command
+> to avoid automatic use of the existing `conan.lock` file when you run
+> `conan export` manually on your machine
+>
+> This is not recommended though, as you might end up using different revisions of recipes.
+
+## Conan profile tweaks
+
+### Missing compiler version
+
+If you see an error similar to the following after running `conan profile show`:
+
+```text
+ERROR: Invalid setting '17' is not a valid 'settings.compiler.version' value.
+Possible values are ['5.0', '5.1', '6.0', '6.1', '7.0', '7.3', '8.0', '8.1',
+'9.0', '9.1', '10.0', '11.0', '12.0', '13', '13.0', '13.1', '14', '14.0', '15',
+'15.0', '16', '16.0']
+Read "http://docs.conan.io/2/knowledge/faq.html#error-invalid-setting"
+```
+
+you need to create `$(conan config home)/settings_user.yml` file if it doesn't exist and add the required version number(s)
+to the `version` array specific for your compiler. For example:
+
+```yaml
+compiler:
+  apple-clang:
+    version: ["17.0"]
+```
+
+### Multiple compilers
+
+If you have multiple compilers installed, make sure to select the one to use in
+your default Conan configuration **before** running `conan profile detect`, by
+setting the `CC` and `CXX` environment variables.
+
+For example, if you are running MacOS and have [homebrew
+LLVM@18](https://formulae.brew.sh/formula/llvm@18), and want to use it as a
+compiler in the new Conan profile:
+
+```bash
+export CC=$(brew --prefix llvm@18)/bin/clang
+export CXX=$(brew --prefix llvm@18)/bin/clang++
+conan profile detect
+```
+
+You should also explicitly set the path to the compiler in the profile file,
+which helps to avoid errors when `CC` and/or `CXX` are set and disagree with the
+selected Conan profile. For example:
+
+```text
+[conf]
+tools.build:compiler_executables={'c':'/usr/bin/gcc','cpp':'/usr/bin/g++'}
+```
+
+### Multiple profiles
+
+You can manage multiple Conan profiles in the directory
+`$(conan config home)/profiles`, for example renaming `default` to a different
+name and then creating a new `default` profile for a different compiler.
+
+### Select language
+
+The default profile created by Conan will typically select different C++ dialect
+than C++23 used by this project. You should set `23` in the profile line
+starting with `compiler.cppstd=`. For example:
+
+```bash
+sed -i.bak -e 's|^compiler\.cppstd=.*$|compiler.cppstd=23|' $(conan config home)/profiles/default
+```
+
+### Select standard library in Linux
+
+**Linux** developers will commonly have a default Conan [profile][] that
+compiles with GCC and links with libstdc++. If you are linking with libstdc++
+(see profile setting `compiler.libcxx`), then you will need to choose the
+`libstdc++11` ABI:
+
+```bash
+sed -i.bak -e 's|^compiler\.libcxx=.*$|compiler.libcxx=libstdc++11|' $(conan config home)/profiles/default
+```
+
+### Select architecture and runtime in Windows
+
+**Windows** developers may need to use the x64 native build tools. An easy way
+to do that is to run the shortcut "x64 Native Tools Command Prompt" for the
+version of Visual Studio that you have installed.
+
+Windows developers must also build `xrpld` and its dependencies for the x64
+architecture:
+
+```bash
+sed -i.bak -e 's|^arch=.*$|arch=x86_64|' $(conan config home)/profiles/default
+```
+
+**Windows** developers also must select static runtime:
+
+```bash
+sed -i.bak -e 's|^compiler\.runtime=.*$|compiler.runtime=static|' $(conan config home)/profiles/default
+```
+
+## Add a Dependency
+
+If you want to experiment with a new package, follow these steps:
+
+1. Search for the package on [Conan Center](https://conan.io/center/).
+2. Modify [`conanfile.py`](../../conanfile.py):
+   - Add a version of the package to the `requires` property.
+   - Change any default options for the package by adding them to the
+     `default_options` property (with syntax `'$package:$option': $value`).
+3. Regenerate the [Conan lockfile](../../conan/lockfile/README.md) so the new
+   dependency is captured:
+
+   ```bash
+   ./conan/lockfile/regenerate.sh
+   ```
+
+4. Modify [`CMakeLists.txt`](../../CMakeLists.txt):
+   - Add a call to `find_package($package REQUIRED)`.
+   - Link a library from the package to the target `xrpl_libs`
+     (search for the existing call to `target_link_libraries(xrpl_libs INTERFACE ...)`).
+5. Start coding! Don't forget to include whatever headers you need from the package.
+
+[profile]: https://docs.conan.io/2/reference/config_files/profiles.html
--- a/docs/build/conan.md
+++ b/docs/build/conan.md
@@ -115,7 +115,7 @@ By default, Conan will use the profile named "default".
 [find_package]: https://cmake.org/cmake/help/latest/command/find_package.html
 [pcf]: https://cmake.org/cmake/help/latest/manual/cmake-packages.7.html#package-configuration-file
 [prefix_path]: https://cmake.org/cmake/help/latest/variable/CMAKE_PREFIX_PATH.html
-[profile]: https://docs.conan.io/en/latest/reference/profiles.html
+[profile]: https://docs.conan.io/2/reference/config_files/profiles.html
 [pvf]: https://cmake.org/cmake/help/latest/manual/cmake-packages.7.html#package-version-file
 [runtime]: https://cmake.org/cmake/help/latest/variable/CMAKE_MSVC_RUNTIME_LIBRARY.html
 [search]: https://cmake.org/cmake/help/latest/command/find_package.html#search-procedure
--- a/docs/build/environment.md
+++ b/docs/build/environment.md
@@ -1,69 +1,73 @@
 Our [build instructions][BUILD.md] assume you have a C++ development
 environment complete with Git, Python, Conan, CMake, and a C++ compiler.
-This document exists to help readers set one up on any of the Big Three
-platforms: Linux, macOS, or Windows.
-
-As an alternative to system packages, the Nix development shell can be used to provide a development environment. See [using nix development shell](./nix.md) for more details.
+This document explains how to set one up.

 [BUILD.md]: ../../BUILD.md

-## Linux
+## Tested compiler versions

-Package ecosystems vary across Linux distributions,
-so there is no one set of instructions that will work for every Linux user.
-The instructions below are written for Debian 12 (Bookworm).
+`xrpld` is built in the **C++23** dialect by default.
+Make sure your toolchain is recent enough — the compiler versions currently tested in CI are:

-```
-export GCC_RELEASE=12
-sudo apt update
-sudo apt install --yes gcc-${GCC_RELEASE} g++-${GCC_RELEASE} python3-pip \
-  python-is-python3 python3-venv python3-dev curl wget ca-certificates \
-  git build-essential cmake ninja-build libc6-dev
-sudo pip install --break-system-packages conan
+| Compiler    | Version |
+| ----------- | ------- |
+| GCC         | 15.2    |
+| Clang       | 22      |
+| Apple Clang | 17      |
+| MSVC        | 19.44   |

-sudo update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-${GCC_RELEASE} 999
-sudo update-alternatives --install \
-  /usr/bin/gcc gcc /usr/bin/gcc-${GCC_RELEASE} 100 \
-  --slave /usr/bin/g++ g++ /usr/bin/g++-${GCC_RELEASE} \
-  --slave /usr/bin/gcc-ar gcc-ar /usr/bin/gcc-ar-${GCC_RELEASE} \
-  --slave /usr/bin/gcc-nm gcc-nm /usr/bin/gcc-nm-${GCC_RELEASE} \
-  --slave /usr/bin/gcc-ranlib gcc-ranlib /usr/bin/gcc-ranlib-${GCC_RELEASE} \
-  --slave /usr/bin/gcov gcov /usr/bin/gcov-${GCC_RELEASE} \
-  --slave /usr/bin/gcov-tool gcov-tool /usr/bin/gcov-tool-${GCC_RELEASE} \
-  --slave /usr/bin/gcov-dump gcov-dump /usr/bin/gcov-dump-${GCC_RELEASE} \
-  --slave /usr/bin/lto-dump lto-dump /usr/bin/lto-dump-${GCC_RELEASE}
-sudo update-alternatives --auto cc
-sudo update-alternatives --auto gcc
+LLVM tools (`clang-tidy` and `clang-format`) are also pinned to version 22.
+
+Older compilers may fail to build the latest `develop` code: the codebase now
+relies on C++23 features and has been adjusted for `clang-tidy`.
+If the latest code doesn't build for you, update your build toolchain first.
+
+## Linux and macOS
+
+The **recommended way** to get a development environment on Linux and macOS is
+the Nix development shell. It provides the exact tooling used in CI — `git`,
+`python`, `conan`, `cmake`, `clang-tidy`, `clang-format`, and everything else —
+with a single command and without installing anything system-wide:
+
+```bash
+nix --experimental-features 'nix-command flakes' develop
 ```

-If you use different Linux distribution, hope the instruction above can guide
-you in the right direction. We try to maintain compatibility with all recent
-compiler releases, so if you use a rolling distribution like e.g. Arch or CentOS
-then there is a chance that everything will "just work".
+On **Linux**, Nix also provides the compiler (GCC). On **macOS**, the shell uses
+your **system-wide Apple Clang** as the compiler, so you still need to manage
+its version (see below).

-## macOS
+See [Using the Nix development shell](./nix.md) for installation and usage
+details, including how to select a different compiler.

-Open a Terminal and enter the below command to bring up a dialog to install
-the command line developer tools.
-Once it is finished, this command should return a version greater than the
-minimum required (see [BUILD.md][]).
+> [!NOTE]
+> Using Nix is not mandatory. Any custom environment (Homebrew packages or
+> anything else) will continue to work, but then it is up to you to keep it in
+> sync with the environment used in CI. Nix unifies the development environment
+> for everyone and synchronizes updates, which is why we recommend it.

-```
+### macOS: managing the Apple Clang version
+
+Because the Nix shell uses the system-wide Apple Clang on macOS, the compiler
+version is whatever your installed Xcode (or Command Line Tools) provides. The
+following command should return a version greater than or equal to the
+[minimum required](#tested-compiler-versions):
+
+```bash
 clang --version
 ```

-### Install Xcode Specific Version (Optional)
-
-If you develop other applications using XCode you might be consistently updating to the newest version of Apple Clang.
-This will likely cause issues building xrpld. You may want to install a specific version of Xcode:
+If you develop other applications using Xcode, you might be consistently
+updating to the newest version of Apple Clang, which will likely cause issues
+building xrpld. You may want to install and pin a specific version of Xcode:

 1. **Download Xcode**
   - Visit [Apple Developer Downloads](https://developer.apple.com/download/more/)
   - Sign in with your Apple Developer account
-   - Search for an Xcode version that includes **Apple Clang (Expected Version)**
+   - Search for an Xcode version that includes the expected Apple Clang version
   - Download the `.xip` file

-2. **Install and Configure Xcode**
+2. **Install and configure Xcode**

   ```bash
   # Extract the .xip file and rename for version management
@@ -79,62 +83,28 @@ This will likely cause issues building xrpld. You may want to install a specific
   export DEVELOPER_DIR=/Applications/Xcode_16.2.app/Contents/Developer
   ```

-The command line developer tools should include Git too:
+## Windows

-```
-git --version
-```
+Nix is not available on Windows, so the required tools have to be installed
+manually:

-Install [Homebrew][],
-use it to install [pyenv][],
-use it to install Python,
-and use it to install Conan:
+- [Visual Studio 2022](https://visualstudio.microsoft.com/) with the
+  **"Desktop development with C++"** workload — this provides MSVC and the
+  "x64 Native Tools Command Prompt".
+- [Git for Windows](https://git-scm.com/download/win)
+- [Python 3.11](https://www.python.org/downloads/), or higher
+- [Conan 2.17](https://conan.io/downloads.html), or higher
+- [CMake 3.22](https://cmake.org/download/), or higher

-[Homebrew]: https://brew.sh/
-[pyenv]: https://github.com/pyenv/pyenv
-
-```
-/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
-brew update
-brew install xz
-brew install pyenv
-pyenv install 3.11
-pyenv global 3.11
-eval "$(pyenv init -)"
-pip install 'conan'
-```
-
-Install CMake with Homebrew too:
-
-```
-brew install cmake
-```
+> [!NOTE]
+> Windows is used for development only and is not recommended for production.

 ## Clang-tidy

-Clang-tidy is required to run static analysis checks locally (see [CONTRIBUTING.md](../../CONTRIBUTING.md)).
-It is not required to build the project. Currently this project uses clang-tidy version 21.
+`clang-tidy` is required to run static analysis checks locally (see
+[CONTRIBUTING.md](../../CONTRIBUTING.md)). It is not required to build the
+project. This project currently uses `clang-tidy` version 22.

-### Linux
-
-LLVM 21 is not available in the default Debian 12 (Bookworm) repositories.
-Install it using the official LLVM apt installer:
-
-```
-wget https://apt.llvm.org/llvm.sh
-chmod +x llvm.sh
-sudo ./llvm.sh 21
-sudo apt install --yes clang-tidy-21
-```
-
-Then use `run-clang-tidy-21` when running clang-tidy locally.
-
-### macOS
-
-Install LLVM 21 via Homebrew:
-
-```
-brew install llvm@21
-```
-
-Then use `run-clang-tidy` from the LLVM 21 Homebrew prefix when running clang-tidy locally.
+On Linux and macOS, the [Nix development shell](./nix.md) provides `clang-tidy`
+22 out of the box — run it via `run-clang-tidy`. No separate installation is
+needed.
--- a/docs/build/nix.md
+++ b/docs/build/nix.md
@@ -2,9 +2,12 @@

 This guide explains how to use Nix to set up a reproducible development environment for xrpld. Using Nix eliminates the need to manually install utilities and ensures consistent tooling across different machines.

+**The Nix development shell is the recommended way to develop xrpld.** It unifies the development environment for everyone and synchronizes updates: the same tooling and compiler versions are used both here and in CI. Any custom environment (Homebrew packages or anything else) will continue to work, but then it is up to you to keep it in sync with the environment used in CI.
+
 ## Benefits of Using Nix

 - **Reproducible environment**: Everyone gets the same versions of tools and compilers
+- **Matches CI**: The Linux CI runs in Docker images built from this exact Nix environment
 - **No system pollution**: Dependencies are isolated and don't affect your system packages
 - **Multiple compiler versions**: Easily switch between different GCC and Clang versions
 - **Quick setup**: Get started with a single command
@@ -28,11 +31,22 @@ This will:

 - Download and set up all required development tools (CMake, Ninja, Conan, etc.)
 - Configure the appropriate compiler for your platform:
-  - **macOS**: Apple Clang (default system compiler)
-  - **Linux**: GCC 15
+  - **Linux**: GCC 15.2 (provided by Nix)
+  - **macOS**: Apple Clang (your system compiler)

 The first time you run this command, it will take a few minutes to download and build the environment. Subsequent runs will be much faster.

+### Platform notes
+
+- **Linux**: `nix develop` gives you a shell with all the tooling necessary to
+  develop xrpld and with GCC 15.2 (also provided by Nix). There are no caveats.
+- **macOS**: `nix develop` gives you a full environment too. The compiler is
+  your system-wide Apple Clang, while every other tool — including Conan — is
+  provided by Nix. Conan has no binary in the Nix cache for macOS, so it is
+  built from source the first time you enter the shell, which makes the initial
+  setup slower (this is handled automatically; see
+  [`nix/devshell.nix`](../../nix/devshell.nix)).
+
 > [!TIP]
 > To avoid typing `--experimental-features 'nix-command flakes'` every time, you can permanently enable flakes by creating `~/.config/nix/nix.conf`:
 >
@@ -51,7 +65,7 @@ The first time you run this command, it will take a few minutes to download and
 A compiler can be chosen by providing its name with the `.#` prefix, e.g. `nix develop .#gcc15`.
 Use `nix flake show` to see all the available development shells.

-Use `nix develop .#no_compiler` to use the compiler from your system.
+Use `nix develop .#no-compiler` to use the compiler from your system.

 ### Example Usage

@@ -68,12 +82,28 @@ nix develop

 ### Using a different shell

-`nix develop` opens bash by default. If you want to use another shell this could be done by adding `-c` flag. For example:
+`nix develop` opens bash by default. To use another shell, pass it with the `-c` flag — this works with any shell, e.g. `zsh` or `fish`:

 ```bash
+# Use zsh
 nix develop -c zsh
+
+# Use fish
+nix develop -c fish
+
+# Use your login shell
+nix develop -c "$SHELL"
 ```

+> [!WARNING]
+> Your shell's interactive startup files (e.g. `config.fish`, `.zshrc`) may prepend other directories — most commonly Homebrew — to `$PATH`, which can shadow the tools provided by the Nix shell. After entering, verify that tools resolve into the Nix store:
+>
+> ```bash
+> command -v cmake   # should print a /nix/store/... path
+> ```
+>
+> If it doesn't, either adjust your shell configuration so it doesn't override `$PATH`, or use [direnv](#automatic-activation-with-direnv) (below), which loads the environment _after_ your shell config and so takes precedence regardless of the shell you use.
+
 ## Building xrpld with Nix

 Once inside the Nix development shell, follow the standard [build instructions](../../BUILD.md#steps). The Nix shell provides all necessary tools (CMake, Ninja, Conan, etc.).
@@ -82,6 +112,8 @@ Once inside the Nix development shell, follow the standard [build instructions](

 [direnv](https://direnv.net/) or [nix-direnv](https://github.com/nix-community/nix-direnv) can automatically activate the Nix development shell when you enter the repository directory.

+This is also the most robust way to use the environment from **any shell** (bash, zsh, fish, …): direnv stays in your current shell and loads the environment _after_ your shell's startup files have run, so the Nix-provided tools take precedence over anything your shell configuration adds to `$PATH`. To use it, install direnv for your shell, then add an `.envrc` containing `use flake` at the repository root and run `direnv allow`.
+
 ## Conan and Prebuilt Packages

 Please note that there is no guarantee that binaries from conan cache will work when using nix. If you encounter any errors, please use `--build '*'` to force conan to compile everything from source:
@@ -93,3 +125,8 @@ conan install .. --output-folder . --build '*' --settings build_type=Release
 ## Updating `flake.lock` file

 To update `flake.lock` to the latest revision use `nix flake update` command.
+
+## Troubleshooting
+
+See [Troubleshooting Nix problems](./nix_troubleshooting.md) for common issues,
+such as `nix develop` failing inside Git worktrees.
--- a/docs/build/nix_troubleshooting.md
+++ b/docs/build/nix_troubleshooting.md
@@ -0,0 +1,61 @@
+# Troubleshooting Nix problems
+
+Common issues encountered when using the [Nix development shell](./nix.md), and
+how to resolve them.
+
+## Git worktrees
+
+If `nix develop` fails with an error like:
+
+```
+error:
+       … while fetching the input 'git+file:///path/to/rippled'
+
+       error: opening Git repository "/path/to/rippled": unsupported extension name extensions.relativeworktrees (libgit2 error code = 6)
+```
+
+then your Nix is linked against a libgit2 older than **1.9.4**. Git 2.48+ writes
+the `extensions.relativeWorktrees` config entry when a worktree is created with
+relative paths (`git worktree add --relative-paths`, or with
+`worktree.useRelativePaths=true`), and older libgit2 versions refuse to open a
+repository that uses it. Nix uses libgit2 to read the flake, so evaluation
+fails.
+
+> [!IMPORTANT]
+> This entry is written to the **shared** repository config, so once any
+> relative worktree exists, `nix develop` fails in the main checkout too — not
+> just inside the worktree.
+
+### Workarounds
+
+These work today, with any Nix version:
+
+- bypass libgit2 with a `path:` flakeref: `nix develop "path:$PWD"`
+  (note: this copies the working tree to the store and ignores `.gitignore`); or
+- create worktrees with absolute paths (omit `--relative-paths`); or
+- clear the extension if you don't need relative worktrees:
+  `git config --unset extensions.relativeWorktrees`.
+
+### Permanent fix
+
+The fix is in [libgit2 1.9.4](https://github.com/libgit2/libgit2/releases/tag/v1.9.4),
+so the real solution is a Nix that links against libgit2 `1.9.4` or newer. Check
+which version yours links against:
+
+```bash
+nix-store -qR "$(readlink -f "$(command -v nix)")" | grep libgit2
+```
+
+> [!WARNING]
+> `nix upgrade-nix` does **not** help yet. It installs the build from the
+> official [`nix-fallback-paths`](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/installer/tools/nix-fallback-paths.nix),
+> which is still linked against libgit2 `1.9.2` — there is no new upstream Nix
+> release with the fix. (On some systems that build is even the exact store path
+> you already have, making the upgrade a no-op.)
+
+nixpkgs has already rebuilt Nix against the fixed libgit2 (e.g. `nix-2.34.7+1`),
+so the cleanest path is to reinstall Nix using your usual installation method
+once it picks up that rebuild, then re-run the `grep libgit2` check above to
+confirm it reports `1.9.4` or newer.
+
+Until then, prefer the workarounds above.
--- a/flake.lock
+++ b/flake.lock
@@ -2,17 +2,18 @@
  "nodes": {
    "nixpkgs": {
      "locked": {
-        "lastModified": 1780749050,
-        "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
+        "lastModified": 1781173989,
+        "narHash": "sha256-fnzKKPvS+oieI/pTzotA5tkoM47EB1NpaBcgk4R97hE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
+        "rev": "8c91a71d13451abc40eb9dae8910f972f979852f",
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
-        "ref": "nixos-unstable",
-        "type": "indirect"
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
      }
    },
    "nixpkgs-custom-glibc": {
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,7 @@
 {
  description = "Nix related things for xrpld";
  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    # nixpkgs snapshot (2020-06-30) that shipped glibc 2.31 as the primary
    # version — matches the system libc on Ubuntu 20.04 LTS. Imported
    # manually (flake = false) because this revision predates nixpkgs'
--- a/include/xrpl/basics/Archive.h
+++ b/include/xrpl/basics/Archive.h
@@ -1,6 +1,6 @@
 #pragma once

-#include <filesystem>
+#include <boost/filesystem.hpp>

 namespace xrpl {

@@ -12,6 +12,6 @@ namespace xrpl {
    @throws runtime_error
 */
 void
-extractTarLz4(std::filesystem::path const& src, std::filesystem::path const& dst);
+extractTarLz4(boost::filesystem::path const& src, boost::filesystem::path const& dst);

 }  // namespace xrpl
--- a/include/xrpl/basics/FileUtilities.h
+++ b/include/xrpl/basics/FileUtilities.h
@@ -1,22 +1,22 @@
 #pragma once

-#include <filesystem>
+#include <boost/filesystem.hpp>
+#include <boost/system/error_code.hpp>
+
 #include <optional>
-#include <string>
-#include <system_error>

 namespace xrpl {

 std::string
 getFileContents(
-    std::error_code& ec,
-    std::filesystem::path const& sourcePath,
+    boost::system::error_code& ec,
+    boost::filesystem::path const& sourcePath,
    std::optional<std::size_t> maxSize = std::nullopt);

 void
 writeFileContents(
-    std::error_code& ec,
-    std::filesystem::path const& destPath,
+    boost::system::error_code& ec,
+    boost::filesystem::path const& destPath,
    std::string const& contents);

 }  // namespace xrpl
--- a/include/xrpl/basics/Log.h
+++ b/include/xrpl/basics/Log.h
@@ -4,8 +4,8 @@
 #include <xrpl/beast/utility/Journal.h>

 #include <boost/beast/core/string.hpp>
+#include <boost/filesystem.hpp>

-#include <filesystem>
 #include <fstream>
 #include <map>
 #include <memory>
@@ -76,7 +76,7 @@ private:
            @return `true` if the file was opened.
        */
        bool
-        open(std::filesystem::path const& path);
+        open(boost::filesystem::path const& path);

        /** Close and re-open the system file associated with the log
            This assists in interoperating with external log management tools.
@@ -118,7 +118,7 @@ private:

    private:
        std::unique_ptr<std::ofstream> stream_;
-        std::filesystem::path path_;
+        boost::filesystem::path path_;
    };

    std::mutex mutable mutex_;
@@ -137,7 +137,7 @@ public:
    virtual ~Logs() = default;

    bool
-    open(std::filesystem::path const& pathToLogFile);
+    open(boost::filesystem::path const& pathToLogFile);

    beast::Journal::Sink&
    get(std::string const& name);
--- a/include/xrpl/basics/Slice.h
+++ b/include/xrpl/basics/Slice.h
@@ -11,6 +11,7 @@
 #include <limits>
 #include <stdexcept>
 #include <string>
+#include <string_view>
 #include <type_traits>
 #include <vector>

@@ -231,4 +232,11 @@ makeSlice(std::basic_string<char, Traits, Alloc> const& s)
    return Slice(s.data(), s.size());
 }

+template <class Traits>
+Slice
+makeSlice(std::basic_string_view<char, Traits> s)
+{
+    return Slice(s.data(), s.size());
+}
+
 }  // namespace xrpl
--- a/include/xrpl/basics/rocksdb.h
+++ b/include/xrpl/basics/rocksdb.h
@@ -1,29 +0,0 @@
-#pragma once
-
-#if XRPL_ROCKSDB_AVAILABLE
-// #include <rocksdb2/port/port_posix.h>
-#include <rocksdb/cache.h>
-#include <rocksdb/compaction_filter.h>
-#include <rocksdb/comparator.h>
-#include <rocksdb/convenience.h>
-#include <rocksdb/db.h>
-#include <rocksdb/env.h>
-#include <rocksdb/filter_policy.h>
-#include <rocksdb/flush_block_policy.h>
-#include <rocksdb/iterator.h>
-#include <rocksdb/memtablerep.h>
-#include <rocksdb/merge_operator.h>
-#include <rocksdb/options.h>
-#include <rocksdb/perf_context.h>
-#include <rocksdb/slice.h>
-#include <rocksdb/slice_transform.h>
-#include <rocksdb/statistics.h>
-#include <rocksdb/status.h>
-#include <rocksdb/table.h>
-#include <rocksdb/table_properties.h>
-#include <rocksdb/transaction_log.h>
-#include <rocksdb/types.h>
-#include <rocksdb/universal_compaction.h>
-#include <rocksdb/write_batch.h>
-
-#endif
--- a/include/xrpl/basics/sanitizers.h
+++ b/include/xrpl/basics/sanitizers.h
@@ -4,7 +4,7 @@
 /*
 ASAN flags some false positives with sudden jumps in control flow, like
 exceptions, or when encountering coroutine stack switches. This macro can be used to disable ASAN
- intrumentation for specific functions.
+ instrumentation for specific functions.
 */
 #if defined(__GNUC__) || defined(__clang__)
 #define XRPL_NO_SANITIZE_ADDRESS __attribute__((no_sanitize("address", "hwaddress")))
--- a/include/xrpl/beast/unit_test/suite.h
+++ b/include/xrpl/beast/unit_test/suite.h
@@ -6,10 +6,10 @@

 #include <xrpl/beast/unit_test/runner.h>

+#include <boost/filesystem.hpp>
 #include <boost/lexical_cast.hpp>
 #include <boost/throw_exception.hpp>

-#include <filesystem>
 #include <ostream>
 #include <sstream>
 #include <string>
@@ -25,7 +25,7 @@ makeReason(String const& reason, char const* file, int line)
    std::string s(reason);
    if (!s.empty())
        s.append(": ");
-    namespace fs = std::filesystem;
+    namespace fs = boost::filesystem;
    s.append(fs::path{file}.filename().string());
    s.append("(");
    s.append(boost::lexical_cast<std::string>(line));
--- a/include/xrpl/beast/utility/temp_dir.h
+++ b/include/xrpl/beast/utility/temp_dir.h
@@ -1,56 +1,19 @@
 #pragma once

-#include <filesystem>
-#include <iomanip>
-#include <random>
-#include <sstream>
-#include <stdexcept>
+#include <boost/filesystem.hpp>
+
 #include <string>
-#include <system_error>

 namespace beast {

-/** Generate a unique, non-existing path under @p base with an optional @p prefix
-    and a random hex suffix.
-
-    Attempts up to @p maxAttempts paths. Throws `std::runtime_error` if a
-    unique path cannot be found or if the filesystem returns an error while
-    checking for existence.
-*/
-inline std::filesystem::path
-uniqueRandomPath(
-    std::filesystem::path const& base,
-    std::size_t maxAttempts = 100,
-    std::string const& prefix = "")
-{
-    std::random_device rd;
-    for (std::size_t attempt = 0; attempt < maxAttempts; ++attempt)
-    {
-        std::ostringstream oss;
-        oss << prefix << std::hex << std::setfill('0') << std::setw(8) << rd() << std::setw(8)
-            << rd();
-        auto candidate = base / oss.str();
-        std::error_code ec;
-        bool const exists = std::filesystem::exists(candidate, ec);
-        if (ec)
-        {
-            throw std::runtime_error(
-                "Unable to check path '" + candidate.string() + "': " + ec.message());
-        }
-        if (!exists)
-            return candidate;
-    }
-    throw std::runtime_error("Unable to generate a unique path under '" + base.string() + "'");
-}
-
 /** RAII temporary directory.

    The directory and all its contents are deleted when
-    the instance of `TempDir` is destroyed.
+    the instance of `temp_dir` is destroyed.
 */
 class TempDir
 {
-    std::filesystem::path path_;
+    boost::filesystem::path path_;

 public:
 #if !GENERATING_DOCS
@@ -62,16 +25,20 @@ public:
    /// Construct a temporary directory.
    TempDir()
    {
-        path_ = uniqueRandomPath(std::filesystem::temp_directory_path());
-        std::filesystem::create_directory(path_);
+        auto const dir = boost::filesystem::temp_directory_path();
+        do
+        {
+            path_ = dir / boost::filesystem::unique_path();
+        } while (boost::filesystem::exists(path_));
+        boost::filesystem::create_directory(path_);
    }

    /// Destroy a temporary directory.
    ~TempDir()
    {
        // use non-throwing calls in the destructor
-        std::error_code ec;
-        std::filesystem::remove_all(path_, ec);
+        boost::system::error_code ec;
+        boost::filesystem::remove_all(path_, ec);
        // TODO: warn/notify if ec set ?
    }

--- a/include/xrpl/core/PerfLog.h
+++ b/include/xrpl/core/PerfLog.h
@@ -3,9 +3,10 @@
 #include <xrpl/core/JobTypes.h>
 #include <xrpl/json/json_value.h>

+#include <boost/filesystem.hpp>
+
 #include <chrono>
 #include <cstdint>
-#include <filesystem>
 #include <functional>
 #include <memory>
 #include <string>
@@ -42,7 +43,7 @@ public:
     */
    struct Setup
    {
-        std::filesystem::path perfLog;
+        boost::filesystem::path perfLog;
        // log_interval is in milliseconds to support faster testing.
        milliseconds logInterval{seconds(1)};
    };
@@ -147,7 +148,7 @@ public:
 };

 PerfLog::Setup
-setupPerfLog(Section const& section, std::filesystem::path const& configDir);
+setupPerfLog(Section const& section, boost::filesystem::path const& configDir);

 std::unique_ptr<PerfLog>
 makePerfLog(
--- a/include/xrpl/ledger/BookListeners.h
+++ b/include/xrpl/ledger/BookListeners.h
@@ -1,49 +0,0 @@
-#pragma once
-
-#include <xrpl/protocol/MultiApiJson.h>
-#include <xrpl/server/InfoSub.h>
-
-#include <memory>
-#include <mutex>
-
-namespace xrpl {
-
-/** Listen to public/subscribe messages from a book. */
-class BookListeners
-{
-public:
-    using pointer = std::shared_ptr<BookListeners>;
-
-    BookListeners() = default;
-
-    /** Add a new subscription for this book
-     */
-    void
-    addSubscriber(InfoSub::ref sub);
-
-    /** Stop publishing to a subscriber
-     */
-    void
-    removeSubscriber(std::uint64_t sub);
-
-    /** Publish a transaction to subscribers
-
-        Publish a transaction to clients subscribed to changes on this book.
-        Uses havePublished to prevent sending duplicate transactions to clients
-        that have subscribed to multiple books.
-
-        @param jvObj JSON transaction data to publish
-        @param havePublished InfoSub sequence numbers that have already
-                             published this transaction.
-
-    */
-    void
-    publish(MultiApiJson const& jvObj, hash_set<std::uint64_t>& havePublished);
-
-private:
-    std::recursive_mutex lock_;
-
-    hash_map<std::uint64_t, InfoSub::wptr> listeners_;
-};
-
-}  // namespace xrpl
--- a/include/xrpl/ledger/OrderBookDB.h
+++ b/include/xrpl/ledger/OrderBookDB.h
@@ -1,11 +1,11 @@
 #pragma once

+#include <xrpl/basics/UnorderedContainers.h>
+#include <xrpl/beast/utility/Journal.h>
 #include <xrpl/ledger/AcceptedLedgerTx.h>
-#include <xrpl/ledger/BookListeners.h>
 #include <xrpl/ledger/ReadView.h>
 #include <xrpl/protocol/Asset.h>
 #include <xrpl/protocol/Book.h>
-#include <xrpl/protocol/MultiApiJson.h>
 #include <xrpl/protocol/UintTypes.h>

 #include <memory>
@@ -77,34 +77,24 @@ public:
    */
    virtual bool
    isBookToXRP(Asset const& asset, std::optional<Domain> const& domain = std::nullopt) = 0;
-
-    /**
-     * Process a transaction for order book tracking.
-     * @param ledger The ledger the transaction was applied to
-     * @param alTx The transaction to process
-     * @param jvObj The JSON object of the transaction
-     */
-    virtual void
-    processTxn(
-        std::shared_ptr<ReadView const> const& ledger,
-        AcceptedLedgerTx const& alTx,
-        MultiApiJson const& jvObj) = 0;
-
-    /**
-     * Get the book listeners for a book.
-     * @param book The book to get the listeners for
-     * @return The book listeners for the book
-     */
-    virtual BookListeners::pointer
-    getBookListeners(Book const&) = 0;
-
-    /**
-     * Create a new book listeners for a book.
-     * @param book The book to create the listeners for
-     * @return The new book listeners for the book
-     */
-    virtual BookListeners::pointer
-    makeBookListeners(Book const&) = 0;
 };

+/** Extract the set of books affected by a transaction.
+ *
+ *  Walks the transaction's metadata nodes and collects every order book
+ *  whose offers were created, modified, or deleted. Used by NetworkOPs to
+ *  fan transaction notifications out to book subscribers.
+ *
+ *  @param alTx The accepted ledger transaction to inspect.
+ *  @param j Journal used to log per-node parsing failures. Inspecting an
+ *           offer node can throw if a required field is missing; in that
+ *           case the bad node is skipped and a warn-level message is
+ *           emitted via @p j. Other affected books in the same transaction
+ *           are still returned.
+ *  @return The set of books whose offers were created, modified, or
+ *          deleted. May be empty for non-offer transactions.
+ */
+hash_set<Book>
+affectedBooks(AcceptedLedgerTx const& alTx, beast::Journal const& j);
+
 }  // namespace xrpl
--- a/include/xrpl/ledger/helpers/AMMHelpers.h
+++ b/include/xrpl/ledger/helpers/AMMHelpers.h
@@ -37,6 +37,8 @@ reduceOffer(auto const& amount)

 enum class IsDeposit : bool { No = false, Yes = true };

+inline Number const kAMMInvariantRelativeTolerance{1, -11};
+
 /** Calculate LP Tokens given AMM pool reserves.
 * @param asset1 AMM one side of the pool reserve
 * @param asset2 AMM another side of the pool reserve
@@ -738,6 +740,30 @@ ammPoolHolds(
    AuthHandling authHandling,
    beast::Journal const j);

+/** Check AMM pool product invariant after an AMM operation that changes LP tokens
+ * (deposit/withdraw/clawback) from an already calculated pool product mean.
+ * Returns tecPRECISION_LOSS if poolProductMean < newLPTokenBalance beyond the
+ * invariant tolerance,
+ * tesSUCCESS otherwise. Skips check when newLPTokenBalance is zero (last withdrawal).
+ */
+TER
+checkAMMPrecisionLoss(Number const& poolProductMean, STAmount const& newLPTokenBalance);
+
+/** Check AMM pool product invariant after an AMM operation that changes LP tokens
+ * (deposit/withdraw/clawback).
+ * Returns tecPRECISION_LOSS if sqrt(asset1 * asset2) < newLPTokenBalance beyond
+ * the invariant tolerance,
+ * tesSUCCESS otherwise. Skips check when newLPTokenBalance is zero (last withdrawal).
+ */
+TER
+checkAMMPrecisionLoss(
+    ReadView const& view,
+    AccountID const& ammAccountID,
+    Asset const& asset1,
+    Asset const& asset2,
+    STAmount const& newLPTokenBalance,
+    beast::Journal const j);
+
 /** Get AMM pool and LP token balances. If both optIssue are
 * provided then they are used as the AMM token pair issues.
 * Otherwise the missing issues are fetched from ammSle.
--- a/include/xrpl/ledger/helpers/CredentialHelpers.h
+++ b/include/xrpl/ledger/helpers/CredentialHelpers.h
@@ -36,13 +36,13 @@ checkFields(STTx const& tx, beast::Journal j);
 TER
 valid(STTx const& tx, ReadView const& view, AccountID const& src, beast::Journal j);

-// Check if subject has any credential maching the given domain. If you call it
+// Check if subject has any credential matching the given domain. If you call it
 // in preclaim and it returns tecEXPIRED, you should call verifyValidDomain in
 // doApply. This will ensure that expired credentials are deleted.
 TER
 validDomain(ReadView const& view, uint256 domainID, AccountID const& subject);

-// This function is only called when we about to return tecNO_PERMISSION
+// This function is only called when we are about to return tecNO_PERMISSION
 // because all the checks for the DepositPreauth authorization failed.
 TER
 authorizedDepositPreauth(ReadView const& view, STVector256 const& ctx, AccountID const& dst);
@@ -58,7 +58,7 @@ checkArray(STArray const& credentials, unsigned maxSize, beast::Journal j);

 }  // namespace credentials

-// Check expired credentials and for credentials maching DomainID of the ledger
+// Check expired credentials and for credentials matching DomainID of the ledger
 // object
 TER
 verifyValidDomain(ApplyView& view, AccountID const& account, uint256 domainID, beast::Journal j);
--- a/include/xrpl/ledger/helpers/DelegateHelpers.h
+++ b/include/xrpl/ledger/helpers/DelegateHelpers.h
@@ -23,13 +23,9 @@ checkTxPermission(SLE::const_ref delegate, STTx const& tx);
 * @param delegate The delegate account.
 * @param type Used to determine which granted granular permissions to load,
 * based on the transaction type.
- * @param granularPermissions Granted granular permissions tied to the
- * transaction type.
+ * @return the granted granular permissions tied to the transaction type.
 */
-void
-loadGranularPermission(
-    SLE::const_ref delegate,
-    TxType const& type,
-    std::unordered_set<GranularPermissionType>& granularPermissions);
+std::unordered_set<GranularPermissionType>
+getGranularPermission(SLE::const_ref delegate, TxType const& type);

 }  // namespace xrpl
--- a/include/xrpl/ledger/helpers/PaymentChannelHelpers.h
+++ b/include/xrpl/ledger/helpers/PaymentChannelHelpers.h
@@ -5,9 +5,45 @@
 #include <xrpl/protocol/TER.h>
 #include <xrpl/protocol/UintTypes.h>

+#include <cstdint>
+#include <memory>
+#include <optional>
+
 namespace xrpl {

+/** Close a payment channel and return its remaining funds to the channel owner.
+ *
+ *  @param slep  The SLE for the PayChannel object to close.
+ *  @param view  The apply view in which ledger state modifications are made.
+ *  @param key   The ledger key identifying the PayChannel entry.
+ *  @param j     Journal used for fatal-level diagnostic messages.
+ *  @return      tesSUCCESS on success; tefBAD_LEDGER if a directory removal
+ *               fails; tefINTERNAL if the source account SLE cannot be found.
+ */
 TER
 closeChannel(SLE::ref slep, ApplyView& view, uint256 const& key, beast::Journal j);

+/** Add two uint32_t values with saturation at UINT32_MAX.
+ *
+ *  @param rules  The current ledger rules used to check amendment status.
+ *  @param lhs    Left-hand operand.
+ *  @param rhs    Right-hand operand.
+ *  @return       @p lhs + @p rhs, saturated at UINT32_MAX when the amendment
+ *                is active.
+ */
+uint32_t
+saturatingAdd(Rules const& rules, uint32_t const lhs, uint32_t const rhs);
+
+/** Determine whether a payment channel time field represents an expired time.
+ *
+ *  @param view       The apply view providing the parent close time and rules.
+ *  @param timeField  The optional expiry timestamp (seconds since the XRP
+ *                    Ledger epoch).  If empty, the function returns false.
+ *  @return           @c true if @p timeField is set and the indicated time is
+ *                    in the past relative to the view's parent close time;
+ *                    @c false otherwise.
+ */
+bool
+isChannelExpired(ApplyView const& view, std::optional<std::uint32_t> timeField);
+
 }  // namespace xrpl
--- a/include/xrpl/proto/xrpl.proto
+++ b/include/xrpl/proto/xrpl.proto
@@ -246,7 +246,15 @@ message TMGetObjectByHash {

 message TMLedgerNode {
  required bytes nodedata = 1;
-  optional bytes nodeid = 2;  // missing for ledger base data
+
+  // Used when protocol version <2.3. Not set for ledger base data.
+  optional bytes nodeid = 2;
+
+  // Used when protocol version >=2.3. Neither value is set for ledger base data.
+  oneof reference {
+    bytes id = 3;      // Set for inner nodes.
+    uint32 depth = 4;  // Set for leaf nodes.
+  }
 }

 enum TMLedgerInfoType {
--- a/include/xrpl/protocol/ApiVersion.h
+++ b/include/xrpl/protocol/ApiVersion.h
@@ -102,25 +102,32 @@ getAPIVersionNumber(json::Value const& jv, bool betaEnabled)
    json::Value const maxVersion(
        betaEnabled ? RPC::kApiBetaVersion : RPC::kApiMaximumSupportedVersion);

-    if (jv.isObject())
+    if (!jv.isObject() || !jv.isMember(jss::api_version))
+        return RPC::kApiVersionIfUnspecified;
+
+    try
    {
-        if (jv.isMember(jss::api_version))
+        auto const& rawVersion = jv[jss::api_version];
+        switch (rawVersion.type())
        {
-            auto const specifiedVersion = jv[jss::api_version];
-            if (!specifiedVersion.isInt() && !specifiedVersion.isUInt())
-            {
-                return RPC::kApiInvalidVersion;
+            case json::ValueType::Int:
+                if (rawVersion.asInt() < 0)
+                    return RPC::kApiInvalidVersion;
+                [[fallthrough]];
+            case json::ValueType::UInt: {
+                auto const apiVersion = rawVersion.asUInt();
+                if (apiVersion < kMinVersion || apiVersion > maxVersion)
+                    return RPC::kApiInvalidVersion;
+                return apiVersion;
            }
-            auto const specifiedVersionInt = specifiedVersion.asInt();
-            if (specifiedVersionInt < kMinVersion || specifiedVersionInt > maxVersion)
-            {
+            default:
                return RPC::kApiInvalidVersion;
-            }
-            return specifiedVersionInt;
        }
    }
-
-    return RPC::kApiVersionIfUnspecified;
+    catch (...)
+    {
+        return RPC::kApiInvalidVersion;
+    }
 }

 }  // namespace RPC
--- a/include/xrpl/protocol/LedgerFormats.h
+++ b/include/xrpl/protocol/LedgerFormats.h
@@ -180,12 +180,12 @@ enum LedgerEntryType : std::uint16_t {
        LSF_FLAG(lsfMPTCanClawback, 0x00000040))                                                                                   \
                                                                                                                                   \
    LEDGER_OBJECT(MPTokenIssuanceMutable,                                                                                          \
-        LSF_FLAG(lsmfMPTCanMutateCanLock, 0x00000002)                                                                              \
-        LSF_FLAG(lsmfMPTCanMutateRequireAuth, 0x00000004)                                                                          \
-        LSF_FLAG(lsmfMPTCanMutateCanEscrow, 0x00000008)                                                                            \
-        LSF_FLAG(lsmfMPTCanMutateCanTrade, 0x00000010)                                                                             \
-        LSF_FLAG(lsmfMPTCanMutateCanTransfer, 0x00000020)                                                                          \
-        LSF_FLAG(lsmfMPTCanMutateCanClawback, 0x00000040)                                                                          \
+        LSF_FLAG(lsmfMPTCanEnableCanLock, 0x00000002)                                                                              \
+        LSF_FLAG(lsmfMPTCanEnableRequireAuth, 0x00000004)                                                                          \
+        LSF_FLAG(lsmfMPTCanEnableCanEscrow, 0x00000008)                                                                            \
+        LSF_FLAG(lsmfMPTCanEnableCanTrade, 0x00000010)                                                                             \
+        LSF_FLAG(lsmfMPTCanEnableCanTransfer, 0x00000020)                                                                          \
+        LSF_FLAG(lsmfMPTCanEnableCanClawback, 0x00000040)                                                                          \
        LSF_FLAG(lsmfMPTCanMutateMetadata, 0x00010000)                                                                             \
        LSF_FLAG(lsmfMPTCanMutateTransferFee, 0x00020000))                                                                         \
                                                                                                                                   \
--- a/include/xrpl/protocol/Permissions.h
+++ b/include/xrpl/protocol/Permissions.h
@@ -7,8 +7,13 @@
 #include <optional>
 #include <string>
 #include <unordered_map>
+#include <unordered_set>
+#include <vector>

 namespace xrpl {
+
+class STTx;
+
 /**
 * We have both transaction type permissions and granular type permissions.
 * Since we will reuse the TransactionFormats to parse the Transaction
@@ -19,15 +24,15 @@ namespace xrpl {
 // Macro-generated, complex
 // NOLINTNEXTLINE(cppcoreguidelines-use-enum-class)
 enum GranularPermissionType : std::uint32_t {
-#pragma push_macro("PERMISSION")
-#undef PERMISSION
+#pragma push_macro("GRANULAR_PERMISSION")
+#undef GRANULAR_PERMISSION

-#define PERMISSION(type, txType, value) type = (value),
+#define GRANULAR_PERMISSION(name, txType, value, ...) name = (value),

 #include <xrpl/protocol/detail/permissions.macro>

-#undef PERMISSION
-#pragma pop_macro("PERMISSION")
+#undef GRANULAR_PERMISSION
+#pragma pop_macro("GRANULAR_PERMISSION")
 };

 // Injected bare enumerators (xrpl::delegable / xrpl::notDelegable) are required by preprocessor
@@ -40,15 +45,30 @@ class Permission
 private:
    Permission();

-    std::unordered_map<std::uint16_t, uint256> txFeatureMap_;
+    struct GranularPermissionEntry
+    {
+        std::string name;
+        TxType txType;
+        std::uint32_t permittedFlags;
+        SOTemplate permittedFields;

-    std::unordered_map<std::uint16_t, Delegation> delegableTx_;
+        GranularPermissionEntry(
+            std::string name,
+            TxType txType,
+            std::uint32_t permittedFlags,
+            std::vector<SOElement> fields);
+    };

-    std::unordered_map<std::string, GranularPermissionType> granularPermissionMap_;
+    struct TxDelegationEntry
+    {
+        uint256 amendment;
+        Delegation delegable{NotDelegable};
+    };

-    std::unordered_map<GranularPermissionType, std::string> granularNameMap_;
-
-    std::unordered_map<GranularPermissionType, TxType> granularTxTypeMap_;
+    std::unordered_set<TxType> granularTxTypes_;
+    std::unordered_map<TxType, TxDelegationEntry> txDelegationMap_;
+    std::unordered_map<std::string, GranularPermissionType> granularPermissionsByName_;
+    std::unordered_map<GranularPermissionType, GranularPermissionEntry> granularPermissions_;

 public:
    static Permission const&
@@ -59,30 +79,52 @@ public:
    operator=(Permission const&) = delete;

    [[nodiscard]] std::optional<std::string>
-    getPermissionName(std::uint32_t const value) const;
+    getPermissionName(std::uint32_t value) const;

    [[nodiscard]] std::optional<std::uint32_t>
    getGranularValue(std::string const& name) const;

    [[nodiscard]] std::optional<std::string>
-    getGranularName(GranularPermissionType const& value) const;
+    getGranularName(GranularPermissionType value) const;

    [[nodiscard]] std::optional<TxType>
-    getGranularTxType(GranularPermissionType const& gpType) const;
+    getGranularTxType(GranularPermissionType gpType) const;

+    // Returns a reference to avoid copying uint256 - 32 bytes. std::optional
+    // cannot hold references directly, so std::reference_wrapper is used.
    [[nodiscard]] std::optional<std::reference_wrapper<uint256 const>>
    getTxFeature(TxType txType) const;

    [[nodiscard]] bool
-    isDelegable(std::uint32_t const& permissionValue, Rules const& rules) const;
+    isDelegable(std::uint32_t permissionValue, Rules const& rules) const;
+
+    [[nodiscard]] bool
+    hasGranularPermissions(TxType txType) const;

    // for tx level permission, permission value is equal to tx type plus one
-    static uint32_t
-    txToPermissionType(TxType const& type);
+    [[nodiscard]] static uint32_t
+    txToPermissionType(TxType type);

    // tx type value is permission value minus one
-    static TxType
-    permissionToTxType(uint32_t const& value);
+    [[nodiscard]] static TxType
+    permissionToTxType(std::uint32_t value);
+
+    /**
+     * @brief Verifies a delegated transaction against its granular permission template.
+     *
+     * @note WARNING: Do not move this check before standard transaction-level
+     * format checks, which is in preclaim. This function assumes the transaction's
+     * base structural integrity (fees, sequence, signatures) has already been
+     * validated.
+     *
+     * @param tx The transaction to verify.
+     * @param heldPermissions The granular permissions that the sender hold.
+     * @return true if the transaction fields and flags comply with the granular template.
+     */
+    [[nodiscard]] bool
+    checkGranularSandbox(
+        STTx const& tx,
+        std::unordered_set<GranularPermissionType> const& heldPermissions) const;
 };

 }  // namespace xrpl
--- a/include/xrpl/protocol/TxFlags.h
+++ b/include/xrpl/protocol/TxFlags.h
@@ -341,38 +341,32 @@ inline constexpr FlagValue tfTrustSetPermissionMask =

 // MPTokenIssuanceCreate MutableFlags:
 // Indicating specific fields or flags may be changed after issuance.
-inline constexpr FlagValue tmfMPTCanMutateCanLock = lsmfMPTCanMutateCanLock;
-inline constexpr FlagValue tmfMPTCanMutateRequireAuth = lsmfMPTCanMutateRequireAuth;
-inline constexpr FlagValue tmfMPTCanMutateCanEscrow = lsmfMPTCanMutateCanEscrow;
-inline constexpr FlagValue tmfMPTCanMutateCanTrade = lsmfMPTCanMutateCanTrade;
-inline constexpr FlagValue tmfMPTCanMutateCanTransfer = lsmfMPTCanMutateCanTransfer;
-inline constexpr FlagValue tmfMPTCanMutateCanClawback = lsmfMPTCanMutateCanClawback;
+inline constexpr FlagValue tmfMPTCanEnableCanLock = lsmfMPTCanEnableCanLock;
+inline constexpr FlagValue tmfMPTCanEnableRequireAuth = lsmfMPTCanEnableRequireAuth;
+inline constexpr FlagValue tmfMPTCanEnableCanEscrow = lsmfMPTCanEnableCanEscrow;
+inline constexpr FlagValue tmfMPTCanEnableCanTrade = lsmfMPTCanEnableCanTrade;
+inline constexpr FlagValue tmfMPTCanEnableCanTransfer = lsmfMPTCanEnableCanTransfer;
+inline constexpr FlagValue tmfMPTCanEnableCanClawback = lsmfMPTCanEnableCanClawback;
 inline constexpr FlagValue tmfMPTCanMutateMetadata = lsmfMPTCanMutateMetadata;
 inline constexpr FlagValue tmfMPTCanMutateTransferFee = lsmfMPTCanMutateTransferFee;
 inline constexpr FlagValue tmfMPTokenIssuanceCreateMutableMask =
-    ~(tmfMPTCanMutateCanLock | tmfMPTCanMutateRequireAuth | tmfMPTCanMutateCanEscrow |
-      tmfMPTCanMutateCanTrade | tmfMPTCanMutateCanTransfer | tmfMPTCanMutateCanClawback |
+    ~(tmfMPTCanEnableCanLock | tmfMPTCanEnableRequireAuth | tmfMPTCanEnableCanEscrow |
+      tmfMPTCanEnableCanTrade | tmfMPTCanEnableCanTransfer | tmfMPTCanEnableCanClawback |
      tmfMPTCanMutateMetadata | tmfMPTCanMutateTransferFee);

 // MPTokenIssuanceSet MutableFlags:
-// Set or Clear flags.
+// Enable mutable capability flags. These flags are one-way: once enabled,
+// the corresponding capability cannot be disabled by MPTokenIssuanceSet.

 inline constexpr FlagValue tmfMPTSetCanLock = 0x00000001;
-inline constexpr FlagValue tmfMPTClearCanLock = 0x00000002;
-inline constexpr FlagValue tmfMPTSetRequireAuth = 0x00000004;
-inline constexpr FlagValue tmfMPTClearRequireAuth = 0x00000008;
-inline constexpr FlagValue tmfMPTSetCanEscrow = 0x00000010;
-inline constexpr FlagValue tmfMPTClearCanEscrow = 0x00000020;
-inline constexpr FlagValue tmfMPTSetCanTrade = 0x00000040;
-inline constexpr FlagValue tmfMPTClearCanTrade = 0x00000080;
-inline constexpr FlagValue tmfMPTSetCanTransfer = 0x00000100;
-inline constexpr FlagValue tmfMPTClearCanTransfer = 0x00000200;
-inline constexpr FlagValue tmfMPTSetCanClawback = 0x00000400;
-inline constexpr FlagValue tmfMPTClearCanClawback = 0x00000800;
-inline constexpr FlagValue tmfMPTokenIssuanceSetMutableMask = ~(
-    tmfMPTSetCanLock | tmfMPTClearCanLock | tmfMPTSetRequireAuth | tmfMPTClearRequireAuth |
-    tmfMPTSetCanEscrow | tmfMPTClearCanEscrow | tmfMPTSetCanTrade | tmfMPTClearCanTrade |
-    tmfMPTSetCanTransfer | tmfMPTClearCanTransfer | tmfMPTSetCanClawback | tmfMPTClearCanClawback);
+inline constexpr FlagValue tmfMPTSetRequireAuth = 0x00000002;
+inline constexpr FlagValue tmfMPTSetCanEscrow = 0x00000004;
+inline constexpr FlagValue tmfMPTSetCanTrade = 0x00000008;
+inline constexpr FlagValue tmfMPTSetCanTransfer = 0x00000010;
+inline constexpr FlagValue tmfMPTSetCanClawback = 0x00000020;
+inline constexpr FlagValue tmfMPTokenIssuanceSetMutableMask =
+    ~(tmfMPTSetCanLock | tmfMPTSetRequireAuth | tmfMPTSetCanEscrow | tmfMPTSetCanTrade |
+      tmfMPTSetCanTransfer | tmfMPTSetCanClawback);

 // Prior to fixRemoveNFTokenAutoTrustLine, transfer of an NFToken between accounts allowed a
 // TrustLine to be added to the issuer of that token without explicit permission from that issuer.
--- a/include/xrpl/protocol/detail/features.macro
+++ b/include/xrpl/protocol/detail/features.macro
@@ -21,10 +21,10 @@ XRPL_FEATURE(MPTokensV2,                  Supported::No,  VoteBehavior::DefaultN
 XRPL_FIX    (Cleanup3_1_3,                Supported::Yes, VoteBehavior::DefaultYes)
 XRPL_FIX    (BatchInnerSigs,              Supported::No,  VoteBehavior::DefaultNo)
 XRPL_FEATURE(LendingProtocol,             Supported::Yes, VoteBehavior::DefaultNo)
-XRPL_FEATURE(PermissionDelegationV1_1,    Supported::No,  VoteBehavior::DefaultNo)
+XRPL_FEATURE(PermissionDelegationV1_1,    Supported::Yes, VoteBehavior::DefaultNo)
 XRPL_FIX    (DirectoryLimit,              Supported::Yes, VoteBehavior::DefaultNo)
 XRPL_FIX    (IncludeKeyletFields,         Supported::Yes, VoteBehavior::DefaultNo)
-XRPL_FEATURE(DynamicMPT,                  Supported::No,  VoteBehavior::DefaultNo)
+XRPL_FEATURE(DynamicMPT,                  Supported::Yes, VoteBehavior::DefaultNo)
 XRPL_FIX    (TokenEscrowV1,               Supported::Yes, VoteBehavior::DefaultNo)
 XRPL_FIX    (PriceOracleOrder,            Supported::Yes, VoteBehavior::DefaultNo)
 XRPL_FIX    (MPTDeliveredAmount,          Supported::Yes, VoteBehavior::DefaultNo)
--- a/include/xrpl/protocol/detail/permissions.macro
+++ b/include/xrpl/protocol/detail/permissions.macro
@@ -1,49 +1,74 @@
-#if !defined(PERMISSION)
-#error "undefined macro: PERMISSION"
+#if !defined(GRANULAR_PERMISSION)
+#error "undefined macro: GRANULAR_PERMISSION"
 #endif

 /**
- * PERMISSION(name, type, txType, value)
+ * GRANULAR_PERMISSION(name, txType, value, allowedFlags, allowedFields)
 *
- * This macro defines a permission:
- * name: the name of the permission.
- * type: the GranularPermissionType enum.
- * txType: the corresponding TxType for this permission.
- * value: the uint32 numeric value for the enum type.
+ * Defines a granular permission:
+ *   name:          the granular permission name.
+ *   txType:        the corresponding TxType for this permission.
+ *   value:         the uint32 numeric value for the enum type.
+ *   allowedFlags:  transaction flags permitted under this permission.
+ *   allowedFields: transaction fields permitted under this permission.
 */

-/** This permission grants the delegated account the ability to authorize a trustline. */
-PERMISSION(TrustlineAuthorize, ttTRUST_SET, 65537)
+/** Grants the ability to authorize a trustline. */
+GRANULAR_PERMISSION(TrustlineAuthorize, ttTRUST_SET, 65537, tfUniversal | tfSetfAuth,
+    ({{sfLimitAmount, SoeRequired}}))

-/** This permission grants the delegated account the ability to freeze a trustline. */
-PERMISSION(TrustlineFreeze, ttTRUST_SET, 65538)
+/** Grants the ability to freeze a trustline. */
+GRANULAR_PERMISSION(TrustlineFreeze, ttTRUST_SET, 65538, tfUniversal | tfSetFreeze,
+    ({{sfLimitAmount, SoeRequired}}))

-/** This permission grants the delegated account the ability to unfreeze a trustline. */
-PERMISSION(TrustlineUnfreeze, ttTRUST_SET, 65539)
+/** Grants the ability to unfreeze a trustline. */
+GRANULAR_PERMISSION(TrustlineUnfreeze, ttTRUST_SET, 65539, tfUniversal | tfClearFreeze,
+    ({{sfLimitAmount, SoeRequired}}))

-/** This permission grants the delegated account the ability to set Domain. */
-PERMISSION(AccountDomainSet, ttACCOUNT_SET, 65540)
+/** Grants the ability to set Domain. */
+GRANULAR_PERMISSION(AccountDomainSet, ttACCOUNT_SET, 65540, tfUniversal,
+    ({{sfDomain, SoeOptional}}))

-/** This permission grants the delegated account the ability to set EmailHashSet. */
-PERMISSION(AccountEmailHashSet, ttACCOUNT_SET, 65541)
+/** Grants the ability to set EmailHash. */
+GRANULAR_PERMISSION(AccountEmailHashSet, ttACCOUNT_SET, 65541, tfUniversal,
+    ({{sfEmailHash, SoeOptional}}))

-/** This permission grants the delegated account the ability to set MessageKey. */
-PERMISSION(AccountMessageKeySet, ttACCOUNT_SET, 65542)
+/** Grants the ability to set MessageKey. */
+GRANULAR_PERMISSION(AccountMessageKeySet, ttACCOUNT_SET, 65542, tfUniversal,
+    ({{sfMessageKey, SoeOptional}}))

-/** This permission grants the delegated account the ability to set TransferRate. */
-PERMISSION(AccountTransferRateSet, ttACCOUNT_SET, 65543)
+/** Grants the ability to set TransferRate. */
+GRANULAR_PERMISSION(AccountTransferRateSet, ttACCOUNT_SET, 65543, tfUniversal,
+    ({{sfTransferRate, SoeOptional}}))

-/** This permission grants the delegated account the ability to set TickSize. */
-PERMISSION(AccountTickSizeSet, ttACCOUNT_SET, 65544)
+/** Grants the ability to set TickSize. */
+GRANULAR_PERMISSION(AccountTickSizeSet, ttACCOUNT_SET, 65544, tfUniversal,
+    ({{sfTickSize, SoeOptional}}))

-/** This permission grants the delegated account the ability to mint payment, which means sending a payment for a currency where the sending account is the issuer. */
-PERMISSION(PaymentMint, ttPAYMENT, 65545)
+/** Grants the ability to mint payment (sending account is the issuer). Cross-currency payments are disallowed. */
+GRANULAR_PERMISSION(PaymentMint, ttPAYMENT, 65545, tfUniversal,
+    ({{sfDestination, SoeRequired},
+      {sfAmount, SoeRequired},
+      {sfSendMax, SoeOptional},
+      {sfInvoiceID, SoeOptional},
+      {sfDestinationTag, SoeOptional},
+      {sfCredentialIDs, SoeOptional}}))

-/** This permission grants the delegated account the ability to burn payment, which means sending a payment for a currency where the destination account is the issuer */
-PERMISSION(PaymentBurn, ttPAYMENT, 65546)
+/** Grants the ability to burn payment (destination account is the issuer). Cross-currency payments are disallowed. */
+GRANULAR_PERMISSION(PaymentBurn, ttPAYMENT, 65546, tfUniversal,
+    ({{sfDestination, SoeRequired},
+      {sfAmount, SoeRequired},
+      {sfSendMax, SoeOptional},
+      {sfInvoiceID, SoeOptional},
+      {sfDestinationTag, SoeOptional},
+      {sfCredentialIDs, SoeOptional}}))

-/** This permission grants the delegated account the ability to lock MPToken. */
-PERMISSION(MPTokenIssuanceLock, ttMPTOKEN_ISSUANCE_SET, 65547)
+/** Grants the ability to lock an MPToken. */
+GRANULAR_PERMISSION(MPTokenIssuanceLock, ttMPTOKEN_ISSUANCE_SET, 65547, tfUniversal | tfMPTLock,
+    ({{sfMPTokenIssuanceID, SoeRequired},
+      {sfHolder, SoeOptional}}))

-/** This permission grants the delegated account the ability to unlock MPToken. */
-PERMISSION(MPTokenIssuanceUnlock, ttMPTOKEN_ISSUANCE_SET, 65548)
+/** Grants the ability to unlock an MPToken. */
+GRANULAR_PERMISSION(MPTokenIssuanceUnlock, ttMPTOKEN_ISSUANCE_SET, 65548, tfUniversal | tfMPTUnlock,
+    ({{sfMPTokenIssuanceID, SoeRequired},
+      {sfHolder, SoeOptional}}))
--- a/include/xrpl/rdb/DatabaseCon.h
+++ b/include/xrpl/rdb/DatabaseCon.h
@@ -6,7 +6,8 @@
 #include <xrpl/rdb/DBInit.h>
 #include <xrpl/rdb/SociDB.h>

-#include <filesystem>
+#include <boost/filesystem/path.hpp>
+
 #include <mutex>
 #include <optional>
 #include <string>
@@ -71,7 +72,7 @@ public:

        StartUpType startUp = StartUpType::Normal;
        bool standAlone = false;
-        std::filesystem::path dataDir;
+        boost::filesystem::path dataDir;
        // Indicates whether or not to return the `globalPragma`
        // from commonPragma()
        bool useGlobalPragma = false;
@@ -134,7 +135,7 @@ public:

    template <std::size_t N, std::size_t M>
    DatabaseCon(
-        std::filesystem::path const& dataDir,
+        boost::filesystem::path const& dataDir,
        std::string const& dbName,
        std::array<std::string, N> const& pragma,
        std::array<char const*, M> const& initSQL,
@@ -146,7 +147,7 @@ public:
    // Use this constructor to setup checkpointing
    template <std::size_t N, std::size_t M>
    DatabaseCon(
-        std::filesystem::path const& dataDir,
+        boost::filesystem::path const& dataDir,
        std::string const& dbName,
        std::array<std::string, N> const& pragma,
        std::array<char const*, M> const& initSQL,
@@ -181,7 +182,7 @@ private:

    template <std::size_t N, std::size_t M>
    DatabaseCon(
-        std::filesystem::path const& pPath,
+        boost::filesystem::path const& pPath,
        std::vector<std::string> const* commonPragma,
        std::array<std::string, N> const& pragma,
        std::array<char const*, M> const& initSQL,
--- a/include/xrpl/rdb/RelationalDatabase.h
+++ b/include/xrpl/rdb/RelationalDatabase.h
@@ -10,6 +10,7 @@
 #include <xrpl/protocol/TxSearched.h>
 #include <xrpl/rdb/DatabaseCon.h>

+#include <boost/filesystem.hpp>
 #include <boost/variant.hpp>

 namespace xrpl {
--- a/include/xrpl/server/InfoSub.h
+++ b/include/xrpl/server/InfoSub.h
@@ -1,6 +1,7 @@
 #pragma once

 #include <xrpl/basics/CountedObject.h>
+#include <xrpl/beast/utility/Journal.h>
 #include <xrpl/json/json_value.h>
 #include <xrpl/protocol/Book.h>
 #include <xrpl/protocol/ErrorCodes.h>
@@ -26,6 +27,19 @@ public:
 };

 /** Manages a client's subscription to data feeds.
+ *
+ *  An InfoSub holds a non-owning reference to its `Source` (typically the
+ *  process-wide `NetworkOPsImp`). The destructor reaches back into the
+ *  `Source` to remove this subscriber from every server-side subscription
+ *  map.
+ *
+ *  @note Lifetime contract: every `InfoSub` instance MUST be destroyed
+ *        before the backing `Source`. NetworkOPsImp shutdown drops all
+ *        subscriber strong refs before its own teardown to satisfy this.
+ *  @note Thread-safety: per-instance state is guarded by `lock_`. The
+ *        destructor reads tracking sets without taking `lock_` because
+ *        the strong-pointer ref-count is zero at destruction time, so
+ *        no other thread can be calling the public mutators.
 */
 class InfoSub : public CountedObject<InfoSub>
 {
@@ -117,8 +131,43 @@ public:

        virtual bool
        subBook(ref ispListener, Book const&) = 0;
+
+        /**
+         * Remove a book subscription for a live subscriber.
+         *
+         * Clears the book from the subscriber's own tracking set
+         * (InfoSub::bookSubscriptions_) and then removes the server-side
+         * entry from subBook_. Call this from RPC unsubscribe handlers.
+         *
+         * @param ispListener The subscriber requesting removal.
+         * @param book        The order book to unsubscribe from.
+         * @return true if the entry was present and removed, false if the
+         *         subscriber was not subscribed to @p book.
+         *
+         * @note Thread-safety: acquires subLock_ internally.
+         * @note Do NOT call from ~InfoSub(). Use unsubBookInternal instead
+         *       to avoid a redundant write-back to bookSubscriptions_ on a
+         *       partially-destroyed object.
+         */
        virtual bool
-        unsubBook(std::uint64_t uListener, Book const&) = 0;
+        unsubBook(ref ispListener, Book const&) = 0;
+
+        /**
+         * Remove a book subscription during InfoSub teardown.
+         *
+         * Removes only the server-side entry from subBook_. Does NOT touch
+         * InfoSub::bookSubscriptions_ because the InfoSub is being destroyed.
+         * Called by ~InfoSub() for each book in bookSubscriptions_.
+         *
+         * @param uListener The sequence number of the subscriber being torn down.
+         * @param book      The order book entry to remove.
+         * @return true if the entry was present and removed, false otherwise
+         *         (e.g., already removed by a concurrent RPC unsubscribe).
+         *
+         * @note Thread-safety: acquires subLock_ internally.
+         */
+        virtual bool
+        unsubBookInternal(std::uint64_t uListener, Book const&) = 0;

        virtual bool
        subTransactions(ref ispListener) = 0;
@@ -158,6 +207,13 @@ public:
        addRpcSub(std::string const& strUrl, ref rspEntry) = 0;
        virtual bool
        tryRemoveRpcSub(std::string const& strUrl) = 0;
+
+        /** Journal used by InfoSub for diagnostics that occur after the
+         *  owning subsystem (e.g. application-level Logs) is the only
+         *  surviving sink — primarily destructor-time cleanup failures.
+         */
+        [[nodiscard]] virtual beast::Journal const&
+        journal() const = 0;
    };

 public:
@@ -184,6 +240,31 @@ public:
    void
    deleteSubAccountInfo(AccountID const& account, bool rt);

+    /** Record that this subscriber is following @p book.
+     *
+     *  Called by NetworkOPsImp::subBook so that ~InfoSub() can issue a
+     *  matching unsubBook for every book this subscriber is tracking,
+     *  keeping per-subscriber state symmetric with the server-side map.
+     *
+     *  @param book The order book this subscriber has just subscribed to.
+     *  @note Idempotent: re-inserting an already-tracked book is a no-op.
+     *  @note Thread-safe: takes InfoSub::lock_.
+     */
+    void
+    insertBookSubscription(Book const& book);
+
+    /** Stop tracking @p book for this subscriber.
+     *
+     *  Called by the unsubscribe RPC handler so that the book is not
+     *  re-unsubscribed by ~InfoSub(). Pairs with insertBookSubscription.
+     *
+     *  @param book The order book to forget.
+     *  @note No-op if @p book was not previously inserted.
+     *  @note Thread-safe: takes InfoSub::lock_.
+     */
+    void
+    deleteBookSubscription(Book const& book);
+
    // return false if already subscribed to this account
    bool
    insertSubAccountHistory(AccountID const& account);
@@ -217,6 +298,7 @@ private:
    std::shared_ptr<InfoSubRequest> request_;
    std::uint64_t seq_;
    hash_set<AccountID> accountHistorySubscriptions_;
+    hash_set<Book> bookSubscriptions_;
    unsigned int apiVersion_ = 0;

    static int
--- a/include/xrpl/server/NetworkOPs.h
+++ b/include/xrpl/server/NetworkOPs.h
@@ -249,6 +249,19 @@ public:

    virtual void
    stateAccounting(json::Value& obj) = 0;
+
+    /** Total number of (book, subscriber) entries currently tracked.
+     *
+     *  Counts every weak_ptr stored across every book in subBook_, NOT the
+     *  number of distinct subscribers and NOT the number of distinct
+     *  books: a single subscriber following N books contributes N entries.
+     *
+     *  @note Diagnostic accessor; intended for tests and operator visibility
+     *        into per-book subscription state. The returned value is a
+     *        snapshot under the subscription lock.
+     */
+    virtual std::size_t
+    getBookSubscribersCount() = 0;
 };

 }  // namespace xrpl
--- a/include/xrpl/server/State.h
+++ b/include/xrpl/server/State.h
@@ -4,6 +4,8 @@
 #include <xrpl/rdb/DatabaseCon.h>
 #include <xrpl/server/Manifest.h>

+#include <boost/filesystem.hpp>
+
 namespace xrpl {

 struct SavedState
--- a/include/xrpl/shamap/SHAMap.h
+++ b/include/xrpl/shamap/SHAMap.h
@@ -16,6 +16,7 @@

 #include <set>
 #include <stack>
+#include <tuple>
 #include <vector>

 namespace xrpl {
@@ -73,6 +74,17 @@ enum class SHAMapState {

    See https://en.wikipedia.org/wiki/Merkle_tree
 */
+
+/** Holds a SHAMap node's identity, serialized data, and leaf status.
+    Used by getNodeFat to return node data for peer synchronization.
+*/
+struct SHAMapNodeData
+{
+    SHAMapNodeID nodeID;
+    bool isLeaf;
+    Blob data;  // Placed last, so `isLeaf` can fit into the alignment padding of `nodeID`.
+};
+
 class SHAMap
 {
 private:
@@ -250,10 +262,10 @@ public:
    std::vector<std::pair<SHAMapNodeID, uint256>>
    getMissingNodes(int maxNodes, SHAMapSyncFilter const* filter);

-    bool
+    [[nodiscard]] bool
    getNodeFat(
        SHAMapNodeID const& wanted,
-        std::vector<std::pair<SHAMapNodeID, Blob>>& data,
+        std::vector<SHAMapNodeData>& data,
        bool fatLeaves,
        std::uint32_t depth) const;

@@ -280,10 +292,43 @@ public:
    void
    serializeRoot(Serializer& s) const;

+    /** Add a root node to the SHAMap during synchronization.
+     *
+     * This function is used when receiving the root node of a SHAMap from a peer during ledger
+     * synchronization. The node must already have been deserialized.
+     *
+     * @param hash The expected hash of the root node.
+     * @param rootNode A deserialized root node to add.
+     * @param filter Optional sync filter to track received nodes.
+     * @return Status indicating whether the node was useful, duplicate, or invalid.
+     *
+     * @note This function expects the rootNode to be a valid, deserialized SHAMapTreeNode. The
+     *       caller is responsible for deserialization and basic validation before calling this
+     *       function.
+     */
    SHAMapAddNode
-    addRootNode(SHAMapHash const& hash, Slice const& rootNode, SHAMapSyncFilter const* filter);
+    addRootNode(SHAMapHash const& hash, SHAMapTreeNodePtr rootNode, SHAMapSyncFilter const* filter);
+
+    /** Add a known node at a specific position in the SHAMap during synchronization.
+     *
+     * This function is used when receiving nodes from peers during ledger synchronization. The node
+     * is inserted at the position specified by nodeID. The node must already have been
+     * deserialized.
+     *
+     * @param nodeID The position in the tree where this node belongs.
+     * @param treeNode A deserialized tree node to add.
+     * @param filter Optional sync filter to track received nodes.
+     * @return Status indicating whether the node was useful, duplicate, or invalid.
+     *
+     * @note This function expects the treeNode to be a valid, deserialized SHAMapTreeNode. The
+     *       caller is responsible for deserialization and basic validation before calling this
+     *       function. This also means that the nodeID must be consistent with the node's content.
+     */
    SHAMapAddNode
-    addKnownNode(SHAMapNodeID const& nodeID, Slice const& rawNode, SHAMapSyncFilter const* filter);
+    addKnownNode(
+        SHAMapNodeID const& nodeID,
+        SHAMapTreeNodePtr treeNode,
+        SHAMapSyncFilter const* filter);

    // status functions
    void
--- a/include/xrpl/tx/Transactor.h
+++ b/include/xrpl/tx/Transactor.h
@@ -7,6 +7,7 @@
 #include <xrpl/tx/ApplyContext.h>
 #include <xrpl/tx/applySteps.h>

+#include <tuple>
 #include <utility>

 namespace xrpl {
@@ -222,8 +223,63 @@ public:
        return tesSUCCESS;
    }

+    /**
+     * This function can be overridden to introduce additional semantic constraints beyond the
+     * granular template validation for granular permissions. It is called by the base
+     * invokeCheckPermission method only after the transaction has successfully passed
+     * checkGranularSandbox.
+     */
    static NotTEC
-    checkPermission(ReadView const& view, STTx const& tx);
+    checkGranularSemantics(
+        ReadView const& view,
+        STTx const& tx,
+        std::unordered_set<GranularPermissionType> const& heldGranularPermissions)
+    {
+        return tesSUCCESS;
+    }
+
+    /**
+     * Checks whether the transaction is authorized to be executed by the delegated account.
+     * This function enforces the strict permission check hierarchy. It is explicitly
+     * designed NOT to be overridden. Derived transactors must instead implement
+     * checkGranularSemantics to add custom validation logic for granular permissions.
+     *
+     * The evaluation proceeds as follows:
+     * - If transaction-level permission is granted, the function immediately returns tesSUCCESS.
+     * - If transaction-level permission is not granted, the function checks whether the transaction
+     * matches the granular permission template defined in permissions.macro. If it does, it then
+     * calls checkGranularSemantics to perform any additional, fine-grained validation.
+     *
+     */
+    template <class T>
+    static NotTEC
+    invokeCheckPermission(ReadView const& view, STTx const& tx)
+    {
+        // heldGranularPermissions is passed by reference into checkPermission.
+        // It is populated with the sender’s granular permissions only when the sender
+        // lacks tx-level permission but has granular permissions that satisfy the
+        // granular permission template.
+        //
+        // - result is terNO_DELEGATE_PERMISSION: return immediately.
+        // - result is tesSUCCESS and heldGranularPermissions is empty: tx-level permission was
+        // granted, so we returned success before populating it.
+        // - result is tesSUCCESS and heldGranularPermissions is not empty: tx-level permission was
+        // not granted, but the held granular permissions passed checkGranularSandbox, so we proceed
+        // to checkGranularSemantics.
+        //
+        // WARNING: Do not simplify checkPermission to return only
+        // heldGranularPermissions or the ter code. Both the result and the
+        // populated set are required to enforce the strict permission hierarchy
+        // described above.
+        std::unordered_set<GranularPermissionType> heldGranularPermissions;
+        if (NotTEC const result = checkPermission(view, tx, heldGranularPermissions);
+            !isTesSuccess(result) || heldGranularPermissions.empty())
+        {
+            return result;
+        }
+
+        return T::checkGranularSemantics(view, tx, heldGranularPermissions);
+    }
    /////////////////////////////////////////////////////

    // Interface used by AccountDelete
@@ -353,13 +409,24 @@ protected:
        unit::ValueUnit<Unit, T> min = unit::ValueUnit<Unit, T>{});

 private:
+    static NotTEC
+    checkPermission(
+        ReadView const& view,
+        STTx const& tx,
+        std::unordered_set<GranularPermissionType>& heldGranularPermissions);
+
    std::pair<TER, XRPAmount>
    reset(XRPAmount fee);

    TER
    consumeSeqProxy(SLE::pointer const& sleAccount);
+
    TER
    payFee();
+
+    std::tuple<TER, XRPAmount, bool>
+    processPersistentChanges(TER result, XRPAmount fee);
+
    static NotTEC
    checkSingleSign(
        ReadView const& view,
@@ -367,6 +434,7 @@ private:
        AccountID const& idAccount,
        SLE::const_pointer sleAccount,
        beast::Journal const j);
+
    static NotTEC
    checkMultiSign(
        ReadView const& view,
--- a/include/xrpl/tx/invariants/AMMInvariant.h
+++ b/include/xrpl/tx/invariants/AMMInvariant.h
@@ -15,7 +15,9 @@ class ValidAMM
    std::optional<AccountID> ammAccount_;
    std::optional<STAmount> lptAMMBalanceAfter_;
    std::optional<STAmount> lptAMMBalanceBefore_;
+    std::optional<STAmount> lptAMMBalanceBeforeDeletion_;
    bool ammPoolChanged_{false};
+    bool ammDeleted_{false};

 public:
    enum class ZeroAllowed : bool { No = false, Yes = true };
@@ -35,12 +37,17 @@ private:
    [[nodiscard]] bool
    finalizeCreate(STTx const&, ReadView const&, bool enforce, beast::Journal const&) const;
    [[nodiscard]] bool
-    finalizeDelete(bool enforce, TER res, beast::Journal const&) const;
+    finalizeDelete(bool enforce, bool enforceAMMDelete, TER res, beast::Journal const&) const;
    [[nodiscard]] bool
    finalizeDeposit(STTx const&, ReadView const&, bool enforce, beast::Journal const&) const;
    // Includes clawback
    [[nodiscard]] bool
-    finalizeWithdraw(STTx const&, ReadView const&, bool enforce, beast::Journal const&) const;
+    finalizeWithdraw(
+        STTx const&,
+        ReadView const&,
+        bool enforce,
+        bool enforceAMMDelete,
+        beast::Journal const&) const;
    [[nodiscard]] bool
    finalizeDEX(bool enforce, beast::Journal const&) const;
    [[nodiscard]] bool
--- a/include/xrpl/tx/transactors/account/AccountSet.h
+++ b/include/xrpl/tx/transactors/account/AccountSet.h
@@ -23,9 +23,6 @@ public:
    static NotTEC
    preflight(PreflightContext const& ctx);

-    static NotTEC
-    checkPermission(ReadView const& view, STTx const& tx);
-
    static TER
    preclaim(PreclaimContext const& ctx);

--- a/include/xrpl/tx/transactors/payment/Payment.h
+++ b/include/xrpl/tx/transactors/payment/Payment.h
@@ -32,7 +32,10 @@ public:
    preflight(PreflightContext const& ctx);

    static NotTEC
-    checkPermission(ReadView const& view, STTx const& tx);
+    checkGranularSemantics(
+        ReadView const& view,
+        STTx const& tx,
+        std::unordered_set<GranularPermissionType> const& heldGranularPermissions);

    static TER
    preclaim(PreclaimContext const& ctx);
--- a/include/xrpl/tx/transactors/token/MPTokenIssuanceSet.h
+++ b/include/xrpl/tx/transactors/token/MPTokenIssuanceSet.h
@@ -22,9 +22,6 @@ public:
    static NotTEC
    preflight(PreflightContext const& ctx);

-    static NotTEC
-    checkPermission(ReadView const& view, STTx const& tx);
-
    static TER
    preclaim(PreclaimContext const& ctx);

--- a/include/xrpl/tx/transactors/token/TrustSet.h
+++ b/include/xrpl/tx/transactors/token/TrustSet.h
@@ -21,7 +21,10 @@ public:
    preflight(PreflightContext const& ctx);

    static NotTEC
-    checkPermission(ReadView const& view, STTx const& tx);
+    checkGranularSemantics(
+        ReadView const& view,
+        STTx const& tx,
+        std::unordered_set<GranularPermissionType> const& heldGranularPermissions);

    static TER
    preclaim(PreclaimContext const& ctx);
--- a/nix/docker/Dockerfile
+++ b/nix/docker/Dockerfile
@@ -71,7 +71,7 @@ if [ ! -e "${target}" ]; then
 fi
 EOF

-COPY nix/docker/check-tools.sh /tmp/check-tools.sh
+COPY bin/check-tools.sh /tmp/check-tools.sh
 RUN /tmp/check-tools.sh

 # Sanity-check that the g++/clang++ are able to build binaries, including sanitizer-instrumented ones.
@@ -93,7 +93,7 @@ RUN if echo "${BASE_IMAGE}" | grep -qiE 'nixos'; then \
 SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]

 # Sanity-check that the built binaries run correctly in the vanilla base image, with the necessary sanitizer runtime libraries installed.
-COPY nix/docker/install-sanitizer-libs.sh /tmp/install-sanitizer-libs.sh
+COPY bin/install-sanitizer-libs.sh /tmp/install-sanitizer-libs.sh
 COPY nix/docker/test_files/run-test-binaries.sh /tmp/run-test-binaries.sh
 COPY --from=final /tmp/bins /tmp/bins

--- a/nix/docker/README.md
+++ b/nix/docker/README.md
@@ -0,0 +1,90 @@
+# Nix CI Docker images
+
+This directory builds the Docker images used by xrpld's Linux CI. Each image
+bundles the **exact same toolchain that the Nix development shell provides**
+(see [`docs/build/nix.md`](../../docs/build/nix.md)), so what runs in CI matches
+what developers get locally from `nix develop`.
+
+The toolchain (CMake, Ninja, Conan, GCC, Clang, clang-tidy, the
+sanitizer/coverage tools, …) is defined in [`nix/packages.nix`](../packages.nix)
+and assembled for CI by [`nix/ci-env.nix`](../ci-env.nix). The Docker build
+turns that Nix environment into an ordinary container image layered on top of a
+conventional base image (Ubuntu, Debian, RHEL, or `nixos/nix`).
+
+## Images
+
+The images are built by the [`build-nix-images.yml`](../../.github/workflows/build-nix-images.yml)
+workflow and pushed to `ghcr.io/xrplf/xrpld/nix-<distro>`. The `<distro>` is
+selected through the `BASE_IMAGE` build argument; the base images are the
+**oldest supported version** of each distribution we target:
+
+| Image        | `BASE_IMAGE`                                 | Notes                                              |
+| ------------ | -------------------------------------------- | -------------------------------------------------- |
+| `nix-nixos`  | `nixos/nix:latest`                           | Build/lint only; binaries are not run (see below). |
+| `nix-ubuntu` | `ubuntu:20.04`                               | Oldest supported Ubuntu (glibc 2.31).              |
+| `nix-debian` | `debian:bookworm`                            |                                                    |
+| `nix-rhel`   | `registry.access.redhat.com/ubi9/ubi:latest` |                                                    |
+
+All images carry the full toolchain on `PATH` (via `/nix/ci-env/bin`) plus the
+CA bundle shipped in the Nix environment, so HTTPS clients (git, curl, Conan)
+work without `ca-certificates` being installed in the base image.
+
+## Build stages
+
+[`Dockerfile`](./Dockerfile) is a multi-stage build:
+
+1. **`builder`** — On a `nixos/nix` builder, evaluate the flake and build the
+   CI environment (`nix/ci-env.nix`). The resulting Nix store closure (the
+   complete set of store paths the toolchain depends on) is copied into a
+   staging directory.
+2. **`final`** — Start from `BASE_IMAGE`, copy in the Nix store closure and the
+   `ci-env` symlink tree, and wire up `PATH` and the CA bundle. It then:
+   - installs the dynamic linker if the base image lacks one (see
+     [How libc is handled](#how-libc-is-handled)),
+   - runs [`bin/check-tools.sh`](../../bin/check-tools.sh) to verify every
+     expected tool is present and runnable, and
+   - compiles the C++ test programs in
+     [`test_files/`](./test_files) with both `g++` and `clang++`, and sanitizers.
+3. **`tester`** — Start again from a clean `BASE_IMAGE` (no Nix toolchain),
+   install only the sanitizer runtime libraries
+   ([`install-sanitizer-libs.sh`](./install-sanitizer-libs.sh)), and run the
+   binaries compiled in `final`. This proves the binaries built with the Nix
+   toolchain actually run on a vanilla base image. On `nixos/nix` this step is
+   skipped (the binaries are patched for a conventional FHS loader).
+4. **Output** — The final image is gated on the tester succeeding: it copies a
+   sentinel file out of `tester`, so a failed test run fails the whole build.
+
+## How libc is handled
+
+The goal is for binaries built in these images to run on the **oldest supported
+base image** (Ubuntu 20.04, glibc 2.31) and newer — without the developer's Nix
+toolchain being present at runtime. Two pieces make that work:
+
+- **Compilers linked against an old glibc.** The Nix CI environment does not use
+  nixpkgs' current glibc. Instead it pins a 2020 nixpkgs snapshot whose primary
+  glibc is **2.31** (matching Ubuntu 20.04), via the `nixpkgs-custom-glibc`
+  flake input. GCC, Clang, binutils and compiler-rt are all rebuilt/wrapped
+  against this custom glibc (see [`nix/ci-env.nix`](../ci-env.nix)). As a result
+  the libraries they emit (`libstdc++`, `libgcc_s`, the sanitizer runtimes)
+  reference only symbols available in glibc 2.31.
+
+- **An expected dynamic linker in the image.**
+  Binaries built in Nix environments reference a dynamic linker from Nix store paths, which won't be present in the base image. However,
+  [`loader-path.sh`](./loader-path.sh) reports the expected loader path for the
+  current architecture, so we can patch the binaries to use the correct loader.
+
+The build then verifies all of this end to end: the test programs in
+`test_files/` (a regular binary plus ASan/TSan/UBSan variants) are compiled in
+`final`, their `PT_INTERP` is patched to the target loader, and they are run in
+the clean `tester` stage to confirm each emits the expected sanitizer
+diagnostic on a stock base image.
+
+## Files
+
+| File                                                                    | Purpose                                                                       |
+| ----------------------------------------------------------------------- | ----------------------------------------------------------------------------- |
+| [`./Dockerfile`](./Dockerfile)                                          | Multi-stage build described above.                                            |
+| [`./loader-path.sh`](./loader-path.sh)                                  | Print the dynamic-linker (`PT_INTERP`) path for the current architecture.     |
+| [`./test_files/`](./test_files)                                         | C++ sources and scripts to compile and run the sanitizer smoke tests.         |
+| [`/bin/check-tools.sh`](../../bin/check-tools.sh)                       | Verify every expected tools are present and runnable.                         |
+| [`/bin/install-sanitizer-libs.sh`](../../bin/install-sanitizer-libs.sh) | Install `libasan`/`libtsan`/`libubsan` runtimes on the supported base images. |
--- a/nix/docker/check-tools.sh
+++ b/nix/docker/check-tools.sh
@@ -1,38 +0,0 @@
-#!/bin/bash
-# Verify that every tool expected in the Nix CI env is present and runnable.
-set -euo pipefail
-
-ccache --version
-clang --version
-clang++ --version
-clang-format --version
-cmake --version
-conan --version
-curl --version
-doxygen --version
-file --version
-g++ --version
-gcc --version
-gcov --version
-gcovr --version
-gh --version
-git --version
-git-cliff --version
-gpg --version
-less --version
-make --version
-mold --version
-netstat --version
-ninja --version
-perl --version
-pkg-config --version
-pre-commit --version
-python3 --version
-run-clang-tidy --help
-vim --version
-
-# A simple test to verify that git can clone a repository over HTTPS
-# (i.e. the CA bundle is wired up). Clone to a temp dir and clean up.
-tmp_clone="$(mktemp -d)"
-git clone --depth 1 https://github.com/XRPLF/actions.git "${tmp_clone}/actions"
-rm -rf "${tmp_clone}"
--- a/nix/packages.nix
+++ b/nix/packages.nix
@@ -9,6 +9,7 @@ in
 {
  commonPackages = with pkgs; [
    ccache
+    clangbuildanalyzer
    cmake
    conan
    curlMinimal # needed for codecov/codecov-action
@@ -18,8 +19,10 @@ in
    gh
    git
    git-cliff
+    git-lfs
    gnumake
    gnupg # needed for signing commits & codecov/codecov-action
+    graphviz
    llvmPackages_22.clang-tools
    less # needed for git diff
    mold
@@ -32,5 +35,6 @@ in
    python3
    runClangTidy
    vim
+    zip
  ];
 }
--- a/package/README.md
+++ b/package/README.md
@@ -15,7 +15,6 @@ package/
    xrpld.sysusers      sysusers.d config (used by both RPM and DEB)
    xrpld.tmpfiles      tmpfiles.d config (used by both RPM and DEB)
    xrpld.logrotate     logrotate config (installed to /etc/logrotate.d/xrpld)
-    update-xrpld        auto-update script (installed to /usr/libexec/xrpld/, run by update-xrpld.timer)
 ```

 ## Prerequisites
--- a/package/build_pkg.sh
+++ b/package/build_pkg.sh
@@ -114,10 +114,11 @@ VER_BASE="${VERSION%%-*}"
 VER_SUFFIX="${VERSION#*-}"
 [[ "${VER_SUFFIX}" == "${VERSION}" ]] && VER_SUFFIX=""

-# Reject multi-segment suffixes (e.g. "beta-1", "rc1-15-gabc123"). The RPM
-# Release field forbids '-', and the convention here is single-token suffixes
-# like b1 or rc2. Fail early with a clear message rather than letting either
-# rpmbuild blow up or silently mangling dashes into dots.
+# Reject multi-segment suffixes (e.g. "beta-1", "rc1-15-gabc123"). Neither an
+# RPM Version nor a Debian upstream version may contain '-' (it's the NVR /
+# version-revision separator), and the convention here is single-token
+# suffixes like b1 or rc2. Fail early with a clear message rather than letting
+# the package tooling blow up or silently mangle dashes.
 if [[ "${VER_SUFFIX}" == *-* ]]; then
    echo "build_pkg.sh: multi-segment pre-release in VERSION='${VERSION}' (suffix '${VER_SUFFIX}')." >&2
    echo "Use single-token suffixes like 3.2.0-b1 or 3.2.0-rc2." >&2
@@ -142,9 +143,6 @@ stage_common() {
    cp "${SHARED}/xrpld.sysusers" "${dest}/xrpld.sysusers"
    cp "${SHARED}/xrpld.tmpfiles" "${dest}/xrpld.tmpfiles"
    cp "${SHARED}/xrpld.logrotate" "${dest}/xrpld.logrotate"
-    cp "${SHARED}/update-xrpld" "${dest}/update-xrpld"
-    cp "${SHARED}/update-xrpld.service" "${dest}/update-xrpld.service"
-    cp "${SHARED}/update-xrpld.timer" "${dest}/update-xrpld.timer"
    cp "${SHARED}/50-xrpld.preset" "${dest}/50-xrpld.preset"
 }

@@ -156,20 +154,18 @@ build_rpm() {
    cp "${SRC_DIR}/package/rpm/xrpld.spec" "${topdir}/SPECS/xrpld.spec"
    stage_common "${topdir}/SOURCES"

-    # RPM Version can't contain '-'. A pre-release goes in Release with a
-    # leading "0." so 3.2.0-b1 sorts before the final 3.2.0-<pkg_release>.
-    # The order is "0.<pkg_release>.<suffix>" (e.g. 0.1.b6) — the Fedora/EPEL
-    # convention. Reversing to "0.<suffix>.<pkg_release>" (e.g. 0.b6.1) breaks
-    # rpmvercmp against the former because numeric segments outrank alphabetic
-    # ones, so "0.1.b5" would sort newer than "0.b6.1".
-    local rpm_release="${PKG_RELEASE}"
-    [[ -n "${VER_SUFFIX}" ]] && rpm_release="0.${PKG_RELEASE}.${VER_SUFFIX}"
+    # Pre-releases use the modern rpm '~' convention (rpm >= 4.10): the suffix
+    # goes in Version (e.g. 3.2.0~b1), which rpmvercmp sorts *before* the final
+    # 3.2.0 — identical semantics to Debian's '~'. Release is just the package
+    # release number. This replaces the older "0.<release>.<suffix>" Release
+    # hack and keeps the RPM and DEB version strings symmetric.
+    local rpm_version="${VER_BASE}${VER_SUFFIX:+~${VER_SUFFIX}}"

    set -x
    rpmbuild -bb \
        --define "_topdir ${topdir}" \
-        --define "xrpld_version ${VER_BASE}" \
-        --define "xrpld_release ${rpm_release}" \
+        --define "xrpld_version ${rpm_version}" \
+        --define "xrpld_release ${PKG_RELEASE}" \
        "${topdir}/SPECS/xrpld.spec"
 }

@@ -181,13 +177,10 @@ build_deb() {
    stage_common "${staging}"
    cp -r "${DEBIAN_DIR}" "${staging}/debian"

-    # Debhelper auto-discovers these only from debian/.
    cp "${staging}/xrpld.service" "${staging}/debian/xrpld.service"
    cp "${staging}/xrpld.sysusers" "${staging}/debian/xrpld.sysusers"
    cp "${staging}/xrpld.tmpfiles" "${staging}/debian/xrpld.tmpfiles"
    cp "${staging}/xrpld.logrotate" "${staging}/debian/xrpld.logrotate"
-    cp "${staging}/update-xrpld.service" "${staging}/debian/xrpld.update-xrpld.service"
-    cp "${staging}/update-xrpld.timer" "${staging}/debian/xrpld.update-xrpld.timer"

    # Debian '~' marks a pre-release; 3.2.0~b1 sorts before 3.2.0.
    local deb_full_version="${VER_BASE}${VER_SUFFIX:+~${VER_SUFFIX}}-${PKG_RELEASE}"
--- a/package/debian/rules
+++ b/package/debian/rules
@@ -10,7 +10,6 @@ override_dh_auto_configure override_dh_auto_build override_dh_auto_test:

 override_dh_installsystemd:
 	dh_installsystemd --no-stop-on-upgrade xrpld.service
-	dh_installsystemd --name=update-xrpld --no-enable --no-start update-xrpld.service update-xrpld.timer

 execute_before_dh_installtmpfiles:
 	dh_installsysusers
@@ -21,7 +20,6 @@ override_dh_install:
 	install -D -m 0755 xrpld            debian/xrpld/usr/bin/xrpld
 	install -D -m 0644 xrpld.cfg        debian/xrpld/etc/xrpld/xrpld.cfg
 	install -D -m 0644 validators.txt   debian/xrpld/etc/xrpld/validators.txt
-	install -D -m 0755 update-xrpld     debian/xrpld/usr/libexec/xrpld/update-xrpld

 override_dh_dwz:
 	@:
--- a/package/debian/xrpld.docs
+++ b/package/debian/xrpld.docs
@@ -1,2 +1 @@
 README.md
-LICENSE.md
--- a/package/rpm/xrpld.spec
+++ b/package/rpm/xrpld.spec
@@ -35,8 +35,6 @@ install -Dm0644 %{_sourcedir}/validators.txt       %{buildroot}%{_sysconfdir}/%{

 # systemd units, sysusers, tmpfiles, preset
 install -Dm0644 %{_sourcedir}/xrpld.service        %{buildroot}%{_unitdir}/xrpld.service
-install -Dm0644 %{_sourcedir}/update-xrpld.service %{buildroot}%{_unitdir}/update-xrpld.service
-install -Dm0644 %{_sourcedir}/update-xrpld.timer   %{buildroot}%{_unitdir}/update-xrpld.timer
 install -Dm0644 %{_sourcedir}/xrpld.sysusers       %{buildroot}%{_sysusersdir}/xrpld.conf
 install -Dm0644 %{_sourcedir}/xrpld.tmpfiles       %{buildroot}%{_tmpfilesdir}/xrpld.conf
 install -Dm0644 %{_sourcedir}/50-xrpld.preset      %{buildroot}%{_presetdir}/50-xrpld.preset
@@ -44,9 +42,6 @@ install -Dm0644 %{_sourcedir}/50-xrpld.preset      %{buildroot}%{_presetdir}/50-
 # Logrotate config
 install -Dm0644 %{_sourcedir}/xrpld.logrotate      %{buildroot}%{_sysconfdir}/logrotate.d/%{name}

-# Update helper
-install -Dm0755 %{_sourcedir}/update-xrpld         %{buildroot}%{_libexecdir}/%{name}/update-xrpld
-
 # Docs
 install -Dm0644 %{_sourcedir}/LICENSE.md %{buildroot}%{_docdir}/%{name}/LICENSE.md
 install -Dm0644 %{_sourcedir}/README.md  %{buildroot}%{_docdir}/%{name}/README.md
@@ -61,10 +56,10 @@ ln -s %{_bindir}/%{name} %{buildroot}/usr/local/bin/rippled

 %post
 systemd-tmpfiles --create %{_tmpfilesdir}/xrpld.conf || :
-%systemd_post xrpld.service update-xrpld.timer
+%systemd_post xrpld.service

 %preun
-%systemd_preun xrpld.service update-xrpld.timer
+%systemd_preun xrpld.service

 %postun
 %systemd_postun_with_restart xrpld.service
@@ -74,7 +69,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/xrpld.conf || :
 %doc %{_docdir}/%{name}/README.md

 %dir %{_sysconfdir}/%{name}
-%dir %{_libexecdir}/%{name}

 %{_bindir}/%{name}

@@ -82,18 +76,13 @@ systemd-tmpfiles --create %{_tmpfilesdir}/xrpld.conf || :
 %config(noreplace) %{_sysconfdir}/%{name}/validators.txt
 %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}

-%{_libexecdir}/%{name}/update-xrpld

 %{_unitdir}/xrpld.service
-%{_unitdir}/update-xrpld.service
-%{_unitdir}/update-xrpld.timer
 %{_presetdir}/50-xrpld.preset
 %{_sysusersdir}/xrpld.conf
 %{_tmpfilesdir}/xrpld.conf
-
-%ghost %dir /var/lib/%{name}
-%ghost %dir /var/log/%{name}
-
+%ghost %dir /var/lib/xrpld
+%ghost %dir /var/log/xrpld

 # Legacy compatibility for pre-FHS package layouts.
 # TODO: remove after rippled fully deprecated.
--- a/package/shared/50-xrpld.preset
+++ b/package/shared/50-xrpld.preset
@@ -1,4 +1,2 @@
 # /usr/lib/systemd/system-preset/50-xrpld.preset
 enable xrpld.service
-# Don't enable automatic updates
-disable update-xrpld.timer
--- a/package/shared/update-xrpld
+++ b/package/shared/update-xrpld
@@ -1,152 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Optional: also write logs to a legacy file in addition to journald.
-# By default, this script logs to systemd/journald, viewable via:
-#   journalctl -t update-xrpld
-#
-# Uncomment the line below if you need a flat file for compatibility with
-# external tooling, manual inspection, or environments where journald logs
-# are not persisted or easily accessible.
-#
-# Note: This duplicates all output (stdout/stderr) to both journald and the file.
-# It is generally not needed on modern systems and may cause log file growth
-# if left enabled long-term.
-#
-# Requires /var/log/xrpld/ to exist and be writable by the service (root).
-#
-# exec > >(tee -a /var/log/xrpld/update.log) 2>&1
-
-PATH=/usr/sbin:/usr/bin:/sbin:/bin
-
-PKG_NAME=${PKG_NAME:-xrpld}
-
-log() {
-    # If running under systemd/journald, let it handle timestamps.
-    if [[ -n "${JOURNAL_STREAM:-}" ]]; then
-        printf '%s\n' "$*"
-    else
-        printf '%s %s\n' "$(date -u +'%Y-%m-%dT%H:%M:%SZ')" "$*"
-    fi
-}
-
-require_root() {
-    if [[ ${EUID:-$(id -u)} -ne 0 ]]; then
-        log "RESULT: failed reason=not-root"
-        exit 1
-    fi
-}
-
-get_installed_version() {
-    if command -v dpkg-query >/dev/null 2>&1; then
-        dpkg-query -W -f='${Version}' "$PKG_NAME" 2>/dev/null || printf 'unknown'
-    elif command -v rpm >/dev/null 2>&1; then
-        rpm -q --qf '%{VERSION}-%{RELEASE}' "$PKG_NAME" 2>/dev/null || printf 'unknown'
-    else
-        printf 'unknown'
-    fi
-}
-
-trap 'log "RESULT: failed reason=script-error exit_code=$?"' ERR
-
-apt_can_update() {
-    apt-get update -qq
-    apt-get -s --only-upgrade install "$PKG_NAME" 2>/dev/null | grep -q "^Inst ${PKG_NAME}\b"
-}
-
-apt_apply_update() {
-    DEBIAN_FRONTEND=noninteractive apt-get install -y -qq \
-        -o Dpkg::Options::="--force-confdef" \
-        -o Dpkg::Options::="--force-confold" \
-        "$PKG_NAME"
-}
-
-get_rpm_pm() {
-    if command -v dnf >/dev/null 2>&1; then
-        printf 'dnf\n'
-    elif command -v yum >/dev/null 2>&1; then
-        printf 'yum\n'
-    else
-        return 1
-    fi
-}
-
-rpm_refresh_metadata() {
-    local pm=$1
-    if [[ "$pm" == "dnf" ]]; then
-        dnf makecache --refresh -q >/dev/null
-    else
-        yum clean expire-cache -q >/dev/null
-    fi
-}
-
-rpm_can_update() {
-    local pm=$1
-
-    rpm_refresh_metadata "$pm"
-    local rc=0
-    set +e
-    "$pm" check-update -q "$PKG_NAME" >/dev/null 2>&1
-    rc=$?
-    set -e
-
-    if [[ $rc -eq 100 ]]; then
-        return 0
-    elif [[ $rc -eq 0 ]]; then
-        return 1
-    else
-        log "$pm check-update failed with exit code ${rc}."
-        exit 1
-    fi
-}
-
-rpm_apply_update() {
-    local pm=$1
-    "$pm" update -y "$PKG_NAME"
-}
-
-restart_service() {
-    # Preserve the operator's prior service state: if xrpld was intentionally
-    # stopped before the update, don't bring it back up just because the
-    # auto-update timer fired.
-    if systemctl is-active --quiet "${PKG_NAME}.service"; then
-        systemctl restart "${PKG_NAME}.service"
-        log "${PKG_NAME} service restarted successfully."
-    else
-        log "${PKG_NAME} service was not running; skipping restart to preserve prior state."
-    fi
-}
-
-main() {
-    require_root
-    if command -v apt-get >/dev/null 2>&1; then
-        log "Checking for ${PKG_NAME} updates via apt"
-        if apt_can_update; then
-            log "Update available; installing."
-            apt_apply_update
-            restart_service
-            log "RESULT: updated ${PKG_NAME}=$(get_installed_version)"
-        else
-            log "RESULT: no-update ${PKG_NAME}=$(get_installed_version)"
-        fi
-        return
-    fi
-
-    local rpm_pm=""
-    if rpm_pm="$(get_rpm_pm)"; then
-        log "Checking for ${PKG_NAME} updates via ${rpm_pm}"
-        if rpm_can_update "$rpm_pm"; then
-            log "Update available; installing"
-            rpm_apply_update "$rpm_pm"
-            restart_service
-            log "RESULT: updated ${PKG_NAME}=$(get_installed_version)"
-        else
-            log "RESULT: no-update ${PKG_NAME}=$(get_installed_version)"
-        fi
-        return
-    fi
-    log "RESULT: failed reason=no-package-manager"
-    exit 1
-}
-
-main "$@"
--- a/package/shared/update-xrpld.service
+++ b/package/shared/update-xrpld.service
@@ -1,16 +0,0 @@
-[Unit]
-Description=Check for and install xrpld package updates
-Documentation=man:systemd.service(5)
-Wants=network-online.target
-After=network-online.target
-ConditionPathExists=/usr/libexec/xrpld/update-xrpld
-ConditionPathExists=/usr/bin/xrpld
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/flock -n /run/lock/xrpld-update.lock /usr/libexec/xrpld/update-xrpld
-StandardOutput=journal
-StandardError=journal
-SyslogIdentifier=update-xrpld
-TimeoutStartSec=30min
-PrivateTmp=true
--- a/package/shared/update-xrpld.timer
+++ b/package/shared/update-xrpld.timer
@@ -1,10 +0,0 @@
-[Unit]
-Description=Daily xrpld update check
-
-[Timer]
-OnCalendar=*-*-* 00:00:00
-RandomizedDelaySec=4h
-Persistent=true
-
-[Install]
-WantedBy=timers.target
--- a/package/shared/xrpld.service
+++ b/package/shared/xrpld.service
@@ -17,7 +17,16 @@ ProtectHome=true
 PrivateTmp=true
 User=xrpld
 Group=xrpld
+StateDirectory=xrpld
+StateDirectoryMode=0750
+LogsDirectory=xrpld
+LogsDirectoryMode=0750
 LimitNOFILE=65536
+SystemCallArchitectures=native
+
+# Uncomment both lines to allow xrpld to bind to privileged ports (<1024)
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+#AmbientCapabilities=CAP_NET_BIND_SERVICE

 [Install]
 WantedBy=multi-user.target
--- a/sanitizers/suppressions/runtime-ubsan-options.txt
+++ b/sanitizers/suppressions/runtime-ubsan-options.txt
@@ -1 +1 @@
-halt_on_error=false
+halt_on_error=true
--- a/sanitizers/suppressions/ubsan.supp
+++ b/sanitizers/suppressions/ubsan.supp
@@ -72,7 +72,7 @@ vptr:boost

 # Google protobuf - intentional overflows in hash functions
 undefined:protobuf
-unsigned-integer-overflow:google/protobuf/stubs/stringpiece.h
+unsigned-integer-overflow:protobuf

 # gRPC intentional overflows in timer calculations
 unsigned-integer-overflow:grpc
@@ -102,47 +102,103 @@ undefined:nudb
 # Snappy compression library intentional overflows
 unsigned-integer-overflow:snappy.cc

-# Abseil intentional overflows
-unsigned-integer-overflow:absl/strings/numbers.cc
-unsigned-integer-overflow:absl/strings/internal/cord_rep_flat.h
-unsigned-integer-overflow:absl/base/internal/low_level_alloc.cc
-unsigned-integer-overflow:absl/hash/internal/hash.h
-unsigned-integer-overflow:absl/container/internal/raw_hash_set.h
+# Abseil intentional overflows in hashing, RNG and time arithmetic.
+# Matched at library scope (like boost above): the wraparound is by design
+# across many absl files (hash mixing, raw_hash_set probing, duration math,
+# int128, uniform_int_distribution), so listing individual files just churns.
+unsigned-integer-overflow:absl

 # Standard library intentional overflows
 unsigned-integer-overflow:basic_string.h
+unsigned-integer-overflow:bits/align.h
+unsigned-integer-overflow:bits/basic_string.tcc
 unsigned-integer-overflow:bits/chrono.h
 unsigned-integer-overflow:bits/random.h
 unsigned-integer-overflow:bits/random.tcc
 unsigned-integer-overflow:bits/stl_algobase.h
+unsigned-integer-overflow:bits/string_view.tcc
 unsigned-integer-overflow:bits/uniform_int_dist.h
 unsigned-integer-overflow:string_view
 unsigned-integer-overflow:__random/seed_seq.h
 unsigned-integer-overflow:__charconv/traits.h
 unsigned-integer-overflow:__chrono/duration.h
+# libstdc++ <bit> (std::__bit_ceil etc.) negates an unsigned width; <bit> is a
+# distinct header from the bits/ directory so it needs its own entry.
+unsigned-integer-overflow:include/c++/*/bit

 # =============================================================================
 # Rippled code suppressions
 # =============================================================================

-# Signed integer negation (-value) in amount types.
-# INT64_MIN cannot occur in practice due to domain invariants (mantissa ranges
-# are well within int64_t bounds), but UBSan flags the pattern as potential
-# signed overflow. Narrowed to operator- to avoid suppressing unrelated
-# overflows anywhere in a stack trace containing these type names.
-signed-integer-overflow:operator-*IOUAmount*
-signed-integer-overflow:operator-*XRPAmount*
-signed-integer-overflow:operator-*MPTAmount*
-signed-integer-overflow:operator-*STAmount*
+# These suppressions are keyed by SOURCE FILE, not function name. This UBSan
+# build runs without symbol information, so the runtime only knows the
+# file:line of each report, never the enclosing function — function-name
+# patterns silently never match. Each entry below is therefore scoped to the
+# file whose arithmetic is intentional; the comment names the specific
+# construct.

-# STAmount::operator+ signed addition — operands are bounded by total supply
-# (~10^17 for XRP, ~10^18 for MPT) so overflow cannot occur in practice.
-signed-integer-overflow:operator+*STAmount*
+# STAmount amount-type arithmetic. Unary negation of the mantissa in xrp()/
+# iou()/mpt()/canonicalize() and getInt64Value, plus bounded +/- on amounts:
+# INT64_MIN cannot occur because canonicalize() keeps the mantissa well within
+# int64_t, and operands are bounded by total supply (~10^17 XRP, ~10^18 MPT).
+signed-integer-overflow:protocol/STAmount.cpp

-# STAmount::getRate uses unsigned shift and addition
-unsigned-integer-overflow:*STAmount*getRate*
-# STAmount::serialize uses unsigned bitwise operations
-unsigned-integer-overflow:*STAmount*serialize*
+# nft::cipheredTaxon uses intentional uint32 wraparound (LCG permutation);
+# the helper lives in the generated protocol header nft.h.
+unsigned-integer-overflow:protocol/nft.h

-# nft::cipheredTaxon uses intentional uint32 wraparound (LCG permutation)
-unsigned-integer-overflow:cipheredTaxon
+# STPathElement::getHash multiplies/adds accumulators (non-secure, speed-first).
+unsigned-integer-overflow:protocol/STPathSet.cpp
+
+# beast XorShiftEngine PRNG and murmurhash3 mixing wrap by design.
+unsigned-integer-overflow:beast/xor_shift_engine.h
+
+# Number::normalizeToRange multiplies the mantissa by powers of ten; the result
+# is intentionally allowed to wrap while searching for the in-range value.
+unsigned-integer-overflow:basics/Number.h
+
+# Counter / sequence arithmetic with intentional unsigned wraparound, each
+# guarded by an explicit overflow or domain check at the call site:
+#   base_uint operator++/-- wrap by definition;
+#   ApplyView::insertPage ++page is asserted to wrap to 0 (page exhaustion);
+#   confineOwnerCount documents "overflow is well defined on unsigned";
+#   NFTokenMint checks tokenSeq + 1u == 0u; AmendmentTable does (seq - 1) / 256.
+unsigned-integer-overflow:basics/base_uint.h
+unsigned-integer-overflow:ledger/ApplyView.cpp
+unsigned-integer-overflow:ledger/helpers/AccountRootHelpers.cpp
+unsigned-integer-overflow:tx/transactors/nft/NFTokenMint.cpp
+unsigned-integer-overflow:app/misc/detail/AmendmentTable.cpp
+
+# Sentinel / bounded subtractions that wrap by design (loop counters, reverse
+# iteration, "not found" sentinels, balance math bounded by issuance invariants,
+# base58/base64 codec index math, hash-router and role bit math).
+unsigned-integer-overflow:shamap/SHAMap.cpp
+unsigned-integer-overflow:protocol/Permissions.cpp
+unsigned-integer-overflow:protocol/tokens.cpp
+unsigned-integer-overflow:basics/base64.cpp
+unsigned-integer-overflow:json/json_value.cpp
+unsigned-integer-overflow:app/misc/NetworkOPs.cpp
+unsigned-integer-overflow:rpc/detail/Role.cpp
+unsigned-integer-overflow:tx/transactors/oracle/OracleSet.cpp
+unsigned-integer-overflow:ledger/helpers/MPTokenHelpers.cpp
+unsigned-integer-overflow:crypto/RFC1751.cpp
+unsigned-integer-overflow:tx/paths/detail/StrandFlow.h
+unsigned-integer-overflow:protocol/STObject.h
+
+# GetAggregatePrice negates an unsigned trim count to step a reverse iterator;
+# trimCount is bounded by the price set size.
+unsigned-integer-overflow:rpc/handlers/orderbook/GetAggregatePrice.cpp
+
+# Test-only intentional overflow/underflow in fixture and unit-test arithmetic.
+unsigned-integer-overflow:tests/libxrpl/basics/RangeSet.cpp
+unsigned-integer-overflow:test/app/Batch_test.cpp
+unsigned-integer-overflow:test/app/Invariants_test.cpp
+unsigned-integer-overflow:test/app/Loan_test.cpp
+unsigned-integer-overflow:test/app/NFToken_test.cpp
+unsigned-integer-overflow:test/app/OfferMPT_test.cpp
+unsigned-integer-overflow:test/app/Offer_test.cpp
+unsigned-integer-overflow:test/app/Path_test.cpp
+unsigned-integer-overflow:test/jtx/impl/acctdelete.cpp
+unsigned-integer-overflow:test/ledger/SkipList_test.cpp
+unsigned-integer-overflow:test/rpc/Subscribe_test.cpp
+signed-integer-overflow:test/basics/XRPAmount_test.cpp
--- a/src/libxrpl/basics/Archive.cpp
+++ b/src/libxrpl/basics/Archive.cpp
@@ -2,20 +2,22 @@

 #include <xrpl/basics/contract.h>

+#include <boost/filesystem/operations.hpp>
+#include <boost/filesystem/path.hpp>
+
 #include <archive.h>
 #include <archive_entry.h>

 #include <cstddef>
-#include <filesystem>
 #include <memory>
 #include <stdexcept>

 namespace xrpl {

 void
-extractTarLz4(std::filesystem::path const& src, std::filesystem::path const& dst)
+extractTarLz4(boost::filesystem::path const& src, boost::filesystem::path const& dst)
 {
-    if (!std::filesystem::is_regular_file(src))
+    if (!is_regular_file(src))
        Throw<std::runtime_error>("Invalid source file");

    using archive_ptr = std::unique_ptr<struct archive, void (*)(struct archive*)>;
--- a/src/libxrpl/basics/FileUtilities.cpp
+++ b/src/libxrpl/basics/FileUtilities.cpp
@@ -1,24 +1,29 @@
 #include <xrpl/basics/FileUtilities.h>

+#include <boost/filesystem/operations.hpp>
+#include <boost/filesystem/path.hpp>
+#include <boost/system/detail/errc.hpp>
+#include <boost/system/detail/error_code.hpp>
+#include <boost/system/errc.hpp>
+
 #include <cerrno>
 #include <cstddef>
-#include <filesystem>
 #include <fstream>
 #include <ios>
 #include <iterator>
 #include <optional>
 #include <string>
-#include <system_error>

 namespace xrpl {

 std::string
 getFileContents(
-    std::error_code& ec,
-    std::filesystem::path const& sourcePath,
+    boost::system::error_code& ec,
+    boost::filesystem::path const& sourcePath,
    std::optional<std::size_t> maxSize)
 {
-    using namespace std::filesystem;
+    using namespace boost::filesystem;
+    using namespace boost::system::errc;

    path const fullPath{canonical(sourcePath, ec)};
    if (ec)
@@ -27,15 +32,15 @@ getFileContents(
    if (maxSize && (file_size(fullPath, ec) > *maxSize || ec))
    {
        if (!ec)
-            ec = make_error_code(std::errc::file_too_large);
+            ec = make_error_code(file_too_large);
        return {};
    }

-    std::ifstream fileStream(fullPath, std::ios::in);
+    std::ifstream fileStream(fullPath.string(), std::ios::in);

    if (!fileStream)
    {
-        ec.assign(errno, std::generic_category());
+        ec = make_error_code(static_cast<errc_t>(errno));
        return {};
    }

@@ -44,7 +49,7 @@ getFileContents(

    if (fileStream.bad())
    {
-        ec.assign(errno, std::generic_category());
+        ec = make_error_code(static_cast<errc_t>(errno));
        return {};
    }

@@ -53,15 +58,18 @@ getFileContents(

 void
 writeFileContents(
-    std::error_code& ec,
-    std::filesystem::path const& destPath,
+    boost::system::error_code& ec,
+    boost::filesystem::path const& destPath,
    std::string const& contents)
 {
-    std::ofstream fileStream(destPath, std::ios::out | std::ios::trunc);
+    using namespace boost::filesystem;
+    using namespace boost::system::errc;
+
+    std::ofstream fileStream(destPath.string(), std::ios::out | std::ios::trunc);

    if (!fileStream)
    {
-        ec.assign(errno, std::generic_category());
+        ec = make_error_code(static_cast<errc_t>(errno));
        return;
    }

@@ -69,7 +77,7 @@ writeFileContents(

    if (fileStream.bad())
    {
-        ec.assign(errno, std::generic_category());
+        ec = make_error_code(static_cast<errc_t>(errno));
        return;
    }
 }
--- a/src/libxrpl/basics/Log.cpp
+++ b/src/libxrpl/basics/Log.cpp
@@ -5,10 +5,10 @@
 #include <xrpl/beast/utility/instrumentation.h>

 #include <boost/algorithm/string/predicate.hpp>
+#include <boost/filesystem/path.hpp>

 #include <chrono>
 #include <cstring>
-#include <filesystem>
 #include <fstream>
 #include <functional>
 #include <iostream>
@@ -54,7 +54,7 @@ Logs::File::isOpen() const noexcept
 }

 bool
-Logs::File::open(std::filesystem::path const& path)
+Logs::File::open(boost::filesystem::path const& path)
 {
    close();

@@ -114,7 +114,7 @@ Logs::Logs(beast::Severity thresh) : thresh_(thresh)  // default severity
 }

 bool
-Logs::open(std::filesystem::path const& pathToLogFile)
+Logs::open(boost::filesystem::path const& pathToLogFile)
 {
    return file_.open(pathToLogFile);
 }
--- a/src/libxrpl/ledger/BookListeners.cpp
+++ b/src/libxrpl/ledger/BookListeners.cpp
@@ -1,55 +0,0 @@
-#include <xrpl/ledger/BookListeners.h>
-
-#include <xrpl/basics/UnorderedContainers.h>
-#include <xrpl/json/json_value.h>
-#include <xrpl/protocol/MultiApiJson.h>
-#include <xrpl/server/InfoSub.h>
-
-#include <cstdint>
-#include <mutex>
-
-namespace xrpl {
-
-void
-BookListeners::addSubscriber(InfoSub::ref sub)
-{
-    std::scoped_lock const sl(lock_);
-    listeners_[sub->getSeq()] = sub;
-}
-
-void
-BookListeners::removeSubscriber(std::uint64_t seq)
-{
-    std::scoped_lock const sl(lock_);
-    listeners_.erase(seq);
-}
-
-void
-BookListeners::publish(MultiApiJson const& jvObj, hash_set<std::uint64_t>& havePublished)
-{
-    std::scoped_lock const sl(lock_);
-    auto it = listeners_.cbegin();
-
-    while (it != listeners_.cend())
-    {
-        InfoSub::pointer p = it->second.lock();
-
-        if (p)
-        {
-            // Only publish jvObj if this is the first occurrence
-            if (havePublished.emplace(p->getSeq()).second)
-            {
-                jvObj.visit(
-                    p->getApiVersion(),  //
-                    [&](json::Value const& jv) { p->send(jv, true); });
-            }
-            ++it;
-        }
-        else
-        {
-            it = listeners_.erase(it);
-        }
-    }
-}
-
-}  // namespace xrpl
--- a/src/libxrpl/ledger/helpers/AMMHelpers.cpp
+++ b/src/libxrpl/ledger/helpers/AMMHelpers.cpp
@@ -433,6 +433,43 @@ ammPoolHolds(
    return std::make_pair(assetInBalance, assetOutBalance);
 }

+TER
+checkAMMPrecisionLoss(Number const& poolProductMean, STAmount const& newLPTokenBalance)
+{
+    if (newLPTokenBalance <= beast::kZero)
+        return tesSUCCESS;
+    if (poolProductMean >= newLPTokenBalance)
+        return tesSUCCESS;
+    // Strong check failed. Allow the same relative tolerance as the invariant
+    // checker's weak check. Only return tecPRECISION_LOSS when both fail.
+    if (withinRelativeDistance(
+            poolProductMean, Number{newLPTokenBalance}, kAMMInvariantRelativeTolerance))
+        return tesSUCCESS;
+    return tecPRECISION_LOSS;
+}
+
+TER
+checkAMMPrecisionLoss(
+    ReadView const& view,
+    AccountID const& ammAccountID,
+    Asset const& asset1,
+    Asset const& asset2,
+    STAmount const& newLPTokenBalance,
+    beast::Journal const j)
+{
+    if (newLPTokenBalance <= beast::kZero)
+        return tesSUCCESS;
+    auto const [amount, amount2] = ammPoolHolds(
+        view,
+        ammAccountID,
+        asset1,
+        asset2,
+        FreezeHandling::IgnoreFreeze,
+        AuthHandling::IgnoreAuth,
+        j);
+    return checkAMMPrecisionLoss(root2(amount * amount2), newLPTokenBalance);
+}
+
 std::expected<std::tuple<STAmount, STAmount, STAmount>, TER>
 ammHolds(
    ReadView const& view,
--- a/src/libxrpl/ledger/helpers/PaymentChannelHelpers.cpp
+++ b/src/libxrpl/ledger/helpers/PaymentChannelHelpers.cpp
@@ -5,13 +5,20 @@
 #include <xrpl/beast/utility/Journal.h>
 #include <xrpl/beast/utility/instrumentation.h>
 #include <xrpl/ledger/ApplyView.h>
+#include <xrpl/ledger/View.h>
 #include <xrpl/ledger/helpers/AccountRootHelpers.h>
 #include <xrpl/protocol/AccountID.h>
+#include <xrpl/protocol/Feature.h>
 #include <xrpl/protocol/Indexes.h>
 #include <xrpl/protocol/SField.h>
 #include <xrpl/protocol/STLedgerEntry.h>
 #include <xrpl/protocol/TER.h>

+#include <algorithm>
+#include <cstdint>
+#include <limits>
+#include <optional>
+
 namespace xrpl {

 TER
@@ -59,4 +66,28 @@ closeChannel(SLE::ref slep, ApplyView& view, uint256 const& key, beast::Journal
    return tesSUCCESS;
 }

+uint32_t
+saturatingAdd(Rules const& rules, uint32_t const lhs, uint32_t const rhs)
+{
+    if (rules.enabled(fixCleanup3_2_0))
+    {
+        static constexpr auto kUint32Max =
+            static_cast<uint64_t>(std::numeric_limits<uint32_t>::max());
+        uint64_t const saturatedResult = std::min(uint64_t{lhs} + rhs, kUint32Max);
+        return static_cast<uint32_t>(saturatedResult);
+    }
+
+    return lhs + rhs;
+}
+
+bool
+isChannelExpired(ApplyView const& view, std::optional<uint32_t> timeField)
+{
+    if (!timeField)
+        return false;
+    if (view.rules().enabled(fixCleanup3_2_0))
+        return after(view.header().parentCloseTime, *timeField);
+    return view.header().parentCloseTime.time_since_epoch().count() >= *timeField;
+}
+
 }  // namespace xrpl
--- a/src/libxrpl/nodestore/ManagerImp.cpp
+++ b/src/libxrpl/nodestore/ManagerImp.cpp
@@ -45,8 +45,10 @@ ManagerImp::missingBackend()
 // the Factory classes is an undefined behaviour.
 void
 registerNuDBFactory(Manager& manager);
+#if XRPL_ROCKSDB_AVAILABLE
 void
 registerRocksDBFactory(Manager& manager);
+#endif
 void
 registerNullFactory(Manager& manager);
 void
@@ -55,7 +57,9 @@ registerMemoryFactory(Manager& manager);
 ManagerImp::ManagerImp()
 {
    registerNuDBFactory(*this);
+#if XRPL_ROCKSDB_AVAILABLE
    registerRocksDBFactory(*this);
+#endif
    registerNullFactory(*this);
    registerMemoryFactory(*this);
 }
--- a/src/libxrpl/nodestore/backend/NuDBFactory.cpp
+++ b/src/libxrpl/nodestore/backend/NuDBFactory.cpp
@@ -16,6 +16,8 @@
 #include <xrpl/nodestore/detail/EncodedBlob.h>
 #include <xrpl/nodestore/detail/codec.h>

+#include <boost/filesystem/operations.hpp>
+#include <boost/filesystem/path.hpp>
 #include <boost/system/detail/errc.hpp>

 #include <nudb/context.hpp>
@@ -34,14 +36,12 @@
 #include <cstdint>
 #include <cstdio>
 #include <exception>
-#include <filesystem>
 #include <functional>
 #include <memory>
 #include <optional>
 #include <sstream>
 #include <stdexcept>
 #include <string>
-#include <system_error>
 #include <utility>

 namespace xrpl::NodeStore {
@@ -131,7 +131,7 @@ public:
    void
    open(bool createIfMissing, uint64_t appType, uint64_t uid, uint64_t salt) override
    {
-        using namespace std::filesystem;
+        using namespace boost::filesystem;
        if (db.is_open())
        {
            // LCOV_EXCL_START
@@ -194,12 +194,11 @@ public:

            if (deletePath)
            {
-                std::error_code fsec;
-                std::filesystem::remove_all(name, fsec);
-                if (fsec)
+                boost::filesystem::remove_all(name, ec);
+                if (ec)
                {
-                    JLOG(j.fatal()) << "Filesystem remove_all of " << name
-                                    << " failed with: " << fsec.message();
+                    JLOG(j.fatal())
+                        << "Filesystem remove_all of " << name << " failed with: " << ec.message();
                }
            }
        }
@@ -353,7 +352,7 @@ private:
    static std::size_t
    parseBlockSize(std::string const& name, Section const& keyValues, beast::Journal journal)
    {
-        using namespace std::filesystem;
+        using namespace boost::filesystem;
        auto const folder = path(name);
        auto const kp = (folder / "nudb.key").string();

--- a/src/libxrpl/nodestore/backend/RocksDBFactory.cpp
+++ b/src/libxrpl/nodestore/backend/RocksDBFactory.cpp
@@ -1,13 +1,26 @@
+#if XRPL_ROCKSDB_AVAILABLE
+#include <xrpl/basics/ByteUtilities.h>
 #include <xrpl/basics/Log.h>
 #include <xrpl/basics/base_uint.h>
+#include <xrpl/basics/contract.h>
+#include <xrpl/basics/safe_cast.h>
+#include <xrpl/beast/core/CurrentThreadName.h>
 #include <xrpl/beast/utility/Journal.h>
 #include <xrpl/beast/utility/instrumentation.h>
 #include <xrpl/config/BasicConfig.h>
 #include <xrpl/config/Constants.h>
 #include <xrpl/nodestore/Backend.h>
+#include <xrpl/nodestore/Factory.h>
+#include <xrpl/nodestore/Manager.h>
 #include <xrpl/nodestore/NodeObject.h>
 #include <xrpl/nodestore/Scheduler.h>
 #include <xrpl/nodestore/Types.h>
+#include <xrpl/nodestore/detail/BatchWriter.h>
+#include <xrpl/nodestore/detail/DecodedBlob.h>
+#include <xrpl/nodestore/detail/EncodedBlob.h>
+
+#include <boost/filesystem/operations.hpp>
+#include <boost/filesystem/path.hpp>

 #include <rocksdb/advanced_options.h>
 #include <rocksdb/cache.h>
@@ -22,27 +35,14 @@
 #include <rocksdb/table.h>
 #include <rocksdb/write_batch.h>

+#include <atomic>
 #include <bit>
 #include <cstddef>
-#include <filesystem>
 #include <functional>
+#include <memory>
 #include <stdexcept>
 #include <string>

-#if XRPL_ROCKSDB_AVAILABLE
-#include <xrpl/basics/ByteUtilities.h>
-#include <xrpl/basics/contract.h>
-#include <xrpl/basics/safe_cast.h>
-#include <xrpl/beast/core/CurrentThreadName.h>
-#include <xrpl/nodestore/Factory.h>
-#include <xrpl/nodestore/Manager.h>
-#include <xrpl/nodestore/detail/BatchWriter.h>
-#include <xrpl/nodestore/detail/DecodedBlob.h>
-#include <xrpl/nodestore/detail/EncodedBlob.h>
-
-#include <atomic>
-#include <memory>
-
 namespace xrpl::NodeStore {

 class RocksDBEnv : public rocksdb::EnvWrapper
@@ -263,8 +263,8 @@ public:
            db.reset();
            if (deletePath_)
            {
-                std::filesystem::path const dir = name;
-                std::filesystem::remove_all(dir);
+                boost::filesystem::path const dir = name;
+                boost::filesystem::remove_all(dir);
            }
        }
    }
--- a/src/libxrpl/protocol/BuildInfo.cpp
+++ b/src/libxrpl/protocol/BuildInfo.cpp
@@ -23,7 +23,7 @@ namespace {
 //------------------------------------------------------------------------------
 // clang-format off
 // NOLINTNEXTLINE(readability-identifier-naming)
-char const* const versionString = "3.2.0-rc3"
+char const* const versionString = "3.3.0-b0"
    // clang-format on
    ;

--- a/src/libxrpl/protocol/Permissions.cpp
+++ b/src/libxrpl/protocol/Permissions.cpp
@@ -1,91 +1,136 @@
 #include <xrpl/protocol/Permissions.h>

 #include <xrpl/basics/base_uint.h>
+#include <xrpl/basics/contract.h>
 #include <xrpl/beast/utility/instrumentation.h>
-#include <xrpl/protocol/Feature.h>  // IWYU pragma: keep
 #include <xrpl/protocol/Rules.h>
+#include <xrpl/protocol/SField.h>
+#include <xrpl/protocol/SOTemplate.h>
+#include <xrpl/protocol/STTx.h>
+#include <xrpl/protocol/TxFlags.h>  // IWYU pragma: keep
 #include <xrpl/protocol/TxFormats.h>

+#include <algorithm>
 #include <cstdint>
 #include <functional>
 #include <optional>
+#include <stdexcept>
 #include <string>
+#include <tuple>
+#include <unordered_set>
+#include <utility>
+#include <vector>

 namespace xrpl {

+Permission::GranularPermissionEntry::GranularPermissionEntry(
+    std::string name,
+    TxType txType,
+    std::uint32_t permittedFlags,
+    std::vector<SOElement> permittedFields)
+    : name(std::move(name))
+    , txType(txType)
+    , permittedFlags(permittedFlags)
+    , permittedFields(std::move(permittedFields), TxFormats::getCommonFields())
+{
+}
+
 Permission::Permission()
 {
-    txFeatureMap_ = {
-#pragma push_macro("TRANSACTION")
-#undef TRANSACTION
-
-#define TRANSACTION(tag, value, name, delegable, amendment, ...) {value, amendment},
-
-#include <xrpl/protocol/detail/transactions.macro>
-
-#undef TRANSACTION
-#pragma pop_macro("TRANSACTION")
-    };
-
-    delegableTx_ = {
-#pragma push_macro("TRANSACTION")
-#undef TRANSACTION
-
-#define TRANSACTION(tag, value, name, delegable, ...) {value, delegable},
-
-#include <xrpl/protocol/detail/transactions.macro>
-
-#undef TRANSACTION
-#pragma pop_macro("TRANSACTION")
-    };
-
-    granularPermissionMap_ = {
-#pragma push_macro("PERMISSION")
-#undef PERMISSION
-
-#define PERMISSION(type, txType, value) {#type, type},
-
-#include <xrpl/protocol/detail/permissions.macro>
-
-#undef PERMISSION
-#pragma pop_macro("PERMISSION")
-    };
-
-    granularNameMap_ = {
-#pragma push_macro("PERMISSION")
-#undef PERMISSION
-
-#define PERMISSION(type, txType, value) {type, #type},
-
-#include <xrpl/protocol/detail/permissions.macro>
-
-#undef PERMISSION
-#pragma pop_macro("PERMISSION")
-    };
-
-    granularTxTypeMap_ = {
-#pragma push_macro("PERMISSION")
-#undef PERMISSION
-
-#define PERMISSION(type, txType, value) {type, txType},
-
-#include <xrpl/protocol/detail/permissions.macro>
-
-#undef PERMISSION
-#pragma pop_macro("PERMISSION")
-    };
-
-    XRPL_ASSERT(
-        txFeatureMap_.size() == delegableTx_.size(),
-        "xrpl::Permission : txFeatureMap_ and delegableTx_ must have same "
-        "size");
-
-    for ([[maybe_unused]] auto const& permission : granularPermissionMap_)
    {
-        XRPL_ASSERT(
-            permission.second > UINT16_MAX,
-            "xrpl::Permission::granularPermissionMap_ : granular permission "
-            "value must not exceed the maximum uint16_t value.");
+#pragma push_macro("TRANSACTION")
+#undef TRANSACTION
+
+#define TRANSACTION(tag, value, name, delegable, amendment, ...) \
+    txDelegationMap_[static_cast<TxType>(value)] = {amendment, delegable};
+
+#include <xrpl/protocol/detail/transactions.macro>
+
+#undef TRANSACTION
+#pragma pop_macro("TRANSACTION")
+    }
+
+    granularPermissionsByName_ = {
+#pragma push_macro("GRANULAR_PERMISSION")
+#undef GRANULAR_PERMISSION
+
+#define GRANULAR_PERMISSION(type, ...) {#type, type},
+
+#include <xrpl/protocol/detail/permissions.macro>
+
+#undef GRANULAR_PERMISSION
+#pragma pop_macro("GRANULAR_PERMISSION")
+    };
+
+    {
+#pragma push_macro("GRANULAR_PERMISSION")
+#undef GRANULAR_PERMISSION
+
+// NOLINTBEGIN(bugprone-macro-parentheses)
+#define GRANULAR_PERMISSION(type, txType, value, flags, fields) \
+    granularPermissions_.emplace(                               \
+        std::piecewise_construct,                               \
+        std::forward_as_tuple(GranularPermissionType::type),    \
+        std::forward_as_tuple(                                  \
+            #type, txType, static_cast<std::uint32_t>(flags), std::vector<SOElement> fields));
+        // NOLINTEND(bugprone-macro-parentheses)
+
+#include <xrpl/protocol/detail/permissions.macro>
+
+#undef GRANULAR_PERMISSION
+#pragma pop_macro("GRANULAR_PERMISSION")
+    }
+
+    if (granularPermissionsByName_.size() != granularPermissions_.size())
+    {
+        // LCOV_EXCL_START
+        Throw<std::logic_error>(
+            "granularPermissionsByName_ and granularPermissions_ must have same size");
+        // LCOV_EXCL_STOP
+    }
+
+    for (auto const& [name, type] : granularPermissionsByName_)
+    {
+        if (type <= UINT16_MAX)
+        {
+            // LCOV_EXCL_START
+            Throw<std::logic_error>(
+                "Granular permission value must exceed the maximum uint16_t value: " + name);
+            // LCOV_EXCL_STOP
+        }
+    }
+
+    for (auto const& [type, entry] : granularPermissions_)
+        granularTxTypes_.insert(entry.txType);
+
+    // Validate that all fields listed in permissions.macro exist in the
+    // corresponding transaction type's format, catching typos at startup.
+    for (auto const& [type, entry] : granularPermissions_)
+    {
+        if (!txDelegationMap_.contains(entry.txType))
+        {
+            // LCOV_EXCL_START
+            Throw<std::logic_error>("Invalid granular permission txType in txDelegationMap_");
+            // LCOV_EXCL_STOP
+        }
+
+        auto const* fmt = TxFormats::getInstance().findByType(entry.txType);
+        if (fmt == nullptr)
+        {
+            // LCOV_EXCL_START
+            Throw<std::logic_error>("Invalid granular permission txType");
+            // LCOV_EXCL_STOP
+        }
+
+        for (auto const& field : entry.permittedFields)
+        {
+            if (fmt->getSOTemplate().getIndex(field.sField()) == -1)
+            {
+                // LCOV_EXCL_START
+                Throw<std::logic_error>("Invalid granular permission field");
+                // LCOV_EXCL_STOP
+            }
+        }
    }
 }

@@ -97,8 +142,11 @@ Permission::getInstance()
 }

 std::optional<std::string>
-Permission::getPermissionName(std::uint32_t const value) const
+Permission::getPermissionName(std::uint32_t value) const
 {
+    if (value == 0)
+        return std::nullopt;
+
    auto const permissionValue = static_cast<GranularPermissionType>(value);
    if (auto const granular = getGranularName(permissionValue))
        return granular;
@@ -114,90 +162,131 @@ Permission::getPermissionName(std::uint32_t const value) const
 std::optional<std::uint32_t>
 Permission::getGranularValue(std::string const& name) const
 {
-    auto const it = granularPermissionMap_.find(name);
-    if (it != granularPermissionMap_.end())
+    auto const it = granularPermissionsByName_.find(name);
+    if (it != granularPermissionsByName_.end())
        return static_cast<uint32_t>(it->second);

    return std::nullopt;
 }

 std::optional<std::string>
-Permission::getGranularName(GranularPermissionType const& value) const
+Permission::getGranularName(GranularPermissionType value) const
 {
-    auto const it = granularNameMap_.find(value);
-    if (it != granularNameMap_.end())
-        return it->second;
+    auto const it = granularPermissions_.find(value);
+    if (it != granularPermissions_.end())
+        return it->second.name;

    return std::nullopt;
 }

 std::optional<TxType>
-Permission::getGranularTxType(GranularPermissionType const& gpType) const
+Permission::getGranularTxType(GranularPermissionType gpType) const
 {
-    auto const it = granularTxTypeMap_.find(gpType);
-    if (it != granularTxTypeMap_.end())
-        return it->second;
+    auto const it = granularPermissions_.find(gpType);
+    if (it != granularPermissions_.end())
+        return it->second.txType;

    return std::nullopt;
 }

+bool
+Permission::hasGranularPermissions(TxType txType) const
+{
+    return granularTxTypes_.contains(txType);
+}
+
 std::optional<std::reference_wrapper<uint256 const>>
 Permission::getTxFeature(TxType txType) const
 {
-    auto const txFeaturesIt = txFeatureMap_.find(txType);
+    auto const it = txDelegationMap_.find(txType);
    XRPL_ASSERT(
-        txFeaturesIt != txFeatureMap_.end(),
-        "xrpl::Permissions::getTxFeature : tx exists in txFeatureMap_");
+        it != txDelegationMap_.end(),
+        "xrpl::Permission::getTxFeature : tx exists in txDelegationMap_");

-    if (txFeaturesIt->second == uint256{})
+    if (it->second.amendment == uint256{})
        return std::nullopt;
-    return txFeaturesIt->second;
+
+    return std::optional{std::cref(it->second.amendment)};
 }

 bool
-Permission::isDelegable(std::uint32_t const& permissionValue, Rules const& rules) const
+Permission::isDelegable(std::uint32_t permissionValue, Rules const& rules) const
 {
-    auto const granularPermission =
-        getGranularName(static_cast<GranularPermissionType>(permissionValue));
-    if (granularPermission)
+    if (permissionValue == 0)
+        return false;  // LCOV_EXCL_LINE
+
+    auto const amendmentEnabled = [&rules](TxDelegationEntry const& entry) {
+        return entry.amendment == uint256{} || rules.enabled(entry.amendment);
+    };
+
+    // Granular permissions may authorize a limited subset of a tx type even
+    // when the full tx type is not delegable. They still require the
+    // underlying transaction amendment to be enabled.
+    if (auto const granularIt =
+            granularPermissions_.find(static_cast<GranularPermissionType>(permissionValue));
+        granularIt != granularPermissions_.end())
    {
-        // granular permissions are always allowed to be delegated
-        return true;
+        auto const txIt = txDelegationMap_.find(granularIt->second.txType);
+        return txIt != txDelegationMap_.end() && amendmentEnabled(txIt->second);
    }

    auto const txType = permissionToTxType(permissionValue);
-    auto const it = delegableTx_.find(txType);
+    auto const txIt = txDelegationMap_.find(txType);

-    if (it == delegableTx_.end())
-        return false;
-
-    auto const txFeaturesIt = txFeatureMap_.find(txType);
-    XRPL_ASSERT(
-        txFeaturesIt != txFeatureMap_.end(),
-        "xrpl::Permissions::isDelegable : tx exists in txFeatureMap_");
-
-    // Delegation is only allowed if the required amendment for the transaction
-    // is enabled. For transactions that do not require an amendment, delegation
-    // is always allowed.
-    if (txFeaturesIt->second != uint256{} && !rules.enabled(txFeaturesIt->second))
-        return false;
-
-    if (it->second == Delegation::NotDelegable)
-        return false;
-
-    return true;
+    // Tx-level permissions require the transaction type itself to be delegable, and
+    // the corresponding amendment enabled.
+    return txIt != txDelegationMap_.end() && txIt->second.delegable != NotDelegable &&
+        amendmentEnabled(txIt->second);
 }

 uint32_t
-Permission::txToPermissionType(TxType const& type)
+Permission::txToPermissionType(TxType const type)
 {
    return static_cast<uint32_t>(type) + 1;
 }

 TxType
-Permission::permissionToTxType(uint32_t const& value)
+Permission::permissionToTxType(uint32_t value)
 {
+    XRPL_ASSERT(value > 0, "xrpl::Permission::permissionToTxType : value is greater than 0");
    return static_cast<TxType>(value - 1);
 }

+bool
+Permission::checkGranularSandbox(
+    STTx const& tx,
+    std::unordered_set<GranularPermissionType> const& heldPermissions) const
+{
+    // Build union of flags upfront to enable an early exit. Fields are not stored and
+    // grouped in advance to avoid heap allocation.
+    std::uint32_t unionFlags = 0;
+    for (auto const& gp : heldPermissions)
+    {
+        auto const it = granularPermissions_.find(gp);
+        if (it != granularPermissions_.end())
+            unionFlags |= it->second.permittedFlags;
+    }
+
+    // Check if flags are permitted
+    if ((tx.getFlags() & ~unionFlags) != 0)
+        return false;
+
+    // Check if fields are permitted. Every present field must appear in at least one held
+    // permission's template. The common fields are included in the constructor.
+    for (auto const& field : tx)
+    {
+        if (field.getSType() == STI_NOTPRESENT)
+            continue;
+
+        if (!std::ranges::any_of(heldPermissions, [&](auto const& gp) {
+                auto const it = granularPermissions_.find(gp);
+                return it != granularPermissions_.end() &&
+                    it->second.permittedFields.getIndex(field.getFName()) != -1;
+            }))
+            return false;
+    }
+
+    return true;
+}
+
 }  // namespace xrpl
--- a/src/libxrpl/protocol/STTx.cpp
+++ b/src/libxrpl/protocol/STTx.cpp
@@ -217,7 +217,7 @@ STTx::getFeePayer() const
 {
    // If sfDelegate is present, the delegate account is the payer
    // note: if a delegate is specified, its authorization to act on behalf of the account is
-    // enforced in `Transactor::checkPermission`
+    // enforced in `Transactor::invokeCheckPermission`
    // cryptographic signature validity is checked separately (e.g., in `Transactor::checkSign`)
    if (isFieldPresent(sfDelegate))
        return getAccountID(sfDelegate);
--- a/src/libxrpl/rdb/SociDB.cpp
+++ b/src/libxrpl/rdb/SociDB.cpp
@@ -5,11 +5,13 @@
 #include <xrpl/core/JobQueue.h>
 #include <xrpl/core/ServiceRegistry.h>

+#include <boost/filesystem/operations.hpp>
+#include <boost/filesystem/path.hpp>
+
 #include <soci/blob.h>

 #include <cstddef>
 #include <cstdint>
-#include <filesystem>
 #include <mutex>
 #include <stdexcept>
 #include <string>
@@ -43,8 +45,8 @@ getSociSqliteInit(std::string const& name, std::string const& dir, std::string c
        Throw<std::runtime_error>(
            "Sqlite databases must specify a dir and a name. Name: " + name + " Dir: " + dir);
    }
-    std::filesystem::path file(dir);
-    if (std::filesystem::is_directory(file))
+    boost::filesystem::path file(dir);
+    if (is_directory(file))
        file /= name + ext;
    return file.string();
 }
--- a/src/libxrpl/server/InfoSub.cpp
+++ b/src/libxrpl/server/InfoSub.cpp
@@ -1,15 +1,47 @@
 #include <xrpl/server/InfoSub.h>

+#include <xrpl/basics/Log.h>
+#include <xrpl/beast/utility/Journal.h>
 #include <xrpl/beast/utility/instrumentation.h>
 #include <xrpl/protocol/AccountID.h>
+#include <xrpl/protocol/Book.h>
 #include <xrpl/resource/Consumer.h>

 #include <cstdint>
+#include <exception>
 #include <memory>
 #include <mutex>

 namespace xrpl {

+namespace {
+
+// Wraps a Source teardown call so that an exception from one cleanup
+// step does not prevent the subsequent steps from running. Source methods
+// acquire a lock and can throw std::system_error; a throw out of ~InfoSub
+// during stack unwinding would terminate the process. Failures are
+// reported through the Source's Journal so they reach the configured log
+// sinks; JLOG itself cannot throw, so the noexcept guarantee holds.
+template <typename F>
+void
+safeUnsub(std::uint64_t seq, F&& f, beast::Journal j) noexcept
+{
+    try
+    {
+        f();
+    }
+    catch (std::exception const& e)
+    {
+        JLOG(j.warn()) << "~InfoSub[seq=" << seq << "]: cleanup step failed: " << e.what();
+    }
+    catch (...)
+    {
+        JLOG(j.warn()) << "~InfoSub[seq=" << seq << "]: cleanup step failed: unknown exception";
+    }
+}
+
+}  // namespace
+
 // This is the primary interface into the "client" portion of the program.
 // Code that wants to do normal operations on the network such as
 // creating and monitoring accounts, creating transactions, and so on
@@ -32,25 +64,44 @@ InfoSub::InfoSub(Source& source, Consumer consumer)

 InfoSub::~InfoSub()
 {
-    source_.unsubTransactions(seq_);
-    source_.unsubRTTransactions(seq_);
-    source_.unsubLedger(seq_);
-    source_.unsubManifests(seq_);
-    source_.unsubServer(seq_);
-    source_.unsubValidations(seq_);
-    source_.unsubPeerStatus(seq_);
-    source_.unsubConsensus(seq_);
+    // Each Source teardown call below acquires a server-side lock and
+    // can throw. Wrap each independent call so partial failure does not
+    // skip the remaining teardown steps.
+
+    auto const& j = source_.journal();
+
+    safeUnsub(seq_, [&] { source_.unsubTransactions(seq_); }, j);
+    safeUnsub(seq_, [&] { source_.unsubRTTransactions(seq_); }, j);
+    safeUnsub(seq_, [&] { source_.unsubLedger(seq_); }, j);
+    safeUnsub(seq_, [&] { source_.unsubManifests(seq_); }, j);
+    safeUnsub(seq_, [&] { source_.unsubServer(seq_); }, j);
+    safeUnsub(seq_, [&] { source_.unsubValidations(seq_); }, j);
+    safeUnsub(seq_, [&] { source_.unsubPeerStatus(seq_); }, j);
+    safeUnsub(seq_, [&] { source_.unsubConsensus(seq_); }, j);

    // Use the internal unsubscribe so that it won't call
    // back to us and modify its own parameter
    if (!realTimeSubscriptions_.empty())
-        source_.unsubAccountInternal(seq_, realTimeSubscriptions_, true);
+    {
+        safeUnsub(
+            seq_, [&] { source_.unsubAccountInternal(seq_, realTimeSubscriptions_, true); }, j);
+    }

    if (!normalSubscriptions_.empty())
-        source_.unsubAccountInternal(seq_, normalSubscriptions_, false);
+    {
+        safeUnsub(
+            seq_, [&] { source_.unsubAccountInternal(seq_, normalSubscriptions_, false); }, j);
+    }

    for (auto const& account : accountHistorySubscriptions_)
-        source_.unsubAccountHistoryInternal(seq_, account, false);
+    {
+        safeUnsub(seq_, [&] { source_.unsubAccountHistoryInternal(seq_, account, false); }, j);
+    }
+
+    for (auto const& book : bookSubscriptions_)
+    {
+        safeUnsub(seq_, [&] { source_.unsubBookInternal(seq_, book); }, j);
+    }
 }

 Resource::Consumer&
@@ -114,6 +165,20 @@ InfoSub::deleteSubAccountHistory(AccountID const& account)
    accountHistorySubscriptions_.erase(account);
 }

+void
+InfoSub::insertBookSubscription(Book const& book)
+{
+    std::scoped_lock const sl(lock_);
+    bookSubscriptions_.insert(book);
+}
+
+void
+InfoSub::deleteBookSubscription(Book const& book)
+{
+    std::scoped_lock const sl(lock_);
+    bookSubscriptions_.erase(book);
+}
+
 void
 InfoSub::clearRequest()
 {
--- a/src/libxrpl/server/Vacuum.cpp
+++ b/src/libxrpl/server/Vacuum.cpp
@@ -5,12 +5,13 @@
 #include <xrpl/rdb/DBInit.h>
 #include <xrpl/rdb/DatabaseCon.h>

+#include <boost/filesystem/operations.hpp>
+#include <boost/filesystem/path.hpp>
 #include <boost/format.hpp>  // IWYU pragma: keep

 #include <soci/into.h>

 #include <cstdint>
-#include <filesystem>
 #include <iostream>
 #include <memory>

@@ -19,12 +20,12 @@ namespace xrpl {
 bool
 doVacuumDB(DatabaseCon::Setup const& setup, beast::Journal j)
 {
-    std::filesystem::path const dbPath = setup.dataDir / kTxDbName;
+    boost::filesystem::path const dbPath = setup.dataDir / kTxDbName;

-    uintmax_t const dbSize = std::filesystem::file_size(dbPath);
+    uintmax_t const dbSize = file_size(dbPath);
    XRPL_ASSERT(dbSize != static_cast<uintmax_t>(-1), "xrpl::doVacuumDB : file_size succeeded");

-    if (auto available = std::filesystem::space(dbPath.parent_path()).available; available < dbSize)
+    if (auto available = space(dbPath.parent_path()).available; available < dbSize)
    {
        std::cerr << "The database filesystem must have at least as "
                     "much free space as the size of "
--- a/src/libxrpl/shamap/SHAMapNodeID.cpp
+++ b/src/libxrpl/shamap/SHAMapNodeID.cpp
@@ -129,7 +129,8 @@ selectBranch(SHAMapNodeID const& id, uint256 const& hash)
 SHAMapNodeID
 SHAMapNodeID::createID(int depth, uint256 const& key)
 {
-    XRPL_ASSERT((depth >= 0) && (depth < 65), "xrpl::SHAMapNodeID::createID : valid branch input");
+    XRPL_ASSERT(
+        depth >= 0 && depth <= SHAMap::kLeafDepth, "xrpl::SHAMapNodeID::createID : valid depth");
    return SHAMapNodeID(depth, key & depthMask(depth));
 }

--- a/src/libxrpl/shamap/SHAMapSync.cpp
+++ b/src/libxrpl/shamap/SHAMapSync.cpp
@@ -413,7 +413,7 @@ SHAMap::getMissingNodes(int max, SHAMapSyncFilter const* filter)
 bool
 SHAMap::getNodeFat(
    SHAMapNodeID const& wanted,
-    std::vector<std::pair<SHAMapNodeID, Blob>>& data,
+    std::vector<SHAMapNodeData>& data,
    bool fatLeaves,
    std::uint32_t depth) const
 {
@@ -459,7 +459,7 @@ SHAMap::getNodeFat(
        // Add this node to the reply
        s.erase();
        node->serializeForWire(s);
-        data.emplace_back(nodeID, s.getData());
+        data.emplace_back(nodeID, node->isLeaf(), s.getData());

        if (node->isInner())
        {
@@ -489,7 +489,7 @@ SHAMap::getNodeFat(
                            // Just include this node
                            s.erase();
                            childNode->serializeForWire(s);
-                            data.emplace_back(childID, s.getData());
+                            data.emplace_back(childID, childNode->isLeaf(), s.getData());
                        }
                    }
                }
@@ -507,25 +507,32 @@ SHAMap::serializeRoot(Serializer& s) const
 }

 SHAMapAddNode
-SHAMap::addRootNode(SHAMapHash const& hash, Slice const& rootNode, SHAMapSyncFilter const* filter)
+SHAMap::addRootNode(
+    SHAMapHash const& hash,
+    SHAMapTreeNodePtr rootNode,
+    SHAMapSyncFilter const* filter)
 {
+    XRPL_ASSERT(cowid_ >= 1, "xrpl::SHAMap::addRootNode : valid cowid");
+    XRPL_ASSERT(rootNode, "xrpl::SHAMap::addRootNode : non-null root node");
+
    // we already have a root_ node
    if (root_->getHash().isNonZero())
    {
-        JLOG(journal_.trace()) << "got root node, already have one";
-        XRPL_ASSERT(root_->getHash() == hash, "xrpl::SHAMap::addRootNode : valid hash input");
+        JLOG(journal_.trace()) << "Got root node, already have one";
+        XRPL_ASSERT(root_->getHash() == hash, "xrpl::SHAMap::addRootNode : valid hash");
        return SHAMapAddNode::duplicate();
    }

-    XRPL_ASSERT(cowid_ >= 1, "xrpl::SHAMap::addRootNode : valid cowid");
-    auto node = SHAMapTreeNode::makeFromWire(rootNode);
-    if (!node || node->getHash() != hash)
+    if (rootNode->getHash() != hash)
+    {
+        JLOG(journal_.warn()) << "Corrupt node received";
        return SHAMapAddNode::invalid();
+    }

    if (backed_)
-        canonicalize(hash, node);
+        canonicalize(hash, rootNode);

-    root_ = node;
+    root_ = std::move(rootNode);

    if (root_->isLeaf())
        clearSynching();
@@ -542,9 +549,20 @@ SHAMap::addRootNode(SHAMapHash const& hash, Slice const& rootNode, SHAMapSyncFil
 }

 SHAMapAddNode
-SHAMap::addKnownNode(SHAMapNodeID const& node, Slice const& rawNode, SHAMapSyncFilter const* filter)
+SHAMap::addKnownNode(
+    SHAMapNodeID const& nodeID,
+    SHAMapTreeNodePtr treeNode,
+    SHAMapSyncFilter const* filter)
 {
-    XRPL_ASSERT(!node.isRoot(), "xrpl::SHAMap::addKnownNode : valid node input");
+    XRPL_ASSERT(!nodeID.isRoot(), "xrpl::SHAMap::addKnownNode : valid node");
+    XRPL_ASSERT(treeNode, "xrpl::SHAMap::addKnownNode : non-null tree node");
+    XRPL_ASSERT(
+        !treeNode->isLeaf() ||
+            SHAMapNodeID::createID(
+                nodeID.getDepth(),
+                safeDowncast<SHAMapLeafNode const*>(treeNode.get())->peekItem()->key())
+                    .getNodeID() == nodeID.getNodeID(),
+        "xrpl::SHAMap::addKnownNode : leaf position consistent with node ID");

    if (!isSynching())
    {
@@ -558,14 +576,14 @@ SHAMap::addKnownNode(SHAMapNodeID const& node, Slice const& rawNode, SHAMapSyncF

    while (currNode->isInner() &&
           !safeDowncast<SHAMapInnerNode*>(currNode)->isFullBelow(generation) &&
-           (currNodeID.getDepth() < node.getDepth()))
+           (currNodeID.getDepth() < nodeID.getDepth()))
    {
-        int const branch = selectBranch(currNodeID, node.getNodeID());
+        int const branch = selectBranch(currNodeID, nodeID.getNodeID());
        XRPL_ASSERT(branch >= 0, "xrpl::SHAMap::addKnownNode : valid branch");
        auto inner = safeDowncast<SHAMapInnerNode*>(currNode);
        if (inner->isEmptyBranch(branch))
        {
-            JLOG(journal_.warn()) << "Add known node for empty branch" << node;
+            JLOG(journal_.warn()) << "Add known node for empty branch" << nodeID;
            return SHAMapAddNode::invalid();
        }

@@ -581,67 +599,44 @@ SHAMap::addKnownNode(SHAMapNodeID const& node, Slice const& rawNode, SHAMapSyncF
        if (currNode != nullptr)
            continue;

-        auto newNode = SHAMapTreeNode::makeFromWire(rawNode);
-
-        if (!newNode || childHash != newNode->getHash())
+        if (childHash != treeNode->getHash())
        {
            JLOG(journal_.warn()) << "Corrupt node received";
            return SHAMapAddNode::invalid();
        }

-        // In rare cases, a node can still be corrupt even after hash
-        // validation. For leaf nodes, we perform an additional check to
-        // ensure the node's position in the tree is consistent with its
-        // content to prevent inconsistencies that could
-        // propagate further down the line.
-        if (newNode->isLeaf())
-        {
-            auto const& actualKey =
-                safeDowncast<SHAMapLeafNode const*>(newNode.get())->peekItem()->key();
-
-            // Validate that this leaf belongs at the target position
-            auto const expectedNodeID = SHAMapNodeID::createID(node.getDepth(), actualKey);
-            if (expectedNodeID.getNodeID() != node.getNodeID())
-            {
-                JLOG(journal_.debug())
-                    << "Leaf node position mismatch: "
-                    << "expected=" << expectedNodeID.getNodeID() << ", actual=" << node.getNodeID();
-                return SHAMapAddNode::invalid();
-            }
-        }
-
        // Inner nodes must be at a level strictly less than 64
        // but leaf nodes (while notionally at level 64) can be
        // at any depth up to and including 64:
        if ((currNodeID.getDepth() > kLeafDepth) ||
-            (newNode->isInner() && currNodeID.getDepth() == kLeafDepth))
+            (treeNode->isInner() && currNodeID.getDepth() == kLeafDepth))
        {
            // Map is provably invalid
            state_ = SHAMapState::Invalid;
            return SHAMapAddNode::useful();
        }

-        if (currNodeID != node)
+        if (currNodeID != nodeID)
        {
            // Either this node is broken or we didn't request it (yet)
-            JLOG(journal_.warn()) << "unable to hook node " << node;
+            JLOG(journal_.warn()) << "unable to hook node " << nodeID;
            JLOG(journal_.info()) << " stuck at " << currNodeID;
-            JLOG(journal_.info()) << "got depth=" << node.getDepth()
+            JLOG(journal_.info()) << "got depth=" << nodeID.getDepth()
                                  << ", walked to= " << currNodeID.getDepth();
            return SHAMapAddNode::useful();
        }

        if (backed_)
-            canonicalize(childHash, newNode);
+            canonicalize(childHash, treeNode);

-        newNode = prevNode->canonicalizeChild(branch, std::move(newNode));
+        treeNode = prevNode->canonicalizeChild(branch, std::move(treeNode));

        if (filter != nullptr)
        {
            Serializer s;
-            newNode->serializeWithPrefix(s);
+            treeNode->serializeWithPrefix(s);
            filter->gotNode(
-                false, childHash, ledgerSeq_, std::move(s.modData()), newNode->getType());
+                false, childHash, ledgerSeq_, std::move(s.modData()), treeNode->getType());
        }

        return SHAMapAddNode::useful();
--- a/src/libxrpl/tx/Transactor.cpp
+++ b/src/libxrpl/tx/Transactor.cpp
@@ -22,6 +22,7 @@
 #include <xrpl/protocol/Feature.h>
 #include <xrpl/protocol/Indexes.h>
 #include <xrpl/protocol/LedgerFormats.h>
+#include <xrpl/protocol/Permissions.h>
 #include <xrpl/protocol/Protocol.h>
 #include <xrpl/protocol/PublicKey.h>
 #include <xrpl/protocol/Rules.h>
@@ -44,8 +45,11 @@
 #include <cstddef>
 #include <cstdint>
 #include <exception>
+#include <map>
 #include <optional>
 #include <stdexcept>
+#include <tuple>
+#include <unordered_set>
 #include <utility>
 #include <vector>

@@ -175,6 +179,16 @@ Transactor::preflight1(PreflightContext const& ctx, std::uint32_t flagMask)

        if (ctx.tx[sfDelegate] == ctx.tx[sfAccount])
            return temBAD_SIGNER;
+
+        auto const& perm = Permission::getInstance();
+        auto const txType = ctx.tx.getTxnType();
+
+        // If the transaction is not delegable and does not have granular permissions, fail earlier
+        // with temINVALID. This is to prevent transactions that are not delegable at all from
+        // being processed further in the invokeCheckPermission function.
+        if (!perm.isDelegable(Permission::txToPermissionType(txType), ctx.rules) &&
+            !perm.hasGranularPermissions(txType))
+            return temINVALID;
    }

    if (auto const ret = preflight0(ctx, flagMask))
@@ -295,19 +309,33 @@ Transactor::preflightSigValidated(PreflightContext const& ctx)
 }

 NotTEC
-Transactor::checkPermission(ReadView const& view, STTx const& tx)
+Transactor::checkPermission(
+    ReadView const& view,
+    STTx const& tx,
+    std::unordered_set<GranularPermissionType>& heldGranularPermissions)
 {
    auto const delegate = tx[~sfDelegate];
    if (!delegate)
        return tesSUCCESS;

-    auto const delegateKey = keylet::delegate(tx[sfAccount], *delegate);
-    auto const sle = view.read(delegateKey);
-
+    auto const sle = view.read(keylet::delegate(tx[sfAccount], *delegate));
    if (!sle)
        return terNO_DELEGATE_PERMISSION;

-    return checkTxPermission(sle, tx);
+    if (isTesSuccess(checkTxPermission(sle, tx)))
+        return tesSUCCESS;
+
+    if (!Permission::getInstance().hasGranularPermissions(tx.getTxnType()))
+        return terNO_DELEGATE_PERMISSION;
+
+    heldGranularPermissions = getGranularPermission(sle, tx.getTxnType());
+    if (heldGranularPermissions.empty())
+        return terNO_DELEGATE_PERMISSION;
+
+    if (!Permission::getInstance().checkGranularSandbox(tx, heldGranularPermissions))
+        return terNO_DELEGATE_PERMISSION;
+
+    return tesSUCCESS;
 }

 XRPAmount
@@ -1052,26 +1080,6 @@ removeDeletedTrustLines(
    }
 }

-static void
-removeDeletedMPTs(ApplyView& view, std::vector<uint256> const& mpts, beast::Journal viewJ)
-{
-    // There could be at most two MPTs - one for each side of AMM pool
-    if (mpts.size() > 2)
-    {
-        JLOG(viewJ.error()) << "removeDeletedMPTs: deleted mpts exceed 2 " << mpts.size();
-        return;
-    }
-
-    for (auto const& index : mpts)
-    {
-        if (auto const sleState = view.peek({ltMPTOKEN, index}); sleState &&
-            deleteAMMMPToken(view, sleState, (*sleState)[sfIssuer], viewJ) != tesSUCCESS)
-        {
-            JLOG(viewJ.error()) << "removeDeletedMPTs: failed to delete AMM MPT";
-        }
-    }
-}
-
 /** Reset the context, discarding any changes made and adjust the fee.

    @param fee The transaction fee to be charged.
@@ -1134,6 +1142,118 @@ Transactor::trapTransaction(uint256 txHash) const
    JLOG(j_.debug()) << "Transaction trapped: " << txHash;
 }

+std::tuple<TER, XRPAmount, bool>
+Transactor::processPersistentChanges(TER result, XRPAmount fee)
+{
+    JLOG(j_.trace()) << "reapplying because of " << transToken(result);
+
+    // FIXME: This mechanism for doing work while returning a `tec` is
+    //        awkward and very limiting. A more general purpose approach
+    //        should be used, making it possible to do more useful work
+    //        when transactions fail with a `tec` code.
+
+    auto typesForResult = [](TER const ter) {
+        std::unordered_set<LedgerEntryType> types;
+        if ((ter == tecOVERSIZE) || (ter == tecKILLED))
+        {
+            types.insert(ltOFFER);
+        }
+        else if (ter == tecINCOMPLETE)
+        {
+            types.insert(ltRIPPLE_STATE);
+        }
+        else if (ter == tecEXPIRED)
+        {
+            types.insert(ltNFTOKEN_OFFER);
+            types.insert(ltCREDENTIAL);
+        }
+        return types;
+    };
+
+    // Build a list of ledger entry types to collect, based on the
+    // result code. Only deleted objects of these types will be
+    // re-applied after the context is reset.
+    auto const typesToCollect = typesForResult(result);
+
+    std::map<LedgerEntryType, std::vector<uint256>> deletedObjects;
+    if (!typesToCollect.empty())
+    {
+        ctx_.visit(
+            [&typesToCollect, &deletedObjects](
+                uint256 const& index, bool isDelete, SLE::const_ref before, SLE::const_ref after) {
+                if (isDelete)
+                {
+                    XRPL_ASSERT(
+                        before && after,
+                        "xrpl::Transactor::processPersistentChanges : non-null "
+                        "SLE inputs");
+                    if (before && after)
+                    {
+                        auto const type = before->getType();
+                        if (typesToCollect.contains(type))
+                        {
+                            // For offers, only collect unfunded removals
+                            // (where TakerPays is unchanged)
+                            if (type == ltOFFER &&
+                                before->getFieldAmount(sfTakerPays) !=
+                                    after->getFieldAmount(sfTakerPays))
+                                return;
+
+                            deletedObjects[type].push_back(index);
+                        }
+                    }
+                }
+            });
+    }
+
+    // Reset the context, potentially adjusting the fee.
+    {
+        auto const resetResult = reset(fee);
+        if (!isTesSuccess(resetResult.first))
+            result = resetResult.first;
+
+        fee = resetResult.second;
+    }
+
+    // Re-apply the collected deletions, but only if the reset succeeded
+    // and the post-reset result still allows the same deletion type.
+    auto const typesToApply = typesForResult(result);
+    if (isTecClaim(result) && !typesToApply.empty())
+    {
+        auto const viewJ = ctx_.registry.get().getJournal("View");
+        for (auto const& [type, ids] : deletedObjects)
+        {
+            if (ids.empty() || !typesToApply.contains(type))
+                continue;
+
+            switch (type)
+            {
+                case ltOFFER:
+                    removeUnfundedOffers(view(), ids, viewJ);
+                    break;
+                case ltNFTOKEN_OFFER:
+                    removeExpiredNFTokenOffers(view(), ids, viewJ);
+                    break;
+                case ltRIPPLE_STATE:
+                    removeDeletedTrustLines(view(), ids, viewJ);
+                    break;
+                case ltCREDENTIAL:
+                    removeExpiredCredentials(view(), ids, viewJ);
+                    break;
+                // LCOV_EXCL_START
+                default:
+                    UNREACHABLE(
+                        "xrpl::Transactor::processPersistentChanges() : "
+                        "unexpected type");
+                    break;
+                    // LCOV_EXCL_STOP
+            }
+        }
+    }
+
+    return {result, fee, isTecClaim(result)};
+}
+
 [[nodiscard]] TER
 Transactor::checkTransactionInvariants(TER result, XRPAmount fee)
 {
@@ -1183,6 +1303,7 @@ Transactor::checkInvariants(TER result, XRPAmount fee)
     */
    return ctx_.checkInvariants(result, fee);
 }
+
 //------------------------------------------------------------------------------
 ApplyResult
 Transactor::operator()()
@@ -1249,108 +1370,7 @@ Transactor::operator()()
        (result == tecOVERSIZE) || (result == tecKILLED) || (result == tecINCOMPLETE) ||
        (result == tecEXPIRED) || (isTecClaimHardFail(result, view().flags())))
    {
-        JLOG(j_.trace()) << "reapplying because of " << transToken(result);
-
-        // FIXME: This mechanism for doing work while returning a `tec` is
-        //        awkward and very limiting. A more general purpose approach
-        //        should be used, making it possible to do more useful work
-        //        when transactions fail with a `tec` code.
-        std::vector<uint256> removedOffers;
-        std::vector<uint256> removedTrustLines;
-        std::vector<uint256> removedMPTs;
-        std::vector<uint256> expiredNFTokenOffers;
-        std::vector<uint256> expiredCredentials;
-
-        bool const doOffers = ((result == tecOVERSIZE) || (result == tecKILLED));
-        bool const doLinesOrMPTs = (result == tecINCOMPLETE);
-        bool const doNFTokenOffers = (result == tecEXPIRED);
-        bool const doCredentials = (result == tecEXPIRED);
-        if (doOffers || doLinesOrMPTs || doNFTokenOffers || doCredentials)
-        {
-            ctx_.visit([doOffers,
-                        &removedOffers,
-                        doLinesOrMPTs,
-                        &removedTrustLines,
-                        &removedMPTs,
-                        doNFTokenOffers,
-                        &expiredNFTokenOffers,
-                        doCredentials,
-                        &expiredCredentials](
-                           uint256 const& index,
-                           bool isDelete,
-                           SLE::const_ref before,
-                           SLE::const_ref after) {
-                if (isDelete)
-                {
-                    XRPL_ASSERT(
-                        before && after,
-                        "xrpl::Transactor::operator()::visit : non-null SLE "
-                        "inputs");
-                    if (doOffers && before && after && (before->getType() == ltOFFER) &&
-                        (before->getFieldAmount(sfTakerPays) == after->getFieldAmount(sfTakerPays)))
-                    {
-                        // Removal of offer found or made unfunded
-                        removedOffers.push_back(index);
-                    }
-
-                    if (doLinesOrMPTs && before && after)
-                    {
-                        // Removal of obsolete AMM trust line
-                        if (before->getType() == ltRIPPLE_STATE)
-                        {
-                            removedTrustLines.push_back(index);
-                        }
-                        else if (before->getType() == ltMPTOKEN)
-                        {
-                            removedMPTs.push_back(index);
-                        }
-                    }
-
-                    if (doNFTokenOffers && before && after &&
-                        (before->getType() == ltNFTOKEN_OFFER))
-                        expiredNFTokenOffers.push_back(index);
-
-                    if (doCredentials && before && after && (before->getType() == ltCREDENTIAL))
-                        expiredCredentials.push_back(index);
-                }
-            });
-        }
-
-        // Reset the context, potentially adjusting the fee.
-        {
-            auto const resetResult = reset(fee);
-            if (!isTesSuccess(resetResult.first))
-                result = resetResult.first;
-
-            fee = resetResult.second;
-        }
-
-        // If necessary, remove any offers found unfunded during processing
-        if ((result == tecOVERSIZE) || (result == tecKILLED))
-        {
-            removeUnfundedOffers(view(), removedOffers, ctx_.registry.get().getJournal("View"));
-        }
-
-        if (result == tecEXPIRED)
-        {
-            removeExpiredNFTokenOffers(
-                view(), expiredNFTokenOffers, ctx_.registry.get().getJournal("View"));
-        }
-
-        if (result == tecINCOMPLETE)
-        {
-            removeDeletedTrustLines(
-                view(), removedTrustLines, ctx_.registry.get().getJournal("View"));
-            removeDeletedMPTs(view(), removedMPTs, ctx_.registry.get().getJournal("View"));
-        }
-
-        if (result == tecEXPIRED)
-        {
-            removeExpiredCredentials(
-                view(), expiredCredentials, ctx_.registry.get().getJournal("View"));
-        }
-
-        applied = isTecClaim(result);
+        std::tie(result, fee, applied) = processPersistentChanges(result, fee);
    }

    if (applied)
--- a/src/libxrpl/tx/applySteps.cpp
+++ b/src/libxrpl/tx/applySteps.cpp
@@ -181,7 +181,8 @@ invokePreclaim(PreclaimContext const& ctx)
                        if (NotTEC const result = T::checkPriorTxAndLastLedger(ctx))
                            return result;

-                        if (NotTEC const result = T::checkPermission(ctx.view, ctx.tx))
+                        if (NotTEC const result =
+                                Transactor::invokeCheckPermission<T>(ctx.view, ctx.tx))
                            return result;

                        if (NotTEC const result = T::checkSign(ctx))
--- a/src/libxrpl/tx/invariants/AMMInvariant.cpp
+++ b/src/libxrpl/tx/invariants/AMMInvariant.cpp
@@ -27,7 +27,14 @@ void
 ValidAMM::visitEntry(bool isDelete, SLE::const_ref before, SLE::const_ref after)
 {
    if (isDelete)
+    {
+        if (before && before->getType() == ltAMM)
+        {
+            ammDeleted_ = true;
+            lptAMMBalanceBeforeDeletion_ = before->getFieldAmount(sfLPTokenBalance);
+        }
        return;
+    }

    if (after)
    {
@@ -166,18 +173,60 @@ ValidAMM::finalizeCreate(
 }

 bool
-ValidAMM::finalizeDelete(bool enforce, TER res, beast::Journal const& j) const
+ValidAMM::finalizeDelete(bool enforce, bool enforceAMMDelete, TER res, beast::Journal const& j)
+    const
 {
    if (ammAccount_)
    {
        // LCOV_EXCL_START
-        std::string const msg = (isTesSuccess(res)) ? "AMM object is not deleted on tesSUCCESS"
-                                                    : "AMM object is changed on tecINCOMPLETE";
+        std::string const msg = (isTesSuccess(res)) ? "AMM object remained on tesSUCCESS"
+                                                    : "AMM object changed on tecINCOMPLETE";
        JLOG(j.error()) << "Invariant failed: AMMDelete failed, " << msg;
        if (enforce)
            return false;
        // LCOV_EXCL_STOP
    }
+    if (enforceAMMDelete)
+    {
+        if (isTesSuccess(res))
+        {
+            if (!ammDeleted_)
+            {
+                // LCOV_EXCL_START
+                JLOG(j.error())
+                    << "Invariant failed: AMMDelete failed, AMM object remained on tesSUCCESS";
+                return false;
+                // LCOV_EXCL_STOP
+            }
+            if (!lptAMMBalanceBeforeDeletion_)
+            {
+                // LCOV_EXCL_START
+                JLOG(j.error())
+                    << "Invariant failed: AMMDelete failed, AMM object deleted without LP balance";
+                return false;
+                // LCOV_EXCL_STOP
+            }
+            if (*lptAMMBalanceBeforeDeletion_ != beast::kZero)
+            {
+                // LCOV_EXCL_START
+                JLOG(j.error())
+                    << "Invariant failed: AMMDelete failed, AMM object deleted with non-zero LP "
+                       "balance: "
+                    << *lptAMMBalanceBeforeDeletion_;
+                return false;
+                // LCOV_EXCL_STOP
+            }
+        }
+        else if (ammDeleted_)
+        {
+            // AMM should only be fully deleted when AMMDelete returns tesSUCCESS.
+            // LCOV_EXCL_START
+            JLOG(j.error()) << "Invariant failed: AMMDelete failed, AMM object deleted when result "
+                               "is not tesSUCCESS";
+            return false;
+            // LCOV_EXCL_STOP
+        }
+    }

    return true;
 }
@@ -221,13 +270,8 @@ ValidAMM::generalInvariant(
    auto const poolProductMean = root2(amount * amount2);
    bool const nonNegativeBalances =
        validBalances(amount, amount2, *lptAMMBalanceAfter_, zeroAllowed);
-    bool const strongInvariantCheck = poolProductMean >= *lptAMMBalanceAfter_;
-    // Allow for a small relative error if strongInvariantCheck fails
-    auto weakInvariantCheck = [&]() {
-        return *lptAMMBalanceAfter_ != beast::kZero &&
-            withinRelativeDistance(poolProductMean, Number{*lptAMMBalanceAfter_}, Number{1, -11});
-    };
-    if (!nonNegativeBalances || (!strongInvariantCheck && !weakInvariantCheck()))
+    auto const precisionLoss = checkAMMPrecisionLoss(poolProductMean, *lptAMMBalanceAfter_);
+    if (!nonNegativeBalances || !isTesSuccess(precisionLoss))
    {
        JLOG(j.error()) << "Invariant failed: AMM " << tx.getTxnType() << " "
                        << tx.getHash(HashPrefix::TransactionId) << " " << ammPoolChanged_ << " "
@@ -271,16 +315,20 @@ ValidAMM::finalizeWithdraw(
    xrpl::STTx const& tx,
    xrpl::ReadView const& view,
    bool enforce,
+    bool enforceAMMDelete,
    beast::Journal const& j) const
 {
-    if (!ammAccount_)
+    if (enforceAMMDelete && ammDeleted_)
    {
-        // Last Withdraw or Clawback deleted AMM
+        // Last Withdraw or Clawback can delete the AMM. We don't have to check
+        // the LPToken balance because a final AMMWithdraw or AMMClawback can
+        // redeem the remaining LP tokens and delete the AMM entry in the same
+        // transaction.
+        return true;
    }
-    else if (!generalInvariant(tx, view, ZeroAllowed::Yes, j))
+    if (ammAccount_ && !generalInvariant(tx, view, ZeroAllowed::Yes, j) && enforce)
    {
-        if (enforce)
-            return false;
+        return false;
    }

    return true;
@@ -300,6 +348,25 @@ ValidAMM::finalize(
        return true;

    bool const enforce = view.rules().enabled(fixAMMv1_3);
+    bool const enforceAMMDelete = view.rules().enabled(fixCleanup3_3_0);
+
+    // AMM can only be deleted by AMMWithdraw, AMMClawback, and AMMDelete
+    if (enforceAMMDelete && ammDeleted_)
+    {
+        switch (tx.getTxnType())
+        {
+            case ttAMM_WITHDRAW:
+            case ttAMM_CLAWBACK:
+            case ttAMM_DELETE:
+                break;
+            default:
+                // LCOV_EXCL_START
+                JLOG(j.error()) << "Invariant failed: AMM failed, unexpected AMM deletion by "
+                                << tx.getTxnType();
+                return false;
+                // LCOV_EXCL_STOP
+        }
+    }

    switch (tx.getTxnType())
    {
@@ -309,13 +376,13 @@ ValidAMM::finalize(
            return finalizeDeposit(tx, view, enforce, j);
        case ttAMM_CLAWBACK:
        case ttAMM_WITHDRAW:
-            return finalizeWithdraw(tx, view, enforce, j);
+            return finalizeWithdraw(tx, view, enforce, enforceAMMDelete, j);
        case ttAMM_BID:
            return finalizeBid(enforce, j);
        case ttAMM_VOTE:
            return finalizeVote(enforce, j);
        case ttAMM_DELETE:
-            return finalizeDelete(enforce, result, j);
+            return finalizeDelete(enforce, enforceAMMDelete, result, j);
        case ttCHECK_CASH:
        case ttOFFER_CREATE:
        case ttPAYMENT:
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Bart	6da2b9e925	Restore serializer, add node check	2026-06-23 13:24:31 -04:00
Bart	b156c19f82	Merge branch 'develop' into bthomee/node_depth	2026-06-23 10:54:00 -04:00
Bart	ff02269c0d	refactor: Use dispatch instead of post (#7438 ) Co-authored-by: Bart <11445373+bthomee@users.noreply.github.com>	2026-06-22 22:35:28 +00:00
Mayukha Vadari	dd7401fde2	refactor: Clean up tec object deletion logic (#6588 ) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-06-22 18:44:42 +00:00
Zhiyuan Wang	19a9ed7767	fix: Move AMMInvariant weakInvariantCheck logic into the transaction (#7032 )	2026-06-22 18:42:57 +00:00
Zhiyuan Wang	93eab33dc2	fix: Improve ValidAMM invariant (#7295 )	2026-06-22 17:45:42 +00:00
yinyiqian1	997267f845	feat: Remove clear mutable flags for DynamicMPT XLS-94 (#7439 )	2026-06-22 17:36:06 +00:00
Ayaz Salikhov	e29b523620	ci: Build and push docker images in forks too (#7588 )	2026-06-22 17:00:40 +00:00
dependabot[bot]	b1f794f067	ci: [DEPENDABOT] bump actions/checkout from 6.0.3 to 7.0.0 (#7585 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-22 13:39:38 +00:00
Michael Legleux	b6a1ad5bb3	fix: Ensure xrpld service directories exist at startup (#7565 )	2026-06-18 19:21:12 +00:00
yinyiqian1	772ea80a25	fix: Use template for granular delegation permissions (#6613 ) Co-authored-by: Bart <bthomee@users.noreply.github.com>	2026-06-17 23:20:54 +00:00
solunolab	480676d0bf	docs: Fix some comments to improve readability (#7405 ) Signed-off-by: solunolab <solunolab@outlook.com> Co-authored-by: Ayaz Salikhov <mathbunnyru@users.noreply.github.com>	2026-06-17 13:55:00 +00:00
Michael Legleux	f07de6c454	ci: Disable assertions on Release builds (#7443 )	2026-06-17 13:54:55 +00:00
Ayaz Salikhov	cb2642be05	build: Add graphviz to Nix images (#7566 )	2026-06-17 13:54:46 +00:00
Pratik Mankawde	7e0ff536f5	refactor: Rerevert "Explicitly trim the heap after cache sweeps (#6022 )" Signed-off-by: Pratik Mankawde <3397372+pratikmankawde@users.noreply.github.com>	2026-06-17 13:31:43 +01:00
Pratik Mankawde	044ca7719d	release: Bump version to 3.3.0-b0 Signed-off-by: Pratik Mankawde <3397372+pratikmankawde@users.noreply.github.com>	2026-06-17 12:58:01 +01:00
Pratik Mankawde	cccce1c32e	Merge remote-tracking branch 'origin/release/3.2.x' into pratik/merge_3.2.x Signed-off-by: Pratik Mankawde <3397372+pratikmankawde@users.noreply.github.com>	2026-06-17 12:53:02 +01:00
Ayaz Salikhov	5de434436e	ci: Make clang-tidy workflow adjustments to stay in sync with Clio (#7563 )	2026-06-17 10:02:17 +00:00
Ayaz Salikhov	45ddc1d868	build: Add git-lfs to Nix images (#7561 )	2026-06-16 23:13:33 +00:00
Ayaz Salikhov	7b9d55326d	build: Add zip to Nix images (#7551 )	2026-06-16 17:35:33 +00:00
Ayaz Salikhov	0364e4dc41	docs: Rewrite build environment docs (#7533 ) Co-authored-by: Ed Hennis <ed@ripple.com>	2026-06-16 13:24:12 +00:00
Ayaz Salikhov	3c43f4614f	release: Bump version to 3.2.0	2026-06-15 19:46:56 -04:00
dependabot[bot]	6b63f0ff61	ci: [DEPENDABOT] bump codecov/codecov-action from 6.0.1 to 7.0.0 (#7426 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-15 19:46:49 -04:00
Bart	0ac8e6cf1e	release: Bump version to 3.2.0-rc6	2026-06-15 22:24:03 +01:00
Vito Tumas	ed5f13481a	fix: Disable transaction invariants	2026-06-15 22:24:03 +01:00
Vito Tumas	781ef175c9	perf: Dispatch "hasInvalidAmount()" on type tag instead of dynamic_cast	2026-06-15 22:24:03 +01:00
Ed Hennis	e5785c4fcb	fix: Fix Number comparison operator	2026-06-15 22:24:02 +01:00
Michael Legleux	96d0563ea6	fix: Adjust xrpld systemd service	2026-06-15 22:24:02 +01:00
Bart	61dae6f792	release: Bump version to 3.2.0-rc5	2026-06-15 22:24:02 +01:00
yinyiqian1	fded06652a	fix: Add zero NFT Offer ID check for NFTokenCancelOffer	2026-06-15 22:24:02 +01:00
Valentin Balaschenko	e833e8884d	refactor: Revert "Explicitly trim the heap after cache sweeps (#6022 )"	2026-06-15 22:24:02 +01:00
Michael Legleux	8e3eabc398	refactor: Remove auto-update script and update RPM version * refactor: Update RPM version scheme; remove auto-update script; service hardening - RPM version scheme: pre-releases now use `~` in the `Version` field instead of the `0.<release>.<suffix>` `Release`-field hack. Matches Debian's `~` convention, so RPM and DEB version strings are symmetric. Requires rpm ≥ 4.10 (RHEL 9 ships 4.17). Before/after for a pre-release build: ``` # before xrpld-3.2.0-0.1.rc3+202606011647.d4cb68d5.el9.x86_64.rpm # after (symmetric with DEB) xrpld-3.2.0~rc2+202606010139.7679a310-1.el9.x86_64.rpm xrpld_3.2.0~rc2+202606010139.7679a310-1_amd64.deb ``` - Auto-update removed: `update-xrpld`, `update-xrpld.service`, and `update-xrpld.timer` deleted. The `50-xrpld.preset` `disable` line for the timer is dropped too. - Service hardening (two new `[Service]` directives in `xrpld.service`): - `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` — drops every Linux capability except `CAP_NET_BIND_SERVICE`, capping the privilege ceiling to least-privilege while still letting operators bind ports <1024 (e.g. WS/HTTPS on 443). - `SystemCallArchitectures=native` — restricts the service to the native syscall ABI, blocking alternate-ABI (32-bit/x32) syscalls used to evade seccomp filtering. - [ ] Build RPM from a pre-release version (e.g. `3.2.0-b1`) and confirm `rpm -qi` shows `Version: 3.2.0~b1`, `Release: 1` - [ ] Confirm `3.2.0~b1` sorts before `3.2.0` via `rpmvercmp` - [ ] Install package and confirm no `update-xrpld` units appear in `systemctl list-unit-files` - [ ] Confirm `systemctl show xrpld` reflects the new `CapabilityBoundingSet` and `SystemCallArchitectures` fix: Track tmpfiles-created directories in RPM %files as %ghost	2026-06-15 22:24:02 +01:00
Sergey Kuznetsov	47b06ecd17	refactor: Use rocksdb includes only when it is available	2026-06-15 22:23:54 +01:00
Bart	5a25c9188b	release: Bump version to 3.2.0-rc4	2026-06-15 22:23:53 +01:00
Bart	82ee5b7556	refactor: Handle int and uint API versions separately	2026-06-15 22:23:38 +01:00
Pratik Mankawde	f98c251011	refactor: Improve tracking of book (un)subscriptions	2026-06-15 22:23:38 +01:00
Sergey Kuznetsov	e29dc474b3	refactor: Improve payment channel closing and returned error codes	2026-06-15 22:23:28 +01:00
Pratik Mankawde	2728e11809	fix: Set request size limits and differential pricing for get-object-by-hash calls	2026-06-15 22:23:28 +01:00
Jingchen	9650fe8a6e	refactor: Use explicit types to help compiler	2026-06-15 22:22:53 +01:00
Pratik Mankawde	2df96b1550	fix: Silence UBSan diagnostics in the ubsan build config (#7531 ) Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-15 19:25:37 +00:00
Ayaz Salikhov	fe4c8ae82a	build: Add ClangBuildAnalyzer to Nix (#7538 ) Co-authored-by: Bart <bthomee@users.noreply.github.com>	2026-06-15 19:04:33 +00:00
Zhiyuan Wang	b34aa84e5a	fix: Check Fee-Free Division by Zero in AMMWithdraw singleWithdrawEPrice (#6989 )	2026-06-15 15:31:22 +00:00
Bart	f5985e73ec	fix: Always charge peer on strand (#7422 ) Co-authored-by: Bart <11445373+bthomee@users.noreply.github.com>	2026-06-15 14:55:56 +00:00
Sergey Kuznetsov	4387aac1a5	chore: Remove conan patch in nix (#7534 )	2026-06-15 14:55:43 +00:00
Pratik Mankawde	df395d6851	test: Add null check unit test for `Oracle::aggregatePrice` (#7306 ) Signed-off-by: Pratik Mankawde <3397372+pratikmankawde@users.noreply.github.com>	2026-06-11 18:05:36 +00:00
Ayaz Salikhov	8e618d68cd	ci: Patch conan recipe for Nix to be able to use on macOS (#7532 )	2026-06-11 17:36:33 +00:00
Ayaz Salikhov	cee157485e	ci: Run sanitizers on release builds too (#7527 )	2026-06-11 12:59:22 +00:00
Bart	eda7ec104a	Merge branch 'develop' into bthomee/node_depth	2026-06-05 17:48:43 -04:00
Bart	6ffef55fac	Optimize handling, support relaying to old node	2026-06-05 17:48:16 -04:00
Bart	b82baaec0f	Merge branch 'develop' into bthomee/node_depth	2026-06-05 10:51:08 -04:00
Bart	5f59b7f4ad	Merge branch 'develop' into bthomee/node_depth	2026-06-03 12:34:42 -04:00
Bart	b8be772441	Charge peers for invalid data	2026-06-02 14:21:21 -04:00
Bart	0c7873c9f1	Merge branch 'develop' into bthomee/node_depth	2026-06-02 14:06:01 -04:00
Bart	ec290777c5	Merge branch 'develop' into bthomee/node_depth	2026-05-31 17:54:25 -04:00
Bart	cd7babf4b6	Merge branch 'develop' into bthomee/node_depth	2026-05-28 11:54:05 -04:00
Bart	3f4d730a61	Merge branch 'develop' into bthomee/node_depth	2026-05-21 12:20:19 +01:00
Bart	41b258ae73	Merge branch 'develop' into bthomee/node_depth	2026-05-15 13:17:41 -04:00
Bart	cf8744ebe3	Merge branch 'develop' into bthomee/node_depth	2026-05-14 15:09:05 -04:00
Bart	6f7c6a79f5	Try removing SHAMapNodeData constructor	2026-05-12 08:30:50 -04:00
Bart	35ffa71c0b	Review feedback	2026-05-11 17:53:43 -04:00
Bart	4e8b6c4176	Merge branch 'develop' into bthomee/node_depth	2026-05-11 17:48:34 -04:00
Bart	081d86653f	Update levelization	2026-05-11 09:57:25 -04:00
Bart	4ba60eae21	Review feedback	2026-05-11 09:45:01 -04:00
Bart	e21f879437	Merge branch 'develop' into bthomee/node_depth	2026-05-11 09:30:39 -04:00
Bart	5023558e11	Merge branch 'develop' into bthomee/node_depth	2026-05-07 16:07:16 -04:00
Bart	4b83169922	Address AI feedback	2026-05-03 19:51:58 -04:00
Bart	d5d79c1d09	Apply clang-tidy diff	2026-05-03 18:16:19 -04:00
Bart	7912d112e7	Address AI feedback	2026-05-03 17:48:25 -04:00
Bart	1a35abbb43	Apply clang-tidy fixes	2026-05-03 09:24:59 -04:00
Bart	95e3267b07	Merge branch 'develop' into bthomee/node_depth	2026-05-03 08:55:50 -04:00
Bart	42e5683385	Merge branch 'develop' into bthomee/node_depth	2026-04-29 13:57:28 -04:00
Bart	fe6ddccabb	Merge branch 'develop' into bthomee/node_depth	2026-04-28 13:43:22 -04:00
Bart	49faf696d4	Address Copilot feedback	2026-04-26 11:48:58 -04:00
Bart	5b5ad09c53	Merge branch 'develop' into bthomee/node_depth	2026-04-24 14:44:42 -04:00
Bart	2405a3353c	Add [[nodiscard]] to getNodeFat	2026-04-24 09:52:39 -04:00
Bart	705622011b	Merge branch 'develop' into bthomee/node_depth	2026-04-24 09:47:14 -04:00
Bart	ae5f5cb92b	Use emplace_back instead of push_back	2026-04-24 09:45:03 -04:00
Bart	cde8f17b5d	Merge branch 'develop' into bthomee/node_depth	2026-04-24 09:26:37 -04:00
Bart	c8fb69ee1a	Address Copilot feedback	2026-04-23 19:02:21 -07:00
Bart	430f770f2a	Apply clang-tidy diff	2026-04-23 18:52:19 -07:00
Bart	44590a7008	Review feedback	2026-04-23 18:15:01 -07:00
Bart	1934c316b2	Update levelization	2026-04-23 15:46:24 -07:00
Bart	fd2a8b5825	Apply clang-tidy diff	2026-04-23 15:43:59 -07:00
Bart	012144c16c	Merge branch 'develop' into bthomee/node_depth	2026-04-23 15:30:19 -07:00
Bart	8e2d949680	Review feedback	2026-04-23 15:01:01 -07:00
Bart	b781018fee	Merge branch 'develop' into bthomee/node_depth	2026-04-23 04:50:55 -07:00
Bart	d867c9b26d	Address Copilot feedback	2026-04-21 15:29:50 -07:00
Bart	7749ed8488	Address Copilot feedback	2026-04-21 15:03:32 -07:00
Bart	4d01cac564	Update levelization	2026-04-21 15:00:07 -07:00
Bart	98e1ad2dec	Add more clang-tidy fixes	2026-04-21 14:42:21 -07:00
Bart	342171bf20	Merge branch 'develop' into bthomee/node_depth	2026-04-21 14:06:15 -07:00
Bart	fe74f48e7a	Add more clang-tidy fixes	2026-04-21 13:29:19 -07:00
Bart	d6e05cf513	Add more clang-tidy fixes	2026-04-21 11:28:40 -07:00
Bart	e31419aa06	Address Copilot feedback	2026-04-21 11:08:02 -07:00
Bart	05b4c67b96	Restore invalid clang-tidy fix	2026-04-21 10:58:12 -07:00
Bart	2524476124	Update levelization	2026-04-21 10:26:25 -07:00
Bart	8007788d77	Merge branch 'develop' into bthomee/node_depth	2026-04-21 10:25:58 -07:00
Bart	809395a59c	Merge branch 'develop' into bthomee/node_depth	2026-04-20 11:21:40 -04:00
Bart	3ef64e019b	Merge branch 'develop' into bthomee/node_depth	2026-04-02 16:56:09 -04:00
Bart	228ad1e98f	Fix clang-tidy findings	2026-03-31 17:33:15 -04:00
Bart	c4b342a027	Merge branch 'develop' into bthomee/node_depth	2026-03-31 17:12:43 -04:00
Bart	556d80e724	Fix clang-tidy findings	2026-03-31 16:31:24 -04:00
Bart	044f1e67b9	Merge branch 'develop' into bthomee/node_depth	2026-03-31 14:00:34 -04:00
Bart	0ad72fae8f	Merge branch 'develop' into bthomee/node_depth	2026-03-22 06:33:02 -04:00
Bart	cc383c5fb8	Clang-tidy fixes	2026-03-18 15:09:46 -04:00
Bart	88715f1e5a	Merge branch 'develop' into bthomee/node_depth	2026-03-18 13:38:55 -04:00
Bart	e1477cef0c	Fix merge conflict	2026-03-18 09:56:08 -04:00
Bart	942874d7b0	Merge branch 'develop' into bthomee/node_depth	2026-03-18 09:47:16 -04:00
Bart	79326fc6b5	Merge branch 'develop' into bthomee/node_depth	2026-03-16 19:48:17 -04:00
Bart	48535d5226	Merge branch 'develop' into bthomee/node_depth	2026-03-10 17:11:14 +01:00
Bart	d1a6558080	Merge branch 'develop' into bthomee/node_depth	2026-03-10 15:39:32 +01:00
Bart	84f86b354f	Add defensive check	2026-03-06 13:28:39 +01:00
Bart	40a3985b02	Merge branch 'develop' into bthomee/node_depth	2026-03-06 09:27:59 +01:00
Bart	208bd35d45	Merge branch 'develop' into bthomee/node_depth	2026-03-05 08:36:13 +01:00
Bart	e90fbbf7b2	Copilot review feedback	2026-03-02 13:39:29 -05:00
Bart	277450e648	Merge branch 'develop' into bthomee/node_depth	2026-03-02 12:16:33 -05:00
Bart	e6993524ea	Copilot review feedback	2026-03-02 12:10:12 -05:00
Bart	b117ecc6a2	Use std::string_view	2026-03-02 11:58:57 -05:00
Bart	6c3b00c342	Change takeNodes vector argument to r-value	2026-03-02 09:41:23 -05:00
Bart	8c296a935a	Improve docstring	2026-03-01 17:44:48 -05:00
Bart	573ba82181	Copilot review feedback	2026-03-01 17:33:03 -05:00
Bart	1542ab7e27	Copilot review feedback	2026-03-01 17:04:04 -05:00
Bart	6374f4886d	Support leaf nodes at depth 0, use std::move, simplify tests	2026-03-01 16:44:58 -05:00
Bart	ebf336f472	Copilot review feedback	2026-03-01 15:10:57 -05:00
Bart	ddc15ad612	Copilot review feedback	2026-03-01 14:48:27 -05:00
Bart	82db6ac498	Restore try-catch to protect against other exceptions	2026-03-01 13:33:39 -05:00
Bart	f749c41306	Add log message for consistency	2026-02-28 17:31:22 -05:00
Bart	f25e47a58d	Improve comment	2026-02-28 17:27:15 -05:00
Bart	2396799bd8	Update levelization	2026-02-28 16:03:02 -05:00
Bart	4855b9f96a	Improve function docstrings, fix tests	2026-02-28 15:46:49 -05:00
Bart	b2f65cb7eb	Fix protocol version test	2026-02-28 14:40:55 -05:00
Bart	c523673885	Update levelization	2026-02-28 14:00:13 -05:00
Bart	caac4d63d3	Merge branch 'develop' into bthomee/node_depth	2026-02-28 13:56:37 -05:00
Bart	29b0076fa8	Use new protocol version instead of amendment, add tests	2026-02-28 13:54:00 -05:00
Bart	c9aa1094a7	Update docstrings	2026-02-27 12:55:14 -05:00
Bart	b86f69cb82	Merge branch 'develop' into bthomee/node_depth	2026-02-26 17:33:25 -05:00
Bart	5d0bf78512	Clang-format to 100 line length	2026-02-26 17:09:20 -05:00
Bart	554df631c6	Remove pragma once	2026-02-18 08:28:56 -05:00
Bart	5e704bfdfb	Merge branch 'develop' into bthomee/node_depth	2026-02-18 08:02:52 -05:00
Bart	fe8cc02bfa	Refine	2026-02-18 07:54:33 -05:00
Bart	061c033f52	Use oneof in proto message	2026-02-16 16:50:40 -05:00
Bart	832a7e7e4a	Remove depth, do not include node ID for leaf nodes	2026-02-13 17:05:05 -05:00
Bart	b2371c4c02	Fixes	2026-02-13 15:47:08 -05:00
Bart	b94a7c4b44	Merge branch 'develop' into bthomee/node_depth	2026-02-13 11:46:56 -05:00
Bart	9b9027112d	Use helper functions	2026-02-13 11:44:58 -05:00
Bart	8e7889c66e	Refactor	2026-02-12 16:55:38 -05:00
Bart	d836c3788d	Merge branch 'develop' into bthomee/node_depth	2026-02-12 15:33:13 -05:00
Bart	1cb7c0293f	Check if amendment is enabled	2026-02-12 06:31:32 -05:00
Bart	52dabc1f79	Remove deprecated stanza on nodeid field	2026-02-11 16:28:35 -05:00
Bart	2d78d41f7b	perf: Replace node ID by depth in TMLedgerNode	2026-02-11 15:55:16 -05:00